Damnation Posted April 29, 2022 Posted April 29, 2022 @Mov AX, 0xDEAD If you're feeling motivated, can we start working on NDIS6 support for XP? missing imports - ndis - NtTraceControl KeRegisterProcessorChangeCallback RtlNumberOfSetBitsUlongPtr KeTestSpinLock IoGetDeviceNumaNode NtQuerySystemInformationEx netio - MmAllocatePagesForMdlEx KeFreeCalloutStack KeAllocateCalloutStack SeCaptureSubjectContextEx KeTestSpinLock SeAccessCheckFromState RtlCreateHashTable RtlDeleteHashTable RtlGetNextEntryHashTable RtlLookupEntryHashTable RtlRemoveEntryHashTable RtlInsertEntryHashTable RtlEndEnumerationHashTable RtlEnumerateEntryHashTable RtlInitEnumerationHashTable RtlContractHashTable RtlExpandHashTable msrpc - IoSetIoCompletionEx ZwAlpcCancelMessage ZwAlpcCreatePortSection ZwAlpcCreateResourceReserve ZwAlpcCreateSectionView ZwAlpcCreateSecurityContext ZwAlpcDeletePortSection ZwAlpcDeleteSectionView ZwAlpcDeleteSecurityContext ZwAlpcDisconnectPort ZwAlpcQueryInformation ZwAlpcSetInformation ZwCreateIoCompletion ZwImpersonateAnonymousToken ZwRemoveIoCompletionEx
Damnation Posted April 30, 2022 Author Posted April 30, 2022 I made a start on ndis6 code in ntoskrn8.c Quote /////////////////////////////////////////////////////////////////// ////////////////////////////// ndis6 ////////////////////////////// /////////////////////////////////////////////////////////////////// struct _EXCEPTION_REGISTRATION_RECORD { struct _EXCEPTION_REGISTRATION_RECORD *Next; enum _EXCEPTION_DISPOSITION ( *Handler)(struct _EXCEPTION_RECORD *,void *,struct _CONTEXT *,void *); } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD; struct _EH_EXCEPTION_REGISTRATION_RECORD { void *SavedESP; struct _EXCEPTION_POINTERS *ExceptionPointers; struct _EXCEPTION_REGISTRATION_RECORD SubRecord; unsigned int EncodedScopeTable; unsigned long TryLevel; } EH_EXCEPTION_REGISTRATION_RECORD, *PEH_EXCEPTION_REGISTRATION_RECORD; NTSTATUS NtTraceControl_k8 ( ULONG FunctionCode, PVOID InBuffer, ULONG InBufferLen, PVOID OutBuffer, ULONG OutBufferLen, ULONG *ReturnSize); NTSTATUS NtTraceControl_k8 ( ULONG FunctionCode, PVOID InBuffer, ULONG InBufferLen, PVOID OutBuffer, ULONG OutBufferLen, ULONG *ReturnSize) { // unsigned int ReturnSize; // [esp-52] unsigned int LocalReturnLength; // [esp-36] struct _EH_EXCEPTION_REGISTRATION_RECORD ExceptionRegistration; // [esp-28] unsigned int local_0x4; // [esp-4] struct _EH_EXCEPTION_REGISTRATION_RECORD esp; // esp unsigned int ebp; // ebp void * fs; // fs unsigned long * v3; // eax unsigned long NumberOfBytes; // eax struct _GUID * RealtimeConnectContext; // eax long v1; // eax struct _EH_EXCEPTION_REGISTRATION_RECORD v2; // esp /* local_0x4 = 40; ExceptionRegistration.TryLevel = &scope_table_365; ExceptionRegistration.ScopeTable = &NtTraceControl+0xC; ExceptionRegistration.Handler = &_except_handler4; ExceptionRegistration.Next = *fs; local_0x4 = ebp; ExceptionRegistration.TryLevel = &scope_table_365 ^ __security_cookie; ExceptionRegistration.SavedEsp = esp.SavedEsp - 76; ExceptionRegistration.TryLevel = 4294967294; ExceptionRegistration.ScopeTable = &scope_table_365 ^ __security_cookie; *fs = &ExceptionRegistration.Next; RealtimeConnectContext = 0; LocalReturnLength = 0; if( *(*((unsigned char *)fs + 292) + 231) == 0 ) { node_19: if( InBufferLen == 0 && OutBufferLen == 0 ) { RealtimeConnectContext = 0; } else { if( InBufferLen <= OutBufferLen ) { NumberOfBytes = OutBufferLen; } else { NumberOfBytes = InBufferLen; } RealtimeConnectContext = ExAllocatePoolWithQuotaTag( 9, NumberOfBytes, 1350005829 ); if( RealtimeConnectContext == 0 ) { v1 = -1073741801; v2.SavedEsp = esp.SavedEsp + 4294967220; if( RealtimeConnectContext != 0 ) { *(v2.SavedEsp + 4294967292) = 0; *(v2.SavedEsp + 4294967288) = RealtimeConnectContext; *(v2.SavedEsp + 4294967284) = &code_0x1EEF93; ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) ); } *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7; *fs = ExceptionRegistration.Next; return v1; } else if( InBuffer != 0 ) { memcpy( RealtimeConnectContext, InBuffer, InBufferLen ); } } if( FunctionCode < 18 ) { if( FunctionCode != 17 ) { if( FunctionCode < 14 ) { if( FunctionCode != 13 ) { if( FunctionCode != 0 ) { if( FunctionCode > 5 ) { if( FunctionCode != 11 ) { if( FunctionCode == 12 ) { if( InBufferLen == 16 && OutBufferLen == 16 ) { EtwpCreateActivityId( RealtimeConnectContext ); LocalReturnLength = 16; v1 = 0; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } } else if( InBufferLen == 32 && OutBufferLen == 32 ) { v1 = EtwpRealtimeConnect( RealtimeConnectContext ); LocalReturnLength = 32; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else { if( InBufferLen < 176 || OutBufferLen < 176 ) { v1 = -1073741306; } else { if( RealtimeConnectContext == 0 ) { v1 = -1073741811; } else if( RealtimeConnectContext->Data1 < 176 ) { v1 = -1073741306; } else { v1 = ((RealtimeConnectContext[2].Data4[4] & 0x20000) != 0 & 0x3FFFFFF3) + 3221225485; } if( v1 >= 0 ) { if( RealtimeConnectContext->Data1 > InBufferLen ) { v1 = -1073741306; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { v1 = 0; } } } if( v1 < 0 ) { v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { switch( FunctionCode ) { case 1: { v1 = EtwpStartTrace( RealtimeConnectContext ); break; } case 2: { v1 = EtwpStopTrace( RealtimeConnectContext, 0 ); break; } case 3: { v1 = EtwpQueryTrace( RealtimeConnectContext ); break; } case 4: { v1 = EtwpUpdateTrace( RealtimeConnectContext ); break; } case 5: { v1 = EtwpFlushTrace( RealtimeConnectContext ); break; } } LocalReturnLength = 176; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } } } } else if( InBufferLen == 48 && OutBufferLen == 0 ) { v1 = WdiDispatchControl( __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { goto node_167; } } else if( FunctionCode != 14 ) { if( FunctionCode != 15 ) { if( FunctionCode == 16 ) { if( InBufferLen == 0 && OutBufferLen < 65537 ) { v1 = EtwpReceiveNotification( RealtimeConnectContext, OutBufferLen, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } } else if( InBufferLen == 160 && OutBufferLen == 160 ) { v1 = EtwpRegisterUMGuid( RealtimeConnectContext ); LocalReturnLength = 160; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen == 8 && OutBufferLen == 0 ) { v1 = EtwpRealtimeDisconnectConsumer( RealtimeConnectContext->Data2, __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { goto node_167; } } else if( InBufferLen < 72 || OutBufferLen != 72 && OutBufferLen != 0 || InBufferLen != RealtimeConnectContext->Data2 ) { goto node_167; } else { if( RealtimeConnectContext->Data1 == 3 ) { v1 = EtwpEnableGuid( 1, __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { v1 = EtwpNotifyGuid( __security_cookie ^ &local_0x4 ); LocalReturnLength = OutBufferLen; v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } } } else if( FunctionCode != 18 ) { if( FunctionCode != 19 ) { if( FunctionCode != 20 ) { if( FunctionCode == 21 ) { LocalReturnLength = OutBufferLen; v1 = EtwpGetTraceGuidList( RealtimeConnectContext, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else if( FunctionCode != 22 ) { if( FunctionCode == 23 ) { LocalReturnLength = OutBufferLen; v1 = EtwpEnumerateTraceGuids( RealtimeConnectContext, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else if( FunctionCode == 24 ) { if( InBufferLen != 0 || OutBufferLen != 0 ) { goto node_167; } else if( EtwpSecurityProviderPID != 0 ) { v1 = -1073741790; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { EtwpSecurityProviderPID = *(*((unsigned char *)fs + 292) + 524); v1 = 0; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } } } else if( InBufferLen == 16 ) { LocalReturnLength = OutBufferLen; v1 = EtwpGetTraceGuidInfo( RealtimeConnectContext, RealtimeConnectContext, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen == 0 && OutBufferLen == 0 ) { v1 = WdiUpdateSem(); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen == 8 && OutBufferLen > 71 ) { v1 = EtwpReceiveReplyDataBlock( RealtimeConnectContext, OutBufferLen, &ReturnSize ); LocalReturnLength = ReturnSize; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen > 71 && InBufferLen == RealtimeConnectContext->Data2 ) { RealtimeConnectContext[2].Data2 = *(*((unsigned char *)fs + 292) + 524); v1 = EtwpSendReplyDataBlock( __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { goto node_167; } v1 = -1073741808; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; node_167: v1 = -1073741811; v2.SavedEsp = esp.SavedEsp + 4294967220; node_231: if( v1 >= 0 ) { if( LocalReturnLength != 0 ) { *(v2.SavedEsp + 4294967292) = LocalReturnLength; *(v2.SavedEsp + 4294967288) = RealtimeConnectContext; *(v2.SavedEsp + 4294967284) = OutBuffer; *(v2.SavedEsp + 4294967280) = &code_0x1EEF1D+0xC; memcpy( *(v2.SavedEsp + 4294967284), *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) ); } ReturnLength[0] = LocalReturnLength; } if( v1 == -1073741789 && (FunctionCode == 16 || FunctionCode == 21 || FunctionCode == 22) || FunctionCode == 23 || FunctionCode == 19 ) { ReturnLength[0] = LocalReturnLength; } } else { if( InBuffer == 0 ) { InBufferLen = 0; } else if( InBufferLen != 0 && (InBufferLen + InBuffer > MmUserProbeAddress || InBufferLen + InBuffer < InBuffer) ) { *MmUserProbeAddress = 0; } if( OutBuffer != 0 ) { ProbeForWrite( OutBuffer, OutBufferLen, 1 ); } else { OutBufferLen = 0; } if( ReturnLength == 0 ) { v1 = -1073741811; v2.SavedEsp = esp.SavedEsp + 4294967220; } else { if( ReturnLength >= MmUserProbeAddress ) { v3 = MmUserProbeAddress; } else { v3 = ReturnLength; } v3[0] = v3[0]; goto node_19; } } if( RealtimeConnectContext != 0 ) { *(v2.SavedEsp + 4294967292) = 0; *(v2.SavedEsp + 4294967288) = RealtimeConnectContext; *(v2.SavedEsp + 4294967284) = &code_0x1EEF93; ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) ); } *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7; *fs = ExceptionRegistration.Next; return v1; // */ return STATUS_SUCCESS; } PVOID KeRegisterProcessorChangeCallback_k8( PPROCESSOR_CALLBACK_FUNCTION CallbackFunction, PVOID CallbackContext, ULONG Flags ); PVOID KeRegisterProcessorChangeCallback_k8( PPROCESSOR_CALLBACK_FUNCTION CallbackFunction, PVOID CallbackContext, ULONG Flags ) { return STATUS_SUCCESS; } #pragma warning(disable : 4333) // // Lookup table that tells how many clear bits (i.e., 0) there are in a byte // CONST CCHAR RtlpBitsClearTotal[] = { 8,7,7,6,7,6,6,5,7,6,6,5,6,5,5,4, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 4,3,3,2,3,2,2,1,3,2,2,1,2,1,1,0 }; ULONG RtlNumberOfSetBitsUlongPtr_k8( ULONG_PTR Target ); ULONG RtlNumberOfSetBitsUlongPtr_k8( ULONG_PTR Target ) { unsigned long v1; // eax unsigned long v2; // edx unsigned long v3; // edx v1 = (unsigned char)~Target & 0xFFFFFF00 | RtlpBitsClearTotal[(unsigned char)~Target]; v2 = ~Target >> 24 & 0xFFFFFF00 | RtlpBitsClearTotal[~Target >> 24]; v3 = v2 & 0xFFFFFF00 | (unsigned char)v2 + RtlpBitsClearTotal[(unsigned char)~Target >> 16]; return (unsigned char)v3 & 0xFFFFFF00 | v3 + (v1 & 0xFFFFFF00 | (unsigned char)v1 + RtlpBitsClearTotal[(unsigned char)~Target / 256]); } typedef enum _MI_PFN_CACHE_ATTRIBUTE { MiNonCached, MiCached, MiWriteCombined, MiNotMapped } MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE; // // Cache control stuff. Note this may be overridden by deficient hardware // platforms at startup. // MI_PFN_CACHE_ATTRIBUTE MiPlatformCacheAttributes[2 * MmMaximumCacheType] = { // // Memory space // MiNonCached, MiCached, MiWriteCombined, MiCached, MiNonCached, MiWriteCombined, // // I/O space // MiNonCached, MiCached, MiWriteCombined, MiCached, MiNonCached, MiWriteCombined }; PMDL MmAllocatePagesForMdlEx_k8( PHYSICAL_ADDRESS LowAddress, PHYSICAL_ADDRESS HighAddress, PHYSICAL_ADDRESS SkipBytes, SIZE_T TotalBytes, MEMORY_CACHING_TYPE CacheType, ULONG Flags ); PMDL MmAllocatePagesForMdlEx_k8( PHYSICAL_ADDRESS LowAddress, PHYSICAL_ADDRESS HighAddress, PHYSICAL_ADDRESS SkipBytes, SIZE_T TotalBytes, MEMORY_CACHING_TYPE CacheType, ULONG Flags ) { /* enum _MI_PFN_CACHE_ATTRIBUTE CacheAttribute; // eax struct _MDL * v1; // eax if( CacheType > 2 ) { CacheAttribute = 3; } else { CacheAttribute = MiPlatformCacheAttributes[CacheType]; } if( (Flags & 0xFFFFFFFC) != 0 ) { v1 = 0; } else { // v1 = MiAllocatePagesForMdl( LowAddress.u.LowPart, HighAddress.u.LowPart, SkipBytes.u.LowPart, TotalBytes, CacheAttribute, Flags ); v1 = MmAllocatePagesForMdl( LowAddress.u.LowPart, HighAddress.u.LowPart, SkipBytes.u.LowPart, TotalBytes ); } return v1; */ return MmAllocatePagesForMdl( LowAddress, HighAddress, SkipBytes, TotalBytes ); } BOOLEAN KeTestSpinLock_k8( PKSPIN_LOCK SpinLock ); BOOLEAN KeTestSpinLock_k8( PKSPIN_LOCK SpinLock ) { return TRUE; } NTSTATUS IoGetDeviceNumaNode_k8( PDEVICE_OBJECT Pdo, PUSHORT NodeNumber ); NTSTATUS IoGetDeviceNumaNode_k8( PDEVICE_OBJECT Pdo, PUSHORT NodeNumber ) { return STATUS_SUCCESS; } NTSTATUS ZwQuerySystemInformationEx_k8 ( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID InputBuffer, ULONG InputBufferLength, PVOID SystemInformation, ULONG SystemInformationLength, ULONG *ReturnLength); NTSTATUS ZwQuerySystemInformationEx_k8 ( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID InputBuffer, ULONG InputBufferLength, PVOID SystemInformation, ULONG SystemInformationLength, ULONG *ReturnLength) { return STATUS_SUCCESS; } VOID MmDeleteKernelStack ( IN PVOID PointerKernelStack, IN BOOLEAN LargeStack ); VOID MmDeleteKernelStack ( IN PVOID PointerKernelStack, IN BOOLEAN LargeStack ) { return; } VOID KeFreeCalloutStack_k8 ( PVOID Context ); VOID KeFreeCalloutStack_k8 ( PVOID Context ) { // MmDeleteKernelStack( *((unsigned char *)Context + 8), *((unsigned char *)Context + 4) ); ExFreePoolWithTag( Context, 0 ); } ///////////////////////////////////////////////////////////////////
Damnation Posted May 1, 2022 Author Posted May 1, 2022 (edited) some more~ added the HashTable functions with psuedocode. Quote /////////////////////////////////////////////////////////////////// ////////////////////////////// ndis6 ////////////////////////////// /////////////////////////////////////////////////////////////////// struct _EXCEPTION_REGISTRATION_RECORD { struct _EXCEPTION_REGISTRATION_RECORD *Next; enum _EXCEPTION_DISPOSITION ( *Handler)(struct _EXCEPTION_RECORD *,void *,struct _CONTEXT *,void *); } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD; struct _EH_EXCEPTION_REGISTRATION_RECORD { void *SavedESP; struct _EXCEPTION_POINTERS *ExceptionPointers; struct _EXCEPTION_REGISTRATION_RECORD SubRecord; unsigned int EncodedScopeTable; unsigned long TryLevel; } EH_EXCEPTION_REGISTRATION_RECORD, *PEH_EXCEPTION_REGISTRATION_RECORD; NTSTATUS NtTraceControl_k8 ( ULONG FunctionCode, PVOID InBuffer, ULONG InBufferLen, PVOID OutBuffer, ULONG OutBufferLen, ULONG *ReturnSize); NTSTATUS NtTraceControl_k8 ( ULONG FunctionCode, PVOID InBuffer, ULONG InBufferLen, PVOID OutBuffer, ULONG OutBufferLen, ULONG *ReturnSize) { // unsigned int ReturnSize; // [esp-52] unsigned int LocalReturnLength; // [esp-36] struct _EH_EXCEPTION_REGISTRATION_RECORD ExceptionRegistration; // [esp-28] unsigned int local_0x4; // [esp-4] struct _EH_EXCEPTION_REGISTRATION_RECORD esp; // esp unsigned int ebp; // ebp void * fs; // fs unsigned long * v3; // eax unsigned long NumberOfBytes; // eax struct _GUID * RealtimeConnectContext; // eax long v1; // eax struct _EH_EXCEPTION_REGISTRATION_RECORD v2; // esp /* local_0x4 = 40; ExceptionRegistration.TryLevel = &scope_table_365; ExceptionRegistration.ScopeTable = &NtTraceControl+0xC; ExceptionRegistration.Handler = &_except_handler4; ExceptionRegistration.Next = *fs; local_0x4 = ebp; ExceptionRegistration.TryLevel = &scope_table_365 ^ __security_cookie; ExceptionRegistration.SavedEsp = esp.SavedEsp - 76; ExceptionRegistration.TryLevel = 4294967294; ExceptionRegistration.ScopeTable = &scope_table_365 ^ __security_cookie; *fs = &ExceptionRegistration.Next; RealtimeConnectContext = 0; LocalReturnLength = 0; if( *(*((unsigned char *)fs + 292) + 231) == 0 ) { node_19: if( InBufferLen == 0 && OutBufferLen == 0 ) { RealtimeConnectContext = 0; } else { if( InBufferLen <= OutBufferLen ) { NumberOfBytes = OutBufferLen; } else { NumberOfBytes = InBufferLen; } RealtimeConnectContext = ExAllocatePoolWithQuotaTag( 9, NumberOfBytes, 1350005829 ); if( RealtimeConnectContext == 0 ) { v1 = -1073741801; v2.SavedEsp = esp.SavedEsp + 4294967220; if( RealtimeConnectContext != 0 ) { *(v2.SavedEsp + 4294967292) = 0; *(v2.SavedEsp + 4294967288) = RealtimeConnectContext; *(v2.SavedEsp + 4294967284) = &code_0x1EEF93; ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) ); } *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7; *fs = ExceptionRegistration.Next; return v1; } else if( InBuffer != 0 ) { memcpy( RealtimeConnectContext, InBuffer, InBufferLen ); } } if( FunctionCode < 18 ) { if( FunctionCode != 17 ) { if( FunctionCode < 14 ) { if( FunctionCode != 13 ) { if( FunctionCode != 0 ) { if( FunctionCode > 5 ) { if( FunctionCode != 11 ) { if( FunctionCode == 12 ) { if( InBufferLen == 16 && OutBufferLen == 16 ) { EtwpCreateActivityId( RealtimeConnectContext ); LocalReturnLength = 16; v1 = 0; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } } else if( InBufferLen == 32 && OutBufferLen == 32 ) { v1 = EtwpRealtimeConnect( RealtimeConnectContext ); LocalReturnLength = 32; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else { if( InBufferLen < 176 || OutBufferLen < 176 ) { v1 = -1073741306; } else { if( RealtimeConnectContext == 0 ) { v1 = -1073741811; } else if( RealtimeConnectContext->Data1 < 176 ) { v1 = -1073741306; } else { v1 = ((RealtimeConnectContext[2].Data4[4] & 0x20000) != 0 & 0x3FFFFFF3) + 3221225485; } if( v1 >= 0 ) { if( RealtimeConnectContext->Data1 > InBufferLen ) { v1 = -1073741306; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { v1 = 0; } } } if( v1 < 0 ) { v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { switch( FunctionCode ) { case 1: { v1 = EtwpStartTrace( RealtimeConnectContext ); break; } case 2: { v1 = EtwpStopTrace( RealtimeConnectContext, 0 ); break; } case 3: { v1 = EtwpQueryTrace( RealtimeConnectContext ); break; } case 4: { v1 = EtwpUpdateTrace( RealtimeConnectContext ); break; } case 5: { v1 = EtwpFlushTrace( RealtimeConnectContext ); break; } } LocalReturnLength = 176; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } } } } else if( InBufferLen == 48 && OutBufferLen == 0 ) { v1 = WdiDispatchControl( __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { goto node_167; } } else if( FunctionCode != 14 ) { if( FunctionCode != 15 ) { if( FunctionCode == 16 ) { if( InBufferLen == 0 && OutBufferLen < 65537 ) { v1 = EtwpReceiveNotification( RealtimeConnectContext, OutBufferLen, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } } else if( InBufferLen == 160 && OutBufferLen == 160 ) { v1 = EtwpRegisterUMGuid( RealtimeConnectContext ); LocalReturnLength = 160; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen == 8 && OutBufferLen == 0 ) { v1 = EtwpRealtimeDisconnectConsumer( RealtimeConnectContext->Data2, __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { goto node_167; } } else if( InBufferLen < 72 || OutBufferLen != 72 && OutBufferLen != 0 || InBufferLen != RealtimeConnectContext->Data2 ) { goto node_167; } else { if( RealtimeConnectContext->Data1 == 3 ) { v1 = EtwpEnableGuid( 1, __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { v1 = EtwpNotifyGuid( __security_cookie ^ &local_0x4 ); LocalReturnLength = OutBufferLen; v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } } } else if( FunctionCode != 18 ) { if( FunctionCode != 19 ) { if( FunctionCode != 20 ) { if( FunctionCode == 21 ) { LocalReturnLength = OutBufferLen; v1 = EtwpGetTraceGuidList( RealtimeConnectContext, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else if( FunctionCode != 22 ) { if( FunctionCode == 23 ) { LocalReturnLength = OutBufferLen; v1 = EtwpEnumerateTraceGuids( RealtimeConnectContext, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else if( FunctionCode == 24 ) { if( InBufferLen != 0 || OutBufferLen != 0 ) { goto node_167; } else if( EtwpSecurityProviderPID != 0 ) { v1 = -1073741790; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { EtwpSecurityProviderPID = *(*((unsigned char *)fs + 292) + 524); v1 = 0; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } } } else if( InBufferLen == 16 ) { LocalReturnLength = OutBufferLen; v1 = EtwpGetTraceGuidInfo( RealtimeConnectContext, RealtimeConnectContext, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen == 0 && OutBufferLen == 0 ) { v1 = WdiUpdateSem(); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen == 8 && OutBufferLen > 71 ) { v1 = EtwpReceiveReplyDataBlock( RealtimeConnectContext, OutBufferLen, &ReturnSize ); LocalReturnLength = ReturnSize; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen > 71 && InBufferLen == RealtimeConnectContext->Data2 ) { RealtimeConnectContext[2].Data2 = *(*((unsigned char *)fs + 292) + 524); v1 = EtwpSendReplyDataBlock( __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { goto node_167; } v1 = -1073741808; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; node_167: v1 = -1073741811; v2.SavedEsp = esp.SavedEsp + 4294967220; node_231: if( v1 >= 0 ) { if( LocalReturnLength != 0 ) { *(v2.SavedEsp + 4294967292) = LocalReturnLength; *(v2.SavedEsp + 4294967288) = RealtimeConnectContext; *(v2.SavedEsp + 4294967284) = OutBuffer; *(v2.SavedEsp + 4294967280) = &code_0x1EEF1D+0xC; memcpy( *(v2.SavedEsp + 4294967284), *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) ); } ReturnLength[0] = LocalReturnLength; } if( v1 == -1073741789 && (FunctionCode == 16 || FunctionCode == 21 || FunctionCode == 22) || FunctionCode == 23 || FunctionCode == 19 ) { ReturnLength[0] = LocalReturnLength; } } else { if( InBuffer == 0 ) { InBufferLen = 0; } else if( InBufferLen != 0 && (InBufferLen + InBuffer > MmUserProbeAddress || InBufferLen + InBuffer < InBuffer) ) { *MmUserProbeAddress = 0; } if( OutBuffer != 0 ) { ProbeForWrite( OutBuffer, OutBufferLen, 1 ); } else { OutBufferLen = 0; } if( ReturnLength == 0 ) { v1 = -1073741811; v2.SavedEsp = esp.SavedEsp + 4294967220; } else { if( ReturnLength >= MmUserProbeAddress ) { v3 = MmUserProbeAddress; } else { v3 = ReturnLength; } v3[0] = v3[0]; goto node_19; } } if( RealtimeConnectContext != 0 ) { *(v2.SavedEsp + 4294967292) = 0; *(v2.SavedEsp + 4294967288) = RealtimeConnectContext; *(v2.SavedEsp + 4294967284) = &code_0x1EEF93; ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) ); } *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7; *fs = ExceptionRegistration.Next; return v1; // */ return STATUS_SUCCESS; } PVOID KeRegisterProcessorChangeCallback_k8( PPROCESSOR_CALLBACK_FUNCTION CallbackFunction, PVOID CallbackContext, ULONG Flags ); PVOID KeRegisterProcessorChangeCallback_k8( PPROCESSOR_CALLBACK_FUNCTION CallbackFunction, PVOID CallbackContext, ULONG Flags ) { return STATUS_SUCCESS; } #pragma warning(disable : 4333) // // Lookup table that tells how many clear bits (i.e., 0) there are in a byte // CONST CCHAR RtlpBitsClearTotal[] = { 8,7,7,6,7,6,6,5,7,6,6,5,6,5,5,4, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 4,3,3,2,3,2,2,1,3,2,2,1,2,1,1,0 }; ULONG RtlNumberOfSetBitsUlongPtr_k8( ULONG_PTR Target ); ULONG RtlNumberOfSetBitsUlongPtr_k8( ULONG_PTR Target ) { unsigned long v1; // eax unsigned long v2; // edx unsigned long v3; // edx v1 = (unsigned char)~Target & 0xFFFFFF00 | RtlpBitsClearTotal[(unsigned char)~Target]; v2 = ~Target >> 24 & 0xFFFFFF00 | RtlpBitsClearTotal[~Target >> 24]; v3 = v2 & 0xFFFFFF00 | (unsigned char)v2 + RtlpBitsClearTotal[(unsigned char)~Target >> 16]; return (unsigned char)v3 & 0xFFFFFF00 | v3 + (v1 & 0xFFFFFF00 | (unsigned char)v1 + RtlpBitsClearTotal[(unsigned char)~Target / 256]); } typedef enum _MI_PFN_CACHE_ATTRIBUTE { MiNonCached, MiCached, MiWriteCombined, MiNotMapped } MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE; // // Cache control stuff. Note this may be overridden by deficient hardware // platforms at startup. // MI_PFN_CACHE_ATTRIBUTE MiPlatformCacheAttributes[2 * MmMaximumCacheType] = { // // Memory space // MiNonCached, MiCached, MiWriteCombined, MiCached, MiNonCached, MiWriteCombined, // // I/O space // MiNonCached, MiCached, MiWriteCombined, MiCached, MiNonCached, MiWriteCombined }; PMDL MmAllocatePagesForMdlEx_k8( PHYSICAL_ADDRESS LowAddress, PHYSICAL_ADDRESS HighAddress, PHYSICAL_ADDRESS SkipBytes, SIZE_T TotalBytes, MEMORY_CACHING_TYPE CacheType, ULONG Flags ); PMDL MmAllocatePagesForMdlEx_k8( PHYSICAL_ADDRESS LowAddress, PHYSICAL_ADDRESS HighAddress, PHYSICAL_ADDRESS SkipBytes, SIZE_T TotalBytes, MEMORY_CACHING_TYPE CacheType, ULONG Flags ) { /* enum _MI_PFN_CACHE_ATTRIBUTE CacheAttribute; // eax struct _MDL * v1; // eax if( CacheType > 2 ) { CacheAttribute = 3; } else { CacheAttribute = MiPlatformCacheAttributes[CacheType]; } if( (Flags & 0xFFFFFFFC) != 0 ) { v1 = 0; } else { // v1 = MiAllocatePagesForMdl( LowAddress.u.LowPart, HighAddress.u.LowPart, SkipBytes.u.LowPart, TotalBytes, CacheAttribute, Flags ); v1 = MmAllocatePagesForMdl( LowAddress.u.LowPart, HighAddress.u.LowPart, SkipBytes.u.LowPart, TotalBytes ); } return v1; */ return MmAllocatePagesForMdl( LowAddress, HighAddress, SkipBytes, TotalBytes ); } BOOLEAN KeTestSpinLock_k8( PKSPIN_LOCK SpinLock ); BOOLEAN KeTestSpinLock_k8( PKSPIN_LOCK SpinLock ) { return TRUE; } NTSTATUS IoGetDeviceNumaNode_k8( PDEVICE_OBJECT Pdo, PUSHORT NodeNumber ); NTSTATUS IoGetDeviceNumaNode_k8( PDEVICE_OBJECT Pdo, PUSHORT NodeNumber ) { return STATUS_SUCCESS; } NTSTATUS ZwQuerySystemInformationEx_k8 ( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID InputBuffer, ULONG InputBufferLength, PVOID SystemInformation, ULONG SystemInformationLength, ULONG *ReturnLength); NTSTATUS ZwQuerySystemInformationEx_k8 ( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID InputBuffer, ULONG InputBufferLength, PVOID SystemInformation, ULONG SystemInformationLength, ULONG *ReturnLength) { return STATUS_SUCCESS; } VOID MmDeleteKernelStack ( PVOID PointerKernelStack, BOOLEAN LargeStack ); VOID MmDeleteKernelStack ( PVOID PointerKernelStack, BOOLEAN LargeStack ) { return; } VOID KeFreeCalloutStack_k8 ( PVOID Context ); VOID KeFreeCalloutStack_k8 ( PVOID Context ) { // MmDeleteKernelStack( *((unsigned char *)Context + 8), *((unsigned char *)Context + 4) ); ExFreePoolWithTag( Context, 0 ); } PVOID KeAllocateCalloutStack_k8 ( BOOLEAN LargeStack ); PVOID KeAllocateCalloutStack_k8 ( BOOLEAN LargeStack ) { void * P; // eax unsigned char v2; // ecx unsigned long StackFlags; // eax void * v1; // eax /* P = ExAllocatePoolWithTag( 0, 32, 1666409803 ); if( P == 0 ) { P = 0; } else { if( (unsigned char)LargeStack != 0 ) { StackFlags = 5; } else { StackFlags = 0; } v1 = MmCreateKernelStack( StackFlags, 0, 0 ); *((unsigned char *)P + 8) = v1; if( v1 == 0 ) { ExFreePoolWithTag( P, 0 ); P = 0; } else { *((unsigned char *)P + 4) = v1 & 0xFFFFFF00 | (unsigned char)LargeStack != 0; *P = 1801548883; *((unsigned char *)P + 12) = 0; *((unsigned char *)P + 17) = v2 & 0xFFFFFF00; *((unsigned char *)P + 16) = 7; *((unsigned char *)P + 18) = 4; *((unsigned char *)P + 20) = 1; *((unsigned char *)P + 28) = (unsigned char *)P + 16 + 8; *((unsigned char *)P + 24) = (unsigned char *)P + 16 + 8; } } return P; */ return STATUS_SUCCESS; } VOID SeCaptureSubjectContextEx_k8 ( PETHREAD Thread, PEPROCESS Process, PSECURITY_SUBJECT_CONTEXT SubjectContext ); VOID SeCaptureSubjectContextEx_k8 ( PETHREAD Thread, PEPROCESS Process, PSECURITY_SUBJECT_CONTEXT SubjectContext ) { unsigned char stack_0x7; // [esp+7] unsigned char stack_0xB; // [esp+11] void * v1; // eax void * v2; // eax /* SubjectContext->ProcessAuditId = *(Process[0] + 156); if( Thread[0] == 0 ) { SubjectContext->ClientToken = 0; } else { v1 = PsReferenceImpersonationToken( Thread[0], &stack_0xB, &stack_0x7, &SubjectContext->ImpersonationLevel ); SubjectContext->ClientToken = v1; } v2 = PsReferencePrimaryToken( Process[0] ); SubjectContext->PrimaryToken = v2; */ } BOOLEAN SeAccessCheckFromState_k8 ( PSECURITY_DESCRIPTOR SecurityDescriptor, PTOKEN_ACCESS_INFORMATION PrimaryTokenInformation, PTOKEN_ACCESS_INFORMATION ClientTokenInformation, ACCESS_MASK DesiredAccess, ACCESS_MASK PreviouslyGrantedAccess, PPRIVILEGE_SET *Privileges, PGENERIC_MAPPING GenericMapping, KPROCESSOR_MODE AccessMode, PACCESS_MASK GrantedAccess, PNTSTATUS AccessStatus ); BOOLEAN SeAccessCheckFromState_k8 ( PSECURITY_DESCRIPTOR SecurityDescriptor, PTOKEN_ACCESS_INFORMATION PrimaryTokenInformation, PTOKEN_ACCESS_INFORMATION ClientTokenInformation, ACCESS_MASK DesiredAccess, ACCESS_MASK PreviouslyGrantedAccess, PPRIVILEGE_SET *Privileges, PGENERIC_MAPPING GenericMapping, KPROCESSOR_MODE AccessMode, PACCESS_MASK GrantedAccess, PNTSTATUS AccessStatus ) { /* struct _TOKEN * local_0x404; // [esp-1028] unsigned char v1; // [esp-991] struct _TOKEN PrimaryToken; // [esp-988] unsigned int local_0xC; // [esp-12] struct _TOKEN_ACCESS_INFORMATION * AccessInformation1; // ebx unsigned int esp; // esp struct _TOKEN * Token; // esi struct _TOKEN_ACCESS_INFORMATION * AccessInformation; // edi unsigned char v3; // eax unsigned int v2; // esp local_0xC = __security_cookie ^ (esp - 4 & 0xFFFFFFF8) - 1020; local_0x404 = Privileges; memset( &v1, 0, 487 ); memset( &PrimaryToken, 0, 487 ); SepTokenFromAccessInformation( AccessInformation, Token ); if( ClientTokenInformation != 0 ) { SepTokenFromAccessInformation( AccessInformation1, local_0x404 ); v2 = (esp - 4 & 0xFFFFFFF8) + 4294966280; } else { v2 = (esp - 4 & 0xFFFFFFF8) + 4294966272; } *(v2 + 4294967292) = *(v2 + 20); *(v2 + 4294967288) = *(v2 + 28); *(v2 + 4294967284) = AccessMode; *(v2 + 4294967280) = GenericMapping; *(v2 + 4294967276) = *(v2 + 12); *(v2 + 4294967272) = PreviouslyGrantedAccess; *(v2 + 4294967268) = DesiredAccess; *(v2 + 4294967264) = 1; *(v2 + 4294967260) = v2 + 32; *(v2 + 4294967256) = *(v2 + 16); *(v2 + 4294967252) = &code_0x34BF8+0x28; v3 = SeAccessCheck( *(v2 + 4294967256), *(v2 + 4294967260), *(v2 + 4294967264), *(v2 + 4294967268), *(v2 + 4294967272), *(v2 + 4294967276), *(v2 + 4294967280), *(v2 + 4294967284), *(v2 + 4294967288), *(v2 + 4294967292) ); *(v2 + 8) = &code_0x34BF8+0x39; __security_check_cookie( *(v2 + 1028) ^ v2 + 12 ); return v3; */ return 0; } long __stdcall IoSetIoCompletionEx_k8 ( PVOID IoCompletion, PVOID KeyContext, PVOID ApcContext, long IoStatus, unsigned long IoStatusInformation, unsigned char Quota, PVOID MiniPacket ); long __stdcall IoSetIoCompletionEx_k8 ( PVOID IoCompletion, PVOID KeyContext, PVOID ApcContext, long IoStatus, unsigned long IoStatusInformation, unsigned char Quota, PVOID MiniPacket ) { /* long v1; // esi if( MiniPacket == 0 ) { MiniPacket = IopAllocateMiniCompletionPacket( 1, Quota ); if( MiniPacket == 0 ) { v1 = -1073741670; } else { *((unsigned char *)MiniPacket + 12) = KeyContext; *((unsigned char *)MiniPacket + 16) = ApcContext; *((unsigned char *)MiniPacket + 20) = IoStatus; *((unsigned char *)MiniPacket + 24) = IoStatusInformation; KeInsertQueue( IoCompletion, MiniPacket ); return 0; } } else { *((unsigned char *)MiniPacket + 12) = KeyContext; *((unsigned char *)MiniPacket + 16) = ApcContext; *((unsigned char *)MiniPacket + 20) = IoStatus; *((unsigned char *)MiniPacket + 24) = IoStatusInformation; KeInsertQueue( IoCompletion, MiniPacket ); v1 = 0; } return v1; */ return STATUS_SUCCESS; } VOID RtlDeleteHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ); VOID RtlDeleteHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ) { /* unsigned long v1; int v2; // edi unsigned long eax; // eax if( *(HashTable + 8) < 129 ) { eax = *(HashTable + 32); if( eax != 0 ) { eax = ExFreePoolWithTag( eax, 0 ); } } else { v1 = *(HashTable + 32); if( v1 != 0 ) { v2 = 0; while( *(v1 + v2 * 4) != 0 ) { ExFreePoolWithTag( *(v1 + v2 * 4), 0 ); if( v2 > 510 ) { break; } v2 += 1; } eax = ExFreePoolWithTag( v1, 0 ); } } if( (unsigned char)(*HashTable & 0x1) != 0 ) { eax = ExFreePoolWithTag( HashTable, 0 ); } return eax; */ return; } BOOLEAN RtlCreateHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE *HashTable, ULONG Shift, ULONG Flags ); BOOLEAN RtlCreateHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE *HashTable, ULONG Shift, ULONG Flags ) { /* unsigned long v4; int v6; // ecx unsigned long v5; // edi unsigned long v7; // eax unsigned long v2; // eax unsigned long v1; // edx unsigned long v3; // eax if( *HashTable == 0 ) { v2 = ExAllocatePoolWithTag( 0, 36, 1650545736 ); *HashTable = v2; if( v2 != 0 ) { v1 = 1; } else { goto node_30; } } else { v1 = 0; } v4 = *HashTable; v5 = v4; v6 = 9; while( v6 != 0 ) { *v5 = 0; v5 += 4; v6 -= 1; } *(v4 + 12) = 0; *v4 = v1 | Flags; *(v4 + 8) = 128; *(v4 + 16) = 127; *(v4 + 4) = Shift; v7 = RtlpAllocateSecondLevelDir(); if( v7 == 0 ) { v2 = RtlDeleteHashTable( v4 ); } else { *(v4 + 32) = v7; return v7 & 0xFFFFFF00 | 0x1; } node_30: return v2 & 0xFFFFFF00; */ return 0; } PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlGetNextEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlGetNextEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { /* unsigned long v1; unsigned int v3; // edx unsigned int v2; // edx v1 = ***(Context + 4); if( *Context == v1 ) { v1 = 0; } else { if( *(HashTable + 28) != 0 ) { v3 = **(Context + 4); while( *(*v3 + 8) == 0 ) { if( *Context == **v3 ) { v2 = *v3; v1 = *v3; goto node_21; } else { v3 = *v3; } } v2 = v3; v1 = *v3; } else { v2 = **(Context + 4); } node_21: if( *(Context + 8) == *(v1 + 8) ) { *(Context + 4) = v2; } else { return 0; } } return v1; */ return 0; } PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlLookupEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlLookupEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { /* unsigned long v1; unsigned long local_0x10; // [esp-16] unsigned long esi; // esi if( Context == 0 ) { Context = &local_0x10; } RtlpPopulateContext( Signature, esi, local_0x10 ); if( **(Context + 4) == *Context ) { v1 = 0; } else { v1 = ~-(Signature != *(**(Context + 4) + 8)) & **(Context + 4); } return v1; */ return 0; } BOOLEAN RtlRemoveEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); BOOLEAN RtlRemoveEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { /* unsigned long esi; // esi unsigned long edi; // edi unsigned long v1; // eax *(HashTable + 20) += 4294967295; if( *(Entry + 4) == *Entry ) { *(HashTable + 24) += 4294967295; } v1 = *(Entry + 4); *v1 = *Entry; *(*Entry + 4) = v1; if( Context != 0 && *Context == 0 ) { v1 = RtlpPopulateContext( *(Entry + 8), edi, esi ); } return v1 & 0xFFFFFF00 | 0x1; */ return 0; } BOOLEAN RtlInsertEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); BOOLEAN RtlInsertEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { /* unsigned int local_0x10; // [esp-16] unsigned long esi; // esi unsigned long edi; // edi *(Entry + 8) = Signature; *(HashTable + 20) += 1; if( Context == 0 ) { RtlpPopulateContext( Signature, edi, esi ); Context = &local_0x10; } else if( *Context == 0 ) { RtlpPopulateContext( Signature, edi, esi ); } if( *Context == **Context ) { *(HashTable + 24) += 1; } *(Entry + 4) = *(Context + 4); *Entry = **(Context + 4); *(**(Context + 4) + 4) = Entry; **(Context + 4) = Entry; return *(Context + 4) & 0xFFFFFF00 | 0x1; */ return 0; } VOID RtlEndEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); VOID RtlEndEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ) { /* *(HashTable + 28) += 4294967295; if( Enumerator != *Enumerator ) { **(Enumerator + 4) = *Enumerator; *(*Enumerator + 4) = *(Enumerator + 4); if( *(Enumerator + 12) == **(Enumerator + 12) ) { *(HashTable + 24) += 4294967295; } } *(Enumerator + 12) = 0; return Enumerator; */ return; } PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlEnumerateEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlEnumerateEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ) { /* int esp; // esp unsigned int v2; // ebx unsigned long v5; // eax int v1; // esp unsigned long v3; unsigned long v4; v1 = esp - 16; v2 = *(Enumerator + 16); while( v2 < *(HashTable + 8) ) { if( *(Enumerator + 16) == v2 ) { v5 = *(Enumerator + 12); v5 = Enumerator; break; } else { *(v1 - 4) = &code_0x8F619+0x9; v5 = RtlpGetChainHead( v3, v4 ); v1 += 8; break; } do { if( v5 == *v5 ) { goto node_61; } else { v5 = *v5; } } while( *(v5 + 8) == 0 ); **(Enumerator + 4) = *Enumerator; *(*Enumerator + 4) = *(Enumerator + 4); if( v5 != *(Enumerator + 12) ) { if( *(Enumerator + 12) == **(Enumerator + 12) ) { *(HashTable + 24) += 4294967295; } if( v5 == *v5 ) { *(HashTable + 24) += 1; } } *(Enumerator + 16) = v2; *(Enumerator + 12) = v5; *Enumerator = *v5; *(Enumerator + 4) = v5; *(*v5 + 4) = Enumerator; *v5 = Enumerator; goto node_23; node_61: v2 += 1; } v5 = 0; node_23: return v5; */ return 0; } BOOLEAN RtlInitEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); BOOLEAN RtlInitEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ) { /* unsigned int local_0x10; // [esp-16] unsigned long esi; // esi unsigned long edi; // edi RtlpPopulateContext( 0, edi, esi ); *(HashTable + 28) += 1; if( local_0x10 == *local_0x10 ) { *(HashTable + 24) += 1; } *Enumerator = *local_0x10; *(Enumerator + 4) = local_0x10; *(*local_0x10 + 4) = Enumerator; *local_0x10 = Enumerator; *(Enumerator + 16) = 0; *(Enumerator + 8) = 0; *(Enumerator + 12) = local_0x10; return Enumerator & 0xFFFFFF00 | 0x1; */ return 0; } BOOLEAN RtlContractHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ); BOOLEAN RtlContractHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ) { /* unsigned long v7; unsigned long eax; // eax unsigned long ebx; // ebx unsigned long ebp; // ebp unsigned long esi; // esi unsigned long edi; // edi unsigned int v1; // eax unsigned long v2; // eax unsigned long v3; // eax unsigned long v4; // edx unsigned long v6; // eax unsigned long v5; // eax unsigned long v8; // eax if( *(HashTable + 8) == 128 || *(HashTable + 28) != 0 ) { v8 = eax & 0xFFFFFF00; } else { if( *(HashTable + 12) == 0 ) { *(HashTable + 16) /= 2; v1 = *(HashTable + 16); } else { v1 = *(HashTable + 12) + 4294967295; } *(HashTable + 12) = v1; v2 = RtlpGetChainHead( edi, ebx ); v3 = RtlpGetChainHead( esi, ebp ); *(HashTable + 8) += 4294967295; if( v2 != *v2 && v3 != *v3 ) { *(HashTable + 24) += 4294967295; } v4 = v3; v5 = v4; while( v2 != *v2 ) { *v2 = **v2; *(**v2 + 4) = v2; if( v5 != *v4 ) { while( *(*v4 + 8) < *(*v2 + 8) ) { if( v3 == **v4 ) { v4 = *v4; v5 = v3; goto node_78; } else { v4 = *v4; } } } v5 = v3; node_78: **v2 = *v4; *(*v2 + 4) = v4; *(*v4 + 4) = *v2; *v4 = *v2; } if( (*(HashTable + 8) & 0x7F) == 0 ) { v7 = *(HashTable + 32); v6 = ExFreePoolWithTag( *(v7 + *(HashTable + 8) / 128 * 4), 0 ); *(v7 + *(HashTable + 8) / 128 * 4) = 0; if( *(HashTable + 8) == 128 ) { *(HashTable + 32) = *v7; v6 = ExFreePoolWithTag( v7, 0 ); } } else { v6 = *(HashTable + 8) / 128; } v8 = v6 & 0xFFFFFF00 | 0x1; } return v8; */ return 0; } BOOLEAN RtlExpandHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ); BOOLEAN RtlExpandHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ) { /* unsigned int v12; unsigned long v1; unsigned int v3; unsigned int v7; unsigned int v8; unsigned int v9; unsigned long v10; unsigned long eax; // eax unsigned long ebx; // ebx unsigned long edi; // edi unsigned long v5; // ecx int v2; // eax unsigned long v4; // eax unsigned long v11; // eax unsigned long v6; if( *(HashTable + 8) == 65536 || *(HashTable + 28) != 0 ) { v11 = eax & 0xFFFFFF00; } else { if( *(HashTable + 8) == 128 ) { v12 = *(HashTable + 32); v2 = ExAllocatePoolWithTag( 0, 2048, 1650545736 ); if( v2 != 0 ) { _memset( v2, 0, 2048 ); *v2 = v12; *(HashTable + 32) = v2; goto node_31; } } else { node_31: v1 = *(HashTable + 32); v2 = *(v1 + *(HashTable + 8) / 128 * 4); if( v2 == 0 ) { v2 = RtlpAllocateSecondLevelDir(); if( v2 != 0 ) { *(v1 + *(HashTable + 8) / 128 * 4) = v2; goto node_49; } else if( *(HashTable + 8) == 128 ) { *(HashTable + 32) = *v1; v2 = ExFreePoolWithTag( v1, 0 ); } } else { node_49: v3 = *(HashTable + 12); *(HashTable + 8) += 1; v4 = RtlpGetChainHead( edi, ebx ); *(HashTable + 12) = v3 + 1; if( v4 != *v4 ) { HashTable = v4; v5 = HashTable; while( 1 ) { v7 = *(*v5 + 8) >> (*(v6 + 4) & 0x1F) & (*(v6 + 16) + *(v6 + 16) | 0x1); if( *(v6 + 8) + 4294967295 == v7 ) { **(*v5 + 4) = **v5; *(**v5 + 4) = *(*v5 + 4); v8 = *(v2 + (*(v6 + 8) & 0x7F) * 8 + 4); **v5 = v2 + (*(v6 + 8) & 0x7F) * 8; *(*v5 + 4) = v8; *v8 = *v5; *(v2 + (*(v6 + 8) & 0x7F) * 8 + 4) = *v5; } else { HashTable = *v5; } if( v4 == *v6 ) { break; } v5 = v6; } v9 = *(v2 + (*(v6 + 8) & 0x7F) * 8); if( v2 + (*(v6 + 8) & 0x7F) * 8 != v9 ) { *(v6 + 24) += 1; } if( v4 == *v4 ) { *(v6 + 24) += 4294967295; } } if( *(HashTable + 16) + 1 == *(HashTable + 12) ) { v10 = *(HashTable + 16) + *(HashTable + 16) | 0x1; *(HashTable + 12) = 0; *(HashTable + 16) = v10; } else { v10 = *(HashTable + 16); } return v10 & 0xFFFFFF00 | 0x1; } } v11 = v2 & 0xFFFFFF00; } return v11; */ return 0; } /////////////////////////////////////////////////////////////////// Edited May 1, 2022 by Damnation
Damnation Posted May 2, 2022 Author Posted May 2, 2022 @Mov AX, 0xDEAD for functions like ZwAlpcCancelMessage and others NTSYSCALLAPI NTSTATUS NTAPI ZwAlpcCancelMessage(_In_ HANDLE PortHandle, _In_ ULONG Flags, _In_ PALPC_CONTEXT_ATTR MessageContext ); void __stdcall _ZwAlpcCancelMessage@12( int p1, int p2, int p3 ) { __asm.pushfd(); _KiSystemService(); } in asm void __stdcall _ZwAlpcCancelMessage@12( int p1, int p2, int p3 ) { mov eax, 0x14 lea edx, [p1] pushfd push 0x8 call _KiSystemService; void __cdecl( void ) ret 0xC } how should we implement this? should we take KiSystemService from trap.asm?
Damnation Posted May 2, 2022 Author Posted May 2, 2022 I've noticed that this part mov eax, 0x14 seems to increment upwords for each ZwAlpc function - I wonder why?
Damnation Posted May 2, 2022 Author Posted May 2, 2022 (edited) OK, all needed functions added for ndis6, although most are stubbed right now. edit: forgot NtQuerySystemInformationEx Quote /////////////////////////////////////////////////////////////////// ////////////////////////////// ndis6 ////////////////////////////// /////////////////////////////////////////////////////////////////// struct _EXCEPTION_REGISTRATION_RECORD { struct _EXCEPTION_REGISTRATION_RECORD *Next; enum _EXCEPTION_DISPOSITION ( *Handler)(struct _EXCEPTION_RECORD *,void *,struct _CONTEXT *,void *); } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD; struct _EH_EXCEPTION_REGISTRATION_RECORD { void *SavedESP; struct _EXCEPTION_POINTERS *ExceptionPointers; struct _EXCEPTION_REGISTRATION_RECORD SubRecord; unsigned int EncodedScopeTable; unsigned long TryLevel; } EH_EXCEPTION_REGISTRATION_RECORD, *PEH_EXCEPTION_REGISTRATION_RECORD; NTSTATUS NtTraceControl_k8 ( ULONG FunctionCode, PVOID InBuffer, ULONG InBufferLen, PVOID OutBuffer, ULONG OutBufferLen, ULONG *ReturnSize); NTSTATUS NtTraceControl_k8 ( ULONG FunctionCode, PVOID InBuffer, ULONG InBufferLen, PVOID OutBuffer, ULONG OutBufferLen, ULONG *ReturnSize) { /* // unsigned int ReturnSize; // [esp-52] unsigned int LocalReturnLength; // [esp-36] struct _EH_EXCEPTION_REGISTRATION_RECORD ExceptionRegistration; // [esp-28] unsigned int local_0x4; // [esp-4] struct _EH_EXCEPTION_REGISTRATION_RECORD esp; // esp unsigned int ebp; // ebp void * fs; // fs unsigned long * v3; // eax unsigned long NumberOfBytes; // eax struct _GUID * RealtimeConnectContext; // eax long v1; // eax struct _EH_EXCEPTION_REGISTRATION_RECORD v2; // esp /* local_0x4 = 40; ExceptionRegistration.TryLevel = &scope_table_365; ExceptionRegistration.ScopeTable = &NtTraceControl+0xC; ExceptionRegistration.Handler = &_except_handler4; ExceptionRegistration.Next = *fs; local_0x4 = ebp; ExceptionRegistration.TryLevel = &scope_table_365 ^ __security_cookie; ExceptionRegistration.SavedEsp = esp.SavedEsp - 76; ExceptionRegistration.TryLevel = 4294967294; ExceptionRegistration.ScopeTable = &scope_table_365 ^ __security_cookie; *fs = &ExceptionRegistration.Next; RealtimeConnectContext = 0; LocalReturnLength = 0; if( *(*((unsigned char *)fs + 292) + 231) == 0 ) { node_19: if( InBufferLen == 0 && OutBufferLen == 0 ) { RealtimeConnectContext = 0; } else { if( InBufferLen <= OutBufferLen ) { NumberOfBytes = OutBufferLen; } else { NumberOfBytes = InBufferLen; } RealtimeConnectContext = ExAllocatePoolWithQuotaTag( 9, NumberOfBytes, 1350005829 ); if( RealtimeConnectContext == 0 ) { v1 = -1073741801; v2.SavedEsp = esp.SavedEsp + 4294967220; if( RealtimeConnectContext != 0 ) { *(v2.SavedEsp + 4294967292) = 0; *(v2.SavedEsp + 4294967288) = RealtimeConnectContext; *(v2.SavedEsp + 4294967284) = &code_0x1EEF93; ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) ); } *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7; *fs = ExceptionRegistration.Next; return v1; } else if( InBuffer != 0 ) { memcpy( RealtimeConnectContext, InBuffer, InBufferLen ); } } if( FunctionCode < 18 ) { if( FunctionCode != 17 ) { if( FunctionCode < 14 ) { if( FunctionCode != 13 ) { if( FunctionCode != 0 ) { if( FunctionCode > 5 ) { if( FunctionCode != 11 ) { if( FunctionCode == 12 ) { if( InBufferLen == 16 && OutBufferLen == 16 ) { EtwpCreateActivityId( RealtimeConnectContext ); LocalReturnLength = 16; v1 = 0; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } } else if( InBufferLen == 32 && OutBufferLen == 32 ) { v1 = EtwpRealtimeConnect( RealtimeConnectContext ); LocalReturnLength = 32; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else { if( InBufferLen < 176 || OutBufferLen < 176 ) { v1 = -1073741306; } else { if( RealtimeConnectContext == 0 ) { v1 = -1073741811; } else if( RealtimeConnectContext->Data1 < 176 ) { v1 = -1073741306; } else { v1 = ((RealtimeConnectContext[2].Data4[4] & 0x20000) != 0 & 0x3FFFFFF3) + 3221225485; } if( v1 >= 0 ) { if( RealtimeConnectContext->Data1 > InBufferLen ) { v1 = -1073741306; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { v1 = 0; } } } if( v1 < 0 ) { v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { switch( FunctionCode ) { case 1: { v1 = EtwpStartTrace( RealtimeConnectContext ); break; } case 2: { v1 = EtwpStopTrace( RealtimeConnectContext, 0 ); break; } case 3: { v1 = EtwpQueryTrace( RealtimeConnectContext ); break; } case 4: { v1 = EtwpUpdateTrace( RealtimeConnectContext ); break; } case 5: { v1 = EtwpFlushTrace( RealtimeConnectContext ); break; } } LocalReturnLength = 176; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } } } } else if( InBufferLen == 48 && OutBufferLen == 0 ) { v1 = WdiDispatchControl( __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { goto node_167; } } else if( FunctionCode != 14 ) { if( FunctionCode != 15 ) { if( FunctionCode == 16 ) { if( InBufferLen == 0 && OutBufferLen < 65537 ) { v1 = EtwpReceiveNotification( RealtimeConnectContext, OutBufferLen, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } } else if( InBufferLen == 160 && OutBufferLen == 160 ) { v1 = EtwpRegisterUMGuid( RealtimeConnectContext ); LocalReturnLength = 160; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen == 8 && OutBufferLen == 0 ) { v1 = EtwpRealtimeDisconnectConsumer( RealtimeConnectContext->Data2, __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { goto node_167; } } else if( InBufferLen < 72 || OutBufferLen != 72 && OutBufferLen != 0 || InBufferLen != RealtimeConnectContext->Data2 ) { goto node_167; } else { if( RealtimeConnectContext->Data1 == 3 ) { v1 = EtwpEnableGuid( 1, __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { v1 = EtwpNotifyGuid( __security_cookie ^ &local_0x4 ); LocalReturnLength = OutBufferLen; v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } } } else if( FunctionCode != 18 ) { if( FunctionCode != 19 ) { if( FunctionCode != 20 ) { if( FunctionCode == 21 ) { LocalReturnLength = OutBufferLen; v1 = EtwpGetTraceGuidList( RealtimeConnectContext, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else if( FunctionCode != 22 ) { if( FunctionCode == 23 ) { LocalReturnLength = OutBufferLen; v1 = EtwpEnumerateTraceGuids( RealtimeConnectContext, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else if( FunctionCode == 24 ) { if( InBufferLen != 0 || OutBufferLen != 0 ) { goto node_167; } else if( EtwpSecurityProviderPID != 0 ) { v1 = -1073741790; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { EtwpSecurityProviderPID = *(*((unsigned char *)fs + 292) + 524); v1 = 0; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } } } else if( InBufferLen == 16 ) { LocalReturnLength = OutBufferLen; v1 = EtwpGetTraceGuidInfo( RealtimeConnectContext, RealtimeConnectContext, &LocalReturnLength ); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen == 0 && OutBufferLen == 0 ) { v1 = WdiUpdateSem(); v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen == 8 && OutBufferLen > 71 ) { v1 = EtwpReceiveReplyDataBlock( RealtimeConnectContext, OutBufferLen, &ReturnSize ); LocalReturnLength = ReturnSize; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; } else { goto node_167; } } else if( InBufferLen > 71 && InBufferLen == RealtimeConnectContext->Data2 ) { RealtimeConnectContext[2].Data2 = *(*((unsigned char *)fs + 292) + 524); v1 = EtwpSendReplyDataBlock( __security_cookie ^ &local_0x4 ); v2.SavedEsp = esp.SavedEsp + 4294967224; goto node_231; } else { goto node_167; } v1 = -1073741808; v2.SavedEsp = esp.SavedEsp + 4294967220; goto node_231; node_167: v1 = -1073741811; v2.SavedEsp = esp.SavedEsp + 4294967220; node_231: if( v1 >= 0 ) { if( LocalReturnLength != 0 ) { *(v2.SavedEsp + 4294967292) = LocalReturnLength; *(v2.SavedEsp + 4294967288) = RealtimeConnectContext; *(v2.SavedEsp + 4294967284) = OutBuffer; *(v2.SavedEsp + 4294967280) = &code_0x1EEF1D+0xC; memcpy( *(v2.SavedEsp + 4294967284), *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) ); } ReturnLength[0] = LocalReturnLength; } if( v1 == -1073741789 && (FunctionCode == 16 || FunctionCode == 21 || FunctionCode == 22) || FunctionCode == 23 || FunctionCode == 19 ) { ReturnLength[0] = LocalReturnLength; } } else { if( InBuffer == 0 ) { InBufferLen = 0; } else if( InBufferLen != 0 && (InBufferLen + InBuffer > MmUserProbeAddress || InBufferLen + InBuffer < InBuffer) ) { *MmUserProbeAddress = 0; } if( OutBuffer != 0 ) { ProbeForWrite( OutBuffer, OutBufferLen, 1 ); } else { OutBufferLen = 0; } if( ReturnLength == 0 ) { v1 = -1073741811; v2.SavedEsp = esp.SavedEsp + 4294967220; } else { if( ReturnLength >= MmUserProbeAddress ) { v3 = MmUserProbeAddress; } else { v3 = ReturnLength; } v3[0] = v3[0]; goto node_19; } } if( RealtimeConnectContext != 0 ) { *(v2.SavedEsp + 4294967292) = 0; *(v2.SavedEsp + 4294967288) = RealtimeConnectContext; *(v2.SavedEsp + 4294967284) = &code_0x1EEF93; ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) ); } *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7; *fs = ExceptionRegistration.Next; return v1; // */ return STATUS_SUCCESS; } PVOID KeRegisterProcessorChangeCallback_k8( PPROCESSOR_CALLBACK_FUNCTION CallbackFunction, PVOID CallbackContext, ULONG Flags ); PVOID KeRegisterProcessorChangeCallback_k8( PPROCESSOR_CALLBACK_FUNCTION CallbackFunction, PVOID CallbackContext, ULONG Flags ) { return STATUS_SUCCESS; } #pragma warning(disable : 4333) // // Lookup table that tells how many clear bits (i.e., 0) there are in a byte // CONST CCHAR RtlpBitsClearTotal[] = { 8,7,7,6,7,6,6,5,7,6,6,5,6,5,5,4, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1, 4,3,3,2,3,2,2,1,3,2,2,1,2,1,1,0 }; ULONG RtlNumberOfSetBitsUlongPtr_k8( ULONG_PTR Target ); ULONG RtlNumberOfSetBitsUlongPtr_k8( ULONG_PTR Target ) { unsigned long v1; // eax unsigned long v2; // edx unsigned long v3; // edx v1 = (unsigned char)~Target & 0xFFFFFF00 | RtlpBitsClearTotal[(unsigned char)~Target]; v2 = ~Target >> 24 & 0xFFFFFF00 | RtlpBitsClearTotal[~Target >> 24]; v3 = v2 & 0xFFFFFF00 | (unsigned char)v2 + RtlpBitsClearTotal[(unsigned char)~Target >> 16]; return (unsigned char)v3 & 0xFFFFFF00 | v3 + (v1 & 0xFFFFFF00 | (unsigned char)v1 + RtlpBitsClearTotal[(unsigned char)~Target / 256]); } typedef enum _MI_PFN_CACHE_ATTRIBUTE { MiNonCached, MiCached, MiWriteCombined, MiNotMapped } MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE; // // Cache control stuff. Note this may be overridden by deficient hardware // platforms at startup. // MI_PFN_CACHE_ATTRIBUTE MiPlatformCacheAttributes[2 * MmMaximumCacheType] = { // // Memory space // MiNonCached, MiCached, MiWriteCombined, MiCached, MiNonCached, MiWriteCombined, // // I/O space // MiNonCached, MiCached, MiWriteCombined, MiCached, MiNonCached, MiWriteCombined }; PMDL MmAllocatePagesForMdlEx_k8( PHYSICAL_ADDRESS LowAddress, PHYSICAL_ADDRESS HighAddress, PHYSICAL_ADDRESS SkipBytes, SIZE_T TotalBytes, MEMORY_CACHING_TYPE CacheType, ULONG Flags ); PMDL MmAllocatePagesForMdlEx_k8( PHYSICAL_ADDRESS LowAddress, PHYSICAL_ADDRESS HighAddress, PHYSICAL_ADDRESS SkipBytes, SIZE_T TotalBytes, MEMORY_CACHING_TYPE CacheType, ULONG Flags ) { /* enum _MI_PFN_CACHE_ATTRIBUTE CacheAttribute; // eax struct _MDL * v1; // eax if( CacheType > 2 ) { CacheAttribute = 3; } else { CacheAttribute = MiPlatformCacheAttributes[CacheType]; } if( (Flags & 0xFFFFFFFC) != 0 ) { v1 = 0; } else { // v1 = MiAllocatePagesForMdl( LowAddress.u.LowPart, HighAddress.u.LowPart, SkipBytes.u.LowPart, TotalBytes, CacheAttribute, Flags ); v1 = MmAllocatePagesForMdl( LowAddress.u.LowPart, HighAddress.u.LowPart, SkipBytes.u.LowPart, TotalBytes ); } return v1; */ return MmAllocatePagesForMdl( LowAddress, HighAddress, SkipBytes, TotalBytes ); } BOOLEAN KeTestSpinLock_k8( PKSPIN_LOCK SpinLock ); BOOLEAN KeTestSpinLock_k8( PKSPIN_LOCK SpinLock ) { return TRUE; } NTSTATUS IoGetDeviceNumaNode_k8( PDEVICE_OBJECT Pdo, PUSHORT NodeNumber ); NTSTATUS IoGetDeviceNumaNode_k8( PDEVICE_OBJECT Pdo, PUSHORT NodeNumber ) { return STATUS_SUCCESS; } NTSTATUS ZwQuerySystemInformationEx_k8 ( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID InputBuffer, ULONG InputBufferLength, PVOID SystemInformation, ULONG SystemInformationLength, ULONG *ReturnLength); NTSTATUS ZwQuerySystemInformationEx_k8 ( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID InputBuffer, ULONG InputBufferLength, PVOID SystemInformation, ULONG SystemInformationLength, ULONG *ReturnLength) { return STATUS_SUCCESS; } VOID MmDeleteKernelStack ( PVOID PointerKernelStack, BOOLEAN LargeStack ); VOID MmDeleteKernelStack ( PVOID PointerKernelStack, BOOLEAN LargeStack ) { return; } VOID KeFreeCalloutStack_k8 ( PVOID Context ); VOID KeFreeCalloutStack_k8 ( PVOID Context ) { // MmDeleteKernelStack( *((unsigned char *)Context + 8), *((unsigned char *)Context + 4) ); ExFreePoolWithTag( Context, 0 ); } PVOID KeAllocateCalloutStack_k8 ( BOOLEAN LargeStack ); PVOID KeAllocateCalloutStack_k8 ( BOOLEAN LargeStack ) { void * P; // eax unsigned char v2; // ecx unsigned long StackFlags; // eax void * v1; // eax /* P = ExAllocatePoolWithTag( 0, 32, 1666409803 ); if( P == 0 ) { P = 0; } else { if( (unsigned char)LargeStack != 0 ) { StackFlags = 5; } else { StackFlags = 0; } v1 = MmCreateKernelStack( StackFlags, 0, 0 ); *((unsigned char *)P + 8) = v1; if( v1 == 0 ) { ExFreePoolWithTag( P, 0 ); P = 0; } else { *((unsigned char *)P + 4) = v1 & 0xFFFFFF00 | (unsigned char)LargeStack != 0; *P = 1801548883; *((unsigned char *)P + 12) = 0; *((unsigned char *)P + 17) = v2 & 0xFFFFFF00; *((unsigned char *)P + 16) = 7; *((unsigned char *)P + 18) = 4; *((unsigned char *)P + 20) = 1; *((unsigned char *)P + 28) = (unsigned char *)P + 16 + 8; *((unsigned char *)P + 24) = (unsigned char *)P + 16 + 8; } } return P; */ return STATUS_SUCCESS; } VOID SeCaptureSubjectContextEx_k8 ( PETHREAD Thread, PEPROCESS Process, PSECURITY_SUBJECT_CONTEXT SubjectContext ); VOID SeCaptureSubjectContextEx_k8 ( PETHREAD Thread, PEPROCESS Process, PSECURITY_SUBJECT_CONTEXT SubjectContext ) { unsigned char stack_0x7; // [esp+7] unsigned char stack_0xB; // [esp+11] void * v1; // eax void * v2; // eax /* SubjectContext->ProcessAuditId = *(Process[0] + 156); if( Thread[0] == 0 ) { SubjectContext->ClientToken = 0; } else { v1 = PsReferenceImpersonationToken( Thread[0], &stack_0xB, &stack_0x7, &SubjectContext->ImpersonationLevel ); SubjectContext->ClientToken = v1; } v2 = PsReferencePrimaryToken( Process[0] ); SubjectContext->PrimaryToken = v2; */ } BOOLEAN SeAccessCheckFromState_k8 ( PSECURITY_DESCRIPTOR SecurityDescriptor, PTOKEN_ACCESS_INFORMATION PrimaryTokenInformation, PTOKEN_ACCESS_INFORMATION ClientTokenInformation, ACCESS_MASK DesiredAccess, ACCESS_MASK PreviouslyGrantedAccess, PPRIVILEGE_SET *Privileges, PGENERIC_MAPPING GenericMapping, KPROCESSOR_MODE AccessMode, PACCESS_MASK GrantedAccess, PNTSTATUS AccessStatus ); BOOLEAN SeAccessCheckFromState_k8 ( PSECURITY_DESCRIPTOR SecurityDescriptor, PTOKEN_ACCESS_INFORMATION PrimaryTokenInformation, PTOKEN_ACCESS_INFORMATION ClientTokenInformation, ACCESS_MASK DesiredAccess, ACCESS_MASK PreviouslyGrantedAccess, PPRIVILEGE_SET *Privileges, PGENERIC_MAPPING GenericMapping, KPROCESSOR_MODE AccessMode, PACCESS_MASK GrantedAccess, PNTSTATUS AccessStatus ) { /* struct _TOKEN * local_0x404; // [esp-1028] unsigned char v1; // [esp-991] struct _TOKEN PrimaryToken; // [esp-988] unsigned int local_0xC; // [esp-12] struct _TOKEN_ACCESS_INFORMATION * AccessInformation1; // ebx unsigned int esp; // esp struct _TOKEN * Token; // esi struct _TOKEN_ACCESS_INFORMATION * AccessInformation; // edi unsigned char v3; // eax unsigned int v2; // esp local_0xC = __security_cookie ^ (esp - 4 & 0xFFFFFFF8) - 1020; local_0x404 = Privileges; memset( &v1, 0, 487 ); memset( &PrimaryToken, 0, 487 ); SepTokenFromAccessInformation( AccessInformation, Token ); if( ClientTokenInformation != 0 ) { SepTokenFromAccessInformation( AccessInformation1, local_0x404 ); v2 = (esp - 4 & 0xFFFFFFF8) + 4294966280; } else { v2 = (esp - 4 & 0xFFFFFFF8) + 4294966272; } *(v2 + 4294967292) = *(v2 + 20); *(v2 + 4294967288) = *(v2 + 28); *(v2 + 4294967284) = AccessMode; *(v2 + 4294967280) = GenericMapping; *(v2 + 4294967276) = *(v2 + 12); *(v2 + 4294967272) = PreviouslyGrantedAccess; *(v2 + 4294967268) = DesiredAccess; *(v2 + 4294967264) = 1; *(v2 + 4294967260) = v2 + 32; *(v2 + 4294967256) = *(v2 + 16); *(v2 + 4294967252) = &code_0x34BF8+0x28; v3 = SeAccessCheck( *(v2 + 4294967256), *(v2 + 4294967260), *(v2 + 4294967264), *(v2 + 4294967268), *(v2 + 4294967272), *(v2 + 4294967276), *(v2 + 4294967280), *(v2 + 4294967284), *(v2 + 4294967288), *(v2 + 4294967292) ); *(v2 + 8) = &code_0x34BF8+0x39; __security_check_cookie( *(v2 + 1028) ^ v2 + 12 ); return v3; */ return 0; } long __stdcall IoSetIoCompletionEx_k8 ( PVOID IoCompletion, PVOID KeyContext, PVOID ApcContext, long IoStatus, unsigned long IoStatusInformation, unsigned char Quota, PVOID MiniPacket ); long __stdcall IoSetIoCompletionEx_k8 ( PVOID IoCompletion, PVOID KeyContext, PVOID ApcContext, long IoStatus, unsigned long IoStatusInformation, unsigned char Quota, PVOID MiniPacket ) { /* long v1; // esi if( MiniPacket == 0 ) { MiniPacket = IopAllocateMiniCompletionPacket( 1, Quota ); if( MiniPacket == 0 ) { v1 = -1073741670; } else { *((unsigned char *)MiniPacket + 12) = KeyContext; *((unsigned char *)MiniPacket + 16) = ApcContext; *((unsigned char *)MiniPacket + 20) = IoStatus; *((unsigned char *)MiniPacket + 24) = IoStatusInformation; KeInsertQueue( IoCompletion, MiniPacket ); return 0; } } else { *((unsigned char *)MiniPacket + 12) = KeyContext; *((unsigned char *)MiniPacket + 16) = ApcContext; *((unsigned char *)MiniPacket + 20) = IoStatus; *((unsigned char *)MiniPacket + 24) = IoStatusInformation; KeInsertQueue( IoCompletion, MiniPacket ); v1 = 0; } return v1; */ return STATUS_SUCCESS; } VOID RtlDeleteHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ); VOID RtlDeleteHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ) { /* unsigned long v1; int v2; // edi unsigned long eax; // eax if( *(HashTable + 8) < 129 ) { eax = *(HashTable + 32); if( eax != 0 ) { eax = ExFreePoolWithTag( eax, 0 ); } } else { v1 = *(HashTable + 32); if( v1 != 0 ) { v2 = 0; while( *(v1 + v2 * 4) != 0 ) { ExFreePoolWithTag( *(v1 + v2 * 4), 0 ); if( v2 > 510 ) { break; } v2 += 1; } eax = ExFreePoolWithTag( v1, 0 ); } } if( (unsigned char)(*HashTable & 0x1) != 0 ) { eax = ExFreePoolWithTag( HashTable, 0 ); } return eax; */ return; } BOOLEAN RtlCreateHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE *HashTable, ULONG Shift, ULONG Flags ); BOOLEAN RtlCreateHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE *HashTable, ULONG Shift, ULONG Flags ) { /* unsigned long v4; int v6; // ecx unsigned long v5; // edi unsigned long v7; // eax unsigned long v2; // eax unsigned long v1; // edx unsigned long v3; // eax if( *HashTable == 0 ) { v2 = ExAllocatePoolWithTag( 0, 36, 1650545736 ); *HashTable = v2; if( v2 != 0 ) { v1 = 1; } else { goto node_30; } } else { v1 = 0; } v4 = *HashTable; v5 = v4; v6 = 9; while( v6 != 0 ) { *v5 = 0; v5 += 4; v6 -= 1; } *(v4 + 12) = 0; *v4 = v1 | Flags; *(v4 + 8) = 128; *(v4 + 16) = 127; *(v4 + 4) = Shift; v7 = RtlpAllocateSecondLevelDir(); if( v7 == 0 ) { v2 = RtlDeleteHashTable( v4 ); } else { *(v4 + 32) = v7; return v7 & 0xFFFFFF00 | 0x1; } node_30: return v2 & 0xFFFFFF00; */ return 0; } PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlGetNextEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlGetNextEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { /* unsigned long v1; unsigned int v3; // edx unsigned int v2; // edx v1 = ***(Context + 4); if( *Context == v1 ) { v1 = 0; } else { if( *(HashTable + 28) != 0 ) { v3 = **(Context + 4); while( *(*v3 + 8) == 0 ) { if( *Context == **v3 ) { v2 = *v3; v1 = *v3; goto node_21; } else { v3 = *v3; } } v2 = v3; v1 = *v3; } else { v2 = **(Context + 4); } node_21: if( *(Context + 8) == *(v1 + 8) ) { *(Context + 4) = v2; } else { return 0; } } return v1; */ return 0; } PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlLookupEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlLookupEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { /* unsigned long v1; unsigned long local_0x10; // [esp-16] unsigned long esi; // esi if( Context == 0 ) { Context = &local_0x10; } RtlpPopulateContext( Signature, esi, local_0x10 ); if( **(Context + 4) == *Context ) { v1 = 0; } else { v1 = ~-(Signature != *(**(Context + 4) + 8)) & **(Context + 4); } return v1; */ return 0; } BOOLEAN RtlRemoveEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); BOOLEAN RtlRemoveEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { /* unsigned long esi; // esi unsigned long edi; // edi unsigned long v1; // eax *(HashTable + 20) += 4294967295; if( *(Entry + 4) == *Entry ) { *(HashTable + 24) += 4294967295; } v1 = *(Entry + 4); *v1 = *Entry; *(*Entry + 4) = v1; if( Context != 0 && *Context == 0 ) { v1 = RtlpPopulateContext( *(Entry + 8), edi, esi ); } return v1 & 0xFFFFFF00 | 0x1; */ return 0; } BOOLEAN RtlInsertEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); BOOLEAN RtlInsertEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { /* unsigned int local_0x10; // [esp-16] unsigned long esi; // esi unsigned long edi; // edi *(Entry + 8) = Signature; *(HashTable + 20) += 1; if( Context == 0 ) { RtlpPopulateContext( Signature, edi, esi ); Context = &local_0x10; } else if( *Context == 0 ) { RtlpPopulateContext( Signature, edi, esi ); } if( *Context == **Context ) { *(HashTable + 24) += 1; } *(Entry + 4) = *(Context + 4); *Entry = **(Context + 4); *(**(Context + 4) + 4) = Entry; **(Context + 4) = Entry; return *(Context + 4) & 0xFFFFFF00 | 0x1; */ return 0; } VOID RtlEndEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); VOID RtlEndEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ) { /* *(HashTable + 28) += 4294967295; if( Enumerator != *Enumerator ) { **(Enumerator + 4) = *Enumerator; *(*Enumerator + 4) = *(Enumerator + 4); if( *(Enumerator + 12) == **(Enumerator + 12) ) { *(HashTable + 24) += 4294967295; } } *(Enumerator + 12) = 0; return Enumerator; */ return; } PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlEnumerateEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlEnumerateEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ) { /* int esp; // esp unsigned int v2; // ebx unsigned long v5; // eax int v1; // esp unsigned long v3; unsigned long v4; v1 = esp - 16; v2 = *(Enumerator + 16); while( v2 < *(HashTable + 8) ) { if( *(Enumerator + 16) == v2 ) { v5 = *(Enumerator + 12); v5 = Enumerator; break; } else { *(v1 - 4) = &code_0x8F619+0x9; v5 = RtlpGetChainHead( v3, v4 ); v1 += 8; break; } do { if( v5 == *v5 ) { goto node_61; } else { v5 = *v5; } } while( *(v5 + 8) == 0 ); **(Enumerator + 4) = *Enumerator; *(*Enumerator + 4) = *(Enumerator + 4); if( v5 != *(Enumerator + 12) ) { if( *(Enumerator + 12) == **(Enumerator + 12) ) { *(HashTable + 24) += 4294967295; } if( v5 == *v5 ) { *(HashTable + 24) += 1; } } *(Enumerator + 16) = v2; *(Enumerator + 12) = v5; *Enumerator = *v5; *(Enumerator + 4) = v5; *(*v5 + 4) = Enumerator; *v5 = Enumerator; goto node_23; node_61: v2 += 1; } v5 = 0; node_23: return v5; */ return 0; } BOOLEAN RtlInitEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); BOOLEAN RtlInitEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ) { /* unsigned int local_0x10; // [esp-16] unsigned long esi; // esi unsigned long edi; // edi RtlpPopulateContext( 0, edi, esi ); *(HashTable + 28) += 1; if( local_0x10 == *local_0x10 ) { *(HashTable + 24) += 1; } *Enumerator = *local_0x10; *(Enumerator + 4) = local_0x10; *(*local_0x10 + 4) = Enumerator; *local_0x10 = Enumerator; *(Enumerator + 16) = 0; *(Enumerator + 8) = 0; *(Enumerator + 12) = local_0x10; return Enumerator & 0xFFFFFF00 | 0x1; */ return 0; } BOOLEAN RtlContractHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ); BOOLEAN RtlContractHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ) { /* unsigned long v7; unsigned long eax; // eax unsigned long ebx; // ebx unsigned long ebp; // ebp unsigned long esi; // esi unsigned long edi; // edi unsigned int v1; // eax unsigned long v2; // eax unsigned long v3; // eax unsigned long v4; // edx unsigned long v6; // eax unsigned long v5; // eax unsigned long v8; // eax if( *(HashTable + 8) == 128 || *(HashTable + 28) != 0 ) { v8 = eax & 0xFFFFFF00; } else { if( *(HashTable + 12) == 0 ) { *(HashTable + 16) /= 2; v1 = *(HashTable + 16); } else { v1 = *(HashTable + 12) + 4294967295; } *(HashTable + 12) = v1; v2 = RtlpGetChainHead( edi, ebx ); v3 = RtlpGetChainHead( esi, ebp ); *(HashTable + 8) += 4294967295; if( v2 != *v2 && v3 != *v3 ) { *(HashTable + 24) += 4294967295; } v4 = v3; v5 = v4; while( v2 != *v2 ) { *v2 = **v2; *(**v2 + 4) = v2; if( v5 != *v4 ) { while( *(*v4 + 8) < *(*v2 + 8) ) { if( v3 == **v4 ) { v4 = *v4; v5 = v3; goto node_78; } else { v4 = *v4; } } } v5 = v3; node_78: **v2 = *v4; *(*v2 + 4) = v4; *(*v4 + 4) = *v2; *v4 = *v2; } if( (*(HashTable + 8) & 0x7F) == 0 ) { v7 = *(HashTable + 32); v6 = ExFreePoolWithTag( *(v7 + *(HashTable + 8) / 128 * 4), 0 ); *(v7 + *(HashTable + 8) / 128 * 4) = 0; if( *(HashTable + 8) == 128 ) { *(HashTable + 32) = *v7; v6 = ExFreePoolWithTag( v7, 0 ); } } else { v6 = *(HashTable + 8) / 128; } v8 = v6 & 0xFFFFFF00 | 0x1; } return v8; */ return 0; } BOOLEAN RtlExpandHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ); BOOLEAN RtlExpandHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable ) { /* unsigned int v12; unsigned long v1; unsigned int v3; unsigned int v7; unsigned int v8; unsigned int v9; unsigned long v10; unsigned long eax; // eax unsigned long ebx; // ebx unsigned long edi; // edi unsigned long v5; // ecx int v2; // eax unsigned long v4; // eax unsigned long v11; // eax unsigned long v6; if( *(HashTable + 8) == 65536 || *(HashTable + 28) != 0 ) { v11 = eax & 0xFFFFFF00; } else { if( *(HashTable + 8) == 128 ) { v12 = *(HashTable + 32); v2 = ExAllocatePoolWithTag( 0, 2048, 1650545736 ); if( v2 != 0 ) { _memset( v2, 0, 2048 ); *v2 = v12; *(HashTable + 32) = v2; goto node_31; } } else { node_31: v1 = *(HashTable + 32); v2 = *(v1 + *(HashTable + 8) / 128 * 4); if( v2 == 0 ) { v2 = RtlpAllocateSecondLevelDir(); if( v2 != 0 ) { *(v1 + *(HashTable + 8) / 128 * 4) = v2; goto node_49; } else if( *(HashTable + 8) == 128 ) { *(HashTable + 32) = *v1; v2 = ExFreePoolWithTag( v1, 0 ); } } else { node_49: v3 = *(HashTable + 12); *(HashTable + 8) += 1; v4 = RtlpGetChainHead( edi, ebx ); *(HashTable + 12) = v3 + 1; if( v4 != *v4 ) { HashTable = v4; v5 = HashTable; while( 1 ) { v7 = *(*v5 + 8) >> (*(v6 + 4) & 0x1F) & (*(v6 + 16) + *(v6 + 16) | 0x1); if( *(v6 + 8) + 4294967295 == v7 ) { **(*v5 + 4) = **v5; *(**v5 + 4) = *(*v5 + 4); v8 = *(v2 + (*(v6 + 8) & 0x7F) * 8 + 4); **v5 = v2 + (*(v6 + 8) & 0x7F) * 8; *(*v5 + 4) = v8; *v8 = *v5; *(v2 + (*(v6 + 8) & 0x7F) * 8 + 4) = *v5; } else { HashTable = *v5; } if( v4 == *v6 ) { break; } v5 = v6; } v9 = *(v2 + (*(v6 + 8) & 0x7F) * 8); if( v2 + (*(v6 + 8) & 0x7F) * 8 != v9 ) { *(v6 + 24) += 1; } if( v4 == *v4 ) { *(v6 + 24) += 4294967295; } } if( *(HashTable + 16) + 1 == *(HashTable + 12) ) { v10 = *(HashTable + 16) + *(HashTable + 16) | 0x1; *(HashTable + 12) = 0; *(HashTable + 16) = v10; } else { v10 = *(HashTable + 16); } return v10 & 0xFFFFFF00 | 0x1; } } v11 = v2 & 0xFFFFFF00; } return v11; */ return 0; } typedef struct _ALPC_CONTEXT_ATTR { VOID *PortContext; VOID *MessageContext; unsigned long Sequence; unsigned long MessageId; unsigned long CallbackId; } ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; NTSTATUS ZwAlpcCancelMessage_k8 ( HANDLE PortHandle, ULONG Flags, PALPC_CONTEXT_ATTR MessageContext ); NTSTATUS ZwAlpcCancelMessage_k8 ( HANDLE PortHandle, ULONG Flags, PALPC_CONTEXT_ATTR MessageContext ) { /* int return_address; // [esp+0] int v1; // eax // __asm.pushfd(); __asm{ pushfd } _KiSystemService( 8, return_address ); return v1; */ return STATUS_SUCCESS; } typedef HANDLE ALPC_HANDLE, *PALPC_HANDLE; NTSTATUS ZwAlpcCreatePortSection_k8 ( HANDLE PortHandle, ULONG Flags, HANDLE SectionHandle, SIZE_T SectionSize, PALPC_HANDLE AlpcSectionHandle, PSIZE_T ActualSectionSize ); NTSTATUS ZwAlpcCreatePortSection_k8 ( HANDLE PortHandle, ULONG Flags, HANDLE SectionHandle, SIZE_T SectionSize, PALPC_HANDLE AlpcSectionHandle, PSIZE_T ActualSectionSize ) { return STATUS_SUCCESS; } NTSTATUS ZwAlpcCreateResourceReserve_k8 ( HANDLE PortHandle, ULONG Flags, SIZE_T MessageSize, PALPC_HANDLE ResourceId ); NTSTATUS ZwAlpcCreateResourceReserve_k8 ( HANDLE PortHandle, ULONG Flags, SIZE_T MessageSize, PALPC_HANDLE ResourceId ) { return STATUS_SUCCESS; } // private typedef struct _ALPC_SECURITY_ATTR { ULONG Flags; PSECURITY_QUALITY_OF_SERVICE QoS; ALPC_HANDLE ContextHandle; // dbg } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; // begin_rev #define ALPC_VIEWFLG_NOT_SECURE 0x40000 // end_rev // private typedef struct _ALPC_DATA_VIEW_ATTR { ULONG Flags; ALPC_HANDLE SectionHandle; PVOID ViewBase; // must be zero on input SIZE_T ViewSize; } ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; NTSTATUS ZwAlpcCreateSectionView_k8 ( HANDLE PortHandle, ULONG Flags, PALPC_DATA_VIEW_ATTR ViewAttributes ); NTSTATUS ZwAlpcCreateSectionView_k8 ( HANDLE PortHandle, ULONG Flags, PALPC_DATA_VIEW_ATTR ViewAttributes ) { return STATUS_SUCCESS; } NTSTATUS ZwAlpcCreateSecurityContext_k8 ( HANDLE PortHandle, ULONG Flags, PALPC_SECURITY_ATTR SecurityAttribute ); NTSTATUS ZwAlpcCreateSecurityContext_k8 ( HANDLE PortHandle, ULONG Flags, PALPC_SECURITY_ATTR SecurityAttribute ) { return STATUS_SUCCESS; } NTSTATUS ZwAlpcDeletePortSection_k8 ( HANDLE PortHandle, ULONG Flags, ALPC_HANDLE SectionHandle ); NTSTATUS ZwAlpcDeletePortSection_k8 ( HANDLE PortHandle, ULONG Flags, ALPC_HANDLE SectionHandle ) { return STATUS_SUCCESS; } NTSTATUS ZwAlpcDeleteSectionView_k8 ( HANDLE PortHandle, ULONG Flags, PVOID ViewBase ); NTSTATUS ZwAlpcDeleteSectionView_k8 ( HANDLE PortHandle, ULONG Flags, PVOID ViewBase ) { return STATUS_SUCCESS; } NTSTATUS ZwAlpcDeleteSecurityContext_k8 ( HANDLE PortHandle, ULONG Flags, ALPC_HANDLE ContextHandle ); NTSTATUS ZwAlpcDeleteSecurityContext_k8 ( HANDLE PortHandle, ULONG Flags, ALPC_HANDLE ContextHandle ) { return STATUS_SUCCESS; } NTSTATUS ZwAlpcDisconnectPort_k8 ( HANDLE PortHandle, ULONG Flags ); NTSTATUS ZwAlpcDisconnectPort_k8 ( HANDLE PortHandle, ULONG Flags ) { return STATUS_SUCCESS; } // private typedef enum _ALPC_PORT_INFORMATION_CLASS { AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT AlpcConnectedSIDInformation, // q: in SID AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION AlpcUnregisterCompletionListInformation, // s: VOID AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG AlpcRegisterCallbackInformation, // kernel-mode only AlpcCompletionListRundownInformation, // s: VOID AlpcWaitForPortReferences, MaxAlpcPortInfoClass } ALPC_PORT_INFORMATION_CLASS; NTSTATUS ZwAlpcQueryInformation_k8 ( HANDLE PortHandle, ALPC_PORT_INFORMATION_CLASS PortInformationClass, PVOID PortInformation, ULONG Length, PULONG ReturnLength ); NTSTATUS ZwAlpcQueryInformation_k8 ( HANDLE PortHandle, ALPC_PORT_INFORMATION_CLASS PortInformationClass, PVOID PortInformation, ULONG Length, PULONG ReturnLength ) { return STATUS_SUCCESS; } NTSTATUS ZwAlpcSetInformation_k8 ( HANDLE PortHandle, ALPC_PORT_INFORMATION_CLASS PortInformationClass, PVOID PortInformation, ULONG Length ); NTSTATUS ZwAlpcSetInformation_k8 ( HANDLE PortHandle, ALPC_PORT_INFORMATION_CLASS PortInformationClass, PVOID PortInformation, ULONG Length ) { return STATUS_SUCCESS; } NTSTATUS ZwCreateIoCompletion_k8 ( PHANDLE IoCompletionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG Count ); NTSTATUS ZwCreateIoCompletion_k8 ( PHANDLE IoCompletionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG Count ) { return STATUS_SUCCESS; } NTSTATUS ZwImpersonateAnonymousToken_k8 ( HANDLE ThreadHandle ); NTSTATUS ZwImpersonateAnonymousToken_k8 ( HANDLE ThreadHandle ) { return STATUS_SUCCESS; } // private typedef struct _FILE_IO_COMPLETION_INFORMATION { PVOID KeyContext; PVOID ApcContext; IO_STATUS_BLOCK IoStatusBlock; } FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; NTSTATUS ZwRemoveIoCompletionEx_k8 ( HANDLE IoCompletionHandle, PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, ULONG Count, PULONG NumEntriesRemoved, PLARGE_INTEGER Timeout, BOOLEAN Alertable ); NTSTATUS ZwRemoveIoCompletionEx_k8 ( HANDLE IoCompletionHandle, PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, ULONG Count, PULONG NumEntriesRemoved, PLARGE_INTEGER Timeout, BOOLEAN Alertable ) { return STATUS_SUCCESS; } /////////////////////////////////////////////////////////////////// Edited May 2, 2022 by Damnation
Damnation Posted May 2, 2022 Author Posted May 2, 2022 This one builds successfully https://ufile.io/itvzfprv 1
Dietmar Posted May 2, 2022 Posted May 2, 2022 (edited) @Damnation What have I to do with my original 5512 ntkrnlpa.exe, so that your files are all recogniced? And do you use ndis.sys, netio.sys, msrpc.sys from win7 SP1 bit32 ? Which storport.sys I should use Dietmar PS: Anyway nice work EDIT: I think, you forget the following "Make corrections to target driver XXX.sys so that it loads ntoskrn8.sys instead of the original ntoskrnl.exe" Edited May 2, 2022 by Dietmar
Damnation Posted May 2, 2022 Author Posted May 2, 2022 14 minutes ago, Dietmar said: And do you use ndis.sys, netio.sys, msrpc.sys from win7 SP1 bit32 ? Which storport.sys I should use yeah, although not tested yet. storport is unchanged. yeah I haven't changed the import tables of these drivers yet.
Dietmar Posted May 2, 2022 Posted May 2, 2022 (edited) @Damnation I never worked before with the Kernel Extender from @Mov AX, 0xDEAD. Can you tell me, at which places I have to change via Ida Pro the name of ntoskrnl.exe ---> ntoskrn8.sys Dietmar PS: Or can you do this for me? First test with the free versions of ndis.sys, netio.sys, msrpc.sys from win7 SP1 bit32. Edited May 2, 2022 by Dietmar
Damnation Posted May 2, 2022 Author Posted May 2, 2022 @Dietmar I use CFF explorer to modify the import tables. here I modded them for you - https://ufile.io/5cxo9w60
Dietmar Posted May 2, 2022 Posted May 2, 2022 @Damnation Thanks a lot! Now the only thing is missed I think, is to do the same for the intel Lan driver for the i219 device. It has also some unsolved dependecies to ntoskrnl.exe from XP SP3 Dietmar PS: Here is the driver e1d6232.sys . It has also 11 unsolved dependencies to the original ntoskrnl.exe from XP SP3, may be most you integrate already. https://ufile.io/exw6n4cm Then, we only need to modd its *.inf. May be, I can do an extract from the registry of this driver running under Win7 SP1 bit32 for the i219 device.
George King Posted May 2, 2022 Posted May 2, 2022 @Dietmar Windows 7 NDIS is 6.3, Vista NDIS is 6.0 @Damnation Which one have you get as target? Here are latest files for both architectures and versions https://www.mediafire.com/file/serxsmclqslf5cv/NDIS6.0+6.3_latest_untouched.7z/file
George King Posted May 2, 2022 Posted May 2, 2022 7 minutes ago, Dietmar said: @Damnation Thanks a lot! Now the only thing is missed I think, is to do the same for the intel Lan driver for the i219 device. It has also some unsolved dependecies to ntoskrnl.exe from XP SP3 Dietmar PS: Here is the driver e1d6232.sys . It has also 11 unsolved dependencies to the original ntoskrnl.exe from XP SP3, may be most you integrate already. https://ufile.io/exw6n4cm Then, we only need to modd its *.inf. May be, I can do an extract from the registry of this driver running under Win7 SP1 bit32 for the i219 device. Just fix import to ntoskrn8.sys instead ntoskrnl.exe and thats all if you have already compiled ntoskrn8.sys from post above
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now