Here is a basic diagram to show what functions are called in order to load a module into a process (maybe not exact represantation).
The path was given absolute and no flags were given
## LoadLibraryA ```cpp HMODULE __fastcall LOADLIBRARY::fLoadLibraryA(LPCSTR lpLibFileName) { // If no path was given. if (!lpLibFileName) //return LoadLibraryExA(lpLibFileName, 0, 0); return NULL; // If path isn't 'twain_32.dll' // This is where our LoadLibrary calls mostly end up. if (_stricmp(lpLibFileName, "twain_32.dll")) return fLoadLibraryExA(lpLibFileName, 0, 0); // If path is 'twain_32.dll' // Windows probably uses this to make itself a shortcut, while we are using it the code won't reach here. PCHAR Heap = (PCHAR)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, *KernelBaseGlobalData, MAX_PATH); if (!Heap) return fLoadLibraryExA(lpLibFileName, 0, 0); HMODULE Module; // Heap receives the Windows path (def: C:\Windows) // The BufferSize check made against GetWindowsDirectoryA is to see if it actually received. If it's bigger than BufferSize // then GetWindowsDirectoryA returned the size needed (in summary it fails) // If this check doesn't fail '\twain_32.dll' is appended to the Windows path (def: C:\Windows\twain_32.dll) // Then this final module is loaded into the program. // If it can't load, it tries to load it directly and returns from there. if (GetWindowsDirectoryA(Heap, 0xF7) - 1 > 0xF5 || (strncat_s(Heap, MAX_PATH, "\\twain_32.dll", strlen("\\twain_32.dll")), (Module = fLoadLibraryA(Heap)) == 0)) { RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap); return fLoadLibraryExA(lpLibFileName, 0, 0); } RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Heap); return Module; } ``` In our use case it's just a small wrapper around LoadLibraryExA. Other way around you can see it provides a shortcut mechanism for loading "**twain_32.dll**".
## LoadLibraryW ```cpp HMODULE __fastcall LOADLIBRARY::fLoadLibraryW(LPCWSTR lpLibFileName) { return fLoadLibraryExW(lpLibFileName, 0, 0); } ``` A wrapper for LoadLibraryExW.
## LoadLibraryExA ```cpp HMODULE __fastcall LOADLIBRARY::fLoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags) { UNICODE_STRING Unicode; if (!Basep8BitStringToDynamicUnicodeString(&Unicode, lpLibFileName)) return NULL; HMODULE Module = fLoadLibraryExW(Unicode.Buffer, hFile, dwFlags); RtlFreeUnicodeString(&Unicode); return Module; } ``` Converts our ANSI given lpLibFileName into Unicode then calls LoadLibraryExW with it. In summary it's a wrapper for LoadLibraryExW, that's what I meant when I said all of the 4 functions end up in LoadLibraryExW.
## LoadLibraryExW ```cpp HMODULE __fastcall LOADLIBRARY::fLoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags) { NTSTATUS Status; DWORD ConvertedFlags; HMODULE BaseOfLoadedDll; DWORD DatafileFlags = dwFlags & LLEXW_ASDATAFILE; // If no DllName was given OR hFile was given (msdn states that hFile must be 0) OR dwFlags is set to an unknown value OR *both* the Datafile flags are set (they cannot be used together). if (!lpLibFileName || hFile || ((dwFlags & 0xFFFF0000) != 0) || (DatafileFlags == LLEXW_ASDATAFILE)) { BaseSetLastNTError(STATUS_INVALID_PARAMETER); return NULL; } UNICODE_STRING DllName; Status = RtlInitUnicodeStringEx(&DllName, lpLibFileName); if (!NT_SUCCESS(Status)) { BaseSetLastNTError(Status); return NULL; } USHORT DllNameLen = DllName.Length; if (!DllName.Length) { BaseSetLastNTError(STATUS_INVALID_PARAMETER); return NULL; } // If the DllName given had empty (space) chars as their last chars, this do-while loop excludes them and sets the excluded length. do { DWORD WchAmount = DllNameLen / 2; if (DllName.Buffer[WchAmount - 1] != ' ' /* 0x20 is space char */) break; DllNameLen -= 2; DllName.Length = DllNameLen; } while (DllNameLen != 2); // In case the above do-while loop misbehaves. if (DllNameLen == 0) { BaseSetLastNTError(STATUS_INVALID_PARAMETER); return NULL; } BaseOfLoadedDll = 0; // If the dll is not getting loaded as a datafile. if ((dwFlags & LLEXW_ISDATAFILE) == 0) { // Converts the actual flags into it's own flag format. Most flags are discarded (only used if loaded as datafile). // Only flags that can go through are DONT_RESOLVE_DLL_REFERENCES, LOAD_PACKAGED_LIBRARY, LOAD_LIBRARY_REQUIRE_SIGNED_TARGET and LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY ConvertedFlags = 0; if ((dwFlags & DONT_RESOLVE_DLL_REFERENCES) != 0) ConvertedFlags |= CNVTD_DONT_RESOLVE_DLL_REFERENCES; if ((dwFlags & LOAD_PACKAGED_LIBRARY) != 0) ConvertedFlags |= LOAD_PACKAGED_LIBRARY; if ((dwFlags & LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) != 0) ConvertedFlags |= CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET; if ((dwFlags & LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY) != 0) ConvertedFlags |= CNVTD_LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY; // Evaluates dwFlags to get meaningful flags, includes DONT_RESOLVE_DLL_REFERENCES finally. // But it doesn't matter because the first param LdrLoadDll takes actually a (PWCHAR PathToFile), so I have no idea why that's done. Status = fLdrLoadDll((PWCHAR)((dwFlags & LLEXW_7F08) | 1), &ConvertedFlags, &DllName, (PVOID*)&BaseOfLoadedDll); if (NT_SUCCESS(Status)) return BaseOfLoadedDll; BaseSetLastNTError(Status); return NULL; } PWSTR Path; PWSTR Unknown; // Gets the Dll path. Status = LdrGetDllPath(DllName.Buffer, (dwFlags & LLEXW_7F08), &Path, &Unknown); if (!NT_SUCCESS(Status)) { BaseSetLastNTError(Status); return NULL; } // First step into loading a module as datafile. Status = fBasepLoadLibraryAsDataFileInternal(&DllName, Path, Unknown, dwFlags, &BaseOfLoadedDll); // If the Status is only success (excludes warnings) AND if the module is image resource, loads again. I don't know why. if (NT_SUCCESS(Status + 0x80000000) && Status != STATUS_NO_SUCH_FILE && (dwFlags & LOAD_LIBRARY_AS_IMAGE_RESOURCE)) { if (DatafileFlags) Status = fBasepLoadLibraryAsDataFileInternal(&DllName, Path, Unknown, DatafileFlags, &BaseOfLoadedDll); } RtlReleasePath(Path); BaseSetLastNTError(Status); return NULL; } ``` Converts our given flags to it's own converted flags and calls LdrLoadDll, other way around requires the dll to be loaded as a datafile, which we are not interested in right now.
## LdrLoadDll ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrLoadDll(PWSTR DllPath, PULONG pFlags, PUNICODE_STRING DllName, PVOID* BaseAddress) { NTSTATUS Status; // DllPath can also be used as Flags if called from LoadLibraryExW UINT_PTR FlagUsed = 0; if (pFlags) { // Only flags that could go through *LoadLibraryExW* were; // CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) // LOAD_PACKAGED_LIBRARY (0x4) // CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x800000) // CNVTD_LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY (0x80000000) // So I am assuming the rest of the flags are 0. UINT_PTR ActualFlags = *pFlags; // If LOAD_PACKAGED_LIBRARY (0x4) flag is set (1) FlagUsed becomes CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2), if not set (0) FlagUsed becomes 0. FlagUsed = CNVTD_DONT_RESOLVE_DLL_REFERENCES * (ActualFlags & LOAD_PACKAGED_LIBRARY); // (MSDN about DONT_RESOLVE_DLL_REFERENCES) Note Do not use this value; it is provided only for backward compatibility. // If you are planning to access only data or resources in the DLL, use LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE // or LOAD_LIBRARY_AS_IMAGE_RESOURCE or both. Otherwise, load the library as a DLL or executable module using the LoadLibrary function. FlagUsed |= ((ActualFlags & CNVTD_DONT_RESOLVE_DLL_REFERENCES) ? LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE : NULL); FlagUsed |= ((ActualFlags & CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) ? LOAD_LIBRARY_REQUIRE_SIGNED_TARGET : NULL); // Ignored because ActualFlags can't have 0x1000 (if called from LoadLibraryExW), this value is used probably in calls from different functions. FlagUsed |= ((ActualFlags & 0x1000) ? 0x100 : 0x0); // Ignored because ActualFlags can't be negative (if called from LoadLibraryExW), this value is used probably in calls from different functions. FlagUsed |= ((ActualFlags < 0) ? 0x400000 : 0x0); // To sum up, in case we are called from LoadLibraryExW, the most flags we can have are; // CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80) } WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0x244, "LdrLoadDll", 3u, "DLL name: %wZ\n", DllName); ) if ((*LdrpPolicyBits & 4) == 0 && ((USHORT)DllPath & LLDLL_401) == LLDLL_401) return STATUS_INVALID_PARAMETER; // In here it will go in by the first condition, because 8 couldn't be set by LoadLibraryExW. if ((FlagUsed & LOAD_WITH_ALTERED_SEARCH_PATH) == 0 || (*LdrpPolicyBits & 8) != 0) { // If the current thread is a Worker Thread it fails. if (NtCurrentTeb()->SameTebFlags & LoaderWorker) { Status = STATUS_INVALID_THREAD; } else { LDR_UNKSTRUCT DllPathInited; // There's another LdrpLogInternal inside this function, gonna mess with that later on. LdrpInitializeDllPath(DllName->Buffer, DllPath, &DllPathInited); LDR_DATA_TABLE_ENTRY* DllEntry; Status = fLdrpLoadDll(DllName, &DllPathInited, FlagUsed, &DllEntry); if (DllPathInited.IsInitedMaybe) RtlReleasePath(DllPathInited.pInitNameMaybe); if (NT_SUCCESS(Status)) { // Changes the actual return value and dereferences the module. *BaseAddress = DllEntry->DllBase; LdrpDereferenceModule(DllEntry); } } } else { // LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 601, "LdrLoadDll", 0, &LdrEntry[176]); WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0x259, "LdrLoadDll", 0, "Nonpackaged process attempted to load a packaged DLL.\n"); ) Status = STATUS_NO_APPLICATION_PACKAGE; } WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0x279, "LdrLoadDll", 4, "Status: 0x%08lx\n", Status); ) return Status; } ``` Flags are re-converted, a check is made to see if the current thread is a worker thread, our path is initialized then LdrpLoadDll is getting called.
## LdrpLoadDll ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpLoadDll(PUNICODE_STRING DllName, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, LDR_DATA_TABLE_ENTRY** DllEntry) { NTSTATUS Status; WID_HIDDEN( LdrpLogDllState(0, DllName, 0x14A8); ) // Flags is passed by value so no need to create a backup, it's already a backup by itself. // MOST FLAGS = CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80) // Creates a new unicode_string and allocates it some buffer. UNICODE_STRING FullDllPath; WCHAR Buffer[128]; FullDllPath.Length = 0; FullDllPath.MaximumLength = MAX_PATH - 4; FullDllPath.Buffer = Buffer; Buffer[0] = 0; // Returns the Absolute path // If a non-relative path was given then the flags will be ORed with LOAD_LIBRARY_SEARCH_APPLICATION_DIR (0x200) | LOAD_LIBRARY_SEARCH_USER_DIRS (0x400) // resulting in the MOST FLAGS being: // CNVTD_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80) | // LOAD_LIBRARY_SEARCH_APPLICATION_DIR (0x200) | LOAD_LIBRARY_SEARCH_USER_DIRS (0x400) Status = LdrpPreprocessDllName(DllName, &FullDllPath, 0, &Flags); if (NT_SUCCESS(Status)) // A even deeper function, by far we can see Windows is kinda all *wrapped* around each other. fLdrpLoadDllInternal(&FullDllPath, DllPathInited, Flags, ImageDll, 0, 0, DllEntry, &Status, 0); if (Buffer != FullDllPath.Buffer) NtdllpFreeStringRoutine(FullDllPath.Buffer); // I don't see no point in this but anyways. FullDllPath.Length = 0; FullDllPath.MaximumLength = MAX_PATH - 4; FullDllPath.Buffer = Buffer; Buffer[0] = 0; WID_HIDDEN( LdrpLogDllState(0, DllName, 0x14A9); ) return Status; } ``` A fairly smaller one than the last, the main purpose of it is to divide our path given into meaningful parts by LdrpPreprocessDllName then calling LdrpLoadDllInternal using that.
## LdrpLoadDllInternal ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpLoadDllInternal(PUNICODE_STRING FullPath, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, ULONG LdrFlags, PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2, PLDR_DATA_TABLE_ENTRY* DllEntry, NTSTATUS* pStatus, ULONG Zero) { NTSTATUS Status; // NOTES: // I assumed that LdrFlags (which was sent as 0x4 (ImageDll) by LdrpLoadDll) is the same flags inside LDR_DATA_TABLE_ENTRY. // LdrEntry & LdrEntry2 were both sent as 0s by LdrpLoadDll. // // Instead of using gotos which causes the local variables to be initialized in the start of the function (making it look not good in my opinion) // I created a do-while loop. The outcome won't be affected. // // MOST FLAGS = CONVERTED_DONT_RESOLVE_DLL_REFERENCES (0x2) | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE (0x40) | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (0x80) // LOAD_LIBRARY_SEARCH_APPLICATION_DIR (0x200) | LOAD_LIBRARY_SEARCH_USER_DIRS (0x400) WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0x379, "LdrpLoadDllInternal", 3, "DLL name: %wZ\n", FullPath); ) bool IsWorkerThread = false; do { *DllEntry = 0; LdrEntry = LdrEntry2; // This will go in. if (LdrFlags != (PackagedBinary | LoadNotificationsSent)) { // This function does some prior setup, incrementing the module load count is done inside here. Status = LdrpFastpthReloadedDll(FullPath, Flags, LdrEntry2, DllEntry); // returns STATUS_DLL_NOT_FOUND in normal circumstances. // If not an actual nt success (excludes warnings) if (!(NT_SUCCESS((int)(Status + 0x80000000))) || Status == STATUS_IMAGE_LOADED_AS_PATCH_IMAGE) { *pStatus = Status; break; } } IsWorkerThread = ((NtCurrentTeb()->SameTebFlags & LoadOwner) == 0); if (IsWorkerThread) LdrpDrainWorkQueue(WaitLoadComplete); // This won't go in so we can ignore it. I still did simplifying though. // Because the LdrFlags was sent 0x4 (ImageDll), we can ignore this one. if (LdrFlags == (PackagedBinary | LoadNotificationsSent)) { Status = LdrpFindLoadedDllByHandle(Zero, &LdrEntry, 0); if (!NT_SUCCESS(Status)) { if (FullPath->Buffer) LdrpFreeUnicodeString(FullPath); *pStatus = Status; if (IsWorkerThread) LdrpDropLastInProgressCount(); break; } if (LdrEntry->HotPatchState == LdrHotPatchFailedToPatch) { Status = STATUS_PATCH_CONFLICT; // goto FREE_DLLNAMEPREPROCANDRETURN; if (FullPath->Buffer) LdrpFreeUnicodeString(FullPath); *pStatus = Status; if (IsWorkerThread) LdrpDropLastInProgressCount(); break; } Status = LdrpQueryCurrentPatch(LdrEntry->CheckSum, LdrEntry->TimeDateStamp, FullPath); if (!NT_SUCCESS(Status)) { // goto FREE_DLLNAMEPREPROCANDRETURN; if (FullPath->Buffer) LdrpFreeUnicodeString(FullPath); *pStatus = Status; if (IsWorkerThread) LdrpDropLastInProgressCount(); break; } if (!FullPath->Length) { if (LdrEntry->ActivePatchImageBase) Status = LdrpUndoPatchImage(LdrEntry); // goto FREE_DLLNAMEPREPROCANDRETURN; if (FullPath->Buffer) LdrpFreeUnicodeString(FullPath); *pStatus = Status; if (IsWorkerThread) LdrpDropLastInProgressCount(); break; } // LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0x3FA, "LdrpLoadDllInternal", 2u, &::LdrEntry[232], FullPath); WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0x3FA, "LdrpLoadDllInternal", 2, "Loading patch image: %wZ\n", FullPath); ) } // Opens a token to the current thread and sets GLOBAL variable LdrpMainThreadToken with that token. LdrpThreadTokenSetMainThreadToken(); // returns STATUS_NO_TOKEN in normal circumstances. LDR_DATA_TABLE_ENTRY* pLdrEntryLoaded = 0; // This will go in by the first check LdrEntry2 because it was sent as 0 in LdrpLoadDll. if (!LdrEntry || !IsWorkerThread || LdrEntry->DdagNode->LoadCount) { // I checked the function, it detects a hook by byte scanning these following functions; // • ntdll!NtOpenFile // • ntdll!NtCreateSection // • ntdll!ZqQueryAttributes // • ntdll!NtOpenSection // • ntdll!ZwMapViewOfSection // Resulting in the global variable LdrpDetourExist to be set if there's a hook, didn't checked what's done with it though. LdrpDetectDetour(); // [IGNORE THIS] Finds the module, increments the loaded module count. [IGNORE THIS] // [IGNORE THIS] It can go to another direction if the Flag LOAD_LIBRARY_SEARCH_APPLICATION_DIR was set, but that couldn't be set coming from LoadLibraryExW. [IGNORE THIS] // If LoadLibrary was given an absolute path, Flags will have LOAD_LIBRARY_SEARCH_APPLICATION_DIR causing this function to call LdrpLoadKnownDll. // In our case LdrpFindOrPrepareLoadingModule actually returns STATUS_DLL_NOT_FOUND, which I thought was a bad thing but after checking up inside // inside LdrpProcessWork it didn't looked that bad. // So our dll loading part is actually inside LdrpProcessWork (for calling LoadLibraryExW with an absolute path and 0 flags at least) //Status = LdrpFindOrPrepareLoadingModule(FullPath, DllPathInited, Flags, LdrFlags, LdrEntry, &pLdrEntryLoaded, pStatus); Status = LdrpFindOrPrepareLoadingModule(FullPath, DllPathInited, Flags, LdrFlags, LdrEntry, &pLdrEntryLoaded, pStatus); if (Status == STATUS_DLL_NOT_FOUND) // Even if the DllMain call succeeds, there's still runtime bugs on the dll side, like the dll not being able to unload itself and such. So I still got // a lot of work to do. fLdrpProcessWork(pLdrEntryLoaded->LoadContext, TRUE); else if (Status != STATUS_RETRY && !NT_SUCCESS(Status)) *pStatus = Status; } else { *pStatus = STATUS_DLL_NOT_FOUND; } LdrpDrainWorkQueue(WaitWorkComplete); if (*LdrpMainThreadToken) // Closes the token handle, and sets GLOBAL variable LdrpMainThreadToken to 0. LdrpThreadTokenUnsetMainThreadToken(); if (pLdrEntryLoaded) { *DllEntry = LdrpHandleReplacedModule(pLdrEntryLoaded); if (pLdrEntryLoaded != *DllEntry) { LdrpFreeReplacedModule(pLdrEntryLoaded); pLdrEntryLoaded = *DllEntry; if (pLdrEntryLoaded->LoadReason == LoadReasonPatchImage && LdrFlags != (PackagedBinary | LoadNotificationsSent)) *pStatus = STATUS_IMAGE_LOADED_AS_PATCH_IMAGE; } if (pLdrEntryLoaded->LoadContext) LdrpCondenseGraph(pLdrEntryLoaded->DdagNode); if (NT_SUCCESS(*pStatus)) { // [IGNORE THIS] In here I realized that the module must have already been loaded to be prepared for execution. // [IGNORE THIS] So I've gone a little back and realized the actual loading was done in the LdrpDrainWorkQueue function. // Doing more research revealed it was inside LdrpProcessWork after LdrpFindOrPrepareLoadingModule returning STATUS_DLL_NOT_FOUND. Status = fLdrpPrepareModuleForExecution(pLdrEntryLoaded, pStatus); *pStatus = Status; if (NT_SUCCESS(Status)) { Status = LdrpBuildForwarderLink(LdrEntry, pLdrEntryLoaded); *pStatus = Status; if (NT_SUCCESS(Status) && !*LdrInitState) LdrpPinModule(pLdrEntryLoaded); } // Because the LdrFlags was sent 0x4 (ImageDll), we can ignore this one too. if (LdrFlags == (PackagedBinary | LoadNotificationsSent) && LdrEntry->ActivePatchImageBase != pLdrEntryLoaded->DllBase) { if (pLdrEntryLoaded->HotPatchState == LdrHotPatchFailedToPatch) { *pStatus = STATUS_DLL_INIT_FAILED; } else { Status = LdrpApplyPatchImage(pLdrEntryLoaded); *pStatus = Status; if (!NT_SUCCESS(Status)) { //UNICODE_STRING Names[4]; //Names[0] = pLdrEntryLoaded->FullDllName; //WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0x4AF, "LdrpLoadDllInternal", 0, "Applying patch \"%wZ\" failed\n", Names); ) WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0x4AF, "LdrpLoadDllInternal", 0, "Applying patch \"%wZ\" failed\n", pLdrEntryLoaded->FullDllName); ) } } } } LdrpFreeLoadContextOfNode(pLdrEntryLoaded->DdagNode, pStatus); if (!NT_SUCCESS(*pStatus) && (LdrFlags != (PackagedBinary | LoadNotificationsSent) || pLdrEntryLoaded->HotPatchState != LdrHotPatchAppliedReverse)) { *DllEntry = 0; LdrpDecrementModuleLoadCountEx(pLdrEntryLoaded, 0); LdrpDereferenceModule(pLdrEntryLoaded); } } else { *pStatus = STATUS_NO_MEMORY; } } while (FALSE); // LoadNotificationsSent (0x8) | PackagedBinary (0x1) // Because the LdrFlags was sent 0x4 (ImageDll), we can ignore this one too. if (LdrFlags == (LoadNotificationsSent | PackagedBinary) && LdrEntry) LdrpDereferenceModule(LdrEntry); // Actually returns what LdrpLogInternal returns. WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0x52E, "LdrpLoadDllInternal", 4, "Status: 0x%08lx\n", *pStatus); ) return *pStatus; } ``` The main course of action of this function is to check whether the dll was already loaded and waiting to be executed, or is going to be patched, or a new dll is going to be loaded, if it's a new dll (which is our case) it first goes by LdrpProcessWork to start the mapping process, then after that call succeeds goes on by LdrpPrepareModuleForExecution to execute the mapped dll.
## LdrpProcessWork ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpProcessWork(PLDRP_LOAD_CONTEXT LoadContext, BOOLEAN IsLoadOwner) { NTSTATUS Status; // Converted goto to do-while loop. do { Status = *LoadContext->pStatus; if (!NT_SUCCESS(Status)) break; // Caused most likely because CONTAINING_RECORD macro was used, I have no idea what's going on. // Also the structure used (LDRP_LOAD_CONTEXT) isn't documented, that's what I've got out of it so far. if ((UINT_PTR)LoadContext->WorkQueueListEntry.Flink[9].Blink[3].Blink & UINT_MAX) { Status = fLdrpSnapModule(LoadContext); } else { if (LoadContext->Flags & 0x100000) { Status = fLdrpMapDllRetry(LoadContext); } // We will continue from here since we have the LOAD_LIBRARY_SEARCH_APPLICATION_DIR flag, and also the function name is exactly representing // what we are expecting to happen. else if (LoadContext->Flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) { Status = fLdrpMapDllFullPath(LoadContext); } else { Status = fLdrpMapDllSearchPath(LoadContext); } if (NT_SUCCESS(Status) || Status == STATUS_RETRY) break; WID_HIDDEN( Status = LdrpLogInternal("minkernel\\ntdll\\ldrmap.c", 0x7D2, "LdrpProcessWork", 0, "Unable to load DLL: \"%wZ\", Parent Module: \"%wZ\", Status: 0x%x\n", LoadContext, ((UINT_PTR)&LoadContext->Entry->FullDllName & (UINT_PTR)LoadContext->Entry >> 64), Status); ) // This part is for failed cases so we can ignore it. if (Status == STATUS_DLL_NOT_FOUND) { WID_HIDDEN( LdrpLogError(STATUS_DLL_NOT_FOUND, 0x19, 0, LoadContext); ) WID_HIDDEN( LdrpLogDeprecatedDllEtwEvent(LoadContext); ) WID_HIDDEN( LdrpLogLoadFailureEtwEvent((PVOID)LoadContext, (PVOID)(((UINT_PTR)(LoadContext->Entry->EntryPointActivationContext) & ((UINT_PTR)(LoadContext->Entry) >> 64))), STATUS_DLL_NOT_FOUND, LoadFailure, 0); ) //PLDR_DATA_TABLE_ENTRY DllEntry = (PLDR_DATA_TABLE_ENTRY)LoadContext->WorkQueueListEntry.Flink; LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (DllEntry->FlagGroup[0] & ProcessStaticImport) { WID_HIDDEN( Status = LdrpReportError(LoadContext, 0, STATUS_DLL_NOT_FOUND); ) } } } if (!NT_SUCCESS(Status)) { *LoadContext->pStatus = Status; } } while (FALSE); if (!IsLoadOwner) { bool SetWorkCompleteEvent; RtlEnterCriticalSection(LdrpWorkQueueLock); --(*LdrpWorkInProgress); if (*LdrpWorkQueue != (LIST_ENTRY*)LdrpWorkQueue || (SetWorkCompleteEvent = TRUE, *LdrpWorkInProgress != 1)) SetWorkCompleteEvent = FALSE; Status = RtlLeaveCriticalSection(LdrpWorkQueueLock); if (SetWorkCompleteEvent) Status = ZwSetEvent(*LdrpWorkCompleteEvent, 0); } return Status; } ``` Goes in an according direction depending by the path type given, in our case we have an absolute path, so we continue by LdrpMapDllFullPath.
## LdrpMapDllFullPath ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllFullPath(PLDRP_LOAD_CONTEXT LoadContext) { NTSTATUS Status; //LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); LDRP_FILENAME_BUFFER FileNameBuffer; FileNameBuffer.pFileName.Buffer = FileNameBuffer.FileName; FileNameBuffer.pFileName.Length = 0; FileNameBuffer.pFileName.MaximumLength = MAX_PATH - 4; FileNameBuffer.FileName[0] = 0; // Sets the according members of the DllEntry Status = LdrpResolveDllName(LoadContext, &FileNameBuffer, &DllEntry->BaseDllName, &DllEntry->FullDllName, LoadContext->Flags); do { if (LoadContext->UnknownPtr) { if (!NT_SUCCESS(Status)) break; } else { Status = LdrpAppCompatRedirect(LoadContext, &DllEntry->FullDllName, &DllEntry->BaseDllName, &FileNameBuffer, Status); if (!NT_SUCCESS(Status)) break; // Hashes the dll name ULONG BaseDllNameHash = LdrpHashUnicodeString(&DllEntry->BaseDllName); DllEntry->BaseNameHashValue = BaseDllNameHash; LDR_DATA_TABLE_ENTRY* LoadedDll = nullptr; // Most likely checks if the dll was already mapped/loaded. LdrpFindExistingModule(&DllEntry->BaseDllName, &DllEntry->FullDllName, LoadContext->Flags, BaseDllNameHash, &LoadedDll); if (LoadedDll) { LdrpLoadContextReplaceModule(LoadContext, LoadedDll); break; } } // After this function the dll is mapped. Status = fLdrpMapDllNtFileName(LoadContext, &FileNameBuffer); if (Status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) Status = STATUS_INVALID_IMAGE_FORMAT; } while (FALSE); if (FileNameBuffer.FileName != FileNameBuffer.pFileName.Buffer) NtdllpFreeStringRoutine(FileNameBuffer.pFileName.Buffer); return Status; } ``` Sets up a LDRP_FILENAME_BUFFER structure, basically representing each portion of a path (base part, absolute part, etc.), hashes the **base** dll name and checks if it was already loaded, if it's not (our case) it goes on by calling LdrpMapDllNtFileName.
## LdrpMapDllNtFileName ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllNtFileName(PLDRP_LOAD_CONTEXT LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer) // CHECKED. { NTSTATUS Status; //LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); INT64 UnknownPtr = LoadContext->UnknownPtr; LONG Unknown = 0; if (LdrpCheckForRetryLoading(LoadContext, 0)) return STATUS_RETRY; PUNICODE_STRING FullDllName = &DllEntry->FullDllName; WID_HIDDEN( LdrpLogDllState((ULONGLONG)DllEntry->DllBase, &DllEntry->FullDllName, 0x14A5); ) //OBJ_CASE_INSENSITIVE ULONG ObjAttributes = OBJ_CASE_INSENSITIVE; if (!*LdrpUseImpersonatedDeviceMap) ObjAttributes = (OBJ_IGNORE_IMPERSONATED_DEVICEMAP | OBJ_CASE_INSENSITIVE); OBJECT_ATTRIBUTES ObjectAttributes; ObjectAttributes.Length = 0x30; ObjectAttributes.RootDirectory = 0; ObjectAttributes.Attributes = ObjAttributes; ObjectAttributes.ObjectName = &FileNameBuffer->pFileName; ObjectAttributes.SecurityDescriptor = 0; ObjectAttributes.SecurityQualityOfService = 0; PCHAR NtPathStuff = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2]; PCHAR Unknown2 = 0; if (RtlGetCurrentServiceSessionId()) Unknown2 = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253]; else Unknown2 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2]; PCHAR NtPathStuff2 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1; if (*Unknown2 && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled)) { //: (char*)0x7FFE0385; PCHAR NtPathStuff3 = RtlGetCurrentServiceSessionId() ? (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1 : (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1; // 0x20 is SPACE char if ((*NtPathStuff3 & ' ')) LdrpLogEtwEvent(0x1485, -1, 0xFFu, 0xFFu); } // SYSTEM_FLAGS_INFORMATION if ((NtCurrentPeb()->NtGlobalFlag & FLG_ENABLE_KDEBUG_SYMBOL_LOAD)) { WID_HIDDEN( ZwSystemDebugControl(); ) } HANDLE FileHandle; while (TRUE) { IO_STATUS_BLOCK IoStatusBlock; Status = NtOpenFile(&FileHandle, SYNCHRONIZE | FILE_TRAVERSE | FILE_LIST_DIRECTORY, &ObjectAttributes, &IoStatusBlock, 5, 0x60); if (NT_SUCCESS(Status)) break; if (Status == STATUS_OBJECT_NAME_NOT_FOUND || Status == STATUS_OBJECT_PATH_NOT_FOUND) return STATUS_DLL_NOT_FOUND; if (Status != STATUS_ACCESS_DENIED || Unknown || !LdrpCheckComponentOnDemandEtwEvent(LoadContext)) return Status; Unknown = TRUE; } ULONG SigningLevel; ULONG AllocationAttributes = 0; if (*LdrpAuditIntegrityContinuity && (Status = LdrpValidateIntegrityContinuity(LoadContext, FileHandle), !NT_SUCCESS(Status)) && *LdrpEnforceIntegrityContinuity || (AllocationAttributes = MEM_IMAGE, (LoadContext->Flags & MEM_IMAGE)) && (NtCurrentPeb()->BitField & IsPackagedProcess) == 0 && // (Status = LdrpSetModuleSigningLevel(FileHandle, (PLDR_DATA_TABLE_ENTRY)LoadContext->WorkQueueListEntry.Flink, &SigningLevel, 8), !NT_SUCCESS(Status))) (Status = LdrpSetModuleSigningLevel(FileHandle, CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks), &SigningLevel, 8), !NT_SUCCESS(Status))) { NtClose(FileHandle); return Status; } if (*UseWOW64 && (LoadContext->Flags & 0x800) == 0) AllocationAttributes = MEM_IMAGE | MEM_TOP_DOWN; HANDLE SectionHandle; Status = NtCreateSection(&SectionHandle, SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE, 0, 0, PAGE_EXECUTE, AllocationAttributes, FileHandle); if (!NT_SUCCESS(Status)) { if (Status == STATUS_NEEDS_REMEDIATION || (Status + 0x3FFFFB82) <= 1) { Status = LdrAppxHandleIntegrityFailure(Status); } else if (Status != STATUS_NO_MEMORY && Status != STATUS_INSUFFICIENT_RESOURCES && Status != STATUS_COMMITMENT_LIMIT) { LDR_UNKSTRUCT2 NtHardParameters; NtHardParameters.Name = FullDllName; NtHardParameters.Status = Status; // Semi-documented in http://undocumented.ntinternals.net/ HARDERROR_RESPONSE Response; if (NT_SUCCESS(NtRaiseHardError(STATUS_INVALID_IMAGE_FORMAT, 2, 1, (INT*)&NtHardParameters, OptionOk, &Response)) && *LdrInitState != 3) { ++(*LdrpFatalHardErrorCount); } } WID_HIDDEN( LdrpLogError(Status, 0x1485u, 0, FullDllName); ) NtClose(FileHandle); return Status; } if (RtlGetCurrentServiceSessionId()) NtPathStuff = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253]; if (*NtPathStuff && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0) { if (RtlGetCurrentServiceSessionId()) NtPathStuff2 = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1; // 0x20 is SPACE char. if ((*NtPathStuff2 & ' ') != 0) WID_HIDDEN( LdrpLogEtwEvent(0x1486, -1, 0xFFu, 0xFFu); ) } if (!*UseWOW64 && (LoadContext->Flags & 0x100) == 0 && (Status = LdrpCodeAuthzCheckDllAllowed(FileNameBuffer, FileHandle), NT_SUCCESS((LONG)(Status + 0x80000000))) && Status != STATUS_NOT_FOUND || (Status = fLdrpMapDllWithSectionHandle(LoadContext, SectionHandle), !UnknownPtr) || !NT_SUCCESS(Status)) { NtClose(SectionHandle); NtClose(FileHandle); return Status; } LoadContext->FileHandle = FileHandle; LoadContext->SectionHandle = SectionHandle; return Status; } ``` Opens the file with NtOpenFile, creates a section using NtCreateSection to be able to map the dll, continues with calling LdrpMapDllWithSectionHandle.
## LdrpMapDllWithSectionHandle ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpMapDllWithSectionHandle(PLDRP_LOAD_CONTEXT LoadContext, HANDLE SectionHandle) // CHECKED. { NTSTATUS Status; NTSTATUS Status2; NTSTATUS Status3; NTSTATUS Status4; int v19[14]; LDR_DATA_TABLE_ENTRY* LdrEntry2; // Mapping mechanism. Status = fLdrpMinimalMapModule(LoadContext, SectionHandle); Status2 = Status; if (Status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) return Status2; if (!NT_SUCCESS(Status)) return Status2; //LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); SIZE_T Size = LoadContext->Size; LDR_DATA_TABLE_ENTRY* LdrEntry = nullptr; Status3 = Status; PIMAGE_NT_HEADERS OutHeaders; Status2 = RtlImageNtHeaderEx(0, DllEntry->DllBase, Size, &OutHeaders); if (!NT_SUCCESS(Status2)) return Status2; if (LoadContext->Flags & SEC_FILE) { Status3 = STATUS_SUCCESS; DllEntry->TimeDateStamp = OutHeaders->FileHeader.TimeDateStamp; DllEntry->CheckSum = OutHeaders->OptionalHeader.CheckSum; DllEntry->SizeOfImage = OutHeaders->OptionalHeader.SizeOfImage; } else { RtlAcquireSRWLockExclusive(LdrpModuleDatatableLock); UINT_PTR Flags = (LoadContext->Flags) & UINT_MAX; PUNICODE_STRING FullDllName_2 = 0; if ((Flags & 0x20) == 0) FullDllName_2 = &DllEntry->FullDllName; // Returns STATUS_DLL_NOT_FOUND is normal situations. Status4 = LdrpFindLoadedDllByNameLockHeld(&DllEntry->BaseDllName, FullDllName_2, Flags, &LdrEntry, DllEntry->BaseNameHashValue); if (Status4 == STATUS_DLL_NOT_FOUND) { PIMAGE_DOS_HEADER DllBase = DllEntry->DllBase; v19[0] = OutHeaders->FileHeader.TimeDateStamp; v19[1] = OutHeaders->OptionalHeader.SizeOfImage; LdrpFindLoadedDllByMappingLockHeld(DllBase, OutHeaders, (ULONG*)v19, &LdrEntry); } if (!LdrEntry) { LdrpInsertDataTableEntry(DllEntry); LdrpInsertModuleToIndexLockHeld(DllEntry, OutHeaders); } RtlReleaseSRWLockExclusive(LdrpModuleDatatableLock); if (LdrEntry) { if (DllEntry->LoadReason != LoadReasonPatchImage || LdrEntry->LoadReason == LoadReasonPatchImage) { LdrpLoadContextReplaceModule(LoadContext, LdrEntry); } else { Status2 = STATUS_IMAGE_LOADED_AS_PATCH_IMAGE; WID_HIDDEN( LdrpLogEtwHotPatchStatus(&(*LdrpImageEntry)->BaseDllName, LoadContext->Entry, &DllEntry->FullDllName, STATUS_IMAGE_LOADED_AS_PATCH_IMAGE, 3); ) LdrpDereferenceModule(LdrEntry); } return Status2; } } if (*qword_17E238 == NtCurrentTeb()->ClientId.UniqueThread) return STATUS_NOT_FOUND; Status2 = fLdrpCompleteMapModule(LoadContext, OutHeaders, Status3); if (NT_SUCCESS(Status2)) { Status2 = fLdrpProcessMappedModule(DllEntry, LoadContext->Flags & UINT_MAX, 1); if (NT_SUCCESS(Status2)) { WID_HIDDEN( LdrpLogNewDllLoad(LoadContext->Entry, DllEntry); ) LdrEntry2 = LoadContext->Entry; if (LdrEntry2) DllEntry->ParentDllBase = LdrEntry2->DllBase; BOOLEAN DllBasesEqual = FALSE; if (DllEntry->LoadReason == LoadReasonPatchImage && *LdrpImageEntry) DllBasesEqual = DllEntry->ParentDllBase == (*LdrpImageEntry)->DllBase; if ((LoadContext->Flags & SEC_FILE) || (DllEntry->FlagGroup[0] & ImageDll) || DllBasesEqual) { if ((DllEntry->Flags & CorILOnly)) { return fLdrpCorProcessImports(DllEntry); } else { fLdrpMapAndSnapDependency(LoadContext); return *LoadContext->pStatus; } } else { WID_HIDDEN( LdrpLogDllState((ULONG)DllEntry->DllBase, &DllEntry->FullDllName, 0x14AEu); ) Status2 = STATUS_SUCCESS; DllEntry->DdagNode->State = LdrModulesReadyToRun; } } } return Status2; } ``` Maps a view of section inside LdrpMinimalMapModule, validates the image inside LdrpCompleteMapModule, handles relocations inside LdrpProcessMappedModule, updates state inside LdrpCorProcessImports, goes on by calling LdrpMapAndSnapDependency.
## LdrpMapAndSnapDependency ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpMapAndSnapDependency(PLDRP_LOAD_CONTEXT LoadContext) { NTSTATUS Status; LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); BOOLEAN IsFile = (LoadContext->Flags & SEC_FILE); BOOLEAN FullPathExists = 0; UNICODE_STRING FullPath; memset(&FullPath, 0, sizeof(FullPath)); do { if (!IsFile) { if (DllEntry->LoadReason != LoadReasonPatchImage) { Status = LdrpFindDllActivationContext(DllEntry); if (!NT_SUCCESS(Status)) break; } } Status = fLdrpPrepareImportAddressTableForSnap(LoadContext); if (!NT_SUCCESS(Status)) break; ULONG CurrentDllDecremented = 0; ULONG OldCurrentDll = 0; if (*LdrpIsHotPatchingEnabled) { DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; if (DllEntry) { Status = LdrpQueryCurrentPatch(DllEntry->CheckSum, DllEntry->TimeDateStamp, &FullPath); if (!NT_SUCCESS(Status)) break; if (FullPath.Length) FullPathExists = TRUE; } } PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = nullptr; if (LoadContext->pImageImportDescriptor || FullPathExists) { if (LdrpShouldModuleImportBeRedirected(DllEntry)) LoadContext->Flags |= 0x2000000u; ImageImportDescriptor = LdrpGetImportDescriptorForSnap(LoadContext); ULONG IATSize = 0; PIMAGE_THUNK_DATA32 FirstThunk = (PIMAGE_THUNK_DATA32)&ImageImportDescriptor->FirstThunk; BOOLEAN JumpIn = FALSE; if (ImageImportDescriptor) { PIMAGE_THUNK_DATA32 FirstThunk2 = (IMAGE_THUNK_DATA32*)&ImageImportDescriptor->FirstThunk; ULONG DllBaseIncremented = 0; do { if (!FirstThunk2[-1].u1.ForwarderString) break; ULONG ForwarderString = FirstThunk2->u1.ForwarderString; if (!FirstThunk2->u1.ForwarderString) break; ULONG DllBaseIncremented_2 = DllBaseIncremented + 1; FirstThunk2 += 5; ++IATSize; if (!*(UINT_PTR*)((char*)&DllEntry->DllBase->e_magic + ForwarderString)) DllBaseIncremented_2 = DllBaseIncremented; DllBaseIncremented = DllBaseIncremented_2; } while (FirstThunk2 != (IMAGE_THUNK_DATA32*)16); OldCurrentDll = DllBaseIncremented; if (DllBaseIncremented) JumpIn = TRUE; } BOOLEAN JumpOut = FALSE; if (JumpIn || FullPathExists) { PVOID* Heap = (PVOID*)RtlAllocateHeap(*LdrpHeap, (*NtdllBaseTag + 0x180000) | 8u, 8 * IATSize); LoadContext->IATCheck = (LDR_DATA_TABLE_ENTRY**)Heap; if (Heap) { LoadContext->SizeOfIAT = IATSize; LoadContext->GuardCFCheckFunctionPointer = ImageImportDescriptor; LoadContext->CurrentDll = OldCurrentDll + 1; if (FullPathExists) LoadContext->CurrentDll = OldCurrentDll + 2; PIMAGE_THUNK_DATA pThunk = nullptr; UINT_PTR IATAmount = 0; if (ImageImportDescriptor) { while (FirstThunk[-1].u1.ForwarderString && FirstThunk->u1.ForwarderString) { PIMAGE_DOS_HEADER DllBase = DllEntry->DllBase; if (*(UINT_PTR*)((char*)&DllBase->e_magic + FirstThunk->u1.ForwarderString)) { ULONG ForwarderString_2 = FirstThunk[-1].u1.ForwarderString; IsFile = (PIMAGE_IMPORT_BY_NAME)(ForwarderString_2 + (UINT_PTR)DllBase) != 0; PCHAR ForwarderBuffer = (PCHAR)(ForwarderString_2 + (UINT_PTR)DllBase); STRING SourceString = {}; *(UINT_PTR*)&SourceString.Length = 0; SourceString.Buffer = ForwarderBuffer; if (IsFile) { SIZE_T SourceLen = -1; do { ++SourceLen; } while (ForwarderBuffer[SourceLen]); if (SourceLen > 0xFFFE) { Status = STATUS_NAME_TOO_LONG; break; } SourceString.Length = SourceLen; SourceString.MaximumLength = SourceLen + 1; } Status = LdrpLoadDependentModuleA((PUNICODE_STRING)&SourceString, LoadContext, DllEntry, 0, &LoadContext->IATCheck[IATAmount], (UINT_PTR)&pThunk); if (!NT_SUCCESS(Status)) break; } FirstThunk += 5; IATAmount = (ULONG)(IATAmount + 1); if (FirstThunk == (PIMAGE_THUNK_DATA32)16) break; } } if (FullPathExists) { // Loads Imports dlls. Status = LdrpLoadDependentModuleW(&FullPath, LoadContext, DllEntry); if (!NT_SUCCESS(Status)) WID_HIDDEN(LdrpLogEtwHotPatchStatus(&(*LdrpImageEntry)->BaseDllName, DllEntry, &FullPath, Status, 5u); ) } if (pThunk) RtlFreeHeap(*LdrpHeap, 0, pThunk); if (NT_SUCCESS(Status)) { RtlAcquireSRWLockExclusive(LdrpModuleDatatableLock); CurrentDllDecremented = --LoadContext->CurrentDll; RtlReleaseSRWLockExclusive(LdrpModuleDatatableLock); JumpOut = TRUE; } } else { Status = STATUS_NO_MEMORY; } } if (!JumpOut) CurrentDllDecremented = OldCurrentDll; } PLDR_DDAG_NODE DdagNode = nullptr; PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor = LoadContext->pImageImportDescriptor; if (pImageImportDescriptor || !FullPathExists) { if (CurrentDllDecremented) break; DdagNode = DllEntry->DdagNode; if (pImageImportDescriptor) { DdagNode->State = LdrModulesSnapping; if (LoadContext->Entry) LdrpQueueWork(LoadContext); else Status = fLdrpSnapModule(LoadContext); break; } } else { DdagNode = DllEntry->DdagNode; } DdagNode->State = LdrModulesSnapped; } while (FALSE); LdrpFreeUnicodeString(&FullPath); if (!NT_SUCCESS(Status)) { *LoadContext->pStatus = Status; } return *LoadContext->pStatus; } ``` Prepares the Import Address Table (IAT) by calling LdrpPrepareImportAddressTableForSnap, loads the imports of the dll getting loaded, sets the state, continues on by calling LdrpSnapModule which I am quite frank about the actual functionality, but I've seen it handling exports.
## LdrpPrepareImportAddressTableForSnap ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpPrepareImportAddressTableForSnap(LDRP_LOAD_CONTEXT* LoadContext) { NTSTATUS Status; LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor = nullptr; UINT_PTR* pImageImportDescriptorLen = (UINT_PTR*)&LoadContext->ImageImportDescriptorLen; Status = RtlpImageDirectoryEntryToDataEx(DllEntry->DllBase, 1u, IMAGE_DIRECTORY_ENTRY_IAT, (UINT_PTR*)&LoadContext->ImageImportDescriptorLen, &ImageImportDescriptor); if (!NT_SUCCESS(Status)) ImageImportDescriptor = nullptr; BOOLEAN IsFile = (LoadContext->Flags & SEC_FILE); LoadContext->pImageImportDescriptor = ImageImportDescriptor; if (IsFile) return STATUS_SUCCESS; BOOLEAN JumpOver = FALSE; PIMAGE_NT_HEADERS OutHeaders = nullptr; RtlImageNtHeaderEx(3, DllEntry->DllBase, 0, &OutHeaders); PIMAGE_LOAD_CONFIG_DIRECTORY ImageConfigDirectory = LdrImageDirectoryEntryToLoadConfig(DllEntry->DllBase); if (!ImageConfigDirectory || ImageConfigDirectory->Size < 0x94) JumpOver = TRUE; if (!JumpOver) { if ((OutHeaders->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF) != 0 && (ImageConfigDirectory->GuardFlags & IMAGE_GUARD_CF_INSTRUMENTED) != 0) { UINT_PTR* GuardCFCheckFunctionPointer = (UINT_PTR*)ImageConfigDirectory->GuardCFCheckFunctionPointer; LoadContext->UnknownFunc = (__int64)GuardCFCheckFunctionPointer; if (GuardCFCheckFunctionPointer) { LoadContext->DllNameLenCompare = *GuardCFCheckFunctionPointer; } } } do { if (!LoadContext->pImageImportDescriptor) { ULONG ImportDirectoryVA = OutHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; PIMAGE_SECTION_HEADER FirstSection = (PIMAGE_SECTION_HEADER)((char*)&OutHeaders->OptionalHeader + OutHeaders->FileHeader.SizeOfOptionalHeader); if (ImportDirectoryVA) { ULONG SectionIdx = 0; if (OutHeaders->FileHeader.NumberOfSections) { ULONG SectionVA = 0; while (TRUE) { SectionVA = FirstSection->VirtualAddress; if (ImportDirectoryVA >= SectionVA && ImportDirectoryVA < SectionVA + FirstSection->SizeOfRawData) break; ++SectionIdx; ++FirstSection; if (SectionIdx >= OutHeaders->FileHeader.NumberOfSections) break; } LoadContext->pImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((char*)DllEntry->DllBase + SectionVA); ULONG SectionFA = FirstSection->Misc.PhysicalAddress; *pImageImportDescriptorLen = SectionFA; if (!SectionFA) *pImageImportDescriptorLen = FirstSection->SizeOfRawData; } } } } while (FALSE); PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor = LoadContext->pImageImportDescriptor; if (pImageImportDescriptor && *pImageImportDescriptorLen) { UINT_PTR ImageImportDescriptorLen = *pImageImportDescriptorLen; NTSTATUS Status_2 = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&pImageImportDescriptor, (PULONG)&ImageImportDescriptorLen, PAGE_READWRITE, (PULONG)&LoadContext->GuardFlags); if (!NT_SUCCESS(Status_2)) return Status_2; PIMAGE_IMPORT_DESCRIPTOR pNextSectionMaybe = pImageImportDescriptor; PIMAGE_IMPORT_DESCRIPTOR pNextImageImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR*)((char*)pImageImportDescriptor + ImageImportDescriptorLen); do { pNextSectionMaybe = (PIMAGE_IMPORT_DESCRIPTOR)((char*)pNextSectionMaybe + 0x1000); } while (pNextSectionMaybe < pNextImageImportDescriptor); } return STATUS_SUCCESS; } ``` As the function name, prepares the Import Address Table (IAT) for our loaded dll. After this function we go back to LdrpLoadDllInternal because the mapping process is complete. Proceeding with calling LdrpPrepareModuleForExecution.
## LdrpPrepareModuleForExecution ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpPrepareModuleForExecution(PLDR_DATA_TABLE_ENTRY LdrEntry, NTSTATUS* pStatus) { NTSTATUS Status; Status = STATUS_SUCCESS; if (*qword_17E238 == NtCurrentTeb()->ClientId.UniqueThread) return Status; BOOLEAN Skip = FALSE; LDR_DDAG_NODE* DdagNode = LdrEntry->DdagNode; switch (DdagNode->State) { case LdrModulesSnapped: LdrpCondenseGraph(DdagNode); case LdrModulesCondensed: { // This is where we'll start from normally. if ((LdrEntry->FlagGroup[0] & ProcessStaticImport) == 0) { UINT_PTR SubProcessTag = (UINT_PTR)NtCurrentTeb()->SubProcessTag; LdrpAddNodeServiceTag(DdagNode, SubProcessTag); } Status = LdrpNotifyLoadOfGraph(DdagNode); if (NT_SUCCESS(Status)) { Status = LdrpDynamicShimModule(DdagNode); if (!NT_SUCCESS(Status)) { WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrsnap.c", 0x9F3, "LdrpPrepareModuleForExecution", 1u, "Failed to load for appcompat reasons\n"); ) return Status; } Skip = TRUE; } if (!Skip) return Status; } case LdrModulesReadyToInit: LDRP_LOAD_CONTEXT* LoadContext = (LDRP_LOAD_CONTEXT*)LdrEntry->LoadContext; if (LoadContext && (LoadContext->Flags & 1) == 0) { LdrpAcquireLoaderLock(); UINT64 Unknown = 0; Status = fLdrpInitializeGraphRecurse(DdagNode, pStatus, (char*)&Unknown); ULONG64 Unused = 0; LdrpReleaseLoaderLock(Unused, 2, Status); } return Status; } // States end at 9. if (DdagNode->State > LdrModulesReadyToRun) return STATUS_INTERNAL_ERROR; return Status; } ``` Adds a service tag to our module by LdrModulesCondensed, continues by LdrModulesReadyToInit acquiring a Loader lock first then calling LdrpInitializeGraphRecurse.
## LdrpInitializeGraphRecurse ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpInitializeGraphRecurse(LDR_DDAG_NODE* DdagNode, NTSTATUS* pStatus, char* Unknown) { NTSTATUS Status = STATUS_SUCCESS; if (DdagNode->State == LdrModulesInitError) return STATUS_DLL_INIT_FAILED; LDR_DDAG_NODE* DdagNode2 = (LDR_DDAG_NODE*)DdagNode->Dependencies.Tail; CHAR Unknown2_2 = 0; CHAR Unknown2 = 0; BOOLEAN JumpIn = FALSE; do { if (DdagNode2) { LDR_DDAG_NODE* DdagNode2_2 = DdagNode2; do { DdagNode2_2 = (LDR_DDAG_NODE*)DdagNode2_2->Modules.Flink; if ((DdagNode2_2->LoadCount & 1) == 0) { LDR_DDAG_NODE* Blink = (LDR_DDAG_NODE*)DdagNode2_2->Modules.Blink; if (Blink->State == LdrModulesReadyToInit) { Status = fLdrpInitializeGraphRecurse(Blink, pStatus, &Unknown2); if (!NT_SUCCESS(Status)) { JumpIn = TRUE; break; } Unknown2_2 = Unknown2; } else { if (Blink->State == LdrModulesInitError) { Status = STATUS_DLL_INIT_FAILED; { JumpIn = TRUE; break; } } if (Blink->State == LdrModulesInitializing) Unknown2_2 = 1; Unknown2 = Unknown2_2; } } } while (DdagNode2_2 != DdagNode2); if (JumpIn) break; if (Unknown2_2) { LDR_DDAG_NODE* DdagNode3 = (LDR_DDAG_NODE*)DdagNode->Modules.Flink; *Unknown = 1; LDR_SERVICE_TAG_RECORD* ServiceTagList = DdagNode3->ServiceTagList; if (ServiceTagList) { if (pStatus != *(NTSTATUS**)&ServiceTagList[2].ServiceTag) return STATUS_SUCCESS; } } } } while (FALSE); if (!JumpIn) Status = fLdrpInitializeNode(DdagNode); if (JumpIn || !NT_SUCCESS(Status)) DdagNode->State = LdrModulesInitError; return Status; } ``` Does some prior check on the upper area of the function if our DdagNode had dependencies (in our loading case it doesn't so we skip over all the do-while loop), checks for errors and if there are any, sets the state to failed and returns. Otherwise (our case) continues on by calling LdrpInitializeNode.
## LdrpInitializeNode ```cpp NTSTATUS __fastcall LOADLIBRARY::fLdrpInitializeNode(LDR_DDAG_NODE* DdagNode) { NTSTATUS Status; NTSTATUS Status_2; NTSTATUS Status_3; LDR_DDAG_STATE* pState = &DdagNode->State; UNICODE_STRING FullDllName; *(UINT_PTR*)&FullDllName.Length = (UINT_PTR)&DdagNode->State; DdagNode->State = LdrModulesInitializing; LDR_DATA_TABLE_ENTRY* Blink = (LDR_DATA_TABLE_ENTRY*)DdagNode->Modules.Blink; LDR_DATA_TABLE_ENTRY* LdrEntry = *LdrpImageEntry; UINT_PTR** v4 = (UINT_PTR**)*qword_1843B8; while (Blink != (LDR_DATA_TABLE_ENTRY*)DdagNode) { if (&Blink[-1].DdagNode != (LDR_DDAG_NODE**)LdrEntry) { PVOID* p_ParentDllBase = &Blink[-1].ParentDllBase; if (*v4 != qword_1843B0) __fastfail(3u); *p_ParentDllBase = qword_1843B0; Blink[-1].SwitchBackContext = v4; *v4 = (UINT_PTR*)p_ParentDllBase; v4 = (UINT_PTR**)&Blink[-1].ParentDllBase; *qword_1843B8 = (UINT_PTR**)v4; } Blink = (LDR_DATA_TABLE_ENTRY*)Blink->InLoadOrderLinks.Blink; } Status = STATUS_SUCCESS; for (LDR_DATA_TABLE_ENTRY* i = (LDR_DATA_TABLE_ENTRY*)DdagNode->Modules.Blink; i != (LDR_DATA_TABLE_ENTRY*)DdagNode; i = (LDR_DATA_TABLE_ENTRY*)i->InLoadOrderLinks.Blink) { LDR_DATA_TABLE_ENTRY* LdrEntry_2 = (LDR_DATA_TABLE_ENTRY*)((char*)i - 160); if (&i[-1].DdagNode != (LDR_DDAG_NODE**)LdrEntry) { if (LdrEntry_2->LoadReason == LoadReasonPatchImage) { Status_2 = LdrpApplyPatchImage((PLDR_DATA_TABLE_ENTRY)&i[-1].DdagNode); Status = Status_2; if (!NT_SUCCESS(Status_2)) { FullDllName = LdrEntry_2->FullDllName; Status_3 = Status_2; WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrsnap.c", 1392, "LdrpInitializeNode", 0, "Applying patch \"%wZ\" failed - Status = 0x%x\n", &FullDllName, *(UINT_PTR*)&Status_3); ) break; } } UINT_PTR CurrentDllIniter = *LdrpCurrentDllInitializer; *LdrpCurrentDllInitializer = (UINT_PTR)&i[-1].DdagNode; PVOID EntryPoint = LdrEntry_2->EntryPoint; PUNICODE_STRING pFullDllName = &LdrEntry_2->FullDllName; WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrsnap.c", 1411, "LdrpInitializeNode", 2u, "Calling init routine %p for DLL \"%wZ\"\n", EntryPoint, &LdrEntry_2->FullDllName); ) RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED StackFrameExtended; StackFrameExtended.Size = 0x48; StackFrameExtended.Format = 1; memset((char*)&StackFrameExtended.Frame.Previous + 4, 0, 48); UINT_PTR v20 = 0; RtlActivateActivationContextUnsafeFast(&StackFrameExtended, LdrEntry_2->EntryPointActivationContext); if (LdrEntry_2->TlsIndex) fLdrpCallTlsInitializers(1i64, (LDR_DATA_TABLE_ENTRY*)&i[-1].DdagNode); BOOLEAN CallSuccess = TRUE; if (EntryPoint) { LPVOID ContextRecord = nullptr; if ((LdrEntry_2->FlagGroup[0] & ProcessStaticImport) != 0) ContextRecord = *LdrpProcessInitContextRecord; CallSuccess = fLdrpCallInitRoutine((BOOL(__stdcall*)(HINSTANCE, DWORD, LPVOID))EntryPoint, LdrEntry_2->DllBase, DLL_PROCESS_ATTACH, ContextRecord); } RtlDeactivateActivationContextUnsafeFast(&StackFrameExtended); *LdrpCurrentDllInitializer = CurrentDllIniter; LdrEntry_2->Flags |= ProcessAttachCalled; if (!CallSuccess) { WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrsnap.c", 0x5B7, "LdrpInitializeNode", 0, "Init routine %p for DLL \"%wZ\" failed during DLL_PROCESS_ATTACH\n", EntryPoint, pFullDllName); ) Status = STATUS_DLL_INIT_FAILED; LdrEntry_2->Flags |= ProcessAttachFailed; break; } WID_HIDDEN( LdrpLogDllState((UINT_PTR)LdrEntry_2->DllBase, pFullDllName, 0x14AEu); ) LdrEntry = *LdrpImageEntry; } } *pState = Status != 0 ? LdrModulesInitError : LdrModulesReadyToRun; return Status; } ``` Sets the state to initializing, goes on by checking if it's purpose is to patch the image (not in our case), if it is, it patches the image by calling LdrpApplyPatchImage, if it's not it goes on by calling LdrpCallTlsInitializers which is self explanatory and finally it calls LdrpCallInitRoutine.
## LdrpCallInitRoutine ```cpp BOOLEAN __fastcall LOADLIBRARY::fLdrpCallInitRoutine(BOOL(__fastcall* DllMain)(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved), PIMAGE_DOS_HEADER DllBase, unsigned int One, LPVOID ContextRecord) { BOOLEAN ReturnVal = TRUE; PCHAR LoggingVar = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2]; PCHAR LoggingVar2 = 0; if (RtlGetCurrentServiceSessionId()) LoggingVar2 = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253]; else LoggingVar2 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2]; PCHAR LoggingVar3 = 0; PCHAR LoggingVar4 = 0; if (*LoggingVar2 && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0) { LoggingVar3 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1; if (RtlGetCurrentServiceSessionId()) LoggingVar4 = (char*)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1; else LoggingVar4 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1; // 0x20 is SPACE char. if ((*LoggingVar4 & ' ') != 0) WID_HIDDEN( LdrpLogEtwEvent(0x14A3u, (ULONGLONG)DllBase, 0xFF, 0xFF); ) } else { LoggingVar3 = (PCHAR)&kUserSharedData->UserModeGlobalLogger[2] + 1; } // DLL_PROCESS_ATTACH (1) ReturnVal = DllMain((HINSTANCE)DllBase, One, ContextRecord); if (RtlGetCurrentServiceSessionId()) LoggingVar = (PCHAR)&NtCurrentPeb()->SharedData->NtSystemRoot[253]; if (*LoggingVar && (NtCurrentPeb()->TracingFlags & LibLoaderTracingEnabled) != 0) { if (RtlGetCurrentServiceSessionId()) LoggingVar3 = (char*)&NtCurrentPeb()->SharedData->NtSystemRoot[253] + 1; // 0x20 is SPACE char. if ((*LoggingVar3 & ' ') != 0) WID_HIDDEN( LdrpLogEtwEvent(0x1496u, (ULONGLONG)DllBase, 0xFF, 0xFF); ) } ULONG LoggingVar5 = 0; if (!ReturnVal && One == 1) { LoggingVar5 = 1; WID_HIDDEN( LdrpLogError(STATUS_DLL_INIT_FAILED, 0x1496u, LoggingVar5, 0i64); ) } return ReturnVal; } ``` Does prior checks and calls DllMain which finishes the loading process. ================================================ FILE: Src/Functions/KERNEL32.cpp ================================================ #include "KERNEL32.h" ULONG* KernelBaseGlobalData = nullptr; tBasep8BitStringToDynamicUnicodeString Basep8BitStringToDynamicUnicodeString = nullptr; tBaseSetLastNTError BaseSetLastNTError = nullptr; // Signatured tBasepLoadLibraryAsDataFileInternal BasepLoadLibraryAsDataFileInternal = nullptr; ================================================ FILE: Src/Functions/KERNEL32.h ================================================ #pragma once #include "..\Includes.h" #include "Undocumented.h" extern ULONG* KernelBaseGlobalData; typedef BOOLEAN(WINAPI* tBasep8BitStringToDynamicUnicodeString)(PUNICODE_STRING pConvertedStr, LPCSTR pszAnsiStr); extern tBasep8BitStringToDynamicUnicodeString Basep8BitStringToDynamicUnicodeString; typedef DWORD(WINAPI* tBaseSetLastNTError)(IN NTSTATUS Status); extern tBaseSetLastNTError BaseSetLastNTError; // Signatured #define BASEP_LLASDATAFILE_INTERNAL_PATTERN "\x48\x89\x5C\x24\x20\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\xAC\x24\x10\xFF\xFF\xFF" typedef NTSTATUS(__fastcall* tBasepLoadLibraryAsDataFileInternal)(PUNICODE_STRING DllName, PWSTR Path, PWSTR Unknown, DWORD dwFlags, HMODULE* pBaseOfLoadedModule); extern tBasepLoadLibraryAsDataFileInternal BasepLoadLibraryAsDataFileInternal; ================================================ FILE: Src/Functions/NT.cpp ================================================ #include "NT.h" // Implemented. // Variables DWORD* LdrpPolicyBits = nullptr; HANDLE* LdrpMainThreadToken = nullptr; DWORD* LdrInitState = nullptr; DWORD* LoadFailure = nullptr; PRTL_CRITICAL_SECTION LdrpWorkQueueLock = nullptr; DWORD* LdrpWorkInProgress = nullptr; LIST_ENTRY** LdrpWorkQueue = nullptr; PHANDLE LdrpWorkCompleteEvent = nullptr; KUSER_SHARED_DATA* kUserSharedData = (KUSER_SHARED_DATA*)0x7FFE0000; DWORD* LdrpUseImpersonatedDeviceMap = nullptr; DWORD* LdrpAuditIntegrityContinuity = nullptr; DWORD* LdrpEnforceIntegrityContinuity = nullptr; DWORD* LdrpFatalHardErrorCount = nullptr; DWORD* UseWOW64 = nullptr; PRTL_SRWLOCK LdrpModuleDatatableLock = nullptr; PHANDLE qword_17E238 = nullptr; LDR_DATA_TABLE_ENTRY** LdrpImageEntry = nullptr; PUNICODE_STRING LdrpKernel32DllName = nullptr; UINT_PTR* LdrpAppHeaders = nullptr; PHANDLE LdrpLargePageDllKeyHandle = nullptr; ULONG** LdrpLockMemoryPrivilege = nullptr; ULONG64* LdrpMaximumUserModeAddress = nullptr; UINT_PTR* LdrpMapAndSnapWork = nullptr; LIST_ENTRY* LdrpHashTable = nullptr; PVOID* LdrpHeap = nullptr; BOOLEAN* LdrpIsHotPatchingEnabled = nullptr; LDR_DATA_TABLE_ENTRY** LdrpRedirectionModule = nullptr; ULONG64** qword_1993A8 = nullptr; LONG* NtdllBaseTag = nullptr; FUNCTION_TABLE_DATA* stru_199520 = nullptr; UINT_PTR* qword_199530 = nullptr; LDR_DATA_TABLE_ENTRY** LdrpNtDllDataTableEntry = nullptr; UINT_PTR* qword_1993B8 = nullptr; DWORD* dword_19939C = nullptr; DWORD* LoadFailureOperational = nullptr; DWORD* dword_199398 = nullptr; UINT_PTR*** qword_1843B8 = nullptr; UINT_PTR* qword_1843B0 = nullptr; UINT_PTR* LdrpCurrentDllInitializer = nullptr; LPVOID** LdrpProcessInitContextRecord = nullptr; PRTL_SRWLOCK LdrpTlsLock = nullptr; TLS_ENTRY** LdrpTlsList = nullptr; tLdrpManifestProberRoutine LdrpManifestProberRoutine = nullptr; tLdrpRedirectionCalloutFunc LdrpRedirectionCalloutFunc = nullptr; // Functions PEB* NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; } VOID __fastcall NtdllpFreeStringRoutine(PWCH Buffer) // CHECKED. { RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Buffer); } NTSTATUS __fastcall LdrpFastpthReloadedDll(PUNICODE_STRING FullPath, ULONG Flags, PLDR_DATA_TABLE_ENTRY LdrEntry, LDR_DATA_TABLE_ENTRY** DllEntry) { NTSTATUS Status; PUNICODE_STRING PathUsed; LDR_DATA_TABLE_ENTRY* pDllEntry; LDR_DDAG_STATE DdagState; DdagState = LdrModulesPlaceHolder; Status = STATUS_NOT_FOUND; if (Flags & LOAD_LIBRARY_AS_IMAGE_RESOURCE) { PathUsed = FullPath; FullPath = 0; } else { // If an absolute path was sent from LoadLibrary it will have 0x200 (LOAD_LIBRARY_SEARCH_APPLICATION_DIR), but the if is checking for not so it can be ignored. if ((Flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) == 0) return Status; PathUsed = nullptr; } Status = LdrpFindLoadedDllByName(PathUsed, FullPath, Flags, DllEntry, &DdagState); if (NT_SUCCESS(Status)) { pDllEntry = *DllEntry; if (pDllEntry->LoadReason == LoadReasonPatchImage) { Status = STATUS_IMAGE_LOADED_AS_PATCH_IMAGE; LdrpLogEtwHotPatchStatus(&(*LdrpImageEntry)->BaseDllName, pDllEntry, 0, STATUS_IMAGE_LOADED_AS_PATCH_IMAGE, 2u); } else { Status = STATUS_NOT_FOUND; if (DdagState == LdrModulesReadyToRun) { Status = LdrpIncrementModuleLoadCount(pDllEntry); if (NT_SUCCESS(Status)) { Status = LdrpBuildForwarderLink(LdrEntry, pDllEntry); // This is where we most likely end up on a normal call from LoadLibraryExW if (NT_SUCCESS(Status)) return Status; BOOLEAN IsWorkerThread = (!(NtCurrentTeb()->SameTebFlags & LoadOwner)); if (IsWorkerThread) LdrpDrainWorkQueue(WaitLoadComplete); LdrpDecrementModuleLoadCountEx(pDllEntry, 0); if (IsWorkerThread) LdrpDropLastInProgressCount(); } } } LdrpDereferenceModule(*DllEntry); *DllEntry = nullptr; } return Status; } NTSTATUS __fastcall LdrpIncrementModuleLoadCount(LDR_DATA_TABLE_ENTRY* LdrEntry) { NTSTATUS Status = STATUS_SUCCESS; RtlAcquireSRWLockExclusive(LdrpModuleDatatableLock); LDR_DDAG_NODE* DdagNode = LdrEntry->DdagNode; ULONG LoadCount = DdagNode->LoadCount; if (LoadCount != -1) { if (LoadCount) { DdagNode->LoadCount = LoadCount + 1; } else if (NtCurrentTeb()->SameTebFlags & LoadOwner) { ++DdagNode->LoadWhileUnloadingCount; } else { Status = STATUS_DLL_NOT_FOUND; } } RtlReleaseSRWLockExclusive(LdrpModuleDatatableLock); return Status; } VOID __fastcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString) // CHECKED. { WCHAR* Buffer; Buffer = UnicodeString->Buffer; if (Buffer) { NtdllpFreeStringRoutine(Buffer); //*UnicodeString = 0; memset(UnicodeString, 0, sizeof(UNICODE_STRING)); } } VOID __fastcall LdrpFreeUnicodeString(PUNICODE_STRING String) { WCHAR* Buffer; Buffer = String->Buffer; if (Buffer) { NtdllpFreeStringRoutine(Buffer); String->Buffer = 0; } String->Length = 0; String->MaximumLength = 0; } ULONG __fastcall RtlGetCurrentServiceSessionId(VOID) // CHECKED ? { LPVOID Return = NtCurrentPeb()->SharedData; if (Return) Return = (LPVOID)(*(DWORD*)Return); return (ULONG)Return; } USHORT __fastcall LdrpGetBaseNameFromFullName(PUNICODE_STRING BaseName, PUNICODE_STRING FullName) { USHORT StrLen = BaseName->Length >> 1; if (StrLen) { PWCHAR Buffer = BaseName->Buffer; do { if (Buffer[StrLen - 1] == '\\') break; if (Buffer[StrLen - 1] == '/') break; --StrLen; } while (StrLen); } USHORT ByteLen = 2 * StrLen; USHORT Return = BaseName->MaximumLength - ByteLen; FullName->Length = BaseName->Length - ByteLen; FullName->MaximumLength = Return; FullName->Buffer = &BaseName->Buffer[StrLen]; return Return; } PWCHAR __fastcall RtlGetNtSystemRoot() { if (RtlGetCurrentServiceSessionId()) return (PWCHAR)((char*)NtCurrentPeb()->SharedData + 30); else return kUserSharedData->NtSystemRoot; } BOOLEAN __fastcall LdrpHpatAllocationOptOut(PUNICODE_STRING FullDllName) { UNICODE_STRING NtString; // [rsp+30h] [rbp-18h] BYREF if ((NtCurrentPeb()->ProcessParameters->Flags & 0x2000000) == 0 || *FullDllName->Buffer == '\\') return 0; PWSTR NtSystemRoot = RtlGetNtSystemRoot(); RtlInitUnicodeStringEx(&NtString, NtSystemRoot); return FullDllName->Length < NtString.Length || RtlCompareUnicodeStrings(FullDllName->Buffer, NtString.Length >> 1, NtString.Buffer, NtString.Length >> 1, 1u) != 0; } NTSTATUS __fastcall LdrpCorValidateImage(PIMAGE_DOS_HEADER DosHeader) { NTSTATUS Status; PIMAGE_FILE_HEADER ImageFileHeader; UINT_PTR LastRVASection; Status = RtlpImageDirectoryEntryToDataEx(DosHeader, TRUE, IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_LOCAL_SYMS_STRIPPED, &LastRVASection, (PIMAGE_FILE_HEADER*)&ImageFileHeader); if (!NT_SUCCESS(Status)) ImageFileHeader = 0; return ImageFileHeader != 0 ? STATUS_INVALID_IMAGE_FORMAT : 0; } NTSTATUS __fastcall LdrpCorFixupImage(PIMAGE_DOS_HEADER DosHeader) { NTSTATUS Status; PIMAGE_NT_HEADERS NtHeader = RtlImageNtHeader(DosHeader); ULONG64 LastRVASection; PIMAGE_COR20_HEADER CorHeader = nullptr; Status = RtlpImageDirectoryEntryToDataEx(DosHeader, 1, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &LastRVASection, &CorHeader); if (!NT_SUCCESS(Status) || !CorHeader) return Status; if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC && NtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 && (CorHeader->Flags & 2) == 0) { ULONG64* pSizeOfHeapCommit = &NtHeader->OptionalHeader.SizeOfHeapCommit; PBYTE UnknownCalc = (PBYTE)&NtHeader->OptionalHeader + (32 * NtHeader->FileHeader.NumberOfSections) + (8 * NtHeader->FileHeader.NumberOfSections) + NtHeader->FileHeader.SizeOfOptionalHeader; UINT_PTR NumberOfBytesToProtect = 0x1000; if ((unsigned __int64)(UnknownCalc - (PBYTE)DosHeader + 0x10) <= 0x1000) { ULONG OldAccessProtection; Status = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&DosHeader, (PULONG)&NumberOfBytesToProtect, PAGE_READWRITE, &OldAccessProtection); if (NT_SUCCESS(Status)) { memmove(NtHeader->OptionalHeader.DataDirectory, &NtHeader->OptionalHeader.SizeOfHeapCommit, UnknownCalc - (PBYTE)pSizeOfHeapCommit); *(ULONG64*)&NtHeader->OptionalHeader.LoaderFlags = NtHeader->OptionalHeader.SizeOfHeapReserve; *pSizeOfHeapCommit = (NtHeader->OptionalHeader.SizeOfStackCommit) & 0xFFFFFFFF00000000; NtHeader->OptionalHeader.SizeOfHeapReserve = (NtHeader->OptionalHeader.SizeOfStackCommit) & UINT_MAX; NtHeader->OptionalHeader.SizeOfStackCommit = (NtHeader->OptionalHeader.SizeOfStackReserve) & 0xFFFFFFFF00000000; NtHeader->OptionalHeader.SizeOfStackReserve = (NtHeader->OptionalHeader.SizeOfStackReserve) & UINT_MAX; NtHeader->OptionalHeader.ImageBase = (NtHeader->OptionalHeader.ImageBase) & 0xFFFFFFFF00000000; NtHeader->FileHeader.SizeOfOptionalHeader += 0x10; NtHeader->OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC; ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&DosHeader, (PULONG)&NumberOfBytesToProtect, OldAccessProtection, &OldAccessProtection); } } else { return STATUS_INVALID_IMAGE_FORMAT; } } else { WORD Machine = NtHeader->FileHeader.Machine; if (Machine < kUserSharedData->ImageNumberLow) return STATUS_INVALID_IMAGE_FORMAT; Status = STATUS_SUCCESS; if (Machine > kUserSharedData->ImageNumberHigh) return STATUS_INVALID_IMAGE_FORMAT; } return Status; } NTSTATUS __fastcall LdrpFindLoadedDllByNameLockHeld(PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, ULONG64 Flags, LDR_DATA_TABLE_ENTRY** pLdrEntry, ULONG BaseNameHashValue) { LIST_ENTRY* pHashIdx; LDR_DDAG_NODE* DdagNode; // Parse entire hash table. Maybe I use it later on. //for (int idx = 0; idx < 32; idx++) //{ // LIST_ENTRY* IdxHead = &LdrpHashTable[idx]; // LIST_ENTRY* IdxEntry = IdxHead->Flink; // while (IdxEntry != IdxHead) // { // LDR_DATA_TABLE_ENTRY* IdxLdrEntry = CONTAINING_RECORD(IdxEntry, LDR_DATA_TABLE_ENTRY, HashLinks); // // printf("[Name: %ws]\n", IdxLdrEntry->BaseDllName.Buffer); // // LIST_ENTRY* LdrHead = &IdxLdrEntry->InLoadOrderLinks; // LIST_ENTRY* LdrEntry = LdrHead->Flink; // while (LdrEntry != LdrHead) // { // LDR_DATA_TABLE_ENTRY* IdxLdrEntryMod = CONTAINING_RECORD(LdrEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); // // printf(" -> [Name: %ws]\n", IdxLdrEntryMod->BaseDllName.Buffer); // // LdrEntry = LdrEntry->Flink; // } // // IdxEntry = IdxEntry->Flink; // } //} pHashIdx = (LIST_ENTRY*)&(LdrpHashTable)[(BaseNameHashValue & 0x1F)]; BOOLEAN DllFound = FALSE; for (LIST_ENTRY* HashEntry = pHashIdx->Flink; HashEntry != pHashIdx; HashEntry = HashEntry->Flink) { LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)&HashEntry[-7]; //LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(HashEntry, LDR_DATA_TABLE_ENTRY, HashLinks); //LDR_DATA_TABLE_ENTRY* DllEntry = (PLDR_DATA_TABLE_ENTRY)CONTAINING_RECORD(HashEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (BaseNameHashValue == (DllEntry->BaseNameHashValue) && ((Flags & 8) == 0 || (DllEntry->FlagGroup[0] & 1) != 0)) { if (FullDllName) { DllFound = RtlEqualUnicodeString(FullDllName, &DllEntry->FullDllName, TRUE); if (DllFound) goto DLL_FOUND; } else { if ((DllEntry->Flags & Redirected) == 0 && RtlEqualUnicodeString(BaseDllName, &DllEntry->BaseDllName, TRUE)) { DllFound = TRUE; DLL_FOUND: DdagNode = DllEntry->DdagNode; if (DdagNode->LoadCount != -1 && ((__int64)DdagNode->Modules.Flink[-4].Blink & 0x20) == 0) _InterlockedIncrement(&DllEntry->ReferenceCount); *pLdrEntry = DllEntry; return DllFound ? STATUS_SUCCESS : STATUS_DLL_NOT_FOUND; } DllFound = FALSE; } } } return DllFound ? STATUS_SUCCESS : STATUS_DLL_NOT_FOUND; } BOOLEAN __fastcall LdrpIsILOnlyImage(PIMAGE_DOS_HEADER DllBase) { NTSTATUS Status; UINT_PTR LastRVASection; PIMAGE_COR20_HEADER CorHeader; Status = RtlpImageDirectoryEntryToDataEx(DllBase, 1u, 0xEu, &LastRVASection, (PVOID*)&CorHeader); if (Status < 0) return Status; return CorHeader && LastRVASection >= 0x48 && (CorHeader->Flags & 1) != 0; } VOID __fastcall LdrpAddNodeServiceTag(LDR_DDAG_NODE* DdagNode, UINT_PTR ServiceTag) { //LDR_DATA_TABLE_ENTRY* LdrEntry = CONTAINING_RECORD(DdagNode->Modules.Flink, LDR_DATA_TABLE_ENTRY, DdagNode); if (DdagNode->LoadCount != -1 && ((__int64)DdagNode->Modules.Flink[-4].Blink & 0x20) == 0) //if (DdagNode->LoadCount != -1 && (LdrEntry->FlagGroup[0] & 0x20) == 0) { for (LDR_SERVICE_TAG_RECORD* i = DdagNode->ServiceTagList; i; i = i->Next) { if (i->ServiceTag == ServiceTag) return; } LDR_SERVICE_TAG_RECORD* Heap = (LDR_SERVICE_TAG_RECORD*)RtlAllocateHeap(*LdrpHeap, 0, 0x10); if (Heap) { Heap->ServiceTag = ServiceTag; Heap->Next = DdagNode->ServiceTagList; DdagNode->ServiceTagList = Heap; SINGLE_LIST_ENTRY* Tail = DdagNode->Dependencies.Tail; if (Tail) { SINGLE_LIST_ENTRY* Tail_2 = Tail; do { Tail_2 = Tail_2->Next; // LDR_DDAG_NODE* NextNode = CONTAINING_RECORD(Tail_2, LDR_DDAG_NODE, CondenseLink); LdrpAddNodeServiceTag((LDR_DDAG_NODE*)Tail_2[1].Next, ServiceTag); //LdrpAddNodeServiceTag(NextNode, ServiceTag); } while (Tail_2 != Tail); } } } } PIMAGE_LOAD_CONFIG_DIRECTORY LdrImageDirectoryEntryToLoadConfig(PIMAGE_DOS_HEADER DllBase) { NTSTATUS Status = STATUS_SUCCESS; PIMAGE_NT_HEADERS OutHeaders = nullptr; RtlImageNtHeaderEx(1u, DllBase, 0, &OutHeaders); if (!DllBase) return nullptr; UINT_PTR LastRVASection = 0; PIMAGE_LOAD_CONFIG_DIRECTORY LoadConfigDirectory = nullptr; Status = RtlpImageDirectoryEntryToDataEx(DllBase, 1u, 0xAu, &LastRVASection, (PVOID*)&LoadConfigDirectory); if (!NT_SUCCESS(Status)) return nullptr; if (LoadConfigDirectory && (DWORD)LastRVASection && (DWORD)LastRVASection == LoadConfigDirectory->Size && OutHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) return LoadConfigDirectory; return nullptr; } BOOLEAN __fastcall LdrpShouldModuleImportBeRedirected(LDR_DATA_TABLE_ENTRY* DllEntry) { if (!DllEntry || !*LdrpRedirectionModule || *LdrpRedirectionModule == DllEntry) return FALSE; if ((NtCurrentPeb()->BitField & IsPackagedProcess) != 0) return DllEntry->FlagGroup[0] & PackagedBinary; // LdrpRedirectionCalloutFunc is a function pointer. if (*LdrpRedirectionCalloutFunc) return (*LdrpRedirectionCalloutFunc)(DllEntry->FullDllName.Buffer); else return TRUE; } PIMAGE_IMPORT_DESCRIPTOR __fastcall LdrpGetImportDescriptorForSnap(LDRP_LOAD_CONTEXT* LoadContext) { NTSTATUS Status; // [CORRECT] //LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); UINT_PTR LastRVASection; PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor; Status = RtlpImageDirectoryEntryToDataEx(DllEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &LastRVASection, (PVOID*)&pImageImportDescriptor); if (!NT_SUCCESS(Status)) return nullptr; if (DllEntry == *LdrpImageEntry && (((ULONG64)(*qword_1993A8) >> 44) & 3) == 1) { PIMAGE_NT_HEADERS pImageNtHeaders = nullptr; RtlImageNtHeaderEx(3, DllEntry->DllBase, 0, (PIMAGE_NT_HEADERS*)&pImageNtHeaders); if (!((LdrpCheckPagesForTampering(&pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT], 8) || LdrpCheckPagesForTampering((PIMAGE_DATA_DIRECTORY)pImageImportDescriptor, (ULONG)LastRVASection)) && NT_SUCCESS(LdrpMapCleanModuleView(LoadContext)))) { return nullptr; } } return pImageImportDescriptor; } NTSTATUS __fastcall LdrpMapCleanModuleView(LDRP_LOAD_CONTEXT* LoadContext) { NTSTATUS Status; HANDLE ProcessInformation = 0; PIMAGE_DOS_HEADER ImageDosHeader = nullptr; ULONG64 ViewSize = 0; if (CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks) != *LdrpImageEntry) return STATUS_NOT_SUPPORTED; Status = NtQueryInformationProcess((HANDLE)-1, ProcessImageSection, &ProcessInformation, 8, 0); if (NT_SUCCESS(Status)) { Status = ZwMapViewOfSection(ProcessInformation, (HANDLE)-1u, &ImageDosHeader, 0, 0, 0, (PULONG)&ViewSize, ViewShare, 0x40000u, 2u); if (NT_SUCCESS(Status)) LoadContext->ImageBase = ImageDosHeader; NtClose(ProcessInformation); } return Status; } LDR_DATA_TABLE_ENTRY* __fastcall LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry) { LDR_DATA_TABLE_ENTRY* DllEntry = LdrEntry; if (LdrEntry) { LDRP_LOAD_CONTEXT* LoadContext = (LDRP_LOAD_CONTEXT*)LdrEntry->LoadContext; if (LoadContext) { if ((LoadContext->Flags & 0x80000) == 0 && (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink != LdrEntry) { DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; LoadContext->WorkQueueListEntry.Flink = &LdrEntry->InLoadOrderLinks; } } } return DllEntry; } NTSTATUS __fastcall LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrDataTableEntry) { LdrpFreeLoadContext(LdrDataTableEntry->LoadContext); // Revokes ProcessStaticImport (0x20) flag. LdrDataTableEntry->Flags &= ~ProcessStaticImport; LdrDataTableEntry->ReferenceCount = 1; return LdrpDereferenceModule(LdrDataTableEntry); } VOID __fastcall LdrpHandlePendingModuleReplaced(LDRP_LOAD_CONTEXT* LoadContext) { LDR_DATA_TABLE_ENTRY* Entry = (LDR_DATA_TABLE_ENTRY*)LoadContext->pvImports; if (Entry) { LDR_DATA_TABLE_ENTRY* ReturnEntry = LdrpHandleReplacedModule(Entry); LDR_DATA_TABLE_ENTRY** CompareEntry = LoadContext->pvImports; if (ReturnEntry != (LDR_DATA_TABLE_ENTRY*)CompareEntry) LdrpFreeReplacedModule((LDR_DATA_TABLE_ENTRY*)CompareEntry); LoadContext->pvImports = nullptr; } } PIMAGE_SECTION_HEADER __fastcall RtlSectionTableFromVirtualAddress(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address) { PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((char*)&NtHeader->OptionalHeader + NtHeader->FileHeader.SizeOfOptionalHeader); if (!NtHeader->FileHeader.NumberOfSections) return nullptr; ULONG NumberOfSections = NtHeader->FileHeader.NumberOfSections; ULONG SectionIdx = 0; while (TRUE) { ULONG VirtualAddress = SectionHeader->VirtualAddress; if ((unsigned int)Address >= VirtualAddress && (unsigned int)Address < SectionHeader->SizeOfRawData + VirtualAddress) break; ++SectionHeader; if (++SectionIdx >= NumberOfSections) return nullptr; } return SectionHeader; } PIMAGE_SECTION_HEADER __fastcall RtlAddressInSectionTable(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address) { PIMAGE_SECTION_HEADER SectionHeader; SectionHeader = RtlSectionTableFromVirtualAddress(NtHeader, Base, Address); if (SectionHeader) return (PIMAGE_SECTION_HEADER)(SectionHeader->PointerToRawData - SectionHeader->VirtualAddress); return SectionHeader; } BOOLEAN __fastcall LdrpValidateEntrySection(LDR_DATA_TABLE_ENTRY* DllEntry) { PIMAGE_NT_HEADERS OutHeaders; RtlImageNtHeaderEx(3u, DllEntry->DllBase, 0, &OutHeaders); ULONG AddressOfEntryPoint = OutHeaders->OptionalHeader.AddressOfEntryPoint; return !AddressOfEntryPoint || !DllEntry->EntryPoint || AddressOfEntryPoint >= OutHeaders->OptionalHeader.SizeOfHeaders; } BOOL __fastcall LdrpIsExecutableRelocatedImage(PIMAGE_DOS_HEADER DllBase) { MEMORY_IMAGE_INFORMATION MemoryInformation; // [rsp+30h] [rbp-28h] BYREF PIMAGE_NT_HEADERS OutHeaders; // [rsp+68h] [rbp+10h] BYREF return NT_SUCCESS(RtlImageNtHeaderEx(3u, DllBase, 0i64, &OutHeaders)) && (PIMAGE_DOS_HEADER)OutHeaders->OptionalHeader.ImageBase == DllBase && NT_SUCCESS(ZwQueryVirtualMemory((HANDLE)-1, DllBase, MemoryImageInformation, &MemoryInformation, 0x18, 0)) && MemoryInformation.ImageBase == DllBase && (MemoryInformation.ImageFlags & 2) == 0 && (MemoryInformation.ImageFlags & 1) == 0; } TLS_ENTRY* __fastcall LdrpFindTlsEntry(LDR_DATA_TABLE_ENTRY* LdrEntry) { TLS_ENTRY* TlsEntry; for (TlsEntry = *LdrpTlsList; TlsEntry != (TLS_ENTRY*)LdrpTlsList; TlsEntry = (TLS_ENTRY*)TlsEntry->TlsEntry.Flink) { if ((LDR_DATA_TABLE_ENTRY*)TlsEntry->ModuleEntry == LdrEntry) return TlsEntry; } return nullptr; } BOOL __fastcall ImageTlsCallbackCaller(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved) { ((void(__fastcall*)(HINSTANCE, DWORD, LPVOID))lpvReserved)(hInstDll, fdwReason, 0); return 1; } // Implemented inside LOADLIBRARY class to use WID_HIDDEN NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpThreadTokenSetMainThreadToken() // CHECKED. { NTSTATUS Status; HANDLE ReturnToken = NULL; Status = NtOpenThreadToken((HANDLE)-2, 0x2001C, 0, &ReturnToken); *LdrpMainThreadToken = ReturnToken; if (Status != STATUS_NO_TOKEN) { WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0xDC8, "LdrpThreadTokenSetMainThreadToken", 2, "Status: 0x%x\n", Status); ) } return Status; } NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpThreadTokenUnsetMainThreadToken() // CHECKED. { NTSTATUS Status; Status = NtClose(*LdrpMainThreadToken); *LdrpMainThreadToken = NULL; WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0xDEE, "LdrpThreadTokenUnsetMainThreadToken", 2u, "Status: 0x%x\n", Status); ) return Status; } LDR_DATA_TABLE_ENTRY* __fastcall WID::Loader::LOADLIBRARY::LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry) // CHECKED. { LDR_DATA_TABLE_ENTRY* DllEntry = LdrEntry; if (LdrEntry) { LDRP_LOAD_CONTEXT* LoadContext = LdrEntry->LoadContext; if (LoadContext) { DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); //if ((LoadContext->Flags & SEC_64K_PAGES) == 0 && (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink != LdrEntry) if ((LoadContext->Flags & SEC_64K_PAGES) == 0 && DllEntry != LdrEntry) { //DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; LoadContext->WorkQueueListEntry.Flink = &LdrEntry->InLoadOrderLinks; } } } return DllEntry; } NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry) // CHECKED. { LdrpFreeLoadContext(LdrEntry->LoadContext); // Resets (sets to 0) flag ProcessStaticImport (0x20) LdrEntry->Flags &= ~0x20u; // Might change if hidden, not touching for now. LdrEntry->ReferenceCount = 1; return LdrpDereferenceModule(LdrEntry); } NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpResolveDllName(LDRP_LOAD_CONTEXT* LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer, PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, DWORD Flags) // CHECKED. { NTSTATUS Status; PWCHAR FileName; UNICODE_STRING DllName; BOOLEAN FileNamesNotEqual = FALSE; WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x6B9, "LdrpResolveDllName", 3u, "DLL name: %wZ\n", LoadContext); ) // Converted goto to do-while loop. do { // This if will go in if call stack starts back from LoadLibraryExW with an absolute path. if (Flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) { DllName = LoadContext->BaseDllName; } else { Status = LdrpGetFullPath(LoadContext, &FileNameBuffer->pFileName); if (!NT_SUCCESS(Status)) { if (FileNamesNotEqual) LdrpFreeUnicodeString(&DllName); WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x742, "LdrpResolveDllName", 4, "Status: 0x%08lx\n", Status); ) return Status; } FileName = FileNameBuffer->FileName; DllName = FileNameBuffer->pFileName; FileNamesNotEqual = (FileNameBuffer->FileName != FileNameBuffer->pFileName.Buffer); if (FileNamesNotEqual) { FileNameBuffer->pFileName.Buffer = FileName; FileNameBuffer->pFileName.MaximumLength = MAX_PATH - 4; *FileName = 0; break; } } USHORT Length = DllName.Length; PWCHAR Buffer = DllName.Buffer; Status = LdrpAllocateUnicodeString(&DllName, DllName.Length); if (!NT_SUCCESS(Status)) { if (FileNamesNotEqual) LdrpFreeUnicodeString(&DllName); WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x742, "LdrpResolveDllName", 4, "Status: 0x%08lx\n", Status); ) return Status; } FileNamesNotEqual = TRUE; memmove(DllName.Buffer, Buffer, Length + 2); DllName.Length = Length; } while (FALSE); FileNameBuffer->pFileName.Length = 0; if (Flags & 0x10000000) Status = LdrpAppendUnicodeStringToFilenameBuffer(&FileNameBuffer->pFileName, LoadContext); else Status = LdrpGetNtPathFromDosPath(&DllName, FileNameBuffer); if (NT_SUCCESS(Status)) { *FullDllName = DllName; LdrpGetBaseNameFromFullName(&DllName, BaseDllName); WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x742, "LdrpResolveDllName", 4, "Status: 0x%08lx\n", Status); ) return Status; } NTSTATUS StatusAdded = (Status + 0x3FFFFFF1); //LONGLONG BitTestVar = 0x1C3000000011; LONGLONG BitTestVar = 0b0001'1100'0011'0000'0000'0000'0000'0000'0000'0000'0001'0001; if (StatusAdded <= 0x2C && (_bittest64(&BitTestVar, StatusAdded)) || Status == STATUS_DEVICE_OFF_LINE || Status == STATUS_DEVICE_NOT_READY) { WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x72D, "LdrpResolveDllName", 2, "Original status: 0x%08lx\n", Status); ) Status = STATUS_DLL_NOT_FOUND; } if (FileNamesNotEqual) LdrpFreeUnicodeString(&DllName); WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x742, "LdrpResolveDllName", 4, "Status: 0x%08lx\n", Status); ) return Status; } NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpFindDllActivationContext(LDR_DATA_TABLE_ENTRY* LdrEntry) // CHECKED. { NTSTATUS Status = STATUS_SUCCESS; if (*(UINT_PTR*)(*LdrpManifestProberRoutine)) { PEB* PEB = NtCurrentPeb(); if (LdrEntry != *LdrpImageEntry || !PEB->ActivationContextData) { PWCHAR Buffer = LdrEntry->FullDllName.Buffer; if (LdrEntry == *LdrpImageEntry && *Buffer == '\\' && Buffer[1] == '?' && Buffer[2] == '?' && Buffer[3] == '\\' && Buffer[4] && Buffer[5] == ':' && Buffer[6] == '\\') { Buffer += 4; } // LdrpManifestProberRoutine is a function pointer. ACTIVATION_CONTEXT* pActivationCtx = nullptr; Status = (*LdrpManifestProberRoutine)(LdrEntry->DllBase, Buffer, &pActivationCtx); if ((unsigned int)(Status + 0x3FFFFF77) <= 2 || Status == STATUS_NOT_SUPPORTED || Status == STATUS_NO_SUCH_FILE || Status == STATUS_NOT_IMPLEMENTED || Status == STATUS_RESOURCE_LANG_NOT_FOUND) { WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrsnap.c", 733, "LdrpFindDllActivationContext", 2u, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", &LdrEntry->FullDllName, Status); ) Status = STATUS_SUCCESS; } if (pActivationCtx) { if (LdrEntry->EntryPointActivationContext) { RtlReleaseActivationContext(LdrEntry->EntryPointActivationContext); } LdrEntry->EntryPointActivationContext = pActivationCtx; } if (!NT_SUCCESS(Status)) { WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrsnap.c", 0x2FA, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", Status); ) } } } return Status; } // Planning to implement them all in the future. tNtOpenThreadToken NtOpenThreadToken = nullptr; tNtClose NtClose = nullptr; tRtlAllocateHeap RtlAllocateHeap = nullptr; tRtlFreeHeap RtlFreeHeap = nullptr; tLdrGetDllPath LdrGetDllPath = nullptr; tRtlReleasePath RtlReleasePath = nullptr; tRtlInitUnicodeStringEx RtlInitUnicodeStringEx = nullptr; tRtlEnterCriticalSection RtlEnterCriticalSection = nullptr; tRtlLeaveCriticalSection RtlLeaveCriticalSection = nullptr; tZwSetEvent ZwSetEvent = nullptr; tNtOpenFile NtOpenFile = nullptr; tLdrAppxHandleIntegrityFailure LdrAppxHandleIntegrityFailure = nullptr; tNtRaiseHardError NtRaiseHardError = nullptr; tRtlImageNtHeaderEx RtlImageNtHeaderEx = nullptr; tRtlAcquireSRWLockExclusive RtlAcquireSRWLockExclusive = nullptr; tRtlReleaseSRWLockExclusive RtlReleaseSRWLockExclusive = nullptr; tRtlEqualUnicodeString RtlEqualUnicodeString = nullptr; tRtlAcquirePrivilege RtlAcquirePrivilege = nullptr; tRtlReleasePrivilege RtlReleasePrivilege = nullptr; tRtlCompareUnicodeStrings RtlCompareUnicodeStrings = nullptr; tRtlImageNtHeader RtlImageNtHeader = nullptr; tRtlReleaseActivationContext RtlReleaseActivationContext = nullptr; tRtlCharToInteger RtlCharToInteger = nullptr; tRtlActivateActivationContextUnsafeFast RtlActivateActivationContextUnsafeFast = nullptr; tRtlDeactivateActivationContextUnsafeFast RtlDeactivateActivationContextUnsafeFast = nullptr; tRtlAcquireSRWLockShared RtlAcquireSRWLockShared = nullptr; tRtlReleaseSRWLockShared RtlReleaseSRWLockShared = nullptr; // Signatured tLdrpLogInternal LdrpLogInternal = nullptr; tLdrpInitializeDllPath LdrpInitializeDllPath = nullptr; tLdrpDereferenceModule LdrpDereferenceModule = nullptr; tLdrpLogDllState LdrpLogDllState = nullptr; tLdrpPreprocessDllName LdrpPreprocessDllName = nullptr; tLdrpFindLoadedDllByName LdrpFindLoadedDllByName = nullptr; tLdrpDrainWorkQueue LdrpDrainWorkQueue = nullptr; tLdrpFindLoadedDllByHandle LdrpFindLoadedDllByHandle = nullptr; tLdrpDropLastInProgressCount LdrpDropLastInProgressCount = nullptr; tLdrpQueryCurrentPatch LdrpQueryCurrentPatch = nullptr; tLdrpUndoPatchImage LdrpUndoPatchImage = nullptr; tLdrpDetectDetour LdrpDetectDetour = nullptr; tLdrpFindOrPrepareLoadingModule LdrpFindOrPrepareLoadingModule = nullptr; tLdrpFreeLoadContext LdrpFreeLoadContext = nullptr; tLdrpCondenseGraph LdrpCondenseGraph = nullptr; tLdrpBuildForwarderLink LdrpBuildForwarderLink = nullptr; tLdrpPinModule LdrpPinModule = nullptr; tLdrpApplyPatchImage LdrpApplyPatchImage = nullptr; tLdrpFreeLoadContextOfNode LdrpFreeLoadContextOfNode = nullptr; tLdrpDecrementModuleLoadCountEx LdrpDecrementModuleLoadCountEx = nullptr; tLdrpLogError LdrpLogError = nullptr; tLdrpLogDeprecatedDllEtwEvent LdrpLogDeprecatedDllEtwEvent = nullptr; tLdrpLogLoadFailureEtwEvent LdrpLogLoadFailureEtwEvent = nullptr; tLdrpReportError LdrpReportError = nullptr; tLdrpResolveDllName LdrpResolveDllName = nullptr; tLdrpAppCompatRedirect LdrpAppCompatRedirect = nullptr; tLdrpHashUnicodeString LdrpHashUnicodeString = nullptr; tLdrpFindExistingModule LdrpFindExistingModule = nullptr; tLdrpLoadContextReplaceModule LdrpLoadContextReplaceModule = nullptr; tLdrpSearchPath LdrpSearchPath = nullptr; tLdrpIsSecurityEtwLoggingEnabled LdrpIsSecurityEtwLoggingEnabled = nullptr; tLdrpLogEtwDllSearchResults LdrpLogEtwDllSearchResults = nullptr; tLdrpCheckForRetryLoading LdrpCheckForRetryLoading = nullptr; tLdrpLogEtwEvent LdrpLogEtwEvent = nullptr; tLdrpCheckComponentOnDemandEtwEvent LdrpCheckComponentOnDemandEtwEvent = nullptr; tLdrpValidateIntegrityContinuity LdrpValidateIntegrityContinuity = nullptr; tLdrpSetModuleSigningLevel LdrpSetModuleSigningLevel = nullptr; tLdrpCodeAuthzCheckDllAllowed LdrpCodeAuthzCheckDllAllowed = nullptr; tLdrpGetFullPath LdrpGetFullPath = nullptr; tLdrpAllocateUnicodeString LdrpAllocateUnicodeString = nullptr; tLdrpAppendUnicodeStringToFilenameBuffer LdrpAppendUnicodeStringToFilenameBuffer = nullptr; tLdrpGetNtPathFromDosPath LdrpGetNtPathFromDosPath = nullptr; tLdrpFindLoadedDllByMappingLockHeld LdrpFindLoadedDllByMappingLockHeld = nullptr; tLdrpInsertDataTableEntry LdrpInsertDataTableEntry = nullptr; tLdrpInsertModuleToIndexLockHeld LdrpInsertModuleToIndexLockHeld = nullptr; tLdrpLogEtwHotPatchStatus LdrpLogEtwHotPatchStatus = nullptr; tLdrpLogNewDllLoad LdrpLogNewDllLoad = nullptr; tLdrpProcessMachineMismatch LdrpProcessMachineMismatch = nullptr; tRtlQueryImageFileKeyOption RtlQueryImageFileKeyOption = nullptr; tRtlpImageDirectoryEntryToDataEx RtlpImageDirectoryEntryToDataEx = nullptr; tLdrpLogDllRelocationEtwEvent LdrpLogDllRelocationEtwEvent = nullptr; tLdrpNotifyLoadOfGraph LdrpNotifyLoadOfGraph = nullptr; tLdrpDynamicShimModule LdrpDynamicShimModule = nullptr; tLdrpAcquireLoaderLock LdrpAcquireLoaderLock = nullptr; tLdrpReleaseLoaderLock LdrpReleaseLoaderLock = nullptr; tLdrpCheckPagesForTampering LdrpCheckPagesForTampering = nullptr; tLdrpLoadDependentModuleA LdrpLoadDependentModuleA = nullptr; tLdrpLoadDependentModuleW LdrpLoadDependentModuleW = nullptr; tLdrpQueueWork LdrpQueueWork = nullptr; tLdrpHandleTlsData LdrpHandleTlsData = nullptr; tLdrControlFlowGuardEnforcedWithExportSuppression LdrControlFlowGuardEnforcedWithExportSuppression = nullptr; tLdrpUnsuppressAddressTakenIat LdrpUnsuppressAddressTakenIat = nullptr; tLdrControlFlowGuardEnforced LdrControlFlowGuardEnforced = nullptr; tRtlpxLookupFunctionTable RtlpxLookupFunctionTable = nullptr; tLdrpCheckRedirection LdrpCheckRedirection = nullptr; tCompatCachepLookupCdb CompatCachepLookupCdb = nullptr; tLdrpGenRandom LdrpGenRandom = nullptr; tLdrInitSecurityCookie LdrInitSecurityCookie = nullptr; tLdrpCfgProcessLoadConfig LdrpCfgProcessLoadConfig = nullptr; tRtlInsertInvertedFunctionTable RtlInsertInvertedFunctionTable = nullptr; tLdrpSignalModuleMapped LdrpSignalModuleMapped = nullptr; tAVrfDllLoadNotification AVrfDllLoadNotification = nullptr; tLdrpSendDllNotifications LdrpSendDllNotifications = nullptr; tLdrpCallTlsInitializers LdrpCallTlsInitializers = nullptr; ================================================ FILE: Src/Functions/NT.h ================================================ #pragma once #include "..\Includes.h" #include "..\WID.h" #include "Undocumented.h" #define NT_SUCCESS(x) ((x)>=0) #define STATUS_SUCCESS 0x0 #define STATUS_IMAGE_NOT_AT_BASE 0x40000003 #define STATUS_IMAGE_AT_DIFFERENT_BASE 0x40000036 #define STATUS_IMAGE_MACHINE_TYPE_MISMATCH 0x4000000E #define STATUS_DEVICE_OFF_LINE 0x80000010 #define STATUS_UNSUCCESSFUL 0xC0000001 #define STATUS_NOT_IMPLEMENTED 0xC0000002 #define STATUS_NO_SUCH_FILE 0xC000000F #define STATUS_CONFLICTING_ADDRESSES 0xC0000018 #define STATUS_ACCESS_DENIED 0xC0000022 #define STATUS_OBJECT_NAME_NOT_FOUND 0xC0000034 #define STATUS_OBJECT_PATH_NOT_FOUND 0xC000003A #define STATUS_PROCEDURE_NOT_FOUND 0xC000007A #define STATUS_DEVICE_NOT_READY 0xC00000A3 #define STATUS_INVALID_IMAGE_FORMAT 0xC000007B #define STATUS_NO_TOKEN 0xC000007C #define STATUS_INSUFFICIENT_RESOURCES 0xC000009A #define STATUS_NOT_SUPPORTED 0xC00000BB #define STATUS_INTERNAL_ERROR 0xC00000E5 #define STATUS_NAME_TOO_LONG 0xC0000106 #define STATUS_COMMITMENT_LIMIT 0xC000012D #define STATUS_NO_APPLICATION_PACKAGE 0xC00001AA #define STATUS_RESOURCE_LANG_NOT_FOUND 0xC0000204 #define STATUS_NOT_FOUND 0xC0000225 #define STATUS_RETRY 0xC000022D #define STATUS_INVALID_IMAGE_HASH 0xC0000428 #define STATUS_NEEDS_REMEDIATION 0xC0000462 #define STATUS_PATCH_CONFLICT 0xC00004AC #define STATUS_IMAGE_LOADED_AS_PATCH_IMAGE 0xC00004C0 #define STATUS_INVALID_THREAD 0xC000071C // Implemented. extern DWORD* LdrpPolicyBits; extern HANDLE* LdrpMainThreadToken; extern DWORD* LdrInitState; extern DWORD* LoadFailure; extern PRTL_CRITICAL_SECTION LdrpWorkQueueLock; extern DWORD* LdrpWorkInProgress; extern LIST_ENTRY** LdrpWorkQueue; extern PHANDLE LdrpWorkCompleteEvent; extern KUSER_SHARED_DATA* kUserSharedData; extern DWORD* LdrpUseImpersonatedDeviceMap; extern DWORD* LdrpAuditIntegrityContinuity; extern DWORD* LdrpEnforceIntegrityContinuity; extern DWORD* LdrpFatalHardErrorCount; extern DWORD* UseWOW64; extern PRTL_SRWLOCK LdrpModuleDatatableLock; extern PHANDLE qword_17E238; extern LDR_DATA_TABLE_ENTRY** LdrpImageEntry; extern PUNICODE_STRING LdrpKernel32DllName; extern UINT_PTR* LdrpAppHeaders; extern PHANDLE LdrpLargePageDllKeyHandle; extern ULONG** LdrpLockMemoryPrivilege; extern ULONG64* LdrpMaximumUserModeAddress; extern UINT_PTR* LdrpMapAndSnapWork; extern LIST_ENTRY* LdrpHashTable; extern PVOID* LdrpHeap; extern BOOLEAN* LdrpIsHotPatchingEnabled; extern LDR_DATA_TABLE_ENTRY** LdrpRedirectionModule; extern ULONG64** qword_1993A8; extern LONG* NtdllBaseTag; extern FUNCTION_TABLE_DATA* stru_199520; extern UINT_PTR* qword_199530; extern LDR_DATA_TABLE_ENTRY** LdrpNtDllDataTableEntry; extern UINT_PTR* qword_1993B8; extern DWORD* dword_19939C; extern DWORD* LoadFailureOperational; extern DWORD* dword_199398; extern UINT_PTR*** qword_1843B8; extern UINT_PTR* qword_1843B0; extern UINT_PTR* LdrpCurrentDllInitializer; extern LPVOID** LdrpProcessInitContextRecord; extern PRTL_SRWLOCK LdrpTlsLock; extern TLS_ENTRY** LdrpTlsList; typedef NTSTATUS(__fastcall** tLdrpManifestProberRoutine)(PIMAGE_DOS_HEADER Base, PWCHAR, PVOID); extern tLdrpManifestProberRoutine LdrpManifestProberRoutine; typedef BOOLEAN(__fastcall** tLdrpRedirectionCalloutFunc)(PWCHAR Buffer); extern tLdrpRedirectionCalloutFunc LdrpRedirectionCalloutFunc; PEB* NtCurrentPeb(); VOID __fastcall NtdllpFreeStringRoutine(PWCH Buffer); // CHECKED. NTSTATUS __fastcall LdrpFastpthReloadedDll(PUNICODE_STRING FullPath, ULONG Flags, PLDR_DATA_TABLE_ENTRY LdrEntry, LDR_DATA_TABLE_ENTRY** DllEntry); NTSTATUS __fastcall LdrpIncrementModuleLoadCount(LDR_DATA_TABLE_ENTRY* LdrEntry); VOID __fastcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString); // CHECKED. VOID __fastcall LdrpFreeUnicodeString(PUNICODE_STRING String); ULONG __fastcall RtlGetCurrentServiceSessionId(VOID); // CHECKED ? USHORT __fastcall LdrpGetBaseNameFromFullName(PUNICODE_STRING BaseName, PUNICODE_STRING FullName); PWCHAR __fastcall RtlGetNtSystemRoot(); BOOLEAN __fastcall LdrpHpatAllocationOptOut(PUNICODE_STRING FullDllName); NTSTATUS __fastcall LdrpCorValidateImage(PIMAGE_DOS_HEADER DosHeader); NTSTATUS __fastcall LdrpCorFixupImage(PIMAGE_DOS_HEADER DosHeader); NTSTATUS __fastcall LdrpFindLoadedDllByNameLockHeld(PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, ULONG64 Flags, LDR_DATA_TABLE_ENTRY** pLdrEntry, ULONG BaseNameHashValue); BOOLEAN __fastcall LdrpIsILOnlyImage(PIMAGE_DOS_HEADER DllBase); VOID __fastcall LdrpAddNodeServiceTag(LDR_DDAG_NODE* DdagNode, UINT_PTR ServiceTag); PIMAGE_LOAD_CONFIG_DIRECTORY LdrImageDirectoryEntryToLoadConfig(PIMAGE_DOS_HEADER DllBase); BOOLEAN __fastcall LdrpShouldModuleImportBeRedirected(LDR_DATA_TABLE_ENTRY* DllEntry); PIMAGE_IMPORT_DESCRIPTOR __fastcall LdrpGetImportDescriptorForSnap(LDRP_LOAD_CONTEXT* LoadContext); NTSTATUS __fastcall LdrpMapCleanModuleView(LDRP_LOAD_CONTEXT* LoadContext); LDR_DATA_TABLE_ENTRY* __fastcall LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry); NTSTATUS __fastcall LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrDataTableEntry); VOID __fastcall LdrpHandlePendingModuleReplaced(LDRP_LOAD_CONTEXT* LoadContext); PIMAGE_SECTION_HEADER __fastcall RtlSectionTableFromVirtualAddress(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address); PIMAGE_SECTION_HEADER __fastcall RtlAddressInSectionTable(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address); BOOLEAN __fastcall LdrpValidateEntrySection(LDR_DATA_TABLE_ENTRY* DllEntry); BOOL __fastcall LdrpIsExecutableRelocatedImage(PIMAGE_DOS_HEADER DllBase); TLS_ENTRY* __fastcall LdrpFindTlsEntry(LDR_DATA_TABLE_ENTRY* LdrEntry); BOOL __fastcall ImageTlsCallbackCaller(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved); extern "C" NTSTATUS __fastcall ZwSystemDebugControl(); extern "C" NTSTATUS __fastcall NtCreateSection(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES * ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle); extern "C" NTSTATUS __fastcall ZwMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle, PIMAGE_DOS_HEADER * BaseAddress, ULONG64 ZeroBits, ULONG64 CommitSize, PLARGE_INTEGER SectionOffset, PULONG ViewSize, SECTION_INHERIT InheritDisposition, ULONG64 AllocationType, ULONG64 Protect); extern "C" NTSTATUS __fastcall ZwMapViewOfSectionEx(HANDLE SectionHandle, HANDLE ProcessHandle, PIMAGE_DOS_HEADER * DllBase, PLARGE_INTEGER a4, PULONG ViewSize, ULONG a6, ULONG a7, MEM_EXTENDED_PARAMETER * MemExtendedParam, ULONG a9); extern "C" NTSTATUS __fastcall NtUnmapViewOfSection(HANDLE ProcessHandle, PVOID BaseAddress); extern "C" NTSTATUS __fastcall ZwProtectVirtualMemory(HANDLE ProcessHandle, PVOID * BaseAddress, PULONG ProtectSize, ULONG NewProtect, PULONG OldProtect); extern "C" NTSTATUS __fastcall ZwQueryVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID MemoryInformation, SIZE_T MemoryInformationLength, PSIZE_T ReturnLength); extern "C" NTSTATUS __fastcall NtQueryInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); // Planning to implement them all in the future. typedef NTSTATUS(__fastcall* tNtOpenThreadToken)(IN HANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN OpenAsSelf, OUT PHANDLE TokenHandle); extern tNtOpenThreadToken NtOpenThreadToken; typedef NTSTATUS(__fastcall* tNtClose)(HANDLE Handle); extern tNtClose NtClose; typedef PVOID(__fastcall* tRtlAllocateHeap)(IN PVOID HeapHandle, IN OPTIONAL ULONG Flags, IN SIZE_T Size); extern tRtlAllocateHeap RtlAllocateHeap; typedef BOOLEAN(__fastcall* tRtlFreeHeap)(IN PVOID HeapHandle, IN OPTIONAL ULONG Flags, _Frees_ptr_opt_ PVOID BaseAddress); extern tRtlFreeHeap RtlFreeHeap; typedef NTSTATUS(__fastcall* tLdrGetDllPath)(PWCH DllName, DWORD dwFlags, PWSTR* Path, PWSTR* Unknown); extern tLdrGetDllPath LdrGetDllPath; typedef VOID(__fastcall* tRtlReleasePath)(IN PWSTR); extern tRtlReleasePath RtlReleasePath; typedef NTSTATUS(__fastcall* tRtlInitUnicodeStringEx)(PUNICODE_STRING target, PCWSTR source); extern tRtlInitUnicodeStringEx RtlInitUnicodeStringEx; typedef NTSTATUS(__fastcall* tRtlEnterCriticalSection)(PRTL_CRITICAL_SECTION CriticalSection); extern tRtlEnterCriticalSection RtlEnterCriticalSection; typedef NTSTATUS(__fastcall* tRtlLeaveCriticalSection)(PRTL_CRITICAL_SECTION CriticalSection); extern tRtlLeaveCriticalSection RtlLeaveCriticalSection; typedef NTSTATUS(__fastcall* tZwSetEvent)(HANDLE EventHandle, PLONG PreviousState); extern tZwSetEvent ZwSetEvent; typedef NTSTATUS(__fastcall* tNtOpenFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES* ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions); extern tNtOpenFile NtOpenFile; typedef NTSTATUS(__fastcall* tLdrAppxHandleIntegrityFailure)(NTSTATUS Status); extern tLdrAppxHandleIntegrityFailure LdrAppxHandleIntegrityFailure; typedef NTSTATUS(__fastcall* tNtRaiseHardError)(NTSTATUS Status, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask, INT* Parameters, HARDERROR_RESPONSE_OPTION ValidResponseOption, HARDERROR_RESPONSE* Response); extern tNtRaiseHardError NtRaiseHardError; typedef NTSTATUS(__fastcall* tRtlImageNtHeaderEx)(ULONG Flags, PVOID Base, ULONG64 Size, PIMAGE_NT_HEADERS* OutHeaders); extern tRtlImageNtHeaderEx RtlImageNtHeaderEx; typedef VOID(__fastcall* tRtlAcquireSRWLockExclusive)(PRTL_SRWLOCK SRWLock); extern tRtlAcquireSRWLockExclusive RtlAcquireSRWLockExclusive; typedef NTSTATUS(__fastcall* tRtlReleaseSRWLockExclusive)(PRTL_SRWLOCK SRWLock); extern tRtlReleaseSRWLockExclusive RtlReleaseSRWLockExclusive; typedef NTSTATUS(__fastcall* tRtlEqualUnicodeString)(PUNICODE_STRING String1, PUNICODE_STRING String2, BOOLEAN CaseInSensitive); extern tRtlEqualUnicodeString RtlEqualUnicodeString; typedef NTSTATUS(__fastcall* tRtlAcquirePrivilege)(ULONG* Privilege,ULONG NumPriv,ULONG Flags,PVOID * ReturnedState); extern tRtlAcquirePrivilege RtlAcquirePrivilege; typedef VOID(__fastcall* tRtlReleasePrivilege)(PVOID ReturnedState); extern tRtlReleasePrivilege RtlReleasePrivilege; typedef NTSTATUS(__fastcall* tRtlCompareUnicodeStrings)(PWCH String1, UINT_PTR String1Length, PWCH String2, UINT_PTR String2Length, BOOLEAN CaseInSensitive); extern tRtlCompareUnicodeStrings RtlCompareUnicodeStrings; typedef PIMAGE_NT_HEADERS(__fastcall* tRtlImageNtHeader)(PIMAGE_DOS_HEADER DosHeader); extern tRtlImageNtHeader RtlImageNtHeader; typedef UINT_PTR(__fastcall* tRtlReleaseActivationContext)(ACTIVATION_CONTEXT* ActivationContext); extern tRtlReleaseActivationContext RtlReleaseActivationContext; typedef NTSTATUS(__fastcall* tRtlCharToInteger)(const PCHAR String, ULONG Base, PULONG Value); extern tRtlCharToInteger RtlCharToInteger; typedef NTSTATUS(__fastcall* tRtlActivateActivationContextUnsafeFast)(RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED* StackFrameExtended, ACTIVATION_CONTEXT* ActivationContext); extern tRtlActivateActivationContextUnsafeFast RtlActivateActivationContextUnsafeFast; typedef VOID(__fastcall* tRtlDeactivateActivationContextUnsafeFast)(RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED* StackFrameExtended); extern tRtlDeactivateActivationContextUnsafeFast RtlDeactivateActivationContextUnsafeFast; typedef NTSTATUS(__fastcall* tRtlAcquireSRWLockShared)(PRTL_SRWLOCK SrwLock); extern tRtlAcquireSRWLockShared RtlAcquireSRWLockShared; typedef NTSTATUS(__fastcall* tRtlReleaseSRWLockShared)(PRTL_SRWLOCK SrwLock); extern tRtlReleaseSRWLockShared RtlReleaseSRWLockShared; // Signatured #define LDRP_LOG_INTERNAL_PATTERN "\x89\x54\x24\x10\x4C\x8B\xDC\x49\x89\x4B\x08" typedef NTSTATUS(__fastcall* tLdrpLogInternal)(PCHAR, ULONG, PCHAR, ULONG, PCHAR, ...); extern tLdrpLogInternal LdrpLogInternal; #define LDRP_INITIALIZE_DLLPATH_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x30\x49\x8B\xF8\x48\x8B\xDA\x48\x8B\xF1" typedef NTSTATUS(__fastcall* tLdrpInitializeDllPath)(PWSTR DllName, PWSTR DllPath, LDR_UNKSTRUCT* ReturnPath); extern tLdrpInitializeDllPath LdrpInitializeDllPath; #define LDRP_DEREFERENCE_MODULE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x20\x48\x8B\x81\x98\x00\x00\x00" typedef NTSTATUS(__fastcall* tLdrpDereferenceModule)(LDR_DATA_TABLE_ENTRY* DllEntry); extern tLdrpDereferenceModule LdrpDereferenceModule; #define LDRP_LOG_DLLSTATE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x30\x65\x48\x8B\x04\x25\x60\x00\x00\x00\x41" typedef NTSTATUS(__fastcall* tLdrpLogDllState)(UINT_PTR, PUNICODE_STRING, ULONG); extern tLdrpLogDllState LdrpLogDllState; #define LDRP_PREPROCESS_DLLNAME_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x08\x49\x89\x6B\x10\x49\x89\x73\x18\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x83\xEC\x40" typedef NTSTATUS(__fastcall* tLdrpPreprocessDllName)(PUNICODE_STRING DllName, PUNICODE_STRING ResName, PULONG pZero, PULONG pFlags); extern tLdrpPreprocessDllName LdrpPreprocessDllName; #define LDRP_FIND_LOADEDDLLBYNAME_PATTERN "\x48\x8B\xC4\x53\x55\x41\x57\x48\x83\xEC\x50" typedef NTSTATUS(__fastcall* tLdrpFindLoadedDllByName)(PUNICODE_STRING FullPath, PUNICODE_STRING DllName, USHORT Flags, LDR_DATA_TABLE_ENTRY** DllEntry, LDR_DDAG_STATE* ReturnStatus); extern tLdrpFindLoadedDllByName LdrpFindLoadedDllByName; #define LDRP_DRAIN_WORKQUEUE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x54\x41\x56\x48\x83\xEC\x20\x4C\x8B\x35\x35\xA3\x15\x00" typedef TEB* (__fastcall* tLdrpDrainWorkQueue)(DRAIN_TASK DrainTask); extern tLdrpDrainWorkQueue LdrpDrainWorkQueue; #define LDRP_FIND_LOADEDDLL_BYHANDLE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x48\x89\x7C\x24\x18\x41\x56\x48\x83\xEC\x20\x33\xDB\x49\x8B\xF8\x4C\x8B\xF2" typedef NTSTATUS(__fastcall* tLdrpFindLoadedDllByHandle)(unsigned __int64 a1, PLDR_DATA_TABLE_ENTRY* ppLdrEntry, DWORD* a3); extern tLdrpFindLoadedDllByHandle LdrpFindLoadedDllByHandle; #define LDRP_DROP_LASTINPROGRESS_COUNT_PATTERN "\x48\x83\xEC\x28\x65\x48\x8B\x04\x25\x30\x00\x00\x00\xB9\xFF\xEF\x00\x00" typedef NTSTATUS(__fastcall* tLdrpDropLastInProgressCount)(); extern tLdrpDropLastInProgressCount LdrpDropLastInProgressCount; #define LDRP_QUERY_CURRENT_PATCH_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x70\x10\x48\x89\x78\x20\x55\x41\x56" typedef NTSTATUS(__fastcall* tLdrpQueryCurrentPatch)(ULONG Checksum, ULONG TimeDateStamp, PUNICODE_STRING FullPath); extern tLdrpQueryCurrentPatch LdrpQueryCurrentPatch; #define LDRP_UNDO_PATCH_IMAGE_PATTERN "\x4C\x8B\xDC\x53\x48\x83\xEC\x40\x48\x8B\x41\x30\x4D\x8D\x4B\x08" typedef NTSTATUS(__fastcall* tLdrpUndoPatchImage)(PLDR_DATA_TABLE_ENTRY LdrEntry); extern tLdrpUndoPatchImage LdrpUndoPatchImage; #define LDRP_DETECT_DETOUR_PATTERN "\x40\x57\x48\x83\xEC\x30\x80\x3D\x87\x32\x11\x00\x00\x75\x7B" typedef VOID(__fastcall* tLdrpDetectDetour)(); extern tLdrpDetectDetour LdrpDetectDetour; #define LDRP_FINDORPREPARE_LOADINGMODULE_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x20\x57\x41\x56\x41\x57\x48\x83\xEC\x50" typedef NTSTATUS(__fastcall* tLdrpFindOrPrepareLoadingModule)(PUNICODE_STRING FullPath, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, ULONG LdrFlags, PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY* pLdrEntryLoaded, NTSTATUS* pStatus); extern tLdrpFindOrPrepareLoadingModule LdrpFindOrPrepareLoadingModule; #define LDRP_FREE_LOAD_CONTEXT_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x48\x8B\x41\x38\x48\x8B\xD9\x48\x83\xA0\xB0\x00\x00\x00" typedef VOID(__fastcall* tLdrpFreeLoadContext)(PLDRP_LOAD_CONTEXT LoadContext); extern tLdrpFreeLoadContext LdrpFreeLoadContext; #define LDRP_CONDENSE_GRAPH_PATTERN "\x48\x8B\xC4\x48\x83\xEC\x28\x83\x79\x38\x06\x7D\x19" typedef PVOID* (__fastcall* tLdrpCondenseGraph)(LDR_DDAG_NODE* DdagNode); extern tLdrpCondenseGraph LdrpCondenseGraph; #define LDRP_BUILD_FORWARDER_LINK_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x20\x33\xDB\x48\x8B\xF2" typedef NTSTATUS(__fastcall* tLdrpBuildForwarderLink)(PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2); extern tLdrpBuildForwarderLink LdrpBuildForwarderLink; #define LDRP_PIN_MODULE_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x48\x8B\xD9\x33\xFF\x48\x8D\x0D\x02\xBB\x10\x00" typedef NTSTATUS(__fastcall* tLdrpPinModule)(PLDR_DATA_TABLE_ENTRY LdrEntry); extern tLdrpPinModule LdrpPinModule; #define LDRP_APPLY_PATCH_IMAGE_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x7C\x24\x18\x55\x41\x56\x41\x57\x48\x8B\xEC" typedef NTSTATUS(__fastcall* tLdrpApplyPatchImage)(PLDR_DATA_TABLE_ENTRY LdrEntry); extern tLdrpApplyPatchImage LdrpApplyPatchImage; #define LDRP_FREE_LOADCONTEXT_NODE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x20\x48\x8B\x19\x48\x8B\xF2" typedef NTSTATUS(__fastcall* tLdrpFreeLoadContextOfNode)(PLDR_DDAG_NODE DdagNode, NTSTATUS* pStatus); extern tLdrpFreeLoadContextOfNode LdrpFreeLoadContextOfNode; #define LDRP_DECREMENT_MODULELOADCOUNTEX_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x8B\xFA\x48\x8B\xD9\x85\xD2" typedef NTSTATUS(__fastcall* tLdrpDecrementModuleLoadCountEx)(PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2); extern tLdrpDecrementModuleLoadCountEx LdrpDecrementModuleLoadCountEx; #define LDRP_LOG_ERROR_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x30\x49\x8B\xD9" typedef PEB*(__fastcall* tLdrpLogError)(NTSTATUS Status, ULONG, ULONG, PVOID); extern tLdrpLogError LdrpLogError; #define LDRP_LOG_DEPRECATED_DLL_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x6C\x24\x18\x48\x89\x74\x24\x20\x57\x48\x83\xEC\x40" typedef WCHAR*(__fastcall* tLdrpLogDeprecatedDllEtwEvent)(PLDRP_LOAD_CONTEXT LoadContext); extern tLdrpLogDeprecatedDllEtwEvent LdrpLogDeprecatedDllEtwEvent; #define LDRP_LOG_LOAD_FAILURE_PATTERN "\x48\x89\x5C\x24\x08\x44\x89\x44\x24\x18\x55\x56\x57\x48\x8B\xEC\x48\x83\xEC\x70" typedef VOID(__fastcall* tLdrpLogLoadFailureEtwEvent)(PVOID Unknown, PVOID Unknown2, NTSTATUS Status, PVOID LoadFailure, ULONG Unknown3); extern tLdrpLogLoadFailureEtwEvent LdrpLogLoadFailureEtwEvent; #define LDRP_REPORT_ERROR_PATTERN "\x48\x89\x5C\x24\x20\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\xAC\x24\x50\xFF\xFF\xFF\x48\x81\xEC\xB0\x01\x00\x00\x48\x8B\x05\xEE\x08\x19\x00" typedef NTSTATUS(__fastcall* tLdrpReportError)(PVOID Report, ULONG Unknown, NTSTATUS Status); extern tLdrpReportError LdrpReportError; #define LDRP_RESOLVE_DLLNAME_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x08\x49\x89\x6B\x10\x49\x89\x73\x20\x4D\x89\x43\x18\x57\x41\x54\x41\x55\x41\x56" typedef NTSTATUS(__fastcall* tLdrpResolveDllName)(PLDRP_LOAD_CONTEXT FileName, LDRP_FILENAME_BUFFER* FileNameBuffer, PUNICODE_STRING FullName, PUNICODE_STRING ResolvedName, DWORD Flags); extern tLdrpResolveDllName LdrpResolveDllName; #define LDRP_APP_COMPAT_REDIRECT_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x56\x41\x57\x48\x83\xEC\x50\x45\x33\xFF\x49\x8B\xF1\x44\x38\x3D\xC3\x3A\x17\x00" typedef NTSTATUS(__fastcall* tLdrpAppCompatRedirect)(PLDRP_LOAD_CONTEXT LoadContext, PUNICODE_STRING FullDllName, PUNICODE_STRING BaseDllName, LDRP_FILENAME_BUFFER* FileNameBuffer, NTSTATUS Status); extern tLdrpAppCompatRedirect LdrpAppCompatRedirect; #define LDRP_HASH_UNICODE_STRING_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x45\x33\xDB" typedef ULONG(__fastcall* tLdrpHashUnicodeString)(PUNICODE_STRING BaseDllName); extern tLdrpHashUnicodeString LdrpHashUnicodeString; #define LDRP_FIND_EXISTING_MODULE_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x30\x48\x8B\x7C\x24\x60\x48\x8B\xD9" typedef NTSTATUS(__fastcall* tLdrpFindExistingModule)(PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, UINT64 Flags, ULONG BaseDllNameHash, PLDR_DATA_TABLE_ENTRY* LoadedDll); extern tLdrpFindExistingModule LdrpFindExistingModule; #define LDRP_LOADCONTEXT_REPLACE_MODULE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x20\x48\x8B\xD9\x48\x8B\xF2" typedef NTSTATUS(__fastcall* tLdrpLoadContextReplaceModule)(PLDRP_LOAD_CONTEXT LoadContext, PLDR_DATA_TABLE_ENTRY LoadedDll); extern tLdrpLoadContextReplaceModule LdrpLoadContextReplaceModule; #define LDRP_SEARCHPATH_PATTERN "\x48\x89\x5C\x24\x18\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\x6C\x24\xF9\x48\x81\xEC\xD0\x00\x00\x00" typedef NTSTATUS(__fastcall* tLdrpSearchPath)(LDRP_LOAD_CONTEXT* LoadContext, LDR_UNKSTRUCT* UnkStruct, ULONG Flags, PUNICODE_STRING ReturnPath, LDRP_FILENAME_BUFFER* FileName, PUNICODE_STRING BaseDllName, PUNICODE_STRING UnkStruct3_String, BOOL* a8, LDR_UNKSTRUCT3* UnkStruct3); extern tLdrpSearchPath LdrpSearchPath; #define LDRP_ISSECURITYETW_LOGG_ENABLED_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x20\xE8\x04\xA2\x02\x00" typedef BOOLEAN(__fastcall* tLdrpIsSecurityEtwLoggingEnabled)(); extern tLdrpIsSecurityEtwLoggingEnabled LdrpIsSecurityEtwLoggingEnabled; #define LDRP_LOGETW_DLL_SEARCHRESULTS_PATTERN "\x48\x89\x5C\x24\x08\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8B\xEC\x48\x83\xEC\x60\x44\x8B\xF9" typedef VOID(__fastcall* tLdrpLogEtwDllSearchResults)(ULONG Flags, LDRP_LOAD_CONTEXT* LoadContext); extern tLdrpLogEtwDllSearchResults LdrpLogEtwDllSearchResults; #define LDRP_CHECKFORRETRY_LOADING_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x83\xEC\x20\x33\xDB\x44\x8A\xFA" typedef BOOLEAN(__fastcall* tLdrpCheckForRetryLoading)(PLDRP_LOAD_CONTEXT LoadContext, BOOLEAN Unknown); extern tLdrpCheckForRetryLoading LdrpCheckForRetryLoading; #define LDRP_LOG_ETWEVENT_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x81\xEC\x80\x02\x00\x00" typedef NTSTATUS(__fastcall* tLdrpLogEtwEvent)(ULONG a1, ULONGLONG a2, ULONG a3, ULONG a4); extern tLdrpLogEtwEvent LdrpLogEtwEvent; #define LDRP_CHECK_COMPONENTONDEMAND_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x55\x57\x41\x56\x48\x8B\xEC\x48\x81\xEC\x80\x00\x00\x00" typedef BOOLEAN(__fastcall* tLdrpCheckComponentOnDemandEtwEvent)(LDRP_LOAD_CONTEXT* LoadContext); extern tLdrpCheckComponentOnDemandEtwEvent LdrpCheckComponentOnDemandEtwEvent; #define LDRP_VALIDATE_INTEGRITY_PATTERN "\x44\x88\x44\x24\x18\x53\x56\x57\x48\x83\xEC\x30" typedef NTSTATUS(__fastcall* tLdrpValidateIntegrityContinuity)(PLDRP_LOAD_CONTEXT LoadContext, HANDLE FileHandle); extern tLdrpValidateIntegrityContinuity LdrpValidateIntegrityContinuity; #define LDRP_SET_MODULE_SIGNINGLEVEL_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x10\x49\x89\x73\x18\x49\x89\x7B\x20\x49\x89\x4B\x08\x41\x56" typedef NTSTATUS(__fastcall* tLdrpSetModuleSigningLevel)(HANDLE FileHandle, PLDR_DATA_TABLE_ENTRY LoadContext, PULONG pSigningLevel, ULONG NewSigningLevelMaybe); extern tLdrpSetModuleSigningLevel LdrpSetModuleSigningLevel; #define LDRP_CODE_AUTHZCHECKDLL_ALLOWED_PATTERN "\x48\x83\x3D\xC8\x44\x17\x00\x00\x4C\x8B\xCA" typedef NTSTATUS(__fastcall* tLdrpCodeAuthzCheckDllAllowed)(LDRP_FILENAME_BUFFER* pFileNameBuffer, HANDLE FileHandle); extern tLdrpCodeAuthzCheckDllAllowed LdrpCodeAuthzCheckDllAllowed; #define LDRP_GET_FULLPATH_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x08\x55\x56\x57\x41\x56\x41\x57\x48\x83\xEC\x30" typedef NTSTATUS(__fastcall* tLdrpGetFullPath)(PLDRP_LOAD_CONTEXT LoadContext, PUNICODE_STRING FullPath); extern tLdrpGetFullPath LdrpGetFullPath; #define LDRP_ALLOCATE_UNICODESTRING_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x20\x33\xDB\x8D\x7A\x02" typedef NTSTATUS(__fastcall* tLdrpAllocateUnicodeString)(PUNICODE_STRING Allocated, USHORT Length); extern tLdrpAllocateUnicodeString LdrpAllocateUnicodeString; #define LDRP_APPEND_UNICODETOFILENAME_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x20\x45\x33\xF6\x48\x8B\xEA" typedef NTSTATUS(__fastcall* tLdrpAppendUnicodeStringToFilenameBuffer)(PUNICODE_STRING FileName, PLDRP_LOAD_CONTEXT LoadContext); extern tLdrpAppendUnicodeStringToFilenameBuffer LdrpAppendUnicodeStringToFilenameBuffer; #define LDRP_GET_NTPATH_FROM_DOSPATH_PATTERN "\x48\x89\x5C\x24\x18\x55\x56\x57\x48\x8D\x6C\x24\xB9\x48\x81\xEC\xC0\x00\x00\x00" typedef NTSTATUS(__fastcall* tLdrpGetNtPathFromDosPath)(PUNICODE_STRING DosPath, LDRP_FILENAME_BUFFER* NtPath); extern tLdrpGetNtPathFromDosPath LdrpGetNtPathFromDosPath; #define LDRP_FIND_LOADEDDLL_MAPLOCK_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x56\x41\x57\x48\x83\xEC\x30\x4C\x8B\x15\xFD\x89\x15\x00" typedef NTSTATUS(__fastcall* tLdrpFindLoadedDllByMappingLockHeld)(PIMAGE_DOS_HEADER DllBase, PIMAGE_NT_HEADERS OutHeaders, PVOID Unknown, PLDR_DATA_TABLE_ENTRY* pLdrEntry); extern tLdrpFindLoadedDllByMappingLockHeld LdrpFindLoadedDllByMappingLockHeld; #define LDRP_INSERT_DATATABLEENTRY_PATTERN "\x40\x53\x48\x83\xEC\x20\xF6\x41\x68\x40" typedef VOID(__fastcall* tLdrpInsertDataTableEntry)(PLDR_DATA_TABLE_ENTRY LdrEntry); extern tLdrpInsertDataTableEntry LdrpInsertDataTableEntry; #define LDRP_INSERT_MODTOIDX_LOCKHELD_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x44\x8B\x4A\x08" typedef NTSTATUS(__fastcall* tLdrpInsertModuleToIndexLockHeld)(PLDR_DATA_TABLE_ENTRY LdrEntry, PIMAGE_NT_HEADERS OutHeaders); extern tLdrpInsertModuleToIndexLockHeld LdrpInsertModuleToIndexLockHeld; #define LDRP_LOGETW_HOTPATCHSTATUS_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x70\x10\x48\x89\x78\x18\x4C\x89\x60\x20\x55\x41\x56\x41\x57\x48\x8D\x68\x98" typedef NTSTATUS(__fastcall* tLdrpLogEtwHotPatchStatus)(PUNICODE_STRING BaseDllName, LDR_DATA_TABLE_ENTRY* LdrEntry, PUNICODE_STRING FullDllName, NTSTATUS Status, ULONG Unknown); extern tLdrpLogEtwHotPatchStatus LdrpLogEtwHotPatchStatus; #define LDRP_LOG_NEWDLL_LOAD_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x30\x48\x8B\xEA\x4C\x8B\xF1" typedef PEB*(__fastcall* tLdrpLogNewDllLoad)(LDR_DATA_TABLE_ENTRY* LdrEntry, LDR_DATA_TABLE_ENTRY* LdrEntry2); extern tLdrpLogNewDllLoad LdrpLogNewDllLoad; #define LDRP_PROCESS_MACHINE_MISMATCH_PATTERN "\x40\x53\x55\x57\x48\x83\xEC\x40\x48\x8B\x59\x38" typedef NTSTATUS(__fastcall* tLdrpProcessMachineMismatch)(PLDRP_LOAD_CONTEXT LoadContext); extern tLdrpProcessMachineMismatch LdrpProcessMachineMismatch; #define RTL_QUERY_IMAGEFILE_KEYOPT_PATTERN "\x48\x89\x5C\x24\x10\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\xAC\x24\xA0\xFC\xFF\xFF" typedef NTSTATUS(__fastcall* tRtlQueryImageFileKeyOption)(HANDLE hKey, PCWSTR lpszOption, ULONG dwType, PVOID lpData, ULONG cbData, ULONG* lpcbData); extern tRtlQueryImageFileKeyOption RtlQueryImageFileKeyOption; #define RTLP_IMAGEDIR_ENTRYTODATA_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x10\x49\x89\x6B\x18\x49\x89\x73\x20\x57\x41\x56\x41\x57\x48\x83\xEC\x20\x4C\x8B\x74\x24\x60" typedef NTSTATUS(__fastcall* tRtlpImageDirectoryEntryToDataEx)(PIMAGE_DOS_HEADER DllBase, BOOLEAN Unknown, WORD Characteristics, ULONG64* LastRVASection, PVOID OutHeader); extern tRtlpImageDirectoryEntryToDataEx RtlpImageDirectoryEntryToDataEx; #define LDRP_LOG_DLLRELOCATION_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x83\xEC\x20\x4D\x8B\xF1" typedef PVOID(__fastcall* tLdrpLogDllRelocationEtwEvent)(PUNICODE_STRING FullDllName, ULONGLONG ImageBase, PIMAGE_DOS_HEADER DllBase, SIZE_T Size); extern tLdrpLogDllRelocationEtwEvent LdrpLogDllRelocationEtwEvent; #define LDRP_NOTIFY_LOADOFGRAPH_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x20\x48\x8B\x71\x28\x48\x8B\xF9" typedef NTSTATUS(__fastcall* tLdrpNotifyLoadOfGraph)(LDR_DDAG_NODE* DdagNode); extern tLdrpNotifyLoadOfGraph LdrpNotifyLoadOfGraph; #define LDRP_DYNAMIC_SHIMMODULE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x18\x48\x89\x74\x24\x20\x57\x41\x56\x41\x57\x48\x83\xEC\x40" typedef NTSTATUS(__fastcall* tLdrpDynamicShimModule)(LDR_DDAG_NODE* DdagNode); extern tLdrpDynamicShimModule LdrpDynamicShimModule; #define LDRP_ACQUIRE_LOADERLOCK_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x30\xE8\xE4\x9E\xFE\xFF" typedef NTSTATUS(__fastcall* tLdrpAcquireLoaderLock)(); extern tLdrpAcquireLoaderLock LdrpAcquireLoaderLock; #define LDRP_RELEASE_LOADER_LOCK_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x30\x48\x8D\x0D\x2E\xD8\x12\x00" typedef NTSTATUS(__fastcall* tLdrpReleaseLoaderLock)(ULONG64 Unused, ULONG Two, ULONG64 LdrFlags); extern tLdrpReleaseLoaderLock LdrpReleaseLoaderLock; #define LDRP_CHECKPAGES_FOR_TAMPERING_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x30\x48\x8D\xBA\xFF\x0F\x00\x00" typedef BOOLEAN(__fastcall* tLdrpCheckPagesForTampering)(PIMAGE_DATA_DIRECTORY pDataDir, ULONG64 Offset); extern tLdrpCheckPagesForTampering LdrpCheckPagesForTampering; #define LDRP_LOAD_DEPENDENTMODULEA_PATTERN "\x4C\x8B\xDC\x55\x53\x49\x8D\xAB\x48\xFF\xFF\xFF" typedef NTSTATUS(__fastcall* tLdrpLoadDependentModuleA)(PUNICODE_STRING SourceString, LDRP_LOAD_CONTEXT* LoadContext, LDR_DATA_TABLE_ENTRY* LdrEntry, UINT_PTR Unknown, LDR_DATA_TABLE_ENTRY** pLdrEntry, UINT_PTR Unknown2); extern tLdrpLoadDependentModuleA LdrpLoadDependentModuleA; #define LDRP_LOAD_DEPENDENTMODULEW_PATTERN "\x48\x89\x5C\x24\x20\x55\x56\x57\x41\x56\x41\x57\x48\x81\xEC\x50\x01\x00\x00" typedef NTSTATUS(__fastcall* tLdrpLoadDependentModuleW)(PUNICODE_STRING SourceString, LDRP_LOAD_CONTEXT* LoadContext, LDR_DATA_TABLE_ENTRY* DllEntry); extern tLdrpLoadDependentModuleW LdrpLoadDependentModuleW; #define LDRP_QUEUE_WORK_PATTERN "\x40\x53\x48\x83\xEC\x20\x48\x8B\x41\x28\x48\x8B\xD9" typedef NTSTATUS(__fastcall* tLdrpQueueWork)(PLDRP_LOAD_CONTEXT LoadContext); extern tLdrpQueueWork LdrpQueueWork; #define LDRP_HANDLE_TLSDATA_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x48\x89\x7C\x24\x20\x41\x55\x41\x56\x41\x57\x48\x81\xEC\x00\x01\x00\x00" typedef NTSTATUS(__fastcall* tLdrpHandleTlsData)(LDR_DATA_TABLE_ENTRY* LdrDataTableEntry); extern tLdrpHandleTlsData LdrpHandleTlsData; #define LDR_CONTROLFLOWGUARD_ENFEXP_PATTERN "\x33\xC0\x48\x39\x05\x8F\x7D\x17\x00" typedef BOOLEAN(__fastcall* tLdrControlFlowGuardEnforcedWithExportSuppression)(); extern tLdrControlFlowGuardEnforcedWithExportSuppression LdrControlFlowGuardEnforcedWithExportSuppression; #define LDRP_UNSUPPRESS_ADDRESSIAT_PATTERN "\x48\x89\x5C\x24\x18\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8B\xEC\x48\x83\xEC\x70\x48\x8B\x05\x6E\xC6\x0B\x00" typedef __int64(__fastcall* tLdrpUnsuppressAddressTakenIat)(PIMAGE_DOS_HEADER DllBase, ULONG Unknown, ULONG Unknown2); extern tLdrpUnsuppressAddressTakenIat LdrpUnsuppressAddressTakenIat; #define LDR_CONTROLFLOWGUARD_ENF_PATTERN "\x48\x83\x3D\x90\xD5\x16\x00\x00" typedef BOOL(__fastcall* tLdrControlFlowGuardEnforced)(); extern tLdrControlFlowGuardEnforced LdrControlFlowGuardEnforced; #define RTLP_LOOKUP_FUNCTIONTABLE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x18\x48\x89\x7C\x24\x20\x41\x56\x48\x83\xEC\x20\x33\xDB" typedef PIMAGE_RUNTIME_FUNCTION_ENTRY(__fastcall* tRtlpxLookupFunctionTable)(PIMAGE_DOS_HEADER DllBase, PIMAGE_RUNTIME_FUNCTION_ENTRY* ppImageFunctionEntry); extern tRtlpxLookupFunctionTable RtlpxLookupFunctionTable; #define LDRP_CHECK_REDIRECTION_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x70\x10\x48\x89\x78\x18\x4C\x89\x68\x20\x55\x41\x56\x41\x57\x48\x8D\x68\xA1" typedef PCHAR(__fastcall* tLdrpCheckRedirection)(LDR_DATA_TABLE_ENTRY* DllEntry, LDR_DATA_TABLE_ENTRY* NtLdrEntry, PCHAR StringToBeHashed); extern tLdrpCheckRedirection LdrpCheckRedirection; #define COMPAT_CACHE_LOOKUPCDB_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x81\xEC\xB0\x01\x00\x00" typedef BOOL(__fastcall* tCompatCachepLookupCdb)(PWCHAR Buffer, LONG Unknown); extern tCompatCachepLookupCdb CompatCachepLookupCdb; #define LDRP_GEN_RANDOM_PATTERN "\x48\x83\xEC\x28\xB9\x1C\x00\x00\x00\xE8\x0E\x0B\x00\x00" typedef UINT_PTR(__fastcall* tLdrpGenRandom)(); extern tLdrpGenRandom LdrpGenRandom; #define LDR_INIT_SECURITY_COOKIE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x48\x89\x7C\x24\x20\x55\x41\x54\x41\x56" typedef BOOL(__fastcall* tLdrInitSecurityCookie)(PIMAGE_DOS_HEADER DllBase, INT_PTR ImageSize, UINT_PTR* Zero, UINT_PTR RandomNumberStuff, UINT_PTR* Zero_2); extern tLdrInitSecurityCookie LdrInitSecurityCookie; #define LDRP_CFG_PROCESS_LOADCFG_PATTERN "\x48\x89\x5C\x24\x20\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\x6C\x24\xD9\x48\x81\xEC\xF0\x00\x00\x00\x48\x8B\x05\x99\x11\x17\x00" typedef NTSTATUS(__fastcall* tLdrpCfgProcessLoadConfig)(LDR_DATA_TABLE_ENTRY* DllEntry, PIMAGE_NT_HEADERS NtHeader, __int64 Zero); extern tLdrpCfgProcessLoadConfig LdrpCfgProcessLoadConfig; #define RTL_INSERT_INV_FUNCTIONTABLE_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x30\x8B\xDA\x4C\x8D\x44\x24\x50" typedef NTSTATUS(__fastcall* tRtlInsertInvertedFunctionTable)(PIMAGE_DOS_HEADER DllBase, ULONG ImageSize); extern tRtlInsertInvertedFunctionTable RtlInsertInvertedFunctionTable; #define LDRP_SIGNAL_MODULEMAPPED_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x48\x8B\x81\x98\x00\x00\x00\x48\x8B\x78\x30" typedef LDR_DDAG_NODE*(__fastcall* tLdrpSignalModuleMapped)(LDR_DATA_TABLE_ENTRY* DllEntry); extern tLdrpSignalModuleMapped LdrpSignalModuleMapped; #define AVRF_DLL_LOADNOTIFICATION_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x30\x65\x48\x8B\x04\x25\x60\x00\x00\x00" typedef NTSTATUS(__fastcall* tAVrfDllLoadNotification)(LDR_DATA_TABLE_ENTRY* DllEntry); extern tAVrfDllLoadNotification AVrfDllLoadNotification; #define LDRP_SEND_DLLNOTIFICATIONS_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x08\x49\x89\x73\x10\x57\x48\x83\xEC\x50\x83\x64\x24\x20\x00" typedef NTSTATUS(__fastcall* tLdrpSendDllNotifications)(LDR_DATA_TABLE_ENTRY* DllEntry, UINT_PTR Unknown); extern tLdrpSendDllNotifications LdrpSendDllNotifications; #define LDRP_CALL_TLSINIT_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x48\x89\x7C\x24\x20\x41\x56\x48\x83\xEC\x60" typedef NTSTATUS(__fastcall* tLdrpCallTlsInitializers)(ULONG One, LDR_DATA_TABLE_ENTRY* LdrEntry); extern tLdrpCallTlsInitializers LdrpCallTlsInitializers; ================================================ FILE: Src/Functions/Syscalls.asm ================================================ .code ZwSystemDebugControl proc mov r10, rcx mov eax, 1CDh test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall jnz short SYSCALL_DEFINED syscall ret SYSCALL_DEFINED: int 2Eh ZwSystemDebugControl endp NtCreateSection proc mov r10, rcx mov eax, 4Ah test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall jnz short SYSCALL_DEFINED syscall ret SYSCALL_DEFINED: int 2Eh NtCreateSection endp ZwMapViewOfSection proc mov r10, rcx mov eax, 28h test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall jnz short SYSCALL_DEFINED syscall ret SYSCALL_DEFINED: int 2Eh ZwMapViewOfSection endp ZwMapViewOfSectionEx proc mov r10, rcx mov eax, 11Ch test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall jnz short SYSCALL_DEFINED syscall ret SYSCALL_DEFINED: int 2Eh ZwMapViewOfSectionEx endp NtUnmapViewOfSection proc mov r10, rcx mov eax, 2Ah test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall jnz short SYSCALL_DEFINED syscall ret SYSCALL_DEFINED: int 2Eh NtUnmapViewOfSection endp ZwProtectVirtualMemory proc mov r10, rcx mov eax, 50h test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall jnz short SYSCALL_DEFINED syscall ret SYSCALL_DEFINED: int 2Eh ZwProtectVirtualMemory endp ZwQueryVirtualMemory proc mov r10, rcx mov eax, 23h test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall jnz short SYSCALL_DEFINED syscall ret SYSCALL_DEFINED: int 2Eh ZwQueryVirtualMemory endp NtQueryInformationProcess proc mov r10, rcx mov eax, 19h test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall jnz short SYSCALL_DEFINED syscall ret SYSCALL_DEFINED: int 2Eh NtQueryInformationProcess endp end ================================================ FILE: Src/Functions/Undocumented.h ================================================ #pragma once #include "..\Includes.h" typedef void* PPS_POST_PROCESS_INIT_ROUTINE; typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING; typedef struct _STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } STRING, * PSTRING, ANSI_STRING, * PANSI_STRING; #define DOS_MAX_COMPONENT_LENGTH 255 #define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) typedef struct _CURDIR { UNICODE_STRING DosPath; HANDLE Handle; } CURDIR, * PCURDIR; #define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 #define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 typedef struct _RTL_DRIVE_LETTER_CURDIR { USHORT Flags; USHORT Length; ULONG TimeStamp; STRING DosPath; } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; #define RTL_MAX_DRIVE_LETTERS 32 #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; HANDLE ConsoleHandle; ULONG ConsoleFlags; HANDLE StandardInput; HANDLE StandardOutput; HANDLE StandardError; CURDIR CurrentDirectory; UNICODE_STRING DllPath; UNICODE_STRING ImagePathName; UNICODE_STRING CommandLine; PVOID Environment; ULONG StartingX; ULONG StartingY; ULONG CountX; ULONG CountY; ULONG CountCharsX; ULONG CountCharsY; ULONG FillAttribute; ULONG WindowFlags; ULONG ShowWindowFlags; UNICODE_STRING WindowTitle; UNICODE_STRING DesktopInfo; UNICODE_STRING ShellInfo; UNICODE_STRING RuntimeData; RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; ULONG EnvironmentSize; ULONG EnvironmentVersion; PVOID PackageDependencyData; ULONG ProcessGroupId; ULONG LoaderThreads; } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; typedef struct _PEB_LDR_DATA { ULONG Length; BOOL Initialized; LPVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; } PEB_LDR_DATA, * PPEB_LDR_DATA; typedef BOOLEAN(NTAPI* PLDR_INIT_ROUTINE)( _In_ PVOID DllHandle, _In_ ULONG Reason, _In_opt_ PVOID Context ); typedef struct _RTL_BALANCED_NODE { union { struct _RTL_BALANCED_NODE* Children[2]; //0x0 struct { struct _RTL_BALANCED_NODE* Left; //0x0 struct _RTL_BALANCED_NODE* Right; //0x4 }; }; union { struct { UCHAR Red : 1; //0x8 UCHAR Balance : 2; //0x8 }; ULONG ParentValue; //0x8 }; } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; // symbols typedef struct _LDR_SERVICE_TAG_RECORD { struct _LDR_SERVICE_TAG_RECORD* Next; ULONG ServiceTag; } LDR_SERVICE_TAG_RECORD, * PLDR_SERVICE_TAG_RECORD; // symbols typedef struct _LDRP_CSLIST { PSINGLE_LIST_ENTRY Tail; } LDRP_CSLIST, * PLDRP_CSLIST; // symbols typedef enum _LDR_DDAG_STATE { LdrModulesMerged = -5, LdrModulesInitError = -4, LdrModulesSnapError = -3, LdrModulesUnloaded = -2, LdrModulesUnloading = -1, LdrModulesPlaceHolder = 0, LdrModulesMapping = 1, LdrModulesMapped = 2, LdrModulesWaitingForDependencies = 3, LdrModulesSnapping = 4, LdrModulesSnapped = 5, LdrModulesCondensed = 6, LdrModulesReadyToInit = 7, LdrModulesInitializing = 8, LdrModulesReadyToRun = 9 } LDR_DDAG_STATE; // symbols typedef struct _LDR_DDAG_NODE { LIST_ENTRY Modules; PLDR_SERVICE_TAG_RECORD ServiceTagList; ULONG LoadCount; ULONG LoadWhileUnloadingCount; ULONG LowestLink; union { LDRP_CSLIST Dependencies; SINGLE_LIST_ENTRY* RemovalLink; }; LDRP_CSLIST IncomingDependencies; LDR_DDAG_STATE State; SINGLE_LIST_ENTRY* CondenseLink; ULONG PreorderNumber; ULONG Pad; } LDR_DDAG_NODE, * PLDR_DDAG_NODE; // rev typedef struct _LDR_DEPENDENCY_RECORD { SINGLE_LIST_ENTRY DependencyLink; PLDR_DDAG_NODE DependencyNode; SINGLE_LIST_ENTRY IncomingDependencyLink; PLDR_DDAG_NODE IncomingDependencyNode; } LDR_DEPENDENCY_RECORD, * PLDR_DEPENDENCY_RECORD; // symbols typedef enum _LDR_DLL_LOAD_REASON { LoadReasonStaticDependency, LoadReasonStaticForwarderDependency, LoadReasonDynamicForwarderDependency, LoadReasonDelayloadDependency, LoadReasonDynamicLoad, LoadReasonAsImageLoad, LoadReasonAsDataLoad, LoadReasonEnclavePrimary, // since REDSTONE3 LoadReasonEnclaveDependency, LoadReasonPatchImage, // since WIN11 LoadReasonUnknown = -1 } LDR_DLL_LOAD_REASON, * PLDR_DLL_LOAD_REASON; typedef enum _LDR_HOT_PATCH_STATE { LdrHotPatchBaseImage, LdrHotPatchNotApplied, LdrHotPatchAppliedReverse, LdrHotPatchAppliedForward, LdrHotPatchFailedToPatch, LdrHotPatchStateMax, } LDR_HOT_PATCH_STATE, * PLDR_HOT_PATCH_STATE; // LDR_DATA_TABLE_ENTRY->Flags #define LDRP_PACKAGED_BINARY 0x00000001 #define LDRP_MARKED_FOR_REMOVAL 0x00000002 #define LDRP_IMAGE_DLL 0x00000004 #define LDRP_LOAD_NOTIFICATIONS_SENT 0x00000008 #define LDRP_TELEMETRY_ENTRY_PROCESSED 0x00000010 #define LDRP_PROCESS_STATIC_IMPORT 0x00000020 #define LDRP_IN_LEGACY_LISTS 0x00000040 #define LDRP_IN_INDEXES 0x00000080 #define LDRP_SHIM_DLL 0x00000100 #define LDRP_IN_EXCEPTION_TABLE 0x00000200 #define LDRP_LOAD_IN_PROGRESS 0x00001000 #define LDRP_LOAD_CONFIG_PROCESSED 0x00002000 #define LDRP_ENTRY_PROCESSED 0x00004000 #define LDRP_PROTECT_DELAY_LOAD 0x00008000 #define LDRP_DONT_CALL_FOR_THREADS 0x00040000 #define LDRP_PROCESS_ATTACH_CALLED 0x00080000 #define LDRP_PROCESS_ATTACH_FAILED 0x00100000 #define LDRP_COR_DEFERRED_VALIDATE 0x00200000 #define LDRP_COR_IMAGE 0x00400000 #define LDRP_DONT_RELOCATE 0x00800000 #define LDRP_COR_IL_ONLY 0x01000000 #define LDRP_CHPE_IMAGE 0x02000000 #define LDRP_CHPE_EMULATOR_IMAGE 0x04000000 #define LDRP_REDIRECTED 0x10000000 #define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000 #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN10 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, SigningLevel) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN11 sizeof(LDR_DATA_TABLE_ENTRY) // symbols typedef struct _LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; union { LIST_ENTRY InInitializationOrderLinks; LIST_ENTRY InProgressLinks; }; PIMAGE_DOS_HEADER DllBase; PLDR_INIT_ROUTINE EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; union { UCHAR FlagGroup[4]; ULONG Flags; struct { ULONG PackagedBinary : 1; ULONG MarkedForRemoval : 1; ULONG ImageDll : 1; ULONG LoadNotificationsSent : 1; ULONG TelemetryEntryProcessed : 1; ULONG ProcessStaticImport : 1; ULONG InLegacyLists : 1; ULONG InIndexes : 1; ULONG ShimDll : 1; ULONG InExceptionTable : 1; ULONG ReservedFlags1 : 2; ULONG LoadInProgress : 1; ULONG LoadConfigProcessed : 1; ULONG EntryProcessed : 1; ULONG ProtectDelayLoad : 1; ULONG ReservedFlags3 : 2; ULONG DontCallForThreads : 1; ULONG ProcessAttachCalled : 1; ULONG ProcessAttachFailed : 1; ULONG CorDeferredValidate : 1; ULONG CorImage : 1; ULONG DontRelocate : 1; ULONG CorILOnly : 1; ULONG ChpeImage : 1; ULONG ChpeEmulatorImage : 1; ULONG ReservedFlags5 : 1; ULONG Redirected : 1; ULONG ReservedFlags6 : 2; ULONG CompatDatabaseProcessed : 1; }; }; USHORT ObsoleteLoadCount; USHORT TlsIndex; LIST_ENTRY HashLinks; ULONG TimeDateStamp; struct _ACTIVATION_CONTEXT* EntryPointActivationContext; PVOID Lock; // RtlAcquireSRWLockExclusive PLDR_DDAG_NODE DdagNode; LIST_ENTRY NodeModuleLink; struct _LDRP_LOAD_CONTEXT* LoadContext; PVOID ParentDllBase; PVOID SwitchBackContext; RTL_BALANCED_NODE BaseAddressIndexNode; RTL_BALANCED_NODE MappingInfoIndexNode; ULONG_PTR OriginalBase; LARGE_INTEGER LoadTime; ULONG BaseNameHashValue; LDR_DLL_LOAD_REASON LoadReason; // since WIN8 ULONG ImplicitPathOptions; ULONG ReferenceCount; // since WIN10 ULONG DependentLoadFlags; UCHAR SigningLevel; // since REDSTONE2 ULONG CheckSum; // since 22H1 PVOID ActivePatchImageBase; LDR_HOT_PATCH_STATE HotPatchState; } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; #define PROCESSOR_FEATURE_MAX 64 typedef struct _KSYSTEM_TIME { ULONG LowPart; LONG High1Time; LONG High2Time; } KSYSTEM_TIME, * PKSYSTEM_TIME; typedef enum _NT_PRODUCT_TYPE { NtProductWinNt = 1, NtProductLanManNt = 2, NtProductServer = 3 } NT_PRODUCT_TYPE; typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE { StandardDesign = 0, NEC98x86 = 1, EndAlternatives = 2 } ALTERNATIVE_ARCHITECTURE_TYPE; typedef struct _KUSER_SHARED_DATA { ULONG TickCountLowDeprecated; ULONG TickCountMultiplier; KSYSTEM_TIME InterruptTime; KSYSTEM_TIME SystemTime; KSYSTEM_TIME TimeZoneBias; USHORT ImageNumberLow; USHORT ImageNumberHigh; WCHAR NtSystemRoot[260]; ULONG MaxStackTraceDepth; ULONG CryptoExponent; ULONG TimeZoneId; ULONG LargePageMinimum; ULONG AitSamplingValue; ULONG AppCompatFlag; ULONGLONG RNGSeedVersion; ULONG GlobalValidationRunlevel; LONG TimeZoneBiasStamp; ULONG NtBuildNumber; NT_PRODUCT_TYPE NtProductType; BOOLEAN ProductTypeIsValid; BOOLEAN Reserved0[1]; USHORT NativeProcessorArchitecture; ULONG NtMajorVersion; ULONG NtMinorVersion; BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; ULONG Reserved1; ULONG Reserved3; ULONG TimeSlip; ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; ULONG BootId; LARGE_INTEGER SystemExpirationDate; ULONG SuiteMask; BOOLEAN KdDebuggerEnabled; union { UCHAR MitigationPolicies; struct { UCHAR NXSupportPolicy : 2; UCHAR SEHValidationPolicy : 2; UCHAR CurDirDevicesSkippedForDlls : 2; UCHAR Reserved : 2; }; }; USHORT CyclesPerYield; ULONG ActiveConsoleId; ULONG DismountCount; ULONG ComPlusPackage; ULONG LastSystemRITEventTickCount; ULONG NumberOfPhysicalPages; BOOLEAN SafeBootMode; union { UCHAR VirtualizationFlags; struct { UCHAR ArchStartedInEl2 : 1; UCHAR QcSlIsSupported : 1; }; }; UCHAR Reserved12[2]; union { ULONG SharedDataFlags; struct { ULONG DbgErrorPortPresent : 1; ULONG DbgElevationEnabled : 1; ULONG DbgVirtEnabled : 1; ULONG DbgInstallerDetectEnabled : 1; ULONG DbgLkgEnabled : 1; ULONG DbgDynProcessorEnabled : 1; ULONG DbgConsoleBrokerEnabled : 1; ULONG DbgSecureBootEnabled : 1; ULONG DbgMultiSessionSku : 1; ULONG DbgMultiUsersInSessionSku : 1; ULONG DbgStateSeparationEnabled : 1; ULONG SpareBits : 21; } DUMMYSTRUCTNAME2; } DUMMYUNIONNAME2; ULONG DataFlagsPad[1]; ULONGLONG TestRetInstruction; LONGLONG QpcFrequency; ULONG SystemCall; ULONG Reserved2; ULONGLONG SystemCallPad[2]; union { KSYSTEM_TIME TickCount; ULONG64 TickCountQuad; struct { ULONG ReservedTickCountOverlay[3]; ULONG TickCountPad[1]; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME3; ULONG Cookie; ULONG CookiePad[1]; LONGLONG ConsoleSessionForegroundProcessId; ULONGLONG TimeUpdateLock; ULONGLONG BaselineSystemTimeQpc; ULONGLONG BaselineInterruptTimeQpc; ULONGLONG QpcSystemTimeIncrement; ULONGLONG QpcInterruptTimeIncrement; UCHAR QpcSystemTimeIncrementShift; UCHAR QpcInterruptTimeIncrementShift; USHORT UnparkedProcessorCount; ULONG EnclaveFeatureMask[4]; ULONG TelemetryCoverageRound; USHORT UserModeGlobalLogger[16]; ULONG ImageFileExecutionOptions; ULONG LangGenerationCount; ULONGLONG Reserved4; ULONGLONG InterruptTimeBias; ULONGLONG QpcBias; ULONG ActiveProcessorCount; UCHAR ActiveGroupCount; UCHAR Reserved9; union { USHORT QpcData; struct { UCHAR QpcBypassEnabled; UCHAR QpcShift; }; }; LARGE_INTEGER TimeZoneBiasEffectiveStart; LARGE_INTEGER TimeZoneBiasEffectiveEnd; XSTATE_CONFIGURATION XState; KSYSTEM_TIME FeatureConfigurationChangeStamp; ULONG Spare; ULONG64 UserPointerAuthMask; } KUSER_SHARED_DATA, * PKUSER_SHARED_DATA; enum DRAIN_TASK { WaitLoadComplete = 0, WaitWorkComplete }; typedef struct _PEB { BYTE InheritedAddressSpace; BYTE ReadImageFileExecOptions; BYTE BeingDebugged; union { UCHAR BitField; struct { /* bit fields, follow link */ }; }; LPVOID Mutant; LPVOID ImageBaseAddress; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; LPVOID SubSystemData; LPVOID ProcessHeap; LPVOID FastPebLock; LPVOID _SYSTEM_DEPENDENT_02; LPVOID _SYSTEM_DEPENDENT_03; LPVOID _SYSTEM_DEPENDENT_04; union { LPVOID KernelCallbackTable; LPVOID UserSharedInfoPtr; }; DWORD SystemReserved; DWORD _SYSTEM_DEPENDENT_05; LPVOID _SYSTEM_DEPENDENT_06; LPVOID TlsExpansionCounter; LPVOID TlsBitmap; DWORD TlsBitmapBits[2]; LPVOID ReadOnlySharedMemoryBase; KUSER_SHARED_DATA* SharedData; LPVOID ReadOnlyStaticServerData; LPVOID AnsiCodePageData; LPVOID OemCodePageData; LPVOID UnicodeCaseTableData; DWORD NumberOfProcessors; union { DWORD NtGlobalFlag; LPVOID dummy02; }; LARGE_INTEGER CriticalSectionTimeout; LPVOID HeapSegmentReserve; LPVOID HeapSegmentCommit; LPVOID HeapDeCommitTotalFreeThreshold; LPVOID HeapDeCommitFreeBlockThreshold; DWORD NumberOfHeaps; DWORD MaximumNumberOfHeaps; LPVOID ProcessHeaps; LPVOID GdiSharedHandleTable; LPVOID ProcessStarterHelper; LPVOID GdiDCAttributeList; LPVOID LoaderLock; DWORD OSMajorVersion; DWORD OSMinorVersion; WORD OSBuildNumber; WORD OSCSDVersion; DWORD OSPlatformId; DWORD ImageSubsystem; DWORD ImageSubsystemMajorVersion; LPVOID ImageSubsystemMinorVersion; union { LPVOID ImageProcessAffinityMask; LPVOID ActiveProcessAffinityMask; }; #ifdef _WIN64 LPVOID GdiHandleBuffer[64]; #else LPVOID GdiHandleBuffer[32]; #endif LPVOID PostProcessInitRoutine; LPVOID TlsExpansionBitmap; DWORD TlsExpansionBitmapBits[32]; LPVOID SessionId; ULARGE_INTEGER AppCompatFlags; ULARGE_INTEGER AppCompatFlagsUser; LPVOID pShimData; LPVOID AppCompatInfo; PUNICODE_STRING CSDVersion; LPVOID ActivationContextData; LPVOID ProcessAssemblyStorageMap; LPVOID SystemDefaultActivationContextData; LPVOID SystemAssemblyStorageMap; LPVOID MinimumStackCommit; //Appended for Windows Server 2003 PVOID SparePointers[4]; LIST_ENTRY FlsListHead; PVOID FlsBitmap; ULONG SpareUlongs[5]; ULONG FlsHighIndex; //Appended for Windows Vista PVOID WerRegistrationData; PVOID WerShipAssertPtr; //Appended for Windows 7 PVOID pUnused; PVOID pImageHeaderHash; union { ULONG TracingFlags; struct { /* bit fields, follow link */ }; }; } PEB, * PPEB; struct FUNCTION_TABLE_DATA { UINT_PTR TableAddress; PIMAGE_DOS_HEADER ImageBase; DWORD ImageSize; DWORD Size; }; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES; enum HARDERROR_RESPONSE_OPTION { OptionAbortRetryIgnore = 0x0, OptionOk = 0x1, OptionOkCancel = 0x2, OptionRetryCancel = 0x3, OptionYesNo = 0x4, OptionYesNoCancel = 0x5, OptionShutdownSystem = 0x6, }; enum HARDERROR_RESPONSE { ResponseReturnToCaller = 0x0, ResponseNotHandled = 0x1, ResponseAbort = 0x2, ResponseCancel = 0x3, ResponseIgnore = 0x4, ResponseNo = 0x5, ResponseOk = 0x6, ResponseRetry = 0x7, ResponseYes = 0x8, }; typedef struct _IO_STATUS_BLOCK { union { NTSTATUS Status; PVOID Pointer; }; ULONG_PTR Information; } IO_STATUS_BLOCK, * PIO_STATUS_BLOCK; typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID, * PCLIENT_ID; typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* PRTL_ACTIVATION_CONTEXT_STACK_FRAME; typedef struct _ACTIVATION_CONTEXT* PACTIVATION_CONTEXT; typedef struct _TEB_ACTIVE_FRAME* PTEB_ACTIVE_FRAME; typedef struct _TEB_ACTIVE_FRAME_CONTEXT* PTEB_ACTIVE_FRAME_CONTEXT; typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME { PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous; PACTIVATION_CONTEXT* ActivationContext; ULONG Flags; } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME; typedef struct _ACTIVATION_CONTEXT_STACK { PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; LIST_ENTRY FrameListCache; ULONG Flags; ULONG NextCookieSequenceNumber; ULONG StackId; } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK; typedef struct _RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC { SIZE_T Size; ULONG Format; RTL_ACTIVATION_CONTEXT_STACK_FRAME Frame; } RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC, * PRTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC; typedef struct _RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED { SIZE_T Size; ULONG Format; RTL_ACTIVATION_CONTEXT_STACK_FRAME Frame; PVOID Extra1; PVOID Extra2; PVOID Extra3; PVOID Extra4; } RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED, * PRTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED; #define GDI_BATCH_BUFFER_SIZE 310 typedef struct _GDI_TEB_BATCH { ULONG Offset; ULONG_PTR HDC; ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; } GDI_TEB_BATCH, * PGDI_TEB_BATCH; typedef struct _TEB_ACTIVE_FRAME_CONTEXT { ULONG Flags; PSTR FrameName; } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; typedef struct _TEB_ACTIVE_FRAME { ULONG Flags; struct _TEB_ACTIVE_FRAME* Previous; PTEB_ACTIVE_FRAME_CONTEXT Context; } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; #if !defined(_MSC_VER) typedef struct _PROCESSOR_NUMBER { USHORT Group; UCHAR Number; UCHAR Reserved; } PROCESSOR_NUMBER, * PPROCESSOR_NUMBER; #endif typedef struct _TEB { NT_TIB NtTib; PVOID EnvironmentPointer; CLIENT_ID ClientId; PVOID ActiveRpcHandle; PVOID ThreadLocalStoragePointer; PPEB ProcessEnvironmentBlock; ULONG LastErrorValue; ULONG CountOfOwnedCriticalSections; PVOID CsrClientThread; PVOID Win32ThreadInfo; ULONG User32Reserved[26]; ULONG UserReserved[5]; PVOID WOW32Reserved; LCID CurrentLocale; ULONG FpSoftwareStatusRegister; PVOID SystemReserved1[54]; NTSTATUS ExceptionCode; PVOID ActivationContextStackPointer; #ifdef _M_X64 UCHAR SpareBytes[24]; #else UCHAR SpareBytes[36]; #endif ULONG TxFsContext; GDI_TEB_BATCH GdiTebBatch; CLIENT_ID RealClientId; HANDLE GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; PVOID GdiThreadLocalInfo; ULONG_PTR Win32ClientInfo[62]; PVOID glDispatchTable[233]; ULONG_PTR glReserved1[29]; PVOID glReserved2; PVOID glSectionInfo; PVOID glSection; PVOID glTable; PVOID glCurrentRC; PVOID glContext; NTSTATUS LastStatusValue; UNICODE_STRING StaticUnicodeString; WCHAR StaticUnicodeBuffer[261]; PVOID DeallocationStack; PVOID TlsSlots[64]; LIST_ENTRY TlsLinks; PVOID Vdm; PVOID ReservedForNtRpc; PVOID DbgSsReserved[2]; ULONG HardErrorMode; #ifdef _M_X64 PVOID Instrumentation[11]; #else PVOID Instrumentation[9]; #endif GUID ActivityId; PVOID SubProcessTag; PVOID EtwLocalData; PVOID EtwTraceData; PVOID WinSockData; ULONG GdiBatchCount; union { PROCESSOR_NUMBER CurrentIdealProcessor; ULONG IdealProcessorValue; struct { UCHAR ReservedPad0; UCHAR ReservedPad1; UCHAR ReservedPad2; UCHAR IdealProcessor; }; }; ULONG GuaranteedStackBytes; PVOID ReservedForPerf; PVOID ReservedForOle; ULONG WaitingOnLoaderLock; PVOID SavedPriorityState; ULONG_PTR SoftPatchPtr1; PVOID ThreadPoolData; PVOID* TlsExpansionSlots; #ifdef _M_X64 PVOID DeallocationBStore; PVOID BStoreLimit; #endif ULONG MuiGeneration; ULONG IsImpersonating; PVOID NlsCache; PVOID pShimData; ULONG HeapVirtualAffinity; HANDLE CurrentTransactionHandle; PTEB_ACTIVE_FRAME ActiveFrame; PVOID FlsData; PVOID PreferredLanguages; PVOID UserPrefLanguages; PVOID MergedPrefLanguages; ULONG MuiImpersonation; union { USHORT CrossTebFlags; USHORT SpareCrossTebBits : 16; }; union { USHORT SameTebFlags; struct { USHORT SafeThunkCall : 1; USHORT InDebugPrint : 1; USHORT HasFiberData : 1; USHORT SkipThreadAttach : 1; USHORT WerInShipAssertCode : 1; USHORT RanProcessInit : 1; USHORT ClonedThread : 1; USHORT SuppressDebugMsg : 1; USHORT DisableUserStackWalk : 1; USHORT RtlExceptionAttached : 1; USHORT InitialThread : 1; USHORT SessionAware : 1; USHORT SpareSameTebBits : 4; }; }; PVOID TxnScopeEnterCallback; PVOID TxnScopeExitCallback; PVOID TxnScopeContext; ULONG LockCount; ULONG SpareUlong0; PVOID ResourceRetValue; PVOID ReservedForWdf; } TEB, * PTEB; struct LDR_UNKSTRUCT { PWSTR pInitNameMaybe; __declspec(align(16)) PWSTR Buffer; int Flags; PWSTR pDllName; char Pad1[84]; BOOLEAN IsInitedMaybe; char Pad2[3]; }; struct LDR_UNKSTRUCT2 { PUNICODE_STRING Name; UINT64 Status; }; struct LDR_UNKSTRUCT3 { ULONG Flags; UNICODE_STRING String; }; typedef struct _LDRP_LOAD_CONTEXT { UNICODE_STRING BaseDllName; LDR_UNKSTRUCT* UnkStruct; HANDLE SectionHandle; DWORD Flags; NTSTATUS* pStatus; LDR_DATA_TABLE_ENTRY* Entry; _LIST_ENTRY WorkQueueListEntry; LDR_DATA_TABLE_ENTRY* ReplacedEntry; LDR_DATA_TABLE_ENTRY** pvImports; LDR_DATA_TABLE_ENTRY** IATCheck; PVOID pvIAT; ULONG SizeOfIAT; ULONG CurrentDll; PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor; ULONG ImageImportDescriptorLen; __declspec(align(8)) ULONG OriginalIATProtect; PVOID GuardCFCheckFunctionPointer; __int64 GuardFlags; __int64 DllNameLenCompare; __int64 UnknownFunc; SIZE_T Size; __int64 UnknownPtr; HANDLE FileHandle; PIMAGE_DOS_HEADER ImageBase; wchar_t BaseDllNameBuffer[260]; } LDRP_LOAD_CONTEXT, *PLDRP_LOAD_CONTEXT; struct LDRP_FILENAME_BUFFER { UNICODE_STRING pFileName{}; wchar_t FileName[128]{}; }; typedef struct _MEMORY_IMAGE_INFORMATION { PVOID ImageBase; SIZE_T SizeOfImage; union { ULONG ImageFlags; struct { ULONG ImagePartialMap : 1; ULONG ImageNotExecutable : 1; ULONG ImageSigningLevel : 4; // REDSTONE3 ULONG Reserved : 26; }; }; } MEMORY_IMAGE_INFORMATION, * PMEMORY_IMAGE_INFORMATION; typedef struct _TLS_ENTRY { LIST_ENTRY TlsEntry; IMAGE_TLS_DIRECTORY TlsDirectory; PLDR_DATA_TABLE_ENTRY ModuleEntry; SIZE_T Index; } TLS_ENTRY, *PTLS_ENTRY; enum SECTION_INHERIT { ViewShare = 1, ViewUnmap = 2 }; /* struct MEM_EXTENDED_PARAMETER { PVOID Type; PHANDLE pHandle; HANDLE Handle; }; */ typedef struct _MEMORY_WORKING_SET_EX_BLOCK { union { struct { ULONG_PTR Valid : 1; ULONG_PTR ShareCount : 3; ULONG_PTR Win32Protection : 11; ULONG_PTR Shared : 1; ULONG_PTR Node : 6; ULONG_PTR Locked : 1; ULONG_PTR LargePage : 1; ULONG_PTR Priority : 3; ULONG_PTR Reserved : 3; ULONG_PTR SharedOriginal : 1; ULONG_PTR Bad : 1; ULONG_PTR Win32GraphicsProtection : 4; // 19H1 #ifdef _WIN64 ULONG_PTR ReservedUlong : 28; #endif }; struct { ULONG_PTR Valid : 1; ULONG_PTR Reserved0 : 14; ULONG_PTR Shared : 1; ULONG_PTR Reserved1 : 5; ULONG_PTR PageTable : 1; ULONG_PTR Location : 2; ULONG_PTR Priority : 3; ULONG_PTR ModifiedList : 1; ULONG_PTR Reserved2 : 2; ULONG_PTR SharedOriginal : 1; ULONG_PTR Bad : 1; #ifdef _WIN64 ULONG_PTR ReservedUlong : 32; #endif } Invalid; }; } MEMORY_WORKING_SET_EX_BLOCK, * PMEMORY_WORKING_SET_EX_BLOCK; // private typedef struct _MEMORY_WORKING_SET_EX_INFORMATION { PVOID VirtualAddress; union { MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes; ULONG_PTR Long; } u1; } MEMORY_WORKING_SET_EX_INFORMATION, * PMEMORY_WORKING_SET_EX_INFORMATION; typedef enum _MEMORY_INFORMATION_CLASS { MemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION MemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION MemoryMappedFilenameInformation, // q: UNICODE_STRING MemoryRegionInformation, // q: MEMORY_REGION_INFORMATION MemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA MemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8 MemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION MemoryPrivilegedBasicInformation, // MEMORY_BASIC_INFORMATION MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 MemoryBasicInformationCapped, // 10 MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 MemoryBadInformation, // since WIN11 MemoryBadInformationAllProcesses, // since 22H1 MaxMemoryInfoClass } MEMORY_INFORMATION_CLASS; typedef enum _PROCESSINFOCLASS { ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX ProcessIoCounters, // q: IO_COUNTERS ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 ProcessTimes, // q: KERNEL_USER_TIMES ProcessBasePriority, // s: KPRIORITY ProcessRaisePriority, // s: ULONG ProcessDebugPort, // q: HANDLE ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege) ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 ProcessLdtSize, // s: PROCESS_LDT_SIZE ProcessDefaultHardErrorMode, // qs: ULONG ProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege) ProcessEnableAlignmentFaultFixup, // s: BOOLEAN ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 ProcessAffinityMask, // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY ProcessPriorityBoost, // qs: ULONG ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND ProcessWow64Information, // q: ULONG_PTR ProcessImageFileName, // q: UNICODE_STRING ProcessLUIDDeviceMapsEnabled, // q: ULONG ProcessBreakOnTermination, // qs: ULONG ProcessDebugObjectHandle, // q: HANDLE // 30 ProcessDebugFlags, // qs: ULONG ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables ProcessIoPriority, // qs: IO_PRIORITY_HINT ProcessExecuteFlags, // qs: ULONG ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement ProcessCookie, // q: ULONG ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] ProcessImageFileNameWin32, // q: UNICODE_STRING ProcessImageFileMapping, // q: HANDLE (input) ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE ProcessGroupInformation, // q: USHORT[] ProcessTokenVirtualizationEnabled, // s: ULONG ProcessConsoleHostProcess, // qs: ULONG_PTR // ProcessOwnerInformation ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION ProcessDynamicFunctionTableInformation, ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL (requires SeDebugPrivilege) ProcessHandleTable, // q: ULONG[] // since WINBLUE ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG) ProcessCommandLineInformation, // q: UNICODE_STRING // 60 ProcessProtectionInformation, // q: PS_PROTECTION ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD ProcessFaultInformation, // PROCESS_FAULT_INFORMATION ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION ProcessDefaultCpuSetsInformation, // SYSTEM_CPU_SET_INFORMATION[5] ProcessAllowedCpuSetsInformation, // SYSTEM_CPU_SET_INFORMATION[5] ProcessSubsystemProcess, ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO ProcessInPrivate, // s: void // ETW // since THRESHOLD2 // 70 ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables ProcessIumChallengeResponse, ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION ProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege) ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE ProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER ProcessDisableSystemAllowedCpuSets, // 80 ProcessWakeInformation, // PROCESS_WAKE_INFORMATION ProcessEnergyTrackingState, // qs: PROCESS_ENERGY_TRACKING_STATE ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 ProcessCaptureTrustletLiveDump, ProcessTelemetryCoverage, ProcessEnclaveInformation, ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION ProcessImageSection, // q: HANDLE ProcessDebugAuthInformation, // since REDSTONE4 // 90 ProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT ProcessSequenceNumber, // q: ULONGLONG ProcessLoaderDetour, // since REDSTONE5 ProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION ProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION ProcessEnableLogging, // PROCESS_LOGGING_INFORMATION ProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION ProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1 ProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION ProcessAltSystemCallInformation, // since 20H1 // 100 ProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION ProcessDynamicEnforcedCetCompatibleRanges, // PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2 ProcessCreateStateChange, // since WIN11 ProcessApplyStateChange, ProcessEnableOptionalXStateFeatures, ProcessAltPrefetchParam, // since 22H1 ProcessAssignCpuPartitions, ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX ProcessMembershipInformation, // PROCESS_MEMBERSHIP_INFORMATION ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT ProcessEffectivePagePriority, // q: ULONG MaxProcessInfoClass } PROCESSINFOCLASS; typedef struct _file_info { ULONG type; char info; } file_info; typedef struct _ASSEMBLY_STORAGE_MAP { ULONG Flags; ULONG AssemblyCount; PVOID AssemblyArray; } ASSEMBLY_STORAGE_MAP; typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY { ULONG Flags; UNICODE_STRING DosPath; HANDLE Handle; } ASSEMBLY_STORAGE_MAP_ENTRY; typedef struct _ACTIVATION_CONTEXT { LONG RefCount; ULONG Flags; LIST_ENTRY Links; PVOID ActivationContextData; PVOID NotificationRoutine; PVOID NotificationContext; ULONG SentNotifications[8]; ULONG DisabledNotifications[8]; ASSEMBLY_STORAGE_MAP* StorageMap; ASSEMBLY_STORAGE_MAP_ENTRY* InlineStorageMapEntires; ULONG StackTraceIndex; PVOID StackTraces[4][4]; file_info config; file_info appdir; char pad[256]; } ACTIVATION_CONTEXT; #define SEC_NO_FLAGS 0x000 /* Tells the OS to allocate space for this section when loading. This is clear for a section containing debug information only. */ #define SEC_ALLOC 0x001 /* Tells the OS to load the section from the file when loading. This is clear for a .bss section. */ #define SEC_LOAD 0x002 /* The section contains data still to be relocated, so there is some relocation information too. */ #define SEC_RELOC 0x004 #if 0 /* Obsolete ? */ #define SEC_BALIGN 0x008 #endif /* A signal to the OS that the section contains read only data. */ #define SEC_READONLY 0x010 /* The section contains code only. */ #define SEC_CODE 0x020 /* The section contains data only. */ #define SEC_DATA 0x040 /* The section will reside in ROM. */ #define SEC_ROM 0x080 /* The section contains constructor information. This section type is used by the linker to create lists of constructors and destructors used by g++. When a back end sees a symbol which should be used in a constructor list, it creates a new section for the type of name (e.g., __CTOR_LIST__), attaches the symbol to it, and builds a relocation. To build the lists of constructors, all the linker has to do is catenate all the sections called __CTOR_LIST__ and relocate the data contained within - exactly the operations it would peform on standard data. */ #define SEC_CONSTRUCTOR 0x100 /* The section is a constuctor, and should be placed at the end of the text, data, or bss section(?). */ #define SEC_CONSTRUCTOR_TEXT 0x1100 #define SEC_CONSTRUCTOR_DATA 0x2100 #define SEC_CONSTRUCTOR_BSS 0x3100 /* The section has contents - a data section could be SEC_ALLOC | SEC_HAS_CONTENTS; a debug section could be SEC_HAS_CONTENTS */ #define SEC_HAS_CONTENTS 0x200 /* An instruction to the linker to not output the section even if it has information which would normally be written. */ #define SEC_NEVER_LOAD 0x400 /* The section is a COFF shared library section. This flag is only for the linker. If this type of section appears in the input file, the linker must copy it to the output file without changing the vma or size. FIXME: Although this was originally intended to be general, it really is COFF specific (and the flag was renamed to indicate this). It might be cleaner to have some more general mechanism to allow the back end to control what the linker does with sections. */ #define SEC_COFF_SHARED_LIBRARY 0x800 /* The section contains common symbols (symbols may be defined multiple times, the value of a symbol is the amount of space it requires, and the largest symbol value is the one used). Most targets have exactly one of these (which we translate to bfd_com_section_ptr), but ECOFF has two. */ #define SEC_IS_COMMON 0x8000 /* The section contains only debugging information. For example, this is set for ELF .debug and .stab sections. strip tests this flag to see if a section can be discarded. */ #define SEC_DEBUGGING 0x10000 /* The contents of this section are held in memory pointed to by the contents field. This is checked by bfd_get_section_contents, and the data is retrieved from memory if appropriate. */ #define SEC_IN_MEMORY 0x20000 /* The contents of this section are to be excluded by the linker for executable and shared objects unless those objects are to be further relocated. */ #define SEC_EXCLUDE 0x40000 /* The contents of this section are to be sorted by the based on the address specified in the associated symbol table. */ #define SEC_SORT_ENTRIES 0x80000 /* When linking, duplicate sections of the same name should be discarded, rather than being combined into a single section as is usually done. This is similar to how common symbols are handled. See SEC_LINK_DUPLICATES below. */ #define SEC_LINK_ONCE 0x100000 /* If SEC_LINK_ONCE is set, this bitfield describes how the linker should handle duplicate sections. */ #define SEC_LINK_DUPLICATES 0x600000 /* This value for SEC_LINK_DUPLICATES means that duplicate sections with the same name should simply be discarded. */ #define SEC_LINK_DUPLICATES_DISCARD 0x0 /* This value for SEC_LINK_DUPLICATES means that the linker should warn if there are any duplicate sections, although it should still only link one copy. */ #define SEC_LINK_DUPLICATES_ONE_ONLY 0x200000 /* This value for SEC_LINK_DUPLICATES means that the linker should warn if any duplicate sections are a different size. */ #define SEC_LINK_DUPLICATES_SAME_SIZE 0x400000 /* This value for SEC_LINK_DUPLICATES means that the linker should warn if any duplicate sections contain different contents. */ #define SEC_LINK_DUPLICATES_SAME_CONTENTS 0x600000 /* This section was created by the linker as part of dynamic relocation or other arcane processing. It is skipped when going through the first-pass output, trusting that someone else up the line will take care of it later. */ #define SEC_LINKER_CREATED 0x800000 ================================================ FILE: Src/Includes.h ================================================ #pragma once #include