Update

2 years ago · ce936023a2
parent 328b869cf7
commit ce936023a2
7 changed files with 572 additions and 1 deletions
--- a/.clang-format
+++ b/.clang-format
@ -0,0 +1,101 @@
+AccessModifierOffset: -4
+AlignAfterOpenBracket: AlwaysBreak
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: false
+AlignEscapedNewlines: DontAlign
+AlignOperands: true
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterReturnType: TopLevel
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: true
+BinPackArguments: false
+BinPackParameters: false
+BraceWrapping:
+    AfterClass: true
+    AfterControlStatement: true
+    AfterEnum: true
+    AfterFunction: true
+    AfterNamespace: false
+    AfterStruct: true
+    AfterUnion: true
+    AfterExternBlock: false
+    BeforeCatch: true
+    BeforeElse: true
+BreakBeforeBraces: Custom
+BreakBeforeBinaryOperators: None
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializers: AfterColon
+BreakStringLiterals: false
+ColumnLimit: 120
+CommentPragmas: '^begin_wpp|^end_wpp|^FUNC |^USESUFFIX |^USESUFFIX '
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+ExperimentalAutoDetectBinPacking: false
+IndentCaseLabels: false
+IndentPPDirectives: AfterHash
+IndentWidth: 4
+KeepEmptyLinesAtTheStartOfBlocks: false
+Language: Cpp
+MacroBlockBegin: '^BEGIN_MODULE$|^BEGIN_TEST_CLASS$|^BEGIN_TEST_METHOD$'
+MacroBlockEnd: '^END_MODULE$|^END_TEST_CLASS$|^END_TEST_METHOD$'
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+PointerAlignment: Right
+ReflowComments: true
+SortIncludes: false
+SpaceAfterCStyleCast: false
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeParens: ControlStatements
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyParentheses: false
+SpacesInAngles: false
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard: Cpp11
+StatementMacros: [
+    'EXTERN_C',
+    'PAGED',
+    'PAGEDX',
+    'NONPAGED',
+    'PNPCODE',
+    'INITCODE',
+    '_At_',
+    '_When_',
+    '_Success_',
+    '_Check_return_',
+    '_Must_inspect_result_',
+    '_IRQL_requires_',
+    '_IRQL_requires_max_',
+    '_IRQL_requires_min_',
+    '_IRQL_saves_',
+    '_IRQL_restores_',
+    '_IRQL_saves_global_',
+    '_IRQL_restores_global_',
+    '_IRQL_raises_',
+    '_IRQL_lowers_',
+    '_Acquires_lock_',
+    '_Releases_lock_',
+    '_Acquires_exclusive_lock_',
+    '_Releases_exclusive_lock_',
+    '_Acquires_shared_lock_',
+    '_Releases_shared_lock_',
+    '_Requires_lock_held_',
+    '_Use_decl_annotations_',
+    '_Guarded_by_',
+    '__drv_preferredFunction',
+    '__drv_allocatesMem',
+    '__drv_freesMem',
+    ]
+TabWidth: '4'
+UseTab: Never
--- a/FakeEnclave.sln
+++ b/FakeEnclave.sln
@ -0,0 +1,35 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.2.32519.379
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FakeEnclave", "FakeEnclave.vcxproj", "{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|ARM64 = Debug|ARM64
+		Debug|x64 = Debug|x64
+		Release|ARM64 = Release|ARM64
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|ARM64.Build.0 = Debug|ARM64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|ARM64.Deploy.0 = Debug|ARM64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|x64.ActiveCfg = Debug|x64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|x64.Build.0 = Debug|x64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Debug|x64.Deploy.0 = Debug|x64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|ARM64.ActiveCfg = Release|ARM64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|ARM64.Build.0 = Release|ARM64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|ARM64.Deploy.0 = Release|ARM64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|x64.ActiveCfg = Release|x64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|x64.Build.0 = Release|x64
+		{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}.Release|x64.Deploy.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {8852CAE8-8666-47DE-8C40-AA6BF9B7D73B}
+	EndGlobalSection
+EndGlobal
--- a/FakeEnclave.vcxproj
+++ b/FakeEnclave.vcxproj
@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{FE7F43A7-1F9C-4E4B-8898-4B768B43BF55}</ProjectGuid>
+    <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
+    <Configuration>Debug</Configuration>
+    <Platform Condition="'$(Platform)' == ''">x64</Platform>
+    <RootNamespace>FakeEnclave</RootNamespace>
+    <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>LLVM-MSVC_v143_KernelMode</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+    <ClCompile>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <WarningLevel>Level3</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+    <ClCompile>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <WarningLevel>Level3</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DriverSign>
+      <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
+    </DriverSign>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <FilesToPackage Include="$(TargetPath)" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Source.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="struct.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
--- a/FakeEnclave.vcxproj.filters
+++ b/FakeEnclave.vcxproj.filters
@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Source.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="struct.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
--- a/README.md
+++ b/README.md
@ -1,3 +1,11 @@
 # FakeEnclave
-
 A poc that abuses Enclave
+![image](https://user-images.githubusercontent.com/13917777/189128521-bf4e0691-bed8-41b1-aa7b-bd9ed17e39f7.png)
+
+## What it can do?
+- Anti-tamper
+- There may be nothing to do
+
+## Compile
+- Visual Studio 2022 & WDK10
+- llvm-msvc [[link]](https://github.com/NewWorldComingSoon/llvm-msvc-build)
--- a/Source.cpp
+++ b/Source.cpp
@ -0,0 +1,183 @@
+#include <fltKernel.h>
+#include <ntimage.h>
+#include "struct.h"
+
+#define YOUR_APP_NAME "dwm.exe"
+
+#define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
+
+EXTERN_C
+PCCHAR
+NTAPI
+PsGetProcessImageFileName(IN PEPROCESS Process);
+
+EXTERN_C
+PVOID
+PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
+
+using fnMiObtainReferencedVadEx = void *(NTAPI *)(void *a1, char a2, int *a3);
+
+__declspec(naked) PVOID GetNtosBase()
+{
+    _asm {
+        mov     rax, qword ptr gs:[18h]
+        mov     rcx, [rax+38h]
+        mov     rax, 0FFFFFFFFFFFFF000h
+        and     rax, [rcx+4h]
+        jmp      while_begin
+        search_begin:
+        add     rax, 0FFFFFFFFFFFFF000h
+        while_begin: 
+        xor     ecx, ecx
+        jmp     search_cmp
+        search_next: 
+        add     rcx, 1
+        cmp     rcx, 0FF9h
+        jz      search_begin
+        search_cmp:  
+        cmp     byte ptr[rax+rcx], 48h
+        jnz     search_next
+        cmp     byte ptr[rax+rcx+1], 8Dh
+        jnz     search_next
+        cmp     byte ptr[rax+rcx+2], 1Dh
+        jnz     search_next
+        cmp     byte ptr[rax+rcx+6], 0FFh
+        jnz     search_next
+        mov     r8d,[rax+rcx+3]
+        lea     edx,[rcx+r8]
+        add     edx, eax
+        add     edx, 7
+        test    edx, 0FFFh
+        jnz     search_next
+        mov     rdx, 0FFFFFFFF00000000h
+        and     rdx, rax
+        add     r8d, eax
+        lea     eax,[rcx+r8]
+        add     eax, 7
+        or      rax, rdx
+        ret
+    }
+}
+
+static PUCHAR
+FindPattern(PVOID Module, ULONG Size, LPCSTR Pattern, LPCSTR Mask)
+{
+    auto checkMask = [](PUCHAR Buffer, LPCSTR Pattern, LPCSTR Mask) -> bool {
+        for (auto x = Buffer; *Mask; Pattern++, Mask++, x++)
+        {
+            auto addr = *(UCHAR *)(Pattern);
+            if (addr != *x && *Mask != '?')
+                return false;
+        }
+
+        return true;
+    };
+
+    for (auto x = 0; x < Size - strlen(Mask); x++)
+    {
+        auto addr = (PUCHAR)Module + x;
+        if (checkMask(addr, Pattern, Mask))
+            return addr;
+    }
+
+    return nullptr;
+}
+
+static PEPROCESS
+FindDWMEprocess(ULONG &OutPid)
+{
+    OutPid = 0;
+    PEPROCESS pEpDWM = nullptr;
+    for (ULONG i = 0; i < 0x5000; i += 4)
+    {
+        PEPROCESS pEp = nullptr;
+        auto lStatus = PsLookupProcessByProcessId((HANDLE)i, &pEp);
+        if (!NT_SUCCESS(lStatus) || !pEp)
+        {
+            continue;
+        }
+
+        auto pName = PsGetProcessImageFileName(pEp);
+        // A more casual code
+        if (pName && strstr(pName, YOUR_APP_NAME))
+        {
+            pEpDWM = pEp;
+        }
+        ObDereferenceObject(pEp);
+
+        if (pEpDWM)
+        {
+            OutPid = i;
+            break;
+        }
+    }
+
+    return pEpDWM;
+}
+
+EXTERN_C
+NTSTATUS
+DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
+{
+    dprintf("new world!\n");
+
+    PVOID pNtosBase = GetNtosBase();
+    dprintf("pNtosBase=%p\n", pNtosBase);
+
+    // 48 89 5C 24 10 48 89 74 24 18 48 89 7C 24 20 41 54 41 56 41 57 48 83 EC 20 41 C7 00 00 00 00 00 4D 8B E0 65 48 8B
+    // ?? ?? 88 01 00 00 44 8B ?? 48 8B ?? ?? ?? ?? B8 00 00 00
+    fnMiObtainReferencedVadEx pMiObtainReferencedVadEx = (fnMiObtainReferencedVadEx)FindPattern(
+        ((PUCHAR)pNtosBase + 0x1000),
+        0x50000,
+        "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x48\x89\x7C\x24\x20\x41\x54\x41\x56\x41\x57\x48\x83\xEC\x20\x41\xC7\x00\x00\x00\x00\x00\x4D\x8B\xE0\x65\x48\x8B\x00\x00\x88\x01\x00\x00\x44\x8B\x00\x48\x8B\x00\x00\x00\x00\xB8\x00\x00\x00",
+        "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx??xxxxxx?xx????xxxx");
+    dprintf("pMiObtainReferencedVadEx=%p\n", pMiObtainReferencedVadEx);
+
+    if (!pMiObtainReferencedVadEx)
+    {
+        dprintf("Error: Not found MiObtainReferencedVadEx!\n");
+        return -1;
+    }
+
+    ULONG uDWMPID;
+    PEPROCESS pEpDWM = FindDWMEprocess(uDWMPID);
+    dprintf("pEpDWM=%p, uDWMPID=%d!\n", pEpDWM, uDWMPID);
+    if (uDWMPID == 0)
+    {
+        dprintf("Error: Not found DWM!\n");
+        return -2;
+    }
+
+    PUCHAR pFirstPage = (PUCHAR)PsGetProcessSectionBaseAddress(pEpDWM) + 0x1000;
+    dprintf("pFirstPage=%p!\n", pFirstPage);
+
+    KAPC_STATE ks;
+    KeStackAttachProcess(pEpDWM, &ks);
+
+    PETHREAD pCurThread = KeGetCurrentThread();
+    short uOldSpecialApcDisable = *(short *)((PUCHAR)pCurThread + SpecialApcDisable_17763_OFFSET);
+
+    *(short *)((PUCHAR)pCurThread + SpecialApcDisable_17763_OFFSET) = 0;
+
+    int ns = 0;
+    auto pVAD = (PMMVAD_SHORT_17763)pMiObtainReferencedVadEx(pFirstPage, 2, &ns);
+
+    *(short *)((PUCHAR)pCurThread + SpecialApcDisable_17763_OFFSET) = uOldSpecialApcDisable;
+
+    KeUnstackDetachProcess(&ks);
+
+    dprintf("pVAD=%p\n", pVAD);
+    if (pVAD)
+    {
+        dprintf("pVAD->u.VadFlags.PrivateMemory=%d\n", pVAD->u.VadFlags.PrivateMemory);
+        dprintf("pVAD->u.VadFlags.Graphics=%d\n", pVAD->u.VadFlags.Graphics);
+        dprintf("pVAD->u.VadFlags.Enclave=%d\n", pVAD->u.VadFlags.Enclave);
+
+        pVAD->u.VadFlags.PrivateMemory = 1;
+        pVAD->u.VadFlags.Graphics = 1;
+        pVAD->u.VadFlags.Enclave = 1;
+        dprintf("fake world!\n");
+    }
+
+    return STATUS_VIRUS_INFECTED;
+}
--- a/struct.h
+++ b/struct.h
@ -0,0 +1,83 @@
+#pragma once
+#include <fltKernel.h>
+
+typedef struct _EX_PUSH_LOCK_17763
+{
+    union
+    {
+        struct /* bitfield */
+        {
+            /* 0x0000 */ unsigned __int64 Locked : 1;         /* bit position: 0 */
+            /* 0x0000 */ unsigned __int64 Waiting : 1;        /* bit position: 1 */
+            /* 0x0000 */ unsigned __int64 Waking : 1;         /* bit position: 2 */
+            /* 0x0000 */ unsigned __int64 MultipleShared : 1; /* bit position: 3 */
+            /* 0x0000 */ unsigned __int64 Shared : 60;        /* bit position: 4 */
+        };                                                    /* bitfield */
+        /* 0x0000 */ unsigned __int64 Value;
+        /* 0x0000 */ void *Ptr;
+    };                                      /* size: 0x0008 */
+} EX_PUSH_LOCK_17763, *PEX_PUSH_LOCK_17763; /* size: 0x0008 */
+
+typedef struct _MMVAD_FLAGS_17763
+{
+    struct /* bitfield */
+    {
+        /* 0x0000 */ unsigned long VadType : 3;          /* bit position: 0 */
+        /* 0x0000 */ unsigned long Protection : 5;       /* bit position: 3 */
+        /* 0x0000 */ unsigned long PreferredNode : 6;    /* bit position: 8 */
+        /* 0x0000 */ unsigned long PrivateMemory : 1;    /* bit position: 14 */
+        /* 0x0000 */ unsigned long PrivateFixup : 1;     /* bit position: 15 */
+        /* 0x0000 */ unsigned long Graphics : 1;         /* bit position: 16 */
+        /* 0x0000 */ unsigned long Enclave : 1;          /* bit position: 17 */
+        /* 0x0000 */ unsigned long PageSize64K : 1;      /* bit position: 18 */
+        /* 0x0000 */ unsigned long ShadowStack : 1;      /* bit position: 19 */
+        /* 0x0000 */ unsigned long Spare : 6;            /* bit position: 20 */
+        /* 0x0000 */ unsigned long HotPatchAllowed : 1;  /* bit position: 26 */
+        /* 0x0000 */ unsigned long NoChange : 1;         /* bit position: 27 */
+        /* 0x0000 */ unsigned long ManySubsections : 1;  /* bit position: 28 */
+        /* 0x0000 */ unsigned long DeleteInProgress : 1; /* bit position: 29 */
+        /* 0x0000 */ unsigned long LockContended : 1;    /* bit position: 30 */
+        /* 0x0000 */ unsigned long Lock : 1;             /* bit position: 31 */
+    };                                                   /* bitfield */
+} MMVAD_FLAGS_17763, *PMMVAD_FLAGS_17763;                /* size: 0x0004 */
+
+typedef struct _MMVAD_SHORT_17763
+{
+    union
+    {
+        struct
+        {
+            /* 0x0000 */ struct _MMVAD_SHORT *NextVad;
+            /* 0x0008 */ void *ExtraCreateInfo;
+        }; /* size: 0x0010 */
+        /* 0x0000 */ struct _RTL_BALANCED_NODE VadNode;
+    }; /* size: 0x0018 */
+    /* 0x0018 */ unsigned long StartingVpn;
+    /* 0x001c */ unsigned long EndingVpn;
+    /* 0x0020 */ unsigned char StartingVpnHigh;
+    /* 0x0021 */ unsigned char EndingVpnHigh;
+    /* 0x0022 */ unsigned char CommitChargeHigh;
+    /* 0x0023 */ unsigned char SpareNT64VadUChar;
+    /* 0x0024 */ long ReferenceCount;
+    /* 0x0028 */ struct _EX_PUSH_LOCK_17763 PushLock;
+    union
+    {
+        union
+        {
+            /* 0x0030 */ unsigned long LongFlags;
+            /* 0x0030 */ struct _MMVAD_FLAGS_17763 VadFlags;
+            /* 0x0030 */ volatile unsigned long VolatileVadLong;
+        }; /* size: 0x0004 */
+    } /* size: 0x0004 */ u;
+    union
+    {
+        union
+        {
+            /* 0x0034 */ unsigned long LongFlags1;
+            ///* 0x0034 */ struct _MMVAD_FLAGS1 VadFlags1;
+        }; /* size: 0x0004 */
+    } /* size: 0x0004 */ u1;
+    /* 0x0038 */ struct _MI_VAD_EVENT_BLOCK *EventList;
+} MMVAD_SHORT_17763, *PMMVAD_SHORT_17763; /* size: 0x0040 */
+
+#define SpecialApcDisable_17763_OFFSET (0x01e6)