/***************************************************************************************
 * AUTHOR : MZ
 * DATE : 2016-8-29
 * MODULE : struct.h
 *
 * Command:
 * [original comment text lost: the file was mis-encoded and only U+FFFD replacement characters survive here]
 *
 * Description:
 * [original comment text lost: the file was mis-encoded and only U+FFFD replacement characters survive here]
 *
 ****************************************************************************************

 Copyright (C) 2010 MZ.
 ****************************************************************************************/
#pragma once
#include <ntddk.h>
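/* Win32-style scalar typedefs used by the structure layouts below.
 *
 * Several of these (LONG, ULONG, PULONG, UCHAR, USHORT, PVOID, BOOLEAN,
 * NTSTATUS) repeat definitions that <ntddk.h> already provides; they are
 * kept so that the widths the structures rely on are spelled out in one
 * place.  NOTE(review): ULONG_PTR is defined as `unsigned long` (32 bits
 * under MSVC).  That matches the 32-bit pointer widths the structures below
 * assume, but it is not the SDK's 64-bit definition on _WIN64 -- this header
 * is effectively x86-only; confirm before building for other targets. */
typedef long LONG;
typedef unsigned char BOOL, *PBOOL;
typedef unsigned char BYTE, *PBYTE;
typedef unsigned long DWORD, *PDWORD;
typedef unsigned short WORD, *PWORD;

typedef void *HMODULE;
typedef long NTSTATUS, *PNTSTATUS;
/* DWORD/PDWORD, WORD and BYTE were declared a second time at this point in
 * the original; the duplicates are dropped.  Redefining a typedef, even
 * identically, is a redefinition error before C11, and it hid the fact that
 * the earlier lines already declare the same names. */
typedef unsigned long ULONG;
typedef unsigned long ULONG_PTR;
typedef ULONG *PULONG;
typedef unsigned char UCHAR;
typedef unsigned short USHORT;
typedef void *PVOID;
typedef BYTE BOOLEAN;

/* Section allocation attribute: map the backing file as an executable image
 * (same value as the SDK's SEC_IMAGE). */
#define SEC_IMAGE 0x01000000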
//----------------------------------------------------
// PEB
/* Loader data block reached through PEB.LoaderData (see _PEB below).
 * Packed to 4-byte alignment so the member offsets follow the user-mode
 * loader's layout this header assumes.  The three LIST_ENTRY heads are the
 * module lists; the entry type they link is not defined in this file. */
#pragma pack(4)
typedef struct _PEB_LDR_DATA
{
    ULONG Length;                                /* presumably sizeof(PEB_LDR_DATA); not used on this page */
    BOOLEAN Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;            /* modules in load order */
    LIST_ENTRY InMemoryOrderModuleList;          /* modules in memory order */
    LIST_ENTRY InInitializationOrderModuleList;  /* modules in initialisation order */
} PEB_LDR_DATA, *PPEB_LDR_DATA;
#pragma pack()  /* restore the default packing for everything that follows */
/* Opaque-layout PEB in the style of the public SDK: only BeingDebugged
 * (at offset 2, after Reserved1[2]) and SessionId are named; the Reserved
 * arrays stand in for everything in between.  The full layout, with the
 * same BeingDebugged offset, is _PEB further down. */
typedef struct _PEB_ORIG {
    BYTE Reserved1[2];
    BYTE BeingDebugged;        /* non-zero while a debugger is attached */
    BYTE Reserved2[229];
    PVOID Reserved3[59];
    ULONG SessionId;
} PEB_ORIG, *PPEB_ORIG;
/* Callback type of PEB.FastPebLockRoutine / PEB.FastPebUnlockRoutine; the
 * single argument is the PEB.FastPebLock pointer. */
typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);
/* Node of the singly-linked free-block list hanging off PEB.FreeList. */
struct _PEB_FREE_BLOCK {
    struct _PEB_FREE_BLOCK *Next;   /* next node, presumably NULL-terminated */
    ULONG Size;
};
typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK;
typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK;
/* Per-drive current-directory record; 0x20 of these form the
 * DLCurrentDirectory array at the end of RTL_USER_PROCESS_PARAMETERS.
 * UNICODE_STRING comes from <ntddk.h>. */
typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    UNICODE_STRING DosPath;   /* DOS-style path of the drive's current directory */
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
/* Process start-up parameters, reached through PEB.ProcessParameters.
 * Holds the image path, command line, environment block and console/window
 * settings handed to the process at creation.  Like the rest of this header
 * the member widths assume 32-bit pointers.  The UNICODE_STRING members are
 * (Length, MaximumLength, Buffer) descriptors whose Buffer normally points
 * into the same user-mode allocation; a kernel reader should validate Buffer
 * and Length before touching them, since the process controls both. */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    PVOID ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StdInputHandle;
    HANDLE StdOutputHandle;
    HANDLE StdErrorHandle;
    UNICODE_STRING CurrentDirectoryPath;
    HANDLE CurrentDirectoryHandle;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;       /* full path of the main executable */
    UNICODE_STRING CommandLine;         /* command line as given at process creation */
    PVOID Environment;                  /* environment block (user-mode memory) */
    ULONG StartingPositionLeft;
    ULONG StartingPositionTop;
    ULONG Width;
    ULONG Height;
    ULONG CharWidth;
    ULONG CharHeight;
    ULONG ConsoleTextAttributes;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopName;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];   /* 32 slots, presumably one per drive letter */
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
/* Full Process Environment Block as this driver expects to find it in a
 * target process.  This is an undocumented layout: every scalar is a ULONG
 * or a 32-bit pointer and the padding members (Spare, Spare2[4]) are sized
 * for x86, so the offsets are only valid for the 32-bit OS release they were
 * taken from.  NOTE(review): looks like the Windows 2000/XP-era PEB --
 * confirm against the target build before dereferencing anything beyond
 * BeingDebugged, because a mismatched offset reads or writes the wrong
 * memory of another process.  BeingDebugged sits at offset 2 here exactly as
 * in PEB_ORIG above. */
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;                          /* offset 2 */
    BOOLEAN Spare;
    HANDLE Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA LoaderData;                       /* module lists, see _PEB_LDR_DATA */
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters; /* see _RTL_USER_PROCESS_PARAMETERS */
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PVOID FastPebLock;
    PPEBLOCKROUTINE FastPebLockRoutine;             /* called with FastPebLock */
    PPEBLOCKROUTINE FastPebUnlockRoutine;           /* called with FastPebLock */
    ULONG EnvironmentUpdateCount;
    PVOID *KernelCallbackTable;
    PVOID EventLogSection;
    PVOID EventLog;
    PPEB_FREE_BLOCK FreeList;                       /* see _PEB_FREE_BLOCK */
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[0x2];                       /* 64 TLS slots */
    PVOID ReadOnlySharedMemoryBase;
    PVOID ReadOnlySharedMemoryHeap;
    PVOID *ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    BYTE Spare2[0x4];                               /* pads CriticalSectionTimeout to 8 bytes */
    LARGE_INTEGER CriticalSectionTimeout;
    ULONG HeapSegmentReserve;
    ULONG HeapSegmentCommit;
    ULONG HeapDeCommitTotalFreeThreshold;
    ULONG HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID **ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    PVOID GdiDCAttributeList;
    PVOID LoaderLock;
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    ULONG OSBuildNumber;
    ULONG OSPlatformId;
    ULONG ImageSubSystem;
    ULONG ImageSubSystemMajorVersion;
    ULONG ImageSubSystemMinorVersion;
    ULONG GdiHandleBuffer[0x22];
    ULONG PostProcessInitRoutine;                   /* declared as ULONG; holds a pointer-sized value on x86 */
    ULONG TlsExpansionBitmap;                       /* declared as ULONG; holds a pointer-sized value on x86 */
    BYTE TlsExpansionBitmapBits[0x80];
    ULONG SessionId;
} PEB, *PPEB;
/* One record of the buffer returned by ZwQuerySystemInformation for the
 * process-information class (see the prototype at the end of this file).
 * Records are chained by NextEntryOffset, a byte offset relative to the
 * start of this record; a zero offset marks the last one.  A reader must
 * check that each offset stays inside the returned buffer before following
 * it, and should treat NumberOfThreads the same way when walking the
 * SYSTEM_THREAD_INFORMATION entries that follow each record.  Counters are
 * ULONG-sized here, matching the 32-bit layout the rest of the header uses. */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;                 /* offset to the next record, 0 for the last */
    ULONG NumberOfThreads;                 /* number of thread records following this one */
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;              /* Buffer points into the same returned buffer */
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;                /* process id carried in a HANDLE */
    HANDLE InheritedFromUniqueProcessId;   /* parent process id */
    ULONG HandleCount;
    ULONG SpareUl2;
    ULONG SpareUl3;
    ULONG PeakVirtualSize;
    ULONG VirtualSize;
    ULONG PageFaultCount;
    ULONG PeakWorkingSetSize;
    ULONG WorkingSetSize;
    ULONG QuotaPeakPagedPoolUsage;
    ULONG QuotaPagedPoolUsage;
    ULONG QuotaPeakNonPagedPoolUsage;
    ULONG QuotaNonPagedPoolUsage;
    ULONG PagefileUsage;
    ULONG PeakPagefileUsage;
    ULONG PrivatePageCount;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
/* Per-thread record that follows a SYSTEM_PROCESS_INFORMATION entry
 * (NumberOfThreads of them).  CLIENT_ID and KPRIORITY come from <ntddk.h>.
 * The same record is declared again below as struct _SYSTEM_THREADS with
 * older member names. */
typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;        /* thread start address in the owning process */
    CLIENT_ID ClientId;        /* process id + thread id */
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG ContextSwitches;
    ULONG ThreadState;
    ULONG WaitReason;          /* raw value; _SYSTEM_THREADS types it as KWAIT_REASON */
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
/* Older-style declaration of the thread record, member for member the same
 * size as SYSTEM_THREAD_INFORMATION above (KPRIORITY and KWAIT_REASON are
 * 32-bit here), used by struct _SYSTEM_PROCESSES.  The member is spelled
 * `ClientIs` in the original and is kept that way because callers may
 * already use it. */
struct _SYSTEM_THREADS
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;            /* sic: ClientId */
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};
/* Older-style declaration of the process record returned for the
 * process-information class (compare SYSTEM_PROCESS_INFORMATION above).
 * NextEntryDelta plays the role of NextEntryOffset and must be bounds-checked
 * the same way.  Threads[1] is the pre-C99 idiom for a trailing
 * variable-length array: the record presumably continues with ThreadCount
 * thread entries, so sizeof(struct _SYSTEM_PROCESSES) is not the record
 * size.  VM_COUNTERS and IO_COUNTERS come from <ntddk.h>. */
struct _SYSTEM_PROCESSES
{
    ULONG NextEntryDelta;               /* byte offset to the next record, 0 for the last */
    ULONG ThreadCount;                  /* number of entries in Threads[] */
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;       /* parent process id */
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters; //windows 2000 only
    struct _SYSTEM_THREADS Threads[1];  /* first of ThreadCount trailing entries */
};
/* Optional per-handle side record pointed to by HANDLE_TABLE_ENTRY.InfoTable. */
typedef struct _HANDLE_TABLE_ENTRY_INFO
{
    ULONG AuditMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
/* One slot of a kernel handle table (see _HANDLE_TABLE).  Undocumented
 * layout; two machine words on x86.  The first union overlays the object
 * pointer with its attribute bits, so Object is not a clean pointer:
 * NOTE(review): the low bits of Value presumably carry the attribute flags
 * (ObAttributes) and must be masked off before the pointer is dereferenced
 * -- confirm against the target build.  Anonymous unions/structs are a
 * Microsoft extension before C11. */
typedef struct _HANDLE_TABLE_ENTRY
{
    union
    {
        PVOID Object;                       /* object header pointer with flag bits mixed in */
        ULONG_PTR ObAttributes;             /* same word, viewed as attribute bits */
        PHANDLE_TABLE_ENTRY_INFO InfoTable; /* same word, when it points at an info record */
        ULONG_PTR Value;                    /* raw word */
    };
    union
    {
        ULONG GrantedAccess;                /* access mask granted to this handle */
        struct
        {
            USHORT GrantedAccessIndex;
            USHORT CreatorBackTraceIndex;
        };
        LONG NextFreeTableEntry;            /* free-list link while the slot is unused */
    };
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
/* Per-process kernel handle table (undocumented, x86 layout).  TableCode is
 * declared as a ULONG but holds the table pointer; NOTE(review): its low
 * bits presumably encode the table depth and must be masked before use --
 * confirm against the target build.  HandleTableLock[4] reserves the bytes
 * of the lock without naming its type.  PEPROCESS comes from <ntddk.h>. */
typedef struct _HANDLE_TABLE
{
    ULONG TableCode;                  /* table pointer with level bits, see note above */
    PEPROCESS QuotaProcess;           /* process charged for the table's pool */
    PVOID UniqueProcessId;
    ULONG HandleTableLock[4];         /* opaque lock storage */
    LIST_ENTRY HandleTableList;       /* link in the system-wide list of handle tables */
    ULONG HandleContentionEvent;
    PVOID DebugInfo;
    LONG ExtraInfoPages;
    ULONG FirstFree;                  /* head of the free-entry list */
    ULONG LastFree;
    ULONG NextHandleNeedingPool;
    LONG HandleCount;                 /* handles currently in use */
    union
    {
        ULONG Flags;
        UCHAR StrictFIFO:1;           /* bit 0 of Flags */
    };
} HANDLE_TABLE, *PHANDLE_TABLE;
/* Type-specific parameters and callbacks of an object type, embedded in
 * OBJECT_TYPE.TypeInfo.  The procedure members are declared as PVOID rather
 * than as typed function pointers, so nothing here checks the callback
 * signatures; treat them as opaque.  GENERIC_MAPPING and POOL_TYPE come from
 * <ntddk.h>. */
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;                    /* presumably sizeof(OBJECT_TYPE_INITIALIZER) */
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;   /* generic -> specific access-right mapping */
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    /* Object-manager callbacks; untyped here, see note above. */
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
/* Object-manager type descriptor (undocumented layout).  ERESOURCE and
 * LIST_ENTRY come from <ntddk.h>; the embedded ERESOURCE members make this
 * structure non-pageable and size-dependent on the kernel build, so it must
 * only be used to read objects the kernel allocated, never to allocate one. */
typedef struct _OBJECT_TYPE {
    ERESOURCE Mutex;
    LIST_ENTRY TypeList;                 /* link in the list of all object types */
    UNICODE_STRING Name; // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;                         /* index of this type in the type table */
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;    /* see _OBJECT_TYPE_INITIALIZER */
    ULONG Key;                           /* NOTE(review): presumably the pool tag used for this type -- confirm */
    ERESOURCE ObjectLocks[4];
} OBJECT_TYPE, *POBJECT_TYPE;
/* Object-manager namespace directory: a 37-bucket hash table of entries.
 * struct _OBJECT_DIRECTORY_ENTRY is only referenced through a pointer and
 * is not defined in this file, so the buckets cannot be walked with the
 * declarations here alone. */
typedef struct _OBJECT_DIRECTORY {
    struct _OBJECT_DIRECTORY_ENTRY *HashBuckets[ 37 ];   /* incomplete type, see note above */
    ULONG Lock;
    PVOID DeviceMap;
    ULONG SessionId;
    USHORT Reserved;
    USHORT SymbolicLinkUsageCount;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
/* Retired four-value form of KAPC_ENVIRONMENT, kept for reference; the live
 * definition below drops InsertApcEnvironment but leaves the first three
 * values (0, 1, 2) unchanged.

typedef enum _KAPC_ENVIRONMENT {
OriginalApcEnvironment,
AttachedApcEnvironment,
CurrentApcEnvironment,
InsertApcEnvironment
} KAPC_ENVIRONMENT;

*/

/* APC environment selector: which process context a queued APC is delivered
 * in.  Values are 0, 1, 2 in declaration order. */
typedef enum
{
    OriginalApcEnvironment,   /* 0 */
    AttachedApcEnvironment,   /* 1 */
    CurrentApcEnvironment     /* 2 */
} KAPC_ENVIRONMENT;
//----------------------------------------------------
/* Query system-wide information (undocumented export, declared here with the
 * kernel's NTSYSAPI/NTAPI linkage).
 *
 * SystemInformationClass  SYSTEM_INFORMATION_CLASS value passed as a ULONG;
 *                         the process class fills the buffer with
 *                         SYSTEM_PROCESS_INFORMATION records.
 * SystemInformation       caller-supplied output buffer (the IN annotation
 *                         is misleading: the callee writes into it).
 * SystemInformationLength size of that buffer in bytes.
 * ReturnLength            receives the size written or required.
 *
 * Returns an NTSTATUS; a too-small buffer is reported as a failure status
 * with ReturnLength set, so callers typically retry with a larger buffer.
 * Callers must still bounds-check every offset inside the returned data. */
NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);
/* Open an existing file by OBJECT_ATTRIBUTES.
 *
 * FileHandle        receives the new handle on success.
 * DesiredAccess     ACCESS_MASK requested.
 * ObjectAttributes  name, root directory and attributes of the file.
 * IoStatusBlock     receives the completion status/information.
 * ShareAccess       FILE_SHARE_* flags.
 * OpenOptions       FILE_* open options.
 *
 * NOTE(review): unlike ZwQuerySystemInformation above, this and the
 * following prototypes carry no NTSYSAPI/NTAPI, so on x86 the calling
 * convention is whatever the project default is; confirm it matches the
 * kernel's declaration in <ntddk.h>, which already declares these names. */
NTSTATUS
NtOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
);
/* Open a handle to a process identified by ClientId.
 *
 * ProcessHandle     receives the new handle on success.
 * DesiredAccess     PROCESS_* access rights requested.
 * ObjectAttributes  usually empty attributes; name is not used when ClientId is given.
 * ClientId          UniqueProcess (and optionally UniqueThread) to open.
 *
 * Returns an NTSTATUS.  Declared without NTAPI; see the note on NtOpenFile. */
NTSTATUS
ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId
);
/* Look up the EPROCESS for a process id.
 *
 * ProcessId  process id (as a HANDLE-typed value).
 * Process    receives a referenced EPROCESS pointer on success; the caller
 *            owns that reference and releases it with ObDereferenceObject.
 *
 * Returns an NTSTATUS; fails if no such process exists.  Declared without
 * NTAPI; see the note on NtOpenFile. */
NTSTATUS
PsLookupProcessByProcessId(
    IN HANDLE ProcessId,
    OUT PEPROCESS *Process
);
/* Return the process id of an EPROCESS (the inverse of
 * PsLookupProcessByProcessId; takes no reference).  Declared without NTAPI;
 * see the note on NtOpenFile. */
HANDLE
PsGetProcessId(
    IN PEPROCESS Process
);
/* Build the registry path of the current user's HKEY_CURRENT_USER key
 * (\Registry\User\<SID>) into CurrentUserKeyPath.
 *
 * CurrentUserKeyPath  receives the string.  NOTE(review): the buffer is
 *                     allocated by the callee and presumably released with
 *                     RtlFreeUnicodeString -- confirm, otherwise it leaks.
 *
 * Returns an NTSTATUS.  Declared without NTAPI; see the note on NtOpenFile. */
NTSTATUS
RtlFormatCurrentUserKeyPath(
    OUT PUNICODE_STRING CurrentUserKeyPath
);
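/* Attach the current thread to the address space of `proc`; undo with
 * KeDetachProcess.  NOTE(review): these are the legacy, non-nestable
 * attach/detach routines; the documented replacements are
 * KeStackAttachProcess/KeUnstackDetachProcess.  Declared without NTAPI; see
 * the note on NtOpenFile. */
VOID KeAttachProcess( PEPROCESS proc );
/* Detach from the process attached with KeAttachProcess.  Declared with an
 * explicit (VOID) parameter list: the original `()` is an unprototyped
 * declaration in C, which disables argument checking at call sites. */
VOID KeDetachProcess(VOID);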