#pragma once
#include <Ntddk.h>
/*
 * Information classes accepted by ZwQuerySystemInformation (declared below).
 *
 * This is a partial, hand-maintained copy of the NT enum: every member is
 * given its numeric value explicitly because the gaps between them are
 * real members that are not reproduced here. Do not renumber or reorder;
 * the values are the wire contract with the kernel.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    /* Returns a chain of SYSTEM_PROCESS_INFORMATION entries (see below). */
    SystemProcessInformation = 5,
    SystemProcessorPerformanceInformation = 8,
    SystemInterruptInformation = 23,
    SystemExceptionInformation = 33,
    SystemRegistryQuotaInformation = 37,
    SystemLookasideInformation = 45,
    SystemPolicyInformation = 134,
} SYSTEM_INFORMATION_CLASS;
/*
 * One entry of the buffer returned for SystemProcessInformation.
 *
 * This mirrors the public winternl.h layout (the Reserved* members are
 * opaque there as well). Entries are variable-sized and chained through
 * NextEntryOffset; a consumer walking the chain should check that each
 * offset still lies inside the byte count the query actually returned
 * before following it, rather than trusting the offset on its own.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    /* Byte offset from this entry to the next; 0 marks the last entry. */
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER Reserved[3];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    /* Image file name. NOTE(review): presumably Buffer points into the
     * same query buffer, so it is only valid while that buffer lives —
     * confirm before copying the pointer out. */
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    /* Process ids are carried as HANDLE-typed integers, not real handles. */
    HANDLE ProcessId;
    HANDLE InheritedFromProcessId;
    ULONG HandleCount;
    UCHAR Reserved4[4];
    PVOID Reserved5[11];
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
/*
 * Loaded-module list entry.
 *
 * NOTE(review): this is an undocumented structure; the field names used
 * here are the driver's own spelling and the layout must match the target
 * OS build, since offsets are not stable across versions — confirm
 * against the build the driver is tested on. Only the leading fields are
 * reproduced, so never allocate or copy this type by sizeof.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    /* Links into the three module lists; which list a caller walks
     * determines which LIST_ENTRY it must CONTAINING_RECORD from. */
    LIST_ENTRY LoadOrder;
    LIST_ENTRY MemoryOrder;
    LIST_ENTRY InitializationOrder;
    PVOID ModuleBaseAddress;
    PVOID EntryPoint;
    ULONG ModuleSize;
    UNICODE_STRING FullModuleName;
    UNICODE_STRING ModuleName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    /* Overlaid members; which view is valid is not determinable from this
     * header alone — presumably Flags decides. */
    union {
        LIST_ENTRY Hash;
        struct {
            PVOID SectionPointer;
            ULONG CheckSum;
        } s;
    } u;
    ULONG TimeStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
/*
 * Kernel-mode prototype for ZwQuerySystemInformation, which Ntddk.h does
 * not declare.
 *
 * Per the public documentation, when SystemInformationLength is too small
 * the call fails with STATUS_INFO_LENGTH_MISMATCH and, if ReturnLength is
 * supplied, stores the size needed; callers are expected to re-query with
 * a larger buffer. NOTE(review): SystemInformation is annotated _Inout_
 * here but _Out_ on ZwQueryInformationProcess below — presumably only one
 * of the two is intended; confirm which the analysis tooling expects.
 */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _Inout_ PVOID SystemInformation,
    _In_ ULONG SystemInformationLength,
    _Out_opt_ PULONG ReturnLength
);
/*
 * Kernel-mode prototype for ZwQueryInformationProcess, which Ntddk.h does
 * not declare.
 *
 * ProcessHandle must be a handle the caller owns (or is allowed to use
 * from kernel mode). Like ZwQuerySystemInformation, a too-small buffer is
 * reported through the status and ReturnLength per the public
 * documentation; size the buffer from ReturnLength and retry.
 */
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
    _In_ HANDLE ProcessHandle,
    _In_ PROCESSINFOCLASS ProcessInformationClass,
    _Out_ PVOID ProcessInformation,
    _In_ ULONG ProcessInformationLength,
    _Out_opt_ PULONG ReturnLength
);
/*
 * Resolves a process id to its EPROCESS.
 *
 * Documented WDK export; redeclared here so the header is self-contained.
 * On success *Process holds a reference that the caller must release with
 * ObDereferenceObject. _Must_inspect_result_ is deliberate: on failure
 * *Process is not valid and must not be touched.
 */
_Must_inspect_result_
_IRQL_requires_max_(APC_LEVEL)
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
    _In_ HANDLE ProcessId,
    _Outptr_ PEPROCESS* Process
);
/* Bit in HANDLE_TABLE_ENTRY.u1.Value used as the per-entry lock flag.
 * NOTE(review): this overlaps the low bit of the Object pointer, so a
 * locked entry's Object must be masked before it is dereferenced —
 * confirm the consumer does this. */
#define EXHANDLE_TABLE_ENTRY_LOCK_BIT 1

/*
 * Handle-table entry as this driver models it.
 *
 * NOTE(review): undocumented layout; the real entry has changed across
 * Windows versions, and this two-pointer view is presumably the older
 * (pre-8.1) form — confirm against the builds the driver targets before
 * trusting GrantedAccess or Object read through it.
 */
typedef struct _HANDLE_TABLE_ENTRY {
    union {
        /* Object pointer (with flag bits in its low bits) ... */
        VOID* Object;
        /* ... or the same word viewed as an integer for bit tests. */
        ULONG_PTR Value;
    } u1;
    union {
        /* Valid for an in-use entry. */
        ULONG GrantedAccess;
        /* Valid for a free entry (free-list link). */
        ULONG_PTR NextFreeTableEntry;
    } u2;
} HANDLE_TABLE_ENTRY, * PHANDLE_TABLE_ENTRY;
/*
 * Leading fields of the Windows 8 handle table (nt!_HANDLE_TABLE).
 *
 * NOTE(review): undocumented layout reconstructed for a specific build;
 * it is only a prefix of the real structure, so it must only ever be
 * accessed through a pointer to a kernel-owned table — never allocated,
 * copied or sized with sizeof. Confirm the offsets against every build the
 * driver runs on.
 */
typedef struct _HANDLE_TABLE_WIN8 {
    ULONG NextHandleNeedingPool;
    LONG ExtraInfoPages;
    /* Encoded pointer to the table pages; declared volatile because the
     * kernel updates it concurrently. */
    volatile ULONG TableCode;
    struct _EPROCESS* QuotaProcess;
    struct _LIST_ENTRY HandleTableList;
    ULONG UniqueProcessId;
    ULONG Flags;
    EX_PUSH_LOCK HandleContentionEvent;
    /* Push lock the kernel holds while mutating the table; see
     * ExfUnblockPushLock below. */
    EX_PUSH_LOCK HandleTableLock;
    // Remaining fields deliberately omitted (see the note above).
} HANDLE_TABLE_WIN8, *PHANDLE_TABLE_WIN8;
// Windows 7
/*
 * Callback signature for ExEnumHandleTable on Windows 7.
 *
 * Invoked once per in-use entry with the entry, its handle value and the
 * caller's EnumParameter. NOTE(review): presumably returning TRUE stops
 * the walk, as with the documented ExEnumHandleTable contract — verify
 * in the enumeration code. The Windows 8 variant below takes an extra
 * leading parameter, so the right typedef must be chosen at runtime
 * (see IsWin8OrAbove).
 */
typedef BOOLEAN(*EX_ENUMERATE_HANDLE_ROUTINE)(
    IN PHANDLE_TABLE_ENTRY HandleTableEntry,
    IN HANDLE Handle,
    IN PVOID EnumParameter
);
// Windows 8
/*
 * Callback signature for ExEnumHandleTable on Windows 8 and later.
 *
 * Same contract as EX_ENUMERATE_HANDLE_ROUTINE but with the handle table
 * passed as the first argument. Passing a Windows 7-style callback here
 * would shift every argument by one, so the version check must happen
 * before the table is walked.
 */
typedef BOOLEAN(*EX_ENUMERATE_HANDLE_ROUTINE_WIN8)(
    IN PVOID PspCidTable,
    IN PHANDLE_TABLE_ENTRY HandleTableEntry,
    IN HANDLE Handle,
    IN PVOID EnumParameter
);
/*
 * Walks a handle table, calling EnumHandleProcedure for each in-use entry.
 *
 * Exported but undocumented. The prototype uses the Windows 7 callback
 * type; on Windows 8+ the callback actually receives the
 * EX_ENUMERATE_HANDLE_ROUTINE_WIN8 argument list, so the caller is
 * responsible for casting the right function in. Handle, when supplied,
 * presumably receives the handle at which the walk stopped — confirm.
 */
NTKERNELAPI
BOOLEAN
ExEnumHandleTable(
    _In_ PVOID HandleTable,
    _In_ EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
    _In_ PVOID EnumParameter,
    _Out_opt_ PHANDLE Handle
);
/*
 * Releases a push lock that the kernel left acquired on the calling
 * thread's behalf (e.g. HandleTableLock after an enumeration).
 *
 * Exported but undocumented; unlike the other prototypes in this header
 * it carries no SAL annotations. NOTE(review): which lock/wait block this
 * must be paired with is not visible here — confirm at the call site,
 * since unbalancing a push lock corrupts the kernel's lock state.
 */
NTKERNELAPI
VOID
FASTCALL
ExfUnblockPushLock(
    PEX_PUSH_LOCK PushLock,
    PVOID CurrentWaitBlock
);
/*
 * Driver-side wrappers around the Zw query calls.
 *
 * NOTE(review): by the signatures these presumably perform the
 * size-probe / allocate / retry loop themselves and hand back an
 * allocated buffer in *InfoBuffer with its size in *InfoSize; the buffer
 * is then released with FreeInformation. Ownership of the buffer rests
 * with the caller between those two calls — confirm against the
 * definitions.
 */
NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize);
/* ProcessId (not a handle) identifies the target process. */
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);
/* Releases a buffer obtained from either query wrapper. */
VOID FreeInformation(PVOID Buffer);
/* Growth step, in bytes, used when sizing the normalized path buffer
 * (name spelling is historical and kept for compatibility). The USHORT
 * cast matches UNICODE_STRING's USHORT Length/MaximumLength fields. */
#define NORMALIZE_INCREAMENT (USHORT)0x200

/*
 * Rewrites a device-relative path into its normalized form.
 *
 * NOTE(review): presumably allocates Normalized->Buffer, growing it in
 * NORMALIZE_INCREAMENT steps, which would make the caller responsible
 * for freeing it — confirm against the definition and document the
 * owner there.
 */
NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);
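/*
 * Core logging macro behind LogError/LogWarning/LogTrace/LogInfo.
 *
 * Emits one DbgPrintEx line under DPFLTR_IHVDRIVER_ID at the given
 * DPFLTR_* level, prefixed with the level name, the current IRQL, the
 * current process and thread ids, and the calling function's name.
 *
 * frmt and lvlname must be string literals: both are concatenated with
 * the adjacent literals at compile time, so a runtime-built format string
 * cannot reach DbgPrintEx through this macro (there is no format-string
 * injection path here by construction).
 *
 * The three prefix values are cast to SIZE_T so that each matches its
 * %Iu conversion exactly: KeGetCurrentIrql() returns KIRQL (an unsigned
 * char, promoted to int in the variadic call) and the two ids are HANDLEs;
 * passing either unconverted to a size_t conversion is undefined.
 *
 * NOTE(review): with no extra arguments the expansion ends in a comma
 * before an empty __VA_ARGS__; this presumably relies on the MSVC
 * preprocessor dropping that comma — verify if the driver is ever built
 * with a conforming preprocessor.
 */
#define _LogMsg(lvl, lvlname, frmt, ...) \
    DbgPrintEx(\
        DPFLTR_IHVDRIVER_ID, \
        lvl, \
        "[" lvlname "] [irql:%Iu,pid:%Iu,tid:%Iu]\thidden!" __FUNCTION__ ": " frmt "\n", \
        (SIZE_T)KeGetCurrentIrql(), \
        (SIZE_T)PsGetCurrentProcessId(), \
        (SIZE_T)PsGetCurrentThreadId(), \
        __VA_ARGS__ \
    )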
BOOLEAN IsWin8OrAbove();
/*
 * Level-specific front ends for _LogMsg. frmt must be a string literal
 * (it is concatenated into the DbgPrintEx format); the remaining
 * arguments are forwarded as the printf-style values.
 */
#define LogError(frmt, ...) _LogMsg(DPFLTR_ERROR_LEVEL, "error", frmt, __VA_ARGS__)
#define LogWarning(frmt, ...) _LogMsg(DPFLTR_WARNING_LEVEL, "warning", frmt, __VA_ARGS__)
#define LogTrace(frmt, ...) _LogMsg(DPFLTR_TRACE_LEVEL, "trace", frmt, __VA_ARGS__)
#define LogInfo(frmt, ...) _LogMsg(DPFLTR_INFO_LEVEL, "info", frmt, __VA_ARGS__)