certspyp.h

  1. /*++
  2.  
  3. Copyright (c) Microsoft Corporation. All right reserved.
  4.  
  5. Module Name:
  6.  
  7. certspyp.h.
  8.  
  9. Abstract:
  10.  
  11. This is a pre-compiled header module for certspy.
  12.  
  13. --*/
  14.  
  15. #if !defined(_CERTSPYP_INCLUDED_)
  16. #define _CERTSPYP_INCLUDED_
  17.  
  18. #if _MSC_VER > 1000
  19. #pragma once
  20. #endif // _MSC_VER > 1000
  21.  
  22. #ifdef __cplusplus
  23. extern "C" {
  24. #endif
  25.  
  26. #include <ntos.h>
  27. #include <mi.h>
  28. #include <ldr.h>
  29. #include <xbeimage.h>
  30. #include <xtl.h>
  31. #include <xbdm.h>
  32. #include <xboxverp.h>
  33.  
#ifndef ARRAYSIZE
// Element count of a true array (not a pointer); used below to size the
// per-ordinal tables from KernelExports.
#define ARRAYSIZE(a) (sizeof(a)/sizeof((a)[0]))
#endif

#ifndef CONSTANT_OBJECT_STRING
// Static initializer for a counted object-manager string built from a
// string literal s. The three values are laid out in the NT counted-string
// order { Length (bytes, without the terminator), MaximumLength (bytes),
// Buffer }, with sizeof(OCHAR) as the element width of the terminator.
#define CONSTANT_OBJECT_STRING(s) { sizeof(s) - sizeof(OCHAR), sizeof(s), s }
#endif

//
// Define bit definition of kernel export flags
//
// These bits are kept per ordinal in KernelExportFlags[] (declared below).
//

#define KEF_INTERCEPT_AT_STARTUP 1   // by name: hook this export as soon as the module starts — confirm in the .c file
  47.  
  48. #pragma pack(1)
  49.  
  50. //
  51. // Define structure of ordinal thunk for Intel x86 processor
  52. //
  53. // Here is what the stub looks like
  54. //
  55. // 60 pushad
  56. // 8d542432 lea edx, [esp+32]
  57. // b9nnnnnnnn mov ecx, OrdinalNumber
  58. // e8nnnnnnnn call @CertSpyLogOrdinalCall
  59. // 61 popad
  60. // e9nnnnnnnn jmp OriginalFunction
  61. //
  62.  
//
// Byte image of the 21-byte x86 stub placed in front of an intercepted
// export (see the listing above). Members are in instruction order and the
// enclosing #pragma pack(1) keeps the DWORD operands unaligned, so the
// struct matches the machine code byte for byte; do not reorder or widen
// any member.
//
// The E8 (call) and E9 (jmp) operands are rel32 displacements measured from
// the end of their own instruction, not absolute addresses, despite the
// "Immediate"/"Offset" naming.
//
// NOTE(review): the listing above shows the LEA bytes as 8d 54 24 32 but the
// mnemonic as [esp+32]; a PUSHAD frame is 32 bytes = 0x20, so one of the two
// is off by notation — confirm against the bytes the .c file actually emits.
//
typedef struct {

    BYTE __pushad;                  // 60          pushad: save all eight GPRs (32 bytes)
    DWORD __lea_edx_esp_plus_32;    // 8d 54 24 xx lea edx, [esp+xx]: meant to point edx just past the
                                    //             PUSHAD frame, i.e. at the intercepted call's return
                                    //             address and its stack arguments
    BYTE __mov_ecx_immediate;       // b9          mov ecx, imm32
    DWORD ImmediateValue;           //             imm32: the ordinal number handed to the log routine
    BYTE __call_LogFunction;        // e8          call rel32
    DWORD OffsetOfLogFunction;      //             rel32 to CertSpyLogOrdinalCall
    BYTE __popad;                   // 61          popad: restore the saved registers
    BYTE __jmp_far;                 // e9          jmp rel32 (a near relative jump, not a far jump)
    DWORD ImmediateJmpAddress;      //             rel32 to the original export

} ORDINAL_THUNK, *PORDINAL_THUNK;
  76.  
//
// Tags describing how each argument of an intercepted export is to be
// interpreted, one byte per argument in KERNEL_EXPORT_API.Parameters.
// PT_NONE is 0 so that the zero-filled tail of a Parameters[] row
// terminates the list. Meanings below follow the names and the way the
// table uses them; confirm the decoding in the log routine.
//
typedef enum {

    PT_NONE = 0,    // no (further) argument
    PT_LONG,        // 32-bit word recorded as-is (values, handles and opaque pointers alike)
    PT_LONGLONG,    // 64-bit value passed by value, e.g. the DueTime of KeSetTimer — presumably two stack slots
    PT_PSTR,        // pointer to a NUL-terminated ANSI string (DbgPrint, RtlSnprintf ...)
    PT_PWSTR,       // pointer to a NUL-terminated wide string (RtlInitUnicodeString ...)
    PT_POOLTAG,     // four-character pool tag (ExAllocatePoolWithTag)
    PT_PSTRING,     // pointer to a counted ANSI STRING (RtlInitAnsiString, IoCreateDevice ...)
    PT_POBJATTR,    // pointer to OBJECT_ATTRIBUTES (NtCreateFile, ObOpenObjectByName ...)
    PT_PUSTRING     // pointer to a counted UNICODE_STRING (RtlCopyUnicodeString ...)

} PARAMETER_TYPE;
  90.  
  91. //
  92. // Define the structure of xboxkrnl export functions and their parameter
  93. // encoding
  94. //
  95.  
//
// One row of the export table below. Under #pragma pack(1) like the thunk,
// although no padding would arise on x86 for this layout anyway.
//
typedef struct {

    PCSTR FunctionName;     // export name; NULL for data exports and unused ordinals
    UCHAR Parameters[12];   // PARAMETER_TYPE tag per argument, in call order; slots after the
                            // last argument are zero (PT_NONE). The longest row in the table
                            // uses 10 tags, so every row keeps a terminating PT_NONE.
    PORDINAL_THUNK Thunk;   // never initialised by the const table (stays NULL); the live stub
                            // appears to be tracked in InterceptThunks[] instead — confirm

} KERNEL_EXPORT_API, *PKERNEL_EXPORT_API;
  103.  
  104. #pragma pack()
  105.  
  106. //
  107. // List of xboxkrnl.exe export functions and byte-encoded parameters
  108. //
  109.  
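//
// List of xboxkrnl.exe export functions and byte-encoded parameters.
//
// The array is indexed by export ordinal: slot 0 is a placeholder because
// ordinals start at 1. Each row's trailing initializers fill Parameters[]
// in argument order; slots not listed are zero, i.e. PT_NONE, which
// doubles as the end-of-list marker. Rows with a NULL FunctionName appear
// to be data exports (named in the trailing comment) rather than
// functions; they carry no parameter encoding and use PT_NONE, not NULL,
// for the first Parameters byte so the initializer is an integer rather
// than a pointer constant (NULL may expand to ((void *)0) in C).
//
// The Xc* crypto rows are tagged PT_LONG only, so — assuming PT_LONG logs
// the raw word — the logger never dereferences key or message buffers;
// keep it that way if the table is extended.
//
// NOTE(review): a non-static const array at file scope has external
// linkage in C, so including this header from more than one translation
// unit would produce duplicate definitions; fine for a single precompiled
// module, but confirm before reusing the header elsewhere.
//

const KERNEL_EXPORT_API KernelExports[] = {

    { NULL, PT_NONE },                              // 0: ordinals are 1-based
    { "AvGetSavedDataAddress", PT_NONE },
    { "AvSendTVEncoderOption", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "AvSetDisplayMode", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "AvSetSavedDataAddress", PT_NONE },
    { "DbgBreakPoint", PT_NONE },
    { "DbgBreakPointWithStatus", PT_LONG },
    { "DbgLoadImageSymbols", PT_PSTRING, PT_LONG, PT_LONG },
    { "DbgPrint", PT_PSTR },
    { "HalReadSMCTrayState", PT_LONG, PT_LONG },
    { "DbgPrompt", PT_PSTR, PT_LONG, PT_LONG },
    { "DbgUnLoadImageSymbols", PT_PSTRING, PT_LONG, PT_LONG },
    { "ExAcquireReadWriteLockExclusive", PT_LONG },
    { "ExAcquireReadWriteLockShared", PT_LONG },
    { "ExAllocatePool", PT_LONG },
    { "ExAllocatePoolWithTag", PT_LONG, PT_POOLTAG },
    { NULL, PT_NONE },                              // ExEventObjectType
    { "ExFreePool", PT_LONG },
    { "ExInitializeReadWriteLock", PT_LONG },
    { "ExInterlockedAddLargeInteger", PT_LONG, PT_LONGLONG },
    { "ExInterlockedAddLargeStatistic", PT_LONG, PT_LONG },
    { "ExInterlockedCompareExchange64", PT_LONG, PT_LONG, PT_LONG },
    { NULL, PT_NONE },                              // ExMutantObjectType
    { "ExQueryPoolBlockSize", PT_LONG },
    { "ExQueryNonVolatileSetting", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "ExReadWriteRefurbInfo", PT_LONG, PT_LONG, PT_LONG },
    { "ExRaiseException", PT_LONG },
    { "ExRaiseStatus", PT_LONG },
    { "ExReleaseReadWriteLock", PT_LONG },
    { "ExSaveNonVolatileSetting", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { NULL, PT_NONE },                              // ExSemaphoreObjectType
    { NULL, PT_NONE },                              // ExTimerObjectType
    { "ExfInterlockedInsertHeadList", PT_NONE },
    { "ExfInterlockedInsertTailList", PT_NONE },
    { "ExfInterlockedRemoveHeadList", PT_NONE },
    { "FscGetCacheSize", PT_NONE },
    { "FscInvalidateIdleBlocks", PT_NONE },
    { "FscSetCacheSize", PT_LONG },
    { "HalClearSoftwareInterrupt", PT_NONE },
    { "HalDisableSystemInterrupt", PT_LONG },
    { NULL, PT_NONE },                              // HalDiskCachePartitionCount
    { NULL, PT_NONE },                              // HalDiskModelNumber
    { NULL, PT_NONE },                              // HalDiskSerialNumber
    { "HalEnableSystemInterrupt", PT_LONG, PT_LONG },
    { "HalGetInterruptVector", PT_LONG, PT_LONG },
    { "HalReadSMBusValue", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "HalReadWritePCISpace", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "HalRegisterShutdownNotification", PT_LONG, PT_LONG },
    { "HalRequestSoftwareInterrupt", PT_LONG },
    { "HalReturnToFirmware", PT_LONG },
    { "HalWriteSMBusValue", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "InterlockedCompareExchange", PT_LONG, PT_LONG, PT_LONG },
    { "InterlockedDecrement", PT_LONG },
    { "InterlockedIncrement", PT_LONG },
    { "InterlockedExchange", PT_LONG, PT_LONG },
    { "InterlockedExchangeAdd", PT_LONG, PT_LONG },
    { "InterlockedFlushSList", PT_LONG },
    { "InterlockedPopEntrySList", PT_LONG },
    { "InterlockedPushEntrySList", PT_LONG, PT_LONG },
    { "IoAllocateIrp", PT_LONG },
    { "IoBuildAsynchronousFsdRequest", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IoBuildDeviceIoControlRequest", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IoBuildSynchronousFsdRequest", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IoCheckShareAccess", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { NULL, PT_NONE },                              // IoCompletionObjectType
    { "IoCreateDevice", PT_LONG, PT_LONG, PT_PSTRING, PT_LONG, PT_LONG, PT_LONG },
    { "IoCreateFile", PT_LONG, PT_LONG, PT_POBJATTR, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IoCreateSymbolicLink", PT_PSTRING, PT_PSTRING },
    { "IoDeleteDevice", PT_LONG },
    { "IoDeleteSymbolicLink", PT_PSTRING },
    { NULL, PT_NONE },                              // IoDeviceObjectType
    { NULL, PT_NONE },                              // IoFileObjectType
    { "IoFreeIrp", PT_LONG },
    { "IoInitializeIrp", PT_LONG, PT_LONG, PT_LONG },
    { "IoInvalidDeviceRequest", PT_LONG, PT_LONG },
    { "IoQueryFileInformation", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IoQueryVolumeInformation", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IoQueueThreadIrp", PT_LONG },
    { "IoRemoveShareAccess", PT_LONG, PT_LONG },
    { "IoSetIoCompletion", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IoSetShareAccess", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IoStartNextPacket", PT_LONG },
    { "IoStartNextPacketByKey", PT_LONG, PT_LONG },
    { "IoStartPacket", PT_LONG, PT_LONG, PT_LONG },
    { "IoSynchronousDeviceIoControlRequest", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IoSynchronousFsdRequest", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "IofCallDriver", PT_NONE },
    { "IofCompleteRequest", PT_NONE },
    { NULL, PT_NONE },                              // KdDebuggerEnabled
    { NULL, PT_NONE },                              // KdDebuggerNotPresent
    { "IoDismountVolume", PT_LONG },
    { "IoDismountVolumeByName", PT_PSTRING },
    { "KeAlertResumeThread", PT_LONG },
    { "KeAlertThread", PT_LONG, PT_LONG },
    { "KeBoostPriorityThread", PT_LONG, PT_LONG },
    { "KeBugCheck", PT_LONG },
    { "KeBugCheckEx", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "KeCancelTimer", PT_LONG },
    { "KeConnectInterrupt", PT_LONG },
    { "KeDelayExecutionThread", PT_LONG, PT_LONG, PT_LONG },
    { "KeDisconnectInterrupt", PT_LONG },
    { "KeEnterCriticalRegion", PT_NONE },
    { NULL, PT_NONE },                              // MmGlobalData
    { "KeGetCurrentIrql", PT_NONE },
    { "KeGetCurrentThread", PT_NONE },
    { "KeInitializeApc", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "KeInitializeDeviceQueue", PT_LONG },
    { "KeInitializeDpc", PT_LONG, PT_LONG, PT_LONG },
    { "KeInitializeEvent", PT_LONG, PT_LONG, PT_LONG },
    { "KeInitializeInterrupt", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "KeInitializeMutant", PT_LONG, PT_LONG },
    { "KeInitializeQueue", PT_LONG, PT_LONG },
    { "KeInitializeSemaphore", PT_LONG, PT_LONG, PT_LONG },
    { "KeInitializeTimerEx", PT_LONG, PT_LONG },
    { "KeInsertByKeyDeviceQueue", PT_LONG, PT_LONG, PT_LONG },
    { "KeInsertDeviceQueue", PT_LONG, PT_LONG },
    { "KeInsertHeadQueue", PT_LONG, PT_LONG },
    { "KeInsertQueue", PT_LONG, PT_LONG },
    { "KeInsertQueueApc", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "KeInsertQueueDpc", PT_LONG, PT_LONG, PT_LONG },
    { NULL, PT_NONE },                              // KeInterruptTime
    { "KeIsExecutingDpc", PT_NONE },
    { "KeLeaveCriticalRegion", PT_NONE },
    { "KePulseEvent", PT_LONG, PT_LONG, PT_LONG },
    { "KeQueryBasePriorityThread", PT_LONG },
    { "KeQueryInterruptTime", PT_NONE },
    { "KeQueryPerformanceCounter", PT_NONE },
    { "KeQueryPerformanceFrequency", PT_NONE },
    { "KeQuerySystemTime", PT_LONG },
    { "KeRaiseIrqlToDpcLevel", PT_NONE },
    { "KeRaiseIrqlToSynchLevel", PT_NONE },
    { "KeReleaseMutant", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "KeReleaseSemaphore", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "KeRemoveByKeyDeviceQueue", PT_LONG, PT_LONG },
    { "KeRemoveDeviceQueue", PT_LONG },
    { "KeRemoveEntryDeviceQueue", PT_LONG, PT_LONG },
    { "KeRemoveQueue", PT_LONG, PT_LONG, PT_LONG },
    { "KeRemoveQueueDpc", PT_LONG },
    { "KeResetEvent", PT_LONG },
    { "KeRestoreFloatingPointState", PT_LONG },
    { "KeResumeThread", PT_LONG },
    { "KeRundownQueue", PT_LONG },
    { "KeSaveFloatingPointState", PT_LONG },
    { "KeSetBasePriorityThread", PT_LONG, PT_LONG },
    { "KeSetDisableBoostThread", PT_LONG, PT_LONG },
    { "KeSetEvent", PT_LONG, PT_LONG, PT_LONG },
    { "KeSetEventBoostPriority", PT_LONG, PT_LONG },
    { "KeSetPriorityProcess", PT_LONG, PT_LONG },
    { "KeSetPriorityThread", PT_LONG, PT_LONG },
    { "KeSetTimer", PT_LONG, PT_LONGLONG, PT_LONG },
    { "KeSetTimerEx", PT_LONG, PT_LONGLONG, PT_LONG, PT_LONG },
    { "KeStallExecutionProcessor", PT_LONG },
    { "KeSuspendThread", PT_LONG },
    { "KeSynchronizeExecution", PT_LONG, PT_LONG, PT_LONG },
    { NULL, PT_NONE },                              // KeSystemTime
    { "KeTestAlertThread", PT_LONG },
    { NULL, PT_NONE },                              // KeTickCount
    { NULL, PT_NONE },                              // KeTimeIncrement
    { "KeWaitForMultipleObjects", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "KeWaitForSingleObject", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "KfRaiseIrql", PT_NONE },
    { "KfLowerIrql", PT_NONE },
    { NULL, PT_NONE },                              // KiBugCheckData
    { "KiUnlockDispatcherDatabase", PT_LONG },
    { NULL, PT_NONE },                              // LaunchDataPage
    { "MmAllocateContiguousMemory", PT_LONG },
    { "MmAllocateContiguousMemoryEx", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "MmAllocateSystemMemory", PT_LONG, PT_LONG },
    { "MmClaimGpuInstanceMemory", PT_LONG, PT_LONG },
    { "MmCreateKernelStack", PT_LONG, PT_LONG },
    { "MmDeleteKernelStack", PT_LONG, PT_LONG },
    { "MmFreeContiguousMemory", PT_LONG },
    { "MmFreeSystemMemory", PT_LONG, PT_LONG },
    { "MmGetPhysicalAddress", PT_LONG },
    { "MmIsAddressValid", PT_LONG },
    { "MmLockUnlockBufferPages", PT_LONG, PT_LONG, PT_LONG },
    { "MmLockUnlockPhysicalPage", PT_LONG, PT_LONG },
    { "MmMapIoSpace", PT_LONG, PT_LONG, PT_LONG },
    { "MmPersistContiguousMemory", PT_LONG, PT_LONG, PT_LONG },
    { "MmQueryAddressProtect", PT_LONG },
    { "MmQueryAllocationSize", PT_LONG },
    { "MmQueryStatistics", PT_LONG },
    { "MmSetAddressProtect", PT_LONG, PT_LONG, PT_LONG },
    { "MmUnmapIoSpace", PT_LONG, PT_LONG },
    { "NtAllocateVirtualMemory", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtCancelTimer", PT_LONG, PT_LONG },
    { "NtClearEvent", PT_LONG },
    { "NtClose", PT_LONG },
    { "NtCreateDirectoryObject", PT_LONG, PT_POBJATTR },
    { "NtCreateEvent", PT_LONG, PT_POBJATTR, PT_LONG, PT_LONG },
    { "NtCreateFile", PT_LONG, PT_LONG, PT_POBJATTR, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtCreateIoCompletion", PT_LONG, PT_LONG, PT_POBJATTR, PT_LONG },
    { "NtCreateMutant", PT_LONG, PT_POBJATTR, PT_LONG },
    { "NtCreateSemaphore", PT_LONG, PT_POBJATTR, PT_LONG, PT_LONG },
    { "NtCreateTimer", PT_LONG, PT_POBJATTR, PT_LONG },
    { "NtDeleteFile", PT_POBJATTR },
    { "NtDeviceIoControlFile", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtDuplicateObject", PT_LONG, PT_LONG, PT_LONG },
    { "NtFlushBuffersFile", PT_LONG, PT_LONG },
    { "NtFreeVirtualMemory", PT_LONG, PT_LONG, PT_LONG },
    { "NtFsControlFile", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtOpenDirectoryObject", PT_LONG, PT_POBJATTR },
    { "NtOpenFile", PT_LONG, PT_LONG, PT_POBJATTR, PT_LONG, PT_LONG, PT_LONG },
    { "NtOpenSymbolicLinkObject", PT_LONG, PT_POBJATTR },
    { "NtProtectVirtualMemory", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtPulseEvent", PT_LONG, PT_LONG },
    { "NtQueueApcThread", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtQueryDirectoryFile", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_PSTRING, PT_LONG },
    { "NtQueryDirectoryObject", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtQueryEvent", PT_LONG, PT_LONG },
    { "NtQueryFullAttributesFile", PT_POBJATTR, PT_LONG },
    { "NtQueryInformationFile", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtQueryIoCompletion", PT_LONG, PT_LONG },
    { "NtQueryMutant", PT_LONG, PT_LONG },
    { "NtQuerySemaphore", PT_LONG, PT_LONG },
    { "NtQuerySymbolicLinkObject", PT_LONG, PT_PSTRING, PT_LONG },
    { "NtQueryTimer", PT_LONG, PT_LONG },
    { "NtQueryVirtualMemory", PT_LONG, PT_LONG },
    { "NtQueryVolumeInformationFile", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtReadFile", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtReadFileScatter", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtReleaseMutant", PT_LONG, PT_LONG },
    { "NtReleaseSemaphore", PT_LONG, PT_LONG, PT_LONG },
    { "NtRemoveIoCompletion", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtResumeThread", PT_LONG, PT_LONG },
    { "NtSetEvent", PT_LONG, PT_LONG },
    { "NtSetInformationFile", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtSetIoCompletion", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtSetSystemTime", PT_LONG, PT_LONG },
    { "NtSetTimerEx", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtSignalAndWaitForSingleObjectEx", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtSuspendThread", PT_LONG, PT_LONG },
    { "NtUserIoApcDispatcher", PT_LONG, PT_LONG, PT_LONG },
    { "NtWaitForSingleObject", PT_LONG, PT_LONG, PT_LONG },
    { "NtWaitForSingleObjectEx", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtWaitForMultipleObjectsEx", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtWriteFile", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtWriteFileGather", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "NtYieldExecution", PT_NONE },
    { "ObCreateObject", PT_LONG, PT_POBJATTR, PT_LONG, PT_LONG },
    { NULL, PT_NONE },                              // ObDirectoryObjectType
    { "ObInsertObject", PT_LONG, PT_POBJATTR, PT_LONG, PT_LONG },
    { "ObMakeTemporaryObject", PT_LONG },
    { "ObOpenObjectByName", PT_POBJATTR, PT_LONG, PT_LONG, PT_LONG },
    { "ObOpenObjectByPointer", PT_LONG, PT_LONG, PT_LONG },
    { NULL, PT_NONE },                              // ObpObjectHandleTable
    { "ObReferenceObjectByHandle", PT_LONG, PT_LONG, PT_LONG },
    { "ObReferenceObjectByName", PT_PSTRING, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "ObReferenceObjectByPointer", PT_LONG, PT_LONG },
    { NULL, PT_NONE },                              // ObSymbolicLinkObjectType
    { "ObfDereferenceObject", PT_NONE },
    { "ObfReferenceObject", PT_NONE },
    { "PhyGetLinkState", PT_LONG },
    { "PhyInitialize", PT_LONG, PT_LONG },
    { "PsCreateSystemThread", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "PsCreateSystemThreadEx", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "PsQueryStatistics", PT_LONG },
    { "PsSetCreateThreadNotifyRoutine", PT_LONG },
    { "PsTerminateSystemThread", PT_LONG },
    { NULL, PT_NONE },                              // PsThreadObjectType
    { "RtlAnsiStringToUnicodeString", PT_PUSTRING, PT_PSTRING, PT_LONG },
    { "RtlAppendStringToString", PT_PSTRING, PT_PSTRING },
    { "RtlAppendUnicodeStringToString", PT_PUSTRING, PT_PUSTRING },
    { "RtlAppendUnicodeToString", PT_PUSTRING, PT_PWSTR },
    { "RtlAssert", PT_PSTR, PT_PSTR, PT_LONG, PT_PSTR },
    { "RtlCaptureContext", PT_LONG },
    { "RtlCaptureStackBackTrace", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "RtlCharToInteger", PT_PSTR, PT_LONG, PT_LONG },
    { "RtlCompareMemory", PT_LONG, PT_LONG, PT_LONG },
    { "RtlCompareMemoryUlong", PT_LONG, PT_LONG, PT_LONG },
    { "RtlCompareString", PT_PSTRING, PT_PSTRING, PT_LONG },
    { "RtlCompareUnicodeString", PT_PUSTRING, PT_PUSTRING, PT_LONG },
    { "RtlCopyString", PT_PSTRING, PT_PSTRING },
    { "RtlCopyUnicodeString", PT_PUSTRING, PT_PUSTRING },
    { "RtlCreateUnicodeString", PT_PUSTRING, PT_PWSTR },
    { "RtlDowncaseUnicodeChar", PT_LONG },
    { "RtlDowncaseUnicodeString", PT_PUSTRING, PT_PUSTRING, PT_LONG },
    { "RtlEnterCriticalSection", PT_LONG },
    { "RtlEnterCriticalSectionAndRegion", PT_LONG },
    { "RtlEqualString", PT_PSTRING, PT_PSTRING, PT_LONG },
    { "RtlEqualUnicodeString", PT_PUSTRING, PT_PUSTRING, PT_LONG },
    { "RtlExtendedIntegerMultiply", PT_LONGLONG, PT_LONG },
    { "RtlExtendedLargeIntegerDivide", PT_LONGLONG, PT_LONG, PT_LONG },
    { "RtlExtendedMagicDivide", PT_LONGLONG, PT_LONGLONG, PT_LONG },
    { "RtlFillMemory", PT_LONG, PT_LONG, PT_LONG },
    { "RtlFillMemoryUlong", PT_LONG, PT_LONG, PT_LONG },
    { "RtlFreeAnsiString", PT_PSTRING },
    { "RtlFreeUnicodeString", PT_PUSTRING },
    { "RtlGetCallersAddress", PT_LONG, PT_LONG },
    { "RtlInitAnsiString", PT_PSTRING, PT_PSTR },
    { "RtlInitUnicodeString", PT_PUSTRING, PT_PWSTR },
    { "RtlInitializeCriticalSection", PT_LONG },
    { "RtlIntegerToChar", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "RtlIntegerToUnicodeString", PT_LONG, PT_LONG, PT_PUSTRING },
    { "RtlLeaveCriticalSection", PT_LONG },
    { "RtlLeaveCriticalSectionAndRegion", PT_LONG },
    { "RtlLowerChar", PT_LONG },
    { "RtlMapGenericMask", PT_LONG, PT_LONG },
    { "RtlMoveMemory", PT_LONG, PT_LONG, PT_LONG },
    { "RtlMultiByteToUnicodeN", PT_LONG, PT_LONG, PT_LONG, PT_PSTR, PT_LONG },
    { "RtlMultiByteToUnicodeSize", PT_LONG, PT_PSTR, PT_LONG },
    { "RtlNtStatusToDosError", PT_LONG },
    { "RtlRaiseException", PT_LONG },
    { "RtlRaiseStatus", PT_LONG },
    { "RtlTimeFieldsToTime", PT_LONG, PT_LONG },
    { "RtlTimeToTimeFields", PT_LONG, PT_LONG },
    { "RtlTryEnterCriticalSection", PT_LONG },
    { "RtlUlongByteSwap", PT_LONG },
    { "RtlUnicodeStringToAnsiString", PT_PSTRING, PT_PUSTRING, PT_LONG },
    { "RtlUnicodeStringToInteger", PT_PUSTRING, PT_LONG, PT_LONG },
    { "RtlUnicodeToMultiByteN", PT_LONG, PT_LONG, PT_LONG, PT_PWSTR, PT_LONG },
    { "RtlUnicodeToMultiByteSize", PT_LONG, PT_PUSTRING, PT_LONG },
    { "RtlUnwind", PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "RtlUpcaseUnicodeChar", PT_LONG },
    { "RtlUpcaseUnicodeString", PT_PUSTRING, PT_PUSTRING, PT_LONG },
    { "RtlUpcaseUnicodeToMultiByteN", PT_LONG, PT_LONG, PT_LONG, PT_PWSTR, PT_LONG },
    { "RtlUpperChar", PT_LONG },
    { "RtlUpperString", PT_PSTRING, PT_PSTRING },
    { "RtlUshortByteSwap", PT_LONG },
    { "RtlWalkFrameChain", PT_LONG, PT_LONG, PT_LONG },
    { "RtlZeroMemory", PT_LONG, PT_LONG },
    { NULL, PT_NONE },                              // XboxEEPROMKey
    { NULL, PT_NONE },                              // XboxHardwareInfo
    { NULL, PT_NONE },                              // XboxHDKey
    { NULL, PT_NONE },                              // XboxKrnlVersion
    { NULL, PT_NONE },                              // XboxSignatureKey
    { NULL, PT_NONE },                              // XeImageFileName
    { "XeLoadSection", PT_LONG },
    { "XeUnloadSection", PT_LONG },
    { "READ_PORT_BUFFER_UCHAR", PT_LONG, PT_LONG, PT_LONG },
    { "READ_PORT_BUFFER_USHORT", PT_LONG, PT_LONG, PT_LONG },
    { "READ_PORT_BUFFER_ULONG", PT_LONG, PT_LONG, PT_LONG },
    { "WRITE_PORT_BUFFER_UCHAR", PT_LONG, PT_LONG, PT_LONG },
    { "WRITE_PORT_BUFFER_USHORT", PT_LONG, PT_LONG, PT_LONG },
    { "WRITE_PORT_BUFFER_ULONG", PT_LONG, PT_LONG, PT_LONG },
    { "XcSHAInit", PT_LONG },
    { "XcSHAUpdate", PT_LONG, PT_LONG, PT_LONG },
    { "XcSHAFinal", PT_LONG, PT_LONG },
    { "XcRC4Key", PT_LONG, PT_LONG, PT_LONG },
    { "XcRC4Crypt", PT_LONG, PT_LONG, PT_LONG },
    { "XcHMAC", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "XcPKEncPublic", PT_LONG, PT_LONG, PT_LONG },
    { "XcPKDecPrivate", PT_LONG, PT_LONG, PT_LONG },
    { "XcPKGetKeyLen", PT_LONG },
    { "XcVerifyPKCS1Signature", PT_LONG, PT_LONG, PT_LONG },
    { "XcModExp", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "XcDESKeyParity", PT_LONG, PT_LONG },
    { "XcKeyTable", PT_LONG, PT_LONG, PT_LONG },
    { "XcBlockCrypt", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "XcBlockCryptCBC", PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG, PT_LONG },
    { "XcCryptService", PT_LONG, PT_LONG },
    { "XcUpdateCrypto", PT_LONG, PT_LONG },
    { "RtlRip", PT_PSTR, PT_PSTR, PT_PSTR },
    { NULL, PT_NONE },                              // XboxLANKey
    { NULL, PT_NONE },                              // XboxAlternateSignatureKeys
    { NULL, PT_NONE },                              // XePublicKeyData
    { NULL, PT_NONE },                              // HalBootSMCVideoMode
    { NULL, PT_NONE },                              // IdexChannelObject
    { "HalIsResetOrShutdownPending", PT_NONE },
    { "IoMarkIrpMustComplete", PT_LONG },
    { "HalInitiateShutdown", PT_NONE },
    { "RtlSnprintf", PT_PSTR, PT_LONG, PT_PSTR },
    { "RtlSprintf", PT_PSTR, PT_PSTR },
    { "RtlVsnprintf", PT_PSTR, PT_LONG, PT_PSTR, PT_LONG },
    { "RtlVsprintf", PT_PSTR, PT_PSTR, PT_LONG },
    { "HalEnableSecureTrayEject", PT_NONE },
    { "HalWriteSMCScratchRegister", PT_LONG },
    { NULL, PT_NONE },                              // Unused
    { NULL, PT_NONE },                              // Unused
    { NULL, PT_NONE },                              // Unused
    { "XProfpControl", PT_LONG, PT_LONG },
    { "XProfpGetData", PT_NONE },
    { "IrtClientInitFast", PT_NONE },
    { "IrtSweep", PT_LONG },
    { "MmDbgAllocateMemory", PT_LONG, PT_LONG },
    { "MmDbgFreeMemory", PT_LONG, PT_LONG },
    { "MmDbgQueryAvailablePages", PT_NONE },
    { "MmDbgReleaseAddress", PT_LONG, PT_LONG },
    { "MmDbgWriteCheck", PT_LONG, PT_LONG },
};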
  492.  
// Number of rows in KernelExports: one per ordinal, including the slot-0
// placeholder. Any ordinal used to index the arrays below must be checked
// against this bound first.
//
// NOTE(review): a `static const` object is not an integer constant
// expression in C, so the extern array bounds below are only valid when this
// header is compiled as C++; an enum or macro would work in both languages.
// Confirm which translation units include this header.
static const SIZE_T KernelExportSize = ARRAYSIZE(KernelExports);

// Per-ordinal state defined elsewhere (presumably the module's .c file),
// all sized by the export table so they stay in step with it.
extern BYTE KernelExportFlags[KernelExportSize];        // KEF_* bits for each ordinal
extern PORDINAL_THUNK InterceptThunks[KernelExportSize]; // intercept stub per ordinal — presumably NULL when not hooked; confirm
extern PIMAGE_THUNK_DATA ImageThunks[KernelExportSize];  // import-thunk entry per ordinal — presumably the slot that is redirected; confirm
  498.  
//
// Handler for the CertSpy debug-monitor command; the signature appears to
// be the XBDM command-processor callback shape from xbdm.h.
//
//   szCommand   - IN  command text received over the debug channel. It
//                 originates outside the title, so parse it defensively.
//   szResponse  - OUT caller-owned reply buffer.
//   cchResponse - IN  size of szResponse in characters; every write to the
//                 reply, including the terminator, must stay within it.
//   pdmcc       - IN  XBDM command continuation context — presumably for
//                 multi-part replies; confirm against xbdm.h.
//
// Returns an HRESULT; the specific values are defined by the .c file.
//
HRESULT
WINAPI
CertSpyCommandProcessor(
    IN PCSTR szCommand,
    OUT PSTR szResponse,
    IN SIZE_T cchResponse,
    IN PDM_CMDCONT pdmcc
    );
  507.  
//
// Write back and invalidate the caches, then serialize the instruction
// stream. CPUID is a serializing instruction on x86, so code bytes patched
// before this call (presumably the ordinal thunks) are fetched fresh
// afterwards instead of from any prefetched copy. CPUID writes EAX, EBX,
// ECX and EDX; EBX is saved and restored explicitly because it is
// callee-saved in the MSVC x86 convention, while EAX/ECX/EDX are scratch.
//
// MSVC x86 inline assembly only. WBINVD is a privileged instruction, so
// this is only usable from kernel mode, which this module appears to run
// in given the kernel-private headers it includes.
//
__inline
VOID
CertSpyFlushICache(
    VOID
    )
{
    __asm {
        wbinvd          // write back and invalidate all caches
        push ebx        // CPUID clobbers EBX
        xor eax, eax    // CPUID leaf 0; the result is discarded
        cpuid           // serializing: drains the pipeline / prefetch
        pop ebx
    }
}
  522.  
//
// Presumably installs the ORDINAL_THUNK intercept for one xboxkrnl.exe
// export (the counterpart of CertSpyUnhookKernelImportOrdinal).
//
//   OrdinalNumber - IN export ordinal; it indexes KernelExports and the
//                   per-ordinal arrays, so it must be below KernelExportSize
//                   and refer to a row with a non-NULL FunctionName (data
//                   exports have no code to hook). Confirm where the range
//                   check lives before trusting a caller-supplied value.
//
// Returns an NTSTATUS; the specific codes are defined by the .c file.
//
NTSTATUS
CertSpyHookKernelImportOrdinal(
    IN ULONG OrdinalNumber
    );
  527.  
//
// Presumably removes the intercept installed by
// CertSpyHookKernelImportOrdinal and restores the original import.
//
//   OrdinalNumber - IN export ordinal; same indexing and range constraints
//                   as for CertSpyHookKernelImportOrdinal (must be below
//                   KernelExportSize).
//
// Returns an NTSTATUS; the specific codes are defined by the .c file.
//
NTSTATUS
CertSpyUnhookKernelImportOrdinal(
    IN ULONG OrdinalNumber
    );
  532.  
  533. #ifdef __cplusplus
  534. }
  535. #endif
  536.  
  537. #endif // _CERTSPYP_INCLUDED_
  538.  