Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/external/source/HostingCLR_inject/HostingCLR/EtwTamper.h
19516 views
1
#pragma once

2


3
#include <Windows.h>

4


5
#define STATUS_SUCCESS 0

6
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )

7


8
typedef struct _UNICODE_STRING {

9
	USHORT Length;

10
	USHORT MaximumLength;

11
	PWSTR  Buffer;

12
} UNICODE_STRING, *PUNICODE_STRING;

13


14
typedef const UNICODE_STRING* PCUNICODE_STRING;

15


16
typedef struct _PEB_LDR_DATA {

17
	ULONG Length;

18
	BOOLEAN Initialized;

19
	HANDLE SsHandle;

20
	LIST_ENTRY InLoadOrderModuleList;

21
	LIST_ENTRY InMemoryOrderModuleList;

22
	LIST_ENTRY InInitializationOrderModuleList;

23
	PVOID EntryInProgress;

24
	BOOLEAN ShutdownInProgress;

25
	HANDLE ShutdownThreadId;

26
} PEB_LDR_DATA, *PPEB_LDR_DATA;

27


28
typedef struct _RTL_USER_PROCESS_PARAMETERS {

29
	BYTE           Reserved1[16];

30
	PVOID          Reserved2[10];

31
	UNICODE_STRING ImagePathName;

32
	UNICODE_STRING CommandLine;

33
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

34


35
typedef struct _API_SET_NAMESPACE {

36
	ULONG Version;

37
	ULONG Size;

38
	ULONG Flags;

39
	ULONG Count;

40
	ULONG EntryOffset;

41
	ULONG HashOffset;

42
	ULONG HashFactor;

43
} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;

44


45
// Partial PEB

46
typedef struct _PEB {

47
	BOOLEAN InheritedAddressSpace;

48
	BOOLEAN ReadImageFileExecOptions;

49
	BOOLEAN BeingDebugged;

50
	union

51
	{

52
		BOOLEAN BitField;

53
		struct

54
		{

55
			BOOLEAN ImageUsesLargePages : 1;

56
			BOOLEAN IsProtectedProcess : 1;

57
			BOOLEAN IsLegacyProcess : 1;

58
			BOOLEAN IsImageDynamicallyRelocated : 1;

59
			BOOLEAN SkipPatchingUser32Forwarders : 1;

60
			BOOLEAN SpareBits : 3;

61
		} _bitField;

62
	};

63
	HANDLE Mutant;

64


65
	PVOID ImageBaseAddress;

66
	PPEB_LDR_DATA Ldr;

67
	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;

68
	PVOID SubSystemData;

69
	PVOID ProcessHeap;

70
	PRTL_CRITICAL_SECTION FastPebLock;

71
	PVOID IFEOKey;

72
	PSLIST_HEADER AtlThunkSListPtr;

73
	union

74
	{

75
		ULONG CrossProcessFlags;

76
		struct

77
		{

78
			ULONG ProcessInJob : 1;

79
			ULONG ProcessInitializing : 1;

80
			ULONG ProcessUsingVEH : 1;

81
			ULONG ProcessUsingVCH : 1;

82
			ULONG ProcessUsingFTH : 1;

83
			ULONG ProcessPreviouslyThrottled : 1;

84
			ULONG ProcessCurrentlyThrottled : 1;

85
			ULONG ProcessImagesHotPatched : 1;

86
			ULONG ReservedBits0 : 24;

87
		} _crossProcessFlags;

88
	};

89
	union

90
	{

91
		PVOID KernelCallbackTable;

92
		PVOID UserSharedInfoPtr;

93
	};

94
	ULONG SystemReserved;

95
	ULONG AtlThunkSListPtr32;

96
	PAPI_SET_NAMESPACE ApiSetMap;

97
	ULONG TlsExpansionCounter;

98
	PVOID TlsBitmap;

99
	ULONG TlsBitmapBits[2];

100
	PVOID ReadOnlySharedMemoryBase;

101
	PVOID SharedData;

102
	PVOID *ReadOnlyStaticServerData;

103
	PVOID AnsiCodePageData;

104
	PVOID OemCodePageData;

105
	PVOID UnicodeCaseTableData;

106
	ULONG NumberOfProcessors;

107
	ULONG NtGlobalFlag;

108
	ULARGE_INTEGER CriticalSectionTimeout;

109
	SIZE_T HeapSegmentReserve;

110
	SIZE_T HeapSegmentCommit;

111
	SIZE_T HeapDeCommitTotalFreeThreshold;

112
	SIZE_T HeapDeCommitFreeBlockThreshold;

113
	ULONG NumberOfHeaps;

114
	ULONG MaximumNumberOfHeaps;

115
	PVOID *ProcessHeaps;

116
	PVOID GdiSharedHandleTable;

117
	PVOID ProcessStarterHelper;

118
	ULONG GdiDCAttributeList;

119
	PRTL_CRITICAL_SECTION LoaderLock;

120
	ULONG OSMajorVersion;

121
	ULONG OSMinorVersion;

122
	USHORT OSBuildNumber;

123
} PEB, *PPEB;

124


125
typedef struct _LDR_DATA_TABLE_ENTRY {

126
	LIST_ENTRY InLoadOrderLinks;

127
	LIST_ENTRY InMemoryOrderLinks;

128
	union

129
	{

130
		LIST_ENTRY InInitializationOrderLinks;

131
		LIST_ENTRY InProgressLinks;

132
	};

133
	PVOID DllBase;

134
	PVOID EntryPoint;

135
	ULONG SizeOfImage;

136
	UNICODE_STRING FullDllName;

137
	UNICODE_STRING BaseDllName;

138
	ULONG Flags;

139
	WORD LoadCount;

140
	WORD TlsIndex;

141
	union

142
	{

143
		LIST_ENTRY HashLinks;

144
		struct

145
		{

146
			PVOID SectionPointer;

147
			ULONG CheckSum;

148
		} _hashLinks;

149
	};

150
	union

151
	{

152
		ULONG TimeDateStamp;

153
		PVOID LoadedImports;

154
	};

155
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

156


157
typedef struct _TEB {

158
	PVOID Reserved1[12];

159
	PPEB  ProcessEnvironmentBlock;

160
	PVOID Reserved2[399];

161
	BYTE  Reserved3[1952];

162
	PVOID TlsSlots[64];

163
	BYTE  Reserved4[8];

164
	PVOID Reserved5[26];

165
	PVOID ReservedForOle;

166
	PVOID Reserved6[4];

167
	PVOID TlsExpansionSlots;

168
} TEB, *PTEB;

169


170
typedef ULONG(NTAPI *_EtwEventWrite)(

171
	__in REGHANDLE RegHandle,

172
	__in PCEVENT_DESCRIPTOR EventDescriptor,

173
	__in ULONG UserDataCount,

174
	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData

175
	);

176


177
typedef ULONG(NTAPI *_EtwEventWriteFull)(

178
	__in REGHANDLE RegHandle,

179
	__in PCEVENT_DESCRIPTOR EventDescriptor,

180
	__in USHORT EventProperty,

181
	__in_opt LPCGUID ActivityId,

182
	__in_opt LPCGUID RelatedActivityId,

183
	__in ULONG UserDataCount,

184
	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData

185
	);

186


187
typedef NTSTATUS(NTAPI* pNtProtectVirtualMemory)(

188
	HANDLE ProcessHandle,

189
	PVOID* BaseAddress,

190
	PSIZE_T RegionSize,

191
	ULONG NewProtect,

192
	PULONG OldProtect

193
	);

194


195
typedef NTSTATUS (NTAPI* pNtWriteVirtualMemory)(

196
	HANDLE ProcessHandle,

197
	PVOID BaseAddress,

198
	PVOID Buffer,

199
	ULONG NumberOfBytesToWrite,

200
	PULONG NumberOfBytesWritten

201
);

202


203
typedef NTSTATUS(NTAPI* pNtReadVirtualMemory)(

204
	HANDLE ProcessHandle,

205
	PVOID BaseAddress,

206
	PVOID Buffer,

207
	ULONG NumberOfBytesToRead,

208
	PULONG NumberOfBytesRead

209
	);

210


211
// Windows 7 SP1 / Server 2008 R2 specific Syscalls

212
EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);

213
EXTERN_C NTSTATUS ZwReadVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);

214
EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);

215


216
// Windows 8 / Server 2012 specific Syscalls

217
EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);

218
EXTERN_C NTSTATUS ZwReadVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);

219
EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);

220


221


222
// Windows 8.1 / Server 2012 R2 specific Syscalls

223
EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);

224
EXTERN_C NTSTATUS ZwReadVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);

225
EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);

226


227


228
// Windows 10 / Server 2016 specific Syscalls

229
#ifdef _X64

230
EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);

231
EXTERN_C NTSTATUS ZwReadVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);

232
#else

233
EXTERN_C NTSTATUS ZwProtectVirtualMemory10_1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);

234
EXTERN_C NTSTATUS ZwReadVirtualMemory10_1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);

235
EXTERN_C NTSTATUS ZwProtectVirtualMemory10_2(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);

236
EXTERN_C NTSTATUS ZwReadVirtualMemory10_2(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);

237
EXTERN_C NTSTATUS ZwProtectVirtualMemory10_3(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);

238
EXTERN_C NTSTATUS ZwReadVirtualMemory10_3(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);

239
EXTERN_C NTSTATUS ZwProtectVirtualMemory10_4(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);

240
EXTERN_C NTSTATUS ZwReadVirtualMemory10_4(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);

241
#endif

242
EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);

243


244
pNtProtectVirtualMemory ZwProtectVirtualMemory;

245
pNtWriteVirtualMemory ZwWriteVirtualMemory;

246
pNtReadVirtualMemory ZwReadVirtualMemory;

247


248
ULONG NTAPI MyEtwEventWrite(

249
	__in REGHANDLE RegHandle,

250
	__in PCEVENT_DESCRIPTOR EventDescriptor,

251
	__in ULONG UserDataCount,

252
	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData);

253


254
BOOL PatchEtw(HANDLE pipe);

255


256