forked from JKornev/hidden
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathHelper.h
165 lines (145 loc) · 4.51 KB
/
Helper.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
#pragma once
#include <Ntddk.h>
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemProcessInformation = 5,
SystemProcessorPerformanceInformation = 8,
SystemInterruptInformation = 23,
SystemExceptionInformation = 33,
SystemRegistryQuotaInformation = 37,
SystemLookasideInformation = 45,
SystemPolicyInformation = 134,
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
ULONG HandleCount;
UCHAR Reserved4[4];
PVOID Reserved5[11];
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY LoadOrder;
LIST_ENTRY MemoryOrder;
LIST_ENTRY InitializationOrder;
PVOID ModuleBaseAddress;
PVOID EntryPoint;
ULONG ModuleSize;
UNICODE_STRING FullModuleName;
UNICODE_STRING ModuleName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY Hash;
struct {
PVOID SectionPointer;
ULONG CheckSum;
} s;
} u;
ULONG TimeStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_Out_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
_Must_inspect_result_
_IRQL_requires_max_(APC_LEVEL)
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
_In_ HANDLE ProcessId,
_Outptr_ PEPROCESS* Process
);
#define EXHANDLE_TABLE_ENTRY_LOCK_BIT 1
typedef struct _HANDLE_TABLE_ENTRY {
union {
VOID* Object;
ULONG_PTR Value;
} u1;
union {
ULONG GrantedAccess;
ULONG_PTR NextFreeTableEntry;
} u2;
} HANDLE_TABLE_ENTRY, * PHANDLE_TABLE_ENTRY;
typedef struct _HANDLE_TABLE_WIN8 {
ULONG NextHandleNeedingPool;
LONG ExtraInfoPages;
volatile ULONG TableCode;
struct _EPROCESS* QuotaProcess;
struct _LIST_ENTRY HandleTableList;
ULONG UniqueProcessId;
ULONG Flags;
EX_PUSH_LOCK HandleContentionEvent;
EX_PUSH_LOCK HandleTableLock;
// ... other useless fields
} HANDLE_TABLE_WIN8, *PHANDLE_TABLE_WIN8;
// Windows 7
typedef BOOLEAN(*EX_ENUMERATE_HANDLE_ROUTINE)(
IN PHANDLE_TABLE_ENTRY HandleTableEntry,
IN HANDLE Handle,
IN PVOID EnumParameter
);
// Windows 8
typedef BOOLEAN(*EX_ENUMERATE_HANDLE_ROUTINE_WIN8)(
IN PVOID PspCidTable,
IN PHANDLE_TABLE_ENTRY HandleTableEntry,
IN HANDLE Handle,
IN PVOID EnumParameter
);
NTKERNELAPI
BOOLEAN
ExEnumHandleTable(
_In_ PVOID HandleTable,
_In_ EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
_In_ PVOID EnumParameter,
_Out_opt_ PHANDLE Handle
);
NTKERNELAPI
VOID
FASTCALL
ExfUnblockPushLock(
PEX_PUSH_LOCK PushLock,
PVOID CurrentWaitBlock
);
NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize);
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);
VOID FreeInformation(PVOID Buffer);
#define NORMALIZE_INCREAMENT (USHORT)0x200
NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);
#define _LogMsg(lvl, lvlname, frmt, ...) \
DbgPrintEx(\
DPFLTR_IHVDRIVER_ID, \
lvl, \
"[" lvlname "] [irql:%Iu,pid:%Iu,tid:%Iu]\thidden!" __FUNCTION__ ": " frmt "\n", \
KeGetCurrentIrql(), \
PsGetCurrentProcessId(), \
PsGetCurrentThreadId(), \
__VA_ARGS__ \
)
BOOLEAN IsWin8OrAbove();
#define LogError(frmt, ...) _LogMsg(DPFLTR_ERROR_LEVEL, "error", frmt, __VA_ARGS__)
#define LogWarning(frmt, ...) _LogMsg(DPFLTR_WARNING_LEVEL, "warning", frmt, __VA_ARGS__)
#define LogTrace(frmt, ...) _LogMsg(DPFLTR_TRACE_LEVEL, "trace", frmt, __VA_ARGS__)
#define LogInfo(frmt, ...) _LogMsg(DPFLTR_INFO_LEVEL, "info", frmt, __VA_ARGS__)