diff --git a/src/headers/enums.h b/src/headers/enums.h
new file mode 100644
index 0000000..4671632
--- /dev/null
+++ b/src/headers/enums.h
@@ -0,0 +1,65 @@
+#pragma once
+
+#ifndef ENUMS_H
+#define ENUMS_H
+
+/*
+* Define enumerations
+*/
+typedef enum _SYSTEM_INFORMATION_CLASS {
+ SystemBasicInformation = 0,
+ SystemPerformanceInformation = 2,
+ SystemTimeOfDayInformation = 3,
+ SystemProcessInformation = 5,
+ SystemProcessorPerformanceInformation = 8,
+ SystemHandleInformation = 16,
+ SystemInterruptInformation = 23,
+ SystemExceptionInformation = 33,
+ SystemRegistryQuotaInformation = 37,
+ SystemLookasideInformation = 45
+} SYSTEM_INFORMATION_CLASS,
+*PSYSTEM_INFORMATION_CLASS;
+
+typedef enum _POOL_TYPE {
+ NonPagedPool,
+ PagedPool,
+ NonPagedPoolMustSucceed,
+ DontUseThisType,
+ NonPagedPoolCacheAligned,
+ PagedPoolCacheAligned,
+ NonPagedPoolCacheAlignedMustS
+} POOL_TYPE,
+*PPOOL_TYPE;
+
+typedef enum _OBJECT_INFORMATION_CLASS {
+ ObjectBasicInformation,
+ ObjectNameInformation,
+ ObjectTypeInformation,
+ ObjectAllInformation,
+ ObjectDataInformation
+} OBJECT_INFORMATION_CLASS,
+*POBJECT_INFORMATION_CLASS;
+
+typedef enum _THREADINFOCLASS {
+ ThreadBasicInformation,
+ ThreadTimes,
+ ThreadPriority,
+ ThreadBasePriority,
+ ThreadAffinityMask,
+ ThreadImpersonationToken,
+ ThreadDescriptorTableEntry,
+ ThreadEnableAlignmentFaultFixup,
+ ThreadEventPair,
+ ThreadQuerySetWin32StartAddress,
+ ThreadZeroTlsCell,
+ ThreadPerformanceCount,
+ ThreadAmILastThread,
+ ThreadIdealProcessor,
+ ThreadPriorityBoost,
+ ThreadSetTlsArrayAddress,
+ ThreadIsIoPending,
+ ThreadHideFromDebugger
+} THREADINFOCLASS,
+*PTHREADINFOCLASS;
+
+#endif
\ No newline at end of file
diff --git a/src/headers/includes.h b/src/headers/includes.h
new file mode 100644
index 0000000..f9d3c7a
--- /dev/null
+++ b/src/headers/includes.h
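Review bot: The enum tags and typedef names declared here (`_SYSTEM_INFORMATION_CLASS`/`SYSTEM_INFORMATION_CLASS`, `_OBJECT_INFORMATION_CLASS`, `_THREADINFOCLASS`, and `_POOL_TYPE`) are the same identifiers the SDK's `winternl.h` declares, so any translation unit that sees both headers gets redefinition errors; the same applies to the struct tags in structs.h (`_UNICODE_STRING`, `_PEB`, `_PEB_LDR_DATA`, `_OBJECT_ATTRIBUTES`, `_CLIENT_ID`, `_SYSTEM_PROCESS_INFORMATION`). The system `#include` targets in includes.h are not visible in this rendering, so I cannot tell whether that collision happens today, but the constraint should be stated where the types are defined, e.g. `/* Local copies of native types; must not be compiled together with <winternl.h>. */`. Two smaller style points: `#pragma once` plus the classic `#ifndef ENUMS_H` guard is redundant (pick one, same in the other three headers), and tags of the form `_UPPERCASE` are reserved identifiers in C, which is tolerable only because it mirrors the SDK convention.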
@@ -0,0 +1,22 @@
+#pragma once
+
+#ifndef INCLUDES_H
+#define INCLUDES_H
+
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "enums.h"
+#include "structs.h"
+#include "syscalls.h"
+
+#pragma comment(lib, "wevtapi.lib")
+
+#endif
\ No newline at end of file
diff --git a/src/headers/structs.h b/src/headers/structs.h
new file mode 100644
index 0000000..b01ad8c
--- /dev/null
+++ b/src/headers/structs.h
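Review bot: The eight `#include` lines carry no header name in this rendering (angle-bracketed targets appear to have been stripped), so as shown the file cannot compile; please confirm the committed file names its system headers. Independently of that, the three project headers do not include each other, so the order on the `#include "enums.h"` / `"structs.h"` / `"syscalls.h"` lines is load-bearing: structs.h uses `POOL_TYPE` from enums.h, and syscalls.h uses `POBJECT_ATTRIBUTES`, `PCLIENT_ID`, `OBJECT_INFORMATION_CLASS`, `SYSTEM_INFORMATION_CLASS` and `THREADINFOCLASS`. Either make each header include what it needs, or at least pin the order with `// order matters: enums.h before structs.h before syscalls.h`. Nothing in these headers references the Event Log API, so `#pragma comment(lib, "wevtapi.lib")` (MSVC-only, and applied to every translation unit that includes this umbrella) deserves a one-line comment saying which source file needs it.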
@@ -0,0 +1,183 @@
+#pragma once
+
+#ifndef STRUCTS_H
+#define STRUCTS_H
+
+/*
+* Define custom structs
+*/
+typedef struct _SYSCALL_ENTRY {
+ PVOID Address;
+ unsigned long Hash;
+ SIZE_T Size;
+} SYSCALL_ENTRY,
+* PSYSCALL_ENTRY;
+
+/*
+* Define PEB/Syscall structs
+*/
+typedef struct _UNICODE_STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ PWSTR Buffer;
+} UNICODE_STRING,
+* PUNICODE_STRING;
+
+typedef struct _PEB_LDR_DATA {
+ ULONG Length;
+ BOOLEAN Initialized;
+ PVOID SsHandle;
+ LIST_ENTRY InLoadOrderModuleList;
+ LIST_ENTRY InMemoryOrderModuleList;
+ LIST_ENTRY InInitializationOrderModuleList;
+ PVOID EntryInProgress;
+ BOOLEAN ShutdownInProgress;
+ PVOID ShutdownThreadId;
+} PEB_LDR_DATA,
+* PPEB_LDR_DATA;
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+ LIST_ENTRY InLoadOrderLinks;
+ LIST_ENTRY InMemoryOrderLinks;
+ LIST_ENTRY InInitializationOrderLinks;
+ PVOID DllBase;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullDllName;
+ UNICODE_STRING BaseDllName;
+ ULONG Flags;
+ USHORT LoadCount;
+ USHORT TlsIndex;
+ LIST_ENTRY HashLinks;
+ ULONG TimeDateStamp;
+} LDR_DATA_TABLE_ENTRY,
+* PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _PEB {
+ BOOLEAN InheritedAddressSpace;
+ BOOLEAN ReadImageFileExecOptions;
+ BOOLEAN BeingDebugged;
+ BOOLEAN BitField;
+ HANDLE Mutant;
+ PVOID ImageBaseAddress;
+ PPEB_LDR_DATA Ldr;
+ // ... 
other members are not relevant
+} PEB,
+* PPEB;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ ULONG Length;
+ HANDLE RootDirectory;
+ PUNICODE_STRING ObjectName;
+ ULONG Attributes;
+ PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
+ PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
+} OBJECT_ATTRIBUTES,
+* POBJECT_ATTRIBUTES;
+
+typedef struct _CLIENT_ID {
+ HANDLE UniqueProcess;
+ HANDLE UniqueThread;
+} CLIENT_ID,
+* PCLIENT_ID;
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
+ USHORT UniqueProcessId;
+ USHORT CreatorBackTraceIndex;
+ UCHAR ObjectTypeIndex;
+ UCHAR HandleAttributes;
+ USHORT HandleValue;
+ PVOID Object;
+ ULONG GrantedAccess;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO,
+* PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION {
+ ULONG NumberOfHandles;
+ SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
+} SYSTEM_HANDLE_INFORMATION,
+* PSYSTEM_HANDLE_INFORMATION;
+
+typedef LONG KPRIORITY;
+
+typedef struct _SYSTEM_THREAD_INFORMATION {
+ LARGE_INTEGER KernelTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER CreateTime;
+ ULONG WaitTime;
+ PVOID StartAddress;
+ CLIENT_ID ClientId;
+ KPRIORITY Priority;
+ LONG BasePriority;
+ ULONG ContextSwitches;
+ ULONG ThreadState;
+ ULONG WaitReason;
+} SYSTEM_THREAD_INFORMATION,
+* PSYSTEM_THREAD_INFORMATION;
+
+typedef struct _SYSTEM_PROCESS_INFORMATION {
+ ULONG NextEntryOffset;
+ ULONG NumberOfThreads;
+ LARGE_INTEGER WorkingSetPrivateSize;
+ ULONG HardFaultCount;
+ ULONG NumberOfThreadsHighWatermark;
+ ULONGLONG CycleTime;
+ LARGE_INTEGER CreateTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER KernelTime;
+ UNICODE_STRING ImageName;
+ KPRIORITY BasePriority;
+ HANDLE UniqueProcessId;
+ HANDLE InheritedFromUniqueProcessId;
+ ULONG HandleCount;
+ ULONG SessionId;
+ ULONG_PTR UniqueProcessKey;
+ SIZE_T PeakVirtualSize;
+ SIZE_T VirtualSize;
+ ULONG PageFaultCount;
+ SIZE_T PeakWorkingSetSize;
+ SIZE_T WorkingSetSize;
+ SIZE_T QuotaPeakPagedPoolUsage;
+ SIZE_T 
QuotaPagedPoolUsage;
+ SIZE_T QuotaPeakNonPagedPoolUsage;
+ SIZE_T QuotaNonPagedPoolUsage;
+ SIZE_T PagefileUsage;
+ SIZE_T PeakPagefileUsage;
+ SIZE_T PrivatePageCount;
+ LARGE_INTEGER ReadOperationCount;
+ LARGE_INTEGER WriteOperationCount;
+ LARGE_INTEGER OtherOperationCount;
+ LARGE_INTEGER ReadTransferCount;
+ LARGE_INTEGER WriteTransferCount;
+ LARGE_INTEGER OtherTransferCount;
+ SYSTEM_THREAD_INFORMATION Threads[1];
+} SYSTEM_PROCESS_INFORMATION,
+* PSYSTEM_PROCESS_INFORMATION;
+
+typedef struct _OBJECT_TYPE_INFORMATION {
+ UNICODE_STRING Name;
+ ULONG TotalNumberOfObjects;
+ ULONG TotalNumberOfHandles;
+ ULONG TotalPagedPoolUsage;
+ ULONG TotalNonPagedPoolUsage;
+ ULONG TotalNamePoolUsage;
+ ULONG TotalHandleTableUsage;
+ ULONG HighWaterNumberOfObjects;
+ ULONG HighWaterNumberOfHandles;
+ ULONG HighWaterPagedPoolUsage;
+ ULONG HighWaterNonPagedPoolUsage;
+ ULONG HighWaterNamePoolUsage;
+ ULONG HighWaterHandleTableUsage;
+ ULONG InvalidAttributes;
+ GENERIC_MAPPING GenericMapping;
+ ULONG ValidAccess;
+ BOOLEAN SecurityRequired;
+ BOOLEAN MaintainHandleCount;
+ USHORT MaintainTypeList;
+ POOL_TYPE PoolType;
+ ULONG PagedPoolUsage;
+ ULONG NonPagedPoolUsage;
+} OBJECT_TYPE_INFORMATION,
+* POBJECT_TYPE_INFORMATION;
+
+#endif
\ No newline at end of file
diff --git a/src/headers/syscalls.h b/src/headers/syscalls.h
new file mode 100644
index 0000000..310f4d3
--- /dev/null
+++ b/src/headers/syscalls.h
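Review bot: `_PEB` is deliberately cut short after `Ldr` (the `// ... other members are not relevant` comment), and `SYSTEM_HANDLE_INFORMATION` / `SYSTEM_PROCESS_INFORMATION` end in one-element arrays (`Handles[1]`, `Threads[1]`), so `sizeof` on any of these three types is not the size of the object the kernel returns; that contract should be written next to the declarations rather than left for callers to rediscover. Suggested comments: on `_PEB`, `// Prefix only: never allocate, copy or sizeof() this type; read through a pointer.`, and on the two arrays, `// NumberOfHandles entries follow; walk by index` and `// NumberOfThreads entries follow; next record is at NextEntryOffset from the start of this one`. Separately, `SYSTEM_HANDLE_TABLE_ENTRY_INFO` carries `UniqueProcessId` and `HandleValue` as `USHORT`, which is the 16-bit layout of the legacy `SystemHandleInformation` class and cannot represent values above 0xFFFF; I cannot see the consumer in this diff, so whether truncation matters here needs confirming, but a `// 16-bit fields: truncates PIDs/handles above 0xFFFF` comment would record the limitation. `SecurityQualityOfService` / `SecurityDescriptor` are already commented this way, so the style is consistent with the file.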
@@ -0,0 +1,124 @@
+#pragma once
+
+#ifndef SYSCALLS_H
+#define SYSCALLS_H
+
+/*
+* Define syscalls
+*/
+
+extern "C" void SetJumpAddress(uintptr_t jumpAddress);
+
+EXTERN_C NTSTATUS NtReadVirtualMemory(
+ HANDLE ProcessHandle,
+ PVOID BaseAddress,
+ PVOID Buffer,
+ ULONG NumberOfBytesToRead,
+ PULONG NumberOfBytesReaded,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtWriteVirtualMemory(
+ HANDLE ProcessHandle,
+ PVOID BaseAddress,
+ PVOID Buffer,
+ ULONG NumberOfBytesToWrite,
+ PULONG NumberOfBytesWritten,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtProtectVirtualMemory(
+ HANDLE ProcessHandle,
+ PVOID* BaseAddress,
+ PSIZE_T NumberOfBytesToProtect,
+ ULONG NewAccessProtection,
+ PULONG OldAccessProtection,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtOpenProcess(
+ PHANDLE ProcessHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PCLIENT_ID ClientId,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtDuplicateObject(
+ HANDLE SourceProcessHandle,
+ HANDLE SourceHandle,
+ HANDLE TargetProcessHandle,
+ PHANDLE TargetHandle,
+ ACCESS_MASK DesiredAccess,
+ ULONG HandleAttributes,
+ ULONG Options,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtQueryObject(
+ HANDLE ObjectHandle,
+ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+ PVOID ObjectInformation,
+ ULONG Length,
+ PULONG ResultLength,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtOpenProcessToken(
+ HANDLE ProcessHandle,
+ ACCESS_MASK DesiredAccess,
+ PHANDLE TokenHandle,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtQueryInformationToken(
+ HANDLE TokenHandle,
+ TOKEN_INFORMATION_CLASS TokenInformationClass,
+ PVOID TokenInformation,
+ ULONG TokenInformationLength,
+ PULONG ReturnLength,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtAdjustPrivilegesToken(
+ HANDLE TokenHandle,
+ BOOLEAN DisableAllPrivileges,
+ PTOKEN_PRIVILEGES TokenPrivileges,
+ ULONG PreviousPrivilegesLength,
+ PTOKEN_PRIVILEGES PreviousPrivileges,
+ PULONG RequiredLength,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtDuplicateToken(
+ HANDLE ExistingToken,
+ ACCESS_MASK DesiredAccess,
+ 
POBJECT_ATTRIBUTES ObjectAttributes,
+ BOOLEAN EffectiveOnly,
+ TOKEN_TYPE TokenType,
+ PHANDLE NewToken,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtQuerySystemInformation(
+ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ PVOID SystemInformation,
+ ULONG SystemInformationLength,
+ PULONG ReturnLength,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtClose(
+ HANDLE Handle,
+ int SSN
+);
+
+EXTERN_C NTSTATUS NtSetInformationThread(
+ HANDLE ThreadHandle,
+ THREADINFOCLASS ThreadInformationClass,
+ PVOID ThreadInformation,
+ ULONG ThreadInformationLength,
+ int SSN
+);
+
+#endif
\ No newline at end of file
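Review bot: `extern "C" void SetJumpAddress(uintptr_t jumpAddress);` near the top of this header is C++-only syntax, while every other declaration in the file uses `EXTERN_C`, which expands to plain `extern` in a C translation unit; in C this line is a hard error, and in C++ it is merely inconsistent with the rest of the file. Change it to `EXTERN_C void SetJumpAddress(uintptr_t jumpAddress);`. The header also gives no hint of where these symbols are defined or what the extra trailing `int SSN` argument (absent from the native prototypes) and `jumpAddress` mean; presumably a stub in a separate source file consumes them, so the `/* Define syscalls */` banner should say so, e.g. `/* Declarations only: definitions live in [stub source file]; SSN and jumpAddress are consumed by the stub, see that file. */`. Two minor points: `uintptr_t` requires `<stdint.h>` (or `<cstdint>`) to be in scope and nothing in this header includes it, and `NumberOfBytesReaded` in `NtReadVirtualMemory` reads as a typo, though it is only a parameter name.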