Update kutils.hpp

IDontCode 3 years ago
parent 0c6485dbde
commit ae8be70806

@ -641,7 +641,7 @@ FORCEINLINE PVOID GetDriverExport(_In_ CONST CHAR* pszDriverName,
: NULL; : NULL;
} }
FORCEINLINE PDRIVER_OBJECT GetDriverObject(_In_ CONST PWCHAR pwszDriverName) { FORCEINLINE PDRIVER_OBJECT GetDriverObject(_In_ CONST WHCAR* pwszDriverName) {
HANDLE handle{}; HANDLE handle{};
OBJECT_ATTRIBUTES attr{}; OBJECT_ATTRIBUTES attr{};
UNICODE_STRING dirName{}; UNICODE_STRING dirName{};
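Review bot: The new GetDriverObject signature spells the parameter type `WHCAR` in `_In_ CONST WHCAR* pwszDriverName`; unless the project defines that name the header will not compile, and it was presumably meant to read `_In_ CONST WCHAR* pwszDriverName`, matching GetPid's `CONST WCHAR*` parameter. That spelling also changes the contract from a const pointer to mutable WCHAR (`CONST PWCHAR`) to a pointer to const WCHAR, which is the appropriate one for a name that is only read. GetModuleBase in the later hunk still takes `_In_ CONST PWCHAR pwszModuleName` and could be aligned the same way for consistency. GetDriverObject's body continues outside the hunk.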
@ -734,9 +734,9 @@ FORCEINLINE HANDLE GetPid(_In_ CONST WCHAR* pwszProcessName) {
return NULL; return NULL;
} }
FORCEINLINE PVOID GetProcessBase(_In_ HANDLE pid) { FORCEINLINE PVOID GetProcessBase(_In_ HANDLE hPid) {
PEPROCESS lpProc; PEPROCESS lpProc;
if (NT_SUCCESS(DYN_NT_SYM(PsLookupProcessByProcessId)(pid, &lpProc))) { if (NT_SUCCESS(DYN_NT_SYM(PsLookupProcessByProcessId)(hPid, &lpProc))) {
PVOID lpBaseAddr = DYN_NT_SYM(PsGetProcessSectionBaseAddress)(lpProc); PVOID lpBaseAddr = DYN_NT_SYM(PsGetProcessSectionBaseAddress)(lpProc);
DYN_NT_SYM(ObfDereferenceObject)(lpProc); DYN_NT_SYM(ObfDereferenceObject)(lpProc);
return lpBaseAddr; return lpBaseAddr;
@ -750,21 +750,21 @@ VOID PsCallbackExample(CONST SYSTEM_PROCESS_INFORMATION& PsInfo);
using TdCallbackPtr = decltype(&TdCallbackExample); using TdCallbackPtr = decltype(&TdCallbackExample);
using PsCallbackPtr = decltype(&PsCallbackExample); using PsCallbackPtr = decltype(&PsCallbackExample);
FORCEINLINE VOID ForEachProcess(_In_ PsCallbackPtr callback) { FORCEINLINE VOID ForEachProcess(_In_ PsCallbackPtr lpCallback) {
u32 allocSize{}; ULONG nAllocSize{};
DYN_NT_SYM(ZwQuerySystemInformation) DYN_NT_SYM(ZwQuerySystemInformation)
(SystemProcessInformation, NULL, allocSize, &allocSize); (SystemProcessInformation, NULL, nAllocSize, &nAllocSize);
auto procInfo = reinterpret_cast<PSYSTEM_PROCESS_INFORMATION>( auto procInfo = reinterpret_cast<PSYSTEM_PROCESS_INFORMATION>(
DYN_NT_SYM(ExAllocatePool)(NonPagedPool, allocSize)); DYN_NT_SYM(ExAllocatePool)(NonPagedPool, nAllocSize));
const auto origPtr = procInfo; const auto origPtr = procInfo;
DYN_NT_SYM(ZwQuerySystemInformation) DYN_NT_SYM(ZwQuerySystemInformation)
(SystemProcessInformation, procInfo, allocSize, &allocSize); (SystemProcessInformation, procInfo, nAllocSize, &nAllocSize);
while (true) { while (true) {
for (auto idx = 0u; idx < procInfo->NumberOfThreads; ++idx) for (auto idx = 0u; idx < procInfo->NumberOfThreads; ++idx)
callback(*procInfo); lpCallback(*procInfo);
if (!procInfo->NextEntryOffset) if (!procInfo->NextEntryOffset)
break; break;
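Review bot: `procInfo` returned by `ExAllocatePool` is dereferenced in the `while (true)` loop without a NULL check, and the NTSTATUS of both ZwQuerySystemInformation calls is ignored; if the second query fails (the required size can change between the two calls, so a length mismatch is possible) the loop walks uninitialized pool memory. A minimal guard is `if (!procInfo) return;` after the allocation and checking the second call's status before entering the loop, freeing the buffer on failure (the free presumably uses the same `DYN_NT_SYM(ExFreePool)` pattern — confirm against the rest of the file). The inner `for (idx < NumberOfThreads)` loop invokes `lpCallback(*procInfo)` once per thread with the same process record, which looks unintended if the callback is meant to see each process once. ForEachProcess's body, including the NextEntryOffset advance and the buffer release, continues outside the hunk.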
@ -803,7 +803,7 @@ FORCEINLINE VOID ForEachThread(_In_ HANDLE hPid, _In_ TdCallbackPtr lpCallback)
} }
FORCEINLINE PVOID GetModuleBase(_In_ HANDLE hPid, FORCEINLINE PVOID GetModuleBase(_In_ HANDLE hPid,
_In_ CONST PWCHAR lpwszModuleName) { _In_ CONST PWCHAR pwszModuleName) {
PEPROCESS lpProc; PEPROCESS lpProc;
KAPC_STATE stApcState; KAPC_STATE stApcState;
if (NT_SUCCESS(DYN_NT_SYM(PsLookupProcessByProcessId)(hPid, &lpProc))) { if (NT_SUCCESS(DYN_NT_SYM(PsLookupProcessByProcessId)(hPid, &lpProc))) {
@ -818,7 +818,7 @@ FORCEINLINE PVOID GetModuleBase(_In_ HANDLE hPid,
reinterpret_cast<u64>(currentEntry) - sizeof LIST_ENTRY); reinterpret_cast<u64>(currentEntry) - sizeof LIST_ENTRY);
const auto entryModuleName = currentEntryData->BaseDllName.Buffer; const auto entryModuleName = currentEntryData->BaseDllName.Buffer;
if (!DYN_NT_SYM(_wcsicmp)(entryModuleName, lpwszModuleName)) { if (!DYN_NT_SYM(_wcsicmp)(entryModuleName, pwszModuleName)) {
DYN_NT_SYM(ObfDereferenceObject)(lpProc); DYN_NT_SYM(ObfDereferenceObject)(lpProc);
auto moduleBase = currentEntryData->DllBase; auto moduleBase = currentEntryData->DllBase;
