diff --git a/dlls/kernelx/Exports.def b/dlls/kernelx/Exports.def index a7a4071..9e59fc0 100644 --- a/dlls/kernelx/Exports.def +++ b/dlls/kernelx/Exports.def 
@@ -1,210 +1,208 @@ LIBRARY kernelx EXPORTS - AcquireSRWLockExclusive = AcquireSRWLockExclusive_X @1 - AcquireSRWLockShared = AcquireSRWLockShared_X @2 - CloseHandle = CloseHandle_X @14 - CreateDirectoryW = CreateDirectoryW_X @34 - CreateEventExW = CreateEventExW_X @37 - CreateEventW = CreateEventW_X @38 - CreateFileW = CreateFileW_X @44 - CreateThread = CreateThread_X @60 - DebugBreak = DebugBreak_X @71 - DeleteFileW = DeleteFileW_X @77 - DeviceIoControl = DeviceIoControl_X @80 - DisableThreadLibraryCalls = DisableThreadLibraryCalls_X @81 - EnterCriticalSection = EnterCriticalSection_X @87 - ExitProcess = ExitProcess_X @102 - FileTimeToSystemTime = FileTimeToSystemTime_X @107 - FindClose = FindClose_X @109 - FindFirstFileW = FindFirstFileW_X @113 - FindNextFileW = FindNextFileW_X @117 - GetConsoleType = GetConsoleType_X @140 - GetCurrentProcess = GetCurrentProcess_X @144 - GetCurrentProcessId = GetCurrentProcessId_X @145 - GetCurrentThread = GetCurrentThread_X @148 - GetCurrentThreadId = GetCurrentThreadId_X @149 - GetExitCodeThread = GetExitCodeThread_X @163 - GetFileAttributesExW = GetFileAttributesExW_X @166 - GetFileAttributesW = GetFileAttributesW_X @167 - GetFileSizeEx = GetFileSizeEx_X @171 - GetLastError = GetLastError_X @178 - GetLocalTime = GetLocalTime_X @179 - GetModuleHandleA = GetModuleHandleA_X @186 - GetModuleHandleW = GetModuleHandleW_X @189 - GetProcessHeap = GetProcessHeap_X @199 - GetProcessId = GetProcessId_X @201 - GetStartupInfoW = GetStartupInfoW_X @208 - GetSystemTime = GetSystemTime_X @216 - GetSystemTimeAsFileTime = GetSystemTimeAsFileTime_X @218 - GetTickCount = GetTickCount_X @231 - GetUserDefaultLocaleName = GetUserDefaultLocaleName_X @242 - GetUserGeoID = GetUserGeoID_X @243 - HeapFree = HeapFree_X @256 - InitializeCriticalSectionAndSpinCount = InitializeCriticalSectionAndSpinCount_X @272 - InitializeCriticalSectionEx = InitializeCriticalSectionEx_X @273 - IsDebuggerPresent = IsDebuggerPresent_X @283 - IsProcessorFeaturePresent = 
IsProcessorFeaturePresent_X @284 - LoadLibraryExW = LoadLibraryExW_X @296 - MultiByteToWideChar = MultiByteToWideChar_X @313 - OutputDebugStringA = OutputDebugStringA_X @327 - OutputDebugStringW = OutputDebugStringW_X @328 - PeekNamedPipe = PeekNamedPipe_X @330 - QueryPerformanceCounter = QueryPerformanceCounter_X @333 - QueryPerformanceFrequency = QueryPerformanceFrequency_X @334 - RaiseException = RaiseException_X @339 - ReadFile = ReadFile_X @344 - ResetEvent = ResetEvent_X @374 - ResumeThread = ResumeThread_X @377 - RtlCaptureContext = RtlCaptureContext_X @378 - RtlLookupFunctionEntry = RtlLookupFunctionEntry @380 - RtlUnwindEx = RtlUnwindEx_X @385 - SetEvent = SetEvent_X @399 - SetFilePointer = SetFilePointer_X @404 - SetThreadAffinityMask = SetThreadAffinityMask_X @418 - SetThreadPriority = SetThreadPriority_X @424 - SetUnhandledExceptionFilter = SetUnhandledExceptionFilter_X @433 - Sleep = Sleep_X @440 - SleepConditionVariableCS = API-MS-WIN-CORE-SYNCH-L1-2-0.SleepConditionVariableCS @441 - SystemTimeToFileTime = SystemTimeToFileTime_X @449 - TerminateProcess = TerminateProcess_X @451 - TlsAlloc = TlsAlloc_X @454 - TlsGetValue = TlsGetValue_X @456 - TlsSetValue = TlsSetValue_X @457 - UnhandledExceptionFilter = UnhandledExceptionFilter_X @467 - VirtualAlloc = VirtualAlloc_X @474 - VirtualFree = VirtualFree_X @476 - WaitForMultipleObjects = WaitForMultipleObjects_X @482 - WaitForSingleObject = WaitForSingleObject_X @484 - WaitForSingleObjectEx = WaitForSingleObjectEx_X @485 - WriteFile = WriteFile_X @500 - XMemAlloc = XMemAlloc_X @501 - XMemAllocDefault = XMemAllocDefault_X @505 - XMemFreeDefault = XMemFreeDefault_X @508 - XMemFree = XMemFree_X @507 - WriteConsoleW = WriteConsoleW_X @499 - FreeLibrary = FreeLibrary_X @129 - GetProcAddress = GetProcAddress_X @196 - GetDiskFreeSpaceExW = GetDiskFreeSpaceExW_X @154 - GetDriveTypeW = GetDriveTypeW_X @157 - - RegCloseKey = RegCloseKey_X @348 - RegCreateKeyExW = RegCreateKeyExW_X @349 - RegCreateKeyW = 
RegCreateKeyW_X @350 - RegDeleteKeyExW = RegDeleteKeyExW_X @351 - RegDeleteKeyW = RegDeleteKeyW_X @352 - RegDeleteValueW = RegDeleteValueW_X @353 - RegEnumKeyExW = RegEnumKeyExW_X @354 - RegEnumKeyW = RegEnumKeyW_X @355 - RegEnumValueW = RegEnumValueW_X @356 - RegOpenKeyExW = RegOpenKeyExW_X @357 - RegOpenKeyW = RegOpenKeyW_X @358 - RegQueryInfoKeyW = RegQueryInfoKeyW_X @359 - RegQueryValueExW = RegQueryValueExW_X @360 - RegSetValueExW = RegSetValueExW_X @361 - - DecodePointer = NTDLL.RtlDecodePointer @72 - WakeAllConditionVariable = NTDLL.RtlWakeAllConditionVariable @492 - AcquireSRWLockExclusive = NTDLL.RtlAcquireSRWLockExclusive @1 - AcquireSRWLockShared = NTDLL.RtlAcquireSRWLockShared @2 - AddVectoredContinueHandler = NTDLL.RtlAddVectoredContinueHandler @3 - AddVectoredExceptionHandler = NTDLL.RtlAddVectoredExceptionHandler @4 - CancelThreadpoolIo = NTDLL.TpCancelAsyncIoOperation - CloseThreadpool = NTDLL.TpReleasePool - CloseThreadpoolCleanupGroup = NTDLL.TpReleaseCleanupGroup - CloseThreadpoolCleanupGroupMembers = NTDLL.TpReleaseCleanupGroupMembers - CloseThreadpoolIo = NTDLL.TpReleaseIoCompletion - CloseThreadpoolTimer = NTDLL.TpReleaseTimer - CloseThreadpoolWait = NTDLL.TpReleaseWait - CloseThreadpoolWork = NTDLL.TpReleaseWork - CopyMemoryNonTemporal = NTDLL.RtlCopyMemoryNonTemporal - DecodeSystemPointer = NTDLL.RtlDecodeSystemPointer - DeleteCriticalSection = NTDLL.RtlDeleteCriticalSection @74 - DeleteSynchronizationBarrier = NTDLL.RtlDeleteBarrier - DisassociateCurrentThreadFromCallback = NTDLL.TpDisassociateCallback - EncodePointer = NTDLL.RtlEncodePointer @85 - EncodeSystemPointer = NTDLL.RtlEncodeSystemPointer - EnterCriticalSection = NTDLL.RtlEnterCriticalSection - EventActivityIdControl = NTDLL.EtwEventActivityIdControl - EventEnabled = NTDLL.EtwEventEnabled - EventProviderEnabled = NTDLL.EtwEventProviderEnabled - EventRegister = NTDLL.EtwEventRegister @95 - EventSetInformation = NTDLL.EtwEventSetInformation @96 - EventUnregister = 
NTDLL.EtwEventUnregister @97 - EventWrite = NTDLL.EtwEventWrite @98 - EventWriteEx = NTDLL.EtwEventWriteEx - EventWriteString = NTDLL.EtwEventWriteString - EventWriteTransfer = NTDLL.EtwEventWriteTransfer @101 - ExitProcess = NTDLL.RtlExitUserProcess - ExitThread = NTDLL.RtlExitUserThread - FillMemoryNonTemporal = NTDLL.RtlFillMemoryNonTemporal - FlushProcessWriteBuffers = NTDLL.NtFlushProcessWriteBuffers - FreeLibraryWhenCallbackReturns = NTDLL.TpCallbackUnloadDllOnCompletion - GetCurrentProcessorNumber = NTDLL.RtlGetCurrentProcessorNumber - GetCurrentProcessorNumberEx = NTDLL.RtlGetCurrentProcessorNumberEx - GetProcessHeaps = NTDLL.RtlGetProcessHeaps - GetTraceEnableFlags = NTDLL.EtwGetTraceEnableFlags - GetTraceEnableLevel = NTDLL.EtwGetTraceEnableLevel - GetTraceLoggerHandle = NTDLL.EtwGetTraceLoggerHandle - HeapAlloc = NTDLL.RtlAllocateHeap @252 - HeapCompact = NTDLL.RtlCompactHeap - HeapFree = NTDLL.RtlFreeHeap - HeapLock = NTDLL.RtlLockHeap - HeapReAlloc = NTDLL.RtlReAllocateHeap - HeapSize = NTDLL.RtlSizeHeap - HeapUnlock = NTDLL.RtlUnlockHeap - HeapValidate = NTDLL.RtlValidateHeap - InitOnceInitialize = NTDLL.RtlRunOnceInitialize - InitializeConditionVariable = NTDLL.RtlInitializeConditionVariable @269 - InitializeCriticalSection = NTDLL.RtlInitializeCriticalSection @271 - InitializeSListHead = NTDLL.RtlInitializeSListHead @275 - InitializeSRWLock = NTDLL.RtlInitializeSRWLock @276 - InterlockedFlushSList = NTDLL.RtlInterlockedFlushSList - InterlockedPopEntrySList = NTDLL.RtlInterlockedPopEntrySList - InterlockedPushEntrySList = NTDLL.RtlInterlockedPushEntrySList - InterlockedPushListSList = NTDLL.RtlInterlockedPushListSList - InterlockedPushListSListEx = NTDLL.RtlInterlockedPushListSListEx - IsThreadpoolTimerSet = NTDLL.TpIsTimerSet - LeaveCriticalSection = NTDLL.RtlLeaveCriticalSection @293 - LeaveCriticalSectionWhenCallbackReturns = NTDLL.TpCallbackLeaveCriticalSectionOnCompletion - QueryDepthSList = NTDLL.RtlQueryDepthSList - QueryPerformanceCounter = 
NTDLL.RtlQueryPerformanceCounter - QueryPerformanceFrequency = NTDLL.RtlQueryPerformanceFrequency - RegisterTraceGuidsW = NTDLL.EtwRegisterTraceGuidsW - ReleaseMutexWhenCallbackReturns = NTDLL.TpCallbackReleaseMutexOnCompletion - ReleaseSRWLockExclusive = NTDLL.RtlReleaseSRWLockExclusive @366 - ReleaseSRWLockShared = NTDLL.RtlReleaseSRWLockShared - ReleaseSemaphoreWhenCallbackReturns = NTDLL.TpCallbackReleaseSemaphoreOnCompletion - RemoveVectoredContinueHandler = NTDLL.RtlRemoveVectoredContinueHandler - RemoveVectoredExceptionHandler = NTDLL.RtlRemoveVectoredExceptionHandler - RestoreLastError = NTDLL.RtlRestoreLastWin32Error - RtlCaptureContext = NTDLL.RtlCaptureContext - RtlCaptureStackBackTrace = NTDLL.RtlCaptureStackBackTrace - RtlLookupFunctionEntry = NTDLL.RtlLookupFunctionEntry - RtlPcToFileHeader = NTDLL.RtlPcToFileHeader - RtlRaiseException = NTDLL.RtlRaiseException - RtlRestoreContext = NTDLL.RtlRestoreContext - RtlUnwind = NTDLL.RtlUnwind - RtlUnwindEx = NTDLL.RtlUnwindEx - RtlVirtualUnwind = NTDLL.RtlVirtualUnwind @386 - SetCriticalSectionSpinCount = NTDLL.RtlSetCriticalSectionSpinCount - SetEventWhenCallbackReturns = NTDLL.TpCallbackSetEventOnCompletion - SetLastError = NTDLL.RtlSetLastWin32Error @409 - SetThreadpoolThreadMaximum = NTDLL.TpSetPoolMaxThreads - SetThreadpoolTimer = NTDLL.TpSetTimer - SetThreadpoolWait = NTDLL.TpSetWait - StartThreadpoolIo = NTDLL.TpStartAsyncIoOperation - SubmitThreadpoolWork = NTDLL.TpPostWork - LogTraceEvent = NTDLL.EtwLogTraceEvent - TraceMessage = NTDLL.EtwTraceMessage - TraceMessageVa = NTDLL.EtwTraceMessageVa - TryAcquireSRWLockExclusive = NTDLL.RtlTryAcquireSRWLockExclusive - TryAcquireSRWLockShared = NTDLL.RtlTryAcquireSRWLockShared - TryEnterCriticalSection = NTDLL.RtlTryEnterCriticalSection @464 - UnregisterTraceGuids = NTDLL.EtwUnregisterTraceGuids - WaitForThreadpoolIoCallbacks = NTDLL.TpWaitForIoCompletion - WaitForThreadpoolTimerCallbacks = NTDLL.TpWaitForTimer - WaitForThreadpoolWaitCallbacks = 
NTDLL.TpWaitForWait - WaitForThreadpoolWorkCallbacks = NTDLL.TpWaitForWork - WakeByAddressAll = NTDLL.RtlWakeAddressAll @493 - WakeByAddressSingle = NTDLL.RtlWakeAddressSingle @494 - WakeConditionVariable = NTDLL.RtlWakeConditionVariable @495 + AcquireSRWLockExclusive = AcquireSRWLockExclusive_X @1 + AcquireSRWLockShared = AcquireSRWLockShared_X @2 + CloseHandle = CloseHandle_X @14 + CreateDirectoryW = CreateDirectoryW_X @34 + CreateEventExW = CreateEventExW_X @37 + CreateEventW = CreateEventW_X @38 + CreateFileW = CreateFileW_X @44 + CreateThread = CreateThread_X @60 + DebugBreak = DebugBreak_X @71 + DeleteFileW = DeleteFileW_X @77 + DeviceIoControl = DeviceIoControl_X @80 + DisableThreadLibraryCalls = DisableThreadLibraryCalls_X @81 + EnterCriticalSection = EnterCriticalSection_X @87 + ExitProcess = ExitProcess_X @102 + FileTimeToSystemTime = FileTimeToSystemTime_X @107 + FindClose = FindClose_X @109 + FindFirstFileW = FindFirstFileW_X @113 + FindNextFileW = FindNextFileW_X @117 + GetConsoleType = GetConsoleType_X @140 + GetCurrentProcess = GetCurrentProcess_X @144 + GetCurrentProcessId = GetCurrentProcessId_X @145 + GetCurrentThread = GetCurrentThread_X @148 + GetCurrentThreadId = GetCurrentThreadId_X @149 + GetExitCodeThread = GetExitCodeThread_X @163 + GetFileAttributesExW = GetFileAttributesExW_X @166 + GetFileAttributesW = GetFileAttributesW_X @167 + GetFileSizeEx = GetFileSizeEx_X @171 + GetLastError = GetLastError_X @178 + GetLocalTime = GetLocalTime_X @179 + GetModuleHandleA = GetModuleHandleA_X @186 + GetModuleHandleW = GetModuleHandleW_X @189 + GetProcessHeap = GetProcessHeap_X @199 + GetProcessId = GetProcessId_X @201 + GetStartupInfoW = GetStartupInfoW_X @208 + GetSystemTime = GetSystemTime_X @216 + GetSystemTimeAsFileTime = GetSystemTimeAsFileTime_X @218 + GetTickCount = GetTickCount_X @231 + GetUserDefaultLocaleName = GetUserDefaultLocaleName_X @242 + GetUserGeoID = GetUserGeoID_X @243 + HeapFree = HeapFree_X @256 + 
InitializeCriticalSectionAndSpinCount = InitializeCriticalSectionAndSpinCount_X @272 + InitializeCriticalSectionEx = InitializeCriticalSectionEx_X @273 + IsDebuggerPresent = IsDebuggerPresent_X @283 + IsProcessorFeaturePresent = IsProcessorFeaturePresent_X @284 + LoadLibraryExW = LoadLibraryExW_X @296 + MultiByteToWideChar = MultiByteToWideChar_X @313 + OutputDebugStringA = OutputDebugStringA_X @327 + OutputDebugStringW = OutputDebugStringW_X @328 + PeekNamedPipe = PeekNamedPipe_X @330 + QueryPerformanceCounter = QueryPerformanceCounter_X @333 + QueryPerformanceFrequency = QueryPerformanceFrequency_X @334 + RaiseException = RaiseException_X @339 + ReadFile = ReadFile_X @344 + RegCloseKey = RegCloseKey_X @348 + RegCreateKeyExW = RegCreateKeyExW_X @349 + RegCreateKeyW = RegCreateKeyW_X @350 + RegDeleteKeyExW = RegDeleteKeyExW_X @351 + RegDeleteKeyW = RegDeleteKeyW_X @352 + RegDeleteValueW = RegDeleteValueW_X @353 + RegEnumKeyExW = RegEnumKeyExW_X @354 + RegEnumKeyW = RegEnumKeyW_X @355 + RegEnumValueW = RegEnumValueW_X @356 + RegOpenKeyExW = RegOpenKeyExW_X @357 + RegOpenKeyW = RegOpenKeyW_X @358 + RegQueryInfoKeyW = RegQueryInfoKeyW_X @359 + RegQueryValueExW = RegQueryValueExW_X @360 + RegSetValueExW = RegSetValueExW_X @361 + ResetEvent = ResetEvent_X @374 + ResumeThread = ResumeThread_X @377 + RtlCaptureContext = RtlCaptureContext_X @378 + RtlLookupFunctionEntry = RtlLookupFunctionEntry @380 + RtlUnwindEx = RtlUnwindEx_X @385 + SetEvent = SetEvent_X @399 + SetFilePointer = SetFilePointer_X @404 + SetThreadAffinityMask = SetThreadAffinityMask_X @418 + SetThreadPriority = SetThreadPriority_X @424 + SetUnhandledExceptionFilter = SetUnhandledExceptionFilter_X @433 + Sleep = Sleep_X @440 + SleepConditionVariableCS = API-MS-WIN-CORE-SYNCH-L1-2-0.SleepConditionVariableCS @441 + SystemTimeToFileTime = SystemTimeToFileTime_X @449 + TerminateProcess = TerminateProcess_X @451 + TlsAlloc = TlsAlloc_X @454 + TlsGetValue = TlsGetValue_X @456 + TlsSetValue = TlsSetValue_X @457 + 
UnhandledExceptionFilter = UnhandledExceptionFilter_X @467 + VirtualAlloc = VirtualAlloc_X @474 + VirtualFree = VirtualFree_X @476 + WaitForMultipleObjects = WaitForMultipleObjects_X @482 + WaitForSingleObject = WaitForSingleObject_X @484 + WaitForSingleObjectEx = WaitForSingleObjectEx_X @485 + WriteFile = WriteFile_X @500 + XMemAlloc = XMemAlloc_X @501 + XMemAllocDefault = XMemAllocDefault_X @505 + XMemFreeDefault = XMemFreeDefault_X @508 + XMemFree = XMemFree_X @507 + WriteConsoleW = WriteConsoleW_X @499 + FreeLibrary = FreeLibrary_X @129 + GetProcAddress = GetProcAddress_X @196 + GetDiskFreeSpaceExW = GetDiskFreeSpaceExW_X @154 + GetDriveTypeW = GetDriveTypeW_X @157 + DecodePointer = NTDLL.RtlDecodePointer @72 + WakeAllConditionVariable = NTDLL.RtlWakeAllConditionVariable @492 + AcquireSRWLockExclusive = NTDLL.RtlAcquireSRWLockExclusive @1 + AcquireSRWLockShared = NTDLL.RtlAcquireSRWLockShared @2 + AddVectoredContinueHandler = NTDLL.RtlAddVectoredContinueHandler @3 + AddVectoredExceptionHandler = NTDLL.RtlAddVectoredExceptionHandler @4 + CancelThreadpoolIo = NTDLL.TpCancelAsyncIoOperation + CloseThreadpool = NTDLL.TpReleasePool + CloseThreadpoolCleanupGroup = NTDLL.TpReleaseCleanupGroup + CloseThreadpoolCleanupGroupMembers = NTDLL.TpReleaseCleanupGroupMembers + CloseThreadpoolIo = NTDLL.TpReleaseIoCompletion + CloseThreadpoolTimer = NTDLL.TpReleaseTimer + CloseThreadpoolWait = NTDLL.TpReleaseWait + CloseThreadpoolWork = NTDLL.TpReleaseWork + CopyMemoryNonTemporal = NTDLL.RtlCopyMemoryNonTemporal + DecodeSystemPointer = NTDLL.RtlDecodeSystemPointer + DeleteCriticalSection = NTDLL.RtlDeleteCriticalSection @74 + DeleteSynchronizationBarrier = NTDLL.RtlDeleteBarrier + DisassociateCurrentThreadFromCallback = NTDLL.TpDisassociateCallback + EncodePointer = NTDLL.RtlEncodePointer @85 + EncodeSystemPointer = NTDLL.RtlEncodeSystemPointer + EnterCriticalSection = NTDLL.RtlEnterCriticalSection + EventActivityIdControl = NTDLL.EtwEventActivityIdControl + EventEnabled = 
NTDLL.EtwEventEnabled + EventProviderEnabled = NTDLL.EtwEventProviderEnabled + EventRegister = NTDLL.EtwEventRegister @95 + EventSetInformation = NTDLL.EtwEventSetInformation @96 + EventUnregister = NTDLL.EtwEventUnregister @97 + EventWrite = NTDLL.EtwEventWrite @98 + EventWriteEx = NTDLL.EtwEventWriteEx + EventWriteString = NTDLL.EtwEventWriteString + EventWriteTransfer = NTDLL.EtwEventWriteTransfer @101 + ExitProcess = NTDLL.RtlExitUserProcess + ExitThread = NTDLL.RtlExitUserThread + FillMemoryNonTemporal = NTDLL.RtlFillMemoryNonTemporal + FlushProcessWriteBuffers = NTDLL.NtFlushProcessWriteBuffers + FreeLibraryWhenCallbackReturns = NTDLL.TpCallbackUnloadDllOnCompletion + GetCurrentProcessorNumber = NTDLL.RtlGetCurrentProcessorNumber + GetCurrentProcessorNumberEx = NTDLL.RtlGetCurrentProcessorNumberEx + GetProcessHeaps = NTDLL.RtlGetProcessHeaps + GetTraceEnableFlags = NTDLL.EtwGetTraceEnableFlags + GetTraceEnableLevel = NTDLL.EtwGetTraceEnableLevel + GetTraceLoggerHandle = NTDLL.EtwGetTraceLoggerHandle + HeapAlloc = NTDLL.RtlAllocateHeap @252 + HeapCompact = NTDLL.RtlCompactHeap + HeapFree = NTDLL.RtlFreeHeap + HeapLock = NTDLL.RtlLockHeap + HeapReAlloc = NTDLL.RtlReAllocateHeap + HeapSize = NTDLL.RtlSizeHeap + HeapUnlock = NTDLL.RtlUnlockHeap + HeapValidate = NTDLL.RtlValidateHeap + InitOnceInitialize = NTDLL.RtlRunOnceInitialize + InitializeConditionVariable = NTDLL.RtlInitializeConditionVariable @269 + InitializeCriticalSection = NTDLL.RtlInitializeCriticalSection @271 + InitializeSListHead = NTDLL.RtlInitializeSListHead @275 + InitializeSRWLock = NTDLL.RtlInitializeSRWLock @276 + InterlockedFlushSList = NTDLL.RtlInterlockedFlushSList + InterlockedPopEntrySList = NTDLL.RtlInterlockedPopEntrySList + InterlockedPushEntrySList = NTDLL.RtlInterlockedPushEntrySList + InterlockedPushListSList = NTDLL.RtlInterlockedPushListSList + InterlockedPushListSListEx = NTDLL.RtlInterlockedPushListSListEx + IsThreadpoolTimerSet = NTDLL.TpIsTimerSet + LeaveCriticalSection = 
NTDLL.RtlLeaveCriticalSection @293 + LeaveCriticalSectionWhenCallbackReturns = NTDLL.TpCallbackLeaveCriticalSectionOnCompletion + QueryDepthSList = NTDLL.RtlQueryDepthSList + QueryPerformanceCounter = NTDLL.RtlQueryPerformanceCounter + QueryPerformanceFrequency = NTDLL.RtlQueryPerformanceFrequency + RegisterTraceGuidsW = NTDLL.EtwRegisterTraceGuidsW + ReleaseMutexWhenCallbackReturns = NTDLL.TpCallbackReleaseMutexOnCompletion + ReleaseSRWLockExclusive = NTDLL.RtlReleaseSRWLockExclusive @366 + ReleaseSRWLockShared = NTDLL.RtlReleaseSRWLockShared + ReleaseSemaphoreWhenCallbackReturns = NTDLL.TpCallbackReleaseSemaphoreOnCompletion + RemoveVectoredContinueHandler = NTDLL.RtlRemoveVectoredContinueHandler + RemoveVectoredExceptionHandler = NTDLL.RtlRemoveVectoredExceptionHandler + RestoreLastError = NTDLL.RtlRestoreLastWin32Error + RtlCaptureContext = NTDLL.RtlCaptureContext + RtlCaptureStackBackTrace = NTDLL.RtlCaptureStackBackTrace + RtlLookupFunctionEntry = NTDLL.RtlLookupFunctionEntry + RtlPcToFileHeader = NTDLL.RtlPcToFileHeader + RtlRaiseException = NTDLL.RtlRaiseException + RtlRestoreContext = NTDLL.RtlRestoreContext + RtlUnwind = NTDLL.RtlUnwind + RtlUnwindEx = NTDLL.RtlUnwindEx + RtlVirtualUnwind = NTDLL.RtlVirtualUnwind @386 + SetCriticalSectionSpinCount = NTDLL.RtlSetCriticalSectionSpinCount + SetEventWhenCallbackReturns = NTDLL.TpCallbackSetEventOnCompletion + SetLastError = NTDLL.RtlSetLastWin32Error @409 + SetThreadpoolThreadMaximum = NTDLL.TpSetPoolMaxThreads + SetThreadpoolTimer = NTDLL.TpSetTimer + SetThreadpoolWait = NTDLL.TpSetWait + StartThreadpoolIo = NTDLL.TpStartAsyncIoOperation + SubmitThreadpoolWork = NTDLL.TpPostWork + LogTraceEvent = NTDLL.EtwLogTraceEvent + TraceMessage = NTDLL.EtwTraceMessage + TraceMessageVa = NTDLL.EtwTraceMessageVa + TryAcquireSRWLockExclusive = NTDLL.RtlTryAcquireSRWLockExclusive + TryAcquireSRWLockShared = NTDLL.RtlTryAcquireSRWLockShared + TryEnterCriticalSection = NTDLL.RtlTryEnterCriticalSection @464 + 
UnregisterTraceGuids = NTDLL.EtwUnregisterTraceGuids + WaitForThreadpoolIoCallbacks = NTDLL.TpWaitForIoCompletion + WaitForThreadpoolTimerCallbacks = NTDLL.TpWaitForTimer + WaitForThreadpoolWaitCallbacks = NTDLL.TpWaitForWait + WaitForThreadpoolWorkCallbacks = NTDLL.TpWaitForWork + WakeByAddressAll = NTDLL.RtlWakeAddressAll @493 + WakeByAddressSingle = NTDLL.RtlWakeAddressSingle @494 + WakeConditionVariable = NTDLL.RtlWakeConditionVariable @495 \ No newline at end of file diff --git a/dlls/kernelx/kernelx.cpp b/dlls/kernelx/kernelx.cpp index 4773b6e..27166b2 100644 --- a/dlls/kernelx/kernelx.cpp +++ b/dlls/kernelx/kernelx.cpp @@ -6,8 +6,10 @@ #include "pch.h" #include "framework.h" #include "kernelx.h" +#include - +NtAllocateVirtualMemory_t NtAllocateVirtualMemory; +NtFreeVirtualMemory_t NtFreeVirtualMemory; void AcquireSRWLockExclusive_X(PSRWLOCK SRWLock) 
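Review bot: The new export list still defines several names twice with different targets, for example `AcquireSRWLockExclusive = AcquireSRWLockExclusive_X @1` and `AcquireSRWLockExclusive = NTDLL.RtlAcquireSRWLockExclusive @1`, which also reuse ordinal 1. The same holds for AcquireSRWLockShared (@2), EnterCriticalSection, ExitProcess, HeapFree, QueryPerformanceCounter, QueryPerformanceFrequency, RtlCaptureContext, RtlLookupFunctionEntry and RtlUnwindEx. Which entry ends up in the export table decides whether a caller reaches the local `_X` shim or the NTDLL forwarder, and for HeapFree that determines which code releases memory. Each name should appear once, with a comment above the forwarder block such as `; forwarders only - do not repeat a name that has an _X shim above`.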
@@ -30,42 +32,131 @@ HANDLE GetProcessHeap_X() return GetProcessHeap(); } -// TODO: Need to figure out this function. -PVOID XMemAllocDefault_X(ULONG_PTR a1, UINT64 a2) -{ +uint32_t dword_180021AA0[16]; +uint32_t dword_180021A60[16]; +int64_t qword_18002C7E0[34]; +HANDLE HeapHandle; + + +bool XMemFreeDefault_X(PVOID P, unsigned __int64 a2) { + if (!P) return FALSE; + + uint64_t v3 = a2 >> 29; + uint32_t v2 = static_cast(a2); + + if (!dword_180021A60[v3 & 0xF] && (v2 & 0x1F000000) <= 0x4000000 && (v2 & 0xC000) == 0) { + return HeapFree(HeapHandle, 0, P) ? TRUE : FALSE; + } + + uint64_t v6 = v3 & 0xF; + int64_t v7 = qword_18002C7E0[v6]; + + // Check if the memory can be freed using sub_18000EA08 + if (!v7 || !*reinterpret_cast(v7 + 48) || + *reinterpret_cast(v7 + 48) > reinterpret_cast(P) || + *reinterpret_cast(v7 + 56) < reinterpret_cast(P)) { + + v7 = qword_18002C7E0[static_cast(v6 + 16)]; + if (!v7 || !*reinterpret_cast(v7 + 48) || + *reinterpret_cast(v7 + 48) > reinterpret_cast(P) || + *reinterpret_cast(v7 + 56) < reinterpret_cast(P)) { + v7 = 0; + } + } + + if (v7) { + //Bored to implement + //return sub_18000EA08() ? TRUE : FALSE; + } + + SIZE_T RegionSize = 0; + return NtFreeVirtualMemory( + reinterpret_cast(0xFFFFFFFFFFFFFFFF), + &P, + &RegionSize, + MEM_RELEASE + ) >= 0 ? 
TRUE : FALSE; +} + +__int64 XMemFree_X(PVOID P, __int64 a2) { + return XMemFreeDefault_X(P, a2); +} + + +PVOID XMemAllocDefault_X(uint64_t size, uint64_t flags) { + if (size == 0) return nullptr; + + int64_t v8; + uint32_t v7 = dword_180021A60[(flags >> 29) & 0xF]; + if (v7 == 0 || (flags & 0x1F000000) > 0x4000000 || (flags & 0xC000) != 0) { + if (v7 == 0x400000) { + v8 = 33; + } + else { + uint64_t v9 = (flags >> 24) & 0x1F; + if (v9 > 0x10 || size > 0x20000) { + v8 = 33; + } + else if (v9 > 0xC || size > 0xF00) { + v8 = (flags >> 29) & 0xF | 0x10; + } + else { + v8 = 32; + } + } + } + else { + v8 = 32; + } + + if (v8 == 32) { + return nullptr; + } + + if (v8 == 33) { + uint32_t AllocationType = 1073754112; + if ((flags & 0x1F000000) == 285212672) { + AllocationType = -1073729536; + } + else if ((flags >> 14) & 0xFFFF == 1) { + AllocationType = 1610625024; + } + else if ((flags >> 14) & 0xFFFF == 2) { + AllocationType = -1073729536; + } + + uint32_t Protect = dword_180021AA0[(flags >> 29) & 0xF]; + if (AllocationType & (1 << 22)) { + AllocationType &= 0xFFBFFFFF; + if ((flags & 0xC000) == 0) { + AllocationType |= 0x20000000; + } + } + + void* baseAddress = nullptr; + SIZE_T regionSize = size; + if (NtAllocateVirtualMemory( + INVALID_HANDLE_VALUE, + &baseAddress, + 0, + ®ionSize, + AllocationType, + Protect) >= 0) { + return baseAddress; + } + return nullptr; + } + + HeapHandle = HeapCreate(v8, 0, 0); + if (HeapHandle) { + return HeapAlloc(HeapHandle, 0, size); + } return nullptr; } - -//TODO -PVOID XMemAlloc_X(SIZE_T dwSize, ULONGLONG dwAttributes) +PVOID XMemAlloc_X(ULONG64 a1, __int64 a2) { - return XMemAllocDefault_X(dwSize, dwAttributes); -} - -//TODO -BOOL XMemFreeDefault_X(PVOID P, UINT64 a2) -{ - //STUB - return 0; -} - -//TODO -BOOL XMemFree_X(PVOID P, UINT64 a2) -{ - return 0; - /*struct _EVENT_TRACE_HEADER v5; // [rsp+20h] [rbp-48h] BYREF - unsigned __int64 v6; // [rsp+50h] [rbp-18h] - - if (MEMORY[0x7FFE0390]) - { - v5.Class.Version = 3105; - 
v5.ProcessorTime = 0LL; - v6 = a2; - *(&v5.GuidPtr + 1) = (ULONGLONG)P; - NtTraceEvent(MEMORY[0x7FFE0390], 0x10402u, 0x18u, &v5); - } - return off_18002B1B0(P, a2);*/ + return XMemAllocDefault_X(a1, a2); } BOOL InitializeCriticalSectionEx_X(LPCRITICAL_SECTION lpCriticalSection, DWORD dwSpinCount, DWORD Flags) @@ -573,6 +664,17 @@ int sub_18001D96C(int v2, unsigned short* codePageData, unsigned int p, bool t,l __int64 sub_18001BB8C() { + // I know this should be done inside dllmain.cpp entrypoint but this is litreally the same (as this is called always at attachment + HMODULE ntdll = LoadLibraryA("ntdll.dll"); + if (ntdll) { + NtAllocateVirtualMemory = + (NtAllocateVirtualMemory_t)GetProcAddress(ntdll, "NtAllocateVirtualMemory"); + NtFreeVirtualMemory = + (NtFreeVirtualMemory_t)GetProcAddress(ntdll, "NtFreeVirtualMemory"); + + FreeLibrary(ntdll); + } + /*unsigned int v0; // ebx unsigned __int16* AnsiCodePageData; // rdx int v2; // ecx diff --git a/dlls/kernelx/kernelx.h b/dlls/kernelx/kernelx.h index 6af0b55..d3026f9 100644 --- a/dlls/kernelx/kernelx.h +++ b/dlls/kernelx/kernelx.h @@ -2,6 +2,22 @@ #include "framework.h" +typedef NTSTATUS(NTAPI* NtAllocateVirtualMemory_t)( + HANDLE ProcessHandle, + PVOID* BaseAddress, + ULONG_PTR ZeroBits, + PSIZE_T RegionSize, + ULONG AllocationType, + ULONG Protect + ); + +typedef NTSTATUS(NTAPI* NtFreeVirtualMemory_t)( + HANDLE ProcessHandle, + PVOID* BaseAddress, + PSIZE_T RegionSize, + ULONG FreeType + ); + // EXE EXPORTS extern "C" { @@ -59,7 +75,7 @@ extern "C" LPVOID VirtualAlloc_X(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); - BOOL XMemFreeDefault_X(PVOID P, UINT64 a2); + bool XMemFreeDefault_X(PVOID P, unsigned __int64 a2); BOOL WriteFile_X(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped);
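Review bot: XMemAllocDefault_X ends with `HeapHandle = HeapCreate(v8, 0, 0);`, so every heap-path allocation creates a new heap (with v8 passed as flOptions) and overwrites the global, while XMemFreeDefault_X releases with `HeapFree(HeapHandle, 0, P)` against whichever heap was created last. The free-side test also does not mirror the allocation routing: unless the lookup tables are populated elsewhere, a request larger than 0x20000 goes to NtAllocateVirtualMemory but the matching free can take the HeapFree branch, and handing a heap a pointer it does not own corrupts it. Create the heap once (or use `GetProcessHeap()`) and derive the backend in both functions from one shared predicate. Separately, `(flags >> 14) & 0xFFFF == 1` parses as `(flags >> 14) & (0xFFFF == 1)` and is always zero; it needs `((flags >> 14) & 0xFFFF) == 1`, likewise for `== 2`. The `v8 == 32` case returns nullptr, so small default allocations always fail, which deserves a comment if intentional.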
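Review bot: Neither `GetProcAddress` result is checked here, yet XMemAllocDefault_X and XMemFreeDefault_X call `NtAllocateVirtualMemory` and `NtFreeVirtualMemory` unconditionally, so a failed lookup, or an XMem export called before sub_18001BB8C has run, becomes a call through a null pointer. ntdll.dll is already mapped in every process, so `HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");` avoids both the by-name `LoadLibraryA` lookup and the `FreeLibrary` pairing; if this really runs at DLL attach, as the added comment says, it also keeps loader calls out of that path. Bail out of initialization, or have the XMem functions test the pointers before calling, when either one is null. The rest of sub_18001BB8C lies outside the hunk.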
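Review bot: Changing the exported `XMemFreeDefault_X` from `BOOL` to `bool` narrows the return value to one byte, so a caller built against the 32-bit `BOOL` contract may read register bits the callee never set. The definition already returns `TRUE`/`FALSE`, so the declaration can stay `BOOL XMemFreeDefault_X(PVOID P, UINT64 a2);` with the definition matching it. The new definition `__int64 XMemFree_X(PVOID P, __int64 a2)` should be checked against its declaration as well, which is not visible in this hunk.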