/*
 * Decoded view of a WOW64 system service number as a set of bit-fields.
 *
 * The four widths sum to exactly 32 bits, so the whole struct is one ULONG
 * with no padding.  Bit positions below assume the low-to-high bit-field
 * allocation used by MSVC (and GCC on little-endian targets); the C standard
 * leaves allocation order implementation-defined.
 *
 * Note: a 16-bit USHORT variant with the same struct tag and typedef names
 * also exists on this page; only one of the two can be visible in a given
 * translation unit.
 */
typedef struct _WOW64_SYSTEM_SERVICE {
    ULONG SystemCallNumber  : 12;   /* bits  0-11, values 0 - 4095 */
    ULONG ServiceTableIndex :  4;   /* bits 12-15, values 0 - 15 */
    ULONG TurboThunkNumber  :  5;   /* bits 16-20, can hold values 0 - 31 */
    ULONG AlwaysZero        : 11;   /* bits 21-31; the name says these must be
                                       zero, so a decoder would reasonably
                                       reject a value with any of them set
                                       before trusting the other fields */
} WOW64_SYSTEM_SERVICE, *PWOW64_SYSTEM_SERVICE;
/*
 * 16-bit form of a WOW64 system service number: only the system call number
 * and the service table index, with no TurboThunk or reserved bits.
 *
 * The two widths sum to exactly 16 bits, so the struct is one USHORT with no
 * padding.  Presumably this is the shape used where the service number is
 * carried in a 16-bit field — confirm against the code that fills it in.
 *
 * Note: a 32-bit ULONG variant with the same struct tag and typedef names
 * also exists on this page; only one of the two can be visible in a given
 * translation unit.
 */
typedef struct _WOW64_SYSTEM_SERVICE {
    USHORT SystemCallNumber  : 12;  /* low 12 bits (MSVC allocation), values 0 - 4095 */
    USHORT ServiceTableIndex :  4;  /* high 4 bits, values 0 - 15 */
} WOW64_SYSTEM_SERVICE, *PWOW64_SYSTEM_SERVICE;
/**
 * Native (ntdll) system call that waits on a single kernel object.
 *
 * All three parameters are input-only, as the _In_ SAL annotations state.
 *
 * @param Handle     Handle of the object to wait on.
 * @param Alertable  Whether the wait may be interrupted for APC delivery —
 *                   the usual NT meaning of this flag; verify against the
 *                   ntdll/SDK documentation.
 * @param Timeout    Pointer to a LARGE_INTEGER timeout.  By NT convention a
 *                   NULL pointer waits indefinitely, a negative value is a
 *                   relative interval and a positive value an absolute time;
 *                   confirm against the documentation before relying on it.
 * @return NTSTATUS result of the wait.
 */
NTSTATUS NTAPI
NtWaitForSingleObject(_In_ HANDLE Handle,
                      _In_ BOOLEAN Alertable,
                      _In_ PLARGE_INTEGER Timeout);
# IDAPython helper: walk a table of 24-byte records between `begin` and
# `end` and name the routine each record points at.  As read here, a record
# holds a pointer to a NUL-terminated name string at offset 0 and a pointer
# to the routine at offset +8.
begin = 0x01800A8C20
end = 0x01800B7B4F
struct_size = 24

# Visit the same addresses as the original "advance, then read" loop:
# the entry at `begin` itself is never read, and the walk stops only once the
# *previous* address has reached `end`, so the last read may land slightly
# past `end`.  Confirm both are intended (e.g. a header record at `begin`).
for ea in range(begin + struct_size, end + struct_size, struct_size):
    name = idc.GetString(idc.Qword(ea))
    idc.MakeName(idc.Qword(ea + 8), name)
DECLSPEC_NORETURN | |
VOID | |
BTCpuSimulate( | |
VOID | |
) | |
{ | |
NTSTATUS Status; | |
PCONTEXT Context; | |
// |
//////////////////////////////////////////////////////////////////////////////// | |
// General definitions. | |
//////////////////////////////////////////////////////////////////////////////// | |
// | |
// Context flags. | |
// winnt.h (Windows SDK) | |
// |
/**
 * One entry of an ntdll export lookup table: the export's name paired with
 * the address it resolves to.  This is the element type of the
 * NtdllExports[] array defined right after it.
 */
typedef struct _PS_NTDLL_EXPORT_ITEM {
    PCSTR RoutineName;      /* export name; storage is not owned by the struct
                               (presumably a string literal — confirm in the
                               array initializer) */
    PVOID RoutineAddress;   /* resolved address; whether it is filled in at
                               runtime or in the initializer is not visible
                               here */
} PS_NTDLL_EXPORT_ITEM, *PPS_NTDLL_EXPORT_ITEM;
PS_NTDLL_EXPORT_ITEM NtdllExports[] = { | |
// | |
// 19 exports on x64 | |
// 14 exports on ARM64 | |
// |
// | |
// sizeof=0x50, align=0x8 | |
// | |
typedef struct _PS_SYSTEM_DLL_DATA { | |
// | |
// +0x00 | |
// | |
// _SECTION* object of the DLL. |
/**
 * Kinds of "system DLL" distinguished by the process-subsystem (Ps) code.
 *
 * The values are written out explicitly because they are contiguous from 0
 * and end in a *TotalTypes member, which reads as an element count —
 * presumably the enum indexes a per-type table; confirm before using it that
 * way.  Do not renumber: the explicit values are part of the layout contract.
 */
typedef enum _SYSTEM_DLL_TYPE {
    PsNativeSystemDll      = 0,
    PsWowX86SystemDll      = 1,
    PsWowArm32SystemDll    = 2,
    PsWowAmd64SystemDll    = 3,
    PsWowChpeX86SystemDll  = 4,
    PsVsmEnclaveRuntimeDll = 5,
    PsSystemDllTotalTypes  = 6,   /* number of real entries above, not a DLL kind */
} SYSTEM_DLL_TYPE;