GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/HostingCLR_inject/HostingCLR/EtwTamper.h
#pragma once
#include <Windows.h>
// NTSTATUS success value. NOTE(review): <ntstatus.h> defines the same name
// with a different spelling of the value; including both headers in one
// translation unit may trigger a macro-redefinition warning — confirm.
#define STATUS_SUCCESS 0
// Pseudo-handle for the calling process (the same value GetCurrentProcess()
// returns), used with the Zw*VirtualMemory routines declared below.
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
// Counted UTF-16 string as used by the NT native API. Length and
// MaximumLength are byte counts, not character counts, and Buffer is not
// guaranteed to be NUL-terminated — always bound reads by Length rather
// than scanning for a terminator.
typedef struct _UNICODE_STRING {
    USHORT Length;         // bytes in use, excluding any terminator
    USHORT MaximumLength;  // bytes allocated for Buffer
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef const UNICODE_STRING* PCUNICODE_STRING;
// Loader data block referenced from PEB.Ldr. The three LIST_ENTRY heads link
// the LDR_DATA_TABLE_ENTRY records of loaded modules in load, memory and
// initialization order respectively. The layout is read from the live
// process, so field order and types must match the target ntdll exactly.
typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY InLoadOrderModuleList;            // -> LDR_DATA_TABLE_ENTRY.InLoadOrderLinks
    LIST_ENTRY InMemoryOrderModuleList;          // -> LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks
    LIST_ENTRY InInitializationOrderModuleList;  // -> LDR_DATA_TABLE_ENTRY.InInitializationOrderLinks
    PVOID EntryInProgress;
    BOOLEAN ShutdownInProgress;
    HANDLE ShutdownThreadId;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
// Process parameters referenced from PEB.ProcessParameters. Only the image
// path and command line are named; the Reserved* members exist purely to keep
// those two fields at their real offsets (this mirrors the public winternl.h
// declaration). sizeof() of this struct is not the real block size.
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE Reserved1[16];
    PVOID Reserved2[10];
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
// Header of the API-set schema map referenced from PEB.ApiSetMap. The offsets
// are relative to the start of this header; Version selects the entry format
// and is not otherwise interpreted by anything declared in this file.
typedef struct _API_SET_NAMESPACE {
    ULONG Version;
    ULONG Size;
    ULONG Flags;
    ULONG Count;        // number of entries at EntryOffset
    ULONG EntryOffset;
    ULONG HashOffset;
    ULONG HashFactor;
} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;
// Partial PEB: only the leading members up to OSBuildNumber are declared, so
// sizeof(PEB) is smaller than the real block and must never be used to copy
// or allocate one. Field order, types and bit widths are the ABI — do not
// reorder or "tidy" them. Anonymous structs/unions are C11 / MSVC extension.
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;  // set while a user-mode debugger is attached
    union
    {
        BOOLEAN BitField;
        struct
        {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsLegacyProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN SpareBits : 3;
        };
    };
    HANDLE Mutant;

    PVOID ImageBaseAddress;                           // base of the main executable image
    PPEB_LDR_DATA Ldr;                                // loader module lists, see PEB_LDR_DATA
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;   // image path / command line
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
    PVOID IFEOKey;
    PSLIST_HEADER AtlThunkSListPtr;
    union
    {
        ULONG CrossProcessFlags;
        struct
        {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ProcessPreviouslyThrottled : 1;
            ULONG ProcessCurrentlyThrottled : 1;
            ULONG ProcessImagesHotPatched : 1;
            ULONG ReservedBits0 : 24;
        };
    };
    union
    {
        PVOID KernelCallbackTable;
        PVOID UserSharedInfoPtr;
    };
    ULONG SystemReserved;
    ULONG AtlThunkSListPtr32;
    PAPI_SET_NAMESPACE ApiSetMap;                     // see API_SET_NAMESPACE
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID SharedData;
    PVOID *ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    ULARGE_INTEGER CriticalSectionTimeout;
    SIZE_T HeapSegmentReserve;
    SIZE_T HeapSegmentCommit;
    SIZE_T HeapDeCommitTotalFreeThreshold;
    SIZE_T HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID *ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    ULONG GdiDCAttributeList;
    PRTL_CRITICAL_SECTION LoaderLock;
    // OS version triple as seen by the process. NOTE(review): presumably what
    // selects among the per-OS-version Zw* stubs declared later in this
    // header — confirm against the implementation file.
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
} PEB, *PPEB;
// Per-module loader record linked into the PEB_LDR_DATA lists. A module is
// normally located by walking one of the lists and comparing BaseDllName
// (a counted UNICODE_STRING — compare by Length, do not assume a terminator).
// Layout is the ABI; keep field order, types and the anonymous unions as is.
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;            // <- PEB_LDR_DATA.InLoadOrderModuleList
    LIST_ENTRY InMemoryOrderLinks;          // <- PEB_LDR_DATA.InMemoryOrderModuleList
    union
    {
        LIST_ENTRY InInitializationOrderLinks;  // <- PEB_LDR_DATA.InInitializationOrderModuleList
        LIST_ENTRY InProgressLinks;
    };
    PVOID DllBase;          // image base of the module
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    WORD LoadCount;
    WORD TlsIndex;
    union
    {
        LIST_ENTRY HashLinks;
        struct
        {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union
    {
        ULONG TimeDateStamp;
        PVOID LoadedImports;
    };
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// Thread environment block, mirroring the public winternl.h declaration: the
// Reserved* arrays are padding whose only job is to keep
// ProcessEnvironmentBlock and the TLS members at their real offsets. Their
// sizes must not be changed; sizeof(TEB) is not the real block size.
typedef struct _TEB {
    PVOID Reserved1[12];
    PPEB ProcessEnvironmentBlock;   // -> PEB (partial declaration above)
    PVOID Reserved2[399];
    BYTE Reserved3[1952];
    PVOID TlsSlots[64];
    BYTE Reserved4[8];
    PVOID Reserved5[26];
    PVOID ReservedForOle;
    PVOID Reserved6[4];
    PVOID TlsExpansionSlots;
} TEB, *PTEB;
169
170
// Function-pointer type with the signature of ntdll's EtwEventWrite.
// MyEtwEventWrite below is declared with exactly this parameter list.
// The __in / __in_ecount_opt annotations are legacy SAL; they expand to
// nothing under MSVC and are undefined on other compilers.
typedef ULONG(NTAPI *_EtwEventWrite)(
    __in REGHANDLE RegHandle,
    __in PCEVENT_DESCRIPTOR EventDescriptor,
    __in ULONG UserDataCount,
    __in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
    );
// Function-pointer type with the signature of ntdll's EtwEventWriteFull
// (the EtwEventWrite variant that also carries activity ids). Nothing else
// in this header references it; presumably used by the implementation file.
typedef ULONG(NTAPI *_EtwEventWriteFull)(
    __in REGHANDLE RegHandle,
    __in PCEVENT_DESCRIPTOR EventDescriptor,
    __in USHORT EventProperty,
    __in_opt LPCGUID ActivityId,
    __in_opt LPCGUID RelatedActivityId,
    __in ULONG UserDataCount,
    __in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
    );
186
187
// Windows 7 SP1 / Server 2008 R2 specific Syscalls.
// Declared with C linkage only; the definitions are not in this header
// (presumably an assembly file, since one set exists per OS version — confirm).
// The three variants below for 8 / 8.1 / 10 have identical signatures; only the
// suffix differs. Callers are expected to go through the ZwProtectVirtualMemory /
// ZwReadVirtualMemory / ZwWriteVirtualMemory function pointers declared further
// down rather than calling a version-specific stub directly.
EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS ZwReadVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
// Windows 8 / Server 2012 specific Syscalls.
// Same signatures as the 7SP1 set; see the note there. Style note: the
// Protect stub uses IN/OUT annotations and NT-style names while Read/Write
// use Win32 (lp*) names and no annotations — harmless, but inconsistent.
EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS ZwReadVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
// Windows 8.1 / Server 2012 R2 specific Syscalls.
// Same signatures as the 7SP1 set; see the note there.
EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS ZwReadVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
// Windows 10 / Server 2016 specific Syscalls.
// Same signatures as the 7SP1 set; see the note there. NOTE(review): nothing
// in this header distinguishes Windows 10 builds or Windows 11; whether one
// stub set is valid across all of them depends on the implementation — confirm.
EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS ZwReadVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
// Version-independent entry point: a function pointer that is expected to be
// set to one of the ZwProtectVirtualMemory{7SP1,80,81,10} stubs above before
// use (the assignment is not in this header). Unset, it is NULL and calling
// it crashes.
// NOTE(review): this is a tentative *definition* of a global, not an extern
// declaration. With #pragma once it is fine within one translation unit, but
// including this header from a second TU duplicates the symbol — a hard error
// in C++ and compiler-dependent in C. The conventional fix is `extern` here
// and a single definition in one .c/.cpp file. Same applies to
// ZwReadVirtualMemory and ZwWriteVirtualMemory below.
NTSTATUS(*ZwProtectVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN PVOID* BaseAddress,
    IN SIZE_T* NumberOfBytesToProtect,
    IN ULONG NewAccessProtection,
    OUT PULONG OldAccessProtection
    );
// Version-independent entry point for the ZwReadVirtualMemory{7SP1,80,81,10}
// stubs above; must be assigned before use (not done in this header).
// NOTE(review): tentative definition of a global in a header — see the note
// on ZwProtectVirtualMemory; `extern` plus one out-of-line definition is the
// usual fix. The lp* parameter names mirror Win32 ReadProcessMemory, but the
// return is an NTSTATUS, so check with NT_SUCCESS()/STATUS_SUCCESS, not BOOL.
NTSTATUS(*ZwReadVirtualMemory)(
    HANDLE hProcess,
    PVOID lpBaseAddress,
    PVOID lpBuffer,
    SIZE_T NumberOfBytesToRead,
    PSIZE_T NumberOfBytesRead
    );
// Version-independent entry point for the ZwWriteVirtualMemory{7SP1,80,81,10}
// stubs above; must be assigned before use (not done in this header).
// NOTE(review): tentative definition of a global in a header — see the note
// on ZwProtectVirtualMemory. As with the Read variant the return value is an
// NTSTATUS, not a BOOL.
NTSTATUS(*ZwWriteVirtualMemory)(
    HANDLE hProcess,
    PVOID lpBaseAddress,
    PVOID lpBuffer,
    SIZE_T NumberOfBytesToWrite,
    PSIZE_T NumberOfBytesWritten
    );
232
233
// Replacement routine with exactly the _EtwEventWrite signature declared
// above, so its address can be stored in / called through that pointer type.
// Its body is not in this header; presumably it is what PatchEtw installs in
// place of the original EtwEventWrite — confirm in the implementation file.
// The legacy SAL annotations expand to nothing under MSVC.
ULONG NTAPI MyEtwEventWrite(
    __in REGHANDLE RegHandle,
    __in PCEVENT_DESCRIPTOR EventDescriptor,
    __in ULONG UserDataCount,
    __in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData);
BOOL PatchEtw(HANDLE pipe);