diff --git a/Source/Shared/ntos/ntbuilds.h b/Source/Shared/ntos/ntbuilds.h index 413f079..b09753f 100644 --- a/Source/Shared/ntos/ntbuilds.h +++ b/Source/Shared/ntos/ntbuilds.h @@ -6,7 +6,7 @@ * * VERSION: 1.00 * -* DATE: 26 July 2021 +* DATE: 01 Nov 2021 * * Windows NT builds definition file. * @@ -73,5 +73,8 @@ // Windows 10 21H2 #define NT_WIN10_21H2 19044 +// Windows 11 21H2 +#define NT_WIN11_21H2 22000 + // Windows 11 Active Develepment Branch (21XX) -#define NTX_WIN11_ADB 22000 +#define NTX_WIN11_ADB 22494 diff --git a/Source/Shared/ntos/ntos.h b/Source/Shared/ntos/ntos.h index ae4c9ec..eb9d33d 100644 --- a/Source/Shared/ntos/ntos.h +++ b/Source/Shared/ntos/ntos.h @@ -5,9 +5,9 @@ * * TITLE: NTOS.H * -* VERSION: 1.174 +* VERSION: 1.183 * -* DATE: 17 July 2021 +* DATE: 04 Oct 2021 * * Common header file for the ntos API functions and definitions. * @@ -367,7 +367,7 @@ char _RTL_CONSTANT_STRING_type_check(const void *s); #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 #define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 #define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 -#define THREAD_CREATE_FLAGS_SKIP_THREAD_SUSPEND 0x00000040 +#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x00000040 #define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 // @@ -427,18 +427,6 @@ char _RTL_CONSTANT_STRING_type_check(const void *s); MEMORY_PARTITION_MODIFY_ACCESS) #endif -// -// NtCreateProcessEx specific flags. -// -#define PS_REQUEST_BREAKAWAY 1 -#define PS_NO_DEBUG_INHERIT 2 -#define PS_INHERIT_HANDLES 4 -#define PS_LARGE_PAGES 8 -#define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \ - PS_NO_DEBUG_INHERIT | \ - PS_INHERIT_HANDLES | \ - PS_LARGE_PAGES) - // // Define special ByteOffset parameters for read and write operations // @@ -549,7 +537,7 @@ typedef struct _IO_STATUS_BLOCK { #ifndef INTERFACE_TYPE typedef enum _INTERFACE_TYPE { InterfaceTypeUndefined = -1, - Internal, + Internal = 0, Isa, Eisa, MicroChannel, 
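Review bot: Renaming `THREAD_CREATE_FLAGS_SKIP_THREAD_SUSPEND` to `THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE` drops the old identifier, so any translation unit still using the previous name stops compiling even though the value 0x00000040 is unchanged. Keep a compatibility alias next to the new definition: `#define THREAD_CREATE_FLAGS_SKIP_THREAD_SUSPEND THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE`. The same applies to `SystemDmaProtectionInformation` → `SystemVsmProtectionInformation` in the SYSTEM_INFORMATION_CLASS hunk and to `WRITE_RESTRICT` → `WRITE_RESTRICTED` in the token-flags hunk; for the enum, keeping an extra enumerator `SystemDmaProtectionInformation = SystemVsmProtectionInformation,` preserves old callers better than the trailing `//ex` comment alone.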
@@ -667,6 +655,7 @@ typedef enum _KWAIT_REASON { WrAlertByThreadId, WrDeferredPreempt, WrPhysicalFault, + WrIoRing, MaximumWaitReason } KWAIT_REASON; @@ -1636,7 +1625,7 @@ typedef enum _SYSTEM_INFORMATION_CLASS { SystemHardwareSecurityTestInterfaceResultsInformation = 166, SystemSingleModuleInformation = 167, SystemAllowedCpuSetsInformation = 168, - SystemDmaProtectionInformation = 169, + SystemVsmProtectionInformation = 169, //ex SystemDmaProtectionInformation SystemInterruptCpuSetsInformation = 170, SystemSecureBootPolicyFullInformation = 171, SystemCodeIntegrityPolicyFullInformation = 172, @@ -1695,9 +1684,21 @@ typedef enum _SYSTEM_INFORMATION_CLASS { SystemCodeIntegrityClearDynamicStores = 225, SystemDifPoolTrackingInformation = 226, SystemPoolZeroingInformation = 227, + SystemDpcWatchdogInformation = 228, + SystemDpcWatchdogInformation2 = 229, + SystemSupportedProcessorArchitectures2 = 230, + SystemSingleProcessorRelationshipInformation = 231, + SystemXfgCheckFailureInformation = 232, MaxSystemInfoClass } SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS; +typedef struct _SYSTEM_VSM_PROTECTION_INFORMATION { + CHAR DmaProtectionsAvailable; + CHAR DmaProtectionsInUse; + CHAR HardwareMbecAvailable; + CHAR ApicVirtualizationAvailable; +} SYSTEM_VSM_PROTECTION_INFORMATION, * PSYSTEM_VSM_PROTECTION_INFORMATION; + //msdn.microsoft.com/en-us/library/windows/desktop/ms724509(v=vs.85).aspx typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION { union { @@ -1979,6 +1980,7 @@ typedef enum _FILE_INFORMATION_CLASS { FileLinkInformationExBypassAccessCheck, FileStorageReserveIdInformation, FileCaseSensitiveInformationForceAccessCheck, + FileKnownFolderInformation, FileMaximumInformation } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; 
@@ -2980,18 +2982,36 @@ typedef struct _OBJECT_DIRECTORY_ENTRY { } OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY; typedef struct _EX_PUSH_LOCK { - union - { - ULONG Locked : 1; - ULONG Waiting : 1; - ULONG Waking : 1; - ULONG MultipleShared : 1; - ULONG Shared : 28; - ULONG Value; + union { + struct { + ULONG_PTR Locked : 1; + ULONG_PTR Waiting : 1; + ULONG_PTR Waking : 1; + ULONG_PTR MultipleShared : 1; + ULONG_PTR Shared : sizeof(ULONG_PTR) * 8 - 4; + }; + ULONG_PTR Value; PVOID Ptr; }; } EX_PUSH_LOCK, *PEX_PUSH_LOCK; +typedef struct _EX_PUSH_LOCK_AUTO_EXPAND_STATE { + union { + struct { + ULONG Expanded : 1; + ULONG Transitioning : 1; + ULONG Pageable : 1; + }; + ULONG Value; + }; +} EX_PUSH_LOCK_AUTO_EXPAND_STATE, *PEX_PUSH_LOCK_AUTO_EXPAND_STATE; /* size: 0x0004 */ + +typedef struct _EX_PUSH_LOCK_AUTO_EXPAND { + EX_PUSH_LOCK LocalLock; + EX_PUSH_LOCK_AUTO_EXPAND_STATE State; + ULONG Stats; +} EX_PUSH_LOCK_AUTO_EXPAND, *PEX_PUSH_LOCK_AUTO_EXPAND; /* size: 0x0010 */ + typedef struct _OBJECT_NAMESPACE_LOOKUPTABLE { LIST_ENTRY HashBuckets[NUMBER_HASH_BUCKETS]; EX_PUSH_LOCK Lock; 
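Review bot: The `/* size: 0x0010 */` on `EX_PUSH_LOCK_AUTO_EXPAND` only holds on 64-bit builds, since `EX_PUSH_LOCK` is pointer-sized (this same hunk derives the `Shared` width from `sizeof(ULONG_PTR)`), and nothing enforces it. The file already uses `C_ASSERT` for KUSER_SHARED_DATA, so check the size instead of annotating it: `#ifdef _WIN64` / `C_ASSERT(sizeof(EX_PUSH_LOCK_AUTO_EXPAND) == 0x10);` / `#endif`. The same applies to the size comments on `FLT_OBJECT_V2`, `FLT_SERVER_PORT_OBJECT`, `FLT_RESOURCE_LIST_HEAD`, `FLT_MUTEX_LIST_HEAD`, the four `FLT_FILTER_V*` structs and `OBP_SILODRIVERSTATE_V2` in later hunks, where an assertion would also catch a mismatch between the per-field offset comments and the actual layout.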
@@ -3493,6 +3513,61 @@ typedef struct _OBJECT_HEADER { QUAD Body; } OBJECT_HEADER, *POBJECT_HEADER; +// +// Actual object header from windows 10-11. +// +typedef struct _OBJECT_HEADER_X { + LONG_PTR PointerCount; + union + { + LONG_PTR HandleCount; + PVOID NextToFree; + }; + + EX_PUSH_LOCK Lock; + UCHAR TypeIndex; + + union + { + UCHAR TraceFlags; + struct + { + UCHAR DbgRefTrace : 1; + UCHAR DbgTracePermanent : 1; + }; + }; + + UCHAR InfoMask; + + union + { + UCHAR Flags; + struct + { + UCHAR NewObject : 1; + UCHAR KernelObject : 1; + UCHAR KernelOnlyAccess : 1; + UCHAR ExclusiveObject : 1; + UCHAR PermanentObject : 1; + UCHAR DefaultSecurityQuota : 1; + UCHAR SingleHandleEntry : 1; + UCHAR DeletedInline : 1; + }; + }; + + ULONG Reserved; + + union + { + POBJECT_CREATE_INFORMATION ObjectCreateInfo; + PVOID QuotaBlockCharged; + }; + + PVOID SecurityDescriptor; + QUAD Body; + +} OBJECT_HEADER_X, * POBJECT_HEADER_X; + #define OBJECT_TO_OBJECT_HEADER(obj) \ CONTAINING_RECORD( (obj), OBJECT_HEADER, Body ) @@ -3527,6 +3602,19 @@ typedef struct _DEVICE_MAP_V2 { PEJOB ServerSilo; } DEVICE_MAP_V2, * PDEVICE_MAP_V2; +//Since W11 (22000) +typedef struct _DEVICE_MAP_V3 { + OBJECT_DIRECTORY* DosDevicesDirectory; + OBJECT_DIRECTORY* GlobalDosDevicesDirectory; + PEJOB ServerSilo; + struct _DEVICE_MAP* GlobalDeviceMap; + EX_FAST_REF DriveObject[26]; + LONGLONG ReferenceCount; + PVOID DosDevicesDirectoryHandle; + ULONG DriveMap; + UCHAR DriveType[32]; +} DEVICE_MAP_V3, PDEVICE_MAP_V3; + /* ** OBJECT MANAGER END */ 
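Review bot: `} DEVICE_MAP_V3, PDEVICE_MAP_V3;` is missing the `*`, so `PDEVICE_MAP_V3` is a second name for the struct rather than a pointer to it; every other versioned typedef in this commit (`DEVICE_MAP_V2, * PDEVICE_MAP_V2`, `OBJECT_HEADER_X, * POBJECT_HEADER_X`) declares a pointer. Change it to `} DEVICE_MAP_V3, *PDEVICE_MAP_V3;`. Code that declares a `PDEVICE_MAP_V3` and uses `->` on it would fail to compile, which is likely how this would surface, but it is better fixed at the definition.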
@@ -4355,6 +4443,37 @@ typedef struct _FILE_OBJECT { } FILE_OBJECT; typedef struct _FILE_OBJECT* PFILE_OBJECT; +typedef ULONG_PTR ERESOURCE_THREAD; +typedef ERESOURCE_THREAD* PERESOURCE_THREAD; + +typedef struct _OWNER_ENTRY { + ERESOURCE_THREAD OwnerThread; + union { + LONG OwnerCount; + ULONG TableSize; + }; + +} OWNER_ENTRY, *POWNER_ENTRY; + +typedef struct _ERESOURCE { + LIST_ENTRY SystemResourcesList; + POWNER_ENTRY OwnerTable; + SHORT ActiveCount; + USHORT Flag; + PKSEMAPHORE SharedWaiters; + PKEVENT ExclusiveWaiters; + OWNER_ENTRY OwnerThreads[2]; + ULONG ContentionCount; + USHORT NumberOfSharedWaiters; + USHORT NumberOfExclusiveWaiters; + union { + PVOID Address; + ULONG_PTR CreatorBackTraceIndex; + }; + + KSPIN_LOCK SpinLock; +} ERESOURCE, *PERESOURCE; + /* * WDM END */ @@ -4465,6 +4584,7 @@ typedef struct _MI_REVERSE_VIEW_MAP { } u2; union { struct _MI_SYSTEM_CACHE_VIEW_ATTRIBUTES SystemCacheAttributes; + ULONGLONG AllAttributes; //Since W11 ULONGLONG SectionOffset; } u3; } MI_REVERSE_VIEW_MAP, * PMI_REVERSE_VIEW_MAP; /* size: 0x0028 */ @@ -4560,7 +4680,7 @@ typedef struct _CONTROL_AREA_COMPAT { union { volatile LONG WritableUserReferences; - struct + struct // version dependent, this bitset is not valid for w11 { unsigned long ImageRelocationSizeIn64k : 16; /* bit position: 0 */ unsigned long LargePage : 1; /* bit position: 16 */ @@ -5635,6 +5755,7 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG ProcessGroupId; // ULONG LoaderThreads; // UNICODE_STRING RedirectionDllName; + // UNICODE_STRING HeapPartitionName; // ULONGLONG* DefaultThreadpoolCpuSetMasks; // ULONG DefaultThreadpoolCpuSetMaskCount; // ULONG DefaultThreadpoolThreadMaximum; 
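Review bot: `ERESOURCE_THREAD`, `OWNER_ENTRY`, `ERESOURCE` and their pointer typedefs are introduced unconditionally, while the file guards other names the SDK may already provide (`#ifndef INTERFACE_TYPE` earlier, `#ifndef DISABLE_MAX_PRIVILEGE` later in this commit). If any translation unit includes this header together with a WDK header that declares the same tags, this hunk produces redefinition errors. I cannot tell from the diff whether such an include mix exists, so consider wrapping the group in a guard following the file's convention, e.g. `#ifndef <PROJECT_ERESOURCE_GUARD>` (placeholder name).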
@@ -5776,6 +5897,26 @@ typedef struct _PEB { }; }; ULONGLONG CsrServerReadOnlySharedMemoryBase; + //ULONGLONG TppWorkerpListLock; + //LIST_ENTRY TppWorkerpList; + //PVOID WaitOnAddressHashTable[128]; + //PVOID TelemetryCoverageHeader; + //ULONG CloudFileFlags; + //ULONG CloudFileDiagFlags; + //CHAR PlaceholderCompatibilityMode; + //CHAR PlaceholderCompatibilityModeReserved[7]; + //struct _LEAP_SECOND_DATA* LeapSecondData; + //union + //{ + // ULONG LeapSecondFlags; + // struct + // { + // ULONG SixtySecondEnabled : 1; + // ULONG Reserved : 31; + // }; + //}; + //ULONG NtGlobalFlag2; + //ULONG64 ExtendedFeatureDisableMask; } PEB, *PPEB; typedef struct _TEB_ACTIVE_FRAME_CONTEXT { @@ -5928,7 +6069,11 @@ typedef struct _TEB { USHORT DisableUserStackWalk : 1; USHORT RtlExceptionAttached : 1; USHORT InitialThread : 1; - USHORT SpareSameTebBits : 1; + USHORT SessionAware : 1; + USHORT LoadOwner : 1; + USHORT LoaderWorker : 1; + USHORT SkipLoaderInit : 1; + USHORT SkipFileAPIBrokering : 1; }; }; @@ -5938,9 +6083,13 @@ typedef struct _TEB { ULONG LockCount; ULONG SpareUlong0; PVOID ResourceRetValue; -// PVOID ReservedForWdf; -// ULONGLONG ReservedForCrt; -// GUID EffectiveContainerId; + //PVOID ReservedForWdf; + //ULONGLONG ReservedForCrt; + //GUID EffectiveContainerId; + //ULONGLONG LastSleepCounter; + //ULONG SpinCallCount; + //UCHAR Padding8[4]; + //ULONGLONG ExtendedFeatureDisableMask; } TEB, *PTEB; typedef struct _PROCESS_DEVICEMAP_INFORMATION { @@ -6300,15 +6449,16 @@ typedef struct _KUSER_SHARED_DATA { union { volatile KSYSTEM_TIME TickCount; volatile ULONG64 TickCountQuad; - ULONG ReservedTickCountOverlay[3]; + struct { + ULONG ReservedTickCountOverlay[3]; + ULONG TickCountPad[1]; + }; }; - ULONG TickCountPad[1]; - ULONG Cookie; - ULONG CookiedPad; + ULONG CookiedPad[1]; - ULONG ConsoleSessionForegroundProcessId; + LONGLONG ConsoleSessionForegroundProcessId; ULONGLONG TimeUpdateLock; ULONGLONG BaselineSystemTimeQpc; 
@@ -6351,11 +6501,109 @@ typedef struct _KUSER_SHARED_DATA { XSTATE_CONFIGURATION XState; + KSYSTEM_TIME FeatureConfigurationChangeStamp; + ULONG Spare; + } KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; #include #define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)MM_SHARED_USER_DATA_VA) +#if !defined(__midl) && !defined(MIDL_PASS) + +// +// The overall size can change, but it must be the same for all architectures. +// + +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountLowDeprecated) == 0x0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4); +C_ASSERT(__alignof(KSYSTEM_TIME) == 4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x08); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x014); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x020); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x02c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x02e); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x030); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AitSamplingValue) == 0x248); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AppCompatFlag) == 0x24c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, RNGSeedVersion) == 0x250); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, GlobalValidationRunlevel) == 0x258); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasStamp) == 0x25c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtBuildNumber) == 0x260); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NativeProcessorArchitecture) == 0x26a); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) 
== 0x26c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MitigationPolicies) == 0x2d5); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, VirtualizationFlags) == 0x2ed); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved12) == 0x2ee); + +#if defined(_MSC_EXTENSIONS) + +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SharedDataFlags) == 0x2f0); + +#endif + +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcFrequency) == 0x300); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCall) == 0x308); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad0) == 0x30c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310); + +#if defined(_MSC_EXTENSIONS) + +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320); + +#endif + +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Cookie) == 0x330); 
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ConsoleSessionForegroundProcessId) == 0x338); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeUpdateLock) == 0x340); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineSystemTimeQpc) == 0x348); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineInterruptTimeQpc) == 0x350); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrement) == 0x358); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrement) == 0x360); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrementShift) == 0x368); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrementShift) == 0x369); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UnparkedProcessorCount) == 0x36a); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, EnclaveFeatureMask) == 0x36c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved8) == 0x37c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserModeGlobalLogger) == 0x380); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageFileExecutionOptions) == 0x3a0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LangGenerationCount) == 0x3a4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved4) == 0x3a8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTimeBias) == 0x3b0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBias) == 0x3b8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveProcessorCount) == 0x3c0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveGroupCount) == 0x3c4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved9) == 0x3c5); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcData) == 0x3c6); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveStart) == 0x3c8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveEnd) == 0x3d0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8); + +#endif /* __midl | MIDL_PASS */ + /* ** KUSER_SHARED_DATA END */ 
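Review bot: The new C_ASSERT block stops at `XState` (0x3d8), so the two fields this hunk appends to KUSER_SHARED_DATA, `FeatureConfigurationChangeStamp` and `Spare`, are the only new members with no layout check, and there is no `sizeof` assertion at all, so a misplaced member after XState would go unnoticed. Add `C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, FeatureConfigurationChangeStamp) == <offset from the SDK for the targeted build>);` and `C_ASSERT(sizeof(KUSER_SHARED_DATA) == <size from the SDK>);` inside the same `#if !defined(__midl) && !defined(MIDL_PASS)` region. The KUSER_SHARED_DATA definition itself begins before this hunk.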
@@ -6369,7 +6617,7 @@ typedef struct _UNLOADED_DRIVERS { PVOID StartAddress; PVOID EndAddress; LARGE_INTEGER CurrentTime; -} UNLOADED_DRIVERS, * PUNLOADED_DRIVERS; +} UNLOADED_DRIVERS, *PUNLOADED_DRIVERS; #define MI_UNLOADED_DRIVERS 50 @@ -6381,17 +6629,24 @@ typedef struct _UNLOADED_DRIVERS { /* ** FLT MANAGER START */ - -#define FLTFL_MANDATORY_UNLOAD_IN_PROGRESS 0x1 -#define FLTFL_FILTERING_INITIATED 0x2 -#define FLTFL_NAME_PROVIDER 0x4 -#define FLTFL_SUPPORTS_PIPES_MAILSLOTS 0x8 - -#define FLT_OBFL_DRAINING 0x1 -#define FLT_OBFL_ZOMBIED 0x2 -#define FLT_OBFL_TYPE_INSTANCE 0x1000000 -#define FLT_OBFL_TYPE_FILTER 0x2000000 -#define FLT_OBFL_TYPE_VOLUME 0x4000000 +typedef enum _FLT_FILTER_FLAGS { + FLTFL_MANDATORY_UNLOAD_IN_PROGRESS = 1, + FLTFL_FILTERING_INITIATED = 2, + FLTFL_NAME_PROVIDER = 4, + FLTFL_SUPPORTS_PIPES_MAILSLOTS = 8, + FLTFL_BACKED_BY_PAGEFILE = 16, + FLTFL_SUPPORTS_DAX_VOLUME = 32, + FLTFL_SUPPORTS_WCOS = 64, + FLTFL_FILTERS_READ_WRITE = 128, +} FLT_FILTER_FLAGS, *PFLT_FILTER_FLAGS; + +typedef enum _FLT_OBJECT_FLAGS { + FLT_OBFL_DRAINING = 1, + FLT_OBFL_ZOMBIED = 2, + FLT_OBFL_TYPE_INSTANCE = 0x1000000, + FLT_OBFL_TYPE_FILTER = 0x2000000, + FLT_OBFL_TYPE_VOLUME = 0x4000000, +} FLT_OBJECT_FLAGS, *PFLT_OBJECT_FLAGS; typedef struct _FLT_OBJECT { ULONG Flags; @@ -6400,6 +6655,15 @@ typedef struct _FLT_OBJECT { LIST_ENTRY PrimaryLink; } FLT_OBJECT, *PFLT_OBJECT; +// Since w10 th1 +typedef struct _FLT_OBJECT_V2 { + ULONG Flags; + ULONG PointerCount; + EX_RUNDOWN_REF RundownRef; + LIST_ENTRY PrimaryLink; + GUID UniqueIdentifier; +} FLT_OBJECT_V2, *PFLT_OBJECT_V2; /* size: 0x0030 */ + typedef struct _FLT_SERVER_PORT_OBJECT { LIST_ENTRY FilterLink; PVOID ConnectNotify; 
@@ -6408,9 +6672,171 @@ typedef struct _FLT_SERVER_PORT_OBJECT { PVOID Filter; PVOID Cookie; ULONG Flags; - ULONG NumberOfConnections; - ULONG MaxConnections; -} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; + LONG NumberOfConnections; + LONG MaxConnections; + LONG __PADDING__[1]; +} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; /* size: 0x0048 */ + +typedef struct _FLT_RESOURCE_LIST_HEAD { + ERESOURCE rLock; + LIST_ENTRY rList; + ULONG rCount; + LONG __PADDING__[1]; +} FLT_RESOURCE_LIST_HEAD, *PFLT_RESOURCE_LIST_HEAD; /* size: 0x0080 */ + +typedef struct _FLT_MUTEX_LIST_HEAD { + FAST_MUTEX mLock; + LIST_ENTRY mList; + union { + ULONG mCount; + struct { + UCHAR mInvalid : 1; + CHAR __PADDING__[7]; + }; + }; +} FLT_MUTEX_LIST_HEAD, *PFLT_MUTEX_LIST_HEAD; /* size: 0x0050 */ + +// Windows 7 version +typedef struct _FLT_FILTER_V1 { + /* 0x0000 */ FLT_OBJECT Base; + /* 0x0020 */ struct _FLTP_FRAME* Frame; + /* 0x0028 */ UNICODE_STRING Name; + /* 0x0038 */ UNICODE_STRING DefaultAltitude; + /* 0x0048 */ FLT_FILTER_FLAGS Flags; + /* 0x004c */ LONG Padding; + /* 0x0050 */ DRIVER_OBJECT* DriverObject; + /* 0x0058 */ FLT_RESOURCE_LIST_HEAD InstanceList; + /* 0x00d8 */ struct FLT_VERIFIER_EXTENSION* VerifierExtension; + /* 0x00e0 */ LIST_ENTRY VerifiedFiltersLink; + /* 0x00f0 */ PVOID FilterUnload /* function */; + /* 0x00f8 */ PVOID InstanceSetup /* function */; + /* 0x0100 */ PVOID InstanceQueryTeardown /* function */; + /* 0x0108 */ PVOID InstanceTeardownStart /* function */; + /* 0x0110 */ PVOID InstanceTeardownComplete /* function */; + /* 0x0118 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead; + /* 0x0120 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[6]; + /* 0x0150 */ PVOID PreVolumeMount /* function */; + /* 0x0158 */ PVOID PostVolumeMount /* function */; + /* 0x0160 */ PVOID GenerateFileName /* function */; + /* 0x0168 */ PVOID NormalizeNameComponent /* function */; + /* 0x0170 */ PVOID NormalizeNameComponentEx /* function */; + /* 0x0178 
*/ PVOID NormalizeContextCleanup /* function */; + /* 0x0180 */ PVOID KtmNotification /* function */; + /* 0x0188 */ struct _FLT_OPERATION_REGISTRATION* Operations; + /* 0x0190 */ PVOID OldDriverUnload /* function */; + /* 0x0198 */ FLT_MUTEX_LIST_HEAD ActiveOpens; + /* 0x01e8 */ FLT_MUTEX_LIST_HEAD ConnectionList; + /* 0x0238 */ FLT_MUTEX_LIST_HEAD PortList; + /* 0x0288 */ EX_PUSH_LOCK PortLock; +} FLT_FILTER_V1, * PFLT_FILTER_V1; /* size: 0x0290 */ + +// Windows 8/8.1 version +typedef struct _FLT_FILTER_V2 { + /* 0x0000 */ FLT_OBJECT Base; + /* 0x0020 */ struct _FLTP_FRAME* Frame; + /* 0x0028 */ UNICODE_STRING Name; + /* 0x0038 */ UNICODE_STRING DefaultAltitude; + /* 0x0048 */ FLT_FILTER_FLAGS Flags; + /* 0x004c */ LONG Padding; + /* 0x0050 */ DRIVER_OBJECT* DriverObject; + /* 0x0058 */ FLT_RESOURCE_LIST_HEAD InstanceList; + /* 0x00d8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension; + /* 0x00e0 */ LIST_ENTRY VerifiedFiltersLink; + /* 0x00f0 */ PVOID FilterUnload /* function */; + /* 0x00f8 */ PVOID InstanceSetup /* function */; + /* 0x0100 */ PVOID InstanceQueryTeardown /* function */; + /* 0x0108 */ PVOID InstanceTeardownStart /* function */; + /* 0x0110 */ PVOID InstanceTeardownComplete /* function */; + /* 0x0118 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead; + /* 0x0120 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7]; + /* 0x0158 */ PVOID PreVolumeMount /* function */; + /* 0x0160 */ PVOID PostVolumeMount /* function */; + /* 0x0168 */ PVOID GenerateFileName /* function */; + /* 0x0170 */ PVOID NormalizeNameComponent /* function */; + /* 0x0178 */ PVOID NormalizeNameComponentEx /* function */; + /* 0x0180 */ PVOID NormalizeContextCleanup /* function */; + /* 0x0188 */ PVOID KtmNotification /* function */; + /* 0x0190 */ PVOID SectionNotification /* function */; //SINCE 8.1 + /* 0x0198 */ struct _FLT_OPERATION_REGISTRATION* Operations; + /* 0x01a0 */ PVOID OldDriverUnload /* function */; + /* 0x01a8 */ FLT_MUTEX_LIST_HEAD 
ActiveOpens; + /* 0x01f8 */ FLT_MUTEX_LIST_HEAD ConnectionList; + /* 0x0248 */ FLT_MUTEX_LIST_HEAD PortList; + /* 0x0298 */ EX_PUSH_LOCK PortLock; +} FLT_FILTER_V2, * PFLT_FILTER_V2; /* size: 0x02a0 */ + +// Windows 10 version +typedef struct _FLT_FILTER_V3 { + /* 0x0000 */ FLT_OBJECT_V2 Base; + /* 0x0030 */ struct _FLTP_FRAME* Frame; + /* 0x0038 */ UNICODE_STRING Name; + /* 0x0048 */ UNICODE_STRING DefaultAltitude; + /* 0x0058 */ FLT_FILTER_FLAGS Flags; + /* 0x005c */ LONG Padding; + /* 0x0060 */ DRIVER_OBJECT* DriverObject; + /* 0x0068 */ FLT_RESOURCE_LIST_HEAD InstanceList; + /* 0x00e8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension; + /* 0x00f0 */ LIST_ENTRY VerifiedFiltersLink; + /* 0x0100 */ PVOID FilterUnload /* function */; + /* 0x0108 */ PVOID InstanceSetup /* function */; + /* 0x0110 */ PVOID InstanceQueryTeardown /* function */; + /* 0x0118 */ PVOID InstanceTeardownStart /* function */; + /* 0x0120 */ PVOID InstanceTeardownComplete /* function */; + /* 0x0128 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead; + /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7]; + /* 0x0168 */ PVOID PreVolumeMount /* function */; + /* 0x0170 */ PVOID PostVolumeMount /* function */; + /* 0x0178 */ PVOID GenerateFileName /* function */; + /* 0x0180 */ PVOID NormalizeNameComponent /* function */; + /* 0x0188 */ PVOID NormalizeNameComponentEx /* function */; + /* 0x0190 */ PVOID NormalizeContextCleanup /* function */; + /* 0x0198 */ PVOID KtmNotification /* function */; + /* 0x01a0 */ PVOID SectionNotification /* function */; + /* 0x01a8 */ struct _FLT_OPERATION_REGISTRATION* Operations; + /* 0x01b0 */ PVOID OldDriverUnload /* function */; + /* 0x01b8 */ FLT_MUTEX_LIST_HEAD ActiveOpens; + /* 0x0208 */ FLT_MUTEX_LIST_HEAD ConnectionList; + /* 0x0258 */ FLT_MUTEX_LIST_HEAD PortList; + /* 0x02a8 */ EX_PUSH_LOCK PortLock; +} FLT_FILTER_V3, *PFLT_FILTER_V3; /* size: 0x02b0 */ + +// Windows 10/11+ (22000) +typedef struct _FLT_FILTER_V4 { + /* 
0x0000 */ FLT_OBJECT_V2 Base; + /* 0x0030 */ struct _FLTP_FRAME* Frame; + /* 0x0038 */ UNICODE_STRING Name; + /* 0x0048 */ UNICODE_STRING DefaultAltitude; + /* 0x0058 */ FLT_FILTER_FLAGS Flags; + /* 0x005c */ LONG Padding; + /* 0x0060 */ DRIVER_OBJECT* DriverObject; + /* 0x0068 */ FLT_RESOURCE_LIST_HEAD InstanceList; + /* 0x00e8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension; + /* 0x00f0 */ LIST_ENTRY VerifiedFiltersLink; + /* 0x0100 */ PVOID FilterUnload /* function */; + /* 0x0108 */ PVOID InstanceSetup /* function */; + /* 0x0110 */ PVOID InstanceQueryTeardown /* function */; + /* 0x0118 */ PVOID InstanceTeardownStart /* function */; + /* 0x0120 */ PVOID InstanceTeardownComplete /* function */; + /* 0x0128 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead; + /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7]; + /* 0x0168 */ PVOID PreVolumeMount /* function */; + /* 0x0170 */ PVOID PostVolumeMount /* function */; + /* 0x0178 */ PVOID GenerateFileName /* function */; + /* 0x0180 */ PVOID NormalizeNameComponent /* function */; + /* 0x0188 */ PVOID NormalizeNameComponentEx /* function */; + /* 0x0190 */ PVOID NormalizeContextCleanup /* function */; + /* 0x0198 */ PVOID KtmNotification /* function */; + /* 0x01a0 */ PVOID SectionNotification /* function */; + /* 0x01a8 */ struct _FLT_OPERATION_REGISTRATION* Operations; + /* 0x01b0 */ PVOID OldDriverUnload /* function */; + /* 0x01b8 */ FLT_MUTEX_LIST_HEAD ActiveOpens; + /* 0x0208 */ FLT_MUTEX_LIST_HEAD ConnectionList; + /* 0x0258 */ FLT_MUTEX_LIST_HEAD PortList; + /* 0x02a8 */ EX_PUSH_LOCK_AUTO_EXPAND PortLock; +} FLT_FILTER_V4, * PFLT_FILTER_V4; /* size: 0x02b8 */ + +typedef FLT_FILTER_V4 FLT_FILTER_COMPATIBLE; +typedef PFLT_FILTER_V4 PFLT_FILTER_COMPATIBLE; /* ** FLT MANAGER END 
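Review bot: `FLT_FILTER_V1` declares `struct FLT_VERIFIER_EXTENSION* VerifierExtension;` while `FLT_FILTER_V2`, `_V3` and `_V4` use `struct _FLT_VERIFIER_EXTENSION*`; the missing underscore makes V1 point at a different, never-defined incomplete type, so the field cannot be assigned across versions without a cast and the tag is inconsistent with the rest of the file. Change the V1 line to `/* 0x00d8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;`. Separately, `__PADDING__` (used here in `FLT_SERVER_PORT_OBJECT`, `FLT_RESOURCE_LIST_HEAD` and `FLT_MUTEX_LIST_HEAD`) is a reserved identifier in C because of the leading double underscore; a name such as `Padding0` avoids that.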
@@ -6433,6 +6859,7 @@ typedef struct _SILO_USER_SHARED_DATA { ULONG SuiteMask; ULONG SharedUserSessionId; BOOLEAN IsMultiSessionSku; + BOOLEAN IsStateSeparationEnabled; WCHAR NtSystemRoot[260]; USHORT UserModeGlobalLogger[16]; } SILO_USER_SHARED_DATA, *PSILO_USER_SHARED_DATA; @@ -6449,6 +6876,13 @@ typedef struct _OBP_SILODRIVERSTATE { OBJECT_NAMESPACE_LOOKUPTABLE PrivateNamespaceLookupTable; } OBP_SILODRIVERSTATE, *POBP_SILODRIVERSTATE; +typedef struct _OBP_SILODRIVERSTATE_V2 { + EX_FAST_REF SystemDeviceMap; + OBP_SYSTEM_DOS_DEVICE_STATE SystemDosDeviceState; + EX_PUSH_LOCK DeviceMapLock; + OBJECT_NAMESPACE_LOOKUPTABLE PrivateNamespaceLookupTable; +} OBP_SILODRIVERSTATE_V2, * POBP_SILODRIVERSTATE_V2; /* size: 0x02e0 */ + //incomplete, values not important, change between versions. typedef struct _ESERVERSILO_GLOBALS { OBP_SILODRIVERSTATE ObSiloState; @@ -6792,7 +7226,7 @@ PushEntryList( #define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2 typedef enum _LDR_DLL_LOAD_REASON { - LoadReasonStaticDependency, + LoadReasonStaticDependency = 0, LoadReasonStaticForwarderDependency, LoadReasonDynamicForwarderDependency, LoadReasonDelayloadDependency, @@ -6801,6 +7235,7 @@ typedef enum _LDR_DLL_LOAD_REASON { LoadReasonAsDataLoad, LoadReasonEnclavePrimary, LoadReasonEnclaveDependency, + LoadReasonPatchImage, LoadReasonUnknown = -1 } LDR_DLL_LOAD_REASON, * PLDR_DLL_LOAD_REASON; @@ -6971,6 +7406,16 @@ typedef struct _LDR_DDAG_NODE ULONG PreorderNumber; } LDR_DDAG_NODE, * PLDR_DDAG_NODE; +typedef enum _LDR_HOT_PATCH_STATE +{ + LdrHotPatchBaseImage = 0, + LdrHotPatchNotApplied = 1, + LdrHotPatchAppliedReverse = 2, + LdrHotPatchAppliedForward = 3, + LdrHotPatchFailedToPatch = 4, + LdrHotPatchStateMax = 5, +} LDR_HOT_PATCH_STATE, * PLDR_HOT_PATCH_STATE; + // // Full declaration of LDR_DATA_TABLE_ENTRY // 
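Review bot: `OBP_SILODRIVERSTATE_V2` carries no indication of which build introduced it, unlike the other versioned additions in this commit (`//Since W11 (22000)` on `DEVICE_MAP_V3`, `// Since w10 th1` on `FLT_OBJECT_V2`), and the original `OBP_SILODRIVERSTATE` is only partly visible here, so a reader cannot tell what changed. Add a one-line comment above the typedef in the same style, `// Since <build> - <what differs from OBP_SILODRIVERSTATE>`, with the build taken from the symbols this layout was derived from. The context lines show `ESERVERSILO_GLOBALS` still embedding the V1 `OBP_SILODRIVERSTATE`; if that is intentional, say so next to the V2 definition.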
@@ -7045,6 +7490,12 @@ typedef struct _LDR_DATA_TABLE_ENTRY_FULL ULONG ReferenceCount; ULONG DependentLoadFlags; UCHAR SigningLevel; + CHAR Padding1[3]; + ULONG CheckSum; + LONG Padding2; + PVOID ActivePatchImageBase; + LDR_HOT_PATCH_STATE HotPatchState; + LONG __PADDING__[1]; } LDR_DATA_TABLE_ENTRY_FULL, * PLDR_DATA_TABLE_ENTRY_FULL; typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA { @@ -7390,14 +7841,16 @@ LdrProcessRelocationBlock( _In_ PUSHORT NextOffset, _In_ LONG_PTR Diff); +DECLSPEC_NORETURN NTSYSAPI -NTSTATUS +VOID NTAPI LdrShutdownProcess( VOID); +DECLSPEC_NORETURN NTSYSAPI -NTSTATUS +VOID NTAPI LdrShutdownThread( VOID); @@ -7732,7 +8185,7 @@ RtlGetFullPathName_U( _Out_opt_ PWSTR *lpFilePart); NTSYSAPI -BOOLEAN +NTSTATUS NTAPI RtlGetSearchPath( _Out_ PWSTR *SearchPath); @@ -7853,14 +8306,14 @@ VOID NTAPI RtlRunEncodeUnicodeString( _Inout_ PUCHAR Seed, - _In_ PUNICODE_STRING String); + _Inout_ PUNICODE_STRING String); NTSYSAPI VOID NTAPI RtlRunDecodeUnicodeString( _In_ UCHAR Seed, - _In_ PUNICODE_STRING String); + _Inout_ PUNICODE_STRING String); /************************************************************************************ * @@ -9320,6 +9773,26 @@ NTAPI RtlGetSystemTimePrecise( VOID); +NTSYSAPI +LARGE_INTEGER +NTAPI +RtlGetInterruptTimePrecise( + _Out_ PLARGE_INTEGER PerformanceCounter); + +NTSYSAPI +BOOLEAN +NTAPI +RtlQueryUnbiasedInterruptTime( + _Out_ PLARGE_INTEGER InterruptTime); + +NTSYSAPI +KSYSTEM_TIME +NTAPI +RtlGetSystemTimeAndBias( + _Out_ KSYSTEM_TIME TimeZoneBias, + _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveStart, + _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveEnd); + /************************************************************************************ * * RTL Debug Support API. @@ -10817,7 +11290,7 @@ NtQueryDirectoryFile( _In_opt_ PUNICODE_STRING FileName, _In_ BOOLEAN RestartScan); -NTSYSCALLAPI +NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryFileEx( 
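Review bot: `RtlGetSystemTimeAndBias` declares `_Out_ KSYSTEM_TIME TimeZoneBias`, and an `_Out_` annotation on a by-value struct is contradictory: the callee cannot write back through a value parameter, so either it is an input (`_In_ KSYSTEM_TIME TimeZoneBias`) or the parameter is really a pointer (`_Out_ KSYSTEM_TIME *TimeZoneBias`). The prototype should be checked against the ntdll export before anything calls it, because the wrong form changes what is passed on the stack/in registers. The sibling `RtlGetInterruptTimePrecise` and `RtlQueryUnbiasedInterruptTime` in this hunk use pointer out-parameters consistently.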
@@ -10965,6 +11438,15 @@ NtLoadHotPatch( _In_ PUNICODE_STRING HotPatchName, _Reserved_ ULONG LoadFlag); +NTSYSAPI +NTSTATUS +NTAPI +NtManageHotPatch( + _In_ ULONG HotPatchInformation, + _In_ PVOID HotPatchData, + _In_ ULONG Length, + _Out_ PULONG ReturnLength); + /************************************************************************************ * * Section API (+MemoryPartitions). @@ -10986,6 +11468,13 @@ typedef enum _MEMORY_PARTITION_INFORMATION_CLASS { SystemMemoryPartitionCombineMemory, SystemMemoryPartitionInitialAddMemory, SystemMemoryPartitionGetMemoryEvents, + SystemMemoryPartitionSetAttributes, + SystemMemoryPartitionNodeInformation, + SystemMemoryPartitionCreateLargePages, + SystemMemoryPartitionDedicatedMemoryInformation, + SystemMemoryPartitionOpenDedicatedMemory, + SystemMemoryPartitionMemoryChargeAttributes, + SystemMemoryPartitionClearAttributes, SystemMemoryPartitionMax } MEMORY_PARTITION_INFORMATION_CLASS; @@ -11034,7 +11523,14 @@ typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION { ULONG_PTR ZeroPages; ULONG_PTR FreePages; ULONG_PTR StandbyPages; -} MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION; + + // Fields added RS1+ + ULONG_PTR StandbyPageCountByPriority[8]; + ULONG_PTR RepurposedPagesByPriority[8]; + ULONG_PTR MaximumCommitLimit; + ULONG_PTR DonatedPagesToPartitions; + ULONG PartitionId; +} MEMORY_PARTITION_CONFIGURATION_INFORMATION, * PMEMORY_PARTITION_CONFIGURATION_INFORMATION; NTSYSAPI NTSTATUS @@ -11172,6 +11668,15 @@ NtAreMappedFilesTheSame( _In_ PVOID File1MappedAsAnImage, _In_ PVOID File2MappedAsFile); +NTSYSAPI +NTSTATUS +NTAPI +NtCreatePartition( + _Out_ PHANDLE PartitionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ ULONG PreferredNode); + NTSYSAPI NTSTATUS NTAPI 
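Review bot: Appending the `// Fields added RS1+` members to `MEMORY_PARTITION_CONFIGURATION_INFORMATION` changes `sizeof` the struct for every caller, so code that passes `sizeof(MEMORY_PARTITION_CONFIGURATION_INFORMATION)` as `PartitionInformationLength` to `NtManagePartition` now sends the larger size to pre-RS1 kernels too, where the length presumably no longer matches. The rest of this commit handles layout growth with versioned types (`DEVICE_MAP_V3`, `FLT_FILTER_V4`, `OBP_SILODRIVERSTATE_V2`); keeping the old struct and adding a `_V2` variant would fit here as well. If all supported targets are RS1 or later, a comment stating that minimum build next to the struct would be enough.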
@@ -11187,18 +11692,9 @@ NtManagePartition( _In_ HANDLE TargetHandle, _In_opt_ HANDLE SourceHandle, _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, - _In_ PVOID PartitionInformation, + _Inout_updates_bytes_(PartitionInformationLength) PVOID PartitionInformation, _In_ ULONG PartitionInformationLength); -NTSYSAPI -NTSTATUS -NTAPI -NtCreatePartition( - _Out_ PHANDLE PartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG PreferredNode); - /************************************************************************************ * * Token API. @@ -11392,10 +11888,21 @@ NtDuplicateToken( _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE NewTokenHandle); +#ifndef DISABLE_MAX_PRIVILEGE #define DISABLE_MAX_PRIVILEGE 0x1 // winnt +#endif + +#ifndef SANDBOX_INERT #define SANDBOX_INERT 0x2 // winnt -#define LUA_TOKEN 0x4 -#define WRITE_RESTRICT 0x8 +#endif + +#ifndef LUA_TOKEN +#define LUA_TOKEN 0x4 // winnt +#endif + +#ifndef WRITE_RESTRICTED +#define WRITE_RESTRICTED 0x8 // winnt +#endif NTSYSAPI NTSTATUS 
@@ -12193,9 +12700,83 @@ NtOpenTransactionManager( * ************************************************************************************/ +typedef struct _INITIAL_TEB +{ + struct + { + PVOID OldStackBase; + PVOID OldStackLimit; + } OldInitialTeb; + PVOID StackBase; + PVOID StackLimit; + PVOID StackAllocationBase; +} INITIAL_TEB, * PINITIAL_TEB; + +#define PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS 0x00000001 + #define QUEUE_USER_APC_FLAGS_NONE 0 #define QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC 1 +// +// NtCreateProcessEx specific flags. +// +#define PS_REQUEST_BREAKAWAY 1 +#define PS_NO_DEBUG_INHERIT 2 +#define PS_INHERIT_HANDLES 4 +#define PS_LARGE_PAGES 8 +#define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \ + PS_NO_DEBUG_INHERIT | \ + PS_INHERIT_HANDLES | \ + PS_LARGE_PAGES) + +NTSYSAPI +NTSTATUS +NTAPI +NtGetNextProcess( + _In_opt_ HANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ ULONG HandleAttributes, + _In_ ULONG Flags, + _Out_ PHANDLE NewProcessHandle); + +NTSYSAPI +NTSTATUS +NTAPI +NtGetNextThread( + _In_ HANDLE ProcessHandle, + _In_ HANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ ULONG HandleAttributes, + _In_ ULONG Flags, + _Out_ PHANDLE NewThreadHandle); + +NTSYSAPI +NTSTATUS +NTAPI +NtCreateProcess( + _Out_ PHANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ParentProcess, + _In_ BOOLEAN InheritObjectTable, + _In_opt_ HANDLE SectionHandle, + _In_opt_ HANDLE DebugPort, + _In_opt_ HANDLE ExceptionPort); + +NTSYSAPI +NTSTATUS +NTAPI +NtCreateProcessEx( + _Out_ PHANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ParentProcess, + _In_ ULONG Flags, + _In_opt_ HANDLE SectionHandle, + _In_opt_ HANDLE DebugPort, + _In_opt_ HANDLE ExceptionPort, + _In_ BOOLEAN InJob); + NTSYSAPI NTSTATUS NTAPI 
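Review bot: `NtGetNextProcess` and `NtGetNextThread` take a `Flags` argument with no indication of the accepted values, whereas `NtCreateThreadEx` in the following hunk annotates its flags (`_In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_*`) and `PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS` is defined a few lines above without naming its consumer. Annotate the parameter in the same style, `_In_ ULONG Flags, //PROCESS_GET_NEXT_FLAGS_*`, on `NtGetNextProcess`, and add a comment above `PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS` stating that it is a `Flags` value for `NtGetNextProcess`.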
@@ -12212,6 +12793,35 @@ NtCreateUserProcess( _Inout_ PPS_CREATE_INFO CreateInfo, _In_opt_ PPS_ATTRIBUTE_LIST AttributeList); +NTSYSAPI +NTSTATUS +NTAPI +NtCreateThread( + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ProcessHandle, + _Out_ PCLIENT_ID ClientId, + _In_ PCONTEXT ThreadContext, + _In_ PINITIAL_TEB InitialTeb, + _In_ BOOLEAN CreateSuspended); + +NTSYSAPI +NTSTATUS +NTAPI +NtCreateThreadEx( + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ProcessHandle, + _In_ PVOID StartRoutine, + _In_opt_ PVOID Argument, + _In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_* + _In_opt_ ULONG_PTR ZeroBits, + _In_opt_ SIZE_T StackSize, + _In_opt_ SIZE_T MaximumStackSize, + _In_opt_ PPS_ATTRIBUTE_LIST AttributeList); + NTSYSAPI NTSTATUS NTAPI 
@@ -12383,39 +12993,35 @@ NtTestAlert( NTSYSAPI NTSTATUS NTAPI -NtDelayExecution( - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER DelayInterval); +NtAlertThread( + _In_ HANDLE ThreadHandle); NTSYSAPI NTSTATUS NTAPI -NtCreateProcessEx( - _Out_ PHANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ParentProcess, - _In_ ULONG Flags, - _In_opt_ HANDLE SectionHandle, - _In_opt_ HANDLE DebugPort, - _In_opt_ HANDLE ExceptionPort, - _In_ BOOLEAN InJob); +NtAlertResumeThread( + _In_ HANDLE ThreadHandle, + _Out_opt_ PULONG PreviousSuspendCount); NTSYSAPI NTSTATUS NTAPI -NtCreateThreadEx( - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ProcessHandle, - _In_ PVOID StartRoutine, - _In_opt_ PVOID Argument, - _In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_* - _In_opt_ ULONG_PTR ZeroBits, - _In_opt_ SIZE_T StackSize, - _In_opt_ SIZE_T MaximumStackSize, - _In_opt_ PPS_ATTRIBUTE_LIST AttributeList); +NtAlertThreadByThreadId( + _In_ HANDLE ThreadId); + +NTSYSAPI +NTSTATUS +NTAPI +NtWaitForAlertByThreadId( + _In_ PVOID Address, + _In_opt_ PLARGE_INTEGER Timeout); + +NTSYSAPI +NTSTATUS +NTAPI +NtDelayExecution( + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER DelayInterval); NTSYSAPI ULONG diff --git a/Source/Yuubari/Resource.rc b/Source/Yuubari/Resource.rc index 3dcd728..53d6e35 100644 Binary files a/Source/Yuubari/Resource.rc and b/Source/Yuubari/Resource.rc differ diff --git a/Source/Yuubari/Yuubari.vcxproj b/Source/Yuubari/Yuubari.vcxproj index 9b4f43e..112b218 100644 --- a/Source/Yuubari/Yuubari.vcxproj +++ b/Source/Yuubari/Yuubari.vcxproj @@ -18,7 +18,7 @@ {304D5A8A-EF98-4E21-8F4D-91E66E0BECAC} Win32Proj Yuubari - 10.0 + 10.0.19041.0 diff --git a/Source/Yuubari/appinfo.c b/Source/Yuubari/appinfo.c index d1b3cc3..171d3b7 100644 --- a/Source/Yuubari/appinfo.c +++ b/Source/Yuubari/appinfo.c 
@@ -4,9 +4,9 @@ * * TITLE: APPINFO.C * -* VERSION: 1.50 +* VERSION: 1.51 * -* DATE: 26 July 2021 +* DATE: 31 Oct 2021 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED @@ -17,21 +17,14 @@ #include "global.h" #include "patterns.h" #include "Shared/hde/hde64.h" -#pragma comment(lib, "dbghelp.lib") #pragma comment(lib, "version.lib") +#define DEFAULT_SYMPATH L"*https://msdl.microsoft.com/download/symbols" + #define TEXT_SECTION ".text" #define TEXT_SECTION_LEGNTH sizeof(TEXT_SECTION) -pfnSymSetOptions pSymSetOptions; -pfnSymInitializeW pSymInitializeW = NULL; -pfnSymLoadModuleExW pSymLoadModuleExW = NULL; -pfnSymEnumSymbolsW pSymEnumSymbolsW = NULL; -pfnSymUnloadModule64 pSymUnloadModule64 = NULL; -pfnSymFromAddrW pSymFromAddrW = NULL; -pfnSymCleanup pSymCleanup = NULL; - -UAC_PATTERN g_MmcPatterns[] = { +static UAC_PATTERN g_MmcPatterns[] = { { ptMmcBlock_7600, sizeof(ptMmcBlock_7600), 4, NT_WIN7_RTM, NT_WIN7_RTM }, { ptMmcBlock_7601, sizeof(ptMmcBlock_7601), 4, NT_WIN7_SP1, NT_WIN7_SP1 }, { ptMmcBlock_9200, sizeof(ptMmcBlock_9200), 4, NT_WIN8_RTM, NT_WIN8_RTM }, @@ -41,9 +34,8 @@ UAC_PATTERN g_MmcPatterns[] = { { ptMmcBlock_16300_17134, sizeof(ptMmcBlock_16300_17134), 4, NT_WIN10_REDSTONE4, NT_WIN10_REDSTONE4 } }; -UAC_PATTERN g_MmcPatterns2[] = { - { ptMmcBlock_Start21H1, sizeof(ptMmcBlock_Start21H1), 0, NT_WIN10_21H1, NT_WIN10_21H1 }, - { ptMmcBlock_StartW11, sizeof(ptMmcBlock_StartW11), 0, NTX_WIN11_ADB, NTX_WIN11_ADB } +static UAC_PATTERN g_MmcPatterns2[] = { + { ptMmcBlock_StartW11, sizeof(ptMmcBlock_StartW11), 0, NT_WIN11_21H2, NTX_WIN11_ADB } }; #define TestChar(x) (((WCHAR)x >= L'A') && ((WCHAR)x <= L'z')) 
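Review bot: `DEFAULT_SYMPATH` is defined with a leading `*`, which only makes sense once the reader knows it is appended after a `SRV*<cache>` prefix built elsewhere in the file; give the macro a comment such as `// tail of a SRV*<local cache>*<server> symbol path; the leading '*' is the field separator`. In the third hunk `g_MmcPatterns2` shrinks to a single entry spanning `NT_WIN11_21H2` through `NTX_WIN11_ADB` and the 21H1 entry is removed, which presumably relies on Windows 10 21H1/21H2 being routed to the Win10 matcher later in the file; since the table's build range now doubles as a dispatch boundary, a one-line comment at the table (`// Windows 11 only; Windows 10 builds are matched by g_MmcPatterns / QueryAiMmcBlockWin10`) would keep the two in step. The first hunk is a version bump.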
@@ -72,7 +64,7 @@ BOOL GetAppInfoBuildVersion(
 dwHandle = 0;
 dwSize = GetFileVersionInfoSize(lpFileName, &dwHandle);
 if (dwSize) {
- vinfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSize);
+ vinfo = supHeapAlloc(dwSize);
 if (vinfo) {
 if (GetFileVersionInfo(lpFileName, 0, dwSize, vinfo)) {
 bResult = VerQueryValue(vinfo, TEXT("\\"), (LPVOID*)&pFileInfo, (PUINT)&Length);
@@ -80,175 +72,167 @@ BOOL GetAppInfoBuildVersion( *BuildNumber = HIWORD(pFileInfo->dwFileVersionLS); } } - HeapFree(GetProcessHeap(), 0, vinfo); + supHeapFree(vinfo); } } return bResult; } /* -* InitDbgHelp +* LookupAddressBySymbol * * Purpose: * -* This function loads dbghelp.dll, symsrv.dll from symdll directory and -* initialize function pointers from dbghelp.dll. +* Return address of symbol by name. * */ -BOOL InitDbgHelp( - VOID +ULONG64 LookupAddressBySymbol( + _In_ pfnSymFromNameW SymFromName, + _In_ LPCWSTR SymbolName, + _Out_opt_ PBOOL Status ) { - BOOL bResult = FALSE; - HMODULE hDbgHelp = NULL; - SIZE_T length; - WCHAR szBuffer[MAX_PATH * 2]; - - do { - RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); - if (GetModuleFileName(NULL, szBuffer, MAX_PATH) == 0) - break; - - _filepath(szBuffer, szBuffer); - _strcat(szBuffer, L"symdll\\"); - length = _strlen(szBuffer); - _strcat(szBuffer, L"dbghelp.dll"); - - hDbgHelp = LoadLibrary(szBuffer); - if (hDbgHelp == NULL) - break; - - szBuffer[length] = 0; - _strcat(szBuffer, L"symsrv.dll"); - if (LoadLibrary(szBuffer)) { - - pSymSetOptions = (pfnSymSetOptions)GetProcAddress(hDbgHelp, "SymSetOptions"); - if (pSymSetOptions == NULL) - break; - - pSymInitializeW = (pfnSymInitializeW)GetProcAddress(hDbgHelp, "SymInitializeW"); - if (pSymInitializeW == NULL) - break; + BOOL bStatus = FALSE; + SIZE_T symSize; + ULONG64 symAddress = 0; + PSYMBOL_INFOW symbolInfo = NULL; - pSymLoadModuleExW = (pfnSymLoadModuleExW)GetProcAddress(hDbgHelp, "SymLoadModuleExW"); - if (pSymLoadModuleExW == NULL) - break; + symSize = sizeof(SYMBOL_INFOW); - pSymEnumSymbolsW = (pfnSymEnumSymbolsW)GetProcAddress(hDbgHelp, "SymEnumSymbolsW"); - if (pSymEnumSymbolsW == NULL) - break; + symbolInfo = (PSYMBOL_INFOW)supHeapAlloc(symSize); + if (symbolInfo) { - pSymUnloadModule64 = (pfnSymUnloadModule64)GetProcAddress(hDbgHelp, "SymUnloadModule64"); - if (pSymUnloadModule64 == NULL) - break; + symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW); + 
symbolInfo->MaxNameLen = 0; //name is not used - pSymFromAddrW = (pfnSymFromAddrW)GetProcAddress(hDbgHelp, "SymFromAddrW"); - if (pSymFromAddrW == NULL) - break; + bStatus = SymFromName( + GetCurrentProcess(), + SymbolName, + symbolInfo); - pSymCleanup = (pfnSymCleanup)GetProcAddress(hDbgHelp, "SymCleanup"); - if (pSymCleanup == NULL) - break; + if (bStatus) + symAddress = symbolInfo->Address; - bResult = TRUE; - } + supHeapFree(symbolInfo); + } - } while (FALSE); + if (Status) + *Status = bStatus; - return bResult; + return symAddress; } /* -* SymbolsAddToList +* ResolveAppInfoSymbols * * Purpose: * -* This function add symbol to the list. +* Load dbghelp, resolve appinfo pointers through symbols lookup. * */ -VOID SymbolAddToList( - _In_ PSYMBOL_ENTRY SymbolsHead, - _In_ LPWSTR SymbolName, - _In_ DWORD64 lpAddress +BOOL ResolveAppInfoSymbols( + _In_ PUAC_AI_GLOBALS AppInfo ) { - PSYMBOL_ENTRY Entry; - SIZE_T sz; - - Entry = SymbolsHead; + SIZE_T dirLength; + WCHAR szBuffer[MAX_PATH * 2]; + WCHAR szUserSearchPath[MAX_PATH * 2]; - while (Entry->Next != NULL) - Entry = Entry->Next; + HANDLE dllHandle; + HANDLE processHandle = GetCurrentProcess(); + DWORD64 baseOfDll; - sz = (1 + _strlen(SymbolName)) * sizeof(WCHAR); + pfnSymInitializeW pSymInitialize; + pfnSymSetOptions pSymSetOptions; + pfnSymLoadModuleExW pSymLoadModuleEx; + pfnSymFromNameW pSymFromName; + pfnSymUnloadModule64 pSymUnloadModule64; + pfnSymCleanup pSymCleanup; - Entry->Next = (PSYMBOL_ENTRY)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SYMBOL_ENTRY)); - if (Entry->Next) { - Entry = Entry->Next; - Entry->Next = NULL; + RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); + if (GetModuleFileName(NULL, szBuffer, MAX_PATH) == 0) + return FALSE; - Entry->Name = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz); - if (Entry->Name) { + _filepath(szBuffer, szBuffer); + _strcat(szBuffer, TEXT("symdll\\")); + dirLength = _strlen(szBuffer); + _strcat(szBuffer, TEXT("dbghelp.dll")); + dllHandle = 
LoadLibrary(szBuffer); + if (dllHandle == NULL) + return FALSE; - _strncpy(Entry->Name, sz / sizeof(WCHAR), - SymbolName, sz / sizeof(WCHAR)); + /*szBuffer[dirLength] = 0; + _strcat(szBuffer, TEXT("symsrv.dll")); + LoadLibrary(szBuffer);*/ - Entry->Address = lpAddress; - } - else { - HeapFree(GetProcessHeap(), 0, Entry); - } - } -} + pSymInitialize = (pfnSymInitializeW)GetProcAddress(dllHandle, "SymInitializeW"); + if (pSymInitialize == NULL) + return FALSE; -/* -* SymbolAddressFromName -* -* Purpose: -* -* This function query address from the given symbol name. -* -*/ -DWORD64 SymbolAddressFromName( - _In_ PSYMBOL_ENTRY SymbolsHead, - _In_ LPWSTR lpszName -) -{ - PSYMBOL_ENTRY Entry; + pSymSetOptions = (pfnSymSetOptions)GetProcAddress(dllHandle, "SymSetOptions"); + if (pSymSetOptions == NULL) + return FALSE; - Entry = SymbolsHead; + pSymLoadModuleEx = (pfnSymLoadModuleExW)GetProcAddress(dllHandle, "SymLoadModuleExW"); + if (pSymLoadModuleEx == NULL) + return FALSE; - while (Entry) { - if (!_strcmp(lpszName, Entry->Name)) - return Entry->Address; - Entry = Entry->Next; - } - return 0; -} + pSymFromName = (pfnSymFromNameW)GetProcAddress(dllHandle, "SymFromNameW"); + if (pSymFromName == NULL) + return FALSE; -/* -* SymEnumSymbolsProc -* -* Purpose: -* -* Callback of SymEnumSymbolsW. 
-* -*/ -BOOL CALLBACK SymEnumSymbolsProc( - _In_ PSYMBOL_INFOW pSymInfo, - _In_ ULONG SymbolSize, - _In_opt_ PVOID UserContext -) -{ - PSYMBOL_ENTRY SymbolsHead = (PSYMBOL_ENTRY)UserContext; - UNREFERENCED_PARAMETER(SymbolSize); + pSymUnloadModule64 = (pfnSymUnloadModule64)GetProcAddress(dllHandle, "SymUnloadModule64"); + if (pSymUnloadModule64 == NULL) + return FALSE; - if (UserContext == NULL) + pSymCleanup = (pfnSymCleanup)GetProcAddress(dllHandle, "SymCleanup"); + if (pSymCleanup == NULL) return FALSE; - SymbolAddToList(SymbolsHead, pSymInfo->Name, pSymInfo->Address); - return TRUE; + pSymSetOptions(SYMOPT_DEFERRED_LOADS | SYMOPT_UNDNAME); + + szBuffer[dirLength] = 0; + _strcat(szBuffer, TEXT("Symbols")); + if (!CreateDirectory((LPCWSTR)&szBuffer, NULL)) + if (GetLastError() != ERROR_ALREADY_EXISTS) + return FALSE; + + _strcpy(szUserSearchPath, TEXT("SRV*")); + _strcat(szUserSearchPath, szBuffer); + _strcat(szUserSearchPath, DEFAULT_SYMPATH); + + processHandle = GetCurrentProcess(); + + if (pSymInitialize(processHandle, szUserSearchPath, FALSE)) { + + baseOfDll = pSymLoadModuleEx(processHandle, + NULL, + TEXT("appinfo.dll"), + NULL, + (DWORD64)AppInfo->DllBase, + 0, + NULL, + 0); + + if (baseOfDll) { + AppInfo->lpAutoApproveEXEList = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpAutoApproveEXEList"), NULL); + AppInfo->lpIncludedPFDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpIncludedPFDirs"), NULL); + AppInfo->lpIncludedWindowsDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpIncludedWindowsDirs"), NULL); + AppInfo->lpIncludedSystemDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpIncludedSystemDirs"), NULL); + AppInfo->lpExemptedAutoApproveExes = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpExemptedAutoApproveExes"), NULL); + AppInfo->lpExcludedWindowsDirs = (PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpExcludedWindowsDirs"), NULL); + AppInfo->lpAutoApproveEXEList = 
(PVOID*)LookupAddressBySymbol(pSymFromName, TEXT("g_lpAutoApproveEXEList"), NULL); + + pSymUnloadModule64(processHandle, baseOfDll); + pSymCleanup(processHandle); + + return TRUE; + } + + } + + return FALSE; } /* @@ -262,6 +246,7 @@ BOOL CALLBACK SymEnumSymbolsProc( BOOL GetSupportedPattern( _In_ ULONG AppInfoBuildNumber, _In_ UAC_PATTERN* Patterns, + _In_ ULONG PatternsCount, _Out_ LPCVOID* OutputPattern, _Out_ ULONG* OutputPatternSize, _Out_opt_ ULONG* SubtractBytes @@ -275,7 +260,7 @@ BOOL GetSupportedPattern( if (SubtractBytes) *SubtractBytes = 0; - for (i = 0; i < RTL_NUMBER_OF(g_MmcPatterns); i++) { + for (i = 0; i < PatternsCount; i++) { if ((AppInfoBuildNumber >= Patterns[i].AppInfoBuildMin) && (AppInfoBuildNumber <= Patterns[i].AppInfoBuildMax)) { @@ -292,7 +277,7 @@ BOOL GetSupportedPattern( return FALSE; } -BOOLEAN QueryAiMmcBlock2( +BOOLEAN QueryAiMmcBlockWin11( _In_ UAC_AI_GLOBALS* AppInfo, _In_ PBYTE PtrCode, _In_ ULONG SectionSize @@ -311,6 +296,7 @@ BOOLEAN QueryAiMmcBlock2( if (GetSupportedPattern(AppInfo->AppInfoBuildNumber, g_MmcPatterns2, + RTL_NUMBER_OF(g_MmcPatterns2), &PatternData, &PatternSize, NULL)) @@ -353,11 +339,10 @@ BOOLEAN QueryAiMmcBlock2( } - return FALSE; } -BOOLEAN QueryAiMmcBlockPre21H1( +BOOLEAN QueryAiMmcBlockWin10( _In_ UAC_AI_GLOBALS* AppInfo, _In_ PBYTE PtrCode, _In_ ULONG SectionSize @@ -473,6 +458,7 @@ BOOLEAN QueryAiMmcBlock( if (AppInfo->AppInfoBuildNumber < NT_WIN10_REDSTONE5) { if (GetSupportedPattern(AppInfo->AppInfoBuildNumber, g_MmcPatterns, + RTL_NUMBER_OF(g_MmcPatterns), &PatternData, &PatternSize, &SubtractBytes)) 
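Review bot: `ResolveAppInfoSymbols` skips `pSymCleanup` when `pSymLoadModuleEx` returns 0: only the `if (baseOfDll)` branch calls `pSymUnloadModule64`/`pSymCleanup`, so a successful `pSymInitialize` followed by a failed module load falls through to `return FALSE` with dbghelp still initialised for this process, whereas the removed `QueryAiGlobalData` called `pSymCleanup` unconditionally. The assignment block also sets `AppInfo->lpAutoApproveEXEList` twice, once at the top and again after `lpExcludedWindowsDirs`; the second line is a copy-paste leftover. `CreateDirectory((LPCWSTR)&szBuffer, NULL)` passes the address of the array cast to a string pointer, which works only by coincidence of layout; write `CreateDirectory(szBuffer, NULL)`. Separately, `dllHandle` is never released on any path (every early `return FALSE` after `LoadLibrary` keeps the module reference), and `LookupAddressBySymbol`'s `MaxNameLen = 0` assumes `SymFromNameW` writes nothing into the one-character `Name` array when the length is zero — that assumption should be stated in the comment or avoided by sizing a small name buffer.
```c
    DWORD64 baseOfDll = 0;
    // … unchanged: GetProcAddress resolution, SymSetOptions, cache directory, search path …

    if (pSymInitialize(processHandle, szUserSearchPath, FALSE)) {

        baseOfDll = pSymLoadModuleEx(processHandle,
            NULL,
            TEXT("appinfo.dll"),
            NULL,
            (DWORD64)AppInfo->DllBase,
            0,
            NULL,
            0);

        if (baseOfDll) {
            // … unchanged: LookupAddressBySymbol assignments, minus the duplicated lpAutoApproveEXEList line …
            pSymUnloadModule64(processHandle, baseOfDll);
        }

        // cleanup must run whether or not the module loaded
        pSymCleanup(processHandle);
    }

    return (baseOfDll != 0);
```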
@@ -493,81 +479,22 @@ BOOLEAN QueryAiMmcBlock( else { // - // RS5 - 20H1 + // Windows 10 RS5 - 21H2 // - if (AppInfo->AppInfoBuildNumber < NT_WIN10_21H1) { - return QueryAiMmcBlockPre21H1(AppInfo, ptrCode, sectionSize); + if (AppInfo->AppInfoBuildNumber < NT_WIN11_21H2) { + return QueryAiMmcBlockWin10(AppInfo, ptrCode, sectionSize); } else { // - // 21H1 - XXXX + // Windows 11 21H2 - XXXX // - return QueryAiMmcBlock2(AppInfo, ptrCode, sectionSize); + return QueryAiMmcBlockWin11(AppInfo, ptrCode, sectionSize); } } return FALSE; } -/* -* QueryAiGlobalData -* -* Purpose: -* -* Load symbols for Appinfo global variables. -* -*/ -VOID QueryAiGlobalData( - _In_ UAC_AI_GLOBALS* AppInfo -) -{ - HANDLE hSym = GetCurrentProcess(); - WCHAR szFullSymbolInfo[MAX_PATH * 2]; - WCHAR szSymbolName[MAX_PATH]; - - SYMBOL_ENTRY SymbolsHead; - - DWORD64 DllBase; - - DllBase = (DWORD64)AppInfo->DllBase; - if (DllBase == 0) - return; - - do { - pSymSetOptions(SYMOPT_DEFERRED_LOADS | SYMOPT_UNDNAME); - RtlSecureZeroMemory(&SymbolsHead, sizeof(SymbolsHead)); - - RtlSecureZeroMemory(szSymbolName, sizeof(szSymbolName)); - if (GetModuleFileName(NULL, szSymbolName, MAX_PATH) == 0) - break; - - _strcpy(szFullSymbolInfo, TEXT("SRV*")); - _filepath(szSymbolName, _strend_w(szFullSymbolInfo)); - _strcat(szFullSymbolInfo, TEXT("Symbols")); - if (!CreateDirectory(&szFullSymbolInfo[4], NULL)) - if (GetLastError() != ERROR_ALREADY_EXISTS) - break; - - _strcat(szFullSymbolInfo, TEXT("*https://msdl.microsoft.com/download/symbols")); - if (pSymInitializeW(hSym, szFullSymbolInfo, FALSE)) { - if (pSymLoadModuleExW(hSym, NULL, TEXT("appinfo.dll"), NULL, DllBase, 0, NULL, 0)) { - if (pSymEnumSymbolsW(hSym, DllBase, NULL, SymEnumSymbolsProc, (PVOID)&SymbolsHead)) - { - AppInfo->lpAutoApproveEXEList = (PVOID*)SymbolAddressFromName(&SymbolsHead, TEXT("g_lpAutoApproveEXEList")); - AppInfo->lpIncludedPFDirs = (PVOID*)SymbolAddressFromName(&SymbolsHead, TEXT("g_lpIncludedPFDirs")); - AppInfo->lpIncludedWindowsDirs = 
(PVOID*)SymbolAddressFromName(&SymbolsHead, TEXT("g_lpIncludedWindowsDirs")); - AppInfo->lpIncludedSystemDirs = (PVOID*)SymbolAddressFromName(&SymbolsHead, TEXT("g_lpIncludedSystemDirs")); - AppInfo->lpExemptedAutoApproveExes = (PVOID*)SymbolAddressFromName(&SymbolsHead, TEXT("g_lpExemptedAutoApproveExes")); - AppInfo->lpExcludedWindowsDirs = (PVOID*)SymbolAddressFromName(&SymbolsHead, TEXT("g_lpExcludedWindowsDirs")); - } - pSymUnloadModule64(hSym, DllBase); - } - pSymCleanup(hSym); - } - } while (FALSE); - -} - BOOL IsCrossPtr( _In_ UAC_AI_GLOBALS* AppInfo, _In_ ULONG_PTR Ptr, @@ -633,7 +560,8 @@ VOID ListMMCFiles( return; __try { - if (AppInfo->MmcBlock->NumOfElements > 256) { + if (AppInfo->MmcBlock->NumOfElements == 0 || + AppInfo->MmcBlock->NumOfElements > 256) { OutputDebugString(TEXT("Invalid block data")); } else { 
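Review bot: In the `ListMMCFiles` hunk the new guard `NumOfElements == 0 || NumOfElements > 256` is a good sanity check on data read from the mapped image, but `256` is an unnamed magic number; name it, e.g. `#define MMC_BLOCK_MAX_ELEMENTS 256`, and use it in the comparison so the bound has a single, documented home. A short comment on the check would also help the next reader: `// NumOfElements comes from the mapped appinfo.dll image; reject empty or implausibly large blocks before walking them`. The `ListMMCFiles` body starts before this hunk and continues after it.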
@@ -800,44 +728,67 @@ VOID ScanAppInfo( do { + // + // Due to brilliant MS design all newest versions has the same build in file version attributes. + // if (g_NtBuildNumber >= NT_WIN10_19H1) { - -#ifndef _DEBUG - AppInfo.AppInfoBuildNumber = g_NtBuildNumber; -#else - AppInfo.AppInfoBuildNumber = g_TestAppInfoBuildNumber; -#endif } else { - if (!GetAppInfoBuildVersion(lpFileName, &AppInfo.AppInfoBuildNumber)) break; } +#ifdef _DEBUG + AppInfo.AppInfoBuildNumber = g_TestAppInfoBuildNumber; +#endif + if (RtlDosPathNameToNtPathName_U(lpFileName, &usFileName, NULL, NULL) == FALSE) break; - InitializeObjectAttributes(&attr, &usFileName, - OBJ_CASE_INSENSITIVE, NULL, NULL); + InitializeObjectAttributes(&attr, &usFileName, OBJ_CASE_INSENSITIVE, NULL, NULL); RtlSecureZeroMemory(&iosb, sizeof(iosb)); - status = NtCreateFile(&hFile, SYNCHRONIZE | FILE_READ_DATA, - &attr, &iosb, NULL, 0, FILE_SHARE_READ, FILE_OPEN, - FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); + status = NtCreateFile(&hFile, + SYNCHRONIZE | FILE_READ_DATA, + &attr, + &iosb, + NULL, + 0, + FILE_SHARE_READ, + FILE_OPEN, + FILE_SYNCHRONOUS_IO_NONALERT, + NULL, + 0); if (!NT_SUCCESS(status)) break; - status = NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, - NULL, PAGE_READONLY, SEC_IMAGE, hFile); + status = NtCreateSection(&hSection, + SECTION_ALL_ACCESS, + NULL, + NULL, + PAGE_READONLY, + SEC_IMAGE, + hFile); + if (!NT_SUCCESS(status)) break; DllBase = NULL; DllVirtualSize = 0; - status = NtMapViewOfSection(hSection, NtCurrentProcess(), (PVOID*)&DllBase, - 0, 0, NULL, &DllVirtualSize, ViewUnmap, 0, PAGE_READONLY); + + status = NtMapViewOfSection(hSection, + NtCurrentProcess(), + (PVOID*)&DllBase, + 0, + 0, + NULL, + &DllVirtualSize, + ViewUnmap, + 0, + PAGE_READONLY); + if (!NT_SUCCESS(status)) break; 
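Review bot: In release builds `AppInfo.AppInfoBuildNumber` is no longer assigned when `g_NtBuildNumber >= NT_WIN10_19H1`: the hunk removes both the `#ifndef _DEBUG` assignment from `g_NtBuildNumber` and the debug one, replaces them with an `#ifdef _DEBUG` block after the `if`/`else`, and leaves the 19H1+ branch empty, so the field keeps whatever value it had before the `do` unless it is set somewhere outside this hunk that I cannot see. Every downstream decision (`GetSupportedPattern`, the `< NT_WIN11_21H2` dispatch) keys off this field, so a release build would pick the wrong matcher. Restore `AppInfo.AppInfoBuildNumber = g_NtBuildNumber;` inside the now-empty branch, and make the new comment say what it means operationally, e.g. `// 19H1+ appinfo.dll carries the same file version across releases, so use the running OS build instead.` `ScanAppInfo` starts before this hunk and continues after it.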
@@ -846,8 +797,7 @@ VOID ScanAppInfo( ListMMCFiles(&AppInfo, OutputCallback); - if (InitDbgHelp()) { - QueryAiGlobalData(&AppInfo); + if (ResolveAppInfoSymbols(&AppInfo)) { ListAutoApproveEXE(&AppInfo, OutputCallback); ListStringDataUnsorted(&AppInfo, AiIncludedPFDirs, AppInfo.lpIncludedPFDirs, OutputCallback); ListStringDataUnsorted(&AppInfo, AilpIncludedWindowsDirs, AppInfo.lpIncludedWindowsDirs, OutputCallback); diff --git a/Source/Yuubari/appinfo.h b/Source/Yuubari/appinfo.h index f969543..2747c3b 100644 --- a/Source/Yuubari/appinfo.h +++ b/Source/Yuubari/appinfo.h @@ -1,12 +1,12 @@ #/******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2020 +* (C) COPYRIGHT AUTHORS, 2014 - 2021 * * TITLE: APPINFO.H * -* VERSION: 1.48 +* VERSION: 1.51 * -* DATE: 10 Sep 2020 +* DATE: 15 Sep 2021 * * Header file for the AppInfo scan. * @@ -19,12 +19,6 @@ #pragma once #include -typedef struct _SYMBOL_ENTRY { - struct _SYMBOL_ENTRY *Next; - LPWSTR Name; - DWORD64 Address; -} SYMBOL_ENTRY, *PSYMBOL_ENTRY; - typedef enum _AI_DATA_TYPE { AiSnapinFile = 1, AiManagementConsole, @@ -72,14 +66,17 @@ typedef struct _UAC_AI_GLOBALS { } UAC_AI_GLOBALS, *PUAC_AI_GLOBALS; typedef DWORD(WINAPI *pfnSymSetOptions)( - _In_ DWORD SymOptions - ); + _In_ DWORD SymOptions); typedef BOOL(WINAPI *pfnSymInitializeW)( _In_ HANDLE hProcess, _In_opt_ PCWSTR UserSearchPath, - _In_ BOOL fInvadeProcess - ); + _In_ BOOL fInvadeProcess); + +typedef BOOL(WINAPI* pfnSymFromNameW)( + _In_ HANDLE hProcess, + _In_ PCWSTR Name, + _Inout_ PSYMBOL_INFOW Symbol); typedef DWORD64(WINAPI *pfnSymLoadModuleExW)( _In_ HANDLE hProcess, 
@@ -89,32 +86,14 @@ typedef DWORD64(WINAPI *pfnSymLoadModuleExW)( _In_ DWORD64 BaseOfDll, _In_ DWORD DllSize, _In_opt_ PMODLOAD_DATA Data, - _In_opt_ DWORD Flags - ); - -typedef BOOL(WINAPI *pfnSymEnumSymbolsW)( - _In_ HANDLE hProcess, - _In_ ULONG64 BaseOfDll, - _In_opt_ PCWSTR Mask, - _In_ PSYM_ENUMERATESYMBOLS_CALLBACKW EnumSymbolsCallback, - _In_opt_ PVOID UserContext - ); + _In_opt_ DWORD Flags); typedef BOOL(WINAPI *pfnSymUnloadModule64)( _In_ HANDLE hProcess, - _In_ DWORD64 BaseOfDll - ); + _In_ DWORD64 BaseOfDll); typedef BOOL(WINAPI *pfnSymCleanup)( - _In_ HANDLE hProcess - ); - -typedef BOOL(WINAPI *pfnSymFromAddrW)( - _In_ HANDLE hProcess, - _In_ DWORD64 Address, - _Out_opt_ PDWORD64 Displacement, - _Inout_ PSYMBOL_INFOW Symbol - ); + _In_ HANDLE hProcess); VOID ScanAppInfo( LPWSTR lpFileName, diff --git a/Source/Yuubari/basic.c b/Source/Yuubari/basic.c index b3879e0..af4cd38 100644 --- a/Source/Yuubari/basic.c +++ b/Source/Yuubari/basic.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2020 +* (C) COPYRIGHT AUTHORS, 2014 - 2021 * * TITLE: BASIC.C * -* VERSION: 1.49 +* VERSION: 1.51 * -* DATE: 11 Nov 2019 +* DATE: 01 Nov 2021 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED diff --git a/Source/Yuubari/comobj.c b/Source/Yuubari/comobj.c index a51b3d2..a8ec86a 100644 --- a/Source/Yuubari/comobj.c +++ b/Source/Yuubari/comobj.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2019 +* (C) COPYRIGHT AUTHORS, 2014 - 2021 * * TITLE: COMOBJ.C * -* VERSION: 1.45 +* VERSION: 1.51 * -* DATE: 22 Oct 2019 +* DATE: 31 Oct 2021 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -154,18 +154,18 @@ VOID CopQuerySubKey( dwDataSize = 0; t = supReadKeyString(RootKey, TEXT("LocalizedString"), &dwDataSize); if (t) { - lpLocalizedString = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)MAX_PATH * 2); + lpLocalizedString = (LPWSTR)supHeapAlloc((SIZE_T)MAX_PATH * 2); if (lpLocalizedString) { SHLoadIndirectString(t, lpLocalizedString, MAX_PATH, NULL); } - HeapFree(GetProcessHeap(), 0, t); + supHeapFree(t); } //check if AppId present dwDataSize = 0; t = supReadKeyString(RootKey, TEXT("AppId"), &dwDataSize); if (t) { - lpAppId = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)dwDataSize + 32); + lpAppId = (LPWSTR)supHeapAlloc((SIZE_T)dwDataSize + 32); if (lpAppId) { _strcpy(lpAppId, TEXT("AppId\\")); _strcat(lpAppId, t); @@ -186,7 +186,7 @@ VOID CopQuerySubKey( RegCloseKey(hAppIdKey); } } - HeapFree(GetProcessHeap(), 0, t); + supHeapFree(t); } // @@ -230,7 +230,7 @@ VOID CopQuerySubKey( OutputCallback((PVOID)&Data); if (Data.Key) { - HeapFree(GetProcessHeap(), 0, Data.Key); + supHeapFree(Data.Key); } // @@ -244,7 +244,7 @@ VOID CopQuerySubKey( if (lRet == ERROR_SUCCESS) { cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR)); - lpValue = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cMaxLength); + lpValue = (LPWSTR)supHeapAlloc(cMaxLength); if (lpValue) { for (i = 0; i < cValues; i++) { @@ -266,7 +266,7 @@ VOID CopQuerySubKey( } } - HeapFree(GetProcessHeap(), 0, lpValue); + supHeapFree(lpValue); } } RegCloseKey(hServerObjectsKey); @@ -276,13 +276,13 @@ VOID CopQuerySubKey( } while (FALSE); if (lpAppIdName) - HeapFree(GetProcessHeap(), 0, lpAppIdName); + supHeapFree(lpAppIdName); if (lpAppId != NULL) - HeapFree(GetProcessHeap(), 0, lpAppId); + supHeapFree(lpAppId); if (lpName != NULL) - HeapFree(GetProcessHeap(), 0, lpName); + supHeapFree(lpName); } else { CopScanRegistry(hSubKey, OutputCallback, InterfaceList); 
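Review bot: Replacing `HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ...)` with `supHeapAlloc(...)` changes behaviour unless `supHeapAlloc` also zero-fills, and that helper is not visible in this diff. In `CopQuerySubKey` the `lpLocalizedString` buffer is only written when `SHLoadIndirectString` succeeds, so any later use of it relies on the memory having been zeroed; the same assumption is carried by the substitutions in the `CopEnumSubKey`, `CoEnumInterfaces`, `CoScanBrokerApprovalList` and `CoScanAutoApprovalList` hunks and by the fusion.c, logger.c, main.c and sup.c hunks that follow. Please confirm `supHeapAlloc` passes `HEAP_ZERO_MEMORY` and document that contract at its declaration in sup.h, e.g. `// allocates zero-initialised memory from the process heap; pair with supHeapFree`.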
@@ -313,7 +313,7 @@ VOID CopEnumSubKey( do { dwcbName = 32 * 1024; - lpKeyName = (LPTSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwcbName); + lpKeyName = (LPTSTR)supHeapAlloc(dwcbName); if (lpKeyName == NULL) break; @@ -322,7 +322,7 @@ VOID CopEnumSubKey( lpKeyName, &cch, NULL, NULL, NULL, NULL); if (lRet == ERROR_MORE_DATA) { dwcbName *= 2; - HeapFree(GetProcessHeap(), 0, lpKeyName); + supHeapFree(lpKeyName); lpKeyName = NULL; continue; } @@ -340,7 +340,7 @@ VOID CopEnumSubKey( } while (lRet == ERROR_MORE_DATA); if (lpKeyName != NULL) - HeapFree(GetProcessHeap(), 0, lpKeyName); + supHeapFree(lpKeyName); } @@ -418,12 +418,12 @@ BOOL CoEnumInterfaces( if ((lRet != ERROR_SUCCESS) || (cSubKeys == 0)) __leave; - infoBuffer = (INTERFACE_INFO*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cSubKeys * sizeof(INTERFACE_INFO)); + infoBuffer = (INTERFACE_INFO*)supHeapAlloc(cSubKeys * sizeof(INTERFACE_INFO)); if (infoBuffer == NULL) __leave; cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR)); - lpKeyName = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cMaxLength); + lpKeyName = (LPWSTR)supHeapAlloc(cMaxLength); if (lpKeyName == NULL) __leave; @@ -457,7 +457,7 @@ BOOL CoEnumInterfaces( RegCloseKey(hKey); if (lpKeyName) - HeapFree(GetProcessHeap(), 0, lpKeyName); + supHeapFree(lpKeyName); } return bResult; @@ -497,7 +497,7 @@ VOID CoScanBrokerApprovalList( __leave; cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR)); - lpSubKey = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cMaxLength); + lpSubKey = (LPWSTR)supHeapAlloc(cMaxLength); if (lpSubKey == NULL) __leave; @@ -553,7 +553,7 @@ VOID CoScanBrokerApprovalList( RegCloseKey(hKey); if (lpSubKey) - HeapFree(GetProcessHeap(), 0, lpSubKey); + supHeapFree(lpSubKey); } } 
@@ -593,7 +593,7 @@ VOID CoScanAutoApprovalList( __leave; cMaxLength = (DWORD)((cMaxLength + 1) * sizeof(WCHAR)); - lpValue = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cMaxLength); + lpValue = (LPWSTR)supHeapAlloc(cMaxLength); if (lpValue == NULL) __leave; @@ -621,7 +621,7 @@ VOID CoScanAutoApprovalList( RegCloseKey(hKey); if (lpValue) - HeapFree(GetProcessHeap(), 0, lpValue); + supHeapFree(lpValue); } } diff --git a/Source/Yuubari/consts.h b/Source/Yuubari/consts.h index cedf782..3575f62 100644 --- a/Source/Yuubari/consts.h +++ b/Source/Yuubari/consts.h @@ -4,9 +4,9 @@ * * TITLE: CONSTS.H * -* VERSION: 1.50 +* VERSION: 1.51 * -* DATE: 26 July 2021 +* DATE: 31 Oct 2021 * * Global consts definition file. * @@ -18,8 +18,8 @@ *******************************************************************************/ #pragma once -#define YUUBARI_MIN_SUPPORTED_NT_BUILD 7600 -#define YUUBARI_MAX_SUPPORTED_NT_BUILD 22000 +#define YUUBARI_MIN_SUPPORTED_NT_BUILD NT_WIN7_RTM +#define YUUBARI_MAX_SUPPORTED_NT_BUILD NTX_WIN11_ADB #define T_UAC_COM_AUTOAPPROVAL_LIST TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UAC\\COMAutoApprovalList") //RS1+ #define T_UAC_BROKER_APPROVAL_LIST TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CloudExperienceHost\\Broker\\ElevatedClsids") @@ -37,7 +37,7 @@ #define T_FLAG_INSTALLERDETECT_ENABLED TEXT("InstallerDetectEnabled") #define T_PROGRAM_NAME TEXT("Yuubari") -#define T_PROGRAM_TITLE TEXT("[UacView] UAC information gathering tool, v1.5.0 (July 26, 2021)\r\n") +#define T_PROGRAM_TITLE TEXT("[UacView] UAC information gathering tool, v1.5.1 (Nov 01, 2021)\r\n") #define T_HELP TEXT("Optional parameters to execute: \r\n\n\ YUUBARI [/v] \r\n\n\ diff --git a/Source/Yuubari/fusion.c b/Source/Yuubari/fusion.c index c97ddac..7863255 100644 --- a/Source/Yuubari/fusion.c +++ b/Source/Yuubari/fusion.c 
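Review bot: In the consts.h hunk `YUUBARI_MIN_SUPPORTED_NT_BUILD` and `YUUBARI_MAX_SUPPORTED_NT_BUILD` now expand to `NT_WIN7_RTM` and `NTX_WIN11_ADB` from ntbuilds.h, so consts.h compiles only in translation units that already include that header; the include layout is not visible here, so either add the include to consts.h or note the dependency in a comment next to the defines. `NTX_WIN11_ADB` also tracks the active development branch rather than a shipped release, so the "max supported build" will move with every header refresh; a comment stating that this is intended (`// max follows the ADB build from ntbuilds.h by design`) stops the next reader from treating it as a release-tested bound.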
@@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2020 +* (C) COPYRIGHT AUTHORS, 2014 - 2021 * * TITLE: FUSION.C * -* VERSION: 1.49 +* VERSION: 1.51 * -* DATE: 11 Nov 2020 +* DATE: 01 Nov 2021 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED @@ -647,7 +647,7 @@ VOID FusionScanFiles( WIN32_FIND_DATA fdata; sz = (_strlen(lpDirectory) + MAX_PATH) * sizeof(WCHAR); - lpLookupDirectory = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz); + lpLookupDirectory = (LPWSTR)supHeapAlloc(sz); if (lpLookupDirectory) { _strncpy(lpLookupDirectory, MAX_PATH, lpDirectory, MAX_PATH); _strcat(lpLookupDirectory, TEXT("\\*.exe")); @@ -660,7 +660,7 @@ VOID FusionScanFiles( } while (FindNextFile(hFile, &fdata)); FindClose(hFile); } - HeapFree(GetProcessHeap(), 0, lpLookupDirectory); + supHeapFree(lpLookupDirectory); } } diff --git a/Source/Yuubari/logger.c b/Source/Yuubari/logger.c index 46e14d4..ebcf941 100644 --- a/Source/Yuubari/logger.c +++ b/Source/Yuubari/logger.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2017 +* (C) COPYRIGHT AUTHORS, 2014 - 2021 * * TITLE: LOGGER.C * -* VERSION: 1.0F +* VERSION: 1.51 * -* DATE: 14 Feb 2017 +* DATE: 31 Oct 2021 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -71,13 +71,13 @@ VOID LoggerWrite( return; sz = sz * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL); - Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz); + Buffer = (LPWSTR)supHeapAlloc(sz); if (Buffer) { _strcpy(Buffer, lpText); if (UseReturn) _strcat(Buffer, TEXT("\r\n")); sz = _strlen(Buffer); WriteFile(hLogFile, Buffer, (DWORD)(sz * sizeof(WCHAR)), &bytesIO, NULL); - HeapFree(GetProcessHeap(), 0, Buffer); + supHeapFree(Buffer); } } } diff --git a/Source/Yuubari/main.c b/Source/Yuubari/main.c index 78287c3..4289d55 100644 --- a/Source/Yuubari/main.c +++ b/Source/Yuubari/main.c @@ -4,9 +4,9 @@ * * TITLE: MAIN.C * -* VERSION: 1.50 +* VERSION: 1.51 * -* DATE: 26 July 2021 +* DATE: 29 Oct 2021 * * Program entry point. * @@ -54,7 +54,7 @@ VOID AppInfoDataOutputCallback( return; sz = (_strlen(Data->Name) * sizeof(WCHAR)) + MAX_PATH; - lpLog = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz); + lpLog = (LPWSTR)supHeapAlloc(sz); if (lpLog) { switch (Data->Type) { case AiSnapinFile: @@ -90,7 +90,7 @@ VOID AppInfoDataOutputCallback( LoggerWrite(g_LogFile, lpLog, TRUE); cuiPrintText(lpLog, TRUE); - HeapFree(GetProcessHeap(), 0, lpLog); + supHeapFree(lpLog); } } @@ -113,7 +113,7 @@ VOID WINAPI BasicDataOutputCallback( return; sz = (_strlen(Data->Name) * sizeof(WCHAR)) + MAX_PATH; - lpLog = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz); + lpLog = (LPWSTR)supHeapAlloc(sz); if (lpLog) { _strcpy(lpLog, Data->Name); _strcat(lpLog, TEXT("=")); @@ -128,7 +128,7 @@ VOID WINAPI BasicDataOutputCallback( } LoggerWrite(g_LogFile, lpLog, TRUE); cuiPrintText(lpLog, TRUE); - HeapFree(GetProcessHeap(), 0, lpLog); + supHeapFree(lpLog); } } 
@@ -302,15 +302,15 @@ VOID WINAPI FusionOutputCallback( } if (Data->DataType == UacFusionDataRedirectedDllType) { Dll = (UAC_FUSION_DATA_DLL*)Data; - sz = _strlen(Dll->DllName) + _strlen(Dll->FileName) + MAX_PATH; - lpLog = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz * sizeof(WCHAR)); + sz = (_strlen(Dll->DllName) + _strlen(Dll->FileName) + MAX_PATH) * sizeof(WCHAR); + lpLog = (LPWSTR)supHeapAlloc(sz); if (lpLog) { _strcpy(lpLog, TEXT("DllRedirection: ")); _strcat(lpLog, Dll->FileName); _strcat(lpLog, TEXT(" -> ")); _strcat(lpLog, Dll->DllName); LoggerWrite(g_LogFile, lpLog, TRUE); - HeapFree(GetProcessHeap(), 0, lpLog); + supHeapFree(lpLog); } } } @@ -376,7 +376,7 @@ VOID ListCOMFromRegistry( __finally { CoUninitialize(); if (InterfaceList.List) - HeapFree(GetProcessHeap(), 0, InterfaceList.List); + supHeapFree(InterfaceList.List); } } @@ -451,8 +451,8 @@ VOID ListAppInfo( _strcpy(szFileName, USER_SHARED_DATA->NtSystemRoot); _strcat(szFileName, TEXT("\\system32\\appinfo.dll")); #else - g_TestAppInfoBuildNumber = 19043; - _strcpy(szFileName, TEXT("C:\\appinfo\\appinfo_19043.dll")); + g_TestAppInfoBuildNumber = 22494; + _strcpy(szFileName, TEXT("C:\\appinfo\\appinfo_22494.dll")); #endif ScanAppInfo(szFileName, (OUTPUTCALLBACK)AppInfoDataOutputCallback); } diff --git a/Source/Yuubari/patterns.h b/Source/Yuubari/patterns.h index b5b7515..5f1df8d 100644 --- a/Source/Yuubari/patterns.h +++ b/Source/Yuubari/patterns.h @@ -4,9 +4,9 @@ * * TITLE: PATTERNS.H * -* VERSION: 1.50 +* VERSION: 1.51 * -* DATE: 26 July 2021 +* DATE: 31 Oct 2021 * * Patterns for supported AppInfo versions. * 
@@ -27,22 +27,22 @@
 // g_MmcBlock
 //
 const unsigned char ptMmcBlock_7600[] = {
- 0x48, 0x8D, 0x3C, 0x40, 0x4C, 0x39, 0x6C, 0xFB
+ 0x48, 0x8D, 0x3C, 0x40, 0x4C, 0x39, 0x6C, 0xFB
 };
 const unsigned char ptMmcBlock_7601[] = {
- 0x48, 0x8B, 0x55, 0x00, 0x48, 0x8B, 0xCF, 0xFF, 0x15
+ 0x48, 0x8B, 0x55, 0x00, 0x48, 0x8B, 0xCF, 0xFF, 0x15
 };
 const unsigned char ptMmcBlock_9200[] = {
- 0x49, 0x8B, 0x16, 0x48, 0x8B, 0xCE, 0xFF, 0x15
+ 0x49, 0x8B, 0x16, 0x48, 0x8B, 0xCE, 0xFF, 0x15
 };
 const unsigned char ptMmcBlock_9600[] = {
 0x48, 0x8b, 0x17, 0x49, 0x8b, 0xce, 0xff, 0x15
 };
 const unsigned char ptMmcBlock_10240[] = {
- 0x49, 0x8B, 0x14, 0x24, 0x49, 0x8B, 0xCE, 0xFF, 0x15
+ 0x49, 0x8B, 0x14, 0x24, 0x49, 0x8B, 0xCE, 0xFF, 0x15
 };
 const unsigned char ptMmcBlock_10586_16299[] = {
- 0x49, 0x8B, 0x16, 0x49, 0x8B, 0xCD, 0xFF, 0x15
+ 0x49, 0x8B, 0x16, 0x49, 0x8B, 0xCD, 0xFF, 0x15
 };
 const unsigned char ptMmcBlock_16300_17134[] = {
 0x41, 0x8B, 0xF7, 0x49, 0x8B, 0x16, 0x48, 0x8B
@@ -59,10 +59,6 @@ const unsigned char ptMmcBlock_Start[] = {
 // xor r13d, r13d
 // mov rcx
 //
-const unsigned char ptMmcBlock_Start21H1[] = {
- 0x45, 0x33, 0xED, 0x48, 0x8B
-};
-
 const unsigned char ptMmcBlock_StartW11[] = {
 0xBA, 0x0D, 0x00, 0x00, 0x00, 0x4D, 0x8B, 0xCF
 };
diff --git a/Source/Yuubari/sup.c b/Source/Yuubari/sup.c
index aa48d40..13dc004 100644
--- a/Source/Yuubari/sup.c
+++ b/Source/Yuubari/sup.c
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2014 - 2020
+* (C) COPYRIGHT AUTHORS, 2014 - 2021
 *
 * TITLE: SUP.C
 *
-* VERSION: 1.49
+* VERSION: 1.51
 *
-* DATE: 11 Nov 2020
+* DATE: 29 Oct 2021
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -66,12 +66,12 @@ LPWSTR supReadKeyString(
 lRet = RegQueryValueEx(hKey, KeyValue, NULL, NULL, NULL, pdwDataSize);
 if (lRet == ERROR_SUCCESS) {
- lpString = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, *pdwDataSize);
+ lpString = (LPWSTR)supHeapAlloc(*pdwDataSize);
 if (lpString != NULL) {
 lRet = RegQueryValueEx(hKey, KeyValue, NULL, NULL, (LPBYTE)lpString, pdwDataSize);
 if (lRet != ERROR_SUCCESS) {
- HeapFree(GetProcessHeap(), 0, lpString);
+ supHeapFree(lpString);
 lpString = NULL;
 }
 }
@@ -103,13 +103,13 @@ PVOID supQueryKeyName(
 *ReturnedLength = 0;
 NtQueryObject(hKey, ObjectNameInformation, NULL, 0, &ulen);
- pObjName = (POBJECT_NAME_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ulen);
+ pObjName = (POBJECT_NAME_INFORMATION)supHeapAlloc(ulen);
 if (pObjName) {
 status = NtQueryObject(hKey, ObjectNameInformation, pObjName, ulen, NULL);
 if (NT_SUCCESS(status)) {
 if ((pObjName->Name.Buffer != NULL) && (pObjName->Name.Length > 0)) {
 sz = pObjName->Name.Length + sizeof(UNICODE_NULL);
- ReturnBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz);
+ ReturnBuffer = supHeapAlloc(sz);
 if (ReturnBuffer) {
 RtlCopyMemory(ReturnBuffer, pObjName->Name.Buffer, pObjName->Name.Length);
 if (ReturnedLength)
@@ -117,7 +117,7 @@ PVOID supQueryKeyName(
 }
 }
 }
- HeapFree(GetProcessHeap(), 0, pObjName);
+ supHeapFree(pObjName);
 }
 return ReturnBuffer;
 }
diff --git a/Source/Yuubari/sup.h b/Source/Yuubari/sup.h
index adc077e..5978ac7 100644
--- a/Source/Yuubari/sup.h
+++ b/Source/Yuubari/sup.h
@@ -1,12 +1,12 @@
 #/*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2014 - 2020
+* (C) COPYRIGHT AUTHORS, 2014 - 2021
 *
 * TITLE: SUP.H
 *
-* VERSION: 1.49
+* VERSION: 1.51
 *
-* DATE: 11 Nov 2020
+* DATE: 29 Oct 2021
 *
 * Common header file for the program support routines.
 *
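Review bot: The buffer handed to the second `RegQueryValueEx` in supReadKeyString is exactly `*pdwDataSize` bytes, but a registry string value is not guaranteed to be stored with its terminating null (the RegQueryValueEx documentation states this for REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ), so a caller that treats the returned `LPWSTR` as NUL-terminated can read past the allocation. Because `supHeapAlloc` zero-fills, allocating `lpString = (LPWSTR)supHeapAlloc(*pdwDataSize + sizeof(UNICODE_NULL));` guarantees termination at no extra cost; the type argument is also passed as `NULL`, so a non-string value type is not rejected here, which is worth checking if callers assume text. The function's start and its return are outside the hunk.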
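Review bot: In the supQueryKeyName hunk (`@@ -103`) `*ReturnedLength = 0;` dereferences the pointer unconditionally, while the later `if (ReturnedLength)` treats the same parameter as optional, so one of the two is wrong: either guard the first write as well, `if (ReturnedLength) *ReturnedLength = 0;`, or annotate the parameter as required and drop the later check. These are context lines, so the inconsistency predates this commit, but it sits right next to the converted allocations. The status of the probing `NtQueryObject` call is also discarded and `ulen` is passed to `supHeapAlloc` regardless; since the second call's status is checked, this only costs a wasted allocation when the probe fails, provided `ulen` is initialised before the hunk (its declaration is outside it).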
@@ -18,6 +18,34 @@
 *******************************************************************************/
 #pragma once
+/*
+* supHeapAlloc
+*
+* Purpose:
+*
+* Wrapper for RtlAllocateHeap.
+*
+*/
+PVOID FORCEINLINE supHeapAlloc(
+ _In_ SIZE_T Size)
+{
+ return RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Size);
+}
+
+/*
+* supHeapFree
+*
+* Purpose:
+*
+* Wrapper for RtlFreeHeap.
+*
+*/
+BOOL FORCEINLINE supHeapFree(
+ _In_ PVOID Memory)
+{
+ return RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Memory);
+}
+
 BOOL supIsCorImageFile( _In_ PVOID ImageBase);
diff --git a/UACME.sha256 b/UACME.sha256
index 91fe745..c4fdc6f 100644
--- a/UACME.sha256
+++ b/UACME.sha256
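Review bot: The header comment for the new `supHeapAlloc` says only "Wrapper for RtlAllocateHeap" and omits the one property callers depend on: the block is zero-filled via `HEAP_ZERO_MEMORY`, which is what lets supQueryKeyName allocate `Length + sizeof(UNICODE_NULL)`, copy `Length` bytes and rely on the terminator being present. Suggest `* Wrapper for RtlAllocateHeap over the process heap; the returned block is zero-filled. Returns NULL on failure.` and, for `supHeapFree`, `* Wrapper for RtlFreeHeap over the process heap; Memory must have come from supHeapAlloc.` Adding `_Ret_maybenull_` (and `_Post_writable_byte_size_(Size)`) to the supHeapAlloc declaration would let the analyzer flag call sites that skip the NULL check. Placing the specifier first, `FORCEINLINE PVOID supHeapAlloc(`, rather than between type and name is the conventional order; harmless either way.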
@@ -137,32 +137,32 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Shared\ e99aa4997bda14b534c614c3d8cb78a72c4aca91a1212c8b03ec605d1d75e36e *Source\Shared\hde\hde64.h f8e6a0be357726bee35c7247b57408b54bb38d94e8324a6bb84b91c462b2be30 *Source\Shared\hde\pstdint.h b774446d2f110ce954fb0a710f4693c5562ddbd8d56fe84106f2ee80db8b50a2 *Source\Shared\hde\table64.h -d4da941865d4b9a0b5857dd851f6d8da0eff52f9808e0ed95b1f982cd877aaf7 *Source\Shared\ntos\ntbuilds.h -e1013ed809f18c5e4d88ab95e625139f07cd8b7ec8619b25d70bee45acd8690a *Source\Shared\ntos\ntos.h +5951b85f4d82c7ca4c0adffd312133e8dc82b468bc97e172c58d6c1c5f7008cb *Source\Shared\ntos\ntbuilds.h +05f2df33304c25f11d1ba69d17e2862be61293f170dd756475822704ac6e6478 *Source\Shared\ntos\ntos.h b61eb9474f593e61a241495f6c06c6c3c1afe03d45b1b23af33075ecc02f4ad1 *Source\Shared\ntos\ntsxs.h -c51315abec6d5517519f05901135f2a36e147408931b9ffc2c98c0e852cddc2e *Source\Yuubari\appinfo.c -5e076fa2884ca946bc0459455709f8cbcbc49f9c3ff7ef44746e1ef77ec2b7b3 *Source\Yuubari\appinfo.h -910654bf3d2fe5ae64efdf7ab14e0806d9b5adbd58d9a5c60d3316d27c4a1cf2 *Source\Yuubari\basic.c +93468ab5bab0ae72c5040fae803fbc479a0d0edfb10de7c9b8f47110f9fca75f *Source\Yuubari\appinfo.c +ddf75052baeb39c7e53184588516b058589a6d41f64e900a0543f707c5c79eca *Source\Yuubari\appinfo.h +46ce4d9e34f8845b17c5a9b87891b5ace6dca83427377029ee1d06af5af6d637 *Source\Yuubari\basic.c 10979d6665292065b840f8d95366201a686146e949908cdd41331699b331ab9c *Source\Yuubari\basic.h -659cff5279e2ad77f2d0e755d6b10a49d1beb3a292820f93ff56bda7a38c389e *Source\Yuubari\comobj.c +c0ddb8ed4e267153cd7fd2fb858e0a18fd8fa88ddc3f748bcee35372f41bec46 *Source\Yuubari\comobj.c 5b20f14c3b8322a354bf374d9cb463359c57d07f4031d788c7bc88bda6f833ee *Source\Yuubari\comobj.h -f41270403f8c605f0e75a6bd8c806b445523d7cabb799592c5a78f7f89712497 *Source\Yuubari\consts.h +9df98ecd6a52f89d0acd6b927e9510becc09aac11a89c4d2c78fcd36bd959780 *Source\Yuubari\consts.h 
27b89ba25c1620f7f46af4a239d6a18b71b9b689ea33eb7ab099e0b039cdf21f *Source\Yuubari\cui.c 3058dea6894b1ca7bcff8896b35080c0ddfa1c541e7e505792cbac65dea9d0d9 *Source\Yuubari\cui.h -9d326f50d515e1f033c9dc9f6202a556a29b75a63a62ea8e0c730b809c7af967 *Source\Yuubari\fusion.c +585f2c8b5fc2eaaccfa1d334b176f2f681df61322c064b89e50cb592d073d07d *Source\Yuubari\fusion.c 0da59496e173b30d19c4f6c3ca62f2be8ef5b5e790c4952ac0d27f987577488f *Source\Yuubari\fusion.h bad9cc44456acdb30751cb4d4bb98c10519a28c0354ae9a048b9bfa139bcc55e *Source\Yuubari\global.h -04bd5497fa817f15e3f6d63325c5e20172fde7f4c668d1dfdc35f99b228d3f33 *Source\Yuubari\logger.c +56843f0410f4c97e8d0809bf7fe4c3e7efaf0dcefd595da58da07794d1709f27 *Source\Yuubari\logger.c 9b9dad8b40daf87f796c91a0538198921acebd13d47515e0e27b18eaad6906f4 *Source\Yuubari\logger.h -af14463a80218cbcce51eb6134cd31d159b4a9899e7e6ed900adc7c689bc67bc *Source\Yuubari\main.c -02445b03ba0f2f9f1b7571639356495c95f76fb81e8d6d427592e30741598c14 *Source\Yuubari\patterns.h +b317904d35ae33c177f2ffbbf60822e5daf79ed18e45a66b4217741abeb54172 *Source\Yuubari\main.c +cb677a1313f7cc9c2ed3571c2d94c257f6798c3ab78b12d824fe775265df19c2 *Source\Yuubari\patterns.h 76faa46729e53c1204c1c6f4d51d9a0c2701cca1f7e927249cfb0bce71e60022 *Source\Yuubari\resource.h -c11137f6cb08b245ceabcfd5d4a69bc0304021eb433218510e98725771a0e0fc *Source\Yuubari\Resource.rc -ba5271947ebef7456607be0a33cea8abff32928538584b37fcb8102214595c9c *Source\Yuubari\sup.c -efcfc436722ff7927d221bb9e4bca57eecf4b1bbd33f2e57eb845e9c47f64ee6 *Source\Yuubari\sup.h +393cc832b1de1f5c7dc1bb130fb8c5489cda23908575ce6753c39f56f01d47ff *Source\Yuubari\Resource.rc +c3815c32f54c31fa2115b0367c76e9186a5987629c9523e148e803ab811384ab *Source\Yuubari\sup.c +f49b2dfdc27085d2906a7b29b21d68b365928706fb3539cef82a05cc65e175fb *Source\Yuubari\sup.h e0be14373098896893f34e02dfe84d3eb64e11d9d9f7f70a15101b41cf9ae5bd *Source\Yuubari\wintrustex.h d4acf557a541579d5a8992b9514169fc05c40f26144ad8a560d8ef8d0a3cce0e *Source\Yuubari\yuubari.ico 
-9983303e97ab3f5c8f8513622a5aab86d85219eb2e6e8f6a7ab6b98527b17c9d *Source\Yuubari\Yuubari.vcxproj +21a03a822b0eb6580a5e626b302e209f26e28b84b4e4a43f78a6c72e79a2c19e *Source\Yuubari\Yuubari.vcxproj 5f0cc11346f91e922f9779d307b12745b7abd841c64f5be7681437f3be13af67 *Source\Yuubari\Yuubari.vcxproj.filters f41690990d738d243f75d60ffe7a585027c0b379735b7d9d6df9cba7c7ad4c2c *Source\Yuubari\Yuubari.vcxproj.user ccac7cdcbd419f3184c3886f5c36669ff9f7714b57a1249e2bb4be07b492c8ac *Source\Yuubari\tests\test_fusion.c