/*
* PROJECT: Veil
* FILE: Veil.h
* PURPOSE: This file is part of Veil.
*
* LICENSE: MIT License
*
* DEVELOPER: MeeSong (meesong@outlook.com)
*/
#pragma once
#ifndef _VEIL_
#define _VEIL_
#ifdef __cplusplus
#ifdef VEIL_USE_SEPARATE_NAMESPACE
#define VEIL_BEGIN() namespace Veil { extern "C" {
#define VEIL_END() } }
#else
#define VEIL_BEGIN() extern "C" {
#define VEIL_END() }
#endif
#else
#ifdef VEIL_USE_SEPARATE_NAMESPACE
#define VEIL_BEGIN() namespace Veil {
#define VEIL_END() }
#else
#define VEIL_BEGIN()
#define VEIL_END()
#endif
#endif
#define _VEIL_STRINGIZE_(x) #x
#define _VEIL_STRINGIZE(x) _VEIL_STRINGIZE_(x)
#define _VEIL_CONCATENATE_(a, b) a ## b
#define _VEIL_CONCATENATE(a, b) _VEIL_CONCATENATE_(a, b)
//
// Force Include: emit a "/include:<symbol>" linker directive so the named
// symbol is linked into the image even when nothing else references it.
// The leading "_" is only prepended on x86, where cdecl symbols are decorated.
//
#if defined _M_IX86
#define _VEIL_LINKER_SYMBOL_PREFIX "_"
#elif defined _M_X64 || defined _M_ARM || defined _M_ARM64
#define _VEIL_LINKER_SYMBOL_PREFIX ""
#else
#error Unsupported architecture
#endif
#define _VEIL_LINKER_FORCE_INCLUDE(name) \
__pragma(comment(linker, \
"/include:" \
_VEIL_LINKER_SYMBOL_PREFIX #name \
))
//
// Alternate Name: emit a "/alternatename:<name>=<alternate_name>" linker
// directive, a fallback the linker applies only when <name> is otherwise
// unresolved. Decoration is target-specific ("_" on x86, "#" for ARM64EC and
// x86 hybrid code, none elsewhere); data symbols use the _DATA variant because
// they never carry the "#" code decoration.
//
#if defined _M_IX86
#if defined _M_HYBRID
#define _VEIL_DECLARE_ALTERNATE_NAME_PREFIX "#"
#else
#define _VEIL_DECLARE_ALTERNATE_NAME_PREFIX "_"
#endif
#define _VEIL_DECLARE_ALTERNATE_NAME_PREFIX_DATA "_"
#elif defined _M_ARM64EC
#define _VEIL_DECLARE_ALTERNATE_NAME_PREFIX "#"
#define _VEIL_DECLARE_ALTERNATE_NAME_PREFIX_DATA ""
#elif defined _M_X64 || defined _M_ARM || defined _M_ARM64
#define _VEIL_DECLARE_ALTERNATE_NAME_PREFIX ""
#define _VEIL_DECLARE_ALTERNATE_NAME_PREFIX_DATA ""
#else
#error Unsupported architecture
#endif
#define _VEIL_DECLARE_ALTERNATE_NAME(name, alternate_name) \
__pragma(comment(linker, \
"/alternatename:" \
_VEIL_DECLARE_ALTERNATE_NAME_PREFIX #name \
"=" \
_VEIL_DECLARE_ALTERNATE_NAME_PREFIX #alternate_name \
))
#define _VEIL_DECLARE_ALTERNATE_NAME_DATA(name, alternate_name) \
__pragma(comment(linker, \
"/alternatename:" \
_VEIL_DECLARE_ALTERNATE_NAME_PREFIX_DATA #name \
"=" \
_VEIL_DECLARE_ALTERNATE_NAME_PREFIX_DATA #alternate_name \
))
//
// Static IAT Hook
//
// The _VEIL_DEFINE_IAT_SYMBOL macro provides an architecture-neutral way of
// defining IAT symbols (__imp_- or _imp__-prefixed symbols). Defining such a
// symbol inside the image satisfies the import reference at link time, so every
// call to `sym` that goes through the import thunk is redirected to `fun`
// without any run-time patching. The definition is __declspec(selectany): if
// more than one object supplies the same __imp_ symbol the linker silently
// keeps one of them, so compile in at most one hook per import. The override
// only affects references resolved through this image's own import table; it
// does not alter the target DLL or any other module.
#ifdef _M_IX86
#define _VEIL_DEFINE_IAT_SYMBOL_MAKE_NAME(f) _VEIL_CONCATENATE(_imp__, f)
#else
#define _VEIL_DEFINE_IAT_SYMBOL_MAKE_NAME(f) _VEIL_CONCATENATE(__imp_, f)
#endif
#ifdef __cplusplus
#define _VEIL_DEFINE_IAT_SYMBOL(sym, fun) \
extern "C" __declspec(selectany) void const* const _VEIL_DEFINE_IAT_SYMBOL_MAKE_NAME(sym) \
= reinterpret_cast<void const*>(fun);
#define _VEIL_DEFINE_IAT_RAW_SYMBOL(sym, fun) \
__pragma(warning(suppress:4483)) \
extern "C" __declspec(selectany) void const* const __identifier(_VEIL_STRINGIZE(_VEIL_DEFINE_IAT_SYMBOL_MAKE_NAME(sym))) \
= reinterpret_cast<void const*>(fun);
#else
#define _VEIL_DEFINE_IAT_SYMBOL(sym, fun) \
extern __declspec(selectany) void const* const _VEIL_DEFINE_IAT_SYMBOL_MAKE_NAME(sym) = (void const*)(fun);
// C does not support the __identifier keyword, so raw (non-identifier) IAT
// symbols cannot be defined from C translation units; the macro expands to
// nothing there and the hook is silently absent. Define such hooks from C++.
#define _VEIL_DEFINE_IAT_RAW_SYMBOL(sym, fun)
#endif
//
// Declare Helper
//
#define VEIL_DECLARE_STRUCT(name) \
typedef struct _VEIL_CONCATENATE(_, name) name; \
typedef struct _VEIL_CONCATENATE(_, name) * _VEIL_CONCATENATE(P, name); \
typedef struct _VEIL_CONCATENATE(_, name) const * _VEIL_CONCATENATE(PC, name); \
struct _VEIL_CONCATENATE(_, name)
#define VEIL_DECLARE_STRUCT_ALIGN(name, x) \
typedef struct _VEIL_CONCATENATE(_, name) name; \
typedef struct _VEIL_CONCATENATE(_, name) * _VEIL_CONCATENATE(P, name); \
typedef struct _VEIL_CONCATENATE(_, name) const * _VEIL_CONCATENATE(PC, name); \
__declspec(align(x)) struct _VEIL_CONCATENATE(_, name)
#define VEIL_DECLARE_UNION(name) \
typedef union _VEIL_CONCATENATE(_, name) name; \
typedef union _VEIL_CONCATENATE(_, name) * _VEIL_CONCATENATE(P, name); \
typedef union _VEIL_CONCATENATE(_, name) const * _VEIL_CONCATENATE(PC, name); \
union _VEIL_CONCATENATE(_, name)
//
// Versions
//
#define NTDDI_WIN6 0x06000000 // Windows Vista
#define NTDDI_WIN6SP1 0x06000100 // Windows Vista SP1
#define NTDDI_WIN6SP2 0x06000200 // Windows Vista SP2
#define NTDDI_WIN6SP3 0x06000300 // Windows Vista SP3
#define NTDDI_WIN6SP4 0x06000400 // Windows Vista SP4
#define NTDDI_VISTA NTDDI_WIN6
#define NTDDI_VISTASP1 NTDDI_WIN6SP1
#define NTDDI_VISTASP2 NTDDI_WIN6SP2
#define NTDDI_VISTASP3 NTDDI_WIN6SP3
#define NTDDI_VISTASP4 NTDDI_WIN6SP4
#define NTDDI_LONGHORN NTDDI_VISTA // Windows Vista
#define NTDDI_WS08 NTDDI_WIN6SP1 // Windows Server 2008
#define NTDDI_WS08SP2 NTDDI_WIN6SP2 // Windows Server 2008 SP2
#define NTDDI_WS08SP3 NTDDI_WIN6SP3 // Windows Server 2008 SP3
#define NTDDI_WS08SP4 NTDDI_WIN6SP4 // Windows Server 2008 SP4
#define NTDDI_WIN7 0x06010000 // Windows 7
#define NTDDI_WIN8 0x06020000 // Windows 8
#define NTDDI_WINBLUE 0x06030000 // Windows 8.1
#define NTDDI_WINTHRESHOLD 0x0A000000 // Windows 10.0.10240 / 1507 / Threshold 1
#define NTDDI_WIN10 0x0A000000
#define NTDDI_WIN10_TH2 0x0A000001 // Windows 10.0.10586 / 1511 / Threshold 2
#define NTDDI_WIN10_RS1 0x0A000002 // Windows 10.0.14393 / 1607 / Redstone 1
#define NTDDI_WIN10_RS2 0x0A000003 // Windows 10.0.15063 / 1703 / Redstone 2
#define NTDDI_WIN10_RS3 0x0A000004 // Windows 10.0.16299 / 1709 / Redstone 3
#define NTDDI_WIN10_RS4 0x0A000005 // Windows 10.0.17134 / 1803 / Redstone 4
#define NTDDI_WIN10_RS5 0x0A000006 // Windows 10.0.17763 / 1809 / Redstone 5
#define NTDDI_WIN10_19H1 0x0A000007 // Windows 10.0.18362 / 1903 / Titanium - 19H1
// Windows 10.0.18363 / 1909 / Titanium - 19H2
#define NTDDI_WIN10_VB 0x0A000008 // Windows 10.0.19041 / 2004 / Vibranium
#define NTDDI_WIN10_MN 0x0A000009 // Windows 10.0.19042 / 20H2 / Manganese
#define NTDDI_WIN10_FE 0x0A00000A // Windows 10.0.19043 / 21H1 / Ferrum
#define NTDDI_WIN10_CO 0x0A00000B // Windows 10.0.19044 / 21H2 / Cobalt
// Windows 10.0.19045 / 22H2
#define NTDDI_WIN10_NI 0x0A00000C
#define NTDDI_WIN10_CU 0x0A00000D
// https://archive.org/search?query=subject%3A%22Windows+11%22
#define NTDDI_WIN11 NTDDI_WIN10_CO
#define NTDDI_WIN11_CO NTDDI_WIN10_CO // Windows 10.0.21277-22000 / Cobalt / 21H2
#define NTDDI_WIN11_NI NTDDI_WIN10_NI // Windows 10.0.22449-22631 / Nickel / 22H2 23H2
#define NTDDI_WIN11_CU NTDDI_WIN10_CU // Windows 10.0.25057-25236 / Copper
#define NTDDI_WIN11_ZN 0x0A00000E // Windows 10.0.25246-25398 / Zinc
#define NTDDI_WIN11_GA 0x0A00000F // Windows 10.0.25905-25941 / Gallium
#define NTDDI_WIN11_GE 0x0A000010 // Windows 10.0.25947-26100 / Germanium / 24H2
// Compatibility alias for WDK headers that refer to NTDDI_THRESHOLD
#define NTDDI_THRESHOLD NTDDI_WINTHRESHOLD
//
// C bool: give C translation units bool/true/false/nullptr. Note that C23
// makes all four of these keywords, so these macros should be skipped (or
// guarded on __STDC_VERSION__) when compiling as C23 or later.
//
#ifndef __cplusplus
#ifndef __bool_true_false_are_defined
#define __bool_true_false_are_defined 1
#define bool _Bool
#define false 0
#define true 1
#endif
#define nullptr NULL
#endif
//
// Headers
//
#ifndef __cplusplus
#ifndef CINTERFACE
#define CINTERFACE
#endif
#ifndef COBJMACROS
#define COBJMACROS
#endif
#endif
#ifndef __cplusplus
// This is needed to workaround C17 preprocessor errors when using legacy versions of the Windows SDK. (dmex)
#ifndef MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS
#define MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 0
#endif
#endif
#ifndef ENABLE_RTL_NUMBER_OF_V2
#define ENABLE_RTL_NUMBER_OF_V2
#endif
// Pre-define winternl.h's include guard so that header is skipped when
// <windows.h> is included below; the Veil/Veil.System.*.h headers included
// later supply Veil's own declarations instead.
#define _WINTERNL_
#if !defined(_KERNEL_MODE) && !defined(__KERNEL_MODE)
//
// User-Mode
//
struct IUnknown;
// This header file provides access to Win32, plus NTSTATUS values and some access mask values.
// UMDF_USING_NTSTATUS is intended to let <windows.h> and <ntstatus.h> coexist
// without the usual NTSTATUS redefinition warnings.
#define WINDOWS_IGNORE_PACKING_MISMATCH
#define UMDF_USING_NTSTATUS
#include <stdint.h>
#include <windows.h>
#include <winioctl.h>
#include <ntstatus.h>
#pragma comment(lib, "ntdll.lib")
#if _DEBUG
#define DBG _DEBUG
#endif
#else // if !defined(_KERNEL_MODE)
//
// Kernel-Mode
//
#define NT_INLINE_GET_CURRENT_IRQL
#ifndef UNICODE
#define UNICODE 1
#endif
#if __has_include(<Windows.h>)
#define _UNKNOWN_H_ // fix: avoid the Unknownbase.h / Unknwn.h conflict
#endif
#include "Veil/Veil.C.stdint.h"
#pragma warning(push)
#pragma warning(disable:4324) // structure was padded due to __declspec(align())
#include <fltKernel.h>
#include <ntimage.h>
#pragma warning(pop)
#if __has_include(<Windows.h>)
#define WIN32_LEAN_AND_MEAN
#define _NTOS_
#define _DEVIOCTL_
#define _NTSECAPI_
#include "Veil/Veil.System.WinNT.h"
#include <Windows.h>
#include <Unknwn.h>
#endif
#endif // if defined(_KERNEL_MODE)
#include "Veil/Veil.System.Define.h"
#include "Veil/Veil.System.KernelCore.h"
#include "Veil/Veil.System.MemoryManager.h"
#include "Veil/Veil.System.ObjectManager.h"
#include "Veil/Veil.System.Loader.h"
#include "Veil/Veil.System.Executive.h"
#include "Veil/Veil.System.Process.h"
#include "Veil/Veil.System.Debug.h"
#include "Veil/Veil.System.IOManager.h"
#include "Veil/Veil.System.ALPC.h"
#include "Veil/Veil.System.PowerManager.h"
#include "Veil/Veil.System.ConfigurationManager.h"
#include "Veil/Veil.System.Nls.h"
#include "Veil/Veil.System.RuntimeLibrary.h"
#include "Veil/Veil.System.Security.h"
#include "Veil/Veil.System.Etw.h"
#include "Veil/Veil.System.MinCrypt.h"
#include "Veil/Veil.System.VirtualDesktop.h"
#include "Veil/Veil.System.Win32.h"
#include "Veil/Veil.System.Device.h"
#include "Veil/Veil.System.PNP.h"
#include "Veil/Veil.System.TransactionManager.h"
#include "Veil/Veil.System.VDM.h"
#include "Veil/Veil.System.Prefetcher.h"
#include "Veil/Veil.System.WindowStation.h"
#include "Veil/Veil.System.UserManagerService.h"
#endif // _VEIL_