Skip to content

Instantly share code, notes, and snippets.

View wbenny's full-sized avatar

Petr Beneš wbenny

717 followers · 14 following
View GitHub Profile
@wbenny
wbenny / KCONTINUE.h
Last active August 8, 2023 14:19
//
// NtContinueEx is now used by ntdll!KiUserApcDispatcher.
// The KCONTINUE_ARGUMENT structure is built in the KiInitializeUserApc
// function.
//
typedef enum _KCONTINUE_TYPE
{
KCONTINUE_UNWIND,
KCONTINUE_RESUME,
@wbenny
wbenny / nt_syscalls.md
Last active March 22, 2023 07:59
Windows syscall stubs

Windows system calls

...by stub

x86

Windows XP

B8 ?? ?? ?? ??                mov     eax, ??
BA 00 03 FE 7F                mov     edx, 7FFE0300h
@wbenny
wbenny / SYSTEM_DLL_TYPE.h
Created October 30, 2018 01:13
typedef enum _SYSTEM_DLL_TYPE
{
PsNativeSystemDll = 0,
PsWowX86SystemDll = 1,
PsWowArm32SystemDll = 2,
PsWowAmd64SystemDll = 3,
PsWowChpeX86SystemDll = 4,
PsVsmEnclaveRuntimeDll = 5,
PsSystemDllTotalTypes = 6,
} SYSTEM_DLL_TYPE;
@wbenny
wbenny / PS_SYSTEM_DLL_DATA.h
Created October 30, 2018 01:16
//
// sizeof=0x50, align=0x8
//
typedef struct _PS_SYSTEM_DLL_DATA {
//
// +0x00
//
// _SECTION* object of the DLL.
@wbenny
wbenny / kernel32_undoc.txt
Created December 11, 2018 21:27
ActivateActCtxWorker
AddLocalAlternateComputerNameA
AddLocalAlternateComputerNameW
AddRefActCtxWorker
AdjustCalendarDate
AppXGetOSMaxVersionTested
BaseCheckAppcompatCache
BaseCheckAppcompatCacheEx
BaseCheckAppcompatCacheExWorker
BaseCheckAppcompatCacheWorker
@wbenny
wbenny / TlsCallback.c
Created September 29, 2018 19:36
TLS callback minimal example
//
// Merge .CRT section to .rdata (read only)
//
#pragma comment(linker, "/merge:.CRT=.rdata")
//
// Define variables marking the begin and the end
// of the TLS callback array.
//
@wbenny
wbenny / vmcs_field_encoding.md
Last active December 11, 2020 10:04
VMCS field encoding

VMCS field encoding

Values of VMCS fields are encoded as per section VMREAD, VMWRITE, and Encodings of VMCS Field (24.11.2, Intel Manual Volume 3C - May 2018).

This encoding can be transcribed into C:

union vmcs_component_encoding
{
 struct
@wbenny
wbenny / NTDLL_EXPORTS.h
Last active November 5, 2020 01:15
typedef struct _PS_NTDLL_EXPORT_ITEM {
PCSTR RoutineName;
PVOID RoutineAddress;
} PS_NTDLL_EXPORT_ITEM, *PPS_NTDLL_EXPORT_ITEM;
PS_NTDLL_EXPORT_ITEM NtdllExports[] = {
//
// 19 exports on x64
// 14 exports on ARM64
//
@wbenny
wbenny / 2_WOW64_SERVICE_TABLE_DESCRIPTOR.h
Created November 4, 2018 02:45
typedef struct _WOW64_ERROR_CASE {
ULONG Case;
NTSTATUS TransformedStatus;
} WOW64_ERROR_CASE, *PWOW64_ERROR_CASE;
typedef struct _WOW64_SERVICE_TABLE_DESCRIPTOR {
KSERVICE_TABLE_DESCRIPTOR Descriptor;
@wbenny
wbenny / 2_appendix.h
Created November 4, 2018 02:40
////////////////////////////////////////////////////////////////////////////////
// General definitions.
////////////////////////////////////////////////////////////////////////////////
//
// Context flags.
// winnt.h (Windows SDK)
//