Little-Ki
/ EnumProcessThread
Last active
October 23, 2020 15:03
[Code] [Kernel] Enum thread which in process
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Enum thread which in process | |
| struct Thread_t { | |
| ULONG64 tid; | |
| ULONG64 base; | |
| } | |
| NTSTATUS EnumProcessThread( HANDLE pid, std::vector<Thread_t> & list ) | |
| { | |
| PSYSTEM_PROCESS_INFORMATION pProcess; |
Little-Ki
/ EnumModule
Created
October 23, 2020 14:51
[Code] [Kernel] Enum module which in current process
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Enum module which in current process */ | |
| struct Module_t { | |
| ULONG64 base; | |
| ULONG64 size; | |
| std::string name; | |
| } | |
| void EnumModule( std::vector<Module_t> & list ) | |
| { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* SSDT proxy class */ | |
| /* | |
| #pragma pack(1) | |
| struct SYSTEM_SERVICE_TABLE { | |
| // This pointer points to an array of int | |
| // In 32 bits mode, this array saves <function's address>. | |
| // In 64 bits mode, this array saves <(function's address - table's address) << 4>. | |
| // So we calculate the function's address by this way: | |
| // In 32 bits mode : function's address = [table's address + 4 * index] |
Little-Ki
/ GetNotifyVarAddress
Last active
October 25, 2020 03:18
[Code] [Kernel] Bypass process, thread and image load notify routines
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // When you tried to create thread in process, the anti cheat will detect it, the one reason is it uses PsSetCreateThreadNotifyRoutine. | |
| // Then ac uses PsSetLoadImageNotifyRoutine to block loading of blacklisted drivers. | |
| // PsSetLoadImageNotifyRoutine is not being used to block DLL injection. | |
| // However, we can bypass both of these notifications by modifying a kernel variable: PspNotifyEnableMask. Why? | |
| // PspCallThreadNotifyRoutines is a kernel function, this function iterating the installed notification routines and calling them. | |
| // By analysis it in IDA, we can find a symbol named PspNotifyEnableMask, just fill it with zero will skip calling of any notification routines. | |
| // But it's not clean way to do it and will also block process creation routines which is not a good thing (any process you start when PsSetCreateProcessNotifyRoutine is bypassed will not have ability to connect to internet). | |
| // By look at function PsSetCreateThreadNotifyRoutine itself, we will see: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations. | |
| // This function is a most public method used by anti cheat / anti virus software. | |
| // Offical document: | |
| // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks | |
| // Function syntax: | |
| // NTSTATUS ObRegisterCallbacks( | |
| // POB_CALLBACK_REGISTRATION CallbackRegistration, | |
| // PVOID *RegistrationHandle |
Little-Ki
/ IRQL and memory protect
Last active
October 25, 2020 07:26
[Code] [Kernel] IRQL, memory protection and memory modify
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // To write other's memory in kernel, there has other rules, IRQL and memory protection. | |
| // If you try to write memory when memory protection is enabled, you will get BSOD. | |
| // In order to write other's memory, we should disable memory protection first and upgrade IRQL to level 2 (normally is 0). | |
| // The sign of memory protection state is in CR0 register. So just modify it can change state. | |
| // To change IRQL level, use KeRaiseIrqlToDpcLevel and KeLowerIrql, in 64 bits system, IRQL state stored in CR8 register, in 32 bits mode, it's in KPCR. | |
| // Code: | |
| KIRQL WPOFFx64() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #pragma once | |
| #include <type_traits> | |
| template<class _Ty> | |
| struct np_decay_impl { | |
| using _T0 = typename std::conditional_t<std::is_function_v<std::remove_pointer_t<_Ty>>, _Ty, std::remove_reference_t<_Ty>>; | |
| using _T1 = typename std::conditional_t<std::is_function_v<std::remove_pointer_t<_Ty>>, _T0, std::remove_pointer_t<_T0>>; | |
| using _T2 = typename std::conditional_t<std::is_array_v<_T1>, std::remove_extent_t<_T1>, _T1>; | |
| using type = typename std::conditional_t<std::is_function_v<std::remove_pointer_t<_Ty>>, _T2, std::remove_cv_t<_T2>>; | |
| }; |
Little-Ki
/ [C++ Template] Calculate hash by type name.hpp
Last active
September 18, 2023 03:46
[C++ Template] Calculate hash by type name
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #pragma once | |
| template <typename T> | |
| constexpr size_t hash_type() | |
| { | |
| size_t result{}; | |
| #ifdef _MSC_VER | |
| #define F __FUNCSIG__ | |
| #else | |
| #define F __PRETTY_FUNCTION__ |
Little-Ki
/ [C++ Template] Make enumrate interval.h
Last active
September 18, 2023 03:47
[C++ Template] Make enumrate interval
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| template<size_t ...args> | |
| struct enumrate_interval_pack {}; | |
| template<size_t ...args> | |
| struct enumrate_interval_impl { | |
| using type = enumrate_interval_pack<args...>; | |
| }; | |
| template<size_t l, size_t h, size_t ...args> | |
| struct enumrate_interval { |
Little-Ki
/ [C++ Template] Fixed string ( < c++ 20 ).h
Last active
September 18, 2023 03:47
[C++ Template] Fixed string ( < c++ 20 )
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| template<char ...c> | |
| struct string{ | |
| constexpr static size_t N = sizeof...(c) + 1; | |
| constexpr static const char data[N] = { c..., 0 }; | |
| }; | |
| template<char ...C> | |
| auto make_string(string<C...>) -> string<C...>; | |
| template<char ...C1, char C,char ...C2> |
OlderNewer