[ { "path": ".gitignore", "content": "################################################################################\n# Bu .gitignore dosyası Microsoft(R) Visual Studio tarafından otomatik olarak oluşturulmuştur.\n################################################################################\n\n/.vs\n/WID_LoadLibrary.vcxproj.user\n/x64/Debug\n/Debug/WID_LoadLibrary.tlog\n/Debug\n" }, { "path": "LICENSE", "content": "MIT License\n\nCopyright (c) 2023 Paskalian\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n" }, { "path": "README.md", "content": "![WID LOGO](Images/WID.svg \"WID_LOGO\")\n\n
\n\n# LEGAL NOTICE\nI do not take responsibility for any misuse of these information in any way.\n\nThe purpose of these series are **only** to understand Windows better, there is a lot to discover.\n\n# Information\n### Compatibility\nThe project is designed specifically for x64 architecture, not tested in x86 architecture.\n\n### Functions\nAll the function implementations given are my own, they are not guaranteed to represent the exact functionality.\n\n# Usage\nPretty easy, you first include \"WID.h\" into your source file. Then you create a LOADLIBRARY instance with a path given, and that's it. Now you can almost see the entire loading process!\n```cpp\n#include \"WID.h\"\n\nusing namespace WID::Loader;\n\nint main()\n{\n LOADLIBRARY LoadDll(TEXT(\"PATH_TO_DLL.dll\"));\n}\n```\nThe constructor takes in 3 arguments, which the last 2 are set by default.\n#### PATH\nDll path, can be absolute or relative. **Must** be given.\n#### FLAGS\nSame flags as in LoadLibraryExW, you can check the possible values in [here](https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexw). Set to 0 by default.\n#### LOAD TYPE (NOT USEFUL CURRENTLY)\nIf set to LOADTYPE::HIDDEN, Windows will not be informed about the loading of the dll. Set to LOADTYPE::DEFAULT by default.\n\n
\n\n# What is LoadLibrary?\nLoadLibrary is an easy to use Windows API function for loading Dynamic Link Libraries (DLLs) into programs.\n\nTo be able to use it you must first include into your source file.\n\nThere are 4 widely used LoadLibrary functions\n- [LoadLibraryA](https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya \"MSDN Reference\")\n- [LoadLibraryW](https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryw \"MSDN Reference\")\n- [LoadLibraryExA](https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexa \"MSDN Reference\")\n- [LoadLibraryExW](https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexw \"MSDN Reference\")\n\nEven if they look like seperate, they all end up in **LoadLibraryExW** finally, wanna learn how? Keep reading.\n\n
\n\nHere is a basic diagram to show what functions are called in order to load a module into a process (maybe not exact represantation).
\n\n

\nThe path was given absolute and no flags were given\n\n\"Diagram\"/\n

\n\n# Basic Explanations\n## LoadLibrary\n```cpp\n#ifdef UNICODE\n#define LoadLibrary LoadLibraryW\n#else\n#define LoadLibrary LoadLibraryA\n#endif // !UNICODE\n```\nNot a function by itself but a macro instead, resolved into one of the according functions **LoadLibraryA** or **LoadLibraryW** depending on your character set being **Multi-byte** or **Unicode** respectively.\n
\n## LoadLibraryA\n```cpp\nHMODULE __fastcall LOADLIBRARY::fLoadLibraryA(LPCSTR lpLibFileName)\n{\n // If no path was given.\n if (!lpLibFileName)\n //return LoadLibraryExA(lpLibFileName, 0, 0);\n return NULL;\n\n // If path isn't 'twain_32.dll'\n // This is where our LoadLibrary calls mostly end up.\n if (_stricmp(lpLibFileName, \"twain_32.dll\"))\n return fLoadLibraryExA(lpLibFileName, 0, 0);\n\n // If path is 'twain_32.dll'\n // Windows probably uses this to make itself a shortcut, while we are using it the code won't reach here.\n PCHAR Heap = (PCHAR)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, *KernelBaseGlobalData, MAX_PATH);\n if (!Heap)\n return fLoadLibraryExA(lpLibFileName, 0, 0);\n\n HMODULE Module;\n // Heap receives the Windows path (def: C:\\Windows)\n\n // The BufferSize check made against GetWindowsDirectoryA is to see if it actually received. If it's bigger than BufferSize \n // then GetWindowsDirectoryA returned the size needed (in summary it fails)\n\n // If this check doesn't fail '\\twain_32.dll' is appended to the Windows path (def: C:\\Windows\\twain_32.dll)\n // Then this final module is loaded into the program.\n // If it can't load, it tries to load it directly and returns from there.\n if (GetWindowsDirectoryA(Heap, 0xF7) - 1 > 0xF5 ||\n (strncat_s(Heap, MAX_PATH, \"\\\\twain_32.dll\", strlen(\"\\\\twain_32.dll\")), (Module = fLoadLibraryA(Heap)) == 0))\n {\n RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);\n return fLoadLibraryExA(lpLibFileName, 0, 0);\n }\n\n RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);\n return Module;\n}\n```\nIn our use case it's just a small wrapper around LoadLibraryExA. Other way around you can see it provides a shortcut mechanism for loading \"**twain_32.dll**\".\n
\n## LoadLibraryW\n```cpp\nHMODULE __fastcall LOADLIBRARY::fLoadLibraryW(LPCWSTR lpLibFileName)\n{\n return fLoadLibraryExW(lpLibFileName, 0, 0);\n}\n```\nA wrapper for LoadLibraryExW.\n
\n## LoadLibraryExA\n```cpp\nHMODULE __fastcall LOADLIBRARY::fLoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)\n{ \n UNICODE_STRING Unicode;\n if (!Basep8BitStringToDynamicUnicodeString(&Unicode, lpLibFileName))\n return NULL;\n\n HMODULE Module = fLoadLibraryExW(Unicode.Buffer, hFile, dwFlags);\n RtlFreeUnicodeString(&Unicode);\n return Module;\n}\n```\nConverts our ANSI given lpLibFileName into Unicode then calls LoadLibraryExW with it. In summary it's a wrapper for LoadLibraryExW, that's what I meant when I said all of the 4 functions end up in LoadLibraryExW.\n
\n## LoadLibraryExW\n```cpp\nHMODULE __fastcall LOADLIBRARY::fLoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)\n{\n NTSTATUS Status;\n\n DWORD ConvertedFlags;\n HMODULE BaseOfLoadedDll;\n\n DWORD DatafileFlags = dwFlags & LLEXW_ASDATAFILE;\n // If no DllName was given OR hFile was given (msdn states that hFile must be 0) OR dwFlags is set to an unknown value OR *both* the Datafile flags are set (they cannot be used together).\n if (!lpLibFileName || hFile || ((dwFlags & 0xFFFF0000) != 0) || (DatafileFlags == LLEXW_ASDATAFILE))\n {\n BaseSetLastNTError(STATUS_INVALID_PARAMETER);\n return NULL;\n }\n\n UNICODE_STRING DllName;\n Status = RtlInitUnicodeStringEx(&DllName, lpLibFileName);\n if (!NT_SUCCESS(Status))\n {\n BaseSetLastNTError(Status);\n return NULL;\n }\n\n USHORT DllNameLen = DllName.Length;\n if (!DllName.Length)\n {\n BaseSetLastNTError(STATUS_INVALID_PARAMETER);\n return NULL;\n }\n\n // If the DllName given had empty (space) chars as their last chars, this do-while loop excludes them and sets the excluded length.\n do\n {\n DWORD WchAmount = DllNameLen / 2;\n if (DllName.Buffer[WchAmount - 1] != ' ' /* 0x20 is space char */)\n break;\n\n DllNameLen -= 2;\n DllName.Length = DllNameLen;\n } while (DllNameLen != 2);\n\n // In case the above do-while loop misbehaves.\n if (DllNameLen == 0)\n {\n BaseSetLastNTError(STATUS_INVALID_PARAMETER);\n return NULL;\n }\n\n BaseOfLoadedDll = 0;\n\n // If the dll is not getting loaded as a datafile.\n if ((dwFlags & LLEXW_ISDATAFILE) == 0)\n {\n // Converts the actual flags into it's own flag format. Most flags are discarded (only used if loaded as datafile).\n // Only flags that can go through are DONT_RESOLVE_DLL_REFERENCES, LOAD_PACKAGED_LIBRARY, LOAD_LIBRARY_REQUIRE_SIGNED_TARGET and LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY\n ConvertedFlags = 0;\n if ((dwFlags & DONT_RESOLVE_DLL_REFERENCES) != 0)\n ConvertedFlags |= CNVTD_DONT_RESOLVE_DLL_REFERENCES;\n\n if ((dwFlags & LOAD_PACKAGED_LIBRARY) != 0)\n ConvertedFlags |= LOAD_PACKAGED_LIBRARY;\n\n if ((dwFlags & LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) != 0)\n ConvertedFlags |= CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET;\n\n if ((dwFlags & LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY) != 0)\n ConvertedFlags |= CNVTD_LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY;\n\n // Evaluates dwFlags to get meaningful flags, includes DONT_RESOLVE_DLL_REFERENCES finally.\n // But it doesn't matter because the first param LdrLoadDll takes actually a (PWCHAR PathToFile), so I have no idea why that's done.\n Status = fLdrLoadDll((PWCHAR)((dwFlags & LLEXW_7F08) | 1), &ConvertedFlags, &DllName, (PVOID*)&BaseOfLoadedDll);\n if (NT_SUCCESS(Status))\n return BaseOfLoadedDll;\n\n BaseSetLastNTError(Status);\n return NULL;\n }\n\n PWSTR Path;\n PWSTR Unknown;\n // Gets the Dll path.\n Status = LdrGetDllPath(DllName.Buffer, (dwFlags & LLEXW_7F08), &Path, &Unknown);\n if (!NT_SUCCESS(Status))\n {\n BaseSetLastNTError(Status);\n return NULL;\n }\n\n // First step into loading a module as datafile.\n Status = fBasepLoadLibraryAsDataFileInternal(&DllName, Path, Unknown, dwFlags, &BaseOfLoadedDll);\n // If the Status is only success (excludes warnings) AND if the module is image resource, loads again. I don't know why.\n if (NT_SUCCESS(Status + 0x80000000) && Status != STATUS_NO_SUCH_FILE && (dwFlags & LOAD_LIBRARY_AS_IMAGE_RESOURCE))\n {\n if (DatafileFlags)\n Status = fBasepLoadLibraryAsDataFileInternal(&DllName, Path, Unknown, DatafileFlags, &BaseOfLoadedDll);\n }\n\n RtlReleasePath(Path);\n BaseSetLastNTError(Status);\n return NULL;\n}\n```\nConverts our given flags to it's own converted flags and calls LdrLoadDll, other way around requires the dll to be loaded as a datafile, which we are not interested in right now.\n
\n## LdrLoadDll\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrLoadDll(PWSTR DllPath, PULONG pFlags, PUNICODE_STRING DllName, PVOID* BaseAddress)\n{\n NTSTATUS Status;\n\n // DllPath can also be used as Flags if called from LoadLibraryExW\n\n UINT_PTR FlagUsed = 0;\n if (pFlags)\n {\n // Only flags that could go through *LoadLibraryExW* were;\n // CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2)\n // LOAD_PACKAGED_LIBRARY (0x4)\n // CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x800000)\n // CNVTD_LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY (0x80000000)\n // So I am assuming the rest of the flags are 0.\n\n UINT_PTR ActualFlags = *pFlags;\n // If LOAD_PACKAGED_LIBRARY (0x4) flag is set (1) FlagUsed becomes CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2), if not set (0) FlagUsed becomes 0.\n FlagUsed = CNVTD_DONT_RESOLVE_DLL_REFERENCES * (ActualFlags & LOAD_PACKAGED_LIBRARY);\n\n // (MSDN about DONT_RESOLVE_DLL_REFERENCES) Note Do not use this value; it is provided only for backward compatibility.\n // If you are planning to access only data or resources in the DLL, use LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE\n // or LOAD_LIBRARY_AS_IMAGE_RESOURCE or both. Otherwise, load the library as a DLL or executable module using the LoadLibrary function.\n FlagUsed |= ((ActualFlags & CNVTD_DONT_RESOLVE_DLL_REFERENCES) ? LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE : NULL);\n FlagUsed |= ((ActualFlags & CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) ? LOAD_LIBRARY_REQUIRE_SIGNED_TARGET : NULL);\n\n // Ignored because ActualFlags can't have 0x1000 (if called from LoadLibraryExW), this value is used probably in calls from different functions.\n FlagUsed |= ((ActualFlags & 0x1000) ? 0x100 : 0x0);\n // Ignored because ActualFlags can't be negative (if called from LoadLibraryExW), this value is used probably in calls from different functions.\n FlagUsed |= ((ActualFlags < 0) ? 0x400000 : 0x0);\n\n // To sum up, in case we are called from LoadLibraryExW, the most flags we can have are;\n // CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80)\n }\n\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x244, \"LdrLoadDll\", 3u, \"DLL name: %wZ\\n\", DllName); )\n\n if ((*LdrpPolicyBits & 4) == 0 && ((USHORT)DllPath & LLDLL_401) == LLDLL_401)\n return STATUS_INVALID_PARAMETER;\n\n // In here it will go in by the first condition, because 8 couldn't be set by LoadLibraryExW.\n if ((FlagUsed & LOAD_WITH_ALTERED_SEARCH_PATH) == 0 || (*LdrpPolicyBits & 8) != 0)\n {\n // If the current thread is a Worker Thread it fails.\n if (NtCurrentTeb()->SameTebFlags & LoaderWorker)\n {\n Status = STATUS_INVALID_THREAD;\n }\n else\n {\n LDR_UNKSTRUCT DllPathInited;\n // There's another LdrpLogInternal inside this function, gonna mess with that later on.\n LdrpInitializeDllPath(DllName->Buffer, DllPath, &DllPathInited);\n\n LDR_DATA_TABLE_ENTRY* DllEntry;\n Status = fLdrpLoadDll(DllName, &DllPathInited, FlagUsed, &DllEntry);\n if (DllPathInited.IsInitedMaybe)\n RtlReleasePath(DllPathInited.pInitNameMaybe);\n\n if (NT_SUCCESS(Status))\n {\n // Changes the actual return value and dereferences the module.\n *BaseAddress = DllEntry->DllBase;\n LdrpDereferenceModule(DllEntry);\n }\n }\n }\n else\n {\n // LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 601, \"LdrLoadDll\", 0, &LdrEntry[176]);\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x259, \"LdrLoadDll\", 0, \"Nonpackaged process attempted to load a packaged DLL.\\n\"); )\n Status = STATUS_NO_APPLICATION_PACKAGE;\n }\n\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x279, \"LdrLoadDll\", 4, \"Status: 0x%08lx\\n\", Status); )\n return Status;\n}\n```\nFlags are re-converted, a check is made to see if the current thread is a worker thread, our path is initialized then LdrpLoadDll is getting called.\n
\n## LdrpLoadDll\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpLoadDll(PUNICODE_STRING DllName, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, LDR_DATA_TABLE_ENTRY** DllEntry)\n{\n NTSTATUS Status;\n\n WID_HIDDEN( LdrpLogDllState(0, DllName, 0x14A8); )\n\n // Flags is passed by value so no need to create a backup, it's already a backup by itself.\n // MOST FLAGS = CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80)\n\n // Creates a new unicode_string and allocates it some buffer.\n UNICODE_STRING FullDllPath;\n WCHAR Buffer[128];\n FullDllPath.Length = 0;\n FullDllPath.MaximumLength = MAX_PATH - 4;\n FullDllPath.Buffer = Buffer;\n Buffer[0] = 0;\n \n // Returns the Absolute path\n // If a non-relative path was given then the flags will be ORed with LOAD_LIBRARY_SEARCH_APPLICATION_DIR (0x200) | LOAD_LIBRARY_SEARCH_USER_DIRS (0x400)\n // resulting in the MOST FLAGS being:\n // CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80) |\n // LOAD_LIBRARY_SEARCH_APPLICATION_DIR (0x200) | LOAD_LIBRARY_SEARCH_USER_DIRS (0x400)\n Status = LdrpPreprocessDllName(DllName, &FullDllPath, 0, &Flags);\n\n if (NT_SUCCESS(Status))\n // A even deeper function, by far we can see Windows is kinda all *wrapped* around each other.\n fLdrpLoadDllInternal(&FullDllPath, DllPathInited, Flags, ImageDll, 0, 0, DllEntry, &Status, 0);\n\n if (Buffer != FullDllPath.Buffer)\n NtdllpFreeStringRoutine(FullDllPath.Buffer);\n\n // I don't see no point in this but anyways.\n FullDllPath.Length = 0;\n FullDllPath.MaximumLength = MAX_PATH - 4;\n FullDllPath.Buffer = Buffer;\n Buffer[0] = 0;\n WID_HIDDEN( LdrpLogDllState(0, DllName, 0x14A9); )\n return Status;\n}\n```\nA fairly smaller one than the last, the main purpose of it is to divide our path given into meaningful parts by LdrpPreprocessDllName then calling LdrpLoadDllInternal using that.\n
\n## LdrpLoadDllInternal\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpLoadDllInternal(PUNICODE_STRING FullPath, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, ULONG LdrFlags, PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2, PLDR_DATA_TABLE_ENTRY* DllEntry, NTSTATUS* pStatus, ULONG Zero)\n{\n NTSTATUS Status;\n\n // NOTES:\n // I assumed that LdrFlags (which was sent as 0x4 (ImageDll) by LdrpLoadDll) is the same flags inside LDR_DATA_TABLE_ENTRY.\n // LdrEntry & LdrEntry2 were both sent as 0s by LdrpLoadDll.\n // \n // Instead of using gotos which causes the local variables to be initialized in the start of the function (making it look not good in my opinion)\n // I created a do-while loop. The outcome won't be affected.\n //\n // MOST FLAGS = CONVERTED_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80)\n // LOAD_LIBRARY_SEARCH_APPLICATION_DIR (0x200) | LOAD_LIBRARY_SEARCH_USER_DIRS (0x400)\n\n WID_HIDDEN(LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x379, \"LdrpLoadDllInternal\", 3, \"DLL name: %wZ\\n\", FullPath); )\n\n bool IsWorkerThread = false;\n do\n {\n *DllEntry = 0;\n LdrEntry = LdrEntry2;\n\n // This will go in.\n if (LdrFlags != (PackagedBinary | LoadNotificationsSent))\n {\n // This function does some prior setup, incrementing the module load count is done inside here.\n Status = LdrpFastpthReloadedDll(FullPath, Flags, LdrEntry2, DllEntry); // returns STATUS_DLL_NOT_FOUND in normal circumstances.\n\n // If not an actual nt success (excludes warnings)\n if (!(NT_SUCCESS((int)(Status + 0x80000000))) || Status == STATUS_IMAGE_LOADED_AS_PATCH_IMAGE)\n {\n *pStatus = Status;\n break;\n }\n }\n\n IsWorkerThread = ((NtCurrentTeb()->SameTebFlags & LoadOwner) == 0);\n if (IsWorkerThread)\n LdrpDrainWorkQueue(WaitLoadComplete);\n\n // This won't go in so we can ignore it. I still did simplifying though.\n // Because the LdrFlags was sent 0x4 (ImageDll), we can ignore this one.\n if (LdrFlags == (PackagedBinary | LoadNotificationsSent))\n {\n Status = LdrpFindLoadedDllByHandle(Zero, &LdrEntry, 0);\n if (!NT_SUCCESS(Status))\n {\n if (FullPath->Buffer)\n LdrpFreeUnicodeString(FullPath);\n\n *pStatus = Status;\n if (IsWorkerThread)\n LdrpDropLastInProgressCount();\n break;\n }\n\n if (LdrEntry->HotPatchState == LdrHotPatchFailedToPatch)\n {\n Status = STATUS_PATCH_CONFLICT;\n\n // goto FREE_DLLNAMEPREPROCANDRETURN;\n if (FullPath->Buffer)\n LdrpFreeUnicodeString(FullPath);\n\n *pStatus = Status;\n if (IsWorkerThread)\n LdrpDropLastInProgressCount();\n break;\n }\n\n Status = LdrpQueryCurrentPatch(LdrEntry->CheckSum, LdrEntry->TimeDateStamp, FullPath);\n if (!NT_SUCCESS(Status))\n {\n // goto FREE_DLLNAMEPREPROCANDRETURN;\n if (FullPath->Buffer)\n LdrpFreeUnicodeString(FullPath);\n\n *pStatus = Status;\n if (IsWorkerThread)\n LdrpDropLastInProgressCount();\n break;\n }\n\n if (!FullPath->Length)\n {\n if (LdrEntry->ActivePatchImageBase)\n Status = LdrpUndoPatchImage(LdrEntry);\n\n // goto FREE_DLLNAMEPREPROCANDRETURN;\n if (FullPath->Buffer)\n LdrpFreeUnicodeString(FullPath);\n\n *pStatus = Status;\n if (IsWorkerThread)\n LdrpDropLastInProgressCount();\n\n break;\n }\n\n // LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x3FA, \"LdrpLoadDllInternal\", 2u, &::LdrEntry[232], FullPath);\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x3FA, \"LdrpLoadDllInternal\", 2, \"Loading patch image: %wZ\\n\", FullPath); )\n }\n\n // Opens a token to the current thread and sets GLOBAL variable LdrpMainThreadToken with that token.\n LdrpThreadTokenSetMainThreadToken(); // returns STATUS_NO_TOKEN in normal circumstances.\n\n LDR_DATA_TABLE_ENTRY* pLdrEntryLoaded = 0;\n // This will go in by the first check LdrEntry2 because it was sent as 0 in LdrpLoadDll.\n if (!LdrEntry || !IsWorkerThread || LdrEntry->DdagNode->LoadCount)\n {\n // I checked the function, it detects a hook by byte scanning these following functions;\n // • ntdll!NtOpenFile\n // • ntdll!NtCreateSection\n // • ntdll!ZqQueryAttributes\n // • ntdll!NtOpenSection\n // • ntdll!ZwMapViewOfSection\n // Resulting in the global variable LdrpDetourExist to be set if there's a hook, didn't checked what's done with it though.\n LdrpDetectDetour();\n\n // [IGNORE THIS] Finds the module, increments the loaded module count. [IGNORE THIS]\n // [IGNORE THIS] It can go to another direction if the Flag LOAD_LIBRARY_SEARCH_APPLICATION_DIR was set, but that couldn't be set coming from LoadLibraryExW. [IGNORE THIS]\n // If LoadLibrary was given an absolute path, Flags will have LOAD_LIBRARY_SEARCH_APPLICATION_DIR causing this function to call LdrpLoadKnownDll.\n // In our case LdrpFindOrPrepareLoadingModule actually returns STATUS_DLL_NOT_FOUND, which I thought was a bad thing but after checking up inside\n // inside LdrpProcessWork it didn't looked that bad.\n // So our dll loading part is actually inside LdrpProcessWork (for calling LoadLibraryExW with an absolute path and 0 flags at least)\n\n //Status = LdrpFindOrPrepareLoadingModule(FullPath, DllPathInited, Flags, LdrFlags, LdrEntry, &pLdrEntryLoaded, pStatus);\n Status = LdrpFindOrPrepareLoadingModule(FullPath, DllPathInited, Flags, LdrFlags, LdrEntry, &pLdrEntryLoaded, pStatus);\n if (Status == STATUS_DLL_NOT_FOUND)\n // Even if the DllMain call succeeds, there's still runtime bugs on the dll side, like the dll not being able to unload itself and such. So I still got\n // a lot of work to do.\n fLdrpProcessWork(pLdrEntryLoaded->LoadContext, TRUE);\n else if (Status != STATUS_RETRY && !NT_SUCCESS(Status))\n *pStatus = Status;\n }\n else\n {\n *pStatus = STATUS_DLL_NOT_FOUND;\n }\n\n LdrpDrainWorkQueue(WaitWorkComplete);\n\n if (*LdrpMainThreadToken)\n // Closes the token handle, and sets GLOBAL variable LdrpMainThreadToken to 0.\n LdrpThreadTokenUnsetMainThreadToken();\n\n if (pLdrEntryLoaded)\n {\n *DllEntry = LdrpHandleReplacedModule(pLdrEntryLoaded);\n if (pLdrEntryLoaded != *DllEntry)\n {\n LdrpFreeReplacedModule(pLdrEntryLoaded);\n pLdrEntryLoaded = *DllEntry;\n if (pLdrEntryLoaded->LoadReason == LoadReasonPatchImage && LdrFlags != (PackagedBinary | LoadNotificationsSent))\n *pStatus = STATUS_IMAGE_LOADED_AS_PATCH_IMAGE;\n }\n\n if (pLdrEntryLoaded->LoadContext)\n LdrpCondenseGraph(pLdrEntryLoaded->DdagNode);\n\n if (NT_SUCCESS(*pStatus))\n {\n // [IGNORE THIS] In here I realized that the module must have already been loaded to be prepared for execution.\n // [IGNORE THIS] So I've gone a little back and realized the actual loading was done in the LdrpDrainWorkQueue function.\n // Doing more research revealed it was inside LdrpProcessWork after LdrpFindOrPrepareLoadingModule returning STATUS_DLL_NOT_FOUND.\n\n Status = fLdrpPrepareModuleForExecution(pLdrEntryLoaded, pStatus);\n *pStatus = Status;\n if (NT_SUCCESS(Status))\n {\n Status = LdrpBuildForwarderLink(LdrEntry, pLdrEntryLoaded);\n *pStatus = Status;\n if (NT_SUCCESS(Status) && !*LdrInitState)\n LdrpPinModule(pLdrEntryLoaded);\n }\n\n // Because the LdrFlags was sent 0x4 (ImageDll), we can ignore this one too.\n if (LdrFlags == (PackagedBinary | LoadNotificationsSent) && LdrEntry->ActivePatchImageBase != pLdrEntryLoaded->DllBase)\n {\n if (pLdrEntryLoaded->HotPatchState == LdrHotPatchFailedToPatch)\n {\n *pStatus = STATUS_DLL_INIT_FAILED;\n }\n else\n {\n Status = LdrpApplyPatchImage(pLdrEntryLoaded);\n *pStatus = Status;\n if (!NT_SUCCESS(Status))\n {\n //UNICODE_STRING Names[4];\n //Names[0] = pLdrEntryLoaded->FullDllName;\n //WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x4AF, \"LdrpLoadDllInternal\", 0, \"Applying patch \\\"%wZ\\\" failed\\n\", Names); )\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x4AF, \"LdrpLoadDllInternal\", 0, \"Applying patch \\\"%wZ\\\" failed\\n\", pLdrEntryLoaded->FullDllName); )\n }\n }\n }\n }\n LdrpFreeLoadContextOfNode(pLdrEntryLoaded->DdagNode, pStatus);\n if (!NT_SUCCESS(*pStatus) && (LdrFlags != (PackagedBinary | LoadNotificationsSent) || pLdrEntryLoaded->HotPatchState != LdrHotPatchAppliedReverse))\n {\n *DllEntry = 0;\n LdrpDecrementModuleLoadCountEx(pLdrEntryLoaded, 0);\n LdrpDereferenceModule(pLdrEntryLoaded);\n }\n }\n else\n {\n *pStatus = STATUS_NO_MEMORY;\n }\n } while (FALSE);\n\n // LoadNotificationsSent (0x8) | PackagedBinary (0x1)\n // Because the LdrFlags was sent 0x4 (ImageDll), we can ignore this one too.\n if (LdrFlags == (LoadNotificationsSent | PackagedBinary) && LdrEntry)\n LdrpDereferenceModule(LdrEntry);\n\n // Actually returns what LdrpLogInternal returns.\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x52E, \"LdrpLoadDllInternal\", 4, \"Status: 0x%08lx\\n\", *pStatus); )\n return *pStatus;\n}\n```\nThe main course of action of this function is to check whether the dll was already loaded and waiting to be executed, or is going to be patched, or a new dll is going to be loaded, if it's a new dll (which is our case) it first goes by LdrpProcessWork to start the mapping process, then after that call succeeds goes on by LdrpPrepareModuleForExecution to execute the mapped dll.\n
\n## LdrpProcessWork\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpProcessWork(PLDRP_LOAD_CONTEXT LoadContext, BOOLEAN IsLoadOwner)\n{\n NTSTATUS Status;\n\n // Converted goto to do-while loop.\n do\n {\n Status = *LoadContext->pStatus;\n if (!NT_SUCCESS(Status))\n break;\n\n // Caused most likely because CONTAINING_RECORD macro was used, I have no idea what's going on.\n // Also the structure used (LDRP_LOAD_CONTEXT) isn't documented, that's what I've got out of it so far.\n if ((UINT_PTR)LoadContext->WorkQueueListEntry.Flink[9].Blink[3].Blink & UINT_MAX)\n {\n Status = fLdrpSnapModule(LoadContext);\n }\n else\n {\n if (LoadContext->Flags & 0x100000)\n {\n Status = fLdrpMapDllRetry(LoadContext);\n }\n // We will continue from here since we have the LOAD_LIBRARY_SEARCH_APPLICATION_DIR flag, and also the function name is exactly representing\n // what we are expecting to happen.\n else if (LoadContext->Flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR)\n {\n Status = fLdrpMapDllFullPath(LoadContext);\n }\n else\n {\n Status = fLdrpMapDllSearchPath(LoadContext);\n }\n if (NT_SUCCESS(Status) || Status == STATUS_RETRY)\n break;\n\n WID_HIDDEN( Status = LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrmap.c\", 0x7D2, \"LdrpProcessWork\", 0, \"Unable to load DLL: \\\"%wZ\\\", Parent Module: \\\"%wZ\\\", Status: 0x%x\\n\", LoadContext, ((UINT_PTR)&LoadContext->Entry->FullDllName & (UINT_PTR)LoadContext->Entry >> 64), Status); )\n // This part is for failed cases so we can ignore it.\n if (Status == STATUS_DLL_NOT_FOUND)\n {\n WID_HIDDEN( LdrpLogError(STATUS_DLL_NOT_FOUND, 0x19, 0, LoadContext); )\n WID_HIDDEN( LdrpLogDeprecatedDllEtwEvent(LoadContext); )\n WID_HIDDEN( LdrpLogLoadFailureEtwEvent((PVOID)LoadContext, (PVOID)(((UINT_PTR)(LoadContext->Entry->EntryPointActivationContext) & ((UINT_PTR)(LoadContext->Entry) >> 64))), STATUS_DLL_NOT_FOUND, LoadFailure, 0); )\n\n //PLDR_DATA_TABLE_ENTRY DllEntry = (PLDR_DATA_TABLE_ENTRY)LoadContext->WorkQueueListEntry.Flink;\n LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n if (DllEntry->FlagGroup[0] & ProcessStaticImport)\n {\n WID_HIDDEN( Status = LdrpReportError(LoadContext, 0, STATUS_DLL_NOT_FOUND); )\n }\n }\n }\n if (!NT_SUCCESS(Status))\n {\n *LoadContext->pStatus = Status;\n }\n } while (FALSE);\n\n if (!IsLoadOwner)\n {\n bool SetWorkCompleteEvent;\n\n RtlEnterCriticalSection(LdrpWorkQueueLock);\n --(*LdrpWorkInProgress);\n if (*LdrpWorkQueue != (LIST_ENTRY*)LdrpWorkQueue || (SetWorkCompleteEvent = TRUE, *LdrpWorkInProgress != 1))\n SetWorkCompleteEvent = FALSE;\n Status = RtlLeaveCriticalSection(LdrpWorkQueueLock);\n if (SetWorkCompleteEvent)\n Status = ZwSetEvent(*LdrpWorkCompleteEvent, 0);\n }\n\n return Status;\n}\n```\nGoes in an according direction depending by the path type given, in our case we have an absolute path, so we continue by LdrpMapDllFullPath.\n
\n## LdrpMapDllFullPath\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllFullPath(PLDRP_LOAD_CONTEXT LoadContext)\n{\n NTSTATUS Status;\n \n //LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\n LDRP_FILENAME_BUFFER FileNameBuffer; \n\n FileNameBuffer.pFileName.Buffer = FileNameBuffer.FileName;\n FileNameBuffer.pFileName.Length = 0;\n FileNameBuffer.pFileName.MaximumLength = MAX_PATH - 4;\n FileNameBuffer.FileName[0] = 0;\n\n // Sets the according members of the DllEntry\n Status = LdrpResolveDllName(LoadContext, &FileNameBuffer, &DllEntry->BaseDllName, &DllEntry->FullDllName, LoadContext->Flags);\n do\n {\n if (LoadContext->UnknownPtr)\n {\n if (!NT_SUCCESS(Status))\n break;\n }\n else\n {\n Status = LdrpAppCompatRedirect(LoadContext, &DllEntry->FullDllName, &DllEntry->BaseDllName, &FileNameBuffer, Status);\n if (!NT_SUCCESS(Status))\n break;\n\n // Hashes the dll name\n ULONG BaseDllNameHash = LdrpHashUnicodeString(&DllEntry->BaseDllName);\n DllEntry->BaseNameHashValue = BaseDllNameHash;\n\n LDR_DATA_TABLE_ENTRY* LoadedDll = nullptr;\n\n // Most likely checks if the dll was already mapped/loaded.\n LdrpFindExistingModule(&DllEntry->BaseDllName, &DllEntry->FullDllName, LoadContext->Flags, BaseDllNameHash, &LoadedDll);\n if (LoadedDll)\n {\n LdrpLoadContextReplaceModule(LoadContext, LoadedDll);\n break;\n }\n }\n\n // After this function the dll is mapped.\n Status = fLdrpMapDllNtFileName(LoadContext, &FileNameBuffer);\n if (Status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH)\n Status = STATUS_INVALID_IMAGE_FORMAT;\n } while (FALSE);\n\n if (FileNameBuffer.FileName != FileNameBuffer.pFileName.Buffer)\n NtdllpFreeStringRoutine(FileNameBuffer.pFileName.Buffer);\n\n return Status;\n}\n```\nSets up a LDRP_FILENAME_BUFFER structure, basically representing each portion of a path (base part, absolute part, etc.), hashes the **base** dll name and checks if it was already loaded, if it's not (our case) it goes on by calling LdrpMapDllNtFileName.\n
\n## LdrpMapDllNtFileName\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllNtFileName(PLDRP_LOAD_CONTEXT LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer) // CHECKED.\n{\n NTSTATUS Status;\n\n //LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n INT64 UnknownPtr = LoadContext->UnknownPtr;\n LONG Unknown = 0;\n if (LdrpCheckForRetryLoading(LoadContext, 0))\n return STATUS_RETRY;\n\n PUNICODE_STRING FullDllName = &DllEntry->FullDllName;\n WID_HIDDEN( LdrpLogDllState((ULONGLONG)DllEntry->DllBase, &DllEntry->FullDllName, 0x14A5); )\n //OBJ_CASE_INSENSITIVE \n ULONG ObjAttributes = OBJ_CASE_INSENSITIVE;\n if (!*LdrpUseImpersonatedDeviceMap)\n ObjAttributes = (OBJ_IGNORE_IMPERSONATED_DEVICEMAP | OBJ_CASE_INSENSITIVE);\n\n OBJECT_ATTRIBUTES ObjectAttributes;\n ObjectAttributes.Length = 0x30;\n ObjectAttributes.RootDirectory = 0;\n ObjectAttributes.Attributes = ObjAttributes;\n ObjectAttributes.ObjectName = &FileNameBuffer->pFileName;\n ObjectAttributes.SecurityDescriptor = 0;\n ObjectAttributes.SecurityQualityOfService = 0;\n\n PCHAR NtPathStuff = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2];\n PCHAR Unknown2 = 0;\n if (RtlGetCurrentServiceSessionId())\n Unknown2 = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253];\n else\n Unknown2 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2];\n\n PCHAR NtPathStuff2 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n if (*Unknown2 && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled))\n {\n //: (char*)0x7FFE0385;\n PCHAR NtPathStuff3 = RtlGetCurrentServiceSessionId() ? (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1 : (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n \n // 0x20 is SPACE char\n if ((*NtPathStuff3 & ' '))\n LdrpLogEtwEvent(0x1485, -1, 0xFFu, 0xFFu);\n }\n\n // SYSTEM_FLAGS_INFORMATION\n if ((NtCurrentPeb()->NtGlobalFlag & FLG_ENABLE_KDEBUG_SYMBOL_LOAD))\n {\n WID_HIDDEN( ZwSystemDebugControl(); )\n }\n\n HANDLE FileHandle;\n while (TRUE)\n { \n IO_STATUS_BLOCK IoStatusBlock; \n Status = NtOpenFile(&FileHandle, SYNCHRONIZE | FILE_TRAVERSE | FILE_LIST_DIRECTORY, &ObjectAttributes, &IoStatusBlock, 5, 0x60);\n if (NT_SUCCESS(Status))\n break;\n\n if (Status == STATUS_OBJECT_NAME_NOT_FOUND || Status == STATUS_OBJECT_PATH_NOT_FOUND)\n return STATUS_DLL_NOT_FOUND;\n\n if (Status != STATUS_ACCESS_DENIED || Unknown || !LdrpCheckComponentOnDemandEtwEvent(LoadContext))\n return Status;\n\n Unknown = TRUE;\n }\n\n ULONG SigningLevel;\n ULONG AllocationAttributes = 0;\n if (*LdrpAuditIntegrityContinuity && (Status = LdrpValidateIntegrityContinuity(LoadContext, FileHandle), !NT_SUCCESS(Status)) && *LdrpEnforceIntegrityContinuity || \n (AllocationAttributes = MEM_IMAGE, (LoadContext->Flags & MEM_IMAGE)) && (NtCurrentPeb()->BitField & IsPackagedProcess) == 0 &&\n // (Status = LdrpSetModuleSigningLevel(FileHandle, (PLDR_DATA_TABLE_ENTRY)LoadContext->WorkQueueListEntry.Flink, &SigningLevel, 8), !NT_SUCCESS(Status)))\n (Status = LdrpSetModuleSigningLevel(FileHandle, CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks), &SigningLevel, 8), !NT_SUCCESS(Status)))\n {\n NtClose(FileHandle);\n return Status;\n }\n\n if (*UseWOW64 && (LoadContext->Flags & 0x800) == 0)\n AllocationAttributes = MEM_IMAGE | MEM_TOP_DOWN;\n\n HANDLE SectionHandle;\n Status = NtCreateSection(&SectionHandle, SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE, 0, 0, PAGE_EXECUTE, AllocationAttributes, FileHandle);\n if (!NT_SUCCESS(Status))\n {\n if (Status == STATUS_NEEDS_REMEDIATION || (Status + 0x3FFFFB82) <= 1)\n {\n Status = LdrAppxHandleIntegrityFailure(Status);\n }\n else if (Status != STATUS_NO_MEMORY && Status != STATUS_INSUFFICIENT_RESOURCES && Status != STATUS_COMMITMENT_LIMIT)\n {\n LDR_UNKSTRUCT2 NtHardParameters;\n NtHardParameters.Name = FullDllName;\n NtHardParameters.Status = Status;\n // Semi-documented in http://undocumented.ntinternals.net/\n HARDERROR_RESPONSE Response;\n if (NT_SUCCESS(NtRaiseHardError(STATUS_INVALID_IMAGE_FORMAT, 2, 1, (INT*)&NtHardParameters, OptionOk, &Response)) && *LdrInitState != 3)\n {\n ++(*LdrpFatalHardErrorCount);\n }\n }\n WID_HIDDEN( LdrpLogError(Status, 0x1485u, 0, FullDllName); )\n NtClose(FileHandle);\n return Status;\n }\n if (RtlGetCurrentServiceSessionId())\n NtPathStuff = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253];\n if (*NtPathStuff && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0)\n {\n if (RtlGetCurrentServiceSessionId())\n NtPathStuff2 = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1;\n\n // 0x20 is SPACE char.\n if ((*NtPathStuff2 & ' ') != 0)\n WID_HIDDEN( LdrpLogEtwEvent(0x1486, -1, 0xFFu, 0xFFu); )\n }\n if (!*UseWOW64 && (LoadContext->Flags & 0x100) == 0 && (Status = LdrpCodeAuthzCheckDllAllowed(FileNameBuffer, FileHandle), NT_SUCCESS((LONG)(Status + 0x80000000))) && Status != STATUS_NOT_FOUND || (Status = fLdrpMapDllWithSectionHandle(LoadContext, SectionHandle), !UnknownPtr) || !NT_SUCCESS(Status))\n {\n NtClose(SectionHandle);\n NtClose(FileHandle);\n return Status;\n }\n LoadContext->FileHandle = FileHandle;\n LoadContext->SectionHandle = SectionHandle;\n return Status;\n}\n```\nOpens the file with NtOpenFile, creates a section using NtCreateSection to be able to map the dll, continues with calling LdrpMapDllWithSectionHandle.\n
\n## LdrpMapDllWithSectionHandle\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllWithSectionHandle(PLDRP_LOAD_CONTEXT LoadContext, HANDLE SectionHandle) // CHECKED.\n{\n NTSTATUS Status;\n NTSTATUS Status2;\n NTSTATUS Status3;\n NTSTATUS Status4;\n \n int v19[14];\n\n LDR_DATA_TABLE_ENTRY* LdrEntry2;\n\n // Mapping mechanism.\n Status = fLdrpMinimalMapModule(LoadContext, SectionHandle);\n Status2 = Status;\n if (Status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH)\n return Status2;\n\n if (!NT_SUCCESS(Status))\n return Status2;\n\n //LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n SIZE_T Size = LoadContext->Size;\n LDR_DATA_TABLE_ENTRY* LdrEntry = nullptr;\n Status3 = Status;\n\n PIMAGE_NT_HEADERS OutHeaders;\n Status2 = RtlImageNtHeaderEx(0, DllEntry->DllBase, Size, &OutHeaders);\n if (!NT_SUCCESS(Status2))\n return Status2;\n\n if (LoadContext->Flags & SEC_FILE)\n {\n Status3 = STATUS_SUCCESS;\n DllEntry->TimeDateStamp = OutHeaders->FileHeader.TimeDateStamp;\n DllEntry->CheckSum = OutHeaders->OptionalHeader.CheckSum;\n DllEntry->SizeOfImage = OutHeaders->OptionalHeader.SizeOfImage;\n }\n else\n {\n RtlAcquireSRWLockExclusive(LdrpModuleDatatableLock);\n UINT_PTR Flags = (LoadContext->Flags) & UINT_MAX;\n PUNICODE_STRING FullDllName_2 = 0;\n if ((Flags & 0x20) == 0)\n FullDllName_2 = &DllEntry->FullDllName;\n\n\n // Returns STATUS_DLL_NOT_FOUND is normal situations.\n Status4 = LdrpFindLoadedDllByNameLockHeld(&DllEntry->BaseDllName, FullDllName_2, Flags, &LdrEntry, DllEntry->BaseNameHashValue);\n if (Status4 == STATUS_DLL_NOT_FOUND)\n {\n PIMAGE_DOS_HEADER DllBase = DllEntry->DllBase;\n v19[0] = OutHeaders->FileHeader.TimeDateStamp;\n v19[1] = OutHeaders->OptionalHeader.SizeOfImage;\n LdrpFindLoadedDllByMappingLockHeld(DllBase, OutHeaders, (ULONG*)v19, &LdrEntry);\n }\n\n if (!LdrEntry)\n {\n LdrpInsertDataTableEntry(DllEntry);\n LdrpInsertModuleToIndexLockHeld(DllEntry, OutHeaders);\n }\n\n RtlReleaseSRWLockExclusive(LdrpModuleDatatableLock);\n if (LdrEntry)\n {\n if (DllEntry->LoadReason != LoadReasonPatchImage || LdrEntry->LoadReason == LoadReasonPatchImage)\n {\n LdrpLoadContextReplaceModule(LoadContext, LdrEntry);\n }\n else\n {\n Status2 = STATUS_IMAGE_LOADED_AS_PATCH_IMAGE;\n WID_HIDDEN( LdrpLogEtwHotPatchStatus(&(*LdrpImageEntry)->BaseDllName, LoadContext->Entry, &DllEntry->FullDllName, STATUS_IMAGE_LOADED_AS_PATCH_IMAGE, 3); )\n LdrpDereferenceModule(LdrEntry);\n }\n return Status2;\n }\n }\n if (*qword_17E238 == NtCurrentTeb()->ClientId.UniqueThread)\n return STATUS_NOT_FOUND;\n\n Status2 = fLdrpCompleteMapModule(LoadContext, OutHeaders, Status3);\n if (NT_SUCCESS(Status2))\n {\n Status2 = fLdrpProcessMappedModule(DllEntry, LoadContext->Flags & UINT_MAX, 1);\n if (NT_SUCCESS(Status2))\n {\n WID_HIDDEN( LdrpLogNewDllLoad(LoadContext->Entry, DllEntry); )\n LdrEntry2 = LoadContext->Entry;\n if (LdrEntry2)\n DllEntry->ParentDllBase = LdrEntry2->DllBase;\n\n BOOLEAN DllBasesEqual = FALSE;\n if (DllEntry->LoadReason == LoadReasonPatchImage && *LdrpImageEntry)\n DllBasesEqual = DllEntry->ParentDllBase == (*LdrpImageEntry)->DllBase;\n\n if ((LoadContext->Flags & SEC_FILE) || (DllEntry->FlagGroup[0] & ImageDll) || DllBasesEqual)\n {\n if ((DllEntry->Flags & CorILOnly))\n {\n return fLdrpCorProcessImports(DllEntry);\n }\n else\n {\n fLdrpMapAndSnapDependency(LoadContext);\n return *LoadContext->pStatus;\n }\n }\n else\n {\n WID_HIDDEN( LdrpLogDllState((ULONG)DllEntry->DllBase, &DllEntry->FullDllName, 0x14AEu); )\n Status2 = STATUS_SUCCESS;\n DllEntry->DdagNode->State = LdrModulesReadyToRun;\n }\n }\n }\n\n return Status2;\n}\n```\nMaps a view of section inside LdrpMinimalMapModule, validates the image inside LdrpCompleteMapModule, handles relocations inside LdrpProcessMappedModule, updates state inside LdrpCorProcessImports, goes on by calling LdrpMapAndSnapDependency.\n
\n## LdrpMapAndSnapDependency\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapAndSnapDependency(PLDRP_LOAD_CONTEXT LoadContext)\n{\n NTSTATUS Status;\n \n LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n BOOLEAN IsFile = (LoadContext->Flags & SEC_FILE);\n BOOLEAN FullPathExists = 0;\n\n UNICODE_STRING FullPath;\n memset(&FullPath, 0, sizeof(FullPath));\n\n do\n {\n if (!IsFile)\n {\n if (DllEntry->LoadReason != LoadReasonPatchImage)\n {\n Status = LdrpFindDllActivationContext(DllEntry);\n if (!NT_SUCCESS(Status))\n break;\n }\n }\n\n Status = fLdrpPrepareImportAddressTableForSnap(LoadContext);\n if (!NT_SUCCESS(Status))\n break;\n\n ULONG CurrentDllDecremented = 0;\n ULONG OldCurrentDll = 0;\n if (*LdrpIsHotPatchingEnabled)\n {\n DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n if (DllEntry)\n {\n Status = LdrpQueryCurrentPatch(DllEntry->CheckSum, DllEntry->TimeDateStamp, &FullPath);\n if (!NT_SUCCESS(Status))\n break;\n\n if (FullPath.Length)\n FullPathExists = TRUE;\n }\n }\n\n PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = nullptr;\n if (LoadContext->pImageImportDescriptor || FullPathExists)\n {\n if (LdrpShouldModuleImportBeRedirected(DllEntry))\n LoadContext->Flags |= 0x2000000u;\n\n ImageImportDescriptor = LdrpGetImportDescriptorForSnap(LoadContext);\n ULONG IATSize = 0;\n PIMAGE_THUNK_DATA32 FirstThunk = (PIMAGE_THUNK_DATA32)&ImageImportDescriptor->FirstThunk;\n\n BOOLEAN JumpIn = FALSE;\n if (ImageImportDescriptor)\n {\n PIMAGE_THUNK_DATA32 FirstThunk2 = (IMAGE_THUNK_DATA32*)&ImageImportDescriptor->FirstThunk;\n ULONG DllBaseIncremented = 0;\n do\n {\n if (!FirstThunk2[-1].u1.ForwarderString)\n break;\n\n ULONG ForwarderString = FirstThunk2->u1.ForwarderString;\n if (!FirstThunk2->u1.ForwarderString)\n break;\n\n ULONG DllBaseIncremented_2 = DllBaseIncremented + 1;\n FirstThunk2 += 5;\n ++IATSize;\n if (!*(UINT_PTR*)((char*)&DllEntry->DllBase->e_magic + ForwarderString))\n DllBaseIncremented_2 = DllBaseIncremented;\n\n DllBaseIncremented = DllBaseIncremented_2;\n } while (FirstThunk2 != (IMAGE_THUNK_DATA32*)16);\n\n OldCurrentDll = DllBaseIncremented;\n if (DllBaseIncremented)\n JumpIn = TRUE;\n }\n\n BOOLEAN JumpOut = FALSE;\n if (JumpIn || FullPathExists)\n {\n PVOID* Heap = (PVOID*)RtlAllocateHeap(*LdrpHeap, (*NtdllBaseTag + 0x180000) | 8u, 8 * IATSize);\n LoadContext->IATCheck = (LDR_DATA_TABLE_ENTRY**)Heap;\n if (Heap)\n {\n LoadContext->SizeOfIAT = IATSize;\n LoadContext->GuardCFCheckFunctionPointer = ImageImportDescriptor;\n LoadContext->CurrentDll = OldCurrentDll + 1;\n if (FullPathExists)\n LoadContext->CurrentDll = OldCurrentDll + 2;\n\n PIMAGE_THUNK_DATA pThunk = nullptr;\n UINT_PTR IATAmount = 0;\n if (ImageImportDescriptor)\n {\n while (FirstThunk[-1].u1.ForwarderString && FirstThunk->u1.ForwarderString)\n {\n PIMAGE_DOS_HEADER DllBase = DllEntry->DllBase;\n if (*(UINT_PTR*)((char*)&DllBase->e_magic + FirstThunk->u1.ForwarderString))\n {\n ULONG ForwarderString_2 = FirstThunk[-1].u1.ForwarderString;\n IsFile = (PIMAGE_IMPORT_BY_NAME)(ForwarderString_2 + (UINT_PTR)DllBase) != 0;\n PCHAR ForwarderBuffer = (PCHAR)(ForwarderString_2 + (UINT_PTR)DllBase);\n\n STRING SourceString = {};\n *(UINT_PTR*)&SourceString.Length = 0;\n SourceString.Buffer = ForwarderBuffer;\n if (IsFile)\n {\n SIZE_T SourceLen = -1;\n do\n {\n ++SourceLen;\n } while (ForwarderBuffer[SourceLen]);\n\n if (SourceLen > 0xFFFE)\n {\n Status = STATUS_NAME_TOO_LONG;\n break;\n }\n\n SourceString.Length = SourceLen;\n SourceString.MaximumLength = SourceLen + 1;\n }\n\n Status = LdrpLoadDependentModuleA((PUNICODE_STRING)&SourceString, LoadContext, DllEntry, 0, &LoadContext->IATCheck[IATAmount], (UINT_PTR)&pThunk);\n if (!NT_SUCCESS(Status))\n break;\n }\n\n FirstThunk += 5;\n IATAmount = (ULONG)(IATAmount + 1);\n if (FirstThunk == (PIMAGE_THUNK_DATA32)16)\n break;\n }\n }\n if (FullPathExists)\n {\n // Loads Imports dlls.\n Status = LdrpLoadDependentModuleW(&FullPath, LoadContext, DllEntry);\n if (!NT_SUCCESS(Status))\n WID_HIDDEN(LdrpLogEtwHotPatchStatus(&(*LdrpImageEntry)->BaseDllName, DllEntry, &FullPath, Status, 5u); )\n }\n\n if (pThunk)\n RtlFreeHeap(*LdrpHeap, 0, pThunk);\n\n if (NT_SUCCESS(Status))\n {\n RtlAcquireSRWLockExclusive(LdrpModuleDatatableLock);\n CurrentDllDecremented = --LoadContext->CurrentDll;\n RtlReleaseSRWLockExclusive(LdrpModuleDatatableLock);\n JumpOut = TRUE;\n }\n }\n else\n {\n Status = STATUS_NO_MEMORY;\n }\n }\n\n if (!JumpOut)\n CurrentDllDecremented = OldCurrentDll;\n }\n\n PLDR_DDAG_NODE DdagNode = nullptr;\n PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor = LoadContext->pImageImportDescriptor;\n if (pImageImportDescriptor || !FullPathExists)\n {\n if (CurrentDllDecremented)\n break;\n\n DdagNode = DllEntry->DdagNode;\n if (pImageImportDescriptor)\n {\n DdagNode->State = LdrModulesSnapping;\n if (LoadContext->Entry)\n LdrpQueueWork(LoadContext);\n else\n Status = fLdrpSnapModule(LoadContext);\n break;\n }\n }\n else\n {\n DdagNode = DllEntry->DdagNode;\n }\n\n DdagNode->State = LdrModulesSnapped;\n } while (FALSE);\n\n LdrpFreeUnicodeString(&FullPath);\n if (!NT_SUCCESS(Status))\n {\n *LoadContext->pStatus = Status;\n }\n\n return *LoadContext->pStatus;\n}\n```\nPrepares the Import Address Table (IAT) by calling LdrpPrepareImportAddressTableForSnap, loads the imports of the dll getting loaded, sets the state, continues on by calling LdrpSnapModule which I am quite frank about the actual functionality, but I've seen it handling exports.\n
\n## LdrpPrepareImportAddressTableForSnap\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpPrepareImportAddressTableForSnap(LDRP_LOAD_CONTEXT* LoadContext)\n{\n NTSTATUS Status;\n \n LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\n PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = nullptr;\n UINT_PTR* pImageImportDescriptorLen = (UINT_PTR*)&LoadContext->ImageImportDescriptorLen;\n Status = RtlpImageDirectoryEntryToDataEx(DllEntry->DllBase, 1u, IMAGE_DIRECTORY_ENTRY_IAT, (UINT_PTR*)&LoadContext->ImageImportDescriptorLen, &ImageImportDescriptor);\n if (!NT_SUCCESS(Status))\n ImageImportDescriptor = nullptr;\n\n BOOLEAN IsFile = (LoadContext->Flags & SEC_FILE);\n LoadContext->pImageImportDescriptor = ImageImportDescriptor;\n if (IsFile)\n return STATUS_SUCCESS;\n\n BOOLEAN JumpOver = FALSE;\n\n PIMAGE_NT_HEADERS OutHeaders = nullptr;\n RtlImageNtHeaderEx(3, DllEntry->DllBase, 0, &OutHeaders);\n PIMAGE_LOAD_CONFIG_DIRECTORY ImageConfigDirectory = LdrImageDirectoryEntryToLoadConfig(DllEntry->DllBase);\n if (!ImageConfigDirectory || ImageConfigDirectory->Size < 0x94)\n JumpOver = TRUE;\n\n if (!JumpOver)\n {\n if ((OutHeaders->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF) != 0 && (ImageConfigDirectory->GuardFlags & IMAGE_GUARD_CF_INSTRUMENTED) != 0)\n {\n UINT_PTR* GuardCFCheckFunctionPointer = (UINT_PTR*)ImageConfigDirectory->GuardCFCheckFunctionPointer;\n LoadContext->UnknownFunc = (__int64)GuardCFCheckFunctionPointer;\n if (GuardCFCheckFunctionPointer)\n {\n LoadContext->DllNameLenCompare = *GuardCFCheckFunctionPointer;\n }\n }\n }\n\n do\n {\n if (!LoadContext->pImageImportDescriptor)\n {\n ULONG ImportDirectoryVA = OutHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;\n PIMAGE_SECTION_HEADER FirstSection = (PIMAGE_SECTION_HEADER)((char*)&OutHeaders->OptionalHeader + OutHeaders->FileHeader.SizeOfOptionalHeader);\n if (ImportDirectoryVA)\n {\n ULONG SectionIdx = 0;\n if (OutHeaders->FileHeader.NumberOfSections)\n {\n ULONG SectionVA = 0;\n while (TRUE)\n {\n SectionVA = FirstSection->VirtualAddress;\n if (ImportDirectoryVA >= SectionVA && ImportDirectoryVA < SectionVA + FirstSection->SizeOfRawData)\n break;\n\n ++SectionIdx;\n ++FirstSection;\n\n if (SectionIdx >= OutHeaders->FileHeader.NumberOfSections)\n break;\n }\n\n LoadContext->pImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((char*)DllEntry->DllBase + SectionVA);\n ULONG SectionFA = FirstSection->Misc.PhysicalAddress;\n *pImageImportDescriptorLen = SectionFA;\n if (!SectionFA)\n *pImageImportDescriptorLen = FirstSection->SizeOfRawData;\n }\n }\n }\n } while (FALSE);\n\n PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor = LoadContext->pImageImportDescriptor;\n if (pImageImportDescriptor && *pImageImportDescriptorLen)\n {\n UINT_PTR ImageImportDescriptorLen = *pImageImportDescriptorLen;\n\n NTSTATUS Status_2 = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&pImageImportDescriptor, (PULONG)&ImageImportDescriptorLen, PAGE_READWRITE, (PULONG)&LoadContext->GuardFlags);\n if (!NT_SUCCESS(Status_2))\n return Status_2;\n\n PIMAGE_IMPORT_DESCRIPTOR pNextSectionMaybe = pImageImportDescriptor;\n PIMAGE_IMPORT_DESCRIPTOR pNextImageImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR*)((char*)pImageImportDescriptor + ImageImportDescriptorLen);\n do\n {\n pNextSectionMaybe = (PIMAGE_IMPORT_DESCRIPTOR)((char*)pNextSectionMaybe + 0x1000);\n } while (pNextSectionMaybe < pNextImageImportDescriptor);\n }\n return STATUS_SUCCESS;\n}\n```\nAs the function name, prepares the Import Address Table (IAT) for our loaded dll. After this function we go back to LdrpLoadDllInternal because the mapping process is complete. Proceeding with calling LdrpPrepareModuleForExecution.\n
\n## LdrpPrepareModuleForExecution\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpPrepareModuleForExecution(PLDR_DATA_TABLE_ENTRY LdrEntry, NTSTATUS* pStatus)\n{\n NTSTATUS Status;\n\n Status = STATUS_SUCCESS;\n if (*qword_17E238 == NtCurrentTeb()->ClientId.UniqueThread)\n return Status;\n\n BOOLEAN Skip = FALSE;\n\n LDR_DDAG_NODE* DdagNode = LdrEntry->DdagNode;\n switch (DdagNode->State)\n {\n case LdrModulesSnapped:\n LdrpCondenseGraph(DdagNode);\n case LdrModulesCondensed:\n {\n // This is where we'll start from normally.\n if ((LdrEntry->FlagGroup[0] & ProcessStaticImport) == 0)\n {\n UINT_PTR SubProcessTag = (UINT_PTR)NtCurrentTeb()->SubProcessTag;\n LdrpAddNodeServiceTag(DdagNode, SubProcessTag);\n }\n\n Status = LdrpNotifyLoadOfGraph(DdagNode);\n if (NT_SUCCESS(Status))\n {\n Status = LdrpDynamicShimModule(DdagNode);\n if (!NT_SUCCESS(Status))\n {\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 0x9F3, \"LdrpPrepareModuleForExecution\", 1u, \"Failed to load for appcompat reasons\\n\"); )\n return Status;\n }\n Skip = TRUE;\n }\n\n if (!Skip)\n return Status;\n }\n case LdrModulesReadyToInit:\n LDRP_LOAD_CONTEXT* LoadContext = (LDRP_LOAD_CONTEXT*)LdrEntry->LoadContext;\n if (LoadContext && (LoadContext->Flags & 1) == 0)\n {\n LdrpAcquireLoaderLock();\n\n UINT64 Unknown = 0;\n Status = fLdrpInitializeGraphRecurse(DdagNode, pStatus, (char*)&Unknown);\n\n ULONG64 Unused = 0;\n LdrpReleaseLoaderLock(Unused, 2, Status);\n }\n return Status;\n }\n\n // States end at 9.\n if (DdagNode->State > LdrModulesReadyToRun)\n return STATUS_INTERNAL_ERROR;\n\n return Status;\n}\n```\nAdds a service tag to our module by LdrModulesCondensed, continues by LdrModulesReadyToInit acquiring a Loader lock first then calling LdrpInitializeGraphRecurse.\n
\n## LdrpInitializeGraphRecurse\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpInitializeGraphRecurse(LDR_DDAG_NODE* DdagNode, NTSTATUS* pStatus, char* Unknown)\n{\n NTSTATUS Status = STATUS_SUCCESS;\n\n if (DdagNode->State == LdrModulesInitError)\n return STATUS_DLL_INIT_FAILED;\n\n LDR_DDAG_NODE* DdagNode2 = (LDR_DDAG_NODE*)DdagNode->Dependencies.Tail;\n CHAR Unknown2_2 = 0;\n CHAR Unknown2 = 0;\n\n BOOLEAN JumpIn = FALSE;\n do\n {\n if (DdagNode2)\n {\n LDR_DDAG_NODE* DdagNode2_2 = DdagNode2;\n do\n {\n DdagNode2_2 = (LDR_DDAG_NODE*)DdagNode2_2->Modules.Flink;\n if ((DdagNode2_2->LoadCount & 1) == 0)\n {\n LDR_DDAG_NODE* Blink = (LDR_DDAG_NODE*)DdagNode2_2->Modules.Blink;\n if (Blink->State == LdrModulesReadyToInit)\n {\n Status = fLdrpInitializeGraphRecurse(Blink, pStatus, &Unknown2);\n if (!NT_SUCCESS(Status))\n {\n JumpIn = TRUE;\n break;\n }\n Unknown2_2 = Unknown2;\n }\n else\n {\n if (Blink->State == LdrModulesInitError)\n {\n Status = STATUS_DLL_INIT_FAILED;\n {\n JumpIn = TRUE;\n break;\n }\n }\n if (Blink->State == LdrModulesInitializing)\n Unknown2_2 = 1;\n Unknown2 = Unknown2_2;\n }\n }\n } while (DdagNode2_2 != DdagNode2);\n\n if (JumpIn)\n break;\n\n if (Unknown2_2)\n {\n LDR_DDAG_NODE* DdagNode3 = (LDR_DDAG_NODE*)DdagNode->Modules.Flink;\n *Unknown = 1;\n LDR_SERVICE_TAG_RECORD* ServiceTagList = DdagNode3->ServiceTagList;\n if (ServiceTagList)\n {\n if (pStatus != *(NTSTATUS**)&ServiceTagList[2].ServiceTag)\n return STATUS_SUCCESS;\n }\n }\n }\n } while (FALSE);\n\n if (!JumpIn)\n Status = fLdrpInitializeNode(DdagNode);\n\n if (JumpIn || !NT_SUCCESS(Status))\n DdagNode->State = LdrModulesInitError;\n\n return Status;\n}\n```\nDoes some prior check on the upper area of the function if our DdagNode had dependencies (in our loading case it doesn't so we skip over all the do-while loop), checks for errors and if there are any, sets the state to failed and returns. Otherwise (our case) continues on by calling LdrpInitializeNode.\n
\n## LdrpInitializeNode\n```cpp\nNTSTATUS __fastcall LOADLIBRARY::fLdrpInitializeNode(LDR_DDAG_NODE* DdagNode)\n{\n NTSTATUS Status;\n NTSTATUS Status_2;\n NTSTATUS Status_3;\n\n LDR_DDAG_STATE* pState = &DdagNode->State;\n\n UNICODE_STRING FullDllName;\n *(UINT_PTR*)&FullDllName.Length = (UINT_PTR)&DdagNode->State;\n DdagNode->State = LdrModulesInitializing;\n\n LDR_DATA_TABLE_ENTRY* Blink = (LDR_DATA_TABLE_ENTRY*)DdagNode->Modules.Blink;\n LDR_DATA_TABLE_ENTRY* LdrEntry = *LdrpImageEntry;\n UINT_PTR** v4 = (UINT_PTR**)*qword_1843B8;\n while (Blink != (LDR_DATA_TABLE_ENTRY*)DdagNode)\n {\n if (&Blink[-1].DdagNode != (LDR_DDAG_NODE**)LdrEntry)\n {\n PVOID* p_ParentDllBase = &Blink[-1].ParentDllBase;\n if (*v4 != qword_1843B0)\n __fastfail(3u);\n\n *p_ParentDllBase = qword_1843B0;\n Blink[-1].SwitchBackContext = v4;\n *v4 = (UINT_PTR*)p_ParentDllBase;\n v4 = (UINT_PTR**)&Blink[-1].ParentDllBase;\n *qword_1843B8 = (UINT_PTR**)v4;\n }\n\n Blink = (LDR_DATA_TABLE_ENTRY*)Blink->InLoadOrderLinks.Blink;\n }\n\n Status = STATUS_SUCCESS;\n for (LDR_DATA_TABLE_ENTRY* i = (LDR_DATA_TABLE_ENTRY*)DdagNode->Modules.Blink; i != (LDR_DATA_TABLE_ENTRY*)DdagNode; i = (LDR_DATA_TABLE_ENTRY*)i->InLoadOrderLinks.Blink)\n {\n LDR_DATA_TABLE_ENTRY* LdrEntry_2 = (LDR_DATA_TABLE_ENTRY*)((char*)i - 160);\n if (&i[-1].DdagNode != (LDR_DDAG_NODE**)LdrEntry)\n {\n if (LdrEntry_2->LoadReason == LoadReasonPatchImage)\n {\n Status_2 = LdrpApplyPatchImage((PLDR_DATA_TABLE_ENTRY)&i[-1].DdagNode);\n Status = Status_2;\n if (!NT_SUCCESS(Status_2))\n {\n FullDllName = LdrEntry_2->FullDllName;\n Status_3 = Status_2;\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 1392, \"LdrpInitializeNode\", 0, \"Applying patch \\\"%wZ\\\" failed - Status = 0x%x\\n\", &FullDllName, *(UINT_PTR*)&Status_3); )\n break;\n }\n }\n\n UINT_PTR CurrentDllIniter = *LdrpCurrentDllInitializer;\n *LdrpCurrentDllInitializer = (UINT_PTR)&i[-1].DdagNode;\n PVOID EntryPoint = LdrEntry_2->EntryPoint;\n PUNICODE_STRING pFullDllName = &LdrEntry_2->FullDllName;\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 1411, \"LdrpInitializeNode\", 2u, \"Calling init routine %p for DLL \\\"%wZ\\\"\\n\", EntryPoint, &LdrEntry_2->FullDllName); )\n \n RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED StackFrameExtended;\n StackFrameExtended.Size = 0x48;\n StackFrameExtended.Format = 1;\n memset((char*)&StackFrameExtended.Frame.Previous + 4, 0, 48);\n UINT_PTR v20 = 0;\n RtlActivateActivationContextUnsafeFast(&StackFrameExtended, LdrEntry_2->EntryPointActivationContext);\n if (LdrEntry_2->TlsIndex)\n fLdrpCallTlsInitializers(1i64, (LDR_DATA_TABLE_ENTRY*)&i[-1].DdagNode);\n\n BOOLEAN CallSuccess = TRUE;\n if (EntryPoint)\n {\n LPVOID ContextRecord = nullptr;\n if ((LdrEntry_2->FlagGroup[0] & ProcessStaticImport) != 0)\n ContextRecord = *LdrpProcessInitContextRecord;\n\n CallSuccess = fLdrpCallInitRoutine((BOOL(__stdcall*)(HINSTANCE, DWORD, LPVOID))EntryPoint, LdrEntry_2->DllBase, DLL_PROCESS_ATTACH, ContextRecord);\n }\n\n RtlDeactivateActivationContextUnsafeFast(&StackFrameExtended);\n *LdrpCurrentDllInitializer = CurrentDllIniter;\n LdrEntry_2->Flags |= ProcessAttachCalled;\n if (!CallSuccess)\n {\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 0x5B7, \"LdrpInitializeNode\", 0, \"Init routine %p for DLL \\\"%wZ\\\" failed during DLL_PROCESS_ATTACH\\n\", EntryPoint, pFullDllName); )\n Status = STATUS_DLL_INIT_FAILED;\n LdrEntry_2->Flags |= ProcessAttachFailed;\n break;\n }\n\n WID_HIDDEN( LdrpLogDllState((UINT_PTR)LdrEntry_2->DllBase, pFullDllName, 0x14AEu); )\n LdrEntry = *LdrpImageEntry;\n }\n }\n *pState = Status != 0 ? LdrModulesInitError : LdrModulesReadyToRun;\n return Status;\n}\n```\nSets the state to initializing, goes on by checking if it's purpose is to patch the image (not in our case), if it is, it patches the image by calling LdrpApplyPatchImage, if it's not it goes on by calling LdrpCallTlsInitializers which is self explanatory and finally it calls LdrpCallInitRoutine.\n
\n## LdrpCallInitRoutine\n```cpp\nBOOLEAN __fastcall LOADLIBRARY::fLdrpCallInitRoutine(BOOL(__fastcall* DllMain)(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved), PIMAGE_DOS_HEADER DllBase, unsigned int One, LPVOID ContextRecord)\n{\n BOOLEAN ReturnVal = TRUE;\n\n PCHAR LoggingVar = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2];\n PCHAR LoggingVar2 = 0;\n if (RtlGetCurrentServiceSessionId())\n LoggingVar2 = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253];\n else\n LoggingVar2 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2];\n\n PCHAR LoggingVar3 = 0;\n PCHAR LoggingVar4 = 0;\n if (*LoggingVar2 && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0)\n {\n LoggingVar3 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n if (RtlGetCurrentServiceSessionId())\n LoggingVar4 = (char*)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1;\n else\n LoggingVar4 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n\n // 0x20 is SPACE char.\n if ((*LoggingVar4 & ' ') != 0)\n WID_HIDDEN( LdrpLogEtwEvent(0x14A3u, (ULONGLONG)DllBase, 0xFF, 0xFF); )\n }\n else\n {\n LoggingVar3 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n }\n\n // DLL_PROCESS_ATTACH (1)\n ReturnVal = DllMain((HINSTANCE)DllBase, One, ContextRecord);\n if (RtlGetCurrentServiceSessionId())\n LoggingVar = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253];\n\n if (*LoggingVar && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0)\n {\n if (RtlGetCurrentServiceSessionId())\n LoggingVar3 = (char*)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1;\n\n // 0x20 is SPACE char.\n if ((*LoggingVar3 & ' ') != 0)\n WID_HIDDEN( LdrpLogEtwEvent(0x1496u, (ULONGLONG)DllBase, 0xFF, 0xFF); )\n }\n\n ULONG LoggingVar5 = 0;\n if (!ReturnVal && One == 1)\n {\n LoggingVar5 = 1;\n WID_HIDDEN( LdrpLogError(STATUS_DLL_INIT_FAILED, 0x1496u, LoggingVar5, 0i64); )\n }\n\n return ReturnVal;\n}\n```\nDoes prior checks and calls DllMain which finishes the loading process.\n" }, { "path": "Src/Functions/KERNEL32.cpp", "content": "#include \"KERNEL32.h\"\n\nULONG* KernelBaseGlobalData = nullptr;\n\ntBasep8BitStringToDynamicUnicodeString Basep8BitStringToDynamicUnicodeString = nullptr;\ntBaseSetLastNTError BaseSetLastNTError = nullptr;\n\n// Signatured\ntBasepLoadLibraryAsDataFileInternal BasepLoadLibraryAsDataFileInternal = nullptr;" }, { "path": "Src/Functions/KERNEL32.h", "content": "#pragma once\n\n#include \"..\\Includes.h\"\n#include \"Undocumented.h\"\n\nextern ULONG* KernelBaseGlobalData;\n\ntypedef BOOLEAN(WINAPI* tBasep8BitStringToDynamicUnicodeString)(PUNICODE_STRING pConvertedStr, LPCSTR pszAnsiStr);\nextern tBasep8BitStringToDynamicUnicodeString Basep8BitStringToDynamicUnicodeString;\n\ntypedef DWORD(WINAPI* tBaseSetLastNTError)(IN NTSTATUS Status);\nextern tBaseSetLastNTError BaseSetLastNTError;\n\n// Signatured\n#define BASEP_LLASDATAFILE_INTERNAL_PATTERN \"\\x48\\x89\\x5C\\x24\\x20\\x55\\x56\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x8D\\xAC\\x24\\x10\\xFF\\xFF\\xFF\"\ntypedef NTSTATUS(__fastcall* tBasepLoadLibraryAsDataFileInternal)(PUNICODE_STRING DllName, PWSTR Path, PWSTR Unknown, DWORD dwFlags, HMODULE* pBaseOfLoadedModule);\nextern tBasepLoadLibraryAsDataFileInternal BasepLoadLibraryAsDataFileInternal;" }, { "path": "Src/Functions/NT.cpp", "content": "#include \"NT.h\"\n\n// Implemented.\n// Variables\nDWORD* LdrpPolicyBits = nullptr;\nHANDLE* LdrpMainThreadToken = nullptr;\nDWORD* LdrInitState = nullptr;\nDWORD* LoadFailure = nullptr;\nPRTL_CRITICAL_SECTION LdrpWorkQueueLock = nullptr;\nDWORD* LdrpWorkInProgress = nullptr;\nLIST_ENTRY** LdrpWorkQueue = nullptr;\nPHANDLE LdrpWorkCompleteEvent = nullptr;\nKUSER_SHARED_DATA* kUserSharedData = (KUSER_SHARED_DATA*)0x7FFE0000;\nDWORD* LdrpUseImpersonatedDeviceMap = nullptr;\nDWORD* LdrpAuditIntegrityContinuity = nullptr;\nDWORD* LdrpEnforceIntegrityContinuity = nullptr;\nDWORD* LdrpFatalHardErrorCount = nullptr;\nDWORD* UseWOW64 = nullptr;\nPRTL_SRWLOCK\t\t\tLdrpModuleDatatableLock = nullptr;\nPHANDLE\t\t\t\t\tqword_17E238 = nullptr;\nLDR_DATA_TABLE_ENTRY** LdrpImageEntry = nullptr;\nPUNICODE_STRING\t\t\tLdrpKernel32DllName = nullptr;\nUINT_PTR* LdrpAppHeaders = nullptr;\nPHANDLE\t\t\t\t\tLdrpLargePageDllKeyHandle = nullptr;\nULONG** LdrpLockMemoryPrivilege = nullptr;\nULONG64* LdrpMaximumUserModeAddress = nullptr;\nUINT_PTR* LdrpMapAndSnapWork = nullptr;\nLIST_ENTRY* LdrpHashTable = nullptr;\nPVOID* LdrpHeap = nullptr;\nBOOLEAN* LdrpIsHotPatchingEnabled = nullptr;\nLDR_DATA_TABLE_ENTRY** LdrpRedirectionModule = nullptr;\nULONG64** qword_1993A8 = nullptr;\nLONG* NtdllBaseTag = nullptr;\nFUNCTION_TABLE_DATA* stru_199520 = nullptr;\nUINT_PTR* qword_199530 = nullptr;\nLDR_DATA_TABLE_ENTRY** LdrpNtDllDataTableEntry = nullptr;\nUINT_PTR* qword_1993B8 = nullptr;\nDWORD* dword_19939C = nullptr;\nDWORD* LoadFailureOperational = nullptr;\nDWORD* dword_199398 = nullptr;\nUINT_PTR*** qword_1843B8 = nullptr;\nUINT_PTR* qword_1843B0 = nullptr;\nUINT_PTR* LdrpCurrentDllInitializer = nullptr;\nLPVOID** LdrpProcessInitContextRecord = nullptr;\nPRTL_SRWLOCK\t\t\tLdrpTlsLock = nullptr;\nTLS_ENTRY** LdrpTlsList = nullptr;\n\ntLdrpManifestProberRoutine LdrpManifestProberRoutine = nullptr;\ntLdrpRedirectionCalloutFunc LdrpRedirectionCalloutFunc = nullptr;\n\n// Functions\nPEB* NtCurrentPeb()\n{\n\treturn NtCurrentTeb()->ProcessEnvironmentBlock;\n}\n\nVOID __fastcall NtdllpFreeStringRoutine(PWCH Buffer) // CHECKED.\n{\n\tRtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Buffer);\n}\n\nNTSTATUS __fastcall LdrpFastpthReloadedDll(PUNICODE_STRING FullPath, ULONG Flags, PLDR_DATA_TABLE_ENTRY LdrEntry, LDR_DATA_TABLE_ENTRY** DllEntry)\n{\n NTSTATUS Status;\n\n PUNICODE_STRING PathUsed;\n LDR_DATA_TABLE_ENTRY* pDllEntry;\n LDR_DDAG_STATE DdagState;\n\n DdagState = LdrModulesPlaceHolder;\n Status = STATUS_NOT_FOUND;\n\n if (Flags & LOAD_LIBRARY_AS_IMAGE_RESOURCE)\n {\n PathUsed = FullPath;\n FullPath = 0;\n }\n else\n {\n // If an absolute path was sent from LoadLibrary it will have 0x200 (LOAD_LIBRARY_SEARCH_APPLICATION_DIR), but the if is checking for not so it can be ignored.\n if ((Flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) == 0)\n return Status;\n\n PathUsed = nullptr;\n }\n\n Status = LdrpFindLoadedDllByName(PathUsed, FullPath, Flags, DllEntry, &DdagState);\n if (NT_SUCCESS(Status))\n {\n pDllEntry = *DllEntry;\n if (pDllEntry->LoadReason == LoadReasonPatchImage)\n {\n Status = STATUS_IMAGE_LOADED_AS_PATCH_IMAGE;\n LdrpLogEtwHotPatchStatus(&(*LdrpImageEntry)->BaseDllName, pDllEntry, 0, STATUS_IMAGE_LOADED_AS_PATCH_IMAGE, 2u);\n }\n else\n {\n Status = STATUS_NOT_FOUND;\n if (DdagState == LdrModulesReadyToRun)\n {\n Status = LdrpIncrementModuleLoadCount(pDllEntry);\n if (NT_SUCCESS(Status))\n {\n Status = LdrpBuildForwarderLink(LdrEntry, pDllEntry);\n // This is where we most likely end up on a normal call from LoadLibraryExW\n if (NT_SUCCESS(Status))\n return Status;\n\n BOOLEAN IsWorkerThread = (!(NtCurrentTeb()->SameTebFlags & LoadOwner));\n if (IsWorkerThread)\n LdrpDrainWorkQueue(WaitLoadComplete);\n\n LdrpDecrementModuleLoadCountEx(pDllEntry, 0);\n if (IsWorkerThread)\n LdrpDropLastInProgressCount();\n }\n }\n }\n\n LdrpDereferenceModule(*DllEntry);\n *DllEntry = nullptr;\n }\n\n return Status;\n}\n\nNTSTATUS __fastcall LdrpIncrementModuleLoadCount(LDR_DATA_TABLE_ENTRY* LdrEntry)\n{\n NTSTATUS Status = STATUS_SUCCESS;\n\n RtlAcquireSRWLockExclusive(LdrpModuleDatatableLock);\n\n LDR_DDAG_NODE* DdagNode = LdrEntry->DdagNode;\n ULONG LoadCount = DdagNode->LoadCount;\n if (LoadCount != -1)\n {\n if (LoadCount)\n {\n DdagNode->LoadCount = LoadCount + 1;\n }\n else if (NtCurrentTeb()->SameTebFlags & LoadOwner)\n {\n ++DdagNode->LoadWhileUnloadingCount;\n }\n else\n {\n Status = STATUS_DLL_NOT_FOUND;\n }\n }\n\n RtlReleaseSRWLockExclusive(LdrpModuleDatatableLock);\n\n return Status;\n}\n\nVOID __fastcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString) // CHECKED.\n{\n WCHAR* Buffer;\n\n Buffer = UnicodeString->Buffer;\n if (Buffer)\n {\n NtdllpFreeStringRoutine(Buffer);\n //*UnicodeString = 0;\n memset(UnicodeString, 0, sizeof(UNICODE_STRING));\n }\n}\n\nVOID __fastcall LdrpFreeUnicodeString(PUNICODE_STRING String)\n{\n WCHAR* Buffer;\n\n Buffer = String->Buffer;\n if (Buffer)\n {\n NtdllpFreeStringRoutine(Buffer);\n String->Buffer = 0;\n }\n String->Length = 0;\n String->MaximumLength = 0;\n}\n\nULONG __fastcall RtlGetCurrentServiceSessionId(VOID) // CHECKED ?\n{\n LPVOID Return = NtCurrentPeb()->SharedData;\n\n if (Return)\n Return = (LPVOID)(*(DWORD*)Return);\n return (ULONG)Return;\n}\n\nUSHORT __fastcall LdrpGetBaseNameFromFullName(PUNICODE_STRING BaseName, PUNICODE_STRING FullName)\n{\n USHORT StrLen = BaseName->Length >> 1;\n if (StrLen)\n {\n PWCHAR Buffer = BaseName->Buffer;\n do\n {\n if (Buffer[StrLen - 1] == '\\\\')\n break;\n if (Buffer[StrLen - 1] == '/')\n break;\n --StrLen;\n } while (StrLen);\n }\n\n USHORT ByteLen = 2 * StrLen;\n\n USHORT Return = BaseName->MaximumLength - ByteLen;\n FullName->Length = BaseName->Length - ByteLen;\n FullName->MaximumLength = Return;\n FullName->Buffer = &BaseName->Buffer[StrLen];\n return Return;\n}\n\nPWCHAR __fastcall RtlGetNtSystemRoot()\n{\n if (RtlGetCurrentServiceSessionId())\n return (PWCHAR)((char*)NtCurrentPeb()->SharedData + 30);\n else\n return kUserSharedData->NtSystemRoot;\n}\n\nBOOLEAN __fastcall LdrpHpatAllocationOptOut(PUNICODE_STRING FullDllName)\n{\n UNICODE_STRING NtString; // [rsp+30h] [rbp-18h] BYREF\n\n if ((NtCurrentPeb()->ProcessParameters->Flags & 0x2000000) == 0 || *FullDllName->Buffer == '\\\\')\n return 0;\n PWSTR NtSystemRoot = RtlGetNtSystemRoot();\n RtlInitUnicodeStringEx(&NtString, NtSystemRoot);\n return FullDllName->Length < NtString.Length || RtlCompareUnicodeStrings(FullDllName->Buffer, NtString.Length >> 1, NtString.Buffer, NtString.Length >> 1, 1u) != 0;\n}\n\nNTSTATUS __fastcall LdrpCorValidateImage(PIMAGE_DOS_HEADER DosHeader)\n{\n NTSTATUS Status;\n \n PIMAGE_FILE_HEADER ImageFileHeader;\n UINT_PTR LastRVASection;\n Status = RtlpImageDirectoryEntryToDataEx(DosHeader, TRUE, IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_LOCAL_SYMS_STRIPPED, &LastRVASection, (PIMAGE_FILE_HEADER*)&ImageFileHeader);\n if (!NT_SUCCESS(Status))\n ImageFileHeader = 0;\n return ImageFileHeader != 0 ? STATUS_INVALID_IMAGE_FORMAT : 0;\n}\n\nNTSTATUS __fastcall LdrpCorFixupImage(PIMAGE_DOS_HEADER DosHeader)\n{\n NTSTATUS Status;\n\n PIMAGE_NT_HEADERS NtHeader = RtlImageNtHeader(DosHeader);\n ULONG64 LastRVASection;\n PIMAGE_COR20_HEADER CorHeader = nullptr;\n Status = RtlpImageDirectoryEntryToDataEx(DosHeader, 1, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &LastRVASection, &CorHeader);\n if (!NT_SUCCESS(Status) || !CorHeader)\n return Status;\n\n if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC && NtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 && (CorHeader->Flags & 2) == 0)\n {\n ULONG64* pSizeOfHeapCommit = &NtHeader->OptionalHeader.SizeOfHeapCommit;\n PBYTE UnknownCalc = (PBYTE)&NtHeader->OptionalHeader +\n (32 * NtHeader->FileHeader.NumberOfSections) + \n (8 * NtHeader->FileHeader.NumberOfSections) + \n NtHeader->FileHeader.SizeOfOptionalHeader;\n\n UINT_PTR NumberOfBytesToProtect = 0x1000;\n if ((unsigned __int64)(UnknownCalc - (PBYTE)DosHeader + 0x10) <= 0x1000)\n {\n ULONG OldAccessProtection;\n Status = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&DosHeader, (PULONG)&NumberOfBytesToProtect, PAGE_READWRITE, &OldAccessProtection);\n if (NT_SUCCESS(Status))\n {\n memmove(NtHeader->OptionalHeader.DataDirectory, &NtHeader->OptionalHeader.SizeOfHeapCommit, UnknownCalc - (PBYTE)pSizeOfHeapCommit);\n *(ULONG64*)&NtHeader->OptionalHeader.LoaderFlags = NtHeader->OptionalHeader.SizeOfHeapReserve;\n *pSizeOfHeapCommit = (NtHeader->OptionalHeader.SizeOfStackCommit) & 0xFFFFFFFF00000000;\n\n NtHeader->OptionalHeader.SizeOfHeapReserve = (NtHeader->OptionalHeader.SizeOfStackCommit) & UINT_MAX;\n NtHeader->OptionalHeader.SizeOfStackCommit = (NtHeader->OptionalHeader.SizeOfStackReserve) & 0xFFFFFFFF00000000;\n NtHeader->OptionalHeader.SizeOfStackReserve = (NtHeader->OptionalHeader.SizeOfStackReserve) & UINT_MAX;\n NtHeader->OptionalHeader.ImageBase = (NtHeader->OptionalHeader.ImageBase) & 0xFFFFFFFF00000000;\n NtHeader->FileHeader.SizeOfOptionalHeader += 0x10;\n\n NtHeader->OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC;\n ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&DosHeader, (PULONG)&NumberOfBytesToProtect, OldAccessProtection, &OldAccessProtection);\n }\n }\n else\n {\n return STATUS_INVALID_IMAGE_FORMAT;\n }\n }\n else\n {\n WORD Machine = NtHeader->FileHeader.Machine;\n if (Machine < kUserSharedData->ImageNumberLow)\n return STATUS_INVALID_IMAGE_FORMAT;\n\n Status = STATUS_SUCCESS;\n if (Machine > kUserSharedData->ImageNumberHigh)\n return STATUS_INVALID_IMAGE_FORMAT;\n }\n return Status;\n}\n\nNTSTATUS __fastcall LdrpFindLoadedDllByNameLockHeld(PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, ULONG64 Flags, LDR_DATA_TABLE_ENTRY** pLdrEntry, ULONG BaseNameHashValue)\n{\n LIST_ENTRY* pHashIdx;\n \n LDR_DDAG_NODE* DdagNode;\n\n // Parse entire hash table. Maybe I use it later on.\n //for (int idx = 0; idx < 32; idx++)\n //{\n // LIST_ENTRY* IdxHead = &LdrpHashTable[idx];\n // LIST_ENTRY* IdxEntry = IdxHead->Flink;\n // while (IdxEntry != IdxHead)\n // {\n // LDR_DATA_TABLE_ENTRY* IdxLdrEntry = CONTAINING_RECORD(IdxEntry, LDR_DATA_TABLE_ENTRY, HashLinks);\n //\n // printf(\"[Name: %ws]\\n\", IdxLdrEntry->BaseDllName.Buffer);\n //\n // LIST_ENTRY* LdrHead = &IdxLdrEntry->InLoadOrderLinks;\n // LIST_ENTRY* LdrEntry = LdrHead->Flink;\n // while (LdrEntry != LdrHead)\n // {\n // LDR_DATA_TABLE_ENTRY* IdxLdrEntryMod = CONTAINING_RECORD(LdrEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n //\n // printf(\" -> [Name: %ws]\\n\", IdxLdrEntryMod->BaseDllName.Buffer);\n //\n // LdrEntry = LdrEntry->Flink;\n // }\n //\n // IdxEntry = IdxEntry->Flink;\n // }\n //}\n\n pHashIdx = (LIST_ENTRY*)&(LdrpHashTable)[(BaseNameHashValue & 0x1F)];\n BOOLEAN DllFound = FALSE;\n for (LIST_ENTRY* HashEntry = pHashIdx->Flink; HashEntry != pHashIdx; HashEntry = HashEntry->Flink)\n {\n LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)&HashEntry[-7];\n //LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(HashEntry, LDR_DATA_TABLE_ENTRY, HashLinks);\n\n //LDR_DATA_TABLE_ENTRY* DllEntry = (PLDR_DATA_TABLE_ENTRY)CONTAINING_RECORD(HashEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n if (BaseNameHashValue == (DllEntry->BaseNameHashValue) && ((Flags & 8) == 0 || (DllEntry->FlagGroup[0] & 1) != 0))\n {\n if (FullDllName)\n {\n DllFound = RtlEqualUnicodeString(FullDllName, &DllEntry->FullDllName, TRUE);\n if (DllFound)\n goto DLL_FOUND;\n }\n else\n {\n if ((DllEntry->Flags & Redirected) == 0 && RtlEqualUnicodeString(BaseDllName, &DllEntry->BaseDllName, TRUE))\n {\n DllFound = TRUE;\n DLL_FOUND:\n DdagNode = DllEntry->DdagNode;\n if (DdagNode->LoadCount != -1 && ((__int64)DdagNode->Modules.Flink[-4].Blink & 0x20) == 0)\n _InterlockedIncrement(&DllEntry->ReferenceCount);\n\n *pLdrEntry = DllEntry;\n return DllFound ? STATUS_SUCCESS : STATUS_DLL_NOT_FOUND;\n }\n DllFound = FALSE;\n }\n }\n }\n return DllFound ? STATUS_SUCCESS : STATUS_DLL_NOT_FOUND;\n}\n\nBOOLEAN __fastcall LdrpIsILOnlyImage(PIMAGE_DOS_HEADER DllBase)\n{\n NTSTATUS Status;\n \n UINT_PTR LastRVASection;\n PIMAGE_COR20_HEADER CorHeader;\n Status = RtlpImageDirectoryEntryToDataEx(DllBase, 1u, 0xEu, &LastRVASection, (PVOID*)&CorHeader);\n if (Status < 0)\n return Status;\n\n return CorHeader && LastRVASection >= 0x48 && (CorHeader->Flags & 1) != 0;\n}\n\nVOID __fastcall LdrpAddNodeServiceTag(LDR_DDAG_NODE* DdagNode, UINT_PTR ServiceTag)\n{\n //LDR_DATA_TABLE_ENTRY* LdrEntry = CONTAINING_RECORD(DdagNode->Modules.Flink, LDR_DATA_TABLE_ENTRY, DdagNode);\n if (DdagNode->LoadCount != -1 && ((__int64)DdagNode->Modules.Flink[-4].Blink & 0x20) == 0)\n //if (DdagNode->LoadCount != -1 && (LdrEntry->FlagGroup[0] & 0x20) == 0)\n {\n for (LDR_SERVICE_TAG_RECORD* i = DdagNode->ServiceTagList; i; i = i->Next)\n {\n if (i->ServiceTag == ServiceTag)\n return;\n }\n\n LDR_SERVICE_TAG_RECORD* Heap = (LDR_SERVICE_TAG_RECORD*)RtlAllocateHeap(*LdrpHeap, 0, 0x10);\n if (Heap)\n {\n Heap->ServiceTag = ServiceTag;\n Heap->Next = DdagNode->ServiceTagList;\n DdagNode->ServiceTagList = Heap;\n\n SINGLE_LIST_ENTRY* Tail = DdagNode->Dependencies.Tail;\n if (Tail)\n {\n SINGLE_LIST_ENTRY* Tail_2 = Tail;\n do\n {\n Tail_2 = Tail_2->Next;\n // LDR_DDAG_NODE* NextNode = CONTAINING_RECORD(Tail_2, LDR_DDAG_NODE, CondenseLink);\n LdrpAddNodeServiceTag((LDR_DDAG_NODE*)Tail_2[1].Next, ServiceTag);\n //LdrpAddNodeServiceTag(NextNode, ServiceTag);\n } while (Tail_2 != Tail);\n }\n }\n }\n}\n\nPIMAGE_LOAD_CONFIG_DIRECTORY LdrImageDirectoryEntryToLoadConfig(PIMAGE_DOS_HEADER DllBase)\n{\n NTSTATUS Status = STATUS_SUCCESS;\n \n PIMAGE_NT_HEADERS OutHeaders = nullptr;\n RtlImageNtHeaderEx(1u, DllBase, 0, &OutHeaders);\n if (!DllBase)\n return nullptr;\n\n UINT_PTR LastRVASection = 0;\n PIMAGE_LOAD_CONFIG_DIRECTORY LoadConfigDirectory = nullptr;\n Status = RtlpImageDirectoryEntryToDataEx(DllBase, 1u, 0xAu, &LastRVASection, (PVOID*)&LoadConfigDirectory);\n if (!NT_SUCCESS(Status))\n return nullptr;\n\n if (LoadConfigDirectory && (DWORD)LastRVASection && (DWORD)LastRVASection == LoadConfigDirectory->Size && OutHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)\n return LoadConfigDirectory;\n\n return nullptr;\n}\n\nBOOLEAN __fastcall LdrpShouldModuleImportBeRedirected(LDR_DATA_TABLE_ENTRY* DllEntry)\n{\n if (!DllEntry || !*LdrpRedirectionModule || *LdrpRedirectionModule == DllEntry)\n return FALSE;\n\n if ((NtCurrentPeb()->BitField & IsPackagedProcess) != 0)\n return DllEntry->FlagGroup[0] & PackagedBinary;\n\n // LdrpRedirectionCalloutFunc is a function pointer.\n if (*LdrpRedirectionCalloutFunc)\n return (*LdrpRedirectionCalloutFunc)(DllEntry->FullDllName.Buffer);\n else\n return TRUE;\n}\n\nPIMAGE_IMPORT_DESCRIPTOR __fastcall LdrpGetImportDescriptorForSnap(LDRP_LOAD_CONTEXT* LoadContext)\n{\n NTSTATUS Status;\n\n // [CORRECT]\n //LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\n UINT_PTR LastRVASection;\n PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor;\n Status = RtlpImageDirectoryEntryToDataEx(DllEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &LastRVASection, (PVOID*)&pImageImportDescriptor);\n if (!NT_SUCCESS(Status))\n return nullptr;\n if (DllEntry == *LdrpImageEntry && (((ULONG64)(*qword_1993A8) >> 44) & 3) == 1)\n {\n PIMAGE_NT_HEADERS pImageNtHeaders = nullptr;\n RtlImageNtHeaderEx(3, DllEntry->DllBase, 0, (PIMAGE_NT_HEADERS*)&pImageNtHeaders);\n if (!((LdrpCheckPagesForTampering(&pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT], 8) || LdrpCheckPagesForTampering((PIMAGE_DATA_DIRECTORY)pImageImportDescriptor, (ULONG)LastRVASection)) && NT_SUCCESS(LdrpMapCleanModuleView(LoadContext))))\n {\n return nullptr;\n }\n }\n return pImageImportDescriptor;\n}\n\nNTSTATUS __fastcall LdrpMapCleanModuleView(LDRP_LOAD_CONTEXT* LoadContext)\n{\n NTSTATUS Status;\n\n HANDLE ProcessInformation = 0;\n PIMAGE_DOS_HEADER ImageDosHeader = nullptr;\n ULONG64 ViewSize = 0;\n if (CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks) != *LdrpImageEntry)\n return STATUS_NOT_SUPPORTED;\n\n Status = NtQueryInformationProcess((HANDLE)-1, ProcessImageSection, &ProcessInformation, 8, 0);\n if (NT_SUCCESS(Status))\n {\n Status = ZwMapViewOfSection(ProcessInformation, (HANDLE)-1u, &ImageDosHeader, 0, 0, 0, (PULONG)&ViewSize, ViewShare, 0x40000u, 2u);\n if (NT_SUCCESS(Status))\n LoadContext->ImageBase = ImageDosHeader;\n\n NtClose(ProcessInformation);\n }\n\n return Status;\n}\n\nLDR_DATA_TABLE_ENTRY* __fastcall LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry)\n{\n LDR_DATA_TABLE_ENTRY* DllEntry = LdrEntry;\n if (LdrEntry)\n {\n LDRP_LOAD_CONTEXT* LoadContext = (LDRP_LOAD_CONTEXT*)LdrEntry->LoadContext;\n if (LoadContext)\n {\n if ((LoadContext->Flags & 0x80000) == 0 && (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink != LdrEntry)\n {\n DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n LoadContext->WorkQueueListEntry.Flink = &LdrEntry->InLoadOrderLinks;\n }\n }\n }\n return DllEntry;\n}\n\nNTSTATUS __fastcall LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrDataTableEntry)\n{\n LdrpFreeLoadContext(LdrDataTableEntry->LoadContext);\n // Revokes ProcessStaticImport (0x20) flag.\n LdrDataTableEntry->Flags &= ~ProcessStaticImport;\n LdrDataTableEntry->ReferenceCount = 1;\n return LdrpDereferenceModule(LdrDataTableEntry);\n}\n\nVOID __fastcall LdrpHandlePendingModuleReplaced(LDRP_LOAD_CONTEXT* LoadContext)\n{\n LDR_DATA_TABLE_ENTRY* Entry = (LDR_DATA_TABLE_ENTRY*)LoadContext->pvImports;\n if (Entry)\n {\n LDR_DATA_TABLE_ENTRY* ReturnEntry = LdrpHandleReplacedModule(Entry);\n LDR_DATA_TABLE_ENTRY** CompareEntry = LoadContext->pvImports;\n if (ReturnEntry != (LDR_DATA_TABLE_ENTRY*)CompareEntry)\n LdrpFreeReplacedModule((LDR_DATA_TABLE_ENTRY*)CompareEntry);\n LoadContext->pvImports = nullptr;\n }\n}\n\nPIMAGE_SECTION_HEADER __fastcall RtlSectionTableFromVirtualAddress(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address)\n{\n PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((char*)&NtHeader->OptionalHeader + NtHeader->FileHeader.SizeOfOptionalHeader);\n if (!NtHeader->FileHeader.NumberOfSections)\n return nullptr;\n\n ULONG NumberOfSections = NtHeader->FileHeader.NumberOfSections;\n ULONG SectionIdx = 0;\n while (TRUE)\n {\n ULONG VirtualAddress = SectionHeader->VirtualAddress;\n if ((unsigned int)Address >= VirtualAddress && (unsigned int)Address < SectionHeader->SizeOfRawData + VirtualAddress)\n break;\n\n ++SectionHeader;\n if (++SectionIdx >= NumberOfSections)\n return nullptr;\n }\n return SectionHeader;\n}\n\nPIMAGE_SECTION_HEADER __fastcall RtlAddressInSectionTable(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address)\n{\n PIMAGE_SECTION_HEADER SectionHeader;\n\n SectionHeader = RtlSectionTableFromVirtualAddress(NtHeader, Base, Address);\n if (SectionHeader)\n return (PIMAGE_SECTION_HEADER)(SectionHeader->PointerToRawData - SectionHeader->VirtualAddress);\n return SectionHeader;\n}\n\nBOOLEAN __fastcall LdrpValidateEntrySection(LDR_DATA_TABLE_ENTRY* DllEntry)\n{\n PIMAGE_NT_HEADERS OutHeaders;\n RtlImageNtHeaderEx(3u, DllEntry->DllBase, 0, &OutHeaders);\n ULONG AddressOfEntryPoint = OutHeaders->OptionalHeader.AddressOfEntryPoint;\n return !AddressOfEntryPoint || !DllEntry->EntryPoint || AddressOfEntryPoint >= OutHeaders->OptionalHeader.SizeOfHeaders;\n}\n\nBOOL __fastcall LdrpIsExecutableRelocatedImage(PIMAGE_DOS_HEADER DllBase)\n{\n MEMORY_IMAGE_INFORMATION MemoryInformation; // [rsp+30h] [rbp-28h] BYREF\n PIMAGE_NT_HEADERS OutHeaders; // [rsp+68h] [rbp+10h] BYREF\n\n return NT_SUCCESS(RtlImageNtHeaderEx(3u, DllBase, 0i64, &OutHeaders)) && (PIMAGE_DOS_HEADER)OutHeaders->OptionalHeader.ImageBase == DllBase\n && NT_SUCCESS(ZwQueryVirtualMemory((HANDLE)-1, DllBase, MemoryImageInformation, &MemoryInformation, 0x18, 0))\n && MemoryInformation.ImageBase == DllBase\n && (MemoryInformation.ImageFlags & 2) == 0\n && (MemoryInformation.ImageFlags & 1) == 0;\n}\n\nTLS_ENTRY* __fastcall LdrpFindTlsEntry(LDR_DATA_TABLE_ENTRY* LdrEntry)\n{\n TLS_ENTRY* TlsEntry;\n\n for (TlsEntry = *LdrpTlsList; TlsEntry != (TLS_ENTRY*)LdrpTlsList; TlsEntry = (TLS_ENTRY*)TlsEntry->TlsEntry.Flink)\n {\n if ((LDR_DATA_TABLE_ENTRY*)TlsEntry->ModuleEntry == LdrEntry)\n return TlsEntry;\n }\n return nullptr;\n}\n\nBOOL __fastcall ImageTlsCallbackCaller(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved)\n{\n ((void(__fastcall*)(HINSTANCE, DWORD, LPVOID))lpvReserved)(hInstDll, fdwReason, 0);\n return 1;\n}\n\n// Implemented inside LOADLIBRARY class to use WID_HIDDEN\nNTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpThreadTokenSetMainThreadToken() // CHECKED.\n{\n NTSTATUS Status;\n \n HANDLE ReturnToken = NULL;\n Status = NtOpenThreadToken((HANDLE)-2, 0x2001C, 0, &ReturnToken);\n *LdrpMainThreadToken = ReturnToken;\n if (Status != STATUS_NO_TOKEN)\n {\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0xDC8, \"LdrpThreadTokenSetMainThreadToken\", 2, \"Status: 0x%x\\n\", Status); )\n }\n return Status;\n}\n\nNTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpThreadTokenUnsetMainThreadToken() // CHECKED.\n{\n NTSTATUS Status;\n\n Status = NtClose(*LdrpMainThreadToken);\n *LdrpMainThreadToken = NULL;\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0xDEE, \"LdrpThreadTokenUnsetMainThreadToken\", 2u, \"Status: 0x%x\\n\", Status); )\n return Status;\n}\n\nLDR_DATA_TABLE_ENTRY* __fastcall WID::Loader::LOADLIBRARY::LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry) // CHECKED.\n{\n LDR_DATA_TABLE_ENTRY* DllEntry = LdrEntry;\n if (LdrEntry)\n {\n LDRP_LOAD_CONTEXT* LoadContext = LdrEntry->LoadContext;\n if (LoadContext)\n {\n DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n //if ((LoadContext->Flags & SEC_64K_PAGES) == 0 && (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink != LdrEntry)\n if ((LoadContext->Flags & SEC_64K_PAGES) == 0 && DllEntry != LdrEntry)\n {\n //DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n LoadContext->WorkQueueListEntry.Flink = &LdrEntry->InLoadOrderLinks;\n }\n }\n }\n return DllEntry;\n}\n\nNTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry) // CHECKED.\n{\n LdrpFreeLoadContext(LdrEntry->LoadContext);\n // Resets (sets to 0) flag ProcessStaticImport (0x20)\n LdrEntry->Flags &= ~0x20u;\n\n // Might change if hidden, not touching for now.\n LdrEntry->ReferenceCount = 1;\n return LdrpDereferenceModule(LdrEntry);\n}\n\nNTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpResolveDllName(LDRP_LOAD_CONTEXT* LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer, PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, DWORD Flags) // CHECKED.\n{\n NTSTATUS Status;\n\n PWCHAR FileName;\n UNICODE_STRING DllName;\n BOOLEAN FileNamesNotEqual = FALSE;\n\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x6B9, \"LdrpResolveDllName\", 3u, \"DLL name: %wZ\\n\", LoadContext); )\n\n // Converted goto to do-while loop.\n do\n {\n // This if will go in if call stack starts back from LoadLibraryExW with an absolute path.\n if (Flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR)\n {\n DllName = LoadContext->BaseDllName;\n }\n else\n {\n Status = LdrpGetFullPath(LoadContext, &FileNameBuffer->pFileName);\n if (!NT_SUCCESS(Status))\n {\n if (FileNamesNotEqual)\n LdrpFreeUnicodeString(&DllName);\n\n WID_HIDDEN(LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x742, \"LdrpResolveDllName\", 4, \"Status: 0x%08lx\\n\", Status); )\n return Status;\n }\n\n FileName = FileNameBuffer->FileName;\n DllName = FileNameBuffer->pFileName;\n\n FileNamesNotEqual = (FileNameBuffer->FileName != FileNameBuffer->pFileName.Buffer);\n if (FileNamesNotEqual)\n {\n FileNameBuffer->pFileName.Buffer = FileName;\n FileNameBuffer->pFileName.MaximumLength = MAX_PATH - 4;\n *FileName = 0;\n break;\n }\n }\n\n USHORT Length = DllName.Length;\n PWCHAR Buffer = DllName.Buffer;\n Status = LdrpAllocateUnicodeString(&DllName, DllName.Length);\n if (!NT_SUCCESS(Status))\n {\n if (FileNamesNotEqual)\n LdrpFreeUnicodeString(&DllName);\n\n WID_HIDDEN(LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x742, \"LdrpResolveDllName\", 4, \"Status: 0x%08lx\\n\", Status); )\n return Status;\n }\n\n FileNamesNotEqual = TRUE;\n memmove(DllName.Buffer, Buffer, Length + 2);\n DllName.Length = Length;\n } while (FALSE);\n\n\n FileNameBuffer->pFileName.Length = 0;\n if (Flags & 0x10000000)\n Status = LdrpAppendUnicodeStringToFilenameBuffer(&FileNameBuffer->pFileName, LoadContext);\n else\n Status = LdrpGetNtPathFromDosPath(&DllName, FileNameBuffer);\n\n if (NT_SUCCESS(Status))\n {\n *FullDllName = DllName;\n LdrpGetBaseNameFromFullName(&DllName, BaseDllName);\n WID_HIDDEN(LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x742, \"LdrpResolveDllName\", 4, \"Status: 0x%08lx\\n\", Status); )\n return Status;\n }\n\n NTSTATUS StatusAdded = (Status + 0x3FFFFFF1);\n //LONGLONG BitTestVar = 0x1C3000000011;\n LONGLONG BitTestVar = 0b0001'1100'0011'0000'0000'0000'0000'0000'0000'0000'0001'0001;\n if (StatusAdded <= 0x2C && (_bittest64(&BitTestVar, StatusAdded)) || Status == STATUS_DEVICE_OFF_LINE || Status == STATUS_DEVICE_NOT_READY)\n {\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x72D, \"LdrpResolveDllName\", 2, \"Original status: 0x%08lx\\n\", Status); )\n Status = STATUS_DLL_NOT_FOUND;\n }\n\n if (FileNamesNotEqual)\n LdrpFreeUnicodeString(&DllName);\n\n WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x742, \"LdrpResolveDllName\", 4, \"Status: 0x%08lx\\n\", Status); )\n return Status;\n}\n\nNTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpFindDllActivationContext(LDR_DATA_TABLE_ENTRY* LdrEntry) // CHECKED.\n{\n NTSTATUS Status = STATUS_SUCCESS;\n\n if (*(UINT_PTR*)(*LdrpManifestProberRoutine))\n {\n PEB* PEB = NtCurrentPeb();\n if (LdrEntry != *LdrpImageEntry || !PEB->ActivationContextData)\n {\n PWCHAR Buffer = LdrEntry->FullDllName.Buffer;\n if (LdrEntry == *LdrpImageEntry && *Buffer == '\\\\' && Buffer[1] == '?' && Buffer[2] == '?' && Buffer[3] == '\\\\' && Buffer[4] && Buffer[5] == ':' && Buffer[6] == '\\\\')\n {\n Buffer += 4;\n }\n\n // LdrpManifestProberRoutine is a function pointer.\n ACTIVATION_CONTEXT* pActivationCtx = nullptr;\n Status = (*LdrpManifestProberRoutine)(LdrEntry->DllBase, Buffer, &pActivationCtx);\n if ((unsigned int)(Status + 0x3FFFFF77) <= 2 || Status == STATUS_NOT_SUPPORTED || Status == STATUS_NO_SUCH_FILE || Status == STATUS_NOT_IMPLEMENTED || Status == STATUS_RESOURCE_LANG_NOT_FOUND)\n {\n WID_HIDDEN(LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 733, \"LdrpFindDllActivationContext\", 2u, \"Probing for the manifest of DLL \\\"%wZ\\\" failed with status 0x%08lx\\n\", &LdrEntry->FullDllName, Status); )\n Status = STATUS_SUCCESS;\n }\n\n if (pActivationCtx)\n {\n if (LdrEntry->EntryPointActivationContext)\n {\n RtlReleaseActivationContext(LdrEntry->EntryPointActivationContext);\n }\n\n LdrEntry->EntryPointActivationContext = pActivationCtx;\n }\n\n if (!NT_SUCCESS(Status))\n {\n WID_HIDDEN(LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 0x2FA, \"LdrpFindDllActivationContext\", 0, \"Querying the active activation context failed with status 0x%08lx\\n\", Status); )\n }\n }\n }\n return Status;\n}\n\n// Planning to implement them all in the future.\ntNtOpenThreadToken NtOpenThreadToken = nullptr;\ntNtClose NtClose = nullptr;\ntRtlAllocateHeap\t\t\t RtlAllocateHeap\t\t\t\t = nullptr;\ntRtlFreeHeap\t\t\t\t RtlFreeHeap\t\t\t\t\t = nullptr;\ntLdrGetDllPath\t\t\t\t LdrGetDllPath\t\t\t\t = nullptr;\ntRtlReleasePath\t\t\t\t RtlReleasePath\t\t\t\t = nullptr;\ntRtlInitUnicodeStringEx\t\t RtlInitUnicodeStringEx\t\t = nullptr;\ntRtlEnterCriticalSection\t RtlEnterCriticalSection = nullptr;\ntRtlLeaveCriticalSection RtlLeaveCriticalSection = nullptr;\ntZwSetEvent ZwSetEvent = nullptr;\ntNtOpenFile NtOpenFile = nullptr;\ntLdrAppxHandleIntegrityFailure LdrAppxHandleIntegrityFailure = nullptr;\ntNtRaiseHardError NtRaiseHardError = nullptr;\ntRtlImageNtHeaderEx RtlImageNtHeaderEx = nullptr;\ntRtlAcquireSRWLockExclusive RtlAcquireSRWLockExclusive = nullptr;\ntRtlReleaseSRWLockExclusive RtlReleaseSRWLockExclusive = nullptr;\ntRtlEqualUnicodeString RtlEqualUnicodeString = nullptr;\ntRtlAcquirePrivilege RtlAcquirePrivilege = nullptr;\ntRtlReleasePrivilege RtlReleasePrivilege = nullptr;\ntRtlCompareUnicodeStrings RtlCompareUnicodeStrings = nullptr;\ntRtlImageNtHeader RtlImageNtHeader = nullptr;\ntRtlReleaseActivationContext RtlReleaseActivationContext = nullptr;\ntRtlCharToInteger RtlCharToInteger = nullptr;\ntRtlActivateActivationContextUnsafeFast RtlActivateActivationContextUnsafeFast = nullptr;\ntRtlDeactivateActivationContextUnsafeFast RtlDeactivateActivationContextUnsafeFast = nullptr;\ntRtlAcquireSRWLockShared RtlAcquireSRWLockShared = nullptr;\ntRtlReleaseSRWLockShared RtlReleaseSRWLockShared = nullptr;\n\n// Signatured\ntLdrpLogInternal\t\t\t LdrpLogInternal\t\t\t\t = nullptr;\ntLdrpInitializeDllPath\t\t LdrpInitializeDllPath\t\t = nullptr;\ntLdrpDereferenceModule\t\t LdrpDereferenceModule\t\t = nullptr;\ntLdrpLogDllState\t\t\t LdrpLogDllState\t\t\t\t = nullptr;\ntLdrpPreprocessDllName\t\t LdrpPreprocessDllName\t\t = nullptr;\ntLdrpFindLoadedDllByName LdrpFindLoadedDllByName = nullptr;\ntLdrpDrainWorkQueue\t\t\t LdrpDrainWorkQueue\t\t\t = nullptr;\ntLdrpFindLoadedDllByHandle\t LdrpFindLoadedDllByHandle\t = nullptr;\ntLdrpDropLastInProgressCount LdrpDropLastInProgressCount = nullptr;\ntLdrpQueryCurrentPatch LdrpQueryCurrentPatch = nullptr;\ntLdrpUndoPatchImage LdrpUndoPatchImage = nullptr;\ntLdrpDetectDetour LdrpDetectDetour = nullptr;\ntLdrpFindOrPrepareLoadingModule LdrpFindOrPrepareLoadingModule = nullptr;\ntLdrpFreeLoadContext LdrpFreeLoadContext = nullptr;\ntLdrpCondenseGraph LdrpCondenseGraph = nullptr;\ntLdrpBuildForwarderLink LdrpBuildForwarderLink = nullptr;\ntLdrpPinModule LdrpPinModule = nullptr;\ntLdrpApplyPatchImage LdrpApplyPatchImage = nullptr;\ntLdrpFreeLoadContextOfNode LdrpFreeLoadContextOfNode = nullptr;\ntLdrpDecrementModuleLoadCountEx LdrpDecrementModuleLoadCountEx = nullptr;\ntLdrpLogError LdrpLogError = nullptr;\ntLdrpLogDeprecatedDllEtwEvent LdrpLogDeprecatedDllEtwEvent = nullptr;\ntLdrpLogLoadFailureEtwEvent LdrpLogLoadFailureEtwEvent = nullptr;\ntLdrpReportError LdrpReportError = nullptr;\ntLdrpResolveDllName LdrpResolveDllName = nullptr;\ntLdrpAppCompatRedirect LdrpAppCompatRedirect = nullptr;\ntLdrpHashUnicodeString LdrpHashUnicodeString = nullptr;\ntLdrpFindExistingModule LdrpFindExistingModule = nullptr;\ntLdrpLoadContextReplaceModule LdrpLoadContextReplaceModule = nullptr;\ntLdrpSearchPath LdrpSearchPath = nullptr;\ntLdrpIsSecurityEtwLoggingEnabled LdrpIsSecurityEtwLoggingEnabled = nullptr;\ntLdrpLogEtwDllSearchResults LdrpLogEtwDllSearchResults = nullptr;\ntLdrpCheckForRetryLoading LdrpCheckForRetryLoading = nullptr;\ntLdrpLogEtwEvent LdrpLogEtwEvent = nullptr;\ntLdrpCheckComponentOnDemandEtwEvent LdrpCheckComponentOnDemandEtwEvent = nullptr;\ntLdrpValidateIntegrityContinuity LdrpValidateIntegrityContinuity = nullptr;\ntLdrpSetModuleSigningLevel LdrpSetModuleSigningLevel = nullptr;\ntLdrpCodeAuthzCheckDllAllowed LdrpCodeAuthzCheckDllAllowed = nullptr;\ntLdrpGetFullPath LdrpGetFullPath = nullptr;\ntLdrpAllocateUnicodeString LdrpAllocateUnicodeString = nullptr;\ntLdrpAppendUnicodeStringToFilenameBuffer LdrpAppendUnicodeStringToFilenameBuffer = nullptr;\ntLdrpGetNtPathFromDosPath LdrpGetNtPathFromDosPath = nullptr;\ntLdrpFindLoadedDllByMappingLockHeld LdrpFindLoadedDllByMappingLockHeld = nullptr;\ntLdrpInsertDataTableEntry LdrpInsertDataTableEntry = nullptr;\ntLdrpInsertModuleToIndexLockHeld LdrpInsertModuleToIndexLockHeld = nullptr;\ntLdrpLogEtwHotPatchStatus LdrpLogEtwHotPatchStatus = nullptr;\ntLdrpLogNewDllLoad LdrpLogNewDllLoad = nullptr;\ntLdrpProcessMachineMismatch LdrpProcessMachineMismatch = nullptr;\ntRtlQueryImageFileKeyOption RtlQueryImageFileKeyOption = nullptr;\ntRtlpImageDirectoryEntryToDataEx RtlpImageDirectoryEntryToDataEx = nullptr;\ntLdrpLogDllRelocationEtwEvent LdrpLogDllRelocationEtwEvent = nullptr;\ntLdrpNotifyLoadOfGraph LdrpNotifyLoadOfGraph = nullptr;\ntLdrpDynamicShimModule LdrpDynamicShimModule = nullptr;\ntLdrpAcquireLoaderLock LdrpAcquireLoaderLock = nullptr;\ntLdrpReleaseLoaderLock LdrpReleaseLoaderLock = nullptr;\ntLdrpCheckPagesForTampering LdrpCheckPagesForTampering = nullptr;\ntLdrpLoadDependentModuleA LdrpLoadDependentModuleA = nullptr;\ntLdrpLoadDependentModuleW LdrpLoadDependentModuleW = nullptr;\ntLdrpQueueWork LdrpQueueWork = nullptr;\ntLdrpHandleTlsData LdrpHandleTlsData = nullptr;\ntLdrControlFlowGuardEnforcedWithExportSuppression LdrControlFlowGuardEnforcedWithExportSuppression = nullptr;\ntLdrpUnsuppressAddressTakenIat LdrpUnsuppressAddressTakenIat = nullptr;\ntLdrControlFlowGuardEnforced LdrControlFlowGuardEnforced = nullptr;\ntRtlpxLookupFunctionTable RtlpxLookupFunctionTable = nullptr; \ntLdrpCheckRedirection LdrpCheckRedirection = nullptr;\ntCompatCachepLookupCdb CompatCachepLookupCdb = nullptr;\ntLdrpGenRandom LdrpGenRandom = nullptr;\ntLdrInitSecurityCookie LdrInitSecurityCookie = nullptr;\ntLdrpCfgProcessLoadConfig LdrpCfgProcessLoadConfig = nullptr;\ntRtlInsertInvertedFunctionTable RtlInsertInvertedFunctionTable = nullptr;\ntLdrpSignalModuleMapped LdrpSignalModuleMapped = nullptr;\ntAVrfDllLoadNotification AVrfDllLoadNotification = nullptr;\ntLdrpSendDllNotifications LdrpSendDllNotifications = nullptr;\ntLdrpCallTlsInitializers LdrpCallTlsInitializers = nullptr;" }, { "path": "Src/Functions/NT.h", "content": "#pragma once\n\n#include \"..\\Includes.h\"\n#include \"..\\WID.h\"\n#include \"Undocumented.h\"\n\n\n#define NT_SUCCESS(x) ((x)>=0)\n#define STATUS_SUCCESS\t\t\t\t\t\t0x0\n#define STATUS_IMAGE_NOT_AT_BASE\t\t\t0x40000003\n#define STATUS_IMAGE_AT_DIFFERENT_BASE\t\t0x40000036\n#define STATUS_IMAGE_MACHINE_TYPE_MISMATCH\t0x4000000E\n#define STATUS_DEVICE_OFF_LINE\t\t\t\t0x80000010\n#define STATUS_UNSUCCESSFUL\t\t\t\t\t0xC0000001\n#define STATUS_NOT_IMPLEMENTED\t\t\t\t0xC0000002\n#define STATUS_NO_SUCH_FILE\t\t\t\t\t0xC000000F\n#define STATUS_CONFLICTING_ADDRESSES\t\t0xC0000018\n#define STATUS_ACCESS_DENIED\t\t\t\t0xC0000022\n#define STATUS_OBJECT_NAME_NOT_FOUND\t\t0xC0000034\n#define STATUS_OBJECT_PATH_NOT_FOUND\t\t0xC000003A\n#define STATUS_PROCEDURE_NOT_FOUND\t\t\t0xC000007A\n#define STATUS_DEVICE_NOT_READY\t\t\t\t0xC00000A3\n#define STATUS_INVALID_IMAGE_FORMAT\t\t\t0xC000007B\n#define STATUS_NO_TOKEN\t\t\t\t\t\t0xC000007C\n#define STATUS_INSUFFICIENT_RESOURCES\t\t0xC000009A\n#define STATUS_NOT_SUPPORTED\t\t\t\t0xC00000BB\n#define STATUS_INTERNAL_ERROR\t\t\t\t0xC00000E5\n#define STATUS_NAME_TOO_LONG\t\t\t\t0xC0000106\n#define STATUS_COMMITMENT_LIMIT\t\t\t\t0xC000012D\n#define STATUS_NO_APPLICATION_PACKAGE\t\t0xC00001AA\n#define STATUS_RESOURCE_LANG_NOT_FOUND\t\t0xC0000204\n#define STATUS_NOT_FOUND\t\t\t\t\t0xC0000225\n#define STATUS_RETRY\t\t\t\t\t\t0xC000022D\n#define STATUS_INVALID_IMAGE_HASH\t\t\t0xC0000428\n#define STATUS_NEEDS_REMEDIATION\t\t\t0xC0000462\n#define STATUS_PATCH_CONFLICT\t\t\t\t0xC00004AC\n#define STATUS_IMAGE_LOADED_AS_PATCH_IMAGE\t0xC00004C0\n#define STATUS_INVALID_THREAD\t\t\t\t0xC000071C\n\n\n// Implemented.\nextern DWORD*\t\t\t\t\tLdrpPolicyBits;\nextern HANDLE*\t\t\t\t\tLdrpMainThreadToken;\nextern DWORD*\t\t\t\t\tLdrInitState;\nextern DWORD*\t\t\t\t\tLoadFailure;\nextern PRTL_CRITICAL_SECTION\tLdrpWorkQueueLock;\nextern DWORD*\t\t\t\t\tLdrpWorkInProgress;\nextern LIST_ENTRY**\t\t\t\tLdrpWorkQueue;\nextern PHANDLE\t\t\t\t\tLdrpWorkCompleteEvent;\nextern KUSER_SHARED_DATA*\t\tkUserSharedData;\nextern DWORD*\t\t\t\t\tLdrpUseImpersonatedDeviceMap;\nextern DWORD*\t\t\t\t\tLdrpAuditIntegrityContinuity;\nextern DWORD*\t\t\t\t\tLdrpEnforceIntegrityContinuity;\nextern DWORD*\t\t\t\t\tLdrpFatalHardErrorCount;\nextern DWORD*\t\t\t\t\tUseWOW64;\nextern PRTL_SRWLOCK\t\t\t\tLdrpModuleDatatableLock;\nextern PHANDLE\t\t\t\t\tqword_17E238;\nextern LDR_DATA_TABLE_ENTRY**\tLdrpImageEntry;\nextern PUNICODE_STRING\t\t\tLdrpKernel32DllName;\nextern UINT_PTR*\t\t\t\tLdrpAppHeaders;\nextern PHANDLE\t\t\t\t\tLdrpLargePageDllKeyHandle;\nextern ULONG**\t\t\t\t\tLdrpLockMemoryPrivilege;\nextern ULONG64*\t\t\t\t\tLdrpMaximumUserModeAddress;\nextern UINT_PTR*\t\t\t\tLdrpMapAndSnapWork;\nextern LIST_ENTRY*\t\t\t\tLdrpHashTable;\nextern PVOID*\t\t\t\t\tLdrpHeap;\nextern BOOLEAN*\t\t\t\t\tLdrpIsHotPatchingEnabled;\nextern LDR_DATA_TABLE_ENTRY**\tLdrpRedirectionModule;\nextern ULONG64**\t\t\t\tqword_1993A8;\nextern LONG*\t\t\t\t\tNtdllBaseTag;\nextern FUNCTION_TABLE_DATA*\t\tstru_199520;\nextern UINT_PTR*\t\t\t\tqword_199530;\nextern LDR_DATA_TABLE_ENTRY**\tLdrpNtDllDataTableEntry;\nextern UINT_PTR*\t\t\t\tqword_1993B8;\nextern DWORD*\t\t\t\t\tdword_19939C;\nextern DWORD*\t\t\t\t\tLoadFailureOperational;\nextern DWORD*\t\t\t\t\tdword_199398;\nextern UINT_PTR***\t\t\t\tqword_1843B8;\nextern UINT_PTR*\t\t\t\tqword_1843B0;\nextern UINT_PTR*\t\t\t\tLdrpCurrentDllInitializer;\nextern LPVOID**\t\t\t\t\tLdrpProcessInitContextRecord;\nextern PRTL_SRWLOCK\t\t\t\tLdrpTlsLock;\nextern TLS_ENTRY**\t\t\t\tLdrpTlsList;\n\ntypedef NTSTATUS(__fastcall** tLdrpManifestProberRoutine)(PIMAGE_DOS_HEADER Base, PWCHAR, PVOID);\nextern tLdrpManifestProberRoutine LdrpManifestProberRoutine;\ntypedef BOOLEAN(__fastcall** tLdrpRedirectionCalloutFunc)(PWCHAR Buffer);\nextern tLdrpRedirectionCalloutFunc LdrpRedirectionCalloutFunc;\n\n\nPEB* NtCurrentPeb();\nVOID __fastcall NtdllpFreeStringRoutine(PWCH Buffer); // CHECKED.\nNTSTATUS __fastcall LdrpFastpthReloadedDll(PUNICODE_STRING FullPath, ULONG Flags, PLDR_DATA_TABLE_ENTRY LdrEntry, LDR_DATA_TABLE_ENTRY** DllEntry);\nNTSTATUS __fastcall LdrpIncrementModuleLoadCount(LDR_DATA_TABLE_ENTRY* LdrEntry);\nVOID __fastcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString); // CHECKED.\nVOID __fastcall LdrpFreeUnicodeString(PUNICODE_STRING String);\nULONG __fastcall RtlGetCurrentServiceSessionId(VOID); // CHECKED ?\nUSHORT __fastcall LdrpGetBaseNameFromFullName(PUNICODE_STRING BaseName, PUNICODE_STRING FullName);\nPWCHAR __fastcall RtlGetNtSystemRoot();\nBOOLEAN __fastcall LdrpHpatAllocationOptOut(PUNICODE_STRING FullDllName);\nNTSTATUS __fastcall LdrpCorValidateImage(PIMAGE_DOS_HEADER DosHeader);\nNTSTATUS __fastcall LdrpCorFixupImage(PIMAGE_DOS_HEADER DosHeader);\nNTSTATUS __fastcall LdrpFindLoadedDllByNameLockHeld(PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, ULONG64 Flags, LDR_DATA_TABLE_ENTRY** pLdrEntry, ULONG BaseNameHashValue);\nBOOLEAN __fastcall LdrpIsILOnlyImage(PIMAGE_DOS_HEADER DllBase);\nVOID __fastcall LdrpAddNodeServiceTag(LDR_DDAG_NODE* DdagNode, UINT_PTR ServiceTag);\nPIMAGE_LOAD_CONFIG_DIRECTORY LdrImageDirectoryEntryToLoadConfig(PIMAGE_DOS_HEADER DllBase);\nBOOLEAN __fastcall LdrpShouldModuleImportBeRedirected(LDR_DATA_TABLE_ENTRY* DllEntry);\nPIMAGE_IMPORT_DESCRIPTOR __fastcall LdrpGetImportDescriptorForSnap(LDRP_LOAD_CONTEXT* LoadContext);\nNTSTATUS __fastcall LdrpMapCleanModuleView(LDRP_LOAD_CONTEXT* LoadContext);\nLDR_DATA_TABLE_ENTRY* __fastcall LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry);\nNTSTATUS __fastcall LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrDataTableEntry);\nVOID __fastcall LdrpHandlePendingModuleReplaced(LDRP_LOAD_CONTEXT* LoadContext);\nPIMAGE_SECTION_HEADER __fastcall RtlSectionTableFromVirtualAddress(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address);\nPIMAGE_SECTION_HEADER __fastcall RtlAddressInSectionTable(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address);\nBOOLEAN __fastcall LdrpValidateEntrySection(LDR_DATA_TABLE_ENTRY* DllEntry);\nBOOL __fastcall LdrpIsExecutableRelocatedImage(PIMAGE_DOS_HEADER DllBase);\nTLS_ENTRY* __fastcall LdrpFindTlsEntry(LDR_DATA_TABLE_ENTRY* LdrEntry);\nBOOL __fastcall ImageTlsCallbackCaller(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved);\n\nextern \"C\" NTSTATUS __fastcall ZwSystemDebugControl();\nextern \"C\" NTSTATUS __fastcall NtCreateSection(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES * ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle);\nextern \"C\" NTSTATUS __fastcall ZwMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle, PIMAGE_DOS_HEADER * BaseAddress, ULONG64 ZeroBits, ULONG64 CommitSize, PLARGE_INTEGER SectionOffset, PULONG ViewSize, SECTION_INHERIT InheritDisposition, ULONG64 AllocationType, ULONG64 Protect);\nextern \"C\" NTSTATUS __fastcall ZwMapViewOfSectionEx(HANDLE SectionHandle, HANDLE ProcessHandle, PIMAGE_DOS_HEADER * DllBase, PLARGE_INTEGER a4, PULONG ViewSize, ULONG a6, ULONG a7, MEM_EXTENDED_PARAMETER * MemExtendedParam, ULONG a9);\nextern \"C\" NTSTATUS __fastcall NtUnmapViewOfSection(HANDLE ProcessHandle, PVOID BaseAddress);\nextern \"C\" NTSTATUS __fastcall ZwProtectVirtualMemory(HANDLE ProcessHandle, PVOID * BaseAddress, PULONG ProtectSize, ULONG NewProtect, PULONG OldProtect);\nextern \"C\" NTSTATUS __fastcall ZwQueryVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID MemoryInformation, SIZE_T MemoryInformationLength, PSIZE_T ReturnLength);\nextern \"C\" NTSTATUS __fastcall NtQueryInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);\n\n// Planning to implement them all in the future.\ntypedef NTSTATUS(__fastcall* tNtOpenThreadToken)(IN HANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN OpenAsSelf, OUT PHANDLE TokenHandle);\nextern\ttNtOpenThreadToken NtOpenThreadToken;\n\ntypedef NTSTATUS(__fastcall* tNtClose)(HANDLE Handle);\nextern\ttNtClose NtClose;\n\ntypedef PVOID(__fastcall* tRtlAllocateHeap)(IN PVOID HeapHandle, IN OPTIONAL ULONG Flags, IN SIZE_T Size);\nextern\ttRtlAllocateHeap RtlAllocateHeap;\n\ntypedef BOOLEAN(__fastcall* tRtlFreeHeap)(IN PVOID HeapHandle, IN OPTIONAL ULONG Flags, _Frees_ptr_opt_ PVOID BaseAddress);\nextern\ttRtlFreeHeap RtlFreeHeap;\n\ntypedef NTSTATUS(__fastcall* tLdrGetDllPath)(PWCH DllName, DWORD dwFlags, PWSTR* Path, PWSTR* Unknown);\nextern\ttLdrGetDllPath LdrGetDllPath;\n\ntypedef VOID(__fastcall* tRtlReleasePath)(IN PWSTR);\nextern\ttRtlReleasePath RtlReleasePath;\n\ntypedef NTSTATUS(__fastcall* tRtlInitUnicodeStringEx)(PUNICODE_STRING target, PCWSTR source);\nextern\ttRtlInitUnicodeStringEx RtlInitUnicodeStringEx;\n\ntypedef NTSTATUS(__fastcall* tRtlEnterCriticalSection)(PRTL_CRITICAL_SECTION CriticalSection);\nextern\ttRtlEnterCriticalSection RtlEnterCriticalSection;\n\ntypedef NTSTATUS(__fastcall* tRtlLeaveCriticalSection)(PRTL_CRITICAL_SECTION CriticalSection);\nextern\ttRtlLeaveCriticalSection RtlLeaveCriticalSection;\n\ntypedef NTSTATUS(__fastcall* tZwSetEvent)(HANDLE EventHandle, PLONG PreviousState);\nextern\ttZwSetEvent ZwSetEvent;\n\ntypedef NTSTATUS(__fastcall* tNtOpenFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES* ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);\nextern tNtOpenFile NtOpenFile;\n\ntypedef NTSTATUS(__fastcall* tLdrAppxHandleIntegrityFailure)(NTSTATUS Status);\nextern tLdrAppxHandleIntegrityFailure LdrAppxHandleIntegrityFailure;\n\ntypedef NTSTATUS(__fastcall* tNtRaiseHardError)(NTSTATUS Status, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask, INT* Parameters, HARDERROR_RESPONSE_OPTION ValidResponseOption, HARDERROR_RESPONSE* Response);\nextern tNtRaiseHardError NtRaiseHardError;\n\ntypedef NTSTATUS(__fastcall* tRtlImageNtHeaderEx)(ULONG Flags, PVOID Base, ULONG64 Size, PIMAGE_NT_HEADERS* OutHeaders);\nextern tRtlImageNtHeaderEx RtlImageNtHeaderEx;\n\ntypedef VOID(__fastcall* tRtlAcquireSRWLockExclusive)(PRTL_SRWLOCK SRWLock);\nextern tRtlAcquireSRWLockExclusive RtlAcquireSRWLockExclusive;\n\ntypedef NTSTATUS(__fastcall* tRtlReleaseSRWLockExclusive)(PRTL_SRWLOCK SRWLock);\nextern tRtlReleaseSRWLockExclusive RtlReleaseSRWLockExclusive;\n\ntypedef NTSTATUS(__fastcall* tRtlEqualUnicodeString)(PUNICODE_STRING String1, PUNICODE_STRING String2, BOOLEAN CaseInSensitive);\nextern tRtlEqualUnicodeString RtlEqualUnicodeString;\n\ntypedef NTSTATUS(__fastcall* tRtlAcquirePrivilege)(ULONG* Privilege,ULONG NumPriv,ULONG Flags,PVOID * ReturnedState);\nextern tRtlAcquirePrivilege RtlAcquirePrivilege;\n\ntypedef VOID(__fastcall* tRtlReleasePrivilege)(PVOID ReturnedState);\nextern tRtlReleasePrivilege RtlReleasePrivilege;\n\ntypedef NTSTATUS(__fastcall* tRtlCompareUnicodeStrings)(PWCH String1, UINT_PTR String1Length, PWCH String2, UINT_PTR String2Length, BOOLEAN CaseInSensitive);\nextern tRtlCompareUnicodeStrings RtlCompareUnicodeStrings;\n\ntypedef PIMAGE_NT_HEADERS(__fastcall* tRtlImageNtHeader)(PIMAGE_DOS_HEADER DosHeader);\nextern tRtlImageNtHeader RtlImageNtHeader;\n\ntypedef UINT_PTR(__fastcall* tRtlReleaseActivationContext)(ACTIVATION_CONTEXT* ActivationContext);\nextern tRtlReleaseActivationContext RtlReleaseActivationContext;\n\ntypedef NTSTATUS(__fastcall* tRtlCharToInteger)(const PCHAR String, ULONG Base, PULONG Value);\nextern tRtlCharToInteger RtlCharToInteger;\n\ntypedef NTSTATUS(__fastcall* tRtlActivateActivationContextUnsafeFast)(RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED* StackFrameExtended, ACTIVATION_CONTEXT* ActivationContext);\nextern tRtlActivateActivationContextUnsafeFast RtlActivateActivationContextUnsafeFast;\n\ntypedef VOID(__fastcall* tRtlDeactivateActivationContextUnsafeFast)(RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED* StackFrameExtended);\nextern tRtlDeactivateActivationContextUnsafeFast RtlDeactivateActivationContextUnsafeFast;\n\ntypedef NTSTATUS(__fastcall* tRtlAcquireSRWLockShared)(PRTL_SRWLOCK SrwLock);\nextern tRtlAcquireSRWLockShared RtlAcquireSRWLockShared;\n\ntypedef NTSTATUS(__fastcall* tRtlReleaseSRWLockShared)(PRTL_SRWLOCK SrwLock);\nextern tRtlReleaseSRWLockShared RtlReleaseSRWLockShared;\n\n// Signatured\n#define LDRP_LOG_INTERNAL_PATTERN \"\\x89\\x54\\x24\\x10\\x4C\\x8B\\xDC\\x49\\x89\\x4B\\x08\"\ntypedef NTSTATUS(__fastcall* tLdrpLogInternal)(PCHAR, ULONG, PCHAR, ULONG, PCHAR, ...);\nextern\ttLdrpLogInternal LdrpLogInternal;\n\n#define LDRP_INITIALIZE_DLLPATH_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x57\\x48\\x83\\xEC\\x30\\x49\\x8B\\xF8\\x48\\x8B\\xDA\\x48\\x8B\\xF1\"\ntypedef NTSTATUS(__fastcall* tLdrpInitializeDllPath)(PWSTR DllName, PWSTR DllPath, LDR_UNKSTRUCT* ReturnPath);\nextern\ttLdrpInitializeDllPath LdrpInitializeDllPath;\n\n#define LDRP_DEREFERENCE_MODULE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x48\\x83\\xEC\\x20\\x48\\x8B\\x81\\x98\\x00\\x00\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpDereferenceModule)(LDR_DATA_TABLE_ENTRY* DllEntry);\nextern\ttLdrpDereferenceModule LdrpDereferenceModule;\n\n#define LDRP_LOG_DLLSTATE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x57\\x48\\x83\\xEC\\x30\\x65\\x48\\x8B\\x04\\x25\\x60\\x00\\x00\\x00\\x41\"\ntypedef NTSTATUS(__fastcall* tLdrpLogDllState)(UINT_PTR, PUNICODE_STRING, ULONG);\nextern\ttLdrpLogDllState LdrpLogDllState;\n\n#define LDRP_PREPROCESS_DLLNAME_PATTERN \"\\x4C\\x8B\\xDC\\x49\\x89\\x5B\\x08\\x49\\x89\\x6B\\x10\\x49\\x89\\x73\\x18\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x83\\xEC\\x40\"\ntypedef NTSTATUS(__fastcall* tLdrpPreprocessDllName)(PUNICODE_STRING DllName, PUNICODE_STRING ResName, PULONG pZero, PULONG pFlags);\nextern\ttLdrpPreprocessDllName LdrpPreprocessDllName;\n\n#define LDRP_FIND_LOADEDDLLBYNAME_PATTERN \"\\x48\\x8B\\xC4\\x53\\x55\\x41\\x57\\x48\\x83\\xEC\\x50\"\ntypedef NTSTATUS(__fastcall* tLdrpFindLoadedDllByName)(PUNICODE_STRING FullPath, PUNICODE_STRING DllName, USHORT Flags, LDR_DATA_TABLE_ENTRY** DllEntry, LDR_DDAG_STATE* ReturnStatus);\nextern tLdrpFindLoadedDllByName LdrpFindLoadedDllByName;\n\n#define LDRP_DRAIN_WORKQUEUE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x41\\x54\\x41\\x56\\x48\\x83\\xEC\\x20\\x4C\\x8B\\x35\\x35\\xA3\\x15\\x00\"\ntypedef TEB* (__fastcall* tLdrpDrainWorkQueue)(DRAIN_TASK DrainTask);\nextern\ttLdrpDrainWorkQueue LdrpDrainWorkQueue;\n\n#define LDRP_FIND_LOADEDDLL_BYHANDLE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x48\\x89\\x7C\\x24\\x18\\x41\\x56\\x48\\x83\\xEC\\x20\\x33\\xDB\\x49\\x8B\\xF8\\x4C\\x8B\\xF2\"\ntypedef NTSTATUS(__fastcall* tLdrpFindLoadedDllByHandle)(unsigned __int64 a1, PLDR_DATA_TABLE_ENTRY* ppLdrEntry, DWORD* a3);\nextern\ttLdrpFindLoadedDllByHandle LdrpFindLoadedDllByHandle;\n\n#define LDRP_DROP_LASTINPROGRESS_COUNT_PATTERN \"\\x48\\x83\\xEC\\x28\\x65\\x48\\x8B\\x04\\x25\\x30\\x00\\x00\\x00\\xB9\\xFF\\xEF\\x00\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpDropLastInProgressCount)();\nextern\ttLdrpDropLastInProgressCount LdrpDropLastInProgressCount;\n\n#define LDRP_QUERY_CURRENT_PATCH_PATTERN \"\\x48\\x8B\\xC4\\x48\\x89\\x58\\x08\\x48\\x89\\x70\\x10\\x48\\x89\\x78\\x20\\x55\\x41\\x56\"\ntypedef NTSTATUS(__fastcall* tLdrpQueryCurrentPatch)(ULONG Checksum, ULONG TimeDateStamp, PUNICODE_STRING FullPath);\nextern\ttLdrpQueryCurrentPatch LdrpQueryCurrentPatch;\n\n#define LDRP_UNDO_PATCH_IMAGE_PATTERN \"\\x4C\\x8B\\xDC\\x53\\x48\\x83\\xEC\\x40\\x48\\x8B\\x41\\x30\\x4D\\x8D\\x4B\\x08\"\ntypedef NTSTATUS(__fastcall* tLdrpUndoPatchImage)(PLDR_DATA_TABLE_ENTRY LdrEntry);\nextern\ttLdrpUndoPatchImage LdrpUndoPatchImage;\n\n#define LDRP_DETECT_DETOUR_PATTERN \"\\x40\\x57\\x48\\x83\\xEC\\x30\\x80\\x3D\\x87\\x32\\x11\\x00\\x00\\x75\\x7B\"\ntypedef VOID(__fastcall* tLdrpDetectDetour)();\nextern\ttLdrpDetectDetour LdrpDetectDetour;\n\n#define LDRP_FINDORPREPARE_LOADINGMODULE_PATTERN \"\\x48\\x8B\\xC4\\x48\\x89\\x58\\x08\\x48\\x89\\x68\\x10\\x48\\x89\\x70\\x20\\x57\\x41\\x56\\x41\\x57\\x48\\x83\\xEC\\x50\"\ntypedef NTSTATUS(__fastcall* tLdrpFindOrPrepareLoadingModule)(PUNICODE_STRING FullPath, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, ULONG LdrFlags, PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY* pLdrEntryLoaded, NTSTATUS* pStatus);\nextern\ttLdrpFindOrPrepareLoadingModule LdrpFindOrPrepareLoadingModule;\n\n#define LDRP_FREE_LOAD_CONTEXT_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x57\\x48\\x83\\xEC\\x20\\x48\\x8B\\x41\\x38\\x48\\x8B\\xD9\\x48\\x83\\xA0\\xB0\\x00\\x00\\x00\"\ntypedef VOID(__fastcall* tLdrpFreeLoadContext)(PLDRP_LOAD_CONTEXT LoadContext);\nextern\ttLdrpFreeLoadContext LdrpFreeLoadContext;\n\n#define LDRP_CONDENSE_GRAPH_PATTERN \"\\x48\\x8B\\xC4\\x48\\x83\\xEC\\x28\\x83\\x79\\x38\\x06\\x7D\\x19\"\ntypedef PVOID* (__fastcall* tLdrpCondenseGraph)(LDR_DDAG_NODE* DdagNode);\nextern\ttLdrpCondenseGraph LdrpCondenseGraph;\n\n#define LDRP_BUILD_FORWARDER_LINK_PATTERN \"\\x48\\x89\\x5C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x48\\x83\\xEC\\x20\\x33\\xDB\\x48\\x8B\\xF2\"\ntypedef NTSTATUS(__fastcall* tLdrpBuildForwarderLink)(PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2);\nextern\ttLdrpBuildForwarderLink LdrpBuildForwarderLink;\n\n#define LDRP_PIN_MODULE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x57\\x48\\x83\\xEC\\x20\\x48\\x8B\\xD9\\x33\\xFF\\x48\\x8D\\x0D\\x02\\xBB\\x10\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpPinModule)(PLDR_DATA_TABLE_ENTRY LdrEntry);\nextern tLdrpPinModule LdrpPinModule;\n\n#define LDRP_APPLY_PATCH_IMAGE_PATTERN \"\\x48\\x89\\x5C\\x24\\x10\\x48\\x89\\x7C\\x24\\x18\\x55\\x41\\x56\\x41\\x57\\x48\\x8B\\xEC\"\ntypedef NTSTATUS(__fastcall* tLdrpApplyPatchImage)(PLDR_DATA_TABLE_ENTRY LdrEntry);\nextern tLdrpApplyPatchImage LdrpApplyPatchImage;\n\n#define LDRP_FREE_LOADCONTEXT_NODE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x57\\x48\\x83\\xEC\\x20\\x48\\x8B\\x19\\x48\\x8B\\xF2\"\ntypedef NTSTATUS(__fastcall* tLdrpFreeLoadContextOfNode)(PLDR_DDAG_NODE DdagNode, NTSTATUS* pStatus);\nextern tLdrpFreeLoadContextOfNode LdrpFreeLoadContextOfNode;\n\n#define LDRP_DECREMENT_MODULELOADCOUNTEX_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x57\\x48\\x83\\xEC\\x20\\x8B\\xFA\\x48\\x8B\\xD9\\x85\\xD2\"\ntypedef NTSTATUS(__fastcall* tLdrpDecrementModuleLoadCountEx)(PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2);\nextern tLdrpDecrementModuleLoadCountEx LdrpDecrementModuleLoadCountEx;\n\n#define LDRP_LOG_ERROR_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x48\\x83\\xEC\\x30\\x49\\x8B\\xD9\"\ntypedef PEB*(__fastcall* tLdrpLogError)(NTSTATUS Status, ULONG, ULONG, PVOID);\nextern tLdrpLogError LdrpLogError;\n\n#define LDRP_LOG_DEPRECATED_DLL_PATTERN \"\\x48\\x89\\x5C\\x24\\x10\\x48\\x89\\x6C\\x24\\x18\\x48\\x89\\x74\\x24\\x20\\x57\\x48\\x83\\xEC\\x40\"\ntypedef WCHAR*(__fastcall* tLdrpLogDeprecatedDllEtwEvent)(PLDRP_LOAD_CONTEXT LoadContext);\nextern tLdrpLogDeprecatedDllEtwEvent LdrpLogDeprecatedDllEtwEvent;\n\n#define LDRP_LOG_LOAD_FAILURE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x44\\x89\\x44\\x24\\x18\\x55\\x56\\x57\\x48\\x8B\\xEC\\x48\\x83\\xEC\\x70\"\ntypedef VOID(__fastcall* tLdrpLogLoadFailureEtwEvent)(PVOID Unknown, PVOID Unknown2, NTSTATUS Status, PVOID LoadFailure, ULONG Unknown3);\nextern tLdrpLogLoadFailureEtwEvent LdrpLogLoadFailureEtwEvent;\n\n#define LDRP_REPORT_ERROR_PATTERN \"\\x48\\x89\\x5C\\x24\\x20\\x55\\x56\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x8D\\xAC\\x24\\x50\\xFF\\xFF\\xFF\\x48\\x81\\xEC\\xB0\\x01\\x00\\x00\\x48\\x8B\\x05\\xEE\\x08\\x19\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpReportError)(PVOID Report, ULONG Unknown, NTSTATUS Status);\nextern tLdrpReportError LdrpReportError;\n\n#define LDRP_RESOLVE_DLLNAME_PATTERN \"\\x4C\\x8B\\xDC\\x49\\x89\\x5B\\x08\\x49\\x89\\x6B\\x10\\x49\\x89\\x73\\x20\\x4D\\x89\\x43\\x18\\x57\\x41\\x54\\x41\\x55\\x41\\x56\"\ntypedef NTSTATUS(__fastcall* tLdrpResolveDllName)(PLDRP_LOAD_CONTEXT FileName, LDRP_FILENAME_BUFFER* FileNameBuffer, PUNICODE_STRING FullName, PUNICODE_STRING ResolvedName, DWORD Flags);\nextern tLdrpResolveDllName LdrpResolveDllName;\n\n#define LDRP_APP_COMPAT_REDIRECT_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x41\\x56\\x41\\x57\\x48\\x83\\xEC\\x50\\x45\\x33\\xFF\\x49\\x8B\\xF1\\x44\\x38\\x3D\\xC3\\x3A\\x17\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpAppCompatRedirect)(PLDRP_LOAD_CONTEXT LoadContext, PUNICODE_STRING FullDllName, PUNICODE_STRING BaseDllName, LDRP_FILENAME_BUFFER* FileNameBuffer, NTSTATUS Status);\nextern tLdrpAppCompatRedirect LdrpAppCompatRedirect;\n\n#define LDRP_HASH_UNICODE_STRING_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x57\\x48\\x83\\xEC\\x20\\x45\\x33\\xDB\"\ntypedef ULONG(__fastcall* tLdrpHashUnicodeString)(PUNICODE_STRING BaseDllName);\nextern tLdrpHashUnicodeString LdrpHashUnicodeString;\n\n#define LDRP_FIND_EXISTING_MODULE_PATTERN \"\\x48\\x8B\\xC4\\x48\\x89\\x58\\x08\\x48\\x89\\x68\\x10\\x48\\x89\\x70\\x18\\x48\\x89\\x78\\x20\\x41\\x56\\x48\\x83\\xEC\\x30\\x48\\x8B\\x7C\\x24\\x60\\x48\\x8B\\xD9\"\ntypedef NTSTATUS(__fastcall* tLdrpFindExistingModule)(PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, UINT64 Flags, ULONG BaseDllNameHash, PLDR_DATA_TABLE_ENTRY* LoadedDll);\nextern tLdrpFindExistingModule LdrpFindExistingModule;\n\n#define LDRP_LOADCONTEXT_REPLACE_MODULE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x48\\x83\\xEC\\x20\\x48\\x8B\\xD9\\x48\\x8B\\xF2\"\ntypedef NTSTATUS(__fastcall* tLdrpLoadContextReplaceModule)(PLDRP_LOAD_CONTEXT LoadContext, PLDR_DATA_TABLE_ENTRY LoadedDll);\nextern tLdrpLoadContextReplaceModule LdrpLoadContextReplaceModule;\n\n#define LDRP_SEARCHPATH_PATTERN \"\\x48\\x89\\x5C\\x24\\x18\\x55\\x56\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x8D\\x6C\\x24\\xF9\\x48\\x81\\xEC\\xD0\\x00\\x00\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpSearchPath)(LDRP_LOAD_CONTEXT* LoadContext, LDR_UNKSTRUCT* UnkStruct, ULONG Flags, PUNICODE_STRING ReturnPath, LDRP_FILENAME_BUFFER* FileName, PUNICODE_STRING BaseDllName, PUNICODE_STRING UnkStruct3_String, BOOL* a8, LDR_UNKSTRUCT3* UnkStruct3);\nextern tLdrpSearchPath LdrpSearchPath;\n\n#define LDRP_ISSECURITYETW_LOGG_ENABLED_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x57\\x48\\x83\\xEC\\x20\\xE8\\x04\\xA2\\x02\\x00\"\ntypedef BOOLEAN(__fastcall* tLdrpIsSecurityEtwLoggingEnabled)();\nextern tLdrpIsSecurityEtwLoggingEnabled LdrpIsSecurityEtwLoggingEnabled;\n\n#define LDRP_LOGETW_DLL_SEARCHRESULTS_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x55\\x56\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x8B\\xEC\\x48\\x83\\xEC\\x60\\x44\\x8B\\xF9\"\ntypedef VOID(__fastcall* tLdrpLogEtwDllSearchResults)(ULONG Flags, LDRP_LOAD_CONTEXT* LoadContext);\nextern tLdrpLogEtwDllSearchResults LdrpLogEtwDllSearchResults;\n\n#define LDRP_CHECKFORRETRY_LOADING_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x83\\xEC\\x20\\x33\\xDB\\x44\\x8A\\xFA\"\ntypedef BOOLEAN(__fastcall* tLdrpCheckForRetryLoading)(PLDRP_LOAD_CONTEXT LoadContext, BOOLEAN Unknown);\nextern tLdrpCheckForRetryLoading LdrpCheckForRetryLoading;\n\n#define LDRP_LOG_ETWEVENT_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x81\\xEC\\x80\\x02\\x00\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpLogEtwEvent)(ULONG a1, ULONGLONG a2, ULONG a3, ULONG a4);\nextern tLdrpLogEtwEvent LdrpLogEtwEvent;\n\n#define LDRP_CHECK_COMPONENTONDEMAND_PATTERN \"\\x48\\x89\\x5C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x55\\x57\\x41\\x56\\x48\\x8B\\xEC\\x48\\x81\\xEC\\x80\\x00\\x00\\x00\"\ntypedef BOOLEAN(__fastcall* tLdrpCheckComponentOnDemandEtwEvent)(LDRP_LOAD_CONTEXT* LoadContext);\nextern tLdrpCheckComponentOnDemandEtwEvent LdrpCheckComponentOnDemandEtwEvent;\n\n#define LDRP_VALIDATE_INTEGRITY_PATTERN \"\\x44\\x88\\x44\\x24\\x18\\x53\\x56\\x57\\x48\\x83\\xEC\\x30\"\ntypedef NTSTATUS(__fastcall* tLdrpValidateIntegrityContinuity)(PLDRP_LOAD_CONTEXT LoadContext, HANDLE FileHandle);\nextern tLdrpValidateIntegrityContinuity LdrpValidateIntegrityContinuity;\n\n#define LDRP_SET_MODULE_SIGNINGLEVEL_PATTERN \"\\x4C\\x8B\\xDC\\x49\\x89\\x5B\\x10\\x49\\x89\\x73\\x18\\x49\\x89\\x7B\\x20\\x49\\x89\\x4B\\x08\\x41\\x56\"\ntypedef NTSTATUS(__fastcall* tLdrpSetModuleSigningLevel)(HANDLE FileHandle, PLDR_DATA_TABLE_ENTRY LoadContext, PULONG pSigningLevel, ULONG NewSigningLevelMaybe);\nextern tLdrpSetModuleSigningLevel LdrpSetModuleSigningLevel;\n\n#define LDRP_CODE_AUTHZCHECKDLL_ALLOWED_PATTERN \"\\x48\\x83\\x3D\\xC8\\x44\\x17\\x00\\x00\\x4C\\x8B\\xCA\"\ntypedef NTSTATUS(__fastcall* tLdrpCodeAuthzCheckDllAllowed)(LDRP_FILENAME_BUFFER* pFileNameBuffer, HANDLE FileHandle);\nextern tLdrpCodeAuthzCheckDllAllowed LdrpCodeAuthzCheckDllAllowed;\n\n#define LDRP_GET_FULLPATH_PATTERN \"\\x4C\\x8B\\xDC\\x49\\x89\\x5B\\x08\\x55\\x56\\x57\\x41\\x56\\x41\\x57\\x48\\x83\\xEC\\x30\"\ntypedef NTSTATUS(__fastcall* tLdrpGetFullPath)(PLDRP_LOAD_CONTEXT LoadContext, PUNICODE_STRING FullPath);\nextern tLdrpGetFullPath LdrpGetFullPath;\n\n#define LDRP_ALLOCATE_UNICODESTRING_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x57\\x48\\x83\\xEC\\x20\\x33\\xDB\\x8D\\x7A\\x02\"\ntypedef NTSTATUS(__fastcall* tLdrpAllocateUnicodeString)(PUNICODE_STRING Allocated, USHORT Length);\nextern tLdrpAllocateUnicodeString LdrpAllocateUnicodeString;\n\n#define LDRP_APPEND_UNICODETOFILENAME_PATTERN \"\\x48\\x8B\\xC4\\x48\\x89\\x58\\x08\\x48\\x89\\x68\\x10\\x48\\x89\\x70\\x18\\x48\\x89\\x78\\x20\\x41\\x56\\x48\\x83\\xEC\\x20\\x45\\x33\\xF6\\x48\\x8B\\xEA\"\ntypedef NTSTATUS(__fastcall* tLdrpAppendUnicodeStringToFilenameBuffer)(PUNICODE_STRING FileName, PLDRP_LOAD_CONTEXT LoadContext);\nextern tLdrpAppendUnicodeStringToFilenameBuffer LdrpAppendUnicodeStringToFilenameBuffer;\n\n#define LDRP_GET_NTPATH_FROM_DOSPATH_PATTERN \"\\x48\\x89\\x5C\\x24\\x18\\x55\\x56\\x57\\x48\\x8D\\x6C\\x24\\xB9\\x48\\x81\\xEC\\xC0\\x00\\x00\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpGetNtPathFromDosPath)(PUNICODE_STRING DosPath, LDRP_FILENAME_BUFFER* NtPath);\nextern tLdrpGetNtPathFromDosPath LdrpGetNtPathFromDosPath;\n\n#define LDRP_FIND_LOADEDDLL_MAPLOCK_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x41\\x56\\x41\\x57\\x48\\x83\\xEC\\x30\\x4C\\x8B\\x15\\xFD\\x89\\x15\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpFindLoadedDllByMappingLockHeld)(PIMAGE_DOS_HEADER DllBase, PIMAGE_NT_HEADERS OutHeaders, PVOID Unknown, PLDR_DATA_TABLE_ENTRY* pLdrEntry);\nextern tLdrpFindLoadedDllByMappingLockHeld LdrpFindLoadedDllByMappingLockHeld;\n\n#define LDRP_INSERT_DATATABLEENTRY_PATTERN \"\\x40\\x53\\x48\\x83\\xEC\\x20\\xF6\\x41\\x68\\x40\"\ntypedef VOID(__fastcall* tLdrpInsertDataTableEntry)(PLDR_DATA_TABLE_ENTRY LdrEntry);\nextern tLdrpInsertDataTableEntry LdrpInsertDataTableEntry;\n\n#define LDRP_INSERT_MODTOIDX_LOCKHELD_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x57\\x48\\x83\\xEC\\x20\\x44\\x8B\\x4A\\x08\"\ntypedef NTSTATUS(__fastcall* tLdrpInsertModuleToIndexLockHeld)(PLDR_DATA_TABLE_ENTRY LdrEntry, PIMAGE_NT_HEADERS OutHeaders);\nextern tLdrpInsertModuleToIndexLockHeld LdrpInsertModuleToIndexLockHeld;\n\n#define LDRP_LOGETW_HOTPATCHSTATUS_PATTERN \"\\x48\\x8B\\xC4\\x48\\x89\\x58\\x08\\x48\\x89\\x70\\x10\\x48\\x89\\x78\\x18\\x4C\\x89\\x60\\x20\\x55\\x41\\x56\\x41\\x57\\x48\\x8D\\x68\\x98\"\ntypedef NTSTATUS(__fastcall* tLdrpLogEtwHotPatchStatus)(PUNICODE_STRING BaseDllName, LDR_DATA_TABLE_ENTRY* LdrEntry, PUNICODE_STRING FullDllName, NTSTATUS Status, ULONG Unknown);\nextern tLdrpLogEtwHotPatchStatus LdrpLogEtwHotPatchStatus;\n\n#define LDRP_LOG_NEWDLL_LOAD_PATTERN \"\\x48\\x8B\\xC4\\x48\\x89\\x58\\x08\\x48\\x89\\x68\\x10\\x48\\x89\\x70\\x18\\x48\\x89\\x78\\x20\\x41\\x56\\x48\\x83\\xEC\\x30\\x48\\x8B\\xEA\\x4C\\x8B\\xF1\"\ntypedef PEB*(__fastcall* tLdrpLogNewDllLoad)(LDR_DATA_TABLE_ENTRY* LdrEntry, LDR_DATA_TABLE_ENTRY* LdrEntry2);\nextern tLdrpLogNewDllLoad LdrpLogNewDllLoad;\n\n#define LDRP_PROCESS_MACHINE_MISMATCH_PATTERN \"\\x40\\x53\\x55\\x57\\x48\\x83\\xEC\\x40\\x48\\x8B\\x59\\x38\"\ntypedef NTSTATUS(__fastcall* tLdrpProcessMachineMismatch)(PLDRP_LOAD_CONTEXT LoadContext);\nextern tLdrpProcessMachineMismatch LdrpProcessMachineMismatch;\n\n#define RTL_QUERY_IMAGEFILE_KEYOPT_PATTERN \"\\x48\\x89\\x5C\\x24\\x10\\x55\\x56\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x8D\\xAC\\x24\\xA0\\xFC\\xFF\\xFF\"\ntypedef NTSTATUS(__fastcall* tRtlQueryImageFileKeyOption)(HANDLE hKey, PCWSTR lpszOption, ULONG dwType, PVOID lpData, ULONG cbData, ULONG* lpcbData);\nextern tRtlQueryImageFileKeyOption RtlQueryImageFileKeyOption;\n\n#define RTLP_IMAGEDIR_ENTRYTODATA_PATTERN \"\\x4C\\x8B\\xDC\\x49\\x89\\x5B\\x10\\x49\\x89\\x6B\\x18\\x49\\x89\\x73\\x20\\x57\\x41\\x56\\x41\\x57\\x48\\x83\\xEC\\x20\\x4C\\x8B\\x74\\x24\\x60\"\ntypedef NTSTATUS(__fastcall* tRtlpImageDirectoryEntryToDataEx)(PIMAGE_DOS_HEADER DllBase, BOOLEAN Unknown, WORD Characteristics, ULONG64* LastRVASection, PVOID OutHeader);\nextern tRtlpImageDirectoryEntryToDataEx RtlpImageDirectoryEntryToDataEx;\n\n#define LDRP_LOG_DLLRELOCATION_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x83\\xEC\\x20\\x4D\\x8B\\xF1\"\ntypedef PVOID(__fastcall* tLdrpLogDllRelocationEtwEvent)(PUNICODE_STRING FullDllName, ULONGLONG ImageBase, PIMAGE_DOS_HEADER DllBase, SIZE_T Size);\nextern tLdrpLogDllRelocationEtwEvent LdrpLogDllRelocationEtwEvent;\n\n#define LDRP_NOTIFY_LOADOFGRAPH_PATTERN \"\\x48\\x89\\x5C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x48\\x83\\xEC\\x20\\x48\\x8B\\x71\\x28\\x48\\x8B\\xF9\"\ntypedef NTSTATUS(__fastcall* tLdrpNotifyLoadOfGraph)(LDR_DDAG_NODE* DdagNode);\nextern tLdrpNotifyLoadOfGraph LdrpNotifyLoadOfGraph;\n\n#define LDRP_DYNAMIC_SHIMMODULE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x18\\x48\\x89\\x74\\x24\\x20\\x57\\x41\\x56\\x41\\x57\\x48\\x83\\xEC\\x40\"\ntypedef NTSTATUS(__fastcall* tLdrpDynamicShimModule)(LDR_DDAG_NODE* DdagNode);\nextern tLdrpDynamicShimModule LdrpDynamicShimModule;\n\n#define LDRP_ACQUIRE_LOADERLOCK_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x57\\x48\\x83\\xEC\\x30\\xE8\\xE4\\x9E\\xFE\\xFF\"\ntypedef NTSTATUS(__fastcall* tLdrpAcquireLoaderLock)();\nextern tLdrpAcquireLoaderLock LdrpAcquireLoaderLock;\n\n#define LDRP_RELEASE_LOADER_LOCK_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x57\\x48\\x83\\xEC\\x30\\x48\\x8D\\x0D\\x2E\\xD8\\x12\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpReleaseLoaderLock)(ULONG64 Unused, ULONG Two, ULONG64 LdrFlags);\nextern tLdrpReleaseLoaderLock LdrpReleaseLoaderLock;\n\n#define LDRP_CHECKPAGES_FOR_TAMPERING_PATTERN \"\\x48\\x8B\\xC4\\x48\\x89\\x58\\x08\\x48\\x89\\x68\\x10\\x48\\x89\\x70\\x18\\x48\\x89\\x78\\x20\\x41\\x56\\x48\\x83\\xEC\\x30\\x48\\x8D\\xBA\\xFF\\x0F\\x00\\x00\"\ntypedef BOOLEAN(__fastcall* tLdrpCheckPagesForTampering)(PIMAGE_DATA_DIRECTORY pDataDir, ULONG64 Offset);\nextern tLdrpCheckPagesForTampering LdrpCheckPagesForTampering;\n\n#define LDRP_LOAD_DEPENDENTMODULEA_PATTERN \"\\x4C\\x8B\\xDC\\x55\\x53\\x49\\x8D\\xAB\\x48\\xFF\\xFF\\xFF\"\ntypedef NTSTATUS(__fastcall* tLdrpLoadDependentModuleA)(PUNICODE_STRING SourceString, LDRP_LOAD_CONTEXT* LoadContext, LDR_DATA_TABLE_ENTRY* LdrEntry, UINT_PTR Unknown, LDR_DATA_TABLE_ENTRY** pLdrEntry, UINT_PTR Unknown2);\nextern tLdrpLoadDependentModuleA LdrpLoadDependentModuleA;\n\n#define LDRP_LOAD_DEPENDENTMODULEW_PATTERN \"\\x48\\x89\\x5C\\x24\\x20\\x55\\x56\\x57\\x41\\x56\\x41\\x57\\x48\\x81\\xEC\\x50\\x01\\x00\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpLoadDependentModuleW)(PUNICODE_STRING SourceString, LDRP_LOAD_CONTEXT* LoadContext, LDR_DATA_TABLE_ENTRY* DllEntry);\nextern tLdrpLoadDependentModuleW LdrpLoadDependentModuleW;\n\n#define LDRP_QUEUE_WORK_PATTERN \"\\x40\\x53\\x48\\x83\\xEC\\x20\\x48\\x8B\\x41\\x28\\x48\\x8B\\xD9\"\ntypedef NTSTATUS(__fastcall* tLdrpQueueWork)(PLDRP_LOAD_CONTEXT LoadContext);\nextern tLdrpQueueWork LdrpQueueWork;\n\n#define LDRP_HANDLE_TLSDATA_PATTERN \"\\x48\\x89\\x5C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x48\\x89\\x7C\\x24\\x20\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x81\\xEC\\x00\\x01\\x00\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpHandleTlsData)(LDR_DATA_TABLE_ENTRY* LdrDataTableEntry);\nextern tLdrpHandleTlsData LdrpHandleTlsData;\n\n#define LDR_CONTROLFLOWGUARD_ENFEXP_PATTERN \"\\x33\\xC0\\x48\\x39\\x05\\x8F\\x7D\\x17\\x00\"\ntypedef BOOLEAN(__fastcall* tLdrControlFlowGuardEnforcedWithExportSuppression)();\nextern tLdrControlFlowGuardEnforcedWithExportSuppression LdrControlFlowGuardEnforcedWithExportSuppression;\n\n#define LDRP_UNSUPPRESS_ADDRESSIAT_PATTERN \"\\x48\\x89\\x5C\\x24\\x18\\x55\\x56\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x8B\\xEC\\x48\\x83\\xEC\\x70\\x48\\x8B\\x05\\x6E\\xC6\\x0B\\x00\"\ntypedef __int64(__fastcall* tLdrpUnsuppressAddressTakenIat)(PIMAGE_DOS_HEADER DllBase, ULONG Unknown, ULONG Unknown2);\nextern tLdrpUnsuppressAddressTakenIat LdrpUnsuppressAddressTakenIat;\n\n#define LDR_CONTROLFLOWGUARD_ENF_PATTERN \"\\x48\\x83\\x3D\\x90\\xD5\\x16\\x00\\x00\"\ntypedef BOOL(__fastcall* tLdrControlFlowGuardEnforced)();\nextern tLdrControlFlowGuardEnforced LdrControlFlowGuardEnforced;\n\n#define RTLP_LOOKUP_FUNCTIONTABLE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x18\\x48\\x89\\x7C\\x24\\x20\\x41\\x56\\x48\\x83\\xEC\\x20\\x33\\xDB\"\ntypedef PIMAGE_RUNTIME_FUNCTION_ENTRY(__fastcall* tRtlpxLookupFunctionTable)(PIMAGE_DOS_HEADER DllBase, PIMAGE_RUNTIME_FUNCTION_ENTRY* ppImageFunctionEntry);\nextern tRtlpxLookupFunctionTable RtlpxLookupFunctionTable;\n\n#define LDRP_CHECK_REDIRECTION_PATTERN \"\\x48\\x8B\\xC4\\x48\\x89\\x58\\x08\\x48\\x89\\x70\\x10\\x48\\x89\\x78\\x18\\x4C\\x89\\x68\\x20\\x55\\x41\\x56\\x41\\x57\\x48\\x8D\\x68\\xA1\"\ntypedef PCHAR(__fastcall* tLdrpCheckRedirection)(LDR_DATA_TABLE_ENTRY* DllEntry, LDR_DATA_TABLE_ENTRY* NtLdrEntry, PCHAR StringToBeHashed);\nextern tLdrpCheckRedirection LdrpCheckRedirection;\n\n#define COMPAT_CACHE_LOOKUPCDB_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x57\\x48\\x81\\xEC\\xB0\\x01\\x00\\x00\"\ntypedef BOOL(__fastcall* tCompatCachepLookupCdb)(PWCHAR Buffer, LONG Unknown);\nextern tCompatCachepLookupCdb CompatCachepLookupCdb;\n\n#define LDRP_GEN_RANDOM_PATTERN \"\\x48\\x83\\xEC\\x28\\xB9\\x1C\\x00\\x00\\x00\\xE8\\x0E\\x0B\\x00\\x00\"\ntypedef UINT_PTR(__fastcall* tLdrpGenRandom)();\nextern tLdrpGenRandom LdrpGenRandom;\n\n#define LDR_INIT_SECURITY_COOKIE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x48\\x89\\x7C\\x24\\x20\\x55\\x41\\x54\\x41\\x56\"\ntypedef BOOL(__fastcall* tLdrInitSecurityCookie)(PIMAGE_DOS_HEADER DllBase, INT_PTR ImageSize, UINT_PTR* Zero, UINT_PTR RandomNumberStuff, UINT_PTR* Zero_2);\nextern tLdrInitSecurityCookie LdrInitSecurityCookie;\n\n#define LDRP_CFG_PROCESS_LOADCFG_PATTERN \"\\x48\\x89\\x5C\\x24\\x20\\x55\\x56\\x57\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x48\\x8D\\x6C\\x24\\xD9\\x48\\x81\\xEC\\xF0\\x00\\x00\\x00\\x48\\x8B\\x05\\x99\\x11\\x17\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpCfgProcessLoadConfig)(LDR_DATA_TABLE_ENTRY* DllEntry, PIMAGE_NT_HEADERS NtHeader, __int64 Zero);\nextern tLdrpCfgProcessLoadConfig LdrpCfgProcessLoadConfig;\n\n#define RTL_INSERT_INV_FUNCTIONTABLE_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x57\\x48\\x83\\xEC\\x30\\x8B\\xDA\\x4C\\x8D\\x44\\x24\\x50\"\ntypedef NTSTATUS(__fastcall* tRtlInsertInvertedFunctionTable)(PIMAGE_DOS_HEADER DllBase, ULONG ImageSize);\nextern tRtlInsertInvertedFunctionTable RtlInsertInvertedFunctionTable;\n\n#define LDRP_SIGNAL_MODULEMAPPED_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x57\\x48\\x83\\xEC\\x20\\x48\\x8B\\x81\\x98\\x00\\x00\\x00\\x48\\x8B\\x78\\x30\"\ntypedef LDR_DDAG_NODE*(__fastcall* tLdrpSignalModuleMapped)(LDR_DATA_TABLE_ENTRY* DllEntry);\nextern tLdrpSignalModuleMapped LdrpSignalModuleMapped;\n\n#define AVRF_DLL_LOADNOTIFICATION_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x6C\\x24\\x10\\x48\\x89\\x74\\x24\\x18\\x57\\x48\\x83\\xEC\\x30\\x65\\x48\\x8B\\x04\\x25\\x60\\x00\\x00\\x00\"\ntypedef NTSTATUS(__fastcall* tAVrfDllLoadNotification)(LDR_DATA_TABLE_ENTRY* DllEntry);\nextern tAVrfDllLoadNotification AVrfDllLoadNotification;\n\n#define LDRP_SEND_DLLNOTIFICATIONS_PATTERN \"\\x4C\\x8B\\xDC\\x49\\x89\\x5B\\x08\\x49\\x89\\x73\\x10\\x57\\x48\\x83\\xEC\\x50\\x83\\x64\\x24\\x20\\x00\"\ntypedef NTSTATUS(__fastcall* tLdrpSendDllNotifications)(LDR_DATA_TABLE_ENTRY* DllEntry, UINT_PTR Unknown);\nextern tLdrpSendDllNotifications LdrpSendDllNotifications;\n\n#define LDRP_CALL_TLSINIT_PATTERN \"\\x48\\x89\\x5C\\x24\\x08\\x48\\x89\\x74\\x24\\x10\\x48\\x89\\x7C\\x24\\x20\\x41\\x56\\x48\\x83\\xEC\\x60\"\ntypedef NTSTATUS(__fastcall* tLdrpCallTlsInitializers)(ULONG One, LDR_DATA_TABLE_ENTRY* LdrEntry);\nextern tLdrpCallTlsInitializers LdrpCallTlsInitializers;" }, { "path": "Src/Functions/Syscalls.asm", "content": ".code\nZwSystemDebugControl proc\n \n\tmov r10, rcx\n\tmov eax, 1CDh\n\ttest byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall\n\tjnz short SYSCALL_DEFINED\n\tsyscall\n\tret\nSYSCALL_DEFINED:\n\tint 2Eh\n \nZwSystemDebugControl endp\n\nNtCreateSection proc\n\n\tmov r10, rcx\n\tmov eax, 4Ah\n\ttest byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall\n\tjnz short SYSCALL_DEFINED\n\tsyscall\n\tret\nSYSCALL_DEFINED:\n\tint 2Eh\n\nNtCreateSection endp\n\nZwMapViewOfSection proc\n\n\tmov r10, rcx\n\tmov eax, 28h\n\ttest byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall\n\tjnz short SYSCALL_DEFINED\n\tsyscall\n\tret\nSYSCALL_DEFINED:\n\tint 2Eh\n\nZwMapViewOfSection endp\n\nZwMapViewOfSectionEx proc\n\n\tmov r10, rcx\n\tmov eax, 11Ch\n\ttest byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall\n\tjnz short SYSCALL_DEFINED\n\tsyscall\n\tret\nSYSCALL_DEFINED:\n\tint 2Eh\n\nZwMapViewOfSectionEx endp\n\nNtUnmapViewOfSection proc\n\n\tmov r10, rcx\n\tmov eax, 2Ah\n\ttest byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall\n\tjnz short SYSCALL_DEFINED\n\tsyscall\n\tret\nSYSCALL_DEFINED:\n\tint 2Eh\n\nNtUnmapViewOfSection endp\n\nZwProtectVirtualMemory proc\n\n\tmov r10, rcx\n\tmov eax, 50h\n\ttest byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall\n\tjnz short SYSCALL_DEFINED\n\tsyscall\n\tret\nSYSCALL_DEFINED:\n\tint 2Eh\n\nZwProtectVirtualMemory endp\n\nZwQueryVirtualMemory proc\n\n\tmov r10, rcx\n\tmov eax, 23h\n\ttest byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall\n\tjnz short SYSCALL_DEFINED\n\tsyscall\n\tret\nSYSCALL_DEFINED:\n\tint 2Eh\n\nZwQueryVirtualMemory endp\n\nNtQueryInformationProcess proc\n\n\tmov r10, rcx\n\tmov eax, 19h\n\ttest byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall\n\tjnz short SYSCALL_DEFINED\n\tsyscall\n\tret\nSYSCALL_DEFINED:\n\tint 2Eh\n\nNtQueryInformationProcess endp\nend\n\n" }, { "path": "Src/Functions/Undocumented.h", "content": "#pragma once\n\n#include \"..\\Includes.h\"\n\ntypedef void* PPS_POST_PROCESS_INIT_ROUTINE;\n\ntypedef struct _LSA_UNICODE_STRING {\n USHORT Length;\n USHORT MaximumLength;\n PWSTR Buffer;\n} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING;\n\ntypedef struct _STRING {\n USHORT Length;\n USHORT MaximumLength;\n PCHAR Buffer;\n} STRING, * PSTRING, ANSI_STRING, * PANSI_STRING;\n\n#define DOS_MAX_COMPONENT_LENGTH 255\n#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5)\n\ntypedef struct _CURDIR\n{\n UNICODE_STRING DosPath;\n HANDLE Handle;\n} CURDIR, * PCURDIR;\n\n#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002\n#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003\n\ntypedef struct _RTL_DRIVE_LETTER_CURDIR\n{\n USHORT Flags;\n USHORT Length;\n ULONG TimeStamp;\n STRING DosPath;\n} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;\n\n#define RTL_MAX_DRIVE_LETTERS 32\n#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001\n\ntypedef struct _RTL_USER_PROCESS_PARAMETERS\n{\n ULONG MaximumLength;\n ULONG Length;\n \n ULONG Flags;\n ULONG DebugFlags;\n \n HANDLE ConsoleHandle;\n ULONG ConsoleFlags;\n HANDLE StandardInput;\n HANDLE StandardOutput;\n HANDLE StandardError;\n \n CURDIR CurrentDirectory;\n UNICODE_STRING DllPath;\n UNICODE_STRING ImagePathName;\n UNICODE_STRING CommandLine;\n PVOID Environment;\n \n ULONG StartingX;\n ULONG StartingY;\n ULONG CountX;\n ULONG CountY;\n ULONG CountCharsX;\n ULONG CountCharsY;\n ULONG FillAttribute;\n \n ULONG WindowFlags;\n ULONG ShowWindowFlags;\n UNICODE_STRING WindowTitle;\n UNICODE_STRING DesktopInfo;\n UNICODE_STRING ShellInfo;\n UNICODE_STRING RuntimeData;\n\n RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];\n ULONG EnvironmentSize;\n ULONG EnvironmentVersion;\n PVOID PackageDependencyData;\n ULONG ProcessGroupId;\n ULONG LoaderThreads;\n} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;\n\ntypedef struct _PEB_LDR_DATA {\n ULONG Length;\n BOOL Initialized;\n LPVOID SsHandle;\n LIST_ENTRY InLoadOrderModuleList;\n LIST_ENTRY InMemoryOrderModuleList;\n LIST_ENTRY InInitializationOrderModuleList;\n} PEB_LDR_DATA, * PPEB_LDR_DATA;\n\ntypedef BOOLEAN(NTAPI* PLDR_INIT_ROUTINE)(\n _In_ PVOID DllHandle,\n _In_ ULONG Reason,\n _In_opt_ PVOID Context\n );\n\ntypedef struct _RTL_BALANCED_NODE\n{\n union\n {\n struct _RTL_BALANCED_NODE* Children[2]; //0x0\n struct\n {\n struct _RTL_BALANCED_NODE* Left; //0x0\n struct _RTL_BALANCED_NODE* Right; //0x4\n };\n };\n union\n {\n struct\n {\n UCHAR Red : 1; //0x8\n UCHAR Balance : 2; //0x8\n };\n ULONG ParentValue; //0x8\n };\n} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;\n\n// symbols\ntypedef struct _LDR_SERVICE_TAG_RECORD\n{\n struct _LDR_SERVICE_TAG_RECORD* Next;\n ULONG ServiceTag;\n} LDR_SERVICE_TAG_RECORD, * PLDR_SERVICE_TAG_RECORD;\n\n// symbols\ntypedef struct _LDRP_CSLIST\n{\n PSINGLE_LIST_ENTRY Tail;\n} LDRP_CSLIST, * PLDRP_CSLIST;\n\n// symbols\ntypedef enum _LDR_DDAG_STATE\n{\n LdrModulesMerged = -5,\n LdrModulesInitError = -4,\n LdrModulesSnapError = -3,\n LdrModulesUnloaded = -2,\n LdrModulesUnloading = -1,\n LdrModulesPlaceHolder = 0,\n LdrModulesMapping = 1,\n LdrModulesMapped = 2,\n LdrModulesWaitingForDependencies = 3,\n LdrModulesSnapping = 4,\n LdrModulesSnapped = 5,\n LdrModulesCondensed = 6,\n LdrModulesReadyToInit = 7,\n LdrModulesInitializing = 8,\n LdrModulesReadyToRun = 9\n} LDR_DDAG_STATE;\n\n// symbols\ntypedef struct _LDR_DDAG_NODE\n{\n LIST_ENTRY Modules;\n PLDR_SERVICE_TAG_RECORD ServiceTagList;\n ULONG LoadCount;\n ULONG LoadWhileUnloadingCount;\n ULONG LowestLink;\n union\n {\n LDRP_CSLIST Dependencies;\n SINGLE_LIST_ENTRY* RemovalLink;\n };\n LDRP_CSLIST IncomingDependencies;\n LDR_DDAG_STATE State;\n SINGLE_LIST_ENTRY* CondenseLink;\n ULONG PreorderNumber;\n ULONG Pad;\n} LDR_DDAG_NODE, * PLDR_DDAG_NODE;\n\n// rev\n\n\n\ntypedef struct _LDR_DEPENDENCY_RECORD\n{\n SINGLE_LIST_ENTRY DependencyLink;\n PLDR_DDAG_NODE DependencyNode;\n SINGLE_LIST_ENTRY IncomingDependencyLink;\n PLDR_DDAG_NODE IncomingDependencyNode;\n} LDR_DEPENDENCY_RECORD, * PLDR_DEPENDENCY_RECORD;\n\n// symbols\ntypedef enum _LDR_DLL_LOAD_REASON\n{\n LoadReasonStaticDependency,\n LoadReasonStaticForwarderDependency,\n LoadReasonDynamicForwarderDependency,\n LoadReasonDelayloadDependency,\n LoadReasonDynamicLoad,\n LoadReasonAsImageLoad,\n LoadReasonAsDataLoad,\n LoadReasonEnclavePrimary, // since REDSTONE3\n LoadReasonEnclaveDependency,\n LoadReasonPatchImage, // since WIN11\n LoadReasonUnknown = -1\n} LDR_DLL_LOAD_REASON, * PLDR_DLL_LOAD_REASON;\n\ntypedef enum _LDR_HOT_PATCH_STATE\n{\n LdrHotPatchBaseImage,\n LdrHotPatchNotApplied,\n LdrHotPatchAppliedReverse,\n LdrHotPatchAppliedForward,\n LdrHotPatchFailedToPatch,\n LdrHotPatchStateMax,\n} LDR_HOT_PATCH_STATE, * PLDR_HOT_PATCH_STATE;\n\n// LDR_DATA_TABLE_ENTRY->Flags\n#define LDRP_PACKAGED_BINARY 0x00000001\n#define LDRP_MARKED_FOR_REMOVAL 0x00000002\n#define LDRP_IMAGE_DLL 0x00000004\n#define LDRP_LOAD_NOTIFICATIONS_SENT 0x00000008\n#define LDRP_TELEMETRY_ENTRY_PROCESSED 0x00000010\n#define LDRP_PROCESS_STATIC_IMPORT 0x00000020\n#define LDRP_IN_LEGACY_LISTS 0x00000040\n#define LDRP_IN_INDEXES 0x00000080\n#define LDRP_SHIM_DLL 0x00000100\n#define LDRP_IN_EXCEPTION_TABLE 0x00000200\n#define LDRP_LOAD_IN_PROGRESS 0x00001000\n#define LDRP_LOAD_CONFIG_PROCESSED 0x00002000\n#define LDRP_ENTRY_PROCESSED 0x00004000\n#define LDRP_PROTECT_DELAY_LOAD 0x00008000\n#define LDRP_DONT_CALL_FOR_THREADS 0x00040000\n#define LDRP_PROCESS_ATTACH_CALLED 0x00080000\n#define LDRP_PROCESS_ATTACH_FAILED 0x00100000\n#define LDRP_COR_DEFERRED_VALIDATE 0x00200000\n#define LDRP_COR_IMAGE 0x00400000\n#define LDRP_DONT_RELOCATE 0x00800000\n#define LDRP_COR_IL_ONLY 0x01000000\n#define LDRP_CHPE_IMAGE 0x02000000\n#define LDRP_CHPE_EMULATOR_IMAGE 0x04000000\n#define LDRP_REDIRECTED 0x10000000\n#define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000\n\n#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode)\n#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue)\n#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions)\n#define LDR_DATA_TABLE_ENTRY_SIZE_WIN10 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, SigningLevel)\n#define LDR_DATA_TABLE_ENTRY_SIZE_WIN11 sizeof(LDR_DATA_TABLE_ENTRY)\n\n// symbols\ntypedef struct _LDR_DATA_TABLE_ENTRY\n{\n LIST_ENTRY InLoadOrderLinks;\n LIST_ENTRY InMemoryOrderLinks;\n union\n {\n LIST_ENTRY InInitializationOrderLinks;\n LIST_ENTRY InProgressLinks;\n };\n PIMAGE_DOS_HEADER DllBase;\n PLDR_INIT_ROUTINE EntryPoint;\n ULONG SizeOfImage;\n UNICODE_STRING FullDllName;\n UNICODE_STRING BaseDllName;\n union\n {\n UCHAR FlagGroup[4];\n ULONG Flags;\n struct\n {\n ULONG PackagedBinary : 1;\n ULONG MarkedForRemoval : 1;\n ULONG ImageDll : 1;\n ULONG LoadNotificationsSent : 1;\n ULONG TelemetryEntryProcessed : 1;\n ULONG ProcessStaticImport : 1;\n ULONG InLegacyLists : 1;\n ULONG InIndexes : 1;\n ULONG ShimDll : 1;\n ULONG InExceptionTable : 1;\n ULONG ReservedFlags1 : 2;\n ULONG LoadInProgress : 1;\n ULONG LoadConfigProcessed : 1;\n ULONG EntryProcessed : 1;\n ULONG ProtectDelayLoad : 1;\n ULONG ReservedFlags3 : 2;\n ULONG DontCallForThreads : 1;\n ULONG ProcessAttachCalled : 1;\n ULONG ProcessAttachFailed : 1;\n ULONG CorDeferredValidate : 1;\n ULONG CorImage : 1;\n ULONG DontRelocate : 1;\n ULONG CorILOnly : 1;\n ULONG ChpeImage : 1;\n ULONG ChpeEmulatorImage : 1;\n ULONG ReservedFlags5 : 1;\n ULONG Redirected : 1;\n ULONG ReservedFlags6 : 2;\n ULONG CompatDatabaseProcessed : 1;\n };\n };\n USHORT ObsoleteLoadCount;\n USHORT TlsIndex;\n LIST_ENTRY HashLinks;\n ULONG TimeDateStamp;\n struct _ACTIVATION_CONTEXT* EntryPointActivationContext;\n PVOID Lock; // RtlAcquireSRWLockExclusive\n PLDR_DDAG_NODE DdagNode;\n LIST_ENTRY NodeModuleLink;\n struct _LDRP_LOAD_CONTEXT* LoadContext;\n PVOID ParentDllBase;\n PVOID SwitchBackContext;\n RTL_BALANCED_NODE BaseAddressIndexNode;\n RTL_BALANCED_NODE MappingInfoIndexNode;\n ULONG_PTR OriginalBase;\n LARGE_INTEGER LoadTime;\n ULONG BaseNameHashValue;\n LDR_DLL_LOAD_REASON LoadReason; // since WIN8\n ULONG ImplicitPathOptions;\n ULONG ReferenceCount; // since WIN10\n ULONG DependentLoadFlags;\n UCHAR SigningLevel; // since REDSTONE2\n ULONG CheckSum; // since 22H1\n PVOID ActivePatchImageBase;\n LDR_HOT_PATCH_STATE HotPatchState;\n} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;\n\n#define PROCESSOR_FEATURE_MAX 64\n\ntypedef struct _KSYSTEM_TIME\n{\n ULONG LowPart;\n LONG High1Time;\n LONG High2Time;\n} KSYSTEM_TIME, * PKSYSTEM_TIME;\n\ntypedef enum _NT_PRODUCT_TYPE\n{\n NtProductWinNt = 1,\n NtProductLanManNt = 2,\n NtProductServer = 3\n} NT_PRODUCT_TYPE;\n\ntypedef enum _ALTERNATIVE_ARCHITECTURE_TYPE\n{\n StandardDesign = 0,\n NEC98x86 = 1,\n EndAlternatives = 2\n} ALTERNATIVE_ARCHITECTURE_TYPE;\n\ntypedef struct _KUSER_SHARED_DATA {\n ULONG TickCountLowDeprecated;\n ULONG TickCountMultiplier;\n KSYSTEM_TIME InterruptTime;\n KSYSTEM_TIME SystemTime;\n KSYSTEM_TIME TimeZoneBias;\n USHORT ImageNumberLow;\n USHORT ImageNumberHigh;\n WCHAR NtSystemRoot[260];\n ULONG MaxStackTraceDepth;\n ULONG CryptoExponent;\n ULONG TimeZoneId;\n ULONG LargePageMinimum;\n ULONG AitSamplingValue;\n ULONG AppCompatFlag;\n ULONGLONG RNGSeedVersion;\n ULONG GlobalValidationRunlevel;\n LONG TimeZoneBiasStamp;\n ULONG NtBuildNumber;\n NT_PRODUCT_TYPE NtProductType;\n BOOLEAN ProductTypeIsValid;\n BOOLEAN Reserved0[1];\n USHORT NativeProcessorArchitecture;\n ULONG NtMajorVersion;\n ULONG NtMinorVersion;\n BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];\n ULONG Reserved1;\n ULONG Reserved3;\n ULONG TimeSlip;\n ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;\n ULONG BootId;\n LARGE_INTEGER SystemExpirationDate;\n ULONG SuiteMask;\n BOOLEAN KdDebuggerEnabled;\n union {\n UCHAR MitigationPolicies;\n struct {\n UCHAR NXSupportPolicy : 2;\n UCHAR SEHValidationPolicy : 2;\n UCHAR CurDirDevicesSkippedForDlls : 2;\n UCHAR Reserved : 2;\n };\n };\n USHORT CyclesPerYield;\n ULONG ActiveConsoleId;\n ULONG DismountCount;\n ULONG ComPlusPackage;\n ULONG LastSystemRITEventTickCount;\n ULONG NumberOfPhysicalPages;\n BOOLEAN SafeBootMode;\n union {\n UCHAR VirtualizationFlags;\n struct {\n UCHAR ArchStartedInEl2 : 1;\n UCHAR QcSlIsSupported : 1;\n };\n };\n UCHAR Reserved12[2];\n union {\n ULONG SharedDataFlags;\n struct {\n ULONG DbgErrorPortPresent : 1;\n ULONG DbgElevationEnabled : 1;\n ULONG DbgVirtEnabled : 1;\n ULONG DbgInstallerDetectEnabled : 1;\n ULONG DbgLkgEnabled : 1;\n ULONG DbgDynProcessorEnabled : 1;\n ULONG DbgConsoleBrokerEnabled : 1;\n ULONG DbgSecureBootEnabled : 1;\n ULONG DbgMultiSessionSku : 1;\n ULONG DbgMultiUsersInSessionSku : 1;\n ULONG DbgStateSeparationEnabled : 1;\n ULONG SpareBits : 21;\n } DUMMYSTRUCTNAME2;\n } DUMMYUNIONNAME2;\n ULONG DataFlagsPad[1];\n ULONGLONG TestRetInstruction;\n LONGLONG QpcFrequency;\n ULONG SystemCall;\n ULONG Reserved2;\n ULONGLONG SystemCallPad[2];\n union {\n KSYSTEM_TIME TickCount;\n ULONG64 TickCountQuad;\n struct {\n ULONG ReservedTickCountOverlay[3];\n ULONG TickCountPad[1];\n } DUMMYSTRUCTNAME;\n } DUMMYUNIONNAME3;\n ULONG Cookie;\n ULONG CookiePad[1];\n LONGLONG ConsoleSessionForegroundProcessId;\n ULONGLONG TimeUpdateLock;\n ULONGLONG BaselineSystemTimeQpc;\n ULONGLONG BaselineInterruptTimeQpc;\n ULONGLONG QpcSystemTimeIncrement;\n ULONGLONG QpcInterruptTimeIncrement;\n UCHAR QpcSystemTimeIncrementShift;\n UCHAR QpcInterruptTimeIncrementShift;\n USHORT UnparkedProcessorCount;\n ULONG EnclaveFeatureMask[4];\n ULONG TelemetryCoverageRound;\n USHORT UserModeGlobalLogger[16];\n ULONG ImageFileExecutionOptions;\n ULONG LangGenerationCount;\n ULONGLONG Reserved4;\n ULONGLONG InterruptTimeBias;\n ULONGLONG QpcBias;\n ULONG ActiveProcessorCount;\n UCHAR ActiveGroupCount;\n UCHAR Reserved9;\n union {\n USHORT QpcData;\n struct {\n UCHAR QpcBypassEnabled;\n UCHAR QpcShift;\n };\n };\n LARGE_INTEGER TimeZoneBiasEffectiveStart;\n LARGE_INTEGER TimeZoneBiasEffectiveEnd;\n XSTATE_CONFIGURATION XState;\n KSYSTEM_TIME FeatureConfigurationChangeStamp;\n ULONG Spare;\n ULONG64 UserPointerAuthMask;\n} KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;\n\nenum DRAIN_TASK\n{\n WaitLoadComplete = 0,\n WaitWorkComplete\n};\n\ntypedef struct _PEB {\n BYTE InheritedAddressSpace;\n BYTE ReadImageFileExecOptions;\n BYTE BeingDebugged;\n union {\n UCHAR BitField;\n struct {\n /* bit fields, follow link */\n };\n };\n\n LPVOID Mutant;\n LPVOID ImageBaseAddress;\n\n PPEB_LDR_DATA Ldr;\n PRTL_USER_PROCESS_PARAMETERS ProcessParameters;\n LPVOID SubSystemData;\n LPVOID ProcessHeap;\n LPVOID FastPebLock;\n LPVOID _SYSTEM_DEPENDENT_02;\n LPVOID _SYSTEM_DEPENDENT_03;\n LPVOID _SYSTEM_DEPENDENT_04;\n union {\n LPVOID KernelCallbackTable;\n LPVOID UserSharedInfoPtr;\n };\n DWORD SystemReserved;\n DWORD _SYSTEM_DEPENDENT_05;\n LPVOID _SYSTEM_DEPENDENT_06;\n LPVOID TlsExpansionCounter;\n LPVOID TlsBitmap;\n DWORD TlsBitmapBits[2];\n LPVOID ReadOnlySharedMemoryBase;\n KUSER_SHARED_DATA* SharedData;\n LPVOID ReadOnlyStaticServerData;\n LPVOID AnsiCodePageData;\n LPVOID OemCodePageData;\n LPVOID UnicodeCaseTableData;\n DWORD NumberOfProcessors;\n union\n {\n DWORD NtGlobalFlag;\n LPVOID dummy02;\n };\n LARGE_INTEGER CriticalSectionTimeout;\n LPVOID HeapSegmentReserve;\n LPVOID HeapSegmentCommit;\n LPVOID HeapDeCommitTotalFreeThreshold;\n LPVOID HeapDeCommitFreeBlockThreshold;\n DWORD NumberOfHeaps;\n DWORD MaximumNumberOfHeaps;\n LPVOID ProcessHeaps;\n LPVOID GdiSharedHandleTable;\n LPVOID ProcessStarterHelper;\n LPVOID GdiDCAttributeList;\n LPVOID LoaderLock;\n DWORD OSMajorVersion;\n DWORD OSMinorVersion;\n WORD OSBuildNumber;\n WORD OSCSDVersion;\n DWORD OSPlatformId;\n DWORD ImageSubsystem;\n DWORD ImageSubsystemMajorVersion;\n LPVOID ImageSubsystemMinorVersion;\n union\n {\n LPVOID ImageProcessAffinityMask;\n LPVOID ActiveProcessAffinityMask;\n };\n#ifdef _WIN64\n LPVOID GdiHandleBuffer[64];\n#else\n LPVOID GdiHandleBuffer[32];\n#endif \n LPVOID PostProcessInitRoutine;\n LPVOID TlsExpansionBitmap;\n DWORD TlsExpansionBitmapBits[32];\n LPVOID SessionId;\n ULARGE_INTEGER AppCompatFlags;\n ULARGE_INTEGER AppCompatFlagsUser;\n LPVOID pShimData;\n LPVOID AppCompatInfo;\n PUNICODE_STRING CSDVersion;\n LPVOID ActivationContextData;\n LPVOID ProcessAssemblyStorageMap;\n LPVOID SystemDefaultActivationContextData;\n LPVOID SystemAssemblyStorageMap;\n LPVOID MinimumStackCommit;\n\n //Appended for Windows Server 2003\n PVOID SparePointers[4];\n LIST_ENTRY FlsListHead;\n PVOID FlsBitmap;\n ULONG SpareUlongs[5];\n ULONG FlsHighIndex;\n\n //Appended for Windows Vista\n PVOID WerRegistrationData;\n PVOID WerShipAssertPtr;\n\n //Appended for Windows 7\n PVOID pUnused;\n PVOID pImageHeaderHash;\n union {\n ULONG TracingFlags;\n struct {\n /* bit fields, follow link */\n };\n };\n} PEB, * PPEB;\n\nstruct FUNCTION_TABLE_DATA\n{\n UINT_PTR TableAddress;\n PIMAGE_DOS_HEADER ImageBase;\n DWORD ImageSize;\n DWORD Size;\n};\n\ntypedef struct _OBJECT_ATTRIBUTES {\n ULONG Length;\n HANDLE RootDirectory;\n PUNICODE_STRING ObjectName;\n ULONG Attributes;\n PVOID SecurityDescriptor;\n PVOID SecurityQualityOfService;\n} OBJECT_ATTRIBUTES;\n\nenum HARDERROR_RESPONSE_OPTION\n{\n OptionAbortRetryIgnore = 0x0,\n OptionOk = 0x1,\n OptionOkCancel = 0x2,\n OptionRetryCancel = 0x3,\n OptionYesNo = 0x4,\n OptionYesNoCancel = 0x5,\n OptionShutdownSystem = 0x6,\n};\n\nenum HARDERROR_RESPONSE\n{\n ResponseReturnToCaller = 0x0,\n ResponseNotHandled = 0x1,\n ResponseAbort = 0x2,\n ResponseCancel = 0x3,\n ResponseIgnore = 0x4,\n ResponseNo = 0x5,\n ResponseOk = 0x6,\n ResponseRetry = 0x7,\n ResponseYes = 0x8,\n};\n\ntypedef struct _IO_STATUS_BLOCK {\n union {\n NTSTATUS Status;\n PVOID Pointer;\n };\n ULONG_PTR Information;\n} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;\n\ntypedef struct _CLIENT_ID {\n HANDLE UniqueProcess;\n HANDLE UniqueThread;\n} CLIENT_ID, * PCLIENT_ID;\n\ntypedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* PRTL_ACTIVATION_CONTEXT_STACK_FRAME;\ntypedef struct _ACTIVATION_CONTEXT* PACTIVATION_CONTEXT;\ntypedef struct _TEB_ACTIVE_FRAME* PTEB_ACTIVE_FRAME;\ntypedef struct _TEB_ACTIVE_FRAME_CONTEXT* PTEB_ACTIVE_FRAME_CONTEXT;\n\ntypedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {\n PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous;\n PACTIVATION_CONTEXT* ActivationContext;\n ULONG Flags;\n} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;\n\ntypedef struct _ACTIVATION_CONTEXT_STACK\n{\n PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;\n LIST_ENTRY FrameListCache;\n ULONG Flags;\n ULONG NextCookieSequenceNumber;\n ULONG StackId;\n} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;\n\ntypedef struct _RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC\n{\n SIZE_T Size;\n ULONG Format;\n RTL_ACTIVATION_CONTEXT_STACK_FRAME Frame;\n} RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC, * PRTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC;\n\ntypedef struct _RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED\n{\n SIZE_T Size;\n ULONG Format;\n RTL_ACTIVATION_CONTEXT_STACK_FRAME Frame;\n PVOID Extra1;\n PVOID Extra2;\n PVOID Extra3;\n PVOID Extra4;\n} RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED, * PRTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED;\n\n#define GDI_BATCH_BUFFER_SIZE 310\n\ntypedef struct _GDI_TEB_BATCH\n{\n ULONG Offset;\n ULONG_PTR HDC;\n ULONG Buffer[GDI_BATCH_BUFFER_SIZE];\n} GDI_TEB_BATCH, * PGDI_TEB_BATCH;\n\ntypedef struct _TEB_ACTIVE_FRAME_CONTEXT\n{\n ULONG Flags;\n PSTR FrameName;\n} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;\n\ntypedef struct _TEB_ACTIVE_FRAME\n{\n ULONG Flags;\n struct _TEB_ACTIVE_FRAME* Previous;\n PTEB_ACTIVE_FRAME_CONTEXT Context;\n} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;\n\n#if !defined(_MSC_VER)\ntypedef struct _PROCESSOR_NUMBER {\n USHORT Group;\n UCHAR Number;\n UCHAR Reserved;\n} PROCESSOR_NUMBER, * PPROCESSOR_NUMBER;\n#endif\n\ntypedef struct _TEB\n{\n NT_TIB NtTib;\n\n PVOID EnvironmentPointer;\n CLIENT_ID ClientId;\n PVOID ActiveRpcHandle;\n PVOID ThreadLocalStoragePointer;\n PPEB ProcessEnvironmentBlock;\n\n ULONG LastErrorValue;\n ULONG CountOfOwnedCriticalSections;\n PVOID CsrClientThread;\n PVOID Win32ThreadInfo;\n ULONG User32Reserved[26];\n ULONG UserReserved[5];\n PVOID WOW32Reserved;\n LCID CurrentLocale;\n ULONG FpSoftwareStatusRegister;\n PVOID SystemReserved1[54];\n NTSTATUS ExceptionCode;\n PVOID ActivationContextStackPointer;\n#ifdef _M_X64\n UCHAR SpareBytes[24];\n#else\n UCHAR SpareBytes[36];\n#endif\n ULONG TxFsContext;\n\n GDI_TEB_BATCH GdiTebBatch;\n CLIENT_ID RealClientId;\n HANDLE GdiCachedProcessHandle;\n ULONG GdiClientPID;\n ULONG GdiClientTID;\n PVOID GdiThreadLocalInfo;\n ULONG_PTR Win32ClientInfo[62];\n PVOID glDispatchTable[233];\n ULONG_PTR glReserved1[29];\n PVOID glReserved2;\n PVOID glSectionInfo;\n PVOID glSection;\n PVOID glTable;\n PVOID glCurrentRC;\n PVOID glContext;\n\n NTSTATUS LastStatusValue;\n UNICODE_STRING StaticUnicodeString;\n WCHAR StaticUnicodeBuffer[261];\n\n PVOID DeallocationStack;\n PVOID TlsSlots[64];\n LIST_ENTRY TlsLinks;\n\n PVOID Vdm;\n PVOID ReservedForNtRpc;\n PVOID DbgSsReserved[2];\n\n ULONG HardErrorMode;\n#ifdef _M_X64\n PVOID Instrumentation[11];\n#else\n PVOID Instrumentation[9];\n#endif\n GUID ActivityId;\n\n PVOID SubProcessTag;\n PVOID EtwLocalData;\n PVOID EtwTraceData;\n PVOID WinSockData;\n ULONG GdiBatchCount;\n\n union\n {\n PROCESSOR_NUMBER CurrentIdealProcessor;\n ULONG IdealProcessorValue;\n struct\n {\n UCHAR ReservedPad0;\n UCHAR ReservedPad1;\n UCHAR ReservedPad2;\n UCHAR IdealProcessor;\n };\n };\n\n ULONG GuaranteedStackBytes;\n PVOID ReservedForPerf;\n PVOID ReservedForOle;\n ULONG WaitingOnLoaderLock;\n PVOID SavedPriorityState;\n ULONG_PTR SoftPatchPtr1;\n PVOID ThreadPoolData;\n PVOID* TlsExpansionSlots;\n#ifdef _M_X64\n PVOID DeallocationBStore;\n PVOID BStoreLimit;\n#endif\n ULONG MuiGeneration;\n ULONG IsImpersonating;\n PVOID NlsCache;\n PVOID pShimData;\n ULONG HeapVirtualAffinity;\n HANDLE CurrentTransactionHandle;\n PTEB_ACTIVE_FRAME ActiveFrame;\n PVOID FlsData;\n\n PVOID PreferredLanguages;\n PVOID UserPrefLanguages;\n PVOID MergedPrefLanguages;\n ULONG MuiImpersonation;\n\n union\n {\n USHORT CrossTebFlags;\n USHORT SpareCrossTebBits : 16;\n };\n union\n {\n USHORT SameTebFlags;\n struct\n {\n USHORT SafeThunkCall : 1;\n USHORT InDebugPrint : 1;\n USHORT HasFiberData : 1;\n USHORT SkipThreadAttach : 1;\n USHORT WerInShipAssertCode : 1;\n USHORT RanProcessInit : 1;\n USHORT ClonedThread : 1;\n USHORT SuppressDebugMsg : 1;\n USHORT DisableUserStackWalk : 1;\n USHORT RtlExceptionAttached : 1;\n USHORT InitialThread : 1;\n USHORT SessionAware : 1;\n USHORT SpareSameTebBits : 4;\n };\n };\n\n PVOID TxnScopeEnterCallback;\n PVOID TxnScopeExitCallback;\n PVOID TxnScopeContext;\n ULONG LockCount;\n ULONG SpareUlong0;\n PVOID ResourceRetValue;\n PVOID ReservedForWdf;\n} TEB, * PTEB;\n\n\nstruct LDR_UNKSTRUCT\n{\n PWSTR pInitNameMaybe;\n __declspec(align(16)) PWSTR Buffer;\n int Flags;\n PWSTR pDllName;\n char Pad1[84];\n BOOLEAN IsInitedMaybe;\n char Pad2[3];\n};\n\nstruct LDR_UNKSTRUCT2\n{\n PUNICODE_STRING Name;\n UINT64 Status;\n};\n\nstruct LDR_UNKSTRUCT3\n{\n ULONG Flags;\n UNICODE_STRING String;\n};\n\ntypedef struct _LDRP_LOAD_CONTEXT\n{\n UNICODE_STRING BaseDllName;\n LDR_UNKSTRUCT* UnkStruct;\n HANDLE SectionHandle;\n DWORD Flags;\n NTSTATUS* pStatus;\n LDR_DATA_TABLE_ENTRY* Entry;\n _LIST_ENTRY WorkQueueListEntry;\n LDR_DATA_TABLE_ENTRY* ReplacedEntry;\n LDR_DATA_TABLE_ENTRY** pvImports;\n LDR_DATA_TABLE_ENTRY** IATCheck;\n PVOID pvIAT;\n ULONG SizeOfIAT;\n ULONG CurrentDll;\n PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor;\n ULONG ImageImportDescriptorLen;\n __declspec(align(8)) ULONG OriginalIATProtect;\n PVOID GuardCFCheckFunctionPointer;\n __int64 GuardFlags;\n __int64 DllNameLenCompare;\n __int64 UnknownFunc;\n SIZE_T Size;\n __int64 UnknownPtr;\n HANDLE FileHandle;\n PIMAGE_DOS_HEADER ImageBase;\n wchar_t BaseDllNameBuffer[260];\n} LDRP_LOAD_CONTEXT, *PLDRP_LOAD_CONTEXT;\n\nstruct LDRP_FILENAME_BUFFER\n{\n UNICODE_STRING pFileName{};\n wchar_t FileName[128]{};\n};\n\ntypedef struct _MEMORY_IMAGE_INFORMATION\n{\n PVOID ImageBase;\n SIZE_T SizeOfImage;\n union\n {\n ULONG ImageFlags;\n struct\n {\n ULONG ImagePartialMap : 1;\n ULONG ImageNotExecutable : 1;\n ULONG ImageSigningLevel : 4; // REDSTONE3\n ULONG Reserved : 26;\n };\n };\n} MEMORY_IMAGE_INFORMATION, * PMEMORY_IMAGE_INFORMATION;\n\ntypedef struct _TLS_ENTRY\n{\n LIST_ENTRY TlsEntry;\n IMAGE_TLS_DIRECTORY TlsDirectory;\n PLDR_DATA_TABLE_ENTRY ModuleEntry;\n SIZE_T Index;\n} TLS_ENTRY, *PTLS_ENTRY;\n\nenum SECTION_INHERIT\n{\n ViewShare = 1,\n ViewUnmap = 2\n};\n\n/*\nstruct MEM_EXTENDED_PARAMETER\n{\n PVOID Type;\n PHANDLE pHandle;\n HANDLE Handle;\n};\n*/\n\ntypedef struct _MEMORY_WORKING_SET_EX_BLOCK\n{\n union\n {\n struct\n {\n ULONG_PTR Valid : 1;\n ULONG_PTR ShareCount : 3;\n ULONG_PTR Win32Protection : 11;\n ULONG_PTR Shared : 1;\n ULONG_PTR Node : 6;\n ULONG_PTR Locked : 1;\n ULONG_PTR LargePage : 1;\n ULONG_PTR Priority : 3;\n ULONG_PTR Reserved : 3;\n ULONG_PTR SharedOriginal : 1;\n ULONG_PTR Bad : 1;\n ULONG_PTR Win32GraphicsProtection : 4; // 19H1\n#ifdef _WIN64\n ULONG_PTR ReservedUlong : 28;\n#endif\n };\n struct\n {\n ULONG_PTR Valid : 1;\n ULONG_PTR Reserved0 : 14;\n ULONG_PTR Shared : 1;\n ULONG_PTR Reserved1 : 5;\n ULONG_PTR PageTable : 1;\n ULONG_PTR Location : 2;\n ULONG_PTR Priority : 3;\n ULONG_PTR ModifiedList : 1;\n ULONG_PTR Reserved2 : 2;\n ULONG_PTR SharedOriginal : 1;\n ULONG_PTR Bad : 1;\n#ifdef _WIN64\n ULONG_PTR ReservedUlong : 32;\n#endif\n } Invalid;\n };\n} MEMORY_WORKING_SET_EX_BLOCK, * PMEMORY_WORKING_SET_EX_BLOCK;\n\n// private\ntypedef struct _MEMORY_WORKING_SET_EX_INFORMATION\n{\n PVOID VirtualAddress;\n union\n {\n MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes;\n ULONG_PTR Long;\n } u1;\n} MEMORY_WORKING_SET_EX_INFORMATION, * PMEMORY_WORKING_SET_EX_INFORMATION;\n\ntypedef enum _MEMORY_INFORMATION_CLASS\n{\n MemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION\n MemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION\n MemoryMappedFilenameInformation, // q: UNICODE_STRING\n MemoryRegionInformation, // q: MEMORY_REGION_INFORMATION\n MemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA\n MemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8\n MemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION\n MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION\n MemoryPrivilegedBasicInformation, // MEMORY_BASIC_INFORMATION\n MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3\n MemoryBasicInformationCapped, // 10\n MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1\n MemoryBadInformation, // since WIN11\n MemoryBadInformationAllProcesses, // since 22H1\n MaxMemoryInfoClass\n} MEMORY_INFORMATION_CLASS;\n\ntypedef enum _PROCESSINFOCLASS\n{\n ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION\n ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX\n ProcessIoCounters, // q: IO_COUNTERS\n ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2\n ProcessTimes, // q: KERNEL_USER_TIMES\n ProcessBasePriority, // s: KPRIORITY\n ProcessRaisePriority, // s: ULONG\n ProcessDebugPort, // q: HANDLE\n ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege)\n ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN\n ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10\n ProcessLdtSize, // s: PROCESS_LDT_SIZE\n ProcessDefaultHardErrorMode, // qs: ULONG\n ProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION\n ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS\n ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void\n ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege)\n ProcessEnableAlignmentFaultFixup, // s: BOOLEAN\n ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS\n ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed)\n ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20\n ProcessAffinityMask, // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY\n ProcessPriorityBoost, // qs: ULONG\n ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX\n ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION\n ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND\n ProcessWow64Information, // q: ULONG_PTR\n ProcessImageFileName, // q: UNICODE_STRING\n ProcessLUIDDeviceMapsEnabled, // q: ULONG\n ProcessBreakOnTermination, // qs: ULONG\n ProcessDebugObjectHandle, // q: HANDLE // 30\n ProcessDebugFlags, // qs: ULONG\n ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables\n ProcessIoPriority, // qs: IO_PRIORITY_HINT\n ProcessExecuteFlags, // qs: ULONG\n ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement\n ProcessCookie, // q: ULONG\n ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION\n ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA\n ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION\n ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40\n ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX\n ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]\n ProcessImageFileNameWin32, // q: UNICODE_STRING\n ProcessImageFileMapping, // q: HANDLE (input)\n ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE\n ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE\n ProcessGroupInformation, // q: USHORT[]\n ProcessTokenVirtualizationEnabled, // s: ULONG\n ProcessConsoleHostProcess, // qs: ULONG_PTR // ProcessOwnerInformation\n ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50\n ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8\n ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION\n ProcessDynamicFunctionTableInformation,\n ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables\n ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION\n ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION\n ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL (requires SeDebugPrivilege)\n ProcessHandleTable, // q: ULONG[] // since WINBLUE\n ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG)\n ProcessCommandLineInformation, // q: UNICODE_STRING // 60\n ProcessProtectionInformation, // q: PS_PROTECTION\n ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD\n ProcessFaultInformation, // PROCESS_FAULT_INFORMATION\n ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION\n ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION\n ProcessDefaultCpuSetsInformation, // SYSTEM_CPU_SET_INFORMATION[5]\n ProcessAllowedCpuSetsInformation, // SYSTEM_CPU_SET_INFORMATION[5]\n ProcessSubsystemProcess,\n ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO\n ProcessInPrivate, // s: void // ETW // since THRESHOLD2 // 70\n ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables\n ProcessIumChallengeResponse,\n ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION\n ProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege)\n ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2\n ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES\n ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE\n ProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY\n ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER\n ProcessDisableSystemAllowedCpuSets, // 80\n ProcessWakeInformation, // PROCESS_WAKE_INFORMATION\n ProcessEnergyTrackingState, // qs: PROCESS_ENERGY_TRACKING_STATE\n ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3\n ProcessCaptureTrustletLiveDump,\n ProcessTelemetryCoverage,\n ProcessEnclaveInformation,\n ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION\n ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION\n ProcessImageSection, // q: HANDLE\n ProcessDebugAuthInformation, // since REDSTONE4 // 90\n ProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT\n ProcessSequenceNumber, // q: ULONGLONG\n ProcessLoaderDetour, // since REDSTONE5\n ProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION\n ProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION\n ProcessEnableLogging, // PROCESS_LOGGING_INFORMATION\n ProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION\n ProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1\n ProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION\n ProcessAltSystemCallInformation, // since 20H1 // 100\n ProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION\n ProcessDynamicEnforcedCetCompatibleRanges, // PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2\n ProcessCreateStateChange, // since WIN11\n ProcessApplyStateChange,\n ProcessEnableOptionalXStateFeatures,\n ProcessAltPrefetchParam, // since 22H1\n ProcessAssignCpuPartitions,\n ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX\n ProcessMembershipInformation, // PROCESS_MEMBERSHIP_INFORMATION\n ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT\n ProcessEffectivePagePriority, // q: ULONG\n MaxProcessInfoClass\n} PROCESSINFOCLASS;\n\ntypedef struct _file_info\n{\n ULONG type;\n char info;\n} file_info;\n\ntypedef struct _ASSEMBLY_STORAGE_MAP\n{\n ULONG Flags;\n ULONG AssemblyCount;\n PVOID AssemblyArray;\n} ASSEMBLY_STORAGE_MAP;\n\ntypedef struct _ASSEMBLY_STORAGE_MAP_ENTRY\n{\n ULONG Flags;\n UNICODE_STRING DosPath;\n HANDLE Handle;\n} ASSEMBLY_STORAGE_MAP_ENTRY;\n\ntypedef struct _ACTIVATION_CONTEXT\n{\n LONG RefCount;\n ULONG Flags;\n LIST_ENTRY Links;\n PVOID ActivationContextData;\n PVOID NotificationRoutine;\n PVOID NotificationContext;\n ULONG SentNotifications[8];\n ULONG DisabledNotifications[8];\n ASSEMBLY_STORAGE_MAP* StorageMap;\n ASSEMBLY_STORAGE_MAP_ENTRY* InlineStorageMapEntires;\n ULONG StackTraceIndex;\n PVOID StackTraces[4][4];\n file_info config;\n file_info appdir;\n char pad[256];\n} ACTIVATION_CONTEXT;\n\n#define SEC_NO_FLAGS 0x000\n\n/* Tells the OS to allocate space for this section when loading.\nThis is clear for a section containing debug information\nonly. */\n#define SEC_ALLOC 0x001\n\n/* Tells the OS to load the section from the file when loading.\nThis is clear for a .bss section. */\n#define SEC_LOAD 0x002\n\n/* The section contains data still to be relocated, so there is\nsome relocation information too. */\n#define SEC_RELOC 0x004\n\n#if 0 /* Obsolete ? */\n#define SEC_BALIGN 0x008\n#endif\n\n/* A signal to the OS that the section contains read only\ndata. */\n#define SEC_READONLY 0x010\n\n/* The section contains code only. */\n#define SEC_CODE 0x020\n\n/* The section contains data only. */\n#define SEC_DATA 0x040\n\n/* The section will reside in ROM. */\n#define SEC_ROM 0x080\n\n/* The section contains constructor information. This section\ntype is used by the linker to create lists of constructors and\ndestructors used by g++. When a back end sees a symbol\nwhich should be used in a constructor list, it creates a new\nsection for the type of name (e.g., __CTOR_LIST__), attaches\nthe symbol to it, and builds a relocation. To build the lists\nof constructors, all the linker has to do is catenate all the\nsections called __CTOR_LIST__ and relocate the data\ncontained within - exactly the operations it would peform on\nstandard data. */\n#define SEC_CONSTRUCTOR 0x100\n\n/* The section is a constuctor, and should be placed at the\nend of the text, data, or bss section(?). */\n#define SEC_CONSTRUCTOR_TEXT 0x1100\n#define SEC_CONSTRUCTOR_DATA 0x2100\n#define SEC_CONSTRUCTOR_BSS 0x3100\n\n/* The section has contents - a data section could be\nSEC_ALLOC | SEC_HAS_CONTENTS; a debug section could be\nSEC_HAS_CONTENTS */\n#define SEC_HAS_CONTENTS 0x200\n\n/* An instruction to the linker to not output the section\neven if it has information which would normally be written. */\n#define SEC_NEVER_LOAD 0x400\n\n/* The section is a COFF shared library section. This flag is\nonly for the linker. If this type of section appears in\nthe input file, the linker must copy it to the output file\nwithout changing the vma or size. FIXME: Although this\nwas originally intended to be general, it really is COFF\nspecific (and the flag was renamed to indicate this). It\nmight be cleaner to have some more general mechanism to\nallow the back end to control what the linker does with\nsections. */\n#define SEC_COFF_SHARED_LIBRARY 0x800\n\n/* The section contains common symbols (symbols may be defined\nmultiple times, the value of a symbol is the amount of\nspace it requires, and the largest symbol value is the one\nused). Most targets have exactly one of these (which we\ntranslate to bfd_com_section_ptr), but ECOFF has two. */\n#define SEC_IS_COMMON 0x8000\n\n/* The section contains only debugging information. For\nexample, this is set for ELF .debug and .stab sections.\nstrip tests this flag to see if a section can be\ndiscarded. */\n#define SEC_DEBUGGING 0x10000\n\n/* The contents of this section are held in memory pointed to\nby the contents field. This is checked by\nbfd_get_section_contents, and the data is retrieved from\nmemory if appropriate. */\n#define SEC_IN_MEMORY 0x20000\n\n/* The contents of this section are to be excluded by the\nlinker for executable and shared objects unless those\nobjects are to be further relocated. */\n#define SEC_EXCLUDE 0x40000\n\n/* The contents of this section are to be sorted by the\nbased on the address specified in the associated symbol\ntable. */\n#define SEC_SORT_ENTRIES 0x80000\n\n/* When linking, duplicate sections of the same name should be\ndiscarded, rather than being combined into a single section as\nis usually done. This is similar to how common symbols are\nhandled. See SEC_LINK_DUPLICATES below. */\n#define SEC_LINK_ONCE 0x100000\n\n/* If SEC_LINK_ONCE is set, this bitfield describes how the linker\nshould handle duplicate sections. */\n#define SEC_LINK_DUPLICATES 0x600000\n\n/* This value for SEC_LINK_DUPLICATES means that duplicate\nsections with the same name should simply be discarded. */\n#define SEC_LINK_DUPLICATES_DISCARD 0x0\n\n/* This value for SEC_LINK_DUPLICATES means that the linker\nshould warn if there are any duplicate sections, although\nit should still only link one copy. */\n#define SEC_LINK_DUPLICATES_ONE_ONLY 0x200000\n\n/* This value for SEC_LINK_DUPLICATES means that the linker\nshould warn if any duplicate sections are a different size. */\n#define SEC_LINK_DUPLICATES_SAME_SIZE 0x400000\n\n/* This value for SEC_LINK_DUPLICATES means that the linker\nshould warn if any duplicate sections contain different\ncontents. */\n#define SEC_LINK_DUPLICATES_SAME_CONTENTS 0x600000\n\n/* This section was created by the linker as part of dynamic\nrelocation or other arcane processing. It is skipped when\ngoing through the first-pass output, trusting that someone\nelse up the line will take care of it later. */\n#define SEC_LINKER_CREATED 0x800000" }, { "path": "Src/Includes.h", "content": "#pragma once\n\n#include \n#include \n#include \n#include " }, { "path": "Src/Loader/Loader.cpp", "content": "#include \"Loader.h\"\n\nusing namespace WID::Loader;\nLOADLIBRARY::LOADLIBRARY(TCHAR* DllPath, DWORD Flags, LOADTYPE LoadType)\n{\n\tassert(DllPath);\n\tassert(GetFileAttributes(DllPath) != INVALID_FILE_ATTRIBUTES);\n\n\tif (!bInitialized)\n\t\tInit();\n\n\tmemcpy(CreationInfo.DllPath, DllPath, MAX_PATH * sizeof(TCHAR));\n\tCreationInfo.Flags = Flags;\n\tCreationInfo.LoadType = LoadType;\n\n\tDllHandle = NULL;\n\n\tNTSTATUS Status = STATUS_SUCCESS;\n\tif (Status = Load(), NT_SUCCESS(Status))\n\t{\n\t\tWID_DBG(TEXT(\"[WID] >> (Path: %s), (Flags: %lu) load successful.\\n\"), DllPath, Flags);\n\t\tWID_DBG(TEXT(\"[WID] >> Base address: %p.\\n\"), DllHandle);\n\t}\n\telse\n\t{\n\t\tWID_DBG(TEXT(\"[WID] >> (Path: %s), (Flags: %lu) load failed, err: 0x%X.\\n\"), DllPath, Flags, Status);\n\t}\n}\n\nLOADLIBRARY::~LOADLIBRARY()\n{\n\tNTSTATUS Status = STATUS_SUCCESS;\n\tif (Status = Unload(), NT_SUCCESS(Status))\n\t{\n\t\tWID_DBG(TEXT(\"[WID] >> (Path: %s), (Flags: %lu) unload successful.\\n\"), CreationInfo.DllPath, CreationInfo.Flags);\n\t}\n\telse\n\t{\n\t\tWID_DBG(TEXT(\"[WID] >> (Path: %s), (Flags: %lu) unload failed, err: 0x%X.\\n\"), CreationInfo.DllPath, CreationInfo.Flags, Status);\n\t}\n}\n\n\nNTSTATUS LOADLIBRARY::Load()\n{\n\tif (!CreationInfo.DllPath)\n\t\treturn STATUS_INVALID_PARAMETER;\n\n\tswitch (CreationInfo.LoadType)\n\t{\n\tcase LOADTYPE::DEFAULT:\n\t//case LOADTYPE::HIDDEN:\n\t\tDllHandle = fLoadLibrary(CreationInfo.DllPath);\n\t\tif (!DllHandle || DllHandle == INVALID_HANDLE_VALUE)\n\t\t\tbreak;\n\t\treturn STATUS_SUCCESS;\n\tcase LOADTYPE::HIDDEN:\n\t\tWID_DBG(TEXT(\"[WID] >> Hidden loading isn't available currently.\\n\"));\n\tdefault:\n\t\treturn STATUS_INVALID_PARAMETER;\n\t}\n\n\treturn STATUS_UNSUCCESSFUL;\n}\n\n\n\nHMODULE __fastcall LOADLIBRARY::fLoadLibrary(PTCHAR lpLibFileName) // CHECKED.\n{\n#ifndef _UNICODE\n\treturn fLoadLibraryA(lpLibFileName);\n#else\n\treturn fLoadLibraryW(lpLibFileName);\n#endif\n}\n\nHMODULE __fastcall LOADLIBRARY::fLoadLibraryA(LPCSTR lpLibFileName) // CHECKED.\n{\n\t// If no path was given.\n\tif (!lpLibFileName)\n\t\t//return LoadLibraryExA(lpLibFileName, 0, 0);\n\t\treturn NULL;\n\n\t// If path isn't 'twain_32.dll'\n\t// This is where our LoadLibrary calls mostly end up.\n\tif (_stricmp(lpLibFileName, \"twain_32.dll\"))\n\t\treturn fLoadLibraryExA(lpLibFileName, 0, 0);\n\n\t// If path is 'twain_32.dll'\n\t// Windows probably uses this to make itself a shortcut, while we are using it the code won't reach here.\n\tPCHAR Heap = (PCHAR)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, *KernelBaseGlobalData, MAX_PATH);\n\tif (!Heap)\n\t\treturn fLoadLibraryExA(lpLibFileName, 0, 0);\n\n\tHMODULE Module;\n\t// Heap receives the Windows path (def: C:\\Windows)\n\n\t// The BufferSize check made against GetWindowsDirectoryA is to see if it actually received. If it's bigger than BufferSize \n\t// then GetWindowsDirectoryA returned the size needed (in summary it fails)\n\n\t// If this check doesn't fail '\\twain_32.dll' is appended to the Windows path (def: C:\\Windows\\twain_32.dll)\n\t// Then this final module is loaded into the program.\n\t// If it can't load, it tries to load it directly and returns from there.\n\tif (GetWindowsDirectoryA(Heap, 0xF7) - 1 > 0xF5 ||\n\t\t(strncat_s(Heap, MAX_PATH, \"\\\\twain_32.dll\", strlen(\"\\\\twain_32.dll\")), (Module = fLoadLibraryA(Heap)) == 0))\n\t{\n\t\tRtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);\n\t\treturn fLoadLibraryExA(lpLibFileName, 0, 0);\n\t}\n\n\tRtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap);\n\treturn Module;\n}\n\nHMODULE __fastcall LOADLIBRARY::fLoadLibraryW(LPCWSTR lpLibFileName) // CHECKED.\n{\n\treturn fLoadLibraryExW(lpLibFileName, 0, 0);\n}\n\nHMODULE __fastcall LOADLIBRARY::fLoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags) // CHECKED.\n{\t\n\tUNICODE_STRING Unicode;\n\tif (!Basep8BitStringToDynamicUnicodeString(&Unicode, lpLibFileName))\n\t\treturn NULL;\n\n\tHMODULE Module = fLoadLibraryExW(Unicode.Buffer, hFile, dwFlags);\n\tRtlFreeUnicodeString(&Unicode);\n\treturn Module;\n}\n\nHMODULE __fastcall LOADLIBRARY::fLoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags) // CHECKED.\n{\n\tNTSTATUS Status;\n\n\tDWORD ConvertedFlags;\n\tHMODULE BaseOfLoadedDll;\n\n\tDWORD DatafileFlags = dwFlags & LLEXW_ASDATAFILE;\n\t// If no DllName was given OR hFile was given (msdn states that hFile must be 0) OR dwFlags is set to an unknown value OR *both* the Datafile flags are set (they cannot be used together).\n\tif (!lpLibFileName || hFile || ((dwFlags & 0xFFFF0000) != 0) || (DatafileFlags == LLEXW_ASDATAFILE))\n\t{\n\t\tBaseSetLastNTError(STATUS_INVALID_PARAMETER);\n\t\treturn NULL;\n\t}\n\n\tUNICODE_STRING DllName;\n\tStatus = RtlInitUnicodeStringEx(&DllName, lpLibFileName);\n\tif (!NT_SUCCESS(Status))\n\t{\n\t\tBaseSetLastNTError(Status);\n\t\treturn NULL;\n\t}\n\n\tUSHORT DllNameLen = DllName.Length;\n\tif (!DllName.Length)\n\t{\n\t\tBaseSetLastNTError(STATUS_INVALID_PARAMETER);\n\t\treturn NULL;\n\t}\n\n\t// If the DllName given had empty (space) chars as their last chars, this do-while loop excludes them and sets the excluded length.\n\tdo\n\t{\n\t\tDWORD WchAmount = DllNameLen / 2;\n\t\tif (DllName.Buffer[WchAmount - 1] != ' ' /* 0x20 is space char */)\n\t\t\tbreak;\n\n\t\tDllNameLen -= 2;\n\t\tDllName.Length = DllNameLen;\n\t} while (DllNameLen != 2);\n\n\t// In case the above do-while loop misbehaves.\n\tif (DllNameLen == 0)\n\t{\n\t\tBaseSetLastNTError(STATUS_INVALID_PARAMETER);\n\t\treturn NULL;\n\t}\n\n\tBaseOfLoadedDll = 0;\n\n\t// If the dll is not getting loaded as a datafile.\n\tif ((dwFlags & LLEXW_ISDATAFILE) == 0)\n\t{\n\t\t// Converts the actual flags into it's own flag format. Most flags are discarded (only used if loaded as datafile).\n\t\t// Only flags that can go through are DONT_RESOLVE_DLL_REFERENCES, LOAD_PACKAGED_LIBRARY, LOAD_LIBRARY_REQUIRE_SIGNED_TARGET and LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY\n\t\tConvertedFlags = 0;\n\t\tif ((dwFlags & DONT_RESOLVE_DLL_REFERENCES) != 0)\n\t\t\tConvertedFlags |= CNVTD_DONT_RESOLVE_DLL_REFERENCES;\n\n\t\tif ((dwFlags & LOAD_PACKAGED_LIBRARY) != 0)\n\t\t\tConvertedFlags |= LOAD_PACKAGED_LIBRARY;\n\n\t\tif ((dwFlags & LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) != 0)\n\t\t\tConvertedFlags |= CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET;\n\n\t\tif ((dwFlags & LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY) != 0)\n\t\t\tConvertedFlags |= CNVTD_LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY;\n\n\t\t// Evaluates dwFlags to get meaningful flags, includes DONT_RESOLVE_DLL_REFERENCES finally.\n\t\t// But it doesn't matter because the first param LdrLoadDll takes actually a (PWCHAR PathToFile), so I have no idea why that's done.\n\t\tStatus = fLdrLoadDll((PWCHAR)((dwFlags & LLEXW_7F08) | 1), &ConvertedFlags, &DllName, (PVOID*)&BaseOfLoadedDll);\n\t\tif (NT_SUCCESS(Status))\n\t\t\treturn BaseOfLoadedDll;\n\n\t\tBaseSetLastNTError(Status);\n\t\treturn NULL;\n\t}\n\n\tPWSTR Path;\n\tPWSTR Unknown;\n\t// Gets the Dll path.\n\tStatus = LdrGetDllPath(DllName.Buffer, (dwFlags & LLEXW_7F08), &Path, &Unknown);\n\tif (!NT_SUCCESS(Status))\n\t{\n\t\tBaseSetLastNTError(Status);\n\t\treturn NULL;\n\t}\n\n\t// First step into loading a module as datafile.\n\tStatus = fBasepLoadLibraryAsDataFileInternal(&DllName, Path, Unknown, dwFlags, &BaseOfLoadedDll);\n\t// If the Status is only success (excludes warnings) AND if the module is image resource, loads again. I don't know why.\n\tif (NT_SUCCESS(Status + 0x80000000) && Status != STATUS_NO_SUCH_FILE && (dwFlags & LOAD_LIBRARY_AS_IMAGE_RESOURCE))\n\t{\n\t\tif (DatafileFlags)\n\t\t\tStatus = fBasepLoadLibraryAsDataFileInternal(&DllName, Path, Unknown, DatafileFlags, &BaseOfLoadedDll);\n\t}\n\n\tRtlReleasePath(Path);\n\tBaseSetLastNTError(Status);\n\treturn NULL;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrLoadDll(PWSTR DllPath, PULONG pFlags, PUNICODE_STRING DllName, PVOID* BaseAddress) // CHECKED.\n{\n\tNTSTATUS Status;\n\n\t// DllPath can also be used as Flags if called from LoadLibraryExW\n\n\tUINT_PTR FlagUsed = 0;\n\tif (pFlags)\n\t{\n\t\t// Only flags that could go through *LoadLibraryExW* were;\n\t\t// CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2)\n\t\t// LOAD_PACKAGED_LIBRARY (0x4)\n\t\t// CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x800000)\n\t\t// CNVTD_LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY (0x80000000)\n\t\t// So I am assuming the rest of the flags are 0.\n\n\t\tUINT_PTR ActualFlags = *pFlags;\n\t\t// If LOAD_PACKAGED_LIBRARY (0x4) flag is set (1) FlagUsed becomes CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2), if not set (0) FlagUsed becomes 0.\n\t\tFlagUsed = CNVTD_DONT_RESOLVE_DLL_REFERENCES * (ActualFlags & LOAD_PACKAGED_LIBRARY);\n\n\t\t// (MSDN about DONT_RESOLVE_DLL_REFERENCES) Note Do not use this value; it is provided only for backward compatibility.\n\t\t// If you are planning to access only data or resources in the DLL, use LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE\n\t\t// or LOAD_LIBRARY_AS_IMAGE_RESOURCE or both. Otherwise, load the library as a DLL or executable module using the LoadLibrary function.\n\t\tFlagUsed |= ((ActualFlags & CNVTD_DONT_RESOLVE_DLL_REFERENCES)\t\t\t? LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE : NULL);\n\t\tFlagUsed |= ((ActualFlags & CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET)\t? LOAD_LIBRARY_REQUIRE_SIGNED_TARGET : NULL);\n\n\t\t// Ignored because ActualFlags can't have 0x1000 (if called from LoadLibraryExW), this value is used probably in calls from different functions.\n\t\tFlagUsed |= ((ActualFlags & 0x1000) ? 0x100 : 0x0);\n\t\t// Ignored because ActualFlags can't be negative (if called from LoadLibraryExW), this value is used probably in calls from different functions.\n\t\tFlagUsed |= ((ActualFlags < 0) ? 0x400000 : 0x0);\n\n\t\t// To sum up, in case we are called from LoadLibraryExW, the most flags we can have are;\n\t\t// CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80)\n\t}\n\n\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x244, \"LdrLoadDll\", 3u, \"DLL name: %wZ\\n\", DllName); )\n\n\tif ((*LdrpPolicyBits & 4) == 0 && ((USHORT)DllPath & LLDLL_401) == LLDLL_401)\n\t\treturn STATUS_INVALID_PARAMETER;\n\n\t// In here it will go in by the first condition, because 8 couldn't be set by LoadLibraryExW.\n\tif ((FlagUsed & LOAD_WITH_ALTERED_SEARCH_PATH) == 0 || (*LdrpPolicyBits & 8) != 0)\n\t{\n\t\t// If the current thread is a Worker Thread it fails.\n\t\tif (NtCurrentTeb()->SameTebFlags & LoaderWorker)\n\t\t{\n\t\t\tStatus = STATUS_INVALID_THREAD;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tLDR_UNKSTRUCT DllPathInited;\n\t\t\t// There's another LdrpLogInternal inside this function, gonna mess with that later on.\n\t\t\tLdrpInitializeDllPath(DllName->Buffer, DllPath, &DllPathInited);\n\n\t\t\tLDR_DATA_TABLE_ENTRY* DllEntry;\n\t\t\tStatus = fLdrpLoadDll(DllName, &DllPathInited, FlagUsed, &DllEntry);\n\t\t\tif (DllPathInited.IsInitedMaybe)\n\t\t\t\tRtlReleasePath(DllPathInited.pInitNameMaybe);\n\n\t\t\tif (NT_SUCCESS(Status))\n\t\t\t{\n\t\t\t\t// Changes the actual return value and dereferences the module.\n\t\t\t\t*BaseAddress = DllEntry->DllBase;\n\t\t\t\tLdrpDereferenceModule(DllEntry);\n\t\t\t}\n\t\t}\n\t}\n\telse\n\t{\n\t\t// LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 601, \"LdrLoadDll\", 0, &LdrEntry[176]);\n\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x259, \"LdrLoadDll\", 0, \"Nonpackaged process attempted to load a packaged DLL.\\n\"); )\n\t\tStatus = STATUS_NO_APPLICATION_PACKAGE;\n\t}\n\n\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x279, \"LdrLoadDll\", 4, \"Status: 0x%08lx\\n\", Status); )\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpLoadDll(PUNICODE_STRING DllName, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, LDR_DATA_TABLE_ENTRY** DllEntry) // CHECKED.\n{\n\tNTSTATUS Status;\n\n\tWID_HIDDEN( LdrpLogDllState(0, DllName, 0x14A8); )\n\n\t// Flags is passed by value so no need to create a backup, it's already a backup by itself.\n\t// MOST FLAGS = CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80)\n\n\t// Creates a new unicode_string and allocates it some buffer.\n\tUNICODE_STRING FullDllPath;\n\tWCHAR Buffer[128];\n\tFullDllPath.Length = 0;\n\tFullDllPath.MaximumLength = MAX_PATH - 4;\n\tFullDllPath.Buffer = Buffer;\n\tBuffer[0] = 0;\n\t \n\t// Returns the Absolute path\n\t// If a non-relative path was given then the flags will be ORed with LOAD_LIBRARY_SEARCH_APPLICATION_DIR (0x200) | LOAD_LIBRARY_SEARCH_USER_DIRS (0x400)\n\t// resulting in the MOST FLAGS being:\n\t// CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80) |\n\t// LOAD_LIBRARY_SEARCH_APPLICATION_DIR (0x200) | LOAD_LIBRARY_SEARCH_USER_DIRS (0x400)\n\tStatus = LdrpPreprocessDllName(DllName, &FullDllPath, 0, &Flags);\n\n\tif (NT_SUCCESS(Status))\n\t\t// A even deeper function, by far we can see Windows is kinda all *wrapped* around each other.\n\n\t\t// This function is responsible for the linking issue.\n\t\tfLdrpLoadDllInternal(&FullDllPath, DllPathInited, Flags, ImageDll, 0, 0, DllEntry, &Status, 0);\n\n\tif (Buffer != FullDllPath.Buffer)\n\t\tNtdllpFreeStringRoutine(FullDllPath.Buffer);\n\n\t// I don't see no point in this but anyways.\n\tFullDllPath.Length = 0;\n\tFullDllPath.MaximumLength = MAX_PATH - 4;\n\tFullDllPath.Buffer = Buffer;\n\tBuffer[0] = 0;\n\tWID_HIDDEN( LdrpLogDllState(0, DllName, 0x14A9); )\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpLoadDllInternal(PUNICODE_STRING FullPath, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, ULONG LdrFlags, PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2, PLDR_DATA_TABLE_ENTRY* DllEntry, NTSTATUS* pStatus, ULONG Zero) // CHECKED. // This function is responsible for the linking issue.\n{\n\tNTSTATUS Status;\n\n\t// NOTES:\n\t// I assumed that LdrFlags (which was sent as 0x4 (ImageDll) by LdrpLoadDll) is the same flags inside LDR_DATA_TABLE_ENTRY.\n\t// LdrEntry & LdrEntry2 were both sent as 0s by LdrpLoadDll.\n\t// \n\t// Instead of using gotos which causes the local variables to be initialized in the start of the function (making it look not good in my opinion)\n\t// I created a do-while loop. The outcome won't be affected.\n\t//\n\t// MOST FLAGS = CONVERTED_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80)\n\t// LOAD_LIBRARY_SEARCH_APPLICATION_DIR (0x200) | LOAD_LIBRARY_SEARCH_USER_DIRS (0x400)\n\n\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x379, \"LdrpLoadDllInternal\", 3, \"DLL name: %wZ\\n\", FullPath); )\n\n\tbool IsWorkerThread = false;\n\tdo\n\t{\n\t\t*DllEntry = 0;\n\t\tLdrEntry = LdrEntry2;\n\n\t\t// This will go in.\n\t\tif (LdrFlags != (PackagedBinary | LoadNotificationsSent))\n\t\t{\n\t\t\t// This function does some prior setup, incrementing the module load count is done inside here.\n\t\t\tStatus = LdrpFastpthReloadedDll(FullPath, Flags, LdrEntry2, DllEntry); // returns STATUS_DLL_NOT_FOUND in normal circumstances.\n\n\t\t\t// If not an actual nt success (excludes warnings)\n\t\t\tif (!NT_SUCCESS((LONG)(Status + 0x80000000)) || Status == STATUS_IMAGE_LOADED_AS_PATCH_IMAGE)\n\t\t\t{\n\t\t\t\t*pStatus = Status;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tIsWorkerThread = ((NtCurrentTeb()->SameTebFlags & LoadOwner) == 0);\n\t\tif (IsWorkerThread)\n\t\t\tLdrpDrainWorkQueue(WaitLoadComplete);\n\n\t\t// This won't go in so we can ignore it. I still did simplifying though.\n\t\t// Because the LdrFlags was sent 0x4 (ImageDll), we can ignore this one.\n\t\tif (LdrFlags == (PackagedBinary | LoadNotificationsSent))\n\t\t{\n\t\t\tStatus = LdrpFindLoadedDllByHandle(Zero, &LdrEntry, 0);\n\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t{\n\t\t\t\tif (FullPath->Buffer)\n\t\t\t\t\tLdrpFreeUnicodeString(FullPath);\n\n\t\t\t\t*pStatus = Status;\n\n\t\t\t\tif (IsWorkerThread)\n\t\t\t\t\tLdrpDropLastInProgressCount();\n\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tif (LdrEntry->HotPatchState == LdrHotPatchFailedToPatch)\n\t\t\t{\n\t\t\t\tStatus = STATUS_PATCH_CONFLICT;\n\n\t\t\t\tif (FullPath->Buffer)\n\t\t\t\t\tLdrpFreeUnicodeString(FullPath);\n\n\t\t\t\t*pStatus = Status;\n\n\t\t\t\tif (IsWorkerThread)\n\t\t\t\t\tLdrpDropLastInProgressCount();\n\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tStatus = LdrpQueryCurrentPatch(LdrEntry->CheckSum, LdrEntry->TimeDateStamp, FullPath);\n\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t{\n\t\t\t\tif (FullPath->Buffer)\n\t\t\t\t\tLdrpFreeUnicodeString(FullPath);\n\n\t\t\t\t*pStatus = Status;\n\n\t\t\t\tif (IsWorkerThread)\n\t\t\t\t\tLdrpDropLastInProgressCount();\n\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tif (!FullPath->Length)\n\t\t\t{\n\t\t\t\tif (LdrEntry->ActivePatchImageBase)\n\t\t\t\t\tStatus = LdrpUndoPatchImage(LdrEntry);\n\n\t\t\t\tif (FullPath->Buffer)\n\t\t\t\t\tLdrpFreeUnicodeString(FullPath);\n\n\t\t\t\t*pStatus = Status;\n\n\t\t\t\tif (IsWorkerThread)\n\t\t\t\t\tLdrpDropLastInProgressCount();\n\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\t// LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x3FA, \"LdrpLoadDllInternal\", 2u, &::LdrEntry[232], FullPath);\n\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x3FA, \"LdrpLoadDllInternal\", 2, \"Loading patch image: %wZ\\n\", FullPath); )\n\t\t}\n\n\t\t// Opens a token to the current thread and sets GLOBAL variable LdrpMainThreadToken with that token.\n\t\tLdrpThreadTokenSetMainThreadToken(); // returns STATUS_NO_TOKEN in normal circumstances.\n\n\t\tLDR_DATA_TABLE_ENTRY* pLdrEntryLoaded = 0;\n\t\t// This will go in by the first check LdrEntry2 because it was sent as 0 in LdrpLoadDll.\n\t\tif (!LdrEntry || !IsWorkerThread || LdrEntry->DdagNode->LoadCount)\n\t\t{\n\t\t\t// I checked the function, it detects a hook by byte scanning these following functions;\n\t\t\t// ntdll!NtOpenFile\n\t\t\t// ntdll!NtCreateSection\n\t\t\t// ntdll!ZqQueryAttributes\n\t\t\t// ntdll!NtOpenSection\n\t\t\t// ntdll!ZwMapViewOfSection\n\t\t\t// Resulting in the global variable LdrpDetourExist to be set if there's a hook, didn't checked what's done with it though.\n\t\t\tLdrpDetectDetour();\n\n\t\t\t// [IGNORE THIS] Finds the module, increments the loaded module count. [IGNORE THIS]\n\t\t\t// [IGNORE THIS] It can go to another direction if the Flag LOAD_LIBRARY_SEARCH_APPLICATION_DIR was set, but that couldn't be set coming from LoadLibraryExW. [IGNORE THIS]\n\t\t\t// If LoadLibrary was given an absolute path, Flags will have LOAD_LIBRARY_SEARCH_APPLICATION_DIR causing this function to call LdrpLoadKnownDll.\n\t\t\t// In our case LdrpFindOrPrepareLoadingModule actually returns STATUS_DLL_NOT_FOUND, which I thought was a bad thing but after checking up inside\n\t\t\t// inside LdrpProcessWork it didn't looked that bad.\n\t\t\t// So our dll loading part is actually inside LdrpProcessWork (for calling LoadLibraryExW with an absolute path and 0 flags at least)\n\n\t\t\t//Status = LdrpFindOrPrepareLoadingModule(FullPath, DllPathInited, Flags, LdrFlags, LdrEntry, &pLdrEntryLoaded, pStatus);\n\t\t\tStatus = LdrpFindOrPrepareLoadingModule(FullPath, DllPathInited, Flags, LdrFlags, LdrEntry, &pLdrEntryLoaded, pStatus);\n\t\t\tif (Status == STATUS_DLL_NOT_FOUND)\n\t\t\t\t// Even if the DllMain call succeeds, there's still runtime bugs on the dll side, like the dll not being able to unload itself and such. So I still got\n\t\t\t\t// a lot of work to do.\n\t\t\t\tfLdrpProcessWork(pLdrEntryLoaded->LoadContext, TRUE);\n\t\t\telse if (Status != STATUS_RETRY && !NT_SUCCESS(Status))\n\t\t\t\t*pStatus = Status;\n\t\t}\n\t\telse\n\t\t{\n\t\t\t*pStatus = STATUS_DLL_NOT_FOUND;\n\t\t}\n\n\t\tLdrpDrainWorkQueue(WaitWorkComplete);\n\n\t\tif (*LdrpMainThreadToken)\n\t\t\t// Closes the token handle, and sets GLOBAL variable LdrpMainThreadToken to 0.\n\t\t\tLdrpThreadTokenUnsetMainThreadToken();\n\n\t\tif (pLdrEntryLoaded)\n\t\t{\n\t\t\t*DllEntry = LdrpHandleReplacedModule(pLdrEntryLoaded);\n\t\t\tif (pLdrEntryLoaded != *DllEntry)\n\t\t\t{\n\t\t\t\tLdrpFreeReplacedModule(pLdrEntryLoaded);\n\t\t\t\tpLdrEntryLoaded = *DllEntry;\n\t\t\t\tif (pLdrEntryLoaded->LoadReason == LoadReasonPatchImage && LdrFlags != (PackagedBinary | LoadNotificationsSent))\n\t\t\t\t\t*pStatus = STATUS_IMAGE_LOADED_AS_PATCH_IMAGE;\n\t\t\t}\n\n\t\t\tif (pLdrEntryLoaded->LoadContext)\n\t\t\t\tLdrpCondenseGraph(pLdrEntryLoaded->DdagNode);\n\n\t\t\tif (NT_SUCCESS(*pStatus))\n\t\t\t{\n\t\t\t\t// [IGNORE THIS] In here I realized that the module must have already been loaded to be prepared for execution.\n\t\t\t\t// [IGNORE THIS] So I've gone a little back and realized the actual loading was done in the LdrpDrainWorkQueue function.\n\t\t\t\t// Doing more research revealed it was inside LdrpProcessWork after LdrpFindOrPrepareLoadingModule returning STATUS_DLL_NOT_FOUND.\n\n\t\t\t\tStatus = fLdrpPrepareModuleForExecution(pLdrEntryLoaded, pStatus);\n\t\t\t\t*pStatus = Status;\n\t\t\t\tif (NT_SUCCESS(Status))\n\t\t\t\t{\n\t\t\t\t\tStatus = LdrpBuildForwarderLink(LdrEntry, pLdrEntryLoaded);\n\t\t\t\t\t*pStatus = Status;\n\t\t\t\t\tif (NT_SUCCESS(Status) && !*LdrInitState)\n\t\t\t\t\t\tLdrpPinModule(pLdrEntryLoaded);\n\t\t\t\t}\n\n\t\t\t\t// Because the LdrFlags was sent 0x4 (ImageDll), we can ignore this one too.\n\t\t\t\tif (LdrFlags == (PackagedBinary | LoadNotificationsSent) && LdrEntry->ActivePatchImageBase != pLdrEntryLoaded->DllBase)\n\t\t\t\t{\n\t\t\t\t\tif (pLdrEntryLoaded->HotPatchState == LdrHotPatchFailedToPatch)\n\t\t\t\t\t{\n\t\t\t\t\t\t*pStatus = STATUS_DLL_INIT_FAILED;\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\tStatus = LdrpApplyPatchImage(pLdrEntryLoaded);\n\t\t\t\t\t\t*pStatus = Status;\n\t\t\t\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t//UNICODE_STRING Names[4];\n\t\t\t\t\t\t\t//Names[0] = pLdrEntryLoaded->FullDllName;\n\t\t\t\t\t\t\t//WID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x4AF, \"LdrpLoadDllInternal\", 0, \"Applying patch \\\"%wZ\\\" failed\\n\", Names); )\n\t\t\t\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x4AF, \"LdrpLoadDllInternal\", 0, \"Applying patch \\\"%wZ\\\" failed\\n\", pLdrEntryLoaded->FullDllName); )\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tLdrpFreeLoadContextOfNode(pLdrEntryLoaded->DdagNode, pStatus);\n\t\t\tif (!NT_SUCCESS(*pStatus) && (LdrFlags != (PackagedBinary | LoadNotificationsSent) || pLdrEntryLoaded->HotPatchState != LdrHotPatchAppliedReverse))\n\t\t\t{\n\t\t\t\t*DllEntry = 0;\n\t\t\t\tLdrpDecrementModuleLoadCountEx(pLdrEntryLoaded, 0);\n\t\t\t\tLdrpDereferenceModule(pLdrEntryLoaded);\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\t*pStatus = STATUS_NO_MEMORY;\n\t\t}\n\t} while (FALSE);\n\t\n\tif (IsWorkerThread)\n\t\tLdrpDropLastInProgressCount();\n\n\t// LoadNotificationsSent (0x8) | PackagedBinary (0x1)\n\t// Because the LdrFlags was sent 0x4 (ImageDll), we can ignore this one too.\n\tif (LdrFlags == (LoadNotificationsSent | PackagedBinary) && LdrEntry)\n\t\tLdrpDereferenceModule(LdrEntry);\n\n\tStatus = *pStatus;\n\tWID_HIDDEN( Status = LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrapi.c\", 0x52E, \"LdrpLoadDllInternal\", 4, \"Status: 0x%08lx\\n\", Status); )\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpProcessWork(PLDRP_LOAD_CONTEXT LoadContext, BOOLEAN IsLoadOwner) // CHECKED.\n{\n\tNTSTATUS Status;\n\n\t// Converted goto to do-while loop.\n\tdo\n\t{\n\t\tStatus = *LoadContext->pStatus;\n\t\tif (!NT_SUCCESS(Status))\n\t\t\tbreak;\n\n\t\t// Caused most likely because CONTAINING_RECORD macro was used, I have no idea what's going on.\n\t\t// Also the structure used (LDRP_LOAD_CONTEXT) isn't documented, that's what I've got out of it so far.\n\t\tif ((UINT_PTR)LoadContext->WorkQueueListEntry.Flink[9].Blink[3].Blink & UINT_MAX)\n\t\t{\n\t\t\tStatus = fLdrpSnapModule(LoadContext);\n\t\t}\n\t\telse\n\t\t{\n\t\t\tif (LoadContext->Flags & 0x100000)\n\t\t\t{\n\t\t\t\tStatus = fLdrpMapDllRetry(LoadContext);\n\t\t\t}\n\t\t\t// We will continue from here since we have the LOAD_LIBRARY_SEARCH_APPLICATION_DIR flag, and also the function name is exactly representing\n\t\t\t// what we are expecting to happen.\n\t\t\telse if (LoadContext->Flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR)\n\t\t\t{\n\t\t\t\tStatus = fLdrpMapDllFullPath(LoadContext);\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tStatus = fLdrpMapDllSearchPath(LoadContext);\n\t\t\t}\n\t\t\tif (NT_SUCCESS(Status) || Status == STATUS_RETRY)\n\t\t\t\tbreak;\n\n\t\t\t//Status = LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrmap.c\", 0x7D2, \"LdrpProcessWork\", 0, \"Unable to load DLL: \\\"%wZ\\\", Parent Module: \\\"%wZ\\\", Status: 0x%x\\n\", LoadContext, &LoadContext->Entry->FullDllName & (unsigned __int64)((unsigned __int128)-(__int128)(unsigned __int64)LoadContext->Entry >> 64), Status);\n\t\t\tWID_HIDDEN( Status = LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrmap.c\", 0x7D2, \"LdrpProcessWork\", 0, \"Unable to load DLL: \\\"%wZ\\\", Parent Module: \\\"%wZ\\\", Status: 0x%x\\n\", LoadContext, ((UINT_PTR)&LoadContext->Entry->FullDllName & (UINT_PTR)LoadContext->Entry >> 64), Status); )\n\t\t\t// This part is for failed cases so we can ignore it.\n\t\t\tif (Status == STATUS_DLL_NOT_FOUND)\n\t\t\t{\n\t\t\t\tWID_HIDDEN( LdrpLogError(STATUS_DLL_NOT_FOUND, 0x19, 0, LoadContext); )\n\t\t\t\tWID_HIDDEN( LdrpLogDeprecatedDllEtwEvent(LoadContext); )\n\t\t\t\t//LdrpLogLoadFailureEtwEvent((DWORD)LoadContext,(DWORD(LoadContext->Entry) + 0x48) & ((unsigned __int128)-(__int128)(unsigned __int64)LoadContext->Entry >> 64),STATUS_DLL_NOT_FOUND,(unsigned int)&LoadFailure,0);\n\t\t\t\tWID_HIDDEN( LdrpLogLoadFailureEtwEvent((PVOID)LoadContext, (PVOID)(((UINT_PTR)(LoadContext->Entry->EntryPointActivationContext) & ((UINT_PTR)(LoadContext->Entry) >> 64))), STATUS_DLL_NOT_FOUND, LoadFailure, 0); )\n\n\t\t\t\t//PLDR_DATA_TABLE_ENTRY DllEntry = (PLDR_DATA_TABLE_ENTRY)LoadContext->WorkQueueListEntry.Flink;\n\t\t\t\tLDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\t\t\t\tif (DllEntry->FlagGroup[0] & ProcessStaticImport)\n\t\t\t\t{\n\t\t\t\t\tWID_HIDDEN( Status = LdrpReportError(LoadContext, 0, STATUS_DLL_NOT_FOUND); )\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (!NT_SUCCESS(Status))\n\t\t{\n\t\t\t*LoadContext->pStatus = Status;\n\t\t}\n\t} while (FALSE);\n\n\tif (!IsLoadOwner)\n\t{\n\t\tbool SetWorkCompleteEvent;\n\n\t\t//RtlEnterCriticalSection(&LdrpWorkQueueLock);\n\t\tRtlEnterCriticalSection(LdrpWorkQueueLock);\n\t\t--(*LdrpWorkInProgress);\n\t\tif (*LdrpWorkQueue != (LIST_ENTRY*)LdrpWorkQueue || (SetWorkCompleteEvent = TRUE, *LdrpWorkInProgress != 1))\n\t\t\tSetWorkCompleteEvent = FALSE;\n\t\t//Status = RtlLeaveCriticalSection(&LdrpWorkQueueLock);\n\t\tStatus = RtlLeaveCriticalSection(LdrpWorkQueueLock);\n\t\tif (SetWorkCompleteEvent)\n\t\t\tStatus = ZwSetEvent(*LdrpWorkCompleteEvent, 0);\n\t}\n\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpSnapModule(PLDRP_LOAD_CONTEXT LoadContext)\n{\n\tNTSTATUS Status = STATUS_SUCCESS;\n\tNTSTATUS Status_2 = STATUS_SUCCESS;\n\tNTSTATUS Status_3 = STATUS_SUCCESS;\n\tNTSTATUS NtStatus = STATUS_SUCCESS;\n\n\tFUNCTION_TABLE_DATA FunctionTableData{};\n\tFUNCTION_TABLE_DATA FunctionTableData2{};\n\t\n\n\tLDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\n\tPIMAGE_DOS_HEADER DllBase = DllEntry->DllBase;\n\tPUNICODE_STRING FullDllName = &DllEntry->FullDllName;\n\tWID_HIDDEN( LdrpLogDllState((UINT_PTR)DllBase, &DllEntry->FullDllName, 0x14A6u); )\n\tLdrpHandlePendingModuleReplaced(LoadContext);\n\n\tPIMAGE_DOS_HEADER DosHeaders[8];\n\tmemset(DosHeaders, 0, sizeof(DosHeaders));\n\n\tPIMAGE_SECTION_HEADER SectionHeader = nullptr;\n\tLONG DosHeaderIdx = 0;\n\tULONG v93 = 0;\n\n\tBOOL SomeStatus = FALSE;\n\tLDR_DATA_TABLE_ENTRY* DllEntry_2 = nullptr;\n\tLDR_DATA_TABLE_ENTRY* DllEntry_3 = nullptr;\n\n\tPCHAR GuardCFArray = nullptr;\n\tPCHAR GuardCFArray2VA = nullptr;\n\n\tPIMAGE_SECTION_HEADER SectionHeader_2;\n\twhile (TRUE)\n\t{\n\t\tSomeStatus = TRUE;\n\t\tULONG OriginalIATProtect = LoadContext->OriginalIATProtect;\n\t\tif (OriginalIATProtect >= LoadContext->SizeOfIAT)\n\t\t{\n\t\t\tStatus = fLdrpDoPostSnapWork(LoadContext);\n\t\t\tif (NT_SUCCESS(Status))\n\t\t\t{\n\t\t\t\tWID_HIDDEN( LdrpLogDllState((UINT_PTR)DllEntry->DllBase, &DllEntry->FullDllName, 0x14A7u); )\n\t\t\t\tDllEntry->DdagNode->State = LdrModulesSnapped;\n\t\t\t}\n\n\t\t\tgoto SET_LOAD_CONTEXT;\n\t\t}\n\n\t\tUINT_PTR OriginalIATProtect_2 = OriginalIATProtect;\n\t\tLDR_DATA_TABLE_ENTRY* IdxLdrEntry = LoadContext->IATCheck[OriginalIATProtect];\n\t\tDllEntry_2 = IdxLdrEntry;\n\t\tDllEntry_3 = IdxLdrEntry;\n\t\tif (IdxLdrEntry)\n\t\t{\n\t\t\tLDRP_LOAD_CONTEXT* LoadContext_2 = IdxLdrEntry->LoadContext;\n\t\t\tif (LoadContext_2)\n\t\t\t{\n\t\t\t\tif ((LoadContext_2->Flags & 0x80000) == 0 && CONTAINING_RECORD(LoadContext_2->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks) != IdxLdrEntry)\n\t\t\t\t{\n\t\t\t\t\tDllEntry_2 = CONTAINING_RECORD(LoadContext_2->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\t\t\t\t\tDllEntry_3 = DllEntry_2;\n\t\t\t\t\tLoadContext_2->WorkQueueListEntry.Flink = &IdxLdrEntry->InLoadOrderLinks;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tLDR_DATA_TABLE_ENTRY* IdxLdrEntry_2 = LoadContext->IATCheck[OriginalIATProtect_2];\n\t\tif (IdxLdrEntry_2 != DllEntry_2)\n\t\t{\n\t\t\tLdrpFreeReplacedModule(IdxLdrEntry_2);\n\t\t\tLoadContext->IATCheck[OriginalIATProtect_2] = DllEntry_2;\n\t\t}\n\n\t\tULONG* GuardCFCheckFunctionPointer = (ULONG*)LoadContext->GuardCFCheckFunctionPointer;\n\t\tUINT_PTR GuardCFArrayVA = GuardCFCheckFunctionPointer[5 * OriginalIATProtect_2];\n\t\tGuardCFArray = (char*)DllBase + GuardCFArrayVA;\n\t\tGuardCFArray2VA = (char*)DllBase + GuardCFCheckFunctionPointer[5 * OriginalIATProtect_2 + 4];\n\t\tif (!(DWORD)GuardCFArrayVA || (unsigned int)GuardCFArrayVA > DllEntry->SizeOfImage)\n\t\t\tGuardCFArray = (char*)DllBase + GuardCFCheckFunctionPointer[5 * OriginalIATProtect_2 + 4];\n\n\t\tif (DllEntry_2)\n\t\t\tbreak;\n\n\tINCREMENT_IAT_PROTECT:\n\t\t++LoadContext->OriginalIATProtect;\n\t}\n\n\tPIMAGE_DOS_HEADER DllBase_3 = DllEntry_2->DllBase;\n\tPIMAGE_DOS_HEADER DllBase_4 = DllBase_3;\n\tBOOLEAN DllBaseUnknownFlagCheck = TRUE;\n\tPIMAGE_DOS_HEADER DllBase_5 = DllBase_3;\n\tPIMAGE_NT_HEADERS32 pNtHeader = nullptr;\n\tPIMAGE_EXPORT_DIRECTORY pImageExportDir_2 = nullptr;\n\tif (((BYTE)DllBase_3 & 3) != 0)\n\t{\n\t\tDllBase_5 = (PIMAGE_DOS_HEADER)((UINT_PTR)DllBase_3 & 0xFFFFFFFFFFFFFFFC);\n\t\tDllBaseUnknownFlagCheck = ((BYTE)DllBase_3 & 1) == 0;\n\t}\n\n\tNtStatus = RtlImageNtHeaderEx(1u, DllBase_5, 0i64, (PIMAGE_NT_HEADERS*)&pNtHeader);\n\tif (!pNtHeader)\n\t\tgoto ZERO_IMAGE_EXPORT_DIR_2;\n\n\tWORD Magic = pNtHeader->OptionalHeader.Magic;\n\tULONG DirectorySize = 0;\n\tUINT_PTR DirectoryVA = 0;\n\n\t// For 32-bit apps\n\t// Checks if it's not a 32-bit app\n\tif (Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)\n\t{\n\t\t// For 64-bit apps\n\t\tif (Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC && pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size)\n\t\t{\n\t\t\tDirectoryVA = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress;\n\t\t\t\n\t\t\tif ((DWORD)DirectoryVA)\n\t\t\t{\n\t\t\t\tDirectorySize = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size;\n\t\t\t\tif (!DllBaseUnknownFlagCheck && (ULONG)DirectoryVA >= pNtHeader->OptionalHeader.SizeOfHeaders)\n\t\t\t\t{\n\t\t\t\t\tSectionHeader_2 = RtlAddressInSectionTable((PIMAGE_NT_HEADERS)pNtHeader, DllBase_5, (ULONG)DirectoryVA);\n\t\t\t\t\tpImageExportDir_2 = (PIMAGE_EXPORT_DIRECTORY)SectionHeader_2;\n\t\t\t\t\tNtStatus = STATUS_SUCCESS;\n\t\t\t\t\tif (!SectionHeader_2)\n\t\t\t\t\t\tNtStatus = STATUS_INVALID_PARAMETER;\n\n\t\t\t\t\tgoto NT_STUFF;\n\t\t\t\t}\n\n\t\t\tGET_IMAGE_EXPORT_DIR:\n\t\t\t\tSectionHeader_2 = (PIMAGE_SECTION_HEADER)((char*)DllBase_5 + DirectoryVA);\n\t\t\t\tpImageExportDir_2 = (PIMAGE_EXPORT_DIRECTORY)((char*)DllBase_5 + DirectoryVA);\n\t\t\t\tNtStatus = STATUS_SUCCESS;\n\t\t\t\tgoto NT_STUFF;\n\t\t\t}\n\n\t\t\tNtStatus = STATUS_NOT_IMPLEMENTED;\n\t\tZERO_IMAGE_EXPORT_DIR_2:\n\t\t\tSectionHeader_2 = nullptr;\n\t\t\tgoto NT_STUFF;\n\t\t}\n\n\tZERO_IMAGE_EXPORT_DIR:\n\t\tNtStatus = STATUS_INVALID_PARAMETER;\n\t\tgoto ZERO_IMAGE_EXPORT_DIR_2;\n\t}\n\n\tif (!pNtHeader->OptionalHeader.NumberOfRvaAndSizes)\n\t\tgoto ZERO_IMAGE_EXPORT_DIR;\n\n\tDirectoryVA = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;\n\tif (!(DWORD)DirectoryVA)\n\t{\n\t\tNtStatus = STATUS_NOT_IMPLEMENTED;\n\t\tgoto ZERO_IMAGE_EXPORT_DIR_2;\n\t}\n\n\tDirectorySize = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;\n\tif (DllBaseUnknownFlagCheck || (ULONG)DirectoryVA < pNtHeader->OptionalHeader.SizeOfHeaders)\n\t\tgoto GET_IMAGE_EXPORT_DIR;\n\n\tSectionHeader_2 = RtlAddressInSectionTable((PIMAGE_NT_HEADERS)pNtHeader, DllBase_5, (ULONG)DirectoryVA);\n\tpImageExportDir_2 = (PIMAGE_EXPORT_DIRECTORY)SectionHeader_2;\n\tNtStatus = STATUS_SUCCESS;\n\tif (!SectionHeader_2)\n\t\tNtStatus = STATUS_INVALID_PARAMETER;\n\nNT_STUFF:\n\tif (!NT_SUCCESS(NtStatus))\n\t{\n\t\tSectionHeader_2 = nullptr;\n\t\tpImageExportDir_2 = nullptr;\n\t}\n\n\tif (!SectionHeader_2)\n\t{\n\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 3278, \"LdrpSnapModule\", 0, \"DLL \\\"%wZ\\\" does not contain an export table\\n\", &DllEntry_3->FullDllName); )\n\t\tStatus = STATUS_INVALID_IMAGE_FORMAT;\n\t\tSomeStatus = TRUE;\n\t\tgoto SET_LOAD_CONTEXT;\n\t}\n\n\tULONG i = 0;\n\tBOOLEAN IsFinalIdx = FALSE;\n\tfor (i = 0; ; ++i)\n\t{\n\t\tIsFinalIdx = i == 8;\n\t\tif (i >= 8)\n\t\t\tbreak;\n\n\t\tPIMAGE_DOS_HEADER IdxDosHeader = DosHeaders[i];\n\t\tif (!IdxDosHeader || DllBase_3 == IdxDosHeader)\n\t\t{\n\t\t\tIsFinalIdx = i == 8;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (IsFinalIdx || !DosHeaders[i])\n\t{\n\t\tif (LdrControlFlowGuardEnforced())\n\t\t{\n\t\t\tif (DllBase_3 < (*stru_199520).ImageBase\n\t\t\t\t|| DllBase_3 >= (PIMAGE_DOS_HEADER)((char*)(*stru_199520).ImageBase + (*stru_199520).ImageSize))\n\t\t\t{\n\t\t\t\tRtlpxLookupFunctionTable(DllBase_3, (PIMAGE_RUNTIME_FUNCTION_ENTRY*)&FunctionTableData);\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tFunctionTableData = (*stru_199520);\n\t\t\t}\n\n\t\t\tif (FunctionTableData.ImageBase != DllBase_3)\n\t\t\t\tgoto LABEL_188;\n\t\t}\n\n\t\tDosHeaders[DosHeaderIdx] = DllBase_3;\n\t\tDosHeaderIdx = ((BYTE)DosHeaderIdx + 1) & 7;\n\t}\n\n\tPCHAR v27 = (CHAR*)&SectionHeader_2->Name[DirectorySize];\n\tPCHAR v108 = v27;\n\tUINT_PTR* pFuncAddresses = (UINT_PTR*)((char*)&DllBase_3->e_magic + SectionHeader_2->PointerToLinenumbers);\n\tUINT_PTR* pFuncAddresses_2 = pFuncAddresses;\n\tDWORD NumberNames = SectionHeader_2->PointerToRelocations;\n\tDWORD NumberNames_2 = NumberNames;\n\tPCHAR pAddressNames = (char*)DllBase_3 + *(unsigned int*)&SectionHeader_2->NumberOfRelocations;\n\tPCHAR pAddressNames_2 = pAddressNames;\n\tPSHORT pNameOrdinals = (SHORT*)((char*)DllBase_3 + SectionHeader_2->Characteristics);\n\tUINT_PTR IATIdx = 8 * (*(&LoadContext->OriginalIATProtect + 1));\n\tUINT_PTR* v32 = (UINT_PTR*)&GuardCFArray[IATIdx];\n\tUINT_PTR* v33 = (UINT_PTR*)&GuardCFArray2VA[IATIdx];\n\n\tUINT_PTR v36 = 0;\n\tPCHAR v104 = 0;\n\twhile (TRUE)\n\t{\n\t\tUINT_PTR* v106 = v33;\n\t\tUINT_PTR* v105 = v32;\n\t\tUINT_PTR v34 = *v32;\n\t\tif (!*v32)\n\t\t{\n\t\t\t*(&LoadContext->OriginalIATProtect + 1) = 0;\n\t\t\tgoto INCREMENT_IAT_PROTECT;\n\t\t}\n\n\t\tStatus = STATUS_PROCEDURE_NOT_FOUND;\n\t\tv36 = v34 >> 63;\n\t\tUINT_PTR v103 = v34 >> 63;\n\t\tPCHAR FunctionIdxAddress = (PCHAR)0xFFFFFFFFFFBADD11;\n\t\tULONG FunctionIdx = 0;\n\t\tv104 = 0;\n\t\tif ((v34 & 0x8000000000000000) != 0)\n\t\t{\n\t\t\tv93 = (USHORT)v34;\n\t\t\tFunctionIdx = (USHORT)v34 - SectionHeader_2->SizeOfRawData;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tPCHAR v38 = (char*)DllEntry->DllBase + (ULONG)v34;\n\t\t\tv104 = v38 + 2;\n\t\t\tif ((LoadContext->Flags & 0x2000000) != 0)\n\t\t\t{\n\t\t\t\tPCHAR v79 = LdrpCheckRedirection(DllEntry, DllEntry_3, v38 + 2);\n\t\t\t\tFunctionIdxAddress = v79;\n\t\t\t\tif (v79 != (PCHAR)0xFFFFFFFFFFBADD11)\n\t\t\t\t{\n\t\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 3375, \"LdrpSnapModule\", 2u, \"Import '%s' of DLL '%wZ' is redirected to 0x%p\", v38 + 2, FullDllName, v79); )\n\t\t\t\t\tSectionHeader_2 = (PIMAGE_SECTION_HEADER)pImageExportDir_2;\n\t\t\t\t\tgoto LABEL_54;\n\t\t\t\t}\n\t\t\t\tpAddressNames = pAddressNames_2;\n\t\t\t\tNumberNames = NumberNames_2;\n\t\t\t}\n\n\t\t\tLONG NameOrdinalIdx = *(USHORT*)v38;\n\t\t\tLONG v40 = 0;\n\t\t\tLONG NumberNamesM1 = NumberNames - 1;\n\t\t\tif (NameOrdinalIdx >= NumberNames)\n\t\t\t\tNameOrdinalIdx = NumberNamesM1 / 2;\n\n\t\t\tif (NumberNamesM1 < 0)\n\t\t\t{\n\t\t\tSET_SOMESTATUS_LOG_RETURN:\n\t\t\t\tSomeStatus = TRUE;\n\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 2190, \"LdrpNameToOrdinal\", 1u, \"Procedure \\\"%s\\\" could not be located in DLL at base 0x%p.\\n\", v38 + 2, DllBase_3); )\n\t\t\t\tSectionHeader_2 = (PIMAGE_SECTION_HEADER)pImageExportDir_2;\n\t\t\t\tgoto CHECK_STATUS_GOON;\n\t\t\t}\n\n\t\t\tLONG v45 = 0;\n\t\t\twhile (TRUE)\n\t\t\t{\n\t\t\t\tPBOOLEAN v42 = (BOOLEAN*)(v38 + 2);\n\t\t\t\tBOOLEAN v44 = FALSE;\n\t\t\t\tPCHAR Names = (PCHAR)((char*)DllBase_3 + *(unsigned int*)&pAddressNames[4 * NameOrdinalIdx] - (v38 + 2));\n\t\t\t\twhile (TRUE)\n\t\t\t\t{\n\t\t\t\t\tv44 = *v42;\n\t\t\t\t\tif (*v42 != Names[(UINT_PTR)v42])\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t++v42;\n\t\t\t\t\tif (!v44)\n\t\t\t\t\t{\n\t\t\t\t\t\tv45 = 0;\n\t\t\t\t\t\tgoto LABEL_41;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tv45 = v44 < (unsigned int)Names[(UINT_PTR)v42] ? -1 : 1;\n\t\t\tLABEL_41:\n\t\t\t\tif (!v45)\n\t\t\t\t\tbreak;\n\n\t\t\t\tLONG NameOrdinalIdxM1 = NameOrdinalIdx - 1;\n\t\t\t\tif (v45 >= 0)\n\t\t\t\t\tNameOrdinalIdxM1 = NumberNamesM1;\n\n\t\t\t\tNumberNamesM1 = NameOrdinalIdxM1;\n\t\t\t\tif (v45 >= 0)\n\t\t\t\t\tv40 = NameOrdinalIdx + 1;\n\n\t\t\t\tNameOrdinalIdx = (v40 + NameOrdinalIdxM1) / 2;\n\t\t\t\tpAddressNames = pAddressNames_2;\n\t\t\t\tif (NameOrdinalIdxM1 < v40)\n\t\t\t\t\tgoto SET_SOMESTATUS_LOG_RETURN;\n\t\t\t}\n\n\t\t\tFunctionIdx = (USHORT)pNameOrdinals[NameOrdinalIdx];\n\t\t\tSectionHeader_2 = (PIMAGE_SECTION_HEADER)pImageExportDir_2;\n\t\t\tpFuncAddresses = pFuncAddresses_2;\n\t\t\tv27 = v108;\n\t\t}\n\n\t\tif (FunctionIdx >= SectionHeader_2->PointerToRawData)\n\t\t{\n\t\tLABEL_52:\n\t\t\tSomeStatus = TRUE;\n\t\t\tgoto CHECK_STATUS_GOON;\n\t\t}\n\n\t\t_mm_lfence();\n\t\tUINT_PTR FunctionIdxAddressVA = *((ULONG*)pFuncAddresses + FunctionIdx);\n\t\tif (!(DWORD)FunctionIdxAddressVA)\n\t\t{\n\t\t\tStatus = STATUS_PROCEDURE_NOT_FOUND;\n\t\t\tgoto LABEL_52;\n\t\t}\n\n\t\tFunctionIdxAddress = (char*)DllBase_3 + FunctionIdxAddressVA;\n\t\tPCHAR FunctionIdxAddress_2 = (char*)DllBase_3 + FunctionIdxAddressVA;\n\t\tStatus = STATUS_SUCCESS;\n\t\tif ((char*)DllBase_3 + FunctionIdxAddressVA <= (char*)SectionHeader_2 || FunctionIdxAddress >= v27)\n\t\t\tgoto LABEL_52;\n\n\t\tLDR_DATA_TABLE_ENTRY* NtLdrEntry = DllEntry_3;\n\t\tPCHAR FunctionIdxAddress_3 = (char*)DllBase_3 + FunctionIdxAddressVA;\n\t\tpNtHeader = nullptr;\n\t\tLDR_DATA_TABLE_ENTRY* NtLdrEntry_2 = nullptr;\n\t\tLDRP_LOAD_CONTEXT* LoadContext_3 = DllEntry->LoadContext;\n\t\tLDRP_LOAD_CONTEXT* v111 = LoadContext_3;\n\t\tPVOID v101 = nullptr;\n\n\t\tSTRING SourceString = {};\n\t\tPCHAR SourceBuffer = SourceString.Buffer;\n\t\tUSHORT SourceLength = SourceString.Length;\n\t\twhile (TRUE)\n\t\t{\n\t\t\tPCHAR StringToBeHashed = 0;\n\t\t\tPCHAR DotOccurence = strrchr(FunctionIdxAddress_3, '.');\n\t\t\tif (!DotOccurence || (unsigned __int64)(DotOccurence - FunctionIdxAddress_3) > 0xFFFF)\n\t\t\t\tgoto LABEL_169;\n\n\t\t\tSourceBuffer = FunctionIdxAddress_3;\n\t\t\tSourceString.Buffer = FunctionIdxAddress_3;\n\t\t\tSourceLength = (WORD)DotOccurence - (WORD)FunctionIdxAddress_3;\n\t\t\tSourceString.Length = (WORD)DotOccurence - (WORD)FunctionIdxAddress_3;\n\t\t\tSourceString.MaximumLength = (WORD)DotOccurence - (WORD)FunctionIdxAddress_3;\n\t\t\tif (DotOccurence[1] != '#')\n\t\t\t{\n\t\t\t\tStringToBeHashed = DotOccurence + 1;\n\t\t\t\tgoto LABEL_64;\n\t\t\t}\n\n\t\t\tPCHAR StringToBeHashed_2 = nullptr;\n\t\t\tULONG IntValue = 0;\n\t\t\tBOOL SomeStatus_2 = FALSE;\n\t\t\tif (RtlCharToInteger(DotOccurence + 2, 0, &IntValue) >= 0)\n\t\t\t{\n\t\t\t\tStringToBeHashed = nullptr;\n\t\t\tLABEL_64:\n\t\t\t\tStringToBeHashed_2 = StringToBeHashed;\n\t\t\t\tStatus = STATUS_SUCCESS;\n\t\t\t\tSomeStatus_2 = TRUE;\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\tLABEL_169:\n\t\t\t\tStatus = STATUS_INVALID_IMAGE_FORMAT;\n\t\t\t\tSomeStatus_2 = FALSE;\n\t\t\t\tStringToBeHashed = StringToBeHashed_2;\n\t\t\t}\n\t\t\tif (!SomeStatus_2)\n\t\t\t\tgoto LABEL_105;\n\t\t\t// 4 spaces, ldtn, 1 space, l\n\t\t\tif (SourceLength == 5 && (*(DWORD*)SourceBuffer | ' ') == 'ldtn' && ((BYTE)SourceBuffer[4] | ' ') == 'l')\n\t\t\t{\n\t\t\t\tNtLdrEntry = (LDR_DATA_TABLE_ENTRY*)(*LdrpNtDllDataTableEntry);\n\t\t\t\tNtLdrEntry_2 = (LDR_DATA_TABLE_ENTRY*)(*LdrpNtDllDataTableEntry);\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tStatus = LdrpLoadDependentModuleA((PUNICODE_STRING)&SourceString, LoadContext_3, NtLdrEntry, 1, &NtLdrEntry_2, (UINT_PTR)&v101);\n\t\t\t\tSomeStatus = TRUE;\n\t\t\t\tif (!NT_SUCCESS(Status) || Status == STATUS_PENDING)\n\t\t\t\t\tgoto LOAD_DEPENDENTA_FAILED;\n\n\t\t\t\tNtLdrEntry = NtLdrEntry_2;\n\t\t\t\tSourceBuffer = SourceString.Buffer;\n\t\t\t\tSourceLength = SourceString.Length;\n\t\t\t}\n\n\t\t\tPCHAR v85 = 0;\n\t\t\tif ((DllEntry->LoadContext->Flags & 0x2000000) != 0)\n\t\t\t{\n\t\t\t\tif (StringToBeHashed)\n\t\t\t\t{\n\t\t\t\t\tFunctionIdxAddress_3 = LdrpCheckRedirection(DllEntry, NtLdrEntry, StringToBeHashed);\n\t\t\t\t\tv85 = FunctionIdxAddress_3;\n\t\t\t\t\tif (FunctionIdxAddress_3 != (PCHAR)0xFFFFFFFFFFBADD11)\n\t\t\t\t\t{\n\t\t\t\t\t\tStatus = STATUS_SUCCESS;\n\t\t\t\t\t\tSomeStatus = TRUE;\n\t\t\t\t\t\tgoto LABEL_109;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tPIMAGE_DOS_HEADER NtBase = NtLdrEntry->DllBase;\n\t\t\tBOOLEAN SomeNtCheck = TRUE;\n\t\t\tPIMAGE_DOS_HEADER NtBase_2 = NtBase;\n\t\t\tPIMAGE_NT_HEADERS OutHeaders = nullptr;\n\t\t\tif (((BYTE)NtBase & 3) != 0)\n\t\t\t{\n\t\t\t\tNtBase_2 = (PIMAGE_DOS_HEADER)((UINT_PTR)NtBase & 0xFFFFFFFFFFFFFFFC);\n\t\t\t\tSomeNtCheck = ((BYTE)NtBase & 1) == 0;\n\t\t\t}\n\n\t\t\tStatus_2 = RtlImageNtHeaderEx(1u, NtBase_2, 0, &OutHeaders);\n\n\t\t\tULONG Size = 0;\n\t\t\tif (OutHeaders)\n\t\t\t{\n\t\t\t\tWORD Magic_2 = OutHeaders->OptionalHeader.Magic;\n\t\t\t\tUINT_PTR NtExportDirVA = 0;\n\t\t\t\tif (Magic_2 != IMAGE_NT_OPTIONAL_HDR32_MAGIC)\n\t\t\t\t{\n\t\t\t\t\tif (Magic_2 == IMAGE_NT_OPTIONAL_HDR64_MAGIC && OutHeaders->OptionalHeader.NumberOfRvaAndSizes)\n\t\t\t\t\t{\n\t\t\t\t\t\tNtExportDirVA = OutHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;\n\t\t\t\t\t\tif (!(DWORD)NtExportDirVA)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tStatus_2 = STATUS_NOT_IMPLEMENTED;\n\t\t\t\t\t\t\tgoto CHECK_NT_EXPORTDIR;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tSize = OutHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;\n\t\t\t\t\t\tif (!SomeNtCheck && (unsigned int)NtExportDirVA >= OutHeaders->OptionalHeader.SizeOfHeaders)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSectionHeader = RtlAddressInSectionTable(OutHeaders, NtBase_2, (unsigned int)NtExportDirVA);\n\t\t\t\t\t\t\tStatus_2 = 0;\n\t\t\t\t\t\t\tif (!SectionHeader)\n\t\t\t\t\t\t\t\tStatus_2 = STATUS_INVALID_PARAMETER;\n\t\t\t\t\t\t\tgoto CHECK_NT_EXPORTDIR;\n\t\t\t\t\t\t}\n\n\t\t\t\t\tGET_NT_EXPORTDIR:\n\t\t\t\t\t\tSectionHeader = (PIMAGE_SECTION_HEADER)((char*)NtBase_2 + NtExportDirVA);\n\t\t\t\t\t\tStatus_2 = 0;\n\t\t\t\t\t\tgoto CHECK_NT_EXPORTDIR;\n\t\t\t\t\t}\n\t\t\t\tFAIL_NTSTATUS:\n\t\t\t\t\tStatus_2 = STATUS_INVALID_PARAMETER;\n\t\t\t\t\tgoto CHECK_NT_EXPORTDIR;\n\t\t\t\t}\n\t\t\t\tif (!(OutHeaders->OptionalHeader.SizeOfHeapReserve & 0xFFFFFFFF00000000))\n\t\t\t\t\tgoto FAIL_NTSTATUS;\n\n\t\t\t\tNtExportDirVA = (OutHeaders->OptionalHeader.SizeOfHeapCommit & UINT_MAX);\n\t\t\t\tif (!(DWORD)NtExportDirVA)\n\t\t\t\t{\n\t\t\t\t\tStatus_2 = STATUS_NOT_IMPLEMENTED;\n\t\t\t\t\tgoto CHECK_NT_EXPORTDIR;\n\t\t\t\t}\n\n\t\t\t\tSize = (OutHeaders->OptionalHeader.SizeOfHeapCommit & 0xFFFFFFFF00000000);\n\t\t\t\tif (SomeNtCheck || (unsigned int)NtExportDirVA < OutHeaders->OptionalHeader.SizeOfHeaders)\n\t\t\t\t\tgoto GET_NT_EXPORTDIR;\n\n\t\t\t\tSectionHeader = RtlAddressInSectionTable(OutHeaders, NtBase_2, (unsigned int)NtExportDirVA);\n\t\t\t\tStatus_2 = 0;\n\t\t\t\tif (!SectionHeader)\n\t\t\t\t\tStatus_2 = STATUS_INVALID_PARAMETER;\n\t\t\t}\n\t\tCHECK_NT_EXPORTDIR:\n\t\t\tif (!NT_SUCCESS(Status_2))\n\t\t\t\tSectionHeader = nullptr;\n\n\t\t\tif (!SectionHeader)\n\t\t\t{\n\t\t\t\tStatus = STATUS_PROCEDURE_NOT_FOUND;\n\t\t\tLABEL_192:\n\t\t\t\tSectionHeader = nullptr;\n\t\t\tLABEL_105:\n\t\t\t\tSomeStatus = TRUE;\n\t\t\t\tgoto LOAD_DEPENDENTA_FAILED;\n\t\t\t}\n\n\t\t\tPCHAR v64 = StringToBeHashed_2;\n\t\t\tULONG v73 = 0;\n\t\t\tif (StringToBeHashed_2)\n\t\t\t{\n\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 827, \"LdrpGetProcedureAddress\", 2u, \"Locating procedure \\\"%s\\\" by name\\n\", StringToBeHashed_2); )\n\t\t\t\tLONG NameIdxP1 = 0;\n\t\t\t\tLONG NumberOfNames = SectionHeader->PointerToRelocations - 1;\n\t\t\t\tLONG NameIdx = NumberOfNames / 2;\n\t\t\t\tif (NumberOfNames >= 0)\n\t\t\t\t{\n\t\t\t\t\tLONG v71 = 0;\n\t\t\t\t\tBOOLEAN v70 = 0;\n\t\t\t\t\twhile (TRUE)\n\t\t\t\t\t{\n\t\t\t\t\t\tPCHAR v68 = StringToBeHashed_2;\n\t\t\t\t\t\tINT_PTR v69 = (char*)NtBase + *(unsigned int*)((char*)&NtBase->e_magic + 4 * NameIdx + *(unsigned int*)&SectionHeader->NumberOfRelocations) - StringToBeHashed_2;\n\t\t\t\t\t\twhile (TRUE)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tv70 = *v68;\n\t\t\t\t\t\t\tif (*v68 != v68[v69])\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\t++v68;\n\t\t\t\t\t\t\tif (!v70)\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tv71 = 0;\n\t\t\t\t\t\t\t\tgoto LABEL_89;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tv71 = v70 < (BOOLEAN)v68[v69] ? -1 : 1;\n\t\t\t\t\tLABEL_89:\n\t\t\t\t\t\tif (!v71)\n\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\tLONG v72 = NameIdx - 1;\n\t\t\t\t\t\tif (v71 >= 0)\n\t\t\t\t\t\t\tv72 = NumberOfNames;\n\n\t\t\t\t\t\tNumberOfNames = v72;\n\t\t\t\t\t\tif (v71 >= 0)\n\t\t\t\t\t\t\tNameIdxP1 = NameIdx + 1;\n\n\t\t\t\t\t\tNameIdx = (NameIdxP1 + v72) / 2;\n\t\t\t\t\t\tif (v72 < NameIdxP1)\n\t\t\t\t\t\t\tgoto LABEL_187;\n\t\t\t\t\t}\n\t\t\t\t\tv73 = *(unsigned __int16*)((char*)&NtBase->e_magic + 2 * NameIdx + SectionHeader->Characteristics);\n\t\t\t\t\tv64 = StringToBeHashed_2;\n\t\t\t\t\tgoto LABEL_97;\n\t\t\t\t}\n\t\t\tLABEL_187:\n\t\t\t\tSomeStatus = TRUE;\n\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 2190, \"LdrpNameToOrdinal\", 1u, \"Procedure \\\"%s\\\" could not be located in DLL at base 0x%p.\\n\", StringToBeHashed_2, NtBase); )\n\n\t\t\t\tStatus = STATUS_PROCEDURE_NOT_FOUND;\n\t\t\t\tSectionHeader = nullptr;\n\t\t\tLOAD_DEPENDENTA_FAILED:\n\t\t\t\tFunctionIdxAddress_3 = v85;\n\t\t\t\tgoto LABEL_107;\n\t\t\t}\n\n\t\t\tULONG v78 = IntValue;\n\t\t\tPVOID v83 = (PVOID)IntValue;\n\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 0x34D, \"LdrpGetProcedureAddress\", 2u, \"Loading procedure 0x%lx by ordinal\\n\", v83); )\n\t\t\tif (!v78)\n\t\t\t{\n\t\t\t\tStatus = STATUS_INVALID_PARAMETER;\n\t\t\t\tgoto LABEL_192;\n\t\t\t}\n\n\t\t\tv73 = v78 - SectionHeader->SizeOfRawData;\n\t\tLABEL_97:\n\t\t\tif (v73 >= SectionHeader->PointerToRawData)\n\t\t\t{\n\t\t\t\tSectionHeader = nullptr;\n\t\t\t\tStatus = (v64 != nullptr) - 0x3FFFFEC8;\n\t\t\t\tgoto LABEL_105;\n\t\t\t}\n\n\t\t\tFunctionIdxAddress_3 = (char*)NtBase + *(unsigned int*)((char*)&NtBase->e_magic + 4 * v73 + SectionHeader->PointerToLinenumbers);\n\t\t\tv85 = FunctionIdxAddress_3;\n\t\t\tif (FunctionIdxAddress_3 < (PCHAR)SectionHeader || FunctionIdxAddress_3 >= (PCHAR)&SectionHeader->Name[Size])\n\t\t\t{\n\t\t\t\tSectionHeader = nullptr;\n\t\t\t\tStatus = STATUS_SUCCESS;\n\t\t\t\tPIMAGE_RUNTIME_FUNCTION_ENTRY v74 = (PIMAGE_RUNTIME_FUNCTION_ENTRY)NtLdrEntry->DllBase;\n\t\t\t\tif (!*qword_1993B8 || (*dword_19939C & 1))\n\t\t\t\t\tgoto LABEL_105;\n\n\t\t\t\tif ((PIMAGE_DOS_HEADER)v74 < (*stru_199520).ImageBase || v74 >= (PIMAGE_RUNTIME_FUNCTION_ENTRY)((char*)(*stru_199520).ImageBase + (*stru_199520).ImageSize))\n\t\t\t\t{\n\t\t\t\t\tRtlpxLookupFunctionTable(NtLdrEntry->DllBase, (PIMAGE_RUNTIME_FUNCTION_ENTRY*)&FunctionTableData2);\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tFunctionTableData2 = *stru_199520;\n\t\t\t\t}\n\n\t\t\t\tif ((PIMAGE_RUNTIME_FUNCTION_ENTRY)FunctionTableData2.ImageBase == v74)\n\t\t\t\t\tgoto LABEL_105;\n\n\t\t\tLABEL_188:\n\t\t\t\t__fastfail(0x18u);\n\t\t\t}\n\n\t\t\tpNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pNtHeader + 1);\n\t\t\tSectionHeader = 0;\n\t\t\tif ((DWORD)pNtHeader != 32)\n\t\t\t{\n\t\t\t\tLoadContext_3 = v111;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tbreak;\n\t\t}\n\n\t\tStatus = STATUS_INVALID_IMAGE_FORMAT;\n\t\tSomeStatus = TRUE;\n\tLABEL_107:\n\t\tif (v101)\n\t\t\tRtlFreeHeap(*LdrpHeap, 0, v101);\n\n\tLABEL_109:\n\t\tif (Status == STATUS_PENDING)\n\t\t\treturn STATUS_SUCCESS;\n\n\t\tDllBase_3 = DllBase_4;\n\t\tv36 = (BYTE)v103;\n\t\tif (!NT_SUCCESS(Status))\n\t\t\tFunctionIdxAddress = FunctionIdxAddress_2;\n\t\telse\n\t\t\tFunctionIdxAddress = FunctionIdxAddress_3;\n\n\t\tSectionHeader_2 = (PIMAGE_SECTION_HEADER)pImageExportDir_2;\n\tCHECK_STATUS_GOON:\n\t\tif (NT_SUCCESS(Status))\n\t\t{\n\t\tLABEL_54:\n\t\t\tUINT_PTR* v49 = v106;\n\t\t\t*v106 = (UINT_PTR)FunctionIdxAddress;\n\t\t\tv32 = v105 + 1;\n\t\t\tv33 = v49 + 1;\n\t\t\t++(*(&LoadContext->OriginalIATProtect + 1));\n\t\t\tpAddressNames = pAddressNames_2;\n\t\t\tNumberNames = NumberNames_2;\n\t\t\tpFuncAddresses = pFuncAddresses_2;\n\t\t\tv27 = v108;\n\t\t\tcontinue;\n\t\t}\n\t\tbreak;\n\t}\n\n\tLDRP_LOAD_CONTEXT* LoadContext_4 = nullptr;\n\tif (Status != STATUS_PROCEDURE_NOT_FOUND && Status != STATUS_DLL_NOT_FOUND)\n\t{\n\tSET_LOAD_CONTEXT:\n\t\tLoadContext_4 = LoadContext;\n\t\tgoto GET_IMAGEBASE_RETURN;\n\t}\n\n\tPUNICODE_STRING pFullDllName_2 = {};\n\tif (CompatCachepLookupCdb(DllEntry->FullDllName.Buffer, 128) || CompatCachepLookupCdb(DllEntry_3->FullDllName.Buffer, 128))\n\t{\n\t\tpFullDllName_2 = FullDllName;\n\t\tWID_HIDDEN( LdrpLogLoadFailureEtwEvent(FullDllName, (PCHAR)DllEntry_3 + 72, 1, LoadFailure, 0); )\n\t\tWID_HIDDEN( LdrpLogLoadFailureEtwEvent(pFullDllName_2, (PCHAR)DllEntry_3 + 72, 1, LoadFailureOperational, 1); )\n\t}\n\telse\n\t{\n\t\tpFullDllName_2 = FullDllName;\n\t}\n\n\tUINT_PTR v82 = 0;\n\tif ((BYTE)v36)\n\t{\n\t\tStatus_3 = STATUS_ORDINAL_NOT_FOUND;\n\t\tStatus = STATUS_ORDINAL_NOT_FOUND;\n\t\tv82 = v93;\n\t}\n\telse\n\t{\n\t\tStatus = STATUS_ENTRYPOINT_NOT_FOUND;\n\t\tStatus_3 = STATUS_ENTRYPOINT_NOT_FOUND;\n\t\tv82 = (UINT_PTR)v104;\n\t}\n\n\tLdrpReportError(pFullDllName_2, v82, (unsigned int)Status_3);\n\tLoadContext_4 = LoadContext;\n\nGET_IMAGEBASE_RETURN:\n\tPIMAGE_DOS_HEADER ImageBase = LoadContext_4->ImageBase;\n\tif (ImageBase)\n\t{\n\t\tNtUnmapViewOfSection((HANDLE)-1ui64, ImageBase);\n\t\tLoadContext_4 = LoadContext;\n\t\tLoadContext->ImageBase = 0i64;\n\t}\n\n\tif (!NT_SUCCESS(Status))\n\t\tSomeStatus = FALSE;\n\n\tif (!SomeStatus)\n\t\tWID_HIDDEN( LdrpLogError(Status, 0x19u, 0, &LoadContext_4->BaseDllName); )\n\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpDoPostSnapWork(LDRP_LOAD_CONTEXT* LoadContext)\n{\n\tNTSTATUS Status = STATUS_SUCCESS;\n\n\tLDR_DATA_TABLE_ENTRY* DllEntry;\n\t\n\tNTSTATUS Status_2;\n\tUINT_PTR* DllNameLen;\n\tNTSTATUS Status_3;\n\tNTSTATUS Status_4;\n\tULONG OldAccessProtect;\n\n\tDllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n\tif (!LoadContext->pImageImportDescriptor || (Status_2 = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&LoadContext->pImageImportDescriptor, &LoadContext->ImageImportDescriptorLen, LoadContext->GuardFlags, &OldAccessProtect), Status = Status_2, Status_2 >= 0))\n\t{\n\t\tDllNameLen = (UINT_PTR*)LoadContext->UnknownFunc;\n\t\tif (DllNameLen && *DllNameLen != LoadContext->DllNameLenCompare)\n\t\t\t__fastfail(0x13u);\n\n\t\tif (DllEntry->TlsIndex || (Status_2 = LdrpHandleTlsData(DllEntry), Status = Status_2, Status_2 >= 0))\n\t\t{\n\t\t\tif (LdrControlFlowGuardEnforcedWithExportSuppression())\n\t\t\t{\n\t\t\t\tStatus_3 = LdrpUnsuppressAddressTakenIat(DllEntry->DllBase, 0i64, 0i64);\n\t\t\t\tStatus = Status_3;\n\t\t\t\tif (Status_3 < 0)\n\t\t\t\t{\n\t\t\t\t\tStatus_4 = Status_3;\n\t\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 583, \"LdrpDoPostSnapWork\", 0, \"LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based a\"\"t 0x%p.Status = 0x%x\\n\", DllEntry->DllBase, Status_4); )\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn Status;\n\t\t}\n\t}\n\treturn Status_2;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllRetry(PLDRP_LOAD_CONTEXT LoadContext)\n{\n\t// TO DO.\n\n\treturn STATUS_SUCCESS;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllFullPath(PLDRP_LOAD_CONTEXT LoadContext) // CHECKED.\n{\n\tNTSTATUS Status;\n\t\n\t//LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n\tLDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\n\tLDRP_FILENAME_BUFFER FileNameBuffer;\t\n\n\tFileNameBuffer.pFileName.Buffer = FileNameBuffer.FileName;\n\tFileNameBuffer.pFileName.Length = 0;\n\tFileNameBuffer.pFileName.MaximumLength = MAX_PATH - 4;\n\tFileNameBuffer.FileName[0] = 0;\n\n\t// Sets the according members of the DllEntry\n\tStatus = LdrpResolveDllName(LoadContext, &FileNameBuffer, &DllEntry->BaseDllName, &DllEntry->FullDllName, LoadContext->Flags);\n\tdo\n\t{\n\t\tif (LoadContext->UnknownPtr)\n\t\t{\n\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\tbreak;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStatus = LdrpAppCompatRedirect(LoadContext, &DllEntry->FullDllName, &DllEntry->BaseDllName, &FileNameBuffer, Status);\n\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\tbreak;\n\n\t\t\t// Hashes the dll name\n\t\t\tULONG BaseDllNameHash = LdrpHashUnicodeString(&DllEntry->BaseDllName);\n\t\t\tDllEntry->BaseNameHashValue = BaseDllNameHash;\n\n\t\t\tLDR_DATA_TABLE_ENTRY* LoadedDll = nullptr;\n\n\t\t\t// Most likely checks if the dll was already mapped/loaded.\n\t\t\tLdrpFindExistingModule(&DllEntry->BaseDllName, &DllEntry->FullDllName, LoadContext->Flags, BaseDllNameHash, &LoadedDll);\n\t\t\tif (LoadedDll)\n\t\t\t{\n\t\t\t\tLdrpLoadContextReplaceModule(LoadContext, LoadedDll);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\t// After this function the dll is mapped.\n\t\tStatus = fLdrpMapDllNtFileName(LoadContext, &FileNameBuffer);\n\t\tif (Status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH)\n\t\t\tStatus = STATUS_INVALID_IMAGE_FORMAT;\n\t} while (FALSE);\n\n\tif (FileNameBuffer.FileName != FileNameBuffer.pFileName.Buffer)\n\t\tNtdllpFreeStringRoutine(FileNameBuffer.pFileName.Buffer);\n\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllSearchPath(PLDRP_LOAD_CONTEXT LoadContext)\n{\n\tNTSTATUS Status;\n\n\tUINT_PTR DependentLoadFlags;\n\tLDR_UNKSTRUCT* UnkStruct;\n\tULONG Flags;\n\t\t\n\tLDR_UNKSTRUCT DllPath;\n\n\tLDRP_FILENAME_BUFFER DllNameResolved;\n\tDllNameResolved.pFileName.Buffer = DllNameResolved.FileName;\n\tDllNameResolved.pFileName.Length = 0;\n\tDllNameResolved.pFileName.MaximumLength = MAX_PATH - 4;\n\tDllNameResolved.FileName[0] = 0;\n\n\tLDR_UNKSTRUCT3 UnkStruct3;\n\tmemset(&UnkStruct3, 0, sizeof(UnkStruct3));\n\tUNICODE_STRING ReturnPath = {};\n\n\tLDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n\tLDR_DATA_TABLE_ENTRY* LdrEntry = LoadContext->Entry;\n\tLDR_DATA_TABLE_ENTRY* LdrEntry2 = nullptr;\n\tdo\n\t{\n\t\tif (LdrEntry && (DependentLoadFlags = LdrEntry->DependentLoadFlags, (((*LdrpPolicyBits & 4) != 0 ? 0x7F00 : 0x7B00) & (ULONG)DependentLoadFlags) != 0))\n\t\t{\n\t\t\tLdrpInitializeDllPath(LdrEntry->FullDllName.Buffer, (PWSTR)(DependentLoadFlags & ((-(__int64)((*LdrpPolicyBits & 4) != 0) & 0x400) + 0x7B00) | 1), &DllPath);\n\t\t\tUnkStruct = &DllPath;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tLdrpInitializeDllPath(nullptr, nullptr, &DllPath);\n\t\t\tUnkStruct = LoadContext->UnkStruct;\n\t\t}\n\n\t\tBOOL SomeCheck;\n\t\tBOOLEAN JumpOut = FALSE;\n\t\twhile (TRUE)\n\t\t{\n\t\t\tUNICODE_STRING BaseDllName;\n\n\t\t\tBOOL a8 = FALSE;\n\t\t\tFlags = LoadContext->Flags >> 3;\n\t\t\tFlags = (LoadContext->Flags & 8) != 0;\n\t\t\tStatus = LdrpSearchPath(LoadContext, UnkStruct, Flags, &ReturnPath, &DllNameResolved, &BaseDllName, &UnkStruct3.String, &a8, &UnkStruct3);\n\t\t\tif (a8)\n\t\t\t\tDllEntry->Flags |= PackagedBinary;\n\n\t\t\tif (Status == STATUS_DLL_NOT_FOUND)\n\t\t\t\tbreak;\n\n\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t{\n\t\t\t\tJumpOut = TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\tCHECK_LOADCONTEXT:\n\t\t\tSomeCheck = TRUE;\n\t\t\tif (!LoadContext->UnknownPtr)\n\t\t\t{\n\t\t\t\tStatus = LdrpAppCompatRedirect(LoadContext, &UnkStruct3.String, &BaseDllName, &DllNameResolved, Status);\n\t\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\t{\n\t\t\t\t\tJumpOut = TRUE;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\n\t\t\t\tif ((LoadContext->Flags & 0x10000) != 0)\n\t\t\t\t\tUnkStruct3.Flags |= PackagedBinary;\n\n\t\t\t\tULONG DllNameHash = LdrpHashUnicodeString(&BaseDllName);\n\t\t\t\tDllEntry->BaseNameHashValue = DllNameHash;\n\t\t\t\tStatus = LdrpFindExistingModule(&BaseDllName, &UnkStruct3.String, LoadContext->Flags, DllNameHash, &LdrEntry2);\n\t\t\t\tif (Status != STATUS_DLL_NOT_FOUND)\n\t\t\t\t{\n\t\t\t\t\tJumpOut = TRUE;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tLdrpFreeUnicodeString(&DllEntry->FullDllName);\n\t\t\tDllEntry->FullDllName = UnkStruct3.String;\n\t\t\tDllEntry->BaseDllName = BaseDllName;\n\t\t\tUnkStruct3.String = {};\n\t\t\tStatus = fLdrpMapDllNtFileName(LoadContext, &DllNameResolved);\n\n\t\t\tif (Status != STATUS_IMAGE_MACHINE_TYPE_MISMATCH)\n\t\t\t{\n\t\t\t\tJumpOut = TRUE;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tif (DllNameResolved.FileName != DllNameResolved.pFileName.Buffer)\n\t\t\t\tNtdllpFreeStringRoutine(DllNameResolved.pFileName.Buffer);\n\n\t\t\tDllNameResolved.pFileName.Length = 0;\n\t\t\tDllNameResolved.pFileName.MaximumLength = MAX_PATH - 4;\n\t\t\tDllNameResolved.pFileName.Buffer = DllNameResolved.FileName;\n\t\t\tDllNameResolved.FileName[0] = 0;\n\t\t}\n\n\t\tif (JumpOut)\n\t\t\tbreak;\n\n\t\tif (!SomeCheck)\n\t\t\tgoto CHECK_LOADCONTEXT;\n\n\t\tStatus = STATUS_INVALID_IMAGE_FORMAT;\n\t} while (FALSE);\n\n\tif (LdrEntry2)\n\t{\n\t\tLdrpLoadContextReplaceModule(LoadContext, LdrEntry2);\n\t}\n\telse if (LdrpIsSecurityEtwLoggingEnabled())\n\t{\n\t\tLdrpLogEtwDllSearchResults(UnkStruct3.Flags, LoadContext);\n\t}\n\tif (DllNameResolved.FileName != DllNameResolved.pFileName.Buffer)\n\t\tNtdllpFreeStringRoutine(DllNameResolved.pFileName.Buffer);\n\n\tDllNameResolved.pFileName.Length = 0;\n\tDllNameResolved.pFileName.MaximumLength = MAX_PATH - 4;\n\tDllNameResolved.pFileName.Buffer = DllNameResolved.FileName;\n\tDllNameResolved.FileName[0] = 0;\n\tLdrpFreeUnicodeString(&UnkStruct3.String);\n\tif (DllPath.IsInitedMaybe)\n\t\tRtlReleasePath(DllPath.pInitNameMaybe);\n\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllNtFileName(PLDRP_LOAD_CONTEXT LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer) // CHECKED.\n{\n\tNTSTATUS Status;\n\n\t//LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n\tLDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\tINT64 UnknownPtr = LoadContext->UnknownPtr;\n\tLONG Unknown = 0;\n\tif (LdrpCheckForRetryLoading(LoadContext, 0))\n\t\treturn STATUS_RETRY;\n\n\tPUNICODE_STRING FullDllName = &DllEntry->FullDllName;\n\tWID_HIDDEN( LdrpLogDllState((UINT_PTR)DllEntry->DllBase, &DllEntry->FullDllName, 0x14A5); )\n\t//OBJ_CASE_INSENSITIVE \n\tULONG ObjAttributes = OBJ_CASE_INSENSITIVE;\n\tif (!*LdrpUseImpersonatedDeviceMap)\n\t\tObjAttributes = (OBJ_IGNORE_IMPERSONATED_DEVICEMAP | OBJ_CASE_INSENSITIVE);\n\n\tOBJECT_ATTRIBUTES ObjectAttributes;\n\tObjectAttributes.Length = 0x30;\n\tObjectAttributes.RootDirectory = 0;\n\tObjectAttributes.Attributes = ObjAttributes;\n\tObjectAttributes.ObjectName = &FileNameBuffer->pFileName;\n\tObjectAttributes.SecurityDescriptor = 0;\n\tObjectAttributes.SecurityQualityOfService = 0;\n\n\tPCHAR NtPathStuff = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2];\n\tPCHAR Unknown2 = 0;\n\tif (RtlGetCurrentServiceSessionId())\n\t\tUnknown2 = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253];\n\telse\n\t\tUnknown2 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2];\n\n\tPCHAR NtPathStuff2 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n\tif (*Unknown2 && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled))\n\t{\n\t\t//: (char*)0x7FFE0385;\n\t\tPCHAR NtPathStuff3 = RtlGetCurrentServiceSessionId() ? (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1 : (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n\t\t\t\n\t\t// 0x20 is SPACE char\n\t\tif ((*NtPathStuff3 & ' '))\n\t\t\tLdrpLogEtwEvent(0x1485, -1, 0xFFu, 0xFFu);\n\t}\n\n\t// SYSTEM_FLAGS_INFORMATION\n\tif ((NtCurrentPeb()->NtGlobalFlag & FLG_ENABLE_KDEBUG_SYMBOL_LOAD))\n\t{\n\t\tWID_HIDDEN( ZwSystemDebugControl(); )\n\t}\n\n\tHANDLE FileHandle;\n\twhile (TRUE)\n\t{\t\n\t\tIO_STATUS_BLOCK IoStatusBlock;\t\n\t\tStatus = NtOpenFile(&FileHandle, SYNCHRONIZE | FILE_TRAVERSE | FILE_LIST_DIRECTORY, &ObjectAttributes, &IoStatusBlock, 5, 0x60);\n\t\tif (NT_SUCCESS(Status))\n\t\t\tbreak;\n\n\t\tif (Status == STATUS_OBJECT_NAME_NOT_FOUND || Status == STATUS_OBJECT_PATH_NOT_FOUND)\n\t\t\treturn STATUS_DLL_NOT_FOUND;\n\n\t\tif (Status != STATUS_ACCESS_DENIED || Unknown || !LdrpCheckComponentOnDemandEtwEvent(LoadContext))\n\t\t\treturn Status;\n\n\t\tUnknown = TRUE;\n\t}\n\n\tULONG SigningLevel;\n\tULONG AllocationAttributes = 0;\n\tif\t(*LdrpAuditIntegrityContinuity && (Status = LdrpValidateIntegrityContinuity(LoadContext, FileHandle), !NT_SUCCESS(Status)) && *LdrpEnforceIntegrityContinuity || \n\t\t(AllocationAttributes = MEM_IMAGE, (LoadContext->Flags & MEM_IMAGE)) && (NtCurrentPeb()->BitField & IsPackagedProcess) == 0 &&\n\t // (Status = LdrpSetModuleSigningLevel(FileHandle, (PLDR_DATA_TABLE_ENTRY)LoadContext->WorkQueueListEntry.Flink, &SigningLevel, 8), !NT_SUCCESS(Status)))\n\t\t(Status = LdrpSetModuleSigningLevel(FileHandle, CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks), &SigningLevel, 8), !NT_SUCCESS(Status)))\n\t{\n\t\tNtClose(FileHandle);\n\t\treturn Status;\n\t}\n\n\tif (*UseWOW64 && (LoadContext->Flags & 0x800) == 0)\n\t\tAllocationAttributes = MEM_IMAGE | MEM_TOP_DOWN;\n\n\tHANDLE SectionHandle;\n\tStatus = NtCreateSection(&SectionHandle, SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE, 0, 0, PAGE_EXECUTE, AllocationAttributes, FileHandle);\n\tif (!NT_SUCCESS(Status))\n\t{\n\t\tif (Status == STATUS_NEEDS_REMEDIATION || (Status + 0x3FFFFB82) <= 1)\n\t\t{\n\t\t\tStatus = LdrAppxHandleIntegrityFailure(Status);\n\t\t}\n\t\telse if (Status != STATUS_NO_MEMORY && Status != STATUS_INSUFFICIENT_RESOURCES && Status != STATUS_COMMITMENT_LIMIT)\n\t\t{\n\t\t\tLDR_UNKSTRUCT2 NtHardParameters;\n\t\t\tNtHardParameters.Name = FullDllName;\n\t\t\tNtHardParameters.Status = Status;\n\t\t\t// Semi-documented in http://undocumented.ntinternals.net/\n\t\t\tHARDERROR_RESPONSE Response;\n\t\t\tif (NT_SUCCESS(NtRaiseHardError(STATUS_INVALID_IMAGE_FORMAT, 2, 1, (INT*)&NtHardParameters, OptionOk, &Response)) && *LdrInitState != 3)\n\t\t\t{\n\t\t\t\t++(*LdrpFatalHardErrorCount);\n\t\t\t}\n\t\t}\n\t\tWID_HIDDEN( LdrpLogError(Status, 0x1485u, 0, FullDllName); )\n\t\tNtClose(FileHandle);\n\t\treturn Status;\n\t}\n\tif (RtlGetCurrentServiceSessionId())\n\t\tNtPathStuff = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253];\n\tif (*NtPathStuff && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0)\n\t{\n\t\tif (RtlGetCurrentServiceSessionId())\n\t\t\tNtPathStuff2 = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1;\n\n\t\t// 0x20 is SPACE char.\n\t\tif ((*NtPathStuff2 & ' ') != 0)\n\t\t\tWID_HIDDEN( LdrpLogEtwEvent(0x1486, -1, 0xFFu, 0xFFu); )\n\t}\n\tif (!*UseWOW64 && (LoadContext->Flags & 0x100) == 0 && (Status = LdrpCodeAuthzCheckDllAllowed(FileNameBuffer, FileHandle), NT_SUCCESS((LONG)(Status + 0x80000000))) && Status != STATUS_NOT_FOUND || (Status = fLdrpMapDllWithSectionHandle(LoadContext, SectionHandle), !UnknownPtr) || !NT_SUCCESS(Status))\n\t{\n\t\tNtClose(SectionHandle);\n\t\tNtClose(FileHandle);\n\t\treturn Status;\n\t}\n\tLoadContext->FileHandle = FileHandle;\n\tLoadContext->SectionHandle = SectionHandle;\n\treturn Status;\n}\n\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllWithSectionHandle(PLDRP_LOAD_CONTEXT LoadContext, HANDLE SectionHandle) // CHECKED.\n{\n\tNTSTATUS Status;\n\tNTSTATUS Status2;\n\tNTSTATUS Status3;\n\tNTSTATUS Status4;\n\t\t\n\tint v19[14];\n\n\tLDR_DATA_TABLE_ENTRY* LdrEntry2;\n\n\t// Mapping mechanism.\n\tStatus = fLdrpMinimalMapModule(LoadContext, SectionHandle);\n\tStatus2 = Status;\n\tif (Status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH)\n\t\treturn Status2;\n\n\tif (!NT_SUCCESS(Status))\n\t\treturn Status2;\n\n\t//LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n\tLDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\tSIZE_T Size = LoadContext->Size;\n\tLDR_DATA_TABLE_ENTRY* LdrEntry = nullptr;\n\tStatus3 = Status;\n\n\tPIMAGE_NT_HEADERS OutHeaders;\n\tStatus2 = RtlImageNtHeaderEx(0, DllEntry->DllBase, Size, &OutHeaders);\n\tif (!NT_SUCCESS(Status2))\n\t\treturn Status2;\n\n\tif (LoadContext->Flags & SEC_FILE)\n\t{\n\t\tStatus3 = STATUS_SUCCESS;\n\t\tDllEntry->TimeDateStamp = OutHeaders->FileHeader.TimeDateStamp;\n\t\tDllEntry->CheckSum = OutHeaders->OptionalHeader.CheckSum;\n\t\tDllEntry->SizeOfImage = OutHeaders->OptionalHeader.SizeOfImage;\n\t}\n\telse\n\t{\n\t\tRtlAcquireSRWLockExclusive(LdrpModuleDatatableLock);\n\t\tUINT_PTR Flags = (LoadContext->Flags) & UINT_MAX;\n\t\tPUNICODE_STRING FullDllName_2 = 0;\n\t\tif ((Flags & 0x20) == 0)\n\t\t\tFullDllName_2 = &DllEntry->FullDllName;\n\n\n\t\t// Returns STATUS_DLL_NOT_FOUND is normal situations.\n\t\tStatus4 = LdrpFindLoadedDllByNameLockHeld(&DllEntry->BaseDllName, FullDllName_2, Flags, &LdrEntry, DllEntry->BaseNameHashValue);\n\t\tif (Status4 == STATUS_DLL_NOT_FOUND)\n\t\t{\n\t\t\tPIMAGE_DOS_HEADER DllBase = DllEntry->DllBase;\n\t\t\tv19[0] = OutHeaders->FileHeader.TimeDateStamp;\n\t\t\tv19[1] = OutHeaders->OptionalHeader.SizeOfImage;\n\t\t\tLdrpFindLoadedDllByMappingLockHeld(DllBase, OutHeaders, (ULONG*)v19, &LdrEntry);\n\t\t}\n\n\t\tif (!LdrEntry)\n\t\t{\n\t\t\tLdrpInsertDataTableEntry(DllEntry);\n\t\t\tLdrpInsertModuleToIndexLockHeld(DllEntry, OutHeaders);\n\t\t}\n\n\t\tRtlReleaseSRWLockExclusive(LdrpModuleDatatableLock);\n\t\tif (LdrEntry)\n\t\t{\n\t\t\tif (DllEntry->LoadReason != LoadReasonPatchImage || LdrEntry->LoadReason == LoadReasonPatchImage)\n\t\t\t{\n\t\t\t\tLdrpLoadContextReplaceModule(LoadContext, LdrEntry);\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tStatus2 = STATUS_IMAGE_LOADED_AS_PATCH_IMAGE;\n\t\t\t\tWID_HIDDEN( LdrpLogEtwHotPatchStatus(&(*LdrpImageEntry)->BaseDllName, LoadContext->Entry, &DllEntry->FullDllName, STATUS_IMAGE_LOADED_AS_PATCH_IMAGE, 3); )\n\t\t\t\tLdrpDereferenceModule(LdrEntry);\n\t\t\t}\n\t\t\treturn Status2;\n\t\t}\n\t}\n\tif (*qword_17E238 == NtCurrentTeb()->ClientId.UniqueThread)\n\t\treturn STATUS_NOT_FOUND;\n\n\tStatus2 = fLdrpCompleteMapModule(LoadContext, OutHeaders, Status3);\n\tif (NT_SUCCESS(Status2))\n\t{\n\t\tStatus2 = fLdrpProcessMappedModule(DllEntry, LoadContext->Flags & UINT_MAX, 1);\n\t\tif (NT_SUCCESS(Status2))\n\t\t{\n\t\t\tWID_HIDDEN( LdrpLogNewDllLoad(LoadContext->Entry, DllEntry); )\n\t\t\tLdrEntry2 = LoadContext->Entry;\n\t\t\tif (LdrEntry2)\n\t\t\t\tDllEntry->ParentDllBase = LdrEntry2->DllBase;\n\n\t\t\tBOOLEAN DllBasesEqual = FALSE;\n\t\t\tif (DllEntry->LoadReason == LoadReasonPatchImage && *LdrpImageEntry)\n\t\t\t\tDllBasesEqual = DllEntry->ParentDllBase == (*LdrpImageEntry)->DllBase;\n\n\t\t\tif ((LoadContext->Flags & SEC_FILE) || (DllEntry->FlagGroup[0] & ImageDll) || DllBasesEqual)\n\t\t\t{\n\t\t\t\tif ((DllEntry->Flags & CorILOnly))\n\t\t\t\t{\n\t\t\t\t\treturn fLdrpCorProcessImports(DllEntry);\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tfLdrpMapAndSnapDependency(LoadContext);\n\t\t\t\t\treturn *LoadContext->pStatus;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tWID_HIDDEN( LdrpLogDllState((UINT_PTR)DllEntry->DllBase, &DllEntry->FullDllName, 0x14AEu); )\n\t\t\t\tStatus2 = STATUS_SUCCESS;\n\t\t\t\tDllEntry->DdagNode->State = LdrModulesReadyToRun;\n\t\t\t}\n\t\t}\n\t}\n\n\treturn Status2;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMinimalMapModule(PLDRP_LOAD_CONTEXT LoadContext, HANDLE SectionHandle)\n{\n\tNTSTATUS Status;\n\n\tBOOLEAN UnknownBool;\n\tint Flags;\n\tint Flags2;\n\tULONG ProtectFlags;\n\twchar_t* Buffer;\n\tMEM_EXTENDED_PARAMETER MemExtendedParam;\n\t\n\tvoid* Data;\n\n\tLDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\n\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrmap.c\", 0x2BC, \"LdrpMinimalMapModule\", 3u, \"DLL name: %wZ\\n\", &DllEntry->FullDllName); )\n\tif (!RtlEqualUnicodeString(&DllEntry->BaseDllName, LdrpKernel32DllName, TRUE) || (UnknownBool = 1, (*((BYTE*)*LdrpAppHeaders + 0x16) & 0x20) == 0))\n\t{\n\t\tUnknownBool = 0;\n\t}\n\tPVOID ReturnedState = nullptr;\n\tFlags = DontRelocate;\n\tif (!UnknownBool)\n\t{\n\t\tif (*LdrpLargePageDllKeyHandle)\n\t\t{\n\t\t\tBuffer = DllEntry->BaseDllName.Buffer;\n\t\t\tData = 0;\n\t\t\tRtlQueryImageFileKeyOption(*LdrpLargePageDllKeyHandle, Buffer, 4, &Data, 4, 0);\n\t\t\tif ((DWORD)Data)\n\t\t\t{\n\t\t\t\tif (NT_SUCCESS(RtlAcquirePrivilege(*LdrpLockMemoryPrivilege, 1, 0, &ReturnedState)))\n\t\t\t\t\tFlags = 0x20000000;\n\t\t\t}\n\t\t}\n\t}\n\n\tTEB* TEB = NtCurrentTeb();\n\tLoadContext->Size = 0;\n\tData = TEB->NtTib.ArbitraryUserPointer;\n\tTEB->NtTib.ArbitraryUserPointer = DllEntry->FullDllName.Buffer;\n\n\tULONG64 MaxUsermodeAddress;\n\n\tProtectFlags = (LoadContext->Flags & SEC_LINKER_CREATED) != 0 ? PAGE_READONLY : PAGE_EXECUTE_WRITECOPY;\n\tFlags2 = Flags | DontCallForThreads;\n\tif ((LoadContext->Flags & SEC_LINKER_CREATED) == 0)\n\t\tFlags2 = Flags;\n\tif ((LoadContext->Flags & SEC_COFF_SHARED_LIBRARY) != 0)\n\t{\n\t\tMaxUsermodeAddress = *LdrpMaximumUserModeAddress;\n\t\tMemExtendedParam.Handle = 0;\n\t\tMemExtendedParam.Pointer = &MemExtendedParam.Handle;\n\t\tMemExtendedParam.Type = 1;\n\t\tStatus = ZwMapViewOfSectionEx(SectionHandle, (HANDLE)-1, &DllEntry->DllBase, 0, (PULONG)&LoadContext->Size, Flags2, ProtectFlags, &MemExtendedParam, 1);\n\t}\n\telse\n\t{ \n\t\t// R9 register isn't used by the function (or I couldn't see) but it must be passed anyways so I did.\n\t\t// After this function our dll is mapped, DllEntry->DllBase receives the base address.\n\t\tStatus = fLdrpMapViewOfSection(SectionHandle, ProtectFlags, &DllEntry->DllBase, 0x4B, (PULONG)&LoadContext->Size, Flags2, ProtectFlags, &DllEntry->FullDllName);\n\t}\n\n\tTEB->NtTib.ArbitraryUserPointer = Data;\n\tif (Flags2 == 0x20000000)\n\t\tRtlReleasePrivilege(ReturnedState);\n\n\tswitch (Status)\n\t{\n\tcase STATUS_IMAGE_MACHINE_TYPE_MISMATCH: \n\t\tStatus = LdrpProcessMachineMismatch(LoadContext);\n\t\tbreak;\n\tcase STATUS_IMAGE_NOT_AT_BASE:\n\tcase STATUS_IMAGE_AT_DIFFERENT_BASE:\n\t\tif (!LoadContext->UnknownPtr && *LdrpMapAndSnapWork)\n\t\t{\n\t\t\tif (LdrpCheckForRetryLoading(LoadContext, TRUE))\n\t\t\t{\n\t\t\t\tStatus = STATUS_RETRY;\n\t\t\t}\n\t\t\telse if (UnknownBool)\n\t\t\t{\n\t\t\t\tStatus = STATUS_CONFLICTING_ADDRESSES;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\t}\n\n\tif (DllEntry->DllBase && (!NT_SUCCESS(Status) || Status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH))\n\t{\n\t\tNtUnmapViewOfSection((HANDLE)-1, DllEntry->DllBase);\n\t\tDllEntry->DllBase = 0;\n\t}\n\n\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrmap.c\", 0x38D, \"LdrpMinimalMapModule\", 4, \"Status: 0x%08lx\\n\", Status); )\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapViewOfSection(HANDLE SectionHandle, ULONG ProtectFlags, PIMAGE_DOS_HEADER* BaseAddress, DWORD Unknown, PULONG ViewSize, ULONG AllocationType, ULONG Win32Protect, PUNICODE_STRING FullDllName)\n{\n\tMEM_EXTENDED_PARAMETER MemExtendedParam; // [rsp+50h] [rbp-18h] BYREF\n\n\t// I believe this check is to seperate between Windows dlls and user-made dlls. Goes in if User-made dll.\n\tif (!LdrpHpatAllocationOptOut(FullDllName))\n\t\treturn ZwMapViewOfSection(SectionHandle, (HANDLE)-1, BaseAddress, 0, 0, 0, ViewSize, ViewShare, AllocationType, Win32Protect);\n\t// Windows dlls.\n\tMemExtendedParam.Type = 5;\n\tMemExtendedParam.Pointer = (PHANDLE)128;\n\treturn ZwMapViewOfSectionEx(SectionHandle, (HANDLE)-1, BaseAddress, 0, ViewSize, AllocationType, Win32Protect, &MemExtendedParam, 1);\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpCompleteMapModule(PLDRP_LOAD_CONTEXT LoadContext, PIMAGE_NT_HEADERS OutHeaders, NTSTATUS Status)\n{\n\tNTSTATUS ReturnStatus = STATUS_SUCCESS;\n\tNTSTATUS ReturnStatus2;\n\t\n\t//LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink;\n\tLDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\tPIMAGE_DOS_HEADER DllBase = DllEntry->DllBase;\n\n\tPIMAGE_COR20_HEADER CorHeader = nullptr; \n\tULONG64 LastRVASection = 0;\n\tReturnStatus2 = RtlpImageDirectoryEntryToDataEx(DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &LastRVASection, &CorHeader);\n\tif (!NT_SUCCESS(ReturnStatus2))\n\t\tCorHeader = 0;\n\n\tBOOLEAN JumpIn = FALSE;\n\tif (!CorHeader)\n\t\tJumpIn = TRUE;\n\n\tDWORD NewDllFlags = 0;\n\tif (!JumpIn)\n\t{\n\t\tif ((LoadContext->Flags & SEC_LINKER_CREATED) != 0)\n\t\t\treturn STATUS_INVALID_IMAGE_FORMAT;\n\n\t\tNewDllFlags = DllEntry->Flags | CorImage;\n\t\tDllEntry->Flags = NewDllFlags;\n\t}\n\tif (JumpIn || ((CorHeader->Flags & 1) == 0 || (DllEntry->Flags = NewDllFlags | CorILOnly, ReturnStatus = LdrpCorValidateImage(DllBase), (NT_SUCCESS(ReturnStatus))\n\t\t&& ((LoadContext->Flags & SEC_LINK_DUPLICATES_ONE_ONLY) == 0 || (ReturnStatus = LdrpCorFixupImage(DllBase), NT_SUCCESS(ReturnStatus))))))\n\t{\n\t\tif ((OutHeaders->FileHeader.Characteristics & IMAGE_FILE_DLL) != 0)\n\t\t{\n\t\t\tif (NT_SUCCESS(*(BYTE*)&(LoadContext->Flags)) || !NT_SUCCESS(*(BYTE*)&(OutHeaders->OptionalHeader.DllCharacteristics)))\n\t\t\t{\n\t\t\t\tif ((DllEntry->Flags & CorILOnly) == 0 && (Status == STATUS_IMAGE_NOT_AT_BASE || Status == STATUS_IMAGE_AT_DIFFERENT_BASE))\n\t\t\t\t{\n\t\t\t\t\tchar* UMGlobalLogger = (char*)&kUserSharedData->UserModeGlobalLogger[2];\n\t\t\t\t\tchar* UMGlobalLogger_2 = nullptr;\n\t\t\t\t\tchar* UMGlobalLoggerP1 = nullptr;\n\t\t\t\t\tchar* UMGlobalLoggerP1_2 = nullptr;\n\n\t\t\t\t\tif (RtlGetCurrentServiceSessionId())\n\t\t\t\t\t\tUMGlobalLogger_2 = (char*)NtCurrentPeb()->SharedData + 0x22A;\n\t\t\t\t\telse\n\t\t\t\t\t\tUMGlobalLogger_2 = (char*)&kUserSharedData->UserModeGlobalLogger[2];\n\n\t\t\t\t\tUMGlobalLoggerP1 = (char*)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n\t\t\t\t\tif (*(BYTE*)UMGlobalLogger_2 && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0)\n\t\t\t\t\t{\n\t\t\t\t\t\tUMGlobalLoggerP1_2 = RtlGetCurrentServiceSessionId() ? (char*)NtCurrentPeb()->SharedData + 0x22B : (char*)UMGlobalLoggerP1;\n\n\t\t\t\t\t\t// 0x20 is space char.\n\t\t\t\t\t\tif ((*UMGlobalLoggerP1_2 & ' ') != 0)\n\t\t\t\t\t\t\tWID_HIDDEN( LdrpLogEtwEvent(0x1490u, (ULONGLONG)DllBase, 0xFFu, 0xFFu); )\n\t\t\t\t\t}\n\n\t\t\t\t\tif (Status == STATUS_IMAGE_NOT_AT_BASE && (ReturnStatus = fLdrpRelocateImage(DllEntry->DllBase, LoadContext->Size, OutHeaders, &DllEntry->FullDllName), !NT_SUCCESS(ReturnStatus)))\n\t\t\t\t\t{\n\t\t\t\t\t\tWID_HIDDEN( LdrpLogError(ReturnStatus, 0x1490u, 0, &DllEntry->FullDllName); )\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\tif (RtlGetCurrentServiceSessionId())\n\t\t\t\t\t\t\tUMGlobalLogger = (char*)NtCurrentPeb()->SharedData + 0x22A;\n\n\t\t\t\t\t\tif (*(BYTE*)UMGlobalLogger && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tif (RtlGetCurrentServiceSessionId())\n\t\t\t\t\t\t\t\tUMGlobalLoggerP1 = (char*)NtCurrentPeb()->SharedData + 0x22B;\n\n\t\t\t\t\t\t\t// 0x20 is space char.\n\t\t\t\t\t\t\tif ((*(BYTE*)UMGlobalLoggerP1 & ' ') != 0)\n\t\t\t\t\t\t\t\tWID_HIDDEN( LdrpLogEtwEvent(0x1491u, (ULONGLONG)DllBase, 0xFFu, 0xFFu); )\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrmap.c\", 1009, \"LdrpCompleteMapModule\", 0, \"Could not validate the crypto signature for DLL %wZ\\n\", &DllEntry->FullDllName); )\n\t\t\t\treturn STATUS_INVALID_IMAGE_HASH;\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\tDllEntry->Flags &= ~ImageDll;\n\t\t}\n\t}\n\treturn ReturnStatus;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpRelocateImage(PIMAGE_DOS_HEADER DllBase, SIZE_T Size, PIMAGE_NT_HEADERS OutHeaders, PUNICODE_STRING FullDllName)\n{\n\tNTSTATUS Status;\n\t\n\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrmap.c\", 0x164, \"LdrpRelocateImage\", 3, \"DLL name: %wZ\\n\", FullDllName); )\n\n\tStatus = STATUS_SUCCESS;\n\n\t// To delete goto.\n\tBOOLEAN PassOver = FALSE;\n\tif ((OutHeaders->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED) != 0)\n\t\tPassOver = TRUE;\n\n\tUINT_PTR LastRVASection;\n\tPIMAGE_BASE_RELOCATION BaseReloc;\n\tif (!PassOver)\n\t{\n\t\tStatus = RtlpImageDirectoryEntryToDataEx(DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &LastRVASection, (PVOID*)&BaseReloc);\n\t\tif (!NT_SUCCESS(Status))\n\t\t\tBaseReloc = 0;\n\t}\n\tif (PassOver || (BaseReloc && (DWORD)LastRVASection))\n\t{\n\t\tif (!LdrpIsILOnlyImage(DllBase))\n\t\t{\n\t\t\tWID_HIDDEN( LdrpLogDllRelocationEtwEvent(FullDllName, OutHeaders->OptionalHeader.ImageBase, DllBase, Size); )\n\t\t\tStatus = fLdrpProtectAndRelocateImage(DllBase, Size, OutHeaders);\n\t\t}\n\t}\n\n\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrmap.c\", 396, \"LdrpRelocateImage\", 4u, \"Status: 0x%08lx\\n\", Status); )\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpProtectAndRelocateImage(PIMAGE_DOS_HEADER DllBase, SIZE_T Size, PIMAGE_NT_HEADERS OutHeader)\n{\n\tNTSTATUS Status;\n\n\tdo\n\t{\n\t\tBOOLEAN DoNotRelocate = FALSE;\n\n\t\t// The DOS header receives memory information.\n\t\tMEMORY_WORKING_SET_EX_INFORMATION MemoryWorkingSetExInfo;\n\t\tMemoryWorkingSetExInfo.VirtualAddress = DllBase;\n\t\tStatus = ZwQueryVirtualMemory((HANDLE)-1, 0, MemoryWorkingSetExInformation, &MemoryWorkingSetExInfo, 0x10, 0);\n\t\tif (!NT_SUCCESS(Status))\n\t\t{\n\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x7BC, \"LdrpProtectAndRelocateImage\", 0, \"Querying large page info failed with status 0x%08lx\\n\", Status); )\n\t\t}\n\t\telse if ((MemoryWorkingSetExInfo.u1.Long & PackagedBinary) != 0)\n\t\t{\n\t\t\tDoNotRelocate = (MemoryWorkingSetExInfo.u1.Long & DontRelocate) != 0;\n\t\t}\n\n\t\tif (!DontRelocate)\n\t\t{\n\t\t\tStatus = fLdrpSetProtection(DllBase, FALSE);\n\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t{\n\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x7C6, \"LdrpProtectAndRelocateImage\", 0, \"Changing the protection of the executable at %p failed with status 0x%08lx\\n\", DllBase, Status); )\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tStatus = fLdrRelocateImageWithBias(DllBase, Size, OutHeader);\n\t\tif (NT_SUCCESS(Status) && !DontRelocate)\n\t\t{\n\t\t\tStatus = fLdrpSetProtection(DllBase, TRUE);\n\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t{\n\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x7DE, \"LdrpProtectAndRelocateImage\", 0, \"Changing the protection of the executable at %p failed with status 0x%08lx\\n\", DllBase, Status); )\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t} while (FALSE);\n\n\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrfind.c\", 0x806, \"LdrpProtectAndRelocateImage\", 4u, \"Status: 0x%08lx\\n\", Status); )\n\treturn Status;\n}\n\nNTSTATUS __fastcall\tLOADLIBRARY::fLdrpSetProtection(PIMAGE_DOS_HEADER DllBase, BOOLEAN Unknown)\n{\n\tNTSTATUS Status;\n\n\tPIMAGE_NT_HEADERS NtHeader;\n\tRtlImageNtHeaderEx(3, DllBase, 0, &NtHeader);\n\tPIMAGE_NT_HEADERS NtHeader_2 = NtHeader;\n\t\n\tif (!NtHeader->FileHeader.NumberOfSections)\n\t\treturn STATUS_SUCCESS;\n\n\tLONG SectionIdx = 0;\n\tfor (PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((char*)&NtHeader->OptionalHeader.AddressOfEntryPoint + NtHeader->FileHeader.SizeOfOptionalHeader); ; ++SectionHeader)\n\t{\n\t\tLONG pRawData = SectionHeader->PointerToRawData;\n\t\tif (pRawData >= 0 && *(DWORD*)SectionHeader->Name)\n\t\t{\n\t\t\tULONG Flags;\n\t\t\tULONG Flags2;\n\t\t\tif (Unknown)\n\t\t\t{\n\t\t\t\t// Reserved (0x2), Reserved (0x10)\n\t\t\t\tFlags = (pRawData & IMAGE_SCN_MEM_EXECUTE) != 0 ? ((pRawData & IMAGE_SCN_MEM_READ) != 0 ? IMAGE_SCN_CNT_CODE : 0x10) : 2;\n\t\t\t\tFlags2 = Flags | IMAGE_SCN_LNK_INFO;\n\t\t\t\tif ((pRawData & IMAGE_SCN_MEM_NOT_CACHED) == 0)\n\t\t\t\t\tFlags2 = Flags;\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t// Reserved (0x4)\n\t\t\t\tFlags2 = 4;\n\t\t\t}\n\t\t\tPVOID BaseAddress[6];\n\t\t\tBaseAddress[0] = (char*)DllBase + SectionHeader[-1].Characteristics;\n\t\t\tULONG64 NumberOfBytesToProtect = *(unsigned int*)SectionHeader->Name;\n\t\t\tif (NumberOfBytesToProtect)\n\t\t\t{\n\t\t\t\tULONG OldAccessProtection;\n\t\t\t\tStatus = ZwProtectVirtualMemory((HANDLE)-1, BaseAddress, (PULONG)&NumberOfBytesToProtect, Flags2, &OldAccessProtection);\n\t\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (++SectionIdx >= (unsigned int)NtHeader_2->FileHeader.NumberOfSections)\n\t\t\treturn STATUS_SUCCESS;\n\t}\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrRelocateImageWithBias(PIMAGE_DOS_HEADER DllBase, SIZE_T Size, PIMAGE_NT_HEADERS OutHeader)\n{\n\tNTSTATUS Status = STATUS_SUCCESS;\n\t\n\tPIMAGE_NT_HEADERS NtHeader_4;\n\tULONG64 ImageBaseHigh;\n\tNTSTATUS Status_2;\n\tPIMAGE_NT_HEADERS NtHeader_3;\n\tULONG LastRVASection_2;\n\tULONG Machine;\n\tPIMAGE_NT_HEADERS NtHeader_2;\n\n\tNtHeader_2 = OutHeader;\n\tULONG64 LastRVASection = 0;\n\tif (!NT_SUCCESS(RtlImageNtHeaderEx(1, DllBase, 0, &NtHeader_2)))\n\t\treturn STATUS_INVALID_IMAGE_FORMAT;\n\tNtHeader_4 = NtHeader_2;\n\tif (NtHeader_2->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)\n\t{\n\t\tImageBaseHigh = (NtHeader_2->OptionalHeader.ImageBase) & 0xFFFFFFFF00000000;\n\t}\n\telse\n\t{\n\t\tif (NtHeader_2->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)\n\t\t\treturn STATUS_INVALID_IMAGE_FORMAT;\n\t\tImageBaseHigh = NtHeader_2->OptionalHeader.ImageBase;\n\t}\n\n\tStatus_2 = RtlpImageDirectoryEntryToDataEx(DllBase, 1u, IMAGE_DIRECTORY_ENTRY_BASERELOC, &LastRVASection, (PVOID*)&NtHeader_2);\n\tNtHeader_3 = NtHeader_2;\n\tif (!NT_SUCCESS(Status_2))\n\t\tNtHeader_3 = 0;\n\n\tif (!NtHeader_3)\n\t\treturn (NtHeader_4->FileHeader.Characteristics & 1) != 0 ? STATUS_CONFLICTING_ADDRESSES : 0;\n\n\tLastRVASection_2 = LastRVASection;\n\tif (!(DWORD)LastRVASection)\n\t\treturn (NtHeader_4->FileHeader.Characteristics & 1) != 0 ? STATUS_CONFLICTING_ADDRESSES : 0;\n\n\twhile (TRUE)\n\t{\n\t\tMachine = *(DWORD*)&NtHeader_3->FileHeader.Machine;\n\t\tLastRVASection_2 -= Machine;\n\t\tNtHeader_3 = fLdrProcessRelocationBlockLongLong(NtHeader_4->FileHeader.Machine, (LONG)DllBase + NtHeader_3->Signature, (ULONG)(Machine - 8) >> 1, (PIMAGE_NT_HEADERS64)((LONG)NtHeader_3 + 8), (UINT_PTR)DllBase - ImageBaseHigh);\n\t\tif (!NtHeader_3)\n\t\t\tbreak;\n\n\t\tif (!LastRVASection_2)\n\t\t\treturn Status;\n\t}\n\treturn STATUS_INVALID_IMAGE_FORMAT;\n}\n\nPIMAGE_NT_HEADERS __fastcall LOADLIBRARY::fLdrProcessRelocationBlockLongLong(USHORT Machine, ULONG64 Signature, ULONG64 Unknown, PIMAGE_NT_HEADERS64 NtHeader, ULONG64 Unknown2)\n{\n\t// TO DO.\n\n\treturn STATUS_SUCCESS;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpProcessMappedModule(PLDR_DATA_TABLE_ENTRY DllEntry, UINT_PTR Flags, ULONG One)\n{\n\tNTSTATUS Status;\t\n\n\tPIMAGE_DOS_HEADER DllBase = DllEntry->DllBase;\n\n\tPIMAGE_NT_HEADERS OutHeaders;\n\tStatus = RtlImageNtHeaderEx(3, DllBase, 0, &OutHeaders);\n\tif (!NT_SUCCESS(Status))\n\t\treturn Status;\n\n\tPIMAGE_NT_HEADERS OutHeaders_2 = OutHeaders;\n\n\tif ((DllEntry->Flags & (ImageDll | CorILOnly)) == ImageDll && DllEntry->LoadReason != LoadReasonPatchImage)\n\t{\n\t\tPLDR_INIT_ROUTINE EntryPoint = nullptr;\n\t\tif (OutHeaders->OptionalHeader.AddressOfEntryPoint)\n\t\t\tEntryPoint = (PLDR_INIT_ROUTINE)((char*)DllBase + OutHeaders->OptionalHeader.AddressOfEntryPoint);\n\t\telse\n\t\t\tEntryPoint = nullptr;\n\n\t\tDllEntry->EntryPoint = EntryPoint;\n\t}\n\n\tif (!LdrpValidateEntrySection(DllEntry))\n\t\treturn STATUS_INVALID_IMAGE_FORMAT;\n\n\tDllEntry->OriginalBase = OutHeaders_2->OptionalHeader.ImageBase;\n\tDllEntry->LoadTime.QuadPart = *(LONGLONG*)(0x7FFE0014);\n\tdo\n\t{\n\t\tif ((Flags & 0x800000) == 0 && ((DllEntry->FlagGroup[0] & 4) != 0 || One && LdrpIsExecutableRelocatedImage(DllBase)) && (DllEntry->Flags & LoadConfigProcessed) == 0 && One)\n\t\t{\n\t\t\tUINT_PTR Zero = 0;\n\t\t\tUINT_PTR RandomNumber = LdrpGenRandom();\n\t\t\tBOOL IsInited = LdrInitSecurityCookie(DllBase, DllEntry->SizeOfImage, 0, RandomNumber ^ *dword_199398, &Zero);\n\t\t\tif (!DllBase || !DllEntry->EntryPoint || (OutHeaders->OptionalHeader.MajorSubsystemVersion != 6 || OutHeaders->OptionalHeader.MinorSubsystemVersion < IMAGE_SUBSYSTEM_WINDOWS_CUI) && OutHeaders->OptionalHeader.MajorSubsystemVersion < IMAGE_SUBSYSTEM_POSIX_CUI || IsInited)\n\t\t\t{\n\t\t\t\tStatus = LdrpCfgProcessLoadConfig(DllEntry, OutHeaders, Zero);\n\t\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\t\treturn Status;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\treturn STATUS_INVALID_IMAGE_FORMAT;\n\t\t}\n\t} while (FALSE);\n\n\tif ((Flags & 0x800000) == 0 && (DllEntry->Flags & InExceptionTable) == 0)\n\t\tRtlInsertInvertedFunctionTable(DllBase, DllEntry->SizeOfImage);\n\n\tDllEntry->Flags |= InExceptionTable | LoadConfigProcessed;\n\tRtlAcquireSRWLockExclusive(LdrpModuleDatatableLock);\n\tDllEntry->DdagNode->State = LdrModulesMapped;\n\tif ((Flags & 0x800000) == 0 && DllEntry->LoadContext)\n\t\tLdrpSignalModuleMapped(DllEntry);\n\n\tRtlReleaseSRWLockExclusive(LdrpModuleDatatableLock);\n\t\n\tWID_HIDDEN( LdrpLogDllState((UINT_PTR)DllEntry->DllBase, &DllEntry->FullDllName, 0x14A1u); )\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpCorProcessImports(PLDR_DATA_TABLE_ENTRY DllEntry)\n{\n\tNTSTATUS Status = STATUS_SUCCESS; \n\n\tDllEntry->DdagNode->State = LdrModulesCondensed;\n\tStatus = AVrfDllLoadNotification(DllEntry);\n\tif (NT_SUCCESS(Status))\n\t{\n\t\tLdrpSendDllNotifications(DllEntry, 1);\n\t\tWID_HIDDEN( LdrpLogDllState((UINT_PTR)DllEntry->DllBase, &DllEntry->FullDllName, 0x14ADu); )\n\t\tDllEntry->DdagNode->State = LdrModulesReadyToInit;\n\t}\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpMapAndSnapDependency(PLDRP_LOAD_CONTEXT LoadContext)\n{\n\tNTSTATUS Status;\n\t\t\n\tLDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\tBOOLEAN IsFile = (LoadContext->Flags & SEC_FILE);\n\tBOOLEAN FullPathExists = 0;\n\n\tUNICODE_STRING FullPath;\n\tmemset(&FullPath, 0, sizeof(FullPath));\n\n\tdo\n\t{\n\t\tif (!IsFile)\n\t\t{\n\t\t\tif (DllEntry->LoadReason != LoadReasonPatchImage)\n\t\t\t{\n\t\t\t\tStatus = LdrpFindDllActivationContext(DllEntry);\n\t\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tStatus = fLdrpPrepareImportAddressTableForSnap(LoadContext);\n\t\tif (!NT_SUCCESS(Status))\n\t\t\tbreak;\n\n\t\tULONG CurrentDllDecremented = 0;\n\t\tULONG OldCurrentDll = 0;\n\t\tif (*LdrpIsHotPatchingEnabled)\n\t\t{\n\t\t\tDllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\t\t\tif (DllEntry)\n\t\t\t{\n\t\t\t\tStatus = LdrpQueryCurrentPatch(DllEntry->CheckSum, DllEntry->TimeDateStamp, &FullPath);\n\t\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\t\tbreak;\n\n\t\t\t\tif (FullPath.Length)\n\t\t\t\t\tFullPathExists = TRUE;\n\t\t\t}\n\t\t}\n\n\t\tPIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = nullptr;\n\t\tif (LoadContext->pImageImportDescriptor || FullPathExists)\n\t\t{\n\t\t\tif (LdrpShouldModuleImportBeRedirected(DllEntry))\n\t\t\t\tLoadContext->Flags |= 0x2000000u;\n\n\t\t\tImageImportDescriptor = LdrpGetImportDescriptorForSnap(LoadContext);\n\t\t\tULONG IATSize = 0;\n\t\t\tPIMAGE_THUNK_DATA32 FirstThunk = (PIMAGE_THUNK_DATA32)&ImageImportDescriptor->FirstThunk;\n\n\t\t\tBOOLEAN JumpIn = FALSE;\n\t\t\tif (ImageImportDescriptor)\n\t\t\t{\n\t\t\t\tPIMAGE_THUNK_DATA32 FirstThunk2 = (IMAGE_THUNK_DATA32*)&ImageImportDescriptor->FirstThunk;\n\t\t\t\tULONG DllBaseIncremented = 0;\n\t\t\t\tdo\n\t\t\t\t{\n\t\t\t\t\tif (!FirstThunk2[-1].u1.ForwarderString)\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tULONG ForwarderString = FirstThunk2->u1.ForwarderString;\n\t\t\t\t\tif (!FirstThunk2->u1.ForwarderString)\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tULONG DllBaseIncremented_2 = DllBaseIncremented + 1;\n\t\t\t\t\tFirstThunk2 += 5;\n\t\t\t\t\t++IATSize;\n\t\t\t\t\tif (!*(UINT_PTR*)((char*)&DllEntry->DllBase->e_magic + ForwarderString))\n\t\t\t\t\t\tDllBaseIncremented_2 = DllBaseIncremented;\n\n\t\t\t\t\tDllBaseIncremented = DllBaseIncremented_2;\n\t\t\t\t} while (FirstThunk2 != (IMAGE_THUNK_DATA32*)16);\n\n\t\t\t\tOldCurrentDll = DllBaseIncremented;\n\t\t\t\tif (DllBaseIncremented)\n\t\t\t\t\tJumpIn = TRUE;\n\t\t\t}\n\n\t\t\tBOOLEAN JumpOut = FALSE;\n\t\t\tif (JumpIn || FullPathExists)\n\t\t\t{\n\t\t\t\tPVOID* Heap = (PVOID*)RtlAllocateHeap(*LdrpHeap, (*NtdllBaseTag + 0x180000) | 8u, 8 * IATSize);\n\t\t\t\tLoadContext->IATCheck = (LDR_DATA_TABLE_ENTRY**)Heap;\n\t\t\t\tif (Heap)\n\t\t\t\t{\n\t\t\t\t\tLoadContext->SizeOfIAT = IATSize;\n\t\t\t\t\tLoadContext->GuardCFCheckFunctionPointer = ImageImportDescriptor;\n\t\t\t\t\tLoadContext->CurrentDll = OldCurrentDll + 1;\n\t\t\t\t\tif (FullPathExists)\n\t\t\t\t\t\tLoadContext->CurrentDll = OldCurrentDll + 2;\n\n\t\t\t\t\tPIMAGE_THUNK_DATA pThunk = nullptr;\n\t\t\t\t\tUINT_PTR IATAmount = 0;\n\t\t\t\t\tif (ImageImportDescriptor)\n\t\t\t\t\t{\n\t\t\t\t\t\twhile (FirstThunk[-1].u1.ForwarderString && FirstThunk->u1.ForwarderString)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tPIMAGE_DOS_HEADER DllBase = DllEntry->DllBase;\n\t\t\t\t\t\t\tif (*(UINT_PTR*)((char*)&DllBase->e_magic + FirstThunk->u1.ForwarderString))\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tULONG ForwarderString_2 = FirstThunk[-1].u1.ForwarderString;\n\t\t\t\t\t\t\t\tIsFile = (PIMAGE_IMPORT_BY_NAME)(ForwarderString_2 + (UINT_PTR)DllBase) != 0;\n\t\t\t\t\t\t\t\tPCHAR ForwarderBuffer = (PCHAR)(ForwarderString_2 + (UINT_PTR)DllBase);\n\n\t\t\t\t\t\t\t\tSTRING SourceString = {};\n\t\t\t\t\t\t\t\t*(UINT_PTR*)&SourceString.Length = 0;\n\t\t\t\t\t\t\t\tSourceString.Buffer = ForwarderBuffer;\n\t\t\t\t\t\t\t\tif (IsFile)\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tSIZE_T SourceLen = -1;\n\t\t\t\t\t\t\t\t\tdo\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t++SourceLen;\n\t\t\t\t\t\t\t\t\t} while (ForwarderBuffer[SourceLen]);\n\n\t\t\t\t\t\t\t\t\tif (SourceLen > 0xFFFE)\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tStatus = STATUS_NAME_TOO_LONG;\n\t\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\t\tSourceString.Length = SourceLen;\n\t\t\t\t\t\t\t\t\tSourceString.MaximumLength = SourceLen + 1;\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\tStatus = LdrpLoadDependentModuleA((PUNICODE_STRING)&SourceString, LoadContext, DllEntry, 0, &LoadContext->IATCheck[IATAmount], (UINT_PTR)&pThunk);\n\t\t\t\t\t\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\tFirstThunk += 5;\n\t\t\t\t\t\t\tIATAmount = (ULONG)(IATAmount + 1);\n\t\t\t\t\t\t\tif (FirstThunk == (PIMAGE_THUNK_DATA32)16)\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tif (FullPathExists)\n\t\t\t\t\t{\n\t\t\t\t\t\t// Loads Imports dlls.\n\t\t\t\t\t\tStatus = LdrpLoadDependentModuleW(&FullPath, LoadContext, DllEntry);\n\t\t\t\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\t\t\t\tWID_HIDDEN(LdrpLogEtwHotPatchStatus(&(*LdrpImageEntry)->BaseDllName, DllEntry, &FullPath, Status, 5u); )\n\t\t\t\t\t}\n\n\t\t\t\t\tif (pThunk)\n\t\t\t\t\t\tRtlFreeHeap(*LdrpHeap, 0, pThunk);\n\n\t\t\t\t\tif (NT_SUCCESS(Status))\n\t\t\t\t\t{\n\t\t\t\t\t\tRtlAcquireSRWLockExclusive(LdrpModuleDatatableLock);\n\t\t\t\t\t\tCurrentDllDecremented = --LoadContext->CurrentDll;\n\t\t\t\t\t\tRtlReleaseSRWLockExclusive(LdrpModuleDatatableLock);\n\t\t\t\t\t\tJumpOut = TRUE;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tStatus = STATUS_NO_MEMORY;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (!JumpOut)\n\t\t\t\tCurrentDllDecremented = OldCurrentDll;\n\t\t}\n\n\t\tPLDR_DDAG_NODE DdagNode = nullptr;\n\t\tPIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor = LoadContext->pImageImportDescriptor;\n\t\tif (pImageImportDescriptor || !FullPathExists)\n\t\t{\n\t\t\tif (CurrentDllDecremented)\n\t\t\t\tbreak;\n\n\t\t\tDdagNode = DllEntry->DdagNode;\n\t\t\tif (pImageImportDescriptor)\n\t\t\t{\n\t\t\t\tDdagNode->State = LdrModulesSnapping;\n\t\t\t\tif (LoadContext->Entry)\n\t\t\t\t\tLdrpQueueWork(LoadContext);\n\t\t\t\telse\n\t\t\t\t\tStatus = fLdrpSnapModule(LoadContext);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\tDdagNode = DllEntry->DdagNode;\n\t\t}\n\n\t\tDdagNode->State = LdrModulesSnapped;\n\t} while (FALSE);\n\n\tLdrpFreeUnicodeString(&FullPath);\n\tif (!NT_SUCCESS(Status))\n\t{\n\t\t*LoadContext->pStatus = Status;\n\t}\n\n\treturn *LoadContext->pStatus;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpPrepareImportAddressTableForSnap(LDRP_LOAD_CONTEXT* LoadContext)\n{\n\tNTSTATUS Status;\n\t\n\tLDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);\n\n\tPIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = nullptr;\n\tUINT_PTR* pImageImportDescriptorLen = (UINT_PTR*)&LoadContext->ImageImportDescriptorLen;\n\tStatus = RtlpImageDirectoryEntryToDataEx(DllEntry->DllBase, 1u, IMAGE_DIRECTORY_ENTRY_IAT, (UINT_PTR*)&LoadContext->ImageImportDescriptorLen, &ImageImportDescriptor);\n\tif (!NT_SUCCESS(Status))\n\t\tImageImportDescriptor = nullptr;\n\n\tBOOLEAN IsFile = (LoadContext->Flags & SEC_FILE);\n\tLoadContext->pImageImportDescriptor = ImageImportDescriptor;\n\tif (IsFile)\n\t\treturn STATUS_SUCCESS;\n\n\tBOOLEAN JumpOver = FALSE;\n\n\tPIMAGE_NT_HEADERS OutHeaders = nullptr;\n\tRtlImageNtHeaderEx(3, DllEntry->DllBase, 0, &OutHeaders);\n\tPIMAGE_LOAD_CONFIG_DIRECTORY ImageConfigDirectory = LdrImageDirectoryEntryToLoadConfig(DllEntry->DllBase);\n\tif (!ImageConfigDirectory || ImageConfigDirectory->Size < 0x94)\n\t\tJumpOver = TRUE;\n\n\tif (!JumpOver)\n\t{\n\t\tif ((OutHeaders->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF) != 0 && (ImageConfigDirectory->GuardFlags & IMAGE_GUARD_CF_INSTRUMENTED) != 0)\n\t\t{\n\t\t\tUINT_PTR* GuardCFCheckFunctionPointer = (UINT_PTR*)ImageConfigDirectory->GuardCFCheckFunctionPointer;\n\t\t\tLoadContext->UnknownFunc = (__int64)GuardCFCheckFunctionPointer;\n\t\t\tif (GuardCFCheckFunctionPointer)\n\t\t\t{\n\t\t\t\tLoadContext->DllNameLenCompare = *GuardCFCheckFunctionPointer;\n\t\t\t}\n\t\t}\n\t}\n\n\tdo\n\t{\n\t\tif (!LoadContext->pImageImportDescriptor)\n\t\t{\n\t\t\tULONG ImportDirectoryVA = OutHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;\n\t\t\tPIMAGE_SECTION_HEADER FirstSection = (PIMAGE_SECTION_HEADER)((char*)&OutHeaders->OptionalHeader + OutHeaders->FileHeader.SizeOfOptionalHeader);\n\t\t\tif (ImportDirectoryVA)\n\t\t\t{\n\t\t\t\tULONG SectionIdx = 0;\n\t\t\t\tif (OutHeaders->FileHeader.NumberOfSections)\n\t\t\t\t{\n\t\t\t\t\tULONG SectionVA = 0;\n\t\t\t\t\twhile (TRUE)\n\t\t\t\t\t{\n\t\t\t\t\t\tSectionVA = FirstSection->VirtualAddress;\n\t\t\t\t\t\tif (ImportDirectoryVA >= SectionVA && ImportDirectoryVA < SectionVA + FirstSection->SizeOfRawData)\n\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t++SectionIdx;\n\t\t\t\t\t\t++FirstSection;\n\n\t\t\t\t\t\tif (SectionIdx >= OutHeaders->FileHeader.NumberOfSections)\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\n\t\t\t\t\tLoadContext->pImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((char*)DllEntry->DllBase + SectionVA);\n\t\t\t\t\tULONG SectionFA = FirstSection->Misc.PhysicalAddress;\n\t\t\t\t\t*pImageImportDescriptorLen = SectionFA;\n\t\t\t\t\tif (!SectionFA)\n\t\t\t\t\t\t*pImageImportDescriptorLen = FirstSection->SizeOfRawData;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} while (FALSE);\n\n\tPIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor = LoadContext->pImageImportDescriptor;\n\tif (pImageImportDescriptor && *pImageImportDescriptorLen)\n\t{\n\t\tUINT_PTR ImageImportDescriptorLen = *pImageImportDescriptorLen;\n\n\t\tNTSTATUS Status_2 = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&pImageImportDescriptor, (PULONG)&ImageImportDescriptorLen, PAGE_READWRITE, (PULONG)&LoadContext->GuardFlags);\n\t\tif (!NT_SUCCESS(Status_2))\n\t\t\treturn Status_2;\n\n\t\tPIMAGE_IMPORT_DESCRIPTOR pNextSectionMaybe = pImageImportDescriptor;\n\t\tPIMAGE_IMPORT_DESCRIPTOR pNextImageImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR*)((char*)pImageImportDescriptor + ImageImportDescriptorLen);\n\t\tdo\n\t\t{\n\t\t\tpNextSectionMaybe = (PIMAGE_IMPORT_DESCRIPTOR)((char*)pNextSectionMaybe + 0x1000);\n\t\t} while (pNextSectionMaybe < pNextImageImportDescriptor);\n\t}\n\treturn STATUS_SUCCESS;\n}\n\n\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpPrepareModuleForExecution(PLDR_DATA_TABLE_ENTRY LdrEntry, NTSTATUS* pStatus)\n{\n\tNTSTATUS Status;\n\n\tStatus = STATUS_SUCCESS;\n\tif (*qword_17E238 == NtCurrentTeb()->ClientId.UniqueThread)\n\t\treturn Status;\n\n\tBOOLEAN Skip = FALSE;\n\n\tLDR_DDAG_NODE* DdagNode = LdrEntry->DdagNode;\n\tswitch (DdagNode->State)\n\t{\n\tcase LdrModulesSnapped:\n\t\tLdrpCondenseGraph(DdagNode);\n\tcase LdrModulesCondensed:\n\t{\n\t\t// This is where we'll start from normally.\n\t\tif ((LdrEntry->FlagGroup[0] & ProcessStaticImport) == 0)\n\t\t{\n\t\t\tUINT_PTR SubProcessTag = (UINT_PTR)NtCurrentTeb()->SubProcessTag;\n\t\t\tLdrpAddNodeServiceTag(DdagNode, SubProcessTag);\n\t\t}\n\n\t\tStatus = LdrpNotifyLoadOfGraph(DdagNode);\n\t\tif (NT_SUCCESS(Status))\n\t\t{\n\t\t\tStatus = LdrpDynamicShimModule(DdagNode);\n\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t{\n\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 0x9F3, \"LdrpPrepareModuleForExecution\", 1u, \"Failed to load for appcompat reasons\\n\"); )\n\t\t\t\treturn Status;\n\t\t\t}\n\t\t\tSkip = TRUE;\n\t\t}\n\n\t\tif (!Skip)\n\t\t\treturn Status;\n\t}\n\tcase LdrModulesReadyToInit:\n\t\tLDRP_LOAD_CONTEXT* LoadContext = (LDRP_LOAD_CONTEXT*)LdrEntry->LoadContext;\n\t\tif (LoadContext && (LoadContext->Flags & 1) == 0)\n\t\t{\n\t\t\tLdrpAcquireLoaderLock();\n\n\t\t\tUINT64 Unknown = 0;\n\t\t\tStatus = fLdrpInitializeGraphRecurse(DdagNode, pStatus, (char*)&Unknown);\n\n\t\t\tULONG64 Unused = 0;\n\t\t\tLdrpReleaseLoaderLock(Unused, 2, Status);\n\t\t}\n\t\treturn Status;\n\t}\n\n\t// States end at 9.\n\tif (DdagNode->State > LdrModulesReadyToRun)\n\t\treturn STATUS_INTERNAL_ERROR;\n\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpInitializeGraphRecurse(LDR_DDAG_NODE* DdagNode, NTSTATUS* pStatus, char* Unknown)\n{\n\tNTSTATUS Status = STATUS_SUCCESS;\n\n\tif (DdagNode->State == LdrModulesInitError)\n\t\treturn STATUS_DLL_INIT_FAILED;\n\n\tLDR_DDAG_NODE* DdagNode2 = (LDR_DDAG_NODE*)DdagNode->Dependencies.Tail;\n\tCHAR Unknown2_2 = 0;\n\tCHAR Unknown2 = 0;\n\n\tBOOLEAN JumpIn = FALSE;\n\tdo\n\t{\n\t\tif (DdagNode2)\n\t\t{\n\t\t\tLDR_DDAG_NODE* DdagNode2_2 = DdagNode2;\n\t\t\tdo\n\t\t\t{\n\t\t\t\tDdagNode2_2 = (LDR_DDAG_NODE*)DdagNode2_2->Modules.Flink;\n\t\t\t\tif ((DdagNode2_2->LoadCount & 1) == 0)\n\t\t\t\t{\n\t\t\t\t\tLDR_DDAG_NODE* Blink = (LDR_DDAG_NODE*)DdagNode2_2->Modules.Blink;\n\t\t\t\t\tif (Blink->State == LdrModulesReadyToInit)\n\t\t\t\t\t{\n\t\t\t\t\t\tStatus = fLdrpInitializeGraphRecurse(Blink, pStatus, &Unknown2);\n\t\t\t\t\t\tif (!NT_SUCCESS(Status))\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tJumpIn = TRUE;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tUnknown2_2 = Unknown2;\n\t\t\t\t\t}\n\t\t\t\t\telse\n\t\t\t\t\t{\n\t\t\t\t\t\tif (Blink->State == LdrModulesInitError)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tStatus = STATUS_DLL_INIT_FAILED;\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tJumpIn = TRUE;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (Blink->State == LdrModulesInitializing)\n\t\t\t\t\t\t\tUnknown2_2 = 1;\n\t\t\t\t\t\tUnknown2 = Unknown2_2;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} while (DdagNode2_2 != DdagNode2);\n\n\t\t\tif (JumpIn)\n\t\t\t\tbreak;\n\n\t\t\tif (Unknown2_2)\n\t\t\t{\n\t\t\t\tLDR_DDAG_NODE* DdagNode3 = (LDR_DDAG_NODE*)DdagNode->Modules.Flink;\n\t\t\t\t*Unknown = 1;\n\t\t\t\tLDR_SERVICE_TAG_RECORD* ServiceTagList = DdagNode3->ServiceTagList;\n\t\t\t\tif (ServiceTagList)\n\t\t\t\t{\n\t\t\t\t\tif (pStatus != *(NTSTATUS**)&ServiceTagList[2].ServiceTag)\n\t\t\t\t\t\treturn STATUS_SUCCESS;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} while (FALSE);\n\n\tif (!JumpIn)\n\t\tStatus = fLdrpInitializeNode(DdagNode);\n\n\tif (JumpIn || !NT_SUCCESS(Status))\n\t\tDdagNode->State = LdrModulesInitError;\n\n\treturn Status;\n}\n\nNTSTATUS __fastcall LOADLIBRARY::fLdrpInitializeNode(LDR_DDAG_NODE* DdagNode)\n{\n\tNTSTATUS Status;\n\tNTSTATUS Status_2;\n\tNTSTATUS Status_3;\n\n\tLDR_DDAG_STATE* pState = &DdagNode->State;\n\n\tUNICODE_STRING FullDllName;\n\t*(UINT_PTR*)&FullDllName.Length = (UINT_PTR)&DdagNode->State;\n\tDdagNode->State = LdrModulesInitializing;\n\n\tLDR_DATA_TABLE_ENTRY* Blink = (LDR_DATA_TABLE_ENTRY*)DdagNode->Modules.Blink;\n\tLDR_DATA_TABLE_ENTRY* LdrEntry = *LdrpImageEntry;\n\tUINT_PTR** v4 = (UINT_PTR**)*qword_1843B8;\n\twhile (Blink != (LDR_DATA_TABLE_ENTRY*)DdagNode)\n\t{\n\t\tif (&Blink[-1].DdagNode != (LDR_DDAG_NODE**)LdrEntry)\n\t\t{\n\t\t\tPVOID* p_ParentDllBase = &Blink[-1].ParentDllBase;\n\t\t\tif (*v4 != qword_1843B0)\n\t\t\t\t__fastfail(3u);\n\n\t\t\t*p_ParentDllBase = qword_1843B0;\n\t\t\tBlink[-1].SwitchBackContext = v4;\n\t\t\t*v4 = (UINT_PTR*)p_ParentDllBase;\n\t\t\tv4 = (UINT_PTR**)&Blink[-1].ParentDllBase;\n\t\t\t*qword_1843B8 = (UINT_PTR**)v4;\n\t\t}\n\n\t\tBlink = (LDR_DATA_TABLE_ENTRY*)Blink->InLoadOrderLinks.Blink;\n\t}\n\n\tStatus = STATUS_SUCCESS;\n\tfor (LDR_DATA_TABLE_ENTRY* i = (LDR_DATA_TABLE_ENTRY*)DdagNode->Modules.Blink; i != (LDR_DATA_TABLE_ENTRY*)DdagNode; i = (LDR_DATA_TABLE_ENTRY*)i->InLoadOrderLinks.Blink)\n\t{\n\t\tLDR_DATA_TABLE_ENTRY* LdrEntry_2 = (LDR_DATA_TABLE_ENTRY*)((char*)i - 160);\n\t\tif (&i[-1].DdagNode != (LDR_DDAG_NODE**)LdrEntry)\n\t\t{\n\t\t\tif (LdrEntry_2->LoadReason == LoadReasonPatchImage)\n\t\t\t{\n\t\t\t\tStatus_2 = LdrpApplyPatchImage((PLDR_DATA_TABLE_ENTRY)&i[-1].DdagNode);\n\t\t\t\tStatus = Status_2;\n\t\t\t\tif (!NT_SUCCESS(Status_2))\n\t\t\t\t{\n\t\t\t\t\tFullDllName = LdrEntry_2->FullDllName;\n\t\t\t\t\tStatus_3 = Status_2;\n\t\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 1392, \"LdrpInitializeNode\", 0, \"Applying patch \\\"%wZ\\\" failed - Status = 0x%x\\n\", &FullDllName, *(UINT_PTR*)&Status_3); )\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tUINT_PTR CurrentDllIniter = *LdrpCurrentDllInitializer;\n\t\t\t*LdrpCurrentDllInitializer = (UINT_PTR)&i[-1].DdagNode;\n\t\t\tPVOID EntryPoint = LdrEntry_2->EntryPoint;\n\t\t\tPUNICODE_STRING pFullDllName = &LdrEntry_2->FullDllName;\n\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 1411, \"LdrpInitializeNode\", 2u, \"Calling init routine %p for DLL \\\"%wZ\\\"\\n\", EntryPoint, &LdrEntry_2->FullDllName); )\n\t\t\t\n\t\t\tRTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED StackFrameExtended;\n\t\t\tStackFrameExtended.Size = 0x48;\n\t\t\tStackFrameExtended.Format = 1;\n\t\t\tmemset((char*)&StackFrameExtended.Frame.Previous + 4, 0, 48);\n\t\t\tUINT_PTR v20 = 0;\n\t\t\tRtlActivateActivationContextUnsafeFast(&StackFrameExtended, LdrEntry_2->EntryPointActivationContext);\n\t\t\tif (LdrEntry_2->TlsIndex)\n\t\t\t\tfLdrpCallTlsInitializers(1i64, (LDR_DATA_TABLE_ENTRY*)&i[-1].DdagNode);\n\n\t\t\tBOOLEAN CallSuccess = TRUE;\n\t\t\tif (EntryPoint)\n\t\t\t{\n\t\t\t\tLPVOID ContextRecord = nullptr;\n\t\t\t\tif ((LdrEntry_2->FlagGroup[0] & ProcessStaticImport) != 0)\n\t\t\t\t\tContextRecord = *LdrpProcessInitContextRecord;\n\n\t\t\t\tCallSuccess = fLdrpCallInitRoutine((BOOL(__stdcall*)(HINSTANCE, DWORD, LPVOID))EntryPoint, LdrEntry_2->DllBase, DLL_PROCESS_ATTACH, ContextRecord);\n\t\t\t}\n\n\t\t\tRtlDeactivateActivationContextUnsafeFast(&StackFrameExtended);\n\t\t\t*LdrpCurrentDllInitializer = CurrentDllIniter;\n\t\t\tLdrEntry_2->Flags |= ProcessAttachCalled;\n\t\t\tif (!CallSuccess)\n\t\t\t{\n\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrsnap.c\", 0x5B7, \"LdrpInitializeNode\", 0, \"Init routine %p for DLL \\\"%wZ\\\" failed during DLL_PROCESS_ATTACH\\n\", EntryPoint, pFullDllName); )\n\t\t\t\tStatus = STATUS_DLL_INIT_FAILED;\n\t\t\t\tLdrEntry_2->Flags |= ProcessAttachFailed;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tWID_HIDDEN( LdrpLogDllState((UINT_PTR)LdrEntry_2->DllBase, pFullDllName, 0x14AEu); )\n\t\t\tLdrEntry = *LdrpImageEntry;\n\t\t}\n\t}\n\t*pState = Status != 0 ? LdrModulesInitError : LdrModulesReadyToRun;\n\treturn Status;\n}\n\nBOOL __fastcall LOADLIBRARY::fLdrpCallTlsInitializers(DWORD fdwReason, LDR_DATA_TABLE_ENTRY* LdrEntry)\n{\n\tBOOL Result = FALSE;\n\n\tRtlAcquireSRWLockShared(LdrpTlsLock);\n\n\tTLS_ENTRY* TlsEntry = LdrpFindTlsEntry(LdrEntry);\n\n\tRtlReleaseSRWLockShared(LdrpTlsLock);\n\tif (TlsEntry)\n\t{\n\t\tLPVOID* AddressOfCallBacks = (LPVOID*)TlsEntry->TlsDirectory.AddressOfCallBacks;\n\t\tif (AddressOfCallBacks)\n\t\t{\n\t\t\twhile (TRUE)\n\t\t\t{\n\t\t\t\tLPVOID ContextRecord = *AddressOfCallBacks;\n\t\t\t\tif (!ContextRecord)\n\t\t\t\t\tbreak;\n\n\t\t\t\t++AddressOfCallBacks;\n\t\t\t\tWID_HIDDEN( LdrpLogInternal(\"minkernel\\\\ntdll\\\\ldrtls.c\", 1180, \"LdrpCallTlsInitializers\", 2u, \"Calling TLS callback %p for DLL \\\"%wZ\\\" at %p\\n\", ContextRecord, &LdrEntry->FullDllName, LdrEntry->DllBase); )\n\t\t\t\t\n\t\t\t\tResult = fLdrpCallInitRoutine(ImageTlsCallbackCaller, LdrEntry->DllBase, fdwReason, ContextRecord);\n\t\t\t}\n\t\t}\n\t}\n\n\treturn Result;\n}\n\nBOOLEAN __fastcall LOADLIBRARY::fLdrpCallInitRoutine(BOOL(__fastcall* DllMain)(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved), PIMAGE_DOS_HEADER DllBase, unsigned int One, LPVOID ContextRecord)\n{\n\tBOOLEAN ReturnVal = TRUE;\n\n\tPCHAR LoggingVar = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2];\n\tPCHAR LoggingVar2 = 0;\n\tif (RtlGetCurrentServiceSessionId())\n\t\tLoggingVar2 = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253];\n\telse\n\t\tLoggingVar2 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2];\n\n\tPCHAR LoggingVar3 = 0;\n\tPCHAR LoggingVar4 = 0;\n\tif (*LoggingVar2 && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0)\n\t{\n\t\tLoggingVar3 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n\t\tif (RtlGetCurrentServiceSessionId())\n\t\t\tLoggingVar4 = (char*)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1;\n\t\telse\n\t\t\tLoggingVar4 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n\n\t\t// 0x20 is SPACE char.\n\t\tif ((*LoggingVar4 & ' ') != 0)\n\t\t\tWID_HIDDEN( LdrpLogEtwEvent(0x14A3u, (ULONGLONG)DllBase, 0xFF, 0xFF); )\n\t}\n\telse\n\t{\n\t\tLoggingVar3 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1;\n\t}\n\n\t// DLL_PROCESS_ATTACH (1)\n\tReturnVal = DllMain((HINSTANCE)DllBase, One, ContextRecord);\n\tif (RtlGetCurrentServiceSessionId())\n\t\tLoggingVar = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253];\n\n\tif (*LoggingVar && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0)\n\t{\n\t\tif (RtlGetCurrentServiceSessionId())\n\t\t\tLoggingVar3 = (char*)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1;\n\n\t\t// 0x20 is SPACE char.\n\t\tif ((*LoggingVar3 & ' ') != 0)\n\t\t\tWID_HIDDEN( LdrpLogEtwEvent(0x1496u, (ULONGLONG)DllBase, 0xFF, 0xFF); )\n\t}\n\n\tULONG LoggingVar5 = 0;\n\tif (!ReturnVal && One == 1)\n\t{\n\t\tLoggingVar5 = 1;\n\t\tWID_HIDDEN( LdrpLogError(STATUS_DLL_INIT_FAILED, 0x1496u, LoggingVar5, 0i64); )\n\t}\n\n\treturn ReturnVal;\n}\n\n\nNTSTATUS __fastcall LOADLIBRARY::fBasepLoadLibraryAsDataFileInternal(PUNICODE_STRING DllName, PWSTR Path, PWSTR Unknown, DWORD dwFlags, HMODULE* pBaseOfLoadedModule)\n{\n\t// I have no control over datafile loads. It's only included to not break-up functionality.\n\treturn BasepLoadLibraryAsDataFileInternal(DllName, Path, Unknown, dwFlags, pBaseOfLoadedModule);\n}\n\nNTSTATUS LOADLIBRARY::Unload()\n{\n\tif (DllHandle)\n\t{\n\t\t// Yes.\n\t\tif (!FreeLibrary(DllHandle))\n\t\t\treturn STATUS_UNSUCCESSFUL;\n\t}\n\n\treturn STATUS_SUCCESS;\n}" }, { "path": "Src/Loader/Loader.h", "content": "#pragma once\n\n#include \"..\\WID.h\"\n\n#define LLEXW_ISDATAFILE\t(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)\n#define LLEXW_7F08\t\t\t(LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER | LOAD_LIBRARY_SAFE_CURRENT_DIRS | LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS | LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | LOAD_WITH_ALTERED_SEARCH_PATH)\n#define LLEXW_ASDATAFILE\t(LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE | LOAD_LIBRARY_AS_DATAFILE)\n#define LLDLL_401\t\t\t(LOAD_LIBRARY_SEARCH_USER_DIRS | DONT_RESOLVE_DLL_REFERENCES)\n\n#define CNVTD_DONT_RESOLVE_DLL_REFERENCES 0x2\n#define LOAD_PACKAGED_LIBRARY 0x4\n#define CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET 0x800000\n#define CNVTD_LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY 0x80000000\n\n#define LoadOwner 0x1000\n#define LoaderWorker 0x2000\n\n#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x40000\n\n// OBJECT_ATTRIBUTES.Attributes\n#define OBJ_INHERIT 0x00000002\n#define OBJ_PERMANENT 0x00000010\n#define OBJ_EXCLUSIVE 0x00000020\n#define OBJ_CASE_INSENSITIVE 0x00000040\n#define OBJ_OPENIF 0x00000080\n#define OBJ_OPENLINK 0x00000100\n#define OBJ_KERNEL_HANDLE 0x00000200\n#define OBJ_FORCE_ACCESS_CHECK 0x00000400\n#define OBJ_VALID_ATTRIBUTES 0x000007f2\n#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x800\n\n// PEB.Bitfield\n#define IsPackagedProcess 0x10\n\n// PEB.TracingFlags\n#define HeapTracingEnabled 0x1\n#define CritSecTracingEnabled 0x2\n#define LibLoaderTracingEnabled 0x4\n\n// LDR_DATA_TABLE_ENTRY.Flags\n#define\tPackagedBinary\t\t\t0x00000001\n#define\tMarkedForRemoval\t\t0x00000002\n#define\tImageDll\t\t\t\t0x00000004\n#define\tLoadNotificationsSent\t0x00000008\n#define\tTelemetryEntryProcessed\t0x00000010\n#define\tProcessStaticImport\t\t0x00000020\n#define\tInLegacyLists\t\t\t0x00000040\n#define\tInIndexes\t\t\t\t0x00000080\n#define\tShimDll\t\t\t\t\t0x00000100\n#define\tInExceptionTable\t\t0x00000200\n#define\tReservedFlags1\t\t\t0x00000C00\n#define\tLoadInProgress\t\t\t0x00001000\n#define\tLoadConfigProcessed\t\t0x00002000\n#define\tEntryProcessed\t\t\t0x00004000\n#define\tProtectDelayLoad\t\t0x00008000\n#define\tReservedFlags3\t\t\t0x00030000\n#define\tDontCallForThreads\t\t0x00040000\n#define\tProcessAttachCalled\t\t0x00080000\n#define\tProcessAttachFailed\t\t0x00100000\n#define\tCorDeferredValidate\t\t0x00200000\n#define\tCorImage\t\t\t\t0x00400000\n#define\tDontRelocate\t\t\t0x00800000\n#define\tCorILOnly\t\t\t\t0x01000000\n#define\tReservedFlags5\t\t\t0x0E000000\n#define\tRedirected\t\t\t\t0x10000000\n#define\tReservedFlags6\t\t\t0x60000000\n#define\tCompatDatabaseProcessed\t0x80000000\n\nnamespace WID\n{\n\tnamespace Loader\n\t{\n\t\tenum class LOADTYPE\n\t\t{\n\t\t\tDEFAULT = 0,\n\t\t\tHIDDEN\n\t\t};\n\n\t\tclass LOADLIBRARY\n\t\t{\n\t\tprivate:\n\t\t\tNTSTATUS Load();\n\n\t\t\t// NT Functions\n\t\t\tNTSTATUS __fastcall LdrpThreadTokenSetMainThreadToken(); // CHECKED.\n\t\t\tNTSTATUS __fastcall LdrpThreadTokenUnsetMainThreadToken(); // CHECKED.\n\n\t\t\tLDR_DATA_TABLE_ENTRY* __fastcall LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry); // CHECKED.\n\t\t\tNTSTATUS __fastcall LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry); // CHECKED.\n\t\t\tNTSTATUS __fastcall LdrpResolveDllName(LDRP_LOAD_CONTEXT* LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer, PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, DWORD Flags); // CHECKED.\n\t\t\tNTSTATUS __fastcall LdrpFindDllActivationContext(LDR_DATA_TABLE_ENTRY* LdrEntry); // CHECKED.\n\n\t\t\t// Using directly is not recommended.\n\t\t\tHMODULE __fastcall fLoadLibrary(PTCHAR lpLibFileName); // CHECKED.\n\t\t\tHMODULE __fastcall fLoadLibraryA(LPCSTR lpLibFileName); // CHECKED.\n\t\t\tHMODULE __fastcall fLoadLibraryW(LPCWSTR lpLibFileName); // CHECKED.\n\t\t\tHMODULE __fastcall fLoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags); // CHECKED.\n\t\t\tHMODULE __fastcall fLoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags); // CHECKED.\n\t\t\t\n\t\t\tNTSTATUS __fastcall fLdrLoadDll(PWSTR DllPath, PULONG pFlags, PUNICODE_STRING DllName, PVOID* BaseAddress); // CHECKED.\n\t\t\tNTSTATUS __fastcall fLdrpLoadDll(PUNICODE_STRING DllName, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, LDR_DATA_TABLE_ENTRY** DllEntry); // CHECKED.\n\t\t\tNTSTATUS __fastcall fLdrpLoadDllInternal(PUNICODE_STRING FullPath, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, ULONG LdrFlags, PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2, PLDR_DATA_TABLE_ENTRY* DllEntry, NTSTATUS* pStatus, ULONG Zero); // CHECKED. // This function is responsible for the linking issue.\n\n\t\t\tNTSTATUS __fastcall fLdrpProcessWork(PLDRP_LOAD_CONTEXT LoadContext, BOOLEAN IsLoadOwner); // CHECKED.\n\t\t\tNTSTATUS __fastcall fLdrpSnapModule(PLDRP_LOAD_CONTEXT LoadContext);\n\t\t\tNTSTATUS __fastcall fLdrpDoPostSnapWork(LDRP_LOAD_CONTEXT* LoadContext);\n\n\t\t\tNTSTATUS __fastcall fLdrpMapDllRetry(PLDRP_LOAD_CONTEXT LoadContext);\n\t\t\tNTSTATUS __fastcall fLdrpMapDllFullPath(PLDRP_LOAD_CONTEXT LoadContext); // CHECKED.\n\t\t\tNTSTATUS __fastcall fLdrpMapDllSearchPath(PLDRP_LOAD_CONTEXT LoadContext);\n\n\t\t\tNTSTATUS __fastcall fLdrpMapDllNtFileName(PLDRP_LOAD_CONTEXT LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer); // CHECKED.\n\t\t\tNTSTATUS __fastcall fLdrpMapDllWithSectionHandle(PLDRP_LOAD_CONTEXT LoadContext, HANDLE SectionHandle); // CHECKED.\n\n\t\t\tNTSTATUS __fastcall fLdrpMinimalMapModule(PLDRP_LOAD_CONTEXT LoadContext, HANDLE SectionHandle);\n\t\t\tNTSTATUS __fastcall fLdrpMapViewOfSection(HANDLE SectionHandle, ULONG ProtectFlags, PIMAGE_DOS_HEADER* BaseAddress, DWORD Unknown, PULONG ViewSize, ULONG AllocationType, ULONG Win32Protect, PUNICODE_STRING FullDllName);\n\t\t\tNTSTATUS __fastcall fLdrpCompleteMapModule(PLDRP_LOAD_CONTEXT LoadContext, PIMAGE_NT_HEADERS OutHeaders, NTSTATUS Status);\n\t\t\tNTSTATUS __fastcall fLdrpRelocateImage(PIMAGE_DOS_HEADER DllBase, SIZE_T Size, PIMAGE_NT_HEADERS OutHeaders, PUNICODE_STRING FullDllName);\n\t\t\tNTSTATUS __fastcall fLdrpProtectAndRelocateImage(PIMAGE_DOS_HEADER DllBase, SIZE_T Size, PIMAGE_NT_HEADERS OutHeader);\n\t\t\tNTSTATUS __fastcall\tfLdrpSetProtection(PIMAGE_DOS_HEADER DllBase, BOOLEAN Unknown);\n\t\t\tNTSTATUS __fastcall fLdrRelocateImageWithBias(PIMAGE_DOS_HEADER DllBase, SIZE_T Size, PIMAGE_NT_HEADERS OutHeader);\n\t\t\tPIMAGE_NT_HEADERS __fastcall fLdrProcessRelocationBlockLongLong(USHORT Machine, ULONG64 Signature, ULONG64 Unknown, PIMAGE_NT_HEADERS64 NtHeader, ULONG64 Unknown2);\n\n\t\t\tNTSTATUS __fastcall fLdrpProcessMappedModule(PLDR_DATA_TABLE_ENTRY DllEntry, UINT_PTR Flags, ULONG One);\n\t\t\tNTSTATUS __fastcall fLdrpCorProcessImports(PLDR_DATA_TABLE_ENTRY DllEntry);\n\t\t\tNTSTATUS __fastcall fLdrpMapAndSnapDependency(PLDRP_LOAD_CONTEXT LoadContext);\n\t\t\tNTSTATUS __fastcall fLdrpPrepareImportAddressTableForSnap(LDRP_LOAD_CONTEXT* LoadContext);\n\n\t\t\tNTSTATUS __fastcall fLdrpPrepareModuleForExecution(PLDR_DATA_TABLE_ENTRY LdrEntry, NTSTATUS* pStatus);\n\t\t\tNTSTATUS __fastcall fLdrpInitializeGraphRecurse(LDR_DDAG_NODE* DdagNode, NTSTATUS* pStatus, char* Unknown);\n\t\t\tNTSTATUS __fastcall fLdrpInitializeNode(_LDR_DDAG_NODE* DdagNode);\n\t\t\tBOOL\t __fastcall fLdrpCallTlsInitializers(DWORD fdwReason, LDR_DATA_TABLE_ENTRY* LdrEntry);\n\t\t\tBOOLEAN\t __fastcall fLdrpCallInitRoutine(BOOL(__fastcall* DllMain)(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved), PIMAGE_DOS_HEADER DllBase, unsigned int One, LPVOID ContextRecord);\n\n\t\t\tNTSTATUS __fastcall fBasepLoadLibraryAsDataFileInternal(PUNICODE_STRING DllName, PWSTR Path, PWSTR Unknown, DWORD dwFlags, HMODULE* pBaseOfLoadedModule);\n\t\tpublic:\n\t\t\tLOADLIBRARY(TCHAR* DllPath, DWORD Flags = 0, LOADTYPE LoadType = LOADTYPE::DEFAULT);\n\t\t\t~LOADLIBRARY();\n\n\t\t\tNTSTATUS Unload();\n\n\t\t\tstruct CREATIONINFO\n\t\t\t{\n\t\t\t\tTCHAR DllPath[MAX_PATH];\n\t\t\t\tDWORD Flags;\n\t\t\t\tLOADTYPE LoadType;\n\t\t\t} CreationInfo;\n\n\n\t\t\tHMODULE DllHandle;\n\t\t};\n\t}\n}" }, { "path": "Src/Main.cpp", "content": "#include \"WID.h\"\n\n#pragma warning(disable : 6031)\n\nint main()\n{\n\t{\n\t\tWID::Loader::LOADLIBRARY Test(TEXT(\"PATH_TO_DLL.dll\"));\n\n\t\tgetchar();\n\t}\n\n\tgetchar();\n}" }, { "path": "Src/WID.cpp", "content": "#include \"WID.h\"\n\nBOOLEAN\t\tWID::bInitialized\t\t\t= FALSE;\nMODULEINFO\tWID::Kernel32ModuleInfo\t\t= {};\nMODULEINFO\tWID::KernelBaseModuleInfo\t= {};\nMODULEINFO\tWID::NtdllModuleInfo\t\t= {};\n\nNTSTATUS WID::Init()\n{\n\tif (!bInitialized)\n\t{\n\t\t// MODULE INITIALIZATION\n\t\tHMODULE Kernel32Module\t\t= GetModuleHandle(TEXT(\"KERNEL32.DLL\"));\n\t\tassert(Kernel32Module);\n\n\t\tHMODULE KernelBaseModule\t= GetModuleHandle(TEXT(\"KERNELBASE.DLL\"));\n\t\tassert(KernelBaseModule);\n\n\t\tHMODULE NtdllModule\t\t\t= GetModuleHandle(TEXT(\"NTDLL.DLL\"));\n\t\tassert(NtdllModule);\n\n\t\t(GetModuleInformation(GetCurrentProcess(), Kernel32Module,\t\t&Kernel32ModuleInfo,\tsizeof(MODULEINFO)),\tassert(Kernel32ModuleInfo.lpBaseOfDll));\n\t\t(GetModuleInformation(GetCurrentProcess(), KernelBaseModule,\t&KernelBaseModuleInfo,\tsizeof(MODULEINFO)),\tassert(KernelBaseModuleInfo.lpBaseOfDll));\n\t\t(GetModuleInformation(GetCurrentProcess(), NtdllModule,\t\t\t&NtdllModuleInfo,\t\tsizeof(MODULEINFO)),\tassert(NtdllModuleInfo.lpBaseOfDll));\n\n\t\t// KERNEL32\n\t\t// Variables\n\t\t(KernelBaseGlobalData\t\t\t\t\t= (ULONG*)\t\t\t\t\t\t\t\t((PCHAR)Kernel32Module + 0x34DE80)\t\t\t\t\t\t\t,assert(KernelBaseGlobalData));\n\n\t\t// Exported functions\n\t\t(Basep8BitStringToDynamicUnicodeString\t= (tBasep8BitStringToDynamicUnicodeString)GetProcAddress(Kernel32Module, \"Basep8BitStringToDynamicUnicodeString\")\t,assert(Basep8BitStringToDynamicUnicodeString));\n\t\t(BaseSetLastNTError\t\t\t\t\t\t= (tBaseSetLastNTError)GetProcAddress(Kernel32Module, \"BaseSetLastNTError\")\t\t\t\t\t\t\t\t\t\t\t,assert(BaseSetLastNTError));\n\n\t\t// KERNELBASE\n\t\t// Signatured\n\t\t(BasepLoadLibraryAsDataFileInternal\t\t= (tBasepLoadLibraryAsDataFileInternal)\tHelper::SigScan((PCHAR)KernelBaseModule, KernelBaseModuleInfo.SizeOfImage, BASEP_LLASDATAFILE_INTERNAL_PATTERN, ARRAYSIZE(BASEP_LLASDATAFILE_INTERNAL_PATTERN) - 1), assert(BasepLoadLibraryAsDataFileInternal));\n\n\t\t// NTDLL\n\t\t// Variables\n\t\t(LdrpPolicyBits\t\t\t\t\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x181694)\t\t\t\t\t\t\t\t,assert(LdrpPolicyBits));\n\t\t(LdrpMainThreadToken\t\t\t\t\t= (HANDLE*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1842C8)\t\t\t\t\t\t\t\t,assert(LdrpMainThreadToken));\n\t\t(LdrInitState\t\t\t\t\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x185220)\t\t\t\t\t\t\t\t,assert(LdrInitState));\n\t\t(LoadFailure\t\t\t\t\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x135CA0)\t\t\t\t\t\t\t\t,assert(LoadFailure));\n\t\t(LdrpWorkQueueLock\t\t\t\t\t\t= (PRTL_CRITICAL_SECTION)\t\t\t\t((PCHAR)NtdllModule + 0x184280)\t\t\t\t\t\t\t\t,assert(LdrpWorkQueueLock));\n\t\t(LdrpWorkInProgress\t\t\t\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1842A8)\t\t\t\t\t\t\t\t,assert(LdrpWorkInProgress));\n\t\t(LdrpWorkQueue\t\t\t\t\t\t\t= (LIST_ENTRY**)\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1842B0)\t\t\t\t\t\t\t\t,assert(LdrpWorkQueue));\n\t\t(LdrpWorkCompleteEvent\t\t\t\t\t= (PHANDLE)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x184260)\t\t\t\t\t\t\t\t,assert(LdrpWorkCompleteEvent));\n\t\t(LdrpUseImpersonatedDeviceMap\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x184350)\t\t\t\t\t\t\t\t,assert(LdrpUseImpersonatedDeviceMap));\n\t\t(LdrpAuditIntegrityContinuity\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x184328)\t\t\t\t\t\t\t\t,assert(LdrpAuditIntegrityContinuity));\n\t\t(LdrpEnforceIntegrityContinuity\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1842D8)\t\t\t\t\t\t\t\t,assert(LdrpEnforceIntegrityContinuity));\n\t\t(LdrpFatalHardErrorCount\t\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x183EE8)\t\t\t\t\t\t\t\t,assert(LdrpFatalHardErrorCount));\n\t\t(UseWOW64\t\t\t\t\t\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1843E8)\t\t\t\t\t\t\t\t,assert(UseWOW64));\n\t\t(LdrpModuleDatatableLock\t\t\t\t= (PRTL_SRWLOCK)\t\t\t\t\t\t((PCHAR)NtdllModule + 0x184D40)\t\t\t\t\t\t\t\t,assert(LdrpModuleDatatableLock));\n\t\t(qword_17E238\t\t\t\t\t\t\t= (PHANDLE)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x17E238)\t\t\t\t\t\t\t\t,assert(qword_17E238));\n\t\t(LdrpImageEntry\t\t\t\t\t\t\t= (LDR_DATA_TABLE_ENTRY**)\t\t\t\t((PCHAR)NtdllModule + 0x183F88)\t\t\t\t\t\t\t\t,assert(LdrpImageEntry));\n\t\t(LdrpKernel32DllName\t\t\t\t\t= (PUNICODE_STRING)\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1311C0)\t\t\t\t\t\t\t\t,assert(LdrpKernel32DllName));\n\t\t(LdrpAppHeaders\t\t\t\t\t\t\t= (UINT_PTR*)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1842D0)\t\t\t\t\t\t\t\t,assert(LdrpAppHeaders));\n\t\t(LdrpLargePageDllKeyHandle\t\t\t\t= (PHANDLE)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x183EE0)\t\t\t\t\t\t\t\t,assert(LdrpLargePageDllKeyHandle));\n\t\t(LdrpLockMemoryPrivilege\t\t\t\t= (ULONG**)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x14DAC0)\t\t\t\t\t\t\t\t,assert(LdrpLockMemoryPrivilege));\n\t\t(LdrpMaximumUserModeAddress\t\t\t\t= (ULONG64*)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x199280)\t\t\t\t\t\t\t\t,assert(LdrpMaximumUserModeAddress));\n\t\t(LdrpMapAndSnapWork\t\t\t\t\t\t= (UINT_PTR*)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x184238)\t\t\t\t\t\t\t\t,assert(LdrpMapAndSnapWork));\n\t\t(LdrpHashTable\t\t\t\t\t\t\t= (LIST_ENTRY*)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x183FE0)\t\t\t\t\t\t\t\t,assert(LdrpHashTable));\n\t\t(LdrpHeap\t\t\t\t\t\t\t\t= (PVOID*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1843E0)\t\t\t\t\t\t\t\t,assert(LdrpHeap));\n\t\t(LdrpIsHotPatchingEnabled\t\t\t\t= (BOOLEAN*)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x185258)\t\t\t\t\t\t\t\t,assert(LdrpIsHotPatchingEnabled));\n\t\t(LdrpRedirectionModule\t\t\t\t\t= (LDR_DATA_TABLE_ENTRY**)\t\t\t\t((PCHAR)NtdllModule + 0x184218)\t\t\t\t\t\t\t\t,assert(LdrpRedirectionModule));\n\t\t(LdrpManifestProberRoutine\t\t\t\t= (tLdrpManifestProberRoutine)\t\t\t((PCHAR)NtdllModule + 0x184C20)\t\t\t\t\t\t\t\t,assert(LdrpManifestProberRoutine));\n\t\t(LdrpRedirectionCalloutFunc\t\t\t\t= (tLdrpRedirectionCalloutFunc)\t\t\t((PCHAR)NtdllModule + 0x184228)\t\t\t\t\t\t\t\t,assert(LdrpRedirectionCalloutFunc));\n\t\t(qword_1993A8\t\t\t\t\t\t\t= (ULONG64**)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1993A8)\t\t\t\t\t\t\t\t,assert(qword_1993A8));\n\t\t(NtdllBaseTag\t\t\t\t\t\t\t= (LONG*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1843F0)\t\t\t\t\t\t\t\t,assert(NtdllBaseTag));\n\t\t(stru_199520\t\t\t\t\t\t\t= (FUNCTION_TABLE_DATA*)\t\t\t\t((PCHAR)NtdllModule + 0x199520)\t\t\t\t\t\t\t\t,assert(stru_199520));\n\t\t(qword_199530\t\t\t\t\t\t\t= (UINT_PTR*)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x199530)\t\t\t\t\t\t\t\t,assert(qword_199530));\n\t\t(LdrpNtDllDataTableEntry\t\t\t\t= (LDR_DATA_TABLE_ENTRY**)\t\t\t\t((PCHAR)NtdllModule + 0x184370)\t\t\t\t\t\t\t\t,assert(LdrpNtDllDataTableEntry));\n\t\t(qword_1993B8\t\t\t\t\t\t\t= (UINT_PTR*)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1993B8)\t\t\t\t\t\t\t\t,assert(qword_1993B8));\n\t\t(dword_19939C\t\t\t\t\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x19939C)\t\t\t\t\t\t\t\t,assert(dword_19939C));\n\t\t(LoadFailureOperational\t\t\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x14BA98)\t\t\t\t\t\t\t\t,assert(LoadFailureOperational));\n\t\t(dword_199398\t\t\t\t\t\t\t= (DWORD*)\t\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x199398)\t\t\t\t\t\t\t\t,assert(dword_199398));\n\t\t(qword_1843B8\t\t\t\t\t\t\t= (UINT_PTR***)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1843B8)\t\t\t\t\t\t\t\t,assert(qword_1843B8));\n\t\t(qword_1843B0\t\t\t\t\t\t\t= (UINT_PTR*)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x1843B0)\t\t\t\t\t\t\t\t,assert(qword_1843B0));\n\t\t(LdrpCurrentDllInitializer\t\t\t\t= (UINT_PTR*)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x184A88)\t\t\t\t\t\t\t\t,assert(LdrpCurrentDllInitializer));\n\t\t(LdrpProcessInitContextRecord\t\t\t= (LPVOID**)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x184358)\t\t\t\t\t\t\t\t,assert(LdrpProcessInitContextRecord));\n\t\t(LdrpTlsLock\t\t\t\t\t\t\t= (PRTL_SRWLOCK)\t\t\t\t\t\t((PCHAR)NtdllModule + 0x184EF8)\t\t\t\t\t\t\t\t,assert(LdrpTlsLock));\n\t\t(LdrpTlsList\t\t\t\t\t\t\t= (TLS_ENTRY**)\t\t\t\t\t\t\t((PCHAR)NtdllModule + 0x17E2B0)\t\t\t\t\t\t\t\t,assert(LdrpTlsList));\n\n\t\t// Exported functions\n\t\t(NtOpenThreadToken\t\t\t\t\t\t= (tNtOpenThreadToken)\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"NtOpenThreadToken\")\t\t\t\t\t\t,assert(NtOpenThreadToken));\n\t\t(NtClose\t\t\t\t\t\t\t\t= (tNtClose)\t\t\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"NtClose\")\t\t\t\t\t\t\t\t\t,assert(NtClose));\n\t\t(RtlAllocateHeap\t\t\t\t\t\t= (tRtlAllocateHeap)\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlAllocateHeap\")\t\t\t\t\t\t\t,assert(RtlAllocateHeap));\n\t\t(RtlFreeHeap\t\t\t\t\t\t\t= (tRtlFreeHeap)\t\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlFreeHeap\")\t\t\t\t\t\t\t\t,assert(RtlFreeHeap));\n\t\t(LdrGetDllPath\t\t\t\t\t\t\t= (tLdrGetDllPath)\t\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"LdrGetDllPath\")\t\t\t\t\t\t\t,assert(LdrGetDllPath));\n\t\t(RtlReleasePath\t\t\t\t\t\t\t= (tRtlReleasePath)\t\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlReleasePath\")\t\t\t\t\t\t\t,assert(RtlReleasePath));\n\t\t(RtlInitUnicodeStringEx\t\t\t\t\t= (tRtlInitUnicodeStringEx)\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlInitUnicodeStringEx\")\t\t\t\t\t,assert(RtlInitUnicodeStringEx));\n\t\t(RtlEnterCriticalSection\t\t\t\t= (tRtlEnterCriticalSection)\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlEnterCriticalSection\")\t\t\t\t\t,assert(RtlEnterCriticalSection));\n\t\t(RtlLeaveCriticalSection\t\t\t\t= (tRtlLeaveCriticalSection)\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlLeaveCriticalSection\")\t\t\t\t\t,assert(RtlLeaveCriticalSection));\n\t\t(ZwSetEvent\t\t\t\t\t\t\t\t= (tZwSetEvent)\t\t\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"ZwSetEvent\")\t\t\t\t\t\t\t\t,assert(ZwSetEvent));\n\t\t(NtOpenFile\t\t\t\t\t\t\t\t= (tNtOpenFile)\t\t\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"NtOpenFile\")\t\t\t\t\t\t\t\t,assert(NtOpenFile));\n\t\t(LdrAppxHandleIntegrityFailure\t\t\t= (tLdrAppxHandleIntegrityFailure)\t\t\t\tGetProcAddress(NtdllModule, \"LdrAppxHandleIntegrityFailure\")\t\t\t,assert(LdrAppxHandleIntegrityFailure));\n\t\t(NtRaiseHardError\t\t\t\t\t\t= (tNtRaiseHardError)\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"NtRaiseHardError\")\t\t\t\t\t\t\t,assert(NtRaiseHardError));\n\t\t(RtlImageNtHeaderEx\t\t\t\t\t\t= (tRtlImageNtHeaderEx)\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlImageNtHeaderEx\")\t\t\t\t\t\t,assert(RtlImageNtHeaderEx));\n\t\t(RtlAcquireSRWLockExclusive\t\t\t\t= (tRtlAcquireSRWLockExclusive)\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlAcquireSRWLockExclusive\")\t\t\t\t,assert(RtlAcquireSRWLockExclusive));\n\t\t(RtlReleaseSRWLockExclusive\t\t\t\t= (tRtlReleaseSRWLockExclusive)\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlReleaseSRWLockExclusive\")\t\t\t\t,assert(RtlReleaseSRWLockExclusive));\n\t\t(RtlEqualUnicodeString\t\t\t\t\t= (tRtlEqualUnicodeString)\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlEqualUnicodeString\")\t\t\t\t\t,assert(RtlEqualUnicodeString));\n\t\t(RtlAcquirePrivilege\t\t\t\t\t= (tRtlAcquirePrivilege)\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlAcquirePrivilege\")\t\t\t\t\t\t,assert(RtlAcquirePrivilege));\n\t\t(RtlReleasePrivilege\t\t\t\t\t= (tRtlReleasePrivilege)\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlReleasePrivilege\")\t\t\t\t\t\t,assert(RtlReleasePrivilege));\n\t\t(RtlCompareUnicodeStrings\t\t\t\t= (tRtlCompareUnicodeStrings)\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlCompareUnicodeStrings\")\t\t\t\t\t,assert(RtlCompareUnicodeStrings));\n\t\t(RtlImageNtHeader\t\t\t\t\t\t= (tRtlImageNtHeader)\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlImageNtHeader\")\t\t\t\t\t\t\t,assert(RtlImageNtHeader));\n\t\t(RtlReleaseActivationContext\t\t\t= (tRtlReleaseActivationContext)\t\t\t\tGetProcAddress(NtdllModule, \"RtlReleaseActivationContext\")\t\t\t\t,assert(RtlReleaseActivationContext));\n\t\t(RtlCharToInteger\t\t\t\t\t\t= (tRtlCharToInteger)\t\t\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlCharToInteger\")\t\t\t\t\t\t\t,assert(RtlCharToInteger));\n\t\t(RtlActivateActivationContextUnsafeFast = (tRtlActivateActivationContextUnsafeFast)\t\tGetProcAddress(NtdllModule, \"RtlActivateActivationContextUnsafeFast\")\t,assert(RtlActivateActivationContextUnsafeFast));\n\t\t(RtlDeactivateActivationContextUnsafeFast = (tRtlDeactivateActivationContextUnsafeFast)\tGetProcAddress(NtdllModule, \"RtlDeactivateActivationContextUnsafeFast\")\t,assert(RtlDeactivateActivationContextUnsafeFast));\n\t\t(RtlAcquireSRWLockShared\t\t\t\t= (tRtlAcquireSRWLockShared)\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlAcquireSRWLockShared\")\t\t\t\t\t,assert(RtlAcquireSRWLockShared));\n\t\t(RtlReleaseSRWLockShared\t\t\t\t= (tRtlReleaseSRWLockShared)\t\t\t\t\tGetProcAddress(NtdllModule, \"RtlReleaseSRWLockShared\")\t\t\t\t\t,assert(RtlReleaseSRWLockShared));\n\n\t\t// Signatured.\n\t\t// I don't think the signatures will ever change, you can go with the offsets though.\n\t\t(LdrpLogInternal\t\t\t\t\t\t\t= (tLdrpLogInternal)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_INTERNAL_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_LOG_INTERNAL_PATTERN)\t\t\t\t- 1)\t,assert(LdrpLogInternal));\n\t\t(LdrpInitializeDllPath\t\t\t\t\t\t= (tLdrpInitializeDllPath)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_INITIALIZE_DLLPATH_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_INITIALIZE_DLLPATH_PATTERN)\t\t\t- 1)\t,assert(LdrpInitializeDllPath));\n\t\t(LdrpDereferenceModule\t\t\t\t\t\t= (tLdrpDereferenceModule)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DEREFERENCE_MODULE_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_DEREFERENCE_MODULE_PATTERN)\t\t\t- 1)\t,assert(LdrpDereferenceModule));\n\t\t(LdrpLogDllState\t\t\t\t\t\t\t= (tLdrpLogDllState)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_DLLSTATE_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_LOG_DLLSTATE_PATTERN)\t\t\t\t- 1)\t,assert(LdrpLogDllState));\n\t\t(LdrpPreprocessDllName\t\t\t\t\t\t= (tLdrpPreprocessDllName)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_PREPROCESS_DLLNAME_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_PREPROCESS_DLLNAME_PATTERN)\t\t\t- 1)\t,assert(LdrpPreprocessDllName));\n\t\t(LdrpFindLoadedDllByName\t\t\t\t\t= (tLdrpFindLoadedDllByName)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FIND_LOADEDDLLBYNAME_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_FIND_LOADEDDLLBYNAME_PATTERN)\t\t- 1)\t,assert(LdrpFindLoadedDllByName));\n\t\t(LdrpDrainWorkQueue\t\t\t\t\t\t\t= (tLdrpDrainWorkQueue)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DRAIN_WORKQUEUE_PATTERN,\t\t\t\t\t\tARRAYSIZE(LDRP_DRAIN_WORKQUEUE_PATTERN)\t\t\t\t- 1)\t,assert(LdrpDrainWorkQueue));\n\t\t(LdrpFindLoadedDllByHandle\t\t\t\t\t= (tLdrpFindLoadedDllByHandle)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FIND_LOADEDDLL_BYHANDLE_PATTERN,\t\t\t\tARRAYSIZE(LDRP_FIND_LOADEDDLL_BYHANDLE_PATTERN)\t\t- 1)\t,assert(LdrpFindLoadedDllByHandle));\n\t\t(LdrpDropLastInProgressCount\t\t\t\t= (tLdrpDropLastInProgressCount)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DROP_LASTINPROGRESS_COUNT_PATTERN,\t\t\tARRAYSIZE(LDRP_DROP_LASTINPROGRESS_COUNT_PATTERN)\t- 1)\t,assert(LdrpDropLastInProgressCount));\n\t\t(LdrpQueryCurrentPatch\t\t\t\t\t\t= (tLdrpQueryCurrentPatch)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_QUERY_CURRENT_PATCH_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_QUERY_CURRENT_PATCH_PATTERN)\t\t\t- 1)\t,assert(LdrpQueryCurrentPatch));\n\t\t(LdrpUndoPatchImage\t\t\t\t\t\t\t= (tLdrpUndoPatchImage)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_UNDO_PATCH_IMAGE_PATTERN,\t\t\t\t\t\tARRAYSIZE(LDRP_UNDO_PATCH_IMAGE_PATTERN)\t\t\t- 1)\t,assert(LdrpUndoPatchImage));\n\t\t(LdrpDetectDetour\t\t\t\t\t\t\t= (tLdrpDetectDetour)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DETECT_DETOUR_PATTERN,\t\t\t\t\t\tARRAYSIZE(LDRP_DETECT_DETOUR_PATTERN)\t\t\t\t- 1)\t,assert(LdrpDetectDetour));\n\t\t(LdrpFindOrPrepareLoadingModule\t\t\t\t= (tLdrpFindOrPrepareLoadingModule)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FINDORPREPARE_LOADINGMODULE_PATTERN,\t\t\tARRAYSIZE(LDRP_FINDORPREPARE_LOADINGMODULE_PATTERN) - 1)\t,assert(LdrpFindOrPrepareLoadingModule));\n\t\t(LdrpFreeLoadContext\t\t\t\t\t\t= (tLdrpFreeLoadContext)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FREE_LOAD_CONTEXT_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_FREE_LOAD_CONTEXT_PATTERN)\t\t\t- 1)\t,assert(LdrpFreeLoadContext));\n\t\t(LdrpCondenseGraph\t\t\t\t\t\t\t= (tLdrpCondenseGraph)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CONDENSE_GRAPH_PATTERN,\t\t\t\t\t\tARRAYSIZE(LDRP_CONDENSE_GRAPH_PATTERN)\t\t\t\t- 1)\t,assert(LdrpCondenseGraph));\n\t\t(LdrpBuildForwarderLink\t\t\t\t\t\t= (tLdrpBuildForwarderLink)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_BUILD_FORWARDER_LINK_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_BUILD_FORWARDER_LINK_PATTERN)\t\t- 1)\t,assert(LdrpBuildForwarderLink));\n\t\t(LdrpPinModule\t\t\t\t\t\t\t\t= (tLdrpPinModule)\t\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_PIN_MODULE_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_PIN_MODULE_PATTERN)\t\t\t\t\t- 1)\t,assert(LdrpPinModule));\n\t\t(LdrpApplyPatchImage\t\t\t\t\t\t= (tLdrpApplyPatchImage)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_APPLY_PATCH_IMAGE_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_APPLY_PATCH_IMAGE_PATTERN)\t\t\t- 1)\t,assert(LdrpApplyPatchImage));\n\t\t(LdrpFreeLoadContextOfNode\t\t\t\t\t= (tLdrpFreeLoadContextOfNode)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FREE_LOADCONTEXT_NODE_PATTERN,\t\t\t\tARRAYSIZE(LDRP_FREE_LOADCONTEXT_NODE_PATTERN)\t\t- 1)\t,assert(LdrpFreeLoadContextOfNode));\n\t\t(LdrpDecrementModuleLoadCountEx\t\t\t\t= (tLdrpDecrementModuleLoadCountEx)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DECREMENT_MODULELOADCOUNTEX_PATTERN,\t\t\tARRAYSIZE(LDRP_DECREMENT_MODULELOADCOUNTEX_PATTERN) - 1)\t,assert(LdrpDecrementModuleLoadCountEx));\n\t\t(LdrpLogError\t\t\t\t\t\t\t\t= (tLdrpLogError)\t\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_ERROR_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_LOG_ERROR_PATTERN)\t\t\t\t\t- 1)\t,assert(LdrpLogError));\n\t\t(LdrpLogDeprecatedDllEtwEvent\t\t\t\t= (tLdrpLogDeprecatedDllEtwEvent)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_DEPRECATED_DLL_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_LOG_DEPRECATED_DLL_PATTERN)\t\t\t- 1)\t,assert(LdrpLogDeprecatedDllEtwEvent));\n\t\t(LdrpLogLoadFailureEtwEvent\t\t\t\t\t= (tLdrpLogLoadFailureEtwEvent)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_LOAD_FAILURE_PATTERN,\t\t\t\t\t\tARRAYSIZE(LDRP_LOG_LOAD_FAILURE_PATTERN)\t\t\t- 1)\t,assert(LdrpLogLoadFailureEtwEvent));\n\t\t(LdrpReportError\t\t\t\t\t\t\t= (tLdrpReportError)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_REPORT_ERROR_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_REPORT_ERROR_PATTERN)\t\t\t\t- 1)\t,assert(LdrpReportError));\n\t\t(LdrpResolveDllName\t\t\t\t\t\t\t= (tLdrpResolveDllName)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_RESOLVE_DLLNAME_PATTERN,\t\t\t\t\t\tARRAYSIZE(LDRP_RESOLVE_DLLNAME_PATTERN)\t\t\t\t- 1)\t,assert(LdrpResolveDllName));\n\t\t(LdrpAppCompatRedirect\t\t\t\t\t\t= (tLdrpAppCompatRedirect)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_APP_COMPAT_REDIRECT_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_APP_COMPAT_REDIRECT_PATTERN)\t\t\t- 1)\t,assert(LdrpAppCompatRedirect));\n\t\t(LdrpHashUnicodeString\t\t\t\t\t\t= (tLdrpHashUnicodeString)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_HASH_UNICODE_STRING_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_HASH_UNICODE_STRING_PATTERN)\t\t\t- 1)\t,assert(LdrpHashUnicodeString));\n\t\t(LdrpFindExistingModule\t\t\t\t\t\t= (tLdrpFindExistingModule)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FIND_EXISTING_MODULE_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_FIND_EXISTING_MODULE_PATTERN)\t\t- 1)\t,assert(LdrpFindExistingModule));\n\t\t(LdrpLoadContextReplaceModule\t\t\t\t= (tLdrpLoadContextReplaceModule)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOADCONTEXT_REPLACE_MODULE_PATTERN,\t\t\tARRAYSIZE(LDRP_LOADCONTEXT_REPLACE_MODULE_PATTERN)\t- 1)\t,assert(LdrpLoadContextReplaceModule));\n\t\t(LdrpSearchPath\t\t\t\t\t\t\t\t= (tLdrpSearchPath)\t\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_SEARCHPATH_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_SEARCHPATH_PATTERN)\t\t\t\t\t- 1)\t,assert(LdrpSearchPath));\n\t\t(LdrpIsSecurityEtwLoggingEnabled\t\t\t= (tLdrpIsSecurityEtwLoggingEnabled)\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_ISSECURITYETW_LOGG_ENABLED_PATTERN,\t\t\tARRAYSIZE(LDRP_ISSECURITYETW_LOGG_ENABLED_PATTERN)\t- 1)\t,assert(LdrpIsSecurityEtwLoggingEnabled));\n\t\t(LdrpLogEtwDllSearchResults\t\t\t\t\t= (tLdrpLogEtwDllSearchResults)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOGETW_DLL_SEARCHRESULTS_PATTERN,\t\t\t\tARRAYSIZE(LDRP_LOGETW_DLL_SEARCHRESULTS_PATTERN)\t- 1)\t,assert(LdrpLogEtwDllSearchResults));\n\t\t(LdrpCheckForRetryLoading\t\t\t\t\t= (tLdrpCheckForRetryLoading)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CHECKFORRETRY_LOADING_PATTERN,\t\t\t\tARRAYSIZE(LDRP_CHECKFORRETRY_LOADING_PATTERN)\t\t- 1)\t,assert(LdrpCheckForRetryLoading));\n\t\t(LdrpLogEtwEvent\t\t\t\t\t\t\t= (tLdrpLogEtwEvent)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_ETWEVENT_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_LOG_ETWEVENT_PATTERN)\t\t\t\t- 1)\t,assert(LdrpLogEtwEvent));\n\t\t(LdrpCheckComponentOnDemandEtwEvent\t\t\t= (tLdrpCheckComponentOnDemandEtwEvent)\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CHECK_COMPONENTONDEMAND_PATTERN,\t\t\t\tARRAYSIZE(LDRP_CHECK_COMPONENTONDEMAND_PATTERN)\t\t- 1)\t,assert(LdrpCheckComponentOnDemandEtwEvent));\n\t\t(LdrpValidateIntegrityContinuity\t\t\t= (tLdrpValidateIntegrityContinuity)\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_VALIDATE_INTEGRITY_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_VALIDATE_INTEGRITY_PATTERN)\t\t\t- 1)\t,assert(LdrpValidateIntegrityContinuity));\n\t\t(LdrpSetModuleSigningLevel\t\t\t\t\t= (tLdrpSetModuleSigningLevel)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_SET_MODULE_SIGNINGLEVEL_PATTERN,\t\t\t\tARRAYSIZE(LDRP_SET_MODULE_SIGNINGLEVEL_PATTERN)\t\t- 1)\t,assert(LdrpSetModuleSigningLevel));\n\t\t(LdrpCodeAuthzCheckDllAllowed\t\t\t\t= (tLdrpCodeAuthzCheckDllAllowed)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CODE_AUTHZCHECKDLL_ALLOWED_PATTERN,\t\t\tARRAYSIZE(LDRP_CODE_AUTHZCHECKDLL_ALLOWED_PATTERN)\t- 1)\t,assert(LdrpCodeAuthzCheckDllAllowed));\n\t\t(LdrpGetFullPath\t\t\t\t\t\t\t= (tLdrpGetFullPath)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_GET_FULLPATH_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_GET_FULLPATH_PATTERN)\t\t\t\t- 1)\t,assert(LdrpGetFullPath));\n\t\t(LdrpAllocateUnicodeString\t\t\t\t\t= (tLdrpAllocateUnicodeString)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_ALLOCATE_UNICODESTRING_PATTERN,\t\t\t\tARRAYSIZE(LDRP_ALLOCATE_UNICODESTRING_PATTERN)\t\t- 1)\t,assert(LdrpAllocateUnicodeString));\n\t\t(LdrpAppendUnicodeStringToFilenameBuffer\t= (tLdrpAppendUnicodeStringToFilenameBuffer)Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_APPEND_UNICODETOFILENAME_PATTERN,\t\t\t\tARRAYSIZE(LDRP_APPEND_UNICODETOFILENAME_PATTERN)\t- 1)\t,assert(LdrpAppendUnicodeStringToFilenameBuffer));\n\t\t(LdrpGetNtPathFromDosPath\t\t\t\t\t= (tLdrpGetNtPathFromDosPath)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_GET_NTPATH_FROM_DOSPATH_PATTERN,\t\t\t\tARRAYSIZE(LDRP_GET_NTPATH_FROM_DOSPATH_PATTERN)\t\t- 1)\t,assert(LdrpGetNtPathFromDosPath));\n\t\t(LdrpFindLoadedDllByMappingLockHeld\t\t\t= (tLdrpFindLoadedDllByMappingLockHeld)\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FIND_LOADEDDLL_MAPLOCK_PATTERN,\t\t\t\tARRAYSIZE(LDRP_FIND_LOADEDDLL_MAPLOCK_PATTERN)\t\t- 1)\t,assert(LdrpFindLoadedDllByMappingLockHeld));\n\t\t(LdrpInsertDataTableEntry\t\t\t\t\t= (tLdrpInsertDataTableEntry)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_INSERT_DATATABLEENTRY_PATTERN,\t\t\t\tARRAYSIZE(LDRP_INSERT_DATATABLEENTRY_PATTERN)\t\t- 1)\t,assert(LdrpInsertDataTableEntry));\n\t\t(LdrpInsertModuleToIndexLockHeld\t\t\t= (tLdrpInsertModuleToIndexLockHeld)\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_INSERT_MODTOIDX_LOCKHELD_PATTERN,\t\t\t\tARRAYSIZE(LDRP_INSERT_MODTOIDX_LOCKHELD_PATTERN)\t- 1)\t,assert(LdrpInsertModuleToIndexLockHeld));\n\t\t(LdrpLogEtwHotPatchStatus\t\t\t\t\t= (tLdrpLogEtwHotPatchStatus)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOGETW_HOTPATCHSTATUS_PATTERN,\t\t\t\tARRAYSIZE(LDRP_LOGETW_HOTPATCHSTATUS_PATTERN)\t\t- 1)\t,assert(LdrpLogEtwHotPatchStatus));\n\t\t(LdrpLogNewDllLoad\t\t\t\t\t\t\t= (tLdrpLogNewDllLoad)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_NEWDLL_LOAD_PATTERN,\t\t\t\t\t\tARRAYSIZE(LDRP_LOG_NEWDLL_LOAD_PATTERN)\t\t\t\t- 1)\t,assert(LdrpLogNewDllLoad));\n\t\t(LdrpProcessMachineMismatch\t\t\t\t\t= (tLdrpProcessMachineMismatch)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_PROCESS_MACHINE_MISMATCH_PATTERN,\t\t\t\tARRAYSIZE(LDRP_PROCESS_MACHINE_MISMATCH_PATTERN)\t- 1)\t,assert(LdrpProcessMachineMismatch));\n\t\t(RtlQueryImageFileKeyOption\t\t\t\t\t= (tRtlQueryImageFileKeyOption)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, RTL_QUERY_IMAGEFILE_KEYOPT_PATTERN,\t\t\t\tARRAYSIZE(RTL_QUERY_IMAGEFILE_KEYOPT_PATTERN)\t\t- 1)\t,assert(RtlQueryImageFileKeyOption));\n\t\t(RtlpImageDirectoryEntryToDataEx\t\t\t= (tRtlpImageDirectoryEntryToDataEx)\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, RTLP_IMAGEDIR_ENTRYTODATA_PATTERN,\t\t\t\t\tARRAYSIZE(RTLP_IMAGEDIR_ENTRYTODATA_PATTERN)\t\t- 1)\t,assert(RtlpImageDirectoryEntryToDataEx));\n\t\t(LdrpLogDllRelocationEtwEvent\t\t\t\t= (tLdrpLogDllRelocationEtwEvent)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_DLLRELOCATION_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_LOG_DLLRELOCATION_PATTERN)\t\t\t- 1)\t,assert(LdrpLogDllRelocationEtwEvent));\n\t\t(LdrpNotifyLoadOfGraph\t\t\t\t\t\t= (tLdrpNotifyLoadOfGraph)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_NOTIFY_LOADOFGRAPH_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_NOTIFY_LOADOFGRAPH_PATTERN)\t\t\t- 1)\t,assert(LdrpNotifyLoadOfGraph));\n\t\t(LdrpDynamicShimModule\t\t\t\t\t\t= (tLdrpDynamicShimModule)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DYNAMIC_SHIMMODULE_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_DYNAMIC_SHIMMODULE_PATTERN)\t\t\t- 1)\t,assert(LdrpDynamicShimModule));\n\t\t(LdrpAcquireLoaderLock\t\t\t\t\t\t= (tLdrpAcquireLoaderLock)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_ACQUIRE_LOADERLOCK_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_ACQUIRE_LOADERLOCK_PATTERN)\t\t\t- 1)\t,assert(LdrpAcquireLoaderLock));\n\t\t(LdrpReleaseLoaderLock\t\t\t\t\t\t= (tLdrpReleaseLoaderLock)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_RELEASE_LOADER_LOCK_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_RELEASE_LOADER_LOCK_PATTERN)\t\t\t- 1)\t,assert(LdrpReleaseLoaderLock));\n\t\t(LdrpCheckPagesForTampering\t\t\t\t\t= (tLdrpCheckPagesForTampering)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CHECKPAGES_FOR_TAMPERING_PATTERN,\t\t\t\tARRAYSIZE(LDRP_CHECKPAGES_FOR_TAMPERING_PATTERN)\t- 1)\t,assert(LdrpCheckPagesForTampering));\n\t\t(LdrpLoadDependentModuleA\t\t\t\t\t= (tLdrpLoadDependentModuleA)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOAD_DEPENDENTMODULEA_PATTERN,\t\t\t\tARRAYSIZE(LDRP_LOAD_DEPENDENTMODULEA_PATTERN)\t\t- 1)\t,assert(LdrpLoadDependentModuleA));\n\t\t(LdrpLoadDependentModuleW\t\t\t\t\t= (tLdrpLoadDependentModuleW)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOAD_DEPENDENTMODULEW_PATTERN,\t\t\t\tARRAYSIZE(LDRP_LOAD_DEPENDENTMODULEW_PATTERN)\t\t- 1)\t,assert(LdrpLoadDependentModuleW));\n\t\t(LdrpQueueWork\t\t\t\t\t\t\t\t= (tLdrpQueueWork)\t\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_QUEUE_WORK_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_QUEUE_WORK_PATTERN)\t\t\t\t\t- 1)\t,assert(LdrpQueueWork));\n\t\t(LdrpHandleTlsData\t\t\t\t\t\t\t= (tLdrpHandleTlsData)\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_HANDLE_TLSDATA_PATTERN,\t\t\t\t\t\tARRAYSIZE(LDRP_HANDLE_TLSDATA_PATTERN)\t\t\t\t- 1)\t,assert(LdrpHandleTlsData));\n\t\t(LdrControlFlowGuardEnforcedWithExportSuppression = (tLdrControlFlowGuardEnforcedWithExportSuppression)Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDR_CONTROLFLOWGUARD_ENFEXP_PATTERN,ARRAYSIZE(LDR_CONTROLFLOWGUARD_ENFEXP_PATTERN)\t\t- 1)\t,assert(LdrControlFlowGuardEnforcedWithExportSuppression));\n\t\t(LdrpUnsuppressAddressTakenIat\t\t\t\t= (tLdrpUnsuppressAddressTakenIat)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_UNSUPPRESS_ADDRESSIAT_PATTERN,\t\t\t\tARRAYSIZE(LDRP_UNSUPPRESS_ADDRESSIAT_PATTERN)\t\t- 1)\t,assert(LdrpUnsuppressAddressTakenIat));\n\t\t(LdrControlFlowGuardEnforced\t\t\t\t= (tLdrControlFlowGuardEnforced)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDR_CONTROLFLOWGUARD_ENF_PATTERN,\t\t\t\t\tARRAYSIZE(LDR_CONTROLFLOWGUARD_ENF_PATTERN)\t\t\t- 1)\t,assert(LdrControlFlowGuardEnforced));\n\t\t(RtlpxLookupFunctionTable\t\t\t\t\t= (tRtlpxLookupFunctionTable)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, RTLP_LOOKUP_FUNCTIONTABLE_PATTERN,\t\t\t\t\tARRAYSIZE(RTLP_LOOKUP_FUNCTIONTABLE_PATTERN)\t\t- 1)\t,assert(RtlpxLookupFunctionTable));\n\t\t(LdrpCheckRedirection\t\t\t\t\t\t= (tLdrpCheckRedirection)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CHECK_REDIRECTION_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_CHECK_REDIRECTION_PATTERN)\t\t\t- 1)\t,assert(LdrpCheckRedirection));\n\t\t(CompatCachepLookupCdb\t\t\t\t\t\t= (tCompatCachepLookupCdb)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, COMPAT_CACHE_LOOKUPCDB_PATTERN,\t\t\t\t\tARRAYSIZE(COMPAT_CACHE_LOOKUPCDB_PATTERN)\t\t\t- 1)\t,assert(CompatCachepLookupCdb));\n\t\t(LdrpGenRandom\t\t\t\t\t\t\t\t= (tLdrpGenRandom)\t\t\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_GEN_RANDOM_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_GEN_RANDOM_PATTERN)\t\t\t\t\t- 1)\t,assert(LdrpGenRandom));\n\t\t(LdrInitSecurityCookie\t\t\t\t\t\t= (tLdrInitSecurityCookie)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDR_INIT_SECURITY_COOKIE_PATTERN,\t\t\t\t\tARRAYSIZE(LDR_INIT_SECURITY_COOKIE_PATTERN)\t\t\t- 1)\t,assert(LdrInitSecurityCookie));\n\t\t(LdrpCfgProcessLoadConfig\t\t\t\t\t= (tLdrpCfgProcessLoadConfig)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CFG_PROCESS_LOADCFG_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_CFG_PROCESS_LOADCFG_PATTERN)\t\t\t- 1)\t,assert(LdrpCfgProcessLoadConfig));\n\t\t(RtlInsertInvertedFunctionTable\t\t\t\t= (tRtlInsertInvertedFunctionTable)\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, RTL_INSERT_INV_FUNCTIONTABLE_PATTERN,\t\t\t\tARRAYSIZE(RTL_INSERT_INV_FUNCTIONTABLE_PATTERN)\t\t- 1)\t,assert(RtlInsertInvertedFunctionTable));\n\t\t(LdrpSignalModuleMapped\t\t\t\t\t\t= (tLdrpSignalModuleMapped)\t\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_SIGNAL_MODULEMAPPED_PATTERN,\t\t\t\t\tARRAYSIZE(LDRP_SIGNAL_MODULEMAPPED_PATTERN)\t\t\t- 1)\t,assert(LdrpSignalModuleMapped));\n\t\t(AVrfDllLoadNotification\t\t\t\t\t= (tAVrfDllLoadNotification)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, AVRF_DLL_LOADNOTIFICATION_PATTERN,\t\t\t\t\tARRAYSIZE(AVRF_DLL_LOADNOTIFICATION_PATTERN)\t\t- 1)\t,assert(AVrfDllLoadNotification));\n\t\t(LdrpSendDllNotifications\t\t\t\t\t= (tLdrpSendDllNotifications)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_SEND_DLLNOTIFICATIONS_PATTERN,\t\t\t\tARRAYSIZE(LDRP_SEND_DLLNOTIFICATIONS_PATTERN)\t\t- 1)\t,assert(LdrpSendDllNotifications));\n\t\t(LdrpCallTlsInitializers\t\t\t\t\t= (tLdrpCallTlsInitializers)\t\t\t\tHelper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CALL_TLSINIT_PATTERN,\t\t\t\t\t\t\tARRAYSIZE(LDRP_CALL_TLSINIT_PATTERN)\t\t\t\t- 1)\t,assert(LdrpCallTlsInitializers));\n\n\t\tWID_DBG(TEXT(\"[WID] >> Initialized.\\n\"));\n\n\t\tbInitialized = TRUE;\n\t\treturn STATUS_SUCCESS;\n\t}\n\n\tWID_DBG(TEXT(\"[WID] >> Already initialized.\\n\"));\n\treturn STATUS_SUCCESS;\n}\n\nPVOID WID::Helper::SigScan(PCHAR StartAddress, SIZE_T Len, PCHAR Pattern, SIZE_T PatternLen)\n{\n\tbool Found = TRUE;\n\tfor (int i1 = 0; i1 < Len; i1++)\n\t{\n\t\tFound = TRUE;\n\t\tfor (int i2 = 0; i2 < PatternLen; i2++)\n\t\t{\n\t\t\tif (Pattern[i2] != 0x90 && StartAddress[i1 + i2] != Pattern[i2])\n\t\t\t{\n\t\t\t\tFound = FALSE;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tif (Found)\n\t\t\treturn StartAddress + i1;\n\t}\n\n\treturn nullptr;\n}" }, { "path": "Src/WID.h", "content": "#pragma once\n\n#include \"Includes.h\"\n\n#include \"Functions/KERNEL32.h\"\n#include \"Functions/NT.h\"\n#include \"Functions/Undocumented.h\"\n#include \"Loader/Loader.h\"\n\n#ifdef _DEBUG\n#ifdef UNICODE\n#define WID_DBG wprintf\n#else\n#define WID_DBG printf\n#endif\n#else\n#define WID_DBG ;\n#endif\n#define WID_HIDDEN(x) { if(CreationInfo.LoadType == LOADTYPE::DEFAULT){x} }\n\nnamespace WID\n{\n\textern BOOLEAN bInitialized;\n\n\textern MODULEINFO Kernel32ModuleInfo;\n\textern MODULEINFO KernelBaseModuleInfo;\n\textern MODULEINFO NtdllModuleInfo;\n\n\tNTSTATUS Init();\n\n\tnamespace Helper\n\t{\n\t\tPVOID SigScan(PCHAR StartAddress, SIZE_T Len, PCHAR Pattern, SIZE_T PatternLen);\n\t}\n}" }, { "path": "WID_LoadLibrary.sln", "content": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 17\nVisualStudioVersion = 17.4.33213.308\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"WID_LoadLibrary\", \"WID_LoadLibrary.vcxproj\", \"{096D6383-D4DE-494B-B324-A925C690CD93}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{096D6383-D4DE-494B-B324-A925C690CD93}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{096D6383-D4DE-494B-B324-A925C690CD93}.Debug|x64.Build.0 = Debug|x64\n\t\t{096D6383-D4DE-494B-B324-A925C690CD93}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{096D6383-D4DE-494B-B324-A925C690CD93}.Debug|x86.Build.0 = Debug|Win32\n\t\t{096D6383-D4DE-494B-B324-A925C690CD93}.Release|x64.ActiveCfg = Release|x64\n\t\t{096D6383-D4DE-494B-B324-A925C690CD93}.Release|x64.Build.0 = Release|x64\n\t\t{096D6383-D4DE-494B-B324-A925C690CD93}.Release|x86.ActiveCfg = Release|Win32\n\t\t{096D6383-D4DE-494B-B324-A925C690CD93}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {C5486FDA-3A69-4FF4-9FD5-4DCF94799F68}\n\tEndGlobalSection\nEndGlobal\n" }, { "path": "WID_LoadLibrary.vcxproj", "content": "\n\n \n \n Debug\n Win32\n \n \n Release\n Win32\n \n \n Debug\n x64\n \n \n Release\n x64\n \n \n \n 17.0\n {096D6383-D4DE-494B-B324-A925C690CD93}\n Win32Proj\n \n \n \n Application\n true\n v143\n \n \n Application\n false\n v143\n \n \n Application\n true\n v143\n Unicode\n \n \n Application\n false\n v143\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n true\n \n \n true\n \n \n \n WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)\n MultiThreadedDebugDLL\n Level3\n ProgramDatabase\n Disabled\n \n \n MachineX86\n true\n Console\n \n \n \n \n WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)\n MultiThreadedDLL\n Level3\n ProgramDatabase\n \n \n MachineX86\n true\n Console\n true\n true\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n Document\n \n \n \n \n \n \n" }, { "path": "WID_LoadLibrary.vcxproj.filters", "content": "\n\n \n \n {4FC737F1-C7A5-4376-A066-2A32D752A2FF}\n cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx\n \n \n {93995380-89BD-4b04-88EB-625FBE52EBFB}\n h;hh;hpp;hxx;hm;inl;inc;xsd\n \n \n {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}\n rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav\n \n \n \n \n Source Files\n \n \n Source Files\n \n \n Source Files\n \n \n Source Files\n \n \n Source Files\n \n \n \n \n Header Files\n \n \n Header Files\n \n \n Header Files\n \n \n Header Files\n \n \n Header Files\n \n \n Header Files\n \n \n \n \n Source Files\n \n \n" } ]