BlackBone
Windows memory hacking library
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros
Private.h
Go to the documentation of this file.
1 #pragma once
2 
3 #include "Imports.h"
4 
5 #ifdef DBG
6 #define DPRINT(format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, format, __VA_ARGS__)
7 #else
8 #define DPRINT(...)
9 #endif
10 
11 #define BB_POOL_TAG 'enoB'
12 
13 
14 #define ObpAccessProtectCloseBit 0x2000000
15 
16 //
17 // PTE protection values
18 //
19 #define MM_ZERO_ACCESS 0
20 #define MM_READONLY 1
21 #define MM_EXECUTE 2
22 #define MM_EXECUTE_READ 3
23 #define MM_READWRITE 4
24 #define MM_WRITECOPY 5
25 #define MM_EXECUTE_READWRITE 6
26 #define MM_EXECUTE_WRITECOPY 7
27 
28 #define MM_PTE_VALID_MASK 0x1
29 #define MM_PTE_WRITE_MASK 0x800
30 #define MM_PTE_OWNER_MASK 0x4
31 #define MM_PTE_WRITE_THROUGH_MASK 0x8
32 #define MM_PTE_CACHE_DISABLE_MASK 0x10
33 #define MM_PTE_ACCESS_MASK 0x20
34 #define MM_PTE_DIRTY_MASK 0x42
35 #define MM_PTE_LARGE_PAGE_MASK 0x80
36 #define MM_PTE_GLOBAL_MASK 0x100
37 #define MM_PTE_COPY_ON_WRITE_MASK 0x200
38 #define MM_PTE_PROTOTYPE_MASK 0x400
39 #define MM_PTE_TRANSITION_MASK 0x800
40 
41 #define VIRTUAL_ADDRESS_BITS 48
42 #define VIRTUAL_ADDRESS_MASK ((((ULONG_PTR)1) << VIRTUAL_ADDRESS_BITS) - 1)
43 
44 #define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
45 #define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002
46 #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
47 
48 #define PTE_SHIFT 3
49 #define ObpDecodeGrantedAccess( Access ) \
50  ((Access)& ~ObpAccessProtectCloseBit)
51 
52 #define ObpDecodeObject( Object ) (PVOID)(((LONG_PTR)Object >> 0x10) & ~(ULONG_PTR)0xF)
53 
54 #define MiGetPxeOffset(va) \
55  ((ULONG)(((ULONG_PTR)(va) >> PXI_SHIFT) & PXI_MASK))
56 
57 #define MiGetPxeAddress(va) \
58  ((PMMPTE)PXE_BASE + MiGetPxeOffset(va))
59 
60 #define MiGetPpeAddress(va) \
61  ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PPI_SHIFT) << PTE_SHIFT) + PPE_BASE))
62 
63 #define MiGetPdeAddress(va) \
64  ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PDI_SHIFT) << PTE_SHIFT) + PDE_BASE))
65 
66 #define MiGetPteAddress(va) \
67  ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PTI_SHIFT) << PTE_SHIFT) + PTE_BASE))
68 
69 #define VA_SHIFT (63 - 47) // address sign extend shift count
70 
71 #define MiGetVirtualAddressMappedByPte(PTE) \
72  ((PVOID)((LONG_PTR)(((LONG_PTR)(PTE) - PTE_BASE) << (PAGE_SHIFT + VA_SHIFT - PTE_SHIFT)) >> VA_SHIFT))
73 
74 #define MI_IS_PHYSICAL_ADDRESS(Va) \
75  ((MiGetPxeAddress(Va)->u.Hard.Valid == 1) && \
76  (MiGetPpeAddress(Va)->u.Hard.Valid == 1) && \
77  ((MiGetPdeAddress(Va)->u.Long & 0x81) == 0x81) || (MiGetPteAddress(Va)->u.Hard.Valid == 1))
78 
79 typedef ULONG WIN32_PROTECTION_MASK;
80 typedef PULONG PWIN32_PROTECTION_MASK;
81 
82 typedef enum _WinVer
83 {
84  WINVER_7 = 0x610,
85  WINVER_7_SP1 = 0x611,
86  WINVER_8 = 0x620,
87  WINVER_81 = 0x630,
88 } WinVer;
89 
90 extern PLIST_ENTRY PsLoadedModuleList;
91 extern MMPTE ValidKernelPte;
92 
96 typedef struct _DYNAMIC_DATA
97 {
98  WinVer ver; // OS version
99 
100  ULONG KExecOpt; // KEXECUTE_OPTIONS offset in KPROCESS
101  ULONG Protection; // Process protection flag offset in EPROCESS
102  ULONG ObjTable; // Process handle table offset in EPROCESS
103  ULONG VadRoot; // VadRoot offset in EPROCESS
104  ULONG NtProtectIndex; // NtProtectVirtualMemory SSDT index
105  ULONG NtThdIndex; // NtCreateThreadEx SSDT index
106  ULONG PrevMode; // PreviousMode offset in KTHREAD
107  ULONG ExitStatus; // ETHREAD ExitStatus field
108  ULONG MiAllocPage; // MiAllocateDriver page offset
109 } DYNAMIC_DATA, *PDYNAMIC_DATA;
110 
111 
112 typedef NTSTATUS( NTAPI* fnNtCreateThreadEx )
113  (
114  OUT PHANDLE hThread,
115  IN ACCESS_MASK DesiredAccess,
116  IN PVOID ObjectAttributes,
117  IN HANDLE ProcessHandle,
118  IN PVOID lpStartAddress,
119  IN PVOID lpParameter,
120  IN ULONG Flags,
121  IN SIZE_T StackZeroBits,
122  IN SIZE_T SizeOfStackCommit,
123  IN SIZE_T SizeOfStackReserve,
124  OUT PVOID lpBytesBuffer
125  );
126 
127 typedef PFN_NUMBER( NTAPI* fnMiAllocateDriverPage )(PMMPTE pPTE);
128 
129 #if defined(_WIN8_) || defined (_WIN7_)
130 
131 typedef NTSTATUS( NTAPI* fnNtProtectVirtualMemory )
132  (
133  IN HANDLE ProcessHandle,
134  IN PVOID* BaseAddress,
135  IN SIZE_T* NumberOfBytesToProtect,
136  IN ULONG NewAccessProtection,
137  OUT PULONG OldAccessProtection
138  );
139 
140 NTSTATUS
141 NTAPI
142 ZwProtectVirtualMemory(
143  IN HANDLE ProcessHandle,
144  IN PVOID* BaseAddress,
145  IN SIZE_T* NumberOfBytesToProtect,
146  IN ULONG NewAccessProtection,
147  OUT PULONG OldAccessProtection
148  );
149 
150 
151 #else
152 NTSYSAPI
153 NTSTATUS
154 NTAPI
155 ZwProtectVirtualMemory(
156  IN HANDLE ProcessHandle,
157  IN PVOID* BaseAddress,
158  IN SIZE_T* NumberOfBytesToProtect,
159  IN ULONG NewAccessProtection,
160  OUT PULONG OldAccessProtection
161  );
162 
163 #endif
164 
165 #ifdef _WIN81_
166 
167 NTSYSAPI
168 PVOID
169 NTAPI
170 RtlAvlRemoveNode(
171  IN PRTL_AVL_TREE pTree,
172  IN PMMADDRESS_NODE pNode
173  );
174 
175 #endif
176 
183 PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry( IN PHANDLE_TABLE HandleTable, IN EXHANDLE tHandle );
184 
189 PVOID GetKernelBase();
190 
195 PVOID GetSSDTBase();
196 
202 PVOID GetSSDTEntry( IN ULONG index );
203 
210 PMMPTE GetPTEForVA( IN PVOID pAddress );
_EXHANDLE
Definition: NativeStructs.h:44
PsLoadedModuleList
PLIST_ENTRY PsLoadedModuleList
Definition: Loader.c:7
_DYNAMIC_DATA
OS-dependent stuff
Definition: Private.h:96
lpBytesBuffer
IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T IN SIZE_T IN SIZE_T OUT PVOID lpBytesBuffer
Definition: Private.h:115
_HANDLE_TABLE_ENTRY
Definition: NativeStructs.h:58
_DYNAMIC_DATA::Protection
ULONG Protection
Definition: Private.h:101
WINVER_7
Definition: Private.h:84
ValidKernelPte
MMPTE ValidKernelPte
Definition: Private.c:15
_HANDLE_TABLE
Definition: NativeStructs.h:100
_DYNAMIC_DATA::PrevMode
ULONG PrevMode
Definition: Private.h:106
GetSSDTBase
PVOID GetSSDTBase()
Gets SSDT base - KiSystemServiceTable
Definition: Private.c:123
StackZeroBits
IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T StackZeroBits
Definition: Private.h:115
NTSTATUS
typedef NTSTATUS(NTAPI *fnNtCreateThreadEx)(OUT PHANDLE hThread
_DYNAMIC_DATA::NtProtectIndex
ULONG NtProtectIndex
Definition: Private.h:104
lpParameter
IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID lpParameter
Definition: Private.h:115
WINVER_7_SP1
Definition: Private.h:85
ExpLookupHandleTableEntry
PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry(IN PHANDLE_TABLE HandleTable, IN EXHANDLE tHandle)
Lookup handle in the process handle table
Definition: Private.c:28
ZwProtectVirtualMemory
NTSYSAPI NTSTATUS NTAPI ZwProtectVirtualMemory(IN HANDLE ProcessHandle, IN PVOID *BaseAddress, IN SIZE_T *NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection)
_DYNAMIC_DATA::ExitStatus
ULONG ExitStatus
Definition: Private.h:107
_DYNAMIC_DATA::NtThdIndex
ULONG NtThdIndex
Definition: Private.h:105
PDYNAMIC_DATA
struct _DYNAMIC_DATA * PDYNAMIC_DATA
PFN_NUMBER
typedef PFN_NUMBER(NTAPI *fnMiAllocateDriverPage)(PMMPTE pPTE)
_WinVer
_WinVer
Definition: Private.h:82
SizeOfStackReserve
IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T IN SIZE_T IN SIZE_T SizeOfStackReserve
Definition: Private.h:115
WINVER_8
Definition: Private.h:86
PWIN32_PROTECTION_MASK
PULONG PWIN32_PROTECTION_MASK
Definition: Private.h:80
ProcessHandle
IN ACCESS_MASK IN PVOID IN HANDLE ProcessHandle
Definition: Private.h:115
lpStartAddress
IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID lpStartAddress
Definition: Private.h:115
_RTL_AVL_TREE
Definition: NativeStructs81.h:24
_DYNAMIC_DATA::VadRoot
ULONG VadRoot
Definition: Private.h:103
WINVER_81
Definition: Private.h:87
_MMPTE
Definition: NativeStructs.h:281
Flags
IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG Flags
Definition: Private.h:115
Imports.h
WIN32_PROTECTION_MASK
ULONG WIN32_PROTECTION_MASK
Definition: Private.h:79
_DYNAMIC_DATA::MiAllocPage
ULONG MiAllocPage
Definition: Private.h:108
ObjectAttributes
IN ACCESS_MASK IN PVOID ObjectAttributes
Definition: Private.h:115
GetSSDTEntry
PVOID GetSSDTEntry(IN ULONG index)
Gets the SSDT entry address by index.
Definition: Private.c:174
GetPTEForVA
PMMPTE GetPTEForVA(IN PVOID pAddress)
Get page hardware PTE Address must be valid, otherwise bug check is imminent
Definition: Private.c:191
GetKernelBase
PVOID GetKernelBase()
Get ntoskrnl base address
Definition: Private.c:57
DYNAMIC_DATA
struct _DYNAMIC_DATA DYNAMIC_DATA
OS-dependent stuff
_DYNAMIC_DATA::ObjTable
ULONG ObjTable
Definition: Private.h:102
_MMADDRESS_NODE
Definition: NativeStructs7.h:101
_DYNAMIC_DATA::ver
WinVer ver
Definition: Private.h:98
DesiredAccess
IN ACCESS_MASK DesiredAccess
Definition: Private.h:115
SizeOfStackCommit
IN ACCESS_MASK IN PVOID IN HANDLE IN PVOID IN PVOID IN ULONG IN SIZE_T IN SIZE_T SizeOfStackCommit
Definition: Private.h:115
WinVer
enum _WinVer WinVer
_DYNAMIC_DATA::KExecOpt
ULONG KExecOpt
Definition: Private.h:100