//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// KLoader project Version 2.9.2
//
// module: kloader.h
// $Revision: 80 $
// $Date: 2012-07-11 18:01:22 +0400 (Ср, 11 июл 2012) $
// description:
// Kernel-mode loader for user DLL images.
#pragma once
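// Function-pointer types for the routines the loader resolves and calls.
// Argument names are documentation only: a parameter name inside a typedef
// is not part of the type, so renaming one does not affect callers.
//
// The first three shapes correspond to the PROCESS_IMPORT slots declared
// below (pLdrLoadDll, pLdrGetProcedureAddress, p{Nt,Zw}ProtectVirtualMemory);
// the remaining ones match DllMain / CreateProcessW / CreateThread-style
// signatures by their parameter lists. NOTE(review): the mapping to the
// concrete ntdll/kernel32 exports is inferred from the names in this
// header — confirm against the code that fills PROCESS_IMPORT.
typedef NTSTATUS (_stdcall* FUNC_LOAD_LIBRARY) (PWCHAR PathToFile, ULONG Flags, PUNICODE_STRING ModuleFileName, PHANDLE ModuleHandle);
// Ordinal was previously spelled "Oridinal"; fixed for readability only.
typedef NTSTATUS (_stdcall* FUNC_PROC_ADDRESS) (PVOID ModuleHandle, PANSI_STRING FunctionName, WORD Ordinal, PVOID* FunctionAddress);
// ProtectSize is in/out (ULONG_PTR*), OldProtect receives the previous
// protection — the caller is responsible for restoring it.
typedef NTSTATUS (_stdcall* FUNC_PROTECT_MEM) (HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR* ProtectSize, ULONG NewProtect, PULONG OldProtect);
typedef ULONG (_stdcall* FUNC_DLL_MAIN) (PVOID hinstDLL, DWORD fdwReason, PVOID lpvReserved);
typedef BOOL (_stdcall* FUNC_CREATE_PROCESS)(PWSTR lpApplicationName, PWSTR lpCommandLine, PVOID lpProcessAttributes,
PVOID lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, PVOID lpEnvironment,
PWSTR lpCurrentDirectory, PSTARTUPINFOW lpStartupInfo, PPROCESS_INFORMATION lpProcessInformation);
// Generic single-context entry point.
typedef ULONG (_stdcall* FUNC_APP_ENTRY) (PVOID Context);
// Shape of a kernel object-type close callback (takes PEPROCESS plus the
// object and its handle counts); what it is attached to is not visible here.
typedef VOID (_stdcall* FUNC_IOP_CLOSE_FILE)(PEPROCESS Process, PVOID Object, ULONG GrantedAccess, ULONG_PTR ProcessHandleCount, ULONG_PTR SystemHandleCount);
typedef HANDLE (_stdcall* FUNC_CREATE_THREAD)(PVOID lpThreadAttributes, SIZE_T dwStackSize, PVOID lpStartAddress,
PVOID lpParameter, DWORD dwCreationFlags, PULONG lpThreadId);
// Three-pointer signature, the same shape as LoadDllApcStub declared below.
typedef VOID (_stdcall* EXPORTED_FUNCTION)(PVOID Param0, PVOID Param1, PVOID Param2);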
// Module description structure: one descriptor per module that the loader
// is configured to inject. Allocated by AllocateInjectDescriptor() and
// linked in by InsertInjectDescriptor() (declared below).
typedef struct _INJECT_DESCRIPTOR
{
#if _DBG
// Debug-only sanity value; ASSERT_INJECT_DESCRIPTOR() checks it against
// INJECT_DESCRIPTOR_MAGIC.
ULONG Magic;
#endif
// Links for two intrusive lists; by their names, a global inject list and
// a per-process list — the list heads are not declared in this header.
LIST_ENTRY InjectListEntry;
LIST_ENTRY ProcessListEntry;
// Path to the module and/or an in-memory copy of its image. Which one is
// populated presumably depends on Flags (INJECT_SPECIFIED_MODULE /
// INJECT_KERNEL_LOADED) — confirm in the allocation code.
PUNICODE_STRING InjectModulePath;
PVOID InjectModuleBuffer;
PVOID NtdllBase;
// INJECT_* bits (see "Inject descriptor flags" below).
ULONG Flags;
// Hash of the target process name; the same value KldrRemoveInject() takes
// as ProcessNameHash. Hash function is defined outside this header.
ULONG TargetProcessHash;
ULONG InjectModuleId;
// Modified with interlocked operations, presumably (volatile alone is not
// a synchronization primitive) — verify at the use sites.
LONG volatile ReferenceCount;
// NOTE(review): ATTACH_COUNT_MAX is defined as (ULONG)-1 while this field is
// LONG; comparisons between them promote to unsigned — confirm intended.
LONG volatile AttachCount;
} INJECT_DESCRIPTOR, *PINJECT_DESCRIPTOR;
// Fixed sizes of the two byte buffers embedded in LOADER_CONTEXT below.
// Any code copying into LoaderStub / ExportStub must bound the copy by
// these values.
#define LOADER_STUB_MAX 0x800 // bytes
#define LOADER_PATH_MAX 0x200 // bytes
// Resolved addresses of user-mode routines in a target process. Stored as
// ULONGLONG rather than PVOID so the layout is identical for 32-bit (WOW64)
// and 64-bit targets; consumers must truncate/extend as appropriate.
// Field names indicate the intended export; see the FUNC_* typedefs above.
typedef struct _PROCESS_IMPORT
{
ULONGLONG pLdrLoadDll;
ULONGLONG pLdrGetProcedureAddress;
// Both the Nt and Zw spellings are kept; which one is used is decided
// outside this header.
ULONGLONG pNtProtectVirtualMemory;
ULONGLONG pZwProtectVirtualMemory;
ULONGLONG pCreateThread;
} PROCESS_IMPORT, *PPROCESS_IMPORT;
// Loader stub context: the block of data handed to LoadDllApcStub /
// CallExportStub (declared below). Sizes are fixed by the LOADER_*_MAX
// macros; the only variable part is the trailing wDllPath buffer.
typedef struct _LOADER_CONTEXT
{
// Resolved import addresses for the target process.
PROCESS_IMPORT Import;
// Fixed-size byte buffers; copies into them must be bounded by
// LOADER_STUB_MAX / LOADER_PATH_MAX.
UCHAR LoaderStub[LOADER_STUB_MAX];
UCHAR ExportStub[LOADER_PATH_MAX];
// Original page protection to restore after patching (see FUNC_PROTECT_MEM).
ULONG PatchProtect;
ULONG Flags;
// Addresses/sizes kept as ULONGLONG for a WOW64-neutral layout.
ULONGLONG ImageBase;
ULONGLONG PatchBase;
ULONGLONG PatchSize;
ULONGLONG ExportedFunction;
// uDllPath presumably points at wDllPath; the UNICODE_STRING Length /
// MaximumLength must stay within the bytes actually allocated past the
// struct — confirm at the allocation site.
UNICODE_STRING uDllPath;
// Zero-length trailing array (MSVC extension); the path characters follow
// the struct in the same allocation. sizeof(LOADER_CONTEXT) does not
// include them.
WCHAR wDllPath[0];
} LOADER_CONTEXT, *PLOADER_CONTEXT;
// Capacity of PID_CONTEXT.InjectContext[]; PID_CONTEXT.InjectCount must never
// exceed this value.
#define MAX_INJECTS_PER_PROCESS 4
// Inject context: one pending or completed injection of a descriptor into a
// specific process. Stored inline in PID_CONTEXT.InjectContext[].
typedef struct _INJECT_CONTEXT
{
// Descriptor this injection was created from (see INJECT_DESCRIPTOR).
PINJECT_DESCRIPTOR InjDesc;
// Loader context prepared for the target (see LOADER_CONTEXT). Ownership
// (who frees it, and when) is not stated in this header.
PLOADER_CONTEXT LdrCtx;
// APC routine and its argument; the APC mechanism itself is not visible
// here (cf. INJECT_STATE_WAITING_APC).
PVOID ApcRoutine;
PVOID ApcContext;
// Base address of the module once mapped.
PVOID ModuleBase;
ULONG Flags;
} INJECT_CONTEXT, *PINJECT_CONTEXT;
// Active process context: per-process bookkeeping for the injections
// targeting it. One of these presumably exists per tracked process id.
typedef struct _PID_CONTEXT
{
// Number of valid entries in InjectContext[]; every writer must check
// InjectCount < MAX_INJECTS_PER_PROCESS before appending.
ULONG InjectCount;
// PID_IS_LOADER / PID_HAS_IMPORT bits (defined below).
ULONG Flags;
INJECT_CONTEXT InjectContext[MAX_INJECTS_PER_PROCESS];
// Valid only when PID_HAS_IMPORT is set in Flags (by the flag's name —
// confirm against the resolver).
PROCESS_IMPORT Import;
} PID_CONTEXT, *PPID_CONTEXT;
// PID_CONTEXT.Flags bits.
#define PID_IS_LOADER 0x100000
#define PID_HAS_IMPORT 0x200000
// Inject descriptor flags (INJECT_DESCRIPTOR.Flags). Grouped by bit range:
// 0x01-0x20 configuration, 0x100-0x200 runtime state, 0x1000-0x2000 which
// image copies have been loaded.
#define INJECT_SPECIFIED_PROCESS 1
#define INJECT_WOW64_PROCESS 4
#define INJECT_AMD64_PROCESS 8
#define INJECT_SPECIFIED_MODULE 0x10
#define INJECT_PROCESS_TREE 0x20
#define INJECT_STATE_WAITING_APC 0x100
#define INJECT_STATE_INJECTED 0x200
#define INJECT_KERNEL_LOADED 0x1000
#define INJECT_WOW64_LOADED 0x2000
// Multi-character constant; value is compiler-dependent but only compared
// with itself (ASSERT_INJECT_DESCRIPTOR) and used as a pool tag.
#define INJECT_DESCRIPTOR_MAGIC 'DjnI'
#if _DBG
// Debug builds: tagged pool allocations and a magic check on descriptors.
#define TAG_INJECT_DESCRIPTOR INJECT_DESCRIPTOR_MAGIC
#define TAG_KLOADER_POOL 'rdLK'
#define ASSERT_INJECT_DESCRIPTOR(x) ASSERT((x)->Magic == INJECT_DESCRIPTOR_MAGIC)
#else
// Release builds: untagged pool (tag 0) and no descriptor validation. A
// corrupted descriptor is therefore only caught in _DBG builds.
#define TAG_INJECT_DESCRIPTOR 0
#define TAG_KLOADER_POOL 0
#define ASSERT_INJECT_DESCRIPTOR(x)
#endif
// Byte-exact patch layouts. pack(1) is required so that sizeof() equals the
// number of bytes written into the patched code (no padding between fields).
#pragma pack(push)
#pragma pack(1)
// 10-byte 32-bit stub: PushOpcode/PushValue (OPCODE_PUSH_DWORD imm32) followed
// by CallOpcode/CallOffset (OPCODE_CALL_NEAR rel32). CallOffset is relative
// to the end of the stub, as for any rel32 — the filler must compute it.
typedef struct _JMP_STUB
{
UCHAR PushOpcode;
ULONG PushValue;
UCHAR CallOpcode;
ULONG CallOffset;
} JMP_STUB, *PJMP_STUB;
// 14-byte 64-bit stub: a 2-byte opcode, a 4-byte displacement and an
// absolute target address. The exact encoding is chosen by the code that
// fills it (not in this header).
typedef struct _JMP_STUB64
{
USHORT Opcode;
ULONG Offset;
ULONG_PTR Address;
} JMP_STUB64, *PJMP_STUB64;
#pragma pack(pop)
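// x86 opcode bytes used to fill JMP_STUB (see above).
#define OPCODE_JMP_NEAR 0xE9
#define OPCODE_CALL_NEAR 0xE8
#define OPCODE_PUSH_DWORD 0x68
// Sentinel meaning "unlimited attaches". Fully parenthesized: the previous
// form `(ULONG)-1` changed meaning in expressions such as
// `sizeof ATTACH_COUNT_MAX` (parsed as `sizeof(ULONG) - 1`).
#define ATTACH_COUNT_MAX ((ULONG)-1)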
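// WOW64 (32-bit) variants of the stubs, provided as raw byte arrays. They are
// presumably defined in another translation unit (not visible here), so they
// are declared `extern`: without it, `UCHAR X[];` at file scope is a tentative
// definition that every includer of this header would emit, and whose type is
// completed to a one-element array at the end of each translation unit.
extern UCHAR LoadDllApcStubWow64[];
extern UCHAR CallExportStubWow64[];
// Creates a descriptor for (ProcessHash, ModuleId); Module and AttachCount
// initialise the corresponding INJECT_DESCRIPTOR fields. Returns NULL on
// failure, presumably — callers must check. Ownership passes to the caller
// until InsertInjectDescriptor() links it into the list.
PINJECT_DESCRIPTOR AllocateInjectDescriptor(ULONG ProcessHash, ULONG ModuleId, PVOID Module, ULONG AttachCount, ULONG Flags);
VOID InsertInjectDescriptor(PINJECT_DESCRIPTOR InjDesc);
// Native (non-WOW64) stubs. LoadDllApcStub has the three-pointer shape of
// EXPORTED_FUNCTION / a kernel APC routine.
VOID _stdcall LoadDllApcStub(PLOADER_CONTEXT LdrCtx, PVOID SystemArgument1, PVOID SystemArgument2);
ULONG _stdcall CallExportStub(PLOADER_CONTEXT LdrCtx);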
// Make the interrupt-flag intrinsics available to including units.
#pragma intrinsic(_disable)
#pragma intrinsic(_enable)
//---- KLoader API ------------------------------------------------------------------------------------------------------------
// Loads the inject configuration from wherever the implementation stores it
// (not specified in this header).
NTSTATUS KldrLoadInjectConfig(VOID);
// Registers a module for injection. pImageBuffer/ImageSize describe an
// in-memory image; the implementation must validate ImageSize against the
// actual buffer before parsing PE headers from it. ProcessList is a PCHAR
// whose format is defined by the parser, not here.
NTSTATUS KldrAddInject(PCHAR VfsDllName, PCHAR ProcessList, PCHAR pImageBuffer, ULONG ImageSize, ULONG Flags, ULONG AttachCount);
// Same as KldrAddInject but driven by a single configuration string; the
// parser must bound its reads by the string's terminator.
NTSTATUS KldrAddInjectConfig(PCHAR InjectStr);
// Removes inject(s) matching the module name and process-name hash (the same
// hash stored in INJECT_DESCRIPTOR.TargetProcessHash). Return value meaning
// (count removed?) is not documented here — check the definition.
ULONG KldrRemoveInject(PCHAR InjectModuleName, ULONG ProcessNameHash);
// from callback.c
// bSet selects register (TRUE) vs. unregister; the callback signature is not
// declared in this header (pCallbackFunction is an untyped PVOID).
NTSTATUS KldrRegisterUserNotifyCallback(PVOID pCallbackFunction, PVOID Context, HANDLE ProcessId, BOOL bSet);
// Process-creation notification entry point (ProcessId / ParentId pair as
// delivered by a create-process notify routine).
VOID KldrUserNotifyCreateProcess(HANDLE ProcessId, HANDLE ParentId);