62 lines
2.6 KiB
C
62 lines
2.6 KiB
C
/* Benjamin DELPY `gentilkiwi`
|
|
http://blog.gentilkiwi.com
|
|
benjamin@gentilkiwi.com
|
|
Licence : https://creativecommons.org/licenses/by/4.0/
|
|
*/
|
|
#pragma once
|
|
#include "globals.h"
|
|
#include "kkll_m_memory.h"
|
|
#include "kkll_m_modules.h"
|
|
|
|
#define OBJECT_HASH_TABLE_SIZE 37
|
|
#define CM_REG_MAX_CALLBACKS 100
|
|
|
|
typedef struct _KKLL_M_NOTIFY_CALLBACK {
|
|
#ifdef _M_IX86
|
|
ULONG unk0;
|
|
#endif
|
|
PVOID * callback;
|
|
} KKLL_M_NOTIFY_CALLBACK, *PKKLL_M_NOTIFY_CALLBACK;
|
|
|
|
typedef struct _OBJECT_DIRECTORY_ENTRY {
|
|
struct _OBJECT_DIRECTORY_ENTRY * ChainLink;
|
|
PVOID Object;
|
|
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;
|
|
|
|
typedef struct _OBJECT_DIRECTORY {
|
|
POBJECT_DIRECTORY_ENTRY HashBuckets[OBJECT_HASH_TABLE_SIZE];
|
|
/* ... */
|
|
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
|
|
|
|
typedef struct _OBJECT_CALLBACK_ENTRY {
|
|
LIST_ENTRY CallbackList;
|
|
OB_OPERATION Operations;
|
|
ULONG Active;
|
|
/*OB_HANDLE*/ PVOID Handle;
|
|
POBJECT_TYPE ObjectType;
|
|
POB_PRE_OPERATION_CALLBACK PreOperation;
|
|
POB_POST_OPERATION_CALLBACK PostOperation;
|
|
/* ... */
|
|
} OBJECT_CALLBACK_ENTRY, *POBJECT_CALLBACK_ENTRY;
|
|
|
|
typedef NTSTATUS (* PPSSETCREATEPROCESSNOTIFYROUTINEEX) ( __in PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine, __in BOOLEAN Remove);
|
|
//typedef VOID (* POBUNREGISTERCALLBACKS) (__in PVOID RegistrationHandle);
|
|
|
|
NTSTATUS kkll_m_notify_init();
|
|
NTSTATUS kkll_m_notify_list_thread(PKIWI_BUFFER outBuffer);
|
|
NTSTATUS kkll_m_notify_list_process(PKIWI_BUFFER outBuffer);
|
|
NTSTATUS kkll_m_notify_list_image(PKIWI_BUFFER outBuffer);
|
|
NTSTATUS kkll_m_notify_list_reg(PKIWI_BUFFER outBuffer);
|
|
NTSTATUS kkll_m_notify_list_object(PKIWI_BUFFER outBuffer);
|
|
NTSTATUS kkll_m_notify_desc_object_callback(POBJECT_CALLBACK_ENTRY pCallbackEntry, PKIWI_BUFFER outBuffer);
|
|
NTSTATUS kkll_m_notify_remove_process(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);
|
|
NTSTATUS kkll_m_notify_remove_object(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);
|
|
|
|
NTSTATUS kkll_m_notify_list(PKIWI_BUFFER outBuffer, PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax);
|
|
NTSTATUS kkll_m_notify_search(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax, PKKLL_M_MEMORY_OFFSETS * pOffsets);
|
|
|
|
|
|
OB_PREOP_CALLBACK_STATUS kkll_m_notify_fake_ObjectPreCallback(IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION OperationInformation);
|
|
DWORD kkll_m_notify_fake_ObjectPreCallback_end();
|
|
VOID kkll_m_notify_fake_ObjectPostCallback(IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION OperationInformation);
|
|
DWORD kkll_m_notify_fake_ObjectPostCallback_end(); |