#ifndef __RK_IOMAN_H__
#define __RK_IOMAN_H__
/* ________________________________________________________________________________
. local structs
. ________________________________________________________________________________ */
/* ________________________________________________
. Local Procedure Calls
. ________________________________________________ */
/* Maximum number of payload bytes carried inline in an LPCMESSAGE
 * (the size of LpcMessage.MessageData below): 0x130 = 304 bytes.
 * Any copy into MessageData must be bounded by this constant, never by a
 * length field received from the peer. */
#define MAX_MESSAGE_DATA 0x130
/* Values carried in LpcMessage.MessageType. Which of these the I/O manager
 * code sends or checks for is not visible in this header. */
#define UNUSED_MSG_TYPE 0x00          /* slot not in use */
#define LPC_REQUEST 0x01              /* request expecting a reply */
#define LPC_REPLY 0x02                /* reply to a request */
#define LPC_DATAGRAM 0x03             /* one-way message, no reply */
#define LPC_LOST_REPLY 0x04
#define LPC_PORT_CLOSED 0x05
#define LPC_CLIENT_DIED 0x06
#define LPC_EXCEPTION 0x07
#define LPC_DEBUG_EVENT 0x08
#define LPC_ERROR_EVENT 0x09
#define LPC_CONNECTION_REQUEST 0x0A   /* initial connect to a port */
/* In-line LPC message: a fixed header followed by MAX_MESSAGE_DATA bytes of
 * payload.
 *
 * With the usual Windows widths (USHORT 2, ULONG 4, CCHAR 1) and default
 * alignment the header is 0x18 bytes and sizeof(LPCMESSAGE) is 0x148.
 * NOTE(review): the real size depends on the #pragma pack state in effect at
 * this point; no `#pragma pack(N)` appears in this header, only the bare
 * `#pragma pack()` reset further down, so any packing comes from an includer
 * -- confirm the intended layout there.
 *
 * Security note for consumers: the two length fields arrive from the peer.
 * Validate ActualMessageLength against MAX_MESSAGE_DATA before using it as a
 * copy or parse bound; the validation is not part of this header. */
typedef struct LpcMessage {
/* LPC Message Header */
USHORT ActualMessageLength;   /* presumably bytes of MessageData in use -- verify against the sender */
USHORT TotalMessageLength;    /* presumably header + data length */
ULONG MessageType;            /* one of UNUSED_MSG_TYPE / LPC_* above */
ULONG ClientProcessId;
ULONG ClientThreadId;
ULONG MessageId;
ULONG SharedSectionSize;      /* size of the shared section for big messages, if any */
/* Inline payload, sized for the largest message this module handles. */
CCHAR MessageData[MAX_MESSAGE_DATA];
} LPCMESSAGE, *PLPCMESSAGE;
/* Structures required for big LPC through shared section */
/* Describes a shared section used to carry data larger than MAX_MESSAGE_DATA.
 * The layout is 32-bit specific: SectionHandle is pointer-sized, while the two
 * base addresses are ULONG and cannot hold a 64-bit address. Field meanings
 * beyond their names are not documented here. */
typedef struct Unknown1 {
ULONG Length;              /* presumably sizeof(LPCSECTIONINFO) -- confirm in the caller */
HANDLE SectionHandle;
ULONG Param1;              /* meaning unknown from this header */
ULONG SectionSize;
ULONG ClientBaseAddress;   /* 32-bit address only */
ULONG ServerBaseAddress;   /* 32-bit address only */
} LPCSECTIONINFO, *PLPCSECTIONINFO;
/* Server-side view of a mapped section; same 32-bit address caveat as
 * LPCSECTIONINFO. */
typedef struct Unknown2 {
ULONG Length;              /* presumably sizeof(LPCSECTIONMAPINFO) -- confirm in the caller */
ULONG SectionSize;
ULONG ServerBaseAddress;   /* 32-bit address only */
} LPCSECTIONMAPINFO, *PLPCSECTIONMAPINFO;
/* NOTE(review): this resets structure packing to the compiler default, but no
 * matching `#pragma pack(N)` appears earlier in this header. If an includer
 * set a packing value, the struct sizes above were computed under it and it is
 * discarded here -- confirm that is intended. */
#pragma pack()
/* ________________________________________________________________________________
. pointer defs for file functions
. ________________________________________________________________________________ */
/* Pointer type matching the native NtCreateFile prototype (same parameter
 * list as NewNtCreateFile below). Presumably used to hold the original entry
 * point so the hook can forward to it; the assignment is not in this header. */
typedef NTSTATUS (*NTCREATEFILE)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize OPTIONAL,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer OPTIONAL,
ULONG EaLength
);
/* Saved original NtCreateFile entry; defined and filled in elsewhere. */
extern NTCREATEFILE OldNtCreateFile;
/* Pointer type matching the native ZwOpenFile prototype (same parameter list
 * as NewZwOpenFile below). ShareMode/OpenMode correspond to the native
 * ShareAccess/OpenOptions arguments; only the names differ. */
typedef NTSTATUS (*ZWOPENFILE)(
PHANDLE phFile,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK pIoStatusBlock,
ULONG ShareMode,
ULONG OpenMode
);
/* Saved original ZwOpenFile entry; defined and filled in elsewhere. */
extern ZWOPENFILE OldZwOpenFile;
/* ________________________________________________________________________________
. pointer defs for registry functions
. ________________________________________________________________________________ */
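/* Pointer type matching the native ZwOpenKey prototype (see the ZwOpenKey
 * declaration further down: OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES).
 *
 * The original typedef annotated DesiredAccess as IN OUT and the handle as IN,
 * which disagreed with every other ZwOpenKey declaration in this header; a
 * by-value ACCESS_MASK cannot be an output. The annotations are corrected and
 * parameter names added for readability. IN/OUT expand to nothing, so the
 * type itself is unchanged. */
typedef NTSTATUS (*ZWOPENKEY)(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
/* Saved original ZwOpenKey entry; defined and filled in elsewhere. */
extern ZWOPENKEY OldZwOpenKey;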
/* Pointer type matching the native ZwQueryKey prototype:
 * (KeyHandle, KeyInformationClass, KeyInformation, Length, ResultLength).
 * Same parameter list as NewZwQueryKey and ZwQueryKey below. */
typedef NTSTATUS (*ZWQUERYKEY)(
IN HANDLE,
IN KEY_INFORMATION_CLASS,
OUT PVOID,
IN ULONG,
OUT PULONG
);
/* Saved original ZwQueryKey entry; defined and filled in elsewhere. */
extern ZWQUERYKEY OldZwQueryKey;
/* Pointer type matching the native ZwQueryValueKey prototype:
 * (KeyHandle, ValueName, KeyValueInformationClass, KeyValueInformation,
 *  Length, ResultLength). */
typedef NTSTATUS (*ZWQUERYVALUEKEY)(
IN HANDLE,
IN PUNICODE_STRING,
IN KEY_VALUE_INFORMATION_CLASS,
OUT PVOID,
IN ULONG,
OUT PULONG
);
/* Saved original ZwQueryValueKey entry; defined and filled in elsewhere. */
extern ZWQUERYVALUEKEY OldZwQueryValueKey;
/* Pointer type matching the native ZwEnumerateValueKey prototype:
 * (KeyHandle, Index, KeyValueInformationClass, KeyValueInformation, Length,
 *  ResultLength). */
typedef NTSTATUS (*ZWENUMERATEVALUEKEY)(
IN HANDLE,
IN ULONG,
IN KEY_VALUE_INFORMATION_CLASS,
OUT PVOID,
IN ULONG,
OUT PULONG
);
/* Saved original ZwEnumerateValueKey entry; defined and filled in elsewhere. */
extern ZWENUMERATEVALUEKEY OldZwEnumerateValueKey;
/* Pointer type matching the native ZwEnumerateKey prototype:
 * (KeyHandle, Index, KeyInformationClass, KeyInformation, Length, ResultLength). */
typedef NTSTATUS (*ZWENUMERATEKEY)(
IN HANDLE,
IN ULONG,
IN KEY_INFORMATION_CLASS,
OUT PVOID,
IN ULONG,
OUT PULONG
);
/* Saved original ZwEnumerateKey entry; defined and filled in elsewhere. */
extern ZWENUMERATEKEY OldZwEnumerateKey;
/* Pointer type matching the native ZwSetValueKey prototype. This is the only
 * registry pointer type in the file that names its parameters; the others
 * rely on the positional lists in the declarations below. */
typedef NTSTATUS (*ZWSETVALUEKEY)(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
);
/* Saved original ZwSetValueKey entry; defined and filled in elsewhere. */
extern ZWSETVALUEKEY OldZwSetValueKey;
/* Pointer type matching the native ZwCreateKey prototype:
 * (KeyHandle, DesiredAccess, ObjectAttributes, TitleIndex, Class,
 *  CreateOptions, Disposition). */
typedef NTSTATUS (*ZWCREATEKEY)(
OUT PHANDLE,
IN ACCESS_MASK,
IN POBJECT_ATTRIBUTES,
IN ULONG,
IN PUNICODE_STRING,
IN ULONG,
OUT PULONG
);
/* Saved original ZwCreateKey entry; defined and filled in elsewhere. */
extern ZWCREATEKEY OldZwCreateKey;
/* Pointer type matching the native ZwDeleteValueKey prototype: (KeyHandle, ValueName). */
typedef NTSTATUS (*ZWDELETEVALUEKEY)(
IN HANDLE,
IN PUNICODE_STRING
);
/* Saved original ZwDeleteValueKey entry; defined and filled in elsewhere. */
extern ZWDELETEVALUEKEY OldZwDeleteValueKey;
/* Pointer type matching the native ZwDeleteKey prototype: (KeyHandle). */
typedef NTSTATUS (*ZWDELETEKEY)( IN HANDLE );
/* Saved original ZwDeleteKey entry; defined and filled in elsewhere. */
extern ZWDELETEKEY OldZwDeleteKey;
/* Pointer type matching the native ZwFlushKey prototype: (KeyHandle). */
typedef NTSTATUS (*ZWFLUSHKEY)( IN HANDLE );
/* Saved original ZwFlushKey entry; defined and filled in elsewhere. */
extern ZWFLUSHKEY OldZwFlushKey;
/* ________________________________________________________________________________
. prototypes for file trojan calls
. ________________________________________________________________________________ */
/* Hook replacement for NtCreateFile. The parameter list mirrors the native
 * call exactly so this function can be installed in place of the native entry;
 * the NTCREATEFILE typedef above has the same signature. Its body (and any
 * filtering it does on ObjectAttributes) lives in the .c file, not here. */
NTSYSAPI
NTSTATUS
NTAPI NewNtCreateFile(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize OPTIONAL,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer OPTIONAL,
ULONG EaLength
);
/* Hook replacement for ZwOpenFile; signature mirrors the native call and the
 * ZWOPENFILE typedef above. Body is in the .c file. */
NTSYSAPI
NTSTATUS
NTAPI NewZwOpenFile(
PHANDLE phFile,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK pIoStatusBlock,
ULONG ShareMode,
ULONG OpenMode
);
/* Hook replacement for ZwQueryDirectoryFile (directory listing); signature
 * mirrors the native call.
 * NOTE(review): unlike every other hook in this header there is no matching
 * pointer typedef or Old* extern for the saved original ZwQueryDirectoryFile;
 * it must be declared in another file -- confirm, since a hook without a
 * saved original cannot forward the call. Hooks on this routine and on the
 * registry enumeration routines below are where a caller-visible filtering of
 * results would have to happen; that logic is not visible here. */
NTSYSAPI
NTSTATUS
NTAPI
NewZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery
);
/* ________________________________________________________________________________
. prototypes for file real calls
. ________________________________________________________________________________ */
/* ________________________________________________________________________________
. prototypes for registry trojan calls
. ________________________________________________________________________________ */
/* Hook replacement for ZwOpenKey; signature mirrors the native call (see
 * ZwOpenKey below). Body is in the .c file. */
NTSYSAPI
NTSTATUS
NTAPI NewZwOpenKey(
PHANDLE phKey,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes
);
/* Hook replacement for ZwQueryKey; signature mirrors the native call. */
NTSYSAPI
NTSTATUS
NTAPI NewZwQueryKey(
HANDLE hKey,
KEY_INFORMATION_CLASS KeyInfoClass,
PVOID KeyInfoBuffer,
ULONG KeyInfoBufferLength,
PULONG BytesCopied
);
/* Hook replacement for ZwQueryValueKey; signature mirrors the native call. */
NTSYSAPI
NTSTATUS
NTAPI NewZwQueryValueKey(
HANDLE hKey,
PUNICODE_STRING uValueName,
KEY_VALUE_INFORMATION_CLASS KeyValueInfoClass,
PVOID KeyValueInfoBuffer,
ULONG KeyValueInfoBufferLength,
PULONG BytesCopied
);
/* Hook replacement for ZwEnumerateValueKey; signature mirrors the native call.
 * Any implementation that rewrites KeyValueInfoBuffer must stay within
 * KeyValueInfoBufferLength and keep BytesCopied consistent with what it
 * leaves in the buffer. */
NTSYSAPI
NTSTATUS
NTAPI NewZwEnumerateValueKey(
HANDLE hKey,
ULONG Index,
KEY_VALUE_INFORMATION_CLASS KeyValueInfoClass,
PVOID KeyValueInfoBuffer,
ULONG KeyValueInfoBufferLength,
PULONG BytesCopied
);
/* Hook replacement for ZwEnumerateKey; signature mirrors the native call.
 * Same buffer-bound caveat as NewZwEnumerateValueKey. */
NTSYSAPI
NTSTATUS
NTAPI NewZwEnumerateKey(
HANDLE hKey,
ULONG Index,
KEY_INFORMATION_CLASS KeyInfoClass,
PVOID KeyInfoBuffer,
ULONG KeyInfoBufferLength,
PULONG BytesCopied
);
/* Hook replacement for ZwDeleteKey; signature mirrors the native call. */
NTSYSAPI
NTSTATUS
NTAPI NewZwDeleteKey(
HANDLE hKey
);
/* Hook replacement for ZwFlushKey; signature mirrors the native call. */
NTSYSAPI
NTSTATUS
NTAPI NewZwFlushKey(
HANDLE hKey
);
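/* Hook replacement for ZwSetValueKey; signature mirrors the native call (see
 * ZwSetValueKey below) and the ZWSETVALUEKEY typedef above.
 * Declared once: the original header carried two identical copies of this
 * prototype back to back, which is legal C but noise that masks a real
 * divergence if one copy is ever edited. */
NTSYSAPI
NTSTATUS
NTAPI NewZwSetValueKey(
HANDLE hKey,
PUNICODE_STRING uValueName,
ULONG TitleIndex,
ULONG ValueType,
PVOID pValueData,
ULONG pValueDataLength
);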
/* Hook replacement for ZwCreateKey; signature mirrors the native call. */
NTSYSAPI
NTSTATUS
NTAPI NewZwCreateKey(
PHANDLE phKey,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG TitleIndex,
PUNICODE_STRING Class,
ULONG CreateOptions,
PULONG pDisposition
);
/* Hook replacement for ZwDeleteValueKey; signature mirrors the native call. */
NTSYSAPI
NTSTATUS
NTAPI NewZwDeleteValueKey(
IN HANDLE hKey,
IN PUNICODE_STRING pValueName
);
/* ________________________________________________________________________________
. Prototypes for registry real calls
. ________________________________________________________________________________ */
/* Native registry entry points, re-declared here in Nt/Zw pairs. These must
 * match the system's own declarations exactly; a parameter-list mismatch with
 * the DDK header would be a silent ABI error that the compiler cannot catch
 * across translation units. */
NTSYSAPI
NTSTATUS
NTAPI
NtOpenKey(
OUT PHANDLE phKey,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenKey(
OUT PHANDLE phKey,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
/* Create-or-open; pDisposition reports which happened. */
NTSYSAPI
NTSTATUS
NTAPI
NtCreateKey(
OUT PHANDLE phKey,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class,
IN ULONG CreateOptions,
OUT PULONG pDisposition
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateKey(
OUT PHANDLE phKey,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class,
IN ULONG CreateOptions,
OUT PULONG pDisposition
);
/* Native NtSetValueKey/ZwSetValueKey: writes pValueDataLength bytes of
 * pValueData under uValueName as registry type ValueType. */
NTSYSAPI
NTSTATUS
NTAPI
NtSetValueKey(
IN HANDLE hKey,
IN PUNICODE_STRING uValueName,
IN ULONG TitleIndex,
IN ULONG ValueType,
IN PVOID pValueData,
IN ULONG pValueDataLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetValueKey(
IN HANDLE hKey,
IN PUNICODE_STRING uValueName,
IN ULONG TitleIndex,
IN ULONG ValueType,
IN PVOID pValueData,
IN ULONG pValueDataLength
);
/* Native subkey enumeration: fills KeyInfoBuffer (at most KeyInfoBufferLength
 * bytes) with information about the Index-th subkey and reports the size
 * needed/used in BytesCopied. */
NTSYSAPI
NTSTATUS
NTAPI
NtEnumerateKey(
IN HANDLE hKey,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInfoClass,
OUT PVOID KeyInfoBuffer,
IN ULONG KeyInfoBufferLength,
OUT PULONG BytesCopied
);
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateKey(
IN HANDLE hKey,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInfoClass,
OUT PVOID KeyInfoBuffer,
IN ULONG KeyInfoBufferLength,
OUT PULONG BytesCopied
);
/* Native value enumeration; same buffer/length contract as the key variant. */
NTSYSAPI
NTSTATUS
NTAPI
NtEnumerateValueKey(
IN HANDLE hKey,
IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInfoClass,
OUT PVOID KeyValueInfoBuffer,
IN ULONG KeyValueInfoBufferLength,
OUT PULONG BytesCopied
);
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateValueKey(
IN HANDLE hKey,
IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInfoClass,
OUT PVOID KeyValueInfoBuffer,
IN ULONG KeyValueInfoBufferLength,
OUT PULONG BytesCopied
);
/* Native delete-value, delete-key and flush-key entry points (Nt/Zw pairs). */
NTSYSAPI
NTSTATUS
NTAPI
NtDeleteValueKey(
IN HANDLE hKey,
IN PUNICODE_STRING pValueName
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteValueKey(
IN HANDLE hKey,
IN PUNICODE_STRING pValueName
);
NTSYSAPI
NTSTATUS
NTAPI
NtDeleteKey(
IN HANDLE hKey
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteKey(
IN HANDLE hKey
);
/* Flush forces the key's hive data to disk. */
NTSYSAPI
NTSTATUS
NTAPI
NtFlushKey(
IN HANDLE hKey
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFlushKey(
IN HANDLE hKey
);
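/* Native NtInitializeRegistry/ZwInitializeRegistry. The parameter's meaning
 * is not documented in this file (hence UnknownParam).
 * The Zw form originally lacked NTSYSAPI while every other Nt/Zw pair in this
 * section carries it on both; added here for consistency. Whether that
 * changes linkage depends on how NTSYSAPI expands in this build, which is
 * not visible from the header. */
NTSYSAPI
NTSTATUS
NTAPI
NtInitializeRegistry(
IN ULONG UnknownParam
);
NTSYSAPI
NTSTATUS
NTAPI
ZwInitializeRegistry(
IN ULONG UnknownParam
);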
/* Native key/value query entry points. Callers pass a buffer and its length;
 * BytesCopied receives the size written or required. */
NTSYSAPI
NTSTATUS
NTAPI
NtQueryKey(
IN HANDLE hKey,
IN KEY_INFORMATION_CLASS KeyInfoClass,
OUT PVOID KeyInfoBuffer,
IN ULONG KeyInfoBufferLength,
OUT PULONG BytesCopied
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryKey(
IN HANDLE hKey,
IN KEY_INFORMATION_CLASS KeyInfoClass,
OUT PVOID KeyInfoBuffer,
IN ULONG KeyInfoBufferLength,
OUT PULONG BytesCopied
);
NTSYSAPI
NTSTATUS
NTAPI
NtQueryValueKey(
IN HANDLE hKey,
IN PUNICODE_STRING uValueName,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInfoClass,
OUT PVOID KeyValueInfoBuffer,
IN ULONG KeyValueInfoBufferLength,
OUT PULONG BytesCopied
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryValueKey(
IN HANDLE hKey,
IN PUNICODE_STRING uValueName,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInfoClass,
OUT PVOID KeyValueInfoBuffer,
IN ULONG KeyValueInfoBufferLength,
OUT PULONG BytesCopied
);
/* Native NtSaveKey/ZwSaveKey: writes the hive rooted at hKey to the open file
 * hFile. Not hooked in this header; declared only for direct use. */
NTSYSAPI
NTSTATUS
NTAPI
NtSaveKey(
IN HANDLE hKey,
IN HANDLE hFile
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSaveKey(
IN HANDLE hKey,
IN HANDLE hFile
);
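/* Native hive load entry points: mount the hive file named by
 * HiveFileNameAttributes at the registry path named by KeyNameAttributes.
 * NtLoadKey2/ZwLoadKey2 take an extra ulFlags argument whose values are not
 * documented here. Not hooked in this header.
 * ZwLoadKey2 originally lacked NTSYSAPI while its Nt twin and every other
 * pair in this section carry it; added for consistency (linkage effect, if
 * any, depends on the build's NTSYSAPI definition). */
NTSYSAPI
NTSTATUS
NTAPI
NtLoadKey(
IN POBJECT_ATTRIBUTES KeyNameAttributes,
IN POBJECT_ATTRIBUTES HiveFileNameAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLoadKey(
IN POBJECT_ATTRIBUTES KeyNameAttributes,
IN POBJECT_ATTRIBUTES HiveFileNameAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
NtLoadKey2(
IN POBJECT_ATTRIBUTES KeyNameAttributes,
IN POBJECT_ATTRIBUTES HiveFileNameAttributes,
IN ULONG ulFlags
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLoadKey2(
IN POBJECT_ATTRIBUTES KeyNameAttributes,
IN POBJECT_ATTRIBUTES HiveFileNameAttributes,
IN ULONG ulFlags
);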
/* Native NtUnloadKey: unmounts the hive at KeyNameAttributes. Only the Nt
 * form is declared; there is no ZwUnloadKey twin here.
 * NOTE(review): the `#endif` that closes the __RK_IOMAN_H__ include guard
 * opened at the top of this file is not present in this listing -- either the
 * file is truncated or the guard is unterminated; confirm against the
 * original. */
NTSYSAPI
NTSTATUS
NTAPI
NtUnloadKey(
IN POBJECT_ATTRIBUTES KeyNameAttributes
);