// dllmain.cpp : Defines the entry point for the DLL application. #include "progwrp.h" #include "export.h" #include "implementations.h" volatile BOOLEAN g_InitCompleted = FALSE; HANDLE hProcessClose; #define LoadFuncPfn(x, y) pfnFunc = NULL; RtlInitAnsiString(&ansi_str, #y); LdrGetProcedureAddress(x, &ansi_str, 0, &pfnFunc); \ if (pfnFunc) { g_pfn_##y = pfnFunc;} else { g_pfn_##y = (pfnFunc_generic)Implementation_##y;} #define LoadFuncPfnLite(x, y) RtlInitAnsiString(&ansi_str, #y); LdrGetProcedureAddress(x, &ansi_str, 0, &pfnFunc); g_pfn_##y = pfnFunc; // This macro above covers the cases where functions are "completely" missing. But what about when functions are "partially" missing? // (i.e. missing flags, etc.) // In the context of this DLL, we may have three different states: fully-functional function, partially-implemented function and // completely-missing function. We don't know at the init process if flags are missing or not. So if the function is partially implemented, // we can try calling the original function, test for an invalid parameter error, and then try the "missing bit". // The option to completely replace functions should also be available. void InitPtrs_kernel32() { UNICODE_STRING kernel32s; HMODULE kernel32 = NULL; RtlInitUnicodeString(&kernel32s, L"kernel32.dll"); if(!LdrLoadDll(NULL, 0, &kernel32s, &kernel32)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(kernel32, GetMaximumProcessorCount); LoadFuncPfn(kernel32, GetMaximumProcessorGroupCount); LoadFuncPfn(kernel32, GetLogicalProcessorInformationEx); LoadFuncPfn(kernel32, GetThreadGroupAffinity); LoadFuncPfn(kernel32, GetCurrentProcessorNumber); LoadFuncPfn(kernel32, PowerCreateRequest); LoadFuncPfn(kernel32, PowerSetRequest); LoadFuncPfn(kernel32, PowerClearRequest); LoadFuncPfn(kernel32, ResolveLocaleName); LoadFuncPfn(kernel32, EnumSystemLocalesEx); LoadFuncPfn(kernel32, GetCurrencyFormatEx); LoadFuncPfn(kernel32, GetDateFormatEx); LoadFuncPfn(kernel32, GetDynamicTimeZoneInformation); LoadFuncPfn(kernel32, GetLocaleInfoEx); LoadFuncPfn(kernel32, GetNumberFormatEx); LoadFuncPfn(kernel32, GetTimeFormatEx); LoadFuncPfn(kernel32, GetUserDefaultLocaleName); LoadFuncPfn(kernel32, LCIDToLocaleName); LoadFuncPfn(kernel32, LocaleNameToLCID); LoadFuncPfn(kernel32, TryAcquireSRWLockExclusive); // These functions can be loaded independently of the "real" LoadFuncPfn(kernel32, TryAcquireSRWLockShared); // SRW lock functions because they are compatible LoadFuncPfn(kernel32, AcquireSRWLockExclusive); if(g_pfn_AcquireSRWLockExclusive != (pfnFunc_generic)Implementation_AcquireSRWLockExclusive && g_pfn_TryAcquireSRWLockExclusive == (pfnFunc_generic)Implementation_TryAcquireSRWLockExclusive) // If the real AcquireSRWLockExclusive is available but not TryAcquireSRWLockExclusive, // load the "Vista" versions of the try acquire SRW lock functions { g_pfn_TryAcquireSRWLockExclusive = (pfnFunc_generic)Implementation_TryAcquireSRWLockExclusive_Vista; g_pfn_TryAcquireSRWLockShared = (pfnFunc_generic)Implementation_TryAcquireSRWLockShared_Vista; g_pfn_GetLogicalProcessorInformationEx = (pfnFunc_generic)Implementation_GetLogicalProcessorInformationEx; } LoadFuncPfn(kernel32, AcquireSRWLockShared); LoadFuncPfn(kernel32, ReleaseSRWLockExclusive); LoadFuncPfn(kernel32, ReleaseSRWLockShared); LoadFuncPfn(kernel32, InitializeSRWLock); LoadFuncPfn(kernel32, SleepConditionVariableSRW); LoadFuncPfn(kernel32, SleepConditionVariableCS); LoadFuncPfn(kernel32, WakeConditionVariable); LoadFuncPfn(kernel32, WakeAllConditionVariable); LoadFuncPfn(kernel32, InitializeConditionVariable); LoadFuncPfn(kernel32, InitOnceExecuteOnce); LoadFuncPfn(kernel32, InitOnceBeginInitialize); LoadFuncPfn(kernel32, InitOnceComplete); LoadFuncPfn(kernel32, InitOnceInitialize); LoadFuncPfn(kernel32, CreateWaitableTimerExW); LoadFuncPfn(kernel32, InitializeCriticalSectionEx); LoadFuncPfn(kernel32, DecodePointer); LoadFuncPfn(kernel32, EncodePointer); LoadFuncPfn(kernel32, WerRegisterRuntimeExceptionModule); LoadFuncPfn(kernel32, CreateRemoteThreadEx); g_pfn_FindFirstFileExW = (pfnFunc_generic)Implementation_FindFirstFileExW; LoadFuncPfn(kernel32, CancelIoEx); LoadFuncPfn(kernel32, GetFinalPathNameByHandleW); LoadFuncPfn(kernel32, SetFileInformationByHandle); LoadFuncPfn(kernel32, DeleteProcThreadAttributeList); LoadFuncPfn(kernel32, UpdateProcThreadAttribute); LoadFuncPfn(kernel32, InitializeProcThreadAttributeList); LoadFuncPfn(kernel32, QueryFullProcessImageNameA); LoadFuncPfn(kernel32, QueryFullProcessImageNameW); LoadFuncPfn(kernel32, QueryProcessCycleTime); LoadFuncPfn(kernel32, QueryThreadCycleTime); LoadFuncPfn(kernel32, GetProductInfo); LoadFuncPfn(kernel32, GetThreadId); LoadFuncPfn(kernel32, GetNamedPipeClientProcessId); LoadFuncPfn(kernel32, GetNamedPipeServerProcessId); LoadFuncPfn(kernel32, GetThreadPreferredUILanguages); LoadFuncPfn(kernel32, GetFileInformationByHandleEx); LoadFuncPfn(kernel32, Wow64GetThreadContext); LoadFuncPfn(kernel32, FlsAlloc); LoadFuncPfn(kernel32, FlsFree); //LoadFuncPfn(kernel32, FlsGetValue); g_pfn_FlsGetValue = (pfnFunc_generic)Implementation_FlsGetValue; LoadFuncPfn(kernel32, FlsSetValue); LoadFuncPfn(kernel32, IsThreadAFiber); LoadFuncPfn(kernel32, ConvertThreadToFiberEx); LoadFuncPfn(kernel32, GetProcessId); LoadFuncPfn(kernel32, AddVectoredExceptionHandler); LoadFuncPfn(kernel32, RemoveVectoredExceptionHandler); LoadFuncPfn(kernel32, AttachConsole); LoadFuncPfn(kernel32, WTSGetActiveConsoleSessionId); LoadFuncPfn(kernel32, CheckRemoteDebuggerPresent); LoadFuncPfn(kernel32, CreateMemoryResourceNotification); LoadFuncPfn(kernel32, GetGeoInfoW); LoadFuncPfn(kernel32, GetLogicalProcessorInformation); LoadFuncPfn(kernel32, GetModuleHandleExA); LoadFuncPfn(kernel32, GetModuleHandleExW); LoadFuncPfn(kernel32, GetNativeSystemInfo); LoadFuncPfn(kernel32, GetProcessHandleCount); LoadFuncPfn(kernel32, GetUserGeoID); LoadFuncPfn(kernel32, GetVolumePathNamesForVolumeNameW); LoadFuncPfn(kernel32, InitializeSListHead); LoadFuncPfn(kernel32, InterlockedFlushSList); LoadFuncPfn(kernel32, InterlockedPushEntrySList); LoadFuncPfn(kernel32, IsProcessInJob); LoadFuncPfn(kernel32, IsWow64Process); LoadFuncPfn(kernel32, SetDllDirectoryW); LoadFuncPfn(kernel32, TzSpecificLocalTimeToSystemTime); LoadFuncPfn(kernel32, ConvertFiberToThread); LoadFuncPfn(kernel32, PrefetchVirtualMemory); LoadFuncPfn(kernel32, GetFirmwareType); LoadFuncPfn(kernel32, GetPackagePathByFullName); LoadFuncPfn(kernel32, GetPackagesByPackageFamily); LoadFuncPfn(kernel32, LCMapStringEx); LoadFuncPfn(kernel32, DuplicateHandle); if(LOBYTE(GetVersion()) > 5 || LOBYTE(GetVersion() == 5) && LOBYTE(GetVersion() >> 8) >= 2) { pfnFunc = NULL; RtlInitAnsiString(&ansi_str, "CreateFiberEx"); LdrGetProcedureAddress(kernel32, &ansi_str, 0, &pfnFunc); g_pfn_CreateFiberEx = pfnFunc; pfnFunc = NULL; RtlInitAnsiString(&ansi_str, "SwitchToFiber"); LdrGetProcedureAddress(kernel32, &ansi_str, 0, &pfnFunc); g_pfn_SwitchToFiber = pfnFunc; } else { g_pfn_CreateFiberEx = (pfnFunc_generic)Implementation_CreateFiberEx; // g_pfn_SwitchToFiber = (pfnFunc_generic)Implementation_SwitchToFiber; pfnFunc = NULL; RtlInitAnsiString(&ansi_str, "SwitchToFiber"); LdrGetProcedureAddress(kernel32, &ansi_str, 0, &pfnFunc); g_pfn_SwitchToFiber = pfnFunc; } LoadFuncPfn(kernel32, SetProcessDEPPolicy); LoadFuncPfn(kernel32, InterlockedPopEntrySList); LoadFuncPfn(kernel32, HeapSetInformation); g_pfn_GetProcAddress = (pfnFunc_generic)Implementation_GetProcAddress; g_pfn_LoadLibraryW = (pfnFunc_generic)Implementation_LoadLibraryW; g_pfn_LoadLibraryA = (pfnFunc_generic)Implementation_LoadLibraryA; g_pfn_LoadLibraryExW = (pfnFunc_generic)Implementation_LoadLibraryExW; g_pfn_LoadLibraryExA = (pfnFunc_generic)Implementation_LoadLibraryExA; if (LOBYTE(GetVersion()) < 6) { g_pfn_DuplicateHandle = (pfnFunc_generic)Implementation_DuplicateHandle; } LoadFuncPfn(kernel32, DiscardVirtualMemory); } return; } void InitPtrs_shell32() { UNICODE_STRING shell32s; HMODULE shell32 = NULL; RtlInitUnicodeString(&shell32s, L"shell32.dll"); if(!LdrLoadDll(NULL, 0, &shell32s, &shell32)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(shell32, SHGetPropertyStoreForWindow); LoadFuncPfn(shell32, SHGetKnownFolderPath); LoadFuncPfn(shell32, SHQueryUserNotificationState); } return; } void InitPtrs_ntdll() { UNICODE_STRING ntdlls; HMODULE ntdll = NULL; RtlInitUnicodeString(&ntdlls, L"ntdll.dll"); if(!LdrLoadDll(NULL, 0, &ntdlls, &ntdll)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(ntdll, NtOpenKeyEx); LoadFuncPfn(ntdll, RtlGetLastNtStatus); RtlInitAnsiString(&ansi_str, "wcsstr"); pfnFunc = NULL; LdrGetProcedureAddress(ntdll, &ansi_str, 0, &pfnFunc); g_wcsstr = pfnFunc; RtlInitAnsiString(&ansi_str, "strstr"); pfnFunc = NULL; LdrGetProcedureAddress(ntdll, &ansi_str, 0, &pfnFunc); g_strstr = pfnFunc; } return; } void InitPtrs_psapi() { UNICODE_STRING psapis; HMODULE psapi = NULL; RtlInitUnicodeString(&psapis, L"psapi.dll"); if(!LdrLoadDll(NULL, 0, &psapis, &psapi)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(psapi, GetModuleInformation); LoadFuncPfn(psapi, GetProcessMemoryInfo); LoadFuncPfn(psapi, QueryWorkingSetEx); LoadFuncPfn(psapi, GetPerformanceInfo); } } void InitPtrs_user32() { UNICODE_STRING user32s; HMODULE user32 = NULL; UNICODE_STRING shcores; HMODULE shcore = NULL; RtlInitUnicodeString(&user32s, L"user32.dll"); RtlInitUnicodeString(&shcores, L"SHCore.dll"); LdrLoadDll(NULL, 0, &shcores, &shcore); if(!LdrLoadDll(NULL, 0, &user32s, &user32)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(user32, RegisterTouchWindow); LoadFuncPfn(user32, GetDisplayConfigBufferSizes); LoadFuncPfn(user32, CloseTouchInputHandle); LoadFuncPfn(user32, GetGestureInfo); LoadFuncPfn(user32, DisplayConfigGetDeviceInfo); LoadFuncPfn(user32, DisplayConfigSetDeviceInfo); LoadFuncPfn(user32, QueryDisplayConfig); LoadFuncPfn(user32, SetProcessDPIAware); LoadFuncPfn(user32, RegisterPowerSettingNotification); LoadFuncPfn(user32, UnregisterPowerSettingNotification); LoadFuncPfn(shcore, GetDpiForMonitor); LoadFuncPfn(user32, GetLayeredWindowAttributes); LoadFuncPfn(user32, GetRawInputDeviceInfoW); LoadFuncPfn(user32, PrintWindow); LoadFuncPfn(user32, DefRawInputProc); LoadFuncPfn(user32, GetRawInputDeviceList); LoadFuncPfn(user32, RegisterRawInputDevices); LoadFuncPfn(user32, UnhookWindowsHookEx); LoadFuncPfn(user32, RegisterPointerDeviceNotifications); LoadFuncPfn(user32, GetPointerDevices); LoadFuncPfn(user32, GetPointerDevice); g_pfn_SystemParametersInfoW = (pfnFunc_generic)Implementation_SystemParametersInfoW; //g_pfn_RegisterClassExW = (pfnFunc_generic)Implementation_RegisterClassExW; } return; } void InitPtrs_dbghelp() { UNICODE_STRING dbghelps; HMODULE dbghelp = NULL; RtlInitUnicodeString(&dbghelps, L"dbghelp.dll"); if(!LdrLoadDll(NULL, 0, &dbghelps, &dbghelp)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(dbghelp, SymGetSearchPathW); LoadFuncPfn(dbghelp, SymSetSearchPathW); } return; } void InitPtrs_ws2_32() { UNICODE_STRING ws2_32s; HMODULE ws2_32 = NULL; RtlInitUnicodeString(&ws2_32s, L"ws2_32.dll"); if(!LdrLoadDll(NULL, 0, &ws2_32s, &ws2_32)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(ws2_32, inet_ntop); LoadFuncPfn(ws2_32, freeaddrinfo); LoadFuncPfn(ws2_32, getaddrinfo); } return; } void InitPtrs_iphlpapi() { UNICODE_STRING iphlpapis; HMODULE iphlpapi = NULL; RtlInitUnicodeString(&iphlpapis, L"iphlpapi.dll"); if(!LdrLoadDll(NULL, 0, &iphlpapis, &iphlpapi)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(iphlpapi, FreeMibTable); LoadFuncPfn(iphlpapi, GetIfTable2); LoadFuncPfn(iphlpapi, CancelIPChangeNotify); LoadFuncPfn(iphlpapi, GetAdaptersAddresses); } return; } void InitPtrs_advapi32() { UNICODE_STRING advapi32s; HMODULE advapi32 = NULL; RtlInitUnicodeString(&advapi32s, L"advapi32.dll"); if(!LdrLoadDll(NULL, 0, &advapi32s, &advapi32)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(advapi32, AddMandatoryAce); LoadFuncPfn(advapi32, EventRegister); LoadFuncPfn(advapi32, EventSetInformation); LoadFuncPfn(advapi32, EventUnregister); LoadFuncPfn(advapi32, EventWrite); LoadFuncPfn(advapi32, EventWriteTransfer); LoadFuncPfn(advapi32, RegDeleteKeyExW); LoadFuncPfn(advapi32, RegGetValueW); LoadFuncPfn(advapi32, SystemFunction036); } return; } void InitPtrs_wevtapi() { UNICODE_STRING wevtapis; HMODULE wevtapi = NULL; RtlInitUnicodeString(&wevtapis, L"wevtapi.dll"); // This is slightly different; the DLL was not always in Windows, so we won't verify that it exists. LdrLoadDll(NULL, 0, &wevtapis, &wevtapi); ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(wevtapi, EvtQuery); LoadFuncPfn(wevtapi, EvtCreateRenderContext); LoadFuncPfn(wevtapi, EvtNext); LoadFuncPfn(wevtapi, EvtRender); LoadFuncPfn(wevtapi, EvtClose); return; } void InitPtrs_dwmapi() { UNICODE_STRING dwmapis; HMODULE dwmapi = NULL; RtlInitUnicodeString(&dwmapis, L"dwmapi.dll"); LdrLoadDll(NULL, 0, &dwmapis, &dwmapi); ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(dwmapi, DwmSetWindowAttribute); LoadFuncPfn(dwmapi, DwmGetWindowAttribute); LoadFuncPfn(dwmapi, DwmGetCompositionTimingInfo); LoadFuncPfn(dwmapi, DwmExtendFrameIntoClientArea); LoadFuncPfn(dwmapi, DwmDefWindowProc); return; } void InitPtrs_setupapi() { UNICODE_STRING setupapis; HMODULE setupapi = NULL; RtlInitUnicodeString(&setupapis, L"setupapi.dll"); if(!LdrLoadDll(NULL, 0, &setupapis, &setupapi)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(setupapi, SetupDiGetDevicePropertyW); } return; } void InitPtrs_dxgi() { UNICODE_STRING dxgis; HMODULE dxgi = NULL; RtlInitUnicodeString(&dxgis, L"dxgi.dll"); ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LdrLoadDll(NULL, 0, &dxgis, &dxgi); LoadFuncPfn(dxgi, CreateDXGIFactory); LoadFuncPfn(dxgi, CreateDXGIFactory1); return; } void InitPtrs_usp10() { UNICODE_STRING usp10s; HMODULE usp10 = NULL; RtlInitUnicodeString(&usp10s, L"usp10.dll"); if(!LdrLoadDll(NULL, 0, &usp10s, &usp10)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(usp10, ScriptItemize); } return; } void InitPtrs_pdh() { UNICODE_STRING pdhs; HMODULE pdh = NULL; RtlInitUnicodeString(&pdhs, L"pdh.dll"); if(!LdrLoadDll(NULL, 0, &pdhs, &pdh)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(pdh, PdhAddEnglishCounterW); } return; } void InitPtrs_powrprof() { UNICODE_STRING powrprofs; HMODULE powrprof = NULL; RtlInitUnicodeString(&powrprofs, L"powrprof.dll"); if(!LdrLoadDll(NULL, 0, &powrprofs, &powrprof)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(powrprof, PowerDeterminePlatformRole); } return; } void InitPtrs_wtsapi32() { UNICODE_STRING wtsapi32s; HMODULE wtsapi32 = NULL; RtlInitUnicodeString(&wtsapi32s, L"wtsapi32.dll"); if(!LdrLoadDll(NULL, 0, &wtsapi32s, &wtsapi32)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(wtsapi32, WTSRegisterSessionNotification); LoadFuncPfn(wtsapi32, WTSUnRegisterSessionNotification); } return; } void InitPtrs_crypt32() { UNICODE_STRING crypt32s; HMODULE crypt32 = NULL; RtlInitUnicodeString(&crypt32s, L"crypt32.dll"); if (!LdrLoadDll(NULL, 0, &crypt32s, &crypt32)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(crypt32, CryptProtectMemory); LoadFuncPfn(crypt32, CryptUnprotectMemory); } return; } void InitPtrs_bcryptprimitives() { UNICODE_STRING bcryptprimitivess; HMODULE bcryptprimitives = NULL; RtlInitUnicodeString(&bcryptprimitivess, L"bcryptprimitives.dll"); // if(!LdrLoadDll(NULL, 0, &bcryptprimitivess, &bcryptprimitives)) // { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; g_pfn_ProcessPrng = g_pfn_SystemFunction036; // } return; } void InitPtrs_uxtheme() { UNICODE_STRING uxthemes; HMODULE uxtheme = NULL; RtlInitUnicodeString(&uxthemes, L"uxtheme.dll"); ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LdrLoadDll(NULL, 0, &uxthemes, &uxtheme); LoadFuncPfn(uxtheme, CloseThemeData); LoadFuncPfn(uxtheme, OpenThemeData); LoadFuncPfn(uxtheme, GetThemePartSize); LoadFuncPfn(uxtheme, DrawThemeBackground); LoadFuncPfn(uxtheme, GetThemeBackgroundContentRect); return; } void InitPtrs_ole32() { UNICODE_STRING ole32s; HMODULE ole32 = NULL; RtlInitUnicodeString(&ole32s, L"ole32.dll"); if(!LdrLoadDll(NULL, 0, &ole32s, &ole32)) { ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(ole32, CoRegisterInitializeSpy); LoadFuncPfn(ole32, CoRevokeInitializeSpy); } return; } void InitPtrs_combase() { UNICODE_STRING combases; HMODULE combase = NULL; RtlInitUnicodeString(&combases, L"combase.dll"); ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LdrLoadDll(NULL, 0, &combases, &combase); LoadFuncPfn(combase, WindowsCreateString); LoadFuncPfn(combase, WindowsGetStringRawBuffer); LoadFuncPfn(combase, WindowsDeleteString); LoadFuncPfn(combase, RoGetActivationFactory); LoadFuncPfn(combase, RoActivateInstance); LoadFuncPfn(combase, WindowsCreateStringReference); return; } void InitPtrs_dwrite() { UNICODE_STRING dwrites; HMODULE dwrite = NULL; RtlInitUnicodeString(&dwrites, L"dwrite.dll"); ANSI_STRING ansi_str; PVOID pfnFunc = NULL; LoadFuncPfn(dwrite, DWriteCreateFactory); return; } typedef enum _SEMAPHORE_INFORMATION_CLASS { SemaphoreBasicInformation } SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS; typedef struct _SEMAPHORE_BASIC_INFORMATION { ULONG CurrentCount; ULONG MaximumCount; } SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION; NTSYSAPI NTSTATUS NTAPI NtQuerySemaphore( HANDLE SemaphoreHandle, SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, PVOID SemaphoreInformation, ULONG SemaphoreInformationLength, PULONG ReturnLength); typedef struct _OBJECT_BASIC_INFORMATION { ULONG Attributes; ACCESS_MASK GrantedAccess; ULONG HandleCount; ULONG PointerCount; ULONG PagedPoolCharge; ULONG NonPagedPoolCharge; ULONG Reserved [3]; ULONG NameInfoSize; ULONG TypeInfoSize; ULONG SecurityDescriptorSize; LARGE_INTEGER CreationTime; } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; typedef struct _THREAD_BASIC_INFORMATION { NTSTATUS ExitStatus; PVOID TebBaseAddress; CLIENT_ID ClientId; KAFFINITY AffinityMask; KPRIORITY Priority; KPRIORITY BasePriority; } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; ULONG g_CoreTlsEntries = 0; ULONG GetCoreTlsEntriesCount() { return g_CoreTlsEntries; } BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { WCHAR AppDataDir [MAX_PATH]; WCHAR AppDataDir_Exist [MAX_PATH]; DWORD tid; PTEB_CUSTOM Teb; PLDR_DATA_TABLE_ENTRY DataTableEntry, DataTableEntryInit; LONG i; PULONG_PTR ThreadLocalStoragePointer; Teb = (PTEB_CUSTOM)NtCurrentTeb(); if(!InterlockedCompareExchange(&g_InitCompleted, 1, 0)) { // g_hFile = CreateFileA( // "tls_log.txt", // File path // GENERIC_WRITE, // Desired access // 0, // Share mode // NULL, // Security attributes // CREATE_ALWAYS, // Creation disposition // FILE_ATTRIBUTE_NORMAL, // Flags and attributes // NULL // Template file handle // ); if (Teb->ThreadLocalStoragePointer) { ThreadLocalStoragePointer = (PULONG_PTR)Teb->ThreadLocalStoragePointer; while (*ThreadLocalStoragePointer > 0 && !(*ThreadLocalStoragePointer % 4)) // Make sure only valid pointers are counted, and not padding that can also bookend the list of pointers { ++g_CoreTlsEntries; ++ThreadLocalStoragePointer; } } InitializeCriticalSection(&SrwSharedCs); InitializeCriticalSection(&SrwSharedCs2); MutexInitOnce = CreateMutexW(NULL, FALSE, NULL); g_SRWEvent = CreateEventW(NULL, TRUE, FALSE, NULL); g_hkProgwrp = 0; InitPtrs_kernel32(); InitPtrs_shell32(); InitPtrs_ntdll(); InitPtrs_user32(); InitPtrs_psapi(); InitPtrs_dbghelp(); InitPtrs_ws2_32(); InitPtrs_iphlpapi(); InitPtrs_advapi32(); InitPtrs_wevtapi(); InitPtrs_dwmapi(); InitPtrs_setupapi(); InitPtrs_dxgi(); InitPtrs_usp10(); InitPtrs_pdh(); InitPtrs_wtsapi32(); InitPtrs_powrprof(); InitPtrs_bcryptprimitives(); InitPtrs_uxtheme(); InitPtrs_ole32(); InitPtrs_combase(); InitPtrs_dwrite(); InitPtrs_crypt32(); GetEnvironmentVariableW(L"LOCALAPPDATA", AppDataDir_Exist, MAX_PATH); if(GetLastError() == ERROR_ENVVAR_NOT_FOUND) { SHGetFolderPathW(NULL, CSIDL_APPDATA, NULL, 0, AppDataDir); SetEnvironmentVariableW(L"LOCALAPPDATA", AppDataDir); } MutexRegistry = CreateMutexA(NULL, TRUE, NULL); TIMECAPS tc; if (LOBYTE(GetVersion()) < 6) { timeGetDevCaps(&tc, sizeof(TIMECAPS)); timeBeginPeriod(tc.wPeriodMin); } } switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: case DLL_THREAD_ATTACH: for (i = 0; i < TlsBasesCount; i++) { TLSInit_DllMain_ThreadAttach_Internal(TlsBases[i], NULL); } if (!Teb->SystemReserved1[0x34]) Teb->SystemReserved1[0x34] = CreateEventA(NULL, FALSE, FALSE, NULL); case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }