1 files changed, 215 insertions, 0 deletions
diff --git a/process.h b/process.h
new file mode 100644
index 0000000..7bf4f08
--- /dev/null
+++ b/process.h
@@ -0,0 +1,215 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              process.h
+ *
+ * Abstract:
+ *
+ *              This module defines various types used by process and thread hooking routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 23-Feb-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#ifndef __PROCESS_H__
+#define __PROCESS_H__
+extern ULONG                    SystemProcessId;
+extern WCHAR                    OzoneInstallPath[];
+extern USHORT                   OzoneInstallPathSize;
+/*
+ * ZwCreateProcess creates a process object. [NAR]
+ */
+typedef NTSTATUS (*fpZwCreateProcess) (
+        OUT PHANDLE ProcessHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN HANDLE InheritFromProcessHandle,
+        IN BOOLEAN InheritHandles,
+        IN HANDLE SectionHandle OPTIONAL,
+        IN HANDLE DebugPort OPTIONAL,
+        IN HANDLE ExceptionPort OPTIONAL
+        );
+NTSTATUS
+NTAPI
+HookedNtCreateProcess(
+        OUT PHANDLE ProcessHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN HANDLE InheritFromProcessHandle,
+        IN BOOLEAN InheritHandles,
+        IN HANDLE SectionHandle OPTIONAL,
+        IN HANDLE DebugPort OPTIONAL,
+        IN HANDLE ExceptionPort OPTIONAL
+        );
+typedef NTSTATUS (*fpZwCreateProcessEx) (
+        OUT PHANDLE ProcessHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN HANDLE InheritFromProcessHandle,
+        IN ULONG Unknown1,
+        IN HANDLE SectionHandle OPTIONAL,
+        IN HANDLE DebugPort OPTIONAL,
+        IN HANDLE ExceptionPort OPTIONAL,
+        IN ULONG Unknown2
+        );
+NTSTATUS
+NTAPI
+HookedNtCreateProcessEx(
+        OUT PHANDLE ProcessHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN HANDLE InheritFromProcessHandle,
+        IN ULONG Unknown1,
+        IN HANDLE SectionHandle OPTIONAL,
+        IN HANDLE DebugPort OPTIONAL,
+        IN HANDLE ExceptionPort OPTIONAL,
+        IN ULONG Unknown2
+        );
+/*
+ * ZwOpenProcess opens a process object. [NAR]
+ */
+typedef NTSTATUS (*fpZwOpenProcess) (
+        OUT PHANDLE ProcessHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN PCLIENT_ID ClientId OPTIONAL
+        );
+NTSTATUS
+NTAPI
+HookedNtOpenProcess(
+        OUT PHANDLE ProcessHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN PCLIENT_ID ClientId OPTIONAL
+        );
+/*
+ * ZwCreateThread creates a thread in a process. [NAR]
+ */
+typedef struct _USER_STACK {
+        PVOID FixedStackBase;
+        PVOID FixedStackLimit;
+        PVOID ExpandableStackBase;
+        PVOID ExpandableStackLimit;
+        PVOID ExpandableStackBottom;
+} USER_STACK, *PUSER_STACK;
+typedef NTSTATUS (*fpZwCreateThread) (
+        OUT PHANDLE ThreadHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN HANDLE ProcessHandle,
+        OUT PCLIENT_ID ClientId,
+        IN PCONTEXT ThreadContext,
+        IN PUSER_STACK UserStack,
+        IN BOOLEAN CreateSuspended
+        );
+NTSTATUS
+NTAPI
+HookedNtCreateThread(
+        OUT PHANDLE ThreadHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN HANDLE ProcessHandle,
+        OUT PCLIENT_ID ClientId,
+        IN PCONTEXT ThreadContext,
+        IN PUSER_STACK UserStack,
+        IN BOOLEAN CreateSuspended
+        );
+/*
+ * ZwOpenThread opens a thread object. [NAR]
+ */
+typedef NTSTATUS (*fpZwOpenThread) (
+        OUT PHANDLE ThreadHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN PCLIENT_ID ClientId
+        );
+NTSTATUS
+NTAPI
+HookedNtOpenThread(
+        OUT PHANDLE ThreadHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN PCLIENT_ID ClientId
+        );
+/*
+ * ZwAllocateVirtualMemory allocates virtual memory in the user mode address range. [NAR]
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwAllocateVirtualMemory(
+        IN HANDLE ProcessHandle,
+        IN OUT PVOID *BaseAddress,
+        IN ULONG ZeroBits,
+        IN OUT PULONG AllocationSize,
+        IN ULONG AllocationType,
+        IN ULONG Protect
+        );
+/*
+ * ZwQueryInformationProcess retrieves information about a process object. [NAR]
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryInformationProcess(
+        IN HANDLE ProcessHandle,
+        IN PROCESSINFOCLASS ProcessInformationClass,
+        OUT PVOID ProcessInformation,
+        IN ULONG ProcessInformationLength,
+        OUT PULONG ReturnLength OPTIONAL
+        );
+VOID
+KeAttachProcess(
+    IN /*PRKPROCESS*/ PVOID Process
+    );
+VOID
+KeDetachProcess (
+    VOID
+    );
+BOOLEAN InitProcessEntries();
+VOID    RemoveProcessEntries();
+VOID    ProcessPostBootup();
+#endif  /* __PROCESS_H__ */
+\ No newline at end of file

diff --git a/process.h b/process.h new file mode 100644 index 0000000..7bf4f08 --- /dev/null +++ b/process.h
@@ -0,0 +1,215 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* process.h
	7	*
	8	* Abstract:
	9	*
	10	* This module defines various types used by process and thread hooking routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 23-Feb-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21	#ifndef __PROCESS_H__
	22	#define __PROCESS_H__
	23
	24
	25	extern ULONG SystemProcessId;
	26
	27	extern WCHAR OzoneInstallPath[];
	28	extern USHORT OzoneInstallPathSize;
	29
	30
	31	/*
	32	* ZwCreateProcess creates a process object. [NAR]
	33	*/
	34
	35	typedef NTSTATUS (*fpZwCreateProcess) (
	36	OUT PHANDLE ProcessHandle,
	37	IN ACCESS_MASK DesiredAccess,
	38	IN POBJECT_ATTRIBUTES ObjectAttributes,
	39	IN HANDLE InheritFromProcessHandle,
	40	IN BOOLEAN InheritHandles,
	41	IN HANDLE SectionHandle OPTIONAL,
	42	IN HANDLE DebugPort OPTIONAL,
	43	IN HANDLE ExceptionPort OPTIONAL
	44	);
	45
	46	NTSTATUS
	47	NTAPI
	48	HookedNtCreateProcess(
	49	OUT PHANDLE ProcessHandle,
	50	IN ACCESS_MASK DesiredAccess,
	51	IN POBJECT_ATTRIBUTES ObjectAttributes,
	52	IN HANDLE InheritFromProcessHandle,
	53	IN BOOLEAN InheritHandles,
	54	IN HANDLE SectionHandle OPTIONAL,
	55	IN HANDLE DebugPort OPTIONAL,
	56	IN HANDLE ExceptionPort OPTIONAL
	57	);
	58
	59
	60	typedef NTSTATUS (*fpZwCreateProcessEx) (
	61	OUT PHANDLE ProcessHandle,
	62	IN ACCESS_MASK DesiredAccess,
	63	IN POBJECT_ATTRIBUTES ObjectAttributes,
	64	IN HANDLE InheritFromProcessHandle,
	65	IN ULONG Unknown1,
	66	IN HANDLE SectionHandle OPTIONAL,
	67	IN HANDLE DebugPort OPTIONAL,
	68	IN HANDLE ExceptionPort OPTIONAL,
	69	IN ULONG Unknown2
	70	);
	71
	72	NTSTATUS
	73	NTAPI
	74	HookedNtCreateProcessEx(
	75	OUT PHANDLE ProcessHandle,
	76	IN ACCESS_MASK DesiredAccess,
	77	IN POBJECT_ATTRIBUTES ObjectAttributes,
	78	IN HANDLE InheritFromProcessHandle,
	79	IN ULONG Unknown1,
	80	IN HANDLE SectionHandle OPTIONAL,
	81	IN HANDLE DebugPort OPTIONAL,
	82	IN HANDLE ExceptionPort OPTIONAL,
	83	IN ULONG Unknown2
	84	);
	85
	86
	87	/*
	88	* ZwOpenProcess opens a process object. [NAR]
	89	*/
	90
	91	typedef NTSTATUS (*fpZwOpenProcess) (
	92	OUT PHANDLE ProcessHandle,
	93	IN ACCESS_MASK DesiredAccess,
	94	IN POBJECT_ATTRIBUTES ObjectAttributes,
	95	IN PCLIENT_ID ClientId OPTIONAL
	96	);
	97
	98	NTSTATUS
	99	NTAPI
	100	HookedNtOpenProcess(
	101	OUT PHANDLE ProcessHandle,
	102	IN ACCESS_MASK DesiredAccess,
	103	IN POBJECT_ATTRIBUTES ObjectAttributes,
	104	IN PCLIENT_ID ClientId OPTIONAL
	105	);
	106
	107
	108	/*
	109	* ZwCreateThread creates a thread in a process. [NAR]
	110	*/
	111
	112	typedef struct _USER_STACK {
	113	PVOID FixedStackBase;
	114	PVOID FixedStackLimit;
	115	PVOID ExpandableStackBase;
	116	PVOID ExpandableStackLimit;
	117	PVOID ExpandableStackBottom;
	118	} USER_STACK, *PUSER_STACK;
	119
	120	typedef NTSTATUS (*fpZwCreateThread) (
	121	OUT PHANDLE ThreadHandle,
	122	IN ACCESS_MASK DesiredAccess,
	123	IN POBJECT_ATTRIBUTES ObjectAttributes,
	124	IN HANDLE ProcessHandle,
	125	OUT PCLIENT_ID ClientId,
	126	IN PCONTEXT ThreadContext,
	127	IN PUSER_STACK UserStack,
	128	IN BOOLEAN CreateSuspended
	129	);
	130
	131	NTSTATUS
	132	NTAPI
	133	HookedNtCreateThread(
	134	OUT PHANDLE ThreadHandle,
	135	IN ACCESS_MASK DesiredAccess,
	136	IN POBJECT_ATTRIBUTES ObjectAttributes,
	137	IN HANDLE ProcessHandle,
	138	OUT PCLIENT_ID ClientId,
	139	IN PCONTEXT ThreadContext,
	140	IN PUSER_STACK UserStack,
	141	IN BOOLEAN CreateSuspended
	142	);
	143
	144
	145	/*
	146	* ZwOpenThread opens a thread object. [NAR]
	147	*/
	148
	149	typedef NTSTATUS (*fpZwOpenThread) (
	150	OUT PHANDLE ThreadHandle,
	151	IN ACCESS_MASK DesiredAccess,
	152	IN POBJECT_ATTRIBUTES ObjectAttributes,
	153	IN PCLIENT_ID ClientId
	154	);
	155
	156	NTSTATUS
	157	NTAPI
	158	HookedNtOpenThread(
	159	OUT PHANDLE ThreadHandle,
	160	IN ACCESS_MASK DesiredAccess,
	161	IN POBJECT_ATTRIBUTES ObjectAttributes,
	162	IN PCLIENT_ID ClientId
	163	);
	164
	165
	166	/*
	167	* ZwAllocateVirtualMemory allocates virtual memory in the user mode address range. [NAR]
	168	*/
	169
	170	NTSYSAPI
	171	NTSTATUS
	172	NTAPI
	173	ZwAllocateVirtualMemory(
	174	IN HANDLE ProcessHandle,
	175	IN OUT PVOID *BaseAddress,
	176	IN ULONG ZeroBits,
	177	IN OUT PULONG AllocationSize,
	178	IN ULONG AllocationType,
	179	IN ULONG Protect
	180	);
	181
	182
	183	/*
	184	* ZwQueryInformationProcess retrieves information about a process object. [NAR]
	185	*/
	186
	187	NTSYSAPI
	188	NTSTATUS
	189	NTAPI
	190	ZwQueryInformationProcess(
	191	IN HANDLE ProcessHandle,
	192	IN PROCESSINFOCLASS ProcessInformationClass,
	193	OUT PVOID ProcessInformation,
	194	IN ULONG ProcessInformationLength,
	195	OUT PULONG ReturnLength OPTIONAL
	196	);
	197
	198
	199	VOID
	200	KeAttachProcess(
	201	IN /PRKPROCESS/ PVOID Process
	202	);
	203
	204	VOID
	205	KeDetachProcess (
	206	VOID
	207	);
	208
	209
	210	BOOLEAN InitProcessEntries();
	211	VOID RemoveProcessEntries();
	212	VOID ProcessPostBootup();
	213
	214
	215	#endif /* __PROCESS_H__ */ \ No newline at end of file