329 lines
15 KiB
C
329 lines
15 KiB
C
|
#pragma once
|
||
|
|
|
||
|
|
#ifndef STRUCTS_H
|
||
|
|
#define STRUCTS_H
|
||
|
|
|
||
|
|
typedef struct SyscallEntry {
|
||
|
|
INT SSN;
|
||
|
|
PVOID Address;
|
||
|
|
PVOID Syscall;
|
||
|
|
};
|
||
|
|
|
||
|
|
//0x18 bytes (sizeof)
|
||
|
|
struct _RTL_BALANCED_NODE {
|
||
|
|
union
|
||
|
|
{
|
||
|
|
struct _RTL_BALANCED_NODE* Children[2]; //0x0
|
||
|
|
struct
|
||
|
|
{
|
||
|
|
struct _RTL_BALANCED_NODE* Left; //0x0
|
||
|
|
struct _RTL_BALANCED_NODE* Right; //0x8
|
||
|
|
};
|
||
|
|
};
|
||
|
|
union
|
||
|
|
{
|
||
|
|
struct
|
||
|
|
{
|
||
|
|
UCHAR Red : 1; //0x10
|
||
|
|
UCHAR Balance : 2; //0x10
|
||
|
|
};
|
||
|
|
ULONGLONG ParentValue; //0x10
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
//0x138 bytes (sizeof)
|
||
|
|
typedef struct _LDR_DATA_TABLE_ENTRY_MODIFIED {
|
||
|
|
struct _LIST_ENTRY InLoadOrderLinks; //0x0
|
||
|
|
struct _LIST_ENTRY InMemoryOrderLinks; //0x10
|
||
|
|
struct _LIST_ENTRY InInitializationOrderLinks; //0x20
|
||
|
|
PVOID DllBase; //0x30
|
||
|
|
PVOID EntryPoint; //0x38
|
||
|
|
ULONG SizeOfImage; //0x40
|
||
|
|
struct _UNICODE_STRING FullDllName; //0x48
|
||
|
|
struct _UNICODE_STRING BaseDllName; //0x58
|
||
|
|
union
|
||
|
|
{
|
||
|
|
UCHAR FlagGroup[4]; //0x68
|
||
|
|
ULONG Flags; //0x68
|
||
|
|
struct
|
||
|
|
{
|
||
|
|
ULONG PackagedBinary : 1; //0x68
|
||
|
|
ULONG MarkedForRemoval : 1; //0x68
|
||
|
|
ULONG ImageDll : 1; //0x68
|
||
|
|
ULONG LoadNotificationsSent : 1; //0x68
|
||
|
|
ULONG TelemetryEntryProcessed : 1; //0x68
|
||
|
|
ULONG ProcessStaticImport : 1; //0x68
|
||
|
|
ULONG InLegacyLists : 1; //0x68
|
||
|
|
ULONG InIndexes : 1; //0x68
|
||
|
|
ULONG ShimDll : 1; //0x68
|
||
|
|
ULONG InExceptionTable : 1; //0x68
|
||
|
|
ULONG ReservedFlags1 : 2; //0x68
|
||
|
|
ULONG LoadInProgress : 1; //0x68
|
||
|
|
ULONG LoadConfigProcessed : 1; //0x68
|
||
|
|
ULONG EntryProcessed : 1; //0x68
|
||
|
|
ULONG ProtectDelayLoad : 1; //0x68
|
||
|
|
ULONG ReservedFlags3 : 2; //0x68
|
||
|
|
ULONG DontCallForThreads : 1; //0x68
|
||
|
|
ULONG ProcessAttachCalled : 1; //0x68
|
||
|
|
ULONG ProcessAttachFailed : 1; //0x68
|
||
|
|
ULONG CorDeferredValidate : 1; //0x68
|
||
|
|
ULONG CorImage : 1; //0x68
|
||
|
|
ULONG DontRelocate : 1; //0x68
|
||
|
|
ULONG CorILOnly : 1; //0x68
|
||
|
|
ULONG ChpeImage : 1; //0x68
|
||
|
|
ULONG ChpeEmulatorImage : 1; //0x68
|
||
|
|
ULONG ReservedFlags5 : 1; //0x68
|
||
|
|
ULONG Redirected : 1; //0x68
|
||
|
|
ULONG ReservedFlags6 : 2; //0x68
|
||
|
|
ULONG CompatDatabaseProcessed : 1; //0x68
|
||
|
|
};
|
||
|
|
};
|
||
|
|
USHORT ObsoleteLoadCount; //0x6c
|
||
|
|
USHORT TlsIndex; //0x6e
|
||
|
|
struct _LIST_ENTRY HashLinks; //0x70
|
||
|
|
ULONG TimeDateStamp; //0x80
|
||
|
|
struct _ACTIVATION_CONTEXT* EntryPointActivationContext; //0x88
|
||
|
|
PVOID Lock; //0x90
|
||
|
|
struct _LDR_DDAG_NODE* DdagNode; //0x98
|
||
|
|
struct _LIST_ENTRY NodeModuleLink; //0xa0
|
||
|
|
struct _LDRP_LOAD_CONTEXT* LoadContext; //0xb0
|
||
|
|
PVOID ParentDllBase; //0xb8
|
||
|
|
PVOID SwitchBackContext; //0xc0
|
||
|
|
struct _RTL_BALANCED_NODE BaseAddressIndexNode; //0xc8
|
||
|
|
struct _RTL_BALANCED_NODE MappingInfoIndexNode; //0xe0
|
||
|
|
ULONGLONG OriginalBase; //0xf8
|
||
|
|
union _LARGE_INTEGER LoadTime; //0x100
|
||
|
|
ULONG BaseNameHashValue; //0x108
|
||
|
|
enum _LDR_DLL_LOAD_REASON LoadReason; //0x10c
|
||
|
|
ULONG ImplicitPathOptions; //0x110
|
||
|
|
ULONG ReferenceCount; //0x114
|
||
|
|
ULONG DependentLoadFlags; //0x118
|
||
|
|
UCHAR SigningLevel; //0x11c
|
||
|
|
ULONG CheckSum; //0x120
|
||
|
|
PVOID ActivePatchImageBase; //0x128
|
||
|
|
enum _LDR_HOT_PATCH_STATE HotPatchState; //0x130
|
||
|
|
} LDR_DATA_TABLE_ENTRY_MODIFIED,
|
||
|
|
* PLDR_DATA_TABLE_ENTRY_MODIFIED;
|
||
|
|
|
||
|
|
// Define call stack spoofing structs
|
||
|
|
typedef struct {
|
||
|
|
PVOID Fixup; // 0
|
||
|
|
PVOID OG_retaddr; // 8
|
||
|
|
PVOID rbx; // 16
|
||
|
|
PVOID rdi; // 24
|
||
|
|
PVOID BTIT_ss; // 32
|
||
|
|
PVOID BTIT_retaddr; // 40
|
||
|
|
PVOID Gadget_ss; // 48
|
||
|
|
PVOID RUTS_ss; // 56
|
||
|
|
PVOID RUTS_retaddr; // 64
|
||
|
|
PVOID ssn; // 72
|
||
|
|
PVOID trampoline; // 80
|
||
|
|
PVOID rsi; // 88
|
||
|
|
PVOID r12; // 96
|
||
|
|
PVOID r13; // 104
|
||
|
|
PVOID r14; // 112
|
||
|
|
PVOID r15; // 120
|
||
|
|
} PRM,
|
||
|
|
* PPRM;
|
||
|
|
|
||
|
|
typedef union _UNWIND_CODE {
|
||
|
|
struct {
|
||
|
|
BYTE CodeOffset;
|
||
|
|
BYTE UnwindOp : 4;
|
||
|
|
BYTE OpInfo : 4;
|
||
|
|
};
|
||
|
|
USHORT FrameOffset;
|
||
|
|
} UNWIND_CODE,
|
||
|
|
* PUNWIND_CODE;
|
||
|
|
|
||
|
|
typedef struct _UNWIND_INFO {
|
||
|
|
BYTE Version : 3;
|
||
|
|
BYTE Flags : 5;
|
||
|
|
BYTE SizeOfProlog;
|
||
|
|
BYTE CountOfCodes;
|
||
|
|
BYTE FrameRegister : 4;
|
||
|
|
BYTE FrameOffset : 4;
|
||
|
|
UNWIND_CODE UnwindCode[1];
|
||
|
|
} UNWIND_INFO,
|
||
|
|
* PUNWIND_INFO;
|
||
|
|
|
||
|
|
typedef struct _EXCEPTION_INFO {
|
||
|
|
UINT64 hModule;
|
||
|
|
UINT64 pExceptionDirectory;
|
||
|
|
DWORD dwRuntimeFunctionCount;
|
||
|
|
}EXCEPTION_INFO,
|
||
|
|
* PEXCEPTION_INFO;
|
||
|
|
|
||
|
|
typedef struct {
|
||
|
|
LPCWSTR dllPath;
|
||
|
|
ULONG offset;
|
||
|
|
ULONG totalStackSize;
|
||
|
|
BOOL requiresLoadLibrary;
|
||
|
|
BOOL setsFramePointer;
|
||
|
|
PVOID returnAddress;
|
||
|
|
BOOL pushRbp;
|
||
|
|
ULONG countOfCodes;
|
||
|
|
BOOL pushRbpIndex;
|
||
|
|
} StackFrame,
|
||
|
|
* PStackFrame;
|
||
|
|
|
||
|
|
typedef struct _FILE_STANDARD_INFORMATION {
|
||
|
|
LARGE_INTEGER AllocationSize; // The file allocation size in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
|
||
|
|
LARGE_INTEGER EndOfFile; // The end of file location as a byte offset.
|
||
|
|
ULONG NumberOfLinks; // The number of hard links to the file.
|
||
|
|
BOOLEAN DeletePending; // The delete pending status. TRUE indicates that a file deletion has been requested.
|
||
|
|
BOOLEAN Directory; // The file directory status. TRUE indicates the file object represents a directory.
|
||
|
|
} FILE_STANDARD_INFORMATION,
|
||
|
|
* PFILE_STANDARD_INFORMATION;
|
||
|
|
|
||
|
|
typedef struct _FILE_RENAME_INFORMATION_EX {
|
||
|
|
ULONG Flags;
|
||
|
|
HANDLE RootDirectory;
|
||
|
|
ULONG FileNameLength;
|
||
|
|
_Field_size_bytes_(FileNameLength) WCHAR FileName[1];
|
||
|
|
} FILE_RENAME_INFORMATION_EX,
|
||
|
|
* PFILE_RENAME_INFORMATION_EX;
|
||
|
|
|
||
|
|
typedef struct _FILE_DISPOSITION_INFORMATION {
|
||
|
|
BOOLEAN DeleteFile;
|
||
|
|
} FILE_DISPOSITION_INFORMATION,
|
||
|
|
* PFILE_DISPOSITION_INFORMATION;
|
||
|
|
|
||
|
|
typedef struct _KSYSTEM_TIME {
|
||
|
|
ULONG LowPart;
|
||
|
|
LONG High1Time;
|
||
|
|
LONG High2Time;
|
||
|
|
} KSYSTEM_TIME,
|
||
|
|
* PKSYSTEM_TIME;
|
||
|
|
|
||
|
|
typedef struct _KUSER_SHARED_DATA {
|
||
|
|
ULONG TickCountLowDeprecated;
|
||
|
|
ULONG TickCountMultiplier;
|
||
|
|
KSYSTEM_TIME InterruptTime;
|
||
|
|
KSYSTEM_TIME SystemTime;
|
||
|
|
KSYSTEM_TIME TimeZoneBias;
|
||
|
|
USHORT ImageNumberLow;
|
||
|
|
USHORT ImageNumberHigh;
|
||
|
|
WCHAR NtSystemRoot[260];
|
||
|
|
ULONG MaxStackTraceDepth;
|
||
|
|
ULONG CryptoExponent;
|
||
|
|
ULONG TimeZoneId;
|
||
|
|
ULONG LargePageMinimum;
|
||
|
|
ULONG AitSamplingValue;
|
||
|
|
ULONG AppCompatFlag;
|
||
|
|
ULONGLONG RNGSeedVersion;
|
||
|
|
ULONG GlobalValidationRunlevel;
|
||
|
|
LONG TimeZoneBiasStamp;
|
||
|
|
ULONG NtBuildNumber;
|
||
|
|
NT_PRODUCT_TYPE NtProductType;
|
||
|
|
BOOLEAN ProductTypeIsValid;
|
||
|
|
BOOLEAN Reserved0[1];
|
||
|
|
USHORT NativeProcessorArchitecture;
|
||
|
|
ULONG NtMajorVersion;
|
||
|
|
ULONG NtMinorVersion;
|
||
|
|
BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
|
||
|
|
ULONG Reserved1;
|
||
|
|
ULONG Reserved3;
|
||
|
|
ULONG TimeSlip;
|
||
|
|
ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
|
||
|
|
ULONG BootId;
|
||
|
|
LARGE_INTEGER SystemExpirationDate;
|
||
|
|
ULONG SuiteMask;
|
||
|
|
BOOLEAN KdDebuggerEnabled;
|
||
|
|
union {
|
||
|
|
UCHAR MitigationPolicies;
|
||
|
|
struct {
|
||
|
|
UCHAR NXSupportPolicy : 2;
|
||
|
|
UCHAR SEHValidationPolicy : 2;
|
||
|
|
UCHAR CurDirDevicesSkippedForDlls : 2;
|
||
|
|
UCHAR Reserved : 2;
|
||
|
|
};
|
||
|
|
};
|
||
|
|
USHORT CyclesPerYield;
|
||
|
|
ULONG ActiveConsoleId;
|
||
|
|
ULONG DismountCount;
|
||
|
|
ULONG ComPlusPackage;
|
||
|
|
ULONG LastSystemRITEventTickCount;
|
||
|
|
ULONG NumberOfPhysicalPages;
|
||
|
|
BOOLEAN SafeBootMode;
|
||
|
|
union {
|
||
|
|
UCHAR VirtualizationFlags;
|
||
|
|
struct {
|
||
|
|
UCHAR ArchStartedInEl2 : 1;
|
||
|
|
UCHAR QcSlIsSupported : 1;
|
||
|
|
};
|
||
|
|
};
|
||
|
|
UCHAR Reserved12[2];
|
||
|
|
union {
|
||
|
|
ULONG SharedDataFlags;
|
||
|
|
struct {
|
||
|
|
ULONG DbgErrorPortPresent : 1;
|
||
|
|
ULONG DbgElevationEnabled : 1;
|
||
|
|
ULONG DbgVirtEnabled : 1;
|
||
|
|
ULONG DbgInstallerDetectEnabled : 1;
|
||
|
|
ULONG DbgLkgEnabled : 1;
|
||
|
|
ULONG DbgDynProcessorEnabled : 1;
|
||
|
|
ULONG DbgConsoleBrokerEnabled : 1;
|
||
|
|
ULONG DbgSecureBootEnabled : 1;
|
||
|
|
ULONG DbgMultiSessionSku : 1;
|
||
|
|
ULONG DbgMultiUsersInSessionSku : 1;
|
||
|
|
ULONG DbgStateSeparationEnabled : 1;
|
||
|
|
ULONG SpareBits : 21;
|
||
|
|
} DUMMYSTRUCTNAME2;
|
||
|
|
} DUMMYUNIONNAME2;
|
||
|
|
ULONG DataFlagsPad[1];
|
||
|
|
ULONGLONG TestRetInstruction;
|
||
|
|
LONGLONG QpcFrequency;
|
||
|
|
ULONG SystemCall;
|
||
|
|
ULONG Reserved2;
|
||
|
|
ULONGLONG FullNumberOfPhysicalPages;
|
||
|
|
ULONGLONG SystemCallPad[1];
|
||
|
|
union {
|
||
|
|
KSYSTEM_TIME TickCount;
|
||
|
|
ULONG64 TickCountQuad;
|
||
|
|
struct {
|
||
|
|
ULONG ReservedTickCountOverlay[3];
|
||
|
|
ULONG TickCountPad[1];
|
||
|
|
} DUMMYSTRUCTNAME;
|
||
|
|
} DUMMYUNIONNAME3;
|
||
|
|
ULONG Cookie;
|
||
|
|
ULONG CookiePad[1];
|
||
|
|
LONGLONG ConsoleSessionForegroundProcessId;
|
||
|
|
ULONGLONG TimeUpdateLock;
|
||
|
|
ULONGLONG BaselineSystemTimeQpc;
|
||
|
|
ULONGLONG BaselineInterruptTimeQpc;
|
||
|
|
ULONGLONG QpcSystemTimeIncrement;
|
||
|
|
ULONGLONG QpcInterruptTimeIncrement;
|
||
|
|
UCHAR QpcSystemTimeIncrementShift;
|
||
|
|
UCHAR QpcInterruptTimeIncrementShift;
|
||
|
|
USHORT UnparkedProcessorCount;
|
||
|
|
ULONG EnclaveFeatureMask[4];
|
||
|
|
ULONG TelemetryCoverageRound;
|
||
|
|
USHORT UserModeGlobalLogger[16];
|
||
|
|
ULONG ImageFileExecutionOptions;
|
||
|
|
ULONG LangGenerationCount;
|
||
|
|
ULONGLONG Reserved4;
|
||
|
|
ULONGLONG InterruptTimeBias;
|
||
|
|
ULONGLONG QpcBias;
|
||
|
|
ULONG ActiveProcessorCount;
|
||
|
|
UCHAR ActiveGroupCount;
|
||
|
|
UCHAR Reserved9;
|
||
|
|
union {
|
||
|
|
USHORT QpcData;
|
||
|
|
struct {
|
||
|
|
UCHAR QpcBypassEnabled;
|
||
|
|
UCHAR QpcReserved;
|
||
|
|
};
|
||
|
|
};
|
||
|
|
LARGE_INTEGER TimeZoneBiasEffectiveStart;
|
||
|
|
LARGE_INTEGER TimeZoneBiasEffectiveEnd;
|
||
|
|
XSTATE_CONFIGURATION XState;
|
||
|
|
KSYSTEM_TIME FeatureConfigurationChangeStamp;
|
||
|
|
ULONG Spare;
|
||
|
|
ULONG64 UserPointerAuthMask;
|
||
|
|
XSTATE_CONFIGURATION XStateArm64;
|
||
|
|
ULONG Reserved10[210];
|
||
|
|
} KUSER_SHARED_DATA,
|
||
|
|
* PKUSER_SHARED_DATA;
|
||
|
|
|
||
|
|
#endif
|