#include <ntifs.h>#define PHNT_MODE PHNT_MODE_KERNEL#include <phnt.h>#in

1.  
2. #include <ntifs.h>
3. #define PHNT_MODE PHNT_MODE_KERNEL
4. #include <phnt.h>
5. #include <ntfill.h>
6. #include <bcrypt.h>
7. #include <kphapi.h>
8.  
9. // Memory
10.  
11. #define PTR_ADD_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Offset)))
12. #define PTR_SUB_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) - (ULONG_PTR)(Offset)))
13.  
14. // Zero extension and sign extension macros
15.  
16. #define C_2sTo4(x) ((unsigned int)(signed short)(x))
17.  
18. // Debugging
19.  
20. #ifdef DBG
21. #define dprintf(Format, ...) DbgPrint("KProcessHacker: " Format, __VA_ARGS__)
22. #else
23. #define dprintf
24. #endif
25.  
26. typedef struct _KPH_CLIENT
27. {
28.     struct
29.     {
30.         ULONG VerificationPerformed : 1;
31.         ULONG VerificationSucceeded : 1;
32.         ULONG KeysGenerated : 1;
33.         ULONG SpareBits : 29;
34.     };
35.     FAST_MUTEX StateMutex;
36.     NTSTATUS VerificationStatus;
37.     PVOID VerifiedProcess; // EPROCESS (for equality checking only - do not access contents)
38.     HANDLE VerifiedProcessId;
39.     PVOID VerifiedRangeBase;
40.     SIZE_T VerifiedRangeSize;
41.     // Level 1 and 2 secret keys
42.     FAST_MUTEX KeyBackoffMutex;
43.     KPH_KEY L1Key;
44.     KPH_KEY L2Key;
45. } KPH_CLIENT, *PKPH_CLIENT;
46.  
47. typedef struct _KPH_PARAMETERS
48. {
49.     KPH_SECURITY_LEVEL SecurityLevel;
50. } KPH_PARAMETERS, *PKPH_PARAMETERS;
51.  
52. // main
53.  
54. extern ULONG KphFeatures;
55. extern KPH_PARAMETERS KphParameters;
56.  
57. NTSTATUS KpiGetFeatures(
58.     _Out_ PULONG Features,
59.     _In_ KPROCESSOR_MODE AccessMode
60.     );
61.  
62. // devctrl
63.  
64. _Dispatch_type_(IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH KphDispatchDeviceControl;
65.  
66. NTSTATUS KphDispatchDeviceControl(
67.     _In_ PDEVICE_OBJECT DeviceObject,
68.     _Inout_ PIRP Irp
69.     );
70.  
71. // dynimp
72.  
73. VOID KphDynamicImport(
74.     VOID
75.     );
76.  
77. PVOID KphGetSystemRoutineAddress(
78.     _In_ PWSTR SystemRoutineName
79.     );
80.  
81. // object
82.  
83. PHANDLE_TABLE KphReferenceProcessHandleTable(
84.     _In_ PEPROCESS Process
85.     );
86.  
87. VOID KphDereferenceProcessHandleTable(
88.     _In_ PEPROCESS Process
89.     );
90.  
91. VOID KphUnlockHandleTableEntry(
92.     _In_ PHANDLE_TABLE HandleTable,
93.     _In_ PHANDLE_TABLE_ENTRY HandleTableEntry
94.     );
95.  
96. NTSTATUS KpiEnumerateProcessHandles(
97.     _In_ HANDLE ProcessHandle,
98.     _Out_writes_bytes_(BufferLength) PVOID Buffer,
99.     _In_opt_ ULONG BufferLength,
100.     _Out_opt_ PULONG ReturnLength,
101.     _In_ KPROCESSOR_MODE AccessMode
102.     );
103.  
104. NTSTATUS KphQueryNameObject(
105.     _In_ PVOID Object,
106.     _Out_writes_bytes_(BufferLength) POBJECT_NAME_INFORMATION Buffer,
107.     _In_ ULONG BufferLength,
108.     _Out_ PULONG ReturnLength
109.     );
110.  
111. NTSTATUS KphQueryNameFileObject(
112.     _In_ PFILE_OBJECT FileObject,
113.     _Out_writes_bytes_(BufferLength) POBJECT_NAME_INFORMATION Buffer,
114.     _In_ ULONG BufferLength,
115.     _Out_ PULONG ReturnLength
116.     );
117.  
118. NTSTATUS KpiQueryInformationObject(
119.     _In_ HANDLE ProcessHandle,
120.     _In_ HANDLE Handle,
121.     _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass,
122.     _Out_writes_bytes_(ObjectInformationLength) PVOID ObjectInformation,
123.     _In_ ULONG ObjectInformationLength,
124.     _Out_opt_ PULONG ReturnLength,
125.     _In_ KPROCESSOR_MODE AccessMode
126.     );