2023-07-01 04:14:20 +02:00
|
|
|
#pragma once
|
|
|
|
|
|
|
|
|
|
// Structure representing a loaded module
|
|
|
|
|
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
|
|
|
|
|
{
|
2023-07-01 04:23:11 +02:00
|
|
|
PVOID Unknown1;
|
|
|
|
|
PVOID Unknown2;
|
|
|
|
|
PVOID Base;
|
|
|
|
|
ULONG Size;
|
|
|
|
|
ULONG Flags;
|
|
|
|
|
USHORT Index;
|
|
|
|
|
USHORT NameLength;
|
|
|
|
|
USHORT LoadCount;
|
|
|
|
|
USHORT PathLength;
|
|
|
|
|
CHAR ImageName[256];
|
|
|
|
|
} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
|
2023-07-01 04:14:20 +02:00
|
|
|
|
|
|
|
|
// Structure representing the loaded module information
|
|
|
|
|
typedef struct _SYSTEM_MODULE_INFORMATION
|
|
|
|
|
{
|
2023-07-01 04:23:11 +02:00
|
|
|
ULONG Count;
|
|
|
|
|
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
|
|
|
|
|
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
|
2023-07-01 04:14:20 +02:00
|
|
|
|
|
|
|
|
// Function prototype for ZwQuerySystemInformation
|
|
|
|
|
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
|
2023-07-01 04:23:11 +02:00
|
|
|
ULONG SystemInformationClass,
|
|
|
|
|
PVOID SystemInformation,
|
|
|
|
|
ULONG SystemInformationLength,
|
|
|
|
|
PULONG ReturnLength
|
2023-07-01 04:14:20 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef struct _LDR_DATA_TABLE_ENTRY
|
|
|
|
|
{
|
2023-07-01 04:23:11 +02:00
|
|
|
LIST_ENTRY64 InLoadOrderLinks;
|
|
|
|
|
PVOID ExceptionTable;
|
|
|
|
|
ULONG ExceptionTableSize;
|
|
|
|
|
PVOID GpValue;
|
|
|
|
|
PVOID NonPagedDebugInfo;
|
|
|
|
|
PVOID ImageBase;
|
|
|
|
|
PVOID EntryPoint;
|
|
|
|
|
ULONG SizeOfImage;
|
|
|
|
|
UNICODE_STRING FullImageName;
|
|
|
|
|
UNICODE_STRING BaseImageName;
|
|
|
|
|
ULONG Flags;
|
|
|
|
|
USHORT LoadCount;
|
|
|
|
|
USHORT TlsIndex;
|
|
|
|
|
LIST_ENTRY64 HashLinks;
|
|
|
|
|
PVOID SectionPointer;
|
|
|
|
|
ULONG CheckSum;
|
|
|
|
|
ULONG TimeDateStamp;
|
|
|
|
|
PVOID LoadedImports;
|
|
|
|
|
PVOID EntryPointActivationContext;
|
|
|
|
|
PVOID PatchInformation;
|
|
|
|
|
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
|
2023-07-01 04:14:20 +02:00
|
|
|
|
2023-07-01 04:23:11 +02:00
|
|
|
typedef PVOID(NTAPI* t_RtlImageDirectoryEntryToData)(
|
|
|
|
|
IN PVOID Base,
|
|
|
|
|
IN BOOLEAN MappedAsImage,
|
|
|
|
|
IN USHORT DirectoryEntry,
|
|
|
|
|
OUT PULONG Size
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
typedef
|
|
|
|
|
_IRQL_requires_same_
|
|
|
|
|
_Function_class_(DOMITO_ALLOCATE_ROUTINE)
|
|
|
|
|
__drv_allocatesMem(Mem)
|
|
|
|
|
PVOID
|
|
|
|
|
NTAPI
|
|
|
|
|
DOMITO_ALLOCATE_ROUTINE(
|
|
|
|
|
_In_ SIZE_T ByteSize
|
2023-07-01 04:14:20 +02:00
|
|
|
);
|
2023-07-01 04:23:11 +02:00
|
|
|
typedef DOMITO_ALLOCATE_ROUTINE* PDOMITO_ALLOCATE_ROUTINE;
|
2023-07-01 04:14:20 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
_Success_(return == STATUS_SUCCESS)
|
|
|
|
|
_Must_inspect_result_
|
|
|
|
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
|
|
|
EXTERN_C
|
|
|
|
|
NTSTATUS
|
|
|
|
|
DomitoFindDriverBaseAddress(
|
2023-07-01 04:23:11 +02:00
|
|
|
_In_ STRING ModuleName,
|
|
|
|
|
_Inout_opt_ PVOID * ModuleBase
|
2023-07-01 04:14:20 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
_Success_(return == STATUS_SUCCESS)
|
|
|
|
|
_Must_inspect_result_
|
|
|
|
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
|
|
|
EXTERN_C
|
|
|
|
|
NTSTATUS
|
|
|
|
|
DomitoFindExportedFunctionAddress(
|
2023-07-01 04:23:11 +02:00
|
|
|
_In_ PVOID ModuleBase,
|
|
|
|
|
_In_ STRING FunctionName,
|
|
|
|
|
_Inout_opt_ PVOID * FunctionAddress
|
2023-07-01 04:14:20 +02:00
|
|
|
);
|
