From 959919bb01317fb365d1bf1dcc3ddea02e6c7f62 Mon Sep 17 00:00:00 2001
From: hfiref0x <hfiref0x@users.noreply.github.com>
Date: Mon, 18 Dec 2017 19:58:24 +0700
Subject: [PATCH] v 1.1.2

Double free bugfix.
---
 Compiled/Furutaka.exe       |  Bin 99328 -> 99328 bytes
 Source/Furutaka/main.c      |    8 +-
 Source/Furutaka/ntos.h      | 1668 +++++++++++++++++++++++++++++++++--
 Source/Furutaka/resource.rc |  Bin 5702 -> 5702 bytes
 Source/Furutaka/sup.c       |    5 +-
 TDL.sha256                  |   10 +-
 6 files changed, 1591 insertions(+), 100 deletions(-)

diff --git a/Compiled/Furutaka.exe b/Compiled/Furutaka.exe
index 0e7377b10f4a3e72fce606143e3176e66b51c816..7ac677275873a8b28a3fa8cf3e24126026f2dde3 100644
GIT binary patch
delta 203
zcmZqZU~A}LoA7~U?>6(OiC=s;KF(oeU}i{YoSaaqxw(+BT$Ryx@=G-t2T7mq!^W39
zy3hR=og&A;!2JLJ(dNG?b(>#{w;rfq_2@qQS^%M<2&lsNfJe8FiiU^rnHSj{3=ESC
zpGt2|P!H1NH)2p=&|olNFl5jNVx!3i0~{HRHZuqIN-#!ko|rkAoqGct69Xd<0_n~A
gg{+L+MhtpDrRE^zo9&A#Q3RR~7jHjY%xEhB09x!qZ~y=R

delta 204
zcmZqZU~A}LoA80fr20q1#4kP^&t5Y!Ff$}HPEIJ*++4_5uFB{%`K6kSsi#l(VdG04
z-RJ&`PLX3^VE+IAX!GBcy3GjTTA;A;0grAU6%7yLGcU?G7#JoOJ{9F|Jy3DVqx<md
zt7pz^j#7`%<TqqcV9;PNVlZIP2V#@S2Ll`#4L36f_DV2DY@V1onVowD8zTb<0_n~A
hg{+L+h75WPh79H)<(ut`Dp3TQ4;ODgT+C=I004HKMDPFr

diff --git a/Source/Furutaka/main.c b/Source/Furutaka/main.c
index c6b259e..ed636a7 100644
--- a/Source/Furutaka/main.c
+++ b/Source/Furutaka/main.c
@@ -4,9 +4,9 @@
 *
 *  TITLE:       MAIN.C
 *
-*  VERSION:     1.11
+*  VERSION:     1.12
 *
-*  DATE:        20 Apr 2017
+*  DATE:        01 Dec 2017
 *
 *  Furutaka entry point.
 *
@@ -41,11 +41,11 @@ ULONG      g_NtBuildNumber = 0;
 #define supImageHandle  0x1a000
 #define PAGE_SIZE       0x1000
 
-#define T_LOADERTITLE   TEXT("Turla Driver Loader v1.1.1 (20/04/17)")
+#define T_LOADERTITLE   TEXT("Turla Driver Loader v1.1.2 (01/12/17)")
 #define T_LOADERUNSUP   TEXT("Unsupported WinNT version\r\n")
 #define T_LOADERRUN     TEXT("Another instance running, close it before\r\n")
 #define T_LOADERUSAGE   TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n")
-#define T_LOADERINTRO   TEXT("Turla Driver Loader v1.1.1 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
+#define T_LOADERINTRO   TEXT("Turla Driver Loader v1.1.2 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
 
 /*
 * TDLVBoxInstalled
diff --git a/Source/Furutaka/ntos.h b/Source/Furutaka/ntos.h
index 3b36663..4820cd2 100644
--- a/Source/Furutaka/ntos.h
+++ b/Source/Furutaka/ntos.h
@@ -1,12 +1,12 @@
 /************************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2015, translated from Microsoft sources/debugger
+*  (C) COPYRIGHT AUTHORS, 2015 - 2017, translated from Microsoft sources/debugger
 *
 *  TITLE:       NTOS.H
 *
-*  VERSION:     1.33
+*  VERSION:     1.74
 *
-*  DATE:        02 Feb 2016
+*  DATE:        01 Dec 2017
 *
 *  Common header file for the ntos API functions and definitions.
 *
@@ -29,6 +29,9 @@
 #define ALIGN_UP(count,size) \
             (ALIGN_DOWN( (ULONG_PTR)(count)+(ULONG_PTR)(size)-1, (ULONG_PTR)(size) ))
 
+#define ARGUMENT_PRESENT(ArgumentPointer)    (\
+    (CHAR *)((ULONG_PTR)(ArgumentPointer)) != (CHAR *)(NULL) )
+
 //Access Rights
 
 #define CALLBACK_MODIFY_STATE    0x0001
@@ -79,6 +82,13 @@
 
 #define THREAD_ALERT	(0x0004)
 
+#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
+#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 
+#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
+#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 
+#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 
+#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
+
 #define WORKER_FACTORY_RELEASE_WORKER 0x0001
 #define WORKER_FACTORY_WAIT 0x0002
 #define WORKER_FACTORY_SET_INFORMATION 0x0004
@@ -102,6 +112,31 @@
 #define TRACELOG_ACCESS_REALTIME      0x0400
 #define TRACELOG_REGISTER_GUIDS       0x0800
 
+//
+// Partition Specific Access Rights.
+//
+
+#define MEMORY_PARTITION_QUERY_ACCESS  0x0001
+#define MEMORY_PARTITION_MODIFY_ACCESS 0x0002
+
+#define MEMORY_PARTITION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |         \
+                                     SYNCHRONIZE |                      \
+                                     MEMORY_PARTITION_QUERY_ACCESS |    \
+                                     MEMORY_PARTITION_MODIFY_ACCESS)
+
+
+//
+// NtCreateProcessEx specific flags.
+//
+#define PS_REQUEST_BREAKAWAY        1
+#define PS_NO_DEBUG_INHERIT         2
+#define PS_INHERIT_HANDLES          4
+#define PS_LARGE_PAGES              8
+#define PS_ALL_FLAGS                (PS_REQUEST_BREAKAWAY | \
+                                     PS_NO_DEBUG_INHERIT  | \
+                                     PS_INHERIT_HANDLES   | \
+                                     PS_LARGE_PAGES)
+
 #define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 )
 #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
 #define ZwCurrentProcess() NtCurrentProcess()
@@ -121,6 +156,15 @@
 #define MAXUSHORT   0xffff     
 #define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) )
 
+typedef struct _EX_RUNDOWN_REF
+{
+    union
+    {
+        ULONG Count;
+        PVOID Ptr;
+    };
+} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;
+
 typedef struct _UNICODE_STRING {
 	USHORT Length;
 	USHORT MaximumLength;
@@ -197,6 +241,19 @@ typedef struct _SEMAPHORE_BASIC_INFORMATION {
 ** Semaphore END
 */
 
+/*
+** Kernel Debugger START
+*/
+
+typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
+    BOOLEAN KernelDebuggerEnabled;
+    BOOLEAN KernelDebuggerNotPresent;
+} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
+
+/*
+** Kernel Debugger END
+*/
+
 /*
 ** FileCache and MemoryList START
 */
@@ -231,6 +288,16 @@ typedef struct _SYSTEM_FILECACHE_INFORMATION {
 ** Processes START
 */
 
+typedef struct _SYSTEM_TIMEOFDAY_INFORMATION {
+    LARGE_INTEGER BootTime;
+    LARGE_INTEGER CurrentTime;
+    LARGE_INTEGER TimeZoneBias;
+    ULONG TimeZoneId;
+    ULONG Reserved;
+    ULONGLONG BootTimeBias;
+    ULONGLONG SleepTimeBias;
+} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION;
+
 #ifndef KPRIORITY
 typedef LONG KPRIORITY;
 #endif
@@ -297,6 +364,16 @@ typedef struct _CLIENT_ID {
 	HANDLE UniqueThread;
 } CLIENT_ID, *PCLIENT_ID;
 
+typedef struct _CLIENT_ID64 {
+	ULONG64 UniqueProcess;
+	ULONG64 UniqueThread;
+} CLIENT_ID64, *PCLIENT_ID64;
+
+typedef struct _CLIENT_ID32 {
+	ULONG32 UniqueProcess;
+	ULONG32 UniqueThread;
+} CLIENT_ID32, *PCLIENT_ID32;
+
 typedef struct _VM_COUNTERS {
 	SIZE_T PeakVirtualSize;
 	SIZE_T VirtualSize;
@@ -347,6 +424,26 @@ typedef struct _SYSTEM_PROCESSES_INFORMATION {
 	SYSTEM_THREAD_INFORMATION Threads[1];
 } SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION;
 
+#if defined(_WIN64)
+typedef ULONG SYSINF_PAGE_COUNT;
+#else
+typedef SIZE_T SYSINF_PAGE_COUNT;
+#endif
+
+typedef struct _SYSTEM_BASIC_INFORMATION {
+	ULONG Reserved;
+	ULONG TimerResolution;
+	ULONG PageSize;
+	SYSINF_PAGE_COUNT NumberOfPhysicalPages;
+	SYSINF_PAGE_COUNT LowestPhysicalPageNumber;
+	SYSINF_PAGE_COUNT HighestPhysicalPageNumber;
+	ULONG AllocationGranularity;
+	ULONG_PTR MinimumUserModeAddress;
+	ULONG_PTR MaximumUserModeAddress;
+	ULONG_PTR ActiveProcessorsAffinityMask;
+	CCHAR NumberOfProcessors;
+} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
+
 typedef enum _PROCESSINFOCLASS {
 	ProcessBasicInformation = 0,
 	ProcessQuotaLimits = 1,
@@ -413,6 +510,52 @@ typedef enum _PROCESSINFOCLASS {
 	MaxProcessInfoClass = 62
 } PROCESSINFOCLASS;
 
+typedef enum _THREADINFOCLASS {
+	ThreadBasicInformation,
+	ThreadTimes,
+	ThreadPriority,
+	ThreadBasePriority,
+	ThreadAffinityMask,
+	ThreadImpersonationToken,
+	ThreadDescriptorTableEntry,
+	ThreadEnableAlignmentFaultFixup,
+	ThreadEventPair,
+	ThreadQuerySetWin32StartAddress,
+	ThreadZeroTlsCell,
+	ThreadPerformanceCount,
+	ThreadAmILastThread,
+	ThreadIdealProcessor,
+	ThreadPriorityBoost,
+	ThreadSetTlsArrayAddress,
+	ThreadIsIoPending,
+	ThreadHideFromDebugger,
+	ThreadBreakOnTermination,
+	ThreadSwitchLegacyState,
+	ThreadIsTerminated,
+	ThreadLastSystemCall,
+	ThreadIoPriority,
+	ThreadCycleTime,
+	ThreadPagePriority,
+	ThreadActualBasePriority,
+	ThreadTebInformation,
+	ThreadCSwitchMon,
+	ThreadCSwitchPmu,
+	ThreadWow64Context,
+	ThreadGroupInformation,
+	ThreadUmsInformation,
+	ThreadCounterProfiling,
+	ThreadIdealProcessorEx,
+	ThreadCpuAccountingInformation,
+	ThreadSuspendCount,
+	ThreadHeterogeneousCpuPolicy,
+	ThreadContainerId,
+	ThreadNameInformation,
+	ThreadProperty,
+	ThreadSelectedCpuSets,
+	ThreadSystemThreadInformation,
+	MaxThreadInfoClass
+} THREADINFOCLASS;
+
 typedef struct _PROCESS_BASIC_INFORMATION {
 	NTSTATUS ExitStatus;
 	PVOID PebBaseAddress;
@@ -443,6 +586,229 @@ typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION {
 	} DUMMYUNIONNAME;
 } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;
 
+typedef struct _PROCESS_ACCESS_TOKEN {
+    HANDLE Token;
+    HANDLE Thread;
+} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
+
+//thanks to wj32 headers
+
+typedef enum _PS_CREATE_STATE {
+    PsCreateInitialState,
+    PsCreateFailOnFileOpen,
+    PsCreateFailOnSectionCreate,
+    PsCreateFailExeFormat,
+    PsCreateFailMachineMismatch,
+    PsCreateFailExeName, 
+    PsCreateSuccess,
+    PsCreateMaximumStates
+} PS_CREATE_STATE;
+
+typedef struct _PS_CREATE_INFO {
+    SIZE_T Size;
+    PS_CREATE_STATE State;
+    union
+    {
+        struct
+        {
+            union
+            {
+                ULONG InitFlags;
+                struct
+                {
+                    UCHAR WriteOutputOnExit : 1;
+                    UCHAR DetectManifest : 1;
+                    UCHAR IFEOSkipDebugger : 1;
+                    UCHAR IFEODoNotPropagateKeyState : 1;
+                    UCHAR SpareBits1 : 4;
+                    UCHAR SpareBits2 : 8;
+                    USHORT ProhibitedImageCharacteristics : 16;
+                };
+            };
+            ACCESS_MASK AdditionalFileAccess;
+        } InitState;
+
+        struct
+        {
+            HANDLE FileHandle;
+        } FailSection;
+
+        struct
+        {
+            USHORT DllCharacteristics;
+        } ExeFormat;
+
+        struct
+        {
+            HANDLE IFEOKey;
+        } ExeName;
+
+        struct
+        {
+            union
+            {
+                ULONG OutputFlags;
+                struct
+                {
+                    UCHAR ProtectedProcess : 1;
+                    UCHAR AddressSpaceOverride : 1;
+                    UCHAR DevOverrideEnabled : 1; 
+                    UCHAR ManifestDetected : 1;
+                    UCHAR ProtectedProcessLight : 1;
+                    UCHAR SpareBits1 : 3;
+                    UCHAR SpareBits2 : 8;
+                    USHORT SpareBits3 : 16;
+                };
+            };
+            HANDLE FileHandle;
+            HANDLE SectionHandle;
+            ULONGLONG UserProcessParametersNative;
+            ULONG UserProcessParametersWow64;
+            ULONG CurrentParameterFlags;
+            ULONGLONG PebAddressNative;
+            ULONG PebAddressWow64;
+            ULONGLONG ManifestAddress;
+            ULONG ManifestSize;
+        } SuccessState;
+    };
+} PS_CREATE_INFO, *PPS_CREATE_INFO;
+
+typedef struct _PS_ATTRIBUTE
+{
+    ULONG Attribute;
+    SIZE_T Size;
+    union
+    {
+        ULONG Value;
+        PVOID ValuePtr;
+    };
+    PSIZE_T ReturnLength;
+} PS_ATTRIBUTE, *PPS_ATTRIBUTE;
+
+typedef struct _PS_ATTRIBUTE_LIST
+{
+    SIZE_T TotalLength;
+    PS_ATTRIBUTE Attributes[1];
+} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
+
+typedef enum _PS_PROTECTED_TYPE
+{
+    PsProtectedTypeNone,
+    PsProtectedTypeProtectedLight,
+    PsProtectedTypeProtected,
+    PsProtectedTypeMax
+} PS_PROTECTED_TYPE;
+
+typedef enum _PS_PROTECTED_SIGNER
+{
+    PsProtectedSignerNone,
+    PsProtectedSignerAuthenticode,
+    PsProtectedSignerCodeGen,
+    PsProtectedSignerAntimalware,
+    PsProtectedSignerLsa,
+    PsProtectedSignerWindows,
+    PsProtectedSignerWinTcb,
+    PsProtectedSignerMax
+} PS_PROTECTED_SIGNER;
+
+typedef struct _PS_PROTECTION
+{
+    union
+    {
+        UCHAR Level;
+        struct
+        {
+            UCHAR Type : 3;
+            UCHAR Audit : 1;
+            UCHAR Signer : 4;
+        };
+    };
+} PS_PROTECTION, *PPS_PROTECTION;
+
+// begin_rev
+#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
+#define PS_ATTRIBUTE_THREAD 0x00010000 
+#define PS_ATTRIBUTE_INPUT 0x00020000 
+#define PS_ATTRIBUTE_ADDITIVE 0x00040000 
+// end_rev
+
+typedef enum _PS_ATTRIBUTE_NUM {
+    PsAttributeParentProcess, 
+    PsAttributeDebugPort, 
+    PsAttributeToken, 
+    PsAttributeClientId, 
+    PsAttributeTebAddress, 
+    PsAttributeImageName, 
+    PsAttributeImageInfo, 
+    PsAttributeMemoryReserve,
+    PsAttributePriorityClass, 
+    PsAttributeErrorMode, 
+    PsAttributeStdHandleInfo, 
+    PsAttributeHandleList,
+    PsAttributeGroupAffinity, 
+    PsAttributePreferredNode, 
+    PsAttributeIdealProcessor,
+    PsAttributeUmsThread,
+    PsAttributeMitigationOptions, 
+    PsAttributeProtectionLevel,
+    PsAttributeSecureProcess, 
+    PsAttributeJobList,
+    PsAttributeMax
+} PS_ATTRIBUTE_NUM;
+
+#define PsAttributeValue(Number, Thread, Input, Unknown) \
+    (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
+    ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
+    ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
+    ((Unknown) ? PS_ATTRIBUTE_ADDITIVE : 0))
+
+#define PS_ATTRIBUTE_PARENT_PROCESS \
+    PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
+#define PS_ATTRIBUTE_DEBUG_PORT \
+    PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
+#define PS_ATTRIBUTE_TOKEN \
+    PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
+#define PS_ATTRIBUTE_CLIENT_ID \
+    PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
+#define PS_ATTRIBUTE_TEB_ADDRESS \
+    PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
+#define PS_ATTRIBUTE_IMAGE_NAME \
+    PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
+#define PS_ATTRIBUTE_IMAGE_INFO \
+    PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
+#define PS_ATTRIBUTE_MEMORY_RESERVE \
+    PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
+#define PS_ATTRIBUTE_PRIORITY_CLASS \
+    PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
+#define PS_ATTRIBUTE_ERROR_MODE \
+    PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
+#define PS_ATTRIBUTE_STD_HANDLE_INFO \
+    PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
+#define PS_ATTRIBUTE_HANDLE_LIST \
+    PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
+#define PS_ATTRIBUTE_GROUP_AFFINITY \
+    PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
+#define PS_ATTRIBUTE_PREFERRED_NODE \
+    PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
+#define PS_ATTRIBUTE_IDEAL_PROCESSOR \
+    PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
+#define PS_ATTRIBUTE_MITIGATION_OPTIONS \
+    PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE)
+
+
+#define RTL_USER_PROC_PARAMS_NORMALIZED     0x00000001
+#define RTL_USER_PROC_PROFILE_USER          0x00000002
+#define RTL_USER_PROC_PROFILE_KERNEL        0x00000004
+#define RTL_USER_PROC_PROFILE_SERVER        0x00000008
+#define RTL_USER_PROC_RESERVE_1MB           0x00000020
+#define RTL_USER_PROC_RESERVE_16MB          0x00000040
+#define RTL_USER_PROC_CASE_SENSITIVE        0x00000080
+#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100
+#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000
+#define RTL_USER_PROC_APP_MANIFEST_PRESENT  0x00002000
+#define RTL_USER_PROC_IMAGE_KEY_MISSING     0x00004000
+#define RTL_USER_PROC_OPTIN_PROCESS         0x00020000
+
 /*
 ** Processes END
 */
@@ -794,6 +1160,37 @@ typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
 ** Objects END
 */
 
+/*
+** Boot Entry START
+*/
+
+typedef struct _FILE_PATH {
+    ULONG Version;
+    ULONG Length;
+    ULONG Type;
+    UCHAR FilePath[ANYSIZE_ARRAY];
+} FILE_PATH, *PFILE_PATH;
+
+typedef struct _BOOT_ENTRY {
+    ULONG Version;
+    ULONG Length;
+    ULONG Id;
+    ULONG Attributes;
+    ULONG FriendlyNameOffset;
+    ULONG BootFilePathOffset;
+    ULONG OsOptionsLength;
+    UCHAR OsOptions[ANYSIZE_ARRAY];
+} BOOT_ENTRY, *PBOOT_ENTRY;
+
+typedef struct _BOOT_ENTRY_LIST {
+    ULONG NextEntryOffset;
+    BOOT_ENTRY BootEntry;
+} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST;
+
+/*
+** Boot Entry END
+*/
+
 /*
 ** File start
 */
@@ -2828,6 +3225,31 @@ typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;
 typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE *PLDR_DATA_TABLE_ENTRY;
 typedef LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY;
 
+typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
+    ULONG Flags;                    //Reserved.
+    PCUNICODE_STRING FullDllName;   //The full path name of the DLL module.
+    PCUNICODE_STRING BaseDllName;   //The base file name of the DLL module.
+    PVOID DllBase;                  //A pointer to the base address for the DLL in memory.
+    ULONG SizeOfImage;              //The size of the DLL image, in bytes.
+} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;
+
+typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {
+    ULONG Flags;                    //Reserved.
+    PCUNICODE_STRING FullDllName;   //The full path name of the DLL module.
+    PCUNICODE_STRING BaseDllName;   //The base file name of the DLL module.
+    PVOID DllBase;                  //A pointer to the base address for the DLL in memory.
+    ULONG SizeOfImage;              //The size of the DLL image, in bytes.
+} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
+
+typedef union _LDR_DLL_NOTIFICATION_DATA {
+    LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
+    LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
+} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;
+typedef const LDR_DLL_NOTIFICATION_DATA *PCLDR_DLL_NOTIFICATION_DATA;
+
+#define LDR_DLL_NOTIFICATION_REASON_LOADED   1
+#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2
+
 /*
 * WDM END
 */
@@ -2907,8 +3329,338 @@ typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
 //
 //  PEB/TEB
 //
-typedef struct _PEB_LDR_DATA
-{
+#define GDI_HANDLE_BUFFER_SIZE32  34
+#define GDI_HANDLE_BUFFER_SIZE64  60
+
+#if !defined(_M_X64)
+#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE32
+#else
+#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE64
+#endif
+
+typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
+typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
+typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
+
+#define RTL_MAX_DRIVE_LETTERS 32
+#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
+
+#define GDI_MAX_HANDLE_COUNT 0x4000
+
+// 32-bit definitions
+typedef struct _STRING32 {
+	USHORT Length;
+	USHORT MaximumLength;
+	ULONG Buffer;
+} STRING32;
+typedef STRING32 *PSTRING32;
+
+typedef STRING32 UNICODE_STRING32;
+
+#if (_MSC_VER < 1300) && !defined(_WINDOWS_)
+typedef struct LIST_ENTRY32 {
+	DWORD Flink;
+	DWORD Blink;
+} LIST_ENTRY32;
+typedef LIST_ENTRY32 *PLIST_ENTRY32;
+
+typedef struct LIST_ENTRY64 {
+	ULONGLONG Flink;
+	ULONGLONG Blink;
+} LIST_ENTRY64;
+typedef LIST_ENTRY64 *PLIST_ENTRY64;
+#endif
+
+#define WOW64_POINTER(Type) ULONG
+
+typedef struct _PEB_LDR_DATA32 {
+	ULONG Length;
+	BOOLEAN Initialized;
+	WOW64_POINTER(HANDLE) SsHandle;
+	LIST_ENTRY32 InLoadOrderModuleList;
+	LIST_ENTRY32 InMemoryOrderModuleList;
+	LIST_ENTRY32 InInitializationOrderModuleList;
+	WOW64_POINTER(PVOID) EntryInProgress;
+	BOOLEAN ShutdownInProgress;
+	WOW64_POINTER(HANDLE) ShutdownThreadId;
+} PEB_LDR_DATA32, *PPEB_LDR_DATA32;
+
+#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP32 FIELD_OFFSET( LDR_DATA_TABLE_ENTRY32, ForwarderLinks )
+
+typedef struct _LDR_DATA_TABLE_ENTRY32 {
+	LIST_ENTRY32 InLoadOrderLinks;
+	LIST_ENTRY32 InMemoryOrderLinks;
+	LIST_ENTRY32 InInitializationOrderLinks;
+	WOW64_POINTER(PVOID) DllBase;
+	WOW64_POINTER(PVOID) EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING32 FullDllName;
+	UNICODE_STRING32 BaseDllName;
+	ULONG Flags;
+	USHORT LoadCount;
+	USHORT TlsIndex;
+	union
+	{
+		LIST_ENTRY32 HashLinks;
+		struct
+		{
+			WOW64_POINTER(PVOID) SectionPointer;
+			ULONG CheckSum;
+		};
+	};
+	union
+	{
+		ULONG TimeDateStamp;
+		WOW64_POINTER(PVOID) LoadedImports;
+	};
+	WOW64_POINTER(PVOID) EntryPointActivationContext;
+	WOW64_POINTER(PVOID) PatchInformation;
+	LIST_ENTRY32 ForwarderLinks;
+	LIST_ENTRY32 ServiceTagLinks;
+	LIST_ENTRY32 StaticLinks;
+	WOW64_POINTER(PVOID) ContextInformation;
+	WOW64_POINTER(ULONG_PTR) OriginalBase;
+	LARGE_INTEGER LoadTime;
+} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
+
+typedef struct _CURDIR32 {
+	UNICODE_STRING32 DosPath;
+	WOW64_POINTER(HANDLE) Handle;
+} CURDIR32, *PCURDIR32;
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR32 {
+	USHORT Flags;
+	USHORT Length;
+	ULONG TimeStamp;
+	STRING32 DosPath;
+} RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS32 {
+	ULONG MaximumLength;
+	ULONG Length;
+
+	ULONG Flags;
+	ULONG DebugFlags;
+
+	WOW64_POINTER(HANDLE) ConsoleHandle;
+	ULONG ConsoleFlags;
+	WOW64_POINTER(HANDLE) StandardInput;
+	WOW64_POINTER(HANDLE) StandardOutput;
+	WOW64_POINTER(HANDLE) StandardError;
+
+	CURDIR32 CurrentDirectory;
+	UNICODE_STRING32 DllPath;
+	UNICODE_STRING32 ImagePathName;
+	UNICODE_STRING32 CommandLine;
+	WOW64_POINTER(PVOID) Environment;
+
+	ULONG StartingX;
+	ULONG StartingY;
+	ULONG CountX;
+	ULONG CountY;
+	ULONG CountCharsX;
+	ULONG CountCharsY;
+	ULONG FillAttribute;
+
+	ULONG WindowFlags;
+	ULONG ShowWindowFlags;
+	UNICODE_STRING32 WindowTitle;
+	UNICODE_STRING32 DesktopInfo;
+	UNICODE_STRING32 ShellInfo;
+	UNICODE_STRING32 RuntimeData;
+	RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+	ULONG EnvironmentSize;
+	ULONG EnvironmentVersion;
+} RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32;
+
+typedef struct _PEB32 {
+	BOOLEAN InheritedAddressSpace;
+	BOOLEAN ReadImageFileExecOptions;
+	BOOLEAN BeingDebugged;
+	union
+	{
+		BOOLEAN BitField;
+		struct
+		{
+			BOOLEAN ImageUsesLargePages : 1;
+			BOOLEAN IsProtectedProcess : 1;
+			BOOLEAN IsLegacyProcess : 1;
+			BOOLEAN IsImageDynamicallyRelocated : 1;
+			BOOLEAN SkipPatchingUser32Forwarders : 1;
+			BOOLEAN SpareBits : 3;
+		};
+	};
+	WOW64_POINTER(HANDLE) Mutant;
+
+	WOW64_POINTER(PVOID) ImageBaseAddress;
+	WOW64_POINTER(PPEB_LDR_DATA) Ldr;
+	WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters;
+	WOW64_POINTER(PVOID) SubSystemData;
+	WOW64_POINTER(PVOID) ProcessHeap;
+	WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock;
+	WOW64_POINTER(PVOID) AtlThunkSListPtr;
+	WOW64_POINTER(PVOID) IFEOKey;
+	union
+	{
+		ULONG CrossProcessFlags;
+		struct
+		{
+			ULONG ProcessInJob : 1;
+			ULONG ProcessInitializing : 1;
+			ULONG ProcessUsingVEH : 1;
+			ULONG ProcessUsingVCH : 1;
+			ULONG ProcessUsingFTH : 1;
+			ULONG ReservedBits0 : 27;
+		};
+		ULONG EnvironmentUpdateCount;
+	};
+	union
+	{
+		WOW64_POINTER(PVOID) KernelCallbackTable;
+		WOW64_POINTER(PVOID) UserSharedInfoPtr;
+	};
+	ULONG SystemReserved[1];
+	ULONG AtlThunkSListPtr32;
+	WOW64_POINTER(PVOID) ApiSetMap;
+	ULONG TlsExpansionCounter;
+	WOW64_POINTER(PVOID) TlsBitmap;
+	ULONG TlsBitmapBits[2];
+	WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase;
+	WOW64_POINTER(PVOID) HotpatchInformation;
+	WOW64_POINTER(PPVOID) ReadOnlyStaticServerData;
+	WOW64_POINTER(PVOID) AnsiCodePageData;
+	WOW64_POINTER(PVOID) OemCodePageData;
+	WOW64_POINTER(PVOID) UnicodeCaseTableData;
+
+	ULONG NumberOfProcessors;
+	ULONG NtGlobalFlag;
+
+	LARGE_INTEGER CriticalSectionTimeout;
+	WOW64_POINTER(SIZE_T) HeapSegmentReserve;
+	WOW64_POINTER(SIZE_T) HeapSegmentCommit;
+	WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold;
+	WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold;
+
+	ULONG NumberOfHeaps;
+	ULONG MaximumNumberOfHeaps;
+	WOW64_POINTER(PPVOID) ProcessHeaps;
+
+	WOW64_POINTER(PVOID) GdiSharedHandleTable;
+	WOW64_POINTER(PVOID) ProcessStarterHelper;
+	ULONG GdiDCAttributeList;
+
+	WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock;
+
+	ULONG OSMajorVersion;
+	ULONG OSMinorVersion;
+	USHORT OSBuildNumber;
+	USHORT OSCSDVersion;
+	ULONG OSPlatformId;
+	ULONG ImageSubsystem;
+	ULONG ImageSubsystemMajorVersion;
+	ULONG ImageSubsystemMinorVersion;
+	WOW64_POINTER(ULONG_PTR) ImageProcessAffinityMask;
+	GDI_HANDLE_BUFFER32 GdiHandleBuffer;
+	WOW64_POINTER(PVOID) PostProcessInitRoutine;
+
+	WOW64_POINTER(PVOID) TlsExpansionBitmap;
+	ULONG TlsExpansionBitmapBits[32];
+
+	ULONG SessionId;
+
+	// Rest of structure not included.
+} PEB32, *PPEB32;
+
+#define GDI_BATCH_BUFFER_SIZE 310
+
+typedef struct _GDI_TEB_BATCH32 {
+	ULONG Offset;
+	WOW64_POINTER(ULONG_PTR) HDC;
+	ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
+} GDI_TEB_BATCH32, *PGDI_TEB_BATCH32;
+
+#if (_MSC_VER < 1300) && !defined(_WINDOWS_)
+//
+// 32 and 64 bit specific version for wow64 and the debugger
+//
+typedef struct _NT_TIB32 {
+	DWORD ExceptionList;
+	DWORD StackBase;
+	DWORD StackLimit;
+	DWORD SubSystemTib;
+	union {
+		DWORD FiberData;
+		DWORD Version;
+	};
+	DWORD ArbitraryUserPointer;
+	DWORD Self;
+} NT_TIB32, *PNT_TIB32;
+
+typedef struct _NT_TIB64 {
+	DWORD64 ExceptionList;
+	DWORD64 StackBase;
+	DWORD64 StackLimit;
+	DWORD64 SubSystemTib;
+	union {
+		DWORD64 FiberData;
+		DWORD Version;
+	};
+	DWORD64 ArbitraryUserPointer;
+	DWORD64 Self;
+} NT_TIB64, *PNT_TIB64;
+#endif
+
+typedef struct _TEB32 {
+	NT_TIB32 NtTib;
+
+	WOW64_POINTER(PVOID) EnvironmentPointer;
+	CLIENT_ID32 ClientId;
+	WOW64_POINTER(PVOID) ActiveRpcHandle;
+	WOW64_POINTER(PVOID) ThreadLocalStoragePointer;
+	WOW64_POINTER(PPEB) ProcessEnvironmentBlock;
+
+	ULONG LastErrorValue;
+	ULONG CountOfOwnedCriticalSections;
+	WOW64_POINTER(PVOID) CsrClientThread;
+	WOW64_POINTER(PVOID) Win32ThreadInfo;
+	ULONG User32Reserved[26];
+	ULONG UserReserved[5];
+	WOW64_POINTER(PVOID) WOW32Reserved;
+	LCID CurrentLocale;
+	ULONG FpSoftwareStatusRegister;
+	WOW64_POINTER(PVOID) SystemReserved1[54];
+	NTSTATUS ExceptionCode;
+	WOW64_POINTER(PVOID) ActivationContextStackPointer;
+	BYTE SpareBytes[36];
+	ULONG TxFsContext;
+
+	GDI_TEB_BATCH32 GdiTebBatch;
+	CLIENT_ID32 RealClientId;
+	WOW64_POINTER(HANDLE) GdiCachedProcessHandle;
+	ULONG GdiClientPID;
+	ULONG GdiClientTID;
+	WOW64_POINTER(PVOID) GdiThreadLocalInfo;
+	WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62];
+	WOW64_POINTER(PVOID) glDispatchTable[233];
+	WOW64_POINTER(ULONG_PTR) glReserved1[29];
+	WOW64_POINTER(PVOID) glReserved2;
+	WOW64_POINTER(PVOID) glSectionInfo;
+	WOW64_POINTER(PVOID) glSection;
+	WOW64_POINTER(PVOID) glTable;
+	WOW64_POINTER(PVOID) glCurrentRC;
+	WOW64_POINTER(PVOID) glContext;
+
+	NTSTATUS LastStatusValue;
+	UNICODE_STRING32 StaticUnicodeString;
+	WCHAR StaticUnicodeBuffer[261];
+
+	WOW64_POINTER(PVOID) DeallocationStack;
+	WOW64_POINTER(PVOID) TlsSlots[64];
+	LIST_ENTRY32 TlsLinks;
+} TEB32, *PTEB32;
+
+typedef struct _PEB_LDR_DATA {
 	ULONG Length;
 	BOOLEAN Initialized;
 	HANDLE SsHandle;
@@ -2920,8 +3672,7 @@ typedef struct _PEB_LDR_DATA
 	HANDLE ShutdownThreadId;
 } PEB_LDR_DATA, *PPEB_LDR_DATA;
 
-typedef struct _GDI_HANDLE_ENTRY
-{
+typedef struct _GDI_HANDLE_ENTRY {
 	union
 	{
 		PVOID Object;
@@ -2943,10 +3694,7 @@ typedef struct _GDI_HANDLE_ENTRY
 	PVOID UserPointer;
 } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;
 
-#define GDI_MAX_HANDLE_COUNT 0x4000
-
-typedef struct _GDI_SHARED_MEMORY
-{
+typedef struct _GDI_SHARED_MEMORY {
 	GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT];
 } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY;
 
@@ -2974,9 +3722,6 @@ typedef struct _RTL_DRIVE_LETTER_CURDIR
 	STRING DosPath;
 } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
 
-#define RTL_MAX_DRIVE_LETTERS 32
-#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
-
 typedef struct _RTL_USER_PROCESS_PARAMETERS
 {
 	ULONG MaximumLength;
@@ -3015,21 +3760,11 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS
 
 	ULONG EnvironmentSize;
 	ULONG EnvironmentVersion;
+    PVOID PackageDependencyData; //8+
+    ULONG ProcessGroupId;
+   // ULONG LoaderThreads;
 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
 
-#define GDI_HANDLE_BUFFER_SIZE32  34
-#define GDI_HANDLE_BUFFER_SIZE64  60
-
-#if !defined(_M_X64)
-#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE32
-#else
-#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE64
-#endif
-
-typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
-typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
-typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
-
 typedef struct _PEB
 {
 	BOOLEAN InheritedAddressSpace;
@@ -3327,6 +4062,18 @@ typedef struct _TEB
 	PVOID ResourceRetValue;
 } TEB, *PTEB;
 
+typedef struct _PROCESS_DEVICEMAP_INFORMATION {
+    union {
+        struct {
+            HANDLE DirectoryHandle;
+        } Set;
+        struct {
+            ULONG DriveMap;
+            UCHAR DriveType[32];
+        } Query;
+    };
+} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;
+
 __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; }
 
 /*
@@ -3395,21 +4142,22 @@ typedef struct _LPC_CLIENT_DIED_MSG {
 	LARGE_INTEGER CreateTime;
 } LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
 
+//#pragma pack(push, 1)
 typedef struct _PORT_VIEW {
 	ULONG Length;
 	HANDLE SectionHandle;
 	ULONG SectionOffset;
-	ULONG ViewSize;
+	SIZE_T ViewSize;
 	PVOID ViewBase;
 	PVOID ViewRemoteBase;
 } PORT_VIEW, *PPORT_VIEW;
 
 typedef struct _REMOTE_PORT_VIEW {
 	ULONG Length;
-	ULONG ViewSize;
+	SIZE_T ViewSize;
 	PVOID ViewBase;
 } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
-
+//#pragma pack(pop)
 /*
 ** ALPC END
 */
@@ -3520,8 +4268,9 @@ typedef struct _KUSER_SHARED_DATA_COMPAT {
 			ULONG DbgDynProcessorEnabled : 1;
 			ULONG DbgConsoleBrokerEnabled : 1;
 			ULONG DbgSecureBootEnabled : 1;
-			ULONG DbgMultiSessionSku : 1;
-			ULONG SpareBits : 23;
+            ULONG DbgMultiSessionSku : 1;
+            ULONG DbgMultiUsersInSessionSku : 1;
+            ULONG SpareBits : 22;
 		};
 	};
 
@@ -3535,6 +4284,80 @@ typedef struct _KUSER_SHARED_DATA_COMPAT {
 ** KUSER_SHARED_DATA END
 */
 
+/*
+** FLT MANAGER START
+*/
+
+#define FLTFL_MANDATORY_UNLOAD_IN_PROGRESS  0x1
+#define FLTFL_FILTERING_INITIATED           0x2
+#define FLTFL_NAME_PROVIDER                 0x4
+#define FLTFL_SUPPORTS_PIPES_MAILSLOTS      0x8
+
+#define FLT_OBFL_DRAINING                   0x1
+#define FLT_OBFL_ZOMBIED                    0x2
+#define FLT_OBFL_TYPE_INSTANCE              0x1000000
+#define FLT_OBFL_TYPE_FILTER                0x2000000
+#define FLT_OBFL_TYPE_VOLUME                0x4000000
+
+typedef struct _FLT_OBJECT {
+    ULONG Flags;
+    ULONG PointerCount;
+    EX_RUNDOWN_REF RundownRef;
+    LIST_ENTRY PrimaryLink;
+} FLT_OBJECT, *PFLT_OBJECT;
+
+typedef struct _FLT_SERVER_PORT_OBJECT {
+    LIST_ENTRY FilterLink;
+    PVOID ConnectNotify;
+    PVOID DisconnectNotify;
+    PVOID MessageNotify;
+    PVOID Filter;
+    PVOID Cookie;
+    ULONG Flags;
+    ULONG NumberOfConnections;
+    ULONG MaxConnections;
+} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT;
+
+/*
+** FLT MANAGER END
+*/
+
+/*
+**  RTL START
+*/
+
+typedef NTSTATUS(*PUSER_PROCESS_START_ROUTINE)(
+	PRTL_USER_PROCESS_PARAMETERS ProcessParameters
+	);
+
+typedef NTSTATUS(*PUSER_THREAD_START_ROUTINE)(
+	PVOID ThreadParameter
+	);
+
+typedef struct _RTL_USER_PROCESS_INFORMATION {
+	ULONG Length;
+	HANDLE Process;
+	HANDLE Thread;
+	CLIENT_ID ClientId;
+	SECTION_IMAGE_INFORMATION ImageInformation;
+} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;
+
+//
+// This structure is used only by Wow64 processes. The offsets
+// of structure elements should the same as viewed by a native Win64 application.
+//
+typedef struct _RTL_USER_PROCESS_INFORMATION64 {
+	ULONG Length;
+	LONGLONG Process;
+	LONGLONG Thread;
+	CLIENT_ID64 ClientId;
+	SECTION_IMAGE_INFORMATION64 ImageInformation;
+} RTL_USER_PROCESS_INFORMATION64, *PRTL_USER_PROCESS_INFORMATION64;
+
+/*
+**  RTL END
+*/
+
 /*
 **  LDR START
 */
@@ -3543,7 +4366,26 @@ typedef
 VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)(
 	_In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,
 	_In_ PVOID Context,
-	_In_ OUT BOOLEAN *StopEnumeration
+	_Inout_ BOOLEAN *StopEnumeration
+	);
+
+typedef
+VOID (CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)(
+    _In_     ULONG                       NotificationReason,
+    _In_     PCLDR_DLL_NOTIFICATION_DATA NotificationData,
+    _In_opt_ PVOID                       Context
+    );
+
+NTSTATUS NTAPI LdrAccessResource(
+	_In_ PVOID DllHandle,
+	_In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry,
+	_Out_opt_ PVOID *Address,
+	_Out_opt_ PULONG Size
+	);
+
+NTSTATUS NTAPI LdrAddRefDll(
+	ULONG Flags,
+	PVOID DllHandle
 	);
 
 NTSTATUS NTAPI LdrEnumerateLoadedModules(
@@ -3552,6 +4394,25 @@ NTSTATUS NTAPI LdrEnumerateLoadedModules(
 	_In_opt_ PVOID Context
 	);
 
+NTSTATUS NTAPI LdrFindResource_U(
+	_In_ PVOID DllHandle,
+	_In_ CONST ULONG_PTR* ResourceIdPath,
+	_In_ ULONG ResourceIdPathLength,
+	_Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry
+	);
+
+NTSTATUS NTAPI LdrFindEntryForAddress(
+	_In_ PVOID Address,
+	_Out_ PLDR_DATA_TABLE_ENTRY *TableEntry
+	);
+
+NTSTATUS NTAPI LdrGetDllHandle(
+	_In_opt_ PCWSTR DllPath,
+	_In_opt_ PULONG DllCharacteristics,
+	_In_ PCUNICODE_STRING DllName,
+	_Out_ PVOID *DllHandle
+	);
+
 NTSTATUS NTAPI LdrGetProcedureAddress(
 	_In_     PVOID DllHandle,
 	_In_opt_ CONST ANSI_STRING* ProcedureName,
@@ -3566,40 +4427,110 @@ NTSTATUS NTAPI LdrLoadDll(
 	_Out_    PVOID *DllHandle
 	);
 
+NTSTATUS NTAPI LdrQueryProcessModuleInformation(
+	_Out_     PRTL_PROCESS_MODULES ModuleInformation,
+	_In_      ULONG ModuleInformationLength,
+	_Out_opt_ PULONG ReturnLength 
+	);
+
 NTSTATUS NTAPI LdrUnloadDll(
 	_In_ PVOID DllHandle
 	);
 
-NTSTATUS NTAPI LdrGetDllHandle(
-	_In_opt_ PCWSTR DllPath OPTIONAL,
-	_In_opt_ PULONG DllCharacteristics OPTIONAL,
-	_In_ PCUNICODE_STRING DllName,
-	_Out_ PVOID *DllHandle
-	);
+NTSTATUS NTAPI LdrRegisterDllNotification(
+    _In_     ULONG                          Flags,
+    _In_     PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,
+    _In_opt_ PVOID                          Context,
+    _Out_    PVOID                          *Cookie
+    );
 
-NTSTATUS NTAPI LdrFindResource_U(
-	_In_ PVOID DllHandle,
-	_In_ CONST ULONG_PTR* ResourceIdPath,
-	_In_ ULONG ResourceIdPathLength,
-	_Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry
-	);
+NTSTATUS NTAPI LdrUnregisterDllNotification(
+    _In_ PVOID Cookie
+    );
 
-NTSTATUS NTAPI LdrAccessResource(
-	_In_ PVOID DllHandle,
-	_In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry,
-	_Out_opt_ PVOID *Address,
-	_Out_opt_ PULONG Size
-	);
+NTSTATUS NTAPI LdrResSearchResource(
+    _In_        PVOID File,
+    _In_        CONST ULONG_PTR* ResIds,
+    _In_        ULONG ResIdCount,
+    _In_        ULONG Flags,
+    _Out_       LPVOID *Resource,
+    _Out_       ULONG_PTR *Size,
+    _In_opt_    USHORT *FoundLanguage,
+    _In_opt_    ULONG *FoundLanguageLength
+    );
 
-NTSTATUS NTAPI LdrFindEntryForAddress(
-	_In_ PVOID Address,
-	_Out_ PLDR_DATA_TABLE_ENTRY *TableEntry
-	);
+NTSTATUS NTAPI LdrOpenImageFileOptionsKey(
+    _In_ PCUNICODE_STRING ImagePathName,
+    _In_ BOOLEAN Wow64Path,
+    _Out_ PHANDLE KeyHandle
+);
+
+NTSTATUS NTAPI LdrQueryImageFileExecutionOptions(
+    _In_ PCUNICODE_STRING ImagePathName,
+    _In_ PCWSTR OptionName,
+    _In_ ULONG Type,
+    _Out_ PVOID Buffer,
+    _In_ ULONG BufferSize,
+    _Out_opt_ PULONG ResultSize
+    );
+
+NTSTATUS NTAPI LdrQueryImageFileExecutionOptionsEx(
+    _In_ PCUNICODE_STRING ImagePathName,
+    _In_ PCWSTR OptionName,
+    _In_ ULONG Type,
+    _Out_ PVOID Buffer,
+    _In_ ULONG BufferSize,
+    _Out_opt_ PULONG ResultSize,
+    _In_ BOOLEAN Wow64Path
+    );
+
+NTSTATUS NTAPI LdrQueryImageFileKeyOption(
+    _In_ HANDLE KeyHandle,
+    _In_ PCWSTR OptionName,
+    _In_ ULONG Type,
+    _Out_ PVOID Buffer,
+    _In_ ULONG BufferSize,
+    _Out_opt_ PULONG ResultSize
+    );
 
 /*
 **  LDR END
 */
 
+typedef PVOID PHEAD;
+
+typedef struct _HANDLEENTRY {
+    PHEAD   phead;  // Pointer to the Object.
+    PVOID   pOwner; // PTI or PPI
+    BYTE    bType;  // Object handle type
+    BYTE    bFlags; // Flags
+    WORD    wUniq;  // Access count.
+} HANDLEENTRY, *PHANDLEENTRY;
+
+typedef struct _SERVERINFO {
+    WORD            wRIPFlags;
+    WORD            wSRVIFlags;
+    WORD            wRIPPID;
+    WORD            wRIPError;
+    ULONG           cHandleEntries;
+    // incomplete
+} SERVERINFO, *PSERVERINFO;
+
+typedef struct _SHAREDINFO {
+    PSERVERINFO		psi;
+    PHANDLEENTRY	aheList;
+    ULONG			HeEntrySize;
+    // incomplete
+} SHAREDINFO, *PSHAREDINFO;
+
+typedef struct _USERCONNECT
+{
+    ULONG ulVersion;
+    ULONG ulCurrentVersion;
+    DWORD dwDispatchCount;
+    SHAREDINFO siClient;
+} USERCONNECT, *PUSERCONNECT;
+
 /*
 ** Csr Runtime START
 */
@@ -3607,6 +4538,14 @@ NTSTATUS NTAPI LdrFindEntryForAddress(
 ULONG NTAPI CsrGetProcessId(
 	);
 
+NTSTATUS NTAPI CsrClientConnectToServer(
+    _In_ PWSTR ObjectDirectory,  
+    _In_ ULONG ServerDllIndex,
+    _Inout_ PVOID ConnectionInformation,
+    _Inout_ ULONG *ConnectionInformationLength, 
+    _Out_ PBOOLEAN CalledFromServer
+);
+
 /*
 ** Csr Runtime END
 */
@@ -3615,6 +4554,80 @@ ULONG NTAPI CsrGetProcessId(
 ** Runtime Library API START
 */
 
+NTSTATUS NTAPI RtlCreateEnvironment(
+    _In_ BOOLEAN CloneCurrentEnvironment,
+    _Out_ PVOID *Environment
+    );
+
+NTSTATUS NTAPI RtlDestroyEnvironment(
+    _In_ PVOID Environment
+    );
+
+NTSTATUS NTAPI RtlCreateProcessParameters(
+    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
+    _In_ PUNICODE_STRING ImagePathName,
+    _In_opt_ PUNICODE_STRING DllPath,
+    _In_opt_ PUNICODE_STRING CurrentDirectory,
+    _In_opt_ PUNICODE_STRING CommandLine,
+    _In_opt_ PVOID Environment,
+    _In_opt_ PUNICODE_STRING WindowTitle,
+    _In_opt_ PUNICODE_STRING DesktopInfo,
+    _In_opt_ PUNICODE_STRING ShellInfo,
+    _In_opt_ PUNICODE_STRING RuntimeData
+    );
+
+NTSTATUS NTAPI RtlDestroyProcessParameters(
+    _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters
+    );
+
+NTSTATUS NTAPI RtlCreateProcessParametersEx(
+    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
+    _In_ PUNICODE_STRING ImagePathName,
+    _In_opt_ PUNICODE_STRING DllPath,
+    _In_opt_ PUNICODE_STRING CurrentDirectory,
+    _In_opt_ PUNICODE_STRING CommandLine,
+    _In_opt_ PVOID Environment,
+    _In_opt_ PUNICODE_STRING WindowTitle,
+    _In_opt_ PUNICODE_STRING DesktopInfo,
+    _In_opt_ PUNICODE_STRING ShellInfo,
+    _In_opt_ PUNICODE_STRING RuntimeData,
+    _In_ ULONG Flags);
+
+NTSTATUS NTAPI RtlCreateUserProcess(
+	PUNICODE_STRING NtImagePathName,
+	ULONG Attributes,
+	PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
+	PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,
+	PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
+	HANDLE ParentProcess,
+	BOOLEAN InheritHandles,
+	HANDLE DebugPort,
+	HANDLE ExceptionPort,
+	PRTL_USER_PROCESS_INFORMATION ProcessInformation
+	);
+
+NTSTATUS NTAPI RtlCreateUserThread(
+    _In_ HANDLE Process,
+    _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
+    _In_ BOOLEAN CreateSuspended,
+    _In_ ULONG StackZeroBits,
+    _In_opt_ SIZE_T MaximumStackSize,
+    _In_opt_ SIZE_T InitialStackSize,
+    _In_ PUSER_THREAD_START_ROUTINE StartAddress,
+    _In_opt_ PVOID Parameter,
+    _Out_opt_ PHANDLE Thread,
+    _Out_opt_ PCLIENT_ID ClientId
+    );
+
+VOID NTAPI RtlExitUserThread(
+	IN NTSTATUS ExitStatus
+	);
+
+VOID NTAPI RtlFreeUserThreadStack(
+	HANDLE hProcess,
+	HANDLE hThread
+	);
+
 ULONG NTAPI RtlRandomEx(
 	_Inout_ PULONG Seed
 	);
@@ -3628,6 +4641,10 @@ ULONG NTAPI RtlRemoveVectoredExceptionHandler(
 	_In_ PVOID Handle
 	);
 
+VOID NTAPI RtlRaiseException(
+    _In_ PEXCEPTION_RECORD
+    );
+
 VOID NTAPI RtlPushFrame(
 	_In_ PTEB_ACTIVE_FRAME Frame
 	);
@@ -3640,9 +4657,14 @@ PTEB_ACTIVE_FRAME NTAPI RtlGetFrame(
 	VOID
 	);
 
+BOOLEAN NTAPI RtlCreateUnicodeString(
+    _Out_ PUNICODE_STRING DestinationString,
+    _In_  PCWSTR          SourceString
+    );
+
 VOID NTAPI RtlInitUnicodeString(
 	_Inout_	PUNICODE_STRING DestinationString,
-	_In_	PCWSTR SourceString
+    _In_opt_ PCWSTR SourceString
 	);
 
 BOOLEAN NTAPI RtlEqualUnicodeString(
@@ -3705,6 +4727,15 @@ VOID NTAPI RtlInitString(
 	PCSZ SourceString
 	);
 
+NTSTATUS NTAPI RtlExpandEnvironmentStrings(
+    _In_opt_ PVOID Environment,
+    _In_reads_(SrcLength) PWSTR Src,
+    _In_ SIZE_T SrcLength,
+    _Out_writes_opt_(DstLength) PWSTR Dst,
+    _In_ SIZE_T DstLength,
+    _Out_opt_ PSIZE_T ReturnLength
+    );
+
 NTSTATUS NTAPI RtlExpandEnvironmentStrings_U(
 	_In_opt_	PVOID Environment,
 	_In_		PCUNICODE_STRING Source,
@@ -3716,6 +4747,57 @@ VOID NTAPI RtlSetLastWin32Error(
 	LONG Win32Error
 	);
 
+NTSTATUS NTAPI RtlWow64EnableFsRedirection(
+    _In_ BOOLEAN Wow64FsEnableRedirection
+    );
+
+NTSTATUS NTAPI RtlWow64EnableFsRedirectionEx(
+    _In_ PVOID DisableFsRedirection,
+    _Out_ PVOID *OldFsRedirectionLevel
+    );
+
+PVOID NTAPI RtlEncodePointer(
+    PVOID Ptr
+    );
+
+PVOID NTAPI RtlDecodePointer(
+    PVOID Ptr
+    );
+
+typedef NTSTATUS
+(NTAPI * PRTL_HEAP_COMMIT_ROUTINE)(
+	IN PVOID Base,
+	IN OUT PVOID *CommitAddress,
+	IN OUT PSIZE_T CommitSize
+	);
+
+typedef struct _RTL_HEAP_PARAMETERS {
+	ULONG Length;
+	SIZE_T SegmentReserve;
+	SIZE_T SegmentCommit;
+	SIZE_T DeCommitFreeBlockThreshold;
+	SIZE_T DeCommitTotalFreeThreshold;
+	SIZE_T MaximumAllocationSize;
+	SIZE_T VirtualMemoryThreshold;
+	SIZE_T InitialCommit;
+	SIZE_T InitialReserve;
+	PRTL_HEAP_COMMIT_ROUTINE CommitRoutine;
+	SIZE_T Reserved[2];
+} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;
+
+PVOID NTAPI RtlCreateHeap(
+	_In_ ULONG Flags,
+	_In_opt_ PVOID HeapBase,
+	_In_opt_ SIZE_T ReserveSize,
+	_In_opt_ SIZE_T CommitSize,
+	_In_opt_ PVOID Lock,
+	_In_opt_ PRTL_HEAP_PARAMETERS Parameters 
+	);
+
+PVOID NTAPI RtlDestroyHeap(
+	_In_ PVOID HeapHandle
+	);
+
 PVOID NTAPI RtlAllocateHeap(
 	_In_ PVOID HeapHandle,
 	_In_ ULONG Flags,
@@ -3961,6 +5043,68 @@ NTSTATUS NTAPI RtlAdjustPrivilege(
 	PBOOLEAN WasEnabled
 	);
 
+//
+// preallocated heap-growable buffers
+//
+typedef struct _RTL_BUFFER {
+    PUCHAR    Buffer;
+    PUCHAR    StaticBuffer;
+    SIZE_T    Size;
+    SIZE_T    StaticSize;
+    SIZE_T    ReservedForAllocatedSize; // for future doubling
+    PVOID     ReservedForIMalloc; // for future pluggable growth
+} RTL_BUFFER, *PRTL_BUFFER;
+
+typedef struct _RTL_UNICODE_STRING_BUFFER {
+    UNICODE_STRING String;
+    RTL_BUFFER     ByteBuffer;
+    UCHAR          MinimumStaticBufferForTerminalNul[sizeof(WCHAR)];
+} RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER;
+
+NTSTATUS NTAPI RtlNtPathNameToDosPathName(
+    _In_ ULONG Flags,
+    _Inout_ PRTL_UNICODE_STRING_BUFFER Path,
+    _Out_opt_ PULONG Disposition,
+    _Inout_opt_ PWSTR* FilePart
+    );
+
+ULONG NTAPI RtlIsDosDeviceName_U(
+    PCWSTR DosFileName
+    );
+
+ULONG NTAPI RtlGetFullPathName_U(
+    __in PCWSTR lpFileName,
+    __in ULONG nBufferLength,
+    __out_bcount(nBufferLength) PWSTR lpBuffer,
+    __out_opt PWSTR *lpFilePart
+    );
+
+typedef enum _RTL_PATH_TYPE {
+    RtlPathTypeUnknown,         // 0
+    RtlPathTypeUncAbsolute,     // 1
+    RtlPathTypeDriveAbsolute,   // 2
+    RtlPathTypeDriveRelative,   // 3
+    RtlPathTypeRooted,          // 4
+    RtlPathTypeRelative,        // 5
+    RtlPathTypeLocalDevice,     // 6
+    RtlPathTypeRootLocalDevice  // 7
+} RTL_PATH_TYPE;
+
+RTL_PATH_TYPE NTAPI RtlDetermineDosPathNameType_U(
+    PCWSTR DosFileName
+    );
+
+#define HASH_STRING_ALGORITHM_DEFAULT   (0)
+#define HASH_STRING_ALGORITHM_X65599    (1)
+#define HASH_STRING_ALGORITHM_INVALID   (0xffffffff)
+
+NTSTATUS NTAPI RtlHashUnicodeString(
+    _In_ const UNICODE_STRING *String,
+    _In_ BOOLEAN CaseInSensitive,
+    _In_ ULONG HashAlgorithm,
+    _Out_ PULONG HashValue
+);
+
 ULONG DbgPrint(
 	_In_ PCH Format,
 	...
@@ -4174,20 +5318,105 @@ NTSTATUS NTAPI RtlDeleteCriticalSection(
 ** Critical Section END
 */
 
-
 /*
-** Loader API START
+** UAC Elevation Start
 */
 
-NTSTATUS NTAPI LdrGetProcedureAddress(
-	_In_ PVOID DllHandle,
-	_In_opt_ CONST ANSI_STRING* ProcedureName,
-	_In_opt_ ULONG ProcedureNumber,
-	_Out_ PVOID *ProcedureAddress
-	);
+#define DBG_FLAG_ELEVATION_ENABLED 1
+#define DBG_FLAG_VIRTUALIZATION_ENABLED 2
+#define DBG_FLAG_INSTALLER_DETECT_ENABLED 3
+
+NTSTATUS NTAPI RtlQueryElevationFlags(
+    _Inout_ ULONG *ElevationFlags
+    );
 
 /*
-** Loader API END
+** UAC Elevation END
+*/
+
+
+/*
+*  Memory parition START
+*/
+
+typedef enum _MEMORY_PARTITION_INFORMATION_CLASS {
+    SystemMemoryPartitionInformation,
+    SystemMemoryPartitionMoveMemory,
+    SystemMemoryPartitionAddPagefile,
+    SystemMemoryPartitionCombineMemory,
+    SystemMemoryPartitionInitialAddMemory
+} MEMORY_PARTITION_INFORMATION_CLASS;
+
+typedef struct _MEMORY_PARTITION_PAGE_RANGE {
+    ULONG_PTR StartPage;
+    ULONG_PTR NumberOfPages;
+} MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE;
+
+typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION {
+    ULONG Flags;
+    ULONG NumberOfRanges;
+    ULONG_PTR NumberOfPagesAdded;
+    MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1];
+} MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION;
+
+typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION {
+    PVOID StopHandle;
+    ULONG Flags;
+    ULONG_PTR TotalNumberOfPages;
+} MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION;
+
+typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION {
+    UNICODE_STRING PageFileName;
+    LARGE_INTEGER MinimumSize;
+    LARGE_INTEGER MaximumSize;
+    ULONG Flags;
+} MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION;
+
+typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION {
+    ULONG_PTR NumberOfPages;
+    ULONG NumaNode;
+    ULONG Flags;
+} MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION;
+
+typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION {
+    ULONG Flags;
+    ULONG NumaNode;
+    ULONG Channel;
+    ULONG NumberOfNumaNodes;
+    ULONG_PTR ResidentAvailablePages;
+    ULONG_PTR CommittedPages;
+    ULONG_PTR CommitLimit;
+    ULONG_PTR PeakCommitment;
+    ULONG_PTR TotalNumberOfPages;
+    ULONG_PTR AvailablePages;
+    ULONG_PTR ZeroPages;
+    ULONG_PTR FreePages;
+    ULONG_PTR StandbyPages;
+} MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION;
+
+NTSTATUS NTAPI NtOpenPartition(
+    _Out_ PHANDLE PartitionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+NTSTATUS NTAPI NtManagePartition(
+    _In_ HANDLE TargetHandle,
+    _In_ HANDLE SourceHandle,
+    _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,
+    _Inout_ PVOID PartitionInformation,
+    _In_ SIZE_T PartitionInformationLength
+    );
+
+NTSTATUS NTAPI NtCreatePartition(
+    _Out_ PHANDLE PartitionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ ULONG PreferredNode
+    );
+
+/*
+*  Memory partition END
 */
 
 /*
@@ -4198,11 +5427,25 @@ NTSTATUS NTAPI NtClose(
 	_In_ HANDLE Handle
 	);
 
+NTSTATUS NTAPI NtCreateDirectoryObject(
+    _Out_ PHANDLE DirectoryHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+NTSTATUS NTAPI NtCreateDirectoryObjectEx(
+    _Out_ PHANDLE DirectoryHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ HANDLE ShadowDirectoryHandle,
+    _In_ ULONG Flags
+    );
+
 NTSTATUS NTAPI NtOpenDirectoryObject(
-	_Out_  PHANDLE				DirectoryHandle,
-	_In_   ACCESS_MASK			DesiredAccess,
-	_In_   POBJECT_ATTRIBUTES	ObjectAttributes
-	);
+    _Out_  PHANDLE				DirectoryHandle,
+    _In_   ACCESS_MASK			DesiredAccess,
+    _In_   POBJECT_ATTRIBUTES	ObjectAttributes
+    );
 
 NTSTATUS NTAPI NtQueryDirectoryObject(
 	_In_       HANDLE DirectoryHandle,
@@ -4229,6 +5472,12 @@ NTSTATUS WINAPI NtQuerySystemInformation(
 	_Out_opt_  PULONG ReturnLength
 	);
 
+NTSTATUS NTAPI NtSetSystemInformation(
+	_In_       SYSTEM_INFORMATION_CLASS SystemInformationClass,
+	_In_opt_   PVOID SystemInformation,
+	_In_       ULONG SystemInformationLength
+	);
+
 NTSTATUS NTAPI NtCreateMutant(
 	_Out_		PHANDLE MutantHandle,
 	_In_		ACCESS_MASK DesiredAccess,
@@ -4327,6 +5576,18 @@ NTSTATUS NTAPI NtQueryDirectoryFile(
 	_In_		BOOLEAN RestartScan
 	);
 
+NTSTATUS NTAPI NtNotifyChangeDirectoryFile(
+    _In_        HANDLE FileHandle,
+    _In_opt_    HANDLE Event,
+    _In_opt_    PIO_APC_ROUTINE ApcRoutine,
+    _In_opt_    PVOID ApcContext,
+    _Out_       PIO_STATUS_BLOCK IoStatusBlock,
+    __out_bcount(Length) PVOID Buffer,
+    _In_        ULONG Length,
+    _In_        ULONG CompletionFilter,
+    _In_        BOOLEAN WatchTree
+);
+
 NTSTATUS NTAPI NtQuerySection(
 	_In_		HANDLE SectionHandle,
 	_In_		SECTION_INFORMATION_CLASS SectionInformationClass,
@@ -4367,14 +5628,55 @@ NTSTATUS NTAPI NtMapViewOfSection(
 NTSTATUS NTAPI NtUnmapViewOfSection(
 	_In_	HANDLE ProcessHandle,
 	_In_	PVOID BaseAddress
-	);
+    );
 
 NTSTATUS NTAPI NtOpenProcessToken(
-	_In_	HANDLE ProcessHandle,
-	_In_	ACCESS_MASK DesiredAccess,
-	_Out_	PHANDLE TokenHandle
-	);
+    _In_	HANDLE ProcessHandle,
+    _In_	ACCESS_MASK DesiredAccess,
+    _Out_	PHANDLE TokenHandle
+    );
 
+NTSTATUS NTAPI NtDuplicateToken(
+    _In_ HANDLE ExistingTokenHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ BOOLEAN EffectiveOnly,
+    _In_ TOKEN_TYPE TokenType,
+    _Out_ PHANDLE NewTokenHandle
+    );
+
+#define DISABLE_MAX_PRIVILEGE   0x1 // winnt
+#define SANDBOX_INERT           0x2 // winnt
+#define LUA_TOKEN               0x4
+#define WRITE_RESTRICT          0x8
+
+NTSTATUS NTAPI NtFilterToken(
+    _In_ HANDLE ExistingTokenHandle,
+    _In_ ULONG Flags,
+    _In_opt_ PTOKEN_GROUPS SidsToDisable,
+    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
+    _In_opt_ PTOKEN_GROUPS RestrictedSids,
+    _Out_ PHANDLE NewTokenHandle
+    );
+
+NTSTATUS NTAPI NtImpersonateAnonymousToken(
+    _In_ HANDLE ThreadHandle
+    );
+
+NTSTATUS NTAPI NtQueryInformationToken(
+    _In_ HANDLE TokenHandle,
+    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+    _Out_ PVOID TokenInformation,
+    _In_ ULONG TokenInformationLength,
+    _Out_ PULONG ReturnLength
+    );
+
+NTSTATUS NTAPI NtSetInformationToken(
+    _In_ HANDLE TokenHandle,
+    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+    _In_ PVOID TokenInformation,
+    _In_ ULONG TokenInformationLength
+    );
 
 NTSTATUS NTAPI NtOpenThreadTokenEx(
 	_In_       HANDLE ThreadHandle,
@@ -4401,6 +5703,16 @@ NTSTATUS NTAPI NtQueryInformationToken(
 	_Out_	PULONG ReturnLength
 	);
 
+NTSTATUS NTAPI NtCreateKey(
+    _Out_      PHANDLE KeyHandle,
+    _In_       ACCESS_MASK DesiredAccess,
+    _In_       POBJECT_ATTRIBUTES ObjectAttributes,
+    __reserved ULONG TitleIndex,
+    _In_opt_   PUNICODE_STRING Class,
+    _In_       ULONG CreateOptions,
+    _Out_opt_  PULONG Disposition
+    );
+
 NTSTATUS NTAPI NtOpenKey(
 	_Out_	PHANDLE KeyHandle,
 	_In_	ACCESS_MASK DesiredAccess,
@@ -4424,6 +5736,15 @@ NTSTATUS NTAPI NtQueryValueKey(
 	_Out_      PULONG ResultLength
 	);
 
+NTSTATUS NTAPI NtSetValueKey(
+    _In_     HANDLE KeyHandle,
+    _In_     PUNICODE_STRING ValueName,
+    _In_opt_ ULONG TitleIndex,
+    _In_     ULONG Type,
+    _In_     PVOID Data,
+    _In_     ULONG DataSize
+   );
+
 NTSTATUS NTAPI NtDeleteKey(
 	_In_       HANDLE KeyHandle
 	);
@@ -4433,6 +5754,14 @@ NTSTATUS NTAPI NtDeleteValueKey(
 	_In_       PUNICODE_STRING ValueName
 	);
 
+NTSTATUS NTAPI NtLoadDriver(
+    _In_ PUNICODE_STRING DriverServiceName
+    );
+
+NTSTATUS NTAPI NtUnloadDriver(
+    _In_ PUNICODE_STRING DriverServiceName
+    );
+
 NTSTATUS NTAPI NtOpenJobObject(
 	_Out_	PHANDLE JobHandle,
 	_In_	ACCESS_MASK DesiredAccess,
@@ -4469,18 +5798,10 @@ NTSTATUS NTAPI NtQueryInformationFile(
 	_In_	FILE_INFORMATION_CLASS FileInformationClass
 	);
 
-NTSTATUS NTAPI NtFsControlFile(
-	_In_     HANDLE FileHandle,
-	_In_opt_ HANDLE Event,
-	_In_opt_ PIO_APC_ROUTINE ApcRoutine,
-	_In_opt_ PVOID ApcContext,
-	_Out_    PIO_STATUS_BLOCK IoStatusBlock,
-	_In_     ULONG FsControlCode,
-	_In_     PVOID InputBuffer,
-	_In_     ULONG InputBufferLength,
-	_Out_    PVOID OutputBuffer,
-	_In_     ULONG OutputBufferLength
-	);
+NTSTATUS NTAPI NtQueryFullAttributesFile(
+    __in    POBJECT_ATTRIBUTES ObjectAttributes,
+    __out   PFILE_NETWORK_OPEN_INFORMATION FileInformation
+);
 
 NTSTATUS NTAPI NtQueryDirectoryFile(
 	_In_      HANDLE FileHandle,
@@ -4619,8 +5940,12 @@ NTSTATUS NTAPI NtCreateTransaction(
 	_In_opt_  PUNICODE_STRING Description
 	);
 
+NTSTATUS NTAPI NtRollbackTransaction(
+    _In_ HANDLE  TransactionHandle,
+    _In_ BOOLEAN Wait);
+
 //TmRm
-NTSTATUS NTAPINtCreateResourceManager(
+NTSTATUS NTAPI NtCreateResourceManager(
 	_Out_     PHANDLE ResourceManagerHandle,
 	_In_      ACCESS_MASK DesiredAccess,
 	_In_      HANDLE TmHandle,
@@ -4666,6 +5991,46 @@ NTSTATUS NTAPI NtCreateFile(
 	_In_		ULONG EaLength
 	);
 
+NTSTATUS NTAPI NtDeviceIoControlFile(
+    _In_  HANDLE           FileHandle,
+    _In_  HANDLE           Event,
+    _In_  PIO_APC_ROUTINE  ApcRoutine,
+    _In_  PVOID            ApcContext,
+    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+    _In_  ULONG            IoControlCode,
+    _In_  PVOID            InputBuffer,
+    _In_  ULONG            InputBufferLength,
+    _Out_ PVOID            OutputBuffer,
+    _In_  ULONG            OutputBufferLength
+    );
+
+NTSTATUS NTAPI NtFsControlFile(
+    _In_      HANDLE           FileHandle,
+    _In_opt_  HANDLE           Event,
+    _In_opt_  PIO_APC_ROUTINE  ApcRoutine,
+    _In_opt_  PVOID            ApcContext,
+    _Out_     PIO_STATUS_BLOCK IoStatusBlock,
+    _In_      ULONG            FsControlCode,
+    _In_opt_  PVOID            InputBuffer,
+    _In_      ULONG            InputBufferLength,
+    _Out_opt_ PVOID            OutputBuffer,
+    _In_      ULONG            OutputBufferLength
+    );
+
+NTSTATUS NTAPI NtCreateUserProcess(
+    _Out_ PHANDLE ProcessHandle,
+    _Out_ PHANDLE ThreadHandle,
+    _In_ ACCESS_MASK ProcessDesiredAccess,
+    _In_ ACCESS_MASK ThreadDesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
+    _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
+    _In_ ULONG ProcessFlags,
+    _In_ ULONG ThreadFlags, 
+    _In_opt_ PVOID ProcessParameters, 
+    _Inout_ PPS_CREATE_INFO CreateInfo,
+    _In_opt_ PPS_ATTRIBUTE_LIST AttributeList
+    );
+
 NTSTATUS NTAPI NtOpenProcess(
 	_Out_		PHANDLE ProcessHandle,
 	_In_		ACCESS_MASK DesiredAccess,
@@ -4678,6 +6043,14 @@ NTSTATUS NTAPI NtTerminateProcess(
 	_In_		NTSTATUS ExitStatus
 	);
 
+NTSTATUS NTAPI NtSuspendProcess(
+	_In_        HANDLE ProcessHandle
+	);
+
+NTSTATUS NTAPI NtResumeProcess(
+	_In_        HANDLE ProcessHandle
+	);
+
 NTSTATUS NTAPI NtSuspendThread(
 	_In_		HANDLE ThreadHandle,
 	_Out_opt_	PULONG PreviousSuspendCount
@@ -4695,6 +6068,11 @@ NTSTATUS NTAPI NtOpenThread(
 	_In_opt_    PCLIENT_ID ClientId
 	);
 
+NTSTATUS NTAPI NtTerminateThread(
+	_In_opt_    HANDLE ThreadHandle,
+	_In_        NTSTATUS ExitStatus
+	);
+
 NTSTATUS NTAPI NtImpersonateThread(
 	_In_        HANDLE ServerThreadHandle,
 	_In_        HANDLE ClientThreadHandle,
@@ -4711,6 +6089,21 @@ NTSTATUS NTAPI NtGetContextThread(
 	_Inout_     PCONTEXT ThreadContext
 	);
 
+NTSTATUS NTAPI NtQueryInformationThread(
+	_In_       HANDLE ThreadHandle,
+	_In_       THREADINFOCLASS ThreadInformationClass,
+	_Out_      PVOID ThreadInformation,
+	_In_       ULONG ThreadInformationLength,
+	_Out_opt_  PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtSetInformationThread(
+	_In_       HANDLE ThreadHandle,
+	_In_       THREADINFOCLASS ThreadInformationClass,
+	_In_       PVOID ThreadInformation,
+	_In_       ULONG ThreadInformationLength
+	);
+
 NTSTATUS NTAPI NtQueryInformationProcess(
 	_In_		HANDLE ProcessHandle,
 	_In_		PROCESSINFOCLASS ProcessInformationClass,
@@ -4719,6 +6112,13 @@ NTSTATUS NTAPI NtQueryInformationProcess(
 	_Out_opt_	PULONG ReturnLength
 	);
 
+NTSTATUS NTAPI NtSetInformationProcess(
+    _In_        HANDLE ProcessHandle,
+    _In_        PROCESSINFOCLASS ProcessInformationClass,
+    _In_count_(ProcessInformationLength) PVOID ProcessInformation,
+    _In_        ULONG ProcessInformationLength
+    );
+
 NTSTATUS NTAPI NtDuplicateObject(
 	_In_		HANDLE SourceProcessHandle,
 	_In_		HANDLE SourceHandle,
@@ -4743,6 +6143,14 @@ NTSTATUS NTAPI NtQuerySecurityObject(
 	_Out_	PULONG LengthNeeded
 	);
 
+NTSTATUS NTAPI NtQueryLicenseValue(
+    _In_ PUNICODE_STRING ValueName,
+    _Out_opt_ PULONG Type,
+    _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data,
+    _In_ ULONG DataSize,
+    _Out_ PULONG ResultDataSize
+);
+
 NTSTATUS NtCreateIoCompletion(
 	_Out_		PHANDLE IoCompletionHandle,
 	_In_		ACCESS_MASK DesiredAccess,
@@ -4758,6 +6166,11 @@ NTSTATUS NTAPI NtCreateEvent(
 	_In_		BOOLEAN InitialState
 	);
 
+NTSTATUS NTAPI NtSetEvent(
+    _In_        HANDLE EventHandle,
+    _Out_opt_   PLONG PreviousState
+    );
+
 NTSTATUS NTAPI NtAllocateVirtualMemory(
 	_In_        HANDLE ProcessHandle,
 	_Inout_     PVOID *BaseAddress,
@@ -4900,5 +6313,82 @@ NTSTATUS NTAPI NtAcceptConnectPort(
 	_In_			PPORT_MESSAGE ConnectionRequest,
 	_In_			BOOLEAN AcceptConnection,
 	_Inout_opt_		PPORT_VIEW ServerView,
-	_Out_opt_		PREMOTE_PORT_VIEW ClientView
-	);
+	_Out_opt_		PREMOTE_PORT_VIEW ClientView);
+
+typedef
+VOID
+(*PPS_APC_ROUTINE) (
+	_In_opt_ PVOID ApcArgument1,
+	_In_opt_ PVOID ApcArgument2,
+	_In_opt_ PVOID ApcArgument3);
+
+NTSTATUS NTAPI NtQueueApcThread(
+	_In_ HANDLE ThreadHandle,
+	_In_ PPS_APC_ROUTINE ApcRoutine,
+	_In_opt_ PVOID ApcArgument1,
+	_In_opt_ PVOID ApcArgument2,
+	_In_opt_ PVOID ApcArgument3);
+
+NTSTATUS NTAPI NtWaitForSingleObject(
+	_In_ HANDLE Handle,
+	_In_ BOOLEAN Alertable,
+	_In_opt_ PLARGE_INTEGER Timeout);
+
+NTSTATUS NTAPI NtYieldExecution(
+    VOID);
+
+NTSTATUS NTAPI NtCreateMailslotFile(
+    _Out_ PHANDLE FileHandle,
+    _In_ ULONG DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+    _In_ ULONG CreateOptions,
+    _In_ ULONG MailslotQuota,
+    _In_ ULONG MaximumMessageSize,
+    _In_ PLARGE_INTEGER ReadTimeout);
+
+NTSTATUS NTAPI NtSecureConnectPort(
+    _Out_ PHANDLE PortHandle,
+    _In_ PUNICODE_STRING PortName,
+    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+    _Inout_opt_ PPORT_VIEW ClientView,
+    _In_opt_ PSID RequiredServerSid,
+    _Inout_opt_ PREMOTE_PORT_VIEW ServerView,
+    _Out_opt_ PULONG MaxMessageLength,
+    _Inout_opt_ PVOID ConnectionInformation,
+    _Inout_opt_ PULONG ConnectionInformationLength);
+
+NTSTATUS NTAPI NtEnumerateBootEntries(
+    _Out_ PVOID Buffer,
+    _Inout_ PULONG BufferLength);
+
+NTSTATUS NTAPI NtPrivilegeCheck(
+    _In_ HANDLE ClientToken,
+    _Inout_ PPRIVILEGE_SET RequiredPrivileges,
+    _Out_ PBOOLEAN Result
+    );
+
+NTSTATUS NTAPI NtCreateProcessEx(
+    _Out_    PHANDLE ProcessHandle,
+    _In_     ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_     HANDLE ParentProcess,
+    _In_     ULONG Flags,
+    _In_opt_ HANDLE SectionHandle,
+    _In_opt_ HANDLE DebugPort,
+    _In_opt_ HANDLE ExceptionPort,
+    _In_     BOOLEAN InJob);
+
+NTSTATUS NTAPI NtCreateThreadEx(
+    _Out_ PHANDLE hThread,
+    _In_  ACCESS_MASK DesiredAccess,
+    _In_  LPVOID ObjectAttributes,
+    _In_  HANDLE ProcessHandle,
+    _In_  LPTHREAD_START_ROUTINE lpStartAddress,
+    _In_  LPVOID lpParameter,
+    _In_  BOOL CreateSuspended,
+    _In_  DWORD StackZeroBits,
+    _In_  DWORD SizeOfStackCommit,
+    _In_  DWORD SizeOfStackReserve,
+    _Out_ LPVOID lpBytesBuffer);
+
diff --git a/Source/Furutaka/resource.rc b/Source/Furutaka/resource.rc
index 9b6d71fe72095ebbdcf596f94c50ba42be17f8d5..33146699a9d347251ef8abefa186d34abd4e63e9 100644
GIT binary patch
delta 82
zcmX@6b4+K04mY<EgARisgE<fzO*ZG&MdokL=YGxv6wrey*qq4ch$1jKkxzW`H36Z`
I*8~b!0iC1}&j0`b

delta 82
zcmX@6b4+K04mY<UgARisgE@l%gUMubZe3*l=6vqwOh5rWn1aoTe2yprlN0&GCtni~
K+I&r*fE56pbP&$~

diff --git a/Source/Furutaka/sup.c b/Source/Furutaka/sup.c
index c23db86..460987f 100644
--- a/Source/Furutaka/sup.c
+++ b/Source/Furutaka/sup.c
@@ -4,9 +4,9 @@
 *
 *  TITLE:       SUP.C
 *
-*  VERSION:     1.10
+*  VERSION:     1.12
 *
-*  DATE:        17 Apr 2017
+*  DATE:        01 Dec 2017
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -45,6 +45,7 @@ PVOID supGetSystemInfo(
         }
         if (status == STATUS_INFO_LENGTH_MISMATCH) {
             RtlFreeHeap(hHeap, 0, Buffer);
+            Buffer = NULL;
             Size *= 2;
             c++;
             if (c > 100) {
diff --git a/TDL.sha256 b/TDL.sha256
index fd98132..e764d71 100644
--- a/TDL.sha256
+++ b/TDL.sha256
@@ -1,6 +1,6 @@
 a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys
 f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys
-bef3056b55e2f29525817e3e44753dcf32152460028d27b28e54cce3a7d1eb0f *Compiled\Furutaka.exe
+a7b38ab63ccdca7dc1a677974a7b4e325e195a233ae4a70dc14ab957aef5975c *Compiled\Furutaka.exe
 14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln
 d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj
 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
@@ -22,12 +22,12 @@ b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutak
 9b9f412b442a3a328693af6f6be5bc3f00b0723e49012e6395d3d5eb9184b078 *Source\Furutaka\global.h
 94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c
 33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h
-2e0ae7d721d15facb6a63af2df430ce5a1d6250fdb78fc7511e24c23a2d73a9a *Source\Furutaka\main.c
-8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
+3a7e165f891de48c942af84c9424c3f264e735d8d759fa4b694b6108686c0f05 *Source\Furutaka\main.c
+b29970b67a406364e4a8fef971e48383de176229a9333168bd03caa474d19e3b *Source\Furutaka\ntos.h
 fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
-2ae545acec81745467b20da56f88a31df07de2021456d82dc16dbbe9ce0b3103 *Source\Furutaka\resource.rc
+a2ceea364b0cc637a441649c48b23ade244b45838f7cc0289338ff854ec4ed00 *Source\Furutaka\resource.rc
 6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h
-fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c
+6ae8ca2192e5277e85a625c772092988592248dbaa444f385446202ea9e42eb5 *Source\Furutaka\sup.c
 059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h
 12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h
 cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys