From e2373783550cc54b21568c82fc1e07ebe90aa54d Mon Sep 17 00:00:00 2001 From: Ricardo Carvalho Date: Thu, 22 Aug 2024 02:12:58 -0300 Subject: [PATCH 01/19] upgrade to vs2022 add .clang-format --- .clang-format | 6 ++++++ .gitignore | 1 + TestHide/TestHide.vcxproj | 10 +++++----- 3 files changed, 12 insertions(+), 5 deletions(-) create mode 100644 .clang-format diff --git a/.clang-format b/.clang-format new file mode 100644 index 0000000..d23ba71 --- /dev/null +++ b/.clang-format @@ -0,0 +1,6 @@ +--- +BasedOnStyle: Microsoft +IncludeBlocks: Preserve +SortIncludes: Never + +... diff --git a/.gitignore b/.gitignore index 7a043ac..12cb754 100644 --- a/.gitignore +++ b/.gitignore @@ -59,3 +59,4 @@ _ReSharper*/ *.db-wal *.opendb *.ipch +*.vsidx diff --git a/TestHide/TestHide.vcxproj b/TestHide/TestHide.vcxproj index df03f30..fd6bbfa 100644 --- a/TestHide/TestHide.vcxproj +++ b/TestHide/TestHide.vcxproj @@ -23,32 +23,32 @@ Win32Proj {f3ec3652-037e-45a3-9c0b-7703800d858b} TestHide - 10.0.18362.0 + 10.0 Application true - v142 + v143 MultiByte Application false - v142 + v143 true MultiByte Application true - v142 + v143 MultiByte Application false - v142 + v143 true MultiByte From fa46e1ac4902b5411032c0f8f156825f89d711de Mon Sep 17 00:00:00 2001 
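Review bot: `.vs/` is still not ignored after this `.gitignore` hunk (`@@ -59,3 +59,4 @@` adds only `*.vsidx`), and the next patch in this series commits `.vs/MasterHide/v17/DocumentLayout.json` and `DocumentLayout.backup.json`, IDE session state that embeds the developer's absolute workspace path (`A:\work\MasterHide\`) and is rewritten on every editor session. Adding the directory as a whole, `.vs/`, keeps that machine-specific state out of the repository; the two layout files would then also need removing from the tree. The `.clang-format` file and the `v142`→`v143` / `10.0` toolset bump in `TestHide.vcxproj` in this patch are fine as they are.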
From: Ricardo Carvalho Date: Thu, 22 Aug 2024 03:42:42 -0300 Subject: [PATCH 02/19] upgraded to vs2022 --- .vs/MasterHide/v17/DocumentLayout.backup.json | 309 +++++ .vs/MasterHide/v17/DocumentLayout.json | 309 +++++ MasterHide/MasterHide.vcxproj | 45 +- MasterHide/MasterHide.vcxproj.filters | 27 +- MasterHide/drivermain.cpp | 118 ++ MasterHide/globals.hpp | 95 +- MasterHide/hooks.cpp | 852 ++++++++++++++ MasterHide/hooks.hpp | 117 ++ MasterHide/{stdafx.h => includes.hpp} | 22 +- MasterHide/main.cpp | 116 -- MasterHide/mh_hooks.cpp | 832 ------------- MasterHide/mh_hooks.h | 103 -- MasterHide/misc.cpp | 573 +++++++++ MasterHide/misc.hpp | 97 ++ MasterHide/shadow_ssdt.cpp | 705 +++++------ MasterHide/shadow_ssdt.h | 10 - MasterHide/shadow_ssdt.hpp | 10 + MasterHide/ssdt.cpp | 525 +++++---- MasterHide/ssdt.h | 12 - MasterHide/ssdt.hpp | 13 + MasterHide/tools.cpp | 586 --------- MasterHide/tools.h | 93 -- MasterHide/winnt.h | 1018 ---------------- MasterHide/winnt.hpp | 1048 +++++++++++++++++ 24 files changed, 4183 insertions(+), 3452 deletions(-) create mode 100644 .vs/MasterHide/v17/DocumentLayout.backup.json create mode 100644 .vs/MasterHide/v17/DocumentLayout.json create mode 100644 MasterHide/drivermain.cpp create mode 100644 MasterHide/hooks.cpp create mode 100644 MasterHide/hooks.hpp rename MasterHide/{stdafx.h => includes.hpp} (58%) delete mode 100644 MasterHide/main.cpp delete mode 100644 MasterHide/mh_hooks.cpp delete mode 100644 MasterHide/mh_hooks.h create mode 100644 MasterHide/misc.cpp create mode 100644 MasterHide/misc.hpp delete mode 100644 MasterHide/shadow_ssdt.h create mode 100644 MasterHide/shadow_ssdt.hpp delete mode 100644 MasterHide/ssdt.h create mode 100644 MasterHide/ssdt.hpp delete mode 100644 MasterHide/tools.cpp delete mode 100644 MasterHide/tools.h delete mode 100644 MasterHide/winnt.h create mode 100644 MasterHide/winnt.hpp 
diff --git a/.vs/MasterHide/v17/DocumentLayout.backup.json b/.vs/MasterHide/v17/DocumentLayout.backup.json new file mode 100644 index 0000000..b5a16cd --- /dev/null +++ b/.vs/MasterHide/v17/DocumentLayout.backup.json 
@@ -0,0 +1,309 @@ +{ + "Version": 1, + "WorkspaceRootPath": "A:\\work\\MasterHide\\", + "Documents": [ + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + 
}, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\drivermain.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\drivermain.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\winnt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\winnt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\driver.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|C:\\PROGRAM FILES (X86)\\WINDOWS KITS\\10\\INCLUDE\\10.0.26100.0\\KM\\NTIFS.H||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|C:\\PROGRAM FILES (X86)\\WINDOWS KITS\\10\\INCLUDE\\10.0.26100.0\\KM\\WDM.H||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + } + ], + "DocumentGroupContainers": [ + { + "Orientation": 0, + "VerticalTabListWidth": 256, + "DocumentGroups": [ + { + "DockedWidth": 200, + "SelectedChildIndex": 11, + "Children": [ + { + "$type": "Document", + "DocumentIndex": 2, + "Title": "utils.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\utils.cpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\utils.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T06:40:21.171Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 9, + "Title": "driver.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\driver.cpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\driver.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T06:29:36.886Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 13, + "Title": "ntifs.h", + "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\ntifs.h", + "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\ntifs.h", + "ViewState": 
"AgIAAEAAAAAAAAAAAAAmwFQAAAAzAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T06:28:17.411Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 14, + "Title": "wdm.h", + "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\wdm.h", + "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\wdm.h", + "ViewState": "AgIAAD8AAAAAAAAAAAAmwFMAAAAaAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T06:28:15.79Z", + "EditorCaption": "" + }, + { + "$type": "Bookmark", + "Name": "ST:0:0:{aa2115a1-9712-457b-9047-dbb71ca2cdd2}" + }, + { + "$type": "Document", + "DocumentIndex": 8, + "Title": "hooks.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\hooks.hpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\hooks.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAABQAAAACAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:19:34.796Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 12, + "Title": "shadow_ssdt.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp", + "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp", + "RelativeToolTip": "MasterHide\\shadow_ssdt.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAABEAAAAUAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:16:26.761Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 4, + "Title": "hooks.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.cpp", + "RelativeDocumentMoniker": "MasterHide\\hooks.cpp", 
+ "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.cpp", + "RelativeToolTip": "MasterHide\\hooks.cpp", + "ViewState": "AgIAACoAAAAAAAAAAAAEwDAAAAAZAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:16:23.103Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 6, + "Title": "winnt.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\winnt.hpp", + "RelativeDocumentMoniker": "MasterHide\\winnt.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\winnt.hpp", + "RelativeToolTip": "MasterHide\\winnt.hpp", + "ViewState": "AgIAAPgDAAAAAAAAAAAUwAMEAAAFAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:15:37.931Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 7, + "Title": "hooks.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", + "RelativeDocumentMoniker": "MasterHide\\hooks.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", + "RelativeToolTip": "MasterHide\\hooks.hpp", + "ViewState": "AgIAAAMAAAAAAAAAAAAAAA0AAAACAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:14:34.986Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 10, + "Title": "globals.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", + "RelativeDocumentMoniker": "MasterHide\\globals.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", + "RelativeToolTip": "MasterHide\\globals.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAsAAAACAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:14:10.424Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 0, + "Title": "includes.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\includes.hpp", + "RelativeDocumentMoniker": "MasterHide\\includes.hpp", + "ToolTip": 
"A:\\work\\MasterHide\\MasterHide\\includes.hpp", + "RelativeToolTip": "MasterHide\\includes.hpp", + "ViewState": "AgIAAAMAAAAAAAAAAAAAAB8AAAAOAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:14:07.92Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 5, + "Title": "drivermain.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", + "RelativeDocumentMoniker": "MasterHide\\drivermain.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", + "RelativeToolTip": "MasterHide\\drivermain.cpp", + "ViewState": "AgIAAFQAAAAAAAAAAAAmwGIAAAAOAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:12:24.294Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 11, + "Title": "ssdt.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\ssdt.cpp", + "RelativeDocumentMoniker": "MasterHide\\ssdt.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\ssdt.cpp", + "RelativeToolTip": "MasterHide\\ssdt.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAABQAAAABAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:18:04.012Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 1, + "Title": "misc.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", + "RelativeDocumentMoniker": "MasterHide\\misc.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", + "RelativeToolTip": "MasterHide\\misc.hpp", + "ViewState": "AgIAACQAAAAAAAAAAAAAAB0AAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:15:38.11Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 3, + "Title": "misc.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.cpp", + "RelativeDocumentMoniker": "MasterHide\\misc.cpp", + "ToolTip": 
"A:\\work\\MasterHide\\MasterHide\\misc.cpp", + "RelativeToolTip": "MasterHide\\misc.cpp", + "ViewState": "AgIAAA8AAAAAAAAAAAAEwC0AAAABAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:16:27.304Z", + "EditorCaption": "" + }, + { + "$type": "Bookmark", + "Name": "ST:0:0:{d3750d8a-574b-4fb3-b7e2-aa8af40e8231}" + }, + { + "$type": "Document", + "DocumentIndex": 15, + "Title": "ssdt.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\ssdt.hpp", + "RelativeDocumentMoniker": "MasterHide\\ssdt.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\ssdt.hpp", + "RelativeToolTip": "MasterHide\\ssdt.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAwAAAAaAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:15:26.408Z" + }, + { + "$type": "Document", + "DocumentIndex": 16, + "Title": "shadow_ssdt.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", + "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", + "RelativeToolTip": "MasterHide\\shadow_ssdt.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAgAAAAUAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:18:32.151Z" + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/.vs/MasterHide/v17/DocumentLayout.json b/.vs/MasterHide/v17/DocumentLayout.json new file mode 100644 index 0000000..10f01bc --- /dev/null +++ b/.vs/MasterHide/v17/DocumentLayout.json 
@@ -0,0 +1,309 @@ +{ + "Version": 1, + "WorkspaceRootPath": "A:\\work\\MasterHide\\", + "Documents": [ + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + 
}, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\drivermain.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\drivermain.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\winnt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\winnt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\driver.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|C:\\PROGRAM FILES (X86)\\WINDOWS KITS\\10\\INCLUDE\\10.0.26100.0\\KM\\NTIFS.H||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|C:\\PROGRAM FILES (X86)\\WINDOWS KITS\\10\\INCLUDE\\10.0.26100.0\\KM\\WDM.H||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + } + ], + "DocumentGroupContainers": [ + { + "Orientation": 0, + "VerticalTabListWidth": 256, + "DocumentGroups": [ + { + "DockedWidth": 200, + "SelectedChildIndex": 14, + "Children": [ + { + "$type": "Document", + "DocumentIndex": 3, + "Title": "utils.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\utils.cpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\utils.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T06:40:21.171Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 9, + "Title": "driver.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\driver.cpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\driver.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T06:29:36.886Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 13, + "Title": "ntifs.h", + "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\ntifs.h", + "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\ntifs.h", + "ViewState": 
"AgIAAEAAAAAAAAAAAAAmwFQAAAAzAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T06:28:17.411Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 14, + "Title": "wdm.h", + "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\wdm.h", + "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\wdm.h", + "ViewState": "AgIAAD8AAAAAAAAAAAAmwFMAAAAaAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T06:28:15.79Z", + "EditorCaption": "" + }, + { + "$type": "Bookmark", + "Name": "ST:0:0:{aa2115a1-9712-457b-9047-dbb71ca2cdd2}" + }, + { + "$type": "Document", + "DocumentIndex": 8, + "Title": "hooks.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\hooks.hpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\hooks.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAABQAAAACAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:19:34.796Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 12, + "Title": "shadow_ssdt.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp", + "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp", + "RelativeToolTip": "MasterHide\\shadow_ssdt.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAABEAAAAUAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:16:26.761Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 4, + "Title": "hooks.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.cpp", + "RelativeDocumentMoniker": "MasterHide\\hooks.cpp", 
+ "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.cpp", + "RelativeToolTip": "MasterHide\\hooks.cpp", + "ViewState": "AgIAACoAAAAAAAAAAAAEwDAAAAAZAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:16:23.103Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 6, + "Title": "winnt.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\winnt.hpp", + "RelativeDocumentMoniker": "MasterHide\\winnt.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\winnt.hpp", + "RelativeToolTip": "MasterHide\\winnt.hpp", + "ViewState": "AgIAAPgDAAAAAAAAAAAUwAMEAAAFAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:15:37.931Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 7, + "Title": "hooks.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", + "RelativeDocumentMoniker": "MasterHide\\hooks.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", + "RelativeToolTip": "MasterHide\\hooks.hpp", + "ViewState": "AgIAAAMAAAAAAAAAAAAAAA0AAAACAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:14:34.986Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 10, + "Title": "globals.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", + "RelativeDocumentMoniker": "MasterHide\\globals.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", + "RelativeToolTip": "MasterHide\\globals.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAsAAAACAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:14:10.424Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 2, + "Title": "includes.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\includes.hpp", + "RelativeDocumentMoniker": "MasterHide\\includes.hpp", + "ToolTip": 
"A:\\work\\MasterHide\\MasterHide\\includes.hpp", + "RelativeToolTip": "MasterHide\\includes.hpp", + "ViewState": "AgIAAAMAAAAAAAAAAAAAAB8AAAAOAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:14:07.92Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 5, + "Title": "drivermain.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", + "RelativeDocumentMoniker": "MasterHide\\drivermain.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", + "RelativeToolTip": "MasterHide\\drivermain.cpp", + "ViewState": "AgIAAFQAAAAAAAAAAAAmwGIAAAAOAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:12:24.294Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 11, + "Title": "ssdt.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\ssdt.cpp", + "RelativeDocumentMoniker": "MasterHide\\ssdt.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\ssdt.cpp", + "RelativeToolTip": "MasterHide\\ssdt.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAABQAAAABAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:18:04.012Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 0, + "Title": "misc.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", + "RelativeDocumentMoniker": "MasterHide\\misc.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", + "RelativeToolTip": "MasterHide\\misc.hpp", + "ViewState": "AgIAACQAAAAAAAAAAAAAAB0AAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:15:38.11Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 1, + "Title": "misc.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.cpp", + "RelativeDocumentMoniker": "MasterHide\\misc.cpp", + "ToolTip": 
"A:\\work\\MasterHide\\MasterHide\\misc.cpp", + "RelativeToolTip": "MasterHide\\misc.cpp", + "ViewState": "AgIAAA8AAAAAAAAAAAAEwC0AAAABAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-22T05:16:27.304Z", + "EditorCaption": "" + }, + { + "$type": "Bookmark", + "Name": "ST:0:0:{d3750d8a-574b-4fb3-b7e2-aa8af40e8231}" + }, + { + "$type": "Document", + "DocumentIndex": 15, + "Title": "ssdt.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\ssdt.hpp", + "RelativeDocumentMoniker": "MasterHide\\ssdt.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\ssdt.hpp", + "RelativeToolTip": "MasterHide\\ssdt.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAwAAAAaAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:15:26.408Z" + }, + { + "$type": "Document", + "DocumentIndex": 16, + "Title": "shadow_ssdt.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", + "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", + "RelativeToolTip": "MasterHide\\shadow_ssdt.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAgAAAAUAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:18:32.151Z" + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/MasterHide/MasterHide.vcxproj b/MasterHide/MasterHide.vcxproj index 5df1e38..3e64b09 100644 --- a/MasterHide/MasterHide.vcxproj +++ b/MasterHide/MasterHide.vcxproj @@ -18,16 +18,17 @@ Debug Win32 MasterHide - 10.0.18362.0 + 10.0.26100.0 + masterhide - Windows7 true WindowsKernelModeDriver10.0 Driver WDM - Desktop + Windows10 + Universal Windows7 @@ -60,6 +61,8 @@ ..\KasperskyHook\KasperskyHookDrv;%(AdditionalIncludeDirectories) + _DEBUG;%(PreprocessorDefinitions) + 4996;%(DisableSpecificWarnings) false @@ -67,6 +70,9 @@ false + + sha256 + 
@@ -74,6 +80,7 @@ ..\KasperskyHook\KasperskyHookDrv;%(AdditionalIncludeDirectories) + 4996;%(DisableSpecificWarnings) false @@ -83,28 +90,40 @@ - + + true + true + + + true + true + - - + + - + + + true + true + + - - - - - - + + + + + + diff --git a/MasterHide/MasterHide.vcxproj.filters b/MasterHide/MasterHide.vcxproj.filters index 588b752..17607bd 100644 --- a/MasterHide/MasterHide.vcxproj.filters +++ b/MasterHide/MasterHide.vcxproj.filters @@ -22,10 +22,10 @@ - + Source Files - + Source Files @@ -49,24 +49,27 @@ Header Files\Kaspersky - + Source Files + + Header Files\Kaspersky + - + Header Files - + Header Files - + Header Files - + Header Files - + Header Files @@ -78,11 +81,17 @@ Header Files\Kaspersky - + Header Files Header Files + + Header Files\Kaspersky + + + Header Files\Kaspersky + \ No newline at end of file diff --git a/MasterHide/drivermain.cpp b/MasterHide/drivermain.cpp new file mode 100644 index 0000000..204e369 --- /dev/null +++ b/MasterHide/drivermain.cpp 
@@ -0,0 +1,118 @@ +#include "includes.hpp" + +void OnDriverUnload(PDRIVER_OBJECT pDriverObject) +{ + UNREFERENCED_PARAMETER(pDriverObject); + + ssdt::Destroy(); + sssdt::Destroy(); + + // + // Delay the execution for a second to make sure no thread is executing the hooked function + // + LARGE_INTEGER LargeInteger{}; + LargeInteger.QuadPart = -11000000; + + KeDelayExecutionThread(KernelMode, FALSE, &LargeInteger); + tools::UnloadImages(); + + DBGPRINT("Driver unload routine triggered!\n"); +} + +extern "C" NTSTATUS NTAPI DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) +{ + UNREFERENCED_PARAMETER(pRegistryPath); + + if (!pDriverObject) + { + DBGPRINT("Err: No driver object!\n"); + return STATUS_FAILED_DRIVER_ENTRY; + } + + RTL_OSVERSIONINFOW os{}; + os.dwOSVersionInfoSize = sizeof(os); + + if (!NT_SUCCESS(RtlGetVersion(&os))) + { + DBGPRINT("Err: RtlGetVersion failed!\n"); + return STATUS_FAILED_DRIVER_ENTRY; + } + + pDriverObject->DriverUnload = &OnDriverUnload; + DBGPRINT("Driver loaded!\n"); + + // + // If the OS is either Windows 10, 8/8.1 those are the only supported OS + // + bool bIsWin7 = (os.dwMajorVersion == 6 && os.dwMinorVersion == 1); + + if (os.dwMajorVersion == 10 || (bIsWin7 || (os.dwMajorVersion == 6 && os.dwMinorVersion == 2) || + (os.dwMajorVersion == 6 && os.dwMinorVersion == 3))) + { + // This special API only works in Win8+ and it basically allows you to set no executable flag in NonPagedPools + ExInitializeDriverRuntime(DrvRtPoolNxOptIn); + + // + // Sycalls numbers are OS based, since user32.dll doesnt export them in early Windows versions ( Win7 for + // example ) we hardcode them and extract them on newer systems that export it ( Win8+ for example in win32u.dll + // ) + // + if (!bIsWin7) + { + SYSCALL_NTUSERQUERYWND = tools::GetWin32Syscall("NtUserQueryWindow"); + SYSCALL_NTUSERFINDWNDEX = tools::GetWin32Syscall("NtUserFindWindowEx"); + SYSCALL_NTUSERWNDFROMPOINT = tools::GetWin32Syscall("NtUserWindowFromPoint"); + 
SYSCALL_NTUSERBUILDWNDLIST = tools::GetWin32Syscall("NtUserBuildHwndList"); + SYSCALL_NTGETFOREGROUNDWND = tools::GetWin32Syscall("NtUserGetForegroundWindow"); + + SYSCALL_NTOPENPROCESS = tools::GetNtSyscall("NtOpenProcess"); + SYSCALL_NTDEVICEIOCTRLFILE = tools::GetNtSyscall("NtDeviceIoControlFile"); + SYSCALL_NTQUERYSYSINFO = tools::GetNtSyscall("NtQuerySystemInformation"); + SYSCALL_NTALLOCVIRTUALMEM = tools::GetNtSyscall("NtAllocateVirtualMemory"); + SYSCALL_NTFREEVIRTUALMEM = tools::GetNtSyscall("NtFreeVirtualMemory"); + SYSCALL_NTWRITEVIRTUALMEM = tools::GetNtSyscall("NtWriteVirtualMemory"); + SYSCALL_NTLOADDRIVER = tools::GetNtSyscall("NtLoadDriver"); + } + +#ifndef USE_KASPERSKY + // + // (S)SSDT Hooks are only Win7 compatible ( hardcoded ) + // + DBGPRINT("Not using Kaspersky to hook, Shadow SSDT is unstable!\n"); +#else + DBGPRINT("Using Kaspersky!\n"); + + if (!kaspersky::is_klhk_loaded()) + { + tools::UnloadImages(); + DBGPRINT("Kaspersky not loaded!\n"); + return STATUS_UNSUCCESSFUL; + } + + if (!kaspersky::initialize()) + { + tools::UnloadImages(); + DBGPRINT("Kaspersky init failed!\n"); + return STATUS_UNSUCCESSFUL; + } + + DBGPRINT("Using Kaspersky hypervisor!\n"); + + if (!kaspersky::hvm_init()) + { + tools::UnloadImages(); + DBGPRINT("Hypervisor not loaded!\n"); + return STATUS_UNSUCCESSFUL; + } + + DBGPRINT("Hypervisor loaded!\n"); +#endif + ssdt::Init(); + sssdt::Init(); + } + else + // No support for other OS + return STATUS_NOT_SUPPORTED; + + return STATUS_SUCCESS; +} \ No newline at end of file diff --git a/MasterHide/globals.hpp b/MasterHide/globals.hpp index 55307d6..6cbf69f 100644 --- a/MasterHide/globals.hpp +++ b/MasterHide/globals.hpp 
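Review bot: `OnDriverUnload` removes the hooks and then relies on a fixed `KeDelayExecutionThread` with `-11000000` (1.1 s, not the "a second" the comment says) before `tools::UnloadImages()`; a sleep is not a guarantee that no thread is still executing a hook body, so a caller preempted inside a hook for longer than that returns into unmapped memory. The usual fix is rundown protection or a per-hook reference count, `ExAcquireRundownProtection` on hook entry and `ExReleaseRundownProtection` on exit, with `ExWaitForRundownProtectionRelease(&g_HookRundown);` in unload so teardown blocks until the last caller has left, keeping the delay at most as a fallback. Separately, the values assigned here (`SYSCALL_NTOPENPROCESS = tools::GetNtSyscall("NtOpenProcess")` and the rest) are declared `static auto` in hooks.hpp, which gives every translation unit its own copy, so unless `ssdt::Init()`/`sssdt::Init()` are compiled in this same TU they keep seeing the hardcoded Win7 numbers; declare them `extern` with a single definition in one .cpp, and reject a failed lookup (whatever `GetNtSyscall` returns on failure, which is not visible here) before calling `ssdt::Init()`, since a bad index hooks an unrelated service. The Win7 fallback path also deserves a check: in hooks.hpp `SYSCALL_NTDEVICEIOCTRLFILE` and `SYSCALL_NTLOADDRIVER` are both `0x0004`, so on Win7 one of those two hooks is installed on the wrong service table entry.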
@@ -2,60 +2,53 @@ namespace masterhide { - namespace globals - { - // - // Custom MAC Address - // - static UCHAR szFakeMAC[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x2 }; +namespace globals +{ +// +// Custom MAC Address +// +static UCHAR szFakeMAC[] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x2}; - // - // Custom HD Serial and Model - // - static char szFakeSerial[] = "XJEBA1973M2"; +// +// Custom HD Serial and Model +// +static char szFakeSerial[] = "XJEBA1973M2"; - static char* szFakeModels[] = - { - "Samsung EVO 970", - //... - }; +static char *szFakeModels[] = { + "Samsung EVO 970", + //... +}; - // - // Those drivers will not appear on drivers list - // - static char* szProtectedDrivers[] = - { - "dbk64", - "processhacker2", - //... - }; +// +// Those drivers will not appear on drivers list +// +static char *szProtectedDrivers[] = { + "dbk64", "processhacker2", + //... +}; - // - // Those processes will not appear on process list or via window methods - // - static wchar_t* wsProtectedProcesses[] = - { - L"cheatengine", - L"ProcessHacker" - //... - }; +// +// Those processes will not appear on process list or via window methods +// +static wchar_t *wsProtectedProcesses[] = { + L"cheatengine", L"ProcessHacker" + //... +}; - // - // Those processes will be monitored - // - static wchar_t* wsMonitoredProcesses[] = - { - L"Tibia", - //... - }; +// +// Those processes will be monitored +// +static wchar_t *wsMonitoredProcesses[] = { + L"Tibia", + //... +}; - // - // Those processess will be blacklisted to query data on protect processes - // - static wchar_t* wsBlacklistedProcessess[] = - { - L"Tibia", - //... - }; - } -}; \ No newline at end of file +// +// Those processess will be blacklisted to query data on protect processes +// +static wchar_t *wsBlacklistedProcessess[] = { + L"Tibia", + //... +}; +} // namespace globals +}; // namespace masterhide \ No newline at end of file 
diff --git a/MasterHide/hooks.cpp b/MasterHide/hooks.cpp new file mode 100644 index 0000000..4833ce6 --- /dev/null +++ b/MasterHide/hooks.cpp 
@@ -0,0 +1,852 @@ +#include "includes.hpp" + +namespace masterhide +{ +namespace tools +{ +bool IsProtectedProcess(HANDLE PID) +{ + UNICODE_STRING wsProcName{}; + if (!GetProcessName(PID, &wsProcName)) + { + return false; + } + + bool bResult = false; + if (wsProcName.Buffer) + { + for (int i = 0; i < ARRAYSIZE(globals::wsProtectedProcesses); ++i) + { + if (wcsstr(wsProcName.Buffer, globals::wsProtectedProcesses[i])) + { + bResult = true; + break; + } + } + FreeUnicodeString(&wsProcName); + } + return bResult; +} + +bool IsProtectedProcess(PWCH Buffer) +{ + if (!Buffer) + return false; + + for (int i = 0; i < ARRAYSIZE(globals::wsProtectedProcesses); ++i) + { + if (wcsstr(Buffer, globals::wsProtectedProcesses[i])) + { + return true; + } + } + return false; +} + +bool IsProtectedProcessEx(PEPROCESS Process) +{ + UNICODE_STRING wsProcName{}; + if (!GetProcessNameByPEPROCESS(Process, &wsProcName)) + return false; + + bool bResult = false; + if (wsProcName.Buffer) + { + for (int i = 0; i < ARRAYSIZE(globals::wsProtectedProcesses); ++i) + { + if (wcsstr(wsProcName.Buffer, globals::wsProtectedProcesses[i])) + { + bResult = true; + break; + } + } + FreeUnicodeString(&wsProcName); + } + return bResult; +} + +bool IsMonitoredProcess(HANDLE PID) +{ + UNICODE_STRING wsProcName{}; + if (!GetProcessName(PID, &wsProcName)) + return false; + + bool bResult = false; + if (wsProcName.Buffer) + { + for (int i = 0; i < ARRAYSIZE(globals::wsMonitoredProcesses); ++i) + { + if (wcsstr(wsProcName.Buffer, globals::wsMonitoredProcesses[i])) + { + bResult = true; + break; + } + } + FreeUnicodeString(&wsProcName); + } + return bResult; +} + +bool IsMonitoredProcessEx(PEPROCESS Process) +{ + UNICODE_STRING wsProcName{}; + if (!GetProcessNameByPEPROCESS(Process, &wsProcName)) + return false; + + bool bResult = false; + if (wsProcName.Buffer) + { + for (int i = 0; i < ARRAYSIZE(globals::wsMonitoredProcesses); ++i) + { + if (wcsstr(wsProcName.Buffer, globals::wsMonitoredProcesses[i])) + { + 
bResult = true; + break; + } + } + FreeUnicodeString(&wsProcName); + } + return bResult; +} + +bool IsBlacklistedProcess(HANDLE PID) +{ + UNICODE_STRING wsProcName{}; + if (!GetProcessName(PID, &wsProcName)) + return false; + + bool bResult = false; + if (wsProcName.Buffer) + { + for (int i = 0; i < ARRAYSIZE(globals::wsBlacklistedProcessess); ++i) + { + if (wcsstr(wsProcName.Buffer, globals::wsBlacklistedProcessess[i])) + { + bResult = true; + break; + } + } + FreeUnicodeString(&wsProcName); + } + return bResult; +} + +bool IsBlacklistedProcessEx(PEPROCESS Process) +{ + UNICODE_STRING wsProcName{}; + if (!GetProcessNameByPEPROCESS(Process, &wsProcName)) + return false; + + bool bResult = false; + if (wsProcName.Buffer) + { + for (int i = 0; i < ARRAYSIZE(globals::wsBlacklistedProcessess); ++i) + { + if (wcsstr(wsProcName.Buffer, globals::wsBlacklistedProcessess[i])) + { + bResult = true; + break; + } + } + FreeUnicodeString(&wsProcName); + } + return bResult; +} +} // namespace tools +}; // namespace masterhide + +NtOpenProcess_ oNtOpenProcess = NULL; +NTSTATUS NTAPI hkNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, + PCLIENT_ID ClientId) +{ + const auto ret = oNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId); + if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess()) || + tools::IsProtectedProcess(PsGetCurrentProcessId())) + return ret; + + if (NT_SUCCESS(ret)) + { + if (tools::IsBlacklistedProcess(PsGetCurrentProcessId())) + { + if (tools::IsProtectedProcess(ClientId->UniqueProcess)) + { + DBGPRINT("Denying access from PID %p to PID %p\n", PsGetCurrentProcessId(), ClientId->UniqueProcess); + ZwClose(*ProcessHandle); + *ProcessHandle = HANDLE(-1); + return STATUS_ACCESS_DENIED; + } + } + + if (tools::IsMonitoredProcess(ClientId->UniqueProcess)) + { + UNICODE_STRING wsProcName{}; + if (tools::GetProcessName(ClientId->UniqueProcess, &wsProcName)) + { + if 
(wsProcName.Buffer) + { + auto ShortName = wcsrchr(wsProcName.Buffer, '\\'); + DBGPRINT("[ OP ] PID %p is opening a handle with access mask 0x%X to process %ws\n", + PsGetCurrentProcessId(), DesiredAccess, ShortName); + FreeUnicodeString(&wsProcName); + } + } + } + } + return ret; +} + +NtWriteVirtualMemory_ oNtWriteVirtualMemory = NULL; +NTSTATUS NTAPI hkNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, + PULONG NumberOfBytesWritten) +{ + const auto res = + oNtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten); + if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess()) || + tools::IsProtectedProcess(PsGetCurrentProcessId())) + return res; + + if (NT_SUCCESS(res)) + { + // + // Get Name from handle + // + PEPROCESS Process = nullptr; + auto ret = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), (PVOID *)&Process, + nullptr); + if (!NT_SUCCESS(ret)) + return res; + + if (tools::IsMonitoredProcessEx(Process)) + { + UNICODE_STRING wsProcName{}; + if (tools::GetProcessName(PsGetCurrentProcessId(), &wsProcName)) + { + if (wsProcName.Buffer) + { + auto ShortName = wcsrchr(wsProcName.Buffer, '\\'); + DBGPRINT("[ WPM ] 
From: %p to %ws with BaseAddress 0x%p Buffer 0x%p Length %d\n", + PsGetCurrentProcessId(), ShortName, BaseAddress, Buffer, NumberOfBytesToWrite); + FreeUnicodeString(&wsProcName); + } + } + } + + ObDereferenceObject(Process); + } + return res; +} + +NtAllocateVirtualMemory_ oNtAllocateVirtualMemory = NULL; +NTSTATUS NTAPI hkNtAllocateVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, + PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect) +{ + const auto res = + oNtAllocateVirtualMemory(ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect); + if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess()) || + tools::IsProtectedProcess(PsGetCurrentProcessId())) + return res; + + if (NT_SUCCESS(res) && BaseAddress && RegionSize && *RegionSize >= 0x1000) + { + // + // Get Name from handle + // + PEPROCESS Process = nullptr; + auto ret = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), (PVOID *)&Process, + nullptr); + if (!NT_SUCCESS(ret)) + return res; + + if (tools::IsMonitoredProcessEx(Process)) + { + UNICODE_STRING wsProcName{}; + if (tools::GetProcessName(PsGetCurrentProcessId(), &wsProcName)) + { + if (wsProcName.Buffer) + { + auto ShortName = wcsrchr(wsProcName.Buffer, '\\'); + DBGPRINT("[ AVM ] 
From: %p to %ws with BaseAddress 0x%p Length 0x%llx Type 0x%X Protect 0x%X\n", + PsGetCurrentProcessId(), ShortName, *BaseAddress, *RegionSize, AllocationType, Protect); + FreeUnicodeString(&wsProcName); + } + } + } + + ObDereferenceObject(Process); + } + return res; +} + +NtFreeVirtualMemory_ oNtFreeVirtualMemory = NULL; +NTSTATUS NTAPI hkNtFreeVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize, ULONG FreeType) +{ + const auto res = oNtFreeVirtualMemory(ProcessHandle, BaseAddress, RegionSize, FreeType); + if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess()) || + tools::IsProtectedProcess(PsGetCurrentProcessId())) + return res; + + if (NT_SUCCESS(res) && BaseAddress && RegionSize && *RegionSize >= 0x1000) + { + // + // Get Name from handle + // + PEPROCESS Process = nullptr; + auto ret = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), (PVOID *)&Process, + nullptr); + if (!NT_SUCCESS(ret)) + return res; + + if (tools::IsMonitoredProcessEx(Process)) + { + UNICODE_STRING wsProcName{}; + if (tools::GetProcessName(PsGetCurrentProcessId(), &wsProcName)) + { + if (wsProcName.Buffer) + { + auto ShortName = wcsrchr(wsProcName.Buffer, '\\'); + DBGPRINT("[ FVM ] 
From: %p to %ws with BaseAddress 0x%p Length 0x%llx FreeType 0x%X\n", + PsGetCurrentProcessId(), ShortName, *BaseAddress, *RegionSize, FreeType); + tools::DumpMZ(PUCHAR(*BaseAddress)); + FreeUnicodeString(&wsProcName); + } + } + } + + ObDereferenceObject(Process); + } + return res; +} + +NtDeviceIoControlFile_ oNtDeviceIoControlFile = NULL; +NTSTATUS NTAPI hkNtDeviceIoControlFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, + PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, + ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength) +{ + const auto ret = oNtDeviceIoControlFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode, + InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength); + + // + // If the callee process is a protected process we ignore it + // + if (!tools::IsBlacklistedProcess(PsGetCurrentProcessId())) + return ret; + + if (NT_SUCCESS(ret)) + { + const auto szNewModel = globals::szFakeModels[0]; + wchar_t wsProcess[MAX_PATH] = L"\\Unknown"; + + UNICODE_STRING wsProcName{}; + if (tools::GetProcessName(PsGetCurrentProcessId(), &wsProcName)) + { + if (wsProcName.Buffer) + { + wcscpy_s(wsProcess, wsProcName.Buffer); + FreeUnicodeString(&wsProcName); + } + } + + auto ShortName = wcsrchr(wsProcess, '\\'); + + __try + { + // + // Hardware Spoofing + // + switch (IoControlCode) + { + + case IOCTL_STORAGE_QUERY_PROPERTY: { + PSTORAGE_PROPERTY_QUERY Query = PSTORAGE_PROPERTY_QUERY(InputBuffer); + if (Query && Query->PropertyId == StorageDeviceProperty) + { + if (OutputBufferLength >= sizeof(STORAGE_DEVICE_DESCRIPTOR)) + { + PSTORAGE_DEVICE_DESCRIPTOR Desc = PSTORAGE_DEVICE_DESCRIPTOR(OutputBuffer); + if (Desc) + { + if (Desc->SerialNumberOffset) + { + auto Serial = PCHAR(Desc) + Desc->SerialNumberOffset; + DBGPRINT("%ws Spoofing Serial ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, + Serial, globals::szFakeSerial); + memset(Serial, 0, strlen(Serial)); 
+ strcpy(Serial, globals::szFakeSerial); + } + + if (Desc->ProductIdOffset) + { + auto Model = PCHAR(Desc) + Desc->ProductIdOffset; + DBGPRINT("%ws Spoofing Model ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, + Model, szNewModel); + memset(Model, 0, strlen(Model)); + strcpy(Model, szNewModel); + } + } + } + } + break; + } + + case IOCTL_ATA_PASS_THROUGH: { + if (OutputBufferLength >= sizeof(ATA_PASS_THROUGH_EX) + sizeof(PIDENTIFY_DEVICE_DATA)) + { + PATA_PASS_THROUGH_EX Ata = PATA_PASS_THROUGH_EX(OutputBuffer); + if (Ata && Ata->DataBufferOffset) + { + PIDENTIFY_DEVICE_DATA Identify = + PIDENTIFY_DEVICE_DATA(PCHAR(OutputBuffer) + Ata->DataBufferOffset); + if (Identify) + { + auto Serial = PCHAR(Identify->SerialNumber); + if (strlen(Serial) > 0) + { + tools::SwapEndianness(Serial, sizeof(Identify->SerialNumber)); + + DBGPRINT("%ws Spoofing Serial ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, + Serial, globals::szFakeSerial); + memset(Serial, 0, strlen(Serial)); + strcpy(Serial, globals::szFakeSerial); + + tools::SwapEndianness(Serial, sizeof(Identify->SerialNumber)); + } + + auto Model = PCHAR(Identify->ModelNumber); + if (strlen(Model) > 0) + { + // Fix invalid characters. 
+ Model[sizeof(Identify->ModelNumber) - 1] = 0; + Model[sizeof(Identify->ModelNumber) - 2] = 0; + + tools::SwapEndianness(Model, sizeof(Identify->ModelNumber) - 2); + + DBGPRINT("%ws Spoofing Model ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, + Model, szNewModel); + memset(Model, 0, strlen(Model)); + strcpy(Model, szNewModel); + + tools::SwapEndianness(Model, sizeof(Identify->ModelNumber) - 2); + } + } + } + } + break; + } + + case SMART_RCV_DRIVE_DATA: { + if (OutputBufferLength >= sizeof(SENDCMDOUTPARAMS)) + { + PSENDCMDOUTPARAMS Cmd = PSENDCMDOUTPARAMS(OutputBuffer); + if (Cmd) + { + PIDSECTOR Sector = PIDSECTOR(Cmd->bBuffer); + if (Sector) + { + auto Serial = PCHAR(Sector->sSerialNumber); + if (strlen(Serial) > 0) + { + tools::SwapEndianness(Serial, sizeof(Sector->sSerialNumber)); + + DBGPRINT("%ws Spoofing Serial ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, + Serial, globals::szFakeSerial); + memset(Serial, 0, strlen(Serial)); + strcpy(Serial, globals::szFakeSerial); + + tools::SwapEndianness(Serial, sizeof(Sector->sSerialNumber)); + } + + auto Model = PCHAR(Sector->sModelNumber); + if (strlen(Model) > 0) + { + // Fix invalid characters. 
+ Model[sizeof(Sector->sModelNumber) - 1] = 0; + Model[sizeof(Sector->sModelNumber) - 2] = 0; + + tools::SwapEndianness(Model, sizeof(Sector->sModelNumber) - 2); + + DBGPRINT("%ws Spoofing Model ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, + Model, szNewModel); + memset(Model, 0, strlen(Model)); + strcpy(Model, szNewModel); + + tools::SwapEndianness(Model, sizeof(Sector->sModelNumber) - 2); + } + } + } + } + break; + } + + case IOCTL_DISK_GET_PARTITION_INFO_EX: { + if (OutputBufferLength >= sizeof(PARTITION_INFORMATION_EX)) + { + PPARTITION_INFORMATION_EX PartInfo = PPARTITION_INFORMATION_EX(OutputBuffer); + if (PartInfo && PartInfo->PartitionStyle == PARTITION_STYLE_GPT) + { + DBGPRINT("%ws Zero'ing partition GUID (EX)\n", ShortName); + memset(&PartInfo->Gpt.PartitionId, 0, sizeof(GUID)); + } + } + break; + } + + case IOCTL_DISK_GET_DRIVE_LAYOUT_EX: { + if (OutputBufferLength >= sizeof(DRIVE_LAYOUT_INFORMATION_EX)) + { + PDRIVE_LAYOUT_INFORMATION_EX LayoutInfo = PDRIVE_LAYOUT_INFORMATION_EX(OutputBuffer); + if (LayoutInfo && LayoutInfo->PartitionStyle == PARTITION_STYLE_GPT) + { + DBGPRINT("%ws Zero'ing partition GUID\n", ShortName); + memset(&LayoutInfo->Gpt.DiskId, 0, sizeof(GUID)); + } + } + break; + } + + case IOCTL_MOUNTMGR_QUERY_POINTS: { + if (OutputBufferLength >= sizeof(MOUNTMGR_MOUNT_POINTS)) + { + PMOUNTMGR_MOUNT_POINTS Points = PMOUNTMGR_MOUNT_POINTS(OutputBuffer); + if (Points) + { + DBGPRINT("%ws Spoofing mounted points\n", ShortName); + for (unsigned i = 0; i < Points->NumberOfMountPoints; ++i) + { + auto Point = &Points->MountPoints[i]; + + if (Point->UniqueIdOffset) + Point->UniqueIdLength = 0; + + if (Point->SymbolicLinkNameOffset) + Point->SymbolicLinkNameLength = 0; + } + } + } + break; + } + + case IOCTL_MOUNTDEV_QUERY_UNIQUE_ID: { + if (OutputBufferLength >= sizeof(MOUNTDEV_UNIQUE_ID)) + { + PMOUNTDEV_UNIQUE_ID UniqueId = PMOUNTDEV_UNIQUE_ID(OutputBuffer); + if (UniqueId) + { + DBGPRINT("%ws Spoofing mounted unique id\n", 
ShortName); + UniqueId->UniqueIdLength = 0; + } + } + break; + } + + case IOCTL_NDIS_QUERY_GLOBAL_STATS: { + switch (*(PDWORD)InputBuffer) + { + case OID_802_3_PERMANENT_ADDRESS: + case OID_802_3_CURRENT_ADDRESS: + case OID_802_5_PERMANENT_ADDRESS: + case OID_802_5_CURRENT_ADDRESS: + DBGPRINT("%ws Spoofing permanent MAC\n", ShortName); + memcpy(OutputBuffer, globals::szFakeMAC, sizeof(globals::szFakeMAC)); + break; + } + } + } + } + __except (EXCEPTION_EXECUTE_HANDLER) + { + } + } + return ret; +} + +NtQuerySystemInformation_ oNtQuerySystemInformation = NULL; +NTSTATUS NTAPI hkNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID Buffer, ULONG Length, + PULONG ReturnLength) +{ + const auto ret = oNtQuerySystemInformation(SystemInformationClass, Buffer, Length, ReturnLength); + + // + // If the callee process is a protected process we ignore it + // + if (tools::IsProtectedProcess(PsGetCurrentProcessId())) + return ret; + + if (NT_SUCCESS(ret)) + { + // + // Hide from Driver list + // + if (SystemInformationClass == SystemModuleInformation) + { + const auto pModule = PRTL_PROCESS_MODULES(Buffer); + const auto pEntry = &pModule->Modules[0]; + + for (unsigned i = 0; i < pModule->NumberOfModules; ++i) + { + if (pEntry[i].ImageBase && pEntry[i].ImageSize && strlen((char *)pEntry[i].FullPathName) > 2) + { + for (int x = 0; x < ARRAYSIZE(globals::szProtectedDrivers); ++x) + { + if (strstr((char *)pEntry[i].FullPathName, globals::szProtectedDrivers[x])) + { + const auto next_entry = i + 1; + + if (next_entry < pModule->NumberOfModules) + memcpy(&pEntry[i], &pEntry[next_entry], sizeof(RTL_PROCESS_MODULE_INFORMATION)); + else + { + memset(&pEntry[i], 0, sizeof(RTL_PROCESS_MODULE_INFORMATION)); + pModule->NumberOfModules--; + } + } + } + } + } + } + // + // Hide from Process list + // + else if (SystemInformationClass == SystemProcessInformation || + SystemInformationClass == SystemSessionProcessInformation || + SystemInformationClass == 
SystemExtendedProcessInformation) + { + PSYSTEM_PROCESS_INFO pCurr = NULL; + PSYSTEM_PROCESS_INFO pNext = PSYSTEM_PROCESS_INFO(Buffer); + + while (pNext->NextEntryOffset != 0) + { + pCurr = pNext; + pNext = (PSYSTEM_PROCESS_INFO)((PUCHAR)pCurr + pCurr->NextEntryOffset); + + // + // Erase our protected processes from the list + // + if (pNext->ImageName.Buffer && tools::IsProtectedProcess(pNext->ImageName.Buffer)) + { + if (pNext->NextEntryOffset == 0) + { + pCurr->NextEntryOffset = 0; + } + else + { + pCurr->NextEntryOffset += pNext->NextEntryOffset; + } + + pNext = pCurr; + } + } + } + // + // Hide from handle list + // + else if (SystemInformationClass == SystemHandleInformation) + { + if (tools::IsBlacklistedProcess(PsGetCurrentProcessId())) + { + const auto pHandle = PSYSTEM_HANDLE_INFORMATION(Buffer); + const auto pEntry = &pHandle->Information[0]; + + for (unsigned i = 0; i < pHandle->NumberOfHandles; ++i) + { + if (tools::IsProtectedProcess(ULongToHandle(pEntry[i].ProcessId))) + { + const auto next_entry = i + 1; + + if (next_entry < pHandle->NumberOfHandles) + memcpy(&pEntry[i], &pEntry[next_entry], sizeof(SYSTEM_HANDLE)); + else + { + memset(&pEntry[i], 0, sizeof(SYSTEM_HANDLE)); + pHandle->NumberOfHandles--; + } + } + } + } + } + else if (SystemInformationClass == SystemExtendedHandleInformation) + { + if (tools::IsBlacklistedProcess(PsGetCurrentProcessId())) + { + const auto pHandle = PSYSTEM_HANDLE_INFORMATION_EX(Buffer); + const auto pEntry = &pHandle->Information[0]; + + for (unsigned i = 0; i < pHandle->NumberOfHandles; ++i) + { + if (tools::IsProtectedProcess(ULongToHandle(pEntry[i].ProcessId))) + { + const auto next_entry = i + 1; + + if (next_entry < pHandle->NumberOfHandles) + memcpy(&pEntry[i], &pEntry[next_entry], sizeof(SYSTEM_HANDLE)); + else + { + memset(&pEntry[i], 0, sizeof(SYSTEM_HANDLE)); + pHandle->NumberOfHandles--; + } + } + } + } + } + // + // Spoof code integrity status + // + else if (SystemInformationClass == 
SystemCodeIntegrityInformation) + { + PSYSTEM_CODEINTEGRITY_INFORMATION Integrity = PSYSTEM_CODEINTEGRITY_INFORMATION(Buffer); + + // Spoof test sign flag if present + if (Integrity->CodeIntegrityOptions & CODEINTEGRITY_OPTION_TESTSIGN) + Integrity->CodeIntegrityOptions &= ~CODEINTEGRITY_OPTION_TESTSIGN; + + // Set as always enabled. + Integrity->CodeIntegrityOptions |= CODEINTEGRITY_OPTION_ENABLED; + } + } + return ret; +} + +NtLoadDriver_ oNtLoadDriver = NULL; +NTSTATUS NTAPI hkNtLoadDriver(PUNICODE_STRING DriverServiceName) +{ + NTSTATUS ret = STATUS_UNSUCCESSFUL; + bool bLoad = true; + + if (DriverServiceName && DriverServiceName->Buffer) + { + /* + + For example: + + if ( wcsstr( DriverServiceName->Buffer, L"BEDaisy.sys" ) ) + bLoad = false; + + Loading will be blocked. + */ + } + + if (bLoad) + { + ret = oNtLoadDriver(DriverServiceName); + if (NT_SUCCESS(ret)) + DBGPRINT("Loading Driver: %ws\n", DriverServiceName->Buffer); + } + return ret; +} + +NtUserWindowFromPoint_ oNtUserWindowFromPoint = NULL; +HWND NTAPI hkNtUserWindowFromPoint(LONG x, LONG y) +{ + const auto res = oNtUserWindowFromPoint(x, y); + + if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) + return res; + + if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) + return res; + + return 0; +} + +NtUserQueryWindow_ oNtUserQueryWindow = NULL; +HANDLE NTAPI hkNtUserQueryWindow(HWND WindowHandle, HANDLE TypeInformation) +{ + const auto res = oNtUserQueryWindow(WindowHandle, TypeInformation); + + if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) + return res; + + if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) + return res; + + auto PID = oNtUserQueryWindow(WindowHandle, 0); + if (tools::IsProtectedProcess(PID)) + return 0; + + return res; +} + +NtUserFindWindowEx_ oNtUserFindWindowEx = NULL; +HWND NTAPI hkNtUserFindWindowEx(HWND hWndParent, HWND hWndChildAfter, PUNICODE_STRING lpszClass, + 
PUNICODE_STRING lpszWindow, DWORD dwType) +{ + const auto res = oNtUserFindWindowEx(hWndParent, hWndChildAfter, lpszClass, lpszWindow, dwType); + + if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) + return res; + + if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) + return res; + + if (res) + { + auto PID = oNtUserQueryWindow(res, 0); + if (tools::IsProtectedProcess(PID)) + { + return NULL; + } + } + return res; +} + +NtUserBuildHwndList_ oNtUserBuildHwndList = NULL; +NTSTATUS NTAPI hkNtUserBuildHwndList(HDESK hdesk, HWND hwndNext, ULONG fEnumChildren, DWORD idThread, UINT cHwndMax, + HWND *phwndFirst, ULONG *pcHwndNeeded) +{ + const auto res = oNtUserBuildHwndList(hdesk, hwndNext, fEnumChildren, idThread, cHwndMax, phwndFirst, pcHwndNeeded); + + if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) + return res; + + if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) + return res; + + if (fEnumChildren == 1) + { + auto PID = oNtUserQueryWindow(hwndNext, 0); + if (tools::IsProtectedProcess(PID)) + return STATUS_UNSUCCESSFUL; + } + + if (NT_SUCCESS(res)) + { + ULONG i = 0; + ULONG j; + + while (i < *pcHwndNeeded) + { + auto PID = oNtUserQueryWindow(phwndFirst[i], 0); + if (tools::IsProtectedProcess(PID)) + { + for (j = i; j < (*pcHwndNeeded) - 1; j++) + phwndFirst[j] = phwndFirst[j + 1]; + phwndFirst[*pcHwndNeeded - 1] = 0; + (*pcHwndNeeded)--; + continue; + } + i++; + } + } + return res; +} + +NtUserGetForegroundWindow_ oNtUserGetForegroundWindow = NULL; +HWND LastForeWnd = HWND(-1); + +HWND NTAPI hkNtUserGetForegroundWindow(VOID) +{ + const auto res = oNtUserGetForegroundWindow(); + + if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) + return res; + + if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) + return res; + + auto PID = oNtUserQueryWindow(res, 0); + if (tools::IsProtectedProcess(PID)) + return LastForeWnd; 
+ else + LastForeWnd = res; + + return res; +} \ No newline at end of file diff --git a/MasterHide/hooks.hpp b/MasterHide/hooks.hpp new file mode 100644 index 0000000..5e1b6b8 --- /dev/null +++ b/MasterHide/hooks.hpp 
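Review bot: Several hooks dereference user-mode pointers after the real syscall returns with no `ProbeForWrite` and no `__try`: `hkNtQuerySystemInformation` walks `Buffer` (module, process, handle and code-integrity branches), `hkNtUserBuildHwndList` reads `*pcHwndNeeded` and rewrites `phwndFirst[]`, and `hkNtAllocateVirtualMemory`/`hkNtFreeVirtualMemory` read `*RegionSize` and `*BaseAddress`; another thread in the calling process can unmap that memory between the original call and the post-processing, and the resulting fault is an unhandled kernel exception, i.e. any unprivileged process can bugcheck the machine. Every post-call buffer walk should be `if (ExGetPreviousMode() == UserMode) ProbeForWrite(Buffer, Length, sizeof(ULONG));` inside `__try { ... } __except (EXCEPTION_EXECUTE_HANDLER) { return ret; }`, as `hkNtDeviceIoControlFile` already half-does. Even in that function the `IOCTL_NDIS_QUERY_GLOBAL_STATS` case reads `*(PDWORD)InputBuffer` and copies `sizeof(globals::szFakeMAC)` bytes into `OutputBuffer` without checking `InputBufferLength >= sizeof(DWORD)` or `OutputBufferLength >= sizeof(globals::szFakeMAC)`, and `strcpy(Serial, globals::szFakeSerial)` writes 12 bytes regardless of how long the device's serial field actually is, so each write needs to be bounded by the field or buffer size (`strcpy_s`/`RtlStringCbCopyA` with the real field length). A further visible defect in the `SystemModuleInformation` branch: a matched entry that is not last is overwritten with `pEntry[next_entry]` but `NumberOfModules` is not decremented and `i` still advances, so the last module is reported twice and the entry that moved into slot `i` is never re-checked; shift the tail down with `memmove`, decrement the count and re-examine the same index as below.

```cpp
if (strstr((char *)pEntry[i].FullPathName, globals::szProtectedDrivers[x]))
{
    const ULONG remaining = pModule->NumberOfModules - i - 1;
    if (remaining)
        memmove(&pEntry[i], &pEntry[i + 1], remaining * sizeof(RTL_PROCESS_MODULE_INFORMATION));
    memset(&pEntry[pModule->NumberOfModules - 1], 0, sizeof(RTL_PROCESS_MODULE_INFORMATION));
    pModule->NumberOfModules--;
    --i; // re-check the entry that moved into slot i (unsigned wrap is undone by the loop's ++i)
    break;
}
// ... unchanged: remaining loop body and the other SystemInformationClass branches ...
```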
@@ -0,0 +1,117 @@
+#pragma once
+
+//
+// ntoskrnl.exe
+//
+static auto SYSCALL_NTUSERFINDWNDEX = 0x106e;
+static auto SYSCALL_NTUSERWNDFROMPOINT = 0x1014;
+static auto SYSCALL_NTUSERBUILDWNDLIST = 0x101c;
+static auto SYSCALL_NTGETFOREGROUNDWND = 0x103c;
+static auto SYSCALL_NTUSERQUERYWND = 0x1010;
+
+//
+// win32k.sys
+//
+static auto SYSCALL_NTQUERYSYSINFO = 0x0033;
+static auto SYSCALL_NTOPENPROCESS = 0x0023;
+static auto SYSCALL_NTALLOCVIRTUALMEM = 0x0015;
+static auto SYSCALL_NTWRITEVIRTUALMEM = 0x0037;
+static auto SYSCALL_NTFREEVIRTUALMEM = 0x001b;
+static auto SYSCALL_NTDEVICEIOCTRLFILE = 0x0004;
+static auto SYSCALL_NTLOADDRIVER = 0x0004;
+
+namespace masterhide
+{
+namespace tools
+{
+extern bool IsProtectedProcess(HANDLE PID);
+extern bool IsProtectedProcess(PWCH Buffer);
+extern bool IsProtectedProcessEx(PEPROCESS Process);
+extern bool IsMonitoredProcess(HANDLE PID);
+extern bool IsMonitoredProcessEx(PEPROCESS Process);
+extern bool IsBlacklistedProcess(HANDLE PID);
+extern bool IsBlacklistedProcessEx(PEPROCESS Process);
+} // namespace tools
+}; // namespace masterhide
+
+//
+// ntoskrnl.exe hooks
+//
+using NtQuerySystemInformation_ = NTSTATUS(NTAPI *)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
+extern NtQuerySystemInformation_ oNtQuerySystemInformation;
+
+NTSTATUS NTAPI hkNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID Buffer, ULONG Length,
+ PULONG ReturnLength);
+
+using NtOpenProcess_ = NTSTATUS(NTAPI *)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
+ POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
+extern NtOpenProcess_ oNtOpenProcess;
+
+NTSTATUS NTAPI hkNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes,
+ PCLIENT_ID ClientId);
+
+using NtAllocateVirtualMemory_ = NTSTATUS(NTAPI *)(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits,
+ PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
+extern NtAllocateVirtualMemory_ oNtAllocateVirtualMemory;
+
+NTSTATUS NTAPI hkNtAllocateVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits,
+ PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
+
+using NtFreeVirtualMemory_ = NTSTATUS(NTAPI *)(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize,
+ ULONG FreeType);
+extern NtFreeVirtualMemory_ oNtFreeVirtualMemory;
+
+NTSTATUS NTAPI hkNtFreeVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize, ULONG FreeType);
+
+using NtWriteVirtualMemory_ = NTSTATUS(NTAPI *)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer,
+ ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);
+extern NtWriteVirtualMemory_ oNtWriteVirtualMemory;
+
+NTSTATUS NTAPI hkNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite,
+ PULONG NumberOfBytesWritten);
+
+using NtDeviceIoControlFile_ = NTSTATUS(NTAPI *)(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine,
+ PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode,
+ PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer,
+ ULONG OutputBufferLength);
+extern NtDeviceIoControlFile_ oNtDeviceIoControlFile;
+
+NTSTATUS NTAPI hkNtDeviceIoControlFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext,
+ PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer,
+ ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength);
+
+using NtLoadDriver_ = NTSTATUS(NTAPI *)(PUNICODE_STRING DriverServiceName);
+extern NtLoadDriver_ oNtLoadDriver;
+
+NTSTATUS NTAPI hkNtLoadDriver(PUNICODE_STRING DriverServiceName);
+
+//
+// win32k.sys hooks
+//
+using NtUserWindowFromPoint_ = HWND(NTAPI *)(LONG, LONG);
+extern NtUserWindowFromPoint_ oNtUserWindowFromPoint;
+
+HWND hkNtUserWindowFromPoint(LONG x, LONG y);
+
+using NtUserQueryWindow_ = HANDLE(NTAPI *)(HWND, HANDLE);
+extern NtUserQueryWindow_ oNtUserQueryWindow;
+
+HANDLE hkNtUserQueryWindow(HWND WindowHandle, HANDLE TypeInformation);
+
+using NtUserFindWindowEx_ = HWND(NTAPI *)(HWND, HWND, PUNICODE_STRING, PUNICODE_STRING, DWORD);
+extern NtUserFindWindowEx_ oNtUserFindWindowEx;
+
+HWND NTAPI hkNtUserFindWindowEx(HWND hWndParent, HWND hWndChildAfter, PUNICODE_STRING lpszClass,
+ PUNICODE_STRING lpszWindow, DWORD dwType);
+
+using NtUserBuildHwndList_ = NTSTATUS(NTAPI *)(HDESK hdesk, HWND hwndNext, ULONG fEnumChildren, DWORD idThread,
+ UINT cHwndMax, HWND *phwndFirst, ULONG *pcHwndNeeded);
+extern NtUserBuildHwndList_ oNtUserBuildHwndList;
+
+NTSTATUS NTAPI hkNtUserBuildHwndList(HDESK hdesk, HWND hwndNext, ULONG fEnumChildren, DWORD idThread, UINT cHwndMax,
+ HWND *phwndFirst, ULONG *pcHwndNeeded);
+
+using NtUserGetForegroundWindow_ = HWND(NTAPI *)(VOID);
+extern NtUserGetForegroundWindow_ oNtUserGetForegroundWindow;
+
+HWND NTAPI hkNtUserGetForegroundWindow(VOID);
\ No newline at end of file
diff --git a/MasterHide/stdafx.h b/MasterHide/includes.hpp
similarity index 58%
rename from MasterHide/stdafx.h
rename to MasterHide/includes.hpp
index 675c6ed..5a4e3e1 100644
--- a/MasterHide/stdafx.h
+++ b/MasterHide/includes.hpp
@@ -10,23 +10,29 @@
 #include
 #include
 #include
-#include
 #include
-#define TAG 'gtHM'
-#define DBGPRINT( x, ... ) DbgPrintEx( NULL, NULL, "[ MasterHide ] " x, __VA_ARGS__ );
+#define TAG '00hm'
+
+#ifndef DBGPRINT
+#if _DEBUG
+#define DBGPRINT(x, ...) DbgPrintEx(NULL, NULL, "[ MasterHide ] " x "\n", __VA_ARGS__);
+#else
+#define DBGPRINT(...)
+#endif
+#endif
 //
 // Uncomment that to use ordinary SSDT/SSSDT hooking
 //
 #define USE_KASPERSKY
-#include "winnt.h"
+#include "winnt.hpp"
 #include "globals.hpp"
-#include "tools.h"
+#include "misc.hpp"
 #include "kaspersky.hpp"
-#include "ssdt.h"
+#include "ssdt.hpp"
-#include "shadow_ssdt.h"
+#include "shadow_ssdt.hpp"
-#include "mh_hooks.h"
+#include "hooks.hpp"
 using namespace masterhide;
\ No newline at end of file
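Review bot: `SYSCALL_NTDEVICEIOCTRLFILE` and `SYSCALL_NTLOADDRIVER` are both initialised to `0x0004`, so two distinct hooks point at the same service index whenever the runtime lookup is skipped or fails; one of the two is a copy-paste slip and should be given its own value (`<correct index — TODO>`) or the duplicate rejected at init time. The two group headings are swapped — the `NtUser*` indices are win32k.sys services and the `Nt*` ones belong to ntoskrnl.exe — and the `//HARDCODED for Windows 7 x64 SP1 7601` caveat carried by the deleted mh_hooks.h was dropped although the numbers are unchanged; suggest `// win32k.sys — defaults hard-coded for Windows 7 x64 SP1 7601` over the first group and `// ntoskrnl.exe` over the second. Because these are `static` at namespace scope in a header, every translation unit that includes hooks.hpp owns a private copy; if drivermain.cpp still assigns them at load time the way the deleted main.cpp did, the hook installers in other .cpp files keep the Win7 defaults, so declare them `extern` here and define them once in a single .cpp.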
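Review bot: The debug definition `#define DBGPRINT(x, ...) DbgPrintEx(NULL, NULL, "[ MasterHide ] " x "\n", __VA_ARGS__);` carries its own trailing semicolon while the release definition expands to nothing, so `if (cond) DBGPRINT("..."); else ...` compiles in one configuration and fails in the other; drop the semicolon from the macro and give the release branch a statement-shaped body, e.g. `#define DBGPRINT(x, ...) do { DbgPrintEx(NULL, NULL, "[ MasterHide ] " x "\n", __VA_ARGS__); } while (0)` and `#define DBGPRINT(...) ((void)0)`. With the empty release expansion, locals that exist only to be logged (the deleted mh_hooks.cpp computed `ShortName` solely for that) become unused and will trip warnings-as-errors builds; `((void)0)` does not cure that, so such locals need `UNREFERENCED_PARAMETER`/`(void)` or the logging helper should remain a real no-op function. `#if _DEBUG` keys off the MSVC CRT macro; kernel-mode configurations conventionally define `DBG` for checked builds, so confirm the project actually defines `_DEBUG` or the debug branch will never be selected.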
diff --git a/MasterHide/main.cpp b/MasterHide/main.cpp
deleted file mode 100644
index de7745e..0000000
--- a/MasterHide/main.cpp
+++ /dev/null
@@ -1,116 +0,0 @@
-#include "stdafx.h"
-
-void OnDriverUnload( PDRIVER_OBJECT pDriverObject )
-{
- UNREFERENCED_PARAMETER( pDriverObject );
-
- ssdt::Destroy();
- sssdt::Destroy();
-
- //
- // Delay the execution for a second to make sure no thread is executing the hooked function
- //
- LARGE_INTEGER LargeInteger{ };
- LargeInteger.QuadPart = -11000000;
-
- KeDelayExecutionThread( KernelMode, FALSE, &LargeInteger );
- tools::UnloadImages();
-
- DBGPRINT( "Driver unload routine triggered!\n" );
-}
-
-extern "C" NTSTATUS NTAPI DriverEntry( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath )
-{
- UNREFERENCED_PARAMETER( pRegistryPath );
-
- if ( !pDriverObject )
- {
- DBGPRINT( "Err: No driver object!\n" );
- return STATUS_FAILED_DRIVER_ENTRY;
- }
-
- RTL_OSVERSIONINFOW os{ };
- os.dwOSVersionInfoSize = sizeof( os );
-
- if ( !NT_SUCCESS( RtlGetVersion( &os ) ) )
- {
- DBGPRINT( "Err: RtlGetVersion failed!\n" );
- return STATUS_FAILED_DRIVER_ENTRY;
- }
-
- pDriverObject->DriverUnload = &OnDriverUnload;
- DBGPRINT( "Driver loaded!\n" );
-
- //
- // If the OS is either Windows 10, 8/8.1 those are the only supported OS
- //
- bool bIsWin7 = ( os.dwMajorVersion == 6 && os.dwMinorVersion == 1 );
-
- if ( os.dwMajorVersion == 10 || ( bIsWin7 || ( os.dwMajorVersion == 6 && os.dwMinorVersion == 2 ) || ( os.dwMajorVersion == 6 && os.dwMinorVersion == 3 ) ) )
- {
- // This special API only works in Win8+ and it basically allows you to set no executable flag in NonPagedPools
- ExInitializeDriverRuntime( DrvRtPoolNxOptIn );
-
- //
- // Sycalls numbers are OS based, since user32.dll doesnt export them in early Windows versions ( Win7 for example ) we hardcode them and extract them on newer
- // systems that export it ( Win8+ for example in win32u.dll )
- //
- if ( !bIsWin7 )
- {
- SYSCALL_NTUSERQUERYWND = tools::GetWin32Syscall( "NtUserQueryWindow" );
- SYSCALL_NTUSERFINDWNDEX = tools::GetWin32Syscall( "NtUserFindWindowEx" );
- SYSCALL_NTUSERWNDFROMPOINT = tools::GetWin32Syscall( "NtUserWindowFromPoint" );
- SYSCALL_NTUSERBUILDWNDLIST = tools::GetWin32Syscall( "NtUserBuildHwndList" );
- SYSCALL_NTGETFOREGROUNDWND = tools::GetWin32Syscall( "NtUserGetForegroundWindow" );
-
- SYSCALL_NTOPENPROCESS = tools::GetNtSyscall( "NtOpenProcess" );
- SYSCALL_NTDEVICEIOCTRLFILE = tools::GetNtSyscall( "NtDeviceIoControlFile" );
- SYSCALL_NTQUERYSYSINFO = tools::GetNtSyscall( "NtQuerySystemInformation" );
- SYSCALL_NTALLOCVIRTUALMEM = tools::GetNtSyscall( "NtAllocateVirtualMemory" );
- SYSCALL_NTFREEVIRTUALMEM = tools::GetNtSyscall( "NtFreeVirtualMemory" );
- SYSCALL_NTWRITEVIRTUALMEM = tools::GetNtSyscall( "NtWriteVirtualMemory" );
- SYSCALL_NTLOADDRIVER = tools::GetNtSyscall( "NtLoadDriver" );
- }
-
-#ifndef USE_KASPERSKY
- //
- // (S)SSDT Hooks are only Win7 compatible ( hardcoded )
- //
- DBGPRINT( "Not using Kaspersky to hook, Shadow SSDT is unstable!\n" );
-#else
- DBGPRINT( "Using Kaspersky!\n" );
-
- if ( !kaspersky::is_klhk_loaded() )
- {
- tools::UnloadImages();
- DBGPRINT( "Kaspersky not loaded!\n" );
- return STATUS_UNSUCCESSFUL;
- }
-
- if ( !kaspersky::initialize() )
- {
- tools::UnloadImages();
- DBGPRINT( "Kaspersky init failed!\n" );
- return STATUS_UNSUCCESSFUL;
- }
-
- DBGPRINT( "Using Kaspersky hypervisor!\n" );
-
- if ( !kaspersky::hvm_init() )
- {
- tools::UnloadImages();
- DBGPRINT( "Hypervisor not loaded!\n" );
- return STATUS_UNSUCCESSFUL;
- }
-
- DBGPRINT( "Hypervisor loaded!\n" );
-#endif
- ssdt::Init();
- sssdt::Init();
- }
- else
- // No support for other OS
- return STATUS_NOT_SUPPORTED;
-
- return STATUS_SUCCESS;
-}
\ No newline at end of file
diff --git a/MasterHide/mh_hooks.cpp b/MasterHide/mh_hooks.cpp
deleted file mode 100644
index c1c72f3..0000000
--- a/MasterHide/mh_hooks.cpp
+++ /dev/null
@@ -1,832 +0,0 @@ -#include "stdafx.h" - -namespace masterhide -{ - namespace tools - { - bool IsProtectedProcess( HANDLE PID ) - { - UNICODE_STRING wsProcName{ }; - if ( !GetProcessName( PID, &wsProcName ) ) - return false; - - bool bResult = false; - if ( wsProcName.Buffer ) - { - for ( int i = 0; i < ARRAYSIZE( globals::wsProtectedProcesses ); ++i ) - { - if ( wcsstr( wsProcName.Buffer, globals::wsProtectedProcesses[ i ] ) ) - { - bResult = true; - break; - } - } - FreeUnicodeString( &wsProcName ); - } - return bResult; - } - - bool IsProtectedProcess( PWCH Buffer ) - { - if ( !Buffer ) - return false; - - for ( int i = 0; i < ARRAYSIZE( globals::wsProtectedProcesses ); ++i ) - { - if ( wcsstr( Buffer, globals::wsProtectedProcesses[ i ] ) ) - { - return true; - } - } - return false; - } - - bool IsProtectedProcessEx( PEPROCESS Process ) - { - UNICODE_STRING wsProcName{ }; - if ( !GetProcessNameByPEPROCESS( Process, &wsProcName ) ) - return false; - - bool bResult = false; - if ( wsProcName.Buffer ) - { - for ( int i = 0; i < ARRAYSIZE( globals::wsProtectedProcesses ); ++i ) - { - if ( wcsstr( wsProcName.Buffer, globals::wsProtectedProcesses[ i ] ) ) - { - bResult = true; - break; - } - } - FreeUnicodeString( &wsProcName ); - } - return bResult; - } - - bool IsMonitoredProcess( HANDLE PID ) - { - UNICODE_STRING wsProcName{ }; - if ( !GetProcessName( PID, &wsProcName ) ) - return false; - - bool bResult = false; - if ( wsProcName.Buffer ) - { - for ( int i = 0; i < ARRAYSIZE( globals::wsMonitoredProcesses ); ++i ) - { - if ( wcsstr( wsProcName.Buffer, globals::wsMonitoredProcesses[ i ] ) ) - { - bResult = true; - break; - } - } - FreeUnicodeString( &wsProcName ); - } - return bResult; - } - - bool IsMonitoredProcessEx( PEPROCESS Process ) - { - UNICODE_STRING wsProcName{ }; - if ( !GetProcessNameByPEPROCESS( Process, &wsProcName ) ) - return false; - - bool bResult = false; - if ( wsProcName.Buffer ) - { - for ( int i = 0; i < ARRAYSIZE( 
globals::wsMonitoredProcesses ); ++i ) - { - if ( wcsstr( wsProcName.Buffer, globals::wsMonitoredProcesses[ i ] ) ) - { - bResult = true; - break; - } - } - FreeUnicodeString( &wsProcName ); - } - return bResult; - } - - bool IsBlacklistedProcess( HANDLE PID ) - { - UNICODE_STRING wsProcName{ }; - if ( !GetProcessName( PID, &wsProcName ) ) - return false; - - bool bResult = false; - if ( wsProcName.Buffer ) - { - for ( int i = 0; i < ARRAYSIZE( globals::wsBlacklistedProcessess ); ++i ) - { - if ( wcsstr( wsProcName.Buffer, globals::wsBlacklistedProcessess[ i ] ) ) - { - bResult = true; - break; - } - } - FreeUnicodeString( &wsProcName ); - } - return bResult; - } - - bool IsBlacklistedProcessEx( PEPROCESS Process ) - { - UNICODE_STRING wsProcName{ }; - if ( !GetProcessNameByPEPROCESS( Process, &wsProcName ) ) - return false; - - bool bResult = false; - if ( wsProcName.Buffer ) - { - for ( int i = 0; i < ARRAYSIZE( globals::wsBlacklistedProcessess ); ++i ) - { - if ( wcsstr( wsProcName.Buffer, globals::wsBlacklistedProcessess[ i ] ) ) - { - bResult = true; - break; - } - } - FreeUnicodeString( &wsProcName ); - } - return bResult; - } - } -}; - -NtOpenProcess_ oNtOpenProcess = NULL; -NTSTATUS NTAPI hkNtOpenProcess( PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId ) -{ - const auto ret = oNtOpenProcess( ProcessHandle, DesiredAccess, ObjectAttributes, ClientId ); - if ( PsIsProtectedProcess( PsGetCurrentProcess() ) || PsIsSystemProcess( PsGetCurrentProcess() ) || tools::IsProtectedProcess( PsGetCurrentProcessId() ) ) - return ret; - - if ( NT_SUCCESS( ret ) ) - { - if ( tools::IsBlacklistedProcess( PsGetCurrentProcessId() ) ) - { - if ( tools::IsProtectedProcess( ClientId->UniqueProcess ) ) - { - DBGPRINT( "Denying access from PID %p to PID %p\n", PsGetCurrentProcessId(), ClientId->UniqueProcess ); - ZwClose( *ProcessHandle ); - *ProcessHandle = HANDLE( -1 ); - return STATUS_ACCESS_DENIED; - } - } - - if ( 
tools::IsMonitoredProcess( ClientId->UniqueProcess ) ) - { - UNICODE_STRING wsProcName{ }; - if ( tools::GetProcessName( ClientId->UniqueProcess, &wsProcName ) ) - { - if ( wsProcName.Buffer ) - { - auto ShortName = wcsrchr( wsProcName.Buffer, '\\' ); - DBGPRINT( "[ OP ] PID %p is opening a handle with access mask 0x%X to process %ws\n", PsGetCurrentProcessId(), DesiredAccess, ShortName ); - FreeUnicodeString( &wsProcName ); - } - } - } - } - return ret; -} - -NtWriteVirtualMemory_ oNtWriteVirtualMemory = NULL; -NTSTATUS NTAPI hkNtWriteVirtualMemory( HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten ) -{ - const auto res = oNtWriteVirtualMemory( ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten ); - if ( PsIsProtectedProcess( PsGetCurrentProcess() ) || PsIsSystemProcess( PsGetCurrentProcess() ) || tools::IsProtectedProcess( PsGetCurrentProcessId() ) ) - return res; - - if ( NT_SUCCESS( res ) ) - { - // - // Get Name from handle - // - PEPROCESS Process = nullptr; - auto ret = ObReferenceObjectByHandle( ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), ( PVOID* )&Process, nullptr ); - if ( !NT_SUCCESS( ret ) ) - return res; - - if ( tools::IsMonitoredProcessEx( Process ) ) - { - UNICODE_STRING wsProcName{ }; - if ( tools::GetProcessName( PsGetCurrentProcessId(), &wsProcName ) ) - { - if ( wsProcName.Buffer ) - { - auto ShortName = wcsrchr( wsProcName.Buffer, '\\' ); - DBGPRINT( "[ WPM ] 
From: %p to %ws with BaseAddress 0x%p Buffer 0x%p Length %d\n", PsGetCurrentProcessId(), ShortName, BaseAddress, Buffer, NumberOfBytesToWrite ); - FreeUnicodeString( &wsProcName ); - } - } - } - - ObDereferenceObject( Process ); - } - return res; -} - -NtAllocateVirtualMemory_ oNtAllocateVirtualMemory = NULL; -NTSTATUS NTAPI hkNtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect ) -{ - const auto res = oNtAllocateVirtualMemory( ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect ); - if ( PsIsProtectedProcess( PsGetCurrentProcess() ) || PsIsSystemProcess( PsGetCurrentProcess() ) || tools::IsProtectedProcess( PsGetCurrentProcessId() ) ) - return res; - - if ( NT_SUCCESS( res ) && BaseAddress && RegionSize && *RegionSize >= 0x1000 ) - { - // - // Get Name from handle - // - PEPROCESS Process = nullptr; - auto ret = ObReferenceObjectByHandle( ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), ( PVOID* )&Process, nullptr ); - if ( !NT_SUCCESS( ret ) ) - return res; - - if ( tools::IsMonitoredProcessEx( Process ) ) - { - UNICODE_STRING wsProcName{ }; - if ( tools::GetProcessName( PsGetCurrentProcessId(), &wsProcName ) ) - { - if ( wsProcName.Buffer ) - { - auto ShortName = wcsrchr( wsProcName.Buffer, '\\' ); - DBGPRINT( "[ AVM ] 
From: %p to %ws with BaseAddress 0x%p Length 0x%llx Type 0x%X Protect 0x%X\n", PsGetCurrentProcessId(), ShortName, *BaseAddress, *RegionSize, AllocationType, Protect ); - FreeUnicodeString( &wsProcName ); - } - } - } - - ObDereferenceObject( Process ); - } - return res; -} - -NtFreeVirtualMemory_ oNtFreeVirtualMemory = NULL; -NTSTATUS NTAPI hkNtFreeVirtualMemory( HANDLE ProcessHandle, PVOID* BaseAddress, PSIZE_T RegionSize, ULONG FreeType ) -{ - const auto res = oNtFreeVirtualMemory( ProcessHandle, BaseAddress, RegionSize, FreeType ); - if ( PsIsProtectedProcess( PsGetCurrentProcess() ) || PsIsSystemProcess( PsGetCurrentProcess() ) || tools::IsProtectedProcess( PsGetCurrentProcessId() ) ) - return res; - - if ( NT_SUCCESS( res ) && BaseAddress && RegionSize && *RegionSize >= 0x1000 ) - { - // - // Get Name from handle - // - PEPROCESS Process = nullptr; - auto ret = ObReferenceObjectByHandle( ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), ( PVOID* )&Process, nullptr ); - if ( !NT_SUCCESS( ret ) ) - return res; - - if ( tools::IsMonitoredProcessEx( Process ) ) - { - UNICODE_STRING wsProcName{ }; - if ( tools::GetProcessName( PsGetCurrentProcessId(), &wsProcName ) ) - { - if ( wsProcName.Buffer ) - { - auto ShortName = wcsrchr( wsProcName.Buffer, '\\' ); - DBGPRINT( "[ FVM ] 
From: %p to %ws with BaseAddress 0x%p Length 0x%llx FreeType 0x%X\n", PsGetCurrentProcessId(), ShortName, *BaseAddress, *RegionSize, FreeType ); - tools::DumpMZ( PUCHAR( *BaseAddress ) ); - FreeUnicodeString( &wsProcName ); - } - } - } - - ObDereferenceObject( Process ); - } - return res; -} - -NtDeviceIoControlFile_ oNtDeviceIoControlFile = NULL; -NTSTATUS NTAPI hkNtDeviceIoControlFile( HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength ) -{ - const auto ret = oNtDeviceIoControlFile( FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength ); - - // - // If the callee process is a protected process we ignore it - // - if ( !tools::IsBlacklistedProcess( PsGetCurrentProcessId() ) ) - return ret; - - if ( NT_SUCCESS( ret ) ) - { - const auto szNewModel = globals::szFakeModels[ 0 ]; - wchar_t wsProcess[ MAX_PATH ] = L"\\Unknown"; - - UNICODE_STRING wsProcName{ }; - if ( tools::GetProcessName( PsGetCurrentProcessId(), &wsProcName ) ) - { - if ( wsProcName.Buffer ) - { - wcscpy_s( wsProcess, wsProcName.Buffer ); - FreeUnicodeString( &wsProcName ); - } - } - - auto ShortName = wcsrchr( wsProcess, '\\' ); - - __try - { - // - // Hardware Spoofing - // - switch ( IoControlCode ) - { - - case IOCTL_STORAGE_QUERY_PROPERTY: - { - PSTORAGE_PROPERTY_QUERY Query = PSTORAGE_PROPERTY_QUERY( InputBuffer ); - if ( Query && Query->PropertyId == StorageDeviceProperty ) - { - if ( OutputBufferLength >= sizeof( STORAGE_DEVICE_DESCRIPTOR ) ) - { - PSTORAGE_DEVICE_DESCRIPTOR Desc = PSTORAGE_DEVICE_DESCRIPTOR( OutputBuffer ); - if ( Desc ) - { - if ( Desc->SerialNumberOffset ) - { - auto Serial = PCHAR( Desc ) + Desc->SerialNumberOffset; - DBGPRINT( "%ws Spoofing Serial ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, Serial, 
globals::szFakeSerial ); - memset( Serial, 0, strlen( Serial ) ); - strcpy( Serial, globals::szFakeSerial ); - } - - if ( Desc->ProductIdOffset ) - { - auto Model = PCHAR( Desc ) + Desc->ProductIdOffset; - DBGPRINT( "%ws Spoofing Model ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, Model, szNewModel ); - memset( Model, 0, strlen( Model ) ); - strcpy( Model, szNewModel ); - } - } - } - } - break; - } - - case IOCTL_ATA_PASS_THROUGH: - { - if ( OutputBufferLength >= sizeof( ATA_PASS_THROUGH_EX ) + sizeof( PIDENTIFY_DEVICE_DATA ) ) - { - PATA_PASS_THROUGH_EX Ata = PATA_PASS_THROUGH_EX( OutputBuffer ); - if ( Ata && Ata->DataBufferOffset ) - { - PIDENTIFY_DEVICE_DATA Identify = PIDENTIFY_DEVICE_DATA( PCHAR( OutputBuffer ) + Ata->DataBufferOffset ); - if ( Identify ) - { - auto Serial = PCHAR( Identify->SerialNumber ); - if ( strlen( Serial ) > 0 ) - { - tools::SwapEndianness( Serial, sizeof( Identify->SerialNumber ) ); - - DBGPRINT( "%ws Spoofing Serial ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, Serial, globals::szFakeSerial ); - memset( Serial, 0, strlen( Serial ) ); - strcpy( Serial, globals::szFakeSerial ); - - tools::SwapEndianness( Serial, sizeof( Identify->SerialNumber ) ); - } - - auto Model = PCHAR( Identify->ModelNumber ); - if ( strlen( Model ) > 0 ) - { - // Fix invalid characters. 
- Model[ sizeof( Identify->ModelNumber ) - 1 ] = 0; - Model[ sizeof( Identify->ModelNumber ) - 2 ] = 0; - - tools::SwapEndianness( Model, sizeof( Identify->ModelNumber ) - 2 ); - - DBGPRINT( "%ws Spoofing Model ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, Model, szNewModel ); - memset( Model, 0, strlen( Model ) ); - strcpy( Model, szNewModel ); - - tools::SwapEndianness( Model, sizeof( Identify->ModelNumber ) - 2 ); - } - } - } - } - break; - } - - case SMART_RCV_DRIVE_DATA: - { - if ( OutputBufferLength >= sizeof( SENDCMDOUTPARAMS ) ) - { - PSENDCMDOUTPARAMS Cmd = PSENDCMDOUTPARAMS( OutputBuffer ); - if ( Cmd ) - { - PIDSECTOR Sector = PIDSECTOR( Cmd->bBuffer ); - if ( Sector ) - { - auto Serial = PCHAR( Sector->sSerialNumber ); - if ( strlen( Serial ) > 0 ) - { - tools::SwapEndianness( Serial, sizeof( Sector->sSerialNumber ) ); - - DBGPRINT( "%ws Spoofing Serial ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, Serial, globals::szFakeSerial ); - memset( Serial, 0, strlen( Serial ) ); - strcpy( Serial, globals::szFakeSerial ); - - tools::SwapEndianness( Serial, sizeof( Sector->sSerialNumber ) ); - } - - auto Model = PCHAR( Sector->sModelNumber ); - if ( strlen( Model ) > 0 ) - { - // Fix invalid characters. 
- Model[ sizeof( Sector->sModelNumber ) - 1 ] = 0; - Model[ sizeof( Sector->sModelNumber ) - 2 ] = 0; - - tools::SwapEndianness( Model, sizeof( Sector->sModelNumber ) - 2 ); - - DBGPRINT( "%ws Spoofing Model ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, Model, szNewModel ); - memset( Model, 0, strlen( Model ) ); - strcpy( Model, szNewModel ); - - tools::SwapEndianness( Model, sizeof( Sector->sModelNumber ) - 2 ); - } - } - } - } - break; - } - - case IOCTL_DISK_GET_PARTITION_INFO_EX: - { - if ( OutputBufferLength >= sizeof( PARTITION_INFORMATION_EX ) ) - { - PPARTITION_INFORMATION_EX PartInfo = PPARTITION_INFORMATION_EX( OutputBuffer ); - if ( PartInfo && PartInfo->PartitionStyle == PARTITION_STYLE_GPT ) - { - DBGPRINT( "%ws Zero'ing partition GUID (EX)\n", ShortName ); - memset( &PartInfo->Gpt.PartitionId, 0, sizeof( GUID ) ); - } - } - break; - } - - case IOCTL_DISK_GET_DRIVE_LAYOUT_EX: - { - if ( OutputBufferLength >= sizeof( DRIVE_LAYOUT_INFORMATION_EX ) ) - { - PDRIVE_LAYOUT_INFORMATION_EX LayoutInfo = PDRIVE_LAYOUT_INFORMATION_EX( OutputBuffer ); - if ( LayoutInfo && LayoutInfo->PartitionStyle == PARTITION_STYLE_GPT ) - { - DBGPRINT( "%ws Zero'ing partition GUID\n", ShortName ); - memset( &LayoutInfo->Gpt.DiskId, 0, sizeof( GUID ) ); - } - } - break; - } - - case IOCTL_MOUNTMGR_QUERY_POINTS: - { - if ( OutputBufferLength >= sizeof( MOUNTMGR_MOUNT_POINTS ) ) - { - PMOUNTMGR_MOUNT_POINTS Points = PMOUNTMGR_MOUNT_POINTS( OutputBuffer ); - if ( Points ) - { - DBGPRINT( "%ws Spoofing mounted points\n", ShortName ); - for ( unsigned i = 0; i < Points->NumberOfMountPoints; ++i ) - { - auto Point = &Points->MountPoints[ i ]; - - if ( Point->UniqueIdOffset ) - Point->UniqueIdLength = 0; - - if ( Point->SymbolicLinkNameOffset ) - Point->SymbolicLinkNameLength = 0; - } - } - } - break; - } - - case IOCTL_MOUNTDEV_QUERY_UNIQUE_ID: - { - if ( OutputBufferLength >= sizeof( MOUNTDEV_UNIQUE_ID ) ) - { - PMOUNTDEV_UNIQUE_ID UniqueId = PMOUNTDEV_UNIQUE_ID( 
OutputBuffer ); - if ( UniqueId ) - { - DBGPRINT( "%ws Spoofing mounted unique id\n", ShortName ); - UniqueId->UniqueIdLength = 0; - } - } - break; - } - - case IOCTL_NDIS_QUERY_GLOBAL_STATS: - { - switch ( *( PDWORD )InputBuffer ) - { - case OID_802_3_PERMANENT_ADDRESS: - case OID_802_3_CURRENT_ADDRESS: - case OID_802_5_PERMANENT_ADDRESS: - case OID_802_5_CURRENT_ADDRESS: - DBGPRINT( "%ws Spoofing permanent MAC\n", ShortName ); - memcpy( OutputBuffer, globals::szFakeMAC, sizeof( globals::szFakeMAC ) ); - break; - } - } - - } - } - __except ( EXCEPTION_EXECUTE_HANDLER ) - { - - } - } - return ret; -} - -NtQuerySystemInformation_ oNtQuerySystemInformation = NULL; -NTSTATUS NTAPI hkNtQuerySystemInformation( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID Buffer, ULONG Length, PULONG ReturnLength ) -{ - const auto ret = oNtQuerySystemInformation( SystemInformationClass, Buffer, Length, ReturnLength ); - - // - // If the callee process is a protected process we ignore it - // - if ( tools::IsProtectedProcess( PsGetCurrentProcessId() ) ) - return ret; - - if ( NT_SUCCESS( ret ) ) - { - // - // Hide from Driver list - // - if ( SystemInformationClass == SystemModuleInformation ) - { - const auto pModule = PRTL_PROCESS_MODULES( Buffer ); - const auto pEntry = &pModule->Modules[ 0 ]; - - for ( unsigned i = 0; i < pModule->NumberOfModules; ++i ) - { - if ( pEntry[ i ].ImageBase && pEntry[ i ].ImageSize && strlen( ( char* )pEntry[ i ].FullPathName ) > 2 ) - { - for ( int x = 0; x < ARRAYSIZE( globals::szProtectedDrivers ); ++x ) - { - if ( strstr( ( char* )pEntry[ i ].FullPathName, globals::szProtectedDrivers[ x ] ) ) - { - const auto next_entry = i + 1; - - if ( next_entry < pModule->NumberOfModules ) - memcpy( &pEntry[ i ], &pEntry[ next_entry ], sizeof( RTL_PROCESS_MODULE_INFORMATION ) ); - else - { - memset( &pEntry[ i ], 0, sizeof( RTL_PROCESS_MODULE_INFORMATION ) ); - pModule->NumberOfModules--; - } - } - } - } - } - } - // - // Hide from Process list - // - 
else if ( - SystemInformationClass == SystemProcessInformation || - SystemInformationClass == SystemSessionProcessInformation || - SystemInformationClass == SystemExtendedProcessInformation ) - { - PSYSTEM_PROCESS_INFO pCurr = NULL; - PSYSTEM_PROCESS_INFO pNext = PSYSTEM_PROCESS_INFO( Buffer ); - - while ( pNext->NextEntryOffset != 0 ) - { - pCurr = pNext; - pNext = ( PSYSTEM_PROCESS_INFO )( ( PUCHAR )pCurr + pCurr->NextEntryOffset ); - - // - // Erase our protected processes from the list - // - if ( pNext->ImageName.Buffer && tools::IsProtectedProcess( pNext->ImageName.Buffer ) ) - { - if ( pNext->NextEntryOffset == 0 ) - { - pCurr->NextEntryOffset = 0; - } - else - { - pCurr->NextEntryOffset += pNext->NextEntryOffset; - } - - pNext = pCurr; - } - } - } - // - // Hide from handle list - // - else if ( SystemInformationClass == SystemHandleInformation ) - { - if ( tools::IsBlacklistedProcess( PsGetCurrentProcessId() ) ) - { - const auto pHandle = PSYSTEM_HANDLE_INFORMATION( Buffer ); - const auto pEntry = &pHandle->Information[ 0 ]; - - for ( unsigned i = 0; i < pHandle->NumberOfHandles; ++i ) - { - if ( tools::IsProtectedProcess( ULongToHandle( pEntry[ i ].ProcessId ) ) ) - { - const auto next_entry = i + 1; - - if ( next_entry < pHandle->NumberOfHandles ) - memcpy( &pEntry[ i ], &pEntry[ next_entry ], sizeof( SYSTEM_HANDLE ) ); - else - { - memset( &pEntry[ i ], 0, sizeof( SYSTEM_HANDLE ) ); - pHandle->NumberOfHandles--; - } - } - } - } - } - else if ( SystemInformationClass == SystemExtendedHandleInformation ) - { - if ( tools::IsBlacklistedProcess( PsGetCurrentProcessId() ) ) - { - const auto pHandle = PSYSTEM_HANDLE_INFORMATION_EX( Buffer ); - const auto pEntry = &pHandle->Information[ 0 ]; - - for ( unsigned i = 0; i < pHandle->NumberOfHandles; ++i ) - { - if ( tools::IsProtectedProcess( ULongToHandle( pEntry[ i ].ProcessId ) ) ) - { - const auto next_entry = i + 1; - - if ( next_entry < pHandle->NumberOfHandles ) - memcpy( &pEntry[ i ], &pEntry[ next_entry 
], sizeof( SYSTEM_HANDLE ) ); - else - { - memset( &pEntry[ i ], 0, sizeof( SYSTEM_HANDLE ) ); - pHandle->NumberOfHandles--; - } - } - } - } - } - // - // Spoof code integrity status - // - else if ( SystemInformationClass == SystemCodeIntegrityInformation ) - { - PSYSTEM_CODEINTEGRITY_INFORMATION Integrity = PSYSTEM_CODEINTEGRITY_INFORMATION( Buffer ); - - // Spoof test sign flag if present - if ( Integrity->CodeIntegrityOptions & CODEINTEGRITY_OPTION_TESTSIGN ) - Integrity->CodeIntegrityOptions &= ~CODEINTEGRITY_OPTION_TESTSIGN; - - // Set as always enabled. - Integrity->CodeIntegrityOptions |= CODEINTEGRITY_OPTION_ENABLED; - } - } - return ret; -} - -NtLoadDriver_ oNtLoadDriver = NULL; -NTSTATUS NTAPI hkNtLoadDriver( PUNICODE_STRING DriverServiceName ) -{ - NTSTATUS ret = STATUS_UNSUCCESSFUL; - bool bLoad = true; - - if ( DriverServiceName && DriverServiceName->Buffer ) - { - /* - - For example: - - if ( wcsstr( DriverServiceName->Buffer, L"BEDaisy.sys" ) ) - bLoad = false; - - Loading will be blocked. 
- */ - } - - if ( bLoad ) - { - ret = oNtLoadDriver( DriverServiceName ); - if ( NT_SUCCESS( ret ) ) - DBGPRINT( "Loading Driver: %ws\n", DriverServiceName->Buffer ); - } - return ret; -} - -NtUserWindowFromPoint_ oNtUserWindowFromPoint = NULL; -HWND NTAPI hkNtUserWindowFromPoint( LONG x, LONG y ) -{ - const auto res = oNtUserWindowFromPoint( x, y ); - - if ( PsIsProtectedProcess( PsGetCurrentProcess() ) || PsIsSystemProcess( PsGetCurrentProcess() ) ) - return res; - - if ( !tools::IsBlacklistedProcessEx( PsGetCurrentProcess() ) ) - return res; - - return 0; -} - -NtUserQueryWindow_ oNtUserQueryWindow = NULL; -HANDLE NTAPI hkNtUserQueryWindow( HWND WindowHandle, HANDLE TypeInformation ) -{ - const auto res = oNtUserQueryWindow( WindowHandle, TypeInformation ); - - if ( PsIsProtectedProcess( PsGetCurrentProcess() ) || PsIsSystemProcess( PsGetCurrentProcess() ) ) - return res; - - if ( !tools::IsBlacklistedProcessEx( PsGetCurrentProcess() ) ) - return res; - - auto PID = oNtUserQueryWindow( WindowHandle, 0 ); - if ( tools::IsProtectedProcess( PID ) ) - return 0; - - return res; -} - -NtUserFindWindowEx_ oNtUserFindWindowEx = NULL; -HWND NTAPI hkNtUserFindWindowEx( HWND hWndParent, HWND hWndChildAfter, PUNICODE_STRING lpszClass, PUNICODE_STRING lpszWindow, DWORD dwType ) -{ - const auto res = oNtUserFindWindowEx( hWndParent, hWndChildAfter, lpszClass, lpszWindow, dwType ); - - if ( PsIsProtectedProcess( PsGetCurrentProcess() ) || PsIsSystemProcess( PsGetCurrentProcess() ) ) - return res; - - if ( !tools::IsBlacklistedProcessEx( PsGetCurrentProcess() ) ) - return res; - - if ( res ) - { - auto PID = oNtUserQueryWindow( res, 0 ); - if ( tools::IsProtectedProcess( PID ) ) - { - return NULL; - } - } - return res; -} - -NtUserBuildHwndList_ oNtUserBuildHwndList = NULL; -NTSTATUS NTAPI hkNtUserBuildHwndList( HDESK hdesk, HWND hwndNext, ULONG fEnumChildren, DWORD idThread, UINT cHwndMax, HWND* phwndFirst, ULONG* pcHwndNeeded ) -{ - const auto res = oNtUserBuildHwndList( 
hdesk, hwndNext, fEnumChildren, idThread, cHwndMax, phwndFirst, pcHwndNeeded ); - - if ( PsIsProtectedProcess( PsGetCurrentProcess() ) || PsIsSystemProcess( PsGetCurrentProcess() ) ) - return res; - - if ( !tools::IsBlacklistedProcessEx( PsGetCurrentProcess() ) ) - return res; - - if ( fEnumChildren == 1 ) - { - auto PID = oNtUserQueryWindow( hwndNext, 0 ); - if ( tools::IsProtectedProcess( PID ) ) - return STATUS_UNSUCCESSFUL; - } - - if ( NT_SUCCESS( res ) ) - { - ULONG i = 0; - ULONG j; - - while ( i < *pcHwndNeeded ) - { - auto PID = oNtUserQueryWindow( phwndFirst[ i ], 0 ); - if ( tools::IsProtectedProcess( PID ) ) - { - for ( j = i; j < ( *pcHwndNeeded ) - 1; j++ ) - phwndFirst[ j ] = phwndFirst[ j + 1 ]; - phwndFirst[ *pcHwndNeeded - 1 ] = 0; - ( *pcHwndNeeded )--; - continue; - } - i++; - } - } - return res; -} - -NtUserGetForegroundWindow_ oNtUserGetForegroundWindow = NULL; -HWND LastForeWnd = HWND( -1 ); - -HWND NTAPI hkNtUserGetForegroundWindow( VOID ) -{ - const auto res = oNtUserGetForegroundWindow(); - - if ( PsIsProtectedProcess( PsGetCurrentProcess() ) || PsIsSystemProcess( PsGetCurrentProcess() ) ) - return res; - - if ( !tools::IsBlacklistedProcessEx( PsGetCurrentProcess() ) ) - return res; - - auto PID = oNtUserQueryWindow( res, 0 ); - if ( tools::IsProtectedProcess( PID ) ) - return LastForeWnd; - else - LastForeWnd = res; - - return res; -} \ No newline at end of file diff --git a/MasterHide/mh_hooks.h b/MasterHide/mh_hooks.h deleted file mode 100644 index 913cafe..0000000 --- a/MasterHide/mh_hooks.h +++ /dev/null 
@@ -1,103 +0,0 @@ -#pragma once - -//HARDCODED for Windows 7 x64 SP1 7601 - -// -// ntoskrnl.exe -// -static auto SYSCALL_NTUSERFINDWNDEX = 0x106e; -static auto SYSCALL_NTUSERWNDFROMPOINT = 0x1014; -static auto SYSCALL_NTUSERBUILDWNDLIST = 0x101c; -static auto SYSCALL_NTGETFOREGROUNDWND = 0x103c; -static auto SYSCALL_NTUSERQUERYWND = 0x1010; - -// -// win32k.sys -// -static auto SYSCALL_NTQUERYSYSINFO = 0x0033; -static auto SYSCALL_NTOPENPROCESS = 0x0023; -static auto SYSCALL_NTALLOCVIRTUALMEM = 0x0015; -static auto SYSCALL_NTWRITEVIRTUALMEM = 0x0037; -static auto SYSCALL_NTFREEVIRTUALMEM = 0x001b; -static auto SYSCALL_NTDEVICEIOCTRLFILE = 0x0004; -static auto SYSCALL_NTLOADDRIVER = 0x0004; - -namespace masterhide -{ - namespace tools - { - extern bool IsProtectedProcess( HANDLE PID ); - extern bool IsProtectedProcess( PWCH Buffer ); - extern bool IsProtectedProcessEx( PEPROCESS Process ); - extern bool IsMonitoredProcess( HANDLE PID ); - extern bool IsMonitoredProcessEx( PEPROCESS Process ); - extern bool IsBlacklistedProcess( HANDLE PID ); - extern bool IsBlacklistedProcessEx( PEPROCESS Process ); - } -}; - -// -// ntoskrnl.exe hooks -// -using NtQuerySystemInformation_ = NTSTATUS( NTAPI* )( SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG ); -extern NtQuerySystemInformation_ oNtQuerySystemInformation; - -NTSTATUS NTAPI hkNtQuerySystemInformation( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID Buffer, ULONG Length, PULONG ReturnLength ); - -using NtOpenProcess_ = NTSTATUS( NTAPI* ) ( PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId ); -extern NtOpenProcess_ oNtOpenProcess; - -NTSTATUS NTAPI hkNtOpenProcess( PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId ); - -using NtAllocateVirtualMemory_ = NTSTATUS( NTAPI* )( HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect ); -extern 
NtAllocateVirtualMemory_ oNtAllocateVirtualMemory; - -NTSTATUS NTAPI hkNtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect ); - -using NtFreeVirtualMemory_ = NTSTATUS( NTAPI* )( HANDLE ProcessHandle, PVOID* BaseAddress, PSIZE_T RegionSize, ULONG FreeType ); -extern NtFreeVirtualMemory_ oNtFreeVirtualMemory; - -NTSTATUS NTAPI hkNtFreeVirtualMemory( HANDLE ProcessHandle, PVOID* BaseAddress, PSIZE_T RegionSize, ULONG FreeType ); - -using NtWriteVirtualMemory_ = NTSTATUS( NTAPI* )( HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten ); -extern NtWriteVirtualMemory_ oNtWriteVirtualMemory; - -NTSTATUS NTAPI hkNtWriteVirtualMemory( HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten ); - -using NtDeviceIoControlFile_ = NTSTATUS( NTAPI* )( HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength ); -extern NtDeviceIoControlFile_ oNtDeviceIoControlFile; - -NTSTATUS NTAPI hkNtDeviceIoControlFile( HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength ); - -using NtLoadDriver_ = NTSTATUS( NTAPI* )( PUNICODE_STRING DriverServiceName ); -extern NtLoadDriver_ oNtLoadDriver; - -NTSTATUS NTAPI hkNtLoadDriver( PUNICODE_STRING DriverServiceName ); - -// -// win32k.sys hooks -// -using NtUserWindowFromPoint_ = HWND( NTAPI* )( LONG, LONG ); -extern NtUserWindowFromPoint_ oNtUserWindowFromPoint; - -HWND hkNtUserWindowFromPoint( LONG x, LONG y ); - -using NtUserQueryWindow_ = HANDLE( NTAPI* )( HWND, HANDLE ); -extern NtUserQueryWindow_ oNtUserQueryWindow; - 
-HANDLE hkNtUserQueryWindow( HWND WindowHandle, HANDLE TypeInformation ); - -using NtUserFindWindowEx_ = HWND( NTAPI* )( HWND, HWND, PUNICODE_STRING, PUNICODE_STRING, DWORD ); -extern NtUserFindWindowEx_ oNtUserFindWindowEx; - -HWND NTAPI hkNtUserFindWindowEx( HWND hWndParent, HWND hWndChildAfter, PUNICODE_STRING lpszClass, PUNICODE_STRING lpszWindow, DWORD dwType ); - -using NtUserBuildHwndList_ = NTSTATUS( NTAPI* )( HDESK hdesk, HWND hwndNext, ULONG fEnumChildren, DWORD idThread, UINT cHwndMax, HWND* phwndFirst, ULONG* pcHwndNeeded ); -extern NtUserBuildHwndList_ oNtUserBuildHwndList; - -NTSTATUS NTAPI hkNtUserBuildHwndList( HDESK hdesk, HWND hwndNext, ULONG fEnumChildren, DWORD idThread, UINT cHwndMax, HWND* phwndFirst, ULONG* pcHwndNeeded ); - -using NtUserGetForegroundWindow_ = HWND( NTAPI* )( VOID ); -extern NtUserGetForegroundWindow_ oNtUserGetForegroundWindow; - -HWND NTAPI hkNtUserGetForegroundWindow( VOID ); \ No newline at end of file diff --git a/MasterHide/misc.cpp b/MasterHide/misc.cpp new file mode 100644 index 0000000..9cc64f0 --- /dev/null +++ b/MasterHide/misc.cpp 
@@ -0,0 +1,573 @@ +#include "includes.hpp" + +PUCHAR ntdll = nullptr; +PUCHAR win32u = nullptr; + +namespace masterhide +{ +namespace tools +{ +bool GetProcessName(HANDLE PID, PUNICODE_STRING ProcessImageName) +{ + KAPC_STATE apc{}; + bool bReturn = false; + + if (!ProcessImageName) + return false; + + PEPROCESS Process = nullptr; + auto status = PsLookupProcessByProcessId(PID, &Process); + if (!NT_SUCCESS(status)) + return false; + + KeStackAttachProcess(Process, &apc); + + // + // Credits: iPower + // + wchar_t lpModuleName[MAX_PATH]; + status = ZwQueryVirtualMemory(NtCurrentProcess(), PsGetProcessSectionBaseAddress(Process), + static_cast(2), lpModuleName, sizeof(lpModuleName), NULL); + if (NT_SUCCESS(status)) + { + PUNICODE_STRING pModuleName = (PUNICODE_STRING)lpModuleName; + if (pModuleName->Length > 0) + { + AllocateUnicodeString(ProcessImageName, pModuleName->MaximumLength); + RtlCopyUnicodeString(ProcessImageName, pModuleName); + bReturn = true; + } + } + + KeUnstackDetachProcess(&apc); + ObDereferenceObject(Process); + + return bReturn; +} + +bool GetProcessNameByPEPROCESS(PEPROCESS Process, PUNICODE_STRING ProcessImageName) +{ + KAPC_STATE apc{}; + bool bReturn = false; + bool bAttached = false; + + if (!ProcessImageName) + return false; + + if (Process != PsGetCurrentProcess()) + { + KeStackAttachProcess(Process, &apc); + bAttached = true; + } + + wchar_t lpModuleName[MAX_PATH]; + auto status = ZwQueryVirtualMemory(NtCurrentProcess(), PsGetProcessSectionBaseAddress(Process), + (MEMORY_INFORMATION_CLASS)2, lpModuleName, sizeof(lpModuleName), NULL); + if (NT_SUCCESS(status)) + { + PUNICODE_STRING pModuleName = (PUNICODE_STRING)lpModuleName; + if (pModuleName->Length > 0) + { + AllocateUnicodeString(ProcessImageName, pModuleName->MaximumLength); + RtlCopyUnicodeString(ProcessImageName, pModuleName); + bReturn = true; + } + } + + if (bAttached) + KeUnstackDetachProcess(&apc); + + return bReturn; +} + +PEPROCESS FindPEPROCESSById(PWCH wsName) +{ + if 
(!wsName) + return nullptr; + + for (unsigned i = 4; i < 0xFFFF; i += 0x4) + { + PEPROCESS Process = nullptr; + if (!NT_SUCCESS(PsLookupProcessByProcessId(HANDLE(i), &Process))) + continue; + + UNICODE_STRING wsProcName{}; + if (!GetProcessNameByPEPROCESS(Process, &wsProcName)) + { + ObDereferenceObject(Process); + continue; + } + + if (wsProcName.Buffer && wcsstr(wsProcName.Buffer, wsName)) + return Process; + + ObDereferenceObject(Process); + } + return nullptr; +} + +bool DumpMZ(PUCHAR pImageBase) +{ + __try + { + if (!pImageBase) + { + DBGPRINT("[ DumpMZ ] Invalid image base!\n"); + return false; + } + + ProbeForRead(pImageBase, sizeof(pImageBase), __alignof(pImageBase)); + + PIMAGE_DOS_HEADER dos = PIMAGE_DOS_HEADER(pImageBase); + if (dos->e_magic != IMAGE_DOS_SIGNATURE) + { + DBGPRINT("[ DumpMZ ] Invalid DOS signature!\n"); + return false; + } + + PIMAGE_NT_HEADERS32 nt32 = PIMAGE_NT_HEADERS32(pImageBase + dos->e_lfanew); + if (nt32->Signature != IMAGE_NT_SIGNATURE) + { + DBGPRINT("[ DumpMZ ] Invalid NT signature!\n"); + return false; + } + + ULONG uImageSize = NULL; + + if (nt32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) + { + uImageSize = nt32->OptionalHeader.SizeOfImage; + } + else + { + PIMAGE_NT_HEADERS64 nt64 = PIMAGE_NT_HEADERS64(pImageBase + dos->e_lfanew); + uImageSize = nt64->OptionalHeader.SizeOfImage; + } + + if (KeGetCurrentIrql() != PASSIVE_LEVEL) + { + DBGPRINT("[ DumpMZ ] Curerent IRQL too high for IO operations!\n"); + return false; + } + + DBGPRINT("[ DumpMZ ] ImageBase: 0x%p\n", pImageBase); + DBGPRINT("[ DumpMZ ] ImageSize: 0x%X\n", uImageSize); + + wchar_t wsFilePath[MAX_PATH]{}; + RtlStringCbPrintfW(wsFilePath, sizeof(wsFilePath), L"\\SystemRoot\\Dumped_%p.dll", pImageBase); + + DBGPRINT("[ DumpMZ ] Save Location: %ws\n", wsFilePath); + + UNICODE_STRING wsFinalPath{}; + RtlInitUnicodeString(&wsFinalPath, wsFilePath); + + OBJECT_ATTRIBUTES oa{}; + InitializeObjectAttributes(&oa, &wsFinalPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 
NULL, NULL); + + IO_STATUS_BLOCK io{}; + HANDLE hFile{}; + + auto res = ZwCreateFile(&hFile, GENERIC_WRITE, &oa, &io, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, + FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); + + if (!NT_SUCCESS(res)) + { + DBGPRINT("[ DumpMZ ] ZwCreateFile failed 0x%X\n", res); + return false; + } + + res = ZwWriteFile(hFile, NULL, NULL, NULL, &io, pImageBase, uImageSize, NULL, NULL); + if (!NT_SUCCESS(res)) + { + ZwClose(hFile); + DBGPRINT("[ DumpMZ ] ZwWriteFile failed 0x%X\n", res); + return false; + } + + DBGPRINT("[ DumpMZ ] Dump success!\n"); + ZwClose(hFile); + return false; + } + __except (EXCEPTION_EXECUTE_HANDLER) + { + return false; + } +} + +PIMAGE_SECTION_HEADER GetSectionHeader(const ULONG64 image_base, const char *section_name) +{ + if (!image_base || !section_name) + return nullptr; + + const auto pimage_dos_header = reinterpret_cast(image_base); + const auto pimage_nt_headers = reinterpret_cast(image_base + pimage_dos_header->e_lfanew); + + auto psection = IMAGE_FIRST_SECTION(pimage_nt_headers); + + PIMAGE_SECTION_HEADER psection_hdr = nullptr; + + const auto NumberOfSections = pimage_nt_headers->FileHeader.NumberOfSections; + + for (auto i = 0; i < NumberOfSections; ++i) + { + if (strstr((char *)psection->Name, section_name)) + { + psection_hdr = psection; + break; + } + + ++psection; + } + + return psection_hdr; +} + +bool bDataCompare(const char *pdata, const char *bmask, const char *szmask) +{ + for (; *szmask; ++szmask, ++pdata, ++bmask) + { + if (*szmask == 'x' && *pdata != *bmask) + return false; + } + + return !*szmask; +} + +ULONG64 InternalFindPattern(const ULONG64 base, const ULONG size, const char *bmask, const char *szmask) +{ + for (auto i = 0ul; i < size; ++i) + if (bDataCompare(PCHAR(base + i), bmask, szmask)) + return base + i; + + return 0; +} + +ULONG64 FindPatternKM(const char *szModuleName, const char *szsection, const char *bmask, const char *szmask) +{ + if (!szModuleName || !szsection || !bmask || 
!szmask) + return 0; + + const auto module_base = ULONG64(GetModuleBase(szModuleName)); + + if (!module_base) + return 0; + + const auto psection = GetSectionHeader(module_base, szsection); + + return psection + ? InternalFindPattern(module_base + psection->VirtualAddress, psection->Misc.VirtualSize, bmask, szmask) + : 0; +} + +PVOID GetImageTextSection(const ULONG64 uImageBase, ULONG *ulSectionSize) +{ + if (!uImageBase) + return nullptr; + + const auto pText = GetSectionHeader(uImageBase, ".text"); + if (!pText) + return nullptr; + + if (ulSectionSize) + *ulSectionSize = pText->Misc.VirtualSize; + + return PVOID(uImageBase + pText->VirtualAddress); +} + +PVOID GetNtKernelBase() +{ + return GetModuleBase("\\SystemRoot\\System32\\ntoskrnl.exe"); +} + +PVOID GetModuleBase(const char *szModule) +{ + PSYSTEM_MODULE_INFORMATION pSystemInfoBuffer = nullptr; + ULONG ulBytes = 0; + PVOID pImageBase = nullptr; + + __try + { + auto status = ZwQuerySystemInformation(SystemModuleInformation, 0, ulBytes, &ulBytes); + if (!ulBytes) + { + DBGPRINT("[ GetModuleBase ] ZwQuerySystemInformation failed 0x%X\n", status); + return nullptr; + } + + pSystemInfoBuffer = PSYSTEM_MODULE_INFORMATION(ExAllocatePoolWithTag(PagedPool, ulBytes, TAG)); + if (!pSystemInfoBuffer) + { + DBGPRINT("[ GetModuleBase ] ExAllocatePoolWithTag failed!\n"); + return nullptr; + } + + status = ZwQuerySystemInformation(SystemModuleInformation, pSystemInfoBuffer, ulBytes, &ulBytes); + if (!NT_SUCCESS(status)) + { + DBGPRINT("[ GetModuleBase ] ZwQuerySystemInformation[1] failed 0x%X\n", status); + ExFreePoolWithTag(pSystemInfoBuffer, TAG); + return nullptr; + } + + for (unsigned i = 0; i < pSystemInfoBuffer->ModulesCount; ++i) + { + auto Buff = &pSystemInfoBuffer->Modules[i]; + + if (!_stricmp(Buff->ImageName, szModule)) + { + pImageBase = Buff->Base; + break; + } + } + } + __finally + { + if (pSystemInfoBuffer) + ExFreePoolWithTag(pSystemInfoBuffer, TAG); + } + + return pImageBase; +} + +NTSTATUS 
LoadFile(PUNICODE_STRING FileName, PUCHAR *pImageBase) +{ + if (!FileName) + return STATUS_INVALID_PARAMETER; + + OBJECT_ATTRIBUTES oa{}; + InitializeObjectAttributes(&oa, FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); + + if (KeGetCurrentIrql() != PASSIVE_LEVEL) + { + DBGPRINT("[ LoadFile ] IRQL too high for IO operations!\n"); + return STATUS_UNSUCCESSFUL; + } + + HANDLE FileHandle = NULL; + + IO_STATUS_BLOCK IoStatusBlock{}; + auto res = ZwCreateFile(&FileHandle, GENERIC_READ, &oa, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, + FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); + + if (!NT_SUCCESS(res)) + { + DBGPRINT("[ LoadFile ] ZwCreateFile failed 0x%X\n", res); + return STATUS_UNSUCCESSFUL; + } + + FILE_STANDARD_INFORMATION StandardInformation{}; + res = ZwQueryInformationFile(FileHandle, &IoStatusBlock, &StandardInformation, sizeof(FILE_STANDARD_INFORMATION), + FileStandardInformation); + if (!NT_SUCCESS(res)) + { + DBGPRINT("[ LoadFile ] ZwQueryInformationFile failed 0x%X\n", res); + ZwClose(FileHandle); + return STATUS_UNSUCCESSFUL; + } + + auto FileSize = StandardInformation.EndOfFile.LowPart; + auto FileBuffer = PUCHAR(ExAllocatePoolWithTag(NonPagedPool, FileSize, TAG)); + + if (!FileBuffer) + { + DBGPRINT("[ LoadFile ] ExAllocatePoolWithTag failed\n"); + ZwClose(FileHandle); + return STATUS_SUCCESS; + } + + LARGE_INTEGER li{}; + res = ZwReadFile(FileHandle, NULL, NULL, NULL, &IoStatusBlock, FileBuffer, FileSize, &li, NULL); + if (!NT_SUCCESS(res)) + { + DBGPRINT("[ LoadFile ] ZwReadFile failed 0x%X\n", res); + ExFreePoolWithTag(FileBuffer, TAG); + ZwClose(FileHandle); + return STATUS_SUCCESS; + } + + auto dos = PIMAGE_DOS_HEADER(FileBuffer); + if (dos->e_magic != IMAGE_DOS_SIGNATURE) + { + DBGPRINT("[ LoadFile ] Invalid DOS signature!\n"); + ExFreePoolWithTag(FileBuffer, TAG); + ZwClose(FileHandle); + return STATUS_SUCCESS; + } + + auto nt = PIMAGE_NT_HEADERS64(FileBuffer + dos->e_lfanew); + if (nt->Signature != 
IMAGE_NT_SIGNATURE) + { + DBGPRINT("[ LoadFile ] Invalid NT signature!\n"); + ExFreePoolWithTag(FileBuffer, TAG); + ZwClose(FileHandle); + return STATUS_SUCCESS; + } + + auto Image = PUCHAR(ExAllocatePoolWithTag(NonPagedPool, nt->OptionalHeader.SizeOfImage, TAG)); + if (!Image) + { + DBGPRINT("[ LoadFile ] ExAllocatePoolWithTag[1] failed!\n"); + ExFreePoolWithTag(FileBuffer, TAG); + ZwClose(FileHandle); + return STATUS_SUCCESS; + } + + memcpy(Image, FileBuffer, nt->OptionalHeader.SizeOfHeaders); + + auto pISH = IMAGE_FIRST_SECTION(nt); + for (unsigned i = 0; i < nt->FileHeader.NumberOfSections; i++) + memcpy(Image + pISH[i].VirtualAddress, FileBuffer + pISH[i].PointerToRawData, pISH[i].SizeOfRawData); + + if (pImageBase) + *pImageBase = Image; + + ExFreePoolWithTag(FileBuffer, TAG); + ZwClose(FileHandle); + return STATUS_SUCCESS; +} + +PVOID GetFunctionAddress(PVOID Module, LPCSTR FunctionName) +{ + PIMAGE_DOS_HEADER pIDH; + PIMAGE_NT_HEADERS pINH; + PIMAGE_EXPORT_DIRECTORY pIED; + + PULONG Address, Name; + PUSHORT Ordinal; + + ULONG i; + + pIDH = (PIMAGE_DOS_HEADER)Module; + pINH = (PIMAGE_NT_HEADERS)((PUCHAR)Module + pIDH->e_lfanew); + + pIED = (PIMAGE_EXPORT_DIRECTORY)((PUCHAR)Module + + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + + Address = (PULONG)((PUCHAR)Module + pIED->AddressOfFunctions); + Name = (PULONG)((PUCHAR)Module + pIED->AddressOfNames); + + Ordinal = (PUSHORT)((PUCHAR)Module + pIED->AddressOfNameOrdinals); + + for (i = 0; i < pIED->AddressOfFunctions; i++) + { + if (!strcmp(FunctionName, (char *)Module + Name[i])) + { + return (PVOID)((PUCHAR)Module + Address[Ordinal[i]]); + } + } + + return NULL; +} + +ULONG GetNtSyscall(LPCSTR FunctionName) +{ + if (!ntdll) + { + UNICODE_STRING FileName = RTL_CONSTANT_STRING(L"\\SystemRoot\\System32\\ntdll.dll"); + + auto res = LoadFile(&FileName, &ntdll); + if (!NT_SUCCESS(res)) + DBGPRINT("[ GetNtSyscall ] Failed to load ntdll.dll 0x%X\n", res) + } + + if (ntdll) + { + 
auto Fn = PUCHAR(GetFunctionAddress(ntdll, FunctionName)); + if (Fn) + { + for (int i = 0; i < 24; ++i) + { + if (Fn[i] == 0xC2 || Fn[i] == 0xC3) + break; + + if (Fn[i] == 0xB8) + return *(PULONG)(Fn + i + 1); + } + } + } + return 0; +} + +ULONG GetWin32Syscall(LPCSTR FunctionName) +{ + if (!win32u) + { + UNICODE_STRING FileName = RTL_CONSTANT_STRING(L"\\SystemRoot\\System32\\win32u.dll"); + + auto res = LoadFile(&FileName, &win32u); + if (!NT_SUCCESS(res)) + DBGPRINT("[ GetWin32Syscall ] Failed to load win32u.dll 0x%X\n", res) + } + + if (win32u) + { + auto Fn = PUCHAR(GetFunctionAddress(win32u, FunctionName)); + if (Fn) + { + for (int i = 0; i < 24; ++i) + { + if (Fn[i] == 0xC2 || Fn[i] == 0xC3) + break; + + if (Fn[i] == 0xB8) + return *(PULONG)(Fn + i + 1); + } + } + } + return 0; +} + +void UnloadImages() +{ + if (ntdll) + ExFreePoolWithTag(ntdll, TAG); + + if (win32u) + ExFreePoolWithTag(win32u, TAG); +} +}; // namespace tools +}; // namespace masterhide + +namespace masterhide +{ +namespace utils +{ +KIRQL WPOFF() +{ + KIRQL Irql = KeRaiseIrqlToDpcLevel(); + UINT_PTR cr0 = __readcr0(); + + cr0 &= ~0x10000; + __writecr0(cr0); + _disable(); + + return Irql; +} + +void WPON(KIRQL Irql) +{ + UINT_PTR cr0 = __readcr0(); + + cr0 |= 0x10000; + _enable(); + __writecr0(cr0); + + KeLowerIrql(Irql); +} + +const PUCHAR FindCodeCave(PUCHAR Code, ULONG ulCodeSize, size_t CaveLength) +{ + for (unsigned i = 0, j = 0; i < ulCodeSize; i++) + { + if (Code[i] == 0x90 || Code[i] == 0xCC) + j++; + else + j = 0; + + if (j == CaveLength) + return PUCHAR((ULONG_PTR)Code + i - CaveLength + 1); + } + return nullptr; +} +} // namespace utils +}; // namespace masterhide \ No newline at end of file diff --git a/MasterHide/misc.hpp b/MasterHide/misc.hpp new file mode 100644 index 0000000..0bb35d1 --- /dev/null +++ b/MasterHide/misc.hpp 
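Review bot: `GetFunctionAddress` loops with `for (i = 0; i < pIED->AddressOfFunctions; i++)`, but `AddressOfFunctions` is an RVA, not an element count, so `Name[i]` and `Ordinal[i]` are read far past the export tables; the bound should be `pIED->NumberOfNames`, and `Ordinal[i]` should be checked against `pIED->NumberOfFunctions` before it indexes `Address`. `LoadFile` returns `STATUS_SUCCESS` from every failure path after `ZwCreateFile` (pool-allocation failure, `ZwReadFile` failure, bad DOS/NT signature), so `GetNtSyscall`/`GetWin32Syscall` cannot tell a failed load from a successful one — those paths should return `STATUS_INSUFFICIENT_RESOURCES`, `STATUS_UNSUCCESSFUL` or `STATUS_INVALID_IMAGE_FORMAT` — and the section copy `memcpy(Image + pISH[i].VirtualAddress, FileBuffer + pISH[i].PointerToRawData, pISH[i].SizeOfRawData)` trusts on-disk headers without checking `e_lfanew`, `SizeOfHeaders`, `VirtualAddress + SizeOfRawData` against `SizeOfImage` or `PointerToRawData + SizeOfRawData` against `FileSize`, so a malformed or truncated file becomes an out-of-bounds write into NonPagedPool. `InternalFindPattern` runs `bDataCompare` for every `i < size`, so the last `strlen(szmask) - 1` iterations read past the end of the section; the loop should stop at `size - strlen(szmask)` (and return 0 when `size` is smaller than the mask). `DumpMZ` ends with `DBGPRINT("[ DumpMZ ] Dump success!\n"); ZwClose(hFile); return false;` where the success path should `return true;`. `FindPEPROCESSById` never calls `FreeUnicodeString(&wsProcName)` on the buffer that `GetProcessNameByPEPROCESS` allocates through `AllocateUnicodeString`, leaking one pool block per enumerated process on every call, and `wcsstr` on that buffer assumes a NUL terminator that `RtlCopyUnicodeString` does not guarantee.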
@@ -0,0 +1,97 @@ +#pragma once + +#define SYSCALL_INDEX(a) (*(PULONG)((PUCHAR)a + 1)) + +inline void AllocateUnicodeString(PUNICODE_STRING us, USHORT Size) +{ + if (!us) + return; + + __try + { + us->Length = 0; + us->MaximumLength = 0; + us->Buffer = PWSTR(ExAllocatePoolWithTag(NonPagedPool, Size, TAG)); + if (us->Buffer) + { + us->Length = 0; + us->MaximumLength = Size; + } + } + __except (EXCEPTION_EXECUTE_HANDLER) + { + } +} + +inline void FreeUnicodeString(PUNICODE_STRING us) +{ + if (!us) + return; + + __try + { + if (us->MaximumLength > 0 && us->Buffer) + ExFreePoolWithTag(us->Buffer, TAG); + + us->Length = 0; + us->MaximumLength = 0; + } + __except (EXCEPTION_EXECUTE_HANDLER) + { + } +} + +namespace masterhide +{ +namespace utils +{ +extern KIRQL WPOFF(); +extern void WPON(KIRQL Irql); +extern const PUCHAR FindCodeCave(PUCHAR Code, ULONG ulCodeSize, size_t CaveLength); +} // namespace utils +}; // namespace masterhide + +namespace masterhide +{ +namespace tools +{ +// +// Tools +// +extern ULONG64 FindPatternKM(const char *szModuleName, const char *szsection, const char *bmask, const char *szmask); +extern bool GetProcessName(HANDLE PID, PUNICODE_STRING wsProcessName); +extern bool GetProcessNameByPEPROCESS(PEPROCESS Process, PUNICODE_STRING ProcessImageName); +extern PVOID GetNtKernelBase(); +extern PVOID GetModuleBase(const char *szModule); +extern PEPROCESS FindPEPROCESSById(PWCH wsName); + +inline void SwapEndianness(PCHAR ptr, size_t size) +{ + struct u16 + { + UCHAR high; + UCHAR low; + }; + + for (u16 *pStruct = (u16 *)ptr; pStruct < (u16 *)ptr + size / 2; pStruct++) + { + auto tmp = pStruct->low; + pStruct->low = pStruct->high; + pStruct->high = tmp; + } +} + +// +// Helpers +// +extern ULONG GetNtSyscall(LPCSTR FunctionName); +extern ULONG GetWin32Syscall(LPCSTR FunctionName); +extern PVOID GetImageTextSection(const ULONG64 uImageBase, ULONG *ulSectionSize); + +// +// Misc +// +extern bool DumpMZ(PUCHAR pImageBase); +extern void UnloadImages(); +} 
// namespace tools +} // namespace masterhide \ No newline at end of file diff --git a/MasterHide/shadow_ssdt.cpp b/MasterHide/shadow_ssdt.cpp index 1bad560..129f345 100644 --- a/MasterHide/shadow_ssdt.cpp +++ b/MasterHide/shadow_ssdt.cpp 
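Review bot: `FreeUnicodeString` frees `us->Buffer` but leaves the pointer in place, so a second call on the same `UNICODE_STRING` (or a `FreeUnicodeString` after the struct is reused) double-frees pool; add `us->Buffer = nullptr;` right after the `ExFreePoolWithTag`, and with `MaximumLength` reset to 0 the existing guard then also makes the call idempotent. The `__try/__except` blocks in both helpers only cover the `us->` dereferences, which are the caller's pointer — `ExAllocatePoolWithTag` returns NULL rather than raising on a plain pool failure — so a comment stating which exception they are meant to absorb would help, otherwise they read as hiding a bad argument. `SYSCALL_INDEX(a)` reads a 32-bit value at `a + 1` without checking the byte at `a`; `GetNtSyscall` and `GetWin32Syscall` in misc.cpp do the equivalent read inline after scanning for the opcode instead of using the macro, so either make them use it or document that the macro assumes the caller has already validated the pointer. `const PUCHAR FindCodeCave(...)` is a top-level const on a return value, which the compiler ignores; `PUCHAR FindCodeCave(...)` (here and in the definition in misc.cpp) expresses the same contract without the misleading qualifier.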
@@ -1,402 +1,417 @@ -#include "stdafx.h" +#include "includes.hpp" PSYSTEM_SERVICE_TABLE g_KeServiceDescriptorTableShadow = NULL; -HANDLE hCsrssPID = HANDLE( -1 ); +HANDLE hCsrssPID = HANDLE(-1); ULONGLONG GetKeServiceDescriptorTableShadow64() { - PUCHAR StartSearchAddress = ( PUCHAR )__readmsr( 0xC0000082 ); - PUCHAR EndSearchAddress = StartSearchAddress + 0x500; - PUCHAR i = NULL; - UCHAR b1 = 0, b2 = 0, b3 = 0; - ULONG templong = 0; - ULONGLONG addr = 0; - for ( i = StartSearchAddress; i < EndSearchAddress; i++ ) - { - if ( MmIsAddressValid( i ) && MmIsAddressValid( i + 1 ) && MmIsAddressValid( i + 2 ) ) - { - b1 = *i; - b2 = *( i + 1 ); - b3 = *( i + 2 ); - if ( b1 == 0x4c && b2 == 0x8d && b3 == 0x1d ) - { - memcpy( &templong, i + 3, 4 ); - addr = ( ULONGLONG )templong + ( ULONGLONG )i + 7; - return addr; - } - } - } - return 0; + PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082); + PUCHAR EndSearchAddress = StartSearchAddress + 0x500; + PUCHAR i = NULL; + UCHAR b1 = 0, b2 = 0, b3 = 0; + ULONG templong = 0; + ULONGLONG addr = 0; + for (i = StartSearchAddress; i < EndSearchAddress; i++) + { + if (MmIsAddressValid(i) && MmIsAddressValid(i + 1) && MmIsAddressValid(i + 2)) + { + b1 = *i; + b2 = *(i + 1); + b3 = *(i + 2); + if (b1 == 0x4c && b2 == 0x8d && b3 == 0x1d) + { + memcpy(&templong, i + 3, 4); + addr = (ULONGLONG)templong + (ULONGLONG)i + 7; + return addr; + } + } + } + return 0; } -ULONGLONG GetSSSDTFuncCurAddr64( ULONG64 Index ) +ULONGLONG GetSSSDTFuncCurAddr64(ULONG64 Index) { - ULONGLONG W32pServiceTable = 0, qwTemp = 0; - LONG dwTemp = 0; - W32pServiceTable = ( ULONGLONG )( g_KeServiceDescriptorTableShadow->ServiceTableBase ); - qwTemp = W32pServiceTable + 4 * ( Index - 0x1000 ); - dwTemp = *( PLONG )qwTemp; - dwTemp = dwTemp >> 4; - qwTemp = W32pServiceTable + ( LONG64 )dwTemp; - return qwTemp; + ULONGLONG W32pServiceTable = 0, qwTemp = 0; + LONG dwTemp = 0; + W32pServiceTable = (ULONGLONG)(g_KeServiceDescriptorTableShadow->ServiceTableBase); + 
qwTemp = W32pServiceTable + 4 * (Index - 0x1000); + dwTemp = *(PLONG)qwTemp; + dwTemp = dwTemp >> 4; + qwTemp = W32pServiceTable + (LONG64)dwTemp; + return qwTemp; } -bool HookSSSDT( PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID* pOldFunction, ULONG SyscallNum ) +bool HookSSSDT(PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID *pOldFunction, ULONG SyscallNum) { - if ( !pNewFunction || !pOldFunction || SyscallNum <= 0 ) - return false; - - ULONGLONG W32pServiceTable = 0, qwTemp = 0; - LONG dwTemp = 0; - KIRQL irql; - - // - // Log the Syscall number that we're hooking - // - DBGPRINT( "[ HookSSSDT ] Syscall: 0x%X\n", SyscallNum ); - - // - // Log the Original function address - // - *pOldFunction = PVOID( GetSSSDTFuncCurAddr64( SyscallNum ) ); - DBGPRINT( "[ HookSSSDT ] Original: 0x%p\n", *pOldFunction ); - - *( PULONG64 )( jmp_trampoline + 3 ) = ULONG64( pNewFunction ); - - // - // Find a suitable code cave inside the module .text section that we can use to trampoline to our hook - // - auto pCodeCave = utils::FindCodeCave( pCode, ulCodeSize, sizeof( jmp_trampoline ) ); - if ( !pCodeCave ) - { - DBGPRINT( "[ HookSSSDT ] Failed to find a suitable code cave.\n" ); - return false; - } - - DBGPRINT( "[ HookSSSDT ] Code Cave: 0x%p\n", pCodeCave ); - - // - // Change page protection - // - auto Mdl = IoAllocateMdl( pCodeCave, sizeof( jmp_trampoline ), 0, 0, NULL ); - if ( Mdl == NULL ) - { - DBGPRINT( "[ HookSSSDT ] IoAllocateMdl failed!\n" ); - return false; - } - - MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess ); - - auto Mapping = MmMapLockedPagesSpecifyCache( Mdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority ); - if ( Mapping == NULL ) - { - MmUnlockPages( Mdl ); - IoFreeMdl( Mdl ); - DBGPRINT( "[ HookSSSDT ] MmMapLockedPagesSpecifyCache failed!\n" ); - return false; - } - - // - // Modify SSSDT table - // - irql = utils::WPOFF(); - - RtlCopyMemory( Mapping, jmp_trampoline, sizeof( jmp_trampoline ) ); - - W32pServiceTable = ( 
ULONGLONG )( g_KeServiceDescriptorTableShadow->ServiceTableBase ); - qwTemp = W32pServiceTable + 4 * ( SyscallNum - 0x1000 ); - dwTemp = ( LONG )( ( ULONG64 )pCodeCave - W32pServiceTable ); - dwTemp = dwTemp << 4; - - *( PLONG )qwTemp = dwTemp; - - utils::WPON( irql ); - - // - // Restore protection - // - MmUnmapLockedPages( Mapping, Mdl ); - MmUnlockPages( Mdl ); - IoFreeMdl( Mdl ); - - return true; + if (!pNewFunction || !pOldFunction || SyscallNum <= 0) + return false; + + ULONGLONG W32pServiceTable = 0, qwTemp = 0; + LONG dwTemp = 0; + KIRQL irql; + + // + // Log the Syscall number that we're hooking + // + DBGPRINT("[ HookSSSDT ] Syscall: 0x%X\n", SyscallNum); + + // + // Log the Original function address + // + *pOldFunction = PVOID(GetSSSDTFuncCurAddr64(SyscallNum)); + DBGPRINT("[ HookSSSDT ] Original: 0x%p\n", *pOldFunction); + + *(PULONG64)(jmp_trampoline + 3) = ULONG64(pNewFunction); + + // + // Find a suitable code cave inside the module .text section that we can use to trampoline to our hook + // + auto pCodeCave = utils::FindCodeCave(pCode, ulCodeSize, sizeof(jmp_trampoline)); + if (!pCodeCave) + { + DBGPRINT("[ HookSSSDT ] Failed to find a suitable code cave.\n"); + return false; + } + + DBGPRINT("[ HookSSSDT ] Code Cave: 0x%p\n", pCodeCave); + + // + // Change page protection + // + auto Mdl = IoAllocateMdl(pCodeCave, sizeof(jmp_trampoline), 0, 0, NULL); + if (Mdl == NULL) + { + DBGPRINT("[ HookSSSDT ] IoAllocateMdl failed!\n"); + return false; + } + + MmProbeAndLockPages(Mdl, KernelMode, IoWriteAccess); + + auto Mapping = MmMapLockedPagesSpecifyCache(Mdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority); + if (Mapping == NULL) + { + MmUnlockPages(Mdl); + IoFreeMdl(Mdl); + DBGPRINT("[ HookSSSDT ] MmMapLockedPagesSpecifyCache failed!\n"); + return false; + } + + // + // Modify SSSDT table + // + irql = utils::WPOFF(); + + RtlCopyMemory(Mapping, jmp_trampoline, sizeof(jmp_trampoline)); + + W32pServiceTable = 
(ULONGLONG)(g_KeServiceDescriptorTableShadow->ServiceTableBase); + qwTemp = W32pServiceTable + 4 * (SyscallNum - 0x1000); + dwTemp = (LONG)((ULONG64)pCodeCave - W32pServiceTable); + dwTemp = dwTemp << 4; + + *(PLONG)qwTemp = dwTemp; + + utils::WPON(irql); + + // + // Restore protection + // + MmUnmapLockedPages(Mapping, Mdl); + MmUnlockPages(Mdl); + IoFreeMdl(Mdl); + + return true; } -bool UnhookSSSDT( PVOID pFunction, ULONG SyscallNum ) +bool UnhookSSSDT(PVOID pFunction, ULONG SyscallNum) { - if ( !pFunction || SyscallNum <= 0 ) - return false; + if (!pFunction || SyscallNum <= 0) + return false; - ULONGLONG W32pServiceTable = 0, qwTemp = 0; - LONG dwTemp = 0; - KIRQL irql; + ULONGLONG W32pServiceTable = 0, qwTemp = 0; + LONG dwTemp = 0; + KIRQL irql; - irql = utils::WPOFF(); + irql = utils::WPOFF(); - W32pServiceTable = ( ULONGLONG )( g_KeServiceDescriptorTableShadow->ServiceTableBase ); - qwTemp = W32pServiceTable + 4 * ( SyscallNum - 0x1000 ); - dwTemp = ( LONG )( ( ULONG64 )pFunction - W32pServiceTable ); - dwTemp = dwTemp << 4; + W32pServiceTable = (ULONGLONG)(g_KeServiceDescriptorTableShadow->ServiceTableBase); + qwTemp = W32pServiceTable + 4 * (SyscallNum - 0x1000); + dwTemp = (LONG)((ULONG64)pFunction - W32pServiceTable); + dwTemp = dwTemp << 4; - *( PLONG )qwTemp = dwTemp; + *(PLONG)qwTemp = dwTemp; - utils::WPON( irql ); + utils::WPON(irql); - return true; + return true; } PSYSTEM_HANDLE_INFORMATION_EX GetSystemHandleInformation() { - PSYSTEM_HANDLE_INFORMATION_EX pSHInfo = NULL; - NTSTATUS Status = STATUS_NO_MEMORY; - ULONG SMInfoLen = 0x1000; - - do - { - pSHInfo = ( PSYSTEM_HANDLE_INFORMATION_EX )ExAllocatePoolWithTag( PagedPool, SMInfoLen, TAG ); - if ( !pSHInfo ) - break; - - Status = ZwQuerySystemInformation( SystemHandleInformation, pSHInfo, SMInfoLen, &SMInfoLen ); - if ( !NT_SUCCESS( Status ) ) - { - ExFreePoolWithTag( pSHInfo, TAG ); - pSHInfo = NULL; - } - } while ( Status == STATUS_INFO_LENGTH_MISMATCH ); - - return pSHInfo; + 
PSYSTEM_HANDLE_INFORMATION_EX pSHInfo = NULL; + NTSTATUS Status = STATUS_NO_MEMORY; + ULONG SMInfoLen = 0x1000; + + do + { + pSHInfo = (PSYSTEM_HANDLE_INFORMATION_EX)ExAllocatePoolWithTag(PagedPool, SMInfoLen, TAG); + if (!pSHInfo) + break; + + Status = ZwQuerySystemInformation(SystemHandleInformation, pSHInfo, SMInfoLen, &SMInfoLen); + if (!NT_SUCCESS(Status)) + { + ExFreePoolWithTag(pSHInfo, TAG); + pSHInfo = NULL; + } + } while (Status == STATUS_INFO_LENGTH_MISMATCH); + + return pSHInfo; } HANDLE GetCsrssPid() { - HANDLE CsrId = ( HANDLE )0; - PSYSTEM_HANDLE_INFORMATION_EX pHandles = GetSystemHandleInformation(); - if ( pHandles ) - { - unsigned i; - for ( i = 0; i < pHandles->NumberOfHandles && !CsrId; i++ ) - { - OBJECT_ATTRIBUTES obj; CLIENT_ID cid; - HANDLE Process, hObject; - InitializeObjectAttributes( &obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL ); - cid.UniqueProcess = ( HANDLE )pHandles->Information[ i ].ProcessId; - cid.UniqueThread = 0; - - auto res = ZwOpenProcess( &Process, PROCESS_DUP_HANDLE, &obj, &cid ); - if ( NT_SUCCESS( res ) ) - { - res = ZwDuplicateObject( Process, ( PHANDLE )( pHandles->Information[ i ].Handle ), NtCurrentProcess(), &hObject, 0, FALSE, DUPLICATE_SAME_ACCESS ); - if ( NT_SUCCESS( res ) ) - { - UCHAR Buff[ 0x200 ]; - POBJECT_NAME_INFORMATION ObjName = ( POBJECT_NAME_INFORMATION )&Buff; - - res = ZwQueryObject( hObject, ObjectTypeInformation, ObjName, sizeof( Buff ), NULL ); - if ( NT_SUCCESS( res ) ) - { - if ( ObjName->Name.Buffer && ( !wcsncmp( L"Port", ObjName->Name.Buffer, 4 ) || !wcsncmp( L"ALPC Port", ObjName->Name.Buffer, 9 ) ) ) - { - res = ZwQueryObject( hObject, ( OBJECT_INFORMATION_CLASS )1, ObjName, sizeof( Buff ), NULL ); - if ( NT_SUCCESS( res ) ) - { - if ( ObjName->Name.Buffer && !wcsncmp( L"\\Windows\\ApiPort", ObjName->Name.Buffer, 20 ) ) - CsrId = ( HANDLE )pHandles->Information[ i ].ProcessId; - } - } - } - else - DBGPRINT( "[ GetCsr ] ZwQueryObject failed 0x%X\n", res ); - - ZwClose( hObject ); - } - else if 
( res != STATUS_NOT_SUPPORTED ) - DBGPRINT( "[ GetCsr ] ZwDuplicateObject failed 0x%X\n", res ); - - ZwClose( Process ); - } - else - DBGPRINT( "[ GetCsr ] NtOpenProcess failed 0x%X\n", res ); - } - ExFreePoolWithTag( pHandles, TAG ); - } - return CsrId; + HANDLE CsrId = (HANDLE)0; + PSYSTEM_HANDLE_INFORMATION_EX pHandles = GetSystemHandleInformation(); + if (pHandles) + { + unsigned i; + for (i = 0; i < pHandles->NumberOfHandles && !CsrId; i++) + { + OBJECT_ATTRIBUTES obj; + CLIENT_ID cid; + HANDLE Process, hObject; + InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); + cid.UniqueProcess = (HANDLE)pHandles->Information[i].ProcessId; + cid.UniqueThread = 0; + + auto res = ZwOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid); + if (NT_SUCCESS(res)) + { + res = ZwDuplicateObject(Process, (PHANDLE)(pHandles->Information[i].Handle), NtCurrentProcess(), + &hObject, 0, FALSE, DUPLICATE_SAME_ACCESS); + if (NT_SUCCESS(res)) + { + UCHAR Buff[0x200]; + POBJECT_NAME_INFORMATION ObjName = (POBJECT_NAME_INFORMATION)&Buff; + + res = ZwQueryObject(hObject, ObjectTypeInformation, ObjName, sizeof(Buff), NULL); + if (NT_SUCCESS(res)) + { + if (ObjName->Name.Buffer && (!wcsncmp(L"Port", ObjName->Name.Buffer, 4) || + !wcsncmp(L"ALPC Port", ObjName->Name.Buffer, 9))) + { + res = ZwQueryObject(hObject, (OBJECT_INFORMATION_CLASS)1, ObjName, sizeof(Buff), NULL); + if (NT_SUCCESS(res)) + { + if (ObjName->Name.Buffer && !wcsncmp(L"\\Windows\\ApiPort", ObjName->Name.Buffer, 20)) + CsrId = (HANDLE)pHandles->Information[i].ProcessId; + } + } + } + else + DBGPRINT("[ GetCsr ] ZwQueryObject failed 0x%X\n", res); + + ZwClose(hObject); + } + else if (res != STATUS_NOT_SUPPORTED) + DBGPRINT("[ GetCsr ] ZwDuplicateObject failed 0x%X\n", res); + + ZwClose(Process); + } + else + DBGPRINT("[ GetCsr ] NtOpenProcess failed 0x%X\n", res); + } + ExFreePoolWithTag(pHandles, TAG); + } + return CsrId; } void sssdt::Init() { #ifndef USE_KASPERSKY - g_KeServiceDescriptorTableShadow = 
PSYSTEM_SERVICE_TABLE( GetKeServiceDescriptorTableShadow64() + sizeof( SYSTEM_SERVICE_TABLE ) ); - DBGPRINT( "KeServiceDescriptorTableShadow: 0x%p\n", g_KeServiceDescriptorTableShadow ); - - if ( !g_KeServiceDescriptorTableShadow ) - return; - - auto W32pServiceTable = PULONG( g_KeServiceDescriptorTableShadow->ServiceTableBase ); - DBGPRINT( "KeServiceDescriptorTableShadow->ServiceTableBase: 0x%p\n", W32pServiceTable ); - - if ( !W32pServiceTable ) - return; - - DBGPRINT( "KeServiceDescriptorTableShadow->NumberOfServices: %lld\n", g_KeServiceDescriptorTableShadow->NumberOfServices ); - - auto Csrss = GetCsrssPid(); - - PEPROCESS Process = nullptr; - auto res = PsLookupProcessByProcessId( Csrss, &Process ); - if ( !NT_SUCCESS( res ) ) - { - DBGPRINT( "[ ShadowSSDT ] PsLookupProcessByProcessId failed 0x%X\n", res ); - return; - } - - // - // Save csrss.exe PID for later - // - hCsrssPID = Csrss; - - KAPC_STATE apc{ }; - KeStackAttachProcess( Process, &apc ); - - auto win32k = ULONG64( tools::GetModuleBase( "\\SystemRoot\\System32\\win32k.sys" ) ); - DBGPRINT( "win32k: 0x%llx\n", win32k ); - if ( !win32k ) - return; - - ULONG ulCodeSize = 0; - auto pCode = PUCHAR( tools::GetImageTextSection( win32k, &ulCodeSize ) ); - if ( pCode ) - { - DBGPRINT( "win32k.sys .text section 0x%p\n", pCode ); - - if ( HookSSSDT( pCode, ulCodeSize, &hkNtUserQueryWindow, reinterpret_cast< PVOID* >( &oNtUserQueryWindow ), SYSCALL_NTUSERQUERYWND ) ) - { - DBGPRINT( "NtUserQueryWindow hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtUserQueryWindow!\n" ); - - if ( HookSSSDT( pCode, ulCodeSize, &hkNtUserFindWindowEx, reinterpret_cast< PVOID* >( &oNtUserFindWindowEx ), SYSCALL_NTUSERFINDWNDEX ) ) - { - DBGPRINT( "NtUserFindWindowEx hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtUserFindWindowEx!\n" ); - - if ( HookSSSDT( pCode, ulCodeSize, &hkNtUserWindowFromPoint, reinterpret_cast< PVOID* >( &oNtUserWindowFromPoint ), SYSCALL_NTUSERWNDFROMPOINT ) ) - { - 
DBGPRINT( "NtUserWindowFromPoint hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtUserWindowFromPoint!\n" ); - - if ( HookSSSDT( pCode, ulCodeSize, &hkNtUserBuildHwndList, reinterpret_cast< PVOID* >( &oNtUserBuildHwndList ), SYSCALL_NTUSERBUILDWNDLIST ) ) - { - DBGPRINT( "NtUserBuildHwndList hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtUserBuildHwndList!\n" ); - - if ( HookSSSDT( pCode, ulCodeSize, &hkNtUserGetForegroundWindow, reinterpret_cast< PVOID* >( &oNtUserGetForegroundWindow ), SYSCALL_NTGETFOREGROUNDWND ) ) - { - DBGPRINT( "NtUserGetForegroundWindow hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtUserGetForegroundWindow!\n" ); - } - - KeUnstackDetachProcess( &apc ); - ObDereferenceObject( Process ); + g_KeServiceDescriptorTableShadow = + PSYSTEM_SERVICE_TABLE(GetKeServiceDescriptorTableShadow64() + sizeof(SYSTEM_SERVICE_TABLE)); + DBGPRINT("KeServiceDescriptorTableShadow: 0x%p\n", g_KeServiceDescriptorTableShadow); + + if (!g_KeServiceDescriptorTableShadow) + return; + + auto W32pServiceTable = PULONG(g_KeServiceDescriptorTableShadow->ServiceTableBase); + DBGPRINT("KeServiceDescriptorTableShadow->ServiceTableBase: 0x%p\n", W32pServiceTable); + + if (!W32pServiceTable) + return; + + DBGPRINT("KeServiceDescriptorTableShadow->NumberOfServices: %lld\n", + g_KeServiceDescriptorTableShadow->NumberOfServices); + + auto Csrss = GetCsrssPid(); + + PEPROCESS Process = nullptr; + auto res = PsLookupProcessByProcessId(Csrss, &Process); + if (!NT_SUCCESS(res)) + { + DBGPRINT("[ ShadowSSDT ] PsLookupProcessByProcessId failed 0x%X\n", res); + return; + } + + // + // Save csrss.exe PID for later + // + hCsrssPID = Csrss; + + KAPC_STATE apc{}; + KeStackAttachProcess(Process, &apc); + + auto win32k = ULONG64(tools::GetModuleBase("\\SystemRoot\\System32\\win32k.sys")); + DBGPRINT("win32k: 0x%llx\n", win32k); + if (!win32k) + return; + + ULONG ulCodeSize = 0; + auto pCode = PUCHAR(tools::GetImageTextSection(win32k, 
&ulCodeSize)); + if (pCode) + { + DBGPRINT("win32k.sys .text section 0x%p\n", pCode); + + if (HookSSSDT(pCode, ulCodeSize, &hkNtUserQueryWindow, reinterpret_cast(&oNtUserQueryWindow), + SYSCALL_NTUSERQUERYWND)) + { + DBGPRINT("NtUserQueryWindow hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtUserQueryWindow!\n"); + + if (HookSSSDT(pCode, ulCodeSize, &hkNtUserFindWindowEx, reinterpret_cast(&oNtUserFindWindowEx), + SYSCALL_NTUSERFINDWNDEX)) + { + DBGPRINT("NtUserFindWindowEx hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtUserFindWindowEx!\n"); + + if (HookSSSDT(pCode, ulCodeSize, &hkNtUserWindowFromPoint, reinterpret_cast(&oNtUserWindowFromPoint), + SYSCALL_NTUSERWNDFROMPOINT)) + { + DBGPRINT("NtUserWindowFromPoint hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtUserWindowFromPoint!\n"); + + if (HookSSSDT(pCode, ulCodeSize, &hkNtUserBuildHwndList, reinterpret_cast(&oNtUserBuildHwndList), + SYSCALL_NTUSERBUILDWNDLIST)) + { + DBGPRINT("NtUserBuildHwndList hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtUserBuildHwndList!\n"); + + if (HookSSSDT(pCode, ulCodeSize, &hkNtUserGetForegroundWindow, + reinterpret_cast(&oNtUserGetForegroundWindow), SYSCALL_NTGETFOREGROUNDWND)) + { + DBGPRINT("NtUserGetForegroundWindow hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtUserGetForegroundWindow!\n"); + } + + KeUnstackDetachProcess(&apc); + ObDereferenceObject(Process); #else - if ( kaspersky::hook_shadow_ssdt_routine( SYSCALL_NTUSERQUERYWND, hkNtUserQueryWindow, reinterpret_cast< PVOID* >( &oNtUserQueryWindow ) ) ) - { - DBGPRINT( "NtUserQueryWindow ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERQUERYWND ); - } - else - DBGPRINT( "Failed to hook NtUserQueryWindow!\n" ); - - if ( kaspersky::hook_shadow_ssdt_routine( SYSCALL_NTUSERFINDWNDEX, hkNtUserFindWindowEx, reinterpret_cast< PVOID* >( &oNtUserFindWindowEx ) ) ) - { - DBGPRINT( "NtUserFindWindowEx ( 0x%X ) hooked successfully!\n", 
SYSCALL_NTUSERFINDWNDEX ); - } - else - DBGPRINT( "Failed to hook NtUserFindWindowEx!\n" ); - - if ( kaspersky::hook_shadow_ssdt_routine( SYSCALL_NTUSERWNDFROMPOINT, hkNtUserWindowFromPoint, reinterpret_cast< PVOID* >( &oNtUserWindowFromPoint ) ) ) - { - DBGPRINT( "NtUserWindowFromPoint ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERWNDFROMPOINT ); - } - else - DBGPRINT( "Failed to hook NtUserWindowFromPoint!\n" ); - - if ( kaspersky::hook_shadow_ssdt_routine( SYSCALL_NTUSERBUILDWNDLIST, hkNtUserBuildHwndList, reinterpret_cast< PVOID* >( &oNtUserBuildHwndList ) ) ) - { - DBGPRINT( "NtUserBuildHwndList ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERBUILDWNDLIST ); - } - else - DBGPRINT( "Failed to hook NtUserBuildHwndList!\n" ); - - if ( kaspersky::hook_shadow_ssdt_routine( SYSCALL_NTGETFOREGROUNDWND, hkNtUserGetForegroundWindow, reinterpret_cast< PVOID* >( &oNtUserGetForegroundWindow ) ) ) - { - DBGPRINT( "NtUserGetForegroundWindow ( 0x%X ) hooked successfully!\n", SYSCALL_NTGETFOREGROUNDWND ); - } - else - DBGPRINT( "Failed to hook NtUserGetForegroundWindow!\n" ); + if (kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTUSERQUERYWND, hkNtUserQueryWindow, + reinterpret_cast(&oNtUserQueryWindow))) + { + DBGPRINT("NtUserQueryWindow ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERQUERYWND); + } + else + DBGPRINT("Failed to hook NtUserQueryWindow!\n"); + + if (kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTUSERFINDWNDEX, hkNtUserFindWindowEx, + reinterpret_cast(&oNtUserFindWindowEx))) + { + DBGPRINT("NtUserFindWindowEx ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERFINDWNDEX); + } + else + DBGPRINT("Failed to hook NtUserFindWindowEx!\n"); + + if (kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTUSERWNDFROMPOINT, hkNtUserWindowFromPoint, + reinterpret_cast(&oNtUserWindowFromPoint))) + { + DBGPRINT("NtUserWindowFromPoint ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERWNDFROMPOINT); + } + else + DBGPRINT("Failed to hook NtUserWindowFromPoint!\n"); + + if 
(kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTUSERBUILDWNDLIST, hkNtUserBuildHwndList, + reinterpret_cast(&oNtUserBuildHwndList))) + { + DBGPRINT("NtUserBuildHwndList ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERBUILDWNDLIST); + } + else + DBGPRINT("Failed to hook NtUserBuildHwndList!\n"); + + if (kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTGETFOREGROUNDWND, hkNtUserGetForegroundWindow, + reinterpret_cast(&oNtUserGetForegroundWindow))) + { + DBGPRINT("NtUserGetForegroundWindow ( 0x%X ) hooked successfully!\n", SYSCALL_NTGETFOREGROUNDWND); + } + else + DBGPRINT("Failed to hook NtUserGetForegroundWindow!\n"); #endif } void sssdt::Destroy() { #ifndef USE_KASPERSKY - if ( !g_KeServiceDescriptorTableShadow ) - return; + if (!g_KeServiceDescriptorTableShadow) + return; - PEPROCESS Process = nullptr; - auto res = PsLookupProcessByProcessId( hCsrssPID, &Process ); - if ( !NT_SUCCESS( res ) ) - { - DBGPRINT( "[ DestroyShadowSSDT ] PsLookupProcessByProcessId failed 0x%X\n", res ); - return; - } + PEPROCESS Process = nullptr; + auto res = PsLookupProcessByProcessId(hCsrssPID, &Process); + if (!NT_SUCCESS(res)) + { + DBGPRINT("[ DestroyShadowSSDT ] PsLookupProcessByProcessId failed 0x%X\n", res); + return; + } - KAPC_STATE apc{ }; - KeStackAttachProcess( Process, &apc ); + KAPC_STATE apc{}; + KeStackAttachProcess(Process, &apc); - if ( !UnhookSSSDT( oNtUserFindWindowEx, SYSCALL_NTUSERFINDWNDEX ) ) - DBGPRINT( "Failed to unhook NtUserFindWindowEx!\n" ); + if (!UnhookSSSDT(oNtUserFindWindowEx, SYSCALL_NTUSERFINDWNDEX)) + DBGPRINT("Failed to unhook NtUserFindWindowEx!\n"); - if ( !UnhookSSSDT( oNtUserWindowFromPoint, SYSCALL_NTUSERWNDFROMPOINT ) ) - DBGPRINT( "Failed to unhook NtUserWindowFromPoint!\n" ); + if (!UnhookSSSDT(oNtUserWindowFromPoint, SYSCALL_NTUSERWNDFROMPOINT)) + DBGPRINT("Failed to unhook NtUserWindowFromPoint!\n"); - if ( !UnhookSSSDT( oNtUserBuildHwndList, SYSCALL_NTUSERBUILDWNDLIST ) ) - DBGPRINT( "Failed to unhook NtUserBuildHwndList!\n" ); + if 
(!UnhookSSSDT(oNtUserBuildHwndList, SYSCALL_NTUSERBUILDWNDLIST)) + DBGPRINT("Failed to unhook NtUserBuildHwndList!\n"); - if ( !UnhookSSSDT( oNtUserGetForegroundWindow, SYSCALL_NTGETFOREGROUNDWND ) ) - DBGPRINT( "Failed to unhook NtUserGetForegroundWindow!\n" ); + if (!UnhookSSSDT(oNtUserGetForegroundWindow, SYSCALL_NTGETFOREGROUNDWND)) + DBGPRINT("Failed to unhook NtUserGetForegroundWindow!\n"); - if ( !UnhookSSSDT( oNtUserQueryWindow, SYSCALL_NTUSERQUERYWND ) ) - DBGPRINT( "Failed to unhook NtUserQueryWindow!\n" ); + if (!UnhookSSSDT(oNtUserQueryWindow, SYSCALL_NTUSERQUERYWND)) + DBGPRINT("Failed to unhook NtUserQueryWindow!\n"); - KeUnstackDetachProcess( &apc ); - ObDereferenceObject( Process ); + KeUnstackDetachProcess(&apc); + ObDereferenceObject(Process); #else - if ( !kaspersky::is_klhk_loaded() ) - return; + if (!kaspersky::is_klhk_loaded()) + return; - if ( !kaspersky::unhook_shadow_ssdt_routine( SYSCALL_NTUSERBUILDWNDLIST, oNtUserBuildHwndList ) ) - DBGPRINT( "Failed to unhook NtUserBuildHwndList" ); + if (!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTUSERBUILDWNDLIST, oNtUserBuildHwndList)) + DBGPRINT("Failed to unhook NtUserBuildHwndList"); - if ( !kaspersky::unhook_shadow_ssdt_routine( SYSCALL_NTUSERWNDFROMPOINT, oNtUserWindowFromPoint ) ) - DBGPRINT( "Failed to unhook NtUserWindowFromPoint" ); + if (!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTUSERWNDFROMPOINT, oNtUserWindowFromPoint)) + DBGPRINT("Failed to unhook NtUserWindowFromPoint"); - if ( !kaspersky::unhook_shadow_ssdt_routine( SYSCALL_NTUSERFINDWNDEX, oNtUserFindWindowEx ) ) - DBGPRINT( "Failed to unhook NtUserFindWindowEx" ); + if (!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTUSERFINDWNDEX, oNtUserFindWindowEx)) + DBGPRINT("Failed to unhook NtUserFindWindowEx"); - if ( !kaspersky::unhook_shadow_ssdt_routine( SYSCALL_NTGETFOREGROUNDWND, oNtUserGetForegroundWindow ) ) - DBGPRINT( "Failed to unhook NtUserGetForegroundWindow" ); + if 
(!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTGETFOREGROUNDWND, oNtUserGetForegroundWindow)) + DBGPRINT("Failed to unhook NtUserGetForegroundWindow"); - if ( !kaspersky::unhook_shadow_ssdt_routine( SYSCALL_NTUSERQUERYWND, oNtUserQueryWindow ) ) - DBGPRINT( "Failed to unhook NtUserQueryWindow" ); + if (!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTUSERQUERYWND, oNtUserQueryWindow)) + DBGPRINT("Failed to unhook NtUserQueryWindow"); #endif } \ No newline at end of file diff --git a/MasterHide/shadow_ssdt.h b/MasterHide/shadow_ssdt.h deleted file mode 100644 index 5ee8161..0000000 --- a/MasterHide/shadow_ssdt.h +++ /dev/null @@ -1,10 +0,0 @@ -#pragma once - -namespace masterhide -{ - namespace sssdt - { - extern void Init(); - extern void Destroy(); - } -}; diff --git a/MasterHide/shadow_ssdt.hpp b/MasterHide/shadow_ssdt.hpp new file mode 100644 index 0000000..b8a6439 --- /dev/null +++ b/MasterHide/shadow_ssdt.hpp @@ -0,0 +1,10 @@ +#pragma once + +namespace masterhide +{ +namespace sssdt +{ +extern void Init(); +extern void Destroy(); +} // namespace sssdt +}; // namespace masterhide diff --git a/MasterHide/ssdt.cpp b/MasterHide/ssdt.cpp index 7851c85..ab90598 100644 --- a/MasterHide/ssdt.cpp +++ b/MasterHide/ssdt.cpp 
@@ -1,306 +1,319 @@ -#include "stdafx.h" +#include "includes.hpp" PSYSTEM_SERVICE_TABLE g_KeServiceDescriptorTable = NULL; ULONGLONG GetKeServiceDescriptorTable64() { - PUCHAR pStartSearchAddress = ( PUCHAR )__readmsr( 0xC0000082 ); - PUCHAR pEndSearchAddress = ( PUCHAR )( ( ( ULONG_PTR )pStartSearchAddress + PAGE_SIZE ) & ( ~0x0FFF ) ); - PULONG pFindCodeAddress = NULL; - - while ( ++pStartSearchAddress < pEndSearchAddress ) - { - if ( ( *( PULONG )pStartSearchAddress & 0xFFFFFF00 ) == 0x83f70000 ) - { - pFindCodeAddress = ( PULONG )( pStartSearchAddress - 12 ); - return ( ULONG_PTR )pFindCodeAddress + ( ( ( *( PULONG )pFindCodeAddress ) >> 24 ) + 7 ) + ( ULONG_PTR )( ( ( *( PULONG )( pFindCodeAddress + 1 ) ) & 0x0FFFF ) << 8 ); - } - } - return 0; + PUCHAR pStartSearchAddress = (PUCHAR)__readmsr(0xC0000082); + PUCHAR pEndSearchAddress = (PUCHAR)(((ULONG_PTR)pStartSearchAddress + PAGE_SIZE) & (~0x0FFF)); + PULONG pFindCodeAddress = NULL; + + while (++pStartSearchAddress < pEndSearchAddress) + { + if ((*(PULONG)pStartSearchAddress & 0xFFFFFF00) == 0x83f70000) + { + pFindCodeAddress = (PULONG)(pStartSearchAddress - 12); + return (ULONG_PTR)pFindCodeAddress + (((*(PULONG)pFindCodeAddress) >> 24) + 7) + + (ULONG_PTR)(((*(PULONG)(pFindCodeAddress + 1)) & 0x0FFFF) << 8); + } + } + return 0; } -ULONGLONG GetSSDTFuncCurAddr64( ULONG id ) +ULONGLONG GetSSDTFuncCurAddr64(ULONG id) { - LONG dwtmp = 0; - PULONG ServiceTableBase = NULL; - ServiceTableBase = ( PULONG )g_KeServiceDescriptorTable->ServiceTableBase; - dwtmp = ServiceTableBase[ id ]; - dwtmp = dwtmp >> 4; - return ( LONGLONG )dwtmp + ( ULONGLONG )ServiceTableBase; + LONG dwtmp = 0; + PULONG ServiceTableBase = NULL; + ServiceTableBase = (PULONG)g_KeServiceDescriptorTable->ServiceTableBase; + dwtmp = ServiceTableBase[id]; + dwtmp = dwtmp >> 4; + return (LONGLONG)dwtmp + (ULONGLONG)ServiceTableBase; } -ULONG GetOffsetAddress( ULONGLONG FuncAddr ) +ULONG GetOffsetAddress(ULONGLONG FuncAddr) { - ULONG dwtmp = 0; - 
PULONG ServiceTableBase = NULL; - ServiceTableBase = ( PULONG )g_KeServiceDescriptorTable->ServiceTableBase; - dwtmp = ( ULONG )( FuncAddr - ( ULONGLONG )ServiceTableBase ); - dwtmp = dwtmp << 4; - return dwtmp; + ULONG dwtmp = 0; + PULONG ServiceTableBase = NULL; + ServiceTableBase = (PULONG)g_KeServiceDescriptorTable->ServiceTableBase; + dwtmp = (ULONG)(FuncAddr - (ULONGLONG)ServiceTableBase); + dwtmp = dwtmp << 4; + return dwtmp; } -bool HookSSDT( PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID* pOldFunction, ULONG SyscallNum ) +bool HookSSDT(PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID *pOldFunction, ULONG SyscallNum) { - if ( !pNewFunction || !pOldFunction || SyscallNum <= 0 ) - return false; - - // - // Log the Syscall number that we're hooking - // - DBGPRINT( "[ HookSSDT ] Syscall: 0x%X\n", SyscallNum ); - - // - // Log the Original function address - // - *pOldFunction = PVOID( GetSSDTFuncCurAddr64( SyscallNum ) ); - DBGPRINT( "[ HookSSDT ] Original: 0x%p\n", *pOldFunction ); - - *( PULONG64 )( jmp_trampoline + 3 ) = ULONG64( pNewFunction ); - - // - // Find a suitable code cave inside the module .text section that we can use to trampoline to our hook - // - auto pCodeCave = utils::FindCodeCave( pCode, ulCodeSize, sizeof( jmp_trampoline ) ); - if ( !pCodeCave ) - { - DBGPRINT( "[ HookSSDT ] Failed to find a suitable code cave.\n" ); - return false; - } - - DBGPRINT( "[ HookSSDT ] Code Cave: 0x%p\n", pCodeCave ); - - // - // Change page protection - // - auto Mdl = IoAllocateMdl( pCodeCave, sizeof( jmp_trampoline ), 0, 0, NULL ); - if ( Mdl == NULL ) - { - DBGPRINT( "[ HookSSDT ] IoAllocateMdl failed!\n" ); - return false; - } - - MmProbeAndLockPages( Mdl, KernelMode, IoWriteAccess ); - - auto Mapping = MmMapLockedPagesSpecifyCache( Mdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority ); - if ( Mapping == NULL ) - { - MmUnlockPages( Mdl ); - IoFreeMdl( Mdl ); - DBGPRINT( "[ HookSSDT ] MmMapLockedPagesSpecifyCache failed!\n" ); - 
return false; - } - - // - // Modify SSDT table - // - auto ServiceTableBase = ( PULONG )g_KeServiceDescriptorTable->ServiceTableBase; - - auto irql = utils::WPOFF(); - - RtlCopyMemory( Mapping, jmp_trampoline, sizeof( jmp_trampoline ) ); - - auto SsdtEntry = GetOffsetAddress( ULONG64( pCodeCave ) ); - SsdtEntry &= 0xFFFFFFF0; - SsdtEntry += ServiceTableBase[ SyscallNum ] & 0x0F; - ServiceTableBase[ SyscallNum ] = SsdtEntry; - - utils::WPON( irql ); - - // - // Restore protection - // - MmUnmapLockedPages( Mapping, Mdl ); - MmUnlockPages( Mdl ); - IoFreeMdl( Mdl ); - - return true; + if (!pNewFunction || !pOldFunction || SyscallNum <= 0) + return false; + + // + // Log the Syscall number that we're hooking + // + DBGPRINT("[ HookSSDT ] Syscall: 0x%X\n", SyscallNum); + + // + // Log the Original function address + // + *pOldFunction = PVOID(GetSSDTFuncCurAddr64(SyscallNum)); + DBGPRINT("[ HookSSDT ] Original: 0x%p\n", *pOldFunction); + + *(PULONG64)(jmp_trampoline + 3) = ULONG64(pNewFunction); + + // + // Find a suitable code cave inside the module .text section that we can use to trampoline to our hook + // + auto pCodeCave = utils::FindCodeCave(pCode, ulCodeSize, sizeof(jmp_trampoline)); + if (!pCodeCave) + { + DBGPRINT("[ HookSSDT ] Failed to find a suitable code cave.\n"); + return false; + } + + DBGPRINT("[ HookSSDT ] Code Cave: 0x%p\n", pCodeCave); + + // + // Change page protection + // + auto Mdl = IoAllocateMdl(pCodeCave, sizeof(jmp_trampoline), 0, 0, NULL); + if (Mdl == NULL) + { + DBGPRINT("[ HookSSDT ] IoAllocateMdl failed!\n"); + return false; + } + + MmProbeAndLockPages(Mdl, KernelMode, IoWriteAccess); + + auto Mapping = MmMapLockedPagesSpecifyCache(Mdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority); + if (Mapping == NULL) + { + MmUnlockPages(Mdl); + IoFreeMdl(Mdl); + DBGPRINT("[ HookSSDT ] MmMapLockedPagesSpecifyCache failed!\n"); + return false; + } + + // + // Modify SSDT table + // + auto ServiceTableBase = 
(PULONG)g_KeServiceDescriptorTable->ServiceTableBase; + + auto irql = utils::WPOFF(); + + RtlCopyMemory(Mapping, jmp_trampoline, sizeof(jmp_trampoline)); + + auto SsdtEntry = GetOffsetAddress(ULONG64(pCodeCave)); + SsdtEntry &= 0xFFFFFFF0; + SsdtEntry += ServiceTableBase[SyscallNum] & 0x0F; + ServiceTableBase[SyscallNum] = SsdtEntry; + + utils::WPON(irql); + + // + // Restore protection + // + MmUnmapLockedPages(Mapping, Mdl); + MmUnlockPages(Mdl); + IoFreeMdl(Mdl); + + return true; } -bool UnhookSSDT( PVOID pFunction, ULONG SyscallNum ) +bool UnhookSSDT(PVOID pFunction, ULONG SyscallNum) { - if ( !pFunction || SyscallNum <= 0 ) - return false; + if (!pFunction || SyscallNum <= 0) + return false; - auto ServiceTableBase = ( PULONG )g_KeServiceDescriptorTable->ServiceTableBase; + auto ServiceTableBase = (PULONG)g_KeServiceDescriptorTable->ServiceTableBase; - auto irql = utils::WPOFF(); + auto irql = utils::WPOFF(); - auto SsdtEntry = GetOffsetAddress( ULONG64( pFunction ) ); - SsdtEntry &= 0xFFFFFFF0; - SsdtEntry += ServiceTableBase[ SyscallNum ] & 0x0F; - ServiceTableBase[ SyscallNum ] = SsdtEntry; + auto SsdtEntry = GetOffsetAddress(ULONG64(pFunction)); + SsdtEntry &= 0xFFFFFFF0; + SsdtEntry += ServiceTableBase[SyscallNum] & 0x0F; + ServiceTableBase[SyscallNum] = SsdtEntry; - utils::WPON( irql ); + utils::WPON(irql); - return true; + return true; } void ssdt::Init() { #ifndef USE_KASPERSKY - g_KeServiceDescriptorTable = PSYSTEM_SERVICE_TABLE( GetKeServiceDescriptorTable64() ); - DBGPRINT( "KeServiceDescriptorTable: 0x%p\n", g_KeServiceDescriptorTable ); - if ( !g_KeServiceDescriptorTable ) - return; - - auto KiServiceTable = PULONG( g_KeServiceDescriptorTable->ServiceTableBase ); - DBGPRINT( "KeServiceDescriptorTable->ServiceTableBase: 0x%p\n", KiServiceTable ); - if ( !KiServiceTable ) - return; - - DBGPRINT( "KeServiceDescriptorTable->NumberOfServices: %lld\n", g_KeServiceDescriptorTable->NumberOfServices ); - - auto ntoskrnl = ULONG64( tools::GetNtKernelBase() 
); - DBGPRINT( "ntoskrnl: 0x%llx\n", ntoskrnl ); - if ( !ntoskrnl ) - return; - - ULONG ulCodeSize = 0; - auto pCode = PUCHAR( tools::GetImageTextSection( ntoskrnl, &ulCodeSize ) ); - if ( pCode ) - { - DBGPRINT( "ntoskrnl.exe .text section %p\n", pCode ); - - if ( HookSSDT( pCode, ulCodeSize, &hkNtQuerySystemInformation, reinterpret_cast< PVOID* >( &oNtQuerySystemInformation ), SYSCALL_NTQUERYSYSINFO ) ) - { - DBGPRINT( "NtQuerySystemInformation hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtQuerySystemInformation!\n" ); - - if ( HookSSDT( pCode, ulCodeSize, &hkNtOpenProcess, reinterpret_cast< PVOID* >( &oNtOpenProcess ), SYSCALL_NTOPENPROCESS ) ) - { - DBGPRINT( "NtOpenProcess hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtOpenProcess!\n" ); - - if ( HookSSDT( pCode, ulCodeSize, &hkNtAllocateVirtualMemory, reinterpret_cast< PVOID* >( &oNtAllocateVirtualMemory ), SYSCALL_NTALLOCVIRTUALMEM ) ) - { - DBGPRINT( "NtAllocateVirtualMemory hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtAllocateVirtualMemory!\n" ); - - if ( HookSSDT( pCode, ulCodeSize, &hkNtFreeVirtualMemory, reinterpret_cast< PVOID* >( &oNtFreeVirtualMemory ), SYSCALL_NTFREEVIRTUALMEM ) ) - { - DBGPRINT( "NtFreeVirtualMemory hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtFreeVirtualMemory!\n" ); - - if ( HookSSDT( pCode, ulCodeSize, &hkNtWriteVirtualMemory, reinterpret_cast< PVOID* >( &oNtWriteVirtualMemory ), SYSCALL_NTWRITEVIRTUALMEM ) ) - { - DBGPRINT( "NtWriteVirtualMemory hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtWriteVirtualMemory!\n" ); - - if ( HookSSDT( pCode, ulCodeSize, &hkNtDeviceIoControlFile, reinterpret_cast< PVOID* >( &oNtDeviceIoControlFile ), SYSCALL_NTDEVICEIOCTRLFILE ) ) - { - DBGPRINT( "NtDeviceIoControlFile hooked successfully!\n" ); - } - else - DBGPRINT( "Failed to hook NtDeviceIoControlFile!\n" ); - } + g_KeServiceDescriptorTable = 
PSYSTEM_SERVICE_TABLE(GetKeServiceDescriptorTable64()); + DBGPRINT("KeServiceDescriptorTable: 0x%p\n", g_KeServiceDescriptorTable); + if (!g_KeServiceDescriptorTable) + return; + + auto KiServiceTable = PULONG(g_KeServiceDescriptorTable->ServiceTableBase); + DBGPRINT("KeServiceDescriptorTable->ServiceTableBase: 0x%p\n", KiServiceTable); + if (!KiServiceTable) + return; + + DBGPRINT("KeServiceDescriptorTable->NumberOfServices: %lld\n", g_KeServiceDescriptorTable->NumberOfServices); + + auto ntoskrnl = ULONG64(tools::GetNtKernelBase()); + DBGPRINT("ntoskrnl: 0x%llx\n", ntoskrnl); + if (!ntoskrnl) + return; + + ULONG ulCodeSize = 0; + auto pCode = PUCHAR(tools::GetImageTextSection(ntoskrnl, &ulCodeSize)); + if (pCode) + { + DBGPRINT("ntoskrnl.exe .text section %p\n", pCode); + + if (HookSSDT(pCode, ulCodeSize, &hkNtQuerySystemInformation, + reinterpret_cast(&oNtQuerySystemInformation), SYSCALL_NTQUERYSYSINFO)) + { + DBGPRINT("NtQuerySystemInformation hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtQuerySystemInformation!\n"); + + if (HookSSDT(pCode, ulCodeSize, &hkNtOpenProcess, reinterpret_cast(&oNtOpenProcess), + SYSCALL_NTOPENPROCESS)) + { + DBGPRINT("NtOpenProcess hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtOpenProcess!\n"); + + if (HookSSDT(pCode, ulCodeSize, &hkNtAllocateVirtualMemory, + reinterpret_cast(&oNtAllocateVirtualMemory), SYSCALL_NTALLOCVIRTUALMEM)) + { + DBGPRINT("NtAllocateVirtualMemory hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtAllocateVirtualMemory!\n"); + + if (HookSSDT(pCode, ulCodeSize, &hkNtFreeVirtualMemory, reinterpret_cast(&oNtFreeVirtualMemory), + SYSCALL_NTFREEVIRTUALMEM)) + { + DBGPRINT("NtFreeVirtualMemory hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtFreeVirtualMemory!\n"); + + if (HookSSDT(pCode, ulCodeSize, &hkNtWriteVirtualMemory, reinterpret_cast(&oNtWriteVirtualMemory), + SYSCALL_NTWRITEVIRTUALMEM)) + { + DBGPRINT("NtWriteVirtualMemory hooked 
successfully!\n"); + } + else + DBGPRINT("Failed to hook NtWriteVirtualMemory!\n"); + + if (HookSSDT(pCode, ulCodeSize, &hkNtDeviceIoControlFile, reinterpret_cast(&oNtDeviceIoControlFile), + SYSCALL_NTDEVICEIOCTRLFILE)) + { + DBGPRINT("NtDeviceIoControlFile hooked successfully!\n"); + } + else + DBGPRINT("Failed to hook NtDeviceIoControlFile!\n"); + } #else - if ( kaspersky::hook_ssdt_routine( SYSCALL_NTOPENPROCESS, hkNtOpenProcess, reinterpret_cast< PVOID* >( &oNtOpenProcess ) ) ) - { - DBGPRINT( "NtOpenProcess ( 0x%X ) hooked successfully!\n", SYSCALL_NTOPENPROCESS ); -} - else - DBGPRINT( "Failed to hook NtOpenProcess!\n" ); - - if ( kaspersky::hook_ssdt_routine( SYSCALL_NTDEVICEIOCTRLFILE, hkNtDeviceIoControlFile, reinterpret_cast< PVOID* >( &oNtDeviceIoControlFile ) ) ) - { - DBGPRINT( "NtDeviceIoControlFile ( 0x%X ) hooked successfully!\n", SYSCALL_NTDEVICEIOCTRLFILE ); - } - else - DBGPRINT( "Failed to hook NtDeviceIoControlFile!\n" ); - - if ( kaspersky::hook_ssdt_routine( SYSCALL_NTQUERYSYSINFO, hkNtQuerySystemInformation, reinterpret_cast< PVOID* >( &oNtQuerySystemInformation ) ) ) - { - DBGPRINT( "NtQuerySystemInformation ( 0x%X ) hooked successfully!\n", SYSCALL_NTQUERYSYSINFO ); - } - else - DBGPRINT( "Failed to hook NtQuerySystemInformation!\n" ); - - if ( kaspersky::hook_ssdt_routine( SYSCALL_NTALLOCVIRTUALMEM, hkNtAllocateVirtualMemory, reinterpret_cast< PVOID* >( &oNtAllocateVirtualMemory ) ) ) - { - DBGPRINT( "NtAllocateVirtualMemory ( 0x%X ) hooked successfully!\n", SYSCALL_NTALLOCVIRTUALMEM ); - } - else - DBGPRINT( "Failed to hook NtAllocateVirtualMemory!\n" ); - - if ( kaspersky::hook_ssdt_routine( SYSCALL_NTFREEVIRTUALMEM, hkNtFreeVirtualMemory, reinterpret_cast< PVOID* >( &oNtFreeVirtualMemory ) ) ) - { - DBGPRINT( "NtFreeVirtualMemory ( 0x%X ) hooked successfully!\n", SYSCALL_NTFREEVIRTUALMEM ); - } - else - DBGPRINT( "Failed to hook NtFreeVirtualMemory!\n" ); - - if ( kaspersky::hook_ssdt_routine( SYSCALL_NTWRITEVIRTUALMEM, 
hkNtWriteVirtualMemory, reinterpret_cast< PVOID* >( &oNtWriteVirtualMemory ) ) ) - { - DBGPRINT( "NtWriteVirtualMemory ( 0x%X ) hooked successfully!\n", SYSCALL_NTWRITEVIRTUALMEM ); - } - else - DBGPRINT( "Failed to hook NtWriteVirtualMemory!\n" ); - - if ( kaspersky::hook_ssdt_routine( SYSCALL_NTLOADDRIVER, hkNtLoadDriver, reinterpret_cast< PVOID* >( &oNtLoadDriver ) ) ) - { - DBGPRINT( "NtLoadDriver ( 0x%X ) hooked successfully!\n", SYSCALL_NTLOADDRIVER ); - } - else - DBGPRINT( "Failed to hook NtLoadDriver!\n" ); + if (kaspersky::hook_ssdt_routine(SYSCALL_NTOPENPROCESS, hkNtOpenProcess, + reinterpret_cast(&oNtOpenProcess))) + { + DBGPRINT("NtOpenProcess ( 0x%X ) hooked successfully!\n", SYSCALL_NTOPENPROCESS); + } + else + DBGPRINT("Failed to hook NtOpenProcess!\n"); + + if (kaspersky::hook_ssdt_routine(SYSCALL_NTDEVICEIOCTRLFILE, hkNtDeviceIoControlFile, + reinterpret_cast(&oNtDeviceIoControlFile))) + { + DBGPRINT("NtDeviceIoControlFile ( 0x%X ) hooked successfully!\n", SYSCALL_NTDEVICEIOCTRLFILE); + } + else + DBGPRINT("Failed to hook NtDeviceIoControlFile!\n"); + + if (kaspersky::hook_ssdt_routine(SYSCALL_NTQUERYSYSINFO, hkNtQuerySystemInformation, + reinterpret_cast(&oNtQuerySystemInformation))) + { + DBGPRINT("NtQuerySystemInformation ( 0x%X ) hooked successfully!\n", SYSCALL_NTQUERYSYSINFO); + } + else + DBGPRINT("Failed to hook NtQuerySystemInformation!\n"); + + if (kaspersky::hook_ssdt_routine(SYSCALL_NTALLOCVIRTUALMEM, hkNtAllocateVirtualMemory, + reinterpret_cast(&oNtAllocateVirtualMemory))) + { + DBGPRINT("NtAllocateVirtualMemory ( 0x%X ) hooked successfully!\n", SYSCALL_NTALLOCVIRTUALMEM); + } + else + DBGPRINT("Failed to hook NtAllocateVirtualMemory!\n"); + + if (kaspersky::hook_ssdt_routine(SYSCALL_NTFREEVIRTUALMEM, hkNtFreeVirtualMemory, + reinterpret_cast(&oNtFreeVirtualMemory))) + { + DBGPRINT("NtFreeVirtualMemory ( 0x%X ) hooked successfully!\n", SYSCALL_NTFREEVIRTUALMEM); + } + else + DBGPRINT("Failed to hook NtFreeVirtualMemory!\n"); + + if 
(kaspersky::hook_ssdt_routine(SYSCALL_NTWRITEVIRTUALMEM, hkNtWriteVirtualMemory, + reinterpret_cast(&oNtWriteVirtualMemory))) + { + DBGPRINT("NtWriteVirtualMemory ( 0x%X ) hooked successfully!\n", SYSCALL_NTWRITEVIRTUALMEM); + } + else + DBGPRINT("Failed to hook NtWriteVirtualMemory!\n"); + + if (kaspersky::hook_ssdt_routine(SYSCALL_NTLOADDRIVER, hkNtLoadDriver, reinterpret_cast(&oNtLoadDriver))) + { + DBGPRINT("NtLoadDriver ( 0x%X ) hooked successfully!\n", SYSCALL_NTLOADDRIVER); + } + else + DBGPRINT("Failed to hook NtLoadDriver!\n"); #endif } void ssdt::Destroy() { #ifndef USE_KASPERSKY - if ( !g_KeServiceDescriptorTable ) - return; + if (!g_KeServiceDescriptorTable) + return; - if ( !UnhookSSDT( oNtQuerySystemInformation, SYSCALL_NTQUERYSYSINFO ) ) - DBGPRINT( "Failed to unhook NtQuerySystemInformation!\n" ); + if (!UnhookSSDT(oNtQuerySystemInformation, SYSCALL_NTQUERYSYSINFO)) + DBGPRINT("Failed to unhook NtQuerySystemInformation!\n"); - if ( !UnhookSSDT( oNtOpenProcess, SYSCALL_NTOPENPROCESS ) ) - DBGPRINT( "Failed to unhook NtOpenProcess!\n" ); + if (!UnhookSSDT(oNtOpenProcess, SYSCALL_NTOPENPROCESS)) + DBGPRINT("Failed to unhook NtOpenProcess!\n"); - if ( !UnhookSSDT( oNtAllocateVirtualMemory, SYSCALL_NTALLOCVIRTUALMEM ) ) - DBGPRINT( "Failed to unhook NtAllocateVirtualMemory!\n" ); + if (!UnhookSSDT(oNtAllocateVirtualMemory, SYSCALL_NTALLOCVIRTUALMEM)) + DBGPRINT("Failed to unhook NtAllocateVirtualMemory!\n"); - if ( !UnhookSSDT( oNtFreeVirtualMemory, SYSCALL_NTFREEVIRTUALMEM ) ) - DBGPRINT( "Failed to unhook NtFreeVirtualMemory!\n" ); + if (!UnhookSSDT(oNtFreeVirtualMemory, SYSCALL_NTFREEVIRTUALMEM)) + DBGPRINT("Failed to unhook NtFreeVirtualMemory!\n"); - if ( !UnhookSSDT( oNtWriteVirtualMemory, SYSCALL_NTWRITEVIRTUALMEM ) ) - DBGPRINT( "Failed to unhook NtWriteVirtualMemory!\n" ); + if (!UnhookSSDT(oNtWriteVirtualMemory, SYSCALL_NTWRITEVIRTUALMEM)) + DBGPRINT("Failed to unhook NtWriteVirtualMemory!\n"); - if ( !UnhookSSDT( oNtDeviceIoControlFile, 
SYSCALL_NTDEVICEIOCTRLFILE ) ) - DBGPRINT( "Failed to unhook NtDeviceIoControlFile!\n" ); + if (!UnhookSSDT(oNtDeviceIoControlFile, SYSCALL_NTDEVICEIOCTRLFILE)) + DBGPRINT("Failed to unhook NtDeviceIoControlFile!\n"); #else - if ( !kaspersky::is_klhk_loaded() ) - return; + if (!kaspersky::is_klhk_loaded()) + return; - if ( !kaspersky::unhook_ssdt_routine( SYSCALL_NTQUERYSYSINFO, oNtQuerySystemInformation ) ) - DBGPRINT( "Failed to unhook NtQuerySystemInformation" ); + if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTQUERYSYSINFO, oNtQuerySystemInformation)) + DBGPRINT("Failed to unhook NtQuerySystemInformation"); - if ( !kaspersky::unhook_ssdt_routine( SYSCALL_NTOPENPROCESS, oNtOpenProcess ) ) - DBGPRINT( "Failed to unhook NtOpenProcess" ); + if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTOPENPROCESS, oNtOpenProcess)) + DBGPRINT("Failed to unhook NtOpenProcess"); - if ( !kaspersky::unhook_ssdt_routine( SYSCALL_NTALLOCVIRTUALMEM, oNtAllocateVirtualMemory ) ) - DBGPRINT( "Failed to unhook NtAllocateVirtualMemory" ); + if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTALLOCVIRTUALMEM, oNtAllocateVirtualMemory)) + DBGPRINT("Failed to unhook NtAllocateVirtualMemory"); - if ( !kaspersky::unhook_ssdt_routine( SYSCALL_NTFREEVIRTUALMEM, oNtFreeVirtualMemory ) ) - DBGPRINT( "Failed to unhook NtFreeVirtualMemory" ); + if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTFREEVIRTUALMEM, oNtFreeVirtualMemory)) + DBGPRINT("Failed to unhook NtFreeVirtualMemory"); - if ( !kaspersky::unhook_ssdt_routine( SYSCALL_NTWRITEVIRTUALMEM, oNtWriteVirtualMemory ) ) - DBGPRINT( "Failed to unhook NtWriteVirtualMemory" ); + if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTWRITEVIRTUALMEM, oNtWriteVirtualMemory)) + DBGPRINT("Failed to unhook NtWriteVirtualMemory"); - if ( !kaspersky::unhook_ssdt_routine( SYSCALL_NTDEVICEIOCTRLFILE, oNtDeviceIoControlFile ) ) - DBGPRINT( "Failed to unhook NtDeviceIoControlFile" ); + if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTDEVICEIOCTRLFILE, oNtDeviceIoControlFile)) + 
DBGPRINT("Failed to unhook NtDeviceIoControlFile"); - if ( !kaspersky::unhook_ssdt_routine( SYSCALL_NTLOADDRIVER, oNtLoadDriver ) ) - DBGPRINT( "Failed to unhook NtLoadDriver" ); + if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTLOADDRIVER, oNtLoadDriver)) + DBGPRINT("Failed to unhook NtLoadDriver"); #endif } \ No newline at end of file diff --git a/MasterHide/ssdt.h b/MasterHide/ssdt.h deleted file mode 100644 index 0d50338..0000000 --- a/MasterHide/ssdt.h +++ /dev/null @@ -1,12 +0,0 @@ -#pragma once - -static UCHAR jmp_trampoline[] = { 0x50, 0x48, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, 0x87, 0x04, 0x24, 0xC3 }; - -namespace masterhide -{ - namespace ssdt - { - extern void Init(); - extern void Destroy(); - } -}; \ No newline at end of file diff --git a/MasterHide/ssdt.hpp b/MasterHide/ssdt.hpp new file mode 100644 index 0000000..0045e5f --- /dev/null +++ b/MasterHide/ssdt.hpp @@ -0,0 +1,13 @@ +#pragma once + +static UCHAR jmp_trampoline[] = {0x50, 0x48, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, + 0xBE, 0xAD, 0xDE, 0x48, 0x87, 0x04, 0x24, 0xC3}; + +namespace masterhide +{ +namespace ssdt +{ +extern void Init(); +extern void Destroy(); +} // namespace ssdt +}; // namespace masterhide \ No newline at end of file diff --git a/MasterHide/tools.cpp b/MasterHide/tools.cpp deleted file mode 100644 index 44e8c7f..0000000 --- a/MasterHide/tools.cpp +++ /dev/null 
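Review bot: `HookSSDT` and `UnhookSSDT` index `ServiceTableBase[SyscallNum]` without comparing the index against `g_KeServiceDescriptorTable->NumberOfServices`, and the guard `SyscallNum <= 0` on a `ULONG` can only ever reject zero, so a wrong or OS-version-specific service number reads and writes past the table. In `HookSSDT` the guard should read `if (!pNewFunction || !pOldFunction || SyscallNum == 0 || SyscallNum >= g_KeServiceDescriptorTable->NumberOfServices) return false;`, with the same bound applied in `UnhookSSDT` and `GetSSDTFuncCurAddr64`, which shares the unchecked index. Separately, `MmProbeAndLockPages` in `HookSSDT` is called outside a `__try`/`__except` block; it reports failure by raising an exception rather than returning a status, so a failed lock is unrecoverable here and the MDL from `IoAllocateMdl` is never freed on that path. The `reinterpret_cast(&o...)` arguments in `ssdt::Init` appear without a template argument on the new side; this is presumably `<PVOID *>` lost to rendering rather than a source change, but worth confirming since the old side still shows it.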
@@ -1,586 +0,0 @@ -#include "stdafx.h" - -PUCHAR ntdll = nullptr; -PUCHAR win32u = nullptr; - -namespace masterhide -{ - namespace tools - { - bool GetProcessName( HANDLE PID, PUNICODE_STRING ProcessImageName ) - { - KAPC_STATE apc{ }; - bool bReturn = false; - - if ( !ProcessImageName ) - return false; - - PEPROCESS Process = nullptr; - auto status = PsLookupProcessByProcessId( PID, &Process ); - if ( !NT_SUCCESS( status ) ) - return false; - - KeStackAttachProcess( Process, &apc ); - - // - // Credits: iPower - // - wchar_t lpModuleName[ MAX_PATH ]; - status = ZwQueryVirtualMemory( NtCurrentProcess(), PsGetProcessSectionBaseAddress( Process ), ( MEMORY_INFORMATION_CLASS )2, lpModuleName, sizeof( lpModuleName ), NULL ); - if ( NT_SUCCESS( status ) ) - { - PUNICODE_STRING pModuleName = ( PUNICODE_STRING )lpModuleName; - if ( pModuleName->Length > 0 ) - { - AllocateUnicodeString( ProcessImageName, pModuleName->MaximumLength ); - RtlCopyUnicodeString( ProcessImageName, pModuleName ); - bReturn = true; - } - } - - KeUnstackDetachProcess( &apc ); - ObDereferenceObject( Process ); - - return bReturn; - } - - bool GetProcessNameByPEPROCESS( PEPROCESS Process, PUNICODE_STRING ProcessImageName ) - { - KAPC_STATE apc{ }; - bool bReturn = false; - bool bAttached = false; - - if ( !ProcessImageName ) - return false; - - if ( Process != PsGetCurrentProcess() ) - { - KeStackAttachProcess( Process, &apc ); - bAttached = true; - } - - wchar_t lpModuleName[ MAX_PATH ]; - auto status = ZwQueryVirtualMemory( NtCurrentProcess(), PsGetProcessSectionBaseAddress( Process ), ( MEMORY_INFORMATION_CLASS )2, lpModuleName, sizeof( lpModuleName ), NULL ); - if ( NT_SUCCESS( status ) ) - { - PUNICODE_STRING pModuleName = ( PUNICODE_STRING )lpModuleName; - if ( pModuleName->Length > 0 ) - { - AllocateUnicodeString( ProcessImageName, pModuleName->MaximumLength ); - RtlCopyUnicodeString( ProcessImageName, pModuleName ); - bReturn = true; - } - } - - if ( bAttached ) - KeUnstackDetachProcess( &apc 
); - - return bReturn; - } - - PEPROCESS FindPEPROCESSById( PWCH wsName ) - { - if ( !wsName ) - return nullptr; - - for ( unsigned i = 4; i < 0xFFFF; i += 0x4 ) - { - PEPROCESS Process = nullptr; - if ( !NT_SUCCESS( PsLookupProcessByProcessId( HANDLE( i ), &Process ) ) ) - continue; - - UNICODE_STRING wsProcName{ }; - if ( !GetProcessNameByPEPROCESS( Process, &wsProcName ) ) - { - ObDereferenceObject( Process ); - continue; - } - - if ( wsProcName.Buffer && wcsstr( wsProcName.Buffer, wsName ) ) - return Process; - - ObDereferenceObject( Process ); - } - return nullptr; - } - - bool DumpMZ( PUCHAR pImageBase ) - { - __try - { - if ( !pImageBase ) - { - DBGPRINT( "[ DumpMZ ] Invalid image base!\n" ); - return false; - } - - ProbeForRead( pImageBase, sizeof( pImageBase ), __alignof( pImageBase ) ); - - PIMAGE_DOS_HEADER dos = PIMAGE_DOS_HEADER( pImageBase ); - if ( dos->e_magic != IMAGE_DOS_SIGNATURE ) - { - DBGPRINT( "[ DumpMZ ] Invalid DOS signature!\n" ); - return false; - } - - PIMAGE_NT_HEADERS32 nt32 = PIMAGE_NT_HEADERS32( pImageBase + dos->e_lfanew ); - if ( nt32->Signature != IMAGE_NT_SIGNATURE ) - { - DBGPRINT( "[ DumpMZ ] Invalid NT signature!\n" ); - return false; - } - - ULONG uImageSize = NULL; - - if ( nt32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ) - { - uImageSize = nt32->OptionalHeader.SizeOfImage; - } - else - { - PIMAGE_NT_HEADERS64 nt64 = PIMAGE_NT_HEADERS64( pImageBase + dos->e_lfanew ); - uImageSize = nt64->OptionalHeader.SizeOfImage; - } - - if ( KeGetCurrentIrql() != PASSIVE_LEVEL ) - { - DBGPRINT( "[ DumpMZ ] Curerent IRQL too high for IO operations!\n" ); - return false; - } - - DBGPRINT( "[ DumpMZ ] ImageBase: 0x%p\n", pImageBase ); - DBGPRINT( "[ DumpMZ ] ImageSize: 0x%X\n", uImageSize ); - - wchar_t wsFilePath[ MAX_PATH ]{ }; - RtlStringCbPrintfW( wsFilePath, sizeof( wsFilePath ), L"\\SystemRoot\\Dumped_%p.dll", pImageBase ); - - DBGPRINT( "[ DumpMZ ] Save Location: %ws\n", wsFilePath ); - - UNICODE_STRING wsFinalPath{ }; - 
RtlInitUnicodeString( &wsFinalPath, wsFilePath ); - - OBJECT_ATTRIBUTES oa{ }; - InitializeObjectAttributes( &oa, &wsFinalPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); - - IO_STATUS_BLOCK io{ }; - HANDLE hFile{ }; - - auto res = ZwCreateFile( &hFile, GENERIC_WRITE, &oa, &io, NULL, - FILE_ATTRIBUTE_NORMAL, - 0, - FILE_OVERWRITE_IF, - FILE_SYNCHRONOUS_IO_NONALERT, - NULL, 0 ); - - if ( !NT_SUCCESS( res ) ) - { - DBGPRINT( "[ DumpMZ ] ZwCreateFile failed 0x%X\n", res ); - return false; - } - - res = ZwWriteFile( hFile, NULL, NULL, NULL, &io, pImageBase, uImageSize, NULL, NULL ); - if ( !NT_SUCCESS( res ) ) - { - ZwClose( hFile ); - DBGPRINT( "[ DumpMZ ] ZwWriteFile failed 0x%X\n", res ); - return false; - } - - DBGPRINT( "[ DumpMZ ] Dump success!\n" ); - ZwClose( hFile ); - return false; - } - __except ( EXCEPTION_EXECUTE_HANDLER ) - { - return false; - } - } - - PIMAGE_SECTION_HEADER GetSectionHeader( const ULONG64 image_base, const char* section_name ) - { - if ( !image_base || !section_name ) - return nullptr; - - const auto pimage_dos_header = reinterpret_cast< PIMAGE_DOS_HEADER >( image_base ); - const auto pimage_nt_headers = reinterpret_cast< PIMAGE_NT_HEADERS64 >( image_base + pimage_dos_header->e_lfanew ); - - auto psection = IMAGE_FIRST_SECTION( pimage_nt_headers ); - - PIMAGE_SECTION_HEADER psection_hdr = nullptr; - - const auto NumberOfSections = pimage_nt_headers->FileHeader.NumberOfSections; - - for ( auto i = 0; i < NumberOfSections; ++i ) - { - if ( strstr( ( char* )psection->Name, section_name ) ) - { - psection_hdr = psection; - break; - } - - ++psection; - } - - return psection_hdr; - } - - bool bDataCompare( const char* pdata, const char* bmask, const char* szmask ) - { - for ( ; *szmask; ++szmask, ++pdata, ++bmask ) - { - if ( *szmask == 'x' && *pdata != *bmask ) - return false; - } - - return !*szmask; - } - - ULONG64 InternalFindPattern( const ULONG64 base, const ULONG size, const char* bmask, const char* szmask ) - { - for ( 
auto i = 0ul; i < size; ++i ) - if ( bDataCompare( PCHAR( base + i ), bmask, szmask ) ) - return base + i; - - return 0; - } - - ULONG64 FindPatternKM( const char* szModuleName, const char* szsection, const char* bmask, const char* szmask ) - { - if ( !szModuleName || !szsection || !bmask || !szmask ) - return 0; - - const auto module_base = ULONG64( GetModuleBase( szModuleName ) ); - - if ( !module_base ) - return 0; - - const auto psection = GetSectionHeader( module_base, szsection ); - - return psection ? InternalFindPattern( module_base + psection->VirtualAddress, psection->Misc.VirtualSize, bmask, szmask ) : 0; - } - - PVOID GetImageTextSection( const ULONG64 uImageBase, ULONG* ulSectionSize ) - { - if ( !uImageBase ) - return nullptr; - - const auto pText = GetSectionHeader( uImageBase, ".text" ); - if ( !pText ) - return nullptr; - - if ( ulSectionSize ) - *ulSectionSize = pText->Misc.VirtualSize; - - return PVOID( uImageBase + pText->VirtualAddress ); - } - - PVOID GetNtKernelBase() - { - return GetModuleBase( "\\SystemRoot\\System32\\ntoskrnl.exe" ); - } - - PVOID GetModuleBase( const char* szModule ) - { - PSYSTEM_MODULE_INFORMATION pSystemInfoBuffer = nullptr; - ULONG ulBytes = 0; - PVOID pImageBase = nullptr; - - __try - { - auto status = ZwQuerySystemInformation( SystemModuleInformation, 0, ulBytes, &ulBytes ); - if ( !ulBytes ) - { - DBGPRINT( "[ GetModuleBase ] ZwQuerySystemInformation failed 0x%X\n", status ); - return nullptr; - } - - pSystemInfoBuffer = PSYSTEM_MODULE_INFORMATION( ExAllocatePoolWithTag( PagedPool, ulBytes, TAG ) ); - if ( !pSystemInfoBuffer ) - { - DBGPRINT( "[ GetModuleBase ] ExAllocatePoolWithTag failed!\n" ); - return nullptr; - } - - status = ZwQuerySystemInformation( SystemModuleInformation, pSystemInfoBuffer, ulBytes, &ulBytes ); - if ( !NT_SUCCESS( status ) ) - { - DBGPRINT( "[ GetModuleBase ] ZwQuerySystemInformation[1] failed 0x%X\n", status ); - ExFreePoolWithTag( pSystemInfoBuffer, TAG ); - return nullptr; - } - - for ( 
unsigned i = 0; i < pSystemInfoBuffer->ModulesCount; ++i ) - { - auto Buff = &pSystemInfoBuffer->Modules[ i ]; - - if ( !_stricmp( Buff->ImageName, szModule ) ) - { - pImageBase = Buff->Base; - break; - } - } - } - __finally - { - if ( pSystemInfoBuffer ) - ExFreePoolWithTag( pSystemInfoBuffer, TAG ); - } - - return pImageBase; - } - - NTSTATUS LoadFile( PUNICODE_STRING FileName, PUCHAR* pImageBase ) - { - if ( !FileName ) - return STATUS_INVALID_PARAMETER; - - OBJECT_ATTRIBUTES oa{ }; - InitializeObjectAttributes( &oa, FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); - - if ( KeGetCurrentIrql() != PASSIVE_LEVEL ) - { - DBGPRINT( "[ LoadFile ] IRQL too high for IO operations!\n" ); - return STATUS_UNSUCCESSFUL; - } - - HANDLE FileHandle = NULL; - - IO_STATUS_BLOCK IoStatusBlock{ }; - auto res = ZwCreateFile( &FileHandle, - GENERIC_READ, - &oa, - &IoStatusBlock, NULL, - FILE_ATTRIBUTE_NORMAL, - FILE_SHARE_READ, - FILE_OPEN, - FILE_SYNCHRONOUS_IO_NONALERT, - NULL, 0 ); - - if ( !NT_SUCCESS( res ) ) - { - DBGPRINT( "[ LoadFile ] ZwCreateFile failed 0x%X\n", res ); - return STATUS_UNSUCCESSFUL; - } - - FILE_STANDARD_INFORMATION StandardInformation{ }; - res = ZwQueryInformationFile( FileHandle, &IoStatusBlock, &StandardInformation, sizeof( FILE_STANDARD_INFORMATION ), FileStandardInformation ); - if ( !NT_SUCCESS( res ) ) - { - DBGPRINT( "[ LoadFile ] ZwQueryInformationFile failed 0x%X\n", res ); - ZwClose( FileHandle ); - return STATUS_UNSUCCESSFUL; - } - - auto FileSize = StandardInformation.EndOfFile.LowPart; - auto FileBuffer = PUCHAR( ExAllocatePoolWithTag( NonPagedPool, FileSize, TAG ) ); - - if ( !FileBuffer ) - { - DBGPRINT( "[ LoadFile ] ExAllocatePoolWithTag failed\n" ); - ZwClose( FileHandle ); - return STATUS_SUCCESS; - } - - LARGE_INTEGER li{ }; - res = ZwReadFile( FileHandle, - NULL, NULL, NULL, - &IoStatusBlock, - FileBuffer, - FileSize, - &li, NULL ); - if ( !NT_SUCCESS( res ) ) - { - DBGPRINT( "[ LoadFile ] ZwReadFile failed 0x%X\n", 
res ); - ExFreePoolWithTag( FileBuffer, TAG ); - ZwClose( FileHandle ); - return STATUS_SUCCESS; - } - - auto dos = PIMAGE_DOS_HEADER( FileBuffer ); - if ( dos->e_magic != IMAGE_DOS_SIGNATURE ) - { - DBGPRINT( "[ LoadFile ] Invalid DOS signature!\n" ); - ExFreePoolWithTag( FileBuffer, TAG ); - ZwClose( FileHandle ); - return STATUS_SUCCESS; - } - - auto nt = PIMAGE_NT_HEADERS64( FileBuffer + dos->e_lfanew ); - if ( nt->Signature != IMAGE_NT_SIGNATURE ) - { - DBGPRINT( "[ LoadFile ] Invalid NT signature!\n" ); - ExFreePoolWithTag( FileBuffer, TAG ); - ZwClose( FileHandle ); - return STATUS_SUCCESS; - } - - auto Image = PUCHAR( ExAllocatePoolWithTag( NonPagedPool, nt->OptionalHeader.SizeOfImage, TAG ) ); - if ( !Image ) - { - DBGPRINT( "[ LoadFile ] ExAllocatePoolWithTag[1] failed!\n" ); - ExFreePoolWithTag( FileBuffer, TAG ); - ZwClose( FileHandle ); - return STATUS_SUCCESS; - } - - memcpy( Image, FileBuffer, nt->OptionalHeader.SizeOfHeaders ); - - auto pISH = IMAGE_FIRST_SECTION( nt ); - for ( unsigned i = 0; i < nt->FileHeader.NumberOfSections; i++ ) - memcpy( - Image + pISH[ i ].VirtualAddress, - FileBuffer + pISH[ i ].PointerToRawData, - pISH[ i ].SizeOfRawData ); - - if ( pImageBase ) - *pImageBase = Image; - - ExFreePoolWithTag( FileBuffer, TAG ); - ZwClose( FileHandle ); - return STATUS_SUCCESS; - } - - PVOID GetFunctionAddress( PVOID Module, LPCSTR FunctionName ) - { - PIMAGE_DOS_HEADER pIDH; - PIMAGE_NT_HEADERS pINH; - PIMAGE_EXPORT_DIRECTORY pIED; - - PULONG Address, Name; - PUSHORT Ordinal; - - ULONG i; - - pIDH = ( PIMAGE_DOS_HEADER )Module; - pINH = ( PIMAGE_NT_HEADERS )( ( PUCHAR )Module + pIDH->e_lfanew ); - - pIED = ( PIMAGE_EXPORT_DIRECTORY )( ( PUCHAR )Module + pINH->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ].VirtualAddress ); - - Address = ( PULONG )( ( PUCHAR )Module + pIED->AddressOfFunctions ); - Name = ( PULONG )( ( PUCHAR )Module + pIED->AddressOfNames ); - - Ordinal = ( PUSHORT )( ( PUCHAR )Module + 
pIED->AddressOfNameOrdinals ); - - for ( i = 0; i < pIED->AddressOfFunctions; i++ ) - { - if ( !strcmp( FunctionName, ( char* )Module + Name[ i ] ) ) - { - return ( PVOID )( ( PUCHAR )Module + Address[ Ordinal[ i ] ] ); - } - } - - return NULL; - } - - ULONG GetNtSyscall( LPCSTR FunctionName ) - { - if ( !ntdll ) - { - UNICODE_STRING FileName = RTL_CONSTANT_STRING( L"\\SystemRoot\\System32\\ntdll.dll" ); - - auto res = LoadFile( &FileName, &ntdll ); - if ( !NT_SUCCESS( res ) ) - DBGPRINT( "[ GetNtSyscall ] Failed to load ntdll.dll 0x%X\n", res ) - } - - if ( ntdll ) - { - auto Fn = PUCHAR( GetFunctionAddress( ntdll, FunctionName ) ); - if ( Fn ) - { - for ( int i = 0; i < 24; ++i ) - { - if ( Fn[ i ] == 0xC2 || Fn[ i ] == 0xC3 ) - break; - - if ( Fn[ i ] == 0xB8 ) - return *( PULONG )( Fn + i + 1 ); - } - } - } - return 0; - } - - ULONG GetWin32Syscall( LPCSTR FunctionName ) - { - if ( !win32u ) - { - UNICODE_STRING FileName = RTL_CONSTANT_STRING( L"\\SystemRoot\\System32\\win32u.dll" ); - - auto res = LoadFile( &FileName, &win32u ); - if ( !NT_SUCCESS( res ) ) - DBGPRINT( "[ GetWin32Syscall ] Failed to load win32u.dll 0x%X\n", res ) - } - - if ( win32u ) - { - auto Fn = PUCHAR( GetFunctionAddress( win32u, FunctionName ) ); - if ( Fn ) - { - for ( int i = 0; i < 24; ++i ) - { - if ( Fn[ i ] == 0xC2 || Fn[ i ] == 0xC3 ) - break; - - if ( Fn[ i ] == 0xB8 ) - return *( PULONG )( Fn + i + 1 ); - } - } - } - return 0; - } - - void UnloadImages() - { - if ( ntdll ) - ExFreePoolWithTag( ntdll, TAG ); - - if ( win32u ) - ExFreePoolWithTag( win32u, TAG ); - } - }; -}; - -namespace masterhide -{ - namespace utils - { - KIRQL WPOFF() - { - KIRQL Irql = KeRaiseIrqlToDpcLevel(); - UINT_PTR cr0 = __readcr0(); - - cr0 &= ~0x10000; - __writecr0( cr0 ); - _disable(); - - return Irql; - } - - void WPON( KIRQL Irql ) - { - UINT_PTR cr0 = __readcr0(); - - cr0 |= 0x10000; - _enable(); - __writecr0( cr0 ); - - KeLowerIrql( Irql ); - } - - const PUCHAR FindCodeCave( PUCHAR Code, ULONG 
ulCodeSize, size_t CaveLength ) - { - for ( unsigned i = 0, j = 0; i < ulCodeSize; i++ ) - { - if ( Code[ i ] == 0x90 || Code[ i ] == 0xCC ) - j++; - else - j = 0; - - if ( j == CaveLength ) - return PUCHAR( ( ULONG_PTR )Code + i - CaveLength + 1 ); - } - return nullptr; - } - } -}; \ No newline at end of file diff --git a/MasterHide/tools.h b/MasterHide/tools.h deleted file mode 100644 index e9edf0e..0000000 --- a/MasterHide/tools.h +++ /dev/null 
@@ -1,93 +0,0 @@ -#pragma once - -#define SYSCALL_INDEX( a ) ( *( PULONG )( ( PUCHAR )a + 1 ) ) - -inline void AllocateUnicodeString( PUNICODE_STRING us, USHORT Size ) -{ - if ( !us ) - return; - - __try - { - us->Length = 0; - us->MaximumLength = 0; - us->Buffer = PWSTR( ExAllocatePoolWithTag( NonPagedPool, Size, TAG ) ); - if ( us->Buffer ) - { - us->Length = 0; - us->MaximumLength = Size; - } - } - __except ( EXCEPTION_EXECUTE_HANDLER ) { } -} - -inline void FreeUnicodeString( PUNICODE_STRING us ) -{ - if ( !us ) - return; - - __try - { - if ( us->MaximumLength > 0 && us->Buffer ) - ExFreePoolWithTag( us->Buffer, TAG ); - - us->Length = 0; - us->MaximumLength = 0; - } - __except ( EXCEPTION_EXECUTE_HANDLER ) { } -} - -namespace masterhide -{ - namespace utils - { - extern KIRQL WPOFF(); - extern void WPON( KIRQL Irql ); - extern const PUCHAR FindCodeCave( PUCHAR Code, ULONG ulCodeSize, size_t CaveLength ); - } -}; - -namespace masterhide -{ - namespace tools - { - // - // Tools - // - extern ULONG64 FindPatternKM( const char* szModuleName, const char* szsection, const char* bmask, const char* szmask ); - extern bool GetProcessName( HANDLE PID, PUNICODE_STRING wsProcessName ); - extern bool GetProcessNameByPEPROCESS( PEPROCESS Process, PUNICODE_STRING ProcessImageName ); - extern PVOID GetNtKernelBase(); - extern PVOID GetModuleBase( const char* szModule ); - extern PEPROCESS FindPEPROCESSById( PWCH wsName ); - - inline void SwapEndianness( PCHAR ptr, size_t size ) - { - struct u16 - { - UCHAR high; - UCHAR low; - }; - - for ( u16* pStruct = ( u16* )ptr; pStruct < ( u16* )ptr + size / 2; pStruct++ ) - { - auto tmp = pStruct->low; - pStruct->low = pStruct->high; - pStruct->high = tmp; - } - } - - // - // Helpers - // - extern ULONG GetNtSyscall( LPCSTR FunctionName ); - extern ULONG GetWin32Syscall( LPCSTR FunctionName ); - extern PVOID GetImageTextSection( const ULONG64 uImageBase, ULONG* ulSectionSize ); - - // - // Misc - // - extern bool DumpMZ( PUCHAR 
pImageBase ); - extern void UnloadImages(); - } -} \ No newline at end of file diff --git a/MasterHide/winnt.h b/MasterHide/winnt.h deleted file mode 100644 index 66aa736..0000000 --- a/MasterHide/winnt.h +++ /dev/null 
@@ -1,1018 +0,0 @@ -#pragma once - -#pragma warning(push) -#pragma warning(disable: 4201) - -typedef struct _SYSTEM_HANDLE -{ - ULONG ProcessId; - UCHAR ObjectTypeNumber; - UCHAR Flags; - USHORT Handle; - PVOID Object; - ACCESS_MASK GrantedAccess; -} SYSTEM_HANDLE, * PSYSTEM_HANDLE; - -typedef struct _SYSTEM_HANDLE_INFORMATION_EX -{ - ULONG NumberOfHandles; - _SYSTEM_HANDLE Information[ 1 ]; -} _SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX; - -typedef struct _SYSTEM_HANDLE_INFORMATION -{ - ULONG NumberOfHandles; - _SYSTEM_HANDLE Information[ 1 ]; -} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION; - -typedef struct _SYSTEM_MODULE -{ - PVOID Reserved[ 2 ]; - PVOID Base; - ULONG Size; - ULONG Flags; - USHORT Index; - USHORT Unknown; - USHORT LoadCount; - USHORT ModuleNameOffset; - CHAR ImageName[ 256 ]; -} SYSTEM_MODULE, * PSYSTEM_MODULE; - -typedef struct _SYSTEM_MODULE_INFORMATION -{ - ULONG ModulesCount; - SYSTEM_MODULE Modules[ 1 ]; -} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION; - -typedef struct _SYSTEM_SERVICE_TABLE -{ - PVOID ServiceTableBase; - PVOID ServiceCounterTableBase; - ULONGLONG NumberOfServices; - PVOID ParamTableBase; -} SYSTEM_SERVICE_TABLE, * PSYSTEM_SERVICE_TABLE; - -typedef enum _SYSTEM_INFORMATION_CLASS -{ - SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION - SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION - SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION - SystemPathInformation, // not implemented - SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION - SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION - SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION - SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION - SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION - SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 
10 - SystemModuleInformation, // q: RTL_PROCESS_MODULES - SystemLocksInformation, // q: RTL_PROCESS_LOCKS - SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES - SystemPagedPoolInformation, // not implemented - SystemNonPagedPoolInformation, // not implemented - SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION - SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION - SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION - SystemVdmInstemulInformation, // q - SystemVdmBopInformation, // not implemented // 20 - SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) - SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION - SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION - SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) - SystemFullMemoryInformation, // not implemented - SystemLoadGdiDriverInformation, // s (kernel-mode only) - SystemUnloadGdiDriverInformation, // s (kernel-mode only) - SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) - SystemSummaryMemoryInformation, // not implemented - SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30 - SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) - SystemObsolete0, // not implemented - SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION - SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege) - SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION - SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION - SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires 
SeIncreaseQuotaPrivilege) - SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only - SystemPrioritySeperation, // s (requires SeTcbPrivilege) - SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40 - SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege) - SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION - SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION - SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION - SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION - SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege) - SystemSessionCreate, // not implemented - SystemSessionDetach, // not implemented - SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION) - SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50 - SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) - SystemVerifierThunkExtend, // s (kernel-mode only) - SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION - SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation) - SystemNumaProcessorMap, // q - SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation - SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION - SystemRecommendedSharedDataAlignment, // q - SystemComPlusPackage, // q; s - SystemNumaAvailableMemory, // 60 - SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION - SystemEmulationBasicInformation, // q - SystemEmulationProcessorInformation, - SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX - SystemLostDelayedWriteInformation, // q: ULONG - SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION - SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION - 
SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION - SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION - SystemObjectSecurityMode, // q: ULONG // 70 - SystemWatchdogTimerHandler, // s (kernel-mode only) - SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only) - SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION - SystemWow64SharedInformationObsolete, // not implemented - SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only) - SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION - SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX - SystemVerifierTriageInformation, // not implemented - SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation - SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80 - SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) - SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) - SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] - SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation - SystemProcessorPowerInformationEx, // not implemented - SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation - SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 - SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION - SystemErrorPortInformation, // s (requires SeTcbPrivilege) - SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90 - SystemHypervisorInformation, // 
q; s (kernel-mode only) - SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX - SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege) - SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) - SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation - SystemPrefetchPatchInformation, // not implemented - SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege) - SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION - SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION - SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100 - SystemNumaProximityNodeInformation, // q - SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege) - SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation - SystemProcessorMicrocodeUpdateInformation, // s - SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 - SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation - SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship - SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] - SystemStoreInformation, // q; s // SmQueryStoreInformation - SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110 - SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege) - SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION - SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation - SystemNativeBasicInformation, // not implemented - SystemSpare1, // not implemented - 
SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION - SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation - SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION - SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) - SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 - SystemNodeDistanceInformation, // q - SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 - SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation - SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 - SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8 - SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) - SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION - SystemBadPageInformation, - SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA - SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130 - SystemEntropyInterruptTimingCallback, - SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION - SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION - SystemThrottleNotificationInformation, - SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION - SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION - SystemDeviceDataEnumerationInformation, - SystemMemoryTopologyInformation, // q: 
SYSTEM_MEMORY_TOPOLOGY_INFORMATION
- SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
- SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
- SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
- SystemSpare0,
- SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
- SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
- SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
- SystemEntropyInterruptTimingRawInformation,
- SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
- SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
- SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
- SystemBootMetadataInformation, // 150
- SystemSoftRebootInformation,
- SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
- SystemOfflineDumpConfigInformation,
- SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
- SystemRegistryReconciliationInformation,
- SystemEdidInformation,
- SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
- SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
- SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
- SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
- SystemVmGenerationCountInformation,
- SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
- SystemKernelDebuggerFlags,
- SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
- SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
- SystemHardwareSecurityTestInterfaceResultsInformation,
- SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
- SystemAllowedCpuSetsInformation,
- SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
- SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
- SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
- SystemCodeIntegrityPolicyFullInformation,
- SystemAffinitizedInterruptProcessorInformation,
- SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
- SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
- SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
- SystemWin32WerStartCallout,
- SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
- SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
- SystemInterruptSteeringInformation, // 180
- SystemSupportedProcessorArchitectures,
- SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
- SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
- SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
- SystemControlFlowTransition,
- SystemKernelDebuggingAllowed,
- SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
- SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
- SystemCodeIntegrityPoliciesFullInformation,
- SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
- SystemIntegrityQuotaInformation,
- SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
- SystemProcessorIdleMaskInformation, // since REDSTONE3
- SystemSecureDumpEncryptionInformation,
- SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
- SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
- SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
- SystemFirmwareBootPerformanceInformation,
- SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
- SystemFirmwarePartitionInformation, // 200
- SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
- SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
- SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
- SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
- SystemCodeIntegrityUnlockModeInformation,
- SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
- SystemFlags2Information,
- MaxSystemInfoClass
-} SYSTEM_INFORMATION_CLASS;
-
-typedef struct _LDR_DATA_TABLE_ENTRY
-{
- LIST_ENTRY InLoadOrderLinks;
- LIST_ENTRY InMemoryOrderLinks;
- LIST_ENTRY InInitializationOrderLinks;
- PVOID DllBase;
- PVOID EntryPoint;
- ULONG SizeOfImage;
- UNICODE_STRING FullDllName;
- UNICODE_STRING BaseDllName;
- ULONG Flags;
- WORD LoadCount;
- WORD TlsIndex;
- union
- {
- LIST_ENTRY HashLinks;
- struct
- {
- PVOID SectionPointer;
- ULONG CheckSum;
- };
- };
- union
- {
- ULONG TimeDateStamp;
- PVOID LoadedImports;
- };
- struct _ACTIVATION_CONTEXT* EntryPointActivationContext;
- PVOID PatchInformation;
- LIST_ENTRY ForwarderLinks;
- LIST_ENTRY ServiceTagLinks;
- LIST_ENTRY StaticLinks;
-} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
-
-typedef struct _SYSTEM_PROCESS_INFO
-{
- ULONG NextEntryOffset;
- ULONG NumberOfThreads;
- LARGE_INTEGER Reserved[ 3 ];
- LARGE_INTEGER CreateTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER KernelTime;
- UNICODE_STRING ImageName;
- ULONG BasePriority;
- HANDLE ProcessId;
- HANDLE InheritedFromProcessId;
-} SYSTEM_PROCESS_INFO, * PSYSTEM_PROCESS_INFO;
-
-typedef struct _RTL_PROCESS_MODULE_INFORMATION
-{
- HANDLE Section;
- PVOID MappedBase;
- PVOID ImageBase;
- ULONG ImageSize;
- ULONG Flags;
- USHORT LoadOrderIndex;
- USHORT InitOrderIndex;
- USHORT LoadCount;
- USHORT OffsetToFileName;
- UCHAR FullPathName[ 256 ];
-} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
-
-typedef struct _RTL_PROCESS_MODULES
-{
- ULONG NumberOfModules;
- RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
-} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
-
-// private
-typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX
-{
- USHORT NextOffset;
- RTL_PROCESS_MODULE_INFORMATION BaseInfo;
- ULONG ImageChecksum;
- ULONG TimeDateStamp;
- PVOID DefaultBase;
-} RTL_PROCESS_MODULE_INFORMATION_EX, * PRTL_PROCESS_MODULE_INFORMATION_EX;
-
-#define CODEINTEGRITY_OPTION_ENABLED 0x01
-#define CODEINTEGRITY_OPTION_TESTSIGN 0x02
-#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x04
-#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x08
-#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x10
-#define CODEINTEGRITY_OPTION_TEST_BUILD 0x20
-#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x40
-#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x80
-#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x100
-#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x200
-#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x400
-#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x800
-#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
-#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000
-
-typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
- ULONG Length;
- ULONG CodeIntegrityOptions;
-} SYSTEM_CODEINTEGRITY_INFORMATION, * PSYSTEM_CODEINTEGRITY_INFORMATION;
-
-#pragma warning(pop)
-
-//
-// IDE command definitions
-//
-#define IDE_COMMAND_NOP 0x00
-#define IDE_COMMAND_DATA_SET_MANAGEMENT 0x06
-#define IDE_COMMAND_ATAPI_RESET 0x08
-#define IDE_COMMAND_READ 0x20
-#define IDE_COMMAND_READ_EXT 0x24
-#define IDE_COMMAND_READ_DMA_EXT 0x25
-#define IDE_COMMAND_READ_DMA_QUEUED_EXT 0x26
-#define IDE_COMMAND_READ_MULTIPLE_EXT 0x29
-#define IDE_COMMAND_READ_LOG_EXT 0x2f
-#define IDE_COMMAND_WRITE 0x30
-#define IDE_COMMAND_WRITE_EXT 0x34
-#define IDE_COMMAND_WRITE_DMA_EXT 0x35
-#define IDE_COMMAND_WRITE_DMA_QUEUED_EXT 0x36
-#define IDE_COMMAND_WRITE_MULTIPLE_EXT 0x39
-#define IDE_COMMAND_WRITE_DMA_FUA_EXT 0x3D
-#define IDE_COMMAND_WRITE_DMA_QUEUED_FUA_EXT 0x3E
-#define IDE_COMMAND_WRITE_LOG_EXT 0x3f
-#define IDE_COMMAND_VERIFY 0x40
-#define IDE_COMMAND_VERIFY_EXT 0x42
-#define IDE_COMMAND_WRITE_LOG_DMA_EXT 0x57
-#define IDE_COMMAND_TRUSTED_NON_DATA 0x5B
-#define IDE_COMMAND_TRUSTED_RECEIVE 0x5C
-#define IDE_COMMAND_TRUSTED_RECEIVE_DMA 0x5D
-#define IDE_COMMAND_TRUSTED_SEND 0x5E
-#define IDE_COMMAND_TRUSTED_SEND_DMA 0x5F
-#define IDE_COMMAND_READ_FPDMA_QUEUED 0x60 // NCQ Read command
-#define IDE_COMMAND_WRITE_FPDMA_QUEUED 0x61 // NCQ Write command
-#define IDE_COMMAND_NCQ_NON_DATA 0x63 // NCQ Non-Data command
-#define IDE_COMMAND_SEND_FPDMA_QUEUED 0x64 // NCQ Send command
-#define IDE_COMMAND_RECEIVE_FPDMA_QUEUED 0x65 // NCQ Receive command
-#define IDE_COMMAND_SET_DATE_AND_TIME 0x77 // optional 48bit command
-#define IDE_COMMAND_EXECUTE_DEVICE_DIAGNOSTIC 0x90
-#define IDE_COMMAND_SET_DRIVE_PARAMETERS 0x91
-#define IDE_COMMAND_ATAPI_PACKET 0xA0
-#define IDE_COMMAND_ATAPI_IDENTIFY 0xA1
-#define IDE_COMMAND_SMART 0xB0
-#define IDE_COMMAND_READ_LOG_DMA_EXT 0xB1
-#define IDE_COMMAND_SANITIZE_DEVICE 0xB4
-#define IDE_COMMAND_READ_MULTIPLE 0xC4
-#define IDE_COMMAND_WRITE_MULTIPLE 0xC5
-#define IDE_COMMAND_SET_MULTIPLE 0xC6
-#define IDE_COMMAND_READ_DMA 0xC8
-#define IDE_COMMAND_WRITE_DMA 0xCA
-#define IDE_COMMAND_WRITE_DMA_QUEUED 0xCC
-#define IDE_COMMAND_WRITE_MULTIPLE_FUA_EXT 0xCE
-#define IDE_COMMAND_GET_MEDIA_STATUS 0xDA
-#define IDE_COMMAND_DOOR_LOCK 0xDE
-#define IDE_COMMAND_DOOR_UNLOCK 0xDF
-#define IDE_COMMAND_STANDBY_IMMEDIATE 0xE0
-#define IDE_COMMAND_IDLE_IMMEDIATE 0xE1
-#define IDE_COMMAND_CHECK_POWER 0xE5
-#define IDE_COMMAND_SLEEP 0xE6
-#define IDE_COMMAND_FLUSH_CACHE 0xE7
-#define IDE_COMMAND_FLUSH_CACHE_EXT 0xEA
-#define IDE_COMMAND_IDENTIFY 0xEC
-#define IDE_COMMAND_MEDIA_EJECT 0xED
-#define IDE_COMMAND_SET_FEATURE 0xEF
-#define IDE_COMMAND_SECURITY_SET_PASSWORD 0xF1
-#define IDE_COMMAND_SECURITY_UNLOCK 0xF2
-#define IDE_COMMAND_SECURITY_ERASE_PREPARE 0xF3
-#define IDE_COMMAND_SECURITY_ERASE_UNIT 0xF4
-#define IDE_COMMAND_SECURITY_FREEZE_LOCK 0xF5
-#define IDE_COMMAND_SECURITY_DISABLE_PASSWORD 0xF6
-#define IDE_COMMAND_NOT_VALID 0xFF
-
-//
-// IDE status definitions
-//
-#define IDE_STATUS_ERROR 0x01
-#define IDE_STATUS_INDEX 0x02
-#define IDE_STATUS_CORRECTED_ERROR 0x04
-#define IDE_STATUS_DRQ 0x08
-#define IDE_STATUS_DSC 0x10
-#define IDE_STATUS_DEVICE_FAULT 0x20
-#define IDE_STATUS_DRDY 0x40
-#define IDE_STATUS_IDLE 0x50
-#define IDE_STATUS_BUSY 0x80
-
-typedef struct _IDSECTOR {
- USHORT wGenConfig;
- USHORT wNumCyls;
- USHORT wReserved;
- USHORT wNumHeads;
- USHORT wBytesPerTrack;
- USHORT wBytesPerSector;
- USHORT wSectorsPerTrack;
- USHORT wVendorUnique[ 3 ];
- CHAR sSerialNumber[ 20 ];
- USHORT wBufferType;
- USHORT wBufferSize;
- USHORT wECCSize;
- CHAR sFirmwareRev[ 8 ];
- CHAR sModelNumber[ 40 ];
- USHORT wMoreVendorUnique;
- USHORT wDoubleWordIO;
- USHORT wCapabilities;
- USHORT wReserved1;
- USHORT wPIOTiming;
- USHORT wDMATiming;
- USHORT wBS;
- USHORT wNumCurrentCyls;
- USHORT wNumCurrentHeads;
- USHORT wNumCurrentSectorsPerTrack;
- ULONG ulCurrentSectorCapacity;
- USHORT wMultSectorStuff;
- ULONG ulTotalAddressableSectors;
- USHORT wSingleWordDMA;
- USHORT wMultiWordDMA;
- BYTE bReserved[ 128 ];
-} IDSECTOR, * PIDSECTOR;
-
-#pragma pack(push, id_device_data, 1)
-typedef struct _IDENTIFY_DEVICE_DATA {
-
- struct {
- USHORT Reserved1 : 1;
- USHORT Retired3 : 1;
- USHORT ResponseIncomplete : 1;
- USHORT Retired2 : 3;
- USHORT FixedDevice : 1; // obsolete
- USHORT RemovableMedia : 1; // obsolete
- USHORT Retired1 : 7;
- USHORT DeviceType : 1;
- } GeneralConfiguration; // word 0
-
- USHORT NumCylinders; // word 1, obsolete
- USHORT SpecificConfiguration; // word 2
- USHORT NumHeads; // word 3, obsolete
- USHORT Retired1[ 2 ];
- USHORT NumSectorsPerTrack; // word 6, obsolete
- USHORT VendorUnique1[ 3 ];
- UCHAR SerialNumber[ 20 ]; // word 10-19
- USHORT Retired2[ 2 ];
- USHORT Obsolete1;
- UCHAR FirmwareRevision[ 8 ]; // word 23-26
- UCHAR ModelNumber[ 40 ]; // word 27-46
- UCHAR MaximumBlockTransfer; // word 47. 01h-10h = Maximum number of sectors that shall be transferred per interrupt on READ/WRITE MULTIPLE commands
- UCHAR VendorUnique2;
-
- struct {
- USHORT FeatureSupported : 1;
- USHORT Reserved : 15;
- }TrustedComputing; // word 48
-
- struct {
- UCHAR CurrentLongPhysicalSectorAlignment : 2;
- UCHAR ReservedByte49 : 6;
-
- UCHAR DmaSupported : 1;
- UCHAR LbaSupported : 1; // Shall be set to one to indicate that LBA is supported.
- UCHAR IordyDisable : 1;
- UCHAR IordySupported : 1;
- UCHAR Reserved1 : 1; // Reserved for the IDENTIFY PACKET DEVICE command
- UCHAR StandybyTimerSupport : 1;
- UCHAR Reserved2 : 2; // Reserved for the IDENTIFY PACKET DEVICE command
-
- USHORT ReservedWord50;
- }Capabilities; // word 49-50
-
- USHORT ObsoleteWords51[ 2 ];
-
- USHORT TranslationFieldsValid : 3; // word 53, bit 0 - Obsolete; bit 1 - words 70:64 valid; bit 2; word 88 valid
- USHORT Reserved3 : 5;
- USHORT FreeFallControlSensitivity : 8;
-
- USHORT NumberOfCurrentCylinders; // word 54, obsolete
- USHORT NumberOfCurrentHeads; // word 55, obsolete
- USHORT CurrentSectorsPerTrack; // word 56, obsolete
- ULONG CurrentSectorCapacity; // word 57, word 58, obsolete
-
- UCHAR CurrentMultiSectorSetting; // word 59
- UCHAR MultiSectorSettingValid : 1;
- UCHAR ReservedByte59 : 3;
- UCHAR SanitizeFeatureSupported : 1;
- UCHAR CryptoScrambleExtCommandSupported : 1;
- UCHAR OverwriteExtCommandSupported : 1;
- UCHAR BlockEraseExtCommandSupported : 1;
-
- ULONG UserAddressableSectors; // word 60-61, for 28-bit commands
-
- USHORT ObsoleteWord62;
-
- USHORT MultiWordDMASupport : 8; // word 63
- USHORT MultiWordDMAActive : 8;
-
- USHORT AdvancedPIOModes : 8; // word 64. bit 0:1 - PIO mode supported
- USHORT ReservedByte64 : 8;
-
- USHORT MinimumMWXferCycleTime; // word 65
- USHORT RecommendedMWXferCycleTime; // word 66
- USHORT MinimumPIOCycleTime; // word 67
- USHORT MinimumPIOCycleTimeIORDY; // word 68
-
- struct {
- USHORT Reserved : 2;
- USHORT NonVolatileWriteCache : 1; // All write cache is non-volatile
- USHORT ExtendedUserAddressableSectorsSupported : 1;
- USHORT DeviceEncryptsAllUserData : 1;
- USHORT ReadZeroAfterTrimSupported : 1;
- USHORT Optional28BitCommandsSupported : 1;
- USHORT IEEE1667 : 1; // Reserved for IEEE 1667
- USHORT DownloadMicrocodeDmaSupported : 1;
- USHORT SetMaxSetPasswordUnlockDmaSupported : 1;
- USHORT WriteBufferDmaSupported : 1;
- USHORT ReadBufferDmaSupported : 1;
- USHORT DeviceConfigIdentifySetDmaSupported : 1; // obsolete
- USHORT LPSAERCSupported : 1; // Long Physical Sector Alignment Error Reporting Control is supported.
- USHORT DeterministicReadAfterTrimSupported : 1;
- USHORT CFastSpecSupported : 1;
- }AdditionalSupported; // word 69
-
- USHORT ReservedWords70[ 5 ]; // word 70 - reserved
- // word 71:74 - Reserved for the IDENTIFY PACKET DEVICE command
-
- //Word 75
- USHORT QueueDepth : 5; // Maximum queue depth - 1
- USHORT ReservedWord75 : 11;
-
- struct {
- // Word 76
- USHORT Reserved0 : 1; // shall be set to 0
- USHORT SataGen1 : 1; // Supports SATA Gen1 Signaling Speed (1.5Gb/s)
- USHORT SataGen2 : 1; // Supports SATA Gen2 Signaling Speed (3.0Gb/s)
- USHORT SataGen3 : 1; // Supports SATA Gen3 Signaling Speed (6.0Gb/s)
-
- USHORT Reserved1 : 4;
-
- USHORT NCQ : 1; // Supports the NCQ feature set
- USHORT HIPM : 1; // Supports HIPM
- USHORT PhyEvents : 1; // Supports the SATA Phy Event Counters log
- USHORT NcqUnload : 1; // Supports Unload while NCQ commands are outstanding
-
- USHORT NcqPriority : 1; // Supports NCQ priority information
- USHORT HostAutoPS : 1; // Supports Host Automatic Partial to Slumber transitions
- USHORT DeviceAutoPS : 1; // Supports Device Automatic Partial to Slumber transitions
- USHORT ReadLogDMA : 1; // Supports READ LOG DMA EXT as equivalent to READ LOG EXT
-
- // Word 77
- USHORT Reserved2 : 1; // shall be set to 0
- USHORT CurrentSpeed : 3; // Coded value indicating current negotiated Serial ATA signal speed
-
- USHORT NcqStreaming : 1; // Supports NCQ Streaming
- USHORT NcqQueueMgmt : 1; // Supports NCQ Queue Management Command
- USHORT NcqReceiveSend : 1; // Supports RECEIVE FPDMA QUEUED and SEND FPDMA QUEUED commands
- USHORT DEVSLPtoReducedPwrState : 1;
-
- USHORT Reserved3 : 8;
- }SerialAtaCapabilities;
-
- // Word 78
- struct {
- USHORT Reserved0 : 1; //shall be set to 0
- USHORT NonZeroOffsets : 1; // Device supports non-zero buffer offsets in DMA Setup FIS
- USHORT DmaSetupAutoActivate : 1; // Device supports DMA Setup auto-activation
- USHORT DIPM : 1; // Device supports DIPM
-
- USHORT InOrderData : 1; // Device supports in-order data delivery
- USHORT HardwareFeatureControl : 1; // Hardware Feature Control is supported
- USHORT SoftwareSettingsPreservation : 1; // Device supports Software Settings Preservation
- USHORT NCQAutosense : 1; // Supports NCQ Autosense
-
- USHORT DEVSLP : 1; // Device supports link power state - device sleep
- USHORT HybridInformation : 1; // Device supports Hybrid Information Feature (If the device does not support NCQ (word 76 bit 8 is 0), then this bit shall be cleared to 0.)
-
- USHORT Reserved1 : 6;
- }SerialAtaFeaturesSupported;
-
- // Word 79
- struct {
- USHORT Reserved0 : 1; // shall be set to 0
- USHORT NonZeroOffsets : 1; // Non-zero buffer offsets in DMA Setup FIS enabled
- USHORT DmaSetupAutoActivate : 1; // DMA Setup auto-activation optimization enabled
- USHORT DIPM : 1; // DIPM enabled
-
- USHORT InOrderData : 1; // In-order data delivery enabled
- USHORT HardwareFeatureControl : 1; // Hardware Feature Control is enabled
- USHORT SoftwareSettingsPreservation : 1; // Software Settings Preservation enabled
- USHORT DeviceAutoPS : 1; // Device Automatic Partial to Slumber transitions enabled
-
- USHORT DEVSLP : 1; // link power state - device sleep is enabled
- USHORT HybridInformation : 1; // Hybrid Information Feature is enabled
-
- USHORT Reserved1 : 6;
- }SerialAtaFeaturesEnabled;
-
- USHORT MajorRevision; // word 80. bit 5 - supports ATA5; bit 6 - supports ATA6; bit 7 - supports ATA7; bit 8 - supports ATA8-ACS; bit 9 - supports ACS-2;
- USHORT MinorRevision; // word 81. T13 minior version number
-
- struct {
-
- //
- // Word 82
- //
- USHORT SmartCommands : 1; // The SMART feature set is supported
- USHORT SecurityMode : 1; // The Security feature set is supported
- USHORT RemovableMediaFeature : 1; // obsolete
- USHORT PowerManagement : 1; // shall be set to 1
- USHORT Reserved1 : 1; // PACKET feature set, set to 0 indicates not supported for ATA devices (only support for ATAPI devices)
- USHORT WriteCache : 1; // The volatile write cache is supported
- USHORT LookAhead : 1; // Read look-ahead is supported
- USHORT ReleaseInterrupt : 1; // obsolete
- USHORT ServiceInterrupt : 1; // obsolete
- USHORT DeviceReset : 1; // Shall be cleared to zero to indicate that the DEVICE RESET command is not supported
- USHORT HostProtectedArea : 1; // obsolete
- USHORT Obsolete1 : 1;
- USHORT WriteBuffer : 1; // The WRITE BUFFER command is supported
- USHORT ReadBuffer : 1; // The READ BUFFER command is supported
- USHORT Nop : 1; // The NOP command is supported
- USHORT Obsolete2 : 1;
-
- //
- // Word 83
- //
- USHORT DownloadMicrocode : 1; // The DOWNLOAD MICROCODE command is supported
- USHORT DmaQueued : 1; // obsolete
- USHORT Cfa : 1; // The CFA feature set is supported
- USHORT AdvancedPm : 1; // The APM feature set is supported
- USHORT Msn : 1; // obsolete
- USHORT PowerUpInStandby : 1; // The PUIS feature set is supported
- USHORT ManualPowerUp : 1; // SET FEATURES subcommand is required to spin-up after power-up
- USHORT Reserved2 : 1;
- USHORT SetMax : 1; // obsolete
- USHORT Acoustics : 1; // obsolete
- USHORT BigLba : 1; // The 48-bit Address feature set is supported
- USHORT DeviceConfigOverlay : 1; // obsolete
- USHORT FlushCache : 1; // Shall be set to one to indicate that the mandatory FLUSH CACHE command is supported
- USHORT FlushCacheExt : 1; // The FLUSH CACHE EXT command is supported
- USHORT WordValid83 : 2; // shall be 01b
-
-
- //
- // Word 84
- //
- USHORT SmartErrorLog : 1; // SMART error logging is supported
- USHORT SmartSelfTest : 1; // The SMART self-test is supported
- USHORT MediaSerialNumber : 1; // Media serial number is supported
- USHORT MediaCardPassThrough : 1; // obsolete
- USHORT StreamingFeature : 1; // The Streaming feature set is supported
- USHORT GpLogging : 1; // The GPL feature set is supported
- USHORT WriteFua : 1; // The WRITE DMA FUA EXT and WRITE MULTIPLE FUA EXT commands are supported
- USHORT WriteQueuedFua : 1; // obsolete
- USHORT WWN64Bit : 1; // The 64-bit World wide name is supported
- USHORT URGReadStream : 1; // obsolete
- USHORT URGWriteStream : 1; // obsolete
- USHORT ReservedForTechReport : 2;
- USHORT IdleWithUnloadFeature : 1; // The IDLE IMMEDIATE command with UNLOAD feature is supported
- USHORT WordValid : 2; // shall be 01b
-
- }CommandSetSupport;
-
- struct {
-
- //
- // Word 85
- //
- USHORT SmartCommands : 1; // The SMART feature set is enabled
- USHORT SecurityMode : 1; // The Security feature set is enabled
- USHORT RemovableMediaFeature : 1; // obsolete
- USHORT PowerManagement : 1; // Shall be set to one to indicate that the mandatory Power Management feature set is supported
- USHORT Reserved1 : 1; // Shall be cleared to zero to indicate that the PACKET feature set is not supported
- USHORT WriteCache : 1; // The volatile write cache is enabled
- USHORT LookAhead : 1; // Read look-ahead is enabled
- USHORT ReleaseInterrupt : 1; // The release interrupt is enabled
- USHORT ServiceInterrupt : 1; // The SERVICE interrupt is enabled
- USHORT DeviceReset : 1; // Shall be cleared to zero to indicate that the DEVICE RESET command is not supported
- USHORT HostProtectedArea : 1; // obsolete
- USHORT Obsolete1 : 1;
- USHORT WriteBuffer : 1; // The WRITE BUFFER command is supported
- USHORT ReadBuffer : 1; // The READ BUFFER command is supported
- USHORT Nop : 1; // The NOP command is supported
- USHORT Obsolete2 : 1;
-
- //
- // Word 86
- //
- USHORT DownloadMicrocode : 1; // The DOWNLOAD MICROCODE command is supported
- USHORT DmaQueued : 1; // obsolete
- USHORT Cfa : 1; // The CFA feature set is supported
- USHORT AdvancedPm : 1; // The APM feature set is enabled
- USHORT Msn : 1; // obsolete
- USHORT PowerUpInStandby : 1; // The PUIS feature set is enabled
- USHORT ManualPowerUp : 1; // SET FEATURES subcommand is required to spin-up after power-up
- USHORT Reserved2 : 1;
- USHORT SetMax : 1; // obsolete
- USHORT Acoustics : 1; // obsolete
- USHORT BigLba : 1; // The 48-bit Address features set is supported
- USHORT DeviceConfigOverlay : 1; // obsolete
- USHORT FlushCache : 1; // FLUSH CACHE command supported
- USHORT FlushCacheExt : 1; // FLUSH CACHE EXT command supported
- USHORT Resrved3 : 1;
- USHORT Words119_120Valid : 1; // Words 119..120 are valid
-
- //
- // Word 87
- //
- USHORT SmartErrorLog : 1; // SMART error logging is supported
- USHORT SmartSelfTest : 1; // SMART self-test supported
- USHORT MediaSerialNumber : 1; // Media serial number is valid
- USHORT MediaCardPassThrough : 1; // obsolete
- USHORT StreamingFeature : 1; // obsolete
- USHORT GpLogging : 1; // The GPL feature set is supported
- USHORT WriteFua : 1; // The WRITE DMA FUA EXT and WRITE MULTIPLE FUA EXT commands are supported
- USHORT WriteQueuedFua : 1; // obsolete
- USHORT WWN64Bit : 1; // The 64-bit World wide name is supported
- USHORT URGReadStream : 1; // obsolete
- USHORT URGWriteStream : 1; // obsolete
- USHORT ReservedForTechReport : 2;
- USHORT IdleWithUnloadFeature : 1; // The IDLE IMMEDIATE command with UNLOAD FEATURE is supported
- USHORT Reserved4 : 2; // bit 14 shall be set to 1; bit 15 shall be cleared to 0
-
- }CommandSetActive;
-
- USHORT UltraDMASupport : 8; // word 88. bit 0 - UDMA mode 0 is supported ... bit 6 - UDMA mode 6 and below are supported
- USHORT UltraDMAActive : 8; // word 88. bit 8 - UDMA mode 0 is selected ... bit 14 - UDMA mode 6 is selected
-
- struct { // word 89
- USHORT TimeRequired : 15;
- USHORT ExtendedTimeReported : 1;
- } NormalSecurityEraseUnit;
-
- struct { // word 90
- USHORT TimeRequired : 15;
- USHORT ExtendedTimeReported : 1;
- } EnhancedSecurityEraseUnit;
-
- USHORT CurrentAPMLevel : 8; // word 91
- USHORT ReservedWord91 : 8;
-
- USHORT MasterPasswordID; // word 92. Master Password Identifier
-
- USHORT HardwareResetResult; // word 93
-
- USHORT CurrentAcousticValue : 8; // word 94. obsolete
- USHORT RecommendedAcousticValue : 8;
-
- USHORT StreamMinRequestSize; // word 95
- USHORT StreamingTransferTimeDMA; // word 96
- USHORT StreamingAccessLatencyDMAPIO; // word 97
- ULONG StreamingPerfGranularity; // word 98, 99
-
- ULONG Max48BitLBA[ 2 ]; // word 100-103
-
- USHORT StreamingTransferTime; // word 104. Streaming Transfer Time - PIO
-
- USHORT DsmCap; // word 105
-
- struct {
- USHORT LogicalSectorsPerPhysicalSector : 4; // n power of 2: logical sectors per physical sector
- USHORT Reserved0 : 8;
- USHORT LogicalSectorLongerThan256Words : 1;
- USHORT MultipleLogicalSectorsPerPhysicalSector : 1;
- USHORT Reserved1 : 2; // bit 14 - shall be set to 1; bit 15 - shall be clear to 0
- } PhysicalLogicalSectorSize; // word 106
-
- USHORT InterSeekDelay; //word 107. Inter-seek delay for ISO 7779 standard acoustic testing
- USHORT WorldWideName[ 4 ]; //words 108-111
- USHORT ReservedForWorldWideName128[ 4 ]; //words 112-115
- USHORT ReservedForTlcTechnicalReport; //word 116
- USHORT WordsPerLogicalSector[ 2 ]; //words 117-118 Logical sector size (DWord)
-
- struct {
- USHORT ReservedForDrqTechnicalReport : 1;
- USHORT WriteReadVerify : 1; // The Write-Read-Verify feature set is supported
- USHORT WriteUncorrectableExt : 1; // The WRITE UNCORRECTABLE EXT command is supported
- USHORT ReadWriteLogDmaExt : 1; // The READ LOG DMA EXT and WRITE LOG DMA EXT commands are supported
- USHORT DownloadMicrocodeMode3 : 1; // Download Microcode mode 3 is supported
- USHORT FreefallControl : 1; // The Free-fall Control feature set is supported
- USHORT SenseDataReporting : 1; // Sense Data Reporting feature set is supported
- USHORT ExtendedPowerConditions : 1; // Extended Power Conditions feature set is supported
- USHORT Reserved0 : 6;
- USHORT WordValid : 2; // shall be 01b
- }CommandSetSupportExt; //word 119
-
- struct {
- USHORT ReservedForDrqTechnicalReport : 1;
- USHORT WriteReadVerify : 1; // The Write-Read-Verify feature set is enabled
- USHORT WriteUncorrectableExt : 1; // The WRITE UNCORRECTABLE EXT command is supported
- USHORT ReadWriteLogDmaExt : 1; // The READ LOG DMA EXT and WRITE LOG DMA EXT commands are supported
- USHORT DownloadMicrocodeMode3 : 1; // Download Microcode mode 3 is supported
- USHORT FreefallControl : 1; // The Free-fall Control feature set is enabled
- USHORT SenseDataReporting : 1; // Sense Data Reporting feature set is enabled
- USHORT ExtendedPowerConditions : 1; // Extended Power Conditions feature set is enabled
- USHORT Reserved0 : 6;
- USHORT Reserved1 : 2; // bit 14 - shall be set to 1; bit 15 - shall be clear to 0
- }CommandSetActiveExt; //word 120
-
- USHORT ReservedForExpandedSupportandActive[ 6 ];
-
- USHORT MsnSupport : 2; //word 127. obsolete
- USHORT ReservedWord127 : 14;
-
- struct { //word 128
- USHORT SecuritySupported : 1;
- USHORT SecurityEnabled : 1;
- USHORT SecurityLocked : 1;
- USHORT SecurityFrozen : 1;
- USHORT SecurityCountExpired : 1;
- USHORT EnhancedSecurityEraseSupported : 1;
- USHORT Reserved0 : 2;
- USHORT SecurityLevel : 1; // Master Password Capability: 0 = High, 1 = Maximum
- USHORT Reserved1 : 7;
- } SecurityStatus;
-
- USHORT ReservedWord129[ 31 ]; //word 129...159. Vendor specific
-
- struct { //word 160
- USHORT MaximumCurrentInMA : 12;
- USHORT CfaPowerMode1Disabled : 1;
- USHORT CfaPowerMode1Required : 1;
- USHORT Reserved0 : 1;
- USHORT Word160Supported : 1;
- } CfaPowerMode1;
-
- USHORT ReservedForCfaWord161[ 7 ]; //Words 161-167
-
- USHORT NominalFormFactor : 4; //Word 168
- USHORT ReservedWord168 : 12;
-
- struct { //Word 169
- USHORT SupportsTrim : 1;
- USHORT Reserved0 : 15;
- } DataSetManagementFeature;
-
- USHORT AdditionalProductID[ 4 ]; //Words 170-173
-
- USHORT ReservedForCfaWord174[ 2 ]; //Words 174-175
-
- USHORT CurrentMediaSerialNumber[ 30 ]; //Words 176-205
-
- struct { //Word 206
- USHORT Supported : 1; // The SCT Command Transport is supported
- USHORT Reserved0 : 1; // obsolete
- USHORT WriteSameSuported : 1; // The SCT Write Same command is supported
- USHORT ErrorRecoveryControlSupported : 1; // The SCT Error Recovery Control command is supported
- USHORT FeatureControlSuported : 1; // The SCT Feature Control command is supported
- USHORT DataTablesSuported : 1; // The SCT Data Tables command is supported
- USHORT Reserved1 : 6;
- USHORT VendorSpecific : 4;
- } SCTCommandTransport;
-
- USHORT ReservedWord207[ 2 ]; //Words 207-208
-
- struct { //Word 209
- USHORT AlignmentOfLogicalWithinPhysical : 14;
- USHORT Word209Supported : 1; // shall be set to 1
- USHORT Reserved0 : 1; // shall be cleared to 0
- } BlockAlignment;
-
- USHORT WriteReadVerifySectorCountMode3Only[ 2 ]; //Words 210-211
- USHORT WriteReadVerifySectorCountMode2Only[ 2 ]; //Words 212-213
-
- struct {
- USHORT NVCachePowerModeEnabled : 1;
- USHORT Reserved0 : 3;
- USHORT NVCacheFeatureSetEnabled : 1;
- USHORT Reserved1 : 3;
- USHORT NVCachePowerModeVersion : 4;
- USHORT NVCacheFeatureSetVersion : 4;
- } NVCacheCapabilities; //Word 214. obsolete
- USHORT NVCacheSizeLSW; //Word 215. obsolete
- USHORT NVCacheSizeMSW; //Word 216. obsolete
-
- USHORT NominalMediaRotationRate; //Word 217; value 0001h means non-rotating media.
-
- USHORT ReservedWord218; //Word 218
-
- struct {
- UCHAR NVCacheEstimatedTimeToSpinUpInSeconds;
- UCHAR Reserved;
- } NVCacheOptions; //Word 219. obsolete
-
- USHORT WriteReadVerifySectorCountMode : 8; //Word 220. Write-Read-Verify feature set current mode
- USHORT ReservedWord220 : 8;
-
- USHORT ReservedWord221; //Word 221
-
- struct { //Word 222 Transport major version number
- USHORT MajorVersion : 12; // 0000h or FFFFh = device does not report version
- USHORT TransportType : 4;
- } TransportMajorVersion;
-
- USHORT TransportMinorVersion; // Word 223
-
- USHORT ReservedWord224[ 6 ]; // Word 224...229
-
- ULONG ExtendedNumberOfUserAddressableSectors[ 2 ]; // Words 230...233 Extended Number of User Addressable Sectors
-
- USHORT MinBlocksPerDownloadMicrocodeMode03; // Word 234 Minimum number of 512-byte data blocks per Download Microcode mode 03h operation
- USHORT MaxBlocksPerDownloadMicrocodeMode03; // Word 235 Maximum number of 512-byte data blocks per Download Microcode mode 03h operation
-
- USHORT ReservedWord236[ 19 ]; // Word 236...254
-
- USHORT Signature : 8; //Word 255
- USHORT CheckSum : 8;
-
-} IDENTIFY_DEVICE_DATA, * PIDENTIFY_DEVICE_DATA;
-#pragma pack (pop, id_device_data)
-
-extern "C"
-{
- NTSYSAPI POBJECT_TYPE* IoDriverObjectType;
-
- NTSYSAPI BOOLEAN
- NTAPI
- PsIsProtectedProcess(
- _In_ PEPROCESS Process
- );
-
- NTSYSAPI
- BOOLEAN
- NTAPI
- PsIsSystemProcess(
- _In_ PEPROCESS Process
- );
-
- NTSYSAPI
- PVOID
- PsGetProcessSectionBaseAddress(
- __in PEPROCESS Process
- );
-
- NTSYSAPI NTSTATUS NTAPI
- ObReferenceObjectByName(
- __in PUNICODE_STRING ObjectName,
- __in ULONG Attributes,
- __in_opt PACCESS_STATE AccessState,
- __in_opt ACCESS_MASK DesiredAccess,
- __in POBJECT_TYPE ObjectType,
- __in KPROCESSOR_MODE AccessMode,
- __inout_opt PVOID ParseContext,
- __out PVOID* Object
- );
-
- NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
- _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
- _Inout_ PVOID SystemInformation,
- _In_ ULONG SystemInformationLength,
- _Out_opt_ PULONG ReturnLength
- );
-
- NTSYSAPI NTSTATUS WINAPI ZwQueryInformationProcess(
- _In_ HANDLE ProcessHandle,
- _In_ PROCESSINFOCLASS ProcessInformationClass,
- _Out_ PVOID ProcessInformation,
- _In_ ULONG ProcessInformationLength,
- _Out_opt_ PULONG ReturnLength
- );
-};
\ No newline at end of file
diff --git a/MasterHide/winnt.hpp b/MasterHide/winnt.hpp
new file mode 100644
index 0000000..ce38dfb
--- /dev/null
+++ b/MasterHide/winnt.hpp
@@ -0,0 +1,1048 @@
+#pragma once
+
+#pragma warning(push)
+#pragma warning(disable : 4201)
+
+typedef struct _SYSTEM_HANDLE
+{
+ ULONG ProcessId;
+ UCHAR ObjectTypeNumber;
+ UCHAR Flags;
+ USHORT Handle;
+ PVOID Object;
+ ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION_EX
+{
+ ULONG NumberOfHandles;
+ _SYSTEM_HANDLE Information[1];
+} _SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+ ULONG NumberOfHandles;
+ _SYSTEM_HANDLE Information[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+typedef struct _SYSTEM_MODULE
+{
+ PVOID Reserved[2];
+ PVOID Base;
+ ULONG Size;
+ ULONG Flags;
+ USHORT Index;
+ USHORT Unknown;
+ USHORT LoadCount;
+ USHORT ModuleNameOffset;
+ CHAR ImageName[256];
+} SYSTEM_MODULE, *PSYSTEM_MODULE;
+
+typedef struct _SYSTEM_MODULE_INFORMATION
+{
+ ULONG ModulesCount;
+ SYSTEM_MODULE Modules[1];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+typedef struct _SYSTEM_SERVICE_TABLE
+{
+ PVOID ServiceTableBase;
+ PVOID ServiceCounterTableBase;
+ ULONGLONG NumberOfServices;
+ PVOID ParamTableBase;
+} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;
+
+typedef enum _SYSTEM_INFORMATION_CLASS
+{
+ SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
+ SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
+ SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
+ SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
+ SystemPathInformation, // not implemented
+ SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
+ SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
+ SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
+ SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
+ SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
+ SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
+
SystemModuleInformation, // q: RTL_PROCESS_MODULES
+ SystemLocksInformation, // q: RTL_PROCESS_LOCKS
+ SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
+ SystemPagedPoolInformation, // not implemented
+ SystemNonPagedPoolInformation, // not implemented
+ SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
+ SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
+ SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
+ SystemVdmInstemulInformation, // q
+ SystemVdmBopInformation, // not implemented // 20
+ SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for
+ // WorkingSetTypeSystemCache)
+ SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
+ SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
+ SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires
+ // SeLoadDriverPrivilege)
+ SystemFullMemoryInformation, // not implemented
+ SystemLoadGdiDriverInformation, // s (kernel-mode only)
+ SystemUnloadGdiDriverInformation, // s (kernel-mode only)
+ SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION
+ // (requires SeSystemtimePrivilege)
+ SystemSummaryMemoryInformation, // not implemented
+ SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires
+ // SeShutdownPrivilege) // 30
+ SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
+ SystemObsolete0, // not implemented
+ SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
+ SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)
+ SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
+ SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
+ SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s
(requires SeIncreaseQuotaPrivilege)
+ SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
+ SystemPrioritySeperation, // s (requires SeTcbPrivilege)
+ SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
+ SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
+ SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
+ SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
+ SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
+ SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
+ SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
+ SystemSessionCreate, // not implemented
+ SystemSessionDetach, // not implemented
+ SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
+ SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
+ SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
+ SystemVerifierThunkExtend, // s (kernel-mode only)
+ SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
+ SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
+ SystemNumaProcessorMap, // q
+ SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION //
+ // PfSnQueryPrefetcherInformation
+ SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
+ SystemRecommendedSharedDataAlignment, // q
+ SystemComPlusPackage, // q; s
+ SystemNumaAvailableMemory, // 60
+ SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
+ SystemEmulationBasicInformation, // q
+ SystemEmulationProcessorInformation,
+ SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
+ SystemLostDelayedWriteInformation, // q: ULONG
+ SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
+ SystemSessionPoolTagInformation, // q:
SYSTEM_SESSION_POOLTAG_INFORMATION
+ SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
+ SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
+ SystemObjectSecurityMode, // q: ULONG // 70
+ SystemWatchdogTimerHandler, // s (kernel-mode only)
+ SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
+ SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
+ SystemWow64SharedInformationObsolete, // not implemented
+ SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
+ SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
+ SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
+ SystemVerifierTriageInformation, // not implemented
+ SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
+ SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires
+ // SeProfileSingleProcessPrivilege) // 80
+ SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as
+ // SystemFileCacheInformation)
+ SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires
+ // SeIncreaseBasePriorityPrivilege)
+ SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
+ SystemVerifierCancellationInformation, // not implemented //
+ // name:wow64:whNT32QuerySystemVerifierCancellationInformation
+ SystemProcessorPowerInformationEx, // not implemented
+ SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
+ SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then
+ // MmSpecialPoolCatchOverruns != 0
+ SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
+ SystemErrorPortInformation, // s (requires SeTcbPrivilege)
+ SystemBootEnvironmentInformation, // q:
SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
+ SystemHypervisorInformation, // q; s (kernel-mode only)
+ SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
+ SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
+ SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires
+ // SeTcbPrivilege)
+ SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
+ SystemPrefetchPatchInformation, // not implemented
+ SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
+ SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
+ SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
+ SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
+ SystemNumaProximityNodeInformation, // q
+ SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
+ SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
+ SystemProcessorMicrocodeUpdateInformation, // s
+ SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
+ SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires
+ // SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
+ SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 //
+ // KeQueryLogicalProcessorRelationship
+ SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
+ SystemStoreInformation, // q; s // SmQueryStoreInformation
+ SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
+ SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
+ SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
+ SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
+
SystemNativeBasicInformation, // not implemented
+ SystemSpare1, // not implemented
+ SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
+ SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
+ SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
+ SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for
+ // WorkingSetTypePagedPool)
+ SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for
+ // WorkingSetTypeSystemPtes) // 120
+ SystemNodeDistanceInformation, // q
+ SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation ->
+ // HalpAuditQueryResults, info class 26
+ SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION //
+ // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
+ SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
+ SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
+ SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
+ SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
+ SystemBadPageInformation,
+ SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
+ SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX,
+ // MEMORY_COMBINE_INFORMATION_EX2 // 130
+ SystemEntropyInterruptTimingCallback,
+ SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
+ SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
+ SystemThrottleNotificationInformation,
+ SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
+ SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
+ SystemDeviceDataEnumerationInformation,
+ SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
+ SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
+ SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
+ SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
+ SystemSpare0,
+ SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
+ SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
+ SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
+ SystemEntropyInterruptTimingRawInformation,
+ SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
+ SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires
+ // admin)
+ SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
+ SystemBootMetadataInformation, // 150
+ SystemSoftRebootInformation,
+ SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
+ SystemOfflineDumpConfigInformation,
+ SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
+ SystemRegistryReconciliationInformation,
+ SystemEdidInformation,
+ SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
+ SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
+ SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
+ SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
+ SystemVmGenerationCountInformation,
+ SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
+ SystemKernelDebuggerFlags,
+ SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
+ SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
+
SystemHardwareSecurityTestInterfaceResultsInformation,
+ SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
+ SystemAllowedCpuSetsInformation,
+ SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
+ SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
+ SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
+ SystemCodeIntegrityPolicyFullInformation,
+ SystemAffinitizedInterruptProcessorInformation,
+ SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
+ SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
+ SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
+ SystemWin32WerStartCallout,
+ SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
+ SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since
+ // REDSTONE
+ SystemInterruptSteeringInformation, // 180
+ SystemSupportedProcessorArchitectures,
+ SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
+ SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
+ SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
+ SystemControlFlowTransition,
+ SystemKernelDebuggingAllowed,
+ SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
+ SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
+ SystemCodeIntegrityPoliciesFullInformation,
+ SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
+ SystemIntegrityQuotaInformation,
+ SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
+ SystemProcessorIdleMaskInformation, // since REDSTONE3
+ SystemSecureDumpEncryptionInformation,
+ SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
+
SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
+ SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
+ SystemFirmwareBootPerformanceInformation,
+ SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
+ SystemFirmwarePartitionInformation, // 200
+ SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and
+ // above.
+ SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
+ SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
+ SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
+ SystemCodeIntegrityUnlockModeInformation,
+ SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
+ SystemFlags2Information,
+ MaxSystemInfoClass
+} SYSTEM_INFORMATION_CLASS;
+
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+ LIST_ENTRY InLoadOrderLinks;
+ LIST_ENTRY InMemoryOrderLinks;
+ LIST_ENTRY InInitializationOrderLinks;
+ PVOID DllBase;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullDllName;
+ UNICODE_STRING BaseDllName;
+ ULONG Flags;
+ USHORT LoadCount;
+ USHORT TlsIndex;
+ union {
+ LIST_ENTRY HashLinks;
+ struct
+ {
+ PVOID SectionPointer;
+ ULONG CheckSum;
+ };
+ };
+ union {
+ ULONG TimeDateStamp;
+ PVOID LoadedImports;
+ };
+ struct _ACTIVATION_CONTEXT *EntryPointActivationContext;
+ PVOID PatchInformation;
+ LIST_ENTRY ForwarderLinks;
+ LIST_ENTRY ServiceTagLinks;
+ LIST_ENTRY StaticLinks;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _SYSTEM_PROCESS_INFO
+{
+ ULONG NextEntryOffset;
+ ULONG NumberOfThreads;
+ LARGE_INTEGER Reserved[3];
+ LARGE_INTEGER CreateTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER KernelTime;
+ UNICODE_STRING ImageName;
+ ULONG BasePriority;
+ HANDLE ProcessId;
+ HANDLE InheritedFromProcessId;
+} SYSTEM_PROCESS_INFO, *PSYSTEM_PROCESS_INFO;
+
+typedef struct _RTL_PROCESS_MODULE_INFORMATION
+{
+ HANDLE Section;
+ PVOID MappedBase;
+ PVOID ImageBase;
+ ULONG ImageSize;
+ ULONG Flags;
+ USHORT LoadOrderIndex;
+ USHORT InitOrderIndex;
+ USHORT LoadCount;
+ USHORT OffsetToFileName;
+ UCHAR FullPathName[256];
+} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
+
+typedef struct _RTL_PROCESS_MODULES
+{
+ ULONG NumberOfModules;
+ RTL_PROCESS_MODULE_INFORMATION Modules[1];
+} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
+
+// private
+typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX
+{
+ USHORT NextOffset;
+ RTL_PROCESS_MODULE_INFORMATION BaseInfo;
+ ULONG ImageChecksum;
+ ULONG TimeDateStamp;
+ PVOID DefaultBase;
+} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;
+
+#define CODEINTEGRITY_OPTION_ENABLED 0x01
+#define CODEINTEGRITY_OPTION_TESTSIGN 0x02
+#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x04
+#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x08
+#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x10
+#define CODEINTEGRITY_OPTION_TEST_BUILD 0x20
+#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x40
+#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x80
+#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x100
+#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x200
+#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x400
+#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x800
+#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
+#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000
+
+typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION
+{
+ ULONG Length;
+ ULONG CodeIntegrityOptions;
+} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
+
+#pragma warning(pop)
+
+//
+// IDE command definitions
+//
+#define IDE_COMMAND_NOP 0x00
+#define IDE_COMMAND_DATA_SET_MANAGEMENT 0x06
+#define IDE_COMMAND_ATAPI_RESET 0x08
+#define IDE_COMMAND_READ 0x20
+#define IDE_COMMAND_READ_EXT 0x24
+#define IDE_COMMAND_READ_DMA_EXT 0x25
+#define
IDE_COMMAND_READ_DMA_QUEUED_EXT 0x26
+#define IDE_COMMAND_READ_MULTIPLE_EXT 0x29
+#define IDE_COMMAND_READ_LOG_EXT 0x2f
+#define IDE_COMMAND_WRITE 0x30
+#define IDE_COMMAND_WRITE_EXT 0x34
+#define IDE_COMMAND_WRITE_DMA_EXT 0x35
+#define IDE_COMMAND_WRITE_DMA_QUEUED_EXT 0x36
+#define IDE_COMMAND_WRITE_MULTIPLE_EXT 0x39
+#define IDE_COMMAND_WRITE_DMA_FUA_EXT 0x3D
+#define IDE_COMMAND_WRITE_DMA_QUEUED_FUA_EXT 0x3E
+#define IDE_COMMAND_WRITE_LOG_EXT 0x3f
+#define IDE_COMMAND_VERIFY 0x40
+#define IDE_COMMAND_VERIFY_EXT 0x42
+#define IDE_COMMAND_WRITE_LOG_DMA_EXT 0x57
+#define IDE_COMMAND_TRUSTED_NON_DATA 0x5B
+#define IDE_COMMAND_TRUSTED_RECEIVE 0x5C
+#define IDE_COMMAND_TRUSTED_RECEIVE_DMA 0x5D
+#define IDE_COMMAND_TRUSTED_SEND 0x5E
+#define IDE_COMMAND_TRUSTED_SEND_DMA 0x5F
+#define IDE_COMMAND_READ_FPDMA_QUEUED 0x60 // NCQ Read command
+#define IDE_COMMAND_WRITE_FPDMA_QUEUED 0x61 // NCQ Write command
+#define IDE_COMMAND_NCQ_NON_DATA 0x63 // NCQ Non-Data command
+#define IDE_COMMAND_SEND_FPDMA_QUEUED 0x64 // NCQ Send command
+#define IDE_COMMAND_RECEIVE_FPDMA_QUEUED 0x65 // NCQ Receive command
+#define IDE_COMMAND_SET_DATE_AND_TIME 0x77 // optional 48bit command
+#define IDE_COMMAND_EXECUTE_DEVICE_DIAGNOSTIC 0x90
+#define IDE_COMMAND_SET_DRIVE_PARAMETERS 0x91
+#define IDE_COMMAND_ATAPI_PACKET 0xA0
+#define IDE_COMMAND_ATAPI_IDENTIFY 0xA1
+#define IDE_COMMAND_SMART 0xB0
+#define IDE_COMMAND_READ_LOG_DMA_EXT 0xB1
+#define IDE_COMMAND_SANITIZE_DEVICE 0xB4
+#define IDE_COMMAND_READ_MULTIPLE 0xC4
+#define IDE_COMMAND_WRITE_MULTIPLE 0xC5
+#define IDE_COMMAND_SET_MULTIPLE 0xC6
+#define IDE_COMMAND_READ_DMA 0xC8
+#define IDE_COMMAND_WRITE_DMA 0xCA
+#define IDE_COMMAND_WRITE_DMA_QUEUED 0xCC
+#define IDE_COMMAND_WRITE_MULTIPLE_FUA_EXT 0xCE
+#define IDE_COMMAND_GET_MEDIA_STATUS 0xDA
+#define IDE_COMMAND_DOOR_LOCK 0xDE
+#define IDE_COMMAND_DOOR_UNLOCK 0xDF
+#define IDE_COMMAND_STANDBY_IMMEDIATE 0xE0
+#define IDE_COMMAND_IDLE_IMMEDIATE 0xE1
+#define IDE_COMMAND_CHECK_POWER 0xE5
+#define IDE_COMMAND_SLEEP 0xE6
+#define IDE_COMMAND_FLUSH_CACHE 0xE7
+#define IDE_COMMAND_FLUSH_CACHE_EXT 0xEA
+#define IDE_COMMAND_IDENTIFY 0xEC
+#define IDE_COMMAND_MEDIA_EJECT 0xED
+#define IDE_COMMAND_SET_FEATURE 0xEF
+#define IDE_COMMAND_SECURITY_SET_PASSWORD 0xF1
+#define IDE_COMMAND_SECURITY_UNLOCK 0xF2
+#define IDE_COMMAND_SECURITY_ERASE_PREPARE 0xF3
+#define IDE_COMMAND_SECURITY_ERASE_UNIT 0xF4
+#define IDE_COMMAND_SECURITY_FREEZE_LOCK 0xF5
+#define IDE_COMMAND_SECURITY_DISABLE_PASSWORD 0xF6
+#define IDE_COMMAND_NOT_VALID 0xFF
+
+//
+// IDE status definitions
+//
+#define IDE_STATUS_ERROR 0x01
+#define IDE_STATUS_INDEX 0x02
+#define IDE_STATUS_CORRECTED_ERROR 0x04
+#define IDE_STATUS_DRQ 0x08
+#define IDE_STATUS_DSC 0x10
+#define IDE_STATUS_DEVICE_FAULT 0x20
+#define IDE_STATUS_DRDY 0x40
+#define IDE_STATUS_IDLE 0x50
+#define IDE_STATUS_BUSY 0x80
+
+typedef struct _IDSECTOR
+{
+ USHORT wGenConfig;
+ USHORT wNumCyls;
+ USHORT wReserved;
+ USHORT wNumHeads;
+ USHORT wBytesPerTrack;
+ USHORT wBytesPerSector;
+ USHORT wSectorsPerTrack;
+ USHORT wVendorUnique[3];
+ CHAR sSerialNumber[20];
+ USHORT wBufferType;
+ USHORT wBufferSize;
+ USHORT wECCSize;
+ CHAR sFirmwareRev[8];
+ CHAR sModelNumber[40];
+ USHORT wMoreVendorUnique;
+ USHORT wDoubleWordIO;
+ USHORT wCapabilities;
+ USHORT wReserved1;
+ USHORT wPIOTiming;
+ USHORT wDMATiming;
+ USHORT wBS;
+ USHORT wNumCurrentCyls;
+ USHORT wNumCurrentHeads;
+ USHORT wNumCurrentSectorsPerTrack;
+ ULONG ulCurrentSectorCapacity;
+ USHORT wMultSectorStuff;
+ ULONG ulTotalAddressableSectors;
+ USHORT wSingleWordDMA;
+ USHORT wMultiWordDMA;
+ UCHAR bReserved[128];
+} IDSECTOR, *PIDSECTOR;
+
+#pragma pack(push, id_device_data, 1)
+typedef struct _IDENTIFY_DEVICE_DATA
+{
+
+ struct
+ {
+ USHORT Reserved1 : 1;
+ USHORT Retired3 : 1;
+ USHORT ResponseIncomplete : 1;
+ USHORT Retired2 : 3;
+ USHORT FixedDevice : 1; // obsolete
+ USHORT RemovableMedia : 1; // obsolete
+ USHORT Retired1 : 7;
+ USHORT DeviceType : 1;
+ }
GeneralConfiguration; // word 0
+
+ USHORT NumCylinders; // word 1, obsolete
+ USHORT SpecificConfiguration; // word 2
+ USHORT NumHeads; // word 3, obsolete
+ USHORT Retired1[2];
+ USHORT NumSectorsPerTrack; // word 6, obsolete
+ USHORT VendorUnique1[3];
+ UCHAR SerialNumber[20]; // word 10-19
+ USHORT Retired2[2];
+ USHORT Obsolete1;
+ UCHAR FirmwareRevision[8]; // word 23-26
+ UCHAR ModelNumber[40]; // word 27-46
+ UCHAR MaximumBlockTransfer; // word 47. 01h-10h = Maximum number of sectors that shall be transferred per interrupt
+ // on READ/WRITE MULTIPLE commands
+ UCHAR VendorUnique2;
+
+ struct
+ {
+ USHORT FeatureSupported : 1;
+ USHORT Reserved : 15;
+ } TrustedComputing; // word 48
+
+ struct
+ {
+ UCHAR CurrentLongPhysicalSectorAlignment : 2;
+ UCHAR ReservedByte49 : 6;
+
+ UCHAR DmaSupported : 1;
+ UCHAR LbaSupported : 1; // Shall be set to one to indicate that LBA is supported.
+ UCHAR IordyDisable : 1;
+ UCHAR IordySupported : 1;
+ UCHAR Reserved1 : 1; // Reserved for the IDENTIFY PACKET DEVICE command
+ UCHAR StandybyTimerSupport : 1;
+ UCHAR Reserved2 : 2; // Reserved for the IDENTIFY PACKET DEVICE command
+
+ USHORT ReservedWord50;
+ } Capabilities; // word 49-50
+
+ USHORT ObsoleteWords51[2];
+
+ USHORT TranslationFieldsValid : 3; // word 53, bit 0 - Obsolete; bit 1 - words 70:64 valid; bit 2; word 88 valid
+ USHORT Reserved3 : 5;
+ USHORT FreeFallControlSensitivity : 8;
+
+ USHORT NumberOfCurrentCylinders; // word 54, obsolete
+ USHORT NumberOfCurrentHeads; // word 55, obsolete
+ USHORT CurrentSectorsPerTrack; // word 56, obsolete
+ ULONG CurrentSectorCapacity; // word 57, word 58, obsolete
+
+ UCHAR CurrentMultiSectorSetting; // word 59
+ UCHAR MultiSectorSettingValid : 1;
+ UCHAR ReservedByte59 : 3;
+ UCHAR SanitizeFeatureSupported : 1;
+ UCHAR CryptoScrambleExtCommandSupported : 1;
+ UCHAR OverwriteExtCommandSupported : 1;
+ UCHAR BlockEraseExtCommandSupported : 1;
+
+ ULONG UserAddressableSectors; // word 60-61, for 28-bit commands
+
+ USHORT
ObsoleteWord62;
+
+ USHORT MultiWordDMASupport : 8; // word 63
+ USHORT MultiWordDMAActive : 8;
+
+ USHORT AdvancedPIOModes : 8; // word 64. bit 0:1 - PIO mode supported
+ USHORT ReservedByte64 : 8;
+
+ USHORT MinimumMWXferCycleTime; // word 65
+ USHORT RecommendedMWXferCycleTime; // word 66
+ USHORT MinimumPIOCycleTime; // word 67
+ USHORT MinimumPIOCycleTimeIORDY; // word 68
+
+ struct
+ {
+ USHORT Reserved : 2;
+ USHORT NonVolatileWriteCache : 1; // All write cache is non-volatile
+ USHORT ExtendedUserAddressableSectorsSupported : 1;
+ USHORT DeviceEncryptsAllUserData : 1;
+ USHORT ReadZeroAfterTrimSupported : 1;
+ USHORT Optional28BitCommandsSupported : 1;
+ USHORT IEEE1667 : 1; // Reserved for IEEE 1667
+ USHORT DownloadMicrocodeDmaSupported : 1;
+ USHORT SetMaxSetPasswordUnlockDmaSupported : 1;
+ USHORT WriteBufferDmaSupported : 1;
+ USHORT ReadBufferDmaSupported : 1;
+ USHORT DeviceConfigIdentifySetDmaSupported : 1; // obsolete
+ USHORT LPSAERCSupported : 1; // Long Physical Sector Alignment Error Reporting Control is supported.
+ USHORT DeterministicReadAfterTrimSupported : 1;
+ USHORT CFastSpecSupported : 1;
+ } AdditionalSupported; // word 69
+
+ USHORT ReservedWords70[5]; // word 70 - reserved
+ // word 71:74 - Reserved for the IDENTIFY PACKET DEVICE command
+
+ // Word 75
+ USHORT QueueDepth : 5; // Maximum queue depth - 1
+ USHORT ReservedWord75 : 11;
+
+ struct
+ {
+ // Word 76
+ USHORT Reserved0 : 1; // shall be set to 0
+ USHORT SataGen1 : 1; // Supports SATA Gen1 Signaling Speed (1.5Gb/s)
+ USHORT SataGen2 : 1; // Supports SATA Gen2 Signaling Speed (3.0Gb/s)
+ USHORT SataGen3 : 1; // Supports SATA Gen3 Signaling Speed (6.0Gb/s)
+
+ USHORT Reserved1 : 4;
+
+ USHORT NCQ : 1; // Supports the NCQ feature set
+ USHORT HIPM : 1; // Supports HIPM
+ USHORT PhyEvents : 1; // Supports the SATA Phy Event Counters log
+ USHORT NcqUnload : 1; // Supports Unload while NCQ commands are outstanding
+
+ USHORT NcqPriority : 1; // Supports NCQ priority information
+ USHORT HostAutoPS : 1; // Supports Host Automatic Partial to Slumber transitions
+ USHORT DeviceAutoPS : 1; // Supports Device Automatic Partial to Slumber transitions
+ USHORT ReadLogDMA : 1; // Supports READ LOG DMA EXT as equivalent to READ LOG EXT
+
+ // Word 77
+ USHORT Reserved2 : 1; // shall be set to 0
+ USHORT CurrentSpeed : 3; // Coded value indicating current negotiated Serial ATA signal speed
+
+ USHORT NcqStreaming : 1; // Supports NCQ Streaming
+ USHORT NcqQueueMgmt : 1; // Supports NCQ Queue Management Command
+ USHORT NcqReceiveSend : 1; // Supports RECEIVE FPDMA QUEUED and SEND FPDMA QUEUED commands
+ USHORT DEVSLPtoReducedPwrState : 1;
+
+ USHORT Reserved3 : 8;
+ } SerialAtaCapabilities;
+
+ // Word 78
+ struct
+ {
+ USHORT Reserved0 : 1; // shall be set to 0
+ USHORT NonZeroOffsets : 1; // Device supports non-zero buffer offsets in DMA Setup FIS
+ USHORT DmaSetupAutoActivate : 1; // Device supports DMA Setup auto-activation
+ USHORT DIPM : 1; // Device supports DIPM
+
+ USHORT InOrderData : 1; // Device supports
in-order data delivery
+ USHORT HardwareFeatureControl : 1; // Hardware Feature Control is supported
+ USHORT SoftwareSettingsPreservation : 1; // Device supports Software Settings Preservation
+ USHORT NCQAutosense : 1; // Supports NCQ Autosense
+
+ USHORT DEVSLP : 1; // Device supports link power state - device sleep
+ USHORT HybridInformation : 1; // Device supports Hybrid Information Feature (If the device does not support NCQ
+ // (word 76 bit 8 is 0), then this bit shall be cleared to 0.)
+
+ USHORT Reserved1 : 6;
+ } SerialAtaFeaturesSupported;
+
+ // Word 79
+ struct
+ {
+ USHORT Reserved0 : 1; // shall be set to 0
+ USHORT NonZeroOffsets : 1; // Non-zero buffer offsets in DMA Setup FIS enabled
+ USHORT DmaSetupAutoActivate : 1; // DMA Setup auto-activation optimization enabled
+ USHORT DIPM : 1; // DIPM enabled
+
+ USHORT InOrderData : 1; // In-order data delivery enabled
+ USHORT HardwareFeatureControl : 1; // Hardware Feature Control is enabled
+ USHORT SoftwareSettingsPreservation : 1; // Software Settings Preservation enabled
+ USHORT DeviceAutoPS : 1; // Device Automatic Partial to Slumber transitions enabled
+
+ USHORT DEVSLP : 1; // link power state - device sleep is enabled
+ USHORT HybridInformation : 1; // Hybrid Information Feature is enabled
+
+ USHORT Reserved1 : 6;
+ } SerialAtaFeaturesEnabled;
+
+ USHORT MajorRevision; // word 80. bit 5 - supports ATA5; bit 6 - supports ATA6; bit 7 - supports ATA7; bit 8 -
+ // supports ATA8-ACS; bit 9 - supports ACS-2;
+ USHORT MinorRevision; // word 81.
T13 minior version number
+
+ struct
+ {
+
+ //
+ // Word 82
+ //
+ USHORT SmartCommands : 1; // The SMART feature set is supported
+ USHORT SecurityMode : 1; // The Security feature set is supported
+ USHORT RemovableMediaFeature : 1; // obsolete
+ USHORT PowerManagement : 1; // shall be set to 1
+ USHORT Reserved1 : 1; // PACKET feature set, set to 0 indicates not supported for ATA devices (only support for
+ // ATAPI devices)
+ USHORT WriteCache : 1; // The volatile write cache is supported
+ USHORT LookAhead : 1; // Read look-ahead is supported
+ USHORT ReleaseInterrupt : 1; // obsolete
+ USHORT ServiceInterrupt : 1; // obsolete
+ USHORT DeviceReset : 1; // Shall be cleared to zero to indicate that the DEVICE RESET command is not supported
+ USHORT HostProtectedArea : 1; // obsolete
+ USHORT Obsolete1 : 1;
+ USHORT WriteBuffer : 1; // The WRITE BUFFER command is supported
+ USHORT ReadBuffer : 1; // The READ BUFFER command is supported
+ USHORT Nop : 1; // The NOP command is supported
+ USHORT Obsolete2 : 1;
+
+ //
+ // Word 83
+ //
+ USHORT DownloadMicrocode : 1; // The DOWNLOAD MICROCODE command is supported
+ USHORT DmaQueued : 1; // obsolete
+ USHORT Cfa : 1; // The CFA feature set is supported
+ USHORT AdvancedPm : 1; // The APM feature set is supported
+ USHORT Msn : 1; // obsolete
+ USHORT PowerUpInStandby : 1; // The PUIS feature set is supported
+ USHORT ManualPowerUp : 1; // SET FEATURES subcommand is required to spin-up after power-up
+ USHORT Reserved2 : 1;
+ USHORT SetMax : 1; // obsolete
+ USHORT Acoustics : 1; // obsolete
+ USHORT BigLba : 1; // The 48-bit Address feature set is supported
+ USHORT DeviceConfigOverlay : 1; // obsolete
+ USHORT FlushCache : 1; // Shall be set to one to indicate that the mandatory FLUSH CACHE command is supported
+ USHORT FlushCacheExt : 1; // The FLUSH CACHE EXT command is supported
+ USHORT WordValid83 : 2; // shall be 01b
+
+ //
+ // Word 84
+ //
+ USHORT SmartErrorLog : 1; // SMART error logging is supported
+
USHORT SmartSelfTest : 1; // The SMART self-test is supported + USHORT MediaSerialNumber : 1; // Media serial number is supported + USHORT MediaCardPassThrough : 1; // obsolete + USHORT StreamingFeature : 1; // The Streaming feature set is supported + USHORT GpLogging : 1; // The GPL feature set is supported + USHORT WriteFua : 1; // The WRITE DMA FUA EXT and WRITE MULTIPLE FUA EXT commands are supported + USHORT WriteQueuedFua : 1; // obsolete + USHORT WWN64Bit : 1; // The 64-bit World wide name is supported + USHORT URGReadStream : 1; // obsolete + USHORT URGWriteStream : 1; // obsolete + USHORT ReservedForTechReport : 2; + USHORT IdleWithUnloadFeature : 1; // The IDLE IMMEDIATE command with UNLOAD feature is supported + USHORT WordValid : 2; // shall be 01b + + } CommandSetSupport; + + struct + { + + // + // Word 85 + // + USHORT SmartCommands : 1; // The SMART feature set is enabled + USHORT SecurityMode : 1; // The Security feature set is enabled + USHORT RemovableMediaFeature : 1; // obsolete + USHORT PowerManagement : 1; // Shall be set to one to indicate that the mandatory Power Management feature set + // is supported + USHORT Reserved1 : 1; // Shall be cleared to zero to indicate that the PACKET feature set is not supported + USHORT WriteCache : 1; // The volatile write cache is enabled + USHORT LookAhead : 1; // Read look-ahead is enabled + USHORT ReleaseInterrupt : 1; // The release interrupt is enabled + USHORT ServiceInterrupt : 1; // The SERVICE interrupt is enabled + USHORT DeviceReset : 1; // Shall be cleared to zero to indicate that the DEVICE RESET command is not supported + USHORT HostProtectedArea : 1; // obsolete + USHORT Obsolete1 : 1; + USHORT WriteBuffer : 1; // The WRITE BUFFER command is supported + USHORT ReadBuffer : 1; // The READ BUFFER command is supported + USHORT Nop : 1; // The NOP command is supported + USHORT Obsolete2 : 1; + + // + // Word 86 + // + USHORT DownloadMicrocode : 1; // The DOWNLOAD MICROCODE command is supported + 
USHORT DmaQueued : 1; // obsolete + USHORT Cfa : 1; // The CFA feature set is supported + USHORT AdvancedPm : 1; // The APM feature set is enabled + USHORT Msn : 1; // obsolete + USHORT PowerUpInStandby : 1; // The PUIS feature set is enabled + USHORT ManualPowerUp : 1; // SET FEATURES subcommand is required to spin-up after power-up + USHORT Reserved2 : 1; + USHORT SetMax : 1; // obsolete + USHORT Acoustics : 1; // obsolete + USHORT BigLba : 1; // The 48-bit Address features set is supported + USHORT DeviceConfigOverlay : 1; // obsolete + USHORT FlushCache : 1; // FLUSH CACHE command supported + USHORT FlushCacheExt : 1; // FLUSH CACHE EXT command supported + USHORT Resrved3 : 1; + USHORT Words119_120Valid : 1; // Words 119..120 are valid + + // + // Word 87 + // + USHORT SmartErrorLog : 1; // SMART error logging is supported + USHORT SmartSelfTest : 1; // SMART self-test supported + USHORT MediaSerialNumber : 1; // Media serial number is valid + USHORT MediaCardPassThrough : 1; // obsolete + USHORT StreamingFeature : 1; // obsolete + USHORT GpLogging : 1; // The GPL feature set is supported + USHORT WriteFua : 1; // The WRITE DMA FUA EXT and WRITE MULTIPLE FUA EXT commands are supported + USHORT WriteQueuedFua : 1; // obsolete + USHORT WWN64Bit : 1; // The 64-bit World wide name is supported + USHORT URGReadStream : 1; // obsolete + USHORT URGWriteStream : 1; // obsolete + USHORT ReservedForTechReport : 2; + USHORT IdleWithUnloadFeature : 1; // The IDLE IMMEDIATE command with UNLOAD FEATURE is supported + USHORT Reserved4 : 2; // bit 14 shall be set to 1; bit 15 shall be cleared to 0 + + } CommandSetActive; + + USHORT UltraDMASupport : 8; // word 88. bit 0 - UDMA mode 0 is supported ... bit 6 - UDMA mode 6 and below are + // supported + USHORT UltraDMAActive : 8; // word 88. bit 8 - UDMA mode 0 is selected ... 
bit 14 - UDMA mode 6 is selected + + struct + { // word 89 + USHORT TimeRequired : 15; + USHORT ExtendedTimeReported : 1; + } NormalSecurityEraseUnit; + + struct + { // word 90 + USHORT TimeRequired : 15; + USHORT ExtendedTimeReported : 1; + } EnhancedSecurityEraseUnit; + + USHORT CurrentAPMLevel : 8; // word 91 + USHORT ReservedWord91 : 8; + + USHORT MasterPasswordID; // word 92. Master Password Identifier + + USHORT HardwareResetResult; // word 93 + + USHORT CurrentAcousticValue : 8; // word 94. obsolete + USHORT RecommendedAcousticValue : 8; + + USHORT StreamMinRequestSize; // word 95 + USHORT StreamingTransferTimeDMA; // word 96 + USHORT StreamingAccessLatencyDMAPIO; // word 97 + ULONG StreamingPerfGranularity; // word 98, 99 + + ULONG Max48BitLBA[2]; // word 100-103 + + USHORT StreamingTransferTime; // word 104. Streaming Transfer Time - PIO + + USHORT DsmCap; // word 105 + + struct + { + USHORT LogicalSectorsPerPhysicalSector : 4; // n power of 2: logical sectors per physical sector + USHORT Reserved0 : 8; + USHORT LogicalSectorLongerThan256Words : 1; + USHORT MultipleLogicalSectorsPerPhysicalSector : 1; + USHORT Reserved1 : 2; // bit 14 - shall be set to 1; bit 15 - shall be clear to 0 + } PhysicalLogicalSectorSize; // word 106 + + USHORT InterSeekDelay; // word 107. 
Inter-seek delay for ISO 7779 standard acoustic testing + USHORT WorldWideName[4]; // words 108-111 + USHORT ReservedForWorldWideName128[4]; // words 112-115 + USHORT ReservedForTlcTechnicalReport; // word 116 + USHORT WordsPerLogicalSector[2]; // words 117-118 Logical sector size (DWord) + + struct + { + USHORT ReservedForDrqTechnicalReport : 1; + USHORT WriteReadVerify : 1; // The Write-Read-Verify feature set is supported + USHORT WriteUncorrectableExt : 1; // The WRITE UNCORRECTABLE EXT command is supported + USHORT ReadWriteLogDmaExt : 1; // The READ LOG DMA EXT and WRITE LOG DMA EXT commands are supported + USHORT DownloadMicrocodeMode3 : 1; // Download Microcode mode 3 is supported + USHORT FreefallControl : 1; // The Free-fall Control feature set is supported + USHORT SenseDataReporting : 1; // Sense Data Reporting feature set is supported + USHORT ExtendedPowerConditions : 1; // Extended Power Conditions feature set is supported + USHORT Reserved0 : 6; + USHORT WordValid : 2; // shall be 01b + } CommandSetSupportExt; // word 119 + + struct + { + USHORT ReservedForDrqTechnicalReport : 1; + USHORT WriteReadVerify : 1; // The Write-Read-Verify feature set is enabled + USHORT WriteUncorrectableExt : 1; // The WRITE UNCORRECTABLE EXT command is supported + USHORT ReadWriteLogDmaExt : 1; // The READ LOG DMA EXT and WRITE LOG DMA EXT commands are supported + USHORT DownloadMicrocodeMode3 : 1; // Download Microcode mode 3 is supported + USHORT FreefallControl : 1; // The Free-fall Control feature set is enabled + USHORT SenseDataReporting : 1; // Sense Data Reporting feature set is enabled + USHORT ExtendedPowerConditions : 1; // Extended Power Conditions feature set is enabled + USHORT Reserved0 : 6; + USHORT Reserved1 : 2; // bit 14 - shall be set to 1; bit 15 - shall be clear to 0 + } CommandSetActiveExt; // word 120 + + USHORT ReservedForExpandedSupportandActive[6]; + + USHORT MsnSupport : 2; // word 127. 
obsolete + USHORT ReservedWord127 : 14; + + struct + { // word 128 + USHORT SecuritySupported : 1; + USHORT SecurityEnabled : 1; + USHORT SecurityLocked : 1; + USHORT SecurityFrozen : 1; + USHORT SecurityCountExpired : 1; + USHORT EnhancedSecurityEraseSupported : 1; + USHORT Reserved0 : 2; + USHORT SecurityLevel : 1; // Master Password Capability: 0 = High, 1 = Maximum + USHORT Reserved1 : 7; + } SecurityStatus; + + USHORT ReservedWord129[31]; // word 129...159. Vendor specific + + struct + { // word 160 + USHORT MaximumCurrentInMA : 12; + USHORT CfaPowerMode1Disabled : 1; + USHORT CfaPowerMode1Required : 1; + USHORT Reserved0 : 1; + USHORT Word160Supported : 1; + } CfaPowerMode1; + + USHORT ReservedForCfaWord161[7]; // Words 161-167 + + USHORT NominalFormFactor : 4; // Word 168 + USHORT ReservedWord168 : 12; + + struct + { // Word 169 + USHORT SupportsTrim : 1; + USHORT Reserved0 : 15; + } DataSetManagementFeature; + + USHORT AdditionalProductID[4]; // Words 170-173 + + USHORT ReservedForCfaWord174[2]; // Words 174-175 + + USHORT CurrentMediaSerialNumber[30]; // Words 176-205 + + struct + { // Word 206 + USHORT Supported : 1; // The SCT Command Transport is supported + USHORT Reserved0 : 1; // obsolete + USHORT WriteSameSuported : 1; // The SCT Write Same command is supported + USHORT ErrorRecoveryControlSupported : 1; // The SCT Error Recovery Control command is supported + USHORT FeatureControlSuported : 1; // The SCT Feature Control command is supported + USHORT DataTablesSuported : 1; // The SCT Data Tables command is supported + USHORT Reserved1 : 6; + USHORT VendorSpecific : 4; + } SCTCommandTransport; + + USHORT ReservedWord207[2]; // Words 207-208 + + struct + { // Word 209 + USHORT AlignmentOfLogicalWithinPhysical : 14; + USHORT Word209Supported : 1; // shall be set to 1 + USHORT Reserved0 : 1; // shall be cleared to 0 + } BlockAlignment; + + USHORT WriteReadVerifySectorCountMode3Only[2]; // Words 210-211 + USHORT WriteReadVerifySectorCountMode2Only[2]; 
// Words 212-213 + + struct + { + USHORT NVCachePowerModeEnabled : 1; + USHORT Reserved0 : 3; + USHORT NVCacheFeatureSetEnabled : 1; + USHORT Reserved1 : 3; + USHORT NVCachePowerModeVersion : 4; + USHORT NVCacheFeatureSetVersion : 4; + } NVCacheCapabilities; // Word 214. obsolete + USHORT NVCacheSizeLSW; // Word 215. obsolete + USHORT NVCacheSizeMSW; // Word 216. obsolete + + USHORT NominalMediaRotationRate; // Word 217; value 0001h means non-rotating media. + + USHORT ReservedWord218; // Word 218 + + struct + { + UCHAR NVCacheEstimatedTimeToSpinUpInSeconds; + UCHAR Reserved; + } NVCacheOptions; // Word 219. obsolete + + USHORT WriteReadVerifySectorCountMode : 8; // Word 220. Write-Read-Verify feature set current mode + USHORT ReservedWord220 : 8; + + USHORT ReservedWord221; // Word 221 + + struct + { // Word 222 Transport major version number + USHORT MajorVersion : 12; // 0000h or FFFFh = device does not report version + USHORT TransportType : 4; + } TransportMajorVersion; + + USHORT TransportMinorVersion; // Word 223 + + USHORT ReservedWord224[6]; // Word 224...229 + + ULONG ExtendedNumberOfUserAddressableSectors[2]; // Words 230...233 Extended Number of User Addressable Sectors + + USHORT MinBlocksPerDownloadMicrocodeMode03; // Word 234 Minimum number of 512-byte data blocks per Download + // Microcode mode 03h operation + USHORT MaxBlocksPerDownloadMicrocodeMode03; // Word 235 Maximum number of 512-byte data blocks per Download + // Microcode mode 03h operation + + USHORT ReservedWord236[19]; // Word 236...254 + + USHORT Signature : 8; // Word 255 + USHORT CheckSum : 8; + +} IDENTIFY_DEVICE_DATA, *PIDENTIFY_DEVICE_DATA; +#pragma pack(pop, id_device_data) + +EXTERN_C_START + +NTSYSAPI POBJECT_TYPE *IoDriverObjectType; + +NTSYSAPI BOOLEAN NTAPI PsIsProtectedProcess(_In_ PEPROCESS Process); + +NTSYSAPI +BOOLEAN +NTAPI +PsIsSystemProcess(_In_ PEPROCESS Process); + +NTSYSAPI +PVOID NTAPI PsGetProcessSectionBaseAddress(__in PEPROCESS Process); + +NTSYSAPI NTSTATUS 
NTAPI ObReferenceObjectByName(__in PUNICODE_STRING ObjectName, __in ULONG Attributes, + __in_opt PACCESS_STATE AccessState, __in_opt ACCESS_MASK DesiredAccess, + __in POBJECT_TYPE ObjectType, __in KPROCESSOR_MODE AccessMode, + __inout_opt PVOID ParseContext, __out PVOID *Object); + +NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, + _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, + _Out_opt_ PULONG ReturnLength); + +NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(_In_ HANDLE ProcessHandle, + _In_ PROCESSINFOCLASS ProcessInformationClass, + _Out_ PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, + _Out_opt_ PULONG ReturnLength); + +EXTERN_C_END \ No newline at end of file From 6599f559700ed6883bb86c8e55795306bc2530ae Mon Sep 17 00:00:00 2001 From: Ricardo Carvalho Date: Thu, 22 Aug 2024 04:08:54 -0300 Subject: [PATCH 03/19] Update .gitignore --- .gitignore | 442 ++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 389 insertions(+), 53 deletions(-) diff --git a/.gitignore b/.gitignore index 12cb754..8a30d25 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,62 +1,398 @@
-# Prerequisites
-*.d
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
-# Compiled Object files
-*.slo
-*.lo
-*.o
-*.obj
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
-# Precompiled Headers
-*.gch
-*.pch
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
-# Compiled Dynamic libraries
-*.so
-*.dylib
-*.dll
-
-# Fortran module files
-*.mod
-*.smod
-
-# Compiled Static libraries
-*.lai
-*.la
-*.a
-*.lib
-
-# Executables
-*.exe
-*.out
-*.app
-*.sys
-*.pdb
-*.manifest
-*.cache
+# Mono auto generated files
+mono_crash.*
-#Ignore files build by Visual Studio
-*.user
-*.aps
-*.pch
-*.vspscc
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Ww][Ii][Nn]32/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# ASP.NET Scaffolding
+ScaffoldingReadMe.txt
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
 *_i.c
 *_p.c
-*.ncb
-*.suo
-*.bak
-*.cache
+*_h.h
 *.ilk
-*.log
-[Bb]in
-[Dd]ebug*/
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
 *.sbr
-obj/
-[Rr]elease*/
-_ReSharper*/
-*.db
-*.db-shm
-*.db-wal
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.tlog
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
 *.opendb
-*.ipch
-*.vsidx
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Coverlet is a free, cross platform Code Coverage Tool
+coverage*.json
+coverage*.xml
+coverage*.info
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio 6 auto-generated project file (contains which files were open etc.)
+*.vbp
+
+# Visual Studio 6 workspace and project file (working project files containing files to include in project)
+*.dsw
+*.dsp
+
+# Visual Studio 6 technical files
+*.ncb
+*.aps
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# Visual Studio History (VSHistory) files
+.vshistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
+
+# Fody - auto-generated XML schema
+FodyWeavers.xsd
+
+# VS Code files for those working on multiple tools
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+
+# Local History for Visual Studio Code
+.history/
+
+# Windows Installer files from build outputs
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# JetBrains Rider
+*.sln.iml
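Review bot: Adding `.vs/` under "Visual Studio 2015/2017 cache/options directory" does not untrack anything that is already committed, and `.vs/MasterHide/v17/DocumentLayout.json` and `DocumentLayout.backup.json` are still versioned and modified later in this same series, so the per-workstation IDE state they carry — including the absolute workspace path `A:\\work\\MasterHide\\` — keeps landing in history. Pair this change with `git rm -r --cached .vs` so the new rule actually takes effect. Separately, the removed lines show the old list ignored `*.sys`, `*.exe` and `*.dll` while the replacement template has no such patterns; outputs under `x64/`, `[Dd]ebug/` and `[Rr]elease/` are still covered, but a driver binary copied anywhere else in the tree is now committable, so consider re-adding `*.sys` if that coverage was intentional.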
From 64a26b8870029a24fa28d28c786ba0e333ffc1ae Mon Sep 17 00:00:00 2001
From: Ricardo Carvalho
Date: Thu, 22 Aug 2024 22:31:35 -0300
Subject: [PATCH 04/19] Reset submodule to original state
---
KasperskyHook | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/KasperskyHook b/KasperskyHook
index 9c7d412..238c1b8 160000
--- a/KasperskyHook
+++ b/KasperskyHook
@@ -1 +1 @@
-Subproject commit 9c7d412ddf59f622b5a054a23aeffaaa0e77d3c3
+Subproject commit 238c1b8f376b91b63fbac260d7c6b5fefa76f375
From eca8a7921f52e9ae465fb1af34e3c5be177c70ff Mon Sep 17 00:00:00 2001
From: Ricardo Carvalho Date: Sat, 24 Aug 2024 03:33:56 -0300 Subject: [PATCH 05/19] code refactor wip added new thirdparty library code reviewed and cleaned added improved debug logging removed unused/old code added MasterHideLoader project SSDT hook vanilla still wip --- .vs/MasterHide/v17/DocumentLayout.backup.json | 348 +- .vs/MasterHide/v17/DocumentLayout.json | 348 +- MasterHide.sln | 42 +- MasterHide/MasterHide.vcxproj | 18 +- MasterHide/MasterHide.vcxproj.filters | 27 +- MasterHide/drivermain.cpp | 154 +- MasterHide/fnv1a.hpp | 42 + MasterHide/globals.hpp | 46 - MasterHide/hooks.cpp | 956 +- MasterHide/hooks.hpp | 107 +- MasterHide/includes.hpp | 9 +- MasterHide/misc.cpp | 764 +- MasterHide/misc.hpp | 116 +- MasterHide/shadow_ssdt.cpp | 177 +- MasterHide/shadow_ssdt.hpp | 2 +- MasterHide/ssdt.cpp | 116 +- MasterHide/ssdt.hpp | 2 +- .../scope_guard/.github/workflows/macos.yml | 37 + .../scope_guard/.github/workflows/ubuntu.yml | 74 + .../scope_guard/.github/workflows/windows.yml | 43 + MasterHide/thirdparty/scope_guard/.gitignore | 50 + .../thirdparty/scope_guard/CMakeLists.txt | 54 + MasterHide/thirdparty/scope_guard/LICENSE | 21 + MasterHide/thirdparty/scope_guard/README.md | 155 + .../scope_guard/example/CMakeLists.txt | 25 + .../example/scope_exit_example.cpp | 91 + .../example/scope_fail_example.cpp | 83 + .../example/scope_success_example.cpp | 81 + .../scope_guard/include/scope_guard.hpp | 369 + .../scope_guard/test/3rdparty/Catch2/LICENSE | 23 + .../test/3rdparty/Catch2/catch.hpp | 17937 ++++++++++++++++ .../3rdparty/Catch2/catch_trompeloeil.hpp | 58 + .../test/3rdparty/Trompeloeil/LICENSE | 23 + .../test/3rdparty/Trompeloeil/trompeloeil.hpp | 5304 +++++ .../scope_guard/test/CMakeLists.txt | 64 + .../thirdparty/scope_guard/test/test.cpp | 242 + MasterHide/winnt.hpp | 46 + MasterHideLoader/MasterHideLoader.vcxproj | 151 + .../MasterHideLoader.vcxproj.filters | 36 + MasterHideLoader/klhk.hpp | 87 + MasterHideLoader/loader.hpp | 53 + 
MasterHideLoader/main.cpp | 51 + MasterHideLoader/service.hpp | 46 + SetupKasperskyDriver.bat | 23 + TestHide/TestHide.vcxproj | 2 + 45 files changed, 26790 insertions(+), 1713 deletions(-) create mode 100644 MasterHide/fnv1a.hpp create mode 100644 MasterHide/thirdparty/scope_guard/.github/workflows/macos.yml create mode 100644 MasterHide/thirdparty/scope_guard/.github/workflows/ubuntu.yml create mode 100644 MasterHide/thirdparty/scope_guard/.github/workflows/windows.yml create mode 100644 MasterHide/thirdparty/scope_guard/.gitignore create mode 100644 MasterHide/thirdparty/scope_guard/CMakeLists.txt create mode 100644 MasterHide/thirdparty/scope_guard/LICENSE create mode 100644 MasterHide/thirdparty/scope_guard/README.md create mode 100644 MasterHide/thirdparty/scope_guard/example/CMakeLists.txt create mode 100644 MasterHide/thirdparty/scope_guard/example/scope_exit_example.cpp create mode 100644 MasterHide/thirdparty/scope_guard/example/scope_fail_example.cpp create mode 100644 MasterHide/thirdparty/scope_guard/example/scope_success_example.cpp create mode 100644 MasterHide/thirdparty/scope_guard/include/scope_guard.hpp create mode 100644 MasterHide/thirdparty/scope_guard/test/3rdparty/Catch2/LICENSE create mode 100644 MasterHide/thirdparty/scope_guard/test/3rdparty/Catch2/catch.hpp create mode 100644 MasterHide/thirdparty/scope_guard/test/3rdparty/Catch2/catch_trompeloeil.hpp create mode 100644 MasterHide/thirdparty/scope_guard/test/3rdparty/Trompeloeil/LICENSE create mode 100644 MasterHide/thirdparty/scope_guard/test/3rdparty/Trompeloeil/trompeloeil.hpp create mode 100644 MasterHide/thirdparty/scope_guard/test/CMakeLists.txt create mode 100644 MasterHide/thirdparty/scope_guard/test/test.cpp create mode 100644 MasterHideLoader/MasterHideLoader.vcxproj create mode 100644 MasterHideLoader/MasterHideLoader.vcxproj.filters create mode 100644 MasterHideLoader/klhk.hpp create mode 100644 MasterHideLoader/loader.hpp create mode 100644 MasterHideLoader/main.cpp create 
mode 100644 MasterHideLoader/service.hpp
create mode 100644 SetupKasperskyDriver.bat
diff --git a/.vs/MasterHide/v17/DocumentLayout.backup.json b/.vs/MasterHide/v17/DocumentLayout.backup.json
index b5a16cd..748ef3b 100644
--- a/.vs/MasterHide/v17/DocumentLayout.backup.json
+++ b/.vs/MasterHide/v17/DocumentLayout.backup.json
@@ -3,70 +3,72 @@ "WorkspaceRootPath": "A:\\work\\MasterHide\\", "Documents": [ { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|A:\\work\\MasterHide\\MasterHideLoader\\main.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|solutionrelative:MasterHideLoader\\main.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\drivermain.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\drivermain.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\winnt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\winnt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" - }, - { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": 
"D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|A:\\work\\MasterHide\\MasterHideLoader\\klhk.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|solutionrelative:MasterHideLoader\\klhk.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\driver.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|A:\\work\\MasterHide\\MasterHideLoader\\loader.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|solutionrelative:MasterHideLoader\\loader.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\pe.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\pe.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\utils.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|C:\\PROGRAM FILES (X86)\\WINDOWS KITS\\10\\INCLUDE\\10.0.26100.0\\KM\\NTIFS.H||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|C:\\PROGRAM FILES (X86)\\WINDOWS KITS\\10\\INCLUDE\\10.0.26100.0\\KM\\WDM.H||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" } ], "DocumentGroupContainers": [ 
@@ -76,230 +78,228 @@ "DocumentGroups": [ { "DockedWidth": 200, - "SelectedChildIndex": 11, + "SelectedChildIndex": 13, "Children": [ + { + "$type": "Bookmark", + "Name": "ST:0:0:{aa2115a1-9712-457b-9047-dbb71ca2cdd2}" + }, { "$type": "Document", - "DocumentIndex": 2, + "DocumentIndex": 1, + "Title": "hooks.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", + "RelativeDocumentMoniker": "MasterHide\\hooks.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", + "RelativeToolTip": "MasterHide\\hooks.hpp", + "ViewState": "AgIAABUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-24T06:15:01.328Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 7, + "Title": "klhk.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHideLoader\\klhk.hpp", + "RelativeDocumentMoniker": "MasterHideLoader\\klhk.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHideLoader\\klhk.hpp", + "RelativeToolTip": "MasterHideLoader\\klhk.hpp", + "ViewState": "AgIAACEAAAAAAAAAAAAAADQAAAAlAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-24T03:11:58.364Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 9, + "Title": "pe.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\pe.cpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\pe.cpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\pe.cpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\pe.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-23T20:17:12.605Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 11, "Title": "utils.cpp", "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp", "RelativeDocumentMoniker": 
"KasperskyHook\\KasperskyHookDrv\\utils.cpp", "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp", "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\utils.cpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "ViewState": "AgIAACgAAAAAAAAAAAAcwG4AAAAnAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T06:40:21.171Z", + "WhenOpened": "2024-08-23T20:16:21.755Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 9, - "Title": "driver.cpp", - "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp", - "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\driver.cpp", - "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp", - "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\driver.cpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T06:29:36.886Z", + "DocumentIndex": 10, + "Title": "utils.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.hpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\utils.hpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.hpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\utils.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAgAAAAIAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-23T20:14:46.181Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 13, - "Title": "ntifs.h", - "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\ntifs.h", - "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\ntifs.h", - "ViewState": "AgIAAEAAAAAAAAAAAAAmwFQAAAAzAAAAAAAAAA==", + "DocumentIndex": 12, + "Title": "kaspersky.hpp", + "DocumentMoniker": 
"A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T06:28:17.411Z", + "WhenOpened": "2024-08-23T20:14:42.005Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 14, - "Title": "wdm.h", - "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\wdm.h", - "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\wdm.h", - "ViewState": "AgIAAD8AAAAAAAAAAAAmwFMAAAAaAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T06:28:15.79Z", + "DocumentIndex": 6, + "Title": "kaspersky.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp", + "ViewState": "AgIAAAIBAAAAAAAAAAAcwB4BAAAVAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-23T20:14:19.128Z", "EditorCaption": "" }, { - "$type": "Bookmark", - "Name": "ST:0:0:{aa2115a1-9712-457b-9047-dbb71ca2cdd2}" + "$type": "Document", + "DocumentIndex": 5, + "Title": "drivermain.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", + "RelativeDocumentMoniker": "MasterHide\\drivermain.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", + "RelativeToolTip": "MasterHide\\drivermain.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAoAAAAQAAAAAAAAAA==", + "Icon": 
"ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-23T18:20:14.613Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 13, + "Title": "misc.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", + "RelativeDocumentMoniker": "MasterHide\\misc.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", + "RelativeToolTip": "MasterHide\\misc.hpp", + "ViewState": "AgIAACQAAAAAAAAAAAAvwDQAAAABAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-23T06:24:34.848Z" }, { "$type": "Document", "DocumentIndex": 8, - "Title": "hooks.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp", - "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\hooks.hpp", - "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp", - "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\hooks.hpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAABQAAAACAAAAAAAAAA==", + "Title": "loader.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHideLoader\\loader.hpp", + "RelativeDocumentMoniker": "MasterHideLoader\\loader.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHideLoader\\loader.hpp", + "RelativeToolTip": "MasterHideLoader\\loader.hpp", + "ViewState": "AgIAAAMAAAAAAAAAAAAAAAsAAAArAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:19:34.796Z", + "WhenOpened": "2024-08-23T04:14:42.168Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 12, + "DocumentIndex": 4, + "Title": "main.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHideLoader\\main.cpp", + "RelativeDocumentMoniker": "MasterHideLoader\\main.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHideLoader\\main.cpp", + "RelativeToolTip": "MasterHideLoader\\main.cpp", + "ViewState": "AgIAAAwAAAAAAAAAAAAAABcAAAAXAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": 
"2024-08-23T02:42:22.298Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 2, "Title": "shadow_ssdt.cpp", "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp", "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.cpp", "ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp", "RelativeToolTip": "MasterHide\\shadow_ssdt.cpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAABEAAAAUAAAAAAAAAA==", + "ViewState": "AgIAAOAAAAAAAAAAAAAswP0AAAAAAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T05:16:26.761Z", + "WhenOpened": "2024-08-22T23:59:53.632Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 4, + "DocumentIndex": 0, "Title": "hooks.cpp", "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.cpp", "RelativeDocumentMoniker": "MasterHide\\hooks.cpp", "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.cpp", "RelativeToolTip": "MasterHide\\hooks.cpp", - "ViewState": "AgIAACoAAAAAAAAAAAAEwDAAAAAZAAAAAAAAAA==", + "ViewState": "AgIAAE8DAAAAAAAAAAAcwGADAAAiAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", "WhenOpened": "2024-08-22T05:16:23.103Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 6, - "Title": "winnt.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\winnt.hpp", - "RelativeDocumentMoniker": "MasterHide\\winnt.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\winnt.hpp", - "RelativeToolTip": "MasterHide\\winnt.hpp", - "ViewState": "AgIAAPgDAAAAAAAAAAAUwAMEAAAFAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:15:37.931Z", - "EditorCaption": "" - }, - { - "$type": "Document", - "DocumentIndex": 7, - "Title": "hooks.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", - "RelativeDocumentMoniker": "MasterHide\\hooks.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", - "RelativeToolTip": "MasterHide\\hooks.hpp", - 
"ViewState": "AgIAAAMAAAAAAAAAAAAAAA0AAAACAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:14:34.986Z", - "EditorCaption": "" - }, - { - "$type": "Document", - "DocumentIndex": 10, - "Title": "globals.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", - "RelativeDocumentMoniker": "MasterHide\\globals.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", - "RelativeToolTip": "MasterHide\\globals.hpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAsAAAACAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:14:10.424Z", - "EditorCaption": "" - }, - { - "$type": "Document", - "DocumentIndex": 0, + "DocumentIndex": 14, "Title": "includes.hpp", "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\includes.hpp", "RelativeDocumentMoniker": "MasterHide\\includes.hpp", "ToolTip": "A:\\work\\MasterHide\\MasterHide\\includes.hpp", "RelativeToolTip": "MasterHide\\includes.hpp", - "ViewState": "AgIAAAMAAAAAAAAAAAAAAB8AAAAOAAAAAAAAAA==", + "ViewState": "AgIAAAwAAAAAAAAAAAAAACgAAAATAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:14:07.92Z", - "EditorCaption": "" + "WhenOpened": "2024-08-22T23:01:56.465Z" }, { "$type": "Document", - "DocumentIndex": 5, - "Title": "drivermain.cpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", - "RelativeDocumentMoniker": "MasterHide\\drivermain.cpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", - "RelativeToolTip": "MasterHide\\drivermain.cpp", - "ViewState": "AgIAAFQAAAAAAAAAAAAmwGIAAAAOAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T05:12:24.294Z", - "EditorCaption": "" + "DocumentIndex": 15, + "Title": "shadow_ssdt.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", + "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.hpp", + 
"ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", + "RelativeToolTip": "MasterHide\\shadow_ssdt.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAYAAAALAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:18:32.151Z" }, { "$type": "Document", - "DocumentIndex": 11, + "DocumentIndex": 3, "Title": "ssdt.cpp", "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\ssdt.cpp", "RelativeDocumentMoniker": "MasterHide\\ssdt.cpp", "ToolTip": "A:\\work\\MasterHide\\MasterHide\\ssdt.cpp", "RelativeToolTip": "MasterHide\\ssdt.cpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAABQAAAABAAAAAAAAAA==", + "ViewState": "AgIAAMgAAAAAAAAAAAAmwAUBAAAlAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", "WhenOpened": "2024-08-22T05:18:04.012Z", "EditorCaption": "" }, - { - "$type": "Document", - "DocumentIndex": 1, - "Title": "misc.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", - "RelativeDocumentMoniker": "MasterHide\\misc.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", - "RelativeToolTip": "MasterHide\\misc.hpp", - "ViewState": "AgIAACQAAAAAAAAAAAAAAB0AAAAAAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:15:38.11Z", - "EditorCaption": "" - }, - { - "$type": "Document", - "DocumentIndex": 3, - "Title": "misc.cpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.cpp", - "RelativeDocumentMoniker": "MasterHide\\misc.cpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\misc.cpp", - "RelativeToolTip": "MasterHide\\misc.cpp", - "ViewState": "AgIAAA8AAAAAAAAAAAAEwC0AAAABAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T05:16:27.304Z", - "EditorCaption": "" - }, - { - "$type": "Bookmark", - "Name": "ST:0:0:{d3750d8a-574b-4fb3-b7e2-aa8af40e8231}" - }, - { - "$type": "Document", - "DocumentIndex": 15, - "Title": "ssdt.hpp", - "DocumentMoniker": 
"A:\\work\\MasterHide\\MasterHide\\ssdt.hpp", - "RelativeDocumentMoniker": "MasterHide\\ssdt.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\ssdt.hpp", - "RelativeToolTip": "MasterHide\\ssdt.hpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAwAAAAaAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:15:26.408Z" - }, { "$type": "Document", "DocumentIndex": 16, - "Title": "shadow_ssdt.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", - "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", - "RelativeToolTip": "MasterHide\\shadow_ssdt.hpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAgAAAAUAAAAAAAAAA==", + "Title": "globals.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", + "RelativeDocumentMoniker": "MasterHide\\globals.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", + "RelativeToolTip": "MasterHide\\globals.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAUAAAABAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:18:32.151Z" + "WhenOpened": "2024-08-22T05:14:10.424Z" } ] } diff --git a/.vs/MasterHide/v17/DocumentLayout.json b/.vs/MasterHide/v17/DocumentLayout.json index 10f01bc..fe3dc84 100644 --- a/.vs/MasterHide/v17/DocumentLayout.json +++ b/.vs/MasterHide/v17/DocumentLayout.json 
@@ -3,70 +3,72 @@ "WorkspaceRootPath": "A:\\work\\MasterHide\\", "Documents": [ { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|A:\\work\\MasterHide\\MasterHideLoader\\main.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|solutionrelative:MasterHideLoader\\main.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\drivermain.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\drivermain.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\winnt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\winnt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" - }, - { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\hooks.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": 
"D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|A:\\work\\MasterHide\\MasterHideLoader\\klhk.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|solutionrelative:MasterHideLoader\\klhk.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\driver.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|A:\\work\\MasterHide\\MasterHideLoader\\loader.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{018FEB18-6063-4D5F-AC3A-7CDFBD224016}|MasterHideLoader\\MasterHideLoader.vcxproj|solutionrelative:MasterHideLoader\\loader.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\pe.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\pe.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\utils.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\utils.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|C:\\PROGRAM FILES (X86)\\WINDOWS KITS\\10\\INCLUDE\\10.0.26100.0\\KM\\NTIFS.H||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|C:\\PROGRAM FILES (X86)\\WINDOWS KITS\\10\\INCLUDE\\10.0.26100.0\\KM\\WDM.H||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\misc.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { - "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", - "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\includes.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" }, { "AbsoluteMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\shadow_ssdt.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" + }, + { + "AbsoluteMoniker": 
"D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|A:\\work\\MasterHide\\MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}", + "RelativeMoniker": "D:0:0:{68D74A79-3DE6-463F-9F5A-03E719657B14}|MasterHide\\MasterHide.vcxproj|solutionrelative:MasterHide\\globals.hpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}" } ], "DocumentGroupContainers": [ 
@@ -76,230 +78,228 @@ "DocumentGroups": [ { "DockedWidth": 200, - "SelectedChildIndex": 14, + "SelectedChildIndex": 13, "Children": [ + { + "$type": "Bookmark", + "Name": "ST:0:0:{aa2115a1-9712-457b-9047-dbb71ca2cdd2}" + }, { "$type": "Document", - "DocumentIndex": 3, + "DocumentIndex": 1, + "Title": "hooks.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", + "RelativeDocumentMoniker": "MasterHide\\hooks.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", + "RelativeToolTip": "MasterHide\\hooks.hpp", + "ViewState": "AgIAABUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-24T06:15:01.328Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 7, + "Title": "klhk.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHideLoader\\klhk.hpp", + "RelativeDocumentMoniker": "MasterHideLoader\\klhk.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHideLoader\\klhk.hpp", + "RelativeToolTip": "MasterHideLoader\\klhk.hpp", + "ViewState": "AgIAACEAAAAAAAAAAAAAADQAAAAlAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-24T03:11:58.364Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 9, + "Title": "pe.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\pe.cpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\pe.cpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\pe.cpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\pe.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-23T20:17:12.605Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 11, "Title": "utils.cpp", "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp", "RelativeDocumentMoniker": 
"KasperskyHook\\KasperskyHookDrv\\utils.cpp", "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.cpp", "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\utils.cpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + "ViewState": "AgIAACgAAAAAAAAAAAAcwG4AAAAnAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T06:40:21.171Z", + "WhenOpened": "2024-08-23T20:16:21.755Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 9, - "Title": "driver.cpp", - "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp", - "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\driver.cpp", - "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\driver.cpp", - "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\driver.cpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T06:29:36.886Z", + "DocumentIndex": 10, + "Title": "utils.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.hpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\utils.hpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\utils.hpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\utils.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAgAAAAIAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-23T20:14:46.181Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 13, - "Title": "ntifs.h", - "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\ntifs.h", - "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\ntifs.h", - "ViewState": "AgIAAEAAAAAAAAAAAAAmwFQAAAAzAAAAAAAAAA==", + "DocumentIndex": 12, + "Title": "kaspersky.hpp", + "DocumentMoniker": 
"A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\kaspersky.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T06:28:17.411Z", + "WhenOpened": "2024-08-23T20:14:42.005Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 14, - "Title": "wdm.h", - "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\wdm.h", - "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.26100.0\\km\\wdm.h", - "ViewState": "AgIAAD8AAAAAAAAAAAAmwFMAAAAaAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T06:28:15.79Z", + "DocumentIndex": 6, + "Title": "kaspersky.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp", + "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp", + "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp", + "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\kaspersky.cpp", + "ViewState": "AgIAAAIBAAAAAAAAAAAcwB4BAAAVAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-23T20:14:19.128Z", "EditorCaption": "" }, { - "$type": "Bookmark", - "Name": "ST:0:0:{aa2115a1-9712-457b-9047-dbb71ca2cdd2}" + "$type": "Document", + "DocumentIndex": 5, + "Title": "drivermain.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", + "RelativeDocumentMoniker": "MasterHide\\drivermain.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", + "RelativeToolTip": "MasterHide\\drivermain.cpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAoAAAAQAAAAAAAAAA==", + "Icon": 
"ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": "2024-08-23T18:20:14.613Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 13, + "Title": "misc.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", + "RelativeDocumentMoniker": "MasterHide\\misc.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", + "RelativeToolTip": "MasterHide\\misc.hpp", + "ViewState": "AgIAACQAAAAAAAAAAAAvwDQAAAABAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-23T06:24:34.848Z" }, { "$type": "Document", "DocumentIndex": 8, - "Title": "hooks.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp", - "RelativeDocumentMoniker": "KasperskyHook\\KasperskyHookDrv\\hooks.hpp", - "ToolTip": "A:\\work\\MasterHide\\KasperskyHook\\KasperskyHookDrv\\hooks.hpp", - "RelativeToolTip": "KasperskyHook\\KasperskyHookDrv\\hooks.hpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAABQAAAACAAAAAAAAAA==", + "Title": "loader.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHideLoader\\loader.hpp", + "RelativeDocumentMoniker": "MasterHideLoader\\loader.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHideLoader\\loader.hpp", + "RelativeToolTip": "MasterHideLoader\\loader.hpp", + "ViewState": "AgIAAAMAAAAAAAAAAAAAAAsAAAArAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:19:34.796Z", + "WhenOpened": "2024-08-23T04:14:42.168Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 12, + "DocumentIndex": 4, + "Title": "main.cpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHideLoader\\main.cpp", + "RelativeDocumentMoniker": "MasterHideLoader\\main.cpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHideLoader\\main.cpp", + "RelativeToolTip": "MasterHideLoader\\main.cpp", + "ViewState": "AgIAAAwAAAAAAAAAAAAAABcAAAAXAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", + "WhenOpened": 
"2024-08-23T02:42:22.298Z", + "EditorCaption": "" + }, + { + "$type": "Document", + "DocumentIndex": 2, "Title": "shadow_ssdt.cpp", "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp", "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.cpp", "ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.cpp", "RelativeToolTip": "MasterHide\\shadow_ssdt.cpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAABEAAAAUAAAAAAAAAA==", + "ViewState": "AgIAAOAAAAAAAAAAAAAswP0AAAAAAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T05:16:26.761Z", + "WhenOpened": "2024-08-22T23:59:53.632Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 4, + "DocumentIndex": 0, "Title": "hooks.cpp", "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.cpp", "RelativeDocumentMoniker": "MasterHide\\hooks.cpp", "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.cpp", "RelativeToolTip": "MasterHide\\hooks.cpp", - "ViewState": "AgIAACoAAAAAAAAAAAAEwDAAAAAZAAAAAAAAAA==", + "ViewState": "AgIAABwDAAAAAAAAAAAcwGMDAAAaAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", "WhenOpened": "2024-08-22T05:16:23.103Z", "EditorCaption": "" }, { "$type": "Document", - "DocumentIndex": 6, - "Title": "winnt.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\winnt.hpp", - "RelativeDocumentMoniker": "MasterHide\\winnt.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\winnt.hpp", - "RelativeToolTip": "MasterHide\\winnt.hpp", - "ViewState": "AgIAAPgDAAAAAAAAAAAUwAMEAAAFAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:15:37.931Z", - "EditorCaption": "" - }, - { - "$type": "Document", - "DocumentIndex": 7, - "Title": "hooks.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", - "RelativeDocumentMoniker": "MasterHide\\hooks.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\hooks.hpp", - "RelativeToolTip": "MasterHide\\hooks.hpp", - 
"ViewState": "AgIAAAMAAAAAAAAAAAAAAA0AAAACAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:14:34.986Z", - "EditorCaption": "" - }, - { - "$type": "Document", - "DocumentIndex": 10, - "Title": "globals.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", - "RelativeDocumentMoniker": "MasterHide\\globals.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", - "RelativeToolTip": "MasterHide\\globals.hpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAsAAAACAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:14:10.424Z", - "EditorCaption": "" - }, - { - "$type": "Document", - "DocumentIndex": 2, + "DocumentIndex": 14, "Title": "includes.hpp", "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\includes.hpp", "RelativeDocumentMoniker": "MasterHide\\includes.hpp", "ToolTip": "A:\\work\\MasterHide\\MasterHide\\includes.hpp", "RelativeToolTip": "MasterHide\\includes.hpp", - "ViewState": "AgIAAAMAAAAAAAAAAAAAAB8AAAAOAAAAAAAAAA==", + "ViewState": "AgIAAAwAAAAAAAAAAAAAACgAAAATAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:14:07.92Z", - "EditorCaption": "" + "WhenOpened": "2024-08-22T23:01:56.465Z" }, { "$type": "Document", - "DocumentIndex": 5, - "Title": "drivermain.cpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", - "RelativeDocumentMoniker": "MasterHide\\drivermain.cpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\drivermain.cpp", - "RelativeToolTip": "MasterHide\\drivermain.cpp", - "ViewState": "AgIAAFQAAAAAAAAAAAAmwGIAAAAOAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T05:12:24.294Z", - "EditorCaption": "" + "DocumentIndex": 15, + "Title": "shadow_ssdt.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", + "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.hpp", + 
"ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", + "RelativeToolTip": "MasterHide\\shadow_ssdt.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAYAAAALAAAAAAAAAA==", + "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", + "WhenOpened": "2024-08-22T05:18:32.151Z" }, { "$type": "Document", - "DocumentIndex": 11, + "DocumentIndex": 3, "Title": "ssdt.cpp", "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\ssdt.cpp", "RelativeDocumentMoniker": "MasterHide\\ssdt.cpp", "ToolTip": "A:\\work\\MasterHide\\MasterHide\\ssdt.cpp", "RelativeToolTip": "MasterHide\\ssdt.cpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAABQAAAABAAAAAAAAAA==", + "ViewState": "AgIAAMgAAAAAAAAAAAAmwAUBAAAlAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", "WhenOpened": "2024-08-22T05:18:04.012Z", "EditorCaption": "" }, - { - "$type": "Document", - "DocumentIndex": 0, - "Title": "misc.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", - "RelativeDocumentMoniker": "MasterHide\\misc.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\misc.hpp", - "RelativeToolTip": "MasterHide\\misc.hpp", - "ViewState": "AgIAACQAAAAAAAAAAAAAAB0AAAAAAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:15:38.11Z", - "EditorCaption": "" - }, - { - "$type": "Document", - "DocumentIndex": 1, - "Title": "misc.cpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\misc.cpp", - "RelativeDocumentMoniker": "MasterHide\\misc.cpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\misc.cpp", - "RelativeToolTip": "MasterHide\\misc.cpp", - "ViewState": "AgIAAA8AAAAAAAAAAAAEwC0AAAABAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|", - "WhenOpened": "2024-08-22T05:16:27.304Z", - "EditorCaption": "" - }, - { - "$type": "Bookmark", - "Name": "ST:0:0:{d3750d8a-574b-4fb3-b7e2-aa8af40e8231}" - }, - { - "$type": "Document", - "DocumentIndex": 15, - "Title": "ssdt.hpp", - "DocumentMoniker": 
"A:\\work\\MasterHide\\MasterHide\\ssdt.hpp", - "RelativeDocumentMoniker": "MasterHide\\ssdt.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\ssdt.hpp", - "RelativeToolTip": "MasterHide\\ssdt.hpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAwAAAAaAAAAAAAAAA==", - "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:15:26.408Z" - }, { "$type": "Document", "DocumentIndex": 16, - "Title": "shadow_ssdt.hpp", - "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", - "RelativeDocumentMoniker": "MasterHide\\shadow_ssdt.hpp", - "ToolTip": "A:\\work\\MasterHide\\MasterHide\\shadow_ssdt.hpp", - "RelativeToolTip": "MasterHide\\shadow_ssdt.hpp", - "ViewState": "AgIAAAAAAAAAAAAAAAAAAAgAAAAUAAAAAAAAAA==", + "Title": "globals.hpp", + "DocumentMoniker": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", + "RelativeDocumentMoniker": "MasterHide\\globals.hpp", + "ToolTip": "A:\\work\\MasterHide\\MasterHide\\globals.hpp", + "RelativeToolTip": "MasterHide\\globals.hpp", + "ViewState": "AgIAAAAAAAAAAAAAAAAAAAUAAAABAAAAAAAAAA==", "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|", - "WhenOpened": "2024-08-22T05:18:32.151Z" + "WhenOpened": "2024-08-22T05:14:10.424Z" } ] } diff --git a/MasterHide.sln b/MasterHide.sln index 0fe977e..c58f4b5 100644 --- a/MasterHide.sln +++ b/MasterHide.sln 
@@ -1,62 +1,34 @@  Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 16 -VisualStudioVersion = 16.0.30406.217 +# Visual Studio Version 17 +VisualStudioVersion = 17.11.35219.272 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MasterHide", "MasterHide\MasterHide.vcxproj", "{68D74A79-3DE6-463F-9F5A-03E719657B14}" EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestHide", "TestHide\TestHide.vcxproj", "{F3EC3652-037E-45A3-9C0B-7703800D858B}" EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KasperskyHookLoader", "KasperskyHook\KasperskyHookLoader\KasperskyHookLoader.vcxproj", "{AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}" +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MasterHideLoader", "MasterHideLoader\MasterHideLoader.vcxproj", "{018FEB18-6063-4D5F-AC3A-7CDFBD224016}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution - Debug|ARM = Debug|ARM - Debug|ARM64 = Debug|ARM64 Debug|x64 = Debug|x64 - Debug|x86 = Debug|x86 - Release|ARM = Release|ARM - Release|ARM64 = Release|ARM64 Release|x64 = Release|x64 - Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution - {68D74A79-3DE6-463F-9F5A-03E719657B14}.Debug|ARM.ActiveCfg = Debug|x64 - {68D74A79-3DE6-463F-9F5A-03E719657B14}.Debug|ARM64.ActiveCfg = Debug|x64 {68D74A79-3DE6-463F-9F5A-03E719657B14}.Debug|x64.ActiveCfg = Debug|x64 {68D74A79-3DE6-463F-9F5A-03E719657B14}.Debug|x64.Build.0 = Debug|x64 {68D74A79-3DE6-463F-9F5A-03E719657B14}.Debug|x64.Deploy.0 = Debug|x64 - {68D74A79-3DE6-463F-9F5A-03E719657B14}.Debug|x86.ActiveCfg = Debug|x64 - {68D74A79-3DE6-463F-9F5A-03E719657B14}.Release|ARM.ActiveCfg = Release|x64 - {68D74A79-3DE6-463F-9F5A-03E719657B14}.Release|ARM64.ActiveCfg = Release|x64 {68D74A79-3DE6-463F-9F5A-03E719657B14}.Release|x64.ActiveCfg = Release|x64 {68D74A79-3DE6-463F-9F5A-03E719657B14}.Release|x64.Build.0 = Release|x64 
{68D74A79-3DE6-463F-9F5A-03E719657B14}.Release|x64.Deploy.0 = Release|x64 - {68D74A79-3DE6-463F-9F5A-03E719657B14}.Release|x86.ActiveCfg = Release|x64 - {F3EC3652-037E-45A3-9C0B-7703800D858B}.Debug|ARM.ActiveCfg = Debug|Win32 - {F3EC3652-037E-45A3-9C0B-7703800D858B}.Debug|ARM64.ActiveCfg = Debug|Win32 {F3EC3652-037E-45A3-9C0B-7703800D858B}.Debug|x64.ActiveCfg = Debug|x64 {F3EC3652-037E-45A3-9C0B-7703800D858B}.Debug|x64.Build.0 = Debug|x64 - {F3EC3652-037E-45A3-9C0B-7703800D858B}.Debug|x86.ActiveCfg = Debug|Win32 - {F3EC3652-037E-45A3-9C0B-7703800D858B}.Debug|x86.Build.0 = Debug|Win32 - {F3EC3652-037E-45A3-9C0B-7703800D858B}.Release|ARM.ActiveCfg = Release|Win32 - {F3EC3652-037E-45A3-9C0B-7703800D858B}.Release|ARM64.ActiveCfg = Release|Win32 {F3EC3652-037E-45A3-9C0B-7703800D858B}.Release|x64.ActiveCfg = Release|x64 {F3EC3652-037E-45A3-9C0B-7703800D858B}.Release|x64.Build.0 = Release|x64 - {F3EC3652-037E-45A3-9C0B-7703800D858B}.Release|x86.ActiveCfg = Release|Win32 - {F3EC3652-037E-45A3-9C0B-7703800D858B}.Release|x86.Build.0 = Release|Win32 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Debug|ARM.ActiveCfg = Debug|Win32 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Debug|ARM64.ActiveCfg = Debug|Win32 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Debug|x64.ActiveCfg = Debug|x64 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Debug|x64.Build.0 = Debug|x64 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Debug|x86.ActiveCfg = Debug|Win32 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Debug|x86.Build.0 = Debug|Win32 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Release|ARM.ActiveCfg = Release|Win32 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Release|ARM64.ActiveCfg = Release|Win32 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Release|x64.ActiveCfg = Release|x64 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Release|x64.Build.0 = Release|x64 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Release|x86.ActiveCfg = Release|Win32 - {AC843DC7-AE89-45D5-AD78-EDCB560ACCC3}.Release|x86.Build.0 = Release|Win32 + 
{018FEB18-6063-4D5F-AC3A-7CDFBD224016}.Debug|x64.ActiveCfg = Debug|x64 + {018FEB18-6063-4D5F-AC3A-7CDFBD224016}.Debug|x64.Build.0 = Debug|x64 + {018FEB18-6063-4D5F-AC3A-7CDFBD224016}.Release|x64.ActiveCfg = Release|x64 + {018FEB18-6063-4D5F-AC3A-7CDFBD224016}.Release|x64.Build.0 = Release|x64 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/MasterHide/MasterHide.vcxproj b/MasterHide/MasterHide.vcxproj index 3e64b09..729efdf 100644 --- a/MasterHide/MasterHide.vcxproj +++ b/MasterHide/MasterHide.vcxproj @@ -19,7 +19,7 @@ Win32 MasterHide 10.0.26100.0 - masterhide + MasterHide @@ -29,6 +29,7 @@ WDM Windows10 Universal + Spectre Windows7 @@ -38,6 +39,7 @@ WDM Desktop <_NT_TARGET_VERSION>0x0601 + Spectre @@ -50,10 +52,16 @@ DbgengKernelDebugger false + $(VC_IncludePath);$(KM_IncludePath);$(KIT_SHARED_IncludePath) + $(ExternalIncludePath) + ..\bin\$(Configuration)\ DbgengKernelDebugger false + $(VC_IncludePath);$(KM_IncludePath);$(KIT_SHARED_IncludePath) + $(ExternalIncludePath) + ..\bin\$(Configuration)\ @@ -61,8 +69,10 @@ ..\KasperskyHook\KasperskyHookDrv;%(AdditionalIncludeDirectories) - _DEBUG;%(PreprocessorDefinitions) + _NO_CRT_STDIO_INLINE;__STDC_WANT_SECURE_LIB__=0;SCOPE_GUARD_NO_THROW_ACTION;_DEBUG;%(PreprocessorDefinitions) 4996;%(DisableSpecificWarnings) + stdcpp20 + false false @@ -81,6 +91,9 @@ ..\KasperskyHook\KasperskyHookDrv;%(AdditionalIncludeDirectories) 4996;%(DisableSpecificWarnings) + stdcpp20 + _NO_CRT_STDIO_INLINE;__STDC_WANT_SECURE_LIB__=0;SCOPE_GUARD_NO_THROW_ACTION;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions) + false false @@ -117,6 +130,7 @@ + diff --git a/MasterHide/MasterHide.vcxproj.filters b/MasterHide/MasterHide.vcxproj.filters index 17607bd..ff4b140 100644 --- a/MasterHide/MasterHide.vcxproj.filters +++ b/MasterHide/MasterHide.vcxproj.filters @@ -17,7 +17,7 @@ {8E41214B-6785-4CFE-B992-037D68949A14} inf;inv;inx;mof;mc; - + {6c5d2264-5690-4b45-b290-99996ca571c5} 
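Review bot: The new Debug and Release definitions add `__STDC_WANT_SECURE_LIB__=0` while C4996 remains in DisableSpecificWarnings, which together strip the `_s` CRT declarations and silence the deprecation warning that steers code away from `strcpy`/`wcscpy`/`sprintf`-style calls across the whole driver. For kernel code the intended replacement is `ntstrsafe.h` (`RtlStringCbCopyW`, `RtlStringCbPrintfA`, …), so if the defines are only needed to satisfy a vendored header, a one-line comment in the project saying so would keep the next maintainer from treating unchecked string calls as sanctioned. The Spectre-mitigated toolset and stdcpp20 settings look fine.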
@@ -35,25 +35,25 @@ Source Files - Header Files\Kaspersky + Header Files\KasperskyHook - Header Files\Kaspersky + Header Files\KasperskyHook - Header Files\Kaspersky + Header Files\KasperskyHook - Header Files\Kaspersky + Header Files\KasperskyHook - Header Files\Kaspersky + Header Files\KasperskyHook Source Files - Header Files\Kaspersky + Header Files\KasperskyHook @@ -73,13 +73,13 @@ Header Files - Header Files\Kaspersky + Header Files\KasperskyHook - Header Files\Kaspersky + Header Files\KasperskyHook - Header Files\Kaspersky + Header Files\KasperskyHook Header Files @@ -88,10 +88,13 @@ Header Files - Header Files\Kaspersky + Header Files\KasperskyHook - Header Files\Kaspersky + Header Files\KasperskyHook + + + Header Files \ No newline at end of file diff --git a/MasterHide/drivermain.cpp b/MasterHide/drivermain.cpp index 204e369..8870dc1 100644 --- a/MasterHide/drivermain.cpp +++ b/MasterHide/drivermain.cpp 
@@ -1,118 +1,104 @@ #include "includes.hpp" -void OnDriverUnload(PDRIVER_OBJECT pDriverObject) +void DriverUnload(PDRIVER_OBJECT pDriverObject) { UNREFERENCED_PARAMETER(pDriverObject); + DBGPRINT("Unload called\n"); + ssdt::Destroy(); sssdt::Destroy(); + syscalls::Destroy(); - // - // Delay the execution for a second to make sure no thread is executing the hooked function - // - LARGE_INTEGER LargeInteger{}; - LargeInteger.QuadPart = -11000000; + DBGPRINT("Waiting for hooks to complete!"); - KeDelayExecutionThread(KernelMode, FALSE, &LargeInteger); - tools::UnloadImages(); + hooks::WaitForHooksCompletion(); - DBGPRINT("Driver unload routine triggered!\n"); + DBGPRINT("MasterHide unloaded!"); } extern "C" NTSTATUS NTAPI DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) { UNREFERENCED_PARAMETER(pRegistryPath); - if (!pDriverObject) + NTSTATUS status = STATUS_SUCCESS; + + DBGPRINT("MasterHide is loading!"); + + RTL_OSVERSIONINFOW os{}; + os.dwOSVersionInfoSize = sizeof(os); + + status = RtlGetVersion(&os); + if (!NT_SUCCESS(status)) { - DBGPRINT("Err: No driver object!\n"); + DBGPRINT("Err: RtlGetVersion returned 0x%08X", status); return STATUS_FAILED_DRIVER_ENTRY; } - RTL_OSVERSIONINFOW os{}; - os.dwOSVersionInfoSize = sizeof(os); + const ULONG majorVersion = os.dwMajorVersion; + const ULONG minorVersion = os.dwMinorVersion; - if (!NT_SUCCESS(RtlGetVersion(&os))) + if (!((majorVersion == 10 && minorVersion == 1) || // Windows 11 + (majorVersion == 10 && minorVersion == 0) || // Windows 10 + (majorVersion == 6 && minorVersion == 3) || // Windows 8.1 + (majorVersion == 6 && minorVersion == 2) || // Windows 8 + (majorVersion == 6 && minorVersion == 1))) // Windows 7 { - DBGPRINT("Err: RtlGetVersion failed!\n"); + DBGPRINT("Err: Unsupported Windows version. 
Major = %d Minor = %d", majorVersion, minorVersion); return STATUS_FAILED_DRIVER_ENTRY; } - pDriverObject->DriverUnload = &OnDriverUnload; - DBGPRINT("Driver loaded!\n"); + DBGPRINT("Windows Major = %d Minor = %d Build = %d", majorVersion, minorVersion, os.dwBuildNumber); + +#ifdef USE_KASPERSKY + DBGPRINT("Using kaspersky hook."); - // - // If the OS is either Windows 10, 8/8.1 those are the only supported OS - // - bool bIsWin7 = (os.dwMajorVersion == 6 && os.dwMinorVersion == 1); + if (!::utils::init()) + { + DBGPRINT("Err: utils not initialized!"); + return STATUS_FAILED_DRIVER_ENTRY; + } + + if (!kaspersky::is_klhk_loaded() || !kaspersky::initialize()) + { + DBGPRINT("Err: Failed to setup kaspersky!"); + return STATUS_FAILED_DRIVER_ENTRY; + } - if (os.dwMajorVersion == 10 || (bIsWin7 || (os.dwMajorVersion == 6 && os.dwMinorVersion == 2) || - (os.dwMajorVersion == 6 && os.dwMinorVersion == 3))) + status = kaspersky::hvm_init(); + if (!NT_SUCCESS(status)) { - // This special API only works in Win8+ and it basically allows you to set no executable flag in NonPagedPools - ExInitializeDriverRuntime(DrvRtPoolNxOptIn); - - // - // Sycalls numbers are OS based, since user32.dll doesnt export them in early Windows versions ( Win7 for - // example ) we hardcode them and extract them on newer systems that export it ( Win8+ for example in win32u.dll - // ) - // - if (!bIsWin7) - { - SYSCALL_NTUSERQUERYWND = tools::GetWin32Syscall("NtUserQueryWindow"); - SYSCALL_NTUSERFINDWNDEX = tools::GetWin32Syscall("NtUserFindWindowEx"); - SYSCALL_NTUSERWNDFROMPOINT = tools::GetWin32Syscall("NtUserWindowFromPoint"); - SYSCALL_NTUSERBUILDWNDLIST = tools::GetWin32Syscall("NtUserBuildHwndList"); - SYSCALL_NTGETFOREGROUNDWND = tools::GetWin32Syscall("NtUserGetForegroundWindow"); - - SYSCALL_NTOPENPROCESS = tools::GetNtSyscall("NtOpenProcess"); - SYSCALL_NTDEVICEIOCTRLFILE = tools::GetNtSyscall("NtDeviceIoControlFile"); - SYSCALL_NTQUERYSYSINFO = 
tools::GetNtSyscall("NtQuerySystemInformation"); - SYSCALL_NTALLOCVIRTUALMEM = tools::GetNtSyscall("NtAllocateVirtualMemory"); - SYSCALL_NTFREEVIRTUALMEM = tools::GetNtSyscall("NtFreeVirtualMemory"); - SYSCALL_NTWRITEVIRTUALMEM = tools::GetNtSyscall("NtWriteVirtualMemory"); - SYSCALL_NTLOADDRIVER = tools::GetNtSyscall("NtLoadDriver"); - } - -#ifndef USE_KASPERSKY - // - // (S)SSDT Hooks are only Win7 compatible ( hardcoded ) - // - DBGPRINT("Not using Kaspersky to hook, Shadow SSDT is unstable!\n"); + DBGPRINT("Err: hvm_init returned 0x%08X", status); + return STATUS_FAILED_DRIVER_ENTRY; + } + + DBGPRINT("Kaspersky hypervisor loaded!"); #else - DBGPRINT("Using Kaspersky!\n"); - - if (!kaspersky::is_klhk_loaded()) - { - tools::UnloadImages(); - DBGPRINT("Kaspersky not loaded!\n"); - return STATUS_UNSUCCESSFUL; - } - - if (!kaspersky::initialize()) - { - tools::UnloadImages(); - DBGPRINT("Kaspersky init failed!\n"); - return STATUS_UNSUCCESSFUL; - } - - DBGPRINT("Using Kaspersky hypervisor!\n"); - - if (!kaspersky::hvm_init()) - { - tools::UnloadImages(); - DBGPRINT("Hypervisor not loaded!\n"); - return STATUS_UNSUCCESSFUL; - } - - DBGPRINT("Hypervisor loaded!\n"); + DBGPRINT("MasterHide is using odinary SSDT hooks, which means: It only can be used on PatchGuard disabled " + "environment, such as kernel debugger attached or manually patching the kernel! The system WILL crash if " + "PatchGuard is enabled.\n"); #endif - ssdt::Init(); - sssdt::Init(); + + pDriverObject->DriverUnload = &DriverUnload; + + // attach to win32k process first please. 
+ + PEPROCESS winlogon = tools::GetProcessByName(L"winlogon.exe"); + if (!winlogon) + { + DBGPRINT("Err: winlogon.exe process not found!"); + return STATUS_FAILED_DRIVER_ENTRY; } - else - // No support for other OS - return STATUS_NOT_SUPPORTED; + + KeAttachProcess(winlogon); + + syscalls::Init(); + ssdt::Init(); + sssdt::Init(); + + KeDetachProcess(); + + DBGPRINT("MasterHide loaded!"); return STATUS_SUCCESS; } \ No newline at end of file diff --git a/MasterHide/fnv1a.hpp b/MasterHide/fnv1a.hpp new file mode 100644 index 0000000..9450a28 --- /dev/null +++ b/MasterHide/fnv1a.hpp @@ -0,0 +1,42 @@ +#pragma once + +using FNV1A_t = ULONGLONG; + +/* + * 64-BIT FNV1A HASH + */ +namespace FNV1A +{ +/* @section: [internal] constants */ +constexpr FNV1A_t ullBasis = 0xCBF29CE484222325ULL; +constexpr FNV1A_t ullPrime = 0x100000001B3ULL; + +/* @section: get */ +/// @param[in] szString string for which you want to generate a hash +/// @param[in] uKey key of hash generation +/// @returns: calculated at compile-time hash of given string +consteval FNV1A_t HashConst(const char *szString, const FNV1A_t uKey = ullBasis) noexcept +{ + return (szString[0] == '\0') ? uKey + : HashConst(&szString[1], (uKey ^ static_cast(szString[0])) * ullPrime); +} + +/// @param[in] szString string for which you want to generate a hash +/// @param[in] uKey key of hash generation +/// @returns: calculated at run-time hash of given string +inline FNV1A_t Hash(const char *szString, FNV1A_t uKey = ullBasis) noexcept +{ + + const char *s; + + for (s = szString; *s; ++s) + { + uKey ^= *s; + uKey *= ullPrime; + } + + return uKey; +} +} // namespace FNV1A + +#define FNV(s) FNV1A::HashConst(s) \ No newline at end of file diff --git a/MasterHide/globals.hpp b/MasterHide/globals.hpp index 6cbf69f..3c73167 100644 --- a/MasterHide/globals.hpp +++ b/MasterHide/globals.hpp 
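Review bot: The accepted-version test in DriverEntry labels `majorVersion == 10 && minorVersion == 1` as Windows 11, but RtlGetVersion reports Windows 11 as 10.0 with dwBuildNumber >= 22000, so that clause can never match and any later logic keyed on it would never run; fold it into the 10.0 case, e.g. `(majorVersion == 10 && minorVersion == 0) || // Windows 10 and 11 (11 reports 10.0, build >= 22000)`. KeAttachProcess/KeDetachProcess are documented as obsolete in favour of KeStackAttachProcess/KeUnstackDetachProcess, and the PEPROCESS obtained from tools::GetProcessByName is never released after the detach — if that helper returns a referenced object (its body is not in this hunk), winlogon's EPROCESS leaks a reference on every load, so add `ObDereferenceObject(winlogon);` after `KeDetachProcess();` in that case. The three Init() calls run while attached and their results are not examined, so DriverEntry returns STATUS_SUCCESS even when hooking failed — worth confirming they cannot fail, or propagating a status and returning it before `DBGPRINT("MasterHide loaded!")`. Minor: the log string in the `#else` branch reads "odinary".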
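Review bot: The run-time `Hash` folds each byte with `uKey ^= *s;` where `*s` is a plain `char`, so under MSVC's signed `char` every byte >= 0x80 is sign-extended to 64 bits before the XOR and the digest diverges from octet-wise FNV-1a; unless the cast in `HashConst` (its target type was lost in rendering) also goes through `unsigned char`, the compile-time `FNV("…")` and the run-time `Hash(...)` of the same non-ASCII string will differ and a lookup keyed on the constant will silently never match. Use `uKey ^= static_cast<unsigned char>(*s);` in `Hash` and `static_cast<unsigned char>(szString[0])` in `HashConst` so both paths hash the same octets. A header comment stating that the two functions are required to agree (and that inputs are treated as raw bytes, not wide strings) would make the invariant explicit.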
@@ -4,51 +4,5 @@ namespace masterhide { namespace globals { -// -// Custom MAC Address -// -static UCHAR szFakeMAC[] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x2}; - -// -// Custom HD Serial and Model -// -static char szFakeSerial[] = "XJEBA1973M2"; - -static char *szFakeModels[] = { - "Samsung EVO 970", - //... -}; - -// -// Those drivers will not appear on drivers list -// -static char *szProtectedDrivers[] = { - "dbk64", "processhacker2", - //... -}; - -// -// Those processes will not appear on process list or via window methods -// -static wchar_t *wsProtectedProcesses[] = { - L"cheatengine", L"ProcessHacker" - //... -}; - -// -// Those processes will be monitored -// -static wchar_t *wsMonitoredProcesses[] = { - L"Tibia", - //... -}; - -// -// Those processess will be blacklisted to query data on protect processes -// -static wchar_t *wsBlacklistedProcessess[] = { - L"Tibia", - //... -}; } // namespace globals }; // namespace masterhide \ No newline at end of file diff --git a/MasterHide/hooks.cpp b/MasterHide/hooks.cpp index 4833ce6..8d79e89 100644 --- a/MasterHide/hooks.cpp +++ b/MasterHide/hooks.cpp 
@@ -2,173 +2,142 @@ namespace masterhide { -namespace tools +namespace process { -bool IsProtectedProcess(HANDLE PID) +bool IsProtectedProcess(_In_ HANDLE processId) { - UNICODE_STRING wsProcName{}; - if (!GetProcessName(PID, &wsProcName)) - { - return false; - } - - bool bResult = false; - if (wsProcName.Buffer) - { - for (int i = 0; i < ARRAYSIZE(globals::wsProtectedProcesses); ++i) - { - if (wcsstr(wsProcName.Buffer, globals::wsProtectedProcesses[i])) - { - bResult = true; - break; - } - } - FreeUnicodeString(&wsProcName); - } - return bResult; + UNREFERENCED_PARAMETER(processId); + // TODO: implement + return false; } -bool IsProtectedProcess(PWCH Buffer) +bool IsProtectedProcess(_In_ LPCWSTR processName) { - if (!Buffer) - return false; + UNREFERENCED_PARAMETER(processName); + // TODO: implement + return false; +} - for (int i = 0; i < ARRAYSIZE(globals::wsProtectedProcesses); ++i) - { - if (wcsstr(Buffer, globals::wsProtectedProcesses[i])) - { - return true; - } - } +bool IsProtectedProcess(_In_ PEPROCESS process) +{ + UNREFERENCED_PARAMETER(process); + // TODO: implement return false; } -bool IsProtectedProcessEx(PEPROCESS Process) +bool IsMonitoredProcess(_In_ HANDLE processId) { - UNICODE_STRING wsProcName{}; - if (!GetProcessNameByPEPROCESS(Process, &wsProcName)) - return false; + UNREFERENCED_PARAMETER(processId); + // TODO: implement + return false; +} - bool bResult = false; - if (wsProcName.Buffer) - { - for (int i = 0; i < ARRAYSIZE(globals::wsProtectedProcesses); ++i) - { - if (wcsstr(wsProcName.Buffer, globals::wsProtectedProcesses[i])) - { - bResult = true; - break; - } - } - FreeUnicodeString(&wsProcName); - } - return bResult; +bool IsMonitoredProcess(_In_ PEPROCESS process) +{ + UNREFERENCED_PARAMETER(process); + // TODO: implement + return false; } -bool IsMonitoredProcess(HANDLE PID) +bool IsBlacklistedProcess(_In_ HANDLE processId) { - UNICODE_STRING wsProcName{}; - if (!GetProcessName(PID, &wsProcName)) - return false; + 
UNREFERENCED_PARAMETER(processId); + // TODO: implement + return false; +} - bool bResult = false; - if (wsProcName.Buffer) - { - for (int i = 0; i < ARRAYSIZE(globals::wsMonitoredProcesses); ++i) - { - if (wcsstr(wsProcName.Buffer, globals::wsMonitoredProcesses[i])) - { - bResult = true; - break; - } - } - FreeUnicodeString(&wsProcName); - } - return bResult; +bool IsBlacklistedProcess(_In_ PEPROCESS process) +{ + UNREFERENCED_PARAMETER(process); + // TODO: implement + return false; } -bool IsMonitoredProcessEx(PEPROCESS Process) +enum EProcessPolicyFlags { - UNICODE_STRING wsProcName{}; - if (!GetProcessNameByPEPROCESS(Process, &wsProcName)) + ProcessPolicyFlagProtected, + ProcessPolicyFlagSystem, +}; + +ULONG g_processPolicyFlags = 0; + +bool IsProcessInPolicy(_In_ PEPROCESS process) +{ + if (PsIsProtectedProcess(process) && !BooleanFlagOn(g_processPolicyFlags, ProcessPolicyFlagProtected)) + { + // Ignore protected processes return false; + } - bool bResult = false; - if (wsProcName.Buffer) + if (PsIsSystemProcess(process) && !BooleanFlagOn(g_processPolicyFlags, ProcessPolicyFlagSystem)) { - for (int i = 0; i < ARRAYSIZE(globals::wsMonitoredProcesses); ++i) - { - if (wcsstr(wsProcName.Buffer, globals::wsMonitoredProcesses[i])) - { - bResult = true; - break; - } - } - FreeUnicodeString(&wsProcName); + // Ignore system processes + return false; } - return bResult; + + return process::IsProtectedProcess(process); } -bool IsBlacklistedProcess(HANDLE PID) +bool IsProcessInPolicy(_In_ HANDLE processHandle) { - UNICODE_STRING wsProcName{}; - if (!GetProcessName(PID, &wsProcName)) - return false; + PEPROCESS process = nullptr; - bool bResult = false; - if (wsProcName.Buffer) + const NTSTATUS status = ObReferenceObjectByHandle(processHandle, 0, *PsProcessType, KernelMode, + reinterpret_cast(&process), nullptr); + if (!NT_SUCCESS(status)) { - for (int i = 0; i < ARRAYSIZE(globals::wsBlacklistedProcessess); ++i) - { - if (wcsstr(wsProcName.Buffer, 
globals::wsBlacklistedProcessess[i])) - { - bResult = true; - break; - } - } - FreeUnicodeString(&wsProcName); + DBGPRINT("Err: ObReferenceObjectByHandle returned 0x%08X", status); + return false; } - return bResult; + + SCOPE_EXIT + { + ObDereferenceObject(process); + }; + + return IsProcessInPolicy(process); } +} // namespace process -bool IsBlacklistedProcessEx(PEPROCESS Process) +namespace hooks { - UNICODE_STRING wsProcName{}; - if (!GetProcessNameByPEPROCESS(Process, &wsProcName)) - return false; +volatile LONG g_refCount = 0; - bool bResult = false; - if (wsProcName.Buffer) +void WaitForHooksCompletion() +{ + DBGPRINT("%d ref counts", g_refCount); + + while (InterlockedCompareExchange(&g_refCount, 0, 0) != 0) { - for (int i = 0; i < ARRAYSIZE(globals::wsBlacklistedProcessess); ++i) - { - if (wcsstr(wsProcName.Buffer, globals::wsBlacklistedProcessess[i])) - { - bResult = true; - break; - } - } - FreeUnicodeString(&wsProcName); + DBGPRINT("%d references left", g_refCount); + YieldProcessor(); } - return bResult; } -} // namespace tools -}; // namespace masterhide -NtOpenProcess_ oNtOpenProcess = NULL; NTSTATUS NTAPI hkNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId) { - const auto ret = oNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId); - if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess()) || - tools::IsProtectedProcess(PsGetCurrentProcessId())) - return ret; + PAGED_CODE(); - if (NT_SUCCESS(ret)) + InterlockedIncrement(&g_refCount); + SCOPE_EXIT { - if (tools::IsBlacklistedProcess(PsGetCurrentProcessId())) + InterlockedDecrement(&g_refCount); + }; + + const PEPROCESS currentProcess = PsGetCurrentProcess(); + if (!process::IsProcessInPolicy(currentProcess)) + { + // Process is not meant to be monitored. 
+ return oNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId); + } + + const NTSTATUS status = oNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId); + if (NT_SUCCESS(status)) + { + if (process::IsBlacklistedProcess(PsGetCurrentProcessId())) { - if (tools::IsProtectedProcess(ClientId->UniqueProcess)) + if (process::IsProtectedProcess(ClientId->UniqueProcess)) { DBGPRINT("Denying access from PID %p to PID %p\n", PsGetCurrentProcessId(), ClientId->UniqueProcess); ZwClose(*ProcessHandle); 
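Review bot: `EProcessPolicyFlags` is a plain enum with implicit values 0 and 1, but `IsProcessInPolicy(PEPROCESS)` tests them with `BooleanFlagOn`, so `ProcessPolicyFlagProtected` (value 0) can never be set and `ProcessPolicyFlagSystem` (value 1) occupies bit 0; declare them as bits, `ProcessPolicyFlagProtected = 1 << 0,` and `ProcessPolicyFlagSystem = 1 << 1,`. That function ends with `return process::IsProtectedProcess(process);`, so the hooks gated on `!process::IsProcessInPolicy(currentProcess)` (hkNtOpenProcess here and the memory hooks in the following hunk) now act only when the caller itself is on the protected list, whereas the removed code skipped protected callers and acted on everyone else — the `IsBlacklistedProcess` check that follows suggests this is inverted, so the meaning of "in policy" should be settled and stated in a comment on the function. `IsProcessInPolicy(HANDLE)` references the handle with `KernelMode`, while hkNtWriteVirtualMemory in the next hunk uses `ExGetPreviousMode()` for a handle arriving by the same syscall path; `KernelMode` skips the access-mode check on a user-supplied handle, so pass `ExGetPreviousMode()` unless this overload is documented as kernel-only. `WaitForHooksCompletion` logs `g_refCount` with plain reads while the loop condition uses the interlocked read, which is harmless but may print stale values.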
@@ -177,76 +146,75 @@ NTSTATUS NTAPI hkNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, } } - if (tools::IsMonitoredProcess(ClientId->UniqueProcess)) + if (process::IsMonitoredProcess(ClientId->UniqueProcess)) { - UNICODE_STRING wsProcName{}; - if (tools::GetProcessName(ClientId->UniqueProcess, &wsProcName)) - { - if (wsProcName.Buffer) - { - auto ShortName = wcsrchr(wsProcName.Buffer, '\\'); - DBGPRINT("[ OP ] PID %p is opening a handle with access mask 0x%X to process %ws\n", - PsGetCurrentProcessId(), DesiredAccess, ShortName); - FreeUnicodeString(&wsProcName); - } - } + // TODO: implement } } - return ret; + return status; } -NtWriteVirtualMemory_ oNtWriteVirtualMemory = NULL; NTSTATUS NTAPI hkNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten) { - const auto res = - oNtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten); - if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess()) || - tools::IsProtectedProcess(PsGetCurrentProcessId())) - return res; + PAGED_CODE(); - if (NT_SUCCESS(res)) + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; + + const PEPROCESS currentProcess = PsGetCurrentProcess(); + if (!process::IsProcessInPolicy(currentProcess)) + { + // Process is not meant to be monitored. 
+ return oNtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten); + } + + const NTSTATUS status = + oNtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten); + if (NT_SUCCESS(status)) { - // - // Get Name from handle - // PEPROCESS Process = nullptr; auto ret = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), (PVOID *)&Process, nullptr); if (!NT_SUCCESS(ret)) - return res; + { + return status; + } - if (tools::IsMonitoredProcessEx(Process)) + if (process::IsMonitoredProcess(Process)) { - UNICODE_STRING wsProcName{}; - if (tools::GetProcessName(PsGetCurrentProcessId(), &wsProcName)) - { - if (wsProcName.Buffer) - { - auto ShortName = wcsrchr(wsProcName.Buffer, '\\'); - DBGPRINT("[ WPM ] 
From: %p to %ws with BaseAddress 0x%p Buffer 0x%p Length %d\n", - PsGetCurrentProcessId(), ShortName, BaseAddress, Buffer, NumberOfBytesToWrite); - FreeUnicodeString(&wsProcName); - } - } + // TODO: implement } ObDereferenceObject(Process); } - return res; + return status; } -NtAllocateVirtualMemory_ oNtAllocateVirtualMemory = NULL; NTSTATUS NTAPI hkNtAllocateVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect) { - const auto res = - oNtAllocateVirtualMemory(ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect); - if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess()) || - tools::IsProtectedProcess(PsGetCurrentProcessId())) - return res; + PAGED_CODE(); - if (NT_SUCCESS(res) && BaseAddress && RegionSize && *RegionSize >= 0x1000) + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; + + const PEPROCESS currentProcess = PsGetCurrentProcess(); + if (!process::IsProcessInPolicy(currentProcess)) + { + // Process is not meant to be monitored. + return oNtAllocateVirtualMemory(ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect); + } + + const NTSTATUS status = + oNtAllocateVirtualMemory(ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect); + if (NT_SUCCESS(status) && BaseAddress && RegionSize && *RegionSize >= 0x1000) { // // Get Name from handle 
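Review bot: The added `if (NT_SUCCESS(status) && BaseAddress && RegionSize && *RegionSize >= 0x1000)` in hkNtAllocateVirtualMemory dereferences the caller's `RegionSize` outside any `__try`, although the `ExGetPreviousMode()` a few lines below shows these hooks expect user-mode callers, whose page can be unmapped between the original call returning and this read; probe and capture the value under `__try` when `ExGetPreviousMode() == UserMode`, or drop the size test, and give the same carried-over condition in hkNtFreeVirtualMemory (next hunk) the same treatment. The `PAGED_CODE()` / `InterlockedIncrement` / `SCOPE_EXIT` / policy preamble is now repeated verbatim at the top of every hook; a small RAII guard whose constructor increments `g_refCount` and whose destructor decrements it would leave each hook with only its own logic and keep that ordering in one place. The `(PVOID *)&Process` kept on the `ObReferenceObjectByHandle` line is a C-style cast in otherwise C++-style code; `reinterpret_cast<PVOID *>(&Process)` matches the style of `IsProcessInPolicy(HANDLE)` above.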
@@ -255,35 +223,36 @@ NTSTATUS NTAPI hkNtAllocateVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddres auto ret = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), (PVOID *)&Process, nullptr); if (!NT_SUCCESS(ret)) - return res; + return status; - if (tools::IsMonitoredProcessEx(Process)) + if (process::IsMonitoredProcess(Process)) { - UNICODE_STRING wsProcName{}; - if (tools::GetProcessName(PsGetCurrentProcessId(), &wsProcName)) - { - if (wsProcName.Buffer) - { - auto ShortName = wcsrchr(wsProcName.Buffer, '\\'); - DBGPRINT("[ AVM ] From: %p to %ws with BaseAddress 0x%p Length 0x%llx Type 0x%X Protect 0x%X\n", - PsGetCurrentProcessId(), ShortName, *BaseAddress, *RegionSize, AllocationType, Protect); - FreeUnicodeString(&wsProcName); - } - } + // TODO: implement } ObDereferenceObject(Process); } - return res; + return status; } -NtFreeVirtualMemory_ oNtFreeVirtualMemory = NULL; NTSTATUS NTAPI hkNtFreeVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize, ULONG FreeType) { + PAGED_CODE(); + + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; + const auto res = oNtFreeVirtualMemory(ProcessHandle, BaseAddress, RegionSize, FreeType); + + // TODO: move this check to a function if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess()) || - tools::IsProtectedProcess(PsGetCurrentProcessId())) + process::IsProtectedProcess(PsGetCurrentProcessId())) + { return res; + } if (NT_SUCCESS(res) && BaseAddress && RegionSize && *RegionSize >= 0x1000) { 
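Review bot: hkNtFreeVirtualMemory is the one hook in this file that still uses the inline `PsIsProtectedProcess(...) || PsIsSystemProcess(...) || process::IsProtectedProcess(PsGetCurrentProcessId())` test (flagged with `// TODO: move this check to a function`) and performs it after the original call, while hkNtAllocateVirtualMemory directly above gates on `process::IsProcessInPolicy(currentProcess)` before calling through. Two hooks on adjacent memory syscalls therefore apply different policies to the same caller; either switch this one to the same `IsProcessInPolicy` gate once its semantics are settled, or extend the TODO to say why this hook must differ.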
@@ -296,20 +265,9 @@ NTSTATUS NTAPI hkNtFreeVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, P if (!NT_SUCCESS(ret)) return res; - if (tools::IsMonitoredProcessEx(Process)) + if (process::IsMonitoredProcess(Process)) { - UNICODE_STRING wsProcName{}; - if (tools::GetProcessName(PsGetCurrentProcessId(), &wsProcName)) - { - if (wsProcName.Buffer) - { - auto ShortName = wcsrchr(wsProcName.Buffer, '\\'); - DBGPRINT("[ FVM ] From: %p to %ws with BaseAddress 0x%p Length 0x%llx FreeType 0x%X\n", - PsGetCurrentProcessId(), ShortName, *BaseAddress, *RegionSize, FreeType); - tools::DumpMZ(PUCHAR(*BaseAddress)); - FreeUnicodeString(&wsProcName); - } - } + // TODO: implement } ObDereferenceObject(Process); 
@@ -317,259 +275,306 @@ NTSTATUS NTAPI hkNtFreeVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, P return res; } -NtDeviceIoControlFile_ oNtDeviceIoControlFile = NULL; NTSTATUS NTAPI hkNtDeviceIoControlFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength) { - const auto ret = oNtDeviceIoControlFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode, - InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength); + PAGED_CODE(); + + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; + + NTSTATUS status = oNtDeviceIoControlFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode, + InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength); + + const PEPROCESS currentProcess = PsGetCurrentProcess(); + const HANDLE currentPid = PsGetCurrentProcessId(); // - // If the callee process is a protected process we ignore it + // perform actions in case it's a blacklisted process. 
// - if (!tools::IsBlacklistedProcess(PsGetCurrentProcessId())) - return ret; - - if (NT_SUCCESS(ret)) + if (process::IsBlacklistedProcess(currentPid)) { - const auto szNewModel = globals::szFakeModels[0]; - wchar_t wsProcess[MAX_PATH] = L"\\Unknown"; - - UNICODE_STRING wsProcName{}; - if (tools::GetProcessName(PsGetCurrentProcessId(), &wsProcName)) + UNICODE_STRING processImageName{}; + if (!tools::GetProcessFileName(currentProcess, &processImageName)) { - if (wsProcName.Buffer) - { - wcscpy_s(wsProcess, wsProcName.Buffer); - FreeUnicodeString(&wsProcName); - } + DBGPRINT("Failed to get process %d file name\n", HandleToUlong(currentPid)); + goto Exit; } - auto ShortName = wcsrchr(wsProcess, '\\'); + SCOPE_EXIT + { + RtlFreeUnicodeString(&processImageName); + }; + + // This is safe because GetProcessFileName gives us a null terminated string. + LPWSTR moduleName = wcsrchr(processImageName.Buffer, '\\'); - __try + // + // Hardware Spoofing + // + if (NT_SUCCESS(status)) { - // - // Hardware Spoofing - // - switch (IoControlCode) + __try { + static constexpr char newSerialNumber[] = "XKH2A83XVALP766"; + static constexpr char newModelNumber[] = "Kingston"; + static constexpr UCHAR newMac[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; - case IOCTL_STORAGE_QUERY_PROPERTY: { - PSTORAGE_PROPERTY_QUERY Query = PSTORAGE_PROPERTY_QUERY(InputBuffer); - if (Query && Query->PropertyId == StorageDeviceProperty) + switch (IoControlCode) { - if (OutputBufferLength >= sizeof(STORAGE_DEVICE_DESCRIPTOR)) + + case IOCTL_STORAGE_QUERY_PROPERTY: { + PSTORAGE_PROPERTY_QUERY Query = PSTORAGE_PROPERTY_QUERY(InputBuffer); + if (Query && Query->PropertyId == StorageDeviceProperty) { - PSTORAGE_DEVICE_DESCRIPTOR Desc = PSTORAGE_DEVICE_DESCRIPTOR(OutputBuffer); - if (Desc) + if (OutputBufferLength >= sizeof(STORAGE_DEVICE_DESCRIPTOR)) { - if (Desc->SerialNumberOffset) - { - auto Serial = PCHAR(Desc) + Desc->SerialNumberOffset; - DBGPRINT("%ws Spoofing Serial ( 0x%X ) Old: %s New: %s\n", ShortName, 
IoControlCode, - Serial, globals::szFakeSerial); - memset(Serial, 0, strlen(Serial)); - strcpy(Serial, globals::szFakeSerial); - } - - if (Desc->ProductIdOffset) + PSTORAGE_DEVICE_DESCRIPTOR Desc = PSTORAGE_DEVICE_DESCRIPTOR(OutputBuffer); + if (Desc) { - auto Model = PCHAR(Desc) + Desc->ProductIdOffset; - DBGPRINT("%ws Spoofing Model ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, - Model, szNewModel); - memset(Model, 0, strlen(Model)); - strcpy(Model, szNewModel); + if (Desc->SerialNumberOffset) + { + auto serialNumber = PCHAR(Desc) + Desc->SerialNumberOffset; + const size_t serialNumberLen = strlen(serialNumber); + + if (serialNumberLen > 0) + { + DBGPRINT( + "[Process: %ls] [IOCTL_STORAGE_QUERY_PROPERTY] spoofing serial %s to %s\n", + moduleName, serialNumber, newSerialNumber); + + RtlZeroMemory(serialNumber, serialNumberLen); + strcpy(serialNumber, newSerialNumber); + } + } + + if (Desc->ProductIdOffset) + { + auto modelNumber = PCHAR(Desc) + Desc->ProductIdOffset; + const size_t modelNumberLen = strlen(modelNumber); + + if (modelNumberLen > 0) + { + DBGPRINT( + "[Process: %ls] [IOCTL_STORAGE_QUERY_PROPERTY] spoofing model %s to %s\n", + moduleName, modelNumber, newModelNumber); + + RtlZeroMemory(modelNumber, modelNumberLen); + strcpy(modelNumber, newModelNumber); + } + } } } } + break; } - break; - } - case IOCTL_ATA_PASS_THROUGH: { - if (OutputBufferLength >= sizeof(ATA_PASS_THROUGH_EX) + sizeof(PIDENTIFY_DEVICE_DATA)) - { - PATA_PASS_THROUGH_EX Ata = PATA_PASS_THROUGH_EX(OutputBuffer); - if (Ata && Ata->DataBufferOffset) + case IOCTL_ATA_PASS_THROUGH: { + if (OutputBufferLength >= sizeof(ATA_PASS_THROUGH_EX) + sizeof(PIDENTIFY_DEVICE_DATA)) { - PIDENTIFY_DEVICE_DATA Identify = - PIDENTIFY_DEVICE_DATA(PCHAR(OutputBuffer) + Ata->DataBufferOffset); - if (Identify) + PATA_PASS_THROUGH_EX Ata = PATA_PASS_THROUGH_EX(OutputBuffer); + if (Ata && Ata->DataBufferOffset) { - auto Serial = PCHAR(Identify->SerialNumber); - if (strlen(Serial) > 0) + 
PIDENTIFY_DEVICE_DATA Identify = + PIDENTIFY_DEVICE_DATA(PCHAR(OutputBuffer) + Ata->DataBufferOffset); + if (Identify) { - tools::SwapEndianness(Serial, sizeof(Identify->SerialNumber)); + auto Serial = PCHAR(Identify->SerialNumber); + if (strlen(Serial) > 0) + { + tools::SwapEndianness(Serial, sizeof(Identify->SerialNumber)); - DBGPRINT("%ws Spoofing Serial ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, - Serial, globals::szFakeSerial); - memset(Serial, 0, strlen(Serial)); - strcpy(Serial, globals::szFakeSerial); + DBGPRINT("%ls Spoofing Serial ( 0x%X ) Old: %s New: %s\n", moduleName, + IoControlCode, Serial, newSerialNumber); - tools::SwapEndianness(Serial, sizeof(Identify->SerialNumber)); - } + RtlZeroMemory(Serial, strlen(Serial)); + strcpy(Serial, newSerialNumber); - auto Model = PCHAR(Identify->ModelNumber); - if (strlen(Model) > 0) - { - // Fix invalid characters. - Model[sizeof(Identify->ModelNumber) - 1] = 0; - Model[sizeof(Identify->ModelNumber) - 2] = 0; + tools::SwapEndianness(Serial, sizeof(Identify->SerialNumber)); + } + + auto Model = PCHAR(Identify->ModelNumber); + if (strlen(Model) > 0) + { + // Fix invalid characters. 
+ Model[sizeof(Identify->ModelNumber) - 1] = 0; + Model[sizeof(Identify->ModelNumber) - 2] = 0; + + tools::SwapEndianness(Model, sizeof(Identify->ModelNumber) - 2); - tools::SwapEndianness(Model, sizeof(Identify->ModelNumber) - 2); + DBGPRINT("$ls Spoofing Model ( 0x%X ) Old: %s New: %s\n", moduleName, IoControlCode, + Model, newModelNumber); - DBGPRINT("%ws Spoofing Model ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, - Model, szNewModel); - memset(Model, 0, strlen(Model)); - strcpy(Model, szNewModel); + RtlZeroMemory(Model, strlen(Model)); + strcpy(Model, newModelNumber); - tools::SwapEndianness(Model, sizeof(Identify->ModelNumber) - 2); + tools::SwapEndianness(Model, sizeof(Identify->ModelNumber) - 2); + } } } } + break; } - break; - } - case SMART_RCV_DRIVE_DATA: { - if (OutputBufferLength >= sizeof(SENDCMDOUTPARAMS)) - { - PSENDCMDOUTPARAMS Cmd = PSENDCMDOUTPARAMS(OutputBuffer); - if (Cmd) + case SMART_RCV_DRIVE_DATA: { + if (OutputBufferLength >= sizeof(SENDCMDOUTPARAMS)) { - PIDSECTOR Sector = PIDSECTOR(Cmd->bBuffer); - if (Sector) + PSENDCMDOUTPARAMS sendCmdOutParams = PSENDCMDOUTPARAMS(OutputBuffer); + if (sendCmdOutParams) { - auto Serial = PCHAR(Sector->sSerialNumber); - if (strlen(Serial) > 0) + PIDSECTOR sector = PIDSECTOR(sendCmdOutParams->bBuffer); + if (sector) { - tools::SwapEndianness(Serial, sizeof(Sector->sSerialNumber)); + auto serialNumber = PCHAR(sector->sSerialNumber); + const size_t serialNumberLen = strlen(serialNumber); - DBGPRINT("%ws Spoofing Serial ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, - Serial, globals::szFakeSerial); - memset(Serial, 0, strlen(Serial)); - strcpy(Serial, globals::szFakeSerial); + if (serialNumberLen > 0) + { + tools::SwapEndianness(serialNumber, sizeof(sector->sSerialNumber)); - tools::SwapEndianness(Serial, sizeof(Sector->sSerialNumber)); - } + DBGPRINT("[Process: %ls] [SMART_RCV_DRIVE_DATA] spoofing serial %s to %s\n", + moduleName, serialNumber, newSerialNumber); - auto Model = 
PCHAR(Sector->sModelNumber); - if (strlen(Model) > 0) - { - // Fix invalid characters. - Model[sizeof(Sector->sModelNumber) - 1] = 0; - Model[sizeof(Sector->sModelNumber) - 2] = 0; + RtlZeroMemory(serialNumber, serialNumberLen); + strcpy(serialNumber, newSerialNumber); + + tools::SwapEndianness(serialNumber, sizeof(sector->sSerialNumber)); + } + + auto moduleNumber = reinterpret_cast(sector->sModelNumber); + const size_t moduleNumberLen = strlen(moduleNumber); + + if (moduleNumberLen > 0) + { + // Fix invalid characters. + moduleNumber[sizeof(sector->sModelNumber) - 1] = 0; + moduleNumber[sizeof(sector->sModelNumber) - 2] = 0; - tools::SwapEndianness(Model, sizeof(Sector->sModelNumber) - 2); + tools::SwapEndianness(moduleNumber, sizeof(sector->sModelNumber) - 2); - DBGPRINT("%ws Spoofing Model ( 0x%X ) Old: %s New: %s\n", ShortName, IoControlCode, - Model, szNewModel); - memset(Model, 0, strlen(Model)); - strcpy(Model, szNewModel); + DBGPRINT("[Process: %ls] [SMART_RCV_DRIVE_DATA] spoofing model %s to %s\n", + moduleName, moduleNumber, newModelNumber); - tools::SwapEndianness(Model, sizeof(Sector->sModelNumber) - 2); + RtlZeroMemory(moduleNumber, moduleNumberLen); + strcpy(moduleNumber, newModelNumber); + + tools::SwapEndianness(moduleNumber, sizeof(sector->sModelNumber) - 2); + } } } } + break; } - break; - } - case IOCTL_DISK_GET_PARTITION_INFO_EX: { - if (OutputBufferLength >= sizeof(PARTITION_INFORMATION_EX)) - { - PPARTITION_INFORMATION_EX PartInfo = PPARTITION_INFORMATION_EX(OutputBuffer); - if (PartInfo && PartInfo->PartitionStyle == PARTITION_STYLE_GPT) + case IOCTL_DISK_GET_PARTITION_INFO_EX: { + if (OutputBufferLength >= sizeof(PARTITION_INFORMATION_EX)) { - DBGPRINT("%ws Zero'ing partition GUID (EX)\n", ShortName); - memset(&PartInfo->Gpt.PartitionId, 0, sizeof(GUID)); + PPARTITION_INFORMATION_EX PartInfo = PPARTITION_INFORMATION_EX(OutputBuffer); + if (PartInfo && PartInfo->PartitionStyle == PARTITION_STYLE_GPT) + { + DBGPRINT("%ls Zero'ing partition 
GUID (EX)\n", moduleName); + memset(&PartInfo->Gpt.PartitionId, 0, sizeof(GUID)); + } } + break; } - break; - } - case IOCTL_DISK_GET_DRIVE_LAYOUT_EX: { - if (OutputBufferLength >= sizeof(DRIVE_LAYOUT_INFORMATION_EX)) - { - PDRIVE_LAYOUT_INFORMATION_EX LayoutInfo = PDRIVE_LAYOUT_INFORMATION_EX(OutputBuffer); - if (LayoutInfo && LayoutInfo->PartitionStyle == PARTITION_STYLE_GPT) + case IOCTL_DISK_GET_DRIVE_LAYOUT_EX: { + if (OutputBufferLength >= sizeof(DRIVE_LAYOUT_INFORMATION_EX)) { - DBGPRINT("%ws Zero'ing partition GUID\n", ShortName); - memset(&LayoutInfo->Gpt.DiskId, 0, sizeof(GUID)); + PDRIVE_LAYOUT_INFORMATION_EX LayoutInfo = PDRIVE_LAYOUT_INFORMATION_EX(OutputBuffer); + if (LayoutInfo && LayoutInfo->PartitionStyle == PARTITION_STYLE_GPT) + { + DBGPRINT("%ls Zero'ing partition GUID\n", moduleName); + memset(&LayoutInfo->Gpt.DiskId, 0, sizeof(GUID)); + } } + break; } - break; - } - case IOCTL_MOUNTMGR_QUERY_POINTS: { - if (OutputBufferLength >= sizeof(MOUNTMGR_MOUNT_POINTS)) - { - PMOUNTMGR_MOUNT_POINTS Points = PMOUNTMGR_MOUNT_POINTS(OutputBuffer); - if (Points) + case IOCTL_MOUNTMGR_QUERY_POINTS: { + if (OutputBufferLength >= sizeof(MOUNTMGR_MOUNT_POINTS)) { - DBGPRINT("%ws Spoofing mounted points\n", ShortName); - for (unsigned i = 0; i < Points->NumberOfMountPoints; ++i) + PMOUNTMGR_MOUNT_POINTS Points = PMOUNTMGR_MOUNT_POINTS(OutputBuffer); + if (Points) { - auto Point = &Points->MountPoints[i]; + DBGPRINT("%ls Spoofing mounted points\n", moduleName); + for (unsigned i = 0; i < Points->NumberOfMountPoints; ++i) + { + auto Point = &Points->MountPoints[i]; - if (Point->UniqueIdOffset) - Point->UniqueIdLength = 0; + if (Point->UniqueIdOffset) + Point->UniqueIdLength = 0; - if (Point->SymbolicLinkNameOffset) - Point->SymbolicLinkNameLength = 0; + if (Point->SymbolicLinkNameOffset) + Point->SymbolicLinkNameLength = 0; + } } } + break; } - break; - } - case IOCTL_MOUNTDEV_QUERY_UNIQUE_ID: { - if (OutputBufferLength >= sizeof(MOUNTDEV_UNIQUE_ID)) - { - 
PMOUNTDEV_UNIQUE_ID UniqueId = PMOUNTDEV_UNIQUE_ID(OutputBuffer); - if (UniqueId) + case IOCTL_MOUNTDEV_QUERY_UNIQUE_ID: { + if (OutputBufferLength >= sizeof(MOUNTDEV_UNIQUE_ID)) { - DBGPRINT("%ws Spoofing mounted unique id\n", ShortName); - UniqueId->UniqueIdLength = 0; + PMOUNTDEV_UNIQUE_ID UniqueId = PMOUNTDEV_UNIQUE_ID(OutputBuffer); + if (UniqueId) + { + DBGPRINT("%ls Spoofing mounted unique id\n", moduleName); + UniqueId->UniqueIdLength = 0; + } } + break; } - break; - } - case IOCTL_NDIS_QUERY_GLOBAL_STATS: { - switch (*(PDWORD)InputBuffer) - { - case OID_802_3_PERMANENT_ADDRESS: - case OID_802_3_CURRENT_ADDRESS: - case OID_802_5_PERMANENT_ADDRESS: - case OID_802_5_CURRENT_ADDRESS: - DBGPRINT("%ws Spoofing permanent MAC\n", ShortName); - memcpy(OutputBuffer, globals::szFakeMAC, sizeof(globals::szFakeMAC)); - break; + case IOCTL_NDIS_QUERY_GLOBAL_STATS: { + switch (*(PDWORD)InputBuffer) + { + case OID_802_3_PERMANENT_ADDRESS: + case OID_802_3_CURRENT_ADDRESS: + case OID_802_5_PERMANENT_ADDRESS: + case OID_802_5_CURRENT_ADDRESS: + DBGPRINT("%ls Spoofing permanent MAC\n", moduleName); + + RtlCopyMemory(OutputBuffer, newMac, sizeof(newMac)); + break; + } + } } } + __except (EXCEPTION_EXECUTE_HANDLER) + { } } - __except (EXCEPTION_EXECUTE_HANDLER) - { - } } - return ret; +Exit: + return status; } -NtQuerySystemInformation_ oNtQuerySystemInformation = NULL; NTSTATUS NTAPI hkNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID Buffer, ULONG Length, PULONG ReturnLength) { + PAGED_CODE(); + + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; + const auto ret = oNtQuerySystemInformation(SystemInformationClass, Buffer, Length, ReturnLength); // // If the callee process is a protected process we ignore it // - if (tools::IsProtectedProcess(PsGetCurrentProcessId())) + if (process::IsProtectedProcess(PsGetCurrentProcessId())) + { return ret; + } if (NT_SUCCESS(ret)) { 
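Review bot: The added `DBGPRINT("$ls Spoofing Model ( 0x%X ) Old: %s New: %s\n", moduleName, IoControlCode, Model, newModelNumber);` in the IOCTL_ATA_PASS_THROUGH branch has `$ls` where `%ls` is meant, so the format consumes one argument fewer than is passed and logs a literal `$ls`. The replacement strings are still written with `strcpy`: in the IOCTL_STORAGE_QUERY_PROPERTY case the destination is `PCHAR(Desc) + Desc->SerialNumberOffset` (and `ProductIdOffset`), whose offset is never validated against `OutputBufferLength` and whose field may be shorter than the 16 bytes `newSerialNumber` needs with its terminator (the removed `szFakeSerial` needed 12), so the copy can run past the field or past the buffer. Bounding each copy by the smaller of the existing `strlen` and `OutputBufferLength - offset` (an explicit `min`, or `RtlStringCbCopyA` with that size) makes the branches safe regardless of which constant is chosen. `moduleName = wcsrchr(processImageName.Buffer, '\\')` is NULL when the name contains no backslash and is then passed to every `%ls` in this block; handle that with `if (!moduleName) moduleName = processImageName.Buffer;`. The IOCTL_NDIS_QUERY_GLOBAL_STATS case reads `*(PDWORD)InputBuffer` and copies `sizeof(newMac)` bytes into `OutputBuffer` without the `InputBufferLength` / `OutputBufferLength` checks every other case performs.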
@@ -585,21 +590,22 @@ NTSTATUS NTAPI hkNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInforma { if (pEntry[i].ImageBase && pEntry[i].ImageSize && strlen((char *)pEntry[i].FullPathName) > 2) { - for (int x = 0; x < ARRAYSIZE(globals::szProtectedDrivers); ++x) + // TODO: implement +#if 0 { - if (strstr((char *)pEntry[i].FullPathName, globals::szProtectedDrivers[x])) - { - const auto next_entry = i + 1; + const auto next_entry = i + 1; - if (next_entry < pModule->NumberOfModules) - memcpy(&pEntry[i], &pEntry[next_entry], sizeof(RTL_PROCESS_MODULE_INFORMATION)); - else - { - memset(&pEntry[i], 0, sizeof(RTL_PROCESS_MODULE_INFORMATION)); - pModule->NumberOfModules--; - } + if (next_entry < pModule->NumberOfModules) + { + RtlCopyMemory(&pEntry[i], &pEntry[next_entry], sizeof(RTL_PROCESS_MODULE_INFORMATION)); + } + else + { + RtlZeroMemory(&pEntry[i], sizeof(RTL_PROCESS_MODULE_INFORMATION)); + pModule->NumberOfModules--; } } +#endif } } } @@ -621,7 +627,7 @@ NTSTATUS NTAPI hkNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInforma // // Erase our protected processes from the list // - if (pNext->ImageName.Buffer && tools::IsProtectedProcess(pNext->ImageName.Buffer)) + if (pNext->ImageName.Buffer && process::IsProtectedProcess(pNext->ImageName.Buffer)) { if (pNext->NextEntryOffset == 0) { 
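Review bot: The `#if 0` block that replaces the driver-list filter keeps the old removal logic, which copies only `pEntry[next_entry]` over `pEntry[i]` rather than shifting the rest of the array, so when it is re-enabled a module entry is duplicated and, if the enclosing loop advances `i` as the handle loops further down do, the entry moved into slot `i` is never examined; shifting the tail with `RtlMoveMemory` and decrementing `NumberOfModules` in both branches is the usual erase. Until then SystemModuleInformation is returned unfiltered, which is reasonable for work in progress but should be stated at the `// TODO: implement` so the silent change in behaviour is not mistaken for an oversight. The enclosing hkNtQuerySystemInformation body begins and ends outside this hunk.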
@@ -641,19 +647,21 @@ NTSTATUS NTAPI hkNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInforma // else if (SystemInformationClass == SystemHandleInformation) { - if (tools::IsBlacklistedProcess(PsGetCurrentProcessId())) + if (process::IsBlacklistedProcess(PsGetCurrentProcessId())) { const auto pHandle = PSYSTEM_HANDLE_INFORMATION(Buffer); const auto pEntry = &pHandle->Information[0]; for (unsigned i = 0; i < pHandle->NumberOfHandles; ++i) { - if (tools::IsProtectedProcess(ULongToHandle(pEntry[i].ProcessId))) + if (process::IsProtectedProcess(ULongToHandle(pEntry[i].ProcessId))) { const auto next_entry = i + 1; if (next_entry < pHandle->NumberOfHandles) - memcpy(&pEntry[i], &pEntry[next_entry], sizeof(SYSTEM_HANDLE)); + { + RtlCopyMemory(&pEntry[i], &pEntry[next_entry], sizeof(SYSTEM_HANDLE)); + } else { memset(&pEntry[i], 0, sizeof(SYSTEM_HANDLE)); @@ -665,19 +673,21 @@ NTSTATUS NTAPI hkNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInforma } else if (SystemInformationClass == SystemExtendedHandleInformation) { - if (tools::IsBlacklistedProcess(PsGetCurrentProcessId())) + if (process::IsBlacklistedProcess(PsGetCurrentProcessId())) { const auto pHandle = PSYSTEM_HANDLE_INFORMATION_EX(Buffer); const auto pEntry = &pHandle->Information[0]; for (unsigned i = 0; i < pHandle->NumberOfHandles; ++i) { - if (tools::IsProtectedProcess(ULongToHandle(pEntry[i].ProcessId))) + if (process::IsProtectedProcess(ULongToHandle(pEntry[i].ProcessId))) { const auto next_entry = i + 1; if (next_entry < pHandle->NumberOfHandles) - memcpy(&pEntry[i], &pEntry[next_entry], sizeof(SYSTEM_HANDLE)); + { + RtlCopyMemory(&pEntry[i], &pEntry[next_entry], sizeof(SYSTEM_HANDLE)); + } else { memset(&pEntry[i], 0, sizeof(SYSTEM_HANDLE)); 
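Review bot: In both hunks here (SystemHandleInformation and SystemExtendedHandleInformation) the `if` branch was switched to `RtlCopyMemory` while the matching `else` still uses `memset`; change it to `RtlZeroMemory(&pEntry[i], sizeof(SYSTEM_HANDLE));` so the two branches, and the SystemModuleInformation block above, use one family. The copy also moves only the single next entry into slot `i` while the `for` loop's `++i` advances past it, so the result is a duplicated neighbour that is itself never examined; an `RtlMoveMemory` of the remaining tail followed by re-checking slot `i` is what an erase from the array requires. The extended-information branch casts `Buffer` to `PSYSTEM_HANDLE_INFORMATION_EX` but still copies `sizeof(SYSTEM_HANDLE)` per entry; if `Information[]` in that structure uses a wider entry type than `SYSTEM_HANDLE` (as the public definitions do), the copy size is wrong — confirm against winnt.hpp.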
@@ -692,22 +702,31 @@ NTSTATUS NTAPI hkNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInforma // else if (SystemInformationClass == SystemCodeIntegrityInformation) { - PSYSTEM_CODEINTEGRITY_INFORMATION Integrity = PSYSTEM_CODEINTEGRITY_INFORMATION(Buffer); + auto info = PSYSTEM_CODEINTEGRITY_INFORMATION(Buffer); + + ULONG options = info->CodeIntegrityOptions; - // Spoof test sign flag if present - if (Integrity->CodeIntegrityOptions & CODEINTEGRITY_OPTION_TESTSIGN) - Integrity->CodeIntegrityOptions &= ~CODEINTEGRITY_OPTION_TESTSIGN; + // fix flags + options &= ~CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED; + options &= ~CODEINTEGRITY_OPTION_TESTSIGN; + options |= CODEINTEGRITY_OPTION_ENABLED; - // Set as always enabled. - Integrity->CodeIntegrityOptions |= CODEINTEGRITY_OPTION_ENABLED; + info->CodeIntegrityOptions = options; } } return ret; } -NtLoadDriver_ oNtLoadDriver = NULL; NTSTATUS NTAPI hkNtLoadDriver(PUNICODE_STRING DriverServiceName) { + PAGED_CODE(); + + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; + NTSTATUS ret = STATUS_UNSUCCESSFUL; bool bLoad = true; 
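Review bot: The SystemCodeIntegrityInformation branch now reads and writes `info->CodeIntegrityOptions` with no check that `Buffer` is non-null or that `Length` covers `sizeof(SYSTEM_CODEINTEGRITY_INFORMATION)`, unlike the IOCTL handlers in this file that test `OutputBufferLength` first; a guard such as `if (!Buffer || Length < sizeof(SYSTEM_CODEINTEGRITY_INFORMATION)) return ret;` (or a check of the structure's own `Length` field) belongs before the `auto info = ...` line. The hunk also newly clears `CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED` in addition to TESTSIGN, a behavioural change beyond the rename the rest of the hunk performs; replace `// fix flags` with a comment naming which options are normalised and why. hkNtLoadDriver's body continues past the end of the hunk.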
@@ -733,120 +752,135 @@ NTSTATUS NTAPI hkNtLoadDriver(PUNICODE_STRING DriverServiceName) return ret; } -NtUserWindowFromPoint_ oNtUserWindowFromPoint = NULL; HWND NTAPI hkNtUserWindowFromPoint(LONG x, LONG y) { - const auto res = oNtUserWindowFromPoint(x, y); + PAGED_CODE(); - if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) - return res; + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; - if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) - return res; + // TODO: implement - return 0; + return oNtUserWindowFromPoint(x, y); } -NtUserQueryWindow_ oNtUserQueryWindow = NULL; HANDLE NTAPI hkNtUserQueryWindow(HWND WindowHandle, HANDLE TypeInformation) { - const auto res = oNtUserQueryWindow(WindowHandle, TypeInformation); - - if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) - return res; + PAGED_CODE(); - if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) - return res; + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; - auto PID = oNtUserQueryWindow(WindowHandle, 0); - if (tools::IsProtectedProcess(PID)) - return 0; + // TODO: implement - return res; + return oNtUserQueryWindow(WindowHandle, TypeInformation); } -NtUserFindWindowEx_ oNtUserFindWindowEx = NULL; HWND NTAPI hkNtUserFindWindowEx(HWND hWndParent, HWND hWndChildAfter, PUNICODE_STRING lpszClass, PUNICODE_STRING lpszWindow, DWORD dwType) { - const auto res = oNtUserFindWindowEx(hWndParent, hWndChildAfter, lpszClass, lpszWindow, dwType); + PAGED_CODE(); - if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) - return res; + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; - if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) - return res; + // TODO: implement - if (res) - { - auto PID = oNtUserQueryWindow(res, 0); - if 
(tools::IsProtectedProcess(PID)) - { - return NULL; - } - } - return res; + return oNtUserFindWindowEx(hWndParent, hWndChildAfter, lpszClass, lpszWindow, dwType); } -NtUserBuildHwndList_ oNtUserBuildHwndList = NULL; NTSTATUS NTAPI hkNtUserBuildHwndList(HDESK hdesk, HWND hwndNext, ULONG fEnumChildren, DWORD idThread, UINT cHwndMax, HWND *phwndFirst, ULONG *pcHwndNeeded) { - const auto res = oNtUserBuildHwndList(hdesk, hwndNext, fEnumChildren, idThread, cHwndMax, phwndFirst, pcHwndNeeded); + PAGED_CODE(); - if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) - return res; - - if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) - return res; - - if (fEnumChildren == 1) + InterlockedIncrement(&g_refCount); + SCOPE_EXIT { - auto PID = oNtUserQueryWindow(hwndNext, 0); - if (tools::IsProtectedProcess(PID)) - return STATUS_UNSUCCESSFUL; - } + InterlockedDecrement(&g_refCount); + }; + + const auto res = oNtUserBuildHwndList(hdesk, hwndNext, fEnumChildren, idThread, cHwndMax, phwndFirst, pcHwndNeeded); - if (NT_SUCCESS(res)) + if (process::IsBlacklistedProcess(PsGetCurrentProcess())) { - ULONG i = 0; - ULONG j; + // + // Hide protected process window from blacklisted process + // + if (fEnumChildren == 1) + { + const HANDLE processId = oNtUserQueryWindow(hwndNext, 0); + if (process::IsProtectedProcess(processId)) + { + return STATUS_UNSUCCESSFUL; + } + } - while (i < *pcHwndNeeded) + if (NT_SUCCESS(res)) { - auto PID = oNtUserQueryWindow(phwndFirst[i], 0); - if (tools::IsProtectedProcess(PID)) + ULONG i = 0; + ULONG j; + + while (i < *pcHwndNeeded) { - for (j = i; j < (*pcHwndNeeded) - 1; j++) - phwndFirst[j] = phwndFirst[j + 1]; - phwndFirst[*pcHwndNeeded - 1] = 0; - (*pcHwndNeeded)--; - continue; + const HANDLE processId = oNtUserQueryWindow(phwndFirst[i], 0); + if (process::IsProtectedProcess(processId)) + { + for (j = i; j < (*pcHwndNeeded) - 1; j++) + phwndFirst[j] = phwndFirst[j + 1]; + phwndFirst[*pcHwndNeeded - 1] = 0; 
+ (*pcHwndNeeded)--; + continue; + } + i++; } - i++; } } return res; } -NtUserGetForegroundWindow_ oNtUserGetForegroundWindow = NULL; -HWND LastForeWnd = HWND(-1); - HWND NTAPI hkNtUserGetForegroundWindow(VOID) { - const auto res = oNtUserGetForegroundWindow(); + PAGED_CODE(); - if (PsIsProtectedProcess(PsGetCurrentProcess()) || PsIsSystemProcess(PsGetCurrentProcess())) - return res; + InterlockedIncrement(&g_refCount); + SCOPE_EXIT + { + InterlockedDecrement(&g_refCount); + }; - if (!tools::IsBlacklistedProcessEx(PsGetCurrentProcess())) - return res; + const HWND result = oNtUserGetForegroundWindow(); - auto PID = oNtUserQueryWindow(res, 0); - if (tools::IsProtectedProcess(PID)) - return LastForeWnd; - else - LastForeWnd = res; + if (process::IsBlacklistedProcess(PsGetCurrentProcess())) + { + // + // Hide protected process window from blacklisted process + // + const HANDLE processId = oNtUserQueryWindow(result, 0); - return res; -} \ No newline at end of file + static HWND lastHwnd = nullptr; + + if (process::IsProtectedProcess(processId)) + { + return lastHwnd; + } + else + { + // store a copy of the last HWND + lastHwnd = result; + } + } + + return result; +} +} // namespace hooks +} // namespace masterhide \ No newline at end of file diff --git a/MasterHide/hooks.hpp b/MasterHide/hooks.hpp index 5e1b6b8..fad01e4 100644 --- a/MasterHide/hooks.hpp +++ b/MasterHide/hooks.hpp 
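Review bot: `static HWND lastHwnd = nullptr;` in hkNtUserGetForegroundWindow is one function-local static shared by every process and thread that enters the hook, read and written with no synchronization, and its initial `nullptr` is returned as a result before anything has been cached where the removed global `LastForeWnd` held `HWND(-1)`; whichever initial value is intended, state it in the comment, since "store a copy of the last HWND" says nothing about lifetime or sharing. The `PAGED_CODE()` / `InterlockedIncrement(&g_refCount)` / `SCOPE_EXIT` prologue is pasted into all five hooks in this hunk; a small RAII guard type, or a macro wrapping the three statements, would make the increment/decrement pairing impossible to get wrong when the next hook is added. The three hooks marked `// TODO: implement` are now plain pass-throughs that still take the reference count; if they are not meant to be installed yet, say so in that comment so they are not mistaken for finished hooks.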
@@ -1,117 +1,74 @@ #pragma once -// -// ntoskrnl.exe -// -static auto SYSCALL_NTUSERFINDWNDEX = 0x106e; -static auto SYSCALL_NTUSERWNDFROMPOINT = 0x1014; -static auto SYSCALL_NTUSERBUILDWNDLIST = 0x101c; -static auto SYSCALL_NTGETFOREGROUNDWND = 0x103c; -static auto SYSCALL_NTUSERQUERYWND = 0x1010; - -// -// win32k.sys -// -static auto SYSCALL_NTQUERYSYSINFO = 0x0033; -static auto SYSCALL_NTOPENPROCESS = 0x0023; -static auto SYSCALL_NTALLOCVIRTUALMEM = 0x0015; -static auto SYSCALL_NTWRITEVIRTUALMEM = 0x0037; -static auto SYSCALL_NTFREEVIRTUALMEM = 0x001b; -static auto SYSCALL_NTDEVICEIOCTRLFILE = 0x0004; -static auto SYSCALL_NTLOADDRIVER = 0x0004; - namespace masterhide { -namespace tools +namespace process +{ +bool IsProtectedProcess(_In_ HANDLE processId); +bool IsProtectedProcess(_In_ LPCWSTR processName); +bool IsProtectedProcess(_In_ PEPROCESS process); +bool IsMonitoredProcess(_In_ HANDLE processId); +bool IsMonitoredProcess(_In_ PEPROCESS process); +bool IsBlacklistedProcess(_In_ HANDLE processId); +bool IsBlacklistedProcess(_In_ PEPROCESS process); +} // namespace process + +namespace hooks { -extern bool IsProtectedProcess(HANDLE PID); -extern bool IsProtectedProcess(PWCH Buffer); -extern bool IsProtectedProcessEx(PEPROCESS Process); -extern bool IsMonitoredProcess(HANDLE PID); -extern bool IsMonitoredProcessEx(PEPROCESS Process); -extern bool IsBlacklistedProcess(HANDLE PID); -extern bool IsBlacklistedProcessEx(PEPROCESS Process); -} // namespace tools -}; // namespace masterhide +inline ERESOURCE g_resource{}; + +void WaitForHooksCompletion(); // -// ntoskrnl.exe hooks +// SSDT Hooks // -using NtQuerySystemInformation_ = NTSTATUS(NTAPI *)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); -extern NtQuerySystemInformation_ oNtQuerySystemInformation; - NTSTATUS NTAPI hkNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID Buffer, ULONG Length, PULONG ReturnLength); +inline decltype(&hkNtQuerySystemInformation) 
oNtQuerySystemInformation = nullptr; using NtOpenProcess_ = NTSTATUS(NTAPI *)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); -extern NtOpenProcess_ oNtOpenProcess; - NTSTATUS NTAPI hkNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); - -using NtAllocateVirtualMemory_ = NTSTATUS(NTAPI *)(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, - PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); -extern NtAllocateVirtualMemory_ oNtAllocateVirtualMemory; +inline decltype(&hkNtOpenProcess) oNtOpenProcess = nullptr; NTSTATUS NTAPI hkNtAllocateVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); - -using NtFreeVirtualMemory_ = NTSTATUS(NTAPI *)(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize, - ULONG FreeType); -extern NtFreeVirtualMemory_ oNtFreeVirtualMemory; +inline decltype(&hkNtAllocateVirtualMemory) oNtAllocateVirtualMemory = nullptr; NTSTATUS NTAPI hkNtFreeVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize, ULONG FreeType); - -using NtWriteVirtualMemory_ = NTSTATUS(NTAPI *)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, - ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten); -extern NtWriteVirtualMemory_ oNtWriteVirtualMemory; +inline decltype(&hkNtFreeVirtualMemory) oNtFreeVirtualMemory = nullptr; NTSTATUS NTAPI hkNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten); - -using NtDeviceIoControlFile_ = NTSTATUS(NTAPI *)(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, - PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, - PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, - ULONG OutputBufferLength); -extern NtDeviceIoControlFile_ oNtDeviceIoControlFile; +inline 
decltype(&hkNtWriteVirtualMemory) oNtWriteVirtualMemory = nullptr; NTSTATUS NTAPI hkNtDeviceIoControlFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength); - -using NtLoadDriver_ = NTSTATUS(NTAPI *)(PUNICODE_STRING DriverServiceName); -extern NtLoadDriver_ oNtLoadDriver; +inline decltype(&hkNtDeviceIoControlFile) oNtDeviceIoControlFile = nullptr; NTSTATUS NTAPI hkNtLoadDriver(PUNICODE_STRING DriverServiceName); +inline decltype(&hkNtLoadDriver) oNtLoadDriver = nullptr; // -// win32k.sys hooks +// Shadow SSDT hooks // -using NtUserWindowFromPoint_ = HWND(NTAPI *)(LONG, LONG); -extern NtUserWindowFromPoint_ oNtUserWindowFromPoint; - HWND hkNtUserWindowFromPoint(LONG x, LONG y); - -using NtUserQueryWindow_ = HANDLE(NTAPI *)(HWND, HANDLE); -extern NtUserQueryWindow_ oNtUserQueryWindow; +inline decltype(&hkNtUserWindowFromPoint) oNtUserWindowFromPoint = nullptr; HANDLE hkNtUserQueryWindow(HWND WindowHandle, HANDLE TypeInformation); - -using NtUserFindWindowEx_ = HWND(NTAPI *)(HWND, HWND, PUNICODE_STRING, PUNICODE_STRING, DWORD); -extern NtUserFindWindowEx_ oNtUserFindWindowEx; +inline decltype(&hkNtUserQueryWindow) oNtUserQueryWindow = nullptr; HWND NTAPI hkNtUserFindWindowEx(HWND hWndParent, HWND hWndChildAfter, PUNICODE_STRING lpszClass, PUNICODE_STRING lpszWindow, DWORD dwType); - -using NtUserBuildHwndList_ = NTSTATUS(NTAPI *)(HDESK hdesk, HWND hwndNext, ULONG fEnumChildren, DWORD idThread, - UINT cHwndMax, HWND *phwndFirst, ULONG *pcHwndNeeded); -extern NtUserBuildHwndList_ oNtUserBuildHwndList; +inline decltype(&hkNtUserFindWindowEx) oNtUserFindWindowEx = nullptr; NTSTATUS NTAPI hkNtUserBuildHwndList(HDESK hdesk, HWND hwndNext, ULONG fEnumChildren, DWORD idThread, UINT cHwndMax, HWND *phwndFirst, ULONG *pcHwndNeeded); +inline decltype(&hkNtUserBuildHwndList) oNtUserBuildHwndList = nullptr; 
-using NtUserGetForegroundWindow_ = HWND(NTAPI *)(VOID); -extern NtUserGetForegroundWindow_ oNtUserGetForegroundWindow; - -HWND NTAPI hkNtUserGetForegroundWindow(VOID); \ No newline at end of file +HWND NTAPI hkNtUserGetForegroundWindow(VOID); +inline decltype(&hkNtUserGetForegroundWindow) oNtUserGetForegroundWindow = nullptr; +} // namespace hooks +} // namespace masterhide \ No newline at end of file diff --git a/MasterHide/includes.hpp b/MasterHide/includes.hpp index 5a4e3e1..5b560df 100644 --- a/MasterHide/includes.hpp +++ b/MasterHide/includes.hpp @@ -1,5 +1,10 @@ #pragma once +#include +#include +#include +#include + #include #include #include @@ -12,7 +17,7 @@ #include #include -#define TAG '00hm' +#include "thirdparty/scope_guard/include/scope_guard.hpp" #ifndef DBGPRINT #if _DEBUG @@ -28,8 +33,10 @@ #define USE_KASPERSKY #include "winnt.hpp" +#include "fnv1a.hpp" #include "globals.hpp" #include "misc.hpp" +#include "utils.hpp" #include "kaspersky.hpp" #include "ssdt.hpp" #include "shadow_ssdt.hpp" diff --git a/MasterHide/misc.cpp b/MasterHide/misc.cpp index 9cc64f0..c79a166 100644 --- a/MasterHide/misc.cpp +++ b/MasterHide/misc.cpp 
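Review bot: `inline ERESOURCE g_resource{};` is a new header-scope global with no comment on who calls ExInitializeResourceLite/ExDeleteResourceLite on it or what it guards, and `WaitForHooksCompletion()` next to it is equally undocumented; the pair presumably implements the unload handshake with the `g_refCount` counter used in hooks.cpp, so a one-line comment on each stating the protocol would help, e.g. `// Initialised before any hook is installed; deleted only after WaitForHooksCompletion() returns.` The Shadow SSDT declarations are inconsistent: `hkNtUserWindowFromPoint` and `hkNtUserQueryWindow` are declared without `NTAPI` while their definitions in hooks.cpp and every other hook here carry it; harmless on x64, but the declarations should match the definitions. The `inline decltype(&hkX) oX = nullptr;` pattern makes each original-function pointer's type depend on the hook's signature, so the hook signatures must stay identical to the real syscalls for the pointers to be correct; that constraint deserves a comment at the top of the block.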
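Review bot: `#include "thirdparty/scope_guard/include/scope_guard.hpp"` brings a vendored third-party header into the build, but nothing visible records which upstream version or commit it was copied from; add that provenance (and the upstream license file) next to the vendored copy so it can be audited and updated. The include also sits where the removed `#define TAG '00hm'` was, between the system includes and the `DBGPRINT` block, rather than with the project headers (`winnt.hpp`, `globals.hpp`, ...) at the bottom; grouping it with those would match the file's existing layout.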
@@ -1,107 +1,349 @@ #include "includes.hpp" -PUCHAR ntdll = nullptr; -PUCHAR win32u = nullptr; - namespace masterhide { -namespace tools +namespace syscalls { -bool GetProcessName(HANDLE PID, PUNICODE_STRING ProcessImageName) +/// +/// Dynamic hash table pointer +/// +PRTL_DYNAMIC_HASH_TABLE g_hashTable = nullptr; + +/// +/// Dynamic hash table context +/// +RTL_DYNAMIC_HASH_TABLE_CONTEXT g_hashTableContext{}; + +inline bool g_initialized = false; + +typedef struct _SYSCALL_TABLE_ENTRY { - KAPC_STATE apc{}; - bool bReturn = false; + USHORT serviceIndex; + RTL_DYNAMIC_HASH_TABLE_ENTRY hashTableEntry; + +} SYSCALL_TABLE_ENTRY, *PSYSCALL_TABLE_ENTRY; + +/// +/// This function will try to map and extract syscalls from provided file name and finally add them to dynamic hash +/// table if possible. +/// +/// File name to extract syscalls from +/// NTSTATUS value +static NTSTATUS FillSyscallTable(_In_ PUNICODE_STRING fileName) +{ + NT_ASSERT(g_initialized); - if (!ProcessImageName) - return false; + PVOID mappedBase = nullptr; + SIZE_T mappedSize = 0; - PEPROCESS Process = nullptr; - auto status = PsLookupProcessByProcessId(PID, &Process); + NTSTATUS status = tools::MapFileInSystemSpace(fileName, &mappedBase, &mappedSize); if (!NT_SUCCESS(status)) - return false; + { + DBGPRINT("Err: Failed to map %wZ to system space!", fileName); + return STATUS_UNSUCCESSFUL; + } - KeStackAttachProcess(Process, &apc); + SCOPE_EXIT + { + MmUnmapViewInSystemSpace(mappedBase); + }; - // - // Credits: iPower - // - wchar_t lpModuleName[MAX_PATH]; - status = ZwQueryVirtualMemory(NtCurrentProcess(), PsGetProcessSectionBaseAddress(Process), - static_cast(2), lpModuleName, sizeof(lpModuleName), NULL); - if (NT_SUCCESS(status)) + __try { - PUNICODE_STRING pModuleName = (PUNICODE_STRING)lpModuleName; - if (pModuleName->Length > 0) + PIMAGE_NT_HEADERS nth = RtlImageNtHeader(mappedBase); + if (!nth) { - AllocateUnicodeString(ProcessImageName, pModuleName->MaximumLength); - 
RtlCopyUnicodeString(ProcessImageName, pModuleName); - bReturn = true; + DBGPRINT("Err: Invalid file NT header!"); + return STATUS_UNSUCCESSFUL; + } + + const PIMAGE_DATA_DIRECTORY exportDataDirectory = + &nth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; + if (!exportDataDirectory->VirtualAddress || !exportDataDirectory->Size) + { + DBGPRINT("Err: Invalid file export data directory!"); + return STATUS_UNSUCCESSFUL; + } + + PUCHAR moduleBase = reinterpret_cast(mappedBase); + + const PIMAGE_EXPORT_DIRECTORY exportDirectory = + tools::RVAtoRawAddress(nth, exportDataDirectory->VirtualAddress, moduleBase); + + const PULONG AddressOfNames = tools::RVAtoRawAddress(nth, exportDirectory->AddressOfNames, moduleBase); + const PUSHORT AddressOfNameOrdinals = + tools::RVAtoRawAddress(nth, exportDirectory->AddressOfNameOrdinals, moduleBase); + const PULONG AddressOfFunctions = + tools::RVAtoRawAddress(nth, exportDirectory->AddressOfFunctions, moduleBase); + + for (auto i = 0ul; i < exportDirectory->NumberOfNames; i++) + { + auto routineName = tools::RVAtoRawAddress(nth, AddressOfNames[i], moduleBase); + auto routineAddress = + tools::RVAtoRawAddress(nth, AddressOfFunctions[AddressOfNameOrdinals[i]], moduleBase); + + auto IsSyscall = [&]() -> BOOLEAN { + return (routineAddress[0] == 0x4C && routineAddress[1] == 0x8B && routineAddress[2] == 0xD1 && + routineAddress[3] == 0xB8); + }; + + // Check if the export is possibly a syscall + if (IsSyscall()) + { + ULONG64 functionData = *(ULONG64 *)routineAddress; + ULONG syscallNum = (functionData >> 8 * 4); + syscallNum = syscallNum & 0xfff; + + // Allocate new entry and insert to hash table. 
+ auto entry = tools::AllocatePoolZero(NonPagedPool, sizeof(SYSCALL_TABLE_ENTRY), + tags::TAG_HASH_TABLE); + if (entry) + { + const FNV1A_t serviceHash = FNV1A::Hash(routineName); + entry->serviceIndex = static_cast(syscallNum); + + InitializeListHead(&(entry->hashTableEntry.Linkage)); + RtlInsertEntryHashTable(g_hashTable, &entry->hashTableEntry, ULONG_PTR(serviceHash), + &g_hashTableContext); + } + } } } + __except (EXCEPTION_EXECUTE_HANDLER) + { + DBGPRINT("Err: Exception while trying to parse PE file!"); - KeUnstackDetachProcess(&apc); - ObDereferenceObject(Process); + status = GetExceptionCode(); + } - return bReturn; + return status; } -bool GetProcessNameByPEPROCESS(PEPROCESS Process, PUNICODE_STRING ProcessImageName) +bool Init() { - KAPC_STATE apc{}; - bool bReturn = false; - bool bAttached = false; + g_hashTable = tools::AllocatePoolZero(NonPagedPool, sizeof(RTL_DYNAMIC_HASH_TABLE), + tags::TAG_HASH_TABLE); + if (!g_hashTable) + { + DBGPRINT("Err: Failed to allocate memory for dynamic hash table!"); + return false; + } - if (!ProcessImageName) + if (!RtlCreateHashTable(&g_hashTable, 0, 0)) + { + ExFreePool(g_hashTable); + DBGPRINT("Err: Failed to create dynamic hash table!"); return false; + } + + RtlInitHashTableContext(&g_hashTableContext); + + g_initialized = true; + + UNICODE_STRING ntdll = RTL_CONSTANT_STRING(L"\\SystemRoot\\System32\\ntdll.dll"); + UNICODE_STRING win32u = RTL_CONSTANT_STRING(L"\\SystemRoot\\System32\\win32u.dll"); + + FillSyscallTable(&ntdll); + FillSyscallTable(&win32u); - if (Process != PsGetCurrentProcess()) + return true; +} + +void Destroy() +{ + if (!g_initialized) { - KeStackAttachProcess(Process, &apc); - bAttached = true; + return; } - wchar_t lpModuleName[MAX_PATH]; - auto status = ZwQueryVirtualMemory(NtCurrentProcess(), PsGetProcessSectionBaseAddress(Process), - (MEMORY_INFORMATION_CLASS)2, lpModuleName, sizeof(lpModuleName), NULL); - if (NT_SUCCESS(status)) + RTL_DYNAMIC_HASH_TABLE_ENUMERATOR hashTableEnumerator{}; + + 
if (RtlInitEnumerationHashTable(g_hashTable, &hashTableEnumerator)) { - PUNICODE_STRING pModuleName = (PUNICODE_STRING)lpModuleName; - if (pModuleName->Length > 0) + while (true) { - AllocateUnicodeString(ProcessImageName, pModuleName->MaximumLength); - RtlCopyUnicodeString(ProcessImageName, pModuleName); - bReturn = true; + PRTL_DYNAMIC_HASH_TABLE_ENTRY hashTableEntry = + RtlEnumerateEntryHashTable(g_hashTable, &hashTableEnumerator); + if (!hashTableEntry) + { + break; + } + + RtlRemoveEntryHashTable(g_hashTable, hashTableEntry, &g_hashTableContext); + + PSYSCALL_TABLE_ENTRY entry = CONTAINING_RECORD(hashTableEntry, SYSCALL_TABLE_ENTRY, hashTableEntry); + ExFreePool(entry); } + RtlEndEnumerationHashTable(g_hashTable, &hashTableEnumerator); + } + + RtlDeleteHashTable(g_hashTable); + RtlReleaseHashTableContext(&g_hashTableContext); + + g_initialized = false; +} + +USHORT GetSyscallIndexByName(_In_ LPCSTR serviceName) +{ + NT_ASSERT(g_initialized); + + USHORT serviceIndex = USHORT(-1); + FNV1A_t signature = FNV1A::Hash(serviceName); + + RTL_DYNAMIC_HASH_TABLE_ENUMERATOR hashTableEnumerator{}; + if (RtlInitEnumerationHashTable(g_hashTable, &hashTableEnumerator)) + { + while (true) + { + PRTL_DYNAMIC_HASH_TABLE_ENTRY hashTableEntry = + RtlEnumerateEntryHashTable(g_hashTable, &hashTableEnumerator); + if (!hashTableEntry) + { + break; + } + + if (hashTableEntry->Signature == signature) + { + PSYSCALL_TABLE_ENTRY entry = CONTAINING_RECORD(hashTableEntry, SYSCALL_TABLE_ENTRY, hashTableEntry); + serviceIndex = entry->serviceIndex; + break; + } + } + RtlEndEnumerationHashTable(g_hashTable, &hashTableEnumerator); + } + + if (serviceIndex == USHORT(-1)) + { + DBGPRINT("Service %s not found in hash table list!", serviceName); + } + + return serviceIndex; +} +} // namespace syscalls + +namespace tools +{ +bool GetProcessFileName(_In_ PEPROCESS process, _Out_ PUNICODE_STRING processImageName) +{ + NT_ASSERT(processImageName); + + HANDLE processHandle{}; + + NTSTATUS status = 
ObOpenObjectByPointer(process, 0, NULL, 0, 0, KernelMode, &processHandle); + if (!NT_SUCCESS(status)) + { + DBGPRINT("Err: ObOpenObjectByPointer returned 0x%08X", status); + return false; + } + + SCOPE_EXIT + { + ZwClose(processHandle); + }; + + ULONG returnedLength = 0; + + status = ZwQueryInformationProcess(processHandle, ProcessImageFileName, nullptr, 0, &returnedLength); + if (status != STATUS_INFO_LENGTH_MISMATCH) + { + DBGPRINT("Err: ZwQueryInformationProcess returned 0x%08X", status); + return false; + } + + returnedLength *= (1 << 8); + + void *buffer = tools::AllocatePoolZero(NonPagedPool, returnedLength, tags::TAG_DEFAULT); + if (!buffer) + { + DBGPRINT("Err: Failed to allocate %d bytes for ZwQueryInformationProcess", returnedLength); + return false; + } + + SCOPE_EXIT + { + ExFreePool(buffer); + }; + + status = ZwQueryInformationProcess(processHandle, ProcessImageFileName, buffer, returnedLength, &returnedLength); + if (!NT_SUCCESS(status)) + { + DBGPRINT("Err: ZwQueryInformationProcess[1] returned 0x%08X", status); + return false; } - if (bAttached) - KeUnstackDetachProcess(&apc); + processImageName->Length = 0; + processImageName->MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR); + processImageName->Buffer = + tools::AllocatePoolZero(NonPagedPool, processImageName->MaximumLength, tags::TAG_DEFAULT); + if (!processImageName->Buffer) + { + DBGPRINT("Err: Failed to allocate memory for process image file name"); + return false; + } - return bReturn; + auto imageName = reinterpret_cast(buffer); + RtlCopyUnicodeString(processImageName, imageName); + + return true; } -PEPROCESS FindPEPROCESSById(PWCH wsName) +bool GetProcessFileName(_In_ HANDLE processId, _Out_ PUNICODE_STRING processImageName) { - if (!wsName) - return nullptr; + NT_ASSERT(processImageName); - for (unsigned i = 4; i < 0xFFFF; i += 0x4) + PEPROCESS process = nullptr; + NTSTATUS status = PsLookupProcessByProcessId(processId, &process); + if (!NT_SUCCESS(status)) { - PEPROCESS 
Process = nullptr; - if (!NT_SUCCESS(PsLookupProcessByProcessId(HANDLE(i), &Process))) + return false; + } + + const bool result = GetProcessFileName(process, processImageName); + ObDereferenceObject(process); + + return result; +} + +PEPROCESS GetProcessByName(_In_ LPCWSTR processName) +{ + NT_ASSERT(processName); + + for (ULONG i = 4; // Ignore system process + i < 0xFFFFFFF; // Try to go tru all possible PIDs + i += sizeof(ULONG)) + { + PEPROCESS process = nullptr; + if (!NT_SUCCESS(PsLookupProcessByProcessId(UlongToHandle(i), &process))) + { continue; + } - UNICODE_STRING wsProcName{}; - if (!GetProcessNameByPEPROCESS(Process, &wsProcName)) + UNICODE_STRING processFileName{}; + if (!GetProcessFileName(process, &processFileName)) { - ObDereferenceObject(Process); + ObDereferenceObject(process); continue; } - if (wsProcName.Buffer && wcsstr(wsProcName.Buffer, wsName)) - return Process; + SCOPE_EXIT + { + RtlFreeUnicodeString(&processFileName); + }; - ObDereferenceObject(Process); + // safe operation because GetProcessFileName returns a null terminated string. + PWSTR moduleName = wcsrchr(processFileName.Buffer, L'\\'); + if (moduleName) + { + ++moduleName; + + if (!wcscmp(moduleName, processName)) + { + // Process was found. + return process; + } + } + + ObDereferenceObject(process); } return nullptr; } 
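Review bot: `Destroy()` ends with `RtlDeleteHashTable(g_hashTable)` but never frees the `RTL_DYNAMIC_HASH_TABLE` header that `Init()` allocated with `tools::AllocatePoolZero`; as far as I recall RtlDeleteHashTable releases only a header it allocated itself, and `RtlCreateHashTable(&g_hashTable, 0, 0)` here hands it a caller-owned one, so add `ExFreePool(g_hashTable); g_hashTable = nullptr;` after the delete, and `Init()` should not ignore both `FillSyscallTable` return values. In `FillSyscallTable`, `mappedSize` is obtained and then never used: every RVA read from the export directory is trusted without a range check, and the surrounding `__try/__except` will not rescue an access that runs past the end of the mapped view, because a fault on an invalid system address bugchecks rather than raising a catchable exception — validate each RVA against `mappedSize` before dereferencing. `GetSyscallIndexByName` walks the whole table with the enumeration API comparing `Signature`, whereas `RtlLookupEntryHashTable(g_hashTable, signature, &g_hashTableContext)` (with `RtlGetNextEntryHashTable` for collisions) is the bucket lookup the table exists for. `ObOpenObjectByPointer(process, 0, ...)` in `GetProcessFileName` creates the handle with attributes `0`; pass `OBJ_KERNEL_HANDLE` so it lands in the kernel handle table instead of the handle table of whatever user-mode process the call happens to run in.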
@@ -194,365 +436,146 @@ bool DumpMZ(PUCHAR pImageBase) } } -PIMAGE_SECTION_HEADER GetSectionHeader(const ULONG64 image_base, const char *section_name) +PVOID GetKernelBase() { - if (!image_base || !section_name) - return nullptr; - - const auto pimage_dos_header = reinterpret_cast(image_base); - const auto pimage_nt_headers = reinterpret_cast(image_base + pimage_dos_header->e_lfanew); - - auto psection = IMAGE_FIRST_SECTION(pimage_nt_headers); - - PIMAGE_SECTION_HEADER psection_hdr = nullptr; - - const auto NumberOfSections = pimage_nt_headers->FileHeader.NumberOfSections; - - for (auto i = 0; i < NumberOfSections; ++i) + static PVOID kernelBase = nullptr; + if (!kernelBase) { - if (strstr((char *)psection->Name, section_name)) - { - psection_hdr = psection; - break; - } - - ++psection; + auto entry = reinterpret_cast(PsLoadedModuleList->Flink); + kernelBase = entry->DllBase; } - - return psection_hdr; + return kernelBase; } -bool bDataCompare(const char *pdata, const char *bmask, const char *szmask) +bool GetModuleInformation(_In_ const char *moduleName, _Out_ PVOID *moduleBase, _Out_opt_ PULONG moduleSize) { - for (; *szmask; ++szmask, ++pdata, ++bmask) - { - if (*szmask == 'x' && *pdata != *bmask) - return false; - } - - return !*szmask; -} - -ULONG64 InternalFindPattern(const ULONG64 base, const ULONG size, const char *bmask, const char *szmask) -{ - for (auto i = 0ul; i < size; ++i) - if (bDataCompare(PCHAR(base + i), bmask, szmask)) - return base + i; - - return 0; -} - -ULONG64 FindPatternKM(const char *szModuleName, const char *szsection, const char *bmask, const char *szmask) -{ - if (!szModuleName || !szsection || !bmask || !szmask) - return 0; - - const auto module_base = ULONG64(GetModuleBase(szModuleName)); - - if (!module_base) - return 0; - - const auto psection = GetSectionHeader(module_base, szsection); - - return psection - ? 
InternalFindPattern(module_base + psection->VirtualAddress, psection->Misc.VirtualSize, bmask, szmask) - : 0; -} - -PVOID GetImageTextSection(const ULONG64 uImageBase, ULONG *ulSectionSize) -{ - if (!uImageBase) - return nullptr; + PAGED_CODE(); + NT_ASSERT(moduleName); + NT_ASSERT(moduleBase); - const auto pText = GetSectionHeader(uImageBase, ".text"); - if (!pText) - return nullptr; + ULONG returnedBytes = 0; - if (ulSectionSize) - *ulSectionSize = pText->Misc.VirtualSize; - - return PVOID(uImageBase + pText->VirtualAddress); -} + NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, nullptr, 0, &returnedBytes); + if (status != STATUS_INFO_LENGTH_MISMATCH || status != STATUS_BUFFER_OVERFLOW) + { + // TODO: add verbose log + return false; + } -PVOID GetNtKernelBase() -{ - return GetModuleBase("\\SystemRoot\\System32\\ntoskrnl.exe"); -} + // Just in case the info size increases in between calls. + returnedBytes *= (1 << 8); -PVOID GetModuleBase(const char *szModule) -{ - PSYSTEM_MODULE_INFORMATION pSystemInfoBuffer = nullptr; - ULONG ulBytes = 0; - PVOID pImageBase = nullptr; + auto systemInfoBuffer = + tools::AllocatePoolZero(PagedPool, returnedBytes, tags::TAG_DEFAULT); + if (!systemInfoBuffer) + { + DBGPRINT("Err: Failed to allocate memory for ZwQuerySystemInformation\n"); + return false; + } - __try + SCOPE_EXIT { - auto status = ZwQuerySystemInformation(SystemModuleInformation, 0, ulBytes, &ulBytes); - if (!ulBytes) - { - DBGPRINT("[ GetModuleBase ] ZwQuerySystemInformation failed 0x%X\n", status); - return nullptr; - } + ExFreePool(systemInfoBuffer); + }; - pSystemInfoBuffer = PSYSTEM_MODULE_INFORMATION(ExAllocatePoolWithTag(PagedPool, ulBytes, TAG)); - if (!pSystemInfoBuffer) - { - DBGPRINT("[ GetModuleBase ] ExAllocatePoolWithTag failed!\n"); - return nullptr; - } + status = ZwQuerySystemInformation(SystemModuleInformation, systemInfoBuffer, returnedBytes, &returnedBytes); + if (!NT_SUCCESS(status)) + { + DBGPRINT("Err: 
ZwQuerySystemInformation returned 0x%08X\n", status); + return false; + } - status = ZwQuerySystemInformation(SystemModuleInformation, pSystemInfoBuffer, ulBytes, &ulBytes); - if (!NT_SUCCESS(status)) - { - DBGPRINT("[ GetModuleBase ] ZwQuerySystemInformation[1] failed 0x%X\n", status); - ExFreePoolWithTag(pSystemInfoBuffer, TAG); - return nullptr; - } + for (unsigned i = 0; i < systemInfoBuffer->ModulesCount; ++i) + { + const SYSTEM_MODULE *systemModule = &systemInfoBuffer->Modules[i]; - for (unsigned i = 0; i < pSystemInfoBuffer->ModulesCount; ++i) + if (!strcmp(systemModule->ImageName + systemModule->ModuleNameOffset, moduleName)) { - auto Buff = &pSystemInfoBuffer->Modules[i]; + *moduleBase = systemModule->Base; - if (!_stricmp(Buff->ImageName, szModule)) + if (moduleSize) { - pImageBase = Buff->Base; - break; + *moduleSize = systemModule->Size; } + + return true; } } - __finally - { - if (pSystemInfoBuffer) - ExFreePoolWithTag(pSystemInfoBuffer, TAG); - } - return pImageBase; + return false; } -NTSTATUS LoadFile(PUNICODE_STRING FileName, PUCHAR *pImageBase) +NTSTATUS MapFileInSystemSpace(_In_ PUNICODE_STRING FileName, _Out_ PVOID *MappedBase, _Out_opt_ SIZE_T *MappedSize) { - if (!FileName) - return STATUS_INVALID_PARAMETER; + NT_ASSERT(FileName); + NT_ASSERT(MappedBase); - OBJECT_ATTRIBUTES oa{}; - InitializeObjectAttributes(&oa, FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); + PAGED_CODE(); - if (KeGetCurrentIrql() != PASSIVE_LEVEL) - { - DBGPRINT("[ LoadFile ] IRQL too high for IO operations!\n"); - return STATUS_UNSUCCESSFUL; - } + HANDLE fileHandle = NULL; + HANDLE sectionHandle = NULL; + PVOID sectionObject = nullptr; - HANDLE FileHandle = NULL; + PVOID ViewBase = nullptr; + SIZE_T ViewSize = 0; - IO_STATUS_BLOCK IoStatusBlock{}; - auto res = ZwCreateFile(&FileHandle, GENERIC_READ, &oa, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, - FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); + IO_STATUS_BLOCK iosb{}; - if 
(!NT_SUCCESS(res)) - { - DBGPRINT("[ LoadFile ] ZwCreateFile failed 0x%X\n", res); - return STATUS_UNSUCCESSFUL; - } + OBJECT_ATTRIBUTES oa{}; + InitializeObjectAttributes(&oa, FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, nullptr, nullptr); + OBJECT_ATTRIBUTES oa2{}; + InitializeObjectAttributes(&oa2, nullptr, OBJ_KERNEL_HANDLE, nullptr, nullptr); - FILE_STANDARD_INFORMATION StandardInformation{}; - res = ZwQueryInformationFile(FileHandle, &IoStatusBlock, &StandardInformation, sizeof(FILE_STANDARD_INFORMATION), - FileStandardInformation); - if (!NT_SUCCESS(res)) + NTSTATUS status = + ZwCreateFile(&fileHandle, SYNCHRONIZE | FILE_READ_DATA, &oa, &iosb, NULL, FILE_ATTRIBUTE_NORMAL, + FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); + if (!NT_SUCCESS(status)) { - DBGPRINT("[ LoadFile ] ZwQueryInformationFile failed 0x%X\n", res); - ZwClose(FileHandle); + DBGPRINT("ZwCreateFile returned 0x%08X", status); return STATUS_UNSUCCESSFUL; } - auto FileSize = StandardInformation.EndOfFile.LowPart; - auto FileBuffer = PUCHAR(ExAllocatePoolWithTag(NonPagedPool, FileSize, TAG)); - - if (!FileBuffer) - { - DBGPRINT("[ LoadFile ] ExAllocatePoolWithTag failed\n"); - ZwClose(FileHandle); - return STATUS_SUCCESS; - } - - LARGE_INTEGER li{}; - res = ZwReadFile(FileHandle, NULL, NULL, NULL, &IoStatusBlock, FileBuffer, FileSize, &li, NULL); - if (!NT_SUCCESS(res)) - { - DBGPRINT("[ LoadFile ] ZwReadFile failed 0x%X\n", res); - ExFreePoolWithTag(FileBuffer, TAG); - ZwClose(FileHandle); - return STATUS_SUCCESS; - } - - auto dos = PIMAGE_DOS_HEADER(FileBuffer); - if (dos->e_magic != IMAGE_DOS_SIGNATURE) + SCOPE_EXIT { - DBGPRINT("[ LoadFile ] Invalid DOS signature!\n"); - ExFreePoolWithTag(FileBuffer, TAG); - ZwClose(FileHandle); - return STATUS_SUCCESS; - } + ZwClose(fileHandle); + }; - auto nt = PIMAGE_NT_HEADERS64(FileBuffer + dos->e_lfanew); - if (nt->Signature != IMAGE_NT_SIGNATURE) + status = ZwCreateSection(§ionHandle, 
SECTION_MAP_READ, &oa2, nullptr, PAGE_READONLY, SEC_COMMIT, fileHandle); + if (!NT_SUCCESS(status)) { - DBGPRINT("[ LoadFile ] Invalid NT signature!\n"); - ExFreePoolWithTag(FileBuffer, TAG); - ZwClose(FileHandle); - return STATUS_SUCCESS; + DBGPRINT("ZwCreateFile returned 0x%08X", status); + return STATUS_UNSUCCESSFUL; } - auto Image = PUCHAR(ExAllocatePoolWithTag(NonPagedPool, nt->OptionalHeader.SizeOfImage, TAG)); - if (!Image) + SCOPE_EXIT { - DBGPRINT("[ LoadFile ] ExAllocatePoolWithTag[1] failed!\n"); - ExFreePoolWithTag(FileBuffer, TAG); - ZwClose(FileHandle); - return STATUS_SUCCESS; - } - - memcpy(Image, FileBuffer, nt->OptionalHeader.SizeOfHeaders); - - auto pISH = IMAGE_FIRST_SECTION(nt); - for (unsigned i = 0; i < nt->FileHeader.NumberOfSections; i++) - memcpy(Image + pISH[i].VirtualAddress, FileBuffer + pISH[i].PointerToRawData, pISH[i].SizeOfRawData); + ZwClose(sectionHandle); + }; - if (pImageBase) - *pImageBase = Image; - - ExFreePoolWithTag(FileBuffer, TAG); - ZwClose(FileHandle); - return STATUS_SUCCESS; -} - -PVOID GetFunctionAddress(PVOID Module, LPCSTR FunctionName) -{ - PIMAGE_DOS_HEADER pIDH; - PIMAGE_NT_HEADERS pINH; - PIMAGE_EXPORT_DIRECTORY pIED; - - PULONG Address, Name; - PUSHORT Ordinal; - - ULONG i; - - pIDH = (PIMAGE_DOS_HEADER)Module; - pINH = (PIMAGE_NT_HEADERS)((PUCHAR)Module + pIDH->e_lfanew); - - pIED = (PIMAGE_EXPORT_DIRECTORY)((PUCHAR)Module + - pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); - - Address = (PULONG)((PUCHAR)Module + pIED->AddressOfFunctions); - Name = (PULONG)((PUCHAR)Module + pIED->AddressOfNames); - - Ordinal = (PUSHORT)((PUCHAR)Module + pIED->AddressOfNameOrdinals); - - for (i = 0; i < pIED->AddressOfFunctions; i++) + status = ObReferenceObjectByHandle(sectionHandle, SECTION_MAP_READ, nullptr, KernelMode, §ionObject, nullptr); + if (!NT_SUCCESS(status)) { - if (!strcmp(FunctionName, (char *)Module + Name[i])) - { - return (PVOID)((PUCHAR)Module + Address[Ordinal[i]]); - } + 
DBGPRINT("ObReferenceObjectByHandle returned 0x%08X", status); + return STATUS_UNSUCCESSFUL; } - return NULL; -} + status = MmMapViewInSystemSpace(sectionObject, &ViewBase, &ViewSize); + ObDereferenceObject(sectionObject); -ULONG GetNtSyscall(LPCSTR FunctionName) -{ - if (!ntdll) + if (!NT_SUCCESS(status)) { - UNICODE_STRING FileName = RTL_CONSTANT_STRING(L"\\SystemRoot\\System32\\ntdll.dll"); - - auto res = LoadFile(&FileName, &ntdll); - if (!NT_SUCCESS(res)) - DBGPRINT("[ GetNtSyscall ] Failed to load ntdll.dll 0x%X\n", res) + DBGPRINT("MmMapViewInSystemSpace returned 0x%08X", status); + return STATUS_UNSUCCESSFUL; } - if (ntdll) - { - auto Fn = PUCHAR(GetFunctionAddress(ntdll, FunctionName)); - if (Fn) - { - for (int i = 0; i < 24; ++i) - { - if (Fn[i] == 0xC2 || Fn[i] == 0xC3) - break; - - if (Fn[i] == 0xB8) - return *(PULONG)(Fn + i + 1); - } - } - } - return 0; -} + *MappedBase = ViewBase; -ULONG GetWin32Syscall(LPCSTR FunctionName) -{ - if (!win32u) + if (MappedSize) { - UNICODE_STRING FileName = RTL_CONSTANT_STRING(L"\\SystemRoot\\System32\\win32u.dll"); - - auto res = LoadFile(&FileName, &win32u); - if (!NT_SUCCESS(res)) - DBGPRINT("[ GetWin32Syscall ] Failed to load win32u.dll 0x%X\n", res) + *MappedSize = ViewSize; } - if (win32u) - { - auto Fn = PUCHAR(GetFunctionAddress(win32u, FunctionName)); - if (Fn) - { - for (int i = 0; i < 24; ++i) - { - if (Fn[i] == 0xC2 || Fn[i] == 0xC3) - break; - - if (Fn[i] == 0xB8) - return *(PULONG)(Fn + i + 1); - } - } - } - return 0; -} - -void UnloadImages() -{ - if (ntdll) - ExFreePoolWithTag(ntdll, TAG); - - if (win32u) - ExFreePoolWithTag(win32u, TAG); -} -}; // namespace tools -}; // namespace masterhide - -namespace masterhide -{ -namespace utils -{ -KIRQL WPOFF() -{ - KIRQL Irql = KeRaiseIrqlToDpcLevel(); - UINT_PTR cr0 = __readcr0(); - - cr0 &= ~0x10000; - __writecr0(cr0); - _disable(); - - return Irql; -} - -void WPON(KIRQL Irql) -{ - UINT_PTR cr0 = __readcr0(); - - cr0 |= 0x10000; - _enable(); - 
__writecr0(cr0); - - KeLowerIrql(Irql); + return STATUS_SUCCESS; } const PUCHAR FindCodeCave(PUCHAR Code, ULONG ulCodeSize, size_t CaveLength) @@ -560,14 +583,21 @@ const PUCHAR FindCodeCave(PUCHAR Code, ULONG ulCodeSize, size_t CaveLength) for (unsigned i = 0, j = 0; i < ulCodeSize; i++) { if (Code[i] == 0x90 || Code[i] == 0xCC) + { j++; + } else + { j = 0; + } if (j == CaveLength) + { return PUCHAR((ULONG_PTR)Code + i - CaveLength + 1); + } } return nullptr; } -} // namespace utils + +} // namespace tools }; // namespace masterhide \ No newline at end of file diff --git a/MasterHide/misc.hpp b/MasterHide/misc.hpp index 0bb35d1..655616a 100644 --- a/MasterHide/misc.hpp +++ b/MasterHide/misc.hpp 
@@ -1,69 +1,40 @@ #pragma once -#define SYSCALL_INDEX(a) (*(PULONG)((PUCHAR)a + 1)) - -inline void AllocateUnicodeString(PUNICODE_STRING us, USHORT Size) +namespace masterhide { - if (!us) - return; - - __try - { - us->Length = 0; - us->MaximumLength = 0; - us->Buffer = PWSTR(ExAllocatePoolWithTag(NonPagedPool, Size, TAG)); - if (us->Buffer) - { - us->Length = 0; - us->MaximumLength = Size; - } - } - __except (EXCEPTION_EXECUTE_HANDLER) - { - } -} +namespace tags +{ +static constexpr ULONG TAG_DEFAULT = '00hm'; +static constexpr ULONG TAG_HASH_TABLE = '10hm'; +} // namespace tags -inline void FreeUnicodeString(PUNICODE_STRING us) +namespace syscalls { - if (!us) - return; +/// +/// This function is resposible for initialize and fill the syscall dynamic hash table. +/// +/// NTSTATUS value +bool Init(); - __try - { - if (us->MaximumLength > 0 && us->Buffer) - ExFreePoolWithTag(us->Buffer, TAG); +void Destroy(); - us->Length = 0; - us->MaximumLength = 0; - } - __except (EXCEPTION_EXECUTE_HANDLER) - { - } -} +/// +/// This function returns a syscall index by service name. +/// +/// Service name to extract syscall index from. 
+/// +USHORT GetSyscallIndexByName(_In_ LPCSTR serviceName); +} // namespace syscalls -namespace masterhide -{ -namespace utils -{ -extern KIRQL WPOFF(); -extern void WPON(KIRQL Irql); -extern const PUCHAR FindCodeCave(PUCHAR Code, ULONG ulCodeSize, size_t CaveLength); -} // namespace utils -}; // namespace masterhide - -namespace masterhide -{ namespace tools { -// -// Tools -// -extern ULONG64 FindPatternKM(const char *szModuleName, const char *szsection, const char *bmask, const char *szmask); -extern bool GetProcessName(HANDLE PID, PUNICODE_STRING wsProcessName); -extern bool GetProcessNameByPEPROCESS(PEPROCESS Process, PUNICODE_STRING ProcessImageName); -extern PVOID GetNtKernelBase(); -extern PVOID GetModuleBase(const char *szModule); -extern PEPROCESS FindPEPROCESSById(PWCH wsName); +const PUCHAR FindCodeCave(PUCHAR Code, ULONG ulCodeSize, size_t CaveLength); + +_Success_(return != false) bool GetProcessFileName(_In_ PEPROCESS process, _Out_ PUNICODE_STRING processImageName); + +bool GetProcessFileName(_In_ HANDLE processId, _Out_ PUNICODE_STRING processImageName); +PEPROCESS GetProcessByName(_In_ LPCWSTR processName); +PVOID GetKernelBase(); inline void SwapEndianness(PCHAR ptr, size_t size) { 
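Review bot: The doc comment on `bool Init();` in namespace `syscalls` says it returns an `NTSTATUS value`, but the declared return type is `bool`; change it to `/// <returns>true when the syscall table was built, false otherwise</returns>` and fix `resposible` to `responsible`. `GetSyscallIndexByName` should state what it returns for an unknown service name, because the hook macros in the shadow_ssdt.cpp and ssdt.cpp hunks feed its result straight into the hooking routine without checking for a not-found value, e.g. `/// <returns>Syscall index, or [NOT_FOUND_VALUE] when the name is not in the table.</returns>` with the real sentinel taken from the implementation. The two `GetProcessFileName` overloads are annotated inconsistently — only the `PEPROCESS` one carries `_Success_(return != false)` — and `Destroy()` has no comment at all.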
@@ -81,16 +52,31 @@ inline void SwapEndianness(PCHAR ptr, size_t size) } } -// -// Helpers -// -extern ULONG GetNtSyscall(LPCSTR FunctionName); -extern ULONG GetWin32Syscall(LPCSTR FunctionName); -extern PVOID GetImageTextSection(const ULONG64 uImageBase, ULONG *ulSectionSize); +template inline T RVAtoRawAddress(PIMAGE_NT_HEADERS nth, ULONG rva, PUCHAR moduleBase) +{ + PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nth); + + for (int i = 0; i < nth->FileHeader.NumberOfSections; i++, section++) + { + if (rva >= section->VirtualAddress && rva < section->VirtualAddress + section->Misc.VirtualSize) + { + return T(moduleBase + (rva - section->VirtualAddress + section->PointerToRawData)); + } + } + return {}; +}; + +template inline T AllocatePoolZero(POOL_TYPE poolType, SIZE_T size, ULONG tag) +{ + void *p = ExAllocatePoolWithTag(poolType, size, tag); + if (p) + { + RtlZeroMemory(p, size); + } + return T(p); +} -// -// Misc -// +NTSTATUS MapFileInSystemSpace(_In_ PUNICODE_STRING FileName, _Out_ PVOID *MappedBase, _Out_opt_ SIZE_T *MappedSize); extern bool DumpMZ(PUCHAR pImageBase); extern void UnloadImages(); } // namespace tools diff --git a/MasterHide/shadow_ssdt.cpp b/MasterHide/shadow_ssdt.cpp index 129f345..3cfaade 100644 --- a/MasterHide/shadow_ssdt.cpp +++ b/MasterHide/shadow_ssdt.cpp @@ -1,7 +1,6 @@ #include "includes.hpp" PSYSTEM_SERVICE_TABLE g_KeServiceDescriptorTableShadow = NULL; -HANDLE hCsrssPID = HANDLE(-1); ULONGLONG GetKeServiceDescriptorTableShadow64() { @@ -48,7 +47,6 @@ bool HookSSSDT(PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID *pOldFu ULONGLONG W32pServiceTable = 0, qwTemp = 0; LONG dwTemp = 0; - KIRQL irql; // // Log the Syscall number that we're hooking 
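Review bot: `extern void UnloadImages();` at the end of the hunk is left declared although this patch deletes its definition from misc.cpp together with the `ntdll`/`win32u` buffers it freed, so it should be dropped unless it has been re-homed in another file. In `RVAtoRawAddress` an RVA is accepted when it lies within `Misc.VirtualSize`, but the returned pointer is only backed by raw bytes up to `SizeOfRawData`; an RVA in the virtual-only tail of a section resolves into the next section's raw data, or past the end of the mapping for the last section, with no size check, so add `&& rva - section->VirtualAddress < section->SizeOfRawData` to the condition (or pass the mapped size in and bound-check the result). The `;` after that template's closing brace is a stray empty declaration, and the loop counter `i` should be a `WORD` to match `NumberOfSections`. `MapFileInSystemSpace` hands the caller a system-space view it must release; document that with `/// Caller must release the view with MmUnmapViewInSystemSpace(*MappedBase).`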
@@ -66,7 +64,7 @@ bool HookSSSDT(PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID *pOldFu // // Find a suitable code cave inside the module .text section that we can use to trampoline to our hook // - auto pCodeCave = utils::FindCodeCave(pCode, ulCodeSize, sizeof(jmp_trampoline)); + auto pCodeCave = tools::FindCodeCave(pCode, ulCodeSize, sizeof(jmp_trampoline)); if (!pCodeCave) { DBGPRINT("[ HookSSSDT ] Failed to find a suitable code cave.\n"); @@ -99,7 +97,7 @@ bool HookSSSDT(PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID *pOldFu // // Modify SSSDT table // - irql = utils::WPOFF(); + // irql = utils::WPOFF(); RtlCopyMemory(Mapping, jmp_trampoline, sizeof(jmp_trampoline)); @@ -110,7 +108,7 @@ bool HookSSSDT(PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID *pOldFu *(PLONG)qwTemp = dwTemp; - utils::WPON(irql); + // utils::WPON(irql); // // Restore protection @@ -129,9 +127,8 @@ bool UnhookSSSDT(PVOID pFunction, ULONG SyscallNum) ULONGLONG W32pServiceTable = 0, qwTemp = 0; LONG dwTemp = 0; - KIRQL irql; - irql = utils::WPOFF(); + // irql = utils::WPOFF(); W32pServiceTable = (ULONGLONG)(g_KeServiceDescriptorTableShadow->ServiceTableBase); qwTemp = W32pServiceTable + 4 * (SyscallNum - 0x1000); 
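Review bot: `// irql = utils::WPOFF();` and `// utils::WPON(irql);` in HookSSSDT and UnhookSSSDT are commented-out calls to functions this patch deletes from misc.cpp; dead code belongs in git history, not in comments, so delete the four lines (the same pairs are left in the ssdt.cpp hunks for HookSSDT and UnhookSSDT). The write at `*(PLONG)qwTemp = dwTemp;` is unchanged, so the `Modify SSSDT table` comment should record why the CR0.WP toggling is no longer needed; otherwise the next reader will assume it was lost by accident. HookSSSDT and UnhookSSSDT both begin and end outside these hunks.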
@@ -140,93 +137,12 @@ bool UnhookSSSDT(PVOID pFunction, ULONG SyscallNum) *(PLONG)qwTemp = dwTemp; - utils::WPON(irql); + // utils::WPON(irql); return true; } -PSYSTEM_HANDLE_INFORMATION_EX GetSystemHandleInformation() -{ - PSYSTEM_HANDLE_INFORMATION_EX pSHInfo = NULL; - NTSTATUS Status = STATUS_NO_MEMORY; - ULONG SMInfoLen = 0x1000; - - do - { - pSHInfo = (PSYSTEM_HANDLE_INFORMATION_EX)ExAllocatePoolWithTag(PagedPool, SMInfoLen, TAG); - if (!pSHInfo) - break; - - Status = ZwQuerySystemInformation(SystemHandleInformation, pSHInfo, SMInfoLen, &SMInfoLen); - if (!NT_SUCCESS(Status)) - { - ExFreePoolWithTag(pSHInfo, TAG); - pSHInfo = NULL; - } - } while (Status == STATUS_INFO_LENGTH_MISMATCH); - - return pSHInfo; -} - -HANDLE GetCsrssPid() -{ - HANDLE CsrId = (HANDLE)0; - PSYSTEM_HANDLE_INFORMATION_EX pHandles = GetSystemHandleInformation(); - if (pHandles) - { - unsigned i; - for (i = 0; i < pHandles->NumberOfHandles && !CsrId; i++) - { - OBJECT_ATTRIBUTES obj; - CLIENT_ID cid; - HANDLE Process, hObject; - InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); - cid.UniqueProcess = (HANDLE)pHandles->Information[i].ProcessId; - cid.UniqueThread = 0; - - auto res = ZwOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid); - if (NT_SUCCESS(res)) - { - res = ZwDuplicateObject(Process, (PHANDLE)(pHandles->Information[i].Handle), NtCurrentProcess(), - &hObject, 0, FALSE, DUPLICATE_SAME_ACCESS); - if (NT_SUCCESS(res)) - { - UCHAR Buff[0x200]; - POBJECT_NAME_INFORMATION ObjName = (POBJECT_NAME_INFORMATION)&Buff; - - res = ZwQueryObject(hObject, ObjectTypeInformation, ObjName, sizeof(Buff), NULL); - if (NT_SUCCESS(res)) - { - if (ObjName->Name.Buffer && (!wcsncmp(L"Port", ObjName->Name.Buffer, 4) || - !wcsncmp(L"ALPC Port", ObjName->Name.Buffer, 9))) - { - res = ZwQueryObject(hObject, (OBJECT_INFORMATION_CLASS)1, ObjName, sizeof(Buff), NULL); - if (NT_SUCCESS(res)) - { - if (ObjName->Name.Buffer && !wcsncmp(L"\\Windows\\ApiPort", ObjName->Name.Buffer, 20)) - 
CsrId = (HANDLE)pHandles->Information[i].ProcessId; - } - } - } - else - DBGPRINT("[ GetCsr ] ZwQueryObject failed 0x%X\n", res); - - ZwClose(hObject); - } - else if (res != STATUS_NOT_SUPPORTED) - DBGPRINT("[ GetCsr ] ZwDuplicateObject failed 0x%X\n", res); - - ZwClose(Process); - } - else - DBGPRINT("[ GetCsr ] NtOpenProcess failed 0x%X\n", res); - } - ExFreePoolWithTag(pHandles, TAG); - } - return CsrId; -} - -void sssdt::Init() +bool sssdt::Init() { #ifndef USE_KASPERSKY g_KeServiceDescriptorTableShadow = 
@@ -318,47 +234,27 @@ void sssdt::Init() KeUnstackDetachProcess(&apc); ObDereferenceObject(Process); #else - - if (kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTUSERQUERYWND, hkNtUserQueryWindow, - reinterpret_cast(&oNtUserQueryWindow))) - { - DBGPRINT("NtUserQueryWindow ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERQUERYWND); +#define KASPERSKY_HOOK_ROUTINE(name) \ + if (!kaspersky::hook_shadow_ssdt_routine(syscalls::GetSyscallIndexByName(#name) + 0x1000, hooks::hk##name, \ + reinterpret_cast(&hooks::o##name))) \ + { \ + DBGPRINT("Failed to hook " #name); \ + return false; \ + } \ + else \ + { \ + DBGPRINT(#name " hooked successfully!"); \ } - else - DBGPRINT("Failed to hook NtUserQueryWindow!\n"); - if (kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTUSERFINDWNDEX, hkNtUserFindWindowEx, - reinterpret_cast(&oNtUserFindWindowEx))) - { - DBGPRINT("NtUserFindWindowEx ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERFINDWNDEX); - } - else - DBGPRINT("Failed to hook NtUserFindWindowEx!\n"); + KASPERSKY_HOOK_ROUTINE(NtUserQueryWindow); + KASPERSKY_HOOK_ROUTINE(NtUserFindWindowEx); + KASPERSKY_HOOK_ROUTINE(NtUserWindowFromPoint); + KASPERSKY_HOOK_ROUTINE(NtUserBuildHwndList); + KASPERSKY_HOOK_ROUTINE(NtUserGetForegroundWindow); - if (kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTUSERWNDFROMPOINT, hkNtUserWindowFromPoint, - reinterpret_cast(&oNtUserWindowFromPoint))) - { - DBGPRINT("NtUserWindowFromPoint ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERWNDFROMPOINT); - } - else - DBGPRINT("Failed to hook NtUserWindowFromPoint!\n"); - - if (kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTUSERBUILDWNDLIST, hkNtUserBuildHwndList, - reinterpret_cast(&oNtUserBuildHwndList))) - { - DBGPRINT("NtUserBuildHwndList ( 0x%X ) hooked successfully!\n", SYSCALL_NTUSERBUILDWNDLIST); - } - else - DBGPRINT("Failed to hook NtUserBuildHwndList!\n"); - - if (kaspersky::hook_shadow_ssdt_routine(SYSCALL_NTGETFOREGROUNDWND, hkNtUserGetForegroundWindow, - 
reinterpret_cast(&oNtUserGetForegroundWindow))) - { - DBGPRINT("NtUserGetForegroundWindow ( 0x%X ) hooked successfully!\n", SYSCALL_NTGETFOREGROUNDWND); - } - else - DBGPRINT("Failed to hook NtUserGetForegroundWindow!\n"); +#undef KASPERSKY_HOOK_ROUTINE #endif + return true; } void sssdt::Destroy() @@ -399,19 +295,20 @@ void sssdt::Destroy() if (!kaspersky::is_klhk_loaded()) return; - if (!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTUSERBUILDWNDLIST, oNtUserBuildHwndList)) - DBGPRINT("Failed to unhook NtUserBuildHwndList"); - - if (!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTUSERWNDFROMPOINT, oNtUserWindowFromPoint)) - DBGPRINT("Failed to unhook NtUserWindowFromPoint"); - - if (!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTUSERFINDWNDEX, oNtUserFindWindowEx)) - DBGPRINT("Failed to unhook NtUserFindWindowEx"); - - if (!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTGETFOREGROUNDWND, oNtUserGetForegroundWindow)) - DBGPRINT("Failed to unhook NtUserGetForegroundWindow"); +#define KASPERSKY_UNHOOK_ROUTINE(name) \ + if (!kaspersky::unhook_shadow_ssdt_routine(syscalls::GetSyscallIndexByName(#name) + 0x1000, hooks::o##name)) \ + { \ + DBGPRINT("Failed to unhook " #name); \ + } \ + else \ + { \ + DBGPRINT(#name " unhooked successfully!"); \ + } - if (!kaspersky::unhook_shadow_ssdt_routine(SYSCALL_NTUSERQUERYWND, oNtUserQueryWindow)) - DBGPRINT("Failed to unhook NtUserQueryWindow"); + KASPERSKY_UNHOOK_ROUTINE(NtUserQueryWindow); + KASPERSKY_UNHOOK_ROUTINE(NtUserFindWindowEx); + KASPERSKY_UNHOOK_ROUTINE(NtUserWindowFromPoint); + KASPERSKY_UNHOOK_ROUTINE(NtUserBuildHwndList); + KASPERSKY_UNHOOK_ROUTINE(NtUserGetForegroundWindow); #endif } \ No newline at end of file diff --git a/MasterHide/shadow_ssdt.hpp b/MasterHide/shadow_ssdt.hpp index b8a6439..7597e3b 100644 --- a/MasterHide/shadow_ssdt.hpp +++ b/MasterHide/shadow_ssdt.hpp 
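Review bot: `KASPERSKY_HOOK_ROUTINE` passes `syscalls::GetSyscallIndexByName(#name) + 0x1000` to `hook_shadow_ssdt_routine` without checking whether the lookup succeeded, so an unknown or renamed service name silently hooks whatever index the not-found value plus 0x1000 happens to be; capture the index first and bail out, e.g. `const USHORT idx = syscalls::GetSyscallIndexByName(#name); if (idx == [NOT_FOUND_VALUE]) { DBGPRINT("No syscall index for " #name); return false; }`. The same applies to the `KASPERSKY_HOOK_ROUTINE` in the ssdt.cpp hunk at `ssdt::Init` and to both `KASPERSKY_UNHOOK_ROUTINE` macros. On a mid-list failure the macro returns false with the earlier hooks still installed, which is only safe if every caller of `Init()` then calls `Destroy()`; a comment above the macro should state that contract. The single `return true` sits after `#endif`, so the `#ifndef USE_KASPERSKY` path, whose body lies outside the hunk, appears to report success unconditionally — confirm it returns false on its own failures.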
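Review bot: `KASPERSKY_UNHOOK_ROUTINE` in `sssdt::Destroy` is never undefined, whereas the sibling macro in the ssdt.cpp `ssdt::Destroy` hunk ends with `#undef KASPERSKY_UNHOOK_ROUTINE` and the hook macro in `sssdt::Init` ends with `#undef KASPERSKY_HOOK_ROUTINE`; add `#undef KASPERSKY_UNHOOK_ROUTINE` before the `#endif` so the name does not leak past the function. The unhook calls also re-run `GetSyscallIndexByName` instead of using the index recorded at hook time; if the table can be rebuilt between `Init` and `Destroy`, caching the index at hook time would be safer.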
@@ -4,7 +4,7 @@ namespace masterhide { namespace sssdt { -extern void Init(); +extern bool Init(); extern void Destroy(); } // namespace sssdt }; // namespace masterhide diff --git a/MasterHide/ssdt.cpp b/MasterHide/ssdt.cpp index ab90598..72f849a 100644 --- a/MasterHide/ssdt.cpp +++ b/MasterHide/ssdt.cpp @@ -61,7 +61,7 @@ bool HookSSDT(PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID *pOldFun // // Find a suitable code cave inside the module .text section that we can use to trampoline to our hook // - auto pCodeCave = utils::FindCodeCave(pCode, ulCodeSize, sizeof(jmp_trampoline)); + auto pCodeCave = tools::FindCodeCave(pCode, ulCodeSize, sizeof(jmp_trampoline)); if (!pCodeCave) { DBGPRINT("[ HookSSDT ] Failed to find a suitable code cave.\n"); @@ -96,7 +96,7 @@ bool HookSSDT(PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID *pOldFun // auto ServiceTableBase = (PULONG)g_KeServiceDescriptorTable->ServiceTableBase; - auto irql = utils::WPOFF(); + // auto irql = utils::WPOFF(); RtlCopyMemory(Mapping, jmp_trampoline, sizeof(jmp_trampoline)); @@ -105,7 +105,7 @@ bool HookSSDT(PUCHAR pCode, ULONG ulCodeSize, PVOID pNewFunction, PVOID *pOldFun SsdtEntry += ServiceTableBase[SyscallNum] & 0x0F; ServiceTableBase[SyscallNum] = SsdtEntry; - utils::WPON(irql); + // utils::WPON(irql); // // Restore protection @@ -124,19 +124,19 @@ bool UnhookSSDT(PVOID pFunction, ULONG SyscallNum) auto ServiceTableBase = (PULONG)g_KeServiceDescriptorTable->ServiceTableBase; - auto irql = utils::WPOFF(); + // auto irql = utils::WPOFF(); auto SsdtEntry = GetOffsetAddress(ULONG64(pFunction)); SsdtEntry &= 0xFFFFFFF0; SsdtEntry += ServiceTableBase[SyscallNum] & 0x0F; ServiceTableBase[SyscallNum] = SsdtEntry; - utils::WPON(irql); + // utils::WPON(irql); return true; } -void ssdt::Init() +bool ssdt::Init() { #ifndef USE_KASPERSKY g_KeServiceDescriptorTable = PSYSTEM_SERVICE_TABLE(GetKeServiceDescriptorTable64()); 
@@ -211,61 +211,28 @@ void ssdt::Init() DBGPRINT("Failed to hook NtDeviceIoControlFile!\n"); } #else - if (kaspersky::hook_ssdt_routine(SYSCALL_NTOPENPROCESS, hkNtOpenProcess, - reinterpret_cast(&oNtOpenProcess))) - { - DBGPRINT("NtOpenProcess ( 0x%X ) hooked successfully!\n", SYSCALL_NTOPENPROCESS); - } - else - DBGPRINT("Failed to hook NtOpenProcess!\n"); - - if (kaspersky::hook_ssdt_routine(SYSCALL_NTDEVICEIOCTRLFILE, hkNtDeviceIoControlFile, - reinterpret_cast(&oNtDeviceIoControlFile))) - { - DBGPRINT("NtDeviceIoControlFile ( 0x%X ) hooked successfully!\n", SYSCALL_NTDEVICEIOCTRLFILE); - } - else - DBGPRINT("Failed to hook NtDeviceIoControlFile!\n"); - - if (kaspersky::hook_ssdt_routine(SYSCALL_NTQUERYSYSINFO, hkNtQuerySystemInformation, - reinterpret_cast(&oNtQuerySystemInformation))) - { - DBGPRINT("NtQuerySystemInformation ( 0x%X ) hooked successfully!\n", SYSCALL_NTQUERYSYSINFO); - } - else - DBGPRINT("Failed to hook NtQuerySystemInformation!\n"); - - if (kaspersky::hook_ssdt_routine(SYSCALL_NTALLOCVIRTUALMEM, hkNtAllocateVirtualMemory, - reinterpret_cast(&oNtAllocateVirtualMemory))) - { - DBGPRINT("NtAllocateVirtualMemory ( 0x%X ) hooked successfully!\n", SYSCALL_NTALLOCVIRTUALMEM); +#define KASPERSKY_HOOK_ROUTINE(name) \ + if (!kaspersky::hook_ssdt_routine(syscalls::GetSyscallIndexByName(#name), hooks::hk##name, \ + reinterpret_cast(&hooks::o##name))) \ + { \ + DBGPRINT("Failed to hook " #name); \ + return false; \ + } \ + else \ + { \ + DBGPRINT(#name " hooked successfully!"); \ } - else - DBGPRINT("Failed to hook NtAllocateVirtualMemory!\n"); - if (kaspersky::hook_ssdt_routine(SYSCALL_NTFREEVIRTUALMEM, hkNtFreeVirtualMemory, - reinterpret_cast(&oNtFreeVirtualMemory))) - { - DBGPRINT("NtFreeVirtualMemory ( 0x%X ) hooked successfully!\n", SYSCALL_NTFREEVIRTUALMEM); - } - else - DBGPRINT("Failed to hook NtFreeVirtualMemory!\n"); + KASPERSKY_HOOK_ROUTINE(NtOpenProcess); + KASPERSKY_HOOK_ROUTINE(NtDeviceIoControlFile); + 
KASPERSKY_HOOK_ROUTINE(NtQuerySystemInformation); + KASPERSKY_HOOK_ROUTINE(NtAllocateVirtualMemory); + KASPERSKY_HOOK_ROUTINE(NtFreeVirtualMemory); + KASPERSKY_HOOK_ROUTINE(NtWriteVirtualMemory); + KASPERSKY_HOOK_ROUTINE(NtLoadDriver); - if (kaspersky::hook_ssdt_routine(SYSCALL_NTWRITEVIRTUALMEM, hkNtWriteVirtualMemory, - reinterpret_cast(&oNtWriteVirtualMemory))) - { - DBGPRINT("NtWriteVirtualMemory ( 0x%X ) hooked successfully!\n", SYSCALL_NTWRITEVIRTUALMEM); - } - else - DBGPRINT("Failed to hook NtWriteVirtualMemory!\n"); - - if (kaspersky::hook_ssdt_routine(SYSCALL_NTLOADDRIVER, hkNtLoadDriver, reinterpret_cast(&oNtLoadDriver))) - { - DBGPRINT("NtLoadDriver ( 0x%X ) hooked successfully!\n", SYSCALL_NTLOADDRIVER); - } - else - DBGPRINT("Failed to hook NtLoadDriver!\n"); #endif + return true; } void ssdt::Destroy() 
@@ -295,25 +262,24 @@ void ssdt::Destroy() if (!kaspersky::is_klhk_loaded()) return; - if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTQUERYSYSINFO, oNtQuerySystemInformation)) - DBGPRINT("Failed to unhook NtQuerySystemInformation"); - - if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTOPENPROCESS, oNtOpenProcess)) - DBGPRINT("Failed to unhook NtOpenProcess"); - - if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTALLOCVIRTUALMEM, oNtAllocateVirtualMemory)) - DBGPRINT("Failed to unhook NtAllocateVirtualMemory"); - - if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTFREEVIRTUALMEM, oNtFreeVirtualMemory)) - DBGPRINT("Failed to unhook NtFreeVirtualMemory"); - - if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTWRITEVIRTUALMEM, oNtWriteVirtualMemory)) - DBGPRINT("Failed to unhook NtWriteVirtualMemory"); +#define KASPERSKY_UNHOOK_ROUTINE(name) \ + if (!kaspersky::unhook_ssdt_routine(syscalls::GetSyscallIndexByName(#name), hooks::o##name)) \ + { \ + DBGPRINT("Failed to unhook " #name); \ + } \ + else \ + { \ + DBGPRINT(#name " unhooked successfully!"); \ + } - if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTDEVICEIOCTRLFILE, oNtDeviceIoControlFile)) - DBGPRINT("Failed to unhook NtDeviceIoControlFile"); + KASPERSKY_UNHOOK_ROUTINE(NtOpenProcess); + KASPERSKY_UNHOOK_ROUTINE(NtDeviceIoControlFile); + KASPERSKY_UNHOOK_ROUTINE(NtQuerySystemInformation); + KASPERSKY_UNHOOK_ROUTINE(NtAllocateVirtualMemory); + KASPERSKY_UNHOOK_ROUTINE(NtFreeVirtualMemory); + KASPERSKY_UNHOOK_ROUTINE(NtWriteVirtualMemory); + KASPERSKY_UNHOOK_ROUTINE(NtLoadDriver); - if (!kaspersky::unhook_ssdt_routine(SYSCALL_NTLOADDRIVER, oNtLoadDriver)) - DBGPRINT("Failed to unhook NtLoadDriver"); +#undef KASPERSKY_UNHOOK_ROUTINE #endif } \ No newline at end of file diff --git a/MasterHide/ssdt.hpp b/MasterHide/ssdt.hpp index 0045e5f..d6de12a 100644 --- a/MasterHide/ssdt.hpp +++ b/MasterHide/ssdt.hpp 
@@ -7,7 +7,7 @@ namespace masterhide { namespace ssdt { -extern void Init(); +extern bool Init(); extern void Destroy(); } // namespace ssdt }; // namespace masterhide \ No newline at end of file diff --git a/MasterHide/thirdparty/scope_guard/.github/workflows/macos.yml b/MasterHide/thirdparty/scope_guard/.github/workflows/macos.yml new file mode 100644 index 0000000..859bd70 --- /dev/null +++ b/MasterHide/thirdparty/scope_guard/.github/workflows/macos.yml @@ -0,0 +1,37 @@ +name: macos + +on: [push, pull_request] + +permissions: read-all + +jobs: + build: + runs-on: ${{ matrix.config.os }} + strategy: + fail-fast: false + matrix: + config: + - { os: macos-11 } # https://github.com/actions/virtual-environments/blob/main/images/macos/macos-11-Readme.md#xcode + - { os: macos-12 } # https://github.com/actions/virtual-environments/blob/main/images/macos/macos-12-Readme.md#xcode + + name: "${{ matrix.config.os }}" + steps: + - uses: actions/checkout@v4 + + - name: Build Release + run: | + rm -rf build + mkdir build + cd build + cmake .. -DCMAKE_BUILD_TYPE=Release + cmake --build . -j 4 --config Release + ctest --output-on-failure -C Release + + - name: Build Debug + run: | + rm -rf build + mkdir build + cd build + cmake .. -DCMAKE_BUILD_TYPE=Debug + cmake --build . -j 4 --config Debug + ctest --output-on-failure -C Debug diff --git a/MasterHide/thirdparty/scope_guard/.github/workflows/ubuntu.yml b/MasterHide/thirdparty/scope_guard/.github/workflows/ubuntu.yml new file mode 100644 index 0000000..b416d9f --- /dev/null +++ b/MasterHide/thirdparty/scope_guard/.github/workflows/ubuntu.yml 
@@ -0,0 +1,74 @@ +name: ubuntu + +on: [push, pull_request] + +permissions: read-all + +jobs: + ubuntu: + strategy: + fail-fast: false + matrix: + compiler: + - { cc: "gcc-9", cxx: "g++-9", os: "ubuntu-20.04" } + - { cc: "gcc-10", cxx: "g++-10", os: "ubuntu-20.04" } + - { cc: "gcc-10", cxx: "g++-10", os: "ubuntu-20.04" } + - { cc: "gcc-11", cxx: "g++-11", os: "ubuntu-20.04" } + - { cc: "gcc-11", cxx: "g++-11", os: "ubuntu-20.04" } + - { cc: "gcc-12", cxx: "g++-12", os: "ubuntu-22.04" } + - { cc: "clang-9", cxx: "clang++-9", os: "ubuntu-20.04" } + - { cc: "clang-10", cxx: "clang++-10", os: "ubuntu-20.04" } + - { cc: "clang-11", cxx: "clang++-11", os: "ubuntu-20.04" } + - { cc: "clang-12", cxx: "clang++-12", os: "ubuntu-20.04" } + - { cc: "clang-13", cxx: "clang++-13", os: "ubuntu-20.04" } + - { cc: "clang-14", cxx: "clang++-14", os: "ubuntu-20.04" } + - { cc: "clang-15", cxx: "clang++-15", os: "ubuntu-20.04" } + - { cc: "clang-16", cxx: "clang++-16", os: "ubuntu-20.04" } + + name: "${{ matrix.compiler.cc }}" + runs-on: ${{ matrix.compiler.os }} + steps: + - uses: actions/checkout@v4 + + - name: Configure clang + run: | + if [[ "${{ matrix.compiler.cc }}" == "clang"* ]]; then + wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|sudo apt-key add - + sudo apt-add-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-9 main" + sudo apt-add-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-10 main" + sudo apt-add-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-11 main" + sudo apt-add-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main" + sudo apt-add-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-13 main" + sudo apt-add-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-14 main" + sudo apt-add-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-15 main" + sudo apt-add-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-16 main" + sudo apt-add-repository "deb 
http://apt.llvm.org/focal/ llvm-toolchain-focal main" + sudo apt update + sudo apt install ${{ matrix.compiler.cc }} -y + fi + + - name: Configure gcc + run: | + if [[ "${{ matrix.compiler.cc }}" == "gcc"* ]]; then + sudo add-apt-repository ppa:ubuntu-toolchain-r/test -y + sudo apt update + sudo apt install ${{ matrix.compiler.cxx }} -y + fi + + - name: Build Release + run: | + rm -rf build + mkdir build + cd build + cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_COMPILER=${{ matrix.compiler.cxx }} + cmake --build . -j 4 --config Release + ctest --output-on-failure -C Release + + - name: Build Debug + run: | + rm -rf build + mkdir build + cd build + cmake .. -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_COMPILER=${{ matrix.compiler.cxx }} + cmake --build . -j 4 --config Debug + ctest --output-on-failure -C Debug diff --git a/MasterHide/thirdparty/scope_guard/.github/workflows/windows.yml b/MasterHide/thirdparty/scope_guard/.github/workflows/windows.yml new file mode 100644 index 0000000..66cc74e --- /dev/null +++ b/MasterHide/thirdparty/scope_guard/.github/workflows/windows.yml 
@@ -0,0 +1,43 @@ +name: windows + +on: [push, pull_request] + +permissions: read-all + +jobs: + build: + runs-on: ${{ matrix.config.os }} + strategy: + fail-fast: false + matrix: + config: + - { os: windows-2019, vs: "Visual Studio 2019" } # https://github.com/actions/virtual-environments/blob/main/images/win/Windows2019-Readme.md#visual-studio-enterprise-2019 + - { os: windows-2022, vs: "Visual Studio 2022" } # https://github.com/actions/virtual-environments/blob/main/images/win/Windows2022-Readme.md#visual-studio-enterprise-2022 + + name: "${{ matrix.config.vs }}" + steps: + - uses: actions/checkout@v4 + + - name: Build Win32 + shell: bash + run: | + rm -rf build + mkdir build + cd build + cmake .. -A Win32 + cmake --build . -j 4 --config Release + ctest --output-on-failure -C Release + cmake --build . -j 4 --config Debug + ctest --output-on-failure -C Debug + + - name: Build x64 + shell: bash + run: | + rm -rf build + mkdir build + cd build + cmake .. -A x64 + cmake --build . -j 4 --config Release + ctest --output-on-failure -C Release + cmake --build . -j 4 --config Debug + ctest --output-on-failure -C Debug diff --git a/MasterHide/thirdparty/scope_guard/.gitignore b/MasterHide/thirdparty/scope_guard/.gitignore new file mode 100644 index 0000000..ef6cd27 --- /dev/null +++ b/MasterHide/thirdparty/scope_guard/.gitignore @@ -0,0 +1,50 @@ +build/ +.vscode/ +.vs/ + +### C++ gitignore ### +# Prerequisites +*.d + +# Compiled Object files +*.slo +*.lo +*.o +*.obj + +# Precompiled Headers +*.gch +*.pch + +# Compiled Dynamic libraries +*.so +*.dylib +*.dll + +# Fortran module files +*.mod +*.smod + +# Compiled Static libraries +*.lai +*.la +*.a +*.lib + +# Executables +*.exe +*.out +*.app + +### CMake gitignore ### +CMakeLists.txt.user +CMakeCache.txt +CMakeFiles +CMakeScripts +Testing +Makefile +cmake_install.cmake +install_manifest.txt +compile_commands.json +CTestTestfile.cmake +_deps 
diff --git a/MasterHide/thirdparty/scope_guard/CMakeLists.txt b/MasterHide/thirdparty/scope_guard/CMakeLists.txt new file mode 100644 index 0000000..40d4255 --- /dev/null +++ b/MasterHide/thirdparty/scope_guard/CMakeLists.txt @@ -0,0 +1,54 @@ +cmake_minimum_required(VERSION 3.14) + +project(scope_guard VERSION "0.9.1" LANGUAGES CXX) + +if(CMAKE_PROJECT_NAME STREQUAL PROJECT_NAME) + set(IS_TOPLEVEL_PROJECT TRUE) +else() + set(IS_TOPLEVEL_PROJECT FALSE) +endif() + +option(SCOPE_GUARD_OPT_BUILD_EXAMPLES "Build scope_guard examples" ${IS_TOPLEVEL_PROJECT}) +option(SCOPE_GUARD_OPT_BUILD_TESTS "Build and perform scope_guard tests" ${IS_TOPLEVEL_PROJECT}) +option(SCOPE_GUARD_OPT_INSTALL "Generate and install scope_guard target" ${IS_TOPLEVEL_PROJECT}) + +if(SCOPE_GUARD_OPT_BUILD_EXAMPLES) + add_subdirectory(example) +endif() + +if(SCOPE_GUARD_OPT_BUILD_TESTS) + enable_testing() + add_subdirectory(test) +endif() + +include(CMakePackageConfigHelpers) + +add_library(${PROJECT_NAME} INTERFACE) +add_library(${PROJECT_NAME}::${PROJECT_NAME} ALIAS ${PROJECT_NAME}) +target_include_directories(${PROJECT_NAME} + INTERFACE + $ + $) + +write_basic_package_version_file(${PROJECT_NAME}ConfigVersion.cmake + VERSION ${PROJECT_VERSION} + COMPATIBILITY AnyNewerVersion + ARCH_INDEPENDENT) + +if(SCOPE_GUARD_OPT_INSTALL) + install(TARGETS ${PROJECT_NAME} + EXPORT ${PROJECT_NAME}Config) + + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}ConfigVersion.cmake + DESTINATION lib/cmake/${PROJECT_NAME}) + + install(EXPORT ${PROJECT_NAME}Config + NAMESPACE ${PROJECT_NAME}:: + DESTINATION lib/cmake/${PROJECT_NAME}) + + install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/include + DESTINATION .) + + export(EXPORT ${PROJECT_NAME}Config + NAMESPACE ${PROJECT_NAME}::) +endif() diff --git a/MasterHide/thirdparty/scope_guard/LICENSE b/MasterHide/thirdparty/scope_guard/LICENSE new file mode 100644 index 0000000..e18368c --- /dev/null +++ b/MasterHide/thirdparty/scope_guard/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2018 - 2024 Daniil Goncharov + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/MasterHide/thirdparty/scope_guard/README.md b/MasterHide/thirdparty/scope_guard/README.md new file mode 100644 index 0000000..815151b --- /dev/null +++ b/MasterHide/thirdparty/scope_guard/README.md 
@@ -0,0 +1,155 @@
+[![Github Releases](https://img.shields.io/github/release/Neargye/scope_guard.svg)](https://github.com/Neargye/scope_guard/releases)
+[![License](https://img.shields.io/github/license/Neargye/scope_guard.svg)](LICENSE)
+
+# Scope Guard & Defer C++
+
+Scope Guard statement invokes a function with deferred execution until surrounding function returns in cases:
+
+* scope_exit - executing action on scope exit.
+
+* scope_fail - executing action on scope exit when an exception has been thrown.
+
+* scope_success - executing action on scope exit when no exceptions have been thrown.
+
+Program control transferring does not influence Scope Guard statement execution. Hence, Scope Guard statement can be used to perform manual resource management, such as file descriptors closing, and to perform actions even if an error occurs.
+
+## Features
+
+* C++11
+* Header-only
+* Dependency-free
+* Thin callback wrapping, no added std::function or virtual table penalties
+* No implicitly ignored return, check callback return void
+* Defer or Scope Guard syntax and "With" syntax
+
+## [Examples](example)
+
+* [Scope Guard on exit](example/scope_exit_example.cpp)
+
+ ```cpp
+ std::fstream file("test.txt");
+ SCOPE_EXIT{ file.close(); }; // File closes when exit the enclosing scope or errors occur.
+ ```
+
+* [Scope Guard on fail](example/scope_fail_example.cpp)
+
+ ```cpp
+ persons.push_back(person); // Add the person to db.
+ SCOPE_FAIL{ persons.pop_back(); }; // If errors occur, we should roll back.
+ ```
+
+* [Scope Guard on success](example/scope_success_example.cpp)
+
+ ```cpp
+ person = new Person{/*...*/};
+ // ...
+ SCOPE_SUCCESS{ persons.push_back(person); }; // If no errors occur, we should add the person to db.
+ ```
+
+* Custom Scope Guard
+
+ ```cpp
+ persons.push_back(person); // Add the person to db.
+
+ MAKE_SCOPE_EXIT(scope_exit) { // Following block is executed when exit the enclosing scope or errors occur.
+ persons.pop_back(); // If the db insertion fails, we should roll back.
+ };
+ // MAKE_SCOPE_EXIT(name) {action} - macro is used to create a new scope_exit object.
+ scope_exit.dismiss(); // An exception was not thrown, so don't execute the scope_exit.
+ ```
+
+ ```cpp
+ persons.push_back(person); // Add the person to db.
+
+ auto scope_exit = make_scope_exit([]() { persons.pop_back(); });
+ // make_scope_exit(A&& action) - function is used to create a new scope_exit object. It can be instantiated with a lambda function, a std::function, a functor, or a void(*)() function pointer.
+ // ...
+ scope_exit.dismiss(); // An exception was not thrown, so don't execute the scope_exit.
+ ```
+
+* With Scope Guard
+
+ ```cpp
+ std::fstream file("test.txt");
+ WITH_SCOPE_EXIT({ file.close(); }) { // File closes when exit the enclosing with scope or errors occur.
+ // ...
+ };
+ ```
+
+## Synopsis
+
+### Reference
+
+#### scope_exit
+
+* `scope_exit make_scope_exit(F&& action);` - return scope_exit with the action.
+* `SCOPE_EXIT{action};` - macro for creating scope_exit with the action.
+* `MAKE_SCOPE_EXIT(name) {action};` - macro for creating named scope_exit with the action.
+* `WITH_SCOPE_EXIT({action}) {/*...*/};` - macro for creating scope with scope_exit with the action.
+
+#### scope_fail
+
+* `scope_fail make_scope_fail(F&& action);` - return scope_fail with the action.
+* `SCOPE_FAIL{action};` - macro for creating scope_fail with the action.
+* `MAKE_SCOPE_FAIL(name) {action};` - macro for creating named scope_fail with the action.
+* `WITH_SCOPE_FAIL({action}) {/*...*/};` - macro for creating scope with scope_fail with the action.
+
+#### scope_success
+
+* `scope_success make_scope_success(F&& action);` - return scope_success with the action.
+* `SCOPE_SUCCESS{action};` - macro for creating scope_success with the action.
+* `MAKE_SCOPE_SUCCESS(name) {action};` - macro for creating named scope_success with the action.
+* `WITH_SCOPE_SUCCESS({action}) {/*...*/};` - macro for creating scope with scope_success with the action.
+
+#### defer
+
+* `DEFER{action};` - macro for creating defer with the action.
+* `MAKE_DEFER(name) {action};` - macro for creating named defer with the action.
+* `WITH_DEFER({action}) {/*...*/};` - macro for creating scope with defer with the action.
+
+### Interface of scope_guard
+
+scope_exit, scope_fail, scope_success implement scope_guard interface.
+
+* `dismiss()` - dismiss executing action on scope exit.
+
+#### Throwable settings
+
+* `SCOPE_GUARD_NOTHROW_CONSTRUCTIBLE` define this to require nothrow constructible action.
+
+* `SCOPE_GUARD_MAY_THROW_ACTION` define this to action may throw exceptions.
+
+* `SCOPE_GUARD_NO_THROW_ACTION` define this to require noexcept action.
+
+* `SCOPE_GUARD_SUPPRESS_THROW_ACTIONS` define this to exceptions during action will be suppressed.
+
+* By default using `SCOPE_GUARD_MAY_THROW_ACTION`.
+
+* `SCOPE_GUARD_CATCH_HANDLER` define this to add exceptions handler. If `SCOPE_GUARD_SUPPRESS_THROW_ACTIONS` is not defined, it will do nothing.
+
+### Remarks
+
+* If multiple Scope Guard statements appear in the same scope, the order they appear is the reverse of the order they are executed.
+
+ ```cpp
+ void f() {
+ SCOPE_EXIT{ std::cout << "First" << std::endl; };
+ SCOPE_EXIT{ std::cout << "Second" << std::endl; };
+ SCOPE_EXIT{ std::cout << "Third" << std::endl; };
+ ... // Other code.
+ // Prints "Third".
+ // Prints "Second".
+ // Prints "First".
+ }
+ ```
+
+## Integration
+
+You should add required file [scope_guard.hpp](include/scope_guard.hpp).
+
+## References
+
+* [Andrei Alexandrescu "Systematic Error Handling in C++"](https://channel9.msdn.com/Shows/Going+Deep/C-and-Beyond-2012-Andrei-Alexandrescu-Systematic-Error-Handling-in-C)
+* [Andrei Alexandrescu “Declarative Control Flow"](https://youtu.be/WjTrfoiB0MQ)
+
+## Licensed under the [MIT License](LICENSE)
diff --git a/MasterHide/thirdparty/scope_guard/example/CMakeLists.txt b/MasterHide/thirdparty/scope_guard/example/CMakeLists.txt new file mode 100644
index 0000000..9bdacdc
--- /dev/null
+++ b/MasterHide/thirdparty/scope_guard/example/CMakeLists.txt
@@ -0,0 +1,25 @@
+include(CheckCXXCompilerFlag)
+
+if((CMAKE_CXX_COMPILER_ID MATCHES "GNU") OR (CMAKE_CXX_COMPILER_ID MATCHES "Clang"))
+ set(CMAKE_VERBOSE_MAKEFILE ON)
+ set(OPTIONS -Wall -Wextra -pedantic-errors -Werror)
+elseif(CMAKE_CXX_COMPILER_ID MATCHES "MSVC")
+ set(OPTIONS /W4 /WX)
+ check_cxx_compiler_flag(/permissive HAS_PERMISSIVE_FLAG)
+ if(HAS_PERMISSIVE_FLAG)
+ set(OPTIONS ${OPTIONS} /permissive-)
+ endif()
+ set(OPTIONS ${OPTIONS} /wd4702) # Disable warning C4702: unreachable code
+endif()
+
+function(make_example target)
+ add_executable(${target} ${target}.cpp ${CMAKE_SOURCE_DIR}/include/${CMAKE_PROJECT_NAME}.hpp)
+ set_target_properties(${target} PROPERTIES CXX_EXTENSIONS OFF)
+ target_compile_features(${target} PRIVATE cxx_std_11)
+ target_compile_options(${target} PRIVATE ${OPTIONS})
+ target_link_libraries(${target} PRIVATE ${CMAKE_PROJECT_NAME})
+endfunction()
+
+make_example(scope_exit_example)
+make_example(scope_fail_example)
+make_example(scope_success_example)
diff --git a/MasterHide/thirdparty/scope_guard/example/scope_exit_example.cpp b/MasterHide/thirdparty/scope_guard/example/scope_exit_example.cpp new file mode 100644
index 0000000..5afed2b
--- /dev/null
+++ b/MasterHide/thirdparty/scope_guard/example/scope_exit_example.cpp
@@ -0,0 +1,91 @@
+// Licensed under the MIT License .
+// SPDX-License-Identifier: MIT
+// Copyright (c) 2018 - 2024 Daniil Goncharov .
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+#include
+#include
+#include
+
+#define SCOPE_GUARD_SUPPRESS_THROW_ACTION
+#define SCOPE_GUARD_CATCH_HANDLER std::cout << "exception in scope_guard!" << std::endl;
+
+#include
+
+int main() {
+ try {
+ std::fstream file;
+ file.open("test.txt", std::fstream::out | std::fstream::trunc);
+ SCOPE_EXIT{
+ file.close();
+ std::cout << "[1] close file" << std::endl;
+ throw std::runtime_error{"error close file"};
+ };
+
+ MAKE_SCOPE_EXIT(scope_exit_1) {
+ file.close();
+ std::cout << "[1] close file #1" << std::endl;
+ };
+
+ auto scope_exit_2 = scope_guard::make_scope_exit([&]() {
+ file.close();
+ std::cout << "[1] close file #2" << std::endl;
+ });
+
+ WITH_SCOPE_EXIT({ std::cout << "[1] leave WITH_SCOPE_EXIT" << std::endl; }) {
+ std::cout << "[1] inside WITH_SCOPE_EXIT" << std::endl;
+ }
+
+ file << "example" << std::endl;
+ std::cout << "[1] write to file" << std::endl;
+
+ scope_exit_1.dismiss();
+
+ throw std::runtime_error{"error"};
+
+ scope_exit_2.dismiss();
+
+ file.close();
+ }
+ catch (...) {
+ std::cout << "[1] error" << std::endl;
+ }
+
+ std::fstream file;
+ SCOPE_EXIT{
+ file.close();
+ std::cout << "[2] close file" << std::endl;
+ };
+ file.open("test.txt", std::fstream::out | std::fstream::trunc);
+ file << "[2] example" << std::endl;
+ std::cout << "[2] write to file" << std::endl;
+ file.close();
+
+ return 0;
+
+ // prints "[1] inside WITH_SCOPE_EXIT".
+ // prints "[1] leave WITH_SCOPE_EXIT".
+ // prints "[1] write to file".
+ // prints "[1] close file #2".
+ // prints "[1] close file".
+ // prints "[1] error".
+ // prints "[2] write to file".
+ // prints "[2] close file".
+}
diff --git a/MasterHide/thirdparty/scope_guard/example/scope_fail_example.cpp b/MasterHide/thirdparty/scope_guard/example/scope_fail_example.cpp new file mode 100644
index 0000000..3d404aa
--- /dev/null
+++ b/MasterHide/thirdparty/scope_guard/example/scope_fail_example.cpp
@@ -0,0 +1,83 @@
+// Licensed under the MIT License .
+// SPDX-License-Identifier: MIT
+// Copyright (c) 2018 - 2024 Daniil Goncharov .
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+#include
+
+#include
+#include
+#include
+
+int main() {
+ try {
+ std::fstream file;
+ file.open("test.txt", std::fstream::out | std::fstream::trunc);
+ SCOPE_FAIL{
+ file.close();
+ std::cout << "[1] error write file" << std::endl;
+ };
+
+ MAKE_SCOPE_FAIL(scope_fail_1) {
+ std::cout << "[1] error write file #1" << std::endl;
+ };
+
+ auto scope_fail_2 = scope_guard::make_scope_fail([&]() {
+ std::cout << "[1] error write file #2" << std::endl;
+ });
+
+ WITH_SCOPE_FAIL({ std::cout << "[1] leave WITH_SCOPE_FAIL" << std::endl; }) {
+ std::cout << "[1] inside WITH_SCOPE_FAIL" << std::endl;
+ }
+
+ file << "example" << std::endl;
+ std::cout << "[1] write to file" << std::endl;
+
+ scope_fail_1.dismiss();
+
+ throw std::runtime_error{"error"};
+
+ scope_fail_2.dismiss();
+
+ file.close();
+ }
+ catch (...) {
+ std::cout << "[1] error" << std::endl;
+ }
+
+ std::fstream file;
+ SCOPE_FAIL{
+ file.close();
+ std::cout << "[2] error write file" << std::endl;
+ };
+ file.open("test.txt", std::fstream::out | std::fstream::trunc);
+ file << "[2] example" << std::endl;
+ std::cout << "[2] write to file" << std::endl;
+ file.close();
+
+ return 0;
+
+ // prints "[1] inside WITH_SCOPE_FAIL".
+ // prints "[1] write to file".
+ // prints "[1] error write file #2".
+ // prints "[1] error write file".
+ // prints "[1] error".
+ // prints "[2] write to file".
+}
diff --git a/MasterHide/thirdparty/scope_guard/example/scope_success_example.cpp b/MasterHide/thirdparty/scope_guard/example/scope_success_example.cpp new file mode 100644
index 0000000..71a405d
--- /dev/null
+++ b/MasterHide/thirdparty/scope_guard/example/scope_success_example.cpp
@@ -0,0 +1,81 @@
+// Licensed under the MIT License .
+// SPDX-License-Identifier: MIT
+// Copyright (c) 2018 - 2024 Daniil Goncharov .
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+#include
+
+#include
+#include
+#include
+
+int main() {
+ try {
+ std::fstream file;
+ file.open("test.txt", std::fstream::out | std::fstream::trunc);
+ SCOPE_SUCCESS{
+ file.close();
+ std::cout << "[1] file write success" << std::endl;
+ };
+
+ MAKE_SCOPE_SUCCESS(scope_success_1) {
+ std::cout << "[1] file write success" << std::endl;
+ };
+
+ auto scope_success_2 = scope_guard::make_scope_success([&]() {
+ std::cout << "[1] file write success" << std::endl;
+ });
+
+ WITH_SCOPE_SUCCESS({ std::cout << "[1] leave WITH_SCOPE_SUCCESS" << std::endl; }) {
+ std::cout << "[1] inside WITH_SCOPE_SUCCESS" << std::endl;
+ }
+
+ file << "example" << std::endl;
+ std::cout << "[1] write to file" << std::endl;
+ file.close();
+
+ scope_success_1.dismiss();
+
+ throw std::runtime_error{"error"};
+
+ scope_success_2.dismiss();
+ }
+ catch (...) {
+ std::cout << "[1] error" << std::endl;
+ }
+
+ std::fstream file;
+ SCOPE_SUCCESS{
+ file.close();
+ std::cout << "[2] file write success" << std::endl;
+ };
+ file.open("test.txt", std::fstream::out | std::fstream::trunc);
+ file << "[2] example" << std::endl;
+ std::cout << "[2] write to file" << std::endl;
+
+ return 0;
+
+ // prints "[1] inside WITH_SCOPE_SUCCESS".
+ // prints "[1] leave WITH_SCOPE_SUCCESS".
+ // prints "[1] write to file".
+ // prints "[1] error".
+ // prints "[2] write to file".
+ // prints "[2] file write success".
+}
diff --git a/MasterHide/thirdparty/scope_guard/include/scope_guard.hpp b/MasterHide/thirdparty/scope_guard/include/scope_guard.hpp new file mode 100644
index 0000000..5a21452
--- /dev/null
+++ b/MasterHide/thirdparty/scope_guard/include/scope_guard.hpp
@@ -0,0 +1,369 @@
+// _____ _____ _ _____
+// / ____| / ____| | | / ____|_ _
+// | (___ ___ ___ _ __ ___ | | __ _ _ __ _ _ __ __| | | | _| |_ _| |_
+// \___ \ / __/ _ \| '_ \ / _ \ | | |_ | | | |/ _` | '__/ _` | | | |_ _|_ _|
+// ____) | (_| (_) | |_) | __/ | |__| | |_| | (_| | | | (_| | | |____|_| |_|
+// |_____/ \___\___/| .__/ \___| \_____|\__,_|\__,_|_| \__,_| \_____|
+// | | https://github.com/Neargye/scope_guard
+// |_| version 0.9.1
+//
+// Licensed under the MIT License .
+// SPDX-License-Identifier: MIT
+// Copyright (c) 2018 - 2024 Daniil Goncharov .
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+#ifndef NEARGYE_SCOPE_GUARD_HPP
+#define NEARGYE_SCOPE_GUARD_HPP
+
+#define SCOPE_GUARD_VERSION_MAJOR 0
+#define SCOPE_GUARD_VERSION_MINOR 9
+#define SCOPE_GUARD_VERSION_PATCH 1
+
+#include
+#if (defined(_MSC_VER) && _MSC_VER >= 1900) || ((defined(__clang__) || defined(__GNUC__)) && __cplusplus >= 201700L)
+#include
+#endif
+
+// scope_guard throwable settings:
+// SCOPE_GUARD_NO_THROW_CONSTRUCTIBLE requires nothrow constructible action.
+// SCOPE_GUARD_MAY_THROW_ACTION action may throw exceptions.
+// SCOPE_GUARD_NO_THROW_ACTION requires noexcept action.
+// SCOPE_GUARD_SUPPRESS_THROW_ACTION exceptions during action will be suppressed.
+// SCOPE_GUARD_CATCH_HANDLER exceptions handler. If SCOPE_GUARD_SUPPRESS_THROW_ACTIONS is not defined, it will do nothing.
+
+#if !defined(SCOPE_GUARD_MAY_THROW_ACTION) && !defined(SCOPE_GUARD_NO_THROW_ACTION) && !defined(SCOPE_GUARD_SUPPRESS_THROW_ACTION)
+# define SCOPE_GUARD_MAY_THROW_ACTION
+#elif (defined(SCOPE_GUARD_MAY_THROW_ACTION) + defined(SCOPE_GUARD_NO_THROW_ACTION) + defined(SCOPE_GUARD_SUPPRESS_THROW_ACTION)) > 1
+# error Only one of SCOPE_GUARD_MAY_THROW_ACTION and SCOPE_GUARD_NO_THROW_ACTION and SCOPE_GUARD_SUPPRESS_THROW_ACTION may be defined.
+#endif
+
+#if !defined(SCOPE_GUARD_CATCH_HANDLER)
+# define SCOPE_GUARD_CATCH_HANDLER /* Suppress exception.*/
+#endif
+
+namespace scope_guard {
+
+namespace detail {
+
+#if defined(SCOPE_GUARD_SUPPRESS_THROW_ACTION) && (defined(__cpp_exceptions) || defined(__EXCEPTIONS) || (_HAS_EXCEPTIONS))
+# define NEARGYE_NOEXCEPT(...) noexcept
+# define NEARGYE_TRY try {
+# define NEARGYE_CATCH } catch (...) { SCOPE_GUARD_CATCH_HANDLER }
+#else
+# define NEARGYE_NOEXCEPT(...) noexcept(__VA_ARGS__)
+# define NEARGYE_TRY
+# define NEARGYE_CATCH
+#endif
+
+#define NEARGYE_MOV(...) static_cast::type&&>(__VA_ARGS__)
+#define NEARGYE_FWD(...) static_cast(__VA_ARGS__)
+
+// NEARGYE_NODISCARD encourages the compiler to issue a warning if the return value is discarded.
+#if !defined(NEARGYE_NODISCARD)
+# if defined(__clang__)
+# if (__clang_major__ * 10 + __clang_minor__) >= 39 && __cplusplus >= 201703L
+# define NEARGYE_NODISCARD [[nodiscard]]
+# else
+# define NEARGYE_NODISCARD __attribute__((__warn_unused_result__))
+# endif
+# elif defined(__GNUC__)
+# if __GNUC__ >= 7 && __cplusplus >= 201703L
+# define NEARGYE_NODISCARD [[nodiscard]]
+# else
+# define NEARGYE_NODISCARD __attribute__((__warn_unused_result__))
+# endif
+# elif defined(_MSC_VER)
+# if _MSC_VER >= 1911 && defined(_MSVC_LANG) && _MSVC_LANG >= 201703L
+# define NEARGYE_NODISCARD [[nodiscard]]
+# elif defined(_Check_return_)
+# define NEARGYE_NODISCARD _Check_return_
+# else
+# define NEARGYE_NODISCARD
+# endif
+# else
+# define NEARGYE_NODISCARD
+# endif
+#endif
+
+#if defined(_MSC_VER) && _MSC_VER < 1900
+inline int uncaught_exceptions() noexcept {
+ return *(reinterpret_cast(static_cast(static_cast(_getptd())) + (sizeof(void*) == 8 ? 0x100 : 0x90)));
+}
+#elif (defined(__clang__) || defined(__GNUC__)) && __cplusplus < 201700L
+struct __cxa_eh_globals;
+extern "C" __cxa_eh_globals* __cxa_get_globals() noexcept;
+inline int uncaught_exceptions() noexcept {
+ return static_cast(*(reinterpret_cast(static_cast(static_cast(__cxa_get_globals())) + sizeof(void*))));
+}
+#else
+inline int uncaught_exceptions() noexcept {
+ return std::uncaught_exceptions();
+}
+#endif
+
+class on_exit_policy {
+ bool execute_;
+
+ public:
+ explicit on_exit_policy(bool execute) noexcept : execute_{execute} {}
+
+ void dismiss() noexcept {
+ execute_ = false;
+ }
+
+ bool should_execute() const noexcept {
+ return execute_;
+ }
+};
+
+class on_fail_policy {
+ int ec_;
+
+ public:
+ explicit on_fail_policy(bool execute) noexcept : ec_{execute ? uncaught_exceptions() : -1} {}
+
+ void dismiss() noexcept {
+ ec_ = -1;
+ }
+
+ bool should_execute() const noexcept {
+ return ec_ != -1 && ec_ < uncaught_exceptions();
+ }
+};
+
+class on_success_policy {
+ int ec_;
+
+ public:
+ explicit on_success_policy(bool execute) noexcept : ec_{execute ? uncaught_exceptions() : -1} {}
+
+ void dismiss() noexcept {
+ ec_ = -1;
+ }
+
+ bool should_execute() const noexcept {
+ return ec_ != -1 && ec_ >= uncaught_exceptions();
+ }
+};
+
+template
+struct is_noarg_returns_void_action
+ : std::false_type {};
+
+template
+struct is_noarg_returns_void_action())())>
+ : std::true_type {};
+
+template ::value>
+struct is_nothrow_invocable_action
+ : std::false_type {};
+
+template
+struct is_nothrow_invocable_action
+ : std::integral_constant())())> {};
+
+template
+class scope_guard {
+ using A = typename std::decay::type;
+
+ static_assert(is_noarg_returns_void_action::value,
+ "scope_guard requires no-argument action, that returns void.");
+ static_assert(std::is_same::value || std::is_same::value || std::is_same::value,
+ "scope_guard requires on_exit_policy, on_fail_policy or on_success_policy.");
+#if defined(SCOPE_GUARD_NO_THROW_ACTION)
+ static_assert(is_nothrow_invocable_action::value,
+ "scope_guard requires noexcept invocable action.");
+#endif
+#if defined(SCOPE_GUARD_NO_THROW_CONSTRUCTIBLE)
+ static_assert(std::is_nothrow_move_constructible::value,
+ "scope_guard requires nothrow constructible action.");
+#endif
+
+ P policy_;
+ A action_;
+
+ void* operator new(std::size_t) = delete;
+ void operator delete(void*) = delete;
+
+ public:
+ scope_guard() = delete;
+ scope_guard(const scope_guard&) = delete;
+ scope_guard& operator=(const scope_guard&) = delete;
+ scope_guard& operator=(scope_guard&&) = delete;
+
+ scope_guard(scope_guard&& other) noexcept(std::is_nothrow_move_constructible::value)
+ : policy_{false},
+ action_{NEARGYE_MOV(other.action_)} {
+ policy_ = NEARGYE_MOV(other.policy_);
+ other.policy_.dismiss();
+ }
+
+ scope_guard(const A& action) = delete;
+ scope_guard(A& action) = delete;
+
+ explicit scope_guard(A&& action) noexcept(std::is_nothrow_move_constructible::value)
+ : policy_{true},
+ action_{NEARGYE_MOV(action)} {}
+
+ void dismiss() noexcept {
+ policy_.dismiss();
+ }
+
+ ~scope_guard() NEARGYE_NOEXCEPT(is_nothrow_invocable_action::value) {
+ if (policy_.should_execute()) {
+ NEARGYE_TRY
+ action_();
+ NEARGYE_CATCH
+ }
+ }
+};
+
+template
+using scope_exit = scope_guard;
+
+template ::value, int>::type = 0>
+NEARGYE_NODISCARD scope_exit make_scope_exit(F&& action) noexcept(noexcept(scope_exit{NEARGYE_FWD(action)})) {
+ return scope_exit{NEARGYE_FWD(action)};
+}
+
+template
+using scope_fail = scope_guard;
+
+template ::value, int>::type = 0>
+NEARGYE_NODISCARD scope_fail make_scope_fail(F&& action) noexcept(noexcept(scope_fail{NEARGYE_FWD(action)})) {
+ return scope_fail{NEARGYE_FWD(action)};
+}
+
+template
+using scope_success = scope_guard;
+
+template ::value, int>::type = 0>
+NEARGYE_NODISCARD scope_success make_scope_success(F&& action) noexcept(noexcept(scope_success{NEARGYE_FWD(action)})) {
+ return scope_success{NEARGYE_FWD(action)};
+}
+
+struct scope_exit_tag {};
+
+template ::value, int>::type = 0>
+scope_exit operator<<(scope_exit_tag, F&& action) noexcept(noexcept(scope_exit{NEARGYE_FWD(action)})) {
+ return scope_exit{NEARGYE_FWD(action)};
+}
+
+struct scope_fail_tag {};
+
+template ::value, int>::type = 0>
+scope_fail operator<<(scope_fail_tag, F&& action) noexcept(noexcept(scope_fail{NEARGYE_FWD(action)})) {
+ return scope_fail{NEARGYE_FWD(action)};
+}
+
+struct scope_success_tag {};
+
+template ::value, int>::type = 0>
+scope_success operator<<(scope_success_tag, F&& action) noexcept(noexcept(scope_success{NEARGYE_FWD(action)})) {
+ return scope_success{NEARGYE_FWD(action)};
+}
+
+#undef NEARGYE_MOV
+#undef NEARGYE_FWD
+#undef NEARGYE_NOEXCEPT
+#undef NEARGYE_TRY
+#undef NEARGYE_CATCH
+#undef NEARGYE_NODISCARD
+
+} // namespace scope_guard::detail
+
+using detail::make_scope_exit;
+using detail::make_scope_fail;
+using detail::make_scope_success;
+
+} // namespace scope_guard
+
+// NEARGYE_MAYBE_UNUSED suppresses compiler warnings on unused entities, if any.
+#if !defined(NEARGYE_MAYBE_UNUSED)
+# if defined(__clang__)
+# if (__clang_major__ * 10 + __clang_minor__) >= 39 && __cplusplus >= 201703L
+# define NEARGYE_MAYBE_UNUSED [[maybe_unused]]
+# else
+# define NEARGYE_MAYBE_UNUSED __attribute__((__unused__))
+# endif
+# elif defined(__GNUC__)
+# if __GNUC__ >= 7 && __cplusplus >= 201703L
+# define NEARGYE_MAYBE_UNUSED [[maybe_unused]]
+# else
+# define NEARGYE_MAYBE_UNUSED __attribute__((__unused__))
+# endif
+# elif defined(_MSC_VER)
+# if _MSC_VER >= 1911 && defined(_MSVC_LANG) && _MSVC_LANG >= 201703L
+# define NEARGYE_MAYBE_UNUSED [[maybe_unused]]
+# else
+# define NEARGYE_MAYBE_UNUSED __pragma(warning(suppress : 4100 4101 4189))
+# endif
+# else
+# define NEARGYE_MAYBE_UNUSED
+# endif
+#endif
+
+#if !defined(NEARGYE_STR_CONCAT)
+# define NEARGYE_STR_CONCAT_(s1, s2) s1##s2
+# define NEARGYE_STR_CONCAT(s1, s2) NEARGYE_STR_CONCAT_(s1, s2)
+#endif
+
+#if !defined(NEARGYE_COUNTER)
+# if defined(__COUNTER__)
+# define NEARGYE_COUNTER __COUNTER__
+# elif defined(__LINE__)
+# define NEARGYE_COUNTER __LINE__
+# endif
+#endif
+
+#if defined(SCOPE_GUARD_NO_THROW_ACTION)
+# define NEARGYE_MAKE_SCOPE_GUARD_ACTION [&]() noexcept -> void
+#else
+# define NEARGYE_MAKE_SCOPE_GUARD_ACTION [&]() -> void
+#endif
+
+#define NEARGYE_MAKE_SCOPE_EXIT ::scope_guard::detail::scope_exit_tag{} << NEARGYE_MAKE_SCOPE_GUARD_ACTION
+#define NEARGYE_MAKE_SCOPE_FAIL ::scope_guard::detail::scope_fail_tag{} << NEARGYE_MAKE_SCOPE_GUARD_ACTION
+#define NEARGYE_MAKE_SCOPE_SUCCESS ::scope_guard::detail::scope_success_tag{} << NEARGYE_MAKE_SCOPE_GUARD_ACTION
+
+#define NEARGYE_SCOPE_GUARD_WITH_(g, i) for (int i = 1; i--; g)
+#define NEARGYE_SCOPE_GUARD_WITH(g) NEARGYE_SCOPE_GUARD_WITH_(g, NEARGYE_STR_CONCAT(NEARGYE_INTERNAL_OBJECT_, NEARGYE_COUNTER))
+
+// SCOPE_EXIT executing action on scope exit.
+#define MAKE_SCOPE_EXIT(name) auto name = NEARGYE_MAKE_SCOPE_EXIT
+#define SCOPE_EXIT NEARGYE_MAYBE_UNUSED const MAKE_SCOPE_EXIT(NEARGYE_STR_CONCAT(NEARGYE_SCOPE_EXIT_, NEARGYE_COUNTER))
+#define WITH_SCOPE_EXIT(guard) NEARGYE_SCOPE_GUARD_WITH(NEARGYE_MAKE_SCOPE_EXIT{ guard })
+
+// SCOPE_FAIL executing action on scope exit when an exception has been thrown before scope exit.
+#define MAKE_SCOPE_FAIL(name) auto name = NEARGYE_MAKE_SCOPE_FAIL
+#define SCOPE_FAIL NEARGYE_MAYBE_UNUSED const MAKE_SCOPE_FAIL(NEARGYE_STR_CONCAT(NEARGYE_SCOPE_FAIL_, NEARGYE_COUNTER))
+#define WITH_SCOPE_FAIL(guard) NEARGYE_SCOPE_GUARD_WITH(NEARGYE_MAKE_SCOPE_FAIL{ guard })
+
+// SCOPE_SUCCESS executing action on scope exit when no exceptions have been thrown before scope exit.
+#define MAKE_SCOPE_SUCCESS(name) auto name = NEARGYE_MAKE_SCOPE_SUCCESS
+#define SCOPE_SUCCESS NEARGYE_MAYBE_UNUSED const MAKE_SCOPE_SUCCESS(NEARGYE_STR_CONCAT(NEARGYE_SCOPE_SUCCESS_, NEARGYE_COUNTER))
+#define WITH_SCOPE_SUCCESS(guard) NEARGYE_SCOPE_GUARD_WITH(NEARGYE_MAKE_SCOPE_SUCCESS{ guard })
+
+// DEFER executing action on scope exit.
+#define MAKE_DEFER(name) MAKE_SCOPE_EXIT(name)
+#define DEFER SCOPE_EXIT
+#define WITH_DEFER(guard) WITH_SCOPE_EXIT(guard)
+
+#endif // NEARGYE_SCOPE_GUARD_HPP
diff --git a/MasterHide/thirdparty/scope_guard/test/3rdparty/Catch2/LICENSE b/MasterHide/thirdparty/scope_guard/test/3rdparty/Catch2/LICENSE new file mode 100644
index 0000000..36b7cd9
--- /dev/null
+++ b/MasterHide/thirdparty/scope_guard/test/3rdparty/Catch2/LICENSE
@@ -0,0 +1,23 @@
+Boost Software License - Version 1.0 - August 17th, 2003
+
+Permission is hereby granted, free of charge, to any person or organization
+obtaining a copy of the software and accompanying documentation covered by
+this license (the "Software") to use, reproduce, display, distribute,
+execute, and transmit the Software, and to prepare derivative works of the
+Software, and to permit third-parties to whom the Software is furnished to
+do so, all subject to the following:
+
+The copyright notices in the Software and this entire statement, including
+the above license grant, this restriction and the following disclaimer,
+must be included in all copies of the Software, in whole or in part, and
+all derivative works of the Software, unless such copies or derivative
+works are solely in the form of machine-executable object code generated by
+a source language processor.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
+SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
+FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
diff --git a/MasterHide/thirdparty/scope_guard/test/3rdparty/Catch2/catch.hpp b/MasterHide/thirdparty/scope_guard/test/3rdparty/Catch2/catch.hpp new file mode 100644
index 0000000..9c1c854
--- /dev/null
+++ b/MasterHide/thirdparty/scope_guard/test/3rdparty/Catch2/catch.hpp
@@ -0,0 +1,17937 @@ +/* + * Catch v2.13.5 + * Generated: 2021-04-10 23:43:17.560525 + * ---------------------------------------------------------- + * This file has been merged from multiple headers. Please don't edit it directly + * Copyright (c) 2021 Two Blue Cubes Ltd. All rights reserved. + * + * Distributed under the Boost Software License, Version 1.0. (See accompanying + * file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt) + */ +#ifndef TWOBLUECUBES_SINGLE_INCLUDE_CATCH_HPP_INCLUDED +#define TWOBLUECUBES_SINGLE_INCLUDE_CATCH_HPP_INCLUDED +// start catch.hpp + + +#define CATCH_VERSION_MAJOR 2 +#define CATCH_VERSION_MINOR 13 +#define CATCH_VERSION_PATCH 5 + +#ifdef __clang__ +# pragma clang system_header +#elif defined __GNUC__ +# pragma GCC system_header +#endif + +// start catch_suppress_warnings.h + +#ifdef __clang__ +# ifdef __ICC // icpc defines the __clang__ macro +# pragma warning(push) +# pragma warning(disable: 161 1682) +# else // __ICC +# pragma clang diagnostic push +# pragma clang diagnostic ignored "-Wpadded" +# pragma clang diagnostic ignored "-Wswitch-enum" +# pragma clang diagnostic ignored "-Wcovered-switch-default" +# endif +#elif defined __GNUC__ + // Because REQUIREs trigger GCC's -Wparentheses, and because still + // supported version of g++ have only buggy support for _Pragmas, + // Wparentheses have to be suppressed globally. 
+# pragma GCC diagnostic ignored "-Wparentheses" // See #674 for details + +# pragma GCC diagnostic push +# pragma GCC diagnostic ignored "-Wunused-variable" +# pragma GCC diagnostic ignored "-Wpadded" +#endif +// end catch_suppress_warnings.h +#if defined(CATCH_CONFIG_MAIN) || defined(CATCH_CONFIG_RUNNER) +# define CATCH_IMPL +# define CATCH_CONFIG_ALL_PARTS +#endif + +// In the impl file, we want to have access to all parts of the headers +// Can also be used to sanely support PCHs +#if defined(CATCH_CONFIG_ALL_PARTS) +# define CATCH_CONFIG_EXTERNAL_INTERFACES +# if defined(CATCH_CONFIG_DISABLE_MATCHERS) +# undef CATCH_CONFIG_DISABLE_MATCHERS +# endif +# if !defined(CATCH_CONFIG_ENABLE_CHRONO_STRINGMAKER) +# define CATCH_CONFIG_ENABLE_CHRONO_STRINGMAKER +# endif +#endif + +#if !defined(CATCH_CONFIG_IMPL_ONLY) +// start catch_platform.h + +// See e.g.: +// https://opensource.apple.com/source/CarbonHeaders/CarbonHeaders-18.1/TargetConditionals.h.auto.html +#ifdef __APPLE__ +# include +# if (defined(TARGET_OS_OSX) && TARGET_OS_OSX == 1) || \ + (defined(TARGET_OS_MAC) && TARGET_OS_MAC == 1) +# define CATCH_PLATFORM_MAC +# elif (defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE == 1) +# define CATCH_PLATFORM_IPHONE +# endif + +#elif defined(linux) || defined(__linux) || defined(__linux__) +# define CATCH_PLATFORM_LINUX + +#elif defined(WIN32) || defined(__WIN32__) || defined(_WIN32) || defined(_MSC_VER) || defined(__MINGW32__) +# define CATCH_PLATFORM_WINDOWS +#endif + +// end catch_platform.h + +#ifdef CATCH_IMPL +# ifndef CLARA_CONFIG_MAIN +# define CLARA_CONFIG_MAIN_NOT_DEFINED +# define CLARA_CONFIG_MAIN +# endif +#endif + +// start catch_user_interfaces.h + +namespace Catch { + unsigned int rngSeed(); +} + +// end catch_user_interfaces.h +// start catch_tag_alias_autoregistrar.h + +// start catch_common.h + +// start catch_compiler_capabilities.h + +// Detect a number of compiler features - by compiler +// The following features are defined: +// +// 
CATCH_CONFIG_COUNTER : is the __COUNTER__ macro supported? +// CATCH_CONFIG_WINDOWS_SEH : is Windows SEH supported? +// CATCH_CONFIG_POSIX_SIGNALS : are POSIX signals supported? +// CATCH_CONFIG_DISABLE_EXCEPTIONS : Are exceptions enabled? +// **************** +// Note to maintainers: if new toggles are added please document them +// in configuration.md, too +// **************** + +// In general each macro has a _NO_ form +// (e.g. CATCH_CONFIG_NO_POSIX_SIGNALS) which disables the feature. +// Many features, at point of detection, define an _INTERNAL_ macro, so they +// can be combined, en-mass, with the _NO_ forms later. + +#ifdef __cplusplus + +# if (__cplusplus >= 201402L) || (defined(_MSVC_LANG) && _MSVC_LANG >= 201402L) +# define CATCH_CPP14_OR_GREATER +# endif + +# if (__cplusplus >= 201703L) || (defined(_MSVC_LANG) && _MSVC_LANG >= 201703L) +# define CATCH_CPP17_OR_GREATER +# endif + +#endif + +// Only GCC compiler should be used in this block, so other compilers trying to +// mask themselves as GCC should be ignored. +#if defined(__GNUC__) && !defined(__clang__) && !defined(__ICC) && !defined(__CUDACC__) && !defined(__LCC__) +# define CATCH_INTERNAL_START_WARNINGS_SUPPRESSION _Pragma( "GCC diagnostic push" ) +# define CATCH_INTERNAL_STOP_WARNINGS_SUPPRESSION _Pragma( "GCC diagnostic pop" ) + +# define CATCH_INTERNAL_IGNORE_BUT_WARN(...) (void)__builtin_constant_p(__VA_ARGS__) + +#endif + +#if defined(__clang__) + +# define CATCH_INTERNAL_START_WARNINGS_SUPPRESSION _Pragma( "clang diagnostic push" ) +# define CATCH_INTERNAL_STOP_WARNINGS_SUPPRESSION _Pragma( "clang diagnostic pop" ) + +// As of this writing, IBM XL's implementation of __builtin_constant_p has a bug +// which results in calls to destructors being emitted for each temporary, +// without a matching initialization. In practice, this can result in something +// like `std::string::~string` being called on an uninitialized value. 
+// +// For example, this code will likely segfault under IBM XL: +// ``` +// REQUIRE(std::string("12") + "34" == "1234") +// ``` +// +// Therefore, `CATCH_INTERNAL_IGNORE_BUT_WARN` is not implemented. +# if !defined(__ibmxl__) && !defined(__CUDACC__) +# define CATCH_INTERNAL_IGNORE_BUT_WARN(...) (void)__builtin_constant_p(__VA_ARGS__) /* NOLINT(cppcoreguidelines-pro-type-vararg, hicpp-vararg) */ +# endif + +# define CATCH_INTERNAL_SUPPRESS_GLOBALS_WARNINGS \ + _Pragma( "clang diagnostic ignored \"-Wexit-time-destructors\"" ) \ + _Pragma( "clang diagnostic ignored \"-Wglobal-constructors\"") + +# define CATCH_INTERNAL_SUPPRESS_PARENTHESES_WARNINGS \ + _Pragma( "clang diagnostic ignored \"-Wparentheses\"" ) + +# define CATCH_INTERNAL_SUPPRESS_UNUSED_WARNINGS \ + _Pragma( "clang diagnostic ignored \"-Wunused-variable\"" ) + +# define CATCH_INTERNAL_SUPPRESS_ZERO_VARIADIC_WARNINGS \ + _Pragma( "clang diagnostic ignored \"-Wgnu-zero-variadic-macro-arguments\"" ) + +# define CATCH_INTERNAL_SUPPRESS_UNUSED_TEMPLATE_WARNINGS \ + _Pragma( "clang diagnostic ignored \"-Wunused-template\"" ) + +#endif // __clang__ + +//////////////////////////////////////////////////////////////////////////////// +// Assume that non-Windows platforms support posix signals by default +#if !defined(CATCH_PLATFORM_WINDOWS) + #define CATCH_INTERNAL_CONFIG_POSIX_SIGNALS +#endif + +//////////////////////////////////////////////////////////////////////////////// +// We know some environments not to support full POSIX signals +#if defined(__CYGWIN__) || defined(__QNX__) || defined(__EMSCRIPTEN__) || defined(__DJGPP__) + #define CATCH_INTERNAL_CONFIG_NO_POSIX_SIGNALS +#endif + +#ifdef __OS400__ +# define CATCH_INTERNAL_CONFIG_NO_POSIX_SIGNALS +# define CATCH_CONFIG_COLOUR_NONE +#endif + +//////////////////////////////////////////////////////////////////////////////// +// Android somehow still does not support std::to_string +#if defined(__ANDROID__) +# define CATCH_INTERNAL_CONFIG_NO_CPP11_TO_STRING 
+# define CATCH_INTERNAL_CONFIG_ANDROID_LOGWRITE +#endif + +//////////////////////////////////////////////////////////////////////////////// +// Not all Windows environments support SEH properly +#if defined(__MINGW32__) +# define CATCH_INTERNAL_CONFIG_NO_WINDOWS_SEH +#endif + +//////////////////////////////////////////////////////////////////////////////// +// PS4 +#if defined(__ORBIS__) +# define CATCH_INTERNAL_CONFIG_NO_NEW_CAPTURE +#endif + +//////////////////////////////////////////////////////////////////////////////// +// Cygwin +#ifdef __CYGWIN__ + +// Required for some versions of Cygwin to declare gettimeofday +// see: http://stackoverflow.com/questions/36901803/gettimeofday-not-declared-in-this-scope-cygwin +# define _BSD_SOURCE +// some versions of cygwin (most) do not support std::to_string. Use the libstd check. +// https://gcc.gnu.org/onlinedocs/gcc-4.8.2/libstdc++/api/a01053_source.html line 2812-2813 +# if !((__cplusplus >= 201103L) && defined(_GLIBCXX_USE_C99) \ + && !defined(_GLIBCXX_HAVE_BROKEN_VSWPRINTF)) + +# define CATCH_INTERNAL_CONFIG_NO_CPP11_TO_STRING + +# endif +#endif // __CYGWIN__ + +//////////////////////////////////////////////////////////////////////////////// +// Visual C++ +#if defined(_MSC_VER) + +# define CATCH_INTERNAL_START_WARNINGS_SUPPRESSION __pragma( warning(push) ) +# define CATCH_INTERNAL_STOP_WARNINGS_SUPPRESSION __pragma( warning(pop) ) + +// Universal Windows platform does not support SEH +// Or console colours (or console at all...) 
+# if defined(WINAPI_FAMILY) && (WINAPI_FAMILY == WINAPI_FAMILY_APP) +# define CATCH_CONFIG_COLOUR_NONE +# else +# define CATCH_INTERNAL_CONFIG_WINDOWS_SEH +# endif + +// MSVC traditional preprocessor needs some workaround for __VA_ARGS__ +// _MSVC_TRADITIONAL == 0 means new conformant preprocessor +// _MSVC_TRADITIONAL == 1 means old traditional non-conformant preprocessor +# if !defined(__clang__) // Handle Clang masquerading for msvc +# if !defined(_MSVC_TRADITIONAL) || (defined(_MSVC_TRADITIONAL) && _MSVC_TRADITIONAL) +# define CATCH_INTERNAL_CONFIG_TRADITIONAL_MSVC_PREPROCESSOR +# endif // MSVC_TRADITIONAL +# endif // __clang__ + +#endif // _MSC_VER + +#if defined(_REENTRANT) || defined(_MSC_VER) +// Enable async processing, as -pthread is specified or no additional linking is required +# define CATCH_INTERNAL_CONFIG_USE_ASYNC +#endif // _MSC_VER + +//////////////////////////////////////////////////////////////////////////////// +// Check if we are compiled with -fno-exceptions or equivalent +#if defined(__EXCEPTIONS) || defined(__cpp_exceptions) || defined(_CPPUNWIND) +# define CATCH_INTERNAL_CONFIG_EXCEPTIONS_ENABLED +#endif + +//////////////////////////////////////////////////////////////////////////////// +// DJGPP +#ifdef __DJGPP__ +# define CATCH_INTERNAL_CONFIG_NO_WCHAR +#endif // __DJGPP__ + +//////////////////////////////////////////////////////////////////////////////// +// Embarcadero C++Build +#if defined(__BORLANDC__) + #define CATCH_INTERNAL_CONFIG_POLYFILL_ISNAN +#endif + +//////////////////////////////////////////////////////////////////////////////// + +// Use of __COUNTER__ is suppressed during code analysis in +// CLion/AppCode 2017.2.x and former, because __COUNTER__ is not properly +// handled by it. 
+// Otherwise all supported compilers support COUNTER macro, +// but user still might want to turn it off +#if ( !defined(__JETBRAINS_IDE__) || __JETBRAINS_IDE__ >= 20170300L ) + #define CATCH_INTERNAL_CONFIG_COUNTER +#endif + +//////////////////////////////////////////////////////////////////////////////// + +// RTX is a special version of Windows that is real time. +// This means that it is detected as Windows, but does not provide +// the same set of capabilities as real Windows does. +#if defined(UNDER_RTSS) || defined(RTX64_BUILD) + #define CATCH_INTERNAL_CONFIG_NO_WINDOWS_SEH + #define CATCH_INTERNAL_CONFIG_NO_ASYNC + #define CATCH_CONFIG_COLOUR_NONE +#endif + +#if !defined(_GLIBCXX_USE_C99_MATH_TR1) +#define CATCH_INTERNAL_CONFIG_GLOBAL_NEXTAFTER +#endif + +// Various stdlib support checks that require __has_include +#if defined(__has_include) + // Check if string_view is available and usable + #if __has_include() && defined(CATCH_CPP17_OR_GREATER) + # define CATCH_INTERNAL_CONFIG_CPP17_STRING_VIEW + #endif + + // Check if optional is available and usable + # if __has_include() && defined(CATCH_CPP17_OR_GREATER) + # define CATCH_INTERNAL_CONFIG_CPP17_OPTIONAL + # endif // __has_include() && defined(CATCH_CPP17_OR_GREATER) + + // Check if byte is available and usable + # if __has_include() && defined(CATCH_CPP17_OR_GREATER) + # include + # if __cpp_lib_byte > 0 + # define CATCH_INTERNAL_CONFIG_CPP17_BYTE + # endif + # endif // __has_include() && defined(CATCH_CPP17_OR_GREATER) + + // Check if variant is available and usable + # if __has_include() && defined(CATCH_CPP17_OR_GREATER) + # if defined(__clang__) && (__clang_major__ < 8) + // work around clang bug with libstdc++ https://bugs.llvm.org/show_bug.cgi?id=31852 + // fix should be in clang 8, workaround in libstdc++ 8.2 + # include + # if defined(__GLIBCXX__) && defined(_GLIBCXX_RELEASE) && (_GLIBCXX_RELEASE < 9) + # define CATCH_CONFIG_NO_CPP17_VARIANT + # else + # define 
CATCH_INTERNAL_CONFIG_CPP17_VARIANT + # endif // defined(__GLIBCXX__) && defined(_GLIBCXX_RELEASE) && (_GLIBCXX_RELEASE < 9) + # else + # define CATCH_INTERNAL_CONFIG_CPP17_VARIANT + # endif // defined(__clang__) && (__clang_major__ < 8) + # endif // __has_include() && defined(CATCH_CPP17_OR_GREATER) +#endif // defined(__has_include) + +#if defined(CATCH_INTERNAL_CONFIG_COUNTER) && !defined(CATCH_CONFIG_NO_COUNTER) && !defined(CATCH_CONFIG_COUNTER) +# define CATCH_CONFIG_COUNTER +#endif +#if defined(CATCH_INTERNAL_CONFIG_WINDOWS_SEH) && !defined(CATCH_CONFIG_NO_WINDOWS_SEH) && !defined(CATCH_CONFIG_WINDOWS_SEH) && !defined(CATCH_INTERNAL_CONFIG_NO_WINDOWS_SEH) +# define CATCH_CONFIG_WINDOWS_SEH +#endif +// This is set by default, because we assume that unix compilers are posix-signal-compatible by default. +#if defined(CATCH_INTERNAL_CONFIG_POSIX_SIGNALS) && !defined(CATCH_INTERNAL_CONFIG_NO_POSIX_SIGNALS) && !defined(CATCH_CONFIG_NO_POSIX_SIGNALS) && !defined(CATCH_CONFIG_POSIX_SIGNALS) +# define CATCH_CONFIG_POSIX_SIGNALS +#endif +// This is set by default, because we assume that compilers with no wchar_t support are just rare exceptions. 
+#if !defined(CATCH_INTERNAL_CONFIG_NO_WCHAR) && !defined(CATCH_CONFIG_NO_WCHAR) && !defined(CATCH_CONFIG_WCHAR) +# define CATCH_CONFIG_WCHAR +#endif + +#if !defined(CATCH_INTERNAL_CONFIG_NO_CPP11_TO_STRING) && !defined(CATCH_CONFIG_NO_CPP11_TO_STRING) && !defined(CATCH_CONFIG_CPP11_TO_STRING) +# define CATCH_CONFIG_CPP11_TO_STRING +#endif + +#if defined(CATCH_INTERNAL_CONFIG_CPP17_OPTIONAL) && !defined(CATCH_CONFIG_NO_CPP17_OPTIONAL) && !defined(CATCH_CONFIG_CPP17_OPTIONAL) +# define CATCH_CONFIG_CPP17_OPTIONAL +#endif + +#if defined(CATCH_INTERNAL_CONFIG_CPP17_STRING_VIEW) && !defined(CATCH_CONFIG_NO_CPP17_STRING_VIEW) && !defined(CATCH_CONFIG_CPP17_STRING_VIEW) +# define CATCH_CONFIG_CPP17_STRING_VIEW +#endif + +#if defined(CATCH_INTERNAL_CONFIG_CPP17_VARIANT) && !defined(CATCH_CONFIG_NO_CPP17_VARIANT) && !defined(CATCH_CONFIG_CPP17_VARIANT) +# define CATCH_CONFIG_CPP17_VARIANT +#endif + +#if defined(CATCH_INTERNAL_CONFIG_CPP17_BYTE) && !defined(CATCH_CONFIG_NO_CPP17_BYTE) && !defined(CATCH_CONFIG_CPP17_BYTE) +# define CATCH_CONFIG_CPP17_BYTE +#endif + +#if defined(CATCH_CONFIG_EXPERIMENTAL_REDIRECT) +# define CATCH_INTERNAL_CONFIG_NEW_CAPTURE +#endif + +#if defined(CATCH_INTERNAL_CONFIG_NEW_CAPTURE) && !defined(CATCH_INTERNAL_CONFIG_NO_NEW_CAPTURE) && !defined(CATCH_CONFIG_NO_NEW_CAPTURE) && !defined(CATCH_CONFIG_NEW_CAPTURE) +# define CATCH_CONFIG_NEW_CAPTURE +#endif + +#if !defined(CATCH_INTERNAL_CONFIG_EXCEPTIONS_ENABLED) && !defined(CATCH_CONFIG_DISABLE_EXCEPTIONS) +# define CATCH_CONFIG_DISABLE_EXCEPTIONS +#endif + +#if defined(CATCH_INTERNAL_CONFIG_POLYFILL_ISNAN) && !defined(CATCH_CONFIG_NO_POLYFILL_ISNAN) && !defined(CATCH_CONFIG_POLYFILL_ISNAN) +# define CATCH_CONFIG_POLYFILL_ISNAN +#endif + +#if defined(CATCH_INTERNAL_CONFIG_USE_ASYNC) && !defined(CATCH_INTERNAL_CONFIG_NO_ASYNC) && !defined(CATCH_CONFIG_NO_USE_ASYNC) && !defined(CATCH_CONFIG_USE_ASYNC) +# define CATCH_CONFIG_USE_ASYNC +#endif + +#if defined(CATCH_INTERNAL_CONFIG_ANDROID_LOGWRITE) && 
!defined(CATCH_CONFIG_NO_ANDROID_LOGWRITE) && !defined(CATCH_CONFIG_ANDROID_LOGWRITE) +# define CATCH_CONFIG_ANDROID_LOGWRITE +#endif + +#if defined(CATCH_INTERNAL_CONFIG_GLOBAL_NEXTAFTER) && !defined(CATCH_CONFIG_NO_GLOBAL_NEXTAFTER) && !defined(CATCH_CONFIG_GLOBAL_NEXTAFTER) +# define CATCH_CONFIG_GLOBAL_NEXTAFTER +#endif + +// Even if we do not think the compiler has that warning, we still have +// to provide a macro that can be used by the code. +#if !defined(CATCH_INTERNAL_START_WARNINGS_SUPPRESSION) +# define CATCH_INTERNAL_START_WARNINGS_SUPPRESSION +#endif +#if !defined(CATCH_INTERNAL_STOP_WARNINGS_SUPPRESSION) +# define CATCH_INTERNAL_STOP_WARNINGS_SUPPRESSION +#endif +#if !defined(CATCH_INTERNAL_SUPPRESS_PARENTHESES_WARNINGS) +# define CATCH_INTERNAL_SUPPRESS_PARENTHESES_WARNINGS +#endif +#if !defined(CATCH_INTERNAL_SUPPRESS_GLOBALS_WARNINGS) +# define CATCH_INTERNAL_SUPPRESS_GLOBALS_WARNINGS +#endif +#if !defined(CATCH_INTERNAL_SUPPRESS_UNUSED_WARNINGS) +# define CATCH_INTERNAL_SUPPRESS_UNUSED_WARNINGS +#endif +#if !defined(CATCH_INTERNAL_SUPPRESS_ZERO_VARIADIC_WARNINGS) +# define CATCH_INTERNAL_SUPPRESS_ZERO_VARIADIC_WARNINGS +#endif + +// The goal of this macro is to avoid evaluation of the arguments, but +// still have the compiler warn on problems inside... +#if !defined(CATCH_INTERNAL_IGNORE_BUT_WARN) +# define CATCH_INTERNAL_IGNORE_BUT_WARN(...) 
+#endif + +#if defined(__APPLE__) && defined(__apple_build_version__) && (__clang_major__ < 10) +# undef CATCH_INTERNAL_SUPPRESS_UNUSED_TEMPLATE_WARNINGS +#elif defined(__clang__) && (__clang_major__ < 5) +# undef CATCH_INTERNAL_SUPPRESS_UNUSED_TEMPLATE_WARNINGS +#endif + +#if !defined(CATCH_INTERNAL_SUPPRESS_UNUSED_TEMPLATE_WARNINGS) +# define CATCH_INTERNAL_SUPPRESS_UNUSED_TEMPLATE_WARNINGS +#endif + +#if defined(CATCH_CONFIG_DISABLE_EXCEPTIONS) +#define CATCH_TRY if ((true)) +#define CATCH_CATCH_ALL if ((false)) +#define CATCH_CATCH_ANON(type) if ((false)) +#else +#define CATCH_TRY try +#define CATCH_CATCH_ALL catch (...) +#define CATCH_CATCH_ANON(type) catch (type) +#endif + +#if defined(CATCH_INTERNAL_CONFIG_TRADITIONAL_MSVC_PREPROCESSOR) && !defined(CATCH_CONFIG_NO_TRADITIONAL_MSVC_PREPROCESSOR) && !defined(CATCH_CONFIG_TRADITIONAL_MSVC_PREPROCESSOR) +#define CATCH_CONFIG_TRADITIONAL_MSVC_PREPROCESSOR +#endif + +// end catch_compiler_capabilities.h +#define INTERNAL_CATCH_UNIQUE_NAME_LINE2( name, line ) name##line +#define INTERNAL_CATCH_UNIQUE_NAME_LINE( name, line ) INTERNAL_CATCH_UNIQUE_NAME_LINE2( name, line ) +#ifdef CATCH_CONFIG_COUNTER +# define INTERNAL_CATCH_UNIQUE_NAME( name ) INTERNAL_CATCH_UNIQUE_NAME_LINE( name, __COUNTER__ ) +#else +# define INTERNAL_CATCH_UNIQUE_NAME( name ) INTERNAL_CATCH_UNIQUE_NAME_LINE( name, __LINE__ ) +#endif + +#include +#include +#include + +// We need a dummy global operator<< so we can bring it into Catch namespace later +struct Catch_global_namespace_dummy {}; +std::ostream& operator<<(std::ostream&, Catch_global_namespace_dummy); + +namespace Catch { + + struct CaseSensitive { enum Choice { + Yes, + No + }; }; + + class NonCopyable { + NonCopyable( NonCopyable const& ) = delete; + NonCopyable( NonCopyable && ) = delete; + NonCopyable& operator = ( NonCopyable const& ) = delete; + NonCopyable& operator = ( NonCopyable && ) = delete; + + protected: + NonCopyable(); + virtual ~NonCopyable(); + }; + + struct 
SourceLineInfo { + + SourceLineInfo() = delete; + SourceLineInfo( char const* _file, std::size_t _line ) noexcept + : file( _file ), + line( _line ) + {} + + SourceLineInfo( SourceLineInfo const& other ) = default; + SourceLineInfo& operator = ( SourceLineInfo const& ) = default; + SourceLineInfo( SourceLineInfo&& ) noexcept = default; + SourceLineInfo& operator = ( SourceLineInfo&& ) noexcept = default; + + bool empty() const noexcept { return file[0] == '\0'; } + bool operator == ( SourceLineInfo const& other ) const noexcept; + bool operator < ( SourceLineInfo const& other ) const noexcept; + + char const* file; + std::size_t line; + }; + + std::ostream& operator << ( std::ostream& os, SourceLineInfo const& info ); + + // Bring in operator<< from global namespace into Catch namespace + // This is necessary because the overload of operator<< above makes + // lookup stop at namespace Catch + using ::operator<<; + + // Use this in variadic streaming macros to allow + // >> +StreamEndStop + // as well as + // >> stuff +StreamEndStop + struct StreamEndStop { + std::string operator+() const; + }; + template + T const& operator + ( T const& value, StreamEndStop ) { + return value; + } +} + +#define CATCH_INTERNAL_LINEINFO \ + ::Catch::SourceLineInfo( __FILE__, static_cast( __LINE__ ) ) + +// end catch_common.h +namespace Catch { + + struct RegistrarForTagAliases { + RegistrarForTagAliases( char const* alias, char const* tag, SourceLineInfo const& lineInfo ); + }; + +} // end namespace Catch + +#define CATCH_REGISTER_TAG_ALIAS( alias, spec ) \ + CATCH_INTERNAL_START_WARNINGS_SUPPRESSION \ + CATCH_INTERNAL_SUPPRESS_GLOBALS_WARNINGS \ + namespace{ Catch::RegistrarForTagAliases INTERNAL_CATCH_UNIQUE_NAME( AutoRegisterTagAlias )( alias, spec, CATCH_INTERNAL_LINEINFO ); } \ + CATCH_INTERNAL_STOP_WARNINGS_SUPPRESSION + +// end catch_tag_alias_autoregistrar.h +// start catch_test_registry.h + +// start catch_interfaces_testcase.h + +#include + +namespace Catch { + + class 
TestSpec; + + struct ITestInvoker { + virtual void invoke () const = 0; + virtual ~ITestInvoker(); + }; + + class TestCase; + struct IConfig; + + struct ITestCaseRegistry { + virtual ~ITestCaseRegistry(); + virtual std::vector const& getAllTests() const = 0; + virtual std::vector const& getAllTestsSorted( IConfig const& config ) const = 0; + }; + + bool isThrowSafe( TestCase const& testCase, IConfig const& config ); + bool matchTest( TestCase const& testCase, TestSpec const& testSpec, IConfig const& config ); + std::vector filterTests( std::vector const& testCases, TestSpec const& testSpec, IConfig const& config ); + std::vector const& getAllTestCasesSorted( IConfig const& config ); + +} + +// end catch_interfaces_testcase.h +// start catch_stringref.h + +#include +#include +#include +#include + +namespace Catch { + + /// A non-owning string class (similar to the forthcoming std::string_view) + /// Note that, because a StringRef may be a substring of another string, + /// it may not be null terminated. 
+ class StringRef { + public: + using size_type = std::size_t; + using const_iterator = const char*; + + private: + static constexpr char const* const s_empty = ""; + + char const* m_start = s_empty; + size_type m_size = 0; + + public: // construction + constexpr StringRef() noexcept = default; + + StringRef( char const* rawChars ) noexcept; + + constexpr StringRef( char const* rawChars, size_type size ) noexcept + : m_start( rawChars ), + m_size( size ) + {} + + StringRef( std::string const& stdString ) noexcept + : m_start( stdString.c_str() ), + m_size( stdString.size() ) + {} + + explicit operator std::string() const { + return std::string(m_start, m_size); + } + + public: // operators + auto operator == ( StringRef const& other ) const noexcept -> bool; + auto operator != (StringRef const& other) const noexcept -> bool { + return !(*this == other); + } + + auto operator[] ( size_type index ) const noexcept -> char { + assert(index < m_size); + return m_start[index]; + } + + public: // named queries + constexpr auto empty() const noexcept -> bool { + return m_size == 0; + } + constexpr auto size() const noexcept -> size_type { + return m_size; + } + + // Returns the current start pointer. If the StringRef is not + // null-terminated, throws std::domain_exception + auto c_str() const -> char const*; + + public: // substrings and searches + // Returns a substring of [start, start + length). + // If start + length > size(), then the substring is [start, size()). + // If start > size(), then the substring is empty. + auto substr( size_type start, size_type length ) const noexcept -> StringRef; + + // Returns the current start pointer. May not be null-terminated. 
+ auto data() const noexcept -> char const*; + + constexpr auto isNullTerminated() const noexcept -> bool { + return m_start[m_size] == '\0'; + } + + public: // iterators + constexpr const_iterator begin() const { return m_start; } + constexpr const_iterator end() const { return m_start + m_size; } + }; + + auto operator += ( std::string& lhs, StringRef const& sr ) -> std::string&; + auto operator << ( std::ostream& os, StringRef const& sr ) -> std::ostream&; + + constexpr auto operator "" _sr( char const* rawChars, std::size_t size ) noexcept -> StringRef { + return StringRef( rawChars, size ); + } +} // namespace Catch + +constexpr auto operator "" _catch_sr( char const* rawChars, std::size_t size ) noexcept -> Catch::StringRef { + return Catch::StringRef( rawChars, size ); +} + +// end catch_stringref.h +// start catch_preprocessor.hpp + + +#define CATCH_RECURSION_LEVEL0(...) __VA_ARGS__ +#define CATCH_RECURSION_LEVEL1(...) CATCH_RECURSION_LEVEL0(CATCH_RECURSION_LEVEL0(CATCH_RECURSION_LEVEL0(__VA_ARGS__))) +#define CATCH_RECURSION_LEVEL2(...) CATCH_RECURSION_LEVEL1(CATCH_RECURSION_LEVEL1(CATCH_RECURSION_LEVEL1(__VA_ARGS__))) +#define CATCH_RECURSION_LEVEL3(...) CATCH_RECURSION_LEVEL2(CATCH_RECURSION_LEVEL2(CATCH_RECURSION_LEVEL2(__VA_ARGS__))) +#define CATCH_RECURSION_LEVEL4(...) CATCH_RECURSION_LEVEL3(CATCH_RECURSION_LEVEL3(CATCH_RECURSION_LEVEL3(__VA_ARGS__))) +#define CATCH_RECURSION_LEVEL5(...) CATCH_RECURSION_LEVEL4(CATCH_RECURSION_LEVEL4(CATCH_RECURSION_LEVEL4(__VA_ARGS__))) + +#ifdef CATCH_CONFIG_TRADITIONAL_MSVC_PREPROCESSOR +#define INTERNAL_CATCH_EXPAND_VARGS(...) __VA_ARGS__ +// MSVC needs more evaluations +#define CATCH_RECURSION_LEVEL6(...) CATCH_RECURSION_LEVEL5(CATCH_RECURSION_LEVEL5(CATCH_RECURSION_LEVEL5(__VA_ARGS__))) +#define CATCH_RECURSE(...) CATCH_RECURSION_LEVEL6(CATCH_RECURSION_LEVEL6(__VA_ARGS__)) +#else +#define CATCH_RECURSE(...) CATCH_RECURSION_LEVEL5(__VA_ARGS__) +#endif + +#define CATCH_REC_END(...) 
+#define CATCH_REC_OUT + +#define CATCH_EMPTY() +#define CATCH_DEFER(id) id CATCH_EMPTY() + +#define CATCH_REC_GET_END2() 0, CATCH_REC_END +#define CATCH_REC_GET_END1(...) CATCH_REC_GET_END2 +#define CATCH_REC_GET_END(...) CATCH_REC_GET_END1 +#define CATCH_REC_NEXT0(test, next, ...) next CATCH_REC_OUT +#define CATCH_REC_NEXT1(test, next) CATCH_DEFER ( CATCH_REC_NEXT0 ) ( test, next, 0) +#define CATCH_REC_NEXT(test, next) CATCH_REC_NEXT1(CATCH_REC_GET_END test, next) + +#define CATCH_REC_LIST0(f, x, peek, ...) , f(x) CATCH_DEFER ( CATCH_REC_NEXT(peek, CATCH_REC_LIST1) ) ( f, peek, __VA_ARGS__ ) +#define CATCH_REC_LIST1(f, x, peek, ...) , f(x) CATCH_DEFER ( CATCH_REC_NEXT(peek, CATCH_REC_LIST0) ) ( f, peek, __VA_ARGS__ ) +#define CATCH_REC_LIST2(f, x, peek, ...) f(x) CATCH_DEFER ( CATCH_REC_NEXT(peek, CATCH_REC_LIST1) ) ( f, peek, __VA_ARGS__ ) + +#define CATCH_REC_LIST0_UD(f, userdata, x, peek, ...) , f(userdata, x) CATCH_DEFER ( CATCH_REC_NEXT(peek, CATCH_REC_LIST1_UD) ) ( f, userdata, peek, __VA_ARGS__ ) +#define CATCH_REC_LIST1_UD(f, userdata, x, peek, ...) , f(userdata, x) CATCH_DEFER ( CATCH_REC_NEXT(peek, CATCH_REC_LIST0_UD) ) ( f, userdata, peek, __VA_ARGS__ ) +#define CATCH_REC_LIST2_UD(f, userdata, x, peek, ...) f(userdata, x) CATCH_DEFER ( CATCH_REC_NEXT(peek, CATCH_REC_LIST1_UD) ) ( f, userdata, peek, __VA_ARGS__ ) + +// Applies the function macro `f` to each of the remaining parameters, inserts commas between the results, +// and passes userdata as the first parameter to each invocation, +// e.g. CATCH_REC_LIST_UD(f, x, a, b, c) evaluates to f(x, a), f(x, b), f(x, c) +#define CATCH_REC_LIST_UD(f, userdata, ...) CATCH_RECURSE(CATCH_REC_LIST2_UD(f, userdata, __VA_ARGS__, ()()(), ()()(), ()()(), 0)) + +#define CATCH_REC_LIST(f, ...) CATCH_RECURSE(CATCH_REC_LIST2(f, __VA_ARGS__, ()()(), ()()(), ()()(), 0)) + +#define INTERNAL_CATCH_EXPAND1(param) INTERNAL_CATCH_EXPAND2(param) +#define INTERNAL_CATCH_EXPAND2(...) 
INTERNAL_CATCH_NO## __VA_ARGS__ +#define INTERNAL_CATCH_DEF(...) INTERNAL_CATCH_DEF __VA_ARGS__ +#define INTERNAL_CATCH_NOINTERNAL_CATCH_DEF +#define INTERNAL_CATCH_STRINGIZE(...) INTERNAL_CATCH_STRINGIZE2(__VA_ARGS__) +#ifndef CATCH_CONFIG_TRADITIONAL_MSVC_PREPROCESSOR +#define INTERNAL_CATCH_STRINGIZE2(...) #__VA_ARGS__ +#define INTERNAL_CATCH_STRINGIZE_WITHOUT_PARENS(param) INTERNAL_CATCH_STRINGIZE(INTERNAL_CATCH_REMOVE_PARENS(param)) +#else +// MSVC is adding extra space and needs another indirection to expand INTERNAL_CATCH_NOINTERNAL_CATCH_DEF +#define INTERNAL_CATCH_STRINGIZE2(...) INTERNAL_CATCH_STRINGIZE3(__VA_ARGS__) +#define INTERNAL_CATCH_STRINGIZE3(...) #__VA_ARGS__ +#define INTERNAL_CATCH_STRINGIZE_WITHOUT_PARENS(param) (INTERNAL_CATCH_STRINGIZE(INTERNAL_CATCH_REMOVE_PARENS(param)) + 1) +#endif + +#define INTERNAL_CATCH_MAKE_NAMESPACE2(...) ns_##__VA_ARGS__ +#define INTERNAL_CATCH_MAKE_NAMESPACE(name) INTERNAL_CATCH_MAKE_NAMESPACE2(name) + +#define INTERNAL_CATCH_REMOVE_PARENS(...) INTERNAL_CATCH_EXPAND1(INTERNAL_CATCH_DEF __VA_ARGS__) + +#ifndef CATCH_CONFIG_TRADITIONAL_MSVC_PREPROCESSOR +#define INTERNAL_CATCH_MAKE_TYPE_LIST2(...) decltype(get_wrapper()) +#define INTERNAL_CATCH_MAKE_TYPE_LIST(...) INTERNAL_CATCH_MAKE_TYPE_LIST2(INTERNAL_CATCH_REMOVE_PARENS(__VA_ARGS__)) +#else +#define INTERNAL_CATCH_MAKE_TYPE_LIST2(...) INTERNAL_CATCH_EXPAND_VARGS(decltype(get_wrapper())) +#define INTERNAL_CATCH_MAKE_TYPE_LIST(...) 
INTERNAL_CATCH_EXPAND_VARGS(INTERNAL_CATCH_MAKE_TYPE_LIST2(INTERNAL_CATCH_REMOVE_PARENS(__VA_ARGS__))) +#endif + +#define INTERNAL_CATCH_MAKE_TYPE_LISTS_FROM_TYPES(...)\ + CATCH_REC_LIST(INTERNAL_CATCH_MAKE_TYPE_LIST,__VA_ARGS__) + +#define INTERNAL_CATCH_REMOVE_PARENS_1_ARG(_0) INTERNAL_CATCH_REMOVE_PARENS(_0) +#define INTERNAL_CATCH_REMOVE_PARENS_2_ARG(_0, _1) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_1_ARG(_1) +#define INTERNAL_CATCH_REMOVE_PARENS_3_ARG(_0, _1, _2) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_2_ARG(_1, _2) +#define INTERNAL_CATCH_REMOVE_PARENS_4_ARG(_0, _1, _2, _3) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_3_ARG(_1, _2, _3) +#define INTERNAL_CATCH_REMOVE_PARENS_5_ARG(_0, _1, _2, _3, _4) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_4_ARG(_1, _2, _3, _4) +#define INTERNAL_CATCH_REMOVE_PARENS_6_ARG(_0, _1, _2, _3, _4, _5) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_5_ARG(_1, _2, _3, _4, _5) +#define INTERNAL_CATCH_REMOVE_PARENS_7_ARG(_0, _1, _2, _3, _4, _5, _6) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_6_ARG(_1, _2, _3, _4, _5, _6) +#define INTERNAL_CATCH_REMOVE_PARENS_8_ARG(_0, _1, _2, _3, _4, _5, _6, _7) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_7_ARG(_1, _2, _3, _4, _5, _6, _7) +#define INTERNAL_CATCH_REMOVE_PARENS_9_ARG(_0, _1, _2, _3, _4, _5, _6, _7, _8) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_8_ARG(_1, _2, _3, _4, _5, _6, _7, _8) +#define INTERNAL_CATCH_REMOVE_PARENS_10_ARG(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_9_ARG(_1, _2, _3, _4, _5, _6, _7, _8, _9) +#define INTERNAL_CATCH_REMOVE_PARENS_11_ARG(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10) INTERNAL_CATCH_REMOVE_PARENS(_0), INTERNAL_CATCH_REMOVE_PARENS_10_ARG(_1, _2, _3, _4, _5, _6, _7, _8, _9, _10) + +#define INTERNAL_CATCH_VA_NARGS_IMPL(_0, _1, _2, _3, _4, _5, _6, _7, 
_8, _9, _10, N, ...) N + +#define INTERNAL_CATCH_TYPE_GEN\ + template struct TypeList {};\ + template\ + constexpr auto get_wrapper() noexcept -> TypeList { return {}; }\ + template class...> struct TemplateTypeList{};\ + template class...Cs>\ + constexpr auto get_wrapper() noexcept -> TemplateTypeList { return {}; }\ + template\ + struct append;\ + template\ + struct rewrap;\ + template class, typename...>\ + struct create;\ + template class, typename>\ + struct convert;\ + \ + template \ + struct append { using type = T; };\ + template< template class L1, typename...E1, template class L2, typename...E2, typename...Rest>\ + struct append, L2, Rest...> { using type = typename append, Rest...>::type; };\ + template< template class L1, typename...E1, typename...Rest>\ + struct append, TypeList, Rest...> { using type = L1; };\ + \ + template< template class Container, template class List, typename...elems>\ + struct rewrap, List> { using type = TypeList>; };\ + template< template class Container, template class List, class...Elems, typename...Elements>\ + struct rewrap, List, Elements...> { using type = typename append>, typename rewrap, Elements...>::type>::type; };\ + \ + template