diff --git a/.gitmodules b/.gitmodules index c6814e54..21cf3d31 100644 --- a/.gitmodules +++ b/.gitmodules @@ -3,10 +3,6 @@ url = ../unicorn.git shallow = true branch = dev -[submodule "deps/phnt"] - path = deps/phnt - url = ../phnt.git - shallow = true [submodule "deps/reflect"] path = deps/reflect url = https://github.com/qlibs/reflect.git diff --git a/deps/CMakeLists.txt b/deps/CMakeLists.txt index 9217618b..8d55e778 100644 --- a/deps/CMakeLists.txt +++ b/deps/CMakeLists.txt @@ -1,7 +1,6 @@ set(UNICORN_ARCH "x86" CACHE STRING "") add_subdirectory(unicorn) -add_subdirectory(phnt) ########################################## diff --git a/deps/phnt b/deps/phnt deleted file mode 160000 index a218107e..00000000 --- a/deps/phnt +++ /dev/null @@ -1 +0,0 @@ -Subproject commit a218107e7a0eb16052a2124219778b3722e3681c diff --git a/src/common/platform/compiler.hpp b/src/common/platform/compiler.hpp new file mode 100644 index 00000000..21220486 --- /dev/null +++ b/src/common/platform/compiler.hpp @@ -0,0 +1,41 @@ +#pragma once + +#if defined(_WIN32) || defined(_WIN64) + #define OS_WINDOWS +#elif defined(__APPLE__) || defined(__MACH__) + #define OS_MAC +#elif defined(__linux__) + #define OS_LINUX +#else + #error "Unsupported platform" +#endif + +#ifdef OS_WINDOWS + #define EXPORT_SYMBOL __declspec(dllexport) + #define IMPORT_SYMBOL __declspec(dllimport) + #define NO_INLINE __declspec(noinline) + + #define DECLSPEC_ALIGN(n) __declspec(align(n)) + #define _fseeki64 _fseeki64 + #define _ftelli64 _ftelli64 + #define fopen_s fopen_s + + #define RESTRICTED_POINTER + +#else + #include + + #define EXPORT_SYMBOL __attribute__((visibility("default"))) + #define IMPORT_SYMBOL + #define NO_INLINE __attribute__((noinline)) + + #define DECLSPEC_ALIGN(n) alignas(n) + #define _fseeki64 fseeko64 + #define _ftelli64 ftello64 + #define fopen_s fopen + + #define RESTRICTED_POINTER __restrict + // TODO: warning stdcall problem + #define WINAPI + +#endif \ No newline at end of file diff --git a/src/common/platform/file_management.hpp b/src/common/platform/file_management.hpp new file mode 100644 index 00000000..edd18d5f --- /dev/null +++ b/src/common/platform/file_management.hpp @@ -0,0 +1,298 @@ +#pragma once + +#define ACCESS_MASK DWORD +#define DEVICE_TYPE DWORD + +#define FILE_DEVICE_DISK 0x00000007 +#define FILE_DEVICE_CONSOLE 0x00000050 + +#define FILE_SUPERSEDE 0x00000000 +#define FILE_OPEN 0x00000001 +#define FILE_CREATE 0x00000002 +#define FILE_OPEN_IF 0x00000003 +#define FILE_OVERWRITE 0x00000004 +#define FILE_OVERWRITE_IF 0x00000005 +#define FILE_MAXIMUM_DISPOSITION 0x00000005 + +#ifndef OS_WINDOWS +#define GENERIC_READ 0x80000000 +#define GENERIC_WRITE 0x40000000 +#define GENERIC_EXECUTE 0x20000000 +#define GENERIC_ALL 0x10000000 + +#undef DELETE +#define DELETE 0x00010000 +#define READ_CONTROL 0x00020000 +#define WRITE_DAC 0x00040000 +#define WRITE_OWNER 0x00080000 +#define SYNCHRONIZE 0x00100000 +#define STANDARD_RIGHTS_REQUIRED 0x000f0000 + +#define FILE_READ_DATA 0x0001 /* file & pipe */ +#define FILE_LIST_DIRECTORY 0x0001 /* directory */ +#define FILE_WRITE_DATA 0x0002 /* file & pipe */ +#define FILE_ADD_FILE 0x0002 /* directory */ +#define FILE_APPEND_DATA 0x0004 /* file */ +#define FILE_ADD_SUBDIRECTORY 0x0004 /* directory */ +#define FILE_CREATE_PIPE_INSTANCE 0x0004 /* named pipe */ +#define FILE_READ_EA 0x0008 /* file & directory */ +#define FILE_READ_PROPERTIES FILE_READ_EA +#define FILE_WRITE_EA 0x0010 /* file & directory */ +#define FILE_WRITE_PROPERTIES FILE_WRITE_EA +#define FILE_EXECUTE 0x0020 /* file */ +#define FILE_TRAVERSE 0x0020 /* directory */ +#define FILE_DELETE_CHILD 0x0040 /* directory */ +#define FILE_READ_ATTRIBUTES 0x0080 /* all */ +#define FILE_WRITE_ATTRIBUTES 0x0100 /* all */ +#define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x1ff) + +#endif + +#define FILE_DIRECTORY_FILE 0x00000001 +#define FILE_WRITE_THROUGH 0x00000002 +#define FILE_SEQUENTIAL_ONLY 0x00000004 +#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 + +#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 +#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 +#define FILE_NON_DIRECTORY_FILE 0x00000040 +#define FILE_CREATE_TREE_CONNECTION 0x00000080 + +#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff +#define PS_ATTRIBUTE_THREAD 0x00010000 // may be used with thread creation +#define PS_ATTRIBUTE_INPUT 0x00020000 // input only +#define PS_ATTRIBUTE_ADDITIVE 0x00040000 // "accumulated" e.g. bitmasks, counters, etc. + +typedef enum _FSINFOCLASS +{ + FileFsVolumeInformation = 1, // q: FILE_FS_VOLUME_INFORMATION + FileFsLabelInformation, // s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) + FileFsSizeInformation, // q: FILE_FS_SIZE_INFORMATION + FileFsDeviceInformation, // q: FILE_FS_DEVICE_INFORMATION + FileFsAttributeInformation, // q: FILE_FS_ATTRIBUTE_INFORMATION + FileFsControlInformation, // q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) + FileFsFullSizeInformation, // q: FILE_FS_FULL_SIZE_INFORMATION + FileFsObjectIdInformation, // q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) + FileFsDriverPathInformation, // q: FILE_FS_DRIVER_PATH_INFORMATION + FileFsVolumeFlagsInformation, // q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume) // 10 + FileFsSectorSizeInformation, // q: FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8 + FileFsDataCopyInformation, // q: FILE_FS_DATA_COPY_INFORMATION + FileFsMetadataSizeInformation, // q: FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD + FileFsFullSizeInformationEx, // q: FILE_FS_FULL_SIZE_INFORMATION_EX // since REDSTONE5 + FileFsGuidInformation, // q: FILE_FS_GUID_INFORMATION // since 23H2 + FileFsMaximumInformation +} FSINFOCLASS, *PFSINFOCLASS; +typedef enum _FSINFOCLASS FS_INFORMATION_CLASS; + +typedef enum _FILE_INFORMATION_CLASS +{ + FileDirectoryInformation = 1, // q: FILE_DIRECTORY_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileFullDirectoryInformation, // q: FILE_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileBothDirectoryInformation, // q: FILE_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileBasicInformation, // q; s: FILE_BASIC_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileStandardInformation, // q: FILE_STANDARD_INFORMATION, FILE_STANDARD_INFORMATION_EX + FileInternalInformation, // q: FILE_INTERNAL_INFORMATION + FileEaInformation, // q: FILE_EA_INFORMATION + FileAccessInformation, // q: FILE_ACCESS_INFORMATION + FileNameInformation, // q: FILE_NAME_INFORMATION + FileRenameInformation, // s: FILE_RENAME_INFORMATION (requires DELETE) // 10 + FileLinkInformation, // s: FILE_LINK_INFORMATION + FileNamesInformation, // q: FILE_NAMES_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileDispositionInformation, // s: FILE_DISPOSITION_INFORMATION (requires DELETE) + FilePositionInformation, // q; s: FILE_POSITION_INFORMATION + FileFullEaInformation, // FILE_FULL_EA_INFORMATION + FileModeInformation, // q; s: FILE_MODE_INFORMATION + FileAlignmentInformation, // q: FILE_ALIGNMENT_INFORMATION + FileAllInformation, // q: FILE_ALL_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileAllocationInformation, // s: FILE_ALLOCATION_INFORMATION (requires FILE_WRITE_DATA) + FileEndOfFileInformation, // s: FILE_END_OF_FILE_INFORMATION (requires FILE_WRITE_DATA) // 20 + FileAlternateNameInformation, // q: FILE_NAME_INFORMATION + FileStreamInformation, // q: FILE_STREAM_INFORMATION + FilePipeInformation, // q; s: FILE_PIPE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FilePipeLocalInformation, // q: FILE_PIPE_LOCAL_INFORMATION (requires FILE_READ_ATTRIBUTES) + FilePipeRemoteInformation, // q; s: FILE_PIPE_REMOTE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileMailslotQueryInformation, // q: FILE_MAILSLOT_QUERY_INFORMATION + FileMailslotSetInformation, // s: FILE_MAILSLOT_SET_INFORMATION + FileCompressionInformation, // q: FILE_COMPRESSION_INFORMATION + FileObjectIdInformation, // q: FILE_OBJECTID_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileCompletionInformation, // s: FILE_COMPLETION_INFORMATION // 30 + FileMoveClusterInformation, // s: FILE_MOVE_CLUSTER_INFORMATION (requires FILE_WRITE_DATA) + FileQuotaInformation, // q: FILE_QUOTA_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileReparsePointInformation, // q: FILE_REPARSE_POINT_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileNetworkOpenInformation, // q: FILE_NETWORK_OPEN_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileAttributeTagInformation, // q: FILE_ATTRIBUTE_TAG_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileTrackingInformation, // s: FILE_TRACKING_INFORMATION (requires FILE_WRITE_DATA) + FileIdBothDirectoryInformation, // q: FILE_ID_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileIdFullDirectoryInformation, // q: FILE_ID_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileValidDataLengthInformation, // s: FILE_VALID_DATA_LENGTH_INFORMATION (requires FILE_WRITE_DATA and/or SeManageVolumePrivilege) + FileShortNameInformation, // s: FILE_NAME_INFORMATION (requires DELETE) // 40 + FileIoCompletionNotificationInformation, // q; s: FILE_IO_COMPLETION_NOTIFICATION_INFORMATION (q: requires FILE_READ_ATTRIBUTES) // since VISTA + FileIoStatusBlockRangeInformation, // s: FILE_IOSTATUSBLOCK_RANGE_INFORMATION (requires SeLockMemoryPrivilege) + FileIoPriorityHintInformation, // q; s: FILE_IO_PRIORITY_HINT_INFORMATION, FILE_IO_PRIORITY_HINT_INFORMATION_EX (q: requires FILE_READ_DATA) + FileSfioReserveInformation, // q; s: FILE_SFIO_RESERVE_INFORMATION (q: requires FILE_READ_DATA) + FileSfioVolumeInformation, // q: FILE_SFIO_VOLUME_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileHardLinkInformation, // q: FILE_LINKS_INFORMATION + FileProcessIdsUsingFileInformation, // q: FILE_PROCESS_IDS_USING_FILE_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileNormalizedNameInformation, // q: FILE_NAME_INFORMATION + FileNetworkPhysicalNameInformation, // q: FILE_NETWORK_PHYSICAL_NAME_INFORMATION + FileIdGlobalTxDirectoryInformation, // q: FILE_ID_GLOBAL_TX_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since WIN7 // 50 + FileIsRemoteDeviceInformation, // q: FILE_IS_REMOTE_DEVICE_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileUnusedInformation, + FileNumaNodeInformation, // q: FILE_NUMA_NODE_INFORMATION + FileStandardLinkInformation, // q: FILE_STANDARD_LINK_INFORMATION + FileRemoteProtocolInformation, // q: FILE_REMOTE_PROTOCOL_INFORMATION + FileRenameInformationBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION // since WIN8 + FileLinkInformationBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION + FileVolumeNameInformation, // q: FILE_VOLUME_NAME_INFORMATION + FileIdInformation, // q: FILE_ID_INFORMATION + FileIdExtdDirectoryInformation, // q: FILE_ID_EXTD_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // 60 + FileReplaceCompletionInformation, // s: FILE_COMPLETION_INFORMATION // since WINBLUE + FileHardLinkFullIdInformation, // q: FILE_LINK_ENTRY_FULL_ID_INFORMATION // FILE_LINKS_FULL_ID_INFORMATION + FileIdExtdBothDirectoryInformation, // q: FILE_ID_EXTD_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since THRESHOLD + FileDispositionInformationEx, // s: FILE_DISPOSITION_INFO_EX (requires DELETE) // since REDSTONE + FileRenameInformationEx, // s: FILE_RENAME_INFORMATION_EX + FileRenameInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION_EX + FileDesiredStorageClassInformation, // q; s: FILE_DESIRED_STORAGE_CLASS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since REDSTONE2 + FileStatInformation, // q: FILE_STAT_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileMemoryPartitionInformation, // s: FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3 + FileStatLxInformation, // q: FILE_STAT_LX_INFORMATION (requires FILE_READ_ATTRIBUTES and FILE_READ_EA) // since REDSTONE4 // 70 + FileCaseSensitiveInformation, // q; s: FILE_CASE_SENSITIVE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileLinkInformationEx, // s: FILE_LINK_INFORMATION_EX // since REDSTONE5 + FileLinkInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION_EX + FileStorageReserveIdInformation, // q; s: FILE_STORAGE_RESERVE_ID_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileCaseSensitiveInformationForceAccessCheck, // q; s: FILE_CASE_SENSITIVE_INFORMATION + FileKnownFolderInformation, // q; s: FILE_KNOWN_FOLDER_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since WIN11 + FileStatBasicInformation, // since 23H2 + FileId64ExtdDirectoryInformation, // FILE_ID_64_EXTD_DIR_INFORMATION + FileId64ExtdBothDirectoryInformation, // FILE_ID_64_EXTD_BOTH_DIR_INFORMATION + FileIdAllExtdDirectoryInformation, // FILE_ID_ALL_EXTD_DIR_INFORMATION + FileIdAllExtdBothDirectoryInformation, // FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION + FileStreamReservationInformation, // FILE_STREAM_RESERVATION_INFORMATION // since 24H2 + FileMupProviderInfo, // MUP_PROVIDER_INFORMATION + FileMaximumInformation +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +#ifndef OS_WINDOWS +typedef enum _SECURITY_IMPERSONATION_LEVEL { + SecurityAnonymous, + SecurityIdentification, + SecurityImpersonation, + SecurityDelegation +} SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL; + + +#endif + +typedef enum _OBJECT_INFORMATION_CLASS +{ + ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION + ObjectNameInformation, // q: OBJECT_NAME_INFORMATION + ObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION + ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION + ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION + ObjectSessionInformation, // s: void // change object session // (requires SeTcbPrivilege) + ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege) + MaxObjectInfoClass +} OBJECT_INFORMATION_CLASS; + +typedef enum _HARDERROR_RESPONSE_OPTION +{ + OptionAbortRetryIgnore, + OptionOk, + OptionOkCancel, + OptionRetryCancel, + OptionYesNo, + OptionYesNoCancel, + OptionShutdownSystem, + OptionOkNoWait, + OptionCancelTryContinue +} HARDERROR_RESPONSE_OPTION; + +typedef enum _HARDERROR_RESPONSE +{ + ResponseReturnToCaller, + ResponseNotHandled, + ResponseAbort, + ResponseCancel, + ResponseIgnore, + ResponseNo, + ResponseOk, + ResponseRetry, + ResponseYes, + ResponseTryAgain, + ResponseContinue +} HARDERROR_RESPONSE; + +typedef USHORT RTL_ATOM; + +template +struct IO_STATUS_BLOCK +{ + union + { + NTSTATUS Status; + typename Traits::PVOID Pointer; + }; + typename Traits::ULONG_PTR Information; +}; + +template +struct OBJECT_ATTRIBUTES +{ + ULONG Length; + typename Traits::HANDLE RootDirectory; + EMULATOR_CAST(typename Traits::PVOID, UNICODE_STRING*) ObjectName; + ULONG Attributes; + typename Traits::PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; + typename Traits::PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE +}; + +typedef struct _FILE_FS_DEVICE_INFORMATION +{ + DEVICE_TYPE DeviceType; + ULONG Characteristics; +} FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION; + +typedef struct _FILE_POSITION_INFORMATION +{ + LARGE_INTEGER CurrentByteOffset; +} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; + +typedef struct _FILE_STANDARD_INFORMATION +{ + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG NumberOfLinks; + BOOLEAN DeletePending; + BOOLEAN Directory; +} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; + +#ifndef OS_WINDOWS +typedef BOOLEAN SECURITY_CONTEXT_TRACKING_MODE, + * PSECURITY_CONTEXT_TRACKING_MODE; +typedef struct _SECURITY_QUALITY_OF_SERVICE +{ + DWORD Length; + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; + SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode; + BOOLEAN EffectiveOnly; +} SECURITY_QUALITY_OF_SERVICE, *P_SECURITY_QUALITY_OF_SERVICE; + +#endif + +typedef struct _PORT_VIEW64 +{ + ULONG Length; + EMULATOR_CAST(std::uint64_t, HANDLE) SectionHandle; + ULONG SectionOffset; + EMULATOR_CAST(std::int64_t, SIZE_T) ViewSize; + EmulatorTraits::PVOID ViewBase; + EmulatorTraits::PVOID ViewRemoteBase; +} PORT_VIEW64, *PPORT_VIEW64; + +typedef struct _REMOTE_PORT_VIEW64 +{ + ULONG Length; + EMULATOR_CAST(std::int64_t, SIZE_T) ViewSize; + EmulatorTraits::PVOID ViewBase; +} REMOTE_PORT_VIEW64, *PREMOTE_PORT_VIEW64; \ No newline at end of file diff --git a/src/common/platform/kernel_mapped.hpp b/src/common/platform/kernel_mapped.hpp new file mode 100644 index 00000000..85ea2207 --- /dev/null +++ b/src/common/platform/kernel_mapped.hpp @@ -0,0 +1,820 @@ +#pragma once + +#include + +#define PROCESSOR_FEATURE_MAX 64 +#define GDI_HANDLE_BUFFER_SIZE64 60 +#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_RELEASE_ON_DEACTIVATION 0x00000001 +#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NO_DEACTIVATE 0x00000002 +#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_ON_FREE_LIST 0x00000004 +#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_HEAP_ALLOCATED 0x00000008 +#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NOT_REALLY_ACTIVATED 0x00000010 +#define ACTIVATION_CONTEXT_STACK_FLAG_QUERIES_DISABLED 0x00000001 +#define GDI_BATCH_BUFFER_SIZE 310 +#define WIN32_CLIENT_INFO_LENGTH 62 +#define STATIC_UNICODE_BUFFER_LENGTH 261 +#define TLS_MINIMUM_AVAILABLE 64 + +typedef struct _EMU_NT_TIB64 +{ + struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList; + std::uint64_t* StackBase; + std::uint64_t* StackLimit; + std::uint64_t* SubSystemTib; + std::uint64_t* FibreData; + std::uint64_t* ArbitraryUserPointer; + struct _EMU_NT_TIB64 *Self; +} EMU_NT_TIB64; +typedef EMU_NT_TIB64 *PEMU_NT_TIB64; + +union PEB_BITFIELD_UNION +{ + BOOLEAN BitField; + struct + { + BOOLEAN ImageUsesLargePages : 1; + BOOLEAN IsProtectedProcess : 1; + BOOLEAN IsImageDynamicallyRelocated : 1; + BOOLEAN SkipPatchingUser32Forwarders : 1; + BOOLEAN IsPackagedProcess : 1; + BOOLEAN IsAppContainer : 1; + BOOLEAN IsProtectedProcessLight : 1; + BOOLEAN IsLongPathAwareProcess : 1; + }; +}; + +#ifndef OS_WINDOWS + +typedef struct _LIST_ENTRY64 +{ + struct _LIST_ENTRY *Flink; + struct _LIST_ENTRY *Blink; +} LIST_ENTRY64, *PLIST_ENTRY64, *RESTRICTED_POINTER PRLIST_ENTRY64; + +#endif + +typedef struct _PEB_LDR_DATA64 +{ + ULONG Length; + BOOLEAN Initialized; + EmulatorTraits::HANDLE SsHandle; + LIST_ENTRY64 InLoadOrderModuleList; + LIST_ENTRY64 InMemoryOrderModuleList; + LIST_ENTRY64 InInitializationOrderModuleList; + std::uint64_t* EntryInProgress; + BOOLEAN ShutdownInProgress; + EmulatorTraits::HANDLE ShutdownThreadId; +} PEB_LDR_DATA64, *PPEB_LDR_DATA64; + +typedef struct _STRING64 +{ + USHORT Length; + USHORT MaximumLength; + char16_t* Buffer; +} STRING64, *PSTRING64, ANSI_STRING64, *PANSI_STRING64, OEM_STRING64, *POEM_STRING64; + +typedef struct _RTL_DRIVE_LETTER_CURDIR64 +{ + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + STRING64 DosPath; +} RTL_DRIVE_LETTER_CURDIR64, *PRTL_DRIVE_LETTER_CURDIR64; + +#define RTL_MAX_DRIVE_LETTERS 32 +#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 + +template +struct ARRAY_CONTAINER +{ + T arr[Size]; +}; + +typedef struct _CURDIR64 +{ + UNICODE_STRING> DosPath; + EmulatorTraits::HANDLE Handle; +} CURDIR64, *PCURDIR64; + +typedef struct _RTL_USER_PROCESS_PARAMETERS64 +{ + ULONG MaximumLength; + ULONG Length; + + ULONG Flags; + ULONG DebugFlags; + + EmulatorTraits::HANDLE ConsoleHandle; + ULONG ConsoleFlags; + EmulatorTraits::HANDLE StandardInput; + EmulatorTraits::HANDLE StandardOutput; + EmulatorTraits::HANDLE StandardError; + + CURDIR64 CurrentDirectory; + UNICODE_STRING> DllPath; + UNICODE_STRING> ImagePathName; + UNICODE_STRING> CommandLine; + std::uint64_t* Environment; + + ULONG StartingX; + ULONG StartingY; + ULONG CountX; + ULONG CountY; + ULONG CountCharsX; + ULONG CountCharsY; + ULONG FillAttribute; + + ULONG WindowFlags; + ULONG ShowWindowFlags; + UNICODE_STRING> WindowTitle; + UNICODE_STRING> DesktopInfo; + UNICODE_STRING> ShellInfo; + UNICODE_STRING> RuntimeData; + ARRAY_CONTAINER CurrentDirectories; + + std::uint64_t* EnvironmentSize; + std::uint64_t* EnvironmentVersion; + + std::uint64_t* PackageDependencyData; + ULONG ProcessGroupId; + ULONG LoaderThreads; + + UNICODE_STRING> RedirectionDllName; // REDSTONE4 + UNICODE_STRING> HeapPartitionName; // 19H1 + std::uint64_t* DefaultThreadpoolCpuSetMasks; + ULONG DefaultThreadpoolCpuSetMaskCount; + ULONG DefaultThreadpoolThreadMaximum; + ULONG HeapMemoryTypeMask; // WIN11 +} RTL_USER_PROCESS_PARAMETERS64, *PRTL_USER_PROCESS_PARAMETERS64; + +union PEB_CROSS_PROCESS_FLAGS_UNION +{ + ULONG CrossProcessFlags; + struct + { + ULONG ProcessInJob : 1; + ULONG ProcessInitializing : 1; + ULONG ProcessUsingVEH : 1; + ULONG ProcessUsingVCH : 1; + ULONG ProcessUsingFTH : 1; + ULONG ProcessPreviouslyThrottled : 1; + ULONG ProcessCurrentlyThrottled : 1; + ULONG ProcessImagesHotPatched : 1; // REDSTONE5 + ULONG ReservedBits0 : 24; + }; +}; + +union PEB_KERNEL_CALLBACK_TABLE_UNION64 +{ + void* KernelCallbackTable; + void* UserSharedInfoPtr; +}; + +typedef struct _API_SET_NAMESPACE +{ + ULONG Version; + ULONG Size; + ULONG Flags; + ULONG Count; + ULONG EntryOffset; + ULONG HashOffset; + ULONG HashFactor; +} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; + +union PEB_CONTEXT_DATA_UNION64 +{ + void* pContextData; // WIN7 + void* pUnused; // WIN10 + void* EcCodeBitMap; // WIN11 +}; + +union PEB_TRACING_FLAGS_UNION +{ + ULONG TracingFlags; + struct + { + ULONG HeapTracingEnabled : 1; + ULONG CritSecTracingEnabled : 1; + ULONG LibLoaderTracingEnabled : 1; + ULONG SpareTracingBits : 29; + }; +}; + +union PEB_LEAP_SECONDS_FLAG_UNION +{ + ULONG LeapSecondFlags; + struct + { + ULONG SixtySecondEnabled : 1; + ULONG Reserved : 31; + }; +}; + +typedef struct _PEB64 +{ + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + PEB_BITFIELD_UNION BitField; + + EmulatorTraits::HANDLE Mutant; + + std::uint64_t* ImageBaseAddress; + PPEB_LDR_DATA64 Ldr; + PRTL_USER_PROCESS_PARAMETERS64 ProcessParameters; + std::uint64_t* SubSystemData; + std::uint64_t* ProcessHeap; + EMULATOR_CAST(void*, PRTL_CRITICAL_SECTION) FastPebLock; + EMULATOR_CAST(void*, PSLIST_HEADER) AtlThunkSListPtr; + std::uint64_t* IFEOKey; + PEB_CROSS_PROCESS_FLAGS_UNION CrossProcessFlags; + PEB_KERNEL_CALLBACK_TABLE_UNION64 KernelCallbackTable; + + ULONG SystemReserved; + ULONG AtlThunkSListPtr32; + PAPI_SET_NAMESPACE ApiSetMap; + ULONG TlsExpansionCounter; + EMULATOR_CAST(void*, PRTL_BITMAP) TlsBitmap; + + ARRAY_CONTAINER TlsBitmapBits; // TLS_MINIMUM_AVAILABLE + void* ReadOnlySharedMemoryBase; + EMULATOR_CAST(void*, PSILO_USER_SHARED_DATA) SharedData; // HotpatchInformation + std::uint64_t** ReadOnlyStaticServerData; + + std::uint64_t* AnsiCodePageData; // PCPTABLEINFO + std::uint64_t* OemCodePageData; // PCPTABLEINFO + std::uint64_t* UnicodeCaseTableData; // PNLSTABLEINFO + + ULONG NumberOfProcessors; + ULONG NtGlobalFlag; + + ULARGE_INTEGER CriticalSectionTimeout; + EMULATOR_CAST(std::int64_t, SIZE_T) HeapSegmentReserve; + EMULATOR_CAST(std::int64_t, SIZE_T) HeapSegmentCommit; + EMULATOR_CAST(std::int64_t, SIZE_T) HeapDeCommitTotalFreeThreshold; + EMULATOR_CAST(std::int64_t, SIZE_T) HeapDeCommitFreeBlockThreshold; + + ULONG NumberOfHeaps; + ULONG MaximumNumberOfHeaps; + std::uint64_t** ProcessHeaps; // PHEAP + + std::uint64_t* GdiSharedHandleTable; // PGDI_SHARED_MEMORY + std::uint64_t* ProcessStarterHelper; + ULONG GdiDCAttributeList; + + EMULATOR_CAST(void*, PRTL_CRITICAL_SECTION) LoaderLock; + + ULONG OSMajorVersion; + ULONG OSMinorVersion; + USHORT OSBuildNumber; + USHORT OSCSDVersion; + ULONG OSPlatformId; + ULONG ImageSubsystem; + ULONG ImageSubsystemMajorVersion; + ULONG ImageSubsystemMinorVersion; + EMULATOR_CAST(std::uint64_t, KAFFINITY) ActiveProcessAffinityMask; + ARRAY_CONTAINER GdiHandleBuffer; + std::uint64_t* PostProcessInitRoutine; + + EMULATOR_CAST(void*, PRTL_BITMAP) TlsExpansionBitmap; + ARRAY_CONTAINER TlsExpansionBitmapBits; // TLS_EXPANSION_SLOTS + + ULONG SessionId; + + ULARGE_INTEGER AppCompatFlags; // KACF_* + ULARGE_INTEGER AppCompatFlagsUser; + std::uint64_t* pShimData; + std::uint64_t* AppCompatInfo; // APPCOMPAT_EXE_DATA + + UNICODE_STRING> CSDVersion; + + EMULATOR_CAST(void*, PACTIVATION_CONTEXT_DATA) ActivationContextData; + EMULATOR_CAST(void*, PASSEMBLY_STORAGE_MAP) ProcessAssemblyStorageMap; + EMULATOR_CAST(void*, PACTIVATION_CONTEXT_DATA) SystemDefaultActivationContextData; + EMULATOR_CAST(void*, PASSEMBLY_STORAGE_MAP) SystemAssemblyStorageMap; + + EMULATOR_CAST(std::int64_t, SIZE_T) MinimumStackCommit; + + ARRAY_CONTAINER SparePointers; // 19H1 (previously FlsCallback to FlsHighIndex) + std::uint64_t* PatchLoaderData; + std::uint64_t* ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO + + ULONG AppModelFeatureState; + ARRAY_CONTAINER SpareUlongs; + + USHORT ActiveCodePage; + USHORT OemCodePage; + USHORT UseCaseMapping; + USHORT UnusedNlsField; + + std::uint64_t* WerRegistrationData; + std::uint64_t* WerShipAssertPtr; + + PEB_CONTEXT_DATA_UNION64 ContextData; + + std::uint64_t* pImageHeaderHash; + PEB_TRACING_FLAGS_UNION TracingFlags; + + ULONGLONG CsrServerReadOnlySharedMemoryBase; + EMULATOR_CAST(void*, PRTL_CRITICAL_SECTION) TppWorkerpListLock; + LIST_ENTRY64 TppWorkerpList; + ARRAY_CONTAINER WaitOnAddressHashTable; + EMULATOR_CAST(void*, PTELEMETRY_COVERAGE_HEADER) TelemetryCoverageHeader; // REDSTONE3 + ULONG CloudFileFlags; + ULONG CloudFileDiagFlags; // REDSTONE4 + CHAR PlaceholderCompatibilityMode; + ARRAY_CONTAINER PlaceholderCompatibilityModeReserved; + EMULATOR_CAST(void*, PLEAP_SECOND_DATA) LeapSecondData; // REDSTONE5 + PEB_LEAP_SECONDS_FLAG_UNION LeapSecondFlags; + + ULONG NtGlobalFlag2; + ULONGLONG ExtendedFeatureDisableMask; // since WIN11 +} PEB64, *PPEB64; + +typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME64 +{ + struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *Previous; + EMULATOR_CAST(void*, ACTIVATION_CONTEXT) ActivationContext; + ULONG Flags; // RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* +} RTL_ACTIVATION_CONTEXT_STACK_FRAME64, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME64; + +typedef struct _ACTIVATION_CONTEXT_STACK64 +{ + PRTL_ACTIVATION_CONTEXT_STACK_FRAME64 ActiveFrame; + LIST_ENTRY64 FrameListCache; + ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_* + ULONG NextCookieSequenceNumber; + ULONG StackId; +} ACTIVATION_CONTEXT_STACK64, *PACTIVATION_CONTEXT_STACK64; + +typedef struct _GDI_TEB_BATCH64 +{ + ULONG Offset; + std::uint64_t* HDC; + ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; +} GDI_TEB_BATCH64, *PGDI_TEB_BATCH64; + +#ifndef OS_WINDOWS +typedef struct _GUID +{ + unsigned long Data1; + unsigned short Data2; + unsigned short Data3; + unsigned char Data4[8]; +} GUID; + +typedef struct _PROCESSOR_NUMBER +{ + WORD Group; + BYTE Number; + BYTE Reserved; +} PROCESSOR_NUMBER, *PPROCESSOR_NUMBER; + +#endif + +union TEB_CURRENT_IDEAL_PROCESSOR_UNION +{ + PROCESSOR_NUMBER CurrentIdealProcessor; + ULONG IdealProcessorValue; + struct + { + UCHAR ReservedPad0; + UCHAR ReservedPad1; + UCHAR ReservedPad2; + UCHAR IdealProcessor; + }; +}; + + + +union TEB_CROSS_TEB_FLAGS_UNION +{ + USHORT CrossTebFlags; + USHORT SpareCrossTebBits : 16; +}; + +union TEB_SAME_TEB_FLAGS_UNION +{ + USHORT SameTebFlags; + struct + { + USHORT SafeThunkCall : 1; + USHORT InDebugPrint : 1; + USHORT HasFiberData : 1; + USHORT SkipThreadAttach : 1; + USHORT WerInShipAssertCode : 1; + USHORT RanProcessInit : 1; + USHORT ClonedThread : 1; + USHORT SuppressDebugMsg : 1; + USHORT DisableUserStackWalk : 1; + USHORT RtlExceptionAttached : 1; + USHORT InitialThread : 1; + USHORT SessionAware : 1; + USHORT LoadOwner : 1; + USHORT LoaderWorker : 1; + USHORT SkipLoaderInit : 1; + USHORT SkipFileAPIBrokering : 1; + }; +}; + +#ifndef OS_WINDOWS +using LCID = DWORD; +#endif + +typedef struct _TEB64 +{ + EMU_NT_TIB64 NtTib; + + std::uint64_t* EnvironmentPointer; + CLIENT_ID64 ClientId; + std::uint64_t* ActiveRpcHandle; + std::uint64_t* ThreadLocalStoragePointer; + PPEB64 ProcessEnvironmentBlock; + + ULONG LastErrorValue; + ULONG CountOfOwnedCriticalSections; + std::uint64_t* CsrClientThread; + std::uint64_t* Win32ThreadInfo; + ARRAY_CONTAINER User32Reserved; + ARRAY_CONTAINER UserReserved; + std::uint64_t* WOW32Reserved; + LCID CurrentLocale; + ULONG FpSoftwareStatusRegister; + ARRAY_CONTAINER ReservedForDebuggerInstrumentation; + ARRAY_CONTAINER SystemReserved1; + std::uint64_t* HeapFlsData; + ARRAY_CONTAINER RngState; + CHAR PlaceholderCompatibilityMode; + BOOLEAN PlaceholderHydrationAlwaysExplicit; + ARRAY_CONTAINER PlaceholderReserved; + + ULONG ProxiedProcessId; + ACTIVATION_CONTEXT_STACK64 ActivationStack; + + ARRAY_CONTAINER WorkingOnBehalfTicket; + + NTSTATUS ExceptionCode; + + PACTIVATION_CONTEXT_STACK64 ActivationContextStackPointer; + std::uint64_t* InstrumentationCallbackSp; + std::uint64_t* InstrumentationCallbackPreviousPc; + std::uint64_t* InstrumentationCallbackPreviousSp; + ULONG TxFsContext; + BOOLEAN InstrumentationCallbackDisabled; + BOOLEAN UnalignedLoadStoreExceptions; + GDI_TEB_BATCH64 GdiTebBatch; + CLIENT_ID64 RealClientId; + EmulatorTraits::HANDLE GdiCachedProcessHandle; + ULONG GdiClientPID; + ULONG GdiClientTID; + std::uint64_t* GdiThreadLocalInfo; + ARRAY_CONTAINER Win32ClientInfo; + + ARRAY_CONTAINER glDispatchTable; + ARRAY_CONTAINER glReserved1; + std::uint64_t* glReserved2; + std::uint64_t* glSectionInfo; + std::uint64_t* glSection; + std::uint64_t* glTable; + std::uint64_t* glCurrentRC; + std::uint64_t* glContext; + + NTSTATUS LastStatusValue; + + UNICODE_STRING> StaticUnicodeString; + ARRAY_CONTAINER StaticUnicodeBuffer; + + std::uint64_t* DeallocationStack; + + ARRAY_CONTAINER TlsSlots; + LIST_ENTRY64 TlsLinks; + + std::uint64_t* Vdm; + std::uint64_t* ReservedForNtRpc; + ARRAY_CONTAINER DbgSsReserved; + + ULONG HardErrorMode; + ARRAY_CONTAINER Instrumentation; + GUID ActivityId; + + std::uint64_t* SubProcessTag; + std::uint64_t* PerflibData; + std::uint64_t* EtwTraceData; + std::uint64_t* WinSockData; + ULONG GdiBatchCount; + + TEB_CURRENT_IDEAL_PROCESSOR_UNION CurrentIdealProcessor; + + ULONG GuaranteedStackBytes; + std::uint64_t* ReservedForPerf; + std::uint64_t* ReservedForOle; // tagSOleTlsData + ULONG WaitingOnLoaderLock; + std::uint64_t* SavedPriorityState; + std::uint64_t* ReservedForCodeCoverage; + std::uint64_t* ThreadPoolData; + std::uint64_t**TlsExpansionSlots; + std::uint64_t* ChpeV2CpuAreaInfo; // CHPEV2_CPUAREA_INFO // previously DeallocationBStore + std::uint64_t* Unused; // previously BStoreLimit + ULONG MuiGeneration; + ULONG IsImpersonating; + std::uint64_t* NlsCache; + std::uint64_t* pShimData; + ULONG HeapData; + EmulatorTraits::HANDLE CurrentTransactionHandle; + EMULATOR_CAST(void*, PTEB_ACTIVE_FRAME) ActiveFrame; + std::uint64_t* FlsData; + + std::uint64_t* PreferredLanguages; + std::uint64_t* UserPrefLanguages; + std::uint64_t* MergedPrefLanguages; + ULONG MuiImpersonation; + + TEB_CROSS_TEB_FLAGS_UNION CrossTebFlags; + TEB_SAME_TEB_FLAGS_UNION SameTebFlags; + + std::uint64_t* TxnScopeEnterCallback; + std::uint64_t* TxnScopeExitCallback; + std::uint64_t* TxnScopeContext; + ULONG LockCount; + LONG WowTebOffset; + std::uint64_t* ResourceRetValue; + std::uint64_t* ReservedForWdf; + ULONGLONG ReservedForCrt; + GUID EffectiveContainerId; + ULONGLONG LastSleepCounter; // Win11 + ULONG SpinCallCount; + ULONGLONG ExtendedFeatureDisableMask; + std::uint64_t* SchedulerSharedDataSlot; // 24H2 + std::uint64_t* HeapWalkContext; + EMU_GROUP_AFFINITY64 PrimaryGroupAffinity; + ARRAY_CONTAINER Rcu; +} TEB64, *PTEB64; + +#pragma pack(push, 4) +typedef struct _KSYSTEM_TIME +{ + ULONG LowPart; + LONG High1Time; + LONG High2Time; +} KSYSTEM_TIME, *PKSYSTEM_TIME; +#pragma pack(pop) + +typedef enum _NT_PRODUCT_TYPE +{ + NtProductWinNt = 1, + NtProductLanManNt, + NtProductServer +} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; + +typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE +{ + StandardDesign, + NEC98x86, + EndAlternatives +} ALTERNATIVE_ARCHITECTURE_TYPE; + +union KUSD_SHARED_DATA_FLAGS_UNION +{ + ULONG SharedDataFlags; + struct + { + // + // The following bit fields are for the debugger only. Do not use. + // Use the bit definitions instead. + // + + ULONG DbgErrorPortPresent : 1; + ULONG DbgElevationEnabled : 1; + ULONG DbgVirtEnabled : 1; + ULONG DbgInstallerDetectEnabled : 1; + ULONG DbgLkgEnabled : 1; + ULONG DbgDynProcessorEnabled : 1; + ULONG DbgConsoleBrokerEnabled : 1; + ULONG DbgSecureBootEnabled : 1; + ULONG DbgMultiSessionSku : 1; + ULONG DbgMultiUsersInSessionSku : 1; + ULONG DbgStateSeparationEnabled : 1; + ULONG DbgSplitTokenEnabled : 1; + ULONG DbgShadowAdminEnabled : 1; + ULONG SpareBits : 19; + }; +}; + +union KUSD_TICK_COUNT_UNION +{ + volatile KSYSTEM_TIME TickCount; + volatile std::uint64_t TickCountQuad; + struct + { + ULONG ReservedTickCountOverlay[3]; + ULONG TickCountPad[1]; + }; +}; + +union KUSD_VIRTUALIZATION_FLAGS_UNION +{ + UCHAR VirtualizationFlags; +}; + +union KUSD_MITIGATION_POLICIES_UNION +{ + UCHAR MitigationPolicies; + struct + { + UCHAR NXSupportPolicy : 2; + UCHAR SEHValidationPolicy : 2; + UCHAR CurDirDevicesSkippedForDlls : 2; + UCHAR Reserved : 2; + }; +}; + +union KUSD_QPC_DATA_UNION +{ + USHORT QpcData; + struct + { + volatile UCHAR QpcBypassEnabled; + UCHAR QpcReserved; + }; +}; + +#ifndef OS_WINDOWS +#define MAXIMUM_XSTATE_FEATURES 64 + +typedef struct _XSTATE_FEATURE { + ULONG Offset; + ULONG Size; +} XSTATE_FEATURE; + +typedef struct _XSTATE_CONFIGURATION { + std::uint64_t EnabledFeatures; + std::uint64_t EnabledVolatileFeatures; + ULONG Size; + union { + ULONG ControlFlags; + struct { + ULONG OptimizedSave : 1; + ULONG CompactionEnabled : 1; + ULONG Reserved1 : 30; + }; + }; + XSTATE_FEATURE Features[MAXIMUM_XSTATE_FEATURES]; + std::uint64_t EnabledSupervisorFeatures; + std::uint64_t AlignedFeatures; + std::uint64_t AllFeatureSize; + ULONG AllFeatures[MAXIMUM_XSTATE_FEATURES]; +} XSTATE_CONFIGURATION, *PXSTATE_CONFIGURATION; + +#endif + +typedef struct _KUSER_SHARED_DATA64 +{ + ULONG TickCountLowDeprecated; + ULONG TickCountMultiplier; + volatile KSYSTEM_TIME InterruptTime; + volatile KSYSTEM_TIME SystemTime; + volatile KSYSTEM_TIME TimeZoneBias; + USHORT ImageNumberLow; + USHORT ImageNumberHigh; + ARRAY_CONTAINER NtSystemRoot; + ULONG MaxStackTraceDepth; + ULONG CryptoExponent; + ULONG TimeZoneId; + ULONG LargePageMinimum; + ULONG AitSamplingValue; + ULONG AppCompatFlag; + ULONGLONG RNGSeedVersion; + ULONG GlobalValidationRunlevel; + volatile LONG TimeZoneBiasStamp; + ULONG NtBuildNumber; + NT_PRODUCT_TYPE NtProductType; + BOOLEAN ProductTypeIsValid; + BOOLEAN Reserved0; + USHORT NativeProcessorArchitecture; + ULONG NtMajorVersion; + ULONG NtMinorVersion; + ARRAY_CONTAINER ProcessorFeatures; + ULONG Reserved1; + ULONG Reserved3; + volatile ULONG TimeSlip; + ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; + ULONG BootId; + LARGE_INTEGER SystemExpirationDate; + ULONG SuiteMask; + BOOLEAN KdDebuggerEnabled; + KUSD_MITIGATION_POLICIES_UNION MitigationPolicies; + USHORT CyclesPerYield; + volatile ULONG ActiveConsoleId; + volatile ULONG DismountCount; + ULONG ComPlusPackage; + ULONG LastSystemRITEventTickCount; + ULONG NumberOfPhysicalPages; + BOOLEAN SafeBootMode; + KUSD_VIRTUALIZATION_FLAGS_UNION VirtualizationFlags; + ARRAY_CONTAINER Reserved12; + KUSD_SHARED_DATA_FLAGS_UNION SharedDataFlags; + ULONG DataFlagsPad; + ULONGLONG TestRetInstruction; + LONGLONG QpcFrequency; + ULONG SystemCall; + ULONG Reserved2; + ULONGLONG FullNumberOfPhysicalPages; + ULONGLONG SystemCallPad; + KUSD_TICK_COUNT_UNION TickCount; + ULONG Cookie; + ULONG CookiePad; + LONGLONG ConsoleSessionForegroundProcessId; + ULONGLONG TimeUpdateLock; + ULONGLONG BaselineSystemTimeQpc; + ULONGLONG BaselineInterruptTimeQpc; + ULONGLONG QpcSystemTimeIncrement; + ULONGLONG QpcInterruptTimeIncrement; + UCHAR QpcSystemTimeIncrementShift; + UCHAR QpcInterruptTimeIncrementShift; + USHORT UnparkedProcessorCount; + ARRAY_CONTAINER EnclaveFeatureMask; + ULONG TelemetryCoverageRound; + ARRAY_CONTAINER UserModeGlobalLogger; + ULONG ImageFileExecutionOptions; + ULONG LangGenerationCount; + ULONGLONG Reserved4; + volatile ULONGLONG InterruptTimeBias; + volatile ULONGLONG QpcBias; + ULONG ActiveProcessorCount; + volatile UCHAR ActiveGroupCount; + UCHAR Reserved9; + KUSD_QPC_DATA_UNION QpcData; + LARGE_INTEGER TimeZoneBiasEffectiveStart; + LARGE_INTEGER TimeZoneBiasEffectiveEnd; + XSTATE_CONFIGURATION XState; + KSYSTEM_TIME FeatureConfigurationChangeStamp; + ULONG Spare; + std::uint64_t UserPointerAuthMask; + ARRAY_CONTAINER Reserved10; +} KUSER_SHARED_DATA64, *PKUSER_SHARED_DATA64; + +typedef struct _API_SET_NAMESPACE_ENTRY +{ + ULONG Flags; + ULONG NameOffset; + ULONG NameLength; + ULONG HashedLength; + ULONG ValueOffset; + ULONG ValueCount; +} API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; + +typedef struct _API_SET_HASH_ENTRY +{ + ULONG Hash; + ULONG Index; +} API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY; + +typedef struct _API_SET_VALUE_ENTRY +{ + ULONG Flags; + ULONG NameOffset; + ULONG NameLength; + ULONG ValueOffset; + ULONG ValueLength; +} API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY; + +template +struct PS_ATTRIBUTE +{ + typename Traits::ULONG_PTR Attribute; + typename Traits::SIZE_T Size; + union + { + typename Traits::ULONG_PTR Value; + typename Traits::PVOID ValuePtr; + }; + typename Traits::SIZE_T* ReturnLength; +}; + +template +struct PS_ATTRIBUTE_LIST +{ + typename Traits::SIZE_T TotalLength; + PS_ATTRIBUTE Attributes[1]; +}; + +typedef struct _SYSTEM_TIMEOFDAY_INFORMATION64 +{ + LARGE_INTEGER BootTime; + LARGE_INTEGER CurrentTime; + LARGE_INTEGER TimeZoneBias; + ULONG TimeZoneId; + ULONG Reserved; + ULONGLONG BootTimeBias; + ULONGLONG SleepTimeBias; +} SYSTEM_TIMEOFDAY_INFORMATION64, *PSYSTEM_TIMEOFDAY_INFORMATION64; + +typedef struct _PROCESS_BASIC_INFORMATION64 +{ + NTSTATUS ExitStatus; + PPEB64 PebBaseAddress; + EMULATOR_CAST(std::uint64_t, KAFFINITY) AffinityMask; + EMULATOR_CAST(std::uint32_t, KPRIORITY) BasePriority; + EMULATOR_CAST(std::uint64_t, HANDLE) UniqueProcessId; + EMULATOR_CAST(std::uint64_t, HANDLE) InheritedFromUniqueProcessId; +} PROCESS_BASIC_INFORMATION64, *PPROCESS_BASIC_INFORMATION64; \ No newline at end of file diff --git a/src/common/platform/memory.hpp b/src/common/platform/memory.hpp new file mode 100644 index 00000000..35539a92 --- /dev/null +++ b/src/common/platform/memory.hpp @@ -0,0 +1,128 @@ +#pragma once + + +#define PAGE_EXECUTE 0x10 +#define PAGE_EXECUTE_READ 0x20 +#define PAGE_EXECUTE_READWRITE 0x40 +#define PAGE_EXECUTE_WRITECOPY 0x80 + +#define PAGE_NOACCESS 0x01 +#define PAGE_READONLY 0x02 +#define PAGE_READWRITE 0x04 +#define PAGE_WRITECOPY 0x08 + +#define PAGE_TARGETS_INVALID 0x40000000 +#define PAGE_TARGETS_NO_UPDATE 0x40000000 + +#define PAGE_GUARD 0x100 +#define PAGE_NOCACHE 0x200 +#define PAGE_WRITECOMBINE 0x400 + +#define MEM_COMMIT 0x00001000 +#define MEM_RESERVE 0x00002000 +#define MEM_DECOMMIT 0x00004000 +#define MEM_RELEASE 0x00008000 +#define MEM_FREE 0x00010000 +#define MEM_PRIVATE 0x00020000 +#define MEM_MAPPED 0x00040000 +#define MEM_RESET 0x00080000 +#define MEM_TOP_DOWN 0x00100000 +#define MEM_WRITE_WATCH 0x00200000 +#define MEM_PHYSICAL 0x00400000 +#define MEM_ROTATE 0x00800000 +#define MEM_DIFFERENT_IMAGE_BASE_OK 0x00800000 +#define MEM_RESET_UNDO 0x01000000 +#define MEM_LARGE_PAGES 0x20000000 +#define MEM_DOS_LIM 0x40000000 +#define MEM_4MB_PAGES 0x80000000 +#define MEM_64K_PAGES (MEM_LARGE_PAGES | MEM_PHYSICAL) + +typedef enum _MEMORY_INFORMATION_CLASS +{ + MemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION + MemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION + MemoryMappedFilenameInformation, // q: UNICODE_STRING + MemoryRegionInformation, // q: MEMORY_REGION_INFORMATION + MemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA + MemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8 + MemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION + MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION + MemoryPrivilegedBasicInformation, // MEMORY_BASIC_INFORMATION + MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 + MemoryBasicInformationCapped, // 10 + MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 + MemoryBadInformation, // since WIN11 + MemoryBadInformationAllProcesses, // since 22H1 + MemoryImageExtensionInformation, // since 24H2 + MaxMemoryInfoClass +} MEMORY_INFORMATION_CLASS; + +typedef enum _SECTION_INHERIT +{ + ViewShare = 1, + ViewUnmap = 2 +} SECTION_INHERIT; + + +typedef struct DECLSPEC_ALIGN(16) _EMU_MEMORY_BASIC_INFORMATION64 +{ + void* BaseAddress; + void* AllocationBase; + DWORD AllocationProtect; + WORD PartitionId; + std::int64_t RegionSize; + DWORD State; + DWORD Protect; + DWORD Type; +} EMU_MEMORY_BASIC_INFORMATION64, *PEMU_MEMORY_BASIC_INFORMATION64; + + + +typedef struct _MEMORY_IMAGE_INFORMATION64 +{ + void* ImageBase; + std::int64_t SizeOfImage; + union + { + ULONG ImageFlags; + struct + { + ULONG ImagePartialMap : 1; + ULONG ImageNotExecutable : 1; + ULONG ImageSigningLevel : 4; // REDSTONE3 + ULONG ImageExtensionPresent : 1; // since 24H2 + ULONG Reserved : 25; + }; + }; +} MEMORY_IMAGE_INFORMATION64, *PMEMORY_IMAGE_INFORMATION64; + +typedef struct _MEMORY_REGION_INFORMATION +{ + void* AllocationBase; + ULONG AllocationProtect; + union + { + ULONG RegionType; + struct + { + ULONG Private : 1; + ULONG MappedDataFile : 1; + ULONG MappedImage : 1; + ULONG MappedPageFile : 1; + ULONG MappedPhysical : 1; + ULONG DirectMapped : 1; + ULONG SoftwareEnclave : 1; // REDSTONE3 + ULONG PageSize64K : 1; + ULONG PlaceholderReservation : 1; // REDSTONE4 + ULONG MappedAwe : 1; // 21H1 + ULONG MappedWriteWatch : 1; + ULONG PageSizeLarge : 1; + ULONG PageSizeHuge : 1; + ULONG Reserved : 19; + }; + }; + std::int64_t RegionSize; + std::int64_t CommitSize; + DWORD64 PartitionId; // 19H1 + DWORD64 NodePreference; // 20H1 +} MEMORY_REGION_INFORMATION64, *PMEMORY_REGION_INFORMATION64; \ No newline at end of file diff --git a/src/common/platform/network.hpp b/src/common/platform/network.hpp new file mode 100644 index 00000000..2960145b --- /dev/null +++ b/src/common/platform/network.hpp @@ -0,0 +1,9 @@ +#pragma once + + +template +struct EMU_WSABUF +{ + ULONG len; + EMULATOR_CAST(typename Traits::PVOID, CHAR*) buf; +}; \ No newline at end of file diff --git a/src/common/platform/platform.hpp b/src/common/platform/platform.hpp new file mode 100644 index 00000000..01e89ba6 --- /dev/null +++ b/src/common/platform/platform.hpp @@ -0,0 +1,40 @@ +#pragma once + +#ifdef _WIN32 + #pragma warning(disable: 4201) // nameless struct/union + #pragma warning(disable: 4702) // unreachable code +#endif + +#include "compiler.hpp" +#include "primitives.hpp" +#include "traits.hpp" +#include "unicode.hpp" +#include "status.hpp" +#include "process.hpp" +#include "kernel_mapped.hpp" +#include "memory.hpp" +#include "file_management.hpp" +#include "win_pefile.hpp" +#include "synchronisation.hpp" +#include "registry.hpp" +#include "network.hpp" +#include "threading.hpp" + +#ifdef OS_WINDOWS + #pragma comment(lib, "ntdll") + +extern "C" +{ + NTSYSCALLAPI + NTSTATUS + NTAPI + NtQuerySystemInformationEx( + _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, + _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, + _In_ ULONG SystemInformationLength, + _Out_opt_ PULONG ReturnLength + ); +} +#endif \ No newline at end of file diff --git a/src/common/platform/primitives.hpp b/src/common/platform/primitives.hpp new file mode 100644 index 00000000..bbbd91c3 --- /dev/null +++ b/src/common/platform/primitives.hpp @@ -0,0 +1,64 @@ +#pragma once + +#include + + +#ifdef OS_WINDOWS + #define WIN32_LEAN_AND_MEAN + #define NOMINMAX + #include + #include "winnt.h" +#else + #define DWORD std::uint32_t + using LONG = std::int32_t; + using ULONG = DWORD; + using DWORD64 = std::uint64_t; + using ULONGLONG = DWORD64; + using LONGLONG = std::int64_t; + + typedef union _ULARGE_INTEGER + { + struct + { + DWORD LowPart; + DWORD HighPart; + }; + ULONGLONG QuadPart; + } ULARGE_INTEGER; + + typedef union _LARGE_INTEGER + { + struct + { + DWORD LowPart; + LONG HighPart; + }; + LONGLONG QuadPart; + } LARGE_INTEGER; + + using BYTE = std::uint8_t; + #define CHAR BYTE +#endif + + +using WORD = std::uint16_t; + + + +#define UCHAR unsigned char + +#define BOOLEAN bool +using CSHORT = short; +using USHORT = WORD; + + + + + +#define DUMMYSTRUCTNAME + +#ifndef TRUE +#define TRUE true +#define FALSE false +#endif + diff --git a/src/common/platform/process.hpp b/src/common/platform/process.hpp new file mode 100644 index 00000000..c8b70e41 --- /dev/null +++ b/src/common/platform/process.hpp @@ -0,0 +1,768 @@ +#pragma once + +#define CONTEXT_X86_MAIN 0x00010000 +#define CONTEXT_AMD64_MAIN 0x100000 +#define CONTEXT_CONTROL_32 (CONTEXT_X86_MAIN | 0x1L) +#define CONTEXT_CONTROL_64 (CONTEXT_AMD64_MAIN | 0x1L) +#define CONTEXT_INTEGER_32 (CONTEXT_X86_MAIN | 0x2L) +#define CONTEXT_INTEGER_64 (CONTEXT_AMD64_MAIN | 0x2L) +#define CONTEXT_SEGMENTS_32 (CONTEXT_X86_MAIN | 0x4L) +#define CONTEXT_SEGMENTS_64 (CONTEXT_AMD64_MAIN | 0x4L) +#define CONTEXT_FLOATING_POINT_32 (CONTEXT_X86_MAIN | 0x8L) +#define CONTEXT_FLOATING_POINT_64 (CONTEXT_AMD64_MAIN | 0x8L) +#define CONTEXT_DEBUG_REGISTERS_32 (CONTEXT_X86_MAIN | 0x10L) +#define CONTEXT_DEBUG_REGISTERS_64 (CONTEXT_AMD64_MAIN | 0x10L) +#define CONTEXT_XSTATE_32 (CONTEXT_X86_MAIN | 0x20L) +#define CONTEXT_XSTATE_64 (CONTEXT_AMD64_MAIN | 0x20L) + +#define CONTEXT64_ALL (CONTEXT_CONTROL_64 | CONTEXT_INTEGER_64 | CONTEXT_SEGMENTS_64 | \ + CONTEXT_FLOATING_POINT_64 | CONTEXT_DEBUG_REGISTERS_64) + + +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION + SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION + SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION + SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION + SystemPathInformation, // not implemented + SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION + SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION + SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION + SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup) + SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION + SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10 + SystemModuleInformation, // q: RTL_PROCESS_MODULES + SystemLocksInformation, // q: RTL_PROCESS_LOCKS + SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES + SystemPagedPoolInformation, // not implemented + SystemNonPagedPoolInformation, // not implemented + SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION + SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION + SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION + SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO + SystemVdmBopInformation, // not implemented // 20 + SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) + SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION + SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup) + SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) + SystemFullMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION + SystemLoadGdiDriverInformation, // s (kernel-mode only) + SystemUnloadGdiDriverInformation, // s (kernel-mode only) + SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) + SystemSummaryMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION + SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30 + SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) + SystemObsolete0, // not implemented + SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION + SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege) + SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION + SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION + SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) + SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only + SystemPrioritySeperation, // s (requires SeTcbPrivilege) + SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40 + SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege) + SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup) + SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION + SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION + SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION + SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege) + SystemSessionCreate, // not implemented + SystemSessionDetach, // not implemented + SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION) + SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50 + SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) + SystemVerifierThunkExtend, // s (kernel-mode only) + SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION + SystemLoadGdiDriverInSystemSpace, // s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation) + SystemNumaProcessorMap, // q: SYSTEM_NUMA_INFORMATION + SystemPrefetcherInformation, // q; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation + SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION + SystemRecommendedSharedDataAlignment, // q: ULONG // KeGetRecommendedSharedDataAlignment + SystemComPlusPackage, // q; s: ULONG + SystemNumaAvailableMemory, // q: SYSTEM_NUMA_INFORMATION // 60 + SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup) + SystemEmulationBasicInformation, // q: SYSTEM_BASIC_INFORMATION + SystemEmulationProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION + SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX + SystemLostDelayedWriteInformation, // q: ULONG + SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION + SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION + SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION + SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION + SystemObjectSecurityMode, // q: ULONG // 70 + SystemWatchdogTimerHandler, // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only) + SystemWatchdogTimerInformation, // q: SYSTEM_WATCHDOG_TIMER_INFORMATION // (kernel-mode only) + SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup) + SystemWow64SharedInformationObsolete, // not implemented + SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only) + SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION + SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX + SystemVerifierTriageInformation, // not implemented + SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation + SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80 + SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) + SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) + SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) + SystemVerifierCancellationInformation, // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation + SystemProcessorPowerInformationEx, // not implemented + SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation + SystemSpecialPoolInformation, // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 + SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION + SystemErrorPortInformation, // s (requires SeTcbPrivilege) + SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90 + SystemHypervisorInformation, // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION + SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX + SystemTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) + SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) + SystemCoverageInformation, // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege) + SystemPrefetchPatchInformation, // SYSTEM_PREFETCH_PATCH_INFORMATION + SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) + SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION + SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION + SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // 100 + SystemNumaProximityNodeInformation, // q; s: SYSTEM_NUMA_PROXIMITY_MAP + SystemDynamicTimeZoneInformation, // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) + SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation + SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION + SystemProcessorBrandString, // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 + SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation + SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // KeQueryLogicalProcessorRelationship + SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) + SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation + SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110 + SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege) + SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION + SystemCpuQuotaInformation, // q; s: PS_CPU_QUOTA_QUERY_INFORMATION + SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION + SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS + SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION + SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation + SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION + SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) + SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 + SystemNodeDistanceInformation, // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber) + SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 + SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation + SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 + SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8 + SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) + SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION + SystemBadPageInformation, // SYSTEM_BAD_PAGE_INFORMATION + SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA + SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130 + SystemEntropyInterruptTimingInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION + SystemConsoleInformation, // q; s: SYSTEM_CONSOLE_INFORMATION + SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) + SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) + SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION + SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION + SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION + SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION + SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION + SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140 + SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // since WINBLUE + SystemCriticalProcessErrorLogInformation, + SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION + SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX + SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION + SystemEntropyInterruptTimingRawInformation, + SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION + SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) + SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX + SystemBootMetadataInformation, // 150 + SystemSoftRebootInformation, // q: ULONG + SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION + SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 + SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION + SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives) + SystemEdidInformation, // q: SYSTEM_EDID_INFORMATION + SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD + SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION + SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION + SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // 160 + SystemVmGenerationCountInformation, + SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION + SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS + SystemCodeIntegrityPolicyInformation, // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION + SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION + SystemHardwareSecurityTestInterfaceResultsInformation, + SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION + SystemAllowedCpuSetsInformation, // s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION + SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) + SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 + SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION + SystemCodeIntegrityPolicyFullInformation, + SystemAffinitizedInterruptProcessorInformation, // (requires SeIncreaseBasePriorityPrivilege) + SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION + SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 + SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION + SystemWin32WerStartCallout, + SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION + SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE + SystemInterruptSteeringInformation, // q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT // NtQuerySystemInformationEx // 180 + SystemSupportedProcessorArchitectures, // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx + SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION + SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION + SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2 + SystemControlFlowTransition, // (Warbird/Encrypt/Decrypt/Execute) + SystemKernelDebuggingAllowed, // s: ULONG + SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE + SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS + SystemCodeIntegrityPoliciesFullInformation, + SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190 + SystemIntegrityQuotaInformation, + SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION + SystemProcessorIdleMaskInformation, // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3 + SystemSecureDumpEncryptionInformation, + SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION + SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION + SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4 + SystemFirmwareBootPerformanceInformation, + SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION + SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200 + SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above. + SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION + SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION + SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5 + SystemCodeIntegrityUnlockModeInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION + SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION + SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION + SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1 + SystemCodeIntegritySyntheticCacheInformation, + SystemFeatureConfigurationInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE // NtQuerySystemInformationEx // since 20H1 // 210 + SystemFeatureConfigurationSectionInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION // NtQuerySystemInformationEx + SystemFeatureUsageSubscriptionInformation, // q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE + SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION + SystemSpacesBootInformation, // since 20H2 + SystemFwRamdiskInformation, // SYSTEM_FIRMWARE_RAMDISK_INFORMATION + SystemWheaIpmiHardwareInformation, + SystemDifSetRuleClassInformation, // SYSTEM_DIF_VOLATILE_INFORMATION + SystemDifClearRuleClassInformation, + SystemDifApplyPluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION + SystemDifRemovePluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION // 220 + SystemShadowStackInformation, // SYSTEM_SHADOW_STACK_INFORMATION + SystemBuildVersionInformation, // q: in: ULONG (LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION // NtQuerySystemInformationEx // 222 + SystemPoolLimitInformation, // SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) + SystemCodeIntegrityAddDynamicStore, + SystemCodeIntegrityClearDynamicStores, + SystemDifPoolTrackingInformation, + SystemPoolZeroingInformation, // q: SYSTEM_POOL_ZEROING_INFORMATION + SystemDpcWatchdogInformation, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION + SystemDpcWatchdogInformation2, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2 + SystemSupportedProcessorArchitectures2, // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230 + SystemSingleProcessorRelationshipInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor) + SystemXfgCheckFailureInformation, // q: SYSTEM_XFG_FAILURE_INFORMATION + SystemIommuStateInformation, // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1 + SystemHypervisorMinrootInformation, // SYSTEM_HYPERVISOR_MINROOT_INFORMATION + SystemHypervisorBootPagesInformation, // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION + SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION + SystemSecureKernelDebuggerInformation, + SystemOriginalImageFeatureInformation, // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx + SystemMemoryNumaInformation, // SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT + SystemMemoryNumaPerformanceInformation, // SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240 + SystemCodeIntegritySignedPoliciesFullInformation, + SystemSecureSecretsInformation, + SystemTrustedAppsRuntimeInformation, // SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION + SystemBadPageInformationEx, // SYSTEM_BAD_PAGE_INFORMATION + SystemResourceDeadlockTimeout, // ULONG + SystemBreakOnContextUnwindFailureInformation, // ULONG (requires SeDebugPrivilege) + SystemOslRamdiskInformation, // SYSTEM_OSL_RAMDISK_INFORMATION + MaxSystemInfoClass +} SYSTEM_INFORMATION_CLASS; + +#ifndef OS_WINDOWS +typedef enum _TOKEN_INFORMATION_CLASS +{ + TokenUser = 1, // q: TOKEN_USER, SE_TOKEN_USER + TokenGroups, // q: TOKEN_GROUPS + TokenPrivileges, // q: TOKEN_PRIVILEGES + TokenOwner, // q; s: TOKEN_OWNER + TokenPrimaryGroup, // q; s: TOKEN_PRIMARY_GROUP + TokenDefaultDacl, // q; s: TOKEN_DEFAULT_DACL + TokenSource, // q: TOKEN_SOURCE + TokenType, // q: TOKEN_TYPE + TokenImpersonationLevel, // q: SECURITY_IMPERSONATION_LEVEL + TokenStatistics, // q: TOKEN_STATISTICS // 10 + TokenRestrictedSids, // q: TOKEN_GROUPS + TokenSessionId, // q; s: ULONG (requires SeTcbPrivilege) + TokenGroupsAndPrivileges, // q: TOKEN_GROUPS_AND_PRIVILEGES + TokenSessionReference, // s: ULONG (requires SeTcbPrivilege) + TokenSandBoxInert, // q: ULONG + TokenAuditPolicy, // q; s: TOKEN_AUDIT_POLICY (requires SeSecurityPrivilege/SeTcbPrivilege) + TokenOrigin, // q; s: TOKEN_ORIGIN (requires SeTcbPrivilege) + TokenElevationType, // q: TOKEN_ELEVATION_TYPE + TokenLinkedToken, // q; s: TOKEN_LINKED_TOKEN (requires SeCreateTokenPrivilege) + TokenElevation, // q: TOKEN_ELEVATION // 20 + TokenHasRestrictions, // q: ULONG + TokenAccessInformation, // q: TOKEN_ACCESS_INFORMATION + TokenVirtualizationAllowed, // q; s: ULONG (requires SeCreateTokenPrivilege) + TokenVirtualizationEnabled, // q; s: ULONG + TokenIntegrityLevel, // q; s: TOKEN_MANDATORY_LABEL + TokenUIAccess, // q; s: ULONG (requires SeTcbPrivilege) + TokenMandatoryPolicy, // q; s: TOKEN_MANDATORY_POLICY (requires SeTcbPrivilege) + TokenLogonSid, // q: TOKEN_GROUPS + TokenIsAppContainer, // q: ULONG // since WIN8 + TokenCapabilities, // q: TOKEN_GROUPS // 30 + TokenAppContainerSid, // q: TOKEN_APPCONTAINER_INFORMATION + TokenAppContainerNumber, // q: ULONG + TokenUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION + TokenDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION + TokenRestrictedUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION + TokenRestrictedDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION + TokenDeviceGroups, // q: TOKEN_GROUPS + TokenRestrictedDeviceGroups, // q: TOKEN_GROUPS + TokenSecurityAttributes, // q; s: TOKEN_SECURITY_ATTRIBUTES_[AND_OPERATION_]INFORMATION (requires SeTcbPrivilege) + TokenIsRestricted, // q: ULONG // 40 + TokenProcessTrustLevel, // q: TOKEN_PROCESS_TRUST_LEVEL // since WINBLUE + TokenPrivateNameSpace, // q; s: ULONG (requires SeTcbPrivilege) // since THRESHOLD + TokenSingletonAttributes, // q: TOKEN_SECURITY_ATTRIBUTES_INFORMATION // since REDSTONE + TokenBnoIsolation, // q: TOKEN_BNO_ISOLATION_INFORMATION // since REDSTONE2 + TokenChildProcessFlags, // s: ULONG (requires SeTcbPrivilege) // since REDSTONE3 + TokenIsLessPrivilegedAppContainer, // q: ULONG // since REDSTONE5 + TokenIsSandboxed, // q: ULONG // since 19H1 + TokenIsAppSilo, // q: ULONG // since WIN11 22H2 // previously TokenOriginatingProcessTrustLevel // q: TOKEN_PROCESS_TRUST_LEVEL + TokenLoggingInformation, // TOKEN_LOGGING_INFORMATION // since 24H2 + MaxTokenInfoClass +} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS; + +#endif + +typedef enum _PROCESSINFOCLASS +{ + ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION + ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX + ProcessIoCounters, // q: IO_COUNTERS + ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 + ProcessTimes, // q: KERNEL_USER_TIMES + ProcessBasePriority, // s: KPRIORITY + ProcessRaisePriority, // s: ULONG + ProcessDebugPort, // q: HANDLE + ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege) + ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN + ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 + ProcessLdtSize, // s: PROCESS_LDT_SIZE + ProcessDefaultHardErrorMode, // qs: ULONG + ProcessIoPortHandlers, // (kernel-mode only) // s: PROCESS_IO_PORT_HANDLER_INFORMATION + ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS + ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void + ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege) + ProcessEnableAlignmentFaultFixup, // s: BOOLEAN + ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS + ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) + ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 + ProcessAffinityMask, // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY + ProcessPriorityBoost, // qs: ULONG + ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX + ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION + ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND + ProcessWow64Information, // q: ULONG_PTR + ProcessImageFileName, // q: UNICODE_STRING + ProcessLUIDDeviceMapsEnabled, // q: ULONG + ProcessBreakOnTermination, // qs: ULONG + ProcessDebugObjectHandle, // q: HANDLE // 30 + ProcessDebugFlags, // qs: ULONG + ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: PROCESS_HANDLE_TRACING_ENABLE[_EX] or void to disable + ProcessIoPriority, // qs: IO_PRIORITY_HINT + ProcessExecuteFlags, // qs: ULONG (MEM_EXECUTE_OPTION_*) + ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement + ProcessCookie, // q: ULONG + ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION + ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA + ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION + ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 + ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX + ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]; s: void + ProcessImageFileNameWin32, // q: UNICODE_STRING + ProcessImageFileMapping, // q: HANDLE (input) + ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE + ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE + ProcessGroupInformation, // q: USHORT[] + ProcessTokenVirtualizationEnabled, // s: ULONG + ProcessConsoleHostProcess, // qs: ULONG_PTR // ProcessOwnerInformation + ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 + ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 + ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION + ProcessDynamicFunctionTableInformation, // s: PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION + ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables + ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION + ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION + ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL (requires SeDebugPrivilege) + ProcessHandleTable, // q: ULONG[] // since WINBLUE + ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG) + ProcessCommandLineInformation, // q: UNICODE_STRING // 60 + ProcessProtectionInformation, // q: PS_PROTECTION + ProcessMemoryExhaustion, // s: PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD + ProcessFaultInformation, // s: PROCESS_FAULT_INFORMATION + ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION + ProcessCommitReleaseInformation, // qs: PROCESS_COMMIT_RELEASE_INFORMATION + ProcessDefaultCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5] + ProcessAllowedCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5] + ProcessSubsystemProcess, + ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO + ProcessInPrivate, // q: BOOLEAN; s: void // ETW // since THRESHOLD2 // 70 + ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables + ProcessIumChallengeResponse, + ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION + ProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege) + ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 + ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES + ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE + ProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY + ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER + ProcessDisableSystemAllowedCpuSets, // s: BOOLEAN // 80 + ProcessWakeInformation, // q: PROCESS_WAKE_INFORMATION + ProcessEnergyTrackingState, // qs: PROCESS_ENERGY_TRACKING_STATE + ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 + ProcessCaptureTrustletLiveDump, + ProcessTelemetryCoverage, // q: TELEMETRY_COVERAGE_HEADER; s: TELEMETRY_COVERAGE_POINT + ProcessEnclaveInformation, + ProcessEnableReadWriteVmLogging, // qs: PROCESS_READWRITEVM_LOGGING_INFORMATION + ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION + ProcessImageSection, // q: HANDLE + ProcessDebugAuthInformation, // since REDSTONE4 // 90 + ProcessSystemResourceManagement, // s: PROCESS_SYSTEM_RESOURCE_MANAGEMENT + ProcessSequenceNumber, // q: ULONGLONG + ProcessLoaderDetour, // since REDSTONE5 + ProcessSecurityDomainInformation, // q: PROCESS_SECURITY_DOMAIN_INFORMATION + ProcessCombineSecurityDomainsInformation, // s: PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION + ProcessEnableLogging, // qs: PROCESS_LOGGING_INFORMATION + ProcessLeapSecondInformation, // qs: PROCESS_LEAP_SECOND_INFORMATION + ProcessFiberShadowStackAllocation, // s: PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1 + ProcessFreeFiberShadowStackAllocation, // s: PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION + ProcessAltSystemCallInformation, // s: PROCESS_SYSCALL_PROVIDER_INFORMATION // since 20H1 // 100 + ProcessDynamicEHContinuationTargets, // s: PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION + ProcessDynamicEnforcedCetCompatibleRanges, // s: PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2 + ProcessCreateStateChange, // since WIN11 + ProcessApplyStateChange, + ProcessEnableOptionalXStateFeatures, // s: ULONG64 // optional XState feature bitmask + ProcessAltPrefetchParam, // qs: OVERRIDE_PREFETCH_PARAMETER // App Launch Prefetch (ALPF) // since 22H1 + ProcessAssignCpuPartitions, + ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX + ProcessMembershipInformation, // q: PROCESS_MEMBERSHIP_INFORMATION + ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT // 110 + ProcessEffectivePagePriority, // q: ULONG + ProcessSchedulerSharedData, // since 24H2 + ProcessSlistRollbackInformation, + ProcessNetworkIoCounters, // q: PROCESS_NETWORK_COUNTERS + ProcessFindFirstThreadByTebValue, // PROCESS_TEB_VALUE_INFORMATION + MaxProcessInfoClass +} PROCESSINFOCLASS; + +typedef enum _PS_ATTRIBUTE_NUM +{ + PsAttributeParentProcess, // in HANDLE + PsAttributeDebugObject, // in HANDLE + PsAttributeToken, // in HANDLE + PsAttributeClientId, // out PCLIENT_ID + PsAttributeTebAddress, // out PTEB * + PsAttributeImageName, // in PWSTR + PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION + PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE + PsAttributePriorityClass, // in UCHAR + PsAttributeErrorMode, // in ULONG + PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO + PsAttributeHandleList, // in HANDLE[] + PsAttributeGroupAffinity, // in PGROUP_AFFINITY + PsAttributePreferredNode, // in PUSHORT + PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER + PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES + PsAttributeMitigationOptions, // in PPS_MITIGATION_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_POLICY_*) // since WIN8 + PsAttributeProtectionLevel, // in PS_PROTECTION // since WINBLUE + PsAttributeSecureProcess, // in PPS_TRUSTLET_CREATE_ATTRIBUTES, since THRESHOLD + PsAttributeJobList, // in HANDLE[] + PsAttributeChildProcessPolicy, // 20, in PULONG (PROCESS_CREATION_CHILD_PROCESS_*) // since THRESHOLD2 + PsAttributeAllApplicationPackagesPolicy, // in PULONG (PROCESS_CREATION_ALL_APPLICATION_PACKAGES_*) // since REDSTONE + PsAttributeWin32kFilter, // in PWIN32K_SYSCALL_FILTER + PsAttributeSafeOpenPromptOriginClaim, // in SE_SAFE_OPEN_PROMPT_RESULTS + PsAttributeBnoIsolation, // in PPS_BNO_ISOLATION_PARAMETERS // since REDSTONE2 + PsAttributeDesktopAppPolicy, // in PULONG (PROCESS_CREATION_DESKTOP_APP_*) + PsAttributeChpe, // in BOOLEAN // since REDSTONE3 + PsAttributeMitigationAuditOptions, // in PPS_MITIGATION_AUDIT_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_AUDIT_POLICY_*) // since 21H1 + PsAttributeMachineType, // in USHORT // since 21H2 + PsAttributeComponentFilter, + PsAttributeEnableOptionalXStateFeatures, // since WIN11 + PsAttributeSupportedMachines, // since 24H2 + PsAttributeSveVectorLength, // PPS_PROCESS_CREATION_SVE_VECTOR_LENGTH + PsAttributeMax +} PS_ATTRIBUTE_NUM; + +struct SYSTEM_PROCESSOR_INFORMATION64 +{ + USHORT ProcessorArchitecture; + USHORT ProcessorLevel; + USHORT ProcessorRevision; + USHORT MaximumProcessors; + ULONG ProcessorFeatureBits; +}; + +#ifndef OS_WINDOWS + +typedef struct _M128A { + ULONGLONG Low; + LONGLONG High; +} M128A, *PM128A; + +typedef struct _XMM_SAVE_AREA32 { + WORD ControlWord; + WORD StatusWord; + BYTE TagWord; + BYTE Reserved1; + WORD ErrorOpcode; + DWORD ErrorOffset; + WORD ErrorSelector; + WORD Reserved2; + DWORD DataOffset; + WORD DataSelector; + WORD Reserved3; + DWORD MxCsr; + DWORD MxCsr_Mask; + M128A FloatRegisters[8]; + M128A XmmRegisters[16]; + BYTE Reserved4[96]; +} XMM_SAVE_AREA32, *PXMM_SAVE_AREA32; + +#endif + +typedef struct _NEON128 { + ULONGLONG Low; + LONGLONG High; +} NEON128; + +typedef struct DECLSPEC_ALIGN(16) _CONTEXT64 { + DWORD64 P1Home; + DWORD64 P2Home; + DWORD64 P3Home; + DWORD64 P4Home; + DWORD64 P5Home; + DWORD64 P6Home; + DWORD ContextFlags; + DWORD MxCsr; + WORD SegCs; + WORD SegDs; + WORD SegEs; + WORD SegFs; + WORD SegGs; + WORD SegSs; + DWORD EFlags; + DWORD64 Dr0; + DWORD64 Dr1; + DWORD64 Dr2; + DWORD64 Dr3; + DWORD64 Dr6; + DWORD64 Dr7; + DWORD64 Rax; + DWORD64 Rcx; + DWORD64 Rdx; + DWORD64 Rbx; + DWORD64 Rsp; + DWORD64 Rbp; + DWORD64 Rsi; + DWORD64 Rdi; + DWORD64 R8; + DWORD64 R9; + DWORD64 R10; + DWORD64 R11; + DWORD64 R12; + DWORD64 R13; + DWORD64 R14; + DWORD64 R15; + DWORD64 Rip; + union { + XMM_SAVE_AREA32 FltSave; + NEON128 Q[16]; + ULONGLONG D[32]; + struct { + M128A Header[2]; + M128A Legacy[8]; + M128A Xmm0; + M128A Xmm1; + M128A Xmm2; + M128A Xmm3; + M128A Xmm4; + M128A Xmm5; + M128A Xmm6; + M128A Xmm7; + M128A Xmm8; + M128A Xmm9; + M128A Xmm10; + M128A Xmm11; + M128A Xmm12; + M128A Xmm13; + M128A Xmm14; + M128A Xmm15; + }; + DWORD S[32]; + }; + M128A VectorRegister[26]; + DWORD64 VectorControl; + DWORD64 DebugControl; + DWORD64 LastBranchToRip; + DWORD64 LastBranchFromRip; + DWORD64 LastExceptionToRip; + DWORD64 LastExceptionFromRip; +} CONTEXT64, *PCONTEXT64; + +template +struct EMU_EXCEPTION_RECORD +{ + DWORD ExceptionCode; + DWORD ExceptionFlags; + EMULATOR_CAST(typename Traits::PVOID, struct EMU_EXCEPTION_RECORD *) ExceptionRecord; + typename Traits::PVOID ExceptionAddress; + DWORD NumberParameters; + typename Traits::ULONG_PTR ExceptionInformation[15]; +}; + +template +struct EMU_EXCEPTION_POINTERS +{ + EMULATOR_CAST(typename Traits::PVOID, EMU_EXCEPTION_RECORD*) ExceptionRecord; + EMULATOR_CAST(typename Traits::PVOID, CONTEXT64* or CONTEXT32*) ContextRecord; +}; + +#define MAXIMUM_NODE_COUNT64 0x40 +#define MAXIMUM_NODE_COUNT32 0x10 + +struct EMU_GROUP_AFFINITY64 +{ + EMULATOR_CAST(std::uint64_t, KAFFINITY) Mask; + WORD Group; + WORD Reserved[3]; +}; + +typedef struct _SYSTEM_NUMA_INFORMATION64 +{ + ULONG HighestNodeNumber; + ULONG Reserved; + union + { + EMU_GROUP_AFFINITY64 ActiveProcessorsGroupAffinity[MAXIMUM_NODE_COUNT64]; + ULONGLONG AvailableMemory[MAXIMUM_NODE_COUNT64]; + ULONGLONG Pad[MAXIMUM_NODE_COUNT64 * 2]; + }; +} SYSTEM_NUMA_INFORMATION64, *PSYSTEM_NUMA_INFORMATION64; + +typedef struct _SYSTEM_ERROR_PORT_TIMEOUTS +{ + ULONG StartTimeout; + ULONG CommTimeout; +} SYSTEM_ERROR_PORT_TIMEOUTS, *PSYSTEM_ERROR_PORT_TIMEOUTS; + +typedef struct _SYSTEM_BASIC_INFORMATION64 +{ + ULONG Reserved; + ULONG TimerResolution; + ULONG PageSize; + ULONG NumberOfPhysicalPages; + ULONG LowestPhysicalPageNumber; + ULONG HighestPhysicalPageNumber; + ULONG AllocationGranularity; + EMULATOR_CAST(EmulatorTraits::PVOID, ULONG_PTR) MinimumUserModeAddress; + EMULATOR_CAST(EmulatorTraits::PVOID, ULONG_PTR) MaximumUserModeAddress; + EMULATOR_CAST(EmulatorTraits::PVOID, KAFFINITY) ActiveProcessorsAffinityMask; + char NumberOfProcessors; +} SYSTEM_BASIC_INFORMATION64, *PSYSTEM_BASIC_INFORMATION64; + +typedef struct _SYSTEM_RANGE_START_INFORMATION64 +{ + EmulatorTraits::SIZE_T SystemRangeStart; +} SYSTEM_RANGE_START_INFORMATION64, *PSYSTEM_RANGE_START_INFORMATION64; + +struct SID_AND_ATTRIBUTES64 { + EMULATOR_CAST(EmulatorTraits::PVOID, PSID) Sid; + DWORD Attributes; +}; + +struct TOKEN_USER64 { + SID_AND_ATTRIBUTES64 User; +}; + +struct GDI_HANDLE_ENTRY64 +{ + union + { + EmulatorTraits::PVOID Object; + EmulatorTraits::PVOID NextFree; + }; + union + { + struct + { + USHORT ProcessId; + USHORT Lock : 1; + USHORT Count : 15; + }; + ULONG Value; + } Owner; + USHORT Unique; + UCHAR Type; + UCHAR Flags; + EmulatorTraits::PVOID UserPointer; +}; + +#define GDI_MAX_HANDLE_COUNT 0xFFFF // 0x4000 + +struct GDI_SHARED_MEMORY64 +{ + GDI_HANDLE_ENTRY64 Handles[GDI_MAX_HANDLE_COUNT]; +}; + +struct CLIENT_ID64 +{ + DWORD64 UniqueProcess; + DWORD64 UniqueThread; +}; + +struct PORT_MESSAGE64 +{ + union + { + struct + { + CSHORT DataLength; + CSHORT TotalLength; + } s1; + ULONG Length; + } u1; + union + { + struct + { + CSHORT Type; + CSHORT DataInfoOffset; + } s2; + ULONG ZeroInit; + } u2; + union + { + CLIENT_ID64 ClientId; + double DoNotUseThisField; + }; + ULONG MessageId; + union + { + EmulatorTraits::SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages + ULONG CallbackId; // only valid for LPC_REQUEST messages + }; +}; + +struct ALPC_MESSAGE_ATTRIBUTES +{ + ULONG AllocatedAttributes; + ULONG ValidAttributes; +}; + +template +struct PORT_DATA_ENTRY +{ + typename Traits::PVOID Base; + ULONG Size; +}; + + +template +struct EMU_RTL_SRWLOCK { + typename Traits::PVOID Ptr; +}; \ No newline at end of file diff --git a/src/common/platform/registry.hpp b/src/common/platform/registry.hpp new file mode 100644 index 00000000..a858c566 --- /dev/null +++ b/src/common/platform/registry.hpp @@ -0,0 +1,64 @@ +#pragma once + +typedef enum _KEY_INFORMATION_CLASS +{ + KeyBasicInformation, // KEY_BASIC_INFORMATION + KeyNodeInformation, // KEY_NODE_INFORMATION + KeyFullInformation, // KEY_FULL_INFORMATION + KeyNameInformation, // KEY_NAME_INFORMATION + KeyCachedInformation, // KEY_CACHED_INFORMATION + KeyFlagsInformation, // KEY_FLAGS_INFORMATION + KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION + KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION + KeyTrustInformation, // KEY_TRUST_INFORMATION + KeyLayerInformation, // KEY_LAYER_INFORMATION + MaxKeyInfoClass +} KEY_INFORMATION_CLASS; + +typedef enum _KEY_VALUE_INFORMATION_CLASS +{ + KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION + KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION + KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 + KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION + MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +struct KEY_NAME_INFORMATION +{ + std::uint32_t NameLength; + char16_t Name[1]; +}; + +struct KEY_HANDLE_TAGS_INFORMATION +{ + ULONG HandleTags; +}; + +struct KEY_VALUE_BASIC_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG NameLength; + char16_t Name[1]; +}; + +struct KEY_VALUE_PARTIAL_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; +}; + +struct KEY_VALUE_FULL_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG DataOffset; + ULONG DataLength; + ULONG NameLength; + char16_t Name[1]; +}; \ No newline at end of file diff --git a/src/common/platform/status.hpp b/src/common/platform/status.hpp new file mode 100644 index 00000000..f60a6369 --- /dev/null +++ b/src/common/platform/status.hpp @@ -0,0 +1,42 @@ +#pragma once + +#include + +using NTSTATUS = std::uint32_t; + +#ifndef OS_WINDOWS +#define STATUS_WAIT_0 ((NTSTATUS)0x00000000L) +#define STATUS_TIMEOUT ((NTSTATUS)0x00000102L) + +#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005L) +#define STATUS_INVALID_HANDLE ((NTSTATUS)0xC0000008L) +#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL) + +#define STATUS_PENDING ((DWORD)0x00000103L) +#endif + +#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) + +#define STATUS_UNSUCCESSFUL ((NTSTATUS)0x00000001L) +#define STATUS_ALERTED ((NTSTATUS)0x00000101L) + +#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) +#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L) +#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L) +#define STATUS_NO_TOKEN ((NTSTATUS)0xC000007CL) +#define STATUS_FILE_INVALID ((NTSTATUS)0xC0000098L) +#define STATUS_MEMORY_NOT_ALLOCATED ((NTSTATUS)0xC00000A0L) +#define STATUS_FILE_IS_A_DIRECTORY ((NTSTATUS)0xC00000BAL) +#define STATUS_NOT_SUPPORTED ((NTSTATUS)0xC00000BBL) +#define STATUS_INVALID_ADDRESS ((NTSTATUS)0xC0000141L) +#define STATUS_NOT_FOUND ((NTSTATUS)0xC0000225L) +#define STATUS_CONNECTION_REFUSED ((NTSTATUS)0xC0000236L) +#define STATUS_ADDRESS_ALREADY_ASSOCIATED ((NTSTATUS)0xC0000328L) + +#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L) + + + + +#define FILE_DEVICE_NETWORK 0x00000012 +#define FSCTL_AFD_BASE FILE_DEVICE_NETWORK \ No newline at end of file diff --git a/src/common/platform/synchronisation.hpp b/src/common/platform/synchronisation.hpp new file mode 100644 index 00000000..f65f4de1 --- /dev/null +++ b/src/common/platform/synchronisation.hpp @@ -0,0 +1,8 @@ +#pragma once + + +typedef enum _EVENT_TYPE +{ + NotificationEvent, + SynchronizationEvent +} EVENT_TYPE; \ No newline at end of file diff --git a/src/common/platform/threading.hpp b/src/common/platform/threading.hpp new file mode 100644 index 00000000..efcea64b --- /dev/null +++ b/src/common/platform/threading.hpp @@ -0,0 +1,84 @@ +#pragma once + + +typedef enum _THREADINFOCLASS +{ + ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION + ThreadTimes, // q: KERNEL_USER_TIMES + ThreadPriority, // s: KPRIORITY (requires SeIncreaseBasePriorityPrivilege) + ThreadBasePriority, // s: KPRIORITY + ThreadAffinityMask, // s: KAFFINITY + ThreadImpersonationToken, // s: HANDLE + ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY) + ThreadEnableAlignmentFaultFixup, // s: BOOLEAN + ThreadEventPair, + ThreadQuerySetWin32StartAddress, // q: ULONG_PTR + ThreadZeroTlsCell, // s: ULONG // TlsIndex // 10 + ThreadPerformanceCount, // q: LARGE_INTEGER + ThreadAmILastThread, // q: ULONG + ThreadIdealProcessor, // s: ULONG + ThreadPriorityBoost, // qs: ULONG + ThreadSetTlsArrayAddress, // s: ULONG_PTR // Obsolete + ThreadIsIoPending, // q: ULONG + ThreadHideFromDebugger, // q: BOOLEAN; s: void + ThreadBreakOnTermination, // qs: ULONG + ThreadSwitchLegacyState, // s: void // NtCurrentThread // NPX/FPU + ThreadIsTerminated, // q: ULONG // 20 + ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION + ThreadIoPriority, // qs: IO_PRIORITY_HINT (requires SeIncreaseBasePriorityPrivilege) + ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION + ThreadPagePriority, // qs: PAGE_PRIORITY_INFORMATION + ThreadActualBasePriority, // s: LONG (requires SeIncreaseBasePriorityPrivilege) + ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT) + ThreadCSwitchMon, // Obsolete + ThreadCSwitchPmu, + ThreadWow64Context, // qs: WOW64_CONTEXT, ARM_NT_CONTEXT since 20H1 + ThreadGroupInformation, // qs: GROUP_AFFINITY // 30 + ThreadUmsInformation, // q: THREAD_UMS_INFORMATION // Obsolete + ThreadCounterProfiling, // q: BOOLEAN; s: THREAD_PROFILING_INFORMATION? + ThreadIdealProcessorEx, // qs: PROCESSOR_NUMBER; s: previous PROCESSOR_NUMBER on return + ThreadCpuAccountingInformation, // q: BOOLEAN; s: HANDLE (NtOpenSession) // NtCurrentThread // since WIN8 + ThreadSuspendCount, // q: ULONG // since WINBLUE + ThreadHeterogeneousCpuPolicy, // q: KHETERO_CPU_POLICY // since THRESHOLD + ThreadContainerId, // q: GUID + ThreadNameInformation, // qs: THREAD_NAME_INFORMATION + ThreadSelectedCpuSets, + ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40 + ThreadActualGroupAffinity, // q: GROUP_AFFINITY // since THRESHOLD2 + ThreadDynamicCodePolicyInfo, // q: ULONG; s: ULONG (NtCurrentThread) + ThreadExplicitCaseSensitivity, // qs: ULONG; s: 0 disables, otherwise enables + ThreadWorkOnBehalfTicket, // RTL_WORK_ON_BEHALF_TICKET_EX + ThreadSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 + ThreadDbgkWerReportActive, // s: ULONG; s: 0 disables, otherwise enables + ThreadAttachContainer, // s: HANDLE (job object) // NtCurrentThread + ThreadManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 + ThreadPowerThrottlingState, // POWER_THROTTLING_THREAD_STATE // since REDSTONE3 (set), WIN11 22H2 (query) + ThreadWorkloadClass, // THREAD_WORKLOAD_CLASS // since REDSTONE5 // 50 + ThreadCreateStateChange, // since WIN11 + ThreadApplyStateChange, + ThreadStrongerBadHandleChecks, // since 22H1 + ThreadEffectiveIoPriority, // q: IO_PRIORITY_HINT + ThreadEffectivePagePriority, // q: ULONG + ThreadUpdateLockOwnership, // since 24H2 + ThreadSchedulerSharedDataSlot, // SCHEDULER_SHARED_DATA_SLOT_INFORMATION + ThreadTebInformationAtomic, // THREAD_TEB_INFORMATION + ThreadIndexInformation, // THREAD_INDEX_INFORMATION + MaxThreadInfoClass +} THREADINFOCLASS; + + +template +struct THREAD_NAME_INFORMATION +{ + UNICODE_STRING ThreadName; +}; + +typedef struct _THREAD_BASIC_INFORMATION64 +{ + NTSTATUS ExitStatus; + PTEB64 TebBaseAddress; + CLIENT_ID64 ClientId; + EMULATOR_CAST(std::uint64_t, KAFFINITY) AffinityMask; + EMULATOR_CAST(std::uint32_t, KPRIORITY) Priority; + EMULATOR_CAST(std::uint32_t, KPRIORITY) BasePriority; +} THREAD_BASIC_INFORMATION64, *PTHREAD_BASIC_INFORMATION64; \ No newline at end of file diff --git a/src/common/platform/traits.hpp b/src/common/platform/traits.hpp new file mode 100644 index 00000000..f66b7060 --- /dev/null +++ b/src/common/platform/traits.hpp @@ -0,0 +1,32 @@ +#pragma once + +#include + +// used to retain original type "x" +#define EMULATOR_CAST(T, x) T + +struct Emu32 {}; +struct Emu64 {}; + +template +struct EmulatorTraits; + +template<> +struct EmulatorTraits +{ + using PVOID = std::uint32_t; + using ULONG_PTR = std::uint32_t; + using SIZE_T = std::uint32_t; + using UNICODE = char16_t; + using HANDLE = std::uint32_t; +}; + +template<> +struct EmulatorTraits +{ + using PVOID = std::uint64_t; + using ULONG_PTR = std::uint64_t; + using SIZE_T = std::uint64_t; + using UNICODE = char16_t; + using HANDLE = std::uint64_t; +}; \ No newline at end of file diff --git a/src/common/platform/unicode.hpp b/src/common/platform/unicode.hpp new file mode 100644 index 00000000..ec20ba66 --- /dev/null +++ b/src/common/platform/unicode.hpp @@ -0,0 +1,28 @@ +#pragma once + +#include + +template +struct UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + EMULATOR_CAST(typename Traits::PVOID, char16_t*) Buffer; +}; + +inline std::string u16_to_u8(std::u16string_view u16_view) { + std::string utf8_str; + utf8_str.reserve(u16_view.size() * 2); + for (char16_t ch : u16_view) { + if (ch <= 0x7F) { + utf8_str.push_back(static_cast(ch)); + } else if (ch <= 0x7FF) { + utf8_str.push_back(static_cast(0xC0 | (ch >> 6))); + utf8_str.push_back(static_cast(0x80 | (ch & 0x3F))); + } else { + utf8_str.push_back(static_cast(0xE0 | (ch >> 12))); + utf8_str.push_back(static_cast(0x80 | ((ch >> 6) & 0x3F))); + utf8_str.push_back(static_cast(0x80 | (ch & 0x3F))); + } + } + return utf8_str; +} \ No newline at end of file diff --git a/src/common/platform/win_pefile.hpp b/src/common/platform/win_pefile.hpp new file mode 100644 index 00000000..eeee6d7b --- /dev/null +++ b/src/common/platform/win_pefile.hpp @@ -0,0 +1,326 @@ +#pragma once + +#include + +#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory +#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory +#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory +#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory +#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory +#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table +#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory + // IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage) +#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data +#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP +#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory +#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory +#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers +#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table +#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors +#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor + +#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations. +#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded. +#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable. +#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable. +#define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable. +#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable. +#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable. +#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable. + +#define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code. +#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data. +#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data. + +#define IMAGE_REL_BASED_ABSOLUTE 0 +#define IMAGE_REL_BASED_HIGH 1 +#define IMAGE_REL_BASED_LOW 2 +#define IMAGE_REL_BASED_HIGHLOW 3 +#define IMAGE_REL_BASED_HIGHADJ 4 +#define IMAGE_REL_BASED_MIPS_JMPADDR 5 +#define IMAGE_REL_BASED_ARM_MOV32A 5 +#define IMAGE_REL_BASED_ARM_MOV32 5 +#define IMAGE_REL_BASED_SECTION 6 +#define IMAGE_REL_BASED_REL 7 +#define IMAGE_REL_BASED_ARM_MOV32T 7 +#define IMAGE_REL_BASED_THUMB_MOV32 7 +#define IMAGE_REL_BASED_MIPS_JMPADDR16 9 +#define IMAGE_REL_BASED_IA64_IMM64 9 +#define IMAGE_REL_BASED_DIR64 10 +#define IMAGE_REL_BASED_HIGH3ADJ 11 + +#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 +#define IMAGE_FILE_DLL 0x2000 + +#define IMAGE_FILE_MACHINE_I386 0x014c +#define IMAGE_FILE_MACHINE_AMD64 0x8664 + +#define PROCESSOR_ARCHITECTURE_AMD64 9 + +enum class PEMachineType : std::uint16_t +{ + UNKNOWN = 0, + I386 = 0x014c, // Intel 386. + R3000 = 0x0162, // MIPS little-endian, 0x160 big-endian + R4000 = 0x0166, // MIPS little-endian + R10000 = 0x0168, // MIPS little-endian + WCEMIPSV2 = 0x0169, // MIPS little-endian WCE v2 + ALPHA = 0x0184, // Alpha_AXP + SH3 = 0x01a2, // SH3 little-endian + SH3DSP = 0x01a3, + SH3E = 0x01a4, // SH3E little-endian + SH4 = 0x01a6, // SH4 little-endian + SH5 = 0x01a8, // SH5 + ARM = 0x01c0, // ARM Little-Endian + THUMB = 0x01c2, // ARM Thumb/Thumb-2 Little-Endian + ARMNT = 0x01c4, // ARM Thumb-2 Little-Endian + AM33 = 0x01d3, + POWERPC = 0x01F0, // IBM PowerPC Little-Endian + POWERPCFP = 0x01f1, + IA64 = 0x0200, // Intel 64 + MIPS16 = 0x0266, // MIPS + ALPHA64 = 0x0284, // ALPHA64 + MIPSFPU = 0x0366, // MIPS + MIPSFPU16 = 0x0466, // MIPS + AXP64 = ALPHA64, + TRICORE = 0x0520, // Infineon + CEF = 0x0CEF, + EBC = 0x0EBC, // EFI Byte Code + AMD64 = 0x8664, // AMD64 (K8) + M32R = 0x9041, // M32R little-endian + CEE = 0xC0EE, +}; + + + +#pragma pack(push, 4) + +template +struct PEOptionalHeaderBasePart2_t {}; + +template<> +struct PEOptionalHeaderBasePart2_t < std::uint32_t > +{ + std::uint32_t BaseOfData; + std::uint32_t ImageBase; +}; + +template<> +struct PEOptionalHeaderBasePart2_t < std::uint64_t > +{ + std::uint64_t ImageBase; +}; + +template +struct PEOptionalHeaderBasePart1_t +{ + enum + { + k_NumberOfDataDirectors = 16 + }; + uint16_t Magic; + uint8_t MajorLinkerVersion; + uint8_t MinorLinkerVersion; + uint32_t SizeOfCode; + uint32_t SizeOfInitializedData; + uint32_t SizeOfUninitializedData; + uint32_t AddressOfEntryPoint; + uint32_t BaseOfCode; +}; + + +struct PEDirectory_t2 +{ + std::uint32_t VirtualAddress; + std::uint32_t Size; +}; + +template +struct PEOptionalHeaderBasePart3_t : PEOptionalHeaderBasePart1_t, PEOptionalHeaderBasePart2_t +{ + uint32_t SectionAlignment; + uint32_t FileAlignment; + uint16_t MajorOperatingSystemVersion; + uint16_t MinorOperatingSystemVersion; + uint16_t MajorImageVersion; + uint16_t MinorImageVersion; + uint16_t MajorSubsystemVersion; + uint16_t MinorSubsystemVersion; + uint32_t Win32VersionValue; + uint32_t SizeOfImage; + uint32_t SizeOfHeaders; + uint32_t CheckSum; + uint16_t Subsystem; + uint16_t DllCharacteristics; + T SizeOfStackReserve; + T SizeOfStackCommit; + T SizeOfHeapReserve; + T SizeOfHeapCommit; + uint32_t LoaderFlags; + uint32_t NumberOfRvaAndSizes; + PEDirectory_t2 DataDirectory[PEOptionalHeaderBasePart1_t::k_NumberOfDataDirectors]; +}; + +template +struct PEOptionalHeader_t {}; + +template<> +struct PEOptionalHeader_t : PEOptionalHeaderBasePart3_t +{ + enum + { + k_Magic = 0x10b, // IMAGE_NT_OPTIONAL_HDR32_MAGIC + }; +}; + +template<> +struct PEOptionalHeader_t : PEOptionalHeaderBasePart3_t +{ + enum + { + k_Magic = 0x20b, // IMAGE_NT_OPTIONAL_HDR64_MAGIC + }; +}; + +struct PEFileHeader_t +{ + PEMachineType Machine; + std::uint16_t NumberOfSections; + std::uint32_t TimeDateStamp; + std::uint32_t PointerToSymbolTable; + std::uint32_t NumberOfSymbols; + std::uint16_t SizeOfOptionalHeader; + std::uint16_t Characteristics; +}; + +template +struct PENTHeaders_t +{ + enum + { + k_Signature = 0x00004550, // IMAGE_NT_SIGNATURE + }; + uint32_t Signature; + PEFileHeader_t FileHeader; + PEOptionalHeader_t OptionalHeader; +}; + +struct PEDosHeader_t +{ + enum + { + k_Magic = 0x5A4D + }; + std::uint16_t e_magic; // Magic number ( k_Magic ) + std::uint16_t e_cblp; // Bytes on last page of file + std::uint16_t e_cp; // Pages in file + std::uint16_t e_crlc; // Relocations + std::uint16_t e_cparhdr; // Size of header in paragraphs + std::uint16_t e_minalloc; // Minimum extra paragraphs needed + std::uint16_t e_maxalloc; // Maximum extra paragraphs needed + std::uint16_t e_ss; // Initial (relative) SS value + std::uint16_t e_sp; // Initial SP value + std::uint16_t e_csum; // Checksum + std::uint16_t e_ip; // Initial IP value + std::uint16_t e_cs; // Initial (relative) CS value + std::uint16_t e_lfarlc; // File address of relocation table + std::uint16_t e_ovno; // Overlay number + std::uint16_t e_res[4]; // Reserved words + std::uint16_t e_oemid; // OEM identifier (for e_oeminfo) + std::uint16_t e_oeminfo; // OEM information; e_oemid specific + std::uint16_t e_res2[10]; // Reserved words + std::uint32_t e_lfanew; // File address of new exe header +}; + +#pragma pack(pop) + +#define IMAGE_SIZEOF_SHORT_NAME 8 + +#ifndef OS_WINDOWS +typedef struct _IMAGE_SECTION_HEADER +{ + std::uint8_t Name[IMAGE_SIZEOF_SHORT_NAME]; + union { + std:: uint32_t PhysicalAddress; + std::uint32_t VirtualSize; + } Misc; + std::uint32_t VirtualAddress; + std::uint32_t SizeOfRawData; + std::uint32_t PointerToRawData; + std::uint32_t PointerToRelocations; + std::uint32_t PointerToLinenumbers; + std::uint16_t NumberOfRelocations; + std::uint16_t NumberOfLinenumbers; + std::uint32_t Characteristics; +} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; + +typedef struct _IMAGE_EXPORT_DIRECTORY { + DWORD Characteristics; + DWORD TimeDateStamp; + WORD MajorVersion; + WORD MinorVersion; + DWORD Name; + DWORD Base; + DWORD NumberOfFunctions; + DWORD NumberOfNames; + DWORD AddressOfFunctions; + DWORD AddressOfNames; + DWORD AddressOfNameOrdinals; +} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; + +typedef struct _IMAGE_BASE_RELOCATION { + DWORD VirtualAddress; + DWORD SizeOfBlock; + WORD TypeOffset[1]; +} IMAGE_BASE_RELOCATION, *PIMAGE_BASE_RELOCATION; + +#endif + +template +struct SECTION_IMAGE_INFORMATION +{ + typename Traits::PVOID TransferAddress; + ULONG ZeroBits; + typename Traits::SIZE_T MaximumStackSize; + typename Traits::SIZE_T CommittedStackSize; + ULONG SubSystemType; + union + { + struct + { + USHORT SubSystemMinorVersion; + USHORT SubSystemMajorVersion; + }; + ULONG SubSystemVersion; + }; + union + { + struct + { + USHORT MajorOperatingSystemVersion; + USHORT MinorOperatingSystemVersion; + }; + ULONG OperatingSystemVersion; + }; + USHORT ImageCharacteristics; + USHORT DllCharacteristics; + PEMachineType Machine; + BOOLEAN ImageContainsCode; + union + { + UCHAR ImageFlags; + struct + { + UCHAR ComPlusNativeReady : 1; + UCHAR ComPlusILOnly : 1; + UCHAR ImageDynamicallyRelocated : 1; + UCHAR ImageMappedFlat : 1; + UCHAR BaseBelow4gb : 1; + UCHAR ComPlusPrefer32bit : 1; + UCHAR Reserved : 2; + }; + }; + ULONG LoaderFlags; + ULONG ImageFileSize; + ULONG CheckSum; +}; diff --git a/src/unicorn-emulator/CMakeLists.txt b/src/unicorn-emulator/CMakeLists.txt index a6bedb3a..3b473f3b 100644 --- a/src/unicorn-emulator/CMakeLists.txt +++ b/src/unicorn-emulator/CMakeLists.txt @@ -13,4 +13,4 @@ target_include_directories(unicorn-emulator INTERFACE ) target_link_libraries(unicorn-emulator PUBLIC emulator) -target_link_libraries(unicorn-emulator PRIVATE unicorn) +target_link_libraries(unicorn-emulator PRIVATE unicorn common) diff --git a/src/windows-emulator/CMakeLists.txt b/src/windows-emulator/CMakeLists.txt index 7948efc7..0fb26ae9 100644 --- a/src/windows-emulator/CMakeLists.txt +++ b/src/windows-emulator/CMakeLists.txt @@ -20,7 +20,6 @@ target_link_libraries(windows-emulator PRIVATE target_link_libraries(windows-emulator PUBLIC emulator - phnt::phnt ) target_include_directories(windows-emulator INTERFACE