initial commit

author: tumagonx 2017-08-08 10:54:53 +0700
committer: tumagonx 2017-08-08 10:54:53 +0700
commit: 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree: a8bea139ddd26116d44ea182b0b8436f2162e6e3 /sysinfo.h
1 files changed, 190 insertions, 0 deletions
diff --git a/sysinfo.h b/sysinfo.h
new file mode 100644
index 0000000..60a0a9a
--- /dev/null
+++ b/sysinfo.h
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              sysinfo.h
+ *
+ * Abstract:
+ *
+ *              This module defines various types used by ZwSetSystemInformation() hooking routines.
+ *              ZwSetSystemInformation's SystemLoadAndCallImage and SystemLoadImage parameters can be used
+ *              to load code into kernel address space.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 01-Mar-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#ifndef __SYSINFO_H__
+#define __SYSINFO_H__
+/*
+ * ZwSetSystemInformation sets information that affects the operation of the system. [NAR]
+ */
+                                                                                        // # Query Set
+typedef enum _SYSTEM_INFORMATION_CLASS {
+        SystemBasicInformation,                                 // 0    Y       N
+        SystemProcessorInformation,                             // 1    Y       N
+        SystemPerformanceInformation,                   // 2    Y       N
+        SystemTimeOfDayInformation,                             // 3    Y       N
+        SystemNotImplemented1,                                  // 4    Y       N       // SystemPathInformation
+        SystemProcessesAndThreadsInformation,   // 5    Y       N
+        SystemCallCounts,                                               // 6    Y       N
+        SystemConfigurationInformation,                 // 7    Y       N
+        SystemProcessorTimes,                                   // 8    Y       N
+        SystemGlobalFlag,                                               // 9    Y       Y
+        SystemNotImplemented2,                                  // 10   Y       N       // SystemCallTimeInformation
+        SystemModuleInformation,                                // 11   Y       N
+        SystemLockInformation,                                  // 12   Y       N
+        SystemNotImplemented3,                                  // 13   Y       N       // SystemStackTraceInformation
+        SystemNotImplemented4,                                  // 14   Y       N       // SystemPagedPoolInformation
+        SystemNotImplemented5,                                  // 15   Y       N       // SystemNonPagedPoolInformation
+        SystemHandleInformation,                                // 16   Y       N
+        SystemObjectInformation,                                // 17   Y       N
+        SystemPagefileInformation,                              // 18   Y       N
+        SystemInstructionEmulationCounts,               // 19   Y       N
+        SystemInvalidInfoClass1,                                // 20
+        SystemCacheInformation,                                 // 21   Y       Y
+        SystemPoolTagInformation,                               // 22   Y       N
+        SystemProcessorStatistics,                              // 23   Y       N
+        SystemDpcInformation,                                   // 24   Y       Y
+        SystemNotImplemented6,                                  // 25   Y       N       // SystemFullMemoryInformation
+        SystemLoadImage,                                                // 26   N       Y       // SystemLoadGdiDriverInformation
+        SystemUnloadImage,                                              // 27   N       Y
+        SystemTimeAdjustment,                                   // 28   Y       Y
+        SystemNotImplemented7,                                  // 29   Y       N       // SystemSummaryMemoryInformation
+        SystemNotImplemented8,                                  // 30   Y       N       // SystemNextEventIdInformation
+        SystemNotImplemented9,                                  // 31   Y       N       // SystemEventIdsInformation
+        SystemCrashDumpInformation,                             // 32   Y       N
+        SystemExceptionInformation,                             // 33   Y       N
+        SystemCrashDumpStateInformation,                // 34   Y       Y/N
+        SystemKernelDebuggerInformation,                // 35   Y       N
+        SystemContextSwitchInformation,                 // 36   Y       N
+        SystemRegistryQuotaInformation,                 // 37   Y       Y
+        SystemLoadAndCallImage,                                 // 38   N       Y       // SystemExtendServiceTableInformation
+        SystemPrioritySeparation,                               // 39   N       Y
+        SystemNotImplemented10,                                 // 40   Y       N       // SystemPlugPlayBusInformation
+        SystemNotImplemented11,                                 // 41   Y       N       // SystemDockInformation
+        SystemInvalidInfoClass2,                                // 42                   // SystemPowerInformation
+        SystemInvalidInfoClass3,                                // 43                   // SystemProcessorSpeedInformation
+        SystemTimeZoneInformation,                              // 44   Y       N
+        SystemLookasideInformation,                             // 45   Y       N
+        SystemSetTimeSlipEvent,                                 // 46   N       Y
+        SystemCreateSession,                                    // 47   N       Y
+        SystemDeleteSession,                                    // 48   N       Y
+        SystemInvalidInfoClass4,                                // 49
+        SystemRangeStartInformation,                    // 50   Y       N
+        SystemVerifierInformation,                              // 51   Y       Y
+        SystemAddVerifier,                                              // 52   N       Y
+        SystemSessionProcessesInformation               // 53   Y       N
+} SYSTEM_INFORMATION_CLASS;
+/*
+ * Information Class 5
+ */
+typedef enum {
+        StateInitialized,
+        StateReady,
+        StateRunning,
+        StateStandby,
+        StateTerminated,
+        StateWait,
+        StateTransition,
+        StateUnknown
+} THREAD_STATE;
+typedef struct _SYSTEM_THREADS {
+        LARGE_INTEGER KernelTime;
+        LARGE_INTEGER UserTime;
+        LARGE_INTEGER CreateTime;
+        ULONG WaitTime;
+        PVOID StartAddress;
+        CLIENT_ID ClientId;
+        KPRIORITY Priority;
+        KPRIORITY BasePriority;
+        ULONG ContextSwitchCount;
+        THREAD_STATE State;
+        KWAIT_REASON WaitReason;
+} SYSTEM_THREADS, *PSYSTEM_THREADS;
+typedef struct _SYSTEM_PROCESSES {
+        ULONG NextEntryDelta;
+        ULONG ThreadCount;
+        ULONG Reserved1[6];
+        LARGE_INTEGER CreateTime;
+        LARGE_INTEGER UserTime;
+        LARGE_INTEGER KernelTime;
+        UNICODE_STRING ProcessName;
+        KPRIORITY BasePriority;
+        ULONG ProcessId;
+        ULONG InheritedFromProcessId;
+        ULONG HandleCount;
+        ULONG Reserved2[2];
+        VM_COUNTERS VmCounters;
+        IO_COUNTERS IoCounters; // Windows 2000 only
+        SYSTEM_THREADS Threads[1];
+} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
+NTSTATUS
+NTAPI
+HookedNtSetSystemInformation(
+        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+        IN OUT PVOID SystemInformation,
+        IN ULONG SystemInformationLength
+        );
+/*
+ * ZwQuerySystemInformation queries information about the system. [NAR]
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQuerySystemInformation(
+        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+        IN OUT PVOID SystemInformation,
+        IN ULONG SystemInformationLength,
+        OUT PULONG ReturnLength OPTIONAL
+        );
+typedef NTSTATUS (*fpZwSetSystemInformation)
+(
+        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+        IN OUT PVOID SystemInformation,
+        IN ULONG SystemInformationLength
+);
+/*
+ * Information Class 38
+ *
+ * "This information class can only be set. Rather than setting any information (in a narrow
+ * sense of �setting�), it performs the operation of loading a module into the kernel
+ * address space and calling its entry point." [NAR]
+ */
+typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
+        UNICODE_STRING ModuleName;              /* The full path in the native NT format of the module to load. */
+} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
+BOOLEAN InitSysInfoHooks();
+#endif  /* __SYSINFO_H__ */
author	tumagonx	2017-08-08 10:54:53 +0700
committer	tumagonx	2017-08-08 10:54:53 +0700
commit	2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree	a8bea139ddd26116d44ea182b0b8436f2162e6e3 /sysinfo.h

diff --git a/sysinfo.h b/sysinfo.h new file mode 100644 index 0000000..60a0a9a --- /dev/null +++ b/sysinfo.h
@@ -0,0 +1,190 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* sysinfo.h
	7	*
	8	* Abstract:
	9	*
	10	* This module defines various types used by ZwSetSystemInformation() hooking routines.
	11	* ZwSetSystemInformation's SystemLoadAndCallImage and SystemLoadImage parameters can be used
	12	* to load code into kernel address space.
	13	*
	14	* Author:
	15	*
	16	* Eugene Tsyrklevich 01-Mar-2004
	17	*
	18	* Revision History:
	19	*
	20	* None.
	21	*/
	22
	23
	24	#ifndef __SYSINFO_H__
	25	#define __SYSINFO_H__
	26
	27
	28
	29	/*
	30	* ZwSetSystemInformation sets information that affects the operation of the system. [NAR]
	31	*/
	32	// # Query Set
	33	typedef enum _SYSTEM_INFORMATION_CLASS {
	34	SystemBasicInformation, // 0 Y N
	35	SystemProcessorInformation, // 1 Y N
	36	SystemPerformanceInformation, // 2 Y N
	37	SystemTimeOfDayInformation, // 3 Y N
	38	SystemNotImplemented1, // 4 Y N // SystemPathInformation
	39	SystemProcessesAndThreadsInformation, // 5 Y N
	40	SystemCallCounts, // 6 Y N
	41	SystemConfigurationInformation, // 7 Y N
	42	SystemProcessorTimes, // 8 Y N
	43	SystemGlobalFlag, // 9 Y Y
	44	SystemNotImplemented2, // 10 Y N // SystemCallTimeInformation
	45	SystemModuleInformation, // 11 Y N
	46	SystemLockInformation, // 12 Y N
	47	SystemNotImplemented3, // 13 Y N // SystemStackTraceInformation
	48	SystemNotImplemented4, // 14 Y N // SystemPagedPoolInformation
	49	SystemNotImplemented5, // 15 Y N // SystemNonPagedPoolInformation
	50	SystemHandleInformation, // 16 Y N
	51	SystemObjectInformation, // 17 Y N
	52	SystemPagefileInformation, // 18 Y N
	53	SystemInstructionEmulationCounts, // 19 Y N
	54	SystemInvalidInfoClass1, // 20
	55	SystemCacheInformation, // 21 Y Y
	56	SystemPoolTagInformation, // 22 Y N
	57	SystemProcessorStatistics, // 23 Y N
	58	SystemDpcInformation, // 24 Y Y
	59	SystemNotImplemented6, // 25 Y N // SystemFullMemoryInformation
	60	SystemLoadImage, // 26 N Y // SystemLoadGdiDriverInformation
	61	SystemUnloadImage, // 27 N Y
	62	SystemTimeAdjustment, // 28 Y Y
	63	SystemNotImplemented7, // 29 Y N // SystemSummaryMemoryInformation
	64	SystemNotImplemented8, // 30 Y N // SystemNextEventIdInformation
	65	SystemNotImplemented9, // 31 Y N // SystemEventIdsInformation
	66	SystemCrashDumpInformation, // 32 Y N
	67	SystemExceptionInformation, // 33 Y N
	68	SystemCrashDumpStateInformation, // 34 Y Y/N
	69	SystemKernelDebuggerInformation, // 35 Y N
	70	SystemContextSwitchInformation, // 36 Y N
	71	SystemRegistryQuotaInformation, // 37 Y Y
	72	SystemLoadAndCallImage, // 38 N Y // SystemExtendServiceTableInformation
	73	SystemPrioritySeparation, // 39 N Y
	74	SystemNotImplemented10, // 40 Y N // SystemPlugPlayBusInformation
	75	SystemNotImplemented11, // 41 Y N // SystemDockInformation
	76	SystemInvalidInfoClass2, // 42 // SystemPowerInformation
	77	SystemInvalidInfoClass3, // 43 // SystemProcessorSpeedInformation
	78	SystemTimeZoneInformation, // 44 Y N
	79	SystemLookasideInformation, // 45 Y N
	80	SystemSetTimeSlipEvent, // 46 N Y
	81	SystemCreateSession, // 47 N Y
	82	SystemDeleteSession, // 48 N Y
	83	SystemInvalidInfoClass4, // 49
	84	SystemRangeStartInformation, // 50 Y N
	85	SystemVerifierInformation, // 51 Y Y
	86	SystemAddVerifier, // 52 N Y
	87	SystemSessionProcessesInformation // 53 Y N
	88	} SYSTEM_INFORMATION_CLASS;
	89
	90
	91	/*
	92	* Information Class 5
	93	*/
	94
	95	typedef enum {
	96	StateInitialized,
	97	StateReady,
	98	StateRunning,
	99	StateStandby,
	100	StateTerminated,
	101	StateWait,
	102	StateTransition,
	103	StateUnknown
	104	} THREAD_STATE;
	105
	106	typedef struct _SYSTEM_THREADS {
	107	LARGE_INTEGER KernelTime;
	108	LARGE_INTEGER UserTime;
	109	LARGE_INTEGER CreateTime;
	110	ULONG WaitTime;
	111	PVOID StartAddress;
	112	CLIENT_ID ClientId;
	113	KPRIORITY Priority;
	114	KPRIORITY BasePriority;
	115	ULONG ContextSwitchCount;
	116	THREAD_STATE State;
	117	KWAIT_REASON WaitReason;
	118	} SYSTEM_THREADS, *PSYSTEM_THREADS;
	119
	120	typedef struct _SYSTEM_PROCESSES {
	121	ULONG NextEntryDelta;
	122	ULONG ThreadCount;
	123	ULONG Reserved1[6];
	124	LARGE_INTEGER CreateTime;
	125	LARGE_INTEGER UserTime;
	126	LARGE_INTEGER KernelTime;
	127	UNICODE_STRING ProcessName;
	128	KPRIORITY BasePriority;
	129	ULONG ProcessId;
	130	ULONG InheritedFromProcessId;
	131	ULONG HandleCount;
	132	ULONG Reserved2[2];
	133	VM_COUNTERS VmCounters;
	134	IO_COUNTERS IoCounters; // Windows 2000 only
	135	SYSTEM_THREADS Threads[1];
	136	} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
	137
	138
	139	NTSTATUS
	140	NTAPI
	141	HookedNtSetSystemInformation(
	142	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
	143	IN OUT PVOID SystemInformation,
	144	IN ULONG SystemInformationLength
	145	);
	146
	147
	148	/*
	149	* ZwQuerySystemInformation queries information about the system. [NAR]
	150	*/
	151
	152	NTSYSAPI
	153	NTSTATUS
	154	NTAPI
	155	ZwQuerySystemInformation(
	156	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
	157	IN OUT PVOID SystemInformation,
	158	IN ULONG SystemInformationLength,
	159	OUT PULONG ReturnLength OPTIONAL
	160	);
	161
	162
	163	typedef NTSTATUS (*fpZwSetSystemInformation)
	164	(
	165	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
	166	IN OUT PVOID SystemInformation,
	167	IN ULONG SystemInformationLength
	168	);
	169
	170
	171	/*
	172	* Information Class 38
	173	*
	174	* "This information class can only be set. Rather than setting any information (in a narrow
	175	* sense of �setting�), it performs the operation of loading a module into the kernel
	176	* address space and calling its entry point." [NAR]
	177	*/
	178
	179	typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
	180
	181	UNICODE_STRING ModuleName; /* The full path in the native NT format of the module to load. */
	182
	183	} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
	184
	185
	186
	187	BOOLEAN InitSysInfoHooks();
	188
	189
	190	#endif /* __SYSINFO_H__ */