-
Notifications
You must be signed in to change notification settings - Fork 116
Expand file tree
/
Copy pathMemoryModule.h
More file actions
101 lines (77 loc) · 1.99 KB
/
MemoryModule.h
File metadata and controls
101 lines (77 loc) · 1.99 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#pragma once
#ifndef __MEMORY_MODULE_HEADER
#define __MEMORY_MODULE_HEADER
typedef HMODULE HMEMORYMODULE;
typedef struct _MEMORYMODULE {
/*
---------------------------
|xxxxxxxx BaseAddress |
|... |
|... |
|... | --> IMAGE_DOS_HEADER
|... | --> IMAGE_NT_HEADERS
|... |
|... |
--------------------------
struct MEMORYMODULE;
... (align)
codes
*/
ULONG64 Signature;
DWORD SizeofHeaders;
union {
struct {
//Status Flags
BYTE initialized : 1;
BYTE loadFromLdrLoadDllMemory : 1;
BYTE underUnload : 1;
BYTE reservedStatusFlags : 5;
BYTE cbFlagsReserved;
//Load Flags
WORD MappedDll : 1;
WORD InsertInvertedFunctionTableEntry : 1;
WORD TlsHandled : 1;
WORD UseReferenceCount : 1;
WORD reservedLoadFlags : 12;
};
DWORD dwFlags;
};
LPBYTE codeBase; //codeBase == ImageBase
PVOID lpReserved;
HMODULE* hModulesList; //Import module handles
DWORD dwModulesCount; //number of module handles
DWORD dwReferenceCount;
DWORD dwImageFileSize;
DWORD dwReserved;
PVOID LdrEntry;
} MEMORYMODULE, * PMEMORYMODULE;
#define MEMORY_MODULE_SIGNATURE 0x00aabbcc11ffee00
#ifdef __cplusplus
extern "C" {
#endif
NTSTATUS MemoryLoadLibrary(
_Out_ HMEMORYMODULE* MemoryModuleHandle,
_In_ LPCVOID data,
_In_ DWORD size
);
NTSTATUS MemoryResolveImportTable(
_In_ LPBYTE base,
_In_ PIMAGE_NT_HEADERS lpNtHeaders,
_In_ PMEMORYMODULE hMemoryModule
);
NTSTATUS MemorySetSectionProtection(
_In_ LPBYTE base,
_In_ PIMAGE_NT_HEADERS lpNtHeaders
);
BOOL MemoryFreeLibrary(HMEMORYMODULE);
BOOL WINAPI IsValidMemoryModuleHandle(HMEMORYMODULE hModule);
PMEMORYMODULE WINAPI MapMemoryModuleHandle(HMEMORYMODULE hModule);
NTSTATUS MmpInitializeStructure(
DWORD ImageFileSize,
LPCVOID ImageFileBuffer,
PIMAGE_NT_HEADERS ImageHeaders
);
#ifdef __cplusplus
}
#endif
#endif // __MEMORY_MODULE_HEADER