Mirrors
/
Windows-Rootkits
mirror of https://github.com/ciyze0101/Windows-Rootkits
6
0
Fork 0
Code Issues Projects Releases Wiki Activity

update 

update
This commit is contained in:
LycorisGuard 2018-08-14 22:01:03 +08:00
parent 94f523ced9
commit 7691ab9b92
4 changed files with 309 additions and 309 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

164
ProtectFilex64/FileProtectX64.c
View File

@ -1,125 +1,125 @@
#ifndef CXX_FILEPROTECTX64_H #ifndef CXX_FILEPROTECTX64_H
# include "FileProtectX64.h" # include "FileProtectX64.h"
#endif #endif
PVOID CallBackHandle = NULL; PVOID CallBackHandle = NULL;
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath) NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{ {
PLDR_DATA_TABLE_ENTRY64 ldr; PLDR_DATA_TABLE_ENTRY64 ldr;
DriverObject->DriverUnload = UnloadDriver; DriverObject->DriverUnload = UnloadDriver;
ldr = (PLDR_DATA_TABLE_ENTRY64)DriverObject->DriverSection; ldr = (PLDR_DATA_TABLE_ENTRY64)DriverObject->DriverSection;
ldr->Flags |= 0x20; ldr->Flags |= 0x20;
ProtectFileByObRegisterCallbacks(); ProtectFileByObRegisterCallbacks();
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
NTSTATUS ProtectFileByObRegisterCallbacks() NTSTATUS ProtectFileByObRegisterCallbacks()
{ {
OB_CALLBACK_REGISTRATION CallBackReg; OB_CALLBACK_REGISTRATION CallBackReg;
OB_OPERATION_REGISTRATION OperationReg; OB_OPERATION_REGISTRATION OperationReg;
NTSTATUS Status; NTSTATUS Status;
EnableObType(*IoFileObjectType); //开启文件对象回调 EnableObType(*IoFileObjectType); //开启文件对象回调
memset(&CallBackReg, 0, sizeof(OB_CALLBACK_REGISTRATION)); memset(&CallBackReg, 0, sizeof(OB_CALLBACK_REGISTRATION));
CallBackReg.Version = ObGetFilterVersion(); CallBackReg.Version = ObGetFilterVersion();
CallBackReg.OperationRegistrationCount = 1; CallBackReg.OperationRegistrationCount = 1;
CallBackReg.RegistrationContext = NULL; CallBackReg.RegistrationContext = NULL;
RtlInitUnicodeString(&CallBackReg.Altitude, L"321000"); RtlInitUnicodeString(&CallBackReg.Altitude, L"321000");
memset(&OperationReg, 0, sizeof(OB_OPERATION_REGISTRATION)); //初始化结构体变量 memset(&OperationReg, 0, sizeof(OB_OPERATION_REGISTRATION)); //初始化结构体变量
OperationReg.ObjectType = IoFileObjectType; OperationReg.ObjectType = IoFileObjectType;
OperationReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE; OperationReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE;
OperationReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCallBack; //在这里注册一个回调函数指针 OperationReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCallBack; //在这里注册一个回调函数指针
CallBackReg.OperationRegistration = &OperationReg; //注意这一条语句 将结构体信息放入大结构体 CallBackReg.OperationRegistration = &OperationReg; //注意这一条语句 将结构体信息放入大结构体
Status = ObRegisterCallbacks(&CallBackReg, &CallBackHandle); Status = ObRegisterCallbacks(&CallBackReg, &CallBackHandle);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
Status = STATUS_UNSUCCESSFUL; Status = STATUS_UNSUCCESSFUL;
} }
else else
{ {
Status = STATUS_SUCCESS; Status = STATUS_SUCCESS;
} }
return Status; return Status;
} }
OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation) OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{ {
UNICODE_STRING uniDosName; UNICODE_STRING uniDosName;
UNICODE_STRING uniFilePath; UNICODE_STRING uniFilePath;
PFILE_OBJECT FileObject = (PFILE_OBJECT)OperationInformation->Object; PFILE_OBJECT FileObject = (PFILE_OBJECT)OperationInformation->Object;
HANDLE CurrentProcessId = PsGetCurrentProcessId(); HANDLE CurrentProcessId = PsGetCurrentProcessId();
if( OperationInformation->ObjectType!=*IoFileObjectType) if( OperationInformation->ObjectType!=*IoFileObjectType)
{ {
return OB_PREOP_SUCCESS; return OB_PREOP_SUCCESS;
} }
//过滤无效指针 //过滤无效指针
if( FileObject->FileName.Buffer==NULL || if( FileObject->FileName.Buffer==NULL ||
!MmIsAddressValid(FileObject->FileName.Buffer) || !MmIsAddressValid(FileObject->FileName.Buffer) ||
FileObject->DeviceObject==NULL || FileObject->DeviceObject==NULL ||
!MmIsAddressValid(FileObject->DeviceObject) ) !MmIsAddressValid(FileObject->DeviceObject) )
{ {
return OB_PREOP_SUCCESS; return OB_PREOP_SUCCESS;
} }
uniFilePath = GetFilePathByFileObject(FileObject); uniFilePath = GetFilePathByFileObject(FileObject);
if (uniFilePath.Buffer==NULL||uniFilePath.Length==0) if (uniFilePath.Buffer==NULL||uniFilePath.Length==0)
{ {
return OB_PREOP_SUCCESS; return OB_PREOP_SUCCESS;
} }
if(wcsstr(uniFilePath.Buffer,L"D:\\Alif.txt")) if(wcsstr(uniFilePath.Buffer,L"D:\\Alif.txt"))
{ {
if (FileObject->DeleteAccess==TRUE||FileObject->WriteAccess==TRUE) if (FileObject->DeleteAccess==TRUE||FileObject->WriteAccess==TRUE)
{ {
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE) if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
{ {
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess=0; OperationInformation->Parameters->CreateHandleInformation.DesiredAccess=0;
} }
if(OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE) if(OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
{ {
OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess=0; OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess=0;
} }
} }
} }
RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName); RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName);
DbgPrint("PID : %ld File : %wZ %wZ\r\n", (ULONG64)CurrentProcessId, &uniDosName, &uniFilePath); DbgPrint("PID : %ld File : %wZ %wZ\r\n", (ULONG64)CurrentProcessId, &uniDosName, &uniFilePath);
return OB_PREOP_SUCCESS; return OB_PREOP_SUCCESS;
} }
UNICODE_STRING GetFilePathByFileObject(PVOID FileObject) UNICODE_STRING GetFilePathByFileObject(PVOID FileObject)
{ {
POBJECT_NAME_INFORMATION ObjetNameInfor; POBJECT_NAME_INFORMATION ObjetNameInfor;
if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)FileObject, &ObjetNameInfor))) if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)FileObject, &ObjetNameInfor)))
{ {
return ObjetNameInfor->Name; return ObjetNameInfor->Name;
} }
} }
VOID EnableObType(POBJECT_TYPE ObjectType) VOID EnableObType(POBJECT_TYPE ObjectType)
{ {
POBJECT_TYPE_TEMP ObjectTypeTemp = (POBJECT_TYPE_TEMP)ObjectType; POBJECT_TYPE_TEMP ObjectTypeTemp = (POBJECT_TYPE_TEMP)ObjectType;
ObjectTypeTemp->TypeInfo.SupportsObjectCallbacks = 1; ObjectTypeTemp->TypeInfo.SupportsObjectCallbacks = 1;
} }
VOID UnloadDriver(PDRIVER_OBJECT DriverObject) VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{ {
if (CallBackHandle!=NULL) if (CallBackHandle!=NULL)
{ {
ObUnRegisterCallbacks(CallBackHandle); ObUnRegisterCallbacks(CallBackHandle);
} }
DbgPrint("UnloadDriver\r\n"); DbgPrint("UnloadDriver\r\n");
} }

128
ProtectFilex64/FileProtectX64.h
View File

@ -7,7 +7,7 @@
#include <devioctl.h> #include <devioctl.h>
NTSTATUS NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath); DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);
VOID UnloadDriver(PDRIVER_OBJECT DriverObject); VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
@ -16,79 +16,79 @@ VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
typedef struct _LDR_DATA_TABLE_ENTRY64 typedef struct _LDR_DATA_TABLE_ENTRY64
{ {
LIST_ENTRY64 InLoadOrderLinks; LIST_ENTRY64 InLoadOrderLinks;
LIST_ENTRY64 InMemoryOrderLinks; LIST_ENTRY64 InMemoryOrderLinks;
LIST_ENTRY64 InInitializationOrderLinks; LIST_ENTRY64 InInitializationOrderLinks;
PVOID DllBase; PVOID DllBase;
PVOID EntryPoint; PVOID EntryPoint;
ULONG SizeOfImage; ULONG SizeOfImage;
UNICODE_STRING FullDllName; UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName; UNICODE_STRING BaseDllName;
ULONG Flags; ULONG Flags;
USHORT LoadCount; USHORT LoadCount;
USHORT TlsIndex; USHORT TlsIndex;
PVOID SectionPointer; PVOID SectionPointer;
ULONG CheckSum; ULONG CheckSum;
PVOID LoadedImports; PVOID LoadedImports;
PVOID EntryPointActivationContext; PVOID EntryPointActivationContext;
PVOID PatchInformation; PVOID PatchInformation;
LIST_ENTRY64 ForwarderLinks; LIST_ENTRY64 ForwarderLinks;
LIST_ENTRY64 ServiceTagLinks; LIST_ENTRY64 ServiceTagLinks;
LIST_ENTRY64 StaticLinks; LIST_ENTRY64 StaticLinks;
PVOID ContextInformation; PVOID ContextInformation;
ULONG64 OriginalBase; ULONG64 OriginalBase;
LARGE_INTEGER LoadTime; LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64; } LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;
typedef struct _OBJECT_TYPE_INITIALIZER typedef struct _OBJECT_TYPE_INITIALIZER
{ {
UINT16 Length; UINT16 Length;
union union
{ {
UINT8 ObjectTypeFlags; UINT8 ObjectTypeFlags;
struct struct
{ {
UINT8 CaseInsensitive : 1; UINT8 UnnamedObjectsOnly : 1; UINT8 UseDefaultObject : 1; UINT8 SecurityRequired : 1; UINT8 MaintainHandleCount : 1; UINT8 MaintainTypeList : 1; UINT8 SupportsObjectCallbacks : 1; UINT8 CaseInsensitive : 1; UINT8 UnnamedObjectsOnly : 1; UINT8 UseDefaultObject : 1; UINT8 SecurityRequired : 1; UINT8 MaintainHandleCount : 1; UINT8 MaintainTypeList : 1; UINT8 SupportsObjectCallbacks : 1;
}; };
}; };
ULONG32 ObjectTypeCode; ULONG32 ObjectTypeCode;
ULONG32 InvalidAttributes; ULONG32 InvalidAttributes;
struct _GENERIC_MAPPING GenericMapping; struct _GENERIC_MAPPING GenericMapping;
ULONG32 ValidAccessMask; ULONG32 ValidAccessMask;
ULONG32 RetainAccess; ULONG32 RetainAccess;
enum _POOL_TYPE PoolType; enum _POOL_TYPE PoolType;
ULONG32 DefaultPagedPoolCharge; ULONG32 DefaultPagedPoolCharge;
ULONG32 DefaultNonPagedPoolCharge; ULONG32 DefaultNonPagedPoolCharge;
PVOID DumpProcedure; PVOID DumpProcedure;
PVOID OpenProcedure; PVOID OpenProcedure;
PVOID CloseProcedure; PVOID CloseProcedure;
PVOID DeleteProcedure; PVOID DeleteProcedure;
PVOID ParseProcedure; PVOID ParseProcedure;
PVOID SecurityProcedure; PVOID SecurityProcedure;
PVOID QueryNameProcedure; PVOID QueryNameProcedure;
PVOID OkayToCloseProcedure; PVOID OkayToCloseProcedure;
}OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER; }OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
typedef struct _OBJECT_TYPE_TEMP typedef struct _OBJECT_TYPE_TEMP
{ {
struct _LIST_ENTRY TypeList; struct _LIST_ENTRY TypeList;
struct _UNICODE_STRING Name; struct _UNICODE_STRING Name;
VOID* DefaultObject; VOID* DefaultObject;
UINT8 Index; UINT8 Index;
UINT8 _PADDING0_[0x3]; UINT8 _PADDING0_[0x3];
ULONG32 TotalNumberOfObjects; ULONG32 TotalNumberOfObjects;
ULONG32 TotalNumberOfHandles; ULONG32 TotalNumberOfHandles;
ULONG32 HighWaterNumberOfObjects; ULONG32 HighWaterNumberOfObjects;
ULONG32 HighWaterNumberOfHandles; ULONG32 HighWaterNumberOfHandles;
UINT8 _PADDING1_[0x4]; UINT8 _PADDING1_[0x4];
struct _OBJECT_TYPE_INITIALIZER TypeInfo; struct _OBJECT_TYPE_INITIALIZER TypeInfo;
ULONG64 TypeLock; ULONG64 TypeLock;
ULONG32 Key; ULONG32 Key;
UINT8 _PADDING2_[0x4]; UINT8 _PADDING2_[0x4];
struct _LIST_ENTRY CallbackList; struct _LIST_ENTRY CallbackList;
}OBJECT_TYPE_TEMP, *POBJECT_TYPE_TEMP; }OBJECT_TYPE_TEMP, *POBJECT_TYPE_TEMP;
@ -99,7 +99,7 @@ OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATIO
NTSTATUS ProtectFileByObRegisterCallbacks(); NTSTATUS ProtectFileByObRegisterCallbacks();
#endif #endif

4
ProtectFilex64/common.h
View File

@ -4,10 +4,10 @@
* MODULE : common.h * MODULE : common.h
* *
* Command: * Command:
* IOCTRL Common Header * IOCTRL Common Header
* *
* Description: * Description:
* Common data for the IoCtrl driver and application * Common data for the IoCtrl driver and application
* *
**************************************************************************************** ****************************************************************************************
* Copyright (C) 2010 MZ. * Copyright (C) 2010 MZ.

322
ProtectFilex64/struct.h
View File

@ -46,12 +46,12 @@ typedef BYTE BOOLEAN;
#pragma pack(4) #pragma pack(4)
typedef struct _PEB_LDR_DATA typedef struct _PEB_LDR_DATA
{ {
ULONG Length; ULONG Length;
BOOLEAN Initialized; BOOLEAN Initialized;
PVOID SsHandle; PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList; LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA; } PEB_LDR_DATA, *PPEB_LDR_DATA;
#pragma pack() #pragma pack()
@ -66,106 +66,106 @@ typedef struct _PEB_ORIG {
typedef void (*PPEBLOCKROUTINE)(PVOID PebLock); typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);
struct _PEB_FREE_BLOCK { struct _PEB_FREE_BLOCK {
struct _PEB_FREE_BLOCK *Next; struct _PEB_FREE_BLOCK *Next;
ULONG Size; ULONG Size;
}; };
typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK; typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK;
typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK; typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK;
typedef struct _RTL_DRIVE_LETTER_CURDIR { typedef struct _RTL_DRIVE_LETTER_CURDIR {
USHORT Flags; USHORT Flags;
USHORT Length; USHORT Length;
ULONG TimeStamp; ULONG TimeStamp;
UNICODE_STRING DosPath; UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
typedef struct _RTL_USER_PROCESS_PARAMETERS { typedef struct _RTL_USER_PROCESS_PARAMETERS {
ULONG MaximumLength; ULONG MaximumLength;
ULONG Length; ULONG Length;
ULONG Flags; ULONG Flags;
ULONG DebugFlags; ULONG DebugFlags;
PVOID ConsoleHandle; PVOID ConsoleHandle;
ULONG ConsoleFlags; ULONG ConsoleFlags;
HANDLE StdInputHandle; HANDLE StdInputHandle;
HANDLE StdOutputHandle; HANDLE StdOutputHandle;
HANDLE StdErrorHandle; HANDLE StdErrorHandle;
UNICODE_STRING CurrentDirectoryPath; UNICODE_STRING CurrentDirectoryPath;
HANDLE CurrentDirectoryHandle; HANDLE CurrentDirectoryHandle;
UNICODE_STRING DllPath; UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName; UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine; UNICODE_STRING CommandLine;
PVOID Environment; PVOID Environment;
ULONG StartingPositionLeft; ULONG StartingPositionLeft;
ULONG StartingPositionTop; ULONG StartingPositionTop;
ULONG Width; ULONG Width;
ULONG Height; ULONG Height;
ULONG CharWidth; ULONG CharWidth;
ULONG CharHeight; ULONG CharHeight;
ULONG ConsoleTextAttributes; ULONG ConsoleTextAttributes;
ULONG WindowFlags; ULONG WindowFlags;
ULONG ShowWindowFlags; ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle; UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopName; UNICODE_STRING DesktopName;
UNICODE_STRING ShellInfo; UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData; UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20]; RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PEB { typedef struct _PEB {
BOOLEAN InheritedAddressSpace; BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions; BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged; BOOLEAN BeingDebugged;
BOOLEAN Spare; BOOLEAN Spare;
HANDLE Mutant; HANDLE Mutant;
PVOID ImageBaseAddress; PVOID ImageBaseAddress;
PPEB_LDR_DATA LoaderData; PPEB_LDR_DATA LoaderData;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters; PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID SubSystemData; PVOID SubSystemData;
PVOID ProcessHeap; PVOID ProcessHeap;
PVOID FastPebLock; PVOID FastPebLock;
PPEBLOCKROUTINE FastPebLockRoutine; PPEBLOCKROUTINE FastPebLockRoutine;
PPEBLOCKROUTINE FastPebUnlockRoutine; PPEBLOCKROUTINE FastPebUnlockRoutine;
ULONG EnvironmentUpdateCount; ULONG EnvironmentUpdateCount;
PVOID *KernelCallbackTable; PVOID *KernelCallbackTable;
PVOID EventLogSection; PVOID EventLogSection;
PVOID EventLog; PVOID EventLog;
PPEB_FREE_BLOCK FreeList; PPEB_FREE_BLOCK FreeList;
ULONG TlsExpansionCounter; ULONG TlsExpansionCounter;
PVOID TlsBitmap; PVOID TlsBitmap;
ULONG TlsBitmapBits[0x2]; ULONG TlsBitmapBits[0x2];
PVOID ReadOnlySharedMemoryBase; PVOID ReadOnlySharedMemoryBase;
PVOID ReadOnlySharedMemoryHeap; PVOID ReadOnlySharedMemoryHeap;
PVOID *ReadOnlyStaticServerData; PVOID *ReadOnlyStaticServerData;
PVOID AnsiCodePageData; PVOID AnsiCodePageData;
PVOID OemCodePageData; PVOID OemCodePageData;
PVOID UnicodeCaseTableData; PVOID UnicodeCaseTableData;
ULONG NumberOfProcessors; ULONG NumberOfProcessors;
ULONG NtGlobalFlag; ULONG NtGlobalFlag;
BYTE Spare2[0x4]; BYTE Spare2[0x4];
LARGE_INTEGER CriticalSectionTimeout; LARGE_INTEGER CriticalSectionTimeout;
ULONG HeapSegmentReserve; ULONG HeapSegmentReserve;
ULONG HeapSegmentCommit; ULONG HeapSegmentCommit;
ULONG HeapDeCommitTotalFreeThreshold; ULONG HeapDeCommitTotalFreeThreshold;
ULONG HeapDeCommitFreeBlockThreshold; ULONG HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps; ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps; ULONG MaximumNumberOfHeaps;
PVOID **ProcessHeaps; PVOID **ProcessHeaps;
PVOID GdiSharedHandleTable; PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper; PVOID ProcessStarterHelper;
PVOID GdiDCAttributeList; PVOID GdiDCAttributeList;
PVOID LoaderLock; PVOID LoaderLock;
ULONG OSMajorVersion; ULONG OSMajorVersion;
ULONG OSMinorVersion; ULONG OSMinorVersion;
ULONG OSBuildNumber; ULONG OSBuildNumber;
ULONG OSPlatformId; ULONG OSPlatformId;
ULONG ImageSubSystem; ULONG ImageSubSystem;
ULONG ImageSubSystemMajorVersion; ULONG ImageSubSystemMajorVersion;
ULONG ImageSubSystemMinorVersion; ULONG ImageSubSystemMinorVersion;
ULONG GdiHandleBuffer[0x22]; ULONG GdiHandleBuffer[0x22];
ULONG PostProcessInitRoutine; ULONG PostProcessInitRoutine;
ULONG TlsExpansionBitmap; ULONG TlsExpansionBitmap;
BYTE TlsExpansionBitmapBits[0x80]; BYTE TlsExpansionBitmapBits[0x80];
ULONG SessionId; ULONG SessionId;
} PEB, *PPEB; } PEB, *PPEB;
typedef struct _SYSTEM_PROCESS_INFORMATION { typedef struct _SYSTEM_PROCESS_INFORMATION {
@ -214,36 +214,36 @@ typedef struct _SYSTEM_THREAD_INFORMATION {
struct _SYSTEM_THREADS struct _SYSTEM_THREADS
{ {
LARGE_INTEGER KernelTime; LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime; LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime; LARGE_INTEGER CreateTime;
ULONG WaitTime; ULONG WaitTime;
PVOID StartAddress; PVOID StartAddress;
CLIENT_ID ClientIs; CLIENT_ID ClientIs;
KPRIORITY Priority; KPRIORITY Priority;
KPRIORITY BasePriority; KPRIORITY BasePriority;
ULONG ContextSwitchCount; ULONG ContextSwitchCount;
ULONG ThreadState; ULONG ThreadState;
KWAIT_REASON WaitReason; KWAIT_REASON WaitReason;
}; };
struct _SYSTEM_PROCESSES struct _SYSTEM_PROCESSES
{ {
ULONG NextEntryDelta; ULONG NextEntryDelta;
ULONG ThreadCount; ULONG ThreadCount;
ULONG Reserved[6]; ULONG Reserved[6];
LARGE_INTEGER CreateTime; LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime; LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime; LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName; UNICODE_STRING ProcessName;
KPRIORITY BasePriority; KPRIORITY BasePriority;
ULONG ProcessId; ULONG ProcessId;
ULONG InheritedFromProcessId; ULONG InheritedFromProcessId;
ULONG HandleCount; ULONG HandleCount;
ULONG Reserved2[2]; ULONG Reserved2[2];
VM_COUNTERS VmCounters; VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only IO_COUNTERS IoCounters; //windows 2000 only
struct _SYSTEM_THREADS Threads[1]; struct _SYSTEM_THREADS Threads[1];
}; };
typedef struct _HANDLE_TABLE_ENTRY_INFO typedef struct _HANDLE_TABLE_ENTRY_INFO
@ -294,42 +294,42 @@ typedef struct _HANDLE_TABLE
} HANDLE_TABLE, *PHANDLE_TABLE; } HANDLE_TABLE, *PHANDLE_TABLE;
typedef struct _OBJECT_TYPE_INITIALIZER { typedef struct _OBJECT_TYPE_INITIALIZER {
USHORT Length; USHORT Length;
BOOLEAN UseDefaultObject; BOOLEAN UseDefaultObject;
BOOLEAN CaseInsensitive; BOOLEAN CaseInsensitive;
ULONG InvalidAttributes; ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping; GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask; ULONG ValidAccessMask;
BOOLEAN SecurityRequired; BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount; BOOLEAN MaintainHandleCount;
BOOLEAN MaintainTypeList; BOOLEAN MaintainTypeList;
POOL_TYPE PoolType; POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge; ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge; ULONG DefaultNonPagedPoolCharge;
PVOID DumpProcedure; PVOID DumpProcedure;
PVOID OpenProcedure; PVOID OpenProcedure;
PVOID CloseProcedure; PVOID CloseProcedure;
PVOID DeleteProcedure; PVOID DeleteProcedure;
PVOID ParseProcedure; PVOID ParseProcedure;
PVOID SecurityProcedure; PVOID SecurityProcedure;
PVOID QueryNameProcedure; PVOID QueryNameProcedure;
PVOID OkayToCloseProcedure; PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER; } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
typedef struct _OBJECT_TYPE { typedef struct _OBJECT_TYPE {
ERESOURCE Mutex; ERESOURCE Mutex;
LIST_ENTRY TypeList; LIST_ENTRY TypeList;
UNICODE_STRING Name; // Copy from object header for convenience UNICODE_STRING Name; // Copy from object header for convenience
PVOID DefaultObject; PVOID DefaultObject;
ULONG Index; ULONG Index;
ULONG TotalNumberOfObjects; ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles; ULONG TotalNumberOfHandles;
ULONG HighWaterNumberOfObjects; ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles; ULONG HighWaterNumberOfHandles;
OBJECT_TYPE_INITIALIZER TypeInfo; OBJECT_TYPE_INITIALIZER TypeInfo;
ULONG Key; ULONG Key;
ERESOURCE ObjectLocks[4]; ERESOURCE ObjectLocks[4];
} OBJECT_TYPE, *POBJECT_TYPE; } OBJECT_TYPE, *POBJECT_TYPE;
typedef struct _OBJECT_DIRECTORY { typedef struct _OBJECT_DIRECTORY {
@ -337,8 +337,8 @@ typedef struct _OBJECT_DIRECTORY {
ULONG Lock; ULONG Lock;
PVOID DeviceMap; PVOID DeviceMap;
ULONG SessionId; ULONG SessionId;
USHORT Reserved; USHORT Reserved;
USHORT SymbolicLinkUsageCount; USHORT SymbolicLinkUsageCount;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY; } OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
/* /*
@ -353,8 +353,8 @@ typedef enum _KAPC_ENVIRONMENT {
typedef enum typedef enum
{ {
OriginalApcEnvironment, OriginalApcEnvironment,
AttachedApcEnvironment, AttachedApcEnvironment,
CurrentApcEnvironment CurrentApcEnvironment
} KAPC_ENVIRONMENT; } KAPC_ENVIRONMENT;
//---------------------------------------------------- //----------------------------------------------------
@ -362,10 +362,10 @@ typedef enum
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI ZwQuerySystemInformation( NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass, IN ULONG SystemInformationClass,
IN PVOID SystemInformation, IN PVOID SystemInformation,
IN ULONG SystemInformationLength, IN ULONG SystemInformationLength,
OUT PULONG ReturnLength); OUT PULONG ReturnLength);