diff --git a/src/analyzer/main.cpp b/src/analyzer/main.cpp
index 0736280b..0c3c0476 100644
--- a/src/analyzer/main.cpp
+++ b/src/analyzer/main.cpp
@@ -64,12 +64,13 @@ namespace
 catch (const std::exception& e)
 {
 win_emu.log.print(color::red, "Emulation failed at: 0x%" PRIx64 " - %s\n",
- win_emu.emu().read_instruction_pointer(), e.what());
+ win_emu.emu().read_instruction_pointer(), e.what());
 throw;
 }
 catch (...)
 {
- win_emu.log.print(color::red, "Emulation failed at: 0x%" PRIx64 "\n", win_emu.emu().read_instruction_pointer());
+ win_emu.log.print(color::red, "Emulation failed at: 0x%" PRIx64 "\n",
+ win_emu.emu().read_instruction_pointer());
 throw;
 }
diff --git a/src/analyzer/object_watching.hpp b/src/analyzer/object_watching.hpp
index 25bfcdcc..f382de81 100644
--- a/src/analyzer/object_watching.hpp
+++ b/src/analyzer/object_watching.hpp
@@ -31,10 +31,10 @@ emulator_hook* watch_object(windows_emulator& emu, emulator_object object, co
 const auto offset = address - object.value();
 emu.log.print(is_main_access ? color::green : color::dark_gray,
- "Object access: %s - 0x%llX (%s) at 0x%llX (%s)\n",
- i.get_type_name().c_str(),
- offset,
- i.get_member_name(offset).c_str(), rip,
- mod ? mod->name.c_str() : "");
+ "Object access: %s - 0x%llX (%s) at 0x%llX (%s)\n",
+ i.get_type_name().c_str(),
+ offset,
+ i.get_member_name(offset).c_str(), rip,
+ mod ? mod->name.c_str() : "");
 });
 }
diff --git a/src/analyzer/std_include.hpp b/src/analyzer/std_include.hpp
index 57332229..43df7c99 100644
--- a/src/analyzer/std_include.hpp
+++ b/src/analyzer/std_include.hpp
@@ -27,4 +27,4 @@
 #include
-using namespace std::literals;
\ No newline at end of file
+using namespace std::literals;
diff --git a/src/common/network/address.cpp b/src/common/network/address.cpp
index 12e25508..1737804e 100644
--- a/src/common/network/address.cpp
+++ b/src/common/network/address.cpp
@@ -339,7 +339,7 @@ namespace network
 addrinfo* result = nullptr;
 if (!getaddrinfo(hostname.data(), nullptr, nullptr, &result))
 {
- const auto _2 = utils::finally([&result]()
+ const auto _2 = utils::finally([&result]
 {
 freeaddrinfo(result);
 });
diff --git a/src/common/network/socket.cpp b/src/common/network/socket.cpp
index c8d8fc2a..45991ff3 100644
--- a/src/common/network/socket.cpp
+++ b/src/common/network/socket.cpp
@@ -69,8 +69,8 @@ namespace network
 bool socket::send(const address& target, const void* data, const size_t size) const
 {
 const auto res = sendto(this->socket_, static_cast(data), static_cast(size), 0,
- &target.get_addr(),
- target.get_size());
+ &target.get_addr(),
+ target.get_size());
 return static_cast(res) == size;
 }
diff --git a/src/common/platform/compiler.hpp b/src/common/platform/compiler.hpp
index 51e9e46b..b8fca2ef 100644
--- a/src/common/platform/compiler.hpp
+++ b/src/common/platform/compiler.hpp
@@ -1,49 +1,44 @@
 #pragma once
 #if defined(_WIN32) || defined(_WIN64)
- #define OS_WINDOWS
+#define OS_WINDOWS
 #elif defined(__APPLE__) || defined(__MACH__)
- #define OS_MAC
+ #define OS_MAC
 #elif defined(__linux__)
- #define OS_LINUX
+#define OS_LINUX
 #else
- #error "Unsupported platform"
+#error "Unsupported platform"
 #endif
 #ifdef OS_WINDOWS
- #define EXPORT_SYMBOL __declspec(dllexport)
- #define IMPORT_SYMBOL __declspec(dllimport)
- #define NO_INLINE __declspec(noinline)
+#define EXPORT_SYMBOL __declspec(dllexport)
+#define IMPORT_SYMBOL __declspec(dllimport)
+#define NO_INLINE __declspec(noinline)
- #define DECLSPEC_ALIGN(n) __declspec(align(n))
- #define _fseeki64 _fseeki64
- #define _ftelli64 _ftelli64
- #define fopen_s fopen_s
+#define DECLSPEC_ALIGN(n) __declspec(align(n))
- #define RESTRICTED_POINTER
+#define RESTRICTED_POINTER
 #else
- #include
-
- #define EXPORT_SYMBOL __attribute__((visibility("default")))
- #define IMPORT_SYMBOL
- #define NO_INLINE __attribute__((noinline))
+#include
- #define DECLSPEC_ALIGN(n) alignas(n)
- #define fopen_s fopen
+#define EXPORT_SYMBOL __attribute__((visibility("default")))
+#define IMPORT_SYMBOL
+#define NO_INLINE __attribute__((noinline))
- #define RESTRICTED_POINTER __restrict
- // TODO: warning stdcall problem
- #define WINAPI
+#define DECLSPEC_ALIGN(n) alignas(n)
+#define fopen_s fopen
+
+#define RESTRICTED_POINTER __restrict
 #ifdef OS_MAC
- #define _fseeki64 fseeko
- #define _ftelli64 ftello
- #define _stat64 stat
+#define _fseeki64 fseeko
+#define _ftelli64 ftello
+#define _stat64 stat
 #else
- #define _fseeki64 fseeko64
- #define _ftelli64 ftello64
- #define _stat64 stat64
+#define _fseeki64 fseeko64
+#define _ftelli64 ftello64
+#define _stat64 stat64
 #endif
-#endif
\ No newline at end of file
+#endif
diff --git a/src/common/platform/file_management.hpp b/src/common/platform/file_management.hpp
index 48c42332..57e6d403 100644
--- a/src/common/platform/file_management.hpp
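Review bot: The non-Windows branch of this hunk drops the empty `#define WINAPI` and its `// TODO: warning stdcall problem` marker along with the re-indentation, which is a behavioural change buried in a formatting commit; any non-Windows translation unit that still spells `WINAPI` will stop compiling unless the macro is now defined elsewhere, so either keep the line or move that removal (and the removal of the Windows-side identity macros `#define _fseeki64 _fseeki64`, `#define _ftelli64 _ftelli64`, `#define fopen_s fopen_s`, which is harmless) into its own commit where it is visible. On the same side, `#define OS_MAC` appears to keep its leading indentation while every other directive in the file lost it — if that is not an artifact of how this page was rendered, it should be unindented like its siblings. Pre-existing but worth a comment now that the line is touched: `#define fopen_s fopen` maps the three-argument `fopen_s(FILE**, const char*, const char*)` onto the two-argument `fopen`, so a call written against the `fopen_s` signature will not compile on non-Windows unless callers go through a wrapper; a one-line note such as `// NOTE: callers must use the fopen() argument order, not fopen_s()` would save the next reader a build failure.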
+++ b/src/common/platform/file_management.hpp 
@@ -73,151 +73,174 @@ typedef enum _FSINFOCLASS { - FileFsVolumeInformation = 1, // q: FILE_FS_VOLUME_INFORMATION - FileFsLabelInformation, // s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) - FileFsSizeInformation, // q: FILE_FS_SIZE_INFORMATION - FileFsDeviceInformation, // q: FILE_FS_DEVICE_INFORMATION - FileFsAttributeInformation, // q: FILE_FS_ATTRIBUTE_INFORMATION - FileFsControlInformation, // q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) - FileFsFullSizeInformation, // q: FILE_FS_FULL_SIZE_INFORMATION - FileFsObjectIdInformation, // q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) - FileFsDriverPathInformation, // q: FILE_FS_DRIVER_PATH_INFORMATION - FileFsVolumeFlagsInformation, // q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume) // 10 - FileFsSectorSizeInformation, // q: FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8 - FileFsDataCopyInformation, // q: FILE_FS_DATA_COPY_INFORMATION - FileFsMetadataSizeInformation, // q: FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD - FileFsFullSizeInformationEx, // q: FILE_FS_FULL_SIZE_INFORMATION_EX // since REDSTONE5 - FileFsGuidInformation, // q: FILE_FS_GUID_INFORMATION // since 23H2 - FileFsMaximumInformation + FileFsVolumeInformation = 1, // q: FILE_FS_VOLUME_INFORMATION + FileFsLabelInformation, // s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) + FileFsSizeInformation, // q: FILE_FS_SIZE_INFORMATION + FileFsDeviceInformation, // q: FILE_FS_DEVICE_INFORMATION + FileFsAttributeInformation, // q: FILE_FS_ATTRIBUTE_INFORMATION + FileFsControlInformation, + // q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) + FileFsFullSizeInformation, // q: FILE_FS_FULL_SIZE_INFORMATION + FileFsObjectIdInformation, // q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) 
+ FileFsDriverPathInformation, // q: FILE_FS_DRIVER_PATH_INFORMATION + FileFsVolumeFlagsInformation, + // q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume) // 10 + FileFsSectorSizeInformation, // q: FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8 + FileFsDataCopyInformation, // q: FILE_FS_DATA_COPY_INFORMATION + FileFsMetadataSizeInformation, // q: FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD + FileFsFullSizeInformationEx, // q: FILE_FS_FULL_SIZE_INFORMATION_EX // since REDSTONE5 + FileFsGuidInformation, // q: FILE_FS_GUID_INFORMATION // since 23H2 + FileFsMaximumInformation } FSINFOCLASS, *PFSINFOCLASS; + typedef enum _FSINFOCLASS FS_INFORMATION_CLASS; typedef enum _FILE_INFORMATION_CLASS { - FileDirectoryInformation = 1, // q: FILE_DIRECTORY_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileFullDirectoryInformation, // q: FILE_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileBothDirectoryInformation, // q: FILE_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileBasicInformation, // q; s: FILE_BASIC_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - FileStandardInformation, // q: FILE_STANDARD_INFORMATION, FILE_STANDARD_INFORMATION_EX - FileInternalInformation, // q: FILE_INTERNAL_INFORMATION - FileEaInformation, // q: FILE_EA_INFORMATION - FileAccessInformation, // q: FILE_ACCESS_INFORMATION - FileNameInformation, // q: FILE_NAME_INFORMATION - FileRenameInformation, // s: FILE_RENAME_INFORMATION (requires DELETE) // 10 - FileLinkInformation, // s: FILE_LINK_INFORMATION - FileNamesInformation, // q: FILE_NAMES_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileDispositionInformation, // s: FILE_DISPOSITION_INFORMATION (requires DELETE) - FilePositionInformation, // q; s: FILE_POSITION_INFORMATION - FileFullEaInformation, // 
FILE_FULL_EA_INFORMATION - FileModeInformation, // q; s: FILE_MODE_INFORMATION - FileAlignmentInformation, // q: FILE_ALIGNMENT_INFORMATION - FileAllInformation, // q: FILE_ALL_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileAllocationInformation, // s: FILE_ALLOCATION_INFORMATION (requires FILE_WRITE_DATA) - FileEndOfFileInformation, // s: FILE_END_OF_FILE_INFORMATION (requires FILE_WRITE_DATA) // 20 - FileAlternateNameInformation, // q: FILE_NAME_INFORMATION - FileStreamInformation, // q: FILE_STREAM_INFORMATION - FilePipeInformation, // q; s: FILE_PIPE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - FilePipeLocalInformation, // q: FILE_PIPE_LOCAL_INFORMATION (requires FILE_READ_ATTRIBUTES) - FilePipeRemoteInformation, // q; s: FILE_PIPE_REMOTE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - FileMailslotQueryInformation, // q: FILE_MAILSLOT_QUERY_INFORMATION - FileMailslotSetInformation, // s: FILE_MAILSLOT_SET_INFORMATION - FileCompressionInformation, // q: FILE_COMPRESSION_INFORMATION - FileObjectIdInformation, // q: FILE_OBJECTID_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileCompletionInformation, // s: FILE_COMPLETION_INFORMATION // 30 - FileMoveClusterInformation, // s: FILE_MOVE_CLUSTER_INFORMATION (requires FILE_WRITE_DATA) - FileQuotaInformation, // q: FILE_QUOTA_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileReparsePointInformation, // q: FILE_REPARSE_POINT_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileNetworkOpenInformation, // q: FILE_NETWORK_OPEN_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileAttributeTagInformation, // q: FILE_ATTRIBUTE_TAG_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileTrackingInformation, // s: FILE_TRACKING_INFORMATION (requires FILE_WRITE_DATA) - FileIdBothDirectoryInformation, // q: FILE_ID_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) 
(NtQueryDirectoryFile[Ex]) - FileIdFullDirectoryInformation, // q: FILE_ID_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileValidDataLengthInformation, // s: FILE_VALID_DATA_LENGTH_INFORMATION (requires FILE_WRITE_DATA and/or SeManageVolumePrivilege) - FileShortNameInformation, // s: FILE_NAME_INFORMATION (requires DELETE) // 40 - FileIoCompletionNotificationInformation, // q; s: FILE_IO_COMPLETION_NOTIFICATION_INFORMATION (q: requires FILE_READ_ATTRIBUTES) // since VISTA - FileIoStatusBlockRangeInformation, // s: FILE_IOSTATUSBLOCK_RANGE_INFORMATION (requires SeLockMemoryPrivilege) - FileIoPriorityHintInformation, // q; s: FILE_IO_PRIORITY_HINT_INFORMATION, FILE_IO_PRIORITY_HINT_INFORMATION_EX (q: requires FILE_READ_DATA) - FileSfioReserveInformation, // q; s: FILE_SFIO_RESERVE_INFORMATION (q: requires FILE_READ_DATA) - FileSfioVolumeInformation, // q: FILE_SFIO_VOLUME_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileHardLinkInformation, // q: FILE_LINKS_INFORMATION - FileProcessIdsUsingFileInformation, // q: FILE_PROCESS_IDS_USING_FILE_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileNormalizedNameInformation, // q: FILE_NAME_INFORMATION - FileNetworkPhysicalNameInformation, // q: FILE_NETWORK_PHYSICAL_NAME_INFORMATION - FileIdGlobalTxDirectoryInformation, // q: FILE_ID_GLOBAL_TX_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since WIN7 // 50 - FileIsRemoteDeviceInformation, // q: FILE_IS_REMOTE_DEVICE_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileUnusedInformation, - FileNumaNodeInformation, // q: FILE_NUMA_NODE_INFORMATION - FileStandardLinkInformation, // q: FILE_STANDARD_LINK_INFORMATION - FileRemoteProtocolInformation, // q: FILE_REMOTE_PROTOCOL_INFORMATION - FileRenameInformationBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION // since WIN8 - FileLinkInformationBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION - FileVolumeNameInformation, // q: 
FILE_VOLUME_NAME_INFORMATION - FileIdInformation, // q: FILE_ID_INFORMATION - FileIdExtdDirectoryInformation, // q: FILE_ID_EXTD_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // 60 - FileReplaceCompletionInformation, // s: FILE_COMPLETION_INFORMATION // since WINBLUE - FileHardLinkFullIdInformation, // q: FILE_LINK_ENTRY_FULL_ID_INFORMATION // FILE_LINKS_FULL_ID_INFORMATION - FileIdExtdBothDirectoryInformation, // q: FILE_ID_EXTD_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since THRESHOLD - FileDispositionInformationEx, // s: FILE_DISPOSITION_INFO_EX (requires DELETE) // since REDSTONE - FileRenameInformationEx, // s: FILE_RENAME_INFORMATION_EX - FileRenameInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION_EX - FileDesiredStorageClassInformation, // q; s: FILE_DESIRED_STORAGE_CLASS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since REDSTONE2 - FileStatInformation, // q: FILE_STAT_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileMemoryPartitionInformation, // s: FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3 - FileStatLxInformation, // q: FILE_STAT_LX_INFORMATION (requires FILE_READ_ATTRIBUTES and FILE_READ_EA) // since REDSTONE4 // 70 - FileCaseSensitiveInformation, // q; s: FILE_CASE_SENSITIVE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - FileLinkInformationEx, // s: FILE_LINK_INFORMATION_EX // since REDSTONE5 - FileLinkInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION_EX - FileStorageReserveIdInformation, // q; s: FILE_STORAGE_RESERVE_ID_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - FileCaseSensitiveInformationForceAccessCheck, // q; s: FILE_CASE_SENSITIVE_INFORMATION - FileKnownFolderInformation, // q; s: FILE_KNOWN_FOLDER_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since 
WIN11 - FileStatBasicInformation, // since 23H2 - FileId64ExtdDirectoryInformation, // FILE_ID_64_EXTD_DIR_INFORMATION - FileId64ExtdBothDirectoryInformation, // FILE_ID_64_EXTD_BOTH_DIR_INFORMATION - FileIdAllExtdDirectoryInformation, // FILE_ID_ALL_EXTD_DIR_INFORMATION - FileIdAllExtdBothDirectoryInformation, // FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION - FileStreamReservationInformation, // FILE_STREAM_RESERVATION_INFORMATION // since 24H2 - FileMupProviderInfo, // MUP_PROVIDER_INFORMATION - FileMaximumInformation + FileDirectoryInformation = 1, + // q: FILE_DIRECTORY_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileFullDirectoryInformation, + // q: FILE_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileBothDirectoryInformation, + // q: FILE_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileBasicInformation, + // q; s: FILE_BASIC_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileStandardInformation, // q: FILE_STANDARD_INFORMATION, FILE_STANDARD_INFORMATION_EX + FileInternalInformation, // q: FILE_INTERNAL_INFORMATION + FileEaInformation, // q: FILE_EA_INFORMATION + FileAccessInformation, // q: FILE_ACCESS_INFORMATION + FileNameInformation, // q: FILE_NAME_INFORMATION + FileRenameInformation, // s: FILE_RENAME_INFORMATION (requires DELETE) // 10 + FileLinkInformation, // s: FILE_LINK_INFORMATION + FileNamesInformation, // q: FILE_NAMES_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileDispositionInformation, // s: FILE_DISPOSITION_INFORMATION (requires DELETE) + FilePositionInformation, // q; s: FILE_POSITION_INFORMATION + FileFullEaInformation, // FILE_FULL_EA_INFORMATION + FileModeInformation, // q; s: FILE_MODE_INFORMATION + FileAlignmentInformation, // q: FILE_ALIGNMENT_INFORMATION + FileAllInformation, // q: FILE_ALL_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileAllocationInformation, // s: 
FILE_ALLOCATION_INFORMATION (requires FILE_WRITE_DATA) + FileEndOfFileInformation, // s: FILE_END_OF_FILE_INFORMATION (requires FILE_WRITE_DATA) // 20 + FileAlternateNameInformation, // q: FILE_NAME_INFORMATION + FileStreamInformation, // q: FILE_STREAM_INFORMATION + FilePipeInformation, + // q; s: FILE_PIPE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FilePipeLocalInformation, // q: FILE_PIPE_LOCAL_INFORMATION (requires FILE_READ_ATTRIBUTES) + FilePipeRemoteInformation, + // q; s: FILE_PIPE_REMOTE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileMailslotQueryInformation, // q: FILE_MAILSLOT_QUERY_INFORMATION + FileMailslotSetInformation, // s: FILE_MAILSLOT_SET_INFORMATION + FileCompressionInformation, // q: FILE_COMPRESSION_INFORMATION + FileObjectIdInformation, // q: FILE_OBJECTID_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileCompletionInformation, // s: FILE_COMPLETION_INFORMATION // 30 + FileMoveClusterInformation, // s: FILE_MOVE_CLUSTER_INFORMATION (requires FILE_WRITE_DATA) + FileQuotaInformation, // q: FILE_QUOTA_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileReparsePointInformation, + // q: FILE_REPARSE_POINT_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileNetworkOpenInformation, // q: FILE_NETWORK_OPEN_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileAttributeTagInformation, // q: FILE_ATTRIBUTE_TAG_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileTrackingInformation, // s: FILE_TRACKING_INFORMATION (requires FILE_WRITE_DATA) + FileIdBothDirectoryInformation, + // q: FILE_ID_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileIdFullDirectoryInformation, + // q: FILE_ID_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) + FileValidDataLengthInformation, + // s: FILE_VALID_DATA_LENGTH_INFORMATION (requires FILE_WRITE_DATA and/or 
SeManageVolumePrivilege) + FileShortNameInformation, // s: FILE_NAME_INFORMATION (requires DELETE) // 40 + FileIoCompletionNotificationInformation, + // q; s: FILE_IO_COMPLETION_NOTIFICATION_INFORMATION (q: requires FILE_READ_ATTRIBUTES) // since VISTA + FileIoStatusBlockRangeInformation, // s: FILE_IOSTATUSBLOCK_RANGE_INFORMATION (requires SeLockMemoryPrivilege) + FileIoPriorityHintInformation, + // q; s: FILE_IO_PRIORITY_HINT_INFORMATION, FILE_IO_PRIORITY_HINT_INFORMATION_EX (q: requires FILE_READ_DATA) + FileSfioReserveInformation, // q; s: FILE_SFIO_RESERVE_INFORMATION (q: requires FILE_READ_DATA) + FileSfioVolumeInformation, // q: FILE_SFIO_VOLUME_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileHardLinkInformation, // q: FILE_LINKS_INFORMATION + FileProcessIdsUsingFileInformation, // q: FILE_PROCESS_IDS_USING_FILE_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileNormalizedNameInformation, // q: FILE_NAME_INFORMATION + FileNetworkPhysicalNameInformation, // q: FILE_NETWORK_PHYSICAL_NAME_INFORMATION + FileIdGlobalTxDirectoryInformation, + // q: FILE_ID_GLOBAL_TX_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since WIN7 // 50 + FileIsRemoteDeviceInformation, // q: FILE_IS_REMOTE_DEVICE_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileUnusedInformation, + FileNumaNodeInformation, // q: FILE_NUMA_NODE_INFORMATION + FileStandardLinkInformation, // q: FILE_STANDARD_LINK_INFORMATION + FileRemoteProtocolInformation, // q: FILE_REMOTE_PROTOCOL_INFORMATION + FileRenameInformationBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION // since WIN8 + FileLinkInformationBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION + FileVolumeNameInformation, // q: FILE_VOLUME_NAME_INFORMATION + FileIdInformation, // q: FILE_ID_INFORMATION + FileIdExtdDirectoryInformation, + // q: FILE_ID_EXTD_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // 60 + FileReplaceCompletionInformation, // s: 
FILE_COMPLETION_INFORMATION // since WINBLUE + FileHardLinkFullIdInformation, // q: FILE_LINK_ENTRY_FULL_ID_INFORMATION // FILE_LINKS_FULL_ID_INFORMATION + FileIdExtdBothDirectoryInformation, + // q: FILE_ID_EXTD_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since THRESHOLD + FileDispositionInformationEx, // s: FILE_DISPOSITION_INFO_EX (requires DELETE) // since REDSTONE + FileRenameInformationEx, // s: FILE_RENAME_INFORMATION_EX + FileRenameInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION_EX + FileDesiredStorageClassInformation, + // q; s: FILE_DESIRED_STORAGE_CLASS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since REDSTONE2 + FileStatInformation, // q: FILE_STAT_INFORMATION (requires FILE_READ_ATTRIBUTES) + FileMemoryPartitionInformation, // s: FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3 + FileStatLxInformation, + // q: FILE_STAT_LX_INFORMATION (requires FILE_READ_ATTRIBUTES and FILE_READ_EA) // since REDSTONE4 // 70 + FileCaseSensitiveInformation, + // q; s: FILE_CASE_SENSITIVE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileLinkInformationEx, // s: FILE_LINK_INFORMATION_EX // since REDSTONE5 + FileLinkInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION_EX + FileStorageReserveIdInformation, + // q; s: FILE_STORAGE_RESERVE_ID_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) + FileCaseSensitiveInformationForceAccessCheck, // q; s: FILE_CASE_SENSITIVE_INFORMATION + FileKnownFolderInformation, + // q; s: FILE_KNOWN_FOLDER_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since WIN11 + FileStatBasicInformation, // since 23H2 + FileId64ExtdDirectoryInformation, // FILE_ID_64_EXTD_DIR_INFORMATION + FileId64ExtdBothDirectoryInformation, // FILE_ID_64_EXTD_BOTH_DIR_INFORMATION + FileIdAllExtdDirectoryInformation, // 
FILE_ID_ALL_EXTD_DIR_INFORMATION + FileIdAllExtdBothDirectoryInformation, // FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION + FileStreamReservationInformation, // FILE_STREAM_RESERVATION_INFORMATION // since 24H2 + FileMupProviderInfo, // MUP_PROVIDER_INFORMATION + FileMaximumInformation } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; typedef enum _OBJECT_INFORMATION_CLASS { - ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION - ObjectNameInformation, // q: OBJECT_NAME_INFORMATION - ObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION - ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION - ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION - ObjectSessionInformation, // s: void // change object session // (requires SeTcbPrivilege) - ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege) - MaxObjectInfoClass + ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION + ObjectNameInformation, // q: OBJECT_NAME_INFORMATION + ObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION + ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION + ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION + ObjectSessionInformation, // s: void // change object session // (requires SeTcbPrivilege) + ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege) + MaxObjectInfoClass } OBJECT_INFORMATION_CLASS; typedef enum _HARDERROR_RESPONSE_OPTION { - OptionAbortRetryIgnore, - OptionOk, - OptionOkCancel, - OptionRetryCancel, - OptionYesNo, - OptionYesNoCancel, - OptionShutdownSystem, - OptionOkNoWait, - OptionCancelTryContinue + OptionAbortRetryIgnore, + OptionOk, + OptionOkCancel, + OptionRetryCancel, + OptionYesNo, + OptionYesNoCancel, + OptionShutdownSystem, + OptionOkNoWait, + OptionCancelTryContinue } HARDERROR_RESPONSE_OPTION; typedef enum _HARDERROR_RESPONSE { - ResponseReturnToCaller, - ResponseNotHandled, - ResponseAbort, - ResponseCancel, - ResponseIgnore, - ResponseNo, - 
ResponseOk, - ResponseRetry, - ResponseYes, - ResponseTryAgain, - ResponseContinue + ResponseReturnToCaller, + ResponseNotHandled, + ResponseAbort, + ResponseCancel, + ResponseIgnore, + ResponseNo, + ResponseOk, + ResponseRetry, + ResponseYes, + ResponseTryAgain, + ResponseContinue } HARDERROR_RESPONSE; typedef USHORT RTL_ATOM; 
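Review bot: Where an enumerator's comment no longer fits on its line, the new side moves it to the line below (`FileFsControlInformation,` followed by `// q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume)` and then `FileFsFullSizeInformation,`), so the comment now reads as documenting the next enumerator; the same happens for `FileFsVolumeFlagsInformation` and for roughly twenty entries of `_FILE_INFORMATION_CLASS` (`FileDirectoryInformation`, `FileBasicInformation`, `FilePipeInformation`, `FileIdGlobalTxDirectoryInformation`, …). Put the wrapped comment above the enumerator it describes instead, e.g. `// q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume)` / `FileFsControlInformation,` / `FileFsFullSizeInformation, // q: FILE_FS_FULL_SIZE_INFORMATION`, or, if clang-format is the tool in use, fence these tables with `// clang-format off` and `// clang-format on` so the one-line-per-enumerator layout is preserved. The `// 10`, `// 50`, `// 60`, `// 70` ordinal markers that now sit at the end of detached comment lines are how a reader checks the implicit numbering against the Windows headers, and a misread there silently changes which information class the emulator handles, so they should stay attached to their enumerator. The hunk also introduces `typedef enum _FSINFOCLASS FS_INFORMATION_CLASS;`, a new name rather than a reformat, which would be easier to find later in its own commit.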
@@ -225,108 +248,109 @@ typedef USHORT RTL_ATOM; template struct IO_STATUS_BLOCK { - union - { - NTSTATUS Status; - typename Traits::PVOID Pointer; - }; - typename Traits::ULONG_PTR Information; + union + { + NTSTATUS Status; + typename Traits::PVOID Pointer; + }; + + typename Traits::ULONG_PTR Information; }; template struct OBJECT_ATTRIBUTES { - ULONG Length; - typename Traits::HANDLE RootDirectory; - EMULATOR_CAST(typename Traits::PVOID, UNICODE_STRING*) ObjectName; - ULONG Attributes; - typename Traits::PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; - typename Traits::PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE + ULONG Length; + typename Traits::HANDLE RootDirectory; + EMULATOR_CAST(typename Traits::PVOID, UNICODE_STRING*) ObjectName; + ULONG Attributes; + typename Traits::PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; + typename Traits::PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE }; typedef struct _FILE_FS_DEVICE_INFORMATION { - DEVICE_TYPE DeviceType; - ULONG Characteristics; + DEVICE_TYPE DeviceType; + ULONG Characteristics; } FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION; typedef struct _FILE_POSITION_INFORMATION { - LARGE_INTEGER CurrentByteOffset; + LARGE_INTEGER CurrentByteOffset; } FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; typedef struct _FILE_STANDARD_INFORMATION { - LARGE_INTEGER AllocationSize; - LARGE_INTEGER EndOfFile; - ULONG NumberOfLinks; - BOOLEAN DeletePending; - BOOLEAN Directory; + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG NumberOfLinks; + BOOLEAN DeletePending; + BOOLEAN Directory; } FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; typedef struct _FILE_NAME_INFORMATION { - ULONG FileNameLength; - char16_t FileName[1]; -} FILE_NAME_INFORMATION, * PFILE_NAME_INFORMATION; + ULONG FileNameLength; + char16_t FileName[1]; +} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; typedef struct _FILE_BASIC_INFORMATION { - LARGE_INTEGER CreationTime; // 
Specifies the time that the file was created. - LARGE_INTEGER LastAccessTime; // Specifies the time that the file was last accessed. - LARGE_INTEGER LastWriteTime; // Specifies the time that the file was last written to. - LARGE_INTEGER ChangeTime; // Specifies the last time the file was changed. - ULONG FileAttributes; // Specifies one or more FILE_ATTRIBUTE_XXX flags. -} FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION; + LARGE_INTEGER CreationTime; // Specifies the time that the file was created. + LARGE_INTEGER LastAccessTime; // Specifies the time that the file was last accessed. + LARGE_INTEGER LastWriteTime; // Specifies the time that the file was last written to. + LARGE_INTEGER ChangeTime; // Specifies the last time the file was changed. + ULONG FileAttributes; // Specifies one or more FILE_ATTRIBUTE_XXX flags. +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; typedef struct _FILE_DIRECTORY_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - char16_t FileName[1]; -} FILE_DIRECTORY_INFORMATION, * PFILE_DIRECTORY_INFORMATION; + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + char16_t FileName[1]; +} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; typedef struct _FILE_FULL_DIR_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - char16_t 
FileName[1]; -} FILE_FULL_DIR_INFORMATION, * PFILE_FULL_DIR_INFORMATION; + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + ULONG EaSize; + char16_t FileName[1]; +} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; typedef struct _FILE_BOTH_DIR_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - char ShortNameLength; - char16_t ShortName[12]; - char16_t FileName[1]; -} FILE_BOTH_DIR_INFORMATION, * PFILE_BOTH_DIR_INFORMATION; + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + ULONG EaSize; + char ShortNameLength; + char16_t ShortName[12]; + char16_t FileName[1]; +} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; #ifndef OS_WINDOWS typedef BOOLEAN SECURITY_CONTEXT_TRACKING_MODE, 
@@ -343,17 +367,17 @@ typedef struct _SECURITY_QUALITY_OF_SERVICE
 typedef struct _PORT_VIEW64
 {
- ULONG Length;
- EMULATOR_CAST(std::uint64_t, HANDLE) SectionHandle;
- ULONG SectionOffset;
- EMULATOR_CAST(std::int64_t, SIZE_T) ViewSize;
- EmulatorTraits::PVOID ViewBase;
- EmulatorTraits::PVOID ViewRemoteBase;
+ ULONG Length;
+ EMULATOR_CAST(std::uint64_t, HANDLE) SectionHandle;
+ ULONG SectionOffset;
+ EMULATOR_CAST(std::int64_t, SIZE_T) ViewSize;
+ EmulatorTraits::PVOID ViewBase;
+ EmulatorTraits::PVOID ViewRemoteBase;
 } PORT_VIEW64, *PPORT_VIEW64;
 typedef struct _REMOTE_PORT_VIEW64
 {
- ULONG Length;
- EMULATOR_CAST(std::int64_t, SIZE_T) ViewSize;
- EmulatorTraits::PVOID ViewBase;
-} REMOTE_PORT_VIEW64, *PREMOTE_PORT_VIEW64;
\ No newline at end of file
+ ULONG Length;
+ EMULATOR_CAST(std::int64_t, SIZE_T) ViewSize;
+ EmulatorTraits::PVOID ViewBase;
+} REMOTE_PORT_VIEW64, *PREMOTE_PORT_VIEW64;
diff --git a/src/common/platform/kernel_mapped.hpp b/src/common/platform/kernel_mapped.hpp
index 28b56ea2..eba0cb63 100644
--- a/src/common/platform/kernel_mapped.hpp
+++ b/src/common/platform/kernel_mapped.hpp
@@ -17,30 +17,32 @@ typedef struct _EMU_NT_TIB64 { - struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList; - std::uint64_t* StackBase; - std::uint64_t* StackLimit; - std::uint64_t* SubSystemTib; - std::uint64_t* FibreData; - std::uint64_t* ArbitraryUserPointer; - struct _EMU_NT_TIB64 *Self; + struct _EXCEPTION_REGISTRATION_RECORD* ExceptionList; + std::uint64_t* StackBase; + std::uint64_t* StackLimit; + std::uint64_t* SubSystemTib; + std::uint64_t* FibreData; + std::uint64_t* ArbitraryUserPointer; + struct _EMU_NT_TIB64* Self; } EMU_NT_TIB64; -typedef EMU_NT_TIB64 *PEMU_NT_TIB64; + +typedef EMU_NT_TIB64* PEMU_NT_TIB64; union PEB_BITFIELD_UNION { - BOOLEAN BitField; - struct - { - BOOLEAN ImageUsesLargePages : 1; - BOOLEAN IsProtectedProcess : 1; - BOOLEAN IsImageDynamicallyRelocated : 1; - BOOLEAN SkipPatchingUser32Forwarders : 1; - BOOLEAN IsPackagedProcess : 1; - BOOLEAN IsAppContainer : 1; - BOOLEAN IsProtectedProcessLight : 1; - BOOLEAN IsLongPathAwareProcess : 1; - }; + BOOLEAN BitField; + + struct + { + BOOLEAN ImageUsesLargePages : 1; + BOOLEAN IsProtectedProcess : 1; + BOOLEAN IsImageDynamicallyRelocated : 1; + BOOLEAN SkipPatchingUser32Forwarders : 1; + BOOLEAN IsPackagedProcess : 1; + BOOLEAN IsAppContainer : 1; + BOOLEAN IsProtectedProcessLight : 1; + BOOLEAN IsLongPathAwareProcess : 1; + }; }; #ifndef OS_WINDOWS 
@@ -55,303 +57,306 @@ typedef struct _LIST_ENTRY64 typedef struct _PEB_LDR_DATA64 { - ULONG Length; - BOOLEAN Initialized; - EmulatorTraits::HANDLE SsHandle; - LIST_ENTRY64 InLoadOrderModuleList; - LIST_ENTRY64 InMemoryOrderModuleList; - LIST_ENTRY64 InInitializationOrderModuleList; - std::uint64_t* EntryInProgress; - BOOLEAN ShutdownInProgress; - EmulatorTraits::HANDLE ShutdownThreadId; + ULONG Length; + BOOLEAN Initialized; + EmulatorTraits::HANDLE SsHandle; + LIST_ENTRY64 InLoadOrderModuleList; + LIST_ENTRY64 InMemoryOrderModuleList; + LIST_ENTRY64 InInitializationOrderModuleList; + std::uint64_t* EntryInProgress; + BOOLEAN ShutdownInProgress; + EmulatorTraits::HANDLE ShutdownThreadId; } PEB_LDR_DATA64, *PPEB_LDR_DATA64; typedef struct _STRING64 { - USHORT Length; - USHORT MaximumLength; - char16_t* Buffer; + USHORT Length; + USHORT MaximumLength; + char16_t* Buffer; } STRING64, *PSTRING64, ANSI_STRING64, *PANSI_STRING64, OEM_STRING64, *POEM_STRING64; typedef struct _RTL_DRIVE_LETTER_CURDIR64 { - USHORT Flags; - USHORT Length; - ULONG TimeStamp; - STRING64 DosPath; + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + STRING64 DosPath; } RTL_DRIVE_LETTER_CURDIR64, *PRTL_DRIVE_LETTER_CURDIR64; #define RTL_MAX_DRIVE_LETTERS 32 #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 -template +template struct ARRAY_CONTAINER { - T arr[Size]; + T arr[Size]; }; typedef struct _CURDIR64 { - UNICODE_STRING> DosPath; - EmulatorTraits::HANDLE Handle; + UNICODE_STRING> DosPath; + EmulatorTraits::HANDLE Handle; } CURDIR64, *PCURDIR64; typedef struct _RTL_USER_PROCESS_PARAMETERS64 { - ULONG MaximumLength; - ULONG Length; + ULONG MaximumLength; + ULONG Length; - ULONG Flags; - ULONG DebugFlags; + ULONG Flags; + ULONG DebugFlags; - EmulatorTraits::HANDLE ConsoleHandle; - ULONG ConsoleFlags; - EmulatorTraits::HANDLE StandardInput; - EmulatorTraits::HANDLE StandardOutput; - EmulatorTraits::HANDLE StandardError; + EmulatorTraits::HANDLE ConsoleHandle; + ULONG ConsoleFlags; + 
EmulatorTraits::HANDLE StandardInput; + EmulatorTraits::HANDLE StandardOutput; + EmulatorTraits::HANDLE StandardError; - CURDIR64 CurrentDirectory; - UNICODE_STRING> DllPath; - UNICODE_STRING> ImagePathName; - UNICODE_STRING> CommandLine; - std::uint64_t* Environment; + CURDIR64 CurrentDirectory; + UNICODE_STRING> DllPath; + UNICODE_STRING> ImagePathName; + UNICODE_STRING> CommandLine; + std::uint64_t* Environment; - ULONG StartingX; - ULONG StartingY; - ULONG CountX; - ULONG CountY; - ULONG CountCharsX; - ULONG CountCharsY; - ULONG FillAttribute; + ULONG StartingX; + ULONG StartingY; + ULONG CountX; + ULONG CountY; + ULONG CountCharsX; + ULONG CountCharsY; + ULONG FillAttribute; - ULONG WindowFlags; - ULONG ShowWindowFlags; - UNICODE_STRING> WindowTitle; - UNICODE_STRING> DesktopInfo; - UNICODE_STRING> ShellInfo; - UNICODE_STRING> RuntimeData; - ARRAY_CONTAINER CurrentDirectories; + ULONG WindowFlags; + ULONG ShowWindowFlags; + UNICODE_STRING> WindowTitle; + UNICODE_STRING> DesktopInfo; + UNICODE_STRING> ShellInfo; + UNICODE_STRING> RuntimeData; + ARRAY_CONTAINER CurrentDirectories; - std::uint64_t* EnvironmentSize; - std::uint64_t* EnvironmentVersion; + std::uint64_t* EnvironmentSize; + std::uint64_t* EnvironmentVersion; - std::uint64_t* PackageDependencyData; - ULONG ProcessGroupId; - ULONG LoaderThreads; + std::uint64_t* PackageDependencyData; + ULONG ProcessGroupId; + ULONG LoaderThreads; - UNICODE_STRING> RedirectionDllName; // REDSTONE4 - UNICODE_STRING> HeapPartitionName; // 19H1 - std::uint64_t* DefaultThreadpoolCpuSetMasks; - ULONG DefaultThreadpoolCpuSetMaskCount; - ULONG DefaultThreadpoolThreadMaximum; - ULONG HeapMemoryTypeMask; // WIN11 + UNICODE_STRING> RedirectionDllName; // REDSTONE4 + UNICODE_STRING> HeapPartitionName; // 19H1 + std::uint64_t* DefaultThreadpoolCpuSetMasks; + ULONG DefaultThreadpoolCpuSetMaskCount; + ULONG DefaultThreadpoolThreadMaximum; + ULONG HeapMemoryTypeMask; // WIN11 } RTL_USER_PROCESS_PARAMETERS64, 
*PRTL_USER_PROCESS_PARAMETERS64; union PEB_CROSS_PROCESS_FLAGS_UNION { - ULONG CrossProcessFlags; - struct - { - ULONG ProcessInJob : 1; - ULONG ProcessInitializing : 1; - ULONG ProcessUsingVEH : 1; - ULONG ProcessUsingVCH : 1; - ULONG ProcessUsingFTH : 1; - ULONG ProcessPreviouslyThrottled : 1; - ULONG ProcessCurrentlyThrottled : 1; - ULONG ProcessImagesHotPatched : 1; // REDSTONE5 - ULONG ReservedBits0 : 24; - }; + ULONG CrossProcessFlags; + + struct + { + ULONG ProcessInJob : 1; + ULONG ProcessInitializing : 1; + ULONG ProcessUsingVEH : 1; + ULONG ProcessUsingVCH : 1; + ULONG ProcessUsingFTH : 1; + ULONG ProcessPreviouslyThrottled : 1; + ULONG ProcessCurrentlyThrottled : 1; + ULONG ProcessImagesHotPatched : 1; // REDSTONE5 + ULONG ReservedBits0 : 24; + }; }; union PEB_KERNEL_CALLBACK_TABLE_UNION64 { - void* KernelCallbackTable; - void* UserSharedInfoPtr; + void* KernelCallbackTable; + void* UserSharedInfoPtr; }; typedef struct _API_SET_NAMESPACE { - ULONG Version; - ULONG Size; - ULONG Flags; - ULONG Count; - ULONG EntryOffset; - ULONG HashOffset; - ULONG HashFactor; + ULONG Version; + ULONG Size; + ULONG Flags; + ULONG Count; + ULONG EntryOffset; + ULONG HashOffset; + ULONG HashFactor; } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; union PEB_CONTEXT_DATA_UNION64 { - void* pContextData; // WIN7 - void* pUnused; // WIN10 - void* EcCodeBitMap; // WIN11 + void* pContextData; // WIN7 + void* pUnused; // WIN10 + void* EcCodeBitMap; // WIN11 }; union PEB_TRACING_FLAGS_UNION { - ULONG TracingFlags; - struct - { - ULONG HeapTracingEnabled : 1; - ULONG CritSecTracingEnabled : 1; - ULONG LibLoaderTracingEnabled : 1; - ULONG SpareTracingBits : 29; - }; + ULONG TracingFlags; + + struct + { + ULONG HeapTracingEnabled : 1; + ULONG CritSecTracingEnabled : 1; + ULONG LibLoaderTracingEnabled : 1; + ULONG SpareTracingBits : 29; + }; }; union PEB_LEAP_SECONDS_FLAG_UNION { - ULONG LeapSecondFlags; - struct - { - ULONG SixtySecondEnabled : 1; - ULONG Reserved : 31; - }; + ULONG 
LeapSecondFlags; + + struct + { + ULONG SixtySecondEnabled : 1; + ULONG Reserved : 31; + }; }; typedef struct _PEB64 { - BOOLEAN InheritedAddressSpace; - BOOLEAN ReadImageFileExecOptions; - BOOLEAN BeingDebugged; - PEB_BITFIELD_UNION BitField; + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + PEB_BITFIELD_UNION BitField; - EmulatorTraits::HANDLE Mutant; + EmulatorTraits::HANDLE Mutant; - std::uint64_t* ImageBaseAddress; - PPEB_LDR_DATA64 Ldr; - PRTL_USER_PROCESS_PARAMETERS64 ProcessParameters; - std::uint64_t* SubSystemData; - std::uint64_t* ProcessHeap; - EMULATOR_CAST(void*, PRTL_CRITICAL_SECTION) FastPebLock; - EMULATOR_CAST(void*, PSLIST_HEADER) AtlThunkSListPtr; - std::uint64_t* IFEOKey; - PEB_CROSS_PROCESS_FLAGS_UNION CrossProcessFlags; - PEB_KERNEL_CALLBACK_TABLE_UNION64 KernelCallbackTable; + std::uint64_t* ImageBaseAddress; + PPEB_LDR_DATA64 Ldr; + PRTL_USER_PROCESS_PARAMETERS64 ProcessParameters; + std::uint64_t* SubSystemData; + std::uint64_t* ProcessHeap; + EMULATOR_CAST(void*, PRTL_CRITICAL_SECTION) FastPebLock; + EMULATOR_CAST(void*, PSLIST_HEADER) AtlThunkSListPtr; + std::uint64_t* IFEOKey; + PEB_CROSS_PROCESS_FLAGS_UNION CrossProcessFlags; + PEB_KERNEL_CALLBACK_TABLE_UNION64 KernelCallbackTable; - ULONG SystemReserved; - ULONG AtlThunkSListPtr32; - PAPI_SET_NAMESPACE ApiSetMap; - ULONG TlsExpansionCounter; - EMULATOR_CAST(void*, PRTL_BITMAP) TlsBitmap; + ULONG SystemReserved; + ULONG AtlThunkSListPtr32; + PAPI_SET_NAMESPACE ApiSetMap; + ULONG TlsExpansionCounter; + EMULATOR_CAST(void*, PRTL_BITMAP) TlsBitmap; - ARRAY_CONTAINER TlsBitmapBits; // TLS_MINIMUM_AVAILABLE - void* ReadOnlySharedMemoryBase; - EMULATOR_CAST(void*, PSILO_USER_SHARED_DATA) SharedData; // HotpatchInformation - std::uint64_t** ReadOnlyStaticServerData; + ARRAY_CONTAINER TlsBitmapBits; // TLS_MINIMUM_AVAILABLE + void* ReadOnlySharedMemoryBase; + EMULATOR_CAST(void*, PSILO_USER_SHARED_DATA) SharedData; // HotpatchInformation + 
std::uint64_t** ReadOnlyStaticServerData; - std::uint64_t* AnsiCodePageData; // PCPTABLEINFO - std::uint64_t* OemCodePageData; // PCPTABLEINFO - std::uint64_t* UnicodeCaseTableData; // PNLSTABLEINFO + std::uint64_t* AnsiCodePageData; // PCPTABLEINFO + std::uint64_t* OemCodePageData; // PCPTABLEINFO + std::uint64_t* UnicodeCaseTableData; // PNLSTABLEINFO - ULONG NumberOfProcessors; - ULONG NtGlobalFlag; + ULONG NumberOfProcessors; + ULONG NtGlobalFlag; - ULARGE_INTEGER CriticalSectionTimeout; - EMULATOR_CAST(std::int64_t, SIZE_T) HeapSegmentReserve; - EMULATOR_CAST(std::int64_t, SIZE_T) HeapSegmentCommit; - EMULATOR_CAST(std::int64_t, SIZE_T) HeapDeCommitTotalFreeThreshold; - EMULATOR_CAST(std::int64_t, SIZE_T) HeapDeCommitFreeBlockThreshold; + ULARGE_INTEGER CriticalSectionTimeout; + EMULATOR_CAST(std::int64_t, SIZE_T) HeapSegmentReserve; + EMULATOR_CAST(std::int64_t, SIZE_T) HeapSegmentCommit; + EMULATOR_CAST(std::int64_t, SIZE_T) HeapDeCommitTotalFreeThreshold; + EMULATOR_CAST(std::int64_t, SIZE_T) HeapDeCommitFreeBlockThreshold; - ULONG NumberOfHeaps; - ULONG MaximumNumberOfHeaps; - std::uint64_t** ProcessHeaps; // PHEAP + ULONG NumberOfHeaps; + ULONG MaximumNumberOfHeaps; + std::uint64_t** ProcessHeaps; // PHEAP - std::uint64_t* GdiSharedHandleTable; // PGDI_SHARED_MEMORY - std::uint64_t* ProcessStarterHelper; - ULONG GdiDCAttributeList; + std::uint64_t* GdiSharedHandleTable; // PGDI_SHARED_MEMORY + std::uint64_t* ProcessStarterHelper; + ULONG GdiDCAttributeList; - EMULATOR_CAST(void*, PRTL_CRITICAL_SECTION) LoaderLock; + EMULATOR_CAST(void*, PRTL_CRITICAL_SECTION) LoaderLock; - ULONG OSMajorVersion; - ULONG OSMinorVersion; - USHORT OSBuildNumber; - USHORT OSCSDVersion; - ULONG OSPlatformId; - ULONG ImageSubsystem; - ULONG ImageSubsystemMajorVersion; - ULONG ImageSubsystemMinorVersion; - EMULATOR_CAST(std::uint64_t, KAFFINITY) ActiveProcessAffinityMask; - ARRAY_CONTAINER GdiHandleBuffer; - std::uint64_t* PostProcessInitRoutine; + ULONG OSMajorVersion; + ULONG 
OSMinorVersion; + USHORT OSBuildNumber; + USHORT OSCSDVersion; + ULONG OSPlatformId; + ULONG ImageSubsystem; + ULONG ImageSubsystemMajorVersion; + ULONG ImageSubsystemMinorVersion; + EMULATOR_CAST(std::uint64_t, KAFFINITY) ActiveProcessAffinityMask; + ARRAY_CONTAINER GdiHandleBuffer; + std::uint64_t* PostProcessInitRoutine; - EMULATOR_CAST(void*, PRTL_BITMAP) TlsExpansionBitmap; - ARRAY_CONTAINER TlsExpansionBitmapBits; // TLS_EXPANSION_SLOTS + EMULATOR_CAST(void*, PRTL_BITMAP) TlsExpansionBitmap; + ARRAY_CONTAINER TlsExpansionBitmapBits; // TLS_EXPANSION_SLOTS - ULONG SessionId; + ULONG SessionId; - ULARGE_INTEGER AppCompatFlags; // KACF_* - ULARGE_INTEGER AppCompatFlagsUser; - std::uint64_t* pShimData; - std::uint64_t* AppCompatInfo; // APPCOMPAT_EXE_DATA + ULARGE_INTEGER AppCompatFlags; // KACF_* + ULARGE_INTEGER AppCompatFlagsUser; + std::uint64_t* pShimData; + std::uint64_t* AppCompatInfo; // APPCOMPAT_EXE_DATA - UNICODE_STRING> CSDVersion; + UNICODE_STRING> CSDVersion; - EMULATOR_CAST(void*, PACTIVATION_CONTEXT_DATA) ActivationContextData; - EMULATOR_CAST(void*, PASSEMBLY_STORAGE_MAP) ProcessAssemblyStorageMap; - EMULATOR_CAST(void*, PACTIVATION_CONTEXT_DATA) SystemDefaultActivationContextData; - EMULATOR_CAST(void*, PASSEMBLY_STORAGE_MAP) SystemAssemblyStorageMap; + EMULATOR_CAST(void*, PACTIVATION_CONTEXT_DATA) ActivationContextData; + EMULATOR_CAST(void*, PASSEMBLY_STORAGE_MAP) ProcessAssemblyStorageMap; + EMULATOR_CAST(void*, PACTIVATION_CONTEXT_DATA) SystemDefaultActivationContextData; + EMULATOR_CAST(void*, PASSEMBLY_STORAGE_MAP) SystemAssemblyStorageMap; - EMULATOR_CAST(std::int64_t, SIZE_T) MinimumStackCommit; + EMULATOR_CAST(std::int64_t, SIZE_T) MinimumStackCommit; - ARRAY_CONTAINER SparePointers; // 19H1 (previously FlsCallback to FlsHighIndex) - std::uint64_t* PatchLoaderData; - std::uint64_t* ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO + ARRAY_CONTAINER SparePointers; // 19H1 (previously FlsCallback to FlsHighIndex) + std::uint64_t* 
PatchLoaderData; + std::uint64_t* ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO - ULONG AppModelFeatureState; - ARRAY_CONTAINER SpareUlongs; + ULONG AppModelFeatureState; + ARRAY_CONTAINER SpareUlongs; - USHORT ActiveCodePage; - USHORT OemCodePage; - USHORT UseCaseMapping; - USHORT UnusedNlsField; + USHORT ActiveCodePage; + USHORT OemCodePage; + USHORT UseCaseMapping; + USHORT UnusedNlsField; - std::uint64_t* WerRegistrationData; - std::uint64_t* WerShipAssertPtr; + std::uint64_t* WerRegistrationData; + std::uint64_t* WerShipAssertPtr; - PEB_CONTEXT_DATA_UNION64 ContextData; + PEB_CONTEXT_DATA_UNION64 ContextData; - std::uint64_t* pImageHeaderHash; - PEB_TRACING_FLAGS_UNION TracingFlags; + std::uint64_t* pImageHeaderHash; + PEB_TRACING_FLAGS_UNION TracingFlags; - ULONGLONG CsrServerReadOnlySharedMemoryBase; - EMULATOR_CAST(void*, PRTL_CRITICAL_SECTION) TppWorkerpListLock; - LIST_ENTRY64 TppWorkerpList; - ARRAY_CONTAINER WaitOnAddressHashTable; - EMULATOR_CAST(void*, PTELEMETRY_COVERAGE_HEADER) TelemetryCoverageHeader; // REDSTONE3 - ULONG CloudFileFlags; - ULONG CloudFileDiagFlags; // REDSTONE4 - CHAR PlaceholderCompatibilityMode; - ARRAY_CONTAINER PlaceholderCompatibilityModeReserved; - EMULATOR_CAST(void*, PLEAP_SECOND_DATA) LeapSecondData; // REDSTONE5 - PEB_LEAP_SECONDS_FLAG_UNION LeapSecondFlags; + ULONGLONG CsrServerReadOnlySharedMemoryBase; + EMULATOR_CAST(void*, PRTL_CRITICAL_SECTION) TppWorkerpListLock; + LIST_ENTRY64 TppWorkerpList; + ARRAY_CONTAINER WaitOnAddressHashTable; + EMULATOR_CAST(void*, PTELEMETRY_COVERAGE_HEADER) TelemetryCoverageHeader; // REDSTONE3 + ULONG CloudFileFlags; + ULONG CloudFileDiagFlags; // REDSTONE4 + CHAR PlaceholderCompatibilityMode; + ARRAY_CONTAINER PlaceholderCompatibilityModeReserved; + EMULATOR_CAST(void*, PLEAP_SECOND_DATA) LeapSecondData; // REDSTONE5 + PEB_LEAP_SECONDS_FLAG_UNION LeapSecondFlags; - ULONG NtGlobalFlag2; - ULONGLONG ExtendedFeatureDisableMask; // since WIN11 + ULONG NtGlobalFlag2; + ULONGLONG 
ExtendedFeatureDisableMask; // since WIN11 } PEB64, *PPEB64; typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME64 { - struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *Previous; - EMULATOR_CAST(void*, ACTIVATION_CONTEXT) ActivationContext; - ULONG Flags; // RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* + struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous; + EMULATOR_CAST(void*, ACTIVATION_CONTEXT) ActivationContext; + ULONG Flags; // RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* } RTL_ACTIVATION_CONTEXT_STACK_FRAME64, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME64; typedef struct _ACTIVATION_CONTEXT_STACK64 { - PRTL_ACTIVATION_CONTEXT_STACK_FRAME64 ActiveFrame; - LIST_ENTRY64 FrameListCache; - ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_* - ULONG NextCookieSequenceNumber; - ULONG StackId; + PRTL_ACTIVATION_CONTEXT_STACK_FRAME64 ActiveFrame; + LIST_ENTRY64 FrameListCache; + ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_* + ULONG NextCookieSequenceNumber; + ULONG StackId; } ACTIVATION_CONTEXT_STACK64, *PACTIVATION_CONTEXT_STACK64; typedef struct _GDI_TEB_BATCH64 { - ULONG Offset; - std::uint64_t* HDC; - ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; + ULONG Offset; + std::uint64_t* HDC; + ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; } GDI_TEB_BATCH64, *PGDI_TEB_BATCH64; #ifndef OS_WINDOWS 
@@ -374,47 +379,48 @@ typedef struct _PROCESSOR_NUMBER union TEB_CURRENT_IDEAL_PROCESSOR_UNION { - PROCESSOR_NUMBER CurrentIdealProcessor; - ULONG IdealProcessorValue; - struct - { - UCHAR ReservedPad0; - UCHAR ReservedPad1; - UCHAR ReservedPad2; - UCHAR IdealProcessor; - }; -}; + PROCESSOR_NUMBER CurrentIdealProcessor; + ULONG IdealProcessorValue; + struct + { + UCHAR ReservedPad0; + UCHAR ReservedPad1; + UCHAR ReservedPad2; + UCHAR IdealProcessor; + }; +}; union TEB_CROSS_TEB_FLAGS_UNION { - USHORT CrossTebFlags; - USHORT SpareCrossTebBits : 16; + USHORT CrossTebFlags; + USHORT SpareCrossTebBits : 16; }; union TEB_SAME_TEB_FLAGS_UNION { - USHORT SameTebFlags; - struct - { - USHORT SafeThunkCall : 1; - USHORT InDebugPrint : 1; - USHORT HasFiberData : 1; - USHORT SkipThreadAttach : 1; - USHORT WerInShipAssertCode : 1; - USHORT RanProcessInit : 1; - USHORT ClonedThread : 1; - USHORT SuppressDebugMsg : 1; - USHORT DisableUserStackWalk : 1; - USHORT RtlExceptionAttached : 1; - USHORT InitialThread : 1; - USHORT SessionAware : 1; - USHORT LoadOwner : 1; - USHORT LoaderWorker : 1; - USHORT SkipLoaderInit : 1; - USHORT SkipFileAPIBrokering : 1; - }; + USHORT SameTebFlags; + + struct + { + USHORT SafeThunkCall : 1; + USHORT InDebugPrint : 1; + USHORT HasFiberData : 1; + USHORT SkipThreadAttach : 1; + USHORT WerInShipAssertCode : 1; + USHORT RanProcessInit : 1; + USHORT ClonedThread : 1; + USHORT SuppressDebugMsg : 1; + USHORT DisableUserStackWalk : 1; + USHORT RtlExceptionAttached : 1; + USHORT InitialThread : 1; + USHORT SessionAware : 1; + USHORT LoadOwner : 1; + USHORT LoaderWorker : 1; + USHORT SkipLoaderInit : 1; + USHORT SkipFileAPIBrokering : 1; + }; }; #ifndef OS_WINDOWS 
@@ -423,226 +429,230 @@ using LCID = DWORD; typedef struct _TEB64 { - EMU_NT_TIB64 NtTib; + EMU_NT_TIB64 NtTib; - std::uint64_t* EnvironmentPointer; - CLIENT_ID64 ClientId; - std::uint64_t* ActiveRpcHandle; - std::uint64_t* ThreadLocalStoragePointer; - PPEB64 ProcessEnvironmentBlock; + std::uint64_t* EnvironmentPointer; + CLIENT_ID64 ClientId; + std::uint64_t* ActiveRpcHandle; + std::uint64_t* ThreadLocalStoragePointer; + PPEB64 ProcessEnvironmentBlock; - ULONG LastErrorValue; - ULONG CountOfOwnedCriticalSections; - std::uint64_t* CsrClientThread; - std::uint64_t* Win32ThreadInfo; - ARRAY_CONTAINER User32Reserved; - ARRAY_CONTAINER UserReserved; - std::uint64_t* WOW32Reserved; - LCID CurrentLocale; - ULONG FpSoftwareStatusRegister; - ARRAY_CONTAINER ReservedForDebuggerInstrumentation; - ARRAY_CONTAINER SystemReserved1; - std::uint64_t* HeapFlsData; - ARRAY_CONTAINER RngState; - CHAR PlaceholderCompatibilityMode; - BOOLEAN PlaceholderHydrationAlwaysExplicit; - ARRAY_CONTAINER PlaceholderReserved; + ULONG LastErrorValue; + ULONG CountOfOwnedCriticalSections; + std::uint64_t* CsrClientThread; + std::uint64_t* Win32ThreadInfo; + ARRAY_CONTAINER User32Reserved; + ARRAY_CONTAINER UserReserved; + std::uint64_t* WOW32Reserved; + LCID CurrentLocale; + ULONG FpSoftwareStatusRegister; + ARRAY_CONTAINER ReservedForDebuggerInstrumentation; + ARRAY_CONTAINER SystemReserved1; + std::uint64_t* HeapFlsData; + ARRAY_CONTAINER RngState; + CHAR PlaceholderCompatibilityMode; + BOOLEAN PlaceholderHydrationAlwaysExplicit; + ARRAY_CONTAINER PlaceholderReserved; - ULONG ProxiedProcessId; - ACTIVATION_CONTEXT_STACK64 ActivationStack; + ULONG ProxiedProcessId; + ACTIVATION_CONTEXT_STACK64 ActivationStack; - ARRAY_CONTAINER WorkingOnBehalfTicket; + ARRAY_CONTAINER WorkingOnBehalfTicket; - NTSTATUS ExceptionCode; + NTSTATUS ExceptionCode; - PACTIVATION_CONTEXT_STACK64 ActivationContextStackPointer; - std::uint64_t* InstrumentationCallbackSp; - std::uint64_t* InstrumentationCallbackPreviousPc; 
- std::uint64_t* InstrumentationCallbackPreviousSp; - ULONG TxFsContext; - BOOLEAN InstrumentationCallbackDisabled; - BOOLEAN UnalignedLoadStoreExceptions; - GDI_TEB_BATCH64 GdiTebBatch; - CLIENT_ID64 RealClientId; - EmulatorTraits::HANDLE GdiCachedProcessHandle; - ULONG GdiClientPID; - ULONG GdiClientTID; - std::uint64_t* GdiThreadLocalInfo; - ARRAY_CONTAINER Win32ClientInfo; + PACTIVATION_CONTEXT_STACK64 ActivationContextStackPointer; + std::uint64_t* InstrumentationCallbackSp; + std::uint64_t* InstrumentationCallbackPreviousPc; + std::uint64_t* InstrumentationCallbackPreviousSp; + ULONG TxFsContext; + BOOLEAN InstrumentationCallbackDisabled; + BOOLEAN UnalignedLoadStoreExceptions; + GDI_TEB_BATCH64 GdiTebBatch; + CLIENT_ID64 RealClientId; + EmulatorTraits::HANDLE GdiCachedProcessHandle; + ULONG GdiClientPID; + ULONG GdiClientTID; + std::uint64_t* GdiThreadLocalInfo; + ARRAY_CONTAINER Win32ClientInfo; - ARRAY_CONTAINER glDispatchTable; - ARRAY_CONTAINER glReserved1; - std::uint64_t* glReserved2; - std::uint64_t* glSectionInfo; - std::uint64_t* glSection; - std::uint64_t* glTable; - std::uint64_t* glCurrentRC; - std::uint64_t* glContext; + ARRAY_CONTAINER glDispatchTable; + ARRAY_CONTAINER glReserved1; + std::uint64_t* glReserved2; + std::uint64_t* glSectionInfo; + std::uint64_t* glSection; + std::uint64_t* glTable; + std::uint64_t* glCurrentRC; + std::uint64_t* glContext; - NTSTATUS LastStatusValue; + NTSTATUS LastStatusValue; - UNICODE_STRING> StaticUnicodeString; - ARRAY_CONTAINER StaticUnicodeBuffer; + UNICODE_STRING> StaticUnicodeString; + ARRAY_CONTAINER StaticUnicodeBuffer; - std::uint64_t* DeallocationStack; + std::uint64_t* DeallocationStack; - ARRAY_CONTAINER TlsSlots; - LIST_ENTRY64 TlsLinks; + ARRAY_CONTAINER TlsSlots; + LIST_ENTRY64 TlsLinks; - std::uint64_t* Vdm; - std::uint64_t* ReservedForNtRpc; - ARRAY_CONTAINER DbgSsReserved; + std::uint64_t* Vdm; + std::uint64_t* ReservedForNtRpc; + ARRAY_CONTAINER DbgSsReserved; - ULONG HardErrorMode; - 
ARRAY_CONTAINER Instrumentation; - GUID ActivityId; + ULONG HardErrorMode; + ARRAY_CONTAINER Instrumentation; + GUID ActivityId; - std::uint64_t* SubProcessTag; - std::uint64_t* PerflibData; - std::uint64_t* EtwTraceData; - std::uint64_t* WinSockData; - ULONG GdiBatchCount; + std::uint64_t* SubProcessTag; + std::uint64_t* PerflibData; + std::uint64_t* EtwTraceData; + std::uint64_t* WinSockData; + ULONG GdiBatchCount; - TEB_CURRENT_IDEAL_PROCESSOR_UNION CurrentIdealProcessor; + TEB_CURRENT_IDEAL_PROCESSOR_UNION CurrentIdealProcessor; - ULONG GuaranteedStackBytes; - std::uint64_t* ReservedForPerf; - std::uint64_t* ReservedForOle; // tagSOleTlsData - ULONG WaitingOnLoaderLock; - std::uint64_t* SavedPriorityState; - std::uint64_t* ReservedForCodeCoverage; - std::uint64_t* ThreadPoolData; - std::uint64_t**TlsExpansionSlots; - std::uint64_t* ChpeV2CpuAreaInfo; // CHPEV2_CPUAREA_INFO // previously DeallocationBStore - std::uint64_t* Unused; // previously BStoreLimit - ULONG MuiGeneration; - ULONG IsImpersonating; - std::uint64_t* NlsCache; - std::uint64_t* pShimData; - ULONG HeapData; - EmulatorTraits::HANDLE CurrentTransactionHandle; - EMULATOR_CAST(void*, PTEB_ACTIVE_FRAME) ActiveFrame; - std::uint64_t* FlsData; + ULONG GuaranteedStackBytes; + std::uint64_t* ReservedForPerf; + std::uint64_t* ReservedForOle; // tagSOleTlsData + ULONG WaitingOnLoaderLock; + std::uint64_t* SavedPriorityState; + std::uint64_t* ReservedForCodeCoverage; + std::uint64_t* ThreadPoolData; + std::uint64_t** TlsExpansionSlots; + std::uint64_t* ChpeV2CpuAreaInfo; // CHPEV2_CPUAREA_INFO // previously DeallocationBStore + std::uint64_t* Unused; // previously BStoreLimit + ULONG MuiGeneration; + ULONG IsImpersonating; + std::uint64_t* NlsCache; + std::uint64_t* pShimData; + ULONG HeapData; + EmulatorTraits::HANDLE CurrentTransactionHandle; + EMULATOR_CAST(void*, PTEB_ACTIVE_FRAME) ActiveFrame; + std::uint64_t* FlsData; - std::uint64_t* PreferredLanguages; - std::uint64_t* UserPrefLanguages; - 
std::uint64_t* MergedPrefLanguages; - ULONG MuiImpersonation; + std::uint64_t* PreferredLanguages; + std::uint64_t* UserPrefLanguages; + std::uint64_t* MergedPrefLanguages; + ULONG MuiImpersonation; - TEB_CROSS_TEB_FLAGS_UNION CrossTebFlags; - TEB_SAME_TEB_FLAGS_UNION SameTebFlags; + TEB_CROSS_TEB_FLAGS_UNION CrossTebFlags; + TEB_SAME_TEB_FLAGS_UNION SameTebFlags; - std::uint64_t* TxnScopeEnterCallback; - std::uint64_t* TxnScopeExitCallback; - std::uint64_t* TxnScopeContext; - ULONG LockCount; - LONG WowTebOffset; - std::uint64_t* ResourceRetValue; - std::uint64_t* ReservedForWdf; - ULONGLONG ReservedForCrt; - GUID EffectiveContainerId; - ULONGLONG LastSleepCounter; // Win11 - ULONG SpinCallCount; - ULONGLONG ExtendedFeatureDisableMask; - std::uint64_t* SchedulerSharedDataSlot; // 24H2 - std::uint64_t* HeapWalkContext; - EMU_GROUP_AFFINITY64 PrimaryGroupAffinity; - ARRAY_CONTAINER Rcu; + std::uint64_t* TxnScopeEnterCallback; + std::uint64_t* TxnScopeExitCallback; + std::uint64_t* TxnScopeContext; + ULONG LockCount; + LONG WowTebOffset; + std::uint64_t* ResourceRetValue; + std::uint64_t* ReservedForWdf; + ULONGLONG ReservedForCrt; + GUID EffectiveContainerId; + ULONGLONG LastSleepCounter; // Win11 + ULONG SpinCallCount; + ULONGLONG ExtendedFeatureDisableMask; + std::uint64_t* SchedulerSharedDataSlot; // 24H2 + std::uint64_t* HeapWalkContext; + EMU_GROUP_AFFINITY64 PrimaryGroupAffinity; + ARRAY_CONTAINER Rcu; } TEB64, *PTEB64; #ifdef OS_WINDOWS - inline TEB64* NtCurrentTeb64(VOID) - { - return (TEB64*)__readgsqword(FIELD_OFFSET(EMU_NT_TIB64, Self)); - } +inline TEB64* NtCurrentTeb64(VOID) +{ + return (TEB64*)__readgsqword(FIELD_OFFSET(EMU_NT_TIB64, Self)); +} #endif #pragma pack(push, 4) typedef struct _KSYSTEM_TIME { - ULONG LowPart; - LONG High1Time; - LONG High2Time; + ULONG LowPart; + LONG High1Time; + LONG High2Time; } KSYSTEM_TIME, *PKSYSTEM_TIME; #pragma pack(pop) typedef enum _NT_PRODUCT_TYPE { - NtProductWinNt = 1, - NtProductLanManNt, - NtProductServer + 
NtProductWinNt = 1, + NtProductLanManNt, + NtProductServer } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE { - StandardDesign, - NEC98x86, - EndAlternatives + StandardDesign, + NEC98x86, + EndAlternatives } ALTERNATIVE_ARCHITECTURE_TYPE; union KUSD_SHARED_DATA_FLAGS_UNION { - ULONG SharedDataFlags; - struct - { - // - // The following bit fields are for the debugger only. Do not use. - // Use the bit definitions instead. - // + ULONG SharedDataFlags; - ULONG DbgErrorPortPresent : 1; - ULONG DbgElevationEnabled : 1; - ULONG DbgVirtEnabled : 1; - ULONG DbgInstallerDetectEnabled : 1; - ULONG DbgLkgEnabled : 1; - ULONG DbgDynProcessorEnabled : 1; - ULONG DbgConsoleBrokerEnabled : 1; - ULONG DbgSecureBootEnabled : 1; - ULONG DbgMultiSessionSku : 1; - ULONG DbgMultiUsersInSessionSku : 1; - ULONG DbgStateSeparationEnabled : 1; - ULONG DbgSplitTokenEnabled : 1; - ULONG DbgShadowAdminEnabled : 1; - ULONG SpareBits : 19; - }; + struct + { + // + // The following bit fields are for the debugger only. Do not use. + // Use the bit definitions instead. 
+ // + + ULONG DbgErrorPortPresent : 1; + ULONG DbgElevationEnabled : 1; + ULONG DbgVirtEnabled : 1; + ULONG DbgInstallerDetectEnabled : 1; + ULONG DbgLkgEnabled : 1; + ULONG DbgDynProcessorEnabled : 1; + ULONG DbgConsoleBrokerEnabled : 1; + ULONG DbgSecureBootEnabled : 1; + ULONG DbgMultiSessionSku : 1; + ULONG DbgMultiUsersInSessionSku : 1; + ULONG DbgStateSeparationEnabled : 1; + ULONG DbgSplitTokenEnabled : 1; + ULONG DbgShadowAdminEnabled : 1; + ULONG SpareBits : 19; + }; }; union KUSD_TICK_COUNT_UNION { - volatile KSYSTEM_TIME TickCount; - volatile std::uint64_t TickCountQuad; - struct - { - ULONG ReservedTickCountOverlay[3]; - ULONG TickCountPad[1]; - }; + volatile KSYSTEM_TIME TickCount; + volatile std::uint64_t TickCountQuad; + + struct + { + ULONG ReservedTickCountOverlay[3]; + ULONG TickCountPad[1]; + }; }; union KUSD_VIRTUALIZATION_FLAGS_UNION { - UCHAR VirtualizationFlags; + UCHAR VirtualizationFlags; }; union KUSD_MITIGATION_POLICIES_UNION { - UCHAR MitigationPolicies; - struct - { - UCHAR NXSupportPolicy : 2; - UCHAR SEHValidationPolicy : 2; - UCHAR CurDirDevicesSkippedForDlls : 2; - UCHAR Reserved : 2; - }; + UCHAR MitigationPolicies; + + struct + { + UCHAR NXSupportPolicy : 2; + UCHAR SEHValidationPolicy : 2; + UCHAR CurDirDevicesSkippedForDlls : 2; + UCHAR Reserved : 2; + }; }; union KUSD_QPC_DATA_UNION { - USHORT QpcData; - struct - { - volatile UCHAR QpcBypassEnabled; - UCHAR QpcReserved; - }; + USHORT QpcData; + + struct + { + volatile UCHAR QpcBypassEnabled; + UCHAR QpcReserved; + }; }; #ifndef OS_WINDOWS 
@@ -676,199 +686,201 @@ typedef struct _XSTATE_CONFIGURATION { typedef struct _KUSER_SHARED_DATA64 { - ULONG TickCountLowDeprecated; - ULONG TickCountMultiplier; - volatile KSYSTEM_TIME InterruptTime; - volatile KSYSTEM_TIME SystemTime; - volatile KSYSTEM_TIME TimeZoneBias; - USHORT ImageNumberLow; - USHORT ImageNumberHigh; - ARRAY_CONTAINER NtSystemRoot; - ULONG MaxStackTraceDepth; - ULONG CryptoExponent; - ULONG TimeZoneId; - ULONG LargePageMinimum; - ULONG AitSamplingValue; - ULONG AppCompatFlag; - ULONGLONG RNGSeedVersion; - ULONG GlobalValidationRunlevel; - volatile LONG TimeZoneBiasStamp; - ULONG NtBuildNumber; - NT_PRODUCT_TYPE NtProductType; - BOOLEAN ProductTypeIsValid; - BOOLEAN Reserved0; - USHORT NativeProcessorArchitecture; - ULONG NtMajorVersion; - ULONG NtMinorVersion; - ARRAY_CONTAINER ProcessorFeatures; - ULONG Reserved1; - ULONG Reserved3; - volatile ULONG TimeSlip; - ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; - ULONG BootId; - LARGE_INTEGER SystemExpirationDate; - ULONG SuiteMask; - BOOLEAN KdDebuggerEnabled; - KUSD_MITIGATION_POLICIES_UNION MitigationPolicies; - USHORT CyclesPerYield; - volatile ULONG ActiveConsoleId; - volatile ULONG DismountCount; - ULONG ComPlusPackage; - ULONG LastSystemRITEventTickCount; - ULONG NumberOfPhysicalPages; - BOOLEAN SafeBootMode; - KUSD_VIRTUALIZATION_FLAGS_UNION VirtualizationFlags; - ARRAY_CONTAINER Reserved12; - KUSD_SHARED_DATA_FLAGS_UNION SharedDataFlags; - ULONG DataFlagsPad; - ULONGLONG TestRetInstruction; - LONGLONG QpcFrequency; - ULONG SystemCall; - ULONG Reserved2; - ULONGLONG FullNumberOfPhysicalPages; - ULONGLONG SystemCallPad; - KUSD_TICK_COUNT_UNION TickCount; - ULONG Cookie; - ULONG CookiePad; - LONGLONG ConsoleSessionForegroundProcessId; - ULONGLONG TimeUpdateLock; - ULONGLONG BaselineSystemTimeQpc; - ULONGLONG BaselineInterruptTimeQpc; - ULONGLONG QpcSystemTimeIncrement; - ULONGLONG QpcInterruptTimeIncrement; - UCHAR QpcSystemTimeIncrementShift; - UCHAR 
QpcInterruptTimeIncrementShift; - USHORT UnparkedProcessorCount; - ARRAY_CONTAINER EnclaveFeatureMask; - ULONG TelemetryCoverageRound; - ARRAY_CONTAINER UserModeGlobalLogger; - ULONG ImageFileExecutionOptions; - ULONG LangGenerationCount; - ULONGLONG Reserved4; - volatile ULONGLONG InterruptTimeBias; - volatile ULONGLONG QpcBias; - ULONG ActiveProcessorCount; - volatile UCHAR ActiveGroupCount; - UCHAR Reserved9; - KUSD_QPC_DATA_UNION QpcData; - LARGE_INTEGER TimeZoneBiasEffectiveStart; - LARGE_INTEGER TimeZoneBiasEffectiveEnd; - XSTATE_CONFIGURATION XState; - KSYSTEM_TIME FeatureConfigurationChangeStamp; - ULONG Spare; - std::uint64_t UserPointerAuthMask; - ARRAY_CONTAINER Reserved10; + ULONG TickCountLowDeprecated; + ULONG TickCountMultiplier; + volatile KSYSTEM_TIME InterruptTime; + volatile KSYSTEM_TIME SystemTime; + volatile KSYSTEM_TIME TimeZoneBias; + USHORT ImageNumberLow; + USHORT ImageNumberHigh; + ARRAY_CONTAINER NtSystemRoot; + ULONG MaxStackTraceDepth; + ULONG CryptoExponent; + ULONG TimeZoneId; + ULONG LargePageMinimum; + ULONG AitSamplingValue; + ULONG AppCompatFlag; + ULONGLONG RNGSeedVersion; + ULONG GlobalValidationRunlevel; + volatile LONG TimeZoneBiasStamp; + ULONG NtBuildNumber; + NT_PRODUCT_TYPE NtProductType; + BOOLEAN ProductTypeIsValid; + BOOLEAN Reserved0; + USHORT NativeProcessorArchitecture; + ULONG NtMajorVersion; + ULONG NtMinorVersion; + ARRAY_CONTAINER ProcessorFeatures; + ULONG Reserved1; + ULONG Reserved3; + volatile ULONG TimeSlip; + ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; + ULONG BootId; + LARGE_INTEGER SystemExpirationDate; + ULONG SuiteMask; + BOOLEAN KdDebuggerEnabled; + KUSD_MITIGATION_POLICIES_UNION MitigationPolicies; + USHORT CyclesPerYield; + volatile ULONG ActiveConsoleId; + volatile ULONG DismountCount; + ULONG ComPlusPackage; + ULONG LastSystemRITEventTickCount; + ULONG NumberOfPhysicalPages; + BOOLEAN SafeBootMode; + KUSD_VIRTUALIZATION_FLAGS_UNION VirtualizationFlags; + ARRAY_CONTAINER Reserved12; + 
KUSD_SHARED_DATA_FLAGS_UNION SharedDataFlags; + ULONG DataFlagsPad; + ULONGLONG TestRetInstruction; + LONGLONG QpcFrequency; + ULONG SystemCall; + ULONG Reserved2; + ULONGLONG FullNumberOfPhysicalPages; + ULONGLONG SystemCallPad; + KUSD_TICK_COUNT_UNION TickCount; + ULONG Cookie; + ULONG CookiePad; + LONGLONG ConsoleSessionForegroundProcessId; + ULONGLONG TimeUpdateLock; + ULONGLONG BaselineSystemTimeQpc; + ULONGLONG BaselineInterruptTimeQpc; + ULONGLONG QpcSystemTimeIncrement; + ULONGLONG QpcInterruptTimeIncrement; + UCHAR QpcSystemTimeIncrementShift; + UCHAR QpcInterruptTimeIncrementShift; + USHORT UnparkedProcessorCount; + ARRAY_CONTAINER EnclaveFeatureMask; + ULONG TelemetryCoverageRound; + ARRAY_CONTAINER UserModeGlobalLogger; + ULONG ImageFileExecutionOptions; + ULONG LangGenerationCount; + ULONGLONG Reserved4; + volatile ULONGLONG InterruptTimeBias; + volatile ULONGLONG QpcBias; + ULONG ActiveProcessorCount; + volatile UCHAR ActiveGroupCount; + UCHAR Reserved9; + KUSD_QPC_DATA_UNION QpcData; + LARGE_INTEGER TimeZoneBiasEffectiveStart; + LARGE_INTEGER TimeZoneBiasEffectiveEnd; + XSTATE_CONFIGURATION XState; + KSYSTEM_TIME FeatureConfigurationChangeStamp; + ULONG Spare; + std::uint64_t UserPointerAuthMask; + ARRAY_CONTAINER Reserved10; } KUSER_SHARED_DATA64, *PKUSER_SHARED_DATA64; typedef struct _API_SET_NAMESPACE_ENTRY { - ULONG Flags; - ULONG NameOffset; - ULONG NameLength; - ULONG HashedLength; - ULONG ValueOffset; - ULONG ValueCount; + ULONG Flags; + ULONG NameOffset; + ULONG NameLength; + ULONG HashedLength; + ULONG ValueOffset; + ULONG ValueCount; } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; typedef struct _API_SET_HASH_ENTRY { - ULONG Hash; - ULONG Index; + ULONG Hash; + ULONG Index; } API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY; typedef struct _API_SET_VALUE_ENTRY { - ULONG Flags; - ULONG NameOffset; - ULONG NameLength; - ULONG ValueOffset; - ULONG ValueLength; + ULONG Flags; + ULONG NameOffset; + ULONG NameLength; + ULONG ValueOffset; + ULONG 
ValueLength; } API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY; template struct PS_ATTRIBUTE { - typename Traits::ULONG_PTR Attribute; - typename Traits::SIZE_T Size; - union - { - typename Traits::ULONG_PTR Value; - typename Traits::PVOID ValuePtr; - }; - typename Traits::SIZE_T* ReturnLength; + typename Traits::ULONG_PTR Attribute; + typename Traits::SIZE_T Size; + + union + { + typename Traits::ULONG_PTR Value; + typename Traits::PVOID ValuePtr; + }; + + typename Traits::SIZE_T* ReturnLength; }; template struct PS_ATTRIBUTE_LIST { - typename Traits::SIZE_T TotalLength; - PS_ATTRIBUTE Attributes[1]; + typename Traits::SIZE_T TotalLength; + PS_ATTRIBUTE Attributes[1]; }; typedef struct _SYSTEM_TIMEOFDAY_INFORMATION64 { - LARGE_INTEGER BootTime; - LARGE_INTEGER CurrentTime; - LARGE_INTEGER TimeZoneBias; - ULONG TimeZoneId; - ULONG Reserved; - ULONGLONG BootTimeBias; - ULONGLONG SleepTimeBias; + LARGE_INTEGER BootTime; + LARGE_INTEGER CurrentTime; + LARGE_INTEGER TimeZoneBias; + ULONG TimeZoneId; + ULONG Reserved; + ULONGLONG BootTimeBias; + ULONGLONG SleepTimeBias; } SYSTEM_TIMEOFDAY_INFORMATION64, *PSYSTEM_TIMEOFDAY_INFORMATION64; typedef struct _PROCESS_BASIC_INFORMATION64 { - NTSTATUS ExitStatus; - PPEB64 PebBaseAddress; - EMULATOR_CAST(std::uint64_t, KAFFINITY) AffinityMask; - EMULATOR_CAST(std::uint32_t, KPRIORITY) BasePriority; - EMULATOR_CAST(std::uint64_t, HANDLE) UniqueProcessId; - EMULATOR_CAST(std::uint64_t, HANDLE) InheritedFromUniqueProcessId; + NTSTATUS ExitStatus; + PPEB64 PebBaseAddress; + EMULATOR_CAST(std::uint64_t, KAFFINITY) AffinityMask; + EMULATOR_CAST(std::uint32_t, KPRIORITY) BasePriority; + EMULATOR_CAST(std::uint64_t, HANDLE) UniqueProcessId; + EMULATOR_CAST(std::uint64_t, HANDLE) InheritedFromUniqueProcessId; } PROCESS_BASIC_INFORMATION64, *PPROCESS_BASIC_INFORMATION64; typedef struct _KERNEL_USER_TIMES { - LARGE_INTEGER CreateTime; - LARGE_INTEGER ExitTime; - LARGE_INTEGER KernelTime; - LARGE_INTEGER UserTime; -} KERNEL_USER_TIMES, * 
PKERNEL_USER_TIMES; + LARGE_INTEGER CreateTime; + LARGE_INTEGER ExitTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; +} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; struct THREAD_TLS_INFO { - ULONG Flags; + ULONG Flags; - union - { - EmulatorTraits::PVOID* TlsVector; - EmulatorTraits::PVOID TlsModulePointer; - }; + union + { + EmulatorTraits::PVOID* TlsVector; + EmulatorTraits::PVOID TlsModulePointer; + }; - EMULATOR_CAST(std::uint64_t, ULONG_PTR) ThreadId; + EMULATOR_CAST(std::uint64_t, ULONG_PTR) ThreadId; }; static_assert(sizeof(THREAD_TLS_INFO) == 0x18); typedef enum _PROCESS_TLS_INFORMATION_TYPE { - ProcessTlsReplaceIndex, - ProcessTlsReplaceVector, - MaxProcessTlsOperation -} PROCESS_TLS_INFORMATION_TYPE, * PPROCESS_TLS_INFORMATION_TYPE; + ProcessTlsReplaceIndex, + ProcessTlsReplaceVector, + MaxProcessTlsOperation +} PROCESS_TLS_INFORMATION_TYPE, *PPROCESS_TLS_INFORMATION_TYPE; struct PROCESS_TLS_INFO { - ULONG Unknown; - PROCESS_TLS_INFORMATION_TYPE TlsRequest; - ULONG ThreadDataCount; + ULONG Unknown; + PROCESS_TLS_INFORMATION_TYPE TlsRequest; + ULONG ThreadDataCount; - union - { - ULONG TlsIndex; - ULONG TlsVectorLength; - }; + union + { + ULONG TlsIndex; + ULONG TlsVectorLength; + }; - THREAD_TLS_INFO ThreadData[1]; + THREAD_TLS_INFO ThreadData[1]; }; static_assert(sizeof(PROCESS_TLS_INFO) - sizeof(THREAD_TLS_INFO) == 0x10); diff --git a/src/common/platform/memory.hpp b/src/common/platform/memory.hpp index 35539a92..8d8758c0 100644 --- a/src/common/platform/memory.hpp +++ b/src/common/platform/memory.hpp @@ -1,6 +1,5 @@ #pragma once - #define PAGE_EXECUTE 0x10 #define PAGE_EXECUTE_READ 0x20 #define PAGE_EXECUTE_READWRITE 0x40 
@@ -39,90 +38,94 @@ typedef enum _MEMORY_INFORMATION_CLASS { - MemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION - MemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION - MemoryMappedFilenameInformation, // q: UNICODE_STRING - MemoryRegionInformation, // q: MEMORY_REGION_INFORMATION - MemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA - MemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8 - MemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION - MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION - MemoryPrivilegedBasicInformation, // MEMORY_BASIC_INFORMATION - MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 - MemoryBasicInformationCapped, // 10 - MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 - MemoryBadInformation, // since WIN11 - MemoryBadInformationAllProcesses, // since 22H1 - MemoryImageExtensionInformation, // since 24H2 - MaxMemoryInfoClass + MemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION + MemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION + MemoryMappedFilenameInformation, // q: UNICODE_STRING + MemoryRegionInformation, // q: MEMORY_REGION_INFORMATION + MemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA + MemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8 + MemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION + MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION + MemoryPrivilegedBasicInformation, // MEMORY_BASIC_INFORMATION + MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 + MemoryBasicInformationCapped, // 10 + MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 + MemoryBadInformation, // since WIN11 + MemoryBadInformationAllProcesses, // since 22H1 + MemoryImageExtensionInformation, // since 24H2 + 
MaxMemoryInfoClass } MEMORY_INFORMATION_CLASS; typedef enum _SECTION_INHERIT { - ViewShare = 1, - ViewUnmap = 2 + ViewShare = 1, + ViewUnmap = 2 } SECTION_INHERIT; typedef struct DECLSPEC_ALIGN(16) _EMU_MEMORY_BASIC_INFORMATION64 { - void* BaseAddress; - void* AllocationBase; - DWORD AllocationProtect; - WORD PartitionId; - std::int64_t RegionSize; - DWORD State; - DWORD Protect; - DWORD Type; + void* BaseAddress; + void* AllocationBase; + DWORD AllocationProtect; + WORD PartitionId; + std::int64_t RegionSize; + DWORD State; + DWORD Protect; + DWORD Type; } EMU_MEMORY_BASIC_INFORMATION64, *PEMU_MEMORY_BASIC_INFORMATION64; - typedef struct _MEMORY_IMAGE_INFORMATION64 { - void* ImageBase; - std::int64_t SizeOfImage; - union - { - ULONG ImageFlags; - struct - { - ULONG ImagePartialMap : 1; - ULONG ImageNotExecutable : 1; - ULONG ImageSigningLevel : 4; // REDSTONE3 - ULONG ImageExtensionPresent : 1; // since 24H2 - ULONG Reserved : 25; - }; - }; + void* ImageBase; + std::int64_t SizeOfImage; + + union + { + ULONG ImageFlags; + + struct + { + ULONG ImagePartialMap : 1; + ULONG ImageNotExecutable : 1; + ULONG ImageSigningLevel : 4; // REDSTONE3 + ULONG ImageExtensionPresent : 1; // since 24H2 + ULONG Reserved : 25; + }; + }; } MEMORY_IMAGE_INFORMATION64, *PMEMORY_IMAGE_INFORMATION64; typedef struct _MEMORY_REGION_INFORMATION { - void* AllocationBase; - ULONG AllocationProtect; - union - { - ULONG RegionType; - struct - { - ULONG Private : 1; - ULONG MappedDataFile : 1; - ULONG MappedImage : 1; - ULONG MappedPageFile : 1; - ULONG MappedPhysical : 1; - ULONG DirectMapped : 1; - ULONG SoftwareEnclave : 1; // REDSTONE3 - ULONG PageSize64K : 1; - ULONG PlaceholderReservation : 1; // REDSTONE4 - ULONG MappedAwe : 1; // 21H1 - ULONG MappedWriteWatch : 1; - ULONG PageSizeLarge : 1; - ULONG PageSizeHuge : 1; - ULONG Reserved : 19; - }; - }; - std::int64_t RegionSize; - std::int64_t CommitSize; - DWORD64 PartitionId; // 19H1 - DWORD64 NodePreference; // 20H1 -} 
MEMORY_REGION_INFORMATION64, *PMEMORY_REGION_INFORMATION64; \ No newline at end of file + void* AllocationBase; + ULONG AllocationProtect; + + union + { + ULONG RegionType; + + struct + { + ULONG Private : 1; + ULONG MappedDataFile : 1; + ULONG MappedImage : 1; + ULONG MappedPageFile : 1; + ULONG MappedPhysical : 1; + ULONG DirectMapped : 1; + ULONG SoftwareEnclave : 1; // REDSTONE3 + ULONG PageSize64K : 1; + ULONG PlaceholderReservation : 1; // REDSTONE4 + ULONG MappedAwe : 1; // 21H1 + ULONG MappedWriteWatch : 1; + ULONG PageSizeLarge : 1; + ULONG PageSizeHuge : 1; + ULONG Reserved : 19; + }; + }; + + std::int64_t RegionSize; + std::int64_t CommitSize; + DWORD64 PartitionId; // 19H1 + DWORD64 NodePreference; // 20H1 +} MEMORY_REGION_INFORMATION64, *PMEMORY_REGION_INFORMATION64; diff --git a/src/common/platform/network.hpp b/src/common/platform/network.hpp index 2960145b..2e14c0a5 100644 --- a/src/common/platform/network.hpp +++ b/src/common/platform/network.hpp @@ -1,9 +1,8 @@ #pragma once - template struct EMU_WSABUF { - ULONG len; - EMULATOR_CAST(typename Traits::PVOID, CHAR*) buf; -}; \ No newline at end of file + ULONG len; + EMULATOR_CAST(typename Traits::PVOID, CHAR*) buf; +}; diff --git a/src/common/platform/platform.hpp b/src/common/platform/platform.hpp index fbbe0969..a8730fd9 100644 --- a/src/common/platform/platform.hpp +++ b/src/common/platform/platform.hpp @@ -1,12 +1,12 @@ #pragma once #ifdef _WIN32 - #pragma warning(push) - #pragma warning(disable: 4201) // nameless struct/union - #pragma warning(disable: 4702) // unreachable code +#pragma warning(push) +#pragma warning(disable: 4201) // nameless struct/union +#pragma warning(disable: 4702) // unreachable code #else - #pragma GCC diagnostic push - #pragma GCC diagnostic ignored "-Wpedantic" +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wpedantic" #endif #include "compiler.hpp" 
@@ -26,22 +26,21 @@ #ifdef OS_WINDOWS #pragma comment(lib, "ntdll") - -extern "C" -{ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySystemInformationEx( - _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, - _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, - _In_ ULONG SystemInformationLength, - _Out_opt_ PULONG ReturnLength - ); + +extern "C" { +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySystemInformationEx( + _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, + _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, + _In_ ULONG SystemInformationLength, + _Out_opt_ PULONG ReturnLength +); } - #pragma warning(pop) +#pragma warning(pop) #else - #pragma GCC diagnostic pop -#endif \ No newline at end of file +#pragma GCC diagnostic pop +#endif diff --git a/src/common/platform/primitives.hpp b/src/common/platform/primitives.hpp index bbbd91c3..3fdb937d 100644 --- a/src/common/platform/primitives.hpp +++ b/src/common/platform/primitives.hpp 
@@ -2,57 +2,56 @@ #include - #ifdef OS_WINDOWS - #define WIN32_LEAN_AND_MEAN - #define NOMINMAX - #include - #include "winnt.h" + +#define WIN32_LEAN_AND_MEAN +#define NOMINMAX +#include +#include "winnt.h" + #else - #define DWORD std::uint32_t - using LONG = std::int32_t; - using ULONG = DWORD; - using DWORD64 = std::uint64_t; - using ULONGLONG = DWORD64; - using LONGLONG = std::int64_t; - - typedef union _ULARGE_INTEGER - { - struct - { - DWORD LowPart; - DWORD HighPart; - }; - ULONGLONG QuadPart; - } ULARGE_INTEGER; - typedef union _LARGE_INTEGER - { - struct - { - DWORD LowPart; - LONG HighPart; - }; - LONGLONG QuadPart; - } LARGE_INTEGER; +#define DWORD std::uint32_t +using LONG = std::int32_t; +using ULONG = DWORD; +using DWORD64 = std::uint64_t; +using ULONGLONG = DWORD64; +using LONGLONG = std::int64_t; - using BYTE = std::uint8_t; - #define CHAR BYTE +typedef union _ULARGE_INTEGER +{ + struct + { + DWORD LowPart; + DWORD HighPart; + }; + + ULONGLONG QuadPart; +} ULARGE_INTEGER; + +typedef union _LARGE_INTEGER +{ + struct + { + DWORD LowPart; + LONG HighPart; + }; + + LONGLONG QuadPart; +} LARGE_INTEGER; + +using BYTE = std::uint8_t; +#define CHAR BYTE #endif -using WORD = std::uint16_t; - - +using WORD = std::uint16_t; #define UCHAR unsigned char #define BOOLEAN bool -using CSHORT = short; -using USHORT = WORD; - - - +using CSHORT = short; +using USHORT = WORD; #define DUMMYSTRUCTNAME @@ -61,4 +60,3 @@ using USHORT = WORD; #define TRUE true #define FALSE false #endif - diff --git a/src/common/platform/process.hpp b/src/common/platform/process.hpp index 9f04c1d7..f4333648 100644 --- a/src/common/platform/process.hpp +++ b/src/common/platform/process.hpp 
@@ -21,255 +21,292 @@ typedef enum _SYSTEM_INFORMATION_CLASS { - SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION - SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION - SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION - SystemPathInformation, // not implemented - SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION - SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION - SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION - SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup) - SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION - SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10 - SystemModuleInformation, // q: RTL_PROCESS_MODULES - SystemLocksInformation, // q: RTL_PROCESS_LOCKS - SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES - SystemPagedPoolInformation, // not implemented - SystemNonPagedPoolInformation, // not implemented - SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION - SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION - SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION - SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO - SystemVdmBopInformation, // not implemented // 20 - SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) - SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION - SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup) - SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) - SystemFullMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION - SystemLoadGdiDriverInformation, // s (kernel-mode only) - 
SystemUnloadGdiDriverInformation, // s (kernel-mode only) - SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) - SystemSummaryMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION - SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30 - SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) - SystemObsolete0, // not implemented - SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION - SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege) - SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION - SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION - SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) - SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only - SystemPrioritySeperation, // s (requires SeTcbPrivilege) - SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40 - SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege) - SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup) - SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION - SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION - SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION - SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege) - SystemSessionCreate, // not implemented - SystemSessionDetach, // not implemented - SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION) - SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50 - SystemVerifierInformation, // q: 
SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) - SystemVerifierThunkExtend, // s (kernel-mode only) - SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION - SystemLoadGdiDriverInSystemSpace, // s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation) - SystemNumaProcessorMap, // q: SYSTEM_NUMA_INFORMATION - SystemPrefetcherInformation, // q; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation - SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION - SystemRecommendedSharedDataAlignment, // q: ULONG // KeGetRecommendedSharedDataAlignment - SystemComPlusPackage, // q; s: ULONG - SystemNumaAvailableMemory, // q: SYSTEM_NUMA_INFORMATION // 60 - SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup) - SystemEmulationBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemEmulationProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION - SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX - SystemLostDelayedWriteInformation, // q: ULONG - SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION - SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION - SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION - SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION - SystemObjectSecurityMode, // q: ULONG // 70 - SystemWatchdogTimerHandler, // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only) - SystemWatchdogTimerInformation, // q: SYSTEM_WATCHDOG_TIMER_INFORMATION // (kernel-mode only) - SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup) - SystemWow64SharedInformationObsolete, // not implemented - SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only) - SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION - 
SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX - SystemVerifierTriageInformation, // not implemented - SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation - SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80 - SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) - SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) - SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) - SystemVerifierCancellationInformation, // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation - SystemProcessorPowerInformationEx, // not implemented - SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation - SystemSpecialPoolInformation, // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 - SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION - SystemErrorPortInformation, // s (requires SeTcbPrivilege) - SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90 - SystemHypervisorInformation, // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION - SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX - SystemTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) - SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) - SystemCoverageInformation, // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege) - SystemPrefetchPatchInformation, // 
SYSTEM_PREFETCH_PATCH_INFORMATION - SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) - SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION - SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION - SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // 100 - SystemNumaProximityNodeInformation, // q; s: SYSTEM_NUMA_PROXIMITY_MAP - SystemDynamicTimeZoneInformation, // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) - SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation - SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION - SystemProcessorBrandString, // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 - SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation - SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // KeQueryLogicalProcessorRelationship - SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) - SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation - SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110 - SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege) - SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION - SystemCpuQuotaInformation, // q; s: PS_CPU_QUOTA_QUERY_INFORMATION - SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS - SystemLowPriorityIoInformation, // q: 
SYSTEM_LOW_PRIORITY_IO_INFORMATION - SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation - SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION - SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) - SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 - SystemNodeDistanceInformation, // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber) - SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 - SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation - SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 - SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8 - SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) - SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION - SystemBadPageInformation, // SYSTEM_BAD_PAGE_INFORMATION - SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA - SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130 - SystemEntropyInterruptTimingInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION - SystemConsoleInformation, // q; s: SYSTEM_CONSOLE_INFORMATION - SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) - SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) - SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION - 
SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION - SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION - SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION - SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION - SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140 - SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // since WINBLUE - SystemCriticalProcessErrorLogInformation, - SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION - SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX - SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION - SystemEntropyInterruptTimingRawInformation, - SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION - SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) - SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX - SystemBootMetadataInformation, // 150 - SystemSoftRebootInformation, // q: ULONG - SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION - SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 - SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION - SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives) - SystemEdidInformation, // q: SYSTEM_EDID_INFORMATION - SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD - SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION - SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION - SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // 160 - 
SystemVmGenerationCountInformation, - SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION - SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS - SystemCodeIntegrityPolicyInformation, // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION - SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION - SystemHardwareSecurityTestInterfaceResultsInformation, - SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION - SystemAllowedCpuSetsInformation, // s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION - SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) - SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 - SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION - SystemCodeIntegrityPolicyFullInformation, - SystemAffinitizedInterruptProcessorInformation, // (requires SeIncreaseBasePriorityPrivilege) - SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION - SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 - SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION - SystemWin32WerStartCallout, - SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION - SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE - SystemInterruptSteeringInformation, // q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT // NtQuerySystemInformationEx // 180 - SystemSupportedProcessorArchitectures, // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx - SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION - SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION - SystemPhysicalMemoryInformation, // q: 
SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2 - SystemControlFlowTransition, // (Warbird/Encrypt/Decrypt/Execute) - SystemKernelDebuggingAllowed, // s: ULONG - SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE - SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS - SystemCodeIntegrityPoliciesFullInformation, - SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190 - SystemIntegrityQuotaInformation, - SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION - SystemProcessorIdleMaskInformation, // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3 - SystemSecureDumpEncryptionInformation, - SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION - SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION - SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4 - SystemFirmwareBootPerformanceInformation, - SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION - SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200 - SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above. 
- SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
- SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
- SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
- SystemCodeIntegrityUnlockModeInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
- SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
- SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION
- SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
- SystemCodeIntegritySyntheticCacheInformation,
- SystemFeatureConfigurationInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE // NtQuerySystemInformationEx // since 20H1 // 210
- SystemFeatureConfigurationSectionInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION // NtQuerySystemInformationEx
- SystemFeatureUsageSubscriptionInformation, // q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE
- SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION
- SystemSpacesBootInformation, // since 20H2
- SystemFwRamdiskInformation, // SYSTEM_FIRMWARE_RAMDISK_INFORMATION
- SystemWheaIpmiHardwareInformation,
- SystemDifSetRuleClassInformation, // SYSTEM_DIF_VOLATILE_INFORMATION
- SystemDifClearRuleClassInformation,
- SystemDifApplyPluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION
- SystemDifRemovePluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION // 220
- SystemShadowStackInformation, // SYSTEM_SHADOW_STACK_INFORMATION
- SystemBuildVersionInformation, // q: in: ULONG (LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION // NtQuerySystemInformationEx // 222
- SystemPoolLimitInformation, // SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege)
- SystemCodeIntegrityAddDynamicStore,
- SystemCodeIntegrityClearDynamicStores,
- SystemDifPoolTrackingInformation,
- SystemPoolZeroingInformation, // q: SYSTEM_POOL_ZEROING_INFORMATION
- SystemDpcWatchdogInformation, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION
- SystemDpcWatchdogInformation2, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2
- SystemSupportedProcessorArchitectures2, // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230
- SystemSingleProcessorRelationshipInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor)
- SystemXfgCheckFailureInformation, // q: SYSTEM_XFG_FAILURE_INFORMATION
- SystemIommuStateInformation, // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1
- SystemHypervisorMinrootInformation, // SYSTEM_HYPERVISOR_MINROOT_INFORMATION
- SystemHypervisorBootPagesInformation, // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION
- SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION
- SystemSecureKernelDebuggerInformation,
- SystemOriginalImageFeatureInformation, // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx
- SystemMemoryNumaInformation, // SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT
- SystemMemoryNumaPerformanceInformation, // SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240
- SystemCodeIntegritySignedPoliciesFullInformation,
- SystemSecureSecretsInformation,
- SystemTrustedAppsRuntimeInformation, // SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION
- SystemBadPageInformationEx, // SYSTEM_BAD_PAGE_INFORMATION
- SystemResourceDeadlockTimeout, // ULONG
- SystemBreakOnContextUnwindFailureInformation, // ULONG (requires SeDebugPrivilege)
- SystemOslRamdiskInformation, // SYSTEM_OSL_RAMDISK_INFORMATION
- MaxSystemInfoClass
+ SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
+ SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
+ SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
+ SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
+ SystemPathInformation, // not implemented
+ SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
+ SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
+ SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
+ SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup)
+ SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
+ SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
+ SystemModuleInformation, // q: RTL_PROCESS_MODULES
+ SystemLocksInformation, // q: RTL_PROCESS_LOCKS
+ SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
+ SystemPagedPoolInformation, // not implemented
+ SystemNonPagedPoolInformation, // not implemented
+ SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
+ SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
+ SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
+ SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO
+ SystemVdmBopInformation, // not implemented // 20
+ SystemFileCacheInformation,
+ // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
+ SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
+ SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup)
+ SystemDpcBehaviorInformation,
+ // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
+ SystemFullMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
+ SystemLoadGdiDriverInformation, // s (kernel-mode only)
+ SystemUnloadGdiDriverInformation, // s (kernel-mode only)
+ SystemTimeAdjustmentInformation,
+ // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
+ SystemSummaryMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
+ SystemMirrorMemoryInformation,
+ // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
+ SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
+ SystemObsolete0, // not implemented
+ SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
+ SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege)
+ SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
+ SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
+ SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
+ SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
+ SystemPrioritySeperation, // s (requires SeTcbPrivilege)
+ SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
+ SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
+ SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup)
+ SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
+ SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
+ SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
+ SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege)
+ SystemSessionCreate, // not implemented
+ SystemSessionDetach, // not implemented
+ SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
+ SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
+ SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
+ SystemVerifierThunkExtend, // s (kernel-mode only)
+ SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
+ SystemLoadGdiDriverInSystemSpace,
+ // s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation)
+ SystemNumaProcessorMap, // q: SYSTEM_NUMA_INFORMATION
+ SystemPrefetcherInformation, // q; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
+ SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
+ SystemRecommendedSharedDataAlignment, // q: ULONG // KeGetRecommendedSharedDataAlignment
+ SystemComPlusPackage, // q; s: ULONG
+ SystemNumaAvailableMemory, // q: SYSTEM_NUMA_INFORMATION // 60
+ SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup)
+ SystemEmulationBasicInformation, // q: SYSTEM_BASIC_INFORMATION
+ SystemEmulationProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
+ SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
+ SystemLostDelayedWriteInformation, // q: ULONG
+ SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
+ SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
+ SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
+ SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
+ SystemObjectSecurityMode, // q: ULONG // 70
+ SystemWatchdogTimerHandler, // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only)
+ SystemWatchdogTimerInformation, // q: SYSTEM_WATCHDOG_TIMER_INFORMATION // (kernel-mode only)
+ SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup)
+ SystemWow64SharedInformationObsolete, // not implemented
+ SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only)
+ SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
+ SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
+ SystemVerifierTriageInformation, // not implemented
+ SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
+ SystemMemoryListInformation,
+ // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
+ SystemFileCacheInformationEx,
+ // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
+ SystemThreadPriorityClientIdInformation,
+ // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
+ SystemProcessorIdleCycleTimeInformation,
+ // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup)
+ SystemVerifierCancellationInformation,
+ // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation
+ SystemProcessorPowerInformationEx, // not implemented
+ SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
+ SystemSpecialPoolInformation,
+ // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
+ SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
+ SystemErrorPortInformation, // s (requires SeTcbPrivilege)
+ SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
+ SystemHypervisorInformation, // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION
+ SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
+ SystemTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
+ SystemImageFileExecutionOptionsInformation,
+ // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
+ SystemCoverageInformation,
+ // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege)
+ SystemPrefetchPatchInformation, // SYSTEM_PREFETCH_PATCH_INFORMATION
+ SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege)
+ SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
+ SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
+ SystemProcessorPerformanceDistribution,
+ // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // 100
+ SystemNumaProximityNodeInformation, // q; s: SYSTEM_NUMA_PROXIMITY_MAP
+ SystemDynamicTimeZoneInformation, // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
+ SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
+ SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION
+ SystemProcessorBrandString, // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
+ SystemVirtualAddressInformation,
+ // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
+ SystemLogicalProcessorAndGroupInformation,
+ // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // KeQueryLogicalProcessorRelationship
+ SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup)
+ SystemStoreInformation,
+ // q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation
+ SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
+ SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
+ SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
+ SystemCpuQuotaInformation, // q; s: PS_CPU_QUOTA_QUERY_INFORMATION
+ SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION
+ SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS
+ SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
+ SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
+ SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
+ SystemPagedPoolInformationEx,
+ // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
+ SystemSystemPtesInformationEx,
+ // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
+ SystemNodeDistanceInformation, // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber)
+ SystemAcpiAuditInformation,
+ // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
+ SystemBasicPerformanceInformation,
+ // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
+ SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
+ SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
+ SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
+ SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
+ SystemBadPageInformation, // SYSTEM_BAD_PAGE_INFORMATION
+ SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
+ SystemCombinePhysicalMemoryInformation,
+ // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
+ SystemEntropyInterruptTimingInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION
+ SystemConsoleInformation, // q; s: SYSTEM_CONSOLE_INFORMATION
+ SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege)
+ SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute)
+ SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
+ SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
+ SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
+ SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
+ SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
+ SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
+ SystemProcessorPerformanceInformationEx,
+ // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // since WINBLUE
+ SystemCriticalProcessErrorLogInformation,
+ SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
+ SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
+ SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
+ SystemEntropyInterruptTimingRawInformation,
+ SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
+ SystemFullProcessInformation,
+ // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
+ SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
+ SystemBootMetadataInformation, // 150
+ SystemSoftRebootInformation, // q: ULONG
+ SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
+ SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2
+ SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
+ SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives)
+ SystemEdidInformation, // q: SYSTEM_EDID_INFORMATION
+ SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
+ SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
+ SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
+ SystemProcessorCycleStatsInformation,
+ // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // 160
+ SystemVmGenerationCountInformation,
+ SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
+ SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS
+ SystemCodeIntegrityPolicyInformation, // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
+ SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
+ SystemHardwareSecurityTestInterfaceResultsInformation,
+ SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
+ SystemAllowedCpuSetsInformation, // s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION
+ SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
+ SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
+ SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
+ SystemCodeIntegrityPolicyFullInformation,
+ SystemAffinitizedInterruptProcessorInformation, // (requires SeIncreaseBasePriorityPrivilege)
+ SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
+ SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
+ SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
+ SystemWin32WerStartCallout,
+ SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
+ SystemCodeIntegrityPlatformManifestInformation,
+ // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
+ SystemInterruptSteeringInformation,
+ // q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT // NtQuerySystemInformationEx // 180
+ SystemSupportedProcessorArchitectures,
+ // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx
+ SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
+ SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
+ SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
+ SystemControlFlowTransition, // (Warbird/Encrypt/Decrypt/Execute)
+ SystemKernelDebuggingAllowed, // s: ULONG
+ SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
+ SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
+ SystemCodeIntegrityPoliciesFullInformation,
+ SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
+ SystemIntegrityQuotaInformation,
+ SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
+ SystemProcessorIdleMaskInformation, // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3
+ SystemSecureDumpEncryptionInformation,
+ SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
+ SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
+ SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
+ SystemFirmwareBootPerformanceInformation,
+ SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
+ SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200
+ SystemSpeculationControlInformation,
+ // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
+ SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
+ SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
+ SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
+ SystemCodeIntegrityUnlockModeInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
+ SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
+ SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION
+ SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
+ SystemCodeIntegritySyntheticCacheInformation,
+ SystemFeatureConfigurationInformation,
+ // q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE // NtQuerySystemInformationEx // since 20H1 // 210
+ SystemFeatureConfigurationSectionInformation,
+ // q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION // NtQuerySystemInformationEx
+ SystemFeatureUsageSubscriptionInformation,
+ // q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE
+ SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION
+ SystemSpacesBootInformation, // since 20H2
+ SystemFwRamdiskInformation, // SYSTEM_FIRMWARE_RAMDISK_INFORMATION
+ SystemWheaIpmiHardwareInformation,
+ SystemDifSetRuleClassInformation, // SYSTEM_DIF_VOLATILE_INFORMATION
+ SystemDifClearRuleClassInformation,
+ SystemDifApplyPluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION
+ SystemDifRemovePluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION // 220
+ SystemShadowStackInformation, // SYSTEM_SHADOW_STACK_INFORMATION
+ SystemBuildVersionInformation,
+ // q: in: ULONG (LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION // NtQuerySystemInformationEx // 222
+ SystemPoolLimitInformation, // SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege)
+ SystemCodeIntegrityAddDynamicStore,
+ SystemCodeIntegrityClearDynamicStores,
+ SystemDifPoolTrackingInformation,
+ SystemPoolZeroingInformation, // q: SYSTEM_POOL_ZEROING_INFORMATION
+ SystemDpcWatchdogInformation, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION
+ SystemDpcWatchdogInformation2, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2
+ SystemSupportedProcessorArchitectures2,
+ // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230
+ SystemSingleProcessorRelationshipInformation,
+ // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor)
+ SystemXfgCheckFailureInformation, // q: SYSTEM_XFG_FAILURE_INFORMATION
+ SystemIommuStateInformation, // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1
+ SystemHypervisorMinrootInformation, // SYSTEM_HYPERVISOR_MINROOT_INFORMATION
+ SystemHypervisorBootPagesInformation, // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION
+ SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION
+ SystemSecureKernelDebuggerInformation,
+ SystemOriginalImageFeatureInformation,
+ // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx
+ SystemMemoryNumaInformation, // SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT
+ SystemMemoryNumaPerformanceInformation,
+ // SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240
+ SystemCodeIntegritySignedPoliciesFullInformation,
+ SystemSecureSecretsInformation,
+ SystemTrustedAppsRuntimeInformation, // SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION
+ SystemBadPageInformationEx, // SYSTEM_BAD_PAGE_INFORMATION
+ SystemResourceDeadlockTimeout, // ULONG
+ SystemBreakOnContextUnwindFailureInformation, // ULONG (requires SeDebugPrivilege)
+ SystemOslRamdiskInformation, // SYSTEM_OSL_RAMDISK_INFORMATION
+ MaxSystemInfoClass
 } SYSTEM_INFORMATION_CLASS;
 #ifndef OS_WINDOWS
@@ -331,170 +368,172 @@ typedef enum _TOKEN_INFORMATION_CLASS
 typedef enum _PROCESSINFOCLASS
 {
- ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
- ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
- ProcessIoCounters, // q: IO_COUNTERS
- ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2
- ProcessTimes, // q: KERNEL_USER_TIMES
- ProcessBasePriority, // s: KPRIORITY
- ProcessRaisePriority, // s: ULONG
- ProcessDebugPort, // q: HANDLE
- ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege)
- ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
- ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10
- ProcessLdtSize, // s: PROCESS_LDT_SIZE
- ProcessDefaultHardErrorMode, // qs: ULONG
- ProcessIoPortHandlers, // (kernel-mode only) // s: PROCESS_IO_PORT_HANDLER_INFORMATION
- ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
- ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
- ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege)
- ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
- ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
- ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed)
- ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20
- ProcessAffinityMask, // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY
- ProcessPriorityBoost, // qs: ULONG
- ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
- ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
- ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
- ProcessWow64Information, // q: ULONG_PTR
- ProcessImageFileName, // q: UNICODE_STRING
- ProcessLUIDDeviceMapsEnabled, // q: ULONG
- ProcessBreakOnTermination, // qs: ULONG
- ProcessDebugObjectHandle, // q: HANDLE // 30
- ProcessDebugFlags, // qs: ULONG
- ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: PROCESS_HANDLE_TRACING_ENABLE[_EX] or void to disable
- ProcessIoPriority, // qs: IO_PRIORITY_HINT
- ProcessExecuteFlags, // qs: ULONG (MEM_EXECUTE_OPTION_*)
- ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement
- ProcessCookie, // q: ULONG
- ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
- ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
- ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION
- ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40
- ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
- ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]; s: void
- ProcessImageFileNameWin32, // q: UNICODE_STRING
- ProcessImageFileMapping, // q: HANDLE (input)
- ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
- ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
- ProcessGroupInformation, // q: USHORT[]
- ProcessTokenVirtualizationEnabled, // s: ULONG
- ProcessConsoleHostProcess, // qs: ULONG_PTR // ProcessOwnerInformation
- ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50
- ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
- ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
- ProcessDynamicFunctionTableInformation, // s: PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION
- ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables
- ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
- ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
- ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL (requires SeDebugPrivilege)
- ProcessHandleTable, // q: ULONG[] // since WINBLUE
- ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG)
- ProcessCommandLineInformation, // q: UNICODE_STRING // 60
- ProcessProtectionInformation, // q: PS_PROTECTION
- ProcessMemoryExhaustion, // s: PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD
- ProcessFaultInformation, // s: PROCESS_FAULT_INFORMATION
- ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION
- ProcessCommitReleaseInformation, // qs: PROCESS_COMMIT_RELEASE_INFORMATION
- ProcessDefaultCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5]
- ProcessAllowedCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5]
- ProcessSubsystemProcess,
- ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO
- ProcessInPrivate, // q: BOOLEAN; s: void // ETW // since THRESHOLD2 // 70
- ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables
- ProcessIumChallengeResponse,
- ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION
- ProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege)
- ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
- ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES
- ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE
- ProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY
- ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER
- ProcessDisableSystemAllowedCpuSets, // s: BOOLEAN // 80
- ProcessWakeInformation, // q: PROCESS_WAKE_INFORMATION
- ProcessEnergyTrackingState, // qs: PROCESS_ENERGY_TRACKING_STATE
- ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
- ProcessCaptureTrustletLiveDump,
- ProcessTelemetryCoverage, // q: TELEMETRY_COVERAGE_HEADER; s: TELEMETRY_COVERAGE_POINT
- ProcessEnclaveInformation,
- ProcessEnableReadWriteVmLogging, // qs: PROCESS_READWRITEVM_LOGGING_INFORMATION
- ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION
- ProcessImageSection, // q: HANDLE
- ProcessDebugAuthInformation, // since REDSTONE4 // 90
- ProcessSystemResourceManagement, // s: PROCESS_SYSTEM_RESOURCE_MANAGEMENT
- ProcessSequenceNumber, // q: ULONGLONG
- ProcessLoaderDetour, // since REDSTONE5
- ProcessSecurityDomainInformation, // q: PROCESS_SECURITY_DOMAIN_INFORMATION
- ProcessCombineSecurityDomainsInformation, // s: PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION
- ProcessEnableLogging, // qs: PROCESS_LOGGING_INFORMATION
- ProcessLeapSecondInformation, // qs: PROCESS_LEAP_SECOND_INFORMATION
- ProcessFiberShadowStackAllocation, // s: PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1
- ProcessFreeFiberShadowStackAllocation, // s: PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
- ProcessAltSystemCallInformation, // s: PROCESS_SYSCALL_PROVIDER_INFORMATION // since 20H1 // 100
- ProcessDynamicEHContinuationTargets, // s: PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION
- ProcessDynamicEnforcedCetCompatibleRanges, // s: PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2
- ProcessCreateStateChange, // since WIN11
- ProcessApplyStateChange,
- ProcessEnableOptionalXStateFeatures, // s: ULONG64 // optional XState feature bitmask
- ProcessAltPrefetchParam, // qs: OVERRIDE_PREFETCH_PARAMETER // App Launch Prefetch (ALPF) // since 22H1
- ProcessAssignCpuPartitions,
- ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX
- ProcessMembershipInformation, // q: PROCESS_MEMBERSHIP_INFORMATION
- ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT // 110
- ProcessEffectivePagePriority, // q: ULONG
- ProcessSchedulerSharedData, // since 24H2
- ProcessSlistRollbackInformation,
- ProcessNetworkIoCounters, // q: PROCESS_NETWORK_COUNTERS
- ProcessFindFirstThreadByTebValue, // PROCESS_TEB_VALUE_INFORMATION
- MaxProcessInfoClass
+ ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
+ ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
+ ProcessIoCounters, // q: IO_COUNTERS
+ ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2
+ ProcessTimes, // q: KERNEL_USER_TIMES
+ ProcessBasePriority, // s: KPRIORITY
+ ProcessRaisePriority, // s: ULONG
+ ProcessDebugPort, // q: HANDLE
+ ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege)
+ ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
+ ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10
+ ProcessLdtSize, // s: PROCESS_LDT_SIZE
+ ProcessDefaultHardErrorMode, // qs: ULONG
+ ProcessIoPortHandlers, // (kernel-mode only) // s: PROCESS_IO_PORT_HANDLER_INFORMATION
+ ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
+ ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
+ ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege)
+ ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
+ ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
+ ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed)
+ ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20
+ ProcessAffinityMask, // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY
+ ProcessPriorityBoost, // qs: ULONG
+ ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
+ ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
+ ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
+ ProcessWow64Information, // q: ULONG_PTR
+ ProcessImageFileName, // q: UNICODE_STRING
+ ProcessLUIDDeviceMapsEnabled, // q: ULONG
+ ProcessBreakOnTermination, // qs: ULONG
+ ProcessDebugObjectHandle, // q: HANDLE // 30
+ ProcessDebugFlags, // qs: ULONG
+ ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: PROCESS_HANDLE_TRACING_ENABLE[_EX] or void to disable
+ ProcessIoPriority, // qs: IO_PRIORITY_HINT
+ ProcessExecuteFlags, // qs: ULONG (MEM_EXECUTE_OPTION_*)
+ ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement
+ ProcessCookie, // q: ULONG
+ ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
+ ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
+ ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION
+ ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40
+ ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
+ ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]; s: void
+ ProcessImageFileNameWin32, // q: UNICODE_STRING
+ ProcessImageFileMapping, // q: HANDLE (input)
+ ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
+ ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
+ ProcessGroupInformation, // q: USHORT[]
+ ProcessTokenVirtualizationEnabled, // s: ULONG
+ ProcessConsoleHostProcess, // qs: ULONG_PTR // ProcessOwnerInformation
+ ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50
+ ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
+ ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
+ ProcessDynamicFunctionTableInformation, // s: PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION
+ ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables
+ ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
+ ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
+ ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL (requires SeDebugPrivilege)
+ ProcessHandleTable, // q: ULONG[] // since WINBLUE
+ ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG)
+ ProcessCommandLineInformation, // q: UNICODE_STRING // 60
+ ProcessProtectionInformation, // q: PS_PROTECTION
+ ProcessMemoryExhaustion, // s: PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD
+ ProcessFaultInformation, // s: PROCESS_FAULT_INFORMATION
+ ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION
+ ProcessCommitReleaseInformation, // qs: PROCESS_COMMIT_RELEASE_INFORMATION
+ ProcessDefaultCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5]
+ ProcessAllowedCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5]
+ ProcessSubsystemProcess,
+ ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO
+ ProcessInPrivate, // q: BOOLEAN; s: void // ETW // since THRESHOLD2 // 70
+ ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables
+ ProcessIumChallengeResponse,
+ ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION
+ ProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege)
+ ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
+ ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES
+ ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE
+ ProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY
+ ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER
+ ProcessDisableSystemAllowedCpuSets, // s: BOOLEAN // 80
+ ProcessWakeInformation, // q: PROCESS_WAKE_INFORMATION
+ ProcessEnergyTrackingState, // qs: PROCESS_ENERGY_TRACKING_STATE
+ ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
+ ProcessCaptureTrustletLiveDump,
+ ProcessTelemetryCoverage, // q: TELEMETRY_COVERAGE_HEADER; s: TELEMETRY_COVERAGE_POINT
+ ProcessEnclaveInformation,
+ ProcessEnableReadWriteVmLogging, // qs: PROCESS_READWRITEVM_LOGGING_INFORMATION
+ ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION
+ ProcessImageSection, // q: HANDLE
+ ProcessDebugAuthInformation, // since REDSTONE4 // 90
+ ProcessSystemResourceManagement, // s: PROCESS_SYSTEM_RESOURCE_MANAGEMENT
+ ProcessSequenceNumber, // q: ULONGLONG
+ ProcessLoaderDetour, // since REDSTONE5
+ ProcessSecurityDomainInformation, // q: PROCESS_SECURITY_DOMAIN_INFORMATION
+ ProcessCombineSecurityDomainsInformation, // s: PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION
+ ProcessEnableLogging, // qs: PROCESS_LOGGING_INFORMATION
+ ProcessLeapSecondInformation, // qs: PROCESS_LEAP_SECOND_INFORMATION
+ ProcessFiberShadowStackAllocation, // s: PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1
+ ProcessFreeFiberShadowStackAllocation, // s: PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
+ ProcessAltSystemCallInformation, // s: PROCESS_SYSCALL_PROVIDER_INFORMATION // since 20H1 // 100
+ ProcessDynamicEHContinuationTargets, // s: PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION
+ ProcessDynamicEnforcedCetCompatibleRanges, // s: PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2
+ ProcessCreateStateChange, // since WIN11
+ ProcessApplyStateChange,
+ ProcessEnableOptionalXStateFeatures, // s: ULONG64 // optional XState feature bitmask
+ ProcessAltPrefetchParam, // qs: OVERRIDE_PREFETCH_PARAMETER // App Launch Prefetch (ALPF) // since 22H1
+ ProcessAssignCpuPartitions,
+ ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX
+ ProcessMembershipInformation, // q: PROCESS_MEMBERSHIP_INFORMATION
+ ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT // 110
+ ProcessEffectivePagePriority, // q: ULONG
+ ProcessSchedulerSharedData, // since 24H2
+ ProcessSlistRollbackInformation,
+ ProcessNetworkIoCounters, // q: PROCESS_NETWORK_COUNTERS
+ ProcessFindFirstThreadByTebValue, // PROCESS_TEB_VALUE_INFORMATION
+ MaxProcessInfoClass
 } PROCESSINFOCLASS;
 typedef enum _PS_ATTRIBUTE_NUM
 {
- PsAttributeParentProcess, // in HANDLE
- PsAttributeDebugObject, // in HANDLE
- PsAttributeToken, // in HANDLE
- PsAttributeClientId, // out PCLIENT_ID
- PsAttributeTebAddress, // out PTEB *
- PsAttributeImageName, // in PWSTR
- PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION
- PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE
- PsAttributePriorityClass, // in UCHAR
- PsAttributeErrorMode, // in ULONG
- PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO
- PsAttributeHandleList, // in HANDLE[]
- PsAttributeGroupAffinity, // in PGROUP_AFFINITY
- PsAttributePreferredNode, // in
PUSHORT - PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER - PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES - PsAttributeMitigationOptions, // in PPS_MITIGATION_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_POLICY_*) // since WIN8 - PsAttributeProtectionLevel, // in PS_PROTECTION // since WINBLUE - PsAttributeSecureProcess, // in PPS_TRUSTLET_CREATE_ATTRIBUTES, since THRESHOLD - PsAttributeJobList, // in HANDLE[] - PsAttributeChildProcessPolicy, // 20, in PULONG (PROCESS_CREATION_CHILD_PROCESS_*) // since THRESHOLD2 - PsAttributeAllApplicationPackagesPolicy, // in PULONG (PROCESS_CREATION_ALL_APPLICATION_PACKAGES_*) // since REDSTONE - PsAttributeWin32kFilter, // in PWIN32K_SYSCALL_FILTER - PsAttributeSafeOpenPromptOriginClaim, // in SE_SAFE_OPEN_PROMPT_RESULTS - PsAttributeBnoIsolation, // in PPS_BNO_ISOLATION_PARAMETERS // since REDSTONE2 - PsAttributeDesktopAppPolicy, // in PULONG (PROCESS_CREATION_DESKTOP_APP_*) - PsAttributeChpe, // in BOOLEAN // since REDSTONE3 - PsAttributeMitigationAuditOptions, // in PPS_MITIGATION_AUDIT_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_AUDIT_POLICY_*) // since 21H1 - PsAttributeMachineType, // in USHORT // since 21H2 - PsAttributeComponentFilter, - PsAttributeEnableOptionalXStateFeatures, // since WIN11 - PsAttributeSupportedMachines, // since 24H2 - PsAttributeSveVectorLength, // PPS_PROCESS_CREATION_SVE_VECTOR_LENGTH - PsAttributeMax + PsAttributeParentProcess, // in HANDLE + PsAttributeDebugObject, // in HANDLE + PsAttributeToken, // in HANDLE + PsAttributeClientId, // out PCLIENT_ID + PsAttributeTebAddress, // out PTEB * + PsAttributeImageName, // in PWSTR + PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION + PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE + PsAttributePriorityClass, // in UCHAR + PsAttributeErrorMode, // in ULONG + PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO + PsAttributeHandleList, // in HANDLE[] + PsAttributeGroupAffinity, // in PGROUP_AFFINITY + PsAttributePreferredNode, // 
in PUSHORT + PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER + PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES + PsAttributeMitigationOptions, // in PPS_MITIGATION_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_POLICY_*) // since WIN8 + PsAttributeProtectionLevel, // in PS_PROTECTION // since WINBLUE + PsAttributeSecureProcess, // in PPS_TRUSTLET_CREATE_ATTRIBUTES, since THRESHOLD + PsAttributeJobList, // in HANDLE[] + PsAttributeChildProcessPolicy, // 20, in PULONG (PROCESS_CREATION_CHILD_PROCESS_*) // since THRESHOLD2 + PsAttributeAllApplicationPackagesPolicy, + // in PULONG (PROCESS_CREATION_ALL_APPLICATION_PACKAGES_*) // since REDSTONE + PsAttributeWin32kFilter, // in PWIN32K_SYSCALL_FILTER + PsAttributeSafeOpenPromptOriginClaim, // in SE_SAFE_OPEN_PROMPT_RESULTS + PsAttributeBnoIsolation, // in PPS_BNO_ISOLATION_PARAMETERS // since REDSTONE2 + PsAttributeDesktopAppPolicy, // in PULONG (PROCESS_CREATION_DESKTOP_APP_*) + PsAttributeChpe, // in BOOLEAN // since REDSTONE3 + PsAttributeMitigationAuditOptions, + // in PPS_MITIGATION_AUDIT_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_AUDIT_POLICY_*) // since 21H1 + PsAttributeMachineType, // in USHORT // since 21H2 + PsAttributeComponentFilter, + PsAttributeEnableOptionalXStateFeatures, // since WIN11 + PsAttributeSupportedMachines, // since 24H2 + PsAttributeSveVectorLength, // PPS_PROCESS_CREATION_SVE_VECTOR_LENGTH + PsAttributeMax } PS_ATTRIBUTE_NUM; struct SYSTEM_PROCESSOR_INFORMATION64 { - USHORT ProcessorArchitecture; - USHORT ProcessorLevel; - USHORT ProcessorRevision; - USHORT MaximumProcessors; - ULONG ProcessorFeatureBits; + USHORT ProcessorArchitecture; + USHORT ProcessorLevel; + USHORT ProcessorRevision; + USHORT MaximumProcessors; + ULONG ProcessorFeatureBits; }; #ifndef OS_WINDOWS 
@@ -525,101 +564,109 @@ typedef struct _XMM_SAVE_AREA32 { #endif -typedef struct _NEON128 { - ULONGLONG Low; - LONGLONG High; +typedef struct _NEON128 +{ + ULONGLONG Low; + LONGLONG High; } NEON128; -typedef struct DECLSPEC_ALIGN(16) _CONTEXT64 { - DWORD64 P1Home; - DWORD64 P2Home; - DWORD64 P3Home; - DWORD64 P4Home; - DWORD64 P5Home; - DWORD64 P6Home; - DWORD ContextFlags; - DWORD MxCsr; - WORD SegCs; - WORD SegDs; - WORD SegEs; - WORD SegFs; - WORD SegGs; - WORD SegSs; - DWORD EFlags; - DWORD64 Dr0; - DWORD64 Dr1; - DWORD64 Dr2; - DWORD64 Dr3; - DWORD64 Dr6; - DWORD64 Dr7; - DWORD64 Rax; - DWORD64 Rcx; - DWORD64 Rdx; - DWORD64 Rbx; - DWORD64 Rsp; - DWORD64 Rbp; - DWORD64 Rsi; - DWORD64 Rdi; - DWORD64 R8; - DWORD64 R9; - DWORD64 R10; - DWORD64 R11; - DWORD64 R12; - DWORD64 R13; - DWORD64 R14; - DWORD64 R15; - DWORD64 Rip; - union { - XMM_SAVE_AREA32 FltSave; - NEON128 Q[16]; - ULONGLONG D[32]; - struct { - M128A Header[2]; - M128A Legacy[8]; - M128A Xmm0; - M128A Xmm1; - M128A Xmm2; - M128A Xmm3; - M128A Xmm4; - M128A Xmm5; - M128A Xmm6; - M128A Xmm7; - M128A Xmm8; - M128A Xmm9; - M128A Xmm10; - M128A Xmm11; - M128A Xmm12; - M128A Xmm13; - M128A Xmm14; - M128A Xmm15; - }; - DWORD S[32]; - }; - M128A VectorRegister[26]; - DWORD64 VectorControl; - DWORD64 DebugControl; - DWORD64 LastBranchToRip; - DWORD64 LastBranchFromRip; - DWORD64 LastExceptionToRip; - DWORD64 LastExceptionFromRip; +typedef struct DECLSPEC_ALIGN(16) _CONTEXT64 +{ + DWORD64 P1Home; + DWORD64 P2Home; + DWORD64 P3Home; + DWORD64 P4Home; + DWORD64 P5Home; + DWORD64 P6Home; + DWORD ContextFlags; + DWORD MxCsr; + WORD SegCs; + WORD SegDs; + WORD SegEs; + WORD SegFs; + WORD SegGs; + WORD SegSs; + DWORD EFlags; + DWORD64 Dr0; + DWORD64 Dr1; + DWORD64 Dr2; + DWORD64 Dr3; + DWORD64 Dr6; + DWORD64 Dr7; + DWORD64 Rax; + DWORD64 Rcx; + DWORD64 Rdx; + DWORD64 Rbx; + DWORD64 Rsp; + DWORD64 Rbp; + DWORD64 Rsi; + DWORD64 Rdi; + DWORD64 R8; + DWORD64 R9; + DWORD64 R10; + DWORD64 R11; + DWORD64 R12; + DWORD64 R13; 
+ DWORD64 R14; + DWORD64 R15; + DWORD64 Rip; + + union + { + XMM_SAVE_AREA32 FltSave; + NEON128 Q[16]; + ULONGLONG D[32]; + + struct + { + M128A Header[2]; + M128A Legacy[8]; + M128A Xmm0; + M128A Xmm1; + M128A Xmm2; + M128A Xmm3; + M128A Xmm4; + M128A Xmm5; + M128A Xmm6; + M128A Xmm7; + M128A Xmm8; + M128A Xmm9; + M128A Xmm10; + M128A Xmm11; + M128A Xmm12; + M128A Xmm13; + M128A Xmm14; + M128A Xmm15; + }; + + DWORD S[32]; + }; + + M128A VectorRegister[26]; + DWORD64 VectorControl; + DWORD64 DebugControl; + DWORD64 LastBranchToRip; + DWORD64 LastBranchFromRip; + DWORD64 LastExceptionToRip; + DWORD64 LastExceptionFromRip; } CONTEXT64, *PCONTEXT64; template struct EMU_EXCEPTION_RECORD { - DWORD ExceptionCode; - DWORD ExceptionFlags; - EMULATOR_CAST(typename Traits::PVOID, struct EMU_EXCEPTION_RECORD *) ExceptionRecord; - typename Traits::PVOID ExceptionAddress; - DWORD NumberParameters; - typename Traits::ULONG_PTR ExceptionInformation[15]; + DWORD ExceptionCode; + DWORD ExceptionFlags; + EMULATOR_CAST(typename Traits::PVOID, struct EMU_EXCEPTION_RECORD *) ExceptionRecord; + typename Traits::PVOID ExceptionAddress; + DWORD NumberParameters; + typename Traits::ULONG_PTR ExceptionInformation[15]; }; template struct EMU_EXCEPTION_POINTERS { - EMULATOR_CAST(typename Traits::PVOID, EMU_EXCEPTION_RECORD*) ExceptionRecord; - EMULATOR_CAST(typename Traits::PVOID, CONTEXT64* or CONTEXT32*) ContextRecord; + EMULATOR_CAST(typename Traits::PVOID, EMU_EXCEPTION_RECORD*) ExceptionRecord; + EMULATOR_CAST(typename Traits::PVOID, CONTEXT64* or CONTEXT32*) ContextRecord; }; #define MAXIMUM_NODE_COUNT64 0x40 
@@ -627,65 +674,70 @@ struct EMU_EXCEPTION_POINTERS struct EMU_GROUP_AFFINITY64 { - EMULATOR_CAST(std::uint64_t, KAFFINITY) Mask; - WORD Group; - WORD Reserved[3]; + EMULATOR_CAST(std::uint64_t, KAFFINITY) Mask; + WORD Group; + WORD Reserved[3]; }; typedef struct _SYSTEM_NUMA_INFORMATION64 { - ULONG HighestNodeNumber; - ULONG Reserved; - union - { - EMU_GROUP_AFFINITY64 ActiveProcessorsGroupAffinity[MAXIMUM_NODE_COUNT64]; - ULONGLONG AvailableMemory[MAXIMUM_NODE_COUNT64]; - ULONGLONG Pad[MAXIMUM_NODE_COUNT64 * 2]; - }; + ULONG HighestNodeNumber; + ULONG Reserved; + + union + { + EMU_GROUP_AFFINITY64 ActiveProcessorsGroupAffinity[MAXIMUM_NODE_COUNT64]; + ULONGLONG AvailableMemory[MAXIMUM_NODE_COUNT64]; + ULONGLONG Pad[MAXIMUM_NODE_COUNT64 * 2]; + }; } SYSTEM_NUMA_INFORMATION64, *PSYSTEM_NUMA_INFORMATION64; typedef struct _SYSTEM_ERROR_PORT_TIMEOUTS { - ULONG StartTimeout; - ULONG CommTimeout; + ULONG StartTimeout; + ULONG CommTimeout; } SYSTEM_ERROR_PORT_TIMEOUTS, *PSYSTEM_ERROR_PORT_TIMEOUTS; typedef struct _SYSTEM_BASIC_INFORMATION64 { - ULONG Reserved; - ULONG TimerResolution; - ULONG PageSize; - ULONG NumberOfPhysicalPages; - ULONG LowestPhysicalPageNumber; - ULONG HighestPhysicalPageNumber; - ULONG AllocationGranularity; - EMULATOR_CAST(EmulatorTraits::PVOID, ULONG_PTR) MinimumUserModeAddress; - EMULATOR_CAST(EmulatorTraits::PVOID, ULONG_PTR) MaximumUserModeAddress; - EMULATOR_CAST(EmulatorTraits::PVOID, KAFFINITY) ActiveProcessorsAffinityMask; - char NumberOfProcessors; + ULONG Reserved; + ULONG TimerResolution; + ULONG PageSize; + ULONG NumberOfPhysicalPages; + ULONG LowestPhysicalPageNumber; + ULONG HighestPhysicalPageNumber; + ULONG AllocationGranularity; + EMULATOR_CAST(EmulatorTraits::PVOID, ULONG_PTR) MinimumUserModeAddress; + EMULATOR_CAST(EmulatorTraits::PVOID, ULONG_PTR) MaximumUserModeAddress; + EMULATOR_CAST(EmulatorTraits::PVOID, KAFFINITY) ActiveProcessorsAffinityMask; + char NumberOfProcessors; } SYSTEM_BASIC_INFORMATION64, 
*PSYSTEM_BASIC_INFORMATION64; typedef struct _SYSTEM_RANGE_START_INFORMATION64 { - EmulatorTraits::SIZE_T SystemRangeStart; + EmulatorTraits::SIZE_T SystemRangeStart; } SYSTEM_RANGE_START_INFORMATION64, *PSYSTEM_RANGE_START_INFORMATION64; -struct SID_AND_ATTRIBUTES64 { - EMULATOR_CAST(EmulatorTraits::PVOID, PSID) Sid; - DWORD Attributes; +struct SID_AND_ATTRIBUTES64 +{ + EMULATOR_CAST(EmulatorTraits::PVOID, PSID) Sid; + DWORD Attributes; }; -struct TOKEN_USER64 { - SID_AND_ATTRIBUTES64 User; +struct TOKEN_USER64 +{ + SID_AND_ATTRIBUTES64 User; }; -struct TOKEN_BNO_ISOLATION_INFORMATION64 { - EmulatorTraits::PVOID IsolationPrefix; - BOOLEAN IsolationEnabled; +struct TOKEN_BNO_ISOLATION_INFORMATION64 +{ + EmulatorTraits::PVOID IsolationPrefix; + BOOLEAN IsolationEnabled; }; -struct TOKEN_MANDATORY_LABEL64 { - SID_AND_ATTRIBUTES64 Label; +struct TOKEN_MANDATORY_LABEL64 +{ + SID_AND_ATTRIBUTES64 Label; }; #ifndef OS_WINDOWS 
@@ -730,99 +782,109 @@ typedef struct _TOKEN_STATISTICS { typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION { - USHORT Version; - USHORT Reserved; - ULONG AttributeCount; - union - { - EmulatorTraits::PVOID pAttributeV1; - } Attribute; -} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, * PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; + USHORT Version; + USHORT Reserved; + ULONG AttributeCount; + + union + { + EmulatorTraits::PVOID pAttributeV1; + } Attribute; +} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; struct GDI_HANDLE_ENTRY64 { - union - { - EmulatorTraits::PVOID Object; - EmulatorTraits::PVOID NextFree; - }; - union - { - struct - { - USHORT ProcessId; - USHORT Lock : 1; - USHORT Count : 15; - }; - ULONG Value; - } Owner; - USHORT Unique; - UCHAR Type; - UCHAR Flags; - EmulatorTraits::PVOID UserPointer; + union + { + EmulatorTraits::PVOID Object; + EmulatorTraits::PVOID NextFree; + }; + + union + { + struct + { + USHORT ProcessId; + USHORT Lock : 1; + USHORT Count : 15; + }; + + ULONG Value; + } Owner; + + USHORT Unique; + UCHAR Type; + UCHAR Flags; + EmulatorTraits::PVOID UserPointer; }; #define GDI_MAX_HANDLE_COUNT 0xFFFF // 0x4000 struct GDI_SHARED_MEMORY64 { - GDI_HANDLE_ENTRY64 Handles[GDI_MAX_HANDLE_COUNT]; + GDI_HANDLE_ENTRY64 Handles[GDI_MAX_HANDLE_COUNT]; }; struct CLIENT_ID64 { - DWORD64 UniqueProcess; - DWORD64 UniqueThread; + DWORD64 UniqueProcess; + DWORD64 UniqueThread; }; struct PORT_MESSAGE64 { - union - { - struct - { - CSHORT DataLength; - CSHORT TotalLength; - } s1; - ULONG Length; - } u1; - union - { - struct - { - CSHORT Type; - CSHORT DataInfoOffset; - } s2; - ULONG ZeroInit; - } u2; - union - { - CLIENT_ID64 ClientId; - double DoNotUseThisField; - }; - ULONG MessageId; - union - { - EmulatorTraits::SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages - ULONG CallbackId; // only valid for LPC_REQUEST messages - }; + union + { + struct + { + CSHORT DataLength; + CSHORT TotalLength; + } s1; + + 
ULONG Length; + } u1; + + union + { + struct + { + CSHORT Type; + CSHORT DataInfoOffset; + } s2; + + ULONG ZeroInit; + } u2; + + union + { + CLIENT_ID64 ClientId; + double DoNotUseThisField; + }; + + ULONG MessageId; + + union + { + EmulatorTraits::SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages + ULONG CallbackId; // only valid for LPC_REQUEST messages + }; }; struct ALPC_MESSAGE_ATTRIBUTES { - ULONG AllocatedAttributes; - ULONG ValidAttributes; + ULONG AllocatedAttributes; + ULONG ValidAttributes; }; template struct PORT_DATA_ENTRY { - typename Traits::PVOID Base; - ULONG Size; + typename Traits::PVOID Base; + ULONG Size; }; - template -struct EMU_RTL_SRWLOCK { - typename Traits::PVOID Ptr; -}; \ No newline at end of file +struct EMU_RTL_SRWLOCK +{ + typename Traits::PVOID Ptr; +}; diff --git a/src/common/platform/registry.hpp b/src/common/platform/registry.hpp index a858c566..f77dd5d4 100644 --- a/src/common/platform/registry.hpp +++ b/src/common/platform/registry.hpp 
@@ -2,63 +2,63 @@ typedef enum _KEY_INFORMATION_CLASS { - KeyBasicInformation, // KEY_BASIC_INFORMATION - KeyNodeInformation, // KEY_NODE_INFORMATION - KeyFullInformation, // KEY_FULL_INFORMATION - KeyNameInformation, // KEY_NAME_INFORMATION - KeyCachedInformation, // KEY_CACHED_INFORMATION - KeyFlagsInformation, // KEY_FLAGS_INFORMATION - KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION - KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION - KeyTrustInformation, // KEY_TRUST_INFORMATION - KeyLayerInformation, // KEY_LAYER_INFORMATION - MaxKeyInfoClass + KeyBasicInformation, // KEY_BASIC_INFORMATION + KeyNodeInformation, // KEY_NODE_INFORMATION + KeyFullInformation, // KEY_FULL_INFORMATION + KeyNameInformation, // KEY_NAME_INFORMATION + KeyCachedInformation, // KEY_CACHED_INFORMATION + KeyFlagsInformation, // KEY_FLAGS_INFORMATION + KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION + KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION + KeyTrustInformation, // KEY_TRUST_INFORMATION + KeyLayerInformation, // KEY_LAYER_INFORMATION + MaxKeyInfoClass } KEY_INFORMATION_CLASS; typedef enum _KEY_VALUE_INFORMATION_CLASS { - KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION - KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION - KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION - KeyValueFullInformationAlign64, - KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 - KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION - MaxKeyValueInfoClass + KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION + KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION + KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 + KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION + MaxKeyValueInfoClass } KEY_VALUE_INFORMATION_CLASS; struct KEY_NAME_INFORMATION { - std::uint32_t 
NameLength;
- char16_t Name[1];
+ std::uint32_t NameLength;
+ char16_t Name[1];
 };
 struct KEY_HANDLE_TAGS_INFORMATION
 {
- ULONG HandleTags;
+ ULONG HandleTags;
 };
 struct KEY_VALUE_BASIC_INFORMATION
 {
- ULONG TitleIndex;
- ULONG Type;
- ULONG NameLength;
- char16_t Name[1];
+ ULONG TitleIndex;
+ ULONG Type;
+ ULONG NameLength;
+ char16_t Name[1];
 };
 struct KEY_VALUE_PARTIAL_INFORMATION
 {
- ULONG TitleIndex;
- ULONG Type;
- ULONG DataLength;
- UCHAR Data[1];
+ ULONG TitleIndex;
+ ULONG Type;
+ ULONG DataLength;
+ UCHAR Data[1];
 };
 struct KEY_VALUE_FULL_INFORMATION
 {
- ULONG TitleIndex;
- ULONG Type;
- ULONG DataOffset;
- ULONG DataLength;
- ULONG NameLength;
- char16_t Name[1];
-};
\ No newline at end of file
+ ULONG TitleIndex;
+ ULONG Type;
+ ULONG DataOffset;
+ ULONG DataLength;
+ ULONG NameLength;
+ char16_t Name[1];
+};
diff --git a/src/common/platform/status.hpp b/src/common/platform/status.hpp
index 1eae6778..82b7e6dc 100644
--- a/src/common/platform/status.hpp
+++ b/src/common/platform/status.hpp
@@ -16,7 +16,7 @@ using NTSTATUS = std::uint32_t;
 #endif
 #define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
-#define STATUS_WAIT_1 ((NTSTATUS)0x00000001L)
+#define STATUS_WAIT_1 ((NTSTATUS)0x00000001L)
 #define STATUS_UNSUCCESSFUL ((NTSTATUS)0x00000001L)
 #define STATUS_ALERTED ((NTSTATUS)0x00000101L)
@@ -42,7 +42,5 @@ using NTSTATUS = std::uint32_t;
 #define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)
-
-
 #define FILE_DEVICE_NETWORK 0x00000012
-#define FSCTL_AFD_BASE FILE_DEVICE_NETWORK
\ No newline at end of file
+#define FSCTL_AFD_BASE FILE_DEVICE_NETWORK
diff --git a/src/common/platform/synchronisation.hpp b/src/common/platform/synchronisation.hpp
index c210de6f..8fc51aa8 100644
--- a/src/common/platform/synchronisation.hpp
+++ b/src/common/platform/synchronisation.hpp
@@ -1,17 +1,16 @@
 #pragma once
-
 typedef enum _EVENT_TYPE
 {
- NotificationEvent,
- SynchronizationEvent
+ NotificationEvent,
+ SynchronizationEvent
 } EVENT_TYPE;
 typedef enum _WAIT_TYPE
 {
- WaitAll,
- WaitAny,
- WaitNotification,
- WaitDequeue,
- WaitDpc,
+ WaitAll,
+ WaitAny,
+ WaitNotification,
+ WaitDequeue,
+ WaitDpc,
 } WAIT_TYPE;
diff --git a/src/common/platform/threading.hpp b/src/common/platform/threading.hpp
index efcea64b..244994df 100644
--- a/src/common/platform/threading.hpp
+++ b/src/common/platform/threading.hpp
@@ -1,6 +1,5 @@
 #pragma once
-
 typedef enum _THREADINFOCLASS
 {
 ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION
diff --git a/src/common/platform/traits.hpp b/src/common/platform/traits.hpp
index f66b7060..758e641a 100644
--- a/src/common/platform/traits.hpp
+++ b/src/common/platform/traits.hpp
@@ -5,28 +5,33 @@
 // used to retain original type "x"
 #define EMULATOR_CAST(T, x) T
-struct Emu32 {};
-struct Emu64 {};
+struct Emu32
+{
+};
+
+struct Emu64
+{
+};
 template struct EmulatorTraits;
-template<>
+template <>
 struct EmulatorTraits
 {
- using PVOID = std::uint32_t;
- using ULONG_PTR = std::uint32_t;
- using SIZE_T = std::uint32_t;
- using UNICODE = char16_t;
- using HANDLE = std::uint32_t;
+ using PVOID = std::uint32_t;
+ using ULONG_PTR = std::uint32_t;
+ using SIZE_T = std::uint32_t;
+ using UNICODE = char16_t;
+ using HANDLE = std::uint32_t;
 };
-template<>
+template <>
 struct EmulatorTraits
 {
- using PVOID = std::uint64_t;
- using ULONG_PTR = std::uint64_t;
- using SIZE_T = std::uint64_t;
- using UNICODE = char16_t;
- using HANDLE = std::uint64_t;
-};
\ No newline at end of file
+ using PVOID = std::uint64_t;
+ using ULONG_PTR = std::uint64_t;
+ using SIZE_T = std::uint64_t;
+ using UNICODE = char16_t;
+ using HANDLE = std::uint64_t;
+};
diff --git a/src/common/platform/win_pefile.hpp b/src/common/platform/win_pefile.hpp
index eeee6d7b..41ca0e61 100644
--- a/src/common/platform/win_pefile.hpp
+++ b/src/common/platform/win_pefile.hpp
@@ -9,7 +9,7 @@
 #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
 #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
 #define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
- // IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
+// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
 #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
 #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
 #define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
@@ -59,177 +59,183 @@ enum class PEMachineType : std::uint16_t { - UNKNOWN = 0, - I386 = 0x014c, // Intel 386. - R3000 = 0x0162, // MIPS little-endian, 0x160 big-endian - R4000 = 0x0166, // MIPS little-endian - R10000 = 0x0168, // MIPS little-endian - WCEMIPSV2 = 0x0169, // MIPS little-endian WCE v2 - ALPHA = 0x0184, // Alpha_AXP - SH3 = 0x01a2, // SH3 little-endian - SH3DSP = 0x01a3, - SH3E = 0x01a4, // SH3E little-endian - SH4 = 0x01a6, // SH4 little-endian - SH5 = 0x01a8, // SH5 - ARM = 0x01c0, // ARM Little-Endian - THUMB = 0x01c2, // ARM Thumb/Thumb-2 Little-Endian - ARMNT = 0x01c4, // ARM Thumb-2 Little-Endian - AM33 = 0x01d3, - POWERPC = 0x01F0, // IBM PowerPC Little-Endian - POWERPCFP = 0x01f1, - IA64 = 0x0200, // Intel 64 - MIPS16 = 0x0266, // MIPS - ALPHA64 = 0x0284, // ALPHA64 - MIPSFPU = 0x0366, // MIPS - MIPSFPU16 = 0x0466, // MIPS - AXP64 = ALPHA64, - TRICORE = 0x0520, // Infineon - CEF = 0x0CEF, - EBC = 0x0EBC, // EFI Byte Code - AMD64 = 0x8664, // AMD64 (K8) - M32R = 0x9041, // M32R little-endian - CEE = 0xC0EE, + UNKNOWN = 0, + I386 = 0x014c, // Intel 386. 
+ R3000 = 0x0162, // MIPS little-endian, 0x160 big-endian + R4000 = 0x0166, // MIPS little-endian + R10000 = 0x0168, // MIPS little-endian + WCEMIPSV2 = 0x0169, // MIPS little-endian WCE v2 + ALPHA = 0x0184, // Alpha_AXP + SH3 = 0x01a2, // SH3 little-endian + SH3DSP = 0x01a3, + SH3E = 0x01a4, // SH3E little-endian + SH4 = 0x01a6, // SH4 little-endian + SH5 = 0x01a8, // SH5 + ARM = 0x01c0, // ARM Little-Endian + THUMB = 0x01c2, // ARM Thumb/Thumb-2 Little-Endian + ARMNT = 0x01c4, // ARM Thumb-2 Little-Endian + AM33 = 0x01d3, + POWERPC = 0x01F0, // IBM PowerPC Little-Endian + POWERPCFP = 0x01f1, + IA64 = 0x0200, // Intel 64 + MIPS16 = 0x0266, // MIPS + ALPHA64 = 0x0284, // ALPHA64 + MIPSFPU = 0x0366, // MIPS + MIPSFPU16 = 0x0466, // MIPS + AXP64 = ALPHA64, + TRICORE = 0x0520, // Infineon + CEF = 0x0CEF, + EBC = 0x0EBC, // EFI Byte Code + AMD64 = 0x8664, // AMD64 (K8) + M32R = 0x9041, // M32R little-endian + CEE = 0xC0EE, }; - #pragma pack(push, 4) -template -struct PEOptionalHeaderBasePart2_t {}; - -template<> -struct PEOptionalHeaderBasePart2_t < std::uint32_t > +template +struct PEOptionalHeaderBasePart2_t { - std::uint32_t BaseOfData; - std::uint32_t ImageBase; }; -template<> -struct PEOptionalHeaderBasePart2_t < std::uint64_t > +template <> +struct PEOptionalHeaderBasePart2_t { - std::uint64_t ImageBase; + std::uint32_t BaseOfData; + std::uint32_t ImageBase; }; -template +template <> +struct PEOptionalHeaderBasePart2_t +{ + std::uint64_t ImageBase; +}; + +template struct PEOptionalHeaderBasePart1_t { - enum - { - k_NumberOfDataDirectors = 16 - }; - uint16_t Magic; - uint8_t MajorLinkerVersion; - uint8_t MinorLinkerVersion; - uint32_t SizeOfCode; - uint32_t SizeOfInitializedData; - uint32_t SizeOfUninitializedData; - uint32_t AddressOfEntryPoint; - uint32_t BaseOfCode; + enum + { + k_NumberOfDataDirectors = 16 + }; + + uint16_t Magic; + uint8_t MajorLinkerVersion; + uint8_t MinorLinkerVersion; + uint32_t SizeOfCode; + uint32_t SizeOfInitializedData; + uint32_t 
SizeOfUninitializedData; + uint32_t AddressOfEntryPoint; + uint32_t BaseOfCode; }; struct PEDirectory_t2 { - std::uint32_t VirtualAddress; - std::uint32_t Size; + std::uint32_t VirtualAddress; + std::uint32_t Size; }; -template +template struct PEOptionalHeaderBasePart3_t : PEOptionalHeaderBasePart1_t, PEOptionalHeaderBasePart2_t { - uint32_t SectionAlignment; - uint32_t FileAlignment; - uint16_t MajorOperatingSystemVersion; - uint16_t MinorOperatingSystemVersion; - uint16_t MajorImageVersion; - uint16_t MinorImageVersion; - uint16_t MajorSubsystemVersion; - uint16_t MinorSubsystemVersion; - uint32_t Win32VersionValue; - uint32_t SizeOfImage; - uint32_t SizeOfHeaders; - uint32_t CheckSum; - uint16_t Subsystem; - uint16_t DllCharacteristics; - T SizeOfStackReserve; - T SizeOfStackCommit; - T SizeOfHeapReserve; - T SizeOfHeapCommit; - uint32_t LoaderFlags; - uint32_t NumberOfRvaAndSizes; - PEDirectory_t2 DataDirectory[PEOptionalHeaderBasePart1_t::k_NumberOfDataDirectors]; + uint32_t SectionAlignment; + uint32_t FileAlignment; + uint16_t MajorOperatingSystemVersion; + uint16_t MinorOperatingSystemVersion; + uint16_t MajorImageVersion; + uint16_t MinorImageVersion; + uint16_t MajorSubsystemVersion; + uint16_t MinorSubsystemVersion; + uint32_t Win32VersionValue; + uint32_t SizeOfImage; + uint32_t SizeOfHeaders; + uint32_t CheckSum; + uint16_t Subsystem; + uint16_t DllCharacteristics; + T SizeOfStackReserve; + T SizeOfStackCommit; + T SizeOfHeapReserve; + T SizeOfHeapCommit; + uint32_t LoaderFlags; + uint32_t NumberOfRvaAndSizes; + PEDirectory_t2 DataDirectory[PEOptionalHeaderBasePart1_t::k_NumberOfDataDirectors]; }; -template -struct PEOptionalHeader_t {}; +template +struct PEOptionalHeader_t +{ +}; -template<> +template <> struct PEOptionalHeader_t : PEOptionalHeaderBasePart3_t { - enum - { - k_Magic = 0x10b, // IMAGE_NT_OPTIONAL_HDR32_MAGIC - }; + enum + { + k_Magic = 0x10b, // IMAGE_NT_OPTIONAL_HDR32_MAGIC + }; }; -template<> +template <> struct PEOptionalHeader_t : 
PEOptionalHeaderBasePart3_t { - enum - { - k_Magic = 0x20b, // IMAGE_NT_OPTIONAL_HDR64_MAGIC - }; + enum + { + k_Magic = 0x20b, // IMAGE_NT_OPTIONAL_HDR64_MAGIC + }; }; struct PEFileHeader_t { - PEMachineType Machine; - std::uint16_t NumberOfSections; - std::uint32_t TimeDateStamp; - std::uint32_t PointerToSymbolTable; - std::uint32_t NumberOfSymbols; - std::uint16_t SizeOfOptionalHeader; - std::uint16_t Characteristics; + PEMachineType Machine; + std::uint16_t NumberOfSections; + std::uint32_t TimeDateStamp; + std::uint32_t PointerToSymbolTable; + std::uint32_t NumberOfSymbols; + std::uint16_t SizeOfOptionalHeader; + std::uint16_t Characteristics; }; -template +template struct PENTHeaders_t { - enum - { - k_Signature = 0x00004550, // IMAGE_NT_SIGNATURE - }; - uint32_t Signature; - PEFileHeader_t FileHeader; - PEOptionalHeader_t OptionalHeader; + enum + { + k_Signature = 0x00004550, // IMAGE_NT_SIGNATURE + }; + + uint32_t Signature; + PEFileHeader_t FileHeader; + PEOptionalHeader_t OptionalHeader; }; struct PEDosHeader_t { - enum - { - k_Magic = 0x5A4D - }; - std::uint16_t e_magic; // Magic number ( k_Magic ) - std::uint16_t e_cblp; // Bytes on last page of file - std::uint16_t e_cp; // Pages in file - std::uint16_t e_crlc; // Relocations - std::uint16_t e_cparhdr; // Size of header in paragraphs - std::uint16_t e_minalloc; // Minimum extra paragraphs needed - std::uint16_t e_maxalloc; // Maximum extra paragraphs needed - std::uint16_t e_ss; // Initial (relative) SS value - std::uint16_t e_sp; // Initial SP value - std::uint16_t e_csum; // Checksum - std::uint16_t e_ip; // Initial IP value - std::uint16_t e_cs; // Initial (relative) CS value - std::uint16_t e_lfarlc; // File address of relocation table - std::uint16_t e_ovno; // Overlay number - std::uint16_t e_res[4]; // Reserved words - std::uint16_t e_oemid; // OEM identifier (for e_oeminfo) - std::uint16_t e_oeminfo; // OEM information; e_oemid specific - std::uint16_t e_res2[10]; // Reserved words - 
std::uint32_t e_lfanew; // File address of new exe header + enum + { + k_Magic = 0x5A4D + }; + + std::uint16_t e_magic; // Magic number ( k_Magic ) + std::uint16_t e_cblp; // Bytes on last page of file + std::uint16_t e_cp; // Pages in file + std::uint16_t e_crlc; // Relocations + std::uint16_t e_cparhdr; // Size of header in paragraphs + std::uint16_t e_minalloc; // Minimum extra paragraphs needed + std::uint16_t e_maxalloc; // Maximum extra paragraphs needed + std::uint16_t e_ss; // Initial (relative) SS value + std::uint16_t e_sp; // Initial SP value + std::uint16_t e_csum; // Checksum + std::uint16_t e_ip; // Initial IP value + std::uint16_t e_cs; // Initial (relative) CS value + std::uint16_t e_lfarlc; // File address of relocation table + std::uint16_t e_ovno; // Overlay number + std::uint16_t e_res[4]; // Reserved words + std::uint16_t e_oemid; // OEM identifier (for e_oeminfo) + std::uint16_t e_oeminfo; // OEM information; e_oemid specific + std::uint16_t e_res2[10]; // Reserved words + std::uint32_t e_lfanew; // File address of new exe header }; #pragma pack(pop) 
@@ -279,48 +285,56 @@ typedef struct _IMAGE_BASE_RELOCATION { template struct SECTION_IMAGE_INFORMATION { - typename Traits::PVOID TransferAddress; - ULONG ZeroBits; - typename Traits::SIZE_T MaximumStackSize; - typename Traits::SIZE_T CommittedStackSize; - ULONG SubSystemType; - union - { - struct - { - USHORT SubSystemMinorVersion; - USHORT SubSystemMajorVersion; - }; - ULONG SubSystemVersion; - }; - union - { - struct - { - USHORT MajorOperatingSystemVersion; - USHORT MinorOperatingSystemVersion; - }; - ULONG OperatingSystemVersion; - }; - USHORT ImageCharacteristics; - USHORT DllCharacteristics; - PEMachineType Machine; - BOOLEAN ImageContainsCode; - union - { - UCHAR ImageFlags; - struct - { - UCHAR ComPlusNativeReady : 1; - UCHAR ComPlusILOnly : 1; - UCHAR ImageDynamicallyRelocated : 1; - UCHAR ImageMappedFlat : 1; - UCHAR BaseBelow4gb : 1; - UCHAR ComPlusPrefer32bit : 1; - UCHAR Reserved : 2; - }; - }; - ULONG LoaderFlags; - ULONG ImageFileSize; - ULONG CheckSum; + typename Traits::PVOID TransferAddress; + ULONG ZeroBits; + typename Traits::SIZE_T MaximumStackSize; + typename Traits::SIZE_T CommittedStackSize; + ULONG SubSystemType; + + union + { + struct + { + USHORT SubSystemMinorVersion; + USHORT SubSystemMajorVersion; + }; + + ULONG SubSystemVersion; + }; + + union + { + struct + { + USHORT MajorOperatingSystemVersion; + USHORT MinorOperatingSystemVersion; + }; + + ULONG OperatingSystemVersion; + }; + + USHORT ImageCharacteristics; + USHORT DllCharacteristics; + PEMachineType Machine; + BOOLEAN ImageContainsCode; + + union + { + UCHAR ImageFlags; + + struct + { + UCHAR ComPlusNativeReady : 1; + UCHAR ComPlusILOnly : 1; + UCHAR ImageDynamicallyRelocated : 1; + UCHAR ImageMappedFlat : 1; + UCHAR BaseBelow4gb : 1; + UCHAR ComPlusPrefer32bit : 1; + UCHAR Reserved : 2; + }; + }; + + ULONG LoaderFlags; + ULONG ImageFileSize; + ULONG CheckSum; }; diff --git a/src/common/utils/finally.hpp b/src/common/utils/finally.hpp index 8d30b150..94489e59 100644 
--- a/src/common/utils/finally.hpp +++ b/src/common/utils/finally.hpp @@ -13,8 +13,8 @@ namespace utils { public: static_assert(!std::is_reference::value && !std::is_const::value && - !std::is_volatile::value, - "Final_action should store its callable by value"); + !std::is_volatile::value, + "Final_action should store its callable by value"); explicit final_action(F f) noexcept : f_(std::move(f)) { @@ -52,4 +52,4 @@ namespace utils return final_action::type>::type>( std::forward(f)); } -} \ No newline at end of file +} diff --git a/src/common/utils/nt_handle.hpp b/src/common/utils/nt_handle.hpp index b90cba1c..fc97f925 100644 --- a/src/common/utils/nt_handle.hpp +++ b/src/common/utils/nt_handle.hpp @@ -1,6 +1,6 @@ #pragma once -#ifdef OS_WINDOWS +#ifdef WIN32 #define NOMINMAX #define WIN32_LEAN_AND_MEAN @@ -86,4 +86,4 @@ namespace utils::nt }; } -#endif \ No newline at end of file +#endif diff --git a/src/common/utils/timer.hpp b/src/common/utils/timer.hpp index b5a21553..3fd09722 100644 --- a/src/common/utils/timer.hpp +++ b/src/common/utils/timer.hpp @@ -21,6 +21,6 @@ namespace utils } private: - typename Clock::time_point point_{ Clock::now() }; + typename Clock::time_point point_{Clock::now()}; }; } diff --git a/src/emulator/emulator.hpp b/src/emulator/emulator.hpp index 2c54cd4b..b20b0925 100644 --- a/src/emulator/emulator.hpp +++ b/src/emulator/emulator.hpp @@ -42,7 +42,8 @@ using instruction_hook_callback = std::function using interrupt_hook_callback = std::function; using simple_memory_hook_callback = std::function; -using complex_memory_hook_callback = std::function; +using complex_memory_hook_callback = std::function; using memory_violation_hook_callback = std::function; 
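Review bot: The `-#ifdef OS_WINDOWS` / `+#ifdef WIN32` switch in nt_handle.hpp now gates the whole `utils::nt` namespace on a macro the compilers do not predefine: MSVC, clang and gcc all predefine `_WIN32`, while `WIN32` is normally supplied by the build system (CMake's default MSVC flags add `/DWIN32`) or by `<windows.h>`, which this header can only include after the check. If a translation unit picks this header up without that build-level define, the namespace silently vanishes and the failure shows up as an unrelated "undeclared identifier" error far from here. Unless the project deliberately defines `WIN32` for every toolchain (I cannot see the CMake files from this hunk), `#ifdef _WIN32` is the safer spelling; the closing `#endif` in the `@@ -86,4 +86,4 @@` hunk needs no change. The rest of the guarded block lies outside the hunk.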
@@ -140,7 +141,8 @@ private: { assert((static_cast(operation) & (static_cast(operation) - 1)) == 0); return this->hook_memory_access(address, size, operation, - [c = std::move(callback)](const uint64_t a, const size_t s, const uint64_t value, + [c = std::move(callback)](const uint64_t a, const size_t s, + const uint64_t value, memory_operation) { c(a, s, value); diff --git a/src/emulator/serialization.hpp b/src/emulator/serialization.hpp index 000b291e..e86894db 100644 --- a/src/emulator/serialization.hpp +++ b/src/emulator/serialization.hpp @@ -39,7 +39,7 @@ namespace utils template struct has_serialize_function(), - std::declval&>()) + std::declval&>()) )>> : std::true_type { diff --git a/src/fuzzer/main.cpp b/src/fuzzer/main.cpp index bae0baae..7179d79f 100644 --- a/src/fuzzer/main.cpp +++ b/src/fuzzer/main.cpp @@ -24,7 +24,8 @@ namespace catch (...) { win_emu.log.disable_output(false); - win_emu.log.print(color::red, "Emulation failed at: 0x%" PRIx64 "\n", win_emu.emu().read_instruction_pointer()); + win_emu.log.print(color::red, "Emulation failed at: 0x%" PRIx64 "\n", + win_emu.emu().read_instruction_pointer()); throw; } diff --git a/src/fuzzing-engine/fuzzer.cpp b/src/fuzzing-engine/fuzzer.cpp index 294a5cf0..f6338403 100644 --- a/src/fuzzing-engine/fuzzer.cpp +++ b/src/fuzzing-engine/fuzzer.cpp @@ -125,7 +125,8 @@ namespace fuzzer const auto executions = context.executions.exchange(0); const auto highest_scorer = context.generator.get_highest_scorer(); const auto avg_score = context.generator.get_average_score(); - printf("Executions/s: %" PRIu64 " - Score: %" PRIx64 " - Avg: %.3f\n", executions, highest_scorer.score, avg_score); + printf("Executions/s: %" PRIu64 " - Score: %" PRIx64 " - Avg: %.3f\n", executions, highest_scorer.score, + avg_score); } } } diff --git a/src/fuzzing-engine/fuzzer.hpp b/src/fuzzing-engine/fuzzer.hpp index b62240c8..900a0f83 100644 --- a/src/fuzzing-engine/fuzzer.hpp +++ b/src/fuzzing-engine/fuzzer.hpp 
@@ -20,7 +20,7 @@ namespace fuzzer virtual ~executer() = default; virtual execution_result execute(std::span data, - const std::function& coverage_handler) = 0; + const std::function& coverage_handler) = 0; }; struct fuzzing_handler diff --git a/src/unicorn-emulator/unicorn_x64_emulator.cpp b/src/unicorn-emulator/unicorn_x64_emulator.cpp index eabc664c..4bac8420 100644 --- a/src/unicorn-emulator/unicorn_x64_emulator.cpp +++ b/src/unicorn-emulator/unicorn_x64_emulator.cpp @@ -337,16 +337,16 @@ namespace unicorn { mmio_callbacks cb{ .read = mmio_callbacks::read_wrapper( - [c = std::move(read_cb)](uc_engine*, const uint64_t addr, const uint32_t s) - { - return c(addr, s); - }), + [c = std::move(read_cb)](uc_engine*, const uint64_t addr, const uint32_t s) + { + return c(addr, s); + }), .write = mmio_callbacks::write_wrapper( - [c = std::move(write_cb)](uc_engine*, const uint64_t addr, const uint32_t s, - const uint64_t value) - { - c(addr, s, value); - }) + [c = std::move(write_cb)](uc_engine*, const uint64_t addr, const uint32_t s, + const uint64_t value) + { + c(addr, s, value); + }) }; uce(uc_mmio_map(*this, address, size, cb.read.get_c_function(), cb.read.get_user_data(), diff --git a/src/unicorn-emulator/unicorn_x64_emulator.hpp b/src/unicorn-emulator/unicorn_x64_emulator.hpp index 4d26b48a..ca57015b 100644 --- a/src/unicorn-emulator/unicorn_x64_emulator.hpp +++ b/src/unicorn-emulator/unicorn_x64_emulator.hpp @@ -4,19 +4,11 @@ #include #include "platform/platform.hpp" -#ifdef WIN32 #ifdef UNICORN_EMULATOR_IMPL #define UNICORN_EMULATOR_DLL_STORAGE EXPORT_SYMBOL #else #define UNICORN_EMULATOR_DLL_STORAGE IMPORT_SYMBOL #endif -#else -#ifdef UNICORN_EMULATOR_IMPL -#define UNICORN_EMULATOR_DLL_STORAGE __attribute__((visibility("default"))) -#else -#define UNICORN_EMULATOR_DLL_STORAGE -#endif -#endif namespace unicorn { diff --git a/src/windows-emulator-test/main.cpp b/src/windows-emulator-test/main.cpp index 0194ab6e..cdf4fb81 100644 
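Review bot: Dropping the non-Windows branch in unicorn_x64_emulator.hpp makes `UNICORN_EMULATOR_DLL_STORAGE` expand to `EXPORT_SYMBOL` / `IMPORT_SYMBOL` from platform/platform.hpp on every platform, so the former `__attribute__((visibility("default")))` export and the empty import definition now have to come from that header, which this hunk does not show. Please confirm platform.hpp defines `IMPORT_SYMBOL` as empty and `EXPORT_SYMBOL` as the visibility attribute for gcc/clang: if `IMPORT_SYMBOL` still expands to `__declspec(dllimport)` there, consumers of the header will not compile on Linux/macOS, and if both expand to nothing a build with `-fvisibility=hidden` stops exporting the emulator entry points and fails only at link or dlopen time. A cheap guard right after the include, `#ifndef EXPORT_SYMBOL` / `#error "platform/platform.hpp must define EXPORT_SYMBOL and IMPORT_SYMBOL"` / `#endif`, would surface a missing definition at the point of use instead.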
--- a/src/windows-emulator-test/main.cpp +++ b/src/windows-emulator-test/main.cpp @@ -2,6 +2,6 @@ int main(int argc, char* argv[]) { - ::testing::InitGoogleTest(&argc, argv); - return RUN_ALL_TESTS(); + ::testing::InitGoogleTest(&argc, argv); + return RUN_ALL_TESTS(); } diff --git a/src/windows-emulator-test/time_test.cpp b/src/windows-emulator-test/time_test.cpp index f168843c..70f1971d 100644 --- a/src/windows-emulator-test/time_test.cpp +++ b/src/windows-emulator-test/time_test.cpp @@ -6,7 +6,7 @@ namespace test { std::string output_buffer{}; - emulator_settings settings{ + const emulator_settings settings{ .arguments = {u"-time"}, .stdout_callback = [&output_buffer](const std::string_view data) { diff --git a/src/windows-emulator/debugging/gdb_stub.hpp b/src/windows-emulator/debugging/gdb_stub.hpp index 4248737e..82dbae58 100644 --- a/src/windows-emulator/debugging/gdb_stub.hpp +++ b/src/windows-emulator/debugging/gdb_stub.hpp @@ -35,4 +35,5 @@ struct gdb_stub_handler virtual void on_interrupt() = 0; }; -bool run_gdb_stub(gdb_stub_handler& handler, std::string target_description, size_t register_count, std::string bind_address); +bool run_gdb_stub(gdb_stub_handler& handler, std::string target_description, size_t register_count, + std::string bind_address); diff --git a/src/windows-emulator/emulator_utils.hpp b/src/windows-emulator/emulator_utils.hpp index 2f7d30c1..c151761b 100644 --- a/src/windows-emulator/emulator_utils.hpp +++ b/src/windows-emulator/emulator_utils.hpp @@ -181,7 +181,7 @@ public: return emulator_object(*this->emu_, potential_start); } - + char16_t* copy_string(const std::u16string_view str) { UNICODE_STRING> uc_str{}; 
@@ -287,7 +287,8 @@ inline std::u16string read_unicode_string(const emulator& emu, const UNICODE_STR } -inline std::u16string read_unicode_string(const emulator& emu, const emulator_object>> uc_string) +inline std::u16string read_unicode_string(const emulator& emu, + const emulator_object>> uc_string) { const auto ucs = uc_string.read(); return read_unicode_string(emu, ucs); diff --git a/src/windows-emulator/io_device.hpp b/src/windows-emulator/io_device.hpp index 0175f3ab..965d1da3 100644 --- a/src/windows-emulator/io_device.hpp +++ b/src/windows-emulator/io_device.hpp @@ -65,7 +65,8 @@ struct io_device_creation_data uint32_t length; }; -inline void write_io_status(const emulator_object>> io_status_block, const NTSTATUS status) +inline void write_io_status(const emulator_object>> io_status_block, + const NTSTATUS status) { if (io_status_block) { diff --git a/src/windows-emulator/module/module_mapping.cpp b/src/windows-emulator/module/module_mapping.cpp index 4a3ff46a..8d1577b1 100644 --- a/src/windows-emulator/module/module_mapping.cpp +++ b/src/windows-emulator/module/module_mapping.cpp @@ -10,7 +10,8 @@ namespace uint64_t get_first_section_offset(const PENTHeaders_t& nt_headers, const uint64_t nt_headers_offset) { const uint8_t* nt_headers_addr = reinterpret_cast(&nt_headers); - size_t optional_header_offset = reinterpret_cast(&(nt_headers.OptionalHeader)) - reinterpret_cast(&nt_headers); + size_t optional_header_offset = reinterpret_cast(&(nt_headers.OptionalHeader)) - reinterpret_cast< + uintptr_t>(&nt_headers); size_t optional_header_size = nt_headers.FileHeader.SizeOfOptionalHeader; const uint8_t* first_section_addr = nt_headers_addr + optional_header_offset + optional_header_size; diff --git a/src/windows-emulator/module/module_mapping.hpp b/src/windows-emulator/module/module_mapping.hpp index 8d69db80..f0802b4c 100644 --- a/src/windows-emulator/module/module_mapping.hpp +++ b/src/windows-emulator/module/module_mapping.hpp 
@@ -4,7 +4,7 @@ #include "mapped_module.hpp" mapped_module map_module_from_data(emulator& emu, std::span data, - std::filesystem::path file); + std::filesystem::path file); mapped_module map_module_from_file(emulator& emu, std::filesystem::path file); bool unmap_module(emulator& emu, const mapped_module& mod); diff --git a/src/windows-emulator/syscall_dispatcher.cpp b/src/windows-emulator/syscall_dispatcher.cpp index 2e72db12..6237ffdc 100644 --- a/src/windows-emulator/syscall_dispatcher.cpp +++ b/src/windows-emulator/syscall_dispatcher.cpp @@ -94,9 +94,9 @@ void syscall_dispatcher::dispatch(windows_emulator& win_emu) if (mod != context.ntdll && mod != context.win32u) { win_emu.log.print(color::blue, "Executing inline syscall: %s (0x%X) at 0x%" PRIx64 " (%s)\n", - entry->second.name.c_str(), - syscall_id, - address, mod ? mod->name.c_str() : ""); + entry->second.name.c_str(), + syscall_id, + address, mod ? mod->name.c_str() : ""); } else { 
@@ -106,19 +106,21 @@ void syscall_dispatcher::dispatch(windows_emulator& win_emu) const auto return_address = c.emu.read_memory(rsp); const auto* mod_name = context.mod_manager.find_name(return_address); - win_emu.log.print(color::dark_gray, "Executing syscall: %s (0x%X) at 0x%" PRIx64 " via 0x%" PRIx64 " (%s)\n", - entry->second.name.c_str(), - syscall_id, address, return_address, mod_name); + win_emu.log.print(color::dark_gray, + "Executing syscall: %s (0x%X) at 0x%" PRIx64 " via 0x%" PRIx64 " (%s)\n", + entry->second.name.c_str(), + syscall_id, address, return_address, mod_name); } else { const auto* previous_mod = context.mod_manager.find_by_address(context.previous_ip); win_emu.log.print(color::blue, - "Crafted out-of-line syscall: %s (0x%X) at 0x%" PRIx64 " (%s) via 0x%" PRIx64 " (%s)\n", - entry->second.name.c_str(), - syscall_id, - address, mod ? mod->name.c_str() : "", context.previous_ip, - previous_mod ? previous_mod->name.c_str() : ""); + "Crafted out-of-line syscall: %s (0x%X) at 0x%" PRIx64 " (%s) via 0x%" PRIx64 + " (%s)\n", + entry->second.name.c_str(), + syscall_id, + address, mod ? mod->name.c_str() : "", context.previous_ip, + previous_mod ? previous_mod->name.c_str() : ""); } } diff --git a/src/windows-emulator/syscalls.cpp b/src/windows-emulator/syscalls.cpp index e52c0798..32c8a9ee 100644 --- a/src/windows-emulator/syscalls.cpp +++ b/src/windows-emulator/syscalls.cpp 
@@ -17,32 +17,32 @@ namespace { NTSTATUS handle_NtQueryPerformanceCounter(const syscall_context& c, - const emulator_object performance_counter, - const emulator_object performance_frequency) + const emulator_object performance_counter, + const emulator_object performance_frequency) { try { if (performance_counter) { performance_counter.access([&](LARGE_INTEGER& value) + { + if (c.win_emu.time_is_relative()) { - if (c.win_emu.time_is_relative()) - { - value.QuadPart = static_cast(c.proc.executed_instructions); - } - else - { - value.QuadPart = std::chrono::steady_clock::now().time_since_epoch().count(); - } - }); + value.QuadPart = static_cast(c.proc.executed_instructions); + } + else + { + value.QuadPart = std::chrono::steady_clock::now().time_since_epoch().count(); + } + }); } if (performance_frequency) { performance_frequency.access([&](LARGE_INTEGER& value) - { - value.QuadPart = c.proc.kusd.get().QpcFrequency; - }); + { + value.QuadPart = c.proc.kusd.get().QpcFrequency; + }); } return STATUS_SUCCESS; @@ -64,11 +64,12 @@ namespace } NTSTATUS handle_NtOpenKey(const syscall_context& c, const emulator_object key_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes) + const ACCESS_MASK /*desired_access*/, + const emulator_object>> object_attributes) { const auto attributes = object_attributes.read(); - auto key = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName)); + auto key = read_unicode_string( + c.emu, reinterpret_cast>*>(attributes.ObjectName)); if (attributes.RootDirectory) { 
@@ -97,17 +98,17 @@ namespace } NTSTATUS handle_NtOpenKeyEx(const syscall_context& c, const emulator_object key_handle, - const ACCESS_MASK desired_access, - const emulator_object>> object_attributes, - ULONG /*open_options*/) + const ACCESS_MASK desired_access, + const emulator_object>> object_attributes, + ULONG /*open_options*/) { return handle_NtOpenKey(c, key_handle, desired_access, object_attributes); } NTSTATUS handle_NtQueryKey(const syscall_context& c, const handle key_handle, - const KEY_INFORMATION_CLASS key_information_class, - const uint64_t key_information, const ULONG length, - const emulator_object result_length) + const KEY_INFORMATION_CLASS key_information_class, + const uint64_t key_information, const ULONG length, + const emulator_object result_length) { const auto* key = c.proc.registry_keys.get(key_handle); if (!key) @@ -136,12 +137,12 @@ namespace KEY_NAME_INFORMATION info{}; info.NameLength = static_cast(key_name.size() * 2); - const emulator_object info_obj{ c.emu, key_information }; + const emulator_object info_obj{c.emu, key_information}; info_obj.write(info); c.emu.write_memory(key_information + offsetof(KEY_NAME_INFORMATION, Name), - key_name.data(), - info.NameLength); + key_name.data(), + info.NameLength); return STATUS_SUCCESS; } @@ -159,7 +160,7 @@ namespace KEY_HANDLE_TAGS_INFORMATION info{}; info.HandleTags = 0; // ? - const emulator_object info_obj{ c.emu, key_information }; + const emulator_object info_obj{c.emu, key_information}; info_obj.write(info); return STATUS_SUCCESS; 
@@ -171,10 +172,10 @@ namespace } NTSTATUS handle_NtQueryValueKey(const syscall_context& c, const handle key_handle, - const emulator_object>> value_name, - const KEY_VALUE_INFORMATION_CLASS key_value_information_class, - const uint64_t key_value_information, - const ULONG length, const emulator_object result_length) + const emulator_object>> value_name, + const KEY_VALUE_INFORMATION_CLASS key_value_information_class, + const uint64_t key_value_information, + const ULONG length, const emulator_object result_length) { const auto* key = c.proc.registry_keys.get(key_handle); if (!key) @@ -269,12 +270,12 @@ namespace } c.emu.write_memory(key_value_information + base_size, - original_name.data(), - info.NameLength); + original_name.data(), + info.NameLength); c.emu.write_memory(key_value_information + base_size + info.NameLength, - value->data.data(), - value->data.size()); + value->data.data(), + value->data.size()); return STATUS_SUCCESS; } @@ -295,13 +296,13 @@ namespace } NTSTATUS handle_NtSetInformationThread(const syscall_context& c, const handle thread_handle, - const THREADINFOCLASS info_class, - const uint64_t thread_information, - const uint32_t thread_information_length) + const THREADINFOCLASS info_class, + const uint64_t thread_information, + const uint32_t thread_information_length) { auto* thread = thread_handle == CURRENT_THREAD - ? c.proc.active_thread - : c.proc.threads.get(thread_handle); + ? c.proc.active_thread + : c.proc.threads.get(thread_handle); if (!thread) { 
@@ -326,11 +327,12 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object>> info{ c.emu, thread_information }; + const emulator_object>> info{c.emu, thread_information}; const auto i = info.read(); thread->name = read_unicode_string(c.emu, i.ThreadName); - c.win_emu.log.print(color::blue, "Setting thread (%d) name: %s\n", thread->id, u16_to_u8(thread->name).c_str()); + c.win_emu.log.print(color::blue, "Setting thread (%d) name: %s\n", thread->id, + u16_to_u8(thread->name).c_str()); return STATUS_SUCCESS; } @@ -342,7 +344,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, thread_information }; + const emulator_object info{c.emu, thread_information}; info.write(DUMMY_IMPERSONATION_TOKEN); return STATUS_SUCCESS; @@ -370,7 +372,7 @@ namespace } NTSTATUS handle_NtSetEvent(const syscall_context& c, const uint64_t handle, - const emulator_object previous_state) + const emulator_object previous_state) { const auto entry = c.proc.events.get(handle); if (!entry) @@ -437,7 +439,7 @@ namespace } NTSTATUS handle_NtReleaseMutant(const syscall_context& c, const handle mutant_handle, - const emulator_object previous_count) + const emulator_object previous_count) { if (mutant_handle.value.type != handle_types::mutant) { @@ -463,9 +465,9 @@ namespace } NTSTATUS handle_NtCreateMutant(const syscall_context& c, const emulator_object mutant_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes, - const BOOLEAN initial_owner) + const ACCESS_MASK /*desired_access*/, + const emulator_object>> object_attributes, + const BOOLEAN initial_owner) { std::u16string name{}; if (object_attributes) @@ -473,7 +475,8 @@ namespace const auto attributes = object_attributes.read(); if (attributes.ObjectName) { - name = read_unicode_string(c.emu, emulator_object>>{c.emu, attributes.ObjectName}); + name = read_unicode_string( + c.emu, emulator_object>>{c.emu, attributes.ObjectName}); } } 
@@ -503,9 +506,9 @@ namespace } NTSTATUS handle_NtCreateEvent(const syscall_context& c, const emulator_object event_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes, - const EVENT_TYPE event_type, const BOOLEAN initial_state) + const ACCESS_MASK /*desired_access*/, + const emulator_object>> object_attributes, + const EVENT_TYPE event_type, const BOOLEAN initial_state) { std::u16string name{}; if (object_attributes) @@ -513,7 +516,8 @@ namespace const auto attributes = object_attributes.read(); if (attributes.ObjectName) { - name = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName)); + name = read_unicode_string( + c.emu, reinterpret_cast>*>(attributes.ObjectName)); } } @@ -543,11 +547,12 @@ namespace } NTSTATUS handle_NtOpenEvent(const syscall_context& c, const emulator_object event_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes) + const ACCESS_MASK /*desired_access*/, + const emulator_object>> object_attributes) { const auto attributes = object_attributes.read(); - const auto name = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName)); + const auto name = read_unicode_string( + c.emu, reinterpret_cast>*>(attributes.ObjectName)); for (auto& entry : c.proc.events) { @@ -563,9 +568,9 @@ namespace } NTSTATUS handle_NtQueryVolumeInformationFile(const syscall_context& c, const handle file_handle, - const uint64_t /*io_status_block*/, const uint64_t fs_information, - const ULONG /*length*/, - const FS_INFORMATION_CLASS fs_information_class) + const uint64_t /*io_status_block*/, const uint64_t fs_information, + const ULONG /*length*/, + const FS_INFORMATION_CLASS fs_information_class) { if (fs_information_class != FileFsDeviceInformation) { 
@@ -574,31 +579,32 @@ namespace return STATUS_NOT_SUPPORTED; } - const emulator_object info_obj{ c.emu, fs_information }; + const emulator_object info_obj{c.emu, fs_information}; info_obj.access([&](FILE_FS_DEVICE_INFORMATION& info) + { + if (file_handle == STDOUT_HANDLE.bits && !c.win_emu.buffer_stdout) { - if (file_handle == STDOUT_HANDLE.bits && !c.win_emu.buffer_stdout) - { - info.DeviceType = FILE_DEVICE_CONSOLE; - info.Characteristics = 0x20000; - } - else - { - info.DeviceType = FILE_DEVICE_DISK; - info.Characteristics = 0x20020; - } - }); + info.DeviceType = FILE_DEVICE_CONSOLE; + info.Characteristics = 0x20000; + } + else + { + info.DeviceType = FILE_DEVICE_DISK; + info.Characteristics = 0x20020; + } + }); return STATUS_SUCCESS; } NTSTATUS handle_NtOpenSection(const syscall_context& c, const emulator_object section_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes) + const ACCESS_MASK /*desired_access*/, + const emulator_object>> object_attributes) { const auto attributes = object_attributes.read(); - auto filename = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName)); + auto filename = read_unicode_string( + c.emu, reinterpret_cast>*>(attributes.ObjectName)); c.win_emu.log.print(color::dark_gray, "--> Opening section: %s\n", u16_to_u8(filename).c_str()); if (filename == u"\\Windows\\SharedSection") 
@@ -629,12 +635,14 @@ namespace } NTSTATUS handle_NtMapViewOfSection(const syscall_context& c, const handle section_handle, - const handle process_handle, const emulator_object base_address, - const EMULATOR_CAST(EmulatorTraits::ULONG_PTR, ULONG_PTR) /*zero_bits*/, const EMULATOR_CAST(EmulatorTraits::SIZE_T, SIZE_T) /*commit_size*/, - const emulator_object /*section_offset*/, - const emulator_object::SIZE_T, SIZE_T)> view_size, - const SECTION_INHERIT /*inherit_disposition*/, const ULONG /*allocation_type*/, - const ULONG /*win32_protect*/) + const handle process_handle, const emulator_object base_address, + const EMULATOR_CAST(EmulatorTraits::ULONG_PTR, ULONG_PTR) /*zero_bits*/, + const EMULATOR_CAST(EmulatorTraits::SIZE_T, SIZE_T) /*commit_size*/, + const emulator_object /*section_offset*/, + const emulator_object::SIZE_T, SIZE_T)> + view_size, + const SECTION_INHERIT /*inherit_disposition*/, const ULONG /*allocation_type*/, + const ULONG /*win32_protect*/) { if (process_handle != CURRENT_PROCESS) { 
@@ -656,31 +664,35 @@ namespace const auto obj_address = address + windows_dir_offset; - const emulator_object>> windir_obj{ c.emu, obj_address }; + const emulator_object>> windir_obj{c.emu, obj_address}; windir_obj.access([&](UNICODE_STRING>& ucs) - { - const auto dir_address = kusd_mmio::address() + offsetof(KUSER_SHARED_DATA64, NtSystemRoot); + { + const auto dir_address = kusd_mmio::address() + offsetof(KUSER_SHARED_DATA64, NtSystemRoot); - ucs.Buffer = dir_address - obj_address; - ucs.Length = static_cast(windows_dir_size); - ucs.MaximumLength = ucs.Length; - }); + ucs.Buffer = dir_address - obj_address; + ucs.Length = static_cast(windows_dir_size); + ucs.MaximumLength = ucs.Length; + }); - const emulator_object>> sysdir_obj{ c.emu, windir_obj.value() + windir_obj.size() }; + const emulator_object>> sysdir_obj{ + c.emu, windir_obj.value() + windir_obj.size() + }; sysdir_obj.access([&](UNICODE_STRING>& ucs) - { - c.proc.base_allocator.make_unicode_string(ucs, u"C:\\WINDOWS\\System32"); - ucs.Buffer = ucs.Buffer - obj_address; - }); + { + c.proc.base_allocator.make_unicode_string(ucs, u"C:\\WINDOWS\\System32"); + ucs.Buffer = ucs.Buffer - obj_address; + }); - const emulator_object>> base_dir_obj{ c.emu, sysdir_obj.value() + sysdir_obj.size() }; + const emulator_object>> base_dir_obj{ + c.emu, sysdir_obj.value() + sysdir_obj.size() + }; base_dir_obj.access([&](UNICODE_STRING>& ucs) - { - c.proc.base_allocator.make_unicode_string(ucs, u"\\Sessions\\1\\BaseNamedObjects"); - ucs.Buffer = ucs.Buffer - obj_address; - }); + { + c.proc.base_allocator.make_unicode_string(ucs, u"\\Sessions\\1\\BaseNamedObjects"); + ucs.Buffer = ucs.Buffer - obj_address; + }); if (view_size) { 
@@ -751,24 +763,26 @@ namespace NTSTATUS handle_NtCreateIoCompletion(const syscall_context& c, const emulator_object event_handle, - const ACCESS_MASK desired_access, - const emulator_object>> object_attributes, - const uint32_t /*number_of_concurrent_threads*/) + const ACCESS_MASK desired_access, + const emulator_object>> + object_attributes, + const uint32_t /*number_of_concurrent_threads*/) { return handle_NtCreateEvent(c, event_handle, desired_access, object_attributes, NotificationEvent, FALSE); } NTSTATUS handle_NtCreateWaitCompletionPacket(const syscall_context& c, const emulator_object event_handle, - const ACCESS_MASK desired_access, - const emulator_object>> object_attributes) + const ACCESS_MASK desired_access, + const emulator_object>> + object_attributes) { return handle_NtCreateEvent(c, event_handle, desired_access, object_attributes, NotificationEvent, FALSE); } NTSTATUS handle_NtQueryVirtualMemory(const syscall_context& c, const handle process_handle, - const uint64_t base_address, const uint32_t info_class, - const uint64_t memory_information, const uint32_t memory_information_length, - const emulator_object return_length) + const uint64_t base_address, const uint32_t info_class, + const uint64_t memory_information, const uint32_t memory_information_length, + const emulator_object return_length) { if (process_handle != CURRENT_PROCESS) { 
@@ -793,27 +807,27 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, memory_information }; + const emulator_object info{c.emu, memory_information}; info.access([&](EMU_MEMORY_BASIC_INFORMATION64& image_info) - { - const auto region_info = c.emu.get_region_info(base_address); + { + const auto region_info = c.emu.get_region_info(base_address); - assert(!region_info.is_committed || region_info.is_reserved); + assert(!region_info.is_committed || region_info.is_reserved); - image_info.BaseAddress = reinterpret_cast(region_info.start); - image_info.AllocationBase = reinterpret_cast(region_info.allocation_base); - image_info.AllocationProtect = 0; - image_info.PartitionId = 0; - image_info.RegionSize = region_info.length; - image_info.State = region_info.is_committed - ? MEM_COMMIT - : (region_info.is_reserved - ? MEM_RESERVE - : MEM_FREE); - image_info.Protect = map_emulator_to_nt_protection(region_info.permissions); - image_info.Type = MEM_PRIVATE; - }); + image_info.BaseAddress = reinterpret_cast(region_info.start); + image_info.AllocationBase = reinterpret_cast(region_info.allocation_base); + image_info.AllocationProtect = 0; + image_info.PartitionId = 0; + image_info.RegionSize = region_info.length; + image_info.State = region_info.is_committed + ? MEM_COMMIT + : (region_info.is_reserved + ? MEM_RESERVE + : MEM_FREE); + image_info.Protect = map_emulator_to_nt_protection(region_info.permissions); + image_info.Type = MEM_PRIVATE; + }); return STATUS_SUCCESS; } 
@@ -837,14 +851,14 @@ namespace return STATUS_INVALID_ADDRESS; } - const emulator_object info{ c.emu, memory_information }; + const emulator_object info{c.emu, memory_information}; info.access([&](MEMORY_IMAGE_INFORMATION64& image_info) - { - image_info.ImageBase = reinterpret_cast(mod->image_base); - image_info.SizeOfImage = mod->size_of_image; - image_info.ImageFlags = 0; - }); + { + image_info.ImageBase = reinterpret_cast(mod->image_base); + image_info.SizeOfImage = mod->size_of_image; + image_info.ImageFlags = 0; + }); return STATUS_SUCCESS; } @@ -867,18 +881,18 @@ namespace return STATUS_INVALID_ADDRESS; } - const emulator_object info{ c.emu, memory_information }; + const emulator_object info{c.emu, memory_information}; info.access([&](MEMORY_REGION_INFORMATION64& image_info) - { - memset(&image_info, 0, sizeof(image_info)); + { + memset(&image_info, 0, sizeof(image_info)); - image_info.AllocationBase = reinterpret_cast(region_info.allocation_base); - image_info.AllocationProtect = 0; - image_info.PartitionId = 0; - image_info.RegionSize = region_info.allocation_length; - image_info.Reserved = 0x10; - }); + image_info.AllocationBase = reinterpret_cast(region_info.allocation_base); + image_info.AllocationProtect = 0; + image_info.PartitionId = 0; + image_info.RegionSize = region_info.allocation_length; + image_info.Reserved = 0x10; + }); return STATUS_SUCCESS; } @@ -889,14 +903,14 @@ namespace } NTSTATUS handle_NtQuerySystemInformation(const syscall_context& c, const uint32_t info_class, - const uint64_t system_information, - const uint32_t system_information_length, - const emulator_object return_length) + const uint64_t system_information, + const uint32_t system_information_length, + const emulator_object return_length) { if (info_class == SystemFlushInformation || info_class == SystemHypervisorSharedPageInformation || info_class == 250 // Build 27744 - ) + ) { return STATUS_NOT_SUPPORTED; } 
@@ -913,13 +927,13 @@ namespace return STATUS_BUFFER_TOO_SMALL; } - const emulator_object info_obj{ c.emu, system_information }; + const emulator_object info_obj{c.emu, system_information}; info_obj.access([&](SYSTEM_TIMEOFDAY_INFORMATION64& info) - { - info.BootTime.QuadPart = 0; - // TODO: Fill - }); + { + info.BootTime.QuadPart = 0; + // TODO: Fill + }); return STATUS_SUCCESS; } @@ -936,12 +950,12 @@ namespace return STATUS_BUFFER_TOO_SMALL; } - const emulator_object info_obj{ c.emu, system_information }; + const emulator_object info_obj{c.emu, system_information}; info_obj.access([&](SYSTEM_RANGE_START_INFORMATION64& info) - { - info.SystemRangeStart = 0xFFFF800000000000; - }); + { + info.SystemRangeStart = 0xFFFF800000000000; + }); return STATUS_SUCCESS; } @@ -958,14 +972,14 @@ namespace return STATUS_BUFFER_TOO_SMALL; } - const emulator_object info_obj{ c.emu, system_information }; + const emulator_object info_obj{c.emu, system_information}; info_obj.access([&](SYSTEM_PROCESSOR_INFORMATION64& info) - { - memset(&info, 0, sizeof(info)); - info.MaximumProcessors = 2; - info.ProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64; - }); + { + memset(&info, 0, sizeof(info)); + info.MaximumProcessors = 2; + info.ProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64; + }); return STATUS_SUCCESS; } @@ -982,15 +996,15 @@ namespace return STATUS_BUFFER_TOO_SMALL; } - const emulator_object info_obj{ c.emu, system_information }; + const emulator_object info_obj{c.emu, system_information}; info_obj.access([&](SYSTEM_NUMA_INFORMATION64& info) - { - memset(&info, 0, sizeof(info)); - info.ActiveProcessorsGroupAffinity->Mask = 0xFFF; - info.AvailableMemory[0] = 0xFFF; - info.Pad[0] = 0xFFF; - }); + { + memset(&info, 0, sizeof(info)); + info.ActiveProcessorsGroupAffinity->Mask = 0xFFF; + info.AvailableMemory[0] = 0xFFF; + info.Pad[0] = 0xFFF; + }); return STATUS_SUCCESS; } 
@@ -1007,13 +1021,13 @@ namespace return STATUS_BUFFER_TOO_SMALL; } - const emulator_object info_obj{ c.emu, system_information }; + const emulator_object info_obj{c.emu, system_information}; info_obj.access([&](SYSTEM_ERROR_PORT_TIMEOUTS& info) - { - info.StartTimeout = 0; - info.CommTimeout = 0; - }); + { + info.StartTimeout = 0; + info.CommTimeout = 0; + }); return STATUS_SUCCESS; } 
@@ -1035,29 +1049,29 @@ namespace return STATUS_BUFFER_TOO_SMALL; } - const emulator_object info{ c.emu, system_information }; + const emulator_object info{c.emu, system_information}; info.access([&](SYSTEM_BASIC_INFORMATION64& basic_info) - { - basic_info.Reserved = 0; - basic_info.TimerResolution = 0x0002625a; - basic_info.PageSize = 0x1000; - basic_info.LowestPhysicalPageNumber = 0x00000001; - basic_info.HighestPhysicalPageNumber = 0x00c9c7ff; - basic_info.AllocationGranularity = 0x10000; - basic_info.MinimumUserModeAddress = 0x0000000000010000; - basic_info.MaximumUserModeAddress = 0x00007ffffffeffff; - basic_info.ActiveProcessorsAffinityMask = 0x0000000000000fff; - basic_info.NumberOfProcessors = 1; - }); + { + basic_info.Reserved = 0; + basic_info.TimerResolution = 0x0002625a; + basic_info.PageSize = 0x1000; + basic_info.LowestPhysicalPageNumber = 0x00000001; + basic_info.HighestPhysicalPageNumber = 0x00c9c7ff; + basic_info.AllocationGranularity = 0x10000; + basic_info.MinimumUserModeAddress = 0x0000000000010000; + basic_info.MaximumUserModeAddress = 0x00007ffffffeffff; + basic_info.ActiveProcessorsAffinityMask = 0x0000000000000fff; + basic_info.NumberOfProcessors = 1; + }); return STATUS_SUCCESS; } NTSTATUS handle_NtDuplicateObject(const syscall_context& /*c*/, const handle source_process_handle, - const handle source_handle, const handle target_process_handle, - const emulator_object target_handle, const ACCESS_MASK /*desired_access*/, - const ULONG /*handle_attributes*/, const ULONG /*options*/) + const handle source_handle, const handle target_process_handle, + const emulator_object target_handle, const ACCESS_MASK /*desired_access*/, + const ULONG /*handle_attributes*/, const ULONG /*options*/) { if (source_process_handle != CURRENT_PROCESS || target_process_handle != CURRENT_PROCESS) { 
@@ -1075,11 +1089,11 @@ namespace } NTSTATUS handle_NtQuerySystemInformationEx(const syscall_context& c, const uint32_t info_class, - const uint64_t input_buffer, - const uint32_t input_buffer_length, - const uint64_t system_information, - const uint32_t system_information_length, - const emulator_object return_length) + const uint64_t input_buffer, + const uint32_t input_buffer_length, + const uint64_t system_information, + const uint32_t system_information_length, + const emulator_object return_length) { if (info_class == SystemFlushInformation || info_class == SystemFeatureConfigurationInformation @@ -1099,18 +1113,18 @@ namespace NTSTATUS code = STATUS_SUCCESS; return_length.access([&](uint32_t& len) - { - (void)len; + { + (void)len; #ifdef OS_WINDOWS - code = NtQuerySystemInformationEx(static_cast(info_class), buffer, - input_buffer_length, - res_buff, - system_information_length, reinterpret_cast(&len)); + code = NtQuerySystemInformationEx(static_cast(info_class), buffer, + input_buffer_length, + res_buff, + system_information_length, reinterpret_cast(&len)); #else // TODO: unsupported code = STATUS_SUCCESS; #endif - }); + }); if (code == 0) { 
@@ -1140,29 +1154,29 @@ namespace return STATUS_BUFFER_TOO_SMALL; } - const emulator_object info{ c.emu, system_information }; + const emulator_object info{c.emu, system_information}; info.access([&](SYSTEM_BASIC_INFORMATION64& basic_info) - { - basic_info.Reserved = 0; - basic_info.TimerResolution = 0x0002625a; - basic_info.PageSize = 0x1000; - basic_info.LowestPhysicalPageNumber = 0x00000001; - basic_info.HighestPhysicalPageNumber = 0x00c9c7ff; - basic_info.AllocationGranularity = 0x10000; - basic_info.MinimumUserModeAddress = 0x0000000000010000; - basic_info.MaximumUserModeAddress = 0x00007ffffffeffff; - basic_info.ActiveProcessorsAffinityMask = 0x0000000000000fff; - basic_info.NumberOfProcessors = 1; - }); + { + basic_info.Reserved = 0; + basic_info.TimerResolution = 0x0002625a; + basic_info.PageSize = 0x1000; + basic_info.LowestPhysicalPageNumber = 0x00000001; + basic_info.HighestPhysicalPageNumber = 0x00c9c7ff; + basic_info.AllocationGranularity = 0x10000; + basic_info.MinimumUserModeAddress = 0x0000000000010000; + basic_info.MaximumUserModeAddress = 0x00007ffffffeffff; + basic_info.ActiveProcessorsAffinityMask = 0x0000000000000fff; + basic_info.NumberOfProcessors = 1; + }); return STATUS_SUCCESS; } NTSTATUS handle_NtQueryInformationProcess(const syscall_context& c, const handle process_handle, - const uint32_t info_class, const uint64_t process_information, - const uint32_t process_information_length, - const emulator_object return_length) + const uint32_t info_class, const uint64_t process_information, + const uint32_t process_information_length, + const emulator_object return_length) { if (process_handle != CURRENT_PROCESS) { 
@@ -1181,37 +1195,39 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object>> info{ c.emu, process_information }; + const emulator_object>> info{c.emu, process_information}; info.access([&](SECTION_IMAGE_INFORMATION>& i) - { - const auto& mod = *c.proc.executable; + { + const auto& mod = *c.proc.executable; - const emulator_object dos_header_obj{ c.emu, mod.image_base }; - const auto dos_header = dos_header_obj.read(); + const emulator_object dos_header_obj{c.emu, mod.image_base}; + const auto dos_header = dos_header_obj.read(); - const emulator_object> nt_headers_obj{ c.emu, mod.image_base + dos_header.e_lfanew }; - const auto nt_headers = nt_headers_obj.read(); + const emulator_object> nt_headers_obj{ + c.emu, mod.image_base + dos_header.e_lfanew + }; + const auto nt_headers = nt_headers_obj.read(); - const auto& file_header = nt_headers.FileHeader; - const auto& optional_header = nt_headers.OptionalHeader; + const auto& file_header = nt_headers.FileHeader; + const auto& optional_header = nt_headers.OptionalHeader; - i.TransferAddress = 0; - i.MaximumStackSize = optional_header.SizeOfStackReserve; - i.CommittedStackSize = optional_header.SizeOfStackCommit; - i.SubSystemType = optional_header.Subsystem; - i.SubSystemMajorVersion = optional_header.MajorSubsystemVersion; - i.SubSystemMinorVersion = optional_header.MinorSubsystemVersion; - i.MajorOperatingSystemVersion = optional_header.MajorOperatingSystemVersion; - i.MinorOperatingSystemVersion = optional_header.MinorOperatingSystemVersion; - i.ImageCharacteristics = file_header.Characteristics; - i.DllCharacteristics = optional_header.DllCharacteristics; - i.Machine = file_header.Machine; - i.ImageContainsCode = TRUE; - i.ImageFlags = 0; // TODO - i.ImageFileSize = optional_header.SizeOfImage; - i.LoaderFlags = optional_header.LoaderFlags; - i.CheckSum = optional_header.CheckSum; - }); + i.TransferAddress = 0; + i.MaximumStackSize = optional_header.SizeOfStackReserve; + i.CommittedStackSize = 
optional_header.SizeOfStackCommit; + i.SubSystemType = optional_header.Subsystem; + i.SubSystemMajorVersion = optional_header.MajorSubsystemVersion; + i.SubSystemMinorVersion = optional_header.MinorSubsystemVersion; + i.MajorOperatingSystemVersion = optional_header.MajorOperatingSystemVersion; + i.MinorOperatingSystemVersion = optional_header.MinorOperatingSystemVersion; + i.ImageCharacteristics = file_header.Characteristics; + i.DllCharacteristics = optional_header.DllCharacteristics; + i.Machine = file_header.Machine; + i.ImageContainsCode = TRUE; + i.ImageFlags = 0; // TODO + i.ImageFileSize = optional_header.SizeOfImage; + i.LoaderFlags = optional_header.LoaderFlags; + i.CheckSum = optional_header.CheckSum; + }); return STATUS_SUCCESS; } @@ -1228,7 +1244,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, process_information }; + const emulator_object info{c.emu, process_information}; info.write(0x01234567); return STATUS_SUCCESS; @@ -1246,7 +1262,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object::PVOID> info{ c.emu, process_information }; + const emulator_object::PVOID> info{c.emu, process_information}; info.write(0); return STATUS_SUCCESS; @@ -1264,7 +1280,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, process_information }; + const emulator_object info{c.emu, process_information}; info.write(0); return STATUS_SUCCESS; @@ -1288,7 +1304,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, process_information }; + const emulator_object info{c.emu, process_information}; info.write(KERNEL_USER_TIMES{}); return STATUS_SUCCESS; 
@@ -1306,12 +1322,12 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, process_information }; + const emulator_object info{c.emu, process_information}; info.access([&](PROCESS_BASIC_INFORMATION64& basic_info) - { - basic_info.PebBaseAddress = c.proc.peb.ptr(); - basic_info.UniqueProcessId = 1; - }); + { + basic_info.PebBaseAddress = c.proc.peb.ptr(); + basic_info.UniqueProcessId = 1; + }); return STATUS_SUCCESS; } @@ -1319,7 +1335,7 @@ namespace if (info_class == ProcessImageFileNameWin32) { const auto peb = c.proc.peb.read(); - emulator_object proc_params{ c.emu, peb.ProcessParameters }; + emulator_object proc_params{c.emu, peb.ProcessParameters}; const auto params = proc_params.read(); const auto length = params.ImagePathName.Length + sizeof(UNICODE_STRING>) + 2; @@ -1333,16 +1349,17 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object>> info{ c.emu, process_information }; + const emulator_object>> info{c.emu, process_information}; info.access([&](UNICODE_STRING>& str) - { - const auto buffer_start = static_cast(process_information) + sizeof(UNICODE_STRING>); - const auto string = read_unicode_string(c.emu, params.ImagePathName); - c.emu.write_memory(buffer_start, string.c_str(), (string.size() + 1) * 2); - str.Length = params.ImagePathName.Length; - str.MaximumLength = str.Length; - str.Buffer = buffer_start; - }); + { + const auto buffer_start = static_cast(process_information) + sizeof(UNICODE_STRING< + EmulatorTraits>); + const auto string = read_unicode_string(c.emu, params.ImagePathName); + c.emu.write_memory(buffer_start, string.c_str(), (string.size() + 1) * 2); + str.Length = params.ImagePathName.Length; + str.MaximumLength = str.Length; + str.Buffer = buffer_start; + }); return STATUS_SUCCESS; } 
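Review bot: The formatter has split a template-id across two lines in the `ProcessImageFileNameWin32` branch (hunk `@@ -1333,16 +1349,17 @@`): `sizeof(UNICODE_STRING<` ends one line and `EmulatorTraits>)` starts the next, which reads like a typo and defeats grepping for the full type name. The same column-limit pressure yields `c.proc.base_allocator.reserve` followed by `().ptr()` on the next line in `handle_NtGdiInit` (hunk `@@ -2497,12 +2525,13 @@`). In both places the operand can be hoisted into a named `const auto` local before the lambda or the cast — for example `const auto table = c.proc.base_allocator.reserve();` and then `table.ptr()` inside the existing `reinterpret_cast` — so clang-format no longer has to break inside a token. The enclosing functions start before and continue after these hunks.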
@@ -1354,13 +1371,13 @@ namespace } NTSTATUS handle_NtQueryInformationThread(const syscall_context& c, const handle thread_handle, - const uint32_t info_class, const uint64_t thread_information, - const uint32_t thread_information_length, - const emulator_object return_length) + const uint32_t info_class, const uint64_t thread_information, + const uint32_t thread_information_length, + const emulator_object return_length) { const auto* thread = thread_handle == CURRENT_THREAD - ? c.proc.active_thread - : c.proc.threads.get(thread_handle); + ? c.proc.active_thread + : c.proc.threads.get(thread_handle); if (!thread) { @@ -1379,12 +1396,12 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, thread_information }; + const emulator_object info{c.emu, thread_information}; info.access([&](THREAD_BASIC_INFORMATION64& i) - { - i.TebBaseAddress = thread->teb->ptr(); - i.ClientId = thread->teb->read().ClientId; - }); + { + i.TebBaseAddress = thread->teb->ptr(); + i.ClientId = thread->teb->read().ClientId; + }); return STATUS_SUCCESS; } @@ -1401,7 +1418,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, thread_information }; + const emulator_object info{c.emu, thread_information}; info.write(c.proc.threads.size() <= 1); return STATUS_SUCCESS; @@ -1419,7 +1436,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object::PVOID> info{ c.emu, thread_information }; + const emulator_object::PVOID> info{c.emu, thread_information}; info.write(thread->start_address); return STATUS_SUCCESS; 
@@ -1432,9 +1449,9 @@ namespace } NTSTATUS handle_NtSetInformationFile(const syscall_context& c, const handle file_handle, - const emulator_object>> io_status_block, - const uint64_t file_information, - const ULONG length, const FILE_INFORMATION_CLASS info_class) + const emulator_object>> io_status_block, + const uint64_t file_information, + const ULONG length, const FILE_INFORMATION_CLASS info_class) { const auto* f = c.proc.files.get(file_handle); if (!f) @@ -1461,7 +1478,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, file_information }; + const emulator_object info{c.emu, file_information}; const auto i = info.read(); if (!f->handle.seek_to(i.CurrentByteOffset.QuadPart)) @@ -1487,16 +1504,17 @@ namespace for (const auto& file : std::filesystem::directory_iterator(dir)) { - files.emplace_back(file_entry{ .file_path = file.path().filename(), }); + files.emplace_back(file_entry{.file_path = file.path().filename(),}); } return files; } template - NTSTATUS handle_file_enumeration(const syscall_context& c, const emulator_object>> io_status_block, - const uint64_t file_information, const uint32_t length, const ULONG query_flags, - file* f) + NTSTATUS handle_file_enumeration(const syscall_context& c, + const emulator_object>> io_status_block, + const uint64_t file_information, const uint32_t length, const ULONG query_flags, + file* f) { if (!f->enumeration_state || query_flags & SL_RESTART_SCAN) { @@ -1506,8 +1524,8 @@ namespace auto& enum_state = *f->enumeration_state; - size_t current_offset{ 0 }; - emulator_object object{ c.emu }; + size_t current_offset{0}; + emulator_object object{c.emu}; size_t current_index = enum_state.current_index; @@ -1543,9 +1561,9 @@ namespace const auto object_offset = object.value() - file_information; object.access([&](T& dir_info) - { - dir_info.NextEntryOffset = static_cast(new_offset - object_offset); - }); + { + dir_info.NextEntryOffset = static_cast(new_offset - object_offset); + }); } T info{}; 
@@ -1558,11 +1576,12 @@ namespace object.write(info); c.emu.write_memory(object.value() + offsetof(T, FileName), file_name.data(), - info.FileNameLength); + info.FileNameLength); ++current_index; current_offset = end_offset; - } while ((query_flags & SL_RETURN_SINGLE_ENTRY) == 0); + } + while ((query_flags & SL_RETURN_SINGLE_ENTRY) == 0); if ((query_flags & SL_NO_CURSOR_UPDATE) == 0) { @@ -1577,13 +1596,14 @@ namespace } NTSTATUS handle_NtQueryDirectoryFileEx(const syscall_context& c, const handle file_handle, - const handle /*event_handle*/, - const emulator_pointer /*PIO_APC_ROUTINE*/ /*apc_routine*/, - const emulator_pointer /*apc_context*/, - const emulator_object>> io_status_block, - const uint64_t file_information, const uint32_t length, - const uint32_t info_class, const ULONG query_flags, - const emulator_object>> /*file_name*/) + const handle /*event_handle*/, + const emulator_pointer /*PIO_APC_ROUTINE*/ /*apc_routine*/, + const emulator_pointer /*apc_context*/, + const emulator_object>> + io_status_block, + const uint64_t file_information, const uint32_t length, + const uint32_t info_class, const ULONG query_flags, + const emulator_object>> /*file_name*/) { auto* f = c.proc.files.get(file_handle); if (!f || !f->is_directory()) @@ -1594,19 +1614,19 @@ namespace if (info_class == FileDirectoryInformation) { return handle_file_enumeration(c, io_status_block, file_information, length, - query_flags, f); + query_flags, f); } if (info_class == FileFullDirectoryInformation) { return handle_file_enumeration(c, io_status_block, file_information, length, - query_flags, f); + query_flags, f); } if (info_class == FileBothDirectoryInformation) { return handle_file_enumeration(c, io_status_block, file_information, length, - query_flags, f); + query_flags, f); } printf("Unsupported query directory file info class: %X\n", info_class); 
@@ -1616,9 +1636,10 @@ namespace } NTSTATUS handle_NtQueryInformationFile(const syscall_context& c, const handle file_handle, - const emulator_object>> io_status_block, - const uint64_t file_information, const uint32_t length, - const uint32_t info_class) + const emulator_object>> + io_status_block, + const uint64_t file_information, const uint32_t length, + const uint32_t info_class) { const auto* f = c.proc.files.get(file_handle); if (!f) @@ -1643,12 +1664,12 @@ namespace } c.emu.write_memory(file_information, FILE_NAME_INFORMATION{ - .FileNameLength = static_cast(f->name.size() * 2), - .FileName = {}, - }); + .FileNameLength = static_cast(f->name.size() * 2), + .FileName = {}, + }); c.emu.write_memory(file_information + offsetof(FILE_NAME_INFORMATION, FileName), f->name.c_str(), - (f->name.size() + 1) * 2); + (f->name.size() + 1) * 2); return STATUS_SUCCESS; } @@ -1667,7 +1688,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, file_information }; + const emulator_object info{c.emu, file_information}; FILE_STANDARD_INFORMATION i{}; i.Directory = f->is_directory() ? TRUE : FALSE; @@ -1700,7 +1721,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{ c.emu, file_information }; + const emulator_object info{c.emu, file_information}; FILE_POSITION_INFORMATION i{}; i.CurrentByteOffset.QuadPart = f->handle.tell(); @@ -1717,8 +1738,8 @@ namespace } NTSTATUS handle_NtSetInformationProcess(const syscall_context& c, const handle process_handle, - const uint32_t info_class, const uint64_t process_information, - const uint32_t process_information_length) + const uint32_t info_class, const uint64_t process_information, + const uint32_t process_information_length) { if (process_handle != CURRENT_PROCESS) { 
@@ -1742,7 +1763,7 @@ namespace return STATUS_BUFFER_OVERFLOW; } - const emulator_object data{ c.emu, process_information + thread_data_offset }; + const emulator_object data{c.emu, process_information + thread_data_offset}; PROCESS_TLS_INFO tls_info{}; c.emu.read_memory(process_information, &tls_info, thread_data_offset); @@ -1752,9 +1773,9 @@ namespace auto entry = data.read(i); const auto _ = utils::finally([&] - { - data.write(entry, i); - }); + { + data.write(entry, i); + }); if (i >= c.proc.threads.size()) { 
@@ -1768,34 +1789,34 @@ namespace entry.Flags = 2; thread_iterator->second.teb->access([&](TEB64& teb) + { + entry.ThreadId = teb.ClientId.UniqueThread; + + const auto tls_vector = teb.ThreadLocalStoragePointer; + + if (tls_info.TlsRequest == ProcessTlsReplaceIndex) { - entry.ThreadId = teb.ClientId.UniqueThread; + const auto tls_entry_ptr = tls_vector + tls_info.TlsIndex; - const auto tls_vector = teb.ThreadLocalStoragePointer; + const auto old_entry = c.emu.read_memory::PVOID>(tls_entry_ptr); + c.emu.write_memory::PVOID>(tls_entry_ptr, entry.TlsModulePointer); - if (tls_info.TlsRequest == ProcessTlsReplaceIndex) + entry.TlsModulePointer = old_entry; + } + else if (tls_info.TlsRequest == ProcessTlsReplaceVector) + { + const auto new_tls_vector = entry.TlsVector; + + for (uint32_t index = 0; index < tls_info.TlsVectorLength; ++index) { - const auto tls_entry_ptr = tls_vector + tls_info.TlsIndex; - - const auto old_entry = c.emu.read_memory::PVOID>(tls_entry_ptr); - c.emu.write_memory::PVOID>(tls_entry_ptr, entry.TlsModulePointer); - - entry.TlsModulePointer = old_entry; + const auto old_entry = c.emu.read_memory(tls_vector + index); + c.emu.write_memory(new_tls_vector + index, old_entry); } - else if (tls_info.TlsRequest == ProcessTlsReplaceVector) - { - const auto new_tls_vector = entry.TlsVector; - for (uint32_t index = 0; index < tls_info.TlsVectorLength; ++index) - { - const auto old_entry = c.emu.read_memory(tls_vector + index); - c.emu.write_memory(new_tls_vector + index, old_entry); - } - - teb.ThreadLocalStoragePointer = new_tls_vector; - entry.TlsVector = tls_vector; - } - }); + teb.ThreadLocalStoragePointer = new_tls_vector; + entry.TlsVector = tls_vector; + } + }); } return STATUS_SUCCESS; 
@@ -1818,10 +1839,10 @@ namespace } NTSTATUS handle_NtProtectVirtualMemory(const syscall_context& c, const handle process_handle, - const emulator_object base_address, - const emulator_object bytes_to_protect, - const uint32_t protection, - const emulator_object old_protection) + const emulator_object base_address, + const emulator_object bytes_to_protect, + const uint32_t protection, + const emulator_object old_protection) { if (process_handle != CURRENT_PROCESS) { @@ -1839,8 +1860,9 @@ namespace const auto requested_protection = map_nt_to_emulator_protection(protection); - c.win_emu.log.print(color::dark_gray, "--> Changing protection at 0x%" PRIx64 "-0x%" PRIx64 " to %s\n", aligned_start, - aligned_start + aligned_length, get_permission_string(requested_protection).c_str()); + c.win_emu.log.print(color::dark_gray, "--> Changing protection at 0x%" PRIx64 "-0x%" PRIx64 " to %s\n", + aligned_start, + aligned_start + aligned_length, get_permission_string(requested_protection).c_str()); memory_permission old_protection_value{}; @@ -1860,12 +1882,14 @@ namespace } NTSTATUS handle_NtOpenDirectoryObject(const syscall_context& c, - const emulator_object directory_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes) + const emulator_object directory_handle, + const ACCESS_MASK /*desired_access*/, + const emulator_object>> + object_attributes) { const auto attributes = object_attributes.read(); - const auto object_name = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName)); + const auto object_name = read_unicode_string( + c.emu, reinterpret_cast>*>(attributes.ObjectName)); if (object_name == u"\\KnownDlls") { 
@@ -1883,11 +1907,13 @@ namespace } NTSTATUS handle_NtOpenSymbolicLinkObject(const syscall_context& c, const emulator_object link_handle, - ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes) + ACCESS_MASK /*desired_access*/, + const emulator_object>> + object_attributes) { const auto attributes = object_attributes.read(); - const auto object_name = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName)); + const auto object_name = read_unicode_string( + c.emu, reinterpret_cast>*>(attributes.ObjectName)); if (object_name == u"KnownDllPath") { @@ -1898,10 +1924,10 @@ namespace return STATUS_NOT_SUPPORTED; } - // TODO: warning stdcall problem - NTSTATUS WINAPI handle_NtQuerySymbolicLinkObject(const syscall_context& c, const handle link_handle, - const emulator_object>> link_target, - const emulator_object returned_length) + NTSTATUS handle_NtQuerySymbolicLinkObject(const syscall_context& c, const handle link_handle, + const emulator_object>> + link_target, + const emulator_object returned_length) { if (link_handle == KNOWN_DLLS_SYMLINK) { 
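Review bot: Dropping `WINAPI` from `handle_NtQuerySymbolicLinkObject` (hunk `@@ -1898,10 +1924,10 @@`) is the only non-whitespace change in an otherwise formatting-only commit and deserves a sentence in the commit message so it is not lost among the re-indentation. The removed `// TODO: warning stdcall problem` comment indicates the calling-convention macro was already known to be out of step with the other handlers in this file, which all declare plain `NTSTATUS handle_...`; if handlers are registered through a shared function-pointer or template signature, an explicit convention could be a mismatch on targets where `WINAPI` is not a no-op, so the removal looks correct but should be stated rather than left implicit. A quick grep for any remaining `WINAPI` on handler declarations would confirm this was the last one. The function's body continues outside the hunk.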
@@ -1913,30 +1939,30 @@ namespace bool too_small = false; link_target.access([&](UNICODE_STRING>& str) + { + if (str.MaximumLength < max_length) { - if (str.MaximumLength < max_length) - { - too_small = true; - return; - } + too_small = true; + return; + } - str.Length = str_length; - c.emu.write_memory(str.Buffer, system32.data(), max_length); - }); + str.Length = str_length; + c.emu.write_memory(str.Buffer, system32.data(), max_length); + }); return too_small - ? STATUS_BUFFER_TOO_SMALL - : STATUS_SUCCESS; + ? STATUS_BUFFER_TOO_SMALL + : STATUS_SUCCESS; } return STATUS_NOT_SUPPORTED; } NTSTATUS handle_NtAllocateVirtualMemoryEx(const syscall_context& c, const handle process_handle, - const emulator_object base_address, - const emulator_object bytes_to_allocate, - const uint32_t allocation_type, - const uint32_t page_protection) + const emulator_object base_address, + const emulator_object bytes_to_allocate, + const uint32_t allocation_type, + const uint32_t page_protection) { if (process_handle != CURRENT_PROCESS) { 
@@ -1976,22 +2002,22 @@ namespace } return c.emu.allocate_memory(potential_base, allocation_bytes, protection, !commit) - ? STATUS_SUCCESS - : STATUS_MEMORY_NOT_ALLOCATED; + ? STATUS_SUCCESS + : STATUS_MEMORY_NOT_ALLOCATED; } NTSTATUS handle_NtAllocateVirtualMemory(const syscall_context& c, const handle process_handle, - const emulator_object base_address, const uint64_t /*zero_bits*/, - const emulator_object bytes_to_allocate, - const uint32_t allocation_type, const uint32_t page_protection) + const emulator_object base_address, const uint64_t /*zero_bits*/, + const emulator_object bytes_to_allocate, + const uint32_t allocation_type, const uint32_t page_protection) { return handle_NtAllocateVirtualMemoryEx(c, process_handle, base_address, bytes_to_allocate, allocation_type, - page_protection); + page_protection); } NTSTATUS handle_NtFreeVirtualMemory(const syscall_context& c, const handle process_handle, - const emulator_object base_address, - const emulator_object bytes_to_allocate, const uint32_t free_type) + const emulator_object base_address, + const emulator_object bytes_to_allocate, const uint32_t free_type) { if (process_handle != CURRENT_PROCESS) { 
@@ -2004,26 +2030,26 @@ namespace if (free_type & MEM_RELEASE) { return c.emu.release_memory(allocation_base, allocation_size) - ? STATUS_SUCCESS - : STATUS_MEMORY_NOT_ALLOCATED; + ? STATUS_SUCCESS + : STATUS_MEMORY_NOT_ALLOCATED; } if (free_type & MEM_DECOMMIT) { return c.emu.decommit_memory(allocation_base, allocation_size) - ? STATUS_SUCCESS - : STATUS_MEMORY_NOT_ALLOCATED; + ? STATUS_SUCCESS + : STATUS_MEMORY_NOT_ALLOCATED; } throw std::runtime_error("Bad free type"); } NTSTATUS handle_NtCreateSection(const syscall_context& c, const emulator_object section_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes, - const emulator_object maximum_size, - const ULONG section_page_protection, const ULONG allocation_attributes, - const handle file_handle) + const ACCESS_MASK /*desired_access*/, + const emulator_object>> object_attributes, + const emulator_object maximum_size, + const ULONG section_page_protection, const ULONG allocation_attributes, + const handle file_handle) { section s{}; s.section_page_protection = section_page_protection; @@ -2041,7 +2067,8 @@ namespace const auto attributes = object_attributes.read(); if (attributes.ObjectName) { - const auto name = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName)); + const auto name = read_unicode_string( + c.emu, reinterpret_cast>*>(attributes.ObjectName)); c.win_emu.log.print(color::dark_gray, "--> Section with name %s\n", u16_to_u8(name).c_str()); s.name = std::move(name); } @@ -2050,10 +2077,10 @@ namespace if (maximum_size) { maximum_size.access([&](ULARGE_INTEGER& large_int) - { - large_int.QuadPart = page_align_up(large_int.QuadPart); - s.maximum_size = large_int.QuadPart; - }); + { + large_int.QuadPart = page_align_up(large_int.QuadPart); + s.maximum_size = large_int.QuadPart; + }); } else if (!file) { 
@@ -2067,13 +2094,13 @@ namespace } NTSTATUS handle_NtConnectPort(const syscall_context& c, const emulator_object client_port_handle, - const emulator_object>> server_port_name, - const emulator_object /*security_qos*/, - const emulator_object client_shared_memory, - const emulator_object /*server_shared_memory*/, - const emulator_object /*maximum_message_length*/, - const emulator_pointer connection_info, - const emulator_object connection_info_length) + const emulator_object>> server_port_name, + const emulator_object /*security_qos*/, + const emulator_object client_shared_memory, + const emulator_object /*server_shared_memory*/, + const emulator_object /*maximum_message_length*/, + const emulator_pointer connection_info, + const emulator_object connection_info_length) { auto port_name = read_unicode_string(c.emu, server_port_name); c.win_emu.log.print(color::dark_gray, "NtConnectPort: %s\n", u16_to_u8(port_name).c_str()); @@ -2089,11 +2116,11 @@ namespace } client_shared_memory.access([&](PORT_VIEW64& view) - { - p.view_base = c.emu.allocate_memory(view.ViewSize, memory_permission::read_write); - view.ViewBase = p.view_base; - view.ViewRemoteBase = view.ViewBase; - }); + { + p.view_base = c.emu.allocate_memory(view.ViewSize, memory_permission::read_write); + view.ViewBase = p.view_base; + view.ViewRemoteBase = view.ViewBase; + }); const auto handle = c.proc.ports.store(std::move(p)); client_port_handle.write(handle); @@ -2102,9 +2129,9 @@ namespace } NTSTATUS handle_NtReadVirtualMemory(const syscall_context& c, const handle process_handle, - const emulator_pointer base_address, - const emulator_pointer buffer, const ULONG number_of_bytes_to_read, - const emulator_object number_of_bytes_read) + const emulator_pointer base_address, + const emulator_pointer buffer, const ULONG number_of_bytes_to_read, + const emulator_object number_of_bytes_read) { number_of_bytes_read.write(0); 
@@ -2127,14 +2154,14 @@ namespace } NTSTATUS handle_NtDeviceIoControlFile(const syscall_context& c, const handle file_handle, - const handle event, - const emulator_pointer /*PIO_APC_ROUTINE*/ apc_routine, - const emulator_pointer apc_context, - const emulator_object>> io_status_block, - const ULONG io_control_code, - const emulator_pointer input_buffer, - const ULONG input_buffer_length, const emulator_pointer output_buffer, - const ULONG output_buffer_length) + const handle event, + const emulator_pointer /*PIO_APC_ROUTINE*/ apc_routine, + const emulator_pointer apc_context, + const emulator_object>> io_status_block, + const ULONG io_control_code, + const emulator_pointer input_buffer, + const ULONG input_buffer_length, const emulator_pointer output_buffer, + const ULONG output_buffer_length) { auto* device = c.proc.devices.get(file_handle); if (!device) @@ -2142,7 +2169,7 @@ namespace return STATUS_INVALID_HANDLE; } - io_device_context context{ c.emu }; + io_device_context context{c.emu}; context.event = event; context.apc_routine = apc_routine; context.apc_context = apc_context; @@ -2170,8 +2197,8 @@ namespace } NTSTATUS handle_NtOpenThreadToken(const syscall_context&, const handle thread_handle, - const ACCESS_MASK /*desired_access*/, const BOOLEAN /*open_as_self*/, - const emulator_object token_handle) + const ACCESS_MASK /*desired_access*/, const BOOLEAN /*open_as_self*/, + const emulator_object token_handle) { if (thread_handle != CURRENT_THREAD) { 
@@ -2184,15 +2211,15 @@ namespace } NTSTATUS handle_NtOpenThreadTokenEx(const syscall_context& c, const handle thread_handle, - const ACCESS_MASK desired_access, const BOOLEAN open_as_self, - const ULONG /*handle_attributes*/, - const emulator_object token_handle) + const ACCESS_MASK desired_access, const BOOLEAN open_as_self, + const ULONG /*handle_attributes*/, + const emulator_object token_handle) { return handle_NtOpenThreadToken(c, thread_handle, desired_access, open_as_self, token_handle); } NTSTATUS handle_NtOpenProcessToken(const syscall_context&, const handle process_handle, - const ACCESS_MASK /*desired_access*/, const emulator_object token_handle) + const ACCESS_MASK /*desired_access*/, const emulator_object token_handle) { if (process_handle != CURRENT_PROCESS) { @@ -2205,8 +2232,8 @@ namespace } NTSTATUS handle_NtOpenProcessTokenEx(const syscall_context& c, const handle process_handle, - const ACCESS_MASK desired_access, const ULONG /*handle_attributes*/, - const emulator_object token_handle) + const ACCESS_MASK desired_access, const ULONG /*handle_attributes*/, + const emulator_object token_handle) { return handle_NtOpenProcessToken(c, process_handle, desired_access, token_handle); } @@ -2237,15 +2264,16 @@ namespace TOKEN_TYPE get_token_type(const handle token_handle) { return token_handle == DUMMY_IMPERSONATION_TOKEN // - ? TokenImpersonation - : TokenPrimary; + ? TokenImpersonation + : TokenPrimary; } NTSTATUS handle_NtDuplicateToken(const syscall_context&, const handle existing_token_handle, - ACCESS_MASK /*desired_access*/, - const emulator_object>> /*object_attributes*/, - const BOOLEAN /*effective_only*/, const TOKEN_TYPE type, - const emulator_object new_token_handle) + ACCESS_MASK /*desired_access*/, + const emulator_object>> + /*object_attributes*/, + const BOOLEAN /*effective_only*/, const TOKEN_TYPE type, + const emulator_object new_token_handle) { if (get_token_type(existing_token_handle) == type) { 
@@ -2264,8 +2292,8 @@ namespace } NTSTATUS handle_NtQueryTimerResolution(const syscall_context&, const emulator_object maximum_time, - const emulator_object minimum_time, - const emulator_object current_time) + const emulator_object minimum_time, + const emulator_object current_time) { maximum_time.write_if_valid(0x0002625a); minimum_time.write_if_valid(0x00001388); @@ -2274,15 +2302,15 @@ namespace } NTSTATUS handle_NtQueryInformationToken(const syscall_context& c, const handle token_handle, - const TOKEN_INFORMATION_CLASS token_information_class, - const uint64_t token_information, const ULONG token_information_length, - const emulator_object return_length) + const TOKEN_INFORMATION_CLASS token_information_class, + const uint64_t token_information, const ULONG token_information_length, + const emulator_object return_length) { if (token_handle != CURRENT_PROCESS_TOKEN && token_handle != CURRENT_THREAD_TOKEN && token_handle != CURRENT_THREAD_EFFECTIVE_TOKEN && token_handle != DUMMY_IMPERSONATION_TOKEN - ) + ) { return STATUS_NOT_SUPPORTED; } @@ -2381,8 +2409,8 @@ namespace } c.emu.write_memory(token_information, TOKEN_ELEVATION{ - .TokenIsElevated = 0, - }); + .TokenIsElevated = 0, + }); return STATUS_SUCCESS; } @@ -2426,11 +2454,11 @@ namespace } c.emu.write_memory(token_information, TOKEN_SECURITY_ATTRIBUTES_INFORMATION{ - .Version = 0, - .Reserved = {}, - .AttributeCount = 0, - .Attribute = {}, - }); + .Version = 0, + .Reserved = {}, + .AttributeCount = 0, + .Attribute = {}, + }); return STATUS_SUCCESS; } @@ -2465,9 +2493,9 @@ namespace } c.emu.write_memory(token_information, TOKEN_BNO_ISOLATION_INFORMATION64{ - .IsolationPrefix = 0, - .IsolationEnabled = 0, - }); + .IsolationPrefix = 0, + .IsolationEnabled = 0, + }); return STATUS_SUCCESS; } 
@@ -2497,12 +2525,13 @@ namespace NTSTATUS handle_NtGdiInit(const syscall_context& c) { c.proc.peb.access([&](PEB64& peb) + { + if (!peb.GdiSharedHandleTable) { - if (!peb.GdiSharedHandleTable) - { - peb.GdiSharedHandleTable = reinterpret_cast::PVOID*>(c.proc.base_allocator.reserve().ptr()); - } - }); + peb.GdiSharedHandleTable = reinterpret_cast::PVOID*>(c.proc.base_allocator.reserve + ().ptr()); + } + }); return STATUS_WAIT_1; } @@ -2544,16 +2573,16 @@ namespace } NTSTATUS handle_NtAlpcSendWaitReceivePort(const syscall_context& c, const handle port_handle, - const ULONG /*flags*/, - const emulator_object /*send_message*/, - const emulator_object - /*send_message_attributes*/ - , - const emulator_object receive_message, - const emulator_object::SIZE_T> /*buffer_length*/, - const emulator_object - /*receive_message_attributes*/, - const emulator_object /*timeout*/) + const ULONG /*flags*/, + const emulator_object /*send_message*/, + const emulator_object + /*send_message_attributes*/ + , + const emulator_object receive_message, + const emulator_object::SIZE_T> /*buffer_length*/, + const emulator_object + /*receive_message_attributes*/, + const emulator_object /*timeout*/) { const auto* port = c.proc.ports.get(port_handle); if (!port) @@ -2569,7 +2598,7 @@ namespace // TODO: Fix this. This is broken and wrong. - const emulator_object>> data{ c.emu, receive_message.value() + 0x48 }; + const emulator_object>> data{c.emu, receive_message.value() + 0x48}; const auto dest = data.read(); const auto base = dest.Base; @@ -2580,8 +2609,8 @@ namespace } NTSTATUS handle_NtInitializeNlsFiles(const syscall_context& c, const emulator_object base_address, - const emulator_object default_locale_id, - const emulator_object /*default_casing_table_size*/) + const emulator_object default_locale_id, + const emulator_object /*default_casing_table_size*/) { const auto locale_file = utils::io::read_file(R"(C:\Windows\System32\locale.nls)"); if (locale_file.empty()) 
@@ -2600,7 +2629,7 @@ namespace } NTSTATUS handle_NtContinue(const syscall_context& c, const emulator_object thread_context, - const BOOLEAN /*raise_alert*/) + const BOOLEAN /*raise_alert*/) { c.write_status = false; @@ -2611,7 +2640,7 @@ namespace } NTSTATUS handle_NtTerminateProcess(const syscall_context& c, const handle process_handle, - NTSTATUS exit_status) + NTSTATUS exit_status) { if (process_handle == 0) { @@ -2637,12 +2666,12 @@ namespace } NTSTATUS handle_NtReadFile(const syscall_context& c, const handle file_handle, const uint64_t /*event*/, - const uint64_t /*apc_routine*/, - const uint64_t /*apc_context*/, - const emulator_object>> io_status_block, - uint64_t buffer, const ULONG length, - const emulator_object /*byte_offset*/, - const emulator_object /*key*/) + const uint64_t /*apc_routine*/, + const uint64_t /*apc_context*/, + const emulator_object>> io_status_block, + uint64_t buffer, const ULONG length, + const emulator_object /*byte_offset*/, + const emulator_object /*key*/) { const auto* f = c.proc.files.get(file_handle); if (!f) @@ -2667,12 +2696,12 @@ namespace } NTSTATUS handle_NtWriteFile(const syscall_context& c, const handle file_handle, const uint64_t /*event*/, - const uint64_t /*apc_routine*/, - const uint64_t /*apc_context*/, - const emulator_object>> io_status_block, - uint64_t buffer, const ULONG length, - const emulator_object /*byte_offset*/, - const emulator_object /*key*/) + const uint64_t /*apc_routine*/, + const uint64_t /*apc_context*/, + const emulator_object>> io_status_block, + uint64_t buffer, const ULONG length, + const emulator_object /*byte_offset*/, + const emulator_object /*key*/) { std::string temp_buffer{}; temp_buffer.resize(length); 
@@ -2765,21 +2794,22 @@ namespace } NTSTATUS handle_NtCreateFile(const syscall_context& c, const emulator_object file_handle, - ACCESS_MASK desired_access, - const emulator_object>> object_attributes, - const emulator_object>> /*io_status_block*/, - const emulator_object /*allocation_size*/, ULONG /*file_attributes*/, - ULONG /*share_access*/, ULONG create_disposition, ULONG create_options, - uint64_t ea_buffer, - ULONG ea_length) + ACCESS_MASK desired_access, + const emulator_object>> object_attributes, + const emulator_object>> /*io_status_block*/, + const emulator_object /*allocation_size*/, ULONG /*file_attributes*/, + ULONG /*share_access*/, ULONG create_disposition, ULONG create_options, + uint64_t ea_buffer, + ULONG ea_length) { const auto attributes = object_attributes.read(); - auto filename = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName)); + auto filename = read_unicode_string( + c.emu, reinterpret_cast>*>(attributes.ObjectName)); auto printer = utils::finally([&] - { - c.win_emu.log.print(color::dark_gray, "--> Opening file: %s\n", u16_to_u8(filename).c_str()); - }); + { + c.win_emu.log.print(color::dark_gray, "--> Opening file: %s\n", u16_to_u8(filename).c_str()); + }); constexpr std::u16string_view device_prefix = u"\\Device\\"; if (filename.starts_with(device_prefix)) @@ -2790,7 +2820,7 @@ namespace }; auto device_name = filename.substr(device_prefix.size()); - io_device_container container{ std::move(device_name), c.win_emu, data }; + io_device_container container{std::move(device_name), c.win_emu, data}; const auto handle = c.proc.devices.store(std::move(container)); file_handle.write(handle); @@ -2884,8 +2914,9 @@ namespace } NTSTATUS handle_NtQueryAttributesFile(const syscall_context& c, - const emulator_object>> object_attributes, - const emulator_object file_information) + const emulator_object>> + object_attributes, + const emulator_object file_information) { if (!object_attributes) { 
@@ -2898,44 +2929,45 @@ namespace return STATUS_INVALID_PARAMETER; } - const auto filename = read_unicode_string(c.emu, emulator_object>>{c.emu, attributes.ObjectName}); + const auto filename = read_unicode_string( + c.emu, emulator_object>>{c.emu, attributes.ObjectName}); const auto u8_filename = u16_to_u8(filename); - struct _stat64 file_stat {}; + struct _stat64 file_stat{}; if (_stat64(u8_filename.c_str(), &file_stat) != 0) { return STATUS_OBJECT_NAME_NOT_FOUND; } file_information.access([&](FILE_BASIC_INFORMATION& info) - { - info.CreationTime = convert_unix_to_windows_time(file_stat.st_atime); - info.LastAccessTime = convert_unix_to_windows_time(file_stat.st_atime); - info.LastWriteTime = convert_unix_to_windows_time(file_stat.st_mtime); - info.ChangeTime = info.LastWriteTime; - info.FileAttributes = FILE_ATTRIBUTE_NORMAL; - }); + { + info.CreationTime = convert_unix_to_windows_time(file_stat.st_atime); + info.LastAccessTime = convert_unix_to_windows_time(file_stat.st_atime); + info.LastWriteTime = convert_unix_to_windows_time(file_stat.st_mtime); + info.ChangeTime = info.LastWriteTime; + info.FileAttributes = FILE_ATTRIBUTE_NORMAL; + }); return STATUS_SUCCESS; } NTSTATUS handle_NtOpenFile(const syscall_context& c, - const emulator_object file_handle, - const ACCESS_MASK desired_access, - const emulator_object>> object_attributes, - const emulator_object>> io_status_block, - const ULONG share_access, - const ULONG open_options) + const emulator_object file_handle, + const ACCESS_MASK desired_access, + const emulator_object>> object_attributes, + const emulator_object>> io_status_block, + const ULONG share_access, + const ULONG open_options) { - return handle_NtCreateFile(c, file_handle, desired_access, object_attributes, io_status_block, { c.emu }, 0, - share_access, FILE_OPEN, open_options, 0, 0); + return handle_NtCreateFile(c, file_handle, desired_access, object_attributes, io_status_block, {c.emu}, 0, + share_access, FILE_OPEN, open_options, 0, 0); } 
NTSTATUS handle_NtQueryObject(const syscall_context&, const handle /*handle*/, - const OBJECT_INFORMATION_CLASS /*object_information_class*/, - const emulator_pointer /*object_information*/, - const ULONG /*object_information_length*/, - const emulator_object /*return_length*/) + const OBJECT_INFORMATION_CLASS /*object_information_class*/, + const emulator_pointer /*object_information*/, + const ULONG /*object_information_length*/, + const emulator_object /*return_length*/) { return STATUS_NOT_SUPPORTED; } @@ -2961,11 +2993,12 @@ namespace } NTSTATUS handle_NtRaiseHardError(const syscall_context& c, const NTSTATUS error_status, - const ULONG /*number_of_parameters*/, - const emulator_object>> /*unicode_string_parameter_mask*/, - const emulator_object /*parameters*/, - const HARDERROR_RESPONSE_OPTION /*valid_response_option*/, - const emulator_object response) + const ULONG /*number_of_parameters*/, + const emulator_object>> + /*unicode_string_parameter_mask*/, + const emulator_object /*parameters*/, + const HARDERROR_RESPONSE_OPTION /*valid_response_option*/, + const emulator_object response) { if (response) { @@ -2980,8 +3013,9 @@ namespace } NTSTATUS handle_NtRaiseException(const syscall_context& c, - const emulator_object>> /*exception_record*/, - const emulator_object thread_context, BOOLEAN handle_exception) + const emulator_object>> + /*exception_record*/, + const emulator_object thread_context, BOOLEAN handle_exception) { if (handle_exception) { @@ -2997,8 +3031,8 @@ namespace } NTSTATUS handle_NtOpenSemaphore(const syscall_context& c, const emulator_object semaphore_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes) + const ACCESS_MASK /*desired_access*/, + const emulator_object>> object_attributes) { if (!object_attributes) { 
@@ -3011,7 +3045,8 @@ namespace return STATUS_INVALID_PARAMETER; } - const auto name = read_unicode_string(c.emu, emulator_object>>{c.emu, attributes.ObjectName}); + const auto name = read_unicode_string( + c.emu, emulator_object>>{c.emu, attributes.ObjectName}); if (name.empty()) { return STATUS_INVALID_PARAMETER; @@ -3030,9 +3065,9 @@ namespace } NTSTATUS handle_NtCreateSemaphore(const syscall_context& c, const emulator_object semaphore_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> object_attributes, - const ULONG initial_count, const ULONG maximum_count) + const ACCESS_MASK /*desired_access*/, + const emulator_object>> object_attributes, + const ULONG initial_count, const ULONG maximum_count) { semaphore s{}; s.current_count = initial_count; @@ -3043,7 +3078,8 @@ namespace const auto attributes = object_attributes.read(); if (attributes.ObjectName) { - s.name = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName)); + s.name = read_unicode_string( + c.emu, reinterpret_cast>*>(attributes.ObjectName)); } } @@ -3065,7 +3101,7 @@ namespace } NTSTATUS handle_NtAddAtomEx(const syscall_context& c, const uint64_t atom_name, const ULONG length, - const emulator_object atom, const ULONG /*flags*/) + const emulator_object atom, const ULONG /*flags*/) { std::wstring name{}; name.resize(length / 2); @@ -3117,7 +3153,7 @@ namespace } NTSTATUS handle_NtUnmapViewOfSection(const syscall_context& c, const handle process_handle, - const uint64_t base_address) + const uint64_t base_address) { if (process_handle != CURRENT_PROCESS) { 
@@ -3141,18 +3177,21 @@ namespace } NTSTATUS handle_NtUnmapViewOfSectionEx(const syscall_context& c, const handle process_handle, - const uint64_t base_address, const ULONG /*flags*/) + const uint64_t base_address, const ULONG /*flags*/) { return handle_NtUnmapViewOfSection(c, process_handle, base_address); } NTSTATUS handle_NtCreateThreadEx(const syscall_context& c, const emulator_object thread_handle, - const ACCESS_MASK /*desired_access*/, - const emulator_object>> /*object_attributes*/, - const handle process_handle, const uint64_t start_routine, - const uint64_t argument, const ULONG /*create_flags*/, const EmulatorTraits::SIZE_T /*zero_bits*/, - const EmulatorTraits::SIZE_T stack_size, const EmulatorTraits::SIZE_T /*maximum_stack_size*/, - const emulator_object>> attribute_list) + const ACCESS_MASK /*desired_access*/, + const emulator_object>> + /*object_attributes*/, + const handle process_handle, const uint64_t start_routine, + const uint64_t argument, const ULONG /*create_flags*/, + const EmulatorTraits::SIZE_T /*zero_bits*/, + const EmulatorTraits::SIZE_T stack_size, + const EmulatorTraits::SIZE_T /*maximum_stack_size*/, + const emulator_object>> attribute_list) { if (process_handle != CURRENT_PROCESS) { 
@@ -3182,23 +3221,23 @@ namespace for (size_t i = 0; i < attribute_count; ++i) { attributes.access([&](const PS_ATTRIBUTE>& attribute) - { - const auto type = attribute.Attribute & ~PS_ATTRIBUTE_THREAD; + { + const auto type = attribute.Attribute & ~PS_ATTRIBUTE_THREAD; - if (type == PsAttributeClientId) - { - const auto client_id = thread->teb->read().ClientId; - write_attribute(c.emu, attribute, client_id); - } - else if (type == PsAttributeTebAddress) - { - write_attribute(c.emu, attribute, thread->teb->ptr()); - } - else - { - printf("Unsupported thread attribute type: %" PRIx64 "\n", type); - } - }, i); + if (type == PsAttributeClientId) + { + const auto client_id = thread->teb->read().ClientId; + write_attribute(c.emu, attribute, client_id); + } + else if (type == PsAttributeTebAddress) + { + write_attribute(c.emu, attribute, thread->teb->ptr()); + } + else + { + printf("Unsupported thread attribute type: %" PRIx64 "\n", type); + } + }, i); } return STATUS_SUCCESS; @@ -3217,8 +3256,8 @@ namespace } NTSTATUS handle_NtWaitForMultipleObjects(const syscall_context& c, const ULONG count, - const emulator_object handles, const WAIT_TYPE wait_type, - const BOOLEAN alertable, const emulator_object timeout) + const emulator_object handles, const WAIT_TYPE wait_type, + const BOOLEAN alertable, const emulator_object timeout) { if (alertable) { @@ -3243,7 +3282,7 @@ namespace if (!is_awaitable_object_type(h)) { c.win_emu.log.print(color::gray, "Unsupported handle type for NtWaitForMultipleObjects: %d!\n", - h.value.type); + h.value.type); return STATUS_NOT_SUPPORTED; } } @@ -3258,8 +3297,8 @@ namespace } NTSTATUS handle_NtWaitForSingleObject(const syscall_context& c, const handle h, - const BOOLEAN alertable, - const emulator_object timeout) + const BOOLEAN alertable, + const emulator_object timeout) { if (alertable) { 
@@ -3269,12 +3308,12 @@ namespace if (!is_awaitable_object_type(h)) { c.win_emu.log.print(color::gray, - "Unsupported handle type for NtWaitForSingleObject: %d!\n", h.value.type); + "Unsupported handle type for NtWaitForSingleObject: %d!\n", h.value.type); return STATUS_NOT_SUPPORTED; } auto& t = c.win_emu.current_thread(); - t.await_objects = { h }; + t.await_objects = {h}; t.await_any = false; if (timeout.value() && !t.await_time.has_value()) @@ -3287,11 +3326,11 @@ namespace } NTSTATUS handle_NtTerminateThread(const syscall_context& c, const handle thread_handle, - const NTSTATUS exit_status) + const NTSTATUS exit_status) { auto* thread = !thread_handle.bits - ? c.proc.active_thread - : c.proc.threads.get(thread_handle); + ? c.proc.active_thread + : c.proc.threads.get(thread_handle); if (!thread) { @@ -3308,7 +3347,7 @@ namespace } NTSTATUS handle_NtDelayExecution(const syscall_context& c, const BOOLEAN alertable, - const emulator_object delay_interval) + const emulator_object delay_interval) { if (alertable) { @@ -3340,7 +3379,7 @@ namespace } NTSTATUS handle_NtAlertThreadByThreadIdEx(const syscall_context& c, const uint64_t thread_id, - const emulator_object>> lock) + const emulator_object>> lock) { if (lock.value()) { @@ -3353,7 +3392,7 @@ namespace } NTSTATUS handle_NtWaitForAlertByThreadId(const syscall_context& c, const uint64_t, - const emulator_object timeout) + const emulator_object timeout) { auto& t = c.win_emu.current_thread(); t.waiting_for_alert = true; @@ -3369,7 +3408,7 @@ namespace } NTSTATUS handle_NtGetCurrentProcessorNumberEx(const syscall_context&, - const emulator_object processor_number) + const emulator_object processor_number) { constexpr PROCESSOR_NUMBER number{}; processor_number.write(number); 
@@ -3377,11 +3416,11 @@ namespace } NTSTATUS handle_NtGetContextThread(const syscall_context& c, handle thread_handle, - const emulator_object thread_context) + const emulator_object thread_context) { const auto* thread = thread_handle == CURRENT_THREAD - ? c.proc.active_thread - : c.proc.threads.get(thread_handle); + ? c.proc.active_thread + : c.proc.threads.get(thread_handle); if (!thread) { @@ -3390,21 +3429,21 @@ namespace c.proc.active_thread->save(c.emu); const auto _ = utils::finally([&] - { - c.proc.active_thread->restore(c.emu); - }); + { + c.proc.active_thread->restore(c.emu); + }); thread->restore(c.emu); thread_context.access([&](CONTEXT64& context) + { + if (context.ContextFlags & CONTEXT_DEBUG_REGISTERS_64) { - if (context.ContextFlags & CONTEXT_DEBUG_REGISTERS_64) - { - c.win_emu.log.print(color::pink, "--> Reading debug registers!\n"); - } + c.win_emu.log.print(color::pink, "--> Reading debug registers!\n"); + } - context_frame::save(c.emu, context); - }); + context_frame::save(c.emu, context); + }); return STATUS_SUCCESS; } diff --git a/src/windows-emulator/windows_emulator.cpp b/src/windows-emulator/windows_emulator.cpp index a3b0ef0f..042b4aa5 100644 --- a/src/windows-emulator/windows_emulator.cpp +++ b/src/windows-emulator/windows_emulator.cpp 
@@ -246,11 +246,13 @@ namespace allocator.make_unicode_string(proc_params.CommandLine, command_line); allocator.make_unicode_string(proc_params.CurrentDirectory.DosPath, current_folder); - allocator.make_unicode_string(proc_params.ImagePathName, canonicalize_path(settings.application).u16string()); + allocator.make_unicode_string(proc_params.ImagePathName, + canonicalize_path(settings.application).u16string()); const auto total_length = allocator.get_next_address() - context.process_params.value(); - proc_params.Length = static_cast(std::max(static_cast(sizeof(proc_params)), total_length)); + proc_params.Length = static_cast(std::max(static_cast(sizeof(proc_params)), + total_length)); proc_params.MaximumLength = proc_params.Length; }); @@ -275,11 +277,13 @@ namespace }); } - using exception_record_map = std::unordered_map>*, emulator_object>>>; + using exception_record_map = std::unordered_map< + const EMU_EXCEPTION_RECORD>*, emulator_object>>>; emulator_object>> save_exception_record(emulator_allocator& allocator, - const EMU_EXCEPTION_RECORD>& record, - exception_record_map& record_mapping) + const EMU_EXCEPTION_RECORD>& record, + exception_record_map& record_mapping) { const auto record_obj = allocator.reserve>>(); record_obj.write(record); @@ -289,7 +293,8 @@ namespace record_mapping.emplace(&record, record_obj); emulator_object>> nested_record_obj{allocator.get_emulator()}; - const auto nested_record = record_mapping.find(reinterpret_cast>*>(record.ExceptionRecord)); + const auto nested_record = record_mapping.find( + reinterpret_cast>*>(record.ExceptionRecord)); if (nested_record != record_mapping.end()) { @@ -297,8 +302,9 @@ namespace } else { - nested_record_obj = save_exception_record(allocator, *reinterpret_cast>*>(record.ExceptionRecord), - record_mapping); + nested_record_obj = save_exception_record( + allocator, *reinterpret_cast>*>(record.ExceptionRecord), + record_mapping); } record_obj.access([&](EMU_EXCEPTION_RECORD>& r) 
@@ -311,7 +317,7 @@ namespace } emulator_object>> save_exception_record(emulator_allocator& allocator, - const EMU_EXCEPTION_RECORD>& record) + const EMU_EXCEPTION_RECORD>& record) { exception_record_map record_mapping{}; return save_exception_record(allocator, record, record_mapping); @@ -359,11 +365,13 @@ namespace uint64_t ss; }; - void dispatch_exception_pointers(x64_emulator& emu, const uint64_t dispatcher, const EMU_EXCEPTION_POINTERS> pointers) + void dispatch_exception_pointers(x64_emulator& emu, const uint64_t dispatcher, + const EMU_EXCEPTION_POINTERS> pointers) { constexpr auto mach_frame_size = 0x40; constexpr auto context_record_size = 0x4F0; - const auto exception_record_size = calculate_exception_record_size(*reinterpret_cast>*>(pointers.ExceptionRecord)); + const auto exception_record_size = calculate_exception_record_size( + *reinterpret_cast>*>(pointers.ExceptionRecord)); const auto combined_size = align_up(exception_record_size + context_record_size, 0x10); assert(combined_size == 0x590); @@ -388,7 +396,8 @@ namespace context_record_obj.write(*reinterpret_cast(pointers.ContextRecord)); emulator_allocator allocator{emu, new_sp + context_record_size, exception_record_size}; - const auto exception_record_obj = save_exception_record(allocator, *reinterpret_cast>*>(pointers.ExceptionRecord)); + const auto exception_record_obj = save_exception_record( + allocator, *reinterpret_cast>*>(pointers.ExceptionRecord)); if (exception_record_obj.value() != allocator.get_base()) { 
@@ -398,11 +407,12 @@ namespace const emulator_object machine_frame_obj{emu, new_sp + combined_size}; machine_frame_obj.access([&](machine_frame& frame) { - frame.rip = reinterpret_cast(pointers.ContextRecord)->Rip; - frame.rsp = reinterpret_cast(pointers.ContextRecord)->Rsp; - frame.ss = reinterpret_cast(pointers.ContextRecord)->SegSs; - frame.cs = reinterpret_cast(pointers.ContextRecord)->SegCs; - frame.eflags = reinterpret_cast(pointers.ContextRecord)->EFlags; + const auto& record = *reinterpret_cast(pointers.ContextRecord); + frame.rip = record.Rip; + frame.rsp = record.Rsp; + frame.ss = record.SegSs; + frame.cs = record.SegCs; + frame.eflags = record.EFlags; }); } @@ -848,16 +858,16 @@ void windows_emulator::on_instruction_execution(uint64_t address) if (export_entry != binary->address_names.end()) { log.print(is_interesting_call ? color::yellow : color::dark_gray, - "Executing function: %s - %s (0x%" PRIx64 ")\n", - binary->name.c_str(), - export_entry->second.c_str(), address); + "Executing function: %s - %s (0x%" PRIx64 ")\n", + binary->name.c_str(), + export_entry->second.c_str(), address); } else if (address == binary->entry_point) { log.print(is_interesting_call ? color::yellow : color::gray, - "Executing entry point: %s (0x%" PRIx64 ")\n", - binary->name.c_str(), - address); + "Executing entry point: %s (0x%" PRIx64 ")\n", + binary->name.c_str(), + address); } } 
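Review bot: The new alias in the machine_frame lambda is named `record`, but within dispatch_exception_pointers that word already denotes the exception record (the `save_exception_record(allocator, *reinterpret_cast<…>(pointers.ExceptionRecord))` call and the `record` parameter of save_exception_record in the preceding hunks), so `record.Rip` reads as if it came from the wrong object; naming it `context` to match `context_record_obj` would avoid that, e.g. `const auto& context = *reinterpret_cast<…>(pointers.ContextRecord);` followed by `frame.rip = context.Rip;`. The same cast of `pointers.ContextRecord` is performed once more above, when `context_record_obj.write(...)` is filled, so if the alias is introduced it could be hoisted to function scope so both sites share one cast rather than repeating it. dispatch_exception_pointers begins outside this hunk.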
@@ -869,7 +879,8 @@ void windows_emulator::on_instruction_execution(uint64_t address) auto& emu = this->emu(); printf( - "Inst: %16" PRIx64 " - RAX: %16" PRIx64 " - RBX: %16" PRIx64 " - RCX: %16" PRIx64 " - RDX: %16" PRIx64 " - R8: %16" PRIx64 " - R9: %16" PRIx64 " - RDI: %16" PRIx64 " - RSI: %16" PRIx64 " - %s\n", + "Inst: %16" PRIx64 " - RAX: %16" PRIx64 " - RBX: %16" PRIx64 " - RCX: %16" PRIx64 " - RDX: %16" PRIx64 + " - R8: %16" PRIx64 " - R9: %16" PRIx64 " - RDI: %16" PRIx64 " - RSI: %16" PRIx64 " - %s\n", address, emu.reg(x64_register::rax), emu.reg(x64_register::rbx), emu.reg(x64_register::rcx), @@ -939,15 +950,17 @@ void windows_emulator::setup_hooks() if (type == memory_violation_type::protection) { - this->log.print(color::gray, "Protection violation: 0x%" PRIx64 " (%zX) - %s at 0x%" PRIx64 " (%s)\n", address, size, - permission.c_str(), ip, - name); + this->log.print(color::gray, "Protection violation: 0x%" PRIx64 " (%zX) - %s at 0x%" PRIx64 " (%s)\n", + address, size, + permission.c_str(), ip, + name); } else if (type == memory_violation_type::unmapped) { - this->log.print(color::gray, "Mapping violation: 0x%" PRIx64 " (%zX) - %s at 0x%" PRIx64 " (%s)\n", address, size, - permission.c_str(), ip, - name); + this->log.print(color::gray, "Mapping violation: 0x%" PRIx64 " (%zX) - %s at 0x%" PRIx64 " (%s)\n", address, + size, + permission.c_str(), ip, + name); } if (this->fuzzing)