From 7691ab9b92e8b308f2a2241ccb8c5bda0284fc7e Mon Sep 17 00:00:00 2001
From: LycorisGuard <984022254@qq.com>
Date: Tue, 14 Aug 2018 22:01:03 +0800
Subject: [PATCH] update update
---
 ProtectFilex64/FileProtectX64.c | 164 ++++++++--------
 ProtectFilex64/FileProtectX64.h | 128 ++++++-------
 ProtectFilex64/common.h | 4 +-
 ProtectFilex64/struct.h | 322 ++++++++++++++++----------------
 4 files changed, 309 insertions(+), 309 deletions(-)
diff --git a/ProtectFilex64/FileProtectX64.c b/ProtectFilex64/FileProtectX64.c
index ad4ce48..a459c30 100644
--- a/ProtectFilex64/FileProtectX64.c
+++ b/ProtectFilex64/FileProtectX64.c
@@ -1,125 +1,125 @@
 #ifndef CXX_FILEPROTECTX64_H
-# include "FileProtectX64.h"
+# include "FileProtectX64.h"
 #endif
 PVOID CallBackHandle = NULL;
 NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
-{
- PLDR_DATA_TABLE_ENTRY64 ldr;
+{
+ PLDR_DATA_TABLE_ENTRY64 ldr;
- DriverObject->DriverUnload = UnloadDriver;
- ldr = (PLDR_DATA_TABLE_ENTRY64)DriverObject->DriverSection;
- ldr->Flags |= 0x20;
+ DriverObject->DriverUnload = UnloadDriver;
+ ldr = (PLDR_DATA_TABLE_ENTRY64)DriverObject->DriverSection;
+ ldr->Flags |= 0x20;
- ProtectFileByObRegisterCallbacks();
- return STATUS_SUCCESS;
+ ProtectFileByObRegisterCallbacks();
+ return STATUS_SUCCESS;
 }
 NTSTATUS ProtectFileByObRegisterCallbacks()
 {
- OB_CALLBACK_REGISTRATION CallBackReg;
- OB_OPERATION_REGISTRATION OperationReg;
- NTSTATUS Status;
+ OB_CALLBACK_REGISTRATION CallBackReg;
+ OB_OPERATION_REGISTRATION OperationReg;
+ NTSTATUS Status;
- EnableObType(*IoFileObjectType); //开启文件对象回调
+ EnableObType(*IoFileObjectType); //开启文件对象回调
- memset(&CallBackReg, 0, sizeof(OB_CALLBACK_REGISTRATION));
- CallBackReg.Version = ObGetFilterVersion();
- CallBackReg.OperationRegistrationCount = 1;
- CallBackReg.RegistrationContext = NULL;
- RtlInitUnicodeString(&CallBackReg.Altitude, L"321000");
+ memset(&CallBackReg, 0, sizeof(OB_CALLBACK_REGISTRATION));
+ CallBackReg.Version = ObGetFilterVersion();
+ CallBackReg.OperationRegistrationCount = 1;
+ CallBackReg.RegistrationContext = NULL;
+ RtlInitUnicodeString(&CallBackReg.Altitude, L"321000");
- memset(&OperationReg, 0, sizeof(OB_OPERATION_REGISTRATION)); //初始化结构体变量
+ memset(&OperationReg, 0, sizeof(OB_OPERATION_REGISTRATION)); //初始化结构体变量
- OperationReg.ObjectType = IoFileObjectType;
- OperationReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE;
- OperationReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCallBack; //在这里注册一个回调函数指针
- CallBackReg.OperationRegistration = &OperationReg; //注意这一条语句 将结构体信息放入大结构体
+ OperationReg.ObjectType = IoFileObjectType;
+ OperationReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE;
+ OperationReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCallBack; //在这里注册一个回调函数指针
+ CallBackReg.OperationRegistration = &OperationReg; //注意这一条语句 将结构体信息放入大结构体
- Status = ObRegisterCallbacks(&CallBackReg, &CallBackHandle);
- if (!NT_SUCCESS(Status))
- {
- Status = STATUS_UNSUCCESSFUL;
- }
- else
- {
- Status = STATUS_SUCCESS;
- }
- return Status;
+ Status = ObRegisterCallbacks(&CallBackReg, &CallBackHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ Status = STATUS_UNSUCCESSFUL;
+ }
+ else
+ {
+ Status = STATUS_SUCCESS;
+ }
+ return Status;
 }
 OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
 {
- UNICODE_STRING uniDosName;
- UNICODE_STRING uniFilePath;
- PFILE_OBJECT FileObject = (PFILE_OBJECT)OperationInformation->Object;
- HANDLE CurrentProcessId = PsGetCurrentProcessId();
+ UNICODE_STRING uniDosName;
+ UNICODE_STRING uniFilePath;
+ PFILE_OBJECT FileObject = (PFILE_OBJECT)OperationInformation->Object;
+ HANDLE CurrentProcessId = PsGetCurrentProcessId();
- if( OperationInformation->ObjectType!=*IoFileObjectType)
- {
- return OB_PREOP_SUCCESS;
- }
- //过滤无效指针
- if( FileObject->FileName.Buffer==NULL ||
- !MmIsAddressValid(FileObject->FileName.Buffer) ||
- FileObject->DeviceObject==NULL ||
- !MmIsAddressValid(FileObject->DeviceObject) )
- {
- return OB_PREOP_SUCCESS;
- }
+ if( OperationInformation->ObjectType!=*IoFileObjectType)
+ {
+ return OB_PREOP_SUCCESS;
+ }
+ //过滤无效指针
+ if( FileObject->FileName.Buffer==NULL ||
+ !MmIsAddressValid(FileObject->FileName.Buffer) ||
+ FileObject->DeviceObject==NULL ||
+ !MmIsAddressValid(FileObject->DeviceObject) )
+ {
+ return OB_PREOP_SUCCESS;
+ }
- uniFilePath = GetFilePathByFileObject(FileObject);
+ uniFilePath = GetFilePathByFileObject(FileObject);
- if (uniFilePath.Buffer==NULL||uniFilePath.Length==0)
- {
- return OB_PREOP_SUCCESS;
- }
+ if (uniFilePath.Buffer==NULL||uniFilePath.Length==0)
+ {
+ return OB_PREOP_SUCCESS;
+ }
- if(wcsstr(uniFilePath.Buffer,L"D:\\Alif.txt"))
- {
- if (FileObject->DeleteAccess==TRUE||FileObject->WriteAccess==TRUE)
- {
- if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
- {
- OperationInformation->Parameters->CreateHandleInformation.DesiredAccess=0;
- }
- if(OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
- {
- OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess=0;
- }
- }
- }
- RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName);
- DbgPrint("PID : %ld File : %wZ %wZ\r\n", (ULONG64)CurrentProcessId, &uniDosName, &uniFilePath);
- return OB_PREOP_SUCCESS;
+ if(wcsstr(uniFilePath.Buffer,L"D:\\Alif.txt"))
+ {
+ if (FileObject->DeleteAccess==TRUE||FileObject->WriteAccess==TRUE)
+ {
+ if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
+ {
+ OperationInformation->Parameters->CreateHandleInformation.DesiredAccess=0;
+ }
+ if(OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
+ {
+ OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess=0;
+ }
+ }
+ }
+ RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName);
+ DbgPrint("PID : %ld File : %wZ %wZ\r\n", (ULONG64)CurrentProcessId, &uniDosName, &uniFilePath);
+ return OB_PREOP_SUCCESS;
 }
 UNICODE_STRING GetFilePathByFileObject(PVOID FileObject)
 {
- POBJECT_NAME_INFORMATION ObjetNameInfor;
- if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)FileObject, &ObjetNameInfor)))
- {
- return ObjetNameInfor->Name;
- }
+ POBJECT_NAME_INFORMATION ObjetNameInfor;
+ if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)FileObject, &ObjetNameInfor)))
+ {
+ return ObjetNameInfor->Name;
+ }
 }
 VOID EnableObType(POBJECT_TYPE ObjectType)
 {
- POBJECT_TYPE_TEMP ObjectTypeTemp = (POBJECT_TYPE_TEMP)ObjectType;
- ObjectTypeTemp->TypeInfo.SupportsObjectCallbacks = 1;
+ POBJECT_TYPE_TEMP ObjectTypeTemp = (POBJECT_TYPE_TEMP)ObjectType;
+ ObjectTypeTemp->TypeInfo.SupportsObjectCallbacks = 1;
 }
 VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
 {
- if (CallBackHandle!=NULL)
- {
- ObUnRegisterCallbacks(CallBackHandle);
- }
+ if (CallBackHandle!=NULL)
+ {
+ ObUnRegisterCallbacks(CallBackHandle);
+ }
- DbgPrint("UnloadDriver\r\n");
+ DbgPrint("UnloadDriver\r\n");
 }
diff --git a/ProtectFilex64/FileProtectX64.h b/ProtectFilex64/FileProtectX64.h
index d0bbc7c..e4781e7 100644
--- a/ProtectFilex64/FileProtectX64.h
+++ b/ProtectFilex64/FileProtectX64.h
@@ -7,7 +7,7 @@
 #include
 NTSTATUS
- DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);
+ DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);
 VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
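Review bot: `GetFilePathByFileObject` has no `return` on the path where `IoQueryFileDosDeviceName` fails, so `PreCallBack` then copies an indeterminate `UNICODE_STRING` that the following `Buffer==NULL` test cannot reliably catch, and on success the `POBJECT_NAME_INFORMATION` allocation is dropped (only its embedded `Name` is returned), leaking pool on every callback where the lookup succeeds. In `PreCallBack` the `RtlVolumeDeviceToDosName` call has the same two defects — its status is ignored, so `uniDosName` is uninitialized when the `%wZ` DbgPrint runs, and the buffer it allocates is never `ExFreePool`ed — and `%ld` does not match the `ULONG64` argument. `DriverEntry` also discards the status of `ProtectFileByObRegisterCallbacks`, so a failed `ObRegisterCallbacks` leaves the driver loaded with no protection while reporting `STATUS_SUCCESS`; `return ProtectFileByObRegisterCallbacks();` would surface it. Separately, `EnableObType` and the `ldr->Flags |= 0x20` line write undocumented, version-specific kernel structures (the hard-coded `OBJECT_TYPE_TEMP` layout) to force callbacks onto `IoFileObjectType`, which is not a supported use of `ObRegisterCallbacks` and is the kind of modification kernel patch protection is understood to check, so it should at least be documented as such and guarded by an OS-build check. The rewrite below folds the name lookup into `PreCallBack` so both allocations are freed on every path.
```c
OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
    /* … unchanged: existing declarations … */
    POBJECT_NAME_INFORMATION NameInfo = NULL;

    /* … unchanged: object-type and pointer checks … */

    /* Query the DOS name here so the pool block that carries it can be freed on every path. */
    if (!NT_SUCCESS(IoQueryFileDosDeviceName(FileObject, &NameInfo)) ||
        NameInfo->Name.Buffer == NULL || NameInfo->Name.Length == 0)
    {
        if (NameInfo != NULL)
        {
            ExFreePool(NameInfo);
        }
        return OB_PREOP_SUCCESS;
    }
    uniFilePath = NameInfo->Name;

    /* … unchanged: match on D:\Alif.txt and clear DesiredAccess … */

    /* Log only when the volume lookup succeeded; RtlVolumeDeviceToDosName allocates uniDosName.Buffer. */
    if (NT_SUCCESS(RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName)))
    {
        DbgPrint("PID : %llu File : %wZ %wZ\r\n", (ULONG64)CurrentProcessId, &uniDosName, &uniFilePath);
        ExFreePool(uniDosName.Buffer);
    }
    ExFreePool(NameInfo);
    return OB_PREOP_SUCCESS;
}
```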
@@ -16,79 +16,79 @@ VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
 typedef struct _LDR_DATA_TABLE_ENTRY64 {
- LIST_ENTRY64 InLoadOrderLinks;
- LIST_ENTRY64 InMemoryOrderLinks;
- LIST_ENTRY64 InInitializationOrderLinks;
- PVOID DllBase;
- PVOID EntryPoint;
- ULONG SizeOfImage;
- UNICODE_STRING FullDllName;
- UNICODE_STRING BaseDllName;
- ULONG Flags;
- USHORT LoadCount;
- USHORT TlsIndex;
- PVOID SectionPointer;
- ULONG CheckSum;
- PVOID LoadedImports;
- PVOID EntryPointActivationContext;
- PVOID PatchInformation;
- LIST_ENTRY64 ForwarderLinks;
- LIST_ENTRY64 ServiceTagLinks;
- LIST_ENTRY64 StaticLinks;
- PVOID ContextInformation;
- ULONG64 OriginalBase;
- LARGE_INTEGER LoadTime;
+ LIST_ENTRY64 InLoadOrderLinks;
+ LIST_ENTRY64 InMemoryOrderLinks;
+ LIST_ENTRY64 InInitializationOrderLinks;
+ PVOID DllBase;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullDllName;
+ UNICODE_STRING BaseDllName;
+ ULONG Flags;
+ USHORT LoadCount;
+ USHORT TlsIndex;
+ PVOID SectionPointer;
+ ULONG CheckSum;
+ PVOID LoadedImports;
+ PVOID EntryPointActivationContext;
+ PVOID PatchInformation;
+ LIST_ENTRY64 ForwarderLinks;
+ LIST_ENTRY64 ServiceTagLinks;
+ LIST_ENTRY64 StaticLinks;
+ PVOID ContextInformation;
+ ULONG64 OriginalBase;
+ LARGE_INTEGER LoadTime;
 } LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;
 typedef struct _OBJECT_TYPE_INITIALIZER {
- UINT16 Length;
- union
- {
- UINT8 ObjectTypeFlags;
- struct
- {
- UINT8 CaseInsensitive : 1; UINT8 UnnamedObjectsOnly : 1; UINT8 UseDefaultObject : 1; UINT8 SecurityRequired : 1; UINT8 MaintainHandleCount : 1; UINT8 MaintainTypeList : 1; UINT8 SupportsObjectCallbacks : 1;
- };
- };
- ULONG32 ObjectTypeCode;
- ULONG32 InvalidAttributes;
- struct _GENERIC_MAPPING GenericMapping;
- ULONG32 ValidAccessMask;
- ULONG32 RetainAccess;
- enum _POOL_TYPE PoolType;
- ULONG32 DefaultPagedPoolCharge;
- ULONG32 DefaultNonPagedPoolCharge;
- PVOID DumpProcedure;
- PVOID OpenProcedure;
- PVOID CloseProcedure;
- PVOID DeleteProcedure;
- PVOID ParseProcedure;
- PVOID SecurityProcedure;
- PVOID QueryNameProcedure;
- PVOID OkayToCloseProcedure;
+ UINT16 Length;
+ union
+ {
+ UINT8 ObjectTypeFlags;
+ struct
+ {
+ UINT8 CaseInsensitive : 1; UINT8 UnnamedObjectsOnly : 1; UINT8 UseDefaultObject : 1; UINT8 SecurityRequired : 1; UINT8 MaintainHandleCount : 1; UINT8 MaintainTypeList : 1; UINT8 SupportsObjectCallbacks : 1;
+ };
+ };
+ ULONG32 ObjectTypeCode;
+ ULONG32 InvalidAttributes;
+ struct _GENERIC_MAPPING GenericMapping;
+ ULONG32 ValidAccessMask;
+ ULONG32 RetainAccess;
+ enum _POOL_TYPE PoolType;
+ ULONG32 DefaultPagedPoolCharge;
+ ULONG32 DefaultNonPagedPoolCharge;
+ PVOID DumpProcedure;
+ PVOID OpenProcedure;
+ PVOID CloseProcedure;
+ PVOID DeleteProcedure;
+ PVOID ParseProcedure;
+ PVOID SecurityProcedure;
+ PVOID QueryNameProcedure;
+ PVOID OkayToCloseProcedure;
 }OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
 typedef struct _OBJECT_TYPE_TEMP {
- struct _LIST_ENTRY TypeList;
- struct _UNICODE_STRING Name;
- VOID* DefaultObject;
- UINT8 Index;
- UINT8 _PADDING0_[0x3];
- ULONG32 TotalNumberOfObjects;
- ULONG32 TotalNumberOfHandles;
- ULONG32 HighWaterNumberOfObjects;
- ULONG32 HighWaterNumberOfHandles;
- UINT8 _PADDING1_[0x4];
- struct _OBJECT_TYPE_INITIALIZER TypeInfo;
- ULONG64 TypeLock;
- ULONG32 Key;
- UINT8 _PADDING2_[0x4];
- struct _LIST_ENTRY CallbackList;
+ struct _LIST_ENTRY TypeList;
+ struct _UNICODE_STRING Name;
+ VOID* DefaultObject;
+ UINT8 Index;
+ UINT8 _PADDING0_[0x3];
+ ULONG32 TotalNumberOfObjects;
+ ULONG32 TotalNumberOfHandles;
+ ULONG32 HighWaterNumberOfObjects;
+ ULONG32 HighWaterNumberOfHandles;
+ UINT8 _PADDING1_[0x4];
+ struct _OBJECT_TYPE_INITIALIZER TypeInfo;
+ ULONG64 TypeLock;
+ ULONG32 Key;
+ UINT8 _PADDING2_[0x4];
+ struct _LIST_ENTRY CallbackList;
 }OBJECT_TYPE_TEMP, *POBJECT_TYPE_TEMP;
@@ -99,7 +99,7 @@ OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATIO
 NTSTATUS ProtectFileByObRegisterCallbacks();
-#endif
+#endif
diff --git a/ProtectFilex64/common.h b/ProtectFilex64/common.h
index edc7267..a668d69 100644
--- a/ProtectFilex64/common.h
+++ b/ProtectFilex64/common.h
@@ -4,10 +4,10 @@
 * MODULE : common.h
 *
 * Command:
-* IOCTRL Common Header
+* IOCTRL Common Header
 *
 * Description:
-* Common data for the IoCtrl driver and application
+* Common data for the IoCtrl driver and application
 *
 ****************************************************************************************
 * Copyright (C) 2010 MZ.
diff --git a/ProtectFilex64/struct.h b/ProtectFilex64/struct.h
index 78d907a..0592e10 100644
--- a/ProtectFilex64/struct.h
+++ b/ProtectFilex64/struct.h
@@ -46,12 +46,12 @@ typedef BYTE BOOLEAN;
 #pragma pack(4)
 typedef struct _PEB_LDR_DATA {
- ULONG Length;
- BOOLEAN Initialized;
- PVOID SsHandle;
- LIST_ENTRY InLoadOrderModuleList;
- LIST_ENTRY InMemoryOrderModuleList;
- LIST_ENTRY InInitializationOrderModuleList;
+ ULONG Length;
+ BOOLEAN Initialized;
+ PVOID SsHandle;
+ LIST_ENTRY InLoadOrderModuleList;
+ LIST_ENTRY InMemoryOrderModuleList;
+ LIST_ENTRY InInitializationOrderModuleList;
 } PEB_LDR_DATA, *PPEB_LDR_DATA;
 #pragma pack()
@@ -66,106 +66,106 @@ typedef struct _PEB_ORIG {
 typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);
 struct _PEB_FREE_BLOCK {
- struct _PEB_FREE_BLOCK *Next;
- ULONG Size;
+ struct _PEB_FREE_BLOCK *Next;
+ ULONG Size;
 };
 typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK;
 typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK;
 typedef struct _RTL_DRIVE_LETTER_CURDIR {
- USHORT Flags;
- USHORT Length;
- ULONG TimeStamp;
- UNICODE_STRING DosPath;
+ USHORT Flags;
+ USHORT Length;
+ ULONG TimeStamp;
+ UNICODE_STRING DosPath;
 } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
 typedef struct _RTL_USER_PROCESS_PARAMETERS {
- ULONG MaximumLength;
- ULONG Length;
- ULONG Flags;
- ULONG DebugFlags;
- PVOID ConsoleHandle;
- ULONG ConsoleFlags;
- HANDLE StdInputHandle;
- HANDLE StdOutputHandle;
- HANDLE StdErrorHandle;
- UNICODE_STRING CurrentDirectoryPath;
- HANDLE CurrentDirectoryHandle;
- UNICODE_STRING DllPath;
- UNICODE_STRING ImagePathName;
- UNICODE_STRING CommandLine;
- PVOID Environment;
- ULONG StartingPositionLeft;
- ULONG StartingPositionTop;
- ULONG Width;
- ULONG Height;
- ULONG CharWidth;
- ULONG CharHeight;
- ULONG ConsoleTextAttributes;
- ULONG WindowFlags;
- ULONG ShowWindowFlags;
- UNICODE_STRING WindowTitle;
- UNICODE_STRING DesktopName;
- UNICODE_STRING ShellInfo;
- UNICODE_STRING RuntimeData;
- RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
+ ULONG MaximumLength;
+ ULONG Length;
+ ULONG Flags;
+ ULONG DebugFlags;
+ PVOID ConsoleHandle;
+ ULONG ConsoleFlags;
+ HANDLE StdInputHandle;
+ HANDLE StdOutputHandle;
+ HANDLE StdErrorHandle;
+ UNICODE_STRING CurrentDirectoryPath;
+ HANDLE CurrentDirectoryHandle;
+ UNICODE_STRING DllPath;
+ UNICODE_STRING ImagePathName;
+ UNICODE_STRING CommandLine;
+ PVOID Environment;
+ ULONG StartingPositionLeft;
+ ULONG StartingPositionTop;
+ ULONG Width;
+ ULONG Height;
+ ULONG CharWidth;
+ ULONG CharHeight;
+ ULONG ConsoleTextAttributes;
+ ULONG WindowFlags;
+ ULONG ShowWindowFlags;
+ UNICODE_STRING WindowTitle;
+ UNICODE_STRING DesktopName;
+ UNICODE_STRING ShellInfo;
+ UNICODE_STRING RuntimeData;
+ RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
 typedef struct _PEB {
- BOOLEAN InheritedAddressSpace;
- BOOLEAN ReadImageFileExecOptions;
- BOOLEAN BeingDebugged;
- BOOLEAN Spare;
- HANDLE Mutant;
- PVOID ImageBaseAddress;
- PPEB_LDR_DATA LoaderData;
- PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
- PVOID SubSystemData;
- PVOID ProcessHeap;
- PVOID FastPebLock;
- PPEBLOCKROUTINE FastPebLockRoutine;
- PPEBLOCKROUTINE FastPebUnlockRoutine;
- ULONG EnvironmentUpdateCount;
- PVOID *KernelCallbackTable;
- PVOID EventLogSection;
- PVOID EventLog;
- PPEB_FREE_BLOCK FreeList;
- ULONG TlsExpansionCounter;
- PVOID TlsBitmap;
- ULONG TlsBitmapBits[0x2];
- PVOID ReadOnlySharedMemoryBase;
- PVOID ReadOnlySharedMemoryHeap;
- PVOID *ReadOnlyStaticServerData;
- PVOID AnsiCodePageData;
- PVOID OemCodePageData;
- PVOID UnicodeCaseTableData;
- ULONG NumberOfProcessors;
- ULONG NtGlobalFlag;
- BYTE Spare2[0x4];
- LARGE_INTEGER CriticalSectionTimeout;
- ULONG HeapSegmentReserve;
- ULONG HeapSegmentCommit;
- ULONG HeapDeCommitTotalFreeThreshold;
- ULONG HeapDeCommitFreeBlockThreshold;
- ULONG NumberOfHeaps;
- ULONG MaximumNumberOfHeaps;
- PVOID **ProcessHeaps;
- PVOID GdiSharedHandleTable;
- PVOID ProcessStarterHelper;
- PVOID GdiDCAttributeList;
- PVOID LoaderLock;
- ULONG OSMajorVersion;
- ULONG OSMinorVersion;
- ULONG OSBuildNumber;
- ULONG OSPlatformId;
- ULONG ImageSubSystem;
- ULONG ImageSubSystemMajorVersion;
- ULONG ImageSubSystemMinorVersion;
- ULONG GdiHandleBuffer[0x22];
- ULONG PostProcessInitRoutine;
- ULONG TlsExpansionBitmap;
- BYTE TlsExpansionBitmapBits[0x80];
- ULONG SessionId;
+ BOOLEAN InheritedAddressSpace;
+ BOOLEAN ReadImageFileExecOptions;
+ BOOLEAN BeingDebugged;
+ BOOLEAN Spare;
+ HANDLE Mutant;
+ PVOID ImageBaseAddress;
+ PPEB_LDR_DATA LoaderData;
+ PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+ PVOID SubSystemData;
+ PVOID ProcessHeap;
+ PVOID FastPebLock;
+ PPEBLOCKROUTINE FastPebLockRoutine;
+ PPEBLOCKROUTINE FastPebUnlockRoutine;
+ ULONG EnvironmentUpdateCount;
+ PVOID *KernelCallbackTable;
+ PVOID EventLogSection;
+ PVOID EventLog;
+ PPEB_FREE_BLOCK FreeList;
+ ULONG TlsExpansionCounter;
+ PVOID TlsBitmap;
+ ULONG TlsBitmapBits[0x2];
+ PVOID ReadOnlySharedMemoryBase;
+ PVOID ReadOnlySharedMemoryHeap;
+ PVOID *ReadOnlyStaticServerData;
+ PVOID AnsiCodePageData;
+ PVOID OemCodePageData;
+ PVOID UnicodeCaseTableData;
+ ULONG NumberOfProcessors;
+ ULONG NtGlobalFlag;
+ BYTE Spare2[0x4];
+ LARGE_INTEGER CriticalSectionTimeout;
+ ULONG HeapSegmentReserve;
+ ULONG HeapSegmentCommit;
+ ULONG HeapDeCommitTotalFreeThreshold;
+ ULONG HeapDeCommitFreeBlockThreshold;
+ ULONG NumberOfHeaps;
+ ULONG MaximumNumberOfHeaps;
+ PVOID **ProcessHeaps;
+ PVOID GdiSharedHandleTable;
+ PVOID ProcessStarterHelper;
+ PVOID GdiDCAttributeList;
+ PVOID LoaderLock;
+ ULONG OSMajorVersion;
+ ULONG OSMinorVersion;
+ ULONG OSBuildNumber;
+ ULONG OSPlatformId;
+ ULONG ImageSubSystem;
+ ULONG ImageSubSystemMajorVersion;
+ ULONG ImageSubSystemMinorVersion;
+ ULONG GdiHandleBuffer[0x22];
+ ULONG PostProcessInitRoutine;
+ ULONG TlsExpansionBitmap;
+ BYTE TlsExpansionBitmapBits[0x80];
+ ULONG SessionId;
 } PEB, *PPEB;
 typedef struct _SYSTEM_PROCESS_INFORMATION {
@@ -214,36 +214,36 @@ typedef struct _SYSTEM_THREAD_INFORMATION {
 struct _SYSTEM_THREADS {
- LARGE_INTEGER KernelTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER CreateTime;
- ULONG WaitTime;
- PVOID StartAddress;
- CLIENT_ID ClientIs;
- KPRIORITY Priority;
- KPRIORITY BasePriority;
- ULONG ContextSwitchCount;
- ULONG ThreadState;
- KWAIT_REASON WaitReason;
+ LARGE_INTEGER KernelTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER CreateTime;
+ ULONG WaitTime;
+ PVOID StartAddress;
+ CLIENT_ID ClientIs;
+ KPRIORITY Priority;
+ KPRIORITY BasePriority;
+ ULONG ContextSwitchCount;
+ ULONG ThreadState;
+ KWAIT_REASON WaitReason;
 };
 struct _SYSTEM_PROCESSES {
- ULONG NextEntryDelta;
- ULONG ThreadCount;
- ULONG Reserved[6];
- LARGE_INTEGER CreateTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER KernelTime;
- UNICODE_STRING ProcessName;
- KPRIORITY BasePriority;
- ULONG ProcessId;
- ULONG InheritedFromProcessId;
- ULONG HandleCount;
- ULONG Reserved2[2];
- VM_COUNTERS VmCounters;
- IO_COUNTERS IoCounters; //windows 2000 only
- struct _SYSTEM_THREADS Threads[1];
+ ULONG NextEntryDelta;
+ ULONG ThreadCount;
+ ULONG Reserved[6];
+ LARGE_INTEGER CreateTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER KernelTime;
+ UNICODE_STRING ProcessName;
+ KPRIORITY BasePriority;
+ ULONG ProcessId;
+ ULONG InheritedFromProcessId;
+ ULONG HandleCount;
+ ULONG Reserved2[2];
+ VM_COUNTERS VmCounters;
+ IO_COUNTERS IoCounters; //windows 2000 only
+ struct _SYSTEM_THREADS Threads[1];
 };
 typedef struct _HANDLE_TABLE_ENTRY_INFO
@@ -294,42 +294,42 @@ typedef struct _HANDLE_TABLE
 } HANDLE_TABLE, *PHANDLE_TABLE;
 typedef struct _OBJECT_TYPE_INITIALIZER {
- USHORT Length;
- BOOLEAN UseDefaultObject;
- BOOLEAN CaseInsensitive;
- ULONG InvalidAttributes;
- GENERIC_MAPPING GenericMapping;
- ULONG ValidAccessMask;
- BOOLEAN SecurityRequired;
- BOOLEAN MaintainHandleCount;
- BOOLEAN MaintainTypeList;
- POOL_TYPE PoolType;
- ULONG DefaultPagedPoolCharge;
- ULONG DefaultNonPagedPoolCharge;
- PVOID DumpProcedure;
- PVOID OpenProcedure;
- PVOID CloseProcedure;
- PVOID DeleteProcedure;
- PVOID ParseProcedure;
- PVOID SecurityProcedure;
- PVOID QueryNameProcedure;
- PVOID OkayToCloseProcedure;
+ USHORT Length;
+ BOOLEAN UseDefaultObject;
+ BOOLEAN CaseInsensitive;
+ ULONG InvalidAttributes;
+ GENERIC_MAPPING GenericMapping;
+ ULONG ValidAccessMask;
+ BOOLEAN SecurityRequired;
+ BOOLEAN MaintainHandleCount;
+ BOOLEAN MaintainTypeList;
+ POOL_TYPE PoolType;
+ ULONG DefaultPagedPoolCharge;
+ ULONG DefaultNonPagedPoolCharge;
+ PVOID DumpProcedure;
+ PVOID OpenProcedure;
+ PVOID CloseProcedure;
+ PVOID DeleteProcedure;
+ PVOID ParseProcedure;
+ PVOID SecurityProcedure;
+ PVOID QueryNameProcedure;
+ PVOID OkayToCloseProcedure;
 } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
 typedef struct _OBJECT_TYPE {
- ERESOURCE Mutex;
- LIST_ENTRY TypeList;
- UNICODE_STRING Name; // Copy from object header for convenience
- PVOID DefaultObject;
- ULONG Index;
- ULONG TotalNumberOfObjects;
- ULONG TotalNumberOfHandles;
- ULONG HighWaterNumberOfObjects;
- ULONG HighWaterNumberOfHandles;
- OBJECT_TYPE_INITIALIZER TypeInfo;
- ULONG Key;
- ERESOURCE ObjectLocks[4];
+ ERESOURCE Mutex;
+ LIST_ENTRY TypeList;
+ UNICODE_STRING Name; // Copy from object header for convenience
+ PVOID DefaultObject;
+ ULONG Index;
+ ULONG TotalNumberOfObjects;
+ ULONG TotalNumberOfHandles;
+ ULONG HighWaterNumberOfObjects;
+ ULONG HighWaterNumberOfHandles;
+ OBJECT_TYPE_INITIALIZER TypeInfo;
+ ULONG Key;
+ ERESOURCE ObjectLocks[4];
 } OBJECT_TYPE, *POBJECT_TYPE;
 typedef struct _OBJECT_DIRECTORY {
@@ -337,8 +337,8 @@ typedef struct _OBJECT_DIRECTORY {
 ULONG Lock;
 PVOID DeviceMap;
 ULONG SessionId;
- USHORT Reserved;
- USHORT SymbolicLinkUsageCount;
+ USHORT Reserved;
+ USHORT SymbolicLinkUsageCount;
 } OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
 /*
@@ -353,8 +353,8 @@ typedef enum _KAPC_ENVIRONMENT {
 typedef enum
 {
 OriginalApcEnvironment,
- AttachedApcEnvironment,
- CurrentApcEnvironment
+ AttachedApcEnvironment,
+ CurrentApcEnvironment
 } KAPC_ENVIRONMENT;
 //----------------------------------------------------
@@ -362,10 +362,10 @@ typedef enum
 NTSYSAPI
 NTSTATUS
 NTAPI
 ZwQuerySystemInformation(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength);
+ IN ULONG SystemInformationClass,
+ IN PVOID SystemInformation,
+ IN ULONG SystemInformationLength,
+ OUT PULONG ReturnLength);