#pragma once
#include "Private.h"
#include "VadRoutines.h"
#include "BlackBoneDef.h"
/// <summary>
/// Identifies which process context the code is currently running in
/// </summary>
typedef enum _ATTACHED_CONTEXT
{
    ContextNone   = 0,  // Not attached: running in system context
    ContextHost   = 1,  // Attached to the host process
    ContextTarget = 2,  // Attached to the target process
} ATTACHED_CONTEXT;
/// <summary>
/// Process-specific data
/// </summary>
/// <remarks>
/// Used for both sides of a mapping: PROCESS_MAP_ENTRY holds one instance for the host
/// and one for the target.
/// </remarks>
typedef struct _PROCESS_CONTEXT
{
    HANDLE pid;         // Process ID
    PVOID sharedPage;   // Address of kernel shared page (presumably as mapped into this process - confirm)
} PROCESS_CONTEXT, *PPROCESS_CONTEXT;
/// <summary>
/// Target - host correspondence
/// </summary>
/// <remarks>
/// NOTE(review): entries are presumably stored in g_ProcessPageTables and looked up by PID
/// through BBLookupProcessEntry; which lock protects the fields is not visible in this header - confirm.
/// </remarks>
typedef struct _PROCESS_MAP_ENTRY
{
    PROCESS_CONTEXT host;       // Hosting process context
    PROCESS_CONTEXT target;     // Target process context
    PVOID pSharedPage;          // Address of kernel-shared page allocated from non-paged pool
    PMDL pMDLShared;            // MDL of kernel-shared page
    HANDLE targetPipe;          // Hook pipe handle in target process
    LIST_ENTRY pageList;        // List of REMAP_ENTRY structures (no REMAP_ENTRY is declared here; presumably MAP_ENTRY linked via MAP_ENTRY.link - confirm)
} PROCESS_MAP_ENTRY, *PPROCESS_MAP_ENTRY;
/// <summary>
/// Mapped memory region info
/// </summary>
typedef struct _MAP_ENTRY
{
    LIST_ENTRY link;                // Linked list link
    MEMORY_BASIC_INFORMATION mem;   // Original memory info
    ULONG_PTR newPtr;               // Mapped memory address in host process
    PMDL pMdl;                      // Region MDL entry
    BOOLEAN locked;                 // MDL is locked (presumably must be unlocked before the MDL is released - confirm in the cleanup path)
    BOOLEAN shared;                 // Region has shared pages
    BOOLEAN readonly;               // Region must be mapped as readonly
} MAP_ENTRY, *PMAP_ENTRY;
// Globals defined in another translation unit; only declared here.
// NOTE(review): DYNAMIC_DATA is declared in an included header; its contents are not visible here.
extern DYNAMIC_DATA dynData;
// AVL table of process mappings (presumably holds PROCESS_MAP_ENTRY elements - confirm).
extern RTL_AVL_TABLE g_ProcessPageTables;
// NOTE(review): presumably serializes access to g_ProcessPageTables; confirm that every
// lookup, insert and cleanup path acquires it, since entries are handed out by pointer.
extern KGUARDED_MUTEX g_globalLock;
/// <summary>
/// Map entire address space of target process into the current process
/// </summary>
/// <param name="pRemap">Mapping params</param>
/// <param name="ppEntry">Mapped context</param>
/// <returns>Status code</returns>
/// <remarks>
/// NOTE(review): PMAP_MEMORY is declared in an included header. If pRemap originates from a
/// user-mode request, its buffer and length must be validated before this routine is reached - confirm at the call site.
/// NOTE(review): lifetime of *ppEntry is not visible here; it presumably refers to an element of
/// g_ProcessPageTables, so confirm callers only use it while holding g_globalLock.
/// </remarks>
NTSTATUS BBMapMemory( IN PMAP_MEMORY pRemap, OUT PPROCESS_MAP_ENTRY* ppEntry );
/// <summary>
/// Map specific memory region
/// </summary>
/// <param name="pRegion">Region data</param>
/// <param name="pResult">Mapping results</param>
/// <returns>Status code</returns>
/// <remarks>
/// NOTE(review): how the requested base and size in pRegion are range-checked is not visible
/// in this header; confirm the implementation rejects ranges outside the target's user address space.
/// </remarks>
NTSTATUS BBMapMemoryRegion( IN PMAP_MEMORY_REGION pRegion, OUT PMAP_MEMORY_REGION_RESULT pResult );
/// <summary>
/// Unmap any mapped memory from host and target processes
/// </summary>
/// <param name="pUnmap">Request params</param>
/// <returns>Status code</returns>
NTSTATUS BBUnmapMemory( IN PUNMAP_MEMORY pUnmap );
/// <summary>
/// Unmap specific memory region
/// </summary>
/// <param name="pRegion">Region info</param>
/// <returns>Status code</returns>
NTSTATUS BBUnmapMemoryRegion( IN PUNMAP_MEMORY_REGION pRegion );
/// <summary>
/// Calculate size required to store mapping info
/// </summary>
/// <param name="pList">Mapped regions list</param>
/// <param name="pSize">Resulting size</param>
/// <returns>Status code</returns>
/// <remarks>
/// NOTE(review): callers that size an output buffer from *pSize should check the returned
/// status first; whether the size computation guards against overflow is not visible here - confirm.
/// </remarks>
NTSTATUS BBGetRequiredRemapOutputSize( IN PLIST_ENTRY pList, OUT PULONG_PTR pSize );
/// <summary>
/// Enumerate committed, accessible, non-guarded memory regions
/// </summary>
/// <param name="pList">Region list</param>
/// <param name="start">Region start</param>
/// <param name="end">Region end</param>
/// <param name="mapSections">If set to FALSE, section objects will be excluded from list</param>
/// <returns>Status code</returns>
/// <remarks>
/// NOTE(review): whether [start, end] is inclusive and how start > end is handled is not
/// visible here - confirm. Entries added to pList are presumably MAP_ENTRY allocations that
/// the caller must release on failure paths - confirm.
/// </remarks>
NTSTATUS BBBuildProcessRegionListForRange( IN PLIST_ENTRY pList, IN ULONG_PTR start, IN ULONG_PTR end, IN BOOLEAN mapSections );
/// <summary>
/// Search process entry in list by PID
/// </summary>
/// <param name="pid">PID.</param>
/// <param name="asHost">If set to TRUE, pid is treated as host PID</param>
/// <returns>Found entry, NULL if not found</returns>
/// <remarks>
/// NOTE(review): the result is a raw pointer; if it refers to an element of g_ProcessPageTables,
/// a concurrent cleanup could free it. Confirm callers hold g_globalLock across the lookup and
/// every subsequent use of the returned entry.
/// </remarks>
PPROCESS_MAP_ENTRY BBLookupProcessEntry( IN HANDLE pid, IN BOOLEAN asHost );
/// <summary>
/// Unmap all regions, delete MDLs, close handles, remove entry from table
/// </summary>
/// <param name="pProcessEntry">Process entry</param>
/// <remarks>
/// NOTE(review): since the entry is removed from the table, callers should treat
/// pProcessEntry as invalid after this returns; whether its storage is freed here is not
/// visible in this header - confirm.
/// </remarks>
VOID BBCleanupProcessEntry( IN PPROCESS_MAP_ENTRY pProcessEntry );
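/// <summary>
/// Clear global process map table
/// </summary>
/// <remarks>
/// Declared with an explicit VOID parameter list: in C an empty "()" leaves the parameters
/// unspecified, so a call that passes stray arguments would not be diagnosed.
/// NOTE(review): presumably operates on g_ProcessPageTables; locking requirements are not
/// visible in this header - confirm.
/// </remarks>
VOID BBCleanupProcessTable( VOID );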
/// <summary>
/// Unmap any mapped pages from host process
/// </summary>
/// <param name="pProcessEntry">Process entry</param>
/// <remarks>
/// NOTE(review): which process context this must be called in is not stated here; see
/// ATTACHED_CONTEXT and confirm against the implementation.
/// </remarks>
VOID BBCleanupHostProcess( IN PPROCESS_MAP_ENTRY pProcessEntry );
//
// AVL table routines
//
// NOTE(review): the three signatures match the compare / allocate / free callback shapes
// taken by RtlInitializeGenericTableAvl; presumably registered for g_ProcessPageTables - confirm.
//

// Compares two table elements and returns their relative order; the key used is not visible here.
RTL_GENERIC_COMPARE_RESULTS AvlCompare( IN RTL_AVL_TABLE *Table, IN PVOID FirstStruct, IN PVOID SecondStruct );
// Allocates ByteSize bytes of element storage for the table; pool type and tag are not visible here.
PVOID AvlAllocate( IN RTL_AVL_TABLE *Table, IN CLONG ByteSize );
// Releases element storage at Buffer (presumably obtained from AvlAllocate - confirm).
VOID AvlFree( IN RTL_AVL_TABLE *Table, IN PVOID Buffer );