#include "Imports.h"

Go to the source code of this file.

Data Structures
struct	_DYNAMIC_DATA
	OS-dependent stuff More...

Macros
#define	DPRINT(...)

#define	BB_POOL_TAG 'enoB'

#define	ObpAccessProtectCloseBit 0x2000000

#define	MM_ZERO_ACCESS 0

#define	MM_READONLY 1

#define	MM_EXECUTE 2

#define	MM_EXECUTE_READ 3

#define	MM_READWRITE 4

#define	MM_WRITECOPY 5

#define	MM_EXECUTE_READWRITE 6

#define	MM_EXECUTE_WRITECOPY 7

#define	MM_PTE_VALID_MASK 0x1

#define	MM_PTE_WRITE_MASK 0x800

#define	MM_PTE_OWNER_MASK 0x4

#define	MM_PTE_WRITE_THROUGH_MASK 0x8

#define	MM_PTE_CACHE_DISABLE_MASK 0x10

#define	MM_PTE_ACCESS_MASK 0x20

#define	MM_PTE_DIRTY_MASK 0x42

#define	MM_PTE_LARGE_PAGE_MASK 0x80

#define	MM_PTE_GLOBAL_MASK 0x100

#define	MM_PTE_COPY_ON_WRITE_MASK 0x200

#define	MM_PTE_PROTOTYPE_MASK 0x400

#define	MM_PTE_TRANSITION_MASK 0x800

#define	VIRTUAL_ADDRESS_BITS 48

#define	VIRTUAL_ADDRESS_MASK ((((ULONG_PTR)1) << VIRTUAL_ADDRESS_BITS) - 1)

#define	THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001

#define	THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002

#define	THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004

#define	PTE_SHIFT 3

#define	ObpDecodeGrantedAccess(Access) ((Access)& ~ObpAccessProtectCloseBit)

#define	ObpDecodeObject(Object) (PVOID)(((LONG_PTR)Object >> 0x10) & ~(ULONG_PTR)0xF)

#define	MiGetPxeOffset(va) ((ULONG)(((ULONG_PTR)(va) >> PXI_SHIFT) & PXI_MASK))

#define	MiGetPxeAddress(va) ((PMMPTE)PXE_BASE + MiGetPxeOffset(va))

#define	MiGetPpeAddress(va) ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PPI_SHIFT) << PTE_SHIFT) + PPE_BASE))

#define	MiGetPdeAddress(va) ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PDI_SHIFT) << PTE_SHIFT) + PDE_BASE))

#define	MiGetPteAddress(va) ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PTI_SHIFT) << PTE_SHIFT) + PTE_BASE))

#define	VA_SHIFT (63 - 47)

#define	MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((LONG_PTR)(((LONG_PTR)(PTE) - PTE_BASE) << (PAGE_SHIFT + VA_SHIFT - PTE_SHIFT)) >> VA_SHIFT))

#define	MI_IS_PHYSICAL_ADDRESS(Va)

Typedefs
typedef ULONG	WIN32_PROTECTION_MASK

typedef PULONG	PWIN32_PROTECTION_MASK

typedef enum _WinVer	WinVer

typedef struct _DYNAMIC_DATA	DYNAMIC_DATA
	OS-dependent stuff More...

typedef struct _DYNAMIC_DATA *	PDYNAMIC_DATA

typedef IN ACCESS_MASK	DesiredAccess

typedef IN ACCESS_MASK IN PVOID	ObjectAttributes

typedef IN ACCESS_MASK IN PVOID IN HANDLE	ProcessHandle

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID	lpStartAddress

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID	lpParameter

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG	Flags

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T	StackZeroBits

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T IN SIZE_T	SizeOfStackCommit

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T IN SIZE_T IN SIZE_T	SizeOfStackReserve

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T IN SIZE_T IN SIZE_T OUT PVOID	lpBytesBuffer

Enumerations
enum	_WinVer { WINVER_7 = 0x610, WINVER_7_SP1 = 0x611, WINVER_8 = 0x620, WINVER_81 = 0x630 }

Functions
typedef	NTSTATUS (NTAPI *fnNtCreateThreadEx)(OUT PHANDLE hThread

typedef	PFN_NUMBER (NTAPI *fnMiAllocateDriverPage)(PMMPTE pPTE)

NTSYSAPI NTSTATUS NTAPI	ZwProtectVirtualMemory (IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN SIZE_T NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection)

PHANDLE_TABLE_ENTRY	ExpLookupHandleTableEntry (IN PHANDLE_TABLE HandleTable, IN EXHANDLE tHandle)
	Lookup handle in the process handle table More...

PVOID	GetKernelBase ()
	Get ntoskrnl base address More...

PVOID	GetSSDTBase ()
	Gets SSDT base - KiSystemServiceTable More...

PVOID	GetSSDTEntry (IN ULONG index)
	Gets the SSDT entry address by index. More...

PMMPTE	GetPTEForVA (IN PVOID pAddress)
	Get page hardware PTE Address must be valid, otherwise bug check is imminent More...

Variables
PLIST_ENTRY	PsLoadedModuleList

MMPTE	ValidKernelPte

Macro Definition Documentation

#define BB_POOL_TAG 'enoB'

#define DPRINT ( ... )

#define MI_IS_PHYSICAL_ADDRESS ( Va )

Value:

((MiGetPxeAddress(Va)->u.Hard.Valid == 1) && \
     (MiGetPpeAddress(Va)->u.Hard.Valid == 1) && \
     ((MiGetPdeAddress(Va)->u.Long & 0x81) == 0x81) || (MiGetPteAddress(Va)->u.Hard.Valid == 1))

#define MiGetPdeAddress ( va ) ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PDI_SHIFT) << PTE_SHIFT) + PDE_BASE))

#define MiGetPpeAddress ( va ) ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PPI_SHIFT) << PTE_SHIFT) + PPE_BASE))

#define MiGetPteAddress ( va ) ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PTI_SHIFT) << PTE_SHIFT) + PTE_BASE))

#define MiGetPxeAddress ( va ) ((PMMPTE)PXE_BASE + MiGetPxeOffset(va))

#define MiGetPxeOffset ( va ) ((ULONG)(((ULONG_PTR)(va) >> PXI_SHIFT) & PXI_MASK))

#define MiGetVirtualAddressMappedByPte ( PTE ) ((PVOID)((LONG_PTR)(((LONG_PTR)(PTE) - PTE_BASE) << (PAGE_SHIFT + VA_SHIFT - PTE_SHIFT)) >> VA_SHIFT))

#define MM_EXECUTE 2

#define MM_EXECUTE_READ 3

#define MM_EXECUTE_READWRITE 6

#define MM_EXECUTE_WRITECOPY 7

#define MM_PTE_ACCESS_MASK 0x20

#define MM_PTE_CACHE_DISABLE_MASK 0x10

#define MM_PTE_COPY_ON_WRITE_MASK 0x200

#define MM_PTE_DIRTY_MASK 0x42

#define MM_PTE_GLOBAL_MASK 0x100

#define MM_PTE_LARGE_PAGE_MASK 0x80

#define MM_PTE_OWNER_MASK 0x4

#define MM_PTE_PROTOTYPE_MASK 0x400

#define MM_PTE_TRANSITION_MASK 0x800

#define MM_PTE_VALID_MASK 0x1

#define MM_PTE_WRITE_MASK 0x800

#define MM_PTE_WRITE_THROUGH_MASK 0x8

#define MM_READONLY 1

#define MM_READWRITE 4

#define MM_WRITECOPY 5

#define MM_ZERO_ACCESS 0

#define ObpAccessProtectCloseBit 0x2000000

#define ObpDecodeGrantedAccess ( Access ) ((Access)& ~ObpAccessProtectCloseBit)

#define ObpDecodeObject ( Object ) (PVOID)(((LONG_PTR)Object >> 0x10) & ~(ULONG_PTR)0xF)

#define PTE_SHIFT 3

#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001

#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004

#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002

#define VA_SHIFT (63 - 47)

#define VIRTUAL_ADDRESS_BITS 48

#define VIRTUAL_ADDRESS_MASK ((((ULONG_PTR)1) << VIRTUAL_ADDRESS_BITS) - 1)

Typedef Documentation

typedef IN ACCESS_MASK DesiredAccess

typedef struct _DYNAMIC_DATA DYNAMIC_DATA

OS-dependent stuff

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG Flags

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T IN SIZE_T IN SIZE_T OUT PVOID lpBytesBuffer

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID lpParameter

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID lpStartAddress

typedef IN ACCESS_MASK IN PVOID ObjectAttributes

typedef struct _DYNAMIC_DATA * PDYNAMIC_DATA

typedef IN ACCESS_MASK IN PVOID IN HANDLE ProcessHandle

typedef PULONG PWIN32_PROTECTION_MASK

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T IN SIZE_T SizeOfStackCommit

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T IN SIZE_T IN SIZE_T SizeOfStackReserve

typedef IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T StackZeroBits

typedef ULONG WIN32_PROTECTION_MASK

typedef enum _WinVer WinVer

Enumeration Type Documentation

enum _WinVer

Enumerator
WINVER_7
WINVER_7_SP1
WINVER_8
WINVER_81

Function Documentation

PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry	(	IN PHANDLE_TABLE	HandleTable,
		IN EXHANDLE	tHandle
	)

Lookup handle in the process handle table

Parameters

HandleTable	Handle table
tHandle	Handle to search for

Returns: Found entry, NULL if nothing found

PVOID GetKernelBase ( )

Get ntoskrnl base address

Returns: Found address, NULL if not found

PMMPTE GetPTEForVA ( IN PVOID pAddress )

Get page hardware PTE Address must be valid, otherwise bug check is imminent

Parameters

pAddress Target address

Returns: Found PTE

PVOID GetSSDTBase ( )

Gets SSDT base - KiSystemServiceTable

Returns: SSDT base, NULL if not found

Gets SSDT base - KiSystemServiceTable

Returns: SSDT base, NULL if not found

PVOID GetSSDTEntry ( IN ULONG index )

Gets the SSDT entry address by index.

Parameters

index Service index

Returns: Found service address, NULL if not found

typedef NTSTATUS ( NTAPI * fnNtCreateThreadEx )

typedef PFN_NUMBER ( NTAPI * fnMiAllocateDriverPage )

NTSYSAPI NTSTATUS NTAPI ZwProtectVirtualMemory	(	IN HANDLE	ProcessHandle,
		IN PVOID *	BaseAddress,
		IN SIZE_T *	NumberOfBytesToProtect,
		IN ULONG	NewAccessProtection,
		OUT PULONG	OldAccessProtection
	)

Variable Documentation

PLIST_ENTRY PsLoadedModuleList

MMPTE ValidKernelPte

Data Structures

Macros

Typedefs

Enumerations

Functions

Variables

Macro Definition Documentation

Typedef Documentation

Enumeration Type Documentation

Function Documentation

Variable Documentation