unit DBK32functions;
{$MODE Delphi}
interface
uses jwawindows, windows, sysutils, classes, types, registry, multicpuexecution,
forms,dialogs, controls;
// XP SP2 values (hex) for the ThreadsProcess / ThreadListEntry offsets declared below:
//ThreadsProcess=220
//ThreadListEntry=22c
const
  currentversion = 2000022;

  // Building blocks of a Windows control code (same layout CTL_CODE uses):
  //   bits 16..31 device type, bits 14..15 required access,
  //   bits 2..13 function number, bits 0..1 transfer method.
  FILE_ANY_ACCESS     = 0;
  FILE_SPECIAL_ACCESS = FILE_ANY_ACCESS;
  FILE_READ_ACCESS    = $0001;
  FILE_WRITE_ACCESS   = $0002;
  FILE_RW_ACCESS      = FILE_READ_ACCESS or FILE_WRITE_ACCESS;

  METHOD_BUFFERED   = 0;
  METHOD_IN_DIRECT  = 1;
  METHOD_OUT_DIRECT = 2;
  METHOD_NEITHER    = 3;

  FILE_DEVICE_UNKNOWN = $00000022;
  IOCTL_UNKNOWN_BASE  = FILE_DEVICE_UNKNOWN;

  // Every IOCTL_CE_* code below is METHOD_BUFFERED and requires FILE_RW_ACCESS,
  // i.e. the device handle must have been opened for both read and write.
  // Function numbers $082c and $0837..$0839 are not assigned in this table;
  // $082f is shared by USERDEFINEDINTERRUPTHOOK and the retired MAKEKERNELCOPY.
  IOCTL_CE_READMEMORY              = (IOCTL_UNKNOWN_BASE shl 16) or ($0800 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_WRITEMEMORY             = (IOCTL_UNKNOWN_BASE shl 16) or ($0801 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_OPENPROCESS             = (IOCTL_UNKNOWN_BASE shl 16) or ($0802 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_QUERY_VIRTUAL_MEMORY    = (IOCTL_UNKNOWN_BASE shl 16) or ($0803 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_TEST                    = (IOCTL_UNKNOWN_BASE shl 16) or ($0804 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETPEPROCESS            = (IOCTL_UNKNOWN_BASE shl 16) or ($0805 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_READPHYSICALMEMORY      = (IOCTL_UNKNOWN_BASE shl 16) or ($0806 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_WRITEPHYSICALMEMORY     = (IOCTL_UNKNOWN_BASE shl 16) or ($0807 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETPHYSICALADDRESS      = (IOCTL_UNKNOWN_BASE shl 16) or ($0808 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  //const IOCTL_CE_PROTECTME = (IOCTL_UNKNOWN_BASE shl 16) or ($0809 shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETCR3                  = (IOCTL_UNKNOWN_BASE shl 16) or ($080a shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  //you really don't want to do this in usermode const IOCTL_CE_SETCR3 = (IOCTL_UNKNOWN_BASE shl 16) or ($080b shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETSDT                  = (IOCTL_UNKNOWN_BASE shl 16) or ($080c shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_INITIALIZE              = (IOCTL_UNKNOWN_BASE shl 16) or ($080d shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  //const IOCTL_CE_DONTPROTECTME = (IOCTL_UNKNOWN_BASE shl 16) or ($080e shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETIDT                  = (IOCTL_UNKNOWN_BASE shl 16) or ($080f shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_HOOKINTS                = (IOCTL_UNKNOWN_BASE shl 16) or ($0810 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_DEBUGPROCESS            = (IOCTL_UNKNOWN_BASE shl 16) or ($0811 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_RETRIEVEDEBUGDATA       = (IOCTL_UNKNOWN_BASE shl 16) or ($0812 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_STARTPROCESSWATCH       = (IOCTL_UNKNOWN_BASE shl 16) or ($0813 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETPROCESSEVENTS        = (IOCTL_UNKNOWN_BASE shl 16) or ($0814 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETTHREADEVENTS         = (IOCTL_UNKNOWN_BASE shl 16) or ($0815 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETVERSION              = (IOCTL_UNKNOWN_BASE shl 16) or ($0816 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETCR4                  = (IOCTL_UNKNOWN_BASE shl 16) or ($0817 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_OPENTHREAD              = (IOCTL_UNKNOWN_BASE shl 16) or ($0818 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_MAKEWRITABLE            = (IOCTL_UNKNOWN_BASE shl 16) or ($0819 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  //const IOCTL_CE_DEBUGPROCESS_CHANGEREG = (IOCTL_UNKNOWN_BASE shl 16) or ($081a shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_STOPDEBUGGING           = (IOCTL_UNKNOWN_BASE shl 16) or ($081b shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  //const IOCTL_CE_STOP_DEBUGPROCESS_CHANGEREG = (IOCTL_UNKNOWN_BASE shl 16) or ($081c shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
  //const IOCTL_CE_USEALTERNATEMETHOD = (IOCTL_UNKNOWN_BASE shl 16) or ($081d shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
  //const IOCTL_CE_ISUSINGALTERNATEMETHOD = (IOCTL_UNKNOWN_BASE shl 16) or ($081e shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ALLOCATEMEM             = (IOCTL_UNKNOWN_BASE shl 16) or ($081f shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_CREATEAPC               = (IOCTL_UNKNOWN_BASE shl 16) or ($0820 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETPETHREAD             = (IOCTL_UNKNOWN_BASE shl 16) or ($0821 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_SUSPENDTHREAD           = (IOCTL_UNKNOWN_BASE shl 16) or ($0822 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_RESUMETHREAD            = (IOCTL_UNKNOWN_BASE shl 16) or ($0823 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_SUSPENDPROCESS          = (IOCTL_UNKNOWN_BASE shl 16) or ($0824 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_RESUMEPROCESS           = (IOCTL_UNKNOWN_BASE shl 16) or ($0825 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ALLOCATEMEM_NONPAGED    = (IOCTL_UNKNOWN_BASE shl 16) or ($0826 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETPROCADDRESS          = (IOCTL_UNKNOWN_BASE shl 16) or ($0827 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  //const IOCTL_CE_SETSDTADDRESS = (IOCTL_UNKNOWN_BASE shl 16) or ($0828 shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETSDTADDRESS           = (IOCTL_UNKNOWN_BASE shl 16) or ($0829 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETGDT                  = (IOCTL_UNKNOWN_BASE shl 16) or ($082a shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_SETCR4                  = (IOCTL_UNKNOWN_BASE shl 16) or ($082b shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_VMXCONFIG               = (IOCTL_UNKNOWN_BASE shl 16) or ($082d shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETCR0                  = (IOCTL_UNKNOWN_BASE shl 16) or ($082e shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_USERDEFINEDINTERRUPTHOOK = (IOCTL_UNKNOWN_BASE shl 16) or ($082f shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  //const IOCTL_CE_MAKEKERNELCOPY = (IOCTL_UNKNOWN_BASE shl 16) or ($082f shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_SETGLOBALDEBUGSTATE     = (IOCTL_UNKNOWN_BASE shl 16) or ($0830 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_CONTINUEDEBUGEVENT      = (IOCTL_UNKNOWN_BASE shl 16) or ($0831 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_WAITFORDEBUGEVENT       = (IOCTL_UNKNOWN_BASE shl 16) or ($0832 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETDEBUGGERSTATE        = (IOCTL_UNKNOWN_BASE shl 16) or ($0833 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_SETDEBUGGERSTATE        = (IOCTL_UNKNOWN_BASE shl 16) or ($0834 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GD_SETBREAKPOINT        = (IOCTL_UNKNOWN_BASE shl 16) or ($0835 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_TOUCHDEBUGREGISTER      = (IOCTL_UNKNOWN_BASE shl 16) or ($0836 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_LAUNCHDBVM              = (IOCTL_UNKNOWN_BASE shl 16) or ($083a shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_UNHOOKALLINTERRUPTS     = (IOCTL_UNKNOWN_BASE shl 16) or ($083b shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_EXECUTE_CODE            = (IOCTL_UNKNOWN_BASE shl 16) or ($083c shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETPROCESSNAMEADDRESS   = (IOCTL_UNKNOWN_BASE shl 16) or ($083d shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_SETKERNELSTEPABILITY    = (IOCTL_UNKNOWN_BASE shl 16) or ($083e shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_READMSR                 = (IOCTL_UNKNOWN_BASE shl 16) or ($083f shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_WRITEMSR                = (IOCTL_UNKNOWN_BASE shl 16) or ($0840 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_SETSTORELBR             = (IOCTL_UNKNOWN_BASE shl 16) or ($0841 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP                 = (IOCTL_UNKNOWN_BASE shl 16) or ($0842 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP_DISABLE         = (IOCTL_UNKNOWN_BASE shl 16) or ($0843 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP_WAITFORDATA     = (IOCTL_UNKNOWN_BASE shl 16) or ($0844 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP_CONTINUE        = (IOCTL_UNKNOWN_BASE shl 16) or ($0845 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP_FLUSH           = (IOCTL_UNKNOWN_BASE shl 16) or ($0846 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETMEMORYRANGES         = (IOCTL_UNKNOWN_BASE shl 16) or ($0847 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_STARTACCESMONITOR       = (IOCTL_UNKNOWN_BASE shl 16) or ($0848 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ENUMACCESSEDMEMORY      = (IOCTL_UNKNOWN_BASE shl 16) or ($0849 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_GETACCESSEDMEMORYLIST   = (IOCTL_UNKNOWN_BASE shl 16) or ($084a shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_WRITESIGNOREWP          = (IOCTL_UNKNOWN_BASE shl 16) or ($084b shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_FREE_NONPAGED           = (IOCTL_UNKNOWN_BASE shl 16) or ($084c shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_MAP_MEMORY              = (IOCTL_UNKNOWN_BASE shl 16) or ($084d shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_UNMAP_MEMORY            = (IOCTL_UNKNOWN_BASE shl 16) or ($084e shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2                = (IOCTL_UNKNOWN_BASE shl 16) or ($084f shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_DISABLEULTIMAP2         = (IOCTL_UNKNOWN_BASE shl 16) or ($0850 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2_WAITFORDATA    = (IOCTL_UNKNOWN_BASE shl 16) or ($0851 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2_CONTINUE       = (IOCTL_UNKNOWN_BASE shl 16) or ($0852 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2_FLUSH          = (IOCTL_UNKNOWN_BASE shl 16) or ($0853 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2_PAUSE          = (IOCTL_UNKNOWN_BASE shl 16) or ($0854 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2_RESUME         = (IOCTL_UNKNOWN_BASE shl 16) or ($0855 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2_LOCKFILE       = (IOCTL_UNKNOWN_BASE shl 16) or ($0856 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2_RELEASEFILE    = (IOCTL_UNKNOWN_BASE shl 16) or ($0857 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP_PAUSE           = (IOCTL_UNKNOWN_BASE shl 16) or ($0858 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP_RESUME          = (IOCTL_UNKNOWN_BASE shl 16) or ($0859 shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2_GETTRACESIZE   = (IOCTL_UNKNOWN_BASE shl 16) or ($085a shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ULTIMAP2_RESETTRACESIZE = (IOCTL_UNKNOWN_BASE shl 16) or ($085b shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
  IOCTL_CE_ENABLE_DRM              = (IOCTL_UNKNOWN_BASE shl 16) or ($085c shl 2) or METHOD_BUFFERED or (FILE_RW_ACCESS shl 14);
type
  // Procedural type with the DeviceIoControl signature (same shape as the
  // unit's own DeviceIoControl wrapper declared further down).
  TDeviceIoControl = function(hDevice: THandle; dwIoControlCode: DWORD; lpInBuffer: Pointer; nInBufferSize: DWORD; lpOutBuffer: Pointer; nOutBufferSize: DWORD; var lpBytesReturned: DWORD; lpOverlapped: POverlapped): BOOL; stdcall;
  TFNAPCProc = TFarProc;

  // One physical memory range as reported through GetMemoryRanges.
  TPhysicalMemoryRange = packed record
    base: uint64;
    size: uint64;
  end;
  TPhysicalMemoryRanges = array of TPhysicalMemoryRange;
  TPhysicalMemoryRangesArray = array[0..10000] of TPhysicalMemoryRange;
  PPhysicalMemoryRangesArray = ^TPhysicalMemoryRangesArray;

  // Bookkeeping entry for the handlelist variable below.
  thandlelist = record
    processhandle: thandle;
    processid: dword;
    validhandle: boolean;
  end;

  // CLIENT_ID as passed to the NtOpenProcess/NtOpenThread replacements (NOP/NtOT).
  TClient_ID = record
    processid: thandle;
    threadid: thandle;
  end;
  PClient_ID = ^TClient_ID;

  TQwordArray = array[0..9999] of QWORD;
  PQwordArray = ^TQwordArray;

  TUltimapEvent = packed record
    DataReadyEvent: QWORD;
    DataHandledEvent: QWORD;
  end;
  TUltimapEventArray = array[0..0] of TUltimapEvent;
  PUltimapEventArray = ^TUltimapEventArray;

  // Returned by MapMemory and handed back to UnmapMemory.
  TMapMemoryResult = record
    address: uint64;
    mdladdress: uint64;
  end;

  // The DataEvent structure carries the address and block id; hand it back
  // (ultimap_continue) once the event has been handled.
  TUltimapDataEvent = packed record
    Address: Qword;
    Size: Qword;
    BlockID: Qword;
    CpuID: Qword;
    KernelAddress: QWORD;
    Mdl: QWORD;
  end;
  PUltimapDataEvent = ^TUltimapDataEvent;

  // Output of ultimap2_waitForData.
  TUltimap2DataEvent = packed record
    Address: Qword;
    Size: Qword;
    Cpunr: Qword;
  end;
  PUltimap2DataEvent = ^TUltimap2DataEvent;

  // Address range handed to ultimap2 (at most 8 are forwarded to the driver).
  TURange = record
    startAddress: QWORD;
    endaddress: QWORD;
    isStopRange: QWORD;
  end;
  // NOTE(review): PURange points at TPRange rather than TURange — looks like a
  // typo but is kept unchanged; confirm no caller relies on it before fixing.
  PURange = ^TPRange;
  TURangeArray = array of TURange;
  PURangeArray = ^TURangeArray;

  // Page range as returned by EnumAndGetAccessedPages.
  TPRange = record
    startAddress: QWORD;
    endaddress: QWORD;
  end;
  PPRange = ^TPRange;
  TPRangeArray = array[0..9999] of TPRange;
  PPRangeArray = ^TPRangeArray;
  TPRangeDynArray = array of TPRange;
var hdevice: thandle=INVALID_HANDLE_VALUE; //handle to the device driver; INVALID_HANDLE_VALUE while not loaded. The value $fff00fff is the dbvm pseudo-handle that this unit's DeviceIoControl routes to SecondaryDeviceIoControl
handlelist: array of thandlelist; //per-handle bookkeeping (see thandlelist); presumably maintained by OP/IsValidHandle, whose bodies are outside this view
driverloc: string; //set outside this view; NOTE(review): presumably the driver file location
iamprotected:boolean;
SDTShadow: DWORD;
debugport: dword;
ThreadsProcess,ThreadListEntry:dword; //structure offsets; the XP SP2 values are noted at the top of the unit
processeventname, threadeventname: string;
processevent,threadevent:thandle;
ownprocess: thandle=0; //needed for simple kernelmemory access
//Successfullyloaded:boolean;
iswow64: bool; //presumably filled from IsWow64Process during initialization (outside this view); on cpu32 builds GetIDTCurrentThread masks the IDT base to 32 bits when this is false
//usealternatedebugmethod: boolean;
saferQueryPhysicalMemory: boolean=true;
// ---------------------------------------------------------------------------
// Exported API. The implementations visible below are thin wrappers that issue
// one IOCTL_CE_* code through DeviceIoControl; the remaining bodies are outside
// this view. A name in braces is the Win32/Nt API the routine stands in for.
// NOTE(review): several entries (physical memory and MSR writes, CR4 changes,
// ExecuteKernelCode, UserdefinedInterruptHook, MakeWritable, kernel allocations)
// are kernel-level primitives. The only precondition visible in this unit is
// that hdevice holds an open handle, so any access control has to live in the
// driver/device object itself — confirm there.
// ---------------------------------------------------------------------------
function CTL_CODE(DeviceType, Func, Method, Access : integer) : integer; //presumably the runtime form of the control-code formula used by the constants above (body not in view)
function IsValidHandle(hProcess:THandle):BOOL; stdcall;
Function {OpenProcess}OP(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwProcessId:DWORD):THANDLE; stdcall;
Function {OpenThread}OT(dwDesiredAccess:DWORD;bInheritHandle:BOOL;dwThreadId:DWORD):THANDLE; stdcall;
function {ReadProcessMemory}RPM(hProcess:THANDLE;lpBaseAddress:pointer;lpBuffer:pointer;nSize:DWORD;var NumberOfBytesRead:PtrUInt):BOOL; stdcall;
function {ReadProcessMemory64}ReadProcessMemory64(hProcess:THANDLE;lpBaseAddress:UINT64;lpBuffer:pointer;nSize:DWORD;var NumberOfBytesRead:PtrUInt):BOOL; stdcall;
function {WriteProcessMemory}WPM(hProcess:THANDLE;lpBaseAddress:pointer;lpBuffer:pointer;nSize:DWORD;var NumberOfBytesWritten:PtrUInt):BOOL; stdcall;
function {WriteProcessMemory}WriteProcessMemory64(hProcess:THANDLE;BaseAddress:qword;lpBuffer:pointer;nSize:DWORD;var NumberOfBytesWritten:PtrUInt):BOOL; stdcall;
function {VirtualQueryEx}VQE(hProcess: THandle; address: pointer; var mbi: _MEMORY_BASIC_INFORMATION; bufsize: DWORD):dword; stdcall;
Function {NtOpenProcess}NOP(var Handle: THandle; AccessMask: dword; objectattributes: pointer; clientid: PClient_ID):DWORD; stdcall;
Function {NtOpenThread}NtOT(var Handle: THandle; AccessMask: dword; objectattributes: pointer; clientid: PClient_ID):DWORD; stdcall;
Function {VirtualAllocEx}VAE(hProcess: THandle; lpAddress: Pointer; dwSize, flAllocationType: DWORD; flProtect: DWORD): Pointer; stdcall;
Function CreateRemoteAPC(threadid: dword; lpStartAddress: TFNAPCProc): THandle; stdcall;
Function GetPEProcess(ProcessID: dword):UINT64; stdcall;
Function GetPEThread(Threadid: dword):UINT64; stdcall;
function GetDebugportOffset: DWORD; stdcall;
function GetThreadsProcessOffset: dword; stdcall;
function GetThreadListEntryOffset: dword; stdcall;
// Physical memory access (bodies outside this view).
function ReadPhysicalMemory(hProcess:THANDLE;lpBaseAddress:pointer;lpBuffer:pointer;nSize:DWORD;var NumberOfBytesRead:DWORD):BOOL; stdcall;
function WritePhysicalMemory(hProcess:THANDLE;lpBaseAddress:pointer;lpBuffer:pointer;nSize:DWORD;var NumberOfBytesWritten:DWORD):BOOL; stdcall;
function GetPhysicalAddress(hProcess:THandle;lpBaseAddress:pointer;var Address:int64): BOOL; stdcall;
function GetMemoryRanges(var ranges: TPhysicalMemoryRanges): boolean;
function VirtualQueryExPhysical(hProcess: THandle; lpAddress: Pointer; var lpBuffer: TMemoryBasicInformation; dwLength: DWORD): DWORD; stdcall;
// Control-register / descriptor-table queries.
function GetCR4:DWORD; stdcall;
function GetCR3(hProcess:THANDLE;var CR3:system.QWORD):BOOL; stdcall;
function GetCR3FromPID(pid: system.QWORD;var CR3:system.QWORD):BOOL; stdcall;
//function SetCR3(hProcess:THANDLE;CR3: DWORD):BOOL; stdcall;
function GetCR0:DWORD; stdcall;
function GetSDT:PtrUInt; stdcall;
function GetSDTShadow:PtrUInt; stdcall;
function StartProcessWatch:BOOL;stdcall;
function WaitForProcessListData(processpointer:pointer;threadpointer:pointer;timeout:dword):dword; stdcall;
function GetProcessNameFromPEProcess(peprocess:uint64; buffer:pchar;buffersize:dword):integer; stdcall;
function GetProcessNameFromID(processid:dword; buffer:pointer;buffersize:dword):integer; stdcall;
function MakeWritable(Address,Size:dword;copyonwrite:boolean): boolean; stdcall;
function RewriteKernel32:boolean; stdcall;
function RestoreKernel32:boolean; stdcall;
function InitializeDriver(Address: ptrUint; size:dword):BOOL; stdcall;
function GetWin32KAddress(var address:ptrUint;var size:dworD):boolean;
function GetDriverVersion: dword;
function GetIDTCurrentThread:QWORD; stdcall; //implementation below omits the stdcall directive; the convention should be taken from this declaration — confirm with the compiler in use
function GetIDTs(idtstore: pointer; maxidts: integer):integer; stdcall;
function GetLoadedState: BOOLEAN; stdcall;
function DBKSuspendThread(ThreadID:dword):boolean; stdcall;
function DBKResumeThread(ThreadID:dword):boolean; stdcall;
function DBKSuspendProcess(ProcessID:dword):boolean; stdcall;
function DBKResumeProcess(ProcessID:dword):boolean; stdcall;
function KernelAlloc(size: dword):pointer; stdcall;
function KernelAlloc64(size: dword):uint64; stdcall;
procedure KernelFree(address: uint64); stdcall;
function MapMemory(address: ptruint; size: dword; frompid: dword=0; topid: dword=0):TMapMemoryResult;
procedure UnmapMemory(r: TMapMemoryResult);
function GetKProcAddress(s: pwidechar):pointer; stdcall;
function GetKProcAddress64(s: pwidechar):uint64; stdcall;
function GetSDTEntry(nr: integer; address: PDWORD; paramcount: PBYTE):boolean; stdcall;
function GetSSDTEntry(nr: integer; address: PDWORD; paramcount: PBYTE):boolean; stdcall;
function UserdefinedInterruptHook(interruptnr: integer; newCS: word; newEIP: uint64; addressofjumpback: uint64):boolean; stdcall;
function ExecuteKernelCode(address: uint64; parameters: uint64): BOOL; stdcall;
// Ultimap (first generation) controls; bodies outside this view.
function ultimap(cr3: QWORD; debugctl_value: QWORD; DS_AREA_SIZE: integer; savetofile: boolean; filename: widestring; handlercount: integer): Boolean; stdcall;
function ultimap_disable: BOOLEAN; stdcall;
function ultimap_waitForData(timeout: dword; output: PUltimapDataEvent): boolean;
function ultimap_continue(previousdataresult: PUltimapDataEvent): boolean;
procedure ultimap_flush;
procedure ultimap_pause;
procedure ultimap_resume;
// Ultimap2 controls; implemented below. ultimap2_getTraceSize and
// ultimap2_resetTraceSize are also implemented below but are not declared
// here, so they stay private to this unit.
procedure ultimap2(processid: dword; size: dword; outputfolder: widestring; ranges: TURangeArray);
procedure ultimap2_disable;
function ultimap2_waitForData(timeout: dword; var output: TUltimap2DataEvent): boolean;
procedure ultimap2_continue(cpunr: integer);
procedure ultimap2_flush;
procedure ultimap2_pause;
procedure ultimap2_resume;
procedure ultimap2_lockfile(cpunr: integer);
procedure ultimap2_releasefile(cpunr: integer);
procedure dbk_enabledrm;
{
const IOCTL_CE_ULTIMAP2_WAITFORDATA = (IOCTL_UNKNOWN_BASE shl 16) or ($0851 shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
const IOCTL_CE_ULTIMAP2_CONTINUE = (IOCTL_UNKNOWN_BASE shl 16) or ($0852 shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
const IOCTL_CE_ULTIMAP2_FLUSH = (IOCTL_UNKNOWN_BASE shl 16) or ($0853 shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
const IOCTL_CE_ULTIMAP2_PAUSE = (IOCTL_UNKNOWN_BASE shl 16) or ($0854 shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
const IOCTL_CE_ULTIMAP2_RESUME = (IOCTL_UNKNOWN_BASE shl 16) or ($0855 shl 2) or (METHOD_BUFFERED ) or (FILE_RW_ACCESS shl 14);
}
procedure dbk_test;
procedure LaunchDBVM(cpuid: integer); stdcall;
function GetGDT(limit: pword):ptruint; stdcall;
function isDriverLoaded(SigningIsTheCause: PBOOL): BOOL; stdcall;
procedure DBK32Initialize;
function readMSR(msr: dword): QWORD;
procedure writeMSR(msr: dword; value: qword);
function MarkAllPagesAsNonAccessed(hProcess: THandle):boolean;
function EnumAndGetAccessedPages(hProcess: THandle; var r: TPRangeDynArray):integer;
function KernelWritesIgnoreWriteProtection(state: boolean): boolean;
type TIsWow64Process=function (processhandle: THandle; var isWow: BOOL): BOOL; stdcall;
// Unit-level DeviceIoControl that routes the $fff00fff dbvm pseudo-handle to
// SecondaryDeviceIoControl and everything else to windows.DeviceIoControl (implementation below).
function DeviceIoControl(hDevice: THandle; dwIoControlCode: DWORD; lpInBuffer: Pointer; nInBufferSize: DWORD; lpOutBuffer: Pointer; nOutBufferSize: DWORD; var lpBytesReturned: DWORD; lpOverlapped: POverlapped): BOOL; stdcall;
var kernel32dll: thandle;
IsWow64Process: TIsWow64Process;
failedduetodriversigning: boolean; //reported to callers through isDriverLoaded's SigningIsTheCause out-parameter
implementation
uses vmxfunctions, DBK64SecondaryLoader, NewKernelHandler, frmDriverLoadedUnit, CEFuncProc, Parsers;
// Localizable user-facing messages. They are runtime data: the text (including
// its spelling) is what users and translations see, so it is not edited here.
// Most call sites are outside this view.
resourcestring
rsInvalidMsrAddress = 'Invalid MSR address:';
rsMsrsAreUnavailable = 'msrs are unavailable';
rsCouldNotLaunchDbvm = 'Could not launch DBVM: The Intel-VT feature has been disabled in your BIOS';
rsYouAreMissingTheDriver = 'You are missing the driver. Try reinstalling cheat engine, and try to disable your anti-virus before doing so.';
rsDriverError = 'Driver error';
rsFailureToConfigureTheDriver = 'Failure to configure the driver';
rsPleaseRebootAndPressF8DuringBoot = 'Please reboot and press F8 during boot. Then choose "allow unsigned drivers". '+#13#10+'Alternatively you could sign the driver yourself.'+#13#10+'Just buy yourself a class 3 business signing certificate and sign the driver. Then you''ll never have to reboot again to use this driver';
rsDbk32Error = 'DBK32 error';
rsTheServiceCouldntGetOpened = 'The service couldn''t get opened and also couldn''t get created.'+' Check if you have the needed rights to create a service, or call your system admin (Who''ll probably beat you up for even trying this). Untill this is fixed you won''t be able to make use of the enhancements the driver gives you';
rsTheDriverCouldntBeOpened = 'The driver couldn''t be opened! It''s not loaded or not responding. Luckely you are running dbvm so it''s not a total waste. Do you wish to force load the driver?';
rsTheDriverCouldntBeOpenedTryAgain = 'The driver couldn''t be opened! It''s not loaded or not responding. I recommend to reboot your system and try again (If you''re on 64-bit windows, you might want to use dbvm)';
rsTheDriverThatIsCurrentlyLoaded = 'The driver that is currently loaded belongs to a different version of Cheat Engine. Please unload this driver or reboot.';
rsTheDriverFailedToSuccessfullyInitialize = 'The driver failed to successfully initialize. Some functions may not completely work';
rsAPCRules = 'APC rules';
rsPleaseRunThe64BitVersionOfCE = 'Please run the 64-bit version of Cheat Engine';
rsDBKError = 'DBK Error';
type
  // Signature of the VirtualAllocEx entry point stored in the variable below.
  TVirtualAllocEx = function(hProcess: THandle; lpAddress: Pointer; dwSize, flAllocationType: DWORD; flProtect: DWORD): Pointer; stdcall;

var
  dataloc: string;
  applicationPath: string;
  // NOTE: this unit-level variable shadows the windows unit's VirtualAllocEx
  // for the rest of this implementation section; it is assigned outside this view.
  VirtualAllocEx: TVirtualAllocEx;
function DeviceIoControl(hDevice: THandle; dwIoControlCode: DWORD; lpInBuffer: Pointer; nInBufferSize: DWORD; lpOutBuffer: Pointer; nOutBufferSize: DWORD; var lpBytesReturned: DWORD; lpOverlapped: POverlapped): BOOL; stdcall;
// Unit-local replacement for windows.DeviceIoControl. DBVMPSEUDOHANDLE is not a
// real device handle: requests on it are routed to SecondaryDeviceIoControl
// (the dbvm path); any other handle goes straight to windows.DeviceIoControl.
// Note that the hDevice parameter shadows the unit-level hdevice variable here,
// so the comparison is always against the argument.
const
  DBVMPSEUDOHANDLE = $fff00fff;
begin
  if hDevice<>DBVMPSEUDOHANDLE then
    exit(windows.DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped));

  // dbvm pseudo-handle
  result:=SecondaryDeviceIoControl(dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);
end;
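function isDriverLoaded(SigningIsTheCause: PBOOL): BOOL; stdcall;
// Reports whether a driver handle is open (hdevice <> INVALID_HANDLE_VALUE).
// SigningIsTheCause: optional out-parameter. When the driver is not loaded it
//   receives failedduetodriversigning so the caller can tell a signing failure
//   from other load failures; it is untouched when the driver is loaded.
//   nil is now accepted — the original dereferenced it unconditionally.
begin
  result:=hdevice<>INVALID_HANDLE_VALUE;
  if (not result) and (SigningIsTheCause<>nil) then
    SigningIsTheCause^:=failedduetodriversigning;
end;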
function noIsWow64(processhandle: THandle; var isWow: BOOL): BOOL; stdcall;
// Stand-in with the TIsWow64Process signature: reports "not WOW64" by setting
// isWow to false and returns false. processhandle is ignored. The @isWow<>nil
// test tolerates callers that pass a nil reference for the var parameter.
// Presumably installed when kernel32 lacks IsWow64Process (assignment outside this view).
begin
  result:=false;
  if @isWow=nil then exit;
  isWow:=false;
end;
procedure FSC;
// Raw 32-bit fast-system-call stub: copies the stack pointer into EDX and
// executes SYSENTER. It takes no parameters and is not referenced anywhere in
// the visible part of this unit. NOTE(review): the register setup SYSENTER
// expects is presumably done by the caller — confirm it is still used at all.
asm
mov edx,esp
sysenter
end;
function GetLoadedState: BOOLEAN; stdcall;
// True once the unit holds a device handle other than INVALID_HANDLE_VALUE.
begin
  result:=not (hdevice=INVALID_HANDLE_VALUE);
end;
{$W+}
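procedure ultimap2_disable;
// Stops ultimap2 via IOCTL_CE_DISABLEULTIMAP2. The ioctl is now skipped when no
// driver handle is open, matching the guard used by ultimap2_continue and
// ultimap2_waitForData; the ioctl result is not checked (it never was).
var
  br: dword;
begin
  OutputDebugString('disable ultimap2');
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice,IOCTL_CE_DISABLEULTIMAP2,nil,0,nil,0,br,nil);
end;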
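procedure ultimap2(processid: dword; size: dword; outputfolder: widestring; ranges: TURangeArray);
// Starts ultimap2 for `processid` by issuing IOCTL_CE_ULTIMAP2.
//   size:         forwarded to the driver as BufferSize.
//   outputfolder: directory for the trace output; it must already exist. It is
//                 sent to the driver as '\DosDevices\' + folder with a trailing
//                 PathDelim. An empty string, a folder that does not exist, or a
//                 path that does not fit the fixed filename field is sent as an
//                 empty name (logged via OutputDebugString).
//   ranges:       at most MAXRANGES entries are forwarded; extra ones are dropped.
// The ioctl result is not checked.
// Fix: the original copied the path into inp.filename without a length check, so
// a folder of 200 or more characters overran the record on the stack. The path is
// now rejected instead of truncated, so a trace never silently lands elsewhere.
const
  MAXRANGES = 8;
  MAXNAMECHARS = 199; // filename holds 200 WideChars including the terminator
var
  inp: record
    PID: UINT32;
    BufferSize: UINT32;
    rangecount: UINT32;
    reserved: UINT32;
    range: array[0..MAXRANGES-1] of TURange;
    filename: array[0..MAXNAMECHARS] of WideChar;
  end;
  br: dword;
  i, count: integer;
begin
  OutputDebugString('ultimap2:'+outputfolder);
  zeromemory(@inp, sizeof(inp));
  inp.PID:=processid;
  inp.BufferSize:=size;

  if outputfolder<>'' then
  begin
    if DirectoryExists(outputfolder) then
    begin
      outputfolder:='\DosDevices\'+outputfolder;
      if outputfolder[length(outputfolder)]<>PathDelim then
        outputfolder:=outputfolder+PathDelim;

      if length(outputfolder)>MAXNAMECHARS then
      begin
        OutputDebugString(outputfolder+' is too long for the driver (max '+IntToStr(MAXNAMECHARS)+' characters)');
        outputfolder:='';
      end;
    end
    else
    begin
      OutputDebugString(outputfolder+' could not be found');
      outputfolder:='';
    end;
  end;

  // length(outputfolder) <= MAXNAMECHARS here, so the terminator index is in range.
  for i:=1 to length(outputfolder) do
    inp.filename[i-1]:=outputfolder[i];
  inp.filename[length(outputfolder)]:=#0;

  // Use a signed local for the loop bound so an empty ranges array yields no iterations.
  count:=length(ranges);
  if count>MAXRANGES then
    count:=MAXRANGES;
  inp.rangecount:=count;
  for i:=0 to count-1 do
  begin
    inp.range[i]:=ranges[i];
    OutputDebugString(format('r%d : %x - %x', [i, inp.range[i].startAddress, inp.range[i].endaddress]));
  end;

  deviceiocontrol(hdevice,IOCTL_CE_ULTIMAP2,@inp,sizeof(inp),nil,0,br,nil);
end;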
function ultimap2_waitForData(timeout: dword; var output: TUltimap2DataEvent): boolean;
// Issues IOCTL_CE_ULTIMAP2_WAITFORDATA with `timeout` as input and `output` as
// the result buffer; returns the ioctl's success flag, or false when no driver
// handle is open. The unit of `timeout` is defined by the driver.
var
  returned: dword;
begin
  result:=false;
  if hdevice=INVALID_HANDLE_VALUE then exit;
  result:=deviceiocontrol(hdevice, IOCTL_CE_ULTIMAP2_WAITFORDATA, @timeout, sizeof(timeout), @output, sizeof(TUltimap2DataEvent), returned, nil);
end;
procedure ultimap2_continue(cpunr: integer);
// Sends IOCTL_CE_ULTIMAP2_CONTINUE for `cpunr`; a no-op when no driver handle
// is open. The ioctl result is not checked.
var
  returned: dword;
begin
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice, IOCTL_CE_ULTIMAP2_CONTINUE, @cpunr, sizeof(cpunr), nil, 0, returned, nil);
end;
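procedure ultimap2_flush;
// Sends IOCTL_CE_ULTIMAP2_FLUSH. The ioctl is now skipped when no driver handle
// is open, matching ultimap2_continue; the result is not checked.
var
  br: dword;
begin
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice,IOCTL_CE_ULTIMAP2_FLUSH,nil,0,nil,0,br,nil);
end;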
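procedure ultimap2_pause;
// Sends IOCTL_CE_ULTIMAP2_PAUSE. The ioctl is now skipped when no driver handle
// is open, matching ultimap2_continue; the result is not checked.
var
  br: dword;
begin
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice,IOCTL_CE_ULTIMAP2_PAUSE,nil,0,nil,0,br,nil);
end;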
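procedure ultimap2_resume;
// Sends IOCTL_CE_ULTIMAP2_RESUME. The ioctl is now skipped when no driver handle
// is open, matching ultimap2_continue; the result is not checked.
var
  br: dword;
begin
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice,IOCTL_CE_ULTIMAP2_RESUME,nil,0,nil,0,br,nil);
end;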
procedure ultimap2_lockfile(cpunr: integer);
// Sends IOCTL_CE_ULTIMAP2_LOCKFILE for `cpunr`; a no-op when no driver handle
// is open. The ioctl result is not checked.
var
  returned: dword;
begin
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice, IOCTL_CE_ULTIMAP2_LOCKFILE, @cpunr, sizeof(cpunr), nil, 0, returned, nil);
end;
procedure ultimap2_releasefile(cpunr: integer);
// Sends IOCTL_CE_ULTIMAP2_RELEASEFILE for `cpunr`; a no-op when no driver
// handle is open. The ioctl result is not checked.
var
  returned: dword;
begin
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice, IOCTL_CE_ULTIMAP2_RELEASEFILE, @cpunr, sizeof(cpunr), nil, 0, returned, nil);
end;
function ultimap2_getTraceSize: UINT64;
// Reads the current trace size through IOCTL_CE_ULTIMAP2_GETTRACESIZE, using
// the result variable directly as the 8-byte output buffer. Returns 0 when no
// driver handle is open or when the driver leaves the buffer untouched.
// Not declared in the interface section, so private to this unit.
var
  returned: dword;
begin
  result:=0;
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice, IOCTL_CE_ULTIMAP2_GETTRACESIZE, nil, 0, @result, sizeof(result), returned, nil);
end;
procedure ultimap2_resetTraceSize;
// Sends IOCTL_CE_ULTIMAP2_RESETTRACESIZE; a no-op when no driver handle is
// open. Not declared in the interface section, so private to this unit.
var
  returned: dword;
begin
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice, IOCTL_CE_ULTIMAP2_RESETTRACESIZE, nil, 0, nil, 0, returned, nil);
end;
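procedure dbk_enabledrm;
// Sends IOCTL_CE_ENABLE_DRM with no payload. The ioctl is now skipped when no
// driver handle is open, matching the guard used by the ultimap2_* routines;
// the result is not checked. What the driver does for this code is not visible here.
var
  br: dword;
begin
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice,IOCTL_CE_ENABLE_DRM,nil,0,nil,0,br,nil);
end;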
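procedure dbk_test;
// Sends IOCTL_CE_TEST with no payload (a driver self-test hook; its effect is
// not visible here). The ioctl is now skipped when no driver handle is open,
// matching the guard used by the ultimap2_* routines; the result is not checked.
var
  br: dword;
begin
  OutputDebugString('dbk_test');
  if hdevice=INVALID_HANDLE_VALUE then exit;
  deviceiocontrol(hdevice,IOCTL_CE_TEST,nil,0,nil,0,br,nil);
end;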
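function GetGDT(limit: pword):ptruint; stdcall;
// Asks the driver (IOCTL_CE_GETGDT) for the GDT descriptor as a packed
// {wLimit: word; vector: uint64} pair. Returns the 64-bit base (implicitly
// truncated to ptruint on 32-bit builds) and stores the limit in limit^ when
// limit is non-nil. Returns 0 and leaves limit^ untouched when no driver
// handle is open or the IOCTL fails, so stack garbage from an unfilled
// descriptor is never handed back.
var
  cc, bytesReturned: dword;
  gdtdescriptor: packed record
    wLimit: word;
    vector: uint64;
  end;
begin
  result:=0;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  cc:=IOCTL_CE_GETGDT;
  // sizeof(gdtdescriptor) is 10 (2 + 8) because the record is packed
  if not deviceiocontrol(hdevice, cc, nil, 0, @gdtdescriptor,
                         sizeof(gdtdescriptor), bytesReturned, nil) then
    exit;

  result:=gdtdescriptor.vector;
  outputdebugstring(pchar(format('gdtdescriptor.wlimit=%d',[gdtdescriptor.wlimit])));
  if limit<>nil then
    limit^:=gdtdescriptor.wLimit;
end;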
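function GetIDTCurrentThread:QWORD;
// Asks the driver (IOCTL_CE_GETIDT) for the IDT descriptor as a packed
// {wLimit: word; vector: UINT64} pair and returns the base. On 32-bit builds
// that are not running under WOW64 the base is masked to 32 bits. Returns 0
// when no driver handle is open or the IOCTL fails, so an unfilled
// descriptor is never handed back.
var
  cc, bytesReturned: dword;
  idtdescriptor: packed record
    wLimit: word;
    vector: UINT64;
  end;
begin
  result:=0;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  cc:=IOCTL_CE_GETIDT;
  // sizeof(idtdescriptor) is 10 (2 + 8) because the record is packed
  if not deviceiocontrol(hdevice, cc, nil, 0, @idtdescriptor,
                         sizeof(idtdescriptor), bytesReturned, nil) then
    exit;

  result:=idtdescriptor.vector;
  {$ifdef cpu32}
  if not iswow64 then
    result:=result and $ffffffff;
  {$endif}
end;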
type
// The 0..9999 bound only gives these pointer types an indexable element
// type; the real extent is whatever buffer the caller supplies, so indexing
// is not bounds-checked against that buffer (presumably -- depends on the
// unit's range-check settings, verify).
TptrUintArray=array[0..9999] of ptrUint;
PptrUintArray=^TptrUintArray;
TDwordArray=array[0..9999] of Dword;
PDwordArray=^TDwordArray;
// State shared between GetIDTs and its per-cpu callback internal_GetIDTs.
TGetIDTParams=record
idtstore: PQwordArray; // caller-supplied QWORD array (PQwordArray is declared elsewhere)
maxidts: integer; // capacity of idtstore, in entries
currentindex: integer; // next free slot, i.e. the number of entries written so far
end;
PGetIDTParams=^TGetIDTParams;
function internal_GetIDTs(parameters: pointer): BOOL; stdcall;
// Per-cpu callback for GetIDTs (driven by foreachcpu): appends the value of
// GetIDTCurrentThread to the next free slot of the shared TGetIDTParams.
// Always returns true, even when the store is already full, presumably so
// the enumeration keeps going.
var
  state: PGetIDTParams;
begin
  OutputDebugString('internal_GetIDTs');
  state:=PGetIDTParams(parameters);
  result:=true;
  if state^.currentindex<state^.maxidts then
  begin
    state^.idtstore[state^.currentindex]:=GetIDTCurrentThread;
    inc(state^.currentindex);
  end;
end;
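function GetIDTs(idtstore: pointer; maxidts: integer):integer; stdcall;
// Collects one IDT base per cpu (via foreachcpu/internal_GetIDTs) into
// idtstore, which must have room for maxidts QWORDs; the whole buffer is
// zeroed first. Returns the number of entries written (at most maxidts).
// Returns 0 without touching memory when idtstore is nil or maxidts<=0:
// a negative maxidts would otherwise become a huge ZeroMemory length.
var
  state: TGetIDTParams;
begin
  OutputDebugString('GetIDTs');
  result:=0;
  if (idtstore=nil) or (maxidts<=0) then
    exit;

  ZeroMemory(idtstore, sizeof(QWORD)*maxidts);
  state.idtstore:=idtstore;
  state.maxidts:=maxidts;
  state.currentindex:=0;
  foreachcpu(internal_getidts, @state);
  result:=state.currentindex;
end;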
function GetProcessNameFromPEProcess(peprocess:uint64; buffer:pchar;buffersize:dword):integer; stdcall;
// Asks the driver (IOCTL_CE_GETPROCESSNAMEADDRESS) where the name of the
// given EPROCESS lives and reads at most 16 bytes of it into buffer via
// ReadProcessMemory64. Returns (index of the first #0 in buffer) - 1, or 0
// when no driver handle is open, either call fails, or no #0 is found within
// buffersize bytes.
// NOTE(review): the "-1" looks like an off-by-one (an n-character name
// yields n-1), and a read with no terminator returns 0 while leaving buffer
// unterminated -- callers must not treat buffer as a C string on result 0
// without checking for the #0 themselves. Left as-is; confirm against callers.
const
  MaxNameBytes = 16;
var
  ioBytes: dword;
  bytesRead: PtrUInt;
  nameAddress: uint64;
  idx: integer;
begin
  result:=0;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  if buffersize>MaxNameBytes then
    buffersize:=MaxNameBytes;

  if not deviceiocontrol(hdevice, IOCTL_CE_GETPROCESSNAMEADDRESS,
                         @peprocess, sizeof(peprocess),
                         @nameAddress, sizeof(nameAddress), ioBytes, nil) then
    exit;

  if not ReadProcessMemory64(ownprocess, nameAddress, buffer, buffersize, bytesRead) then
    exit;

  idx:=0;
  while idx<integer(buffersize) do
  begin
    if buffer[idx]=#0 then
      exit(idx-1);
    inc(idx);
  end;
end;
function GetCR0:DWORD; stdcall;
// Reads CR0 through the driver (IOCTL_CE_GETCR0). The driver writes a 64-bit
// value; only its low 32 bits fit the DWORD result. Returns 0 when no driver
// handle is open or the IOCTL fails.
var
  bytesReturned: dword;
  raw: uint64;
begin
  result:=0;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  if deviceiocontrol(hdevice, IOCTL_CE_GETCR0, nil, 0, @raw, sizeof(raw),
                     bytesReturned, nil) then
    result:=raw;
end;
function GetCR4:DWORD; stdcall;
// Reads CR4 through the driver (IOCTL_CE_GETCR4). The driver writes a 64-bit
// value; only its low 32 bits fit the DWORD result. Returns 0 when no driver
// handle is open or the IOCTL fails.
var
  bytesReturned: dword;
  raw: uint64;
begin
  result:=0;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  if deviceiocontrol(hdevice, IOCTL_CE_GETCR4, nil, 0, @raw, sizeof(raw),
                     bytesReturned, nil) then
    result:=raw;
end;
function GetDriverVersion:dword;
// Queries the loaded driver's version (IOCTL_CE_GETVERSION, 4-byte output).
// Returns 0 when no driver handle is open or the IOCTL fails, so 0 cannot be
// distinguished from a driver that reports version 0.
var
  bytesReturned, version: dword;
begin
  result:=0;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  if deviceiocontrol(hdevice, IOCTL_CE_GETVERSION, nil, 0, @version,
                     sizeof(version), bytesReturned, nil) then
    result:=version;
end;
function GetProcessNameFromID(processid:dword; buffer:pointer;buffersize:dword):integer; stdcall;
// Convenience wrapper: resolves processid to its EPROCESS with GetPEProcess
// and forwards to GetProcessNameFromPEProcess, returning its result unchanged.
begin
  exit(GetProcessNameFromPEProcess(GetPEProcess(processid), buffer, buffersize));
end;
function GetThreadsProcessOffset: dword; stdcall;
// Exposes the unit-level ThreadsProcess value (declared elsewhere in this
// unit) to callers.
begin
  GetThreadsProcessOffset:=ThreadsProcess;
end;
function GetThreadListEntryOffset: dword; stdcall;
// Exposes the unit-level ThreadListEntry value (declared elsewhere in this
// unit) to callers.
begin
  GetThreadListEntryOffset:=ThreadListEntry;
end;
function GetDebugportOffset: DWORD; stdcall;
// Exposes the unit-level debugport value (declared elsewhere in this unit)
// to callers.
begin
  GetDebugportOffset:=debugport;
end;
function GetSDTShadow:ptruint; stdcall;
// Exposes the unit-level SDTShadow value (declared elsewhere in this unit)
// to callers.
begin
  GetSDTShadow:=SDTShadow;
end;
function GetSDT:ptruint; stdcall;
// Asks the driver (IOCTL_CE_GETSDT) for the SDT address as a 64-bit value
// and returns it (implicitly truncated to ptruint on 32-bit builds). Returns
// 0 when no driver handle is open or the IOCTL fails.
var
  bytesReturned: dword;
  raw: uint64;
begin
  result:=0;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  if deviceiocontrol(hdevice, IOCTL_CE_GETSDT, nil, 0, @raw, sizeof(raw),
                     bytesReturned, nil) then
    result:=raw;
end;
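function GetCR3(hProcess:THANDLE;var CR3:system.QWORD):BOOL; stdcall;
// Looks hProcess up in handlelist to find its process id, then asks the
// driver (IOCTL_CE_GETCR3) for that process's CR3. Returns true and sets CR3
// on success. When the IOCTL fails CR3 is set to the historical sentinel
// $11223344 (callers may already test for it; GetCR3FromPID uses 0 instead).
// When no driver handle is open or hProcess is not in handlelist, CR3 is set
// to 0 rather than being left at whatever the caller passed in.
var
  cc: dword;
  processid, bytesReturned: dword;
  i: integer;
  driverCR3: uint64;
begin
  result:=false;
  CR3:=0;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  for i:=0 to length(handlelist)-1 do
  begin
    if handlelist[i].processhandle<>hProcess then
      continue;

    cc:=IOCTL_CE_GETCR3;
    processid:=handlelist[i].processid;
    driverCR3:=0;  // keep the debug print deterministic when the IOCTL fails
    result:=deviceiocontrol(hdevice, cc, @processid, sizeof(processid),
                            @driverCR3, sizeof(driverCR3), bytesReturned, nil);
    outputdebugstring(pchar('GetCR3: return '+inttohex(driverCR3,16)));
    if result then
      CR3:=driverCR3
    else
      CR3:=$11223344;
    break;  // the first matching handle decides; no point re-issuing the IOCTL
  end;
end;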
function GetCR3FromPID(pid: system.QWORD;var CR3:system.QWORD):BOOL; stdcall;
// Asks the driver (IOCTL_CE_GETCR3) for the CR3 of the process with id
// `pid`; only the low 32 bits of pid are sent, as the driver takes a dword.
// Returns true and sets CR3 on success; CR3 is 0 when no driver handle is
// open or the IOCTL fails.
var
  processid, bytesReturned: dword;
  driverCR3: uint64;
begin
  CR3:=0;
  result:=false;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  processid:=pid;
  result:=deviceiocontrol(hdevice, IOCTL_CE_GETCR3, @processid, sizeof(processid),
                          @driverCR3, sizeof(driverCR3), bytesReturned, nil);
  outputdebugstring(pchar('GetCR3: return '+inttohex(driverCR3,16)));
  if result then
    CR3:=driverCR3
  else
    CR3:=0;
end;
{function SetCR3(hProcess:THANDLE;CR3: DWORD):BOOL; stdcall;
var cc:dword;
ar: array [0..7] of byte;
x:dword;
i: integer;
begin
result:=false;
if hdevice<>INVALID_HANDLE_VALUE then
begin
for i:=0 to length(handlelist)-1 do
if handlelist[i].processhandle=hProcess then
begin
cc:=IOCTL_CE_SETCR3;
pdword(@ar[0])^:=handlelist[i].processid;
pdword(@ar[4])^:=CR3;
result:=deviceiocontrol(hdevice,cc,@ar[0],4,@ar[0],4,x,nil);
end;
end;
end; }
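function DBKSuspendThread(ThreadID:dword):boolean; stdcall;
// Asks the driver (IOCTL_CE_SUSPENDTHREAD) to suspend the thread with the
// given id. Returns the DeviceIoControl result, or false when no driver
// handle is open. The input buffer and lpBytesReturned are kept in separate
// variables instead of aliasing one dword for both, so the call does not
// depend on DeviceIoControl reading the input before it writes the count.
var
  threadIdBuf, bytesReturned: dword;
begin
  outputdebugstring('DBKSuspendThread');
  result:=false;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  threadIdBuf:=ThreadID;
  result:=deviceiocontrol(hdevice, IOCTL_CE_SUSPENDTHREAD,
                          @threadIdBuf, sizeof(threadIdBuf), nil, 0,
                          bytesReturned, nil);
end;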
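function DBKResumeThread(ThreadID:dword):boolean; stdcall;
// Asks the driver (IOCTL_CE_RESUMETHREAD) to resume the thread with the
// given id. Returns the DeviceIoControl result, or false when no driver
// handle is open. The input buffer and lpBytesReturned are kept in separate
// variables instead of aliasing one dword for both, so the call does not
// depend on DeviceIoControl reading the input before it writes the count.
var
  threadIdBuf, bytesReturned: dword;
begin
  outputdebugstring('DBKResumeThread');
  result:=false;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  threadIdBuf:=ThreadID;
  result:=deviceiocontrol(hdevice, IOCTL_CE_RESUMETHREAD,
                          @threadIdBuf, sizeof(threadIdBuf), nil, 0,
                          bytesReturned, nil);
end;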
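function DBKSuspendProcess(ProcessID:dword):boolean; stdcall;
// Asks the driver (IOCTL_CE_SUSPENDPROCESS) to suspend the process with the
// given id. Returns the DeviceIoControl result, or false when no driver
// handle is open. The input buffer and lpBytesReturned are kept in separate
// variables instead of aliasing one dword for both, so the call does not
// depend on DeviceIoControl reading the input before it writes the count.
var
  processIdBuf, bytesReturned: dword;
begin
  result:=false;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  processIdBuf:=ProcessID;
  result:=deviceiocontrol(hdevice, IOCTL_CE_SUSPENDPROCESS,
                          @processIdBuf, sizeof(processIdBuf), nil, 0,
                          bytesReturned, nil);
end;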
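function DBKResumeProcess(ProcessID:dword):boolean; stdcall;
// Asks the driver (IOCTL_CE_RESUMEPROCESS) to resume the process with the
// given id. Returns the DeviceIoControl result, or false when no driver
// handle is open. The input buffer and lpBytesReturned are kept in separate
// variables instead of aliasing one dword for both, so the call does not
// depend on DeviceIoControl reading the input before it writes the count.
var
  processIdBuf, bytesReturned: dword;
begin
  result:=false;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  processIdBuf:=ProcessID;
  result:=deviceiocontrol(hdevice, IOCTL_CE_RESUMEPROCESS,
                          @processIdBuf, sizeof(processIdBuf), nil, 0,
                          bytesReturned, nil);
end;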
function internal_UserdefinedInterruptHook(parameters: pointer): BOOL; stdcall;
// Per-cpu callback for UserdefinedInterruptHook (driven by foreachcpu):
// forwards the caller's 4 x uint64 parameter record to the driver
// (IOCTL_CE_USERDEFINEDINTERRUPTHOOK) unchanged. Returns the DeviceIoControl
// result, or false when no driver handle is open. The record layout here
// must stay identical to the one built in UserdefinedInterruptHook.
type
  TParams=record
    interruptNumber: uint64;
    newcs: uint64;
    neweip: uint64;
    addressofjumpback: uint64;
  end;
  PParams=^TParams;
var
  request: PParams;
  bytesReturned: dword;
begin
  outputdebugstring('internal_UserdefinedInterruptHook');
  if hdevice=INVALID_HANDLE_VALUE then
    exit(false);

  request:=PParams(parameters);
  result:=deviceiocontrol(hdevice, IOCTL_CE_USERDEFINEDINTERRUPTHOOK,
                          request, sizeof(TParams), nil, 0,
                          bytesReturned, nil);
end;
function UserdefinedInterruptHook(interruptnr: integer; newCS: word; newEIP: uint64; addressofjumpback: uint64):boolean; stdcall;
// Packs the hook description into the 4 x uint64 record that
// internal_UserdefinedInterruptHook expects and runs that callback on every
// cpu via foreachcpu, returning foreachcpu's result. The record layout here
// must stay identical to the TParams type declared in the callback.
var
  request: record
    interruptNumber: uint64;
    newcs: uint64;
    neweip: uint64;
    addressofjumpback: uint64;
  end;
begin
  request.interruptNumber:=interruptnr;
  request.newcs:=newCS;
  request.neweip:=newEIP;
  request.addressofjumpback:=addressofjumpback;
  UserdefinedInterruptHook:=foreachcpu(internal_UserdefinedInterruptHook, @request);
end;
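function GetPhysicalAddress(hProcess:THandle;lpBaseAddress:pointer;var Address:int64): BOOL; stdcall;
// Translates lpBaseAddress in the process behind hProcess to a physical
// address via the driver (IOCTL_CE_GETPHYSICALADDRESS); hProcess is resolved
// to a process id through handlelist. Returns true and sets Address on
// success. Address is 0 when the IOCTL fails, when hProcess is not in
// handlelist, or when no driver handle is open, so it is never left at the
// caller's previous value. The 8-byte output goes into its own variable
// rather than overlaying the input record with `absolute`.
type
  TInputstruct=record
    ProcessID: UINT64;
    BaseAddress: UINT64;
  end;
var
  cc: dword;
  input: TInputStruct;
  physicaladdress: int64;
  bytesReturned: dword;
  i: integer;
begin
  result:=false;
  Address:=0;
  if hdevice=INVALID_HANDLE_VALUE then
    exit;

  cc:=IOCTL_CE_GETPHYSICALADDRESS;
  for i:=0 to length(handlelist)-1 do
  begin
    if handlelist[i].processhandle<>hProcess then
      continue;

    input.ProcessID:=handlelist[i].processid;
    input.BaseAddress:=ptrUint(lpBaseAddress);
    physicaladdress:=0;
    result:=deviceiocontrol(hdevice, cc, @input, sizeof(TInputstruct),
                            @physicaladdress, sizeof(physicaladdress),
                            bytesReturned, nil);
    if result then
      Address:=physicaladdress;
    break;  // the first matching handle decides; no point re-issuing the IOCTL
  end;
end;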
function GetMemoryRanges(var ranges: TPhysicalMemoryRanges): boolean;
var cc: dword;