Inheritance diagram for blackbone::Native:

Public Types
typedef std::list< ModuleData >	listModules

Public Member Functions
BLACKBONE_API	Native (HANDLE hProcess, bool x86OS=false)

BLACKBONE_API const Wow64Barrier &	GetWow64Barrier () const

virtual NTSTATUS	VirualAllocExT (ptr_t &lpAddress, size_t dwSize, DWORD flAllocationType, DWORD flProtect)
	Allocate virtual memory More...

virtual NTSTATUS	VirualFreeExT (ptr_t lpAddress, size_t dwSize, DWORD dwFreeType)
	Free virtual memory More...

virtual NTSTATUS	VirtualProtectExT (ptr_t lpAddress, DWORD64 dwSize, DWORD flProtect, DWORD *flOld)
	Change memory protection More...

virtual NTSTATUS	ReadProcessMemoryT (ptr_t lpBaseAddress, LPVOID lpBuffer, size_t nSize, DWORD64 *lpBytes=nullptr)
	Read virtual memory More...

virtual NTSTATUS	WriteProcessMemoryT (ptr_t lpBaseAddress, LPCVOID lpBuffer, size_t nSize, DWORD64 *lpBytes=nullptr)
	Write virtual memory More...

virtual NTSTATUS	VirtualQueryExT (ptr_t lpAddress, PMEMORY_BASIC_INFORMATION64 lpBuffer)
	Query virtual memory More...

virtual NTSTATUS	VirtualQueryExT (ptr_t lpAddress, MEMORY_INFORMATION_CLASS infoClass, LPVOID lpBuffer, size_t bufSize)
	Query virtual memory More...

virtual NTSTATUS	QueryProcessInfoT (PROCESSINFOCLASS infoClass, LPVOID lpBuffer, uint32_t bufSize)
	Call NtQueryInformationProcess for underlying process More...

virtual NTSTATUS	SetProcessInfoT (PROCESSINFOCLASS infoClass, LPVOID lpBuffer, uint32_t bufSize)
	Call NtSetInformationProcess for underlying process More...

virtual NTSTATUS	CreateRemoteThreadT (HANDLE &hThread, ptr_t entry, ptr_t arg, CreateThreadFlags flags)
	Creates new thread in the remote process More...

virtual NTSTATUS	GetThreadContextT (HANDLE hThread, _CONTEXT64 &ctx)
	Get native thread context More...

virtual NTSTATUS	GetThreadContextT (HANDLE hThread, _CONTEXT32 &ctx)
	Get WOW64 thread context More...

virtual NTSTATUS	SetThreadContextT (HANDLE hThread, _CONTEXT64 &ctx)
	Set native thread context More...

virtual NTSTATUS	SetThreadContextT (HANDLE hThread, _CONTEXT32 &ctx)
	Set WOW64 thread context More...

virtual ptr_t	getPEB (_PEB32 *ppeb)
	Get WOW64 PEB More...

virtual ptr_t	getPEB (_PEB64 *ppeb)
	Get native PEB More...

virtual ptr_t	getTEB (HANDLE hThread, _TEB32 *pteb)
	Get WOW64 TEB More...

virtual ptr_t	getTEB (HANDLE hThread, _TEB64 *pteb)
	Get native TEB More...

BLACKBONE_API size_t	EnumRegions (std::list< MEMORY_BASIC_INFORMATION64 > &results, bool includeFree=false)
	Enumerate valid memory regions More...

BLACKBONE_API size_t	EnumModules (listModules &result, eModSeachType search=LdrList, eModType mtype=mt_default)
	Enumerate process modules More...

BLACKBONE_API ptr_t	minAddr () const
	Get lowest possible valid address value More...

BLACKBONE_API ptr_t	maxAddr () const
	Get highest possible valid address value More...

BLACKBONE_API uint32_t	pageSize () const
	Get page size More...

Protected Attributes
HANDLE	_hProcess

Wow64Barrier	_wowBarrier

uint32_t	_pageSize

Member Function Documentation

NTSTATUS blackbone::Native::CreateRemoteThreadT	(	HANDLE &	hThread,
		ptr_t	entry,
		ptr_t	arg,
		CreateThreadFlags	flags
	)

virtual

Creates new thread in the remote process

Parameters

hThread	Created thread handle
entry	Thread entry point
arg	Thread argument
flags	Creation flags

Returns: Status code

Reimplemented in blackbone::NativeWow64.

size_t blackbone::Native::EnumModules	(	listModules &	result,
		eModSeachType	search = `LdrList`,
		eModType	mtype = `mt_default`
	)

Enumerate process modules

Parameters

result	Found modules
mtype	Module type: x86 or x64

Returns: Module count

size_t blackbone::Native::EnumRegions	(	std::list< MEMORY_BASIC_INFORMATION64 > &	results,
		bool	includeFree = `false`
	)

Enumerate valid memory regions

Parameters

results	Found regions
includeFree	If true - non-allocated regions will be included in list

Returns: Number of regions found

ptr_t blackbone::Native::getPEB ( _PEB32 * ppeb )

virtual

Get WOW64 PEB

Parameters

ppeb	Retrieved PEB

Returns: PEB pointer

Reimplemented in blackbone::NativeWow64, and blackbone::x86Native.

ptr_t blackbone::Native::getPEB ( _PEB64 * ppeb )

virtual

Get native PEB

Parameters

ppeb	Retrieved PEB

Returns: PEB pointer

Reimplemented in blackbone::NativeWow64, and blackbone::x86Native.

ptr_t blackbone::Native::getTEB	(	HANDLE	hThread,
		_TEB32 *	pteb
	)

virtual

Get WOW64 TEB

Parameters

ppeb	Retrieved TEB

Returns: TEB pointer

Reimplemented in blackbone::NativeWow64, and blackbone::x86Native.

ptr_t blackbone::Native::getTEB	(	HANDLE	hThread,
		_TEB64 *	pteb
	)

virtual

Get native TEB

Parameters

ppeb	Retrieved TEB

Returns: TEB pointer

Reimplemented in blackbone::NativeWow64, and blackbone::x86Native.

NTSTATUS blackbone::Native::GetThreadContextT	(	HANDLE	hThread,
		_CONTEXT64 &	ctx
	)

virtual

Get native thread context

Parameters

hThread	Thread handle.
ctx	Thread context

Returns: Status code

Reimplemented in blackbone::NativeWow64, and blackbone::x86Native.

NTSTATUS blackbone::Native::GetThreadContextT	(	HANDLE	hThread,
		_CONTEXT32 &	ctx
	)

virtual

Get WOW64 thread context

Parameters

hThread	Thread handle.
ctx	Thread context

Returns: Status code

Reimplemented in blackbone::NativeWow64, and blackbone::x86Native.

BLACKBONE_API ptr_t blackbone::Native::maxAddr ( ) const

inline

Get highest possible valid address value

Returns: Address value

BLACKBONE_API ptr_t blackbone::Native::minAddr ( ) const

inline

Get lowest possible valid address value

Returns: Address value

BLACKBONE_API uint32_t blackbone::Native::pageSize ( ) const

inline

Get page size

Returns: Address value

NTSTATUS blackbone::Native::QueryProcessInfoT	(	PROCESSINFOCLASS	infoClass,
		LPVOID	lpBuffer,
		uint32_t	bufSize
	)

virtual

Call NtQueryInformationProcess for underlying process

Parameters

infoClass	Information class
lpBuffer	Output buffer
bufSize	Buffer size

Returns: Status code

Reimplemented in blackbone::NativeWow64.

NTSTATUS blackbone::Native::ReadProcessMemoryT	(	ptr_t	lpBaseAddress,
		LPVOID	lpBuffer,
		size_t	nSize,
		DWORD64 *	lpBytes = `nullptr`
	)

virtual

Read virtual memory

Parameters

lpBaseAddress	Memory address
lpBuffer	Output buffer
nSize	Number of bytes to read
lpBytes	Mumber of bytes read

Returns: Status code

Reimplemented in blackbone::NativeWow64.

NTSTATUS blackbone::Native::SetProcessInfoT	(	PROCESSINFOCLASS	infoClass,
		LPVOID	lpBuffer,
		uint32_t	bufSize
	)

virtual

Call NtSetInformationProcess for underlying process

Parameters

infoClass	Information class
lpBuffer	Input buffer
bufSize	Buffer size

Returns: Status code

Reimplemented in blackbone::NativeWow64.

NTSTATUS blackbone::Native::SetThreadContextT	(	HANDLE	hThread,
		_CONTEXT64 &	ctx
	)

virtual

Set native thread context

Parameters

hThread	Thread handle.
ctx	Thread context

Returns: Status code

Reimplemented in blackbone::NativeWow64, and blackbone::x86Native.

NTSTATUS blackbone::Native::SetThreadContextT	(	HANDLE	hThread,
		_CONTEXT32 &	ctx
	)

virtual

Set WOW64 thread context

Parameters

hThread	Thread handle.
ctx	Thread context

Returns: Status code

Reimplemented in blackbone::NativeWow64, and blackbone::x86Native.

NTSTATUS blackbone::Native::VirtualProtectExT	(	ptr_t	lpAddress,
		DWORD64	dwSize,
		DWORD	flProtect,
		DWORD *	flOld
	)

virtual

Change memory protection

Parameters

lpAddress	Memory address.
dwSize	Region size
flProtect	New protection.
flOld	Old protection

Returns: Status code

Reimplemented in blackbone::NativeWow64.

NTSTATUS blackbone::Native::VirtualQueryExT	(	ptr_t	lpAddress,
		PMEMORY_BASIC_INFORMATION64	lpBuffer
	)

virtual

Query virtual memory

Parameters

lpAddress	Address to query
lpBuffer	Retrieved memory info

Returns: Status code

Reimplemented in blackbone::NativeWow64, and blackbone::x86Native.

NTSTATUS blackbone::Native::VirtualQueryExT	(	ptr_t	lpAddress,
		MEMORY_INFORMATION_CLASS	infoClass,
		LPVOID	lpBuffer,
		size_t	bufSize
	)

virtual

Query virtual memory

Parameters

lpAddress	Address to query
lpBuffer	Retrieved memory info

Returns: Status code

Reimplemented in blackbone::NativeWow64.

NTSTATUS blackbone::Native::VirualAllocExT	(	ptr_t &	lpAddress,
		size_t	dwSize,
		DWORD	flAllocationType,
		DWORD	flProtect
	)

virtual

Allocate virtual memory

Parameters

lpAddress	Allocation address
dwSize	Region size
flAllocationType	Allocation type
flProtect	Memory protection

Returns: Status code

Reimplemented in blackbone::NativeWow64.

NTSTATUS blackbone::Native::VirualFreeExT	(	ptr_t	lpAddress,
		size_t	dwSize,
		DWORD	dwFreeType
	)

virtual

Free virtual memory

Parameters

lpAddress	Memory address
dwSize	Region size
dwFreeType	Memory release type.

Returns: Status code

Reimplemented in blackbone::NativeWow64.

NTSTATUS blackbone::Native::WriteProcessMemoryT	(	ptr_t	lpBaseAddress,
		LPCVOID	lpBuffer,
		size_t	nSize,
		DWORD64 *	lpBytes = `nullptr`
	)

virtual

Write virtual memory

Parameters

lpBaseAddress	Memory address
lpBuffer	Buffer to write
nSize	Number of bytes to read
lpBytes	Mumber of bytes read

Returns: Status code

Reimplemented in blackbone::NativeWow64.

The documentation for this class was generated from the following files:

C:/Users/Ton/Documents/Visual Studio 2013/Projects/BlackBone/src/BlackBone/Subsystem/NativeSubsystem.h
C:/Users/Ton/Documents/Visual Studio 2013/Projects/BlackBone/src/BlackBone/Subsystem/NativeSubsystem.cpp

Public Types

Public Member Functions

Protected Attributes

Member Function Documentation