{ // Value Query Set
  TObjectInformationClass = (
    ObjectBasicInformation,    // 0 Y N
    ObjectNameInformation,     // 1 Y N
    ObjectTypeInformation,     // 2 Y N
    ObjectAllTypesInformation, // 3 Y N
    ObjectHandleInformation    // 4 Y Y
  );
}
// NOTE: the enumeration above is wrapped in a { } comment and is therefore not
// compiled. The records below carry the matching numeric class value in their
// "Information Class N" comment; that number is what a caller passes as the
// information class.

// Information Class 0
// Basic per-object data returned for an open handle. Counts are as seen by the
// object manager at query time; the *Length fields give the buffer sizes needed
// for the name, type and security-descriptor queries.
PObjectBasicInformation = ^TObjectBasicInformation;
TObjectBasicInformation = packed record
  Attributes: ULONG;
  GrantedAccess: ACCESS_MASK;       // access mask granted to the queried handle
  HandleCount: ULONG;
  PointerCount: ULONG;
  PagedPoolUsage: ULONG;
  NonPagedPoolUsage: ULONG;
  Reserved: array[0..2] of ULONG;
  NameInformationLength: ULONG;     // bytes needed for class 1
  TypeInformationLength: ULONG;     // bytes needed for class 2
  SecurityDescriptorLength: ULONG;
  CreateTime: LARGE_INTEGER;        // every field before this is 4 bytes, so the
                                    // 8-byte value stays naturally aligned even
                                    // though the record is packed
end;

// Information Class 1
// Object name; the string buffer follows the header in the same allocation,
// so the query buffer must be larger than SizeOf(TObjectNameInformation).
PObjectNameInformation = ^TObjectNameInformation;
TObjectNameInformation = packed record
  Name: TUnicodeString;
end;

// Information Class 2
// Type descriptor of the object. As with class 1, the Name buffer is placed
// after the fixed part, so callers must size the query buffer accordingly.
// NOTE(review): the record is packed and puts two 1-byte fields (Unknown,
// MaintainHandleDatabase) directly before PoolType; the native layout pads to
// a 4-byte boundary there, so the offsets of PoolType and the two pool-usage
// fields should be confirmed against the target OS before they are relied on.
PObjectTypeInformation = ^TObjectTypeInformation;
TObjectTypeInformation = packed record
  Name: TUnicodeString;
  ObjectCount: ULONG;
  HandleCount: ULONG;
  Reserved1: array[0..3] of ULONG;
  PeakObjectCount: ULONG;
  PeakHandleCount: ULONG;
  Reserved2: array[0..3] of ULONG;
  InvalidAttributes: ULONG;
  GenericMapping: GENERIC_MAPPING;  // generic -> specific access mapping for the type
  ValidAccess: ULONG;
  Unknown: UCHAR;
  MaintainHandleDatabase: Boolean;
  PoolType: TPoolType;
  PagedPoolUsage: ULONG;
  NonPagedPoolUsage: ULONG;
end;

// Information Class 3
// Header of the all-types enumeration. Only the first TypeInformation entry
// is declared here; presumably the remaining NumberOfTypes-1 entries follow in
// the buffer (each with its own trailing name string) -- confirm before walking.
PObjectAllTypesInformation = ^TObjectAllTypesInformation;
TObjectAllTypesInformation = packed record
  NumberOfTypes: ULONG;
  TypeInformation: TObjectTypeInformation;
end;

// Information Class 4
// Handle flags; this is the only class in the table above marked settable.
PObjectHandleInformation = ^TObjectHandleInformation;
TObjectHandleInformation = packed record
  Inherit: Boolean;           // handle is inherited by child processes
  ProtectFromClose: Boolean;  // CloseHandle on this handle is refused
end;
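// ---------------------------------------------------------------------------
// Imports from ntdll.dll (native Zw*/Nt* entry points). Every NTStatus result
// must be checked by the caller: STATUS_SUCCESS is 0, failures are negative.
// ---------------------------------------------------------------------------

// Opens a process selected by ClientID. phProcess receives the new handle on
// success. Declared as PHANDLE (was PDWORD) so it matches ZwOpenThread below
// and stays handle-sized on 64-bit; on 32-bit the two types are the same size.
Function ZwOpenProcess(
  phProcess: PHANDLE;
  AccessMask: DWORD;
  ObjectAttributes: PObjectAttributes;
  ClientID: PClientID): NTStatus; stdcall; external 'ntdll.dll';

// Opens a thread selected by ClientId; ThreadHandle receives the handle.
function ZwOpenThread(
  ThreadHandle: PHANDLE;
  DesiredAccess: ACCESS_MASK;
  ObjectAttributes: PObjectAttributes;
  ClientId: PClientID): NTStatus; stdcall; external 'ntdll.dll';

// Reads BufferLength bytes from BaseAddress in the target process into the
// caller's Buffer; *ReturnLength (may be nil) receives the bytes actually read.
// Buffer and ReturnLength are passed by value, exactly like ZwWriteVirtualMemory
// below: the earlier 'var' parameters handed ntdll the address of the caller's
// pointer variables instead of the buffer itself, so a read wrote BufferLength
// bytes over the caller's stack instead of into the buffer. The NTStatus is now
// returned as well so callers can detect failed or partial reads.
Function ZwReadVirtualMemory(
  ProcessHandle: THANDLE;
  BaseAddress: POINTER;
  Buffer: pointer;
  BufferLength: ULONG;
  ReturnLength: PULONG): NTStatus; stdcall; external 'ntdll.dll';

// Queries ProcessInformationClass for ProcessHandle into ProcessInformation.
// ReturnLength may be nil; on STATUS_INFO_LENGTH_MISMATCH it holds the size
// needed.
Function ZwQueryInformationProcess(
  ProcessHandle: THANDLE;
  ProcessInformationClass: DWORD;
  ProcessInformation: pointer;
  ProcessInformationLength: ULONG;
  ReturnLength: PULONG): NTStatus; stdcall; external 'ntdll.dll';

// Writes BufferLength bytes from Buffer to BaseAddress in the target process.
Function ZwWriteVirtualMemory(
  ProcessHandle: THANDLE;
  BaseAddress: pointer;
  Buffer: pointer;
  BufferLength: dword;
  ReturnLength: PULONG): NTStatus; stdcall; external 'ntdll.dll';

// Changes page protection of the region at *BaseAddress/*ProtectSize. Both
// are in/out: ntdll rounds them to page boundaries and writes them back, and
// *OldProtect receives the previous protection.
Function ZwProtectVirtualMemory(
  ProcessHandle: THANDLE;
  BaseAddress: pointer;
  ProtectSize: PULONG;
  NewProtect: dword;
  OldProtect: pulong): NTStatus; stdcall; external 'ntdll.dll';

// LPC port primitives.
// NOTE(review): 'var Msg: PPORT_MESSAGE' passes the address of the caller's
// pointer variable, one indirection more than the native PPORT_MESSAGE
// parameter. The same applies to ReplyMessage in ZwRequestWaitReplyPort. These
// are kept as declared because the call sites are not visible in this file;
// confirm against the callers (they may already compensate) before changing.
Function ZwListenPort(
  PortHandle: THandle;
  var Msg: PPORT_MESSAGE): NTStatus; stdcall; external 'ntdll.dll';

Function ZwRequestWaitReplyPort(
  PortHandle: THandle;
  RequestMessage: PPORT_MESSAGE;
  var ReplyMessage: PPORT_MESSAGE): NTStatus; stdcall; external 'ntdll.dll';

// Accepts (Accept = True) or rejects a pending connection request.
// PortHandle receives the server-side communication port on acceptance.
Function ZwAcceptConnectPort(
  PortHandle: PHANDLE;
  PortIdentifier: dword;
  PortMessage: PPORT_MESSAGE;
  Accept: bool;
  WriteSection: PPORT_SECTION_WRITE;
  ReadSection: PPORT_SECTION_READ): NTStatus; stdcall; external 'ntdll.dll';

Function ZwCompleteConnectPort(
  PortHandle: THandle): NTStatus; stdcall; external 'ntdll.dll';

Function ZwRequestPort(
  PortHandle: THandle;
  RequestMessage: PPORT_MESSAGE): NTStatus; stdcall; external 'ntdll.dll';

Function ZwReplyPort(
  PortHandle: THandle;
  RequestMessage: PPORT_MESSAGE): NTStatus; stdcall; external 'ntdll.dll';

// System-wide setters; these and the driver load/unload calls below require
// the appropriate privilege (load/unload: SeLoadDriverPrivilege) and fail
// with an access-denied status otherwise.
function ZwSetSystemInformation(
  SystemInformationClass: dword;
  SystemInformation: pointer;
  SystemInformationLength: dword): NTStatus; stdcall; external 'ntdll.dll';

// DriverServiceName is the full registry path of the driver's service key.
function ZwLoadDriver(
  DriverServiceName: PUnicodeString): NTStatus; stdcall; external 'ntdll.dll';

function ZwUnloadDriver(
  DriverServiceName: PUnicodeString): NTStatus; stdcall; external 'ntdll.dll';

// Kernel debugger print. DbgPrint is variadic in ntdll; only the format string
// is declared here, so callers must pass a literal format and never untrusted
// text as Format (it is interpreted as a printf-style format string).
// NOTE: this import uses the NTDLL constant (declared elsewhere) rather than
// the literal 'ntdll.dll' used by the other imports.
function DbgPrint( const Format : PAnsiChar ) : NTStatus; cdecl; external NTDLL;

// Attaches the calling process as debugger to the process handle pHandle
// (dword is handle-sized on 32-bit only) and connects to the debug subsystem.
Function DbgUiDebugActiveProcess(pHandle: dword): NTStatus; stdcall; external 'ntdll.dll';
Function DbgUiConnectToDbg(): NTStatus; stdcall; external 'ntdll.dll';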
{ Fills a caller-supplied TObjectAttributes record for use with the Zw*/Nt*
  object APIs (the Pascal counterpart of the InitializeObjectAttributes macro).

  InitializedAttributes - record to fill; must point to writable memory.
  pObjectName           - object name (may be nil).
  uAttributes           - OBJ_* attribute flags.
  hRootDirectory        - directory handle the name is relative to, or 0.
  pSecurityDescriptor   - security descriptor for a created object, or nil.

  Length is set from SizeOf(TObjectAttributes) and SecurityQualityOfService is
  always cleared to nil; every other field is copied from the arguments. }
procedure InitializeObjectAttributes(
  InitializedAttributes : PObjectAttributes;
  pObjectName : PUnicodeString;
  const uAttributes : ULONG;
  const hRootDirectory : THandle;
  pSecurityDescriptor : PSECURITY_DESCRIPTOR);
begin
  InitializedAttributes^.Length := SizeOf(TObjectAttributes);
  InitializedAttributes^.RootDirectory := hRootDirectory;
  InitializedAttributes^.ObjectName := pObjectName;
  InitializedAttributes^.Attributes := uAttributes;
  InitializedAttributes^.SecurityDescriptor := pSecurityDescriptor;
  InitializedAttributes^.SecurityQualityOfService := nil;
end;
{ Returns a buffer holding the system information of class ATableType, as
  produced by ZwQuerySystemInformation.

  The buffer starts at $4000 bytes and is doubled while the call reports
  STATUS_INFO_LENGTH_MISMATCH (ReturnLength is not used, so growth is by
  doubling only). Returns nil if VirtualAlloc fails or the query ends with any
  status other than STATUS_SUCCESS; in the latter case the buffer is released
  here. On success the caller owns the result and must release it with
  VirtualFree(Result, 0, MEM_RELEASE). }
Function GetInfoTable(ATableType: dword): Pointer;
var
  BufSize: dword;
  Buf: pointer;
  Status: NTStatus;
begin
  Result := nil;
  BufSize := $4000; // initial buffer size
  repeat
    Buf := VirtualAlloc(nil, BufSize, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE);
    if Buf = nil then
      Exit; // out of memory: nothing to free, Result stays nil
    Status := ZwQuerySystemInformation(ATableType, Buf, BufSize, nil);
    if Status <> STATUS_INFO_LENGTH_MISMATCH then
      Break;
    // buffer too small: release it and retry with twice the size
    VirtualFree(Buf, 0, MEM_RELEASE);
    BufSize := BufSize * 2;
  until False;
  if Status = STATUS_SUCCESS then
    Result := Buf
  else
    VirtualFree(Buf, 0, MEM_RELEASE);
end;