/*** Copyright (C) 2023 J Reece Wilson (a/k/a "Reece"). All rights reserved. File: AuProcAddresses.NT.hpp Date: 2023-2-16 Author: Reece ***/ #pragma once struct _PROCESS_MEMORY_COUNTERS; struct _tagSTACKFRAME64; struct _MINIDUMP_EXCEPTION_INFORMATION; struct _MINIDUMP_USER_STREAM_INFORMATION; struct _IMAGEHLP_LINE64; struct _tagADDRESS64; struct _MINIDUMP_CALLBACK_INFORMATION; struct _MIB_IPADDRTABLE; struct _IP_ADAPTER_INFO; struct _CREATEFILE2_EXTENDED_PARAMETERS; struct _EXPLICIT_ACCESS_A; struct _ACL; struct _SP_DEVINFO_DATA; struct _SP_DEVICE_INTERFACE_DATA; struct _SP_DEVICE_INTERFACE_DETAIL_DATA_W; struct _NETRESOURCEW; struct _CONSOLE_SCREEN_BUFFER_INFO; struct _SMALL_RECT; struct _CHAR_INFO; struct tagMODULEENTRY32W; enum _TOKEN_INFORMATION_CLASS; enum _SE_OBJECT_TYPE; enum _MINIDUMP_TYPE; enum _OBJECT_WAIT_TYPE; enum _SE_OBJECT_TYPE; enum _PROCESS_INFORMATION_CLASS; enum _SYSTEM_INFORMATION_CLASS; //#if defined(AURORA_COMPILER_MSVC) struct _IP_ADAPTER_ADDRESSES_LH; struct _IP_ADAPTER_ADDRESSES_XP; #if (NTDDI_VERSION >= NTDDI_VISTA) typedef _IP_ADAPTER_ADDRESSES_LH IP_ADAPTER_ADDRESSES; typedef _IP_ADAPTER_ADDRESSES_LH *PIP_ADAPTER_ADDRESSES; #elif (NTDDI_VERSION >= NTDDI_WINXP) typedef _IP_ADAPTER_ADDRESSES_XP IP_ADAPTER_ADDRESSES; typedef _IP_ADAPTER_ADDRESSES_XP *PIP_ADAPTER_ADDRESSES; #else typedef _IP_ADAPTER_ADDRESSES_XP IP_ADAPTER_ADDRESSES; typedef _IP_ADAPTER_ADDRESSES_XP *PIP_ADAPTER_ADDRESSES; #endif //#endif typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING; typedef STRING LSA_STRING, *PLSA_STRING; typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES; typedef PVOID LSA_HANDLE, *PLSA_HANDLE; struct CREDUI_INFOW { DWORD cbSize; HWND hwndParent; PCWSTR pszMessageText; PCWSTR pszCaptionText; HBITMAP hbmBanner; }; namespace Aurora { void InitNTAddresses(); void InitNTAddressesForClock(); static const wchar_t *kSyncDllName { L"API-MS-Win-Core-Synch-l1-2-0.dll" }; static const wchar_t *kNtDllName { L"NTDLL.dll" }; static const wchar_t *kKernel32DllName { L"Kernel32.dll" }; static const wchar_t *kKernelBaseDllName { L"KernelBase.dll" }; static const wchar_t *kWS2DllName { L"Ws2_32.dll" }; static const wchar_t *kAdvancedApiDllName { L"Advapi32.dll" }; static const wchar_t *kBCryptDllName { L"bcrypt.dll" }; static const wchar_t *kThemeDllName { L"UxTheme.dll" }; static const wchar_t *kShellDllName { L"Shell32.dll" }; static const wchar_t *kPSAPILegacyDllName { L"psapi.dll" }; static const wchar_t *kDbgHelperDllName { L"dbghelp.dll" }; static const wchar_t *kWinTrustDllName { L"WINTRUST.dll" }; static const wchar_t *kIPHelperDllName { L"IPHLPAPI.dll" }; static const wchar_t *kCOMDllName { L"ole32.dll" }; static const wchar_t *kUser32DllName { L"User32.dll" }; static const wchar_t *kSetupAPIDllName { L"SETUPAPI.dll" }; static const wchar_t *kRouterDllName { L"MPR.dll" }; static const wchar_t *kCredUIDllName { L"credui.dll" }; struct WIN32_MEMORY_RANGE_ENTRY2 { PVOID VirtualAddress; SIZE_T NumberOfBytes; }; enum class THREAD_INFORMATION_CLASS { ThreadMemoryPriority, ThreadAbsoluteCpuPriority, ThreadDynamicCodePolicy, ThreadPowerThrottling, ThreadInformationClassMax }; inline BOOL(__stdcall *pWaitOnAddress)( volatile VOID * Address, PVOID CompareAddress, SIZE_T AddressSize, DWORD dwMilliseconds ); inline void(__stdcall *pWakeByAddressSingle)( PVOID Address ); inline void(__stdcall *pWakeByAddressAll)( PVOID Address ); inline NTSTATUS(__stdcall *pNtWaitForMultipleObjects)( ULONG ObjectCount, PHANDLE ObjectsArray, _OBJECT_WAIT_TYPE WaitType, BOOLEAN Alertable, AuUInt64 * pTimeOut ); inline NTSTATUS(__stdcall *pNtQuerySymbolicLinkObject)( HANDLE LinkHandle, PUNICODE_STRING LinkTarget, PULONG ReturnedLength ); inline NTSTATUS(__stdcall *pNtOpenSymbolicLinkObject)( PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes ); inline DWORD(__stdcall *pNtDelayExecution)( BOOLEAN Alertable, PLARGE_INTEGER DelayInterval ); inline PVOID(__stdcall *pVirtualAlloc2)( HANDLE Process, PVOID BaseAddress, SIZE_T Size, ULONG AllocationType, ULONG PageProtection, MEM_EXTENDED_PARAMETER * ExtendedParameters, ULONG ParameterCount ); inline PVOID(__stdcall *pMapViewOfFile3)( HANDLE FileMapping, HANDLE Process, PVOID BaseAddress, ULONG64 Offset, SIZE_T ViewSize, ULONG AllocationType, ULONG PageProtection, MEM_EXTENDED_PARAMETER * ExtendedParameters, ULONG ParameterCount ); inline PVOID(__stdcall *pUnmapViewOfFile2)( HANDLE Process, PVOID BaseAddress, ULONG UnmapFlags ); inline NTSTATUS(__stdcall *pNtWaitForKeyedEvent)( HANDLE Handle, PVOID Key, BOOLEAN Alertable, PLARGE_INTEGER NTTimeout ); inline NTSTATUS(__stdcall *pNtReleaseKeyedEvent)( HANDLE Handle, PVOID Key, BOOLEAN Alertable, PLARGE_INTEGER NTTimeout ); inline NTSTATUS(__stdcall *pNtCreateKeyedEvent)( HANDLE Handle, ACCESS_MASK Access, POBJECT_ATTRIBUTES Attr, ULONG Flags ); inline NTSTATUS(__stdcall *pNtOpenKeyedEvent)( HANDLE Handle, ACCESS_MASK Access, POBJECT_ATTRIBUTES Attr, ULONG Flags ); inline NTSTATUS(__stdcall *pRtlWaitOnAddress)( const void * addr, const void * cmp, SIZE_T size, const LARGE_INTEGER * timeout ); inline void(__stdcall *pRtlWakeByAddressAll)( const void * addr ); inline void(__stdcall *pRtlWakeAddressSingle)( const void * addr ); #if defined(AURORA_PLATFORM_WIN32) inline NTSTATUS(__stdcall *pRtlGetVersion)( PRTL_OSVERSIONINFOW lpVersionInformation ); #endif inline HANDLE(__stdcall *pCreateFile2W)( LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, DWORD dwCreationDisposition, _CREATEFILE2_EXTENDED_PARAMETERS *pCreateExParams ); inline HANDLE(__stdcall *pCreateFileW)( LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile ); inline HANDLE(__stdcall *pCreateFileMappingA)( HANDLE hFile, LPSECURITY_ATTRIBUTES lpFileMappingAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName ); inline HANDLE(__stdcall *pCreateFileMappingFromApp)( HANDLE hFile, PSECURITY_ATTRIBUTES SecurityAttributes, ULONG PageProtection, ULONG64 MaximumSize, PCWSTR Name ); inline HANDLE(__stdcall *pOpenFileMappingA)( ULONG DesiredAccess, BOOL InheritHandle, LPCSTR Name ); inline HANDLE(__stdcall *pOpenFileMappingFromApp)( ULONG DesiredAccess, BOOL InheritHandle, PCWSTR Name ); inline LPVOID(__stdcall *pMapViewOfFile)( HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow, SIZE_T dwNumberOfBytesToMap ); inline LPVOID(__stdcall *pMapViewOfFileFromApp)( HANDLE hFileMappingObject, ULONG DesiredAccess, ULONG64 FileOffset, SIZE_T dwNumberOfBytesToMap ); inline HANDLE(__stdcall *pCreateWaitableTimerExW)( LPSECURITY_ATTRIBUTES lpTimerAttributes, LPCWSTR lpTimerName, DWORD dwFlags, DWORD dwDesiredAccess ); inline NTSTATUS(__stdcall *pNtNotifyChangeDirectoryFile)( HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG BufferSize, ULONG CompletionFilter, BOOLEAN WatchTree ); inline NTSTATUS(__stdcall *pNtTerminateProcess)( HANDLE ProcessHandle, NTSTATUS ExitStatus ); inline BOOL(__stdcall *pGetSystemCpuSetInformation)( PSYSTEM_CPU_SET_INFORMATION Information, ULONG BufferLength, PULONG ReturnedLength, HANDLE Process, ULONG Flags ); inline BOOL(__stdcall *pGetLogicalProcessorInformation)( PSYSTEM_LOGICAL_PROCESSOR_INFORMATION Buffer, PDWORD ReturnedLength ); inline HRESULT(__stdcall *pSetThreadDescription)( HANDLE hThread, PCWSTR lpThreadDescription ); inline BOOL(__stdcall *pSetThreadInformation)( HANDLE hThread, THREAD_INFORMATION_CLASS ThreadInformationClass, LPVOID ThreadInformation, DWORD ThreadInformationSize ); inline BOOL(__stdcall *pSetThreadSelectedCpuSets)( HANDLE Thread, const ULONG * CpuSetIds, ULONG CpuSetIdCount ); #if defined(AURORA_PLATFORM_WIN32) inline BOOL(__stdcall *pSetThreadGroupAffinity)( HANDLE hThread, GROUP_AFFINITY * GroupAffinity, PGROUP_AFFINITY PreviousGroupAffinity ); #endif inline BOOL(__stdcall *pRemoveDllDirectory)( PVOID Cookie ); inline PVOID(__stdcall *pAddDllDirectory)( PCWSTR NewDirectory ); inline DWORD(__stdcall *pGetTempPathW)( DWORD nBufferLength, LPWSTR lpBuffer ); inline BOOL(__stdcall *pSetProcessInformation)( HANDLE hProcess, _PROCESS_INFORMATION_CLASS ProcessInformationClass, LPVOID ProcessInformation, DWORD ProcessInformationSize ); inline BOOL(__stdcall *pGetConsoleScreenBufferInfo)( HANDLE hConsoleOutput, _CONSOLE_SCREEN_BUFFER_INFO*lpConsoleScreenBufferInfo ); inline BOOL(__stdcall *pSetConsoleScreenBufferSize)( HANDLE hConsoleOutput, COORD dwSize ); inline BOOL(__stdcall *pSetConsoleWindowInfo)( HANDLE hConsoleOutput, BOOL bAbsolute, CONST _SMALL_RECT * lpConsoleWindow ); inline HANDLE(__stdcall *pCreateConsoleScreenBuffer)( DWORD dwDesiredAccess, DWORD dwShareMode, CONST _SECURITY_ATTRIBUTES *lpSecurityAttributes, DWORD dwFlags, LPVOID lpScreenBufferData ); inline BOOL(__stdcall *pSetConsoleCursorPosition)( HANDLE hConsoleOutput, COORD dwCursorPosition ); inline BOOL(__stdcall *pFillConsoleOutputCharacterW)( HANDLE hConsoleOutput, WCHAR cCharacter, DWORD nLength, COORD dwWriteCoord, LPDWORD lpNumberOfCharsWritten ); inline BOOL(__stdcall *pFillConsoleOutputAttribute)( HANDLE hConsoleOutput, WORD wAttribute, DWORD nLength, COORD dwWriteCoord, LPDWORD lpNumberOfAttrsWritten ); inline BOOL(__stdcall *pSetConsoleTextAttribute)( HANDLE hConsoleOutput, WORD wAttributes ); inline BOOL(__stdcall *pSetConsoleActiveScreenBuffer)( HANDLE hConsoleOutput ); inline BOOL(__stdcall *pScrollConsoleScreenBufferW)( HANDLE hConsoleOutput, CONST _SMALL_RECT * lpScrollRectangle, CONST _SMALL_RECT * lpClipRectangle, COORD dwDestinationOrigin, CONST _CHAR_INFO * lpFill ); inline BOOL(__stdcall *pGetNumberOfConsoleInputEvents)( HANDLE hConsoleInput, LPDWORD lpNumberOfEvents ); inline BOOL(__stdcall *pReadConsoleInputW)( HANDLE hConsoleInput, _INPUT_RECORD * lpBuffer, DWORD nLength, LPDWORD lpNumberOfEventsRead ); inline BOOL(__stdcall *pWriteConsoleInputW)( HANDLE hConsoleInput, CONST _INPUT_RECORD * lpBuffer, DWORD nLength, LPDWORD lpNumberOfEventsWritten ); inline BOOL(__stdcall *pWriteConsoleW)( HANDLE hConsoleInput, CONST wchar_t * lpBuffer, DWORD nLength, LPDWORD lpNumberOfEventsWritten, void * pReserved ); inline BOOL(__stdcall *pGetNamedPipeClientProcessId)( HANDLE Pipe, PULONG ClientProcessId ); inline BOOL(__stdcall *pModule32FirstW)( HANDLE Pipe, tagMODULEENTRY32W * lpme ); inline BOOL(__stdcall *pModule32NextW)( HANDLE Pipe, tagMODULEENTRY32W * lpme ); inline HANDLE(__stdcall *pCreateJobObjectW)( LPSECURITY_ATTRIBUTES lpJobAttributes, LPCWSTR lpName ); inline BOOL(__stdcall *pPrefetchVirtualMemory)( HANDLE hProcess, ULONG_PTR NumberOfEntries, WIN32_MEMORY_RANGE_ENTRY2 * VirtualAddresses, ULONG Flags ); inline BOOL(__stdcall *pCryptGenRandom)( ULONG_PTR hProv, DWORD dwLen, BYTE * pbBuffer ); inline NTSTATUS(__stdcall *pZwSetTimerResolution)( ULONG RequestedResolution, BOOLEAN Set, PULONG ActualResolution ); inline NTSTATUS(__stdcall *pZwQueryTimerResolution)( PULONG CoarsestResolution, PULONG FinestResolution, PULONG ActualResolution ); inline BOOLEAN(__stdcall *pRtlGenRandom)( PVOID RandomBuffer, ULONG RandomBufferLength ); #if defined(AURORA_PLATFORM_WIN32) inline NTSTATUS(__stdcall *pNtQueryInformationProcess)( HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength ); #endif inline NTSTATUS(__stdcall *pNtQuerySystemInformation)( _SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); inline ULONGLONG(__stdcall *pVerSetConditionMask)( ULONGLONG ConditionMask, DWORD TypeMask, BYTE Condition ); inline BOOL(__stdcall *pVerifyVersionInfoW)( LPOSVERSIONINFOEXW dwTypeMask, DWORD TypeMask, DWORDLONG dwlConditionMask ); inline HRESULT(__stdcall *pSetWindowTheme)( HWND hwnd, LPCWSTR pszSubAppName, LPCWSTR pszSubIdList ); inline HANDLE(__stdcall *pFindFirstStreamW)( LPCWSTR lpFileName, STREAM_INFO_LEVELS InfoLevel, LPVOID lpFindStreamData, DWORD dwFlags ); inline BOOL(__stdcall *pFindNextStreamW)( HANDLE hFindStream, LPVOID lpFindStreamData ); inline BOOL(__stdcall *pFindClose)( HANDLE hFindFile ); inline BOOL(__stdcall *pCancelIoEx)( HANDLE hFile, LPOVERLAPPED lpOverlapped ); inline BOOL(__stdcall *pCancelSynchronousIo)( HANDLE hThread ); #if 0 inline BOOL(__stdcall *pQueryPerformanceCounter)( LARGE_INTEGER * lpPerformanceCount ); inline BOOL(__stdcall *pQueryPerformanceFrequency)( LARGE_INTEGER * lpPerformanceCount ); #else // no one will notice inline BOOL(__stdcall *pQueryPerformanceCounter)( long long * lpPerformanceCount ); inline BOOL(__stdcall *pQueryPerformanceFrequency)( long long * lpPerformanceCount ); #endif inline BOOL(__stdcall *pGetProcessMemoryInfo)( HANDLE Process, ::_PROCESS_MEMORY_COUNTERS *ppsmemCounters, DWORD cb ); inline BOOL(__stdcall *pSetFileInformationByHandle)( HANDLE hFile, FILE_INFO_BY_HANDLE_CLASS FileInformationClass, LPVOID lpFileInformation, DWORD dwBufferSize ); inline int(__stdcall *pGetLocaleInfoEx)( LPCWSTR lpLocaleName, LCTYPE LCType, LPWSTR lpLCData, int cchData ); inline int(__stdcall *pLCIDToLocaleName)( LCID Locale, LPWSTR lpName, int cchName, DWORD dwFlags ); inline int(__stdcall *pGetLocaleInfoW)( LCID Locale, LCTYPE LCType, LPWSTR lpLCData, int cchData ); inline DWORD(__stdcall *pGetThreadId)( HANDLE hThread ); inline NTSTATUS(__stdcall *pBCryptGenRandom)( PVOID hAlgorithm, PUCHAR pbBuffer, ULONG cbBuffer, ULONG dwFlags ); // dbghelp inline DWORD(__stdcall *pUnDecorateSymbolName)( PCSTR name, PSTR outputString, DWORD maxStringLength, DWORD flags ); inline BOOL(__stdcall *pMiniDumpWriteDump)( HANDLE hProcess, DWORD ProcessId, HANDLE hFile, enum _MINIDUMP_TYPE DumpType, _MINIDUMP_EXCEPTION_INFORMATION * ExceptionParam, _MINIDUMP_USER_STREAM_INFORMATION * UserStreamParam, _MINIDUMP_CALLBACK_INFORMATION * CallbackParam ); inline BOOL(__stdcall *pSymInitialize)( HANDLE hProcess, PCSTR UserSearchPath, BOOL fInvadeProcess ); inline DWORD64(__stdcall *pSymGetModuleBase64)( HANDLE hProcess, DWORD64 qwAddr ); inline BOOL(__stdcall *pSymGetLineFromAddr64)( HANDLE hProcess, DWORD64 qwAddr, PDWORD pdwDisplacement, _IMAGEHLP_LINE64 * Line64 ); inline PVOID(__stdcall *pSymFunctionTableAccess64)( HANDLE hProcess, DWORD64 AddrBase ); typedef BOOL(__stdcall *PREAD_PROCESS_MEMORY_ROUTINE64)( HANDLE hProcess, DWORD64 qwBaseAddress, PVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesRead ); typedef PVOID (__stdcall *PFUNCTION_TABLE_ACCESS_ROUTINE64)( HANDLE hProcess, DWORD64 AddrBase ); typedef DWORD64(__stdcall *PGET_MODULE_BASE_ROUTINE64)( HANDLE hProcess, DWORD64 Address ); typedef DWORD64 (__stdcall *PTRANSLATE_ADDRESS_ROUTINE64)( HANDLE hProcess, HANDLE hThread, _tagADDRESS64 * lpaddr ); inline BOOL(__stdcall *pStackWalk64)( DWORD MachineType, HANDLE hProcess, HANDLE hThread, _tagSTACKFRAME64 * StackFrame, PVOID ContextRecord, PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine, PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine, PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine, PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress ); // WINTRUST inline BOOL(__stdcall *pWinVerifyTrust)( HWND hwnd, GUID * pgActionID, LPVOID pWVTData ); // IP Helper inline ULONG(__stdcall *pGetAdaptersAddresses)( ULONG Family, ULONG Flags, PVOID Reserved, IP_ADAPTER_ADDRESSES * AdapterAddresses, PULONG SizePointer ); inline ULONG(__stdcall *pGetAdaptersInfo)( _IP_ADAPTER_INFO * AdapterInfo, PULONG SizePointer ); // COM inline HRESULT(__stdcall *pCoInitializeEx)( LPVOID pvReserved, DWORD dwCoInit ); inline void(__stdcall *pCoTaskMemFree)( LPVOID pv ); inline void(__stdcall *pCoUninitialize)(); // Shell inline HRESULT(__stdcall *pSHGetKnownFolderPath)( const GUID & rfid, DWORD dwFlags, HANDLE hToken, PWSTR * ppszPath ); inline HINSTANCE(__stdcall *pShellExecuteW)( HWND hwnd, LPCWSTR lpOperation, LPCWSTR lpFile, LPCWSTR lpParameters, LPCWSTR lpDirectory, INT nShowCmd ); inline HRESULT(__stdcall *pSHGetFolderPathA)( HWND hwnd, int csidl, HANDLE hToken, DWORD dwFlags, LPSTR pszPath ); inline void *(__stdcall *pILCreateFromPathW)( LPCWSTR lpPath ); inline HRESULT (__stdcall *pSHOpenFolderAndSelectItems)( void * pidlFolder, UINT cidl, void * apidl, DWORD dwFlags ); inline void (__stdcall *pILFree)( void * pidl ); inline LPWSTR *(__stdcall *pCommandLineToArgvW)( LPCWSTR lpCmdLine, int * pNumArgs ); // Advanced API inline LSTATUS(__stdcall *pRegSetValueExW)( HKEY hKey, LPCWSTR lpValueName, DWORD Reserved, DWORD dwType, CONST BYTE * lpData, DWORD cbData ); inline LSTATUS(__stdcall *pRegQueryValueExW)( HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData ); inline LSTATUS(__stdcall *pRegCloseKey)( HKEY hKey ); inline LSTATUS(__stdcall *pRegOpenKeyExW)( HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult ); inline HANDLE(__stdcall *pRegisterEventSourceW)( LPCWSTR lpUNCServerName, LPCWSTR lpSourceName ); inline BOOL(__stdcall *pDeregisterEventSource)( HANDLE hEventLog ); inline BOOL(__stdcall *pReportEventW)( HANDLE hEventLog, WORD wType, WORD wCategory, DWORD dwEventID, PSID lpUserSid, WORD wNumStrings, DWORD dwDataSize, LPCWSTR * lpStrings, LPVOID lpRawData ); inline BOOL(__stdcall *pCryptAcquireContextW)( ULONG_PTR * hProv, LPCWSTR szContainer, LPCWSTR szProvider, DWORD dwProvType, DWORD dwFlags ); inline BOOL(__stdcall *pCryptReleaseContext)( ULONG_PTR hProvz, DWORD dwFlags ); inline DWORD(__stdcall *pSetEntriesInAclA)( ULONG cCountOfExplicitEntries, _EXPLICIT_ACCESS_A * pListOfExplicitEntries, _ACL * OldAcl, _ACL ** NewAcl ); inline BOOL(__stdcall *pAllocateAndInitializeSid)( PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, VOID ** pSid ); inline DWORD(__stdcall *pSetNamedSecurityInfoW)( LPWSTR pObjectName, _SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInfo, VOID * psidOwner, VOID * psidGroup, _ACL * pDacl, _ACL * pSacl ); inline PVOID(__stdcall *pFreeSid)( VOID * pSid ); // Advanced API // The proper dodgy APIs that'll probably get us hit by AV-engines // The follow APIs are used for in-process privilege escalation inline BOOL(__stdcall *pCreateProcessWithLogonW)( LPCWSTR lpUsername, LPCWSTR lpDomain, LPCWSTR lpPassword, DWORD dwLogonFlags, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ); inline BOOL(__stdcall *pCreateProcessAsUserW)( HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ); inline BOOL(__stdcall *pAdjustTokenPrivileges)( HANDLE TokenHandle, BOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength ); inline BOOL(__stdcall *pRevertToSelf)(); inline BOOL(__stdcall *pSetTokenInformation)( HANDLE TokenHandle, _TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength ); inline PUCHAR(__stdcall *pGetSidSubAuthorityCount)(PSID pSid); inline BOOL(__stdcall *pLookupPrivilegeValueA)( LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid ); inline PDWORD(__stdcall *pGetSidSubAuthority)( PSID pSid, DWORD nSubAuthority ); inline PDWORD(__stdcall *pLogonUserW)( LPCWSTR lpszUsername, LPCWSTR lpszDomain, LPCWSTR lpszPassword, DWORD dwLogonType, DWORD dwLogonProvider, PHANDLE phToken ); inline PDWORD(__stdcall *pOpenProcessToken)( HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle ); inline BOOL(__stdcall *pSetThreadToken)( PHANDLE Thread, HANDLE Token ); inline DWORD(__stdcall *pSetSecurityInfo)( HANDLE handle, _SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInfo, PSID psidOwner, PSID psidGroup, PACL pDacl, PACL pSacl ); inline BOOL(__stdcall *pGetUserNameW)( LPWSTR lpBuffer, LPDWORD pcbBuffer ); inline BOOL(__stdcall *pDuplicateTokenEx)( HANDLE hExistingToken, DWORD dwDesiredAccess, LPSECURITY_ATTRIBUTES lpTokenAttributes, SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, TOKEN_TYPE TokenType, PHANDLE phNewToken ); inline BOOL(__stdcall *pLookupAccountSidW)( LPCWSTR lpSystemName, PSID Sid, LPWSTR Name, LPDWORD cchName, LPWSTR ReferencedDomainName, LPDWORD cchReferencedDomainName, PSID_NAME_USE peUse ); inline BOOL(__stdcall *pGetTokenInformation)( HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength ); inline BOOL(__stdcall *pSetSecurityDescriptorDacl)( PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted ); inline BOOL(__stdcall *pInitializeSecurityDescriptor)( PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision ); inline NTSTATUS(__stdcall *pLsaOpenPolicy)( PLSA_UNICODE_STRING SystemName, PLSA_OBJECT_ATTRIBUTES ObjectAttributes, ACCESS_MASK DesiredAccess, PLSA_HANDLE PolicyHandle ); inline NTSTATUS(__stdcall *pLsaClose)( LSA_HANDLE ObjectHandle ); inline NTSTATUS(__stdcall *pLsaAddAccountRights)( LSA_HANDLE PolicyHandle, PSID AccountSid, PLSA_UNICODE_STRING UserRights, ULONG CountOfRights ); inline NTSTATUS(__stdcall *pLookupAccountNameW)( LPCWSTR lpSystemName, LPCWSTR lpAccountName, PSID Sid, LPDWORD cbSid, LPWSTR ReferencedDomainName, LPDWORD cchReferencedDomainName, PSID_NAME_USE peUse ); // USER32 - the shit microsoft will probably try to phase out and remove over time // [then give up and write a win32 emulator in a memelang, probably] inline BOOL(__stdcall *pOpenClipboard)( HWND hWndNewOwner ); inline HANDLE(__stdcall *pGetClipboardData)( UINT uFormat ); inline BOOL(__stdcall *pCloseClipboard)(); inline UINT(__stdcall *pMapVirtualKeyA)( UINT uCode, UINT uMapType ); inline DWORD(__stdcall *pGetWindowThreadProcessId)( HWND hWnd, LPDWORD lpdwProcessId ); inline LRESULT(__stdcall *pSendMessageA)( HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam ); inline BOOL(__stdcall *pEnumThreadWindows)( DWORD dwThreadId, WNDENUMPROC lpfn, LPARAM lParam ); inline BOOL(__stdcall *pTranslateMessage)( MSG * lpMsg ); inline LRESULT(__stdcall *pDispatchMessageW)( MSG * lpMsg ); inline DWORD(__stdcall *pMsgWaitForMultipleObjects)( DWORD nCount, CONST HANDLE * pHandles, BOOL fWaitAll, DWORD dwMilliseconds, DWORD dwWakeMask ); inline DWORD(__stdcall *pMsgWaitForMultipleObjectsEx)( DWORD nCount, CONST HANDLE * pHandles, DWORD dwMilliseconds, DWORD dwWakeMask, DWORD dwFlags ); inline BOOL(__stdcall *pPeekMessageW)( LPMSG lpMsg, HWND hWnd, UINT wMsgFilterMin, UINT wMsgFilterMax, UINT wRemoveMsg ); inline BOOL(__stdcall *pSetPropW)( HWND hWnd, LPCWSTR lpString, HANDLE hData ); // SETUPAPI.dll inline BOOL(__stdcall *pSetupDiEnumDeviceInterfaces)( PVOID DeviceInfoSet, _SP_DEVINFO_DATA * DeviceInfoData, const GUID * InterfaceClassGuid, DWORD MemberIndex, _SP_DEVICE_INTERFACE_DATA * DeviceInterfaceData ); inline BOOL(__stdcall *pSetupDiDestroyDeviceInfoList)( PVOID DeviceInfoSet ); inline PVOID(__stdcall *pSetupDiGetClassDevsW)( const GUID * ClassGuid, PCWSTR Enumerator, HWND hwndParent, DWORD Flags ); inline BOOL(__stdcall *pSetupDiGetDeviceRegistryPropertyA)( PVOID DeviceInfoSet, _SP_DEVINFO_DATA * DeviceInfoData, DWORD Property, PDWORD PropertyRegDataType, PBYTE PropertyBuffer, DWORD PropertyBufferSize, PDWORD RequiredSize ); inline BOOL(__stdcall *pSetupDiGetDeviceInterfaceDetailW)( PVOID DeviceInfoSet, _SP_DEVICE_INTERFACE_DATA * DeviceInterfaceData, _SP_DEVICE_INTERFACE_DETAIL_DATA_W * DeviceInterfaceDetailData, DWORD DeviceInterfaceDetailDataSize, PDWORD RequiredSize, _SP_DEVINFO_DATA * DeviceInfoData ); // MPR.dll inline DWORD(__stdcall *pWNetCloseEnum)( HANDLE hEnum ); inline DWORD(__stdcall *pWNetEnumResourceW)( HANDLE hEnum, LPDWORD lpcCount, LPVOID lpBuffer, LPDWORD lpBufferSize ); inline DWORD(__stdcall *pWNetOpenEnumW)( DWORD dwScope, DWORD dwType, DWORD dwUsage, _NETRESOURCEW * lpNetResource, LPHANDLE lphEnum ); inline DWORD(__stdcall *pWNetGetUniversalNameW)( LPCWSTR lpLocalPath, DWORD dwInfoLevel, LPVOID lpBuffer, LPDWORD lpBufferSize ); // Winsock2 inline INT(__stdcall *pGetAddrInfoExCancel)( LPHANDLE lpHandle ); using LPLOOKUPSERVICE_COMPLETION_ROUTINE = void(__stdcall *)( DWORD dwError, DWORD dwBytes, LPWSAOVERLAPPED lpOverlapped ); inline INT(__stdcall *pGetAddrInfoExW)( PCWSTR pName, PCWSTR pServiceName, DWORD dwNameSpace, LPGUID lpNspId, const ADDRINFOEXW * hints, PADDRINFOEXW * ppResult, struct timeval * timeout, LPOVERLAPPED lpOverlapped, LPLOOKUPSERVICE_COMPLETION_ROUTINE lpCompletionRoutine, LPHANDLE lpHandle ); inline void(__stdcall *pFreeAddrInfoExW)( PADDRINFOEXW pAddrInfoEx ); inline INT(__stdcall *pgetaddrinfo)( PCSTR pNodeName, PCSTR pServiceName, const ADDRINFOA * pHints, PADDRINFOA * ppResult ); inline void(__stdcall *pfreeaddrinfo)( PADDRINFOA pAddrInfo ); inline int(__stdcall *plisten)( SOCKET s, int backlog ); inline int(__stdcall *pbind)( SOCKET s, const sockaddr * name, int namelen ); inline int(__stdcall *pclosesocket)( SOCKET s ); inline int(__stdcall *pWSAStartup)( WORD wVersionRequested, LPWSADATA lpWSAData ); inline int(__stdcall *pshutdown)( SOCKET s, int flags ); inline int(__stdcall *pgetpeername)( SOCKET s, sockaddr * name, int * namelen ); inline int(__stdcall *pgetsockname)( SOCKET s, sockaddr * name, int * namelen ); inline int(__stdcall *pWSAIoctl)( SOCKET s, DWORD dwIoControlCode, LPVOID lpvInBuffer, DWORD cbInBuffer, LPVOID lpvOutBuffer, DWORD cbOutBuffer, LPDWORD lpcbBytesReturned, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine ); inline int(__stdcall *pioctlsocket)( SOCKET s, long cmd, u_long *argp ); inline int(__stdcall *psetsockopt)( SOCKET s, int level, int optname, const char * optval, int optlen ); inline int(__stdcall *pWSAGetLastError)(); inline SOCKET(__stdcall *pWSASocketW)( int af, int type, int protocol, LPWSAPROTOCOL_INFOW lpProtocolInfo, GROUP g, DWORD dwFlags ); inline int(__stdcall *pWSARecvFrom)( SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, LPDWORD lpNumberOfBytesRecvd, LPDWORD lpFlags, sockaddr * lpFrom, LPINT lpFromlen, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine ); inline int(__stdcall *pWSARecv)( SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, LPDWORD lpNumberOfBytesRecvd, LPDWORD lpFlags, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine ); inline int(__stdcall *pWSASendTo)( SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, LPDWORD lpNumberOfBytesSent, DWORD dwFlags, const sockaddr * lpTo, int iTolen, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine ); inline int(__stdcall *pWSASend)( SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, LPDWORD lpNumberOfBytesSent, DWORD dwFlags, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine ); inline INT(__stdcall *pWSAStringToAddressA)( LPSTR AddressString, INT AddressFamily, LPWSAPROTOCOL_INFOA lpProtocolInfo, LPSOCKADDR lpAddress, LPINT lpAddressLength ); // credui inline INT(__stdcall *pCredUIPromptForWindowsCredentialsW)( void * pUiInfo, DWORD dwAuthError, ULONG * pulAuthPackage, LPCVOID pvInAuthBuffer, ULONG ulInAuthBufferSize, LPVOID * ppvOutAuthBuffer, ULONG * pulOutAuthBufferSize, BOOL * pfSave, DWORD dwFlags ); inline BOOL(__stdcall *pCredUnPackAuthenticationBufferW)( DWORD dwFlags, PVOID pAuthBuffer, DWORD cbAuthBuffer, LPWSTR pszUserName, DWORD * pcchMaxUserName, LPWSTR pszDomainName, DWORD * pcchMaxDomainName, LPWSTR pszPassword, DWORD * pcchMaxPassword ); inline bool gUseNativeWaitMutex {}; inline bool gUseNativeWaitCondvar {}; inline bool gUseNativeWaitSemapahore {}; inline bool gUseFastFail {}; void Win32DropInit(); void Win32DropSchedulerResolution(); void Win32DropSchedulerResolutionForcedUndo(); void Win32DropSchedulerResolutionForced(); void Win32Terminate(); AUKN_SYM /* I'm going to be kind */ HANDLE Win32Open(LPCWSTR lpFileName, DWORD dwDesiredAccess = GENERIC_READ | GENERIC_WRITE, DWORD dwShareMode = FILE_SHARE_READ, bool bInherit = false, DWORD dwCreationDisposition = 0, DWORD dwFlags = 0, DWORD dwAttributes = 0 ); AUKN_SYM /* I'm going to be kind */ HANDLE Win32Open2(LPCWSTR lpFileName, DWORD dwDesiredAccess = GENERIC_READ | GENERIC_WRITE, DWORD dwShareMode = FILE_SHARE_READ, LPSECURITY_ATTRIBUTES lpSecurityAttributes = NULL, DWORD dwCreationDisposition = 0, DWORD dwFlags = 0, DWORD dwAttributes = 0 ); inline HMODULE(__stdcall *pLoadLibraryW)( LPCWSTR lpLibFileName ); inline FARPROC(__stdcall*pGetProcAddress)( HMODULE hModule, LPCSTR lpProcName ); void NTWriteEoS(HANDLE hHandle); static auline bool SysWaitOnAddressNoTimed(const void *pTargetAddress, const void *pCompareAddress, AuUInt8 uWordSize) { if (pRtlWaitOnAddress) { return pRtlWaitOnAddress((void *)pTargetAddress, (void *)pCompareAddress, uWordSize, nullptr); } else { return pWaitOnAddress((void *)pTargetAddress, (void *)pCompareAddress, uWordSize, INFINITE); } } static auline void SysWakeNOnAddress(const void *pAddress, AuUInt32 dwCount) { if (pRtlWakeAddressSingle) { if (dwCount < 6) { for (AuUInt i = 0; i < dwCount; i++) { pRtlWakeAddressSingle((void *)pAddress); } } else { pRtlWakeByAddressAll((void *)pAddress); } } else { for (AuUInt i = 0; i < dwCount; i++) { pWakeByAddressSingle((void *)pAddress); } } } static auline void SysWakeAllOnAddress(const void *pAddress) { if (pRtlWakeByAddressAll) { pRtlWakeByAddressAll((void *)pAddress); } else { pWakeByAddressAll((void *)pAddress); } } static auline void SysWakeOneOnAddress(const void *pAddress) { if (pRtlWakeAddressSingle) { pRtlWakeAddressSingle((void *)pAddress); } else { pWakeByAddressSingle((void *)pAddress); } } }