update

2018-08-14 22:03:25 +08:00 · 2018-08-14 22:03:25 +08:00 · d7ae1105e6
parent 7691ab9b92
commit d7ae1105e6
4 changed files with 293 additions and 301 deletions
--- a/ProtectProcessx64/ProtectProcessx64.c
+++ b/ProtectProcessx64/ProtectProcessx64.c
@ -1,7 +1,7 @@


 #ifndef CXX_PROTECTPROCESSX64_H
-#	include "ProtectProcessx64.h"
+#    include "ProtectProcessx64.h"
 #endif


@ -10,153 +10,145 @@ PVOID obHandle;//
 NTSTATUS
 DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
 {
-	NTSTATUS status = STATUS_SUCCESS;
-	PLDR_DATA_TABLE_ENTRY64 ldr;
+    NTSTATUS status = STATUS_SUCCESS;
+    PLDR_DATA_TABLE_ENTRY64 ldr;

-	pDriverObj->DriverUnload = DriverUnload;
-	// 绕过MmVerifyCallbackFunction。
-	ldr = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
-	ldr->Flags |= 0x20;
+    pDriverObj->DriverUnload = DriverUnload;
+    // 绕过MmVerifyCallbackFunction。
+    ldr = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
+    ldr->Flags |= 0x20;

-	ProtectProcess(TRUE);
+    ProtectProcess(TRUE);

-	return STATUS_SUCCESS;
+    return STATUS_SUCCESS;
 }



 NTSTATUS ProtectProcess(BOOLEAN Enable)
 {
+    OB_CALLBACK_REGISTRATION obReg;
+    OB_OPERATION_REGISTRATION opReg;

-	OB_CALLBACK_REGISTRATION obReg;
-	OB_OPERATION_REGISTRATION opReg;
+    memset(&obReg, 0, sizeof(obReg));
+    obReg.Version = ObGetFilterVersion();
+    obReg.OperationRegistrationCount = 1;
+    obReg.RegistrationContext = NULL;
+    RtlInitUnicodeString(&obReg.Altitude, L"321000");
+    memset(&opReg, 0, sizeof(opReg)); //初始化结构体变量

-	memset(&obReg, 0, sizeof(obReg));
-	obReg.Version = ObGetFilterVersion();
-	obReg.OperationRegistrationCount = 1;
-	obReg.RegistrationContext = NULL;
-	RtlInitUnicodeString(&obReg.Altitude, L"321000");
-	memset(&opReg, 0, sizeof(opReg)); //初始化结构体变量
+    //下面 请注意这个结构体的成员字段的设置
+    opReg.ObjectType = PsProcessType;
+    opReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE; 
+    opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&preCall; //在这里注册一个回调函数指针
+    obReg.OperationRegistration = &opReg; //注意这一条语句

-	//下面 请注意这个结构体的成员字段的设置
-	opReg.ObjectType = PsProcessType;
-	opReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE; 
-
-	opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&preCall; //在这里注册一个回调函数指针
-
-	obReg.OperationRegistration = &opReg; //注意这一条语句
-
-	return ObRegisterCallbacks(&obReg, &obHandle); //在这里注册回调函数
+    return ObRegisterCallbacks(&obReg, &obHandle); //在这里注册回调函数
 }


 OB_PREOP_CALLBACK_STATUS 
-	preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
+    preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
 {
-	HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
-	char szProcName[16]={0};
-	UNREFERENCED_PARAMETER(RegistrationContext);
-	strcpy(szProcName,GetProcessImageNameByProcessID((ULONG)pid));
-	if( !_stricmp(szProcName,"calc.exe") )
-	{
-		if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
-		{
-			if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
-			{
-				//Terminate the process, such as by calling the user-mode TerminateProcess routine..
-				pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
-			}
-			if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
-			{
-				//Modify the address space of the process, such as by calling the user-mode WriteProcessMemory and VirtualProtectEx routines.
-				pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;
-			}
-			if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
-			{
-				//Read to the address space of the process, such as by calling the user-mode ReadProcessMemory routine.
-				pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;
-			}
-			if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
-			{
-				//Write to the address space of the process, such as by calling the user-mode WriteProcessMemory routine.
-				pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
-			}
-		}
-	}
-	return OB_PREOP_SUCCESS;
+    HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
+    char szProcName[16]={0};
+    UNREFERENCED_PARAMETER(RegistrationContext);
+    strcpy(szProcName,GetProcessImageNameByProcessID((ULONG)pid));
+    if( !_stricmp(szProcName,"calc.exe") )
+    {
+        if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
+        {
+            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
+            {
+                //Terminate the process, such as by calling the user-mode TerminateProcess routine..
+                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
+            }
+            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
+            {
+                //Modify the address space of the process, such as by calling the user-mode WriteProcessMemory and VirtualProtectEx routines.
+                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;
+            }
+            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
+            {
+                //Read to the address space of the process, such as by calling the user-mode ReadProcessMemory routine.
+                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;
+            }
+            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
+            {
+                //Write to the address space of the process, such as by calling the user-mode WriteProcessMemory routine.
+                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
+            }
+        }
+    }
+    return OB_PREOP_SUCCESS;
 }


 /*
 OpenProcess 会一直走入回调中  直接蓝屏
 char*
-	GetProcessImageNameByProcessID(ULONG ulProcessID)
+    GetProcessImageNameByProcessID(ULONG ulProcessID)
 {
-	CLIENT_ID Cid;    
-	HANDLE    hProcess;
-	NTSTATUS  Status;
-	OBJECT_ATTRIBUTES  oa;
-	PEPROCESS  EProcess = NULL;
+    CLIENT_ID Cid;    
+    HANDLE    hProcess;
+    NTSTATUS  Status;
+    OBJECT_ATTRIBUTES  oa;
+    PEPROCESS  EProcess = NULL;

-	Cid.UniqueProcess = (HANDLE)ulProcessID;
-	Cid.UniqueThread = 0;
+    Cid.UniqueProcess = (HANDLE)ulProcessID;
+    Cid.UniqueThread = 0;

-	InitializeObjectAttributes(&oa,0,0,0,0);
-	Status = ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&oa,&Cid);    //hProcess
-	//强打开进程获得句柄
-	if (!NT_SUCCESS(Status))
-	{
-		return FALSE;
-	}
-	Status = ObReferenceObjectByHandle(hProcess,FILE_READ_DATA,0,
-		KernelMode,&EProcess, 0);
-	//通过句柄获取EProcess
-	if (!NT_SUCCESS(Status))
-	{
-		ZwClose(hProcess);
-		return FALSE;
-	}
-	ObDereferenceObject(EProcess);
-	//最好判断
-	ZwClose(hProcess);
-	//通过EProcess获得进程名称
-	return (char*)PsGetProcessImageFileName(EProcess);     
-	
+    InitializeObjectAttributes(&oa,0,0,0,0);
+    Status = ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&oa,&Cid);    //hProcess
+    //强打开进程获得句柄
+    if (!NT_SUCCESS(Status))
+    {
+        return FALSE;
+    }
+    Status = ObReferenceObjectByHandle(hProcess,FILE_READ_DATA,0,
+        KernelMode,&EProcess, 0);
+    //通过句柄获取EProcess
+    if (!NT_SUCCESS(Status))
+    {
+        ZwClose(hProcess);
+        return FALSE;
+    }
+    ObDereferenceObject(EProcess);
+    //最好判断
+    ZwClose(hProcess);
+    //通过EProcess获得进程名称
+    return (char*)PsGetProcessImageFileName(EProcess);     
+    
 }
 */

-
-
-
 char*
-	GetProcessImageNameByProcessID(ULONG ulProcessID)
+    GetProcessImageNameByProcessID(ULONG ulProcessID)
 {
-	NTSTATUS  Status;
-	PEPROCESS  EProcess = NULL;
+    NTSTATUS  Status;
+    PEPROCESS  EProcess = NULL;

-	
-	Status = PsLookupProcessByProcessId((HANDLE)ulProcessID,&EProcess);    //hProcess
-
-	//通过句柄获取EProcess
-	if (!NT_SUCCESS(Status))
-	{
-		return FALSE;
-	}
-	ObDereferenceObject(EProcess);
-	//通过EProcess获得进程名称
-	return (char*)PsGetProcessImageFileName(EProcess);     
+    Status = PsLookupProcessByProcessId((HANDLE)ulProcessID,&EProcess);    //hProcess

+    //通过句柄获取EProcess
+    if (!NT_SUCCESS(Status))
+    {
+        return FALSE;
+    }
+    ObDereferenceObject(EProcess);
+    //通过EProcess获得进程名称
+    return (char*)PsGetProcessImageFileName(EProcess);
 }



 VOID
 DriverUnload(IN PDRIVER_OBJECT pDriverObj)
-{	
-	UNREFERENCED_PARAMETER(pDriverObj);
-	DbgPrint("driver unloading...\n");
+{    
+    UNREFERENCED_PARAMETER(pDriverObj);
+    DbgPrint("driver unloading...\n");

-	ObUnRegisterCallbacks(obHandle); //obHandle是上面定义的 PVOID obHandle;
+    ObUnRegisterCallbacks(obHandle); //obHandle是上面定义的 PVOID obHandle;
 }


--- a/ProtectProcessx64/ProtectProcessx64.h
+++ b/ProtectProcessx64/ProtectProcessx64.h
@ -6,7 +6,7 @@
 * IOCTRL Sample Driver
 *
 * Description:
-*		Demonstrates communications between USER and KERNEL.
+*        Demonstrates communications between USER and KERNEL.
 *
 ****************************************************************************************
 * Copyright (C) 2010 MZ.
@ -28,41 +28,41 @@ VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj);

 typedef struct _LDR_DATA_TABLE_ENTRY64
 {
-	LIST_ENTRY64    InLoadOrderLinks;
-	LIST_ENTRY64    InMemoryOrderLinks;
-	LIST_ENTRY64    InInitializationOrderLinks;
-	PVOID            DllBase;
-	PVOID            EntryPoint;
-	ULONG            SizeOfImage;
-	UNICODE_STRING    FullDllName;
-	UNICODE_STRING     BaseDllName;
-	ULONG            Flags;
-	USHORT            LoadCount;
-	USHORT            TlsIndex;
-	PVOID            SectionPointer;
-	ULONG            CheckSum;
-	PVOID            LoadedImports;
-	PVOID            EntryPointActivationContext;
-	PVOID            PatchInformation;
-	LIST_ENTRY64    ForwarderLinks;
-	LIST_ENTRY64    ServiceTagLinks;
-	LIST_ENTRY64    StaticLinks;
-	PVOID            ContextInformation;
-	ULONG64            OriginalBase;
-	LARGE_INTEGER    LoadTime;
+    LIST_ENTRY64    InLoadOrderLinks;
+    LIST_ENTRY64    InMemoryOrderLinks;
+    LIST_ENTRY64    InInitializationOrderLinks;
+    PVOID            DllBase;
+    PVOID            EntryPoint;
+    ULONG            SizeOfImage;
+    UNICODE_STRING    FullDllName;
+    UNICODE_STRING     BaseDllName;
+    ULONG            Flags;
+    USHORT            LoadCount;
+    USHORT            TlsIndex;
+    PVOID            SectionPointer;
+    ULONG            CheckSum;
+    PVOID            LoadedImports;
+    PVOID            EntryPointActivationContext;
+    PVOID            PatchInformation;
+    LIST_ENTRY64    ForwarderLinks;
+    LIST_ENTRY64    ServiceTagLinks;
+    LIST_ENTRY64    StaticLinks;
+    PVOID            ContextInformation;
+    ULONG64            OriginalBase;
+    LARGE_INTEGER    LoadTime;
 } LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;

 extern 
-	UCHAR *
-	PsGetProcessImageFileName(
-	__in PEPROCESS Process
-	);
+    UCHAR *
+    PsGetProcessImageFileName(
+    __in PEPROCESS Process
+    );
 char*
-	GetProcessImageNameByProcessID(ULONG ulProcessID);
+    GetProcessImageNameByProcessID(ULONG ulProcessID);

 NTSTATUS ProtectProcess(BOOLEAN Enable);

 OB_PREOP_CALLBACK_STATUS 
-	preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation);
+    preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation);

-#endif	
+#endif    
--- a/ProtectProcessx64/common.h
+++ b/ProtectProcessx64/common.h
@ -4,10 +4,10 @@
 * MODULE : common.h
 *
 * Command: 
-*	IOCTRL Common Header
+*    IOCTRL Common Header
 *
 * Description:
-*	Common data for the IoCtrl driver and application
+*    Common data for the IoCtrl driver and application
 *
 ****************************************************************************************
 * Copyright (C) 2010 MZ.
--- a/ProtectProcessx64/struct.h
+++ b/ProtectProcessx64/struct.h
@ -46,12 +46,12 @@ typedef BYTE BOOLEAN;
 #pragma pack(4)
 typedef struct _PEB_LDR_DATA
 {
-	ULONG Length;
-	BOOLEAN Initialized;
-	PVOID SsHandle;
-	LIST_ENTRY InLoadOrderModuleList;
-	LIST_ENTRY InMemoryOrderModuleList;
-	LIST_ENTRY InInitializationOrderModuleList;
+    ULONG Length;
+    BOOLEAN Initialized;
+    PVOID SsHandle;
+    LIST_ENTRY InLoadOrderModuleList;
+    LIST_ENTRY InMemoryOrderModuleList;
+    LIST_ENTRY InInitializationOrderModuleList;
 } PEB_LDR_DATA, *PPEB_LDR_DATA;
 #pragma pack() 

@ -66,106 +66,106 @@ typedef struct _PEB_ORIG {
 typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);

 struct _PEB_FREE_BLOCK {
-	struct _PEB_FREE_BLOCK *Next;
-	ULONG Size;
+    struct _PEB_FREE_BLOCK *Next;
+    ULONG Size;
 };
 typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK;
 typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK;

 typedef struct _RTL_DRIVE_LETTER_CURDIR {
-	USHORT Flags;
-	USHORT Length;
-	ULONG TimeStamp;
-	UNICODE_STRING DosPath;
+    USHORT Flags;
+    USHORT Length;
+    ULONG TimeStamp;
+    UNICODE_STRING DosPath;
 } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

 typedef struct _RTL_USER_PROCESS_PARAMETERS {
-	ULONG MaximumLength;
-	ULONG Length;
-	ULONG Flags;
-	ULONG DebugFlags;
-	PVOID ConsoleHandle;
-	ULONG ConsoleFlags;
-	HANDLE StdInputHandle;
-	HANDLE StdOutputHandle;
-	HANDLE StdErrorHandle;
-	UNICODE_STRING CurrentDirectoryPath;
-	HANDLE CurrentDirectoryHandle;
-	UNICODE_STRING DllPath;
-	UNICODE_STRING ImagePathName;
-	UNICODE_STRING CommandLine;
-	PVOID Environment;
-	ULONG StartingPositionLeft;
-	ULONG StartingPositionTop;
-	ULONG Width;
-	ULONG Height;
-	ULONG CharWidth;
-	ULONG CharHeight;
-	ULONG ConsoleTextAttributes;
-	ULONG WindowFlags;
-	ULONG ShowWindowFlags;
-	UNICODE_STRING WindowTitle;
-	UNICODE_STRING DesktopName;
-	UNICODE_STRING ShellInfo;
-	UNICODE_STRING RuntimeData;
-	RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
+    ULONG MaximumLength;
+    ULONG Length;
+    ULONG Flags;
+    ULONG DebugFlags;
+    PVOID ConsoleHandle;
+    ULONG ConsoleFlags;
+    HANDLE StdInputHandle;
+    HANDLE StdOutputHandle;
+    HANDLE StdErrorHandle;
+    UNICODE_STRING CurrentDirectoryPath;
+    HANDLE CurrentDirectoryHandle;
+    UNICODE_STRING DllPath;
+    UNICODE_STRING ImagePathName;
+    UNICODE_STRING CommandLine;
+    PVOID Environment;
+    ULONG StartingPositionLeft;
+    ULONG StartingPositionTop;
+    ULONG Width;
+    ULONG Height;
+    ULONG CharWidth;
+    ULONG CharHeight;
+    ULONG ConsoleTextAttributes;
+    ULONG WindowFlags;
+    ULONG ShowWindowFlags;
+    UNICODE_STRING WindowTitle;
+    UNICODE_STRING DesktopName;
+    UNICODE_STRING ShellInfo;
+    UNICODE_STRING RuntimeData;
+    RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

 typedef struct _PEB {
-	BOOLEAN InheritedAddressSpace;
-	BOOLEAN ReadImageFileExecOptions;
-	BOOLEAN BeingDebugged;
-	BOOLEAN Spare;
-	HANDLE Mutant;
-	PVOID ImageBaseAddress;
-	PPEB_LDR_DATA LoaderData;
-	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
-	PVOID SubSystemData;
-	PVOID ProcessHeap;
-	PVOID FastPebLock;
-	PPEBLOCKROUTINE FastPebLockRoutine;
-	PPEBLOCKROUTINE FastPebUnlockRoutine;
-	ULONG EnvironmentUpdateCount;
-	PVOID *KernelCallbackTable;
-	PVOID EventLogSection;
-	PVOID EventLog;
-	PPEB_FREE_BLOCK FreeList;
-	ULONG TlsExpansionCounter;
-	PVOID TlsBitmap;
-	ULONG TlsBitmapBits[0x2];
-	PVOID ReadOnlySharedMemoryBase;
-	PVOID ReadOnlySharedMemoryHeap;
-	PVOID *ReadOnlyStaticServerData;
-	PVOID AnsiCodePageData;
-	PVOID OemCodePageData;
-	PVOID UnicodeCaseTableData;
-	ULONG NumberOfProcessors;
-	ULONG NtGlobalFlag;
-	BYTE Spare2[0x4];
-	LARGE_INTEGER CriticalSectionTimeout;
-	ULONG HeapSegmentReserve;
-	ULONG HeapSegmentCommit;
-	ULONG HeapDeCommitTotalFreeThreshold;
-	ULONG HeapDeCommitFreeBlockThreshold;
-	ULONG NumberOfHeaps;
-	ULONG MaximumNumberOfHeaps;
-	PVOID **ProcessHeaps;
-	PVOID GdiSharedHandleTable;
-	PVOID ProcessStarterHelper;
-	PVOID GdiDCAttributeList;
-	PVOID LoaderLock;
-	ULONG OSMajorVersion;
-	ULONG OSMinorVersion;
-	ULONG OSBuildNumber;
-	ULONG OSPlatformId;
-	ULONG ImageSubSystem;
-	ULONG ImageSubSystemMajorVersion;
-	ULONG ImageSubSystemMinorVersion;
-	ULONG GdiHandleBuffer[0x22];
-	ULONG PostProcessInitRoutine;
-	ULONG TlsExpansionBitmap;
-	BYTE TlsExpansionBitmapBits[0x80];
-	ULONG SessionId;
+    BOOLEAN InheritedAddressSpace;
+    BOOLEAN ReadImageFileExecOptions;
+    BOOLEAN BeingDebugged;
+    BOOLEAN Spare;
+    HANDLE Mutant;
+    PVOID ImageBaseAddress;
+    PPEB_LDR_DATA LoaderData;
+    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+    PVOID SubSystemData;
+    PVOID ProcessHeap;
+    PVOID FastPebLock;
+    PPEBLOCKROUTINE FastPebLockRoutine;
+    PPEBLOCKROUTINE FastPebUnlockRoutine;
+    ULONG EnvironmentUpdateCount;
+    PVOID *KernelCallbackTable;
+    PVOID EventLogSection;
+    PVOID EventLog;
+    PPEB_FREE_BLOCK FreeList;
+    ULONG TlsExpansionCounter;
+    PVOID TlsBitmap;
+    ULONG TlsBitmapBits[0x2];
+    PVOID ReadOnlySharedMemoryBase;
+    PVOID ReadOnlySharedMemoryHeap;
+    PVOID *ReadOnlyStaticServerData;
+    PVOID AnsiCodePageData;
+    PVOID OemCodePageData;
+    PVOID UnicodeCaseTableData;
+    ULONG NumberOfProcessors;
+    ULONG NtGlobalFlag;
+    BYTE Spare2[0x4];
+    LARGE_INTEGER CriticalSectionTimeout;
+    ULONG HeapSegmentReserve;
+    ULONG HeapSegmentCommit;
+    ULONG HeapDeCommitTotalFreeThreshold;
+    ULONG HeapDeCommitFreeBlockThreshold;
+    ULONG NumberOfHeaps;
+    ULONG MaximumNumberOfHeaps;
+    PVOID **ProcessHeaps;
+    PVOID GdiSharedHandleTable;
+    PVOID ProcessStarterHelper;
+    PVOID GdiDCAttributeList;
+    PVOID LoaderLock;
+    ULONG OSMajorVersion;
+    ULONG OSMinorVersion;
+    ULONG OSBuildNumber;
+    ULONG OSPlatformId;
+    ULONG ImageSubSystem;
+    ULONG ImageSubSystemMajorVersion;
+    ULONG ImageSubSystemMinorVersion;
+    ULONG GdiHandleBuffer[0x22];
+    ULONG PostProcessInitRoutine;
+    ULONG TlsExpansionBitmap;
+    BYTE TlsExpansionBitmapBits[0x80];
+    ULONG SessionId;
 } PEB, *PPEB;

 typedef struct _SYSTEM_PROCESS_INFORMATION {
@ -214,36 +214,36 @@ typedef struct _SYSTEM_THREAD_INFORMATION {

 struct _SYSTEM_THREADS
 {
-	LARGE_INTEGER		KernelTime;
-	LARGE_INTEGER		UserTime;
-	LARGE_INTEGER		CreateTime;
-	ULONG				WaitTime;
-	PVOID				StartAddress;
-	CLIENT_ID			ClientIs;
-	KPRIORITY			Priority;
-	KPRIORITY			BasePriority;
-	ULONG				ContextSwitchCount;
-	ULONG				ThreadState;
-	KWAIT_REASON		WaitReason;
+    LARGE_INTEGER        KernelTime;
+    LARGE_INTEGER        UserTime;
+    LARGE_INTEGER        CreateTime;
+    ULONG                WaitTime;
+    PVOID                StartAddress;
+    CLIENT_ID            ClientIs;
+    KPRIORITY            Priority;
+    KPRIORITY            BasePriority;
+    ULONG                ContextSwitchCount;
+    ULONG                ThreadState;
+    KWAIT_REASON        WaitReason;
 };

 struct _SYSTEM_PROCESSES
 {
-	ULONG				NextEntryDelta;
-	ULONG				ThreadCount;
-	ULONG				Reserved[6];
-	LARGE_INTEGER		CreateTime;
-	LARGE_INTEGER		UserTime;
-	LARGE_INTEGER		KernelTime;
-	UNICODE_STRING		ProcessName;
-	KPRIORITY			BasePriority;
-	ULONG				ProcessId;
-	ULONG				InheritedFromProcessId;
-	ULONG				HandleCount;
-	ULONG				Reserved2[2];
-	VM_COUNTERS			VmCounters;
-	IO_COUNTERS			IoCounters; //windows 2000 only
-	struct _SYSTEM_THREADS	Threads[1];
+    ULONG                NextEntryDelta;
+    ULONG                ThreadCount;
+    ULONG                Reserved[6];
+    LARGE_INTEGER        CreateTime;
+    LARGE_INTEGER        UserTime;
+    LARGE_INTEGER        KernelTime;
+    UNICODE_STRING        ProcessName;
+    KPRIORITY            BasePriority;
+    ULONG                ProcessId;
+    ULONG                InheritedFromProcessId;
+    ULONG                HandleCount;
+    ULONG                Reserved2[2];
+    VM_COUNTERS            VmCounters;
+    IO_COUNTERS            IoCounters; //windows 2000 only
+    struct _SYSTEM_THREADS    Threads[1];
 };

 typedef struct _HANDLE_TABLE_ENTRY_INFO
@ -294,42 +294,42 @@ typedef struct _HANDLE_TABLE
 } HANDLE_TABLE, *PHANDLE_TABLE;

 typedef struct _OBJECT_TYPE_INITIALIZER {
-	USHORT Length;
-	BOOLEAN UseDefaultObject;
-	BOOLEAN CaseInsensitive;
-	ULONG InvalidAttributes;
-	GENERIC_MAPPING GenericMapping;
-	ULONG ValidAccessMask;
-	BOOLEAN SecurityRequired;
-	BOOLEAN MaintainHandleCount;
-	BOOLEAN MaintainTypeList;
-	POOL_TYPE PoolType;
-	ULONG DefaultPagedPoolCharge;
-	ULONG DefaultNonPagedPoolCharge;
-	PVOID DumpProcedure;
-	PVOID OpenProcedure;
-	PVOID CloseProcedure;
-	PVOID DeleteProcedure;
-	PVOID ParseProcedure;
-	PVOID SecurityProcedure;
-	PVOID QueryNameProcedure;
-	PVOID OkayToCloseProcedure;
+    USHORT Length;
+    BOOLEAN UseDefaultObject;
+    BOOLEAN CaseInsensitive;
+    ULONG InvalidAttributes;
+    GENERIC_MAPPING GenericMapping;
+    ULONG ValidAccessMask;
+    BOOLEAN SecurityRequired;
+    BOOLEAN MaintainHandleCount;
+    BOOLEAN MaintainTypeList;
+    POOL_TYPE PoolType;
+    ULONG DefaultPagedPoolCharge;
+    ULONG DefaultNonPagedPoolCharge;
+    PVOID DumpProcedure;
+    PVOID OpenProcedure;
+    PVOID CloseProcedure;
+    PVOID DeleteProcedure;
+    PVOID ParseProcedure;
+    PVOID SecurityProcedure;
+    PVOID QueryNameProcedure;
+    PVOID OkayToCloseProcedure;
 } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;


 typedef struct _OBJECT_TYPE {
-	ERESOURCE Mutex;
-	LIST_ENTRY TypeList;
-	UNICODE_STRING Name;            // Copy from object header for convenience
-	PVOID DefaultObject;
-	ULONG Index;
-	ULONG TotalNumberOfObjects;
-	ULONG TotalNumberOfHandles;
-	ULONG HighWaterNumberOfObjects;
-	ULONG HighWaterNumberOfHandles;
-	OBJECT_TYPE_INITIALIZER TypeInfo;
-	ULONG Key;
-	ERESOURCE ObjectLocks[4];
+    ERESOURCE Mutex;
+    LIST_ENTRY TypeList;
+    UNICODE_STRING Name;            // Copy from object header for convenience
+    PVOID DefaultObject;
+    ULONG Index;
+    ULONG TotalNumberOfObjects;
+    ULONG TotalNumberOfHandles;
+    ULONG HighWaterNumberOfObjects;
+    ULONG HighWaterNumberOfHandles;
+    OBJECT_TYPE_INITIALIZER TypeInfo;
+    ULONG Key;
+    ERESOURCE ObjectLocks[4];
 } OBJECT_TYPE, *POBJECT_TYPE;

 typedef struct _OBJECT_DIRECTORY {
@ -337,8 +337,8 @@ typedef struct _OBJECT_DIRECTORY {
    ULONG Lock;
    PVOID DeviceMap;
    ULONG SessionId;
-	USHORT Reserved;
-	USHORT SymbolicLinkUsageCount;
+    USHORT Reserved;
+    USHORT SymbolicLinkUsageCount;
 } OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

 /*
@ -353,8 +353,8 @@ typedef enum _KAPC_ENVIRONMENT {
 typedef enum
 {
    OriginalApcEnvironment,
-	AttachedApcEnvironment,
-	CurrentApcEnvironment
+    AttachedApcEnvironment,
+    CurrentApcEnvironment
 } KAPC_ENVIRONMENT;

 //----------------------------------------------------
@ -362,10 +362,10 @@ typedef enum
 NTSYSAPI
 NTSTATUS
 NTAPI ZwQuerySystemInformation(
-							   IN ULONG SystemInformationClass,
-							   IN PVOID SystemInformation,
-							   IN ULONG SystemInformationLength,
-							   OUT PULONG ReturnLength);
+                               IN ULONG SystemInformationClass,
+                               IN PVOID SystemInformation,
+                               IN ULONG SystemInformationLength,
+                               OUT PULONG ReturnLength);