{ // Value  Query  Set   (class index, can be queried, can be set)
TObjectInformationClass = (
ObjectBasicInformation, // 0 Y N
ObjectNameInformation, // 1 Y N
ObjectTypeInformation, // 2 Y N
ObjectAllTypesInformation, // 3 Y N
ObjectHandleInformation // 4 Y Y
);
}
// Information Class 0
// Information class 0 (ObjectBasicInformation): per-handle data returned by
// NtQueryObject.  Field order is intended to mirror the native
// OBJECT_BASIC_INFORMATION; every field up to CreateTime is 4 bytes wide, so
// `packed` and natural alignment give the same offsets here.  The three
// *Length fields report how many bytes the name / type / security-descriptor
// queries for the same handle need, so they can size those follow-up buffers
// instead of guessing.
PObjectBasicInformation = ^TObjectBasicInformation;
TObjectBasicInformation = packed record
Attributes: ULONG; // OBJ_* flags the handle was opened with
GrantedAccess: ACCESS_MASK; // rights actually granted to this handle (not the rights requested)
HandleCount: ULONG; // handles open to the object
PointerCount: ULONG; // kernel references to the object
PagedPoolUsage: ULONG;
NonPagedPoolUsage: ULONG;
Reserved: array[0..2] of ULONG;
NameInformationLength: ULONG; // bytes needed for ObjectNameInformation
TypeInformationLength: ULONG; // bytes needed for ObjectTypeInformation
SecurityDescriptorLength: ULONG; // bytes needed for the object's security descriptor
CreateTime: LARGE_INTEGER; // at offset 48, 8-byte aligned even though packed
end;
// Information Class 1
// Information class 1 (ObjectNameInformation): the object's full NT namespace
// name.  In the native layout the string characters follow the record in the
// same query buffer and Name.Buffer points at them, so the buffer must be at
// least NameInformationLength bytes (from class 0) and must stay allocated for
// as long as Name is used.  Name.Length is a byte count, not a character
// count, and the string is not guaranteed to be zero-terminated.
PObjectNameInformation = ^TObjectNameInformation;
TObjectNameInformation = packed record
Name: TUnicodeString; // Length/MaximumLength in bytes; Buffer points into the query buffer
end;
// Information Class 2
// Information class 2 (ObjectTypeInformation): describes the object *type*
// behind a handle (counts, generic mapping, valid access mask).  Field order
// is intended to mirror the native OBJECT_TYPE_INFORMATION.
// NOTE(review): the native structure is naturally aligned while this record
// is `packed`.  Up to ValidAccess the offsets agree (all fields are 4 bytes,
// plus the pointer inside TUnicodeString), but after the two single-byte
// fields Unknown / MaintainHandleDatabase the native layout pads to a 4-byte
// boundary before PoolType and a packed record does not, so PoolType,
// PagedPoolUsage and NonPagedPoolUsage may be read from the wrong offset.
// TPoolType's size also depends on the unit's $MINENUMSIZE setting (Delphi
// enums are 1 byte by default; the native POOL_TYPE is 4) -- confirm both
// against the native header before relying on the trailing fields.
PObjectTypeInformation = ^TObjectTypeInformation;
TObjectTypeInformation = packed record
Name: TUnicodeString; // type name, e.g. "Process"; characters follow the record in the query buffer
ObjectCount: ULONG;
HandleCount: ULONG;
Reserved1: array[0..3] of ULONG;
PeakObjectCount: ULONG;
PeakHandleCount: ULONG;
Reserved2: array[0..3] of ULONG;
InvalidAttributes: ULONG; // OBJ_* flags this type rejects
GenericMapping: GENERIC_MAPPING; // GENERIC_READ/WRITE/EXECUTE/ALL -> specific rights for this type
ValidAccess: ULONG; // mask of access bits that are meaningful for this type
Unknown: UCHAR;
MaintainHandleDatabase: Boolean;
PoolType: TPoolType; // see the alignment / enum-size note above
PagedPoolUsage: ULONG;
NonPagedPoolUsage: ULONG;
end;
// Information Class 3
// Information class 3 (ObjectAllTypesInformation): every object type known to
// the object manager.  The native structure is variable-length: NumberOfTypes
// entries follow, each a TObjectTypeInformation followed by its name
// characters (aligned), so TypeInformation here is only the *first* entry and
// the rest must be walked by stepping past each entry's name -- TODO confirm
// the stepping rule against the native header; do not index this as an array.
PObjectAllTypesInformation = ^TObjectAllTypesInformation;
TObjectAllTypesInformation = packed record
NumberOfTypes: ULONG; // number of entries that follow
TypeInformation: TObjectTypeInformation; // first entry only; subsequent entries are not at a fixed offset
end;
// Information Class 4
// Information class 4 (ObjectHandleInformation): the two per-handle flags.
// This is the only class in the table above marked as settable ("4 Y Y"), i.e.
// it can be used with NtSetInformationObject as well as NtQueryObject.  Both
// fields are single-byte BOOLEANs, so the packed layout matches the native
// OBJECT_HANDLE_FLAG_INFORMATION.
PObjectHandleInformation = ^TObjectHandleInformation;
TObjectHandleInformation = packed record
Inherit: Boolean; // handle is inherited by child processes
ProtectFromClose: Boolean; // NtClose on the handle fails (and raises under a debugger) while set
end;
// NtOpenProcess: opens the process identified by ClientID^.UniqueProcess
// with the rights in AccessMask and stores the new handle in phProcess^.
// The access check is all-or-nothing for the whole mask, so request only the
// rights actually needed.  ObjectAttributes must be initialized (see
// InitializeObjectAttributes below) even when no name is supplied.
// NOTE(review): phProcess is typed PDWORD while ZwOpenThread below uses
// PHANDLE.  The kernel writes a HANDLE, which is wider than a DWORD in a
// 64-bit build, so a DWORD target would be overrun there; the declaration is
// kept as is because changing the pointer type breaks existing call sites.
Function ZwOpenProcess(
phProcess:PDWORD;
AccessMask:DWORD;
ObjectAttributes:PObjectAttributes;
ClientID:PClientID):NTStatus;
stdcall;external 'ntdll.dll';
// NtOpenThread: opens the thread identified by ClientId^ (UniqueThread, and
// UniqueProcess if non-zero) with DesiredAccess and stores the handle in
// ThreadHandle^.  As with ZwOpenProcess the access check covers the whole
// mask at once.  ThreadHandle is correctly a PHANDLE here (compare the PDWORD
// used by ZwOpenProcess above).
function ZwOpenThread(
ThreadHandle:PHANDLE;
DesiredAccess:ACCESS_MASK;
ObjectAttributes:PObjectAttributes;
ClientId:PClientID):NTStatus;stdcall;external 'ntdll.dll';
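// NtReadVirtualMemory: copies BufferLength bytes starting at BaseAddress in
// the process behind ProcessHandle into Buffer (memory of the calling
// process) and, if ReturnLength is not nil, stores the number of bytes
// actually copied in ReturnLength^.
// Buffer and ReturnLength are passed by value, matching ZwWriteVirtualMemory
// below: a `var` parameter of pointer type passes the address of the
// caller's pointer variable, so the native call would write the read bytes
// over that variable (and whatever follows it on the stack) instead of into
// the buffer.  The NTSTATUS is returned rather than discarded; a short or
// failed read is only visible through the status and ReturnLength^, so check
// both before trusting the buffer contents.
// BufferLength / ReturnLength are SIZE_T / PSIZE_T natively; ULONG / PULONG
// match only in a 32-bit build, like the other declarations in this unit.
Function ZwReadVirtualMemory(
ProcessHandle:THANDLE;
BaseAddress:pointer;
Buffer:pointer;
BufferLength:ULONG;
ReturnLength:PULONG):NTStatus;stdcall;external 'ntdll.dll';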
// NtQueryInformationProcess: fills ProcessInformation^ (ProcessInformationLength
// bytes) with the data selected by ProcessInformationClass (a raw class
// number -- no PROCESSINFOCLASS enum is declared in this unit) and, if
// ReturnLength is not nil, stores the size needed / written in ReturnLength^.
// When the buffer is too small the call fails and ReturnLength^ (if given)
// still receives the required size, so a size-then-query pattern like the one
// in GetInfoTable below applies.  The handle needs the query right
// appropriate to the class (PROCESS_QUERY_LIMITED_INFORMATION is enough for
// some classes, PROCESS_QUERY_INFORMATION for others) -- confirm per class.
Function ZwQueryInformationProcess(
ProcessHandle:THANDLE;
ProcessInformationClass:DWORD;
ProcessInformation:pointer;
ProcessInformationLength:ULONG;
ReturnLength:PULONG):NTStatus;stdcall;
external 'ntdll.dll';
// NtWriteVirtualMemory: copies BufferLength bytes from Buffer (memory of the
// calling process) to BaseAddress in the process behind ProcessHandle and, if
// ReturnLength is not nil, stores the number of bytes written in
// ReturnLength^.  Buffer is passed by value (the buffer pointer itself), which
// is the correct form for these native calls.  The target pages must already
// be writable; the call does not change their protection.  BufferLength is
// SIZE_T natively, so dword matches only in a 32-bit build.
Function ZwWriteVirtualMemory(
ProcessHandle:THANDLE;
BaseAddress:pointer;
Buffer:pointer;
BufferLength:dword;
ReturnLength:PULONG):NTStatus;stdcall;external 'ntdll.dll';
// NtProtectVirtualMemory: changes the page protection of a region in the
// process behind ProcessHandle to NewProtect and stores the previous
// protection in OldProtect^.
// NOTE(review): in the native API the first two region parameters are
// in/out -- BaseAddress is a PVOID* (the kernel rounds the start down to a
// page boundary and writes it back) and ProtectSize is likewise rounded up
// and written back.  The untyped `pointer` here therefore expects the
// *address of* the caller's base-address variable, not the base address
// itself; passing the region start directly corrupts the first bytes of the
// region.  Restore OldProtect^ once the change is no longer needed so the
// region is not left more permissive than it was.
Function ZwProtectVirtualMemory(
ProcessHandle:THANDLE;
BaseAddress:pointer;
ProtectSize:PULONG;
NewProtect:dword;
OldProtect:pulong):NTStatus;stdcall;external 'ntdll.dll';
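// NtListenPort: blocks until a connection request arrives on the LPC server
// port PortHandle and copies it into Msg^, the caller's PORT_MESSAGE buffer.
// Msg is passed by value because the native parameter is the message buffer
// pointer itself: a `var` parameter of pointer type would hand the kernel the
// address of the caller's pointer variable, so the message would be written
// over that variable instead of into the buffer.  The buffer must be large
// enough for the largest message the port was created with.  Everything in
// the received message beyond the kernel-filled header comes from the
// connecting client and must be validated before use.
Function ZwListenPort(PortHandle:THandle;
Msg:PPORT_MESSAGE):NTStatus;
stdcall;external 'ntdll.dll';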
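// NtRequestWaitReplyPort: sends RequestMessage^ on PortHandle and blocks
// until the reply arrives, which is copied into ReplyMessage^.
// ReplyMessage is passed by value, like RequestMessage: the native parameter
// is the reply buffer pointer itself, and a `var` parameter of pointer type
// would pass the address of the caller's pointer variable, so the reply would
// be written over that variable instead of into the buffer.  The reply buffer
// must be at least as large as the port's maximum message size; the reply's
// data portion is peer-supplied and must be validated before use.
Function ZwRequestWaitReplyPort(PortHandle:THandle;
RequestMessage:PPORT_MESSAGE;
ReplyMessage:PPORT_MESSAGE):NTStatus;
stdcall;external 'ntdll.dll';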
// NtAcceptConnectPort: accepts (Accept = True) or rejects (Accept = False) the
// connection request PortMessage^ that ZwListenPort returned.  On accept the
// new server-side communication port handle is stored in PortHandle^ and
// PortIdentifier is the opaque per-connection context the kernel will hand
// back with later messages (natively a PVOID; dword matches only a 32-bit
// build).  WriteSection / ReadSection describe the optional shared-memory
// views and may be nil.  Decide Accept on the basis of the client's identity
// (the ClientId in the message header is kernel-filled) rather than on the
// client-supplied connection data, which is untrusted.
Function ZwAcceptConnectPort(PortHandle:PHANDLE;
PortIdentifier:dword;
PortMessage:PPORT_MESSAGE;
Accept:bool;
WriteSection:PPORT_SECTION_WRITE;
ReadSection:PPORT_SECTION_READ):NTStatus;
stdcall;external 'ntdll.dll';
// NtCompleteConnectPort: finishes the handshake on the communication port
// returned by ZwAcceptConnectPort; the client's connect call does not return
// until this has been called.
Function ZwCompleteConnectPort(PortHandle:THandle):NTStatus;
stdcall;external 'ntdll.dll';
// NtRequestPort: sends RequestMessage^ on PortHandle as a datagram, i.e.
// without waiting for a reply (contrast ZwRequestWaitReplyPort).
// RequestMessage is the message buffer pointer itself.
Function ZwRequestPort(PortHandle:THandle;RequestMessage:PPORT_MESSAGE):NTStatus;
stdcall;external 'ntdll.dll';
// NtReplyPort: sends RequestMessage^ on PortHandle as the reply to a
// previously received request; per the native API the reply's header must
// carry the ClientId / MessageId of the request it answers.  Despite the
// parameter name this is the reply buffer, passed by value.
Function ZwReplyPort(PortHandle:THandle;RequestMessage:PPORT_MESSAGE):NTStatus;
stdcall;external 'ntdll.dll';
// NtSetSystemInformation: writes SystemInformationLength bytes from
// SystemInformation^ into the system-wide setting selected by
// SystemInformationClass (a raw class number; no SYSTEM_INFORMATION_CLASS
// enum is declared in this unit).  Most classes are privileged and are
// rejected with an access/privilege status for an unprivileged caller; the
// length must match the class's expected structure exactly.
function ZwSetSystemInformation(SystemInformationClass: dword;
SystemInformation: pointer;
SystemInformationLength: dword): NTStatus;
stdcall;external 'ntdll.dll';
// NtLoadDriver: loads the kernel driver whose service key is named by
// DriverServiceName^ (the full registry path, e.g.
// \Registry\Machine\System\CurrentControlSet\Services\<service>; the image
// comes from that key's ImagePath value).  Requires SeLoadDriverPrivilege and
// amounts to running code in the kernel, so the key and image must be
// trusted; driver-load events are worth auditing on the host.
function ZwLoadDriver(DriverServiceName: PUnicodeString): NTStatus;
stdcall;external 'ntdll.dll';
// NtUnloadDriver: unloads the driver named by the same service-key path used
// with ZwLoadDriver.  Also requires SeLoadDriverPrivilege; the driver must
// support unloading (DriverUnload routine) or the call fails.
function ZwUnloadDriver(DriverServiceName: PUnicodeString): NTStatus;
stdcall;external 'ntdll.dll';
// DbgPrint: writes a printf-style message to the kernel debugger output.
// Natively this is a C varargs function; this declaration exposes only the
// format string, so callers can pass a plain string only.  A Format
// containing %-specifiers would make DbgPrint read arguments that were never
// pushed (stack garbage), so never pass externally influenced text as Format.
// NOTE(review): the library is given as the constant NTDLL rather than the
// 'ntdll.dll' literal used everywhere else in this unit; NTDLL is presumably
// declared elsewhere in the unit -- verify it resolves to the same DLL.
function DbgPrint(
const Format : PAnsiChar
) : NTStatus; cdecl; external NTDLL;
// DbgUiDebugActiveProcess: attaches the calling thread's debug object (created
// by DbgUiConnectToDbg) to the process behind pHandle, which needs
// PROCESS_SUSPEND_RESUME and related debug rights.  pHandle is a dword, so
// this declaration is only correct for a 32-bit build where HANDLE is 4 bytes.
Function DbgUiDebugActiveProcess(pHandle: dword): NTStatus;stdcall;external 'ntdll.dll';
// DbgUiConnectToDbg: creates the per-thread debug object the DbgUi* functions
// operate on; must be called once on the debugging thread before
// DbgUiDebugActiveProcess.
Function DbgUiConnectToDbg(): NTStatus;stdcall;external 'ntdll.dll';
{ Initialize a TObjectAttributes record }
{ Fills InitializedAttributes^ the way the native InitializeObjectAttributes
  macro does: Length is the record size, ObjectName / Attributes /
  RootDirectory / SecurityDescriptor are taken from the arguments and
  SecurityQualityOfService is cleared.  pObjectName and pSecurityDescriptor
  are stored as pointers, not copied, so they must outlive the record for as
  long as it is passed to Zw* calls.  InitializedAttributes is dereferenced
  without a nil check. }
procedure InitializeObjectAttributes(
InitializedAttributes : PObjectAttributes;
pObjectName : PUnicodeString;
const uAttributes : ULONG;
const hRootDirectory : THandle;
pSecurityDescriptor : PSECURITY_DESCRIPTOR);
begin
  InitializedAttributes^.Length := SizeOf(TObjectAttributes);
  InitializedAttributes^.ObjectName := pObjectName;
  InitializedAttributes^.Attributes := uAttributes;
  InitializedAttributes^.RootDirectory := hRootDirectory;
  InitializedAttributes^.SecurityDescriptor := pSecurityDescriptor;
  // No quality-of-service block is ever supplied through this helper.
  InitializedAttributes^.SecurityQualityOfService := nil;
end;
{ Obtain a buffer holding a system information table }
{ Queries the system information class ATableType into a freshly allocated
  buffer and returns it, or nil on allocation failure or on any status other
  than STATUS_SUCCESS.  The buffer starts at $4000 bytes and is doubled while
  ZwQuerySystemInformation reports STATUS_INFO_LENGTH_MISMATCH.  The caller
  owns the result and must free it with VirtualFree(p, 0, MEM_RELEASE).
  The final buffer size is not returned, so code walking the table has to
  rely on the length / offset fields inside it; the table is a snapshot and
  may be stale by the time it is read. }
Function GetInfoTable(ATableType:dword):Pointer;
var
  BufSize: dword;
  Buf: pointer;
  Status: NTStatus;
  Done: Boolean;
begin
  Result := nil;
  BufSize := $4000; // initial buffer size
  Done := False;
  while not Done do
  begin
    Buf := VirtualAlloc(nil, BufSize, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE);
    if Buf = nil then Exit;
    Status := ZwQuerySystemInformation(ATableType, Buf, BufSize, nil);
    Done := Status <> STATUS_INFO_LENGTH_MISMATCH;
    if not Done then
    begin
      // Buffer too small: release it and retry with twice the size.
      VirtualFree(Buf, 0, MEM_RELEASE);
      BufSize := BufSize * 2;
    end;
  end;
  if Status = STATUS_SUCCESS then
    Result := Buf
  else
    VirtualFree(Buf, 0, MEM_RELEASE);
end;