diff --git a/Compiled/Furutaka.exe b/Compiled/Furutaka.exe index 0e7377b..7ac6772 100644 Binary files a/Compiled/Furutaka.exe and b/Compiled/Furutaka.exe differ diff --git a/Source/Furutaka/main.c b/Source/Furutaka/main.c index c6b259e..ed636a7 100644 --- a/Source/Furutaka/main.c +++ b/Source/Furutaka/main.c @@ -4,9 +4,9 @@ * * TITLE: MAIN.C * -* VERSION: 1.11 +* VERSION: 1.12 * -* DATE: 20 Apr 2017 +* DATE: 01 Dec 2017 * * Furutaka entry point. * @@ -41,11 +41,11 @@ ULONG g_NtBuildNumber = 0; #define supImageHandle 0x1a000 #define PAGE_SIZE 0x1000 -#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.1 (20/04/17)") +#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.2 (01/12/17)") #define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") #define T_LOADERRUN TEXT("Another instance running, close it before\r\n") #define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n") -#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.1 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n") +#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.2 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n") /* * TDLVBoxInstalled diff --git a/Source/Furutaka/ntos.h b/Source/Furutaka/ntos.h index 3b36663..4820cd2 100644 --- a/Source/Furutaka/ntos.h +++ b/Source/Furutaka/ntos.h @@ -1,12 +1,12 @@ /************************************************************************************ * -* (C) COPYRIGHT AUTHORS, 2015, translated from Microsoft sources/debugger +* (C) COPYRIGHT AUTHORS, 2015 - 2017, translated from Microsoft sources/debugger * * TITLE: NTOS.H * -* VERSION: 1.33 +* VERSION: 1.74 * -* DATE: 02 Feb 2016 +* DATE: 01 Dec 2017 * * Common header file for the ntos API functions and definitions. * @@ -29,6 +29,9 @@ #define ALIGN_UP(count,size) \ (ALIGN_DOWN( (ULONG_PTR)(count)+(ULONG_PTR)(size)-1, (ULONG_PTR)(size) )) +#define ARGUMENT_PRESENT(ArgumentPointer) (\ + (CHAR *)((ULONG_PTR)(ArgumentPointer)) != (CHAR *)(NULL) ) + //Access Rights #define CALLBACK_MODIFY_STATE 0x0001 @@ -79,6 +82,13 @@ #define THREAD_ALERT (0x0004) +#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 +#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 +#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 +#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 +#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 +#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 + #define WORKER_FACTORY_RELEASE_WORKER 0x0001 #define WORKER_FACTORY_WAIT 0x0002 #define WORKER_FACTORY_SET_INFORMATION 0x0004 @@ -102,6 +112,31 @@ #define TRACELOG_ACCESS_REALTIME 0x0400 #define TRACELOG_REGISTER_GUIDS 0x0800 +// +// Partition Specific Access Rights. +// + +#define MEMORY_PARTITION_QUERY_ACCESS 0x0001 +#define MEMORY_PARTITION_MODIFY_ACCESS 0x0002 + +#define MEMORY_PARTITION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ + SYNCHRONIZE | \ + MEMORY_PARTITION_QUERY_ACCESS | \ + MEMORY_PARTITION_MODIFY_ACCESS) + + +// +// NtCreateProcessEx specific flags. +// +#define PS_REQUEST_BREAKAWAY 1 +#define PS_NO_DEBUG_INHERIT 2 +#define PS_INHERIT_HANDLES 4 +#define PS_LARGE_PAGES 8 +#define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \ + PS_NO_DEBUG_INHERIT | \ + PS_INHERIT_HANDLES | \ + PS_LARGE_PAGES) + #define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 ) #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) #define ZwCurrentProcess() NtCurrentProcess() @@ -121,6 +156,15 @@ #define MAXUSHORT 0xffff #define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) ) +typedef struct _EX_RUNDOWN_REF +{ + union + { + ULONG Count; + PVOID Ptr; + }; +} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF; + typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; @@ -197,6 +241,19 @@ typedef struct _SEMAPHORE_BASIC_INFORMATION { ** Semaphore END */ +/* +** Kernel Debugger START +*/ + +typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { + BOOLEAN KernelDebuggerEnabled; + BOOLEAN KernelDebuggerNotPresent; +} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; + +/* +** Kernel Debugger END +*/ + /* ** FileCache and MemoryList START */ @@ -231,6 +288,16 @@ typedef struct _SYSTEM_FILECACHE_INFORMATION { ** Processes START */ +typedef struct _SYSTEM_TIMEOFDAY_INFORMATION { + LARGE_INTEGER BootTime; + LARGE_INTEGER CurrentTime; + LARGE_INTEGER TimeZoneBias; + ULONG TimeZoneId; + ULONG Reserved; + ULONGLONG BootTimeBias; + ULONGLONG SleepTimeBias; +} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; + #ifndef KPRIORITY typedef LONG KPRIORITY; #endif @@ -297,6 +364,16 @@ typedef struct _CLIENT_ID { HANDLE UniqueThread; } CLIENT_ID, *PCLIENT_ID; +typedef struct _CLIENT_ID64 { + ULONG64 UniqueProcess; + ULONG64 UniqueThread; +} CLIENT_ID64, *PCLIENT_ID64; + +typedef struct _CLIENT_ID32 { + ULONG32 UniqueProcess; + ULONG32 UniqueThread; +} CLIENT_ID32, *PCLIENT_ID32; + typedef struct _VM_COUNTERS { SIZE_T PeakVirtualSize; SIZE_T VirtualSize; @@ -347,6 +424,26 @@ typedef struct _SYSTEM_PROCESSES_INFORMATION { SYSTEM_THREAD_INFORMATION Threads[1]; } SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION; +#if defined(_WIN64) +typedef ULONG SYSINF_PAGE_COUNT; +#else +typedef SIZE_T SYSINF_PAGE_COUNT; +#endif + +typedef struct _SYSTEM_BASIC_INFORMATION { + ULONG Reserved; + ULONG TimerResolution; + ULONG PageSize; + SYSINF_PAGE_COUNT NumberOfPhysicalPages; + SYSINF_PAGE_COUNT LowestPhysicalPageNumber; + SYSINF_PAGE_COUNT HighestPhysicalPageNumber; + ULONG AllocationGranularity; + ULONG_PTR MinimumUserModeAddress; + ULONG_PTR MaximumUserModeAddress; + ULONG_PTR ActiveProcessorsAffinityMask; + CCHAR NumberOfProcessors; +} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; + typedef enum _PROCESSINFOCLASS { ProcessBasicInformation = 0, ProcessQuotaLimits = 1, @@ -413,6 +510,52 @@ typedef enum _PROCESSINFOCLASS { MaxProcessInfoClass = 62 } PROCESSINFOCLASS; +typedef enum _THREADINFOCLASS { + ThreadBasicInformation, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, + ThreadIsIoPending, + ThreadHideFromDebugger, + ThreadBreakOnTermination, + ThreadSwitchLegacyState, + ThreadIsTerminated, + ThreadLastSystemCall, + ThreadIoPriority, + ThreadCycleTime, + ThreadPagePriority, + ThreadActualBasePriority, + ThreadTebInformation, + ThreadCSwitchMon, + ThreadCSwitchPmu, + ThreadWow64Context, + ThreadGroupInformation, + ThreadUmsInformation, + ThreadCounterProfiling, + ThreadIdealProcessorEx, + ThreadCpuAccountingInformation, + ThreadSuspendCount, + ThreadHeterogeneousCpuPolicy, + ThreadContainerId, + ThreadNameInformation, + ThreadProperty, + ThreadSelectedCpuSets, + ThreadSystemThreadInformation, + MaxThreadInfoClass +} THREADINFOCLASS; + typedef struct _PROCESS_BASIC_INFORMATION { NTSTATUS ExitStatus; PVOID PebBaseAddress; @@ -443,6 +586,229 @@ typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION { } DUMMYUNIONNAME; } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; +typedef struct _PROCESS_ACCESS_TOKEN { + HANDLE Token; + HANDLE Thread; +} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN; + +//thanks to wj32 headers + +typedef enum _PS_CREATE_STATE { + PsCreateInitialState, + PsCreateFailOnFileOpen, + PsCreateFailOnSectionCreate, + PsCreateFailExeFormat, + PsCreateFailMachineMismatch, + PsCreateFailExeName, + PsCreateSuccess, + PsCreateMaximumStates +} PS_CREATE_STATE; + +typedef struct _PS_CREATE_INFO { + SIZE_T Size; + PS_CREATE_STATE State; + union + { + struct + { + union + { + ULONG InitFlags; + struct + { + UCHAR WriteOutputOnExit : 1; + UCHAR DetectManifest : 1; + UCHAR IFEOSkipDebugger : 1; + UCHAR IFEODoNotPropagateKeyState : 1; + UCHAR SpareBits1 : 4; + UCHAR SpareBits2 : 8; + USHORT ProhibitedImageCharacteristics : 16; + }; + }; + ACCESS_MASK AdditionalFileAccess; + } InitState; + + struct + { + HANDLE FileHandle; + } FailSection; + + struct + { + USHORT DllCharacteristics; + } ExeFormat; + + struct + { + HANDLE IFEOKey; + } ExeName; + + struct + { + union + { + ULONG OutputFlags; + struct + { + UCHAR ProtectedProcess : 1; + UCHAR AddressSpaceOverride : 1; + UCHAR DevOverrideEnabled : 1; + UCHAR ManifestDetected : 1; + UCHAR ProtectedProcessLight : 1; + UCHAR SpareBits1 : 3; + UCHAR SpareBits2 : 8; + USHORT SpareBits3 : 16; + }; + }; + HANDLE FileHandle; + HANDLE SectionHandle; + ULONGLONG UserProcessParametersNative; + ULONG UserProcessParametersWow64; + ULONG CurrentParameterFlags; + ULONGLONG PebAddressNative; + ULONG PebAddressWow64; + ULONGLONG ManifestAddress; + ULONG ManifestSize; + } SuccessState; + }; +} PS_CREATE_INFO, *PPS_CREATE_INFO; + +typedef struct _PS_ATTRIBUTE +{ + ULONG Attribute; + SIZE_T Size; + union + { + ULONG Value; + PVOID ValuePtr; + }; + PSIZE_T ReturnLength; +} PS_ATTRIBUTE, *PPS_ATTRIBUTE; + +typedef struct _PS_ATTRIBUTE_LIST +{ + SIZE_T TotalLength; + PS_ATTRIBUTE Attributes[1]; +} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; + +typedef enum _PS_PROTECTED_TYPE +{ + PsProtectedTypeNone, + PsProtectedTypeProtectedLight, + PsProtectedTypeProtected, + PsProtectedTypeMax +} PS_PROTECTED_TYPE; + +typedef enum _PS_PROTECTED_SIGNER +{ + PsProtectedSignerNone, + PsProtectedSignerAuthenticode, + PsProtectedSignerCodeGen, + PsProtectedSignerAntimalware, + PsProtectedSignerLsa, + PsProtectedSignerWindows, + PsProtectedSignerWinTcb, + PsProtectedSignerMax +} PS_PROTECTED_SIGNER; + +typedef struct _PS_PROTECTION +{ + union + { + UCHAR Level; + struct + { + UCHAR Type : 3; + UCHAR Audit : 1; + UCHAR Signer : 4; + }; + }; +} PS_PROTECTION, *PPS_PROTECTION; + +// begin_rev +#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff +#define PS_ATTRIBUTE_THREAD 0x00010000 +#define PS_ATTRIBUTE_INPUT 0x00020000 +#define PS_ATTRIBUTE_ADDITIVE 0x00040000 +// end_rev + +typedef enum _PS_ATTRIBUTE_NUM { + PsAttributeParentProcess, + PsAttributeDebugPort, + PsAttributeToken, + PsAttributeClientId, + PsAttributeTebAddress, + PsAttributeImageName, + PsAttributeImageInfo, + PsAttributeMemoryReserve, + PsAttributePriorityClass, + PsAttributeErrorMode, + PsAttributeStdHandleInfo, + PsAttributeHandleList, + PsAttributeGroupAffinity, + PsAttributePreferredNode, + PsAttributeIdealProcessor, + PsAttributeUmsThread, + PsAttributeMitigationOptions, + PsAttributeProtectionLevel, + PsAttributeSecureProcess, + PsAttributeJobList, + PsAttributeMax +} PS_ATTRIBUTE_NUM; + +#define PsAttributeValue(Number, Thread, Input, Unknown) \ + (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ + ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ + ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ + ((Unknown) ? PS_ATTRIBUTE_ADDITIVE : 0)) + +#define PS_ATTRIBUTE_PARENT_PROCESS \ + PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) +#define PS_ATTRIBUTE_DEBUG_PORT \ + PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE) +#define PS_ATTRIBUTE_TOKEN \ + PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) +#define PS_ATTRIBUTE_CLIENT_ID \ + PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) +#define PS_ATTRIBUTE_TEB_ADDRESS \ + PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) +#define PS_ATTRIBUTE_IMAGE_NAME \ + PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) +#define PS_ATTRIBUTE_IMAGE_INFO \ + PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) +#define PS_ATTRIBUTE_MEMORY_RESERVE \ + PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) +#define PS_ATTRIBUTE_PRIORITY_CLASS \ + PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) +#define PS_ATTRIBUTE_ERROR_MODE \ + PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) +#define PS_ATTRIBUTE_STD_HANDLE_INFO \ + PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) +#define PS_ATTRIBUTE_HANDLE_LIST \ + PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) +#define PS_ATTRIBUTE_GROUP_AFFINITY \ + PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) +#define PS_ATTRIBUTE_PREFERRED_NODE \ + PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) +#define PS_ATTRIBUTE_IDEAL_PROCESSOR \ + PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) +#define PS_ATTRIBUTE_MITIGATION_OPTIONS \ + PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE) + + +#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001 +#define RTL_USER_PROC_PROFILE_USER 0x00000002 +#define RTL_USER_PROC_PROFILE_KERNEL 0x00000004 +#define RTL_USER_PROC_PROFILE_SERVER 0x00000008 +#define RTL_USER_PROC_RESERVE_1MB 0x00000020 +#define RTL_USER_PROC_RESERVE_16MB 0x00000040 +#define RTL_USER_PROC_CASE_SENSITIVE 0x00000080 +#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100 +#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000 +#define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000 +#define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000 +#define RTL_USER_PROC_OPTIN_PROCESS 0x00020000 + /* ** Processes END */ @@ -794,6 +1160,37 @@ typedef struct _OBJECT_HANDLE_FLAG_INFORMATION ** Objects END */ +/* +** Boot Entry START +*/ + +typedef struct _FILE_PATH { + ULONG Version; + ULONG Length; + ULONG Type; + UCHAR FilePath[ANYSIZE_ARRAY]; +} FILE_PATH, *PFILE_PATH; + +typedef struct _BOOT_ENTRY { + ULONG Version; + ULONG Length; + ULONG Id; + ULONG Attributes; + ULONG FriendlyNameOffset; + ULONG BootFilePathOffset; + ULONG OsOptionsLength; + UCHAR OsOptions[ANYSIZE_ARRAY]; +} BOOT_ENTRY, *PBOOT_ENTRY; + +typedef struct _BOOT_ENTRY_LIST { + ULONG NextEntryOffset; + BOOT_ENTRY BootEntry; +} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST; + +/* +** Boot Entry END +*/ + /* ** File start */ @@ -2828,6 +3225,31 @@ typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY; typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE *PLDR_DATA_TABLE_ENTRY; typedef LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY; +typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA { + ULONG Flags; //Reserved. + PCUNICODE_STRING FullDllName; //The full path name of the DLL module. + PCUNICODE_STRING BaseDllName; //The base file name of the DLL module. + PVOID DllBase; //A pointer to the base address for the DLL in memory. + ULONG SizeOfImage; //The size of the DLL image, in bytes. +} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA; + +typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA { + ULONG Flags; //Reserved. + PCUNICODE_STRING FullDllName; //The full path name of the DLL module. + PCUNICODE_STRING BaseDllName; //The base file name of the DLL module. + PVOID DllBase; //A pointer to the base address for the DLL in memory. + ULONG SizeOfImage; //The size of the DLL image, in bytes. +} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA; + +typedef union _LDR_DLL_NOTIFICATION_DATA { + LDR_DLL_LOADED_NOTIFICATION_DATA Loaded; + LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded; +} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA; +typedef const LDR_DLL_NOTIFICATION_DATA *PCLDR_DLL_NOTIFICATION_DATA; + +#define LDR_DLL_NOTIFICATION_REASON_LOADED 1 +#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2 + /* * WDM END */ @@ -2907,8 +3329,338 @@ typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION { // // PEB/TEB // -typedef struct _PEB_LDR_DATA -{ +#define GDI_HANDLE_BUFFER_SIZE32 34 +#define GDI_HANDLE_BUFFER_SIZE64 60 + +#if !defined(_M_X64) +#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 +#else +#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 +#endif + +typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; +typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; +typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; + +#define RTL_MAX_DRIVE_LETTERS 32 +#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 + +#define GDI_MAX_HANDLE_COUNT 0x4000 + +// 32-bit definitions +typedef struct _STRING32 { + USHORT Length; + USHORT MaximumLength; + ULONG Buffer; +} STRING32; +typedef STRING32 *PSTRING32; + +typedef STRING32 UNICODE_STRING32; + +#if (_MSC_VER < 1300) && !defined(_WINDOWS_) +typedef struct LIST_ENTRY32 { + DWORD Flink; + DWORD Blink; +} LIST_ENTRY32; +typedef LIST_ENTRY32 *PLIST_ENTRY32; + +typedef struct LIST_ENTRY64 { + ULONGLONG Flink; + ULONGLONG Blink; +} LIST_ENTRY64; +typedef LIST_ENTRY64 *PLIST_ENTRY64; +#endif + +#define WOW64_POINTER(Type) ULONG + +typedef struct _PEB_LDR_DATA32 { + ULONG Length; + BOOLEAN Initialized; + WOW64_POINTER(HANDLE) SsHandle; + LIST_ENTRY32 InLoadOrderModuleList; + LIST_ENTRY32 InMemoryOrderModuleList; + LIST_ENTRY32 InInitializationOrderModuleList; + WOW64_POINTER(PVOID) EntryInProgress; + BOOLEAN ShutdownInProgress; + WOW64_POINTER(HANDLE) ShutdownThreadId; +} PEB_LDR_DATA32, *PPEB_LDR_DATA32; + +#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP32 FIELD_OFFSET( LDR_DATA_TABLE_ENTRY32, ForwarderLinks ) + +typedef struct _LDR_DATA_TABLE_ENTRY32 { + LIST_ENTRY32 InLoadOrderLinks; + LIST_ENTRY32 InMemoryOrderLinks; + LIST_ENTRY32 InInitializationOrderLinks; + WOW64_POINTER(PVOID) DllBase; + WOW64_POINTER(PVOID) EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING32 FullDllName; + UNICODE_STRING32 BaseDllName; + ULONG Flags; + USHORT LoadCount; + USHORT TlsIndex; + union + { + LIST_ENTRY32 HashLinks; + struct + { + WOW64_POINTER(PVOID) SectionPointer; + ULONG CheckSum; + }; + }; + union + { + ULONG TimeDateStamp; + WOW64_POINTER(PVOID) LoadedImports; + }; + WOW64_POINTER(PVOID) EntryPointActivationContext; + WOW64_POINTER(PVOID) PatchInformation; + LIST_ENTRY32 ForwarderLinks; + LIST_ENTRY32 ServiceTagLinks; + LIST_ENTRY32 StaticLinks; + WOW64_POINTER(PVOID) ContextInformation; + WOW64_POINTER(ULONG_PTR) OriginalBase; + LARGE_INTEGER LoadTime; +} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; + +typedef struct _CURDIR32 { + UNICODE_STRING32 DosPath; + WOW64_POINTER(HANDLE) Handle; +} CURDIR32, *PCURDIR32; + +typedef struct _RTL_DRIVE_LETTER_CURDIR32 { + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + STRING32 DosPath; +} RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; + +typedef struct _RTL_USER_PROCESS_PARAMETERS32 { + ULONG MaximumLength; + ULONG Length; + + ULONG Flags; + ULONG DebugFlags; + + WOW64_POINTER(HANDLE) ConsoleHandle; + ULONG ConsoleFlags; + WOW64_POINTER(HANDLE) StandardInput; + WOW64_POINTER(HANDLE) StandardOutput; + WOW64_POINTER(HANDLE) StandardError; + + CURDIR32 CurrentDirectory; + UNICODE_STRING32 DllPath; + UNICODE_STRING32 ImagePathName; + UNICODE_STRING32 CommandLine; + WOW64_POINTER(PVOID) Environment; + + ULONG StartingX; + ULONG StartingY; + ULONG CountX; + ULONG CountY; + ULONG CountCharsX; + ULONG CountCharsY; + ULONG FillAttribute; + + ULONG WindowFlags; + ULONG ShowWindowFlags; + UNICODE_STRING32 WindowTitle; + UNICODE_STRING32 DesktopInfo; + UNICODE_STRING32 ShellInfo; + UNICODE_STRING32 RuntimeData; + RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; + + ULONG EnvironmentSize; + ULONG EnvironmentVersion; +} RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; + +typedef struct _PEB32 { + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + union + { + BOOLEAN BitField; + struct + { + BOOLEAN ImageUsesLargePages : 1; + BOOLEAN IsProtectedProcess : 1; + BOOLEAN IsLegacyProcess : 1; + BOOLEAN IsImageDynamicallyRelocated : 1; + BOOLEAN SkipPatchingUser32Forwarders : 1; + BOOLEAN SpareBits : 3; + }; + }; + WOW64_POINTER(HANDLE) Mutant; + + WOW64_POINTER(PVOID) ImageBaseAddress; + WOW64_POINTER(PPEB_LDR_DATA) Ldr; + WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters; + WOW64_POINTER(PVOID) SubSystemData; + WOW64_POINTER(PVOID) ProcessHeap; + WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock; + WOW64_POINTER(PVOID) AtlThunkSListPtr; + WOW64_POINTER(PVOID) IFEOKey; + union + { + ULONG CrossProcessFlags; + struct + { + ULONG ProcessInJob : 1; + ULONG ProcessInitializing : 1; + ULONG ProcessUsingVEH : 1; + ULONG ProcessUsingVCH : 1; + ULONG ProcessUsingFTH : 1; + ULONG ReservedBits0 : 27; + }; + ULONG EnvironmentUpdateCount; + }; + union + { + WOW64_POINTER(PVOID) KernelCallbackTable; + WOW64_POINTER(PVOID) UserSharedInfoPtr; + }; + ULONG SystemReserved[1]; + ULONG AtlThunkSListPtr32; + WOW64_POINTER(PVOID) ApiSetMap; + ULONG TlsExpansionCounter; + WOW64_POINTER(PVOID) TlsBitmap; + ULONG TlsBitmapBits[2]; + WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase; + WOW64_POINTER(PVOID) HotpatchInformation; + WOW64_POINTER(PPVOID) ReadOnlyStaticServerData; + WOW64_POINTER(PVOID) AnsiCodePageData; + WOW64_POINTER(PVOID) OemCodePageData; + WOW64_POINTER(PVOID) UnicodeCaseTableData; + + ULONG NumberOfProcessors; + ULONG NtGlobalFlag; + + LARGE_INTEGER CriticalSectionTimeout; + WOW64_POINTER(SIZE_T) HeapSegmentReserve; + WOW64_POINTER(SIZE_T) HeapSegmentCommit; + WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold; + WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold; + + ULONG NumberOfHeaps; + ULONG MaximumNumberOfHeaps; + WOW64_POINTER(PPVOID) ProcessHeaps; + + WOW64_POINTER(PVOID) GdiSharedHandleTable; + WOW64_POINTER(PVOID) ProcessStarterHelper; + ULONG GdiDCAttributeList; + + WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock; + + ULONG OSMajorVersion; + ULONG OSMinorVersion; + USHORT OSBuildNumber; + USHORT OSCSDVersion; + ULONG OSPlatformId; + ULONG ImageSubsystem; + ULONG ImageSubsystemMajorVersion; + ULONG ImageSubsystemMinorVersion; + WOW64_POINTER(ULONG_PTR) ImageProcessAffinityMask; + GDI_HANDLE_BUFFER32 GdiHandleBuffer; + WOW64_POINTER(PVOID) PostProcessInitRoutine; + + WOW64_POINTER(PVOID) TlsExpansionBitmap; + ULONG TlsExpansionBitmapBits[32]; + + ULONG SessionId; + + // Rest of structure not included. +} PEB32, *PPEB32; + +#define GDI_BATCH_BUFFER_SIZE 310 + +typedef struct _GDI_TEB_BATCH32 { + ULONG Offset; + WOW64_POINTER(ULONG_PTR) HDC; + ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; +} GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; + +#if (_MSC_VER < 1300) && !defined(_WINDOWS_) +// +// 32 and 64 bit specific version for wow64 and the debugger +// +typedef struct _NT_TIB32 { + DWORD ExceptionList; + DWORD StackBase; + DWORD StackLimit; + DWORD SubSystemTib; + union { + DWORD FiberData; + DWORD Version; + }; + DWORD ArbitraryUserPointer; + DWORD Self; +} NT_TIB32, *PNT_TIB32; + +typedef struct _NT_TIB64 { + DWORD64 ExceptionList; + DWORD64 StackBase; + DWORD64 StackLimit; + DWORD64 SubSystemTib; + union { + DWORD64 FiberData; + DWORD Version; + }; + DWORD64 ArbitraryUserPointer; + DWORD64 Self; +} NT_TIB64, *PNT_TIB64; +#endif + +typedef struct _TEB32 { + NT_TIB32 NtTib; + + WOW64_POINTER(PVOID) EnvironmentPointer; + CLIENT_ID32 ClientId; + WOW64_POINTER(PVOID) ActiveRpcHandle; + WOW64_POINTER(PVOID) ThreadLocalStoragePointer; + WOW64_POINTER(PPEB) ProcessEnvironmentBlock; + + ULONG LastErrorValue; + ULONG CountOfOwnedCriticalSections; + WOW64_POINTER(PVOID) CsrClientThread; + WOW64_POINTER(PVOID) Win32ThreadInfo; + ULONG User32Reserved[26]; + ULONG UserReserved[5]; + WOW64_POINTER(PVOID) WOW32Reserved; + LCID CurrentLocale; + ULONG FpSoftwareStatusRegister; + WOW64_POINTER(PVOID) SystemReserved1[54]; + NTSTATUS ExceptionCode; + WOW64_POINTER(PVOID) ActivationContextStackPointer; + BYTE SpareBytes[36]; + ULONG TxFsContext; + + GDI_TEB_BATCH32 GdiTebBatch; + CLIENT_ID32 RealClientId; + WOW64_POINTER(HANDLE) GdiCachedProcessHandle; + ULONG GdiClientPID; + ULONG GdiClientTID; + WOW64_POINTER(PVOID) GdiThreadLocalInfo; + WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62]; + WOW64_POINTER(PVOID) glDispatchTable[233]; + WOW64_POINTER(ULONG_PTR) glReserved1[29]; + WOW64_POINTER(PVOID) glReserved2; + WOW64_POINTER(PVOID) glSectionInfo; + WOW64_POINTER(PVOID) glSection; + WOW64_POINTER(PVOID) glTable; + WOW64_POINTER(PVOID) glCurrentRC; + WOW64_POINTER(PVOID) glContext; + + NTSTATUS LastStatusValue; + UNICODE_STRING32 StaticUnicodeString; + WCHAR StaticUnicodeBuffer[261]; + + WOW64_POINTER(PVOID) DeallocationStack; + WOW64_POINTER(PVOID) TlsSlots[64]; + LIST_ENTRY32 TlsLinks; +} TEB32, *PTEB32; + +typedef struct _PEB_LDR_DATA { ULONG Length; BOOLEAN Initialized; HANDLE SsHandle; @@ -2920,8 +3672,7 @@ typedef struct _PEB_LDR_DATA HANDLE ShutdownThreadId; } PEB_LDR_DATA, *PPEB_LDR_DATA; -typedef struct _GDI_HANDLE_ENTRY -{ +typedef struct _GDI_HANDLE_ENTRY { union { PVOID Object; @@ -2943,10 +3694,7 @@ typedef struct _GDI_HANDLE_ENTRY PVOID UserPointer; } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; -#define GDI_MAX_HANDLE_COUNT 0x4000 - -typedef struct _GDI_SHARED_MEMORY -{ +typedef struct _GDI_SHARED_MEMORY { GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; @@ -2974,9 +3722,6 @@ typedef struct _RTL_DRIVE_LETTER_CURDIR STRING DosPath; } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; -#define RTL_MAX_DRIVE_LETTERS 32 -#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 - typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength; @@ -3015,21 +3760,11 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS ULONG EnvironmentSize; ULONG EnvironmentVersion; + PVOID PackageDependencyData; //8+ + ULONG ProcessGroupId; + // ULONG LoaderThreads; } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; -#define GDI_HANDLE_BUFFER_SIZE32 34 -#define GDI_HANDLE_BUFFER_SIZE64 60 - -#if !defined(_M_X64) -#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 -#else -#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 -#endif - -typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; -typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; -typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; - typedef struct _PEB { BOOLEAN InheritedAddressSpace; @@ -3327,6 +4062,18 @@ typedef struct _TEB PVOID ResourceRetValue; } TEB, *PTEB; +typedef struct _PROCESS_DEVICEMAP_INFORMATION { + union { + struct { + HANDLE DirectoryHandle; + } Set; + struct { + ULONG DriveMap; + UCHAR DriveType[32]; + } Query; + }; +} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION; + __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; } /* @@ -3395,21 +4142,22 @@ typedef struct _LPC_CLIENT_DIED_MSG { LARGE_INTEGER CreateTime; } LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; +//#pragma pack(push, 1) typedef struct _PORT_VIEW { ULONG Length; HANDLE SectionHandle; ULONG SectionOffset; - ULONG ViewSize; + SIZE_T ViewSize; PVOID ViewBase; PVOID ViewRemoteBase; } PORT_VIEW, *PPORT_VIEW; typedef struct _REMOTE_PORT_VIEW { ULONG Length; - ULONG ViewSize; + SIZE_T ViewSize; PVOID ViewBase; } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; - +//#pragma pack(pop) /* ** ALPC END */ @@ -3520,8 +4268,9 @@ typedef struct _KUSER_SHARED_DATA_COMPAT { ULONG DbgDynProcessorEnabled : 1; ULONG DbgConsoleBrokerEnabled : 1; ULONG DbgSecureBootEnabled : 1; - ULONG DbgMultiSessionSku : 1; - ULONG SpareBits : 23; + ULONG DbgMultiSessionSku : 1; + ULONG DbgMultiUsersInSessionSku : 1; + ULONG SpareBits : 22; }; }; @@ -3535,6 +4284,80 @@ typedef struct _KUSER_SHARED_DATA_COMPAT { ** KUSER_SHARED_DATA END */ +/* +** FLT MANAGER START +*/ + +#define FLTFL_MANDATORY_UNLOAD_IN_PROGRESS 0x1 +#define FLTFL_FILTERING_INITIATED 0x2 +#define FLTFL_NAME_PROVIDER 0x4 +#define FLTFL_SUPPORTS_PIPES_MAILSLOTS 0x8 + +#define FLT_OBFL_DRAINING 0x1 +#define FLT_OBFL_ZOMBIED 0x2 +#define FLT_OBFL_TYPE_INSTANCE 0x1000000 +#define FLT_OBFL_TYPE_FILTER 0x2000000 +#define FLT_OBFL_TYPE_VOLUME 0x4000000 + +typedef struct _FLT_OBJECT { + ULONG Flags; + ULONG PointerCount; + EX_RUNDOWN_REF RundownRef; + LIST_ENTRY PrimaryLink; +} FLT_OBJECT, *PFLT_OBJECT; + +typedef struct _FLT_SERVER_PORT_OBJECT { + LIST_ENTRY FilterLink; + PVOID ConnectNotify; + PVOID DisconnectNotify; + PVOID MessageNotify; + PVOID Filter; + PVOID Cookie; + ULONG Flags; + ULONG NumberOfConnections; + ULONG MaxConnections; +} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; + +/* +** FLT MANAGER END +*/ + +/* +** RTL START +*/ + +typedef NTSTATUS(*PUSER_PROCESS_START_ROUTINE)( + PRTL_USER_PROCESS_PARAMETERS ProcessParameters + ); + +typedef NTSTATUS(*PUSER_THREAD_START_ROUTINE)( + PVOID ThreadParameter + ); + +typedef struct _RTL_USER_PROCESS_INFORMATION { + ULONG Length; + HANDLE Process; + HANDLE Thread; + CLIENT_ID ClientId; + SECTION_IMAGE_INFORMATION ImageInformation; +} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; + +// +// This structure is used only by Wow64 processes. The offsets +// of structure elements should the same as viewed by a native Win64 application. +// +typedef struct _RTL_USER_PROCESS_INFORMATION64 { + ULONG Length; + LONGLONG Process; + LONGLONG Thread; + CLIENT_ID64 ClientId; + SECTION_IMAGE_INFORMATION64 ImageInformation; +} RTL_USER_PROCESS_INFORMATION64, *PRTL_USER_PROCESS_INFORMATION64; + +/* +** RTL END +*/ + /* ** LDR START */ @@ -3543,7 +4366,26 @@ typedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)( _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, _In_ PVOID Context, - _In_ OUT BOOLEAN *StopEnumeration + _Inout_ BOOLEAN *StopEnumeration + ); + +typedef +VOID (CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)( + _In_ ULONG NotificationReason, + _In_ PCLDR_DLL_NOTIFICATION_DATA NotificationData, + _In_opt_ PVOID Context + ); + +NTSTATUS NTAPI LdrAccessResource( + _In_ PVOID DllHandle, + _In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry, + _Out_opt_ PVOID *Address, + _Out_opt_ PULONG Size + ); + +NTSTATUS NTAPI LdrAddRefDll( + ULONG Flags, + PVOID DllHandle ); NTSTATUS NTAPI LdrEnumerateLoadedModules( @@ -3552,6 +4394,25 @@ NTSTATUS NTAPI LdrEnumerateLoadedModules( _In_opt_ PVOID Context ); +NTSTATUS NTAPI LdrFindResource_U( + _In_ PVOID DllHandle, + _In_ CONST ULONG_PTR* ResourceIdPath, + _In_ ULONG ResourceIdPathLength, + _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry + ); + +NTSTATUS NTAPI LdrFindEntryForAddress( + _In_ PVOID Address, + _Out_ PLDR_DATA_TABLE_ENTRY *TableEntry + ); + +NTSTATUS NTAPI LdrGetDllHandle( + _In_opt_ PCWSTR DllPath, + _In_opt_ PULONG DllCharacteristics, + _In_ PCUNICODE_STRING DllName, + _Out_ PVOID *DllHandle + ); + NTSTATUS NTAPI LdrGetProcedureAddress( _In_ PVOID DllHandle, _In_opt_ CONST ANSI_STRING* ProcedureName, @@ -3566,40 +4427,110 @@ NTSTATUS NTAPI LdrLoadDll( _Out_ PVOID *DllHandle ); +NTSTATUS NTAPI LdrQueryProcessModuleInformation( + _Out_ PRTL_PROCESS_MODULES ModuleInformation, + _In_ ULONG ModuleInformationLength, + _Out_opt_ PULONG ReturnLength + ); + NTSTATUS NTAPI LdrUnloadDll( _In_ PVOID DllHandle ); -NTSTATUS NTAPI LdrGetDllHandle( - _In_opt_ PCWSTR DllPath OPTIONAL, - _In_opt_ PULONG DllCharacteristics OPTIONAL, - _In_ PCUNICODE_STRING DllName, - _Out_ PVOID *DllHandle - ); +NTSTATUS NTAPI LdrRegisterDllNotification( + _In_ ULONG Flags, + _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, + _In_opt_ PVOID Context, + _Out_ PVOID *Cookie + ); -NTSTATUS NTAPI LdrFindResource_U( - _In_ PVOID DllHandle, - _In_ CONST ULONG_PTR* ResourceIdPath, - _In_ ULONG ResourceIdPathLength, - _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry - ); +NTSTATUS NTAPI LdrUnregisterDllNotification( + _In_ PVOID Cookie + ); -NTSTATUS NTAPI LdrAccessResource( - _In_ PVOID DllHandle, - _In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry, - _Out_opt_ PVOID *Address, - _Out_opt_ PULONG Size - ); +NTSTATUS NTAPI LdrResSearchResource( + _In_ PVOID File, + _In_ CONST ULONG_PTR* ResIds, + _In_ ULONG ResIdCount, + _In_ ULONG Flags, + _Out_ LPVOID *Resource, + _Out_ ULONG_PTR *Size, + _In_opt_ USHORT *FoundLanguage, + _In_opt_ ULONG *FoundLanguageLength + ); -NTSTATUS NTAPI LdrFindEntryForAddress( - _In_ PVOID Address, - _Out_ PLDR_DATA_TABLE_ENTRY *TableEntry - ); +NTSTATUS NTAPI LdrOpenImageFileOptionsKey( + _In_ PCUNICODE_STRING ImagePathName, + _In_ BOOLEAN Wow64Path, + _Out_ PHANDLE KeyHandle +); + +NTSTATUS NTAPI LdrQueryImageFileExecutionOptions( + _In_ PCUNICODE_STRING ImagePathName, + _In_ PCWSTR OptionName, + _In_ ULONG Type, + _Out_ PVOID Buffer, + _In_ ULONG BufferSize, + _Out_opt_ PULONG ResultSize + ); + +NTSTATUS NTAPI LdrQueryImageFileExecutionOptionsEx( + _In_ PCUNICODE_STRING ImagePathName, + _In_ PCWSTR OptionName, + _In_ ULONG Type, + _Out_ PVOID Buffer, + _In_ ULONG BufferSize, + _Out_opt_ PULONG ResultSize, + _In_ BOOLEAN Wow64Path + ); + +NTSTATUS NTAPI LdrQueryImageFileKeyOption( + _In_ HANDLE KeyHandle, + _In_ PCWSTR OptionName, + _In_ ULONG Type, + _Out_ PVOID Buffer, + _In_ ULONG BufferSize, + _Out_opt_ PULONG ResultSize + ); /* ** LDR END */ +typedef PVOID PHEAD; + +typedef struct _HANDLEENTRY { + PHEAD phead; // Pointer to the Object. + PVOID pOwner; // PTI or PPI + BYTE bType; // Object handle type + BYTE bFlags; // Flags + WORD wUniq; // Access count. +} HANDLEENTRY, *PHANDLEENTRY; + +typedef struct _SERVERINFO { + WORD wRIPFlags; + WORD wSRVIFlags; + WORD wRIPPID; + WORD wRIPError; + ULONG cHandleEntries; + // incomplete +} SERVERINFO, *PSERVERINFO; + +typedef struct _SHAREDINFO { + PSERVERINFO psi; + PHANDLEENTRY aheList; + ULONG HeEntrySize; + // incomplete +} SHAREDINFO, *PSHAREDINFO; + +typedef struct _USERCONNECT +{ + ULONG ulVersion; + ULONG ulCurrentVersion; + DWORD dwDispatchCount; + SHAREDINFO siClient; +} USERCONNECT, *PUSERCONNECT; + /* ** Csr Runtime START */ @@ -3607,6 +4538,14 @@ NTSTATUS NTAPI LdrFindEntryForAddress( ULONG NTAPI CsrGetProcessId( ); +NTSTATUS NTAPI CsrClientConnectToServer( + _In_ PWSTR ObjectDirectory, + _In_ ULONG ServerDllIndex, + _Inout_ PVOID ConnectionInformation, + _Inout_ ULONG *ConnectionInformationLength, + _Out_ PBOOLEAN CalledFromServer +); + /* ** Csr Runtime END */ @@ -3615,6 +4554,80 @@ ULONG NTAPI CsrGetProcessId( ** Runtime Library API START */ +NTSTATUS NTAPI RtlCreateEnvironment( + _In_ BOOLEAN CloneCurrentEnvironment, + _Out_ PVOID *Environment + ); + +NTSTATUS NTAPI RtlDestroyEnvironment( + _In_ PVOID Environment + ); + +NTSTATUS NTAPI RtlCreateProcessParameters( + _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, + _In_ PUNICODE_STRING ImagePathName, + _In_opt_ PUNICODE_STRING DllPath, + _In_opt_ PUNICODE_STRING CurrentDirectory, + _In_opt_ PUNICODE_STRING CommandLine, + _In_opt_ PVOID Environment, + _In_opt_ PUNICODE_STRING WindowTitle, + _In_opt_ PUNICODE_STRING DesktopInfo, + _In_opt_ PUNICODE_STRING ShellInfo, + _In_opt_ PUNICODE_STRING RuntimeData + ); + +NTSTATUS NTAPI RtlDestroyProcessParameters( + _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters + ); + +NTSTATUS NTAPI RtlCreateProcessParametersEx( + _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, + _In_ PUNICODE_STRING ImagePathName, + _In_opt_ PUNICODE_STRING DllPath, + _In_opt_ PUNICODE_STRING CurrentDirectory, + _In_opt_ PUNICODE_STRING CommandLine, + _In_opt_ PVOID Environment, + _In_opt_ PUNICODE_STRING WindowTitle, + _In_opt_ PUNICODE_STRING DesktopInfo, + _In_opt_ PUNICODE_STRING ShellInfo, + _In_opt_ PUNICODE_STRING RuntimeData, + _In_ ULONG Flags); + +NTSTATUS NTAPI RtlCreateUserProcess( + PUNICODE_STRING NtImagePathName, + ULONG Attributes, + PRTL_USER_PROCESS_PARAMETERS ProcessParameters, + PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, + PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, + HANDLE ParentProcess, + BOOLEAN InheritHandles, + HANDLE DebugPort, + HANDLE ExceptionPort, + PRTL_USER_PROCESS_INFORMATION ProcessInformation + ); + +NTSTATUS NTAPI RtlCreateUserThread( + _In_ HANDLE Process, + _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, + _In_ BOOLEAN CreateSuspended, + _In_ ULONG StackZeroBits, + _In_opt_ SIZE_T MaximumStackSize, + _In_opt_ SIZE_T InitialStackSize, + _In_ PUSER_THREAD_START_ROUTINE StartAddress, + _In_opt_ PVOID Parameter, + _Out_opt_ PHANDLE Thread, + _Out_opt_ PCLIENT_ID ClientId + ); + +VOID NTAPI RtlExitUserThread( + IN NTSTATUS ExitStatus + ); + +VOID NTAPI RtlFreeUserThreadStack( + HANDLE hProcess, + HANDLE hThread + ); + ULONG NTAPI RtlRandomEx( _Inout_ PULONG Seed ); @@ -3628,6 +4641,10 @@ ULONG NTAPI RtlRemoveVectoredExceptionHandler( _In_ PVOID Handle ); +VOID NTAPI RtlRaiseException( + _In_ PEXCEPTION_RECORD + ); + VOID NTAPI RtlPushFrame( _In_ PTEB_ACTIVE_FRAME Frame ); @@ -3640,9 +4657,14 @@ PTEB_ACTIVE_FRAME NTAPI RtlGetFrame( VOID ); +BOOLEAN NTAPI RtlCreateUnicodeString( + _Out_ PUNICODE_STRING DestinationString, + _In_ PCWSTR SourceString + ); + VOID NTAPI RtlInitUnicodeString( _Inout_ PUNICODE_STRING DestinationString, - _In_ PCWSTR SourceString + _In_opt_ PCWSTR SourceString ); BOOLEAN NTAPI RtlEqualUnicodeString( @@ -3705,6 +4727,15 @@ VOID NTAPI RtlInitString( PCSZ SourceString ); +NTSTATUS NTAPI RtlExpandEnvironmentStrings( + _In_opt_ PVOID Environment, + _In_reads_(SrcLength) PWSTR Src, + _In_ SIZE_T SrcLength, + _Out_writes_opt_(DstLength) PWSTR Dst, + _In_ SIZE_T DstLength, + _Out_opt_ PSIZE_T ReturnLength + ); + NTSTATUS NTAPI RtlExpandEnvironmentStrings_U( _In_opt_ PVOID Environment, _In_ PCUNICODE_STRING Source, @@ -3716,6 +4747,57 @@ VOID NTAPI RtlSetLastWin32Error( LONG Win32Error ); +NTSTATUS NTAPI RtlWow64EnableFsRedirection( + _In_ BOOLEAN Wow64FsEnableRedirection + ); + +NTSTATUS NTAPI RtlWow64EnableFsRedirectionEx( + _In_ PVOID DisableFsRedirection, + _Out_ PVOID *OldFsRedirectionLevel + ); + +PVOID NTAPI RtlEncodePointer( + PVOID Ptr + ); + +PVOID NTAPI RtlDecodePointer( + PVOID Ptr + ); + +typedef NTSTATUS +(NTAPI * PRTL_HEAP_COMMIT_ROUTINE)( + IN PVOID Base, + IN OUT PVOID *CommitAddress, + IN OUT PSIZE_T CommitSize + ); + +typedef struct _RTL_HEAP_PARAMETERS { + ULONG Length; + SIZE_T SegmentReserve; + SIZE_T SegmentCommit; + SIZE_T DeCommitFreeBlockThreshold; + SIZE_T DeCommitTotalFreeThreshold; + SIZE_T MaximumAllocationSize; + SIZE_T VirtualMemoryThreshold; + SIZE_T InitialCommit; + SIZE_T InitialReserve; + PRTL_HEAP_COMMIT_ROUTINE CommitRoutine; + SIZE_T Reserved[2]; +} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS; + +PVOID NTAPI RtlCreateHeap( + _In_ ULONG Flags, + _In_opt_ PVOID HeapBase, + _In_opt_ SIZE_T ReserveSize, + _In_opt_ SIZE_T CommitSize, + _In_opt_ PVOID Lock, + _In_opt_ PRTL_HEAP_PARAMETERS Parameters + ); + +PVOID NTAPI RtlDestroyHeap( + _In_ PVOID HeapHandle + ); + PVOID NTAPI RtlAllocateHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, @@ -3961,6 +5043,68 @@ NTSTATUS NTAPI RtlAdjustPrivilege( PBOOLEAN WasEnabled ); +// +// preallocated heap-growable buffers +// +typedef struct _RTL_BUFFER { + PUCHAR Buffer; + PUCHAR StaticBuffer; + SIZE_T Size; + SIZE_T StaticSize; + SIZE_T ReservedForAllocatedSize; // for future doubling + PVOID ReservedForIMalloc; // for future pluggable growth +} RTL_BUFFER, *PRTL_BUFFER; + +typedef struct _RTL_UNICODE_STRING_BUFFER { + UNICODE_STRING String; + RTL_BUFFER ByteBuffer; + UCHAR MinimumStaticBufferForTerminalNul[sizeof(WCHAR)]; +} RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER; + +NTSTATUS NTAPI RtlNtPathNameToDosPathName( + _In_ ULONG Flags, + _Inout_ PRTL_UNICODE_STRING_BUFFER Path, + _Out_opt_ PULONG Disposition, + _Inout_opt_ PWSTR* FilePart + ); + +ULONG NTAPI RtlIsDosDeviceName_U( + PCWSTR DosFileName + ); + +ULONG NTAPI RtlGetFullPathName_U( + __in PCWSTR lpFileName, + __in ULONG nBufferLength, + __out_bcount(nBufferLength) PWSTR lpBuffer, + __out_opt PWSTR *lpFilePart + ); + +typedef enum _RTL_PATH_TYPE { + RtlPathTypeUnknown, // 0 + RtlPathTypeUncAbsolute, // 1 + RtlPathTypeDriveAbsolute, // 2 + RtlPathTypeDriveRelative, // 3 + RtlPathTypeRooted, // 4 + RtlPathTypeRelative, // 5 + RtlPathTypeLocalDevice, // 6 + RtlPathTypeRootLocalDevice // 7 +} RTL_PATH_TYPE; + +RTL_PATH_TYPE NTAPI RtlDetermineDosPathNameType_U( + PCWSTR DosFileName + ); + +#define HASH_STRING_ALGORITHM_DEFAULT (0) +#define HASH_STRING_ALGORITHM_X65599 (1) +#define HASH_STRING_ALGORITHM_INVALID (0xffffffff) + +NTSTATUS NTAPI RtlHashUnicodeString( + _In_ const UNICODE_STRING *String, + _In_ BOOLEAN CaseInSensitive, + _In_ ULONG HashAlgorithm, + _Out_ PULONG HashValue +); + ULONG DbgPrint( _In_ PCH Format, ... @@ -4174,20 +5318,105 @@ NTSTATUS NTAPI RtlDeleteCriticalSection( ** Critical Section END */ - /* -** Loader API START +** UAC Elevation Start */ -NTSTATUS NTAPI LdrGetProcedureAddress( - _In_ PVOID DllHandle, - _In_opt_ CONST ANSI_STRING* ProcedureName, - _In_opt_ ULONG ProcedureNumber, - _Out_ PVOID *ProcedureAddress - ); +#define DBG_FLAG_ELEVATION_ENABLED 1 +#define DBG_FLAG_VIRTUALIZATION_ENABLED 2 +#define DBG_FLAG_INSTALLER_DETECT_ENABLED 3 + +NTSTATUS NTAPI RtlQueryElevationFlags( + _Inout_ ULONG *ElevationFlags + ); /* -** Loader API END +** UAC Elevation END +*/ + + +/* +* Memory parition START +*/ + +typedef enum _MEMORY_PARTITION_INFORMATION_CLASS { + SystemMemoryPartitionInformation, + SystemMemoryPartitionMoveMemory, + SystemMemoryPartitionAddPagefile, + SystemMemoryPartitionCombineMemory, + SystemMemoryPartitionInitialAddMemory +} MEMORY_PARTITION_INFORMATION_CLASS; + +typedef struct _MEMORY_PARTITION_PAGE_RANGE { + ULONG_PTR StartPage; + ULONG_PTR NumberOfPages; +} MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE; + +typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION { + ULONG Flags; + ULONG NumberOfRanges; + ULONG_PTR NumberOfPagesAdded; + MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1]; +} MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION; + +typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION { + PVOID StopHandle; + ULONG Flags; + ULONG_PTR TotalNumberOfPages; +} MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION; + +typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION { + UNICODE_STRING PageFileName; + LARGE_INTEGER MinimumSize; + LARGE_INTEGER MaximumSize; + ULONG Flags; +} MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION; + +typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION { + ULONG_PTR NumberOfPages; + ULONG NumaNode; + ULONG Flags; +} MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION; + +typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION { + ULONG Flags; + ULONG NumaNode; + ULONG Channel; + ULONG NumberOfNumaNodes; + ULONG_PTR ResidentAvailablePages; + ULONG_PTR CommittedPages; + ULONG_PTR CommitLimit; + ULONG_PTR PeakCommitment; + ULONG_PTR TotalNumberOfPages; + ULONG_PTR AvailablePages; + ULONG_PTR ZeroPages; + ULONG_PTR FreePages; + ULONG_PTR StandbyPages; +} MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION; + +NTSTATUS NTAPI NtOpenPartition( + _Out_ PHANDLE PartitionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes + ); + +NTSTATUS NTAPI NtManagePartition( + _In_ HANDLE TargetHandle, + _In_ HANDLE SourceHandle, + _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, + _Inout_ PVOID PartitionInformation, + _In_ SIZE_T PartitionInformationLength + ); + +NTSTATUS NTAPI NtCreatePartition( + _Out_ PHANDLE PartitionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ ULONG PreferredNode + ); + +/* +* Memory partition END */ /* @@ -4198,11 +5427,25 @@ NTSTATUS NTAPI NtClose( _In_ HANDLE Handle ); +NTSTATUS NTAPI NtCreateDirectoryObject( + _Out_ PHANDLE DirectoryHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes + ); + +NTSTATUS NTAPI NtCreateDirectoryObjectEx( + _Out_ PHANDLE DirectoryHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ShadowDirectoryHandle, + _In_ ULONG Flags + ); + NTSTATUS NTAPI NtOpenDirectoryObject( - _Out_ PHANDLE DirectoryHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes - ); + _Out_ PHANDLE DirectoryHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes + ); NTSTATUS NTAPI NtQueryDirectoryObject( _In_ HANDLE DirectoryHandle, @@ -4229,6 +5472,12 @@ NTSTATUS WINAPI NtQuerySystemInformation( _Out_opt_ PULONG ReturnLength ); +NTSTATUS NTAPI NtSetSystemInformation( + _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, + _In_opt_ PVOID SystemInformation, + _In_ ULONG SystemInformationLength + ); + NTSTATUS NTAPI NtCreateMutant( _Out_ PHANDLE MutantHandle, _In_ ACCESS_MASK DesiredAccess, @@ -4327,6 +5576,18 @@ NTSTATUS NTAPI NtQueryDirectoryFile( _In_ BOOLEAN RestartScan ); +NTSTATUS NTAPI NtNotifyChangeDirectoryFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + __out_bcount(Length) PVOID Buffer, + _In_ ULONG Length, + _In_ ULONG CompletionFilter, + _In_ BOOLEAN WatchTree +); + NTSTATUS NTAPI NtQuerySection( _In_ HANDLE SectionHandle, _In_ SECTION_INFORMATION_CLASS SectionInformationClass, @@ -4367,14 +5628,55 @@ NTSTATUS NTAPI NtMapViewOfSection( NTSTATUS NTAPI NtUnmapViewOfSection( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress - ); + ); NTSTATUS NTAPI NtOpenProcessToken( - _In_ HANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _Out_ PHANDLE TokenHandle - ); + _In_ HANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _Out_ PHANDLE TokenHandle + ); +NTSTATUS NTAPI NtDuplicateToken( + _In_ HANDLE ExistingTokenHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ BOOLEAN EffectiveOnly, + _In_ TOKEN_TYPE TokenType, + _Out_ PHANDLE NewTokenHandle + ); + +#define DISABLE_MAX_PRIVILEGE 0x1 // winnt +#define SANDBOX_INERT 0x2 // winnt +#define LUA_TOKEN 0x4 +#define WRITE_RESTRICT 0x8 + +NTSTATUS NTAPI NtFilterToken( + _In_ HANDLE ExistingTokenHandle, + _In_ ULONG Flags, + _In_opt_ PTOKEN_GROUPS SidsToDisable, + _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, + _In_opt_ PTOKEN_GROUPS RestrictedSids, + _Out_ PHANDLE NewTokenHandle + ); + +NTSTATUS NTAPI NtImpersonateAnonymousToken( + _In_ HANDLE ThreadHandle + ); + +NTSTATUS NTAPI NtQueryInformationToken( + _In_ HANDLE TokenHandle, + _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, + _Out_ PVOID TokenInformation, + _In_ ULONG TokenInformationLength, + _Out_ PULONG ReturnLength + ); + +NTSTATUS NTAPI NtSetInformationToken( + _In_ HANDLE TokenHandle, + _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, + _In_ PVOID TokenInformation, + _In_ ULONG TokenInformationLength + ); NTSTATUS NTAPI NtOpenThreadTokenEx( _In_ HANDLE ThreadHandle, @@ -4401,6 +5703,16 @@ NTSTATUS NTAPI NtQueryInformationToken( _Out_ PULONG ReturnLength ); +NTSTATUS NTAPI NtCreateKey( + _Out_ PHANDLE KeyHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + __reserved ULONG TitleIndex, + _In_opt_ PUNICODE_STRING Class, + _In_ ULONG CreateOptions, + _Out_opt_ PULONG Disposition + ); + NTSTATUS NTAPI NtOpenKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, @@ -4424,6 +5736,15 @@ NTSTATUS NTAPI NtQueryValueKey( _Out_ PULONG ResultLength ); +NTSTATUS NTAPI NtSetValueKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING ValueName, + _In_opt_ ULONG TitleIndex, + _In_ ULONG Type, + _In_ PVOID Data, + _In_ ULONG DataSize + ); + NTSTATUS NTAPI NtDeleteKey( _In_ HANDLE KeyHandle ); @@ -4433,6 +5754,14 @@ NTSTATUS NTAPI NtDeleteValueKey( _In_ PUNICODE_STRING ValueName ); +NTSTATUS NTAPI NtLoadDriver( + _In_ PUNICODE_STRING DriverServiceName + ); + +NTSTATUS NTAPI NtUnloadDriver( + _In_ PUNICODE_STRING DriverServiceName + ); + NTSTATUS NTAPI NtOpenJobObject( _Out_ PHANDLE JobHandle, _In_ ACCESS_MASK DesiredAccess, @@ -4469,18 +5798,10 @@ NTSTATUS NTAPI NtQueryInformationFile( _In_ FILE_INFORMATION_CLASS FileInformationClass ); -NTSTATUS NTAPI NtFsControlFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG FsControlCode, - _In_ PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_ PVOID OutputBuffer, - _In_ ULONG OutputBufferLength - ); +NTSTATUS NTAPI NtQueryFullAttributesFile( + __in POBJECT_ATTRIBUTES ObjectAttributes, + __out PFILE_NETWORK_OPEN_INFORMATION FileInformation +); NTSTATUS NTAPI NtQueryDirectoryFile( _In_ HANDLE FileHandle, @@ -4619,8 +5940,12 @@ NTSTATUS NTAPI NtCreateTransaction( _In_opt_ PUNICODE_STRING Description ); +NTSTATUS NTAPI NtRollbackTransaction( + _In_ HANDLE TransactionHandle, + _In_ BOOLEAN Wait); + //TmRm -NTSTATUS NTAPINtCreateResourceManager( +NTSTATUS NTAPI NtCreateResourceManager( _Out_ PHANDLE ResourceManagerHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE TmHandle, @@ -4666,6 +5991,46 @@ NTSTATUS NTAPI NtCreateFile( _In_ ULONG EaLength ); +NTSTATUS NTAPI NtDeviceIoControlFile( + _In_ HANDLE FileHandle, + _In_ HANDLE Event, + _In_ PIO_APC_ROUTINE ApcRoutine, + _In_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG IoControlCode, + _In_ PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_ PVOID OutputBuffer, + _In_ ULONG OutputBufferLength + ); + +NTSTATUS NTAPI NtFsControlFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG FsControlCode, + _In_opt_ PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_opt_ PVOID OutputBuffer, + _In_ ULONG OutputBufferLength + ); + +NTSTATUS NTAPI NtCreateUserProcess( + _Out_ PHANDLE ProcessHandle, + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK ProcessDesiredAccess, + _In_ ACCESS_MASK ThreadDesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes, + _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes, + _In_ ULONG ProcessFlags, + _In_ ULONG ThreadFlags, + _In_opt_ PVOID ProcessParameters, + _Inout_ PPS_CREATE_INFO CreateInfo, + _In_opt_ PPS_ATTRIBUTE_LIST AttributeList + ); + NTSTATUS NTAPI NtOpenProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, @@ -4678,6 +6043,14 @@ NTSTATUS NTAPI NtTerminateProcess( _In_ NTSTATUS ExitStatus ); +NTSTATUS NTAPI NtSuspendProcess( + _In_ HANDLE ProcessHandle + ); + +NTSTATUS NTAPI NtResumeProcess( + _In_ HANDLE ProcessHandle + ); + NTSTATUS NTAPI NtSuspendThread( _In_ HANDLE ThreadHandle, _Out_opt_ PULONG PreviousSuspendCount @@ -4695,6 +6068,11 @@ NTSTATUS NTAPI NtOpenThread( _In_opt_ PCLIENT_ID ClientId ); +NTSTATUS NTAPI NtTerminateThread( + _In_opt_ HANDLE ThreadHandle, + _In_ NTSTATUS ExitStatus + ); + NTSTATUS NTAPI NtImpersonateThread( _In_ HANDLE ServerThreadHandle, _In_ HANDLE ClientThreadHandle, @@ -4711,6 +6089,21 @@ NTSTATUS NTAPI NtGetContextThread( _Inout_ PCONTEXT ThreadContext ); +NTSTATUS NTAPI NtQueryInformationThread( + _In_ HANDLE ThreadHandle, + _In_ THREADINFOCLASS ThreadInformationClass, + _Out_ PVOID ThreadInformation, + _In_ ULONG ThreadInformationLength, + _Out_opt_ PULONG ReturnLength + ); + +NTSTATUS NTAPI NtSetInformationThread( + _In_ HANDLE ThreadHandle, + _In_ THREADINFOCLASS ThreadInformationClass, + _In_ PVOID ThreadInformation, + _In_ ULONG ThreadInformationLength + ); + NTSTATUS NTAPI NtQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, @@ -4719,6 +6112,13 @@ NTSTATUS NTAPI NtQueryInformationProcess( _Out_opt_ PULONG ReturnLength ); +NTSTATUS NTAPI NtSetInformationProcess( + _In_ HANDLE ProcessHandle, + _In_ PROCESSINFOCLASS ProcessInformationClass, + _In_count_(ProcessInformationLength) PVOID ProcessInformation, + _In_ ULONG ProcessInformationLength + ); + NTSTATUS NTAPI NtDuplicateObject( _In_ HANDLE SourceProcessHandle, _In_ HANDLE SourceHandle, @@ -4743,6 +6143,14 @@ NTSTATUS NTAPI NtQuerySecurityObject( _Out_ PULONG LengthNeeded ); +NTSTATUS NTAPI NtQueryLicenseValue( + _In_ PUNICODE_STRING ValueName, + _Out_opt_ PULONG Type, + _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data, + _In_ ULONG DataSize, + _Out_ PULONG ResultDataSize +); + NTSTATUS NtCreateIoCompletion( _Out_ PHANDLE IoCompletionHandle, _In_ ACCESS_MASK DesiredAccess, @@ -4758,6 +6166,11 @@ NTSTATUS NTAPI NtCreateEvent( _In_ BOOLEAN InitialState ); +NTSTATUS NTAPI NtSetEvent( + _In_ HANDLE EventHandle, + _Out_opt_ PLONG PreviousState + ); + NTSTATUS NTAPI NtAllocateVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, @@ -4900,5 +6313,82 @@ NTSTATUS NTAPI NtAcceptConnectPort( _In_ PPORT_MESSAGE ConnectionRequest, _In_ BOOLEAN AcceptConnection, _Inout_opt_ PPORT_VIEW ServerView, - _Out_opt_ PREMOTE_PORT_VIEW ClientView - ); + _Out_opt_ PREMOTE_PORT_VIEW ClientView); + +typedef +VOID +(*PPS_APC_ROUTINE) ( + _In_opt_ PVOID ApcArgument1, + _In_opt_ PVOID ApcArgument2, + _In_opt_ PVOID ApcArgument3); + +NTSTATUS NTAPI NtQueueApcThread( + _In_ HANDLE ThreadHandle, + _In_ PPS_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcArgument1, + _In_opt_ PVOID ApcArgument2, + _In_opt_ PVOID ApcArgument3); + +NTSTATUS NTAPI NtWaitForSingleObject( + _In_ HANDLE Handle, + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER Timeout); + +NTSTATUS NTAPI NtYieldExecution( + VOID); + +NTSTATUS NTAPI NtCreateMailslotFile( + _Out_ PHANDLE FileHandle, + _In_ ULONG DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG CreateOptions, + _In_ ULONG MailslotQuota, + _In_ ULONG MaximumMessageSize, + _In_ PLARGE_INTEGER ReadTimeout); + +NTSTATUS NTAPI NtSecureConnectPort( + _Out_ PHANDLE PortHandle, + _In_ PUNICODE_STRING PortName, + _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, + _Inout_opt_ PPORT_VIEW ClientView, + _In_opt_ PSID RequiredServerSid, + _Inout_opt_ PREMOTE_PORT_VIEW ServerView, + _Out_opt_ PULONG MaxMessageLength, + _Inout_opt_ PVOID ConnectionInformation, + _Inout_opt_ PULONG ConnectionInformationLength); + +NTSTATUS NTAPI NtEnumerateBootEntries( + _Out_ PVOID Buffer, + _Inout_ PULONG BufferLength); + +NTSTATUS NTAPI NtPrivilegeCheck( + _In_ HANDLE ClientToken, + _Inout_ PPRIVILEGE_SET RequiredPrivileges, + _Out_ PBOOLEAN Result + ); + +NTSTATUS NTAPI NtCreateProcessEx( + _Out_ PHANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ParentProcess, + _In_ ULONG Flags, + _In_opt_ HANDLE SectionHandle, + _In_opt_ HANDLE DebugPort, + _In_opt_ HANDLE ExceptionPort, + _In_ BOOLEAN InJob); + +NTSTATUS NTAPI NtCreateThreadEx( + _Out_ PHANDLE hThread, + _In_ ACCESS_MASK DesiredAccess, + _In_ LPVOID ObjectAttributes, + _In_ HANDLE ProcessHandle, + _In_ LPTHREAD_START_ROUTINE lpStartAddress, + _In_ LPVOID lpParameter, + _In_ BOOL CreateSuspended, + _In_ DWORD StackZeroBits, + _In_ DWORD SizeOfStackCommit, + _In_ DWORD SizeOfStackReserve, + _Out_ LPVOID lpBytesBuffer); + diff --git a/Source/Furutaka/resource.rc b/Source/Furutaka/resource.rc index 9b6d71f..3314669 100644 Binary files a/Source/Furutaka/resource.rc and b/Source/Furutaka/resource.rc differ diff --git a/Source/Furutaka/sup.c b/Source/Furutaka/sup.c index c23db86..460987f 100644 --- a/Source/Furutaka/sup.c +++ b/Source/Furutaka/sup.c @@ -4,9 +4,9 @@ * * TITLE: SUP.C * -* VERSION: 1.10 +* VERSION: 1.12 * -* DATE: 17 Apr 2017 +* DATE: 01 Dec 2017 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED @@ -45,6 +45,7 @@ PVOID supGetSystemInfo( } if (status == STATUS_INFO_LENGTH_MISMATCH) { RtlFreeHeap(hHeap, 0, Buffer); + Buffer = NULL; Size *= 2; c++; if (c > 100) { diff --git a/TDL.sha256 b/TDL.sha256 index fd98132..e764d71 100644 --- a/TDL.sha256 +++ b/TDL.sha256 @@ -1,6 +1,6 @@ a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys -bef3056b55e2f29525817e3e44753dcf32152460028d27b28e54cce3a7d1eb0f *Compiled\Furutaka.exe +a7b38ab63ccdca7dc1a677974a7b4e325e195a233ae4a70dc14ab957aef5975c *Compiled\Furutaka.exe 14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters @@ -22,12 +22,12 @@ b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutak 9b9f412b442a3a328693af6f6be5bc3f00b0723e49012e6395d3d5eb9184b078 *Source\Furutaka\global.h 94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c 33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h -2e0ae7d721d15facb6a63af2df430ce5a1d6250fdb78fc7511e24c23a2d73a9a *Source\Furutaka\main.c -8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h +3a7e165f891de48c942af84c9424c3f264e735d8d759fa4b694b6108686c0f05 *Source\Furutaka\main.c +b29970b67a406364e4a8fef971e48383de176229a9333168bd03caa474d19e3b *Source\Furutaka\ntos.h fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h -2ae545acec81745467b20da56f88a31df07de2021456d82dc16dbbe9ce0b3103 *Source\Furutaka\resource.rc +a2ceea364b0cc637a441649c48b23ade244b45838f7cc0289338ff854ec4ed00 *Source\Furutaka\resource.rc 6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h -fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c +6ae8ca2192e5277e85a625c772092988592248dbaa444f385446202ea9e42eb5 *Source\Furutaka\sup.c 059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h 12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys