-
Notifications
You must be signed in to change notification settings - Fork 14
/
Detours.h
6472 lines (5933 loc) · 191 KB
/
Detours.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#pragma once
#ifndef _DETOURS_H_
#define _DETOURS_H_
#pragma warning(push)
#pragma warning(disable : 4201)
// Default
#define NOMINMAX
#include <Windows.h>
#include <TlHelp32.h>
// Advanced
#include <intrin.h>
#include <mmintrin.h> // MMX
#include <xmmintrin.h> // SSE
#include <emmintrin.h> // SSE2
#include <pmmintrin.h> // SSE3
#include <tmmintrin.h> // SSSE3
#include <smmintrin.h> // SSE4.1
#include <nmmintrin.h> // SSE4.2
#include <immintrin.h> // AVX, AVX2, AVX-512, AMX, SVML
// STL
#include <array>
#include <set>
#include <list>
#include <deque>
#include <mutex>
#include <vector>
#include <memory>
// ----------------------------------------------------------------
// General definitions
// ----------------------------------------------------------------
// MSVC - Linker
#define LINKER_OPTION(OPTION) __pragma(comment(linker, OPTION))
// MSVC - Symbols
#define INCLUDE(SYMBOL_NAME) LINKER_OPTION("/INCLUDE:" SYMBOL_NAME)
#define SELF_INCLUDE INCLUDE(__FUNCDNAME__)
#define EXPORT(SYMBOL_NAME, ALIAS_NAME) LINKER_OPTION("/EXPORT:" ALIAS_NAME "=" SYMBOL_NAME)
#define SELF_EXPORT(ALIAS_NAME) EXPORT(__FUNCDNAME__, ALIAS_NAME)
// MSVC - Sections
#define DECLARE_SECTION(NAME) __pragma(section(NAME))
#define SECTION_READONLY "R"
#define SECTION_READWRITE "RW"
#define SECTION_EXECUTE_READ "ER"
#define SECTION_EXECUTE_READWRITE "ERW"
#define DEFINE_SECTION(NAME, ATTRIBUTES) LINKER_OPTION("/SECTION:" NAME "," ATTRIBUTES)
#define DEFINE_IN_SECTION(NAME) __declspec(allocate(NAME))
#define DEFINE_IN_CODE_SECTION(NAME) __declspec(code_seg(NAME))
#ifndef PROCESSOR_FEATURE_MAX
#define PROCESSOR_FEATURE_MAX 64
#endif // !PROCESSOR_FEATURE_MAX
#ifndef RTL_MAX_DRIVE_LETTERS
#define RTL_MAX_DRIVE_LETTERS 32
#endif // !RTL_MAX_DRIVE_LETTERS
#ifndef GDI_HANDLE_BUFFER_SIZE32
#define GDI_HANDLE_BUFFER_SIZE32 34
#endif // !GDI_HANDLE_BUFFER_SIZE32
#ifndef GDI_HANDLE_BUFFER_SIZE64
#define GDI_HANDLE_BUFFER_SIZE64 60
#endif // !GDI_HANDLE_BUFFER_SIZE64
#ifndef GDI_BATCH_BUFFER_SIZE
#define GDI_BATCH_BUFFER_SIZE 310
#endif // !GDI_BATCH_BUFFER_SIZE
#ifdef _M_X64
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#elif _M_IX86
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
#else
#error Only x86 and x86_64 platforms are supported.
#endif
// rddisasm
#define RD_PREF_REP 0x0001
#define RD_PREF_REPC 0x0002
#define RD_PREF_LOCK 0x0004
#define RD_PREF_HLE 0x0008
#define RD_PREF_XACQUIRE 0x0010
#define RD_PREF_XRELEASE 0x0020
#define RD_PREF_BND 0x0040
#define RD_PREF_BHINT 0x0080
#define RD_PREF_HLE_WO_LOCK 0x0100
#define RD_PREF_DNT 0x0200
#define RD_MOD_R0 0x00000001
#define RD_MOD_R1 0x00000002
#define RD_MOD_R2 0x00000004
#define RD_MOD_R3 0x00000008
#define RD_MOD_REAL 0x00000010
#define RD_MOD_V8086 0x00000020
#define RD_MOD_PROT 0x00000040
#define RD_MOD_COMPAT 0x00000080
#define RD_MOD_LONG 0x00000100
#define RD_MOD_SMM 0x00001000
#define RD_MOD_SMM_OFF 0x00002000
#define RD_MOD_SGX 0x00004000
#define RD_MOD_SGX_OFF 0x00008000
#define RD_MOD_TSX 0x00010000
#define RD_MOD_TSX_OFF 0x00020000
#define RD_MOD_VMXR 0x00040000
#define RD_MOD_VMXN 0x00080000
#define RD_MOD_VMXR_SEAM 0x00100000
#define RD_MOD_VMXN_SEAM 0x00200000
#define RD_MOD_VMX_OFF 0x00400000
#define RD_MOD_RING_MASK 0x0000000F
#define RD_MOD_MODE_MASK 0x000001F0
#define RD_MOD_OTHER_MASK 0x0003F000
#define RD_MOD_VMX_MASK 0x007C0000
#define RD_MOD_ANY 0xFFFFFFFF
#define RD_DECO_ER 0x01
#define RD_DECO_SAE 0x02
#define RD_DECO_ZERO 0x04
#define RD_DECO_MASK 0x08
#define RD_DECO_BROADCAST 0x10
#define RD_OPS_CNT(EXPO, IMPO) ((EXPO) | ((IMPO) << 4))
#define RD_EXP_OPS_CNT(CNT) ((CNT) & 0xF)
#define RD_IMP_OPS_CNT(CNT) ((CNT) >> 4)
#define RD_FLAG_MODRM 0x00000001
#define RD_FLAG_F64 0x00000002
#define RD_FLAG_D64 0x00000004
#define RD_FLAG_O64 0x00000008
#define RD_FLAG_I64 0x00000010
#define RD_FLAG_COND 0x00000020
#define RD_FLAG_SSE_CONDB 0x00000040
#define RD_FLAG_VSIB 0x00000080
#define RD_FLAG_MIB 0x00000100
#define RD_FLAG_LIG 0x00000200
#define RD_FLAG_WIG 0x00000400
#define RD_FLAG_3DNOW 0x00000800
#define RD_FLAG_LOCK_SPECIAL 0x00001000
#define RD_FLAG_MMASK 0x00002000
#define RD_FLAG_NOMZ 0x00004000
#define RD_FLAG_NOL0 0x00008000
#define RD_FLAG_NOA16 0x00010000
#define RD_FLAG_MFR 0x00020000
#define RD_FLAG_VECTOR 0x00040000
#define RD_FLAG_S66 0x00080000
#define RD_FLAG_BITBASE 0x00100000
#define RD_FLAG_AG 0x00200000
#define RD_FLAG_SHS 0x00400000
#define RD_FLAG_CETT 0x00800000
#define RD_FLAG_SERIAL 0x01000000
#define RD_FLAG_NO_RIP_REL 0x02000000
#define RD_FLAG_NO66 0x04000000
#define RD_FLAG_SIBMEM 0x08000000
#define RD_FLAG_I67 0x10000000
#define RD_FLAG_IER 0x20000000
#define RD_FLAG_IWO64 0x40000000
#define RDR_RFLAG_CF (1 << 0)
#define RDR_RFLAG_PF (1 << 2)
#define RDR_RFLAG_AF (1 << 4)
#define RDR_RFLAG_ZF (1 << 6)
#define RDR_RFLAG_SF (1 << 7)
#define RDR_RFLAG_TF (1 << 8)
#define RDR_RFLAG_IF (1 << 9)
#define RDR_RFLAG_DF (1 << 10)
#define RDR_RFLAG_OF (1 << 11)
#define RDR_RFLAG_IOPL (3 << 12)
#define RDR_RFLAG_NT (1 << 14)
#define RDR_RFLAG_RF (1 << 16)
#define RDR_RFLAG_VM (1 << 17)
#define RDR_RFLAG_AC (1 << 18)
#define RDR_RFLAG_VIF (1 << 19)
#define RDR_RFLAG_VIP (1 << 20)
#define RDR_RFLAG_ID (1 << 21)
#define RD_CFF_NO_LEAF 0xFFFFFFFF
#define RD_CFF_NO_SUBLEAF 0x00FFFFFF
#define RD_CFF(LEAF, SUBLEAF, REG, BIT) (static_cast<unsigned long long>(LEAF) | (static_cast<unsigned long long>((SUBLEAF) & 0xFFFFFF) << 32) | (static_cast<unsigned long long>(REG) << 56) | (static_cast<unsigned long long>(BIT) << 59))
#define RD_CFF_FPU RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 0)
#define RD_CFF_MSR RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 5)
#define RD_CFF_CX8 RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 8)
#define RD_CFF_SEP RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 11)
#define RD_CFF_CMOV RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 15)
#define RD_CFF_CLFSH RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 19)
#define RD_CFF_MMX RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 23)
#define RD_CFF_FXSAVE RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 24)
#define RD_CFF_SSE RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 25)
#define RD_CFF_SSE2 RD_CFF(0x00000001, 0xFFFFFFFF, RDR_EDX, 26)
#define RD_CFF_SSE3 RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 0)
#define RD_CFF_PCLMULQDQ RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 1)
#define RD_CFF_MONITOR RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 3)
#define RD_CFF_VTX RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 5)
#define RD_CFF_SMX RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 6)
#define RD_CFF_SSSE3 RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 9)
#define RD_CFF_FMA RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 12)
#define RD_CFF_SSE4 RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 19)
#define RD_CFF_SSE42 RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 20)
#define RD_CFF_MOVBE RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 22)
#define RD_CFF_POPCNT RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 23)
#define RD_CFF_AES RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 25)
#define RD_CFF_XSAVE RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 26)
#define RD_CFF_AVX RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 28)
#define RD_CFF_F16C RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 29)
#define RD_CFF_RDRAND RD_CFF(0x00000001, 0xFFFFFFFF, RDR_ECX, 30)
#define RD_CFF_RDWRFSGS RD_CFF(0x00000007, 0x00000000, RDR_EBX, 0)
#define RD_CFF_SGX RD_CFF(0x00000007, 0x00000000, RDR_EBX, 2)
#define RD_CFF_BMI1 RD_CFF(0x00000007, 0x00000000, RDR_EBX, 3)
#define RD_CFF_HLE RD_CFF(0x00000007, 0x00000000, RDR_EBX, 4)
#define RD_CFF_AVX2 RD_CFF(0x00000007, 0x00000000, RDR_EBX, 5)
#define RD_CFF_BMI2 RD_CFF(0x00000007, 0x00000000, RDR_EBX, 8)
#define RD_CFF_INVPCID RD_CFF(0x00000007, 0x00000000, RDR_EBX, 10)
#define RD_CFF_RTM RD_CFF(0x00000007, 0x00000000, RDR_EBX, 11)
#define RD_CFF_MPX RD_CFF(0x00000007, 0x00000000, RDR_EBX, 14)
#define RD_CFF_AVX512F RD_CFF(0x00000007, 0x00000000, RDR_EBX, 16)
#define RD_CFF_AVX512DQ RD_CFF(0x00000007, 0x00000000, RDR_EBX, 17)
#define RD_CFF_RDSEED RD_CFF(0x00000007, 0x00000000, RDR_EBX, 18)
#define RD_CFF_ADX RD_CFF(0x00000007, 0x00000000, RDR_EBX, 19)
#define RD_CFF_SMAP RD_CFF(0x00000007, 0x00000000, RDR_EBX, 20)
#define RD_CFF_AVX512IFMA RD_CFF(0x00000007, 0x00000000, RDR_EBX, 21)
#define RD_CFF_CLFSHOPT RD_CFF(0x00000007, 0x00000000, RDR_EBX, 23)
#define RD_CFF_CLWB RD_CFF(0x00000007, 0x00000000, RDR_EBX, 24)
#define RD_CFF_AVX512PF RD_CFF(0x00000007, 0x00000000, RDR_EBX, 26)
#define RD_CFF_AVX512ER RD_CFF(0x00000007, 0x00000000, RDR_EBX, 27)
#define RD_CFF_AVX512CD RD_CFF(0x00000007, 0x00000000, RDR_EBX, 28)
#define RD_CFF_SHA RD_CFF(0x00000007, 0x00000000, RDR_EBX, 29)
#define RD_CFF_AVX512BW RD_CFF(0x00000007, 0x00000000, RDR_EBX, 30)
#define RD_CFF_PREFETCHWT1 RD_CFF(0x00000007, 0x00000000, RDR_ECX, 0)
#define RD_CFF_AVX512VBMI RD_CFF(0x00000007, 0x00000000, RDR_ECX, 1)
#define RD_CFF_PKU RD_CFF(0x00000007, 0x00000000, RDR_ECX, 3)
#define RD_CFF_WAITPKG RD_CFF(0x00000007, 0x00000000, RDR_ECX, 5)
#define RD_CFF_AVX512VBMI2 RD_CFF(0x00000007, 0x00000000, RDR_ECX, 6)
#define RD_CFF_CET_SS RD_CFF(0x00000007, 0x00000000, RDR_ECX, 7)
#define RD_CFF_GFNI RD_CFF(0x00000007, 0x00000000, RDR_ECX, 8)
#define RD_CFF_VAES RD_CFF(0x00000007, 0x00000000, RDR_ECX, 9)
#define RD_CFF_VPCLMULQDQ RD_CFF(0x00000007, 0x00000000, RDR_ECX, 10)
#define RD_CFF_AVX512VNNI RD_CFF(0x00000007, 0x00000000, RDR_ECX, 11)
#define RD_CFF_AVX512BITALG RD_CFF(0x00000007, 0x00000000, RDR_ECX, 12)
#define RD_CFF_AVX512VPOPCNTDQ RD_CFF(0x00000007, 0x00000000, RDR_ECX, 14)
#define RD_CFF_RDPID RD_CFF(0x00000007, 0x00000000, RDR_ECX, 22)
#define RD_CFF_KL RD_CFF(0x00000007, 0x00000000, RDR_ECX, 23)
#define RD_CFF_CLDEMOTE RD_CFF(0x00000007, 0x00000000, RDR_ECX, 25)
#define RD_CFF_MOVDIRI RD_CFF(0x00000007, 0x00000000, RDR_ECX, 27)
#define RD_CFF_MOVDIR64B RD_CFF(0x00000007, 0x00000000, RDR_ECX, 28)
#define RD_CFF_ENQCMD RD_CFF(0x00000007, 0x00000000, RDR_ECX, 29)
#define RD_CFF_AVX5124VNNIW RD_CFF(0x00000007, 0x00000000, RDR_EDX, 2)
#define RD_CFF_AVX5124FMAPS RD_CFF(0x00000007, 0x00000000, RDR_EDX, 3)
#define RD_CFF_UINTR RD_CFF(0x00000007, 0x00000000, RDR_EDX, 5)
#define RD_CFF_AVX512VP2INTERSECT RD_CFF(0x00000007, 0x00000000, RDR_EDX, 8)
#define RD_CFF_SERIALIZE RD_CFF(0x00000007, 0x00000000, RDR_EDX, 14)
#define RD_CFF_TSXLDTRK RD_CFF(0x00000007, 0x00000000, RDR_EDX, 16)
#define RD_CFF_PCONFIG RD_CFF(0x00000007, 0x00000000, RDR_EDX, 18)
#define RD_CFF_CET_IBT RD_CFF(0x00000007, 0x00000000, RDR_EDX, 20)
#define RD_CFF_AMXBF16 RD_CFF(0x00000007, 0x00000000, RDR_EDX, 22)
#define RD_CFF_AVX512FP16 RD_CFF(0x00000007, 0x00000000, RDR_EDX, 23)
#define RD_CFF_AMXTILE RD_CFF(0x00000007, 0x00000000, RDR_EDX, 24)
#define RD_CFF_AMXINT8 RD_CFF(0x00000007, 0x00000000, RDR_EDX, 25)
#define RD_CFF_SHA512 RD_CFF(0x00000007, 0x00000001, RDR_EAX, 0)
#define RD_CFF_SM3 RD_CFF(0x00000007, 0x00000001, RDR_EAX, 1)
#define RD_CFF_SM4 RD_CFF(0x00000007, 0x00000001, RDR_EAX, 2)
#define RD_CFF_RAOINT RD_CFF(0x00000007, 0x00000001, RDR_EAX, 3)
#define RD_CFF_AVXVNNI RD_CFF(0x00000007, 0x00000001, RDR_EAX, 4)
#define RD_CFF_AVX512BF16 RD_CFF(0x00000007, 0x00000001, RDR_EAX, 5)
#define RD_CFF_CMPCCXADD RD_CFF(0x00000007, 0x00000001, RDR_EAX, 7)
#define RD_CFF_FRED RD_CFF(0x00000007, 0x00000001, RDR_EAX, 17)
#define RD_CFF_LKGS RD_CFF(0x00000007, 0x00000001, RDR_EAX, 18)
#define RD_CFF_WRMSRNS RD_CFF(0x00000007, 0x00000001, RDR_EAX, 19)
#define RD_CFF_AMXFP16 RD_CFF(0x00000007, 0x00000001, RDR_EAX, 21)
#define RD_CFF_HRESET RD_CFF(0x00000007, 0x00000001, RDR_EAX, 22)
#define RD_CFF_AVXIFMA RD_CFF(0x00000007, 0x00000001, RDR_EAX, 23)
#define RD_CFF_MSRLIST RD_CFF(0x00000007, 0x00000001, RDR_EAX, 27)
#define RD_CFF_TSE RD_CFF(0x00000007, 0x00000001, RDR_EBX, 1)
#define RD_CFF_AVXVNNIINT8 RD_CFF(0x00000007, 0x00000001, RDR_EDX, 4)
#define RD_CFF_AVXNECONVERT RD_CFF(0x00000007, 0x00000001, RDR_EDX, 5)
#define RD_CFF_AMXCOMPLEX RD_CFF(0x00000007, 0x00000001, RDR_EDX, 8)
#define RD_CFF_AVXVNNIINT16 RD_CFF(0x00000007, 0x00000001, RDR_EDX, 10)
#define RD_CFF_PREFETCHITI RD_CFF(0x00000007, 0x00000001, RDR_EDX, 14)
#define RD_CFF_XSAVEOPT RD_CFF(0x0000000D, 0x00000001, RDR_EAX, 0)
#define RD_CFF_XSAVEC RD_CFF(0x0000000D, 0x00000001, RDR_EAX, 1)
#define RD_CFF_XSAVES RD_CFF(0x0000000D, 0x00000001, RDR_EAX, 3)
#define RD_CFF_PTWRITE RD_CFF(0x00000014, 0x00000000, RDR_EBX, 4)
#define RD_CFF_SVM RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 2)
#define RD_CFF_LZCNT RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 5)
#define RD_CFF_SSE4A RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 6)
#define RD_CFF_PREFETCHW RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 8)
#define RD_CFF_FSC RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 11)
#define RD_CFF_XOP RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 11)
#define RD_CFF_LWP RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 15)
#define RD_CFF_FMA4 RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 16)
#define RD_CFF_TBM RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 21)
#define RD_CFF_INVLPGB RD_CFF(0x80000001, 0xFFFFFFFF, RDR_EDX, 24)
#define RD_CFF_RDTSCP RD_CFF(0x80000001, 0xFFFFFFFF, RDR_ECX, 27)
#define RD_CFF_3DNOW RD_CFF(0x80000001, 0xFFFFFFFF, RDR_EDX, 31)
#define RD_CFF_WBNOINVD RD_CFF(0x80000008, 0xFFFFFFFF, RDR_EBX, 9)
#define RD_CFF_RDPRU RD_CFF(0x80000008, 0xFFFFFFFF, RDR_EBX, 4)
#define RD_CFF_MCOMMIT RD_CFF(0x80000008, 0xFFFFFFFF, RDR_EBX, 8)
#define RD_CFF_SNP RD_CFF(0x8000001F, 0xFFFFFFFF, RDR_EAX, 4)
#define RD_CFF_RMPQUERY RD_CFF(0x8000001F, 0xFFFFFFFF, RDR_EAX, 6)
#define RD_SUCCESS(STATUS) ((STATUS) < 0x80000000)
#define RD_STATUS_SUCCESS 0x00000000
#define RD_STATUS_HINT_OPERARD_NOT_USED 0x00000001
#define RD_STATUS_BUFFER_TOO_SMALL 0x80000001
#define RD_STATUS_INVALID_ENCODING 0x80000002
#define RD_STATUS_INSTRUCTION_TOO_LONG 0x80000003
#define RD_STATUS_INVALID_PREFIX_SEQUENCE 0x80000004
#define RD_STATUS_INVALID_REGISTER_IN_INSTRUCTION 0x80000005
#define RD_STATUS_XOP_WITH_PREFIX 0x80000006
#define RD_STATUS_VEX_WITH_PREFIX 0x80000007
#define RD_STATUS_EVEX_WITH_PREFIX 0x80000008
#define RD_STATUS_INVALID_ENCODING_IN_MODE 0x80000009
#define RD_STATUS_BAD_LOCK_PREFIX 0x8000000A
#define RD_STATUS_CS_LOAD 0x8000000B
#define RD_STATUS_66_NOT_ACCEPTED 0x8000000C
#define RD_STATUS_16_BIT_ADDRESSING_NOT_SUPPORTED 0x8000000D
#define RD_STATUS_RIP_REL_ADDRESSING_NOT_SUPPORTED 0x8000000E
#define RD_STATUS_VSIB_WITHOUT_SIB 0x80000030
#define RD_STATUS_INVALID_VSIB_REGS 0x80000031
#define RD_STATUS_VEX_VVVV_MUST_BE_ZERO 0x80000032
#define RD_STATUS_MASK_NOT_SUPPORTED 0x80000033
#define RD_STATUS_MASK_REQUIRED 0x80000034
#define RD_STATUS_ER_SAE_NOT_SUPPORTED 0x80000035
#define RD_STATUS_ZEROING_NOT_SUPPORTED 0x80000036
#define RD_STATUS_ZEROING_ON_MEMORY 0x80000037
#define RD_STATUS_ZEROING_NO_MASK 0x80000038
#define RD_STATUS_BROADCAST_NOT_SUPPORTED 0x80000039
#define RD_STATUS_BAD_EVEX_V_PRIME 0x80000040
#define RD_STATUS_BAD_EVEX_LL 0x80000041
#define RD_STATUS_SIBMEM_WITHOUT_SIB 0x80000042
#define RD_STATUS_INVALID_TILE_REGS 0x80000043
#define RD_STATUS_INVALID_DEST_REGS 0x80000044
#define RD_STATUS_INVALID_PARAMETER 0x80000100
#define RD_STATUS_INVALID_INSTRUX 0x80000101
#define RD_STATUS_BUFFER_OVERFLOW 0x80000103
#define RD_STATUS_INTERNAL_ERROR 0x80000200
#define RDR_IA32_TSC 0x00000010
#define RDR_IA32_SYSENTER_CS 0x00000174
#define RDR_IA32_SYSENTER_ESP 0x00000175
#define RDR_IA32_SYSENTER_EIP 0x00000176
#define RDR_IA32_STAR 0xC0000081
#define RDR_IA32_LSTAR 0xC0000082
#define RDR_IA32_FMASK 0xC0000084
#define RDR_IA32_FS_BASE 0xC0000100
#define RDR_IA32_GS_BASE 0xC0000101
#define RDR_IA32_KERNEL_GS_BASE 0xC0000102
#define RDR_IA32_TSC_AUX 0xC0000103
#define RDR_MSR_ANY 0xFFFFFFFF
#define RD_VERD_ANY 0
#define RD_VERD_INTEL 1
#define RD_VERD_AMD 2
#define RD_VERD_GEODE 3
#define RD_VERD_CYRIX 4
#define RD_FEAT_NONE 0x00
#define RD_FEAT_MPX 0x01
#define RD_FEAT_CET 0x02
#define RD_FEAT_CLDEMOTE 0x04
#define RD_FEAT_PITI 0x08
#define RD_FEAT_ALL 0xFF
#define RD_CODE_16 0
#define RD_CODE_32 1
#define RD_CODE_64 2
#define RD_DATA_16 0
#define RD_DATA_32 1
#define RD_DATA_64 2
#define RD_STACK_16 0
#define RD_STACK_32 1
#define RD_STACK_64 2
#define RD_ADDR_16 0
#define RD_ADDR_32 1
#define RD_ADDR_64 2
#define RD_OPSZ_16 0
#define RD_OPSZ_32 1
#define RD_OPSZ_64 2
#define RD_VECM_128 0
#define RD_VECM_256 1
#define RD_VECM_512 2
#define RD_ENCM_LEGACY 0
#define RD_ENCM_XOP 1
#define RD_ENCM_VEX 2
#define RD_ENCM_EVEX 3
#define RD_VEXM_2B 0
#define RD_VEXM_3B 1
#define RD_SIZE_8BIT 1
#define RD_SIZE_16BIT 2
#define RD_SIZE_32BIT 4
#define RD_SIZE_48BIT 6
#define RD_SIZE_64BIT 8
#define RD_SIZE_80BIT 10
#define RD_SIZE_112BIT 14
#define RD_SIZE_128BIT 16
#define RD_SIZE_224BIT 28
#define RD_SIZE_256BIT 32
#define RD_SIZE_384BIT 48
#define RD_SIZE_512BIT 64
#define RD_SIZE_752BIT 94
#define RD_SIZE_864BIT 108
#define RD_SIZE_4096BIT 512
#define RD_SIZE_1KB 1024
#define RD_SIZE_CACHE_LINE 0xFFFFFFFE
#define RD_SIZE_UNKNOWN 0xFFFFFFFF
#define RD_PREFIX_G0_LOCK 0xF0
#define RD_PREFIX_G1_REPNE_REPNZ 0xF2
#define RD_PREFIX_G1_XACQUIRE 0xF2
#define RD_PREFIX_G1_REPE_REPZ 0xF3
#define RD_PREFIX_G1_XRELEASE 0xF3
#define RD_PREFIX_G1_BND 0xF2
#define RD_PREFIX_G2_SEG_CS 0x2E
#define RD_PREFIX_G2_SEG_SS 0x36
#define RD_PREFIX_G2_SEG_DS 0x3E
#define RD_PREFIX_G2_SEG_ES 0x26
#define RD_PREFIX_G2_SEG_FS 0x64
#define RD_PREFIX_G2_SEG_GS 0x65
#define RD_PREFIX_G2_BR_NOT_TAKEN 0x2E
#define RD_PREFIX_G2_BR_TAKEN 0x3E
#define RD_PREFIX_G2_BR_ALT 0x64
#define RD_PREFIX_G2_NO_TRACK 0x3E
#define RD_PREFIX_G3_OPERARD_SIZE 0x66
#define RD_PREFIX_G4_ADDR_SIZE 0x67
#define RD_PREFIX_REX_MIN 0x40
#define RD_PREFIX_REX_MAX 0x4F
#define RD_PREFIX_VEX_2B 0xC5
#define RD_PREFIX_VEX_3B 0xC4
#define RD_PREFIX_XOP 0x8F
#define RD_PREFIX_EVEX 0x62
#define RD_ACCESS_NONE 0x00
#define RD_ACCESS_READ 0x01
#define RD_ACCESS_WRITE 0x02
#define RD_ACCESS_CORD_READ 0x04
#define RD_ACCESS_CORD_WRITE 0x08
#define RD_ACCESS_ANY_READ (RD_ACCESS_READ | RD_ACCESS_CORD_READ)
#define RD_ACCESS_ANY_WRITE (RD_ACCESS_WRITE | RD_ACCESS_CORD_WRITE)
#define RD_ACCESS_PREFETCH 0x10
#define RD_CORD_OVERFLOW 0x0
#define RD_CORD_CARRY 0x2
#define RD_CORD_BELOW 0x2
#define RD_CORD_NOT_ABOVE_OR_EQUAL 0x2
#define RD_CORD_ZERO 0x4
#define RD_CORD_EQUAL 0x4
#define RD_CORD_BELOW_OR_EQUAL 0x6
#define RD_CORD_NOT_ABOVE 0x6
#define RD_CORD_SIGN 0x8
#define RD_CORD_PARITY 0xA
#define RD_CORD_LESS 0xC
#define RD_CORD_LESS_OR_EQUAL 0xE
#define RD_CORD_NOT(X) ((X) | 0x1)
#define RD_PRED_OVERFLOW 0x0
#define RD_PRED_CARRY 0x2
#define RD_PRED_BELOW 0x2
#define RD_PRED_NOT_ABOVE_OR_EQUAL 0x2
#define RD_PRED_ZERO 0x4
#define RD_PRED_EQUAL 0x4
#define RD_PRED_BELOW_OR_EQUAL 0x6
#define RD_PRED_NOT_ABOVE 0x6
#define RD_PRED_SIGN 0x8
#define RD_PRED_PARITY 0xA
#define RD_PRED_LESS 0xC
#define RD_PRED_LESS_OR_EQUAL 0xE
#define RD_PRED_NOT(X) ((X) | 0x1)
#define RD_SSE_CORD_EQ 0x00
#define RD_SSE_CORD_LT 0x01
#define RD_SSE_CORD_LE 0x02
#define RD_SSE_CORD_UNORD 0x03
#define RD_SSE_COfalse1 0x03
#define RD_SSE_CORD_NEQ 0x04
#define RD_SSE_CORD_NLT 0x05
#define RD_SSE_CORD_NLE 0x06
#define RD_SSE_CORD_ORD 0x07
#define RD_SSE_COtrue1 0x07
#define RD_SSE_CORD_EQ_UQ 0x08
#define RD_SSE_CORD_NGE 0x09
#define RD_SSE_CORD_NGT 0x0A
#define RD_SSE_COfalse 0x0B
#define RD_SSE_CORD_NEQ_OQ 0x0C
#define RD_SSE_CORD_GE 0x0D
#define RD_SSE_CORD_GT 0x0E
#define RD_SSE_COtrue 0x0F
#define RD_SSE_CORD_EQ_OS 0x10
#define RD_SSE_CORD_LT_OQ 0x11
#define RD_SSE_CORD_LE_OQ 0x12
#define RD_SSE_CORD_UNORD_S 0x13
#define RD_SSE_CORD_NEQ_US 0x14
#define RD_SSE_CORD_NLT_UQ 0x15
#define RD_SSE_CORD_NLE_UQ 0x16
#define RD_SSE_CORD_ORD_S 0x17
#define RD_SSE_CORD_EQ_US 0x18
#define RD_SSE_CORD_NGE_UQ 0x19
#define RD_SSE_CORD_NGT_UQ 0x1A
#define RD_SSE_COfalse_OS 0x1B
#define RD_SSE_CORD_NEQ_OS 0x1C
#define RD_SSE_CORD_GE_OQ 0x1D
#define RD_SSE_CORD_GT_OQ 0x1E
#define RD_SSE_COtrue_US 0x1F
#define RD_MAX_INSTRUCTION_LENGTH 15
#define RD_MAX_MNEMONIC_LENGTH 32
#define RD_MIN_BUF_SIZE 128
#define RD_MAX_OPERAND 10
#define RD_MAX_REGISTER_SIZE 64
#define RD_MAX_GPR_REGS 16
#define RD_MAX_SEG_REGS 8
#define RD_MAX_FPU_REGS 8
#define RD_MAX_MMX_REGS 8
#define RD_MAX_SSE_REGS 32
#define RD_MAX_CR_REGS 16
#define RD_MAX_DR_REGS 16
#define RD_MAX_TR_REGS 16
#define RD_MAX_MSK_REGS 8
#define RD_MAX_BRD_REGS 4
#define RD_MAX_SYS_REGS 8
#define RD_MAX_X87_REGS 8
#define RD_MAX_TILE_REGS 8
#define RD_SIGN_EX_8(X) (((X) & 0x00000080) ? (0xFFFFFFFFFFFFFF00 | (X)) : ((X) & 0xFF))
#define RD_SIGN_EX_16(X) (((X) & 0x00008000) ? (0xFFFFFFFFFFFF0000 | (X)) : ((X) & 0xFFFF))
#define RD_SIGN_EX_32(X) (((X) & 0x80000000) ? (0xFFFFFFFF00000000 | (X)) : ((X) & 0xFFFFFFFF))
#define RD_SIGN_EX(S, X) ((S) == 1 ? RD_SIGN_EX_8(X) : (S) == 2 ? RD_SIGN_EX_16(X) : (S) == 4 ? RD_SIGN_EX_32(X) : (X))
#define RD_TRIM(S, X) ((S) == 1 ? (X) & 0xFF : (S) == 2 ? (X) & 0xFFFF : (S) == 4 ? (X) & 0xFFFFFFFF : (X))
#define RD_MSB(S, X) ((S) == 1 ? ((X) >> 7) & 1 : (S) == 2 ? ((X) >> 15) & 1 : (S) == 4 ? ((X) >> 31) & 1 : ((X) >> 63) & 1)
#define RD_LSB(S, X) ((X) & 1)
#define RD_SIZE_TO_MASK(S) (((S) < 8) ? ((1ULL << ((S) * 8)) - 1) : (0xFFFFFFFFFFFFFFFF))
#define RD_GET_BIT(BIT, X) (((X) >> (BIT)) & 1)
#define RD_GET_SIGN(S, X) RD_MSB(S, X)
#define RD_SET_SIGN(S, X) RD_SIGN_EX(S, X)
#define RD_FETCH_64(X) (*reinterpret_cast<unsigned long long*>(X))
#define RD_FETCH_32(X) (*reinterpret_cast<unsigned int*>(X))
#define RD_FETCH_16(X) (*reinterpret_cast<unsigned short*>(X))
#define RD_FETCH_8(X) (*reinterpret_cast<unsigned char*>(X))
#define RD_IS_3DNOW(X) ((X)->Attributes & RD_FLAG_3DNOW)
#define RD_HAS_PREDICATE(X) ((X)->Attributes & RD_FLAG_COND)
#define RD_HAS_CONDITION(X) ((X)->Attributes & RD_FLAG_COND)
#define RD_HAS_SSE_CONDITION(X) ((X)->Attributes & RD_FLAG_SSE_CONDB)
#define RD_HAS_MODRM(X) ((X)->Attributes & RD_FLAG_MODRM)
#define RD_HAS_VSIB(X) ((X)->Attributes & RD_FLAG_VSIB)
#define RD_HAS_MIB(X) ((X)->Attributes & RD_FLAG_MIB)
#define RD_HAS_VECTOR(X) ((X)->Attributes & RD_FLAG_VECTOR)
#define RD_HAS_BITBASE(X) ((X)->Attributes & RD_FLAG_BITBASE)
#define RD_HAS_AG(X) ((X)->Attributes & RD_FLAG_AG)
#define RD_HAS_SIBMEM(X) ((X)->Attributes & RD_FLAG_SIBMEM)
#define RD_HAS_SHS(X) ((X)->Attributes & RD_FLAG_SHS)
#define RD_HAS_CETT(X) ((X)->Attributes & RD_FLAG_CETT)
#define RD_REP_SUPPORT(X) ((X)->ValidPrefixes.Rep)
#define RD_REPC_SUPPORT(X) ((X)->ValidPrefixes.RepCond)
#define RD_LOCK_SUPPORT(X) ((X)->ValidPrefixes.Lock)
#define RD_HLE_SUPPORT(X) ((X)->ValidPrefixes.Hle)
#define RD_XACQUIRE_SUPPORT(X) ((X)->ValidPrefixes.Xacquire)
#define RD_XRELEASE_SUPPORT(X) ((X)->ValidPrefixes.Xrelease)
#define RD_BRD_SUPPORT(X) ((X)->ValidPrefixes.Bnd)
#define RD_BHINT_SUPPORT(X) ((X)->ValidPrefixes.Bhint)
#define RD_DNT_SUPPORT(X) ((X)->ValidPrefixes.Dnt)
#define RD_DECORATOR_SUPPORT(X) ((X)->ValidDecorators.Raw)
#define RD_MASK_SUPPORT(X) ((X)->ValidDecorators.Mask)
#define RD_ZERO_SUPPORT(X) ((X)->ValidDecorators.Zero)
#define RD_ER_SUPPORT(X) ((X)->ValidDecorators.Er)
#define RD_SAE_SUPPORT(X) ((X)->ValidDecorators.Sae)
#define RD_BROADCAST_SUPPORT(X) ((X)->ValidDecorators.Broadcast)
#define RD_OP_REG_ID(OP) ((static_cast<unsigned long long>((OP)->Type & 0xF) << 60) | (static_cast<unsigned long long>((OP)->Info.Register.Type & 0xFF) << 52) | (static_cast<unsigned long long>((op)->Info.Register.Size & 0xFFFF) << 36) | (static_cast<unsigned long long>((op)->Info.Register.Count & 0x3F) << 30) | (static_cast<unsigned long long>((OP)->Info.Register.IsHigh8 & 0x1) << 8) | (static_cast<unsigned long long>((OP)->Info.Register.Reg)))
#define RD_IS_OP_REG(OP, T, S, R) (RD_OP_REG_ID(OP) == ((static_cast<unsigned long long>(RD_OP_REG) << 60) | (static_cast<unsigned long long>((T) & 0xFF) << 52) | (static_cast<unsigned long long>((S) & 0xFFFF) << 36) | (1ULL << 30) | (static_cast<unsigned long long>(R))))
#define RD_IS_OP_REG_EX(OP, T, S, R, B, H) (RD_OP_REG_ID(OP) == ((static_cast<unsigned long long>(RD_OP_REG) << 60) | (static_cast<unsigned long long>((T) & 0xFF) << 52) | (static_cast<unsigned long long>((S) & 0xFFFF) << 36) | (static_cast<unsigned long long>((B) & 0x3F) << 30) | (static_cast<unsigned long long>((H) & 0x1) << 8) | (static_cast<unsigned long long>(R))))
#define RD_IS_OP_STACK(OP) (((OP)->Type == RD_OP_MEM) && (OP)->Info.Memory.IsStack)
#define RD_FPU_FLAG_SET_0 0
#define RD_FPU_FLAG_SET_1 1
#define RD_FPU_FLAG_MODIFIED 2
#define RD_FPU_FLAG_UNDEFINED 3
// Hook
#ifndef HOOK_STORAGE_CAPACITY
#define HOOK_STORAGE_CAPACITY 0x800000 // 8 MiB - Max memory usage for hooks.
#endif // !HOOK_STORAGE_CAPACITY
#ifndef HOOK_INLINE_TRAMPOLINE_SIZE
#define HOOK_INLINE_TRAMPOLINE_SIZE 0x30 // Max trampoline size.
#endif // !HOOK_INLINE_TRAMPOLINE_SIZE
#ifndef HOOK_INLINE_WRAPPER_SIZE
#ifdef _M_X64
#define HOOK_INLINE_WRAPPER_SIZE 0x18 // Max wrapper size.
#elif _M_IX86
#define HOOK_INLINE_WRAPPER_SIZE 0x18 // Max wrapper size.
#endif
#endif // !HOOK_INLINE_WRAPPER_SIZE
#ifndef HOOK_RAW_WRAPPER_SIZE
#ifdef _M_X64
#define HOOK_RAW_WRAPPER_SIZE 0x500 // Max wrapper size.
#elif _M_IX86
#define HOOK_RAW_WRAPPER_SIZE 0x300 // Max wrapper size.
#endif
#endif // !HOOK_RAW_WRAPPER_SIZE
#ifndef HOOK_RAW_TRAMPOLINE_SIZE
#define HOOK_RAW_TRAMPOLINE_SIZE 0x30 // Max trampoline size.
#endif // !HOOK_RAW_TRAMPOLINE_SIZE
// ----------------------------------------------------------------
// Detours
// ----------------------------------------------------------------
namespace Detours {
// ----------------------------------------------------------------
// KUSER_SHARED_DATA
// ----------------------------------------------------------------
typedef enum _NT_PRODUCT_TYPE {
NtProductWinNt = 1,
NtProductLanManNt,
NtProductServer
} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;
typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE {
StandardDesign,
NEC98x86,
EndAlternatives
} ALTERNATIVE_ARCHITECTURE_TYPE, *PALTERNATIVE_ARCHITECTURE_TYPE;
typedef struct _KSYSTEM_TIME {
ULONG LowPart;
LONG High1Time;
LONG High2Time;
} KSYSTEM_TIME, *PKSYSTEM_TIME;
typedef struct _KUSER_SHARED_DATA {
ULONG TickCountLowDeprecated;
ULONG TickCountMultiplier;
volatile KSYSTEM_TIME InterruptTime;
volatile KSYSTEM_TIME SystemTime;
volatile KSYSTEM_TIME TimeZoneBias;
USHORT ImageNumberLow;
USHORT ImageNumberHigh;
WCHAR NtSystemRoot[260];
ULONG MaxStackTraceDepth;
ULONG CryptoExponent;
ULONG TimeZoneId;
ULONG LargePageMinimum;
ULONG AitSamplingValue;
ULONG AppCompatFlag;
ULONGLONG RNGSeedVersion;
ULONG GlobalValidationRunlevel;
volatile LONG TimeZoneBiasStamp;
ULONG NtBuildNumber;
NT_PRODUCT_TYPE NtProductType;
BOOLEAN ProductTypeIsValid;
BOOLEAN Reserved0[1];
USHORT NativeProcessorArchitecture;
ULONG NtMajorVersion;
ULONG NtMinorVersion;
BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
ULONG Reserved1;
ULONG Reserved3;
volatile ULONG TimeSlip;
ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
ULONG BootId;
LARGE_INTEGER SystemExpirationDate;
ULONG SuiteMask;
BOOLEAN KdDebuggerEnabled;
union {
UCHAR MitigationPolicies;
struct {
UCHAR NXSupportPolicy : 2;
UCHAR SEHValidationPolicy : 2;
UCHAR CurDirDevicesSkippedForDlls : 2;
UCHAR Reserved : 2;
};
};
USHORT CyclesPerYield;
volatile ULONG ActiveConsoleId;
volatile ULONG DismountCount;
ULONG ComPlusPackage;
ULONG LastSystemRITEventTickCount;
ULONG NumberOfPhysicalPages;
BOOLEAN SafeBootMode;
UCHAR VirtualizationFlags;
UCHAR Reserved12[2];
union {
ULONG SharedDataFlags;
struct {
ULONG DbgErrorPortPresent : 1;
ULONG DbgElevationEnabled : 1;
ULONG DbgVirtEnabled : 1;
ULONG DbgInstallerDetectEnabled : 1;
ULONG DbgLkgEnabled : 1;
ULONG DbgDynProcessorEnabled : 1;
ULONG DbgConsoleBrokerEnabled : 1;
ULONG DbgSecureBootEnabled : 1;
ULONG DbgMultiSessionSku : 1;
ULONG DbgMultiUsersInSessionSku : 1;
ULONG DbgStateSeparationEnabled : 1;
ULONG SpareBits : 21;
};
};
ULONG DataFlagsPad[1];
ULONGLONG TestRetInstruction;
LONGLONG QpcFrequency;
ULONG SystemCall;
ULONG Reserved2;
ULONGLONG SystemCallPad[2];
union {
volatile KSYSTEM_TIME TickCount;
volatile ULONG64 TickCountQuad;
struct {
ULONG ReservedTickCountOverlay[3];
ULONG TickCountPad[1];
};
};
ULONG Cookie;
ULONG CookiePad[1];
LONGLONG ConsoleSessionForegroundProcessId;
ULONGLONG TimeUpdateLock;
ULONGLONG BaselineSystemTimeQpc;
ULONGLONG BaselineInterruptTimeQpc;
ULONGLONG QpcSystemTimeIncrement;
ULONGLONG QpcInterruptTimeIncrement;
UCHAR QpcSystemTimeIncrementShift;
UCHAR QpcInterruptTimeIncrementShift;
USHORT UnparkedProcessorCount;
ULONG EnclaveFeatureMask[4];
ULONG TelemetryCoverageRound;
USHORT UserModeGlobalLogger[16];
ULONG ImageFileExecutionOptions;
ULONG LangGenerationCount;
ULONGLONG Reserved4;
volatile ULONGLONG InterruptTimeBias;
volatile ULONGLONG QpcBias;
ULONG ActiveProcessorCount;
volatile UCHAR ActiveGroupCount;
UCHAR Reserved9;
union {
USHORT QpcData;
struct {
volatile UCHAR QpcBypassEnabled;
UCHAR QpcShift;
};
};
LARGE_INTEGER TimeZoneBiasEffectiveStart;
LARGE_INTEGER TimeZoneBiasEffectiveEnd;
XSTATE_CONFIGURATION XState;
KSYSTEM_TIME FeatureConfigurationChangeStamp;
ULONG Spare;
ULONG64 UserPointerAuthMask;
} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
extern const volatile KUSER_SHARED_DATA& KUserSharedData;
// ----------------------------------------------------------------
// KHYPERVISOR_SHARED_DATA
// ----------------------------------------------------------------
typedef struct _KHYPERVISOR_SHARED_DATA {
ULONG Present;
ULONG Reserved1;
ULONGLONG MultiplierValue;
ULONGLONG AdditionalOffset;
} KHYPERVISOR_SHARED_DATA, *PKHYPERVISOR_SHARED_DATA;
extern const volatile KHYPERVISOR_SHARED_DATA& KHypervisorSharedData;
// ----------------------------------------------------------------
// LDR
// ----------------------------------------------------------------
typedef enum _LDR_DDAG_STATE {
LdrModulesMerged = -5,
LdrModulesInitError = -4,
LdrModulesSnapError = -3,
LdrModulesUnloaded = -2,
LdrModulesUnloading = -1,
LdrModulesPlaceHolder = 0,
LdrModulesMapping = 1,
LdrModulesMapped = 2,
LdrModulesWaitingForDependencies = 3,
LdrModulesSnapping = 4,
LdrModulesSnapped = 5,
LdrModulesCondensed = 6,
LdrModulesReadyToInit = 7,
LdrModulesInitializing = 8,
LdrModulesReadyToRun = 9
} LDR_DDAG_STATE, *PLDR_DDAG_STATE;
typedef enum _LDR_DLL_LOAD_REASON {
LoadReasonStaticDependency,
LoadReasonStaticForwarderDependency,
LoadReasonDynamicForwarderDependency,
LoadReasonDelayloadDependency,
LoadReasonDynamicLoad,
LoadReasonAsImageLoad,
LoadReasonAsDataLoad,
LoadReasonEnclavePrimary,
LoadReasonEnclaveDependency,
LoadReasonPatchImage,
LoadReasonUnknown = -1
} LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON;
typedef enum _LDR_HOT_PATCH_STATE {
LdrHotPatchBaseImage,
LdrHotPatchNotApplied,
LdrHotPatchAppliedReverse,
LdrHotPatchAppliedForward,
LdrHotPatchFailedToPatch,
LdrHotPatchStateMax
} LDR_HOT_PATCH_STATE, *PLDR_HOT_PATCH_STATE;
typedef BOOLEAN(NTAPI* PLDR_INIT_ROUTINE)(PVOID DllHandle, ULONG Reason, PVOID Context);
typedef struct _LDR_SERVICE_TAG_RECORD {
struct _LDR_SERVICE_TAG_RECORD* Next;
ULONG ServiceTag;
} LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD;
typedef struct _LDRP_CSLIST {
PSINGLE_LIST_ENTRY Tail;
} LDRP_CSLIST, *PLDRP_CSLIST;
typedef struct _LDR_DDAG_NODE {
LIST_ENTRY Modules;
PLDR_SERVICE_TAG_RECORD ServiceTagList;
ULONG LoadCount;
ULONG LoadWhileUnloadingCount;
ULONG LowestLink;
union {
LDRP_CSLIST Dependencies;
SINGLE_LIST_ENTRY RemovalLink;
};
LDRP_CSLIST IncomingDependencies;
LDR_DDAG_STATE State;
SINGLE_LIST_ENTRY CondenseLink;
ULONG PreorderNumber;
} LDR_DDAG_NODE, *PLDR_DDAG_NODE;
typedef struct _RTL_BALANCED_NODE {
union {
struct _RTL_BALANCED_NODE* Children[2];
struct {
struct _RTL_BALANCED_NODE* Left;
struct _RTL_BALANCED_NODE* Right;
};
};
union {
UCHAR Red : 1;
UCHAR Balance : 2;
ULONG_PTR ParentValue;
};
} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;
typedef struct _RTL_RB_TREE {
PRTL_BALANCED_NODE Root;
PRTL_BALANCED_NODE Min;
} RTL_RB_TREE, *PRTL_RB_TREE;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWCH Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
union {
LIST_ENTRY InInitializationOrderLinks;
LIST_ENTRY InProgressLinks;
};
PVOID DllBase;
PLDR_INIT_ROUTINE EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
union {
UCHAR FlagGroup[4];
ULONG Flags;
struct {
ULONG PackagedBinary : 1;
ULONG MarkedForRemoval : 1;
ULONG ImageDll : 1;
ULONG LoadNotificationsSent : 1;
ULONG TelemetryEntryProcessed : 1;
ULONG ProcessStaticImport : 1;
ULONG InLegacyLists : 1;
ULONG InIndexes : 1;
ULONG ShimDll : 1;
ULONG InExceptionTable : 1;
ULONG ReservedFlags1 : 2;
ULONG LoadInProgress : 1;
ULONG LoadConfigProcessed : 1;
ULONG EntryProcessed : 1;
ULONG ProtectDelayLoad : 1;
ULONG ReservedFlags3 : 2;
ULONG DontCallForThreads : 1;
ULONG ProcessAttachCalled : 1;
ULONG ProcessAttachFailed : 1;
ULONG CorDeferredValidate : 1;
ULONG CorImage : 1;
ULONG DontRelocate : 1;
ULONG CorILOnly : 1;
ULONG ChpeImage : 1;
ULONG ChpeEmulatorImage : 1;
ULONG ReservedFlags5 : 1;
ULONG Redirected : 1;
ULONG ReservedFlags6 : 2;
ULONG CompatDatabaseProcessed : 1;
};
};
USHORT ObsoleteLoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
ULONG TimeDateStamp;
struct _ACTIVATION_CONTEXT* EntryPointActivationContext;
PVOID Lock;
PLDR_DDAG_NODE DdagNode;
LIST_ENTRY NodeModuleLink;
struct _LDRP_LOAD_CONTEXT* LoadContext;
PVOID ParentDllBase;
PVOID SwitchBackContext;
RTL_BALANCED_NODE BaseAddressIndexNode;
RTL_BALANCED_NODE MappingInfoIndexNode;
ULONG_PTR OriginalBase;
LARGE_INTEGER LoadTime;
ULONG BaseNameHashValue;
LDR_DLL_LOAD_REASON LoadReason;
ULONG ImplicitPathOptions;
ULONG ReferenceCount;
ULONG DependentLoadFlags;
UCHAR SigningLevel;
ULONG CheckSum;
PVOID ActivePatchImageBase;
LDR_HOT_PATCH_STATE HotPatchState;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// ----------------------------------------------------------------
// PEB
// ----------------------------------------------------------------
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
BOOLEAN ShutdownInProgress;
HANDLE ShutdownThreadId;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _CURDIR {
UNICODE_STRING DosPath;
HANDLE Handle;
} CURDIR, *PCURDIR;
typedef struct _STRING {
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} STRING, *PSTRING;
typedef struct _RTL_DRIVE_LETTER_CURDIR {
USHORT Flags;
USHORT Length;
ULONG TimeStamp;
STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;