From 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 Mon Sep 17 00:00:00 2001
From: tumagonx
Date: Tue, 8 Aug 2017 10:54:53 +0700
Subject: initial commit
---
 sysinfo.h | 190 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 190 insertions(+)
 create mode 100644 sysinfo.h
(limited to 'sysinfo.h')
diff --git a/sysinfo.h b/sysinfo.h
new file mode 100644
index 0000000..60a0a9a
--- /dev/null
+++ b/sysinfo.h
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ * sysinfo.h
+ *
+ * Abstract:
+ *
+ * This module defines various types used by ZwSetSystemInformation() hooking routines.
+ * ZwSetSystemInformation's SystemLoadAndCallImage and SystemLoadImage parameters can be used
+ * to load code into kernel address space.
+ *
+ * Author:
+ *
+ * Eugene Tsyrklevich 01-Mar-2004
+ *
+ * Revision History:
+ *
+ * None.
+ */
+
+
+#ifndef __SYSINFO_H__
+#define __SYSINFO_H__
+
+
+
+/*
+ * ZwSetSystemInformation sets information that affects the operation of the system. [NAR]
+ */
+ // # Query Set
+typedef enum _SYSTEM_INFORMATION_CLASS {
+ SystemBasicInformation, // 0 Y N
+ SystemProcessorInformation, // 1 Y N
+ SystemPerformanceInformation, // 2 Y N
+ SystemTimeOfDayInformation, // 3 Y N
+ SystemNotImplemented1, // 4 Y N // SystemPathInformation
+ SystemProcessesAndThreadsInformation, // 5 Y N
+ SystemCallCounts, // 6 Y N
+ SystemConfigurationInformation, // 7 Y N
+ SystemProcessorTimes, // 8 Y N
+ SystemGlobalFlag, // 9 Y Y
+ SystemNotImplemented2, // 10 Y N // SystemCallTimeInformation
+ SystemModuleInformation, // 11 Y N
+ SystemLockInformation, // 12 Y N
+ SystemNotImplemented3, // 13 Y N // SystemStackTraceInformation
+ SystemNotImplemented4, // 14 Y N // SystemPagedPoolInformation
+ SystemNotImplemented5, // 15 Y N // SystemNonPagedPoolInformation
+ SystemHandleInformation, // 16 Y N
+ SystemObjectInformation, // 17 Y N
+ SystemPagefileInformation, // 18 Y N
+ SystemInstructionEmulationCounts, // 19 Y N
+ SystemInvalidInfoClass1, // 20
+ SystemCacheInformation, // 21 Y Y
+ SystemPoolTagInformation, // 22 Y N
+ SystemProcessorStatistics, // 23 Y N
+ SystemDpcInformation, // 24 Y Y
+ SystemNotImplemented6, // 25 Y N // SystemFullMemoryInformation
+ SystemLoadImage, // 26 N Y // SystemLoadGdiDriverInformation
+ SystemUnloadImage, // 27 N Y
+ SystemTimeAdjustment, // 28 Y Y
+ SystemNotImplemented7, // 29 Y N // SystemSummaryMemoryInformation
+ SystemNotImplemented8, // 30 Y N // SystemNextEventIdInformation
+ SystemNotImplemented9, // 31 Y N // SystemEventIdsInformation
+ SystemCrashDumpInformation, // 32 Y N
+ SystemExceptionInformation, // 33 Y N
+ SystemCrashDumpStateInformation, // 34 Y Y/N
+ SystemKernelDebuggerInformation, // 35 Y N
+ SystemContextSwitchInformation, // 36 Y N
+ SystemRegistryQuotaInformation, // 37 Y Y
+ SystemLoadAndCallImage, // 38 N Y // SystemExtendServiceTableInformation
+ SystemPrioritySeparation, // 39 N Y
+ SystemNotImplemented10, // 40 Y N // SystemPlugPlayBusInformation
+ SystemNotImplemented11, // 41 Y N // SystemDockInformation
+ SystemInvalidInfoClass2, // 42 // SystemPowerInformation
+ SystemInvalidInfoClass3, // 43 // SystemProcessorSpeedInformation
+ SystemTimeZoneInformation, // 44 Y N
+ SystemLookasideInformation, // 45 Y N
+ SystemSetTimeSlipEvent, // 46 N Y
+ SystemCreateSession, // 47 N Y
+ SystemDeleteSession, // 48 N Y
+ SystemInvalidInfoClass4, // 49
+ SystemRangeStartInformation, // 50 Y N
+ SystemVerifierInformation, // 51 Y Y
+ SystemAddVerifier, // 52 N Y
+ SystemSessionProcessesInformation // 53 Y N
+} SYSTEM_INFORMATION_CLASS;
+
+
+/*
+ * Information Class 5
+ */
+
+typedef enum {
+ StateInitialized,
+ StateReady,
+ StateRunning,
+ StateStandby,
+ StateTerminated,
+ StateWait,
+ StateTransition,
+ StateUnknown
+} THREAD_STATE;
+
+typedef struct _SYSTEM_THREADS {
+ LARGE_INTEGER KernelTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER CreateTime;
+ ULONG WaitTime;
+ PVOID StartAddress;
+ CLIENT_ID ClientId;
+ KPRIORITY Priority;
+ KPRIORITY BasePriority;
+ ULONG ContextSwitchCount;
+ THREAD_STATE State;
+ KWAIT_REASON WaitReason;
+} SYSTEM_THREADS, *PSYSTEM_THREADS;
+
+typedef struct _SYSTEM_PROCESSES {
+ ULONG NextEntryDelta;
+ ULONG ThreadCount;
+ ULONG Reserved1[6];
+ LARGE_INTEGER CreateTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER KernelTime;
+ UNICODE_STRING ProcessName;
+ KPRIORITY BasePriority;
+ ULONG ProcessId;
+ ULONG InheritedFromProcessId;
+ ULONG HandleCount;
+ ULONG Reserved2[2];
+ VM_COUNTERS VmCounters;
+ IO_COUNTERS IoCounters; // Windows 2000 only
+ SYSTEM_THREADS Threads[1];
+} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
+
+
+NTSTATUS
+NTAPI
+HookedNtSetSystemInformation(
+ IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ IN OUT PVOID SystemInformation,
+ IN ULONG SystemInformationLength
+ );
+
+
+/*
+ * ZwQuerySystemInformation queries information about the system. [NAR]
+ */
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQuerySystemInformation(
+ IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ IN OUT PVOID SystemInformation,
+ IN ULONG SystemInformationLength,
+ OUT PULONG ReturnLength OPTIONAL
+ );
+
+
+typedef NTSTATUS (*fpZwSetSystemInformation)
+(
+ IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ IN OUT PVOID SystemInformation,
+ IN ULONG SystemInformationLength
+);
+
+
+/*
+ * Information Class 38
+ *
+ * "This information class can only be set. Rather than setting any information (in a narrow
+ * sense of “setting”), it performs the operation of loading a module into the kernel
+ * address space and calling its entry point." [NAR]
+ */
+
+typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
+
+ UNICODE_STRING ModuleName; /* The full path in the native NT format of the module to load. */
+
+} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
+
+
+
+BOOLEAN InitSysInfoHooks();
+
+
+#endif /* __SYSINFO_H__ */
-- 
cgit v1.3
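Review bot: The function-pointer typedef `fpZwSetSystemInformation` near the end of the hunk omits the calling-convention specifier that `ZwQuerySystemInformation` and `HookedNtSetSystemInformation` both carry via `NTAPI`; on 32-bit x86 builds, where NTAPI is stdcall, a call to the original Zw routine through this pointer would use the wrong convention and corrupt the stack, so it should read `typedef NTSTATUS (NTAPI *fpZwSetSystemInformation)`. `BOOLEAN InitSysInfoHooks();` is a non-prototype declaration in C and should be `BOOLEAN InitSysInfoHooks(void);`. The guard macro `__SYSINFO_H__` uses an identifier reserved for the implementation; a name such as `SYSINFO_H` avoids that. Since `HookedNtSetSystemInformation` receives a caller-supplied `SystemInformation` buffer whose layout (for example class 38's `SYSTEM_LOAD_AND_CALL_IMAGE`) depends on `SystemInformationClass`, a comment on its declaration stating that the implementation must check `SystemInformationLength` against the expected structure size before interpreting the buffer would document the contract the hook has to meet; the implementation is not part of this commit, so whether it does so cannot be confirmed here.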