mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-23 20:05:26 +00:00
378 lines
7.0 KiB
C
378 lines
7.0 KiB
C
|
/*
|
||
|
* This file is part of the Process Hacker project - https://processhacker.sourceforge.io/
|
||
|
*
|
||
|
* You can redistribute this file and/or modify it under the terms of the
|
||
|
* Attribution 4.0 International (CC BY 4.0) license.
|
||
|
*
|
||
|
* You must give appropriate credit, provide a link to the license, and
|
||
|
* indicate if changes were made. You may do so in any reasonable manner, but
|
||
|
* not in any way that suggests the licensor endorses you or your use.
|
||
|
*/
|
||
|
|
||
|
#ifndef _NTDBG_H
|
||
|
#define _NTDBG_H
|
||
|
|
||
|
// Debugging
|
||
|
|
||
|
NTSYSAPI
|
||
|
VOID
|
||
|
NTAPI
|
||
|
DbgUserBreakPoint(
|
||
|
VOID
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
VOID
|
||
|
NTAPI
|
||
|
DbgBreakPoint(
|
||
|
VOID
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
VOID
|
||
|
NTAPI
|
||
|
DbgBreakPointWithStatus(
|
||
|
_In_ ULONG Status
|
||
|
);
|
||
|
|
||
|
#define DBG_STATUS_CONTROL_C 1
|
||
|
#define DBG_STATUS_SYSRQ 2
|
||
|
#define DBG_STATUS_BUGCHECK_FIRST 3
|
||
|
#define DBG_STATUS_BUGCHECK_SECOND 4
|
||
|
#define DBG_STATUS_FATAL 5
|
||
|
#define DBG_STATUS_DEBUG_CONTROL 6
|
||
|
#define DBG_STATUS_WORKER 7
|
||
|
|
||
|
NTSYSAPI
|
||
|
ULONG
|
||
|
STDAPIVCALLTYPE
|
||
|
DbgPrint(
|
||
|
_In_z_ _Printf_format_string_ PSTR Format,
|
||
|
...
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
ULONG
|
||
|
STDAPIVCALLTYPE
|
||
|
DbgPrintEx(
|
||
|
_In_ ULONG ComponentId,
|
||
|
_In_ ULONG Level,
|
||
|
_In_z_ _Printf_format_string_ PSTR Format,
|
||
|
...
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
ULONG
|
||
|
NTAPI
|
||
|
vDbgPrintEx(
|
||
|
_In_ ULONG ComponentId,
|
||
|
_In_ ULONG Level,
|
||
|
_In_z_ PCH Format,
|
||
|
_In_ va_list arglist
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
ULONG
|
||
|
NTAPI
|
||
|
vDbgPrintExWithPrefix(
|
||
|
_In_z_ PCH Prefix,
|
||
|
_In_ ULONG ComponentId,
|
||
|
_In_ ULONG Level,
|
||
|
_In_z_ PCH Format,
|
||
|
_In_ va_list arglist
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
DbgQueryDebugFilterState(
|
||
|
_In_ ULONG ComponentId,
|
||
|
_In_ ULONG Level
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
DbgSetDebugFilterState(
|
||
|
_In_ ULONG ComponentId,
|
||
|
_In_ ULONG Level,
|
||
|
_In_ BOOLEAN State
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
ULONG
|
||
|
NTAPI
|
||
|
DbgPrompt(
|
||
|
_In_ PCH Prompt,
|
||
|
_Out_writes_bytes_(Length) PCH Response,
|
||
|
_In_ ULONG Length
|
||
|
);
|
||
|
|
||
|
// Definitions
|
||
|
|
||
|
typedef struct _DBGKM_EXCEPTION
|
||
|
{
|
||
|
EXCEPTION_RECORD ExceptionRecord;
|
||
|
ULONG FirstChance;
|
||
|
} DBGKM_EXCEPTION, *PDBGKM_EXCEPTION;
|
||
|
|
||
|
typedef struct _DBGKM_CREATE_THREAD
|
||
|
{
|
||
|
ULONG SubSystemKey;
|
||
|
PVOID StartAddress;
|
||
|
} DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD;
|
||
|
|
||
|
typedef struct _DBGKM_CREATE_PROCESS
|
||
|
{
|
||
|
ULONG SubSystemKey;
|
||
|
HANDLE FileHandle;
|
||
|
PVOID BaseOfImage;
|
||
|
ULONG DebugInfoFileOffset;
|
||
|
ULONG DebugInfoSize;
|
||
|
DBGKM_CREATE_THREAD InitialThread;
|
||
|
} DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS;
|
||
|
|
||
|
typedef struct _DBGKM_EXIT_THREAD
|
||
|
{
|
||
|
NTSTATUS ExitStatus;
|
||
|
} DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD;
|
||
|
|
||
|
typedef struct _DBGKM_EXIT_PROCESS
|
||
|
{
|
||
|
NTSTATUS ExitStatus;
|
||
|
} DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS;
|
||
|
|
||
|
typedef struct _DBGKM_LOAD_DLL
|
||
|
{
|
||
|
HANDLE FileHandle;
|
||
|
PVOID BaseOfDll;
|
||
|
ULONG DebugInfoFileOffset;
|
||
|
ULONG DebugInfoSize;
|
||
|
PVOID NamePointer;
|
||
|
} DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL;
|
||
|
|
||
|
typedef struct _DBGKM_UNLOAD_DLL
|
||
|
{
|
||
|
PVOID BaseAddress;
|
||
|
} DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL;
|
||
|
|
||
|
typedef enum _DBG_STATE
|
||
|
{
|
||
|
DbgIdle,
|
||
|
DbgReplyPending,
|
||
|
DbgCreateThreadStateChange,
|
||
|
DbgCreateProcessStateChange,
|
||
|
DbgExitThreadStateChange,
|
||
|
DbgExitProcessStateChange,
|
||
|
DbgExceptionStateChange,
|
||
|
DbgBreakpointStateChange,
|
||
|
DbgSingleStepStateChange,
|
||
|
DbgLoadDllStateChange,
|
||
|
DbgUnloadDllStateChange
|
||
|
} DBG_STATE, *PDBG_STATE;
|
||
|
|
||
|
typedef struct _DBGUI_CREATE_THREAD
|
||
|
{
|
||
|
HANDLE HandleToThread;
|
||
|
DBGKM_CREATE_THREAD NewThread;
|
||
|
} DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD;
|
||
|
|
||
|
typedef struct _DBGUI_CREATE_PROCESS
|
||
|
{
|
||
|
HANDLE HandleToProcess;
|
||
|
HANDLE HandleToThread;
|
||
|
DBGKM_CREATE_PROCESS NewProcess;
|
||
|
} DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS;
|
||
|
|
||
|
typedef struct _DBGUI_WAIT_STATE_CHANGE
|
||
|
{
|
||
|
DBG_STATE NewState;
|
||
|
CLIENT_ID AppClientId;
|
||
|
union
|
||
|
{
|
||
|
DBGKM_EXCEPTION Exception;
|
||
|
DBGUI_CREATE_THREAD CreateThread;
|
||
|
DBGUI_CREATE_PROCESS CreateProcessInfo;
|
||
|
DBGKM_EXIT_THREAD ExitThread;
|
||
|
DBGKM_EXIT_PROCESS ExitProcess;
|
||
|
DBGKM_LOAD_DLL LoadDll;
|
||
|
DBGKM_UNLOAD_DLL UnloadDll;
|
||
|
} StateInfo;
|
||
|
} DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE;
|
||
|
|
||
|
#define DEBUG_READ_EVENT 0x0001
|
||
|
#define DEBUG_PROCESS_ASSIGN 0x0002
|
||
|
#define DEBUG_SET_INFORMATION 0x0004
|
||
|
#define DEBUG_QUERY_INFORMATION 0x0008
|
||
|
#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
|
||
|
DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \
|
||
|
DEBUG_QUERY_INFORMATION)
|
||
|
|
||
|
#define DEBUG_KILL_ON_CLOSE 0x1
|
||
|
|
||
|
typedef enum _DEBUGOBJECTINFOCLASS
|
||
|
{
|
||
|
DebugObjectUnusedInformation,
|
||
|
DebugObjectKillProcessOnExitInformation,
|
||
|
MaxDebugObjectInfoClass
|
||
|
} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS;
|
||
|
|
||
|
// System calls
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtCreateDebugObject(
|
||
|
_Out_ PHANDLE DebugObjectHandle,
|
||
|
_In_ ACCESS_MASK DesiredAccess,
|
||
|
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
|
||
|
_In_ ULONG Flags
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtDebugActiveProcess(
|
||
|
_In_ HANDLE ProcessHandle,
|
||
|
_In_ HANDLE DebugObjectHandle
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtDebugContinue(
|
||
|
_In_ HANDLE DebugObjectHandle,
|
||
|
_In_ PCLIENT_ID ClientId,
|
||
|
_In_ NTSTATUS ContinueStatus
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtRemoveProcessDebug(
|
||
|
_In_ HANDLE ProcessHandle,
|
||
|
_In_ HANDLE DebugObjectHandle
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtSetInformationDebugObject(
|
||
|
_In_ HANDLE DebugObjectHandle,
|
||
|
_In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass,
|
||
|
_In_ PVOID DebugInformation,
|
||
|
_In_ ULONG DebugInformationLength,
|
||
|
_Out_opt_ PULONG ReturnLength
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtWaitForDebugEvent(
|
||
|
_In_ HANDLE DebugObjectHandle,
|
||
|
_In_ BOOLEAN Alertable,
|
||
|
_In_opt_ PLARGE_INTEGER Timeout,
|
||
|
_Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange
|
||
|
);
|
||
|
|
||
|
// Debugging UI
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
DbgUiConnectToDbg(
|
||
|
VOID
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
HANDLE
|
||
|
NTAPI
|
||
|
DbgUiGetThreadDebugObject(
|
||
|
VOID
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
VOID
|
||
|
NTAPI
|
||
|
DbgUiSetThreadDebugObject(
|
||
|
_In_ HANDLE DebugObject
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
DbgUiWaitStateChange(
|
||
|
_Out_ PDBGUI_WAIT_STATE_CHANGE StateChange,
|
||
|
_In_opt_ PLARGE_INTEGER Timeout
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
DbgUiContinue(
|
||
|
_In_ PCLIENT_ID AppClientId,
|
||
|
_In_ NTSTATUS ContinueStatus
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
DbgUiStopDebugging(
|
||
|
_In_ HANDLE Process
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
DbgUiDebugActiveProcess(
|
||
|
_In_ HANDLE Process
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
VOID
|
||
|
NTAPI
|
||
|
DbgUiRemoteBreakin(
|
||
|
_In_ PVOID Context
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
DbgUiIssueRemoteBreakin(
|
||
|
_In_ HANDLE Process
|
||
|
);
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
DbgUiConvertStateChangeStructure(
|
||
|
_In_ PDBGUI_WAIT_STATE_CHANGE StateChange,
|
||
|
_Out_ LPDEBUG_EVENT DebugEvent
|
||
|
);
|
||
|
|
||
|
struct _EVENT_FILTER_DESCRIPTOR;
|
||
|
|
||
|
typedef VOID (NTAPI *PENABLECALLBACK)(
|
||
|
_In_ LPCGUID SourceId,
|
||
|
_In_ ULONG IsEnabled,
|
||
|
_In_ UCHAR Level,
|
||
|
_In_ ULONGLONG MatchAnyKeyword,
|
||
|
_In_ ULONGLONG MatchAllKeyword,
|
||
|
_In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData,
|
||
|
_Inout_opt_ PVOID CallbackContext
|
||
|
);
|
||
|
|
||
|
typedef ULONGLONG REGHANDLE, *PREGHANDLE;
|
||
|
|
||
|
NTSYSAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
EtwEventRegister(
|
||
|
_In_ LPCGUID ProviderId,
|
||
|
_In_opt_ PENABLECALLBACK EnableCallback,
|
||
|
_In_opt_ PVOID CallbackContext,
|
||
|
_Out_ PREGHANDLE RegHandle
|
||
|
);
|
||
|
|
||
|
#endif
|