xerox
3 years ago
parent
f90f97c803
commit
d8d809f93b
Binary file not shown.
@ -0,0 +1,62 @@
|
||||
#include "callback.h"
|
||||
#include "hooks.h"
|
||||
|
||||
namespace callback
|
||||
{
|
||||
NTSTATUS gh_create_device(
|
||||
PDRIVER_OBJECT driver_obj,
|
||||
ULONG device_ext,
|
||||
PUNICODE_STRING device_name,
|
||||
DEVICE_TYPE device_type,
|
||||
ULONG device_char,
|
||||
BOOLEAN exclusive,
|
||||
PDEVICE_OBJECT* lpdevice_obj
|
||||
)
|
||||
{
|
||||
DBG_PRINT("=============== IoCreateDevice Called ===============");
|
||||
DBG_PRINT(" - driver object: 0x%p", driver_obj);
|
||||
|
||||
//
|
||||
// swap ioctl pointer
|
||||
//
|
||||
hooks::orig_device_control = driver_obj->MajorFunction[IRP_MJ_DEVICE_CONTROL];
|
||||
driver_obj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &hooks::device_control;
|
||||
|
||||
DBG_PRINT(" - swapped ioctl function from 0x%p to 0x%p", driver_obj->MajorFunction[IRP_MJ_DEVICE_CONTROL], &hooks::device_control);
|
||||
return IoCreateDevice(
|
||||
driver_obj,
|
||||
device_ext,
|
||||
device_name,
|
||||
device_type,
|
||||
device_char,
|
||||
exclusive,
|
||||
lpdevice_obj
|
||||
);
|
||||
}
|
||||
|
||||
void on_image_load(
|
||||
PUNICODE_STRING image_path,
|
||||
HANDLE pid,
|
||||
PIMAGE_INFO image_info
|
||||
)
|
||||
{
|
||||
if (!pid)
|
||||
{
|
||||
DBG_PRINT("driver loaded from: %ws", image_path->Buffer);
|
||||
DBG_PRINT(" - driver timestamp: 0x%p", driver_util::get_file_header(image_info->ImageBase)->TimeDateStamp);
|
||||
|
||||
//
|
||||
// if its intel lan driver then we hook IoCreateDevice and swap ioctl pointer.
|
||||
//
|
||||
if (driver_util::get_file_header(image_info->ImageBase)->TimeDateStamp == INTEL_LAN_DRIVER_TIMESTAMP)
|
||||
{
|
||||
DBG_PRINT("=============== Intel Lan Driver Loaded ===============");
|
||||
driver_util::iat_hook(
|
||||
image_info->ImageBase,
|
||||
"IoCreateDevice",
|
||||
&gh_create_device
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,22 @@
|
||||
#pragma once
|
||||
#include "types.h"
|
||||
#include "driver_util.h"
|
||||
|
||||
namespace callback
|
||||
{
|
||||
void on_image_load(
|
||||
PUNICODE_STRING image_path,
|
||||
HANDLE pid,
|
||||
PIMAGE_INFO image_info
|
||||
);
|
||||
|
||||
NTSTATUS gh_create_device(
|
||||
PDRIVER_OBJECT driver_obj,
|
||||
ULONG device_ext,
|
||||
PUNICODE_STRING device_name,
|
||||
DEVICE_TYPE device_type,
|
||||
ULONG device_char,
|
||||
BOOLEAN exclusive,
|
||||
PDEVICE_OBJECT* lpdevice_obj
|
||||
);
|
||||
}
|
||||
@ -0,0 +1,197 @@
|
||||
#include "driver_util.h"
|
||||
|
||||
namespace driver_util
|
||||
{
|
||||
void* get_driver_base(const char* module_name)
|
||||
{
|
||||
ULONG bytes{};
|
||||
NTSTATUS status = ZwQuerySystemInformation(
|
||||
SystemModuleInformation,
|
||||
NULL,
|
||||
bytes,
|
||||
&bytes
|
||||
);
|
||||
|
||||
if (!bytes)
|
||||
return NULL;
|
||||
PRTL_PROCESS_MODULES modules =
|
||||
(PRTL_PROCESS_MODULES)ExAllocatePool(NonPagedPool, bytes);
|
||||
|
||||
if (modules)
|
||||
{
|
||||
status = ZwQuerySystemInformation(
|
||||
SystemModuleInformation,
|
||||
modules,
|
||||
bytes,
|
||||
&bytes
|
||||
);
|
||||
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
ExFreePool(modules);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;
|
||||
PVOID module_base{}, module_size{};
|
||||
for (ULONG i = 0; i < modules->NumberOfModules; i++)
|
||||
{
|
||||
if (strcmp(reinterpret_cast<char*>(module[i].FullPathName + module[i].OffsetToFileName), module_name) == 0)
|
||||
{
|
||||
module_base = module[i].ImageBase;
|
||||
module_size = (PVOID)module[i].ImageSize;
|
||||
break;
|
||||
}
|
||||
}
|
||||
ExFreePool(modules);
|
||||
return module_base;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void* get_kmode_export(const char* mod_name, const char* proc_name)
|
||||
{
|
||||
if (!mod_name || !proc_name)
|
||||
return NULL;
|
||||
|
||||
void* result = get_driver_base(mod_name);
|
||||
if (!result)
|
||||
return NULL;
|
||||
return RtlFindExportedRoutineByName(result, proc_name);
|
||||
}
|
||||
|
||||
PIMAGE_FILE_HEADER get_file_header(void* base_addr)
|
||||
{
|
||||
if (!base_addr || *(short*)base_addr != 0x5A4D)
|
||||
return NULL;
|
||||
|
||||
PIMAGE_DOS_HEADER dos_headers =
|
||||
reinterpret_cast<PIMAGE_DOS_HEADER>(base_addr);
|
||||
|
||||
PIMAGE_NT_HEADERS nt_headers =
|
||||
reinterpret_cast<PIMAGE_NT_HEADERS>(
|
||||
reinterpret_cast<DWORD_PTR>(base_addr) + dos_headers->e_lfanew);
|
||||
|
||||
return &nt_headers->FileHeader;
|
||||
}
|
||||
|
||||
void* iat_hook(void* base_addr, const char* import, void* func_addr)
|
||||
{
|
||||
if (!base_addr || *(short*)base_addr != 0x5A4D || !import || !func_addr)
|
||||
return NULL;
|
||||
|
||||
PIMAGE_DOS_HEADER dos_headers =
|
||||
reinterpret_cast<PIMAGE_DOS_HEADER>(base_addr);
|
||||
|
||||
PIMAGE_NT_HEADERS nt_headers =
|
||||
reinterpret_cast<PIMAGE_NT_HEADERS>(
|
||||
reinterpret_cast<DWORD_PTR>(base_addr) + dos_headers->e_lfanew);
|
||||
|
||||
IMAGE_DATA_DIRECTORY import_dir =
|
||||
nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
|
||||
|
||||
PIMAGE_IMPORT_DESCRIPTOR import_des =
|
||||
reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(import_dir.VirtualAddress + (DWORD_PTR)base_addr);
|
||||
|
||||
LPCSTR lib_name = NULL;
|
||||
PVOID result = NULL;
|
||||
PIMAGE_IMPORT_BY_NAME func_name = NULL;
|
||||
|
||||
if (!import_des)
|
||||
return NULL;
|
||||
|
||||
while (import_des->Name != NULL)
|
||||
{
|
||||
lib_name = (LPCSTR)import_des->Name + (DWORD_PTR)base_addr;
|
||||
|
||||
if (get_driver_base(lib_name))
|
||||
{
|
||||
PIMAGE_THUNK_DATA org_first_thunk = NULL, first_thunk = NULL;
|
||||
org_first_thunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)base_addr + import_des->OriginalFirstThunk);
|
||||
first_thunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)base_addr + import_des->FirstThunk);
|
||||
while (org_first_thunk->u1.AddressOfData != NULL)
|
||||
{
|
||||
func_name = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)base_addr + org_first_thunk->u1.AddressOfData);
|
||||
if (strcmp(func_name->Name, import) == 0)
|
||||
{
|
||||
// save old function pointer
|
||||
result = reinterpret_cast<PVOID>(first_thunk->u1.Function);
|
||||
|
||||
{
|
||||
//
|
||||
// disable write protection
|
||||
//
|
||||
auto cr0 = __readcr0();
|
||||
cr0 &= 0xfffffffffffeffff;
|
||||
__writecr0(cr0);
|
||||
_disable();
|
||||
}
|
||||
|
||||
// swap address
|
||||
first_thunk->u1.Function = reinterpret_cast<ULONG64>(func_addr);
|
||||
|
||||
{
|
||||
//
|
||||
// enable write protection
|
||||
//
|
||||
auto cr0 = __readcr0();
|
||||
cr0 |= 0x10000;
|
||||
_enable();
|
||||
__writecr0(cr0);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
++org_first_thunk;
|
||||
++first_thunk;
|
||||
}
|
||||
}
|
||||
++import_des;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void mem_dump(void* base_addr, unsigned len)
|
||||
{
|
||||
if (!base_addr || !len)
|
||||
return;
|
||||
|
||||
HANDLE h_file;
|
||||
UNICODE_STRING name;
|
||||
OBJECT_ATTRIBUTES attr;
|
||||
IO_STATUS_BLOCK status_block;
|
||||
LARGE_INTEGER offset{ NULL };
|
||||
|
||||
RtlInitUnicodeString(&name, L"\\DosDevices\\C:\\dump.bin");
|
||||
InitializeObjectAttributes(&attr, &name,
|
||||
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
|
||||
NULL, NULL
|
||||
);
|
||||
|
||||
auto status = ZwCreateFile(
|
||||
&h_file,
|
||||
GENERIC_WRITE,
|
||||
&attr,
|
||||
&status_block,
|
||||
NULL,
|
||||
FILE_ATTRIBUTE_NORMAL,
|
||||
NULL,
|
||||
FILE_OVERWRITE_IF,
|
||||
FILE_SYNCHRONOUS_IO_NONALERT,
|
||||
NULL,
|
||||
NULL
|
||||
);
|
||||
|
||||
status = ZwWriteFile(
|
||||
h_file,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
&status_block,
|
||||
base_addr,
|
||||
len,
|
||||
&offset,
|
||||
NULL
|
||||
);
|
||||
ZwClose(h_file);
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,11 @@
|
||||
#pragma once
|
||||
#include "types.h"
|
||||
|
||||
namespace driver_util
|
||||
{
|
||||
void* get_driver_base(const char* module_name);
|
||||
void* iat_hook(void* base_addr, const char* import, void* func_addr);
|
||||
void mem_dump(void* base_addr, unsigned len);
|
||||
void* get_kmode_export(const char* mod_name, const char* proc_name);
|
||||
PIMAGE_FILE_HEADER get_file_header(void* base_addr);
|
||||
}
|
||||
@ -0,0 +1,53 @@
|
||||
#include "hooks.h"
|
||||
|
||||
namespace hooks
|
||||
{
|
||||
NTSTATUS device_control(
|
||||
PDEVICE_OBJECT device_obj,
|
||||
PIRP irp
|
||||
)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(device_obj);
|
||||
PIO_STACK_LOCATION stack_location = IoGetCurrentIrpStackLocation(irp);
|
||||
|
||||
if (stack_location->Parameters.DeviceIoControl.IoControlCode == INTEL_LAN_DRIVER_IOCTL)
|
||||
{
|
||||
if (stack_location->Parameters.DeviceIoControl.InputBufferLength)
|
||||
{
|
||||
PCOPY_MEMORY_BUFFER_INFO copy_memory_buffer = reinterpret_cast<PCOPY_MEMORY_BUFFER_INFO>(stack_location->Parameters.SetFile.DeleteHandle);
|
||||
|
||||
//
|
||||
// if case is memmove and the destination is in the kernel (pml4 index is > 255)
|
||||
//
|
||||
if (copy_memory_buffer->case_number == INTEL_LAN_COPY_CASE_NUMBER)
|
||||
{
|
||||
if (virt_addr_t{ copy_memory_buffer->destination }.pml4_index > 255)
|
||||
{
|
||||
//
|
||||
// there are a few writes of size 0xC (inline jump code) we can skip those.
|
||||
//
|
||||
if (copy_memory_buffer->length > 0x20)
|
||||
{
|
||||
DBG_PRINT("=============== Dumping Memory ==============");
|
||||
DBG_PRINT(
|
||||
"Copying memory from 0x%p to 0x%p of size 0x%x",
|
||||
copy_memory_buffer->source,
|
||||
copy_memory_buffer->destination,
|
||||
copy_memory_buffer->length
|
||||
);
|
||||
|
||||
//
|
||||
// dump memory from inside of the PE to disk.
|
||||
//
|
||||
driver_util::mem_dump(
|
||||
copy_memory_buffer->source,
|
||||
copy_memory_buffer->length
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return reinterpret_cast<decltype(&device_control)>(orig_device_control)(device_obj, irp);
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,12 @@
|
||||
#pragma once
|
||||
#include "types.h"
|
||||
#include "driver_util.h"
|
||||
|
||||
namespace hooks
|
||||
{
|
||||
inline void* orig_device_control = NULL;
|
||||
NTSTATUS device_control(
|
||||
PDEVICE_OBJECT device_obj,
|
||||
PIRP irp
|
||||
);
|
||||
}
|
||||
@ -0,0 +1,41 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="callback.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="types.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="driver_util.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="hooks.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="callback.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="driver_util.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="main.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="hooks.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
@ -0,0 +1,39 @@
|
||||
#include "types.h"
|
||||
#include "callback.h"
|
||||
|
||||
void driver_unload(
|
||||
DRIVER_OBJECT* driver_obj
|
||||
)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(driver_obj);
|
||||
PsRemoveLoadImageNotifyRoutine(&callback::on_image_load);
|
||||
}
|
||||
|
||||
NTSTATUS driver_close(
|
||||
IN PDEVICE_OBJECT device_obj,
|
||||
IN PIRP lp_irp
|
||||
)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(device_obj);
|
||||
lp_irp->IoStatus.Status = STATUS_SUCCESS;
|
||||
lp_irp->IoStatus.Information = NULL;
|
||||
IoCompleteRequest(lp_irp, IO_NO_INCREMENT);
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
//
|
||||
// This driver is not to be manually mapped in its current form.
|
||||
// If you choose to manually map this driver please remove "driver_close" and "driver_unload".
|
||||
//
|
||||
NTSTATUS __cdecl driver_entry(
|
||||
_In_ PDRIVER_OBJECT driver_obj,
|
||||
_In_ PUNICODE_STRING reg_path
|
||||
)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(reg_path);
|
||||
driver_obj->MajorFunction[IRP_MJ_CLOSE] = &driver_close;
|
||||
driver_obj->DriverUnload = &driver_unload;
|
||||
|
||||
DBG_PRINT("callbacks registered, waiting for intel lan driver....");
|
||||
return PsSetLoadImageNotifyRoutine(&callback::on_image_load);
|
||||
}
|
||||
@ -0,0 +1,250 @@
|
||||
#pragma once
|
||||
#include <ntifs.h>
|
||||
#include <intrin.h>
|
||||
|
||||
#if true
|
||||
#define DBG_PRINT(...) DbgPrintEx( DPFLTR_SYSTEM_ID, DPFLTR_ERROR_LEVEL, "[kdstinker]" __VA_ARGS__);
|
||||
#else
|
||||
#define DBG_PRINT(...)
|
||||
#endif
|
||||
|
||||
#ifndef DWORD
|
||||
#define DWORD unsigned
|
||||
#endif
|
||||
|
||||
#ifndef WORD
|
||||
#define WORD unsigned short
|
||||
#endif
|
||||
|
||||
#ifndef uint64_t
|
||||
#define uint64_t ULONGLONG
|
||||
#endif
|
||||
|
||||
#ifndef uint32_t
|
||||
#define uint32_t DWORD
|
||||
#endif
|
||||
|
||||
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
|
||||
|
||||
#define INTEL_LAN_DRIVER_TIMESTAMP 0x5284EAC3
|
||||
#define INTEL_LAN_DRIVER_IOCTL 0x80862007
|
||||
#define INTEL_LAN_COPY_CASE_NUMBER 0x33
|
||||
|
||||
extern "C" NTSTATUS ZwQuerySystemInformation(
|
||||
ULONG InfoClass,
|
||||
PVOID Buffer,
|
||||
ULONG Length,
|
||||
PULONG ReturnLength
|
||||
);
|
||||
|
||||
extern "C" NTKERNELAPI
|
||||
PVOID
|
||||
NTAPI
|
||||
RtlFindExportedRoutineByName(
|
||||
_In_ PVOID ImageBase,
|
||||
_In_ PCCH RoutineName
|
||||
);
|
||||
|
||||
typedef struct _COPY_MEMORY_BUFFER_INFO
|
||||
{
|
||||
uint64_t case_number;
|
||||
uint64_t reserved;
|
||||
void* source;
|
||||
void* destination;
|
||||
uint64_t length;
|
||||
}COPY_MEMORY_BUFFER_INFO, * PCOPY_MEMORY_BUFFER_INFO;
|
||||
|
||||
typedef struct _FILL_MEMORY_BUFFER_INFO
|
||||
{
|
||||
uint64_t case_number;
|
||||
uint64_t reserved1;
|
||||
uint32_t value;
|
||||
uint32_t reserved2;
|
||||
uint64_t destination;
|
||||
uint64_t length;
|
||||
}FILL_MEMORY_BUFFER_INFO, * PFILL_MEMORY_BUFFER_INFO;
|
||||
|
||||
typedef struct _GET_PHYS_ADDRESS_BUFFER_INFO
|
||||
{
|
||||
uint64_t case_number;
|
||||
uint64_t reserved;
|
||||
uint64_t return_physical_address;
|
||||
uint64_t address_to_translate;
|
||||
}GET_PHYS_ADDRESS_BUFFER_INFO, * PGET_PHYS_ADDRESS_BUFFER_INFO;
|
||||
|
||||
typedef struct _MAP_IO_SPACE_BUFFER_INFO
|
||||
{
|
||||
uint64_t case_number;
|
||||
uint64_t reserved;
|
||||
uint64_t return_value;
|
||||
uint64_t return_virtual_address;
|
||||
uint64_t physical_address_to_map;
|
||||
uint32_t size;
|
||||
}MAP_IO_SPACE_BUFFER_INFO, * PMAP_IO_SPACE_BUFFER_INFO;
|
||||
|
||||
typedef struct _UNMAP_IO_SPACE_BUFFER_INFO
|
||||
{
|
||||
uint64_t case_number;
|
||||
uint64_t reserved1;
|
||||
uint64_t reserved2;
|
||||
uint64_t virt_address;
|
||||
uint64_t reserved3;
|
||||
uint32_t number_of_bytes;
|
||||
}UNMAP_IO_SPACE_BUFFER_INFO, * PUNMAP_IO_SPACE_BUFFER_INFO;
|
||||
|
||||
typedef struct _RTL_PROCESS_MODULE_INFORMATION
|
||||
{
|
||||
HANDLE Section;
|
||||
PVOID MappedBase;
|
||||
PVOID ImageBase;
|
||||
ULONG ImageSize;
|
||||
ULONG Flags;
|
||||
USHORT LoadOrderIndex;
|
||||
USHORT InitOrderIndex;
|
||||
USHORT LoadCount;
|
||||
USHORT OffsetToFileName;
|
||||
UCHAR FullPathName[256];
|
||||
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
|
||||
|
||||
typedef struct _RTL_PROCESS_MODULES
|
||||
{
|
||||
ULONG NumberOfModules;
|
||||
RTL_PROCESS_MODULE_INFORMATION Modules[1];
|
||||
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
|
||||
|
||||
typedef enum _SYSTEM_INFORMATION_CLASS
|
||||
{
|
||||
SystemBasicInformation,
|
||||
SystemProcessorInformation,
|
||||
SystemPerformanceInformation,
|
||||
SystemTimeOfDayInformation,
|
||||
SystemPathInformation,
|
||||
SystemProcessInformation,
|
||||
SystemCallCountInformation,
|
||||
SystemDeviceInformation,
|
||||
SystemProcessorPerformanceInformation,
|
||||
SystemFlagsInformation,
|
||||
SystemCallTimeInformation,
|
||||
SystemModuleInformation = 0x0B
|
||||
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
|
||||
|
||||
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
|
||||
USHORT e_magic; // Magic number
|
||||
USHORT e_cblp; // Bytes on last page of file
|
||||
USHORT e_cp; // Pages in file
|
||||
USHORT e_crlc; // Relocations
|
||||
USHORT e_cparhdr; // Size of header in paragraphs
|
||||
USHORT e_minalloc; // Minimum extra paragraphs needed
|
||||
USHORT e_maxalloc; // Maximum extra paragraphs needed
|
||||
USHORT e_ss; // Initial (relative) SS value
|
||||
USHORT e_sp; // Initial SP value
|
||||
USHORT e_csum; // Checksum
|
||||
USHORT e_ip; // Initial IP value
|
||||
USHORT e_cs; // Initial (relative) CS value
|
||||
USHORT e_lfarlc; // File address of relocation table
|
||||
USHORT e_ovno; // Overlay number
|
||||
USHORT e_res[4]; // Reserved words
|
||||
USHORT e_oemid; // OEM identifier (for e_oeminfo)
|
||||
USHORT e_oeminfo; // OEM information; e_oemid specific
|
||||
USHORT e_res2[10]; // Reserved words
|
||||
LONG e_lfanew; // File address of new exe header
|
||||
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
|
||||
|
||||
typedef struct _IMAGE_FILE_HEADER {
|
||||
short Machine;
|
||||
short NumberOfSections;
|
||||
unsigned TimeDateStamp;
|
||||
unsigned PointerToSymbolTable;
|
||||
unsigned NumberOfSymbols;
|
||||
short SizeOfOptionalHeader;
|
||||
short Characteristics;
|
||||
} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
|
||||
|
||||
typedef struct _IMAGE_DATA_DIRECTORY {
|
||||
unsigned VirtualAddress;
|
||||
unsigned Size;
|
||||
} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
|
||||
|
||||
typedef struct _IMAGE_OPTIONAL_HEADER64 {
|
||||
short Magic;
|
||||
unsigned char MajorLinkerVersion;
|
||||
unsigned char MinorLinkerVersion;
|
||||
unsigned SizeOfCode;
|
||||
unsigned SizeOfInitializedData;
|
||||
unsigned SizeOfUninitializedData;
|
||||
unsigned AddressOfEntryPoint;
|
||||
unsigned BaseOfCode;
|
||||
ULONGLONG ImageBase;
|
||||
unsigned SectionAlignment;
|
||||
unsigned FileAlignment;
|
||||
short MajorOperatingSystemVersion;
|
||||
short MinorOperatingSystemVersion;
|
||||
short MajorImageVersion;
|
||||
short MinorImageVersion;
|
||||
short MajorSubsystemVersion;
|
||||
short MinorSubsystemVersion;
|
||||
unsigned Win32VersionValue;
|
||||
unsigned SizeOfImage;
|
||||
unsigned SizeOfHeaders;
|
||||
unsigned CheckSum;
|
||||
short Subsystem;
|
||||
short DllCharacteristics;
|
||||
ULONGLONG SizeOfStackReserve;
|
||||
ULONGLONG SizeOfStackCommit;
|
||||
ULONGLONG SizeOfHeapReserve;
|
||||
ULONGLONG SizeOfHeapCommit;
|
||||
unsigned LoaderFlags;
|
||||
unsigned NumberOfRvaAndSizes;
|
||||
IMAGE_DATA_DIRECTORY DataDirectory[16];
|
||||
} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
|
||||
|
||||
typedef struct _IMAGE_NT_HEADERS64 {
|
||||
unsigned Signature;
|
||||
IMAGE_FILE_HEADER FileHeader;
|
||||
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
|
||||
} IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
|
||||
|
||||
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
|
||||
union {
|
||||
DWORD Characteristics; // 0 for terminating null import descriptor
|
||||
DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
|
||||
} DUMMYUNIONNAME;
|
||||
DWORD TimeDateStamp; // 0 if not bound,
|
||||
// -1 if bound, and real date\time stamp
|
||||
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
|
||||
// O.W. date/time stamp of DLL bound to (Old BIND)
|
||||
|
||||
DWORD ForwarderChain; // -1 if no forwarders
|
||||
DWORD Name;
|
||||
DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
|
||||
} IMAGE_IMPORT_DESCRIPTOR;
|
||||
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED* PIMAGE_IMPORT_DESCRIPTOR;
|
||||
|
||||
typedef struct _IMAGE_IMPORT_BY_NAME {
|
||||
WORD Hint;
|
||||
CHAR Name[1];
|
||||
} IMAGE_IMPORT_BY_NAME, * PIMAGE_IMPORT_BY_NAME;
|
||||
|
||||
typedef struct _IMAGE_THUNK_DATA64 {
|
||||
union {
|
||||
ULONGLONG ForwarderString; // PBYTE
|
||||
ULONGLONG Function; // PDWORD
|
||||
ULONGLONG Ordinal;
|
||||
ULONGLONG AddressOfData; // PIMAGE_IMPORT_BY_NAME
|
||||
} u1;
|
||||
} IMAGE_THUNK_DATA64, * PIMAGE_THUNK_DATA64;
|
||||
typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA;
|
||||
|
||||
typedef union _virt_addr_t
|
||||
{
|
||||
void* value;
|
||||
struct
|
||||
{
|
||||
ULONG64 offset : 12;
|
||||
ULONG64 pt_index : 9;
|
||||
ULONG64 pd_index : 9;
|
||||
ULONG64 pdpt_index : 9;
|
||||
ULONG64 pml4_index : 9;
|
||||
ULONG64 reserved : 16;
|
||||
};
|
||||
} virt_addr_t, * pvirt_addr_t;
|
||||
Loading…
Reference in new issue