Üye
- Katılım
- 23 Eyl 2020
- Mesajlar
- 36
- Tepki puanı
- 27
Driver
Usermode
Kod:
+ lOperationsOffset));
try
{
while (IRP_MJ_OPERATION_END != pFltOperationRegistration->MajorFunction)
{
if (MmIsAddressValid(pFltOperationRegistration->PreOperation) &&
IsFromEACRange(pFltOperationRegistration->PreOperation))
{
FilterAddr = pFltOperationRegistration->PreOperation;
pFltOperationRegistration->PreOperation = DummyObjectPreCallback;
break;
}
pFltOperationRegistration = (PFLT_OPERATION_REGISTRATION)((PUCHAR)pFltOperationRegistration + sizeof(FLT_OPERATION_REGISTRATION));
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
}
FltObjectDereference(ppFilterList[i]);
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
}
VirtualizerStrEncryptEnd();
VirtualizerEnd();
ExFreePool(ppFilterList);
ppFilterList = NULL;
#endif
return TRUE;
}
BOOLEAN RestoreMiniFilter()
{
#if (REMOVE_FILTER == 1)
NTSTATUS status = STATUS_SUCCESS;
ULONG ulFilterListSize = 0;
PFLT_FILTER* ppFilterList = NULL;
ULONG i = 0;
PFLT_OPERATION_REGISTRATION pFltOperationRegistration = NULL;
try
{
VirtualizerStart();
VirtualizerStrEncryptStart();
FltEnumerateFilters(NULL, 0, &ulFilterListSize);
ppFilterList = (PFLT_FILTER*)ExAllocatePool(NonPagedPool, ulFilterListSize * sizeof(PFLT_FILTER));
if (NULL == ppFilterList)
{
return FALSE;
}
status = FltEnumerateFilters(ppFilterList, ulFilterListSize, &ulFilterListSize);
if (!NT_SUCCESS(status))
{
return FALSE;
}
if (lOperationsOffset == 0)
{
return FALSE;
}
for (i = 0; i < ulFilterListSize; i++)
{
pFltOperationRegistration = (PFLT_OPERATION_REGISTRATION)(*(PVOID*)((PUCHAR)ppFilterList[i] + lOperationsOffset));
try
{
while (IRP_MJ_OPERATION_END != pFltOperationRegistration->MajorFunction)
{
if (pFltOperationRegistration->PreOperation == DummyObjectPreCallback)
{
pFltOperationRegistration->PreOperation = pFltOperationRegistration->PreOperation;
}
pFltOperationRegistration = (PFLT_OPERATION_REGISTRATION)((PUCHAR)pFltOperationRegistration + sizeof(FLT_OPERATION_REGISTRATION));
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
}
FltObjectDereference(ppFilterList[i]);
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
}
VirtualizerStrEncryptEnd();
VirtualizerEnd();
ExFreePool(ppFilterList);
ppFilterList = NULL;
#endif
return TRUE;
}
BOOLEAN Do_Bypass()
{
PLIST_ENTRY FirstEntry = 0;
PLIST_ENTRY pEntry = 0;;
__try
{
VirtualizerStart();
VirtualizerStrEncryptStart();
#if (REMOVE_PROCESSCALLBACKS == 1)
if (ProcessPostOperation || ProcessPreOperation)
return TRUE;
#if (SUSPEND_EAC == 1)
if (!NT_SUCCESS(SuspendOrResumeAllThreads(1)))
{
return FALSE;
}
#endif
FirstEntry = (PLIST_ENTRY)((uintptr_t)* PsProcessType + 0xC8);
pEntry = FirstEntry;
while (pEntry != NULL || pEntry != FirstEntry)
{
CALLBACK_ENTRY_ITEM* curCallback = (CALLBACK_ENTRY_ITEM*)pEntry;
if (!MmIsAddressValid(pEntry))
break;
if (IsFromEACRange((PVOID)curCallback->PostOperation) ||
IsFromEACRange((PVOID)curCallback->PreOperation))
{
ProcessPostOperation = (PVOID)curCallback->PostOperation;
ProcessPreOperation = (PVOID)curCallback->PreOperation;
curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)ProcessObjectPostCallback;
curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)ProcessObjectPreCallback;
break;
}
pEntry = pEntry->Flink;
if (pEntry == FirstEntry || pEntry == 0 || !MmIsAddressValid(pEntry) || !MmIsAddressValid(pEntry)) break;
}
#endif
#if (REMOVE_THREADCALLBACKS == 1)
FirstEntry = (PLIST_ENTRY)((uintptr_t)* PsThreadType + 0xC8);
pEntry = FirstEntry;
while (pEntry != NULL || pEntry != FirstEntry)
{
CALLBACK_ENTRY_ITEM* curCallback = (CALLBACK_ENTRY_ITEM*)pEntry;
if (!MmIsAddressValid(pEntry))
break;
if (IsFromEACRange((PVOID)curCallback->PostOperation) ||
IsFromEACRange((PVOID)curCallback->PreOperation))
{
ThreadPostOperation = (PVOID)curCallback->PostOperation;
ThreadPreOperation = (PVOID)curCallback->PreOperation;
curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)ThreadObjectPostCallback;
curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)ThreadObjectPreCallback;
break;
}
pEntry = pEntry->Flink;
if (pEntry == FirstEntry || pEntry == 0 || !MmIsAddressValid(pEntry) || !MmIsAddressValid(pEntry)) break;
}
#endif
VirtualizerStrEncryptEnd();
VirtualizerEnd();
}
except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualizerStrEncryptStart();
VirtualizerStrEncryptEnd();
return FALSE;
}
return TRUE;
}
BOOLEAN Remove_Bypass()
{
PLIST_ENTRY FirstEntry = 0;
PLIST_ENTRY pEntry = 0;
__try
{
VirtualizerStart();
VirtualizerStrEncryptStart();
#if (REMOVE_PROCESSCALLBACKS == 1)
FirstEntry = (PLIST_ENTRY)((uintptr_t)* PsProcessType + 0xC8);
pEntry = FirstEntry;
while (pEntry != NULL || pEntry != FirstEntry)
{
CALLBACK_ENTRY_ITEM* curCallback = (CALLBACK_ENTRY_ITEM*)pEntry;
if (!MmIsAddressValid(pEntry))
break;
if (curCallback->PostOperation == ProcessObjectPostCallback ||
curCallback->PreOperation == ProcessObjectPreCallback)
{
curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)ProcessPostOperation;
curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)ProcessPreOperation;
ProcessPostOperation = 0;
ProcessPreOperation = 0;
break;
}
pEntry = pEntry->Flink;
if (pEntry == FirstEntry || pEntry == 0 || !MmIsAddressValid(pEntry)) break;
}
#endif
#if (REMOVE_THREADCALLBACKS == 1)
FirstEntry = (PLIST_ENTRY)((uintptr_t)* PsThreadType + 0xC8);
pEntry = FirstEntry;
while (pEntry != NULL || pEntry != FirstEntry)
{
CALLBACK_ENTRY_ITEM* curCallback = (CALLBACK_ENTRY_ITEM*)pEntry;
if (!MmIsAddressValid(pEntry))
break;
if (curCallback->PostOperation == ThreadObjectPostCallback ||
curCallback->PreOperation == ThreadObjectPreCallback)
{
curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)ThreadPostOperation;
curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)ThreadPreOperation;
ThreadPostOperation = 0;
ThreadPreOperation = 0;
break;
}
pEntry = pEntry->Flink;
if (pEntry == FirstEntry || pEntry == 0 || !MmIsAddressValid(pEntry)) break;
}
#endif
#if (SUSPEND_EAC == 1)
if (!NT_SUCCESS(SuspendOrResumeAllThreads(0)))
{
return FALSE;
}
#endif
VirtualizerStrEncryptEnd();
VirtualizerEnd();
}
except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualizerStrEncryptStart();
VirtualizerStrEncryptEnd();
return FALSE;
}
return TRUE;
}
BOOLEAN FuckImageCallBack()
{
#if (REMOVE_IMAGEROUTINE == 1)
__try
{
VirtualizerStart();
VirtualizerStrEncryptStart();
ULONG64 NotifyAddr = 0, MagicPtr = 0;
ULONG64 PspLoadImageNotifyRoutine = (ULONG64)ImageCallBacks;
for (int i = 0; i < 64; i++)
{
MagicPtr = PspLoadImageNotifyRoutine + i * 8;
NotifyAddr = *(PULONG64)(MagicPtr);
if (MmIsAddressValid((PVOID)NotifyAddr) && NotifyAddr != 0)
{
NotifyAddr = *(PULONG64)(NotifyAddr & 0xfffffffffffffff8);
if (IsFromEACRange((PVOID)NotifyAddr))
{
EAC_ImageRoutine = (PVOID)NotifyAddr;
if (!NT_SUCCESS(PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)NotifyAddr)))
DbgPrint("PsRemoveLoadImageNotifyRoutine başarısız oldu");
else
{
return TRUE;
}
}
}
}
VirtualizerStrEncryptEnd();
VirtualizerEnd();
}
except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualizerStrEncryptStart();
VirtualizerStrEncryptEnd();
return FALSE;
}
#endif
return FALSE;
}
BOOLEAN FuckThreadCallBack()
{
#if (REMOVE_THREADROUTINE == 1)
__try
{
VirtualizerStart();
VirtualizerStrEncryptStart();
ULONG64 NotifyAddr = 0, MagicPtr = 0;
ULONG64 PspCreateThreadNotifyRoutine = (ULONG64)ThreadCallBacks;
for (int i = 0; i < 64; i++)
{
MagicPtr = PspCreateThreadNotifyRoutine + i * 8;
NotifyAddr = *(PULONG64)(MagicPtr);
if (MmIsAddressValid((PVOID)NotifyAddr) && NotifyAddr != 0)
{
NotifyAddr = *(PULONG64)(NotifyAddr & 0xfffffffffffffff8);
if (IsFromEACRange((PVOID)NotifyAddr))
{
EAC_ThreadRoutine = (PVOID)NotifyAddr;
if (!NT_SUCCESS(PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)NotifyAddr)))
DbgPrint("PsRemoveCreateThreadNotifyRoutine başarısız oldu!");
else
{
return TRUE;
}
}
}
}
VirtualizerStrEncryptEnd();
VirtualizerEnd();
}
except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualizerStrEncryptStart();
VirtualizerStrEncryptEnd();
return FALSE;
}
#endif
return FALSE;
}
BOOLEAN RestoreImageCallBack()
{
VirtualizerStart();
VirtualizerStrEncryptStart();
#if (REMOVE_IMAGEROUTINE == 1)
if (!MmIsAddressValid((PVOID)EAC_ImageRoutine) ||
!NT_SUCCESS(PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)EAC_ImageRoutine)))
else
{
return TRUE;
}
#endif
VirtualizerStrEncryptEnd();
VirtualizerEnd();
return FALSE;
}
BOOLEAN RestoreThreadCallBack()
{
VirtualizerStart();
VirtualizerStrEncryptStart();
#if (REMOVE_THREADROUTINE == 1)
if (!MmIsAddressValid((PVOID)EAC_ThreadRoutine) ||
!NT_SUCCESS(PsSetCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)EAC_ThreadRoutine)))
else
{
return TRUE;
}
#endif
VirtualizerStrEncryptEnd();
VirtualizerEnd();
return FALSE;
}
#pragma endregion CallBacks
#pragma region Routines
VOID ImageRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO Info)
{
UNREFERENCED_PARAMETER(ProcessId);
//VirtualizerStart();
if (wcsstr(FullImageName->Buffer, L"EasyAntiCheat.sys"))
{
EAC_Base = Info->ImageBase;
EAC_Base_Size = Info->ImageSize;
VirtualizerStrEncryptStart();
VirtualizerStrEncryptEnd();
}
}
VOID ProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
VirtualizerStart();
VirtualizerStrEncryptStart();
LPSTR lpFileName = 0;
PEPROCESS Process = 0;
if (ProcessId == pGameId && pGameId)
{
if (Create == 0)
{
if (ProcessPreOperation || ProcessPostOperation || ThreadPreOperation || ThreadPostOperation)
{
if (Remove_Bypass() == FALSE)
//hiçbir şey yapma
}
IsBypassEnabled = FALSE;
if (FilterAddr)
{
if (!RestoreMiniFilter())
//hiçbir şey yapma
}
#if (RESTORE_ROUTINES == 1)
//hiçbir şey yapma
#endif
}
}
if (ProcessId == pParentId && pParentId)
{
if (Create == 0)
{
if (FuckImageCallBack() == FALSE)
DbgPrint("FuckImageCallBack başarısız oldu");
if (FuckThreadCallBack() == FALSE)
DbgPrint("FuckThreadCallBack oldu");
if (!RemoveMiniFilter())
DbgPrint("RemoveMiniFilter oldu);
}
}
if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &Process)))
{
return;
}
if (MmIsAddressValid(Process))
{
lpFileName = (LPSTR)PsGetProcessImageFileName(Process);
if (MmIsAddressValid(lpFileName))
{
if (!_stricmp(lpFileName, "EACOyunAdı.exe") ||
strstr(lpFileName, "EACOyunAdı.exe"))
{
if (Create)
{
pParentId = ParentId;
pGameId = ProcessId;
FilterAddr = 0;
IsBypassEnabled = FALSE;
if (Do_Bypass() == FALSE)
DbgPrint("Do_Bypass başarısız oldu");
IsBypassEnabled = TRUE;
#if (RESTORE_ROUTINES == 1)
if (RestoreThreadCallBack() == FALSE)
DbgPrint("RestoreImageCallBack başarısız oldu.");
if (RestoreImageCallBack() == FALSE)
DbgPrint("RestoreImageCallBack başarısız oldu.");
#endif
}
}
}
}
VirtualizerStrEncryptEnd();
VirtualizerEnd();
}
#pragma endregion Routines
BOOLEAN InitBypass()
{
VirtualizerStart();
VirtualizerStrEncryptStart();
BOOLEAN Result = FALSE;
RTL_OSVERSIONINFOW osInfo;
PVOID Base = 0;
PIMAGE_NT_HEADERS64 Header = 0;
PIMAGE_SECTION_HEADER pFirstSec = 0;
ANSI_STRING s1, s2;
PVOID pFound = 0;
NTSTATUS status = -1;
RtlFillMemory(&osInfo, sizeof(RTL_OSVERSIONINFOW), 0);
RtlFillMemory(&s1, sizeof(ANSI_STRING), 0);
RtlFillMemory(&s2, sizeof(ANSI_STRING), 0);
osInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
RtlGetVersion(&osInfo);
DbgPrint("Sistem Bilgileri: BuildNumber[%ld] dwMajorVersion[%d] dwMinorVersion[%d]", osInfo.dwBuildNumber, osInfo.dwMajorVersion, osInfo.dwMinorVersion);
if (6 == osInfo.dwMajorVersion)
{
if (osInfo.dwMinorVersion == 1)
{
DbgPrint("Windows 7 tespit edildi");
//Eğer Windows 7yse
Base = GetKernelBase();
if (Base == 0)
{
DbgPrint("GetKernelBase başarısız oldu.");
return Result;
}
Header = RtlImageNtHeader(Base);
pFirstSec = (PIMAGE_SECTION_HEADER)(Header + 1);
for (PIMAGE_SECTION_HEADER pSec = pFirstSec; pSec < pFirstSec + (Header->FileHeader.NumberOfSections); pSec++)
{
RtlInitAnsiString(&s1, "PAGE");
RtlInitAnsiString(&s2, (PCCHAR)pSec->Name);
if (RtlCompareString(&s1, &s2, TRUE) == 0)
{
//BE ?? ?? ?? ?? 6A 00 8B CB 8B C6 E8 ?? ?? ?? ?? 84 C0 75 20 83 C7 04 83 C6 04 81 ?? ?? ?? ?? ?? 72 E3 53 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 5F
UCHAR ImageCallBacks_pattern[] = "\x48\x8D\x0D\xCC\xCC\xCC\xCC\x45\x33\xC0\x48\x8B\xD7\x48\x8D\x0C\xD9\xE8\xCC\xCC\xCC\xCC\x84\xC0\x75\xCC\xFF\xC3\x83\xFB\x08\xCC\xCC\x48\x8B\xCF";
UCHAR ImageCallBacks_pattern2[] = "\xBE\xCC\xCC\xCC\xCC\x6A\x00\x8B\xCB\x8B\xC6\xE8\xCC\xCC\xCC\xCC\x84\xC0\x75\x20\x83\xC7\x04\x83\xC6\x04\x81\xCC\xCC\xCC\xCC\xCC\x72\xE3\x53\xE8\xCC\xCC\xCC\xCC\xB8\xCC\xCC\xCC\xCC";
//BE ?? ?? ?? ?? 6A 00 8B CB 8B C6 E8 ?? ?? ?? ?? 84 C0 75 20 83 C7 04 83 C6 04 81 ?? ?? ?? ?? ?? 72 E3 53 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 5E
UCHAR ThreadCallBacks_pattern[] = "\x48\x8D\x1D\xCC\xCC\xCC\xCC\x41\xBF\x40\x00\x00\x00\x48\x8B\xCB";
UCHAR ThreadCallBacks_pattern2[] = "\xBE\xCC\xCC\xCC\xCC\x6A\x00\x8B\xCB\x8B\xC\xE8\xCC\xCC\xCC\xCC\x84\xC0\x75\x20\x83\xC7\x04\x83\xC6\x04\x81\xCC\xCC\xCC\xCC\xCC\x72\xE3\x53\xE8\xCC\xCC\xCC\xCC\xB8\xCC\xCC\xCC\xCC\x5E";
UCHAR PsSuspendThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\x48\x8B\x4C\x24\x68\xE8\xCC\xCC\xCC\xCC\xCC\x48";
//E8 ?? ?? ?? ?? 53 8B 45 08 E8 ?? ?? ?? ?? 8B D8 85 DB 75 E9
UCHAR PsSuspendThread_pattern2[] = "\xE8\xCC\xCC\xCC\xCC\x53\x8B\x45\x08\xE8\xCC\xCC\xCC\xCC\x8B\xD8\x85\xDB\x75\xE9";
// E8 ?? ?? ?? ?? 8B D8 85 DB 75 EA 8B 0F 83 E1 FE
UCHAR PsResumeThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\x48\x8B\x4C\x24\x60\xE8";
UCHAR PsResumeThread_pattern2[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xD8\x85\xDB\x75\xEA\x8B\x0F\x83\xE1\xFE";
status = SearchPattern(ImageCallBacks_pattern, 0xCC, sizeof(ImageCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
ImageCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
if (!ImageCallBacks)
{
status = SearchPattern(ImageCallBacks_pattern2, 0xCC, sizeof(ImageCallBacks_pattern2) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
{
DbgPrint("ImageCallBacks tespit edildi!");
ImageCallBacks = *(uintptr_t*)((uintptr_t)(pFound)+1);
}
if (!ImageCallBacks)
{
DbgPrint("ImageCallBacks bulunamadı.");
return Result;
}
}
pFound = 0;
status = SearchPattern(ThreadCallBacks_pattern, 0xCC, sizeof(ThreadCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
ThreadCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
if (!ThreadCallBacks)
{
status = SearchPattern(ThreadCallBacks_pattern2, 0xCC, sizeof(ThreadCallBacks_pattern2) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
ThreadCallBacks = *(uintptr_t*)((uintptr_t)(pFound)+1);
if (!ThreadCallBacks)
{
DbgPrint("ThreadCallBacks bulunamadı.");
return Result;
}
}
pFound = 0;
status = SearchPattern(PsSuspendThread_pattern, 0xCC, sizeof(PsSuspendThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
if (!o_PsSuspendThread)
{
status = SearchPattern(PsSuspendThread_pattern2, 0xCC, sizeof(PsSuspendThread_pattern2) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
if (!o_PsSuspendThread)
{
DbgPrint("o_PsSuspendThread bulunamadı.");
return Result;
}
}
pFound = 0;
status = SearchPattern(PsResumeThread_pattern, 0xCC, sizeof(PsResumeThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
if (!o_PsResumeThread)
{
status = SearchPattern(PsResumeThread_pattern2, 0xCC, sizeof(PsResumeThread_pattern2) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
if (!o_PsResumeThread)
{
DbgPrint("o_PsResumeThread bulunamadı.");
return Result;
}
}
}
}
if (ImageCallBacks && ThreadCallBacks && o_PsSuspendThread && o_PsResumeThread)
{
DbgPrint("PsSuspendThread 0x%llX", o_PsSuspendThread);
DbgPrint("PsResumeThread 0x%llX", o_PsResumeThread);
DbgPrint("ImageCallBacks 0x%llX", ImageCallBacks);
DbgPrint("ThreadCallBacks 0x%llX", ThreadCallBacks);
DbgPrint("Tüm addressler bulundu bypass hazır");
Result = 1;
}
}
else if (osInfo.dwMinorVersion == 3)
{
// Win8.1
DbgPrint(" Windows 8.1 tespit edildi");
Base = GetKernelBase();
if (Base == 0)
{
DbgPrint("GetKernelBase bulunamadı.");
return Result;
}
Header = RtlImageNtHeader(Base);
pFirstSec = (PIMAGE_SECTION_HEADER)(Header + 1);
for (PIMAGE_SECTION_HEADER pSec = pFirstSec; pSec < pFirstSec + (Header->FileHeader.NumberOfSections); pSec++)
{
RtlInitAnsiString(&s1, "PAGE");
RtlInitAnsiString(&s2, (PCCHAR)pSec->Name);
if (RtlCompareString(&s1, &s2, TRUE) == 0)
{
UCHAR ImageCallBacks_pattern[] = "\x48\x8D\x3D\xCC\xCC\xCC\xCC\xBD\x40\x00\x00\x00\x89\x06";
UCHAR ThreadCallBacks_pattern[] = "\x48\x8D\x1D\xCC\xCC\xCC\xCC\x41\xBF\x40\x00\x00\x00\x48\x8B\xCB";
UCHAR PsSuspendThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\xBA\xCC\xCC\xCC\xCC\x48\x8B\x4C\x24\x68";
UCHAR PsResumeThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\x83\xF8\x01\x75\xCC\x48\x8B\x8E\xCC\xCC\xCC\xCC";
status = SearchPattern(ImageCallBacks_pattern, 0xCC, sizeof(ImageCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
ImageCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
if (!ImageCallBacks)
{
DbgPrint("ImageCallBacks bulunamadı.");
return Result;
}
pFound = 0;
status = SearchPattern(ThreadCallBacks_pattern, 0xCC, sizeof(ThreadCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
ThreadCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
if (!ThreadCallBacks)
{
DbgPrint("ThreadCallBacks bulunamadı.");
return Result;
}
pFound = 0;
status = SearchPattern(PsSuspendThread_pattern, 0xCC, sizeof(PsSuspendThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
if (!o_PsSuspendThread)
{
DbgPrint("o_PsSuspendThread bulunamadı.");
return Result;
}
pFound = 0;
status = SearchPattern(PsResumeThread_pattern, 0xCC, sizeof(PsResumeThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
if (!o_PsResumeThread)
{
DbgPrint("o_PsResumeThread bulunamadı.");
return Result;
}
}
}
if (ImageCallBacks && ThreadCallBacks && o_PsSuspendThread && o_PsResumeThread)
{
DbgPrint("PsSuspendThread 0x%llX", o_PsSuspendThread);
DbgPrint("PsResumeThread 0x%llX", o_PsResumeThread);
DbgPrint("ImageCallBacks 0x%llX", ImageCallBacks);
DbgPrint("ThreadCallBacks 0x%llX", ThreadCallBacks);
DbgPrint("Tüm addressler bulundu bypass hazır");
Result = 1;
}
}
}
else if (osInfo.dwMajorVersion == 10)
{
//Windows 10
DbgPrint("Windows 10 tespit edildi");
Base = GetKernelBase();
if (Base == 0)
{
DbgPrint("GetKernelBase başarısız oldu.");
return Result;
}
Header = RtlImageNtHeader(Base);
pFirstSec = (PIMAGE_SECTION_HEADER)(Header + 1);
for (PIMAGE_SECTION_HEADER pSec = pFirstSec; pSec < pFirstSec + (Header->FileHeader.NumberOfSections); pSec++)
{
RtlInitAnsiString(&s1, "PAGE");
RtlInitAnsiString(&s2, (PCCHAR)pSec->Name);
if (RtlCompareString(&s1, &s2, TRUE) == 0)
{
UCHAR ImageCallBacks_pattern[] = "\x48\x8D\x0D\xCC\xCC\xCC\xCC\x45\x33\xC0\x48\x8D\x0C\xD9\x48\x8B\xD7\xE8\xCC\xCC\xCC\xCC\x84\xC0\x0F\x84\xCC\xCC\xCC\xCC";
UCHAR ThreadCallBacks_pattern[] = "\x48\x8D\x0D\xCC\xCC\xCC\xCC\x45\x33\xC0\x48\x8D\x0C\xD9\x48\x8B\xD7\xE8\xCC\xCC\xCC\xCC\x84\xC0\x74";
UCHAR ThreadCallBacks2_pattern[] = "\x48\x8D\x0D\xCC\xCC\xCC\xCC\x45\x33\xC0\x48\x8D\x0C\xD9\x48\x8B\xD7\xE8\xCC\xCC\xCC\xCC\x84\xC0\x75";
UCHAR PsSuspendThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x48\x8B\xD6\x48\x8B\xCD\xE8\xCC\xCC\xCC\xCC\x48\x8B\xF0";
UCHAR PsResumeThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x48\x8B\xD7\x48\x8B\xCD\xE8\xCC\xCC\xCC\xCC\xEB\xCC\xBB";
UCHAR PsSuspendThread3_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\xBA\xCC\xCC\xCC\xCC\x48\x8B\x4C\x24\x78";
UCHAR PsResumeThread3_pattern[] = "\xE8\xCC\xCC\xCC\xCC\xBA\xCC\xCC\xCC\xCC\x48\x8B\x4C\x24\x78\xE8\xCC\xCC\xCC\xCC\x90";
UCHAR PsSuspendThread2_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x48\x8B\xD7\x48\x8B\xCE\xE8\xCC\xCC\xCC\xCC\x48\x8B\xF8";
UCHAR PsResumeThread2_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x48\x8B\xD7\x48\x8B\xCE\xE8\xCC\xCC\xCC\xCC\xCC\xCC\x49\x8B\xCE";
status = SearchPattern(ImageCallBacks_pattern, 0xCC, sizeof(ImageCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
ImageCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
if (!ImageCallBacks)
{
DbgPrint("ImageCallBacks bulunamadı.");
return Result;
}
pFound = 0;
status = SearchPattern(ThreadCallBacks_pattern, 0xCC, sizeof(ThreadCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
ThreadCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
if (!ThreadCallBacks)
{
DbgPrint("ThreadCallBacks bulunamadı.Tekrar deneniyor...");
status = SearchPattern(ThreadCallBacks2_pattern, 0xCC, sizeof(ThreadCallBacks2_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
ThreadCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
if (!ThreadCallBacks)
{
DbgPrint("ThreadCallBacks bulunamadı.");
return Result;
}
}
pFound = 0;
status = SearchPattern(PsSuspendThread_pattern, 0xCC, sizeof(PsSuspendThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
if (!o_PsSuspendThread)
{
DbgPrint("o_PsSuspendThread bulunamadı.Tekrar deneniyor...");
status = SearchPattern(PsSuspendThread2_pattern, 0xCC, sizeof(PsSuspendThread2_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
if (!o_PsSuspendThread)
{
DbgPrint("o_PsSuspendThread bulunamadı.Tekrar deneniyor...");
status = SearchPattern(PsSuspendThread3_pattern, 0xCC, sizeof(PsSuspendThread3_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
if (!o_PsSuspendThread)
{
return Result;
}
}
}
pFound = 0;
status = SearchPattern(PsResumeThread_pattern, 0xCC, sizeof(PsResumeThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
if (!o_PsResumeThread)
{
DbgPrint("o_PsResumeThread bulunamadı.Tekrar deneniyor...");
status = SearchPattern(PsResumeThread2_pattern, 0xCC, sizeof(PsResumeThread2_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
if (!o_PsResumeThread)
{
DbgPrint("o_PsResumeThread bulunamadı.Tekrar deneniyor...");
status = SearchPattern(PsResumeThread3_pattern, 0xCC, sizeof(PsResumeThread3_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
if (NT_SUCCESS(status))
o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
if (!o_PsResumeThread)
{
DbgPrint("o_PsResumeThread bulunamadı.");
return Result;
}
}
}
}
}
if (ImageCallBacks && ThreadCallBacks && o_PsSuspendThread && o_PsResumeThread)
{
DbgPrint("PsSuspendThread 0x%llX", o_PsSuspendThread);
DbgPrint("PsResumeThread 0x%llX", o_PsResumeThread);
DbgPrint("ImageCallBacks 0x%llX", ImageCallBacks);
DbgPrint("ThreadCallBacks 0x%llX", ThreadCallBacks);
DbgPrint("Tüm addressler bulundu bypass hazır");
Result = 1;
}
}
if (Result == 0)
return Result;
if (!NT_SUCCESS(PsSetLoadImageNotifyRoutine(ImageRoutine)) ||
!NT_SUCCESS(PsSetCreateProcessNotifyRoutine(ProcessRoutine, 0)))
{
VirtualizerStrEncryptStart();
VirtualizerStrEncryptEnd();
Result = 0;
return Result;
}
ProcessPreOperation = 0;
ProcessPostOperation = 0;
ThreadPreOperation = 0;
ThreadPostOperation = 0;
VirtualizerStrEncryptEnd();
VirtualizerEnd();
return Result;
}
BOOLEAN UninitBypass()
{
VirtualizerStart();
VirtualizerStrEncryptStart();
BOOLEAN Result = 1;
if (ProcessPreOperation || ProcessPostOperation || ThreadPreOperation || ThreadPostOperation)
{
if (!Remove_Bypass())
{
DbgPrint("Callbackler resetlenemedi");
Result = 0;
}
}
IsBypassEnabled = FALSE;
#if (RESTORE_ROUTINES == 1)
if (RestoreThreadCallBack() == FALSE)
DbgPrint("RestoreImageCallBack başarısız oldu.");
if (RestoreImageCallBack() == FALSE)
DbgPrint("RestoreImageCallBack başarısız oldu.");
#endif
if (FilterAddr)
{
if (!RestoreMiniFilter())
{
DbgPrint("minifilter onarılamadı");
Result = 0;
}
}
if (!NT_SUCCESS(PsRemoveLoadImageNotifyRoutine(ImageRoutine)) ||
!NT_SUCCESS(PsSetCreateProcessNotifyRoutine(ProcessRoutine, 1)))
{
DbgPrint("callbackler kaldırılamadı");
Result = 0;
}
VirtualizerStrEncryptEnd();
VirtualizerEnd();
return Result;
}
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
UNREFERENCED_PARAMETER(DriverObject);
VirtualizerStart();
VirtualizerStrEncryptStart();
UNICODE_STRING symLink;
RtlInitUnicodeString(&symLink, dSymLinkBuffer);
if (!NT_SUCCESS(IoDeleteSymbolicLink(&symLink)))
{
DbgPrint("IoDeleteSymbolicLink başarısız oldu.");
}
if (pDeviceObject)
IoDeleteDevice(pDeviceObject);
if (!UninitBypass())
DbgPrint("İşlem başarısız oldu.");
VirtualizerStrEncryptEnd();
VirtualizerEnd();
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
UNREFERENCED_PARAMETER(RegistryPath);
VirtualizerStart();
VirtualizerStrEncryptStart();
NTSTATUS ntStatus = -1;
UNICODE_STRING deviceNameUnicodeString, deviceSymLinkUnicodeString;
RtlInitUnicodeString(&deviceNameUnicodeString, dNameBuffer);
RtlInitUnicodeString(&deviceSymLinkUnicodeString, dSymLinkBuffer);
DriverObject->DriverUnload = OnUnload;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoHandler;
if (InitBypass() == 0)
{
DbgPrint("InitBypass başarısız oldu.");
return ntStatus;
}
ntStatus = IoCreateDevice(DriverObject, 0, &deviceNameUnicodeString, FILE_DEVICE_UNKNOWN, FILE_DEVICE_UNKNOWN, FALSE, &pDeviceObject);
if (!NT_SUCCESS(ntStatus))
{
DbgPrint("IoCreateDevice başarısız oldu.");
return ntStatus;
}
ntStatus = IoCreateSymbolicLink(&deviceSymLinkUnicodeString, &deviceNameUnicodeString);
if (!NT_SUCCESS(ntStatus))
{
DbgPrint("IoCreateSymbolicLink başarısız oldu.");
return ntStatus;
}
//HideDriver(DriverObject);
VirtualizerStrEncryptEnd();
VirtualizerEnd();
return ntStatus;
}
NTSTATUS DeviceCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
UNREFERENCED_PARAMETER(Irp);
return STATUS_SUCCESS;
}
NTSTATUS DeviceClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
UNREFERENCED_PARAMETER(Irp);
return STATUS_SUCCESS;
}
NTSTATUS DeviceIoHandler(PDEVICE_OBJECT DeviceObject, PIRP IRP)
{
UNREFERENCED_PARAMETER(DeviceObject);
VirtualizerStart();
VirtualizerStrEncryptStart();
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(IRP);
IRP->IoStatus.Status = STATUS_SUCCESS;
if (stack)
{
if (stack->Parameters.DeviceIoControl.IoControlCode == ctl_protectprocess)
{
PHIDEPROC_STRUCT buffer = (PHIDEPROC_STRUCT)IRP->AssociatedIrp.SystemBuffer;
if (MmIsAddressValid(buffer))
ProcessIdToProtect = buffer->pId;
IRP->IoStatus.Information = sizeof(PHIDEPROC_STRUCT);
}
if (stack->Parameters.DeviceIoControl.IoControlCode == ctl_isenabled)
{
PIS_ENABLED_STRUCT buffer = (PIS_ENABLED_STRUCT)IRP->AssociatedIrp.SystemBuffer;
if (MmIsAddressValid(buffer))
buffer->IsEnabled = IsBypassEnabled;
IRP->IoStatus.Information = sizeof(PIS_ENABLED_STRUCT);
}
if (stack->Parameters.DeviceIoControl.IoControlCode == ctl_getprocid)
{
PGETPROC_STRUCT buffer = (PGETPROC_STRUCT)IRP->AssociatedIrp.SystemBuffer;
if (MmIsAddressValid(buffer))
buffer->pId = pGameId;
IRP->IoStatus.Information = sizeof(PGETPROC_STRUCT);
}
}
IoCompleteRequest(IRP, IO_NO_INCREMENT);
VirtualizerStrEncryptEnd();
VirtualizerEnd();
return IRP->IoStatus.Status;
}
#pragma region Utils
NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound)
{
ASSERT(ppFound != NULL && pattern != NULL && base != NULL);
if (ppFound == NULL || pattern == NULL || base == NULL)
return STATUS_INVALID_PARAMETER;
for (ULONG_PTR i = 0; i < size - len; i++)
{
BOOLEAN found = TRUE;
for (ULONG_PTR j = 0; j < len; j++)
{
if (pattern[j] != wildcard && pattern[j] != ((PCUCHAR)base)[i + j])
{
found = FALSE;
break;
}
}
if (found != FALSE)
{
*ppFound = (PUCHAR)base + i;
return STATUS_SUCCESS;
}
}
return STATUS_NOT_FOUND;
}
PVOID GetKernelBase()
{
VirtualizerStart();
VirtualizerStrEncryptStart();
NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES;
PVOID Base = 0;
ULONG cb = 0x10000;
do
{
status = STATUS_INSUFFICIENT_RESOURCES;
PRTL_PROCESS_MODULES prpm = (PRTL_PROCESS_MODULES)ExAllocatePool(PagedPool, cb);
if (prpm)
{
if (0 <= (status == ZwQuerySystemInformation(0x0B, prpm, cb, &cb)))
{
ULONG NumberOfModules = prpm->NumberOfModules;
if (NumberOfModules)
{
PRTL_PROCESS_MODULE_INFORMATION Modules = prpm->Modules;
do
{
if ((ULONG64)Modules->ImageBase > (ULONG64)(0x8000000000000000))
{
Base = Modules->ImageBase;
break;
}
} while (Modules++, --NumberOfModules);
}
}
ExFreePool(prpm);
}
} while (status == STATUS_INFO_LENGTH_MISMATCH);
VirtualizerStrEncryptEnd();
VirtualizerEnd();
return Base;
}
BOOLEAN IsFromEACRange(PVOID Address)
{
if ((ULONG64)Address > (ULONG64)EAC_Base &&
(ULONG64)((ULONG64)EAC_Base + (ULONG64)EAC_Base_Size) > (ULONG64)Address)
{
return 1;
}
return 0;
}
BOOLEAN SuspendOrResumeAllThreads(BOOLEAN Suspend)
{
VirtualizerStart();
VirtualizerStrEncryptStart();
ULONG cb = 0x20000;
PSYSTEM_PROCESS_INFORMATION psi = 0;
PVOID buf = 0;
NTSTATUS status = 0, rc = 0;
PETHREAD peThread = 0;
do
{
status = STATUS_INSUFFICIENT_RESOURCES;
if (buf = ExAllocatePool(PagedPool, cb))
{
if (0 <= (status = ZwQuerySystemInformation(5, buf, cb, &cb)))
{
psi = (PSYSTEM_PROCESS_INFORMATION)buf;
while (psi->NextEntryOffset)
{
if (psi->UniqueProcessId == (HANDLE)4)
{
for (ULONG i = 0; i < psi->NumberOfThreads; i++)
{
if (MmIsAddressValid(psi->Threads[i].StartAddress) && IsFromEACRange(psi->Threads[i].StartAddress))
{
rc = PsLookupThreadByThreadId(psi->Threads[i].ClientId.UniqueThread, &peThread);
if (!NT_SUCCESS(rc))
{
DbgPrint("PsLookupThreadByThreadId SuspendOrResumeAllThreads içerisinde başarısız oldu");
if (buf)
ExFreePool(buf);
return 0;
}
if (NT_SUCCESS(rc))
{
DbgPrint("EAC Thread %d !", psi->Threads[i].ClientId.UniqueThread);
if (peThread)
{
if (Suspend == TRUE)
{
if (!NT_SUCCESS(o_PsSuspendThread(peThread, 0)))
DbgPrint("o_PsSuspendThread başarısız oldu.");
}
else
if (!NT_SUCCESS(o_PsResumeThread(peThread)))
DbgPrint("o_PsSuspendThread başarısız oldu.");
}
}
}
}
}
psi = (PSYSTEM_PROCESS_INFORMATION)((ULONG64)(psi)+psi->NextEntryOffset);
}
}
if (buf)
ExFreePool(buf);
}
} while (status == STATUS_INFO_LENGTH_MISMATCH);
VirtualizerStrEncryptEnd();
VirtualizerEnd();
return (status == 0) ? 1 : 0;
}
uintptr_t dereference(uintptr_t address, unsigned int offset)
{
if (address == 0)
return 0;
return address + (int)((*(int*)(address + offset) + offset) + sizeof(int));
}
#pragma endregion Utils
C++:
#pragma once
#include "ntos.hpp"
#include "ntstructs.hpp"
typedef struct HIDEPROC_STRUCT
{
ULONG pId;
}HIDEPROC_STRUCT, * PHIDEPROC_STRUCT;
typedef struct IS_ENABLED_STRUCT
{
BOOLEAN IsEnabled;
}IS_ENABLED_STRUCT, * PIS_ENABLED_STRUCT;
typedef struct GETPROC_STRUCT
{
ULONG pId;
}GETPROC_STRUCT, * PGETPROC_STRUCT;
#define ctl_protectprocess CTL_CODE(FILE_DEVICE_UNKNOWN, 0xad138, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define ctl_isenabled CTL_CODE(FILE_DEVICE_UNKNOWN, 0xad136, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define ctl_getprocid CTL_CODE(FILE_DEVICE_UNKNOWN, 0xad139, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
const WCHAR dNameBuffer[] = L"\\Device\\EAC_AntiDebug_Bypass";
const WCHAR dSymLinkBuffer[] = L"\\DosDevices\\EAC_AntiDebug_Bypass";
ULONG ProcessIdToProtect = 0;
BOOLEAN IsBypassEnabled = 0;
PDEVICE_OBJECT pDeviceObject = 0;
NTSTATUS DeviceIoHandler(PDEVICE_OBJECT devicDriverObjecte_obj, PIRP IRP);
NTSTATUS DeviceCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS DeviceClose(PDEVICE_OBJECT DeviceObject, PIRP Irp);
PVOID* ThreadCallBacks = 0, *ImageCallBacks = 0;
PVOID ProcessPostOperation = 0, ProcessPreOperation = 0, ThreadPostOperation = 0, ThreadPreOperation = 0, FilterAddr = 0;
PVOID EAC_ThreadRoutine = 0, EAC_ImageRoutine = 0;
PVOID EAC_Base = 0;
ULONG64 EAC_Base_Size = 0;
HANDLE pParentId = 0, pGameId = 0;
LONG lOperationsOffset = 0;
typedef NTSTATUS(NTAPI* p_PsSuspendThread)(IN PETHREAD Thread, OUT PULONG PreviousCount OPTIONAL);
p_PsSuspendThread o_PsSuspendThread = 0;
typedef NTSTATUS(NTAPI* p_PsResumeThread)(IN PETHREAD Thread);
p_PsResumeThread o_PsResumeThread = 0;
BOOLEAN RestoreImageCallBack();
BOOLEAN RestoreThreadCallBack();
VOID ImageRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO Info);
VOID ProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound);
PVOID GetKernelBase();
BOOLEAN IsFromEACRange(PVOID Address);
BOOLEAN SuspendOrResumeAllThreads(BOOLEAN Suspend);
uintptr_t dereference(uintptr_t address, unsigned int offset);
VOID HideDriver(PDRIVER_OBJECT pDriverObject);
C++:
#pragma once
#define REMOVE_IMAGEROUTINE 1
#define REMOVE_THREADROUTINE 1
#define REMOVE_PROCESSCALLBACKS 1
#define REMOVE_THREADCALLBACKS 1
#define REMOVE_FILTER 0
#define SUSPEND_EAC 1
#define PROTECT_PROCESS 1
#define RESTORE_ROUTINES 1
#define USE_VM 0
#if(USE_VM == 1)
#include "VL\VirtualizerSDK.h"
#else
#define VM_TIGER_WHITE_START
#define VM_TIGER_WHITE_END
#define VM_TIGER_WHITE_START
#define VM_TIGER_WHITE_END
#define VM_EAGLE_BLACK_START
#define VM_EAGLE_BLACK_END
#define VIRTUALIZER_TIGER_WHITE_START
#define VIRTUALIZER_TIGER_WHITE_END
static void VirtualizerStart() {}
static void VirtualizerEnd() {}
static void VirtualizerStrEncryptStart() {}
static void VirtualizerStrEncryptEnd() {}
#endif
C:
#pragma once
#include <ntdef.h>
#include <ntifs.h>
#include <ntddk.h>
typedef unsigned long long QWORD;
NTKERNELAPI
NTSTATUS
PsCreateSystemProcess(
OUT PHANDLE ProcessHandle,
IN ULONG DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
typedef unsigned short WORD;
typedef
VOID
(*PCREATE_THREAD_NOTIFY_ROUTINE)(
IN HANDLE ProcessId,
IN HANDLE ThreadId,
IN BOOLEAN Create
);
typedef
VOID
(*PLOAD_IMAGE_NOTIFY_ROUTINE)(
IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId, // pid into which image is being mapped
IN PIMAGE_INFO ImageInfo
);
NTKERNELAPI
NTSTATUS
PsRemoveCreateThreadNotifyRoutine(
IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
);
NTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(IN PVOID ModuleAddress);
NTKERNELAPI
NTSTATUS
PsRemoveLoadImageNotifyRoutine(
IN PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
);
NTKERNELAPI
BOOLEAN
PsIsThreadTerminating(
IN PETHREAD Thread
);
/*
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID;
typedef CLIENT_ID *PCLIENT_ID;
*/
NTKERNELAPI
NTSTATUS
PsLookupProcessThreadByCid(
IN PCLIENT_ID Cid,
OUT PEPROCESS* Process,
OUT PETHREAD* Thread
);
// begin_ntosp
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS* Process
);
NTKERNELAPI
NTSTATUS
PsLookupThreadByThreadId(
IN HANDLE ThreadId,
OUT PETHREAD* Thread
);
NTKERNELAPI
PVOID
PsGetCurrentThreadStackLimit(
VOID
);
NTKERNELAPI
PVOID
PsGetCurrentThreadStackBase(
VOID
);
NTKERNELAPI
PVOID
PsGetProcessDebugPort(
IN PEPROCESS Process
);
NTKERNELAPI
BOOLEAN
PsIsProcessBeingDebugged(
IN PEPROCESS Process
);
NTKERNELAPI
HANDLE
PsGetProcessId(
IN PEPROCESS Process
);
NTKERNELAPI
HANDLE
PsGetProcessInheritedFromUniqueProcessId(
IN PEPROCESS Process
);
NTKERNELAPI
PPEB
PsGetProcessPeb(
IN PEPROCESS Process
);
NTKERNELAPI
PVOID
PsGetThreadTeb(
IN PETHREAD Thread
);
NTKERNELAPI //ntifs
BOOLEAN //ntifs
PsIsSystemThread( //ntifs
IN PETHREAD Thread //ntifs
); //ntifs
NTKERNELAPI
NTSTATUS
PsSetProcessWin32Process(
IN PEPROCESS Process,
IN PVOID Win32Process,
IN PVOID PrevWin32Process
);
NTKERNELAPI
VOID
PsSetProcessWindowStation(
OUT PEPROCESS Process,
IN HANDLE Win32WindowStation
);
NTKERNELAPI
VOID
PsSetThreadWin32Thread(
IN OUT PETHREAD Thread,
IN PVOID Win32Thread,
IN PVOID PrevWin32Thread
);
// Processor modes.
//
/*
typedef CCHAR KPROCESSOR_MODE;
typedef enum _MODE {
KernelMode,
UserMode,
MaximumMode
} MODE;
#define OBJECT_LOCK_COUNT 4
// Object Manager types
//
typedef struct _OBJECT_HANDLE_INFORMATION {
ULONG HandleAttributes;
ACCESS_MASK GrantedAccess;
} OBJECT_HANDLE_INFORMATION, *POBJECT_HANDLE_INFORMATION;
// end_ntddk end_wdm end_nthal end_ntifs
typedef struct _OBJECT_DUMP_CONTROL {
PVOID Stream;
ULONG Detail;
} OB_DUMP_CONTROL, *POB_DUMP_CONTROL;
typedef VOID (*OB_DUMP_METHOD)(
IN PVOID Object,
IN POB_DUMP_CONTROL Control OPTIONAL
);
typedef enum _OB_OPEN_REASON {
ObCreateHandle,
ObOpenHandle,
ObDuplicateHandle,
ObInheritHandle,
ObMaxOpenReason
} OB_OPEN_REASON;
typedef NTSTATUS (*OB_OPEN_METHOD)(
IN OB_OPEN_REASON OpenReason,
IN PEPROCESS Process OPTIONAL,
IN PVOID Object,
IN ACCESS_MASK GrantedAccess,
IN ULONG HandleCount
);
typedef BOOLEAN (*OB_OKAYTOCLOSE_METHOD)(
IN PEPROCESS Process OPTIONAL,
IN PVOID Object,
IN HANDLE Handle,
IN KPROCESSOR_MODE PreviousMode
);
typedef VOID (*OB_CLOSE_METHOD)(
IN PEPROCESS Process OPTIONAL,
IN PVOID Object,
IN ACCESS_MASK GrantedAccess,
IN ULONG_PTR ProcessHandleCount,
IN ULONG_PTR SystemHandleCount
);
typedef VOID (*OB_DELETE_METHOD)(
IN PVOID Object
);
typedef NTSTATUS (*OB_PARSE_METHOD)(
IN PVOID ParseObject,
IN PVOID ObjectType,
IN OUT PACCESS_STATE AccessState,
IN KPROCESSOR_MODE AccessMode,
IN ULONG Attributes,
IN OUT PUNICODE_STRING CompleteName,
IN OUT PUNICODE_STRING RemainingName,
IN OUT PVOID Context OPTIONAL,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
OUT PVOID *Object
);
typedef NTSTATUS (*OB_SECURITY_METHOD)(
IN PVOID Object,
IN SECURITY_OPERATION_CODE OperationCode,
IN PSECURITY_INFORMATION SecurityInformation,
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN OUT PULONG CapturedLength,
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
IN POOL_TYPE PoolType,
IN PGENERIC_MAPPING GenericMapping
);
typedef NTSTATUS (*OB_QUERYNAME_METHOD)(
IN PVOID Object,
IN BOOLEAN HasObjectName,
OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
IN ULONG Length,
OUT PULONG ReturnLength,
IN KPROCESSOR_MODE Mode
);
typedef struct _OBJECT_TYPE_INITIALIZER {
USHORT Length;
BOOLEAN UseDefaultObject;
BOOLEAN CaseInsensitive;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
BOOLEAN MaintainTypeList;
POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
OB_DUMP_METHOD DumpProcedure;
OB_OPEN_METHOD OpenProcedure;
OB_CLOSE_METHOD CloseProcedure;
OB_DELETE_METHOD DeleteProcedure;
OB_PARSE_METHOD ParseProcedure;
OB_SECURITY_METHOD SecurityProcedure;
OB_QUERYNAME_METHOD QueryNameProcedure;
OB_OKAYTOCLOSE_METHOD OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
typedef struct _OBJECT_TYPE {
ERESOURCE Mutex;
LIST_ENTRY TypeList;
UNICODE_STRING Name; // Copy from object header for convenience
PVOID DefaultObject;
ULONG Index;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
OBJECT_TYPE_INITIALIZER TypeInfo;
#ifdef POOL_TAGGING
ULONG Key;
#endif //POOL_TAGGING
ERESOURCE ObjectLocks[ OBJECT_LOCK_COUNT ];
} OBJECT_TYPE, *POBJECT_TYPE;
NTKERNELAPI
NTSTATUS
ObCreateObject(
IN KPROCESSOR_MODE ProbeMode,
IN POBJECT_TYPE ObjectType,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN KPROCESSOR_MODE OwnershipMode,
INout_opt PVOID ParseContext,
IN ULONG ObjectBodySize,
IN ULONG PagedPoolCharge,
IN ULONG NonPagedPoolCharge,
OUT PVOID *Object
);
NTKERNELAPI
NTSTATUS
ObInsertObject(
IN PVOID Object,
IN PACCESS_STATE PassedAccessState,
IN ACCESS_MASK DesiredAccess,
IN ULONG ObjectPointerBias,
OUT_opt PVOID *NewObject,
OUT_opt PHANDLE Handle
);
NTKERNELAPI
NTSTATUS
ObOpenObjectByName(
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
INout_opt PACCESS_STATE AccessState,
IN ACCESS_MASK DesiredAccess,
INout_opt PVOID ParseContext,
OUT PHANDLE Handle
);
NTKERNELAPI // ntifs
NTSTATUS // ntifs
ObOpenObjectByPointer( // ntifs
IN PVOID Object, // ntifs
IN ULONG HandleAttributes, // ntifs
IN PACCESS_STATE PassedAccessState, // ntifs
IN ACCESS_MASK DesiredAccess, // ntifs
IN POBJECT_TYPE ObjectType, // ntifs
IN KPROCESSOR_MODE AccessMode, // ntifs
OUT PHANDLE Handle // ntifs
); // ntifs
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE AccessState,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
INout_opt PVOID ParseContext,
OUT PVOID *Object
);
NTKERNELAPI
BOOLEAN
ObFindHandleForObject(
IN PEPROCESS Process,
IN PVOID Object,
IN POBJECT_TYPE ObjectType,
IN POBJECT_HANDLE_INFORMATION MatchCriteria,
OUT PHANDLE Handle
);
// begin_ntifs begin_ntosp
NTKERNELAPI
NTSTATUS
ObQueryNameString(
IN PVOID Object,
OUT_bcount(Length) POBJECT_NAME_INFORMATION ObjectNameInfo,
IN ULONG Length,
OUT PULONG ReturnLength
);
NTKERNELAPI
NTSTATUS
ObSetHandleAttributes (
IN HANDLE Handle,
IN POBJECT_HANDLE_FLAG_INFORMATION HandleFlags,
IN KPROCESSOR_MODE PreviousMode
);
NTKERNELAPI
NTSTATUS
ObCloseHandle (
IN HANDLE Handle,
IN KPROCESSOR_MODE PreviousMode
);
*/
//////////////////////////////////////////////////////////////////////////
//Nt?|????��??????��??????��?|D
//typedef struct _KPROCESS *PKPROCESS, *PRKPROCESS, *PEPROCESS;
// begin_ntddk begin_ntifs
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
// end_ntddk end_ntifs
// begin_ntddk begin_ntifs
/*
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation,
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDefaultHardErrorMode,
ProcessIoPortHandlers, // Note: this is kernel mode only
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
ProcessDeviceMap,
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information,
ProcessImageFileName,
ProcessLUIDDeviceMapsEnabled,
ProcessBreakOnTermination,
ProcessDebugObjectHandle,
ProcessDebugFlags,
ProcessHandleTracing,
ProcessIoPriority,
ProcessExecuteFlags,
ProcessResourceManagement,
ProcessCookie,
ProcessImageInformation,
MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum
} PROCESSINFOCLASS;
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength
);
// end_ntddk end_ntifs
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
IN PVOID ProcessInformation,
IN ULONG ProcessInformationLength
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
//
// Thread Information Classes
//
/*
typedef enum _THREADINFOCLASS {
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair_Reusable,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger,
ThreadBreakOnTermination,
ThreadSwitchLegacyState,
ThreadIsTerminated,
MaxThreadInfoClass
} THREADINFOCLASS;
// end_ntddk end_ntifs
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength
);
// begin_ntifs
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);
// end_ntifs
/*
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer,
IN ULONG EaLength
);
typedef
VOID
(NTAPI* PIO_APC_ROUTINE) (
IN PVOID ApcContext,
IN PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG Reserved
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeviceIoControlFile(
IN HANDLE FileHandle,
IN HANDLE Event,
IN PIO_APC_ROUTINE ApcRoutine,
IN PVOID ApcContext,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength
);
/*
typedef enum _FILE_INFORMATION_CLASS {
// end_wdm
FileDirectoryInformation = 1,
FileFullDirectoryInformation, // 2
FileBothDirectoryInformation, // 3
FileBasicInformation, // 4 wdm
FileStandardInformation, // 5 wdm
FileInternalInformation, // 6
FileEaInformation, // 7
FileAccessInformation, // 8
FileNameInformation, // 9
FileRenameInformation, // 10
FileLinkInformation, // 11
FileNamesInformation, // 12
FileDispositionInformation, // 13
FilePositionInformation, // 14 wdm
FileFullEaInformation, // 15
FileModeInformation, // 16
FileAlignmentInformation, // 17
FileAllInformation, // 18
FileAllocationInformation, // 19
FileEndOfFileInformation, // 20 wdm
FileAlternateNameInformation, // 21
FileStreamInformation, // 22
FilePipeInformation, // 23
FilePipeLocalInformation, // 24
FilePipeRemoteInformation, // 25
FileMailslotQueryInformation, // 26
FileMailslotSetInformation, // 27
FileCompressionInformation, // 28
FileObjectIdInformation, // 29
FileCompletionInformation, // 30
FileMoveClusterInformation, // 31
FileQuotaInformation, // 32
FileReparsePointInformation, // 33
FileNetworkOpenInformation, // 34
FileAttributeTagInformation, // 35
FileTrackingInformation, // 36
FileIdBothDirectoryInformation, // 37
FileIdFullDirectoryInformation, // 38
FileValidDataLengthInformation, // 39
FileShortNameInformation, // 40
FileMaximumInformation
// begin_wdm
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryDirectoryFile(
IN HANDLE FileHandle,
IN HANDLE Event,
IN PIO_APC_ROUTINE ApcRoutine,
IN PVOID ApcContext,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE_STRING FileName,
IN BOOLEAN RestartScan
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
);
/*
typedef enum _FSINFOCLASS {
FileFsVolumeInformation = 1,
FileFsLabelInformation, // 2
FileFsSizeInformation, // 3
FileFsDeviceInformation, // 4
FileFsAttributeInformation, // 5
FileFsControlInformation, // 6
FileFsFullSizeInformation, // 7
FileFsObjectIdInformation, // 8
FileFsDriverPathInformation, // 9
FileFsMaximumInformation
} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryVolumeInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FsInformation,
IN ULONG Length,
IN FS_INFORMATION_CLASS FsInformationClass
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtReadFile(
IN HANDLE FileHandle,
IN HANDLE Event,
IN PIO_APC_ROUTINE ApcRoutine,
IN PVOID ApcContext,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset,
IN PULONG Key
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetVolumeInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FsInformation,
IN ULONG Length,
IN FS_INFORMATION_CLASS FsInformationClass
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event,
IN PIO_APC_ROUTINE ApcRoutine,
IN PVOID ApcContext,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset,
IN PULONG Key
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtUnlockFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER ByteOffset,
IN PLARGE_INTEGER Length,
IN ULONG Key
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetEaFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtLockFile(
IN HANDLE FileHandle,
IN HANDLE Event,
IN PIO_APC_ROUTINE ApcRoutine,
IN PVOID ApcContext,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER ByteOffset,
IN PLARGE_INTEGER Length,
IN ULONG Key,
IN BOOLEAN FailImmediately,
IN BOOLEAN ExclusiveLock
);
typedef enum _SHUTDOWN_ACTION {
ShutdownNoReboot,
ShutdownReboot,
ShutdownPowerOff
} SHUTDOWN_ACTION;
NTSYSCALLAPI
NTSTATUS
NTAPI
NtShutdownSystem(
IN SHUTDOWN_ACTION Action
);
//////////////////////////////////////////////////////////////////////////
//Io?|????��??????��??????��?|D (1??a|????��???????��?????????��??????��????��?????��??????��?|??????��?o????????��????��???��?????��??????��????..)
//
// Define driver initialization routine type.
//
typedef
NTSTATUS
(*PDRIVER_INITIALIZE) (
IN struct _DRIVER_OBJECT* DriverObject,
IN PUNICODE_STRING RegistryPath
);
NTKERNELAPI
NTSTATUS
IoCreateDriver(
IN PUNICODE_STRING DriverName, OPTIONAL
IN PDRIVER_INITIALIZE InitializationFunction
);
NTKERNELAPI
VOID
IoDeleteDriver(
IN PDRIVER_OBJECT DriverObject
);
//////////////////////////////////////////////////////////////////////////
//Kd?|????��??????��??????��?|D
/*
NTKERNELAPI
NTSTATUS
KdDisableDebugger(
VOID
);
NTKERNELAPI
NTSTATUS
KdEnableDebugger(
VOID
);
*/
NTKERNELAPI
NTSTATUS
KdPowerTransition(
IN DEVICE_POWER_STATE newDeviceState
);
NTKERNELAPI
BOOLEAN
KdPollBreakIn(
VOID
);
//////////////////////////////////////////////////////////////////////////
//Ke?|????��??????��??????��?|D
NTSTATUS
NTAPI
Ke386CallBios(
IN ULONG BiosCommand,
IN OUT PCONTEXT BiosArguments
);
#define IOPM_SIZE 8192
typedef UCHAR KIO_ACCESS_MAP[IOPM_SIZE];
typedef KIO_ACCESS_MAP* PKIO_ACCESS_MAP;
BOOLEAN
NTAPI
Ke386SetIoAccessMap(
ULONG MapNumber,
PKIO_ACCESS_MAP IoAccessMap
);
BOOLEAN
NTAPI
Ke386QueryIoAccessMap(
ULONG MapNumber,
PKIO_ACCESS_MAP IoAccessMap
);
NTKERNELAPI
BOOLEAN
KeAddSystemServiceTable(
IN PULONG_PTR Base,
IN PULONG Count OPTIONAL,
IN ULONG Limit,
IN PUCHAR Number,
IN ULONG Index
);
#define PKPROCESS PRKPROCESS
NTKERNELAPI
VOID
KeDetachProcess(
VOID
);
NTKERNELAPI
DECLSPEC_NORETURN
VOID
NTAPI
KeBugCheck(
IN ULONG BugCheckCode
);
NTKERNELAPI
DECLSPEC_NORETURN
VOID
KeBugCheckEx(
IN ULONG BugCheckCode,
IN ULONG_PTR BugCheckParameter1,
IN ULONG_PTR BugCheckParameter2,
IN ULONG_PTR BugCheckParameter3,
IN ULONG_PTR BugCheckParameter4
);
/*
//
// Interrupt object
//
struct _KINTERRUPT;
// begin_ntddk begin_wdm begin_ntifs begin_ntosp
typedef
BOOLEAN
(*PKSERVICE_ROUTINE) (
IN struct _KINTERRUPT *Interrupt,
IN PVOID ServiceContext
);
typedef struct _KINTERRUPT {
CSHORT Type;
CSHORT Size;
LIST_ENTRY InterruptListEntry;
PKSERVICE_ROUTINE ServiceRoutine;
PVOID ServiceContext;
KSPIN_LOCK SpinLock;
ULONG TickCount;
PKSPIN_LOCK ActualLock;
PKINTERRUPT_ROUTINE DispatchAddress;
ULONG Vector;
KIRQL Irql;
KIRQL SynchronizeIrql;
BOOLEAN FloatingSave;
BOOLEAN Connected;
CCHAR Number;
BOOLEAN ShareVector;
KINTERRUPT_MODE Mode;
ULONG ServiceCount;
ULONG DispatchCount;
#if defined(_AMD64_)
PKTRAP_FRAME TrapFrame;
PVOID Reserved;
ULONG DispatchCode[DISPATCH_LENGTH];
#else
ULONG DispatchCode[DISPATCH_LENGTH];
#endif
} KINTERRUPT;
#if !defined(_X86AMD64_) && defined(_AMD64_)
C_ASSERT((FIELD_OFFSET(KINTERRUPT, DispatchCode) % 16) == 0);
C_ASSERT((sizeof(KINTERRUPT) % 16) == 0);
#endif
typedef struct _KINTERRUPT *PKINTERRUPT, *PRKINTERRUPT; // ntndis ntosp
NTKERNELAPI
BOOLEAN
KeDisconnectInterrupt (
INout PKINTERRUPT Interrupt
);
*/
NTKERNELAPI
VOID
KeEnterKernelDebugger(
VOID
);
NTSTATUS
NTAPI
KeI386AbiosCall(
IN USHORT LogicalId,
IN struct _DRIVER_OBJECT* DriverObject,
IN PUCHAR RequestBlock,
IN USHORT EntryPoint
);
NTSTATUS
NTAPI
KeI386AllocateGdtSelectors(
OUT PUSHORT SelectorArray,
IN USHORT NumberOfSelectors
);
NTSTATUS
NTAPI
KeI386FlatToGdtSelector(
IN ULONG SelectorBase,
IN USHORT Length,
IN USHORT Selector
);
NTSTATUS
NTAPI
KeI386ReleaseGdtSelectors(
OUT PUSHORT SelectorArray,
IN USHORT NumberOfSelectors
);
//
// GDT Entry
//
typedef struct _KGDTENTRY {
USHORT LimitLow;
USHORT BaseLow;
union {
struct {
UCHAR BaseMid;
UCHAR Flags1; // Declare as bytes to avoid alignment
UCHAR Flags2; // Problems.
UCHAR BaseHi;
} Bytes;
struct {
ULONG BaseMid : 8;
ULONG Type : 5;
ULONG Dpl : 2;
ULONG Pres : 1;
ULONG LimitHi : 4;
ULONG Sys : 1;
ULONG Reserved_0 : 1;
ULONG Default_Big : 1;
ULONG Granularity : 1;
ULONG BaseHi : 8;
} Bits;
} HighWord;
} KGDTENTRY, * PKGDTENTRY;
NTSTATUS
NTAPI
KeI386SetGdtSelector(
ULONG Selector,
PKGDTENTRY GdtValue
);
NTSTATUS
NTAPI
KeI386GetLid(
IN USHORT DeviceId,
IN USHORT RelativeLid,
IN BOOLEAN SharedLid,
IN struct _DRIVER_OBJECT* DeviceObject,
OUT PUSHORT LogicalId
);
NTSTATUS
NTAPI
KeI386ReleaseLid(
IN USHORT LogicalId,
IN struct _DRIVER_OBJECT* DeviceObject
);
/*
typedef enum _MODE {
KernelMode,
UserMode,
MaximumMode
} MODE;
*/
NTKERNELAPI
VOID
KeTerminateThread(
IN KPRIORITY Increment
);
//////////////////////////////////////////////////////////////////////////
//Mm?|????��??????��??????��?|D
NTKERNELAPI
PVOID
MmGetVirtualForPhysical(
IN PHYSICAL_ADDRESS PhysicalAddress
);
NTKERNELAPI
NTSTATUS
MmMapUserAddressesToPage(
IN PVOID BaseAddress,
IN SIZE_T NumberOfBytes,
IN PVOID PageAddress
);
NTKERNELAPI
NTSTATUS
MmMapViewOfSection(
IN PVOID SectionToMap,
IN PEPROCESS Process,
PVOID* CapturedBase,
IN ULONG_PTR ZeroBits,
IN SIZE_T CommitSize,
IN OUT PLARGE_INTEGER SectionOffset,
IN OUT PSIZE_T CapturedViewSize,
IN SECTION_INHERIT InheritDisposition,
IN ULONG AllocationType,
IN ULONG Win32Protect
);
NTKERNELAPI
NTSTATUS
MmUnmapViewOfSection(
IN PEPROCESS Process,
IN PVOID BaseAddress
);
/*
typedef enum _MM_SYSTEM_SIZE {
MmSmallSystem,
MmMediumSystem,
MmLargeSystem
} MM_SYSTEMSIZE;
*/
NTKERNELAPI
MM_SYSTEMSIZE
MmQuerySystemSize(
VOID
);
NTSTATUS NTAPI MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
NTSTATUS ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength);
LPSTR PsGetProcessImageFileName(PEPROCESS Process);
BOOLEAN KeInsertQueueApc(
PRKAPC Apc,
PVOID SystemArgument1,
PVOID SystemArgument2,
KPRIORITY Increment);
NTSTATUS ZwAllocateVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_In_ ULONG_PTR ZeroBits,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG AllocationType,
_In_ ULONG Protect
);
NTSTATUS ZwFreeVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG FreeType
);
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
// You may only use this code if you agree to the terms of the Windows Research Kernel Source Code License agreement (see License.txt).
// If you do not agree to the terms, do not use the code.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwDelayExecution(
__in BOOLEAN Alertable,
__in PLARGE_INTEGER DelayInterval
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemEnvironmentValue(
__in PUNICODE_STRING VariableName,
__out_bcount(ValueLength) PWSTR VariableValue,
__in USHORT ValueLength,
__out_opt PUSHORT ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemEnvironmentValue(
__in PUNICODE_STRING VariableName,
__in PUNICODE_STRING VariableValue
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemEnvironmentValueEx(
__in PUNICODE_STRING VariableName,
__in LPGUID VendorGuid,
__out_bcount_opt(*ValueLength) PVOID Value,
__inout PULONG ValueLength,
__out_opt PULONG Attributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemEnvironmentValueEx(
__in PUNICODE_STRING VariableName,
__in LPGUID VendorGuid,
__in_bcount_opt(ValueLength) PVOID Value,
__in ULONG ValueLength,
__in ULONG Attributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateSystemEnvironmentValuesEx(
__in ULONG InformationClass,
__out PVOID Buffer,
__inout PULONG BufferLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteBootEntry(
__in ULONG Id
);
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateBootEntries(
__out_bcount_opt(*BufferLength) PVOID Buffer,
__inout PULONG BufferLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryBootEntryOrder(
__out_ecount_opt(*Count) PULONG Ids,
__inout PULONG Count
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetBootEntryOrder(
__in_ecount(Count) PULONG Ids,
__in ULONG Count
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteDriverEntry(
__in ULONG Id
);
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateDriverEntries(
__out_bcount(*BufferLength) PVOID Buffer,
__inout PULONG BufferLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDriverEntryOrder(
__out_ecount(*Count) PULONG Ids,
__inout PULONG Count
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDriverEntryOrder(
__in_ecount(Count) PULONG Ids,
__in ULONG Count
);
NTSYSAPI
NTSTATUS
NTAPI
ZwClearEvent(
__in HANDLE EventHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateEvent(
__out PHANDLE EventHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in EVENT_TYPE EventType,
__in BOOLEAN InitialState
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenEvent(
__out PHANDLE EventHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwPulseEvent(
__in HANDLE EventHandle,
__out_opt PLONG PreviousState
);
NTSYSAPI
NTSTATUS
NTAPI
ZwResetEvent(
__in HANDLE EventHandle,
__out_opt PLONG PreviousState
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetEvent(
__in HANDLE EventHandle,
__out_opt PLONG PreviousState
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetEventBoostPriority(
__in HANDLE EventHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateEventPair(
__out PHANDLE EventPairHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenEventPair(
__out PHANDLE EventPairHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitLowEventPair(
__in HANDLE EventPairHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitHighEventPair(
__in HANDLE EventPairHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetLowWaitHighEventPair(
__in HANDLE EventPairHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetHighWaitLowEventPair(
__in HANDLE EventPairHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetLowEventPair(
__in HANDLE EventPairHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetHighEventPair(
__in HANDLE EventPairHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateMutant(
__out PHANDLE MutantHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in BOOLEAN InitialOwner
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenMutant(
__out PHANDLE MutantHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwReleaseMutant(
__in HANDLE MutantHandle,
__out_opt PLONG PreviousCount
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateSemaphore(
__out PHANDLE SemaphoreHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in LONG InitialCount,
__in LONG MaximumCount
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSemaphore(
__out PHANDLE SemaphoreHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwReleaseSemaphore(
__in HANDLE SemaphoreHandle,
__in LONG ReleaseCount,
__out_opt PLONG PreviousCount
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemTime(
__out PLARGE_INTEGER SystemTime
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemTime(
__in_opt PLARGE_INTEGER SystemTime,
__out_opt PLARGE_INTEGER PreviousTime
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryTimerResolution(
__out PULONG MaximumTime,
__out PULONG MinimumTime,
__out PULONG CurrentTime
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetTimerResolution(
__in ULONG DesiredTime,
__in BOOLEAN SetResolution,
__out PULONG ActualTime
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateLocallyUniqueId(
__out PLUID Luid
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetUuidSeed(
__in PCHAR Seed
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateUuids(
__out PULARGE_INTEGER Time,
__out PULONG Range,
__out PULONG Sequence,
__out PCHAR Seed
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProfile(
__out PHANDLE ProfileHandle,
__in HANDLE Process OPTIONAL,
__in PVOID ProfileBase,
__in SIZE_T ProfileSize,
__in ULONG BucketSize,
__in PULONG Buffer,
__in ULONG BufferSize,
__in KPROFILE_SOURCE ProfileSource,
__in KAFFINITY Affinity
);
NTSYSAPI
NTSTATUS
NTAPI
ZwStartProfile(
__in HANDLE ProfileHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwStopProfile(
__in HANDLE ProfileHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetIntervalProfile(
__in ULONG Interval,
__in KPROFILE_SOURCE Source
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryIntervalProfile(
__in KPROFILE_SOURCE ProfileSource,
__out PULONG Interval
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryPerformanceCounter(
__out PLARGE_INTEGER PerformanceCounter,
__out_opt PLARGE_INTEGER PerformanceFrequency
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateKeyedEvent(
__out PHANDLE KeyedEventHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in ULONG Flags
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenKeyedEvent(
__out PHANDLE KeyedEventHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwReleaseKeyedEvent(
__in HANDLE KeyedEventHandle,
__in PVOID KeyValue,
__in BOOLEAN Alertable,
__in_opt PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForKeyedEvent(
__in HANDLE KeyedEventHandle,
__in PVOID KeyValue,
__in BOOLEAN Alertable,
__in_opt PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
ZwRaiseHardError(
__in NTSTATUS ErrorStatus,
__in ULONG NumberOfParameters,
__in ULONG UnicodeStringParameterMask,
__in_ecount(NumberOfParameters) PULONG_PTR Parameters,
__in ULONG ValidResponseOptions,
__out PULONG Response
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultLocale(
__in BOOLEAN UserProfile,
__out PLCID DefaultLocaleId
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultLocale(
__in BOOLEAN UserProfile,
__in LCID DefaultLocaleId
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInstallUILanguage(
__out LANGID* InstallUILanguageId
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultUILanguage(
__out LANGID* DefaultUILanguageId
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultUILanguage(
__in LANGID DefaultUILanguageId
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultHardErrorPort(
__in HANDLE DefaultHardErrorPort
);
NTSYSAPI
NTSTATUS
NTAPI
ZwShutdownSystem(
__in SHUTDOWN_ACTION Action
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDisplayString(
__in PUNICODE_STRING String
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCancelIoFile(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateNamedPipeFile(
__out PHANDLE FileHandle,
__in ULONG DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in ULONG ShareAccess,
__in ULONG CreateDisposition,
__in ULONG CreateOptions,
__in ULONG NamedPipeType,
__in ULONG ReadMode,
__in ULONG CompletionMode,
__in ULONG MaximumInstances,
__in ULONG InboundQuota,
__in ULONG OutboundQuota,
__in_opt PLARGE_INTEGER DefaultTimeout
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateMailslotFile(
__out PHANDLE FileHandle,
__in ULONG DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in ULONG CreateOptions,
__in ULONG MailslotQuota,
__in ULONG MaximumMessageSize,
__in PLARGE_INTEGER ReadTimeout
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteFile(
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFlushBuffersFile(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock
);
NTSYSAPI
NTSTATUS
NTAPI
ZwNotifyChangeDirectoryFile(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__out_bcount(Length) PVOID Buffer,
__in ULONG Length,
__in ULONG CompletionFilter,
__in BOOLEAN WatchTree
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryAttributesFile(
__in POBJECT_ATTRIBUTES ObjectAttributes,
__out PFILE_BASIC_INFORMATION FileInformation
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryFullAttributesFile(
__in POBJECT_ATTRIBUTES ObjectAttributes,
__out PFILE_NETWORK_OPEN_INFORMATION FileInformation
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateFile(
__out PHANDLE FileHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in_opt PLARGE_INTEGER AllocationSize,
__in ULONG FileAttributes,
__in ULONG ShareAccess,
__in ULONG CreateDisposition,
__in ULONG CreateOptions,
__in_bcount_opt(EaLength) PVOID EaBuffer,
__in ULONG EaLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeviceIoControlFile(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in ULONG IoControlCode,
__in_bcount_opt(InputBufferLength) PVOID InputBuffer,
__in ULONG InputBufferLength,
__out_bcount_opt(OutputBufferLength) PVOID OutputBuffer,
__in ULONG OutputBufferLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFsControlFile(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in ULONG FsControlCode,
__in_bcount_opt(InputBufferLength) PVOID InputBuffer,
__in ULONG InputBufferLength,
__out_bcount_opt(OutputBufferLength) PVOID OutputBuffer,
__in ULONG OutputBufferLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLockFile(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in PLARGE_INTEGER ByteOffset,
__in PLARGE_INTEGER Length,
__in ULONG Key,
__in BOOLEAN FailImmediately,
__in BOOLEAN ExclusiveLock
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenFile(
__out PHANDLE FileHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in ULONG ShareAccess,
__in ULONG OpenOptions
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__out_bcount(Length) PVOID FileInformation,
__in ULONG Length,
__in FILE_INFORMATION_CLASS FileInformationClass,
__in BOOLEAN ReturnSingleEntry,
__in_opt PUNICODE_STRING FileName,
__in BOOLEAN RestartScan
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationFile(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock,
__out_bcount(Length) PVOID FileInformation,
__in ULONG Length,
__in FILE_INFORMATION_CLASS FileInformationClass
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryQuotaInformationFile(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock,
__out_bcount(Length) PVOID Buffer,
__in ULONG Length,
__in BOOLEAN ReturnSingleEntry,
__in_bcount_opt(SidListLength) PVOID SidList,
__in ULONG SidListLength,
__in_opt PSID StartSid,
__in BOOLEAN RestartScan
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryVolumeInformationFile(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock,
__out_bcount(Length) PVOID FsInformation,
__in ULONG Length,
__in FS_INFORMATION_CLASS FsInformationClass
);
NTSYSAPI
NTSTATUS
NTAPI
ZwReadFile(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__out_bcount(Length) PVOID Buffer,
__in ULONG Length,
__in_opt PLARGE_INTEGER ByteOffset,
__in_opt PULONG Key
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationFile(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in_bcount(Length) PVOID FileInformation,
__in ULONG Length,
__in FILE_INFORMATION_CLASS FileInformationClass
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetQuotaInformationFile(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in_bcount(Length) PVOID Buffer,
__in ULONG Length
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetVolumeInformationFile(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in_bcount(Length) PVOID FsInformation,
__in ULONG Length,
__in FS_INFORMATION_CLASS FsInformationClass
);
NTSYSAPI
NTSTATUS
NTAPI
ZwWriteFile(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in_bcount(Length) PVOID Buffer,
__in ULONG Length,
__in_opt PLARGE_INTEGER ByteOffset,
__in_opt PULONG Key
);
NTSYSAPI
NTSTATUS
NTAPI
ZwUnlockFile(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in PLARGE_INTEGER ByteOffset,
__in PLARGE_INTEGER Length,
__in ULONG Key
);
NTSYSAPI
NTSTATUS
NTAPI
ZwReadFileScatter(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in PFILE_SEGMENT_ELEMENT SegmentArray,
__in ULONG Length,
__in_opt PLARGE_INTEGER ByteOffset,
__in_opt PULONG Key
);
NTSYSAPI
NTSTATUS
NTAPI
ZwWriteFileGather(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in PFILE_SEGMENT_ELEMENT SegmentArray,
__in ULONG Length,
__in_opt PLARGE_INTEGER ByteOffset,
__in_opt PULONG Key
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLoadDriver(
__in PUNICODE_STRING DriverServiceName
);
NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadDriver(
__in PUNICODE_STRING DriverServiceName
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateIoCompletion(
__out PHANDLE IoCompletionHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in ULONG Count OPTIONAL
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenIoCompletion(
__out PHANDLE IoCompletionHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetIoCompletion(
__in HANDLE IoCompletionHandle,
__in PVOID KeyContext,
__in_opt PVOID ApcContext,
__in NTSTATUS IoStatus,
__in ULONG_PTR IoStatusInformation
);
NTSYSAPI
NTSTATUS
NTAPI
ZwRemoveIoCompletion(
__in HANDLE IoCompletionHandle,
__out PVOID* KeyContext,
__out PVOID* ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in_opt PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCallbackReturn(
__in_bcount_opt(OutputLength) PVOID OutputBuffer,
__in ULONG OutputLength,
__in NTSTATUS Status
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDebugFilterState(
__in ULONG ComponentId,
__in ULONG Level
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDebugFilterState(
__in ULONG ComponentId,
__in ULONG Level,
__in BOOLEAN State
);
NTSYSAPI
NTSTATUS
NTAPI
ZwYieldExecution(
VOID
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreatePort(
__out PHANDLE PortHandle,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in ULONG MaxConnectionInfoLength,
__in ULONG MaxMessageLength,
__in_opt ULONG MaxPoolUsage
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateWaitablePort(
__out PHANDLE PortHandle,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in ULONG MaxConnectionInfoLength,
__in ULONG MaxMessageLength,
__in_opt ULONG MaxPoolUsage
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCompleteConnectPort(
__in HANDLE PortHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateSection(
__out PHANDLE SectionHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PLARGE_INTEGER MaximumSize,
__in ULONG SectionPageProtection,
__in ULONG AllocationAttributes,
__in_opt HANDLE FileHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSection(
__out PHANDLE SectionHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwMapViewOfSection(
__in HANDLE SectionHandle,
__in HANDLE ProcessHandle,
__inout PVOID* BaseAddress,
__in ULONG_PTR ZeroBits,
__in SIZE_T CommitSize,
__inout_opt PLARGE_INTEGER SectionOffset,
__inout PSIZE_T ViewSize,
__in SECTION_INHERIT InheritDisposition,
__in ULONG AllocationType,
__in ULONG Win32Protect
);
NTSYSAPI
NTSTATUS
NTAPI
ZwUnmapViewOfSection(
__in HANDLE ProcessHandle,
__in PVOID BaseAddress
);
NTSYSAPI
NTSTATUS
NTAPI
ZwExtendSection(
__in HANDLE SectionHandle,
__inout PLARGE_INTEGER NewSectionSize
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAreMappedFilesTheSame(
__in PVOID File1MappedAsAnImage,
__in PVOID File2MappedAsFile
);
NTSYSAPI
NTSTATUS
NTAPI
ZwReadVirtualMemory(
__in HANDLE ProcessHandle,
__in_opt PVOID BaseAddress,
__out_bcount(BufferSize) PVOID Buffer,
__in SIZE_T BufferSize,
__out_opt PSIZE_T NumberOfBytesRead
);
NTSYSAPI
NTSTATUS
NTAPI
ZwWriteVirtualMemory(
__in HANDLE ProcessHandle,
__in_opt PVOID BaseAddress,
__in_bcount(BufferSize) CONST VOID* Buffer,
__in SIZE_T BufferSize,
__out_opt PSIZE_T NumberOfBytesWritten
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFlushVirtualMemory(
__in HANDLE ProcessHandle,
__inout PVOID* BaseAddress,
__inout PSIZE_T RegionSize,
__out PIO_STATUS_BLOCK IoStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLockVirtualMemory(
__in HANDLE ProcessHandle,
__inout PVOID* BaseAddress,
__inout PSIZE_T RegionSize,
__in ULONG MapType
);
NTSYSAPI
NTSTATUS
NTAPI
ZwUnlockVirtualMemory(
__in HANDLE ProcessHandle,
__inout PVOID* BaseAddress,
__inout PSIZE_T RegionSize,
__in ULONG MapType
);
NTSYSAPI
NTSTATUS
NTAPI
ZwProtectVirtualMemory(
__in HANDLE ProcessHandle,
__inout PVOID* BaseAddress,
__inout PSIZE_T RegionSize,
__in ULONG NewProtect,
__out PULONG OldProtect
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryVirtualMemory(
__in HANDLE ProcessHandle,
__in PVOID BaseAddress,
__in MEMORY_INFORMATION_CLASS MemoryInformationClass,
__out_bcount(MemoryInformationLength) PVOID MemoryInformation,
__in SIZE_T MemoryInformationLength,
__out_opt PSIZE_T ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwMapUserPhysicalPages(
__in PVOID VirtualAddress,
__in ULONG_PTR NumberOfPages,
__in_ecount_opt(NumberOfPages) PULONG_PTR UserPfnArray
);
NTSYSAPI
NTSTATUS
NTAPI
ZwMapUserPhysicalPagesScatter(
__in_ecount(NumberOfPages) PVOID* VirtualAddresses,
__in ULONG_PTR NumberOfPages,
__in_ecount_opt(NumberOfPages) PULONG_PTR UserPfnArray
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateUserPhysicalPages(
__in HANDLE ProcessHandle,
__inout PULONG_PTR NumberOfPages,
__out_ecount(*NumberOfPages) PULONG_PTR UserPfnArray
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFreeUserPhysicalPages(
__in HANDLE ProcessHandle,
__inout PULONG_PTR NumberOfPages,
__in_ecount(*NumberOfPages) PULONG_PTR UserPfnArray
);
NTSYSAPI
NTSTATUS
NTAPI
ZwGetWriteWatch(
__in HANDLE ProcessHandle,
__in ULONG Flags,
__in PVOID BaseAddress,
__in SIZE_T RegionSize,
__out_ecount(*EntriesInUserAddressArray) PVOID* UserAddressArray,
__inout PULONG_PTR EntriesInUserAddressArray,
__out PULONG Granularity
);
NTSYSAPI
NTSTATUS
NTAPI
ZwResetWriteWatch(
__in HANDLE ProcessHandle,
__in PVOID BaseAddress,
__in SIZE_T RegionSize
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreatePagingFile(
__in PUNICODE_STRING PageFileName,
__in PLARGE_INTEGER MinimumSize,
__in PLARGE_INTEGER MaximumSize,
__in ULONG Priority
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFlushInstructionCache(
__in HANDLE ProcessHandle,
__in_opt PVOID BaseAddress,
__in SIZE_T Length
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFlushWriteBuffer(
VOID
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryObject(
__in HANDLE Handle,
__in OBJECT_INFORMATION_CLASS ObjectInformationClass,
__out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
__in ULONG ObjectInformationLength,
__out_opt PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationObject(
__in HANDLE Handle,
__in OBJECT_INFORMATION_CLASS ObjectInformationClass,
__in_bcount(ObjectInformationLength) PVOID ObjectInformation,
__in ULONG ObjectInformationLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject(
__in HANDLE SourceProcessHandle,
__in HANDLE SourceHandle,
__in_opt HANDLE TargetProcessHandle,
__out_opt PHANDLE TargetHandle,
__in ACCESS_MASK DesiredAccess,
__in ULONG HandleAttributes,
__in ULONG Options
);
NTSYSAPI
NTSTATUS
NTAPI
ZwMakeTemporaryObject(
__in HANDLE Handle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwMakePermanentObject(
__in HANDLE Handle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSignalAndWaitForSingleObject(
__in HANDLE SignalHandle,
__in HANDLE WaitHandle,
__in BOOLEAN Alertable,
__in_opt PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForSingleObject(
__in HANDLE Handle,
__in BOOLEAN Alertable,
__in_opt PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForMultipleObjects(
__in ULONG Count,
__in_ecount(Count) HANDLE Handles[],
__in WAIT_TYPE WaitType,
__in BOOLEAN Alertable,
__in_opt PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForMultipleObjects32(
__in ULONG Count,
__in_ecount(Count) LONG Handles[],
__in WAIT_TYPE WaitType,
__in BOOLEAN Alertable,
__in_opt PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSecurityObject(
__in HANDLE Handle,
__in SECURITY_INFORMATION SecurityInformation,
__in PSECURITY_DESCRIPTOR SecurityDescriptor
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySecurityObject(
__in HANDLE Handle,
__in SECURITY_INFORMATION SecurityInformation,
__out_bcount_opt(Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
__in ULONG Length,
__out PULONG LengthNeeded
);
NTSYSAPI
NTSTATUS
NTAPI
ZwClose(
__in HANDLE Handle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateDirectoryObject(
__out PHANDLE DirectoryHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenDirectoryObject(
__out PHANDLE DirectoryHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryObject(
__in HANDLE DirectoryHandle,
__out_bcount_opt(Length) PVOID Buffer,
__in ULONG Length,
__in BOOLEAN ReturnSingleEntry,
__in BOOLEAN RestartScan,
__inout PULONG Context,
__out_opt PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateSymbolicLinkObject(
__out PHANDLE LinkHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in PUNICODE_STRING LinkTarget
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSymbolicLinkObject(
__out PHANDLE LinkHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySymbolicLinkObject(
__in HANDLE LinkHandle,
__inout PUNICODE_STRING LinkTarget,
__out_opt PULONG ReturnedLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwPowerInformation(
__in POWER_INFORMATION_LEVEL InformationLevel,
__in_bcount_opt(InputBufferLength) PVOID InputBuffer,
__in ULONG InputBufferLength,
__out_bcount_opt(OutputBufferLength) PVOID OutputBuffer,
__in ULONG OutputBufferLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetThreadExecutionState(
__in EXECUTION_STATE esFlags, // ES_xxx flags
__out EXECUTION_STATE* PreviousFlags
);
NTSYSAPI
NTSTATUS
NTAPI
ZwRequestWakeupLatency(
__in LATENCY_TIME latency
);
NTSYSAPI
NTSTATUS
NTAPI
ZwInitiatePowerAction(
__in POWER_ACTION SystemAction,
__in SYSTEM_POWER_STATE MinSystemState,
__in ULONG Flags, // POWER_ACTION_xxx flags
__in BOOLEAN Asynchronous
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemPowerState(
__in POWER_ACTION SystemAction,
__in SYSTEM_POWER_STATE MinSystemState,
__in ULONG Flags // POWER_ACTION_xxx flags
);
NTSYSAPI
NTSTATUS
NTAPI
ZwGetDevicePowerState(
__in HANDLE Device,
__out DEVICE_POWER_STATE* State
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCancelDeviceWakeupRequest(
__in HANDLE Device
);
NTSYSAPI
NTSTATUS
NTAPI
ZwRequestDeviceWakeup(
__in HANDLE Device
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcess(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in HANDLE ParentProcess,
__in BOOLEAN InheritObjectTable,
__in_opt HANDLE SectionHandle,
__in_opt HANDLE DebugPort,
__in_opt HANDLE ExceptionPort
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcessEx(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in HANDLE ParentProcess,
__in ULONG Flags,
__in_opt HANDLE SectionHandle,
__in_opt HANDLE DebugPort,
__in_opt HANDLE ExceptionPort,
__in ULONG JobMemberLevel
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
);
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess(
__in_opt HANDLE ProcessHandle,
__in NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwGetNextProcess(
__in HANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in ULONG HandleAttributes,
__in ULONG Flags,
__out PHANDLE NewProcessHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwGetNextThread(
__in HANDLE ProcessHandle,
__in HANDLE ThreadHandle,
__in ACCESS_MASK DesiredAccess,
__in ULONG HandleAttributes,
__in ULONG Flags,
__out PHANDLE NewThreadHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryPortInformationProcess(
VOID
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess(
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__in_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThread(
__out PHANDLE ThreadHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
);
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateThread(
__in_opt HANDLE ThreadHandle,
__in NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSuspendThread(
__in HANDLE ThreadHandle,
__out_opt PULONG PreviousSuspendCount
);
NTSYSAPI
NTSTATUS
NTAPI
ZwResumeThread(
__in HANDLE ThreadHandle,
__out_opt PULONG PreviousSuspendCount
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSuspendProcess(
__in HANDLE ProcessHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwResumeProcess(
__in HANDLE ProcessHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwGetContextThread(
__in HANDLE ThreadHandle,
__inout PCONTEXT ThreadContext
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetContextThread(
__in HANDLE ThreadHandle,
__in PCONTEXT ThreadContext
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationThread(
__in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__out_bcount(ThreadInformationLength) PVOID ThreadInformation,
__in ULONG ThreadInformationLength,
__out_opt PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationThread(
__in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__in_bcount(ThreadInformationLength) PVOID ThreadInformation,
__in ULONG ThreadInformationLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAlertThread(
__in HANDLE ThreadHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAlertResumeThread(
__in HANDLE ThreadHandle,
__out_opt PULONG PreviousSuspendCount
);
NTSYSAPI
NTSTATUS
NTAPI
ZwImpersonateThread(
__in HANDLE ServerThreadHandle,
__in HANDLE ClientThreadHandle,
__in PSECURITY_QUALITY_OF_SERVICE SecurityQos
);
NTSYSAPI
NTSTATUS
NTAPI
ZwTestAlert(
VOID
);
NTSYSAPI
NTSTATUS
NTAPI
ZwRegisterThreadTerminatePort(
__in HANDLE PortHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetLdtEntries(
__in ULONG Selector0,
__in ULONG Entry0Low,
__in ULONG Entry0Hi,
__in ULONG Selector1,
__in ULONG Entry1Low,
__in ULONG Entry1Hi
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateJobObject(
__out PHANDLE JobHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenJobObject(
__out PHANDLE JobHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAssignProcessToJobObject(
__in HANDLE JobHandle,
__in HANDLE ProcessHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateJobObject(
__in HANDLE JobHandle,
__in NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwIsProcessInJob(
__in HANDLE ProcessHandle,
__in_opt HANDLE JobHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateKey(
__out PHANDLE KeyHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__reserved ULONG TitleIndex,
__in_opt PUNICODE_STRING Class,
__in ULONG CreateOptions,
__out_opt PULONG Disposition
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteKey(
__in HANDLE KeyHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteValueKey(
__in HANDLE KeyHandle,
__in PUNICODE_STRING ValueName
);
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateKey(
__in HANDLE KeyHandle,
__in ULONG Index,
__in KEY_INFORMATION_CLASS KeyInformationClass,
__out_bcount_opt(Length) PVOID KeyInformation,
__in ULONG Length,
__out PULONG ResultLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateValueKey(
__in HANDLE KeyHandle,
__in ULONG Index,
__in KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
__out_bcount_opt(Length) PVOID KeyValueInformation,
__in ULONG Length,
__out PULONG ResultLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFlushKey(
__in HANDLE KeyHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwInitializeRegistry(
__in USHORT BootCondition
);
NTSYSAPI
NTSTATUS
NTAPI
ZwNotifyChangeKey(
__in HANDLE KeyHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in ULONG CompletionFilter,
__in BOOLEAN WatchTree,
__out_bcount_opt(BufferSize) PVOID Buffer,
__in ULONG BufferSize,
__in BOOLEAN Asynchronous
);
NTSYSAPI
NTSTATUS
NTAPI
ZwNotifyChangeMultipleKeys(
__in HANDLE MasterKeyHandle,
__in_opt ULONG Count,
__in_ecount_opt(Count) OBJECT_ATTRIBUTES SlaveObjects[],
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in ULONG CompletionFilter,
__in BOOLEAN WatchTree,
__out_bcount_opt(BufferSize) PVOID Buffer,
__in ULONG BufferSize,
__in BOOLEAN Asynchronous
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLoadKey(
__in POBJECT_ATTRIBUTES TargetKey,
__in POBJECT_ATTRIBUTES SourceFile
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLoadKey2(
__in POBJECT_ATTRIBUTES TargetKey,
__in POBJECT_ATTRIBUTES SourceFile,
__in ULONG Flags
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLoadKeyEx(
__in POBJECT_ATTRIBUTES TargetKey,
__in POBJECT_ATTRIBUTES SourceFile,
__in ULONG Flags,
__in_opt HANDLE TrustClassKey
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenKey(
__out PHANDLE KeyHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryKey(
__in HANDLE KeyHandle,
__in KEY_INFORMATION_CLASS KeyInformationClass,
__out_bcount_opt(Length) PVOID KeyInformation,
__in ULONG Length,
__out PULONG ResultLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryValueKey(
__in HANDLE KeyHandle,
__in PUNICODE_STRING ValueName,
__in KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
__out_bcount_opt(Length) PVOID KeyValueInformation,
__in ULONG Length,
__out PULONG ResultLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryMultipleValueKey(
__in HANDLE KeyHandle,
__inout_ecount(EntryCount) PKEY_VALUE_ENTRY ValueEntries,
__in ULONG EntryCount,
__out_bcount(*BufferLength) PVOID ValueBuffer,
__inout PULONG BufferLength,
__out_opt PULONG RequiredBufferLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwReplaceKey(
__in POBJECT_ATTRIBUTES NewFile,
__in HANDLE TargetHandle,
__in POBJECT_ATTRIBUTES OldFile
);
NTSYSAPI
NTSTATUS
NTAPI
ZwRenameKey(
__in HANDLE KeyHandle,
__in PUNICODE_STRING NewName
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCompactKeys(
__in ULONG Count,
__in_ecount(Count) HANDLE KeyArray[]
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCompressKey(
__in HANDLE Key
);
NTSYSAPI
NTSTATUS
NTAPI
ZwRestoreKey(
__in HANDLE KeyHandle,
__in HANDLE FileHandle,
__in ULONG Flags
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSaveKey(
__in HANDLE KeyHandle,
__in HANDLE FileHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSaveKeyEx(
__in HANDLE KeyHandle,
__in HANDLE FileHandle,
__in ULONG Format
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSaveMergedKeys(
__in HANDLE HighPrecedenceKeyHandle,
__in HANDLE LowPrecedenceKeyHandle,
__in HANDLE FileHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetValueKey(
__in HANDLE KeyHandle,
__in PUNICODE_STRING ValueName,
__in_opt ULONG TitleIndex,
__in ULONG Type,
__in_bcount_opt(DataSize) PVOID Data,
__in ULONG DataSize
);
NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadKey(
__in POBJECT_ATTRIBUTES TargetKey
);
NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadKey2(
__in POBJECT_ATTRIBUTES TargetKey,
__in ULONG Flags
);
NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadKeyEx(
__in POBJECT_ATTRIBUTES TargetKey,
__in_opt HANDLE Event
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationKey(
__in HANDLE KeyHandle,
__in KEY_SET_INFORMATION_CLASS KeySetInformationClass,
__in_bcount(KeySetInformationLength) PVOID KeySetInformation,
__in ULONG KeySetInformationLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryOpenSubKeys(
__in POBJECT_ATTRIBUTES TargetKey,
__out PULONG HandleCount
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryOpenSubKeysEx(
__in POBJECT_ATTRIBUTES TargetKey,
__in ULONG BufferLength,
__out_bcount(BufferLength) PVOID Buffer,
__out PULONG RequiredSize
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLockRegistryKey(
__in HANDLE KeyHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLockProductActivationKeys(
__inout_opt ULONG* pPrivateVer,
__out_opt ULONG* pSafeMode
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheck(
__in PSECURITY_DESCRIPTOR SecurityDescriptor,
__in HANDLE ClientToken,
__in ACCESS_MASK DesiredAccess,
__in PGENERIC_MAPPING GenericMapping,
__out_bcount(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
__inout PULONG PrivilegeSetLength,
__out PACCESS_MASK GrantedAccess,
__out PNTSTATUS AccessStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByType(
__in PSECURITY_DESCRIPTOR SecurityDescriptor,
__in_opt PSID PrincipalSelfSid,
__in HANDLE ClientToken,
__in ACCESS_MASK DesiredAccess,
__in_ecount(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
__in ULONG ObjectTypeListLength,
__in PGENERIC_MAPPING GenericMapping,
__out_bcount(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
__inout PULONG PrivilegeSetLength,
__out PACCESS_MASK GrantedAccess,
__out PNTSTATUS AccessStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultList(
__in PSECURITY_DESCRIPTOR SecurityDescriptor,
__in_opt PSID PrincipalSelfSid,
__in HANDLE ClientToken,
__in ACCESS_MASK DesiredAccess,
__in_ecount(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
__in ULONG ObjectTypeListLength,
__in PGENERIC_MAPPING GenericMapping,
__out_bcount(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
__inout PULONG PrivilegeSetLength,
__out_ecount(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
__out_ecount(ObjectTypeListLength) PNTSTATUS AccessStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateToken(
__out PHANDLE TokenHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in TOKEN_TYPE TokenType,
__in PLUID AuthenticationId,
__in PLARGE_INTEGER ExpirationTime,
__in PTOKEN_USER User,
__in PTOKEN_GROUPS Groups,
__in PTOKEN_PRIVILEGES Privileges,
__in_opt PTOKEN_OWNER Owner,
__in PTOKEN_PRIMARY_GROUP PrimaryGroup,
__in_opt PTOKEN_DEFAULT_DACL DefaultDacl,
__in PTOKEN_SOURCE TokenSource
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCompareTokens(
__in HANDLE FirstTokenHandle,
__in HANDLE SecondTokenHandle,
__out PBOOLEAN Equal
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadToken(
__in HANDLE ThreadHandle,
__in ACCESS_MASK DesiredAccess,
__in BOOLEAN OpenAsSelf,
__out PHANDLE TokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadTokenEx(
__in HANDLE ThreadHandle,
__in ACCESS_MASK DesiredAccess,
__in BOOLEAN OpenAsSelf,
__in ULONG HandleAttributes,
__out PHANDLE TokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessToken(
__in HANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__out PHANDLE TokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessTokenEx(
__in HANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in ULONG HandleAttributes,
__out PHANDLE TokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateToken(
__in HANDLE ExistingTokenHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in BOOLEAN EffectiveOnly,
__in TOKEN_TYPE TokenType,
__out PHANDLE NewTokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFilterToken(
__in HANDLE ExistingTokenHandle,
__in ULONG Flags,
__in_opt PTOKEN_GROUPS SidsToDisable,
__in_opt PTOKEN_PRIVILEGES PrivilegesToDelete,
__in_opt PTOKEN_GROUPS RestrictedSids,
__out PHANDLE NewTokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwImpersonateAnonymousToken(
__in HANDLE ThreadHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationToken(
__in HANDLE TokenHandle,
__in TOKEN_INFORMATION_CLASS TokenInformationClass,
__out_bcount_part_opt(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
__in ULONG TokenInformationLength,
__out PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationToken(
__in HANDLE TokenHandle,
__in TOKEN_INFORMATION_CLASS TokenInformationClass,
__in_bcount(TokenInformationLength) PVOID TokenInformation,
__in ULONG TokenInformationLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAdjustPrivilegesToken(
__in HANDLE TokenHandle,
__in BOOLEAN DisableAllPrivileges,
__in_opt PTOKEN_PRIVILEGES NewState,
__in_opt ULONG BufferLength,
__out_bcount_part_opt(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
__out_opt PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAdjustGroupsToken(
__in HANDLE TokenHandle,
__in BOOLEAN ResetToDefault,
__in PTOKEN_GROUPS NewState,
__in_opt ULONG BufferLength,
__out_bcount_part_opt(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
__out PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwPrivilegeCheck(
__in HANDLE ClientToken,
__inout PPRIVILEGE_SET RequiredPrivileges,
__out PBOOLEAN Result
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckAndAuditAlarm(
__in PUNICODE_STRING SubsystemName,
__in_opt PVOID HandleId,
__in PUNICODE_STRING ObjectTypeName,
__in PUNICODE_STRING ObjectName,
__in PSECURITY_DESCRIPTOR SecurityDescriptor,
__in ACCESS_MASK DesiredAccess,
__in PGENERIC_MAPPING GenericMapping,
__in BOOLEAN ObjectCreation,
__out PACCESS_MASK GrantedAccess,
__out PNTSTATUS AccessStatus,
__out PBOOLEAN GenerateOnClose
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeAndAuditAlarm(
__in PUNICODE_STRING SubsystemName,
__in_opt PVOID HandleId,
__in PUNICODE_STRING ObjectTypeName,
__in PUNICODE_STRING ObjectName,
__in PSECURITY_DESCRIPTOR SecurityDescriptor,
__in_opt PSID PrincipalSelfSid,
__in ACCESS_MASK DesiredAccess,
__in AUDIT_EVENT_TYPE AuditType,
__in ULONG Flags,
__in_ecount_opt(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
__in ULONG ObjectTypeListLength,
__in PGENERIC_MAPPING GenericMapping,
__in BOOLEAN ObjectCreation,
__out PACCESS_MASK GrantedAccess,
__out PNTSTATUS AccessStatus,
__out PBOOLEAN GenerateOnClose
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarm(
__in PUNICODE_STRING SubsystemName,
__in_opt PVOID HandleId,
__in PUNICODE_STRING ObjectTypeName,
__in PUNICODE_STRING ObjectName,
__in PSECURITY_DESCRIPTOR SecurityDescriptor,
__in_opt PSID PrincipalSelfSid,
__in ACCESS_MASK DesiredAccess,
__in AUDIT_EVENT_TYPE AuditType,
__in ULONG Flags,
__in_ecount_opt(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
__in ULONG ObjectTypeListLength,
__in PGENERIC_MAPPING GenericMapping,
__in BOOLEAN ObjectCreation,
__out_ecount(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
__out_ecount(ObjectTypeListLength) PNTSTATUS AccessStatus,
__out PBOOLEAN GenerateOnClose
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle(
__in PUNICODE_STRING SubsystemName,
__in_opt PVOID HandleId,
__in HANDLE ClientToken,
__in PUNICODE_STRING ObjectTypeName,
__in PUNICODE_STRING ObjectName,
__in PSECURITY_DESCRIPTOR SecurityDescriptor,
__in_opt PSID PrincipalSelfSid,
__in ACCESS_MASK DesiredAccess,
__in AUDIT_EVENT_TYPE AuditType,
__in ULONG Flags,
__in_ecount_opt(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
__in ULONG ObjectTypeListLength,
__in PGENERIC_MAPPING GenericMapping,
__in BOOLEAN ObjectCreation,
__out_ecount(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
__out_ecount(ObjectTypeListLength) PNTSTATUS AccessStatus,
__out PBOOLEAN GenerateOnClose
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenObjectAuditAlarm(
__in PUNICODE_STRING SubsystemName,
__in_opt PVOID HandleId,
__in PUNICODE_STRING ObjectTypeName,
__in PUNICODE_STRING ObjectName,
__in_opt PSECURITY_DESCRIPTOR SecurityDescriptor,
__in HANDLE ClientToken,
__in ACCESS_MASK DesiredAccess,
__in ACCESS_MASK GrantedAccess,
__in_opt PPRIVILEGE_SET Privileges,
__in BOOLEAN ObjectCreation,
__in BOOLEAN AccessGranted,
__out PBOOLEAN GenerateOnClose
);
NTSYSAPI
NTSTATUS
NTAPI
ZwPrivilegeObjectAuditAlarm(
__in PUNICODE_STRING SubsystemName,
__in_opt PVOID HandleId,
__in HANDLE ClientToken,
__in ACCESS_MASK DesiredAccess,
__in PPRIVILEGE_SET Privileges,
__in BOOLEAN AccessGranted
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCloseObjectAuditAlarm(
__in PUNICODE_STRING SubsystemName,
__in_opt PVOID HandleId,
__in BOOLEAN GenerateOnClose
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteObjectAuditAlarm(
__in PUNICODE_STRING SubsystemName,
__in_opt PVOID HandleId,
__in BOOLEAN GenerateOnClose
);
NTSYSAPI
NTSTATUS
NTAPI
ZwPrivilegedServiceAuditAlarm(
__in PUNICODE_STRING SubsystemName,
__in PUNICODE_STRING ServiceName,
__in HANDLE ClientToken,
__in PPRIVILEGE_SET Privileges,
__in BOOLEAN AccessGranted
);
NTSYSAPI
NTSTATUS
NTAPI
ZwTraceEvent(
__in HANDLE TraceHandle,
__in ULONG Flags,
__in ULONG FieldSize,
__in PVOID Fields
);
NTSYSAPI
NTSTATUS
NTAPI
ZwContinue(
__in PCONTEXT ContextRecord,
__in BOOLEAN TestAlert
);
NTSYSAPI
NTSTATUS
NTAPI
ZwRaiseException(
__in PEXCEPTION_RECORD ExceptionRecord,
__in PCONTEXT ContextRecord,
__in BOOLEAN FirstChance
);
NTSTATUS NTAPI MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
C++:
#pragma once
typedef struct _OPERATION_INFO_ENTRY
{
LIST_ENTRY ListEntry;
OB_OPERATION Operation;
ULONG Flags;
PVOID Object;
POBJECT_TYPE ObjectType;
ACCESS_MASK AccessMask;
} OPERATION_INFO_ENTRY, * POPERATION_INFO_ENTRY;
typedef struct _THREAD_BASIC_INFORMATION
{
NTSTATUS ExitStatus;
PVOID TebBaseAddress;
CLIENT_ID ClientId;
KAFFINITY AffinityMask;
KPRIORITY Priority;
KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION;
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _SYSTEM_THREAD {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitchCount;
ULONG State;
KWAIT_REASON WaitReason;
} SYSTEM_THREAD, * PSYSTEM_THREAD;
typedef struct _SYSTEM_THREAD_INFORMATION
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
KWAIT_REASON WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
ULONG HardFaultCount; // since WIN7
ULONG NumberOfThreadsHighWatermark; // since WIN7
ULONGLONG CycleTime; // since WIN7
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ANYSIZE_ARRAY];
}RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
typedef struct _IMAGE_SECTION_HEADER {
char Name[8];
union {
ULONG PhysicalAddress;
ULONG VirtualSize;
} Misc;
ULONG VirtualAddress;
ULONG SizeOfRawData;
ULONG PointerToRawData;
ULONG PointerToRelocations;
ULONG PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
ULONG Characteristics;
} IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
ULONG TimeDateStamp;
ULONG PointerToSymbolTable;
ULONG NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY {
ULONG VirtualAddress;
ULONG Size;
} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
WORD Magic;
char MajorLinkerVersion;
char MinorLinkerVersion;
ULONG SizeOfCode;
ULONG SizeOfInitializedData;
ULONG SizeOfUninitializedData;
ULONG AddressOfEntryPoint;
ULONG BaseOfCode;
ULONGLONG ImageBase;
ULONG SectionAlignment;
ULONG FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
ULONG Win32VersionValue;
ULONG SizeOfImage;
ULONG SizeOfHeaders;
ULONG CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
ULONG LoaderFlags;
ULONG NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS64 {
ULONG Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
typedef struct _OBJECT_TYPE_INITIALIZER
{
SHORT Length;
UCHAR ObjectTypeFlags;
ULONG CaseInsensitive : 1;
ULONG UnnamedObjectsOnly : 1;
ULONG UseDefaultObject : 1;
ULONG SecurityRequired : 1;
ULONG MaintainHandleCount : 1;
ULONG MaintainTypeList : 1;
ULONG ObjectTypeCode;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
PVOID DumpProcedure;
LONG* OpenProcedure;
PVOID CloseProcedure;
PVOID DeleteProcedure;
LONG* ParseProcedure;
LONG* SecurityProcedure;
LONG* QueryNameProcedure;
UCHAR* OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, * POBJECT_TYPE_INITIALIZER;
typedef struct _CALLBACK_ENTRY {
UINT16 Version;
UINT16 OperationRegistrationCount;
UINT32 unk1;
PVOID RegistrationContext;
UNICODE_STRING Altitude;
} CALLBACK_ENTRY, * PCALLBACK_ENTRY;
typedef struct _CALLBACK_ENTRY_ITEM {
LIST_ENTRY EntryItemList;
OB_OPERATION Operations;
CALLBACK_ENTRY* CallbackEntry;
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
__int64 unk;
}CALLBACK_ENTRY_ITEM, * PCALLBACK_ENTRY_ITEM;
typedef struct _OBJECT_TYPE {
LIST_ENTRY TypeList;
UNICODE_STRING Name;
VOID* DefaultObject;
UCHAR Index;
unsigned __int32 TotalNumberOfObjects;
unsigned __int32 TotalNumberOfHandles;
unsigned __int32 HighWaterNumberOfObjects;
unsigned __int32 HighWaterNumberOfHandles;
OBJECT_TYPE_INITIALIZER TypeInfo;
EX_PUSH_LOCK TypeLock;
unsigned __int32 Key;
LIST_ENTRY CallbackList;
}OBJECT_TYPE, * POBJECT_TYPE;
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID SectionPointer;
ULONG CheckSum;
};
};
union
{
ULONG TimeDateStamp;
PVOID LoadedImports;
};
struct _ACTIVATION_CONTEXT* EntryPointActivationContext;
PVOID PatchInformation;
LIST_ENTRY ForwarderLinks;
LIST_ENTRY ServiceTagLinks;
LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
C++:
#pragma once
#include "ntos.h"
typedef struct _OPERATION_INFO_ENTRY
{
LIST_ENTRY ListEntry;
OB_OPERATION Operation;
ULONG Flags;
PVOID Object;
POBJECT_TYPE ObjectType;
ACCESS_MASK AccessMask;
} OPERATION_INFO_ENTRY, * POPERATION_INFO_ENTRY;
typedef struct _THREAD_BASIC_INFORMATION
{
NTSTATUS ExitStatus;
PVOID TebBaseAddress;
CLIENT_ID ClientId;
KAFFINITY AffinityMask;
KPRIORITY Priority;
KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION;
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _SYSTEM_THREAD {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitchCount;
ULONG State;
KWAIT_REASON WaitReason;
} SYSTEM_THREAD, * PSYSTEM_THREAD;
typedef struct _SYSTEM_THREAD_INFORMATION
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
KWAIT_REASON WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize;
ULONG HardFaultCount;
ULONG NumberOfThreadsHighWatermark;
ULONGLONG CycleTime;
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey;
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ANYSIZE_ARRAY];
}RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
typedef struct _IMAGE_SECTION_HEADER {
char Name[8];
union {
ULONG PhysicalAddress;
ULONG VirtualSize;
} Misc;
ULONG VirtualAddress;
ULONG SizeOfRawData;
ULONG PointerToRawData;
ULONG PointerToRelocations;
ULONG PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
ULONG Characteristics;
} IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;
typedef struct _IMAGE_FILE_HEADER {
WORD Machine;
WORD NumberOfSections;
ULONG TimeDateStamp;
ULONG PointerToSymbolTable;
ULONG NumberOfSymbols;
WORD SizeOfOptionalHeader;
WORD Characteristics;
} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY {
ULONG VirtualAddress;
ULONG Size;
} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
WORD Magic;
char MajorLinkerVersion;
char MinorLinkerVersion;
ULONG SizeOfCode;
ULONG SizeOfInitializedData;
ULONG SizeOfUninitializedData;
ULONG AddressOfEntryPoint;
ULONG BaseOfCode;
ULONGLONG ImageBase;
ULONG SectionAlignment;
ULONG FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
ULONG Win32VersionValue;
ULONG SizeOfImage;
ULONG SizeOfHeaders;
ULONG CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
ULONG LoaderFlags;
ULONG NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS64 {
ULONG Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
typedef struct _OBJECT_TYPE_INITIALIZER
{
SHORT Length;
UCHAR ObjectTypeFlags;
ULONG CaseInsensitive : 1;
ULONG UnnamedObjectsOnly : 1;
ULONG UseDefaultObject : 1;
ULONG SecurityRequired : 1;
ULONG MaintainHandleCount : 1;
ULONG MaintainTypeList : 1;
ULONG ObjectTypeCode;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
PVOID DumpProcedure;
LONG* OpenProcedure;
PVOID CloseProcedure;
PVOID DeleteProcedure;
LONG* ParseProcedure;
LONG* SecurityProcedure;
LONG* QueryNameProcedure;
UCHAR* OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, * POBJECT_TYPE_INITIALIZER;
typedef struct _CALLBACK_ENTRY {
UINT16 Version;
UINT16 OperationRegistrationCount;
UINT32 unk1;
PVOID RegistrationContext;
UNICODE_STRING Altitude;
} CALLBACK_ENTRY, * PCALLBACK_ENTRY;
typedef struct _CALLBACK_ENTRY_ITEM {
LIST_ENTRY EntryItemList;
OB_OPERATION Operations;
CALLBACK_ENTRY* CallbackEntry;
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
__int64 unk;
}CALLBACK_ENTRY_ITEM, * PCALLBACK_ENTRY_ITEM;
typedef struct _OBJECT_TYPE {
LIST_ENTRY TypeList;
UNICODE_STRING Name;
VOID* DefaultObject;
UCHAR Index;
unsigned __int32 TotalNumberOfObjects;
unsigned __int32 TotalNumberOfHandles;
unsigned __int32 HighWaterNumberOfObjects;
unsigned __int32 HighWaterNumberOfHandles;
OBJECT_TYPE_INITIALIZER TypeInfo;
EX_PUSH_LOCK TypeLock;
unsigned __int32 Key;
LIST_ENTRY CallbackList;
}OBJECT_TYPE, * POBJECT_TYPE;
PVOID *ThreadCallBacks = 0, *ImageCallBacks = 0;
PVOID ProcessPostOperation = 0, ProcessPreOperation = 0, ThreadPostOperation = 0, ThreadPreOperation = 0;
PVOID EAC_ThreadRoutine = 0, EAC_ImageRoutine = 0;
PVOID EAC_Base = 0;
ULONG64 EAC_Base_Size = 0;
HANDLE pParentId = 0, pGameId = 0;
typedef NTSTATUS(NTAPI* p_PsSuspendThread)(IN PETHREAD Thread, OUT PULONG PreviousCount OPTIONAL);
p_PsSuspendThread o_PsSuspendThread = 0;
typedef NTSTATUS(NTAPI* p_PsResumeThread)(IN PETHREAD Thread);
p_PsResumeThread o_PsResumeThread = 0;
VOID FuckThreadCallBack();
VOID FuckImageCallBack();
VOID Do_Bypass();
VOID Remove_Bypass();
VOID ImageRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO Info);
VOID ProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound);
PVOID GetKernelBase();
BOOLEAN IsFromEACRange(PVOID Address);
BOOLEAN SuspendOrResumeAllThreads(BOOLEAN Suspend);
uintptr_t dereference(uintptr_t address, unsigned int offset);Usermode
Kod:
(HWND hWnd, LPARAM lParam) -> BOOL
{
DWORD procId = 0;
if (GetWindowThreadProcessId(hWnd, &procId) && procId == GetCurrentProcessId())
SuspendThread(GetCurrentThread());
return TRUE;
}, NULL))
{
MessageBoxExA(0, "EnumWindows başarısız oldu!", "Hata!", 0, 0);
return false;
}
}
VM_END
return o_DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);
};
bool EAC::Bypass_DeviceIoControl(bool detourStatus)
{
VM_START
if(!o_DeviceIoControl)
o_DeviceIoControl = reinterpret_cast<p_DeviceIoControl>(GetProcAddress(GetModuleHandleA("KERNELBASE"), "DeviceIoControl"));
if (DetourTransactionBegin() != NO_ERROR ||
DetourUpdateThread(GetCurrentThread()) != NO_ERROR ||
DetourAttach(&(PVOID&)o_DeviceIoControl, DeviceIoControl_Hook) != NO_ERROR ||
DetourTransactionCommit() != NO_ERROR)
{
#if _DEBUG == 1
std::cout << "Fonksiyonlar hooklanamadı" << std::endl;
#endif
MessageBoxExA(0, "Fonksiyonlar hooklanamadı!", "Hata!", 0, 0);
return false;
}
VM_END
return true;
}
C++:
#pragma once
#include <windows.h>
#include <iostream>
#include "detours.h"
#include <cstdint>
#include <intrin.h>
#include <winternl.h>
#include "Options.hpp"
#pragma comment(lib,"ntdll")
#ifdef _WIN64
#pragma comment(lib,"detours64")
#else
#pragma comment(lib,"detours")
#endif
class EAC
{
public:
static EAC& GetInstance() {
static EAC Instance;
return Instance;
}
bool Init();
bool Uninit();
private:
EAC(EAC const&) = delete;
EAC(EAC&&) = delete;
EAC& operator=(EAC const&) = delete;
EAC& operator=(EAC&&) = delete;
static bool Bypass_DeviceIoControl(bool detourStatus);
protected:
EAC()
{
hEvent = CreateEvent(0, 0, 0, 0);
}
~EAC()
{
CloseHandle(hEvent);
}
static HANDLE hEvent;
};
C++:
#define USE_VM 0
#if(USE_VM == 1)
#include "WL\WinlicenseSDK.h"
#if _WIN64
#pragma comment(lib,"WinLicenseSDK64.lib")
#else
#pragma comment(lib,"WinLicenseSDK32.lib")
#endif
#else
#define VM_START
#define VM_END
#endif
Kod:
[/CENTER]
Son düzenleme:
