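/*++

Copyright (c)

Module Name:

    SafeModel.h

Abstract:

    Shared header of the SafeModel monitoring driver and its Win32 front end.
    It defines the IOCTL codes and device names used to talk to the driver,
    the record layouts passed between kernel and user mode, the NT structure
    layouts the driver relies on, the function-pointer types of the system
    services it hooks, and the prototypes of the hook ("Faked*") routines and
    their helpers.

    This framework is generated by QuickSYS 0.4

Author:

    <your name>

Environment:

    User or kernel mode.

Revision History:

--*/

#ifndef _SAFEMODEL_H
#define _SAFEMODEL_H 1
/*
 * The include guard covers the whole header -- the DDK includes, every
 * typedef/struct/enum and all prototypes -- not only the IOCTL section, so a
 * translation unit that includes this file twice does not hit redefinition
 * errors on the types below.
 */

/*
 * SAL / DDK annotation macros do not exist outside the Microsoft toolchain;
 * stub them out so the prototypes below compile with GCC (MinGW DDK).
 *
 * NOTE(review): stubbing __try to nothing also removes structured exception
 * handling from the GCC build, so a __try-protected probe of a user-mode
 * pointer would bugcheck instead of being caught. Whether __except/__finally
 * are handled for GCC somewhere else is not visible in this header -- confirm
 * before relying on SEH in the GCC build.
 */
#ifndef _MSC_VER
#define __in
#define __out
#define __inout
#define __in_opt
#define __out_opt
#define __deref_out
#define __out_bcount_opt(x)
#define IN
#define OUT
#define OPTIONAL
#define __try
#endif // _MSC_VER

//#define NTDDI_VERSION NTDDI_VISTA

//
// Device type value. Values 0-0x7FFF (32767) are used by Microsoft
// Corporation; 0x8000 (32768) - 0xFFFF (65535) are reserved for customers.
//
#define FILE_DEVICE_SAFEMODEL 0x8000

//
// Base of the IOCTL/FSCTL function codes. Function codes 0-0x7FF (2047) are
// reserved for Microsoft Corporation; 0x800 (2048) - 0xFFF (4095) are
// reserved for customers.
//
#define SAFEMODEL_IOCTL_BASE 0x800

//
// Build the control code for SafeModel IOCTL function number i.
//
// METHOD_BUFFERED: the I/O manager copies the caller's input into a system
// buffer and the output back out, so the dispatch routine never dereferences
// user addresses directly. It must still validate InputBufferLength /
// OutputBufferLength against the expected structure sizes before touching
// the buffer.
//
// FILE_ANY_ACCESS: no particular access right is required on the device
// handle. Because the same code space switches every monitor OFF, the device
// object's security descriptor (set where the device is created, not in this
// header) is the only barrier stopping an unprivileged local process from
// silently disabling the protection -- confirm it is restricted to
// administrators / SYSTEM.
//
// The argument is parenthesised so that an expression argument expands
// correctly.
//
#define CTL_CODE_SAFEMODEL(i) \
    CTL_CODE(FILE_DEVICE_SAFEMODEL, (SAFEMODEL_IOCTL_BASE + (i)), METHOD_BUFFERED, FILE_ANY_ACCESS)

//
// I/O control codes. Each monitored operation has an ON and an OFF code.
// The CRATE_* / DRIVE_* / *_MONITER_* spellings are part of the interface
// shared with the user-mode front end and are kept unchanged.
//
#define DRIVE_INITIALIZE             CTL_CODE_SAFEMODEL(0)
#define CRATE_PROCESS_MONITOR_ON     CTL_CODE_SAFEMODEL(1)
#define CRATE_PROCESS_MONITOR_OFF    CTL_CODE_SAFEMODEL(2)
#define WRITE_VIRTUAL_MEMORY_ON      CTL_CODE_SAFEMODEL(3)
#define WRITE_VIRTUAL_MEMORY_OFF     CTL_CODE_SAFEMODEL(4)
#define SET_VALUEKEY_MONITOR_ON      CTL_CODE_SAFEMODEL(5)
#define SET_VALUEKEY_MONITOR_OFF     CTL_CODE_SAFEMODEL(6)
#define SET_HOOK_MONITOR_ON          CTL_CODE_SAFEMODEL(7)
#define SET_HOOK_MONITOR_OFF         CTL_CODE_SAFEMODEL(8)
#define SET_SYSTEMTIME_MONITOR_ON    CTL_CODE_SAFEMODEL(9)
#define SET_SYSTEMTIME_MONITOR_OFF   CTL_CODE_SAFEMODEL(10)
#define WRITE_FILE_MONITOR_ON        CTL_CODE_SAFEMODEL(11)
#define WRITE_FILE_MONITOR_OFF       CTL_CODE_SAFEMODEL(12)
#define SYSTEM_DEBUG_MONITER_ON      CTL_CODE_SAFEMODEL(13)
#define SYSTEM_DEBUG_MONITER_OFF     CTL_CODE_SAFEMODEL(14)
#define LOAD_DRIVE_MONITOR_ON        CTL_CODE_SAFEMODEL(15)
#define LOAD_DRIVE_MONITOR_OFF       CTL_CODE_SAFEMODEL(16)
#define OPEN_SECTION_MONITOR_ON      CTL_CODE_SAFEMODEL(17)
#define OPEN_SECTION_MONITOR_OFF     CTL_CODE_SAFEMODEL(18)
#define READ_FILE_MONITOR_ON         CTL_CODE_SAFEMODEL(19)
#define READ_FILE_MONITOR_OFF        CTL_CODE_SAFEMODEL(20)

//
// Names of the SafeModel device: the \\.\ name the Win32 front end opens,
// the \Device\ object name and the \DosDevices\ symbolic-link name.
//
#define SAFEMODEL_WIN32_DEVICE_NAME_A  "\\\\.\\SafeModel"
#define SAFEMODEL_WIN32_DEVICE_NAME_W L"\\\\.\\SafeModel"
#define SAFEMODEL_DEVICE_NAME_A        "\\Device\\SafeModel"
#define SAFEMODEL_DEVICE_NAME_W       L"\\Device\\SafeModel"
#define SAFEMODEL_DOS_DEVICE_NAME_A    "\\DosDevices\\SafeModel"
#define SAFEMODEL_DOS_DEVICE_NAME_W   L"\\DosDevices\\SafeModel"

#ifdef _UNICODE
#define SAFEMODEL_WIN32_DEVICE_NAME SAFEMODEL_WIN32_DEVICE_NAME_W
#define SAFEMODEL_DEVICE_NAME       SAFEMODEL_DEVICE_NAME_W
#define SAFEMODEL_DOS_DEVICE_NAME   SAFEMODEL_DOS_DEVICE_NAME_W
#else
#define SAFEMODEL_WIN32_DEVICE_NAME SAFEMODEL_WIN32_DEVICE_NAME_A
#define SAFEMODEL_DEVICE_NAME       SAFEMODEL_DEVICE_NAME_A
#define SAFEMODEL_DOS_DEVICE_NAME   SAFEMODEL_DOS_DEVICE_NAME_A
#endif

//
// windef.h supplies BOOL, DWORD, HANDLE, HINSTANCE and MAX_PATH, which the
// kernel/user shared structures below use.
//
#include <windef.h>

//
// INTERRUPT_3 plants a software breakpoint. In kernel mode with no debugger
// attached the trap is unhandled and the machine bugchecks; it is a debugging
// aid only and must not be reachable in a release build.
//
#ifdef __GNUC__
//#include <ddk/ntimage.h>
#include <ddk/ntddk.h>
#include <ddk/ntifs.h>
DECLARE_HANDLE(HHOOK);
#define SECTION_MAP_EXECUTE_EXPLICIT 0x0020
#define INTERRUPT_3 \
    __asm__ ("int $3")
#else
#include <ntimage.h>
#include <ntddk.h>
#include <ntifs.h>
#define INTERRUPT_3 \
    __asm int 3
#endif

//#include <winnt.h>

//
// Object attribute flag for handles that must only be usable from kernel
// mode; provided for DDKs that do not define it.
//
#ifndef OBJ_KERNEL_HANDLE
#define OBJ_KERNEL_HANDLE 0x00000200L
#endif

//#define SEC_IMAGE 0x1000000

//
// Information-class values for the Zw*Information calls used by the driver.
// NOTE(review): SYSTEM_INFORMATION_CLASS is a macro rather than a typedef, so
// it also rewrites any DDK declaration that uses that name in this TU.
//
#define SYSTEM_INFORMATION_CLASS ULONG
//#define DEBUG_CONTROL_CODE ULONG
#define ObjectNameInformation    1
#define RETURN_ERRO_NOBOX        0x80070000
#define SystemHandleInformation  0x10
// SystemInformationClass value with which ZwSetSystemInformation loads and
// runs a driver image (the operation the NtSetSystemInformation hook watches).
#define SystemLoadAndCallImage   38

//
// ControlCode values accepted by NtSystemDebugControl. The read/write
// virtual, physical, control-space, I/O-space, MSR and bus-data commands
// hand a caller raw access to kernel memory and hardware; the
// NtSystemDebugControl hook needs these names to recognise them.
//
typedef enum _SYSDBG_COMMAND {
    SysDbgQueryModuleInformation,
    SysDbgQueryTraceInformation,
    SysDbgSetTracepoint,
    SysDbgSetSpecialCall,
    SysDbgClearSpecialCalls,
    SysDbgQuerySpecialCalls,
    SysDbgBreakPoint,
    SysDbgQueryVersion,
    SysDbgReadVirtual,
    SysDbgWriteVirtual,
    SysDbgReadPhysical,
    SysDbgWritePhysical,
    SysDbgReadControlSpace,
    SysDbgWriteControlSpace,
    SysDbgReadIoSpace,
    SysDbgWriteIoSpace,
    SysDbgReadMsr,
    SysDbgWriteMsr,
    SysDbgReadBusData,
    SysDbgWriteBusData,
    SysDbgCheckLowMemory,
    SysDbgEnableKernelDebugger,
    SysDbgDisableKernelDebugger,
    SysDbgGetAutoKdEnable,
    SysDbgSetAutoKdEnable,
    SysDbgGetPrintBufferSize,
    SysDbgSetPrintBufferSize,
    SysDbgGetKdUmExceptionEnable,
    SysDbgSetKdUmExceptionEnable,
    SysDbgGetTriageDump,
    SysDbgGetKdBlockEnable,
    SysDbgSetKdBlockEnable
} SYSDBG_COMMAND, *PSYSDBG_COMMAND;

//
// Per-device instance data hung off the device object.
//
typedef struct _DEVICE_EXTENSION {
    ULONG StateVariable;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

// Reference layout of the SystemLoadAndCallImage argument (supplied by the
// DDK headers, kept here for readers of the NtSetSystemInformation hook):
//typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
//{
//    UNICODE_STRING ModuleName;
//} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

//
// Windows versions distinguished by GetWindowsVersion(). The list stops at
// Vista, which together with the 32-bit SSDT layout below indicates the
// driver targets 32-bit Windows 2000 through Vista.
//
typedef enum WIN_VER_DETAIL {
    WINDOWS_VERSION_NONE,         // 0
    WINDOWS_VERSION_2K,
    WINDOWS_VERSION_XP,
    WINDOWS_VERSION_2K3,
    WINDOWS_VERSION_2K3_SP1_SP2,
    WINDOWS_VERSION_VISTA
} WIN_VER_DETAIL;

//
// Message record exchanged between the driver and the Win32 front end. The
// layout is shared by both sides, so field order and sizes are part of the
// interface.
//
// The char buffers are fixed size: whoever fills them must use a bounded
// copy and guarantee NUL termination (ConvertFileName* below take no
// destination length, so they rely on MAX_PATH capacity here).
//
// NOTE(review): Appevent / Sysevent look like event handles shared with the
// application. If they originate in user mode, the driver side must resolve
// them with ObReferenceObjectByHandle(..., UserMode, ...) rather than use
// them as kernel handles -- confirm against the dispatch code.
//
struct MESSAGE {
    BOOL   state;
    DWORD  function;
    HANDLE Appevent;
    HANDLE Sysevent;
    char   source[MAX_PATH];
    char   object[MAX_PATH];
};

// Registry value description reported for SET_VALUEKEY events.
struct REGDATA {
    char szRegType[25];
    char szRegData[MAX_PATH];
};

// Target address description reported for WRITE_VIRTUAL_MEMORY events.
struct ADDRDATA {
    ULONG uAddr;
    char  szAddr[16];
};

// Hook type description reported for SET_HOOK (SetWindowsHookEx) events.
struct HOOKDATA {
    ULONG uHookType;
    char  szHookType[20];
};

// Requested access description reported for OPEN_SECTION events.
struct SECTIONDATA {
    ULONG access_mask;
    char  szAccess[MAX_PATH];
};

//
// Layout of a KeServiceDescriptorTable entry (32-bit kernels). Used by the
// SSDT / shadow SSDT patching helpers declared below.
//
// NOTE(review): the unsigned int * members only match the 32-bit kernel;
// this layout is not valid on x64, where the table holds relative offsets
// and is integrity-protected. Consistent with the version enum above, this
// header is 32-bit only.
//
typedef struct _ServiceDescriptorTableEntry {
    unsigned int  *ServiceTableBase;          // array of entry points
    unsigned int  *ServiceCounterTableBase;   // array of usage counters
    unsigned int   NumberOfServices;          // number of table entries
    unsigned char *ParamTableBase;            // array of byte counts
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;

// Reference layout, supplied by the DDK headers:
//typedef struct _SECTION_IMAGE_INFORMATION {
//    PVOID EntryPoint;
//    ULONG StackZeroBits;
//    ULONG StackReserved;
//    ULONG StackCommit;
//    ULONG ImageSubsystem;
//    WORD  SubsystemVersionLow;
//    WORD  SubsystemVersionHigh;
//    ULONG Unknown1;
//    ULONG ImageCharacteristics;
//    ULONG ImageMachineType;
//    ULONG Unknown2[3];
//} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

//
// Per-drive current-directory record embedded in RTL_USER_PROCESS_PARAMETERS.
//
typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT         Flags;
    USHORT         Length;
    ULONG          TimeStamp;
    UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

// Reference layouts, supplied by the DDK headers (RTL_USER_PROCESS_PARAMETERS
// is what the NtCreateUserProcess hook receives; SYSTEM_HANDLE_INFORMATION is
// the element type of the SystemHandleInformation buffer):
/*
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    PVOID ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StdInputHandle;
    HANDLE StdOutputHandle;
    HANDLE StdErrorHandle;
    UNICODE_STRING CurrentDirectoryPath;
    HANDLE CurrentDirectoryHandle;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
    PVOID Environment;
    ULONG StartingPositionLeft;
    ULONG StartingPositionTop;
    ULONG Width;
    ULONG Height;
    ULONG CharWidth;
    ULONG CharHeight;
    ULONG ConsoleTextAttributes;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopName;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} _SYSTEM_HANDLE_INFORMATION, *P_SYSTEM_HANDLE_INFORMATION;
*/

typedef struct _SYSTEM_HANDLE_INFORMATION _SYSTEM_HANDLE_INFORMATION;

//
// Header of the SystemHandleInformation buffer: a count followed by
// NumberOfHandles entries. Information[1] is the conventional
// variable-length tail of this NT structure -- index it up to
// NumberOfHandles, and do not rely on sizeof() for the buffer size.
// The struct tag keeps its original (misspelled) form so existing
// `struct _SYSTEM_HANDLE_INformATION_EX` references still resolve; use the
// _SYSTEM_HANDLE_INFORMATION_EX typedef in new code.
//
typedef struct _SYSTEM_HANDLE_INformATION_EX {
    ULONG                      NumberOfHandles;
    _SYSTEM_HANDLE_INFORMATION Information[1];
} _SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;

typedef struct _KPROCESS *PKPROCESS, *PRKPROCESS;   //, *PEPROCESS;

// Reference layout, supplied by the DDK headers:
/*
typedef struct _KAPC_STATE {
    LIST_ENTRY ApcListHead[MaximumMode];
    struct _KPROCESS *Process;
    BOOLEAN KernelApcInProgress;
    BOOLEAN KernelApcPending;
    BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE, *PRKAPC_STATE;
*/
typedef struct _KAPC_STATE KAPC_STATE, *PKAPC_STATE, *PRKAPC_STATE;

//
// Public (winternl.h-style) view of the loader data: only the in-memory
// module list is named, everything else is opaque padding.
//
typedef struct _PEB_LDR_DATA {
    BYTE       Reserved1[8];
    PVOID      Reserved2[3];
    LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

//typedef struct PPS_POST_PROCESS_INIT_ROUTINE PVOID ;

//
// Public view of the Process Environment Block. Only BeingDebugged, Ldr,
// ProcessParameters, PostProcessInitRoutine and SessionId are named; the
// Reserved* members pad to the documented offsets and must not be resized.
// The PEB lives in the target process's user address space, so it must only
// be read while attached to that process (KeStackAttachProcess) and with the
// usual user-pointer probing.
//
typedef struct _PEB {
    BYTE                         Reserved1[2];
    BYTE                         BeingDebugged;
    BYTE                         Reserved2[1];
    PVOID                        Reserved3[2];
    PPEB_LDR_DATA                Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;    // PRTL_USER_PROCESS_PARAMETERS
    BYTE                         Reserved4[104];
    PVOID                        Reserved5[52];
    PVOID                        PostProcessInitRoutine; // PPS_POST_PROCESS_INIT_ROUTINE
    BYTE                         Reserved6[128];
    PVOID                        Reserved7[1];
    ULONG                        SessionId;
} PEB, *PPEB;

// Signature of PsGetProcessPeb (presumably resolved at run time, since it is
// not exported by every DDK).
typedef PPEB (__stdcall *PPSGETPROCESSPEB)(IN PEPROCESS Process);

///
//typedef enum _OBJECT_INFORMATION_CLASS {
//    ObjectBasicInformation = 0,
//    ObjectTypeInformation = 2
//} OBJECT_INFORMATION_CLASS;

//
// Native API routines the driver calls that are not declared by every DDK.
//
extern NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
    IN  HANDLE           ProcessHandle,
    IN  PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID            ProcessInformation,
    IN  ULONG            ProcessInformationLength,
    OUT PULONG           ReturnLength OPTIONAL
    );

//extern NTSTATUS ZwQuerySystemInformation(
//    IN ULONG SystemInformationClass,
//    IN PVOID SystemInformation,
//    IN ULONG SystemInformationLength,
//    OUT PULONG ReturnLength);

/*
extern KPROCESSOR_MODE KeGetPreviousMode(
    VOID
    );
*/

//extern NTKERNELAPI
//NTSTATUS
//PsLookupProcessByProcessId(
//    __in HANDLE ProcessId,
//    __deref_out PEPROCESS *Process
//    );

extern NTSYSAPI NTSTATUS NTAPI ZwDuplicateObject(
    __in     HANDLE      SourceProcessHandle,
    __in     HANDLE      SourceHandle,
    __in_opt HANDLE      TargetProcessHandle,
    __out_opt PHANDLE    TargetHandle,
    __in     ACCESS_MASK DesiredAccess,
    __in     ULONG       HandleAttributes,
    __in     ULONG       Options
    );

extern NTSYSAPI NTSTATUS NTAPI ZwQueryObject(
    __in_opt HANDLE                   Handle,
    __in     OBJECT_INFORMATION_CLASS ObjectInformationClass,
    __out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
    __in     ULONG                    ObjectInformationLength,
    __out_opt PULONG                  ReturnLength
    );

extern NTKERNELAPI NTSTATUS ObQueryNameString(
    __in  PVOID                    Object,
    __out_bcount_opt(Length) POBJECT_NAME_INFORMATION ObjectNameInfo,
    __in  ULONG                    Length,
    __out PULONG                   ReturnLength
    );

/*
extern NTKERNELAPI VOID KeStackAttachProcess(
    __inout PEPROCESS PROCESS,
    __out PRKAPC_STATE ApcState
    );
*/

extern NTKERNELAPI VOID KeUnstackDetachProcess(
    PRKAPC_STATE ApcState
    );

////////////////////////////////////////////////////////////////////////////////
//
// Function-pointer types matching the system services this driver hooks.
// Each one holds the original service entry saved from the (shadow) SSDT
// before the slot is redirected to the corresponding Faked* routine, so the
// hook can forward the call.
//
////////////////////////////////////////////////////////////////////////////////

typedef NTSTATUS (*ZWCREATEPROCESS)(
    OUT PHANDLE            ProcessHandle,
    IN  ACCESS_MASK        DesiredAccess,
    IN  POBJECT_ATTRIBUTES ObjectAttributes,
    IN  HANDLE             ParentProcess,
    IN  BOOLEAN            InheritObjectTable,
    IN  HANDLE             SectionHandle,
    IN  HANDLE             DebugPort,
    IN  HANDLE             ExceptionPort
    );

typedef NTSTATUS (*ZWCREATEPROCESSEX)(
    OUT PHANDLE            ProcessHandle,
    IN  ACCESS_MASK        DesiredAccess,
    IN  POBJECT_ATTRIBUTES ObjectAttributes,
    IN  HANDLE             InheritFromProcessHandle,
    IN  BOOLEAN            InheritHandles,
    IN  HANDLE             SectionHandle OPTIONAL,
    IN  HANDLE             DebugPort OPTIONAL,
    IN  HANDLE             ExceptionPort OPTIONAL,
    IN  HANDLE             Unknown
    );

// Vista's process creation service; the unnamed ParameterN arguments are
// ones the driver does not interpret.
typedef NTSTATUS (*NTCREATEUSERPROCESS)(
    PHANDLE                      ProcessHandle,
    PHANDLE                      ThreadHandle,
    PVOID                        Parameter2,
    PVOID                        Parameter3,
    PVOID                        ProcessSecurityDescriptor,
    PVOID                        ThreadSecurityDescriptor,
    PVOID                        Parameter6,
    PVOID                        Parameter7,
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
    PVOID                        Parameter9,
    PVOID                        pProcessUnKnow
    );

typedef NTSTATUS (*ZWSETVALUEKEY)(
    IN HANDLE          KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG           TitleIndex OPTIONAL,
    IN ULONG           Type,
    IN PVOID           Data,
    IN ULONG           DataSize
    );

typedef NTSTATUS (*ZWLOADDRIVER)(
    IN PUNICODE_STRING DriverServiceName
    );

typedef NTSTATUS (*ZWSETSYSTEMTIME)(
    PLARGE_INTEGER NewTime,
    PLARGE_INTEGER OldTime
    );

typedef NTSTATUS (*NTSETSYSTEMINFORMATION)(
    IN     SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID                    SystemInformation,
    IN     ULONG                    SystemInformationLength
    );

// NOTE(review): DEBUG_CONTROL_CODE is not defined in this header (the
// #define above is commented out); it must come from the DDK headers.
typedef NTSTATUS (*NTSYSTEMDEBUGCONTROL)(
    IN  DEBUG_CONTROL_CODE ControlCode,
    IN  PVOID              InputBuffer OPTIONAL,
    IN  ULONG              InputBufferLength,
    OUT PVOID              OutputBuffer OPTIONAL,
    IN  ULONG              OutputBufferLength,
    OUT PULONG             ReturnLength OPTIONAL
    );

typedef NTSTATUS (*NTWRITEFILE)(
    IN  HANDLE           FileHandle,
    IN  HANDLE           Event OPTIONAL,
    IN  PIO_APC_ROUTINE  ApcRoutine OPTIONAL,
    IN  PVOID            ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN  PVOID            Buffer,
    IN  ULONG            Length,
    IN  PLARGE_INTEGER   ByteOffset OPTIONAL,
    IN  PULONG           Key OPTIONAL
    );

typedef NTSTATUS (*NTREADFILE)(
    IN  HANDLE           FileHandle,
    IN  HANDLE           Event OPTIONAL,
    IN  PIO_APC_ROUTINE  ApcRoutine OPTIONAL,
    IN  PVOID            ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID            Buffer,
    IN  ULONG            Length,
    IN  PLARGE_INTEGER   ByteOffset OPTIONAL,
    IN  PULONG           Key OPTIONAL
    );

typedef NTSTATUS (*ZWWRITEVIRTUALMEMORY)(
    IN  HANDLE ProcessHandle,
    IN  PVOID  BaseAddress,
    IN  PVOID  Buffer,
    IN  ULONG  BufferLength,
    OUT PULONG ReturnLength OPTIONAL
    );

typedef NTSTATUS (*ZWOPENSECTION)(
    __out PHANDLE            SectionHandle,
    __in  ACCESS_MASK        DesiredAccess,
    __in  POBJECT_ATTRIBUTES ObjectAttributes
    );

// win32k shadow-SSDT service behind SetWindowsHookEx.
typedef HHOOK (*NTUSERSETWINDOWSHOOKEX)(
    HINSTANCE       Mod,
    PUNICODE_STRING UnsafeModuleName,
    DWORD           ThreadId,
    int             HookId,
    PVOID           HookProc,
    BOOL            Ansi
    );

////////////////////////////////////////////////////////////////////////////////
//
// Device driver routine declarations.
//
////////////////////////////////////////////////////////////////////////////////

NTSTATUS DDKAPI DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
NTSTATUS DDKAPI SafemodelDispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DDKAPI SafemodelDispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
// Handles the IOCTLs defined above. Must check the buffer lengths in the IRP
// stack location before reading the METHOD_BUFFERED system buffer.
NTSTATUS DDKAPI SafemodelDispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
VOID     DDKAPI SafemodelUnload(IN PDRIVER_OBJECT DriverObject);

////////////////////////////////////////////////////////////////////////////////
//
// Helper routines.
//
////////////////////////////////////////////////////////////////////////////////

// Presumably returns a buffer filled by ZwQuerySystemInformation for class
// ATableType (e.g. SystemHandleInformation); ownership of the returned
// buffer is not stated here -- confirm who frees it.
PVOID GetInfoTable(ULONG ATableType);

// Looks up the PID of the process that owns the named object.
HANDLE GetProcPidByObjName(PWCHAR pwObjName, int iSize);

//VOID ZeroMemory(VOID* pobj,int len);
//BOOLEAN Sleep(ULONG MillionSecond);

WIN_VER_DETAIL GetWindowsVersion(void);

// String conversion helpers. Neither takes a destination length, so the
// caller must guarantee pChar has room (the MESSAGE buffers are MAX_PATH).
int ConvertFileNameWCHARToCHAR(PWCHAR pWChar, PCHAR pChar);
int ConvertFileNameUNISTRToCHAR(PUNICODE_STRING usFileName, PCHAR pChar);

// Resolve the full path behind a key/file handle; the version-specific
// variants exist because the name query differs between 2000/2003 and Vista.
// fullname has no length parameter and is assumed to hold MAX_PATH bytes.
NTSTATUS GetFilePathVista(HANDLE KeyHandle, char *fullname);
NTSTATUS GetFilePath2000_2003(HANDLE KeyHandle, char *fullname);
NTSTATUS GetFilePath(HANDLE KeyHandle, char *fullname);
BOOLEAN  GetRegPath(HANDLE handle, PCHAR pKeyPath);
BOOL     GetProcessName(PEPROCESS pProcess, PCHAR pProcessName);
BOOL     GetProcessPath(HANDLE hProcess, PCHAR pPathName);
PULONG   GetProcessObjectState(PEPROCESS MyProcess, HANDLE MyProcessId);

// Policy decision for a monitored operation dFun performed by procname
// (parent fathername) with operation-specific details pValue1..3.
// Presumably consults the front end through MESSAGE/events and returns TRUE
// when the operation may proceed.
BOOL GoOrNot(PVOID fathername, PVOID procname, ULONG dFun, PVOID pValue1, PVOID pValue2, PVOID pValue3);

// (Shadow) SSDT patching. Presumably FakeAnyPro writes NewFunValue over the
// table slot at FakeFunPos, returning the previous entry in *POldFunValue,
// and UnFakeAnyPro restores it; *fakestate records whether the patch is in
// place. The table pages are normally read-only and other CPUs may be inside
// the service while the slot is swapped, so the implementation must handle
// write protection and ordering; this is also what makes the driver 32-bit
// only.
BOOL FakeAnyPro(IN PULONG FakeFunPos, IN ULONG NewFunValue, OUT PULONG POldFunValue, OUT PBOOL fakestate);
BOOL UnFakeAnyPro(IN PULONG FakeFunPos, IN ULONG OldFunValue, OUT PBOOL fakestate);

// Resolve the service indices and the shadow (win32k) service table.
VOID         InitShadowCallIndex(void);
VOID         InitSysCallIndex(void);
unsigned int GetAddressOfShadowTable(void);
PULONG       GetAddressOfShadowTable2(void);
ULONG        GetShadowTable(void);

////////////////////////////////////////////////////////////////////////////////
//
// Hook routines. Each has the signature of the service it replaces and is
// expected to decide (GoOrNot) and then forward to the saved original.
// They run in the context of the calling (user-mode) thread, so every
// pointer argument is untrusted and must be probed/captured before use.
//
// Note: no FakedNtReadFile or read-file on/off switch is declared here even
// though READ_FILE_MONITOR_ON/OFF and NTREADFILE exist above; confirm they
// are implemented elsewhere or those IOCTLs are unimplemented.
//
////////////////////////////////////////////////////////////////////////////////

NTSTATUS FakedZwCreateProcess(
    OUT PHANDLE            ProcessHandle,
    IN  ACCESS_MASK        DesiredAccess,
    IN  POBJECT_ATTRIBUTES ObjectAttributes,
    IN  HANDLE             ParentProcess,
    IN  BOOLEAN            InheritObjectTable,
    IN  HANDLE             SectionHandle,
    IN  HANDLE             DebugPort,
    IN  HANDLE             ExceptionPort
    );

NTSTATUS FakedZwCreateProcessEx(
    OUT PHANDLE            ProcessHandle,
    IN  ACCESS_MASK        DesiredAccess,
    IN  POBJECT_ATTRIBUTES ObjectAttributes,
    IN  HANDLE             InheritFromProcessHandle,
    IN  BOOLEAN            InheritHandles,
    IN  HANDLE             SectionHandle OPTIONAL,
    IN  HANDLE             DebugPort OPTIONAL,
    IN  HANDLE             ExceptionPort OPTIONAL,
    IN  HANDLE             Unknown
    );

NTSTATUS FakedNtCreateUserProcess(
    PHANDLE                      ProcessHandle,
    PHANDLE                      ThreadHandle,
    PVOID                        Parameter2,
    PVOID                        Parameter3,
    PVOID                        ProcessSecurityDescriptor,
    PVOID                        ThreadSecurityDescriptor,
    PVOID                        Parameter6,
    PVOID                        Parameter7,
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
    PVOID                        Parameter9,
    PVOID                        pProcessUnKnow
    );

NTSTATUS FakedZwSetValueKey(
    IN HANDLE          KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG           TitleIndex OPTIONAL,
    IN ULONG           Type,
    IN PVOID           Data,
    IN ULONG           DataSize
    );

NTSTATUS FakedZwLoadDriver(IN PUNICODE_STRING DriverServiceName);

NTSTATUS FakedZwSetSystemTime(PLARGE_INTEGER NewTime, PLARGE_INTEGER OldTime);

NTSTATUS FakedZwWriteVirtualMemory(
    IN  HANDLE ProcessHandle,
    IN  PVOID  BaseAddress,
    IN  PVOID  Buffer,
    IN  ULONG  BufferLength,
    OUT PULONG ReturnLength OPTIONAL
    );

NTSTATUS FakedNtSetSystemInformation(
    IN     SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID                    SystemInformation,
    IN     ULONG                    SystemInformationLength
    );

NTSTATUS FakedNtSystemDebugControl(
    IN  DEBUG_CONTROL_CODE ControlCode,
    IN  PVOID              InputBuffer OPTIONAL,
    IN  ULONG              InputBufferLength,
    OUT PVOID              OutputBuffer OPTIONAL,
    IN  ULONG              OutputBufferLength,
    OUT PULONG             ReturnLength OPTIONAL
    );

NTSTATUS FakedNtWriteFile(
    IN  HANDLE           FileHandle,
    IN  HANDLE           Event OPTIONAL,
    IN  PIO_APC_ROUTINE  ApcRoutine OPTIONAL,
    IN  PVOID            ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN  PVOID            Buffer,
    IN  ULONG            Length,
    IN  PLARGE_INTEGER   ByteOffset OPTIONAL,
    IN  PULONG           Key OPTIONAL
    );

HHOOK FakedNtUserSetWindowsHookEx(
    HINSTANCE       Mod,
    PUNICODE_STRING UnsafeModuleName,
    DWORD           ThreadId,
    int             HookId,
    PVOID           HookProc,
    BOOL            Ansi
    );

// Declared without a matching *_MONITOR IOCTL or function-pointer type in
// this header.
NTSTATUS FakedNtOpenProcess(
    __out    PHANDLE            ProcessHandle,
    __in     ACCESS_MASK        DesiredAccess,
    __in     POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID         ClientId
    );

NTSTATUS FakedZwOpenSection(
    __out PHANDLE            SectionHandle,
    __in  ACCESS_MASK        DesiredAccess,
    __in  POBJECT_ATTRIBUTES ObjectAttributes
    );

//
// Monitor switches driven by the *_ON / *_OFF IOCTLs: install or remove the
// corresponding hook.
//
VOID ProcMoniterOn(void);
VOID ProcMoniterOff(void);
VOID RegMoniterOn(void);
VOID RegMoniterOff(void);
VOID ModMonitorOn(void);
VOID ModMonitorOff(void);
VOID TimeSafeOn(void);
VOID TimeSafeOff(void);
VOID HookMoniterOn(void);
VOID HookMoniterOff(void);
VOID WriteFileMoniterOn(void);
VOID WriteFileMoniterOff(void);
VOID SystemDebugMoniterOn(void);
VOID SystemDebugMoniterOff(void);
VOID WriteVirtualMemoryOn(void);
VOID WriteVirtualMemoryOff(void);
VOID OpenSectionOn(void);
VOID OpenSectionOff(void);

#endif // _SAFEMODEL_H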