#pragma once
#include <ntifs.h>
#include <intrin.h>
#include <ntimage.h>
#include "inc/inc.h"
#pragma warning(disable:4201)
//
// Process access-right flags (used by the memory-operation paths).
// The names and values mirror the user-mode PROCESS_* access masks from
// winnt.h, which the kernel-mode headers included above do not provide.
// NOTE(review): if a newer WDK header does define any of these, the
// redefinition is only warning-free when the value is identical — confirm
// against the kit version in use.
//
#define PROCESS_TERMINATE (0x0001)
#define PROCESS_CREATE_THREAD (0x0002)
#define PROCESS_SET_SESSIONID (0x0004)
#define PROCESS_VM_OPERATION (0x0008)
#define PROCESS_VM_READ (0x0010)
#define PROCESS_VM_WRITE (0x0020)
#define PROCESS_DUP_HANDLE (0x0040)
#define PROCESS_CREATE_PROCESS (0x0080)
#define PROCESS_SET_QUOTA (0x0100)
#define PROCESS_SET_INFORMATION (0x0200)
#define PROCESS_QUERY_INFORMATION (0x0400)
#define PROCESS_SUSPEND_RESUME (0x0800)
#define PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
#define PROCESS_SET_LIMITED_INFORMATION (0x2000)
//
// System module list entry (loader data table entry, 64-bit layout).
// Links and base/entry pointers are spelled with the explicit 64-bit types
// (LIST_ENTRY64 / ULONG64) rather than the native ones.  NOTE(review):
// UNICODE_STRING still carries a native-width Buffer pointer, so this layout
// only matches when compiled for a 64-bit target — confirm before relying on
// it from a 32-bit build.  The structure is undocumented and its offsets can
// differ between Windows versions; verify against the target build.
//
typedef struct _LDR_DATA_TABLE_ENTRY64 {
    LIST_ENTRY64 InLoadOrderLinks;
    LIST_ENTRY64 InMemoryOrderLinks;
    LIST_ENTRY64 InInitializationOrderLinks;
    ULONG64 DllBase;
    ULONG64 EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union {
        LIST_ENTRY64 HashLinks;
        // NOTE(review): a *tagged* struct with no declarator is only an
        // anonymous member under the MSVC nameless-struct extension
        // (warning C4201 is disabled at the top of this header); other
        // compilers may treat it as a pure type declaration and shrink the
        // union — confirm sizeof(*this) on every toolchain in use.
        struct _Unkown1 {
            ULONG64 SectionPointer;
            ULONG CheckSum;
        };
    };
    union {
        ULONG TimeDateStamp;
        ULONG64 LoadedImports;
    };
    //
    // NOTE : Do not grow this structure at the dump files used a packed
    // array of these structures.
    //
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;
<<<<<<< 
//
// Locally defined PEB structure.
// Only the leading portion of the process environment block is described,
// up to ApiSetMap; everything after it is omitted.  The layout is
// undocumented and may differ between Windows versions — verify against the
// target build before dereferencing members.
//
typedef struct _MYPEB
{
    union
    {
        struct dummy00
        {
            UCHAR InheritedAddressSpace;
            UCHAR ReadImageFileExecOptions;
            UCHAR BeingDebugged;
            UCHAR BitField;
        };
        // Pointer-sized alternate so the four flag bytes occupy a full
        // pointer slot before Mutant (presumably to match x64 padding).
        // NOTE(review): like _Unkown1 above, the tagged struct as an
        // anonymous member relies on the MSVC extension (C4201 disabled).
        PVOID dummy01;
    };
    PVOID Mutant;
    PVOID ImageBaseAddress;
    PVOID Ldr;                 // presumably points at a PEB_LDR_DATA (declared below)
    PVOID ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PVOID FastPebLock;
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
    // NOTE(review): declared pointer-sized here; in the documented PEB this
    // is a ULONG followed by padding on 64-bit targets, so the two layouts
    // only coincide for x64 — confirm if a 32-bit build is intended.
    PVOID CrossProcessFlags;
    PVOID KernelCallbackTable;
    ULONG SystemReserved;
    ULONG AtlThunkSListPtr32;
    PVOID ApiSetMap;
} MYPEB, *PMYPEB;
//
// Loader data block for a process (the structure MYPEB.Ldr is presumed to
// point at).  The three LIST_ENTRY heads anchor the module lists that
// LDR_DATA_TABLE_ENTRY nodes (declared below) are linked into.  Undocumented
// layout; verify against the target Windows build.
//
typedef struct _PEB_LDR_DATA
{
    ULONG Length;
    ULONG Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;
    ULONG ShutdownInProgress;
    PVOID ShutdownThreadId;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
//
// Loader data table entry in the native (compile-target) layout, using
// LIST_ENTRY / PVOID rather than the fixed 64-bit types of
// LDR_DATA_TABLE_ENTRY64 above.  Truncated after TlsIndex; the remaining
// members of the real structure are not described here.  Undocumented layout;
// verify against the target Windows build.
//
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    // The PVOID alternate pads SizeOfImage out to pointer width so the
    // following UNICODE_STRING members land on the native alignment.
    union
    {
        ULONG SizeOfImage;
        PVOID dummy01;
    };
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
#ifdef __cplusplus
extern "C"
{
#endif
//
// ObReferenceObjectByName is exported by ntoskrnl but is not declared in the
// public WDK headers, hence the prototype here.  It resolves ObjectName in
// the object-manager namespace, checks it against ObjectType, and returns a
// referenced object pointer in *Object.  On success the caller owns one
// reference and must release it with ObDereferenceObject.
//
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID *Object
);
// Object type for DRIVER_OBJECTs (exported by ntoskrnl).  NOTE(review):
// recent WDK headers may already declare this symbol; if so the
// redeclaration here must remain type-compatible.
extern POBJECT_TYPE *IoDriverObjectType;
#ifdef __cplusplus
}
#endif
//
// Locally defined NTAPI function-pointer types, used for dynamic invocation
// from shellcode.
// Each typedef mirrors the signature of the ntoskrnl export of the same
// name (minus the fn_ prefix) so that an address obtained at run time can
// be called through the SYSTEM_ROUTINE_ADDRESS table declared below instead
// of through the driver's import table.  Signatures must be kept in sync
// with the WDK declarations; a mismatch is a silent calling-convention bug.
//
typedef HANDLE(NTAPI *fn_PsGetCurrentProcessId)(
    VOID
);
typedef NTSTATUS(NTAPI *fn_PsLookupProcessByProcessId)(
    _In_ HANDLE ProcessId,
    _Outptr_ PEPROCESS *Process
);
typedef BOOLEAN(NTAPI *fn_MmIsAddressValid)(
    _In_ PVOID VirtualAddress
);
typedef PMDL(NTAPI *fn_IoAllocateMdl)(
    _In_opt_ __drv_aliasesMem PVOID VirtualAddress,
    _In_ ULONG Length,
    _In_ BOOLEAN SecondaryBuffer,
    _In_ BOOLEAN ChargeQuota,
    _Inout_opt_ PIRP Irp
);
typedef VOID(NTAPI *fn_MmBuildMdlForNonPagedPool)(
    _Inout_ PMDL MemoryDescriptorList
);
typedef PVOID(NTAPI *fn_MmMapLockedPages)(
    _Inout_ PMDL MemoryDescriptorList,
    _In_ __drv_strictType(KPROCESSOR_MODE / enum _MODE, __drv_typeConst)
    KPROCESSOR_MODE AccessMode
);
typedef VOID(NTAPI *fn_IoFreeMdl)(
    PMDL Mdl
);
typedef PEPROCESS(NTAPI *fn_PsGetCurrentProcess)(
    VOID
);
typedef VOID(NTAPI *fn_KeStackAttachProcess)(
    _Inout_ PRKPROCESS PROCESS,
    _Out_ PRKAPC_STATE ApcState
);
typedef KIRQL(NTAPI *fn_KeRaiseIrqlToDpcLevel)(
    VOID
);
// RtlCopyMemory is a memcpy macro in the WDK headers; this typedef
// describes the exported routine of that name (x64 ntoskrnl exports it).
typedef VOID(NTAPI *fn_RtlCopyMemory)(
    void *Dst,
    const void *Src,
    size_t Size);
typedef VOID(NTAPI *fn_KeLowerIrql)(
    _In_ _Notliteral_ _IRQL_restores_ KIRQL NewIrql
);
typedef VOID(NTAPI *fn_KeUnstackDetachProcess)(
    _In_ PRKAPC_STATE ApcState
);
typedef VOID(NTAPI *fn_MmUnmapLockedPages)(
    _In_ PVOID BaseAddress,
    _Inout_ PMDL MemoryDescriptorList
);
typedef LONG_PTR(NTAPI *fn_ObDereferenceObject)(
    _In_ PVOID Object
);
typedef PVOID(NTAPI *fn_PsGetProcessWow64Process)(
    IN PEPROCESS Process);
// Returns the process's PEB typed as the local MYPEB definition above, so
// its usefulness is bounded by how accurately MYPEB matches the target OS.
typedef PMYPEB(NTAPI *fn_PsGetProcessPeb)(
    IN PEPROCESS Process);
typedef HANDLE(NTAPI* fn_PsGetProcessId)(
    _In_ PEPROCESS Process
);
typedef VOID(NTAPI *fn_MmUnlockPages)(
    _Inout_ PMDL MemoryDescriptorList
);
typedef VOID(NTAPI* fn_MmProbeAndLockPages)(
    _Inout_ PMDL MemoryDescriptorList,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ LOCK_OPERATION Operation
);
typedef KIRQL(NTAPI *fn_KeGetCurrentIrql)(
    VOID);
// MmCopyVirtualMemory is exported but undocumented; the parameter list
// below follows the commonly published prototype — confirm against the
// target kernel version.
typedef NTSTATUS(NTAPI* fn_MmCopyVirtualMemory)(
    IN PEPROCESS FromProcess,
    IN CONST VOID *FromAddress,
    IN PEPROCESS ToProcess,
    OUT PVOID ToAddress,
    IN SIZE_T BufferSize,
    IN KPROCESSOR_MODE PreviousMode,
    OUT PSIZE_T NumberOfBytesCopied
);
typedef VOID(NTAPI* fn_RtlInitUnicodeString)(
    PUNICODE_STRING DestinationString,
    PCWSTR SourceString
);
typedef LONG(NTAPI* fn_RtlCompareUnicodeString)(
    _In_ PCUNICODE_STRING String1,
    _In_ PCUNICODE_STRING String2,
    _In_ BOOLEAN CaseInSensitive
);
//
// Locally defined global data: the NTAPI routine addresses plus a few data
// members.
// The pfn_ members are pointer slots for the fn_ typedefs above, in the
// same order.  NOTE(review): if this block is shared with position-
// independent code, its member order and sizes form an ABI between the
// driver and that code — any change here must be mirrored on the other
// side.  Every pointer should be checked for NULL before use, since the
// header gives no guarantee that all of them were resolved.
//
typedef struct _SYSTEM_ROUTINE_ADDRESS {
    HANDLE ProtectPid;   // presumably a process id, per the name — confirm at the use site
    ULONG64 tag;         // meaning not defined in this header — see the use site
    ULONG64 flags;       // meaning not defined in this header — see the use site
    fn_PsGetCurrentProcessId pfn_PsGetCurrentProcessId;
    fn_PsLookupProcessByProcessId pfn_PsLookupProcessByProcessId;
    fn_MmIsAddressValid pfn_MmIsAddressValid;
    fn_IoAllocateMdl pfn_IoAllocateMdl;
    fn_MmBuildMdlForNonPagedPool pfn_MmBuildMdlForNonPagedPool;
    fn_MmMapLockedPages pfn_MmMapLockedPages;
    fn_IoFreeMdl pfn_IoFreeMdl;
    fn_PsGetCurrentProcess pfn_PsGetCurrentProcess;
    fn_KeStackAttachProcess pfn_KeStackAttachProcess;
    fn_KeRaiseIrqlToDpcLevel pfn_KeRaiseIrqlToDpcLevel;
    fn_RtlCopyMemory pfn_RtlCopyMemory;
    fn_KeLowerIrql pfn_KeLowerIrql;
    fn_KeUnstackDetachProcess pfn_KeUnstackDetachProcess;
    fn_MmUnmapLockedPages pfn_MmUnmapLockedPages;
    fn_ObDereferenceObject pfn_ObDereferenceObject;
    fn_PsGetProcessWow64Process pfn_PsGetProcessWow64Process;
    fn_PsGetProcessPeb pfn_PsGetProcessPeb;
    fn_PsGetProcessId pfn_PsGetProcessId;
    fn_MmUnlockPages pfn_MmUnlockPages;
    fn_MmProbeAndLockPages pfn_MmProbeAndLockPages;
    fn_KeGetCurrentIrql pfn_KeGetCurrentIrql;
    fn_MmCopyVirtualMemory pfn_MmCopyVirtualMemory;
    fn_RtlInitUnicodeString pfn_RtlInitUnicodeString;
    fn_RtlCompareUnicodeString pfn_RtlCompareUnicodeString;
} SYSTEM_ROUTINE_ADDRESS, *PSYSTEM_ROUTINE_ADDRESS;