#pragma once
// One entry of the 64-bit inverted function table: identifies a loaded image
// and the location/size of its exception (runtime-function) directory.
//
// NOTE(review): this is a hand-mirrored copy of an ntdll-internal layout that
// is not part of the public SDK; field order and sizes must match the OS build
// that is actually targeted, since any write through a wrong mirror corrupts
// the loader's table rather than failing cleanly.
typedef struct _RTL_INVERTED_FUNCTION_TABLE_ENTRY_64 {
    PIMAGE_RUNTIME_FUNCTION_ENTRY ExceptionDirectory;   // points to the image's IMAGE_RUNTIME_FUNCTION_ENTRY records
    PVOID ImageBase;                                    // base address of the image this entry describes
    ULONG ImageSize;                                    // size of the mapped image
    ULONG ExceptionDirectorySize;                       // size of the directory ExceptionDirectory points at
} RTL_INVERTED_FUNCTION_TABLE_ENTRY_64, * PRTL_INVERTED_FUNCTION_TABLE_ENTRY_64;
// 64-bit inverted function table: bookkeeping counters followed by a
// fixed-capacity array of entries.
//
// Field meanings below follow the field names; none of them is established by
// this header alone, so treat them as assumptions to confirm against the
// target OS build. In particular, validate Count <= MaxCount (and both within
// the 0x200 capacity) before indexing Entries through a pointer obtained from
// a live process.
typedef struct _RTL_INVERTED_FUNCTION_TABLE_64 {
    ULONG Count;      // presumably the number of Entries in use
    ULONG MaxCount;   // presumably the usable capacity of Entries
    ULONG Epoch;      // NOTE(review): meaning not shown here; presumably a change counter — confirm
    ULONG Overflow;   // NOTE(review): presumably set when an insert found no free slot — confirm
    RTL_INVERTED_FUNCTION_TABLE_ENTRY_64 Entries[0x200];   // 512 slots of fixed storage
} RTL_INVERTED_FUNCTION_TABLE_64, * PRTL_INVERTED_FUNCTION_TABLE_64;
// The correct data structure should be this one; the definitions that follow
// below use a different layout.
//
//typedef struct _RTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32 {
// PVOID EntrySEHandlerTableEncoded;
// PVOID ImageBase;
// ULONG ImageSize;
// ULONG SEHandlerCount;
//} RTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32, * PRTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32;
//typedef struct _RTL_INVERTED_FUNCTION_TABLE_WIN7_32 {
// ULONG Count;
// ULONG MaxCount;
// ULONG Overflow;
// RTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32 Entries[0x200];
//} RTL_INVERTED_FUNCTION_TABLE_WIN7_32, * PRTL_INVERTED_FUNCTION_TABLE_WIN7_32;
//
//
// One entry of the 32-bit (Windows 7) inverted function table.
//
// This differs from the commented-out layout above: the encoded SEH handler
// table pointer is the LAST member here instead of the first, and the other
// members keep their relative order. Whichever layout the target build really
// uses, a mismatch shifts every field and silently corrupts the table on
// write — confirm against the actual OS build before using this definition.
typedef struct _RTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32 {
    PVOID ImageBase;                          // base address of the image this entry describes
    ULONG ImageSize;                          // size of the mapped image
    ULONG SEHandlerCount;                     // presumably the number of SafeSEH handlers — confirm
    PVOID NextEntrySEHandlerTableEncoded;     // encoded pointer; the encoding scheme is not shown in this header
} RTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32, * PRTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32;
// 32-bit (Windows 7) inverted function table: counters, one extra encoded
// handler-table field, then a fixed-capacity array of entries.
//
// Compared with the commented-out layout above this version carries an
// additional ULONG NextEntrySEHandlerTableEncoded before Entries, which moves
// the array by one ULONG. Validate Count <= MaxCount (and both within the
// 0x200 capacity) before indexing Entries through a pointer read from a live
// process; the field meanings are assumed from their names only.
typedef struct _RTL_INVERTED_FUNCTION_TABLE_WIN7_32 {
    ULONG Count;                              // presumably the number of Entries in use
    ULONG MaxCount;                           // presumably the usable capacity of Entries
    ULONG Overflow;                           // NOTE(review): presumably set when an insert found no free slot — confirm
    ULONG NextEntrySEHandlerTableEncoded;     // encoded value; not present in the commented-out layout above
    RTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32 Entries[0x200];   // 512 slots of fixed storage
} RTL_INVERTED_FUNCTION_TABLE_WIN7_32, * PRTL_INVERTED_FUNCTION_TABLE_WIN7_32;
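// Select the table layout for the compilation target: the generic names
// RTL_INVERTED_FUNCTION_TABLE / RTL_INVERTED_FUNCTION_TABLE_ENTRY (and their
// underscore and pointer variants) alias the 64-bit definitions on _WIN64 and
// the Windows 7 32-bit definitions otherwise.
//
// The aliases are introduced through the typedef names rather than the bare
// struct tags: in C a struct tag is not a type name on its own, so
// `typedef _RTL_INVERTED_FUNCTION_TABLE_ENTRY_64 ...` only compiles as C++.
// Using the typedef names keeps the header valid for both languages and is
// consistent across all four lines.
//
// NOTE(review): the #else branch unconditionally picks the Win7 layout for
// every 32-bit build; confirm the target OS version before relying on it.
#ifdef _WIN64
typedef RTL_INVERTED_FUNCTION_TABLE_ENTRY_64 _RTL_INVERTED_FUNCTION_TABLE_ENTRY, RTL_INVERTED_FUNCTION_TABLE_ENTRY, * PRTL_INVERTED_FUNCTION_TABLE_ENTRY;
typedef RTL_INVERTED_FUNCTION_TABLE_64 _RTL_INVERTED_FUNCTION_TABLE, RTL_INVERTED_FUNCTION_TABLE, * PRTL_INVERTED_FUNCTION_TABLE;
#else
typedef RTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32 _RTL_INVERTED_FUNCTION_TABLE_ENTRY, RTL_INVERTED_FUNCTION_TABLE_ENTRY, * PRTL_INVERTED_FUNCTION_TABLE_ENTRY;
typedef RTL_INVERTED_FUNCTION_TABLE_WIN7_32 _RTL_INVERTED_FUNCTION_TABLE, RTL_INVERTED_FUNCTION_TABLE, * PRTL_INVERTED_FUNCTION_TABLE;
#endif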
// RtlInsertInvertedFunctionTable - presumably registers the image at
// BaseAddress (of ImageSize bytes) in the inverted function table; returns an
// NTSTATUS.
//
// NOTE(review): this routine is not declared in the public SDK headers, so the
// prototype here is hand-written. The parameter list of the ntdll-internal
// routine has reportedly changed between Windows versions; confirm this
// signature against the OS build actually targeted before calling it, since a
// mismatched call convention or argument count corrupts loader state rather
// than returning an error.
NTSTATUS NTAPI RtlInsertInvertedFunctionTable(
    _In_ PVOID BaseAddress,    // base address of the mapped image
    _In_ ULONG ImageSize       // size of that image
);
// RtlRemoveInvertedFunctionTable - presumably removes the entry for ImageBase
// from the inverted function table; returns an NTSTATUS.
//
// NOTE(review): like the insert routine above this is a hand-written prototype
// for a non-SDK routine; confirm it against the target OS build. Callers should
// check the returned status rather than assume the entry was removed.
NTSTATUS NTAPI RtlRemoveInvertedFunctionTable(_In_ PVOID ImageBase);