/*++
Copyright (c) Alex Ionescu. All rights reserved.
Module Name:
r0ak.h
Abstract:
This header declares the main routines and structures for r0ak
Author:
Alex Ionescu (@aionescu) 21-Jul-2018 - First public version
Environment:
User mode only.
--*/
// UNICODE must be defined before <windows.h> so the wide-character (W)
// variants of the Win32 APIs are selected for every translation unit that
// includes this header.
#define UNICODE
// <initguid.h> precedes the other SDK headers so that any DEFINE_GUID they
// contain produces a definition rather than an extern declaration.
#include <initguid.h>
#include <windows.h>
#include <tlhelp32.h>
#include <Psapi.h>
#include <DbgHelp.h>
#include <stdlib.h>
#include <stdio.h>
#include <winternl.h>
#include <evntcons.h>
#include <Evntrace.h>
#include "nt.h"
//
// Symbols provided by the symbol engine
//
// Untyped addresses (PVOID) defined in another module; this header only
// declares them. NOTE(review): their values are presumably filled in at run
// time by the symbol routines declared below (SymSetup / SymLookup) -- confirm
// against the symbol-engine source before relying on them being non-NULL.
//
extern PVOID g_XmFunction;
extern PVOID g_HstiBufferSize;
extern PVOID g_HstiBufferPointer;
extern PVOID g_TrampolineFunction;
//
// Opaque to callers
//
// Only pointer typedefs are exposed; the struct tags are never completed in
// this header, so callers can hold and pass these handles but cannot
// dereference or size them.
//
typedef struct _KERNEL_ALLOC *PKERNEL_ALLOC;
typedef struct _KERNEL_EXECUTE *PKERNEL_EXECUTE;
typedef struct _ETW_DATA *PETW_DATA;
//
// Symbol Routines
//
// Both routines carry _Success_(return != 0): a zero / NULL return means
// failure and callers must check it before using the result.
//
// SymLookup -- by its name, resolves SymbolName within ModuleName and returns
// the resulting address, or NULL on failure. Both arguments are narrow (PCHAR)
// strings even though UNICODE is defined for the Win32 API surface.
//
_Success_(return != 0)
PVOID
SymLookup (
_In_ PCHAR ModuleName,
_In_ PCHAR SymbolName
);
//
// SymSetup -- by its name, initializes the symbol engine; returns FALSE on
// failure. NOTE(review): presumably must succeed before SymLookup is usable
// -- confirm in the implementation.
//
_Success_(return != 0)
BOOL
SymSetup (
VOID
);
//
// Utility Routines
//
// DumpHex -- by its name, prints Size bytes starting at Data as a hex dump.
// Data is read-only (LPCVOID); nothing is returned, so there is no failure
// signal to check.
//
VOID
DumpHex (
_In_ LPCVOID Data,
_In_ SIZE_T Size
);
//
// GetDriverBaseAddr -- by its name, returns the load address of the driver
// whose file name is BaseName (a narrow PCCH string), or 0 on failure per
// _Success_(return != 0).
//
_Success_(return != 0)
ULONG_PTR
GetDriverBaseAddr (
_In_ PCCH BaseName
);
//
// ElevateToSystem -- returns FALSE on failure. NOTE(review): what "SYSTEM"
// refers to is not visible in this header; presumably the calling thread's
// security context -- confirm in the implementation.
//
_Success_(return != 0)
BOOL
ElevateToSystem (
VOID
);
//
// Kernel Memory Routines
//
// KernelAlloc -- allocates Size bytes and, on success, stores a handle in
// *KernelAlloc (_Outptr_) and returns a non-NULL PVOID. Note that the output
// parameter shares the function's own name; inside the definition it shadows
// the function. NOTE(review): which address the returned PVOID refers to
// (user-mode view vs. kernel address) is not visible here -- confirm.
//
_Success_(return != 0)
PVOID
KernelAlloc (
_Outptr_ PKERNEL_ALLOC* KernelAlloc,
_In_ ULONG Size
);
//
// KernelWrite -- operates on a handle obtained from KernelAlloc and returns a
// non-NULL PVOID on success, NULL on failure.
//
_Success_(return != 0)
PVOID
KernelWrite (
_In_ PKERNEL_ALLOC KernelAlloc
);
//
// KernelFree -- releases a handle obtained from KernelAlloc. Returns nothing,
// so failures (if any) are not reported to the caller.
//
VOID
KernelFree (
_In_ PKERNEL_ALLOC KernelAlloc
);
//
// Kernel Execution Routines
//
// All BOOL routines here use _Success_(return != 0); FALSE means failure.
// The order implied by the names is Setup -> SetCallback -> Run -> Teardown;
// NOTE(review): confirm that ordering against the implementation, since the
// declarations below are not listed in that order.
//
// KernelExecuteRun -- triggers execution for a previously set-up context.
//
_Success_(return != 0)
BOOL
KernelExecuteRun (
_In_ PKERNEL_EXECUTE KernelExecute
);
//
// KernelExecuteSetup -- on success stores a new context handle in
// *KernelExecute (_Outptr_). TrampolineFunction is an untyped PVOID;
// NOTE(review): presumably the g_TrampolineFunction symbol declared above is
// what callers pass here -- confirm.
//
_Success_(return != 0)
BOOL
KernelExecuteSetup (
_Outptr_ PKERNEL_EXECUTE* KernelExecute,
_In_ PVOID TrampolineFunction
);
//
// KernelExecuteSetCallback -- associates WorkFunction and a single untyped
// WorkParameter with the context; both are PVOID, so no type checking is
// possible at this interface.
//
_Success_(return != 0)
BOOL
KernelExecuteSetCallback (
_In_ PKERNEL_EXECUTE KernelExecute,
_In_ PVOID WorkFunction,
_In_ PVOID WorkParameter
);
//
// KernelExecuteTeardown -- releases a context created by KernelExecuteSetup.
// Returns nothing, so failures (if any) are not reported.
//
VOID
KernelExecuteTeardown (
_In_ PKERNEL_EXECUTE KernelExecute
);
//
// Kernel Read Routine
//
// CmdReadKernel -- reads ValueSize bytes at KernelAddress through the
// KernelExecute context; returns FALSE on failure. ValueSize is a ULONG, so
// the request size is at most 32 bits wide regardless of platform.
//
_Success_(return != 0)
BOOL
CmdReadKernel (
_In_ PKERNEL_EXECUTE KernelExecute,
_In_ PVOID KernelAddress,
_In_ ULONG ValueSize
);
//
// Kernel Write Routine
//
// CmdWriteKernel -- writes KernelValue at KernelAddress through the
// KernelExecute context; returns FALSE on failure. KernelValue is a ULONG
// (32-bit) while KernelAddress is pointer-sized, so a single call can write at
// most 32 bits.
//
_Success_(return != 0)
BOOL
CmdWriteKernel (
_In_ PKERNEL_EXECUTE KernelExecute,
_In_ PVOID KernelAddress,
_In_ ULONG KernelValue
);
//
// Kernel Run Routine
//
// CmdExecuteKernel -- invokes FunctionPointer with one pointer-sized
// argument (ULONG_PTR FunctionParameter) through the KernelExecute context;
// returns FALSE on failure. No return value from the invoked function is
// surfaced by this interface.
//
_Success_(return != 0)
BOOL
CmdExecuteKernel (
_In_ PKERNEL_EXECUTE KernelExecute,
_In_ PVOID FunctionPointer,
_In_ ULONG_PTR FunctionParameter
);
//
// ETW Routines
//
// EtwStartSession -- on success stores a session handle in *EtwData
// (_Outptr_) and returns TRUE; FALSE on failure. WorkerRoutine is an untyped
// PVOID, so its expected signature is not enforced at this interface.
// NOTE(review): no matching stop/teardown routine is declared in this header
// -- confirm how a session is released.
//
_Success_(return != 0)
BOOL
EtwStartSession (
_Outptr_ PETW_DATA* EtwData,
_In_ PVOID WorkerRoutine
);
//
// EtwParseSession -- processes a session started by EtwStartSession; returns
// FALSE on failure.
//
_Success_(return != 0)
BOOL
EtwParseSession (
_In_ PETW_DATA EtwData
);