104 lines
2.5 KiB
C
104 lines
2.5 KiB
C
/*++
|
|
|
|
Copyright (c) 1997 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
SIOCTL.H
|
|
|
|
Abstract:
|
|
|
|
|
|
Defines the IOCTL codes that will be used by this driver. The IOCTL code
|
|
contains a command identifier, plus other information about the device,
|
|
the type of access with which the file must have been opened,
|
|
and the type of buffering.
|
|
|
|
Environment:
|
|
|
|
Kernel mode only.
|
|
|
|
--*/
|
|
|
|
#ifndef _IOCTL_PROTOCOL_H
|
|
#define _IOCTL_PROTOCOL_H
|
|
|
|
// Device type
|
|
#define SIOCTL_TYPE 40000 // 32768 to 65535
|
|
|
|
// The IOCTL function codes from 0x800 to 0xFFF are for customer use.
|
|
#define IOCTL_SETUP_OFFSETS \
|
|
CTL_CODE(SIOCTL_TYPE, 0x900, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
|
|
|
|
#define GET_KERNEL_BASE \
|
|
CTL_CODE(SIOCTL_TYPE, 0x901, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
|
|
|
|
#define SCAN_PS_ACTIVE_HEAD \
|
|
CTL_CODE(SIOCTL_TYPE, 0x902, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
|
|
#define SCAN_POOL \
|
|
CTL_CODE(SIOCTL_TYPE, 0x903, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
|
|
|
|
#define SCAN_POOL_REMOTE \
|
|
CTL_CODE(SIOCTL_TYPE, 0x904, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
|
|
|
|
#define DEREFERENCE_ADDRESS \
|
|
CTL_CODE(SIOCTL_TYPE, 0xA00, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
|
|
|
|
#define HIDE_PROCESS_BY_NAME \
|
|
CTL_CODE(SIOCTL_TYPE, 0xA01, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
|
|
|
|
#define DRIVER_FUNC_INSTALL 0x01
|
|
#define DRIVER_FUNC_REMOVE 0x02
|
|
|
|
#define DRIVER_NAME "poolscanner"
|
|
|
|
typedef struct _OFFSET_VALUE {
|
|
ULONG64 eprocessNameOffset;
|
|
ULONG64 eprocessLinkOffset;
|
|
ULONG64 listBLinkOffset;
|
|
ULONG64 processHeadOffset;
|
|
ULONG64 miStateOffset;
|
|
ULONG64 hardwareOffset;
|
|
ULONG64 systemNodeOffset;
|
|
ULONG64 firstVaOffset;
|
|
ULONG64 lastVaOffset;
|
|
ULONG64 largePageTableOffset;
|
|
ULONG64 largePageSizeOffset;
|
|
ULONG64 poolChunkSize;
|
|
} OFFSET_VALUES, *POFFSET_VALUE;
|
|
|
|
typedef struct _DEREF_ADDR {
|
|
ULONG64 addr;
|
|
ULONG64 size; // bytes
|
|
} DEREF_ADDR, *PDEREF_ADDR;
|
|
|
|
typedef struct _SCAN_RANGE {
|
|
ULONG64 start;
|
|
ULONG64 end;
|
|
ULONG tag;
|
|
} SCAN_RANGE, *PSCAN_RANGE;
|
|
|
|
typedef struct _HIDE_PROCESS {
|
|
CHAR name[15];
|
|
ULONG64 size;
|
|
} HIDE_PROCESS, *PHIDE_PROCESS;
|
|
|
|
typedef union _INPUT_DATA {
|
|
OFFSET_VALUES offsetValues;
|
|
DEREF_ADDR derefAddr;
|
|
SCAN_RANGE scanRange;
|
|
HIDE_PROCESS processHide;
|
|
} INPUT_DATA, *PINPUT_DATA;
|
|
|
|
typedef struct _POOL_CHUNK {
|
|
ULONG64 addr;
|
|
} POOL_CHUNK, *PPOOL_CHUNK;
|
|
|
|
typedef union _OUTPUT_DATA {
|
|
ULONG64 ulong64Value; // for gereral addresses, value fit in 64 bit
|
|
POOL_CHUNK poolChunk;
|
|
} OUTPUT_DATA, *POUTPUT_DATA;
|
|
|
|
#endif
|