You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
IDontCode
ae8be70806
|
3 years ago | |
---|---|---|
README.md | 3 years ago | |
kutils.hpp | 3 years ago |
README.md
kutils
header only kernel utils library - completely self dependent - no imports - no strings
Macros
- HSTRING macro - compile time hashing of c-strings
HSTRING("hash me!")
- DYN_MOD - dynamically resolve base address of a kernel module. uses HSTRING to compare hashes of file names
DYN_MOD("ntoskrnl.exe")
- DYN_NT_SYM - dynamically resolve ntoskrnl export's
DYN_NT_SYM(DbgPrint)("Hello World")
- DYN_MOD_SYM - dynamically resolve export from a kernel modules file name - uses compile time hashes of both file name and export name.
DYN_MOD_SYM("win32kbase.sys", "NtGdiFlush")
Neither string will be in the binary.
Functions
PVOID KUtils::Driver::GetKernelBase(VOID)
- Get the base address of the kernel.PDRIVER_OBJECT KUtils::Driver::GetDriverObject(CONST WCHAR* pwszDriverName)
- Get driver object given the name of the driver.HANDLE KUtils::Process::GetPid(CONST WCHAR* pwszProcessName)
- get pid given a process file name.PVOID KUtils::Process:GetProcessBase(HANDLE hPid)
- get process base address given pid.VOID KUtils::Process::ForEachProcess(PsCallbackPtr lpCallback)
- pass a callback to loop over each process.VOID KUtils::Process::ForEachThread(HANDLE hPid, TdCallbackPtr lpCallback)
- pass a callback and pid to loop over each thread in that process.VOID KUtils::Process::GetModuleBase(HANDLE hPid, CONST WCHAR* pwszModuleName)
- gets module base base for a module in a given process.LPVOID KUtils::Signature::Scan(LPVOID lpBase, ULONG nSize, CONST CHAR* pszPattern, CONST CHAR* pszMask)