#ifndef LOADER_H #define LOADER_H #pragma pack(push, 1) struct CRC_INFO { uint32_t Address; uint32_t Size; uint32_t Hash; }; struct FILE_CRC_INFO { uint32_t FileSize; // CRCInfo crc_info[1] }; struct SECTION_INFO { uint32_t Address; uint32_t Size; uint32_t Type; }; struct PACKER_INFO { uint32_t Src; uint32_t Dst; }; struct IAT_INFO { uint32_t Src; uint32_t Dst; uint32_t Size; }; struct DLL_INFO { uint32_t Name; // IMPORT_INFO import_info[1]; }; struct IMPORT_INFO { uint32_t Name; uint32_t Address; int32_t Key; }; struct FIXUP_INFO { uint32_t Address; uint32_t BlockSize; // uint32_t type_offset[1]; }; struct RELOCATION_INFO { uint32_t Address; uint32_t Source; uint32_t Type; }; struct SETUP_IMAGE_DATA { NOINLINE SETUP_IMAGE_DATA() { empty_ = 0; } NOINLINE uint8_t *file_base() { return reinterpret_cast(FACE_FILE_BASE) - empty_; } NOINLINE uint8_t *image_base() { return reinterpret_cast(FACE_IMAGE_BASE) - empty_; } NOINLINE uint32_t options() { return FACE_LOADER_OPTIONS - empty_; } NOINLINE uint32_t storage() { return FACE_LOADER_DATA - empty_; } NOINLINE uint32_t runtime_entry() { return FACE_RUNTIME_ENTRY - empty_; } #ifdef __unix__ NOINLINE uint32_t relro_info() { return FACE_GNU_RELRO_INFO - empty_; } #elif defined(__APPLE__) #elif defined(WIN_DRIVER) #else NOINLINE uint32_t tls_index_info() { return FACE_TLS_INDEX_INFO - empty_; } #endif // file CRC information NOINLINE uint32_t file_crc_info() { return FACE_FILE_CRC_INFO - empty_; } NOINLINE uint32_t file_crc_info_size() { return FACE_FILE_CRC_INFO_SIZE - empty_; } // header and loader CRC information NOINLINE uint32_t loader_crc_info() { return FACE_LOADER_CRC_INFO - empty_; } NOINLINE uint32_t loader_crc_info_size() { return FACE_LOADER_CRC_INFO_SIZE - empty_; } NOINLINE uint32_t loader_crc_info_hash() { return FACE_LOADER_CRC_INFO_HASH - empty_; } // section information NOINLINE uint32_t section_info() { return FACE_SECTION_INFO - empty_; } NOINLINE uint32_t section_info_size() { return FACE_SECTION_INFO_SIZE - empty_; } // packer information NOINLINE uint32_t packer_info() { return FACE_PACKER_INFO - empty_; } NOINLINE uint32_t packer_info_size() { return FACE_PACKER_INFO_SIZE - empty_; } // fixups information NOINLINE uint32_t fixup_info() { return FACE_FIXUP_INFO - empty_; } NOINLINE uint32_t fixup_info_size() { return FACE_FIXUP_INFO_SIZE - empty_; } // relocations information NOINLINE uint32_t relocation_info() { return FACE_RELOCATION_INFO - empty_; } NOINLINE uint32_t relocation_info_size() { return FACE_RELOCATION_INFO_SIZE - empty_; } // IAT information NOINLINE uint32_t iat_info() { return FACE_IAT_INFO - empty_; } NOINLINE uint32_t iat_info_size() { return FACE_IAT_INFO_SIZE - empty_; } // import information NOINLINE uint32_t import_info() { return FACE_IMPORT_INFO - empty_; } NOINLINE uint32_t import_info_size() { return FACE_IMPORT_INFO_SIZE - empty_; } // internal import information NOINLINE uint32_t internal_import_info() { return FACE_INTERNAL_IMPORT_INFO - empty_; } NOINLINE uint32_t internal_import_info_size() { return FACE_INTERNAL_IMPORT_INFO_SIZE - empty_; } // memory CRC information NOINLINE uint32_t memory_crc_info() { return FACE_MEMORY_CRC_INFO - empty_; } NOINLINE uint32_t memory_crc_info_size() { return FACE_MEMORY_CRC_INFO_SIZE - empty_; } NOINLINE uint32_t memory_crc_info_hash() { return FACE_MEMORY_CRC_INFO_HASH - empty_; } // delay import information NOINLINE uint32_t delay_import_info() { return FACE_DELAY_IMPORT_INFO - empty_; } NOINLINE uint32_t delay_import_info_size() { return FACE_DELAY_IMPORT_INFO_SIZE - empty_; } private: uint32_t empty_; }; #pragma pack(pop) #ifndef VMP_GNU #define MAXIMUM_FILENAME_LENGTH 256 typedef struct _SYSTEM_MODULE_ENTRY { #ifdef _WIN64 ULONGLONG Unknown1; ULONGLONG Unknown2; #else ULONG Unknown1; ULONG Unknown2; #endif PVOID BaseAddress; ULONG Size; ULONG Flags; ULONG EntryIndex; USHORT NameLength; // Length of module name not including the path, this field contains valid value only for NTOSKRNL module USHORT PathLength; // Length of 'directory path' part of modulename CHAR Name[MAXIMUM_FILENAME_LENGTH]; } SYSTEM_MODULE_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; #ifdef _WIN64 ULONG Unknown1; #endif SYSTEM_MODULE_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION; typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { BOOLEAN DebuggerEnabled; BOOLEAN DebuggerNotPresent; } SYSTEM_KERNEL_DEBUGGER_INFORMATION; typedef enum _MEMORY_INFORMATION_CLASS { MemoryBasicInformation } MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; #ifdef WIN_DRIVER #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ #define IMAGE_OS2_SIGNATURE 0x454E // NE #define IMAGE_OS2_SIGNATURE_LE 0x454C // LE #define IMAGE_VXD_SIGNATURE 0x454C // LE #define IMAGE_NT_SIGNATURE 0x00004550 // PE00 #pragma pack(push, 2) typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra paragraphs needed WORD e_maxalloc; // Maximum extra paragraphs needed WORD e_ss; // Initial (relative) SS value WORD e_sp; // Initial SP value WORD e_csum; // Checksum WORD e_ip; // Initial IP value WORD e_cs; // Initial (relative) CS value WORD e_lfarlc; // File address of relocation table WORD e_ovno; // Overlay number WORD e_res[4]; // Reserved words WORD e_oemid; // OEM identifier (for e_oeminfo) WORD e_oeminfo; // OEM information; e_oemid specific WORD e_res2[10]; // Reserved words LONG e_lfanew; // File address of new exe header } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; #pragma pack(pop) typedef struct _IMAGE_FILE_HEADER { WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader; WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 typedef struct _IMAGE_OPTIONAL_HEADER { // // Standard fields. // WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; // // NT additional fields. // DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; typedef struct _IMAGE_ROM_OPTIONAL_HEADER { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD BaseOfBss; DWORD GprMask; DWORD CprMask[4]; DWORD GpValue; } IMAGE_ROM_OPTIONAL_HEADER, *PIMAGE_ROM_OPTIONAL_HEADER; typedef struct _IMAGE_OPTIONAL_HEADER64 { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; ULONGLONG ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; ULONGLONG SizeOfStackReserve; ULONGLONG SizeOfStackCommit; ULONGLONG SizeOfHeapReserve; ULONGLONG SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64; typedef struct _IMAGE_NT_HEADERS64 { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER64 OptionalHeader; } IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64; typedef struct _IMAGE_NT_HEADERS { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 OptionalHeader; } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32; typedef struct _IMAGE_ROM_HEADERS { IMAGE_FILE_HEADER FileHeader; IMAGE_ROM_OPTIONAL_HEADER OptionalHeader; } IMAGE_ROM_HEADERS, *PIMAGE_ROM_HEADERS; #ifdef _WIN64 typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS; typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS; #else typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS; typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS; #endif typedef struct _IMAGE_SECTION_HEADER { BYTE Name[8]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table #define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory // IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage) #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP #define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers #define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor #define IMAGE_REL_BASED_ABSOLUTE 0 #define IMAGE_REL_BASED_HIGH 1 #define IMAGE_REL_BASED_LOW 2 #define IMAGE_REL_BASED_HIGHLOW 3 #define IMAGE_REL_BASED_HIGHADJ 4 #define IMAGE_REL_BASED_MIPS_JMPADDR 5 #define IMAGE_REL_BASED_MIPS_JMPADDR16 9 #define IMAGE_REL_BASED_IA64_IMM64 9 #define IMAGE_REL_BASED_DIR64 10 #define IMAGE_ORDINAL_FLAG64 0x8000000000000000 #define IMAGE_ORDINAL_FLAG32 0x80000000 #define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffff) #define IMAGE_ORDINAL32(Ordinal) (Ordinal & 0xffff) #define IMAGE_SNAP_BY_ORDINAL64(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG64) != 0) #define IMAGE_SNAP_BY_ORDINAL32(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG32) != 0) typedef struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD Name; DWORD Base; DWORD NumberOfFunctions; DWORD NumberOfNames; DWORD AddressOfFunctions; // RVA from base of image DWORD AddressOfNames; // RVA from base of image DWORD AddressOfNameOrdinals; // RVA from base of image } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; #define MAX_PATH 260 #define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations. #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded. #define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable. #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable. #define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable. #define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable. #define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable. #define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable. typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 0xb, SystemKernelDebuggerInformation = 0x23, SystemFirmwareTableInformation = 0x4c } SYSTEM_INFORMATION_CLASS; extern "C" { NTKERNELAPI NTSTATUS NTAPI NtQuerySystemInformation( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); } #else #define FILE_OPEN 0x00000001 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 #define FILE_NON_DIRECTORY_FILE 0x00000040 typedef enum _SECTION_INHERIT { ViewShare=1, ViewUnmap=2 } SECTION_INHERIT, *PSECTION_INHERIT; #define SystemModuleInformation (SYSTEM_INFORMATION_CLASS)11 #define SystemKernelDebuggerInformation (SYSTEM_INFORMATION_CLASS)35 #define ThreadHideFromDebugger (THREADINFOCLASS)17 #define ProcessDebugPort (PROCESSINFOCLASS)0x7 #define ProcessDebugObjectHandle (PROCESSINFOCLASS)0x1e #define ProcessDefaultHardErrorMode (PROCESSINFOCLASS)0x0c #define ProcessInstrumentationCallback (PROCESSINFOCLASS)40 #define MemoryMappedFilenameInformation (MEMORY_INFORMATION_CLASS)2 #define STATUS_PORT_NOT_SET ((NTSTATUS)0xC0000353L) #define STATUS_SERVICE_NOTIFICATION ((NTSTATUS)0x40000018L) #define HARDERROR_OVERRIDE_ERRORMODE 0x10000000 #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) #define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 ) typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION { ULONG Version; ULONG Reserved; PVOID Callback; } PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION, *PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION; typedef enum HardErrorResponse { ResponseReturnToCaller, ResponseNotHandled, ResponseAbort, ResponseCancel, ResponseIgnore, ResponseNo, ResponseOk, ResponseRetry, ResponseYes } HardErrorResponse; typedef enum HardErrorResponseButton { ResponseButtonOK, ResponseButtonOKCancel, ResponseButtonAbortRetryIgnore, ResponseButtonYesNoCancel, ResponseButtonYesNo, ResponseButtonRetryCancel, ResponseButtonCancelTryAgainContinue } HardErrorResponseButton; typedef enum HardErrorResponseIcon { IconAsterisk = 0x40, IconError = 0x10, IconExclamation = 0x30, IconHand = 0x10, IconInformation = 0x40, IconNone = 0, IconQuestion = 0x20, IconStop = 0x10, IconWarning = 0x30, IconUserIcon = 0x80 } HardErrorResponseIcon; #define SEC_IMAGE_NO_EXECUTE (SEC_IMAGE | SEC_NOCACHE) enum { WINDOWS_XP = 2600, WINDOWS_2003 = 3790, WINDOWS_VISTA = 6000, WINDOWS_VISTA_SP1 = 6001, WINDOWS_VISTA_SP2 = 6002, WINDOWS_7 = 7600, WINDOWS_7_SP1 = 7601, WINDOWS_8 = 9200, WINDOWS_8_1 = 9600, WINDOWS_10_TH1 = 10240, WINDOWS_10_TH2 = 10586, WINDOWS_10_RS1 = 14393, WINDOWS_10_RS2 = 15063, WINDOWS_10_RS3 = 16299, WINDOWS_10_RS4 = 17134, WINDOWS_10_RS5 = 17763, WINDOWS_10_19H1 = 18362, WINDOWS_10_19H2 = 18363, WINDOWS_10_20H1 = 19041, WINDOWS_10_20H2 = 19042, WINDOWS_10_21H1 = 19043, WINDOWS_10_21H2 = 19044, WINDOWS_10_22H2 = 19045, WINDOWS_11_21H2 = 22000, WINDOWS_11_22H2 = 22621, }; #define IS_KNOWN_WINDOWS_BUILD(b) ( \ (b) == WINDOWS_XP || \ (b) == WINDOWS_2003 || \ (b) == WINDOWS_VISTA || \ (b) == WINDOWS_VISTA_SP1 || \ (b) == WINDOWS_VISTA_SP2 || \ (b) == WINDOWS_7 || \ (b) == WINDOWS_7_SP1 || \ (b) == WINDOWS_8 || \ (b) == WINDOWS_8_1 || \ (b) == WINDOWS_10_TH1 || \ (b) == WINDOWS_10_TH2 || \ (b) == WINDOWS_10_RS1 || \ (b) == WINDOWS_10_RS2 || \ (b) == WINDOWS_10_RS3 || \ (b) == WINDOWS_10_RS4 || \ (b) == WINDOWS_10_RS5 || \ (b) == WINDOWS_10_19H1 || \ (b) == WINDOWS_10_19H2 || \ (b) == WINDOWS_10_20H1 || \ (b) == WINDOWS_10_20H2 || \ (b) == WINDOWS_10_21H1 || \ (b) == WINDOWS_10_21H2 || \ (b) == WINDOWS_10_22H2 \ ) #endif // WIN_DRIVER #endif // VMP_GNU typedef struct _PEB32 { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[0xa1]; ULONG OSMajorVersion; ULONG OSMinorVersion; USHORT OSBuildNumber; } PEB32; typedef struct _PEB64 { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[0x115]; ULONG OSMajorVersion; ULONG OSMinorVersion; USHORT OSBuildNumber; } PEB64; #endif