gmh5225
/
FakeEnclave
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update

Browse Source
master
gmh5225 2 years ago
parent 328b869cf7
commit ce936023a2
No known key found for this signature in database
GPG Key ID: 3BBC731F40B2CEC1
7 changed files with 572 additions and 1 deletions
Show Stats Download Patch File Download Diff File

101
.clang-format
Unescape View File

@ -0,0 +1,101 @@
AccessModifierOffset: -4
AlignAfterOpenBracket: AlwaysBreak
AlignConsecutiveAssignments: false
AlignConsecutiveDeclarations: false
AlignEscapedNewlines: DontAlign
AlignOperands: true
AllowAllParametersOfDeclarationOnNextLine: false
AllowShortBlocksOnASingleLine: false
AllowShortCaseLabelsOnASingleLine: false
AllowShortFunctionsOnASingleLine: Inline
AllowShortIfStatementsOnASingleLine: false
AllowShortLoopsOnASingleLine: false
AlwaysBreakAfterReturnType: TopLevel
AlwaysBreakBeforeMultilineStrings: false
AlwaysBreakTemplateDeclarations: true
BinPackArguments: false
BinPackParameters: false
BraceWrapping:
AfterClass: true
AfterControlStatement: true
AfterEnum: true
AfterFunction: true
AfterNamespace: false
AfterStruct: true
AfterUnion: true
AfterExternBlock: false
BeforeCatch: true
BeforeElse: true
BreakBeforeBraces: Custom
BreakBeforeBinaryOperators: None
BreakBeforeTernaryOperators: true
BreakConstructorInitializers: AfterColon
BreakStringLiterals: false
ColumnLimit: 120
CommentPragmas: '^begin_wpp|^end_wpp|^FUNC |^USESUFFIX |^USESUFFIX '
ConstructorInitializerAllOnOneLineOrOnePerLine: true
ConstructorInitializerIndentWidth: 4
ContinuationIndentWidth: 4
Cpp11BracedListStyle: true
DerivePointerAlignment: false
ExperimentalAutoDetectBinPacking: false
IndentCaseLabels: false
IndentPPDirectives: AfterHash
IndentWidth: 4
KeepEmptyLinesAtTheStartOfBlocks: false
Language: Cpp
MacroBlockBegin: '^BEGIN_MODULE$|^BEGIN_TEST_CLASS$|^BEGIN_TEST_METHOD$'
MacroBlockEnd: '^END_MODULE$|^END_TEST_CLASS$|^END_TEST_METHOD$'
MaxEmptyLinesToKeep: 1
NamespaceIndentation: None
PointerAlignment: Right
ReflowComments: true
SortIncludes: false
SpaceAfterCStyleCast: false
SpaceBeforeAssignmentOperators: true
SpaceBeforeCtorInitializerColon: true
SpaceBeforeCtorInitializerColon: true
SpaceBeforeParens: ControlStatements
SpaceBeforeRangeBasedForLoopColon: true
SpaceInEmptyParentheses: false
SpacesInAngles: false
SpacesInCStyleCastParentheses: false
SpacesInParentheses: false
SpacesInSquareBrackets: false
Standard: Cpp11
StatementMacros: [
'EXTERN_C',
'PAGED',
'PAGEDX',
'NONPAGED',
'PNPCODE',
'INITCODE',
'_At_',
'_When_',
'_Success_',
'_Check_return_',
'_Must_inspect_result_',
'_IRQL_requires_',
'_IRQL_requires_max_',
'_IRQL_requires_min_',
'_IRQL_saves_',
'_IRQL_restores_',
'_IRQL_saves_global_',
'_IRQL_restores_global_',
'_IRQL_raises_',
'_IRQL_lowers_',
'_Acquires_lock_',
'_Releases_lock_',
'_Acquires_exclusive_lock_',
'_Releases_exclusive_lock_',
'_Acquires_shared_lock_',
'_Releases_shared_lock_',
'_Requires_lock_held_',
'_Use_decl_annotations_',
'_Guarded_by_',
'__drv_preferredFunction',
'__drv_allocatesMem',
'__drv_freesMem',
]
TabWidth: '4'
UseTab: Never

35
FakeEnclave.sln
Unescape View File

@ -0,0 +1,35 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.2.32519.379
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FakeEnclave", "FakeEnclave.vcxproj", "{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|ARM64.ActiveCfg = Debug|ARM64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|ARM64.Build.0 = Debug|ARM64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|ARM64.Deploy.0 = Debug|ARM64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|x64.ActiveCfg = Debug|x64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|x64.Build.0 = Debug|x64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|x64.Deploy.0 = Debug|x64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|ARM64.ActiveCfg = Release|ARM64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|ARM64.Build.0 = Release|ARM64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|ARM64.Deploy.0 = Release|ARM64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|x64.ActiveCfg = Release|x64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|x64.Build.0 = Release|x64
{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|x64.Deploy.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {8852CAE8-8666-47DE-8C40-AA6BF9B7D73B}
EndGlobalSection
EndGlobal

134
FakeEnclave.vcxproj
Unescape View File

@ -0,0 +1,134 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}</ProjectGuid>
<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">x64</Platform>
<RootNamespace>FakeEnclave</RootNamespace>
<WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
<ClCompile>
<BufferSecurityCheck>false</BufferSecurityCheck>
<WarningLevel>Level3</WarningLevel>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
<Link>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
<ClCompile>
<BufferSecurityCheck>false</BufferSecurityCheck>
<WarningLevel>Level3</WarningLevel>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
<Link>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
</ItemDefinitionGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="Source.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="struct.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

27
FakeEnclave.vcxproj.filters
Unescape View File

@ -0,0 +1,27 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Source.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="struct.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>

10
README.md
Unescape View File

@ -1,3 +1,11 @@
# FakeEnclave # FakeEnclave
A poc that abuses Enclave A poc that abuses Enclave
![image](https://user-images.githubusercontent.com/13917777/189128521-bf4e0691-bed8-41b1-aa7b-bd9ed17e39f7.png)
## What it can do?
- Anti-tamper
- There may be nothing to do
## Compile
- Visual Studio 2022 & WDK10
- llvm-msvc [[link]](https://github.com/NewWorldComingSoon/llvm-msvc-build)

183
Source.cpp
Unescape View File

@ -0,0 +1,183 @@
#include <fltKernel.h>
#include <ntimage.h>
#include "struct.h"
#define YOUR_APP_NAME "dwm.exe"
#define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
EXTERN_C
PCCHAR
NTAPI
PsGetProcessImageFileName(IN PEPROCESS Process);
EXTERN_C
PVOID
PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
using fnMiObtainReferencedVadEx = void *(NTAPI *)(void *a1, char a2, int *a3);
__declspec(naked) PVOID GetNtosBase()
{
_asm {
mov rax, qword ptr gs:[18h]
mov rcx, [rax+38h]
mov rax, 0FFFFFFFFFFFFF000h
and rax, [rcx+4h]
jmp while_begin
search_begin:
add rax, 0FFFFFFFFFFFFF000h
while_begin:
xor ecx, ecx
jmp search_cmp
search_next:
add rcx, 1
cmp rcx, 0FF9h
jz search_begin
search_cmp:
cmp byte ptr[rax+rcx], 48h
jnz search_next
cmp byte ptr[rax+rcx+1], 8Dh
jnz search_next
cmp byte ptr[rax+rcx+2], 1Dh
jnz search_next
cmp byte ptr[rax+rcx+6], 0FFh
jnz search_next
mov r8d,[rax+rcx+3]
lea edx,[rcx+r8]
add edx, eax
add edx, 7
test edx, 0FFFh
jnz search_next
mov rdx, 0FFFFFFFF00000000h
and rdx, rax
add r8d, eax
lea eax,[rcx+r8]
add eax, 7
or rax, rdx
ret
}
}
static PUCHAR
FindPattern(PVOID Module, ULONG Size, LPCSTR Pattern, LPCSTR Mask)
{
auto checkMask = [](PUCHAR Buffer, LPCSTR Pattern, LPCSTR Mask) -> bool {
for (auto x = Buffer; *Mask; Pattern++, Mask++, x++)
{
auto addr = *(UCHAR *)(Pattern);
if (addr != *x && *Mask != '?')
return false;
}
return true;
};
for (auto x = 0; x < Size - strlen(Mask); x++)
{
auto addr = (PUCHAR)Module + x;
if (checkMask(addr, Pattern, Mask))
return addr;
}
return nullptr;
}
static PEPROCESS
FindDWMEprocess(ULONG &OutPid)
{
OutPid = 0;
PEPROCESS pEpDWM = nullptr;
for (ULONG i = 0; i < 0x5000; i += 4)
{
PEPROCESS pEp = nullptr;
auto lStatus = PsLookupProcessByProcessId((HANDLE)i, &pEp);
if (!NT_SUCCESS(lStatus) || !pEp)
{
continue;
}
auto pName = PsGetProcessImageFileName(pEp);
// A more casual code
if (pName && strstr(pName, YOUR_APP_NAME))
{
pEpDWM = pEp;
}
ObDereferenceObject(pEp);
if (pEpDWM)
{
OutPid = i;
break;
}
}
return pEpDWM;
}
EXTERN_C
NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
dprintf("new world!\n");
PVOID pNtosBase = GetNtosBase();
dprintf("pNtosBase=%p\n", pNtosBase);
// 48 89 5C 24 10 48 89 74 24 18 48 89 7C 24 20 41 54 41 56 41 57 48 83 EC 20 41 C7 00 00 00 00 00 4D 8B E0 65 48 8B
// ?? ?? 88 01 00 00 44 8B ?? 48 8B ?? ?? ?? ?? B8 00 00 00
fnMiObtainReferencedVadEx pMiObtainReferencedVadEx = (fnMiObtainReferencedVadEx)FindPattern(
((PUCHAR)pNtosBase + 0x1000),
0x50000,
"\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x48\x89\x7C\x24\x20\x41\x54\x41\x56\x41\x57\x48\x83\xEC\x20\x41\xC7\x00\x00\x00\x00\x00\x4D\x8B\xE0\x65\x48\x8B\x00\x00\x88\x01\x00\x00\x44\x8B\x00\x48\x8B\x00\x00\x00\x00\xB8\x00\x00\x00",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx??xxxxxx?xx????xxxx");
dprintf("pMiObtainReferencedVadEx=%p\n", pMiObtainReferencedVadEx);
if (!pMiObtainReferencedVadEx)
{
dprintf("Error: Not found MiObtainReferencedVadEx!\n");
return -1;
}
ULONG uDWMPID;
PEPROCESS pEpDWM = FindDWMEprocess(uDWMPID);
dprintf("pEpDWM=%p, uDWMPID=%d!\n", pEpDWM, uDWMPID);
if (uDWMPID == 0)
{
dprintf("Error: Not found DWM!\n");
return -2;
}
PUCHAR pFirstPage = (PUCHAR)PsGetProcessSectionBaseAddress(pEpDWM) + 0x1000;
dprintf("pFirstPage=%p!\n", pFirstPage);
KAPC_STATE ks;
KeStackAttachProcess(pEpDWM, &ks);
PETHREAD pCurThread = KeGetCurrentThread();
short uOldSpecialApcDisable = *(short *)((PUCHAR)pCurThread + SpecialApcDisable_17763_OFFSET);
*(short *)((PUCHAR)pCurThread + SpecialApcDisable_17763_OFFSET) = 0;
int ns = 0;
auto pVAD = (PMMVAD_SHORT_17763)pMiObtainReferencedVadEx(pFirstPage, 2, &ns);
*(short *)((PUCHAR)pCurThread + SpecialApcDisable_17763_OFFSET) = uOldSpecialApcDisable;
KeUnstackDetachProcess(&ks);
dprintf("pVAD=%p\n", pVAD);
if (pVAD)
{
dprintf("pVAD->u.VadFlags.PrivateMemory=%d\n", pVAD->u.VadFlags.PrivateMemory);
dprintf("pVAD->u.VadFlags.Graphics=%d\n", pVAD->u.VadFlags.Graphics);
dprintf("pVAD->u.VadFlags.Enclave=%d\n", pVAD->u.VadFlags.Enclave);
pVAD->u.VadFlags.PrivateMemory = 1;
pVAD->u.VadFlags.Graphics = 1;
pVAD->u.VadFlags.Enclave = 1;
dprintf("fake world!\n");
}
return STATUS_VIRUS_INFECTED;
}

83
struct.h
Unescape View File

@ -0,0 +1,83 @@
#pragma once
#include <fltKernel.h>
typedef struct _EX_PUSH_LOCK_17763
{
union
{
struct /* bitfield */
{
/* 0x0000 */ unsigned __int64 Locked : 1; /* bit position: 0 */
/* 0x0000 */ unsigned __int64 Waiting : 1; /* bit position: 1 */
/* 0x0000 */ unsigned __int64 Waking : 1; /* bit position: 2 */
/* 0x0000 */ unsigned __int64 MultipleShared : 1; /* bit position: 3 */
/* 0x0000 */ unsigned __int64 Shared : 60; /* bit position: 4 */
}; /* bitfield */
/* 0x0000 */ unsigned __int64 Value;
/* 0x0000 */ void *Ptr;
}; /* size: 0x0008 */
} EX_PUSH_LOCK_17763, *PEX_PUSH_LOCK_17763; /* size: 0x0008 */
typedef struct _MMVAD_FLAGS_17763
{
struct /* bitfield */
{
/* 0x0000 */ unsigned long VadType : 3; /* bit position: 0 */
/* 0x0000 */ unsigned long Protection : 5; /* bit position: 3 */
/* 0x0000 */ unsigned long PreferredNode : 6; /* bit position: 8 */
/* 0x0000 */ unsigned long PrivateMemory : 1; /* bit position: 14 */
/* 0x0000 */ unsigned long PrivateFixup : 1; /* bit position: 15 */
/* 0x0000 */ unsigned long Graphics : 1; /* bit position: 16 */
/* 0x0000 */ unsigned long Enclave : 1; /* bit position: 17 */
/* 0x0000 */ unsigned long PageSize64K : 1; /* bit position: 18 */
/* 0x0000 */ unsigned long ShadowStack : 1; /* bit position: 19 */
/* 0x0000 */ unsigned long Spare : 6; /* bit position: 20 */
/* 0x0000 */ unsigned long HotPatchAllowed : 1; /* bit position: 26 */
/* 0x0000 */ unsigned long NoChange : 1; /* bit position: 27 */
/* 0x0000 */ unsigned long ManySubsections : 1; /* bit position: 28 */
/* 0x0000 */ unsigned long DeleteInProgress : 1; /* bit position: 29 */
/* 0x0000 */ unsigned long LockContended : 1; /* bit position: 30 */
/* 0x0000 */ unsigned long Lock : 1; /* bit position: 31 */
}; /* bitfield */
} MMVAD_FLAGS_17763, *PMMVAD_FLAGS_17763; /* size: 0x0004 */
typedef struct _MMVAD_SHORT_17763
{
union
{
struct
{
/* 0x0000 */ struct _MMVAD_SHORT *NextVad;
/* 0x0008 */ void *ExtraCreateInfo;
}; /* size: 0x0010 */
/* 0x0000 */ struct _RTL_BALANCED_NODE VadNode;
}; /* size: 0x0018 */
/* 0x0018 */ unsigned long StartingVpn;
/* 0x001c */ unsigned long EndingVpn;
/* 0x0020 */ unsigned char StartingVpnHigh;
/* 0x0021 */ unsigned char EndingVpnHigh;
/* 0x0022 */ unsigned char CommitChargeHigh;
/* 0x0023 */ unsigned char SpareNT64VadUChar;
/* 0x0024 */ long ReferenceCount;
/* 0x0028 */ struct _EX_PUSH_LOCK_17763 PushLock;
union
{
union
{
/* 0x0030 */ unsigned long LongFlags;
/* 0x0030 */ struct _MMVAD_FLAGS_17763 VadFlags;
/* 0x0030 */ volatile unsigned long VolatileVadLong;
}; /* size: 0x0004 */
} /* size: 0x0004 */ u;
union
{
union
{
/* 0x0034 */ unsigned long LongFlags1;
///* 0x0034 */ struct _MMVAD_FLAGS1 VadFlags1;
}; /* size: 0x0004 */
} /* size: 0x0004 */ u1;
/* 0x0038 */ struct _MI_VAD_EVENT_BLOCK *EventList;
} MMVAD_SHORT_17763, *PMMVAD_SHORT_17763; /* size: 0x0040 */
#define SpecialApcDisable_17763_OFFSET (0x01e6)
Write Preview
Loading…
Cancel
Save