PatchGuard_Context Win1015063

发布于 2018-09-05  433 次阅读


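// Reverse-engineered layout of the PatchGuard context block as observed on
// Windows 10 build 15063 (taken from the author's own dump; see the notes on
// individual fields). Each ULONG64 slot presumably holds the address of the
// kernel routine or global it is named after — confirm with a live debugger
// before relying on any offset. Field order is significant: offsets are
// implied by position, so do not reorder, insert or remove members.
//
// Fixes relative to the original listing (layout unchanged): the ':' after
// ExAcquireResourceSharedLite and the missing ';' after
// ObDereferenceProcessHandleTable are corrected, members whose original
// "names" were expressions (symbol+offset) or '$$0' are given valid C
// identifiers that still record the original text, and the two duplicated
// member names (EmpCheckErrataList, Unknow17) are disambiguated, since C
// forbids duplicate members in a struct.
struct _PatchGuard_Context_15063 {
    UCHAR CmpAppendDllSection[0xE8]; // size differs between PatchGuard versions / builds
    ULONG64 ExAcquireResourceSharedLite;
    ULONG64 ExAcquireResourceExclusiveLite;
    ULONG64 ExAllocatePoolWithTag;
    ULONG64 ExFreePool;
    ULONG64 ExMapHandleToPointer;
    ULONG64 ExQueueWorkItem;
    ULONG64 ExReleaseResourceLite;
    ULONG64 ExUnlockHandleTableEntry;
    ULONG64 ExAcquirePushLockExclusiveEx;
    ULONG64 ExReleasePushLockExclusiveEx;
    ULONG64 ExAcquirePushLockSharedEx;
    ULONG64 ExReleasePushLockSharedEx;
    ULONG64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
    ULONG64 ExAcquireSpinLockSharedAtDpcLevel;
    ULONG64 KeBugCheckEx;
    ULONG64 KeDelayExecutionThread;
    ULONG64 KeEnterCriticalRegionThread;
    ULONG64 KeLeaveCriticalRegion;
    ULONG64 KeEnterGuardedRegion;
    ULONG64 KeLeaveGuardedRegion;
    ULONG64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
    ULONG64 ExReleaseSpinLockSharedFromDpcLevel;
    ULONG64 KeRevertToUserGroupAffinityThread;
    ULONG64 KeProcessorGroupAffinity;
    ULONG64 KeInitializeEnumerationContext;
    ULONG64 KeEnumerateNextProcessor;
    ULONG64 KeCountSetBitsAffinityEx;
    ULONG64 KeQueryAffinityProcess;
    ULONG64 KeQueryAffinityThread;
    ULONG64 KeSetSystemGroupAffinityThread;
    ULONG64 KeSetCoalescableTimer;
    ULONG64 ObfDereferenceObject;
    ULONG64 ObReferenceObjectByName;
    ULONG64 RtlImageDirectoryEntryToData;
    ULONG64 RtlImageNtHeader;
    ULONG64 RtlLookupFunctionTable;
    ULONG64 RtlPcToFileHeader;
    ULONG64 RtlSectionTableFromVirtualAddress;
    ULONG64 DbgPrint;
    ULONG64 MmAllocateIndependentPages;
    ULONG64 MmFreeIndependentPages;
    ULONG64 MmSetPageProtection;
    ULONG64 Unknow1; // not identified in the dump
    ULONG64 Unknow2; // not identified in the dump
    ULONG64 Unknow3; // not identified in the dump
    ULONG64 Unknow4; // not identified in the dump
    ULONG64 RtlLookupFunctionEntry;
    ULONG64 KeAcquireSpinLockRaiseToDpc;
    ULONG64 KeReleaseSpinLock;
    ULONG64 MmGetSessionById;
    ULONG64 MmGetNextSession;
    ULONG64 MmQuitNextSession;
    ULONG64 MmAttachSession;
    ULONG64 MmDetachSession;
    ULONG64 MmGetSessionIdEx;
    ULONG64 MmIsSessionAddress;
    ULONG64 MmIsAddressValid;
    ULONG64 MmSessionGetWin32Callouts;
    ULONG64 KeInsertQueueApc;
    ULONG64 KeWaitForSingleObject;
    ULONG64 Unknow5; // not identified in the dump
    ULONG64 ExReferenceCallBackBlock;
    ULONG64 ExGetCallBackBlockRoutine;
    ULONG64 ExDereferenceCallBackBlock;
    ULONG64 KiMarkBugCheckRegions;
    ULONG64 PspEnumerateCallback;
    ULONG64 CmpEnumerateCallback;
    ULONG64 DbgEnumerateCallback;
    ULONG64 ExpEnumerateCallback;
    ULONG64 ExpGetNextCallback;
    ULONG64 EmpCheckErrataList;
    ULONG64 KiSchedulerApcTerminate;
    ULONG64 KiSchedulerApc;
    // The original listing names this slot EmpCheckErrataList a second time.
    // Suffixed to keep the struct valid; likely a symbol-resolution artifact
    // (two different addresses resolving to the same nearest symbol) — confirm.
    ULONG64 EmpCheckErrataList_2;
    ULONG64 KiSwInterruptDispatch;
    ULONG64 MmAllocatePagesForMdlEx;
    ULONG64 MmAllocateMappingAddress;
    ULONG64 MmMapLockedPagesWithReservedMapping;
    ULONG64 MmUnmapReservedMapping;
    ULONG64 KiSwInterruptDispatch_0x12a0; // resolved as KiSwInterruptDispatch+0x12a0 (no public symbol)
    ULONG64 KiSwInterruptDispatch_0x1310; // resolved as KiSwInterruptDispatch+0x1310 (no public symbol)
    ULONG64 MmAcquireLoadLock;
    ULONG64 MmReleaseLoadLock;
    ULONG64 KeEnumerateQueueApc;
    ULONG64 KeIsApcRunningThread;
    ULONG64 KiSwInterruptDispatch_0xe70; // resolved as KiSwInterruptDispatch+0xe70 (no public symbol)
    ULONG64 PsAcquireProcessExitSynchronization;
    ULONG64 ObDereferenceProcessHandleTable;
    ULONG64 PsGetNextProcess;
    ULONG64 PsQuitNextProcess;
    ULONG64 MmIsSessionLeaderProcess;
    ULONG64 PsInvokeWin32Callout;
    ULONG64 MmEnumerateAddressSpaceAndReferenceImages;
    ULONG64 PsGetProcessProtection;
    ULONG64 PsGetProcessSignatureLevel;
    ULONG64 PsGetProcessSectionBaseAddress;
    ULONG64 SeCompareSigningLevels;
    ULONG64 KeComputeSha256;
    ULONG64 KeComputeParallelSha256;
    ULONG64 KeSetEvent;
    ULONG64 RtlpConvertFunctionEntry;
    ULONG64 RtlpLookupPrimaryFunctionEntry;
    ULONG64 RtlIsMultiSessionSku;
    ULONG64 KiEnumerateCallback;
    ULONG64 KeStackAttachProcess;
    ULONG64 KeUnstackDetachProcess;
    ULONG64 VslVerifyPage;
    ULONG64 KiGetInterruptObjectAddress;
    ULONG64 Unknow6;  // not identified in the dump
    ULONG64 Unknow7;  // not identified in the dump
    ULONG64 Unknow8;  // not identified in the dump
    ULONG64 Unknow9;  // not identified in the dump
    ULONG64 Unknow10; // not identified in the dump
    ULONG64 Unknow11; // not identified in the dump
    ULONG64 KiEntropyTimingRoutine;
    ULONG64 KiProcessListHead;
    ULONG64 KiProcessListLock;
    ULONG64 Unknow12; // possibly PatchGuard encryption state (author's guess)
    ULONG64 Unknow13; // possibly PatchGuard encryption state (author's guess)
    ULONG64 PsActiveProcessHead;
    ULONG64 PsInvertedFunctionTable;
    ULONG64 PsLoadedModuleList;
    ULONG64 PsLoadedModuleResource;
    ULONG64 PsLoadedModuleSpinLock;
    ULONG64 PspActiveProcessLock;
    ULONG64 PspCidTable;
    ULONG64 ExpUuidLock;
    ULONG64 AlpcpPortListLock;
    ULONG64 KeServiceDescriptorTable;
    ULONG64 KeServiceDescriptorTableShadow;
    ULONG64 KeServiceDescriptorTableFilter;
    ULONG64 VfThunksExtended;
    ULONG64 PsWin32CallBack;
    ULONG64 TriageImagePageSize;
    ULONG64 KiTableInformation;
    ULONG64 HandleTableListHead;
    ULONG64 SeNullSid;
    ULONG64 Unknow14; // not identified in the dump
    ULONG64 Unknow15; // observed value in the dump: fffff780`00000000
    ULONG64 Unknow16; // observed value in the dump: a9ad6402`bae5207b
    ULONG64 SeProtectedMapping;
    ULONG64 Unknow_Sym_0; // the original listing shows the symbol '$$0' here; meaning unknown
    ULONG64 KiStackProtectNotifyEvent;
    ULONG64 Unknow17; // observed value in the dump: fffff900`00000000
    ULONG64 RtlpInvertedFunctionTable;
    ULONG64 KiIsrThunk;
    ULONG64 Unknow17_2; // named Unknow17 a second time in the original listing; not identified
    ULONG64 Unknow18; // not identified in the dump
    ULONG64 Unknow19; // not identified in the dump
    ULONG64 Unknow20; // not identified in the dump
    ULONG64 Unknow21; // not identified in the dump
    ULONG64 Unknow22; // not identified in the dump
    // .......
    // ....... The structure PatchGuard uses is very large; the many fields of
    // unclear meaning that follow still need to be worked out with dynamic
    // debugging.
};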
