From 29fd63665aef8c54638a25f7f7714b6b44481a72 Mon Sep 17 00:00:00 2001
From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com>
Date: Sat, 27 Sep 2025 14:07:54 -0700
Subject: [PATCH 01/32] improve format for resolver functions
---
 SysCaller/Wrapper/src/Resolver/Resolver.cpp | 113 ++++++++++++++------
 1 file changed, 82 insertions(+), 31 deletions(-)
diff --git a/SysCaller/Wrapper/src/Resolver/Resolver.cpp b/SysCaller/Wrapper/src/Resolver/Resolver.cpp
index 3e79089..d980995 100644
--- a/SysCaller/Wrapper/src/Resolver/Resolver.cpp
+++ b/SysCaller/Wrapper/src/Resolver/Resolver.cpp
@@ -1,18 +1,19 @@
 #if defined(SYSCALLER_DIRECT)
-#pragma message("SysCaller: Building via DIRECT syscall mode!")
+#pragma message("SysCaller: Building via DIRECT syscall mode")
 #elif defined(SYSCALLER_INDIRECT)
-#pragma message("SysCaller: Building via INDIRECT syscall mode!")
+#pragma message("SysCaller: Building via INDIRECT syscall mode")
 #elif defined(SYSCALLER_INLINE)
-#pragma message("SysCaller: Building via INLINE ASM syscall mode!")
+#pragma message("SysCaller: Building via INLINE ASM syscall mode")
 #else
-#pragma message("SysCaller: No build mode specified, defaulting to DIRECT!")
+#pragma message("SysCaller: No build mode specified, defaulting to DIRECT")
 #endif
 #if defined(SYSCALLER_BINDINGS)
-#pragma message("SysCaller: Building with BINDINGS support! (DLL export)")
+#pragma message("SysCaller: Building with BINDINGS support (DLL export)")
 #endif
 #ifdef SYSCALLER_INDIRECT
+// Indirect syscall mode,include resolver implementation
 #include "../../include/Resolver/Resolver.h"
 #include
 #include
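Review bot: The added comment `// Indirect syscall mode,include resolver implementation` is missing a space after the comma and reads as a run-on; it sits above the include block that only compiles under SYSCALLER_INDIRECT, so a clearer form is `// Indirect syscall mode: pull in the resolver implementation and its headers`. The pragma-message changes in the rest of the hunk are cosmetic and need no further comment.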
@@ -25,99 +26,149 @@ static std::unordered_map syscallCache; static HMODULE ntdllHandle = NULL; static BOOL resolverInitialized = FALSE; -HMODULE GetNtdllHandle() { - if (ntdllHandle == NULL) { +HMODULE GetNtdllHandle() +{ + if (ntdllHandle == NULL) + { ntdllHandle = GetModuleHandleA("ntdll.dll"); - if (ntdllHandle == NULL) { + + if (ntdllHandle == NULL) + { ntdllHandle = LoadLibraryA("ntdll.dll"); } } + return ntdllHandle; } -DWORD ExtractSyscallNumber(LPVOID functionAddress) { - if (functionAddress == NULL) { +DWORD ExtractSyscallNumber(LPVOID functionAddress) +{ + if (functionAddress == NULL) + { return 0; } + BYTE* bytes = (BYTE*)functionAddress; - for (int i = 0; i < 64; i++) { - if (bytes[i] == 0xB8) { + + for (int i = 0; i < 64; i++) + { + if (bytes[i] == 0xB8) + { DWORD syscallNumber = *(DWORD*)(&bytes[i + 1]); - if (syscallNumber <= 0xFFFF) { + + if (syscallNumber <= 0xFFFF) + { return syscallNumber; } } } + return 0; } -std::unordered_map ExtractSyscallsFromDll() { +std::unordered_map ExtractSyscallsFromDll() +{ std::unordered_map syscallNumbers; HMODULE hNtdll = GetNtdllHandle(); - if (!hNtdll) { + + if (!hNtdll) + { return syscallNumbers; } + PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hNtdll; - if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { + + if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) + { return syscallNumbers; } + PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hNtdll + dosHeader->e_lfanew); - if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) { + + if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) + { return syscallNumbers; } - if (ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress == 0) { + + if (ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress == 0) + { return syscallNumbers; } - PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)hNtdll + + + PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)hNtdll + 
ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + DWORD* functions = (DWORD*)((BYTE*)hNtdll + exportDir->AddressOfFunctions); DWORD* names = (DWORD*)((BYTE*)hNtdll + exportDir->AddressOfNames); WORD* ordinals = (WORD*)((BYTE*)hNtdll + exportDir->AddressOfNameOrdinals); - for (DWORD i = 0; i < exportDir->NumberOfNames; i++) { + + for (DWORD i = 0; i < exportDir->NumberOfNames; i++) + { const char* funcName = (const char*)((BYTE*)hNtdll + names[i]); - if (strncmp(funcName, "Nt", 2) != 0 && strncmp(funcName, "Zw", 2) != 0) { + + if (strncmp(funcName, "Nt", 2) != 0 && strncmp(funcName, "Zw", 2) != 0) + { continue; } + DWORD funcRVA = functions[ordinals[i]]; - LPVOID funcAddress = (LPVOID)((BYTE*)hNtdll + funcRVA); + LPVOID funcAddress = (LPVOID)((BYTE*)hNtdll + funcRVA); DWORD syscallNumber = ExtractSyscallNumber(funcAddress); - if (syscallNumber > 0 && syscallNumber <= 0xFFFF) { + + if (syscallNumber > 0 && syscallNumber <= 0xFFFF) + { syscallNumbers[funcName] = syscallNumber; } } + return syscallNumbers; } -BOOL InitializeResolver() { - if (resolverInitialized) { +BOOL InitializeResolver() +{ + if (resolverInitialized) + { return TRUE; } + syscallCache = ExtractSyscallsFromDll(); - if (syscallCache.empty()) { + + if (syscallCache.empty()) + { return FALSE; } + resolverInitialized = TRUE; return TRUE; } -DWORD GetSyscallNumber(const char* functionName) { - if (!resolverInitialized) { - if (!InitializeResolver()) { +DWORD GetSyscallNumber(const char* functionName) +{ + if (!resolverInitialized) + { + if (!InitializeResolver()) + { return 0; } } + auto it = syscallCache.find(functionName); - if (it != syscallCache.end()) { + + if (it != syscallCache.end()) + { return it->second; } + return 0; } -void CleanupResolver() { +void CleanupResolver() +{ syscallCache.clear(); resolverInitialized = FALSE; } #else +// Not in indirect mode file compiles to nothing #pragma message("SysCaller: Resolver.cpp skipped (SYSCALLER_INDIRECT not 
defined)") #endif From 47ffbb82bdde28ad55cf7656e208c52daa1feab9 Mon Sep 17 00:00:00 2001 
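Review bot: In ExtractSyscallNumber the scan `for (int i = 0; i < 64; i++)` dereferences `*(DWORD*)(&bytes[i + 1])`, so for i in 60..63 the read covers bytes[64..67], beyond the 64-byte window the loop claims to inspect; tighten the bound to `for (int i = 0; i + 1 + sizeof(DWORD) <= 64; i++)` (and a `memcpy` into a DWORD is the portable form of that unaligned read). The hunk also uses 0 both as the "not found" return of ExtractSyscallNumber and GetSyscallNumber and as a possible syscall index, and the `syscallNumber > 0` filter in ExtractSyscallsFromDll then drops any export whose index really is 0, so callers cannot tell failure from index 0 — a distinct sentinel such as `static_cast<DWORD>(-1)` (or an optional return) would separate the two. GetNtdllHandle, InitializeResolver and GetSyscallNumber lazily mutate the file-scope statics without synchronization; nothing in this hunk shows the threading model, but if the resolver can be reached from more than one thread the first-call initialization would need a `std::call_once` or equivalent. None of these issues is introduced by this commit, which only restyles braces and blank lines, but the rewrite is the natural place to fix them.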
From: WindowsAPI Date: Sun, 28 Sep 2025 11:17:35 -0700 Subject: [PATCH 02/32] replace c++ style comments with c-style comments '//' is used for optional/temporary code while '/* */' is used for actual comments. --- .../Integrity/Verification/Verification.h | 2 +- .../Direct/Encryption/DirectEncryptor.h | 12 +- .../ControlFlow/IndirectControlFlow.h | 10 +- .../Indirect/Encryptor/IndirectEncryptor.h | 12 - .../Indirect/Stub/IndirectStubGenerator.h | 10 +- Bind/resource.h | 2 +- .../Integrity/Compatibility/Compatibility.cpp | 14 +- .../Core/Integrity/Validator/Validator.cpp | 14 +- .../Integrity/Verification/Verification.cpp | 32 +- .../Direct/Encryption/DirectEncryptor.cpp | 4 +- .../Direct/Mapping/DirectStubMapper.cpp | 16 +- .../Direct/Stub/DirectJunkGenerator.cpp | 8 +- .../ControlFlow/IndirectControlFlow.cpp | 48 +- .../Indirect/Stub/IndirectJunkGenerator.cpp | 8 +- Bind/src/Core/Obfuscation/Obfuscation.cpp | 24 +- Bind/src/Core/Utils/Utils.cpp | 6 +- Bind/src/GUI/Bars/StatusBar.cpp | 8 +- Bind/src/GUI/Dialogs/ChangelogDialog.cpp | 2 +- Bind/src/GUI/Dialogs/HashCompareDialog.cpp | 22 +- Bind/src/GUI/Settings/Tabs/GeneralTab.cpp | 2 +- Default/sysFunctions.h | 26 +- Default/sysFunctions_k.h | 12 +- README.md | 6 +- SysCaller/Wrapper/include/Resolver/Resolver.h | 2 +- SysCaller/Wrapper/include/Sys/sysConstants.h | 40 +- SysCaller/Wrapper/include/Sys/sysExternals.h | 542 ++++----- SysCaller/Wrapper/include/Sys/sysTypes.h | 196 ++-- SysCaller/Wrapper/include/syscaller.h | 166 +-- SysCaller/Wrapper/include/syscaller_config.h | 6 +- SysCaller/Wrapper/src/DLL/dllmain.cpp | 16 +- SysCaller/Wrapper/src/Resolver/Resolver.cpp | 3 +- SysCaller/Wrapper/src/build_info.cpp | 6 +- .../Wrapper/include/SysK/sysConstants_k.h | 41 +- .../Wrapper/include/SysK/sysExternals_k.h | 1037 +++++++++-------- SysCallerK/Wrapper/include/SysK/sysTypes_k.h | 849 +++++++------- SysCallerK/Wrapper/include/syscaller_k.h | 2 +- SysCallerK/Wrapper/src/dummy.c | 2 +- 37 files changed, 1590 
insertions(+), 1618 deletions(-) delete mode 100644 Bind/include/Core/Obfuscation/Indirect/Encryptor/IndirectEncryptor.h diff --git a/Bind/include/Core/Integrity/Verification/Verification.h b/Bind/include/Core/Integrity/Verification/Verification.h index f90ec58..d54b238 100644 --- a/Bind/include/Core/Integrity/Verification/Verification.h +++ b/Bind/include/Core/Integrity/Verification/Verification.h @@ -55,7 +55,7 @@ class Verification : public QObject { QString returnType; int parameterCount; QStringList errors; - QList> typeDefinitions; // type, source_file + QList> typeDefinitions; /* type, source_file */ }; class TypeDefinitionTracker { diff --git a/Bind/include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h b/Bind/include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h index fa4498d..90ceaa8 100644 --- a/Bind/include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h +++ b/Bind/include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h @@ -10,11 +10,11 @@ namespace DirectObfuscation { enum class EncryptionMethod { - BasicXOR = 1, // simple XOR encryption - MultiKeyXOR = 2, // multi key XOR encryption - AddXORCombo = 3, // addition + XOR combination - EnhancedXOR = 4, // enhanced XOR with larger keys - OffsetShifting = 5 // offset shifting/masking + BasicXOR = 1, /* simple XOR encryption */ + MultiKeyXOR = 2, /* multi key XOR encryption */ + AddXORCombo = 3, /* addition + XOR combination */ + EnhancedXOR = 4, /* enhanced XOR with larger keys */ + OffsetShifting = 5 /* offset shifting/masking */ }; inline QString encryptionMethodToString(EncryptionMethod method) { 
@@ -34,7 +34,7 @@ namespace DirectObfuscation { if (str.contains("add", Qt::CaseInsensitive) || str.contains("combo", Qt::CaseInsensitive)) return EncryptionMethod::AddXORCombo; if (str.contains("enhanced", Qt::CaseInsensitive)) return EncryptionMethod::EnhancedXOR; if (str.contains("offset", Qt::CaseInsensitive) || str.contains("shifting", Qt::CaseInsensitive)) return EncryptionMethod::OffsetShifting; - return EncryptionMethod::BasicXOR; // default + return EncryptionMethod::BasicXOR; } class Encryptor { diff --git a/Bind/include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h b/Bind/include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h index 35786da..cadbc68 100644 --- a/Bind/include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h +++ b/Bind/include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h @@ -9,10 +9,10 @@ namespace IndirectObfuscation { enum class ControlFlowPattern { - RegisterBased = 0, // register based opaque predicate - ValueBased = 1, // value based opaque predicate - FlagBased = 2, // flag based opaque predicate - MixedJunkCode = 3 // mixed junk code with opaque predicate + RegisterBased = 0, /* register based opaque predicate */ + ValueBased = 1, /* value based opaque predicate */ + FlagBased = 2, /* flag based opaque predicate */ + MixedJunkCode = 3 /* mixed junk code with opaque predicate */ }; inline QString controlFlowPatternToString(ControlFlowPattern pattern) { @@ -29,7 +29,7 @@ namespace IndirectObfuscation { if (str == "value") return ControlFlowPattern::ValueBased; if (str == "flag") return ControlFlowPattern::FlagBased; if (str == "mixed") return ControlFlowPattern::MixedJunkCode; - return ControlFlowPattern::RegisterBased; // default + return ControlFlowPattern::RegisterBased; } class ControlFlow { 
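Review bot: The fallback `return EncryptionMethod::BasicXOR;` loses its `// default` comment outright instead of receiving the `/* default */` form the rest of this commit applies, so the catch-all branch of encryptionMethodFromString is now undocumented; keep it as `return EncryptionMethod::BasicXOR; /* default */`. The same drop happens in IndirectControlFlow.h (`return ControlFlowPattern::RegisterBased;`) and IndirectStubGenerator.h (`return ResolverCallMethod::RegisterPointer;`). The enclosing function's signature is outside the hunk.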
diff --git a/Bind/include/Core/Obfuscation/Indirect/Encryptor/IndirectEncryptor.h b/Bind/include/Core/Obfuscation/Indirect/Encryptor/IndirectEncryptor.h deleted file mode 100644 index 706bbb0..0000000 --- a/Bind/include/Core/Obfuscation/Indirect/Encryptor/IndirectEncryptor.h +++ /dev/null @@ -1,12 +0,0 @@ -#pragma once - -#include -#include - -namespace IndirectObfuscation { - - class Encryptor { - public: - static QString generateEncryptedSyscallNumbers(); - }; -} diff --git a/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h b/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h index 3d27d7f..0d04ece 100644 --- a/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h +++ b/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h @@ -8,10 +8,10 @@ namespace IndirectObfuscation { enum class ResolverCallMethod { - RegisterPointer = 0, // register pointer call via R10 - StackIndirect = 1, // stack indirect call (16 byte aligned) - StackScratch = 2, // stack scratch space indirect call - RegisterShuffle = 3 // register shuffle call via R10 + RegisterPointer = 0, /* register pointer call via R10 */ + StackIndirect = 1, /* stack indirect call (16 byte aligned) */ + StackScratch = 2, /* stack scratch space indirect call */ + RegisterShuffle = 3 /* register shuffle call via R10 */ }; inline QString resolverCallMethodToString(ResolverCallMethod method) { @@ -28,7 +28,7 @@ namespace IndirectObfuscation { if (str == "stack") return ResolverCallMethod::StackIndirect; if (str == "indirect") return ResolverCallMethod::StackScratch; if (str == "shuffle") return ResolverCallMethod::RegisterShuffle; - return ResolverCallMethod::RegisterPointer; // default + return ResolverCallMethod::RegisterPointer; } class StubGenerator { diff --git a/Bind/resource.h b/Bind/resource.h index c0c6f67..4685b18 100644 --- a/Bind/resource.h +++ b/Bind/resource.h 
@@ -3,4 +3,4 @@ #define IDI_ICON1 101 -#endif // RESOURCE_H +#endif /* RESOURCE_H */ diff --git a/Bind/src/Core/Integrity/Compatibility/Compatibility.cpp b/Bind/src/Core/Integrity/Compatibility/Compatibility.cpp index a82696d..b7ad804 100644 --- a/Bind/src/Core/Integrity/Compatibility/Compatibility.cpp +++ b/Bind/src/Core/Integrity/Compatibility/Compatibility.cpp @@ -126,15 +126,15 @@ QList Compatibility::readSyscalls(const QString& asm if (vMatch.hasMatch()) { - QString prefix = vMatch.captured(1); // "Sys", "SysK", or "SysInline" - QString namePart = vMatch.captured(2); // the actual function name - QString versionPart = vMatch.captured(3); // the version letter + QString prefix = vMatch.captured(1); /* "Sys", "SysK", or "SysInline" */ + QString namePart = vMatch.captured(2); /* the actual function name */ + QString versionPart = vMatch.captured(3); /* the version letter */ baseName = prefix + namePart; if (!versionPart.isEmpty()) { - // convert letter to version number A=2, B=3, C=4, etc + /* convert letter to version number A=2, B=3, C=4, etc */ version = versionPart.at(0).toLatin1() - 'A' + 2; } else @@ -332,7 +332,7 @@ void Compatibility::validateSyscalls(const QString& asmFile, const QStringList& for (const SyscallInfo& syscall : syscalls) { int version = syscall.version; - int dllIndex = (version == 1) ? 0 : (version - 1); // version 1 = table 0, version 2 = table 1, etc. + int dllIndex = (version == 1) ? 0 : (version - 1); /* version 1 = table 0, version 2 = table 1, etc. */ qDebug() << QString("Debug: Checking Syscall '%1' (version %2) against Table %3") .arg(syscall.name).arg(version).arg(dllIndex); @@ -346,7 +346,7 @@ void Compatibility::validateSyscalls(const QString& asmFile, const QStringList& QMap syscallNumbers = syscallTables[dllIndex]; - // remove version suffix for DLL lookup + /* remove version suffix for DLL lookup */ QString baseName = syscall.baseName; QString expectedName; 
@@ -374,7 +374,7 @@ void Compatibility::validateSyscalls(const QString& asmFile, const QStringList& } int actualOffset = syscallNumbers.value(expectedName, 0); - // check for duplicates only within same table + /* check for duplicates only within same table */ bool isDuplicate = false; QString dupType, dupWith; diff --git a/Bind/src/Core/Integrity/Validator/Validator.cpp b/Bind/src/Core/Integrity/Validator/Validator.cpp index 7612291..33d406f 100644 --- a/Bind/src/Core/Integrity/Validator/Validator.cpp +++ b/Bind/src/Core/Integrity/Validator/Validator.cpp @@ -320,7 +320,7 @@ void Validator::updateSyscalls(const QString& asmFile, const QMap>& syscallTab if (inlineAssemblyMode && syscallName.startsWith("SysInline")) { - // convert back to Sys prefix for checking against selectedSyscalls + /* convert back to Sys prefix for checking against selectedSyscalls */ checkName = "Sys" + syscallName.mid(9); } else if (indirectAssemblyMode && syscallName.startsWith("SysIndirect")) { - // convert back to Sys prefix for checking against selectedSyscalls + /* convert back to Sys prefix for checking against selectedSyscalls */ checkName = "Sys" + syscallName.mid(11); } @@ -887,7 +887,7 @@ void Validator::updateHeaderFile(const QMap>& syscallTab .arg(funcName) + Colors::ENDC()); continue; } - // add non versioned functions for table 0 + /* add non versioned functions for table 0 */ if (syscallTables.contains(0)) { QMap table0 = syscallTables[0]; @@ -926,7 +926,7 @@ void Validator::updateHeaderFile(const QMap>& syscallTab } } - // add versioned functions for additional tables + /* add versioned functions for additional tables */ for (int tableIdx = 1; tableIdx < numTables; ++tableIdx) { if (!syscallTables.contains(tableIdx)) diff --git a/Bind/src/Core/Integrity/Verification/Verification.cpp b/Bind/src/Core/Integrity/Verification/Verification.cpp index c434500..52eb3f0 100644 --- a/Bind/src/Core/Integrity/Verification/Verification.cpp 
+++ b/Bind/src/Core/Integrity/Verification/Verification.cpp @@ -142,7 +142,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() typeDefinitions.insert(name, def); } } - // parse comma types + /* parse comma types */ QRegularExpression commaRegex(R"(}\s*(\w+),\s*\*\s*(\w+);)"); QRegularExpressionMatchIterator commaMatches = commaRegex.globalMatch(content); @@ -164,7 +164,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() def2.definition = QString("typedef %1* %2").arg(baseType).arg(ptrType); typeDefinitions.insert(ptrType, def2); } - // parse pointer types + /* parse pointer types */ QRegularExpression ptrRegex(R"(typedef\s+(?:struct\s+)?(?:_)?(\w+)\s*\*\s*(\w+);)"); QRegularExpressionMatchIterator ptrMatches = ptrRegex.globalMatch(content); @@ -181,7 +181,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() def.definition = QString("typedef %1* %2").arg(baseType).arg(ptrType); typeDefinitions.insert(ptrType, def); } - // parse basic types + /* parse basic types */ QRegularExpression basicRegex(R"(typedef\s+(?:struct\s+)?(?:_)?(\w+)\s+(\w+);)"); QRegularExpressionMatchIterator basicMatches = basicRegex.globalMatch(content); @@ -198,7 +198,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() def.definition = QString("typedef %1 %2").arg(baseType).arg(newType); typeDefinitions.insert(newType, def); } - // parse structs + /* parse structs */ QRegularExpression structRegex(R"(typedef\s+struct\s+(?:_)?(\w+)\s*\{[^}]+\}\s*(\w+)\s*,\s*\*\s*(\w+);)"); QRegularExpressionMatchIterator structMatches = structRegex.globalMatch(content); @@ -220,7 +220,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() def2.definition = QString("typedef %1* %2").arg(structName).arg(ptrName); typeDefinitions.insert(ptrName, def2); } - // parse enums + /* parse enums */ QRegularExpression enumRegex(R"(typedef\s+enum\s+(?:_)?(\w+)\s*\{[^}]+\}\s*(\w+);)"); QRegularExpressionMatchIterator enumMatches = enumRegex.globalMatch(content); 
@@ -236,7 +236,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() def.definition = match.captured(0); typeDefinitions.insert(enumName, def); } - // parse function pointers + /* parse function pointers */ QRegularExpression funcPtrRegex(R"(typedef\s+\w+\s*\(\s*\w+\s*\*\s*(\w+)\s*\)\s*\([^)]*\))"); QRegularExpressionMatchIterator funcPtrMatches = funcPtrRegex.globalMatch(content); @@ -252,7 +252,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() def.definition = QString("typedef function_ptr %1").arg(typeName); typeDefinitions.insert(typeName, def); } - // parse const pointer types + /* parse const pointer types */ QRegularExpression constPtrRegex(R"(typedef\s+const\s+(\w+)\s*\*\s*(\w+);)"); QRegularExpressionMatchIterator constPtrMatches = constPtrRegex.globalMatch(content); @@ -269,7 +269,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() def.definition = QString("typedef const %1* %2").arg(baseType).arg(newType); typeDefinitions.insert(newType, def); } - // parse WNF types + /* parse WNF types */ QRegularExpression wnfRegex(R"(typedef\s+(?:const\s+)?(?:struct\s+)?_?(\w+)\s*(?:\*\s*)?(\w+)(?:\s*,\s*\*\s*(\w+))?;)"); QRegularExpressionMatchIterator wnfMatches = wnfRegex.globalMatch(content); @@ -698,13 +698,13 @@ std::optional Verification::getOffsetFromDll(const QString& syscallName, co { auto* verification = static_cast(N); - // safety check for the callback parameters + /* safety check for the callback parameters */ if (!verification || fn.empty()) { return 0; } - // use a safer string conversion + /* use a safer string conversion */ QString funcName; try 
@@ -721,11 +721,11 @@ std::optional Verification::getOffsetFromDll(const QString& syscallName, co return 0; } - // get function RVA (addr is VA, subtract image base to get RVA) + /* get function RVA (addr is VA, subtract image base to get RVA) */ uint32_t funcRVA = static_cast(addr - verification->imageBase); uint32_t fileOffset = 0; - // safety check for RVA calculation + /* safety check for RVA calculation */ if (addr < verification->imageBase) { return 0; @@ -811,7 +811,7 @@ Verification::TestResult Verification::testSyscall(const SyscallDefinition& sysc } } - // validate return type + /* validate return type */ QStringList validReturnTypes = {"NTSTATUS", "BOOL", "HANDLE", "VOID", "ULONG", "ULONG_PTR", "UINT32", "UINT64"}; if (!validReturnTypes.contains(syscall.returnType)) @@ -819,7 +819,7 @@ Verification::TestResult Verification::testSyscall(const SyscallDefinition& sysc result.errors.append(QString("Unexpected return type: %1").arg(syscall.returnType)); } - // validate parameters + /* validate parameters */ for (const Parameter& param : syscall.parameters) { if (!validateParameterType(param.type)) @@ -828,7 +828,7 @@ Verification::TestResult Verification::testSyscall(const SyscallDefinition& sysc } } - // validate offset + /* validate offset */ QString offset = syscall.offset.toLower().replace("h", ""); bool ok; int offsetValue = offset.toInt(&ok, 16); @@ -854,7 +854,7 @@ Verification::TestResult Verification::testSyscall(const SyscallDefinition& sysc result.errors.append(QString("Invalid Syscall Offset Format: %1").arg(syscall.offset)); } - // check type definitions + /* check type definitions */ for (const Parameter& param : syscall.parameters) { std::optional typeInfo = typeTracker.checkType(param.type, isKernelMode); diff --git a/Bind/src/Core/Obfuscation/Direct/Encryption/DirectEncryptor.cpp b/Bind/src/Core/Obfuscation/Direct/Encryption/DirectEncryptor.cpp index a1ce626..588ae0d 100644 --- a/Bind/src/Core/Obfuscation/Direct/Encryption/DirectEncryptor.cpp 
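Review bot: The guard `if (addr < verification->imageBase)` is placed after the `funcRVA` initialisation that subtracts `verification->imageBase` from `addr`, so the subtraction it is meant to protect has already run (wrapping if the operands are unsigned, undefined if signed — the declared types are not visible here); move the check above the subtraction so `funcRVA` is only computed once `addr >= verification->imageBase` holds. The hunk only restyles the two comments, so this ordering predates the commit, but the comment `/* safety check for RVA calculation */` now describes a check that no longer guards the calculation it names. The enclosing callback inside getOffsetFromDll starts and ends outside the hunk.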
+++ b/Bind/src/Core/Obfuscation/Direct/Encryption/DirectEncryptor.cpp @@ -79,7 +79,7 @@ QPair> DirectObfuscation::Encryptor::encryptOffset( encryptionData["mask"] = mask; break; } - default: // default to basic xor + default: /* default to basic xor */ { int key = getRandomInt(0x11, 0xFF); encryptedOffset = realOffset ^ key; @@ -154,7 +154,7 @@ QStringList DirectObfuscation::Encryptor::generateDecryptionSequence(const QStri sequence << QString(" sub eax, 0%1h\n").arg(mask, 0, 16); break; } - default: // default to basic xor + default: /* default to basic xor */ { int key = encryptionData["key"].toInt(); sequence << QString(" mov eax, dword ptr [%1]\n").arg(offsetName); diff --git a/Bind/src/Core/Obfuscation/Direct/Mapping/DirectStubMapper.cpp b/Bind/src/Core/Obfuscation/Direct/Mapping/DirectStubMapper.cpp index 7323f25..9f81276 100644 --- a/Bind/src/Core/Obfuscation/Direct/Mapping/DirectStubMapper.cpp +++ b/Bind/src/Core/Obfuscation/Direct/Mapping/DirectStubMapper.cpp @@ -209,10 +209,10 @@ bool DirectObfuscation::StubMapper::processAssemblyFile(const QString& asmPath, QSet usedOffsets; QSet usedOffsetNames; - QMap offsetNameMap; // maps fake offset to random name - QMap syscallMap; // maps original syscall to random name - QMap syscallOffsets; // maps original syscall to its offset - QMap realToFakeOffset; // maps real offset to fake offset + QMap offsetNameMap; /* maps fake offset to random name */ + QMap syscallMap; /* maps original syscall to random name */ + QMap syscallOffsets; /* maps original syscall to its offset */ + QMap realToFakeOffset; /* maps real offset to fake offset */ QList> syscallStubs; QStringList currentStub; 
@@ -345,7 +345,7 @@ bool DirectObfuscation::StubMapper::processAssemblyFile(const QString& asmPath, QStringList aliases; bool enableControlFlow = settings->value("obfuscation/control_flow_enabled", false).toBool(); - QMap functionSuffixes; // store suffixes for each function + QMap functionSuffixes; /* store suffixes for each function */ if (enableControlFlow) { @@ -444,7 +444,7 @@ bool DirectObfuscation::StubMapper::processAssemblyFile(const QString& asmPath, QString originalSyscall = stubPair.first; QStringList stubLines = stubPair.second; bool skipRest = false; - QString functionSuffix; // store the random suffix for this function + QString functionSuffix; /* store the random suffix for this function */ if (enableControlFlow && functionSuffixes.contains(originalSyscall)) { @@ -718,7 +718,7 @@ bool DirectObfuscation::StubMapper::updateHeaderFile(const QString& headerPath, newHeaderContent << line; continue; } - // preserve c++ guards and extern blocks + /* preserve c++ guards and extern blocks */ if (line.contains("#ifdef __cplusplus") || line.contains("extern \"C\"") || line.trimmed() == "{" || @@ -806,7 +806,7 @@ bool DirectObfuscation::StubMapper::updateHeaderFile(const QString& headerPath, } } newHeaderContent << ""; - newHeaderContent << "// Syscall Name Mappings"; + newHeaderContent << "/* Syscall Name Mappings */"; for (auto it = syscallMap.begin(); it != syscallMap.end(); ++it) { diff --git a/Bind/src/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.cpp b/Bind/src/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.cpp index 1448720..f831c40 100644 --- a/Bind/src/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.cpp +++ b/Bind/src/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.cpp 
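Review bot: `newHeaderContent << "/* Syscall Name Mappings */";` changes a string literal that is written into the generated header, not a source comment, so this hunk alters the tool's output even though the commit is described as a comment-style change; if anything locates that section by the old `// Syscall Name Mappings` marker (an earlier pass of updateHeaderFile or a downstream step — not visible here), it will stop matching, which is worth confirming before merging. The same emitted-string change appears in Obfuscation.cpp at `@@ -818,7 +818,7 @@`. updateHeaderFile's body starts and ends outside the hunk.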
@@ -14,10 +14,10 @@ void DirectObfuscation::JunkGenerator::setSettings(QSettings* settings) QString DirectObfuscation::JunkGenerator::generateJunkInstructions(int minInst, int maxInst, bool useAdvanced) { - // rcx, rdx, r8, r9 are function parameters, NEVER touch these! - // rbx, rsi, rdi, r12 are used to save rcx, rdx, r8, r9, NEVER touch these! - // r10 is used for function pointer, NEVER touch this! - // so we can ONLY safely use: r11, r13, r14, r15, rax + /* rcx, rdx, r8, r9 are function parameters, NEVER touch these! + rbx, rsi, rdi, r12 are used to save rcx, rdx, r8, r9, NEVER touch these! + r10 is used for function pointer, NEVER touch this! + so we can ONLY safely use: r11, r13, r14, r15, rax */ if (!settings) { diff --git a/Bind/src/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.cpp b/Bind/src/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.cpp index 673fd22..7ec2c35 100644 --- a/Bind/src/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.cpp +++ b/Bind/src/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.cpp 
@@ -26,54 +26,54 @@ QString IndirectObfuscation::ControlFlow::generateControlFlowObfuscation() QStringList controlFlowPatterns = { QString(" ; Opaque Predicate - Register Based\n" - " test r11, r11\n" // r11 is always 0, so test sets ZF=1 - " jnz fake_branch_%1\n" // Never taken (ZF=1, so jnz fails) + " test r11, r11\n" /* r11 is always 0, so test sets ZF=1 */ + " jnz fake_branch_%1\n" /* never taken (ZF=1, so jnz fails) */ " ; Real code continues here\n" " jmp real_code_%1\n" "fake_branch_%1:\n" - " nop\n" // Dead code - " xor r13, r13\n" // Dead code - " add r14, 0\n" // Dead code + " nop\n" /* dead code */ + " xor r13, r13\n" /* dead code */ + " add r14, 0\n" /* dead code */ "real_code_%1:\n") .arg(QRandomGenerator::global()->bounded(1000, 999999)), QString(" ; Opaque Predicate - Value Based\n" - " mov r15, 0\n" // Set r15 to 0 - " cmp r15, 1\n" // Compare 0 with 1 (always false) - " je fake_branch_%1\n" // Never taken + " mov r15, 0\n" /* set r15 to 0 */ + " cmp r15, 1\n" /* compare 0 with 1 (always false) */ + " je fake_branch_%1\n" /* never taken */ " ; Real code continues here\n" " jmp real_code_%1\n" "fake_branch_%1:\n" - " push r11\n" // Dead code - " pop r11\n" // Dead code - " test r13, r13\n" // Dead code + " push r11\n" /* dead code */ + " pop r11\n" /* dead code */ + " test r13, r13\n" /* dead code */ "real_code_%1:\n") .arg(QRandomGenerator::global()->bounded(1000, 999999)), QString(" ; Opaque Predicate - Flag Based\n" - " clc\n" // Clear carry flag - " jc fake_branch_%1\n" // Never taken (CF=0) + " clc\n" /* clear carry flag */ + " jc fake_branch_%1\n" /* never taken (CF=0) */ " ; Real code continues here\n" " jmp real_code_%1\n" "fake_branch_%1:\n" - " lea r11, [r11]\n" // Dead code - " mov r13, r13\n" // Dead code - " xchg r14, r14\n" // Dead code + " lea r11, [r11]\n" /* dead code */ + " mov r13, r13\n" /* dead code */ + " xchg r14, r14\n" /* dead code */ "real_code_%1:\n") .arg(QRandomGenerator::global()->bounded(1000, 999999)), QString(" ; 
Opaque Predicate - Mixed Junk Code\n" - " xor r11, r11\n" // r11 = 0 - " or r11, 0\n" // r11 still = 0 - " test r11, r11\n" // Test 0 (always zero) - " jnz fake_branch_%1\n" // Never taken + " xor r11, r11\n" /* r11 = 0 */ + " or r11, 0\n" /* r11 still = 0 */ + " test r11, r11\n" /* test 0 (always zero) */ + " jnz fake_branch_%1\n" /* never taken */ " ; Real code continues here\n" " jmp real_code_%1\n" "fake_branch_%1:\n" - " pushfq\n" // Dead code - " popfq\n" // Dead code - " fnop\n" // Dead code - " pause\n" // Dead code + " pushfq\n" /* dead code */ + " popfq\n" /* dead code */ + " fnop\n" /* dead code */ + " pause\n" /* dead code */ "real_code_%1:\n") .arg(QRandomGenerator::global()->bounded(1000, 999999)) }; diff --git a/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.cpp b/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.cpp index b916432..ebc8098 100644 --- a/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.cpp +++ b/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.cpp @@ -9,10 +9,10 @@ IndirectObfuscation::JunkGenerator::JunkGenerator(QSettings* settings) QString IndirectObfuscation::JunkGenerator::generateRegisterSafeJunk() { - // rcx, rdx, r8, r9 are function parameters, NEVER touch these! - // rbx, rsi, rdi, r12 are used to save rcx, rdx, r8, r9, NEVER touch these! - // r10 is used for function pointer, NEVER touch this! - // so we can ONLY safely use: r11, r13, r14, r15, rax + /* rcx, rdx, r8, r9 are function parameters, NEVER touch these! + rbx, rsi, rdi, r12 are used to save rcx, rdx, r8, r9, NEVER touch these! + r10 is used for function pointer, NEVER touch this! + so we can ONLY safely use: r11, r13, r14, r15, rax */ QStringList safeJunkInstructions = { " nop\n", diff --git a/Bind/src/Core/Obfuscation/Obfuscation.cpp b/Bind/src/Core/Obfuscation/Obfuscation.cpp index 5481a68..cf381c3 100644 --- a/Bind/src/Core/Obfuscation/Obfuscation.cpp +++ b/Bind/src/Core/Obfuscation/Obfuscation.cpp 
@@ -208,10 +208,10 @@ bool Obfuscation::processAssemblyFile(const QString& asmPath, const QString& hea QSet usedNames; QSet usedOffsets; QSet usedOffsetNames; - QMap offsetNameMap; // maps fake offset to random name - QMap syscallMap; // maps original syscall to random name - QMap syscallOffsets; // maps original syscall to its offset - QMap realToFakeOffset; // maps real offset to fake offset + QMap offsetNameMap; /* maps fake offset to random name */ + QMap syscallMap; /* maps original syscall to random name */ + QMap syscallOffsets; /* maps original syscall to its offset */ + QMap realToFakeOffset; /* maps real offset to fake offset */ QList> syscallStubs; QStringList currentStub; QString currentSyscall; @@ -290,7 +290,7 @@ bool Obfuscation::processAssemblyFile(const QString& asmPath, const QString& hea QStringList publics; QStringList aliases; bool enableControlFlow = settings->value("obfuscation/control_flow_enabled", false).toBool(); - QMap functionSuffixes; // store suffixes for each function + QMap functionSuffixes; /* store suffixes for each function */ if (enableControlFlow) { @@ -371,8 +371,8 @@ bool Obfuscation::processAssemblyFile(const QString& asmPath, const QString& hea { QString originalSyscall = stubPair.first; QStringList stubLines = stubPair.second; - bool skipRest = false; // flag to skip lines after mov eax - QString functionSuffix; // store the random suffix for this function + bool skipRest = false; /* flag to skip lines after mov eax */ + QString functionSuffix; /* store the random suffix for this function */ if (enableControlFlow && functionSuffixes.contains(originalSyscall)) { @@ -404,7 +404,7 @@ bool Obfuscation::processAssemblyFile(const QString& asmPath, const QString& hea { if (skipRest) { - // only process ENDP line when skipping + /* only process ENDP line when skipping */ if (originalLine.contains(" ENDP")) { QString line = originalLine; 
@@ -434,7 +434,7 @@ bool Obfuscation::processAssemblyFile(const QString& asmPath, const QString& hea } newContent << line; - skipRest = false; // reset the flag after processing ENDP + skipRest = false; /* reset the flag after processing ENDP */ } continue; @@ -482,7 +482,7 @@ bool Obfuscation::processAssemblyFile(const QString& asmPath, const QString& hea QMap encryptionData = encryptionDataMap.value(offsetName); line = stubGen.generateChunkedSequence(offsetName, encryptionData, static_cast(encryptionMethod)); newContent << line; - skipRest = true; // skip original syscall/ret + skipRest = true; /* skip original syscall/ret */ continue; } } @@ -730,7 +730,7 @@ bool Obfuscation::updateHeaderFile(const QString& headerPath, continue; } - // preserve c++ guards and extern blocks + /* preserve c++ guards and extern blocks */ if (line.contains("#ifdef __cplusplus") || line.contains("extern \"C\"") || line.trimmed() == "{" || line.trimmed() == "}" || line.contains("#endif")) { @@ -818,7 +818,7 @@ bool Obfuscation::updateHeaderFile(const QString& headerPath, } newHeaderContent << ""; - newHeaderContent << "// Syscall Name Mappings"; + newHeaderContent << "/* Syscall Name Mappings */"; for (auto it = syscallMap.begin(); it != syscallMap.end(); ++it) { diff --git a/Bind/src/Core/Utils/Utils.cpp b/Bind/src/Core/Utils/Utils.cpp index 479a139..5431604 100644 --- a/Bind/src/Core/Utils/Utils.cpp +++ b/Bind/src/Core/Utils/Utils.cpp @@ -464,11 +464,11 @@ QVariantMap StubHashGenerator::generateStubHashes(const QString& asmFilePath, { QString stubCode = asmContent.mid(startPos, endPos - startPos); - // generate MD5 hash + /* generate MD5 hash */ QByteArray md5Hash = QCryptographicHash::hash(stubCode.toUtf8(), QCryptographicHash::Md5); QString md5Hex = md5Hash.toHex(); - // generate SHA256 hash + /* generate SHA256 hash */ QByteArray sha256Hash = QCryptographicHash::hash(stubCode.toUtf8(), QCryptographicHash::Sha256); QString sha256Hex = sha256Hash.toHex(); 
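Review bot: generateStubHashes still computes an MD5 digest of each stub next to the SHA-256 one; MD5 is collision-broken, so if anything downstream (HashCompareDialog's duplicate detection or the build ID) keys on `md5Hex`, two different stubs can be made to compare equal. Keep SHA-256 as the authoritative comparison/identity value and treat MD5 as a display-only legacy field, or drop it altogether. A comment pinning that down would stop the two being used interchangeably: `/* sha256 is the comparison key; md5 kept only for display/back-compat and is collision-prone */`. The function body runs outside the hunk on both sides, so where the two digests are consumed cannot be verified from this view.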
@@ -579,7 +579,7 @@ QPair StubHashGenerator::saveStubHashes(const QVariantMap& stubHa formattedOutput["stubs"] = formattedStubs; - // generate build ID + /* generate build ID */ QStringList allHashes; QStringList sortedSyscalls = stubs.keys(); std::sort(sortedSyscalls.begin(), sortedSyscalls.end()); diff --git a/Bind/src/GUI/Bars/StatusBar.cpp b/Bind/src/GUI/Bars/StatusBar.cpp index cbdb81f..4508cfb 100644 --- a/Bind/src/GUI/Bars/StatusBar.cpp +++ b/Bind/src/GUI/Bars/StatusBar.cpp @@ -47,22 +47,22 @@ void StatusBar::updateStatus(const QString& message, const QString& statusType) if (statusType == "working") { icon = "⏳"; - color = "#FFA500"; // orange + color = "#FFA500"; /* orange */ } else if (statusType == "success") { icon = "✅"; - color = "#00FF00"; // green + color = "#00FF00"; /* green */ } else if (statusType == "error") { icon = "❌"; - color = "#FF0000"; // red + color = "#FF0000"; /* red */ } else { icon = "⏺"; - color = "#666666"; // gray + color = "#666666"; /* gray */ } statusIcon->setText(icon); diff --git a/Bind/src/GUI/Dialogs/ChangelogDialog.cpp b/Bind/src/GUI/Dialogs/ChangelogDialog.cpp index 0798363..1f80c7b 100644 --- a/Bind/src/GUI/Dialogs/ChangelogDialog.cpp +++ b/Bind/src/GUI/Dialogs/ChangelogDialog.cpp @@ -24,7 +24,7 @@ ChangelogDialog::ChangelogDialog(QWidget* parent) resize(1150, 600); setWindowIcon(QIcon(":/src/Res/Icons/logo.ico")); setWindowFlags(Qt::Dialog | Qt::FramelessWindowHint); - // setAttribute(Qt::WA_TranslucentBackground); + /* setAttribute(Qt::WA_TranslucentBackground); */ setupStylesheet(); setupUI(); populateChangelogs(); diff --git a/Bind/src/GUI/Dialogs/HashCompareDialog.cpp b/Bind/src/GUI/Dialogs/HashCompareDialog.cpp index 8826c10..fddc0cf 100644 --- a/Bind/src/GUI/Dialogs/HashCompareDialog.cpp +++ b/Bind/src/GUI/Dialogs/HashCompareDialog.cpp 
@@ -82,7 +82,7 @@ void HashCompareDialog::initUI() splitter = new QSplitter(Qt::Horizontal); - // left side, hash file list + /* left side, hash file list */ auto* leftPanel = new QGroupBox("Hash Files"); auto* leftLayout = new QVBoxLayout(leftPanel); @@ -102,7 +102,7 @@ void HashCompareDialog::initUI() leftLayout->addWidget(compareBtn); splitter->addWidget(leftPanel); - // right side, hash table + /* right side, hash table */ auto* rightPanel = new QGroupBox("Hash Comparison"); auto* rightLayout = new QVBoxLayout(rightPanel); @@ -193,7 +193,7 @@ void HashCompareDialog::loadHashFiles() filters << "stub_hashes_*.json"; QFileInfoList files = dir.entryInfoList(filters, QDir::Files); - // sort files in reverse order (newest first) + /* sort files in reverse order (newest first) */ std::sort(files.begin(), files.end(), [](const QFileInfo& a, const QFileInfo& b) { return a.fileName() > b.fileName(); @@ -397,7 +397,7 @@ void HashCompareDialog::displayComparison(const QStringList& files) hashTable->setHorizontalHeaderLabels(headers); - // create hash mapping for duplicate detection + /* create hash mapping for duplicate detection */ QMap>> hashMapping; QStringList sortedSyscalls = allSyscalls.values(); std::sort(sortedSyscalls.begin(), sortedSyscalls.end()); @@ -448,13 +448,13 @@ void HashCompareDialog::displayComparison(const QStringList& files) { QList duplicateColors = { - QColor(255, 150, 150), // red - QColor(150, 255, 150), // green - QColor(150, 150, 255), // blue - QColor(255, 255, 150), // yellow - QColor(255, 150, 255), // purple - QColor(150, 255, 255), // cyan - QColor(255, 200, 150), // orange + QColor(255, 150, 150), /* red */ + QColor(150, 255, 150), /* green */ + QColor(150, 150, 255), /* blue */ + QColor(255, 255, 150), /* yellow */ + QColor(255, 150, 255), /* purple */ + QColor(150, 255, 255), /* cyan */ + QColor(255, 200, 150), /* orange */ }; int colorIndex = 0; 
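Review bot: The "newest first" ordering in loadHashFiles is a plain lexicographic compare on `fileName()`, so it is only chronological if the `stub_hashes_*.json` suffix is a fixed-width, zero-padded timestamp; a counter or an unpadded date sorts `stub_hashes_9.json` after `stub_hashes_10.json`. Sorting on the file's modification time matches the stated intent regardless of the naming scheme: `return a.lastModified() > b.lastModified();`. If the filename format is guaranteed by the writer elsewhere, say so in the comment instead: `/* newest first; relies on the zero-padded timestamp embedded in the filename */`.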
diff --git a/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp b/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp index c8da96a..a0b19d3 100644 --- a/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp +++ b/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp @@ -713,7 +713,7 @@ void GeneralTab::createBackupFiles() } catch (...) { - // backup creation failed but dont stop the operation + /* backup creation failed but dont stop the operation */ } } diff --git a/Default/sysFunctions.h b/Default/sysFunctions.h index 0a78e48..157aee2 100644 --- a/Default/sysFunctions.h +++ b/Default/sysFunctions.h @@ -3,7 +3,7 @@ #include "sysTypes.h" #include "sysExternals.h" -#ifdef _WIN64 // Only compile on 64bit systems. +#ifdef _WIN64 /* only compile on 64bit systems */ #ifdef __cplusplus extern "C" { @@ -558,7 +558,7 @@ NTSTATUS SCCommitEnlistment( NTSTATUS SCCommitRegistryTransaction( HANDLE RegistryTransactionHandle, - ULONG Flags // Reserved + ULONG Flags /* reserved */ ); NTSTATUS SCCommitTransaction( @@ -613,7 +613,7 @@ NTSTATUS SCContinue( NTSTATUS SCContinueEx( PCONTEXT ContextRecord, - PVOID ContinueArgument // Can be PKCONTINUE_ARGUMENT or BOOLEAN + PVOID ContinueArgument /* can be PKCONTINUE_ARGUMENT or BOOLEAN */ ); NTSTATUS SCConvertBetweenAuxiliaryCounterAndPerformanceCounter( @@ -1596,7 +1596,7 @@ NTSTATUS SCLoadKeyEx( HANDLE Event OPTIONAL, ACCESS_MASK DesiredAccess OPTIONAL, PHANDLE RootHandle OPTIONAL, - PVOID Reserved OPTIONAL // previously PIO_STATUS_BLOCK + PVOID Reserved OPTIONAL /* previously PIO_STATUS_BLOCK */ ); NTSTATUS SCLockFile( @@ -1713,7 +1713,7 @@ NTSTATUS SCNotifyChangeDirectoryFile( PIO_APC_ROUTINE ApcRoutine OPTIONAL, PVOID ApcContext OPTIONAL, PIO_STATUS_BLOCK IoStatusBlock, - PVOID Buffer, // FILE_NOTIFY_INFORMATION + PVOID Buffer, /* FILE_NOTIFY_INFORMATION */ ULONG Length, ULONG CompletionFilter, BOOLEAN WatchTree 
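Review bot: `catch (...)` in createBackupFiles swallows every failure silently, so the operation it protects proceeds with no backup and no indication to the user. The comment says the non-fatal behaviour is deliberate, so keep it but surface the failure, e.g. `qWarning() << "SysCaller: backup creation failed; continuing without backup";` or a status the caller can show in the status bar before it overwrites anything. Catching `...` also discards the exception type, which makes the failure hard to diagnose; where the throwers are known, `catch (const std::exception& e)` and logging `e.what()` is preferable. The enclosing function starts and ends outside the hunk.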
@@ -2398,7 +2398,7 @@ NTSTATUS SCQuerySecurityAttributesToken( HANDLE TokenHandle, PUNICODE_STRING Attributes, ULONG NumberOfAttributes, - PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION + PVOID Buffer, /* PTOKEN_SECURITY_ATTRIBUTES_INFORMATION */ ULONG Length, PULONG ReturnLength ); @@ -2446,7 +2446,7 @@ NTSTATUS SCQuerySystemEnvironmentValueEx( PCGUID VendorGuid, PVOID Buffer OPTIONAL, PULONG BufferLength, - PULONG Attributes OPTIONAL // EFI_VARIABLE_* + PULONG Attributes OPTIONAL /* EFI_VARIABLE_* */ ); NTSTATUS SCQuerySystemInformation( @@ -2786,7 +2786,7 @@ NTSTATUS SCRollbackEnlistment( NTSTATUS SCRollbackRegistryTransaction( HANDLE RegistryTransactionHandle, - ULONG Flags // Reserved + ULONG Flags /* reserved */ ); NTSTATUS SCRollbackTransaction( @@ -3102,8 +3102,8 @@ NTSTATUS SCSetSystemEnvironmentValueEx( PCUNICODE_STRING VariableName, PCGUID VendorGuid, PVOID Buffer OPTIONAL, - ULONG BufferLength, // 0 = delete variable - ULONG Attributes // EFI_VARIABLE_* + ULONG BufferLength, /* 0 = delete variable */ + ULONG Attributes /* EFI_VARIABLE_* */ ); NTSTATUS SCSetSystemInformation( @@ -3115,7 +3115,7 @@ NTSTATUS SCSetSystemInformation( NTSTATUS SCSetSystemPowerState( POWER_ACTION SystemAction, SYSTEM_POWER_STATE LightestSystemState, - ULONG Flags // POWER_ACTION_* flags + ULONG Flags /* POWER_ACTION_* flags */ ); NTSTATUS SCSetSystemTime( @@ -3124,7 +3124,7 @@ NTSTATUS SCSetSystemTime( ); NTSTATUS SCSetThreadExecutionState( - EXECUTION_STATE NewFlags, // ES_* flags + EXECUTION_STATE NewFlags, /* ES_* flags */ EXECUTION_STATE * PreviousFlags ); @@ -3246,7 +3246,7 @@ NTSTATUS SCSystemDebugControl( NTSTATUS SCTerminateEnclave( PVOID BaseAddress, - ULONG Flags // TERMINATE_ENCLAVE_FLAG_* + ULONG Flags /* TERMINATE_ENCLAVE_FLAG_* */ ); NTSTATUS SCTerminateJobObject( diff --git a/Default/sysFunctions_k.h b/Default/sysFunctions_k.h index 096c709..cd48da1 100644 --- a/Default/sysFunctions_k.h +++ b/Default/sysFunctions_k.h 
@@ -4,7 +4,7 @@ #include "sysExternals_k.h" #include "sysConstants_k.h" -#ifdef _WIN64 // Only compile on 64bit systems. +#ifdef _WIN64 /* only compile on 64bit systems */ #ifdef __cplusplus extern "C" { @@ -559,7 +559,7 @@ NTSTATUS SCCommitEnlistment( NTSTATUS SCCommitRegistryTransaction( HANDLE RegistryTransactionHandle, - ULONG Flags // Reserved + ULONG Flags /* reserved */ ); NTSTATUS SCCommitTransaction( @@ -614,7 +614,7 @@ NTSTATUS SCContinue( NTSTATUS SCContinueEx( PCONTEXT ContextRecord, - PVOID ContinueArgument // Can be PKCONTINUE_ARGUMENT or BOOLEAN + PVOID ContinueArgument /* can be PKCONTINUE_ARGUMENT or BOOLEAN */ ); NTSTATUS SCConvertBetweenAuxiliaryCounterAndPerformanceCounter( @@ -1714,7 +1714,7 @@ NTSTATUS SCNotifyChangeDirectoryFile( PIO_APC_ROUTINE ApcRoutine OPTIONAL, PVOID ApcContext OPTIONAL, PIO_STATUS_BLOCK IoStatusBlock, - PVOID Buffer, // FILE_NOTIFY_INFORMATION + PVOID Buffer, /* FILE_NOTIFY_INFORMATION */ ULONG Length, ULONG CompletionFilter, BOOLEAN WatchTree @@ -2399,7 +2399,7 @@ NTSTATUS SCQuerySecurityAttributesToken( HANDLE TokenHandle, PUNICODE_STRING Attributes, ULONG NumberOfAttributes, - PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION + PVOID Buffer, /* PTOKEN_SECURITY_ATTRIBUTES_INFORMATION */ ULONG Length, PULONG ReturnLength ); @@ -3469,4 +3469,4 @@ NTSTATUS SCYieldExecution(VOID); } #endif -#endif +#endif \ No newline at end of file diff --git a/README.md b/README.md index 3fe07d6..94a5341 100644 --- a/README.md +++ b/README.md 
@@ -208,13 +208,13 @@ To use SysCaller from C, C++, Rust, Python, Go, or any other language that suppo ``` 3. **Call syscalls directly:** ```cpp - // User mode example + /* User mode example */ NTSTATUS status = SysAllocateVirtualMemory( processHandle, &baseAddress, 0, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); ``` ```cpp - // Kernel mode example + /* Kernel mode example */ NTSTATUS status = SysKAllocateVirtualMemory( ZwCurrentProcess(), &base, 0, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); @@ -310,4 +310,4 @@ SysCaller is licensed under the GNU General Public License v3.0. See [LICENSE](L

SysCaller — Bridging the gap between user mode and kernel mode -

+

\ No newline at end of file diff --git a/SysCaller/Wrapper/include/Resolver/Resolver.h b/SysCaller/Wrapper/include/Resolver/Resolver.h index cc94903..744c907 100644 --- a/SysCaller/Wrapper/include/Resolver/Resolver.h +++ b/SysCaller/Wrapper/include/Resolver/Resolver.h @@ -27,4 +27,4 @@ void CleanupResolver(); #ifdef __cplusplus } -#endif +#endif \ No newline at end of file diff --git a/SysCaller/Wrapper/include/Sys/sysConstants.h b/SysCaller/Wrapper/include/Sys/sysConstants.h index 1bfd667..f7fd263 100644 --- a/SysCaller/Wrapper/include/Sys/sysConstants.h +++ b/SysCaller/Wrapper/include/Sys/sysConstants.h 
@@ -1,36 +1,32 @@ #pragma once #define CM_EXTENDED_PARAMETER_TYPE_BITS 8 -// ADD THESE TO GITHUB LATER #define PAGE_SIZE 0x1000 #define PAGE_MASK 0xFFF #define PAGE_SHIFT 0xC - -#define PAGE_NOACCESS 0x01 // Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation. -#define PAGE_READONLY 0x02 // Enables read-only access to the committed region of pages. An attempt to write or execute the committed region results in an access violation. -#define PAGE_READWRITE 0x04 // Enables read-only or read/write access to the committed region of pages. -#define PAGE_WRITECOPY 0x08 // Enables read-only or copy-on-write access to a mapped view of a file mapping object. -#define PAGE_EXECUTE 0x10 // Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation. -#define PAGE_EXECUTE_READ 0x20 // Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. -#define PAGE_EXECUTE_READWRITE 0x40 // Enables execute, read-only, or read/write access to the committed region of pages. -#define PAGE_EXECUTE_WRITECOPY 0x80 // Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. -#define PAGE_GUARD 0x100 // Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception. -#define PAGE_NOCACHE 0x200 // Sets all pages to be non-cachable. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. -#define PAGE_WRITECOMBINE 0x400 // Sets all pages to be write-combined. Applications should not use this attribute. 
Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. -#define PAGE_REVERT_TO_FILE_MAP 0x80000000 // Pages in the region can revert modified copy-on-write pages to the original unmodified page when using the mapped view of a file mapping object. -#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 // Pages in the region contain a thread control structure (TCS) from the Intel Software Guard Extensions programming model. -#define PAGE_TARGETS_NO_UPDATE 0x40000000 // Pages in the region will not update the CFG bitmap when the protection changes. The default behavior for VirtualProtect is to mark all locations as valid call targets for CFG. -#define PAGE_TARGETS_INVALID 0x40000000 // Pages in the region are excluded from the CFG bitmap as valid targets. Any indirect call to locations in those pages will terminate the process using the __fastfail intrinsic. -#define PAGE_ENCLAVE_UNVALIDATED 0x20000000 // Pages in the region are excluded from measurement with the EEXTEND instruction of the Intel Software Guard Extensions programming model. +#define PAGE_NOACCESS 0x01 /* Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation. */ +#define PAGE_READONLY 0x02 /* Enables read-only access to the committed region of pages. An attempt to write or execute the committed region results in an access violation. */ +#define PAGE_READWRITE 0x04 /* Enables read-only or read/write access to the committed region of pages. */ +#define PAGE_WRITECOPY 0x08 /* Enables read-only or copy-on-write access to a mapped view of a file mapping object. */ +#define PAGE_EXECUTE 0x10 /* Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation. */ +#define PAGE_EXECUTE_READ 0x20 /* Enables execute or read-only access to the committed region of pages. 
An attempt to write to the committed region results in an access violation. */ +#define PAGE_EXECUTE_READWRITE 0x40 /* Enables execute, read-only, or read/write access to the committed region of pages. */ +#define PAGE_EXECUTE_WRITECOPY 0x80 /* Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. */ +#define PAGE_GUARD 0x100 /* Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception. */ +#define PAGE_NOCACHE 0x200 /* Sets all pages to be non-cachable. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. */ +#define PAGE_WRITECOMBINE 0x400 /* Sets all pages to be write-combined. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. */ +#define PAGE_REVERT_TO_FILE_MAP 0x80000000 /* Pages in the region can revert modified copy-on-write pages to the original unmodified page when using the mapped view of a file mapping object. */ +#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 /* Pages in the region contain a thread control structure (TCS) from the Intel Software Guard Extensions programming model. */ +#define PAGE_TARGETS_NO_UPDATE 0x40000000 /* Pages in the region will not update the CFG bitmap when the protection changes. The default behavior for VirtualProtect is to mark all locations as valid call targets for CFG. */ +#define PAGE_TARGETS_INVALID 0x40000000 /* Pages in the region are excluded from the CFG bitmap as valid targets. Any indirect call to locations in those pages will terminate the process using the __fastfail intrinsic. 
*/ +#define PAGE_ENCLAVE_UNVALIDATED 0x20000000 /* Pages in the region are excluded from measurement with the EEXTEND instruction of the Intel Software Guard Extensions programming model. */ #define PAGE_ENCLAVE_NO_CHANGE 0x20000000 #define PAGE_ENCLAVE_MASK 0x10000000 #define PAGE_ENCLAVE_DECOMMIT (PAGE_ENCLAVE_MASK | 0) #define PAGE_ENCLAVE_SS_FIRST (PAGE_ENCLAVE_MASK | 1) #define PAGE_ENCLAVE_SS_REST (PAGE_ENCLAVE_MASK | 2) -// -// Memory Region and Section Constants -// +/* Memory Region and Section Constants */ #define GENERIC_ALL 0x10000000 #define MEM_COMMIT 0x00001000 #define MEM_RESERVE 0x00002000 @@ -58,7 +54,7 @@ #define SEC_HUGE_PAGES 0x00020000 #define SEC_PARTITION_OWNER_HANDLE 0x00040000 #define SEC_64K_PAGES 0x00080000 -#define SEC_DRIVER_IMAGE 0x00100000 // rev +#define SEC_DRIVER_IMAGE 0x00100000 /* rev */ #define SEC_BASED 0x00200000 #define SEC_NO_CHANGE 0x00400000 #define SEC_FILE 0x00800000 diff --git a/SysCaller/Wrapper/include/Sys/sysExternals.h b/SysCaller/Wrapper/include/Sys/sysExternals.h index e1fb963..6f925c5 100644 --- a/SysCaller/Wrapper/include/Sys/sysExternals.h +++ b/SysCaller/Wrapper/include/Sys/sysExternals.h @@ -7,13 +7,13 @@ typedef struct _WNF_STATE_NAME ULONG Data[2]; } WNF_STATE_NAME, * PWNF_STATE_NAME; -// WNF Type ID +/* WNF Type ID */ typedef struct _WNF_TYPE_ID { GUID TypeId; } WNF_TYPE_ID, * PWNF_TYPE_ID; -// General Types +/* General Types */ typedef LONG NTSTATUS; typedef ULONG LOGICAL; typedef ULONG_PTR SIZE_T; @@ -36,7 +36,7 @@ typedef LCID * PLCID; typedef const GUID * LPCGUID; typedef GUID * LPGUID; -// ALPC Types +/* ALPC Types */ typedef struct _PORT_MESSAGE * PPORT_MESSAGE; typedef struct _PORT_VIEW * PPORT_VIEW; typedef struct _REMOTE_PORT_VIEW * PREMOTE_PORT_VIEW; 
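Review bot: Several of the rewritten PAGE_* definitions share a single bit value — `PAGE_REVERT_TO_FILE_MAP`/`PAGE_ENCLAVE_THREAD_CONTROL` (0x80000000), `PAGE_TARGETS_NO_UPDATE`/`PAGE_TARGETS_INVALID` (0x40000000), `PAGE_ENCLAVE_UNVALIDATED`/`PAGE_ENCLAVE_NO_CHANGE` (0x20000000) — which mirrors the Windows SDK, but the per-macro descriptions now read as if each flag were distinct and the wrapper has no way to tell them apart. A one-line note above the block would prevent misuse: `/* NOTE: several flags below alias the same bit; the meaning depends on the call (VirtualProtect/CFG vs. file mapping vs. enclave), so never OR aliases together */`. It is also worth stating that these are unconditional `#define`s: a translation unit that includes both this header and winnt.h will see redefinitions, which is only benign while the values stay byte-identical.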
@@ -48,7 +48,7 @@ typedef struct _ALPC_DATA_VIEW_ATTR * PALPC_DATA_VIEW_ATTR; typedef struct _ALPC_SECURITY_ATTR * PALPC_SECURITY_ATTR; typedef HANDLE PALPC_HANDLE; -// Proccess & Thread Types +/* Proccess & Thread Types */ typedef struct _OBJECT_TYPE * POBJECT_TYPE; typedef NTSTATUS * PNTSTATUS; typedef HANDLE AUDIT_EVENT_HANDLE; 
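Review bot: The section comment carries the misspelling `Proccess` over into the rewritten line; since the line is already being touched, make it `/* Process & Thread Types */`. Nothing else in the hunk changes.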
@@ -60,60 +60,60 @@ typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION * PTOKEN_SECURITY_ATTRIBUT typedef struct _OBJECT_ATTRIBUTES * PCOBJECT_ATTRIBUTES; typedef enum _MEMORY_RESERVE_TYPE MEMORY_RESERVE_TYPE; -// Enum Classes & Types -> +/* Enum Classes & Types -> */ -// ALPC Message Information Classes +/* ALPC Message Information Classes */ typedef enum _ALPC_MESSAGE_INFORMATION_CLASS { - AlpcMessageSidInformation, // q: out SID - AlpcMessageTokenModifiedIdInformation, // q: out LUID + AlpcMessageSidInformation, /* q: out SID */ + AlpcMessageTokenModifiedIdInformation, /* q: out LUID */ AlpcMessageDirectStatusInformation, - AlpcMessageHandleInformation, // ALPC_MESSAGE_HANDLE_INFORMATION + AlpcMessageHandleInformation, /* ALPC_MESSAGE_HANDLE_INFORMATION */ MaxAlpcMessageInfoClass } ALPC_MESSAGE_INFORMATION_CLASS, * PALPC_MESSAGE_INFORMATION_CLASS; -// ALPC Port Information Classes +/* ALPC Port Information Classes */ typedef enum _ALPC_PORT_INFORMATION_CLASS { - AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION - AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES - AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT - AlpcConnectedSIDInformation, // q: in SID - AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION - AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION - AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION - AlpcUnregisterCompletionListInformation, // s: VOID - AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG - AlpcRegisterCallbackInformation, // s: ALPC_REGISTER_CALLBACK // kernel-mode only - AlpcCompletionListRundownInformation, // s: VOID // 10 + AlpcBasicInformation, /* q: out ALPC_BASIC_INFORMATION */ + AlpcPortInformation, /* s: in ALPC_PORT_ATTRIBUTES */ + AlpcAssociateCompletionPortInformation, /* s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT */ + AlpcConnectedSIDInformation, /* q: in SID */ + AlpcServerInformation, /* q: inout 
ALPC_SERVER_INFORMATION */ + AlpcMessageZoneInformation, /* s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION */ + AlpcRegisterCompletionListInformation, /* s: in ALPC_PORT_COMPLETION_LIST_INFORMATION */ + AlpcUnregisterCompletionListInformation, /* s: VOID */ + AlpcAdjustCompletionListConcurrencyCountInformation, /* s: in ULONG */ + AlpcRegisterCallbackInformation, /* s: ALPC_REGISTER_CALLBACK, kernel-mode only */ + AlpcCompletionListRundownInformation, /* s: VOID, 10 */ AlpcWaitForPortReferences, - AlpcServerSessionInformation // q: ALPC_SERVER_SESSION_INFORMATION // since 19H2 + AlpcServerSessionInformation /* q: ALPC_SERVER_SESSION_INFORMATION, since 19H2 */ } ALPC_PORT_INFORMATION_CLASS; -// Atom Information Classes +/* Atom Information Classes */ typedef enum _ATOM_INFORMATION_CLASS { AtomBasicInformation, AtomTableInformation } ATOM_INFORMATION_CLASS; -// CPU Partition Information Classes +/* CPU Partition Information Classes */ typedef enum _CPU_PARTITION_INFORMATION_CLASS { - CpuPartitionBasicInformation, // q: BASIC_CPU_PARTITION_INFORMATION - CpuPartitionPerformanceInformation, // q: CPU_PARTITION_PERFORMANCE_INFORMATION - CpuPartitionTopologyInformation, // q: CPU_PARTITION_TOPOLOGY_INFORMATION - CpuPartitionAffinityInformation, // q; s: CPU_PARTITION_AFFINITY_INFORMATION - CpuPartitionPolicyInformation, // q; s: CPU_PARTITION_POLICY_INFORMATION - CpuPartitionSchedulingInformation, // q: CPU_PARTITION_SCHEDULING_INFORMATION - CpuPartitionResourceControl, // s: CPU_PARTITION_RESOURCE_CONTROL_INFORMATION - CpuPartitionPowerManagement, // q; s: CPU_PARTITION_POWER_MANAGEMENT_INFORMATION - CpuPartitionStatistics, // q: CPU_PARTITION_STATISTICS_INFORMATION - CpuPartitionDebugInformation, // q: CPU_PARTITION_DEBUG_INFORMATION + CpuPartitionBasicInformation, /* q: BASIC_CPU_PARTITION_INFORMATION */ + CpuPartitionPerformanceInformation, /* q: CPU_PARTITION_PERFORMANCE_INFORMATION */ + CpuPartitionTopologyInformation, /* q: CPU_PARTITION_TOPOLOGY_INFORMATION */ + 
CpuPartitionAffinityInformation, /* q; s: CPU_PARTITION_AFFINITY_INFORMATION */ + CpuPartitionPolicyInformation, /* q; s: CPU_PARTITION_POLICY_INFORMATION */ + CpuPartitionSchedulingInformation, /* q: CPU_PARTITION_SCHEDULING_INFORMATION */ + CpuPartitionResourceControl, /* s: CPU_PARTITION_RESOURCE_CONTROL_INFORMATION */ + CpuPartitionPowerManagement, /* q; s: CPU_PARTITION_POWER_MANAGEMENT_INFORMATION */ + CpuPartitionStatistics, /* q: CPU_PARTITION_STATISTICS_INFORMATION */ + CpuPartitionDebugInformation, /* q: CPU_PARTITION_DEBUG_INFORMATION */ CpuPartitionMax } CPU_PARTITION_INFORMATION_CLASS, * PCPU_PARTITION_INFORMATION_CLASS; -// Debug States +/* Debug States */ typedef enum _DBG_STATE { DbgIdle, 
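Review bot: The context line at the top of this hunk, `typedef struct _OBJECT_ATTRIBUTES * PCOBJECT_ATTRIBUTES;`, declares a pointer to non-const even though the `PC` prefix and this file's own `typedef const GUID * LPCGUID;` convention signal pointer-to-const, so a callee can mutate an `OBJECT_ATTRIBUTES` received through a `PCOBJECT_ATTRIBUTES` parameter without any cast. `typedef const struct _OBJECT_ATTRIBUTES * PCOBJECT_ATTRIBUTES;` restores the intended contract; if existing callers depend on the non-const form, at least a comment flagging the deviation would stop it being copied. Separately, the `q:`/`s:` shorthand used throughout the enum comments is never explained in this header; judging by `q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA` further down it means query/set, and a legend above the first enum, e.g. `/* q: = query class (buffer type returned), s: = set class (buffer type accepted) */`, would help readers.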
@@ -129,48 +129,48 @@ typedef enum _DBG_STATE DbgUnloadDllStateChange } DBG_STATE, * PDBG_STATE; -// Debug Object Information Classes +/* Debug Object Information Classes */ typedef enum _DEBUGOBJECTINFOCLASS { DebugObjectUnusedInformation, - DebugObjectKillProcessOnExitInformation, // s: ULONG + DebugObjectKillProcessOnExitInformation, /* s: ULONG */ MaxDebugObjectInfoClass } DEBUGOBJECTINFOCLASS, * PDEBUGOBJECTINFOCLASS; -// Directory Notify Information Classes +/* Directory Notify Information Classes */ typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS { DirectoryNotifyInformation, DirectoryNotifyInformationEx, DirectoryNotifyInformationMax } DIRECTORY_NOTIFY_INFORMATION_CLASS; -// ETW Trace Control Codes +/* ETW Trace Control Codes */ typedef enum _ETWTRACECONTROLCODE { - EtwStartLoggerCode = 1, // inout WMI_LOGGER_INFORMATION - EtwStopLoggerCode = 2, // inout WMI_LOGGER_INFORMATION - EtwQueryLoggerCode = 3, // inout WMI_LOGGER_INFORMATION - EtwUpdateLoggerCode = 4, // inout WMI_LOGGER_INFORMATION - EtwFlushLoggerCode = 5, // inout WMI_LOGGER_INFORMATION - EtwIncrementLoggerFile = 6, // inout WMI_LOGGER_INFORMATION - EtwRealtimeTransition = 7, // inout WMI_LOGGER_INFORMATION - // reserved + EtwStartLoggerCode = 1, /* inout WMI_LOGGER_INFORMATION */ + EtwStopLoggerCode = 2, /* inout WMI_LOGGER_INFORMATION */ + EtwQueryLoggerCode = 3, /* inout WMI_LOGGER_INFORMATION */ + EtwUpdateLoggerCode = 4, /* inout WMI_LOGGER_INFORMATION */ + EtwFlushLoggerCode = 5, /* inout WMI_LOGGER_INFORMATION */ + EtwIncrementLoggerFile = 6, /* inout WMI_LOGGER_INFORMATION */ + EtwRealtimeTransition = 7, /* inout WMI_LOGGER_INFORMATION */ + /* reserved */ EtwRealtimeConnectCode = 11, EtwActivityIdCreate = 12, EtwWdiScenarioCode = 13, - EtwRealtimeDisconnectCode = 14, // in HANDLE + EtwRealtimeDisconnectCode = 14, /* in HANDLE */ EtwRegisterGuidsCode = 15, EtwReceiveNotification = 16, - EtwSendDataBlock = 17, // ETW_ENABLE_NOTIFICATION_PACKET // ETW_SESSION_NOTIFICATION_PACKET + 
EtwSendDataBlock = 17, /* ETW_ENABLE_NOTIFICATION_PACKET, ETW_SESSION_NOTIFICATION_PACKET */ EtwSendReplyDataBlock = 18, EtwReceiveReplyDataBlock = 19, EtwWdiSemUpdate = 20, - EtwEnumTraceGuidList = 21, // out GUID[] - EtwGetTraceGuidInfo = 22, // in GUID, out ETW_TRACE_GUID_INFO - EtwEnumerateTraceGuids = 23, // out TRACE_GUID_PROPERTIES[] + EtwEnumTraceGuidList = 21, /* out GUID[] */ + EtwGetTraceGuidInfo = 22, /* in GUID, out ETW_TRACE_GUID_INFO */ + EtwEnumerateTraceGuids = 23, /* out TRACE_GUID_PROPERTIES[] */ EtwRegisterSecurityProv = 24, - EtwReferenceTimeCode = 25, // in ULONG LoggerId, out ETW_REF_CLOCK - EtwTrackBinaryCode = 26, // in HANDLE + EtwReferenceTimeCode = 25, /* in ULONG LoggerId, out ETW_REF_CLOCK */ + EtwTrackBinaryCode = 26, /* in HANDLE */ EtwAddNotificationEvent = 27, EtwUpdateDisallowList = 28, EtwSetEnableAllKeywordsCode = 29, @@ -186,26 +186,26 @@ typedef enum _ETWTRACECONTROLCODE EtwRegisterPrivateSession = 39, EtwQuerySessionDemuxObject = 40, EtwSetProviderBinaryTracking = 41, - EtwMaxLoggers = 42, // out ULONG - EtwMaxPmcCounter = 43, // out ULONG - EtwQueryUsedProcessorCount = 44, // ULONG // since WIN11 + EtwMaxLoggers = 42, /* out ULONG */ + EtwMaxPmcCounter = 43, /* out ULONG */ + EtwQueryUsedProcessorCount = 44, /* ULONG, since WIN11 */ EtwGetPmcOwnership = 45, EtwGetPmcSessions = 46, } ETWTRACECONTROLCODE; -// Event Information Classes +/* Event Information Classes */ typedef enum _EVENT_INFORMATION_CLASS { EventBasicInformation } EVENT_INFORMATION_CLASS; -// Event Types +/* Event Types */ typedef enum _EVENT_TYPE { NotificationEvent, SynchronizationEvent, } EVENT_TYPE; -// Filter Boot Option Operations +/* Filter Boot Option Operations */ typedef enum _FILTER_BOOT_OPTION_OPERATION { FilterBootOptionAdd, FilterBootOptionRemove, 
@@ -213,34 +213,34 @@ typedef enum _FILTER_BOOT_OPTION_OPERATION { FilterBootOptionQuery } FILTER_BOOT_OPTION_OPERATION; -// File System Information Classes +/* File System Information Classes */ typedef enum _FSINFOCLASS { - FileFsVolumeInformation = 1, // q: FILE_FS_VOLUME_INFORMATION - FileFsLabelInformation, // s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) - FileFsSizeInformation, // q: FILE_FS_SIZE_INFORMATION - FileFsDeviceInformation, // q: FILE_FS_DEVICE_INFORMATION - FileFsAttributeInformation, // q: FILE_FS_ATTRIBUTE_INFORMATION - FileFsControlInformation, // q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) - FileFsFullSizeInformation, // q: FILE_FS_FULL_SIZE_INFORMATION - FileFsObjectIdInformation, // q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) - FileFsDriverPathInformation, // q: FILE_FS_DRIVER_PATH_INFORMATION - FileFsVolumeFlagsInformation, // q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume) // 10 - FileFsSectorSizeInformation, // q: FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8 - FileFsDataCopyInformation, // q: FILE_FS_DATA_COPY_INFORMATION - FileFsMetadataSizeInformation, // q: FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD - FileFsFullSizeInformationEx, // q: FILE_FS_FULL_SIZE_INFORMATION_EX // since REDSTONE5 - FileFsGuidInformation, // q: FILE_FS_GUID_INFORMATION // since 23H2 + FileFsVolumeInformation = 1, /* q: FILE_FS_VOLUME_INFORMATION */ + FileFsLabelInformation, /* s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) */ + FileFsSizeInformation, /* q: FILE_FS_SIZE_INFORMATION */ + FileFsDeviceInformation, /* q: FILE_FS_DEVICE_INFORMATION */ + FileFsAttributeInformation, /* q: FILE_FS_ATTRIBUTE_INFORMATION */ + FileFsControlInformation, /* q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) */ + 
FileFsFullSizeInformation, /* q: FILE_FS_FULL_SIZE_INFORMATION */ + FileFsObjectIdInformation, /* q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) */ + FileFsDriverPathInformation, /* q: FILE_FS_DRIVER_PATH_INFORMATION */ + FileFsVolumeFlagsInformation, /* q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume), 10 */ + FileFsSectorSizeInformation, /* q: FILE_FS_SECTOR_SIZE_INFORMATION, since WIN8 */ + FileFsDataCopyInformation, /* q: FILE_FS_DATA_COPY_INFORMATION */ + FileFsMetadataSizeInformation, /* q: FILE_FS_METADATA_SIZE_INFORMATION, since THRESHOLD */ + FileFsFullSizeInformationEx, /* q: FILE_FS_FULL_SIZE_INFORMATION_EX, since REDSTONE5 */ + FileFsGuidInformation, /* q: FILE_FS_GUID_INFORMATION, since 23H2 */ FileFsMaximumInformation } FSINFOCLASS, * PFSINFOCLASS; -// IO Completion Information Classes +/* IO Completion Information Classes */ typedef enum _IO_COMPLETION_INFORMATION_CLASS { IoCompletionBasicInformation } IO_COMPLETION_INFORMATION_CLASS; -// IO Session Events +/* IO Session Events */ typedef enum _IO_SESSION_EVENT { IoSessionEventIgnore, @@ -253,7 +253,7 @@ typedef enum _IO_SESSION_EVENT IoSessionEventMax } IO_SESSION_EVENT; -// IO Session States +/* IO Session States */ typedef enum _IO_SESSION_STATE { IoSessionStateCreated = 1, 
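Review bot: In the FSINFOCLASS rewrite the trailing ordinal markers (`// 10` in the old text) were folded into the descriptive comment, so `FileFsVolumeFlagsInformation, /* ... FILE_WRITE_ATTRIBUTES to volume), 10 */` now reads as if `10` were part of the access requirement; the same happens to `/* s: VOID, 10 */` in the ALPC enum earlier in this file. Keep the ordinal visibly separate, e.g. `/* q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (...) */ /* = 10 */`, or drop it since the enumerator value is implicit. The `since WIN8`/`since THRESHOLD` tags are equally ambiguous after a bare comma; a consistent separator such as ` -- since WIN8` would make them unmistakable.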
@@ -267,35 +267,35 @@ typedef enum _IO_SESSION_STATE IoSessionStateMax } IO_SESSION_STATE; -// Key Information Classes +/* Key Information Classes */ typedef enum _KEY_INFORMATION_CLASS { - KeyBasicInformation, // KEY_BASIC_INFORMATION - KeyNodeInformation, // KEY_NODE_INFORMATION - KeyFullInformation, // KEY_FULL_INFORMATION - KeyNameInformation, // KEY_NAME_INFORMATION - KeyCachedInformation, // KEY_CACHED_INFORMATION - KeyFlagsInformation, // KEY_FLAGS_INFORMATION - KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION - KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION - KeyTrustInformation, // KEY_TRUST_INFORMATION - KeyLayerInformation, // KEY_LAYER_INFORMATION + KeyBasicInformation, /* KEY_BASIC_INFORMATION */ + KeyNodeInformation, /* KEY_NODE_INFORMATION */ + KeyFullInformation, /* KEY_FULL_INFORMATION */ + KeyNameInformation, /* KEY_NAME_INFORMATION */ + KeyCachedInformation, /* KEY_CACHED_INFORMATION */ + KeyFlagsInformation, /* KEY_FLAGS_INFORMATION */ + KeyVirtualizationInformation, /* KEY_VIRTUALIZATION_INFORMATION */ + KeyHandleTagsInformation, /* KEY_HANDLE_TAGS_INFORMATION */ + KeyTrustInformation, /* KEY_TRUST_INFORMATION */ + KeyLayerInformation, /* KEY_LAYER_INFORMATION */ MaxKeyInfoClass } KEY_INFORMATION_CLASS; -// Key Value Information Classes +/* Key Value Information Classes */ typedef enum _KEY_VALUE_INFORMATION_CLASS { - KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION - KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION - KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION + KeyValueBasicInformation, /* KEY_VALUE_BASIC_INFORMATION */ + KeyValueFullInformation, /* KEY_VALUE_FULL_INFORMATION */ + KeyValuePartialInformation, /* KEY_VALUE_PARTIAL_INFORMATION */ KeyValueFullInformationAlign64, - KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 - KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION + KeyValuePartialInformationAlign64, /* KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 
*/ + KeyValueLayerInformation, /* KEY_VALUE_LAYER_INFORMATION */ MaxKeyValueInfoClass } KEY_VALUE_INFORMATION_CLASS; -// KProfile Sources +/* KProfile Sources */ typedef enum _KPROFILE_SOURCE { ProfileTime, ProfileAlignmentFaults, @@ -309,7 +309,7 @@ typedef enum _KPROFILE_SOURCE { ProfileMaximum } KPROFILE_SOURCE; -// KThread State +/* KThread State */ typedef enum _KTHREAD_STATE { Initialized, 
@@ -325,77 +325,77 @@ typedef enum _KTHREAD_STATE MaximumThreadState } KTHREAD_STATE, *PKTHREAD_STATE; -// KWait Reason +/* KWait Reason */ typedef enum _KWAIT_REASON { - Executive, // Waiting for an executive event. - FreePage, // Waiting for a free page. - PageIn, // Waiting for a page to be read in. - PoolAllocation, // Waiting for a pool allocation. - DelayExecution, // Waiting due to a delay execution. // NtDelayExecution - Suspended, // Waiting because the thread is suspended. // NtSuspendThread - UserRequest, // Waiting due to a user request. // NtWaitForSingleObject - WrExecutive, // Waiting for an executive event. - WrFreePage, // Waiting for a free page. - WrPageIn, // Waiting for a page to be read in. - WrPoolAllocation, // Waiting for a pool allocation. - WrDelayExecution, // Waiting due to a delay execution. - WrSuspended, // Waiting because the thread is suspended. - WrUserRequest, // Waiting due to a user request. - WrEventPair, // Waiting for an event pair. // NtCreateEventPair - WrQueue, // Waiting for a queue. // NtRemoveIoCompletion - WrLpcReceive, // Waiting for an LPC receive. - WrLpcReply, // Waiting for an LPC reply. - WrVirtualMemory, // Waiting for virtual memory. - WrPageOut, // Waiting for a page to be written out. - WrRendezvous, // Waiting for a rendezvous. - WrKeyedEvent, // Waiting for a keyed event. // NtCreateKeyedEvent - WrTerminated, // Waiting for thread termination. - WrProcessInSwap, // Waiting for a process to be swapped in. - WrCpuRateControl, // Waiting for CPU rate control. - WrCalloutStack, // Waiting for a callout stack. - WrKernel, // Waiting for a kernel event. - WrResource, // Waiting for a resource. - WrPushLock, // Waiting for a push lock. - WrMutex, // Waiting for a mutex. - WrQuantumEnd, // Waiting for the end of a quantum. - WrDispatchInt, // Waiting for a dispatch interrupt. - WrPreempted, // Waiting because the thread was preempted. - WrYieldExecution, // Waiting to yield execution. 
- WrFastMutex, // Waiting for a fast mutex. - WrGuardedMutex, // Waiting for a guarded mutex. - WrRundown, // Waiting for a rundown. - WrAlertByThreadId, // Waiting for an alert by thread ID. - WrDeferredPreempt, // Waiting for a deferred preemption. - WrPhysicalFault, // Waiting for a physical fault. - WrIoRing, // Waiting for an I/O ring. - WrMdlCache, // Waiting for an MDL cache. - WrRcu, // Waiting for read-copy-update (RCU) synchronization. + Executive, /* Waiting for an executive event. */ + FreePage, /* Waiting for a free page. */ + PageIn, /* Waiting for a page to be read in. */ + PoolAllocation, /* Waiting for a pool allocation. */ + DelayExecution, /* Waiting due to a delay execution. NtDelayExecution */ + Suspended, /* Waiting because the thread is suspended. NtSuspendThread */ + UserRequest, /* Waiting due to a user request. NtWaitForSingleObject */ + WrExecutive, /* Waiting for an executive event. */ + WrFreePage, /* Waiting for a free page. */ + WrPageIn, /* Waiting for a page to be read in. */ + WrPoolAllocation, /* Waiting for a pool allocation. */ + WrDelayExecution, /* Waiting due to a delay execution. */ + WrSuspended, /* Waiting because the thread is suspended. */ + WrUserRequest, /* Waiting due to a user request. */ + WrEventPair, /* Waiting for an event pair. NtCreateEventPair */ + WrQueue, /* Waiting for a queue. NtRemoveIoCompletion */ + WrLpcReceive, /* Waiting for an LPC receive. */ + WrLpcReply, /* Waiting for an LPC reply. */ + WrVirtualMemory, /* Waiting for virtual memory. */ + WrPageOut, /* Waiting for a page to be written out. */ + WrRendezvous, /* Waiting for a rendezvous. */ + WrKeyedEvent, /* Waiting for a keyed event. NtCreateKeyedEvent */ + WrTerminated, /* Waiting for thread termination. */ + WrProcessInSwap, /* Waiting for a process to be swapped in. */ + WrCpuRateControl, /* Waiting for CPU rate control. */ + WrCalloutStack, /* Waiting for a callout stack. */ + WrKernel, /* Waiting for a kernel event. 
*/ + WrResource, /* Waiting for a resource. */ + WrPushLock, /* Waiting for a push lock. */ + WrMutex, /* Waiting for a mutex. */ + WrQuantumEnd, /* Waiting for the end of a quantum. */ + WrDispatchInt, /* Waiting for a dispatch interrupt. */ + WrPreempted, /* Waiting because the thread was preempted. */ + WrYieldExecution, /* Waiting to yield execution. */ + WrFastMutex, /* Waiting for a fast mutex. */ + WrGuardedMutex, /* Waiting for a guarded mutex. */ + WrRundown, /* Waiting for a rundown. */ + WrAlertByThreadId, /* Waiting for an alert by thread ID. */ + WrDeferredPreempt, /* Waiting for a deferred preemption. */ + WrPhysicalFault, /* Waiting for a physical fault. */ + WrIoRing, /* Waiting for an I/O ring. */ + WrMdlCache, /* Waiting for an MDL cache. */ + WrRcu, /* Waiting for read-copy-update (RCU) synchronization. */ MaximumWaitReason } KWAIT_REASON, *PKWAIT_REASON; -// Memory Information CLasses +/* Memory Information CLasses */ typedef enum _MEMORY_INFORMATION_CLASS { - MemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION - MemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION - MemoryMappedFilenameInformation, // q: UNICODE_STRING - MemoryRegionInformation, // q: MEMORY_REGION_INFORMATION - MemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA - MemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8 - MemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION - MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION - MemoryPrivilegedBasicInformation, // MEMORY_BASIC_INFORMATION - MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 - MemoryBasicInformationCapped, // 10 - MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 - MemoryBadInformation, // since WIN11 - MemoryBadInformationAllProcesses, // since 22H1 - MemoryImageExtensionInformation, // MEMORY_IMAGE_EXTENSION_INFORMATION // since 24H2 + 
MemoryBasicInformation, /* q: MEMORY_BASIC_INFORMATION */ + MemoryWorkingSetInformation, /* q: MEMORY_WORKING_SET_INFORMATION */ + MemoryMappedFilenameInformation, /* q: UNICODE_STRING */ + MemoryRegionInformation, /* q: MEMORY_REGION_INFORMATION */ + MemoryWorkingSetExInformation, /* q: MEMORY_WORKING_SET_EX_INFORMATION, since VISTA */ + MemorySharedCommitInformation, /* q: MEMORY_SHARED_COMMIT_INFORMATION, since WIN8 */ + MemoryImageInformation, /* q: MEMORY_IMAGE_INFORMATION */ + MemoryRegionInformationEx, /* MEMORY_REGION_INFORMATION */ + MemoryPrivilegedBasicInformation, /* MEMORY_BASIC_INFORMATION */ + MemoryEnclaveImageInformation, /* MEMORY_ENCLAVE_IMAGE_INFORMATION, since REDSTONE3 */ + MemoryBasicInformationCapped, /* 10 */ + MemoryPhysicalContiguityInformation, /* MEMORY_PHYSICAL_CONTIGUITY_INFORMATION, since 20H1 */ + MemoryBadInformation, /* since WIN11 */ + MemoryBadInformationAllProcesses, /* since 22H1 */ + MemoryImageExtensionInformation, /* MEMORY_IMAGE_EXTENSION_INFORMATION, since 24H2 */ MaxMemoryInfoClass } MEMORY_INFORMATION_CLASS; -// Memory Reserve Type +/* Memory Reserve Type */ typedef enum _MEMORY_RESERVE_TYPE { MemoryReserveUserApc, 
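Review bot: The rewritten heading `/* Memory Information CLasses */` carries over the capitalisation typo from the old `// Memory Information CLasses` line; since this hunk already replaces that line, it should read `/* Memory Information Classes */`. The same carried-over typo appears in the `@@ -403,72 +403,72 @@` hunk, where `/* Partition Information Classses */` should become `/* Partition Information Classes */`.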
@@ -403,72 +403,72 @@ typedef enum _MEMORY_RESERVE_TYPE MemoryReserveTypeMax } MEMORY_RESERVE_TYPE; -// Mutant Information Classes +/* Mutant Information Classes */ typedef enum _MUTANT_INFORMATION_CLASS { - MutantBasicInformation, // MUTANT_BASIC_INFORMATION - MutantOwnerInformation // MUTANT_OWNER_INFORMATION + MutantBasicInformation, /* MUTANT_BASIC_INFORMATION */ + MutantOwnerInformation /* MUTANT_OWNER_INFORMATION */ } MUTANT_INFORMATION_CLASS; -// Partition Information Classses +/* Partition Information Classses */ typedef enum _PARTITION_INFORMATION_CLASS { - SystemMemoryPartitionInformation, // q: MEMORY_PARTITION_CONFIGURATION_INFORMATION - SystemMemoryPartitionMoveMemory, // s: MEMORY_PARTITION_TRANSFER_INFORMATION - SystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION - SystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION - SystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION - SystemMemoryPartitionGetMemoryEvents, // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2 + SystemMemoryPartitionInformation, /* q: MEMORY_PARTITION_CONFIGURATION_INFORMATION */ + SystemMemoryPartitionMoveMemory, /* s: MEMORY_PARTITION_TRANSFER_INFORMATION */ + SystemMemoryPartitionAddPagefile, /* s: MEMORY_PARTITION_PAGEFILE_INFORMATION */ + SystemMemoryPartitionCombineMemory, /* q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION */ + SystemMemoryPartitionInitialAddMemory, /* q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION */ + SystemMemoryPartitionGetMemoryEvents, /* MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION */ /* since REDSTONE2 */ SystemMemoryPartitionSetAttributes, SystemMemoryPartitionNodeInformation, SystemMemoryPartitionCreateLargePages, SystemMemoryPartitionDedicatedMemoryInformation, - SystemMemoryPartitionOpenDedicatedMemory, // 10 + SystemMemoryPartitionOpenDedicatedMemory, /* 10 */ SystemMemoryPartitionMemoryChargeAttributes, SystemMemoryPartitionClearAttributes, - 
SystemMemoryPartitionSetMemoryThresholds, // since WIN11 - SystemMemoryPartitionMemoryListCommand, // since 24H2 + SystemMemoryPartitionSetMemoryThresholds, /* since WIN11 */ + SystemMemoryPartitionMemoryListCommand, /* since 24H2 */ SystemMemoryPartitionMax } PARTITION_INFORMATION_CLASS, * PPARTITION_INFORMATION_CLASS; -// PlugPlay Control Classes +/* PlugPlay Control Classes */ typedef enum _PLUGPLAY_CONTROL_CLASS { - PlugPlayControlEnumerateDevice, // PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA - PlugPlayControlRegisterNewDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlDeregisterDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlInitializeDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlStartDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlUnlockDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlQueryAndRemoveDevice, // PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA - PlugPlayControlUserResponse, // PLUGPLAY_CONTROL_USER_RESPONSE_DATA - PlugPlayControlGenerateLegacyDevice, // PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA - PlugPlayControlGetInterfaceDeviceList, // PLUGPLAY_CONTROL_INTERFACE_LIST_DATA - PlugPlayControlProperty, // PLUGPLAY_CONTROL_PROPERTY_DATA - PlugPlayControlDeviceClassAssociation, // PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA - PlugPlayControlGetRelatedDevice, // PLUGPLAY_CONTROL_RELATED_DEVICE_DATA - PlugPlayControlGetInterfaceDeviceAlias, // PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA - PlugPlayControlDeviceStatus, // PLUGPLAY_CONTROL_STATUS_DATA - PlugPlayControlGetDeviceDepth, // PLUGPLAY_CONTROL_DEPTH_DATA - PlugPlayControlQueryDeviceRelations, // PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA - PlugPlayControlTargetDeviceRelation, // PLUGPLAY_CONTROL_TARGET_RELATION_DATA - PlugPlayControlQueryConflictList, // PLUGPLAY_CONTROL_CONFLICT_LIST - PlugPlayControlRetrieveDock, // PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA - PlugPlayControlResetDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - 
PlugPlayControlHaltDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlGetBlockedDriverList, // PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA - PlugPlayControlGetDeviceInterfaceEnabled, // PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED + PlugPlayControlEnumerateDevice, /* PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA */ + PlugPlayControlRegisterNewDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlDeregisterDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlInitializeDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlStartDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlUnlockDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlQueryAndRemoveDevice, /* PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA */ + PlugPlayControlUserResponse, /* PLUGPLAY_CONTROL_USER_RESPONSE_DATA */ + PlugPlayControlGenerateLegacyDevice, /* PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA */ + PlugPlayControlGetInterfaceDeviceList, /* PLUGPLAY_CONTROL_INTERFACE_LIST_DATA */ + PlugPlayControlProperty, /* PLUGPLAY_CONTROL_PROPERTY_DATA */ + PlugPlayControlDeviceClassAssociation, /* PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA */ + PlugPlayControlGetRelatedDevice, /* PLUGPLAY_CONTROL_RELATED_DEVICE_DATA */ + PlugPlayControlGetInterfaceDeviceAlias, /* PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA */ + PlugPlayControlDeviceStatus, /* PLUGPLAY_CONTROL_STATUS_DATA */ + PlugPlayControlGetDeviceDepth, /* PLUGPLAY_CONTROL_DEPTH_DATA */ + PlugPlayControlQueryDeviceRelations, /* PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA */ + PlugPlayControlTargetDeviceRelation, /* PLUGPLAY_CONTROL_TARGET_RELATION_DATA */ + PlugPlayControlQueryConflictList, /* PLUGPLAY_CONTROL_CONFLICT_LIST */ + PlugPlayControlRetrieveDock, /* PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA */ + PlugPlayControlResetDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlHaltDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlGetBlockedDriverList, /* 
PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA */ + PlugPlayControlGetDeviceInterfaceEnabled, /* PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED */ MaxPlugPlayControl } PLUGPLAY_CONTROL_CLASS, * PPLUGPLAY_CONTROL_CLASS; -// Port Information Classes +/* Port Information Classes */ typedef enum _PORT_INFORMATION_CLASS { PortBasicInformation, PortDumpInformation } PORT_INFORMATION_CLASS; -// Process State Change Types +/* Process State Change Types */ typedef enum _PROCESS_STATE_CHANGE_TYPE { ProcessStateChangeSuspend, @@ -476,7 +476,7 @@ typedef enum _PROCESS_STATE_CHANGE_TYPE ProcessStateChangeMax, } PROCESS_STATE_CHANGE_TYPE, * PPROCESS_STATE_CHANGE_TYPE; -// PS Create States +/* PS Create States */ typedef enum _PS_CREATE_STATE { PsCreateInitialState, 
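Review bot: `SystemMemoryPartitionGetMemoryEvents` ends up with two adjacent block comments, `/* MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION */ /* since REDSTONE2 */`, while every other converted member in this patch folds the version tag into a single comment separated by a comma (for example `FileFsSectorSizeInformation, /* q: FILE_FS_SECTOR_SIZE_INFORMATION, since WIN8 */`). For consistency the line should be `SystemMemoryPartitionGetMemoryEvents, /* MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, since REDSTONE2 */`.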
@@ -484,30 +484,30 @@ typedef enum _PS_CREATE_STATE PsCreateFailOnSectionCreate, PsCreateFailExeFormat, PsCreateFailMachineMismatch, - PsCreateFailExeName, // Debugger specified + PsCreateFailExeName, /* Debugger specified */ PsCreateSuccess, PsCreateMaximumStates } PS_CREATE_STATE; -// Section Information Classes +/* Section Information Classes */ typedef enum _SECTION_INFORMATION_CLASS { - SectionBasicInformation, // q; SECTION_BASIC_INFORMATION - SectionImageInformation, // q; SECTION_IMAGE_INFORMATION - SectionRelocationInformation, // q; ULONG_PTR RelocationDelta // name:wow64:whNtQuerySection_SectionRelocationInformation // since WIN7 - SectionOriginalBaseInformation, // q; PVOID BaseAddress // since REDSTONE - SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2 + SectionBasicInformation, /* q; SECTION_BASIC_INFORMATION */ + SectionImageInformation, /* q; SECTION_IMAGE_INFORMATION */ + SectionRelocationInformation, /* q; ULONG_PTR RelocationDelta, name:wow64:whNtQuerySection_SectionRelocationInformation, since WIN7 */ + SectionOriginalBaseInformation, /* q; PVOID BaseAddress, since REDSTONE */ + SectionInternalImageInformation, /* SECTION_INTERNAL_IMAGE_INFORMATION, since REDSTONE2 */ MaxSectionInfoClass } SECTION_INFORMATION_CLASS; -// Section Inherit +/* Section Inherit */ typedef enum _SECTION_INHERIT { ViewShare = 1, ViewUnmap = 2 } SECTION_INHERIT; -// Secure Setting Value Types +/* Secure Setting Value Types */ typedef enum _SECURE_SETTING_VALUE_TYPE { SecureSettingValueTypeBoolean = 0, 
@@ -517,53 +517,53 @@ typedef enum _SECURE_SETTING_VALUE_TYPE SecureSettingValueTypeUnknown = 4 } SECURE_SETTING_VALUE_TYPE, * PSECURE_SETTING_VALUE_TYPE; -// Semaphore Information Classes +/* Semaphore Information Classes */ typedef enum _SEMAPHORE_INFORMATION_CLASS { SemaphoreBasicInformation } SEMAPHORE_INFORMATION_CLASS; -// Shutdown Actions +/* Shutdown Actions */ typedef enum _SHUTDOWN_ACTION { ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff, - ShutdownRebootForRecovery // since WIN11 + ShutdownRebootForRecovery /* since WIN11 */ } SHUTDOWN_ACTION; -// Symbolic Link Info Classes +/* Symbolic Link Info Classes */ typedef enum _SYMBOLIC_LINK_INFO_CLASS { - SymbolicLinkGlobalInformation = 1, // s: ULONG - SymbolicLinkAccessMask, // s: ACCESS_MASK + SymbolicLinkGlobalInformation = 1, /* s: ULONG */ + SymbolicLinkAccessMask, /* s: ACCESS_MASK */ MaxnSymbolicLinkInfoClass } SYMBOLIC_LINK_INFO_CLASS; -// SYSDBG Commands +/* SYSDBG Commands */ typedef enum _SYSDBG_COMMAND { SysDbgQueryModuleInformation, SysDbgQueryTraceInformation, SysDbgSetTracepoint, - SysDbgSetSpecialCall, // PVOID - SysDbgClearSpecialCalls, // void + SysDbgSetSpecialCall, /* PVOID */ + SysDbgClearSpecialCalls, /* void */ SysDbgQuerySpecialCalls, SysDbgBreakPoint, - SysDbgQueryVersion, // DBGKD_GET_VERSION64 - SysDbgReadVirtual, // SYSDBG_VIRTUAL - SysDbgWriteVirtual, // SYSDBG_VIRTUAL - SysDbgReadPhysical, // SYSDBG_PHYSICAL // 10 - SysDbgWritePhysical, // SYSDBG_PHYSICAL - SysDbgReadControlSpace, // SYSDBG_CONTROL_SPACE - SysDbgWriteControlSpace, // SYSDBG_CONTROL_SPACE - SysDbgReadIoSpace, // SYSDBG_IO_SPACE - SysDbgWriteIoSpace, // SYSDBG_IO_SPACE - SysDbgReadMsr, // SYSDBG_MSR - SysDbgWriteMsr, // SYSDBG_MSR - SysDbgReadBusData, // SYSDBG_BUS_DATA - SysDbgWriteBusData, // SYSDBG_BUS_DATA - SysDbgCheckLowMemory, // 20 + SysDbgQueryVersion, /* DBGKD_GET_VERSION64 */ + SysDbgReadVirtual, /* SYSDBG_VIRTUAL */ + SysDbgWriteVirtual, /* SYSDBG_VIRTUAL */ + SysDbgReadPhysical, /* SYSDBG_PHYSICAL, 
10 */ + SysDbgWritePhysical, /* SYSDBG_PHYSICAL */ + SysDbgReadControlSpace, /* SYSDBG_CONTROL_SPACE */ + SysDbgWriteControlSpace, /* SYSDBG_CONTROL_SPACE */ + SysDbgReadIoSpace, /* SYSDBG_IO_SPACE */ + SysDbgWriteIoSpace, /* SYSDBG_IO_SPACE */ + SysDbgReadMsr, /* SYSDBG_MSR */ + SysDbgWriteMsr, /* SYSDBG_MSR */ + SysDbgReadBusData, /* SYSDBG_BUS_DATA */ + SysDbgWriteBusData, /* SYSDBG_BUS_DATA */ + SysDbgCheckLowMemory, /* 20 */ SysDbgEnableKernelDebugger, SysDbgDisableKernelDebugger, SysDbgGetAutoKdEnable, @@ -572,20 +572,20 @@ typedef enum _SYSDBG_COMMAND SysDbgSetPrintBufferSize, SysDbgGetKdUmExceptionEnable, SysDbgSetKdUmExceptionEnable, - SysDbgGetTriageDump, // SYSDBG_TRIAGE_DUMP - SysDbgGetKdBlockEnable, // 30 + SysDbgGetTriageDump, /* SYSDBG_TRIAGE_DUMP */ + SysDbgGetKdBlockEnable, /* 30 */ SysDbgSetKdBlockEnable, SysDbgRegisterForUmBreakInfo, SysDbgGetUmBreakPid, SysDbgClearUmBreakPid, SysDbgGetUmAttachPid, SysDbgClearUmAttachPid, - SysDbgGetLiveKernelDump, // SYSDBG_LIVEDUMP_CONTROL - SysDbgKdPullRemoteFile, // SYSDBG_KD_PULL_REMOTE_FILE + SysDbgGetLiveKernelDump, /* SYSDBG_LIVEDUMP_CONTROL */ + SysDbgKdPullRemoteFile, /* SYSDBG_KD_PULL_REMOTE_FILE */ SysDbgMaxInfoClass } SYSDBG_COMMAND, * PSYSDBG_COMMAND; -// Thread State Change Types +/* Thread State Change Types */ typedef enum _THREAD_STATE_CHANGE_TYPE { ThreadStateChangeSuspend, 
@@ -593,26 +593,26 @@ typedef enum _THREAD_STATE_CHANGE_TYPE ThreadStateChangeMax, } THREAD_STATE_CHANGE_TYPE, * PTHREAD_STATE_CHANGE_TYPE; -// Timer Information Classes +/* Timer Information Classes */ typedef enum _TIMER_INFORMATION_CLASS { - TimerBasicInformation // TIMER_BASIC_INFORMATION + TimerBasicInformation /* TIMER_BASIC_INFORMATION */ } TIMER_INFORMATION_CLASS; -// Timer Set Information Classes +/* Timer Set Information Classes */ typedef enum _TIMER_SET_INFORMATION_CLASS { - TimerSetCoalescableTimer, // TIMER_SET_COALESCABLE_TIMER_INFO + TimerSetCoalescableTimer, /* TIMER_SET_COALESCABLE_TIMER_INFO */ MaxTimerInfoClass } TIMER_SET_INFORMATION_CLASS; -// Timer Types +/* Timer Types */ typedef enum _TIMER_TYPE { TimerNotification, TimerSynchronization } TIMER_TYPE; -// VDM Service Classes +/* VDM Service Classes */ typedef enum _VDMSERVICECLASS { VdmStartExecution, @@ -633,21 +633,21 @@ typedef enum _VDMSERVICECLASS VdmPreInitialize } VDMSERVICECLASS, * PVDMSERVICECLASS; -// Virtual Memory Information Classes +/* Virtual Memory Information Classes */ typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS { - VmPrefetchInformation, // MEMORY_PREFETCH_INFORMATION - VmPagePriorityInformation, // MEMORY_PAGE_PRIORITY_INFORMATION - VmCfgCallTargetInformation, // CFG_CALL_TARGET_LIST_INFORMATION // REDSTONE2 - VmPageDirtyStateInformation, // REDSTONE3 - VmImageHotPatchInformation, // 19H1 - VmPhysicalContiguityInformation, // 20H1 + VmPrefetchInformation, /* MEMORY_PREFETCH_INFORMATION */ + VmPagePriorityInformation, /* MEMORY_PAGE_PRIORITY_INFORMATION */ + VmCfgCallTargetInformation, /* CFG_CALL_TARGET_LIST_INFORMATION, REDSTONE2 */ + VmPageDirtyStateInformation, /* REDSTONE3 */ + VmImageHotPatchInformation, /* 19H1 */ + VmPhysicalContiguityInformation, /* 20H1 */ VmVirtualMachinePrepopulateInformation, VmRemoveFromWorkingSetInformation, MaxVmInfoClass } VIRTUAL_MEMORY_INFORMATION_CLASS; -// Wait Types +/* Wait Types */ typedef enum _WAIT_TYPE { WaitAll, 
@@ -657,18 +657,18 @@ typedef enum _WAIT_TYPE WaitDpc, } WAIT_TYPE; -// WNF Data Scope +/* WNF Data Scope */ typedef enum _WNF_DATA_SCOPE { WnfDataScopeSystem, WnfDataScopeSession, WnfDataScopeUser, WnfDataScopeProcess, - WnfDataScopeMachine, // REDSTONE3 - WnfDataScopePhysicalMachine, // WIN11 + WnfDataScopeMachine, /* REDSTONE3 */ + WnfDataScopePhysicalMachine, /* WIN11 */ } WNF_DATA_SCOPE; -// WNF State Name Information +/* WNF State Name Information */ typedef enum _WNF_STATE_NAME_INFORMATION { WnfInfoStateNameExist, @@ -676,7 +676,7 @@ typedef enum _WNF_STATE_NAME_INFORMATION WnfInfoIsQuiescent } WNF_STATE_NAME_INFORMATION; -// WNF State Name Lifetime +/* WNF State Name Lifetime */ typedef enum _WNF_STATE_NAME_LIFETIME { WnfWellKnownStateName, 
@@ -685,24 +685,24 @@ typedef enum _WNF_STATE_NAME_LIFETIME WnfTemporaryStateName } WNF_STATE_NAME_LIFETIME; -// Worker Factory Information Classes +/* Worker Factory Information Classes */ typedef enum _WORKERFACTORYINFOCLASS { - WorkerFactoryTimeout, // LARGE_INTEGER - WorkerFactoryRetryTimeout, // LARGE_INTEGER - WorkerFactoryIdleTimeout, // s: LARGE_INTEGER - WorkerFactoryBindingCount, // s: ULONG - WorkerFactoryThreadMinimum, // s: ULONG - WorkerFactoryThreadMaximum, // s: ULONG - WorkerFactoryPaused, // ULONG or BOOLEAN - WorkerFactoryBasicInformation, // q: WORKER_FACTORY_BASIC_INFORMATION + WorkerFactoryTimeout, /* LARGE_INTEGER */ + WorkerFactoryRetryTimeout, /* LARGE_INTEGER */ + WorkerFactoryIdleTimeout, /* s: LARGE_INTEGER */ + WorkerFactoryBindingCount, /* s: ULONG */ + WorkerFactoryThreadMinimum, /* s: ULONG */ + WorkerFactoryThreadMaximum, /* s: ULONG */ + WorkerFactoryPaused, /* ULONG or BOOLEAN */ + WorkerFactoryBasicInformation, /* q: WORKER_FACTORY_BASIC_INFORMATION */ WorkerFactoryAdjustThreadGoal, WorkerFactoryCallbackType, - WorkerFactoryStackInformation, // 10 - WorkerFactoryThreadBasePriority, // s: ULONG - WorkerFactoryTimeoutWaiters, // s: ULONG, since THRESHOLD - WorkerFactoryFlags, // s: ULONG - WorkerFactoryThreadSoftMaximum, // s: ULONG - WorkerFactoryThreadCpuSets, // since REDSTONE5 + WorkerFactoryStackInformation, /* 10 */ + WorkerFactoryThreadBasePriority, /* s: ULONG */ + WorkerFactoryTimeoutWaiters, /* s: ULONG, since THRESHOLD */ + WorkerFactoryFlags, /* s: ULONG */ + WorkerFactoryThreadSoftMaximum, /* s: ULONG */ + WorkerFactoryThreadCpuSets, /* since REDSTONE5 */ MaxWorkerFactoryInfoClass } WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS; \ No newline at end of file diff --git a/SysCaller/Wrapper/include/Sys/sysTypes.h b/SysCaller/Wrapper/include/Sys/sysTypes.h index 910dcdf..8caaa6e 100644 --- a/SysCaller/Wrapper/include/Sys/sysTypes.h +++ b/SysCaller/Wrapper/include/Sys/sysTypes.h 
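Review bot: The `\ No newline at end of file` marker shows that the closing line `} WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS;` still has no terminating line break after this change. Since the hunk already rewrites the tail of this enum, it is the natural place to add the newline; without it, some toolchains warn in pedantic mode and every future edit to the last line shows up as a two-line diff.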
@@ -4,11 +4,11 @@ #include "sysExternals.h" #include "sysConstants.h" -// #define USE_PISID // Uncomment this line to use PISID instead of PSID -#define USE_DYNAMIC_ARRAY // Uncomment this line to use dynamic array -#define USE_POINTER_SUBAUTH // Uncomment this line to use pointer to an array for SubAuthority +// #define USE_PISID /* Uncomment this line to use PISID instead of PSID */ +#define USE_DYNAMIC_ARRAY /* Uncomment this line to use dynamic array */ +#define USE_POINTER_SUBAUTH /* Uncomment this line to use pointer to an array for SubAuthority */ -// APC Routines +/* APC Routines */ typedef VOID(NTAPI * PPS_APC_ROUTINE)( _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, @@ -31,13 +31,13 @@ typedef VOID(NTAPI * IO_APC_ROUTINE)( _In_ ULONG Reserved ); -// User Thread Start Routine +/* User Thread Start Routine */ typedef VOID(*PUSER_THREAD_START_ROUTINE)(PVOID); -// Timer APC Routine +/* Timer APC Routine */ typedef TIMER_APC_ROUTINE* PTIMER_APC_ROUTINE; -// Boot Options +/* Boot Options */ typedef struct _BOOT_OPTIONS { ULONG Version; 
@@ -48,35 +48,35 @@ typedef struct _BOOT_OPTIONS WCHAR HeadlessRedirection[1]; } BOOT_OPTIONS, * PBOOT_OPTIONS; -// CM Extended Parameter +/* CM Extended Parameter */ typedef struct DECLSPEC_ALIGN(8) _CM_EXTENDED_PARAMETER { - // Bit field for the type of the extended parameter + /* Bit field for the type of the extended parameter */ struct { - ULONG64 Type : CM_EXTENDED_PARAMETER_TYPE_BITS; // Type of the extended parameter - ULONG64 Reserved : 64 - CM_EXTENDED_PARAMETER_TYPE_BITS; // Reserved bits for future use + ULONG64 Type : CM_EXTENDED_PARAMETER_TYPE_BITS; /* Type of the extended parameter */ + ULONG64 Reserved : 64 - CM_EXTENDED_PARAMETER_TYPE_BITS; /* Reserved bits for future use */ }; - // Union to hold different types of data + /* Union to hold different types of data */ union { - ULONG64 ULong64; // 64-bit unsigned long - PVOID Pointer; // Pointer to any type - SIZE_T Size; // Size type - HANDLE Handle; // Handle type - ULONG ULong; // 32-bit unsigned long - ACCESS_MASK AccessMask; // Access mask type + ULONG64 ULong64; /* 64-bit unsigned long */ + PVOID Pointer; /* Pointer to any type */ + SIZE_T Size; /* Size type */ + HANDLE Handle; /* Handle type */ + ULONG ULong; /* 32-bit unsigned long */ + ACCESS_MASK AccessMask; /* Access mask type */ }; } CM_EXTENDED_PARAMETER, * PCM_EXTENDED_PARAMETER; -// DBGKM Create Thread +/* DBGKM Create Thread */ typedef struct _DBGKM_CREATE_THREAD { ULONG SubSystemKey; PVOID StartAddress; } DBGKM_CREATE_THREAD, * PDBGKM_CREATE_THREAD; -// DBGKM Create Process +/* DBGKM Create Process */ typedef struct _DBGKM_CREATE_PROCESS { ULONG SubSystemKey; 
@@ -87,26 +87,26 @@ typedef struct _DBGKM_CREATE_PROCESS DBGKM_CREATE_THREAD InitialThread; } DBGKM_CREATE_PROCESS, * PDBGKM_CREATE_PROCESS; -// DBGKM Exception +/* DBGKM Exception */ typedef struct _DBGKM_EXCEPTION { EXCEPTION_RECORD ExceptionRecord; ULONG FirstChance; } DBGKM_EXCEPTION, * PDBGKM_EXCEPTION; -// DBGKM Exit Thread +/* DBGKM Exit Thread */ typedef struct _DBGKM_EXIT_THREAD { NTSTATUS ExitStatus; } DBGKM_EXIT_THREAD, * PDBGKM_EXIT_THREAD; -// DBGKM Exit Process +/* DBGKM Exit Process */ typedef struct _DBGKM_EXIT_PROCESS { NTSTATUS ExitStatus; } DBGKM_EXIT_PROCESS, * PDBGKM_EXIT_PROCESS; -// DBGKM Load DLL +/* DBGKM Load DLL */ typedef struct _DBGKM_LOAD_DLL { HANDLE FileHandle; @@ -116,20 +116,20 @@ typedef struct _DBGKM_LOAD_DLL PVOID NamePointer; } DBGKM_LOAD_DLL, * PDBGKM_LOAD_DLL; -// DBGKM Unload DLL +/* DBGKM Unload DLL */ typedef struct _DBGKM_UNLOAD_DLL { PVOID BaseAddress; } DBGKM_UNLOAD_DLL, * PDBGKM_UNLOAD_DLL; -// DBGUI Create Thread +/* DBGUI Create Thread */ typedef struct _DBGUI_CREATE_THREAD { HANDLE HandleToThread; DBGKM_CREATE_THREAD NewThread; } DBGUI_CREATE_THREAD, * PDBGUI_CREATE_THREAD; -// DBGUI Create Process +/* DBGUI Create Process */ typedef struct _DBGUI_CREATE_PROCESS { HANDLE HandleToProcess; @@ -137,7 +137,7 @@ typedef struct _DBGUI_CREATE_PROCESS DBGKM_CREATE_PROCESS NewProcess; } DBGUI_CREATE_PROCESS, * PDBGUI_CREATE_PROCESS; -// DBGUI Wait State Change +/* DBGUI Wait State Change */ typedef struct _DBGUI_WAIT_STATE_CHANGE { DBG_STATE NewState; 
@@ -154,17 +154,17 @@ typedef struct _DBGUI_WAIT_STATE_CHANGE } StateInfo; } DBGUI_WAIT_STATE_CHANGE, * PDBGUI_WAIT_STATE_CHANGE; -// File Basic Information +/* File Basic Information */ typedef struct _FILE_BASIC_INFORMATION { - LARGE_INTEGER CreationTime; // Specifies the time that the file was created. - LARGE_INTEGER LastAccessTime; // Specifies the time that the file was last accessed. - LARGE_INTEGER LastWriteTime; // Specifies the time that the file was last written to. - LARGE_INTEGER ChangeTime; // Specifies the last time the file was changed. - ULONG FileAttributes; // Specifies one or more FILE_ATTRIBUTE_XXX flags. + LARGE_INTEGER CreationTime; /* Specifies the time that the file was created. */ + LARGE_INTEGER LastAccessTime; /* Specifies the time that the file was last accessed. */ + LARGE_INTEGER LastWriteTime; /* Specifies the time that the file was last written to. */ + LARGE_INTEGER ChangeTime; /* Specifies the last time the file was changed. */ + ULONG FileAttributes; /* Specifies one or more FILE_ATTRIBUTE_XXX flags. */ } FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION; -// File IO Completion Information +/* File IO Completion Information */ typedef struct _FILE_IO_COMPLETION_INFORMATION { PVOID KeyContext; @@ -172,7 +172,7 @@ typedef struct _FILE_IO_COMPLETION_INFORMATION IO_STATUS_BLOCK IoStatusBlock; } FILE_IO_COMPLETION_INFORMATION, * PFILE_IO_COMPLETION_INFORMATION; -// File Network Open Information +/* File Network Open Information */ typedef struct _FILE_NETWORK_OPEN_INFORMATION { LARGE_INTEGER CreationTime; @@ -184,7 +184,7 @@ typedef struct _FILE_NETWORK_OPEN_INFORMATION ULONG FileAttributes; } FILE_NETWORK_OPEN_INFORMATION, * PFILE_NETWORK_OPEN_INFORMATION; -// File Path +/* File Path */ typedef struct _FILE_PATH { ULONG Version; @@ -193,7 +193,7 @@ typedef struct _FILE_PATH _Field_size_bytes_(Length) UCHAR FilePath[1]; } FILE_PATH, * PFILE_PATH; -// Initial TEB +/* Initial TEB */ typedef struct _INITIAL_TEB { struct 
@@ -206,14 +206,14 @@ typedef struct _INITIAL_TEB PVOID StackAllocationBase; } INITIAL_TEB, * PINITIAL_TEB; -// Memory Range Entry +/* Memory Range Entry */ typedef struct _MEMORY_RANGE_ENTRY { PVOID VirtualAddress; SIZE_T NumberOfBytes; } MEMORY_RANGE_ENTRY, * PMEMORY_RANGE_ENTRY; -// NTPSS Memory Bulk Information +/* NTPSS Memory Bulk Information */ typedef struct _NTPSS_MEMORY_BULK_INFORMATION { ULONG QueryFlags; @@ -221,7 +221,7 @@ typedef struct _NTPSS_MEMORY_BULK_INFORMATION PVOID NextValidAddress; } NTPSS_MEMORY_BULK_INFORMATION, * PNTPSS_MEMORY_BULK_INFORMATION; -// Object Boundary Descriptor +/* Object Boundary Descriptor */ typedef struct _OBJECT_BOUNDARY_DESCRIPTOR { ULONG Version; @@ -236,10 +236,10 @@ typedef struct _OBJECT_BOUNDARY_DESCRIPTOR ULONG Reserved : 31; }; }; - //OBJECT_BOUNDARY_ENTRY Entries[1]; + /* OBJECT_BOUNDARY_ENTRY Entries[1]; */ } OBJECT_BOUNDARY_DESCRIPTOR, * POBJECT_BOUNDARY_DESCRIPTOR; -// PS Attribute +/* PS Attribute */ typedef struct _PS_ATTRIBUTE { ULONG_PTR Attribute; @@ -252,21 +252,21 @@ typedef struct _PS_ATTRIBUTE PSIZE_T ReturnLength; } PS_ATTRIBUTE, * PPS_ATTRIBUTE; -// PS Attribute List +/* PS Attribute List */ typedef struct _PS_ATTRIBUTE_LIST { SIZE_T TotalLength; PS_ATTRIBUTE Attributes[1]; } PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST; -// PS Create Info +/* PS Create Info */ typedef struct _PS_CREATE_INFO { SIZE_T Size; PS_CREATE_STATE State; union { - // PsCreateInitialState + /* PsCreateInitialState */ struct { union @@ -285,22 +285,22 @@ typedef struct _PS_CREATE_INFO }; ACCESS_MASK AdditionalFileAccess; } InitState; - // PsCreateFailOnSectionCreate + /* PsCreateFailOnSectionCreate */ struct { HANDLE FileHandle; } FailSection; - // PsCreateFailExeFormat + /* PsCreateFailExeFormat */ struct { USHORT DllCharacteristics; } ExeFormat; - // PsCreateFailExeName + /* PsCreateFailExeName */ struct { HANDLE IFEOKey; } ExeName; - // PsCreateSuccess + /* PsCreateSuccess */ struct { union 
@@ -310,7 +310,7 @@ typedef struct _PS_CREATE_INFO { UCHAR ProtectedProcess : 1; UCHAR AddressSpaceOverride : 1; - UCHAR DevOverrideEnabled : 1; // from Image File Execution Options + UCHAR DevOverrideEnabled : 1; /* from Image File Execution Options */ UCHAR ManifestDetected : 1; UCHAR ProtectedProcessLight : 1; UCHAR SpareBits1 : 3; @@ -331,14 +331,14 @@ typedef struct _PS_CREATE_INFO }; } PS_CREATE_INFO, * PPS_CREATE_INFO; -// SE File Cache Claim Information +/* SE File Cache Claim Information */ typedef struct _SE_FILE_CACHE_CLAIM_INFORMATION { ULONG Size; PVOID Claim; } SE_FILE_CACHE_CLAIM_INFORMATION, * PSE_FILE_CACHE_CLAIM_INFORMATION; -// SE Set File Cache Information +/* SE Set File Cache Information */ typedef struct _SE_SET_FILE_CACHE_INFORMATION { ULONG Size; 
@@ -346,63 +346,63 @@ typedef struct _SE_SET_FILE_CACHE_INFORMATION SE_FILE_CACHE_CLAIM_INFORMATION OriginClaimInfo; } SE_SET_FILE_CACHE_INFORMATION, * PSE_SET_FILE_CACHE_INFORMATION; -// System Thread Information +/* System Thread Information */ typedef struct _SYSTEM_THREAD_INFO { - LARGE_INTEGER KernelTime; // Number of 100-nanosecond intervals spent executing kernel code. - LARGE_INTEGER UserTime; // Number of 100-nanosecond intervals spent executing user code. - LARGE_INTEGER CreateTime; // System time when the thread was created. - ULONG WaitTime; // Time spent in ready queue or waiting (depending on the thread state). - PVOID StartAddress; // Start address of the thread. - CLIENT_ID ClientId; // ID of the thread and the process owning the thread. - KPRIORITY Priority; // Dynamic thread priority. - KPRIORITY BasePriority; // Base thread priority. - ULONG ContextSwitches; // Total context switches. - KTHREAD_STATE ThreadState; // Current thread state. - KWAIT_REASON WaitReason; // The reason the thread is waiting. + LARGE_INTEGER KernelTime; /* Number of 100-nanosecond intervals spent executing kernel code. */ + LARGE_INTEGER UserTime; /* Number of 100-nanosecond intervals spent executing user code. */ + LARGE_INTEGER CreateTime; /* System time when the thread was created. */ + ULONG WaitTime; /* Time spent in ready queue or waiting (depending on the thread state). */ + PVOID StartAddress; /* Start address of the thread. */ + CLIENT_ID ClientId; /* ID of the thread and the process owning the thread. */ + KPRIORITY Priority; /* Dynamic thread priority. */ + KPRIORITY BasePriority; /* Base thread priority. */ + ULONG ContextSwitches; /* Total context switches. */ + KTHREAD_STATE ThreadState; /* Current thread state. */ + KWAIT_REASON WaitReason; /* The reason the thread is waiting. 
*/ } SYSTEM_THREAD_INFO, * PSYSTEM_THREAD_INFO; -// System Process Information +/* System Process Information */ typedef struct _SYSTEM_PROCESS_INFO { - ULONG NextEntryOffset; // The address of the previous item plus the value in the NextEntryOffset member. For the last item in the array, NextEntryOffset is 0. - ULONG NumberOfThreads; // The NumberOfThreads member contains the number of threads in the process. - ULONGLONG WorkingSetPrivateSize; // since VISTA - ULONG HardFaultCount; // since WIN7 - ULONG NumberOfThreadsHighWatermark; // The peak number of threads that were running at any given point in time, indicative of potential performance bottlenecks related to thread management. - ULONGLONG CycleTime; // The sum of the cycle time of all threads in the process. - LARGE_INTEGER CreateTime; // Number of 100-nanosecond intervals since the creation time of the process. Not updated during system timezone changes resullting in an incorrect value. + ULONG NextEntryOffset; /* The address of the previous item plus the value in the NextEntryOffset member. For the last item in the array, NextEntryOffset is 0. */ + ULONG NumberOfThreads; /* The NumberOfThreads member contains the number of threads in the process. */ + ULONGLONG WorkingSetPrivateSize; /* since VISTA */ + ULONG HardFaultCount; /* since WIN7 */ + ULONG NumberOfThreadsHighWatermark; /* The peak number of threads that were running at any given point in time, indicative of potential performance bottlenecks related to thread management. */ + ULONGLONG CycleTime; /* The sum of the cycle time of all threads in the process. */ + LARGE_INTEGER CreateTime; /* Number of 100-nanosecond intervals since the creation time of the process. Not updated during system timezone changes resullting in an incorrect value. */ LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; - UNICODE_STRING ImageName; // The file name of the executable image. + UNICODE_STRING ImageName; /* The file name of the executable image. 
*/ KPRIORITY BasePriority; HANDLE UniqueProcessId; HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG SessionId; - ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation) - SIZE_T PeakVirtualSize; // The peak size, in bytes, of the virtual memory used by the process. - SIZE_T VirtualSize; // The current size, in bytes, of virtual memory used by the process. - ULONG PageFaultCount; // The member of page faults for data that is not currently in memory. - SIZE_T PeakWorkingSetSize; // The peak size, in kilobytes, of the working set of the process. - SIZE_T WorkingSetSize; // The number of pages visible to the process in physical memory. These pages are resident and available for use without triggering a page fault. - SIZE_T QuotaPeakPagedPoolUsage; // The peak quota charged to the process for pool usage, in bytes. - SIZE_T QuotaPagedPoolUsage; // The quota charged to the process for paged pool usage, in bytes. - SIZE_T QuotaPeakNonPagedPoolUsage; // The peak quota charged to the process for nonpaged pool usage, in bytes. - SIZE_T QuotaNonPagedPoolUsage; // The current quota charged to the process for nonpaged pool usage. - SIZE_T PagefileUsage; // The PagefileUsage member contains the number of bytes of page file storage in use by the process. - SIZE_T PeakPagefileUsage; // The maximum number of bytes of page-file storage used by the process. - SIZE_T PrivatePageCount; // The number of memory pages allocated for the use by the process. - LARGE_INTEGER ReadOperationCount; // The total number of read operations performed. - LARGE_INTEGER WriteOperationCount; // The total number of write operations performed. - LARGE_INTEGER OtherOperationCount; // The total number of I/O operations performed other than read and write operations. - LARGE_INTEGER ReadTransferCount; // The total number of bytes read during a read operation. - LARGE_INTEGER WriteTransferCount; // The total number of bytes written during a write operation. 
- LARGE_INTEGER OtherTransferCount; // The total number of bytes transferred during operations other than read and write operations. - SYSTEM_THREAD_INFORMATION Threads[1]; // This type is not defined in the structure but was added for convenience. + ULONG_PTR UniqueProcessKey; /* since VISTA (requires SystemExtendedProcessInformation) */ + SIZE_T PeakVirtualSize; /* The peak size, in bytes, of the virtual memory used by the process. */ + SIZE_T VirtualSize; /* The current size, in bytes, of virtual memory used by the process. */ + ULONG PageFaultCount; /* The member of page faults for data that is not currently in memory. */ + SIZE_T PeakWorkingSetSize; /* The peak size, in kilobytes, of the working set of the process. */ + SIZE_T WorkingSetSize; /* The number of pages visible to the process in physical memory. These pages are resident and available for use without triggering a page fault. */ + SIZE_T QuotaPeakPagedPoolUsage; /* The peak quota charged to the process for pool usage, in bytes. */ + SIZE_T QuotaPagedPoolUsage; /* The quota charged to the process for paged pool usage, in bytes. */ + SIZE_T QuotaPeakNonPagedPoolUsage; /* The peak quota charged to the process for nonpaged pool usage, in bytes. */ + SIZE_T QuotaNonPagedPoolUsage; /* The current quota charged to the process for nonpaged pool usage. */ + SIZE_T PagefileUsage; /* The PagefileUsage member contains the number of bytes of page file storage in use by the process. */ + SIZE_T PeakPagefileUsage; /* The maximum number of bytes of page-file storage used by the process. */ + SIZE_T PrivatePageCount; /* The number of memory pages allocated for the use by the process. */ + LARGE_INTEGER ReadOperationCount; /* The total number of read operations performed. */ + LARGE_INTEGER WriteOperationCount; /* The total number of write operations performed. */ + LARGE_INTEGER OtherOperationCount; /* The total number of I/O operations performed other than read and write operations. 
*/ + LARGE_INTEGER ReadTransferCount; /* The total number of bytes read during a read operation. */ + LARGE_INTEGER WriteTransferCount; /* The total number of bytes written during a write operation. */ + LARGE_INTEGER OtherTransferCount; /* The total number of bytes transferred during operations other than read and write operations. */ + SYSTEM_THREAD_INFORMATION Threads[1]; /* This type is not defined in the structure but was added for convenience. */ } SYSTEM_PROCESS_INFO, * PSYSTEM_PROCESS_INFO; -// Thread Basic Information +/* Thread Basic Information */ typedef struct _THREAD_BASIC_INFO { NTSTATUS ExitStatus; @@ -413,7 +413,7 @@ typedef struct _THREAD_BASIC_INFO KPRIORITY BasePriority; } THREAD_BASIC_INFO, * PTHREAD_BASIC_INFO; -// T2 Set Parameters +/* T2 Set Parameters */ typedef struct _T2_SET_PARAMETERS_V0 { ULONG Version; @@ -421,7 +421,7 @@ typedef struct _T2_SET_PARAMETERS_V0 LONGLONG NoWakeTolerance; } T2_SET_PARAMETERS, * PT2_SET_PARAMETERS; -// WNF Delivery Descriptor +/* WNF Delivery Descriptor */ typedef struct _WNF_DELIVERY_DESCRIPTOR { ULONGLONG SubscriptionId; @@ -433,7 +433,7 @@ typedef struct _WNF_DELIVERY_DESCRIPTOR ULONG StateDataOffset; } WNF_DELIVERY_DESCRIPTOR, * PWNF_DELIVERY_DESCRIPTOR; -// Worker Factory Deferred Work +/* Worker Factory Deferred Work */ typedef struct _WORKER_FACTORY_DEFERRED_WORK { PPORT_MESSAGE AlpcSendMessage; diff --git a/SysCaller/Wrapper/include/syscaller.h b/SysCaller/Wrapper/include/syscaller.h index 0109ad1..aeba4d2 100644 --- a/SysCaller/Wrapper/include/syscaller.h +++ b/SysCaller/Wrapper/include/syscaller.h 
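Review bot: The rewritten member comments in SYSTEM_PROCESS_INFO carry two typos over to the new side that this comment pass was the natural place to fix: `resullting` in the CreateTime comment should be `resulting`, and the PageFaultCount comment `The member of page faults` should read `The number of page faults`. The same applies to `/* Proccess & Thread Types */` in the sysExternals_k.h hunk at -50, which keeps the misspelling from the old line. Separately, `SYSTEM_THREAD_INFORMATION Threads[1];` names a type that differs from the `SYSTEM_THREAD_INFO` typedef defined directly above it; if no `SYSTEM_THREAD_INFORMATION` exists elsewhere in the project that member will not compile, so it is worth confirming which name is intended and saying so in the trailing comment rather than `This type is not defined in the structure`.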
@@ -1,83 +1,83 @@
-#pragma once
-
-/*
- * SysCaller SDK
- * Copyright (c) 2025 micREsoft
- *
- * License: GPLv3
- *
- * This software is free to use, modify, and distribute under the terms
- * of the GNU General Public License version 3.
- *
- * You MAY NOT sell this software or derivative versions without also releasing
- * their full source code under the same license.
- *
- * For more information, see https://www.gnu.org/licenses/gpl-3.0.html
- */
-
- /*
- * SysCaller Build Configuration
- *
- * Define one of these macros in syscaller_config.h:
- * - SYSCALLER_DIRECT : Direct syscalls (default if none specified)
- * - SYSCALLER_INDIRECT : Indirect syscalls with runtime resolution
- * - SYSCALLER_INLINE : Inline ASM syscalls
- *
- * Optional: Define SYSCALLER_BINDINGS if building for multi language bindings
- *
- * Examples:
- * - Direct syscalls (C++ only): SYSCALLER_DIRECT
- * - Direct syscalls (bindings): SYSCALLER_DIRECT;SYSCALLER_BINDINGS
- * - Indirect syscalls (C++ only): SYSCALLER_INDIRECT
- * - Indirect syscalls (bindings): SYSCALLER_INDIRECT;SYSCALLER_BINDINGS
- * - Inline syscalls (C++ only): SYSCALLER_INLINE
- * - Inline syscalls (bindings): SYSCALLER_INLINE;SYSCALLER_BINDINGS
- *
- */
-
-#define SYSCALLER_BUILD_CONFIG
-#include "syscaller_config.h"
-#undef SYSCALLER_BUILD_CONFIG
-
-#if !defined(SYSCALLER_DIRECT) && !defined(SYSCALLER_INDIRECT) && !defined(SYSCALLER_INLINE)
-#define SYSCALLER_DIRECT
-#endif
-
-#if (defined(SYSCALLER_DIRECT) && defined(SYSCALLER_INDIRECT)) || \
- (defined(SYSCALLER_DIRECT) && defined(SYSCALLER_INLINE)) || \
- (defined(SYSCALLER_INDIRECT) && defined(SYSCALLER_INLINE))
-#error "Only one syscall mode can be defined: SYSCALLER_DIRECT, SYSCALLER_INDIRECT, or SYSCALLER_INLINE"
-#endif
-
-#define WIN32_LEAN_AND_MEAN
-#define NOMINMAX
-#define _WINSOCK_DEPRECATED_NO_WARNINGS
-#ifdef _WIN64
-#define _AMD64_
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#pragma comment(lib, "winhttp.lib")
-#pragma comment(lib, "ws2_32.lib")
-
-#include
-#include
-#include
-#include
-
-#include "Sys/sysTypes.h"
-#include "Sys/sysExternals.h"
-#include "Sys/sysFunctions.h"
-
-#if defined(SYSCALLER_INDIRECT)
-#include "Resolver/Resolver.h"
-#endif
+#pragma once
+
+/*
+ * SysCaller SDK
+ * Copyright (c) 2025 micREsoft
+ *
+ * License: GPLv3
+ *
+ * This software is free to use, modify, and distribute under the terms
+ * of the GNU General Public License version 3.
+ *
+ * You MAY NOT sell this software or derivative versions without also releasing
+ * their full source code under the same license.
+ *
+ * For more information, see https://www.gnu.org/licenses/gpl-3.0.html
+ */
+
+ /*
+ * SysCaller Build Configuration
+ *
+ * Define one of these macros in syscaller_config.h:
+ * - SYSCALLER_DIRECT : Direct syscalls (default if none specified)
+ * - SYSCALLER_INDIRECT : Indirect syscalls with runtime resolution
+ * - SYSCALLER_INLINE : Inline ASM syscalls
+ *
+ * Optional: Define SYSCALLER_BINDINGS if building for multi language bindings
+ *
+ * Examples:
+ * - Direct syscalls (C++ only): SYSCALLER_DIRECT
+ * - Direct syscalls (bindings): SYSCALLER_DIRECT;SYSCALLER_BINDINGS
+ * - Indirect syscalls (C++ only): SYSCALLER_INDIRECT
+ * - Indirect syscalls (bindings): SYSCALLER_INDIRECT;SYSCALLER_BINDINGS
+ * - Inline syscalls (C++ only): SYSCALLER_INLINE
+ * - Inline syscalls (bindings): SYSCALLER_INLINE;SYSCALLER_BINDINGS
+ *
+ */
+
+#define SYSCALLER_BUILD_CONFIG
+#include "syscaller_config.h"
+#undef SYSCALLER_BUILD_CONFIG
+
+#if !defined(SYSCALLER_DIRECT) && !defined(SYSCALLER_INDIRECT) && !defined(SYSCALLER_INLINE)
+#define SYSCALLER_DIRECT
+#endif
+
+#if (defined(SYSCALLER_DIRECT) && defined(SYSCALLER_INDIRECT)) || \
+ (defined(SYSCALLER_DIRECT) && defined(SYSCALLER_INLINE)) || \
+ (defined(SYSCALLER_INDIRECT) && defined(SYSCALLER_INLINE))
+#error "Only one syscall mode can be defined: SYSCALLER_DIRECT, SYSCALLER_INDIRECT, or 
SYSCALLER_INLINE" +#endif + +#define WIN32_LEAN_AND_MEAN +#define NOMINMAX +#define _WINSOCK_DEPRECATED_NO_WARNINGS +#ifdef _WIN64 +#define _AMD64_ +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#pragma comment(lib, "winhttp.lib") +#pragma comment(lib, "ws2_32.lib") + +#include +#include +#include +#include + +#include "Sys/sysTypes.h" +#include "Sys/sysExternals.h" +#include "Sys/sysFunctions.h" + +#if defined(SYSCALLER_INDIRECT) +#include "Resolver/Resolver.h" +#endif \ No newline at end of file diff --git a/SysCaller/Wrapper/include/syscaller_config.h b/SysCaller/Wrapper/include/syscaller_config.h index c6eea25..b68c04d 100644 --- a/SysCaller/Wrapper/include/syscaller_config.h +++ b/SysCaller/Wrapper/include/syscaller_config.h @@ -9,13 +9,13 @@ * Uncomment one of the following lines & add to preprocessor definitions to select your build mode: */ -// Direct syscalls (default), no runtime resolution +/* Direct syscalls (default), no runtime resolution */ #define SYSCALLER_DIRECT -// Indirect syscalls, runtime resolution +/* Indirect syscalls, runtime resolution */ // #define SYSCALLER_INDIRECT -// Inline ASM syscalls, embedded assembly +/* Inline ASM syscalls, embedded assembly */ // #define SYSCALLER_INLINE /* diff --git a/SysCaller/Wrapper/src/DLL/dllmain.cpp b/SysCaller/Wrapper/src/DLL/dllmain.cpp index 2e9f2d3..b7e84b8 100644 --- a/SysCaller/Wrapper/src/DLL/dllmain.cpp +++ b/SysCaller/Wrapper/src/DLL/dllmain.cpp 
@@ -1,18 +1,19 @@ #if defined(SYSCALLER_DIRECT) -#pragma message("SysCaller: Building via DIRECT syscall mode!") +#pragma message("SysCaller: Building via DIRECT syscall mode") #elif defined(SYSCALLER_INDIRECT) -#pragma message("SysCaller: Building via INDIRECT syscall mode!") +#pragma message("SysCaller: Building via INDIRECT syscall mode") #elif defined(SYSCALLER_INLINE) -#pragma message("SysCaller: Building via INLINE ASM syscall mode!") +#pragma message("SysCaller: Building via INLINE ASM syscall mode") #else -#pragma message("SysCaller: Building via DIRECT syscall mode! (default)") +#pragma message("SysCaller: Building via DIRECT syscall mode (default)") #endif #if defined(SYSCALLER_BINDINGS) -#pragma message("SysCaller: Building with BINDINGS support! (DLL export)") +#pragma message("SysCaller: Building with BINDINGS support (DLL export)") #endif #ifdef SYSCALLER_BINDINGS +/* bindings mode enabled, include DLL export functionality */ #include BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { @@ -20,5 +21,6 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserv } #else -#pragma message("SysCaller: dllmain.cpp skipped! (SYSCALLER_BINDINGS not defined)") -#endif +/* not in bindings mode file compiles to nothing */ +#pragma message("SysCaller: dllmain.cpp skipped (SYSCALLER_BINDINGS not defined)") +#endif \ No newline at end of file diff --git a/SysCaller/Wrapper/src/Resolver/Resolver.cpp b/SysCaller/Wrapper/src/Resolver/Resolver.cpp index d980995..aad471f 100644 --- a/SysCaller/Wrapper/src/Resolver/Resolver.cpp +++ b/SysCaller/Wrapper/src/Resolver/Resolver.cpp @@ -13,7 +13,6 @@ #endif #ifdef SYSCALLER_INDIRECT -// Indirect syscall mode,include resolver implementation #include "../../include/Resolver/Resolver.h" #include #include 
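Review bot: The new `+#endif` in the dllmain.cpp hunk at -20 drops the file's trailing newline (`\ No newline at end of file`), and the syscaller.h and build_info.cpp rewrites in this series do the same; clang flags this under -Wnewline-eof and every later edit to the last line will show as a two-line diff, so the final newline should be restored in all three files. The added comment `/* not in bindings mode file compiles to nothing */` needs a separator to parse, `/* not in bindings mode, file compiles to nothing */`, and the matching Resolver.cpp comment in the hunk at -169 has the same problem.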
@@ -169,6 +168,6 @@ void CleanupResolver() } #else -// Not in indirect mode file compiles to nothing +/* not in indirect mode file compiles to nothing */ #pragma message("SysCaller: Resolver.cpp skipped (SYSCALLER_INDIRECT not defined)") #endif diff --git a/SysCaller/Wrapper/src/build_info.cpp b/SysCaller/Wrapper/src/build_info.cpp index f7517d4..163f5af 100644 --- a/SysCaller/Wrapper/src/build_info.cpp +++ b/SysCaller/Wrapper/src/build_info.cpp @@ -1,6 +1,6 @@ /* * SysCaller Build Information - * This file is always compiled to show the current build configuration + * this file is always compiled to show the current build configuration */ #if defined(SYSCALLER_DIRECT) @@ -27,5 +27,5 @@ #include "../include/syscaller.h" -// Empty function ensures this TU is compiled and processed -void SysCallerBuildInfo() {} +/* empty function ensures this TU is compiled and processed */ +void SysCallerBuildInfo() {} \ No newline at end of file diff --git a/SysCallerK/Wrapper/include/SysK/sysConstants_k.h b/SysCallerK/Wrapper/include/SysK/sysConstants_k.h index dd241e1..5afa122 100644 --- a/SysCallerK/Wrapper/include/SysK/sysConstants_k.h +++ b/SysCallerK/Wrapper/include/SysK/sysConstants_k.h 
@@ -6,39 +6,34 @@ #define TLS_MINIMUM_AVAILABLE 64 #define RTL_MAX_DRIVE_LETTERS 32 -// ADD THESE TO GITHUB LATER #define PAGE_SIZE 0x1000 #define PAGE_MASK 0xFFF - #ifndef PAGE_SHIFT #define PAGE_SHIFT 0xC #endif - -#define PAGE_NOACCESS 0x01 // Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation. -#define PAGE_READONLY 0x02 // Enables read-only access to the committed region of pages. An attempt to write or execute the committed region results in an access violation. -#define PAGE_READWRITE 0x04 // Enables read-only or read/write access to the committed region of pages. -#define PAGE_WRITECOPY 0x08 // Enables read-only or copy-on-write access to a mapped view of a file mapping object. -#define PAGE_EXECUTE 0x10 // Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation. -#define PAGE_EXECUTE_READ 0x20 // Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. -#define PAGE_EXECUTE_READWRITE 0x40 // Enables execute, read-only, or read/write access to the committed region of pages. -#define PAGE_EXECUTE_WRITECOPY 0x80 // Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. -#define PAGE_GUARD 0x100 // Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception. -#define PAGE_NOCACHE 0x200 // Sets all pages to be non-cachable. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. -#define PAGE_WRITECOMBINE 0x400 // Sets all pages to be write-combined. Applications should not use this attribute. 
Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. -#define PAGE_REVERT_TO_FILE_MAP 0x80000000 // Pages in the region can revert modified copy-on-write pages to the original unmodified page when using the mapped view of a file mapping object. -#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 // Pages in the region contain a thread control structure (TCS) from the Intel Software Guard Extensions programming model. -#define PAGE_TARGETS_NO_UPDATE 0x40000000 // Pages in the region will not update the CFG bitmap when the protection changes. The default behavior for VirtualProtect is to mark all locations as valid call targets for CFG. -#define PAGE_TARGETS_INVALID 0x40000000 // Pages in the region are excluded from the CFG bitmap as valid targets. Any indirect call to locations in those pages will terminate the process using the __fastfail intrinsic. -#define PAGE_ENCLAVE_UNVALIDATED 0x20000000 // Pages in the region are excluded from measurement with the EEXTEND instruction of the Intel Software Guard Extensions programming model. +#define PAGE_NOACCESS 0x01 /* Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation. */ +#define PAGE_READONLY 0x02 /* Enables read-only access to the committed region of pages. An attempt to write or execute the committed region results in an access violation. */ +#define PAGE_READWRITE 0x04 /* Enables read-only or read/write access to the committed region of pages. */ +#define PAGE_WRITECOPY 0x08 /* Enables read-only or copy-on-write access to a mapped view of a file mapping object. */ +#define PAGE_EXECUTE 0x10 /* Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation. */ +#define PAGE_EXECUTE_READ 0x20 /* Enables execute or read-only access to the committed region of pages. 
An attempt to write to the committed region results in an access violation. */ +#define PAGE_EXECUTE_READWRITE 0x40 /* Enables execute, read-only, or read/write access to the committed region of pages. */ +#define PAGE_EXECUTE_WRITECOPY 0x80 /* Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. */ +#define PAGE_GUARD 0x100 /* Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception. */ +#define PAGE_NOCACHE 0x200 /* Sets all pages to be non-cachable. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. */ +#define PAGE_WRITECOMBINE 0x400 /* Sets all pages to be write-combined. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. */ +#define PAGE_REVERT_TO_FILE_MAP 0x80000000 /* Pages in the region can revert modified copy-on-write pages to the original unmodified page when using the mapped view of a file mapping object. */ +#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 /* Pages in the region contain a thread control structure (TCS) from the Intel Software Guard Extensions programming model. */ +#define PAGE_TARGETS_NO_UPDATE 0x40000000 /* Pages in the region will not update the CFG bitmap when the protection changes. The default behavior for VirtualProtect is to mark all locations as valid call targets for CFG. */ +#define PAGE_TARGETS_INVALID 0x40000000 /* Pages in the region are excluded from the CFG bitmap as valid targets. Any indirect call to locations in those pages will terminate the process using the __fastfail intrinsic. 
*/ +#define PAGE_ENCLAVE_UNVALIDATED 0x20000000 /* Pages in the region are excluded from measurement with the EEXTEND instruction of the Intel Software Guard Extensions programming model. */ #define PAGE_ENCLAVE_NO_CHANGE 0x20000000 #define PAGE_ENCLAVE_MASK 0x10000000 #define PAGE_ENCLAVE_DECOMMIT (PAGE_ENCLAVE_MASK | 0) #define PAGE_ENCLAVE_SS_FIRST (PAGE_ENCLAVE_MASK | 1) #define PAGE_ENCLAVE_SS_REST (PAGE_ENCLAVE_MASK | 2) -// -// Memory Region and Section Constants -// +/* Memory Region and Section Constants */ #ifndef GENERIC_ALL #define GENERIC_ALL 0x10000000 #endif @@ -69,7 +64,7 @@ #define SEC_HUGE_PAGES 0x00020000 #define SEC_PARTITION_OWNER_HANDLE 0x00040000 #define SEC_64K_PAGES 0x00080000 -#define SEC_DRIVER_IMAGE 0x00100000 // rev +#define SEC_DRIVER_IMAGE 0x00100000 /* rev */ #define SEC_BASED 0x00200000 #define SEC_NO_CHANGE 0x00400000 #define SEC_FILE 0x00800000 diff --git a/SysCallerK/Wrapper/include/SysK/sysExternals_k.h b/SysCallerK/Wrapper/include/SysK/sysExternals_k.h index feec4d8..b4fdae3 100644 --- a/SysCallerK/Wrapper/include/SysK/sysExternals_k.h +++ b/SysCallerK/Wrapper/include/SysK/sysExternals_k.h @@ -7,7 +7,7 @@ typedef struct _SYSK_WNF_STATE_NAME ULONG Data[2]; } SYSK_WNF_STATE_NAME, * SYSK_PWNF_STATE_NAME; -// WNF Type ID +/* WNF Type ID */ typedef struct _WNF_TYPE_ID { GUID TypeId; @@ -15,7 +15,7 @@ typedef struct _WNF_TYPE_ID typedef unsigned long DWORD; -// General Types +/* General Types */ typedef LONG NTSTATUS; typedef ULONG LOGICAL; typedef ULONG_PTR SIZE_T; @@ -38,7 +38,7 @@ typedef LCID * PLCID; typedef const GUID * LPCGUID; typedef GUID * LPGUID; -// ALPC Types +/* ALPC Types */ typedef struct _PORT_MESSAGE * PPORT_MESSAGE; typedef struct _PORT_VIEW * PPORT_VIEW; typedef struct _REMOTE_PORT_VIEW * PREMOTE_PORT_VIEW; 
@@ -50,7 +50,7 @@ typedef struct _ALPC_DATA_VIEW_ATTR * PALPC_DATA_VIEW_ATTR; typedef struct _ALPC_SECURITY_ATTR * PALPC_SECURITY_ATTR; typedef HANDLE PALPC_HANDLE; -// Proccess & Thread Types +/* Proccess & Thread Types */ typedef struct _OBJECT_TYPE * POBJECT_TYPE; typedef NTSTATUS * PNTSTATUS; typedef HANDLE AUDIT_EVENT_HANDLE; 
@@ -60,61 +60,62 @@ typedef ULONG PROCESS_ACTIVITY_TYPE; typedef struct _RTL_ATOM * PRTL_ATOM; typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION * PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; typedef struct _SYSK_OBJECT_ATTRIBUTES * PSYSK_COBJECT_ATTRIBUTES; +typedef enum _MEMORY_RESERVE_TYPE MEMORY_RESERVE_TYPE; -// Enum Classes & Types -> +/* Enum Classes & Types -> */ -// ALPC Message Information Classes +/* ALPC Message Information Classes */ typedef enum _ALPC_MESSAGE_INFORMATION_CLASS { - AlpcMessageSidInformation, // q: out SID - AlpcMessageTokenModifiedIdInformation, // q: out LUID + AlpcMessageSidInformation, /* q: out SID */ + AlpcMessageTokenModifiedIdInformation, /* q: out LUID */ AlpcMessageDirectStatusInformation, - AlpcMessageHandleInformation, // ALPC_MESSAGE_HANDLE_INFORMATION + AlpcMessageHandleInformation, /* ALPC_MESSAGE_HANDLE_INFORMATION */ MaxAlpcMessageInfoClass } ALPC_MESSAGE_INFORMATION_CLASS, * PALPC_MESSAGE_INFORMATION_CLASS; -// ALPC Port Information Classes +/* ALPC Port Information Classes */ typedef enum _ALPC_PORT_INFORMATION_CLASS { - AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION - AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES - AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT - AlpcConnectedSIDInformation, // q: in SID - AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION - AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION - AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION - AlpcUnregisterCompletionListInformation, // s: VOID - AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG - AlpcRegisterCallbackInformation, // s: ALPC_REGISTER_CALLBACK // kernel-mode only - AlpcCompletionListRundownInformation, // s: VOID // 10 + AlpcBasicInformation, /* q: out ALPC_BASIC_INFORMATION */ + AlpcPortInformation, /* s: in ALPC_PORT_ATTRIBUTES */ + AlpcAssociateCompletionPortInformation, /* s: in 
ALPC_PORT_ASSOCIATE_COMPLETION_PORT */ + AlpcConnectedSIDInformation, /* q: in SID */ + AlpcServerInformation, /* q: inout ALPC_SERVER_INFORMATION */ + AlpcMessageZoneInformation, /* s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION */ + AlpcRegisterCompletionListInformation, /* s: in ALPC_PORT_COMPLETION_LIST_INFORMATION */ + AlpcUnregisterCompletionListInformation, /* s: VOID */ + AlpcAdjustCompletionListConcurrencyCountInformation, /* s: in ULONG */ + AlpcRegisterCallbackInformation, /* s: ALPC_REGISTER_CALLBACK, kernel-mode only */ + AlpcCompletionListRundownInformation, /* s: VOID, 10 */ AlpcWaitForPortReferences, - AlpcServerSessionInformation // q: ALPC_SERVER_SESSION_INFORMATION // since 19H2 + AlpcServerSessionInformation /* q: ALPC_SERVER_SESSION_INFORMATION, since 19H2 */ } ALPC_PORT_INFORMATION_CLASS; -// Atom Information Classes +/* Atom Information Classes */ typedef enum _ATOM_INFORMATION_CLASS { AtomBasicInformation, AtomTableInformation } ATOM_INFORMATION_CLASS; -// CPU Partition Information Classes +/* CPU Partition Information Classes */ typedef enum _CPU_PARTITION_INFORMATION_CLASS { - CpuPartitionBasicInformation, // q: BASIC_CPU_PARTITION_INFORMATION - CpuPartitionPerformanceInformation, // q: CPU_PARTITION_PERFORMANCE_INFORMATION - CpuPartitionTopologyInformation, // q: CPU_PARTITION_TOPOLOGY_INFORMATION - CpuPartitionAffinityInformation, // q; s: CPU_PARTITION_AFFINITY_INFORMATION - CpuPartitionPolicyInformation, // q; s: CPU_PARTITION_POLICY_INFORMATION - CpuPartitionSchedulingInformation, // q: CPU_PARTITION_SCHEDULING_INFORMATION - CpuPartitionResourceControl, // s: CPU_PARTITION_RESOURCE_CONTROL_INFORMATION - CpuPartitionPowerManagement, // q; s: CPU_PARTITION_POWER_MANAGEMENT_INFORMATION - CpuPartitionStatistics, // q: CPU_PARTITION_STATISTICS_INFORMATION - CpuPartitionDebugInformation, // q: CPU_PARTITION_DEBUG_INFORMATION + CpuPartitionBasicInformation, /* q: BASIC_CPU_PARTITION_INFORMATION */ + CpuPartitionPerformanceInformation, /* q: 
CPU_PARTITION_PERFORMANCE_INFORMATION */ + CpuPartitionTopologyInformation, /* q: CPU_PARTITION_TOPOLOGY_INFORMATION */ + CpuPartitionAffinityInformation, /* q; s: CPU_PARTITION_AFFINITY_INFORMATION */ + CpuPartitionPolicyInformation, /* q; s: CPU_PARTITION_POLICY_INFORMATION */ + CpuPartitionSchedulingInformation, /* q: CPU_PARTITION_SCHEDULING_INFORMATION */ + CpuPartitionResourceControl, /* s: CPU_PARTITION_RESOURCE_CONTROL_INFORMATION */ + CpuPartitionPowerManagement, /* q; s: CPU_PARTITION_POWER_MANAGEMENT_INFORMATION */ + CpuPartitionStatistics, /* q: CPU_PARTITION_STATISTICS_INFORMATION */ + CpuPartitionDebugInformation, /* q: CPU_PARTITION_DEBUG_INFORMATION */ CpuPartitionMax } CPU_PARTITION_INFORMATION_CLASS, * PCPU_PARTITION_INFORMATION_CLASS; -// Debug States +/* Debug States */ typedef enum _DBG_STATE { DbgIdle, 
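Review bot: `typedef enum _MEMORY_RESERVE_TYPE MEMORY_RESERVE_TYPE;` at the top of this hunk is a functional change buried in a comment-reformatting commit, and as written it is an opaque enum declaration with no underlying type, which neither standard C nor standard C++ permits; MSVC accepts it only as an extension (warning C4471) and conforming compilers warn or reject it. If the WDK headers this file pulls in already define `_MEMORY_RESERVE_TYPE`, the line is redundant and should be dropped; if it is meant as a forward declaration, it needs a fixed underlying type matching the real definition, for example `typedef enum _MEMORY_RESERVE_TYPE : int MEMORY_RESERVE_TYPE;`, or the full definition should live in this header. Either way the addition deserves its own commit with a message explaining which declaration it is standing in for. The enclosing header starts outside this hunk, so I cannot see which includes precede it.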
@@ -130,48 +131,48 @@ typedef enum _DBG_STATE DbgUnloadDllStateChange } DBG_STATE, * PDBG_STATE; -// Debug Object Information Classes +/* Debug Object Information Classes */ typedef enum _DEBUGOBJECTINFOCLASS { DebugObjectUnusedInformation, - DebugObjectKillProcessOnExitInformation, // s: ULONG + DebugObjectKillProcessOnExitInformation, /* s: ULONG */ MaxDebugObjectInfoClass } DEBUGOBJECTINFOCLASS, * PDEBUGOBJECTINFOCLASS; -// Directory Notify Information Classes +/* Directory Notify Information Classes */ typedef enum _SYSK_DIRECTORY_NOTIFY_INFORMATION_CLASS { SysKDirectoryNotifyInformation, SysKDirectoryNotifyInformationEx, SysKDirectoryNotifyInformationMax } SYSK_DIRECTORY_NOTIFY_INFORMATION_CLASS; -// ETW Trace Control Codes +/* ETW Trace Control Codes */ typedef enum _ETWTRACECONTROLCODE { - EtwStartLoggerCode = 1, // inout WMI_LOGGER_INFORMATION - EtwStopLoggerCode = 2, // inout WMI_LOGGER_INFORMATION - EtwQueryLoggerCode = 3, // inout WMI_LOGGER_INFORMATION - EtwUpdateLoggerCode = 4, // inout WMI_LOGGER_INFORMATION - EtwFlushLoggerCode = 5, // inout WMI_LOGGER_INFORMATION - EtwIncrementLoggerFile = 6, // inout WMI_LOGGER_INFORMATION - EtwRealtimeTransition = 7, // inout WMI_LOGGER_INFORMATION - // reserved + EtwStartLoggerCode = 1, /* inout WMI_LOGGER_INFORMATION */ + EtwStopLoggerCode = 2, /* inout WMI_LOGGER_INFORMATION */ + EtwQueryLoggerCode = 3, /* inout WMI_LOGGER_INFORMATION */ + EtwUpdateLoggerCode = 4, /* inout WMI_LOGGER_INFORMATION */ + EtwFlushLoggerCode = 5, /* inout WMI_LOGGER_INFORMATION */ + EtwIncrementLoggerFile = 6, /* inout WMI_LOGGER_INFORMATION */ + EtwRealtimeTransition = 7, /* inout WMI_LOGGER_INFORMATION */ + /* reserved */ EtwRealtimeConnectCode = 11, EtwActivityIdCreate = 12, EtwWdiScenarioCode = 13, - EtwRealtimeDisconnectCode = 14, // in HANDLE + EtwRealtimeDisconnectCode = 14, /* in HANDLE */ EtwRegisterGuidsCode = 15, EtwReceiveNotification = 16, - EtwSendDataBlock = 17, // ETW_ENABLE_NOTIFICATION_PACKET // 
ETW_SESSION_NOTIFICATION_PACKET + EtwSendDataBlock = 17, /* ETW_ENABLE_NOTIFICATION_PACKET, ETW_SESSION_NOTIFICATION_PACKET */ EtwSendReplyDataBlock = 18, EtwReceiveReplyDataBlock = 19, EtwWdiSemUpdate = 20, - EtwEnumTraceGuidList = 21, // out GUID[] - EtwGetTraceGuidInfo = 22, // in GUID, out ETW_TRACE_GUID_INFO - EtwEnumerateTraceGuids = 23, // out TRACE_GUID_PROPERTIES[] + EtwEnumTraceGuidList = 21, /* out GUID[] */ + EtwGetTraceGuidInfo = 22, /* in GUID, out ETW_TRACE_GUID_INFO */ + EtwEnumerateTraceGuids = 23, /* out TRACE_GUID_PROPERTIES[] */ EtwRegisterSecurityProv = 24, - EtwReferenceTimeCode = 25, // in ULONG LoggerId, out ETW_REF_CLOCK - EtwTrackBinaryCode = 26, // in HANDLE + EtwReferenceTimeCode = 25, /* in ULONG LoggerId, out ETW_REF_CLOCK */ + EtwTrackBinaryCode = 26, /* in HANDLE */ EtwAddNotificationEvent = 27, EtwUpdateDisallowList = 28, EtwSetEnableAllKeywordsCode = 29, @@ -187,26 +188,26 @@ typedef enum _ETWTRACECONTROLCODE EtwRegisterPrivateSession = 39, EtwQuerySessionDemuxObject = 40, EtwSetProviderBinaryTracking = 41, - EtwMaxLoggers = 42, // out ULONG - EtwMaxPmcCounter = 43, // out ULONG - EtwQueryUsedProcessorCount = 44, // ULONG // since WIN11 + EtwMaxLoggers = 42, /* out ULONG */ + EtwMaxPmcCounter = 43, /* out ULONG */ + EtwQueryUsedProcessorCount = 44, /* ULONG, since WIN11 */ EtwGetPmcOwnership = 45, EtwGetPmcSessions = 46, } ETWTRACECONTROLCODE; -// Event Information Classes +/* Event Information Classes */ typedef enum _EVENT_INFORMATION_CLASS { EventBasicInformation } EVENT_INFORMATION_CLASS; -// Event Types +/* Event Types */ typedef enum _SYSK_EVENT_TYPE { SysKNotificationEvent, SysKSynchronizationEvent, } SYSK_EVENT_TYPE; -// Filter Boot Option Operations +/* Filter Boot Option Operations */ typedef enum _FILTER_BOOT_OPTION_OPERATION { FilterBootOptionAdd, FilterBootOptionRemove, 
@@ -214,34 +215,34 @@ typedef enum _FILTER_BOOT_OPTION_OPERATION { FilterBootOptionQuery } FILTER_BOOT_OPTION_OPERATION; -// File System Information Classes +/* File System Information Classes */ typedef enum _SYSK_FSINFOCLASS { - SysKFileFsVolumeInformation = 1, // q: FILE_FS_VOLUME_INFORMATION - SysKFileFsLabelInformation, // s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) - SysKFileFsSizeInformation, // q: FILE_FS_SIZE_INFORMATION - SysKFileFsDeviceInformation, // q: FILE_FS_DEVICE_INFORMATION - SysKFileFsAttributeInformation, // q: FILE_FS_ATTRIBUTE_INFORMATION - SysKFileFsControlInformation, // q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) - SysKFileFsFullSizeInformation, // q: FILE_FS_FULL_SIZE_INFORMATION - SysKFileFsObjectIdInformation, // q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) - SysKFileFsDriverPathInformation, // q: FILE_FS_DRIVER_PATH_INFORMATION - SysKFileFsVolumeFlagsInformation, // q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume) // 10 - SysKFileFsSectorSizeInformation, // q: FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8 - SysKFileFsDataCopyInformation, // q: FILE_FS_DATA_COPY_INFORMATION - SysKFileFsMetadataSizeInformation, // q: FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD - SysKFileFsFullSizeInformationEx, // q: FILE_FS_FULL_SIZE_INFORMATION_EX // since REDSTONE5 - SysKFileFsGuidInformation, // q: FILE_FS_GUID_INFORMATION // since 23H2 + SysKFileFsVolumeInformation = 1, /* q: FILE_FS_VOLUME_INFORMATION */ + SysKFileFsLabelInformation, /* s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) */ + SysKFileFsSizeInformation, /* q: FILE_FS_SIZE_INFORMATION */ + SysKFileFsDeviceInformation, /* q: FILE_FS_DEVICE_INFORMATION */ + SysKFileFsAttributeInformation, /* q: FILE_FS_ATTRIBUTE_INFORMATION */ + SysKFileFsControlInformation, /* q, s: 
FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) */ + SysKFileFsFullSizeInformation, /* q: FILE_FS_FULL_SIZE_INFORMATION */ + SysKFileFsObjectIdInformation, /* q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) */ + SysKFileFsDriverPathInformation, /* q: FILE_FS_DRIVER_PATH_INFORMATION */ + SysKFileFsVolumeFlagsInformation, /* q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume), 10 */ + SysKFileFsSectorSizeInformation, /* q: FILE_FS_SECTOR_SIZE_INFORMATION, since WIN8 */ + SysKFileFsDataCopyInformation, /* q: FILE_FS_DATA_COPY_INFORMATION */ + SysKFileFsMetadataSizeInformation, /* q: FILE_FS_METADATA_SIZE_INFORMATION, since THRESHOLD */ + SysKFileFsFullSizeInformationEx, /* q: FILE_FS_FULL_SIZE_INFORMATION_EX, since REDSTONE5 */ + SysKFileFsGuidInformation, /* q: FILE_FS_GUID_INFORMATION, since 23H2 */ SysKFileFsMaximumInformation } SYSK_FSINFOCLASS, * PSYSK_FSINFOCLASS; -// IO Completion Information Classes +/* IO Completion Information Classes */ typedef enum _IO_COMPLETION_INFORMATION_CLASS { IoCompletionBasicInformation } IO_COMPLETION_INFORMATION_CLASS; -// IO Session Events +/* IO Session Events */ typedef enum _SYSK_IO_SESSION_EVENT { SysKIoSessionEventIgnore, @@ -254,7 +255,7 @@ typedef enum _SYSK_IO_SESSION_EVENT SysKIoSessionEventMax } SYSK_IO_SESSION_EVENT; -// IO Session States +/* IO Session States */ typedef enum _SYSK_IO_SESSION_STATE { SysKIoSessionStateCreated = 1, @@ -268,7 +269,7 @@ typedef enum _SYSK_IO_SESSION_STATE SysKIoSessionStateMax } SYSK_IO_SESSION_STATE; -// Job Object Information Classes +/* Job Object Information Classes */ typedef enum _JOBOBJECTINFOCLASS { JobObjectBasicAccountingInformation = 1, 
@@ -325,35 +326,35 @@ typedef enum _JOBOBJECTINFOCLASS { JobObjectMax = 52 } JOBOBJECTINFOCLASS; -// Key Information Classes +/* Key Information Classes */ typedef enum _SYSK_KEY_INFORMATION_CLASS { - SysKKeyBasicInformation, // KEY_BASIC_INFORMATION - SysKKeyNodeInformation, // KEY_NODE_INFORMATION - SysKKeyFullInformation, // KEY_FULL_INFORMATION - SysKKeyNameInformation, // KEY_NAME_INFORMATION - SysKKeyCachedInformation, // KEY_CACHED_INFORMATION - SysKKeyFlagsInformation, // KEY_FLAGS_INFORMATION - SysKKeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION - SysKKeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION - SysKKeyTrustInformation, // KEY_TRUST_INFORMATION - SysKKeyLayerInformation, // KEY_LAYER_INFORMATION + SysKKeyBasicInformation, /* KEY_BASIC_INFORMATION */ + SysKKeyNodeInformation, /* KEY_NODE_INFORMATION */ + SysKKeyFullInformation, /* KEY_FULL_INFORMATION */ + SysKKeyNameInformation, /* KEY_NAME_INFORMATION */ + SysKKeyCachedInformation, /* KEY_CACHED_INFORMATION */ + SysKKeyFlagsInformation, /* KEY_FLAGS_INFORMATION */ + SysKKeyVirtualizationInformation, /* KEY_VIRTUALIZATION_INFORMATION */ + SysKKeyHandleTagsInformation, /* KEY_HANDLE_TAGS_INFORMATION */ + SysKKeyTrustInformation, /* KEY_TRUST_INFORMATION */ + SysKKeyLayerInformation, /* KEY_LAYER_INFORMATION */ SysKMaxKeyInfoClass } SYSK_KEY_INFORMATION_CLASS; -// Key Value Information Classes +/* Key Value Information Classes */ typedef enum _SYSK_KEY_VALUE_INFORMATION_CLASS { - SysKKeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION - SysKKeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION - SysKKeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION + SysKKeyValueBasicInformation, /* KEY_VALUE_BASIC_INFORMATION */ + SysKKeyValueFullInformation, /* KEY_VALUE_FULL_INFORMATION */ + SysKKeyValuePartialInformation, /* KEY_VALUE_PARTIAL_INFORMATION */ SysKKeyValueFullInformationAlign64, - SysKKeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 - 
SysKKeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION + SysKKeyValuePartialInformationAlign64, /* KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 */ + SysKKeyValueLayerInformation, /* KEY_VALUE_LAYER_INFORMATION */ SysKMaxKeyValueInfoClass } SYSK_KEY_VALUE_INFORMATION_CLASS; -// KProfile Sources +/* KProfile Sources */ typedef enum _SYSK_KPROFILE_SOURCE { SysKProfileTime, SysKProfileAlignmentFaults, @@ -367,7 +368,7 @@ typedef enum _SYSK_KPROFILE_SOURCE { SysKProfileMaximum } SYSK_KPROFILE_SOURCE; -// KThread State +/* KThread State */ typedef enum _KTHREAD_STATE { Initialized, 
@@ -383,77 +384,77 @@ typedef enum _KTHREAD_STATE MaximumThreadState } KTHREAD_STATE, *PKTHREAD_STATE; -// KWait Reason +/* KWait Reason */ typedef enum _SYSK_KWAIT_REASON { - SysKExecutive, // Waiting for an executive event. - SysKFreePage, // Waiting for a free page. - SysKPageIn, // Waiting for a page to be read in. - SysKPoolAllocation, // Waiting for a pool allocation. - SysKDelayExecution, // Waiting due to a delay execution. // NtDelayExecution - SysKSuspended, // Waiting because the thread is suspended. // NtSuspendThread - SysKUserRequest, // Waiting due to a user request. // NtWaitForSingleObject - SysKWrExecutive, // Waiting for an executive event. - SysKWrFreePage, // Waiting for a free page. - SysKWrPageIn, // Waiting for a page to be read in. - SysKWrPoolAllocation, // Waiting for a pool allocation. - SysKWrDelayExecution, // Waiting due to a delay execution. - SysKWrSuspended, // Waiting because the thread is suspended. - SysKWrUserRequest, // Waiting due to a user request. - SysKWrEventPair, // Waiting for an event pair. // NtCreateEventPair - SysKWrQueue, // Waiting for a queue. // NtRemoveIoCompletion - SysKWrLpcReceive, // Waiting for an LPC receive. - SysKWrLpcReply, // Waiting for an LPC reply. - SysKWrVirtualMemory, // Waiting for virtual memory. - SysKWrPageOut, // Waiting for a page to be written out. - SysKWrRendezvous, // Waiting for a rendezvous. - SysKWrKeyedEvent, // Waiting for a keyed event. // NtCreateKeyedEvent - SysKWrTerminated, // Waiting for thread termination. - SysKWrProcessInSwap, // Waiting for a process to be swapped in. - SysKWrCpuRateControl, // Waiting for CPU rate control. - SysKWrCalloutStack, // Waiting for a callout stack. - SysKWrKernel, // Waiting for a kernel event. - SysKWrResource, // Waiting for a resource. - SysKWrPushLock, // Waiting for a push lock. - SysKWrMutex, // Waiting for a mutex. - SysKWrQuantumEnd, // Waiting for the end of a quantum. - SysKWrDispatchInt, // Waiting for a dispatch interrupt. 
- SysKWrPreempted, // Waiting because the thread was preempted. - SysKWrYieldExecution, // Waiting to yield execution. - SysKWrFastMutex, // Waiting for a fast mutex. - SysKWrGuardedMutex, // Waiting for a guarded mutex. - SysKWrRundown, // Waiting for a rundown. - SysKWrAlertByThreadId, // Waiting for an alert by thread ID. - SysKWrDeferredPreempt, // Waiting for a deferred preemption. - SysKWrPhysicalFault, // Waiting for a physical fault. - SysKWrIoRing, // Waiting for an I/O ring. - SysKWrMdlCache, // Waiting for an MDL cache. - SysKWrRcu, // Waiting for read-copy-update (RCU) synchronization. + SysKExecutive, /* Waiting for an executive event. */ + SysKFreePage, /* Waiting for a free page. */ + SysKPageIn, /* Waiting for a page to be read in. */ + SysKPoolAllocation, /* Waiting for a pool allocation. */ + SysKDelayExecution, /* Waiting due to a delay execution. NtDelayExecution */ + SysKSuspended, /* Waiting because the thread is suspended. NtSuspendThread */ + SysKUserRequest, /* Waiting due to a user request. NtWaitForSingleObject */ + SysKWrExecutive, /* Waiting for an executive event. */ + SysKWrFreePage, /* Waiting for a free page. */ + SysKWrPageIn, /* Waiting for a page to be read in. */ + SysKWrPoolAllocation, /* Waiting for a pool allocation. */ + SysKWrDelayExecution, /* Waiting due to a delay execution. */ + SysKWrSuspended, /* Waiting because the thread is suspended. */ + SysKWrUserRequest, /* Waiting due to a user request. */ + SysKWrEventPair, /* Waiting for an event pair. NtCreateEventPair */ + SysKWrQueue, /* Waiting for a queue. NtRemoveIoCompletion */ + SysKWrLpcReceive, /* Waiting for an LPC receive. */ + SysKWrLpcReply, /* Waiting for an LPC reply. */ + SysKWrVirtualMemory, /* Waiting for virtual memory. */ + SysKWrPageOut, /* Waiting for a page to be written out. */ + SysKWrRendezvous, /* Waiting for a rendezvous. */ + SysKWrKeyedEvent, /* Waiting for a keyed event. 
NtCreateKeyedEvent */ + SysKWrTerminated, /* Waiting for thread termination. */ + SysKWrProcessInSwap, /* Waiting for a process to be swapped in. */ + SysKWrCpuRateControl, /* Waiting for CPU rate control. */ + SysKWrCalloutStack, /* Waiting for a callout stack. */ + SysKWrKernel, /* Waiting for a kernel event. */ + SysKWrResource, /* Waiting for a resource. */ + SysKWrPushLock, /* Waiting for a push lock. */ + SysKWrMutex, /* Waiting for a mutex. */ + SysKWrQuantumEnd, /* Waiting for the end of a quantum. */ + SysKWrDispatchInt, /* Waiting for a dispatch interrupt. */ + SysKWrPreempted, /* Waiting because the thread was preempted. */ + SysKWrYieldExecution, /* Waiting to yield execution. */ + SysKWrFastMutex, /* Waiting for a fast mutex. */ + SysKWrGuardedMutex, /* Waiting for a guarded mutex. */ + SysKWrRundown, /* Waiting for a rundown. */ + SysKWrAlertByThreadId, /* Waiting for an alert by thread ID. */ + SysKWrDeferredPreempt, /* Waiting for a deferred preemption. */ + SysKWrPhysicalFault, /* Waiting for a physical fault. */ + SysKWrIoRing, /* Waiting for an I/O ring. */ + SysKWrMdlCache, /* Waiting for an MDL cache. */ + SysKWrRcu, /* Waiting for read-copy-update (RCU) synchronization. 
*/ SysKMaximumWaitReason } SYSK_KWAIT_REASON, *PSYSK_KWAIT_REASON; -// Memory Information CLasses +/* Memory Information CLasses */ typedef enum _SYSK_MEMORY_INFORMATION_CLASS { - SysKMemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION - SysKMemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION - SysKMemoryMappedFilenameInformation, // q: UNICODE_STRING - SysKMemoryRegionInformation, // q: MEMORY_REGION_INFORMATION - SysKMemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA - SysKMemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8 - SysKMemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION - SysKMemoryRegionInformationEx, // MEMORY_REGION_INFORMATION - SysKMemoryPrivilegedBasicInformation, // MEMORY_BASIC_INFORMATION - SysKMemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 - SysKMemoryBasicInformationCapped, // 10 - SysKMemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 - SysKMemoryBadInformation, // since WIN11 - SysKMemoryBadInformationAllProcesses, // since 22H1 - SysKMemoryImageExtensionInformation, // MEMORY_IMAGE_EXTENSION_INFORMATION // since 24H2 + SysKMemoryBasicInformation, /* q: MEMORY_BASIC_INFORMATION */ + SysKMemoryWorkingSetInformation, /* q: MEMORY_WORKING_SET_INFORMATION */ + SysKMemoryMappedFilenameInformation, /* q: UNICODE_STRING */ + SysKMemoryRegionInformation, /* q: MEMORY_REGION_INFORMATION */ + SysKMemoryWorkingSetExInformation, /* q: MEMORY_WORKING_SET_EX_INFORMATION, since VISTA */ + SysKMemorySharedCommitInformation, /* q: MEMORY_SHARED_COMMIT_INFORMATION, since WIN8 */ + SysKMemoryImageInformation, /* q: MEMORY_IMAGE_INFORMATION */ + SysKMemoryRegionInformationEx, /* MEMORY_REGION_INFORMATION */ + SysKMemoryPrivilegedBasicInformation, /* MEMORY_BASIC_INFORMATION */ + SysKMemoryEnclaveImageInformation, /* MEMORY_ENCLAVE_IMAGE_INFORMATION, since REDSTONE3 */ + 
SysKMemoryBasicInformationCapped, /* 10 */ + SysKMemoryPhysicalContiguityInformation, /* MEMORY_PHYSICAL_CONTIGUITY_INFORMATION, since 20H1 */ + SysKMemoryBadInformation, /* since WIN11 */ + SysKMemoryBadInformationAllProcesses, /* since 22H1 */ + SysKMemoryImageExtensionInformation, /* MEMORY_IMAGE_EXTENSION_INFORMATION, since 24H2 */ SysKMaxMemoryInfoClass } SYSK_MEMORY_INFORMATION_CLASS; -// Memory Reserve Type +/* Memory Reserve Type */ typedef enum _MEMORY_RESERVE_TYPE { MemoryReserveUserApc, 
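Review bot: The rewritten section comment `/* Memory Information CLasses */` carries over the capitalisation typo from the `//` version; since this hunk rewrites every comment in the block, it is the natural place to correct it to `/* Memory Information Classes */`. The same applies in the following hunk (`@@ -461,72 +462,72 @@`), where `/* Partition Information Classses */` should read `/* Partition Information Classes */`. One caveat of the new block-comment style: the old trailing annotations could be extended by appending another `// since ...` to the line, whereas anything appended after the closing `*/` here lands in code, so future additions must go inside the comment before the `*/`. The enum members themselves are untouched by the hunk, so no other line is affected.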
@@ -461,72 +462,72 @@ typedef enum _MEMORY_RESERVE_TYPE MemoryReserveTypeMax } MEMORY_RESERVE_TYPE; -// Mutant Information Classes +/* Mutant Information Classes */ typedef enum _MUTANT_INFORMATION_CLASS { - MutantBasicInformation, // MUTANT_BASIC_INFORMATION - MutantOwnerInformation // MUTANT_OWNER_INFORMATION + MutantBasicInformation, /* MUTANT_BASIC_INFORMATION */ + MutantOwnerInformation /* MUTANT_OWNER_INFORMATION */ } MUTANT_INFORMATION_CLASS; -// Partition Information Classses +/* Partition Information Classses */ typedef enum _SYSK_PARTITION_INFORMATION_CLASS { - SysKSystemMemoryPartitionInformation, // q: MEMORY_PARTITION_CONFIGURATION_INFORMATION - SysKSystemMemoryPartitionMoveMemory, // s: MEMORY_PARTITION_TRANSFER_INFORMATION - SysKSystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION - SysKSystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION - SysKSystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION - SysKSystemMemoryPartitionGetMemoryEvents, // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2 + SysKSystemMemoryPartitionInformation, /* q: MEMORY_PARTITION_CONFIGURATION_INFORMATION */ + SysKSystemMemoryPartitionMoveMemory, /* s: MEMORY_PARTITION_TRANSFER_INFORMATION */ + SysKSystemMemoryPartitionAddPagefile, /* s: MEMORY_PARTITION_PAGEFILE_INFORMATION */ + SysKSystemMemoryPartitionCombineMemory, /* q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION */ + SysKSystemMemoryPartitionInitialAddMemory, /* q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION */ + SysKSystemMemoryPartitionGetMemoryEvents, /* MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, since REDSTONE2 */ SysKSystemMemoryPartitionSetAttributes, SysKSystemMemoryPartitionNodeInformation, SysKSystemMemoryPartitionCreateLargePages, SysKSystemMemoryPartitionDedicatedMemoryInformation, - SysKSystemMemoryPartitionOpenDedicatedMemory, // 10 + SysKSystemMemoryPartitionOpenDedicatedMemory, /* 10 */ 
SysKSystemMemoryPartitionMemoryChargeAttributes, SysKSystemMemoryPartitionClearAttributes, - SysKSystemMemoryPartitionSetMemoryThresholds, // since WIN11 - SysKSystemMemoryPartitionMemoryListCommand, // since 24H2 + SysKSystemMemoryPartitionSetMemoryThresholds, /* since WIN11 */ + SysKSystemMemoryPartitionMemoryListCommand, /* since 24H2 */ SysKSystemMemoryPartitionMax } SYSK_PARTITION_INFORMATION_CLASS, * SYSK_PPARTITION_INFORMATION_CLASS; -// PlugPlay Control Classes +/* PlugPlay Control Classes */ typedef enum _PLUGPLAY_CONTROL_CLASS { - PlugPlayControlEnumerateDevice, // PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA - PlugPlayControlRegisterNewDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlDeregisterDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlInitializeDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlStartDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlUnlockDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlQueryAndRemoveDevice, // PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA - PlugPlayControlUserResponse, // PLUGPLAY_CONTROL_USER_RESPONSE_DATA - PlugPlayControlGenerateLegacyDevice, // PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA - PlugPlayControlGetInterfaceDeviceList, // PLUGPLAY_CONTROL_INTERFACE_LIST_DATA - PlugPlayControlProperty, // PLUGPLAY_CONTROL_PROPERTY_DATA - PlugPlayControlDeviceClassAssociation, // PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA - PlugPlayControlGetRelatedDevice, // PLUGPLAY_CONTROL_RELATED_DEVICE_DATA - PlugPlayControlGetInterfaceDeviceAlias, // PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA - PlugPlayControlDeviceStatus, // PLUGPLAY_CONTROL_STATUS_DATA - PlugPlayControlGetDeviceDepth, // PLUGPLAY_CONTROL_DEPTH_DATA - PlugPlayControlQueryDeviceRelations, // PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA - PlugPlayControlTargetDeviceRelation, // PLUGPLAY_CONTROL_TARGET_RELATION_DATA - PlugPlayControlQueryConflictList, // PLUGPLAY_CONTROL_CONFLICT_LIST - PlugPlayControlRetrieveDock, // 
PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA - PlugPlayControlResetDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlHaltDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlGetBlockedDriverList, // PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA - PlugPlayControlGetDeviceInterfaceEnabled, // PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED + PlugPlayControlEnumerateDevice, /* PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA */ + PlugPlayControlRegisterNewDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlDeregisterDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlInitializeDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlStartDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlUnlockDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlQueryAndRemoveDevice, /* PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA */ + PlugPlayControlUserResponse, /* PLUGPLAY_CONTROL_USER_RESPONSE_DATA */ + PlugPlayControlGenerateLegacyDevice, /* PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA */ + PlugPlayControlGetInterfaceDeviceList, /* PLUGPLAY_CONTROL_INTERFACE_LIST_DATA */ + PlugPlayControlProperty, /* PLUGPLAY_CONTROL_PROPERTY_DATA */ + PlugPlayControlDeviceClassAssociation, /* PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA */ + PlugPlayControlGetRelatedDevice, /* PLUGPLAY_CONTROL_RELATED_DEVICE_DATA */ + PlugPlayControlGetInterfaceDeviceAlias, /* PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA */ + PlugPlayControlDeviceStatus, /* PLUGPLAY_CONTROL_STATUS_DATA */ + PlugPlayControlGetDeviceDepth, /* PLUGPLAY_CONTROL_DEPTH_DATA */ + PlugPlayControlQueryDeviceRelations, /* PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA */ + PlugPlayControlTargetDeviceRelation, /* PLUGPLAY_CONTROL_TARGET_RELATION_DATA */ + PlugPlayControlQueryConflictList, /* PLUGPLAY_CONTROL_CONFLICT_LIST */ + PlugPlayControlRetrieveDock, /* PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA */ + PlugPlayControlResetDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlHaltDevice, /* 
PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlGetBlockedDriverList, /* PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA */ + PlugPlayControlGetDeviceInterfaceEnabled, /* PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED */ MaxPlugPlayControl } PLUGPLAY_CONTROL_CLASS, * PPLUGPLAY_CONTROL_CLASS; -// Port Information Classes +/* Port Information Classes */ typedef enum _PORT_INFORMATION_CLASS { PortBasicInformation, PortDumpInformation } PORT_INFORMATION_CLASS; -// Process State Change Types +/* Process State Change Types */ typedef enum _PROCESS_STATE_CHANGE_TYPE { ProcessStateChangeSuspend, @@ -534,7 +535,7 @@ typedef enum _PROCESS_STATE_CHANGE_TYPE ProcessStateChangeMax, } PROCESS_STATE_CHANGE_TYPE, * PPROCESS_STATE_CHANGE_TYPE; -// PS Create States +/* PS Create States */ typedef enum _PS_CREATE_STATE { PsCreateInitialState, 
@@ -542,30 +543,30 @@ typedef enum _PS_CREATE_STATE PsCreateFailOnSectionCreate, PsCreateFailExeFormat, PsCreateFailMachineMismatch, - PsCreateFailExeName, // Debugger specified + PsCreateFailExeName, /* Debugger specified */ PsCreateSuccess, PsCreateMaximumStates } PS_CREATE_STATE; -// Section Information Classes +/* Section Information Classes */ typedef enum _SECTION_INFORMATION_CLASS { - SectionBasicInformation, // q; SECTION_BASIC_INFORMATION - SectionImageInformation, // q; SECTION_IMAGE_INFORMATION - SectionRelocationInformation, // q; ULONG_PTR RelocationDelta // name:wow64:whNtQuerySection_SectionRelocationInformation // since WIN7 - SectionOriginalBaseInformation, // q; PVOID BaseAddress // since REDSTONE - SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2 + SectionBasicInformation, /* q; SECTION_BASIC_INFORMATION */ + SectionImageInformation, /* q; SECTION_IMAGE_INFORMATION */ + SectionRelocationInformation, /* q; ULONG_PTR RelocationDelta, name:wow64:whNtQuerySection_SectionRelocationInformation, since WIN7 */ + SectionOriginalBaseInformation, /* q; PVOID BaseAddress, since REDSTONE */ + SectionInternalImageInformation, /* SECTION_INTERNAL_IMAGE_INFORMATION, since REDSTONE2 */ MaxSectionInfoClass } SECTION_INFORMATION_CLASS; -// Section Inherit +/* Section Inherit */ typedef enum _SYSK_SECTION_INHERIT { SysKViewShare = 1, SysKViewUnmap = 2 } SYSK_SECTION_INHERIT; -// Secure Setting Value Types +/* Secure Setting Value Types */ typedef enum _SECURE_SETTING_VALUE_TYPE { SecureSettingValueTypeBoolean = 0, 
@@ -575,53 +576,53 @@ typedef enum _SECURE_SETTING_VALUE_TYPE SecureSettingValueTypeUnknown = 4 } SECURE_SETTING_VALUE_TYPE, * PSECURE_SETTING_VALUE_TYPE; -// Semaphore Information Classes +/* Semaphore Information Classes */ typedef enum _SEMAPHORE_INFORMATION_CLASS { SemaphoreBasicInformation } SEMAPHORE_INFORMATION_CLASS; -// Shutdown Actions +/* Shutdown Actions */ typedef enum _SHUTDOWN_ACTION { ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff, - ShutdownRebootForRecovery // since WIN11 + ShutdownRebootForRecovery /* since WIN11 */ } SHUTDOWN_ACTION; -// Symbolic Link Info Classes +/* Symbolic Link Info Classes */ typedef enum _SYMBOLIC_LINK_INFO_CLASS { - SymbolicLinkGlobalInformation = 1, // s: ULONG - SymbolicLinkAccessMask, // s: ACCESS_MASK + SymbolicLinkGlobalInformation = 1, /* s: ULONG */ + SymbolicLinkAccessMask, /* s: ACCESS_MASK */ MaxnSymbolicLinkInfoClass } SYMBOLIC_LINK_INFO_CLASS; -// SYSDBG Commands +/* SYSDBG Commands */ typedef enum _SYSDBG_COMMAND { SysDbgQueryModuleInformation, SysDbgQueryTraceInformation, SysDbgSetTracepoint, - SysDbgSetSpecialCall, // PVOID - SysDbgClearSpecialCalls, // void + SysDbgSetSpecialCall, /* PVOID */ + SysDbgClearSpecialCalls, /* void */ SysDbgQuerySpecialCalls, SysDbgBreakPoint, - SysDbgQueryVersion, // DBGKD_GET_VERSION64 - SysDbgReadVirtual, // SYSDBG_VIRTUAL - SysDbgWriteVirtual, // SYSDBG_VIRTUAL - SysDbgReadPhysical, // SYSDBG_PHYSICAL // 10 - SysDbgWritePhysical, // SYSDBG_PHYSICAL - SysDbgReadControlSpace, // SYSDBG_CONTROL_SPACE - SysDbgWriteControlSpace, // SYSDBG_CONTROL_SPACE - SysDbgReadIoSpace, // SYSDBG_IO_SPACE - SysDbgWriteIoSpace, // SYSDBG_IO_SPACE - SysDbgReadMsr, // SYSDBG_MSR - SysDbgWriteMsr, // SYSDBG_MSR - SysDbgReadBusData, // SYSDBG_BUS_DATA - SysDbgWriteBusData, // SYSDBG_BUS_DATA - SysDbgCheckLowMemory, // 20 + SysDbgQueryVersion, /* DBGKD_GET_VERSION64 */ + SysDbgReadVirtual, /* SYSDBG_VIRTUAL */ + SysDbgWriteVirtual, /* SYSDBG_VIRTUAL */ + SysDbgReadPhysical, /* SYSDBG_PHYSICAL, 
10 */ + SysDbgWritePhysical, /* SYSDBG_PHYSICAL */ + SysDbgReadControlSpace, /* SYSDBG_CONTROL_SPACE */ + SysDbgWriteControlSpace, /* SYSDBG_CONTROL_SPACE */ + SysDbgReadIoSpace, /* SYSDBG_IO_SPACE */ + SysDbgWriteIoSpace, /* SYSDBG_IO_SPACE */ + SysDbgReadMsr, /* SYSDBG_MSR */ + SysDbgWriteMsr, /* SYSDBG_MSR */ + SysDbgReadBusData, /* SYSDBG_BUS_DATA */ + SysDbgWriteBusData, /* SYSDBG_BUS_DATA */ + SysDbgCheckLowMemory, /* 20 */ SysDbgEnableKernelDebugger, SysDbgDisableKernelDebugger, SysDbgGetAutoKdEnable, 
@@ -630,280 +631,280 @@ typedef enum _SYSDBG_COMMAND SysDbgSetPrintBufferSize, SysDbgGetKdUmExceptionEnable, SysDbgSetKdUmExceptionEnable, - SysDbgGetTriageDump, // SYSDBG_TRIAGE_DUMP - SysDbgGetKdBlockEnable, // 30 + SysDbgGetTriageDump, /* SYSDBG_TRIAGE_DUMP */ + SysDbgGetKdBlockEnable, /* 30 */ SysDbgSetKdBlockEnable, SysDbgRegisterForUmBreakInfo, SysDbgGetUmBreakPid, SysDbgClearUmBreakPid, SysDbgGetUmAttachPid, SysDbgClearUmAttachPid, - SysDbgGetLiveKernelDump, // SYSDBG_LIVEDUMP_CONTROL - SysDbgKdPullRemoteFile, // SYSDBG_KD_PULL_REMOTE_FILE + SysDbgGetLiveKernelDump, /* SYSDBG_LIVEDUMP_CONTROL */ + SysDbgKdPullRemoteFile, /* SYSDBG_KD_PULL_REMOTE_FILE */ SysDbgMaxInfoClass } SYSDBG_COMMAND, * PSYSDBG_COMMAND; -// System Information Classes +/* System Information Classes */ typedef enum _SYSTEM_INFORMATION_CLASS { - SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION - SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION - SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION - SystemPathInformation, // not implemented - SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION - SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION - SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION - SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup) - SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION - SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10 - SystemModuleInformation, // q: RTL_PROCESS_MODULES - SystemLocksInformation, // q: RTL_PROCESS_LOCKS - SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES - SystemPagedPoolInformation, // not implemented - SystemNonPagedPoolInformation, // not implemented - SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION - SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with 
SYSTEM_OBJECT_INFORMATION - SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION - SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO - SystemVdmBopInformation, // not implemented // 20 - SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) - SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION - SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup) - SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) - SystemFullMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION - SystemLoadGdiDriverInformation, // s (kernel-mode only) - SystemUnloadGdiDriverInformation, // s (kernel-mode only) - SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) - SystemSummaryMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION - SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30 - SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) - SystemObsolete0, // not implemented - SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION - SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege) - SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION - SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION - SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) - SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only - SystemPrioritySeparation, // s (requires SeTcbPrivilege) - SystemVerifierAddDriverInformation, // s: UNICODE_STRING 
(requires SeDebugPrivilege) // 40 - SystemVerifierRemoveDriverInformation, // s: UNICODE_STRING (requires SeDebugPrivilege) - SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX: USHORT ProcessorGroup) - SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION - SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION - SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION - SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege) - SystemSessionCreate, // not implemented - SystemSessionDetach, // not implemented - SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION) - SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50 - SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) - SystemVerifierThunkExtend, // s (kernel-mode only) - SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION - SystemLoadGdiDriverInSystemSpace, // s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation) - SystemNumaProcessorMap, // q: SYSTEM_NUMA_INFORMATION - SystemPrefetcherInformation, // q; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation - SystemExtendedProcessInformation, // q: SYSTEM_EXTENDED_PROCESS_INFORMATION - SystemRecommendedSharedDataAlignment, // q: ULONG // KeGetRecommendedSharedDataAlignment - SystemComPlusPackage, // q; s: ULONG - SystemNumaAvailableMemory, // q: SYSTEM_NUMA_INFORMATION // 60 - SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup) - SystemEmulationBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemEmulationProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION - SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX - SystemLostDelayedWriteInformation, // q: ULONG - SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION - 
SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION - SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION - SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION - SystemObjectSecurityMode, // q: ULONG // 70 - SystemWatchdogTimerHandler, // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only) - SystemWatchdogTimerInformation, // q: SYSTEM_WATCHDOG_TIMER_INFORMATION // NtQuerySystemInformationEx // (kernel-mode only) - SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx - SystemWow64SharedInformationObsolete, // not implemented - SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only) - SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION - SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX // since VISTA - SystemVerifierTriageInformation, // not implemented - SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation - SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80 - SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) - SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) // NtQuerySystemInformationEx - SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx - SystemVerifierCancellationInformation, // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation - SystemProcessorPowerInformationEx, // not implemented - SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // 
ObQueryRefTraceInformation - SystemSpecialPoolInformation, // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 - SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION - SystemErrorPortInformation, // s (requires SeTcbPrivilege) - SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90 - SystemHypervisorInformation, // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION - SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX - SystemTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) - SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) - SystemCoverageInformation, // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege) - SystemPrefetchPatchInformation, // SYSTEM_PREFETCH_PATCH_INFORMATION - SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) - SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION - SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION - SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 100 - SystemNumaProximityNodeInformation, // q; s: SYSTEM_NUMA_PROXIMITY_MAP - SystemDynamicTimeZoneInformation, // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) - SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation - SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION - SystemProcessorBrandString, // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 - SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires 
SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation - SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // NtQuerySystemInformationEx // KeQueryLogicalProcessorRelationship - SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx - SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation - SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110 - SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege) - SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION - SystemCpuQuotaInformation, // q; s: PS_CPU_QUOTA_QUERY_INFORMATION - SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS - SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION - SystemTpmBootEntropyInformation, // q: BOOT_ENTROPY_NT_RESULT // ExQueryBootEntropyInformation - SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION - SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) - SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 - SystemNodeDistanceInformation, // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber) // NtQuerySystemInformationEx - SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 - SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation - SystemQueryPerformanceCounterInformation, // q: 
SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 - SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8 - SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) - SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION - SystemBadPageInformation, // SYSTEM_BAD_PAGE_INFORMATION - SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA - SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130 - SystemEntropyInterruptTimingInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION - SystemConsoleInformation, // q; s: SYSTEM_CONSOLE_INFORMATION - SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) - SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) - SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION - SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION - SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION - SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION - SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION - SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140 - SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // since WINBLUE - SystemCriticalProcessErrorLogInformation, // CRITICAL_PROCESS_EXCEPTION_DATA - SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION - SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX - SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION - SystemEntropyInterruptTimingRawInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION - 
SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION - SystemFullProcessInformation, // q: SYSTEM_EXTENDED_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) - SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX - SystemBootMetadataInformation, // 150 // (requires SeTcbPrivilege) - SystemSoftRebootInformation, // q: ULONG - SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION - SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 - SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION - SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives) - SystemEdidInformation, // q: SYSTEM_EDID_INFORMATION - SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD - SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION - SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION - SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 160 + SystemBasicInformation, /* q: SYSTEM_BASIC_INFORMATION */ + SystemProcessorInformation, /* q: SYSTEM_PROCESSOR_INFORMATION */ + SystemPerformanceInformation, /* q: SYSTEM_PERFORMANCE_INFORMATION */ + SystemTimeOfDayInformation, /* q: SYSTEM_TIMEOFDAY_INFORMATION */ + SystemPathInformation, /* not implemented */ + SystemProcessInformation, /* q: SYSTEM_PROCESS_INFORMATION */ + SystemCallCountInformation, /* q: SYSTEM_CALL_COUNT_INFORMATION */ + SystemDeviceInformation, /* q: SYSTEM_DEVICE_INFORMATION */ + SystemProcessorPerformanceInformation, /* q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup) */ + SystemFlagsInformation, /* q: SYSTEM_FLAGS_INFORMATION */ + SystemCallTimeInformation, /* not implemented, 
SYSTEM_CALL_TIME_INFORMATION, 10 */ + SystemModuleInformation, /* q: RTL_PROCESS_MODULES */ + SystemLocksInformation, /* q: RTL_PROCESS_LOCKS */ + SystemStackTraceInformation, /* q: RTL_PROCESS_BACKTRACES */ + SystemPagedPoolInformation, /* not implemented */ + SystemNonPagedPoolInformation, /* not implemented */ + SystemHandleInformation, /* q: SYSTEM_HANDLE_INFORMATION */ + SystemObjectInformation, /* q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION */ + SystemPageFileInformation, /* q: SYSTEM_PAGEFILE_INFORMATION */ + SystemVdmInstemulInformation, /* q: SYSTEM_VDM_INSTEMUL_INFO */ + SystemVdmBopInformation, /* not implemented, 20 */ + SystemFileCacheInformation, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) */ + SystemPoolTagInformation, /* q: SYSTEM_POOLTAG_INFORMATION */ + SystemInterruptInformation, /* q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup) */ + SystemDpcBehaviorInformation, /* q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) */ + SystemFullMemoryInformation, /* not implemented, SYSTEM_MEMORY_USAGE_INFORMATION */ + SystemLoadGdiDriverInformation, /* s (kernel-mode only) */ + SystemUnloadGdiDriverInformation, /* s (kernel-mode only) */ + SystemTimeAdjustmentInformation, /* q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) */ + SystemSummaryMemoryInformation, /* not implemented, SYSTEM_MEMORY_USAGE_INFORMATION */ + SystemMirrorMemoryInformation, /* s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege), 30 */ + SystemPerformanceTraceInformation, /* q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) */ + SystemObsolete0, /* not implemented */ + SystemExceptionInformation, /* q: SYSTEM_EXCEPTION_INFORMATION */ + SystemCrashDumpStateInformation, /* s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires 
SeDebugPrivilege) */ + SystemKernelDebuggerInformation, /* q: SYSTEM_KERNEL_DEBUGGER_INFORMATION */ + SystemContextSwitchInformation, /* q: SYSTEM_CONTEXT_SWITCH_INFORMATION */ + SystemRegistryQuotaInformation, /* q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) */ + SystemExtendServiceTableInformation, /* s (requires SeLoadDriverPrivilege), loads win32k only */ + SystemPrioritySeparation, /* s (requires SeTcbPrivilege) */ + SystemVerifierAddDriverInformation, /* s: UNICODE_STRING (requires SeDebugPrivilege), 40 */ + SystemVerifierRemoveDriverInformation, /* s: UNICODE_STRING (requires SeDebugPrivilege) */ + SystemProcessorIdleInformation, /* q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX: USHORT ProcessorGroup) */ + SystemLegacyDriverInformation, /* q: SYSTEM_LEGACY_DRIVER_INFORMATION */ + SystemCurrentTimeZoneInformation, /* q; s: RTL_TIME_ZONE_INFORMATION */ + SystemLookasideInformation, /* q: SYSTEM_LOOKASIDE_INFORMATION */ + SystemTimeSlipNotification, /* s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege) */ + SystemSessionCreate, /* not implemented */ + SystemSessionDetach, /* not implemented */ + SystemSessionInformation, /* not implemented (SYSTEM_SESSION_INFORMATION) */ + SystemRangeStartInformation, /* q: SYSTEM_RANGE_START_INFORMATION, 50 */ + SystemVerifierInformation, /* q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) */ + SystemVerifierThunkExtend, /* s (kernel-mode only) */ + SystemSessionProcessInformation, /* q: SYSTEM_SESSION_PROCESS_INFORMATION */ + SystemLoadGdiDriverInSystemSpace, /* s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation) */ + SystemNumaProcessorMap, /* q: SYSTEM_NUMA_INFORMATION */ + SystemPrefetcherInformation, /* q; s: PREFETCHER_INFORMATION, PfSnQueryPrefetcherInformation */ + SystemExtendedProcessInformation, /* q: SYSTEM_EXTENDED_PROCESS_INFORMATION */ + SystemRecommendedSharedDataAlignment, /* q: ULONG, KeGetRecommendedSharedDataAlignment */ 
+ SystemComPlusPackage, /* q; s: ULONG */ + SystemNumaAvailableMemory, /* q: SYSTEM_NUMA_INFORMATION, 60 */ + SystemProcessorPowerInformation, /* q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup) */ + SystemEmulationBasicInformation, /* q: SYSTEM_BASIC_INFORMATION */ + SystemEmulationProcessorInformation, /* q: SYSTEM_PROCESSOR_INFORMATION */ + SystemExtendedHandleInformation, /* q: SYSTEM_HANDLE_INFORMATION_EX */ + SystemLostDelayedWriteInformation, /* q: ULONG */ + SystemBigPoolInformation, /* q: SYSTEM_BIGPOOL_INFORMATION */ + SystemSessionPoolTagInformation, /* q: SYSTEM_SESSION_POOLTAG_INFORMATION */ + SystemSessionMappedViewInformation, /* q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION */ + SystemHotpatchInformation, /* q; s: SYSTEM_HOTPATCH_CODE_INFORMATION */ + SystemObjectSecurityMode, /* q: ULONG, 70 */ + SystemWatchdogTimerHandler, /* s: SYSTEM_WATCHDOG_HANDLER_INFORMATION, (kernel-mode only) */ + SystemWatchdogTimerInformation, /* q: SYSTEM_WATCHDOG_TIMER_INFORMATION, NtQuerySystemInformationEx, (kernel-mode only) */ + SystemLogicalProcessorInformation, /* q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup), NtQuerySystemInformationEx */ + SystemWow64SharedInformationObsolete, /* not implemented */ + SystemRegisterFirmwareTableInformationHandler, /* s: SYSTEM_FIRMWARE_TABLE_HANDLER, (kernel-mode only) */ + SystemFirmwareTableInformation, /* SYSTEM_FIRMWARE_TABLE_INFORMATION */ + SystemModuleInformationEx, /* q: RTL_PROCESS_MODULE_INFORMATION_EX, since VISTA */ + SystemVerifierTriageInformation, /* not implemented */ + SystemSuperfetchInformation, /* q; s: SUPERFETCH_INFORMATION, PfQuerySuperfetchInformation */ + SystemMemoryListInformation, /* q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege), 80 */ + SystemFileCacheInformationEx, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) */ + 
SystemThreadPriorityClientIdInformation, /* s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege), NtQuerySystemInformationEx */ + SystemProcessorIdleCycleTimeInformation, /* q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup), NtQuerySystemInformationEx */ + SystemVerifierCancellationInformation, /* SYSTEM_VERIFIER_CANCELLATION_INFORMATION, name:wow64:whNT32QuerySystemVerifierCancellationInformation */ + SystemProcessorPowerInformationEx, /* not implemented */ + SystemRefTraceInformation, /* q; s: SYSTEM_REF_TRACE_INFORMATION, ObQueryRefTraceInformation */ + SystemSpecialPoolInformation, /* q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege), MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 */ + SystemProcessIdInformation, /* q: SYSTEM_PROCESS_ID_INFORMATION */ + SystemErrorPortInformation, /* s (requires SeTcbPrivilege) */ + SystemBootEnvironmentInformation, /* q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION, 90 */ + SystemHypervisorInformation, /* q: SYSTEM_HYPERVISOR_QUERY_INFORMATION */ + SystemVerifierInformationEx, /* q; s: SYSTEM_VERIFIER_INFORMATION_EX */ + SystemTimeZoneInformation, /* q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) */ + SystemImageFileExecutionOptionsInformation, /* s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) */ + SystemCoverageInformation, /* q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST, ExpCovQueryInformation (requires SeDebugPrivilege) */ + SystemPrefetchPatchInformation, /* SYSTEM_PREFETCH_PATCH_INFORMATION */ + SystemVerifierFaultsInformation, /* s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) */ + SystemSystemPartitionInformation, /* q: SYSTEM_SYSTEM_PARTITION_INFORMATION */ + SystemSystemDiskInformation, /* q: SYSTEM_SYSTEM_DISK_INFORMATION */ + SystemProcessorPerformanceDistribution, /* q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) NtQuerySystemInformationEx, 100 
*/ + SystemNumaProximityNodeInformation, /* q; s: SYSTEM_NUMA_PROXIMITY_MAP */ + SystemDynamicTimeZoneInformation, /* q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) */ + SystemCodeIntegrityInformation, /* q: SYSTEM_CODEINTEGRITY_INFORMATION, SeCodeIntegrityQueryInformation */ + SystemProcessorMicrocodeUpdateInformation, /* s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION */ + SystemProcessorBrandString, /* q: CHAR[], HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 */ + SystemVirtualAddressInformation, /* q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege), MmQuerySystemVaInformation */ + SystemLogicalProcessorAndGroupInformation, /* q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) since WIN7 NtQuerySystemInformationEx KeQueryLogicalProcessorRelationship */ + SystemProcessorCycleTimeInformation, /* q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup), NtQuerySystemInformationEx */ + SystemStoreInformation, /* q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege), SmQueryStoreInformation */ + SystemRegistryAppendString, /* s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS, 110 */ + SystemAitSamplingValue, /* s: ULONG (requires SeProfileSingleProcessPrivilege) */ + SystemVhdBootInformation, /* q: SYSTEM_VHD_BOOT_INFORMATION */ + SystemCpuQuotaInformation, /* q; s: PS_CPU_QUOTA_QUERY_INFORMATION */ + SystemNativeBasicInformation, /* q: SYSTEM_BASIC_INFORMATION */ + SystemErrorPortTimeouts, /* SYSTEM_ERROR_PORT_TIMEOUTS */ + SystemLowPriorityIoInformation, /* q: SYSTEM_LOW_PRIORITY_IO_INFORMATION */ + SystemTpmBootEntropyInformation, /* q: BOOT_ENTROPY_NT_RESULT, ExQueryBootEntropyInformation */ + SystemVerifierCountersInformation, /* q: SYSTEM_VERIFIER_COUNTERS_INFORMATION */ + SystemPagedPoolInformationEx, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info 
for WorkingSetTypePagedPool) */ + SystemSystemPtesInformationEx, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) 120 */ + SystemNodeDistanceInformation, /* q: USHORT[4*NumaNodes] (EX in: USHORT NodeNumber) NtQuerySystemInformationEx */ + SystemAcpiAuditInformation, /* q: SYSTEM_ACPI_AUDIT_INFORMATION, HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 */ + SystemBasicPerformanceInformation, /* q: SYSTEM_BASIC_PERFORMANCE_INFORMATION, name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation */ + SystemQueryPerformanceCounterInformation, /* q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION, since WIN7 SP1 */ + SystemSessionBigPoolInformation, /* q: SYSTEM_SESSION_POOLTAG_INFORMATION, since WIN8 */ + SystemBootGraphicsInformation, /* q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) */ + SystemScrubPhysicalMemoryInformation, /* q; s: MEMORY_SCRUB_INFORMATION */ + SystemBadPageInformation, /* SYSTEM_BAD_PAGE_INFORMATION */ + SystemProcessorProfileControlArea, /* q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA */ + SystemCombinePhysicalMemoryInformation, /* s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2, 130 */ + SystemEntropyInterruptTimingInformation, /* q; s: SYSTEM_ENTROPY_TIMING_INFORMATION */ + SystemConsoleInformation, /* q; s: SYSTEM_CONSOLE_INFORMATION */ + SystemPlatformBinaryInformation, /* q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) */ + SystemPolicyInformation, /* q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) */ + SystemHypervisorProcessorCountInformation, /* q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION */ + SystemDeviceDataInformation, /* q: SYSTEM_DEVICE_DATA_INFORMATION */ + SystemDeviceDataEnumerationInformation, /* q: SYSTEM_DEVICE_DATA_INFORMATION */ + SystemMemoryTopologyInformation, /* q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION */ + SystemMemoryChannelInformation, /* q: 
SYSTEM_MEMORY_CHANNEL_INFORMATION */ + SystemBootLogoInformation, /* q: SYSTEM_BOOT_LOGO_INFORMATION, 140 */ + SystemProcessorPerformanceInformationEx, /* q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX (EX in: USHORT ProcessorGroup) NtQuerySystemInformationEx since WINBLUE */ + SystemCriticalProcessErrorLogInformation, /* CRITICAL_PROCESS_EXCEPTION_DATA */ + SystemSecureBootPolicyInformation, /* q: SYSTEM_SECUREBOOT_POLICY_INFORMATION */ + SystemPageFileInformationEx, /* q: SYSTEM_PAGEFILE_INFORMATION_EX */ + SystemSecureBootInformation, /* q: SYSTEM_SECUREBOOT_INFORMATION */ + SystemEntropyInterruptTimingRawInformation, /* q; s: SYSTEM_ENTROPY_TIMING_INFORMATION */ + SystemPortableWorkspaceEfiLauncherInformation, /* q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION */ + SystemFullProcessInformation, /* q: SYSTEM_EXTENDED_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) */ + SystemKernelDebuggerInformationEx, /* q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX */ + SystemBootMetadataInformation, /* 150 (requires SeTcbPrivilege) */ + SystemSoftRebootInformation, /* q: ULONG */ + SystemElamCertificateInformation, /* s: SYSTEM_ELAM_CERTIFICATE_INFORMATION */ + SystemOfflineDumpConfigInformation, /* q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 */ + SystemProcessorFeaturesInformation, /* q: SYSTEM_PROCESSOR_FEATURES_INFORMATION */ + SystemRegistryReconciliationInformation, /* s: NULL (requires admin) (flushes registry hives) */ + SystemEdidInformation, /* q: SYSTEM_EDID_INFORMATION */ + SystemManufacturingInformation, /* q: SYSTEM_MANUFACTURING_INFORMATION since THRESHOLD */ + SystemEnergyEstimationConfigInformation, /* q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION */ + SystemHypervisorDetailInformation, /* q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION */ + SystemProcessorCycleStatsInformation, /* q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) NtQuerySystemInformationEx, 160 */ SystemVmGenerationCountInformation, - 
SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION - SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS - SystemCodeIntegrityPolicyInformation, // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION - SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION + SystemTrustedPlatformModuleInformation, /* q: SYSTEM_TPM_INFORMATION */ + SystemKernelDebuggerFlags, /* SYSTEM_KERNEL_DEBUGGER_FLAGS */ + SystemCodeIntegrityPolicyInformation, /* q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION */ + SystemIsolatedUserModeInformation, /* q: SYSTEM_ISOLATED_USER_MODE_INFORMATION */ SystemHardwareSecurityTestInterfaceResultsInformation, - SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION - SystemAllowedCpuSetsInformation, // s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION - SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) - SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 - SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION + SystemSingleModuleInformation, /* q: SYSTEM_SINGLE_MODULE_INFORMATION */ + SystemAllowedCpuSetsInformation, /* s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION */ + SystemVsmProtectionInformation, /* q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) */ + SystemInterruptCpuSetsInformation, /* q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION, 170 */ + SystemSecureBootPolicyFullInformation, /* q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION */ SystemCodeIntegrityPolicyFullInformation, - SystemAffinitizedInterruptProcessorInformation, // q: KAFFINITY_EX // (requires SeIncreaseBasePriorityPrivilege) - SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION - SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 - SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION + SystemAffinitizedInterruptProcessorInformation, 
/* q: KAFFINITY_EX (requires SeIncreaseBasePriorityPrivilege) */ + SystemRootSiloInformation, /* q: SYSTEM_ROOT_SILO_INFORMATION */ + SystemCpuSetInformation, /* q: SYSTEM_CPU_SET_INFORMATION since THRESHOLD2 */ + SystemCpuSetTagInformation, /* q: SYSTEM_CPU_SET_TAG_INFORMATION */ SystemWin32WerStartCallout, - SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION - SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // NtQuerySystemInformationEx // since REDSTONE - SystemInterruptSteeringInformation, // q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT // NtQuerySystemInformationEx // 180 - SystemSupportedProcessorArchitectures, // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx - SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION - SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION - SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2 - SystemControlFlowTransition, // (Warbird/Encrypt/Decrypt/Execute) - SystemKernelDebuggingAllowed, // s: ULONG - SystemActivityModerationExeState, // s: SYSTEM_ACTIVITY_MODERATION_EXE_STATE - SystemActivityModerationUserSettings, // q: SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS - SystemCodeIntegrityPoliciesFullInformation, // NtQuerySystemInformationEx - SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190 + SystemSecureKernelProfileInformation, /* q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION */ + SystemCodeIntegrityPlatformManifestInformation, /* q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION NtQuerySystemInformationEx since REDSTONE */ + SystemInterruptSteeringInformation, /* q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT 
NtQuerySystemInformationEx, 180 */
+ SystemSupportedProcessorArchitectures, /* p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] NtQuerySystemInformationEx */
+ SystemMemoryUsageInformation, /* q: SYSTEM_MEMORY_USAGE_INFORMATION */
+ SystemCodeIntegrityCertificateInformation, /* q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION */
+ SystemPhysicalMemoryInformation, /* q: SYSTEM_PHYSICAL_MEMORY_INFORMATION since REDSTONE2 */
+ SystemControlFlowTransition, /* (Warbird/Encrypt/Decrypt/Execute) */
+ SystemKernelDebuggingAllowed, /* s: ULONG */
+ SystemActivityModerationExeState, /* s: SYSTEM_ACTIVITY_MODERATION_EXE_STATE */
+ SystemActivityModerationUserSettings, /* q: SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS */
+ SystemCodeIntegrityPoliciesFullInformation, /* NtQuerySystemInformationEx */
+ SystemCodeIntegrityUnlockInformation, /* SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, 190 */
 SystemIntegrityQuotaInformation,
- SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
- SystemProcessorIdleMaskInformation, // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3
- SystemSecureDumpEncryptionInformation, // NtQuerySystemInformationEx
- SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
- SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
- SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
+ SystemFlushInformation, /* q: SYSTEM_FLUSH_INFORMATION */
+ SystemProcessorIdleMaskInformation, /* q: ULONG_PTR[ActiveGroupCount] since REDSTONE3 */
+ SystemSecureDumpEncryptionInformation, /* NtQuerySystemInformationEx */
+ SystemWriteConstraintInformation, /* SYSTEM_WRITE_CONSTRAINT_INFORMATION */
+ SystemKernelVaShadowInformation, /* SYSTEM_KERNEL_VA_SHADOW_INFORMATION */
+ SystemHypervisorSharedPageInformation, /* SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION since REDSTONE4 */
 SystemFirmwareBootPerformanceInformation,
- SystemCodeIntegrityVerificationInformation, // 
SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
- SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200
- SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
- SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
- SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
- SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
- SystemCodeIntegrityUnlockModeInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
- SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
- SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION
- SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
- SystemCodeIntegritySyntheticCacheInformation, // NtQuerySystemInformationEx
- SystemFeatureConfigurationInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE // NtQuerySystemInformationEx // since 20H1 // 210
- SystemFeatureConfigurationSectionInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION // NtQuerySystemInformationEx
- SystemFeatureUsageSubscriptionInformation, // q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE
- SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION
- SystemSpacesBootInformation, // since 20H2
- SystemFwRamdiskInformation, // SYSTEM_FIRMWARE_RAMDISK_INFORMATION
+ SystemCodeIntegrityVerificationInformation, /* SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION */
+ SystemFirmwarePartitionInformation, /* SYSTEM_FIRMWARE_PARTITION_INFORMATION, 200 */
+ SystemSpeculationControlInformation, /* SYSTEM_SPECULATION_CONTROL_INFORMATION (CVE-2017-5715) REDSTONE3 and above. 
*/
+ SystemDmaGuardPolicyInformation, /* SYSTEM_DMA_GUARD_POLICY_INFORMATION */
+ SystemEnclaveLaunchControlInformation, /* SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION */
+ SystemWorkloadAllowedCpuSetsInformation, /* SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION since REDSTONE5 */
+ SystemCodeIntegrityUnlockModeInformation, /* SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION */
+ SystemLeapSecondInformation, /* SYSTEM_LEAP_SECOND_INFORMATION */
+ SystemFlags2Information, /* q: SYSTEM_FLAGS_INFORMATION */
+ SystemSecurityModelInformation, /* SYSTEM_SECURITY_MODEL_INFORMATION since 19H1 */
+ SystemCodeIntegritySyntheticCacheInformation, /* NtQuerySystemInformationEx */
+ SystemFeatureConfigurationInformation, /* q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE NtQuerySystemInformationEx since 20H1, 210 */
+ SystemFeatureConfigurationSectionInformation, /* q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION NtQuerySystemInformationEx */
+ SystemFeatureUsageSubscriptionInformation, /* q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE */
+ SystemSecureSpeculationControlInformation, /* SECURE_SPECULATION_CONTROL_INFORMATION */
+ SystemSpacesBootInformation, /* since 20H2 */
+ SystemFwRamdiskInformation, /* SYSTEM_FIRMWARE_RAMDISK_INFORMATION */
 SystemWheaIpmiHardwareInformation,
- SystemDifSetRuleClassInformation, // s: SYSTEM_DIF_VOLATILE_INFORMATION (requires SeDebugPrivilege)
- SystemDifClearRuleClassInformation, // s: NULL (requires SeDebugPrivilege)
- SystemDifApplyPluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege)
- SystemDifRemovePluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) // 220
- SystemShadowStackInformation, // SYSTEM_SHADOW_STACK_INFORMATION
- SystemBuildVersionInformation, // q: in: ULONG (LayerNumber), 
out: SYSTEM_BUILD_VERSION_INFORMATION // NtQuerySystemInformationEx // 222
- SystemPoolLimitInformation, // SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) // NtQuerySystemInformationEx
- SystemCodeIntegrityAddDynamicStore, // CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners
- SystemCodeIntegrityClearDynamicStores, // CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners
+ SystemDifSetRuleClassInformation, /* s: SYSTEM_DIF_VOLATILE_INFORMATION (requires SeDebugPrivilege) */
+ SystemDifClearRuleClassInformation, /* s: NULL (requires SeDebugPrivilege) */
+ SystemDifApplyPluginVerificationOnDriver, /* SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) */
+ SystemDifRemovePluginVerificationOnDriver, /* SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) 220 */
+ SystemShadowStackInformation, /* SYSTEM_SHADOW_STACK_INFORMATION */
+ SystemBuildVersionInformation, /* q: in: ULONG (LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION NtQuerySystemInformationEx, 222 */
+ SystemPoolLimitInformation, /* SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) NtQuerySystemInformationEx */
+ SystemCodeIntegrityAddDynamicStore, /* CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners */
+ SystemCodeIntegrityClearDynamicStores, /* CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners */
 SystemDifPoolTrackingInformation,
- SystemPoolZeroingInformation, // q: SYSTEM_POOL_ZEROING_INFORMATION
- SystemDpcWatchdogInformation, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION
- SystemDpcWatchdogInformation2, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2
- SystemSupportedProcessorArchitectures2, // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230
- SystemSingleProcessorRelationshipInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor) // NtQuerySystemInformationEx
- 
SystemXfgCheckFailureInformation, // q: SYSTEM_XFG_FAILURE_INFORMATION
- SystemIommuStateInformation, // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1
- SystemHypervisorMinrootInformation, // SYSTEM_HYPERVISOR_MINROOT_INFORMATION
- SystemHypervisorBootPagesInformation, // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION
- SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION
- SystemSecureKernelDebuggerInformation, // NtQuerySystemInformationEx
- SystemOriginalImageFeatureInformation, // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx
- SystemMemoryNumaInformation, // SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT // NtQuerySystemInformationEx
- SystemMemoryNumaPerformanceInformation, // SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240
+ SystemPoolZeroingInformation, /* q: SYSTEM_POOL_ZEROING_INFORMATION */
+ SystemDpcWatchdogInformation, /* q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION */
+ SystemDpcWatchdogInformation2, /* q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2 */
+ SystemSupportedProcessorArchitectures2, /* q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] NtQuerySystemInformationEx, 230 */
+ SystemSingleProcessorRelationshipInformation, /* q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: PROCESSOR_NUMBER Processor) NtQuerySystemInformationEx */
+ SystemXfgCheckFailureInformation, /* q: SYSTEM_XFG_FAILURE_INFORMATION */
+ SystemIommuStateInformation, /* SYSTEM_IOMMU_STATE_INFORMATION since 22H1 */
+ SystemHypervisorMinrootInformation, /* SYSTEM_HYPERVISOR_MINROOT_INFORMATION */
+ SystemHypervisorBootPagesInformation, /* SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION */
+ SystemPointerAuthInformation, /* SYSTEM_POINTER_AUTH_INFORMATION */
+ SystemSecureKernelDebuggerInformation, 
/* NtQuerySystemInformationEx */
+ SystemOriginalImageFeatureInformation, /* q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT NtQuerySystemInformationEx */
+ SystemMemoryNumaInformation, /* SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT NtQuerySystemInformationEx */
+ SystemMemoryNumaPerformanceInformation, /* SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT since 24H2, 240 */
 SystemCodeIntegritySignedPoliciesFullInformation,
- SystemSecureCoreInformation, // SystemSecureSecretsInformation
- SystemTrustedAppsRuntimeInformation, // SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION
- SystemBadPageInformationEx, // SYSTEM_BAD_PAGE_INFORMATION
- SystemResourceDeadlockTimeout, // ULONG
- SystemBreakOnContextUnwindFailureInformation, // ULONG (requires SeDebugPrivilege)
- SystemOslRamdiskInformation, // SYSTEM_OSL_RAMDISK_INFORMATION
- SystemCodeIntegrityPolicyManagementInformation, // SYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT // since 25H2
+ SystemSecureCoreInformation, /* SystemSecureSecretsInformation */
+ SystemTrustedAppsRuntimeInformation, /* SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION */
+ SystemBadPageInformationEx, /* SYSTEM_BAD_PAGE_INFORMATION */
+ SystemResourceDeadlockTimeout, /* ULONG */
+ SystemBreakOnContextUnwindFailureInformation, /* ULONG (requires SeDebugPrivilege) */
+ SystemOslRamdiskInformation, /* SYSTEM_OSL_RAMDISK_INFORMATION */
+ SystemCodeIntegrityPolicyManagementInformation, /* SYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT since 25H2 */
 SystemMemoryNumaCacheInformation,
- SystemProcessorFeaturesBitMapInformation, // 250
- SystemRefTraceInformationEx, // SYSTEM_REF_TRACE_INFORMATION_EX
- SystemBasicProcessInformation, // SYSTEM_BASICPROCESS_INFORMATION
- SystemHandleCountInformation, // SYSTEM_HANDLECOUNT_INFORMATION
+ SystemProcessorFeaturesBitMapInformation, /* 250 */
+ 
SystemRefTraceInformationEx, /* SYSTEM_REF_TRACE_INFORMATION_EX */
+ SystemBasicProcessInformation, /* SYSTEM_BASICPROCESS_INFORMATION */
+ SystemHandleCountInformation, /* SYSTEM_HANDLECOUNT_INFORMATION */
 MaxSystemInfoClass
 } SYSTEM_INFORMATION_CLASS;
-// Thread State Change Types
+/* Thread State Change Types */
 typedef enum _THREAD_STATE_CHANGE_TYPE
 {
 ThreadStateChangeSuspend,
@@ -911,26 +912,26 @@ typedef enum _THREAD_STATE_CHANGE_TYPE
 ThreadStateChangeMax,
 } THREAD_STATE_CHANGE_TYPE, * PTHREAD_STATE_CHANGE_TYPE;
-// Timer Information Classes
+/* Timer Information Classes */
 typedef enum _TIMER_INFORMATION_CLASS
 {
- TimerBasicInformation // TIMER_BASIC_INFORMATION
+ TimerBasicInformation /* TIMER_BASIC_INFORMATION */
 } TIMER_INFORMATION_CLASS;
-// Timer Set Information Classes
+/* Timer Set Information Classes */
 typedef enum _SYSK_TIMER_SET_INFORMATION_CLASS
 {
- SysKTimerSetCoalescableTimer, // TIMER_SET_COALESCABLE_TIMER_INFO
+ SysKTimerSetCoalescableTimer, /* TIMER_SET_COALESCABLE_TIMER_INFO */
 SysKMaxTimerInfoClass
 } SYSK_TIMER_SET_INFORMATION_CLASS;
-// Timer Types
+/* Timer Types */
 typedef enum _SYSK_TIMER_TYPE
 {
 SysKTimerNotification,
 SysKTimerSynchronization
 } SYSK_TIMER_TYPE;
-// VDM Service Classes
+/* VDM Service Classes */
 typedef enum _VDMSERVICECLASS
 {
 VdmStartExecution, 
@@ -951,21 +952,21 @@ typedef enum _VDMSERVICECLASS
 VdmPreInitialize
 } VDMSERVICECLASS, * PVDMSERVICECLASS;
-// Virtual Memory Information Classes
+/* Virtual Memory Information Classes */
 typedef enum _SYSK_VIRTUAL_MEMORY_INFORMATION_CLASS
 {
- SysKVmPrefetchInformation, // MEMORY_PREFETCH_INFORMATION
- SysKVmPagePriorityInformation, // MEMORY_PAGE_PRIORITY_INFORMATION
- SysKVmCfgCallTargetInformation, // CFG_CALL_TARGET_LIST_INFORMATION // REDSTONE2
- SysKVmPageDirtyStateInformation, // REDSTONE3
- SysKVmImageHotPatchInformation, // 19H1
- SysKVmPhysicalContiguityInformation, // 20H1
+ SysKVmPrefetchInformation, /* MEMORY_PREFETCH_INFORMATION */
+ SysKVmPagePriorityInformation, /* MEMORY_PAGE_PRIORITY_INFORMATION */
+ SysKVmCfgCallTargetInformation, /* CFG_CALL_TARGET_LIST_INFORMATION REDSTONE2 */
+ SysKVmPageDirtyStateInformation, /* REDSTONE3 */
+ SysKVmImageHotPatchInformation, /* 19H1 */
+ SysKVmPhysicalContiguityInformation, /* 20H1 */
 SysKVmVirtualMachinePrepopulateInformation,
 SysKVmRemoveFromWorkingSetInformation,
 SysKMaxVmInfoClass
 } SYSK_VIRTUAL_MEMORY_INFORMATION_CLASS;
-// Wait Types
+/* Wait Types */
 typedef enum _SYSK_WAIT_TYPE
 {
 SysKWaitAll,
@@ -975,18 +976,18 @@ typedef enum _SYSK_WAIT_TYPE
 SysKWaitDpc,
 } SYSK_WAIT_TYPE;
-// WNF Data Scope
+/* WNF Data Scope */
 typedef enum _WNF_DATA_SCOPE
 {
 WnfDataScopeSystem,
 WnfDataScopeSession,
 WnfDataScopeUser,
 WnfDataScopeProcess,
- WnfDataScopeMachine, // REDSTONE3
- WnfDataScopePhysicalMachine, // WIN11
+ WnfDataScopeMachine, /* REDSTONE3 */
+ WnfDataScopePhysicalMachine, /* WIN11 */
 } WNF_DATA_SCOPE;
-// WNF State Name Information
+/* WNF State Name Information */
 typedef enum _WNF_STATE_NAME_INFORMATION
 {
 WnfInfoStateNameExist,
@@ -994,7 +995,7 @@ typedef enum _WNF_STATE_NAME_INFORMATION
 WnfInfoIsQuiescent
 } WNF_STATE_NAME_INFORMATION;
-// WNF State Name Lifetime
+/* WNF State Name Lifetime */
 typedef enum _WNF_STATE_NAME_LIFETIME
 {
 WnfWellKnownStateName, 
@@ -1003,24 +1004,24 @@ typedef enum _WNF_STATE_NAME_LIFETIME
 WnfTemporaryStateName
 } WNF_STATE_NAME_LIFETIME;
-// Worker Factory Information Classes
+/* Worker Factory Information Classes */
 typedef enum _WORKERFACTORYINFOCLASS
 {
- WorkerFactoryTimeout, // LARGE_INTEGER
- WorkerFactoryRetryTimeout, // LARGE_INTEGER
- WorkerFactoryIdleTimeout, // s: LARGE_INTEGER
- WorkerFactoryBindingCount, // s: ULONG
- WorkerFactoryThreadMinimum, // s: ULONG
- WorkerFactoryThreadMaximum, // s: ULONG
- WorkerFactoryPaused, // ULONG or BOOLEAN
- WorkerFactoryBasicInformation, // q: WORKER_FACTORY_BASIC_INFORMATION
+ WorkerFactoryTimeout, /* LARGE_INTEGER */
+ WorkerFactoryRetryTimeout, /* LARGE_INTEGER */
+ WorkerFactoryIdleTimeout, /* s: LARGE_INTEGER */
+ WorkerFactoryBindingCount, /* s: ULONG */
+ WorkerFactoryThreadMinimum, /* s: ULONG */
+ WorkerFactoryThreadMaximum, /* s: ULONG */
+ WorkerFactoryPaused, /* ULONG or BOOLEAN */
+ WorkerFactoryBasicInformation, /* q: WORKER_FACTORY_BASIC_INFORMATION */
 WorkerFactoryAdjustThreadGoal,
 WorkerFactoryCallbackType,
- WorkerFactoryStackInformation, // 10
- WorkerFactoryThreadBasePriority, // s: ULONG
- WorkerFactoryTimeoutWaiters, // s: ULONG, since THRESHOLD
- WorkerFactoryFlags, // s: ULONG
- WorkerFactoryThreadSoftMaximum, // s: ULONG
- WorkerFactoryThreadCpuSets, // since REDSTONE5
+ WorkerFactoryStackInformation, /* 10 */
+ WorkerFactoryThreadBasePriority, /* s: ULONG */
+ WorkerFactoryTimeoutWaiters, /* s: ULONG, since THRESHOLD */
+ WorkerFactoryFlags, /* s: ULONG */
+ WorkerFactoryThreadSoftMaximum, /* s: ULONG */
+ WorkerFactoryThreadCpuSets, /* since REDSTONE5 */
 MaxWorkerFactoryInfoClass
-} WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS;
+} WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS;
\ No newline at end of file
diff --git a/SysCallerK/Wrapper/include/SysK/sysTypes_k.h b/SysCallerK/Wrapper/include/SysK/sysTypes_k.h
index 92c2795..857c32a 100644
--- a/SysCallerK/Wrapper/include/SysK/sysTypes_k.h 
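Review bot: The rewritten closing line `+} WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS;` drops the file's trailing newline; the `\ No newline at end of file` marker shows that the missing newline is the only difference between the removed and added copies of that line. Restoring the final newline keeps the header's last line from showing up as changed again on the next edit and avoids the missing-EOF-newline warnings some compilers and linters emit. The rest of the hunk is a `//` to `/* */` comment rewrite and is consistent with the other enums in the file.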
+++ b/SysCallerK/Wrapper/include/SysK/sysTypes_k.h
@@ -1,25 +1,20 @@
 #pragma once
-#if defined(_MSC_VER)
-#pragma warning(push)
-#pragma warning(disable:4201) // Disable nameless struct/union warnings (C4201)
-#endif
-
 #include "sysExternals_k.h"
 #include "sysConstants_k.h"
-// Forward declarations for cyclic dependencies
+/* Forward declarations for cyclic dependencies */
 typedef struct _ACTIVATION_CONTEXT* PACTIVATION_CONTEXT;
 typedef struct _ACTIVATION_CONTEXT_DATA* PACTIVATION_CONTEXT_DATA;
 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
 typedef struct _ACTIVATION_CONTEXT_STACK* PACTIVATION_CONTEXT_STACK;
 typedef struct _TEB* PTEB;
-// #define USE_PISID // Uncomment this line to use PISID instead of PSID
-#define USE_DYNAMIC_ARRAY // Uncomment this line to use dynamic array
-#define USE_POINTER_SUBAUTH // Uncomment this line to use pointer to an array for SubAuthority
+// #define USE_PISID /* Uncomment this line to use PISID instead of PSID */
+#define USE_DYNAMIC_ARRAY /* Uncomment this line to use dynamic array */
+#define USE_POINTER_SUBAUTH /* Uncomment this line to use pointer to an array for SubAuthority */
-// APC Routines
+/* APC Routines */
 typedef VOID(NTAPI * PPS_APC_ROUTINE)(
 _In_opt_ PVOID ApcArgument1,
 _In_opt_ PVOID ApcArgument2,
@@ -44,13 +39,13 @@ typedef VOID(NTAPI * IO_APC_ROUTINE)(
 typedef VOID(NTAPI * PENCLAVE_ROUTINE)(VOID);
-// User Thread Start Routine
+/* User Thread Start Routine */
 typedef VOID(*PUSER_THREAD_START_ROUTINE)(PVOID);
-// Timer APC Routine
+/* Timer APC Routine */
 typedef VOID(NTAPI* PACTIVATION_CONTEXT_NOTIFY_ROUTINE)(
- _In_ ULONG NotificationType, // ACTIVATION_CONTEXT_NOTIFICATION_*
+ _In_ ULONG NotificationType, /* ACTIVATION_CONTEXT_NOTIFICATION_* */
 _In_ PACTIVATION_CONTEXT ActivationContext,
 _In_ PACTIVATION_CONTEXT_DATA ActivationContextData,
 _In_opt_ PVOID NotificationContext, 
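Review bot: Removing the `#pragma warning(push)` / `#pragma warning(disable:4201)` block at the top of sysTypes_k.h leaves the nameless struct/union members this same header declares (the anonymous `struct` and `union` inside `_CM_EXTENDED_PARAMETER` in the `@@ -136,35` hunk, and the nested ones in `_OBJECT_BOUNDARY_DESCRIPTOR` and `_PS_CREATE_INFO`) without a suppression for C4201, so an MSVC build at /W4 or with /WX will presumably start reporting it from every translation unit that includes the header. If a matching `#pragma warning(pop)` survives at the end of the file (outside this chunk), it is now unbalanced as well. Unless the project disables C4201 globally, keep the original four lines or say in the commit message why the suppression is no longer needed. Minor: `// #define USE_PISID /* ... */` now mixes both comment styles on one line.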
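Review bot: The heading rewritten as `/* Timer APC Routine */` sits above `PACTIVATION_CONTEXT_NOTIFY_ROUTINE`, whose parameters (`NotificationType`, `ActivationContext`, `ActivationContextData`) have nothing to do with timers, so the comment mislabels the typedef; since the line is being touched anyway, `/* Activation Context Notify Routine */` would describe it. The typedef's parameter list continues past the end of this hunk.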
@@ -58,20 +53,20 @@ typedef VOID(NTAPI* PACTIVATION_CONTEXT_NOTIFY_ROUTINE)(
 _Inout_ PBOOLEAN DisableThisNotification
 );
-// Activation Context Data
+/* Activation Context Data */
 typedef struct _ACTIVATION_CONTEXT_DATA
 {
 ULONG Magic;
 ULONG HeaderSize;
 ULONG FormatVersion;
 ULONG TotalSize;
- ULONG DefaultTocOffset; // to ACTIVATION_CONTEXT_DATA_TOC_HEADER
- ULONG ExtendedTocOffset; // to ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER
- ULONG AssemblyRosterOffset; // to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER
- ULONG Flags; // ACTIVATION_CONTEXT_FLAG_*
+ ULONG DefaultTocOffset; /* to ACTIVATION_CONTEXT_DATA_TOC_HEADER */
+ ULONG ExtendedTocOffset; /* to ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER */
+ ULONG AssemblyRosterOffset; /* to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER */
+ ULONG Flags; /* ACTIVATION_CONTEXT_FLAG_* */
 } ACTIVATION_CONTEXT_DATA, * PACTIVATION_CONTEXT_DATA;
-// Assembly Storage Map Entry
+/* Assembly Storage Map Entry */
 typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY
 {
 ULONG Flags;
@@ -79,7 +74,7 @@ typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY
 HANDLE Handle;
 } ASSEMBLY_STORAGE_MAP_ENTRY, * PASSEMBLY_STORAGE_MAP_ENTRY;
-// Assembly Storage Map
+/* Assembly Storage Map */
 typedef struct _ASSEMBLY_STORAGE_MAP
 {
 ULONG Flags;
@@ -87,7 +82,7 @@ typedef struct _ASSEMBLY_STORAGE_MAP
 PASSEMBLY_STORAGE_MAP_ENTRY* AssemblyArray;
 } ASSEMBLY_STORAGE_MAP, * PASSEMBLY_STORAGE_MAP;
-// Activation Context
+/* Activation Context */
 typedef struct _ACTIVATION_CONTEXT
 {
 LONG RefCount; 
@@ -101,25 +96,25 @@ typedef struct _ACTIVATION_CONTEXT
 PASSEMBLY_STORAGE_MAP_ENTRY InlineStorageMapEntries[32];
 } ACTIVATION_CONTEXT, * PACTIVATION_CONTEXT;
-// RTL Activation Context Stack Frame
+/* RTL Activation Context Stack Frame */
 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME
 {
 struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
 PACTIVATION_CONTEXT ActivationContext;
- ULONG Flags; // RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_*
+ ULONG Flags; /* RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* */
 } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
-// Activation Context Stack Frame
+/* Activation Context Stack Frame */
 typedef struct _ACTIVATION_CONTEXT_STACK
 {
 PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
 LIST_ENTRY FrameListCache;
- ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_*
+ ULONG Flags; /* ACTIVATION_CONTEXT_STACK_FLAG_* */
 ULONG NextCookieSequenceNumber;
 ULONG StackId;
 } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
-// Boot Options
+/* Boot Options */
 typedef struct _BOOT_OPTIONS
 {
 ULONG Version; 
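Review bot: The heading rewritten as `/* Activation Context Stack Frame */` is placed above `_ACTIVATION_CONTEXT_STACK`, which is the stack itself (`ActiveFrame`, `FrameListCache`, `StackId`), while the frame type directly above it already carries the `RTL Activation Context Stack Frame` heading; `/* Activation Context Stack */` would match the struct it labels. The `_BOOT_OPTIONS` struct at the end of this hunk continues outside it.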
@@ -136,35 +131,35 @@ typedef struct _CURDIR
 HANDLE Handle;
 } CURDIR, * PCURDIR;
-// CM Extended Parameter
+/* CM Extended Parameter */
 typedef struct DECLSPEC_ALIGN(8) _CM_EXTENDED_PARAMETER
 {
- // Bit field for the type of the extended parameter
+ /* Bit field for the type of the extended parameter */
 struct
 {
- ULONG64 Type : CM_EXTENDED_PARAMETER_TYPE_BITS; // Type of the extended parameter
- ULONG64 Reserved : 64 - CM_EXTENDED_PARAMETER_TYPE_BITS; // Reserved bits for future use
+ ULONG64 Type : CM_EXTENDED_PARAMETER_TYPE_BITS; /* Type of the extended parameter */
+ ULONG64 Reserved : 64 - CM_EXTENDED_PARAMETER_TYPE_BITS; /* Reserved bits for future use */
 };
- // Union to hold different types of data
+ /* Union to hold different types of data */
 union
 {
- ULONG64 ULong64; // 64-bit unsigned long
- PVOID Pointer; // Pointer to any type
- SIZE_T Size; // Size type
- HANDLE Handle; // Handle type
- ULONG ULong; // 32-bit unsigned long
- ACCESS_MASK AccessMask; // Access mask type
+ ULONG64 ULong64; /* 64-bit unsigned long */
+ PVOID Pointer; /* Pointer to any type */
+ SIZE_T Size; /* Size type */
+ HANDLE Handle; /* Handle type */
+ ULONG ULong; /* 32-bit unsigned long */
+ ACCESS_MASK AccessMask; /* Access mask type */
 };
 } CM_EXTENDED_PARAMETER, * PCM_EXTENDED_PARAMETER;
-// DBGKM Create Thread
+/* DBGKM Create Thread */
 typedef struct _DBGKM_CREATE_THREAD
 {
 ULONG SubSystemKey;
 PVOID StartAddress;
 } DBGKM_CREATE_THREAD, * PDBGKM_CREATE_THREAD;
-// DBGKM Create Process
+/* DBGKM Create Process */
 typedef struct _DBGKM_CREATE_PROCESS
 {
 ULONG SubSystemKey; 
@@ -175,26 +170,26 @@ typedef struct _DBGKM_CREATE_PROCESS
 DBGKM_CREATE_THREAD InitialThread;
 } DBGKM_CREATE_PROCESS, * PDBGKM_CREATE_PROCESS;
-// DBGKM Exception
+/* DBGKM Exception */
 typedef struct _DBGKM_EXCEPTION
 {
 EXCEPTION_RECORD ExceptionRecord;
 ULONG FirstChance;
 } DBGKM_EXCEPTION, * PDBGKM_EXCEPTION;
-// DBGKM Exit Thread
+/* DBGKM Exit Thread */
 typedef struct _DBGKM_EXIT_THREAD
 {
 NTSTATUS ExitStatus;
 } DBGKM_EXIT_THREAD, * PDBGKM_EXIT_THREAD;
-// DBGKM Exit Process
+/* DBGKM Exit Process */
 typedef struct _DBGKM_EXIT_PROCESS
 {
 NTSTATUS ExitStatus;
 } DBGKM_EXIT_PROCESS, * PDBGKM_EXIT_PROCESS;
-// DBGKM Load DLL
+/* DBGKM Load DLL */
 typedef struct _DBGKM_LOAD_DLL
 {
 HANDLE FileHandle;
@@ -204,20 +199,20 @@ typedef struct _DBGKM_LOAD_DLL
 PVOID NamePointer;
 } DBGKM_LOAD_DLL, * PDBGKM_LOAD_DLL;
-// DBGKM Unload DLL
+/* DBGKM Unload DLL */
 typedef struct _DBGKM_UNLOAD_DLL
 {
 PVOID BaseAddress;
 } DBGKM_UNLOAD_DLL, * PDBGKM_UNLOAD_DLL;
-// DBGUI Create Thread
+/* DBGUI Create Thread */
 typedef struct _DBGUI_CREATE_THREAD
 {
 HANDLE HandleToThread;
 DBGKM_CREATE_THREAD NewThread;
 } DBGUI_CREATE_THREAD, * PDBGUI_CREATE_THREAD;
-// DBGUI Create Process
+/* DBGUI Create Process */
 typedef struct _DBGUI_CREATE_PROCESS
 {
 HANDLE HandleToProcess;
@@ -225,7 +220,7 @@ typedef struct _DBGUI_CREATE_PROCESS
 DBGKM_CREATE_PROCESS NewProcess;
 } DBGUI_CREATE_PROCESS, * PDBGUI_CREATE_PROCESS;
-// DBGUI Wait State Change
+/* DBGUI Wait State Change */
 typedef struct _DBGUI_WAIT_STATE_CHANGE
 {
 DBG_STATE NewState; 
@@ -242,17 +237,17 @@ typedef struct _DBGUI_WAIT_STATE_CHANGE
 } StateInfo;
 } DBGUI_WAIT_STATE_CHANGE, * PDBGUI_WAIT_STATE_CHANGE;
-// File Basic Information
+/* File Basic Information */
 typedef struct _SYSK_FILE_BASIC_INFORMATION
 {
- LARGE_INTEGER CreationTime; // Specifies the time that the file was created.
- LARGE_INTEGER LastAccessTime; // Specifies the time that the file was last accessed.
- LARGE_INTEGER LastWriteTime; // Specifies the time that the file was last written to.
- LARGE_INTEGER ChangeTime; // Specifies the last time the file was changed.
- ULONG FileAttributes; // Specifies one or more FILE_ATTRIBUTE_XXX flags.
+ LARGE_INTEGER CreationTime; /* Specifies the time that the file was created. */
+ LARGE_INTEGER LastAccessTime; /* Specifies the time that the file was last accessed. */
+ LARGE_INTEGER LastWriteTime; /* Specifies the time that the file was last written to. */
+ LARGE_INTEGER ChangeTime; /* Specifies the last time the file was changed. */
+ ULONG FileAttributes; /* Specifies one or more FILE_ATTRIBUTE_XXX flags. */
 } SYSK_FILE_BASIC_INFORMATION, * PSYSK_FILE_BASIC_INFORMATION;
-// File IO Completion Information
+/* File IO Completion Information */
 typedef struct _FILE_IO_COMPLETION_INFORMATION
 {
 PVOID KeyContext;
@@ -260,7 +255,7 @@ typedef struct _FILE_IO_COMPLETION_INFORMATION
 IO_STATUS_BLOCK IoStatusBlock;
 } FILE_IO_COMPLETION_INFORMATION, * PFILE_IO_COMPLETION_INFORMATION;
-// File Network Open Information
+/* File Network Open Information */
 typedef struct _SYSK_FILE_NETWORK_OPEN_INFORMATION
 {
 LARGE_INTEGER CreationTime;
@@ -272,7 +267,7 @@ typedef struct _SYSK_FILE_NETWORK_OPEN_INFORMATION
 ULONG FileAttributes;
 } SYSK_FILE_NETWORK_OPEN_INFORMATION, * PSYSK_FILE_NETWORK_OPEN_INFORMATION;
-// File Path
+/* File Path */
 typedef struct _FILE_PATH
 {
 ULONG Version; 
@@ -281,7 +276,7 @@ typedef struct _FILE_PATH
 _Field_size_bytes_(Length) UCHAR FilePath[1];
 } FILE_PATH, * PFILE_PATH;
-// GDI TEB Batch
+/* GDI TEB Batch */
 typedef struct _GDI_TEB_BATCH
 {
 ULONG Offset;
@@ -289,7 +284,7 @@ typedef struct _GDI_TEB_BATCH
 ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
 } GDI_TEB_BATCH, * PGDI_TEB_BATCH;
-// Initial TEB
+/* Initial TEB */
 typedef struct _INITIAL_TEB
 {
 struct
@@ -302,21 +297,21 @@ typedef struct _INITIAL_TEB
 PVOID StackAllocationBase;
 } INITIAL_TEB, * PINITIAL_TEB;
-// Job Set Arrary
+/* Job Set Arrary */
 typedef struct _JOB_SET_ARRAY
 {
 HANDLE JobHandle;
 DWORD MemberLevel;
 DWORD Flags;
 } JOB_SET_ARRAY, * PJOB_SET_ARRAY;
-// Memory Range Entry
+/* Memory Range Entry */
 typedef struct _SYSK_MEMORY_RANGE_ENTRY
 {
 PVOID VirtualAddress;
 SIZE_T NumberOfBytes;
 } SYSK_MEMORY_RANGE_ENTRY, * PSYSK_MEMORY_RANGE_ENTRY;
-// NTPSS Memory Bulk Information
+/* NTPSS Memory Bulk Information */
 typedef struct _NTPSS_MEMORY_BULK_INFORMATION
 {
 ULONG QueryFlags;
@@ -324,7 +319,7 @@ typedef struct _NTPSS_MEMORY_BULK_INFORMATION
 PVOID NextValidAddress;
 } NTPSS_MEMORY_BULK_INFORMATION, * PNTPSS_MEMORY_BULK_INFORMATION;
-// Object Boundary Descriptor
+/* Object Boundary Descriptor */
 typedef struct _OBJECT_BOUNDARY_DESCRIPTOR
 {
 ULONG Version;
@@ -339,10 +334,10 @@ typedef struct _OBJECT_BOUNDARY_DESCRIPTOR
 ULONG Reserved : 31;
 };
 };
- //OBJECT_BOUNDARY_ENTRY Entries[1];
+ /* OBJECT_BOUNDARY_ENTRY Entries[1]; */
 } OBJECT_BOUNDARY_DESCR IPTOR, * POBJECT_BOUNDARY_DESCRIPTOR;
-// PS Attribute
+/* PS Attribute */
 typedef struct _PS_ATTRIBUTE
 {
 ULONG_PTR Attribute; 
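Review bot: The rewritten heading `/* Job Set Arrary */` above `_JOB_SET_ARRAY` carries the original typo into the new comment; since the line is being rewritten anyway, `/* Job Set Array */`. The same pattern recurs in other rewritten comments on this page: `resullting` in the `CreateTime` comment of `_SYSTEM_PROCESS_INFO` (the `@@ -509,90` hunk), and the doubled `SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT` in the `SystemMemoryNumaPerformanceInformation` entry of `SYSTEM_INFORMATION_CLASS`.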
@@ -355,21 +350,21 @@ typedef struct _PS_ATTRIBUTE
 PSIZE_T ReturnLength;
 } PS_ATTRIBUTE, * PPS_ATTRIBUTE;
-// PS Attribute List
+/* PS Attribute List */
 typedef struct _PS_ATTRIBUTE_LIST
 {
 SIZE_T TotalLength;
 PS_ATTRIBUTE Attributes[1];
 } PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;
-// PS Create Info
+/* PS Create Info */
 typedef struct _PS_CREATE_INFO
 {
 SIZE_T Size;
 PS_CREATE_STATE State;
 union
 {
- // PsCreateInitialState
+ /* PsCreateInitialState */
 struct
 {
 union
@@ -388,22 +383,22 @@ typedef struct _PS_CREATE_INFO
 };
 ACCESS_MASK AdditionalFileAccess;
 } InitState;
- // PsCreateFailOnSectionCreate
+ /* PsCreateFailOnSectionCreate */
 struct
 {
 HANDLE FileHandle;
 } FailSection;
- // PsCreateFailExeFormat
+ /* PsCreateFailExeFormat */
 struct
 {
 USHORT DllCharacteristics;
 } ExeFormat;
- // PsCreateFailExeName
+ /* PsCreateFailExeName */
 struct
 {
 HANDLE IFEOKey;
 } ExeName;
- // PsCreateSuccess
+ /* PsCreateSuccess */
 struct
 {
 union
@@ -413,7 +408,7 @@ typedef struct _PS_CREATE_INFO
 {
 UCHAR ProtectedProcess : 1;
 UCHAR AddressSpaceOverride : 1;
- UCHAR DevOverrideEnabled : 1; // from Image File Execution Options
+ UCHAR DevOverrideEnabled : 1; /* from Image File Execution Options */
 UCHAR ManifestDetected : 1;
 UCHAR ProtectedProcessLight : 1;
 UCHAR SpareBits1 : 3;
@@ -434,7 +429,7 @@ typedef struct _PS_CREATE_INFO
 };
 } PS_CREATE_INFO, * PPS_CREATE_INFO;
-// RTL Drive Letter Current Directory
+/* RTL Drive Letter Current Directory */
 typedef struct _RTL_DRIVE_LETTER_CURDIR
 {
 USHORT Flags;
@@ -443,7 +438,7 @@ typedef struct _RTL_DRIVE_LETTER_CURDIR
 STRING DosPath;
 } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
-// RTL User Process Parameters
+/* RTL User Process Parameters */
 typedef struct _RTL_USER_PROCESS_PARAMETERS
 {
 ULONG MaximumLength; 
@@ -486,22 +481,22 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS
 PVOID PackageDependencyData;
 ULONG ProcessGroupId;
 ULONG LoaderThreads;
- UNICODE_STRING RedirectionDllName; // REDSTONE4
- UNICODE_STRING HeapPartitionName; // 19H1
+ UNICODE_STRING RedirectionDllName; /* REDSTONE4 */
+ UNICODE_STRING HeapPartitionName; /* 19H1 */
 PULONGLONG DefaultThreadpoolCpuSetMasks;
 ULONG DefaultThreadpoolCpuSetMaskCount;
 ULONG DefaultThreadpoolThreadMaximum;
- ULONG HeapMemoryTypeMask; // WIN11
+ ULONG HeapMemoryTypeMask; /* WIN11 */
 } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
-// SE File Cache Claim Information
+/* SE File Cache Claim Information */
 typedef struct _SE_FILE_CACHE_CLAIM_INFORMATION
 {
 ULONG Size;
 PVOID Claim;
 } SE_FILE_CACHE_CLAIM_INFORMATION, * PSE_FILE_CACHE_CLAIM_INFORMATION;
-// SE Set File Cache Information
+/* SE Set File Cache Information */
 typedef struct _SE_SET_FILE_CACHE_INFORMATION
 {
 ULONG Size; 
@@ -509,90 +504,90 @@ typedef struct _SE_SET_FILE_CACHE_INFORMATION SE_FILE_CACHE_CLAIM_INFORMATION OriginClaimInfo; } SE_SET_FILE_CACHE_INFORMATION, * PSE_SET_FILE_CACHE_INFORMATION; -// System Thread Information +/* System Thread Information */ typedef struct _SYSTEM_THREAD_INFORMATION { - LARGE_INTEGER KernelTime; // Number of 100-nanosecond intervals spent executing kernel code. - LARGE_INTEGER UserTime; // Number of 100-nanosecond intervals spent executing user code. - LARGE_INTEGER CreateTime; // The date and time when the thread was created. - ULONG WaitTime; // The current time spent in ready queue or waiting (depending on the thread state). - PVOID StartAddress; // The initial start address of the thread. - CLIENT_ID ClientId; // The identifier of the thread and the process owning the thread. - KPRIORITY Priority; // The dynamic priority of the thread. - KPRIORITY BasePriority; // The starting priority of the thread. - ULONG ContextSwitches; // The total number of context switches performed. - KTHREAD_STATE ThreadState; // The current state of the thread. - KWAIT_REASON WaitReason; // The current reason the thread is waiting. + LARGE_INTEGER KernelTime; /* Number of 100-nanosecond intervals spent executing kernel code. */ + LARGE_INTEGER UserTime; /* Number of 100-nanosecond intervals spent executing user code. */ + LARGE_INTEGER CreateTime; /* The date and time when the thread was created. */ + ULONG WaitTime; /* The current time spent in ready queue or waiting (depending on the thread state). */ + PVOID StartAddress; /* The initial start address of the thread. */ + CLIENT_ID ClientId; /* The identifier of the thread and the process owning the thread. */ + KPRIORITY Priority; /* The dynamic priority of the thread. */ + KPRIORITY BasePriority; /* The starting priority of the thread. */ + ULONG ContextSwitches; /* The total number of context switches performed. */ + KTHREAD_STATE ThreadState; /* The current state of the thread. 
*/ + KWAIT_REASON WaitReason; /* The current reason the thread is waiting. */ } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION; -// System Process Information +/* System Process Information */ typedef struct _SYSTEM_PROCESS_INFO { - ULONG NextEntryOffset; // The address of the previous item plus the value in the NextEntryOffset member. For the last item in the array, NextEntryOffset is 0. - ULONG NumberOfThreads; // The NumberOfThreads member contains the number of threads in the process. - ULONGLONG WorkingSetPrivateSize; // since VISTA - ULONG HardFaultCount; // since WIN7 - ULONG NumberOfThreadsHighWatermark; // The peak number of threads that were running at any given point in time, indicative of potential performance bottlenecks related to thread management. - ULONGLONG CycleTime; // The sum of the cycle time of all threads in the process. - LARGE_INTEGER CreateTime; // Number of 100-nanosecond intervals since the creation time of the process. Not updated during system timezone changes resullting in an incorrect value. + ULONG NextEntryOffset; /* The address of the previous item plus the value in the NextEntryOffset member. For the last item in the array, NextEntryOffset is 0. */ + ULONG NumberOfThreads; /* The NumberOfThreads member contains the number of threads in the process. */ + ULONGLONG WorkingSetPrivateSize; /* since VISTA */ + ULONG HardFaultCount; /* since WIN7 */ + ULONG NumberOfThreadsHighWatermark; /* The peak number of threads that were running at any given point in time, indicative of potential performance bottlenecks related to thread management. */ + ULONGLONG CycleTime; /* The sum of the cycle time of all threads in the process. */ + LARGE_INTEGER CreateTime; /* Number of 100-nanosecond intervals since the creation time of the process. Not updated during system timezone changes resullting in an incorrect value. */ LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; - UNICODE_STRING ImageName; // The file name of the executable image. 
+ UNICODE_STRING ImageName; /* The file name of the executable image. */ KPRIORITY BasePriority; HANDLE UniqueProcessId; HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG SessionId; - ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation) - SIZE_T PeakVirtualSize; // The peak size, in bytes, of the virtual memory used by the process. - SIZE_T VirtualSize; // The current size, in bytes, of virtual memory used by the process. - ULONG PageFaultCount; // The member of page faults for data that is not currently in memory. - SIZE_T PeakWorkingSetSize; // The peak size, in kilobytes, of the working set of the process. - SIZE_T WorkingSetSize; // The number of pages visible to the process in physical memory. These pages are resident and available for use without triggering a page fault. - SIZE_T QuotaPeakPagedPoolUsage; // The peak quota charged to the process for pool usage, in bytes. - SIZE_T QuotaPagedPoolUsage; // The quota charged to the process for paged pool usage, in bytes. - SIZE_T QuotaPeakNonPagedPoolUsage; // The peak quota charged to the process for nonpaged pool usage, in bytes. - SIZE_T QuotaNonPagedPoolUsage; // The current quota charged to the process for nonpaged pool usage. - SIZE_T PagefileUsage; // The PagefileUsage member contains the number of bytes of page file storage in use by the process. - SIZE_T PeakPagefileUsage; // The maximum number of bytes of page-file storage used by the process. - SIZE_T PrivatePageCount; // The number of memory pages allocated for the use by the process. - LARGE_INTEGER ReadOperationCount; // The total number of read operations performed. - LARGE_INTEGER WriteOperationCount; // The total number of write operations performed. - LARGE_INTEGER OtherOperationCount; // The total number of I/O operations performed other than read and write operations. - LARGE_INTEGER ReadTransferCount; // The total number of bytes read during a read operation. 
- LARGE_INTEGER WriteTransferCount; // The total number of bytes written during a write operation. - LARGE_INTEGER OtherTransferCount; // The total number of bytes transferred during operations other than read and write operations. - SYSTEM_THREAD_INFORMATION Threads[1]; // This type is not defined in the structure but was added for convenience. + ULONG_PTR UniqueProcessKey; /* since VISTA (requires SystemExtendedProcessInformation) */ + SIZE_T PeakVirtualSize; /* The peak size, in bytes, of the virtual memory used by the process. */ + SIZE_T VirtualSize; /* The current size, in bytes, of virtual memory used by the process. */ + ULONG PageFaultCount; /* The member of page faults for data that is not currently in memory. */ + SIZE_T PeakWorkingSetSize; /* The peak size, in kilobytes, of the working set of the process. */ + SIZE_T WorkingSetSize; /* The number of pages visible to the process in physical memory. These pages are resident and available for use without triggering a page fault. */ + SIZE_T QuotaPeakPagedPoolUsage; /* The peak quota charged to the process for pool usage, in bytes. */ + SIZE_T QuotaPagedPoolUsage; /* The quota charged to the process for paged pool usage, in bytes. */ + SIZE_T QuotaPeakNonPagedPoolUsage; /* The peak quota charged to the process for nonpaged pool usage, in bytes. */ + SIZE_T QuotaNonPagedPoolUsage; /* The current quota charged to the process for nonpaged pool usage. */ + SIZE_T PagefileUsage; /* The PagefileUsage member contains the number of bytes of page file storage in use by the process. */ + SIZE_T PeakPagefileUsage; /* The maximum number of bytes of page-file storage used by the process. */ + SIZE_T PrivatePageCount; /* The number of memory pages allocated for the use by the process. */ + LARGE_INTEGER ReadOperationCount; /* The total number of read operations performed. */ + LARGE_INTEGER WriteOperationCount; /* The total number of write operations performed. 
*/ + LARGE_INTEGER OtherOperationCount; /* The total number of I/O operations performed other than read and write operations. */ + LARGE_INTEGER ReadTransferCount; /* The total number of bytes read during a read operation. */ + LARGE_INTEGER WriteTransferCount; /* The total number of bytes written during a write operation. */ + LARGE_INTEGER OtherTransferCount; /* The total number of bytes transferred during operations other than read and write operations. */ + SYSTEM_THREAD_INFORMATION Threads[1]; /* This type is not defined in the structure but was added for convenience. */ } SYSTEM_PROCESS_INFO, * PSYSTEM_PROCESS_INFO; -// tagSOleTlsData +/* tagSOleTlsData */ typedef struct tagSOleTlsData { PVOID ThreadBase; PVOID SmAllocator; ULONG ApartmentID; - ULONG Flags; // OLETLSFLAGS + ULONG Flags; /* OLETLSFLAGS */ LONG TlsMapIndex; PVOID* TlsSlot; ULONG ComInits; ULONG OleInits; ULONG Calls; - PVOID ServerCall; // previously CallInfo (before TH1) - PVOID CallObjectCache; // previously FreeAsyncCall (before TH1) - PVOID ContextStack; // previously FreeClientCall (before TH1) + PVOID ServerCall; /* previously CallInfo (before TH1) */ + PVOID CallObjectCache; /* previously FreeAsyncCall (before TH1) */ + PVOID ContextStack; /* previously FreeClientCall (before TH1) */ PVOID ObjServer; ULONG TIDCaller; - // ... (other fields are version-dependant) + /* ... (other fields are version-dependant) */ } SOleTlsData, * PSOleTlsData; -// TEB Active Frame Context +/* TEB Active Frame Context */ typedef struct _TEB_ACTIVE_FRAME_CONTEXT { ULONG Flags; PCSTR FrameName; } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; -// TEB Active Frame +/* TEB Active Frame */ typedef struct _TEB_ACTIVE_FRAME { ULONG Flags; 
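Review bot: The rewritten member comments in SYSTEM_PROCESS_INFO carry the old typos forward: the CreateTime comment still reads `resullting in an incorrect value`, and the PageFaultCount comment says `The member of page faults` where `number` is meant. Since the commit already rewrites every one of these lines, this is the moment to fix them, e.g. `ULONG PageFaultCount; /* The number of page faults for data that is not currently in memory. */`. The struct itself is unchanged, so the point is wording only.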
@@ -600,172 +595,172 @@ typedef struct _TEB_ACTIVE_FRAME PTEB_ACTIVE_FRAME_CONTEXT Context; } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; -// TEB +/* TEB */ typedef struct _TEB { - // - // Thread Information Block (TIB) contains the thread's stack, base and limit addresses, the current stack pointer, and the exception list. - // + /* + Thread Information Block (TIB) contains the thread's stack, base and limit addresses, the current stack pointer, and the exception list. + */ NT_TIB NtTib; - // - // Reserved. - // + /* + Reserved. + */ PVOID EnvironmentPointer; - // - // Client ID for this thread. - // + /* + Client ID for this thread. + */ CLIENT_ID ClientId; - // - // A handle to an active Remote Procedure Call (RPC) if the thread is currently involved in an RPC operation. - // + /* + A handle to an active Remote Procedure Call (RPC) if the thread is currently involved in an RPC operation. + */ PVOID ActiveRpcHandle; - // - // A pointer to the __declspec(thread) local storage array. - // + /* + A pointer to the __declspec(thread) local storage array. + */ PVOID ThreadLocalStoragePointer; - // - // A pointer to the Process Environment Block (PEB), which contains information about the process. - // + /* + A pointer to the Process Environment Block (PEB), which contains information about the process. + */ PPEB ProcessEnvironmentBlock; - // - // The previous Win32 error value for this thread. - // + /* + The previous Win32 error value for this thread. + */ ULONG LastErrorValue; - // - // The number of critical sections currently owned by this thread. - // + /* + The number of critical sections currently owned by this thread. + */ ULONG CountOfOwnedCriticalSections; - // - // Reserved. - // + /* + Reserved. + */ PVOID CsrClientThread; - // - // Reserved for GDI/USER (Win32k). - // + /* + Reserved for GDI/USER (Win32k). + */ PVOID Win32ThreadInfo; ULONG User32Reserved[26]; ULONG UserReserved[5]; - // - // Reserved. - // + /* + Reserved. 
+ */ PVOID WOW32Reserved; - // - // The LCID of the current thread. (Kernel32!GetThreadLocale) - // + /* + The LCID of the current thread. (Kernel32!GetThreadLocale) + */ LCID CurrentLocale; - // - // Reserved. - // + /* + Reserved. + */ ULONG FpSoftwareStatusRegister; - // - // Reserved. - // + /* + Reserved. + */ PVOID ReservedForDebuggerInstrumentation[16]; #ifdef _WIN64 - // - // Reserved. - // + /* + Reserved. + */ PVOID SystemReserved1[25]; - // - // Per-thread fiber local storage. (Teb->HasFiberData) - // + /* + Per-thread fiber local storage. (Teb->HasFiberData) + */ PVOID HeapFlsData; - // - // Reserved. - // + /* + Reserved. + */ ULONG_PTR RngState[4]; #else - // - // Reserved. - // + /* + Reserved. + */ PVOID SystemReserved1[26]; #endif - // - // Placeholder compatibility mode. (ProjFs and Cloud Files) - // + /* + Placeholder compatibility mode. (ProjFs and Cloud Files) + */ CHAR PlaceholderCompatibilityMode; - // - // Indicates whether placeholder hydration is always explicit. - // + /* + Indicates whether placeholder hydration is always explicit. + */ BOOLEAN PlaceholderHydrationAlwaysExplicit; - // - // ProjFs and Cloud Files (reparse point) file virtualization. - // + /* + ProjFs and Cloud Files (reparse point) file virtualization. + */ CHAR PlaceholderReserved[10]; - // - // The process ID (PID) that the current COM server thread is acting on behalf of. - // + /* + The process ID (PID) that the current COM server thread is acting on behalf of. + */ ULONG ProxiedProcessId; - // - // Pointer to the activation context stack for the current thread. - // + /* + Pointer to the activation context stack for the current thread. + */ ACTIVATION_CONTEXT_STACK ActivationStack; - // - // Opaque operation on behalf of another user or process. - // + /* + Opaque operation on behalf of another user or process. + */ UCHAR WorkingOnBehalfTicket[8]; - // - // The last exception status for the current thread. 
- // + /* + The last exception status for the current thread. + */ NTSTATUS ExceptionCode; - // - // Pointer to the activation context stack for the current thread. - // + /* + Pointer to the activation context stack for the current thread. + */ PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; - // - // The stack pointer (SP) of the current system call or exception during instrumentation. - // + /* + The stack pointer (SP) of the current system call or exception during instrumentation. + */ ULONG_PTR InstrumentationCallbackSp; - // - // The program counter (PC) of the previous system call or exception during instrumentation. - // + /* + The program counter (PC) of the previous system call or exception during instrumentation. + */ ULONG_PTR InstrumentationCallbackPreviousPc; - // - // The stack pointer (SP) of the previous system call or exception during instrumentation. - // + /* + The stack pointer (SP) of the previous system call or exception during instrumentation. + */ ULONG_PTR InstrumentationCallbackPreviousSp; #ifdef _WIN64 - // - // The miniversion ID of the current transacted file operation. - // + /* + The miniversion ID of the current transacted file operation. + */ ULONG TxFsContext; #endif - // - // Indicates the state of the system call or exception instrumentation callback. - // + /* + Indicates the state of the system call or exception instrumentation callback. + */ BOOLEAN InstrumentationCallbackDisabled; #ifdef _WIN64 - // - // Indicates the state of alignment exceptions for unaligned load/store operations. - // + /* + Indicates the state of alignment exceptions for unaligned load/store operations. + */ BOOLEAN UnalignedLoadStoreExceptions; #endif #ifndef _WIN64 - // - // SpareBytes. - // + /* + SpareBytes. + */ UCHAR SpareBytes[23]; - // - // The miniversion ID of the current transacted file operation. - // + /* + The miniversion ID of the current transacted file operation. 
+ */ ULONG TxFsContext; #endif - // - // Reserved for GDI (Win32k). - // + /* + Reserved for GDI (Win32k). + */ GDI_TEB_BATCH GdiTebBatch; CLIENT_ID RealClientId; HANDLE GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; PVOID GdiThreadLocalInfo; - // - // Reserved for User32 (Win32k). - // + /* + Reserved for User32 (Win32k). + */ ULONG_PTR Win32ClientInfo[WIN32_CLIENT_INFO_LENGTH]; - // - // Reserved for opengl32.dll - // + /* + Reserved for opengl32.dll + */ PVOID glDispatchTable[233]; ULONG_PTR glReserved1[29]; PVOID glReserved2; 
@@ -774,81 +769,81 @@ typedef struct _TEB PVOID glTable; PVOID glCurrentRC; PVOID glContext; - // - // The previous status value for this thread. - // + /* + The previous status value for this thread. + */ NTSTATUS LastStatusValue; - // - // A static string for use by the application. - // + /* + A static string for use by the application. + */ UNICODE_STRING StaticUnicodeString; - // - // A static buffer for use by the application. - // + /* + A static buffer for use by the application. + */ WCHAR StaticUnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; - // - // The maximum stack size and indicates the base of the stack. - // + /* + The maximum stack size and indicates the base of the stack. + */ PVOID DeallocationStack; - // - // Data for Thread Local Storage. (TlsGetValue) - // + /* + Data for Thread Local Storage. (TlsGetValue) + */ PVOID TlsSlots[TLS_MINIMUM_AVAILABLE]; - // - // Reserved for TLS. - // + /* + Reserved for TLS. + */ LIST_ENTRY TlsLinks; - // - // Reserved for NTVDM. - // + /* + Reserved for NTVDM. + */ PVOID Vdm; - // - // Reserved for RPC. - // + /* + Reserved for RPC. + */ PVOID ReservedForNtRpc; - // - // Reserved for Debugging (DebugActiveProcess). - // + /* + Reserved for Debugging (DebugActiveProcess). + */ PVOID DbgSsReserved[2]; - // - // The error mode for the current thread. (GetThreadErrorMode) - // + /* + The error mode for the current thread. (GetThreadErrorMode) + */ ULONG HardErrorMode; - // - // Reserved. - // + /* + Reserved. + */ #ifdef _WIN64 PVOID Instrumentation[11]; #else PVOID Instrumentation[9]; #endif - // - // Reserved. - // + /* + Reserved. + */ GUID ActivityId; - // - // The identifier of the service that created the thread. (svchost) - // + /* + The identifier of the service that created the thread. (svchost) + */ PVOID SubProcessTag; - // - // Reserved. - // + /* + Reserved. + */ PVOID PerflibData; - // - // Reserved. - // + /* + Reserved. 
+ */ PVOID EtwTraceData; - // - // The address of a socket handle during a blocking socket operation. (WSAStartup) - // + /* + The address of a socket handle during a blocking socket operation. (WSAStartup) + */ HANDLE WinSockData; - // - // The number of function calls accumulated in the current GDI batch. (GdiSetBatchLimit) - // + /* + The number of function calls accumulated in the current GDI batch. (GdiSetBatchLimit) + */ ULONG GdiBatchCount; - // - // The preferred processor for the current thread. (SetThreadIdealProcessor/SetThreadIdealProcessorEx) - // + /* + The preferred processor for the current thread. (SetThreadIdealProcessor/SetThreadIdealProcessorEx) + */ union { PROCESSOR_NUMBER CurrentIdealProcessor; 
@@ -861,191 +856,191 @@ typedef struct _TEB UCHAR IdealProcessor; }; }; - // - // The minimum size of the stack available during any stack overflow exceptions. (SetThreadStackGuarantee) - // + /* + The minimum size of the stack available during any stack overflow exceptions. (SetThreadStackGuarantee) + */ ULONG GuaranteedStackBytes; - // - // Reserved. - // + /* + Reserved. + */ PVOID ReservedForPerf; - // - // Reserved for Object Linking and Embedding (OLE) - // + /* + Reserved for Object Linking and Embedding (OLE) + */ PSOleTlsData ReservedForOle; - // - // Indicates whether the thread is waiting on the loader lock. - // + /* + Indicates whether the thread is waiting on the loader lock. + */ ULONG WaitingOnLoaderLock; - // - // The saved priority state for the thread. - // + /* + The saved priority state for the thread. + */ PVOID SavedPriorityState; - // - // Reserved. - // + /* + Reserved. + */ ULONG_PTR ReservedForCodeCoverage; - // - // Reserved. - // + /* + Reserved. + */ PVOID ThreadPoolData; - // - // Pointer to the TLS (Thread Local Storage) expansion slots for the thread. - // + /* + Pointer to the TLS (Thread Local Storage) expansion slots for the thread. + */ PVOID* TlsExpansionSlots; #ifdef _WIN64 - PVOID ChpeV2CpuAreaInfo; // CHPEV2_CPUAREA_INFO // previously DeallocationBStore - PVOID Unused; // previously BStoreLimit + PVOID ChpeV2CpuAreaInfo; /* CHPEV2_CPUAREA_INFO, previously DeallocationBStore */ + PVOID Unused; /* previously BStoreLimit */ #endif - // - // The generation of the MUI (Multilingual User Interface) data. - // + /* + The generation of the MUI (Multilingual User Interface) data. + */ ULONG MuiGeneration; - // - // Indicates whether the thread is impersonating another security context. - // + /* + Indicates whether the thread is impersonating another security context. + */ ULONG IsImpersonating; - // - // Pointer to the NLS (National Language Support) cache. - // + /* + Pointer to the NLS (National Language Support) cache. 
+ */ PVOID NlsCache; - // - // Pointer to the AppCompat/Shim Engine data. - // + /* + Pointer to the AppCompat/Shim Engine data. + */ PVOID pShimData; - // - // Reserved. - // + /* + Reserved. + */ ULONG HeapData; - // - // Handle to the current transaction associated with the thread. - // + /* + Handle to the current transaction associated with the thread. + */ HANDLE CurrentTransactionHandle; - // - // Pointer to the active frame for the thread. - // + /* + Pointer to the active frame for the thread. + */ PTEB_ACTIVE_FRAME ActiveFrame; - // - // Reserved for FLS (RtlProcessFlsData). - // + /* + Reserved for FLS (RtlProcessFlsData). + */ PVOID FlsData; - // - // Pointer to the preferred languages for the current thread. (GetThreadPreferredUILanguages) - // + /* + Pointer to the preferred languages for the current thread. (GetThreadPreferredUILanguages) + */ PVOID PreferredLanguages; - // - // Pointer to the user-preferred languages for the current thread. (GetUserPreferredUILanguages) - // + /* + Pointer to the user-preferred languages for the current thread. (GetUserPreferredUILanguages) + */ PVOID UserPrefLanguages; - // - // Pointer to the merged preferred languages for the current thread. (MUI_MERGE_USER_FALLBACK) - // + /* + Pointer to the merged preferred languages for the current thread. (MUI_MERGE_USER_FALLBACK) + */ PVOID MergedPrefLanguages; - // - // Indicates whether the thread is impersonating another user's language settings. - // + /* + Indicates whether the thread is impersonating another user's language settings. + */ ULONG MuiImpersonation; - // - // Reserved. - // + /* + Reserved. + */ union { USHORT CrossTebFlags; USHORT SpareCrossTebBits : 16; }; - // - // SameTebFlags modify the state and behavior of the current thread. - // + /* + SameTebFlags modify the state and behavior of the current thread. 
+ */ union { USHORT SameTebFlags; struct { USHORT SafeThunkCall : 1; - USHORT InDebugPrint : 1; // Indicates if the thread is currently in a debug print routine. - USHORT HasFiberData : 1; // Indicates if the thread has local fiber-local storage (FLS). - USHORT SkipThreadAttach : 1; // Indicates if the thread should suppress DLL_THREAD_ATTACH notifications. + USHORT InDebugPrint : 1; /* Indicates if the thread is currently in a debug print routine. */ + USHORT HasFiberData : 1; /* Indicates if the thread has local fiber-local storage (FLS). */ + USHORT SkipThreadAttach : 1; /* Indicates if the thread should suppress DLL_THREAD_ATTACH notifications. */ USHORT WerInShipAssertCode : 1; - USHORT RanProcessInit : 1; // Indicates if the thread has run process initialization code. - USHORT ClonedThread : 1; // Indicates if the thread is a clone of a different thread. - USHORT SuppressDebugMsg : 1; // Indicates if the thread should suppress LOAD_DLL_DEBUG_INFO notifications. + USHORT RanProcessInit : 1; /* Indicates if the thread has run process initialization code. */ + USHORT ClonedThread : 1; /* Indicates if the thread is a clone of a different thread. */ + USHORT SuppressDebugMsg : 1; /* Indicates if the thread should suppress LOAD_DLL_DEBUG_INFO notifications. */ USHORT DisableUserStackWalk : 1; USHORT RtlExceptionAttached : 1; - USHORT InitialThread : 1; // Indicates if the thread is the initial thread of the process. + USHORT InitialThread : 1; /* Indicates if the thread is the initial thread of the process. */ USHORT SessionAware : 1; - USHORT LoadOwner : 1; // Indicates if the thread is the owner of the process loader lock. + USHORT LoadOwner : 1; /* Indicates if the thread is the owner of the process loader lock. */ USHORT LoaderWorker : 1; USHORT SkipLoaderInit : 1; USHORT SkipFileAPIBrokering : 1; }; }; - // - // Pointer to the callback function that is called when a KTM transaction scope is entered. 
- // + /* + Pointer to the callback function that is called when a KTM transaction scope is entered. + */ PVOID TxnScopeEnterCallback; - // - // Pointer to the callback function that is called when a KTM transaction scope is exited. - /// + /* + Pointer to the callback function that is called when a KTM transaction scope is exited. + */ PVOID TxnScopeExitCallback; - // - // Pointer to optional context data for use by the application when a KTM transaction scope callback is called. - // + /* + Pointer to optional context data for use by the application when a KTM transaction scope callback is called. + */ PVOID TxnScopeContext; - // - // The lock count of critical sections for the current thread. - // + /* + The lock count of critical sections for the current thread. + */ ULONG LockCount; - // - // The offset to the WOW64 (Windows on Windows) TEB for the current thread. - // + /* + The offset to the WOW64 (Windows on Windows) TEB for the current thread. + */ LONG WowTebOffset; - // - // Reserved. - // + /* + Reserved. + */ PVOID ResourceRetValue; - // - // Reserved for Windows Driver Framework (WDF). - // + /* + Reserved for Windows Driver Framework (WDF). + */ PVOID ReservedForWdf; - // - // Reserved for the Microsoft C runtime (CRT). - // + /* + Reserved for the Microsoft C runtime (CRT). + */ ULONGLONG ReservedForCrt; - // - // The Host Compute Service (HCS) container identifier. - // + /* + The Host Compute Service (HCS) container identifier. + */ GUID EffectiveContainerId; - // - // Reserved for Kernel32!Sleep (SpinWait). - // - ULONGLONG LastSleepCounter; // since Win11 - // - // Reserved for Kernel32!Sleep (SpinWait). - // + /* + Reserved for Kernel32!Sleep (SpinWait). + */ + ULONGLONG LastSleepCounter; /* since Win11 */ + /* + Reserved for Kernel32!Sleep (SpinWait). + */ ULONG SpinCallCount; - // - // Extended feature disable mask (AVX). - // + /* + Extended feature disable mask (AVX). + */ ULONGLONG ExtendedFeatureDisableMask; - // - // Reserved. 
- //
- PVOID SchedulerSharedDataSlot; // since 24H2
- //
- // Reserved.
- //
+ /*
+ Reserved.
+ */
+ PVOID SchedulerSharedDataSlot; /* since 24H2 */
+ /*
+ Reserved.
+ */
 PVOID HeapWalkContext;
- //
- // The primary processor group affinity of the thread.
- //
+ /*
+ The primary processor group affinity of the thread.
+ */
 GROUP_AFFINITY PrimaryGroupAffinity;
- //
- // Read-copy-update (RCU) synchronization context.
- //
+ /*
+ Read-copy-update (RCU) synchronization context.
+ */
 ULONG Rcu[2];
 } TEB, * PTEB;
-// Thread Basic Information
+/* Thread Basic Information */
 typedef struct _THREAD_BASIC_INFO
 {
 NTSTATUS ExitStatus;
@@ -1056,7 +1051,7 @@ typedef struct _THREAD_BASIC_INFO
 KPRIORITY BasePriority;
 } THREAD_BASIC_INFO, * PTHREAD_BASIC_INFO;
-// T2 Set Parameters
+/* T2 Set Parameters */
 typedef struct _T2_SET_PARAMETERS_V0
 {
 ULONG Version;
@@ -1064,7 +1059,7 @@ typedef struct _T2_SET_PARAMETERS_V0
 LONGLONG NoWakeTolerance;
 } T2_SET_PARAMETERS, * PT2_SET_PARAMETERS;
-// WNF Delivery Descriptor
+/* WNF Delivery Descriptor */
 typedef struct _WNF_DELIVERY_DESCRIPTOR
 {
 ULONGLONG SubscriptionId;
@@ -1076,15 +1071,11 @@ typedef struct _WNF_DELIVERY_DESCRIPTOR
 ULONG StateDataOffset;
 } WNF_DELIVERY_DESCRIPTOR, * PWNF_DELIVERY_DESCRIPTOR;
-// Worker Factory Deferred Work
+/* Worker Factory Deferred Work */
 typedef struct _WORKER_FACTORY_DEFERRED_WORK
 {
 PPORT_MESSAGE AlpcSendMessage;
 PVOID AlpcSendMessagePort;
 ULONG AlpcSendMessageFlags;
 ULONG Flags;
-} WORKER_FACTORY_DEFERRED_WORK, * PWORKER_FACTORY_DEFERRED_WORK;
-
-#if defined(_MSC_VER)
-#pragma warning(pop)
-#endif
+} WORKER_FACTORY_DEFERRED_WORK, * PWORKER_FACTORY_DEFERRED_WORK;
\ No newline at end of file
diff --git a/SysCallerK/Wrapper/include/syscaller_k.h b/SysCallerK/Wrapper/include/syscaller_k.h
index e502a52..ed138a2 100644
--- a/SysCallerK/Wrapper/include/syscaller_k.h
+++ b/SysCallerK/Wrapper/include/syscaller_k.h
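Review bot: Dropping the trailing `#if defined(_MSC_VER)` / `#pragma warning(pop)` / `#endif` at the end of the header is a behavioural change hiding in a comment-style commit. If the matching `#pragma warning(push)` near the top of the file (outside this hunk; presumably guarding the nameless struct/union suppression the 1.1.0 changelog mentions) is still there, every translation unit that includes this header now keeps those warnings disabled for the remainder of that unit, so genuine warnings in the including code are silently lost. Either keep the trailing `#pragma warning(pop)` block or remove the push and the disables together. The same hunk also drops the file's final newline (`\ No newline at end of file`), which is worth restoring so the next edit to the last line does not show up as a two-line change.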
@@ -19,4 +19,4 @@
 #include "SysK/sysTypes_k.h"
 #include "SysK/sysExternals_k.h"
-#include "SysK/sysFunctions_k.h"
+#include "SysK/sysFunctions_k.h"
\ No newline at end of file
diff --git a/SysCallerK/Wrapper/src/dummy.c b/SysCallerK/Wrapper/src/dummy.c
index ff39c48..6a4aca4 100644
--- a/SysCallerK/Wrapper/src/dummy.c
+++ b/SysCallerK/Wrapper/src/dummy.c
@@ -1,3 +1,3 @@
-// Required for Visual Studio to parse C headers like ntifs.h
+/* required for Visual Studio to parse C headers like ntifs.h */
 #include "syscaller_k.h"
\ No newline at end of file
From 292634aad5d26b07cd82f203f0a19667856ddbae Mon Sep 17 00:00:00 2001
From: WindowsAPI
Date: Sun, 28 Sep 2025 11:55:36 -0700
Subject: [PATCH 03/32] update release workflow and add changelogs for v1.3.0/v1.3.1
Updated the GitHub Actions build workflow to use version v1.3.2 for release packaging and artifact naming. Added new changelog files for v1.3.0 and v1.3.1.
---
 .github/workflows/build.yml | 18 +++++++--------
 History/CHANGELOG_1.0.0.md | 32 ++++++++++++++------------
 History/CHANGELOG_1.1.0.md | 44 ++++++++++++++++++-----------------
 History/CHANGELOG_1.2.0.md | 32 ++++++++++++--------------
 History/CHANGELOG_1.3.0.md | 46 +++++++++++++++++++++++++++++++++++++
 History/CHANGELOG_1.3.1.md | 17 ++++++++++++++
 6 files changed, 127 insertions(+), 62 deletions(-)
 create mode 100644 History/CHANGELOG_1.3.0.md
 create mode 100644 History/CHANGELOG_1.3.1.md
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0841cb7..32bf28f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -396,7 +396,7 @@ jobs:
 - name: Create Release Package
 if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
 run: |
- $version = "v1.3.1-${{ github.run_number }}"
+ $version = "v1.3.2"
 $zipName = "Bind-$version.zip"
 New-Item -ItemType Directory -Path "release-package" -Force
@@ -404,7 +404,7 @@ jobs:
 Copy-Item "x64/Release/*" "release-package\" -Recurse
 # Create README
- $version = "v1.3.1-${{ github.run_number }}"
+ $version = "v1.3.2"
 $readmeText = "# SysCaller: Bind - v1.3.1`n`n"
 $readmeText += "Build Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss UTC')`n"
 $readmeText += "Commit: ${{ github.sha }}`n"
@@ -430,7 +430,7 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: Release-Package
- path: Bind/Bind-v1.3.1-*.zip
+ path: Bind/Bind-v1.3.2.zip
 retention-days: 90
 - name: Create GitHub Release
@@ -440,10 +440,10 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
- tag_name: v1.3.1-${{ github.run_number }}
- release_name: "SysCaller: Bind - v1.3.1-${{ github.run_number }}"
+ tag_name: v1.3.2
+ release_name: "SysCaller: Bind - v1.3.2"
 body: |
- ## SysCaller: Bind - v1.3.1-${{ github.run_number }}
+ ## SysCaller: Bind - v1.3.2
 **Build Date:** ${{ github.event.head_commit.timestamp }}
 **Commit:** ${{ github.sha }}
@@ -466,6 +466,6 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
- asset_path: Bind/Bind-v1.3.1-${{ github.run_number }}.zip
- asset_name: Bind-v1.3.1-${{ github.run_number }}.zip
- asset_content_type: application/zip
+ asset_path: Bind/Bind-v1.3.2.zip
+ asset_name: Bind-v1.3.2.zip
+ asset_content_type: application/zip
\ No newline at end of file
diff --git a/History/CHANGELOG_1.0.0.md b/History/CHANGELOG_1.0.0.md
index 9bbab08..29f45a3 100644
--- a/History/CHANGELOG_1.0.0.md
+++ b/History/CHANGELOG_1.0.0.md
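Review bot: In the `# Create README` step the new `$version = "v1.3.2"` is not used by the line that follows it: `$readmeText = "# SysCaller: Bind - v1.3.1`n`n"` still hard-codes `v1.3.1`, so the README inside the package will disagree with the zip name, the tag and the release title that this commit moves to v1.3.2. Use the variable instead: `$readmeText = "# SysCaller: Bind - $version`n`n"`. The same literal is assigned a second time in the preceding hunk (`@@ -396`); assigning it once, or reading it from one workflow-level env value, would stop the next bump from missing a copy.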
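Review bot: `tag_name: v1.3.2` is now a fixed value where the old `v1.3.1-${{ github.run_number }}` was unique per run; if the Create GitHub Release step is gated the same way as Create Release Package in the `@@ -396` hunk (every push to main/master), the first push after the release exists will try to create a tag that is already taken and the job will fail until the version is edited by hand. If one release per version is the intent, trigger the release on a tag push, or check whether the tag exists before calling the create-release action, rather than running it on every push to the default branch. `asset_path`/`asset_name` in `@@ -466` use the same fixed name and are fine once the tag question is settled.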
@@ -1,25 +1,27 @@
-# v1.0.0 – Initial Release
+# v1.0.0 - Initial Release
 Released: **March 5, 2025**
 ---
-## What's New?
+## **What's New?**
-- **Integrity Checks**: Introduced validation, verification, & compatibility checks for all stubs.
-- **Dynamic Obfuscation**: Added an obfuscation engine for crafted stubs.
-- **Stub Craft (Manual Crafter)**: Early work began on manual stub crafting logic (WIP).
-- **Settings & Configuration**: Configurable settings.
-- **Backup & Restore**: Full project backup and restoration support.
-- **Tooltips & UX**: Added informative tooltips across the GUI.
-- **Drag & Drop**: Support for DLL file drag & drop into the interface.
-- **GUI Frontend**: Migrated from CLI to a full PyQt based GUI frontend.
-- **CMake Build Support**: Initial `CMakeLists.txt` build integration.
-- **Wrapper Modularization**: Began modularizing BuildTools & Wrapper logic.
-- **Documentation**: Created initial `README.md`.
+---
+
+- Introduced validation, verification, & compatibility checks for all stubs.
+- Added an obfuscation engine for crafted stubs.
+- Early work began on manual stub crafting logic (WIP).
+- Added Configurable settings.
+- Full project backup and restoration support.
+- Added informative tooltips across the GUI.
+- Support for DLL file drag & drop into the interface.
+- Migrated from CLI to a full PyQt based GUI frontend.
+- Initial `CMakeLists.txt` build integration.
+- Began modularizing BuildTools & Wrapper logic.
+- Created initial `README.md`.
 ---
-## Bug Fixes
+## **Bug Fixes**
-- N/A (Initial Stable Release)
+- N/A (Initial Stable Release)
\ No newline at end of file
diff --git a/History/CHANGELOG_1.1.0.md b/History/CHANGELOG_1.1.0.md
index 217d6a8..26d9f45 100644
--- a/History/CHANGELOG_1.1.0.md
+++ b/History/CHANGELOG_1.1.0.md
@@ -4,28 +4,30 @@ Released: **July 22, 2025** --- -## What's New? - -- **Kernel Mode Support**: Added support for kernel mode / `Zw` syscalls. -- **Debug Mode**: You can now build in debug mode with full support. -- **Multiple Syscall Tables**: Support for switching and managing syscall tables. -- **Stronger Regex Patterns**: Improved regex resilience and matching. -- **Stub Hashing**: Each stub now has integrity hashes. -- **Stub Hash Comparison**: Added support to compare hash values of stubs. -- **Documentation**: New **README** and a detailed **WIKI** added. -- **Global Profiles**: Save configurations globally as `.ini` files. -- **Stub Mapper**: Added custom obfuscation via stub mapping. -- **Changelog Viewer**: Changelog history now available in the GUI. -- **GUI / UX Improvements**: Fixed layout, colors, DPI scaling, and architecture inconsistencies. -- **Modular Wrappers**: Wrapper and build tools are now modularized. -- **Project Updates**: Added `SysCaller` and `SysCallerK` directly into the solution. +## **What's New?** --- -## Bug Fixes: +- Added support for kernel mode / `Zw` syscalls. +- You can now build in debug mode with full support. +- Support for switching and managing syscall tables. +- Improved regex resilience and matching. +- Each stub now has integrity hashes. +- Added support to compare hash values of stubs. +- New **README** and a detailed **WIKI** added. +- Save configurations globally as `.ini` files. +- Added custom obfuscation via stub mapping. +- Changelog history now available in the GUI. +- Fixed layout, colors, DPI scaling, and architecture inconsistencies. +- Wrapper and build tools are now modularized. +- Added `SysCaller` and `SysCallerK` directly into the solution. -- **Removed Conflicts**: Removed `64bit` macro (already defined by WDK). -- **Cleaned Structs**: Removed forward declaration of `MEMORY_RESERVE_TYPE`. -- **Suppressed Warnings**: Disabled nameless struct/union compiler warnings. 
-- **Grammar Fixes**: Fixed multiple grammatical issues across UI and docs. -- **Regex Fixes**: Rewrote broken patterns using integrity check feedback. +--- + +## **Bug Fixes** + +- Removed `64bit` macro (already defined by WDK). +- Removed forward declaration of `MEMORY_RESERVE_TYPE`. +- Disabled nameless struct/union compiler warnings. +- Fixed multiple grammatical issues across UI and docs. +- Rewrote broken patterns using integrity check feedback. \ No newline at end of file diff --git a/History/CHANGELOG_1.2.0.md b/History/CHANGELOG_1.2.0.md index 7de86c7..ad8991e 100644 --- a/History/CHANGELOG_1.2.0.md +++ b/History/CHANGELOG_1.2.0.md 
@@ -1,27 +1,25 @@ -# v1.2.0 – Changelog +# v1.2.0 - Changelog -Released: **July 28, 2025** +Released: **July 29, 2025** --- -## What's New? +## **What's New?** -- **C++ Refactor** Rewrote the entire BuildTools/GUI from Python (PyQt) to native C++ using Qt improving performance, stability maintainability, and integration with the core SDK. - -- **Bindings** Added support for any programming language with C bindings, making SysCaller accessible across a wider ecosystem. - -- **SysCaller: Bind** The BuildTools has been officially renamed to **Bind**, reflecting its role in connecting your project with SysCaller using clean GUI based binding, wrapping, and obfuscation features. - -- **Error Handling**: Improved error reporting and exception handling throughout Bind. +--- -- **Enhanced Performance**: C++ BuildTools delivers significantly improved speed, native integration, and reduced memory footprint. +- Rewrote the entire BuildTools/GUI from Python (PyQt) to native C++ using Qt improving performance, stability maintainability, and integration with the core SDK. +- Added support for any programming language with C bindings, making SysCaller accessible across a wider ecosystem. +- The BuildTools has been officially renamed to **Bind**, reflecting its role in connecting your project with SysCaller using clean GUI based binding, wrapping, and obfuscation features. +- Improved error reporting and exception handling throughout Bind. +- C++ BuildTools delivers significantly improved speed, native integration, and reduced memory footprint. --- -## Bug Fixes +## **Bug Fixes** -- **Stub Hash Logic**: Fixed edge case where stub hashes could mismatch during integrity comparison. -- **Obfuscation Output**: Resolved console output issues that caused issues. -- **Dev Artifacts**: Removed placeholder comments, WIP debug code, and development macros. -- **Build System**: Resolved various compilation issues and dependency conflicts. 
-- **Memory Leaks**: Eliminated memory leaks present in the Python implementation. +- Fixed edge case where stub hashes could mismatch during integrity comparison. +- Resolved console output issues that caused issues. +- Removed placeholder comments, WIP debug code, and development macros. +- Resolved various compilation issues and dependency conflicts. +- Eliminated memory leaks present in the Python implementation. \ No newline at end of file diff --git a/History/CHANGELOG_1.3.0.md b/History/CHANGELOG_1.3.0.md new file mode 100644 index 0000000..02a60b4 --- /dev/null +++ b/History/CHANGELOG_1.3.0.md 
@@ -0,0 +1,46 @@ +# v1.3.0 - Changelog + +Released: **September 3, 2025** + +--- + +## **What's New?** + +--- + +- Added comprehensive support for Direct, Inline, and Indirect assembly modes +- Added general tab support with assembly mode selection +- Improved validation system supporting all three modes +- Improved memory management in obfuscation pipeline +- Improved error reporting throughout the system +- Improved CMake support for all assembly modes +- Improved Visual Studio solution files +- Complete restructure of obfuscation system into focused, maintainable modules +- Clear namespace separation: DO (Direct Obfuscation), ID (Indirect Obfuscation), SO (Shared Obfuscation) +- Specialized components for better code organization and performance +- Full implementation of inline/indirect syscalls, and obfuscation with runtime resolver support for indirect mode. +- Resolver string encryption and conditional resolver logic +- control flow, junk generation, string randomization and more for indirect stubs +- (Inline obfuscation is coming in a future release!) 
+- Unified custom title bars across all dialogs (Settings, Hash Compare, Stub Mapper, Changelog) +- External QSS stylesheets for better maintainability +- Enhanced dialog layouts and improved visual consistency +- New ConfirmationDialog for better user interactions +- Comprehensive build configuration macros and conditional compilation +- Better error handling and build messages +- Eliminated namespace conflicts through proper organization +- Consistent header formatting across all files + +--- + +## **Bug Fixes** + +- Removed rcx/r10 conflicting junk instructions that could interfere with syscall execution +- Resolved missing module definition directives and exported functions +- Resolved various compilation issues and dependency conflicts from modularization +- Improved header formatting consistency across all source files +- Improved CMake and Visual Studio solution files for new modular structure +- Improved memory handling in obfuscation pipeline +- Improved error reporting and build message system +- Improved separation of concerns and consistent naming conventions +- Many gui/grammer fixes. \ No newline at end of file diff --git a/History/CHANGELOG_1.3.1.md b/History/CHANGELOG_1.3.1.md new file mode 100644 index 0000000..39296a9 --- /dev/null +++ b/History/CHANGELOG_1.3.1.md @@ -0,0 +1,17 @@ +# v1.3.1 - Changelog + +Released: **September 26, 2025** + +--- + +## **What's New?** + +--- + +- Added GitHub Actions workflows for Bind. +- Added Enums to obfuscation and integrity modules. +- Refactored the entire codebase for the future by ensuring proper usability/practices. + +## **Bug Fixes** + +- N/A (Stability Release) \ No newline at end of file From 85ad45133ec96c945b687e2c5503e0651c821f08 Mon Sep 17 00:00:00 2001 
From: WindowsAPI Date: Tue, 30 Sep 2025 12:54:55 -0700 Subject: [PATCH 04/32] refactor syscall resolver architecture --- SysCaller/SysCaller.vcxproj | 75 ++------- SysCaller/SysCaller.vcxproj.filters | 15 +- .../Resolver/Methods/HashedExportResolver.h | 18 +++ .../Resolver/Methods/MemoryExportResolver.h | 18 +++ .../include/Resolver/Methods/PebLdrResolver.h | 18 +++ SysCaller/Wrapper/include/Resolver/PebUtils.h | 34 ++++ .../Resolver/{Resolver.h => ResolverBase.h} | 15 +- SysCaller/Wrapper/include/syscaller.h | 20 ++- SysCaller/Wrapper/include/syscaller_config.h | 17 +- .../Resolver/Methods/HashedExportResolver.cpp | 147 ++++++++++++++++++ .../Resolver/Methods/MemoryExportResolver.cpp | 46 ++++++ .../src/Resolver/Methods/PebLdrResolver.cpp | 48 ++++++ SysCaller/Wrapper/src/Resolver/PebUtils.cpp | 60 +++++++ .../{Resolver.cpp => ResolverBase.cpp} | 56 ++----- 14 files changed, 469 insertions(+), 118 deletions(-) create mode 100644 SysCaller/Wrapper/include/Resolver/Methods/HashedExportResolver.h create mode 100644 SysCaller/Wrapper/include/Resolver/Methods/MemoryExportResolver.h create mode 100644 SysCaller/Wrapper/include/Resolver/Methods/PebLdrResolver.h create mode 100644 SysCaller/Wrapper/include/Resolver/PebUtils.h rename SysCaller/Wrapper/include/Resolver/{Resolver.h => ResolverBase.h} (52%) create mode 100644 SysCaller/Wrapper/src/Resolver/Methods/HashedExportResolver.cpp create mode 100644 SysCaller/Wrapper/src/Resolver/Methods/MemoryExportResolver.cpp create mode 100644 SysCaller/Wrapper/src/Resolver/Methods/PebLdrResolver.cpp create mode 100644 SysCaller/Wrapper/src/Resolver/PebUtils.cpp rename SysCaller/Wrapper/src/Resolver/{Resolver.cpp => ResolverBase.cpp} (70%) diff --git a/SysCaller/SysCaller.vcxproj b/SysCaller/SysCaller.vcxproj index 8a671bd..9d2b3a6 100644 --- a/SysCaller/SysCaller.vcxproj +++ b/SysCaller/SysCaller.vcxproj @@ -1,14 +1,6 @@ - - Debug - Win32 - - - Release - Win32 - Debug x64 
@@ -26,19 +18,6 @@ 10.0 - - Application - true - v143 - Unicode - - - Application - false - v143 - true - Unicode - StaticLibrary true @@ -46,7 +25,7 @@ Unicode - StaticLibrary + DynamicLibrary false v143 true @@ -58,12 +37,6 @@ - - - - - - @@ -84,34 +57,6 @@ false false - - - Level3 - true - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - - - Console - true - - - - - Level3 - true - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - - - Console - true - true - true - - Level3 @@ -119,7 +64,7 @@ _DEBUG;_CONSOLE;SYSCALLER_DIRECT;%(PreprocessorDefinitions) true stdcpp20 - C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.26100.0\km;%(AdditionalIncludeDirectories) + C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.26100.0\km;$(PROJECTDIR)Wrapper\include;%(AdditionalIncludeDirectories) Console @@ -138,7 +83,7 @@ NDEBUG;_CONSOLE;SYSCALLER_DIRECT;%(PreprocessorDefinitions) true stdcpp20 - C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.26100.0\km;%(AdditionalIncludeDirectories) + C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.26100.0\km;$(PROJECTDIR)Wrapper\include;%(AdditionalIncludeDirectories) Console @@ -160,18 +105,26 @@ - + + + + + - + + + + + @@ -180,4 +133,4 @@ - + \ No newline at end of file diff --git a/SysCaller/SysCaller.vcxproj.filters b/SysCaller/SysCaller.vcxproj.filters index 0384b57..fe8f356 100644 --- a/SysCaller/SysCaller.vcxproj.filters +++ b/SysCaller/SysCaller.vcxproj.filters @@ -2,17 +2,22 @@ - - - - - + + + + + + + + + + \ No newline at end of file diff --git a/SysCaller/Wrapper/include/Resolver/Methods/HashedExportResolver.h b/SysCaller/Wrapper/include/Resolver/Methods/HashedExportResolver.h new file mode 100644 index 0000000..8f29f6f --- /dev/null +++ b/SysCaller/Wrapper/include/Resolver/Methods/HashedExportResolver.h 
@@ -0,0 +1,18 @@ +#pragma once + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +DWORD GetSyscallNumber(const char* functionName); + +BOOL InitializeResolver(); + +void CleanupResolver(); + +#ifdef __cplusplus +} +#endif diff --git a/SysCaller/Wrapper/include/Resolver/Methods/MemoryExportResolver.h b/SysCaller/Wrapper/include/Resolver/Methods/MemoryExportResolver.h new file mode 100644 index 0000000..b175a5a --- /dev/null +++ b/SysCaller/Wrapper/include/Resolver/Methods/MemoryExportResolver.h @@ -0,0 +1,18 @@ +#pragma once + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +DWORD GetSyscallNumber(const char* functionName); + +BOOL InitializeResolver(); + +void CleanupResolver(); + +#ifdef __cplusplus +} +#endif \ No newline at end of file diff --git a/SysCaller/Wrapper/include/Resolver/Methods/PebLdrResolver.h b/SysCaller/Wrapper/include/Resolver/Methods/PebLdrResolver.h new file mode 100644 index 0000000..8f29f6f --- /dev/null +++ b/SysCaller/Wrapper/include/Resolver/Methods/PebLdrResolver.h @@ -0,0 +1,18 @@ +#pragma once + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +DWORD GetSyscallNumber(const char* functionName); + +BOOL InitializeResolver(); + +void CleanupResolver(); + +#ifdef __cplusplus +} +#endif diff --git a/SysCaller/Wrapper/include/Resolver/PebUtils.h b/SysCaller/Wrapper/include/Resolver/PebUtils.h new file mode 100644 index 0000000..a1b0748 --- /dev/null +++ b/SysCaller/Wrapper/include/Resolver/PebUtils.h 
@@ -0,0 +1,34 @@ +#pragma once + +#include +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +__forceinline PPEB GetPeb() +{ +#ifdef _WIN64 + return (PPEB)__readgsqword(0x60); +#else + return (PPEB)__readfsdword(0x30); +#endif +} + +typedef struct _LDR_DATA_TABLE_ENTRY_SYSCALLER { + LIST_ENTRY InMemoryOrderLinks; + PVOID Reserved1[2]; + PVOID DllBase; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; +} LDR_DATA_TABLE_ENTRY_SYSCALLER, *PLDR_DATA_TABLE_ENTRY_SYSCALLER; + +HMODULE FindNtdllBase(); + +#ifdef __cplusplus +} +#endif diff --git a/SysCaller/Wrapper/include/Resolver/Resolver.h b/SysCaller/Wrapper/include/Resolver/ResolverBase.h similarity index 52% rename from SysCaller/Wrapper/include/Resolver/Resolver.h rename to SysCaller/Wrapper/include/Resolver/ResolverBase.h index 744c907..7dcb47b 100644 --- a/SysCaller/Wrapper/include/Resolver/Resolver.h +++ b/SysCaller/Wrapper/include/Resolver/ResolverBase.h @@ -2,6 +2,8 @@ #include #include +#include +#include #ifdef __cplusplus extern "C" { @@ -9,14 +11,14 @@ extern "C" { /** * @brief resolves a syscall number by function name at runtime - * @param functionName the name of the Nt function - * @return the syscall number, or -1 if not found + * @param functionName the name of the Nt/Zw function + * @return the syscall number or -1 if not found */ DWORD GetSyscallNumber(const char* functionName); /** * @brief initializes the resolver (optional, called automatically on first use) - * @return TRUE if successful, FALSE otherwise + * @return TRUE if successful or FALSE otherwise */ BOOL InitializeResolver(); @@ -27,4 +29,9 @@ void CleanupResolver(); #ifdef __cplusplus } -#endif \ No newline at end of file +#endif + +/* internal functions for resolver methods */ +HMODULE GetNtdllHandleInternal(); +std::unordered_map ExtractSyscallsFromDllInternal(); +DWORD ExtractSyscallNumber(LPVOID functionAddress); 
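Review bot: `LDR_DATA_TABLE_ENTRY_SYSCALLER` depends on an undocumented layout: it begins at `InMemoryOrderLinks` and the `PVOID Reserved1[2]` presumably stands in for `InInitializationOrderLinks`, so that `DllBase`/`EntryPoint`/`SizeOfImage`/`BaseDllName` land at the right offsets when `CONTAINING_RECORD` is taken on `InMemoryOrderLinks` in PebUtils.cpp. That matches the public winternl.h shape, but nothing in the header says so and a reordered field would compile cleanly and read garbage. Add a comment above the struct stating that it mirrors `LDR_DATA_TABLE_ENTRY` from `InMemoryOrderLinks` onward and must not be reordered, and pin the one offset the resolver relies on: `static_assert(offsetof(LDR_DATA_TABLE_ENTRY_SYSCALLER, DllBase) == 2 * sizeof(LIST_ENTRY), "LDR entry layout changed");`.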
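Review bot: The `@return` line rewritten in the `@@ -9,14 +11,14 @@` hunk still promises `-1` for a miss, but `GetSyscallNumber` returns `DWORD`, and `ExtractSyscallNumber` in ResolverBase.cpp ends its not-found path with `return 0;`, so unless `GetSyscallNumber`'s body (outside this hunk) translates that, a caller testing for -1 (0xFFFFFFFF) will never see a failure. Settle on a single sentinel and document it, e.g. `* @return the syscall number, or 0 if the name could not be resolved`, or make the implementation actually return the documented value. Separately, the three internal declarations appended after the `extern "C"` block use `std::unordered_map`, so this header is now C++-only despite the `__cplusplus` guards above; move them behind `#ifdef __cplusplus` or into a private internal header so the C surface declared here stays consumable from C bindings.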
diff --git a/SysCaller/Wrapper/include/syscaller.h b/SysCaller/Wrapper/include/syscaller.h index aeba4d2..e01fded 100644 --- a/SysCaller/Wrapper/include/syscaller.h +++ b/SysCaller/Wrapper/include/syscaller.h @@ -36,7 +36,7 @@ */ #define SYSCALLER_BUILD_CONFIG -#include "syscaller_config.h" +#include #undef SYSCALLER_BUILD_CONFIG #if !defined(SYSCALLER_DIRECT) && !defined(SYSCALLER_INDIRECT) && !defined(SYSCALLER_INLINE) @@ -74,10 +74,20 @@ #include #include -#include "Sys/sysTypes.h" -#include "Sys/sysExternals.h" -#include "Sys/sysFunctions.h" +#include +#include +#include #if defined(SYSCALLER_INDIRECT) -#include "Resolver/Resolver.h" + +#if defined(SYSCALLER_RESOLVER_PEB_LDR) +#include +#elif defined(SYSCALLER_RESOLVER_MEMORY_EXPORT) +#include +#elif defined(SYSCALLER_RESOLVER_HASHED_EXPORT) +#include +#else +#error "For SYSCALLER_INDIRECT mode, you must define one resolver: SYSCALLER_RESOLVER_PEB_LDR, SYSCALLER_RESOLVER_MEMORY_EXPORT, or SYSCALLER_RESOLVER_HASHED_EXPORT" +#endif + #endif \ No newline at end of file diff --git a/SysCaller/Wrapper/include/syscaller_config.h b/SysCaller/Wrapper/include/syscaller_config.h index b68c04d..20e6d3f 100644 --- a/SysCaller/Wrapper/include/syscaller_config.h +++ b/SysCaller/Wrapper/include/syscaller_config.h @@ -5,7 +5,7 @@ /* * SysCaller Build Configuration - * + * * Uncomment one of the following lines & add to preprocessor definitions to select your build mode: */ @@ -23,3 +23,18 @@ * This will include dllmain.cpp in the build */ // #define SYSCALLER_BINDINGS + +/* + * Resolver Configuration (for SYSCALLER_INDIRECT mode) + * + * Choose one resolver method: + */ + +/* Use PEB LDR traversal (no WinAPI calls) */ +// #define SYSCALLER_RESOLVER_PEB_LDR + +/* Use memory export parsing with GetModuleHandle (uses WinAPI) */ +// #define SYSCALLER_RESOLVER_MEMORY_EXPORT + +/* Use hashed export parsing (no WinAPI calls) */ +// #define SYSCALLER_RESOLVER_HASHED_EXPORT 
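Review bot: The `#if`/`#elif` chain added in the `@@ -74,10 +74,20 @@` hunk only errors when no resolver macro is defined; defining two (say `SYSCALLER_RESOLVER_PEB_LDR` together with `SYSCALLER_RESOLVER_HASHED_EXPORT`) is silently accepted here, yet each resolver .cpp in this commit compiles its own `GetNtdllHandleInternal()` under an independent `#ifdef`, so that configuration fails at link time with a duplicate definition instead of a readable diagnostic. Add a mutual-exclusion check before the chain: `#if defined(SYSCALLER_RESOLVER_PEB_LDR) + defined(SYSCALLER_RESOLVER_MEMORY_EXPORT) + defined(SYSCALLER_RESOLVER_HASHED_EXPORT) > 1` / `#error "SysCaller: define exactly one SYSCALLER_RESOLVER_* method"` / `#endif`. The "Choose one resolver method" comment added to syscaller_config.h in the same line's last hunk currently relies on the reader to obey it; point it at this check.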
diff --git a/SysCaller/Wrapper/src/Resolver/Methods/HashedExportResolver.cpp b/SysCaller/Wrapper/src/Resolver/Methods/HashedExportResolver.cpp new file mode 100644 index 0000000..9ad4907 --- /dev/null +++ b/SysCaller/Wrapper/src/Resolver/Methods/HashedExportResolver.cpp 
@@ -0,0 +1,147 @@ +#if defined(SYSCALLER_DIRECT) +#pragma message("SysCaller: Building via DIRECT syscall mode") +#elif defined(SYSCALLER_INDIRECT) +#pragma message("SysCaller: Building via INDIRECT syscall mode") +#elif defined(SYSCALLER_INLINE) +#pragma message("SysCaller: Building via INLINE ASM syscall mode") +#else +#pragma message("SysCaller: No build mode specified, defaulting to DIRECT") +#endif + +#if defined(SYSCALLER_BINDINGS) +#pragma message("SysCaller: Building with BINDINGS support (DLL export)") +#endif + +#ifdef SYSCALLER_INDIRECT +#ifdef SYSCALLER_RESOLVER_HASHED_EXPORT + +#include +#include +#include + +/* simple djb2 hash function for strings */ +constexpr DWORD HashString(const char* str) +{ + DWORD hash = 5381; + int c; + while ((c = *str++)) + { + hash = ((hash << 5) + hash) + c; /* hash * 33 + c */ + } + return hash; +} + +/* known syscall name hashes */ +static const DWORD knownSyscallHashes[] = { + HashString("NtQuerySystemInformation") +}; + +static const size_t numKnownHashes = sizeof(knownSyscallHashes) / sizeof(knownSyscallHashes[0]); + +DWORD HashStringRuntime(const char* str) +{ + DWORD hash = 5381; + int c; + while ((c = *str++)) + { + hash = ((hash << 5) + hash) + c; /* hash * 33 + c */ + } + return hash; +} + +bool IsKnownSyscallHash(DWORD hash) +{ + for (size_t i = 0; i < numKnownHashes; i++) + { + if (knownSyscallHashes[i] == hash) + { + return true; + } + } + return false; +} + +std::unordered_map ExtractSyscallsFromDllHashedInternal() +{ + std::unordered_map syscallNumbers; + HMODULE hNtdll = GetNtdllHandleInternal(); + + if (!hNtdll) + { + return syscallNumbers; + } + + PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hNtdll; + + if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) + { + return syscallNumbers; + } + + PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hNtdll + dosHeader->e_lfanew); + + if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) + { + return syscallNumbers; + } + + if 
(ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress == 0) + { + return syscallNumbers; + } + + PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)hNtdll + + ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + + DWORD* functions = (DWORD*)((BYTE*)hNtdll + exportDir->AddressOfFunctions); + DWORD* names = (DWORD*)((BYTE*)hNtdll + exportDir->AddressOfNames); + WORD* ordinals = (WORD*)((BYTE*)hNtdll + exportDir->AddressOfNameOrdinals); + + for (DWORD i = 0; i < exportDir->NumberOfNames; i++) + { + const char* funcName = (const char*)((BYTE*)hNtdll + names[i]); + DWORD nameHash = HashStringRuntime(funcName); + + if (IsKnownSyscallHash(nameHash)) + { + DWORD funcRVA = functions[ordinals[i]]; + LPVOID funcAddress = (LPVOID)((BYTE*)hNtdll + funcRVA); + DWORD syscallNumber = ExtractSyscallNumber(funcAddress); + + if (syscallNumber > 0 && syscallNumber <= 0xFFFF) + { + syscallNumbers[funcName] = syscallNumber; + } + } + } + + return syscallNumbers; +} + +HMODULE GetNtdllHandleInternal() +{ + static HMODULE cachedNtdllHandle = NULL; + + if (cachedNtdllHandle == NULL) + { + cachedNtdllHandle = FindNtdllBase(); + + if (cachedNtdllHandle == NULL) + { + /* peb traversal failed so this is a critical error, no fallback */ + return NULL; + } + } + + return cachedNtdllHandle; +} + +#else +/* not using HashedExportResolver */ +#pragma message("SysCaller: HashedExportResolver.cpp skipped (SYSCALLER_RESOLVER_HASHED_EXPORT not defined)") +#endif + +#else +/* not in indirect mode file compiles to nothing */ +#pragma message("SysCaller: HashedExportResolver.cpp skipped (SYSCALLER_INDIRECT not defined)") +#endif diff --git a/SysCaller/Wrapper/src/Resolver/Methods/MemoryExportResolver.cpp b/SysCaller/Wrapper/src/Resolver/Methods/MemoryExportResolver.cpp new file mode 100644 index 0000000..02adcf2 --- /dev/null +++ b/SysCaller/Wrapper/src/Resolver/Methods/MemoryExportResolver.cpp 
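Review bot: `knownSyscallHashes` holds a single entry (`HashString("NtQuerySystemInformation")`), and `ExtractSyscallsFromDllHashedInternal` only records exports whose hash is in that table, so a `SYSCALLER_RESOLVER_HASHED_EXPORT` build can resolve at most one syscall and every other Nt*/Zw* name will miss; if this is a placeholder it needs a `/* TODO: generate from the stub list */` comment, otherwise the table has to be populated for every stub the wrapper emits (note the map is still keyed by the plaintext `funcName`, so the hashing currently hides nothing). Second, the filter `if (syscallNumber > 0 && syscallNumber <= 0xFFFF)` drops SSN 0, which is a real service number on x64 (NtAccessCheck), because `ExtractSyscallNumber` also returns 0 for "not found"; a distinct miss sentinel such as `0xFFFFFFFF` would let 0 be stored. Minor: `HashStringRuntime` duplicates the `constexpr` `HashString`, which is already callable at runtime, and `ordinals[i]` is indexed into `functions` without being checked against `exportDir->NumberOfFunctions`.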
@@ -0,0 +1,46 @@ +#if defined(SYSCALLER_DIRECT) +#pragma message("SysCaller: Building via DIRECT syscall mode") +#elif defined(SYSCALLER_INDIRECT) +#pragma message("SysCaller: Building via INDIRECT syscall mode") +#elif defined(SYSCALLER_INLINE) +#pragma message("SysCaller: Building via INLINE ASM syscall mode") +#else +#pragma message("SysCaller: No build mode specified, defaulting to DIRECT") +#endif + +#if defined(SYSCALLER_BINDINGS) +#pragma message("SysCaller: Building with BINDINGS support (DLL export)") +#endif + +#ifdef SYSCALLER_INDIRECT +#ifdef SYSCALLER_RESOLVER_MEMORY_EXPORT + +#include +#include + +HMODULE GetNtdllHandleInternal() +{ + static HMODULE cachedNtdllHandle = NULL; + + if (cachedNtdllHandle == NULL) + { + cachedNtdllHandle = GetModuleHandleA("ntdll.dll"); + + if (cachedNtdllHandle == NULL) + { + cachedNtdllHandle = LoadLibraryA("ntdll.dll"); + } + } + + return cachedNtdllHandle; +} + +#else +/* not using MemoryExportResolver */ +#pragma message("SysCaller: MemoryExportResolver.cpp skipped (SYSCALLER_RESOLVER_MEMORY_EXPORT not defined)") +#endif + +#else +/* not in indirect mode file compiles to nothing */ +#pragma message("SysCaller: MemoryExportResolver.cpp skipped (SYSCALLER_INDIRECT not defined)") +#endif diff --git a/SysCaller/Wrapper/src/Resolver/Methods/PebLdrResolver.cpp b/SysCaller/Wrapper/src/Resolver/Methods/PebLdrResolver.cpp new file mode 100644 index 0000000..ae33780 --- /dev/null +++ b/SysCaller/Wrapper/src/Resolver/Methods/PebLdrResolver.cpp 
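Review bot: The `LoadLibraryA("ntdll.dll")` fallback in `GetNtdllHandleInternal` is almost certainly unreachable, since ntdll is mapped into every user-mode process before any of this code can run, and if it ever did succeed the reference it takes is never released (`CleanupResolver` in ResolverBase.cpp only clears the cache). Either drop the fallback and return `NULL` when `GetModuleHandleA` fails, which matches the "no fallback" policy the PEB-based resolvers adopt in this commit, or keep it and say why in a comment: `/* ntdll is always loaded; reaching LoadLibraryA means the process is already in an unusable state */`.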
@@ -0,0 +1,48 @@ +#if defined(SYSCALLER_DIRECT) +#pragma message("SysCaller: Building via DIRECT syscall mode") +#elif defined(SYSCALLER_INDIRECT) +#pragma message("SysCaller: Building via INDIRECT syscall mode") +#elif defined(SYSCALLER_INLINE) +#pragma message("SysCaller: Building via INLINE ASM syscall mode") +#else +#pragma message("SysCaller: No build mode specified, defaulting to DIRECT") +#endif + +#if defined(SYSCALLER_BINDINGS) +#pragma message("SysCaller: Building with BINDINGS support (DLL export)") +#endif + +#ifdef SYSCALLER_INDIRECT +#ifdef SYSCALLER_RESOLVER_PEB_LDR + +#include +#include +#include + +HMODULE GetNtdllHandleInternal() +{ + static HMODULE cachedNtdllHandle = NULL; + + if (cachedNtdllHandle == NULL) + { + cachedNtdllHandle = FindNtdllBase(); + + if (cachedNtdllHandle == NULL) + { + /* peb traversal failed so this is a critical error, no fallback */ + return NULL; + } + } + + return cachedNtdllHandle; +} + +#else +/* not using PEBLDRResolver */ +#pragma message("SysCaller: PebLdrResolver.cpp skipped (SYSCALLER_RESOLVER_PEB_LDR not defined)") +#endif + +#else +/* not in indirect mode file compiles to nothing */ +#pragma message("SysCaller: PebLdrResolver.cpp skipped (SYSCALLER_INDIRECT not defined)") +#endif diff --git a/SysCaller/Wrapper/src/Resolver/PebUtils.cpp b/SysCaller/Wrapper/src/Resolver/PebUtils.cpp new file mode 100644 index 0000000..45f6916 --- /dev/null +++ b/SysCaller/Wrapper/src/Resolver/PebUtils.cpp 
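Review bot: `GetNtdllHandleInternal` here is byte-for-byte the function defined in HashedExportResolver.cpp (same function-local static, same `FindNtdllBase()` call, same "no fallback" comment), so a fix in one will silently diverge from the other. Both resolvers already depend on PebUtils, so the cached lookup belongs there once, e.g. `HMODULE GetNtdllHandleFromPeb()` in PebUtils.cpp, with each method's `GetNtdllHandleInternal` forwarding to it. The build-mode `#pragma message` block repeated at the top of every resolver .cpp also fires once per translation unit; it should live in a single shared header or in build_info.cpp.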
@@ -0,0 +1,60 @@ +#include "../../include/Resolver/PebUtils.h" + +HMODULE FindNtdllBase() +{ + PPEB peb = GetPeb(); + + if (!peb || !peb->Ldr) + { + return NULL; + } + + PPEB_LDR_DATA ldr = peb->Ldr; + + /* walk InMemoryOrderModuleList (more reliable than InLoadOrder) */ + PLIST_ENTRY head = &ldr->InMemoryOrderModuleList; + PLIST_ENTRY entry = head->Flink; + + while (entry != head && entry) + { + /* get the LDR_DATA_TABLE_ENTRY from the list entry */ + PLDR_DATA_TABLE_ENTRY_SYSCALLER ldrEntry = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY_SYSCALLER, InMemoryOrderLinks); + + if (!ldrEntry || !ldrEntry->DllBase) + { + entry = entry->Flink; + continue; + } + + /* check if this is ntdll.dll by examining the BaseDllName */ + __try { + if (ldrEntry->BaseDllName.Length > 0 && ldrEntry->BaseDllName.Buffer) + { + /* convert to lowercase for comparison */ + WCHAR baseNameLower[256] = {0}; + size_t len = ldrEntry->BaseDllName.Length / sizeof(WCHAR); + if (len >= 256) len = 255; + + for (size_t i = 0; i < len; i++) + { + baseNameLower[i] = (ldrEntry->BaseDllName.Buffer[i] >= L'A' && ldrEntry->BaseDllName.Buffer[i] <= L'Z') ? + ldrEntry->BaseDllName.Buffer[i] + 0x20 : ldrEntry->BaseDllName.Buffer[i]; + } + + if (wcsstr(baseNameLower, L"ntdll.dll") != NULL) + { + return (HMODULE)ldrEntry->DllBase; + } + } + } + __except (EXCEPTION_EXECUTE_HANDLER) { + /* skip this entry if we cant access the name */ + entry = entry->Flink; + continue; + } + + entry = entry->Flink; + } + + return NULL; +} diff --git a/SysCaller/Wrapper/src/Resolver/Resolver.cpp b/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp similarity index 70% rename from SysCaller/Wrapper/src/Resolver/Resolver.cpp rename to SysCaller/Wrapper/src/Resolver/ResolverBase.cpp index aad471f..9b3fdd5 100644 --- a/SysCaller/Wrapper/src/Resolver/Resolver.cpp +++ b/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp 
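Review bot: The match in `FindNtdllBase` is a substring test, `wcsstr(baseNameLower, L"ntdll.dll")`, so any module whose base name merely contains `ntdll.dll` (a side-loaded `myntdll.dll`, for instance) satisfies it, and because the loop returns on the first hit the result then depends on ntdll preceding such a module in `InMemoryOrderModuleList` rather than on the comparison itself. Compare the whole name instead: `if (len == 9 && wcsncmp(baseNameLower, L"ntdll.dll", 9) == 0)`. That also makes the 255-character truncation of `baseNameLower` irrelevant to the decision, since a truncated name can no longer be mistaken for a match.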
@@ -1,44 +1,14 @@ -#if defined(SYSCALLER_DIRECT) -#pragma message("SysCaller: Building via DIRECT syscall mode") -#elif defined(SYSCALLER_INDIRECT) -#pragma message("SysCaller: Building via INDIRECT syscall mode") -#elif defined(SYSCALLER_INLINE) -#pragma message("SysCaller: Building via INLINE ASM syscall mode") -#else -#pragma message("SysCaller: No build mode specified, defaulting to DIRECT") -#endif - -#if defined(SYSCALLER_BINDINGS) -#pragma message("SysCaller: Building with BINDINGS support (DLL export)") -#endif - -#ifdef SYSCALLER_INDIRECT -#include "../../include/Resolver/Resolver.h" -#include -#include -#include +#include "../../include/Resolver/ResolverBase.h" #include #include -#include +/* shared global state */ static std::unordered_map syscallCache; static HMODULE ntdllHandle = NULL; static BOOL resolverInitialized = FALSE; -HMODULE GetNtdllHandle() -{ - if (ntdllHandle == NULL) - { - ntdllHandle = GetModuleHandleA("ntdll.dll"); - - if (ntdllHandle == NULL) - { - ntdllHandle = LoadLibraryA("ntdll.dll"); - } - } - - return ntdllHandle; -} +HMODULE GetNtdllHandleInternal(); +std::unordered_map ExtractSyscallsFromDllInternal(); DWORD ExtractSyscallNumber(LPVOID functionAddress) { @@ -65,10 +35,16 @@ DWORD ExtractSyscallNumber(LPVOID functionAddress) return 0; } -std::unordered_map ExtractSyscallsFromDll() +std::unordered_map ExtractSyscallsFromDllInternal() { +#if defined(SYSCALLER_RESOLVER_HASHED_EXPORT) + /* forward declaration for the hashed resolver implementation */ + std::unordered_map ExtractSyscallsFromDllHashedInternal(); + return ExtractSyscallsFromDllHashedInternal(); +#else + /* default implementation for other resolver methods */ std::unordered_map syscallNumbers; - HMODULE hNtdll = GetNtdllHandle(); + HMODULE hNtdll = GetNtdllHandleInternal(); if (!hNtdll) { @@ -121,6 +97,7 @@ std::unordered_map ExtractSyscallsFromDll() } return syscallNumbers; +#endif } BOOL InitializeResolver() 
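Review bot: The `#ifdef SYSCALLER_INDIRECT` guard that wrapped this file is removed in the first hunk, so ResolverBase.cpp now compiles in DIRECT and INLINE builds too, where no translation unit defines `GetNtdllHandleInternal()`; `InitializeResolver` → `ExtractSyscallsFromDllInternal` still references it, so any build that pulls ResolverBase.obj into the link (the Release configuration is switched from `StaticLibrary` to `DynamicLibrary` in this same commit) is likely to fail with an unresolved external. Restore the guard around the whole file, `#ifdef SYSCALLER_INDIRECT` ... `#endif`, so the out-of-mode body is empty as it is in the per-method .cpp files. Also `static HMODULE ntdllHandle = NULL;` survives although its only user, `GetNtdllHandle`, is deleted in this hunk, and the function-local forward declaration of `ExtractSyscallsFromDllHashedInternal` inside `ExtractSyscallsFromDllInternal` belongs in ResolverBase.h next to the other internal declarations.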
@@ -130,7 +107,7 @@ BOOL InitializeResolver() return TRUE; } - syscallCache = ExtractSyscallsFromDll(); + syscallCache = ExtractSyscallsFromDllInternal(); if (syscallCache.empty()) { @@ -166,8 +143,3 @@ void CleanupResolver() syscallCache.clear(); resolverInitialized = FALSE; } - -#else -/* not in indirect mode file compiles to nothing */ -#pragma message("SysCaller: Resolver.cpp skipped (SYSCALLER_INDIRECT not defined)") -#endif From a72b61fa3f091d977d096061418b4cfafc290fb6 Mon Sep 17 00:00:00 2001 From: WindowsAPI Date: Wed, 1 Oct 2025 00:01:20 -0700 Subject: [PATCH 05/32] refactor resolver headers and add disk mapped resolver Introduces DiskMappedResolver for parsing ntdll.dll directly from disk, updates project files and configuration to support the new resolver, and consolidates all resolver method headers into a single Resolver.h file --- SysCaller/SysCaller.vcxproj | 5 +- .../Resolver/Methods/MemoryExportResolver.h | 18 -- .../include/Resolver/Methods/PebLdrResolver.h | 18 -- .../HashedExportResolver.h => Resolver.h} | 0 SysCaller/Wrapper/include/syscaller.h | 10 +- SysCaller/Wrapper/include/syscaller_config.h | 5 +- .../Resolver/Methods/DiskMappedResolver.cpp | 199 ++++++++++++++++++ .../Resolver/Methods/HashedExportResolver.cpp | 2 +- .../Resolver/Methods/MemoryExportResolver.cpp | 2 +- .../src/Resolver/Methods/PebLdrResolver.cpp | 2 +- SysCaller/Wrapper/src/Resolver/PebUtils.cpp | 2 +- .../Wrapper/src/Resolver/ResolverBase.cpp | 12 +- SysCaller/Wrapper/src/build_info.cpp | 2 +- 13 files changed, 227 insertions(+), 50 deletions(-) delete mode 100644 SysCaller/Wrapper/include/Resolver/Methods/MemoryExportResolver.h delete mode 100644 SysCaller/Wrapper/include/Resolver/Methods/PebLdrResolver.h rename SysCaller/Wrapper/include/Resolver/{Methods/HashedExportResolver.h => Resolver.h} (100%) create mode 100644 SysCaller/Wrapper/src/Resolver/Methods/DiskMappedResolver.cpp 
diff --git a/SysCaller/SysCaller.vcxproj b/SysCaller/SysCaller.vcxproj index 9d2b3a6..de3a105 100644 --- a/SysCaller/SysCaller.vcxproj +++ b/SysCaller/SysCaller.vcxproj @@ -105,9 +105,7 @@ - - - + @@ -120,6 +118,7 @@ + diff --git a/SysCaller/Wrapper/include/Resolver/Methods/MemoryExportResolver.h b/SysCaller/Wrapper/include/Resolver/Methods/MemoryExportResolver.h deleted file mode 100644 index b175a5a..0000000 --- a/SysCaller/Wrapper/include/Resolver/Methods/MemoryExportResolver.h +++ /dev/null @@ -1,18 +0,0 @@ -#pragma once - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -DWORD GetSyscallNumber(const char* functionName); - -BOOL InitializeResolver(); - -void CleanupResolver(); - -#ifdef __cplusplus -} -#endif \ No newline at end of file diff --git a/SysCaller/Wrapper/include/Resolver/Methods/PebLdrResolver.h b/SysCaller/Wrapper/include/Resolver/Methods/PebLdrResolver.h deleted file mode 100644 index 8f29f6f..0000000 --- a/SysCaller/Wrapper/include/Resolver/Methods/PebLdrResolver.h +++ /dev/null @@ -1,18 +0,0 @@ -#pragma once - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -DWORD GetSyscallNumber(const char* functionName); - -BOOL InitializeResolver(); - -void CleanupResolver(); - -#ifdef __cplusplus -} -#endif diff --git a/SysCaller/Wrapper/include/Resolver/Methods/HashedExportResolver.h b/SysCaller/Wrapper/include/Resolver/Resolver.h similarity index 100% rename from SysCaller/Wrapper/include/Resolver/Methods/HashedExportResolver.h rename to SysCaller/Wrapper/include/Resolver/Resolver.h diff --git a/SysCaller/Wrapper/include/syscaller.h b/SysCaller/Wrapper/include/syscaller.h index e01fded..c615c91 100644 --- a/SysCaller/Wrapper/include/syscaller.h +++ b/SysCaller/Wrapper/include/syscaller.h 
@@ -81,13 +81,15 @@ #if defined(SYSCALLER_INDIRECT) #if defined(SYSCALLER_RESOLVER_PEB_LDR) -#include +#include #elif defined(SYSCALLER_RESOLVER_MEMORY_EXPORT) -#include +#include #elif defined(SYSCALLER_RESOLVER_HASHED_EXPORT) -#include +#include +#elif defined(SYSCALLER_RESOLVER_DISK_MAPPED) +#include #else -#error "For SYSCALLER_INDIRECT mode, you must define one resolver: SYSCALLER_RESOLVER_PEB_LDR, SYSCALLER_RESOLVER_MEMORY_EXPORT, or SYSCALLER_RESOLVER_HASHED_EXPORT" +#error "For SYSCALLER_INDIRECT mode, you must define one resolver: SYSCALLER_RESOLVER_PEB_LDR, SYSCALLER_RESOLVER_MEMORY_EXPORT, SYSCALLER_RESOLVER_HASHED_EXPORT, or SYSCALLER_RESOLVER_DISK_MAPPED" #endif #endif \ No newline at end of file diff --git a/SysCaller/Wrapper/include/syscaller_config.h b/SysCaller/Wrapper/include/syscaller_config.h index 20e6d3f..34d5fc4 100644 --- a/SysCaller/Wrapper/include/syscaller_config.h +++ b/SysCaller/Wrapper/include/syscaller_config.h @@ -33,8 +33,11 @@ /* Use PEB LDR traversal (no WinAPI calls) */ // #define SYSCALLER_RESOLVER_PEB_LDR -/* Use memory export parsing with GetModuleHandle (uses WinAPI) */ +/* Use memory export parsing with GetModuleHandle (uses WinAPI to locate ntdll) */ // #define SYSCALLER_RESOLVER_MEMORY_EXPORT /* Use hashed export parsing (no WinAPI calls) */ // #define SYSCALLER_RESOLVER_HASHED_EXPORT + +/* Use disk mapped ntdll.dll parsing (uses WinAPI for I/O funcs not locating ntdll) */ +// #define SYSCALLER_RESOLVER_DISK_MAPPED diff --git a/SysCaller/Wrapper/src/Resolver/Methods/DiskMappedResolver.cpp b/SysCaller/Wrapper/src/Resolver/Methods/DiskMappedResolver.cpp new file mode 100644 index 0000000..ff314a7 --- /dev/null +++ b/SysCaller/Wrapper/src/Resolver/Methods/DiskMappedResolver.cpp 
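Review bot: After this commit the four branches of the resolver `#if` chain appear to include the same header (the listing strips the include targets, but the commit renames `HashedExportResolver.h` to `Resolver.h` and deletes the other two method headers), so the chain no longer selects anything and exists only to raise the `#error` when no resolver is defined. Collapse it to a single include of `Resolver/Resolver.h` preceded by a count check that also rejects more than one selection, which the current chain silently accepts: `#if defined(SYSCALLER_RESOLVER_PEB_LDR) + defined(SYSCALLER_RESOLVER_MEMORY_EXPORT) + defined(SYSCALLER_RESOLVER_HASHED_EXPORT) + defined(SYSCALLER_RESOLVER_DISK_MAPPED) != 1` / `#error "SysCaller: define exactly one SYSCALLER_RESOLVER_* method for SYSCALLER_INDIRECT"` / `#endif`.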
@@ -0,0 +1,199 @@
+#if defined(SYSCALLER_DIRECT)
+#pragma message("SysCaller: Building via DIRECT syscall mode")
+#elif defined(SYSCALLER_INDIRECT)
+#pragma message("SysCaller: Building via INDIRECT syscall mode")
+#elif defined(SYSCALLER_INLINE)
+#pragma message("SysCaller: Building via INLINE ASM syscall mode")
+#else
+#pragma message("SysCaller: No build mode specified, defaulting to DIRECT")
+#endif
+
+#if defined(SYSCALLER_BINDINGS)
+#pragma message("SysCaller: Building with BINDINGS support (DLL export)")
+#endif
+
+#ifdef SYSCALLER_INDIRECT
+#ifdef SYSCALLER_RESOLVER_DISK_MAPPED
+
+#include
+#include
+
+typedef struct _MAPPED_NTDLL_INFO {
+ HANDLE hFile;
+ HANDLE hMapping;
+ LPVOID pMappedBase;
+ PIMAGE_DOS_HEADER pDosHeader;
+ PIMAGE_NT_HEADERS pNtHeaders;
+ PIMAGE_EXPORT_DIRECTORY pExportDir;
+} MAPPED_NTDLL_INFO, *PMAPPED_NTDLL_INFO;
+
+PMAPPED_NTDLL_INFO MapNtdllFromDisk()
+{
+ static MAPPED_NTDLL_INFO mappedInfo = {0};
+ static BOOL initialized = FALSE;
+
+ if (initialized)
+ {
+ return &mappedInfo;
+ }
+
+ CHAR systemPath[MAX_PATH] = {0};
+ if (GetSystemDirectoryA(systemPath, MAX_PATH) == 0)
+ {
+ return NULL;
+ }
+
+ CHAR ntdllPath[MAX_PATH] = {0};
+ if (sprintf_s(ntdllPath, MAX_PATH, "%s\\ntdll.dll", systemPath) < 0)
+ {
+ return NULL;
+ }
+
+ mappedInfo.hFile = CreateFileA(ntdllPath, GENERIC_READ, FILE_SHARE_READ,
+ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ if (mappedInfo.hFile == INVALID_HANDLE_VALUE)
+ {
+ return NULL;
+ }
+
+ /* create file mapping */
+ mappedInfo.hMapping = CreateFileMappingA(mappedInfo.hFile, NULL, PAGE_READONLY, 0, 0, NULL);
+ if (mappedInfo.hMapping == NULL)
+ {
+ CloseHandle(mappedInfo.hFile);
+ return NULL;
+ }
+
+ /* map the file into memory */
+ mappedInfo.pMappedBase = MapViewOfFile(mappedInfo.hMapping, FILE_MAP_READ, 0, 0, 0);
+ if (mappedInfo.pMappedBase == NULL)
+ {
+ CloseHandle(mappedInfo.hMapping);
+ CloseHandle(mappedInfo.hFile);
+ return NULL;
+ }
+
+ /* validate PE headers */
+ mappedInfo.pDosHeader = (PIMAGE_DOS_HEADER)mappedInfo.pMappedBase;
+ if (mappedInfo.pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+ {
+ UnmapViewOfFile(mappedInfo.pMappedBase);
+ CloseHandle(mappedInfo.hMapping);
+ CloseHandle(mappedInfo.hFile);
+ return NULL;
+ }
+
+ mappedInfo.pNtHeaders = (PIMAGE_NT_HEADERS)((BYTE*)mappedInfo.pMappedBase + mappedInfo.pDosHeader->e_lfanew);
+ if (mappedInfo.pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
+ {
+ UnmapViewOfFile(mappedInfo.pMappedBase);
+ CloseHandle(mappedInfo.hMapping);
+ CloseHandle(mappedInfo.hFile);
+ return NULL;
+ }
+
+ /* get export directory */
+ if (mappedInfo.pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress == 0)
+ {
+ UnmapViewOfFile(mappedInfo.pMappedBase);
+ CloseHandle(mappedInfo.hMapping);
+ CloseHandle(mappedInfo.hFile);
+ return NULL;
+ }
+
+ mappedInfo.pExportDir = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)mappedInfo.pMappedBase +
+ mappedInfo.pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
+
+ initialized = TRUE;
+ return &mappedInfo;
+}
+
+/* cleanup mapped file */
+void UnmapNtdllFromDisk()
+{
+ static MAPPED_NTDLL_INFO mappedInfo = {0};
+ static BOOL initialized = FALSE;
+
+ if (!initialized)
+ {
+ /* check if we have mapped info */
+ PMAPPED_NTDLL_INFO pInfo = MapNtdllFromDisk();
+ if (!pInfo || !pInfo->pMappedBase) return;
+
+ /* copy the info to our static variable */
+ memcpy(&mappedInfo, pInfo, sizeof(MAPPED_NTDLL_INFO));
+ initialized = TRUE;
+ }
+
+ if (mappedInfo.pMappedBase)
+ {
+ UnmapViewOfFile(mappedInfo.pMappedBase);
+ mappedInfo.pMappedBase = NULL;
+ }
+
+ if (mappedInfo.hMapping)
+ {
+ CloseHandle(mappedInfo.hMapping);
+ mappedInfo.hMapping = NULL;
+ }
+
+ if (mappedInfo.hFile)
+ {
+ CloseHandle(mappedInfo.hFile);
+ mappedInfo.hFile = NULL;
+ }
+}
+
+std::unordered_map ExtractSyscallsFromDllDiskMappedInternal()
+{
+ std::unordered_map syscallNumbers;
+
+ /* map ntdll.dll from disk */
+ PMAPPED_NTDLL_INFO pMappedInfo = MapNtdllFromDisk();
+ if (!pMappedInfo || !pMappedInfo->pExportDir)
+ {
+ return syscallNumbers;
+ }
+
+ DWORD* functions = (DWORD*)((BYTE*)pMappedInfo->pMappedBase + pMappedInfo->pExportDir->AddressOfFunctions);
+ DWORD* names = (DWORD*)((BYTE*)pMappedInfo->pMappedBase + pMappedInfo->pExportDir->AddressOfNames);
+ WORD* ordinals = (WORD*)((BYTE*)pMappedInfo->pMappedBase + pMappedInfo->pExportDir->AddressOfNameOrdinals);
+
+ for (DWORD i = 0; i < pMappedInfo->pExportDir->NumberOfNames; i++)
+ {
+ const char* funcName = (const char*)((BYTE*)pMappedInfo->pMappedBase + names[i]);
+
+ if (strncmp(funcName, "Nt", 2) != 0 && strncmp(funcName, "Zw", 2) != 0)
+ {
+ continue;
+ }
+
+ DWORD funcRVA = functions[ordinals[i]];
+ LPVOID funcAddress = (LPVOID)((BYTE*)pMappedInfo->pMappedBase + funcRVA);
+ DWORD syscallNumber = ExtractSyscallNumber(funcAddress);
+
+ if (syscallNumber > 0 && syscallNumber <= 0xFFFF)
+ {
+ syscallNumbers[funcName] = syscallNumber;
+ }
+ }
+
+ return syscallNumbers;
+}
+
+/* (not needed for disk mapping but required by interface) */
+HMODULE GetNtdllHandleInternal()
+{
+ /* return a dummy handle since we read from disk */
+ return (HMODULE)0x1;
+}
+
+#else
+/* not using Disk Mapped resolver */
+#pragma message("SysCaller: DiskMappedResolver.cpp skipped (SYSCALLER_RESOLVER_DISK_MAPPED not defined)")
+#endif
+
+#else
+/* not in indirect mode file compiles to nothing */
+#pragma message("SysCaller: DiskMappedResolver.cpp skipped (SYSCALLER_INDIRECT not defined)")
+#endif
diff --git a/SysCaller/Wrapper/src/Resolver/Methods/HashedExportResolver.cpp b/SysCaller/Wrapper/src/Resolver/Methods/HashedExportResolver.cpp
index 9ad4907..a0e40a0 100644
--- a/SysCaller/Wrapper/src/Resolver/Methods/HashedExportResolver.cpp
+++ b/SysCaller/Wrapper/src/Resolver/Methods/HashedExportResolver.cpp
@@ -16,7 +16,7 @@ #ifdef SYSCALLER_RESOLVER_HASHED_EXPORT #include -#include +#include #include /* simple djb2 hash function for strings */
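Review bot: `UnmapNtdllFromDisk` tears down a private `memcpy` copy of the mapping state, so after it runs `MapNtdllFromDisk` still has `initialized == TRUE` and a `mappedInfo` whose `pMappedBase` has been unmapped; the next `InitializeResolver` after a `CleanupResolver` (which the `ResolverBase.cpp` hunk below wires to this function) receives that stale struct and `ExtractSyscallsFromDllDiskMappedInternal` dereferences the unmapped view. The two functions should share one file-scope state that the unmap path resets, as sketched below, which also removes the map-just-to-unmap call on the `!initialized` path. Separately, `MapViewOfFile` on a `PAGE_READONLY` mapping presents the raw file layout rather than the loaded-image layout, so adding the `VirtualAddress`, `AddressOfFunctions`, `AddressOfNames` and `names[i]` RVAs directly to `pMappedBase` is only valid if the view is laid out as an image or the RVAs are first translated through the section headers, and none of those offsets (nor `e_lfanew`) is bounds-checked against the view size before being dereferenced. `GetNtdllHandleInternal` returning `(HMODULE)0x1` deserves a comment at its declaration, e.g. `/* sentinel only: never dereference or pass to loader APIs */`, since any caller that treats it as a real module base will fault.
```cpp
/* shared mapping state for MapNtdllFromDisk / UnmapNtdllFromDisk */
static MAPPED_NTDLL_INFO mappedInfo = {0};
static BOOL mappedInitialized = FALSE;

/* … unchanged: MapNtdllFromDisk, minus its two function-local statics, testing and setting mappedInitialized instead … */

/* cleanup mapped file and forget it so the next MapNtdllFromDisk re-maps */
void UnmapNtdllFromDisk()
{
    if (!mappedInitialized)
    {
        return;
    }

    if (mappedInfo.pMappedBase)
    {
        UnmapViewOfFile(mappedInfo.pMappedBase);
    }

    if (mappedInfo.hMapping)
    {
        CloseHandle(mappedInfo.hMapping);
    }

    if (mappedInfo.hFile && mappedInfo.hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(mappedInfo.hFile);
    }

    ZeroMemory(&mappedInfo, sizeof(mappedInfo));
    mappedInitialized = FALSE;
}
```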
diff --git a/SysCaller/Wrapper/src/Resolver/Methods/MemoryExportResolver.cpp b/SysCaller/Wrapper/src/Resolver/Methods/MemoryExportResolver.cpp index 02adcf2..4b782bd 100644 --- a/SysCaller/Wrapper/src/Resolver/Methods/MemoryExportResolver.cpp +++ b/SysCaller/Wrapper/src/Resolver/Methods/MemoryExportResolver.cpp @@ -16,7 +16,7 @@ #ifdef SYSCALLER_RESOLVER_MEMORY_EXPORT #include -#include +#include HMODULE GetNtdllHandleInternal() { diff --git a/SysCaller/Wrapper/src/Resolver/Methods/PebLdrResolver.cpp b/SysCaller/Wrapper/src/Resolver/Methods/PebLdrResolver.cpp index ae33780..4ee06ec 100644 --- a/SysCaller/Wrapper/src/Resolver/Methods/PebLdrResolver.cpp +++ b/SysCaller/Wrapper/src/Resolver/Methods/PebLdrResolver.cpp @@ -16,7 +16,7 @@ #ifdef SYSCALLER_RESOLVER_PEB_LDR #include -#include +#include #include HMODULE GetNtdllHandleInternal() diff --git a/SysCaller/Wrapper/src/Resolver/PebUtils.cpp b/SysCaller/Wrapper/src/Resolver/PebUtils.cpp index 45f6916..0947f22 100644 --- a/SysCaller/Wrapper/src/Resolver/PebUtils.cpp +++ b/SysCaller/Wrapper/src/Resolver/PebUtils.cpp @@ -1,4 +1,4 @@ -#include "../../include/Resolver/PebUtils.h" +#include HMODULE FindNtdllBase() { diff --git a/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp b/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp index 9b3fdd5..995e907 100644 --- a/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp +++ b/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp @@ -1,4 +1,4 @@ -#include "../../include/Resolver/ResolverBase.h" +#include #include #include 
@@ -41,6 +41,10 @@ std::unordered_map ExtractSyscallsFromDllInternal()
 /* forward declaration for the hashed resolver implementation */
 std::unordered_map ExtractSyscallsFromDllHashedInternal();
 return ExtractSyscallsFromDllHashedInternal();
+#elif defined(SYSCALLER_RESOLVER_DISK_MAPPED)
+ /* forward declaration for the disk mapped resolver implementation */
+ std::unordered_map ExtractSyscallsFromDllDiskMappedInternal();
+ return ExtractSyscallsFromDllDiskMappedInternal();
 #else
 /* default implementation for other resolver methods */
 std::unordered_map syscallNumbers;
@@ -142,4 +146,10 @@ void CleanupResolver()
 {
 syscallCache.clear();
 resolverInitialized = FALSE;
+
+#if defined(SYSCALLER_RESOLVER_DISK_MAPPED)
+ /* cleanup disk mapped resources */
+ extern void UnmapNtdllFromDisk();
+ UnmapNtdllFromDisk();
+#endif
 }
diff --git a/SysCaller/Wrapper/src/build_info.cpp b/SysCaller/Wrapper/src/build_info.cpp
index 163f5af..de0d8f9 100644
--- a/SysCaller/Wrapper/src/build_info.cpp
+++ b/SysCaller/Wrapper/src/build_info.cpp
@@ -25,7 +25,7 @@ #pragma message("[SysCaller] Resolver: SKIPPED (not required for direct/inline)") #endif -#include "../include/syscaller.h" +#include /* empty function ensures this TU is compiled and processed */ void SysCallerBuildInfo() {}
\ No newline at end of file
From f77260e1d319607ac1a978f7f53517eeda9fa289 Mon Sep 17 00:00:00 2001
From: WindowsAPI
Date: Wed, 1 Oct 2025 00:38:32 -0700
Subject: [PATCH 06/32] update version to v1.3.2
---
.github/workflows/build.yml | 2 +- .../Dialogs/ObfuscationSelectionDialog.cpp | 2 +- Bind/src/GUI/Dialogs/StubMapperDialog.cpp | 8 ++--- Bind/src/GUI/MainWindow.cpp | 24 +++++++------- Bind/src/GUI/Panels/LeftPanel.cpp | 6 ++-- Bind/src/GUI/Settings/Tabs/GeneralTab.cpp | 32 +++++++++---------- Bind/src/GUI/Settings/Tabs/ProfileTab.cpp | 10 +++--- 7 files changed, 42 insertions(+), 42 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 32bf28f..984cdac 100644
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -405,7 +405,7 @@ jobs: # Create README $version = "v1.3.2" - $readmeText = "# SysCaller: Bind - v1.3.1`n`n" + $readmeText = "# SysCaller: Bind - v1.3.2`n`n" $readmeText += "Build Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss UTC')`n" $readmeText += "Commit: ${{ github.sha }}`n" $readmeText += "Platform: Windows x64 (64-bit)`n" diff --git a/Bind/src/GUI/Dialogs/ObfuscationSelectionDialog.cpp b/Bind/src/GUI/Dialogs/ObfuscationSelectionDialog.cpp index 5c98576..cd4ae9c 100644 --- a/Bind/src/GUI/Dialogs/ObfuscationSelectionDialog.cpp +++ b/Bind/src/GUI/Dialogs/ObfuscationSelectionDialog.cpp @@ -13,7 +13,7 @@ ObfuscationSelectionDialog::ObfuscationSelectionDialog(QWidget* parent) : QDialog(parent) , selection(Cancelled) { - setWindowTitle("Bind - v1.3.1"); + setWindowTitle("Bind - v1.3.2"); setFixedSize(450, 300); setWindowFlags(Qt::Dialog | Qt::FramelessWindowHint); setAttribute(Qt::WA_TranslucentBackground); diff --git a/Bind/src/GUI/Dialogs/StubMapperDialog.cpp b/Bind/src/GUI/Dialogs/StubMapperDialog.cpp index a351dca..1e40b1e 100644 --- a/Bind/src/GUI/Dialogs/StubMapperDialog.cpp +++ b/Bind/src/GUI/Dialogs/StubMapperDialog.cpp @@ -555,7 +555,7 @@ void StubMapperDialog::validateCurrentSettings() } else { - QMessageBox::warning(this, "Bind - v1.3.1", "Please select a Syscall first."); + QMessageBox::warning(this, "Bind - v1.3.2", "Please select a Syscall first."); } } @@ -596,7 +596,7 @@ void StubMapperDialog::saveSettings() } settings->setValue("stub_mapper/syscall_settings", QVariant::fromValue(syscallSettings)); - QMessageBox::information(this, "Bind - v1.3.1", "Custom Syscall Settings have been saved successfully."); + QMessageBox::information(this, "Bind - v1.3.2", "Custom Syscall Settings have been saved successfully."); accept(); } 
@@ -668,10 +668,10 @@ bool StubMapperDialog::validateStubSettings(const QMap& setti void StubMapperDialog::showValidationError(const QString& message) { - QMessageBox::critical(this, "Bind - v1.3.1", message); + QMessageBox::critical(this, "Bind - v1.3.2", message); } void StubMapperDialog::showValidationSuccess(const QString& message) { - QMessageBox::information(this, "Bind - v1.3.1", message); + QMessageBox::information(this, "Bind - v1.3.2", message); } diff --git a/Bind/src/GUI/MainWindow.cpp b/Bind/src/GUI/MainWindow.cpp index acf84d0..dba680e 100644 --- a/Bind/src/GUI/MainWindow.cpp +++ b/Bind/src/GUI/MainWindow.cpp @@ -30,7 +30,7 @@ MainWindow::MainWindow(QWidget *parent) , verificationThread(nullptr) , obfuscationThread(nullptr) { - setWindowTitle("Bind - v1.3.1"); + setWindowTitle("Bind - v1.3.2"); setMinimumSize(1400, 900); setWindowFlags(Qt::FramelessWindowHint); setAttribute(Qt::WA_TranslucentBackground); @@ -149,7 +149,7 @@ void MainWindow::runValidation() { if (validatorThread && validatorThread->isRunning()) { - QMessageBox::information(this, "Bind - v1.3.1", "Validation Check is already running. Please wait for it to complete."); + QMessageBox::information(this, "Bind - v1.3.2", "Validation Check is already running. Please wait for it to complete."); return; } @@ -157,7 +157,7 @@ void MainWindow::runValidation() if (dllPaths.isEmpty()) { - QMessageBox::warning(this, "Bind - v1.3.1", "No DLL Paths specified. Please add at least one NTDLL path."); + QMessageBox::warning(this, "Bind - v1.3.2", "No DLL Paths specified. Please add at least one NTDLL path."); return; } @@ -197,7 +197,7 @@ void MainWindow::runValidation() { leftPanel->updateStatus("Validation Failed!"); statusBar->updateStatus("Validation Failed!"); - QMessageBox::critical(this, "Bind - v1.3.1", message); + QMessageBox::critical(this, "Bind - v1.3.2", message); } validatorThread->deleteLater(); 
@@ -234,7 +234,7 @@ void MainWindow::runCompatibility() { if (compatibilityThread && compatibilityThread->isRunning()) { - QMessageBox::information(this, "Bind - v1.3.1", "Compatibility Check is already running. Please wait for it to complete."); + QMessageBox::information(this, "Bind - v1.3.2", "Compatibility Check is already running. Please wait for it to complete."); return; } @@ -242,7 +242,7 @@ void MainWindow::runCompatibility() if (dllPaths.isEmpty()) { - QMessageBox::warning(this, "Bind - v1.3.1", "No DLL Paths specified. Please add at least one NTDLL path."); + QMessageBox::warning(this, "Bind - v1.3.2", "No DLL Paths specified. Please add at least one NTDLL path."); return; } @@ -282,7 +282,7 @@ void MainWindow::runCompatibility() { leftPanel->updateStatus("Compatibility Failed!"); statusBar->updateStatus("Compatibility Failed!"); - QMessageBox::critical(this, "Bind - v1.3.1", message); + QMessageBox::critical(this, "Bind - v1.3.2", message); } compatibilityThread->deleteLater(); @@ -296,7 +296,7 @@ void MainWindow::runVerification() { if (verificationThread && verificationThread->isRunning()) { - QMessageBox::information(this, "Bind - v1.3.1", "Verification Check is already running. Please wait for it to complete."); + QMessageBox::information(this, "Bind - v1.3.2", "Verification Check is already running. Please wait for it to complete."); return; } @@ -304,7 +304,7 @@ void MainWindow::runVerification() if (dllPaths.isEmpty()) { - QMessageBox::warning(this, "Bind - v1.3.1", "No DLL Paths specified. Please add at least one NTDLL path."); + QMessageBox::warning(this, "Bind - v1.3.2", "No DLL Paths specified. Please add at least one NTDLL path."); return; } @@ -351,7 +351,7 @@ void MainWindow::runVerification() { leftPanel->updateStatus("Verification Failed!"); statusBar->updateStatus("Verification Failed!"); - QMessageBox::critical(this, "Bind - v1.3.1", message); + QMessageBox::critical(this, "Bind - v1.3.2", message); } verificationThread->deleteLater(); 
@@ -365,7 +365,7 @@ void MainWindow::runObfuscation() { if (obfuscationThread && obfuscationThread->isRunning()) { - QMessageBox::information(this, "Bind - v1.3.1", "Syscall Obfuscation is already running. Please wait for it to complete."); + QMessageBox::information(this, "Bind - v1.3.2", "Syscall Obfuscation is already running. Please wait for it to complete."); return; } @@ -437,7 +437,7 @@ void MainWindow::runObfuscation() { leftPanel->updateStatus("Obfuscation Failed!"); statusBar->updateStatus("Obfuscation Failed!"); - QMessageBox::critical(this, "Bind - v1.3.1", message); + QMessageBox::critical(this, "Bind - v1.3.2", message); } QSettings settings(PathUtils::getIniPath(), QSettings::IniFormat); diff --git a/Bind/src/GUI/Panels/LeftPanel.cpp b/Bind/src/GUI/Panels/LeftPanel.cpp index f540d89..734f9ed 100644 --- a/Bind/src/GUI/Panels/LeftPanel.cpp +++ b/Bind/src/GUI/Panels/LeftPanel.cpp @@ -52,12 +52,12 @@ LeftPanel::LeftPanel(QWidget* parent) logoLabel->setAlignment(Qt::AlignCenter); topSection->addWidget(logoLabel, 0, Qt::AlignCenter); - versionLabel = new QLabel("v1.3.1", this); + versionLabel = new QLabel("v1.3.2", this); versionLabel->setStyleSheet("color: #666666; font-size: 12px;"); versionLabel->setAlignment(Qt::AlignCenter); versionLabel->setCursor(Qt::PointingHandCursor); versionLabel->setTextFormat(Qt::RichText); - versionLabel->setText("v1.3.1"); + versionLabel->setText("v1.3.2"); topSection->addWidget(versionLabel, 0, Qt::AlignCenter); layout->addLayout(topSection); @@ -264,7 +264,7 @@ void LeftPanel::browseDll() { QString dllPath = QFileDialog::getOpenFileName( this, - "Bind - v1.3.1", + "Bind - v1.3.2", "", "DLL Files (*.dll);;All Files (*.*)" ); diff --git a/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp b/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp index a0b19d3..8d23fb8 100644 --- a/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp +++ b/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp 
@@ -281,7 +281,7 @@ void GeneralTab::saveSettings() if (modeChanged) { - ConfirmationDialog infoDialog("Bind - v1.3.1", this); + ConfirmationDialog infoDialog("Bind - v1.3.2", this); infoDialog.setMessage(QString("The syscall mode has been changed from %1 to %2.\n\n" "This change affects which files are processed:\n" "- Nt Mode: User mode files in SysCaller directory\n" @@ -377,7 +377,7 @@ void GeneralTab::restoreDefaultFiles() QString filePathText = isKernelMode ? "SysCallerK directory" : "SysCaller directory"; QString headerName = isKernelMode ? "sysFunctions_k.h" : "sysFunctions.h"; - ConfirmationDialog confirmDialog("Bind - v1.3.1", this); + ConfirmationDialog confirmDialog("Bind - v1.3.2", this); confirmDialog.setMessage(QString("Are you sure you want to restore default %1 files?\n\n" "This will overwrite your current syscaller.asm and %2 files in the %3.") .arg(modeText, headerName, filePathText)); @@ -396,7 +396,7 @@ void GeneralTab::restoreDefaultFiles() if (!QFile::exists(defaultAsmPath) || !QFile::exists(defaultHeaderPath)) { - ConfirmationDialog warningDialog("Bind - v1.3.1", this); + ConfirmationDialog warningDialog("Bind - v1.3.2", this); warningDialog.setMessage("Default files not found in Default directory."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); @@ -423,7 +423,7 @@ void GeneralTab::restoreDefaultFiles() if (!asmCopied || !headerCopied) { - ConfirmationDialog errorDialog("Bind - v1.3.1", this); + ConfirmationDialog errorDialog("Bind - v1.3.2", this); errorDialog.setMessage(QString("Failed to copy files:\nASM: %1\nHeader: %2") .arg(asmCopied ? "Success" : "Failed") .arg(headerCopied ? "Success" : "Failed")); 
@@ -432,14 +432,14 @@ void GeneralTab::restoreDefaultFiles() return; } - ConfirmationDialog infoDialog("Bind - v1.3.1", this); + ConfirmationDialog infoDialog("Bind - v1.3.2", this); infoDialog.setMessage(QString("Default %1 files have been restored successfully!").arg(modeText)); infoDialog.setButtons(false, false, true, false); infoDialog.exec(); } catch (...) { - ConfirmationDialog errorDialog("Bind - v1.3.1", this); + ConfirmationDialog errorDialog("Bind - v1.3.2", this); errorDialog.setMessage("An error occurred while restoring default files."); errorDialog.setButtons(false, true, false); errorDialog.exec(); @@ -455,7 +455,7 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (!completeBackups.contains(timestamp)) { - ConfirmationDialog warningDialog("Bind - v1.3.1", this); + ConfirmationDialog warningDialog("Bind - v1.3.2", this); warningDialog.setMessage(QString("Could not find complete backup set for timestamp %1").arg(timestamp)); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); @@ -478,14 +478,14 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (!missingFiles.isEmpty()) { - ConfirmationDialog warningDialog("Bind - v1.3.1", this); + ConfirmationDialog warningDialog("Bind - v1.3.2", this); warningDialog.setMessage(QString("Could not find the following backup files:\n%1").arg(missingFiles.join("\n"))); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); return; } - ConfirmationDialog confirmDialog("Bind - v1.3.1", this); + ConfirmationDialog confirmDialog("Bind - v1.3.2", this); confirmDialog.setMessage(QString("Are you sure you want to restore from backup files dated %1?\n\n" "This will overwrite your current syscaller.asm and sysFunctions.h files.") .arg(formatTimestamp(timestamp))); 
@@ -504,7 +504,7 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (QFile::exists(asmPath) && isFileLocked(asmPath)) { - ConfirmationDialog warningDialog("Bind - v1.3.1", this); + ConfirmationDialog warningDialog("Bind - v1.3.2", this); warningDialog.setMessage("The ASM file appears to be locked by another process. Close any applications that might be using it and try again."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); @@ -513,7 +513,7 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (QFile::exists(headerPath) && isFileLocked(headerPath)) { - ConfirmationDialog warningDialog("Bind - v1.3.1", this); + ConfirmationDialog warningDialog("Bind - v1.3.2", this); warningDialog.setMessage("The header file appears to be locked by another process. Close any applications that might be using it and try again."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); @@ -554,7 +554,7 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (asmRestored && headerRestored) { - ConfirmationDialog infoDialog("Bind - v1.3.1", this); + ConfirmationDialog infoDialog("Bind - v1.3.2", this); infoDialog.setMessage(QString("Files have been restored from backup successfully!\n\nBackup date: %1") .arg(formatTimestamp(timestamp))); infoDialog.setButtons(false, false, true, false); 
@@ -562,21 +562,21 @@ void GeneralTab::restoreBackup(const QString& timestamp) } else if (!asmRestored && headerRestored) { - ConfirmationDialog warningDialog("Bind - v1.3.1", this); + ConfirmationDialog warningDialog("Bind - v1.3.2", this); warningDialog.setMessage("Only the header file was restored successfully. The ASM file could not be restored."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); } else if (asmRestored && !headerRestored) { - ConfirmationDialog warningDialog("Bind - v1.3.1", this); + ConfirmationDialog warningDialog("Bind - v1.3.2", this); warningDialog.setMessage("Only the ASM file was restored successfully. The header file could not be restored."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); } else { - ConfirmationDialog errorDialog("Bind - v1.3.1", this); + ConfirmationDialog errorDialog("Bind - v1.3.2", this); errorDialog.setMessage("Failed to restore both files from backup."); errorDialog.setButtons(false, false, true, false); errorDialog.exec(); @@ -584,7 +584,7 @@ void GeneralTab::restoreBackup(const QString& timestamp) } catch (...) { - ConfirmationDialog errorDialog("Bind - v1.3.1", this); + ConfirmationDialog errorDialog("Bind - v1.3.2", this); errorDialog.setMessage("An error occurred while restoring backup files."); errorDialog.setButtons(false, true, false); errorDialog.exec(); diff --git a/Bind/src/GUI/Settings/Tabs/ProfileTab.cpp b/Bind/src/GUI/Settings/Tabs/ProfileTab.cpp index 2f832e8..e66f674 100644 --- a/Bind/src/GUI/Settings/Tabs/ProfileTab.cpp +++ b/Bind/src/GUI/Settings/Tabs/ProfileTab.cpp 
@@ -97,19 +97,19 @@ void ProfileTab::exportProfile() exportSettings.sync(); - QMessageBox::information(this, "Bind - v1.3.1", + QMessageBox::information(this, "Bind - v1.3.2", QString("Profile exported to:\n%1") .arg(QDir::toNativeSeparators(QFileInfo(path).absoluteFilePath()))); } catch (...) { - QMessageBox::critical(this, "Bind - v1.3.1", "Failed to export profile."); + QMessageBox::critical(this, "Bind - v1.3.2", "Failed to export profile."); } } void ProfileTab::importProfile() { - QString path = QFileDialog::getOpenFileName(this, "Bind - v1.3.1", "", "INI Files (*.ini);;All Files (*)"); + QString path = QFileDialog::getOpenFileName(this, "Bind - v1.3.2", "", "INI Files (*.ini);;All Files (*)"); if (path.isEmpty()) { @@ -126,7 +126,7 @@ void ProfileTab::importProfile() QFile::remove(iniPath); QFile::copy(path, iniPath); - QMessageBox::information(this, "Bind - v1.3.1", + QMessageBox::information(this, "Bind - v1.3.2", QString("Profile imported from:\n%1\n\nSysCaller will now restart to use the imported profile.") .arg(QDir::toNativeSeparators(QFileInfo(path).absoluteFilePath()))); @@ -135,7 +135,7 @@ void ProfileTab::importProfile() } catch (...) { - QMessageBox::critical(this, "Bind - v1.3.1", "Failed to import profile."); + QMessageBox::critical(this, "Bind - v1.3.2", "Failed to import profile."); } } From 95b52821d036cd12dce6a9eb40a12b5b7e95d300 Mon Sep 17 00:00:00 2001 
From: WindowsAPI Date: Fri, 3 Oct 2025 19:59:32 -0700 Subject: [PATCH 07/32] refactor includes to use angle brackets and absolute paths --- Default/sysFunctions.h | 6 ++-- Default/sysFunctions_k.h | 8 ++--- SysCaller/Wrapper/include/Sys/sysExternals.h | 4 +-- SysCaller/Wrapper/include/Sys/sysFunctions.h | 32 ++++++++--------- SysCaller/Wrapper/include/Sys/sysTypes.h | 6 ++-- .../Wrapper/src/Resolver/ResolverBase.cpp | 36 +++++++++++++++++++ .../Wrapper/include/SysK/sysExternals_k.h | 2 +- SysCallerK/Wrapper/include/SysK/sysTypes_k.h | 4 +-- SysCallerK/Wrapper/include/syscaller_k.h | 8 ++--- 9 files changed, 71 insertions(+), 35 deletions(-) diff --git a/Default/sysFunctions.h b/Default/sysFunctions.h index 157aee2..15aedde 100644 --- a/Default/sysFunctions.h +++ b/Default/sysFunctions.h @@ -1,7 +1,7 @@ #pragma once -#include "../syscaller.h" -#include "sysTypes.h" -#include "sysExternals.h" +#include +#include +#include #ifdef _WIN64 /* only compile on 64bit systems */ diff --git a/Default/sysFunctions_k.h b/Default/sysFunctions_k.h index cd48da1..4d4a816 100644 --- a/Default/sysFunctions_k.h +++ b/Default/sysFunctions_k.h @@ -1,8 +1,8 @@ #pragma once -#include "../syscaller_k.h" -#include "sysTypes_k.h" -#include "sysExternals_k.h" -#include "sysConstants_k.h" +#include +#include +#include +#include #ifdef _WIN64 /* only compile on 64bit systems */ diff --git a/SysCaller/Wrapper/include/Sys/sysExternals.h b/SysCaller/Wrapper/include/Sys/sysExternals.h index 6f925c5..c735b4d 100644 --- a/SysCaller/Wrapper/include/Sys/sysExternals.h +++ b/SysCaller/Wrapper/include/Sys/sysExternals.h @@ -1,6 +1,6 @@ #pragma once -#include "../syscaller.h" -#include "sysTypes.h" +#include +#include typedef struct _WNF_STATE_NAME { diff --git a/SysCaller/Wrapper/include/Sys/sysFunctions.h b/SysCaller/Wrapper/include/Sys/sysFunctions.h index 98d8c8b..ad6ec9c 100644 --- a/SysCaller/Wrapper/include/Sys/sysFunctions.h +++ b/SysCaller/Wrapper/include/Sys/sysFunctions.h 
@@ -1,9 +1,9 @@ #pragma once -#include "../syscaller.h" -#include "sysTypes.h" -#include "sysExternals.h" +#include +#include +#include -#ifdef _WIN64 // Only compile on 64bit systems. +#ifdef _WIN64 /* only compile on 64bit systems */ #ifdef __cplusplus extern "C" { @@ -558,7 +558,7 @@ NTSTATUS SCCommitEnlistment( NTSTATUS SCCommitRegistryTransaction( HANDLE RegistryTransactionHandle, - ULONG Flags // Reserved + ULONG Flags /* reserved */ ); NTSTATUS SCCommitTransaction( @@ -613,7 +613,7 @@ NTSTATUS SCContinue( NTSTATUS SCContinueEx( PCONTEXT ContextRecord, - PVOID ContinueArgument // Can be PKCONTINUE_ARGUMENT or BOOLEAN + PVOID ContinueArgument /* can be PKCONTINUE_ARGUMENT or BOOLEAN */ ); NTSTATUS SCConvertBetweenAuxiliaryCounterAndPerformanceCounter( @@ -1596,7 +1596,7 @@ NTSTATUS SCLoadKeyEx( HANDLE Event OPTIONAL, ACCESS_MASK DesiredAccess OPTIONAL, PHANDLE RootHandle OPTIONAL, - PVOID Reserved OPTIONAL // previously PIO_STATUS_BLOCK + PVOID Reserved OPTIONAL /* previously PIO_STATUS_BLOCK */ ); NTSTATUS SCLockFile( @@ -1713,7 +1713,7 @@ NTSTATUS SCNotifyChangeDirectoryFile( PIO_APC_ROUTINE ApcRoutine OPTIONAL, PVOID ApcContext OPTIONAL, PIO_STATUS_BLOCK IoStatusBlock, - PVOID Buffer, // FILE_NOTIFY_INFORMATION + PVOID Buffer, /* FILE_NOTIFY_INFORMATION */ ULONG Length, ULONG CompletionFilter, BOOLEAN WatchTree @@ -2398,7 +2398,7 @@ NTSTATUS SCQuerySecurityAttributesToken( HANDLE TokenHandle, PUNICODE_STRING Attributes, ULONG NumberOfAttributes, - PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION + PVOID Buffer, /* PTOKEN_SECURITY_ATTRIBUTES_INFORMATION */ ULONG Length, PULONG ReturnLength ); @@ -2446,7 +2446,7 @@ NTSTATUS SCQuerySystemEnvironmentValueEx( PCGUID VendorGuid, PVOID Buffer OPTIONAL, PULONG BufferLength, - PULONG Attributes OPTIONAL // EFI_VARIABLE_* + PULONG Attributes OPTIONAL /* EFI_VARIABLE_* */ ); NTSTATUS SCQuerySystemInformation( 
@@ -2786,7 +2786,7 @@ NTSTATUS SCRollbackEnlistment( NTSTATUS SCRollbackRegistryTransaction( HANDLE RegistryTransactionHandle, - ULONG Flags // Reserved + ULONG Flags /* reserved */ ); NTSTATUS SCRollbackTransaction( @@ -3102,8 +3102,8 @@ NTSTATUS SCSetSystemEnvironmentValueEx( PCUNICODE_STRING VariableName, PCGUID VendorGuid, PVOID Buffer OPTIONAL, - ULONG BufferLength, // 0 = delete variable - ULONG Attributes // EFI_VARIABLE_* + ULONG BufferLength, /* 0 = delete variable */ + ULONG Attributes /* EFI_VARIABLE_* */ ); NTSTATUS SCSetSystemInformation( @@ -3115,7 +3115,7 @@ NTSTATUS SCSetSystemInformation( NTSTATUS SCSetSystemPowerState( POWER_ACTION SystemAction, SYSTEM_POWER_STATE LightestSystemState, - ULONG Flags // POWER_ACTION_* flags + ULONG Flags /* POWER_ACTION_* flags */ ); NTSTATUS SCSetSystemTime( @@ -3124,7 +3124,7 @@ NTSTATUS SCSetSystemTime( ); NTSTATUS SCSetThreadExecutionState( - EXECUTION_STATE NewFlags, // ES_* flags + EXECUTION_STATE NewFlags, /* ES_* flags */ EXECUTION_STATE * PreviousFlags ); @@ -3246,7 +3246,7 @@ NTSTATUS SCSystemDebugControl( NTSTATUS SCTerminateEnclave( PVOID BaseAddress, - ULONG Flags // TERMINATE_ENCLAVE_FLAG_* + ULONG Flags /* TERMINATE_ENCLAVE_FLAG_* */ ); NTSTATUS SCTerminateJobObject( diff --git a/SysCaller/Wrapper/include/Sys/sysTypes.h b/SysCaller/Wrapper/include/Sys/sysTypes.h index 8caaa6e..5af6258 100644 --- a/SysCaller/Wrapper/include/Sys/sysTypes.h +++ b/SysCaller/Wrapper/include/Sys/sysTypes.h @@ -1,8 +1,8 @@ #pragma once -#include "../syscaller.h" -#include "sysExternals.h" -#include "sysConstants.h" +#include +#include +#include // #define USE_PISID /* Uncomment this line to use PISID instead of PSID */ #define USE_DYNAMIC_ARRAY /* Uncomment this line to use dynamic array */ diff --git a/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp b/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp index 995e907..679fbed 100644 --- a/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp 
+++ b/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp @@ -1,15 +1,28 @@ #include #include #include +#include /* shared global state */ static std::unordered_map syscallCache; static HMODULE ntdllHandle = NULL; static BOOL resolverInitialized = FALSE; +static CRITICAL_SECTION resolverLock; HMODULE GetNtdllHandleInternal(); std::unordered_map ExtractSyscallsFromDllInternal(); +/* initialize the critical section for thread safety */ +void InitializeResolverLock() +{ + static BOOL lockInitialized = FALSE; + if (!lockInitialized) + { + InitializeCriticalSection(&resolverLock); + lockInitialized = TRUE; + } +} + DWORD ExtractSyscallNumber(LPVOID functionAddress) { if (functionAddress == NULL) @@ -106,19 +119,37 @@ std::unordered_map ExtractSyscallsFromDllInternal() BOOL InitializeResolver() { + /* ensure the lock is initialized */ + InitializeResolverLock(); + + /* first check if already initialized (without lock for performance) */ + if (resolverInitialized) + { + return TRUE; + } + + /* acquire lock for initialization */ + EnterCriticalSection(&resolverLock); + + /* double check to see if another thread has initialized while we waited */ if (resolverInitialized) { + LeaveCriticalSection(&resolverLock); return TRUE; } + /* clear the cache first to prevent destructor issues with corrupted state */ + syscallCache.clear(); syscallCache = ExtractSyscallsFromDllInternal(); if (syscallCache.empty()) { + LeaveCriticalSection(&resolverLock); return FALSE; } resolverInitialized = TRUE; + LeaveCriticalSection(&resolverLock); return TRUE; } @@ -144,8 +175,13 @@ DWORD GetSyscallNumber(const char* functionName) void CleanupResolver() { + /* ensure the lock is initialized */ + InitializeResolverLock(); + + EnterCriticalSection(&resolverLock); syscallCache.clear(); resolverInitialized = FALSE; + LeaveCriticalSection(&resolverLock); #if defined(SYSCALLER_RESOLVER_DISK_MAPPED) /* cleanup disk mapped resources */ 
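Review bot: `InitializeResolverLock` protects `InitializeCriticalSection` with a plain `static BOOL lockInitialized` check-then-set, so two threads making the first call to `InitializeResolver` (or `CleanupResolver`) concurrently can both initialize `resolverLock`, and the unlocked fast-path `if (resolverInitialized)` that follows is a non-atomic read racing with the write made under the lock later in the same hunk. Because this translation unit is already C++ (`std::unordered_map`), a function-local static holder object gives thread-safe one-time construction, removes the separate flag, and pairs the `DeleteCriticalSection` that `CleanupResolver` never calls with the holder's destructor; with that in place the fast path can either become a `std::atomic<BOOL>` / `InterlockedCompareExchange` read or simply be dropped so the flag is only ever read under the lock. `GetSyscallNumber` lies outside these hunks; if it reads `syscallCache` without taking the lock, the assignment `syscallCache = ExtractSyscallsFromDllInternal()` still races with those lookups. The `syscallCache.clear()` added just before that assignment is redundant, since the assignment replaces the contents anyway. `CleanupResolver` continues past the end of the third hunk.
```cpp
/* thread-safe one-time construction and teardown of the resolver lock (C++11 function-local static) */
struct ResolverLockHolder
{
    CRITICAL_SECTION cs;
    ResolverLockHolder() { InitializeCriticalSection(&cs); }
    ~ResolverLockHolder() { DeleteCriticalSection(&cs); }
    ResolverLockHolder(const ResolverLockHolder&) = delete;
    ResolverLockHolder& operator=(const ResolverLockHolder&) = delete;
};

static CRITICAL_SECTION& ResolverLock()
{
    static ResolverLockHolder holder;
    return holder.cs;
}

// … unchanged: ExtractSyscallNumber, ExtractSyscallsFromDllInternal …

BOOL InitializeResolver()
{
    /* always take the lock; resolverInitialized is then only read and written under it */
    EnterCriticalSection(&ResolverLock());

    if (resolverInitialized)
    {
        LeaveCriticalSection(&ResolverLock());
        return TRUE;
    }

    syscallCache = ExtractSyscallsFromDllInternal();
    // … unchanged: empty-cache check, resolverInitialized = TRUE, return — with every remaining &resolverLock replaced by &ResolverLock(), here and in CleanupResolver …
```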
diff --git a/SysCallerK/Wrapper/include/SysK/sysExternals_k.h b/SysCallerK/Wrapper/include/SysK/sysExternals_k.h index b4fdae3..69cf700 100644 --- a/SysCallerK/Wrapper/include/SysK/sysExternals_k.h +++ b/SysCallerK/Wrapper/include/SysK/sysExternals_k.h @@ -1,6 +1,6 @@ #pragma once -#include "sysTypes_k.h" +#include typedef struct _SYSK_WNF_STATE_NAME { diff --git a/SysCallerK/Wrapper/include/SysK/sysTypes_k.h b/SysCallerK/Wrapper/include/SysK/sysTypes_k.h index 857c32a..dc83c88 100644 --- a/SysCallerK/Wrapper/include/SysK/sysTypes_k.h +++ b/SysCallerK/Wrapper/include/SysK/sysTypes_k.h @@ -1,7 +1,7 @@ #pragma once -#include "sysExternals_k.h" -#include "sysConstants_k.h" +#include +#include /* Forward declarations for cyclic dependencies */ typedef struct _ACTIVATION_CONTEXT* PACTIVATION_CONTEXT; diff --git a/SysCallerK/Wrapper/include/syscaller_k.h b/SysCallerK/Wrapper/include/syscaller_k.h index ed138a2..2afe352 100644 --- a/SysCallerK/Wrapper/include/syscaller_k.h +++ b/SysCallerK/Wrapper/include/syscaller_k.h @@ -15,8 +15,8 @@ * For more information, see https://www.gnu.org/licenses/gpl-3.0.html */ -#include "ntifs.h" +#include -#include "SysK/sysTypes_k.h" -#include "SysK/sysExternals_k.h" -#include "SysK/sysFunctions_k.h" \ No newline at end of file +#include +#include +#include \ No newline at end of file From e59bf2d5f1144df27182935cf241734f596223b3 Mon Sep 17 00:00:00 2001 
From: WindowsAPI Date: Sat, 18 Oct 2025 19:12:23 -0700 Subject: [PATCH 08/32] add DLL injection examples for Java (JNA/JNI) and LuaJIT DLL injection samples using direct syscalls via SysCaller for Java (JNA and JNI) and LuaJIT. --- Bindings/Examples/Java/JNA/.classpath | 5 + Bindings/Examples/Java/JNA/InjectDLL.java | 177 ++++++++++++++ Bindings/Examples/Java/JNA/README.md | 19 ++ .../Java/JNA/REPLACE_WITH_SysCaller.dll.txt | 0 .../Java/JNA/REPLACE_WITH_jna-5.18.1.jar.txt | 0 Bindings/Examples/Java/JNI/InjectDLL.java | 18 ++ Bindings/Examples/Java/JNI/InjectDLLNative.c | 84 +++++++ Bindings/Examples/Java/JNI/README.md | 25 ++ .../Java/JNI/REPLACE_WITH_SysCaller.dll.txt | 0 Bindings/Examples/LuaJIT/InjectDLL.lua | 224 ++++++++++++++++++ Bindings/Examples/LuaJIT/README.md | 19 ++ .../LuaJIT/REPLACE_WITH_SysCaller.dll.txt | 0 12 files changed, 571 insertions(+) create mode 100644 Bindings/Examples/Java/JNA/.classpath create mode 100644 Bindings/Examples/Java/JNA/InjectDLL.java create mode 100644 Bindings/Examples/Java/JNA/README.md create mode 100644 Bindings/Examples/Java/JNA/REPLACE_WITH_SysCaller.dll.txt create mode 100644 Bindings/Examples/Java/JNA/REPLACE_WITH_jna-5.18.1.jar.txt create mode 100644 Bindings/Examples/Java/JNI/InjectDLL.java create mode 100644 Bindings/Examples/Java/JNI/InjectDLLNative.c create mode 100644 Bindings/Examples/Java/JNI/README.md create mode 100644 Bindings/Examples/Java/JNI/REPLACE_WITH_SysCaller.dll.txt create mode 100644 Bindings/Examples/LuaJIT/InjectDLL.lua create mode 100644 Bindings/Examples/LuaJIT/README.md create mode 100644 Bindings/Examples/LuaJIT/REPLACE_WITH_SysCaller.dll.txt diff --git a/Bindings/Examples/Java/JNA/.classpath b/Bindings/Examples/Java/JNA/.classpath new file mode 100644 index 0000000..8c13587 --- /dev/null +++ b/Bindings/Examples/Java/JNA/.classpath @@ -0,0 +1,5 @@ + + + + + \ No newline at end of file 
diff --git a/Bindings/Examples/Java/JNA/InjectDLL.java b/Bindings/Examples/Java/JNA/InjectDLL.java new file mode 100644 index 0000000..352bc41 --- /dev/null +++ b/Bindings/Examples/Java/JNA/InjectDLL.java 
@@ -0,0 +1,177 @@ +import com.sun.jna.*; +import com.sun.jna.ptr.*; + +public class InjectDLL { + public interface Kernel32 extends Library { + Kernel32 INSTANCE = Native.load("kernel32", Kernel32.class); + + int PROCESS_ALL_ACCESS = 0x1F0FFF; + int WAIT_OBJECT_0 = 0x00000000; + + Pointer OpenProcess(int dwDesiredAccess, boolean bInheritHandle, int dwProcessId); + boolean CloseHandle(Pointer hObject); + Pointer GetModuleHandleA(String name); + Pointer GetProcAddress(Pointer hModule, String name); + int WaitForSingleObject(Pointer hHandle, int dwMilliseconds); + int GetLastError(); + int GetFullPathNameA(String lpFileName, int nBufferLength, byte[] lpBuffer, PointerByReference lpFilePart); + } + + public interface SysCaller extends Library { + SysCaller INSTANCE = Native.load("SysCaller", SysCaller.class); + + int SysAllocateVirtualMemoryEx(Pointer hProcess, + PointerByReference baseAddress, + SizeTByReference regionSize, + int allocationType, + int protect, + Pointer extendedParams, + int paramCount); + + int SysWriteVirtualMemory(Pointer hProcess, + Pointer baseAddress, + Pointer buffer, + NativeLong bufferSize, + SizeTByReference bytesWritten); + + int SysCreateThreadEx(PointerByReference threadHandle, + int desiredAccess, + Pointer objectAttributes, + Pointer processHandle, + Pointer startRoutine, + Pointer argument, + int createFlags, + NativeLong zeroBits, + NativeLong stackSize, + NativeLong maxStackSize, + Pointer attributeList); + + int SysClose(Pointer handle); + } + + private static boolean NT_SUCCESS(int status) { + return status >= 0; + } + + public static class SizeTByReference extends ByReference { + public SizeTByReference() { super(NativeLong.SIZE); setValue(new NativeLong(0)); } + public SizeTByReference(NativeLong value) { super(NativeLong.SIZE); setValue(value); } + public void setValue(NativeLong value) { + if (NativeLong.SIZE == 8) getPointer().setLong(0, value.longValue()); + else getPointer().setInt(0, value.intValue()); + } + public 
NativeLong getValue() { + return new NativeLong(NativeLong.SIZE == 8 ? getPointer().getLong(0) : getPointer().getInt(0)); + } + } + + public static boolean injectDLL(Pointer hProcess, String dllPath) { + Kernel32 k32 = Kernel32.INSTANCE; + SysCaller sc = SysCaller.INSTANCE; + + byte[] buf = new byte[260]; + int n = k32.GetFullPathNameA(dllPath, buf.length, buf, null); + String abs = (n > 0 && n < buf.length) ? new String(buf, 0, n) : dllPath; + byte[] pathBytes = (abs + "\0").getBytes(); + + PointerByReference baseRef = new PointerByReference(); + SizeTByReference region = new SizeTByReference(new NativeLong(pathBytes.length)); + int status = sc.SysAllocateVirtualMemoryEx( + hProcess, baseRef, region, 0x3000, 0x40, Pointer.NULL, 0); + if (!NT_SUCCESS(status)) { + System.out.printf("[!] Failed to allocate path. Status: 0x%08X\n", status); + return false; + } + Pointer base = baseRef.getValue(); + System.out.printf("[+] Allocated DLL path memory at: 0x%016X\n", Pointer.nativeValue(base)); + + Memory localPath = new Memory(pathBytes.length); + localPath.write(0, pathBytes, 0, pathBytes.length); + SizeTByReference written = new SizeTByReference(); + status = sc.SysWriteVirtualMemory(hProcess, base, localPath, new NativeLong(pathBytes.length), written); + if (!NT_SUCCESS(status) || written.getValue().longValue() != pathBytes.length) { + System.out.printf("[!] Failed to write DLL path. Status: 0x%08X, Bytes written: %d\n", status, written.getValue().longValue()); + return false; + } + System.out.println("[+] Successfully wrote DLL path to memory"); + + Pointer hKernel32 = k32.GetModuleHandleA("kernel32.dll"); + if (hKernel32 == null) { + System.out.println("[!] Failed to get kernel32.dll handle"); + return false; + } + Pointer loadLibrary = k32.GetProcAddress(hKernel32, "LoadLibraryA"); + if (loadLibrary == null) { + System.out.println("[!] 
Failed to get LoadLibraryA address"); + return false; + } + System.out.printf("[+] LoadLibraryA address: 0x%016X\n", Pointer.nativeValue(loadLibrary)); + + byte[] scode = new byte[1 + 3 + 2 + 8 + 2 + 8 + 2 + 4 + 1]; + int i = 0; + scode[i++] = 0x48; scode[i++] = (byte)0x83; scode[i++] = (byte)0xEC; scode[i++] = 0x28; + scode[i++] = 0x48; scode[i++] = (byte)0xB9; + long pathAddr = Pointer.nativeValue(base); + for (int b = 0; b < 8; b++) scode[i++] = (byte)((pathAddr >>> (8*b)) & 0xFF); + scode[i++] = 0x48; scode[i++] = (byte)0xB8; + long llAddr = Pointer.nativeValue(loadLibrary); + for (int b = 0; b < 8; b++) scode[i++] = (byte)((llAddr >>> (8*b)) & 0xFF); + scode[i++] = (byte)0xFF; scode[i++] = (byte)0xD0; + scode[i++] = 0x48; scode[i++] = (byte)0x83; scode[i++] = (byte)0xC4; scode[i++] = 0x28; + scode[i++] = (byte)0xC3; + + PointerByReference shellRef = new PointerByReference(); + region = new SizeTByReference(new NativeLong(scode.length)); + status = sc.SysAllocateVirtualMemoryEx(hProcess, shellRef, region, 0x3000, 0x40, Pointer.NULL, 0); + if (!NT_SUCCESS(status)) { + System.out.printf("[!] Failed to allocate shellcode. Status: 0x%08X\n", status); + return false; + } + Pointer shell = shellRef.getValue(); + System.out.printf("[+] Allocated shellcode memory at: 0x%016X\n", Pointer.nativeValue(shell)); + Memory scMem = new Memory(scode.length); + scMem.write(0, scode, 0, scode.length); + written = new SizeTByReference(); + status = sc.SysWriteVirtualMemory(hProcess, shell, scMem, new NativeLong(scode.length), written); + if (!NT_SUCCESS(status) || written.getValue().longValue() != scode.length) { + System.out.printf("[!] Failed to write shellcode. 
Status: 0x%08X, Bytes written: %d\n", status, written.getValue().longValue()); + return false; + } + System.out.println("[+] Successfully wrote shellcode"); + + PointerByReference hThreadRef = new PointerByReference(); + status = sc.SysCreateThreadEx(hThreadRef, 0x1FFFFF, Pointer.NULL, hProcess, shell, Pointer.NULL, + 0, new NativeLong(0), new NativeLong(0), new NativeLong(0), Pointer.NULL); + Pointer hThread = hThreadRef.getValue(); + if (!NT_SUCCESS(status) || hThread == null) { + System.out.printf("[!] Failed to create remote thread. Status: 0x%08X, Handle: %s\n", status, String.valueOf(hThread)); + return false; + } + System.out.printf("[+] Created remote thread: 0x%016X\n", Pointer.nativeValue(hThread)); + + k32.WaitForSingleObject(hThread, 5000); + sc.SysClose(hThread); + System.out.printf("[+] Successfully injected %s!\n", dllPath); + return true; + } + + public static void main(String[] args) { + if (args.length != 2) { + System.out.println("Usage: java InjectDLL "); + return; + } + int pid = Integer.parseInt(args[0]); + String dll = args[1]; + Kernel32 k32 = Kernel32.INSTANCE; + Pointer hProcess = k32.OpenProcess(Kernel32.PROCESS_ALL_ACCESS, false, pid); + if (hProcess == null) { + System.out.printf("[!] Failed to open process %d\n", pid); + return; + } + try { + injectDLL(hProcess, dll); + } finally { + k32.CloseHandle(hProcess); + } + } +} \ No newline at end of file diff --git a/Bindings/Examples/Java/JNA/README.md b/Bindings/Examples/Java/JNA/README.md new file mode 100644 index 0000000..5f4bc09 --- /dev/null +++ b/Bindings/Examples/Java/JNA/README.md 
@@ -0,0 +1,19 @@ +# DLL Injection via Direct Syscalls w/ SysCaller (Java/JNA) + +## Requirements + +- JDK 21 +- JNA jar on classpath (jna-5.x.jar) +- `SysCaller.dll` and target `test.dll` placed alongside the Java sources (or on PATH) + +## Usage + +1) Compile: + javac -cp .;jna-5.18.1.jar InjectDLL.java +2) Run: + java -cp .;jna-5.18.1.jar InjectDLL + +## Notes + +- The code resolves the DLL absolute path via `GetFullPathNameA` to avoid remote LoadLibrary path issues. +- Uses the same allocation/write/thread creation flow as other samples. diff --git a/Bindings/Examples/Java/JNA/REPLACE_WITH_SysCaller.dll.txt b/Bindings/Examples/Java/JNA/REPLACE_WITH_SysCaller.dll.txt new file mode 100644 index 0000000..e69de29 diff --git a/Bindings/Examples/Java/JNA/REPLACE_WITH_jna-5.18.1.jar.txt b/Bindings/Examples/Java/JNA/REPLACE_WITH_jna-5.18.1.jar.txt new file mode 100644 index 0000000..e69de29 diff --git a/Bindings/Examples/Java/JNI/InjectDLL.java b/Bindings/Examples/Java/JNI/InjectDLL.java new file mode 100644 index 0000000..05b0fcc --- /dev/null +++ b/Bindings/Examples/Java/JNI/InjectDLL.java @@ -0,0 +1,18 @@ +public class InjectDLL { + static { + System.loadLibrary("InjectDLLNative"); + } + + private static native boolean inject(int pid, String dllPath); + + public static void main(String[] args) { + if (args.length != 2) { + System.out.println("Usage: java InjectDLL "); + return; + } + int pid = Integer.parseInt(args[0]); + String dll = args[1]; + boolean ok = inject(pid, dll); + System.out.println(ok ? "[+] Injection succeeded" : "[!] Injection failed"); + } +} diff --git a/Bindings/Examples/Java/JNI/InjectDLLNative.c b/Bindings/Examples/Java/JNI/InjectDLLNative.c new file mode 100644 index 0000000..4b42288 --- /dev/null +++ b/Bindings/Examples/Java/JNI/InjectDLLNative.c 
@@ -0,0 +1,84 @@ +#include +#include +#include +#include + +typedef DWORD NTSTATUS; +typedef NTSTATUS (__stdcall *PFN_SysAllocateVirtualMemoryEx)( + HANDLE, PVOID*, SIZE_T*, DWORD, DWORD, PVOID, DWORD); +typedef NTSTATUS (__stdcall *PFN_SysWriteVirtualMemory)( + HANDLE, PVOID, PVOID, SIZE_T, SIZE_T*); +typedef NTSTATUS (__stdcall *PFN_SysCreateThreadEx)( + PHANDLE, DWORD, PVOID, HANDLE, PVOID, PVOID, DWORD, + SIZE_T, SIZE_T, SIZE_T, PVOID); +typedef NTSTATUS (__stdcall *PFN_SysClose)(HANDLE); + +#define NT_SUCCESS(Status) ((int32_t)(Status) >= 0) + +static jboolean inject_internal(DWORD pid, const char* dllPath) { + HMODULE hSysCaller = LoadLibraryA("SysCaller.dll"); + if (!hSysCaller) { + return JNI_FALSE; + } + PFN_SysAllocateVirtualMemoryEx SysAllocateVirtualMemoryEx = (PFN_SysAllocateVirtualMemoryEx)GetProcAddress(hSysCaller, "SysAllocateVirtualMemoryEx"); + PFN_SysWriteVirtualMemory SysWriteVirtualMemory = (PFN_SysWriteVirtualMemory)GetProcAddress(hSysCaller, "SysWriteVirtualMemory"); + PFN_SysCreateThreadEx SysCreateThreadEx = (PFN_SysCreateThreadEx)GetProcAddress(hSysCaller, "SysCreateThreadEx"); + PFN_SysClose SysClose = (PFN_SysClose)GetProcAddress(hSysCaller, "SysClose"); + if (!SysAllocateVirtualMemoryEx || !SysWriteVirtualMemory || !SysCreateThreadEx || !SysClose) { + return JNI_FALSE; + } + + HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); + if (!hProcess) return JNI_FALSE; + + char absPath[MAX_PATH]; + DWORD n = GetFullPathNameA(dllPath, MAX_PATH, absPath, NULL); + const char* usePath = (n > 0 && n < MAX_PATH) ? 
absPath : dllPath; + SIZE_T pathLen = (SIZE_T)strlen(usePath) + 1; + + PVOID base = NULL; SIZE_T region = pathLen; NTSTATUS status; + status = SysAllocateVirtualMemoryEx(hProcess, &base, ®ion, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, NULL, 0); + if (!NT_SUCCESS(status)) { CloseHandle(hProcess); return JNI_FALSE; } + + SIZE_T written = 0; + status = SysWriteVirtualMemory(hProcess, base, (PVOID)usePath, pathLen, &written); + if (!NT_SUCCESS(status) || written != pathLen) { CloseHandle(hProcess); return JNI_FALSE; } + + HMODULE k32 = GetModuleHandleA("kernel32.dll"); + FARPROC pLoadLib = GetProcAddress(k32, "LoadLibraryA"); + if (!pLoadLib) { CloseHandle(hProcess); return JNI_FALSE; } + + uint8_t sc[32]; int idx = 0; + sc[idx++] = 0x48; sc[idx++] = 0x83; sc[idx++] = 0xEC; sc[idx++] = 0x28; + sc[idx++] = 0x48; sc[idx++] = 0xB9; *(uint64_t*)(sc+idx) = (uint64_t)base; idx += 8; + sc[idx++] = 0x48; sc[idx++] = 0xB8; *(uint64_t*)(sc+idx) = (uint64_t)pLoadLib; idx += 8; + sc[idx++] = 0xFF; sc[idx++] = 0xD0; + sc[idx++] = 0x48; sc[idx++] = 0x83; sc[idx++] = 0xC4; sc[idx++] = 0x28; + sc[idx++] = 0xC3; + SIZE_T scSize = (SIZE_T)idx; + + PVOID scAddr = NULL; region = scSize; + status = SysAllocateVirtualMemoryEx(hProcess, &scAddr, ®ion, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, NULL, 0); + if (!NT_SUCCESS(status)) { CloseHandle(hProcess); return JNI_FALSE; } + written = 0; + status = SysWriteVirtualMemory(hProcess, scAddr, sc, scSize, &written); + if (!NT_SUCCESS(status) || written != scSize) { CloseHandle(hProcess); return JNI_FALSE; } + + HANDLE hThread = NULL; + status = SysCreateThreadEx(&hThread, 0x1FFFFF, NULL, hProcess, scAddr, NULL, 0, 0, 0, 0, NULL); + if (!NT_SUCCESS(status) || !hThread) { CloseHandle(hProcess); return JNI_FALSE; } + WaitForSingleObject(hThread, 5000); + SysClose(hThread); + + CloseHandle(hProcess); + return JNI_TRUE; +} + +JNIEXPORT jboolean JNICALL Java_InjectDLL_inject(JNIEnv* env, jclass cls, jint pid, jstring jpath) { + (void)cls; + 
const char* path = (*env)->GetStringUTFChars(env, jpath, NULL); + if (!path) return JNI_FALSE; + jboolean ok = inject_internal((DWORD)pid, path); + (*env)->ReleaseStringUTFChars(env, jpath, path); + return ok; +} diff --git a/Bindings/Examples/Java/JNI/README.md b/Bindings/Examples/Java/JNI/README.md new file mode 100644 index 0000000..b28b2ee --- /dev/null +++ b/Bindings/Examples/Java/JNI/README.md @@ -0,0 +1,25 @@ +# DLL Injection via Direct Syscalls w/ SysCaller (Java/JNI) + +## Requirements + +- JDK 21 (javac/java) +- MSVC build tools (x64) +- `SysCaller.dll` and `test.dll` in this directory (or on PATH) + +## Usage + +1) Generate JNI header inline (not strictly required with this C file): + javac .\InjectDLL.java + +2) Build native DLL (x64): + - Open "x64 Native Tools Command Prompt for VS" or call vcvars64.bat + - Compile: + cl /LD /I "%JAVA_HOME%\include" /I "%JAVA_HOME%\include\win32" InjectDLLNative.c /link /OUT:InjectDLLNative.dll + +3) Run: + java InjectDLL + +## Notes + +- The code resolves the DLL absolute path via `GetFullPathNameA` to avoid remote LoadLibrary path issues. +- Uses the same allocation/write/thread creation flow as other samples. diff --git a/Bindings/Examples/Java/JNI/REPLACE_WITH_SysCaller.dll.txt b/Bindings/Examples/Java/JNI/REPLACE_WITH_SysCaller.dll.txt new file mode 100644 index 0000000..e69de29 diff --git a/Bindings/Examples/LuaJIT/InjectDLL.lua b/Bindings/Examples/LuaJIT/InjectDLL.lua new file mode 100644 index 0000000..a65d394 --- /dev/null +++ b/Bindings/Examples/LuaJIT/InjectDLL.lua 
@@ -0,0 +1,224 @@ +local ffi = require("ffi") + +ffi.cdef[[ +typedef unsigned long DWORD; +typedef int BOOL; +typedef void* PVOID; +typedef PVOID HANDLE; +typedef size_t SIZE_T; +typedef unsigned long long ULONG_PTR; +typedef unsigned long ULONG; +typedef long NTSTATUS; + +NTSTATUS SysAllocateVirtualMemoryEx( + HANDLE ProcessHandle, + PVOID *BaseAddress, + SIZE_T *RegionSize, + ULONG AllocationType, + ULONG Protect, + PVOID ExtendedParameters, + ULONG ExtendedCount +); + +NTSTATUS SysWriteVirtualMemory( + HANDLE ProcessHandle, + PVOID BaseAddress, + PVOID Buffer, + SIZE_T BufferSize, + SIZE_T *NumberOfBytesWritten +); + +NTSTATUS SysCreateThreadEx( + HANDLE *ThreadHandle, + ULONG DesiredAccess, + PVOID ObjectAttributes, + HANDLE ProcessHandle, + PVOID StartRoutine, + PVOID Argument, + ULONG CreateFlags, + SIZE_T ZeroBits, + SIZE_T StackSize, + SIZE_T MaximumStackSize, + PVOID AttributeList +); + +NTSTATUS SysClose(HANDLE Handle); + +HANDLE OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); +BOOL CloseHandle(HANDLE hObject); +HANDLE GetModuleHandleA(const char *lpModuleName); +void* GetProcAddress(HANDLE hModule, const char *lpProcName); +DWORD WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds); +DWORD GetFullPathNameA(const char* lpFileName, DWORD nBufferLength, char* lpBuffer, char** lpFilePart); +]] + +local syscaller = ffi.load("SysCaller") +local kernel32 = ffi.C + +local function NT_SUCCESS(status) + return tonumber(status) >= 0 +end + +local function pack_u64(val) + local buf = ffi.new("uint64_t[1]") + buf[0] = ffi.cast("uint64_t", val) + return ffi.string(buf, 8) +end + +local function ptr_to_uint64(p) + return tonumber(ffi.cast("uintptr_t", p)) +end + +local function InjectDLL(process_handle, dll_path) + local MAX_PATH = 260 + local outbuf = ffi.new("char[?]", MAX_PATH) + local ret = kernel32.GetFullPathNameA(dll_path, MAX_PATH, outbuf, nil) + local abs_path + if ret ~= 0 and ret < MAX_PATH then + abs_path = 
ffi.string(outbuf, ret) + else + abs_path = dll_path + end + + local path_bytes = abs_path .. "\0" + local path_size = #path_bytes + + local baseaddr = ffi.new("PVOID[1]") + local region_size = ffi.new("SIZE_T[1]", path_size) + + local STATUS = syscaller.SysAllocateVirtualMemoryEx( + process_handle, + baseaddr, + region_size, + 0x3000, + 0x40, + nil, + 0 + ) + if not NT_SUCCESS(STATUS) then + print(string.format("[!] Failed to allocate memory for DLL path. Status: 0x%08X", tonumber(ffi.cast("unsigned int", STATUS)))) + return false + end + local dll_path_addr = ptr_to_uint64(baseaddr[0]) + print(string.format("[+] Allocated DLL path memory at: 0x%016X", dll_path_addr)) + + local bytes_written = ffi.new("SIZE_T[1]", 0) + local local_buf = ffi.new("char[?]", path_size, path_bytes) + STATUS = syscaller.SysWriteVirtualMemory( + process_handle, + baseaddr[0], + ffi.cast("PVOID", local_buf), + path_size, + bytes_written + ) + if not NT_SUCCESS(STATUS) or tonumber(bytes_written[0]) ~= path_size then + print(string.format("[!] Failed to write DLL path. Status: 0x%08X, Bytes written: %d", tonumber(ffi.cast("unsigned int", STATUS)), tonumber(bytes_written[0]))) + return false + end + print("[+] Successfully wrote DLL path to memory") + + local h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll") + if h_kernel32 == nil then + print("[!] Failed to get kernel32.dll handle") + return false + end + local load_library = kernel32.GetProcAddress(h_kernel32, "LoadLibraryA") + if load_library == nil then + print("[!] Failed to get LoadLibraryA address") + return false + end + local load_library_addr = ptr_to_uint64(load_library) + print(string.format("[+] LoadLibraryA address: 0x%016X", load_library_addr)) + + local sc = {} + sc[#sc+1] = string.char(0x48, 0x83, 0xEC, 0x28) + sc[#sc+1] = string.char(0x48, 0xB9) .. pack_u64(baseaddr[0]) + sc[#sc+1] = string.char(0x48, 0xB8) .. 
pack_u64(load_library) + sc[#sc+1] = string.char(0xFF, 0xD0) + sc[#sc+1] = string.char(0x48, 0x83, 0xC4, 0x28) + sc[#sc+1] = string.char(0xC3) + local shellcode = table.concat(sc) + local shellcode_size = #shellcode + + local shelladdr = ffi.new("PVOID[1]") + local shell_region = ffi.new("SIZE_T[1]", shellcode_size) + STATUS = syscaller.SysAllocateVirtualMemoryEx( + process_handle, + shelladdr, + shell_region, + 0x3000, + 0x40, + nil, + 0 + ) + if not NT_SUCCESS(STATUS) then + print(string.format("[!] Failed to allocate memory for shellcode. Status: 0x%08X", tonumber(ffi.cast("unsigned int", STATUS)))) + return false + end + local shellcode_addr_val = ptr_to_uint64(shelladdr[0]) + print(string.format("[+] Allocated shellcode memory at: 0x%016X", shellcode_addr_val)) + + local local_sc_buf = ffi.new("char[?]", shellcode_size, shellcode) + bytes_written[0] = 0 + STATUS = syscaller.SysWriteVirtualMemory( + process_handle, + shelladdr[0], + ffi.cast("PVOID", local_sc_buf), + shellcode_size, + bytes_written + ) + if not NT_SUCCESS(STATUS) or tonumber(bytes_written[0]) ~= shellcode_size then + print(string.format("[!] Failed to write shellcode. Status: 0x%08X, Bytes written: %d", tonumber(ffi.cast("unsigned int", STATUS)), tonumber(bytes_written[0]))) + return false + end + print("[+] Successfully wrote shellcode") + + local thread_handle = ffi.new("HANDLE[1]") + STATUS = syscaller.SysCreateThreadEx( + thread_handle, + 0x1FFFFF, + nil, + process_handle, + shelladdr[0], + nil, + 0, + 0, + 0, + 0, + nil + ) + if not NT_SUCCESS(STATUS) or thread_handle[0] == nil then + print(string.format("[!] Failed to create remote thread. 
Status: 0x%08X, Handle: %s", tonumber(ffi.cast("unsigned int", STATUS)), tostring(thread_handle[0]))) + return false + end + print(string.format("[+] Created remote thread: 0x%016X", ptr_to_uint64(thread_handle[0]))) + + kernel32.WaitForSingleObject(thread_handle[0], 5000) + STATUS = syscaller.SysClose(thread_handle[0]) + print(string.format("[+] Successfully injected %s!", dll_path)) + return true +end + +local argc = #arg +if argc ~= 2 then + print("Usage: luajit inject.lua ") + os.exit(1) +end + +local pid = tonumber(arg[1]) +local dll_path = arg[2] + +local PROCESS_ALL_ACCESS = 0x1F0FFF +local process_handle = ffi.C.OpenProcess(PROCESS_ALL_ACCESS, false, pid) +if process_handle == nil then + print(string.format("[!] Failed to open process %d", pid)) + os.exit(1) +end + +local ok = InjectDLL(process_handle, dll_path) + +ffi.C.CloseHandle(process_handle) + +if not ok then + os.exit(1) +end \ No newline at end of file diff --git a/Bindings/Examples/LuaJIT/README.md b/Bindings/Examples/LuaJIT/README.md new file mode 100644 index 0000000..0ab7e67 --- /dev/null +++ b/Bindings/Examples/LuaJIT/README.md @@ -0,0 +1,19 @@ +# DLL Injection via Direct Syscalls w/ SysCaller (LuaJIT/FFI) + +## Requirements + +- LuaJIT (2.x) +- `SysCaller.dll` placed alongside the Lua script (or on PATH) + +## Usage + +Run the script: +``` +luajit injectdll.lua +``` + +## Notes + +- The script resolves the DLL absolute path via `GetFullPathNameA` to avoid remote LoadLibrary path issues. +- Uses the same allocation/write/thread creation flow as other samples. +- Shellcode is built dynamically with proper 64-bit address packing to prevent precision loss. \ No newline at end of file diff --git a/Bindings/Examples/LuaJIT/REPLACE_WITH_SysCaller.dll.txt b/Bindings/Examples/LuaJIT/REPLACE_WITH_SysCaller.dll.txt new file mode 100644 index 0000000..e69de29 From 9b743704c5fd1000c0b2c9a963eda4297fe0723b Mon Sep 17 00:00:00 2001 
From: WindowsAPI Date: Sun, 19 Oct 2025 03:54:33 -0700 Subject: [PATCH 09/32] fix duplicate close block in header Improves detection and handling of partially closed extern "C" blocks when updating header files. This should fix #28 --- .../Core/Integrity/Validator/Validator.cpp | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/Bind/src/Core/Integrity/Validator/Validator.cpp b/Bind/src/Core/Integrity/Validator/Validator.cpp index 33d406f..a78ae85 100644 --- a/Bind/src/Core/Integrity/Validator/Validator.cpp +++ b/Bind/src/Core/Integrity/Validator/Validator.cpp @@ -986,17 +986,27 @@ void Validator::updateHeaderFile(const QMap>& syscallTab for (int i = qMax(0, updatedLines.size() - searchWindow); i < updatedLines.size(); ++i) { tail += updatedLines[i]; + tail += "\n"; } - QRegularExpression externCloseRegex(R"(#ifdef\s+__cplusplus[\s\S]*?\}\s*\n\s*#endif)"); + QRegularExpression externCloseRegex(R"(#ifdef\s+__cplusplus[\s\S]*?\}\s*#endif)"); + QRegularExpression externPartialCloseRegex(R"(#ifdef\s+__cplusplus[\s\S]*?\}\s*$)"); if (!externCloseRegex.match(tail).hasMatch()) { - updatedLines.append(""); - updatedLines.append("#ifdef __cplusplus"); - updatedLines.append("}"); - updatedLines.append("#endif"); - updatedLines.append(""); + if (externPartialCloseRegex.match(tail).hasMatch()) + { + updatedLines.append("#endif"); + updatedLines.append(""); + } + else + { + updatedLines.append(""); + updatedLines.append("#ifdef __cplusplus"); + updatedLines.append("}"); + updatedLines.append("#endif"); + updatedLines.append(""); + } } int externOpenIdx = -1; From 3b2e7be87ce805ee97233a00564ff7286632a732 Mon Sep 17 00:00:00 2001 
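Review bot: `externPartialCloseRegex` at `R"(#ifdef\s+__cplusplus[\s\S]*?\}\s*$)"` accepts any `}` at the end of the tail window once an `#ifdef __cplusplus` appears anywhere before it, so a header whose window ends with the closing brace of an unrelated block (an inline function, or a struct missing its `;`) would get a lone `#endif` appended and an unbalanced guard. If the partially closed form this fixes is an `#ifdef __cplusplus` followed directly by `}` with the `#endif` missing, the pattern can be tightened to `R"(#ifdef\s+__cplusplus\s*\}\s*$)"` so the brace must be the one the guard introduces. The same caveat applies to `externCloseRegex`, whose lazy `[\s\S]*?` can start at the opening `#ifdef __cplusplus` guard and run to any later `}` that happens to precede an `#endif`, which would make a still-open block look closed. `updateHeaderFile` starts and ends outside this hunk, so the value of `searchWindow` and how `tail` is consumed afterwards are not visible here.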
From: WindowsAPI Date: Sun, 19 Oct 2025 04:19:28 -0700 Subject: [PATCH 10/32] add DLL injection examples for Julia and D DLL injection samples using direct syscalls via SysCaller for Julia and D. --- Bindings/Examples/D/InjectDLL.d | 182 ++++++++++++++++++ Bindings/Examples/D/README.md | 20 ++ .../Examples/D/REPLACE_WITH_SysCaller.dll.txt | 0 Bindings/Examples/Julia/InjectDLL.jl | 151 +++++++++++++++ Bindings/Examples/Julia/README.md | 19 ++ .../Julia/REPLACE_WITH_SysCaller.dll.txt | 0 6 files changed, 372 insertions(+) create mode 100644 Bindings/Examples/D/InjectDLL.d create mode 100644 Bindings/Examples/D/README.md create mode 100644 Bindings/Examples/D/REPLACE_WITH_SysCaller.dll.txt create mode 100644 Bindings/Examples/Julia/InjectDLL.jl create mode 100644 Bindings/Examples/Julia/README.md create mode 100644 Bindings/Examples/Julia/REPLACE_WITH_SysCaller.dll.txt diff --git a/Bindings/Examples/D/InjectDLL.d b/Bindings/Examples/D/InjectDLL.d new file mode 100644 index 0000000..d3e7875 --- /dev/null +++ b/Bindings/Examples/D/InjectDLL.d 
@@ -0,0 +1,182 @@ +import core.sys.windows.windows; +import core.stdc.stdint; +import core.stdc.stdlib; +import core.stdc.string; +import std.stdio; +import std.string; +import std.conv; + +alias NTSTATUS = uint; + +extern(Windows) alias PFN_SysAllocateVirtualMemoryEx = NTSTATUS function( + HANDLE /*ProcessHandle*/, + void** /*BaseAddress*/, + size_t* /*RegionSize*/, + uint /*AllocationType*/, + uint /*Protect*/, + void* /*ExtendedParameters*/, + uint /*ExtendedCount*/ +); + +extern(Windows) alias PFN_SysWriteVirtualMemory = NTSTATUS function( + HANDLE /*ProcessHandle*/, + void* /*BaseAddress*/, + void* /*Buffer*/, + size_t /*BufferSize*/, + size_t* /*NumberOfBytesWritten*/ +); + +extern(Windows) alias PFN_SysCreateThreadEx = NTSTATUS function( + HANDLE* /*ThreadHandle*/, + uint /*DesiredAccess*/, + void* /*ObjectAttributes*/, + HANDLE /*ProcessHandle*/, + void* /*StartRoutine*/, + void* /*Argument*/, + uint /*CreateFlags*/, + size_t /*ZeroBits*/, + size_t /*StackSize*/, + size_t /*MaximumStackSize*/, + void* /*AttributeList*/ +); + +extern(Windows) alias PFN_SysClose = NTSTATUS function(HANDLE); + +enum MEM_COMMIT = 0x1000; +enum MEM_RESERVE = 0x2000; +enum PAGE_EXECUTE_READWRITE = 0x40; +enum THREAD_ALL_ACCESS = 0x1FFFFF; +enum PROCESS_ALL_ACCESS = 0x1F0FFF; + +bool NT_SUCCESS(NTSTATUS status) { return cast(int)status >= 0; } + +void appendLE64(ref ubyte[] arr, size_t value) +{ + foreach (i; 0 .. 8) + arr ~= cast(ubyte)((value >> (8*i)) & 0xFF); +} + +int main(string[] args) +{ + if (args.length != 3) + { + writeln("Usage: InjectDLL "); + return 1; + } + + uint pid = to!uint(args[1]); + string dllPath = args[2]; + + HMODULE hSysCaller = LoadLibraryA("SysCaller.dll"); + if (hSysCaller is null) + { + writeln("[!] 
Failed to load SysCaller.dll"); + return 1; + } + auto SysAllocateVirtualMemoryEx = cast(PFN_SysAllocateVirtualMemoryEx) GetProcAddress(hSysCaller, "SysAllocateVirtualMemoryEx"); + auto SysWriteVirtualMemory = cast(PFN_SysWriteVirtualMemory) GetProcAddress(hSysCaller, "SysWriteVirtualMemory"); + auto SysCreateThreadEx = cast(PFN_SysCreateThreadEx) GetProcAddress(hSysCaller, "SysCreateThreadEx"); + auto SysClose = cast(PFN_SysClose) GetProcAddress(hSysCaller, "SysClose"); + if (SysAllocateVirtualMemoryEx is null || SysWriteVirtualMemory is null || SysCreateThreadEx is null || SysClose is null) + { + writeln("[!] Failed to resolve SysCaller exports"); + return 1; + } + + HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); + if (hProcess is null) + { + writefln("[!] Failed to open process %s", pid); + return 1; + } + + char[260] pathBuf; + DWORD n = GetFullPathNameA(toStringz(dllPath), pathBuf.length, pathBuf.ptr, null); + string absPath = (n > 0 && n < pathBuf.length) ? pathBuf[0 .. n].idup : dllPath; + auto pathBytes = (absPath ~ '\0').dup; + + void* baseAddress = null; + size_t regionSize = pathBytes.length; + NTSTATUS status = SysAllocateVirtualMemoryEx(hProcess, &baseAddress, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE, null, 0); + if (!NT_SUCCESS(status)) + { + writefln("[!] Failed to allocate memory for DLL path. Status: 0x%08X", status); + CloseHandle(hProcess); + return 1; + } + writefln("[+] Allocated DLL path memory at: 0x%016X", cast(size_t)baseAddress); + + size_t bytesWritten = 0; + status = SysWriteVirtualMemory(hProcess, baseAddress, pathBytes.ptr, pathBytes.length, &bytesWritten); + if (!NT_SUCCESS(status) || bytesWritten != pathBytes.length) + { + writefln("[!] Failed to write DLL path. 
Status: 0x%08X, Bytes written: %s", status, bytesWritten); + CloseHandle(hProcess); + return 1; + } + writeln("[+] Successfully wrote DLL path to memory"); + + HMODULE hKernel32 = GetModuleHandleA("kernel32.dll"); + if (hKernel32 is null) + { + writeln("[!] Failed to get kernel32.dll handle"); + CloseHandle(hProcess); + return 1; + } + auto pLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA"); + if (pLoadLibraryA is null) + { + writeln("[!] Failed to get LoadLibraryA address"); + CloseHandle(hProcess); + return 1; + } + writefln("[+] LoadLibraryA address: 0x%016X", cast(size_t)pLoadLibraryA); + + ubyte[] sc; + sc ~= [cast(ubyte)0x48, 0x83, 0xEC, 0x28]; + sc ~= [cast(ubyte)0x48, 0xB9]; + appendLE64(sc, cast(size_t)baseAddress); + sc ~= [cast(ubyte)0x48, 0xB8]; + appendLE64(sc, cast(size_t)pLoadLibraryA); + sc ~= [cast(ubyte)0xFF, 0xD0]; + sc ~= [cast(ubyte)0x48, 0x83, 0xC4, 0x28]; + sc ~= [cast(ubyte)0xC3]; + + void* scAddress = null; + regionSize = sc.length; + status = SysAllocateVirtualMemoryEx(hProcess, &scAddress, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE, null, 0); + if (!NT_SUCCESS(status)) + { + writefln("[!] Failed to allocate shellcode. Status: 0x%08X", status); + CloseHandle(hProcess); + return 1; + } + writefln("[+] Allocated shellcode memory at: 0x%016X", cast(size_t)scAddress); + + bytesWritten = 0; + status = SysWriteVirtualMemory(hProcess, scAddress, sc.ptr, sc.length, &bytesWritten); + if (!NT_SUCCESS(status) || bytesWritten != sc.length) + { + writefln("[!] Failed to write shellcode. Status: 0x%08X, Bytes written: %s", status, bytesWritten); + CloseHandle(hProcess); + return 1; + } + writeln("[+] Successfully wrote shellcode"); + + HANDLE hThread = null; + status = SysCreateThreadEx(&hThread, THREAD_ALL_ACCESS, null, hProcess, scAddress, null, 0, 0, 0, 0, null); + if (!NT_SUCCESS(status) || hThread is null) + { + writefln("[!] Failed to create remote thread. 
Status: 0x%08X, Handle: %p", status, hThread); + CloseHandle(hProcess); + return 1; + } + writefln("[+] Created remote thread: 0x%016X", cast(size_t)hThread); + + WaitForSingleObject(hThread, 5000); + SysClose(hThread); + + CloseHandle(hProcess); + writefln("[+] Successfully injected %s!", dllPath); + return 0; +} \ No newline at end of file diff --git a/Bindings/Examples/D/README.md b/Bindings/Examples/D/README.md new file mode 100644 index 0000000..334900e --- /dev/null +++ b/Bindings/Examples/D/README.md @@ -0,0 +1,20 @@ +# DLL Injection via Direct Syscalls w/ SysCaller (D) + +## Requirements + +- D compiler (DMD) +- `SysCaller.dll` in this folder (or on PATH) + +## Usage + +From this folder: +``` +dmd InjectDLL.d +InjectDLL +``` + +## Notes + +- Resolves the DLL absolute path via `GetFullPathNameA` to avoid remote LoadLibrary path issues. +- Uses the same allocation/write/thread creation flow as other samples. +- Shellcode is built in D and embeds 64-bit addresses for the path buffer and `LoadLibraryA`. diff --git a/Bindings/Examples/D/REPLACE_WITH_SysCaller.dll.txt b/Bindings/Examples/D/REPLACE_WITH_SysCaller.dll.txt new file mode 100644 index 0000000..e69de29 diff --git a/Bindings/Examples/Julia/InjectDLL.jl b/Bindings/Examples/Julia/InjectDLL.jl new file mode 100644 index 0000000..9162c3c --- /dev/null +++ b/Bindings/Examples/Julia/InjectDLL.jl 
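Review bot: The closing `writefln("[+] Successfully injected %s!", dllPath)` is printed whatever `WaitForSingleObject(hThread, 5000)` returned, so a remote thread that has not finished within the 5 s timeout is still reported as a success; capture the result, e.g. `DWORD w = WaitForSingleObject(hThread, 5000);`, and report a timeout unless it is `WAIT_OBJECT_0`. In the same spirit, `absPath` silently falls back to the unresolved `dllPath` when `GetFullPathNameA` returns 0 or a length of 260 or more, which contradicts the README's statement that the path is resolved to an absolute one; failing with a message there would be clearer than continuing. The Julia sample in the next file (`get_full_path` and its `WaitForSingleObject` call) has the same two gaps.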
@@ -0,0 +1,151 @@ +using Printf + +const KERNEL32 = "kernel32" +const SYSCALLER = "SysCaller" + +const MEM_COMMIT = 0x1000 +const MEM_RESERVE = 0x2000 +const PAGE_EXECUTE_READWRITE = 0x40 +const THREAD_ALL_ACCESS = 0x1FFFFF +const PROCESS_ALL_ACCESS = 0x1F0FFF + +nt_success(status::Int32) = status >= 0 + +function get_full_path(path::AbstractString) + buf = Vector{UInt8}(undef, 260) + n = ccall((:GetFullPathNameA, KERNEL32), UInt32, + (Cstring, UInt32, Ptr{UInt8}, Ptr{Ptr{UInt8}}), + path, UInt32(length(buf)), buf, C_NULL) + if n > 0 && n < length(buf) + return unsafe_string(pointer(buf), n) + else + return path + end +end + +function open_process(pid::UInt32) + h = ccall((:OpenProcess, KERNEL32), Ptr{Cvoid}, + (UInt32, Cint, UInt32), PROCESS_ALL_ACCESS, 0, pid) + return h +end + +function close_handle(h::Ptr{Cvoid}) + ccall((:CloseHandle, KERNEL32), Cint, (Ptr{Cvoid},), h) +end + +function get_loadlibraryA() + k32 = ccall((:GetModuleHandleA, KERNEL32), Ptr{Cvoid}, (Cstring,), "kernel32.dll") + k32 == C_NULL && error("Failed to get kernel32.dll handle") + p = ccall((:GetProcAddress, KERNEL32), Ptr{Cvoid}, (Ptr{Cvoid}, Cstring), k32, "LoadLibraryA") + p == C_NULL && error("Failed to get LoadLibraryA address") + return p +end + +function injectdll(hproc::Ptr{Cvoid}, dllpath::AbstractString) + abs = get_full_path(dllpath) + path_bytes = Vector{UInt8}(codeunits(abs)) + push!(path_bytes, 0x00) + + base_ref = Ref{Ptr{Cvoid}}(C_NULL) + region = Ref{Csize_t}(Csize_t(length(path_bytes))) + status = ccall((:SysAllocateVirtualMemoryEx, SYSCALLER), Int32, + (Ptr{Cvoid}, Ptr{Ptr{Cvoid}}, Ptr{Csize_t}, UInt32, UInt32, Ptr{Cvoid}, UInt32), + hproc, base_ref, region, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, C_NULL, 0) + if !nt_success(status) + @printf("[!] Failed to allocate memory for DLL path. 
Status: 0x%08X\n", UInt32(status)) + return false + end + base = base_ref[] + @printf("[+] Allocated DLL path memory at: %p\n", base) + + written = Ref{Csize_t}(0) + GC.@preserve path_bytes begin + status = ccall((:SysWriteVirtualMemory, SYSCALLER), Int32, + (Ptr{Cvoid}, Ptr{Cvoid}, Ptr{Cvoid}, Csize_t, Ptr{Csize_t}), + hproc, base, pointer(path_bytes), Csize_t(length(path_bytes)), written) + end + if !nt_success(status) || written[] != Csize_t(length(path_bytes)) + @printf("[!] Failed to write DLL path. Status: 0x%08X, Bytes written: %d\n", UInt32(status), UInt64(written[])) + return false + end + println("[+] Successfully wrote DLL path to memory") + + loadlib = get_loadlibraryA() + @printf("[+] LoadLibraryA address: %p\n", loadlib) + + sc = UInt8[] + append!(sc, [0x48, 0x83, 0xEC, 0x28]) + append!(sc, [0x48, 0xB9]) + addr_path = UInt64(UInt(base)) + for b in 0:7 push!(sc, UInt8((addr_path >> (8*b)) & 0xFF)) end + append!(sc, [0x48, 0xB8]) + addr_ll = UInt64(UInt(loadlib)) + for b in 0:7 push!(sc, UInt8((addr_ll >> (8*b)) & 0xFF)) end + append!(sc, [0xFF, 0xD0]) + append!(sc, [0x48, 0x83, 0xC4, 0x28]) + push!(sc, 0xC3) + + sc_base_ref = Ref{Ptr{Cvoid}}(C_NULL) + region = Ref{Csize_t}(Csize_t(length(sc))) + status = ccall((:SysAllocateVirtualMemoryEx, SYSCALLER), Int32, + (Ptr{Cvoid}, Ptr{Ptr{Cvoid}}, Ptr{Csize_t}, UInt32, UInt32, Ptr{Cvoid}, UInt32), + hproc, sc_base_ref, region, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, C_NULL, 0) + if !nt_success(status) + @printf("[!] Failed to allocate shellcode. Status: 0x%08X\n", UInt32(status)) + return false + end + sc_base = sc_base_ref[] + @printf("[+] Allocated shellcode memory at: %p\n", sc_base) + + written[] = 0 + GC.@preserve sc begin + status = ccall((:SysWriteVirtualMemory, SYSCALLER), Int32, + (Ptr{Cvoid}, Ptr{Cvoid}, Ptr{Cvoid}, Csize_t, Ptr{Csize_t}), + hproc, sc_base, pointer(sc), Csize_t(length(sc)), written) + end + if !nt_success(status) || written[] != Csize_t(length(sc)) + @printf("[!] 
Failed to write shellcode. Status: 0x%08X, Bytes written: %d\n", UInt32(status), UInt64(written[])) + return false + end + println("[+] Successfully wrote shellcode") + + thread_ref = Ref{Ptr{Cvoid}}(C_NULL) + status = ccall((:SysCreateThreadEx, SYSCALLER), Int32, + (Ptr{Ptr{Cvoid}}, UInt32, Ptr{Cvoid}, Ptr{Cvoid}, Ptr{Cvoid}, Ptr{Cvoid}, UInt32, + Csize_t, Csize_t, Csize_t, Ptr{Cvoid}), + thread_ref, THREAD_ALL_ACCESS, C_NULL, hproc, sc_base, C_NULL, 0, + Csize_t(0), Csize_t(0), Csize_t(0), C_NULL) + thr = thread_ref[] + if !nt_success(status) || thr == C_NULL + @printf("[!] Failed to create remote thread. Status: 0x%08X, Handle: %p\n", UInt32(status), thr) + return false + end + @printf("[+] Created remote thread: %p\n", thr) + + ccall((:WaitForSingleObject, KERNEL32), UInt32, (Ptr{Cvoid}, UInt32), thr, 5000) + ccall((:SysClose, SYSCALLER), Int32, (Ptr{Cvoid},), thr) + + println("[+] Successfully injected $(dllpath)!") + return true +end + +function main() + if length(ARGS) != 2 + println("Usage: julia InjectDLL.jl ") + return + end + pid = parse(UInt32, ARGS[1]) + dll = ARGS[2] + hproc = open_process(pid) + if hproc == C_NULL + println("[!] Failed to open process ", pid) + return + end + try + injectdll(hproc, dll) + finally + close_handle(hproc) + end +end + +main() \ No newline at end of file diff --git a/Bindings/Examples/Julia/README.md b/Bindings/Examples/Julia/README.md new file mode 100644 index 0000000..abacd8b --- /dev/null +++ b/Bindings/Examples/Julia/README.md 
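Review bot: `get_full_path` hands `pointer(buf)` to `unsafe_string` with nothing rooting `buf`, and Julia only guarantees a pointer obtained that way while the array is preserved; write it as `GC.@preserve buf unsafe_string(pointer(buf), n)`, the same pattern `injectdll` already uses around its `SysWriteVirtualMemory` calls. The `ccall` to `GetFullPathNameA` itself is fine, because `ccall` roots its arguments for the duration of the call. `close_handle` and the `SysClose` call discard their integer results; a comment such as `# return value intentionally ignored` would make that deliberate rather than accidental.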
@@ -0,0 +1,19 @@
+# DLL Injection via Direct Syscalls w/ SysCaller (Julia)
+
+## Requirements
+
+- Julia 1.12+
+- `SysCaller.dll` in this folder (or on PATH)
+
+## Usage
+
+From this folder:
+```
+julia InjectDLL.jl
+```
+
+## Notes
+
+- Resolves the DLL absolute path via `GetFullPathNameA` to avoid remote LoadLibrary path issues.
+- Uses the same allocation/write/thread creation flow as other samples.
+- Shellcode is generated in Julia and embeds 64-bit addresses for the path buffer and `LoadLibraryA`.
diff --git a/Bindings/Examples/Julia/REPLACE_WITH_SysCaller.dll.txt b/Bindings/Examples/Julia/REPLACE_WITH_SysCaller.dll.txt
new file mode 100644
index 0000000..e69de29
From 2a530763883313b6356c06ece71594e7e57d215e Mon Sep 17 00:00:00 2001
From: WindowsAPI
Date: Mon, 20 Oct 2025 16:04:59 -0700
Subject: [PATCH 11/32] add WIN32_LEAN_AND_MEAN and NOMINMAX to includes
This improves compilation times and avoids issues with min/max macros.
---
SysCaller/Wrapper/include/Resolver/PebUtils.h | 8 +++++++-
SysCaller/Wrapper/include/Resolver/Resolver.h | 8 +++++++-
SysCaller/Wrapper/include/Resolver/ResolverBase.h | 10 ++++++++--
3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/SysCaller/Wrapper/include/Resolver/PebUtils.h b/SysCaller/Wrapper/include/Resolver/PebUtils.h
index a1b0748..00d0e5d 100644
--- a/SysCaller/Wrapper/include/Resolver/PebUtils.h
+++ b/SysCaller/Wrapper/include/Resolver/PebUtils.h
@@ -1,6 +1,12 @@
 #pragma once
-#include
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#ifndef NOMINMAX
+#define NOMINMAX
+#endif
+#include
 #include
 #include
diff --git a/SysCaller/Wrapper/include/Resolver/Resolver.h b/SysCaller/Wrapper/include/Resolver/Resolver.h
index 8f29f6f..a59e396 100644
--- a/SysCaller/Wrapper/include/Resolver/Resolver.h
+++ b/SysCaller/Wrapper/include/Resolver/Resolver.h
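Review bot: Defining `WIN32_LEAN_AND_MEAN` and `NOMINMAX` inside a public header (here, and again in the Resolver.h and ResolverBase.h hunks) only takes effect when this header is the first thing in the translation unit to pull in the Windows header whose name is lost in this rendering; a consumer that already included it without those macros gets no diagnostic and a different set of declarations, so the result is include-order dependent. If the macros are meant to be guaranteed, a project-wide compiler definition is the reliable place; if they are only a courtesy, a comment such as `// no-op if the Windows header was already included by the consumer` above the `#ifndef` block would document the limitation. The second ResolverBase.h hunk also drops the file's trailing newline (`\ No newline at end of file`), which looks unintended.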
@@ -1,6 +1,12 @@
 #pragma once
-#include
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#ifndef NOMINMAX
+#define NOMINMAX
+#endif
+#include
 #include
 #ifdef __cplusplus
diff --git a/SysCaller/Wrapper/include/Resolver/ResolverBase.h b/SysCaller/Wrapper/include/Resolver/ResolverBase.h
index 7dcb47b..57880ef 100644
--- a/SysCaller/Wrapper/include/Resolver/ResolverBase.h
+++ b/SysCaller/Wrapper/include/Resolver/ResolverBase.h
@@ -1,6 +1,12 @@
 #pragma once
-#include
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#ifndef NOMINMAX
+#define NOMINMAX
+#endif
+#include
 #include
 #include
 #include
@@ -34,4 +40,4 @@ void CleanupResolver();
 /* internal functions for resolver methods */
 HMODULE GetNtdllHandleInternal();
 std::unordered_map ExtractSyscallsFromDllInternal();
-DWORD ExtractSyscallNumber(LPVOID functionAddress);
+DWORD ExtractSyscallNumber(LPVOID functionAddress);
\ No newline at end of file
From d2043b2fcbf6496603401df26ae37757882c6d62 Mon Sep 17 00:00:00 2001
From: WindowsAPI Date: Tue, 11 Nov 2025 22:13:25 -0800 Subject: [PATCH 12/32] refactor Bind structure & build config for v1.3.2 Removed Win32 platform support and solution/filter files from Bind. Updated Bind.vcxproj to use explicit x64 Qt/Vcpkg paths, set new output directories, and simplified build settings. Changed GitHub Actions workflow to match new build output locations. Migrated resource and artifact paths, and added missing headers for improved modularity. --- .github/workflows/build.yml | 26 +- Bind/Bind.sln | 31 - Bind/Bind.vcxproj | 199 +- Bind/Bind.vcxproj.filters | 396 - .../Integrity/Compatibility/Compatibility.h | 14 +- Bind/include/Core/Integrity/Integrity.h | 5 + .../Core/Integrity/Validator/Validator.h | 16 +- .../Integrity/Verification/Verification.h | 22 +- .../Direct/ControlFlow/DirectControlFlow.h | 8 +- Bind/include/Core/Obfuscation/Direct/Direct.h | 7 + .../Direct/Encryption/DirectEncryptor.h | 8 +- .../Direct/Mapping/DirectStubMapper.h | 12 +- .../Direct/Stub/DirectJunkGenerator.h | 2 +- .../Direct/Stub/DirectStubGenerator.h | 6 +- .../ControlFlow/IndirectControlFlow.h | 6 +- .../Indirect/Encryption/IndirectEncryptor.h | 2 +- .../Core/Obfuscation/Indirect/Indirect.h | 6 + .../Indirect/Stub/IndirectJunkGenerator.h | 2 +- .../Indirect/Stub/IndirectStubGenerator.h | 4 +- .../Core/Obfuscation/IndirectObfuscation.h | 6 +- Bind/include/Core/Obfuscation/Obfuscation.h | 10 +- Bind/include/Core/Obfuscation/Shared/Shared.h | 3 + .../Obfuscation/Shared/Stub/NameGenerator.h | 2 +- Bind/include/Core/Utils/Common.h | 8 + Bind/include/Core/Utils/Constants.h | 32 + Bind/include/Core/Utils/Dependencies.h | 9 + Bind/include/Core/Utils/PathUtils.h | 4 +- Bind/include/Core/Utils/QtDependencies.h | 69 + Bind/include/Core/Utils/Utils.h | 7 +- Bind/include/Core/Utils/Version.h | 11 + Bind/include/GUI/Bars.h | 6 + Bind/include/GUI/Bars/SettingsTitleBar.h | 3 +- Bind/include/GUI/Bars/StatusBar.h | 1 + Bind/include/GUI/Bars/TitleBar.h | 1 + 
Bind/include/GUI/Buttons.h | 3 + Bind/include/GUI/Dialogs.h | 8 + Bind/include/GUI/Dialogs/ChangelogDialog.h | 2 +- Bind/include/GUI/Dialogs/ConfirmationDialog.h | 6 +- Bind/include/GUI/Dialogs/HashCompareDialog.h | 4 +- .../GUI/Dialogs/ObfuscationSelectionDialog.h | 3 +- Bind/include/GUI/Dialogs/SettingsDialog.h | 10 +- Bind/include/GUI/Dialogs/StubMapperDialog.h | 28 +- Bind/include/GUI/MainWindow.h | 30 + Bind/include/GUI/Panels.h | 5 + Bind/include/GUI/Panels/LeftPanel.h | 6 +- Bind/include/GUI/Panels/OutputPanel.h | 3 +- Bind/include/GUI/Panels/RightPanel.h | 3 +- Bind/include/GUI/Settings.h | 8 + Bind/include/GUI/Settings/Tabs/GeneralTab.h | 16 +- .../Settings/Tabs/IndirectObfuscationTab.h | 9 +- .../GUI/Settings/Tabs/InlineObfuscationTab.h | 4 +- Bind/include/GUI/Settings/Tabs/IntegrityTab.h | 12 +- .../GUI/Settings/Tabs/ObfuscationTab.h | 12 +- Bind/include/GUI/Settings/Tabs/ProfileTab.h | 10 +- Bind/include/GUI/Themes.h | 3 + Bind/include/GUI/Themes/Colors.h | 3 +- Bind/include/GUI/Threads.h | 6 + .../include/GUI/Threads/CompatibilityThread.h | 7 +- Bind/include/GUI/Threads/ObfuscationThread.h | 6 +- Bind/include/GUI/Threads/ValidatorThread.h | 7 +- Bind/include/GUI/Threads/VerificationThread.h | 8 +- Bind/main.cpp | 39 - Bind/resources.qrc | 20 - .../Integrity/Compatibility/Compatibility.cpp | 21 +- .../Core/Integrity/Validator/Validator.cpp | 22 +- .../Integrity/Verification/Verification.cpp | 115 +- .../Direct/ControlFlow/DirectControlFlow.cpp | 7 +- .../Direct/Encryption/DirectEncryptor.cpp | 7 +- .../Direct/Mapping/DirectStubMapper.cpp | 27 +- .../Direct/Stub/DirectJunkGenerator.cpp | 8 +- .../Direct/Stub/DirectStubGenerator.cpp | 11 +- .../ControlFlow/IndirectControlFlow.cpp | 9 +- .../Indirect/Encryption/IndirectEncryptor.cpp | 6 +- .../Indirect/Stub/IndirectJunkGenerator.cpp | 8 +- .../Indirect/Stub/IndirectStubGenerator.cpp | 8 +- .../Core/Obfuscation/IndirectObfuscation.cpp | 49 +- Bind/src/Core/Obfuscation/Obfuscation.cpp | 31 +- 
.../Obfuscation/Shared/Stub/NameGenerator.cpp | 8 +- Bind/src/Core/Utils/PathUtils.cpp | 66 +- Bind/src/Core/Utils/Utils.cpp | 24 +- Bind/src/GUI/Bars/ProgressBar.cpp | 2 +- Bind/src/GUI/Bars/SettingsTitleBar.cpp | 10 +- Bind/src/GUI/Bars/StatusBar.cpp | 30 +- Bind/src/GUI/Bars/TitleBar.cpp | 10 +- Bind/src/GUI/Buttons/BindButton.cpp | 13 +- Bind/src/GUI/Dialogs/ChangelogDialog.cpp | 199 +- Bind/src/GUI/Dialogs/ConfirmationDialog.cpp | 35 +- Bind/src/GUI/Dialogs/HashCompareDialog.cpp | 61 +- .../Dialogs/ObfuscationSelectionDialog.cpp | 54 +- Bind/src/GUI/Dialogs/SettingsDialog.cpp | 61 +- Bind/src/GUI/Dialogs/StubMapperDialog.cpp | 41 +- Bind/src/GUI/MainWindow.cpp | 203 +- Bind/src/GUI/Panels/LeftPanel.cpp | 94 +- Bind/src/GUI/Panels/OutputPanel.cpp | 4 +- Bind/src/GUI/Panels/RightPanel.cpp | 8 +- Bind/src/GUI/Settings/Tabs/GeneralTab.cpp | 163 +- .../Settings/Tabs/IndirectObfuscationTab.cpp | 9 +- .../Settings/Tabs/InlineObfuscationTab.cpp | 7 +- Bind/src/GUI/Settings/Tabs/IntegrityTab.cpp | 10 +- Bind/src/GUI/Settings/Tabs/ObfuscationTab.cpp | 7 +- Bind/src/GUI/Settings/Tabs/ProfileTab.cpp | 68 +- Bind/src/GUI/Stylesheets/ChangelogDialog.qss | 142 +- .../GUI/Stylesheets/ConfirmationDialog.qss | 59 +- .../src/GUI/Stylesheets/HashCompareDialog.qss | 2 +- .../ObfuscationSelectionDialog.qss | 49 +- Bind/src/GUI/Stylesheets/SettingsDialog.qss | 27 +- Bind/src/GUI/Stylesheets/StubMapperDialog.qss | 2 +- Bind/src/GUI/Threads/CompatibilityThread.cpp | 7 +- Bind/src/GUI/Threads/ObfuscationThread.cpp | 11 +- Bind/src/GUI/Threads/ValidatorThread.cpp | 7 +- Bind/src/GUI/Threads/VerificationThread.cpp | 6 +- Bind/src/Res/Icons/green.png | Bin 0 -> 777 bytes Bind/src/Res/Icons/hourglass.png | Bin 0 -> 716 bytes Bind/src/Res/Icons/record.png | Bin 0 -> 529 bytes Bind/src/Res/Icons/red.png | Bin 0 -> 728 bytes Bind/src/Res/Icons/xmark.png | Bin 0 -> 544 bytes Bind/{ => src/Res}/app.rc | 4 +- Bind/{ => src/Res}/resource.h | 12 +- Bind/src/Res/resources.qrc | 24 + 
Bindings/Examples/C/InjectDLL.c | 2 +- Bindings/Examples/C/InjectDLLObf.c | 2 +- Bindings/Examples/C/README.md | 2 +- Bindings/Examples/CSharp/Program.cs | 2 +- Bindings/Examples/CSharp/ProgramObf.cs | 2 +- Bindings/Examples/GO/README.md | 2 +- Bindings/Examples/Nim/InjectDLL.nim | 2 +- Bindings/Examples/Nim/InjectDLLObf.nim | 2 +- Bindings/Examples/Python/InjectDLL.py | 2 +- Bindings/Examples/Python/InjectDLLObf.py | 2 +- Bindings/Examples/Python/README.md | 2 +- Bindings/Examples/Rust/README.md | 2 +- Bindings/Examples/Rust/cargo.toml | 2 +- Default/{sysFunctions_k.h => SysFunctionsK.h} | 8 +- Default/sysFunctions.h | 6 +- Default/syscaller.asm | 2 +- History/CHANGELOG_1.0.0.md | 2 - History/CHANGELOG_1.1.0.md | 2 - History/CHANGELOG_1.2.0.md | 2 - History/CHANGELOG_1.3.0.md | 2 - History/CHANGELOG_1.3.1.md | 4 +- History/CHANGELOG_1.3.2.md | 52 + README.md | 55 +- SysCaller.sln | 10 + SysCaller/SysCaller.vcxproj | 34 +- SysCaller/Wrapper/CMakeLists.txt | 83 +- SysCaller/Wrapper/include/Sys/sysExternals.h | 4 +- SysCaller/Wrapper/include/Sys/sysFunctions.h | 8 +- SysCaller/Wrapper/include/Sys/sysTypes.h | 6 +- .../{syscaller_config.h => SysCallerConfig.h} | 6 +- SysCaller/Wrapper/include/syscaller.h | 10 +- .../src/{build_info.cpp => BuildInfo.cpp} | 2 +- SysCaller/Wrapper/src/DLL/dllmain.cpp | 2 +- .../Wrapper/src/Resolver/ResolverBase.cpp | 1 - SysCallerK/SysCallerK.vcxproj | 24 +- .../include/{syscaller_k.h => SysCallerK.h} | 44 +- .../{sysConstants_k.h => SysKConstants.h} | 167 +- .../{sysExternals_k.h => SysKExternals.h} | 2052 ++--- .../{sysFunctions_k.h => SysKFunctions.h} | 6942 ++++++++--------- .../SysK/{sysTypes_k.h => SysKTypes.h} | 2160 ++--- SysCallerK/Wrapper/src/dummy.c | 2 +- 160 files changed, 7547 insertions(+), 7264 deletions(-) delete mode 100644 Bind/Bind.sln delete mode 100644 Bind/Bind.vcxproj.filters create mode 100644 Bind/include/Core/Integrity/Integrity.h create mode 100644 Bind/include/Core/Obfuscation/Direct/Direct.h create mode 
100644 Bind/include/Core/Obfuscation/Indirect/Indirect.h create mode 100644 Bind/include/Core/Obfuscation/Shared/Shared.h create mode 100644 Bind/include/Core/Utils/Common.h create mode 100644 Bind/include/Core/Utils/Constants.h create mode 100644 Bind/include/Core/Utils/Dependencies.h create mode 100644 Bind/include/Core/Utils/QtDependencies.h create mode 100644 Bind/include/Core/Utils/Version.h create mode 100644 Bind/include/GUI/Bars.h create mode 100644 Bind/include/GUI/Buttons.h create mode 100644 Bind/include/GUI/Dialogs.h create mode 100644 Bind/include/GUI/Panels.h create mode 100644 Bind/include/GUI/Settings.h create mode 100644 Bind/include/GUI/Themes.h create mode 100644 Bind/include/GUI/Threads.h delete mode 100644 Bind/main.cpp delete mode 100644 Bind/resources.qrc create mode 100644 Bind/src/Res/Icons/green.png create mode 100644 Bind/src/Res/Icons/hourglass.png create mode 100644 Bind/src/Res/Icons/record.png create mode 100644 Bind/src/Res/Icons/red.png create mode 100644 Bind/src/Res/Icons/xmark.png rename Bind/{ => src/Res}/app.rc (97%) rename Bind/{ => src/Res}/resource.h (93%) create mode 100644 Bind/src/Res/resources.qrc rename Default/{sysFunctions_k.h => SysFunctionsK.h} (99%) create mode 100644 History/CHANGELOG_1.3.2.md rename SysCaller/Wrapper/include/{syscaller_config.h => SysCallerConfig.h} (86%) rename SysCaller/Wrapper/src/{build_info.cpp => BuildInfo.cpp} (97%) rename SysCallerK/Wrapper/include/{syscaller_k.h => SysCallerK.h} (79%) rename SysCallerK/Wrapper/include/SysK/{sysConstants_k.h => SysKConstants.h} (98%) rename SysCallerK/Wrapper/include/SysK/{sysExternals_k.h => SysKExternals.h} (98%) rename SysCallerK/Wrapper/include/SysK/{sysFunctions_k.h => SysKFunctions.h} (95%) rename SysCallerK/Wrapper/include/SysK/{sysTypes_k.h => SysKTypes.h} (96%) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 984cdac..c44fd90 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -270,7 +270,7 @@ jobs: - name: Copy Vcpkg Dependencies (Debug) run: | Write-Host "Copying Vcpkg Dependencies for Debug Build..." - $outputDir = "x64/Debug" + $outputDir = "Build/Bind/Debug" $vcpkgBin = "${{ github.workspace }}/vcpkg/installed/x64-windows/bin" # Copy Vcpkg Dependencies (Qt dependencies will be handled by windeployqt) @@ -298,10 +298,10 @@ jobs: Get-ChildItem "GeneratedFiles" -Name | Where-Object { $_ -like "*qrc*" } | ForEach-Object { Write-Host "Found RCC file: $_" } } - & $windeployqt "x64/Debug/Bind.exe" --debug --no-compiler-runtime --no-opengl-sw --force + & $windeployqt "Build/Bind/Debug/Bind.exe" --debug --no-compiler-runtime --no-opengl-sw --force if ($LASTEXITCODE -eq 0) { Write-Host "Qt deployment completed successfully for Debug build" - Get-ChildItem "x64/Debug" -Name | Sort-Object + Get-ChildItem "Build/Bind/Debug" -Name | Sort-Object } else { Write-Host "windeployqt failed with exit code: $LASTEXITCODE" } @@ -322,7 +322,7 @@ jobs: - name: Copy Vcpkg Dependencies (Release) run: | Write-Host "Copying Vcpkg Dependencies for Release Build..." - $outputDir = "x64/Release" + $outputDir = "Build/Bind/Release" $vcpkgBin = "${{ github.workspace }}/vcpkg/installed/x64-windows/bin" # Copy Vcpkg Dependencies (Qt dependencies will be handled by windeployqt) @@ -345,10 +345,10 @@ jobs: if (Test-Path $windeployqt) { Write-Host "Running windeployqt on Release executable..." - & $windeployqt "x64/Release/Bind.exe" --release --no-compiler-runtime --no-opengl-sw --force + & $windeployqt "Build/Bind/Release/Bind.exe" --release --no-compiler-runtime --no-opengl-sw --force if ($LASTEXITCODE -eq 0) { Write-Host "Qt deployment completed successfully for Release build" - Get-ChildItem "x64/Release" -Name | Sort-Object + Get-ChildItem "Build/Bind/Release" -Name | Sort-Object } else { Write-Host "windeployqt failed with exit code: $LASTEXITCODE" } 
@@ -358,18 +358,18 @@ jobs: - name: Verify Executables Exist run: | - if (Test-Path "x64/Release/Bind.exe") { + if (Test-Path "Build/Bind/Release/Bind.exe") { Write-Host "Bind.exe (Release) Built Successfully!" - Get-Item "x64/Release/Bind.exe" | Select-Object Name, Length, LastWriteTime + Get-Item "Build/Bind/Release/Bind.exe" | Select-Object Name, Length, LastWriteTime } else { Write-Host "Bind.exe (Release) not found!" Get-ChildItem -Recurse -Name "*.exe" | ForEach-Object { Write-Host "Found: $_" } exit 1 } - if (Test-Path "x64/Debug/Bind.exe") { + if (Test-Path "Build/Bind/Debug/Bind.exe") { Write-Host "Bind.exe (Debug) Built Successfully!" - Get-Item "x64/Debug/Bind.exe" | Select-Object Name, Length, LastWriteTime + Get-Item "Build/Bind/Debug/Bind.exe" | Select-Object Name, Length, LastWriteTime } else { Write-Host "Bind.exe (Debug) not found!" } @@ -383,14 +383,14 @@ jobs: uses: actions/upload-artifact@v4 with: name: Bind-Release - path: Bind/x64/Release/ + path: Bind/Build/Bind/Release/ retention-days: 30 - name: Upload Build Artifacts (Debug) uses: actions/upload-artifact@v4 with: name: Bind-Debug - path: Bind/x64/Debug/ + path: Bind/Build/Bind/Debug/ retention-days: 30 - name: Create Release Package @@ -401,7 +401,7 @@ jobs: New-Item -ItemType Directory -Path "release-package" -Force - Copy-Item "x64/Release/*" "release-package\" -Recurse + Copy-Item "Build/Bind/Release/*" "release-package\" -Recurse # Create README $version = "v1.3.2" diff --git a/Bind/Bind.sln b/Bind/Bind.sln deleted file mode 100644 index b5f2aa1..0000000 --- a/Bind/Bind.sln +++ /dev/null 
@@ -1,31 +0,0 @@ - -Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 17 -VisualStudioVersion = 17.14.36202.13 d17.14 -MinimumVisualStudioVersion = 10.0.40219.1 -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Bind", "Bind.vcxproj", "{CB747D1D-F2CC-431A-B521-5F818525B584}" -EndProject -Global - GlobalSection(SolutionConfigurationPlatforms) = preSolution - Debug|x64 = Debug|x64 - Debug|x86 = Debug|x86 - Release|x64 = Release|x64 - Release|x86 = Release|x86 - EndGlobalSection - GlobalSection(ProjectConfigurationPlatforms) = postSolution - {CB747D1D-F2CC-431A-B521-5F818525B584}.Debug|x64.ActiveCfg = Debug|x64 - {CB747D1D-F2CC-431A-B521-5F818525B584}.Debug|x64.Build.0 = Debug|x64 - {CB747D1D-F2CC-431A-B521-5F818525B584}.Debug|x86.ActiveCfg = Debug|Win32 - {CB747D1D-F2CC-431A-B521-5F818525B584}.Debug|x86.Build.0 = Debug|Win32 - {CB747D1D-F2CC-431A-B521-5F818525B584}.Release|x64.ActiveCfg = Release|x64 - {CB747D1D-F2CC-431A-B521-5F818525B584}.Release|x64.Build.0 = Release|x64 - {CB747D1D-F2CC-431A-B521-5F818525B584}.Release|x86.ActiveCfg = Release|Win32 - {CB747D1D-F2CC-431A-B521-5F818525B584}.Release|x86.Build.0 = Release|Win32 - EndGlobalSection - GlobalSection(SolutionProperties) = preSolution - HideSolutionNode = FALSE - EndGlobalSection - GlobalSection(ExtensibilityGlobals) = postSolution - SolutionGuid = {3F1738C2-4D41-43BE-BF82-34DE2903C01F} - EndGlobalSection -EndGlobal diff --git a/Bind/Bind.vcxproj b/Bind/Bind.vcxproj index 49319c2..40b2a24 100644 --- a/Bind/Bind.vcxproj +++ b/Bind/Bind.vcxproj @@ -1,14 +1,6 @@  - - Debug - Win32 - - - Release - Win32 - Debug x64 @@ -29,19 +21,6 @@ Bind - - Application - true - v143 - Unicode - - - Application - false - v143 - true - Unicode - Application true @@ -57,18 +36,13 @@ - - $(QTDIR) - - - $(QTDIR) - - $(QTDIR) + C:\Qt\5.15.2\msvc2019_64 debug - $(QTDIR) + C:\Qt\5.15.2\msvc2019_64 + 5.15.2_msvc2019_64 @@ -77,14 +51,6 @@ - - - - - - - - 
@@ -94,40 +60,20 @@ + + $(SolutionDir)Build\Bind\$(Configuration)\ + $(SolutionDir)Build\Bind\int\$(Configuration)\ + + + $(SolutionDir)Build\Bind\$(Configuration)\ + $(SolutionDir)Build\Bind\int\$(Configuration)\ + false false - - - Level3 - true - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - true - - - Console - true - - - - - Level3 - true - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - true - - - Console - true - - Level3 @@ -135,14 +81,14 @@ _DEBUG;UNICODE;_UNICODE;QT_WIDGETS_LIB;QT_GUI_LIB;QT_CORE_LIB;QT_DLL;%(PreprocessorDefinitions) true stdcpp20 - GeneratedFiles\$(ConfigurationName);GeneratedFiles;$(QTDIR)\include;$(QTDIR)\include\QtCore;$(QTDIR)\include\QtGui;$(QTDIR)\include\QtWidgets;$(VcpkgRoot)\installed\x64-windows\include;$(ProjectDir);%(AdditionalIncludeDirectories) + GeneratedFiles\$(ConfigurationName);GeneratedFiles;C:\Qt\5.15.2\msvc2019_64\include;C:\Qt\5.15.2\msvc2019_64\include\QtCore;C:\Qt\5.15.2\msvc2019_64\include\QtGui;C:\Qt\5.15.2\msvc2019_64\include\QtWidgets;C:\Users\devil\vcpkg\installed\x64-windows\include;C:\Users\devil\source\repos\SysCaller\Bind\include;%(AdditionalIncludeDirectories) true Windows true - $(QTDIR)\lib;$(VcpkgRoot)\installed\x64-windows\lib;$(ProjectDir);%(AdditionalLibraryDirectories) - qtmaind.lib;Qt5Cored.lib;Qt5Guid.lib;Qt5Widgetsd.lib;cmark.lib;pe-parse.lib;%(AdditionalDependencies) + C:\Qt\5.15.2\msvc2019_64\lib;C:\Users\devil\vcpkg\installed\x64-windows\lib;%(AdditionalLibraryDirectories) + Qt5Core.lib;Qt5Gui.lib;Qt5Widgets.lib;cmark.lib;pe-parse.lib;%(AdditionalDependencies) 
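Review bot: The include and library directory values in the `@@ -135` hunk replace the `$(QTDIR)` and `$(VcpkgRoot)` macros with absolute, machine-specific paths (`C:\Qt\5.15.2\msvc2019_64`, `C:\Users\devil\vcpkg\...`, `C:\Users\devil\source\repos\SysCaller\Bind\include`), and the Release hunk that follows does the same; the project then only builds on that one workstation, while the workflow changed in this same commit appears to install vcpkg under `${{ github.workspace }}/vcpkg`. The XML element names are lost in this rendering, but the values are legible; keeping `$(QTDIR)\include;...;$(VcpkgRoot)\installed\x64-windows\include;$(ProjectDir)include` (and the matching `\lib` entries) would retain the portability the removed lines had while still targeting x64 only. The post-build step in the next hunk still invokes `$(QTDIR)\bin\windeployqt.exe`, so the macro is expected to be defined anyway. Committing a user-profile path also publishes the local account name, which is worth avoiding in a public repository.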
@@ -154,33 +100,20 @@ NDEBUG;UNICODE;_UNICODE;QT_WIDGETS_LIB;QT_GUI_LIB;QT_CORE_LIB;QT_DLL;%(PreprocessorDefinitions) true stdcpp20 - GeneratedFiles\$(ConfigurationName);GeneratedFiles;$(QTDIR)\include;$(QTDIR)\include\QtCore;$(QTDIR)\include\QtGui;$(QTDIR)\include\QtWidgets;$(VcpkgRoot)\installed\x64-windows\include;$(ProjectDir);%(AdditionalIncludeDirectories) + GeneratedFiles\$(ConfigurationName);GeneratedFiles;C:\Qt\5.15.2\msvc2019_64\include;C:\Qt\5.15.2\msvc2019_64\include\QtCore;C:\Qt\5.15.2\msvc2019_64\include\QtGui;C:\Qt\5.15.2\msvc2019_64\include\QtWidgets;C:\Users\devil\vcpkg\installed\x64-windows\include;C:\Users\devil\source\repos\SysCaller\Bind\include;%(AdditionalIncludeDirectories) true Windows true - $(QTDIR)\lib;$(VcpkgRoot)\installed\x64-windows\lib;$(ProjectDir);%(AdditionalLibraryDirectories) - qtmain.lib;Qt5Core.lib;Qt5Gui.lib;Qt5Widgets.lib;cmark.lib;pe-parse.lib;%(AdditionalDependencies) + C:\Qt\5.15.2\msvc2019_64\lib;C:\Users\devil\vcpkg\installed\x64-windows\lib;%(AdditionalLibraryDirectories) + Qt5Core.lib;Qt5Gui.lib;Qt5Widgets.lib;pe-parse.lib;cmark.lib;%(AdditionalDependencies) - - - - - - %(AdditionalDependencies) - + + "$(QTDIR)\bin\windeployqt.exe" "$(TargetPath)" + - - - - - - - - - @@ -224,26 +157,8 @@ - - - - - - - - - - - - - - - - - - - - + + 
@@ -264,42 +179,42 @@ GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - - + + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - - + + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - - + + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - - + + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - - + + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" @@ -336,24 +251,24 @@ GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - - + + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - - + + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" GeneratedFiles\moc_%(Filename).cpp %(AdditionalDependencies) - + Document $(QTDIR)\bin\moc.exe "%(FullPath)" -o "GeneratedFiles\moc_%(Filename).cpp" @@ -430,28 +345,27 @@ + + + - - - - - - - - - - - - - - + + + + + + + + + + - + - + @@ -460,5 +374,4 @@ - - + \ No newline at end of file diff --git a/Bind/Bind.vcxproj.filters b/Bind/Bind.vcxproj.filters deleted file mode 100644 index f14865e..0000000 
--- a/Bind/Bind.vcxproj.filters
+++ /dev/null
@@ -1,396 +0,0 @@ - - - - - {4FC737F1-C7A5-4376-A066-2A32D752A2FF} - cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx - - - {93995380-89BD-4b04-88EB-625FBE52EBFB} - h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd - - - {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} - rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms - - - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header 
Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - - - Resource Files - - - Resource Files - - - Resource Files - - - Resource Files - - - Resource Files - - - Resource Files - - - Resource Files - - - Resource Files - - - Resource Files - - - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - - - Resource Files - - - - - Resource Files - - - - - Resource Files - - - \ No newline at end of file diff --git a/Bind/include/Core/Integrity/Compatibility/Compatibility.h b/Bind/include/Core/Integrity/Compatibility/Compatibility.h index e7c6338..9dcfc09 100644 --- a/Bind/include/Core/Integrity/Compatibility/Compatibility.h +++ b/Bind/include/Core/Integrity/Compatibility/Compatibility.h @@ -1,16 +1,14 @@ #pragma once -#include -#include -#include #include #include -#include -#include -#include +#include +#include +#include +#include +#include +#include #include -#include "include/GUI/Themes/Colors.h" -#include "include/Core/Utils/Utils.h" class Compatibility : public QObject { Q_OBJECT diff --git a/Bind/include/Core/Integrity/Integrity.h b/Bind/include/Core/Integrity/Integrity.h new file mode 100644 index 0000000..9d9be02 --- /dev/null +++ b/Bind/include/Core/Integrity/Integrity.h @@ -0,0 +1,5 @@ +#pragma once + +#include +#include +#include \ No newline at end of file diff --git a/Bind/include/Core/Integrity/Validator/Validator.h b/Bind/include/Core/Integrity/Validator/Validator.h index 9fab9fb..c10eb4b 100644 --- a/Bind/include/Core/Integrity/Validator/Validator.h +++ b/Bind/include/Core/Integrity/Validator/Validator.h 
@@ -1,18 +1,16 @@ #pragma once -#include -#include +#include #include #include -#include #include -#include -#include -#include +#include +#include +#include +#include +#include +#include #include -#include -#include "include/GUI/Themes/Colors.h" -#include "include/Core/Utils/Utils.h" class Validator : public QObject { Q_OBJECT diff --git a/Bind/include/Core/Integrity/Verification/Verification.h b/Bind/include/Core/Integrity/Verification/Verification.h index d54b238..5232f26 100644 --- a/Bind/include/Core/Integrity/Verification/Verification.h +++ b/Bind/include/Core/Integrity/Verification/Verification.h @@ -1,19 +1,16 @@ #pragma once -#include -#include -#include -#include #include #include +#include #include -#include -#include +#include +#include +#include +#include +#include +#include #include -#include -#include -#include "include/GUI/Themes/Colors.h" -#include "include/Core/Utils/Utils.h" class Verification : public QObject { Q_OBJECT @@ -92,4 +89,9 @@ class Verification : public QObject { uint64_t imageBase; QMap syscallNumbers; std::function outputCallback; + + QStringList outputBuffer; + static constexpr int OUTPUT_BATCH_SIZE = 20; /* flush buffer every 20 syscalls */ + int processedCount; + void flushOutputBuffer(); }; \ No newline at end of file diff --git a/Bind/include/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.h b/Bind/include/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.h index 8ecb267..29a40de 100644 --- a/Bind/include/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.h +++ b/Bind/include/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.h @@ -1,10 +1,10 @@ #pragma once -#include -#include #include -#include #include +#include +#include +#include namespace DirectObfuscation { @@ -37,4 +37,4 @@ namespace DirectObfuscation { int getControlFlowComplexity(); }; -} +} \ No newline at end of file 
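Review bot: In `@@ -92,4 +89,9 @@` of Verification.h, the new `int processedCount;` member has no in-class initializer, so unless the constructor (outside this hunk) assigns it, the batching in `flushOutputBuffer()` starts from an indeterminate value; prefer `int processedCount = 0;`, which also matches the `bool m_dragging = false;` style used in the dialog headers of this same commit. The comment `/* flush buffer every 20 syscalls */` repeats the literal and will drift if `OUTPUT_BATCH_SIZE` changes; `/* flush outputBuffer every OUTPUT_BATCH_SIZE entries */` avoids that. The enclosing `class Verification` starts outside the hunk.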
diff --git a/Bind/include/Core/Obfuscation/Direct/Direct.h b/Bind/include/Core/Obfuscation/Direct/Direct.h new file mode 100644 index 0000000..293bdcf --- /dev/null +++ b/Bind/include/Core/Obfuscation/Direct/Direct.h @@ -0,0 +1,7 @@ +#pragma once + +#include +#include +#include +#include +#include \ No newline at end of file diff --git a/Bind/include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h b/Bind/include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h index 90ceaa8..2d8650c 100644 --- a/Bind/include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h +++ b/Bind/include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h @@ -1,11 +1,11 @@ #pragma once -#include #include -#include -#include #include +#include +#include #include +#include namespace DirectObfuscation { @@ -54,4 +54,4 @@ namespace DirectObfuscation { void setSettings(QSettings* settings); }; -} +} \ No newline at end of file diff --git a/Bind/include/Core/Obfuscation/Direct/Mapping/DirectStubMapper.h b/Bind/include/Core/Obfuscation/Direct/Mapping/DirectStubMapper.h index 88da88a..235b1d4 100644 --- a/Bind/include/Core/Obfuscation/Direct/Mapping/DirectStubMapper.h +++ b/Bind/include/Core/Obfuscation/Direct/Mapping/DirectStubMapper.h @@ -1,13 +1,13 @@ #pragma once -#include #include -#include -#include -#include #include +#include +#include +#include #include -#include "include/GUI/Themes/Colors.h" +#include +#include namespace DirectObfuscation { @@ -40,4 +40,4 @@ namespace DirectObfuscation { void setOutputCallback(std::function callback); }; -} +} \ No newline at end of file diff --git a/Bind/include/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.h b/Bind/include/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.h index f747109..a933f65 100644 --- a/Bind/include/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.h +++ b/Bind/include/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.h @@ -1,7 +1,7 @@ #pragma once -#include #include +#include namespace DirectObfuscation { 
diff --git a/Bind/include/Core/Obfuscation/Direct/Stub/DirectStubGenerator.h b/Bind/include/Core/Obfuscation/Direct/Stub/DirectStubGenerator.h index d422bf9..0e22ce0 100644 --- a/Bind/include/Core/Obfuscation/Direct/Stub/DirectStubGenerator.h +++ b/Bind/include/Core/Obfuscation/Direct/Stub/DirectStubGenerator.h @@ -1,10 +1,10 @@ #pragma once +#include +#include #include #include -#include #include -#include namespace DirectObfuscation { @@ -34,4 +34,4 @@ namespace DirectObfuscation { int getRandomInt(int min, int max); }; -} +} \ No newline at end of file diff --git a/Bind/include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h b/Bind/include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h index cadbc68..eaa845d 100644 --- a/Bind/include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h +++ b/Bind/include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h @@ -1,10 +1,10 @@ #pragma once +#include +#include #include #include #include -#include -#include namespace IndirectObfuscation { @@ -42,4 +42,4 @@ namespace IndirectObfuscation { QString generateControlFlowObfuscation(); }; -} +} \ No newline at end of file diff --git a/Bind/include/Core/Obfuscation/Indirect/Encryption/IndirectEncryptor.h b/Bind/include/Core/Obfuscation/Indirect/Encryption/IndirectEncryptor.h index 40f6041..ce79cf8 100644 --- a/Bind/include/Core/Obfuscation/Indirect/Encryption/IndirectEncryptor.h +++ b/Bind/include/Core/Obfuscation/Indirect/Encryption/IndirectEncryptor.h @@ -1,7 +1,7 @@ #pragma once -#include #include +#include namespace IndirectObfuscation { diff --git a/Bind/include/Core/Obfuscation/Indirect/Indirect.h b/Bind/include/Core/Obfuscation/Indirect/Indirect.h new file mode 100644 index 0000000..0d53419 --- /dev/null +++ b/Bind/include/Core/Obfuscation/Indirect/Indirect.h @@ -0,0 +1,6 @@ +#pragma once + +#include +#include +#include +#include \ No newline at end of file 
diff --git a/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.h b/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.h index 3eeb24b..0995434 100644 --- a/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.h +++ b/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.h @@ -1,8 +1,8 @@ #pragma once +#include #include #include -#include namespace IndirectObfuscation { diff --git a/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h b/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h index 0d04ece..d554a7c 100644 --- a/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h +++ b/Bind/include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h @@ -1,9 +1,9 @@ #pragma once +#include #include #include -#include -#include +#include namespace IndirectObfuscation { diff --git a/Bind/include/Core/Obfuscation/IndirectObfuscation.h b/Bind/include/Core/Obfuscation/IndirectObfuscation.h index 03c1230..d559584 100644 --- a/Bind/include/Core/Obfuscation/IndirectObfuscation.h +++ b/Bind/include/Core/Obfuscation/IndirectObfuscation.h @@ -1,10 +1,10 @@ #pragma once +#include #include #include #include -#include -#include +#include class IndirectObfuscationManager { private: @@ -24,4 +24,4 @@ class IndirectObfuscationManager { void setOutputCallback(std::function callback); bool generateIndirectObfuscation(); bool processIndirectAssemblyFile(const QString& asmPath, const QString& headerPath); -}; +}; \ No newline at end of file diff --git a/Bind/include/Core/Obfuscation/Obfuscation.h b/Bind/include/Core/Obfuscation/Obfuscation.h index 181b57c..e9a1a18 100644 --- a/Bind/include/Core/Obfuscation/Obfuscation.h +++ b/Bind/include/Core/Obfuscation/Obfuscation.h @@ -1,12 +1,12 @@ #pragma once -#include -#include #include #include -#include #include -#include "include/GUI/Themes/Colors.h" +#include +#include +#include +#include enum class ObfuscationMode { Normal = 0, 
@@ -51,4 +51,4 @@ class Obfuscation { void setOutputCallback(std::function callback); static int extractSyscallOffset(const QString& line); bool generateExports(); -}; +}; \ No newline at end of file diff --git a/Bind/include/Core/Obfuscation/Shared/Shared.h b/Bind/include/Core/Obfuscation/Shared/Shared.h new file mode 100644 index 0000000..c41d1df --- /dev/null +++ b/Bind/include/Core/Obfuscation/Shared/Shared.h @@ -0,0 +1,3 @@ +#pragma once + +#include \ No newline at end of file diff --git a/Bind/include/Core/Obfuscation/Shared/Stub/NameGenerator.h b/Bind/include/Core/Obfuscation/Shared/Stub/NameGenerator.h index ffe4b52..b0e0303 100644 --- a/Bind/include/Core/Obfuscation/Shared/Stub/NameGenerator.h +++ b/Bind/include/Core/Obfuscation/Shared/Stub/NameGenerator.h @@ -1,8 +1,8 @@ #pragma once -#include #include #include +#include namespace SharedObfuscation { diff --git a/Bind/include/Core/Utils/Common.h b/Bind/include/Core/Utils/Common.h new file mode 100644 index 0000000..32d2ea5 --- /dev/null +++ b/Bind/include/Core/Utils/Common.h @@ -0,0 +1,8 @@ +#pragma once + +#include +#include +#include +#include +#include +#include \ No newline at end of file diff --git a/Bind/include/Core/Utils/Constants.h b/Bind/include/Core/Utils/Constants.h new file mode 100644 index 0000000..4d5f1f7 --- /dev/null +++ b/Bind/include/Core/Utils/Constants.h 
@@ -0,0 +1,32 @@ +#pragma once + +#include + +namespace Constants { + /* timeout values (milliseconds) */ + constexpr int THREAD_TERMINATION_TIMEOUT_MS = 5000; + constexpr int THREAD_FORCE_TERMINATION_TIMEOUT_MS = 1000; + + constexpr int MAX_FILE_PATH_LENGTH = 260; + constexpr int MIN_REQUIRED_PROJECT_ITEMS = 3; + + const QString DEFAULT_NTDLL_PATH = "C:\\Windows\\System32\\ntdll.dll"; + + const QString ENV_SYSCALLER_ROOT = "SYSCALLER_ROOT"; +} + +/* error code enums */ +enum class ErrorCode : int { + Success = 0, + GeneralError = -1, + FileNotFound = -2, + FileAccessDenied = -3, + InvalidPath = -4, + InvalidSettings = -5, + ThreadTimeout = -6, + OperationCancelled = -7, + ValidationFailed = -8, + CompatibilityFailed = -9, + VerificationFailed = -10, + ObfuscationFailed = -11 +}; \ No newline at end of file diff --git a/Bind/include/Core/Utils/Dependencies.h b/Bind/include/Core/Utils/Dependencies.h new file mode 100644 index 0000000..ccd8646 --- /dev/null +++ b/Bind/include/Core/Utils/Dependencies.h @@ -0,0 +1,9 @@ +#pragma once + +#include +#include +#include +#include +#include +#include +#include \ No newline at end of file diff --git a/Bind/include/Core/Utils/PathUtils.h b/Bind/include/Core/Utils/PathUtils.h index 2bd444a..5f3a4a2 100644 --- a/Bind/include/Core/Utils/PathUtils.h +++ b/Bind/include/Core/Utils/PathUtils.h @@ -1,10 +1,10 @@ #pragma once -#include #include #include -#include #include +#include +#include class PathUtils { public: diff --git a/Bind/include/Core/Utils/QtDependencies.h b/Bind/include/Core/Utils/QtDependencies.h new file mode 100644 index 0000000..64e04cb --- /dev/null +++ b/Bind/include/Core/Utils/QtDependencies.h 
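Review bot: In the new Constants.h, `const QString DEFAULT_NTDLL_PATH` and `const QString ENV_SYSCALLER_ROOT` are namespace-scope objects with dynamic initialization defined in a header, so every translation unit that includes it gets its own copy constructed at static-initialization time; since the project builds with `stdcpp20`, `inline const QString DEFAULT_NTDLL_PATH = QStringLiteral("C:\\Windows\\System32\\ntdll.dll");` (and likewise for `ENV_SYSCALLER_ROOT`) gives one definition and avoids the per-TU allocation. The default also hard-codes the `C:` drive and `Windows` directory; the consumer in Compatibility.cpp falls back to it only when no DLL path was supplied, so resolving it from the `SystemRoot` environment variable at that use site would be more robust than a fixed string. A short header comment saying that `ErrorCode` values are negative on failure and `Success` is the only non-negative one would help callers that compare against `0`.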
@@ -0,0 +1,69 @@ +#pragma once + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include \ No newline at end of file diff --git a/Bind/include/Core/Utils/Utils.h b/Bind/include/Core/Utils/Utils.h index 665bf24..99d3124 100644 --- a/Bind/include/Core/Utils/Utils.h +++ b/Bind/include/Core/Utils/Utils.h @@ -1,11 +1,10 @@ #pragma once -#include +#include #include +#include #include -#include -#include -#include +#include #include class SyscallExtractor { diff --git a/Bind/include/Core/Utils/Version.h b/Bind/include/Core/Utils/Version.h new file mode 100644 index 0000000..1d14386 --- /dev/null +++ b/Bind/include/Core/Utils/Version.h @@ -0,0 +1,11 @@ +#pragma once + +#define SYSCALLER_VERSION_MAJOR 1 +#define SYSCALLER_VERSION_MINOR 3 +#define SYSCALLER_VERSION_PATCH 2 + +#define SYSCALLER_VERSION_STRING "1.3.2" +#define SYSCALLER_VERSION_STRING_FULL "v" SYSCALLER_VERSION_STRING + +#define SYSCALLER_APP_NAME "Bind" +#define SYSCALLER_WINDOW_TITLE SYSCALLER_APP_NAME " - " SYSCALLER_VERSION_STRING_FULL \ No newline at end of file diff --git a/Bind/include/GUI/Bars.h b/Bind/include/GUI/Bars.h new file mode 100644 index 0000000..ff0678f --- /dev/null +++ b/Bind/include/GUI/Bars.h @@ -0,0 +1,6 @@ +#pragma once + +#include +#include +#include +#include \ No newline at end of file 
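Review bot: In the new Version.h, `SYSCALLER_VERSION_STRING "1.3.2"` is spelled out independently of `SYSCALLER_VERSION_MAJOR`/`MINOR`/`PATCH`, so the numeric and string forms can silently disagree on the next bump. Derive the string from the components instead: `#define SYSCALLER_STR_(x) #x`, `#define SYSCALLER_STR(x) SYSCALLER_STR_(x)`, `#define SYSCALLER_VERSION_STRING SYSCALLER_STR(SYSCALLER_VERSION_MAJOR) "." SYSCALLER_STR(SYSCALLER_VERSION_MINOR) "." SYSCALLER_STR(SYSCALLER_VERSION_PATCH)`. The derived macros `SYSCALLER_VERSION_STRING_FULL` and `SYSCALLER_WINDOW_TITLE` then pick the change up unchanged.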
diff --git a/Bind/include/GUI/Bars/SettingsTitleBar.h b/Bind/include/GUI/Bars/SettingsTitleBar.h index afd8a74..0782c65 100644 --- a/Bind/include/GUI/Bars/SettingsTitleBar.h +++ b/Bind/include/GUI/Bars/SettingsTitleBar.h @@ -1,4 +1,5 @@ #pragma once + #include class SettingsTitleBar : public QFrame { @@ -13,4 +14,4 @@ class SettingsTitleBar : public QFrame { private: void initTitleBar(const QString& title); -}; +}; \ No newline at end of file diff --git a/Bind/include/GUI/Bars/StatusBar.h b/Bind/include/GUI/Bars/StatusBar.h index e555d26..bff703e 100644 --- a/Bind/include/GUI/Bars/StatusBar.h +++ b/Bind/include/GUI/Bars/StatusBar.h @@ -1,4 +1,5 @@ #pragma once + #include class QLabel; diff --git a/Bind/include/GUI/Bars/TitleBar.h b/Bind/include/GUI/Bars/TitleBar.h index c83aa8f..22c4e5d 100644 --- a/Bind/include/GUI/Bars/TitleBar.h +++ b/Bind/include/GUI/Bars/TitleBar.h @@ -1,4 +1,5 @@ #pragma once + #include class TitleBar : public QFrame { diff --git a/Bind/include/GUI/Buttons.h b/Bind/include/GUI/Buttons.h new file mode 100644 index 0000000..7f45fc6 --- /dev/null +++ b/Bind/include/GUI/Buttons.h @@ -0,0 +1,3 @@ +#pragma once + +#include \ No newline at end of file diff --git a/Bind/include/GUI/Dialogs.h b/Bind/include/GUI/Dialogs.h new file mode 100644 index 0000000..3d0a894 --- /dev/null +++ b/Bind/include/GUI/Dialogs.h @@ -0,0 +1,8 @@ +#pragma once + +#include +#include +#include +#include +#include +#include \ No newline at end of file diff --git a/Bind/include/GUI/Dialogs/ChangelogDialog.h b/Bind/include/GUI/Dialogs/ChangelogDialog.h index 8ba3a29..fd4ba23 100644 --- a/Bind/include/GUI/Dialogs/ChangelogDialog.h +++ b/Bind/include/GUI/Dialogs/ChangelogDialog.h @@ -36,4 +36,4 @@ private slots: SettingsTitleBar* titleBar; bool m_dragging = false; QPoint m_dragPosition; -}; +}; \ No newline at end of file diff --git a/Bind/include/GUI/Dialogs/ConfirmationDialog.h b/Bind/include/GUI/Dialogs/ConfirmationDialog.h index add7e14..55fa709 100644 
--- a/Bind/include/GUI/Dialogs/ConfirmationDialog.h +++ b/Bind/include/GUI/Dialogs/ConfirmationDialog.h @@ -1,12 +1,12 @@ #pragma once #include -#include #include #include -#include #include +#include #include +#include class SettingsTitleBar; @@ -55,4 +55,4 @@ private slots: bool m_dragging = false; QPoint m_dragPosition; -}; +}; \ No newline at end of file diff --git a/Bind/include/GUI/Dialogs/HashCompareDialog.h b/Bind/include/GUI/Dialogs/HashCompareDialog.h index 10173f4..d1866a8 100644 --- a/Bind/include/GUI/Dialogs/HashCompareDialog.h +++ b/Bind/include/GUI/Dialogs/HashCompareDialog.h @@ -2,10 +2,10 @@ #include #include +#include #include #include #include -#include class SettingsTitleBar; @@ -60,4 +60,4 @@ private slots: QPoint m_dragPosition; QMap hashData; QString hashType; -}; +}; \ No newline at end of file diff --git a/Bind/include/GUI/Dialogs/ObfuscationSelectionDialog.h b/Bind/include/GUI/Dialogs/ObfuscationSelectionDialog.h index 8acb823..694fcce 100644 --- a/Bind/include/GUI/Dialogs/ObfuscationSelectionDialog.h +++ b/Bind/include/GUI/Dialogs/ObfuscationSelectionDialog.h @@ -1,10 +1,10 @@ #pragma once #include -#include #include #include #include +#include class ObfuscationSelectionDialog : public QDialog { Q_OBJECT @@ -30,7 +30,6 @@ private slots: void initUI(); Selection selection; - QLabel* titleLabel; QLabel* descriptionLabel; QPushButton* normalObfuscationButton; QPushButton* stubMapperButton; diff --git a/Bind/include/GUI/Dialogs/SettingsDialog.h b/Bind/include/GUI/Dialogs/SettingsDialog.h index ef2754b..01b9741 100644 --- a/Bind/include/GUI/Dialogs/SettingsDialog.h +++ b/Bind/include/GUI/Dialogs/SettingsDialog.h @@ -1,12 +1,13 @@ #pragma once #include -#include #include -#include +#include #include +#include #include -#include +#include +#include class SettingsTitleBar; class GeneralTab; 
@@ -32,6 +33,7 @@ private slots: void mousePressEvent(QMouseEvent* event) override; void mouseMoveEvent(QMouseEvent* event) override; void mouseReleaseEvent(QMouseEvent* event) override; + void resizeEvent(QResizeEvent* event) override; QSettings* settings; QTabWidget* tabs; @@ -45,4 +47,4 @@ private slots: bool m_dragging = false; QPoint m_dragPosition; -}; +}; \ No newline at end of file diff --git a/Bind/include/GUI/Dialogs/StubMapperDialog.h b/Bind/include/GUI/Dialogs/StubMapperDialog.h index f855f58..53d78ce 100644 --- a/Bind/include/GUI/Dialogs/StubMapperDialog.h +++ b/Bind/include/GUI/Dialogs/StubMapperDialog.h @@ -1,25 +1,25 @@ #pragma once +#include +#include #include -#include +#include +#include #include #include -#include -#include -#include -#include -#include -#include +#include #include -#include -#include -#include +#include #include -#include +#include +#include #include -#include +#include +#include +#include #include -#include +#include +#include class SettingsTitleBar; @@ -93,4 +93,4 @@ private slots: QPoint m_dragPosition; QMap syscallSettings; -}; +}; \ No newline at end of file diff --git a/Bind/include/GUI/MainWindow.h b/Bind/include/GUI/MainWindow.h index 0a5a1df..553196c 100644 --- a/Bind/include/GUI/MainWindow.h +++ b/Bind/include/GUI/MainWindow.h @@ -1,7 +1,10 @@ #pragma once +#include #include #include +#include +#include class TitleBar; class LeftPanel; 
@@ -37,6 +40,33 @@ private slots: private: void saveAllSettings(); + void cleanupThread(QThread*& thread); + template + void cleanupThreadHelper(ThreadType*& thread) + { + if (!thread) + { + return; + } + + QThread* qthread = static_cast(thread); + if (qthread->isRunning()) + { + qthread->requestInterruption(); + qthread->quit(); + + if (!qthread->wait(Constants::THREAD_TERMINATION_TIMEOUT_MS)) + { + qWarning() << "Thread did not terminate in time, forcing termination"; + qthread->terminate(); + qthread->wait(Constants::THREAD_FORCE_TERMINATION_TIMEOUT_MS); + } + } + + qthread->deleteLater(); + thread = nullptr; + } + bool validateDllPaths(const QStringList& paths, QString& errorMessage); TitleBar* titleBar; LeftPanel* leftPanel; diff --git a/Bind/include/GUI/Panels.h b/Bind/include/GUI/Panels.h new file mode 100644 index 0000000..08c525e --- /dev/null +++ b/Bind/include/GUI/Panels.h @@ -0,0 +1,5 @@ +#pragma once + +#include +#include +#include \ No newline at end of file diff --git a/Bind/include/GUI/Panels/LeftPanel.h b/Bind/include/GUI/Panels/LeftPanel.h index bb00911..8d2f7c7 100644 --- a/Bind/include/GUI/Panels/LeftPanel.h +++ b/Bind/include/GUI/Panels/LeftPanel.h @@ -1,4 +1,5 @@ #pragma once + #include #include @@ -33,11 +34,14 @@ private slots: public slots: void setProgressIndeterminate(bool indeterminate); void updateStatus(const QString& message); + void updateButtonStates(); public: QStringList getDllPaths() const; private: + void updateButtonStatesFromSettings(); + QLabel* logoImage; QLabel* logoLabel; QLabel* versionLabel; @@ -55,4 +59,4 @@ public slots: BindButton* verifyBtn; BindButton* obfuscateBtn; BindButton* settingsBtn; -}; \ No newline at end of file +}; \ No newline at end of file diff --git a/Bind/include/GUI/Panels/OutputPanel.h b/Bind/include/GUI/Panels/OutputPanel.h index b32b3c4..3412d53 100644 --- a/Bind/include/GUI/Panels/OutputPanel.h +++ b/Bind/include/GUI/Panels/OutputPanel.h 
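Review bot: In `cleanupThreadHelper`, the return value of the second `wait(Constants::THREAD_FORCE_TERMINATION_TIMEOUT_MS)` after `terminate()` is ignored, so a thread that still has not stopped falls through to `qthread->deleteLater()` and `thread = nullptr`, scheduling deletion of a QThread object that may still be running. `QThread::terminate()` is also documented by Qt as unsafe (it can leave mutexes held and data half-written), so this branch should be treated as a last resort that is logged rather than assumed to have succeeded; the rewrite below leaks the still-running thread with a warning instead of deleting it. The non-template `cleanupThread(QThread*& thread)` declared just above appears to duplicate this helper's purpose; if it only forwards to the template, a one-line comment saying so would help. The enclosing `class MainWindow` starts and ends outside the hunk.
```cpp
    void cleanupThreadHelper(ThreadType*& thread)
    {
        // … unchanged: null check, requestInterruption()/quit(), first wait() …
            if (!qthread->wait(Constants::THREAD_FORCE_TERMINATION_TIMEOUT_MS))
            {
                // Deleting a QThread that is still running is not safe; leak it instead.
                qWarning() << "Thread still running after terminate(); leaking it instead of deleting";
                thread = nullptr;
                return;
            }
        // … unchanged: deleteLater() and thread = nullptr …
```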
@@ -1,4 +1,5 @@ #pragma once + #include class OutputPanel : public QTextEdit { @@ -8,4 +9,4 @@ class OutputPanel : public QTextEdit { explicit OutputPanel(QWidget* parent = nullptr); void appendText(const QString& text); void clearText(); -}; \ No newline at end of file +}; \ No newline at end of file diff --git a/Bind/include/GUI/Panels/RightPanel.h b/Bind/include/GUI/Panels/RightPanel.h index 141ad56..38f9cb7 100644 --- a/Bind/include/GUI/Panels/RightPanel.h +++ b/Bind/include/GUI/Panels/RightPanel.h @@ -1,4 +1,5 @@ #pragma once + #include class QLabel; @@ -17,4 +18,4 @@ class RightPanel : public QFrame { private: QLabel* headerLabel; OutputPanel* outputText; -}; \ No newline at end of file +}; \ No newline at end of file diff --git a/Bind/include/GUI/Settings.h b/Bind/include/GUI/Settings.h new file mode 100644 index 0000000..809a3fc --- /dev/null +++ b/Bind/include/GUI/Settings.h @@ -0,0 +1,8 @@ +#pragma once + +#include +#include +#include +#include +#include +#include \ No newline at end of file diff --git a/Bind/include/GUI/Settings/Tabs/GeneralTab.h b/Bind/include/GUI/Settings/Tabs/GeneralTab.h index 36408a4..28b3e53 100644 --- a/Bind/include/GUI/Settings/Tabs/GeneralTab.h +++ b/Bind/include/GUI/Settings/Tabs/GeneralTab.h @@ -1,17 +1,17 @@ #pragma once -#include -#include +#include +#include #include #include #include +#include +#include #include #include -#include -#include -#include -#include #include +#include +#include class GeneralTab : public QWidget { Q_OBJECT @@ -27,10 +27,10 @@ private slots: void restoreBackup(const QString& timestamp); void openHashCompare(); void onModeChanged(); - void onAssemblyModeChanged(); private: void initUI(); + bool validateSettings(); QString formatTimestamp(const QString& timestamp); QString getIniPath(); bool isFileLocked(const QString& filePath); @@ -54,4 +54,4 @@ private slots: QRadioButton* indirectAssemblyRadio; QCheckBox* hashStubs; QCheckBox* createBackup; -}; +}; \ No newline at end of file 
diff --git a/Bind/include/GUI/Settings/Tabs/IndirectObfuscationTab.h b/Bind/include/GUI/Settings/Tabs/IndirectObfuscationTab.h index 6dd7286..e4027f1 100644 --- a/Bind/include/GUI/Settings/Tabs/IndirectObfuscationTab.h +++ b/Bind/include/GUI/Settings/Tabs/IndirectObfuscationTab.h @@ -1,12 +1,12 @@ #pragma once -#include -#include -#include #include #include -#include #include +#include +#include +#include +#include class IndirectObfuscationTab : public QWidget { Q_OBJECT @@ -43,7 +43,6 @@ class IndirectObfuscationTab : public QWidget { void initUI(); void setupJunkInstructionsGroup(); void setupResolverObfuscationGroup(); - void setupNameRandomizationGroup(); void setupEncryptionGroup(); void setupControlFlowGroup(); }; \ No newline at end of file diff --git a/Bind/include/GUI/Settings/Tabs/InlineObfuscationTab.h b/Bind/include/GUI/Settings/Tabs/InlineObfuscationTab.h index 8e9ab94..f60d7e2 100644 --- a/Bind/include/GUI/Settings/Tabs/InlineObfuscationTab.h +++ b/Bind/include/GUI/Settings/Tabs/InlineObfuscationTab.h @@ -1,7 +1,7 @@ #pragma once -#include #include +#include class InlineObfuscationTab : public QWidget { Q_OBJECT @@ -15,4 +15,4 @@ class InlineObfuscationTab : public QWidget { void initUI(); QSettings* settings; -}; +}; \ No newline at end of file diff --git a/Bind/include/GUI/Settings/Tabs/IntegrityTab.h b/Bind/include/GUI/Settings/Tabs/IntegrityTab.h index e1fcf64..21b5950 100644 --- a/Bind/include/GUI/Settings/Tabs/IntegrityTab.h +++ b/Bind/include/GUI/Settings/Tabs/IntegrityTab.h @@ -1,15 +1,15 @@ #pragma once -#include -#include +#include +#include #include #include -#include -#include -#include #include -#include +#include +#include #include +#include +#include class IntegrityTab : public QWidget { Q_OBJECT diff --git a/Bind/include/GUI/Settings/Tabs/ObfuscationTab.h b/Bind/include/GUI/Settings/Tabs/ObfuscationTab.h index 5c4ff8e..34ebbf3 100644 --- a/Bind/include/GUI/Settings/Tabs/ObfuscationTab.h 
+++ b/Bind/include/GUI/Settings/Tabs/ObfuscationTab.h @@ -1,15 +1,15 @@ #pragma once -#include -#include +#include +#include #include -#include #include +#include #include -#include -#include -#include #include +#include +#include +#include class ObfuscationTab : public QWidget { Q_OBJECT diff --git a/Bind/include/GUI/Settings/Tabs/ProfileTab.h b/Bind/include/GUI/Settings/Tabs/ProfileTab.h index f0f609c..ab2b5c4 100644 --- a/Bind/include/GUI/Settings/Tabs/ProfileTab.h +++ b/Bind/include/GUI/Settings/Tabs/ProfileTab.h @@ -1,14 +1,14 @@ #pragma once -#include -#include +#include +#include #include #include -#include -#include #include +#include #include -#include +#include +#include class ProfileTab : public QWidget { Q_OBJECT diff --git a/Bind/include/GUI/Themes.h b/Bind/include/GUI/Themes.h new file mode 100644 index 0000000..c6d19bc --- /dev/null +++ b/Bind/include/GUI/Themes.h @@ -0,0 +1,3 @@ +#pragma once + +#include \ No newline at end of file diff --git a/Bind/include/GUI/Themes/Colors.h b/Bind/include/GUI/Themes/Colors.h index c0fb541..ed2cef4 100644 --- a/Bind/include/GUI/Themes/Colors.h +++ b/Bind/include/GUI/Themes/Colors.h @@ -12,5 +12,4 @@ class Colors { static QString ENDC() { return ""; } static QString BOLD() { return ""; } static QString UNDERLINE() { return ""; } - -}; +}; \ No newline at end of file diff --git a/Bind/include/GUI/Threads.h b/Bind/include/GUI/Threads.h new file mode 100644 index 0000000..a3a5171 --- /dev/null +++ b/Bind/include/GUI/Threads.h @@ -0,0 +1,6 @@ +#pragma once + +#include +#include +#include +#include \ No newline at end of file diff --git a/Bind/include/GUI/Threads/CompatibilityThread.h b/Bind/include/GUI/Threads/CompatibilityThread.h index d6e6c22..9366de9 100644 --- a/Bind/include/GUI/Threads/CompatibilityThread.h +++ b/Bind/include/GUI/Threads/CompatibilityThread.h @@ -1,8 +1,8 @@ #pragma once -#include -#include #include +#include +#include class CompatibilityThread : public QThread { Q_OBJECT 
@@ -21,5 +21,4 @@ class CompatibilityThread : public QThread { private: QStringList dllPaths; - void setEnvironmentVariables(); -}; \ No newline at end of file +}; \ No newline at end of file diff --git a/Bind/include/GUI/Threads/ObfuscationThread.h b/Bind/include/GUI/Threads/ObfuscationThread.h index 2341bee..eb6d755 100644 --- a/Bind/include/GUI/Threads/ObfuscationThread.h +++ b/Bind/include/GUI/Threads/ObfuscationThread.h @@ -1,8 +1,8 @@ #pragma once -#include #include -#include +#include +#include class ObfuscationThread : public QThread { Q_OBJECT @@ -21,4 +21,4 @@ class ObfuscationThread : public QThread { private: std::function outputCallback; -}; \ No newline at end of file +}; \ No newline at end of file diff --git a/Bind/include/GUI/Threads/ValidatorThread.h b/Bind/include/GUI/Threads/ValidatorThread.h index 8664abf..1b781b0 100644 --- a/Bind/include/GUI/Threads/ValidatorThread.h +++ b/Bind/include/GUI/Threads/ValidatorThread.h @@ -1,8 +1,8 @@ #pragma once -#include -#include #include +#include +#include class ValidatorThread : public QThread { Q_OBJECT @@ -21,5 +21,4 @@ class ValidatorThread : public QThread { private: QStringList dllPaths; - void setEnvironmentVariables(); -}; \ No newline at end of file +}; \ No newline at end of file diff --git a/Bind/include/GUI/Threads/VerificationThread.h b/Bind/include/GUI/Threads/VerificationThread.h index e4414a6..6503719 100644 --- a/Bind/include/GUI/Threads/VerificationThread.h +++ b/Bind/include/GUI/Threads/VerificationThread.h @@ -1,10 +1,10 @@ #pragma once -#include -#include #include -#include -#include "include/Core/Integrity/Verification/Verification.h" +#include +#include +#include +#include class VerificationThread : public QThread { Q_OBJECT diff --git a/Bind/main.cpp b/Bind/main.cpp deleted file mode 100644 index d60963e..0000000 --- a/Bind/main.cpp +++ /dev/null 
@@ -1,39 +0,0 @@ -#include -#include "include/GUI/MainWindow.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include - -int main(int argc, char *argv[]) { - qputenv("QT_LOGGING_RULES", "*.debug=true;qt.qpa.*=false"); - QApplication app(argc, argv); - app.setStyle(QStyleFactory::create("Fusion")); - app.setWindowIcon(QIcon(":/src/Res/Icons/logo.ico")); - int fontId = QFontDatabase::addApplicationFont(":/src/Res/Fonts/ibmplexmono.ttf"); - if (fontId != -1) { - QStringList fontFamilies = QFontDatabase::applicationFontFamilies(fontId); - if (!fontFamilies.isEmpty()) { - app.setFont(QFont(fontFamilies.first(), 10)); - } - } - app.setStyleSheet( - "* {" - " font-family: 'IBM Plex Mono';" - "}" - "QToolTip {" - " background-color: #1E1E1E;" - " color: white;" - " border: 1px solid #2196F3;" - " border-radius: 4px;" - " padding: 5px;" - " font-family: 'IBM Plex Mono';" - "}" - ); - QString projectRoot = PathUtils::getProjectRoot(); - MainWindow w; - w.show(); - return app.exec(); -} \ No newline at end of file diff --git a/Bind/resources.qrc b/Bind/resources.qrc deleted file mode 100644 index 59dda9a..0000000 --- a/Bind/resources.qrc +++ /dev/null @@ -1,20 +0,0 @@ - - - src/Res/Icons/validation.png - src/Res/Icons/compatibility.png - src/Res/Icons/verification.png - src/Res/Icons/obfuscation.png - src/Res/Icons/settings.png - src/Res/Icons/syscaller.png - src/Res/Icons/logo.ico - src/Res/Icons/export.png - src/Res/Icons/refresh.png - src/Res/Fonts/ibmplexmono.ttf - src/GUI/Stylesheets/SettingsDialog.qss - src/GUI/Stylesheets/StubMapperDialog.qss - src/GUI/Stylesheets/ConfirmationDialog.qss - src/GUI/Stylesheets/ObfuscationSelectionDialog.qss - src/GUI/Stylesheets/HashCompareDialog.qss - src/GUI/Stylesheets/ChangelogDialog.qss - - \ No newline at end of file diff --git a/Bind/src/Core/Integrity/Compatibility/Compatibility.cpp b/Bind/src/Core/Integrity/Compatibility/Compatibility.cpp index b7ad804..7b5765f 100644 
--- a/Bind/src/Core/Integrity/Compatibility/Compatibility.cpp +++ b/Bind/src/Core/Integrity/Compatibility/Compatibility.cpp @@ -1,13 +1,6 @@ -#include "include/Core/Integrity/Compatibility/Compatibility.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include -#include +#include +#include #include -#include Compatibility::Compatibility() : QObject(nullptr) @@ -28,7 +21,7 @@ void Compatibility::outputProgress(const QString& message) int Compatibility::run(int argc, char* argv[]) { - return runWithDllPaths(QStringList() << "C:\\Windows\\System32\\ntdll.dll"); + return runWithDllPaths(QStringList() << Constants::DEFAULT_NTDLL_PATH); } int Compatibility::runWithDllPaths(const QStringList& dllPaths) @@ -51,7 +44,7 @@ int Compatibility::runWithDllPaths(const QStringList& dllPaths) if (dllPathsToUse.isEmpty()) { - dllPathsToUse << "C:\\Windows\\System32\\ntdll.dll"; + dllPathsToUse << Constants::DEFAULT_NTDLL_PATH; } qDebug() << QString("Using DLL Paths: %1").arg(dllPathsToUse.join(", ")); @@ -283,7 +276,7 @@ void Compatibility::validateSyscalls(const QString& asmFile, const QStringList& QString modeDisplay = isZwMode ? "Zw" : "Nt"; QList syscalls = readSyscalls(asmFile); - outputProgress(Colors::BOLD() + QString("Found %1 Syscalls in syscaller.asm") + outputProgress(Colors::BOLD() + QString("Found %1 Syscalls in SysCaller.asm") .arg(syscalls.size()) + Colors::ENDC()); for (int i = 0; i < qMin(3, syscalls.size()); ++i) @@ -298,7 +291,7 @@ void Compatibility::validateSyscalls(const QString& asmFile, const QStringList& if (dllPathsToUse.isEmpty()) { - dllPathsToUse << "C:\\Windows\\System32\\ntdll.dll"; + dllPathsToUse << Constants::DEFAULT_NTDLL_PATH; } QString mainDllPath = dllPathsToUse.first(); @@ -469,4 +462,4 @@ QString Compatibility::getIniPath() QString Compatibility::getAsmFilePath(bool isKernelMode) { return PathUtils::getSysCallerAsmPath(isKernelMode); -} +} \ No newline at end of file 
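Review bot: The default DLL path used by `run()` and `runWithDllPaths()` is now `Constants::DEFAULT_NTDLL_PATH`, but if that constant is still the literal `C:\Windows\System32\ntdll.dll` it replaces, the compatibility check will silently find nothing on machines where Windows lives on another drive or directory. Resolving the system directory at runtime is more robust, e.g. `QDir(qEnvironmentVariable("SystemRoot", "C:/Windows")).filePath("System32/ntdll.dll")` or `GetSystemDirectoryW()`. One caveat worth a comment on the constant: if Bind is ever built as a 32-bit process, file-system redirection turns that `System32` path into `SysWOW64`, so the bitness of the ntdll being parsed should be verified rather than assumed. `runWithDllPaths()` continues past this hunk.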
diff --git a/Bind/src/Core/Integrity/Validator/Validator.cpp b/Bind/src/Core/Integrity/Validator/Validator.cpp index a78ae85..f4ec508 100644 --- a/Bind/src/Core/Integrity/Validator/Validator.cpp +++ b/Bind/src/Core/Integrity/Validator/Validator.cpp @@ -1,14 +1,6 @@ -#include "include/Core/Integrity/Validator/Validator.h" -#include "include/Core/Utils/PathUtils.h" -#include "include/Core/Utils/Utils.h" -#include -#include -#include -#include -#include -#include +#include +#include #include -#include Validator::Validator() : QObject(nullptr) @@ -29,7 +21,7 @@ void Validator::outputProgress(const QString& message) int Validator::run(int argc, char* argv[]) { - return runWithDllPaths(QStringList() << "C:\\Windows\\System32\\ntdll.dll"); + return runWithDllPaths(QStringList() << Constants::DEFAULT_NTDLL_PATH); } int Validator::runWithDllPaths(const QStringList& dllPaths) @@ -55,7 +47,7 @@ int Validator::runWithDllPaths(const QStringList& dllPaths) if (dllPathsToUse.isEmpty()) { - dllPathsToUse << "C:\\Windows\\System32\\ntdll.dll"; + dllPathsToUse << Constants::DEFAULT_NTDLL_PATH; } qDebug() << QString("Using DLL Paths: %1").arg(dllPathsToUse.join(", ")); @@ -72,8 +64,8 @@ int Validator::runWithDllPaths(const QStringList& dllPaths) if (!QFile::exists(mainDllPath)) { qWarning() << "Primary DLL path does not exist:" << mainDllPath; - qWarning() << "Using default path: C:\\Windows\\System32\\ntdll.dll"; - mainDllPath = "C:\\Windows\\System32\\ntdll.dll"; + qWarning() << "Using default path:" << Constants::DEFAULT_NTDLL_PATH; + mainDllPath = Constants::DEFAULT_NTDLL_PATH; if (!QFile::exists(mainDllPath)) { @@ -1195,4 +1187,4 @@ QString Validator::generateIndirectStub(const QString& stubName, int syscallId) .arg(ntName); return indirectStub; -} +} \ No newline at end of file diff --git a/Bind/src/Core/Integrity/Verification/Verification.cpp b/Bind/src/Core/Integrity/Verification/Verification.cpp index 52eb3f0..445d986 100644 
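Review bot: In `runWithDllPaths()` a user-supplied primary DLL path that does not exist is quietly replaced by `Constants::DEFAULT_NTDLL_PATH`, so the validator produces syscall numbers for whatever ntdll is installed on the build machine rather than the target the operator selected, and the only trace is a `qWarning()`, which is unlikely to reach the GUI log that `outputProgress()` feeds. Syscall numbers change between Windows builds, so stubs generated against the wrong ntdll are a silent correctness failure for the consumer, not a recoverable condition. I would report it through `outputProgress()` and return a non-zero status instead of falling back, or at minimum print which file the IDs actually came from in the results header. The enclosing function starts before this hunk.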
--- a/Bind/src/Core/Integrity/Verification/Verification.cpp +++ b/Bind/src/Core/Integrity/Verification/Verification.cpp @@ -1,18 +1,12 @@ -#include "include/Core/Integrity/Verification/Verification.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include +#include +#include #include -#include -#include Verification::Verification() : QObject(nullptr) , pe(nullptr) , imageBase(0) + , processedCount(0) {} void Verification::setOutputCallback(std::function callback) 
@@ -24,19 +18,58 @@ void Verification::outputProgress(const QString& message) { if (outputCallback) { - outputCallback(message); + /* for important system messages (startup, summary, errors) send immediately */ + /* for result details (syscall names, status, offsets, etc.) batch them for performance */ + bool isImportantMessage = message.isEmpty() || + message.contains("Testing") || + message.contains("Summary") || + message.contains("Starting") || + message.contains("Using DLL") || + message.contains("Found") || + message.contains("Failed to open") || + message.contains("Error Testing"); + + if (isImportantMessage) + { + flushOutputBuffer(); + outputCallback(message); + } + else + { + outputBuffer.append(message); + + if (outputBuffer.size() >= OUTPUT_BATCH_SIZE) + { + flushOutputBuffer(); + } + } + } +} + +void Verification::flushOutputBuffer() +{ + if (outputCallback && !outputBuffer.isEmpty()) + { + for (const QString& line : outputBuffer) + { + outputCallback(line); + } + outputBuffer.clear(); } } int Verification::run(int argc, char* argv[]) { - return runWithDllPaths(QStringList() << "C:\\Windows\\System32\\ntdll.dll"); + return runWithDllPaths(QStringList() << Constants::DEFAULT_NTDLL_PATH); } int Verification::runWithDllPaths(const QStringList& dllPaths) { qDebug() << QString("Verification::runWithDllPaths() called with paths: %1") .arg(dllPaths.join(", ")); + /* reset performance counters and buffers */ + outputBuffer.clear(); + processedCount = 0; QSettings settings(getIniPath(), QSettings::IniFormat); QString syscallMode = settings.value("general/syscall_mode", "Nt").toString(); @@ -50,7 +83,7 @@ int Verification::runWithDllPaths(const QStringList& dllPaths) if (dllPathsToUse.isEmpty()) { - dllPathsToUse << "C:\\Windows\\System32\\ntdll.dll"; + dllPathsToUse << Constants::DEFAULT_NTDLL_PATH; } this->dllPaths = dllPathsToUse; 
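Review bot: Lines that `outputProgress()` classifies as non-important sit in `outputBuffer` until a keyword message, a full batch or the final flush in `runTests()` arrives, so any early `return` from `runWithDllPaths()` (if it has one) or an exception that is not a `std::exception` drops the tail of the results without notice. A flush on every exit path, or a small scope guard in `runWithDllPaths()` such as `struct FlushGuard { Verification* v; ~FlushGuard() { v->flushOutputBuffer(); } } guard{this};`, keeps the batching while making delivery unconditional. Classifying messages by substring (`contains("Found")`, `contains("Testing")`, …) is also fragile since it depends on the wording of every message in the file; an explicit `bool immediate` parameter on `outputProgress()`, or a separate `outputResult()` for the buffered detail lines, states the intent directly. If `outputProgress()` can run on a different thread from the one that reads `outputBuffer`, the buffer additionally needs synchronisation — I cannot tell from this hunk.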
@@ -98,15 +131,15 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() if (isKernelMode) { - headerFiles["constants"] = basePath + "/SysCallerK/Wrapper/include/SysK/sysConstants_k.h"; - headerFiles["types"] = basePath + "/SysCallerK/Wrapper/include/SysK/sysTypes_k.h"; - headerFiles["externals"] = basePath + "/SysCallerK/Wrapper/include/SysK/sysExternals_k.h"; + headerFiles["constants"] = basePath + "/SysCallerK/Wrapper/include/SysK/SysKConstants.h"; + headerFiles["types"] = basePath + "/SysCallerK/Wrapper/include/SysK/SysKTypes.h"; + headerFiles["externals"] = basePath + "/SysCallerK/Wrapper/include/SysK/SysKExternals.h"; } else { - headerFiles["constants"] = basePath + "/SysCaller/Wrapper/include/Sys/sysConstants.h"; - headerFiles["types"] = basePath + "/SysCaller/Wrapper/include/Sys/sysTypes.h"; - headerFiles["externals"] = basePath + "/SysCaller/Wrapper/include/Sys/sysExternals.h"; + headerFiles["constants"] = basePath + "/SysCaller/Wrapper/include/Sys/SysConstants.h"; + headerFiles["types"] = basePath + "/SysCaller/Wrapper/include/Sys/SysTypes.h"; + headerFiles["externals"] = basePath + "/SysCaller/Wrapper/include/Sys/SysExternals.h"; } for (auto it = headerFiles.begin(); it != headerFiles.end(); ++it) @@ -137,7 +170,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() QString value = match.captured(2); TypeDefinition def; - def.file = QString("sysConstants%1.h").arg(isKernelMode ? "_k" : ""); + def.file = QString("SysConstants%1.h").arg(isKernelMode ? "_k" : ""); def.definition = QString("#define %1 %2").arg(name).arg(value); typeDefinitions.insert(name, def); } 
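Review bot: The kernel-mode header is now resolved as `SysKConstants.h` a few lines above, but `def.file` is still built as `QString("SysConstants%1.h").arg(isKernelMode ? "_k" : "")`, which yields `SysConstants_k.h` — a file name that no longer exists after this rename, so every kernel-mode `TypeDefinition` reports the wrong header. The same `"_k"` suffix pattern survives at the `Sys%1%2.h`, `SysTypes%1.h` and `SysExternals%1.h` sites in the following hunks and should be updated together. Since the real path is already in `headerFiles[...]`, recording the file name from there is the least error-prone fix; otherwise `def.file = isKernelMode ? QStringLiteral("SysKConstants.h") : QStringLiteral("SysConstants.h");` keeps it in step with the paths above. `parseHeaderFiles()` starts before and ends after this hunk.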
@@ -151,7 +184,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() QRegularExpressionMatch match = commaMatches.next(); QString baseType = match.captured(1); QString ptrType = match.captured(2); - QString fileName = QString("sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) + QString fileName = QString("Sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) .arg(isKernelMode ? "_k" : ""); TypeDefinition def1; @@ -173,7 +206,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() QRegularExpressionMatch match = ptrMatches.next(); QString baseType = match.captured(1); QString ptrType = match.captured(2); - QString fileName = QString("sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) + QString fileName = QString("Sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) .arg(isKernelMode ? "_k" : ""); TypeDefinition def; @@ -190,7 +223,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() QRegularExpressionMatch match = basicMatches.next(); QString baseType = match.captured(1); QString newType = match.captured(2); - QString fileName = QString("sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) + QString fileName = QString("Sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) .arg(isKernelMode ? "_k" : ""); TypeDefinition def; @@ -207,7 +240,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() QRegularExpressionMatch match = structMatches.next(); QString structName = match.captured(2); QString ptrName = match.captured(3); - QString fileName = QString("sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) + QString fileName = QString("Sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) .arg(isKernelMode ? "_k" : ""); TypeDefinition def1; 
@@ -228,7 +261,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() { QRegularExpressionMatch match = enumMatches.next(); QString enumName = match.captured(2); - QString fileName = QString("sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) + QString fileName = QString("Sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) .arg(isKernelMode ? "_k" : ""); TypeDefinition def; @@ -244,7 +277,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() { QRegularExpressionMatch match = funcPtrMatches.next(); QString typeName = match.captured(1); - QString fileName = QString("sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) + QString fileName = QString("Sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) .arg(isKernelMode ? "_k" : ""); TypeDefinition def; @@ -261,7 +294,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() QRegularExpressionMatch match = constPtrMatches.next(); QString baseType = match.captured(1); QString newType = match.captured(2); - QString fileName = QString("sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) + QString fileName = QString("Sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) .arg(isKernelMode ? "_k" : ""); TypeDefinition def; @@ -279,7 +312,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() QString baseType = match.captured(1); QString newType = match.captured(2); QString ptrType = match.captured(3); - QString fileName = QString("sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) + QString fileName = QString("Sys%1%2.h").arg(fileType.at(0).toUpper() + fileType.mid(1)) .arg(isKernelMode ? "_k" : ""); TypeDefinition def1; 
@@ -307,7 +340,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() for (const QString& typeName : commonTypes) { TypeDefinition def; - def.file = QString("sysTypes%1.h").arg(isKernelMode ? "_k" : ""); + def.file = QString("SysTypes%1.h").arg(isKernelMode ? "_k" : ""); def.definition = QString("typedef base %1").arg(typeName); typeDefinitions.insert(typeName, def); } @@ -316,7 +349,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() if (!typeDefinitions.contains("WNF_CHANGE_STAMP")) { TypeDefinition def; - def.file = QString("sysExternals%1.h").arg(isKernelMode ? "_k" : ""); + def.file = QString("SysExternals%1.h").arg(isKernelMode ? "_k" : ""); def.definition = "typedef ULONG WNF_CHANGE_STAMP"; typeDefinitions.insert("WNF_CHANGE_STAMP", def); } @@ -324,7 +357,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() if (!typeDefinitions.contains("PCWNF_STATE_NAME")) { TypeDefinition def; - def.file = QString("sysExternals%1.h").arg(isKernelMode ? "_k" : ""); + def.file = QString("SysExternals%1.h").arg(isKernelMode ? "_k" : ""); def.definition = "typedef WNF_STATE_NAME* PCWNF_STATE_NAME"; typeDefinitions.insert("PCWNF_STATE_NAME", def); } @@ -332,7 +365,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() if (!typeDefinitions.contains("PCWNF_TYPE_ID")) { TypeDefinition def; - def.file = QString("sysExternals%1.h").arg(isKernelMode ? "_k" : ""); + def.file = QString("SysExternals%1.h").arg(isKernelMode ? "_k" : ""); def.definition = "typedef WNF_TYPE_ID* PCWNF_TYPE_ID"; typeDefinitions.insert("PCWNF_TYPE_ID", def); } @@ -340,7 +373,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() if (!typeDefinitions.contains("WAIT_TYPE")) { TypeDefinition def; - def.file = QString("sysExternals%1.h").arg(isKernelMode ? "_k" : ""); + def.file = QString("SysExternals%1.h").arg(isKernelMode ? "_k" : ""); def.definition = "typedef enum WAIT_TYPE"; typeDefinitions.insert("WAIT_TYPE", def); } 
@@ -348,7 +381,7 @@ void Verification::TypeDefinitionTracker::parseHeaderFiles() if (!typeDefinitions.contains("PIO_APC_ROUTINE")) { TypeDefinition def; - def.file = QString("sysTypes%1.h").arg(isKernelMode ? "_k" : ""); + def.file = QString("SysTypes%1.h").arg(isKernelMode ? "_k" : ""); def.definition = "typedef function_ptr PIO_APC_ROUTINE"; typeDefinitions.insert("PIO_APC_ROUTINE", def); } @@ -443,7 +476,7 @@ std::optional Verification::TypeDefinitionTracker: }; if (basicTypes.contains(cleanTypeName)) { TypeDefinition def; - def.file = QString("sysTypes%1.h").arg(isKernelMode ? "_k" : ""); + def.file = QString("SysTypes%1.h").arg(isKernelMode ? "_k" : ""); def.definition = QString("typedef base %1").arg(cleanTypeName); return def; } @@ -709,7 +742,7 @@ std::optional Verification::getOffsetFromDll(const QString& syscallName, co try { - funcName = QString::fromUtf8(fn.c_str(), fn.length()); + funcName = QString::fromUtf8(fn.c_str(), static_cast(fn.length())); } catch (...) { @@ -1008,12 +1041,24 @@ void Verification::runTests(const QString& outputFormat) TestResult result = testSyscall(it.value()); testResults.append(result); printResult(result); + + processedCount++; + + /* flush buffer periodically during processing */ + if (processedCount % OUTPUT_BATCH_SIZE == 0) + { + flushOutputBuffer(); + } } catch (const std::exception& e) { outputProgress(Colors::FAIL() + QString("Error Testing %1: %2").arg(it.key()).arg(e.what()) + Colors::ENDC()); + processedCount++; } } + + /* flush any remaining buffered output */ + flushOutputBuffer(); int successCount = 0, failureCount = 0; diff --git a/Bind/src/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.cpp b/Bind/src/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.cpp index 68c3246..5bace4b 100644 --- a/Bind/src/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.cpp +++ b/Bind/src/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.cpp 
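Review bot: The trailing `flushOutputBuffer()` in `runTests()` runs only when the loop completes normally, and the `catch` handles `std::exception` alone, so anything else thrown by `testSyscall()` or `printResult()` leaves the buffered results undelivered; a `catch (...)` branch that reports and increments `processedCount`, or a scope guard around the loop, closes that gap. The new `processedCount % OUTPUT_BATCH_SIZE` flush inside the loop also duplicates the size-based flush `outputProgress()` already performs when `outputBuffer` reaches `OUTPUT_BATCH_SIZE`, so one of the two can go — keeping the counter only for the summary is cleaner. `runTests()` starts before and ends after this hunk.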
@@ -1,6 +1,5 @@ -#include "include/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.h" -#include -#include +#include +#include DirectObfuscation::ControlFlow::ControlFlow(QSettings* settings) : settings(settings) @@ -235,4 +234,4 @@ QStringList DirectObfuscation::ControlFlow::generateComplexPredicate() predicate << QString(" sub %1, 2").arg(reg1); predicate << QString(" test %1, %1").arg(reg1); return predicate; -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Direct/Encryption/DirectEncryptor.cpp b/Bind/src/Core/Obfuscation/Direct/Encryption/DirectEncryptor.cpp index 588ae0d..8ed436c 100644 --- a/Bind/src/Core/Obfuscation/Direct/Encryption/DirectEncryptor.cpp +++ b/Bind/src/Core/Obfuscation/Direct/Encryption/DirectEncryptor.cpp @@ -1,6 +1,5 @@ -#include "include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h" -#include -#include +#include +#include DirectObfuscation::Encryptor::Encryptor(QSettings* settings) : settings(settings) @@ -170,4 +169,4 @@ QStringList DirectObfuscation::Encryptor::generateDecryptionSequence(const QStri int DirectObfuscation::Encryptor::getRandomInt(int min, int max) { return QRandomGenerator::global()->bounded(min, max + 1); -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Direct/Mapping/DirectStubMapper.cpp b/Bind/src/Core/Obfuscation/Direct/Mapping/DirectStubMapper.cpp index 9f81276..ff5fc27 100644 --- a/Bind/src/Core/Obfuscation/Direct/Mapping/DirectStubMapper.cpp +++ b/Bind/src/Core/Obfuscation/Direct/Mapping/DirectStubMapper.cpp 
@@ -1,17 +1,6 @@ -#include "include/Core/Obfuscation/Direct/Mapping/DirectStubMapper.h" -#include "include/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.h" -#include "include/Core/Obfuscation/Shared/Stub/NameGenerator.h" -#include "include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h" -#include "include/Core/Obfuscation/Direct/Stub/DirectStubGenerator.h" -#include "include/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include DirectObfuscation::StubMapper::StubMapper(QSettings* settings) : settings(settings) @@ -62,11 +51,11 @@ QString DirectObfuscation::StubMapper::getAsmFilePath(bool isKernelMode) { if (isKernelMode) { - return PathUtils::getSysCallerKPath() + "/Wrapper/src/syscaller.asm"; + return PathUtils::getSysCallerKPath() + "/Wrapper/src/SysCaller.asm"; } else { - return PathUtils::getSysCallerPath() + "/Wrapper/src/syscaller.asm"; + return PathUtils::getSysCallerPath() + "/Wrapper/src/SysCaller.asm"; } } @@ -74,11 +63,11 @@ QString DirectObfuscation::StubMapper::getHeaderFilePath(bool isKernelMode) { if (isKernelMode) { - return PathUtils::getSysCallerKPath() + "/Wrapper/include/SysK/sysFunctions_k.h"; + return PathUtils::getSysCallerKPath() + "/Wrapper/include/SysK/SysKFunctions.h"; } else { - return PathUtils::getSysCallerPath() + "/Wrapper/include/Sys/sysFunctions.h"; + return PathUtils::getSysCallerPath() + "/Wrapper/include/Sys/SysFunctions.h"; } } @@ -880,4 +869,4 @@ bool DirectObfuscation::StubMapper::updateDefFile(const QString& defPath, const int DirectObfuscation::StubMapper::getRandomInt(int min, int max) { return QRandomGenerator::global()->bounded(min, max + 1); -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.cpp b/Bind/src/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.cpp index f831c40..605f91e 100644 
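Review bot: `getAsmFilePath()` and `getHeaderFilePath()` re-derive the wrapper paths by string concatenation even though `PathUtils::getSysCallerAsmPath(isKernelMode)` and `PathUtils::getSysFunctionsPath(isKernelMode)` now return exactly these locations, and this commit already shows the duplicates drifting apart (the copies in `IndirectObfuscation.cpp` and `Obfuscation.cpp` omit the `include/` segment). Both bodies can become one-liners, `return PathUtils::getSysCallerAsmPath(isKernelMode);` and `return PathUtils::getSysFunctionsPath(isKernelMode);`, which also picks up the `QDir::filePath()` normalisation PathUtils now applies instead of raw `+ "/..."` joins.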
--- a/Bind/src/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.cpp +++ b/Bind/src/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.cpp @@ -1,7 +1,5 @@ -#include "include/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.h" -#include -#include -#include +#include +#include DirectObfuscation::JunkGenerator::JunkGenerator(QSettings* settings) : settings(settings) @@ -144,4 +142,4 @@ QString DirectObfuscation::JunkGenerator::getRandomAdvancedJunkInstruction() int DirectObfuscation::JunkGenerator::getRandomInt(int min, int max) { return QRandomGenerator::global()->bounded(min, max + 1); -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Direct/Stub/DirectStubGenerator.cpp b/Bind/src/Core/Obfuscation/Direct/Stub/DirectStubGenerator.cpp index 65d3833..ea18813 100644 --- a/Bind/src/Core/Obfuscation/Direct/Stub/DirectStubGenerator.cpp +++ b/Bind/src/Core/Obfuscation/Direct/Stub/DirectStubGenerator.cpp @@ -1,9 +1,6 @@ -#include "include/Core/Obfuscation/Direct/Stub/DirectStubGenerator.h" -#include "include/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.h" -#include "include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h" -#include "include/Core/Obfuscation/Shared/Stub/NameGenerator.h" -#include -#include +#include +#include "Core/Obfuscation/Shared/Shared.h" +#include DirectObfuscation::StubGenerator::StubGenerator(QSettings* settings) : settings(settings) @@ -152,4 +149,4 @@ QString DirectObfuscation::StubGenerator::generateAlignPadding() int DirectObfuscation::StubGenerator::getRandomInt(int min, int max) { return QRandomGenerator::global()->bounded(min, max + 1); -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.cpp b/Bind/src/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.cpp index 7ec2c35..7c68668 100644 --- a/Bind/src/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.cpp +++ b/Bind/src/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.cpp 
@@ -1,7 +1,5 @@ -#include "include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h" -#include -#include -#include +#include +#include IndirectObfuscation::ControlFlow::ControlFlow(QSettings* settings) : settings(settings) @@ -10,7 +8,6 @@ IndirectObfuscation::ControlFlow::ControlFlow(QSettings* settings) QString IndirectObfuscation::ControlFlow::generateControlFlowObfuscation() { QString method = settings->value("obfuscation/indirect_control_flow_method", "random").toString(); - int pattern; ControlFlowPattern flowPattern; @@ -79,4 +76,4 @@ QString IndirectObfuscation::ControlFlow::generateControlFlowObfuscation() }; return controlFlowPatterns[static_cast(flowPattern)]; -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Indirect/Encryption/IndirectEncryptor.cpp b/Bind/src/Core/Obfuscation/Indirect/Encryption/IndirectEncryptor.cpp index 4bc2f6a..cb065a3 100644 --- a/Bind/src/Core/Obfuscation/Indirect/Encryption/IndirectEncryptor.cpp +++ b/Bind/src/Core/Obfuscation/Indirect/Encryption/IndirectEncryptor.cpp @@ -1,5 +1,5 @@ -#include "include/Core/Obfuscation/Indirect/Encryption/IndirectEncryptor.h" -#include +#include +#include QString IndirectObfuscation::Encryptor::generateEncryptedSyscallNumbers() { @@ -23,4 +23,4 @@ QString IndirectObfuscation::Encryptor::generateEncryptedSyscallNumbers() .arg(offset); return encryptedCode; -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.cpp b/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.cpp index ebc8098..489c862 100644 --- a/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.cpp +++ b/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.cpp @@ -1,7 +1,5 @@ -#include "include/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.h" -#include -#include -#include +#include +#include IndirectObfuscation::JunkGenerator::JunkGenerator(QSettings* settings) : settings(settings) 
@@ -86,4 +84,4 @@ QString IndirectObfuscation::JunkGenerator::generateRegisterSafeJunk() } return junkCode; -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.cpp b/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.cpp index 3fdc4bf..468a526 100644 --- a/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.cpp +++ b/Bind/src/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.cpp @@ -1,7 +1,5 @@ -#include "include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h" -#include -#include -#include +#include +#include IndirectObfuscation::StubGenerator::StubGenerator(QSettings* settings) : settings(settings) @@ -57,4 +55,4 @@ QString IndirectObfuscation::StubGenerator::obfuscateResolverCall(const QString& } return originalCall; -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/IndirectObfuscation.cpp b/Bind/src/Core/Obfuscation/IndirectObfuscation.cpp index 60fc6ab..a2f3ebf 100644 --- a/Bind/src/Core/Obfuscation/IndirectObfuscation.cpp +++ b/Bind/src/Core/Obfuscation/IndirectObfuscation.cpp @@ -1,16 +1,7 @@ -#include "include/Core/Obfuscation/IndirectObfuscation.h" -#include "include/Core/Obfuscation/Indirect/Stub/IndirectStubGenerator.h" -#include "include/Core/Obfuscation/Indirect/Stub/IndirectJunkGenerator.h" -#include "include/Core/Obfuscation/Indirect/ControlFlow/IndirectControlFlow.h" -#include "include/Core/Obfuscation/Shared/Stub/NameGenerator.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include IndirectObfuscationManager::IndirectObfuscationManager(QSettings* settings) : settings(settings) 
@@ -49,12 +40,12 @@ bool IndirectObfuscationManager::generateIndirectObfuscation() bool isKernel = settings->value("general/syscall_mode", "Nt").toString() == "Zw"; QString asmPath = isKernel ? - PathUtils::getSysCallerKPath() + "/Wrapper/src/syscaller.asm" : - PathUtils::getSysCallerPath() + "/Wrapper/src/syscaller.asm"; + PathUtils::getSysCallerKPath() + "/Wrapper/src/SysCaller.asm" : + PathUtils::getSysCallerPath() + "/Wrapper/src/SysCaller.asm"; QString headerPath = isKernel ? - PathUtils::getSysCallerKPath() + "/Wrapper/include/SysK/sysFunctions_k.h" : - PathUtils::getSysCallerPath() + "/Wrapper/include/Sys/sysFunctions.h"; + PathUtils::getSysCallerKPath() + "/Wrapper/SysK/SysKFunctions.h" : + PathUtils::getSysCallerPath() + "/Wrapper/Sys/SysFunctions.h"; return processIndirectAssemblyFile(asmPath, headerPath); } @@ -78,7 +69,7 @@ bool IndirectObfuscationManager::processIndirectAssemblyFile(const QString& asmP QString indirectPrefix = getIndirectPrefix(); QMap indirectStubs; QSet usedNames; - QMap syscallMap; // original -> obfuscated + QMap syscallMap; /* original -> obfuscated */ QStringList currentStub; QString currentSyscall; @@ -141,7 +132,7 @@ bool IndirectObfuscationManager::processIndirectAssemblyFile(const QString& asmP QByteArray pendingEncBytes; int pendingPlainLen = 0; quint8 pendingKey = 0; - bool encAdjustActive = false; // when true, convert next add rsp,32 to add rsp,64 + bool encAdjustActive = false; /* when true, convert next add rsp,32 to add rsp,64 */ for (const QString& line : it.value()) { 
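Review bot: `headerPath` in `generateIndirectObfuscation()` now points at `Wrapper/SysK/SysKFunctions.h` / `Wrapper/Sys/SysFunctions.h`, dropping the `include/` directory that `PathUtils::getSysFunctionsPath()` and `DirectStubMapper::getHeaderFilePath()` still use for the same file in this commit. Unless the headers were actually moved, `processIndirectAssemblyFile()` will operate on a non-existent header — and if the header writer creates missing files, the obfuscated declarations land in the wrong place while the real header keeps the original names, so the renamed `.asm` no longer matches what consumers compile against. Using the shared helpers avoids the divergence: `QString headerPath = PathUtils::getSysFunctionsPath(isKernel);` and `QString asmPath = PathUtils::getSysCallerAsmPath(isKernel);`. `generateIndirectObfuscation()` starts before this hunk.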
@@ -212,22 +203,22 @@ bool IndirectObfuscationManager::processIndirectAssemblyFile(const QString& asmP } } - // if we have pending enc string and see shadow space reservation, - // emit the build+decrypt into shadow space + /* if we have pending enc string and see shadow space reservation, + emit the build+decrypt into shadow space */ if (pendingEncString && line.trimmed().startsWith("sub rsp, 32")) { - // replace with sub rsp, 64 to allocate extra 32 bytes (shadow + our buffer) + /* replace with sub rsp, 64 to allocate extra 32 bytes (shadow + our buffer) */ obfuscatedStub << " sub rsp, 64"; encAdjustActive = true; - // now emit write+decrypt sequence using only rax, rcx, r11, r8b; - // buffer base is [rsp+20h] + /* now emit write+decrypt sequence using only rax, rcx, r11, r8b; + buffer base is [rsp+20h] */ obfuscatedStub << " ; Build decrypted resolver string in shadow space"; int lblId = QRandomGenerator::global()->bounded(1000, 999999); QString loopLbl = QString("dec_loop_cf_%1").arg(lblId); QString doneLbl = QString("dec_done_cf_%1").arg(lblId); - // write encrypted qwords into [rsp+off] + /* write encrypted qwords into [rsp+off] */ for (int off = 0; off < 32; off += 8) { quint64 q = 0; @@ -278,7 +269,7 @@ bool IndirectObfuscationManager::processIndirectAssemblyFile(const QString& asmP obfuscatedStub << " jmp " + loopLbl; obfuscatedStub << doneLbl + ":"; - obfuscatedStub << " lea rcx, [rsp+20h]"; // rcx = decrypted buffer out of callee home space + obfuscatedStub << " lea rcx, [rsp+20h]"; /* rcx = decrypted buffer out of callee home space */ pendingEncString = false; pendingEncBytes.clear(); @@ -497,7 +488,7 @@ bool IndirectObfuscationManager::updateIndirectHeaderFile(const QString& headerP continue; } - // preserve c++ guards and extern blocks + /* preserve c++ guards and extern blocks */ if (line.contains("#ifdef __cplusplus") || line.contains("extern \"C\"") || line.trimmed() == "{" || line.trimmed() == "}" || line.contains("#endif")) { 
@@ -548,7 +539,7 @@ bool IndirectObfuscationManager::updateIndirectHeaderFile(const QString& headerP } } newHeaderContent << ""; - newHeaderContent << "// Syscall Name Mappings (Indirect)"; + newHeaderContent << "/* Syscall Name Mappings (Indirect) */"; for (auto it = syscallMap.begin(); it != syscallMap.end(); ++it) { @@ -618,4 +609,4 @@ bool IndirectObfuscationManager::updateDefFile(const QString& defPath, defFile.close(); return true; -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Obfuscation.cpp b/Bind/src/Core/Obfuscation/Obfuscation.cpp index cf381c3..d795ffd 100644 --- a/Bind/src/Core/Obfuscation/Obfuscation.cpp +++ b/Bind/src/Core/Obfuscation/Obfuscation.cpp @@ -1,19 +1,8 @@ -#include "include/Core/Obfuscation/Obfuscation.h" -#include "include/Core/Obfuscation/Direct/Stub/DirectJunkGenerator.h" -#include "include/Core/Obfuscation/Shared/Stub/NameGenerator.h" -#include "include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h" -#include "include/Core/Obfuscation/Direct/Stub/DirectStubGenerator.h" -#include "include/Core/Obfuscation/Direct/Mapping/DirectStubMapper.h" -#include "include/Core/Obfuscation/Direct/ControlFlow/DirectControlFlow.h" -#include "include/Core/Obfuscation/IndirectObfuscation.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include +#include Obfuscation::Obfuscation() : outputCallback(nullptr) @@ -61,11 +50,11 @@ QString Obfuscation::getAsmFilePath(bool isKernelMode) { if (isKernelMode) { - return PathUtils::getSysCallerKPath() + "/Wrapper/src/syscaller.asm"; + return PathUtils::getSysCallerKPath() + "/Wrapper/src/SysCaller.asm"; } else { - return PathUtils::getSysCallerPath() + "/Wrapper/src/syscaller.asm"; + return PathUtils::getSysCallerPath() + "/Wrapper/src/SysCaller.asm"; } } 
@@ -73,11 +62,11 @@ QString Obfuscation::getHeaderFilePath(bool isKernelMode) { if (isKernelMode) { - return PathUtils::getSysCallerKPath() + "/Wrapper/include/SysK/sysFunctions_k.h"; + return PathUtils::getSysCallerKPath() + "/Wrapper/SysK/SysKFunctions.h"; } else { - return PathUtils::getSysCallerPath() + "/Wrapper/include/Sys/sysFunctions.h"; + return PathUtils::getSysCallerPath() + "/Wrapper/Sys/SysFunctions.h"; } } @@ -887,4 +876,4 @@ bool Obfuscation::updateDefFile(const QString& defPath, const QStringList& obfus defFile.close(); return true; -} +} \ No newline at end of file diff --git a/Bind/src/Core/Obfuscation/Shared/Stub/NameGenerator.cpp b/Bind/src/Core/Obfuscation/Shared/Stub/NameGenerator.cpp index f0d30b8..e9b0997 100644 --- a/Bind/src/Core/Obfuscation/Shared/Stub/NameGenerator.cpp +++ b/Bind/src/Core/Obfuscation/Shared/Stub/NameGenerator.cpp @@ -1,7 +1,5 @@ -#include "include/Core/Obfuscation/Shared/Stub/NameGenerator.h" -#include -#include -#include +#include +#include SharedObfuscation::NameGenerator::NameGenerator(QSettings* settings) : settings(settings) @@ -106,4 +104,4 @@ QString SharedObfuscation::NameGenerator::generateRandomLabel() int SharedObfuscation::NameGenerator::getRandomInt(int min, int max) { return QRandomGenerator::global()->bounded(min, max + 1); -} +} \ No newline at end of file diff --git a/Bind/src/Core/Utils/PathUtils.cpp b/Bind/src/Core/Utils/PathUtils.cpp index 8562571..fc27005 100644 --- a/Bind/src/Core/Utils/PathUtils.cpp +++ b/Bind/src/Core/Utils/PathUtils.cpp @@ -1,17 +1,4 @@ -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include static QString s_projectRoot; 
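Review bot: `getHeaderFilePath()` drops the `include/` directory (`/Wrapper/SysK/SysKFunctions.h`, `/Wrapper/Sys/SysFunctions.h`) while `getAsmFilePath()` in the previous hunk, `DirectStubMapper::getHeaderFilePath()` and `PathUtils::getSysFunctionsPath()` all keep `Wrapper/include/...`, so the direct obfuscator and the rest of the tool will look for the same header in two different places. Whichever layout is intended, a single source of truth is safer: `return PathUtils::getSysFunctionsPath(isKernelMode);`. If this path is what the header rewrite targets, a wrong value here presumably means the `.asm` gets obfuscated while the declarations stay unchanged, which is a build break at best and a stale name mapping at worst.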
@@ -27,38 +14,38 @@ QString PathUtils::getProjectRoot() QString PathUtils::getBackupsPath() { - return getProjectRoot() + "/Backups"; + return QDir(getProjectRoot()).filePath("Backups"); } QString PathUtils::getHashBackupsPath() { - return getBackupsPath() + "/Hashes"; + return QDir(getBackupsPath()).filePath("Hashes"); } QString PathUtils::getDefaultPath() { - return getProjectRoot() + "/Default"; + return QDir(getProjectRoot()).filePath("Default"); } QString PathUtils::getSysCallerPath() { - return getProjectRoot() + "/SysCaller"; + return QDir(getProjectRoot()).filePath("SysCaller"); } QString PathUtils::getSysCallerKPath() { - return getProjectRoot() + "/SysCallerK"; + return QDir(getProjectRoot()).filePath("SysCallerK"); } QString PathUtils::getSysFunctionsPath(bool isKernelMode) { if (isKernelMode) { - return getSysCallerKPath() + "/Wrapper/include/SysK/sysFunctions_k.h"; + return QDir(getSysCallerKPath()).filePath("Wrapper/include/SysK/SysKFunctions.h"); } else { - return getSysCallerPath() + "/Wrapper/include/Sys/sysFunctions.h"; + return QDir(getSysCallerPath()).filePath("Wrapper/include/Sys/SysFunctions.h"); } } @@ -66,11 +53,11 @@ QString PathUtils::getSysCallerAsmPath(bool isKernelMode) { if (isKernelMode) { - return getSysCallerKPath() + "/Wrapper/src/syscaller.asm"; + return QDir(getSysCallerKPath()).filePath("Wrapper/src/SysCaller.asm"); } else { - return getSysCallerPath() + "/Wrapper/src/syscaller.asm"; + return QDir(getSysCallerPath()).filePath("Wrapper/src/SysCaller.asm"); } } 
@@ -78,22 +65,22 @@ QString PathUtils::getDefaultSysFunctionsPath(bool isKernelMode) { if (isKernelMode) { - return getDefaultPath() + "/sysFunctions_k.h"; + return QDir(getDefaultPath()).filePath("SysKFunctions.h"); } else { - return getDefaultPath() + "/sysFunctions.h"; + return QDir(getDefaultPath()).filePath("SysFunctions.h"); } } QString PathUtils::getDefaultSysCallerAsmPath() { - return getDefaultPath() + "/syscaller.asm"; + return QDir(getDefaultPath()).filePath("SysCaller.asm"); } QString PathUtils::getIniPath() { - return getProjectRoot() + "/SysCaller.ini"; + return QDir(getProjectRoot()).filePath("SysCaller.ini"); } QString PathUtils::findProjectRoot() @@ -166,12 +153,21 @@ QString PathUtils::findProjectRoot() dir2.cdUp(); } - QString hardcodedPath = "C:/Users/devil/source/repos/SysCaller"; - - if (QDir(hardcodedPath).exists() && isProjectRoot(hardcodedPath)) + QProcessEnvironment env = QProcessEnvironment::systemEnvironment(); + QString envPath = env.value("SYSCALLER_ROOT", ""); + + if (!envPath.isEmpty()) { - qDebug() << "Using Hardcoded Project Root:" << hardcodedPath; - return hardcodedPath; + QString cleanPath = QDir::cleanPath(envPath); + if (QDir(cleanPath).exists() && isProjectRoot(cleanPath)) + { + qDebug() << "Using SYSCALLER_ROOT environment variable:" << cleanPath; + return cleanPath; + } + else + { + qWarning() << "SYSCALLER_ROOT environment variable set but path is invalid:" << cleanPath; + } } qWarning() << "Project Root not found, falling back to executable directory"; 
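Review bot: `QDir::cleanPath(envPath)` normalizes but does not absolutize, so a relative SYSCALLER_ROOT passes the `QDir(cleanPath).exists()` / `isProjectRoot` check against the current working directory and every derived path (SysCaller.ini, Backups, the generated asm and header files) then silently moves with the cwd. Resolve it first, e.g. `QString cleanPath = QDir::cleanPath(QDir(envPath).absolutePath());` (or `QFileInfo(envPath).canonicalFilePath()` if symlinks should also be collapsed). The variable is also consulted only after the upward directory walk has failed, so it cannot override a root found near the executable; if it is meant as an explicit override, move the lookup ahead of the walk. Since this value selects where the tool reads its ini and writes generated sources, a comment such as `// SYSCALLER_ROOT is trusted like the rest of the process environment; it decides where generated sources are written` would help the next maintainer. findProjectRoot continues outside the hunk.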
@@ -223,7 +219,7 @@ void PathUtils::debugPathDetection() qDebug() << "SysFunctions Path (Zw):" << getSysFunctionsPath(true); qDebug() << "INI Path:" << getIniPath(); qDebug() << "SysCaller.ini Exists:" << QFile::exists(getIniPath()); - qDebug() << "sysFunctions.h Exists:" << QFile::exists(getSysFunctionsPath(false)); - qDebug() << "sysFunctions_k.h Exists:" << QFile::exists(getSysFunctionsPath(true)); + qDebug() << "SysFunctions.h Exists:" << QFile::exists(getSysFunctionsPath(false)); + qDebug() << "SysKFunctions.h Exists:" << QFile::exists(getSysFunctionsPath(true)); qDebug() << "=== End PathUtils Debug ==="; -} +} \ No newline at end of file diff --git a/Bind/src/Core/Utils/Utils.cpp b/Bind/src/Core/Utils/Utils.cpp index 5431604..53ed612 100644 --- a/Bind/src/Core/Utils/Utils.cpp +++ b/Bind/src/Core/Utils/Utils.cpp @@ -1,20 +1,6 @@ -#include "include/Core/Utils/Utils.h" -#include "include/Core/Utils/PathUtils.h" -#include "include/Core/Obfuscation/Obfuscation.h" -#include "include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include QMap SyscallExtractor::getSyscallsFromDll(const QString& dllPath) { @@ -62,7 +48,7 @@ QMap SyscallExtractor::getSyscallsFromDll(const QString& dllPath) try { - funcName = QString::fromUtf8(fn.c_str(), fn.length()); + funcName = QString::fromUtf8(fn.c_str(), static_cast(fn.length())); } catch (...) { @@ -639,4 +625,4 @@ QString InlineAssemblyConverter::convertStubToInline(const QString& stubName, in .arg(highByte); return inlineStub; -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Bars/ProgressBar.cpp b/Bind/src/GUI/Bars/ProgressBar.cpp index b94427d..ed5ee9e 100644 --- a/Bind/src/GUI/Bars/ProgressBar.cpp +++ b/Bind/src/GUI/Bars/ProgressBar.cpp 
@@ -1,4 +1,4 @@ -#include "include/GUI/Bars/ProgressBar.h" +#include ProgressBar::ProgressBar(QWidget* parent) : QProgressBar(parent) { setTextVisible(false); diff --git a/Bind/src/GUI/Bars/SettingsTitleBar.cpp b/Bind/src/GUI/Bars/SettingsTitleBar.cpp index 12fe4ce..2bd845e 100644 --- a/Bind/src/GUI/Bars/SettingsTitleBar.cpp +++ b/Bind/src/GUI/Bars/SettingsTitleBar.cpp @@ -1,9 +1,5 @@ -#include "include/GUI/Bars/SettingsTitleBar.h" -#include -#include -#include -#include -#include +#include +#include SettingsTitleBar::SettingsTitleBar(QWidget* parent) : QFrame(parent) @@ -41,4 +37,4 @@ void SettingsTitleBar::initTitleBar(const QString& title) connect(closeBtn, &QToolButton::clicked, this, &SettingsTitleBar::closeClicked); layout->addWidget(closeBtn); -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Bars/StatusBar.cpp b/Bind/src/GUI/Bars/StatusBar.cpp index 4508cfb..86c445a 100644 --- a/Bind/src/GUI/Bars/StatusBar.cpp +++ b/Bind/src/GUI/Bars/StatusBar.cpp @@ -1,6 +1,5 @@ -#include "include/GUI/Bars/StatusBar.h" -#include -#include +#include +#include StatusBar::StatusBar(QWidget* parent) : QFrame(parent) @@ -15,8 +14,11 @@ StatusBar::StatusBar(QWidget* parent) auto* layout = new QHBoxLayout(this); layout->setContentsMargins(20, 0, 20, 0); - statusIcon = new QLabel("⏺", this); - statusIcon->setStyleSheet("color: #666666; font-size: 16px;"); + statusIcon = new QLabel(this); + statusIcon->setFixedSize(16, 16); + statusIcon->setScaledContents(true); + QPixmap recordPixmap(":/Icons/record.png"); + statusIcon->setPixmap(recordPixmap.scaled(16, 16, Qt::KeepAspectRatio, Qt::SmoothTransformation)); layout->addWidget(statusIcon); 
@@ -42,29 +44,33 @@ void StatusBar::updateStatus(const QString& message, const QString& statusType) { statusMsg->setText(message); - QString icon, color; + QString iconPath; + QString color; if (statusType == "working") { - icon = "⏳"; + iconPath = ":/Icons/hourglass.png"; color = "#FFA500"; /* orange */ } else if (statusType == "success") { - icon = "✅"; + iconPath = ":/Icons/green.png"; color = "#00FF00"; /* green */ } else if (statusType == "error") { - icon = "❌"; + iconPath = ":/Icons/xmark.png"; color = "#FF0000"; /* red */ } else { - icon = "⏺"; + iconPath = ":/Icons/record.png"; color = "#666666"; /* gray */ } - statusIcon->setText(icon); - statusIcon->setStyleSheet(QString("color: %1; font-size: 16px;").arg(color)); + QPixmap pixmap(iconPath); + if (!pixmap.isNull()) + { + statusIcon->setPixmap(pixmap.scaled(16, 16, Qt::KeepAspectRatio, Qt::SmoothTransformation)); + } } \ No newline at end of file diff --git a/Bind/src/GUI/Bars/TitleBar.cpp b/Bind/src/GUI/Bars/TitleBar.cpp index 24f6bf2..63ec400 100644 --- a/Bind/src/GUI/Bars/TitleBar.cpp +++ b/Bind/src/GUI/Bars/TitleBar.cpp @@ -1,9 +1,5 @@ -#include "include/GUI/Bars/TitleBar.h" -#include -#include -#include -#include -#include +#include +#include TitleBar::TitleBar(QWidget* parent) : QFrame(parent) @@ -48,4 +44,4 @@ TitleBar::TitleBar(QWidget* parent) controlsLayout->addWidget(maximizeBtn); controlsLayout->addWidget(closeBtn); layout->addLayout(controlsLayout); -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Buttons/BindButton.cpp b/Bind/src/GUI/Buttons/BindButton.cpp index d54674c..e0c3223 100644 --- a/Bind/src/GUI/Buttons/BindButton.cpp +++ b/Bind/src/GUI/Buttons/BindButton.cpp @@ -1,7 +1,5 @@ -#include "include/GUI/Buttons/BindButton.h" -#include -#include -#include +#include +#include BindButton::BindButton(const QString& text, const QString& iconPath, 
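Review bot: `color` is still assigned in every branch of updateStatus but is never read once the `setStyleSheet` line is removed, so the four colour literals are dead code; either delete the variable or keep applying it, e.g. `statusIcon->setStyleSheet(QString("color: %1;").arg(color));`. When `pixmap.isNull()` (missing resource) the label silently keeps the icon of the previous state, so the message can read "error" under a green icon; add an `else` branch with `statusIcon->clear();` and a `qWarning()` naming the missing `iconPath`. The constructor in the hunk above loads `record.png` without the same null check, so the two paths should agree.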
@@ -37,5 +35,12 @@ void BindButton::setupStyle() "}" "QPushButton:pressed {" " background: #0A7AD1;" + "}" + "QPushButton:disabled {" + " background: #333333;" + " color: #666666;" + "}" + "QPushButton:disabled:hover {" + " background: #333333;" "}"); } \ No newline at end of file diff --git a/Bind/src/GUI/Dialogs/ChangelogDialog.cpp b/Bind/src/GUI/Dialogs/ChangelogDialog.cpp index 1f80c7b..f550f4d 100644 --- a/Bind/src/GUI/Dialogs/ChangelogDialog.cpp +++ b/Bind/src/GUI/Dialogs/ChangelogDialog.cpp @@ -1,28 +1,14 @@ -#include "include/GUI/Dialogs/ChangelogDialog.h" -#include "include/GUI/Bars/SettingsTitleBar.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "include/Core/Utils/PathUtils.h" +#include +#include +#include ChangelogDialog::ChangelogDialog(QWidget* parent) : QDialog(parent) { - setWindowTitle("Bind - History"); + setWindowTitle("History"); setMinimumSize(1150, 600); resize(1150, 600); - setWindowIcon(QIcon(":/src/Res/Icons/logo.ico")); + setWindowIcon(QIcon(":/Icons/logo.ico")); setWindowFlags(Qt::Dialog | Qt::FramelessWindowHint); /* setAttribute(Qt::WA_TranslucentBackground); */ setupStylesheet(); @@ -40,7 +26,7 @@ ChangelogDialog::ChangelogDialog(QWidget* parent) void ChangelogDialog::setupStylesheet() { - QFile stylesheetFile(":/src/GUI/Stylesheets/ChangelogDialog.qss"); + QFile stylesheetFile(":/GUI/Stylesheets/ChangelogDialog.qss"); if (stylesheetFile.open(QFile::ReadOnly | QFile::Text)) { 
@@ -57,20 +43,29 @@ void ChangelogDialog::setupUI() layout->setContentsMargins(0, 0, 0, 0); layout->setSpacing(0); - titleBar = new SettingsTitleBar("Bind - Changelog History", this); + titleBar = new SettingsTitleBar("Changelog History", this); + titleBar->setStyleSheet("QFrame {" + " background: #252525;" + " border-top-left-radius: 0px;" + " border-top-right-radius: 0px;" + "}"); layout->addWidget(titleBar); auto* contentLayout = new QVBoxLayout(); - contentLayout->setContentsMargins(20, 20, 20, 20); - contentLayout->setSpacing(20); + contentLayout->setContentsMargins(25, 25, 25, 25); + contentLayout->setSpacing(25); auto* hbox = new QHBoxLayout(); + hbox->setSpacing(20); + listWidget = new QListWidget(); - listWidget->setFixedWidth(200); + listWidget->setFixedWidth(220); + listWidget->setSpacing(4); hbox->addWidget(listWidget); textEdit = new QTextEdit(); textEdit->setReadOnly(true); + textEdit->setFrameShape(QFrame::NoFrame); hbox->addWidget(textEdit, 1); contentLayout->addLayout(hbox); @@ -162,20 +157,146 @@ QString ChangelogDialog::markdownToHtml(const QString& markdown) QString customCss = ""; return customCss + result; @@ -207,4 +328,4 @@ void ChangelogDialog::mouseReleaseEvent(QMouseEvent* event) m_dragging = false; event->accept(); } -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Dialogs/ConfirmationDialog.cpp b/Bind/src/GUI/Dialogs/ConfirmationDialog.cpp index 5cc46e8..599d783 100644 --- a/Bind/src/GUI/Dialogs/ConfirmationDialog.cpp +++ b/Bind/src/GUI/Dialogs/ConfirmationDialog.cpp @@ -1,8 +1,6 @@ -#include "include/GUI/Dialogs/ConfirmationDialog.h" -#include "include/GUI/Bars/SettingsTitleBar.h" -#include -#include -#include +#include +#include +#include ConfirmationDialog::ConfirmationDialog(QWidget* parent) : QDialog(parent) 
@@ -64,38 +62,43 @@ void ConfirmationDialog::initUI(const QString& title) layout->addWidget(titleBar); QWidget* contentWidget = new QWidget(); - contentWidget->setStyleSheet("QWidget { background: #1E1E1E; color: white; padding: 20px; }"); + contentWidget->setObjectName("contentWidget"); QVBoxLayout* contentLayout = new QVBoxLayout(contentWidget); - contentLayout->setSpacing(20); + contentLayout->setContentsMargins(30, 30, 30, 30); + contentLayout->setSpacing(25); messageLabel = new QLabel(); messageLabel->setWordWrap(true); - messageLabel->setAlignment(Qt::AlignCenter); - messageLabel->setStyleSheet("QLabel { color: white; font-size: 14px; padding: 10px; }"); + messageLabel->setAlignment(Qt::AlignLeft | Qt::AlignTop); + messageLabel->setTextFormat(Qt::RichText); contentLayout->addWidget(messageLabel); QHBoxLayout* buttonLayout = new QHBoxLayout(); - buttonLayout->setSpacing(10); + buttonLayout->setSpacing(12); buttonLayout->addStretch(); yesButton = new QPushButton("Yes"); - yesButton->setMinimumWidth(80); + yesButton->setObjectName("yesButton"); + yesButton->setMinimumWidth(100); connect(yesButton, &QPushButton::clicked, this, &ConfirmationDialog::onYesClicked); buttonLayout->addWidget(yesButton); noButton = new QPushButton("No"); - noButton->setMinimumWidth(80); + noButton->setObjectName("noButton"); + noButton->setMinimumWidth(100); connect(noButton, &QPushButton::clicked, this, &ConfirmationDialog::onNoClicked); buttonLayout->addWidget(noButton); okButton = new QPushButton("OK"); - okButton->setMinimumWidth(80); + okButton->setObjectName("yesButton"); + okButton->setMinimumWidth(100); okButton->setVisible(false); connect(okButton, &QPushButton::clicked, this, &ConfirmationDialog::onOKClicked); buttonLayout->addWidget(okButton); cancelButton = new QPushButton("Cancel"); - cancelButton->setMinimumWidth(80); + cancelButton->setObjectName("cancelButton"); + cancelButton->setMinimumWidth(100); cancelButton->setVisible(false); connect(cancelButton, 
&QPushButton::clicked, this, &ConfirmationDialog::onCancelClicked); buttonLayout->addWidget(cancelButton); @@ -106,7 +109,7 @@ void ConfirmationDialog::initUI(const QString& title) void ConfirmationDialog::setupStylesheet() { - QFile stylesheetFile(":/src/GUI/Stylesheets/ConfirmationDialog.qss"); + QFile stylesheetFile(":/GUI/Stylesheets/ConfirmationDialog.qss"); if (stylesheetFile.open(QFile::ReadOnly | QFile::Text)) { @@ -177,4 +180,4 @@ void ConfirmationDialog::mouseReleaseEvent(QMouseEvent* event) m_dragging = false; event->accept(); } -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Dialogs/HashCompareDialog.cpp b/Bind/src/GUI/Dialogs/HashCompareDialog.cpp index fddc0cf..708098a 100644 --- a/Bind/src/GUI/Dialogs/HashCompareDialog.cpp +++ b/Bind/src/GUI/Dialogs/HashCompareDialog.cpp @@ -1,33 +1,6 @@ -#include "include/GUI/Dialogs/HashCompareDialog.h" -#include "include/Core/Utils/PathUtils.h" -#include "include/GUI/Bars/SettingsTitleBar.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include HashCompareDialog::HashCompareDialog(QWidget* parent) : QDialog(parent) @@ -52,7 +25,7 @@ void HashCompareDialog::initUI() topLayout->setContentsMargins(20, 10, 20, 10); refreshBtn = new QPushButton("Refresh"); - refreshBtn->setIcon(QIcon(":/src/Res/Icons/refresh.png")); + refreshBtn->setIcon(QIcon(":/Icons/refresh.png")); connect(refreshBtn, &QPushButton::clicked, this, &HashCompareDialog::loadHashFiles); topLayout->addWidget(refreshBtn); 
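Review bot: `messageLabel->setTextFormat(Qt::RichText)` makes every message shown by this dialog be parsed as HTML, not just the ones Qt's auto-detection would have caught; any caller that forwards a file path, a DLL export name or an error string containing `<`, `>` or `&` will have that text eaten as markup, and an `<a href>` in such input can render as a link. Unless callers already build HTML on purpose, keep `Qt::AutoText`, or have the setter that fills messageLabel escape plain text with `QString::toHtmlEscaped()` before it is displayed. The `okButton->setObjectName("yesButton")` reuse looks intentional for shared styling but deserves a one-line comment, e.g. `// OK shares the Yes button's stylesheet selector`. initUI starts before this hunk.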
@@ -74,7 +47,7 @@ void HashCompareDialog::initUI() topLayout->addStretch(); exportBtn = new QPushButton("Export Comparison"); - exportBtn->setIcon(QIcon(":/src/Res/Icons/export.png")); + exportBtn->setIcon(QIcon(":/Icons/export.png")); connect(exportBtn, &QPushButton::clicked, this, &HashCompareDialog::exportComparison); exportBtn->setEnabled(false); topLayout->addWidget(exportBtn); @@ -132,7 +105,7 @@ void HashCompareDialog::initUI() void HashCompareDialog::setupStylesheet() { - QFile stylesheetFile(":/src/GUI/Stylesheets/HashCompareDialog.qss"); + QFile stylesheetFile(":/GUI/Stylesheets/HashCompareDialog.qss"); if (stylesheetFile.open(QFile::ReadOnly | QFile::Text)) { @@ -316,13 +289,13 @@ void HashCompareDialog::compareSelected() if (selectedItems.size() < 1) { - QMessageBox::warning(this, "Bind - v1.3.1", "Please select at least one Hash File to view."); + QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, "Please select at least one Hash File to view."); return; } if (selectedItems.size() > 5) { - QMessageBox::warning(this, "Bind - v1.3.1", "Please select at most 5 Hash Files to compare."); + QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, "Please select at most 5 Hash Files to compare."); return; } @@ -523,7 +496,7 @@ void HashCompareDialog::exportComparison() if (selectedItems.isEmpty()) { - QMessageBox::warning(this, "Bind - v1.3.1", "Please select at least one Hash File to export."); + QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, "Please select at least one Hash File to export."); return; } @@ -541,7 +514,7 @@ void HashCompareDialog::exportComparison() QString exportPath = QFileDialog::getSaveFileName( this, - "Bind - v1.3.1", + SYSCALLER_WINDOW_TITLE, "", "CSV Files (*.csv);;HTML Files (*.html);;All Files (*.*)" ); 
@@ -571,12 +544,12 @@ void HashCompareDialog::exportComparison() exportAsCsv(exportPath, selectedFiles); } - QMessageBox::information(this, "Bind - v1.3.1", + QMessageBox::information(this, SYSCALLER_WINDOW_TITLE, QString("Hash Comparison exported successfully to:\n%1").arg(exportPath)); } catch (...) { - QMessageBox::critical(this, "Bind - v1.3.1", "Failed to Export Comparison."); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, "Failed to Export Comparison."); } } @@ -608,7 +581,7 @@ void HashCompareDialog::exportAsCsv(const QString& exportPath, const QStringList if (!file.open(QIODevice::WriteOnly | QIODevice::Text)) { - QMessageBox::critical(this, "Bind - v1.3.1", "Could not create Export File."); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, "Could not create Export File."); return; } @@ -708,7 +681,7 @@ void HashCompareDialog::exportAsHtml(const QString& exportPath, const QStringLis if (!file.open(QIODevice::WriteOnly | QIODevice::Text)) { - QMessageBox::critical(this, "Bind - v1.3.1", "Could not create Export File."); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, "Could not create Export File."); return; } @@ -718,7 +691,7 @@ void HashCompareDialog::exportAsHtml(const QString& exportPath, const QStringLis stream << "\n"; stream << "\n\n"; stream << "\n"; - stream << "Bind - Hash Comparison\n"; + stream << "Hash Comparison\n"; stream << "\n\n\n"; - stream << "

Bind - Hash Comparison

\n"; + stream << "

Hash Comparison

\n"; QString firstTimestamp = fileData.value(selectedFiles.first())["timestamp"].toString(); @@ -850,4 +823,4 @@ void HashCompareDialog::exportAsHtml(const QString& exportPath, const QStringLis QString HashCompareDialog::getProjectPaths() { return PathUtils::getProjectRoot(); -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Dialogs/ObfuscationSelectionDialog.cpp b/Bind/src/GUI/Dialogs/ObfuscationSelectionDialog.cpp index cd4ae9c..e8845a0 100644 --- a/Bind/src/GUI/Dialogs/ObfuscationSelectionDialog.cpp +++ b/Bind/src/GUI/Dialogs/ObfuscationSelectionDialog.cpp @@ -1,19 +1,12 @@ -#include "include/GUI/Dialogs/ObfuscationSelectionDialog.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include ObfuscationSelectionDialog::ObfuscationSelectionDialog(QWidget* parent) : QDialog(parent) , selection(Cancelled) { - setWindowTitle("Bind - v1.3.2"); + setWindowTitle(SYSCALLER_WINDOW_TITLE); setFixedSize(450, 300); setWindowFlags(Qt::Dialog | Qt::FramelessWindowHint); setAttribute(Qt::WA_TranslucentBackground); @@ -23,7 +16,7 @@ ObfuscationSelectionDialog::ObfuscationSelectionDialog(QWidget* parent) void ObfuscationSelectionDialog::setupStylesheet() { - QFile stylesheetFile(":/src/GUI/Stylesheets/ObfuscationSelectionDialog.qss"); + QFile stylesheetFile(":/GUI/Stylesheets/ObfuscationSelectionDialog.qss"); if (stylesheetFile.open(QFile::ReadOnly | QFile::Text)) { 
@@ -37,43 +30,54 @@ void ObfuscationSelectionDialog::setupStylesheet() void ObfuscationSelectionDialog::initUI() { QVBoxLayout* mainLayout = new QVBoxLayout(this); - mainLayout->setContentsMargins(30, 30, 30, 30); - mainLayout->setSpacing(20); + mainLayout->setContentsMargins(0, 0, 0, 0); + mainLayout->setSpacing(0); - titleLabel = new QLabel("Obfuscation Selection"); - titleLabel->setObjectName("title"); - titleLabel->setAlignment(Qt::AlignCenter); - mainLayout->addWidget(titleLabel); + SettingsTitleBar* titleBar = new SettingsTitleBar("Obfuscation Selection", this); + connect(titleBar, &SettingsTitleBar::closeClicked, this, &ObfuscationSelectionDialog::onCancelClicked); + mainLayout->addWidget(titleBar); + + QWidget* contentWidget = new QWidget(); + contentWidget->setObjectName("contentWidget"); + QVBoxLayout* contentLayout = new QVBoxLayout(contentWidget); + contentLayout->setContentsMargins(30, 30, 30, 30); + contentLayout->setSpacing(25); descriptionLabel = new QLabel("Choose the Obfuscation Method you want to use for Syscall Generation:"); descriptionLabel->setObjectName("description"); - descriptionLabel->setAlignment(Qt::AlignCenter); + descriptionLabel->setAlignment(Qt::AlignLeft | Qt::AlignTop); descriptionLabel->setWordWrap(true); - mainLayout->addWidget(descriptionLabel); + contentLayout->addWidget(descriptionLabel); QVBoxLayout* buttonLayout = new QVBoxLayout(); - buttonLayout->setSpacing(15); + buttonLayout->setSpacing(12); normalObfuscationButton = new QPushButton("Normal Obfuscation"); normalObfuscationButton->setToolTip("Runs w/ Obfuscation configured from the Obfuscation Settings for all Syscalls."); + normalObfuscationButton->setMinimumHeight(45); connect(normalObfuscationButton, &QPushButton::clicked, this, &ObfuscationSelectionDialog::onNormalObfuscationClicked); buttonLayout->addWidget(normalObfuscationButton); stubMapperButton = new QPushButton("Stub Mapper"); stubMapperButton->setToolTip("Runs w/ Obfuscation configured from Stub Mapper for 
specially configured Syscalls."); + stubMapperButton->setMinimumHeight(45); connect(stubMapperButton, &QPushButton::clicked, this, &ObfuscationSelectionDialog::onStubMapperClicked); buttonLayout->addWidget(stubMapperButton); - mainLayout->addLayout(buttonLayout); + contentLayout->addLayout(buttonLayout); + + contentLayout->addStretch(); QHBoxLayout* cancelLayout = new QHBoxLayout(); cancelLayout->addStretch(); cancelButton = new QPushButton("Cancel"); cancelButton->setObjectName("cancel"); - cancelButton->setFixedWidth(100); + cancelButton->setMinimumWidth(100); connect(cancelButton, &QPushButton::clicked, this, &ObfuscationSelectionDialog::onCancelClicked); cancelLayout->addWidget(cancelButton); - mainLayout->addLayout(cancelLayout); + contentLayout->addLayout(cancelLayout); + + mainLayout->addWidget(contentWidget); } void ObfuscationSelectionDialog::onNormalObfuscationClicked() @@ -92,4 +96,4 @@ void ObfuscationSelectionDialog::onCancelClicked() { selection = Cancelled; reject(); -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Dialogs/SettingsDialog.cpp b/Bind/src/GUI/Dialogs/SettingsDialog.cpp index d44ff08..a35e949 100644 --- a/Bind/src/GUI/Dialogs/SettingsDialog.cpp +++ b/Bind/src/GUI/Dialogs/SettingsDialog.cpp @@ -1,21 +1,7 @@ -#include "include/GUI/Dialogs/SettingsDialog.h" -#include "include/GUI/Settings/Tabs/GeneralTab.h" -#include "include/GUI/Settings/Tabs/ObfuscationTab.h" -#include "include/GUI/Settings/Tabs/IndirectObfuscationTab.h" -#include "include/GUI/Settings/Tabs/InlineObfuscationTab.h" -#include "include/GUI/Settings/Tabs/IntegrityTab.h" -#include "include/GUI/Settings/Tabs/ProfileTab.h" -#include "include/GUI/Dialogs/StubMapperDialog.h" -#include "include/GUI/Bars/SettingsTitleBar.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include SettingsDialog::SettingsDialog(QWidget* parent) : QDialog(parent) 
@@ -39,6 +25,8 @@ void SettingsDialog::initUI() layout->addWidget(titleBar); tabs = new QTabWidget(); + tabs->setDocumentMode(false); + tabs->setUsesScrollButtons(false); QScrollArea* generalScrollArea = new QScrollArea(); generalScrollArea->setWidgetResizable(true); @@ -114,6 +102,15 @@ void SettingsDialog::initUI() } tabs->addTab(profileScrollArea, "Profile"); + + QTabBar* tabBar = tabs->tabBar(); + if (tabBar) + { + tabBar->setExpanding(true); + tabBar->setDrawBase(false); + tabBar->setUsesScrollButtons(false); + } + layout->addWidget(tabs); QHBoxLayout* buttonLayout = new QHBoxLayout(); @@ -144,7 +141,7 @@ void SettingsDialog::initUI() void SettingsDialog::setupStylesheet() { - QFile stylesheetFile(":/src/GUI/Stylesheets/SettingsDialog.qss"); + QFile stylesheetFile(":/GUI/Stylesheets/SettingsDialog.qss"); if (stylesheetFile.open(QFile::ReadOnly | QFile::Text)) { @@ -186,6 +183,14 @@ void SettingsDialog::saveSettings() integrityTab->saveSettings(); profileTab->saveSettings(); + + settings->sync(); + + if (settings->status() != QSettings::NoError) + { + qWarning() << "Failed to save settings. Status:" << settings->status(); + } + accept(); } @@ -222,3 +227,21 @@ void SettingsDialog::mouseReleaseEvent(QMouseEvent* event) event->accept(); } } + +void SettingsDialog::resizeEvent(QResizeEvent* event) +{ + QDialog::resizeEvent(event); + + if (tabs) + { + QTabBar* tabBar = tabs->tabBar(); + if (tabBar) + { + int tabWidgetWidth = tabs->width(); + if (tabWidgetWidth > 0) + { + tabBar->setMinimumWidth(tabWidgetWidth); + } + } + } +} \ No newline at end of file diff --git a/Bind/src/GUI/Dialogs/StubMapperDialog.cpp b/Bind/src/GUI/Dialogs/StubMapperDialog.cpp index 1e40b1e..ca6f99a 100644 --- a/Bind/src/GUI/Dialogs/StubMapperDialog.cpp +++ b/Bind/src/GUI/Dialogs/StubMapperDialog.cpp 
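Review bot: When `settings->sync()` fails, saveSettings only logs a qWarning and still calls `accept()`, so the dialog closes as if the write succeeded and MainWindow::showSettings (which now acts on `QDialog::Accepted`) proceeds on settings that never reached SysCaller.ini. StubMapperDialog::saveSettings in this same patch surfaces the identical failure with a message box; do the same here, e.g. `QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, QString("Settings could not be written. Status: %1").arg(settings->status()));` before accepting, or keep the dialog open so the user can retry. saveSettings starts before this hunk.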
@@ -1,15 +1,7 @@ -#include "include/GUI/Dialogs/StubMapperDialog.h" -#include "include/Core/Utils/PathUtils.h" -#include "include/GUI/Bars/SettingsTitleBar.h" -#include "include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h" -#include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include StubMapperDialog::StubMapperDialog(QWidget* parent) : QDialog(parent) @@ -237,7 +229,7 @@ void StubMapperDialog::initUI() void StubMapperDialog::setupStylesheet() { - QFile stylesheetFile(":/src/GUI/Stylesheets/StubMapperDialog.qss"); + QFile stylesheetFile(":/GUI/Stylesheets/StubMapperDialog.qss"); if (stylesheetFile.open(QFile::ReadOnly | QFile::Text)) { @@ -283,7 +275,7 @@ void StubMapperDialog::loadSyscalls() if (selectedSyscalls.isEmpty()) { - QString headerPath = PathUtils::getSysCallerPath() + "/Wrapper/include/Sys/sysFunctions.h"; + QString headerPath = PathUtils::getSysCallerPath() + "/Wrapper/include/Sys/SysFunctions.h"; QString syscallMode = settings->value("general/syscall_mode", "Nt").toString(); QString syscallPrefix = (syscallMode == "Nt") ? "Sys" : "SysK"; @@ -555,7 +547,7 @@ void StubMapperDialog::validateCurrentSettings() } else { - QMessageBox::warning(this, "Bind - v1.3.2", "Please select a Syscall first."); + QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, "Please select a Syscall first."); } } 
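Review bot: loadSyscalls still builds the header location by hand (`PathUtils::getSysCallerPath() + "/Wrapper/include/Sys/SysFunctions.h"`) although PathUtils::getSysFunctionsPath(false) in this patch yields exactly that file via `QDir::filePath`, and the literal will drift the next time the header is renamed, as the sysFunctions.h → SysFunctions.h rename here just did. Replace it with `QString headerPath = PathUtils::getSysFunctionsPath(false);`. It also reads `syscallMode` to pick the `SysK` prefix two lines later but never switches to the kernel header for that mode, which is worth confirming as intended. loadSyscalls continues outside the hunk.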
@@ -596,7 +588,18 @@ void StubMapperDialog::saveSettings() } settings->setValue("stub_mapper/syscall_settings", QVariant::fromValue(syscallSettings)); - QMessageBox::information(this, "Bind - v1.3.2", "Custom Syscall Settings have been saved successfully."); + settings->sync(); + + if (settings->status() != QSettings::NoError) + { + QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, + QString("Settings saved but sync failed. Status: %1").arg(settings->status())); + } + else + { + QMessageBox::information(this, SYSCALLER_WINDOW_TITLE, "Custom Syscall Settings have been saved successfully."); + } + accept(); } @@ -668,10 +671,10 @@ bool StubMapperDialog::validateStubSettings(const QMap& setti void StubMapperDialog::showValidationError(const QString& message) { - QMessageBox::critical(this, "Bind - v1.3.2", message); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, message); } void StubMapperDialog::showValidationSuccess(const QString& message) { - QMessageBox::information(this, "Bind - v1.3.2", message); -} + QMessageBox::information(this, SYSCALLER_WINDOW_TITLE, message); +} \ No newline at end of file diff --git a/Bind/src/GUI/MainWindow.cpp b/Bind/src/GUI/MainWindow.cpp index dba680e..b32705e 100644 --- a/Bind/src/GUI/MainWindow.cpp +++ b/Bind/src/GUI/MainWindow.cpp 
@@ -1,26 +1,9 @@ -#include "include/GUI/MainWindow.h" -#include "include/GUI/Bars/TitleBar.h" -#include "include/GUI/Panels/LeftPanel.h" -#include "include/GUI/Panels/RightPanel.h" -#include "include/GUI/Panels/OutputPanel.h" -#include "include/GUI/Bars/StatusBar.h" -#include "include/GUI/Dialogs/SettingsDialog.h" -#include "include/GUI/Threads/ValidatorThread.h" -#include "include/GUI/Threads/CompatibilityThread.h" -#include "include/GUI/Threads/VerificationThread.h" -#include "include/GUI/Threads/ObfuscationThread.h" -#include "include/Core/Utils/PathUtils.h" -#include "include/GUI/Dialogs/ObfuscationSelectionDialog.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include +#include +#include MainWindow::MainWindow(QWidget *parent) : QMainWindow(parent) @@ -30,7 +13,7 @@ MainWindow::MainWindow(QWidget *parent) , verificationThread(nullptr) , obfuscationThread(nullptr) { - setWindowTitle("Bind - v1.3.2"); + setWindowTitle(SYSCALLER_WINDOW_TITLE); setMinimumSize(1400, 900); setWindowFlags(Qt::FramelessWindowHint); setAttribute(Qt::WA_TranslucentBackground); 
@@ -81,33 +64,34 @@ MainWindow::MainWindow(QWidget *parent) MainWindow::~MainWindow() { - if (validatorThread) - { - validatorThread->quit(); - validatorThread->wait(); - delete validatorThread; - } + cleanupThreadHelper(validatorThread); + cleanupThreadHelper(compatibilityThread); + cleanupThreadHelper(verificationThread); + cleanupThreadHelper(obfuscationThread); +} - if (compatibilityThread) +void MainWindow::cleanupThread(QThread*& thread) +{ + if (!thread) { - compatibilityThread->quit(); - compatibilityThread->wait(); - delete compatibilityThread; + return; } - if (verificationThread) + if (thread->isRunning()) { - verificationThread->quit(); - verificationThread->wait(); - delete verificationThread; + thread->requestInterruption(); + thread->quit(); + + if (!thread->wait(Constants::THREAD_TERMINATION_TIMEOUT_MS)) + { + qWarning() << "Thread did not terminate in time, forcing termination"; + thread->terminate(); + thread->wait(Constants::THREAD_FORCE_TERMINATION_TIMEOUT_MS); + } } - if (obfuscationThread) - { - obfuscationThread->quit(); - obfuscationThread->wait(); - delete obfuscationThread; - } + thread->deleteLater(); + thread = nullptr; } void MainWindow::mousePressEvent(QMouseEvent* event) @@ -131,7 +115,10 @@ void MainWindow::mouseMoveEvent(QMouseEvent* event) void MainWindow::showSettings() { SettingsDialog dialog(this); - dialog.exec(); + if (dialog.exec() == QDialog::Accepted) + { + leftPanel->updateButtonStates(); + } } void MainWindow::saveAllSettings() @@ -139,9 +126,20 @@ void MainWindow::saveAllSettings() try { QSettings settings(PathUtils::getIniPath(), QSettings::IniFormat); + settings.sync(); + + if (settings.status() != QSettings::NoError) + { + qWarning() << "Failed to save settings. Status:" << settings.status(); + } + } + catch (const std::exception& e) + { + qWarning() << "Exception while saving settings:" << e.what(); } catch (...) { + qWarning() << "Unknown exception while saving settings"; } } 
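Review bot: The destructor calls `cleanupThreadHelper(...)` while the function defined here is `cleanupThread(QThread*&)`; since the members are presumably typed pointers (ValidatorThread* and so on) that cannot bind to `QThread*&`, a template wrapper is probably declared in the header, but it is not in this patch and the two names should at least line up. The `thread->terminate()` fallback is the risky part: Qt stops the thread mid-statement and leaves any mutex it holds locked, and the obfuscation worker appears to write generated sources with plain QFile (the `defFile.close()` hunks above), so a forced stop can leave a truncated SysCaller.asm or header on disk. `requestInterruption()` only helps if the workers poll `isInterruptionRequested()` at their loop points, so make sure they do, and if the second `wait()` also times out skip `deleteLater()` instead of destroying a running QThread, which Qt treats as fatal.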
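Review bot: Nothing is set through this QSettings instance before `settings.sync()`, so the call is only meaningful if it is meant to flush changes made through other QSettings objects on the same file (Qt shares a per-file cache in-process) or to re-read SysCaller.ini; whichever it is, the function now reads as a no-op. Say so in a comment, e.g. `// Flushes pending writes shared with other QSettings instances on SysCaller.ini and re-reads it`, or remove the function if the dialogs already sync themselves. saveAllSettings starts before this hunk.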
@@ -149,15 +147,16 @@ void MainWindow::runValidation() { if (validatorThread && validatorThread->isRunning()) { - QMessageBox::information(this, "Bind - v1.3.2", "Validation Check is already running. Please wait for it to complete."); + QMessageBox::information(this, SYSCALLER_WINDOW_TITLE, "Validation Check is already running. Please wait for it to complete."); return; } QStringList dllPaths = leftPanel->getDllPaths(); - - if (dllPaths.isEmpty()) + QString errorMessage; + + if (!validateDllPaths(dllPaths, errorMessage)) { - QMessageBox::warning(this, "Bind - v1.3.2", "No DLL Paths specified. Please add at least one NTDLL path."); + QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, errorMessage); return; } @@ -197,7 +196,7 @@ void MainWindow::runValidation() { leftPanel->updateStatus("Validation Failed!"); statusBar->updateStatus("Validation Failed!"); - QMessageBox::critical(this, "Bind - v1.3.2", message); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, message); } validatorThread->deleteLater(); @@ -234,15 +233,16 @@ void MainWindow::runCompatibility() { if (compatibilityThread && compatibilityThread->isRunning()) { - QMessageBox::information(this, "Bind - v1.3.2", "Compatibility Check is already running. Please wait for it to complete."); + QMessageBox::information(this, SYSCALLER_WINDOW_TITLE, "Compatibility Check is already running. Please wait for it to complete."); return; } QStringList dllPaths = leftPanel->getDllPaths(); - - if (dllPaths.isEmpty()) + QString errorMessage; + + if (!validateDllPaths(dllPaths, errorMessage)) { - QMessageBox::warning(this, "Bind - v1.3.2", "No DLL Paths specified. Please add at least one NTDLL path."); + QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, errorMessage); return; } 
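Review bot: The new `validateDllPaths(dllPaths, errorMessage)` call is the only guard before the validator thread is started, yet its definition is not in this patch, so what it verifies cannot be confirmed from the diff. Each accepted path is handed to a worker that parses the file as a PE image (SyscallExtractor::getSyscallsFromDll in Utils.cpp, body not shown here), so the helper should at least reject entries that do not exist, are not regular readable files, or are duplicates, and ideally refuse files without the DOS/NT signatures before a thread walks the export table. A one-line comment at the call site stating what the helper guarantees, e.g. `// validateDllPaths: every entry exists, is a readable regular file and looks like a PE image`, would let a reader trust the thread start below. runValidation continues outside the hunk.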
@@ -282,7 +282,7 @@ void MainWindow::runCompatibility() { leftPanel->updateStatus("Compatibility Failed!"); statusBar->updateStatus("Compatibility Failed!"); - QMessageBox::critical(this, "Bind - v1.3.2", message); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, message); } compatibilityThread->deleteLater(); @@ -296,15 +296,16 @@ void MainWindow::runVerification() { if (verificationThread && verificationThread->isRunning()) { - QMessageBox::information(this, "Bind - v1.3.2", "Verification Check is already running. Please wait for it to complete."); + QMessageBox::information(this, SYSCALLER_WINDOW_TITLE, "Verification Check is already running. Please wait for it to complete."); return; } QStringList dllPaths = leftPanel->getDllPaths(); - - if (dllPaths.isEmpty()) + QString errorMessage; + + if (!validateDllPaths(dllPaths, errorMessage)) { - QMessageBox::warning(this, "Bind - v1.3.2", "No DLL Paths specified. Please add at least one NTDLL path."); + QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, errorMessage); return; } @@ -351,7 +352,7 @@ void MainWindow::runVerification() { leftPanel->updateStatus("Verification Failed!"); statusBar->updateStatus("Verification Failed!"); - QMessageBox::critical(this, "Bind - v1.3.2", message); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, message); } verificationThread->deleteLater(); @@ -365,7 +366,7 @@ void MainWindow::runObfuscation() { if (obfuscationThread && obfuscationThread->isRunning()) { - QMessageBox::information(this, "Bind - v1.3.2", "Syscall Obfuscation is already running. Please wait for it to complete."); + QMessageBox::information(this, SYSCALLER_WINDOW_TITLE, "Syscall Obfuscation is already running. Please wait for it to complete."); return; } 
@@ -388,6 +389,12 @@ void MainWindow::runObfuscation() settings.setValue("obfuscation/force_normal", true); settings.setValue("obfuscation/force_stub_mapper", false); settings.setValue("obfuscation/last_method", "normal"); + settings.sync(); + + if (settings.status() != QSettings::NoError) + { + qWarning() << "Failed to save obfuscation settings. Status:" << settings.status(); + } } else if (selection == ObfuscationSelectionDialog::StubMapper) { @@ -396,6 +403,12 @@ void MainWindow::runObfuscation() settings.setValue("obfuscation/force_normal", false); settings.setValue("obfuscation/force_stub_mapper", true); settings.setValue("obfuscation/last_method", "stub_mapper"); + settings.sync(); + + if (settings.status() != QSettings::NoError) + { + qWarning() << "Failed to save obfuscation settings. Status:" << settings.status(); + } } else { @@ -437,12 +450,13 @@ void MainWindow::runObfuscation() { leftPanel->updateStatus("Obfuscation Failed!"); statusBar->updateStatus("Obfuscation Failed!"); - QMessageBox::critical(this, "Bind - v1.3.2", message); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, message); } QSettings settings(PathUtils::getIniPath(), QSettings::IniFormat); settings.remove("obfuscation/force_normal"); settings.remove("obfuscation/force_stub_mapper"); + settings.sync(); obfuscationThread->deleteLater(); obfuscationThread = nullptr; 
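Review bot: The `settings.sync()` plus status check added here is duplicated verbatim in the StubMapper branch (hunk at -396), while the `settings.sync()` added at -437 has no status check at all. Since both branches fall through to the same point, one `settings.sync()` followed by one `if (settings.status() != QSettings::NoError)` warning placed after the if/else chain covers every branch that sets values, and the same check belongs after the `remove()` calls at -437. As written, a failed write of the `obfuscation/force_*` cleanup is silently ignored, leaving a stale force flag for the next run. runObfuscation begins before this hunk and ends after it.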
@@ -451,5 +465,68 @@ void MainWindow::runObfuscation() obfuscationThread->start(); } +bool MainWindow::validateDllPaths(const QStringList& paths, QString& errorMessage) +{ + if (paths.isEmpty()) + { + errorMessage = "No DLL Paths specified. Please add at least one NTDLL path."; + return false; + } + + for (const QString& path : paths) + { + if (path.isEmpty()) + { + errorMessage = "One or more DLL paths are empty."; + return false; + } + + if (path.length() > Constants::MAX_FILE_PATH_LENGTH) + { + errorMessage = QString("DLL path exceeds maximum length (%1 characters): %2") + .arg(Constants::MAX_FILE_PATH_LENGTH) + .arg(path); + return false; + } + + QFileInfo fileInfo(path); + if (!fileInfo.exists()) + { + errorMessage = QString("DLL file does not exist: %1").arg(path); + return false; + } + + if (!fileInfo.isFile()) + { + errorMessage = QString("Path is not a file: %1").arg(path); + return false; + } + + if (!fileInfo.isReadable()) + { + errorMessage = QString("DLL file is not readable: %1").arg(path); + return false; + } + + QString suffix = fileInfo.suffix().toLower(); + if (suffix != "dll") + { + errorMessage = QString("File is not a DLL: %1").arg(path); + return false; + } + } + + return true; +} + void MainWindow::closeEvent(QCloseEvent* event) -{} +{ + saveAllSettings(); + + cleanupThreadHelper(validatorThread); + cleanupThreadHelper(compatibilityThread); + cleanupThreadHelper(verificationThread); + cleanupThreadHelper(obfuscationThread); + + event->accept(); +} \ No newline at end of file diff --git a/Bind/src/GUI/Panels/LeftPanel.cpp b/Bind/src/GUI/Panels/LeftPanel.cpp index 734f9ed..bae3d73 100644 --- a/Bind/src/GUI/Panels/LeftPanel.cpp +++ b/Bind/src/GUI/Panels/LeftPanel.cpp 
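Review bot: validateDllPaths accepts any readable file whose name ends in `.dll`; the suffix says nothing about the content, and it is the worker threads that later parse the file's PE structures. A cheap content check here, reading the first two bytes and requiring the `MZ` signature, rejects mislabelled files before they reach the parsers, which must still bounds-check every header they read because the file is user-supplied (`<QFile>` needs to be included if MainWindow.cpp does not already do so). These checks are also inherently racy against the filesystem, so the workers should treat open/read failures as ordinary errors rather than relying on this pre-validation. In closeEvent the call order is worth a comment, since `saveAllSettings()` runs before the workers are stopped: `// persist settings first so a stuck worker cannot block the save`.
```cpp
        QString suffix = fileInfo.suffix().toLower();
        // … unchanged: suffix check …

        // The name alone does not prove this is a PE image; a two-byte
        // signature check rejects mislabelled files before the PE parsers run.
        QFile dllFile(path);
        if (!dllFile.open(QIODevice::ReadOnly) || dllFile.read(2) != QByteArray("MZ"))
        {
            errorMessage = QString("File is not a valid PE image (missing MZ signature): %1").arg(path);
            return false;
        }
```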
@@ -1,18 +1,8 @@ -#include "include/GUI/Panels/LeftPanel.h" -#include "include/GUI/Bars/ProgressBar.h" -#include "include/GUI/Buttons/BindButton.h" -#include "include/GUI/Dialogs/ChangelogDialog.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include +#include LeftPanel::LeftPanel(QWidget* parent) : QFrame(parent) @@ -33,7 +23,7 @@ LeftPanel::LeftPanel(QWidget* parent) topSection->setAlignment(Qt::AlignCenter); logoImage = new QLabel(this); - logoImage->setPixmap(QPixmap(":/src/Res/Icons/syscaller.png") + logoImage->setPixmap(QPixmap(":/Icons/syscaller.png") .scaled(128, 128, Qt::KeepAspectRatio, Qt::SmoothTransformation)); logoImage->setFixedSize(128, 128); logoImage->setAlignment(Qt::AlignCenter); @@ -52,12 +42,12 @@ LeftPanel::LeftPanel(QWidget* parent) logoLabel->setAlignment(Qt::AlignCenter); topSection->addWidget(logoLabel, 0, Qt::AlignCenter); - versionLabel = new QLabel("v1.3.2", this); + versionLabel = new QLabel(SYSCALLER_VERSION_STRING_FULL, this); versionLabel->setStyleSheet("color: #666666; font-size: 12px;"); versionLabel->setAlignment(Qt::AlignCenter); versionLabel->setCursor(Qt::PointingHandCursor); versionLabel->setTextFormat(Qt::RichText); - versionLabel->setText("v1.3.2"); + versionLabel->setText(QString("%1").arg(SYSCALLER_VERSION_STRING_FULL)); topSection->addWidget(versionLabel, 0, Qt::AlignCenter); layout->addLayout(topSection); @@ -166,9 +156,9 @@ LeftPanel::LeftPanel(QWidget* parent) validateBtn = new BindButton( " Validation Check", - ":/src/Res/Icons/validation.png", + ":/Icons/validation.png", "Bind Validation", - "Analyzes and updates syscall offsets in syscaller.asm by comparing against ntdll.dll.

" + "Analyzes and updates syscall offsets in SysCaller.asm by comparing against ntdll.dll.

" "• Disassembles ntdll.dll exports to extract syscall IDs and ensures correct mapping
" "• Updates or removes syscalls based on their presence in the current systems ntdll.dll" ); @@ -176,7 +166,7 @@ LeftPanel::LeftPanel(QWidget* parent) compatibilityBtn = new BindButton( " Compatibility Check", - ":/src/Res/Icons/compatibility.png", + ":/Icons/compatibility.png", "Bind Compatibility", "Performs compatibility analysis of syscalls against ntdll.dll:

" "• Detects duplicate syscall names and offsets
" @@ -188,7 +178,7 @@ LeftPanel::LeftPanel(QWidget* parent) verifyBtn = new BindButton( " Verification Check", - ":/src/Res/Icons/verification.png", + ":/Icons/verification.png", "Bind Verification", "Performs comprehensive syscall verification:

" "• Validates return types (NTSTATUS, BOOL, HANDLE, etc.)
" @@ -200,7 +190,7 @@ LeftPanel::LeftPanel(QWidget* parent) obfuscateBtn = new BindButton( " Obfuscation", - ":/src/Res/Icons/obfuscation.png", + ":/Icons/obfuscation.png", "Bind Obfuscation", "Obfuscates syscalls to enhance protection:

" "• Randomizes syscall names and offsets
" @@ -212,7 +202,7 @@ LeftPanel::LeftPanel(QWidget* parent) settingsBtn = new BindButton( " Settings", - ":/src/Res/Icons/settings.png", + ":/Icons/settings.png", "Bind Settings", "Configure SysCaller project settings" ); @@ -258,13 +248,15 @@ LeftPanel::LeftPanel(QWidget* parent) connect(verifyBtn, &BindButton::clicked, this, &LeftPanel::verificationButtonClicked); connect(obfuscateBtn, &BindButton::clicked, this, &LeftPanel::obfuscationButtonClicked); connect(versionLabel, &QLabel::linkActivated, this, &LeftPanel::showChangelogDialog); + + updateButtonStatesFromSettings(); } void LeftPanel::browseDll() { QString dllPath = QFileDialog::getOpenFileName( this, - "Bind - v1.3.2", + SYSCALLER_WINDOW_TITLE, "", "DLL Files (*.dll);;All Files (*.*)" ); @@ -373,3 +365,55 @@ void LeftPanel::showChangelogDialog() ChangelogDialog dialog(this); dialog.exec(); } + +void LeftPanel::updateButtonStates() +{ + updateButtonStatesFromSettings(); +} + +void LeftPanel::updateButtonStatesFromSettings() +{ + QString iniPath = PathUtils::getIniPath(); + QSettings settings(iniPath, QSettings::IniFormat); + + bool indirectMode = settings.value("general/indirect_assembly", false).toBool(); + + if (indirectMode) + { + compatibilityBtn->setEnabled(false); + compatibilityBtn->setToolTip("Bind Compatibility
" + "Performs compatibility analysis of syscalls against ntdll.dll:

" + "• Detects duplicate syscall names and offsets
" + "• Validates both Nt and Zw syscall variants
" + "• Verifies offset matches between implementation and DLL
" + "• Reports valid, invalid, and duplicate syscalls with detailed status

" + "Disabled in Indirect Syscall Mode"); + + verifyBtn->setEnabled(false); + verifyBtn->setToolTip("Bind Verification
" + "Performs comprehensive syscall verification:

" + "• Validates return types (NTSTATUS, BOOL, HANDLE, etc.)
" + "• Verifies parameter types against system headers
" + "• Checks offset ranges (0x0000-0x0200)
" + "• Traces type definitions in header files

" + "Disabled in Indirect Syscall Mode"); + } + else + { + compatibilityBtn->setEnabled(true); + compatibilityBtn->setToolTip("Bind Compatibility
" + "Performs compatibility analysis of syscalls against ntdll.dll:

" + "• Detects duplicate syscall names and offsets
" + "• Validates both Nt and Zw syscall variants
" + "• Verifies offset matches between implementation and DLL
" + "• Reports valid, invalid, and duplicate syscalls with detailed status"); + + verifyBtn->setEnabled(true); + verifyBtn->setToolTip("Bind Verification
" + "Performs comprehensive syscall verification:

" + "• Validates return types (NTSTATUS, BOOL, HANDLE, etc.)
" + "• Verifies parameter types against system headers
" + "• Checks offset ranges (0x0000-0x0200)
" + "• Traces type definitions in header files"); + } +} \ No newline at end of file diff --git a/Bind/src/GUI/Panels/OutputPanel.cpp b/Bind/src/GUI/Panels/OutputPanel.cpp index 9354583..4328fd3 100644 --- a/Bind/src/GUI/Panels/OutputPanel.cpp +++ b/Bind/src/GUI/Panels/OutputPanel.cpp @@ -1,4 +1,4 @@ -#include "include/GUI/Panels/OutputPanel.h" +#include OutputPanel::OutputPanel(QWidget* parent) : QTextEdit(parent) @@ -26,4 +26,4 @@ void OutputPanel::appendText(const QString& text) void OutputPanel::clearText() { clear(); -} \ No newline at end of file +} \ No newline at end of file diff --git a/Bind/src/GUI/Panels/RightPanel.cpp b/Bind/src/GUI/Panels/RightPanel.cpp index 7e54d9b..ea737b3 100644 --- a/Bind/src/GUI/Panels/RightPanel.cpp +++ b/Bind/src/GUI/Panels/RightPanel.cpp @@ -1,7 +1,5 @@ -#include "include/GUI/Panels/RightPanel.h" -#include "include/GUI/Panels/OutputPanel.h" -#include -#include +#include +#include RightPanel::RightPanel(QWidget* parent) : QFrame(parent) @@ -34,4 +32,4 @@ void RightPanel::appendOutput(const QString& text) void RightPanel::clearOutput() { outputText->clearText(); -} \ No newline at end of file +} \ No newline at end of file diff --git a/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp b/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp index 8d23fb8..69736fd 100644 --- a/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp +++ b/Bind/src/GUI/Settings/Tabs/GeneralTab.cpp @@ -1,16 +1,6 @@ -#include "include/GUI/Settings/Tabs/GeneralTab.h" -#include "include/GUI/Dialogs/HashCompareDialog.h" -#include "include/GUI/Dialogs/ConfirmationDialog.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include GeneralTab::GeneralTab(QSettings* settings, QWidget* parent) : QWidget(parent) 
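Review bot: updateButtonStatesFromSettings repeats each of the two tooltips twice, once with and once without the trailing "Disabled in Indirect Syscall Mode" line, and the same base text appears a third time in the BindButton constructors earlier in the file (hunks at -166 and -178). Keep one file-local `static const QString` per tooltip and derive the disabled variant by appending a shared suffix, e.g. `compatibilityBtn->setToolTip(indirectMode ? kCompatibilityTip + kDisabledSuffix : kCompatibilityTip);`, and collapse the two branches with `compatibilityBtn->setEnabled(!indirectMode);` so the copies cannot drift apart. The function also re-reads `general/indirect_assembly` from the INI on every call, which is fine for a dialog-close refresh but deserves a comment on the declaration: `// Re-reads the INI; call only after the settings file has been synced`. updateButtonStates is a bare forwarder and could simply be the public name of this function.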
@@ -100,7 +90,7 @@ void GeneralTab::initUI() { bindingsDisableRadio->setChecked(true); } - inlineAssemblyGroup = new QGroupBox("Syscall Mode"); + inlineAssemblyGroup = new QGroupBox("Assembly Mode"); QVBoxLayout* inlineAssemblyLayout = new QVBoxLayout(); QLabel* inlineDesc = new QLabel("Select a mode for syscall generation."); @@ -147,9 +137,6 @@ void GeneralTab::initUI() this->indirectAssemblyRadio = indirectAssemblyRadio; this->assemblyModeGroup = assemblyModeGroup; - connect(directAssemblyRadio, &QRadioButton::toggled, this, &GeneralTab::onAssemblyModeChanged); - connect(inlineAssemblyRadio, &QRadioButton::toggled, this, &GeneralTab::onAssemblyModeChanged); - connect(indirectAssemblyRadio, &QRadioButton::toggled, this, &GeneralTab::onAssemblyModeChanged); inlineAssemblyGroup->setLayout(inlineAssemblyLayout); layout->addWidget(inlineAssemblyGroup); QGroupBox* hashStubsGroup = new QGroupBox("Hash Stubs"); @@ -250,11 +237,44 @@ void GeneralTab::onModeChanged() } } -void GeneralTab::onAssemblyModeChanged() { +bool GeneralTab::validateSettings() +{ + if (inlineAssemblyRadio && indirectAssemblyRadio && directAssemblyRadio) + { + bool hasSelection = inlineAssemblyRadio->isChecked() || + indirectAssemblyRadio->isChecked() || + directAssemblyRadio->isChecked(); + + if (!hasSelection) + { + QMessageBox::warning(this, SYSCALLER_WINDOW_TITLE, + "No assembly mode selected. Defaulting to Direct Syscall Mode."); + directAssemblyRadio->setChecked(true); + } + } + + if (!ntModeRadio || !zwModeRadio) + { + qWarning() << "Mode radio buttons not initialized"; + return false; + } + + if (!settings) + { + qWarning() << "Settings object is null"; + return false; + } + + return true; } void GeneralTab::saveSettings() { + if (!validateSettings()) + { + return; + } + settings->setValue("general/create_backup", createBackup->isChecked()); settings->setValue("general/hash_stubs", hashStubs->isChecked()); settings->setValue("general/bindings_enabled", bindingsEnableRadio->isChecked()); 
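Review bot: validateSettings mixes a UI side effect with validation: it pops a QMessageBox and mutates `directAssemblyRadio` when no assembly mode is selected and then returns true, while the null checks it does perform (`ntModeRadio`, `zwModeRadio`, `settings`) do not cover `createBackup`, `hashStubs` or `bindingsEnableRadio`, which saveSettings dereferences on the very next lines. Either check every widget saveSettings touches or drop the partial checks; the three radios are presumably in an exclusive group, in which case the "no selection" branch is unreachable in practice and a comment stating that is clearer than a dialog. A doc comment on the declaration would help: `// Returns false only when the tab is not fully constructed; may reset the assembly-mode radio to Direct`. The `onAssemblyModeChanged` connections removed at -147 are not replaced, so anything besides validation that depended on that slot is now disconnected. saveSettings continues beyond the hunk.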
@@ -281,7 +301,7 @@ void GeneralTab::saveSettings() if (modeChanged) { - ConfirmationDialog infoDialog("Bind - v1.3.2", this); + ConfirmationDialog infoDialog(SYSCALLER_WINDOW_TITLE, this); infoDialog.setMessage(QString("The syscall mode has been changed from %1 to %2.\n\n" "This change affects which files are processed:\n" "- Nt Mode: User mode files in SysCaller directory\n" @@ -375,11 +395,11 @@ void GeneralTab::restoreDefaultFiles() bool isKernelMode = settings->value("general/syscall_mode", "Nt").toString() == "Zw"; QString modeText = isKernelMode ? "kernel mode" : "user mode"; QString filePathText = isKernelMode ? "SysCallerK directory" : "SysCaller directory"; - QString headerName = isKernelMode ? "sysFunctions_k.h" : "sysFunctions.h"; + QString headerName = isKernelMode ? "SysKFunctions.h" : "SysFunctions.h"; - ConfirmationDialog confirmDialog("Bind - v1.3.2", this); + ConfirmationDialog confirmDialog(SYSCALLER_WINDOW_TITLE, this); confirmDialog.setMessage(QString("Are you sure you want to restore default %1 files?\n\n" - "This will overwrite your current syscaller.asm and %2 files in the %3.") + "This will overwrite your current SysCaller.asm and %2 files in the %3.") .arg(modeText, headerName, filePathText)); if (confirmDialog.exec() != QDialog::Accepted || confirmDialog.getResult() != ConfirmationDialog::Yes) @@ -396,7 +416,7 @@ void GeneralTab::restoreDefaultFiles() if (!QFile::exists(defaultAsmPath) || !QFile::exists(defaultHeaderPath)) { - ConfirmationDialog warningDialog("Bind - v1.3.2", this); + ConfirmationDialog warningDialog(SYSCALLER_WINDOW_TITLE, this); warningDialog.setMessage("Default files not found in Default directory."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); 
@@ -408,38 +428,67 @@ void GeneralTab::restoreDefaultFiles() createBackupFiles(); } + QDir().mkpath(QFileInfo(asmPath).absolutePath()); + QDir().mkpath(QFileInfo(headerPath).absolutePath()); + if (QFile::exists(asmPath)) { - QFile::remove(asmPath); + if (!QFile::remove(asmPath)) + { + ConfirmationDialog errorDialog(SYSCALLER_WINDOW_TITLE, this); + errorDialog.setMessage(QString("Failed to remove existing ASM file:\n%1\n\nFile may be locked by another process.") + .arg(asmPath)); + errorDialog.setButtons(false, false, true, false); + errorDialog.exec(); + return; + } } - + if (QFile::exists(headerPath)) { - QFile::remove(headerPath); + if (!QFile::remove(headerPath)) + { + ConfirmationDialog errorDialog(SYSCALLER_WINDOW_TITLE, this); + errorDialog.setMessage(QString("Failed to remove existing header file:\n%1\n\nFile may be locked by another process.") + .arg(headerPath)); + errorDialog.setButtons(false, false, true, false); + errorDialog.exec(); + return; + } } - + bool asmCopied = QFile::copy(defaultAsmPath, asmPath); bool headerCopied = QFile::copy(defaultHeaderPath, headerPath); if (!asmCopied || !headerCopied) { - ConfirmationDialog errorDialog("Bind - v1.3.2", this); - errorDialog.setMessage(QString("Failed to copy files:\nASM: %1\nHeader: %2") - .arg(asmCopied ? "Success" : "Failed") - .arg(headerCopied ? 
"Success" : "Failed")); + QString errorDetails; + if (!asmCopied) + { + errorDetails += QString("Failed to copy ASM file from:\n%1\nto:\n%2\n\n") + .arg(defaultAsmPath, asmPath); + } + if (!headerCopied) + { + errorDetails += QString("Failed to copy header file from:\n%1\nto:\n%2\n\n") + .arg(defaultHeaderPath, headerPath); + } + + ConfirmationDialog errorDialog(SYSCALLER_WINDOW_TITLE, this); + errorDialog.setMessage(errorDetails + "Please check file permissions and disk space."); errorDialog.setButtons(false, false, true, false); errorDialog.exec(); return; } - ConfirmationDialog infoDialog("Bind - v1.3.2", this); + ConfirmationDialog infoDialog(SYSCALLER_WINDOW_TITLE, this); infoDialog.setMessage(QString("Default %1 files have been restored successfully!").arg(modeText)); infoDialog.setButtons(false, false, true, false); infoDialog.exec(); } catch (...) { - ConfirmationDialog errorDialog("Bind - v1.3.2", this); + ConfirmationDialog errorDialog(SYSCALLER_WINDOW_TITLE, this); errorDialog.setMessage("An error occurred while restoring default files."); errorDialog.setButtons(false, true, false); errorDialog.exec(); @@ -455,15 +504,15 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (!completeBackups.contains(timestamp)) { - ConfirmationDialog warningDialog("Bind - v1.3.2", this); + ConfirmationDialog warningDialog(SYSCALLER_WINDOW_TITLE, this); warningDialog.setMessage(QString("Could not find complete backup set for timestamp %1").arg(timestamp)); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); return; } - QString backupAsmPath = QString("%1/syscaller_%2.asm").arg(backupsDir, timestamp); - QString backupHeaderPath = QString("%1/sysFunctions_%2.h").arg(backupsDir, timestamp); + QString backupAsmPath = QString("%1/SysCaller_%2.asm").arg(backupsDir, timestamp); + QString backupHeaderPath = QString("%1/SysFunctions_%2.h").arg(backupsDir, timestamp); QStringList missingFiles; if (!QFile::exists(backupAsmPath)) 
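Review bot: The restore sequence still deletes the user's current ASM and header files before it knows the copies will succeed, so a failing `QFile::copy` (permissions, disk full) now leaves the target directory with neither file; and the two `QDir().mkpath(...)` calls added at the top of the hunk ignore their return value, so a failed mkpath only surfaces as the later copy error. Copy each default to a temporary name beside the target and `QFile::rename` it over the original, or at minimum copy the header only after the ASM copy succeeded and restore the removed file on failure. Checking mkpath is a one-liner per path: `if (!QDir().mkpath(QFileInfo(asmPath).absolutePath())) { /* report via ConfirmationDialog and return */ }`. The `createBackupFiles()` call just above returns void, so a failed backup is logged but the removal proceeds regardless (see the hunk at -698). restoreDefaultFiles begins before this hunk.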
@@ -478,16 +527,16 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (!missingFiles.isEmpty()) { - ConfirmationDialog warningDialog("Bind - v1.3.2", this); + ConfirmationDialog warningDialog(SYSCALLER_WINDOW_TITLE, this); warningDialog.setMessage(QString("Could not find the following backup files:\n%1").arg(missingFiles.join("\n"))); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); return; } - ConfirmationDialog confirmDialog("Bind - v1.3.2", this); + ConfirmationDialog confirmDialog(SYSCALLER_WINDOW_TITLE, this); confirmDialog.setMessage(QString("Are you sure you want to restore from backup files dated %1?\n\n" - "This will overwrite your current syscaller.asm and sysFunctions.h files.") + "This will overwrite your current SysCaller.asm and SysFunctions.h files.") .arg(formatTimestamp(timestamp))); if (confirmDialog.exec() != QDialog::Accepted || confirmDialog.getResult() != ConfirmationDialog::Yes) @@ -504,7 +553,7 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (QFile::exists(asmPath) && isFileLocked(asmPath)) { - ConfirmationDialog warningDialog("Bind - v1.3.2", this); + ConfirmationDialog warningDialog(SYSCALLER_WINDOW_TITLE, this); warningDialog.setMessage("The ASM file appears to be locked by another process. Close any applications that might be using it and try again."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); @@ -513,7 +562,7 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (QFile::exists(headerPath) && isFileLocked(headerPath)) { - ConfirmationDialog warningDialog("Bind - v1.3.2", this); + ConfirmationDialog warningDialog(SYSCALLER_WINDOW_TITLE, this); warningDialog.setMessage("The header file appears to be locked by another process. Close any applications that might be using it and try again."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); 
@@ -554,7 +603,7 @@ void GeneralTab::restoreBackup(const QString& timestamp) if (asmRestored && headerRestored) { - ConfirmationDialog infoDialog("Bind - v1.3.2", this); + ConfirmationDialog infoDialog(SYSCALLER_WINDOW_TITLE, this); infoDialog.setMessage(QString("Files have been restored from backup successfully!\n\nBackup date: %1") .arg(formatTimestamp(timestamp))); infoDialog.setButtons(false, false, true, false); @@ -562,21 +611,21 @@ void GeneralTab::restoreBackup(const QString& timestamp) } else if (!asmRestored && headerRestored) { - ConfirmationDialog warningDialog("Bind - v1.3.2", this); + ConfirmationDialog warningDialog(SYSCALLER_WINDOW_TITLE, this); warningDialog.setMessage("Only the header file was restored successfully. The ASM file could not be restored."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); } else if (asmRestored && !headerRestored) { - ConfirmationDialog warningDialog("Bind - v1.3.2", this); + ConfirmationDialog warningDialog(SYSCALLER_WINDOW_TITLE, this); warningDialog.setMessage("Only the ASM file was restored successfully. The header file could not be restored."); warningDialog.setButtons(false, false, true, false); warningDialog.exec(); } else { - ConfirmationDialog errorDialog("Bind - v1.3.2", this); + ConfirmationDialog errorDialog(SYSCALLER_WINDOW_TITLE, this); errorDialog.setMessage("Failed to restore both files from backup."); errorDialog.setButtons(false, false, true, false); errorDialog.exec(); @@ -584,7 +633,7 @@ void GeneralTab::restoreBackup(const QString& timestamp) } catch (...) { - ConfirmationDialog errorDialog("Bind - v1.3.2", this); + ConfirmationDialog errorDialog(SYSCALLER_WINDOW_TITLE, this); errorDialog.setMessage("An error occurred while restoring backup files."); errorDialog.setButtons(false, true, false); errorDialog.exec(); 
@@ -659,7 +708,7 @@ QStringList GeneralTab::getAvailableBackups() } QStringList filters; - filters << "syscaller_*.asm"; + filters << "SysCaller_*.asm"; QFileInfoList asmFiles = dir.entryInfoList(filters, QDir::Files); @@ -667,10 +716,10 @@ QStringList GeneralTab::getAvailableBackups() { QString fileName = asmFile.fileName(); - if (fileName.startsWith("syscaller_") && fileName.endsWith(".asm")) + if (fileName.startsWith("SysCaller_") && fileName.endsWith(".asm")) { QString timestamp = fileName.mid(10, fileName.length() - 14); - QString headerFile = QString("sysFunctions_%1.h").arg(timestamp); + QString headerFile = QString("SysFunctions_%1.h").arg(timestamp); QString headerPath = QString("%1/%2").arg(backupsDir, headerFile); if (QFile::exists(headerPath)) @@ -698,17 +747,23 @@ void GeneralTab::createBackupFiles() QString asmPath = PathUtils::getSysCallerAsmPath(isKernelMode); QString headerPath = PathUtils::getSysFunctionsPath(isKernelMode); - QString backupAsmPath = QString("%1/syscaller_%2.asm").arg(backupsDir, timestamp); - QString backupHeaderPath = QString("%1/sysFunctions_%2.h").arg(backupsDir, timestamp); + QString backupAsmPath = QString("%1/SysCaller_%2.asm").arg(backupsDir, timestamp); + QString backupHeaderPath = QString("%1/SysFunctions_%2.h").arg(backupsDir, timestamp); if (QFile::exists(asmPath)) { - QFile::copy(asmPath, backupAsmPath); + if (!QFile::copy(asmPath, backupAsmPath)) + { + qWarning() << "Failed to create backup of ASM file:" << asmPath; + } } if (QFile::exists(headerPath)) { - QFile::copy(headerPath, backupHeaderPath); + if (!QFile::copy(headerPath, backupHeaderPath)) + { + qWarning() << "Failed to create backup of header file:" << headerPath; + } } } catch (...) @@ -764,4 +819,4 @@ bool GeneralTab::restoreFileWithRetry(const QString& sourcePath, const QString& } return false; -} +} \ No newline at end of file 
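Review bot: createBackupFiles now logs a failed `QFile::copy` but still returns void, so callers cannot tell that no backup exists; restoreDefaultFiles calls it immediately before removing the originals (hunk at -408), which means the one situation the backup guards against is exactly the one it silently ignores. Make the function return `bool` (false if either copy failed) and have the restore paths abort or ask for confirmation when it returns false; the `catch (...)` branch at the end of the hunk should return false as well. `QFile::copy` also refuses to overwrite, so two backups sharing a timestamp fail with the same warning; include the destination in the message to make that visible: `qWarning() << "Failed to create backup of ASM file:" << asmPath << "->" << backupAsmPath;`. The rest of createBackupFiles lies outside the hunk.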
diff --git a/Bind/src/GUI/Settings/Tabs/IndirectObfuscationTab.cpp b/Bind/src/GUI/Settings/Tabs/IndirectObfuscationTab.cpp index eaea4d2..2fe6871 100644 --- a/Bind/src/GUI/Settings/Tabs/IndirectObfuscationTab.cpp +++ b/Bind/src/GUI/Settings/Tabs/IndirectObfuscationTab.cpp @@ -1,7 +1,5 @@ -#include "include/GUI/Settings/Tabs/IndirectObfuscationTab.h" -#include -#include -#include +#include +#include IndirectObfuscationTab::IndirectObfuscationTab(QSettings* settings, QWidget* parent) : QWidget(parent) @@ -151,5 +149,4 @@ void IndirectObfuscationTab::saveSettings() } void IndirectObfuscationTab::loadSettings() -{ -} +{} \ No newline at end of file diff --git a/Bind/src/GUI/Settings/Tabs/InlineObfuscationTab.cpp b/Bind/src/GUI/Settings/Tabs/InlineObfuscationTab.cpp index 00d1f14..9f4d971 100644 --- a/Bind/src/GUI/Settings/Tabs/InlineObfuscationTab.cpp +++ b/Bind/src/GUI/Settings/Tabs/InlineObfuscationTab.cpp @@ -1,6 +1,5 @@ -#include "include/GUI/Settings/Tabs/InlineObfuscationTab.h" -#include -#include +#include +#include InlineObfuscationTab::InlineObfuscationTab(QSettings* settings, QWidget* parent) : QWidget(parent) @@ -22,4 +21,4 @@ void InlineObfuscationTab::initUI() void InlineObfuscationTab::saveSettings() { -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Settings/Tabs/IntegrityTab.cpp b/Bind/src/GUI/Settings/Tabs/IntegrityTab.cpp index fabcf06..1f08f31 100644 --- a/Bind/src/GUI/Settings/Tabs/IntegrityTab.cpp +++ b/Bind/src/GUI/Settings/Tabs/IntegrityTab.cpp @@ -1,11 +1,5 @@ -#include "include/GUI/Settings/Tabs/IntegrityTab.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include -#include -#include -#include -#include +#include +#include IntegrityTab::IntegrityTab(QSettings* settings, QWidget* parent) : QWidget(parent) diff --git a/Bind/src/GUI/Settings/Tabs/ObfuscationTab.cpp b/Bind/src/GUI/Settings/Tabs/ObfuscationTab.cpp index b34f2ba..e1bdbe3 100644 --- a/Bind/src/GUI/Settings/Tabs/ObfuscationTab.cpp 
+++ b/Bind/src/GUI/Settings/Tabs/ObfuscationTab.cpp @@ -1,6 +1,6 @@ -#include "include/GUI/Settings/Tabs/ObfuscationTab.h" -#include "include/Core/Obfuscation/Direct/Encryption/DirectEncryptor.h" -#include +#include +#include +#include ObfuscationTab::ObfuscationTab(QSettings* settings, QWidget* parent) : QWidget(parent) @@ -175,4 +175,5 @@ void ObfuscationTab::saveSettings() settings->setValue("obfuscation/control_flow_indirect_jumps", indirectJumps->isChecked()); settings->setValue("obfuscation/control_flow_conditional_branches", conditionalBranches->isChecked()); settings->setValue("obfuscation/control_flow_complexity", controlFlowComplexity->value()); + /* sync() is called by SettingsDialog::saveSettings() */ } \ No newline at end of file diff --git a/Bind/src/GUI/Settings/Tabs/ProfileTab.cpp b/Bind/src/GUI/Settings/Tabs/ProfileTab.cpp index e66f674..85a303a 100644 --- a/Bind/src/GUI/Settings/Tabs/ProfileTab.cpp +++ b/Bind/src/GUI/Settings/Tabs/ProfileTab.cpp @@ -1,7 +1,5 @@ -#include "include/GUI/Settings/Tabs/ProfileTab.h" -#include "include/Core/Utils/PathUtils.h" -#include -#include +#include +#include ProfileTab::ProfileTab(QSettings* settings, QWidget* parent) : QWidget(parent) @@ -97,19 +95,19 @@ void ProfileTab::exportProfile() exportSettings.sync(); - QMessageBox::information(this, "Bind - v1.3.2", + QMessageBox::information(this, SYSCALLER_WINDOW_TITLE, QString("Profile exported to:\n%1") .arg(QDir::toNativeSeparators(QFileInfo(path).absoluteFilePath()))); } catch (...) { - QMessageBox::critical(this, "Bind - v1.3.2", "Failed to export profile."); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, "Failed to export profile."); } } void ProfileTab::importProfile() { - QString path = QFileDialog::getOpenFileName(this, "Bind - v1.3.2", "", "INI Files (*.ini);;All Files (*)"); + QString path = QFileDialog::getOpenFileName(this, SYSCALLER_WINDOW_TITLE, "", "INI Files (*.ini);;All Files (*)"); if (path.isEmpty()) { 
@@ -118,15 +116,60 @@ void ProfileTab::importProfile() try { + QFileInfo sourceInfo(path); + if (!sourceInfo.exists() || !sourceInfo.isFile() || !sourceInfo.isReadable()) + { + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, + QString("Cannot read source profile file:\n%1").arg(path)); + return; + } + QString iniPath = PathUtils::getIniPath(); + + QString backupPath = iniPath + ".backup"; + if (QFile::exists(iniPath)) + { + if (!QFile::copy(iniPath, backupPath)) + { + qWarning() << "Failed to create backup of current settings before import"; + } + } + settings->sync(); delete settings; settings = nullptr; - QFile::remove(iniPath); - QFile::copy(path, iniPath); + if (QFile::exists(iniPath)) + { + if (!QFile::remove(iniPath)) + { + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, + QString("Failed to remove existing settings file:\n%1\n\nFile may be locked.") + .arg(iniPath)); + return; + } + } + + if (!QFile::copy(path, iniPath)) + { + if (QFile::exists(backupPath)) + { + QFile::copy(backupPath, iniPath); + QFile::remove(backupPath); + } + + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, + QString("Failed to copy profile file:\n%1\nto:\n%2") + .arg(path, iniPath)); + return; + } + + if (QFile::exists(backupPath)) + { + QFile::remove(backupPath); + } - QMessageBox::information(this, "Bind - v1.3.2", + QMessageBox::information(this, SYSCALLER_WINDOW_TITLE, QString("Profile imported from:\n%1\n\nSysCaller will now restart to use the imported profile.") .arg(QDir::toNativeSeparators(QFileInfo(path).absoluteFilePath()))); @@ -135,10 +178,9 @@ void ProfileTab::importProfile() } catch (...) { - QMessageBox::critical(this, "Bind - v1.3.2", "Failed to import profile."); + QMessageBox::critical(this, SYSCALLER_WINDOW_TITLE, "Failed to import profile."); } } void ProfileTab::saveSettings() -{ -} \ No newline at end of file +{} \ No newline at end of file 
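Review bot: The backup taken at the top of importProfile can be stale: `QFile::copy` never overwrites, so if `<iniPath>.backup` was left behind by an earlier aborted import, the new backup silently fails (only a warning) and the rollback on a later copy failure restores that leftover instead of the current settings. Remove any stale file first, `QFile::remove(backupPath);` before the `QFile::copy(iniPath, backupPath)` call, and treat a failed backup as fatal for the import rather than a warning. Separately, `delete settings; settings = nullptr;` happens before the remove/copy early returns, so on those paths the tab keeps a null `settings` pointer and, on the remove-failure path, the backup is neither restored nor deleted; if deleting the QSettings object before replacing the file is deliberate (it flushes on destruction), every failure path should restore the backup and recreate the object. The rollback's own `QFile::copy(backupPath, iniPath)` return value is also ignored. The tail of the try block (the restart) lies outside the hunk.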
diff --git a/Bind/src/GUI/Stylesheets/ChangelogDialog.qss b/Bind/src/GUI/Stylesheets/ChangelogDialog.qss index 94cc523..dc8e950 100644 --- a/Bind/src/GUI/Stylesheets/ChangelogDialog.qss +++ b/Bind/src/GUI/Stylesheets/ChangelogDialog.qss 
@@ -2,38 +2,136 @@ QDialog { background: #1A1A1A; border-radius: 15px; } -QLabel { - color: #0077d4; - font-size: 18px; - font-weight: bold; - padding: 10px 0 10px 0; -} + +/* Version List Widget - Left Sidebar */ QListWidget { - background: #181818; - color: #fff; - border-radius: 8px; - font-size: 14px; + background: #1E1E1E; + color: #E0E0E0; + border: 1px solid #2A2A2A; + border-radius: 10px; + font-size: 13px; + font-weight: 500; min-width: 120px; + padding: 8px 0px; + outline: none; +} + +QListWidget::item { + background: transparent; + color: #B0B0B0; + padding: 12px 16px; + margin: 2px 8px; + border-radius: 6px; + border: none; + min-height: 20px; +} + +QListWidget::item:hover { + background: #2A2A2A; + color: #FFFFFF; } + QListWidget::item:selected { - background: #0077d4; - color: #fff; + background: qlineargradient(x1:0, y1:0, x2:1, y2:0, stop:0 #0b5394, stop:1 #0077d4); + color: #FFFFFF; + font-weight: 600; + border: 1px solid #0A7AD1; } + +QListWidget::item:selected:hover { + background: qlineargradient(x1:0, y1:0, x2:1, y2:0, stop:0 #0A7AD1, stop:1 #0088E8); +} + +/* Content Text Edit - Right Panel */ QTextEdit { - background: #181818; - color: #fff; - border-radius: 8px; - font-family: 'IBM Plex Mono'; - font-size: 13px; + background: #1E1E1E; + color: #E8E8E8; + border: 1px solid #2A2A2A; + border-radius: 10px; + font-family: 'Segoe UI', 'Roboto', 'Arial', sans-serif; + font-size: 14px; + line-height: 1.6; + padding: 20px; + selection-background-color: #0077d4; + selection-color: #FFFFFF; } + +QTextEdit:focus { + border: 1px solid #0077d4; + outline: none; +} + +/* Close Button */ QPushButton { - background: #0077d4; - color: #fff; - border-radius: 6px; - padding: 6px 18px; + background: #0b5394; + border: none; + border-radius: 8px; + padding: 10px 20px; + color: white; font-weight: bold; font-size: 13px; + min-width: 100px; } + QPushButton:hover { - background: #404040; + background: #67abdb; +} + +QPushButton:pressed { + background: #0A7AD1; +} + 
+/* Scrollbars */ +QScrollBar:vertical { + background: #1E1E1E; + width: 12px; + border: none; + border-radius: 6px; + margin: 0; +} + +QScrollBar::handle:vertical { + background: #3A3A3A; + border-radius: 6px; + min-height: 30px; + margin: 2px; +} + +QScrollBar::handle:vertical:hover { + background: #4A4A4A; +} + +QScrollBar::handle:vertical:pressed { + background: #5A5A5A; +} + +QScrollBar::add-line:vertical, QScrollBar::sub-line:vertical { + height: 0px; +} + +QScrollBar:horizontal { + background: #1E1E1E; + height: 12px; + border: none; + border-radius: 6px; + margin: 0; +} + +QScrollBar::handle:horizontal { + background: #3A3A3A; + border-radius: 6px; + min-width: 30px; + margin: 2px; +} + +QScrollBar::handle:horizontal:hover { + background: #4A4A4A; +} + +QScrollBar::handle:horizontal:pressed { + background: #5A5A5A; } + +QScrollBar::add-line:horizontal, QScrollBar::sub-line:horizontal { + width: 0px; +} \ No newline at end of file diff --git a/Bind/src/GUI/Stylesheets/ConfirmationDialog.qss b/Bind/src/GUI/Stylesheets/ConfirmationDialog.qss index cbc7126..1fcbaeb 100644 --- a/Bind/src/GUI/Stylesheets/ConfirmationDialog.qss +++ b/Bind/src/GUI/Stylesheets/ConfirmationDialog.qss 
@@ -1,29 +1,58 @@ QDialog { - background: #252525; - color: white; + background: #1A1A1A; border-radius: 15px; } + +/* Content Area */ +QWidget#contentWidget { + background: #1E1E1E; + border-bottom-left-radius: 15px; + border-bottom-right-radius: 15px; +} + +/* Message Label */ +QLabel { + color: #E8E8E8; + font-size: 14px; + font-weight: 400; + line-height: 1.6; + padding: 0px; +} + +/* Buttons */ QPushButton { background: #0b5394; - border: 2px solid #0b5394; - border-radius: 6px; - padding: 8px 15px; + border: none; + border-radius: 8px; + padding: 10px 20px; color: white; font-weight: bold; - transition: all 0.2s ease; + font-size: 13px; + min-width: 90px; } + QPushButton:hover { background: #67abdb; - border: 2px solid #8bc4e6; - transform: translateY(-1px); - box-shadow: 0 4px 8px rgba(103, 171, 219, 0.3); } + QPushButton:pressed { - background: #094a7a; - border: 2px solid #0b5394; - transform: translateY(0px); - box-shadow: none; + background: #0A7AD1; } -QLabel { - color: white; + +/* No/Cancel Button */ +QPushButton#noButton, +QPushButton#cancelButton { + background: #333333; + color: #E0E0E0; +} + +QPushButton#noButton:hover, +QPushButton#cancelButton:hover { + background: #444444; + color: #FFFFFF; } + +QPushButton#noButton:pressed, +QPushButton#cancelButton:pressed { + background: #2A2A2A; +} \ No newline at end of file diff --git a/Bind/src/GUI/Stylesheets/HashCompareDialog.qss b/Bind/src/GUI/Stylesheets/HashCompareDialog.qss index af664ae..85fe14a 100644 --- a/Bind/src/GUI/Stylesheets/HashCompareDialog.qss +++ b/Bind/src/GUI/Stylesheets/HashCompareDialog.qss @@ -68,4 +68,4 @@ QComboBox QAbstractItemView { background: #333333; color: white; selection-background-color: #0b5394; -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Stylesheets/ObfuscationSelectionDialog.qss b/Bind/src/GUI/Stylesheets/ObfuscationSelectionDialog.qss index 761bc37..0955d77 100644 --- a/Bind/src/GUI/Stylesheets/ObfuscationSelectionDialog.qss 
+++ b/Bind/src/GUI/Stylesheets/ObfuscationSelectionDialog.qss @@ -1,41 +1,56 @@ ObfuscationSelectionDialog { - background: #252525; - border: 2px solid #333333; + background: #1A1A1A; border-radius: 15px; } -QLabel { - color: white; -} -QLabel#title { - font-size: 18px; - font-weight: bold; - color: #0077d4; - padding: 10px; + +/* Content Area */ +QWidget#contentWidget { + background: #1E1E1E; + border-bottom-left-radius: 15px; + border-bottom-right-radius: 15px; } + +/* Description Label */ QLabel#description { + color: #E8E8E8; font-size: 14px; - color: #cccccc; - padding: 10px; + font-weight: 400; + line-height: 1.6; + padding: 0px; } + +/* Primary Action Buttons */ QPushButton { background: #0b5394; border: none; border-radius: 8px; - padding: 12px 20px; + padding: 12px 24px; color: white; font-weight: bold; font-size: 14px; - min-width: 120px; + text-align: left; } + QPushButton:hover { background: #67abdb; } + QPushButton:pressed { - background: #004578; + background: #0A7AD1; } + +/* Cancel Button */ QPushButton#cancel { - background: #555555; + background: #333333; + color: #E0E0E0; + text-align: center; } + QPushButton#cancel:hover { - background: #777777; + background: #444444; + color: #FFFFFF; } + +QPushButton#cancel:pressed { + background: #2A2A2A; +} \ No newline at end of file diff --git a/Bind/src/GUI/Stylesheets/SettingsDialog.qss b/Bind/src/GUI/Stylesheets/SettingsDialog.qss index 940a82e..e379b34 100644 --- a/Bind/src/GUI/Stylesheets/SettingsDialog.qss +++ b/Bind/src/GUI/Stylesheets/SettingsDialog.qss 
@@ -8,13 +8,38 @@ QTabWidget::pane { border-radius: 5px; background: #1E1E1E; } + +QTabWidget { + margin: 0px; + padding: 0px; +} + +QTabBar { + alignment: left; + margin: 0px; + padding: 0px; + spacing: 0px; +} + QTabBar::tab { background: #333333; color: white; padding: 8px 20px; border-top-left-radius: 5px; border-top-right-radius: 5px; + margin: 0px; + margin-right: 2px; } + +QTabBar::tab:first { + margin-left: 0px; +} + +QTabBar::tab:last { + margin-right: 0px; + border-top-right-radius: 0px; +} + QTabBar::tab:selected { background: #0b5394; } @@ -227,4 +252,4 @@ QScrollBar::handle:horizontal:hover { } QScrollBar::add-line:horizontal, QScrollBar::sub-line:horizontal { width: 0px; -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Stylesheets/StubMapperDialog.qss b/Bind/src/GUI/Stylesheets/StubMapperDialog.qss index dc1e077..9f7cdf7 100644 --- a/Bind/src/GUI/Stylesheets/StubMapperDialog.qss +++ b/Bind/src/GUI/Stylesheets/StubMapperDialog.qss @@ -81,4 +81,4 @@ QComboBox QAbstractItemView { background: #333333; color: white; selection-background-color: #0b5394; -} +} \ No newline at end of file diff --git a/Bind/src/GUI/Threads/CompatibilityThread.cpp b/Bind/src/GUI/Threads/CompatibilityThread.cpp index eaaf17d..dbc083f 100644 --- a/Bind/src/GUI/Threads/CompatibilityThread.cpp +++ b/Bind/src/GUI/Threads/CompatibilityThread.cpp @@ -1,7 +1,6 @@ -#include "include/GUI/Threads/CompatibilityThread.h" -#include "include/Core/Integrity/Compatibility/Compatibility.h" -#include -#include +#include +#include +#include CompatibilityThread::CompatibilityThread(QObject* parent) : QThread(parent) diff --git a/Bind/src/GUI/Threads/ObfuscationThread.cpp b/Bind/src/GUI/Threads/ObfuscationThread.cpp index 1b2b0b2..d1b766c 100644 --- a/Bind/src/GUI/Threads/ObfuscationThread.cpp +++ b/Bind/src/GUI/Threads/ObfuscationThread.cpp 
@@ -1,11 +1,6 @@ -#include "include/GUI/Threads/ObfuscationThread.h" -#include "include/Core/Obfuscation/Obfuscation.h" -#include "include/Core/Utils/PathUtils.h" -#include "include/Core/Utils/Utils.h" -#include -#include -#include -#include +#include +#include +#include ObfuscationThread::ObfuscationThread(QObject* parent) : QThread(parent) diff --git a/Bind/src/GUI/Threads/ValidatorThread.cpp b/Bind/src/GUI/Threads/ValidatorThread.cpp index 68b425e..0d063a6 100644 --- a/Bind/src/GUI/Threads/ValidatorThread.cpp +++ b/Bind/src/GUI/Threads/ValidatorThread.cpp @@ -1,7 +1,6 @@ -#include "include/GUI/Threads/ValidatorThread.h" -#include "include/Core/Integrity/Validator/Validator.h" -#include -#include +#include +#include +#include ValidatorThread::ValidatorThread(QObject* parent) : QThread(parent) diff --git a/Bind/src/GUI/Threads/VerificationThread.cpp b/Bind/src/GUI/Threads/VerificationThread.cpp index 27cd127..956d3f4 100644 --- a/Bind/src/GUI/Threads/VerificationThread.cpp +++ b/Bind/src/GUI/Threads/VerificationThread.cpp @@ -1,5 +1,5 @@ -#include "include/GUI/Threads/VerificationThread.h" -#include +#include +#include VerificationThread::VerificationThread(QObject* parent) : QThread(parent) @@ -33,4 +33,4 @@ void VerificationThread::run() qDebug() << "Verification Thread Exception:" << e.what(); emit verificationFinished(false, QString("Verification Failed: %1").arg(e.what())); } -} +} \ No newline at end of file 
diff --git a/Bind/src/Res/Icons/green.png b/Bind/src/Res/Icons/green.png new file mode 100644 index 0000000000000000000000000000000000000000..674773045e5dccb320fcaf2a8f8ea51a82068668 GIT binary patch literal 777 zcmV+k1NQuhP)m3R-mFJLleW&i9@F$vEfupTPuYI?aGkv1Wcp(_@hphymwC z^zG!+!8n+t%aD~J9#R2?5KtfqP9h3_3KMdPT)x@9Vbk8M?OQF9G5%;*i-pC6fTENB9vP)=D;`S18l821eKugpoy%&@1~HS!y%>M3%!N6!&sR09lB zbnYt0#!x*q29fDyFdYbEBvB3R+;aBVD>`l^JXwqFV)>?b3K{~@{7kE*&ecBzQEp20)vyfhNM3HgbW8gnaT7G@*vkA!r^T-=jv{^ zx$e&fc_;08^uwWF#D%fM1&U$b#0)>QtJZzwR(oT2K;c(Nw(sePX8gOq_JR~eE}HbI zHI?-(RW~o3yhpEI^^BtL*~q_}O(a;)l)^K5x0$<3@Zvx=4n`_7kzmu#2^NBp5UV%Y zJdcSHE0QRsviJSVRsCOa9;|0%!#Kq(N5O3^}^00000NkvXX Hu0mjf`BP@d literal 0 HcmV?d00001 diff --git a/Bind/src/Res/Icons/hourglass.png b/Bind/src/Res/Icons/hourglass.png new file mode 100644 index 0000000000000000000000000000000000000000..127c5d6156bfdab937bb0aee12672b3d84622f4a GIT binary patch literal 716 zcmV;-0yF)IP)%x^NueByi41g0Si7d|*JbMLw5o%=2qWnz9HN0qg-@S}O6UJ+SM?LlQ1V7CIm zuvE|PWK_48#b6ZP&16j`bdA)^rAt8HL2+FGSlD{|XyN3ya!c?#tyYhnbr-AcLc60P zNmh}n_0YJ-<~o;pwFUh%he7vxy}>_%e>j-GkM~~%C@X8S(d~kwlrmw_H%$p2Hpc6X zIw=B2^k&W$JZ8h+lu>{p$v!@wT78~y9XLW$6Z4-DMQeyQtBAI!-0|x<@4;#2OyWg? z@CG%yfI)1VB+oxsPdi*e#_WsyVqH@e_iXG_VB#o!A+??&dBWT0V5r5crfJ)!SDz*+ zvs2>27k7MtNy~ilmceL$l!FMqDUyj_zA*?0 zjgIg-cIhgKll-s)qd*iZN8j9DTxv>6%}CmDBd36Gh`ztSv{J5hgi-S^ z*CgTHy(=q(XKaHOi+Qm459?y>t}1dn$ywFmMQz`d>34QBSZ_3RGS82J=vm8S0o}D! z`nu@w?)Qi_RI*3dqx00q&p)#!Y6gQ0}R{G&1ZK1 zLfot?`_JZ`c$rwdOk6lrFd3E!r(NA{*Npi-{N2D1NzjcESPsM8F&RSDDu9ODt28m% yc%2ylp2H*ufQQFZQQ^zu9IWA*B5qCiE5HCPoj^x`Cwg800000>P literal 0 HcmV?d00001 
diff --git a/Bind/src/Res/Icons/record.png b/Bind/src/Res/Icons/record.png new file mode 100644 index 0000000000000000000000000000000000000000..5cd9ea93ef5696ffb53d5f159e44dbfae7884ad9 GIT binary patch literal 529 zcmV+s0`C2ZP)D5@X(V-FF_BYV2hz>sbX6L+H8_dvTO0XV?0jF?2cA~e)_;sZ1}ZuTOo#b1P*lA=`S zE0xkzv8c+5B0H3_7hSL1YudI?X%%xWq6K8wgHu8ZX+=5S*x6YRBq`&0-cM30l>*4i)9_yEo_!Bq^BmIG0f(n1%s177mXmej~7L*&Q@CPQb9+AKflv?e>`H z`;bW(S>QN~4W^PvpmkfVatT)_=nvo=RTo7cFbEdnlackT42hOXP=mR}sq#pu8h=h;)G{EW# zz-|^`30CxBbbX=9C@M1c8Uy;H*Nh&EV=53KQG1pjs$KLr>786?Nh Tacv%%00000NkvXXu0mjfthDCu literal 0 HcmV?d00001 
diff --git a/Bind/src/Res/Icons/red.png b/Bind/src/Res/Icons/red.png new file mode 100644 index 0000000000000000000000000000000000000000..5c008b0a6fa5e8a1f8ddc294419aeb3e37f79f46 GIT binary patch literal 728 zcmV;}0w?{6P)i77|PJ(5|QEt1&kR{od=E-S5<8@*3{T-MMcu<*4B~|#+oTM_-Ek<##U#r zg{artY%ZhMyHyrNQ(|fg$=O+$&1QTGg@(yJOBt{v@L6qOC5{Sa^Dd*uW7k=&8-7hs zBQZ0BbRvPJY!(7-cU?sVj3yKMg29nAaDi{3goKAsTwGh`cH7suT$>jY3E|t=7*g># z<}(>EDzw31fGCPElfi@T?$J4*gT(#p70^jVa^{r6a25%7U7a&JF#(-Uw=CqWw^$JD z>Uu+kY|{W?USV#4oPx^0Lu1E2pU)YK#ZXpW4oQ;G6$reeSPRu4%v0wELV+%XiSxao zP-IT4T^4r+0ueH8QDT4p1NF;7r2xq#K*N@c`h!aSR`NKUw|(sqZn#?fnBZ%XHZd&h z5ump)h&l#pjDy4{s++DiKDv44S#lHn`bqS!wE8)5jTq+{^w7;~0`@DxybMQX5yy8l zTxq;_>GYG-f_#JK26(Jbq2Lyl^4R`8DIeQ=(tqmi<>vd@oP3Ki9PFP2UKBbDD)G*r z>3qY1rZ!*C)pNb{)y{z^247D8`>;_L-ku(! z6_?D-?!0+#=VtbVZQGdTnZt~apI_HPK#=zVadHM((E`e*C+RoFb)Qo8-U{Lb7{`Tz zw4B8FZ|o?Wox+p=1wp47C;7ar*Xu~;a?<=sjPv>+otDjJ6FaGt!YnNyxQQhp)G1V! zk;r6ZtyV)c8pTbiRAnHRNXTxti%=+p$4aG2*+mMM&xrdiU^`VPk^N*+HX98^7!HT% zwA%;A{T)GxeQ|RcxyzV%! z$AbYD+)i1R64zB?q}NmTz}5|04~J#YG_goA*Eq(QJvp7pG14hUj1pZ^t>3S*xqHUO ze~r;}zTY_XkZ*}d@gm!;N90h8nBQenBUZ_ukZKNicn*hc_Pmc!Jn|2=s<~}>!Sb>Qm3!QP46b_JFw5YU70Tu$X}=T}ez@@t%j iG9vD)nDux55?}x$+|UyQVK_bj0000 + + Icons/validation.png + Icons/compatibility.png + Icons/verification.png + Icons/obfuscation.png + Icons/settings.png + Icons/syscaller.png + Icons/logo.ico + Icons/export.png + Icons/refresh.png + Icons/xmark.png + Icons/green.png + Icons/record.png + Icons/hourglass.png + Fonts/ibmplexmono.ttf + ../GUI/Stylesheets/SettingsDialog.qss + ../GUI/Stylesheets/StubMapperDialog.qss + ../GUI/Stylesheets/ConfirmationDialog.qss + ../GUI/Stylesheets/ObfuscationSelectionDialog.qss + ../GUI/Stylesheets/HashCompareDialog.qss + ../GUI/Stylesheets/ChangelogDialog.qss + + \ No newline at end of file diff --git a/Bindings/Examples/C/InjectDLL.c b/Bindings/Examples/C/InjectDLL.c index 72976af..537bf2b 100644 --- a/Bindings/Examples/C/InjectDLL.c +++ b/Bindings/Examples/C/InjectDLL.c 
@@ -195,4 +195,4 @@ int main(int argc, char* argv[]) InjectDLL(hProcess, dll_path, SysAllocateVirtualMemoryEx, SysWriteVirtualMemory, SysCreateThreadEx, SysClose); CloseHandle(hProcess); return 0; -} +} \ No newline at end of file diff --git a/Bindings/Examples/C/InjectDLLObf.c b/Bindings/Examples/C/InjectDLLObf.c index ae85154..6f26373 100644 --- a/Bindings/Examples/C/InjectDLLObf.c +++ b/Bindings/Examples/C/InjectDLLObf.c @@ -195,4 +195,4 @@ int main(int argc, char* argv[]) InjectDLL(hProcess, dll_path, oznbvo_655212, yexedj_555900, jljtug_682236, ezhgwv_592746); CloseHandle(hProcess); return 0; -} +} \ No newline at end of file diff --git a/Bindings/Examples/C/README.md b/Bindings/Examples/C/README.md index dda264e..4cda88f 100644 --- a/Bindings/Examples/C/README.md +++ b/Bindings/Examples/C/README.md @@ -40,4 +40,4 @@ $ InjectDLL.exe 4242 test.dll - Requires appropriate privileges to open the target process and inject code. - Tested & Works only on Windows x64. ---- +--- \ No newline at end of file diff --git a/Bindings/Examples/CSharp/Program.cs b/Bindings/Examples/CSharp/Program.cs index a5c3076..f510094 100644 --- a/Bindings/Examples/CSharp/Program.cs +++ b/Bindings/Examples/CSharp/Program.cs @@ -264,4 +264,4 @@ static void Main(string[] args) NativeMethods.CloseHandle(hProcess); } } -} +} \ No newline at end of file diff --git a/Bindings/Examples/CSharp/ProgramObf.cs b/Bindings/Examples/CSharp/ProgramObf.cs index d4ea7e1..8d9c497 100644 --- a/Bindings/Examples/CSharp/ProgramObf.cs +++ b/Bindings/Examples/CSharp/ProgramObf.cs @@ -264,4 +264,4 @@ static void Main(string[] args) NativeMethods.CloseHandle(hProcess); } } -} +} \ No newline at end of file diff --git a/Bindings/Examples/GO/README.md b/Bindings/Examples/GO/README.md index 1536103..3ac2de4 100644 --- a/Bindings/Examples/GO/README.md +++ b/Bindings/Examples/GO/README.md 
@@ -37,4 +37,4 @@ $ InjectedDLL.exe 1337 test.dll - Requires appropriate privileges to open the target process and inject code. - Tested & Works only on Windows x64. ---- +--- \ No newline at end of file diff --git a/Bindings/Examples/Nim/InjectDLL.nim b/Bindings/Examples/Nim/InjectDLL.nim index 0576570..4ed3716 100644 --- a/Bindings/Examples/Nim/InjectDLL.nim +++ b/Bindings/Examples/Nim/InjectDLL.nim @@ -176,4 +176,4 @@ when isMainModule: echo "[!] Failed to open process ", pid quit(1) discard injectDLL(hProcess, dllPath, SysAllocateVirtualMemoryEx, SysWriteVirtualMemory, SysCreateThreadEx, SysClose) - discard CloseHandle(hProcess) + discard CloseHandle(hProcess) \ No newline at end of file diff --git a/Bindings/Examples/Nim/InjectDLLObf.nim b/Bindings/Examples/Nim/InjectDLLObf.nim index 778aaaa..1717516 100644 --- a/Bindings/Examples/Nim/InjectDLLObf.nim +++ b/Bindings/Examples/Nim/InjectDLLObf.nim @@ -176,4 +176,4 @@ when isMainModule: echo "[!] Failed to open process ", pid quit(1) discard injectDLL(hProcess, dllPath, oznbvo_655212, yexedj_555900, jljtug_682236, ezhgwv_592746) - discard CloseHandle(hProcess) + discard CloseHandle(hProcess) \ No newline at end of file diff --git a/Bindings/Examples/Python/InjectDLL.py b/Bindings/Examples/Python/InjectDLL.py index 42a62bb..a98c8c0 100644 --- a/Bindings/Examples/Python/InjectDLL.py +++ b/Bindings/Examples/Python/InjectDLL.py @@ -198,4 +198,4 @@ def InjectDLL(process_handle, dll_path): print(f"[!] Failed to open process {pid}") sys.exit(1) InjectDLL(process_handle, dll_path) - kernel32.CloseHandle(process_handle) + kernel32.CloseHandle(process_handle) \ No newline at end of file diff --git a/Bindings/Examples/Python/InjectDLLObf.py b/Bindings/Examples/Python/InjectDLLObf.py index b7929f2..956adb7 100644 --- a/Bindings/Examples/Python/InjectDLLObf.py +++ b/Bindings/Examples/Python/InjectDLLObf.py 
@@ -198,4 +198,4 @@ def InjectDLL(process_handle, dll_path): print(f"[!] Failed to open process {pid}") sys.exit(1) InjectDLL(process_handle, dll_path) - kernel32.CloseHandle(process_handle) + kernel32.CloseHandle(process_handle) \ No newline at end of file diff --git a/Bindings/Examples/Python/README.md b/Bindings/Examples/Python/README.md index 1adcd72..6787a86 100644 --- a/Bindings/Examples/Python/README.md +++ b/Bindings/Examples/Python/README.md @@ -33,4 +33,4 @@ $ python InjectDLL.py 4728 test.dll - Requires appropriate privileges to open the target process and inject code. - Tested & Works only on Windows x64. ---- +--- \ No newline at end of file diff --git a/Bindings/Examples/Rust/README.md b/Bindings/Examples/Rust/README.md index 75e80a7..926e81b 100644 --- a/Bindings/Examples/Rust/README.md +++ b/Bindings/Examples/Rust/README.md @@ -37,4 +37,4 @@ $ target\release\injectdll.exe 5056 test.dll - Requires appropriate privileges to open the target process and inject code. - Tested & Works only on Windows x64. ---- +--- \ No newline at end of file diff --git a/Bindings/Examples/Rust/cargo.toml b/Bindings/Examples/Rust/cargo.toml index a7caf7c..170dfbd 100644 --- a/Bindings/Examples/Rust/cargo.toml +++ b/Bindings/Examples/Rust/cargo.toml @@ -11,4 +11,4 @@ "Win32_System_WindowsProgramming", "Win32_System_Diagnostics_Debug", "Win32_System_SystemServices" -] } +] } \ No newline at end of file diff --git a/Default/sysFunctions_k.h b/Default/SysFunctionsK.h similarity index 99% rename from Default/sysFunctions_k.h rename to Default/SysFunctionsK.h index 4d4a816..9a9c50a 100644 --- a/Default/sysFunctions_k.h +++ b/Default/SysFunctionsK.h @@ -1,8 +1,8 @@ #pragma once -#include -#include -#include -#include +#include +#include +#include +#include #ifdef _WIN64 /* only compile on 64bit systems */ diff --git a/Default/sysFunctions.h b/Default/sysFunctions.h index 15aedde..d8fc3b8 100644 --- a/Default/sysFunctions.h +++ b/Default/sysFunctions.h 
@@ -1,7 +1,7 @@ #pragma once -#include -#include -#include +#include +#include +#include #ifdef _WIN64 /* only compile on 64bit systems */ diff --git a/Default/syscaller.asm b/Default/syscaller.asm index 9d944cd..460abc7 100644 --- a/Default/syscaller.asm +++ b/Default/syscaller.asm @@ -3388,4 +3388,4 @@ SCYieldExecution PROC ret SCYieldExecution ENDP -end +end diff --git a/History/CHANGELOG_1.0.0.md b/History/CHANGELOG_1.0.0.md index 29f45a3..d3abb4d 100644 --- a/History/CHANGELOG_1.0.0.md +++ b/History/CHANGELOG_1.0.0.md @@ -6,8 +6,6 @@ Released: **March 5, 2025** ## **What's New?** ---- - - Introduced validation, verification, & compatibility checks for all stubs. - Added an obfuscation engine for crafted stubs. - Early work began on manual stub crafting logic (WIP). diff --git a/History/CHANGELOG_1.1.0.md b/History/CHANGELOG_1.1.0.md index 26d9f45..75e7b21 100644 --- a/History/CHANGELOG_1.1.0.md +++ b/History/CHANGELOG_1.1.0.md @@ -6,8 +6,6 @@ Released: **July 22, 2025** ## **What's New?** ---- - - Added support for kernel mode / `Zw` syscalls. - You can now build in debug mode with full support. - Support for switching and managing syscall tables. diff --git a/History/CHANGELOG_1.2.0.md b/History/CHANGELOG_1.2.0.md index ad8991e..d988a0d 100644 --- a/History/CHANGELOG_1.2.0.md +++ b/History/CHANGELOG_1.2.0.md @@ -6,8 +6,6 @@ Released: **July 29, 2025** ## **What's New?** ---- - - Rewrote the entire BuildTools/GUI from Python (PyQt) to native C++ using Qt improving performance, stability maintainability, and integration with the core SDK. - Added support for any programming language with C bindings, making SysCaller accessible across a wider ecosystem. - The BuildTools has been officially renamed to **Bind**, reflecting its role in connecting your project with SysCaller using clean GUI based binding, wrapping, and obfuscation features. diff --git a/History/CHANGELOG_1.3.0.md b/History/CHANGELOG_1.3.0.md index 02a60b4..1b79d90 100644 
--- a/History/CHANGELOG_1.3.0.md +++ b/History/CHANGELOG_1.3.0.md @@ -6,8 +6,6 @@ Released: **September 3, 2025** ## **What's New?** ---- - - Added comprehensive support for Direct, Inline, and Indirect assembly modes - Added general tab support with assembly mode selection - Improved validation system supporting all three modes diff --git a/History/CHANGELOG_1.3.1.md b/History/CHANGELOG_1.3.1.md index 39296a9..0f20ee3 100644 --- a/History/CHANGELOG_1.3.1.md +++ b/History/CHANGELOG_1.3.1.md @@ -6,12 +6,12 @@ Released: **September 26, 2025** ## **What's New?** ---- - - Added GitHub Actions workflows for Bind. - Added Enums to obfuscation and integrity modules. - Refactored the entire codebase for the future by ensuring proper usability/practices. +--- + ## **Bug Fixes** - N/A (Stability Release) \ No newline at end of file diff --git a/History/CHANGELOG_1.3.2.md b/History/CHANGELOG_1.3.2.md new file mode 100644 index 0000000..d0704b1 --- /dev/null +++ b/History/CHANGELOG_1.3.2.md 
@@ -0,0 +1,52 @@
+# v1.3.2 - Changelog
+
+Released: **November 11, 2025**
+
+---
+
+## **What's New?**
+
+---
+
+- Refactored SysCaller, SysCallerK, and Bind architecture.
+- Added bindings examples for LuaJIT, Java (JNA/JNI), Julia, D
+- Added disk mapped resolver function
+- Replaced all C++ style comments with C style comments
+- Compatibility and Verification buttons are automatically disabled in Indirect Syscall Mode, as these integrity checks are not applicable to indirect syscalls.
+- Added support for `SYSCALLER_ROOT` environment variable to override default project root detection.
+- Redesigned Changelog Dialog
+- Redesigned Confirmation Dialog
+- Redesigned Obfuscation Selection Dialog
+- Consistent button styling across all dialogs
+- Improved Settings Dialog tab bar alignment
+- Replaced StatusBar emoji icons with fugue icons
+- Centralized error code enumeration (`ErrorCode` enum) for consistent error handling
+- Added thread timeout constants (`THREAD_TERMINATION_TIMEOUT_MS`, `THREAD_FORCE_TERMINATION_TIMEOUT_MS`) for better resource management
+- Enhanced settings validation with proper error handling
+- Improved thread safety with proper cleanup and timeout handling
+- Added input validation throughout the codebase
+- Extracted magic numbers to named constants
+- Improved resource cleanup in thread management
+- Added proper path separator consistency handling
+- Enhanced error handling with try catch blocks and proper error reporting
+
+---
+
+## **Bug Fixes**
+
+---
+
+- Fixed duplicate close block in func definition header file
+- Fixed compiler warning C4067: unexpected tokens following preprocessor directive in Verification.cpp and Compatibility.cpp
+- Fixed compiler warning C4267: conversion from 'size_t' to 'int' in Verification.cpp and Utils.cpp
+- Fixed compiler warning C4101: unreferenced local variable in IndirectControlFlow.cpp
+- Fixed potential thread timeout hangs by implementing proper thread cleanup with timeout constants
+- Fixed settings save delay by removing duplicate `sync()` calls
+- Fixed UI lag during verification checks with large syscall counts by implementing output batching (flushes every 20 messages)
+- Fixed Settings Dialog tab bar alignment issue where Profile tab had a gap on the right side
+- Fixed Changelog Dialog title bar rounded edges to match squared dialog window
+- Improved settings persistence with proper `QSettings::sync()` error handling
+- Fixed potential memory leaks in thread management with proper cleanup on application close
+- Resolved path separator inconsistencies across different platforms
+
+---
\ No newline at end of file
diff --git a/README.md b/README.md
index 94a5341..cec81fd 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# SysCaller SDK v1.3.1
+# SysCaller SDK v1.3.2

SysCaller Logo @@ -12,7 +12,7 @@

-[![Version](https://img.shields.io/badge/Version-1.3.1-blue.svg)](https://github.com/micREsoft/SysCaller) +[![Version](https://img.shields.io/badge/Version-1.3.2-blue.svg)](https://github.com/micREsoft/SysCaller) [![License](https://img.shields.io/badge/License-GPLv3-green.svg)](LICENSE) [![Platform](https://img.shields.io/badge/Platform-Windows%2064--bit-lightgrey.svg)](https://github.com/micREsoft/SysCaller) [![C++](https://img.shields.io/badge/C%2B%2B-17%2B-blue.svg)](https://isocpp.org/) @@ -53,7 +53,7 @@ - **Dynamic Offset Resolution:** Automatically detects syscall IDs for compatibility across Windows 10/11 (x64). - **Obfuscation Layer:** Optional, randomized stub generation and anti pattern junk for stealth. - **Comprehensive GUI:** Validate, verify, and protect syscalls with a modern interface. -- **Multi Language Ready:** Official bindings and examples for C, Rust, Python, and Go. Easily extendable to more languages. +- **Multi Language Ready:** Official bindings and examples for C, C++, C#, Rust, Python, Go, Nim, LuaJIT, Java (JNA/JNI), Julia, and D. Easily extendable to more languages. - **Modular Build System:** Visual Studio (MASM) and CMake support. --- 
@@ -69,8 +69,12 @@ SysCaller is now not just for C++! The SDK now provides official bindings and re - **Nim** ([Nim Example](Bindings/Examples/Nim/)) - **Python** ([Python Example](Bindings/Examples/Python/)) - **Go** ([Go Example](Bindings/Examples/GO/)) +- **LuaJIT** ([LuaJIT Example](Bindings/Examples/LuaJIT/)) +- **Java** ([Java/JNA Example](Bindings/Examples/Java/JNA/) | [Java/JNI Example](Bindings/Examples/Java/JNI/)) +- **Julia** ([Julia Example](Bindings/Examples/Julia/)) +- **D** ([D Example](Bindings/Examples/D/)) -Each example demonstrates direct DLL injection using the SysCaller API, with full source and build instructions in each language’s folder. These are bare minimum examples meant to show simple usage, now you can expand syscalls and methodology. +Each example demonstrates direct DLL injection using the SysCaller API, with full source and build instructions in each language's folder. These are bare minimum examples meant to show simple usage, now you can expand syscalls and methodology. > Want to add support for another language? PRs and suggestions are welcome! @@ -101,7 +105,11 @@ Each example demonstrates direct DLL injection using the SysCaller API, with ful SysCaller supports three build modes that you can configure via preprocessor definitions: - **`SYSCALLER_DIRECT`** (default): Fastest execution, syscall numbers resolved at compile time -- **`SYSCALLER_INDIRECT`**: Runtime resolution via ntdll.dll analysis, more flexible across Windows versions +- **`SYSCALLER_INDIRECT`**: Runtime resolution via ntdll.dll analysis, more flexible across Windows versions. Supports multiple resolver methods: + - Memory Export (GetModuleHandle) + - PEB LDR Traversal (No WinAPI calls) + - Hashed Export (No string comparisons) + - Disk Mapped (Anti hook, reads from disk) - **`SYSCALLER_INLINE`**: Assembly code embedded directly, most stealthy but larger binary size **Optional**: Add `SYSCALLER_BINDINGS` for multi language DLL support. 
@@ -118,6 +126,25 @@ For detailed configuration instructions, see [BUILD_MODES.md](Wrapper/BUILD_MODE - [vcpkg](https://github.com/microsoft/vcpkg) - Install `cmark` and `pe-parse` via vcpkg +### Environment Variable Configuration + +You can configure the SysCaller project root path using the `SYSCALLER_ROOT` environment variable: + +```sh +# Windows Command Prompt +set SYSCALLER_ROOT=C:\Path\To\SysCaller + +# PowerShell +$env:SYSCALLER_ROOT = "C:\Path\To\SysCaller" +``` + +This is useful when: +- Running Bind from a different location +- Using a custom project structure +- Deploying Bind in a portable configuration + +If not set, Bind will automatically detect the project root by searching for the `SysCaller` and `SysCallerK` directories. + ### Quick Start (Visual Studio) 1. **Clone the SysCaller repo:** @@ -147,14 +174,17 @@ If you want to build Bind yourself: 6. **Build the project** (Release | x64). ### CMake (Alternative) -SysCaller v1.3 CMake Support: +SysCaller v1.3.2 CMake Support: ```bash # Direct mode cmake -B build -S . -DSYSCALLER_BUILD_MODE=DIRECT -# Indirect mode -cmake -B build -S . -DSYSCALLER_BUILD_MODE=INDIRECT +# Indirect mode with different resolver methods +cmake -B build -S . -DSYSCALLER_BUILD_MODE=INDIRECT -DSYSCALLER_RESOLVER_MEMORY_EXPORT=ON +cmake -B build -S . -DSYSCALLER_BUILD_MODE=INDIRECT -DSYSCALLER_RESOLVER_PEB_LDR=ON +cmake -B build -S . -DSYSCALLER_BUILD_MODE=INDIRECT -DSYSCALLER_RESOLVER_HASHED_EXPORT=ON +cmake -B build -S . -DSYSCALLER_BUILD_MODE=INDIRECT -DSYSCALLER_RESOLVER_DISK_MAPPED=ON # Inline asm mode cmake -B build -S . -DSYSCALLER_BUILD_MODE=INLINE 
@@ -162,7 +192,8 @@ cmake -B build -S . -DSYSCALLER_BUILD_MODE=INLINE # As dynamic link library cmake -B build -S . -DBUILD_SHARED_LIBS=ON -cmake -B build -S . \ -DSYSCALLER_BUILD_MODE=INDIRECT \ -DSYSCALLER_BINDINGS=ON \ -DBUILD_SHARED_LIBS=ON +# Indirect mode with bindings and shared library (example with disk mapped resolver) +cmake -B build -S . -DSYSCALLER_BUILD_MODE=INDIRECT -DSYSCALLER_RESOLVER_DISK_MAPPED=ON -DSYSCALLER_BINDINGS=ON -DBUILD_SHARED_LIBS=ON ``` > **Note:** CMake script for Kernel mode does not exist, but it is planned. @@ -171,7 +202,7 @@ cmake -B build -S . \ -DSYSCALLER_BUILD_MODE=INDIRECT \ -DSYSCALLER_BINDINGS=ON ## How to Build and Use Bindings (All Languages) -To use SysCaller from C, C++, Rust, Python, Go, or any other language that supports C bindings, follow these steps: +To use SysCaller from C, C++, Rust, Python, Go, LuaJIT, Java, Julia, D, or any other language that supports C bindings, follow these steps: 1. **Launch the Bind GUI:** - Run the Bind executable from the `Bind` directory (see Installation above). @@ -204,7 +235,7 @@ To use SysCaller from C, C++, Rust, Python, Go, or any other language that suppo - Link against `SysCaller.lib` (user) or `SysCallerK.lib` (kernel) 2. **Import the main header:** ```cpp - #include "syscaller.h" + #include "SysCaller.h" ``` 3. **Call syscalls directly:** ```cpp @@ -222,7 +253,7 @@ To use SysCaller from C, C++, Rust, Python, Go, or any other language that suppo #### Example: Write to Process Memory ```cpp -#include "syscaller.h" +#include "SysCaller.h" bool WriteToProcessMemory(HANDLE processHandle, PVOID targetAddress, PVOID data, SIZE_T size) { SIZE_T bytesWritten; diff --git a/SysCaller.sln b/SysCaller.sln index 352d98b..d7b2f81 100644 --- a/SysCaller.sln +++ b/SysCaller.sln 
@@ -7,6 +7,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SysCaller", "SysCaller\SysC EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SysCallerK", "SysCallerK\SysCallerK.vcxproj", "{9E0F783F-B100-485D-A527-16D7ED3BEBF1}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Bind", "Bind\Bind.vcxproj", "{CB747D1D-F2CC-431A-B521-5F818525B584}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 @@ -31,6 +33,14 @@ Global {9E0F783F-B100-485D-A527-16D7ED3BEBF1}.Release|x64.Build.0 = Release|x64 {9E0F783F-B100-485D-A527-16D7ED3BEBF1}.Release|x86.ActiveCfg = Release|Win32 {9E0F783F-B100-485D-A527-16D7ED3BEBF1}.Release|x86.Build.0 = Release|Win32 + {CB747D1D-F2CC-431A-B521-5F818525B584}.Debug|x64.ActiveCfg = Debug|x64 + {CB747D1D-F2CC-431A-B521-5F818525B584}.Debug|x64.Build.0 = Debug|x64 + {CB747D1D-F2CC-431A-B521-5F818525B584}.Debug|x86.ActiveCfg = Debug|Win32 + {CB747D1D-F2CC-431A-B521-5F818525B584}.Debug|x86.Build.0 = Debug|Win32 + {CB747D1D-F2CC-431A-B521-5F818525B584}.Release|x64.ActiveCfg = Release|x64 + {CB747D1D-F2CC-431A-B521-5F818525B584}.Release|x64.Build.0 = Release|x64 + {CB747D1D-F2CC-431A-B521-5F818525B584}.Release|x86.ActiveCfg = Release|Win32 + {CB747D1D-F2CC-431A-B521-5F818525B584}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/SysCaller/SysCaller.vcxproj b/SysCaller/SysCaller.vcxproj index de3a105..4ee448c 100644 --- a/SysCaller/SysCaller.vcxproj +++ b/SysCaller/SysCaller.vcxproj @@ -25,7 +25,7 @@ Unicode - DynamicLibrary + StaticLibrary false v143 true 
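Review bot: The switch from `DynamicLibrary` to `StaticLibrary` in the SysCaller.vcxproj hunk (@@ -25,7 +25,7) leaves `Wrapper\\SysCaller.def` set as the module-definition file in both the Debug and Release link settings of the following hunks (@@ -61,14 and @@ -84,12), and a static library does not process a .def file, so a SYSCALLER_BINDINGS build of this project would no longer export anything. If the Visual Studio project is meant to be static-only, drop the .def reference and say so next to the configuration type, e.g. `<!-- static library only; DLL/bindings builds use CMake with BUILD_SHARED_LIBS=ON -->`; otherwise add a separate DLL configuration. Element names are stripped from this rendering, so which property holds `StaticLibrary` is inferred from its value.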
@@ -45,10 +45,12 @@ - $(ProjectDir)Wrapper\build\$(Platform)\$(Configuration)\ + $(SolutionDir)Build\SysCaller\$(Configuration)\ + $(SolutionDir)Build\SysCaller\int\$(Configuration)\ - $(ProjectDir)Wrapper\build\$(Platform)\$(Configuration)\ + $(SolutionDir)Build\SysCaller\$(Configuration)\ + $(SolutionDir)Build\SysCaller\int\$(Configuration)\ true @@ -61,14 +63,15 @@ Level3 true - _DEBUG;_CONSOLE;SYSCALLER_DIRECT;%(PreprocessorDefinitions) + _DEBUG;_CONSOLE;SYSCALLER_INDIRECT;SYSCALLER_RESOLVER_PEB_LDR;%(PreprocessorDefinitions) true stdcpp20 C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.26100.0\km;$(PROJECTDIR)Wrapper\include;%(AdditionalIncludeDirectories) + MultiThreadedDebug Console - true + false %(AdditionalLibraryDirectories) %(AdditionalDependencies) Wrapper\\SysCaller.def @@ -84,12 +87,13 @@ true stdcpp20 C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.26100.0\km;$(PROJECTDIR)Wrapper\include;%(AdditionalIncludeDirectories) + MultiThreadedDLL Console true true - true + false %(AdditionalLibraryDirectories) %(AdditionalDependencies) Wrapper\\SysCaller.def @@ -100,24 +104,24 @@ - + Document - - - - - - + + + + + + - - + + diff --git a/SysCaller/Wrapper/CMakeLists.txt b/SysCaller/Wrapper/CMakeLists.txt index d09dda2..393c3ac 100644 --- a/SysCaller/Wrapper/CMakeLists.txt +++ b/SysCaller/Wrapper/CMakeLists.txt @@ -1,5 +1,5 @@ cmake_minimum_required(VERSION 3.20) -project(SysCaller VERSION 1.3.0 LANGUAGES C CXX ASM_MASM) +project(SysCaller VERSION 1.3.2 LANGUAGES C CXX ASM_MASM) # require x64 build if(NOT CMAKE_SIZEOF_VOID_P EQUAL 8) 
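Review bot: The Debug configuration now hard-codes `SYSCALLER_INDIRECT;SYSCALLER_RESOLVER_PEB_LDR` in its preprocessor definitions (hunk @@ -61,14 +63,15), but the Release hunk (@@ -84,12 +87,13) shows no matching change, so the two configurations may silently build different syscall modes; please confirm the Release definitions line, which is outside the hunk, was updated the same way. This also creates a second source of truth next to `SysCallerConfig.h`, which this commit's syscaller.h hunk documents as the place to define the mode macro, and nothing visible here diagnoses the case where the two disagree. A comment beside the definitions, `<!-- build mode is also selectable in include/SysCallerConfig.h; keep the two in sync -->`, or removing one of the two mechanisms would avoid that.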
@@ -22,6 +22,12 @@ set_property(CACHE SYSCALLER_BUILD_MODE PROPERTY STRINGS "DIRECT" "INDIRECT" "IN option(SYSCALLER_BINDINGS "Build with multi-language bindings support" OFF) +# Resolver options (for INDIRECT mode) +option(SYSCALLER_RESOLVER_MEMORY_EXPORT "Use GetModuleHandle for ntdll resolution" OFF) +option(SYSCALLER_RESOLVER_PEB_LDR "Use PEB LDR traversal for ntdll resolution" OFF) +option(SYSCALLER_RESOLVER_HASHED_EXPORT "Use hashed export parsing" OFF) +option(SYSCALLER_RESOLVER_DISK_MAPPED "Use disk-mapped ntdll parsing" OFF) + option(BUILD_SHARED_LIBS "Build as shared library (DLL)" OFF) if(SYSCALLER_BUILD_MODE STREQUAL "DIRECT") 
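Review bot: The four `SYSCALLER_RESOLVER_*` options are mutually exclusive but are declared as independent booleans, so a configure with two of them ON is accepted and the `elseif` chain in the next hunk silently picks whichever comes first. Mirroring the existing `SYSCALLER_BUILD_MODE` pattern with a single cache string, `set_property(CACHE SYSCALLER_RESOLVER PROPERTY STRINGS "MEMORY_EXPORT" "PEB_LDR" "HASHED_EXPORT" "DISK_MAPPED")`, would make the choice explicit and show it as a dropdown in cmake-gui/ccmake. If the booleans are kept, a check that at most one is ON followed by `message(FATAL_ERROR ...)` is the minimum. The option descriptions could also state that they are ignored outside INDIRECT mode, e.g. `"Use PEB LDR traversal for ntdll resolution (INDIRECT mode only)"`.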
@@ -42,29 +48,61 @@ if(SYSCALLER_BINDINGS) endif() set(CORE_HEADERS - include/syscaller.h - include/syscaller_config.h - include/Sys/sysFunctions.h - include/Sys/sysTypes.h - include/Sys/sysExternals.h - include/Sys/sysConstants.h + include/SysCaller.h + include/SysCallerConfig.h + include/Sys/SysFunctions.h + include/Sys/SysTypes.h + include/Sys/SysExternals.h + include/Sys/SysConstants.h ) set(CORE_SOURCES - src/syscaller.asm - src/build_info.cpp + src/SysCaller.asm + src/BuildInfo.cpp ) if(SYSCALLER_BUILD_MODE STREQUAL "INDIRECT") - list(APPEND CORE_HEADERS include/Resolver/Resolver.h) - list(APPEND CORE_SOURCES src/Resolver/Resolver.cpp) - message(STATUS "[SysCaller] Resolver: INCLUDED (indirect mode requires resolver)") + # Always include base resolver files + list(APPEND CORE_HEADERS + include/Resolver/ResolverBase.h + include/Resolver/Resolver.h + include/Resolver/PebUtils.h + ) + list(APPEND CORE_SOURCES + src/Resolver/ResolverBase.cpp + src/Resolver/PebUtils.cpp + ) + + # Include resolver method based on configuration + if(SYSCALLER_RESOLVER_MEMORY_EXPORT) + list(APPEND CORE_HEADERS include/Resolver/Resolver.h) + list(APPEND CORE_SOURCES src/Resolver/Methods/MemoryExportResolver.cpp) + message(STATUS "[SysCaller] Resolver: Memory Export") + elseif(SYSCALLER_RESOLVER_PEB_LDR) + list(APPEND CORE_HEADERS + include/Resolver/Resolver.h + ) + list(APPEND CORE_SOURCES + src/Resolver/Methods/PebLdrResolver.cpp + ) + message(STATUS "[SysCaller] Resolver: PEB LDR Traversal") + elseif(SYSCALLER_RESOLVER_HASHED_EXPORT) + list(APPEND CORE_HEADERS include/Resolver/Resolver.h) + list(APPEND CORE_SOURCES src/Resolver/Methods/HashedExportResolver.cpp) + message(STATUS "[SysCaller] Resolver: Hashed Export") + elseif(SYSCALLER_RESOLVER_DISK_MAPPED) + list(APPEND CORE_HEADERS include/Resolver/Resolver.h) + list(APPEND CORE_SOURCES src/Resolver/Methods/DiskMappedResolver.cpp) + message(STATUS "[SysCaller] Resolver: Disk Mapped") + else() + message(FATAL_ERROR "No resolver 
method selected! Define one of: SYSCALLER_RESOLVER_MEMORY_EXPORT, SYSCALLER_RESOLVER_PEB_LDR, SYSCALLER_RESOLVER_HASHED_EXPORT, or SYSCALLER_RESOLVER_DISK_MAPPED") + endif() else() message(STATUS "[SysCaller] Resolver: SKIPPED (not required for ${SYSCALLER_BUILD_MODE})") endif() if(SYSCALLER_BINDINGS) - list(APPEND CORE_SOURCES src/DLL/dllmain.cpp) + list(APPEND CORE_SOURCES src/DLL/DllMain.cpp) message(STATUS "[SysCaller] DLL Main: INCLUDED (bindings mode)") else() message(STATUS "[SysCaller] DLL Main: SKIPPED (bindings not enabled)") @@ -81,6 +119,10 @@ endif() target_compile_definitions(SysCaller PRIVATE ${SYSCALLER_MODE_DEFINE} $<$:SYSCALLER_BINDINGS> + $<$:SYSCALLER_RESOLVER_MEMORY_EXPORT> + $<$:SYSCALLER_RESOLVER_PEB_LDR> + $<$:SYSCALLER_RESOLVER_HASHED_EXPORT> + $<$:SYSCALLER_RESOLVER_DISK_MAPPED> ) target_include_directories(SysCaller PUBLIC 
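Review bot: `include/Resolver/Resolver.h` is appended to CORE_HEADERS unconditionally in the new "Always include base resolver files" list and then appended again inside every branch of the resolver `if/elseif`, so each configuration ends up with a duplicate entry; the per-branch `list(APPEND CORE_HEADERS include/Resolver/Resolver.h)` lines can be dropped. Separately, the renamed entries `include/SysCaller.h`, `include/Sys/SysFunctions.h`, `include/Sys/SysTypes.h`, `include/Sys/SysExternals.h` and `src/DLL/DllMain.cpp` do not match the paths this commit's other file headers still track (`include/syscaller.h`, `include/Sys/sysFunctions.h`, `include/Sys/sysTypes.h`, `include/Sys/sysExternals.h` and `src/DLL/dllmain.cpp` carry no rename entry, unlike `syscaller_config.h` → `SysCallerConfig.h`). That works on a case-insensitive Windows filesystem but fails on any case-sensitive checkout or CI; either rename those files in git as well or keep the old spellings in the lists.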
@@ -125,10 +167,23 @@ message(STATUS "============================================================") message(STATUS "SysCaller v${PROJECT_VERSION} Configuration Summary") message(STATUS "============================================================") message(STATUS "Build Mode: ${SYSCALLER_BUILD_MODE}") +if(SYSCALLER_BUILD_MODE STREQUAL "INDIRECT") + if(SYSCALLER_RESOLVER_MEMORY_EXPORT) + message(STATUS "Resolver: Memory Export (GetModuleHandle)") + elseif(SYSCALLER_RESOLVER_PEB_LDR) + message(STATUS "Resolver: PEB LDR Traversal (No WinAPI)") + elseif(SYSCALLER_RESOLVER_HASHED_EXPORT) + message(STATUS "Resolver: Hashed Export (No Strings)") + elseif(SYSCALLER_RESOLVER_DISK_MAPPED) + message(STATUS "Resolver: Disk Mapped (Anti-Hook)") + else() + message(STATUS "Resolver: NOT SELECTED (Will fail to build)") + endif() +endif() message(STATUS "Bindings: ${SYSCALLER_BINDINGS}") if(SYSCALLER_BINDINGS) message(STATUS "Bindings Mode: Exports enabled (.def file used)") endif() message(STATUS "Output Type: ${BUILD_SHARED_LIBS}") message(STATUS "C++ Standard: ${CMAKE_CXX_STANDARD}") -message(STATUS "============================================================") +message(STATUS "============================================================") \ No newline at end of file diff --git a/SysCaller/Wrapper/include/Sys/sysExternals.h b/SysCaller/Wrapper/include/Sys/sysExternals.h index c735b4d..5c1a3a5 100644 --- a/SysCaller/Wrapper/include/Sys/sysExternals.h +++ b/SysCaller/Wrapper/include/Sys/sysExternals.h @@ -1,6 +1,6 @@ #pragma once -#include -#include +#include +#include typedef struct _WNF_STATE_NAME { diff --git a/SysCaller/Wrapper/include/Sys/sysFunctions.h b/SysCaller/Wrapper/include/Sys/sysFunctions.h index ad6ec9c..61db9a5 100644 --- a/SysCaller/Wrapper/include/Sys/sysFunctions.h +++ b/SysCaller/Wrapper/include/Sys/sysFunctions.h @@ -1,7 +1,7 @@ #pragma once -#include -#include -#include +#include +#include +#include #ifdef _WIN64 /* only compile on 64bit systems */ 
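Review bot: The `Resolver: NOT SELECTED (Will fail to build)` branch in the configuration summary is unreachable, because the resolver selection earlier in this file already stops configuration with `message(FATAL_ERROR ...)` when no `SYSCALLER_RESOLVER_*` option is ON; either drop the branch or, if this is meant to be the user-facing diagnostic, move the FATAL_ERROR here. The same hunk also removes the trailing newline of CMakeLists.txt (`\ No newline at end of file`), as do the sysFunctions.h and SysCallerConfig.h hunks in this commit; that is a formatting regression that editors and `git diff` will keep flagging.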
@@ -3468,4 +3468,4 @@ NTSTATUS SCYieldExecution(VOID); } #endif -#endif +#endif \ No newline at end of file diff --git a/SysCaller/Wrapper/include/Sys/sysTypes.h b/SysCaller/Wrapper/include/Sys/sysTypes.h index 5af6258..5556f12 100644 --- a/SysCaller/Wrapper/include/Sys/sysTypes.h +++ b/SysCaller/Wrapper/include/Sys/sysTypes.h @@ -1,8 +1,8 @@ #pragma once -#include -#include -#include +#include +#include +#include // #define USE_PISID /* Uncomment this line to use PISID instead of PSID */ #define USE_DYNAMIC_ARRAY /* Uncomment this line to use dynamic array */ diff --git a/SysCaller/Wrapper/include/syscaller_config.h b/SysCaller/Wrapper/include/SysCallerConfig.h similarity index 86% rename from SysCaller/Wrapper/include/syscaller_config.h rename to SysCaller/Wrapper/include/SysCallerConfig.h index 34d5fc4..f7bfb31 100644 --- a/SysCaller/Wrapper/include/syscaller_config.h +++ b/SysCaller/Wrapper/include/SysCallerConfig.h @@ -1,6 +1,6 @@ #pragma once #ifndef SYSCALLER_BUILD_CONFIG -#error "Do not include syscaller_config.h directly, use syscaller.h instead" +#error "Do not include SysCallerConfig.h directly, use SysCaller.h instead" #endif /* @@ -20,7 +20,7 @@ /* * Optional: Uncomment if building for multi language bindings - * This will include dllmain.cpp in the build + * This will include DllMain.cpp in the build */ // #define SYSCALLER_BINDINGS @@ -40,4 +40,4 @@ // #define SYSCALLER_RESOLVER_HASHED_EXPORT /* Use disk mapped ntdll.dll parsing (uses WinAPI for I/O funcs not locating ntdll) */ -// #define SYSCALLER_RESOLVER_DISK_MAPPED +// #define SYSCALLER_RESOLVER_DISK_MAPPED \ No newline at end of file diff --git a/SysCaller/Wrapper/include/syscaller.h b/SysCaller/Wrapper/include/syscaller.h index c615c91..3cb9419 100644 --- a/SysCaller/Wrapper/include/syscaller.h +++ b/SysCaller/Wrapper/include/syscaller.h 
@@ -18,7 +18,7 @@ /* * SysCaller Build Configuration * - * Define one of these macros in syscaller_config.h: + * Define one of these macros in SysCallerConfig.h: * - SYSCALLER_DIRECT : Direct syscalls (default if none specified) * - SYSCALLER_INDIRECT : Indirect syscalls with runtime resolution * - SYSCALLER_INLINE : Inline ASM syscalls @@ -36,7 +36,7 @@ */ #define SYSCALLER_BUILD_CONFIG -#include +#include #undef SYSCALLER_BUILD_CONFIG #if !defined(SYSCALLER_DIRECT) && !defined(SYSCALLER_INDIRECT) && !defined(SYSCALLER_INLINE) @@ -74,9 +74,9 @@ #include #include -#include -#include -#include +#include +#include +#include #if defined(SYSCALLER_INDIRECT) diff --git a/SysCaller/Wrapper/src/build_info.cpp b/SysCaller/Wrapper/src/BuildInfo.cpp similarity index 97% rename from SysCaller/Wrapper/src/build_info.cpp rename to SysCaller/Wrapper/src/BuildInfo.cpp index de0d8f9..2423419 100644 --- a/SysCaller/Wrapper/src/build_info.cpp +++ b/SysCaller/Wrapper/src/BuildInfo.cpp @@ -25,7 +25,7 @@ #pragma message("[SysCaller] Resolver: SKIPPED (not required for direct/inline)") #endif -#include +#include /* empty function ensures this TU is compiled and processed */ void SysCallerBuildInfo() {} \ No newline at end of file diff --git a/SysCaller/Wrapper/src/DLL/dllmain.cpp b/SysCaller/Wrapper/src/DLL/dllmain.cpp index b7e84b8..deee060 100644 --- a/SysCaller/Wrapper/src/DLL/dllmain.cpp +++ b/SysCaller/Wrapper/src/DLL/dllmain.cpp @@ -22,5 +22,5 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserv #else /* not in bindings mode file compiles to nothing */ -#pragma message("SysCaller: dllmain.cpp skipped (SYSCALLER_BINDINGS not defined)") +#pragma message("SysCaller: DllMain.cpp skipped (SYSCALLER_BINDINGS not defined)") #endif \ No newline at end of file diff --git a/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp b/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp index 679fbed..10dcf03 100644 --- a/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp 
+++ b/SysCaller/Wrapper/src/Resolver/ResolverBase.cpp @@ -1,7 +1,6 @@ #include #include #include -#include /* shared global state */ static std::unordered_map syscallCache; diff --git a/SysCallerK/SysCallerK.vcxproj b/SysCallerK/SysCallerK.vcxproj index b4eeff3..6c13fe1 100644 --- a/SysCallerK/SysCallerK.vcxproj +++ b/SysCallerK/SysCallerK.vcxproj @@ -49,8 +49,12 @@ - $(ProjectDir)Wrapper\build\$(Platform)\$(Configuration)\ - $(ShortProjectName)\$(Platform)\$(Configuration)\ + $(SolutionDir)Build\SysCallerK\$(Configuration)\ + $(SolutionDir)Build\SysCallerK\int\$(Configuration)\ + + + $(SolutionDir)Build\SysCallerK\$(Configuration)\ + $(SolutionDir)Build\SysCallerK\int\$(Configuration)\ @@ -80,7 +84,7 @@ true true true - NDEBUG;_KERNEL_MODE;KERNEL_MODE=1;NT_INST=0;%(PreprocessorDefinitions) + NDEBUG;_KERNEL_MODE;KERNEL_MODE=1;NT_INST=0;_AMD64_;AMD64;%(PreprocessorDefinitions) true stdcpp20 C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.26100.0\km;$(ProjectDir)Wrapper\include;%(AdditionalIncludeDirectories) @@ -99,19 +103,19 @@ - - - - - + + + + + - + _KERNEL_MODE;%(PreprocessorDefinitions) - + diff --git a/SysCallerK/Wrapper/include/syscaller_k.h b/SysCallerK/Wrapper/include/SysCallerK.h similarity index 79% rename from SysCallerK/Wrapper/include/syscaller_k.h rename to SysCallerK/Wrapper/include/SysCallerK.h index 2afe352..680924b 100644 --- a/SysCallerK/Wrapper/include/syscaller_k.h +++ b/SysCallerK/Wrapper/include/SysCallerK.h 
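Review bot: `_AMD64_;AMD64` is added by hand to the kernel project's preprocessor definitions (SysCallerK.vcxproj hunk @@ -80,7 +84,7), but the solution hunk in this commit still carries `Debug|x86`/`Release|x86` configurations mapped to `Win32`, so unless this definitions element is conditioned on `'$(Platform)'=='x64'` (the Condition attribute is stripped from this rendering) a Win32 build of SysCallerK would compile the WDK headers with the wrong architecture macros. The WDK toolset normally supplies these per platform; if they are needed here, condition the element on the platform or drop the x86 configurations for the kernel project. Only the Release definitions appear in this hunk; the Debug configuration's line is outside it and should be checked for the same change.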
@@ -1,22 +1,22 @@ -#pragma once - -/* - * SysCaller Kernel SDK - * Copyright (c) 2025 micREsoft - * - * License: GPLv3 - * - * This software is free to use, modify, and distribute under the terms - * of the GNU General Public License version 3. - * - * You MAY NOT sell this software or derivative versions without also releasing - * their full source code under the same license. - * - * For more information, see https://www.gnu.org/licenses/gpl-3.0.html - */ - -#include - -#include -#include -#include \ No newline at end of file +#pragma once + +/* + * SysCaller Kernel SDK + * Copyright (c) 2025 micREsoft + * + * License: GPLv3 + * + * This software is free to use, modify, and distribute under the terms + * of the GNU General Public License version 3. + * + * You MAY NOT sell this software or derivative versions without also releasing + * their full source code under the same license. + * + * For more information, see https://www.gnu.org/licenses/gpl-3.0.html + */ + +#include + +#include +#include +#include \ No newline at end of file diff --git a/SysCallerK/Wrapper/include/SysK/sysConstants_k.h b/SysCallerK/Wrapper/include/SysK/SysKConstants.h similarity index 98% rename from SysCallerK/Wrapper/include/SysK/sysConstants_k.h rename to SysCallerK/Wrapper/include/SysK/SysKConstants.h index 5afa122..11532b2 100644 --- a/SysCallerK/Wrapper/include/SysK/sysConstants_k.h +++ b/SysCallerK/Wrapper/include/SysK/SysKConstants.h 
@@ -1,84 +1,85 @@ -#pragma once -#define CM_EXTENDED_PARAMETER_TYPE_BITS 8 -#define GDI_BATCH_BUFFER_SIZE 310 -#define WIN32_CLIENT_INFO_LENGTH 62 -#define STATIC_UNICODE_BUFFER_LENGTH 261 -#define TLS_MINIMUM_AVAILABLE 64 -#define RTL_MAX_DRIVE_LETTERS 32 - -#define PAGE_SIZE 0x1000 -#define PAGE_MASK 0xFFF -#ifndef PAGE_SHIFT -#define PAGE_SHIFT 0xC -#endif -#define PAGE_NOACCESS 0x01 /* Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation. */ -#define PAGE_READONLY 0x02 /* Enables read-only access to the committed region of pages. An attempt to write or execute the committed region results in an access violation. */ -#define PAGE_READWRITE 0x04 /* Enables read-only or read/write access to the committed region of pages. */ -#define PAGE_WRITECOPY 0x08 /* Enables read-only or copy-on-write access to a mapped view of a file mapping object. */ -#define PAGE_EXECUTE 0x10 /* Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation. */ -#define PAGE_EXECUTE_READ 0x20 /* Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. */ -#define PAGE_EXECUTE_READWRITE 0x40 /* Enables execute, read-only, or read/write access to the committed region of pages. */ -#define PAGE_EXECUTE_WRITECOPY 0x80 /* Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. */ -#define PAGE_GUARD 0x100 /* Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception. */ -#define PAGE_NOCACHE 0x200 /* Sets all pages to be non-cachable. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. 
*/ -#define PAGE_WRITECOMBINE 0x400 /* Sets all pages to be write-combined. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. */ -#define PAGE_REVERT_TO_FILE_MAP 0x80000000 /* Pages in the region can revert modified copy-on-write pages to the original unmodified page when using the mapped view of a file mapping object. */ -#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 /* Pages in the region contain a thread control structure (TCS) from the Intel Software Guard Extensions programming model. */ -#define PAGE_TARGETS_NO_UPDATE 0x40000000 /* Pages in the region will not update the CFG bitmap when the protection changes. The default behavior for VirtualProtect is to mark all locations as valid call targets for CFG. */ -#define PAGE_TARGETS_INVALID 0x40000000 /* Pages in the region are excluded from the CFG bitmap as valid targets. Any indirect call to locations in those pages will terminate the process using the __fastfail intrinsic. */ -#define PAGE_ENCLAVE_UNVALIDATED 0x20000000 /* Pages in the region are excluded from measurement with the EEXTEND instruction of the Intel Software Guard Extensions programming model. 
*/ -#define PAGE_ENCLAVE_NO_CHANGE 0x20000000 -#define PAGE_ENCLAVE_MASK 0x10000000 -#define PAGE_ENCLAVE_DECOMMIT (PAGE_ENCLAVE_MASK | 0) -#define PAGE_ENCLAVE_SS_FIRST (PAGE_ENCLAVE_MASK | 1) -#define PAGE_ENCLAVE_SS_REST (PAGE_ENCLAVE_MASK | 2) - -/* Memory Region and Section Constants */ -#ifndef GENERIC_ALL -#define GENERIC_ALL 0x10000000 -#endif - -#define MEM_COMMIT 0x00001000 -#define MEM_RESERVE 0x00002000 -#define MEM_DECOMMIT 0x00004000 -#define MEM_RELEASE 0x00008000 -#define MEM_FREE 0x00010000 -#define MEM_PRIVATE 0x00020000 -#define MEM_MAPPED 0x00040000 -#define MEM_RESET 0x00080000 -#define MEM_TOP_DOWN 0x00100000 -#define MEM_WRITE_WATCH 0x00200000 -#define MEM_PHYSICAL 0x00400000 -#define MEM_ROTATE 0x00800000 -#define MEM_DIFFERENT_IMAGE_BASE_OK 0x00800000 -#define MEM_RESET_UNDO 0x01000000 -#define MEM_LARGE_PAGES 0x20000000 -#define MEM_DOS_LIM 0x40000000 -#define MEM_4MB_PAGES 0x80000000 -#define MEM_64K_PAGES (MEM_LARGE_PAGES | MEM_PHYSICAL) -#define MEM_UNMAP_WITH_TRANSIENT_BOOST 0x00000001 -#define MEM_COALESCE_PLACEHOLDERS 0x00000001 -#define MEM_PRESERVE_PLACEHOLDER 0x00000002 -#define MEM_REPLACE_PLACEHOLDER 0x00004000 -#define MEM_RESERVE_PLACEHOLDER 0x00040000 -#define SEC_HUGE_PAGES 0x00020000 -#define SEC_PARTITION_OWNER_HANDLE 0x00040000 -#define SEC_64K_PAGES 0x00080000 -#define SEC_DRIVER_IMAGE 0x00100000 /* rev */ -#define SEC_BASED 0x00200000 -#define SEC_NO_CHANGE 0x00400000 -#define SEC_FILE 0x00800000 -#define SEC_IMAGE 0x01000000 -#define SEC_PROTECTED_IMAGE 0x02000000 -#define SEC_RESERVE 0x04000000 -#define SEC_COMMIT 0x08000000 -#define SEC_NOCACHE 0x10000000 -#define SEC_GLOBAL 0x20000000 - -#ifndef SECTION_ALL_ACCESS -#define SECTION_ALL_ACCESS 0x10000000 -#endif - -#define SEC_WRITECOMBINE 0x40000000 -#define SEC_LARGE_PAGES 0x80000000 +#pragma once + +#define CM_EXTENDED_PARAMETER_TYPE_BITS 8 +#define GDI_BATCH_BUFFER_SIZE 310 +#define WIN32_CLIENT_INFO_LENGTH 62 +#define STATIC_UNICODE_BUFFER_LENGTH 261 +#define 
TLS_MINIMUM_AVAILABLE 64 +#define RTL_MAX_DRIVE_LETTERS 32 + +#define PAGE_SIZE 0x1000 +#define PAGE_MASK 0xFFF +#ifndef PAGE_SHIFT +#define PAGE_SHIFT 0xC +#endif +#define PAGE_NOACCESS 0x01 /* Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation. */ +#define PAGE_READONLY 0x02 /* Enables read-only access to the committed region of pages. An attempt to write or execute the committed region results in an access violation. */ +#define PAGE_READWRITE 0x04 /* Enables read-only or read/write access to the committed region of pages. */ +#define PAGE_WRITECOPY 0x08 /* Enables read-only or copy-on-write access to a mapped view of a file mapping object. */ +#define PAGE_EXECUTE 0x10 /* Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation. */ +#define PAGE_EXECUTE_READ 0x20 /* Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. */ +#define PAGE_EXECUTE_READWRITE 0x40 /* Enables execute, read-only, or read/write access to the committed region of pages. */ +#define PAGE_EXECUTE_WRITECOPY 0x80 /* Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. */ +#define PAGE_GUARD 0x100 /* Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception. */ +#define PAGE_NOCACHE 0x200 /* Sets all pages to be non-cachable. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. */ +#define PAGE_WRITECOMBINE 0x400 /* Sets all pages to be write-combined. Applications should not use this attribute. 
Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. */ +#define PAGE_REVERT_TO_FILE_MAP 0x80000000 /* Pages in the region can revert modified copy-on-write pages to the original unmodified page when using the mapped view of a file mapping object. */ +#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 /* Pages in the region contain a thread control structure (TCS) from the Intel Software Guard Extensions programming model. */ +#define PAGE_TARGETS_NO_UPDATE 0x40000000 /* Pages in the region will not update the CFG bitmap when the protection changes. The default behavior for VirtualProtect is to mark all locations as valid call targets for CFG. */ +#define PAGE_TARGETS_INVALID 0x40000000 /* Pages in the region are excluded from the CFG bitmap as valid targets. Any indirect call to locations in those pages will terminate the process using the __fastfail intrinsic. */ +#define PAGE_ENCLAVE_UNVALIDATED 0x20000000 /* Pages in the region are excluded from measurement with the EEXTEND instruction of the Intel Software Guard Extensions programming model. 
*/ +#define PAGE_ENCLAVE_NO_CHANGE 0x20000000 +#define PAGE_ENCLAVE_MASK 0x10000000 +#define PAGE_ENCLAVE_DECOMMIT (PAGE_ENCLAVE_MASK | 0) +#define PAGE_ENCLAVE_SS_FIRST (PAGE_ENCLAVE_MASK | 1) +#define PAGE_ENCLAVE_SS_REST (PAGE_ENCLAVE_MASK | 2) + +/* Memory Region and Section Constants */ +#ifndef GENERIC_ALL +#define GENERIC_ALL 0x10000000 +#endif + +#define MEM_COMMIT 0x00001000 +#define MEM_RESERVE 0x00002000 +#define MEM_DECOMMIT 0x00004000 +#define MEM_RELEASE 0x00008000 +#define MEM_FREE 0x00010000 +#define MEM_PRIVATE 0x00020000 +#define MEM_MAPPED 0x00040000 +#define MEM_RESET 0x00080000 +#define MEM_TOP_DOWN 0x00100000 +#define MEM_WRITE_WATCH 0x00200000 +#define MEM_PHYSICAL 0x00400000 +#define MEM_ROTATE 0x00800000 +#define MEM_DIFFERENT_IMAGE_BASE_OK 0x00800000 +#define MEM_RESET_UNDO 0x01000000 +#define MEM_LARGE_PAGES 0x20000000 +#define MEM_DOS_LIM 0x40000000 +#define MEM_4MB_PAGES 0x80000000 +#define MEM_64K_PAGES (MEM_LARGE_PAGES | MEM_PHYSICAL) +#define MEM_UNMAP_WITH_TRANSIENT_BOOST 0x00000001 +#define MEM_COALESCE_PLACEHOLDERS 0x00000001 +#define MEM_PRESERVE_PLACEHOLDER 0x00000002 +#define MEM_REPLACE_PLACEHOLDER 0x00004000 +#define MEM_RESERVE_PLACEHOLDER 0x00040000 +#define SEC_HUGE_PAGES 0x00020000 +#define SEC_PARTITION_OWNER_HANDLE 0x00040000 +#define SEC_64K_PAGES 0x00080000 +#define SEC_DRIVER_IMAGE 0x00100000 /* rev */ +#define SEC_BASED 0x00200000 +#define SEC_NO_CHANGE 0x00400000 +#define SEC_FILE 0x00800000 +#define SEC_IMAGE 0x01000000 +#define SEC_PROTECTED_IMAGE 0x02000000 +#define SEC_RESERVE 0x04000000 +#define SEC_COMMIT 0x08000000 +#define SEC_NOCACHE 0x10000000 +#define SEC_GLOBAL 0x20000000 + +#ifndef SECTION_ALL_ACCESS +#define SECTION_ALL_ACCESS 0x10000000 +#endif + +#define SEC_WRITECOMBINE 0x40000000 +#define SEC_LARGE_PAGES 0x80000000 #define SEC_IMAGE_NO_EXECUTE (SEC_IMAGE | SEC_NOCACHE) \ No newline at end of file 
diff --git a/SysCallerK/Wrapper/include/SysK/sysExternals_k.h b/SysCallerK/Wrapper/include/SysK/SysKExternals.h
similarity index 98%
rename from SysCallerK/Wrapper/include/SysK/sysExternals_k.h
rename to SysCallerK/Wrapper/include/SysK/SysKExternals.h
index 69cf700..b0691b4 100644
--- a/SysCallerK/Wrapper/include/SysK/sysExternals_k.h
+++ b/SysCallerK/Wrapper/include/SysK/SysKExternals.h
@@ -1,1027 +1,1027 @@
-#pragma once
-
-#include
-
-typedef struct _SYSK_WNF_STATE_NAME
-{
- ULONG Data[2];
-} SYSK_WNF_STATE_NAME, * SYSK_PWNF_STATE_NAME;
-
-/* WNF Type ID */
-typedef struct _WNF_TYPE_ID
-{
- GUID TypeId;
-} WNF_TYPE_ID, * PWNF_TYPE_ID;
-
-typedef unsigned long DWORD;
-
-/* General Types */
-typedef LONG NTSTATUS;
-typedef ULONG LOGICAL;
-typedef ULONG_PTR SIZE_T;
-typedef SIZE_T * PSIZE_T;
-typedef GUID * PCGUID;
-typedef GUID * PCRM_PROTOCOL_ID;
-typedef DWORD SECURITY_INFORMATION, * PSECURITY_INFORMATION;
-typedef LARGE_INTEGER * PLARGE_INTEGER;
-typedef ULONG WNF_CHANGE_STAMP, * PWNF_CHANGE_STAMP;
-typedef ULONG_PTR KAFFINITY;
-typedef WNF_STATE_NAME * PWNF_STATE_NAME;
-typedef PVOID PT2_CANCEL_PARAMETERS;
-typedef const WNF_STATE_NAME * PCWNF_STATE_NAME;
-typedef const WNF_TYPE_ID * PCWNF_TYPE_ID;
-typedef const wchar_t * PCWSTR;
-typedef const UNICODE_STRING * PCUNICODE_STRING;
-typedef LANGID * PLANGID;
-typedef ULONG LCID;
-typedef LCID * PLCID;
-typedef const GUID * LPCGUID;
-typedef GUID * LPGUID;
-
-/* ALPC Types */
-typedef struct _PORT_MESSAGE * PPORT_MESSAGE;
-typedef struct _PORT_VIEW * PPORT_VIEW;
-typedef struct _REMOTE_PORT_VIEW * PREMOTE_PORT_VIEW;
-typedef struct _ALPC_PORT_ATTRIBUTES * PALPC_PORT_ATTRIBUTES;
-typedef struct _ALPC_MESSAGE_ATTRIBUTES * PALPC_MESSAGE_ATTRIBUTES;
-typedef struct _ALPC_CONTEXT_ATTR * PALPC_CONTEXT_ATTR;
-typedef HANDLE ALPC_HANDLE;
-typedef struct _ALPC_DATA_VIEW_ATTR * PALPC_DATA_VIEW_ATTR;
-typedef struct _ALPC_SECURITY_ATTR * PALPC_SECURITY_ATTR;
-typedef HANDLE PALPC_HANDLE;
-
-/* Proccess & Thread Types */
-typedef struct _OBJECT_TYPE * POBJECT_TYPE;
-typedef NTSTATUS * PNTSTATUS;
-typedef HANDLE AUDIT_EVENT_HANDLE;
-typedef struct _BOOT_ENTRY * PBOOT_ENTRY;
-typedef struct _EFI_DRIVER_ENTRY * PEFI_DRIVER_ENTRY;
-typedef ULONG PROCESS_ACTIVITY_TYPE;
-typedef struct _RTL_ATOM * PRTL_ATOM;
-typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION * PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
-typedef struct _SYSK_OBJECT_ATTRIBUTES * PSYSK_COBJECT_ATTRIBUTES;
-typedef enum _MEMORY_RESERVE_TYPE MEMORY_RESERVE_TYPE;
-
-/* Enum Classes & Types -> */
-
-/* ALPC Message Information Classes */
-typedef enum _ALPC_MESSAGE_INFORMATION_CLASS
-{
- AlpcMessageSidInformation, /* q: out SID */
- AlpcMessageTokenModifiedIdInformation, /* q: out LUID */
- AlpcMessageDirectStatusInformation,
- AlpcMessageHandleInformation, /* ALPC_MESSAGE_HANDLE_INFORMATION */
- MaxAlpcMessageInfoClass
-} ALPC_MESSAGE_INFORMATION_CLASS, * PALPC_MESSAGE_INFORMATION_CLASS;
-
-/* ALPC Port Information Classes */
-typedef enum _ALPC_PORT_INFORMATION_CLASS
-{
- AlpcBasicInformation, /* q: out ALPC_BASIC_INFORMATION */
- AlpcPortInformation, /* s: in ALPC_PORT_ATTRIBUTES */
- AlpcAssociateCompletionPortInformation, /* s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT */
- AlpcConnectedSIDInformation, /* q: in SID */
- AlpcServerInformation, /* q: inout ALPC_SERVER_INFORMATION */
- AlpcMessageZoneInformation, /* s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION */
- AlpcRegisterCompletionListInformation, /* s: in ALPC_PORT_COMPLETION_LIST_INFORMATION */
- AlpcUnregisterCompletionListInformation, /* s: VOID */
- AlpcAdjustCompletionListConcurrencyCountInformation, /* s: in ULONG */
- AlpcRegisterCallbackInformation, /* s: ALPC_REGISTER_CALLBACK, kernel-mode only */
- AlpcCompletionListRundownInformation, /* s: VOID, 10 */
- AlpcWaitForPortReferences,
- AlpcServerSessionInformation /* q: ALPC_SERVER_SESSION_INFORMATION, since 19H2 */
-} ALPC_PORT_INFORMATION_CLASS;
-
-/* Atom Information Classes */
-typedef enum _ATOM_INFORMATION_CLASS
-{
- AtomBasicInformation,
- AtomTableInformation
-} ATOM_INFORMATION_CLASS;
-
-/* CPU Partition Information Classes */
-typedef enum _CPU_PARTITION_INFORMATION_CLASS
-{
- CpuPartitionBasicInformation, /* q: BASIC_CPU_PARTITION_INFORMATION */
- CpuPartitionPerformanceInformation, /* q: CPU_PARTITION_PERFORMANCE_INFORMATION */
- CpuPartitionTopologyInformation, /* q: CPU_PARTITION_TOPOLOGY_INFORMATION */
- CpuPartitionAffinityInformation, /* q; s: CPU_PARTITION_AFFINITY_INFORMATION */
- CpuPartitionPolicyInformation, /* q; s: CPU_PARTITION_POLICY_INFORMATION */
- CpuPartitionSchedulingInformation, /* q: CPU_PARTITION_SCHEDULING_INFORMATION */
- CpuPartitionResourceControl, /* s: CPU_PARTITION_RESOURCE_CONTROL_INFORMATION */
- CpuPartitionPowerManagement, /* q; s: CPU_PARTITION_POWER_MANAGEMENT_INFORMATION */
- CpuPartitionStatistics, /* q: CPU_PARTITION_STATISTICS_INFORMATION */
- CpuPartitionDebugInformation, /* q: CPU_PARTITION_DEBUG_INFORMATION */
- CpuPartitionMax
-} CPU_PARTITION_INFORMATION_CLASS, * PCPU_PARTITION_INFORMATION_CLASS;
-
-/* Debug States */
-typedef enum _DBG_STATE
-{
- DbgIdle,
- DbgReplyPending,
- DbgCreateThreadStateChange,
- DbgCreateProcessStateChange,
- DbgExitThreadStateChange,
- DbgExitProcessStateChange,
- DbgExceptionStateChange,
- DbgBreakpointStateChange,
- DbgSingleStepStateChange,
- DbgLoadDllStateChange,
- DbgUnloadDllStateChange
-} DBG_STATE, * PDBG_STATE;
-
-/* Debug Object Information Classes */
-typedef enum _DEBUGOBJECTINFOCLASS
-{
- DebugObjectUnusedInformation,
- DebugObjectKillProcessOnExitInformation, /* s: ULONG */
- MaxDebugObjectInfoClass
-} DEBUGOBJECTINFOCLASS, * PDEBUGOBJECTINFOCLASS;
-
-/* Directory Notify Information Classes */
-typedef enum _SYSK_DIRECTORY_NOTIFY_INFORMATION_CLASS {
- SysKDirectoryNotifyInformation,
- SysKDirectoryNotifyInformationEx,
- SysKDirectoryNotifyInformationMax
-} SYSK_DIRECTORY_NOTIFY_INFORMATION_CLASS;
-
-/* ETW Trace Control Codes */
-typedef enum _ETWTRACECONTROLCODE
-{
- EtwStartLoggerCode = 1, /* inout WMI_LOGGER_INFORMATION */
- EtwStopLoggerCode = 2, /* inout WMI_LOGGER_INFORMATION */
- EtwQueryLoggerCode = 3, /* inout WMI_LOGGER_INFORMATION */
- EtwUpdateLoggerCode = 4, /* inout WMI_LOGGER_INFORMATION */
- EtwFlushLoggerCode = 5, /* inout WMI_LOGGER_INFORMATION */
- EtwIncrementLoggerFile = 6, /* inout WMI_LOGGER_INFORMATION */
- EtwRealtimeTransition = 7, /* inout WMI_LOGGER_INFORMATION */
- /* reserved */
- EtwRealtimeConnectCode = 11,
- EtwActivityIdCreate = 12,
- EtwWdiScenarioCode = 13,
- EtwRealtimeDisconnectCode = 14, /* in HANDLE */
- EtwRegisterGuidsCode = 15,
- EtwReceiveNotification = 16,
- EtwSendDataBlock = 17, /* ETW_ENABLE_NOTIFICATION_PACKET, ETW_SESSION_NOTIFICATION_PACKET */
- EtwSendReplyDataBlock = 18,
- EtwReceiveReplyDataBlock = 19,
- EtwWdiSemUpdate = 20,
- EtwEnumTraceGuidList = 21, /* out GUID[] */
- EtwGetTraceGuidInfo = 22, /* in GUID, out ETW_TRACE_GUID_INFO */
- EtwEnumerateTraceGuids = 23, /* out TRACE_GUID_PROPERTIES[] */
- EtwRegisterSecurityProv = 24,
- EtwReferenceTimeCode = 25, /* in ULONG LoggerId, out ETW_REF_CLOCK */
- EtwTrackBinaryCode = 26, /* in HANDLE */
- EtwAddNotificationEvent = 27,
- EtwUpdateDisallowList = 28,
- EtwSetEnableAllKeywordsCode = 29,
- EtwSetProviderTraitsCode = 30,
- EtwUseDescriptorTypeCode = 31,
- EtwEnumTraceGroupList = 32,
- EtwGetTraceGroupInfo = 33,
- EtwGetDisallowList = 34,
- EtwSetCompressionSettings = 35,
- EtwGetCompressionSettings = 36,
- EtwUpdatePeriodicCaptureState = 37,
- EtwGetPrivateSessionTraceHandle = 38,
- EtwRegisterPrivateSession = 39,
- EtwQuerySessionDemuxObject = 40,
- EtwSetProviderBinaryTracking = 41,
- EtwMaxLoggers = 42, /* out ULONG */
- EtwMaxPmcCounter = 43, /* out ULONG */
- EtwQueryUsedProcessorCount = 44, /* ULONG, since WIN11 */
- EtwGetPmcOwnership = 45,
- EtwGetPmcSessions = 46,
-} ETWTRACECONTROLCODE;
-
-/* Event Information Classes */
-typedef enum _EVENT_INFORMATION_CLASS
-{
- EventBasicInformation
-} EVENT_INFORMATION_CLASS;
-
-/* Event Types */
-typedef enum _SYSK_EVENT_TYPE {
- SysKNotificationEvent,
- SysKSynchronizationEvent,
-} SYSK_EVENT_TYPE;
-
-/* Filter Boot Option Operations */
-typedef enum _FILTER_BOOT_OPTION_OPERATION {
- FilterBootOptionAdd,
- FilterBootOptionRemove,
- FilterBootOptionModify,
- FilterBootOptionQuery
-} FILTER_BOOT_OPTION_OPERATION;
-
-/* File System Information Classes */
-typedef enum _SYSK_FSINFOCLASS
-{
- SysKFileFsVolumeInformation = 1, /* q: FILE_FS_VOLUME_INFORMATION */
- SysKFileFsLabelInformation, /* s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) */
- SysKFileFsSizeInformation, /* q: FILE_FS_SIZE_INFORMATION */
- SysKFileFsDeviceInformation, /* q: FILE_FS_DEVICE_INFORMATION */
- SysKFileFsAttributeInformation, /* q: FILE_FS_ATTRIBUTE_INFORMATION */
- SysKFileFsControlInformation, /* q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) */
- SysKFileFsFullSizeInformation, /* q: FILE_FS_FULL_SIZE_INFORMATION */
- SysKFileFsObjectIdInformation, /* q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) */
- SysKFileFsDriverPathInformation, /* q: FILE_FS_DRIVER_PATH_INFORMATION */
- SysKFileFsVolumeFlagsInformation, /* q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume), 10 */
- SysKFileFsSectorSizeInformation, /* q: FILE_FS_SECTOR_SIZE_INFORMATION, since WIN8 */
- SysKFileFsDataCopyInformation, /* q: FILE_FS_DATA_COPY_INFORMATION */
- SysKFileFsMetadataSizeInformation, /* q: FILE_FS_METADATA_SIZE_INFORMATION, since THRESHOLD */
- SysKFileFsFullSizeInformationEx, /* q: FILE_FS_FULL_SIZE_INFORMATION_EX, since REDSTONE5 */
- SysKFileFsGuidInformation, /* q: FILE_FS_GUID_INFORMATION, since 23H2 */
- SysKFileFsMaximumInformation
-} SYSK_FSINFOCLASS, * PSYSK_FSINFOCLASS;
-
-/* IO Completion Information Classes */
-typedef enum _IO_COMPLETION_INFORMATION_CLASS
-{
- IoCompletionBasicInformation
-} IO_COMPLETION_INFORMATION_CLASS;
-
-/* IO Session Events */
-typedef enum _SYSK_IO_SESSION_EVENT
-{
- SysKIoSessionEventIgnore,
- SysKIoSessionEventCreated,
- SysKIoSessionEventTerminated,
- SysKIoSessionEventConnected,
- SysKIoSessionEventDisconnected,
- SysKIoSessionEventLogon,
- SysKIoSessionEventLogoff,
- SysKIoSessionEventMax
-} SYSK_IO_SESSION_EVENT;
-
-/* IO Session States */
-typedef enum _SYSK_IO_SESSION_STATE
-{
- SysKIoSessionStateCreated = 1,
- SysKIoSessionStateInitialized = 2,
- SysKIoSessionStateConnected = 3,
- SysKIoSessionStateDisconnected = 4,
- SysKIoSessionStateDisconnectedLoggedOn = 5,
- SysKIoSessionStateLoggedOn = 6,
- SysKIoSessionStateLoggedOff = 7,
- SysKIoSessionStateTerminated = 8,
- SysKIoSessionStateMax
-} SYSK_IO_SESSION_STATE;
-
-/* Job Object Information Classes */
-
-typedef enum _JOBOBJECTINFOCLASS {
- JobObjectBasicAccountingInformation = 1,
- JobObjectBasicLimitInformation = 2,
- JobObjectBasicProcessIdList = 3,
- JobObjectBasicUIRestrictions = 4,
- JobObjectSecurityLimitInformation = 5,
- JobObjectEndOfJobTimeInformation = 6,
- JobObjectAssociateCompletionPortInformation = 7,
- JobObjectBasicAndIoAccountingInformation = 8,
- JobObjectExtendedLimitInformation = 9,
- JobObjectJobSetInformation = 10,
- JobObjectGroupInformation = 11,
- JobObjectNotificationLimitInformation = 12,
- JobObjectLimitViolationInformation = 13,
- JobObjectGroupInformationEx = 14,
- JobObjectCpuRateControlInformation = 15,
- JobObjectCompletionFilter = 16,
- JobObjectCompletionCounter = 17,
- JobObjectFreezeInformation = 18,
- JobObjectExtendedAccountingInformation = 19,
- JobObjectWakeInformation = 20,
- JobObjectBackgroundInformation = 21,
- JobObjectSchedulingRankBiasInformation = 22,
- JobObjectTimerVirtualizationInformation = 23,
- JobObjectCycleTimeNotification = 24,
- JobObjectClearEvent = 25,
- JobObjectInterferenceInformation = 26,
- JobObjectClearPeakJobMemoryUsed = 27,
- JobObjectMemoryUsageInformation = 28,
- JobObjectSharedCommit = 29,
- JobObjectContainerId = 30,
- JobObjectIoRateControlInformation = 31,
- JobObjectNetRateControlInformation = 32,
- JobObjectNotificationLimitInformation2 = 33,
- JobObjectLimitViolationInformation2 = 34,
- JobObjectCreateSilo = 35,
- JobObjectSiloBasicInformation = 36,
- JobObjectReserved1 = 37,
- JobObjectReserved2 = 38,
- JobObjectReserved3 = 39,
- JobObjectReserved4 = 40,
- JobObjectReserved5 = 41,
- JobObjectReserved6 = 42,
- JobObjectReserved7 = 43,
- JobObjectReserved8 = 44,
- JobObjectReserved9 = 45,
- JobObjectReserved10 = 46,
- JobObjectReserved11 = 47,
- JobObjectReserved12 = 48,
- JobObjectReserved13 = 49,
- JobObjectReserved14 = 50,
- JobObjectNetRateControlInformation2 = 51,
- JobObjectMax = 52
-} JOBOBJECTINFOCLASS;
-
-/* Key Information Classes */
-typedef enum _SYSK_KEY_INFORMATION_CLASS
-{
- SysKKeyBasicInformation, /* KEY_BASIC_INFORMATION */
- SysKKeyNodeInformation, /* KEY_NODE_INFORMATION */
- SysKKeyFullInformation, /* KEY_FULL_INFORMATION */
- SysKKeyNameInformation, /* KEY_NAME_INFORMATION */
- SysKKeyCachedInformation, /* KEY_CACHED_INFORMATION */
- SysKKeyFlagsInformation, /* KEY_FLAGS_INFORMATION */
- SysKKeyVirtualizationInformation, /* KEY_VIRTUALIZATION_INFORMATION */
- SysKKeyHandleTagsInformation, /* KEY_HANDLE_TAGS_INFORMATION */
- SysKKeyTrustInformation, /* KEY_TRUST_INFORMATION */
- SysKKeyLayerInformation, /* KEY_LAYER_INFORMATION */
- SysKMaxKeyInfoClass
-} SYSK_KEY_INFORMATION_CLASS;
-
-/* Key Value Information Classes */
-typedef enum _SYSK_KEY_VALUE_INFORMATION_CLASS
-{
- SysKKeyValueBasicInformation, /* KEY_VALUE_BASIC_INFORMATION */
- SysKKeyValueFullInformation, /* KEY_VALUE_FULL_INFORMATION */
- SysKKeyValuePartialInformation, /* KEY_VALUE_PARTIAL_INFORMATION */
- SysKKeyValueFullInformationAlign64,
- SysKKeyValuePartialInformationAlign64, /* KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 */
- SysKKeyValueLayerInformation, /* KEY_VALUE_LAYER_INFORMATION */
- SysKMaxKeyValueInfoClass
-} SYSK_KEY_VALUE_INFORMATION_CLASS;
-
-/* KProfile Sources */
-typedef enum _SYSK_KPROFILE_SOURCE {
- SysKProfileTime,
- SysKProfileAlignmentFaults,
- SysKProfileCacheMisses,
- SysKProfileDpcTime,
- SysKProfileInterrupts,
- SysKProfileDeferredProcedureCalls,
- SysKProfileTotalCycles,
- SysKProfileUserTime,
- SysKProfileKernelTime,
- SysKProfileMaximum
-} SYSK_KPROFILE_SOURCE;
-
-/* KThread State */
-typedef enum _KTHREAD_STATE
-{
- Initialized,
- Ready,
- Running,
- Standby,
- Terminated,
- Waiting,
- Transition,
- DeferredReady,
- GateWaitObsolete,
- WaitingForProcessInSwap,
- MaximumThreadState
-} KTHREAD_STATE, *PKTHREAD_STATE;
-
-/* KWait Reason */
-typedef enum _SYSK_KWAIT_REASON
-{
- SysKExecutive, /* Waiting for an executive event. */
- SysKFreePage, /* Waiting for a free page. */
- SysKPageIn, /* Waiting for a page to be read in. */
- SysKPoolAllocation, /* Waiting for a pool allocation. */
- SysKDelayExecution, /* Waiting due to a delay execution. NtDelayExecution */
- SysKSuspended, /* Waiting because the thread is suspended. NtSuspendThread */
- SysKUserRequest, /* Waiting due to a user request. NtWaitForSingleObject */
- SysKWrExecutive, /* Waiting for an executive event. */
- SysKWrFreePage, /* Waiting for a free page. */
- SysKWrPageIn, /* Waiting for a page to be read in. */
- SysKWrPoolAllocation, /* Waiting for a pool allocation. */
- SysKWrDelayExecution, /* Waiting due to a delay execution. */
- SysKWrSuspended, /* Waiting because the thread is suspended. */
- SysKWrUserRequest, /* Waiting due to a user request. */
- SysKWrEventPair, /* Waiting for an event pair. NtCreateEventPair */
- SysKWrQueue, /* Waiting for a queue. NtRemoveIoCompletion */
- SysKWrLpcReceive, /* Waiting for an LPC receive. */
- SysKWrLpcReply, /* Waiting for an LPC reply. */
- SysKWrVirtualMemory, /* Waiting for virtual memory. */
- SysKWrPageOut, /* Waiting for a page to be written out. */
- SysKWrRendezvous, /* Waiting for a rendezvous. */
- SysKWrKeyedEvent, /* Waiting for a keyed event. NtCreateKeyedEvent */
- SysKWrTerminated, /* Waiting for thread termination. */
- SysKWrProcessInSwap, /* Waiting for a process to be swapped in. */
- SysKWrCpuRateControl, /* Waiting for CPU rate control. */
- SysKWrCalloutStack, /* Waiting for a callout stack. */
- SysKWrKernel, /* Waiting for a kernel event. */
- SysKWrResource, /* Waiting for a resource. */
- SysKWrPushLock, /* Waiting for a push lock. */
- SysKWrMutex, /* Waiting for a mutex. */
- SysKWrQuantumEnd, /* Waiting for the end of a quantum. */
- SysKWrDispatchInt, /* Waiting for a dispatch interrupt. */
- SysKWrPreempted, /* Waiting because the thread was preempted. */
- SysKWrYieldExecution, /* Waiting to yield execution. */
- SysKWrFastMutex, /* Waiting for a fast mutex. */
- SysKWrGuardedMutex, /* Waiting for a guarded mutex. */
- SysKWrRundown, /* Waiting for a rundown. */
- SysKWrAlertByThreadId, /* Waiting for an alert by thread ID. */
- SysKWrDeferredPreempt, /* Waiting for a deferred preemption. */
- SysKWrPhysicalFault, /* Waiting for a physical fault. */
- SysKWrIoRing, /* Waiting for an I/O ring. */
- SysKWrMdlCache, /* Waiting for an MDL cache. */
- SysKWrRcu, /* Waiting for read-copy-update (RCU) synchronization. */
- SysKMaximumWaitReason
-} SYSK_KWAIT_REASON, *PSYSK_KWAIT_REASON;
-
-/* Memory Information CLasses */
-typedef enum _SYSK_MEMORY_INFORMATION_CLASS
-{
- SysKMemoryBasicInformation, /* q: MEMORY_BASIC_INFORMATION */
- SysKMemoryWorkingSetInformation, /* q: MEMORY_WORKING_SET_INFORMATION */
- SysKMemoryMappedFilenameInformation, /* q: UNICODE_STRING */
- SysKMemoryRegionInformation, /* q: MEMORY_REGION_INFORMATION */
- SysKMemoryWorkingSetExInformation, /* q: MEMORY_WORKING_SET_EX_INFORMATION, since VISTA */
- SysKMemorySharedCommitInformation, /* q: MEMORY_SHARED_COMMIT_INFORMATION, since WIN8 */
- SysKMemoryImageInformation, /* q: MEMORY_IMAGE_INFORMATION */
- SysKMemoryRegionInformationEx, /* MEMORY_REGION_INFORMATION */
- SysKMemoryPrivilegedBasicInformation, /* MEMORY_BASIC_INFORMATION */
- SysKMemoryEnclaveImageInformation, /* MEMORY_ENCLAVE_IMAGE_INFORMATION, since REDSTONE3 */
- SysKMemoryBasicInformationCapped, /* 10 */
- SysKMemoryPhysicalContiguityInformation, /* MEMORY_PHYSICAL_CONTIGUITY_INFORMATION, since 20H1 */
- SysKMemoryBadInformation, /* since WIN11 */
- SysKMemoryBadInformationAllProcesses, /* since 22H1 */
- SysKMemoryImageExtensionInformation, /* MEMORY_IMAGE_EXTENSION_INFORMATION, since 24H2 */
- SysKMaxMemoryInfoClass
-} SYSK_MEMORY_INFORMATION_CLASS;
-
-/* Memory Reserve Type */
-typedef enum _MEMORY_RESERVE_TYPE
-{
- MemoryReserveUserApc,
- MemoryReserveIoCompletion,
- MemoryReserveTypeMax
-} MEMORY_RESERVE_TYPE;
-
-/* Mutant Information Classes */
-typedef enum _MUTANT_INFORMATION_CLASS
-{
- MutantBasicInformation, /* MUTANT_BASIC_INFORMATION */
- MutantOwnerInformation /* MUTANT_OWNER_INFORMATION */
-} MUTANT_INFORMATION_CLASS;
-
-/* Partition Information Classses */
-typedef enum _SYSK_PARTITION_INFORMATION_CLASS
-{
- SysKSystemMemoryPartitionInformation, /* q: MEMORY_PARTITION_CONFIGURATION_INFORMATION */
- SysKSystemMemoryPartitionMoveMemory, /* s: MEMORY_PARTITION_TRANSFER_INFORMATION */
- SysKSystemMemoryPartitionAddPagefile, /* s: MEMORY_PARTITION_PAGEFILE_INFORMATION */
- SysKSystemMemoryPartitionCombineMemory, /* q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION */
- SysKSystemMemoryPartitionInitialAddMemory, /* q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION */
- SysKSystemMemoryPartitionGetMemoryEvents, /* MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, since REDSTONE2 */
- SysKSystemMemoryPartitionSetAttributes,
- SysKSystemMemoryPartitionNodeInformation,
- SysKSystemMemoryPartitionCreateLargePages,
- SysKSystemMemoryPartitionDedicatedMemoryInformation,
- SysKSystemMemoryPartitionOpenDedicatedMemory, /* 10 */
- SysKSystemMemoryPartitionMemoryChargeAttributes,
- SysKSystemMemoryPartitionClearAttributes,
- SysKSystemMemoryPartitionSetMemoryThresholds, /* since WIN11 */
- SysKSystemMemoryPartitionMemoryListCommand, /* since 24H2 */
- SysKSystemMemoryPartitionMax
-} SYSK_PARTITION_INFORMATION_CLASS, * SYSK_PPARTITION_INFORMATION_CLASS;
-
-/* PlugPlay Control Classes */
-typedef enum _PLUGPLAY_CONTROL_CLASS
-{
- PlugPlayControlEnumerateDevice, /* PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA */
- PlugPlayControlRegisterNewDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */
- PlugPlayControlDeregisterDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */
- PlugPlayControlInitializeDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */
- PlugPlayControlStartDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */
- PlugPlayControlUnlockDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */
- PlugPlayControlQueryAndRemoveDevice, /* PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA */
- PlugPlayControlUserResponse, /* PLUGPLAY_CONTROL_USER_RESPONSE_DATA */
- PlugPlayControlGenerateLegacyDevice, /* PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA */
- PlugPlayControlGetInterfaceDeviceList, /* PLUGPLAY_CONTROL_INTERFACE_LIST_DATA */
- PlugPlayControlProperty, /* PLUGPLAY_CONTROL_PROPERTY_DATA */
- PlugPlayControlDeviceClassAssociation, /* PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA */
- PlugPlayControlGetRelatedDevice, /* PLUGPLAY_CONTROL_RELATED_DEVICE_DATA */
- PlugPlayControlGetInterfaceDeviceAlias, /* PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA */
- PlugPlayControlDeviceStatus, /* PLUGPLAY_CONTROL_STATUS_DATA */
- PlugPlayControlGetDeviceDepth, /* PLUGPLAY_CONTROL_DEPTH_DATA */
- PlugPlayControlQueryDeviceRelations, /* PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA */
- PlugPlayControlTargetDeviceRelation, /* PLUGPLAY_CONTROL_TARGET_RELATION_DATA */
- PlugPlayControlQueryConflictList, /* PLUGPLAY_CONTROL_CONFLICT_LIST */
- PlugPlayControlRetrieveDock, /* PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA */
- PlugPlayControlResetDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */
- PlugPlayControlHaltDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */
- PlugPlayControlGetBlockedDriverList, /* PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA */
- PlugPlayControlGetDeviceInterfaceEnabled, /* PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED */
- MaxPlugPlayControl
-} PLUGPLAY_CONTROL_CLASS, * PPLUGPLAY_CONTROL_CLASS;
-
-/* Port Information Classes */
-typedef enum _PORT_INFORMATION_CLASS
-{
- PortBasicInformation,
- PortDumpInformation
-} PORT_INFORMATION_CLASS;
-
-/* Process State Change Types */
-typedef enum _PROCESS_STATE_CHANGE_TYPE
-{
- ProcessStateChangeSuspend,
- ProcessStateChangeResume,
- ProcessStateChangeMax,
-} PROCESS_STATE_CHANGE_TYPE, * PPROCESS_STATE_CHANGE_TYPE;
-
-/* PS Create States */
-typedef enum _PS_CREATE_STATE
-{
- PsCreateInitialState,
- PsCreateFailOnFileOpen,
- PsCreateFailOnSectionCreate,
- PsCreateFailExeFormat,
- PsCreateFailMachineMismatch,
- PsCreateFailExeName, /* Debugger specified */
- PsCreateSuccess,
- PsCreateMaximumStates
-} PS_CREATE_STATE;
-
-/* Section Information Classes */
-typedef enum _SECTION_INFORMATION_CLASS
-{
- SectionBasicInformation, /* q; SECTION_BASIC_INFORMATION */
- SectionImageInformation, /* q; SECTION_IMAGE_INFORMATION */
- SectionRelocationInformation, /* q; ULONG_PTR RelocationDelta, name:wow64:whNtQuerySection_SectionRelocationInformation, since WIN7 */
- SectionOriginalBaseInformation, /* q; PVOID BaseAddress, since REDSTONE */
- SectionInternalImageInformation, /* SECTION_INTERNAL_IMAGE_INFORMATION, since REDSTONE2 */
- MaxSectionInfoClass
-} SECTION_INFORMATION_CLASS;
-
-/* Section Inherit */
-typedef enum _SYSK_SECTION_INHERIT
-{
- SysKViewShare = 1,
- SysKViewUnmap = 2
-} SYSK_SECTION_INHERIT;
-
-/* Secure Setting Value Types */
-typedef enum _SECURE_SETTING_VALUE_TYPE
-{
- SecureSettingValueTypeBoolean = 0,
- SecureSettingValueTypeUlong = 1,
- SecureSettingValueTypeBinary = 2,
- SecureSettingValueTypeString = 3,
- SecureSettingValueTypeUnknown = 4
-} SECURE_SETTING_VALUE_TYPE, * PSECURE_SETTING_VALUE_TYPE;
-
-/* Semaphore Information Classes */
-typedef enum _SEMAPHORE_INFORMATION_CLASS
-{
- SemaphoreBasicInformation
-} SEMAPHORE_INFORMATION_CLASS;
-
-/* Shutdown Actions */
-typedef enum _SHUTDOWN_ACTION
-{
- ShutdownNoReboot,
- ShutdownReboot,
- ShutdownPowerOff,
- ShutdownRebootForRecovery /* since WIN11 */
-} SHUTDOWN_ACTION;
-
-/* Symbolic Link Info Classes */
-typedef enum _SYMBOLIC_LINK_INFO_CLASS
-{
- SymbolicLinkGlobalInformation = 1, /* s: ULONG */
- SymbolicLinkAccessMask, /* s: ACCESS_MASK */
- MaxnSymbolicLinkInfoClass
-} SYMBOLIC_LINK_INFO_CLASS;
-
-/* SYSDBG Commands */
-typedef enum _SYSDBG_COMMAND
-{
- SysDbgQueryModuleInformation,
- SysDbgQueryTraceInformation,
- SysDbgSetTracepoint,
- SysDbgSetSpecialCall, /* PVOID */
- SysDbgClearSpecialCalls, /* void */
- SysDbgQuerySpecialCalls,
- SysDbgBreakPoint,
- SysDbgQueryVersion, /* DBGKD_GET_VERSION64 */
- SysDbgReadVirtual, /* SYSDBG_VIRTUAL */
- SysDbgWriteVirtual, /* SYSDBG_VIRTUAL */
- SysDbgReadPhysical, /* SYSDBG_PHYSICAL, 10 */
- SysDbgWritePhysical, /* SYSDBG_PHYSICAL */
- SysDbgReadControlSpace, /* SYSDBG_CONTROL_SPACE */
- SysDbgWriteControlSpace, /* SYSDBG_CONTROL_SPACE */
- SysDbgReadIoSpace, /* SYSDBG_IO_SPACE */
- SysDbgWriteIoSpace, /* SYSDBG_IO_SPACE */
- SysDbgReadMsr, /* SYSDBG_MSR */
- SysDbgWriteMsr, /* SYSDBG_MSR */
- SysDbgReadBusData, /* SYSDBG_BUS_DATA */
- SysDbgWriteBusData, /* SYSDBG_BUS_DATA */
- SysDbgCheckLowMemory, /* 20 */
- SysDbgEnableKernelDebugger,
- SysDbgDisableKernelDebugger,
- SysDbgGetAutoKdEnable,
- SysDbgSetAutoKdEnable,
- SysDbgGetPrintBufferSize,
- SysDbgSetPrintBufferSize,
- SysDbgGetKdUmExceptionEnable,
- SysDbgSetKdUmExceptionEnable,
- SysDbgGetTriageDump, /* SYSDBG_TRIAGE_DUMP */
- SysDbgGetKdBlockEnable, /* 30 */
- SysDbgSetKdBlockEnable,
- SysDbgRegisterForUmBreakInfo,
- SysDbgGetUmBreakPid,
- SysDbgClearUmBreakPid,
- SysDbgGetUmAttachPid,
- SysDbgClearUmAttachPid,
- SysDbgGetLiveKernelDump, /* SYSDBG_LIVEDUMP_CONTROL */
- SysDbgKdPullRemoteFile, /* SYSDBG_KD_PULL_REMOTE_FILE */
- SysDbgMaxInfoClass
-} SYSDBG_COMMAND, * PSYSDBG_COMMAND;
-
-/* System Information Classes */
-typedef enum _SYSTEM_INFORMATION_CLASS
-{
- SystemBasicInformation, /* q: SYSTEM_BASIC_INFORMATION */
- SystemProcessorInformation, /* q: SYSTEM_PROCESSOR_INFORMATION */
- SystemPerformanceInformation, /* q: SYSTEM_PERFORMANCE_INFORMATION */
- SystemTimeOfDayInformation, /* q: SYSTEM_TIMEOFDAY_INFORMATION */
- SystemPathInformation, /* not implemented */
- SystemProcessInformation, /* q: SYSTEM_PROCESS_INFORMATION */
- SystemCallCountInformation, /* q: SYSTEM_CALL_COUNT_INFORMATION */
- SystemDeviceInformation, /* q: SYSTEM_DEVICE_INFORMATION */
- SystemProcessorPerformanceInformation, /* q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup) */
- SystemFlagsInformation, /* q: SYSTEM_FLAGS_INFORMATION */
- SystemCallTimeInformation, /* not implemented, SYSTEM_CALL_TIME_INFORMATION, 10 */
- SystemModuleInformation, /* q: RTL_PROCESS_MODULES */
- SystemLocksInformation, /* q: RTL_PROCESS_LOCKS */
- SystemStackTraceInformation, /* q: RTL_PROCESS_BACKTRACES */
- SystemPagedPoolInformation, /* not implemented */
- SystemNonPagedPoolInformation, /* not implemented */
- SystemHandleInformation, /* q: SYSTEM_HANDLE_INFORMATION */
- SystemObjectInformation, /* q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION */
- SystemPageFileInformation, /* q: SYSTEM_PAGEFILE_INFORMATION */
- SystemVdmInstemulInformation, /* q: SYSTEM_VDM_INSTEMUL_INFO */
- SystemVdmBopInformation, /* not implemented, 20 */
- SystemFileCacheInformation, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) */
- SystemPoolTagInformation, /* q: SYSTEM_POOLTAG_INFORMATION */
- SystemInterruptInformation, /* q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup) */
- SystemDpcBehaviorInformation, /* q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) */
- SystemFullMemoryInformation, /* not implemented, SYSTEM_MEMORY_USAGE_INFORMATION */
- SystemLoadGdiDriverInformation, /* s (kernel-mode only) */
- SystemUnloadGdiDriverInformation, /* s (kernel-mode only) */
- SystemTimeAdjustmentInformation, /* q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) */
- SystemSummaryMemoryInformation, /* not implemented, SYSTEM_MEMORY_USAGE_INFORMATION */
- SystemMirrorMemoryInformation, /* s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege), 30 */
- SystemPerformanceTraceInformation, /* q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) */
- SystemObsolete0, /* not implemented */
- SystemExceptionInformation, /* q: SYSTEM_EXCEPTION_INFORMATION */
- SystemCrashDumpStateInformation, /* s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege) */
- SystemKernelDebuggerInformation, /* q: SYSTEM_KERNEL_DEBUGGER_INFORMATION */
- SystemContextSwitchInformation, /* q: SYSTEM_CONTEXT_SWITCH_INFORMATION */
- SystemRegistryQuotaInformation, /* q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) */
- SystemExtendServiceTableInformation, /* s (requires SeLoadDriverPrivilege), loads win32k only */
- SystemPrioritySeparation, /* s (requires SeTcbPrivilege) */
- SystemVerifierAddDriverInformation, /* s: UNICODE_STRING (requires SeDebugPrivilege), 40 */
- SystemVerifierRemoveDriverInformation, /* s: UNICODE_STRING (requires SeDebugPrivilege) */
- SystemProcessorIdleInformation, /* q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX: USHORT ProcessorGroup) */
- SystemLegacyDriverInformation, /* q: SYSTEM_LEGACY_DRIVER_INFORMATION */
- SystemCurrentTimeZoneInformation, /* q; s: RTL_TIME_ZONE_INFORMATION */
- SystemLookasideInformation, /* q: SYSTEM_LOOKASIDE_INFORMATION */
- SystemTimeSlipNotification, /* s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege) */
- SystemSessionCreate, /* not implemented */
- SystemSessionDetach, /* not implemented */
- SystemSessionInformation, /* not implemented (SYSTEM_SESSION_INFORMATION) */
- SystemRangeStartInformation, /* q: SYSTEM_RANGE_START_INFORMATION, 50 */
- SystemVerifierInformation, /* q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) */
- SystemVerifierThunkExtend, /* s (kernel-mode only) */
- SystemSessionProcessInformation, /* q: SYSTEM_SESSION_PROCESS_INFORMATION */
- SystemLoadGdiDriverInSystemSpace, /* s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation) */
- SystemNumaProcessorMap, /* q: SYSTEM_NUMA_INFORMATION */
- SystemPrefetcherInformation, /* q; s: PREFETCHER_INFORMATION, PfSnQueryPrefetcherInformation */
- SystemExtendedProcessInformation, /* q: SYSTEM_EXTENDED_PROCESS_INFORMATION */
- SystemRecommendedSharedDataAlignment, /* q: ULONG, KeGetRecommendedSharedDataAlignment */
- SystemComPlusPackage, /* q; s: ULONG */
- SystemNumaAvailableMemory, /* q: SYSTEM_NUMA_INFORMATION, 60 */
- SystemProcessorPowerInformation, /* q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup) */
- SystemEmulationBasicInformation, /* q: SYSTEM_BASIC_INFORMATION */
- SystemEmulationProcessorInformation, /* q: SYSTEM_PROCESSOR_INFORMATION */
- SystemExtendedHandleInformation, /* q: SYSTEM_HANDLE_INFORMATION_EX */
- SystemLostDelayedWriteInformation, /* q: ULONG */
- SystemBigPoolInformation, /* q: SYSTEM_BIGPOOL_INFORMATION */
- SystemSessionPoolTagInformation, /* q: SYSTEM_SESSION_POOLTAG_INFORMATION */
- SystemSessionMappedViewInformation, /* q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION */
- SystemHotpatchInformation, /* q; s: SYSTEM_HOTPATCH_CODE_INFORMATION */
- SystemObjectSecurityMode, /* q: ULONG, 70 */
- SystemWatchdogTimerHandler, /* s: SYSTEM_WATCHDOG_HANDLER_INFORMATION, (kernel-mode only) */
- SystemWatchdogTimerInformation, /* q: SYSTEM_WATCHDOG_TIMER_INFORMATION, NtQuerySystemInformationEx, (kernel-mode only) */
- SystemLogicalProcessorInformation, /* q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup), NtQuerySystemInformationEx */
- SystemWow64SharedInformationObsolete, /* not implemented */
- SystemRegisterFirmwareTableInformationHandler, /* s: SYSTEM_FIRMWARE_TABLE_HANDLER, (kernel-mode only) */
- SystemFirmwareTableInformation, /* SYSTEM_FIRMWARE_TABLE_INFORMATION */
- SystemModuleInformationEx, /* q: RTL_PROCESS_MODULE_INFORMATION_EX, since VISTA */
- SystemVerifierTriageInformation, /* not implemented */
- SystemSuperfetchInformation, /* q; s: SUPERFETCH_INFORMATION, PfQuerySuperfetchInformation */
- SystemMemoryListInformation, /* q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege), 80 */
- SystemFileCacheInformationEx, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) */
- SystemThreadPriorityClientIdInformation, /* s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege), NtQuerySystemInformationEx */
- SystemProcessorIdleCycleTimeInformation, /* q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup), NtQuerySystemInformationEx */
- SystemVerifierCancellationInformation, /* SYSTEM_VERIFIER_CANCELLATION_INFORMATION, name:wow64:whNT32QuerySystemVerifierCancellationInformation */
- SystemProcessorPowerInformationEx, /* not implemented */
- SystemRefTraceInformation, /* q; s: SYSTEM_REF_TRACE_INFORMATION, ObQueryRefTraceInformation */
- SystemSpecialPoolInformation, /* q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege), MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 */
- SystemProcessIdInformation, /* q: SYSTEM_PROCESS_ID_INFORMATION */
- SystemErrorPortInformation, /* s (requires SeTcbPrivilege) */
- SystemBootEnvironmentInformation, /* q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION, 90 */
- SystemHypervisorInformation, /* q: SYSTEM_HYPERVISOR_QUERY_INFORMATION */
- SystemVerifierInformationEx, /* q; s: SYSTEM_VERIFIER_INFORMATION_EX */
- SystemTimeZoneInformation, /* q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) */
- SystemImageFileExecutionOptionsInformation, /* s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) */
- SystemCoverageInformation, /* q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST, ExpCovQueryInformation (requires SeDebugPrivilege) */
- SystemPrefetchPatchInformation, /* SYSTEM_PREFETCH_PATCH_INFORMATION */
- SystemVerifierFaultsInformation, /* s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) */
- SystemSystemPartitionInformation, /* q: SYSTEM_SYSTEM_PARTITION_INFORMATION */
- SystemSystemDiskInformation, /* q: SYSTEM_SYSTEM_DISK_INFORMATION */
- SystemProcessorPerformanceDistribution, /* q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) NtQuerySystemInformationEx, 100 */
- SystemNumaProximityNodeInformation, /* q; s: SYSTEM_NUMA_PROXIMITY_MAP */
- SystemDynamicTimeZoneInformation, /* q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) */
- SystemCodeIntegrityInformation, /* q: SYSTEM_CODEINTEGRITY_INFORMATION, SeCodeIntegrityQueryInformation */
- SystemProcessorMicrocodeUpdateInformation, /* s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION */
- SystemProcessorBrandString, /* q: CHAR[], HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 */
- SystemVirtualAddressInformation, /* q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege), MmQuerySystemVaInformation */
- SystemLogicalProcessorAndGroupInformation, /* q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) since WIN7 NtQuerySystemInformationEx KeQueryLogicalProcessorRelationship */
- SystemProcessorCycleTimeInformation, /* q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup), NtQuerySystemInformationEx */
- SystemStoreInformation, /* q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege), SmQueryStoreInformation */
- SystemRegistryAppendString, /* s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS, 110 */
- SystemAitSamplingValue, /* s: ULONG (requires SeProfileSingleProcessPrivilege) */
- SystemVhdBootInformation, /* q: SYSTEM_VHD_BOOT_INFORMATION */
- SystemCpuQuotaInformation, /* q; s: PS_CPU_QUOTA_QUERY_INFORMATION */
- SystemNativeBasicInformation, /* q: SYSTEM_BASIC_INFORMATION */
- SystemErrorPortTimeouts, /* SYSTEM_ERROR_PORT_TIMEOUTS */
- SystemLowPriorityIoInformation, /* q: SYSTEM_LOW_PRIORITY_IO_INFORMATION */
- SystemTpmBootEntropyInformation, /* q: BOOT_ENTROPY_NT_RESULT, ExQueryBootEntropyInformation */
- SystemVerifierCountersInformation, /* q: SYSTEM_VERIFIER_COUNTERS_INFORMATION */
- SystemPagedPoolInformationEx, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) */
- SystemSystemPtesInformationEx, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) 120 */
- SystemNodeDistanceInformation, /* q: USHORT[4*NumaNodes] (EX in: USHORT NodeNumber) NtQuerySystemInformationEx */
- SystemAcpiAuditInformation, /* q: SYSTEM_ACPI_AUDIT_INFORMATION, HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 */
- SystemBasicPerformanceInformation, /* q: SYSTEM_BASIC_PERFORMANCE_INFORMATION, name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation */
- SystemQueryPerformanceCounterInformation, /* q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION, since WIN7 SP1 */
- SystemSessionBigPoolInformation, /* q: SYSTEM_SESSION_POOLTAG_INFORMATION, since WIN8 */
- SystemBootGraphicsInformation, /* q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) */
- SystemScrubPhysicalMemoryInformation, /* q; s: MEMORY_SCRUB_INFORMATION */
- SystemBadPageInformation, /* SYSTEM_BAD_PAGE_INFORMATION */
- SystemProcessorProfileControlArea, /* q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA */
- SystemCombinePhysicalMemoryInformation, /* s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2, 130 */
- SystemEntropyInterruptTimingInformation, /* q; s: SYSTEM_ENTROPY_TIMING_INFORMATION */
- SystemConsoleInformation, /* q; s: SYSTEM_CONSOLE_INFORMATION */
- SystemPlatformBinaryInformation, /* q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) */
- SystemPolicyInformation, /* q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) */
- SystemHypervisorProcessorCountInformation, /* q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION */
- SystemDeviceDataInformation, /* q: SYSTEM_DEVICE_DATA_INFORMATION */
- SystemDeviceDataEnumerationInformation, /* q: SYSTEM_DEVICE_DATA_INFORMATION */
- SystemMemoryTopologyInformation, /* q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION */
- SystemMemoryChannelInformation, /* q: SYSTEM_MEMORY_CHANNEL_INFORMATION */
- SystemBootLogoInformation, /* q: SYSTEM_BOOT_LOGO_INFORMATION, 140 */
- SystemProcessorPerformanceInformationEx, /* q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX (EX in: USHORT ProcessorGroup) NtQuerySystemInformationEx since WINBLUE */
- SystemCriticalProcessErrorLogInformation, /* CRITICAL_PROCESS_EXCEPTION_DATA */
- SystemSecureBootPolicyInformation, /* q: SYSTEM_SECUREBOOT_POLICY_INFORMATION */
- SystemPageFileInformationEx, /* q: SYSTEM_PAGEFILE_INFORMATION_EX */
- SystemSecureBootInformation, /* q: SYSTEM_SECUREBOOT_INFORMATION */
- SystemEntropyInterruptTimingRawInformation, /* q; s: SYSTEM_ENTROPY_TIMING_INFORMATION */
- SystemPortableWorkspaceEfiLauncherInformation, /* q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION */
- SystemFullProcessInformation, /* q: SYSTEM_EXTENDED_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) */
- SystemKernelDebuggerInformationEx, /* q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX */
- SystemBootMetadataInformation, /* 150 (requires SeTcbPrivilege) */
- SystemSoftRebootInformation, /* q: ULONG */
- SystemElamCertificateInformation, /* s: SYSTEM_ELAM_CERTIFICATE_INFORMATION */
- SystemOfflineDumpConfigInformation, /* q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 */
- SystemProcessorFeaturesInformation, /* q: SYSTEM_PROCESSOR_FEATURES_INFORMATION */
- SystemRegistryReconciliationInformation, /* s: NULL (requires admin) (flushes registry hives) */
- SystemEdidInformation, /* q: SYSTEM_EDID_INFORMATION */
- SystemManufacturingInformation,
/* q: SYSTEM_MANUFACTURING_INFORMATION since THRESHOLD */ - SystemEnergyEstimationConfigInformation, /* q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION */ - SystemHypervisorDetailInformation, /* q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION */ - SystemProcessorCycleStatsInformation, /* q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) NtQuerySystemInformationEx, 160 */ - SystemVmGenerationCountInformation, - SystemTrustedPlatformModuleInformation, /* q: SYSTEM_TPM_INFORMATION */ - SystemKernelDebuggerFlags, /* SYSTEM_KERNEL_DEBUGGER_FLAGS */ - SystemCodeIntegrityPolicyInformation, /* q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION */ - SystemIsolatedUserModeInformation, /* q: SYSTEM_ISOLATED_USER_MODE_INFORMATION */ - SystemHardwareSecurityTestInterfaceResultsInformation, - SystemSingleModuleInformation, /* q: SYSTEM_SINGLE_MODULE_INFORMATION */ - SystemAllowedCpuSetsInformation, /* s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION */ - SystemVsmProtectionInformation, /* q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) */ - SystemInterruptCpuSetsInformation, /* q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION, 170 */ - SystemSecureBootPolicyFullInformation, /* q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION */ - SystemCodeIntegrityPolicyFullInformation, - SystemAffinitizedInterruptProcessorInformation, /* q: KAFFINITY_EX (requires SeIncreaseBasePriorityPrivilege) */ - SystemRootSiloInformation, /* q: SYSTEM_ROOT_SILO_INFORMATION */ - SystemCpuSetInformation, /* q: SYSTEM_CPU_SET_INFORMATION since THRESHOLD2 */ - SystemCpuSetTagInformation, /* q: SYSTEM_CPU_SET_TAG_INFORMATION */ - SystemWin32WerStartCallout, - SystemSecureKernelProfileInformation, /* q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION */ - SystemCodeIntegrityPlatformManifestInformation, /* q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION NtQuerySystemInformationEx since REDSTONE */ - SystemInterruptSteeringInformation, /* q: in: 
SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT NtQuerySystemInformationEx, 180 */ - SystemSupportedProcessorArchitectures, /* p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] NtQuerySystemInformationEx */ - SystemMemoryUsageInformation, /* q: SYSTEM_MEMORY_USAGE_INFORMATION */ - SystemCodeIntegrityCertificateInformation, /* q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION */ - SystemPhysicalMemoryInformation, /* q: SYSTEM_PHYSICAL_MEMORY_INFORMATION since REDSTONE2 */ - SystemControlFlowTransition, /* (Warbird/Encrypt/Decrypt/Execute) */ - SystemKernelDebuggingAllowed, /* s: ULONG */ - SystemActivityModerationExeState, /* s: SYSTEM_ACTIVITY_MODERATION_EXE_STATE */ - SystemActivityModerationUserSettings, /* q: SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS */ - SystemCodeIntegrityPoliciesFullInformation, /* NtQuerySystemInformationEx */ - SystemCodeIntegrityUnlockInformation, /* SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, 190 */ - SystemIntegrityQuotaInformation, - SystemFlushInformation, /* q: SYSTEM_FLUSH_INFORMATION */ - SystemProcessorIdleMaskInformation, /* q: ULONG_PTR[ActiveGroupCount] since REDSTONE3 */ - SystemSecureDumpEncryptionInformation, /* NtQuerySystemInformationEx */ - SystemWriteConstraintInformation, /* SYSTEM_WRITE_CONSTRAINT_INFORMATION */ - SystemKernelVaShadowInformation, /* SYSTEM_KERNEL_VA_SHADOW_INFORMATION */ - SystemHypervisorSharedPageInformation, /* SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION since REDSTONE4 */ - SystemFirmwareBootPerformanceInformation, - SystemCodeIntegrityVerificationInformation, /* SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION */ - SystemFirmwarePartitionInformation, /* SYSTEM_FIRMWARE_PARTITION_INFORMATION, 200 */ - SystemSpeculationControlInformation, /* SYSTEM_SPECULATION_CONTROL_INFORMATION (CVE-2017-5715) REDSTONE3 and above. 
*/ - SystemDmaGuardPolicyInformation, /* SYSTEM_DMA_GUARD_POLICY_INFORMATION */ - SystemEnclaveLaunchControlInformation, /* SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION */ - SystemWorkloadAllowedCpuSetsInformation, /* SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION since REDSTONE5 */ - SystemCodeIntegrityUnlockModeInformation, /* SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION */ - SystemLeapSecondInformation, /* SYSTEM_LEAP_SECOND_INFORMATION */ - SystemFlags2Information, /* q: SYSTEM_FLAGS_INFORMATION */ - SystemSecurityModelInformation, /* SYSTEM_SECURITY_MODEL_INFORMATION since 19H1 */ - SystemCodeIntegritySyntheticCacheInformation, /* NtQuerySystemInformationEx */ - SystemFeatureConfigurationInformation, /* q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE NtQuerySystemInformationEx since 20H1, 210 */ - SystemFeatureConfigurationSectionInformation, /* q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION NtQuerySystemInformationEx */ - SystemFeatureUsageSubscriptionInformation, /* q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE */ - SystemSecureSpeculationControlInformation, /* SECURE_SPECULATION_CONTROL_INFORMATION */ - SystemSpacesBootInformation, /* since 20H2 */ - SystemFwRamdiskInformation, /* SYSTEM_FIRMWARE_RAMDISK_INFORMATION */ - SystemWheaIpmiHardwareInformation, - SystemDifSetRuleClassInformation, /* s: SYSTEM_DIF_VOLATILE_INFORMATION (requires SeDebugPrivilege) */ - SystemDifClearRuleClassInformation, /* s: NULL (requires SeDebugPrivilege) */ - SystemDifApplyPluginVerificationOnDriver, /* SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) */ - SystemDifRemovePluginVerificationOnDriver, /* SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) 220 */ - SystemShadowStackInformation, /* SYSTEM_SHADOW_STACK_INFORMATION */ - SystemBuildVersionInformation, /* q: in: ULONG 
(LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION NtQuerySystemInformationEx, 222 */ - SystemPoolLimitInformation, /* SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) NtQuerySystemInformationEx */ - SystemCodeIntegrityAddDynamicStore, /* CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners */ - SystemCodeIntegrityClearDynamicStores, /* CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners */ - SystemDifPoolTrackingInformation, - SystemPoolZeroingInformation, /* q: SYSTEM_POOL_ZEROING_INFORMATION */ - SystemDpcWatchdogInformation, /* q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION */ - SystemDpcWatchdogInformation2, /* q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2 */ - SystemSupportedProcessorArchitectures2, /* q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] NtQuerySystemInformationEx, 230 */ - SystemSingleProcessorRelationshipInformation, /* q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: PROCESSOR_NUMBER Processor) NtQuerySystemInformationEx */ - SystemXfgCheckFailureInformation, /* q: SYSTEM_XFG_FAILURE_INFORMATION */ - SystemIommuStateInformation, /* SYSTEM_IOMMU_STATE_INFORMATION since 22H1 */ - SystemHypervisorMinrootInformation, /* SYSTEM_HYPERVISOR_MINROOT_INFORMATION */ - SystemHypervisorBootPagesInformation, /* SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION */ - SystemPointerAuthInformation, /* SYSTEM_POINTER_AUTH_INFORMATION */ - SystemSecureKernelDebuggerInformation, /* NtQuerySystemInformationEx */ - SystemOriginalImageFeatureInformation, /* q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT NtQuerySystemInformationEx */ - SystemMemoryNumaInformation, /* SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT NtQuerySystemInformationEx */ - SystemMemoryNumaPerformanceInformation, /* SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, 
SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT since 24H2, 240 */ - SystemCodeIntegritySignedPoliciesFullInformation, - SystemSecureCoreInformation, /* SystemSecureSecretsInformation */ - SystemTrustedAppsRuntimeInformation, /* SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION */ - SystemBadPageInformationEx, /* SYSTEM_BAD_PAGE_INFORMATION */ - SystemResourceDeadlockTimeout, /* ULONG */ - SystemBreakOnContextUnwindFailureInformation, /* ULONG (requires SeDebugPrivilege) */ - SystemOslRamdiskInformation, /* SYSTEM_OSL_RAMDISK_INFORMATION */ - SystemCodeIntegrityPolicyManagementInformation, /* SYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT since 25H2 */ - SystemMemoryNumaCacheInformation, - SystemProcessorFeaturesBitMapInformation, /* 250 */ - SystemRefTraceInformationEx, /* SYSTEM_REF_TRACE_INFORMATION_EX */ - SystemBasicProcessInformation, /* SYSTEM_BASICPROCESS_INFORMATION */ - SystemHandleCountInformation, /* SYSTEM_HANDLECOUNT_INFORMATION */ - MaxSystemInfoClass -} SYSTEM_INFORMATION_CLASS; - -/* Thread State Change Types */ -typedef enum _THREAD_STATE_CHANGE_TYPE -{ - ThreadStateChangeSuspend, - ThreadStateChangeResume, - ThreadStateChangeMax, -} THREAD_STATE_CHANGE_TYPE, * PTHREAD_STATE_CHANGE_TYPE; - -/* Timer Information Classes */ -typedef enum _TIMER_INFORMATION_CLASS -{ - TimerBasicInformation /* TIMER_BASIC_INFORMATION */ -} TIMER_INFORMATION_CLASS; - -/* Timer Set Information Classes */ -typedef enum _SYSK_TIMER_SET_INFORMATION_CLASS -{ - SysKTimerSetCoalescableTimer, /* TIMER_SET_COALESCABLE_TIMER_INFO */ - SysKMaxTimerInfoClass -} SYSK_TIMER_SET_INFORMATION_CLASS; - -/* Timer Types */ -typedef enum _SYSK_TIMER_TYPE { - SysKTimerNotification, - SysKTimerSynchronization -} SYSK_TIMER_TYPE; - -/* VDM Service Classes */ -typedef enum _VDMSERVICECLASS -{ - VdmStartExecution, - VdmQueueInterrupt, - VdmDelayInterrupt, - VdmInitialize, - VdmFeatures, - VdmSetInt21Handler, - VdmQueryDir, - VdmPrinterDirectIoOpen, - VdmPrinterDirectIoClose, - VdmPrinterInitialize, - 
VdmSetLdtEntries, - VdmSetProcessLdtInfo, - VdmAdlibEmulation, - VdmPMCliControl, - VdmQueryVdmProcess, - VdmPreInitialize -} VDMSERVICECLASS, * PVDMSERVICECLASS; - -/* Virtual Memory Information Classes */ -typedef enum _SYSK_VIRTUAL_MEMORY_INFORMATION_CLASS -{ - SysKVmPrefetchInformation, /* MEMORY_PREFETCH_INFORMATION */ - SysKVmPagePriorityInformation, /* MEMORY_PAGE_PRIORITY_INFORMATION */ - SysKVmCfgCallTargetInformation, /* CFG_CALL_TARGET_LIST_INFORMATION REDSTONE2 */ - SysKVmPageDirtyStateInformation, /* REDSTONE3 */ - SysKVmImageHotPatchInformation, /* 19H1 */ - SysKVmPhysicalContiguityInformation, /* 20H1 */ - SysKVmVirtualMachinePrepopulateInformation, - SysKVmRemoveFromWorkingSetInformation, - SysKMaxVmInfoClass -} SYSK_VIRTUAL_MEMORY_INFORMATION_CLASS; - -/* Wait Types */ -typedef enum _SYSK_WAIT_TYPE -{ - SysKWaitAll, - SysKWaitAny, - SysKWaitNotification, - SysKWaitDequeue, - SysKWaitDpc, -} SYSK_WAIT_TYPE; - -/* WNF Data Scope */ -typedef enum _WNF_DATA_SCOPE -{ - WnfDataScopeSystem, - WnfDataScopeSession, - WnfDataScopeUser, - WnfDataScopeProcess, - WnfDataScopeMachine, /* REDSTONE3 */ - WnfDataScopePhysicalMachine, /* WIN11 */ -} WNF_DATA_SCOPE; - -/* WNF State Name Information */ -typedef enum _WNF_STATE_NAME_INFORMATION -{ - WnfInfoStateNameExist, - WnfInfoSubscribersPresent, - WnfInfoIsQuiescent -} WNF_STATE_NAME_INFORMATION; - -/* WNF State Name Lifetime */ -typedef enum _WNF_STATE_NAME_LIFETIME -{ - WnfWellKnownStateName, - WnfPermanentStateName, - WnfPersistentStateName, - WnfTemporaryStateName -} WNF_STATE_NAME_LIFETIME; - -/* Worker Factory Information Classes */ -typedef enum _WORKERFACTORYINFOCLASS -{ - WorkerFactoryTimeout, /* LARGE_INTEGER */ - WorkerFactoryRetryTimeout, /* LARGE_INTEGER */ - WorkerFactoryIdleTimeout, /* s: LARGE_INTEGER */ - WorkerFactoryBindingCount, /* s: ULONG */ - WorkerFactoryThreadMinimum, /* s: ULONG */ - WorkerFactoryThreadMaximum, /* s: ULONG */ - WorkerFactoryPaused, /* ULONG or BOOLEAN */ - 
WorkerFactoryBasicInformation, /* q: WORKER_FACTORY_BASIC_INFORMATION */ - WorkerFactoryAdjustThreadGoal, - WorkerFactoryCallbackType, - WorkerFactoryStackInformation, /* 10 */ - WorkerFactoryThreadBasePriority, /* s: ULONG */ - WorkerFactoryTimeoutWaiters, /* s: ULONG, since THRESHOLD */ - WorkerFactoryFlags, /* s: ULONG */ - WorkerFactoryThreadSoftMaximum, /* s: ULONG */ - WorkerFactoryThreadCpuSets, /* since REDSTONE5 */ - MaxWorkerFactoryInfoClass +#pragma once + +#include + +typedef struct _SYSK_WNF_STATE_NAME +{ + ULONG Data[2]; +} SYSK_WNF_STATE_NAME, * SYSK_PWNF_STATE_NAME; + +/* WNF Type ID */ +typedef struct _WNF_TYPE_ID +{ + GUID TypeId; +} WNF_TYPE_ID, * PWNF_TYPE_ID; + +typedef unsigned long DWORD; + +/* General Types */ +typedef LONG NTSTATUS; +typedef ULONG LOGICAL; +typedef ULONG_PTR SIZE_T; +typedef SIZE_T * PSIZE_T; +typedef GUID * PCGUID; +typedef GUID * PCRM_PROTOCOL_ID; +typedef DWORD SECURITY_INFORMATION, * PSECURITY_INFORMATION; +typedef LARGE_INTEGER * PLARGE_INTEGER; +typedef ULONG WNF_CHANGE_STAMP, * PWNF_CHANGE_STAMP; +typedef ULONG_PTR KAFFINITY; +typedef WNF_STATE_NAME * PWNF_STATE_NAME; +typedef PVOID PT2_CANCEL_PARAMETERS; +typedef const WNF_STATE_NAME * PCWNF_STATE_NAME; +typedef const WNF_TYPE_ID * PCWNF_TYPE_ID; +typedef const wchar_t * PCWSTR; +typedef const UNICODE_STRING * PCUNICODE_STRING; +typedef LANGID * PLANGID; +typedef ULONG LCID; +typedef LCID * PLCID; +typedef const GUID * LPCGUID; +typedef GUID * LPGUID; + +/* ALPC Types */ +typedef struct _PORT_MESSAGE * PPORT_MESSAGE; +typedef struct _PORT_VIEW * PPORT_VIEW; +typedef struct _REMOTE_PORT_VIEW * PREMOTE_PORT_VIEW; +typedef struct _ALPC_PORT_ATTRIBUTES * PALPC_PORT_ATTRIBUTES; +typedef struct _ALPC_MESSAGE_ATTRIBUTES * PALPC_MESSAGE_ATTRIBUTES; +typedef struct _ALPC_CONTEXT_ATTR * PALPC_CONTEXT_ATTR; +typedef HANDLE ALPC_HANDLE; +typedef struct _ALPC_DATA_VIEW_ATTR * PALPC_DATA_VIEW_ATTR; +typedef struct _ALPC_SECURITY_ATTR * PALPC_SECURITY_ATTR; +typedef HANDLE 
PALPC_HANDLE; + +/* Proccess & Thread Types */ +typedef struct _OBJECT_TYPE * POBJECT_TYPE; +typedef NTSTATUS * PNTSTATUS; +typedef HANDLE AUDIT_EVENT_HANDLE; +typedef struct _BOOT_ENTRY * PBOOT_ENTRY; +typedef struct _EFI_DRIVER_ENTRY * PEFI_DRIVER_ENTRY; +typedef ULONG PROCESS_ACTIVITY_TYPE; +typedef struct _RTL_ATOM * PRTL_ATOM; +typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION * PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; +typedef struct _SYSK_OBJECT_ATTRIBUTES * PSYSK_COBJECT_ATTRIBUTES; +typedef enum _MEMORY_RESERVE_TYPE MEMORY_RESERVE_TYPE; + +/* Enum Classes & Types -> */ + +/* ALPC Message Information Classes */ +typedef enum _ALPC_MESSAGE_INFORMATION_CLASS +{ + AlpcMessageSidInformation, /* q: out SID */ + AlpcMessageTokenModifiedIdInformation, /* q: out LUID */ + AlpcMessageDirectStatusInformation, + AlpcMessageHandleInformation, /* ALPC_MESSAGE_HANDLE_INFORMATION */ + MaxAlpcMessageInfoClass +} ALPC_MESSAGE_INFORMATION_CLASS, * PALPC_MESSAGE_INFORMATION_CLASS; + +/* ALPC Port Information Classes */ +typedef enum _ALPC_PORT_INFORMATION_CLASS +{ + AlpcBasicInformation, /* q: out ALPC_BASIC_INFORMATION */ + AlpcPortInformation, /* s: in ALPC_PORT_ATTRIBUTES */ + AlpcAssociateCompletionPortInformation, /* s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT */ + AlpcConnectedSIDInformation, /* q: in SID */ + AlpcServerInformation, /* q: inout ALPC_SERVER_INFORMATION */ + AlpcMessageZoneInformation, /* s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION */ + AlpcRegisterCompletionListInformation, /* s: in ALPC_PORT_COMPLETION_LIST_INFORMATION */ + AlpcUnregisterCompletionListInformation, /* s: VOID */ + AlpcAdjustCompletionListConcurrencyCountInformation, /* s: in ULONG */ + AlpcRegisterCallbackInformation, /* s: ALPC_REGISTER_CALLBACK, kernel-mode only */ + AlpcCompletionListRundownInformation, /* s: VOID, 10 */ + AlpcWaitForPortReferences, + AlpcServerSessionInformation /* q: ALPC_SERVER_SESSION_INFORMATION, since 19H2 */ +} ALPC_PORT_INFORMATION_CLASS; + +/* Atom Information 
Classes */ +typedef enum _ATOM_INFORMATION_CLASS +{ + AtomBasicInformation, + AtomTableInformation +} ATOM_INFORMATION_CLASS; + +/* CPU Partition Information Classes */ +typedef enum _CPU_PARTITION_INFORMATION_CLASS +{ + CpuPartitionBasicInformation, /* q: BASIC_CPU_PARTITION_INFORMATION */ + CpuPartitionPerformanceInformation, /* q: CPU_PARTITION_PERFORMANCE_INFORMATION */ + CpuPartitionTopologyInformation, /* q: CPU_PARTITION_TOPOLOGY_INFORMATION */ + CpuPartitionAffinityInformation, /* q; s: CPU_PARTITION_AFFINITY_INFORMATION */ + CpuPartitionPolicyInformation, /* q; s: CPU_PARTITION_POLICY_INFORMATION */ + CpuPartitionSchedulingInformation, /* q: CPU_PARTITION_SCHEDULING_INFORMATION */ + CpuPartitionResourceControl, /* s: CPU_PARTITION_RESOURCE_CONTROL_INFORMATION */ + CpuPartitionPowerManagement, /* q; s: CPU_PARTITION_POWER_MANAGEMENT_INFORMATION */ + CpuPartitionStatistics, /* q: CPU_PARTITION_STATISTICS_INFORMATION */ + CpuPartitionDebugInformation, /* q: CPU_PARTITION_DEBUG_INFORMATION */ + CpuPartitionMax +} CPU_PARTITION_INFORMATION_CLASS, * PCPU_PARTITION_INFORMATION_CLASS; + +/* Debug States */ +typedef enum _DBG_STATE +{ + DbgIdle, + DbgReplyPending, + DbgCreateThreadStateChange, + DbgCreateProcessStateChange, + DbgExitThreadStateChange, + DbgExitProcessStateChange, + DbgExceptionStateChange, + DbgBreakpointStateChange, + DbgSingleStepStateChange, + DbgLoadDllStateChange, + DbgUnloadDllStateChange +} DBG_STATE, * PDBG_STATE; + +/* Debug Object Information Classes */ +typedef enum _DEBUGOBJECTINFOCLASS +{ + DebugObjectUnusedInformation, + DebugObjectKillProcessOnExitInformation, /* s: ULONG */ + MaxDebugObjectInfoClass +} DEBUGOBJECTINFOCLASS, * PDEBUGOBJECTINFOCLASS; + +/* Directory Notify Information Classes */ +typedef enum _SYSK_DIRECTORY_NOTIFY_INFORMATION_CLASS { + SysKDirectoryNotifyInformation, + SysKDirectoryNotifyInformationEx, + SysKDirectoryNotifyInformationMax +} SYSK_DIRECTORY_NOTIFY_INFORMATION_CLASS; + +/* ETW Trace Control Codes */ 
+typedef enum _ETWTRACECONTROLCODE +{ + EtwStartLoggerCode = 1, /* inout WMI_LOGGER_INFORMATION */ + EtwStopLoggerCode = 2, /* inout WMI_LOGGER_INFORMATION */ + EtwQueryLoggerCode = 3, /* inout WMI_LOGGER_INFORMATION */ + EtwUpdateLoggerCode = 4, /* inout WMI_LOGGER_INFORMATION */ + EtwFlushLoggerCode = 5, /* inout WMI_LOGGER_INFORMATION */ + EtwIncrementLoggerFile = 6, /* inout WMI_LOGGER_INFORMATION */ + EtwRealtimeTransition = 7, /* inout WMI_LOGGER_INFORMATION */ + /* reserved */ + EtwRealtimeConnectCode = 11, + EtwActivityIdCreate = 12, + EtwWdiScenarioCode = 13, + EtwRealtimeDisconnectCode = 14, /* in HANDLE */ + EtwRegisterGuidsCode = 15, + EtwReceiveNotification = 16, + EtwSendDataBlock = 17, /* ETW_ENABLE_NOTIFICATION_PACKET, ETW_SESSION_NOTIFICATION_PACKET */ + EtwSendReplyDataBlock = 18, + EtwReceiveReplyDataBlock = 19, + EtwWdiSemUpdate = 20, + EtwEnumTraceGuidList = 21, /* out GUID[] */ + EtwGetTraceGuidInfo = 22, /* in GUID, out ETW_TRACE_GUID_INFO */ + EtwEnumerateTraceGuids = 23, /* out TRACE_GUID_PROPERTIES[] */ + EtwRegisterSecurityProv = 24, + EtwReferenceTimeCode = 25, /* in ULONG LoggerId, out ETW_REF_CLOCK */ + EtwTrackBinaryCode = 26, /* in HANDLE */ + EtwAddNotificationEvent = 27, + EtwUpdateDisallowList = 28, + EtwSetEnableAllKeywordsCode = 29, + EtwSetProviderTraitsCode = 30, + EtwUseDescriptorTypeCode = 31, + EtwEnumTraceGroupList = 32, + EtwGetTraceGroupInfo = 33, + EtwGetDisallowList = 34, + EtwSetCompressionSettings = 35, + EtwGetCompressionSettings = 36, + EtwUpdatePeriodicCaptureState = 37, + EtwGetPrivateSessionTraceHandle = 38, + EtwRegisterPrivateSession = 39, + EtwQuerySessionDemuxObject = 40, + EtwSetProviderBinaryTracking = 41, + EtwMaxLoggers = 42, /* out ULONG */ + EtwMaxPmcCounter = 43, /* out ULONG */ + EtwQueryUsedProcessorCount = 44, /* ULONG, since WIN11 */ + EtwGetPmcOwnership = 45, + EtwGetPmcSessions = 46, +} ETWTRACECONTROLCODE; + +/* Event Information Classes */ +typedef enum _EVENT_INFORMATION_CLASS +{ + 
EventBasicInformation +} EVENT_INFORMATION_CLASS; + +/* Event Types */ +typedef enum _SYSK_EVENT_TYPE { + SysKNotificationEvent, + SysKSynchronizationEvent, +} SYSK_EVENT_TYPE; + +/* Filter Boot Option Operations */ +typedef enum _FILTER_BOOT_OPTION_OPERATION { + FilterBootOptionAdd, + FilterBootOptionRemove, + FilterBootOptionModify, + FilterBootOptionQuery +} FILTER_BOOT_OPTION_OPERATION; + +/* File System Information Classes */ +typedef enum _SYSK_FSINFOCLASS +{ + SysKFileFsVolumeInformation = 1, /* q: FILE_FS_VOLUME_INFORMATION */ + SysKFileFsLabelInformation, /* s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) */ + SysKFileFsSizeInformation, /* q: FILE_FS_SIZE_INFORMATION */ + SysKFileFsDeviceInformation, /* q: FILE_FS_DEVICE_INFORMATION */ + SysKFileFsAttributeInformation, /* q: FILE_FS_ATTRIBUTE_INFORMATION */ + SysKFileFsControlInformation, /* q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) */ + SysKFileFsFullSizeInformation, /* q: FILE_FS_FULL_SIZE_INFORMATION */ + SysKFileFsObjectIdInformation, /* q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) */ + SysKFileFsDriverPathInformation, /* q: FILE_FS_DRIVER_PATH_INFORMATION */ + SysKFileFsVolumeFlagsInformation, /* q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume), 10 */ + SysKFileFsSectorSizeInformation, /* q: FILE_FS_SECTOR_SIZE_INFORMATION, since WIN8 */ + SysKFileFsDataCopyInformation, /* q: FILE_FS_DATA_COPY_INFORMATION */ + SysKFileFsMetadataSizeInformation, /* q: FILE_FS_METADATA_SIZE_INFORMATION, since THRESHOLD */ + SysKFileFsFullSizeInformationEx, /* q: FILE_FS_FULL_SIZE_INFORMATION_EX, since REDSTONE5 */ + SysKFileFsGuidInformation, /* q: FILE_FS_GUID_INFORMATION, since 23H2 */ + SysKFileFsMaximumInformation +} SYSK_FSINFOCLASS, * PSYSK_FSINFOCLASS; + +/* IO Completion Information Classes */ +typedef enum 
_IO_COMPLETION_INFORMATION_CLASS +{ + IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS; + +/* IO Session Events */ +typedef enum _SYSK_IO_SESSION_EVENT +{ + SysKIoSessionEventIgnore, + SysKIoSessionEventCreated, + SysKIoSessionEventTerminated, + SysKIoSessionEventConnected, + SysKIoSessionEventDisconnected, + SysKIoSessionEventLogon, + SysKIoSessionEventLogoff, + SysKIoSessionEventMax +} SYSK_IO_SESSION_EVENT; + +/* IO Session States */ +typedef enum _SYSK_IO_SESSION_STATE +{ + SysKIoSessionStateCreated = 1, + SysKIoSessionStateInitialized = 2, + SysKIoSessionStateConnected = 3, + SysKIoSessionStateDisconnected = 4, + SysKIoSessionStateDisconnectedLoggedOn = 5, + SysKIoSessionStateLoggedOn = 6, + SysKIoSessionStateLoggedOff = 7, + SysKIoSessionStateTerminated = 8, + SysKIoSessionStateMax +} SYSK_IO_SESSION_STATE; + +/* Job Object Information Classes */ + +typedef enum _JOBOBJECTINFOCLASS { + JobObjectBasicAccountingInformation = 1, + JobObjectBasicLimitInformation = 2, + JobObjectBasicProcessIdList = 3, + JobObjectBasicUIRestrictions = 4, + JobObjectSecurityLimitInformation = 5, + JobObjectEndOfJobTimeInformation = 6, + JobObjectAssociateCompletionPortInformation = 7, + JobObjectBasicAndIoAccountingInformation = 8, + JobObjectExtendedLimitInformation = 9, + JobObjectJobSetInformation = 10, + JobObjectGroupInformation = 11, + JobObjectNotificationLimitInformation = 12, + JobObjectLimitViolationInformation = 13, + JobObjectGroupInformationEx = 14, + JobObjectCpuRateControlInformation = 15, + JobObjectCompletionFilter = 16, + JobObjectCompletionCounter = 17, + JobObjectFreezeInformation = 18, + JobObjectExtendedAccountingInformation = 19, + JobObjectWakeInformation = 20, + JobObjectBackgroundInformation = 21, + JobObjectSchedulingRankBiasInformation = 22, + JobObjectTimerVirtualizationInformation = 23, + JobObjectCycleTimeNotification = 24, + JobObjectClearEvent = 25, + JobObjectInterferenceInformation = 26, + JobObjectClearPeakJobMemoryUsed = 27, + 
JobObjectMemoryUsageInformation = 28, + JobObjectSharedCommit = 29, + JobObjectContainerId = 30, + JobObjectIoRateControlInformation = 31, + JobObjectNetRateControlInformation = 32, + JobObjectNotificationLimitInformation2 = 33, + JobObjectLimitViolationInformation2 = 34, + JobObjectCreateSilo = 35, + JobObjectSiloBasicInformation = 36, + JobObjectReserved1 = 37, + JobObjectReserved2 = 38, + JobObjectReserved3 = 39, + JobObjectReserved4 = 40, + JobObjectReserved5 = 41, + JobObjectReserved6 = 42, + JobObjectReserved7 = 43, + JobObjectReserved8 = 44, + JobObjectReserved9 = 45, + JobObjectReserved10 = 46, + JobObjectReserved11 = 47, + JobObjectReserved12 = 48, + JobObjectReserved13 = 49, + JobObjectReserved14 = 50, + JobObjectNetRateControlInformation2 = 51, + JobObjectMax = 52 +} JOBOBJECTINFOCLASS; + +/* Key Information Classes */ +typedef enum _SYSK_KEY_INFORMATION_CLASS +{ + SysKKeyBasicInformation, /* KEY_BASIC_INFORMATION */ + SysKKeyNodeInformation, /* KEY_NODE_INFORMATION */ + SysKKeyFullInformation, /* KEY_FULL_INFORMATION */ + SysKKeyNameInformation, /* KEY_NAME_INFORMATION */ + SysKKeyCachedInformation, /* KEY_CACHED_INFORMATION */ + SysKKeyFlagsInformation, /* KEY_FLAGS_INFORMATION */ + SysKKeyVirtualizationInformation, /* KEY_VIRTUALIZATION_INFORMATION */ + SysKKeyHandleTagsInformation, /* KEY_HANDLE_TAGS_INFORMATION */ + SysKKeyTrustInformation, /* KEY_TRUST_INFORMATION */ + SysKKeyLayerInformation, /* KEY_LAYER_INFORMATION */ + SysKMaxKeyInfoClass +} SYSK_KEY_INFORMATION_CLASS; + +/* Key Value Information Classes */ +typedef enum _SYSK_KEY_VALUE_INFORMATION_CLASS +{ + SysKKeyValueBasicInformation, /* KEY_VALUE_BASIC_INFORMATION */ + SysKKeyValueFullInformation, /* KEY_VALUE_FULL_INFORMATION */ + SysKKeyValuePartialInformation, /* KEY_VALUE_PARTIAL_INFORMATION */ + SysKKeyValueFullInformationAlign64, + SysKKeyValuePartialInformationAlign64, /* KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 */ + SysKKeyValueLayerInformation, /* KEY_VALUE_LAYER_INFORMATION */ + 
SysKMaxKeyValueInfoClass +} SYSK_KEY_VALUE_INFORMATION_CLASS; + +/* KProfile Sources */ +typedef enum _SYSK_KPROFILE_SOURCE { + SysKProfileTime, + SysKProfileAlignmentFaults, + SysKProfileCacheMisses, + SysKProfileDpcTime, + SysKProfileInterrupts, + SysKProfileDeferredProcedureCalls, + SysKProfileTotalCycles, + SysKProfileUserTime, + SysKProfileKernelTime, + SysKProfileMaximum +} SYSK_KPROFILE_SOURCE; + +/* KThread State */ +typedef enum _KTHREAD_STATE +{ + Initialized, + Ready, + Running, + Standby, + Terminated, + Waiting, + Transition, + DeferredReady, + GateWaitObsolete, + WaitingForProcessInSwap, + MaximumThreadState +} KTHREAD_STATE, *PKTHREAD_STATE; + +/* KWait Reason */ +typedef enum _SYSK_KWAIT_REASON +{ + SysKExecutive, /* Waiting for an executive event. */ + SysKFreePage, /* Waiting for a free page. */ + SysKPageIn, /* Waiting for a page to be read in. */ + SysKPoolAllocation, /* Waiting for a pool allocation. */ + SysKDelayExecution, /* Waiting due to a delay execution. NtDelayExecution */ + SysKSuspended, /* Waiting because the thread is suspended. NtSuspendThread */ + SysKUserRequest, /* Waiting due to a user request. NtWaitForSingleObject */ + SysKWrExecutive, /* Waiting for an executive event. */ + SysKWrFreePage, /* Waiting for a free page. */ + SysKWrPageIn, /* Waiting for a page to be read in. */ + SysKWrPoolAllocation, /* Waiting for a pool allocation. */ + SysKWrDelayExecution, /* Waiting due to a delay execution. */ + SysKWrSuspended, /* Waiting because the thread is suspended. */ + SysKWrUserRequest, /* Waiting due to a user request. */ + SysKWrEventPair, /* Waiting for an event pair. NtCreateEventPair */ + SysKWrQueue, /* Waiting for a queue. NtRemoveIoCompletion */ + SysKWrLpcReceive, /* Waiting for an LPC receive. */ + SysKWrLpcReply, /* Waiting for an LPC reply. */ + SysKWrVirtualMemory, /* Waiting for virtual memory. */ + SysKWrPageOut, /* Waiting for a page to be written out. */ + SysKWrRendezvous, /* Waiting for a rendezvous. 
*/ + SysKWrKeyedEvent, /* Waiting for a keyed event. NtCreateKeyedEvent */ + SysKWrTerminated, /* Waiting for thread termination. */ + SysKWrProcessInSwap, /* Waiting for a process to be swapped in. */ + SysKWrCpuRateControl, /* Waiting for CPU rate control. */ + SysKWrCalloutStack, /* Waiting for a callout stack. */ + SysKWrKernel, /* Waiting for a kernel event. */ + SysKWrResource, /* Waiting for a resource. */ + SysKWrPushLock, /* Waiting for a push lock. */ + SysKWrMutex, /* Waiting for a mutex. */ + SysKWrQuantumEnd, /* Waiting for the end of a quantum. */ + SysKWrDispatchInt, /* Waiting for a dispatch interrupt. */ + SysKWrPreempted, /* Waiting because the thread was preempted. */ + SysKWrYieldExecution, /* Waiting to yield execution. */ + SysKWrFastMutex, /* Waiting for a fast mutex. */ + SysKWrGuardedMutex, /* Waiting for a guarded mutex. */ + SysKWrRundown, /* Waiting for a rundown. */ + SysKWrAlertByThreadId, /* Waiting for an alert by thread ID. */ + SysKWrDeferredPreempt, /* Waiting for a deferred preemption. */ + SysKWrPhysicalFault, /* Waiting for a physical fault. */ + SysKWrIoRing, /* Waiting for an I/O ring. */ + SysKWrMdlCache, /* Waiting for an MDL cache. */ + SysKWrRcu, /* Waiting for read-copy-update (RCU) synchronization. 
*/ + SysKMaximumWaitReason +} SYSK_KWAIT_REASON, *PSYSK_KWAIT_REASON; + +/* Memory Information CLasses */ +typedef enum _SYSK_MEMORY_INFORMATION_CLASS +{ + SysKMemoryBasicInformation, /* q: MEMORY_BASIC_INFORMATION */ + SysKMemoryWorkingSetInformation, /* q: MEMORY_WORKING_SET_INFORMATION */ + SysKMemoryMappedFilenameInformation, /* q: UNICODE_STRING */ + SysKMemoryRegionInformation, /* q: MEMORY_REGION_INFORMATION */ + SysKMemoryWorkingSetExInformation, /* q: MEMORY_WORKING_SET_EX_INFORMATION, since VISTA */ + SysKMemorySharedCommitInformation, /* q: MEMORY_SHARED_COMMIT_INFORMATION, since WIN8 */ + SysKMemoryImageInformation, /* q: MEMORY_IMAGE_INFORMATION */ + SysKMemoryRegionInformationEx, /* MEMORY_REGION_INFORMATION */ + SysKMemoryPrivilegedBasicInformation, /* MEMORY_BASIC_INFORMATION */ + SysKMemoryEnclaveImageInformation, /* MEMORY_ENCLAVE_IMAGE_INFORMATION, since REDSTONE3 */ + SysKMemoryBasicInformationCapped, /* 10 */ + SysKMemoryPhysicalContiguityInformation, /* MEMORY_PHYSICAL_CONTIGUITY_INFORMATION, since 20H1 */ + SysKMemoryBadInformation, /* since WIN11 */ + SysKMemoryBadInformationAllProcesses, /* since 22H1 */ + SysKMemoryImageExtensionInformation, /* MEMORY_IMAGE_EXTENSION_INFORMATION, since 24H2 */ + SysKMaxMemoryInfoClass +} SYSK_MEMORY_INFORMATION_CLASS; + +/* Memory Reserve Type */ +typedef enum _MEMORY_RESERVE_TYPE +{ + MemoryReserveUserApc, + MemoryReserveIoCompletion, + MemoryReserveTypeMax +} MEMORY_RESERVE_TYPE; + +/* Mutant Information Classes */ +typedef enum _MUTANT_INFORMATION_CLASS +{ + MutantBasicInformation, /* MUTANT_BASIC_INFORMATION */ + MutantOwnerInformation /* MUTANT_OWNER_INFORMATION */ +} MUTANT_INFORMATION_CLASS; + +/* Partition Information Classses */ +typedef enum _SYSK_PARTITION_INFORMATION_CLASS +{ + SysKSystemMemoryPartitionInformation, /* q: MEMORY_PARTITION_CONFIGURATION_INFORMATION */ + SysKSystemMemoryPartitionMoveMemory, /* s: MEMORY_PARTITION_TRANSFER_INFORMATION */ + SysKSystemMemoryPartitionAddPagefile, /* 
s: MEMORY_PARTITION_PAGEFILE_INFORMATION */ + SysKSystemMemoryPartitionCombineMemory, /* q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION */ + SysKSystemMemoryPartitionInitialAddMemory, /* q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION */ + SysKSystemMemoryPartitionGetMemoryEvents, /* MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, since REDSTONE2 */ + SysKSystemMemoryPartitionSetAttributes, + SysKSystemMemoryPartitionNodeInformation, + SysKSystemMemoryPartitionCreateLargePages, + SysKSystemMemoryPartitionDedicatedMemoryInformation, + SysKSystemMemoryPartitionOpenDedicatedMemory, /* 10 */ + SysKSystemMemoryPartitionMemoryChargeAttributes, + SysKSystemMemoryPartitionClearAttributes, + SysKSystemMemoryPartitionSetMemoryThresholds, /* since WIN11 */ + SysKSystemMemoryPartitionMemoryListCommand, /* since 24H2 */ + SysKSystemMemoryPartitionMax +} SYSK_PARTITION_INFORMATION_CLASS, * SYSK_PPARTITION_INFORMATION_CLASS; + +/* PlugPlay Control Classes */ +typedef enum _PLUGPLAY_CONTROL_CLASS +{ + PlugPlayControlEnumerateDevice, /* PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA */ + PlugPlayControlRegisterNewDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlDeregisterDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlInitializeDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlStartDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlUnlockDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlQueryAndRemoveDevice, /* PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA */ + PlugPlayControlUserResponse, /* PLUGPLAY_CONTROL_USER_RESPONSE_DATA */ + PlugPlayControlGenerateLegacyDevice, /* PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA */ + PlugPlayControlGetInterfaceDeviceList, /* PLUGPLAY_CONTROL_INTERFACE_LIST_DATA */ + PlugPlayControlProperty, /* PLUGPLAY_CONTROL_PROPERTY_DATA */ + PlugPlayControlDeviceClassAssociation, /* PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA */ + PlugPlayControlGetRelatedDevice, /* 
PLUGPLAY_CONTROL_RELATED_DEVICE_DATA */ + PlugPlayControlGetInterfaceDeviceAlias, /* PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA */ + PlugPlayControlDeviceStatus, /* PLUGPLAY_CONTROL_STATUS_DATA */ + PlugPlayControlGetDeviceDepth, /* PLUGPLAY_CONTROL_DEPTH_DATA */ + PlugPlayControlQueryDeviceRelations, /* PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA */ + PlugPlayControlTargetDeviceRelation, /* PLUGPLAY_CONTROL_TARGET_RELATION_DATA */ + PlugPlayControlQueryConflictList, /* PLUGPLAY_CONTROL_CONFLICT_LIST */ + PlugPlayControlRetrieveDock, /* PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA */ + PlugPlayControlResetDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlHaltDevice, /* PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA */ + PlugPlayControlGetBlockedDriverList, /* PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA */ + PlugPlayControlGetDeviceInterfaceEnabled, /* PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED */ + MaxPlugPlayControl +} PLUGPLAY_CONTROL_CLASS, * PPLUGPLAY_CONTROL_CLASS; + +/* Port Information Classes */ +typedef enum _PORT_INFORMATION_CLASS +{ + PortBasicInformation, + PortDumpInformation +} PORT_INFORMATION_CLASS; + +/* Process State Change Types */ +typedef enum _PROCESS_STATE_CHANGE_TYPE +{ + ProcessStateChangeSuspend, + ProcessStateChangeResume, + ProcessStateChangeMax, +} PROCESS_STATE_CHANGE_TYPE, * PPROCESS_STATE_CHANGE_TYPE; + +/* PS Create States */ +typedef enum _PS_CREATE_STATE +{ + PsCreateInitialState, + PsCreateFailOnFileOpen, + PsCreateFailOnSectionCreate, + PsCreateFailExeFormat, + PsCreateFailMachineMismatch, + PsCreateFailExeName, /* Debugger specified */ + PsCreateSuccess, + PsCreateMaximumStates +} PS_CREATE_STATE; + +/* Section Information Classes */ +typedef enum _SECTION_INFORMATION_CLASS +{ + SectionBasicInformation, /* q; SECTION_BASIC_INFORMATION */ + SectionImageInformation, /* q; SECTION_IMAGE_INFORMATION */ + SectionRelocationInformation, /* q; ULONG_PTR RelocationDelta, name:wow64:whNtQuerySection_SectionRelocationInformation, since WIN7 */ + 
SectionOriginalBaseInformation, /* q; PVOID BaseAddress, since REDSTONE */ + SectionInternalImageInformation, /* SECTION_INTERNAL_IMAGE_INFORMATION, since REDSTONE2 */ + MaxSectionInfoClass +} SECTION_INFORMATION_CLASS; + +/* Section Inherit */ +typedef enum _SYSK_SECTION_INHERIT +{ + SysKViewShare = 1, + SysKViewUnmap = 2 +} SYSK_SECTION_INHERIT; + +/* Secure Setting Value Types */ +typedef enum _SECURE_SETTING_VALUE_TYPE +{ + SecureSettingValueTypeBoolean = 0, + SecureSettingValueTypeUlong = 1, + SecureSettingValueTypeBinary = 2, + SecureSettingValueTypeString = 3, + SecureSettingValueTypeUnknown = 4 +} SECURE_SETTING_VALUE_TYPE, * PSECURE_SETTING_VALUE_TYPE; + +/* Semaphore Information Classes */ +typedef enum _SEMAPHORE_INFORMATION_CLASS +{ + SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS; + +/* Shutdown Actions */ +typedef enum _SHUTDOWN_ACTION +{ + ShutdownNoReboot, + ShutdownReboot, + ShutdownPowerOff, + ShutdownRebootForRecovery /* since WIN11 */ +} SHUTDOWN_ACTION; + +/* Symbolic Link Info Classes */ +typedef enum _SYMBOLIC_LINK_INFO_CLASS +{ + SymbolicLinkGlobalInformation = 1, /* s: ULONG */ + SymbolicLinkAccessMask, /* s: ACCESS_MASK */ + MaxnSymbolicLinkInfoClass +} SYMBOLIC_LINK_INFO_CLASS; + +/* SYSDBG Commands */ +typedef enum _SYSDBG_COMMAND +{ + SysDbgQueryModuleInformation, + SysDbgQueryTraceInformation, + SysDbgSetTracepoint, + SysDbgSetSpecialCall, /* PVOID */ + SysDbgClearSpecialCalls, /* void */ + SysDbgQuerySpecialCalls, + SysDbgBreakPoint, + SysDbgQueryVersion, /* DBGKD_GET_VERSION64 */ + SysDbgReadVirtual, /* SYSDBG_VIRTUAL */ + SysDbgWriteVirtual, /* SYSDBG_VIRTUAL */ + SysDbgReadPhysical, /* SYSDBG_PHYSICAL, 10 */ + SysDbgWritePhysical, /* SYSDBG_PHYSICAL */ + SysDbgReadControlSpace, /* SYSDBG_CONTROL_SPACE */ + SysDbgWriteControlSpace, /* SYSDBG_CONTROL_SPACE */ + SysDbgReadIoSpace, /* SYSDBG_IO_SPACE */ + SysDbgWriteIoSpace, /* SYSDBG_IO_SPACE */ + SysDbgReadMsr, /* SYSDBG_MSR */ + SysDbgWriteMsr, /* SYSDBG_MSR */ + 
SysDbgReadBusData, /* SYSDBG_BUS_DATA */ + SysDbgWriteBusData, /* SYSDBG_BUS_DATA */ + SysDbgCheckLowMemory, /* 20 */ + SysDbgEnableKernelDebugger, + SysDbgDisableKernelDebugger, + SysDbgGetAutoKdEnable, + SysDbgSetAutoKdEnable, + SysDbgGetPrintBufferSize, + SysDbgSetPrintBufferSize, + SysDbgGetKdUmExceptionEnable, + SysDbgSetKdUmExceptionEnable, + SysDbgGetTriageDump, /* SYSDBG_TRIAGE_DUMP */ + SysDbgGetKdBlockEnable, /* 30 */ + SysDbgSetKdBlockEnable, + SysDbgRegisterForUmBreakInfo, + SysDbgGetUmBreakPid, + SysDbgClearUmBreakPid, + SysDbgGetUmAttachPid, + SysDbgClearUmAttachPid, + SysDbgGetLiveKernelDump, /* SYSDBG_LIVEDUMP_CONTROL */ + SysDbgKdPullRemoteFile, /* SYSDBG_KD_PULL_REMOTE_FILE */ + SysDbgMaxInfoClass +} SYSDBG_COMMAND, * PSYSDBG_COMMAND; + +/* System Information Classes */ +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation, /* q: SYSTEM_BASIC_INFORMATION */ + SystemProcessorInformation, /* q: SYSTEM_PROCESSOR_INFORMATION */ + SystemPerformanceInformation, /* q: SYSTEM_PERFORMANCE_INFORMATION */ + SystemTimeOfDayInformation, /* q: SYSTEM_TIMEOFDAY_INFORMATION */ + SystemPathInformation, /* not implemented */ + SystemProcessInformation, /* q: SYSTEM_PROCESS_INFORMATION */ + SystemCallCountInformation, /* q: SYSTEM_CALL_COUNT_INFORMATION */ + SystemDeviceInformation, /* q: SYSTEM_DEVICE_INFORMATION */ + SystemProcessorPerformanceInformation, /* q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup) */ + SystemFlagsInformation, /* q: SYSTEM_FLAGS_INFORMATION */ + SystemCallTimeInformation, /* not implemented, SYSTEM_CALL_TIME_INFORMATION, 10 */ + SystemModuleInformation, /* q: RTL_PROCESS_MODULES */ + SystemLocksInformation, /* q: RTL_PROCESS_LOCKS */ + SystemStackTraceInformation, /* q: RTL_PROCESS_BACKTRACES */ + SystemPagedPoolInformation, /* not implemented */ + SystemNonPagedPoolInformation, /* not implemented */ + SystemHandleInformation, /* q: SYSTEM_HANDLE_INFORMATION */ + SystemObjectInformation, /* q: 
SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION */ + SystemPageFileInformation, /* q: SYSTEM_PAGEFILE_INFORMATION */ + SystemVdmInstemulInformation, /* q: SYSTEM_VDM_INSTEMUL_INFO */ + SystemVdmBopInformation, /* not implemented, 20 */ + SystemFileCacheInformation, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) */ + SystemPoolTagInformation, /* q: SYSTEM_POOLTAG_INFORMATION */ + SystemInterruptInformation, /* q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup) */ + SystemDpcBehaviorInformation, /* q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) */ + SystemFullMemoryInformation, /* not implemented, SYSTEM_MEMORY_USAGE_INFORMATION */ + SystemLoadGdiDriverInformation, /* s (kernel-mode only) */ + SystemUnloadGdiDriverInformation, /* s (kernel-mode only) */ + SystemTimeAdjustmentInformation, /* q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) */ + SystemSummaryMemoryInformation, /* not implemented, SYSTEM_MEMORY_USAGE_INFORMATION */ + SystemMirrorMemoryInformation, /* s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege), 30 */ + SystemPerformanceTraceInformation, /* q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) */ + SystemObsolete0, /* not implemented */ + SystemExceptionInformation, /* q: SYSTEM_EXCEPTION_INFORMATION */ + SystemCrashDumpStateInformation, /* s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege) */ + SystemKernelDebuggerInformation, /* q: SYSTEM_KERNEL_DEBUGGER_INFORMATION */ + SystemContextSwitchInformation, /* q: SYSTEM_CONTEXT_SWITCH_INFORMATION */ + SystemRegistryQuotaInformation, /* q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) */ + SystemExtendServiceTableInformation, /* s (requires SeLoadDriverPrivilege), loads win32k only */ + 
SystemPrioritySeparation, /* s (requires SeTcbPrivilege) */ + SystemVerifierAddDriverInformation, /* s: UNICODE_STRING (requires SeDebugPrivilege), 40 */ + SystemVerifierRemoveDriverInformation, /* s: UNICODE_STRING (requires SeDebugPrivilege) */ + SystemProcessorIdleInformation, /* q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX: USHORT ProcessorGroup) */ + SystemLegacyDriverInformation, /* q: SYSTEM_LEGACY_DRIVER_INFORMATION */ + SystemCurrentTimeZoneInformation, /* q; s: RTL_TIME_ZONE_INFORMATION */ + SystemLookasideInformation, /* q: SYSTEM_LOOKASIDE_INFORMATION */ + SystemTimeSlipNotification, /* s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege) */ + SystemSessionCreate, /* not implemented */ + SystemSessionDetach, /* not implemented */ + SystemSessionInformation, /* not implemented (SYSTEM_SESSION_INFORMATION) */ + SystemRangeStartInformation, /* q: SYSTEM_RANGE_START_INFORMATION, 50 */ + SystemVerifierInformation, /* q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) */ + SystemVerifierThunkExtend, /* s (kernel-mode only) */ + SystemSessionProcessInformation, /* q: SYSTEM_SESSION_PROCESS_INFORMATION */ + SystemLoadGdiDriverInSystemSpace, /* s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation) */ + SystemNumaProcessorMap, /* q: SYSTEM_NUMA_INFORMATION */ + SystemPrefetcherInformation, /* q; s: PREFETCHER_INFORMATION, PfSnQueryPrefetcherInformation */ + SystemExtendedProcessInformation, /* q: SYSTEM_EXTENDED_PROCESS_INFORMATION */ + SystemRecommendedSharedDataAlignment, /* q: ULONG, KeGetRecommendedSharedDataAlignment */ + SystemComPlusPackage, /* q; s: ULONG */ + SystemNumaAvailableMemory, /* q: SYSTEM_NUMA_INFORMATION, 60 */ + SystemProcessorPowerInformation, /* q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup) */ + SystemEmulationBasicInformation, /* q: SYSTEM_BASIC_INFORMATION */ + SystemEmulationProcessorInformation, /* q: SYSTEM_PROCESSOR_INFORMATION */ + 
SystemExtendedHandleInformation, /* q: SYSTEM_HANDLE_INFORMATION_EX */ + SystemLostDelayedWriteInformation, /* q: ULONG */ + SystemBigPoolInformation, /* q: SYSTEM_BIGPOOL_INFORMATION */ + SystemSessionPoolTagInformation, /* q: SYSTEM_SESSION_POOLTAG_INFORMATION */ + SystemSessionMappedViewInformation, /* q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION */ + SystemHotpatchInformation, /* q; s: SYSTEM_HOTPATCH_CODE_INFORMATION */ + SystemObjectSecurityMode, /* q: ULONG, 70 */ + SystemWatchdogTimerHandler, /* s: SYSTEM_WATCHDOG_HANDLER_INFORMATION, (kernel-mode only) */ + SystemWatchdogTimerInformation, /* q: SYSTEM_WATCHDOG_TIMER_INFORMATION, NtQuerySystemInformationEx, (kernel-mode only) */ + SystemLogicalProcessorInformation, /* q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup), NtQuerySystemInformationEx */ + SystemWow64SharedInformationObsolete, /* not implemented */ + SystemRegisterFirmwareTableInformationHandler, /* s: SYSTEM_FIRMWARE_TABLE_HANDLER, (kernel-mode only) */ + SystemFirmwareTableInformation, /* SYSTEM_FIRMWARE_TABLE_INFORMATION */ + SystemModuleInformationEx, /* q: RTL_PROCESS_MODULE_INFORMATION_EX, since VISTA */ + SystemVerifierTriageInformation, /* not implemented */ + SystemSuperfetchInformation, /* q; s: SUPERFETCH_INFORMATION, PfQuerySuperfetchInformation */ + SystemMemoryListInformation, /* q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege), 80 */ + SystemFileCacheInformationEx, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) */ + SystemThreadPriorityClientIdInformation, /* s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege), NtQuerySystemInformationEx */ + SystemProcessorIdleCycleTimeInformation, /* q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup), NtQuerySystemInformationEx */ + SystemVerifierCancellationInformation, /* 
SYSTEM_VERIFIER_CANCELLATION_INFORMATION, name:wow64:whNT32QuerySystemVerifierCancellationInformation */ + SystemProcessorPowerInformationEx, /* not implemented */ + SystemRefTraceInformation, /* q; s: SYSTEM_REF_TRACE_INFORMATION, ObQueryRefTraceInformation */ + SystemSpecialPoolInformation, /* q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege), MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 */ + SystemProcessIdInformation, /* q: SYSTEM_PROCESS_ID_INFORMATION */ + SystemErrorPortInformation, /* s (requires SeTcbPrivilege) */ + SystemBootEnvironmentInformation, /* q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION, 90 */ + SystemHypervisorInformation, /* q: SYSTEM_HYPERVISOR_QUERY_INFORMATION */ + SystemVerifierInformationEx, /* q; s: SYSTEM_VERIFIER_INFORMATION_EX */ + SystemTimeZoneInformation, /* q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) */ + SystemImageFileExecutionOptionsInformation, /* s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) */ + SystemCoverageInformation, /* q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST, ExpCovQueryInformation (requires SeDebugPrivilege) */ + SystemPrefetchPatchInformation, /* SYSTEM_PREFETCH_PATCH_INFORMATION */ + SystemVerifierFaultsInformation, /* s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) */ + SystemSystemPartitionInformation, /* q: SYSTEM_SYSTEM_PARTITION_INFORMATION */ + SystemSystemDiskInformation, /* q: SYSTEM_SYSTEM_DISK_INFORMATION */ + SystemProcessorPerformanceDistribution, /* q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) NtQuerySystemInformationEx, 100 */ + SystemNumaProximityNodeInformation, /* q; s: SYSTEM_NUMA_PROXIMITY_MAP */ + SystemDynamicTimeZoneInformation, /* q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) */ + SystemCodeIntegrityInformation, /* q: SYSTEM_CODEINTEGRITY_INFORMATION, SeCodeIntegrityQueryInformation */ + SystemProcessorMicrocodeUpdateInformation, /* s: 
SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION */ + SystemProcessorBrandString, /* q: CHAR[], HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 */ + SystemVirtualAddressInformation, /* q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege), MmQuerySystemVaInformation */ + SystemLogicalProcessorAndGroupInformation, /* q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) since WIN7 NtQuerySystemInformationEx KeQueryLogicalProcessorRelationship */ + SystemProcessorCycleTimeInformation, /* q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup), NtQuerySystemInformationEx */ + SystemStoreInformation, /* q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege), SmQueryStoreInformation */ + SystemRegistryAppendString, /* s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS, 110 */ + SystemAitSamplingValue, /* s: ULONG (requires SeProfileSingleProcessPrivilege) */ + SystemVhdBootInformation, /* q: SYSTEM_VHD_BOOT_INFORMATION */ + SystemCpuQuotaInformation, /* q; s: PS_CPU_QUOTA_QUERY_INFORMATION */ + SystemNativeBasicInformation, /* q: SYSTEM_BASIC_INFORMATION */ + SystemErrorPortTimeouts, /* SYSTEM_ERROR_PORT_TIMEOUTS */ + SystemLowPriorityIoInformation, /* q: SYSTEM_LOW_PRIORITY_IO_INFORMATION */ + SystemTpmBootEntropyInformation, /* q: BOOT_ENTROPY_NT_RESULT, ExQueryBootEntropyInformation */ + SystemVerifierCountersInformation, /* q: SYSTEM_VERIFIER_COUNTERS_INFORMATION */ + SystemPagedPoolInformationEx, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) */ + SystemSystemPtesInformationEx, /* q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) 120 */ + SystemNodeDistanceInformation, /* q: USHORT[4*NumaNodes] (EX in: USHORT NodeNumber) NtQuerySystemInformationEx */ + SystemAcpiAuditInformation, /* q: 
SYSTEM_ACPI_AUDIT_INFORMATION, HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 */ + SystemBasicPerformanceInformation, /* q: SYSTEM_BASIC_PERFORMANCE_INFORMATION, name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation */ + SystemQueryPerformanceCounterInformation, /* q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION, since WIN7 SP1 */ + SystemSessionBigPoolInformation, /* q: SYSTEM_SESSION_POOLTAG_INFORMATION, since WIN8 */ + SystemBootGraphicsInformation, /* q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) */ + SystemScrubPhysicalMemoryInformation, /* q; s: MEMORY_SCRUB_INFORMATION */ + SystemBadPageInformation, /* SYSTEM_BAD_PAGE_INFORMATION */ + SystemProcessorProfileControlArea, /* q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA */ + SystemCombinePhysicalMemoryInformation, /* s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2, 130 */ + SystemEntropyInterruptTimingInformation, /* q; s: SYSTEM_ENTROPY_TIMING_INFORMATION */ + SystemConsoleInformation, /* q; s: SYSTEM_CONSOLE_INFORMATION */ + SystemPlatformBinaryInformation, /* q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) */ + SystemPolicyInformation, /* q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) */ + SystemHypervisorProcessorCountInformation, /* q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION */ + SystemDeviceDataInformation, /* q: SYSTEM_DEVICE_DATA_INFORMATION */ + SystemDeviceDataEnumerationInformation, /* q: SYSTEM_DEVICE_DATA_INFORMATION */ + SystemMemoryTopologyInformation, /* q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION */ + SystemMemoryChannelInformation, /* q: SYSTEM_MEMORY_CHANNEL_INFORMATION */ + SystemBootLogoInformation, /* q: SYSTEM_BOOT_LOGO_INFORMATION, 140 */ + SystemProcessorPerformanceInformationEx, /* q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX (EX in: USHORT ProcessorGroup) NtQuerySystemInformationEx since WINBLUE */ + SystemCriticalProcessErrorLogInformation, /* 
CRITICAL_PROCESS_EXCEPTION_DATA */ + SystemSecureBootPolicyInformation, /* q: SYSTEM_SECUREBOOT_POLICY_INFORMATION */ + SystemPageFileInformationEx, /* q: SYSTEM_PAGEFILE_INFORMATION_EX */ + SystemSecureBootInformation, /* q: SYSTEM_SECUREBOOT_INFORMATION */ + SystemEntropyInterruptTimingRawInformation, /* q; s: SYSTEM_ENTROPY_TIMING_INFORMATION */ + SystemPortableWorkspaceEfiLauncherInformation, /* q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION */ + SystemFullProcessInformation, /* q: SYSTEM_EXTENDED_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) */ + SystemKernelDebuggerInformationEx, /* q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX */ + SystemBootMetadataInformation, /* 150 (requires SeTcbPrivilege) */ + SystemSoftRebootInformation, /* q: ULONG */ + SystemElamCertificateInformation, /* s: SYSTEM_ELAM_CERTIFICATE_INFORMATION */ + SystemOfflineDumpConfigInformation, /* q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 */ + SystemProcessorFeaturesInformation, /* q: SYSTEM_PROCESSOR_FEATURES_INFORMATION */ + SystemRegistryReconciliationInformation, /* s: NULL (requires admin) (flushes registry hives) */ + SystemEdidInformation, /* q: SYSTEM_EDID_INFORMATION */ + SystemManufacturingInformation, /* q: SYSTEM_MANUFACTURING_INFORMATION since THRESHOLD */ + SystemEnergyEstimationConfigInformation, /* q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION */ + SystemHypervisorDetailInformation, /* q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION */ + SystemProcessorCycleStatsInformation, /* q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) NtQuerySystemInformationEx, 160 */ + SystemVmGenerationCountInformation, + SystemTrustedPlatformModuleInformation, /* q: SYSTEM_TPM_INFORMATION */ + SystemKernelDebuggerFlags, /* SYSTEM_KERNEL_DEBUGGER_FLAGS */ + SystemCodeIntegrityPolicyInformation, /* q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION */ + SystemIsolatedUserModeInformation, /* q: SYSTEM_ISOLATED_USER_MODE_INFORMATION */ + 
SystemHardwareSecurityTestInterfaceResultsInformation, + SystemSingleModuleInformation, /* q: SYSTEM_SINGLE_MODULE_INFORMATION */ + SystemAllowedCpuSetsInformation, /* s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION */ + SystemVsmProtectionInformation, /* q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) */ + SystemInterruptCpuSetsInformation, /* q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION, 170 */ + SystemSecureBootPolicyFullInformation, /* q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION */ + SystemCodeIntegrityPolicyFullInformation, + SystemAffinitizedInterruptProcessorInformation, /* q: KAFFINITY_EX (requires SeIncreaseBasePriorityPrivilege) */ + SystemRootSiloInformation, /* q: SYSTEM_ROOT_SILO_INFORMATION */ + SystemCpuSetInformation, /* q: SYSTEM_CPU_SET_INFORMATION since THRESHOLD2 */ + SystemCpuSetTagInformation, /* q: SYSTEM_CPU_SET_TAG_INFORMATION */ + SystemWin32WerStartCallout, + SystemSecureKernelProfileInformation, /* q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION */ + SystemCodeIntegrityPlatformManifestInformation, /* q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION NtQuerySystemInformationEx since REDSTONE */ + SystemInterruptSteeringInformation, /* q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT NtQuerySystemInformationEx, 180 */ + SystemSupportedProcessorArchitectures, /* p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] NtQuerySystemInformationEx */ + SystemMemoryUsageInformation, /* q: SYSTEM_MEMORY_USAGE_INFORMATION */ + SystemCodeIntegrityCertificateInformation, /* q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION */ + SystemPhysicalMemoryInformation, /* q: SYSTEM_PHYSICAL_MEMORY_INFORMATION since REDSTONE2 */ + SystemControlFlowTransition, /* (Warbird/Encrypt/Decrypt/Execute) */ + SystemKernelDebuggingAllowed, /* s: ULONG */ + SystemActivityModerationExeState, /* s: SYSTEM_ACTIVITY_MODERATION_EXE_STATE */ + 
SystemActivityModerationUserSettings, /* q: SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS */ + SystemCodeIntegrityPoliciesFullInformation, /* NtQuerySystemInformationEx */ + SystemCodeIntegrityUnlockInformation, /* SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, 190 */ + SystemIntegrityQuotaInformation, + SystemFlushInformation, /* q: SYSTEM_FLUSH_INFORMATION */ + SystemProcessorIdleMaskInformation, /* q: ULONG_PTR[ActiveGroupCount] since REDSTONE3 */ + SystemSecureDumpEncryptionInformation, /* NtQuerySystemInformationEx */ + SystemWriteConstraintInformation, /* SYSTEM_WRITE_CONSTRAINT_INFORMATION */ + SystemKernelVaShadowInformation, /* SYSTEM_KERNEL_VA_SHADOW_INFORMATION */ + SystemHypervisorSharedPageInformation, /* SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION since REDSTONE4 */ + SystemFirmwareBootPerformanceInformation, + SystemCodeIntegrityVerificationInformation, /* SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION */ + SystemFirmwarePartitionInformation, /* SYSTEM_FIRMWARE_PARTITION_INFORMATION, 200 */ + SystemSpeculationControlInformation, /* SYSTEM_SPECULATION_CONTROL_INFORMATION (CVE-2017-5715) REDSTONE3 and above. 
*/ + SystemDmaGuardPolicyInformation, /* SYSTEM_DMA_GUARD_POLICY_INFORMATION */ + SystemEnclaveLaunchControlInformation, /* SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION */ + SystemWorkloadAllowedCpuSetsInformation, /* SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION since REDSTONE5 */ + SystemCodeIntegrityUnlockModeInformation, /* SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION */ + SystemLeapSecondInformation, /* SYSTEM_LEAP_SECOND_INFORMATION */ + SystemFlags2Information, /* q: SYSTEM_FLAGS_INFORMATION */ + SystemSecurityModelInformation, /* SYSTEM_SECURITY_MODEL_INFORMATION since 19H1 */ + SystemCodeIntegritySyntheticCacheInformation, /* NtQuerySystemInformationEx */ + SystemFeatureConfigurationInformation, /* q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE NtQuerySystemInformationEx since 20H1, 210 */ + SystemFeatureConfigurationSectionInformation, /* q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION NtQuerySystemInformationEx */ + SystemFeatureUsageSubscriptionInformation, /* q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE */ + SystemSecureSpeculationControlInformation, /* SECURE_SPECULATION_CONTROL_INFORMATION */ + SystemSpacesBootInformation, /* since 20H2 */ + SystemFwRamdiskInformation, /* SYSTEM_FIRMWARE_RAMDISK_INFORMATION */ + SystemWheaIpmiHardwareInformation, + SystemDifSetRuleClassInformation, /* s: SYSTEM_DIF_VOLATILE_INFORMATION (requires SeDebugPrivilege) */ + SystemDifClearRuleClassInformation, /* s: NULL (requires SeDebugPrivilege) */ + SystemDifApplyPluginVerificationOnDriver, /* SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) */ + SystemDifRemovePluginVerificationOnDriver, /* SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) 220 */ + SystemShadowStackInformation, /* SYSTEM_SHADOW_STACK_INFORMATION */ + SystemBuildVersionInformation, /* q: in: ULONG 
(LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION NtQuerySystemInformationEx, 222 */ + SystemPoolLimitInformation, /* SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) NtQuerySystemInformationEx */ + SystemCodeIntegrityAddDynamicStore, /* CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners */ + SystemCodeIntegrityClearDynamicStores, /* CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners */ + SystemDifPoolTrackingInformation, + SystemPoolZeroingInformation, /* q: SYSTEM_POOL_ZEROING_INFORMATION */ + SystemDpcWatchdogInformation, /* q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION */ + SystemDpcWatchdogInformation2, /* q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2 */ + SystemSupportedProcessorArchitectures2, /* q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] NtQuerySystemInformationEx, 230 */ + SystemSingleProcessorRelationshipInformation, /* q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: PROCESSOR_NUMBER Processor) NtQuerySystemInformationEx */ + SystemXfgCheckFailureInformation, /* q: SYSTEM_XFG_FAILURE_INFORMATION */ + SystemIommuStateInformation, /* SYSTEM_IOMMU_STATE_INFORMATION since 22H1 */ + SystemHypervisorMinrootInformation, /* SYSTEM_HYPERVISOR_MINROOT_INFORMATION */ + SystemHypervisorBootPagesInformation, /* SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION */ + SystemPointerAuthInformation, /* SYSTEM_POINTER_AUTH_INFORMATION */ + SystemSecureKernelDebuggerInformation, /* NtQuerySystemInformationEx */ + SystemOriginalImageFeatureInformation, /* q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT NtQuerySystemInformationEx */ + SystemMemoryNumaInformation, /* SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT NtQuerySystemInformationEx */ + SystemMemoryNumaPerformanceInformation, /* SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, 
SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT since 24H2, 240 */ + SystemCodeIntegritySignedPoliciesFullInformation, + SystemSecureCoreInformation, /* SystemSecureSecretsInformation */ + SystemTrustedAppsRuntimeInformation, /* SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION */ + SystemBadPageInformationEx, /* SYSTEM_BAD_PAGE_INFORMATION */ + SystemResourceDeadlockTimeout, /* ULONG */ + SystemBreakOnContextUnwindFailureInformation, /* ULONG (requires SeDebugPrivilege) */ + SystemOslRamdiskInformation, /* SYSTEM_OSL_RAMDISK_INFORMATION */ + SystemCodeIntegrityPolicyManagementInformation, /* SYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT since 25H2 */ + SystemMemoryNumaCacheInformation, + SystemProcessorFeaturesBitMapInformation, /* 250 */ + SystemRefTraceInformationEx, /* SYSTEM_REF_TRACE_INFORMATION_EX */ + SystemBasicProcessInformation, /* SYSTEM_BASICPROCESS_INFORMATION */ + SystemHandleCountInformation, /* SYSTEM_HANDLECOUNT_INFORMATION */ + MaxSystemInfoClass +} SYSTEM_INFORMATION_CLASS; + +/* Thread State Change Types */ +typedef enum _THREAD_STATE_CHANGE_TYPE +{ + ThreadStateChangeSuspend, + ThreadStateChangeResume, + ThreadStateChangeMax, +} THREAD_STATE_CHANGE_TYPE, * PTHREAD_STATE_CHANGE_TYPE; + +/* Timer Information Classes */ +typedef enum _TIMER_INFORMATION_CLASS +{ + TimerBasicInformation /* TIMER_BASIC_INFORMATION */ +} TIMER_INFORMATION_CLASS; + +/* Timer Set Information Classes */ +typedef enum _SYSK_TIMER_SET_INFORMATION_CLASS +{ + SysKTimerSetCoalescableTimer, /* TIMER_SET_COALESCABLE_TIMER_INFO */ + SysKMaxTimerInfoClass +} SYSK_TIMER_SET_INFORMATION_CLASS; + +/* Timer Types */ +typedef enum _SYSK_TIMER_TYPE { + SysKTimerNotification, + SysKTimerSynchronization +} SYSK_TIMER_TYPE; + +/* VDM Service Classes */ +typedef enum _VDMSERVICECLASS +{ + VdmStartExecution, + VdmQueueInterrupt, + VdmDelayInterrupt, + VdmInitialize, + VdmFeatures, + VdmSetInt21Handler, + VdmQueryDir, + VdmPrinterDirectIoOpen, + VdmPrinterDirectIoClose, + VdmPrinterInitialize, + 
VdmSetLdtEntries, + VdmSetProcessLdtInfo, + VdmAdlibEmulation, + VdmPMCliControl, + VdmQueryVdmProcess, + VdmPreInitialize +} VDMSERVICECLASS, * PVDMSERVICECLASS; + +/* Virtual Memory Information Classes */ +typedef enum _SYSK_VIRTUAL_MEMORY_INFORMATION_CLASS +{ + SysKVmPrefetchInformation, /* MEMORY_PREFETCH_INFORMATION */ + SysKVmPagePriorityInformation, /* MEMORY_PAGE_PRIORITY_INFORMATION */ + SysKVmCfgCallTargetInformation, /* CFG_CALL_TARGET_LIST_INFORMATION REDSTONE2 */ + SysKVmPageDirtyStateInformation, /* REDSTONE3 */ + SysKVmImageHotPatchInformation, /* 19H1 */ + SysKVmPhysicalContiguityInformation, /* 20H1 */ + SysKVmVirtualMachinePrepopulateInformation, + SysKVmRemoveFromWorkingSetInformation, + SysKMaxVmInfoClass +} SYSK_VIRTUAL_MEMORY_INFORMATION_CLASS; + +/* Wait Types */ +typedef enum _SYSK_WAIT_TYPE +{ + SysKWaitAll, + SysKWaitAny, + SysKWaitNotification, + SysKWaitDequeue, + SysKWaitDpc, +} SYSK_WAIT_TYPE; + +/* WNF Data Scope */ +typedef enum _WNF_DATA_SCOPE +{ + WnfDataScopeSystem, + WnfDataScopeSession, + WnfDataScopeUser, + WnfDataScopeProcess, + WnfDataScopeMachine, /* REDSTONE3 */ + WnfDataScopePhysicalMachine, /* WIN11 */ +} WNF_DATA_SCOPE; + +/* WNF State Name Information */ +typedef enum _WNF_STATE_NAME_INFORMATION +{ + WnfInfoStateNameExist, + WnfInfoSubscribersPresent, + WnfInfoIsQuiescent +} WNF_STATE_NAME_INFORMATION; + +/* WNF State Name Lifetime */ +typedef enum _WNF_STATE_NAME_LIFETIME +{ + WnfWellKnownStateName, + WnfPermanentStateName, + WnfPersistentStateName, + WnfTemporaryStateName +} WNF_STATE_NAME_LIFETIME; + +/* Worker Factory Information Classes */ +typedef enum _WORKERFACTORYINFOCLASS +{ + WorkerFactoryTimeout, /* LARGE_INTEGER */ + WorkerFactoryRetryTimeout, /* LARGE_INTEGER */ + WorkerFactoryIdleTimeout, /* s: LARGE_INTEGER */ + WorkerFactoryBindingCount, /* s: ULONG */ + WorkerFactoryThreadMinimum, /* s: ULONG */ + WorkerFactoryThreadMaximum, /* s: ULONG */ + WorkerFactoryPaused, /* ULONG or BOOLEAN */ + 
WorkerFactoryBasicInformation, /* q: WORKER_FACTORY_BASIC_INFORMATION */ + WorkerFactoryAdjustThreadGoal, + WorkerFactoryCallbackType, + WorkerFactoryStackInformation, /* 10 */ + WorkerFactoryThreadBasePriority, /* s: ULONG */ + WorkerFactoryTimeoutWaiters, /* s: ULONG, since THRESHOLD */ + WorkerFactoryFlags, /* s: ULONG */ + WorkerFactoryThreadSoftMaximum, /* s: ULONG */ + WorkerFactoryThreadCpuSets, /* since REDSTONE5 */ + MaxWorkerFactoryInfoClass } WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS; \ No newline at end of file diff --git a/SysCallerK/Wrapper/include/SysK/sysFunctions_k.h b/SysCallerK/Wrapper/include/SysK/SysKFunctions.h similarity index 95% rename from SysCallerK/Wrapper/include/SysK/sysFunctions_k.h rename to SysCallerK/Wrapper/include/SysK/SysKFunctions.h index 6049f40..9a9c50a 100644 --- a/SysCallerK/Wrapper/include/SysK/sysFunctions_k.h +++ b/SysCallerK/Wrapper/include/SysK/SysKFunctions.h 
@@ -1,3472 +1,3472 @@
-#pragma once
-#include "../syscaller_k.h"
-#include "sysTypes_k.h"
-#include "sysExternals_k.h"
-#include "sysConstants_k.h"
-
-#ifdef _WIN64 // Only compile on 64bit systems.
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-NTSTATUS SCAcceptConnectPort(
- PHANDLE PortHandle,
- PVOID PortContext OPTIONAL,
- PPORT_MESSAGE ConnectionRequest,
- BOOLEAN AcceptConnection,
- PPORT_VIEW ServerView OPTIONAL,
- PREMOTE_PORT_VIEW ClientView OPTIONAL
-);
-
-NTSTATUS SCAccessCheck(
- PSECURITY_DESCRIPTOR SecurityDescriptor,
- HANDLE ClientToken,
- ACCESS_MASK DesiredAccess,
- PGENERIC_MAPPING GenericMapping,
- PPRIVILEGE_SET PrivilegeSet,
- PULONG PrivilegeSetLength,
- PACCESS_MASK GrantedAccess,
- PNTSTATUS AccessStatus
-);
-
-NTSTATUS SCAccessCheckAndAuditAlarm(
- PUNICODE_STRING SubsystemName,
- PVOID HandleId OPTIONAL,
- PUNICODE_STRING ObjectTypeName,
- PUNICODE_STRING ObjectName,
- PSECURITY_DESCRIPTOR SecurityDescriptor,
- ACCESS_MASK DesiredAccess,
- PGENERIC_MAPPING GenericMapping,
- BOOLEAN ObjectCreation,
- PACCESS_MASK GrantedAccess,
- PNTSTATUS AccessStatus,
- PBOOLEAN GenerateOnClose
-);
-
-NTSTATUS SCAccessCheckByType(
- PSECURITY_DESCRIPTOR SecurityDescriptor,
- PSID PrincipalSelfSid OPTIONAL,
- HANDLE ClientToken,
- ACCESS_MASK DesiredAccess,
- POBJECT_TYPE_LIST ObjectTypeList,
- ULONG ObjectTypeListLength,
- PGENERIC_MAPPING GenericMapping,
- PPRIVILEGE_SET PrivilegeSet,
- PULONG PrivilegeSetLength,
- PACCESS_MASK GrantedAccess,
- PNTSTATUS AccessStatus
-);
-
-NTSTATUS SCAccessCheckByTypeAndAuditAlarm(
- PUNICODE_STRING SubsystemName,
- PVOID HandleId OPTIONAL,
- PUNICODE_STRING ObjectTypeName,
- PUNICODE_STRING ObjectName,
- PSECURITY_DESCRIPTOR SecurityDescriptor,
- PSID PrincipalSelfSid OPTIONAL,
- ACCESS_MASK DesiredAccess,
- AUDIT_EVENT_TYPE AuditType,
- ULONG Flags,
- POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
- ULONG ObjectTypeListLength,
- PGENERIC_MAPPING GenericMapping,
- BOOLEAN ObjectCreation,
- PACCESS_MASK GrantedAccess,
- PNTSTATUS AccessStatus,
- PBOOLEAN GenerateOnClose
-);
-
-NTSTATUS SCAccessCheckByTypeResultList(
- PSECURITY_DESCRIPTOR SecurityDescriptor,
- PSID PrincipalSelfSid OPTIONAL,
- HANDLE ClientToken,
- ACCESS_MASK DesiredAccess,
- POBJECT_TYPE_LIST ObjectTypeList,
- ULONG ObjectTypeListLength,
- PGENERIC_MAPPING GenericMapping,
- PPRIVILEGE_SET PrivilegeSet,
- PULONG PrivilegeSetLength,
- PACCESS_MASK GrantedAccess,
- PNTSTATUS AccessStatus
-);
-
-NTSTATUS SCAccessCheckByTypeResultListAndAuditAlarm(
- PUNICODE_STRING SubsystemName,
- PVOID HandleId OPTIONAL,
- PUNICODE_STRING ObjectTypeName,
- PUNICODE_STRING ObjectName,
- PSECURITY_DESCRIPTOR SecurityDescriptor,
- PSID PrincipalSelfSid OPTIONAL,
- ACCESS_MASK DesiredAccess,
- AUDIT_EVENT_TYPE AuditType,
- ULONG Flags,
- POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
- ULONG ObjectTypeListLength,
- PGENERIC_MAPPING GenericMapping,
- BOOLEAN ObjectCreation,
- PACCESS_MASK GrantedAccess,
- PNTSTATUS AccessStatus,
- PBOOLEAN GenerateOnClose
-);
-
-NTSTATUS SCAccessCheckByTypeResultListAndAuditAlarmByHandle(
- PUNICODE_STRING SubsystemName,
- PVOID HandleId OPTIONAL,
- PUNICODE_STRING ObjectTypeName,
- PUNICODE_STRING ObjectName,
- PSECURITY_DESCRIPTOR SecurityDescriptor,
- PSID PrincipalSelfSid OPTIONAL,
- HANDLE ClientToken,
- ACCESS_MASK DesiredAccess,
- POBJECT_TYPE_LIST ObjectTypeList,
- ULONG ObjectTypeListLength,
- PGENERIC_MAPPING GenericMapping,
- BOOLEAN ObjectCreation,
- PACCESS_MASK GrantedAccess,
- PNTSTATUS AccessStatus,
- PBOOLEAN GenerateOnClose,
- AUDIT_EVENT_HANDLE AuditHandle OPTIONAL
-);
-
-NTSTATUS SCAcquireCrossVmMutant(
- HANDLE CrossVmMutant,
- PLARGE_INTEGER Timeout
-);
-
-NTSTATUS SCAcquireProcessActivityReference(
- PHANDLE ActivityReferenceHandle,
- HANDLE ParentProcessHandle,
- PROCESS_ACTIVITY_TYPE Reserved
-);
-
-NTSTATUS SCAddAtom(
- PCWSTR AtomName OPTIONAL,
- ULONG Length,
- PRTL_ATOM Atom OPTIONAL
-);
-
-NTSTATUS SCAddAtomEx(
- PCWSTR AtomName OPTIONAL,
- ULONG Length,
- PRTL_ATOM Atom OPTIONAL,
- ULONG Flags
-);
-
-NTSTATUS SCAddBootEntry(
- PBOOT_ENTRY BootEntry,
- PULONG Id OPTIONAL
-);
-
-NTSTATUS SCAddDriverEntry(
- PEFI_DRIVER_ENTRY DriverEntry,
- PULONG Id OPTIONAL
-);
-
-NTSTATUS SCAdjustGroupsToken(
- HANDLE TokenHandle,
- BOOLEAN ResetToDefault,
- PTOKEN_GROUPS NewState OPTIONAL,
- ULONG BufferLength OPTIONAL,
- PTOKEN_GROUPS PreviousState OPTIONAL,
- PULONG ReturnLength OPTIONAL
-);
-
-NTSTATUS SCAdjustPrivilegesToken(
- HANDLE TokenHandle,
- BOOLEAN DisableAllPrivileges,
- PTOKEN_PRIVILEGES NewState OPTIONAL,
- ULONG BufferLength,
- PTOKEN_PRIVILEGES PreviousState OPTIONAL,
- PULONG ReturnLength OPTIONAL
-);
-
-NTSTATUS SCAdjustTokenClaimsAndDeviceGroups(
- HANDLE TokenHandle,
- BOOLEAN UserResetToDefault,
- BOOLEAN DeviceResetToDefault,
- BOOLEAN DeviceGroupsResetToDefault,
- PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL,
- PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL,
- PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL,
- ULONG UserBufferLength,
- PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL,
- ULONG DeviceBufferLength,
- PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL,
- ULONG DeviceGroupsBufferLength,
- PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL,
- PULONG UserReturnLength OPTIONAL,
- PULONG DeviceReturnLength OPTIONAL,
- PULONG DeviceGroupsReturnBufferLength OPTIONAL
-);
-
-NTSTATUS SCAlertResumeThread(
- HANDLE ThreadHandle,
- PULONG PreviousSuspendCount OPTIONAL
-);
-
-NTSTATUS SCAlertThread(
- HANDLE ThreadHandle
-);
-
-NTSTATUS SCAlertThreadByThreadId(
- HANDLE ThreadId
-);
-
-NTSTATUS SCAllocateLocallyUniqueId(
- PLUID Luid
-);
-
-NTSTATUS SCAllocateReserveObject(
- PHANDLE MemoryReserveHandle,
- POBJECT_ATTRIBUTES ObjectAttributes,
- MEMORY_RESERVE_TYPE Type
-);
-
-NTSTATUS SCAllocateUserPhysicalPages(
- HANDLE ProcessHandle,
- PSIZE_T NumberOfPages,
- PULONG_PTR UserPfnArray
-);
-
-NTSTATUS SCAllocateUserPhysicalPagesEx(
- HANDLE ProcessHandle,
- PULONG_PTR NumberOfPages,
- PULONG_PTR UserPfnArray,
- PMEM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL,
- ULONG ExtendedParameterCount
-);
-
-NTSTATUS SCAllocateUuids(
- PULARGE_INTEGER Time,
- PULONG Range,
- PULONG Sequence,
- PCHAR Seed
-);
-
-NTSTATUS SCAllocateVirtualMemory(
- HANDLE ProcessHandle,
- PVOID* BaseAddress,
- ULONG_PTR ZeroBits,
- PSIZE_T RegionSize,
- ULONG AllocationType,
- ULONG PageProtection
-);
-
-NTSTATUS SCAllocateVirtualMemoryEx(
- HANDLE ProcessHandle,
- PVOID* BaseAddress,
- PSIZE_T RegionSize,
- ULONG AllocationType,
- ULONG PageProtection,
- PMEM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL,
- ULONG ExtendedParameterCount
-);
-
-NTSTATUS SCAlpcAcceptConnectPort(
- PHANDLE PortHandle,
- HANDLE ConnectionPortHandle,
- ULONG Flags,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,
- PVOID PortContext OPTIONAL,
- PPORT_MESSAGE ConnectionRequest,
- PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL,
- BOOLEAN AcceptConnection
-);
-
-NTSTATUS SCAlpcCancelMessage(
- HANDLE PortHandle,
- ULONG Flags,
- PALPC_CONTEXT_ATTR MessageContext
-);
-
-NTSTATUS SCAlpcConnectPort(
- PHANDLE PortHandle,
- PUNICODE_STRING PortName,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,
- ULONG Flags,
- PSID RequiredServerSid OPTIONAL,
- PPORT_MESSAGE ConnectionMessage,
- PSIZE_T BufferLength OPTIONAL,
- PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL,
- PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS SCAlpcConnectPortEx(
- PHANDLE PortHandle,
- POBJECT_ATTRIBUTES ConnectionPortObjectAttributes,
- POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL,
- PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,
- ULONG Flags,
- PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL,
- PPORT_MESSAGE ConnectionMessage,
- PSIZE_T BufferLength OPTIONAL,
- PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL,
- PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS SCAlpcCreatePort(
- PHANDLE PortHandle,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL
-);
-
-NTSTATUS SCAlpcCreatePortSection(
- HANDLE PortHandle,
- ULONG Flags,
- HANDLE SectionHandle OPTIONAL,
- SIZE_T SectionSize,
- PALPC_HANDLE AlpcSectionHandle,
- PSIZE_T ActualSectionSize
-);
-
-NTSTATUS SCAlpcCreateResourceReserve(
- HANDLE PortHandle,
- ULONG Flags,
- SIZE_T MessageSize,
- PALPC_HANDLE ResourceId
-);
-
-NTSTATUS SCAlpcCreateSectionView(
- HANDLE PortHandle,
- ULONG Flags,
- PALPC_DATA_VIEW_ATTR ViewAttributes
-);
-
-NTSTATUS SCAlpcCreateSecurityContext(
- HANDLE PortHandle,
- ULONG Flags,
- PALPC_SECURITY_ATTR SecurityAttribute
-);
-
-NTSTATUS SCAlpcDeletePortSection(
- HANDLE PortHandle,
- ULONG Flags,
- ALPC_HANDLE SectionHandle
-);
-
-NTSTATUS SCAlpcDeleteResourceReserve(
- HANDLE PortHandle,
- ULONG Flags,
- ALPC_HANDLE ResourceId
-);
-
-NTSTATUS SCAlpcDeleteSectionView(
- HANDLE PortHandle,
- ULONG Flags,
- PVOID ViewBase
-);
-
-NTSTATUS SCAlpcDeleteSecurityContext(
- HANDLE PortHandle,
- ULONG Flags,
- ALPC_HANDLE ContextHandle
-);
-
-NTSTATUS SCAlpcDisconnectPort(
- HANDLE PortHandle,
- ULONG Flags
-);
-
-NTSTATUS SCAlpcImpersonateClientContainerOfPort(
- HANDLE PortHandle,
- PPORT_MESSAGE Message,
- ULONG Flags
-);
-
-NTSTATUS SCAlpcImpersonateClientOfPort(
- HANDLE PortHandle,
- PPORT_MESSAGE Message,
- PVOID Flags
-);
-
-NTSTATUS SCAlpcOpenSenderProcess(
- PHANDLE ProcessHandle,
- HANDLE PortHandle,
- PPORT_MESSAGE PortMessage,
- ULONG Flags,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes
-);
-
-NTSTATUS SCAlpcOpenSenderThread(
- PHANDLE ThreadHandle,
- HANDLE PortHandle,
- PPORT_MESSAGE PortMessage,
- ULONG Flags,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes
-);
-
-NTSTATUS SCAlpcQueryInformation(
- HANDLE PortHandle OPTIONAL,
- ALPC_PORT_INFORMATION_CLASS PortInformationClass,
- PVOID PortInformation,
- ULONG Length,
- PULONG ReturnLength OPTIONAL
-);
-
-NTSTATUS SCAlpcQueryInformationMessage(
- HANDLE PortHandle,
- PPORT_MESSAGE PortMessage,
- ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass,
- PVOID MessageInformation,
- ULONG Length,
- PULONG ReturnLength OPTIONAL
-);
-
-NTSTATUS SCAlpcRevokeSecurityContext(
- HANDLE PortHandle,
- ULONG Flags,
- ALPC_HANDLE ContextHandle
-);
-
-NTSTATUS SCAlpcSendWaitReceivePort(
- HANDLE PortHandle,
- ULONG Flags,
- PPORT_MESSAGE SendMessage OPTIONAL,
- PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL,
- PPORT_MESSAGE ReceiveMessage OPTIONAL,
- PSIZE_T BufferLength OPTIONAL,
- PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS SCAlpcSetInformation(
- HANDLE PortHandle,
- ALPC_PORT_INFORMATION_CLASS PortInformationClass,
- PVOID PortInformation OPTIONAL,
- ULONG Length
-);
-
-NTSTATUS SCApphelpCacheControl(
- ULONG Command,
- PVOID Buffer OPTIONAL,
- ULONG BufferSize
-);
-
-NTSTATUS SCAreMappedFilesTheSame(
- PVOID File1MappedAsAnImage,
- PVOID File2MappedAsFile
-);
-
-NTSTATUS SCAssignProcessToJobObject(
- HANDLE JobHandle,
- HANDLE ProcessHandle
-);
-
-NTSTATUS SCAssociateWaitCompletionPacket(
- HANDLE WaitCompletionPacketHandle,
- HANDLE IoCompletionHandle,
- HANDLE TargetObjectHandle,
- PVOID KeyContext OPTIONAL,
- PVOID ApcContext OPTIONAL,
- NTSTATUS IoStatus,
- ULONG_PTR IoStatusInformation,
- PBOOLEAN AlreadySignaled OPTIONAL
-);
-
-NTSTATUS SCCallEnclave(
- PENCLAVE_ROUTINE Routine,
- PVOID Reserved,
- ULONG Flags,
- PVOID* RoutineParamReturn
-);
-
-NTSTATUS SCCallbackReturn(
- PVOID OutputBuffer OPTIONAL,
- ULONG OutputLength,
- NTSTATUS Status
-);
-
-NTSTATUS SCCancelIoFile(
- HANDLE FileHandle,
- PIO_STATUS_BLOCK IoStatusBlock
-);
-
-NTSTATUS SCCancelIoFileEx(
- HANDLE FileHandle,
- PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL,
- PIO_STATUS_BLOCK IoStatusBlock
-);
-
-NTSTATUS SCCancelSynchronousIoFile(
- HANDLE ThreadHandle,
- PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL,
- PIO_STATUS_BLOCK IoStatusBlock
-);
-
-NTSTATUS SCCancelTimer(
- HANDLE TimerHandle,
- PBOOLEAN CurrentState OPTIONAL
-);
-
-NTSTATUS SCCancelTimer2(
- HANDLE TimerHandle,
- PT2_CANCEL_PARAMETERS Parameters
-);
-
-NTSTATUS SCCancelWaitCompletionPacket(
- HANDLE WaitCompletionPacketHandle,
- BOOLEAN RemoveSignaledPacket
-);
-
-NTSTATUS SCChangeProcessState(
- HANDLE ProcessStateChangeHandle,
- HANDLE ProcessHandle,
- PROCESS_STATE_CHANGE_TYPE StateChangeType,
- PVOID ExtendedInformation OPTIONAL,
- SIZE_T ExtendedInformationLength OPTIONAL,
- ULONG64 Reserved OPTIONAL
-);
-
-NTSTATUS SCChangeThreadState(
- HANDLE ThreadStateChangeHandle,
- HANDLE ThreadHandle,
- THREAD_STATE_CHANGE_TYPE StateChangeType,
- PVOID ExtendedInformation OPTIONAL,
- SIZE_T ExtendedInformationLength OPTIONAL,
- ULONG64 Reserved OPTIONAL
-);
-
-NTSTATUS SCClearEvent(
- HANDLE EventHandle
-);
-
-NTSTATUS SCClose(
- HANDLE Handle
-);
-
-NTSTATUS SCCloseObjectAuditAlarm(
- PUNICODE_STRING SubsystemName,
- PVOID HandleId OPTIONAL,
- BOOLEAN GenerateOnClose
-);
-
-NTSTATUS SCCommitComplete(
- HANDLE EnlistmentHandle,
- PLARGE_INTEGER TmVirtualClock OPTIONAL
-);
-
-NTSTATUS SCCommitEnlistment(
- HANDLE EnlistmentHandle,
- PLARGE_INTEGER TmVirtualClock OPTIONAL
-);
-
-NTSTATUS SCCommitRegistryTransaction(
- HANDLE RegistryTransactionHandle,
- ULONG Flags // Reserved
-);
-
-NTSTATUS SCCommitTransaction(
- HANDLE TransactionHandle,
- BOOLEAN Wait
-);
-
-NTSTATUS SCCompactKeys(
- ULONG Count,
- HANDLE KeyArray[]
-);
-
-NTSTATUS SCCompareObjects(
- HANDLE FirstObjectHandle,
- HANDLE SecondObjectHandle
-);
-
-NTSTATUS SCCompareSigningLevels(
- SE_SIGNING_LEVEL FirstSigningLevel,
- SE_SIGNING_LEVEL SecondSigningLevel
-);
-
-NTSTATUS SCCompareTokens(
- HANDLE FirstTokenHandle,
- HANDLE SecondTokenHandle,
- PBOOLEAN Equal
-);
-
-NTSTATUS SCCompleteConnectPort(
- HANDLE PortHandle
-);
-
-NTSTATUS SCCompressKey(
- HANDLE KeyHandle
-);
-
-NTSTATUS SCConnectPort(
- PHANDLE PortHandle,
- PUNICODE_STRING PortName,
- PSECURITY_QUALITY_OF_SERVICE SecurityQos,
- PPORT_VIEW ClientView OPTIONAL,
- PREMOTE_PORT_VIEW ServerView OPTIONAL,
- PULONG MaxMessageLength OPTIONAL,
- PVOID ConnectionInformation OPTIONAL,
- PULONG ConnectionInformationLength OPTIONAL
-);
-
-NTSTATUS SCContinue(
- PCONTEXT ContextRecord,
- BOOLEAN TestAlert
-);
-
-NTSTATUS SCContinueEx(
- PCONTEXT ContextRecord,
- PVOID ContinueArgument // Can be PKCONTINUE_ARGUMENT or BOOLEAN
-);
-
-NTSTATUS SCConvertBetweenAuxiliaryCounterAndPerformanceCounter(
- BOOLEAN ConvertAuxiliaryToPerformanceCounter,
- PULONG64 PerformanceOrAuxiliaryCounterValue,
- PULONG64 ConvertedValue,
- PULONG64 ConversionError OPTIONAL
-);
-
-NTSTATUS SCCopyFileChunk(
- HANDLE SourceHandle,
- HANDLE DestinationHandle,
- HANDLE EventHandle OPTIONAL,
- PIO_STATUS_BLOCK IoStatusBlock,
- ULONG Length,
- PLARGE_INTEGER SourceOffset,
- PLARGE_INTEGER DestOffset,
- PULONG SourceKey OPTIONAL,
- PULONG DestKey OPTIONAL,
- ULONG Flags
-);
-
-NTSTATUS SCCreateCpuPartition(
- PHANDLE CpuPartitionHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
-);
-
-NTSTATUS SCCreateCrossVmEvent(
- PHANDLE CrossVmEvent,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG CrossVmEventFlags,
- LPCGUID VMID,
- LPCGUID ServiceID
-);
-
-NTSTATUS SCCreateCrossVmMutant(
- PHANDLE EventHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG CrossVmEventFlags,
- LPCGUID VMID,
- LPCGUID ServiceID
-);
-
-NTSTATUS SCCreateDebugObject(
- PHANDLE DebugObjectHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG Flags
-);
-
-NTSTATUS SCCreateDirectoryObject(
- PHANDLE DirectoryHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes
-);
-
-NTSTATUS SCCreateDirectoryObjectEx(
- PHANDLE DirectoryHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- HANDLE ShadowDirectoryHandle,
- ULONG Flags
-);
-
-NTSTATUS SCCreateEnclave(
- HANDLE ProcessHandle,
- PVOID* BaseAddress,
- ULONG_PTR ZeroBits,
- SIZE_T Size,
- SIZE_T InitialCommitment,
- ULONG EnclaveType,
- PVOID EnclaveInformation,
- ULONG EnclaveInformationLength,
- PULONG EnclaveError OPTIONAL
-);
-
-NTSTATUS SCCreateEnlistment(
- PHANDLE EnlistmentHandle,
- ACCESS_MASK DesiredAccess,
- HANDLE ResourceManagerHandle,
- HANDLE TransactionHandle,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG CreateOptions OPTIONAL,
- NOTIFICATION_MASK NotificationMask,
- PVOID EnlistmentKey OPTIONAL
-);
-
-NTSTATUS SCCreateEvent(
- PHANDLE EventHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- EVENT_TYPE EventType,
- BOOLEAN InitialState
-);
-
-NTSTATUS SCCreateEventPair(
- PHANDLE EventPairHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
-);
-
-NTSTATUS SCCreateFile(
- PHANDLE FileHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- PIO_STATUS_BLOCK IoStatusBlock,
- PLARGE_INTEGER AllocationSize OPTIONAL,
- ULONG FileAttributes,
- ULONG ShareAccess,
- ULONG CreateDisposition,
- ULONG CreateOptions,
- PVOID EaBuffer OPTIONAL,
- ULONG EaLength
-);
-
-NTSTATUS SCCreateIRTimer(
- PHANDLE TimerHandle,
- PVOID Reserved,
- ACCESS_MASK DesiredAccess
-);
-
-NTSTATUS SCCreateIoCompletion(
- PHANDLE IoCompletionHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG NumberOfConcurrentThreads OPTIONAL
-);
-
-NTSTATUS SCCreateIoRing(
- PHANDLE IoRingHandle,
- ULONG CreateParametersLength,
- PVOID CreateParameters,
- ULONG OutputParametersLength,
- PVOID OutputParameters
-);
-
-NTSTATUS SCCreateJobObject(
- PHANDLE JobHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
-);
-
-NTSTATUS SCCreateJobSet(
- ULONG NumJob,
- PJOB_SET_ARRAY UserJobSet,
- ULONG Flags
-);
-
-NTSTATUS SCCreateKey(
- PHANDLE KeyHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- ULONG TitleIndex,
- PUNICODE_STRING Class OPTIONAL,
- ULONG CreateOptions,
- PULONG Disposition OPTIONAL
-);
-
-NTSTATUS SCCreateKeyTransacted(
- PHANDLE KeyHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- ULONG TitleIndex,
- PUNICODE_STRING Class OPTIONAL,
- ULONG CreateOptions,
- HANDLE TransactionHandle,
- PULONG Disposition OPTIONAL
-);
-
-NTSTATUS SCCreateKeyedEvent(
- PHANDLE KeyedEventHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG Flags
-);
-
-NTSTATUS SCCreateLowBoxToken(
- PHANDLE TokenHandle,
- HANDLE ExistingTokenHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- PSID PackageSid,
- ULONG CapabilityCount,
- PSID_AND_ATTRIBUTES Capabilities OPTIONAL,
- ULONG HandleCount,
- HANDLE* Handles OPTIONAL
-);
-
-NTSTATUS SCCreateMailslotFile(
- PHANDLE FileHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- PIO_STATUS_BLOCK IoStatusBlock,
- ULONG CreateOptions,
- ULONG MailslotQuota,
- ULONG MaximumMessageSize,
- PLARGE_INTEGER ReadTimeout
-);
-
-NTSTATUS SCCreateMutant(
- PHANDLE MutantHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- BOOLEAN InitialOwner
-);
-
-NTSTATUS SCCreateNamedPipeFile(
- PHANDLE FileHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- PIO_STATUS_BLOCK IoStatusBlock,
- ULONG ShareAccess,
- ULONG CreateDisposition,
- ULONG CreateOptions,
- ULONG NamedPipeType,
- ULONG ReadMode,
- ULONG CompletionMode,
- ULONG MaximumInstances,
- ULONG InboundQuota,
- ULONG OutboundQuota,
- PLARGE_INTEGER DefaultTimeout
-);
-
-NTSTATUS SCCreatePagingFile(
- PUNICODE_STRING PageFileName,
- PLARGE_INTEGER MinimumSize,
- PLARGE_INTEGER MaximumSize,
- ULONG Priority
-);
-
-NTSTATUS SCCreatePartition(
- HANDLE ParentPartitionHandle OPTIONAL,
- PHANDLE PartitionHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG PreferredNode
-);
-
-NTSTATUS SCCreatePort(
- PHANDLE PortHandle,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG MaxConnectionInfoLength,
- ULONG MaxMessageLength,
- ULONG MaxPoolUsage OPTIONAL
-);
-
-NTSTATUS SCCreatePrivateNamespace(
- PHANDLE NamespaceHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor
-);
-
-NTSTATUS SCCreateProcess(
- PHANDLE ProcessHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- HANDLE ParentProcess,
- BOOLEAN InheritObjectTable,
- HANDLE SectionHandle OPTIONAL,
- HANDLE DebugPort OPTIONAL,
- HANDLE TokenHandle OPTIONAL
-);
-
-NTSTATUS SCCreateProcessEx(
- PHANDLE ProcessHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- HANDLE ParentProcess,
- ULONG Flags,
- HANDLE SectionHandle OPTIONAL,
- HANDLE DebugPort OPTIONAL,
- HANDLE TokenHandle OPTIONAL,
- ULONG Reserved
-);
-
-NTSTATUS SCCreateProcessStateChange(
- PHANDLE ProcessStateChangeHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- HANDLE ProcessHandle,
- ULONG64 Reserved OPTIONAL
-);
-
-NTSTATUS SCCreateProfile(
- PHANDLE ProfileHandle,
- HANDLE Process OPTIONAL,
- PVOID ProfileBase,
- SIZE_T ProfileSize,
- ULONG BucketSize,
- PULONG Buffer,
- ULONG BufferSize,
- KPROFILE_SOURCE ProfileSource,
- KAFFINITY Affinity
-);
-
-NTSTATUS SCCreateProfileEx(
- PHANDLE ProfileHandle,
- HANDLE Process OPTIONAL,
- PVOID ProfileBase,
- SIZE_T ProfileSize,
- ULONG BucketSize,
- PULONG Buffer,
- ULONG BufferSize,
- KPROFILE_SOURCE ProfileSource,
- USHORT GroupCount,
- PGROUP_AFFINITY GroupAffinity
-);
-
-NTSTATUS SCCreateRegistryTransaction(
- PHANDLE RegistryTransactionHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG CreateOptions
-);
-
-NTSTATUS SCCreateResourceManager(
- PHANDLE ResourceManagerHandle,
- ACCESS_MASK DesiredAccess,
- HANDLE TmHandle,
- LPGUID RmGuid,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG CreateOptions OPTIONAL,
- PUNICODE_STRING Description OPTIONAL
-);
-
-NTSTATUS SCCreateSection(
- PHANDLE SectionHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- PLARGE_INTEGER MaximumSize,
- ULONG SectionPageProtection,
- ULONG AllocationAttributes,
- HANDLE FileHandle
-);
-
-NTSTATUS SCCreateSectionEx(
- PHANDLE SectionHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- PLARGE_INTEGER MaximumSize OPTIONAL,
- ULONG SectionPageProtection,
- ULONG AllocationAttributes,
- HANDLE FileHandle OPTIONAL,
- PMEM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL,
- ULONG ExtendedParameterCount
-);
-
-NTSTATUS SCCreateSemaphore(
- PHANDLE SemaphoreHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- LONG InitialCount,
- LONG MaximumCount
-);
-
-NTSTATUS SCCreateSymbolicLinkObject(
- PHANDLE LinkHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- PUNICODE_STRING LinkTarget
-);
-
-NTSTATUS SCCreateThread(
- PHANDLE ThreadHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- HANDLE ProcessHandle,
- CLIENT_ID* ClientId,
- PCONTEXT ThreadContext,
- PINITIAL_TEB InitialTeb,
- BOOLEAN CreateSuspended
-);
-
-NTSTATUS SCCreateThreadEx(
- PHANDLE ThreadHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- HANDLE ProcessHandle,
- PUSER_THREAD_START_ROUTINE StartRoutine,
- PVOID Argument OPTIONAL,
- ULONG CreateFlags,
- SIZE_T ZeroBits,
- SIZE_T StackSize,
- SIZE_T MaximumStackSize,
- PPS_ATTRIBUTE_LIST AttributeList OPTIONAL
-);
-
-NTSTATUS SCCreateThreadStateChange(
- PHANDLE ThreadStateChangeHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- HANDLE ThreadHandle,
- ULONG64 Reserved OPTIONAL
-);
-
-NTSTATUS SCCreateTimer(
- PHANDLE TimerHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- TIMER_TYPE TimerType
-);
-
-NTSTATUS SCCreateTimer2(
- PHANDLE TimerHandle,
- PVOID Reserved1 OPTIONAL,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG Attributes,
- ACCESS_MASK DesiredAccess
-);
-
-NTSTATUS SCCreateToken(
- PHANDLE TokenHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- TOKEN_TYPE Type,
- PLUID AuthenticationId,
- PLARGE_INTEGER ExpirationTime,
- PTOKEN_USER User,
- PTOKEN_GROUPS Groups,
- PTOKEN_PRIVILEGES Privileges,
- PTOKEN_OWNER Owner OPTIONAL,
- PTOKEN_PRIMARY_GROUP PrimaryGroup,
- PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL,
- PTOKEN_SOURCE Source
-);
-
-NTSTATUS SCCreateTokenEx(
- PHANDLE TokenHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- TOKEN_TYPE Type,
- PLUID AuthenticationId,
- PLARGE_INTEGER ExpirationTime,
- PTOKEN_USER User,
- PTOKEN_GROUPS Groups,
- PTOKEN_PRIVILEGES Privileges,
- PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL,
- PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL,
- PTOKEN_GROUPS DeviceGroups OPTIONAL,
- PTOKEN_MANDATORY_POLICY MandatoryPolicy OPTIONAL,
- PTOKEN_OWNER Owner OPTIONAL,
- PTOKEN_PRIMARY_GROUP PrimaryGroup,
- PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL,
- PTOKEN_SOURCE Source
-);
-
-NTSTATUS SCCreateTransaction(
- PHANDLE TransactionHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- LPGUID Uow OPTIONAL,
- HANDLE TmHandle OPTIONAL,
- ULONG CreateOptions OPTIONAL,
- ULONG IsolationLevel OPTIONAL,
- ULONG IsolationFlags OPTIONAL,
- PLARGE_INTEGER Timeout OPTIONAL,
- PUNICODE_STRING Description OPTIONAL
-);
-
-NTSTATUS SCCreateTransactionManager(
- PHANDLE TmHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- PUNICODE_STRING LogFileName OPTIONAL,
- ULONG CreateOptions OPTIONAL,
- ULONG CommitStrength OPTIONAL
-);
-
-NTSTATUS SCCreateUserProcess(
- PHANDLE ProcessHandle,
- PHANDLE ThreadHandle,
- ACCESS_MASK ProcessDesiredAccess,
- ACCESS_MASK ThreadDesiredAccess,
- POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL,
- POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL,
- ULONG ProcessFlags,
- ULONG ThreadFlags,
- PRTL_USER_PROCESS_PARAMETERS ProcessParameters OPTIONAL,
- PPS_CREATE_INFO CreateInfo,
- PPS_ATTRIBUTE_LIST AttributeList OPTIONAL
-);
-
-NTSTATUS SCCreateWaitCompletionPacket(
- PHANDLE WaitCompletionPacketHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
-);
-
-NTSTATUS SCCreateWaitablePort(
- PHANDLE PortHandle,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- ULONG MaxConnectionInfoLength,
- ULONG MaxMessageLength,
- ULONG MaxPoolUsage OPTIONAL
-);
-
-NTSTATUS SCCreateWnfStateName(
- PWNF_STATE_NAME StateName,
- WNF_STATE_NAME_LIFETIME NameLifetime,
- WNF_DATA_SCOPE DataScope,
- BOOLEAN PersistData,
- PCWNF_TYPE_ID TypeId OPTIONAL,
- ULONG MaximumStateSize,
- PSECURITY_DESCRIPTOR SecurityDescriptor
-);
-
-NTSTATUS SCCreateWorkerFactory(
- PHANDLE WorkerFactoryHandleReturn,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- HANDLE CompletionPortHandle,
- HANDLE WorkerProcessHandle,
- PVOID StartRoutine,
- PVOID StartParameter OPTIONAL,
- ULONG MaxThreadCount OPTIONAL,
- SIZE_T StackReserve OPTIONAL,
- SIZE_T StackCommit OPTIONAL
-);
-
-NTSTATUS SCDebugActiveProcess(
- HANDLE ProcessHandle,
- HANDLE DebugObjectHandle
-);
-
-NTSTATUS SCDebugContinue(
- HANDLE DebugObjectHandle,
- CLIENT_ID* ClientId,
- NTSTATUS ContinueStatus
-);
-
-NTSTATUS SCDelayExecution(
- BOOLEAN Alertable,
- PLARGE_INTEGER DelayInterval
-);
-
-NTSTATUS SCDeleteAtom(
- PRTL_ATOM Atom
-);
-
-NTSTATUS SCDeleteBootEntry(
- ULONG Id
-);
-
-NTSTATUS SCDeleteDriverEntry(
- ULONG Id
-);
-
-NTSTATUS SCDeleteFile(
- POBJECT_ATTRIBUTES ObjectAttributes
-);
-
-NTSTATUS SCDeleteKey(
- HANDLE KeyHandle
-);
-
-NTSTATUS SCDeleteObjectAuditAlarm(
- PUNICODE_STRING SubsystemName,
- PVOID HandleId OPTIONAL,
- BOOLEAN GenerateOnClose
-);
-
-NTSTATUS SCDeletePrivateNamespace(
- HANDLE NamespaceHandle
-);
-
-NTSTATUS SCDeleteValueKey(
- HANDLE KeyHandle,
- PUNICODE_STRING ValueName
-);
-
-NTSTATUS SCDeleteWnfStateData(
- PCWNF_STATE_NAME StateName,
- const VOID* ExplicitScope OPTIONAL
-);
-
-NTSTATUS SCDeleteWnfStateName(
- PCWNF_STATE_NAME StateName
-);
-
-NTSTATUS SCDeviceIoControlFile(
- HANDLE FileHandle,
- HANDLE Event OPTIONAL,
- PIO_APC_ROUTINE ApcRoutine OPTIONAL,
- PVOID ApcContext OPTIONAL,
- PIO_STATUS_BLOCK IoStatusBlock,
- ULONG IoControlCode,
- PVOID InputBuffer OPTIONAL,
- ULONG InputBufferLength,
- PVOID OutputBuffer OPTIONAL,
- ULONG OutputBufferLength
-);
-
-NTSTATUS SCDirectGraphicsCall(
- ULONG InputBufferLength,
- PVOID InputBuffer OPTIONAL,
- ULONG OutputBufferLength,
- PVOID OutputBuffer OPTIONAL,
- PULONG ReturnLength
-);
-
-NTSTATUS SCDisableLastKnownGood(VOID);
-
-NTSTATUS SCDisplayString(
- PUNICODE_STRING String
-);
-
-NTSTATUS SCDrawText(
- PUNICODE_STRING Text
-);
-
-NTSTATUS SCDuplicateObject(
- HANDLE SourceProcessHandle,
- HANDLE SourceHandle,
- HANDLE TargetProcessHandle OPTIONAL,
- PHANDLE TargetHandle OPTIONAL,
- ACCESS_MASK DesiredAccess,
- ULONG HandleAttributes,
- ULONG Options
-);
-
-NTSTATUS SCDuplicateToken(
- HANDLE ExistingTokenHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- BOOLEAN EffectiveOnly,
- TOKEN_TYPE Type,
- PHANDLE NewTokenHandle
-);
-
-NTSTATUS SCEnableLastKnownGood(VOID);
-
-NTSTATUS SCEnumerateBootEntries(
- PVOID Buffer OPTIONAL,
- PULONG BufferLength
-);
-
-NTSTATUS SCEnumerateDriverEntries(
- PVOID Buffer OPTIONAL,
- PULONG BufferLength
-);
-
-NTSTATUS SCEnumerateKey(
- HANDLE KeyHandle,
- ULONG Index,
- KEY_INFORMATION_CLASS KeyInformationClass,
- PVOID KeyInformation OPTIONAL,
- ULONG Length,
- PULONG ResultLength
-);
-
-NTSTATUS SCEnumerateSystemEnvironmentValuesEx(
- ULONG InformationClass,
- PVOID Buffer,
- PULONG BufferLength
-);
-
-NTSTATUS SCEnumerateTransactionObject(
- HANDLE RootObjectHandle OPTIONAL,
- KTMOBJECT_TYPE QueryType,
- PKTMOBJECT_CURSOR ObjectCursor,
- ULONG ObjectCursorLength,
- PULONG ReturnLength
-);
-
-NTSTATUS SCEnumerateValueKey(
- HANDLE KeyHandle,
- ULONG Index,
- KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
- PVOID KeyValueInformation OPTIONAL,
- ULONG Length,
- PULONG ResultLength
-);
-
-NTSTATUS SCExtendSection(
- HANDLE SectionHandle,
- PLARGE_INTEGER NewSectionSize
-);
-
-NTSTATUS SCFilterBootOption(
- FILTER_BOOT_OPTION_OPERATION FilterOperation,
- ULONG ObjectType,
- ULONG ElementType,
- PVOID Data OPTIONAL,
- ULONG DataSize
-);
-
-NTSTATUS SCFilterToken(
- HANDLE ExistingTokenHandle,
- ULONG Flags,
- PTOKEN_GROUPS SidsToDisable OPTIONAL,
- PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
- PTOKEN_GROUPS RestrictedSids OPTIONAL,
- PHANDLE NewTokenHandle
-);
-
-NTSTATUS SCFilterTokenEx(
- HANDLE ExistingTokenHandle,
- ULONG Flags,
- PTOKEN_GROUPS SidsToDisable OPTIONAL,
- PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
- PTOKEN_GROUPS RestrictedSids OPTIONAL,
- ULONG DisableUserClaimsCount,
- PUNICODE_STRING UserClaimsToDisable OPTIONAL,
- ULONG DisableDeviceClaimsCount,
- PUNICODE_STRING DeviceClaimsToDisable OPTIONAL,
- PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL,
- PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL,
- PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL,
- PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL,
- PHANDLE NewTokenHandle
-);
-
-NTSTATUS SCFindAtom(
- PCWSTR AtomName OPTIONAL,
- ULONG Length,
- PRTL_ATOM Atom OPTIONAL
-);
-
-NTSTATUS SCFlushBuffersFile(
- HANDLE FileHandle,
- PIO_STATUS_BLOCK IoStatusBlock
-);
-
-NTSTATUS SCFlushBuffersFileEx(
- HANDLE FileHandle,
- ULONG Flags,
- PVOID Parameters,
- ULONG ParametersSize,
- PIO_STATUS_BLOCK IoStatusBlock
-);
-
-NTSTATUS SCFlushInstallUILanguage(
- LANGID InstallUILanguage,
- ULONG SetCommittedFlag
-);
-
-NTSTATUS SCFlushInstructionCache(
- HANDLE ProcessHandle,
- PVOID BaseAddress OPTIONAL,
- SIZE_T Length
-);
-
-NTSTATUS SCFlushKey(
- HANDLE KeyHandle
-);
-
-NTSTATUS SCFlushProcessWriteBuffers(VOID);
-
-NTSTATUS SCFlushVirtualMemory(
- HANDLE ProcessHandle,
- PVOID * BaseAddress,
- PSIZE_T RegionSize,
- PIO_STATUS_BLOCK IoStatus
-);
-
-NTSTATUS SCFlushWriteBuffer(VOID);
-
-NTSTATUS SCFreeUserPhysicalPages(
- HANDLE ProcessHandle,
- PULONG_PTR NumberOfPages,
- PULONG_PTR UserPfnArray
-);
-
-NTSTATUS SCFreeVirtualMemory(
- HANDLE ProcessHandle,
- PVOID * BaseAddress,
- PSIZE_T RegionSize,
- ULONG FreeType
-);
-
-NTSTATUS SCFreezeRegistry(
- ULONG TimeOutInSeconds
-);
-
-NTSTATUS SCFreezeTransactions(
- PLARGE_INTEGER FreezeTimeout,
- PLARGE_INTEGER ThawTimeout
-);
-
-NTSTATUS SCFsControlFile(
- HANDLE FileHandle,
- HANDLE Event OPTIONAL,
- PIO_APC_ROUTINE ApcRoutine OPTIONAL,
- PVOID ApcContext OPTIONAL,
- PIO_STATUS_BLOCK IoStatusBlock,
- ULONG FsControlCode,
- PVOID InputBuffer OPTIONAL,
- ULONG InputBufferLength,
- PVOID OutputBuffer OPTIONAL,
- ULONG OutputBufferLength
-);
-
-NTSTATUS SCGetCachedSigningLevel(
- HANDLE File,
- PULONG Flags,
- PSE_SIGNING_LEVEL SigningLevel,
- PUCHAR Thumbprint OPTIONAL,
- PULONG ThumbprintSize OPTIONAL,
- PULONG ThumbprintAlgorithm OPTIONAL
-);
-
-NTSTATUS SCGetCompleteWnfStateSubscription(
- PWNF_STATE_NAME OldDescriptorStateName OPTIONAL,
- ULONG64* OldSubscriptionId OPTIONAL,
- ULONG OldDescriptorEventMask,
- ULONG OldDescriptorStatus,
- PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor,
- ULONG DescriptorSize
-);
-
-NTSTATUS SCGetContextThread(
- HANDLE ThreadHandle,
- PCONTEXT ThreadContext
-);
-
-ULONG SCGetCurrentProcessorNumber(VOID);
-
-VOID SCGetCurrentProcessorNumberEx(
- PPROCESSOR_NUMBER ProcessorNumber OPTIONAL
-);
-
-NTSTATUS SCGetDevicePowerState(
- HANDLE Device,
- PDEVICE_POWER_STATE State
-);
-
-NTSTATUS SCGetMUIRegistryInfo(
- ULONG Flags,
- PULONG DataSize,
- PVOID Data
-);
-
-NTSTATUS SCGetNextProcess(
- HANDLE ProcessHandle OPTIONAL,
- ACCESS_MASK DesiredAccess,
- ULONG HandleAttributes,
- ULONG Flags,
- PHANDLE NewProcessHandle
-);
-
-NTSTATUS SCGetNextThread(
- HANDLE ProcessHandle,
- HANDLE ThreadHandle OPTIONAL,
- ACCESS_MASK DesiredAccess,
- ULONG HandleAttributes,
- ULONG Flags,
- PHANDLE NewThreadHandle
-);
-
-NTSTATUS SCGetNlsSectionPtr(
- ULONG SectionType,
- ULONG SectionData,
- PVOID ContextData,
- PVOID* SectionPointer,
- PULONG SectionSize
-);
-
-NTSTATUS SCGetNotificationResourceManager(
- HANDLE ResourceManagerHandle,
- PTRANSACTION_NOTIFICATION TransactionNotification,
- ULONG NotificationLength,
- PLARGE_INTEGER Timeout OPTIONAL,
- PULONG ReturnLength OPTIONAL,
- ULONG Asynchronous,
- ULONG_PTR AsynchronousContext OPTIONAL
-);
-
-NTSTATUS SCGetWriteWatch(
- HANDLE ProcessHandle,
- ULONG Flags,
- PVOID BaseAddress,
- SIZE_T RegionSize,
- PVOID* UserAddressArray,
- PULONG_PTR EntriesInUserAddressArray,
- PULONG Granularity
-);
-
-NTSTATUS SCImpersonateAnonymousToken(
- HANDLE ThreadHandle
-);
-
-NTSTATUS SCImpersonateClientOfPort(
- HANDLE PortHandle,
- PPORT_MESSAGE Message
-);
-
-NTSTATUS SCImpersonateThread(
- HANDLE ServerThreadHandle,
- HANDLE ClientThreadHandle,
- PSECURITY_QUALITY_OF_SERVICE SecurityQos
-);
-
-NTSTATUS SCInitializeEnclave(
- HANDLE ProcessHandle,
- PVOID BaseAddress,
- PVOID EnclaveInformation,
- ULONG EnclaveInformationLength,
- PULONG EnclaveError OPTIONAL
-);
-
-NTSTATUS SCInitializeNlsFiles(
- PVOID* BaseAddress,
- PLCID DefaultLocaleId,
- PLARGE_INTEGER DefaultCasingTableSize,
- PULONG CurrentNLSVersion OPTIONAL
-);
-
-NTSTATUS SCInitializeRegistry(
- USHORT BootCondition
-);
-
-NTSTATUS SCInitiatePowerAction(
- POWER_ACTION SystemAction,
- SYSTEM_POWER_STATE LightestSystemState,
- ULONG Flags,
- BOOLEAN Asynchronous
-);
-
-NTSTATUS SCIsProcessInJob(
- HANDLE ProcessHandle,
- HANDLE JobHandle OPTIONAL
-);
-
-BOOLEAN SCIsSystemResumeAutomatic(VOID);
-
-NTSTATUS SCIsUILanguageCommitted(VOID);
- -NTSTATUS SCListenPort( - HANDLE PortHandle, - PPORT_MESSAGE ConnectionRequest -); - -NTSTATUS SCLoadDriver( - PUNICODE_STRING DriverServiceName -); - -NTSTATUS SCLoadEnclaveData( - HANDLE ProcessHandle, - PVOID BaseAddress, - PVOID Buffer, - SIZE_T BufferSize, - ULONG Protect, - PVOID PageInformation, - ULONG PageInformationLength, - PSIZE_T NumberOfBytesWritten OPTIONAL, - PULONG EnclaveError OPTIONAL -); - -NTSTATUS SCLoadKey( - POBJECT_ATTRIBUTES TargetKey, - POBJECT_ATTRIBUTES SourceFile -); - -NTSTATUS SCLoadKey2( - POBJECT_ATTRIBUTES TargetKey, - POBJECT_ATTRIBUTES SourceFile, - ULONG Flags -); - -NTSTATUS SCLoadKey3( - POBJECT_ATTRIBUTES TargetKey, - POBJECT_ATTRIBUTES SourceFile, - ULONG Flags, - PCM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL, - ULONG ExtendedParameterCount, - ACCESS_MASK DesiredAccess OPTIONAL, - PHANDLE RootHandle OPTIONAL, - PVOID Reserved OPTIONAL -); - -NTSTATUS SCLoadKeyEx( - POBJECT_ATTRIBUTES TargetKey, - POBJECT_ATTRIBUTES SourceFile, - ULONG Flags, - HANDLE TrustClassKey OPTIONAL, - HANDLE Event OPTIONAL, - ACCESS_MASK DesiredAccess OPTIONAL, - PHANDLE RootHandle OPTIONAL, - PVOID Reserved OPTIONAL -); - -NTSTATUS SCLockFile( - HANDLE FileHandle, - HANDLE Event OPTIONAL, - PIO_APC_ROUTINE ApcRoutine OPTIONAL, - PVOID ApcContext OPTIONAL, - PIO_STATUS_BLOCK IoStatusBlock, - PLARGE_INTEGER ByteOffset, - PLARGE_INTEGER Length, - ULONG Key, - BOOLEAN FailImmediately, - BOOLEAN ExclusiveLock -); - -NTSTATUS SCLockProductActivationKeys( - ULONG* pPrivateVer OPTIONAL, - ULONG* pSafeMode OPTIONAL -); - -NTSTATUS SCLockRegistryKey( - HANDLE KeyHandle -); - -NTSTATUS SCLockVirtualMemory( - HANDLE ProcessHandle, - PVOID* BaseAddress, - PSIZE_T RegionSize, - ULONG MapType -); - -NTSTATUS SCMakePermanentObject( - HANDLE Handle -); - -NTSTATUS SCMakeTemporaryObject( - HANDLE Handle -); - -NTSTATUS SCManageHotPatch( - HANDLE ProcessHandle, - ULONG Operation, - PVOID InputBuffer OPTIONAL, - ULONG InputBufferLength, - PVOID OutputBuffer 
OPTIONAL, - ULONG OutputBufferLength -); - -NTSTATUS SCManagePartition( - HANDLE TargetHandle, - HANDLE SourceHandle OPTIONAL, - PARTITION_INFORMATION_CLASS PartitionInformationClass, - PVOID PartitionInformation, - ULONG PartitionInformationLength -); - -NTSTATUS SCMapCMFModule( - ULONG What, - ULONG Index, - PULONG CacheIndexOut OPTIONAL, - PULONG CacheFlagsOut OPTIONAL, - PULONG ViewSizeOut OPTIONAL, - PVOID* BaseAddress OPTIONAL -); - -NTSTATUS SCMapUserPhysicalPages( - PVOID VirtualAddress, - SIZE_T NumberOfPages, - PULONG_PTR UserPfnArray OPTIONAL -); - -NTSTATUS SCMapUserPhysicalPagesScatter( - PVOID* VirtualAddresses, - SIZE_T NumberOfPages, - PULONG_PTR UserPfnArray OPTIONAL -); - -NTSTATUS SCMapViewOfSection( - HANDLE SectionHandle, - HANDLE ProcessHandle, - PVOID* BaseAddress, - ULONG_PTR ZeroBits, - SIZE_T CommitSize, - PLARGE_INTEGER SectionOffset, - PSIZE_T ViewSize, - ULONG InheritDisposition, - ULONG AllocationType, - ULONG Win32Protect -); - -NTSTATUS SCMapViewOfSectionEx( - HANDLE SectionHandle, - HANDLE ProcessHandle, - PVOID* BaseAddress, - PLARGE_INTEGER SectionOffset OPTIONAL, - PSIZE_T ViewSize, - ULONG AllocationType, - ULONG PageProtection, - PMEM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL, - ULONG ExtendedParameterCount -); - -NTSTATUS SCModifyBootEntry( - PBOOT_ENTRY BootEntry -); - -NTSTATUS SCModifyDriverEntry( - PEFI_DRIVER_ENTRY DriverEntry -); - -NTSTATUS SCNotifyChangeDirectoryFile( - HANDLE FileHandle, - HANDLE Event OPTIONAL, - PIO_APC_ROUTINE ApcRoutine OPTIONAL, - PVOID ApcContext OPTIONAL, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID Buffer, // FILE_NOTIFY_INFORMATION - ULONG Length, - ULONG CompletionFilter, - BOOLEAN WatchTree -); - -NTSTATUS SCNotifyChangeDirectoryFileEx( - HANDLE FileHandle, - HANDLE Event OPTIONAL, - PIO_APC_ROUTINE ApcRoutine OPTIONAL, - PVOID ApcContext OPTIONAL, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID Buffer, - ULONG Length, - ULONG CompletionFilter, - BOOLEAN WatchTree, - 
DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass -); - -NTSTATUS SCNotifyChangeKey( - HANDLE KeyHandle, - HANDLE Event OPTIONAL, - PIO_APC_ROUTINE ApcRoutine OPTIONAL, - PVOID ApcContext OPTIONAL, - PIO_STATUS_BLOCK IoStatusBlock, - ULONG CompletionFilter, - BOOLEAN WatchTree, - PVOID Buffer OPTIONAL, - ULONG BufferSize, - BOOLEAN Asynchronous -); - -NTSTATUS SCNotifyChangeMultipleKeys( - HANDLE MasterKeyHandle, - ULONG Count OPTIONAL, - OBJECT_ATTRIBUTES SubordinateObjects[], - HANDLE Event OPTIONAL, - PIO_APC_ROUTINE ApcRoutine OPTIONAL, - PVOID ApcContext OPTIONAL, - PIO_STATUS_BLOCK IoStatusBlock, - ULONG CompletionFilter, - BOOLEAN WatchTree, - PVOID Buffer OPTIONAL, - ULONG BufferSize, - BOOLEAN Asynchronous -); - -NTSTATUS SCNotifyChangeSession( - HANDLE SessionHandle, - ULONG ChangeSequenceNumber, - PLARGE_INTEGER ChangeTimeStamp, - IO_SESSION_EVENT Event, - IO_SESSION_STATE NewState, - IO_SESSION_STATE PreviousState, - PVOID Payload OPTIONAL, - ULONG PayloadSize -); - -NTSTATUS SCOpenCpuPartition( - PHANDLE CpuPartitionHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL -); - -NTSTATUS SCOpenEnlistment( - PHANDLE EnlistmentHandle, - ACCESS_MASK DesiredAccess, - HANDLE ResourceManagerHandle, - LPGUID EnlistmentGuid, - POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL -); - -NTSTATUS SCOpenEvent( - PHANDLE EventHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenEventPair( - PHANDLE EventPairHandle, - ACCESS_MASK DesiredAccess, - PCOBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenFile( - PHANDLE FileHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes, - PIO_STATUS_BLOCK IoStatusBlock, - ULONG ShareAccess, - ULONG OpenOptions -); - -NTSTATUS SCOpenIoCompletion( - PHANDLE IoCompletionHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenJobObject( - PHANDLE JobHandle, - ACCESS_MASK DesiredAccess, - 
PCOBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenKey( - PHANDLE KeyHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenKeyEx( - PHANDLE KeyHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes, - ULONG OpenOptions -); - -NTSTATUS SCOpenKeyTransacted( - PHANDLE KeyHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes, - HANDLE TransactionHandle -); - -NTSTATUS SCOpenKeyTransactedEx( - PHANDLE KeyHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes, - ULONG OpenOptions, - HANDLE TransactionHandle -); - -NTSTATUS SCOpenKeyedEvent( - PHANDLE KeyedEventHandle, - ACCESS_MASK DesiredAccess, - PCOBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenMutant( - PHANDLE MutantHandle, - ACCESS_MASK DesiredAccess, - PCOBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenObjectAuditAlarm( - PUNICODE_STRING SubsystemName, - PVOID HandleId OPTIONAL, - PUNICODE_STRING ObjectTypeName, - PUNICODE_STRING ObjectName, - PSECURITY_DESCRIPTOR SecurityDescriptor, - HANDLE ClientToken, - ACCESS_MASK DesiredAccess, - ACCESS_MASK GrantedAccess, - PPRIVILEGE_SET Privileges OPTIONAL, - BOOLEAN ObjectCreation, - BOOLEAN AccessGranted, - PBOOLEAN GenerateOnClose -); - -NTSTATUS SCOpenPartition( - PHANDLE PartitionHandle, - ACCESS_MASK DesiredAccess, - PCOBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenPrivateNamespace( - PHANDLE NamespaceHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, - POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor -); - -NTSTATUS SCOpenProcess( - PHANDLE ProcessHandle, - ACCESS_MASK DesiredAccess, - PCOBJECT_ATTRIBUTES ObjectAttributes, - CLIENT_ID* ClientId OPTIONAL -); - -NTSTATUS SCOpenProcessToken( - HANDLE ProcessHandle, - ACCESS_MASK DesiredAccess, - PHANDLE TokenHandle -); - -NTSTATUS SCOpenProcessTokenEx( - HANDLE ProcessHandle, - ACCESS_MASK DesiredAccess, - ULONG HandleAttributes, - PHANDLE 
TokenHandle -); - -NTSTATUS SCOpenRegistryTransaction( - HANDLE* RegistryTransactionHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjAttributes -); - -NTSTATUS SCOpenResourceManager( - PHANDLE ResourceManagerHandle, - ACCESS_MASK DesiredAccess, - HANDLE TmHandle, - LPGUID ResourceManagerGuid OPTIONAL, - POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL -); - -NTSTATUS SCOpenSection( - PHANDLE SectionHandle, - ACCESS_MASK DesiredAccess, - PCOBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenSemaphore( - PHANDLE SemaphoreHandle, - ACCESS_MASK DesiredAccess, - PCOBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenSession( - PHANDLE SessionHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenSymbolicLinkObject( - PHANDLE LinkHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenThread( - PHANDLE ThreadHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes, - CLIENT_ID* ClientId OPTIONAL -); - -NTSTATUS SCOpenThreadToken( - HANDLE ThreadHandle, - ACCESS_MASK DesiredAccess, - BOOLEAN OpenAsSelf, - PHANDLE TokenHandle -); - -NTSTATUS SCOpenThreadTokenEx( - HANDLE ThreadHandle, - ACCESS_MASK DesiredAccess, - BOOLEAN OpenAsSelf, - ULONG HandleAttributes, - PHANDLE TokenHandle -); - -NTSTATUS SCOpenTimer( - PHANDLE TimerHandle, - ACCESS_MASK DesiredAccess, - PCOBJECT_ATTRIBUTES ObjectAttributes -); - -NTSTATUS SCOpenTransaction( - PHANDLE TransactionHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, - LPGUID Uow, - HANDLE TmHandle OPTIONAL -); - -NTSTATUS SCOpenTransactionManager( - PHANDLE TmHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, - PUNICODE_STRING LogFileName OPTIONAL, - LPGUID TmIdentity OPTIONAL, - ULONG OpenOptions OPTIONAL -); - -NTSTATUS SCPlugPlayControl( - PLUGPLAY_CONTROL_CLASS PnPControlClass, - PVOID PnPControlData OPTIONAL, - ULONG PnPControlDataLength -); - 
-NTSTATUS SCPowerInformation( - POWER_INFORMATION_LEVEL InformationLevel, - PVOID InputBuffer OPTIONAL, - ULONG InputBufferLength, - PVOID OutputBuffer OPTIONAL, - ULONG OutputBufferLength -); - -NTSTATUS SCPrePrepareComplete( - HANDLE EnlistmentHandle, - PLARGE_INTEGER TmVirtualClock OPTIONAL -); - -NTSTATUS SCPrePrepareEnlistment( - HANDLE EnlistmentHandle, - PLARGE_INTEGER TmVirtualClock OPTIONAL -); - -NTSTATUS SCPrepareComplete( - HANDLE EnlistmentHandle, - PLARGE_INTEGER TmVirtualClock OPTIONAL -); - -NTSTATUS SCPrepareEnlistment( - HANDLE EnlistmentHandle, - PLARGE_INTEGER TmVirtualClock OPTIONAL -); - -NTSTATUS SCPrivilegeCheck( - HANDLE ClientToken, - PPRIVILEGE_SET RequiredPrivileges, - PBOOLEAN Result -); - -NTSTATUS SCPrivilegeObjectAuditAlarm( - PUNICODE_STRING SubsystemName, - PVOID HandleId OPTIONAL, - HANDLE ClientToken, - ACCESS_MASK DesiredAccess, - PPRIVILEGE_SET Privileges, - BOOLEAN AccessGranted -); - -NTSTATUS SCPrivilegedServiceAuditAlarm( - PUNICODE_STRING SubsystemName, - PUNICODE_STRING ServiceName, - HANDLE ClientToken, - PPRIVILEGE_SET Privileges, - BOOLEAN AccessGranted -); - -NTSTATUS SCPropagationComplete( - HANDLE ResourceManagerHandle, - ULONG RequestCookie, - ULONG BufferLength, - PVOID Buffer -); - -NTSTATUS SCPropagationFailed( - HANDLE ResourceManagerHandle, - ULONG RequestCookie, - NTSTATUS PropStatus -); - -NTSTATUS SCProtectVirtualMemory( - HANDLE ProcessHandle, - PVOID* BaseAddress, - PSIZE_T RegionSize, - ULONG NewProtection, - PULONG OldProtection -); - -NTSTATUS SCPssCaptureVaSpaceBulk( - HANDLE ProcessHandle, - PVOID BaseAddress OPTIONAL, - PNTPSS_MEMORY_BULK_INFORMATION BulkInformation, - SIZE_T BulkInformationLength, - PSIZE_T ReturnLength OPTIONAL -); - -NTSTATUS SCPulseEvent( - HANDLE EventHandle, - PLONG PreviousState OPTIONAL -); - -NTSTATUS SCQueryAttributesFile( - POBJECT_ATTRIBUTES ObjectAttributes, - PFILE_BASIC_INFORMATION FileInformation -); - -NTSTATUS SCQueryAuxiliaryCounterFrequency( - PULONG64 
AuxiliaryCounterFrequency -); - -NTSTATUS SCQueryBootEntryOrder( - PULONG Ids OPTIONAL, - PULONG Count -); - -NTSTATUS SCQueryBootOptions( - PBOOT_OPTIONS BootOptions OPTIONAL, - PULONG BootOptionsLength -); - -NTSTATUS SCQueryDebugFilterState( - ULONG ComponentId, - ULONG Level -); - -NTSTATUS SCQueryDefaultLocale( - BOOLEAN UserProfile, - PLCID DefaultLocaleId -); - -NTSTATUS SCQueryDefaultUILanguage( - LANGID* DefaultUILanguageId -); - -NTSTATUS SCQueryDirectoryFile( - HANDLE FileHandle, - HANDLE Event OPTIONAL, - PIO_APC_ROUTINE ApcRoutine OPTIONAL, - PVOID ApcContext OPTIONAL, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID FileInformation, - ULONG Length, - FILE_INFORMATION_CLASS FileInformationClass, - BOOLEAN ReturnSingleEntry, - PUNICODE_STRING FileName OPTIONAL, - BOOLEAN RestartScan -); - -NTSTATUS SCQueryDirectoryFileEx( - HANDLE FileHandle, - HANDLE Event OPTIONAL, - PIO_APC_ROUTINE ApcRoutine OPTIONAL, - PVOID ApcContext OPTIONAL, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID FileInformation, - ULONG Length, - FILE_INFORMATION_CLASS FileInformationClass, - ULONG QueryFlags, - PUNICODE_STRING FileName OPTIONAL -); - -NTSTATUS SCQueryDirectoryObject( - HANDLE DirectoryHandle, - PVOID Buffer OPTIONAL, - ULONG Length, - BOOLEAN ReturnSingleEntry, - BOOLEAN RestartScan, - PULONG Context, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryDriverEntryOrder( - PULONG Ids OPTIONAL, - PULONG Count -); - -NTSTATUS SCQueryEaFile( - HANDLE FileHandle, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID Buffer, - ULONG Length, - BOOLEAN ReturnSingleEntry, - PVOID EaList OPTIONAL, - ULONG EaListLength, - PULONG EaIndex OPTIONAL, - BOOLEAN RestartScan -); - -NTSTATUS SCQueryEvent( - HANDLE EventHandle, - EVENT_INFORMATION_CLASS EventInformationClass, - PVOID EventInformation, - ULONG EventInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryFullAttributesFile( - POBJECT_ATTRIBUTES ObjectAttributes, - PFILE_NETWORK_OPEN_INFORMATION FileInformation -); - -NTSTATUS 
SCQueryInformationAtom( - PRTL_ATOM Atom, - ATOM_INFORMATION_CLASS AtomInformationClass, - PVOID AtomInformation, - ULONG AtomInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationByName( - POBJECT_ATTRIBUTES ObjectAttributes, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID FileInformation, - ULONG Length, - FILE_INFORMATION_CLASS FileInformationClass -); - -NTSTATUS SCQueryInformationCpuPartition( - HANDLE PartitionHandle OPTIONAL, - CPU_PARTITION_INFORMATION_CLASS PartitionInformationClass, - PVOID PartitionInformation, - ULONG PartitionInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationEnlistment( - HANDLE EnlistmentHandle, - ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, - PVOID EnlistmentInformation, - ULONG EnlistmentInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationFile( - HANDLE FileHandle, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID FileInformation, - ULONG Length, - FILE_INFORMATION_CLASS FileInformationClass -); - -NTSTATUS SCQueryInformationJobObject( - HANDLE JobHandle OPTIONAL, - JOBOBJECTINFOCLASS JobObjectInformationClass, - PVOID JobObjectInformation, - ULONG JobObjectInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationPort( - HANDLE PortHandle, - PORT_INFORMATION_CLASS PortInformationClass, - PVOID PortInformation, - ULONG Length, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationProcess( - HANDLE ProcessHandle, - PROCESSINFOCLASS ProcessInformationClass, - PVOID ProcessInformation, - ULONG ProcessInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationResourceManager( - HANDLE ResourceManagerHandle, - RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, - PVOID ResourceManagerInformation, - ULONG ResourceManagerInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationThread( - HANDLE ThreadHandle, - THREADINFOCLASS 
ThreadInformationClass, - PVOID ThreadInformation, - ULONG ThreadInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationToken( - HANDLE TokenHandle, - TOKEN_INFORMATION_CLASS TokenInformationClass, - PVOID TokenInformation, - ULONG TokenInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationTransaction( - HANDLE TransactionHandle, - TRANSACTION_INFORMATION_CLASS TransactionInformationClass, - PVOID TransactionInformation, - ULONG TransactionInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationTransactionManager( - HANDLE TransactionManagerHandle, - TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, - PVOID TransactionManagerInformation, - ULONG TransactionManagerInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInformationWorkerFactory( - HANDLE WorkerFactoryHandle, - WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, - PVOID WorkerFactoryInformation, - ULONG WorkerFactoryInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryInstallUILanguage( - LANGID* InstallUILanguageId -); - -NTSTATUS SCQueryIntervalProfile( - KPROFILE_SOURCE ProfileSource, - PULONG Interval -); - -NTSTATUS SCQueryIoCompletion( - HANDLE IoCompletionHandle, - IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, - PVOID IoCompletionInformation, - ULONG IoCompletionInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryIoRingCapabilities( - SIZE_T IoRingCapabilitiesLength, - PVOID IoRingCapabilities -); - -NTSTATUS SCQueryKey( - HANDLE KeyHandle, - KEY_INFORMATION_CLASS KeyInformationClass, - PVOID KeyInformation, - ULONG Length, - PULONG ResultLength OPTIONAL -); - -NTSTATUS SCQueryLicenseValue( - PUNICODE_STRING ValueName, - PULONG Type OPTIONAL, - PVOID Data OPTIONAL, - ULONG DataSize, - PULONG ResultDataSize -); - -NTSTATUS SCQueryMultipleValueKey( - HANDLE KeyHandle, - PKEY_VALUE_ENTRY ValueEntries, - ULONG 
EntryCount, - PVOID ValueBuffer, - PULONG BufferLength, - PULONG RequiredBufferLength OPTIONAL -); - -NTSTATUS SCQueryMutant( - HANDLE MutantHandle, - MUTANT_INFORMATION_CLASS MutantInformationClass, - PVOID MutantInformation, - ULONG MutantInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryObject( - HANDLE Handle, - OBJECT_INFORMATION_CLASS ObjectInformationClass, - PVOID ObjectInformation OPTIONAL, - ULONG ObjectInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryOpenSubKeys( - POBJECT_ATTRIBUTES TargetKey, - PULONG HandleCount -); - -NTSTATUS SCQueryOpenSubKeysEx( - POBJECT_ATTRIBUTES TargetKey, - ULONG BufferLength, - PVOID Buffer, - PULONG RequiredSize -); - -NTSTATUS SCQueryPerformanceCounter( - PLARGE_INTEGER PerformanceCounter, - PLARGE_INTEGER PerformanceFrequency OPTIONAL -); - -NTSTATUS SCQueryPortInformationProcess(VOID); - -NTSTATUS SCQueryQuotaInformationFile( - HANDLE FileHandle, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID Buffer, - ULONG Length, - BOOLEAN ReturnSingleEntry, - PVOID SidList OPTIONAL, - ULONG SidListLength, - PSID StartSid OPTIONAL, - BOOLEAN RestartScan -); - -NTSTATUS SCQuerySection( - HANDLE SectionHandle, - SECTION_INFORMATION_CLASS SectionInformationClass, - PVOID SectionInformation, - SIZE_T SectionInformationLength, - PSIZE_T ReturnLength OPTIONAL -); - -NTSTATUS SCQuerySecurityAttributesToken( - HANDLE TokenHandle, - PUNICODE_STRING Attributes, - ULONG NumberOfAttributes, - PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION - ULONG Length, - PULONG ReturnLength -); - -NTSTATUS SCQuerySecurityObject( - HANDLE Handle, - SECURITY_INFORMATION SecurityInformation, - PSECURITY_DESCRIPTOR SecurityDescriptor, - ULONG Length, - PULONG LengthNeeded -); - -NTSTATUS SCQuerySecurityPolicy( - PCUNICODE_STRING Policy, - PCUNICODE_STRING KeyName, - PCUNICODE_STRING ValueName, - SECURE_SETTING_VALUE_TYPE ValueType, - PVOID Value OPTIONAL, - PULONG ValueSize -); - -NTSTATUS SCQuerySemaphore( - 
HANDLE SemaphoreHandle, - SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, - PVOID SemaphoreInformation, - ULONG SemaphoreInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQuerySymbolicLinkObject( - HANDLE LinkHandle, - PUNICODE_STRING LinkTarget, - PULONG ReturnedLength OPTIONAL -); - -NTSTATUS SCQuerySystemEnvironmentValue( - PUNICODE_STRING VariableName, - PWSTR VariableValue, - USHORT ValueLength, - PUSHORT ReturnLength OPTIONAL -); - -NTSTATUS SCQuerySystemEnvironmentValueEx( - PCUNICODE_STRING VariableName, - PCGUID VendorGuid, - PVOID Buffer OPTIONAL, - PULONG BufferLength, - PULONG Attributes OPTIONAL -); - -NTSTATUS SCQuerySystemInformation( - SYSTEM_INFORMATION_CLASS SystemInformationClass, - PVOID SystemInformation, - ULONG SystemInformationLength, - PULONG ReturnLength -); - -NTSTATUS SCQuerySystemInformationEx( - SYSTEM_INFORMATION_CLASS SystemInformationClass, - PVOID InputBuffer, - ULONG InputBufferLength, - PVOID SystemInformation, - ULONG SystemInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryTimer( - HANDLE TimerHandle, - TIMER_INFORMATION_CLASS TimerInformationClass, - PVOID TimerInformation, - ULONG TimerInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCQueryTimerResolution( - PULONG MaximumTime, - PULONG MinimumTime, - PULONG CurrentTime -); - -NTSTATUS SCQueryValueKey( - HANDLE KeyHandle, - PUNICODE_STRING ValueName, - KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - PVOID KeyValueInformation, - ULONG Length, - PULONG ResultLength -); - -NTSTATUS SCQueryVirtualMemory( - HANDLE ProcessHandle, - PVOID BaseAddress OPTIONAL, - MEMORY_INFORMATION_CLASS MemoryInformationClass, - PVOID MemoryInformation, - SIZE_T MemoryInformationLength, - PSIZE_T ReturnLength OPTIONAL -); - -NTSTATUS SCQueryVolumeInformationFile( - HANDLE FileHandle, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID FsInformation, - ULONG Length, - SYSK_FSINFOCLASS FsInformationClass -); - -NTSTATUS 
SCQueryWnfStateData( - PCWNF_STATE_NAME StateName, - PCWNF_TYPE_ID TypeId OPTIONAL, - const VOID * ExplicitScope OPTIONAL, - PWNF_CHANGE_STAMP ChangeStamp, - PVOID Buffer OPTIONAL, - PULONG BufferSize -); - -NTSTATUS SCQueryWnfStateNameInformation( - PCWNF_STATE_NAME StateName, - WNF_STATE_NAME_INFORMATION NameInfoClass, - const VOID * ExplicitScope OPTIONAL, - PVOID InfoBuffer, - ULONG InfoBufferSize -); - -NTSTATUS SCQueueApcThread( - HANDLE ThreadHandle, - PPS_APC_ROUTINE ApcRoutine, - PVOID ApcArgument1 OPTIONAL, - PVOID ApcArgument2 OPTIONAL, - PVOID ApcArgument3 OPTIONAL -); - -NTSTATUS SCQueueApcThreadEx( - HANDLE ThreadHandle, - HANDLE ReserveHandle OPTIONAL, - PPS_APC_ROUTINE ApcRoutine, - PVOID ApcArgument1 OPTIONAL, - PVOID ApcArgument2 OPTIONAL, - PVOID ApcArgument3 OPTIONAL -); - -NTSTATUS SCQueueApcThreadEx2( - HANDLE ThreadHandle, - HANDLE ReserveHandle OPTIONAL, - ULONG ApcFlags, - PPS_APC_ROUTINE ApcRoutine, - PVOID ApcArgument1 OPTIONAL, - PVOID ApcArgument2 OPTIONAL, - PVOID ApcArgument3 OPTIONAL -); - -NTSTATUS SCRaiseException( - PEXCEPTION_RECORD ExceptionRecord, - PCONTEXT ContextRecord, - BOOLEAN FirstChance -); - -NTSTATUS SCRaiseHardError( - NTSTATUS ErrorStatus, - ULONG NumberOfParameters, - ULONG UnicodeStringParameterMask, - PULONG_PTR Parameters, - ULONG ValidResponseOptions, - PULONG Response -); - -NTSTATUS SCReadFile( - HANDLE FileHandle, - HANDLE Event OPTIONAL, - PIO_APC_ROUTINE ApcRoutine OPTIONAL, - PVOID ApcContext OPTIONAL, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID Buffer, - ULONG Length, - PLARGE_INTEGER ByteOffset OPTIONAL, - PULONG Key OPTIONAL -); - -NTSTATUS SCReadFileScatter( - HANDLE FileHandle, - HANDLE Event OPTIONAL, - PIO_APC_ROUTINE ApcRoutine OPTIONAL, - PVOID ApcContext OPTIONAL, - PIO_STATUS_BLOCK IoStatusBlock, - PFILE_SEGMENT_ELEMENT SegmentArray, - ULONG Length, - PLARGE_INTEGER ByteOffset OPTIONAL, - PULONG Key OPTIONAL -); - -NTSTATUS SCReadOnlyEnlistment( - HANDLE EnlistmentHandle, - PLARGE_INTEGER 
TmVirtualClock OPTIONAL -); - -NTSTATUS SCReadRequestData( - HANDLE PortHandle, - PPORT_MESSAGE Message, - ULONG DataEntryIndex, - PVOID Buffer, - SIZE_T BufferSize, - PSIZE_T NumberOfBytesRead OPTIONAL -); - -NTSTATUS SCReadVirtualMemory( - HANDLE ProcessHandle, - PVOID BaseAddress OPTIONAL, - PVOID Buffer, - SIZE_T NumberOfBytesToRead, - PSIZE_T NumberOfBytesRead OPTIONAL -); - -NTSTATUS SCReadVirtualMemoryEx( - HANDLE ProcessHandle, - PVOID BaseAddress OPTIONAL, - PVOID Buffer, - SIZE_T NumberOfBytesToRead, - PSIZE_T NumberOfBytesRead OPTIONAL, - ULONG Flags -); - -NTSTATUS SCRecoverEnlistment( - HANDLE EnlistmentHandle, - PVOID EnlistmentKey OPTIONAL -); - -NTSTATUS SCRecoverResourceManager( - HANDLE ResourceManagerHandle -); - -NTSTATUS SCRecoverTransactionManager( - HANDLE TransactionManagerHandle -); - -NTSTATUS SCRegisterProtocolAddressInformation( - HANDLE ResourceManager, - PCRM_PROTOCOL_ID ProtocolId, - ULONG ProtocolInformationSize, - PVOID ProtocolInformation, - ULONG CreateOptions -); - -NTSTATUS SCRegisterThreadTerminatePort( - HANDLE PortHandle -); - -NTSTATUS SCReleaseKeyedEvent( - HANDLE KeyedEventHandle OPTIONAL, - PVOID KeyValue, - BOOLEAN Alertable, - PLARGE_INTEGER Timeout OPTIONAL -); - -NTSTATUS SCReleaseMutant( - HANDLE MutantHandle, - PLONG PreviousCount OPTIONAL -); - -NTSTATUS SCReleaseSemaphore( - HANDLE SemaphoreHandle, - LONG ReleaseCount, - PLONG PreviousCount OPTIONAL -); - -NTSTATUS SCReleaseWorkerFactoryWorker( - HANDLE WorkerFactoryHandle -); - -NTSTATUS SCRemoveIoCompletion( - HANDLE IoCompletionHandle, - PVOID * KeyContext, - PVOID * ApcContext, - PIO_STATUS_BLOCK IoStatusBlock, - PLARGE_INTEGER Timeout OPTIONAL -); - -NTSTATUS SCRemoveIoCompletionEx( - HANDLE IoCompletionHandle, - PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, - ULONG Count, - PULONG NumEntriesRemoved, - PLARGE_INTEGER Timeout OPTIONAL, - BOOLEAN Alertable -); - -NTSTATUS SCRemoveProcessDebug( - HANDLE ProcessHandle, - HANDLE DebugObjectHandle -); - 
-NTSTATUS SCRenameKey( - HANDLE KeyHandle, - PUNICODE_STRING NewName -); - -NTSTATUS SCRenameTransactionManager( - PUNICODE_STRING LogFileName, - LPGUID ExistingTransactionManagerGuid -); - -NTSTATUS SCReplaceKey( - POBJECT_ATTRIBUTES NewFile, - HANDLE TargetHandle, - POBJECT_ATTRIBUTES OldFile -); - -NTSTATUS SCReplacePartitionUnit( - PUNICODE_STRING TargetInstancePath, - PUNICODE_STRING SpareInstancePath, - ULONG Flags -); - -NTSTATUS SCReplyPort( - HANDLE PortHandle, - PPORT_MESSAGE ReplyMessage -); - -NTSTATUS SCReplyWaitReceivePort( - HANDLE PortHandle, - PVOID * PortContext OPTIONAL, - PPORT_MESSAGE RequestMessage, - PPORT_MESSAGE ReplyMessage -); - -NTSTATUS SCReplyWaitReceivePortEx( - HANDLE PortHandle, - PVOID * PortContext OPTIONAL, - PPORT_MESSAGE RequestMessage, - PPORT_MESSAGE ReplyMessage, - PLARGE_INTEGER Timeout OPTIONAL -); - -NTSTATUS SCReplyWaitReplyPort( - HANDLE PortHandle, - PPORT_MESSAGE ReplyMessage -); - -NTSTATUS SCRequestPort( - HANDLE PortHandle, - PPORT_MESSAGE RequestMessage -); - -NTSTATUS SCRequestWaitReplyPort( - HANDLE PortHandle, - PPORT_MESSAGE RequestMessage, - PPORT_MESSAGE ReplyMessage -); - -NTSTATUS SCResetEvent( - HANDLE EventHandle, - PLONG PreviousState OPTIONAL -); - -NTSTATUS SCResetWriteWatch( - HANDLE ProcessHandle, - PVOID BaseAddress, - SIZE_T RegionSize -); - -NTSTATUS SCRestoreKey( - HANDLE KeyHandle, - HANDLE FileHandle, - ULONG Flags -); - -NTSTATUS SCResumeProcess( - HANDLE ProcessHandle -); - -NTSTATUS SCResumeThread( - HANDLE ThreadHandle, - PULONG PreviousSuspendCount -); - -NTSTATUS SCRevertContainerImpersonation(VOID); - -NTSTATUS SCRollbackComplete( - HANDLE EnlistmentHandle, - PLARGE_INTEGER TmVirtualClock OPTIONAL -); - -NTSTATUS SCRollbackEnlistment( - HANDLE EnlistmentHandle, - PLARGE_INTEGER TmVirtualClock OPTIONAL -); - -NTSTATUS SCRollbackRegistryTransaction( - HANDLE RegistryTransactionHandle, - ULONG Flags -); - -NTSTATUS SCRollbackTransaction( - HANDLE TransactionHandle, - BOOLEAN Wait -); - 
-NTSTATUS SCRollforwardTransactionManager( - HANDLE TransactionManagerHandle, - PLARGE_INTEGER TmVirtualClock OPTIONAL -); - -NTSTATUS SCSaveKey( - HANDLE KeyHandle, - HANDLE FileHandle -); - -NTSTATUS SCSaveKeyEx( - HANDLE KeyHandle, - HANDLE FileHandle, - ULONG Format -); - -NTSTATUS SCSaveMergedKeys( - HANDLE HighPrecedenceKeyHandle, - HANDLE LowPrecedenceKeyHandle, - HANDLE FileHandle -); - -NTSTATUS SCSecureConnectPort( - PHANDLE PortHandle, - PUNICODE_STRING PortName, - PSECURITY_QUALITY_OF_SERVICE SecurityQos, - PPORT_VIEW ClientView OPTIONAL, - PSID RequiredServerSid OPTIONAL, - PREMOTE_PORT_VIEW ServerView OPTIONAL, - PULONG MaxMessageLength OPTIONAL, - PVOID ConnectionInformation OPTIONAL, - PULONG ConnectionInformationLength OPTIONAL -); - -NTSTATUS SCSerializeBoot(VOID); - -NTSTATUS SCSetBootEntryOrder( - PULONG Ids, - ULONG Count -); - -NTSTATUS SCSetBootOptions( - PBOOT_OPTIONS BootOptions, - ULONG FieldsToChange -); - -NTSTATUS SCSetCachedSigningLevel( - ULONG Flags, - SE_SIGNING_LEVEL InputSigningLevel, - PHANDLE SourceFiles, - ULONG SourceFileCount, - HANDLE TargetFile OPTIONAL -); - -NTSTATUS SCSetCachedSigningLevel2( - ULONG Flags, - SE_SIGNING_LEVEL InputSigningLevel, - PHANDLE SourceFiles, - ULONG SourceFileCount, - HANDLE TargetFile OPTIONAL, - SE_SET_FILE_CACHE_INFORMATION * CacheInformation OPTIONAL -); - -NTSTATUS SCSetContextThread( - HANDLE ThreadHandle, - PCONTEXT ThreadContext -); - -NTSTATUS SCSetDebugFilterState( - ULONG ComponentId, - ULONG Level, - BOOLEAN State -); - -NTSTATUS SCSetDefaultHardErrorPort( - HANDLE DefaultHardErrorPort -); - -NTSTATUS SCSetDefaultLocale( - BOOLEAN UserProfile, - LCID DefaultLocaleId -); - -NTSTATUS SCSetDefaultUILanguage( - LANGID DefaultUILanguageId -); - -NTSTATUS SCSetDriverEntryOrder( - PULONG Ids, - ULONG Count -); - -NTSTATUS SCSetEaFile( - HANDLE FileHandle, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID Buffer, - ULONG Length -); - -NTSTATUS SCSetEvent( - HANDLE EventHandle, - PLONG PreviousState 
OPTIONAL -); - -NTSTATUS SCSetEventBoostPriority( - HANDLE EventHandle -); - -NTSTATUS SCSetHighEventPair( - HANDLE EventPairHandle -); - -NTSTATUS SCSetHighWaitLowEventPair( - HANDLE EventPairHandle -); - -NTSTATUS SCSetIRTimer( - HANDLE TimerHandle, - PLARGE_INTEGER DueTime OPTIONAL -); - -NTSTATUS SCSetInformationCpuPartition( - HANDLE CpuPartitionHandle, - ULONG CpuPartitionInformationClass, - PVOID CpuPartitionInformation, - ULONG CpuPartitionInformationLength, - PVOID Reserved1 OPTIONAL, - ULONG Reserved2 OPTIONAL, - ULONG Reserved3 OPTIONAL -); - -NTSTATUS SCSetInformationDebugObject( - HANDLE DebugObjectHandle, - DEBUGOBJECTINFOCLASS DebugObjectInformationClass, - PVOID DebugInformation, - ULONG DebugInformationLength, - PULONG ReturnLength OPTIONAL -); - -NTSTATUS SCSetInformationEnlistment( - HANDLE EnlistmentHandle OPTIONAL, - ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, - PVOID EnlistmentInformation, - ULONG EnlistmentInformationLength -); - -NTSTATUS SCSetInformationFile( - HANDLE FileHandle, - PIO_STATUS_BLOCK IoStatusBlock, - PVOID FileInformation, - ULONG Length, - FILE_INFORMATION_CLASS FileInformationClass -); - -NTSTATUS SCSetInformationIoRing( - HANDLE IoRingHandle, - ULONG IoRingInformationClass, - ULONG IoRingInformationLength, - PVOID IoRingInformation -); - -NTSTATUS SCSetInformationJobObject( - HANDLE JobHandle, - JOBOBJECTINFOCLASS JobObjectInformationClass, - PVOID JobObjectInformation, - ULONG JobObjectInformationLength -); - -NTSTATUS SCSetInformationKey( - HANDLE KeyHandle, - KEY_SET_INFORMATION_CLASS KeySetInformationClass, - PVOID KeySetInformation, - ULONG KeySetInformationLength -); - -NTSTATUS SCSetInformationObject( - HANDLE Handle, - OBJECT_INFORMATION_CLASS ObjectInformationClass, - PVOID ObjectInformation, - ULONG ObjectInformationLength -); - -NTSTATUS SCSetInformationProcess( - HANDLE ProcessHandle, - PROCESSINFOCLASS ProcessInformationClass, - PVOID ProcessInformation, - ULONG ProcessInformationLength -); - 
-NTSTATUS SCSetInformationResourceManager(
- HANDLE ResourceManagerHandle,
- RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
- PVOID ResourceManagerInformation,
- ULONG ResourceManagerInformationLength
-);
-
-NTSTATUS SCSetInformationSymbolicLink(
- HANDLE LinkHandle,
- SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass,
- PVOID SymbolicLinkInformation,
- ULONG SymbolicLinkInformationLength
-);
-
-NTSTATUS SCSetInformationThread(
- HANDLE ThreadHandle,
- THREADINFOCLASS ThreadInformationClass,
- PVOID ThreadInformation,
- ULONG ThreadInformationLength
-);
-
-NTSTATUS SCSetInformationToken(
- HANDLE TokenHandle,
- TOKEN_INFORMATION_CLASS TokenInformationClass,
- PVOID TokenInformation,
- ULONG TokenInformationLength
-);
-
-NTSTATUS SCSetInformationTransaction(
- HANDLE TransactionHandle,
- TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
- PVOID TransactionInformation,
- ULONG TransactionInformationLength
-);
-
-NTSTATUS SCSetInformationTransactionManager(
- HANDLE TmHandle OPTIONAL,
- TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
- PVOID TransactionManagerInformation,
- ULONG TransactionManagerInformationLength
-);
-
-NTSTATUS SCSetInformationVirtualMemory(
- HANDLE ProcessHandle,
- VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass,
- SIZE_T NumberOfEntries,
- PMEMORY_RANGE_ENTRY VirtualAddresses,
- PVOID VmInformation,
- ULONG VmInformationLength
-);
-
-NTSTATUS SCSetInformationWorkerFactory(
- HANDLE WorkerFactoryHandle,
- WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
- PVOID WorkerFactoryInformation,
- ULONG WorkerFactoryInformationLength
-);
-
-NTSTATUS SCSetIntervalProfile(
- ULONG Interval,
- KPROFILE_SOURCE Source
-);
-
-NTSTATUS SCSetIoCompletion(
- HANDLE IoCompletionHandle,
- PVOID KeyContext OPTIONAL,
- PVOID ApcContext OPTIONAL,
- NTSTATUS IoStatus,
- ULONG_PTR IoStatusInformation
-);
-
-NTSTATUS SCSetIoCompletionEx(
- HANDLE IoCompletionHandle,
- HANDLE IoCompletionPacketHandle,
- 
PVOID KeyContext OPTIONAL,
- PVOID ApcContext OPTIONAL,
- NTSTATUS IoStatus,
- ULONG_PTR IoStatusInformation
-);
-
-NTSTATUS SCSetLdtEntries(
- ULONG Selector0,
- ULONG Entry0Low,
- ULONG Entry0Hi,
- ULONG Selector1,
- ULONG Entry1Low,
- ULONG Entry1Hi
-);
-
-NTSTATUS SCSetLowEventPair(
- HANDLE EventPairHandle
-);
-
-NTSTATUS SCSetLowWaitHighEventPair(
- HANDLE EventPairHandle
-);
-
-NTSTATUS SCSetQuotaInformationFile(
- HANDLE FileHandle,
- PIO_STATUS_BLOCK IoStatusBlock,
- PVOID Buffer,
- ULONG Length
-);
-
-NTSTATUS SCSetSecurityObject(
- HANDLE Handle,
- SECURITY_INFORMATION SecurityInformation,
- PSECURITY_DESCRIPTOR SecurityDescriptor
-);
-
-NTSTATUS SCSetSystemEnvironmentValue(
- PCUNICODE_STRING VariableName,
- PCUNICODE_STRING VariableValue
-);
-
-NTSTATUS SCSetSystemEnvironmentValueEx(
- PCUNICODE_STRING VariableName,
- PCGUID VendorGuid,
- PVOID Buffer OPTIONAL,
- ULONG BufferLength,
- ULONG Attributes
-);
-
-NTSTATUS SCSetSystemInformation(
- SYSTEM_INFORMATION_CLASS SystemInformationClass,
- PVOID SystemInformation,
- ULONG SystemInformationLength
-);
-
-NTSTATUS SCSetSystemPowerState(
- POWER_ACTION SystemAction,
- SYSTEM_POWER_STATE LightestSystemState,
- ULONG Flags
-);
-
-NTSTATUS SCSetSystemTime(
- PLARGE_INTEGER SystemTime OPTIONAL,
- PLARGE_INTEGER PreviousTime OPTIONAL
-);
-
-NTSTATUS SCSetThreadExecutionState(
- EXECUTION_STATE NewFlags,
- EXECUTION_STATE * PreviousFlags
-);
-
-NTSTATUS SCSetTimer(
- HANDLE TimerHandle,
- PLARGE_INTEGER DueTime,
- PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL,
- PVOID TimerContext OPTIONAL,
- BOOLEAN ResumeTimer,
- LONG Period OPTIONAL,
- PBOOLEAN PreviousState OPTIONAL
-);
-
-NTSTATUS SCSetTimer2(
- HANDLE TimerHandle,
- PLARGE_INTEGER DueTime,
- PLARGE_INTEGER Period OPTIONAL,
- PT2_SET_PARAMETERS Parameters
-);
-
-NTSTATUS SCSetTimerEx(
- HANDLE TimerHandle,
- TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,
- PVOID TimerSetInformation,
- ULONG TimerSetInformationLength
-);
-
-NTSTATUS 
SCSetTimerResolution(
- ULONG DesiredTime,
- BOOLEAN SetResolution,
- PULONG ActualTime
-);
-
-NTSTATUS SCSetUuidSeed(
- PCHAR Seed
-);
-
-NTSTATUS SCSetValueKey(
- HANDLE KeyHandle,
- PUNICODE_STRING ValueName,
- ULONG TitleIndex OPTIONAL,
- ULONG Type,
- PVOID Data OPTIONAL,
- ULONG DataSize
-);
-
-NTSTATUS SCSetVolumeInformationFile(
- HANDLE FileHandle,
- PIO_STATUS_BLOCK IoStatusBlock,
- PVOID FsInformation,
- ULONG Length,
- SYSK_FSINFOCLASS FsInformationClass
-);
-
-NTSTATUS SCSetWnfProcessNotificationEvent(
- HANDLE NotificationEvent
-);
-
-NTSTATUS SCShutdownSystem(
- SHUTDOWN_ACTION Action
-);
-
-NTSTATUS SCShutdownWorkerFactory(
- HANDLE WorkerFactoryHandle,
- volatile LONG * PendingWorkerCount
-);
-
-NTSTATUS SCSignalAndWaitForSingleObject(
- HANDLE SignalHandle,
- HANDLE WaitHandle,
- BOOLEAN Alertable,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS SCSinglePhaseReject(
- HANDLE EnlistmentHandle,
- PLARGE_INTEGER TmVirtualClock OPTIONAL
-);
-
-NTSTATUS SCStartProfile(
- HANDLE ProfileHandle
-);
-
-NTSTATUS SCStopProfile(
- HANDLE ProfileHandle
-);
-
-NTSTATUS SCSubmitIoRing(
- HANDLE IoRingHandle,
- ULONG Flags,
- ULONG WaitOperations OPTIONAL,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS SCSubscribeWnfStateChange(
- PCWNF_STATE_NAME StateName,
- WNF_CHANGE_STAMP ChangeStamp OPTIONAL,
- ULONG EventMask,
- PULONG64 SubscriptionId OPTIONAL
-);
-
-NTSTATUS SCSuspendProcess(
- HANDLE ProcessHandle
-);
-
-NTSTATUS SCSuspendThread(
- HANDLE ThreadHandle,
- PULONG PreviousSuspendCount
-);
-
-NTSTATUS SCSystemDebugControl(
- SYSDBG_COMMAND Command,
- PVOID InputBuffer OPTIONAL,
- ULONG InputBufferLength,
- PVOID OutputBuffer OPTIONAL,
- ULONG OutputBufferLength,
- PULONG ReturnLength OPTIONAL
-);
-
-NTSTATUS SCTerminateEnclave(
- PVOID BaseAddress,
- ULONG Flags
-);
-
-NTSTATUS SCTerminateJobObject(
- HANDLE JobHandle,
- NTSTATUS ExitStatus
-);
-
-NTSTATUS SCTerminateProcess(
- HANDLE ProcessHandle OPTIONAL,
- NTSTATUS ExitStatus
-);
-
-NTSTATUS 
SCTerminateThread(
- HANDLE ThreadHandle OPTIONAL,
- NTSTATUS ExitStatus
-);
-
-NTSTATUS SCTestAlert(VOID);
-
-NTSTATUS SCThawRegistry(VOID);
-
-NTSTATUS SCThawTransactions(VOID);
-
-NTSTATUS SCTraceControl(
- ETWTRACECONTROLCODE FunctionCode,
- PVOID InputBuffer OPTIONAL,
- ULONG InputBufferLength,
- PVOID OutputBuffer OPTIONAL,
- ULONG OutputBufferLength,
- PULONG ReturnLength OPTIONAL
-);
-
-NTSTATUS SCTraceEvent(
- HANDLE TraceHandle,
- ULONG Flags,
- ULONG FieldSize,
- PVOID Fields
-);
-
-NTSTATUS SCTranslateFilePath(
- PFILE_PATH InputFilePath,
- ULONG OutputType,
- PFILE_PATH OutputFilePath,
- PULONG OutputFilePathLength OPTIONAL
-);
-
-NTSTATUS SCUmsThreadYield(
- PVOID SchedulerParam
-);
-
-NTSTATUS SCUnloadDriver(
- PUNICODE_STRING DriverServiceName
-);
-
-NTSTATUS SCUnloadKey(
- POBJECT_ATTRIBUTES TargetKey
-);
-
-NTSTATUS SCUnloadKey2(
- POBJECT_ATTRIBUTES TargetKey,
- ULONG Flags
-);
-
-NTSTATUS SCUnloadKeyEx(
- POBJECT_ATTRIBUTES TargetKey,
- HANDLE Event OPTIONAL
-);
-
-NTSTATUS SCUnlockFile(
- HANDLE FileHandle,
- PIO_STATUS_BLOCK IoStatusBlock,
- PLARGE_INTEGER ByteOffset,
- PLARGE_INTEGER Length,
- ULONG Key
-);
-
-NTSTATUS SCUnlockVirtualMemory(
- HANDLE ProcessHandle,
- PVOID * BaseAddress,
- PSIZE_T RegionSize,
- ULONG MapType
-);
-
-NTSTATUS SCUnsubscribeWnfStateChange(
- PCWNF_STATE_NAME StateName
-);
-
-NTSTATUS SCUnmapViewOfSection(
- HANDLE ProcessHandle,
- PVOID BaseAddress OPTIONAL
-);
-
-NTSTATUS SCUnmapViewOfSectionEx(
- HANDLE ProcessHandle,
- PVOID BaseAddress OPTIONAL,
- ULONG Flags
-);
-
-NTSTATUS SCUpdateWnfStateData(
- PCWNF_STATE_NAME StateName,
- const VOID * Buffer OPTIONAL,
- ULONG Length OPTIONAL,
- PCWNF_TYPE_ID TypeId OPTIONAL,
- const VOID * ExplicitScope OPTIONAL,
- WNF_CHANGE_STAMP MatchingChangeStamp,
- LOGICAL CheckStamp
-);
-
-NTSTATUS SCVdmControl(
- VDMSERVICECLASS Service,
- PVOID ServiceData
-);
-
-NTSTATUS SCWaitForAlertByThreadId(
- PVOID Address OPTIONAL,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS 
SCWaitForDebugEvent(
- HANDLE DebugObjectHandle,
- BOOLEAN Alertable,
- PLARGE_INTEGER Timeout OPTIONAL,
- PDBGUI_WAIT_STATE_CHANGE WaitStateChange
-);
-
-NTSTATUS SCWaitForKeyedEvent(
- HANDLE KeyedEventHandle OPTIONAL,
- PVOID KeyValue,
- BOOLEAN Alertable,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS SCWaitForMultipleObjects(
- ULONG Count,
- HANDLE Handles[],
- WAIT_TYPE WaitType,
- BOOLEAN Alertable,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS SCWaitForMultipleObjects32(
- ULONG Count,
- LONG Handles[],
- WAIT_TYPE WaitType,
- BOOLEAN Alertable,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS SCWaitForSingleObject(
- HANDLE Handle,
- BOOLEAN Alertable,
- PLARGE_INTEGER Timeout OPTIONAL
-);
-
-NTSTATUS SCWaitForWorkViaWorkerFactory(
- HANDLE WorkerFactoryHandle,
- PFILE_IO_COMPLETION_INFORMATION MiniPackets,
- ULONG Count,
- PULONG PacketsReturned,
- PWORKER_FACTORY_DEFERRED_WORK DeferredWork
-);
-
-NTSTATUS SCWaitHighEventPair(
- HANDLE EventPairHandle
-);
-
-NTSTATUS SCWaitLowEventPair(
- HANDLE EventPairHandle
-);
-
-NTSTATUS SCWorkerFactoryWorkerReady(
- HANDLE WorkerFactoryHandle
-);
-
-NTSTATUS SCWriteFile(
- HANDLE FileHandle,
- HANDLE Event OPTIONAL,
- PIO_APC_ROUTINE ApcRoutine OPTIONAL,
- PVOID ApcContext OPTIONAL,
- PIO_STATUS_BLOCK IoStatusBlock,
- PVOID Buffer,
- ULONG Length,
- PLARGE_INTEGER ByteOffset OPTIONAL,
- PULONG Key OPTIONAL
-);
-
-NTSTATUS SCWriteFileGather(
- HANDLE FileHandle,
- HANDLE Event OPTIONAL,
- PIO_APC_ROUTINE ApcRoutine OPTIONAL,
- PVOID ApcContext OPTIONAL,
- PIO_STATUS_BLOCK IoStatusBlock,
- PFILE_SEGMENT_ELEMENT SegmentArray,
- ULONG Length,
- PLARGE_INTEGER ByteOffset OPTIONAL,
- PULONG Key OPTIONAL
-);
-
-NTSTATUS SCWriteRequestData(
- HANDLE PortHandle,
- PPORT_MESSAGE Message,
- ULONG DataEntryIndex,
- PVOID Buffer,
- SIZE_T BufferSize,
- PSIZE_T NumberOfBytesWritten OPTIONAL
-);
-
-NTSTATUS SCWriteVirtualMemory(
- HANDLE ProcessHandle,
- PVOID BaseAddress,
- PVOID Buffer,
- SIZE_T NumberOfBytesToWrite,
- 
PSIZE_T NumberOfBytesWritten
-);
-
-NTSTATUS SCYieldExecution(VOID);
-
-#ifdef __cplusplus
-}
-#endif
-
+#pragma once
+#include
+#include
+#include
+#include
+
+#ifdef _WIN64 /* only compile on 64bit systems */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+NTSTATUS SCAcceptConnectPort(
+ PHANDLE PortHandle,
+ PVOID PortContext OPTIONAL,
+ PPORT_MESSAGE ConnectionRequest,
+ BOOLEAN AcceptConnection,
+ PPORT_VIEW ServerView OPTIONAL,
+ PREMOTE_PORT_VIEW ClientView OPTIONAL
+);
+
+NTSTATUS SCAccessCheck(
+ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ HANDLE ClientToken,
+ ACCESS_MASK DesiredAccess,
+ PGENERIC_MAPPING GenericMapping,
+ PPRIVILEGE_SET PrivilegeSet,
+ PULONG PrivilegeSetLength,
+ PACCESS_MASK GrantedAccess,
+ PNTSTATUS AccessStatus
+);
+
+NTSTATUS SCAccessCheckAndAuditAlarm(
+ PUNICODE_STRING SubsystemName,
+ PVOID HandleId OPTIONAL,
+ PUNICODE_STRING ObjectTypeName,
+ PUNICODE_STRING ObjectName,
+ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ ACCESS_MASK DesiredAccess,
+ PGENERIC_MAPPING GenericMapping,
+ BOOLEAN ObjectCreation,
+ PACCESS_MASK GrantedAccess,
+ PNTSTATUS AccessStatus,
+ PBOOLEAN GenerateOnClose
+);
+
+NTSTATUS SCAccessCheckByType(
+ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ PSID PrincipalSelfSid OPTIONAL,
+ HANDLE ClientToken,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_TYPE_LIST ObjectTypeList,
+ ULONG ObjectTypeListLength,
+ PGENERIC_MAPPING GenericMapping,
+ PPRIVILEGE_SET PrivilegeSet,
+ PULONG PrivilegeSetLength,
+ PACCESS_MASK GrantedAccess,
+ PNTSTATUS AccessStatus
+);
+
+NTSTATUS SCAccessCheckByTypeAndAuditAlarm(
+ PUNICODE_STRING SubsystemName,
+ PVOID HandleId OPTIONAL,
+ PUNICODE_STRING ObjectTypeName,
+ PUNICODE_STRING ObjectName,
+ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ PSID PrincipalSelfSid OPTIONAL,
+ ACCESS_MASK DesiredAccess,
+ AUDIT_EVENT_TYPE AuditType,
+ ULONG Flags,
+ POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
+ ULONG ObjectTypeListLength,
+ PGENERIC_MAPPING GenericMapping,
+ BOOLEAN ObjectCreation,
+ PACCESS_MASK 
GrantedAccess,
+ PNTSTATUS AccessStatus,
+ PBOOLEAN GenerateOnClose
+);
+
+NTSTATUS SCAccessCheckByTypeResultList(
+ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ PSID PrincipalSelfSid OPTIONAL,
+ HANDLE ClientToken,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_TYPE_LIST ObjectTypeList,
+ ULONG ObjectTypeListLength,
+ PGENERIC_MAPPING GenericMapping,
+ PPRIVILEGE_SET PrivilegeSet,
+ PULONG PrivilegeSetLength,
+ PACCESS_MASK GrantedAccess,
+ PNTSTATUS AccessStatus
+);
+
+NTSTATUS SCAccessCheckByTypeResultListAndAuditAlarm(
+ PUNICODE_STRING SubsystemName,
+ PVOID HandleId OPTIONAL,
+ PUNICODE_STRING ObjectTypeName,
+ PUNICODE_STRING ObjectName,
+ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ PSID PrincipalSelfSid OPTIONAL,
+ ACCESS_MASK DesiredAccess,
+ AUDIT_EVENT_TYPE AuditType,
+ ULONG Flags,
+ POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
+ ULONG ObjectTypeListLength,
+ PGENERIC_MAPPING GenericMapping,
+ BOOLEAN ObjectCreation,
+ PACCESS_MASK GrantedAccess,
+ PNTSTATUS AccessStatus,
+ PBOOLEAN GenerateOnClose
+);
+
+NTSTATUS SCAccessCheckByTypeResultListAndAuditAlarmByHandle(
+ PUNICODE_STRING SubsystemName,
+ PVOID HandleId OPTIONAL,
+ PUNICODE_STRING ObjectTypeName,
+ PUNICODE_STRING ObjectName,
+ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ PSID PrincipalSelfSid OPTIONAL,
+ HANDLE ClientToken,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_TYPE_LIST ObjectTypeList,
+ ULONG ObjectTypeListLength,
+ PGENERIC_MAPPING GenericMapping,
+ BOOLEAN ObjectCreation,
+ PACCESS_MASK GrantedAccess,
+ PNTSTATUS AccessStatus,
+ PBOOLEAN GenerateOnClose,
+ AUDIT_EVENT_HANDLE AuditHandle OPTIONAL
+);
+
+NTSTATUS SCAcquireCrossVmMutant(
+ HANDLE CrossVmMutant,
+ PLARGE_INTEGER Timeout
+);
+
+NTSTATUS SCAcquireProcessActivityReference(
+ PHANDLE ActivityReferenceHandle,
+ HANDLE ParentProcessHandle,
+ PROCESS_ACTIVITY_TYPE Reserved
+);
+
+NTSTATUS SCAddAtom(
+ PCWSTR AtomName OPTIONAL,
+ ULONG Length,
+ PRTL_ATOM Atom OPTIONAL
+);
+
+NTSTATUS SCAddAtomEx(
+ PCWSTR AtomName OPTIONAL,
+ ULONG Length,
+ 
PRTL_ATOM Atom OPTIONAL,
+ ULONG Flags
+);
+
+NTSTATUS SCAddBootEntry(
+ PBOOT_ENTRY BootEntry,
+ PULONG Id OPTIONAL
+);
+
+NTSTATUS SCAddDriverEntry(
+ PEFI_DRIVER_ENTRY DriverEntry,
+ PULONG Id OPTIONAL
+);
+
+NTSTATUS SCAdjustGroupsToken(
+ HANDLE TokenHandle,
+ BOOLEAN ResetToDefault,
+ PTOKEN_GROUPS NewState OPTIONAL,
+ ULONG BufferLength OPTIONAL,
+ PTOKEN_GROUPS PreviousState OPTIONAL,
+ PULONG ReturnLength OPTIONAL
+);
+
+NTSTATUS SCAdjustPrivilegesToken(
+ HANDLE TokenHandle,
+ BOOLEAN DisableAllPrivileges,
+ PTOKEN_PRIVILEGES NewState OPTIONAL,
+ ULONG BufferLength,
+ PTOKEN_PRIVILEGES PreviousState OPTIONAL,
+ PULONG ReturnLength OPTIONAL
+);
+
+NTSTATUS SCAdjustTokenClaimsAndDeviceGroups(
+ HANDLE TokenHandle,
+ BOOLEAN UserResetToDefault,
+ BOOLEAN DeviceResetToDefault,
+ BOOLEAN DeviceGroupsResetToDefault,
+ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL,
+ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL,
+ PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL,
+ ULONG UserBufferLength,
+ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL,
+ ULONG DeviceBufferLength,
+ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL,
+ ULONG DeviceGroupsBufferLength,
+ PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL,
+ PULONG UserReturnLength OPTIONAL,
+ PULONG DeviceReturnLength OPTIONAL,
+ PULONG DeviceGroupsReturnBufferLength OPTIONAL
+);
+
+NTSTATUS SCAlertResumeThread(
+ HANDLE ThreadHandle,
+ PULONG PreviousSuspendCount OPTIONAL
+);
+
+NTSTATUS SCAlertThread(
+ HANDLE ThreadHandle
+);
+
+NTSTATUS SCAlertThreadByThreadId(
+ HANDLE ThreadId
+);
+
+NTSTATUS SCAllocateLocallyUniqueId(
+ PLUID Luid
+);
+
+NTSTATUS SCAllocateReserveObject(
+ PHANDLE MemoryReserveHandle,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ MEMORY_RESERVE_TYPE Type
+);
+
+NTSTATUS SCAllocateUserPhysicalPages(
+ HANDLE ProcessHandle,
+ PSIZE_T NumberOfPages,
+ PULONG_PTR UserPfnArray
+);
+
+NTSTATUS SCAllocateUserPhysicalPagesEx(
+ HANDLE 
ProcessHandle,
+ PULONG_PTR NumberOfPages,
+ PULONG_PTR UserPfnArray,
+ PMEM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL,
+ ULONG ExtendedParameterCount
+);
+
+NTSTATUS SCAllocateUuids(
+ PULARGE_INTEGER Time,
+ PULONG Range,
+ PULONG Sequence,
+ PCHAR Seed
+);
+
+NTSTATUS SCAllocateVirtualMemory(
+ HANDLE ProcessHandle,
+ PVOID* BaseAddress,
+ ULONG_PTR ZeroBits,
+ PSIZE_T RegionSize,
+ ULONG AllocationType,
+ ULONG PageProtection
+);
+
+NTSTATUS SCAllocateVirtualMemoryEx(
+ HANDLE ProcessHandle,
+ PVOID* BaseAddress,
+ PSIZE_T RegionSize,
+ ULONG AllocationType,
+ ULONG PageProtection,
+ PMEM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL,
+ ULONG ExtendedParameterCount
+);
+
+NTSTATUS SCAlpcAcceptConnectPort(
+ PHANDLE PortHandle,
+ HANDLE ConnectionPortHandle,
+ ULONG Flags,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,
+ PVOID PortContext OPTIONAL,
+ PPORT_MESSAGE ConnectionRequest,
+ PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL,
+ BOOLEAN AcceptConnection
+);
+
+NTSTATUS SCAlpcCancelMessage(
+ HANDLE PortHandle,
+ ULONG Flags,
+ PALPC_CONTEXT_ATTR MessageContext
+);
+
+NTSTATUS SCAlpcConnectPort(
+ PHANDLE PortHandle,
+ PUNICODE_STRING PortName,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,
+ ULONG Flags,
+ PSID RequiredServerSid OPTIONAL,
+ PPORT_MESSAGE ConnectionMessage,
+ PSIZE_T BufferLength OPTIONAL,
+ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL,
+ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCAlpcConnectPortEx(
+ PHANDLE PortHandle,
+ POBJECT_ATTRIBUTES ConnectionPortObjectAttributes,
+ POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL,
+ PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,
+ ULONG Flags,
+ PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL,
+ PPORT_MESSAGE ConnectionMessage,
+ PSIZE_T BufferLength OPTIONAL,
+ PALPC_MESSAGE_ATTRIBUTES 
OutMessageAttributes OPTIONAL,
+ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCAlpcCreatePort(
+ PHANDLE PortHandle,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL
+);
+
+NTSTATUS SCAlpcCreatePortSection(
+ HANDLE PortHandle,
+ ULONG Flags,
+ HANDLE SectionHandle OPTIONAL,
+ SIZE_T SectionSize,
+ PALPC_HANDLE AlpcSectionHandle,
+ PSIZE_T ActualSectionSize
+);
+
+NTSTATUS SCAlpcCreateResourceReserve(
+ HANDLE PortHandle,
+ ULONG Flags,
+ SIZE_T MessageSize,
+ PALPC_HANDLE ResourceId
+);
+
+NTSTATUS SCAlpcCreateSectionView(
+ HANDLE PortHandle,
+ ULONG Flags,
+ PALPC_DATA_VIEW_ATTR ViewAttributes
+);
+
+NTSTATUS SCAlpcCreateSecurityContext(
+ HANDLE PortHandle,
+ ULONG Flags,
+ PALPC_SECURITY_ATTR SecurityAttribute
+);
+
+NTSTATUS SCAlpcDeletePortSection(
+ HANDLE PortHandle,
+ ULONG Flags,
+ ALPC_HANDLE SectionHandle
+);
+
+NTSTATUS SCAlpcDeleteResourceReserve(
+ HANDLE PortHandle,
+ ULONG Flags,
+ ALPC_HANDLE ResourceId
+);
+
+NTSTATUS SCAlpcDeleteSectionView(
+ HANDLE PortHandle,
+ ULONG Flags,
+ PVOID ViewBase
+);
+
+NTSTATUS SCAlpcDeleteSecurityContext(
+ HANDLE PortHandle,
+ ULONG Flags,
+ ALPC_HANDLE ContextHandle
+);
+
+NTSTATUS SCAlpcDisconnectPort(
+ HANDLE PortHandle,
+ ULONG Flags
+);
+
+NTSTATUS SCAlpcImpersonateClientContainerOfPort(
+ HANDLE PortHandle,
+ PPORT_MESSAGE Message,
+ ULONG Flags
+);
+
+NTSTATUS SCAlpcImpersonateClientOfPort(
+ HANDLE PortHandle,
+ PPORT_MESSAGE Message,
+ PVOID Flags
+);
+
+NTSTATUS SCAlpcOpenSenderProcess(
+ PHANDLE ProcessHandle,
+ HANDLE PortHandle,
+ PPORT_MESSAGE PortMessage,
+ ULONG Flags,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSTATUS SCAlpcOpenSenderThread(
+ PHANDLE ThreadHandle,
+ HANDLE PortHandle,
+ PPORT_MESSAGE PortMessage,
+ ULONG Flags,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSTATUS SCAlpcQueryInformation(
+ HANDLE PortHandle 
OPTIONAL,
+ ALPC_PORT_INFORMATION_CLASS PortInformationClass,
+ PVOID PortInformation,
+ ULONG Length,
+ PULONG ReturnLength OPTIONAL
+);
+
+NTSTATUS SCAlpcQueryInformationMessage(
+ HANDLE PortHandle,
+ PPORT_MESSAGE PortMessage,
+ ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass,
+ PVOID MessageInformation,
+ ULONG Length,
+ PULONG ReturnLength OPTIONAL
+);
+
+NTSTATUS SCAlpcRevokeSecurityContext(
+ HANDLE PortHandle,
+ ULONG Flags,
+ ALPC_HANDLE ContextHandle
+);
+
+NTSTATUS SCAlpcSendWaitReceivePort(
+ HANDLE PortHandle,
+ ULONG Flags,
+ PPORT_MESSAGE SendMessage OPTIONAL,
+ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL,
+ PPORT_MESSAGE ReceiveMessage OPTIONAL,
+ PSIZE_T BufferLength OPTIONAL,
+ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCAlpcSetInformation(
+ HANDLE PortHandle,
+ ALPC_PORT_INFORMATION_CLASS PortInformationClass,
+ PVOID PortInformation OPTIONAL,
+ ULONG Length
+);
+
+NTSTATUS SCApphelpCacheControl(
+ ULONG Command,
+ PVOID Buffer OPTIONAL,
+ ULONG BufferSize
+);
+
+NTSTATUS SCAreMappedFilesTheSame(
+ PVOID File1MappedAsAnImage,
+ PVOID File2MappedAsFile
+);
+
+NTSTATUS SCAssignProcessToJobObject(
+ HANDLE JobHandle,
+ HANDLE ProcessHandle
+);
+
+NTSTATUS SCAssociateWaitCompletionPacket(
+ HANDLE WaitCompletionPacketHandle,
+ HANDLE IoCompletionHandle,
+ HANDLE TargetObjectHandle,
+ PVOID KeyContext OPTIONAL,
+ PVOID ApcContext OPTIONAL,
+ NTSTATUS IoStatus,
+ ULONG_PTR IoStatusInformation,
+ PBOOLEAN AlreadySignaled OPTIONAL
+);
+
+NTSTATUS SCCallEnclave(
+ PENCLAVE_ROUTINE Routine,
+ PVOID Reserved,
+ ULONG Flags,
+ PVOID* RoutineParamReturn
+);
+
+NTSTATUS SCCallbackReturn(
+ PVOID OutputBuffer OPTIONAL,
+ ULONG OutputLength,
+ NTSTATUS Status
+);
+
+NTSTATUS SCCancelIoFile(
+ HANDLE FileHandle,
+ PIO_STATUS_BLOCK IoStatusBlock
+);
+
+NTSTATUS SCCancelIoFileEx(
+ HANDLE FileHandle,
+ PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL,
+ PIO_STATUS_BLOCK 
IoStatusBlock
+);
+
+NTSTATUS SCCancelSynchronousIoFile(
+ HANDLE ThreadHandle,
+ PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL,
+ PIO_STATUS_BLOCK IoStatusBlock
+);
+
+NTSTATUS SCCancelTimer(
+ HANDLE TimerHandle,
+ PBOOLEAN CurrentState OPTIONAL
+);
+
+NTSTATUS SCCancelTimer2(
+ HANDLE TimerHandle,
+ PT2_CANCEL_PARAMETERS Parameters
+);
+
+NTSTATUS SCCancelWaitCompletionPacket(
+ HANDLE WaitCompletionPacketHandle,
+ BOOLEAN RemoveSignaledPacket
+);
+
+NTSTATUS SCChangeProcessState(
+ HANDLE ProcessStateChangeHandle,
+ HANDLE ProcessHandle,
+ PROCESS_STATE_CHANGE_TYPE StateChangeType,
+ PVOID ExtendedInformation OPTIONAL,
+ SIZE_T ExtendedInformationLength OPTIONAL,
+ ULONG64 Reserved OPTIONAL
+);
+
+NTSTATUS SCChangeThreadState(
+ HANDLE ThreadStateChangeHandle,
+ HANDLE ThreadHandle,
+ THREAD_STATE_CHANGE_TYPE StateChangeType,
+ PVOID ExtendedInformation OPTIONAL,
+ SIZE_T ExtendedInformationLength OPTIONAL,
+ ULONG64 Reserved OPTIONAL
+);
+
+NTSTATUS SCClearEvent(
+ HANDLE EventHandle
+);
+
+NTSTATUS SCClose(
+ HANDLE Handle
+);
+
+NTSTATUS SCCloseObjectAuditAlarm(
+ PUNICODE_STRING SubsystemName,
+ PVOID HandleId OPTIONAL,
+ BOOLEAN GenerateOnClose
+);
+
+NTSTATUS SCCommitComplete(
+ HANDLE EnlistmentHandle,
+ PLARGE_INTEGER TmVirtualClock OPTIONAL
+);
+
+NTSTATUS SCCommitEnlistment(
+ HANDLE EnlistmentHandle,
+ PLARGE_INTEGER TmVirtualClock OPTIONAL
+);
+
+NTSTATUS SCCommitRegistryTransaction(
+ HANDLE RegistryTransactionHandle,
+ ULONG Flags /* reserved */
+);
+
+NTSTATUS SCCommitTransaction(
+ HANDLE TransactionHandle,
+ BOOLEAN Wait
+);
+
+NTSTATUS SCCompactKeys(
+ ULONG Count,
+ HANDLE KeyArray[]
+);
+
+NTSTATUS SCCompareObjects(
+ HANDLE FirstObjectHandle,
+ HANDLE SecondObjectHandle
+);
+
+NTSTATUS SCCompareSigningLevels(
+ SE_SIGNING_LEVEL FirstSigningLevel,
+ SE_SIGNING_LEVEL SecondSigningLevel
+);
+
+NTSTATUS SCCompareTokens(
+ HANDLE FirstTokenHandle,
+ HANDLE SecondTokenHandle,
+ PBOOLEAN Equal
+);
+
+NTSTATUS SCCompleteConnectPort(
+ HANDLE 
PortHandle
+);
+
+NTSTATUS SCCompressKey(
+ HANDLE KeyHandle
+);
+
+NTSTATUS SCConnectPort(
+ PHANDLE PortHandle,
+ PUNICODE_STRING PortName,
+ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+ PPORT_VIEW ClientView OPTIONAL,
+ PREMOTE_PORT_VIEW ServerView OPTIONAL,
+ PULONG MaxMessageLength OPTIONAL,
+ PVOID ConnectionInformation OPTIONAL,
+ PULONG ConnectionInformationLength OPTIONAL
+);
+
+NTSTATUS SCContinue(
+ PCONTEXT ContextRecord,
+ BOOLEAN TestAlert
+);
+
+NTSTATUS SCContinueEx(
+ PCONTEXT ContextRecord,
+ PVOID ContinueArgument /* can be PKCONTINUE_ARGUMENT or BOOLEAN */
+);
+
+NTSTATUS SCConvertBetweenAuxiliaryCounterAndPerformanceCounter(
+ BOOLEAN ConvertAuxiliaryToPerformanceCounter,
+ PULONG64 PerformanceOrAuxiliaryCounterValue,
+ PULONG64 ConvertedValue,
+ PULONG64 ConversionError OPTIONAL
+);
+
+NTSTATUS SCCopyFileChunk(
+ HANDLE SourceHandle,
+ HANDLE DestinationHandle,
+ HANDLE EventHandle OPTIONAL,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ ULONG Length,
+ PLARGE_INTEGER SourceOffset,
+ PLARGE_INTEGER DestOffset,
+ PULONG SourceKey OPTIONAL,
+ PULONG DestKey OPTIONAL,
+ ULONG Flags
+);
+
+NTSTATUS SCCreateCpuPartition(
+ PHANDLE CpuPartitionHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
+);
+
+NTSTATUS SCCreateCrossVmEvent(
+ PHANDLE CrossVmEvent,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG CrossVmEventFlags,
+ LPCGUID VMID,
+ LPCGUID ServiceID
+);
+
+NTSTATUS SCCreateCrossVmMutant(
+ PHANDLE EventHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG CrossVmEventFlags,
+ LPCGUID VMID,
+ LPCGUID ServiceID
+);
+
+NTSTATUS SCCreateDebugObject(
+ PHANDLE DebugObjectHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG Flags
+);
+
+NTSTATUS SCCreateDirectoryObject(
+ PHANDLE DirectoryHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSTATUS SCCreateDirectoryObjectEx(
+ PHANDLE 
DirectoryHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ HANDLE ShadowDirectoryHandle,
+ ULONG Flags
+);
+
+NTSTATUS SCCreateEnclave(
+ HANDLE ProcessHandle,
+ PVOID* BaseAddress,
+ ULONG_PTR ZeroBits,
+ SIZE_T Size,
+ SIZE_T InitialCommitment,
+ ULONG EnclaveType,
+ PVOID EnclaveInformation,
+ ULONG EnclaveInformationLength,
+ PULONG EnclaveError OPTIONAL
+);
+
+NTSTATUS SCCreateEnlistment(
+ PHANDLE EnlistmentHandle,
+ ACCESS_MASK DesiredAccess,
+ HANDLE ResourceManagerHandle,
+ HANDLE TransactionHandle,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG CreateOptions OPTIONAL,
+ NOTIFICATION_MASK NotificationMask,
+ PVOID EnlistmentKey OPTIONAL
+);
+
+NTSTATUS SCCreateEvent(
+ PHANDLE EventHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ EVENT_TYPE EventType,
+ BOOLEAN InitialState
+);
+
+NTSTATUS SCCreateEventPair(
+ PHANDLE EventPairHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
+);
+
+NTSTATUS SCCreateFile(
+ PHANDLE FileHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PLARGE_INTEGER AllocationSize OPTIONAL,
+ ULONG FileAttributes,
+ ULONG ShareAccess,
+ ULONG CreateDisposition,
+ ULONG CreateOptions,
+ PVOID EaBuffer OPTIONAL,
+ ULONG EaLength
+);
+
+NTSTATUS SCCreateIRTimer(
+ PHANDLE TimerHandle,
+ PVOID Reserved,
+ ACCESS_MASK DesiredAccess
+);
+
+NTSTATUS SCCreateIoCompletion(
+ PHANDLE IoCompletionHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG NumberOfConcurrentThreads OPTIONAL
+);
+
+NTSTATUS SCCreateIoRing(
+ PHANDLE IoRingHandle,
+ ULONG CreateParametersLength,
+ PVOID CreateParameters,
+ ULONG OutputParametersLength,
+ PVOID OutputParameters
+);
+
+NTSTATUS SCCreateJobObject(
+ PHANDLE JobHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
+);
+
+NTSTATUS SCCreateJobSet(
+ ULONG NumJob,
+ PJOB_SET_ARRAY 
UserJobSet,
+ ULONG Flags
+);
+
+NTSTATUS SCCreateKey(
+ PHANDLE KeyHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ ULONG TitleIndex,
+ PUNICODE_STRING Class OPTIONAL,
+ ULONG CreateOptions,
+ PULONG Disposition OPTIONAL
+);
+
+NTSTATUS SCCreateKeyTransacted(
+ PHANDLE KeyHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ ULONG TitleIndex,
+ PUNICODE_STRING Class OPTIONAL,
+ ULONG CreateOptions,
+ HANDLE TransactionHandle,
+ PULONG Disposition OPTIONAL
+);
+
+NTSTATUS SCCreateKeyedEvent(
+ PHANDLE KeyedEventHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG Flags
+);
+
+NTSTATUS SCCreateLowBoxToken(
+ PHANDLE TokenHandle,
+ HANDLE ExistingTokenHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ PSID PackageSid,
+ ULONG CapabilityCount,
+ PSID_AND_ATTRIBUTES Capabilities OPTIONAL,
+ ULONG HandleCount,
+ HANDLE* Handles OPTIONAL
+);
+
+NTSTATUS SCCreateMailslotFile(
+ PHANDLE FileHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ ULONG CreateOptions,
+ ULONG MailslotQuota,
+ ULONG MaximumMessageSize,
+ PLARGE_INTEGER ReadTimeout
+);
+
+NTSTATUS SCCreateMutant(
+ PHANDLE MutantHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ BOOLEAN InitialOwner
+);
+
+NTSTATUS SCCreateNamedPipeFile(
+ PHANDLE FileHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ ULONG ShareAccess,
+ ULONG CreateDisposition,
+ ULONG CreateOptions,
+ ULONG NamedPipeType,
+ ULONG ReadMode,
+ ULONG CompletionMode,
+ ULONG MaximumInstances,
+ ULONG InboundQuota,
+ ULONG OutboundQuota,
+ PLARGE_INTEGER DefaultTimeout
+);
+
+NTSTATUS SCCreatePagingFile(
+ PUNICODE_STRING PageFileName,
+ PLARGE_INTEGER MinimumSize,
+ PLARGE_INTEGER MaximumSize,
+ ULONG Priority
+);
+
+NTSTATUS SCCreatePartition(
+ HANDLE 
ParentPartitionHandle OPTIONAL,
+ PHANDLE PartitionHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG PreferredNode
+);
+
+NTSTATUS SCCreatePort(
+ PHANDLE PortHandle,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG MaxConnectionInfoLength,
+ ULONG MaxMessageLength,
+ ULONG MaxPoolUsage OPTIONAL
+);
+
+NTSTATUS SCCreatePrivateNamespace(
+ PHANDLE NamespaceHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor
+);
+
+NTSTATUS SCCreateProcess(
+ PHANDLE ProcessHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ HANDLE ParentProcess,
+ BOOLEAN InheritObjectTable,
+ HANDLE SectionHandle OPTIONAL,
+ HANDLE DebugPort OPTIONAL,
+ HANDLE TokenHandle OPTIONAL
+);
+
+NTSTATUS SCCreateProcessEx(
+ PHANDLE ProcessHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ HANDLE ParentProcess,
+ ULONG Flags,
+ HANDLE SectionHandle OPTIONAL,
+ HANDLE DebugPort OPTIONAL,
+ HANDLE TokenHandle OPTIONAL,
+ ULONG Reserved
+);
+
+NTSTATUS SCCreateProcessStateChange(
+ PHANDLE ProcessStateChangeHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ HANDLE ProcessHandle,
+ ULONG64 Reserved OPTIONAL
+);
+
+NTSTATUS SCCreateProfile(
+ PHANDLE ProfileHandle,
+ HANDLE Process OPTIONAL,
+ PVOID ProfileBase,
+ SIZE_T ProfileSize,
+ ULONG BucketSize,
+ PULONG Buffer,
+ ULONG BufferSize,
+ KPROFILE_SOURCE ProfileSource,
+ KAFFINITY Affinity
+);
+
+NTSTATUS SCCreateProfileEx(
+ PHANDLE ProfileHandle,
+ HANDLE Process OPTIONAL,
+ PVOID ProfileBase,
+ SIZE_T ProfileSize,
+ ULONG BucketSize,
+ PULONG Buffer,
+ ULONG BufferSize,
+ KPROFILE_SOURCE ProfileSource,
+ USHORT GroupCount,
+ PGROUP_AFFINITY GroupAffinity
+);
+
+NTSTATUS SCCreateRegistryTransaction(
+ PHANDLE RegistryTransactionHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG 
CreateOptions
+);
+
+NTSTATUS SCCreateResourceManager(
+ PHANDLE ResourceManagerHandle,
+ ACCESS_MASK DesiredAccess,
+ HANDLE TmHandle,
+ LPGUID RmGuid,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ ULONG CreateOptions OPTIONAL,
+ PUNICODE_STRING Description OPTIONAL
+);
+
+NTSTATUS SCCreateSection(
+ PHANDLE SectionHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PLARGE_INTEGER MaximumSize,
+ ULONG SectionPageProtection,
+ ULONG AllocationAttributes,
+ HANDLE FileHandle
+);
+
+NTSTATUS SCCreateSectionEx(
+ PHANDLE SectionHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ PLARGE_INTEGER MaximumSize OPTIONAL,
+ ULONG SectionPageProtection,
+ ULONG AllocationAttributes,
+ HANDLE FileHandle OPTIONAL,
+ PMEM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL,
+ ULONG ExtendedParameterCount
+);
+
+NTSTATUS SCCreateSemaphore(
+ PHANDLE SemaphoreHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ LONG InitialCount,
+ LONG MaximumCount
+);
+
+NTSTATUS SCCreateSymbolicLinkObject(
+ PHANDLE LinkHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes,
+ PUNICODE_STRING LinkTarget
+);
+
+NTSTATUS SCCreateThread(
+ PHANDLE ThreadHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ HANDLE ProcessHandle,
+ CLIENT_ID* ClientId,
+ PCONTEXT ThreadContext,
+ PINITIAL_TEB InitialTeb,
+ BOOLEAN CreateSuspended
+);
+
+NTSTATUS SCCreateThreadEx(
+ PHANDLE ThreadHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ HANDLE ProcessHandle,
+ PUSER_THREAD_START_ROUTINE StartRoutine,
+ PVOID Argument OPTIONAL,
+ ULONG CreateFlags,
+ SIZE_T ZeroBits,
+ SIZE_T StackSize,
+ SIZE_T MaximumStackSize,
+ PPS_ATTRIBUTE_LIST AttributeList OPTIONAL
+);
+
+NTSTATUS SCCreateThreadStateChange(
+ PHANDLE ThreadStateChangeHandle,
+ ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
+ HANDLE 
ThreadHandle, + ULONG64 Reserved OPTIONAL +); + +NTSTATUS SCCreateTimer( + PHANDLE TimerHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + TIMER_TYPE TimerType +); + +NTSTATUS SCCreateTimer2( + PHANDLE TimerHandle, + PVOID Reserved1 OPTIONAL, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + ULONG Attributes, + ACCESS_MASK DesiredAccess +); + +NTSTATUS SCCreateToken( + PHANDLE TokenHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + TOKEN_TYPE Type, + PLUID AuthenticationId, + PLARGE_INTEGER ExpirationTime, + PTOKEN_USER User, + PTOKEN_GROUPS Groups, + PTOKEN_PRIVILEGES Privileges, + PTOKEN_OWNER Owner OPTIONAL, + PTOKEN_PRIMARY_GROUP PrimaryGroup, + PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, + PTOKEN_SOURCE Source +); + +NTSTATUS SCCreateTokenEx( + PHANDLE TokenHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + TOKEN_TYPE Type, + PLUID AuthenticationId, + PLARGE_INTEGER ExpirationTime, + PTOKEN_USER User, + PTOKEN_GROUPS Groups, + PTOKEN_PRIVILEGES Privileges, + PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL, + PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL, + PTOKEN_GROUPS DeviceGroups OPTIONAL, + PTOKEN_MANDATORY_POLICY MandatoryPolicy OPTIONAL, + PTOKEN_OWNER Owner OPTIONAL, + PTOKEN_PRIMARY_GROUP PrimaryGroup, + PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, + PTOKEN_SOURCE Source +); + +NTSTATUS SCCreateTransaction( + PHANDLE TransactionHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + LPGUID Uow OPTIONAL, + HANDLE TmHandle OPTIONAL, + ULONG CreateOptions OPTIONAL, + ULONG IsolationLevel OPTIONAL, + ULONG IsolationFlags OPTIONAL, + PLARGE_INTEGER Timeout OPTIONAL, + PUNICODE_STRING Description OPTIONAL +); + +NTSTATUS SCCreateTransactionManager( + PHANDLE TmHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + PUNICODE_STRING LogFileName OPTIONAL, + ULONG 
CreateOptions OPTIONAL, + ULONG CommitStrength OPTIONAL +); + +NTSTATUS SCCreateUserProcess( + PHANDLE ProcessHandle, + PHANDLE ThreadHandle, + ACCESS_MASK ProcessDesiredAccess, + ACCESS_MASK ThreadDesiredAccess, + POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, + POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, + ULONG ProcessFlags, + ULONG ThreadFlags, + PRTL_USER_PROCESS_PARAMETERS ProcessParameters OPTIONAL, + PPS_CREATE_INFO CreateInfo, + PPS_ATTRIBUTE_LIST AttributeList OPTIONAL +); + +NTSTATUS SCCreateWaitCompletionPacket( + PHANDLE WaitCompletionPacketHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL +); + +NTSTATUS SCCreateWaitablePort( + PHANDLE PortHandle, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + ULONG MaxConnectionInfoLength, + ULONG MaxMessageLength, + ULONG MaxPoolUsage OPTIONAL +); + +NTSTATUS SCCreateWnfStateName( + PWNF_STATE_NAME StateName, + WNF_STATE_NAME_LIFETIME NameLifetime, + WNF_DATA_SCOPE DataScope, + BOOLEAN PersistData, + PCWNF_TYPE_ID TypeId OPTIONAL, + ULONG MaximumStateSize, + PSECURITY_DESCRIPTOR SecurityDescriptor +); + +NTSTATUS SCCreateWorkerFactory( + PHANDLE WorkerFactoryHandleReturn, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + HANDLE CompletionPortHandle, + HANDLE WorkerProcessHandle, + PVOID StartRoutine, + PVOID StartParameter OPTIONAL, + ULONG MaxThreadCount OPTIONAL, + SIZE_T StackReserve OPTIONAL, + SIZE_T StackCommit OPTIONAL +); + +NTSTATUS SCDebugActiveProcess( + HANDLE ProcessHandle, + HANDLE DebugObjectHandle +); + +NTSTATUS SCDebugContinue( + HANDLE DebugObjectHandle, + CLIENT_ID* ClientId, + NTSTATUS ContinueStatus +); + +NTSTATUS SCDelayExecution( + BOOLEAN Alertable, + PLARGE_INTEGER DelayInterval +); + +NTSTATUS SCDeleteAtom( + PRTL_ATOM Atom +); + +NTSTATUS SCDeleteBootEntry( + ULONG Id +); + +NTSTATUS SCDeleteDriverEntry( + ULONG Id +); + +NTSTATUS SCDeleteFile( + POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS 
SCDeleteKey( + HANDLE KeyHandle +); + +NTSTATUS SCDeleteObjectAuditAlarm( + PUNICODE_STRING SubsystemName, + PVOID HandleId OPTIONAL, + BOOLEAN GenerateOnClose +); + +NTSTATUS SCDeletePrivateNamespace( + HANDLE NamespaceHandle +); + +NTSTATUS SCDeleteValueKey( + HANDLE KeyHandle, + PUNICODE_STRING ValueName +); + +NTSTATUS SCDeleteWnfStateData( + PCWNF_STATE_NAME StateName, + const VOID* ExplicitScope OPTIONAL +); + +NTSTATUS SCDeleteWnfStateName( + PCWNF_STATE_NAME StateName +); + +NTSTATUS SCDeviceIoControlFile( + HANDLE FileHandle, + HANDLE Event OPTIONAL, + PIO_APC_ROUTINE ApcRoutine OPTIONAL, + PVOID ApcContext OPTIONAL, + PIO_STATUS_BLOCK IoStatusBlock, + ULONG IoControlCode, + PVOID InputBuffer OPTIONAL, + ULONG InputBufferLength, + PVOID OutputBuffer OPTIONAL, + ULONG OutputBufferLength +); + +NTSTATUS SCDirectGraphicsCall( + ULONG InputBufferLength, + PVOID InputBuffer OPTIONAL, + ULONG OutputBufferLength, + PVOID OutputBuffer OPTIONAL, + PULONG ReturnLength +); + +NTSTATUS SCDisableLastKnownGood(VOID); + +NTSTATUS SCDisplayString( + PUNICODE_STRING String +); + +NTSTATUS SCDrawText( + PUNICODE_STRING Text +); + +NTSTATUS SCDuplicateObject( + HANDLE SourceProcessHandle, + HANDLE SourceHandle, + HANDLE TargetProcessHandle OPTIONAL, + PHANDLE TargetHandle OPTIONAL, + ACCESS_MASK DesiredAccess, + ULONG HandleAttributes, + ULONG Options +); + +NTSTATUS SCDuplicateToken( + HANDLE ExistingTokenHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + BOOLEAN EffectiveOnly, + TOKEN_TYPE Type, + PHANDLE NewTokenHandle +); + +NTSTATUS SCEnableLastKnownGood(VOID); + +NTSTATUS SCEnumerateBootEntries( + PVOID Buffer OPTIONAL, + PULONG BufferLength +); + +NTSTATUS SCEnumerateDriverEntries( + PVOID Buffer OPTIONAL, + PULONG BufferLength +); + +NTSTATUS SCEnumerateKey( + HANDLE KeyHandle, + ULONG Index, + KEY_INFORMATION_CLASS KeyInformationClass, + PVOID KeyInformation OPTIONAL, + ULONG Length, + PULONG ResultLength +); + +NTSTATUS 
SCEnumerateSystemEnvironmentValuesEx( + ULONG InformationClass, + PVOID Buffer, + PULONG BufferLength +); + +NTSTATUS SCEnumerateTransactionObject( + HANDLE RootObjectHandle OPTIONAL, + KTMOBJECT_TYPE QueryType, + PKTMOBJECT_CURSOR ObjectCursor, + ULONG ObjectCursorLength, + PULONG ReturnLength +); + +NTSTATUS SCEnumerateValueKey( + HANDLE KeyHandle, + ULONG Index, + KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + PVOID KeyValueInformation OPTIONAL, + ULONG Length, + PULONG ResultLength +); + +NTSTATUS SCExtendSection( + HANDLE SectionHandle, + PLARGE_INTEGER NewSectionSize +); + +NTSTATUS SCFilterBootOption( + FILTER_BOOT_OPTION_OPERATION FilterOperation, + ULONG ObjectType, + ULONG ElementType, + PVOID Data OPTIONAL, + ULONG DataSize +); + +NTSTATUS SCFilterToken( + HANDLE ExistingTokenHandle, + ULONG Flags, + PTOKEN_GROUPS SidsToDisable OPTIONAL, + PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, + PTOKEN_GROUPS RestrictedSids OPTIONAL, + PHANDLE NewTokenHandle +); + +NTSTATUS SCFilterTokenEx( + HANDLE ExistingTokenHandle, + ULONG Flags, + PTOKEN_GROUPS SidsToDisable OPTIONAL, + PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, + PTOKEN_GROUPS RestrictedSids OPTIONAL, + ULONG DisableUserClaimsCount, + PUNICODE_STRING UserClaimsToDisable OPTIONAL, + ULONG DisableDeviceClaimsCount, + PUNICODE_STRING DeviceClaimsToDisable OPTIONAL, + PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL, + PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL, + PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL, + PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL, + PHANDLE NewTokenHandle +); + +NTSTATUS SCFindAtom( + PCWSTR AtomName OPTIONAL, + ULONG Length, + PRTL_ATOM Atom OPTIONAL +); + +NTSTATUS SCFlushBuffersFile( + HANDLE FileHandle, + PIO_STATUS_BLOCK IoStatusBlock +); + +NTSTATUS SCFlushBuffersFileEx( + HANDLE FileHandle, + ULONG Flags, + PVOID Parameters, + ULONG ParametersSize, + PIO_STATUS_BLOCK IoStatusBlock +); + +NTSTATUS 
SCFlushInstallUILanguage( + LANGID InstallUILanguage, + ULONG SetCommittedFlag +); + +NTSTATUS SCFlushInstructionCache( + HANDLE ProcessHandle, + PVOID BaseAddress OPTIONAL, + SIZE_T Length +); + +NTSTATUS SCFlushKey( + HANDLE KeyHandle +); + +NTSTATUS SCFlushProcessWriteBuffers(VOID); + +NTSTATUS SCFlushVirtualMemory( + HANDLE ProcessHandle, + PVOID * BaseAddress, + PSIZE_T RegionSize, + PIO_STATUS_BLOCK IoStatus +); + +NTSTATUS SCFlushWriteBuffer(VOID); + +NTSTATUS SCFreeUserPhysicalPages( + HANDLE ProcessHandle, + PULONG_PTR NumberOfPages, + PULONG_PTR UserPfnArray +); + +NTSTATUS SCFreeVirtualMemory( + HANDLE ProcessHandle, + PVOID * BaseAddress, + PSIZE_T RegionSize, + ULONG FreeType +); + +NTSTATUS SCFreezeRegistry( + ULONG TimeOutInSeconds +); + +NTSTATUS SCFreezeTransactions( + PLARGE_INTEGER FreezeTimeout, + PLARGE_INTEGER ThawTimeout +); + +NTSTATUS SCFsControlFile( + HANDLE FileHandle, + HANDLE Event OPTIONAL, + PIO_APC_ROUTINE ApcRoutine OPTIONAL, + PVOID ApcContext OPTIONAL, + PIO_STATUS_BLOCK IoStatusBlock, + ULONG FsControlCode, + PVOID InputBuffer OPTIONAL, + ULONG InputBufferLength, + PVOID OutputBuffer OPTIONAL, + ULONG OutputBufferLength +); + +NTSTATUS SCGetCachedSigningLevel( + HANDLE File, + PULONG Flags, + PSE_SIGNING_LEVEL SigningLevel, + PUCHAR Thumbprint OPTIONAL, + PULONG ThumbprintSize OPTIONAL, + PULONG ThumbprintAlgorithm OPTIONAL +); + +NTSTATUS SCGetCompleteWnfStateSubscription( + PWNF_STATE_NAME OldDescriptorStateName OPTIONAL, + ULONG64* OldSubscriptionId OPTIONAL, + ULONG OldDescriptorEventMask, + ULONG OldDescriptorStatus, + PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, + ULONG DescriptorSize +); + +NTSTATUS SCGetContextThread( + HANDLE ThreadHandle, + PCONTEXT ThreadContext +); + +ULONG SCGetCurrentProcessorNumber(VOID); + +VOID SCGetCurrentProcessorNumberEx( + PPROCESSOR_NUMBER ProcessorNumber OPTIONAL +); + +NTSTATUS SCGetDevicePowerState( + HANDLE Device, + PDEVICE_POWER_STATE State +); + +NTSTATUS SCGetMUIRegistryInfo( + 
ULONG Flags, + PULONG DataSize, + PVOID Data +); + +NTSTATUS SCGetNextProcess( + HANDLE ProcessHandle OPTIONAL, + ACCESS_MASK DesiredAccess, + ULONG HandleAttributes, + ULONG Flags, + PHANDLE NewProcessHandle +); + +NTSTATUS SCGetNextThread( + HANDLE ProcessHandle, + HANDLE ThreadHandle OPTIONAL, + ACCESS_MASK DesiredAccess, + ULONG HandleAttributes, + ULONG Flags, + PHANDLE NewThreadHandle +); + +NTSTATUS SCGetNlsSectionPtr( + ULONG SectionType, + ULONG SectionData, + PVOID ContextData, + PVOID* SectionPointer, + PULONG SectionSize +); + +NTSTATUS SCGetNotificationResourceManager( + HANDLE ResourceManagerHandle, + PTRANSACTION_NOTIFICATION TransactionNotification, + ULONG NotificationLength, + PLARGE_INTEGER Timeout OPTIONAL, + PULONG ReturnLength OPTIONAL, + ULONG Asynchronous, + ULONG_PTR AsynchronousContext OPTIONAL +); + +NTSTATUS SCGetWriteWatch( + HANDLE ProcessHandle, + ULONG Flags, + PVOID BaseAddress, + SIZE_T RegionSize, + PVOID* UserAddressArray, + PULONG_PTR EntriesInUserAddressArray, + PULONG Granularity +); + +NTSTATUS SCImpersonateAnonymousToken( + HANDLE ThreadHandle +); + +NTSTATUS SCImpersonateClientOfPort( + HANDLE PortHandle, + PPORT_MESSAGE Message +); + +NTSTATUS SCImpersonateThread( + HANDLE ServerThreadHandle, + HANDLE ClientThreadHandle, + PSECURITY_QUALITY_OF_SERVICE SecurityQos +); + +NTSTATUS SCInitializeEnclave( + HANDLE ProcessHandle, + PVOID BaseAddress, + PVOID EnclaveInformation, + ULONG EnclaveInformationLength, + PULONG EnclaveError OPTIONAL +); + +NTSTATUS SCInitializeNlsFiles( + PVOID* BaseAddress, + PLCID DefaultLocaleId, + PLARGE_INTEGER DefaultCasingTableSize, + PULONG CurrentNLSVersion OPTIONAL +); + +NTSTATUS SCInitializeRegistry( + USHORT BootCondition +); + +NTSTATUS SCInitiatePowerAction( + POWER_ACTION SystemAction, + SYSTEM_POWER_STATE LightestSystemState, + ULONG Flags, + BOOLEAN Asynchronous +); + +NTSTATUS SCIsProcessInJob( + HANDLE ProcessHandle, + HANDLE JobHandle OPTIONAL +); + +BOOLEAN 
SCIsSystemResumeAutomatic(VOID); + +NTSTATUS SCIsUILanguageCommitted(VOID); + +NTSTATUS SCListenPort( + HANDLE PortHandle, + PPORT_MESSAGE ConnectionRequest +); + +NTSTATUS SCLoadDriver( + PUNICODE_STRING DriverServiceName +); + +NTSTATUS SCLoadEnclaveData( + HANDLE ProcessHandle, + PVOID BaseAddress, + PVOID Buffer, + SIZE_T BufferSize, + ULONG Protect, + PVOID PageInformation, + ULONG PageInformationLength, + PSIZE_T NumberOfBytesWritten OPTIONAL, + PULONG EnclaveError OPTIONAL +); + +NTSTATUS SCLoadKey( + POBJECT_ATTRIBUTES TargetKey, + POBJECT_ATTRIBUTES SourceFile +); + +NTSTATUS SCLoadKey2( + POBJECT_ATTRIBUTES TargetKey, + POBJECT_ATTRIBUTES SourceFile, + ULONG Flags +); + +NTSTATUS SCLoadKey3( + POBJECT_ATTRIBUTES TargetKey, + POBJECT_ATTRIBUTES SourceFile, + ULONG Flags, + PCM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL, + ULONG ExtendedParameterCount, + ACCESS_MASK DesiredAccess OPTIONAL, + PHANDLE RootHandle OPTIONAL, + PVOID Reserved OPTIONAL +); + +NTSTATUS SCLoadKeyEx( + POBJECT_ATTRIBUTES TargetKey, + POBJECT_ATTRIBUTES SourceFile, + ULONG Flags, + HANDLE TrustClassKey OPTIONAL, + HANDLE Event OPTIONAL, + ACCESS_MASK DesiredAccess OPTIONAL, + PHANDLE RootHandle OPTIONAL, + PVOID Reserved OPTIONAL +); + +NTSTATUS SCLockFile( + HANDLE FileHandle, + HANDLE Event OPTIONAL, + PIO_APC_ROUTINE ApcRoutine OPTIONAL, + PVOID ApcContext OPTIONAL, + PIO_STATUS_BLOCK IoStatusBlock, + PLARGE_INTEGER ByteOffset, + PLARGE_INTEGER Length, + ULONG Key, + BOOLEAN FailImmediately, + BOOLEAN ExclusiveLock +); + +NTSTATUS SCLockProductActivationKeys( + ULONG* pPrivateVer OPTIONAL, + ULONG* pSafeMode OPTIONAL +); + +NTSTATUS SCLockRegistryKey( + HANDLE KeyHandle +); + +NTSTATUS SCLockVirtualMemory( + HANDLE ProcessHandle, + PVOID* BaseAddress, + PSIZE_T RegionSize, + ULONG MapType +); + +NTSTATUS SCMakePermanentObject( + HANDLE Handle +); + +NTSTATUS SCMakeTemporaryObject( + HANDLE Handle +); + +NTSTATUS SCManageHotPatch( + HANDLE ProcessHandle, + ULONG Operation, + 
PVOID InputBuffer OPTIONAL, + ULONG InputBufferLength, + PVOID OutputBuffer OPTIONAL, + ULONG OutputBufferLength +); + +NTSTATUS SCManagePartition( + HANDLE TargetHandle, + HANDLE SourceHandle OPTIONAL, + PARTITION_INFORMATION_CLASS PartitionInformationClass, + PVOID PartitionInformation, + ULONG PartitionInformationLength +); + +NTSTATUS SCMapCMFModule( + ULONG What, + ULONG Index, + PULONG CacheIndexOut OPTIONAL, + PULONG CacheFlagsOut OPTIONAL, + PULONG ViewSizeOut OPTIONAL, + PVOID* BaseAddress OPTIONAL +); + +NTSTATUS SCMapUserPhysicalPages( + PVOID VirtualAddress, + SIZE_T NumberOfPages, + PULONG_PTR UserPfnArray OPTIONAL +); + +NTSTATUS SCMapUserPhysicalPagesScatter( + PVOID* VirtualAddresses, + SIZE_T NumberOfPages, + PULONG_PTR UserPfnArray OPTIONAL +); + +NTSTATUS SCMapViewOfSection( + HANDLE SectionHandle, + HANDLE ProcessHandle, + PVOID* BaseAddress, + ULONG_PTR ZeroBits, + SIZE_T CommitSize, + PLARGE_INTEGER SectionOffset, + PSIZE_T ViewSize, + ULONG InheritDisposition, + ULONG AllocationType, + ULONG Win32Protect +); + +NTSTATUS SCMapViewOfSectionEx( + HANDLE SectionHandle, + HANDLE ProcessHandle, + PVOID* BaseAddress, + PLARGE_INTEGER SectionOffset OPTIONAL, + PSIZE_T ViewSize, + ULONG AllocationType, + ULONG PageProtection, + PMEM_EXTENDED_PARAMETER ExtendedParameters OPTIONAL, + ULONG ExtendedParameterCount +); + +NTSTATUS SCModifyBootEntry( + PBOOT_ENTRY BootEntry +); + +NTSTATUS SCModifyDriverEntry( + PEFI_DRIVER_ENTRY DriverEntry +); + +NTSTATUS SCNotifyChangeDirectoryFile( + HANDLE FileHandle, + HANDLE Event OPTIONAL, + PIO_APC_ROUTINE ApcRoutine OPTIONAL, + PVOID ApcContext OPTIONAL, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID Buffer, /* FILE_NOTIFY_INFORMATION */ + ULONG Length, + ULONG CompletionFilter, + BOOLEAN WatchTree +); + +NTSTATUS SCNotifyChangeDirectoryFileEx( + HANDLE FileHandle, + HANDLE Event OPTIONAL, + PIO_APC_ROUTINE ApcRoutine OPTIONAL, + PVOID ApcContext OPTIONAL, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID Buffer, + ULONG 
Length, + ULONG CompletionFilter, + BOOLEAN WatchTree, + DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass +); + +NTSTATUS SCNotifyChangeKey( + HANDLE KeyHandle, + HANDLE Event OPTIONAL, + PIO_APC_ROUTINE ApcRoutine OPTIONAL, + PVOID ApcContext OPTIONAL, + PIO_STATUS_BLOCK IoStatusBlock, + ULONG CompletionFilter, + BOOLEAN WatchTree, + PVOID Buffer OPTIONAL, + ULONG BufferSize, + BOOLEAN Asynchronous +); + +NTSTATUS SCNotifyChangeMultipleKeys( + HANDLE MasterKeyHandle, + ULONG Count OPTIONAL, + OBJECT_ATTRIBUTES SubordinateObjects[], + HANDLE Event OPTIONAL, + PIO_APC_ROUTINE ApcRoutine OPTIONAL, + PVOID ApcContext OPTIONAL, + PIO_STATUS_BLOCK IoStatusBlock, + ULONG CompletionFilter, + BOOLEAN WatchTree, + PVOID Buffer OPTIONAL, + ULONG BufferSize, + BOOLEAN Asynchronous +); + +NTSTATUS SCNotifyChangeSession( + HANDLE SessionHandle, + ULONG ChangeSequenceNumber, + PLARGE_INTEGER ChangeTimeStamp, + IO_SESSION_EVENT Event, + IO_SESSION_STATE NewState, + IO_SESSION_STATE PreviousState, + PVOID Payload OPTIONAL, + ULONG PayloadSize +); + +NTSTATUS SCOpenCpuPartition( + PHANDLE CpuPartitionHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL +); + +NTSTATUS SCOpenEnlistment( + PHANDLE EnlistmentHandle, + ACCESS_MASK DesiredAccess, + HANDLE ResourceManagerHandle, + LPGUID EnlistmentGuid, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL +); + +NTSTATUS SCOpenEvent( + PHANDLE EventHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenEventPair( + PHANDLE EventPairHandle, + ACCESS_MASK DesiredAccess, + PCOBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenFile( + PHANDLE FileHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes, + PIO_STATUS_BLOCK IoStatusBlock, + ULONG ShareAccess, + ULONG OpenOptions +); + +NTSTATUS SCOpenIoCompletion( + PHANDLE IoCompletionHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS 
SCOpenJobObject( + PHANDLE JobHandle, + ACCESS_MASK DesiredAccess, + PCOBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenKey( + PHANDLE KeyHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenKeyEx( + PHANDLE KeyHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes, + ULONG OpenOptions +); + +NTSTATUS SCOpenKeyTransacted( + PHANDLE KeyHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes, + HANDLE TransactionHandle +); + +NTSTATUS SCOpenKeyTransactedEx( + PHANDLE KeyHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes, + ULONG OpenOptions, + HANDLE TransactionHandle +); + +NTSTATUS SCOpenKeyedEvent( + PHANDLE KeyedEventHandle, + ACCESS_MASK DesiredAccess, + PCOBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenMutant( + PHANDLE MutantHandle, + ACCESS_MASK DesiredAccess, + PCOBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenObjectAuditAlarm( + PUNICODE_STRING SubsystemName, + PVOID HandleId OPTIONAL, + PUNICODE_STRING ObjectTypeName, + PUNICODE_STRING ObjectName, + PSECURITY_DESCRIPTOR SecurityDescriptor, + HANDLE ClientToken, + ACCESS_MASK DesiredAccess, + ACCESS_MASK GrantedAccess, + PPRIVILEGE_SET Privileges OPTIONAL, + BOOLEAN ObjectCreation, + BOOLEAN AccessGranted, + PBOOLEAN GenerateOnClose +); + +NTSTATUS SCOpenPartition( + PHANDLE PartitionHandle, + ACCESS_MASK DesiredAccess, + PCOBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenPrivateNamespace( + PHANDLE NamespaceHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor +); + +NTSTATUS SCOpenProcess( + PHANDLE ProcessHandle, + ACCESS_MASK DesiredAccess, + PCOBJECT_ATTRIBUTES ObjectAttributes, + CLIENT_ID* ClientId OPTIONAL +); + +NTSTATUS SCOpenProcessToken( + HANDLE ProcessHandle, + ACCESS_MASK DesiredAccess, + PHANDLE TokenHandle +); + +NTSTATUS SCOpenProcessTokenEx( + HANDLE ProcessHandle, + 
ACCESS_MASK DesiredAccess, + ULONG HandleAttributes, + PHANDLE TokenHandle +); + +NTSTATUS SCOpenRegistryTransaction( + HANDLE* RegistryTransactionHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjAttributes +); + +NTSTATUS SCOpenResourceManager( + PHANDLE ResourceManagerHandle, + ACCESS_MASK DesiredAccess, + HANDLE TmHandle, + LPGUID ResourceManagerGuid OPTIONAL, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL +); + +NTSTATUS SCOpenSection( + PHANDLE SectionHandle, + ACCESS_MASK DesiredAccess, + PCOBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenSemaphore( + PHANDLE SemaphoreHandle, + ACCESS_MASK DesiredAccess, + PCOBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenSession( + PHANDLE SessionHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenSymbolicLinkObject( + PHANDLE LinkHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenThread( + PHANDLE ThreadHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes, + CLIENT_ID* ClientId OPTIONAL +); + +NTSTATUS SCOpenThreadToken( + HANDLE ThreadHandle, + ACCESS_MASK DesiredAccess, + BOOLEAN OpenAsSelf, + PHANDLE TokenHandle +); + +NTSTATUS SCOpenThreadTokenEx( + HANDLE ThreadHandle, + ACCESS_MASK DesiredAccess, + BOOLEAN OpenAsSelf, + ULONG HandleAttributes, + PHANDLE TokenHandle +); + +NTSTATUS SCOpenTimer( + PHANDLE TimerHandle, + ACCESS_MASK DesiredAccess, + PCOBJECT_ATTRIBUTES ObjectAttributes +); + +NTSTATUS SCOpenTransaction( + PHANDLE TransactionHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + LPGUID Uow, + HANDLE TmHandle OPTIONAL +); + +NTSTATUS SCOpenTransactionManager( + PHANDLE TmHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + PUNICODE_STRING LogFileName OPTIONAL, + LPGUID TmIdentity OPTIONAL, + ULONG OpenOptions OPTIONAL +); + +NTSTATUS SCPlugPlayControl( + PLUGPLAY_CONTROL_CLASS PnPControlClass, + PVOID 
PnPControlData OPTIONAL, + ULONG PnPControlDataLength +); + +NTSTATUS SCPowerInformation( + POWER_INFORMATION_LEVEL InformationLevel, + PVOID InputBuffer OPTIONAL, + ULONG InputBufferLength, + PVOID OutputBuffer OPTIONAL, + ULONG OutputBufferLength +); + +NTSTATUS SCPrePrepareComplete( + HANDLE EnlistmentHandle, + PLARGE_INTEGER TmVirtualClock OPTIONAL +); + +NTSTATUS SCPrePrepareEnlistment( + HANDLE EnlistmentHandle, + PLARGE_INTEGER TmVirtualClock OPTIONAL +); + +NTSTATUS SCPrepareComplete( + HANDLE EnlistmentHandle, + PLARGE_INTEGER TmVirtualClock OPTIONAL +); + +NTSTATUS SCPrepareEnlistment( + HANDLE EnlistmentHandle, + PLARGE_INTEGER TmVirtualClock OPTIONAL +); + +NTSTATUS SCPrivilegeCheck( + HANDLE ClientToken, + PPRIVILEGE_SET RequiredPrivileges, + PBOOLEAN Result +); + +NTSTATUS SCPrivilegeObjectAuditAlarm( + PUNICODE_STRING SubsystemName, + PVOID HandleId OPTIONAL, + HANDLE ClientToken, + ACCESS_MASK DesiredAccess, + PPRIVILEGE_SET Privileges, + BOOLEAN AccessGranted +); + +NTSTATUS SCPrivilegedServiceAuditAlarm( + PUNICODE_STRING SubsystemName, + PUNICODE_STRING ServiceName, + HANDLE ClientToken, + PPRIVILEGE_SET Privileges, + BOOLEAN AccessGranted +); + +NTSTATUS SCPropagationComplete( + HANDLE ResourceManagerHandle, + ULONG RequestCookie, + ULONG BufferLength, + PVOID Buffer +); + +NTSTATUS SCPropagationFailed( + HANDLE ResourceManagerHandle, + ULONG RequestCookie, + NTSTATUS PropStatus +); + +NTSTATUS SCProtectVirtualMemory( + HANDLE ProcessHandle, + PVOID* BaseAddress, + PSIZE_T RegionSize, + ULONG NewProtection, + PULONG OldProtection +); + +NTSTATUS SCPssCaptureVaSpaceBulk( + HANDLE ProcessHandle, + PVOID BaseAddress OPTIONAL, + PNTPSS_MEMORY_BULK_INFORMATION BulkInformation, + SIZE_T BulkInformationLength, + PSIZE_T ReturnLength OPTIONAL +); + +NTSTATUS SCPulseEvent( + HANDLE EventHandle, + PLONG PreviousState OPTIONAL +); + +NTSTATUS SCQueryAttributesFile( + POBJECT_ATTRIBUTES ObjectAttributes, + PFILE_BASIC_INFORMATION FileInformation +); + 
+NTSTATUS SCQueryAuxiliaryCounterFrequency( + PULONG64 AuxiliaryCounterFrequency +); + +NTSTATUS SCQueryBootEntryOrder( + PULONG Ids OPTIONAL, + PULONG Count +); + +NTSTATUS SCQueryBootOptions( + PBOOT_OPTIONS BootOptions OPTIONAL, + PULONG BootOptionsLength +); + +NTSTATUS SCQueryDebugFilterState( + ULONG ComponentId, + ULONG Level +); + +NTSTATUS SCQueryDefaultLocale( + BOOLEAN UserProfile, + PLCID DefaultLocaleId +); + +NTSTATUS SCQueryDefaultUILanguage( + LANGID* DefaultUILanguageId +); + +NTSTATUS SCQueryDirectoryFile( + HANDLE FileHandle, + HANDLE Event OPTIONAL, + PIO_APC_ROUTINE ApcRoutine OPTIONAL, + PVOID ApcContext OPTIONAL, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID FileInformation, + ULONG Length, + FILE_INFORMATION_CLASS FileInformationClass, + BOOLEAN ReturnSingleEntry, + PUNICODE_STRING FileName OPTIONAL, + BOOLEAN RestartScan +); + +NTSTATUS SCQueryDirectoryFileEx( + HANDLE FileHandle, + HANDLE Event OPTIONAL, + PIO_APC_ROUTINE ApcRoutine OPTIONAL, + PVOID ApcContext OPTIONAL, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID FileInformation, + ULONG Length, + FILE_INFORMATION_CLASS FileInformationClass, + ULONG QueryFlags, + PUNICODE_STRING FileName OPTIONAL +); + +NTSTATUS SCQueryDirectoryObject( + HANDLE DirectoryHandle, + PVOID Buffer OPTIONAL, + ULONG Length, + BOOLEAN ReturnSingleEntry, + BOOLEAN RestartScan, + PULONG Context, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryDriverEntryOrder( + PULONG Ids OPTIONAL, + PULONG Count +); + +NTSTATUS SCQueryEaFile( + HANDLE FileHandle, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID Buffer, + ULONG Length, + BOOLEAN ReturnSingleEntry, + PVOID EaList OPTIONAL, + ULONG EaListLength, + PULONG EaIndex OPTIONAL, + BOOLEAN RestartScan +); + +NTSTATUS SCQueryEvent( + HANDLE EventHandle, + EVENT_INFORMATION_CLASS EventInformationClass, + PVOID EventInformation, + ULONG EventInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryFullAttributesFile( + POBJECT_ATTRIBUTES ObjectAttributes, + 
PFILE_NETWORK_OPEN_INFORMATION FileInformation +); + +NTSTATUS SCQueryInformationAtom( + PRTL_ATOM Atom, + ATOM_INFORMATION_CLASS AtomInformationClass, + PVOID AtomInformation, + ULONG AtomInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationByName( + POBJECT_ATTRIBUTES ObjectAttributes, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID FileInformation, + ULONG Length, + FILE_INFORMATION_CLASS FileInformationClass +); + +NTSTATUS SCQueryInformationCpuPartition( + HANDLE PartitionHandle OPTIONAL, + CPU_PARTITION_INFORMATION_CLASS PartitionInformationClass, + PVOID PartitionInformation, + ULONG PartitionInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationEnlistment( + HANDLE EnlistmentHandle, + ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, + PVOID EnlistmentInformation, + ULONG EnlistmentInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationFile( + HANDLE FileHandle, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID FileInformation, + ULONG Length, + FILE_INFORMATION_CLASS FileInformationClass +); + +NTSTATUS SCQueryInformationJobObject( + HANDLE JobHandle OPTIONAL, + JOBOBJECTINFOCLASS JobObjectInformationClass, + PVOID JobObjectInformation, + ULONG JobObjectInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationPort( + HANDLE PortHandle, + PORT_INFORMATION_CLASS PortInformationClass, + PVOID PortInformation, + ULONG Length, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationProcess( + HANDLE ProcessHandle, + PROCESSINFOCLASS ProcessInformationClass, + PVOID ProcessInformation, + ULONG ProcessInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationResourceManager( + HANDLE ResourceManagerHandle, + RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, + PVOID ResourceManagerInformation, + ULONG ResourceManagerInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS 
SCQueryInformationThread( + HANDLE ThreadHandle, + THREADINFOCLASS ThreadInformationClass, + PVOID ThreadInformation, + ULONG ThreadInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationToken( + HANDLE TokenHandle, + TOKEN_INFORMATION_CLASS TokenInformationClass, + PVOID TokenInformation, + ULONG TokenInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationTransaction( + HANDLE TransactionHandle, + TRANSACTION_INFORMATION_CLASS TransactionInformationClass, + PVOID TransactionInformation, + ULONG TransactionInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationTransactionManager( + HANDLE TransactionManagerHandle, + TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, + PVOID TransactionManagerInformation, + ULONG TransactionManagerInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInformationWorkerFactory( + HANDLE WorkerFactoryHandle, + WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, + PVOID WorkerFactoryInformation, + ULONG WorkerFactoryInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryInstallUILanguage( + LANGID* InstallUILanguageId +); + +NTSTATUS SCQueryIntervalProfile( + KPROFILE_SOURCE ProfileSource, + PULONG Interval +); + +NTSTATUS SCQueryIoCompletion( + HANDLE IoCompletionHandle, + IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, + PVOID IoCompletionInformation, + ULONG IoCompletionInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryIoRingCapabilities( + SIZE_T IoRingCapabilitiesLength, + PVOID IoRingCapabilities +); + +NTSTATUS SCQueryKey( + HANDLE KeyHandle, + KEY_INFORMATION_CLASS KeyInformationClass, + PVOID KeyInformation, + ULONG Length, + PULONG ResultLength OPTIONAL +); + +NTSTATUS SCQueryLicenseValue( + PUNICODE_STRING ValueName, + PULONG Type OPTIONAL, + PVOID Data OPTIONAL, + ULONG DataSize, + PULONG ResultDataSize +); + +NTSTATUS SCQueryMultipleValueKey( 
+ HANDLE KeyHandle, + PKEY_VALUE_ENTRY ValueEntries, + ULONG EntryCount, + PVOID ValueBuffer, + PULONG BufferLength, + PULONG RequiredBufferLength OPTIONAL +); + +NTSTATUS SCQueryMutant( + HANDLE MutantHandle, + MUTANT_INFORMATION_CLASS MutantInformationClass, + PVOID MutantInformation, + ULONG MutantInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryObject( + HANDLE Handle, + OBJECT_INFORMATION_CLASS ObjectInformationClass, + PVOID ObjectInformation OPTIONAL, + ULONG ObjectInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryOpenSubKeys( + POBJECT_ATTRIBUTES TargetKey, + PULONG HandleCount +); + +NTSTATUS SCQueryOpenSubKeysEx( + POBJECT_ATTRIBUTES TargetKey, + ULONG BufferLength, + PVOID Buffer, + PULONG RequiredSize +); + +NTSTATUS SCQueryPerformanceCounter( + PLARGE_INTEGER PerformanceCounter, + PLARGE_INTEGER PerformanceFrequency OPTIONAL +); + +NTSTATUS SCQueryPortInformationProcess(VOID); + +NTSTATUS SCQueryQuotaInformationFile( + HANDLE FileHandle, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID Buffer, + ULONG Length, + BOOLEAN ReturnSingleEntry, + PVOID SidList OPTIONAL, + ULONG SidListLength, + PSID StartSid OPTIONAL, + BOOLEAN RestartScan +); + +NTSTATUS SCQuerySection( + HANDLE SectionHandle, + SECTION_INFORMATION_CLASS SectionInformationClass, + PVOID SectionInformation, + SIZE_T SectionInformationLength, + PSIZE_T ReturnLength OPTIONAL +); + +NTSTATUS SCQuerySecurityAttributesToken( + HANDLE TokenHandle, + PUNICODE_STRING Attributes, + ULONG NumberOfAttributes, + PVOID Buffer, /* PTOKEN_SECURITY_ATTRIBUTES_INFORMATION */ + ULONG Length, + PULONG ReturnLength +); + +NTSTATUS SCQuerySecurityObject( + HANDLE Handle, + SECURITY_INFORMATION SecurityInformation, + PSECURITY_DESCRIPTOR SecurityDescriptor, + ULONG Length, + PULONG LengthNeeded +); + +NTSTATUS SCQuerySecurityPolicy( + PCUNICODE_STRING Policy, + PCUNICODE_STRING KeyName, + PCUNICODE_STRING ValueName, + SECURE_SETTING_VALUE_TYPE ValueType, + PVOID Value 
OPTIONAL, + PULONG ValueSize +); + +NTSTATUS SCQuerySemaphore( + HANDLE SemaphoreHandle, + SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, + PVOID SemaphoreInformation, + ULONG SemaphoreInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQuerySymbolicLinkObject( + HANDLE LinkHandle, + PUNICODE_STRING LinkTarget, + PULONG ReturnedLength OPTIONAL +); + +NTSTATUS SCQuerySystemEnvironmentValue( + PUNICODE_STRING VariableName, + PWSTR VariableValue, + USHORT ValueLength, + PUSHORT ReturnLength OPTIONAL +); + +NTSTATUS SCQuerySystemEnvironmentValueEx( + PCUNICODE_STRING VariableName, + PCGUID VendorGuid, + PVOID Buffer OPTIONAL, + PULONG BufferLength, + PULONG Attributes OPTIONAL +); + +NTSTATUS SCQuerySystemInformation( + SYSTEM_INFORMATION_CLASS SystemInformationClass, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength +); + +NTSTATUS SCQuerySystemInformationEx( + SYSTEM_INFORMATION_CLASS SystemInformationClass, + PVOID InputBuffer, + ULONG InputBufferLength, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryTimer( + HANDLE TimerHandle, + TIMER_INFORMATION_CLASS TimerInformationClass, + PVOID TimerInformation, + ULONG TimerInformationLength, + PULONG ReturnLength OPTIONAL +); + +NTSTATUS SCQueryTimerResolution( + PULONG MaximumTime, + PULONG MinimumTime, + PULONG CurrentTime +); + +NTSTATUS SCQueryValueKey( + HANDLE KeyHandle, + PUNICODE_STRING ValueName, + KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + PVOID KeyValueInformation, + ULONG Length, + PULONG ResultLength +); + +NTSTATUS SCQueryVirtualMemory( + HANDLE ProcessHandle, + PVOID BaseAddress OPTIONAL, + MEMORY_INFORMATION_CLASS MemoryInformationClass, + PVOID MemoryInformation, + SIZE_T MemoryInformationLength, + PSIZE_T ReturnLength OPTIONAL +); + +NTSTATUS SCQueryVolumeInformationFile( + HANDLE FileHandle, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID FsInformation, + ULONG Length, + 
SYSK_FSINFOCLASS FsInformationClass
+);
+
+NTSTATUS SCQueryWnfStateData(
+ PCWNF_STATE_NAME StateName,
+ PCWNF_TYPE_ID TypeId OPTIONAL,
+ const VOID * ExplicitScope OPTIONAL,
+ PWNF_CHANGE_STAMP ChangeStamp,
+ PVOID Buffer OPTIONAL,
+ PULONG BufferSize
+);
+
+NTSTATUS SCQueryWnfStateNameInformation(
+ PCWNF_STATE_NAME StateName,
+ WNF_STATE_NAME_INFORMATION NameInfoClass,
+ const VOID * ExplicitScope OPTIONAL,
+ PVOID InfoBuffer,
+ ULONG InfoBufferSize
+);
+
+NTSTATUS SCQueueApcThread(
+ HANDLE ThreadHandle,
+ PPS_APC_ROUTINE ApcRoutine,
+ PVOID ApcArgument1 OPTIONAL,
+ PVOID ApcArgument2 OPTIONAL,
+ PVOID ApcArgument3 OPTIONAL
+);
+
+NTSTATUS SCQueueApcThreadEx(
+ HANDLE ThreadHandle,
+ HANDLE ReserveHandle OPTIONAL,
+ PPS_APC_ROUTINE ApcRoutine,
+ PVOID ApcArgument1 OPTIONAL,
+ PVOID ApcArgument2 OPTIONAL,
+ PVOID ApcArgument3 OPTIONAL
+);
+
+NTSTATUS SCQueueApcThreadEx2(
+ HANDLE ThreadHandle,
+ HANDLE ReserveHandle OPTIONAL,
+ ULONG ApcFlags,
+ PPS_APC_ROUTINE ApcRoutine,
+ PVOID ApcArgument1 OPTIONAL,
+ PVOID ApcArgument2 OPTIONAL,
+ PVOID ApcArgument3 OPTIONAL
+);
+
+NTSTATUS SCRaiseException(
+ PEXCEPTION_RECORD ExceptionRecord,
+ PCONTEXT ContextRecord,
+ BOOLEAN FirstChance
+);
+
+NTSTATUS SCRaiseHardError(
+ NTSTATUS ErrorStatus,
+ ULONG NumberOfParameters,
+ ULONG UnicodeStringParameterMask,
+ PULONG_PTR Parameters,
+ ULONG ValidResponseOptions,
+ PULONG Response
+);
+
+NTSTATUS SCReadFile(
+ HANDLE FileHandle,
+ HANDLE Event OPTIONAL,
+ PIO_APC_ROUTINE ApcRoutine OPTIONAL,
+ PVOID ApcContext OPTIONAL,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PVOID Buffer,
+ ULONG Length,
+ PLARGE_INTEGER ByteOffset OPTIONAL,
+ PULONG Key OPTIONAL
+);
+
+NTSTATUS SCReadFileScatter(
+ HANDLE FileHandle,
+ HANDLE Event OPTIONAL,
+ PIO_APC_ROUTINE ApcRoutine OPTIONAL,
+ PVOID ApcContext OPTIONAL,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PFILE_SEGMENT_ELEMENT SegmentArray,
+ ULONG Length,
+ PLARGE_INTEGER ByteOffset OPTIONAL,
+ PULONG Key OPTIONAL
+);
+
+NTSTATUS SCReadOnlyEnlistment(
+ HANDLE EnlistmentHandle,
+ PLARGE_INTEGER TmVirtualClock OPTIONAL
+);
+
+NTSTATUS SCReadRequestData(
+ HANDLE PortHandle,
+ PPORT_MESSAGE Message,
+ ULONG DataEntryIndex,
+ PVOID Buffer,
+ SIZE_T BufferSize,
+ PSIZE_T NumberOfBytesRead OPTIONAL
+);
+
+NTSTATUS SCReadVirtualMemory(
+ HANDLE ProcessHandle,
+ PVOID BaseAddress OPTIONAL,
+ PVOID Buffer,
+ SIZE_T NumberOfBytesToRead,
+ PSIZE_T NumberOfBytesRead OPTIONAL
+);
+
+NTSTATUS SCReadVirtualMemoryEx(
+ HANDLE ProcessHandle,
+ PVOID BaseAddress OPTIONAL,
+ PVOID Buffer,
+ SIZE_T NumberOfBytesToRead,
+ PSIZE_T NumberOfBytesRead OPTIONAL,
+ ULONG Flags
+);
+
+NTSTATUS SCRecoverEnlistment(
+ HANDLE EnlistmentHandle,
+ PVOID EnlistmentKey OPTIONAL
+);
+
+NTSTATUS SCRecoverResourceManager(
+ HANDLE ResourceManagerHandle
+);
+
+NTSTATUS SCRecoverTransactionManager(
+ HANDLE TransactionManagerHandle
+);
+
+NTSTATUS SCRegisterProtocolAddressInformation(
+ HANDLE ResourceManager,
+ PCRM_PROTOCOL_ID ProtocolId,
+ ULONG ProtocolInformationSize,
+ PVOID ProtocolInformation,
+ ULONG CreateOptions
+);
+
+NTSTATUS SCRegisterThreadTerminatePort(
+ HANDLE PortHandle
+);
+
+NTSTATUS SCReleaseKeyedEvent(
+ HANDLE KeyedEventHandle OPTIONAL,
+ PVOID KeyValue,
+ BOOLEAN Alertable,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCReleaseMutant(
+ HANDLE MutantHandle,
+ PLONG PreviousCount OPTIONAL
+);
+
+NTSTATUS SCReleaseSemaphore(
+ HANDLE SemaphoreHandle,
+ LONG ReleaseCount,
+ PLONG PreviousCount OPTIONAL
+);
+
+NTSTATUS SCReleaseWorkerFactoryWorker(
+ HANDLE WorkerFactoryHandle
+);
+
+NTSTATUS SCRemoveIoCompletion(
+ HANDLE IoCompletionHandle,
+ PVOID * KeyContext,
+ PVOID * ApcContext,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCRemoveIoCompletionEx(
+ HANDLE IoCompletionHandle,
+ PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation,
+ ULONG Count,
+ PULONG NumEntriesRemoved,
+ PLARGE_INTEGER Timeout OPTIONAL,
+ BOOLEAN Alertable
+);
+
+NTSTATUS SCRemoveProcessDebug(
+ HANDLE 
ProcessHandle,
+ HANDLE DebugObjectHandle
+);
+
+NTSTATUS SCRenameKey(
+ HANDLE KeyHandle,
+ PUNICODE_STRING NewName
+);
+
+NTSTATUS SCRenameTransactionManager(
+ PUNICODE_STRING LogFileName,
+ LPGUID ExistingTransactionManagerGuid
+);
+
+NTSTATUS SCReplaceKey(
+ POBJECT_ATTRIBUTES NewFile,
+ HANDLE TargetHandle,
+ POBJECT_ATTRIBUTES OldFile
+);
+
+NTSTATUS SCReplacePartitionUnit(
+ PUNICODE_STRING TargetInstancePath,
+ PUNICODE_STRING SpareInstancePath,
+ ULONG Flags
+);
+
+NTSTATUS SCReplyPort(
+ HANDLE PortHandle,
+ PPORT_MESSAGE ReplyMessage
+);
+
+NTSTATUS SCReplyWaitReceivePort(
+ HANDLE PortHandle,
+ PVOID * PortContext OPTIONAL,
+ PPORT_MESSAGE RequestMessage,
+ PPORT_MESSAGE ReplyMessage
+);
+
+NTSTATUS SCReplyWaitReceivePortEx(
+ HANDLE PortHandle,
+ PVOID * PortContext OPTIONAL,
+ PPORT_MESSAGE RequestMessage,
+ PPORT_MESSAGE ReplyMessage,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCReplyWaitReplyPort(
+ HANDLE PortHandle,
+ PPORT_MESSAGE ReplyMessage
+);
+
+NTSTATUS SCRequestPort(
+ HANDLE PortHandle,
+ PPORT_MESSAGE RequestMessage
+);
+
+NTSTATUS SCRequestWaitReplyPort(
+ HANDLE PortHandle,
+ PPORT_MESSAGE RequestMessage,
+ PPORT_MESSAGE ReplyMessage
+);
+
+NTSTATUS SCResetEvent(
+ HANDLE EventHandle,
+ PLONG PreviousState OPTIONAL
+);
+
+NTSTATUS SCResetWriteWatch(
+ HANDLE ProcessHandle,
+ PVOID BaseAddress,
+ SIZE_T RegionSize
+);
+
+NTSTATUS SCRestoreKey(
+ HANDLE KeyHandle,
+ HANDLE FileHandle,
+ ULONG Flags
+);
+
+NTSTATUS SCResumeProcess(
+ HANDLE ProcessHandle
+);
+
+NTSTATUS SCResumeThread(
+ HANDLE ThreadHandle,
+ PULONG PreviousSuspendCount
+);
+
+NTSTATUS SCRevertContainerImpersonation(VOID);
+
+NTSTATUS SCRollbackComplete(
+ HANDLE EnlistmentHandle,
+ PLARGE_INTEGER TmVirtualClock OPTIONAL
+);
+
+NTSTATUS SCRollbackEnlistment(
+ HANDLE EnlistmentHandle,
+ PLARGE_INTEGER TmVirtualClock OPTIONAL
+);
+
+NTSTATUS SCRollbackRegistryTransaction(
+ HANDLE RegistryTransactionHandle,
+ ULONG Flags
+);
+
+NTSTATUS SCRollbackTransaction(
+ 
HANDLE TransactionHandle,
+ BOOLEAN Wait
+);
+
+NTSTATUS SCRollforwardTransactionManager(
+ HANDLE TransactionManagerHandle,
+ PLARGE_INTEGER TmVirtualClock OPTIONAL
+);
+
+NTSTATUS SCSaveKey(
+ HANDLE KeyHandle,
+ HANDLE FileHandle
+);
+
+NTSTATUS SCSaveKeyEx(
+ HANDLE KeyHandle,
+ HANDLE FileHandle,
+ ULONG Format
+);
+
+NTSTATUS SCSaveMergedKeys(
+ HANDLE HighPrecedenceKeyHandle,
+ HANDLE LowPrecedenceKeyHandle,
+ HANDLE FileHandle
+);
+
+NTSTATUS SCSecureConnectPort(
+ PHANDLE PortHandle,
+ PUNICODE_STRING PortName,
+ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+ PPORT_VIEW ClientView OPTIONAL,
+ PSID RequiredServerSid OPTIONAL,
+ PREMOTE_PORT_VIEW ServerView OPTIONAL,
+ PULONG MaxMessageLength OPTIONAL,
+ PVOID ConnectionInformation OPTIONAL,
+ PULONG ConnectionInformationLength OPTIONAL
+);
+
+NTSTATUS SCSerializeBoot(VOID);
+
+NTSTATUS SCSetBootEntryOrder(
+ PULONG Ids,
+ ULONG Count
+);
+
+NTSTATUS SCSetBootOptions(
+ PBOOT_OPTIONS BootOptions,
+ ULONG FieldsToChange
+);
+
+NTSTATUS SCSetCachedSigningLevel(
+ ULONG Flags,
+ SE_SIGNING_LEVEL InputSigningLevel,
+ PHANDLE SourceFiles,
+ ULONG SourceFileCount,
+ HANDLE TargetFile OPTIONAL
+);
+
+NTSTATUS SCSetCachedSigningLevel2(
+ ULONG Flags,
+ SE_SIGNING_LEVEL InputSigningLevel,
+ PHANDLE SourceFiles,
+ ULONG SourceFileCount,
+ HANDLE TargetFile OPTIONAL,
+ SE_SET_FILE_CACHE_INFORMATION * CacheInformation OPTIONAL
+);
+
+NTSTATUS SCSetContextThread(
+ HANDLE ThreadHandle,
+ PCONTEXT ThreadContext
+);
+
+NTSTATUS SCSetDebugFilterState(
+ ULONG ComponentId,
+ ULONG Level,
+ BOOLEAN State
+);
+
+NTSTATUS SCSetDefaultHardErrorPort(
+ HANDLE DefaultHardErrorPort
+);
+
+NTSTATUS SCSetDefaultLocale(
+ BOOLEAN UserProfile,
+ LCID DefaultLocaleId
+);
+
+NTSTATUS SCSetDefaultUILanguage(
+ LANGID DefaultUILanguageId
+);
+
+NTSTATUS SCSetDriverEntryOrder(
+ PULONG Ids,
+ ULONG Count
+);
+
+NTSTATUS SCSetEaFile(
+ HANDLE FileHandle,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PVOID Buffer,
+ ULONG Length
+);
+
+NTSTATUS 
SCSetEvent(
+ HANDLE EventHandle,
+ PLONG PreviousState OPTIONAL
+);
+
+NTSTATUS SCSetEventBoostPriority(
+ HANDLE EventHandle
+);
+
+NTSTATUS SCSetHighEventPair(
+ HANDLE EventPairHandle
+);
+
+NTSTATUS SCSetHighWaitLowEventPair(
+ HANDLE EventPairHandle
+);
+
+NTSTATUS SCSetIRTimer(
+ HANDLE TimerHandle,
+ PLARGE_INTEGER DueTime OPTIONAL
+);
+
+NTSTATUS SCSetInformationCpuPartition(
+ HANDLE CpuPartitionHandle,
+ ULONG CpuPartitionInformationClass,
+ PVOID CpuPartitionInformation,
+ ULONG CpuPartitionInformationLength,
+ PVOID Reserved1 OPTIONAL,
+ ULONG Reserved2 OPTIONAL,
+ ULONG Reserved3 OPTIONAL
+);
+
+NTSTATUS SCSetInformationDebugObject(
+ HANDLE DebugObjectHandle,
+ DEBUGOBJECTINFOCLASS DebugObjectInformationClass,
+ PVOID DebugInformation,
+ ULONG DebugInformationLength,
+ PULONG ReturnLength OPTIONAL
+);
+
+NTSTATUS SCSetInformationEnlistment(
+ HANDLE EnlistmentHandle OPTIONAL,
+ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
+ PVOID EnlistmentInformation,
+ ULONG EnlistmentInformationLength
+);
+
+NTSTATUS SCSetInformationFile(
+ HANDLE FileHandle,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PVOID FileInformation,
+ ULONG Length,
+ FILE_INFORMATION_CLASS FileInformationClass
+);
+
+NTSTATUS SCSetInformationIoRing(
+ HANDLE IoRingHandle,
+ ULONG IoRingInformationClass,
+ ULONG IoRingInformationLength,
+ PVOID IoRingInformation
+);
+
+NTSTATUS SCSetInformationJobObject(
+ HANDLE JobHandle,
+ JOBOBJECTINFOCLASS JobObjectInformationClass,
+ PVOID JobObjectInformation,
+ ULONG JobObjectInformationLength
+);
+
+NTSTATUS SCSetInformationKey(
+ HANDLE KeyHandle,
+ KEY_SET_INFORMATION_CLASS KeySetInformationClass,
+ PVOID KeySetInformation,
+ ULONG KeySetInformationLength
+);
+
+NTSTATUS SCSetInformationObject(
+ HANDLE Handle,
+ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+ PVOID ObjectInformation,
+ ULONG ObjectInformationLength
+);
+
+NTSTATUS SCSetInformationProcess(
+ HANDLE ProcessHandle,
+ PROCESSINFOCLASS ProcessInformationClass,
+ PVOID 
ProcessInformation,
+ ULONG ProcessInformationLength
+);
+
+NTSTATUS SCSetInformationResourceManager(
+ HANDLE ResourceManagerHandle,
+ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
+ PVOID ResourceManagerInformation,
+ ULONG ResourceManagerInformationLength
+);
+
+NTSTATUS SCSetInformationSymbolicLink(
+ HANDLE LinkHandle,
+ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass,
+ PVOID SymbolicLinkInformation,
+ ULONG SymbolicLinkInformationLength
+);
+
+NTSTATUS SCSetInformationThread(
+ HANDLE ThreadHandle,
+ THREADINFOCLASS ThreadInformationClass,
+ PVOID ThreadInformation,
+ ULONG ThreadInformationLength
+);
+
+NTSTATUS SCSetInformationToken(
+ HANDLE TokenHandle,
+ TOKEN_INFORMATION_CLASS TokenInformationClass,
+ PVOID TokenInformation,
+ ULONG TokenInformationLength
+);
+
+NTSTATUS SCSetInformationTransaction(
+ HANDLE TransactionHandle,
+ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
+ PVOID TransactionInformation,
+ ULONG TransactionInformationLength
+);
+
+NTSTATUS SCSetInformationTransactionManager(
+ HANDLE TmHandle OPTIONAL,
+ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
+ PVOID TransactionManagerInformation,
+ ULONG TransactionManagerInformationLength
+);
+
+NTSTATUS SCSetInformationVirtualMemory(
+ HANDLE ProcessHandle,
+ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass,
+ SIZE_T NumberOfEntries,
+ PMEMORY_RANGE_ENTRY VirtualAddresses,
+ PVOID VmInformation,
+ ULONG VmInformationLength
+);
+
+NTSTATUS SCSetInformationWorkerFactory(
+ HANDLE WorkerFactoryHandle,
+ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
+ PVOID WorkerFactoryInformation,
+ ULONG WorkerFactoryInformationLength
+);
+
+NTSTATUS SCSetIntervalProfile(
+ ULONG Interval,
+ KPROFILE_SOURCE Source
+);
+
+NTSTATUS SCSetIoCompletion(
+ HANDLE IoCompletionHandle,
+ PVOID KeyContext OPTIONAL,
+ PVOID ApcContext OPTIONAL,
+ NTSTATUS IoStatus,
+ ULONG_PTR IoStatusInformation
+);
+
+NTSTATUS SCSetIoCompletionEx(
+ HANDLE 
IoCompletionHandle,
+ HANDLE IoCompletionPacketHandle,
+ PVOID KeyContext OPTIONAL,
+ PVOID ApcContext OPTIONAL,
+ NTSTATUS IoStatus,
+ ULONG_PTR IoStatusInformation
+);
+
+NTSTATUS SCSetLdtEntries(
+ ULONG Selector0,
+ ULONG Entry0Low,
+ ULONG Entry0Hi,
+ ULONG Selector1,
+ ULONG Entry1Low,
+ ULONG Entry1Hi
+);
+
+NTSTATUS SCSetLowEventPair(
+ HANDLE EventPairHandle
+);
+
+NTSTATUS SCSetLowWaitHighEventPair(
+ HANDLE EventPairHandle
+);
+
+NTSTATUS SCSetQuotaInformationFile(
+ HANDLE FileHandle,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PVOID Buffer,
+ ULONG Length
+);
+
+NTSTATUS SCSetSecurityObject(
+ HANDLE Handle,
+ SECURITY_INFORMATION SecurityInformation,
+ PSECURITY_DESCRIPTOR SecurityDescriptor
+);
+
+NTSTATUS SCSetSystemEnvironmentValue(
+ PCUNICODE_STRING VariableName,
+ PCUNICODE_STRING VariableValue
+);
+
+NTSTATUS SCSetSystemEnvironmentValueEx(
+ PCUNICODE_STRING VariableName,
+ PCGUID VendorGuid,
+ PVOID Buffer OPTIONAL,
+ ULONG BufferLength,
+ ULONG Attributes
+);
+
+NTSTATUS SCSetSystemInformation(
+ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ PVOID SystemInformation,
+ ULONG SystemInformationLength
+);
+
+NTSTATUS SCSetSystemPowerState(
+ POWER_ACTION SystemAction,
+ SYSTEM_POWER_STATE LightestSystemState,
+ ULONG Flags
+);
+
+NTSTATUS SCSetSystemTime(
+ PLARGE_INTEGER SystemTime OPTIONAL,
+ PLARGE_INTEGER PreviousTime OPTIONAL
+);
+
+NTSTATUS SCSetThreadExecutionState(
+ EXECUTION_STATE NewFlags,
+ EXECUTION_STATE * PreviousFlags
+);
+
+NTSTATUS SCSetTimer(
+ HANDLE TimerHandle,
+ PLARGE_INTEGER DueTime,
+ PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL,
+ PVOID TimerContext OPTIONAL,
+ BOOLEAN ResumeTimer,
+ LONG Period OPTIONAL,
+ PBOOLEAN PreviousState OPTIONAL
+);
+
+NTSTATUS SCSetTimer2(
+ HANDLE TimerHandle,
+ PLARGE_INTEGER DueTime,
+ PLARGE_INTEGER Period OPTIONAL,
+ PT2_SET_PARAMETERS Parameters
+);
+
+NTSTATUS SCSetTimerEx(
+ HANDLE TimerHandle,
+ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,
+ PVOID TimerSetInformation,
+ ULONG 
TimerSetInformationLength
+);
+
+NTSTATUS SCSetTimerResolution(
+ ULONG DesiredTime,
+ BOOLEAN SetResolution,
+ PULONG ActualTime
+);
+
+NTSTATUS SCSetUuidSeed(
+ PCHAR Seed
+);
+
+NTSTATUS SCSetValueKey(
+ HANDLE KeyHandle,
+ PUNICODE_STRING ValueName,
+ ULONG TitleIndex OPTIONAL,
+ ULONG Type,
+ PVOID Data OPTIONAL,
+ ULONG DataSize
+);
+
+NTSTATUS SCSetVolumeInformationFile(
+ HANDLE FileHandle,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PVOID FsInformation,
+ ULONG Length,
+ SYSK_FSINFOCLASS FsInformationClass
+);
+
+NTSTATUS SCSetWnfProcessNotificationEvent(
+ HANDLE NotificationEvent
+);
+
+NTSTATUS SCShutdownSystem(
+ SHUTDOWN_ACTION Action
+);
+
+NTSTATUS SCShutdownWorkerFactory(
+ HANDLE WorkerFactoryHandle,
+ volatile LONG * PendingWorkerCount
+);
+
+NTSTATUS SCSignalAndWaitForSingleObject(
+ HANDLE SignalHandle,
+ HANDLE WaitHandle,
+ BOOLEAN Alertable,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCSinglePhaseReject(
+ HANDLE EnlistmentHandle,
+ PLARGE_INTEGER TmVirtualClock OPTIONAL
+);
+
+NTSTATUS SCStartProfile(
+ HANDLE ProfileHandle
+);
+
+NTSTATUS SCStopProfile(
+ HANDLE ProfileHandle
+);
+
+NTSTATUS SCSubmitIoRing(
+ HANDLE IoRingHandle,
+ ULONG Flags,
+ ULONG WaitOperations OPTIONAL,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCSubscribeWnfStateChange(
+ PCWNF_STATE_NAME StateName,
+ WNF_CHANGE_STAMP ChangeStamp OPTIONAL,
+ ULONG EventMask,
+ PULONG64 SubscriptionId OPTIONAL
+);
+
+NTSTATUS SCSuspendProcess(
+ HANDLE ProcessHandle
+);
+
+NTSTATUS SCSuspendThread(
+ HANDLE ThreadHandle,
+ PULONG PreviousSuspendCount
+);
+
+NTSTATUS SCSystemDebugControl(
+ SYSDBG_COMMAND Command,
+ PVOID InputBuffer OPTIONAL,
+ ULONG InputBufferLength,
+ PVOID OutputBuffer OPTIONAL,
+ ULONG OutputBufferLength,
+ PULONG ReturnLength OPTIONAL
+);
+
+NTSTATUS SCTerminateEnclave(
+ PVOID BaseAddress,
+ ULONG Flags
+);
+
+NTSTATUS SCTerminateJobObject(
+ HANDLE JobHandle,
+ NTSTATUS ExitStatus
+);
+
+NTSTATUS SCTerminateProcess(
+ HANDLE ProcessHandle OPTIONAL,
+ 
NTSTATUS ExitStatus
+);
+
+NTSTATUS SCTerminateThread(
+ HANDLE ThreadHandle OPTIONAL,
+ NTSTATUS ExitStatus
+);
+
+NTSTATUS SCTestAlert(VOID);
+
+NTSTATUS SCThawRegistry(VOID);
+
+NTSTATUS SCThawTransactions(VOID);
+
+NTSTATUS SCTraceControl(
+ ETWTRACECONTROLCODE FunctionCode,
+ PVOID InputBuffer OPTIONAL,
+ ULONG InputBufferLength,
+ PVOID OutputBuffer OPTIONAL,
+ ULONG OutputBufferLength,
+ PULONG ReturnLength OPTIONAL
+);
+
+NTSTATUS SCTraceEvent(
+ HANDLE TraceHandle,
+ ULONG Flags,
+ ULONG FieldSize,
+ PVOID Fields
+);
+
+NTSTATUS SCTranslateFilePath(
+ PFILE_PATH InputFilePath,
+ ULONG OutputType,
+ PFILE_PATH OutputFilePath,
+ PULONG OutputFilePathLength OPTIONAL
+);
+
+NTSTATUS SCUmsThreadYield(
+ PVOID SchedulerParam
+);
+
+NTSTATUS SCUnloadDriver(
+ PUNICODE_STRING DriverServiceName
+);
+
+NTSTATUS SCUnloadKey(
+ POBJECT_ATTRIBUTES TargetKey
+);
+
+NTSTATUS SCUnloadKey2(
+ POBJECT_ATTRIBUTES TargetKey,
+ ULONG Flags
+);
+
+NTSTATUS SCUnloadKeyEx(
+ POBJECT_ATTRIBUTES TargetKey,
+ HANDLE Event OPTIONAL
+);
+
+NTSTATUS SCUnlockFile(
+ HANDLE FileHandle,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PLARGE_INTEGER ByteOffset,
+ PLARGE_INTEGER Length,
+ ULONG Key
+);
+
+NTSTATUS SCUnlockVirtualMemory(
+ HANDLE ProcessHandle,
+ PVOID * BaseAddress,
+ PSIZE_T RegionSize,
+ ULONG MapType
+);
+
+NTSTATUS SCUnsubscribeWnfStateChange(
+ PCWNF_STATE_NAME StateName
+);
+
+NTSTATUS SCUnmapViewOfSection(
+ HANDLE ProcessHandle,
+ PVOID BaseAddress OPTIONAL
+);
+
+NTSTATUS SCUnmapViewOfSectionEx(
+ HANDLE ProcessHandle,
+ PVOID BaseAddress OPTIONAL,
+ ULONG Flags
+);
+
+NTSTATUS SCUpdateWnfStateData(
+ PCWNF_STATE_NAME StateName,
+ const VOID * Buffer OPTIONAL,
+ ULONG Length OPTIONAL,
+ PCWNF_TYPE_ID TypeId OPTIONAL,
+ const VOID * ExplicitScope OPTIONAL,
+ WNF_CHANGE_STAMP MatchingChangeStamp,
+ LOGICAL CheckStamp
+);
+
+NTSTATUS SCVdmControl(
+ VDMSERVICECLASS Service,
+ PVOID ServiceData
+);
+
+NTSTATUS SCWaitForAlertByThreadId(
+ PVOID Address OPTIONAL,
+ PLARGE_INTEGER 
Timeout OPTIONAL
+);
+
+NTSTATUS SCWaitForDebugEvent(
+ HANDLE DebugObjectHandle,
+ BOOLEAN Alertable,
+ PLARGE_INTEGER Timeout OPTIONAL,
+ PDBGUI_WAIT_STATE_CHANGE WaitStateChange
+);
+
+NTSTATUS SCWaitForKeyedEvent(
+ HANDLE KeyedEventHandle OPTIONAL,
+ PVOID KeyValue,
+ BOOLEAN Alertable,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCWaitForMultipleObjects(
+ ULONG Count,
+ HANDLE Handles[],
+ WAIT_TYPE WaitType,
+ BOOLEAN Alertable,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCWaitForMultipleObjects32(
+ ULONG Count,
+ LONG Handles[],
+ WAIT_TYPE WaitType,
+ BOOLEAN Alertable,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCWaitForSingleObject(
+ HANDLE Handle,
+ BOOLEAN Alertable,
+ PLARGE_INTEGER Timeout OPTIONAL
+);
+
+NTSTATUS SCWaitForWorkViaWorkerFactory(
+ HANDLE WorkerFactoryHandle,
+ PFILE_IO_COMPLETION_INFORMATION MiniPackets,
+ ULONG Count,
+ PULONG PacketsReturned,
+ PWORKER_FACTORY_DEFERRED_WORK DeferredWork
+);
+
+NTSTATUS SCWaitHighEventPair(
+ HANDLE EventPairHandle
+);
+
+NTSTATUS SCWaitLowEventPair(
+ HANDLE EventPairHandle
+);
+
+NTSTATUS SCWorkerFactoryWorkerReady(
+ HANDLE WorkerFactoryHandle
+);
+
+NTSTATUS SCWriteFile(
+ HANDLE FileHandle,
+ HANDLE Event OPTIONAL,
+ PIO_APC_ROUTINE ApcRoutine OPTIONAL,
+ PVOID ApcContext OPTIONAL,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PVOID Buffer,
+ ULONG Length,
+ PLARGE_INTEGER ByteOffset OPTIONAL,
+ PULONG Key OPTIONAL
+);
+
+NTSTATUS SCWriteFileGather(
+ HANDLE FileHandle,
+ HANDLE Event OPTIONAL,
+ PIO_APC_ROUTINE ApcRoutine OPTIONAL,
+ PVOID ApcContext OPTIONAL,
+ PIO_STATUS_BLOCK IoStatusBlock,
+ PFILE_SEGMENT_ELEMENT SegmentArray,
+ ULONG Length,
+ PLARGE_INTEGER ByteOffset OPTIONAL,
+ PULONG Key OPTIONAL
+);
+
+NTSTATUS SCWriteRequestData(
+ HANDLE PortHandle,
+ PPORT_MESSAGE Message,
+ ULONG DataEntryIndex,
+ PVOID Buffer,
+ SIZE_T BufferSize,
+ PSIZE_T NumberOfBytesWritten OPTIONAL
+);
+
+NTSTATUS SCWriteVirtualMemory(
+ HANDLE ProcessHandle,
+ PVOID BaseAddress,
+ PVOID Buffer,
+ SIZE_T NumberOfBytesToWrite,
+ PSIZE_T NumberOfBytesWritten
+);
+
+NTSTATUS SCYieldExecution(VOID);
+
+#ifdef __cplusplus
+}
+#endif
+ #endif
\ No newline at end of file
diff --git a/SysCallerK/Wrapper/include/SysK/sysTypes_k.h b/SysCallerK/Wrapper/include/SysK/SysKTypes.h
similarity index 96%
rename from SysCallerK/Wrapper/include/SysK/sysTypes_k.h
rename to SysCallerK/Wrapper/include/SysK/SysKTypes.h
index dc83c88..054d49a 100644
--- a/SysCallerK/Wrapper/include/SysK/sysTypes_k.h
+++ b/SysCallerK/Wrapper/include/SysK/SysKTypes.h
@@ -1,1081 +1,1081 @@
-#pragma once
-
-#include
-#include
-
-/* Forward declarations for cyclic dependencies */
-typedef struct _ACTIVATION_CONTEXT* PACTIVATION_CONTEXT;
-typedef struct _ACTIVATION_CONTEXT_DATA* PACTIVATION_CONTEXT_DATA;
-typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
-typedef struct _ACTIVATION_CONTEXT_STACK* PACTIVATION_CONTEXT_STACK;
-typedef struct _TEB* PTEB;
-
-// #define USE_PISID /* Uncomment this line to use PISID instead of PSID */
-#define USE_DYNAMIC_ARRAY /* Uncomment this line to use dynamic array */
-#define USE_POINTER_SUBAUTH /* Uncomment this line to use pointer to an array for SubAuthority */
-
-/* APC Routines */
-typedef VOID(NTAPI * PPS_APC_ROUTINE)(
- _In_opt_ PVOID ApcArgument1,
- _In_opt_ PVOID ApcArgument2,
- _In_opt_ PVOID ApcArgument3
- );
-
-typedef VOID(NTAPI * TIMER_APC_ROUTINE)(
- _In_ PVOID TimerContext,
- _In_ ULONG TimerLowValue,
- _In_ LONG TimerHighValue
- );
-
-typedef VOID(NTAPI * PUSER_THREAD_START_ROUTINE)(
- _In_ PVOID ThreadParameter
- );
-
-typedef VOID(NTAPI * IO_APC_ROUTINE)(
- _In_ PVOID ApcContext,
- _In_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ ULONG Reserved
- );
-
-typedef VOID(NTAPI * PENCLAVE_ROUTINE)(VOID);
-
-/* User Thread Start Routine */
-typedef VOID(*PUSER_THREAD_START_ROUTINE)(PVOID);
-
-/* Timer APC Routine */
-
-typedef VOID(NTAPI* PACTIVATION_CONTEXT_NOTIFY_ROUTINE)(
- _In_ ULONG NotificationType, /* ACTIVATION_CONTEXT_NOTIFICATION_* */
- _In_ PACTIVATION_CONTEXT ActivationContext,
- _In_ PACTIVATION_CONTEXT_DATA ActivationContextData,
- _In_opt_ PVOID NotificationContext,
- _In_opt_ PVOID NotificationData,
- _Inout_ PBOOLEAN DisableThisNotification
- );
-
-/* Activation Context Data */
-typedef struct _ACTIVATION_CONTEXT_DATA
-{
- ULONG Magic;
- ULONG HeaderSize;
- ULONG FormatVersion;
- ULONG TotalSize;
- ULONG DefaultTocOffset; /* to ACTIVATION_CONTEXT_DATA_TOC_HEADER */
- ULONG ExtendedTocOffset; /* to 
ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER */
- ULONG AssemblyRosterOffset; /* to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER */
- ULONG Flags; /* ACTIVATION_CONTEXT_FLAG_* */
-} ACTIVATION_CONTEXT_DATA, * PACTIVATION_CONTEXT_DATA;
-
-/* Assembly Storage Map Entry */
-typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY
-{
- ULONG Flags;
- UNICODE_STRING DosPath;
- HANDLE Handle;
-} ASSEMBLY_STORAGE_MAP_ENTRY, * PASSEMBLY_STORAGE_MAP_ENTRY;
-
-/* Assembly Storage Map */
-typedef struct _ASSEMBLY_STORAGE_MAP
-{
- ULONG Flags;
- ULONG AssemblyCount;
- PASSEMBLY_STORAGE_MAP_ENTRY* AssemblyArray;
-} ASSEMBLY_STORAGE_MAP, * PASSEMBLY_STORAGE_MAP;
-
-/* Activation Context */
-typedef struct _ACTIVATION_CONTEXT
-{
- LONG RefCount;
- ULONG Flags;
- PACTIVATION_CONTEXT_DATA ActivationContextData;
- PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine;
- PVOID NotificationContext;
- ULONG SentNotifications[8];
- ULONG DisabledNotifications[8];
- ASSEMBLY_STORAGE_MAP StorageMap;
- PASSEMBLY_STORAGE_MAP_ENTRY InlineStorageMapEntries[32];
-} ACTIVATION_CONTEXT, * PACTIVATION_CONTEXT;
-
-/* RTL Activation Context Stack Frame */
-typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME
-{
- struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
- PACTIVATION_CONTEXT ActivationContext;
- ULONG Flags; /* RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* */
-} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
-
-/* Activation Context Stack Frame */
-typedef struct _ACTIVATION_CONTEXT_STACK
-{
- PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
- LIST_ENTRY FrameListCache;
- ULONG Flags; /* ACTIVATION_CONTEXT_STACK_FLAG_* */
- ULONG NextCookieSequenceNumber;
- ULONG StackId;
-} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
-
-/* Boot Options */
-typedef struct _BOOT_OPTIONS
-{
- ULONG Version;
- ULONG Length;
- ULONG Timeout;
- ULONG CurrentBootEntryId;
- ULONG NextBootEntryId;
- WCHAR HeadlessRedirection[1];
-} BOOT_OPTIONS, * PBOOT_OPTIONS;
-
-typedef struct _CURDIR 
-{
- UNICODE_STRING DosPath;
- HANDLE Handle;
-} CURDIR, * PCURDIR;
-
-/* CM Extended Parameter */
-typedef struct DECLSPEC_ALIGN(8) _CM_EXTENDED_PARAMETER
-{
- /* Bit field for the type of the extended parameter */
- struct
- {
- ULONG64 Type : CM_EXTENDED_PARAMETER_TYPE_BITS; /* Type of the extended parameter */
- ULONG64 Reserved : 64 - CM_EXTENDED_PARAMETER_TYPE_BITS; /* Reserved bits for future use */
- };
- /* Union to hold different types of data */
- union
- {
- ULONG64 ULong64; /* 64-bit unsigned long */
- PVOID Pointer; /* Pointer to any type */
- SIZE_T Size; /* Size type */
- HANDLE Handle; /* Handle type */
- ULONG ULong; /* 32-bit unsigned long */
- ACCESS_MASK AccessMask; /* Access mask type */
- };
-} CM_EXTENDED_PARAMETER, * PCM_EXTENDED_PARAMETER;
-
-/* DBGKM Create Thread */
-typedef struct _DBGKM_CREATE_THREAD
-{
- ULONG SubSystemKey;
- PVOID StartAddress;
-} DBGKM_CREATE_THREAD, * PDBGKM_CREATE_THREAD;
-
-/* DBGKM Create Process */
-typedef struct _DBGKM_CREATE_PROCESS
-{
- ULONG SubSystemKey;
- HANDLE FileHandle;
- PVOID BaseOfImage;
- ULONG DebugInfoFileOffset;
- ULONG DebugInfoSize;
- DBGKM_CREATE_THREAD InitialThread;
-} DBGKM_CREATE_PROCESS, * PDBGKM_CREATE_PROCESS;
-
-/* DBGKM Exception */
-typedef struct _DBGKM_EXCEPTION
-{
- EXCEPTION_RECORD ExceptionRecord;
- ULONG FirstChance;
-} DBGKM_EXCEPTION, * PDBGKM_EXCEPTION;
-
-/* DBGKM Exit Thread */
-typedef struct _DBGKM_EXIT_THREAD
-{
- NTSTATUS ExitStatus;
-} DBGKM_EXIT_THREAD, * PDBGKM_EXIT_THREAD;
-
-/* DBGKM Exit Process */
-typedef struct _DBGKM_EXIT_PROCESS
-{
- NTSTATUS ExitStatus;
-} DBGKM_EXIT_PROCESS, * PDBGKM_EXIT_PROCESS;
-
-/* DBGKM Load DLL */
-typedef struct _DBGKM_LOAD_DLL
-{
- HANDLE FileHandle;
- PVOID BaseOfDll;
- ULONG DebugInfoFileOffset;
- ULONG DebugInfoSize;
- PVOID NamePointer;
-} DBGKM_LOAD_DLL, * PDBGKM_LOAD_DLL;
-
-/* DBGKM Unload DLL */
-typedef struct _DBGKM_UNLOAD_DLL
-{
- PVOID BaseAddress;
-} DBGKM_UNLOAD_DLL, * PDBGKM_UNLOAD_DLL;
-
-/* DBGUI Create Thread 
*/
-typedef struct _DBGUI_CREATE_THREAD
-{
- HANDLE HandleToThread;
- DBGKM_CREATE_THREAD NewThread;
-} DBGUI_CREATE_THREAD, * PDBGUI_CREATE_THREAD;
-
-/* DBGUI Create Process */
-typedef struct _DBGUI_CREATE_PROCESS
-{
- HANDLE HandleToProcess;
- HANDLE HandleToThread;
- DBGKM_CREATE_PROCESS NewProcess;
-} DBGUI_CREATE_PROCESS, * PDBGUI_CREATE_PROCESS;
-
-/* DBGUI Wait State Change */
-typedef struct _DBGUI_WAIT_STATE_CHANGE
-{
- DBG_STATE NewState;
- CLIENT_ID AppClientId;
- union
- {
- DBGKM_EXCEPTION Exception;
- DBGUI_CREATE_THREAD CreateThread;
- DBGUI_CREATE_PROCESS CreateProcessInfo;
- DBGKM_EXIT_THREAD ExitThread;
- DBGKM_EXIT_PROCESS ExitProcess;
- DBGKM_LOAD_DLL LoadDll;
- DBGKM_UNLOAD_DLL UnloadDll;
- } StateInfo;
-} DBGUI_WAIT_STATE_CHANGE, * PDBGUI_WAIT_STATE_CHANGE;
-
-/* File Basic Information */
-typedef struct _SYSK_FILE_BASIC_INFORMATION
-{
- LARGE_INTEGER CreationTime; /* Specifies the time that the file was created. */
- LARGE_INTEGER LastAccessTime; /* Specifies the time that the file was last accessed. */
- LARGE_INTEGER LastWriteTime; /* Specifies the time that the file was last written to. */
- LARGE_INTEGER ChangeTime; /* Specifies the last time the file was changed. */
- ULONG FileAttributes; /* Specifies one or more FILE_ATTRIBUTE_XXX flags. 
*/
-} SYSK_FILE_BASIC_INFORMATION, * PSYSK_FILE_BASIC_INFORMATION;
-
-/* File IO Completion Information */
-typedef struct _FILE_IO_COMPLETION_INFORMATION
-{
- PVOID KeyContext;
- PVOID ApcContext;
- IO_STATUS_BLOCK IoStatusBlock;
-} FILE_IO_COMPLETION_INFORMATION, * PFILE_IO_COMPLETION_INFORMATION;
-
-/* File Network Open Information */
-typedef struct _SYSK_FILE_NETWORK_OPEN_INFORMATION
-{
- LARGE_INTEGER CreationTime;
- LARGE_INTEGER LastAccessTime;
- LARGE_INTEGER LastWriteTime;
- LARGE_INTEGER ChangeTime;
- LARGE_INTEGER AllocationSize;
- LARGE_INTEGER EndOfFile;
- ULONG FileAttributes;
-} SYSK_FILE_NETWORK_OPEN_INFORMATION, * PSYSK_FILE_NETWORK_OPEN_INFORMATION;
-
-/* File Path */
-typedef struct _FILE_PATH
-{
- ULONG Version;
- ULONG Length;
- ULONG Type;
- _Field_size_bytes_(Length) UCHAR FilePath[1];
-} FILE_PATH, * PFILE_PATH;
-
-/* GDI TEB Batch */
-typedef struct _GDI_TEB_BATCH
-{
- ULONG Offset;
- ULONG_PTR HDC;
- ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
-} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
-
-/* Initial TEB */
-typedef struct _INITIAL_TEB
-{
- struct
- {
- PVOID OldStackBase;
- PVOID OldStackLimit;
- } OldInitialTeb;
- PVOID StackBase;
- PVOID StackLimit;
- PVOID StackAllocationBase;
-} INITIAL_TEB, * PINITIAL_TEB;
-
-/* Job Set Arrary */
-typedef struct _JOB_SET_ARRAY {
- HANDLE JobHandle;
- DWORD MemberLevel;
- DWORD Flags;
-} JOB_SET_ARRAY, * PJOB_SET_ARRAY;
-
-/* Memory Range Entry */
-typedef struct _SYSK_MEMORY_RANGE_ENTRY
-{
- PVOID VirtualAddress;
- SIZE_T NumberOfBytes;
-} SYSK_MEMORY_RANGE_ENTRY, * PSYSK_MEMORY_RANGE_ENTRY;
-
-/* NTPSS Memory Bulk Information */
-typedef struct _NTPSS_MEMORY_BULK_INFORMATION
-{
- ULONG QueryFlags;
- ULONG NumberOfEntries;
- PVOID NextValidAddress;
-} NTPSS_MEMORY_BULK_INFORMATION, * PNTPSS_MEMORY_BULK_INFORMATION;
-
-/* Object Boundary Descriptor */
-typedef struct _OBJECT_BOUNDARY_DESCRIPTOR
-{
- ULONG Version;
- ULONG Items;
- ULONG TotalSize;
- union
- {
- ULONG Flags;
- struct
- {
- ULONG AddAppContainerSid : 
1;
- ULONG Reserved : 31;
- };
- };
- /* OBJECT_BOUNDARY_ENTRY Entries[1]; */
-} OBJECT_BOUNDARY_DESCRIPTOR, * POBJECT_BOUNDARY_DESCRIPTOR;
-
-/* PS Attribute */
-typedef struct _PS_ATTRIBUTE
-{
- ULONG_PTR Attribute;
- SIZE_T Size;
- union
- {
- ULONG_PTR Value;
- PVOID ValuePtr;
- };
- PSIZE_T ReturnLength;
-} PS_ATTRIBUTE, * PPS_ATTRIBUTE;
-
-/* PS Attribute List */
-typedef struct _PS_ATTRIBUTE_LIST
-{
- SIZE_T TotalLength;
- PS_ATTRIBUTE Attributes[1];
-} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;
-
-/* PS Create Info */
-typedef struct _PS_CREATE_INFO
-{
- SIZE_T Size;
- PS_CREATE_STATE State;
- union
- {
- /* PsCreateInitialState */
- struct
- {
- union
- {
- ULONG InitFlags;
- struct
- {
- UCHAR WriteOutputOnExit : 1;
- UCHAR DetectManifest : 1;
- UCHAR IFEOSkipDebugger : 1;
- UCHAR IFEODoNotPropagateKeyState : 1;
- UCHAR SpareBits1 : 4;
- UCHAR SpareBits2 : 8;
- USHORT ProhibitedImageCharacteristics : 16;
- };
- };
- ACCESS_MASK AdditionalFileAccess;
- } InitState;
- /* PsCreateFailOnSectionCreate */
- struct
- {
- HANDLE FileHandle;
- } FailSection;
- /* PsCreateFailExeFormat */
- struct
- {
- USHORT DllCharacteristics;
- } ExeFormat;
- /* PsCreateFailExeName */
- struct
- {
- HANDLE IFEOKey;
- } ExeName;
- /* PsCreateSuccess */
- struct
- {
- union
- {
- ULONG OutputFlags;
- struct
- {
- UCHAR ProtectedProcess : 1;
- UCHAR AddressSpaceOverride : 1;
- UCHAR DevOverrideEnabled : 1; /* from Image File Execution Options */
- UCHAR ManifestDetected : 1;
- UCHAR ProtectedProcessLight : 1;
- UCHAR SpareBits1 : 3;
- UCHAR SpareBits2 : 8;
- USHORT SpareBits3 : 16;
- };
- };
- HANDLE FileHandle;
- HANDLE SectionHandle;
- ULONGLONG UserProcessParametersNative;
- ULONG UserProcessParametersWow64;
- ULONG CurrentParameterFlags;
- ULONGLONG PebAddressNative;
- ULONG PebAddressWow64;
- ULONGLONG ManifestAddress;
- ULONG ManifestSize;
- } SuccessState;
- };
-} PS_CREATE_INFO, * PPS_CREATE_INFO;
-
-/* RTL Drive Letter Current Directory */
-typedef struct 
_RTL_DRIVE_LETTER_CURDIR
-{
- USHORT Flags;
- USHORT Length;
- ULONG TimeStamp;
- STRING DosPath;
-} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
-
-/* RTL User Process Parameters */
-typedef struct _RTL_USER_PROCESS_PARAMETERS
-{
- ULONG MaximumLength;
- ULONG Length;
-
- ULONG Flags;
- ULONG DebugFlags;
-
- HANDLE ConsoleHandle;
- ULONG ConsoleFlags;
- HANDLE StandardInput;
- HANDLE StandardOutput;
- HANDLE StandardError;
-
- CURDIR CurrentDirectory;
- UNICODE_STRING DllPath;
- UNICODE_STRING ImagePathName;
- UNICODE_STRING CommandLine;
- PVOID Environment;
-
- ULONG StartingX;
- ULONG StartingY;
- ULONG CountX;
- ULONG CountY;
- ULONG CountCharsX;
- ULONG CountCharsY;
- ULONG FillAttribute;
-
- ULONG WindowFlags;
- ULONG ShowWindowFlags;
- UNICODE_STRING WindowTitle;
- UNICODE_STRING DesktopInfo;
- UNICODE_STRING ShellInfo;
- UNICODE_STRING RuntimeData;
- RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
-
- ULONG_PTR EnvironmentSize;
- ULONG_PTR EnvironmentVersion;
-
- PVOID PackageDependencyData;
- ULONG ProcessGroupId;
- ULONG LoaderThreads;
- UNICODE_STRING RedirectionDllName; /* REDSTONE4 */
- UNICODE_STRING HeapPartitionName; /* 19H1 */
- PULONGLONG DefaultThreadpoolCpuSetMasks;
- ULONG DefaultThreadpoolCpuSetMaskCount;
- ULONG DefaultThreadpoolThreadMaximum;
- ULONG HeapMemoryTypeMask; /* WIN11 */
-} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
-
-/* SE File Cache Claim Information */
-typedef struct _SE_FILE_CACHE_CLAIM_INFORMATION
-{
- ULONG Size;
- PVOID Claim;
-} SE_FILE_CACHE_CLAIM_INFORMATION, * PSE_FILE_CACHE_CLAIM_INFORMATION;
-
-/* SE Set File Cache Information */
-typedef struct _SE_SET_FILE_CACHE_INFORMATION
-{
- ULONG Size;
- UNICODE_STRING CatalogDirectoryPath;
- SE_FILE_CACHE_CLAIM_INFORMATION OriginClaimInfo;
-} SE_SET_FILE_CACHE_INFORMATION, * PSE_SET_FILE_CACHE_INFORMATION;
-
-/* System Thread Information */
-typedef struct _SYSTEM_THREAD_INFORMATION
-{
- LARGE_INTEGER KernelTime; /* Number of 
100-nanosecond intervals spent executing kernel code. */ - LARGE_INTEGER UserTime; /* Number of 100-nanosecond intervals spent executing user code. */ - LARGE_INTEGER CreateTime; /* The date and time when the thread was created. */ - ULONG WaitTime; /* The current time spent in ready queue or waiting (depending on the thread state). */ - PVOID StartAddress; /* The initial start address of the thread. */ - CLIENT_ID ClientId; /* The identifier of the thread and the process owning the thread. */ - KPRIORITY Priority; /* The dynamic priority of the thread. */ - KPRIORITY BasePriority; /* The starting priority of the thread. */ - ULONG ContextSwitches; /* The total number of context switches performed. */ - KTHREAD_STATE ThreadState; /* The current state of the thread. */ - KWAIT_REASON WaitReason; /* The current reason the thread is waiting. */ -} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION; - -/* System Process Information */ -typedef struct _SYSTEM_PROCESS_INFO -{ - ULONG NextEntryOffset; /* The address of the previous item plus the value in the NextEntryOffset member. For the last item in the array, NextEntryOffset is 0. */ - ULONG NumberOfThreads; /* The NumberOfThreads member contains the number of threads in the process. */ - ULONGLONG WorkingSetPrivateSize; /* since VISTA */ - ULONG HardFaultCount; /* since WIN7 */ - ULONG NumberOfThreadsHighWatermark; /* The peak number of threads that were running at any given point in time, indicative of potential performance bottlenecks related to thread management. */ - ULONGLONG CycleTime; /* The sum of the cycle time of all threads in the process. */ - LARGE_INTEGER CreateTime; /* Number of 100-nanosecond intervals since the creation time of the process. Not updated during system timezone changes resullting in an incorrect value. */ - LARGE_INTEGER UserTime; - LARGE_INTEGER KernelTime; - UNICODE_STRING ImageName; /* The file name of the executable image. 
*/ - KPRIORITY BasePriority; - HANDLE UniqueProcessId; - HANDLE InheritedFromUniqueProcessId; - ULONG HandleCount; - ULONG SessionId; - ULONG_PTR UniqueProcessKey; /* since VISTA (requires SystemExtendedProcessInformation) */ - SIZE_T PeakVirtualSize; /* The peak size, in bytes, of the virtual memory used by the process. */ - SIZE_T VirtualSize; /* The current size, in bytes, of virtual memory used by the process. */ - ULONG PageFaultCount; /* The member of page faults for data that is not currently in memory. */ - SIZE_T PeakWorkingSetSize; /* The peak size, in kilobytes, of the working set of the process. */ - SIZE_T WorkingSetSize; /* The number of pages visible to the process in physical memory. These pages are resident and available for use without triggering a page fault. */ - SIZE_T QuotaPeakPagedPoolUsage; /* The peak quota charged to the process for pool usage, in bytes. */ - SIZE_T QuotaPagedPoolUsage; /* The quota charged to the process for paged pool usage, in bytes. */ - SIZE_T QuotaPeakNonPagedPoolUsage; /* The peak quota charged to the process for nonpaged pool usage, in bytes. */ - SIZE_T QuotaNonPagedPoolUsage; /* The current quota charged to the process for nonpaged pool usage. */ - SIZE_T PagefileUsage; /* The PagefileUsage member contains the number of bytes of page file storage in use by the process. */ - SIZE_T PeakPagefileUsage; /* The maximum number of bytes of page-file storage used by the process. */ - SIZE_T PrivatePageCount; /* The number of memory pages allocated for the use by the process. */ - LARGE_INTEGER ReadOperationCount; /* The total number of read operations performed. */ - LARGE_INTEGER WriteOperationCount; /* The total number of write operations performed. */ - LARGE_INTEGER OtherOperationCount; /* The total number of I/O operations performed other than read and write operations. */ - LARGE_INTEGER ReadTransferCount; /* The total number of bytes read during a read operation. 
*/ - LARGE_INTEGER WriteTransferCount; /* The total number of bytes written during a write operation. */ - LARGE_INTEGER OtherTransferCount; /* The total number of bytes transferred during operations other than read and write operations. */ - SYSTEM_THREAD_INFORMATION Threads[1]; /* This type is not defined in the structure but was added for convenience. */ -} SYSTEM_PROCESS_INFO, * PSYSTEM_PROCESS_INFO; - -/* tagSOleTlsData */ -typedef struct tagSOleTlsData -{ - PVOID ThreadBase; - PVOID SmAllocator; - ULONG ApartmentID; - ULONG Flags; /* OLETLSFLAGS */ - LONG TlsMapIndex; - PVOID* TlsSlot; - ULONG ComInits; - ULONG OleInits; - ULONG Calls; - PVOID ServerCall; /* previously CallInfo (before TH1) */ - PVOID CallObjectCache; /* previously FreeAsyncCall (before TH1) */ - PVOID ContextStack; /* previously FreeClientCall (before TH1) */ - PVOID ObjServer; - ULONG TIDCaller; - /* ... (other fields are version-dependant) */ -} SOleTlsData, * PSOleTlsData; - -/* TEB Active Frame Context */ -typedef struct _TEB_ACTIVE_FRAME_CONTEXT -{ - ULONG Flags; - PCSTR FrameName; -} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; - -/* TEB Active Frame */ -typedef struct _TEB_ACTIVE_FRAME -{ - ULONG Flags; - struct _TEB_ACTIVE_FRAME* Previous; - PTEB_ACTIVE_FRAME_CONTEXT Context; -} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; - -/* TEB */ -typedef struct _TEB -{ - /* - Thread Information Block (TIB) contains the thread's stack, base and limit addresses, the current stack pointer, and the exception list. - */ - NT_TIB NtTib; - /* - Reserved. - */ - PVOID EnvironmentPointer; - /* - Client ID for this thread. - */ - CLIENT_ID ClientId; - /* - A handle to an active Remote Procedure Call (RPC) if the thread is currently involved in an RPC operation. - */ - PVOID ActiveRpcHandle; - /* - A pointer to the __declspec(thread) local storage array. - */ - PVOID ThreadLocalStoragePointer; - /* - A pointer to the Process Environment Block (PEB), which contains information about the process. 
- */ - PPEB ProcessEnvironmentBlock; - /* - The previous Win32 error value for this thread. - */ - ULONG LastErrorValue; - /* - The number of critical sections currently owned by this thread. - */ - ULONG CountOfOwnedCriticalSections; - /* - Reserved. - */ - PVOID CsrClientThread; - /* - Reserved for GDI/USER (Win32k). - */ - PVOID Win32ThreadInfo; - ULONG User32Reserved[26]; - ULONG UserReserved[5]; - /* - Reserved. - */ - PVOID WOW32Reserved; - /* - The LCID of the current thread. (Kernel32!GetThreadLocale) - */ - LCID CurrentLocale; - /* - Reserved. - */ - ULONG FpSoftwareStatusRegister; - /* - Reserved. - */ - PVOID ReservedForDebuggerInstrumentation[16]; -#ifdef _WIN64 - /* - Reserved. - */ - PVOID SystemReserved1[25]; - /* - Per-thread fiber local storage. (Teb->HasFiberData) - */ - PVOID HeapFlsData; - /* - Reserved. - */ - ULONG_PTR RngState[4]; -#else - /* - Reserved. - */ - PVOID SystemReserved1[26]; -#endif - /* - Placeholder compatibility mode. (ProjFs and Cloud Files) - */ - CHAR PlaceholderCompatibilityMode; - /* - Indicates whether placeholder hydration is always explicit. - */ - BOOLEAN PlaceholderHydrationAlwaysExplicit; - /* - ProjFs and Cloud Files (reparse point) file virtualization. - */ - CHAR PlaceholderReserved[10]; - /* - The process ID (PID) that the current COM server thread is acting on behalf of. - */ - ULONG ProxiedProcessId; - /* - Pointer to the activation context stack for the current thread. - */ - ACTIVATION_CONTEXT_STACK ActivationStack; - /* - Opaque operation on behalf of another user or process. - */ - UCHAR WorkingOnBehalfTicket[8]; - /* - The last exception status for the current thread. - */ - NTSTATUS ExceptionCode; - /* - Pointer to the activation context stack for the current thread. - */ - PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; - /* - The stack pointer (SP) of the current system call or exception during instrumentation. 
- */ - ULONG_PTR InstrumentationCallbackSp; - /* - The program counter (PC) of the previous system call or exception during instrumentation. - */ - ULONG_PTR InstrumentationCallbackPreviousPc; - /* - The stack pointer (SP) of the previous system call or exception during instrumentation. - */ - ULONG_PTR InstrumentationCallbackPreviousSp; -#ifdef _WIN64 - /* - The miniversion ID of the current transacted file operation. - */ - ULONG TxFsContext; -#endif - /* - Indicates the state of the system call or exception instrumentation callback. - */ - BOOLEAN InstrumentationCallbackDisabled; -#ifdef _WIN64 - /* - Indicates the state of alignment exceptions for unaligned load/store operations. - */ - BOOLEAN UnalignedLoadStoreExceptions; -#endif -#ifndef _WIN64 - /* - SpareBytes. - */ - UCHAR SpareBytes[23]; - /* - The miniversion ID of the current transacted file operation. - */ - ULONG TxFsContext; -#endif - /* - Reserved for GDI (Win32k). - */ - GDI_TEB_BATCH GdiTebBatch; - CLIENT_ID RealClientId; - HANDLE GdiCachedProcessHandle; - ULONG GdiClientPID; - ULONG GdiClientTID; - PVOID GdiThreadLocalInfo; - /* - Reserved for User32 (Win32k). - */ - ULONG_PTR Win32ClientInfo[WIN32_CLIENT_INFO_LENGTH]; - /* - Reserved for opengl32.dll - */ - PVOID glDispatchTable[233]; - ULONG_PTR glReserved1[29]; - PVOID glReserved2; - PVOID glSectionInfo; - PVOID glSection; - PVOID glTable; - PVOID glCurrentRC; - PVOID glContext; - /* - The previous status value for this thread. - */ - NTSTATUS LastStatusValue; - /* - A static string for use by the application. - */ - UNICODE_STRING StaticUnicodeString; - /* - A static buffer for use by the application. - */ - WCHAR StaticUnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; - /* - The maximum stack size and indicates the base of the stack. - */ - PVOID DeallocationStack; - /* - Data for Thread Local Storage. (TlsGetValue) - */ - PVOID TlsSlots[TLS_MINIMUM_AVAILABLE]; - /* - Reserved for TLS. - */ - LIST_ENTRY TlsLinks; - /* - Reserved for NTVDM. 
- */ - PVOID Vdm; - /* - Reserved for RPC. - */ - PVOID ReservedForNtRpc; - /* - Reserved for Debugging (DebugActiveProcess). - */ - PVOID DbgSsReserved[2]; - /* - The error mode for the current thread. (GetThreadErrorMode) - */ - ULONG HardErrorMode; - /* - Reserved. - */ -#ifdef _WIN64 - PVOID Instrumentation[11]; -#else - PVOID Instrumentation[9]; -#endif - /* - Reserved. - */ - GUID ActivityId; - /* - The identifier of the service that created the thread. (svchost) - */ - PVOID SubProcessTag; - /* - Reserved. - */ - PVOID PerflibData; - /* - Reserved. - */ - PVOID EtwTraceData; - /* - The address of a socket handle during a blocking socket operation. (WSAStartup) - */ - HANDLE WinSockData; - /* - The number of function calls accumulated in the current GDI batch. (GdiSetBatchLimit) - */ - ULONG GdiBatchCount; - /* - The preferred processor for the current thread. (SetThreadIdealProcessor/SetThreadIdealProcessorEx) - */ - union - { - PROCESSOR_NUMBER CurrentIdealProcessor; - ULONG IdealProcessorValue; - struct - { - UCHAR ReservedPad0; - UCHAR ReservedPad1; - UCHAR ReservedPad2; - UCHAR IdealProcessor; - }; - }; - /* - The minimum size of the stack available during any stack overflow exceptions. (SetThreadStackGuarantee) - */ - ULONG GuaranteedStackBytes; - /* - Reserved. - */ - PVOID ReservedForPerf; - /* - Reserved for Object Linking and Embedding (OLE) - */ - PSOleTlsData ReservedForOle; - /* - Indicates whether the thread is waiting on the loader lock. - */ - ULONG WaitingOnLoaderLock; - /* - The saved priority state for the thread. - */ - PVOID SavedPriorityState; - /* - Reserved. - */ - ULONG_PTR ReservedForCodeCoverage; - /* - Reserved. - */ - PVOID ThreadPoolData; - /* - Pointer to the TLS (Thread Local Storage) expansion slots for the thread. 
- */ - PVOID* TlsExpansionSlots; -#ifdef _WIN64 - PVOID ChpeV2CpuAreaInfo; /* CHPEV2_CPUAREA_INFO, previously DeallocationBStore */ - PVOID Unused; /* previously BStoreLimit */ -#endif - /* - The generation of the MUI (Multilingual User Interface) data. - */ - ULONG MuiGeneration; - /* - Indicates whether the thread is impersonating another security context. - */ - ULONG IsImpersonating; - /* - Pointer to the NLS (National Language Support) cache. - */ - PVOID NlsCache; - /* - Pointer to the AppCompat/Shim Engine data. - */ - PVOID pShimData; - /* - Reserved. - */ - ULONG HeapData; - /* - Handle to the current transaction associated with the thread. - */ - HANDLE CurrentTransactionHandle; - /* - Pointer to the active frame for the thread. - */ - PTEB_ACTIVE_FRAME ActiveFrame; - /* - Reserved for FLS (RtlProcessFlsData). - */ - PVOID FlsData; - /* - Pointer to the preferred languages for the current thread. (GetThreadPreferredUILanguages) - */ - PVOID PreferredLanguages; - /* - Pointer to the user-preferred languages for the current thread. (GetUserPreferredUILanguages) - */ - PVOID UserPrefLanguages; - /* - Pointer to the merged preferred languages for the current thread. (MUI_MERGE_USER_FALLBACK) - */ - PVOID MergedPrefLanguages; - /* - Indicates whether the thread is impersonating another user's language settings. - */ - ULONG MuiImpersonation; - /* - Reserved. - */ - union - { - USHORT CrossTebFlags; - USHORT SpareCrossTebBits : 16; - }; - /* - SameTebFlags modify the state and behavior of the current thread. - */ - union - { - USHORT SameTebFlags; - struct - { - USHORT SafeThunkCall : 1; - USHORT InDebugPrint : 1; /* Indicates if the thread is currently in a debug print routine. */ - USHORT HasFiberData : 1; /* Indicates if the thread has local fiber-local storage (FLS). */ - USHORT SkipThreadAttach : 1; /* Indicates if the thread should suppress DLL_THREAD_ATTACH notifications. 
*/ - USHORT WerInShipAssertCode : 1; - USHORT RanProcessInit : 1; /* Indicates if the thread has run process initialization code. */ - USHORT ClonedThread : 1; /* Indicates if the thread is a clone of a different thread. */ - USHORT SuppressDebugMsg : 1; /* Indicates if the thread should suppress LOAD_DLL_DEBUG_INFO notifications. */ - USHORT DisableUserStackWalk : 1; - USHORT RtlExceptionAttached : 1; - USHORT InitialThread : 1; /* Indicates if the thread is the initial thread of the process. */ - USHORT SessionAware : 1; - USHORT LoadOwner : 1; /* Indicates if the thread is the owner of the process loader lock. */ - USHORT LoaderWorker : 1; - USHORT SkipLoaderInit : 1; - USHORT SkipFileAPIBrokering : 1; - }; - }; - /* - Pointer to the callback function that is called when a KTM transaction scope is entered. - */ - PVOID TxnScopeEnterCallback; - /* - Pointer to the callback function that is called when a KTM transaction scope is exited. - */ - PVOID TxnScopeExitCallback; - /* - Pointer to optional context data for use by the application when a KTM transaction scope callback is called. - */ - PVOID TxnScopeContext; - /* - The lock count of critical sections for the current thread. - */ - ULONG LockCount; - /* - The offset to the WOW64 (Windows on Windows) TEB for the current thread. - */ - LONG WowTebOffset; - /* - Reserved. - */ - PVOID ResourceRetValue; - /* - Reserved for Windows Driver Framework (WDF). - */ - PVOID ReservedForWdf; - /* - Reserved for the Microsoft C runtime (CRT). - */ - ULONGLONG ReservedForCrt; - /* - The Host Compute Service (HCS) container identifier. - */ - GUID EffectiveContainerId; - /* - Reserved for Kernel32!Sleep (SpinWait). - */ - ULONGLONG LastSleepCounter; /* since Win11 */ - /* - Reserved for Kernel32!Sleep (SpinWait). - */ - ULONG SpinCallCount; - /* - Extended feature disable mask (AVX). - */ - ULONGLONG ExtendedFeatureDisableMask; - /* - Reserved. - */ - PVOID SchedulerSharedDataSlot; /* since 24H2 */ - /* - Reserved. 
- */
- PVOID HeapWalkContext;
- /*
- The primary processor group affinity of the thread.
- */
- GROUP_AFFINITY PrimaryGroupAffinity;
- /*
- Read-copy-update (RCU) synchronization context.
- */
- ULONG Rcu[2];
-} TEB, * PTEB;
-
-/* Thread Basic Information */
-typedef struct _THREAD_BASIC_INFO
-{
- NTSTATUS ExitStatus;
- PTEB TebBaseAddress;
- CLIENT_ID ClientId;
- KAFFINITY AffinityMask;
- KPRIORITY Priority;
- KPRIORITY BasePriority;
-} THREAD_BASIC_INFO, * PTHREAD_BASIC_INFO;
-
-/* T2 Set Parameters */
-typedef struct _T2_SET_PARAMETERS_V0
-{
- ULONG Version;
- ULONG Reserved;
- LONGLONG NoWakeTolerance;
-} T2_SET_PARAMETERS, * PT2_SET_PARAMETERS;
-
-/* WNF Delivery Descriptor */
-typedef struct _WNF_DELIVERY_DESCRIPTOR
-{
- ULONGLONG SubscriptionId;
- WNF_STATE_NAME StateName;
- WNF_CHANGE_STAMP ChangeStamp;
- ULONG StateDataSize;
- ULONG EventMask;
- WNF_TYPE_ID TypeId;
- ULONG StateDataOffset;
-} WNF_DELIVERY_DESCRIPTOR, * PWNF_DELIVERY_DESCRIPTOR;
-
-/* Worker Factory Deferred Work */
-typedef struct _WORKER_FACTORY_DEFERRED_WORK
-{
- PPORT_MESSAGE AlpcSendMessage;
- PVOID AlpcSendMessagePort;
- ULONG AlpcSendMessageFlags;
- ULONG Flags;
+#pragma once
+
+#include
+#include
+
+/* Forward declarations for cyclic dependencies */
+typedef struct _ACTIVATION_CONTEXT* PACTIVATION_CONTEXT;
+typedef struct _ACTIVATION_CONTEXT_DATA* PACTIVATION_CONTEXT_DATA;
+typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
+typedef struct _ACTIVATION_CONTEXT_STACK* PACTIVATION_CONTEXT_STACK;
+typedef struct _TEB* PTEB;
+
+// #define USE_PISID /* Uncomment this line to use PISID instead of PSID */
+#define USE_DYNAMIC_ARRAY /* Uncomment this line to use dynamic array */
+#define USE_POINTER_SUBAUTH /* Uncomment this line to use pointer to an array for SubAuthority */
+
+/* APC Routines */
+typedef VOID(NTAPI * PPS_APC_ROUTINE)(
+ _In_opt_ PVOID ApcArgument1,
+ _In_opt_ PVOID ApcArgument2,
+ _In_opt_ PVOID ApcArgument3
+ );
+
+typedef VOID(NTAPI 
* TIMER_APC_ROUTINE)(
+ _In_ PVOID TimerContext,
+ _In_ ULONG TimerLowValue,
+ _In_ LONG TimerHighValue
+ );
+
+typedef VOID(NTAPI * PUSER_THREAD_START_ROUTINE)(
+ _In_ PVOID ThreadParameter
+ );
+
+typedef VOID(NTAPI * IO_APC_ROUTINE)(
+ _In_ PVOID ApcContext,
+ _In_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG Reserved
+ );
+
+typedef VOID(NTAPI * PENCLAVE_ROUTINE)(VOID);
+
+/* User Thread Start Routine */
+typedef VOID(*PUSER_THREAD_START_ROUTINE)(PVOID);
+
+/* Timer APC Routine */
+
+typedef VOID(NTAPI* PACTIVATION_CONTEXT_NOTIFY_ROUTINE)(
+ _In_ ULONG NotificationType, /* ACTIVATION_CONTEXT_NOTIFICATION_* */
+ _In_ PACTIVATION_CONTEXT ActivationContext,
+ _In_ PACTIVATION_CONTEXT_DATA ActivationContextData,
+ _In_opt_ PVOID NotificationContext,
+ _In_opt_ PVOID NotificationData,
+ _Inout_ PBOOLEAN DisableThisNotification
+ );
+
+/* Activation Context Data */
+typedef struct _ACTIVATION_CONTEXT_DATA
+{
+ ULONG Magic;
+ ULONG HeaderSize;
+ ULONG FormatVersion;
+ ULONG TotalSize;
+ ULONG DefaultTocOffset; /* to ACTIVATION_CONTEXT_DATA_TOC_HEADER */
+ ULONG ExtendedTocOffset; /* to ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER */
+ ULONG AssemblyRosterOffset; /* to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER */
+ ULONG Flags; /* ACTIVATION_CONTEXT_FLAG_* */
+} ACTIVATION_CONTEXT_DATA, * PACTIVATION_CONTEXT_DATA;
+
+/* Assembly Storage Map Entry */
+typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY
+{
+ ULONG Flags;
+ UNICODE_STRING DosPath;
+ HANDLE Handle;
+} ASSEMBLY_STORAGE_MAP_ENTRY, * PASSEMBLY_STORAGE_MAP_ENTRY;
+
+/* Assembly Storage Map */
+typedef struct _ASSEMBLY_STORAGE_MAP
+{
+ ULONG Flags;
+ ULONG AssemblyCount;
+ PASSEMBLY_STORAGE_MAP_ENTRY* AssemblyArray;
+} ASSEMBLY_STORAGE_MAP, * PASSEMBLY_STORAGE_MAP;
+
+/* Activation Context */
+typedef struct _ACTIVATION_CONTEXT
+{
+ LONG RefCount;
+ ULONG Flags;
+ PACTIVATION_CONTEXT_DATA ActivationContextData;
+ PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine;
+ PVOID NotificationContext;
+ ULONG 
SentNotifications[8];
+ ULONG DisabledNotifications[8];
+ ASSEMBLY_STORAGE_MAP StorageMap;
+ PASSEMBLY_STORAGE_MAP_ENTRY InlineStorageMapEntries[32];
+} ACTIVATION_CONTEXT, * PACTIVATION_CONTEXT;
+
+/* RTL Activation Context Stack Frame */
+typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME
+{
+ struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
+ PACTIVATION_CONTEXT ActivationContext;
+ ULONG Flags; /* RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* */
+} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
+
+/* Activation Context Stack Frame */
+typedef struct _ACTIVATION_CONTEXT_STACK
+{
+ PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
+ LIST_ENTRY FrameListCache;
+ ULONG Flags; /* ACTIVATION_CONTEXT_STACK_FLAG_* */
+ ULONG NextCookieSequenceNumber;
+ ULONG StackId;
+} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
+
+/* Boot Options */
+typedef struct _BOOT_OPTIONS
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Timeout;
+ ULONG CurrentBootEntryId;
+ ULONG NextBootEntryId;
+ WCHAR HeadlessRedirection[1];
+} BOOT_OPTIONS, * PBOOT_OPTIONS;
+
+typedef struct _CURDIR
+{
+ UNICODE_STRING DosPath;
+ HANDLE Handle;
+} CURDIR, * PCURDIR;
+
+/* CM Extended Parameter */
+typedef struct DECLSPEC_ALIGN(8) _CM_EXTENDED_PARAMETER
+{
+ /* Bit field for the type of the extended parameter */
+ struct
+ {
+ ULONG64 Type : CM_EXTENDED_PARAMETER_TYPE_BITS; /* Type of the extended parameter */
+ ULONG64 Reserved : 64 - CM_EXTENDED_PARAMETER_TYPE_BITS; /* Reserved bits for future use */
+ };
+ /* Union to hold different types of data */
+ union
+ {
+ ULONG64 ULong64; /* 64-bit unsigned long */
+ PVOID Pointer; /* Pointer to any type */
+ SIZE_T Size; /* Size type */
+ HANDLE Handle; /* Handle type */
+ ULONG ULong; /* 32-bit unsigned long */
+ ACCESS_MASK AccessMask; /* Access mask type */
+ };
+} CM_EXTENDED_PARAMETER, * PCM_EXTENDED_PARAMETER;
+
+/* DBGKM Create Thread */
+typedef struct _DBGKM_CREATE_THREAD
+{
+ ULONG SubSystemKey;
+ PVOID StartAddress;
+} DBGKM_CREATE_THREAD, * PDBGKM_CREATE_THREAD;
+
+/* DBGKM Create Process */
+typedef struct _DBGKM_CREATE_PROCESS
+{
+ ULONG SubSystemKey;
+ HANDLE FileHandle;
+ PVOID BaseOfImage;
+ ULONG DebugInfoFileOffset;
+ ULONG DebugInfoSize;
+ DBGKM_CREATE_THREAD InitialThread;
+} DBGKM_CREATE_PROCESS, * PDBGKM_CREATE_PROCESS;
+
+/* DBGKM Exception */
+typedef struct _DBGKM_EXCEPTION
+{
+ EXCEPTION_RECORD ExceptionRecord;
+ ULONG FirstChance;
+} DBGKM_EXCEPTION, * PDBGKM_EXCEPTION;
+
+/* DBGKM Exit Thread */
+typedef struct _DBGKM_EXIT_THREAD
+{
+ NTSTATUS ExitStatus;
+} DBGKM_EXIT_THREAD, * PDBGKM_EXIT_THREAD;
+
+/* DBGKM Exit Process */
+typedef struct _DBGKM_EXIT_PROCESS
+{
+ NTSTATUS ExitStatus;
+} DBGKM_EXIT_PROCESS, * PDBGKM_EXIT_PROCESS;
+
+/* DBGKM Load DLL */
+typedef struct _DBGKM_LOAD_DLL
+{
+ HANDLE FileHandle;
+ PVOID BaseOfDll;
+ ULONG DebugInfoFileOffset;
+ ULONG DebugInfoSize;
+ PVOID NamePointer;
+} DBGKM_LOAD_DLL, * PDBGKM_LOAD_DLL;
+
+/* DBGKM Unload DLL */
+typedef struct _DBGKM_UNLOAD_DLL
+{
+ PVOID BaseAddress;
+} DBGKM_UNLOAD_DLL, * PDBGKM_UNLOAD_DLL;
+
+/* DBGUI Create Thread */
+typedef struct _DBGUI_CREATE_THREAD
+{
+ HANDLE HandleToThread;
+ DBGKM_CREATE_THREAD NewThread;
+} DBGUI_CREATE_THREAD, * PDBGUI_CREATE_THREAD;
+
+/* DBGUI Create Process */
+typedef struct _DBGUI_CREATE_PROCESS
+{
+ HANDLE HandleToProcess;
+ HANDLE HandleToThread;
+ DBGKM_CREATE_PROCESS NewProcess;
+} DBGUI_CREATE_PROCESS, * PDBGUI_CREATE_PROCESS;
+
+/* DBGUI Wait State Change */
+typedef struct _DBGUI_WAIT_STATE_CHANGE
+{
+ DBG_STATE NewState;
+ CLIENT_ID AppClientId;
+ union
+ {
+ DBGKM_EXCEPTION Exception;
+ DBGUI_CREATE_THREAD CreateThread;
+ DBGUI_CREATE_PROCESS CreateProcessInfo;
+ DBGKM_EXIT_THREAD ExitThread;
+ DBGKM_EXIT_PROCESS ExitProcess;
+ DBGKM_LOAD_DLL LoadDll;
+ DBGKM_UNLOAD_DLL UnloadDll;
+ } StateInfo;
+} DBGUI_WAIT_STATE_CHANGE, * PDBGUI_WAIT_STATE_CHANGE;
+
+/* File Basic Information */
+typedef struct _SYSK_FILE_BASIC_INFORMATION
+{
+ LARGE_INTEGER 
CreationTime; /* Specifies the time that the file was created. */
+ LARGE_INTEGER LastAccessTime; /* Specifies the time that the file was last accessed. */
+ LARGE_INTEGER LastWriteTime; /* Specifies the time that the file was last written to. */
+ LARGE_INTEGER ChangeTime; /* Specifies the last time the file was changed. */
+ ULONG FileAttributes; /* Specifies one or more FILE_ATTRIBUTE_XXX flags. */
+} SYSK_FILE_BASIC_INFORMATION, * PSYSK_FILE_BASIC_INFORMATION;
+
+/* File IO Completion Information */
+typedef struct _FILE_IO_COMPLETION_INFORMATION
+{
+ PVOID KeyContext;
+ PVOID ApcContext;
+ IO_STATUS_BLOCK IoStatusBlock;
+} FILE_IO_COMPLETION_INFORMATION, * PFILE_IO_COMPLETION_INFORMATION;
+
+/* File Network Open Information */
+typedef struct _SYSK_FILE_NETWORK_OPEN_INFORMATION
+{
+ LARGE_INTEGER CreationTime;
+ LARGE_INTEGER LastAccessTime;
+ LARGE_INTEGER LastWriteTime;
+ LARGE_INTEGER ChangeTime;
+ LARGE_INTEGER AllocationSize;
+ LARGE_INTEGER EndOfFile;
+ ULONG FileAttributes;
+} SYSK_FILE_NETWORK_OPEN_INFORMATION, * PSYSK_FILE_NETWORK_OPEN_INFORMATION;
+
+/* File Path */
+typedef struct _FILE_PATH
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Type;
+ _Field_size_bytes_(Length) UCHAR FilePath[1];
+} FILE_PATH, * PFILE_PATH;
+
+/* GDI TEB Batch */
+typedef struct _GDI_TEB_BATCH
+{
+ ULONG Offset;
+ ULONG_PTR HDC;
+ ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
+} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
+
+/* Initial TEB */
+typedef struct _INITIAL_TEB
+{
+ struct
+ {
+ PVOID OldStackBase;
+ PVOID OldStackLimit;
+ } OldInitialTeb;
+ PVOID StackBase;
+ PVOID StackLimit;
+ PVOID StackAllocationBase;
+} INITIAL_TEB, * PINITIAL_TEB;
+
+/* Job Set Arrary */
+typedef struct _JOB_SET_ARRAY {
+ HANDLE JobHandle;
+ DWORD MemberLevel;
+ DWORD Flags;
+} JOB_SET_ARRAY, * PJOB_SET_ARRAY;
+
+/* Memory Range Entry */
+typedef struct _SYSK_MEMORY_RANGE_ENTRY
+{
+ PVOID VirtualAddress;
+ SIZE_T NumberOfBytes;
+} SYSK_MEMORY_RANGE_ENTRY, * PSYSK_MEMORY_RANGE_ENTRY;
+
+/* NTPSS Memory Bulk 
Information */
+typedef struct _NTPSS_MEMORY_BULK_INFORMATION
+{
+ ULONG QueryFlags;
+ ULONG NumberOfEntries;
+ PVOID NextValidAddress;
+} NTPSS_MEMORY_BULK_INFORMATION, * PNTPSS_MEMORY_BULK_INFORMATION;
+
+/* Object Boundary Descriptor */
+typedef struct _OBJECT_BOUNDARY_DESCRIPTOR
+{
+ ULONG Version;
+ ULONG Items;
+ ULONG TotalSize;
+ union
+ {
+ ULONG Flags;
+ struct
+ {
+ ULONG AddAppContainerSid : 1;
+ ULONG Reserved : 31;
+ };
+ };
+ /* OBJECT_BOUNDARY_ENTRY Entries[1]; */
+} OBJECT_BOUNDARY_DESCRIPTOR, * POBJECT_BOUNDARY_DESCRIPTOR;
+
+/* PS Attribute */
+typedef struct _PS_ATTRIBUTE
+{
+ ULONG_PTR Attribute;
+ SIZE_T Size;
+ union
+ {
+ ULONG_PTR Value;
+ PVOID ValuePtr;
+ };
+ PSIZE_T ReturnLength;
+} PS_ATTRIBUTE, * PPS_ATTRIBUTE;
+
+/* PS Attribute List */
+typedef struct _PS_ATTRIBUTE_LIST
+{
+ SIZE_T TotalLength;
+ PS_ATTRIBUTE Attributes[1];
+} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;
+
+/* PS Create Info */
+typedef struct _PS_CREATE_INFO
+{
+ SIZE_T Size;
+ PS_CREATE_STATE State;
+ union
+ {
+ /* PsCreateInitialState */
+ struct
+ {
+ union
+ {
+ ULONG InitFlags;
+ struct
+ {
+ UCHAR WriteOutputOnExit : 1;
+ UCHAR DetectManifest : 1;
+ UCHAR IFEOSkipDebugger : 1;
+ UCHAR IFEODoNotPropagateKeyState : 1;
+ UCHAR SpareBits1 : 4;
+ UCHAR SpareBits2 : 8;
+ USHORT ProhibitedImageCharacteristics : 16;
+ };
+ };
+ ACCESS_MASK AdditionalFileAccess;
+ } InitState;
+ /* PsCreateFailOnSectionCreate */
+ struct
+ {
+ HANDLE FileHandle;
+ } FailSection;
+ /* PsCreateFailExeFormat */
+ struct
+ {
+ USHORT DllCharacteristics;
+ } ExeFormat;
+ /* PsCreateFailExeName */
+ struct
+ {
+ HANDLE IFEOKey;
+ } ExeName;
+ /* PsCreateSuccess */
+ struct
+ {
+ union
+ {
+ ULONG OutputFlags;
+ struct
+ {
+ UCHAR ProtectedProcess : 1;
+ UCHAR AddressSpaceOverride : 1;
+ UCHAR DevOverrideEnabled : 1; /* from Image File Execution Options */
+ UCHAR ManifestDetected : 1;
+ UCHAR ProtectedProcessLight : 1;
+ UCHAR SpareBits1 : 3;
+ UCHAR SpareBits2 : 8;
+ USHORT SpareBits3 : 16;
+ 
};
+ };
+ HANDLE FileHandle;
+ HANDLE SectionHandle;
+ ULONGLONG UserProcessParametersNative;
+ ULONG UserProcessParametersWow64;
+ ULONG CurrentParameterFlags;
+ ULONGLONG PebAddressNative;
+ ULONG PebAddressWow64;
+ ULONGLONG ManifestAddress;
+ ULONG ManifestSize;
+ } SuccessState;
+ };
+} PS_CREATE_INFO, * PPS_CREATE_INFO;
+
+/* RTL Drive Letter Current Directory */
+typedef struct _RTL_DRIVE_LETTER_CURDIR
+{
+ USHORT Flags;
+ USHORT Length;
+ ULONG TimeStamp;
+ STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
+
+/* RTL User Process Parameters */
+typedef struct _RTL_USER_PROCESS_PARAMETERS
+{
+ ULONG MaximumLength;
+ ULONG Length;
+
+ ULONG Flags;
+ ULONG DebugFlags;
+
+ HANDLE ConsoleHandle;
+ ULONG ConsoleFlags;
+ HANDLE StandardInput;
+ HANDLE StandardOutput;
+ HANDLE StandardError;
+
+ CURDIR CurrentDirectory;
+ UNICODE_STRING DllPath;
+ UNICODE_STRING ImagePathName;
+ UNICODE_STRING CommandLine;
+ PVOID Environment;
+
+ ULONG StartingX;
+ ULONG StartingY;
+ ULONG CountX;
+ ULONG CountY;
+ ULONG CountCharsX;
+ ULONG CountCharsY;
+ ULONG FillAttribute;
+
+ ULONG WindowFlags;
+ ULONG ShowWindowFlags;
+ UNICODE_STRING WindowTitle;
+ UNICODE_STRING DesktopInfo;
+ UNICODE_STRING ShellInfo;
+ UNICODE_STRING RuntimeData;
+ RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+ ULONG_PTR EnvironmentSize;
+ ULONG_PTR EnvironmentVersion;
+
+ PVOID PackageDependencyData;
+ ULONG ProcessGroupId;
+ ULONG LoaderThreads;
+ UNICODE_STRING RedirectionDllName; /* REDSTONE4 */
+ UNICODE_STRING HeapPartitionName; /* 19H1 */
+ PULONGLONG DefaultThreadpoolCpuSetMasks;
+ ULONG DefaultThreadpoolCpuSetMaskCount;
+ ULONG DefaultThreadpoolThreadMaximum;
+ ULONG HeapMemoryTypeMask; /* WIN11 */
+} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
+
+/* SE File Cache Claim Information */
+typedef struct _SE_FILE_CACHE_CLAIM_INFORMATION
+{
+ ULONG Size;
+ PVOID Claim;
+} SE_FILE_CACHE_CLAIM_INFORMATION, * PSE_FILE_CACHE_CLAIM_INFORMATION;
+
+/* SE Set File Cache Information */
+typedef struct _SE_SET_FILE_CACHE_INFORMATION
+{
+ ULONG Size;
+ UNICODE_STRING CatalogDirectoryPath;
+ SE_FILE_CACHE_CLAIM_INFORMATION OriginClaimInfo;
+} SE_SET_FILE_CACHE_INFORMATION, * PSE_SET_FILE_CACHE_INFORMATION;
+
+/* System Thread Information */
+typedef struct _SYSTEM_THREAD_INFORMATION
+{
+ LARGE_INTEGER KernelTime; /* Number of 100-nanosecond intervals spent executing kernel code. */
+ LARGE_INTEGER UserTime; /* Number of 100-nanosecond intervals spent executing user code. */
+ LARGE_INTEGER CreateTime; /* The date and time when the thread was created. */
+ ULONG WaitTime; /* The current time spent in ready queue or waiting (depending on the thread state). */
+ PVOID StartAddress; /* The initial start address of the thread. */
+ CLIENT_ID ClientId; /* The identifier of the thread and the process owning the thread. */
+ KPRIORITY Priority; /* The dynamic priority of the thread. */
+ KPRIORITY BasePriority; /* The starting priority of the thread. */
+ ULONG ContextSwitches; /* The total number of context switches performed. */
+ KTHREAD_STATE ThreadState; /* The current state of the thread. */
+ KWAIT_REASON WaitReason; /* The current reason the thread is waiting. */
+} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
+
+/* System Process Information */
+typedef struct _SYSTEM_PROCESS_INFO
+{
+ ULONG NextEntryOffset; /* The address of the previous item plus the value in the NextEntryOffset member. For the last item in the array, NextEntryOffset is 0. */
+ ULONG NumberOfThreads; /* The NumberOfThreads member contains the number of threads in the process. */
+ ULONGLONG WorkingSetPrivateSize; /* since VISTA */
+ ULONG HardFaultCount; /* since WIN7 */
+ ULONG NumberOfThreadsHighWatermark; /* The peak number of threads that were running at any given point in time, indicative of potential performance bottlenecks related to thread management. 
*/
+ ULONGLONG CycleTime; /* The sum of the cycle time of all threads in the process. */
+ LARGE_INTEGER CreateTime; /* Number of 100-nanosecond intervals since the creation time of the process. Not updated during system timezone changes resullting in an incorrect value. */
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER KernelTime;
+ UNICODE_STRING ImageName; /* The file name of the executable image. */
+ KPRIORITY BasePriority;
+ HANDLE UniqueProcessId;
+ HANDLE InheritedFromUniqueProcessId;
+ ULONG HandleCount;
+ ULONG SessionId;
+ ULONG_PTR UniqueProcessKey; /* since VISTA (requires SystemExtendedProcessInformation) */
+ SIZE_T PeakVirtualSize; /* The peak size, in bytes, of the virtual memory used by the process. */
+ SIZE_T VirtualSize; /* The current size, in bytes, of virtual memory used by the process. */
+ ULONG PageFaultCount; /* The member of page faults for data that is not currently in memory. */
+ SIZE_T PeakWorkingSetSize; /* The peak size, in kilobytes, of the working set of the process. */
+ SIZE_T WorkingSetSize; /* The number of pages visible to the process in physical memory. These pages are resident and available for use without triggering a page fault. */
+ SIZE_T QuotaPeakPagedPoolUsage; /* The peak quota charged to the process for pool usage, in bytes. */
+ SIZE_T QuotaPagedPoolUsage; /* The quota charged to the process for paged pool usage, in bytes. */
+ SIZE_T QuotaPeakNonPagedPoolUsage; /* The peak quota charged to the process for nonpaged pool usage, in bytes. */
+ SIZE_T QuotaNonPagedPoolUsage; /* The current quota charged to the process for nonpaged pool usage. */
+ SIZE_T PagefileUsage; /* The PagefileUsage member contains the number of bytes of page file storage in use by the process. */
+ SIZE_T PeakPagefileUsage; /* The maximum number of bytes of page-file storage used by the process. */
+ SIZE_T PrivatePageCount; /* The number of memory pages allocated for the use by the process. 
*/ + LARGE_INTEGER ReadOperationCount; /* The total number of read operations performed. */ + LARGE_INTEGER WriteOperationCount; /* The total number of write operations performed. */ + LARGE_INTEGER OtherOperationCount; /* The total number of I/O operations performed other than read and write operations. */ + LARGE_INTEGER ReadTransferCount; /* The total number of bytes read during a read operation. */ + LARGE_INTEGER WriteTransferCount; /* The total number of bytes written during a write operation. */ + LARGE_INTEGER OtherTransferCount; /* The total number of bytes transferred during operations other than read and write operations. */ + SYSTEM_THREAD_INFORMATION Threads[1]; /* This type is not defined in the structure but was added for convenience. */ +} SYSTEM_PROCESS_INFO, * PSYSTEM_PROCESS_INFO; + +/* tagSOleTlsData */ +typedef struct tagSOleTlsData +{ + PVOID ThreadBase; + PVOID SmAllocator; + ULONG ApartmentID; + ULONG Flags; /* OLETLSFLAGS */ + LONG TlsMapIndex; + PVOID* TlsSlot; + ULONG ComInits; + ULONG OleInits; + ULONG Calls; + PVOID ServerCall; /* previously CallInfo (before TH1) */ + PVOID CallObjectCache; /* previously FreeAsyncCall (before TH1) */ + PVOID ContextStack; /* previously FreeClientCall (before TH1) */ + PVOID ObjServer; + ULONG TIDCaller; + /* ... (other fields are version-dependant) */ +} SOleTlsData, * PSOleTlsData; + +/* TEB Active Frame Context */ +typedef struct _TEB_ACTIVE_FRAME_CONTEXT +{ + ULONG Flags; + PCSTR FrameName; +} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; + +/* TEB Active Frame */ +typedef struct _TEB_ACTIVE_FRAME +{ + ULONG Flags; + struct _TEB_ACTIVE_FRAME* Previous; + PTEB_ACTIVE_FRAME_CONTEXT Context; +} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; + +/* TEB */ +typedef struct _TEB +{ + /* + Thread Information Block (TIB) contains the thread's stack, base and limit addresses, the current stack pointer, and the exception list. + */ + NT_TIB NtTib; + /* + Reserved. 
+ */ + PVOID EnvironmentPointer; + /* + Client ID for this thread. + */ + CLIENT_ID ClientId; + /* + A handle to an active Remote Procedure Call (RPC) if the thread is currently involved in an RPC operation. + */ + PVOID ActiveRpcHandle; + /* + A pointer to the __declspec(thread) local storage array. + */ + PVOID ThreadLocalStoragePointer; + /* + A pointer to the Process Environment Block (PEB), which contains information about the process. + */ + PPEB ProcessEnvironmentBlock; + /* + The previous Win32 error value for this thread. + */ + ULONG LastErrorValue; + /* + The number of critical sections currently owned by this thread. + */ + ULONG CountOfOwnedCriticalSections; + /* + Reserved. + */ + PVOID CsrClientThread; + /* + Reserved for GDI/USER (Win32k). + */ + PVOID Win32ThreadInfo; + ULONG User32Reserved[26]; + ULONG UserReserved[5]; + /* + Reserved. + */ + PVOID WOW32Reserved; + /* + The LCID of the current thread. (Kernel32!GetThreadLocale) + */ + LCID CurrentLocale; + /* + Reserved. + */ + ULONG FpSoftwareStatusRegister; + /* + Reserved. + */ + PVOID ReservedForDebuggerInstrumentation[16]; +#ifdef _WIN64 + /* + Reserved. + */ + PVOID SystemReserved1[25]; + /* + Per-thread fiber local storage. (Teb->HasFiberData) + */ + PVOID HeapFlsData; + /* + Reserved. + */ + ULONG_PTR RngState[4]; +#else + /* + Reserved. + */ + PVOID SystemReserved1[26]; +#endif + /* + Placeholder compatibility mode. (ProjFs and Cloud Files) + */ + CHAR PlaceholderCompatibilityMode; + /* + Indicates whether placeholder hydration is always explicit. + */ + BOOLEAN PlaceholderHydrationAlwaysExplicit; + /* + ProjFs and Cloud Files (reparse point) file virtualization. + */ + CHAR PlaceholderReserved[10]; + /* + The process ID (PID) that the current COM server thread is acting on behalf of. + */ + ULONG ProxiedProcessId; + /* + Pointer to the activation context stack for the current thread. 
+ */ + ACTIVATION_CONTEXT_STACK ActivationStack; + /* + Opaque operation on behalf of another user or process. + */ + UCHAR WorkingOnBehalfTicket[8]; + /* + The last exception status for the current thread. + */ + NTSTATUS ExceptionCode; + /* + Pointer to the activation context stack for the current thread. + */ + PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; + /* + The stack pointer (SP) of the current system call or exception during instrumentation. + */ + ULONG_PTR InstrumentationCallbackSp; + /* + The program counter (PC) of the previous system call or exception during instrumentation. + */ + ULONG_PTR InstrumentationCallbackPreviousPc; + /* + The stack pointer (SP) of the previous system call or exception during instrumentation. + */ + ULONG_PTR InstrumentationCallbackPreviousSp; +#ifdef _WIN64 + /* + The miniversion ID of the current transacted file operation. + */ + ULONG TxFsContext; +#endif + /* + Indicates the state of the system call or exception instrumentation callback. + */ + BOOLEAN InstrumentationCallbackDisabled; +#ifdef _WIN64 + /* + Indicates the state of alignment exceptions for unaligned load/store operations. + */ + BOOLEAN UnalignedLoadStoreExceptions; +#endif +#ifndef _WIN64 + /* + SpareBytes. + */ + UCHAR SpareBytes[23]; + /* + The miniversion ID of the current transacted file operation. + */ + ULONG TxFsContext; +#endif + /* + Reserved for GDI (Win32k). + */ + GDI_TEB_BATCH GdiTebBatch; + CLIENT_ID RealClientId; + HANDLE GdiCachedProcessHandle; + ULONG GdiClientPID; + ULONG GdiClientTID; + PVOID GdiThreadLocalInfo; + /* + Reserved for User32 (Win32k). + */ + ULONG_PTR Win32ClientInfo[WIN32_CLIENT_INFO_LENGTH]; + /* + Reserved for opengl32.dll + */ + PVOID glDispatchTable[233]; + ULONG_PTR glReserved1[29]; + PVOID glReserved2; + PVOID glSectionInfo; + PVOID glSection; + PVOID glTable; + PVOID glCurrentRC; + PVOID glContext; + /* + The previous status value for this thread. 
+ */ + NTSTATUS LastStatusValue; + /* + A static string for use by the application. + */ + UNICODE_STRING StaticUnicodeString; + /* + A static buffer for use by the application. + */ + WCHAR StaticUnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; + /* + The maximum stack size and indicates the base of the stack. + */ + PVOID DeallocationStack; + /* + Data for Thread Local Storage. (TlsGetValue) + */ + PVOID TlsSlots[TLS_MINIMUM_AVAILABLE]; + /* + Reserved for TLS. + */ + LIST_ENTRY TlsLinks; + /* + Reserved for NTVDM. + */ + PVOID Vdm; + /* + Reserved for RPC. + */ + PVOID ReservedForNtRpc; + /* + Reserved for Debugging (DebugActiveProcess). + */ + PVOID DbgSsReserved[2]; + /* + The error mode for the current thread. (GetThreadErrorMode) + */ + ULONG HardErrorMode; + /* + Reserved. + */ +#ifdef _WIN64 + PVOID Instrumentation[11]; +#else + PVOID Instrumentation[9]; +#endif + /* + Reserved. + */ + GUID ActivityId; + /* + The identifier of the service that created the thread. (svchost) + */ + PVOID SubProcessTag; + /* + Reserved. + */ + PVOID PerflibData; + /* + Reserved. + */ + PVOID EtwTraceData; + /* + The address of a socket handle during a blocking socket operation. (WSAStartup) + */ + HANDLE WinSockData; + /* + The number of function calls accumulated in the current GDI batch. (GdiSetBatchLimit) + */ + ULONG GdiBatchCount; + /* + The preferred processor for the current thread. (SetThreadIdealProcessor/SetThreadIdealProcessorEx) + */ + union + { + PROCESSOR_NUMBER CurrentIdealProcessor; + ULONG IdealProcessorValue; + struct + { + UCHAR ReservedPad0; + UCHAR ReservedPad1; + UCHAR ReservedPad2; + UCHAR IdealProcessor; + }; + }; + /* + The minimum size of the stack available during any stack overflow exceptions. (SetThreadStackGuarantee) + */ + ULONG GuaranteedStackBytes; + /* + Reserved. 
+ */ + PVOID ReservedForPerf; + /* + Reserved for Object Linking and Embedding (OLE) + */ + PSOleTlsData ReservedForOle; + /* + Indicates whether the thread is waiting on the loader lock. + */ + ULONG WaitingOnLoaderLock; + /* + The saved priority state for the thread. + */ + PVOID SavedPriorityState; + /* + Reserved. + */ + ULONG_PTR ReservedForCodeCoverage; + /* + Reserved. + */ + PVOID ThreadPoolData; + /* + Pointer to the TLS (Thread Local Storage) expansion slots for the thread. + */ + PVOID* TlsExpansionSlots; +#ifdef _WIN64 + PVOID ChpeV2CpuAreaInfo; /* CHPEV2_CPUAREA_INFO, previously DeallocationBStore */ + PVOID Unused; /* previously BStoreLimit */ +#endif + /* + The generation of the MUI (Multilingual User Interface) data. + */ + ULONG MuiGeneration; + /* + Indicates whether the thread is impersonating another security context. + */ + ULONG IsImpersonating; + /* + Pointer to the NLS (National Language Support) cache. + */ + PVOID NlsCache; + /* + Pointer to the AppCompat/Shim Engine data. + */ + PVOID pShimData; + /* + Reserved. + */ + ULONG HeapData; + /* + Handle to the current transaction associated with the thread. + */ + HANDLE CurrentTransactionHandle; + /* + Pointer to the active frame for the thread. + */ + PTEB_ACTIVE_FRAME ActiveFrame; + /* + Reserved for FLS (RtlProcessFlsData). + */ + PVOID FlsData; + /* + Pointer to the preferred languages for the current thread. (GetThreadPreferredUILanguages) + */ + PVOID PreferredLanguages; + /* + Pointer to the user-preferred languages for the current thread. (GetUserPreferredUILanguages) + */ + PVOID UserPrefLanguages; + /* + Pointer to the merged preferred languages for the current thread. (MUI_MERGE_USER_FALLBACK) + */ + PVOID MergedPrefLanguages; + /* + Indicates whether the thread is impersonating another user's language settings. + */ + ULONG MuiImpersonation; + /* + Reserved. 
+ */ + union + { + USHORT CrossTebFlags; + USHORT SpareCrossTebBits : 16; + }; + /* + SameTebFlags modify the state and behavior of the current thread. + */ + union + { + USHORT SameTebFlags; + struct + { + USHORT SafeThunkCall : 1; + USHORT InDebugPrint : 1; /* Indicates if the thread is currently in a debug print routine. */ + USHORT HasFiberData : 1; /* Indicates if the thread has local fiber-local storage (FLS). */ + USHORT SkipThreadAttach : 1; /* Indicates if the thread should suppress DLL_THREAD_ATTACH notifications. */ + USHORT WerInShipAssertCode : 1; + USHORT RanProcessInit : 1; /* Indicates if the thread has run process initialization code. */ + USHORT ClonedThread : 1; /* Indicates if the thread is a clone of a different thread. */ + USHORT SuppressDebugMsg : 1; /* Indicates if the thread should suppress LOAD_DLL_DEBUG_INFO notifications. */ + USHORT DisableUserStackWalk : 1; + USHORT RtlExceptionAttached : 1; + USHORT InitialThread : 1; /* Indicates if the thread is the initial thread of the process. */ + USHORT SessionAware : 1; + USHORT LoadOwner : 1; /* Indicates if the thread is the owner of the process loader lock. */ + USHORT LoaderWorker : 1; + USHORT SkipLoaderInit : 1; + USHORT SkipFileAPIBrokering : 1; + }; + }; + /* + Pointer to the callback function that is called when a KTM transaction scope is entered. + */ + PVOID TxnScopeEnterCallback; + /* + Pointer to the callback function that is called when a KTM transaction scope is exited. + */ + PVOID TxnScopeExitCallback; + /* + Pointer to optional context data for use by the application when a KTM transaction scope callback is called. + */ + PVOID TxnScopeContext; + /* + The lock count of critical sections for the current thread. + */ + ULONG LockCount; + /* + The offset to the WOW64 (Windows on Windows) TEB for the current thread. + */ + LONG WowTebOffset; + /* + Reserved. + */ + PVOID ResourceRetValue; + /* + Reserved for Windows Driver Framework (WDF). 
+ */ + PVOID ReservedForWdf; + /* + Reserved for the Microsoft C runtime (CRT). + */ + ULONGLONG ReservedForCrt; + /* + The Host Compute Service (HCS) container identifier. + */ + GUID EffectiveContainerId; + /* + Reserved for Kernel32!Sleep (SpinWait). + */ + ULONGLONG LastSleepCounter; /* since Win11 */ + /* + Reserved for Kernel32!Sleep (SpinWait). + */ + ULONG SpinCallCount; + /* + Extended feature disable mask (AVX). + */ + ULONGLONG ExtendedFeatureDisableMask; + /* + Reserved. + */ + PVOID SchedulerSharedDataSlot; /* since 24H2 */ + /* + Reserved. + */ + PVOID HeapWalkContext; + /* + The primary processor group affinity of the thread. + */ + GROUP_AFFINITY PrimaryGroupAffinity; + /* + Read-copy-update (RCU) synchronization context. + */ + ULONG Rcu[2]; +} TEB, * PTEB; + +/* Thread Basic Information */ +typedef struct _THREAD_BASIC_INFO +{ + NTSTATUS ExitStatus; + PTEB TebBaseAddress; + CLIENT_ID ClientId; + KAFFINITY AffinityMask; + KPRIORITY Priority; + KPRIORITY BasePriority; +} THREAD_BASIC_INFO, * PTHREAD_BASIC_INFO; + +/* T2 Set Parameters */ +typedef struct _T2_SET_PARAMETERS_V0 +{ + ULONG Version; + ULONG Reserved; + LONGLONG NoWakeTolerance; +} T2_SET_PARAMETERS, * PT2_SET_PARAMETERS; + +/* WNF Delivery Descriptor */ +typedef struct _WNF_DELIVERY_DESCRIPTOR +{ + ULONGLONG SubscriptionId; + WNF_STATE_NAME StateName; + WNF_CHANGE_STAMP ChangeStamp; + ULONG StateDataSize; + ULONG EventMask; + WNF_TYPE_ID TypeId; + ULONG StateDataOffset; +} WNF_DELIVERY_DESCRIPTOR, * PWNF_DELIVERY_DESCRIPTOR; + +/* Worker Factory Deferred Work */ +typedef struct _WORKER_FACTORY_DEFERRED_WORK +{ + PPORT_MESSAGE AlpcSendMessage; + PVOID AlpcSendMessagePort; + ULONG AlpcSendMessageFlags; + ULONG Flags; } WORKER_FACTORY_DEFERRED_WORK, * PWORKER_FACTORY_DEFERRED_WORK; \ No newline at end of file diff --git a/SysCallerK/Wrapper/src/dummy.c b/SysCallerK/Wrapper/src/dummy.c index 6a4aca4..369845b 100644 --- a/SysCallerK/Wrapper/src/dummy.c +++ b/SysCallerK/Wrapper/src/dummy.c 
@@ -1,3 +1,3 @@
 /* required for Visual Studio to parse C headers like ntifs.h */
-#include "syscaller_k.h"
\ No newline at end of file
+#include
\ No newline at end of file
From 94b47c5e9310981bc0444587eee63eb305e7a1ea Mon Sep 17 00:00:00 2001
From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com>
Date: Tue, 11 Nov 2025 22:26:14 -0800
Subject: [PATCH 13/32] rename to SysCaller.asm
---
 SysCaller/Wrapper/src/{syscaller.asm => SysCaller.asm} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename SysCaller/Wrapper/src/{syscaller.asm => SysCaller.asm} (100%)
diff --git a/SysCaller/Wrapper/src/syscaller.asm b/SysCaller/Wrapper/src/SysCaller.asm
similarity index 100%
rename from SysCaller/Wrapper/src/syscaller.asm
rename to SysCaller/Wrapper/src/SysCaller.asm
From 2c5e222a009d4fb3f00e7eca36f48c5b3b9e296d Mon Sep 17 00:00:00 2001
From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com>
Date: Tue, 11 Nov 2025 22:26:35 -0800
Subject: [PATCH 14/32] rename to DllMain.cpp
---
 SysCaller/Wrapper/src/DLL/{dllmain.cpp => DllMain.cpp} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename SysCaller/Wrapper/src/DLL/{dllmain.cpp => DllMain.cpp} (99%)
diff --git a/SysCaller/Wrapper/src/DLL/dllmain.cpp b/SysCaller/Wrapper/src/DLL/DllMain.cpp
similarity index 99%
rename from SysCaller/Wrapper/src/DLL/dllmain.cpp
rename to SysCaller/Wrapper/src/DLL/DllMain.cpp
index deee060..0808fa7 100644
--- a/SysCaller/Wrapper/src/DLL/dllmain.cpp
+++ b/SysCaller/Wrapper/src/DLL/DllMain.cpp
@@ -23,4 +23,4 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserv
 #else /* not in bindings mode file compiles to nothing */
 #pragma message("SysCaller: DllMain.cpp skipped (SYSCALLER_BINDINGS not defined)")
-#endif
\ No newline at end of file
+#endif
From 1d6c368fe344a44a6e7f59132ab563ee06cd7b07 Mon Sep 17 00:00:00 2001
From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:27:07 -0800 Subject: [PATCH 15/32] rename to SysCaller.h --- SysCaller/Wrapper/include/{syscaller.h => SysCaller.h} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename SysCaller/Wrapper/include/{syscaller.h => SysCaller.h} (99%) diff --git a/SysCaller/Wrapper/include/syscaller.h b/SysCaller/Wrapper/include/SysCaller.h similarity index 99% rename from SysCaller/Wrapper/include/syscaller.h rename to SysCaller/Wrapper/include/SysCaller.h index 3cb9419..17ec8af 100644 --- a/SysCaller/Wrapper/include/syscaller.h +++ b/SysCaller/Wrapper/include/SysCaller.h @@ -92,4 +92,4 @@ #error "For SYSCALLER_INDIRECT mode, you must define one resolver: SYSCALLER_RESOLVER_PEB_LDR, SYSCALLER_RESOLVER_MEMORY_EXPORT, SYSCALLER_RESOLVER_HASHED_EXPORT, or SYSCALLER_RESOLVER_DISK_MAPPED" #endif -#endif \ No newline at end of file +#endif From eabf3a088b0400ff4c502162766d633cdac8c183 Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:27:23 -0800 Subject: [PATCH 16/32] rename to SysConstants.h --- .../Wrapper/include/Sys/{sysConstants.h => SysConstants.h} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename SysCaller/Wrapper/include/Sys/{sysConstants.h => SysConstants.h} (97%) diff --git a/SysCaller/Wrapper/include/Sys/sysConstants.h b/SysCaller/Wrapper/include/Sys/SysConstants.h similarity index 97% rename from SysCaller/Wrapper/include/Sys/sysConstants.h rename to SysCaller/Wrapper/include/Sys/SysConstants.h index f7fd263..4c9cb3c 100644 --- a/SysCaller/Wrapper/include/Sys/sysConstants.h +++ b/SysCaller/Wrapper/include/Sys/SysConstants.h @@ -67,4 +67,4 @@ #define SECTION_ALL_ACCESS 0x10000000 #define SEC_WRITECOMBINE 0x40000000 #define SEC_LARGE_PAGES 0x80000000 -#define SEC_IMAGE_NO_EXECUTE (SEC_IMAGE | SEC_NOCACHE) \ No newline at end of file +#define SEC_IMAGE_NO_EXECUTE (SEC_IMAGE | SEC_NOCACHE) 
From b263273eced343fb1ddf3e555cbdca63f3321e52 Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:27:49 -0800 Subject: [PATCH 17/32] rename to SysExternals.h --- .../Wrapper/include/Sys/{sysExternals.h => SysExternals.h} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename SysCaller/Wrapper/include/Sys/{sysExternals.h => SysExternals.h} (97%) diff --git a/SysCaller/Wrapper/include/Sys/sysExternals.h b/SysCaller/Wrapper/include/Sys/SysExternals.h similarity index 97% rename from SysCaller/Wrapper/include/Sys/sysExternals.h rename to SysCaller/Wrapper/include/Sys/SysExternals.h index 5c1a3a5..235a83a 100644 --- a/SysCaller/Wrapper/include/Sys/sysExternals.h +++ b/SysCaller/Wrapper/include/Sys/SysExternals.h @@ -705,4 +705,4 @@ typedef enum _WORKERFACTORYINFOCLASS WorkerFactoryThreadSoftMaximum, /* s: ULONG */ WorkerFactoryThreadCpuSets, /* since REDSTONE5 */ MaxWorkerFactoryInfoClass -} WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS; \ No newline at end of file +} WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS; From b83bf6ff4486b90a3486af6afa20b2262eef6d46 Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:28:12 -0800 Subject: [PATCH 18/32] rename to SysFunctions.h --- .../Wrapper/include/Sys/{sysFunctions.h => SysFunctions.h} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename SysCaller/Wrapper/include/Sys/{sysFunctions.h => SysFunctions.h} (95%) diff --git a/SysCaller/Wrapper/include/Sys/sysFunctions.h b/SysCaller/Wrapper/include/Sys/SysFunctions.h similarity index 95% rename from SysCaller/Wrapper/include/Sys/sysFunctions.h rename to SysCaller/Wrapper/include/Sys/SysFunctions.h index 61db9a5..21e4727 100644 --- a/SysCaller/Wrapper/include/Sys/sysFunctions.h +++ b/SysCaller/Wrapper/include/Sys/SysFunctions.h @@ -3468,4 +3468,4 @@ NTSTATUS SCYieldExecution(VOID); } #endif -#endif \ No newline at end of file +#endif 
From ad106ab77b705840f90fc8f35265a2385add898b Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:28:29 -0800 Subject: [PATCH 19/32] rename to SysTypes.h --- SysCaller/Wrapper/include/Sys/{sysTypes.h => SysTypes.h} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename SysCaller/Wrapper/include/Sys/{sysTypes.h => SysTypes.h} (97%) diff --git a/SysCaller/Wrapper/include/Sys/sysTypes.h b/SysCaller/Wrapper/include/Sys/SysTypes.h similarity index 97% rename from SysCaller/Wrapper/include/Sys/sysTypes.h rename to SysCaller/Wrapper/include/Sys/SysTypes.h index 5556f12..c45d80f 100644 --- a/SysCaller/Wrapper/include/Sys/sysTypes.h +++ b/SysCaller/Wrapper/include/Sys/SysTypes.h @@ -440,4 +440,4 @@ typedef struct _WORKER_FACTORY_DEFERRED_WORK PVOID AlpcSendMessagePort; ULONG AlpcSendMessageFlags; ULONG Flags; -} WORKER_FACTORY_DEFERRED_WORK, * PWORKER_FACTORY_DEFERRED_WORK; \ No newline at end of file +} WORKER_FACTORY_DEFERRED_WORK, * PWORKER_FACTORY_DEFERRED_WORK; From eb565a7e5d2f589cb08a5269a77c8a2f58d0c483 Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:29:08 -0800 Subject: [PATCH 20/32] rename to Dummy.c --- SysCallerK/Wrapper/src/{dummy.c => Dummy.c} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename SysCallerK/Wrapper/src/{dummy.c => Dummy.c} (70%) diff --git a/SysCallerK/Wrapper/src/dummy.c b/SysCallerK/Wrapper/src/Dummy.c similarity index 70% rename from SysCallerK/Wrapper/src/dummy.c rename to SysCallerK/Wrapper/src/Dummy.c index 369845b..f851888 100644 --- a/SysCallerK/Wrapper/src/dummy.c +++ b/SysCallerK/Wrapper/src/Dummy.c @@ -1,3 +1,3 @@ /* required for Visual Studio to parse C headers like ntifs.h */ -#include \ No newline at end of file +#include From e40aaa877b42d72e5d46779f6f826b385962ad8f Mon Sep 17 00:00:00 2001 
From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:29:31 -0800 Subject: [PATCH 21/32] rename to SysCaller.asm --- SysCallerK/Wrapper/src/{syscaller.asm => SysCaller.asm} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename SysCallerK/Wrapper/src/{syscaller.asm => SysCaller.asm} (100%) diff --git a/SysCallerK/Wrapper/src/syscaller.asm b/SysCallerK/Wrapper/src/SysCaller.asm similarity index 100% rename from SysCallerK/Wrapper/src/syscaller.asm rename to SysCallerK/Wrapper/src/SysCaller.asm From a242f069d56f042191777c1baff81276305fa43e Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:30:09 -0800 Subject: [PATCH 22/32] rename to SysCaller.asm --- Default/{syscaller.asm => SysCaller.asm} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Default/{syscaller.asm => SysCaller.asm} (100%) diff --git a/Default/syscaller.asm b/Default/SysCaller.asm similarity index 100% rename from Default/syscaller.asm rename to Default/SysCaller.asm From 12c18b717160b5c593930329104b43497320f433 Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:30:27 -0800 Subject: [PATCH 23/32] rename to SysFunctions.h --- Default/{sysFunctions.h => SysFunctions.h} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Default/{sysFunctions.h => SysFunctions.h} (100%) diff --git a/Default/sysFunctions.h b/Default/SysFunctions.h similarity index 100% rename from Default/sysFunctions.h rename to Default/SysFunctions.h From 19bb46b9ec6df0d843363801e0f073b8512e28fe Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:30:47 -0800 Subject: [PATCH 24/32] rename to SysKFunctions.h --- Default/{SysFunctionsK.h => SysKFunctions.h} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename Default/{SysFunctionsK.h => SysKFunctions.h} (99%) 
diff --git a/Default/SysFunctionsK.h b/Default/SysKFunctions.h
similarity index 99%
rename from Default/SysFunctionsK.h
rename to Default/SysKFunctions.h
index 9a9c50a..520e8a9 100644
--- a/Default/SysFunctionsK.h
+++ b/Default/SysKFunctions.h
@@ -3469,4 +3469,4 @@ NTSTATUS SCYieldExecution(VOID);
 }
 #endif
-#endif
\ No newline at end of file
+#endif
From 96d1d6b030f51d19dfee7cff5951802767997a9a Mon Sep 17 00:00:00 2001
From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com>
Date: Tue, 11 Nov 2025 22:45:28 -0800
Subject: [PATCH 25/32] fix RCC file generation logic in build.yml
---
 .github/workflows/build.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c44fd90..811d584 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -205,12 +205,17 @@ jobs:
 # Generate RCC file manually
 if (Test-Path $rccPath) {
 Write-Host "Generating RCC file..."
+ $rccInput = "src/Res/resources.qrc"
 $rccOutput = "GeneratedFiles/qrc_resources.cpp"
- & $rccPath -name resources "resources.qrc" -o $rccOutput
- if ($LASTEXITCODE -eq 0) {
- Write-Host "Successfully generated RCC file: $rccOutput"
+ if (Test-Path $rccInput) {
+ & $rccPath -name resources $rccInput -o $rccOutput
+ if ($LASTEXITCODE -eq 0) {
+ Write-Host "Successfully generated RCC file: $rccOutput"
+ } else {
+ Write-Host "RCC generation failed with exit code: $LASTEXITCODE"
+ }
 } else {
- Write-Host "RCC generation failed with exit code: $LASTEXITCODE"
+ Write-Host "RCC input file not found: $rccInput"
 }
 } else {
 Write-Host "RCC tool not found, skipping resource compilation"
@@ -468,4 +473,4 @@ jobs:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
 asset_path: Bind/Bind-v1.3.2.zip
 asset_name: Bind-v1.3.2.zip
- asset_content_type: application/zip
\ No newline at end of file
+ asset_content_type: application/zip
From 5f64b093b144d973066cdc37eda8077499e3196b Mon Sep 17 00:00:00 2001
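Review bot: Both new `else` branches in the `@@ -205,12 +205,17 @@` hunk only `Write-Host` and let the step succeed, so a missing `src/Res/resources.qrc` or a non-zero rcc exit code still yields a green step and a Bind.exe without its Qt resources, with the failure surfacing later or not at all. Each branch should fail the step, e.g. `Write-Host "RCC input file not found: $rccInput"; exit 1` and `Write-Host "RCC generation failed with exit code: $LASTEXITCODE"; exit 1`, so that a broken resource build is caught where it happens. `$rccInput` is resolved against the step's working directory, which lies outside this hunk, so whether the `src/Res/` prefix is correct cannot be confirmed here.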
From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:48:51 -0800 Subject: [PATCH 26/32] update build configuration to use SysCaller.sln forgot we arent using Bind.sln anymore. --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 811d584..477ac84 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -270,7 +270,7 @@ jobs: Write-Host "VcpkgRoot: $env:VcpkgRoot" Write-Host "VCPKG_ROOT: $env:VCPKG_ROOT" - msbuild "Bind.sln" /p:Configuration=Debug /p:Platform=x64 /p:VcpkgEnabled=true /p:VcpkgEnableManifest=true /p:VcpkgUseStatic=false /p:VcpkgTriplet=x64-windows /p:QTDIR="$env:QTDIR" /p:VcpkgRoot="$env:VcpkgRoot" + msbuild "../SysCaller.sln" /p:Configuration=Debug /p:Platform=x64 /p:VcpkgEnabled=true /p:VcpkgEnableManifest=true /p:VcpkgUseStatic=false /p:VcpkgTriplet=x64-windows /p:QTDIR="$env:QTDIR" /p:VcpkgRoot="$env:VcpkgRoot" /t:Bind - name: Copy Vcpkg Dependencies (Debug) run: | @@ -322,7 +322,7 @@ jobs: Write-Host "VcpkgRoot: $env:VcpkgRoot" Write-Host "VCPKG_ROOT: $env:VCPKG_ROOT" - msbuild "Bind.sln" /p:Configuration=Release /p:Platform=x64 /p:VcpkgEnabled=true /p:VcpkgEnableManifest=true /p:VcpkgUseStatic=false /p:VcpkgTriplet=x64-windows /p:QTDIR="$env:QTDIR" /p:VcpkgRoot="$env:VcpkgRoot" + msbuild "../SysCaller.sln" /p:Configuration=Release /p:Platform=x64 /p:VcpkgEnabled=true /p:VcpkgEnableManifest=true /p:VcpkgUseStatic=false /p:VcpkgTriplet=x64-windows /p:QTDIR="$env:QTDIR" /p:VcpkgRoot="$env:VcpkgRoot" /t:Bind - name: Copy Vcpkg Dependencies (Release) run: | From c7240e9072ca21b3869aca9f8b7cfbb98c98f2f1 Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 22:55:23 -0800 Subject: [PATCH 27/32] update vcxproj & removed hardcoded paths. --- Bind/Bind.vcxproj | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
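Review bot: `msbuild "../SysCaller.sln" ... /t:Bind` in both hunks (`@@ -270,7 +270,7 @@` and `@@ -322,7 +322,7 @@`) depends on the step's `working-directory` being one level below the solution, and that setting is not visible in the hunks; if a step runs from the checkout root the `..` escapes the workspace and the job fails with an unhelpful file-not-found. Anchoring the path on the runner's workspace, e.g. `msbuild "$env:GITHUB_WORKSPACE\SysCaller.sln" /p:Configuration=Debug ... /t:Bind`, makes the build independent of where the step happens to run.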
diff --git a/Bind/Bind.vcxproj b/Bind/Bind.vcxproj index 40b2a24..64cdb6a 100644 --- a/Bind/Bind.vcxproj +++ b/Bind/Bind.vcxproj @@ -1,4 +1,4 @@ - + @@ -37,11 +37,11 @@ - C:\Qt\5.15.2\msvc2019_64 + C:\Qt\5.15.2\msvc2019_64 debug - C:\Qt\5.15.2\msvc2019_64 + C:\Qt\5.15.2\msvc2019_64 5.15.2_msvc2019_64 @@ -81,13 +81,13 @@ _DEBUG;UNICODE;_UNICODE;QT_WIDGETS_LIB;QT_GUI_LIB;QT_CORE_LIB;QT_DLL;%(PreprocessorDefinitions) true stdcpp20 - GeneratedFiles\$(ConfigurationName);GeneratedFiles;C:\Qt\5.15.2\msvc2019_64\include;C:\Qt\5.15.2\msvc2019_64\include\QtCore;C:\Qt\5.15.2\msvc2019_64\include\QtGui;C:\Qt\5.15.2\msvc2019_64\include\QtWidgets;C:\Users\devil\vcpkg\installed\x64-windows\include;C:\Users\devil\source\repos\SysCaller\Bind\include;%(AdditionalIncludeDirectories) + GeneratedFiles\$(ConfigurationName);GeneratedFiles;$(QTDIR)\include;$(QTDIR)\include\QtCore;$(QTDIR)\include\QtGui;$(QTDIR)\include\QtWidgets;$(VcpkgRoot)\installed\x64-windows\include;$(MSBuildProjectDirectory)\include;%(AdditionalIncludeDirectories) true Windows true - C:\Qt\5.15.2\msvc2019_64\lib;C:\Users\devil\vcpkg\installed\x64-windows\lib;%(AdditionalLibraryDirectories) + $(QTDIR)\lib;$(VcpkgRoot)\installed\x64-windows\lib;%(AdditionalLibraryDirectories) Qt5Core.lib;Qt5Gui.lib;Qt5Widgets.lib;cmark.lib;pe-parse.lib;%(AdditionalDependencies) 
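Review bot: The include and library directories in this hunk and in `@@ -100,13 +100,13 @@` now expand `$(QTDIR)` and `$(VcpkgRoot)`, but nothing in the project fails when either property is empty; an unset `VcpkgRoot` silently turns `$(VcpkgRoot)\installed\x64-windows\include` into the drive-relative `\installed\x64-windows\include`, and the resulting "cannot open include file" error does not point at the missing property. A guard in a target that runs before compilation, e.g. `<Error Condition="'$(QTDIR)' == '' Or '$(VcpkgRoot)' == ''" Text="QTDIR and VcpkgRoot must be set (environment or /p:)" />`, makes the requirement explicit for local builds that do not go through the workflow. The `@@ -37,11 +37,11 @@` hunk appears to keep `C:\Qt\5.15.2\msvc2019_64` as a literal on both sides; the element tags are stripped in this rendering, so whether that is an intended QTDIR fallback cannot be confirmed here.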
@@ -100,13 +100,13 @@ NDEBUG;UNICODE;_UNICODE;QT_WIDGETS_LIB;QT_GUI_LIB;QT_CORE_LIB;QT_DLL;%(PreprocessorDefinitions) true stdcpp20 - GeneratedFiles\$(ConfigurationName);GeneratedFiles;C:\Qt\5.15.2\msvc2019_64\include;C:\Qt\5.15.2\msvc2019_64\include\QtCore;C:\Qt\5.15.2\msvc2019_64\include\QtGui;C:\Qt\5.15.2\msvc2019_64\include\QtWidgets;C:\Users\devil\vcpkg\installed\x64-windows\include;C:\Users\devil\source\repos\SysCaller\Bind\include;%(AdditionalIncludeDirectories) + GeneratedFiles\$(ConfigurationName);GeneratedFiles;$(QTDIR)\include;$(QTDIR)\include\QtCore;$(QTDIR)\include\QtGui;$(QTDIR)\include\QtWidgets;$(VcpkgRoot)\installed\x64-windows\include;$(MSBuildProjectDirectory)\include;%(AdditionalIncludeDirectories) true Windows true - C:\Qt\5.15.2\msvc2019_64\lib;C:\Users\devil\vcpkg\installed\x64-windows\lib;%(AdditionalLibraryDirectories) + $(QTDIR)\lib;$(VcpkgRoot)\installed\x64-windows\lib;%(AdditionalLibraryDirectories) Qt5Core.lib;Qt5Gui.lib;Qt5Widgets.lib;pe-parse.lib;cmark.lib;%(AdditionalDependencies) @@ -374,4 +374,4 @@ - \ No newline at end of file + From a7b2c3432aab101b06131027a26d7012d5fb2d36 Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 23:01:08 -0800 Subject: [PATCH 28/32] add missing main.cpp --- Bind/main.cpp | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 Bind/main.cpp diff --git a/Bind/main.cpp b/Bind/main.cpp new file mode 100644 index 0000000..bcb4e7e --- /dev/null +++ b/Bind/main.cpp 
@@ -0,0 +1,33 @@
+#include
+#include
+
+int main(int argc, char *argv[]) {
+ qputenv("QT_LOGGING_RULES", "*.debug=true;qt.qpa.*=false");
+ QApplication app(argc, argv);
+ app.setStyle(QStyleFactory::create("Fusion"));
+ app.setWindowIcon(QIcon(":/Icons/logo.ico"));
+ int fontId = QFontDatabase::addApplicationFont(":/Fonts/ibmplexmono.ttf");
+ if (fontId != -1) {
+ QStringList fontFamilies = QFontDatabase::applicationFontFamilies(fontId);
+ if (!fontFamilies.isEmpty()) {
+ app.setFont(QFont(fontFamilies.first(), 10));
+ }
+ }
+ app.setStyleSheet(
+ "* {"
+ " font-family: 'IBM Plex Mono';"
+ "}"
+ "QToolTip {"
+ " background-color: #1E1E1E;"
+ " color: white;"
+ " border: 1px solid #2196F3;"
+ " border-radius: 4px;"
+ " padding: 5px;"
+ " font-family: 'IBM Plex Mono';"
+ "}"
+ );
+ QString projectRoot = PathUtils::getProjectRoot();
+ MainWindow w;
+ w.show();
+ return app.exec();
+}
From eb0bf8e8703485ef61f409ce9acbd6214b09b218 Mon Sep 17 00:00:00 2001
From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com>
Date: Tue, 11 Nov 2025 23:07:30 -0800
Subject: [PATCH 29/32] add missing moc files to build
---
 Bind/Bind.vcxproj | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/Bind/Bind.vcxproj b/Bind/Bind.vcxproj
index 64cdb6a..9b2150b 100644
--- a/Bind/Bind.vcxproj
+++ b/Bind/Bind.vcxproj
@@ -157,8 +157,34 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + +
From 0bc3094d9947e5a78b505b2b3ea5df6916ebf680 Mon Sep 17 00:00:00 2001
From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com>
Date: Tue, 11 Nov 2025 23:13:23 -0800
Subject: [PATCH 30/32] add qtmain.lib to linker deps
---
 Bind/Bind.vcxproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Bind/Bind.vcxproj b/Bind/Bind.vcxproj
index 9b2150b..f68a5c3 100644
--- a/Bind/Bind.vcxproj
+++ b/Bind/Bind.vcxproj
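Review bot: `QString projectRoot = PathUtils::getProjectRoot();` near the end of the new `main` is assigned and never read, so it is either dead code that should be removed or a lost wiring step whose value was meant to reach `MainWindow`. Separately, `qputenv("QT_LOGGING_RULES", "*.debug=true;qt.qpa.*=false")` on the first line of `main` unconditionally overrides whatever the user or operator configured and enables every category's debug output in release builds as well, which is noisy and can put file paths and internal state into logs; guard it with `if (!qEnvironmentVariableIsSet("QT_LOGGING_RULES"))` or wrap it in `#ifndef QT_NO_DEBUG` so release builds keep the default logging rules.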
@@ -88,7 +88,7 @@ Windows true $(QTDIR)\lib;$(VcpkgRoot)\installed\x64-windows\lib;%(AdditionalLibraryDirectories) - Qt5Core.lib;Qt5Gui.lib;Qt5Widgets.lib;cmark.lib;pe-parse.lib;%(AdditionalDependencies) + Qt5Core.lib;Qt5Gui.lib;Qt5Widgets.lib;qtmain.lib;cmark.lib;pe-parse.lib;%(AdditionalDependencies) From 23f9e2bf2a77758be10ca4cbcf5316dccfe2cbc7 Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 23:20:56 -0800 Subject: [PATCH 31/32] fix paths for Vcpkg dependencies and executables Updated paths for Vcpkg dependencies and executable verification in the build workflow. --- .github/workflows/build.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 477ac84..49805af 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -275,7 +275,7 @@ jobs: - name: Copy Vcpkg Dependencies (Debug) run: | Write-Host "Copying Vcpkg Dependencies for Debug Build..." - $outputDir = "Build/Bind/Debug" + $outputDir = "../Build/Bind/Debug" $vcpkgBin = "${{ github.workspace }}/vcpkg/installed/x64-windows/bin" # Copy Vcpkg Dependencies (Qt dependencies will be handled by windeployqt) @@ -303,10 +303,10 @@ jobs: Get-ChildItem "GeneratedFiles" -Name | Where-Object { $_ -like "*qrc*" } | ForEach-Object { Write-Host "Found RCC file: $_" } } - & $windeployqt "Build/Bind/Debug/Bind.exe" --debug --no-compiler-runtime --no-opengl-sw --force + & $windeployqt "../Build/Bind/Debug/Bind.exe" --debug --no-compiler-runtime --no-opengl-sw --force if ($LASTEXITCODE -eq 0) { Write-Host "Qt deployment completed successfully for Debug build" - Get-ChildItem "Build/Bind/Debug" -Name | Sort-Object + Get-ChildItem "../Build/Bind/Debug" -Name | Sort-Object } else { Write-Host "windeployqt failed with exit code: $LASTEXITCODE" } 
@@ -327,7 +327,7 @@ jobs:
 - name: Copy Vcpkg Dependencies (Release)
 run: |
 Write-Host "Copying Vcpkg Dependencies for Release Build..."
- $outputDir = "Build/Bind/Release"
+ $outputDir = "../Build/Bind/Release"
 $vcpkgBin = "${{ github.workspace }}/vcpkg/installed/x64-windows/bin"
 # Copy Vcpkg Dependencies (Qt dependencies will be handled by windeployqt)
@@ -350,10 +350,10 @@ jobs:
 if (Test-Path $windeployqt) {
 Write-Host "Running windeployqt on Release executable..."
- & $windeployqt "Build/Bind/Release/Bind.exe" --release --no-compiler-runtime --no-opengl-sw --force
+ & $windeployqt "../Build/Bind/Release/Bind.exe" --release --no-compiler-runtime --no-opengl-sw --force
 if ($LASTEXITCODE -eq 0) {
 Write-Host "Qt deployment completed successfully for Release build"
- Get-ChildItem "Build/Bind/Release" -Name | Sort-Object
+ Get-ChildItem "../Build/Bind/Release" -Name | Sort-Object
 } else {
 Write-Host "windeployqt failed with exit code: $LASTEXITCODE"
 }
@@ -363,18 +363,18 @@ jobs:
 - name: Verify Executables Exist
 run: |
- if (Test-Path "Build/Bind/Release/Bind.exe") {
+ if (Test-Path "../Build/Bind/Release/Bind.exe") {
 Write-Host "Bind.exe (Release) Built Successfully!"
- Get-Item "Build/Bind/Release/Bind.exe" | Select-Object Name, Length, LastWriteTime
+ Get-Item "../Build/Bind/Release/Bind.exe" | Select-Object Name, Length, LastWriteTime
 } else {
 Write-Host "Bind.exe (Release) not found!"
 Get-ChildItem -Recurse -Name "*.exe" | ForEach-Object { Write-Host "Found: $_" }
 exit 1
 }
- if (Test-Path "Build/Bind/Debug/Bind.exe") {
+ if (Test-Path "../Build/Bind/Debug/Bind.exe") {
 Write-Host "Bind.exe (Debug) Built Successfully!"
- Get-Item "Build/Bind/Debug/Bind.exe" | Select-Object Name, Length, LastWriteTime
+ Get-Item "../Build/Bind/Debug/Bind.exe" | Select-Object Name, Length, LastWriteTime
 } else {
 Write-Host "Bind.exe (Debug) not found!"
 }
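Review bot: The `Verify Executables Exist` step in the `@@ -363` hunk passes as long as Bind.exe exists, while the Release windeployqt block in the `@@ -350` hunk only logs on failure (`Write-Host "windeployqt failed with exit code: $LASTEXITCODE"` with no `exit`), so a broken Qt deployment still yields a green build and a release package without the Qt runtime. Either propagate the failure there with `exit $LASTEXITCODE`, or make the verify step confirm deployment happened, e.g. `if (-not (Test-Path "../Build/Bind/Release/Qt5Core.dll")) { Write-Host "Qt runtime not deployed"; exit 1 }` (Qt5Core is what the project links, per the vcxproj hunk earlier on this page). The Debug branch of the verify step also only prints `Bind.exe (Debug) not found!` without failing — acceptable if Debug is optional, but that intent should be stated in a comment. Both `run: |` scripts extend beyond their hunks.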
@@ -388,14 +388,14 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: Bind-Release
- path: Bind/Build/Bind/Release/
+ path: Build/Bind/Release/
 retention-days: 30
 - name: Upload Build Artifacts (Debug)
 uses: actions/upload-artifact@v4
 with:
 name: Bind-Debug
- path: Bind/Build/Bind/Debug/
+ path: Build/Bind/Debug/
 retention-days: 30
 - name: Create Release Package
@@ -406,7 +406,7 @@ jobs:
 New-Item -ItemType Directory -Path "release-package" -Force
- Copy-Item "Build/Bind/Release/*" "release-package\" -Recurse
+ Copy-Item "../Build/Bind/Release/*" "release-package\" -Recurse
 # Create README
 $version = "v1.3.2"
From 78396a087d518cba636c78829a211ae45e693ef0 Mon Sep 17 00:00:00 2001 From: WindowsAPI <82195276+WindowsAPI@users.noreply.github.com> Date: Tue, 11 Nov 2025 23:30:16 -0800 Subject: [PATCH 32/32] add qtmain.lib to linker deps for release
---
 Bind/Bind.vcxproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Bind/Bind.vcxproj b/Bind/Bind.vcxproj
index f68a5c3..8b08916 100644
--- a/Bind/Bind.vcxproj
+++ b/Bind/Bind.vcxproj
@@ -107,7 +107,7 @@ Windows true $(QTDIR)\lib;$(VcpkgRoot)\installed\x64-windows\lib;%(AdditionalLibraryDirectories)
- Qt5Core.lib;Qt5Gui.lib;Qt5Widgets.lib;pe-parse.lib;cmark.lib;%(AdditionalDependencies)
+ Qt5Core.lib;Qt5Gui.lib;Qt5Widgets.lib;qtmain.lib;pe-parse.lib;cmark.lib;%(AdditionalDependencies)
 "$(QTDIR)\bin\windeployqt.exe" "$(TargetPath)"
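Review bot: The upload-artifact paths in the `@@ -388` hunk are `Build/Bind/Release/` and `Build/Bind/Debug/`, while every `run:` step in this file now uses `../Build/Bind/...`; the two only coincide if the job sets a default `working-directory` one level below the repo root for `run:` steps (which `uses:` steps ignore), and that default is not visible in these hunks. A comment on the upload step would stop the next person from "fixing" one form to match the other, e.g. `# uses: steps resolve paths from the workspace root; run: steps use the job's working-directory, hence ../Build there`. Separately, `$version = "v1.3.2"` in the Create Release Package step is a hard-coded context line that will drift from the git tag — consider deriving it from `${{ github.ref_name }}`. The `run: |` script of that step continues outside the hunk.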
