mimikatz/mimidrv/kkll_m_notify.h


/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#pragma once
#include "globals.h"
#include "kkll_m_memory.h"
#include "kkll_m_modules.h"
/* Number of hash buckets in an object-manager directory; OBJECT_DIRECTORY
 * below dimensions its HashBuckets array with it. */
#define OBJECT_HASH_TABLE_SIZE 37
/* Upper bound on registry (CM) callback entries. Not referenced in this
 * header; presumably caps the walk done by kkll_m_notify_list_reg -- confirm
 * in the .c. */
#define CM_REG_MAX_CALLBACKS 100
/*
 * One slot of a kernel notify-routine callback array.
 *
 * `callback` is a pointer to the callback pointer and is the only field
 * declared on every architecture. On x86 (_M_IX86) a leading ULONG precedes
 * it; its name `unk0` records that the author did not identify its meaning.
 * The layout mirrors an internal, undocumented kernel structure, so it must
 * be re-checked against the target OS build rather than assumed stable.
 */
typedef struct _KKLL_M_NOTIFY_CALLBACK {
#ifdef _M_IX86
	ULONG unk0;	/* x86 only; purpose unidentified */
#endif
	PVOID * callback;	/* address of the stored callback pointer */
} KKLL_M_NOTIFY_CALLBACK, *PKKLL_M_NOTIFY_CALLBACK;
/*
 * One entry in an object-manager directory hash bucket.
 *
 * Entries in the same bucket form a singly-linked chain through ChainLink
 * (a pointer to the same struct type); Object is the object the entry names.
 * Only these two leading fields are declared here.
 */
typedef struct _OBJECT_DIRECTORY_ENTRY {
	struct _OBJECT_DIRECTORY_ENTRY * ChainLink;	/* next entry in this bucket's chain */
	PVOID Object;	/* object referenced by this entry */
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;
/*
 * Prefix of the kernel's object-manager directory structure.
 *
 * Only HashBuckets is declared; the trailing comment marks fields that were
 * deliberately left out. Because the declaration is truncated, sizeof on
 * this type does not give the real object size -- never use it to allocate
 * or copy a directory.
 */
typedef struct _OBJECT_DIRECTORY {
	POBJECT_DIRECTORY_ENTRY HashBuckets[OBJECT_HASH_TABLE_SIZE];	/* one chain head per bucket */
	/* ... remaining kernel fields intentionally not declared ... */
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
/*
 * Prefix of the kernel's per-registration object callback entry.
 *
 * The declared fields carry the WDK callback types (OB_OPERATION,
 * POB_PRE_OPERATION_CALLBACK, POB_POST_OPERATION_CALLBACK); the entries are
 * linked through CallbackList. The Handle field's real type is noted in the
 * author's inline comment as OB_HANDLE but is declared as PVOID. The
 * declaration is truncated (see the trailing comment), so sizeof on this
 * type is not the real entry size.
 */
typedef struct _OBJECT_CALLBACK_ENTRY {
	LIST_ENTRY CallbackList;	/* links entries of one registration */
	OB_OPERATION Operations;	/* operations the callback is registered for */
	ULONG Active;	/* presumably non-zero while the entry is live -- confirm */
	/*OB_HANDLE*/ PVOID Handle;	/* registration handle, declared as PVOID */
	POBJECT_TYPE ObjectType;	/* object type the callback applies to */
	POB_PRE_OPERATION_CALLBACK PreOperation;	/* pre-operation routine, may be NULL */
	POB_POST_OPERATION_CALLBACK PostOperation;	/* post-operation routine, may be NULL */
	/* ... remaining kernel fields intentionally not declared ... */
} OBJECT_CALLBACK_ENTRY, *POBJECT_CALLBACK_ENTRY;
/* Function-pointer type with the signature of PsSetCreateProcessNotifyRoutineEx
 * (NotifyRoutine, Remove); presumably used to call a dynamically resolved
 * export rather than linking it directly -- confirm in the .c. */
typedef NTSTATUS (* PPSSETCREATEPROCESSNOTIFYROUTINEEX) ( __in PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine, __in BOOLEAN Remove);
//typedef VOID (* POBUNREGISTERCALLBACKS) (__in PVOID RegistrationHandle);

/* Module initialisation; returns an NTSTATUS.
 * NOTE(review): declared with empty parentheses rather than (void), so this
 * prototype gives callers no argument checking. */
NTSTATUS kkll_m_notify_init();

/* Enumeration routines. Each takes the output buffer to write its listing
 * into and returns an NTSTATUS; the suffix names the kernel callback table
 * it walks (thread, process, image-load, registry, object). */
NTSTATUS kkll_m_notify_list_thread(PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_list_process(PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_list_image(PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_list_reg(PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_list_object(PKIWI_BUFFER outBuffer);

/* Writes a description of one OBJECT_CALLBACK_ENTRY into outBuffer. */
NTSTATUS kkll_m_notify_desc_object_callback(POBJECT_CALLBACK_ENTRY pCallbackEntry, PKIWI_BUFFER outBuffer);

/* Removal routines. bufferIn is a caller-supplied input buffer of szBufferIn
 * bytes and outBuffer receives the result. This header fixes neither the
 * input layout nor a minimum size, so the implementation must validate
 * szBufferIn against the expected layout before dereferencing bufferIn. */
NTSTATUS kkll_m_notify_remove_process(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_remove_object(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);

/* Shared helpers (presumably used by the list_* routines above).
 *   generics / cbGenerics: array of memory descriptors and its size
 *     (cbGenerics looks like a byte count -- confirm in the .c);
 *   ptr: out-parameter, presumably the located address;
 *   pRoutineMax: out-parameter for the maximum number of routines;
 *   pOffsets (search only): out-parameter for the matching offsets descriptor. */
NTSTATUS kkll_m_notify_list(PKIWI_BUFFER outBuffer, PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax);
NTSTATUS kkll_m_notify_search(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax, PKKLL_M_MEMORY_OFFSETS * pOffsets);

/* Stub object callbacks with the WDK pre/post-operation signatures, each
 * followed by an *_end function taking no arguments and returning DWORD.
 * The naming suggests the *_end functions exist only as address markers for
 * the end of the preceding function's code -- confirm in the .c. */
OB_PREOP_CALLBACK_STATUS kkll_m_notify_fake_ObjectPreCallback(IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION OperationInformation);
DWORD kkll_m_notify_fake_ObjectPreCallback_end();
VOID kkll_m_notify_fake_ObjectPostCallback(IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION OperationInformation);
DWORD kkll_m_notify_fake_ObjectPostCallback_end();