BlackBone
Windows memory hacking library
Private.c File Reference
#include "Private.h"
#include <Ntstrsafe.h>

Functions

PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry (IN PHANDLE_TABLE HandleTable, IN EXHANDLE tHandle)
 Lookup handle in the process handle table
 
PVOID GetKernelBase ()
 Get ntoskrnl base address
 
PVOID GetSSDTBase ()
 Gets SSDT base - KiServiceTable
 
PVOID GetSSDTEntry (IN ULONG index)
 Gets the SSDT entry address by index.
 
PMMPTE GetPTEForVA (IN PVOID pAddress)
 Get page hardware PTE. Address must be valid, otherwise bug check is imminent.
 
NTSTATUS NTAPI ZwCreateThreadEx (OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN PVOID ObjectAttributes, IN HANDLE ProcessHandle, IN PVOID lpStartAddress, IN PVOID lpParameter, IN ULONG Flags, IN SIZE_T StackZeroBits, IN SIZE_T SizeOfStackCommit, IN SIZE_T SizeOfStackReserve, IN PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList)
 

Variables

DYNAMIC_DATA dynData
 
PVOID g_KernelBase = NULL
 
PVOID g_SSDT = NULL
 
MMPTE ValidKernelPte
 

Function Documentation

PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry ( IN PHANDLE_TABLE  HandleTable,
IN EXHANDLE  tHandle 
)

Lookup handle in the process handle table

Parameters
HandleTable: Handle table
tHandle: Handle to search for
Returns
Found entry, NULL if nothing found
PVOID GetKernelBase ( )

Get ntoskrnl base address

Returns
Found address, NULL if not found
PMMPTE GetPTEForVA ( IN PVOID  pAddress)

Get page hardware PTE. Address must be valid, otherwise bug check is imminent.

Parameters
pAddress: Target address
Returns
Found PTE
PVOID GetSSDTBase ( )

Gets SSDT base - KiServiceTable

Gets SSDT base - KiSystemServiceTable

Returns
SSDT base, NULL if not found
PVOID GetSSDTEntry ( IN ULONG  index)

Gets the SSDT entry address by index.

Parameters
index: Service index
Returns
Found service address, NULL if not found
NTSTATUS NTAPI ZwCreateThreadEx ( OUT PHANDLE  hThread,
IN ACCESS_MASK  DesiredAccess,
IN PVOID  ObjectAttributes,
IN HANDLE  ProcessHandle,
IN PVOID  lpStartAddress,
IN PVOID  lpParameter,
IN ULONG  Flags,
IN SIZE_T  StackZeroBits,
IN SIZE_T  SizeOfStackCommit,
IN SIZE_T  SizeOfStackReserve,
IN PNT_PROC_THREAD_ATTRIBUTE_LIST  AttributeList 
)

Variable Documentation

DYNAMIC_DATA dynData
PVOID g_KernelBase = NULL
PVOID g_SSDT = NULL
MMPTE ValidKernelPte
Initial value:
#define MM_PTE_ACCESS_MASK
Definition: Private.h:33
#define MM_PTE_WRITE_MASK
Definition: Private.h:29
#define MM_PTE_GLOBAL_MASK
Definition: Private.h:36
#define MM_PTE_VALID_MASK
Definition: Private.h:28
#define MM_PTE_DIRTY_MASK
Definition: Private.h:34