Petr Beneš wbenny
wbenny
/ 2_WOW64_SYSTEM_SERVICE_2.h
Created
November 4, 2018 02:44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _WOW64_SYSTEM_SERVICE | |
| { | |
| ULONG SystemCallNumber : 12; | |
| ULONG ServiceTableIndex : 4; | |
| ULONG TurboThunkNumber : 5; // Can hold values 0 - 31 | |
| ULONG AlwaysZero : 11; | |
| } WOW64_SYSTEM_SERVICE, *PWOW64_SYSTEM_SERVICE; |
wbenny
/ 2_WOW64_SYSTEM_SERVICE_1.h
Created
November 4, 2018 02:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _WOW64_SYSTEM_SERVICE | |
| { | |
| USHORT SystemCallNumber : 12; | |
| USHORT ServiceTableIndex : 4; | |
| } WOW64_SYSTEM_SERVICE, *PWOW64_SYSTEM_SERVICE; |
wbenny
/ 2_NtWaitForSingleObject.h
Created
November 4, 2018 02:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NTSTATUS | |
| NTAPI | |
| NtWaitForSingleObject( | |
| _In_ HANDLE Handle, | |
| _In_ BOOLEAN Alertable, | |
| _In_ PLARGE_INTEGER Timeout | |
| ); |
wbenny
/ 2_IDA_BT_rename.py
Created
November 4, 2018 02:42
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| begin = 0x01800A8C20 | |
| end = 0x01800B7B4F | |
| struct_size = 24 | |
| ea = begin | |
| while ea < end: | |
| ea += struct_size | |
| name = idc.GetString(idc.Qword(ea)) | |
| idc.MakeName(idc.Qword(ea+8), name) |
wbenny
/ 2_BTCpuSimulate_ARM64.h
Created
November 4, 2018 02:41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DECLSPEC_NORETURN | |
| VOID | |
| BTCpuSimulate( | |
| VOID | |
| ) | |
| { | |
| NTSTATUS Status; | |
| PCONTEXT Context; | |
| // |
wbenny
/ 2_appendix.h
Created
November 4, 2018 02:40
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //////////////////////////////////////////////////////////////////////////////// | |
| // General definitions. | |
| //////////////////////////////////////////////////////////////////////////////// | |
| // | |
| // Context flags. | |
| // winnt.h (Windows SDK) | |
| // |
wbenny
/ NTDLL_EXPORTS.h
Last active
November 5, 2020 01:15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _PS_NTDLL_EXPORT_ITEM { | |
| PCSTR RoutineName; | |
| PVOID RoutineAddress; | |
| } PS_NTDLL_EXPORT_ITEM, *PPS_NTDLL_EXPORT_ITEM; | |
| PS_NTDLL_EXPORT_ITEM NtdllExports[] = { | |
| // | |
| // 19 exports on x64 | |
| // 14 exports on ARM64 | |
| // |
wbenny
/ WOW64_SHARED_INFORMATION.h
Created
October 30, 2018 01:30
wbenny
/ PS_SYSTEM_DLL_DATA.h
Created
October 30, 2018 01:16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // sizeof=0x50, align=0x8 | |
| // | |
| typedef struct _PS_SYSTEM_DLL_DATA { | |
| // | |
| // +0x00 | |
| // | |
| // _SECTION* object of the DLL. |
wbenny
/ SYSTEM_DLL_TYPE.h
Created
October 30, 2018 01:13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef enum _SYSTEM_DLL_TYPE | |
| { | |
| PsNativeSystemDll = 0, | |
| PsWowX86SystemDll = 1, | |
| PsWowArm32SystemDll = 2, | |
| PsWowAmd64SystemDll = 3, | |
| PsWowChpeX86SystemDll = 4, | |
| PsVsmEnclaveRuntimeDll = 5, | |
| PsSystemDllTotalTypes = 6, | |
| } SYSTEM_DLL_TYPE; |