MmpGlobalData.h
#pragma once
// BaseAddressIndex.cpp
// State kept for the module base-address index. The field names mirror ntdll
// loader internals; how each pointer is located is not visible in this header.
typedef struct _MMP_BASE_ADDRESS_INDEX_DATA {
// Pointer to a red-black tree; presumably ntdll's LdrpModuleBaseAddressIndex -- confirm in BaseAddressIndex.cpp.
PRTL_RB_TREE LdrpModuleBaseAddressIndex;
// Loader data-table entry; by its name, the entry that describes ntdll itself.
PLDR_DATA_TABLE_ENTRY NtdllLdrEntry;
// Untyped pointers named after RtlRbInsertNodeEx / RtlRbRemoveNode.
// NOTE(review): being PVOID, they must be cast at the call site, so the compiler
// cannot check the signature; verify they are tested for NULL before being called.
PVOID _RtlRbInsertNodeEx;
PVOID _RtlRbRemoveNode;
}MMP_BASE_ADDRESS_INDEX_DATA, * PMMP_BASE_ADDRESS_INDEX_DATA;
// InvertedFunctionTable.cpp
// State kept for the inverted function table handling.
typedef struct _MMP_INVERTED_FUNCTION_TABLE_DATA {
// Untyped pointer; presumably the address of ntdll's LdrpInvertedFunctionTable -- confirm
// in InvertedFunctionTable.cpp. The table layout is not described in this header.
PVOID LdrpInvertedFunctionTable;
}MMP_INVERTED_FUNCTION_TABLE_DATA, * PMMP_INVERTED_FUNCTION_TABLE_DATA;
// LdrEntry.cpp
// State kept for loader-entry bookkeeping.
typedef struct _MMP_LDR_ENTRY_DATA {
// Pointer to a LIST_ENTRY; presumably the first bucket of ntdll's LdrpHashTable -- confirm
// in LdrEntry.cpp. The number of buckets is not recorded here.
PLIST_ENTRY LdrpHashTable;
}MMP_LDR_ENTRY_DATA, * PMMP_LDR_ENTRY_DATA;
// MmpTls.cpp
// State kept for thread-local-storage handling: two lists, a bitmap, two locks,
// a thread counter and the saved entry points of three hooked routines.
typedef struct _MMP_TLS_DATA {
// List head embedded by value.
LIST_ENTRY MmpTlsList;
// Bitmap; presumably tracks allocated TLS indexes -- confirm in MmpTls.cpp.
RTL_BITMAP MmpTlsBitmap;
// By its name, the lock for MmpTlsList. NOTE(review): which lock guards which
// field is not stated in this header; confirm against MmpTls.cpp.
SRWLOCK MmpTlsListLock;
CRITICAL_SECTION MmpTlspLock;
// Second list head embedded by value.
LIST_ENTRY MmpThreadLocalStoragePointer;
// NOTE(review): plain DWORD, not an atomic type; confirm updates happen under
// one of the locks above or through Interlocked* calls.
DWORD MmpActiveThreadCount;
// Pointers typed after NtSetInformationProcess, LdrShutdownThread and
// RtlUserThreadStart; the "Origin" prefix suggests they hold the original
// routines so a hook can forward to them -- confirm in MmpTls.cpp.
// NOTE(review): these are indirect-call targets held in writable data; anything
// able to overwrite this block can redirect those calls.
struct {
// Two pointer-sized reserved slots; their use is not visible in this header.
PVOID HookReserved1;
PVOID HookReserved2;
decltype(&NtSetInformationProcess) OriginNtSetInformationProcess;
decltype(&LdrShutdownThread) OriginLdrShutdownThread;
decltype(&RtlUserThreadStart) OriginRtlUserThreadStart;
}Hooks;
}MMP_TLS_DATA, * PMMP_TLS_DATA;
// MmpDotNet.cpp
// State kept for the .NET support code: a timestamp, a locked list of "fake"
// handles, two status flags and the saved entry points of hooked file APIs.
typedef struct _MMP_DOT_NET_DATA {
// A single FILETIME; presumably the timestamp reported for in-memory assemblies -- confirm in MmpDotNet.cpp.
FILETIME AssemblyTimes;
// By its name, the lock for MmpFakeHandleListHead.
CRITICAL_SECTION MmpFakeHandleListLock;
// List head embedded by value; the entry type is not visible in this header.
LIST_ENTRY MmpFakeHandleListHead;
// Status flags; the exact transitions are defined in MmpDotNet.cpp, not here.
BOOLEAN PreHooked;
BOOLEAN Initialized;
// Pointers typed after the Win32 file and mapping APIs they are named for; the
// "Origin" prefix suggests they hold the original routines so a hook can forward
// to them -- confirm in MmpDotNet.cpp.
// NOTE(review): interception of these APIs affects every caller in the process;
// verify the hooks pass through unchanged any handle that is not on the fake-handle list.
struct {
decltype(&CreateFileW) OriginCreateFileW;
decltype(&GetFileInformationByHandle) OriginGetFileInformationByHandle;
decltype(&GetFileAttributesExW) OriginGetFileAttributesExW;
decltype(&GetFileSize) OriginGetFileSize;
decltype(&GetFileSizeEx) OriginGetFileSizeEx;
decltype(&CreateFileMappingW) OriginCreateFileMappingW;
decltype(&MapViewOfFileEx) OriginMapViewOfFileEx;
decltype(&MapViewOfFile) OriginMapViewOfFile;
decltype(&UnmapViewOfFile)OriginUnmapViewOfFile;
decltype(&CloseHandle)OriginCloseHandle;
// GetFileVersion_T is declared elsewhere in the project; which two routines
// these slots correspond to is not visible in this header.
GetFileVersion_T OriginGetFileVersion1;
GetFileVersion_T OriginGetFileVersion2;
}Hooks;
}MMP_DOT_NET_DATA, * PMMP_DOT_NET_DATA;
// Table of pointers to five of the library's own routines, each typed with
// decltype of the routine it is named after.
// NOTE(review): presumably filled once at initialisation so code reaching the
// global data can call the owning copy of the library -- confirm at the
// initialisation site. These are indirect-call targets held in writable data.
typedef struct _MMP_FUNCTIONS {
decltype(&LdrLoadDllMemoryExW) _LdrLoadDllMemoryExW;
decltype(&LdrUnloadDllMemory) _LdrUnloadDllMemory;
decltype(&LdrUnloadDllMemoryAndExitThread) _LdrUnloadDllMemoryAndExitThread;
decltype(&MmpHandleTlsData) _MmpHandleTlsData;
decltype(&MmpReleaseTlsEntry) _MmpReleaseTlsEntry;
}MMP_FUNCTIONS, * PMMP_FUNCTIONS;
// ImportTable.cpp
// State kept for import-table resolution. All three members are embedded by
// value, so sizeof(MMP_IAT_DATA) is larger than the size of a pointer to it.
typedef struct _MMP_IAT_DATA {
// List head embedded by value.
LIST_ENTRY MmpIatResolverList;
// By its name, the lock for MmpIatResolverList.
CRITICAL_SECTION MmpIatResolverListLock;
// MM_IAT_RESOLVER is declared elsewhere; presumably the built-in first resolver -- confirm in ImportTable.cpp.
MM_IAT_RESOLVER MmpIatResolverHead;
}MMP_IAT_DATA, * PMMP_IAT_DATA;
// Scoped enumeration of Windows releases, stored in one BYTE. The enumerators
// take consecutive values in declaration order, starting at 0 for `null`.
typedef enum class _WINDOWS_VERSION :BYTE {
// First value (0); presumably "not determined yet" -- confirm at the detection site.
null,
xp,
vista,
win7,
win8,
// Presumably Windows 8.1 ("Blue") -- confirm at the detection site.
winBlue,
win10,
// NOTE(review): the build ranges that win10_1 and win10_2 stand for are not
// stated in this header; confirm at the detection site.
win10_1,
win10_2,
win11,
// Last value; presumably marks an unsupported or unrecognised release -- confirm.
invalid
}WINDOWS_VERSION;
// Library version encoding. Bit 15 (0x8000) of the minor version is the
// "preview" flag; the remaining bits carry the minor number itself.

// Sets the preview flag on a minor version number.
#define MEMORY_MODULE_MAKE_PREVIEW(MinorVersion) ((MinorVersion) | 0x8000)
// Non-zero (1) when the preview flag is set, 0 otherwise.
#define MEMORY_MODULE_IS_PREVIEW(MinorVersion) (((MinorVersion) & 0x8000) != 0)
// Clears the preview flag and leaves all other bits as they are.
#define MEMORY_MODULE_GET_MINOR_VERSION(MinorVersion) ((MinorVersion) & ~0x8000)

// Version of this header: major 2, minor 2 with the preview flag set.
#define MEMORY_MODULE_MAJOR_VERSION 2
#define MEMORY_MODULE_MINOR_VERSION MEMORY_MODULE_MAKE_PREVIEW(2)
// Root of the library's global state: version and platform information followed
// by one pointer per sub-structure declared above in this header.
typedef struct _MMP_GLOBAL_DATA {
// Library version; MinorVersion uses bit 15 as the preview flag (see the
// MEMORY_MODULE_*_VERSION macros). NOTE(review): presumably compared when an
// existing block is found -- confirm at the initialisation site.
WORD MajorVersion;
WORD MinorVersion;
// Feature bit mask; the individual bits are defined outside this header.
DWORD MmpFeatures;
// Operating-system version as three DWORDs.
struct {
DWORD MajorVersion;
DWORD MinorVersion;
DWORD BuildNumber;
}NtVersions;
// The same release expressed as a WINDOWS_VERSION enumerator.
WINDOWS_VERSION WindowsVersion;
// Size of a loader data-table entry; presumably the size for the detected
// Windows release -- confirm at the initialisation site.
WORD LdrDataTableEntrySize;
SYSTEM_INFO SystemInfo;
// Pointers to the per-feature state blocks. NOTE(review): MMP_GLOBAL_DATA_SIZE
// sums the size of this structure and of each block, which suggests they share
// one allocation with this header -- confirm at the allocation site.
PMMP_BASE_ADDRESS_INDEX_DATA MmpBaseAddressIndex;
PMMP_INVERTED_FUNCTION_TABLE_DATA MmpInvertedFunctionTable;
PMMP_LDR_ENTRY_DATA MmpLdrEntry;
PMMP_TLS_DATA MmpTls;
PMMP_DOT_NET_DATA MmpDotNet;
// Untyped address; what it is the base of is not stated in this header.
PVOID BaseAddress;
PMMP_FUNCTIONS MmpFunctions;
PMMP_IAT_DATA MmpIat;
// NOTE(review): plain DWORD, not an atomic type; confirm it is only changed
// with Interlocked* calls or under a lock.
DWORD ReferenceCount;
}MMP_GLOBAL_DATA, * PMMP_GLOBAL_DATA;
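/*
 * Number of bytes needed for the MMP_GLOBAL_DATA header plus one instance of
 * each sub-structure it points at.
 *
 * Every term is the size of a structure, never of its pointer typedef:
 * sizeof(PMMP_IAT_DATA) would count only a pointer, while MMP_IAT_DATA embeds a
 * LIST_ENTRY, a CRITICAL_SECTION and an MM_IAT_RESOLVER by value, so a buffer
 * sized that way is too small to hold a trailing MMP_IAT_DATA.
 *
 * NOTE(review): the allocation site is not in this header; confirm that it
 * sizes the block with this macro and that nothing relies on the smaller value.
 */
#define MMP_GLOBAL_DATA_SIZE (\
sizeof(MMP_GLOBAL_DATA) + \
sizeof(MMP_BASE_ADDRESS_INDEX_DATA) + \
sizeof(MMP_INVERTED_FUNCTION_TABLE_DATA) + \
sizeof(MMP_LDR_ENTRY_DATA) + \
sizeof(MMP_TLS_DATA) + \
sizeof(MMP_DOT_NET_DATA) + \
sizeof(MMP_FUNCTIONS) + \
sizeof(MMP_IAT_DATA)\
)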
// Pointer to the global state block. This header only declares it; the
// definition and the code that assigns it live in another translation unit.
// NOTE(review): presumably NULL until initialisation has run -- confirm, and
// check that callers test it before dereferencing.
extern PMMP_GLOBAL_DATA MmpGlobalDataPtr;