Skip to content

Instantly share code, notes, and snippets.

View swwwolf's full-sized avatar

swwwolf swwwolf

244 followers · 9 following
View GitHub Profile
@swwwolf
swwwolf / PsCallImageNotifyRoutines.c
Last active June 20, 2022 15:58
NTSTATUS
MmLoadSystemImage(IN PUNICODE_STRING ImageFileName,
IN PUNICODE_STRING NamePrefix OPTIONAL,
IN PUNICODE_STRING LoadedBaseName OPTIONAL,
IN ULONG LoadFlags,
OUT PVOID *ImageHandle,
OUT PVOID *ImageBaseAddress) {
// ...
if ( PsImageNotifyEnabled ) {
IMAGE_INFO ImageInfo;
@swwwolf
swwwolf / LoadImageNotifyRoutine.c
Last active June 20, 2022 15:58
NTSTATUS SetLoadImageNotifyRoutine(IN PLOAD_IMAGE_NOTIFY_ROUTINE Routine) {
PAGED_CODE();
if ( !Routine )
return STATUS_INVALID_PARAMETER;
return PsSetLoadImageNotifyRoutine( Routine );
}
VOID LoadImageNotifyRoutine(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo) {
@swwwolf
swwwolf / CreateProcessNotify.c
Last active June 20, 2022 15:59
typedef NTSTATUS (NTAPI* PSSETCREATEPROCESSNOTIFYROUTINEEX_PROC)(
IN PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
IN BOOLEAN Remove);
NTSTATUS SetCreateProcessNotifyRoutine(VOID) {
NTSTATUS status;
UNICODE_STRING szCreateProcessEx = { 0 };
PSSETCREATEPROCESSNOTIFYROUTINEEX_PROC pCreateProcessEx = NULL;
PAGED_CODE();
@swwwolf
swwwolf / CreateThreadNotify.c
Created December 14, 2014 21:14
NTSTATUS SetCreateThreadNotifyRoutine(IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine) {
PAGED_CODE();
if ( !NotifyRoutine )
return STATUS_INVALID_PARAMETER;
return PsSetCreateThreadNotifyRoutine(NotifyRoutine);
}
VOID CreateThreadNotifyRoutine(IN HANDLE ProcessId, IN HANDLE ThreadId, IN BOOLEAN Create) {
@swwwolf
swwwolf / PspCreateThread.c
Created December 14, 2014 21:17
NTSTATUS
PspCreateThread(OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
IN PEPROCESS ProcessPointer,
OUT PCLIENT_ID ClientId OPTIONAL,
IN PCONTEXT ThreadContext OPTIONAL,
IN PINITIAL_TEB InitialTeb OPTIONAL,
IN BOOLEAN CreateSuspended,
@swwwolf
swwwolf / PspExitProcess.c
Created December 14, 2014 21:42
VOID PspExitProcess(IN BOOLEAN LastThreadExit,
IN PEPROCESS Process) {
// ...
if (LastThreadExit) {
// ...
if (PspCreateProcessNotifyRoutineCount != 0) {
ULONG i;
PEX_CALLBACK_ROUTINE_BLOCK CallBack;
PCREATE_PROCESS_NOTIFY_ROUTINE Rtn;
@swwwolf
swwwolf / visual_commander_cpplint_py.cs
Last active October 29, 2016 13:15
Invoking external tool from the Visual Commander
using EnvDTE;
using EnvDTE80;
public class E : VisualCommanderExt.IExtension
{
public void SetSite(EnvDTE80.DTE2 DTE_, Microsoft.VisualStudio.Shell.Package package)
{
DTE = DTE_;
events = DTE.Events;
documentEvents = events.DocumentEvents;
@swwwolf
swwwolf / symsrv_dll_no_proxy.asm
Last active August 29, 2015 14:19
if ( g_NoProxy )
goto set_no_proxy_parameters;
pszProxyW = Str1;
if ( Str1 )
{
if ( !wcscmp(Str1, L"SymSrvDirectProxy") )
{
set_no_proxy_parameters:
v6 = v21;
dwAccessType = 1;
@swwwolf
swwwolf / NoInternetProxy.asm
Created April 24, 2015 08:46
if ( !RegOpenKeyExW(v1, L"Software\\Microsoft\\Symbol Server", 0, 0x20019u, &hKey) )
{
cbData = REG_DWORD;
Type = REG_DWORD;
v14 = RegQueryValueExW(hKey, L"NoInternetProxy", 0i64, &Type, Data, &cbData);
v15 = g_NoProxy;
if ( !v14 )
v15 = *(_DWORD *)Data;
g_NoProxy = v15;
RegCloseKey(hKey);
@swwwolf
swwwolf / NtSetInformationProcess_Nirvana.cpp
Last active June 20, 2022 15:59
#include <Ntifs.h>
typedef enum _PROCESS_INFORMATION_CLASS {
ProcessMemoryPriority,
ProcessMemoryExhaustionInfo,
ProcessAppMemoryInfo,
ProcessInPrivateInfo,
ProcessEDPStateInfo,
ProcessInformationClassMax
} PROCESS_INFORMATION_CLASS;