#pragma once
#include <ntddk.h>
#include <wdm.h>
/* Object-type descriptor for driver objects, exported by the kernel.
 * NOTE(review): presumably passed as the ObjectType argument of the Ob*
 * lookups declared later in this header — confirm against the callers. */
extern POBJECT_TYPE* IoDriverObjectType;
/*
 * MmCopyVirtualMemory — by its parameter names, copies BufferSize bytes from
 * SourceAddress in SourceProcess to TargetAddress in TargetProcess and reports
 * the number of bytes actually copied through ReturnSize.
 *
 * Not declared by the WDK headers included above, hence the local prototype:
 * this is an undocumented export with no cross-build stability guarantee.
 *
 * NOTE(review): PreviousMode selects whether the two addresses are treated as
 * user-mode ranges that must be validated. If either address originates from
 * an untrusted caller, pass UserMode (or validate the range first) so a bad
 * address cannot make the copy touch kernel memory — confirm how this driver
 * calls it.
 */
NTKERNELAPI
NTSTATUS
NTAPI
MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
/*
 * PsLookupProcessByProcessId — resolve ProcessId to its PEPROCESS.
 *
 * Documented WDK contract: on success *Process holds a reference that the
 * caller must release with ObDereferenceObject, on every path including
 * error paths, or the process object leaks (and a dead process can never be
 * fully torn down).
 */
NTKERNELAPI
NTSTATUS
NTAPI
PsLookupProcessByProcessId(
_In_ HANDLE ProcessId,
_Outptr_ PEPROCESS *Process
);
/*
 * Saved APC/attach state. Filled in by KeStackAttachProcess and consumed by
 * KeUnstackDetachProcess (prototypes follow); callers should treat the
 * contents as opaque and keep the object alive until the detach.
 *
 * NOTE(review): this redefines a kernel structure under the tag the WDK uses.
 * If the include set later grows to a header that also defines it (e.g.
 * ntifs.h), the duplicate typedef will fail to compile — confirm.
 */
typedef struct _KAPC_STATE
{
LIST_ENTRY ApcListHead[2];   /* two APC queues; presumably indexed by processor mode */
PKPROCESS Process;           /* process the thread was attached to */
UCHAR KernelApcInProgress;
UCHAR KernelApcPending;
UCHAR UserApcPending;
} KAPC_STATE, *PKAPC_STATE, *PRKAPC_STATE;
/*
 * KeStackAttachProcess — attach the current thread to PROCESS's address
 * space; ApcState receives the state needed to undo the attach.
 *
 * Every attach must be paired with KeUnstackDetachProcess on the same
 * ApcState, on error paths too; a thread that stays attached keeps the
 * target process pinned and makes later address-space work misbehave.
 */
NTKERNELAPI
VOID
NTAPI
KeStackAttachProcess(
PRKPROCESS PROCESS,
PRKAPC_STATE ApcState
);
/* KeUnstackDetachProcess — undo the matching KeStackAttachProcess. */
NTKERNELAPI
VOID
NTAPI
KeUnstackDetachProcess(
PRKAPC_STATE ApcState
);
/*
 * PsGetProcessPeb — return Process's PEB pointer.
 *
 * NOTE(review): the PEB lives in the target's user-mode address space, so the
 * returned pointer is only dereferenceable while attached to that process,
 * and only after checking for NULL (system/minimal processes have no PEB).
 * Treat its contents as attacker-controllable user memory — confirm that
 * callers probe/validate before reading.
 */
NTKERNELAPI
PPEB
NTAPI
PsGetProcessPeb(PEPROCESS Process);
/*
 * ObOpenObjectByPointer — create a handle to Object in the current process.
 *
 * NOTE(review): per the documented contract, passing KernelMode as AccessMode
 * skips the access check against DesiredAccess, so callers must not forward a
 * user-requested access mask unchecked. The resulting handle belongs to the
 * current process's handle table and must be closed (ZwClose) on every path
 * once no longer needed.
 */
NTKERNELAPI
NTSTATUS
NTAPI
ObOpenObjectByPointer(
PVOID Object,
ULONG HandleAttributes,
PACCESS_STATE PassedAccessState,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PHANDLE Handle
);
/*
 * Information classes accepted by ZwQueryVirtualMemory (declared below).
 * Only MemoryBasicInformation (value 0) is declared here; it returns a
 * MEMORY_BASIC_INFORMATION record.
 *
 * NOTE(review): if the WDK headers in use also define this enum, this is a
 * duplicate definition — confirm against the include set / WDK version.
 */
typedef enum _MEMORY_INFORMATION_CLASS {
MemoryBasicInformation
} MEMORY_INFORMATION_CLASS;
/*
 * ZwQueryVirtualMemory — query the region containing BaseAddress in the
 * process referred to by ProcessHandle; MemoryInformation receives up to
 * MemoryInformationLength bytes and ReturnLength (optional) the size needed.
 *
 * NOTE(review): the buffer must be sized for the requested class (see
 * MEMORY_INFORMATION_CLASS above); a too-small buffer is a status error, not
 * a partial fill — check the returned NTSTATUS before reading the output.
 */
NTKERNELAPI
NTSTATUS
NTAPI
ZwQueryVirtualMemory(
_In_ HANDLE ProcessHandle,
_In_opt_ PVOID BaseAddress,
_In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
_Out_ PVOID MemoryInformation,
_In_ SIZE_T MemoryInformationLength,
_Out_opt_ PSIZE_T ReturnLength
);
/*
 * ZwProtectVirtualMemory — change the page protection of a region in the
 * target process. OldAccessProtection receives the previous protection so
 * the caller can restore it.
 *
 * NOTE(review): BaseAddress and NumberOfBytesToProtect are in/out despite
 * the IN annotations below — the kernel writes back the range it actually
 * changed (presumably rounded to page boundaries). Keep the originals if
 * they are needed afterwards.
 */
NTKERNELAPI
NTSTATUS
NTAPI
ZwProtectVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID* BaseAddress, /* in/out despite the IN annotation: updated on return */
IN SIZE_T* NumberOfBytesToProtect, /* in/out as well: updated on return */
IN ULONG NewAccessProtection,
OUT PULONG OldAccessProtection
);
/*
 * ObReferenceObjectByName — look ObjectName up in the object namespace and
 * return the object through *ObjectPtr.
 *
 * Undocumented export (hence the local prototype). On success the object is
 * referenced; the caller must ObDereferenceObject it on every path, the same
 * way as for PsLookupProcessByProcessId. Passing KernelMode as Access
 * presumably skips access checking — confirm before forwarding untrusted
 * names or access masks.
 */
NTKERNELAPI
NTSTATUS
NTAPI
ObReferenceObjectByName(
PUNICODE_STRING ObjectName,
ULONG Attributes,
PACCESS_STATE Passed,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE Access,
PVOID ParseContext,
PVOID* ObjectPtr
);
/*
 * ZwAllocateVirtualMemory / ZwFreeVirtualMemory — reserve/commit and release
 * virtual memory in the process referred to by ProcessHandle. BaseAddress
 * and RegionSize are in/out: the kernel writes back the actual (page-rounded)
 * range.
 *
 * NOTE(review): these two prototypes lack the NTKERNELAPI/NTSYSAPI and NTAPI
 * decoration used by every other declaration in this header. NTAPI fixes the
 * calling convention, which matters on 32-bit builds — confirm this is
 * intentional, or make them consistent with the rest of the file.
 */
NTSTATUS ZwAllocateVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG AllocationType,
_In_ ULONG Protect
);
NTSTATUS ZwFreeVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG FreeType
);
/*
 * PsGetProcessWow64Process — return Process's WOW64 bookkeeping pointer,
 * non-NULL only for a 32-bit process on 64-bit Windows.
 *
 * NOTE(review): what the pointer refers to differs between Windows versions
 * (a 32-bit PEB on older builds, a wrapper structure on newer ones) — confirm
 * the layout for the targeted builds before dereferencing it.
 */
NTKERNELAPI
PVOID
NTAPI
PsGetProcessWow64Process(IN PEPROCESS Process);
/*
 * RtlAvlRemoveNode — remove pNode from the AVL tree pTree.
 *
 * NOTE(review): internal, undocumented primitive; the export name, the
 * PRTL_AVL_TREE/PMMADDRESS_NODE layouts and the locking expected by the
 * owner of the tree are all version-specific and unsupported. Neither type
 * is defined in this header, so another include must supply them — confirm.
 */
NTSYSAPI
PVOID
NTAPI
RtlAvlRemoveNode(
IN PRTL_AVL_TREE pTree,
IN PMMADDRESS_NODE pNode
);
/*
 * ZwQuerySystemInformation — fill SystemInformation with the data for the
 * given class; ReturnLength (optional) receives the size required.
 *
 * SystemInformationClass is declared as a plain int here rather than the
 * SYSTEM_INFORMATION_CLASS enum, so the compiler cannot catch a wrong class
 * value. Callers typically size the buffer by a first call and retry with
 * the reported ReturnLength when the status indicates a length mismatch.
 */
__kernel_entry
NTSTATUS
ZwQuerySystemInformation(
IN int SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT OPTIONAL PULONG ReturnLength
);
/*
 * PsGetProcessSectionBaseAddress — by its name, returns the base address of
 * Process's main image section (a user-mode address in that process).
 * NOTE(review): may be NULL for processes without an image — check before
 * use, and only dereference while attached to the process.
 */
NTKERNELAPI
PVOID
PsGetProcessSectionBaseAddress(
IN PEPROCESS Process
);