Source Code IDA Pro Type Libraries & Useful Types


Rake
When you're reversing in IDA Pro it won't always ship with the type libraries you need. Because IDA's type-library format is specific to it, importing types is a pain: it takes far too long to massage Windows header source into something IDA's parser accepts.

So every time I get a successful import and decompilation, I will post the header file here. Please do the same so we can help each other out — it can be such a huge time waster.

Generate your own type libraries for IDA Pro:
How to make type libraries from Windows 10 SDK and DDK?
How to import Windows DDK headers into IDA?


More Info
IDA Help: Local types window
IDA Help: Set function/item type

EPROCESS & ntoskrnl.exe header

The WDK type library that ships with IDA was not complete for my needs, so I made my own by loading the PDB for ntoskrnl and combining it with structs from Vergilius. It targets the Windows 10 May 2020 Update; I didn't build a .til type library, just an ntoskrnl.h. Note that undocumented structures such as EPROCESS change between builds, so the offsets in this header are only valid for that build — regenerate it (or check against Vergilius) for any other version. I could have done more but I stopped when I had everything I needed.

iPower told me how to do it: open ntoskrnl.exe in IDA Pro, load its symbols from the Microsoft symbol server, then export the types. The Vergilius structs were much more complete, so I overwrote many of the PDB-derived ones with them.

I'm attaching it here; you can load it into IDA via File → Load file → Parse C header file.

I mainly did this to get a proper EPROCESS struct; maybe it will be helpful to you anyway.
 

Attachments


Rake
ObRegisterCallBacks IDA Compatible types

Everything you need to re-type the important structures when reversing calls to ObRegisterCallbacks in IDA Pro. ObRegisterCallbacks is the documented way for a driver to filter handle access to processes and threads, so once these types are applied you can read exactly what a driver's pre-/post-operation callbacks do with each handle request.

Open the Local Types window, right-click → Insert... and paste this in:

C++:
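/* Registration version expected in OB_CALLBACK_REGISTRATION.Version.
 * The original listing aliased OB_FLT_REGISTRATION_VERSION to
 * OB_FLT_REGISTRATION_VERSION_0100 without ever defining the latter, so the
 * alias expanded to an undeclared name; the WDK value is 0x0100. */
#define OB_FLT_REGISTRATION_VERSION_0100 0x0100
#define OB_FLT_REGISTRATION_VERSION OB_FLT_REGISTRATION_VERSION_0100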

/* OB_OPERATION is a plain ULONG bitmask (the WDK declares it this way and
 * provides the OB_OPERATION_HANDLE_* flags as #defines); the enum below
 * repeats the names so the decompiler can display them symbolically. */
typedef ULONG OB_OPERATION;

/* Handle operations a registration can subscribe to. The two values are
 * distinct bits, so they can be OR-ed into OB_OPERATION_REGISTRATION.Operations.
 * NOTE(review): the enum tag reuses the typedef name declared just above; that
 * is legal C (tags and typedef names live in separate namespaces) and IDA's
 * parser accepts it, but a C++ compiler would reject the pair. */
enum OB_OPERATION
{
    OB_OPERATION_HANDLE_CREATE    = 0x00000001, /* bit 0 */
    OB_OPERATION_HANDLE_DUPLICATE = 0x00000002  /* bit 1 */
};

/* Pre-operation parameters for a handle-create request. Field order and widths
 * are ABI: IDA applies this struct by offset, so do not reorder or widen them.
 * Per the WDK docs DesiredAccess is the member a pre-op callback may rewrite to
 * strip rights, so writes to offset 0 of this struct are what to look for when
 * reversing a callback -- confirm against the target binary. */
struct _OB_PRE_CREATE_HANDLE_INFORMATION {
    ACCESS_MASK DesiredAccess;         /* access being granted (callback-writable) */
    ACCESS_MASK OriginalDesiredAccess; /* access as originally requested */
};
typedef struct _OB_PRE_CREATE_HANDLE_INFORMATION  OB_PRE_CREATE_HANDLE_INFORMATION;
typedef struct _OB_PRE_CREATE_HANDLE_INFORMATION *POB_PRE_CREATE_HANDLE_INFORMATION;

/* Pre-operation parameters for a handle-duplicate request. Same leading two
 * ACCESS_MASK fields as the create variant, followed by the two processes
 * involved (opaque PVOIDs here; the WDK documents them as PEPROCESS -- verify).
 * Layout is ABI: do not reorder. */
struct _OB_PRE_DUPLICATE_HANDLE_INFORMATION {
    ACCESS_MASK DesiredAccess;         /* access being granted (callback-writable) */
    ACCESS_MASK OriginalDesiredAccess; /* access as originally requested */
    PVOID       SourceProcess;         /* process owning the source handle */
    PVOID       TargetProcess;         /* process receiving the duplicate */
};
typedef struct _OB_PRE_DUPLICATE_HANDLE_INFORMATION  OB_PRE_DUPLICATE_HANDLE_INFORMATION;
typedef struct _OB_PRE_DUPLICATE_HANDLE_INFORMATION *POB_PRE_DUPLICATE_HANDLE_INFORMATION;

/* The two pre-operation parameter shapes overlaid; OB_PRE_OPERATION_INFORMATION
 * .Operation tells which member is live. Both members start with the same two
 * ACCESS_MASK fields, which is why decompiled callbacks often read DesiredAccess
 * without checking Operation first. */
union _OB_PRE_OPERATION_PARAMETERS {
    OB_PRE_CREATE_HANDLE_INFORMATION    CreateHandleInformation;
    OB_PRE_DUPLICATE_HANDLE_INFORMATION DuplicateHandleInformation;
};
typedef union _OB_PRE_OPERATION_PARAMETERS  OB_PRE_OPERATION_PARAMETERS;
typedef union _OB_PRE_OPERATION_PARAMETERS *POB_PRE_OPERATION_PARAMETERS;

/* Argument handed to every pre-operation callback. Flags and the KernelHandle
 * bit share one ULONG through an anonymous union/struct (C11 and MSVC accept
 * this; IDA's parser does too). Layout is ABI: do not reorder fields. */
struct _OB_PRE_OPERATION_INFORMATION {
    OB_OPERATION Operation;            /* OB_OPERATION_HANDLE_CREATE or _DUPLICATE */
    union {
        ULONG Flags;
        struct {
            ULONG KernelHandle : 1;    /* request came from kernel mode (WDK) */
            ULONG Reserved     : 31;
        };
    };
    PVOID                        Object;      /* object the handle refers to */
    POBJECT_TYPE                 ObjectType;  /* its object type */
    PVOID                        CallContext; /* driver-private, passed on to the post-op */
    POB_PRE_OPERATION_PARAMETERS Parameters;  /* union selected by Operation */
};
typedef struct _OB_PRE_OPERATION_INFORMATION  OB_PRE_OPERATION_INFORMATION;
typedef struct _OB_PRE_OPERATION_INFORMATION *POB_PRE_OPERATION_INFORMATION;

/* Post-operation parameters for a handle-create request: only the access that
 * was finally granted. Read-only by the time the post-op runs (WDK). */
struct _OB_POST_CREATE_HANDLE_INFORMATION {
    ACCESS_MASK GrantedAccess;
};
typedef struct _OB_POST_CREATE_HANDLE_INFORMATION  OB_POST_CREATE_HANDLE_INFORMATION;
typedef struct _OB_POST_CREATE_HANDLE_INFORMATION *POB_POST_CREATE_HANDLE_INFORMATION;

/* Post-operation parameters for a handle-duplicate request; same single
 * GrantedAccess field as the create variant. */
struct _OB_POST_DUPLICATE_HANDLE_INFORMATION {
    ACCESS_MASK GrantedAccess;
};
typedef struct _OB_POST_DUPLICATE_HANDLE_INFORMATION  OB_POST_DUPLICATE_HANDLE_INFORMATION;
typedef struct _OB_POST_DUPLICATE_HANDLE_INFORMATION *POB_POST_DUPLICATE_HANDLE_INFORMATION;

/* Post-operation parameter shapes overlaid; OB_POST_OPERATION_INFORMATION
 * .Operation selects the live member. Both are a single ACCESS_MASK. */
union _OB_POST_OPERATION_PARAMETERS {
    OB_POST_CREATE_HANDLE_INFORMATION    CreateHandleInformation;
    OB_POST_DUPLICATE_HANDLE_INFORMATION DuplicateHandleInformation;
};
typedef union _OB_POST_OPERATION_PARAMETERS  OB_POST_OPERATION_PARAMETERS;
typedef union _OB_POST_OPERATION_PARAMETERS *POB_POST_OPERATION_PARAMETERS;

/* Argument handed to every post-operation callback. Mirrors the pre-op struct
 * with ReturnStatus inserted before Parameters -- keep that order, IDA applies
 * this by offset. Anonymous union/struct as in the pre-op variant. */
struct _OB_POST_OPERATION_INFORMATION {
    OB_OPERATION Operation;            /* OB_OPERATION_HANDLE_CREATE or _DUPLICATE */
    union {
        ULONG Flags;
        struct {
            ULONG KernelHandle : 1;    /* request came from kernel mode (WDK) */
            ULONG Reserved     : 31;
        };
    };
    PVOID                         Object;       /* object the handle refers to */
    POBJECT_TYPE                  ObjectType;   /* its object type */
    PVOID                         CallContext;  /* whatever the pre-op stored */
    NTSTATUS                      ReturnStatus; /* outcome of the handle operation */
    POB_POST_OPERATION_PARAMETERS Parameters;   /* union selected by Operation */
};
typedef struct _OB_POST_OPERATION_INFORMATION  OB_POST_OPERATION_INFORMATION;
typedef struct _OB_POST_OPERATION_INFORMATION *POB_POST_OPERATION_INFORMATION;

/* Return value of a pre-operation callback. Only OB_PREOP_SUCCESS exists; per
 * the WDK a callback that wants to deny access does so by editing
 * DesiredAccess in the parameters, not through this status. */
enum _OB_PREOP_CALLBACK_STATUS {
    OB_PREOP_SUCCESS = 0
};
typedef enum _OB_PREOP_CALLBACK_STATUS  OB_PREOP_CALLBACK_STATUS;
typedef enum _OB_PREOP_CALLBACK_STATUS *POB_PREOP_CALLBACK_STATUS;

/* Pre-operation callback signature (OB_OPERATION_REGISTRATION.PreOperation).
 * When reversing a driver, the function behind this pointer is typically where
 * DesiredAccess gets rewritten; RegistrationContext is the driver's own
 * OB_CALLBACK_REGISTRATION.RegistrationContext value. */
typedef OB_PREOP_CALLBACK_STATUS (*POB_PRE_OPERATION_CALLBACK)(
    PVOID                         RegistrationContext,
    POB_PRE_OPERATION_INFORMATION OperationInformation);

/* Post-operation callback signature (OB_OPERATION_REGISTRATION.PostOperation).
 * Returns nothing; it only observes ReturnStatus/GrantedAccess. */
typedef void (*POB_POST_OPERATION_CALLBACK)(
    PVOID                          RegistrationContext,
    POB_POST_OPERATION_INFORMATION OperationInformation);

/* One entry of the OperationRegistration array. ObjectType is a pointer to a
 * POBJECT_TYPE global -- the double indirection is deliberate; in drivers this
 * is usually &PsProcessType or &PsThreadType, confirm against the target.
 * Either callback pointer may be NULL (WDK). Layout is ABI: do not reorder. */
struct _OB_OPERATION_REGISTRATION {
    POBJECT_TYPE               *ObjectType;    /* which object type to filter */
    OB_OPERATION                Operations;    /* bitmask of OB_OPERATION_HANDLE_* */
    POB_PRE_OPERATION_CALLBACK  PreOperation;  /* runs before the handle is created */
    POB_POST_OPERATION_CALLBACK PostOperation; /* runs after */
};
typedef struct _OB_OPERATION_REGISTRATION  OB_OPERATION_REGISTRATION;
typedef struct _OB_OPERATION_REGISTRATION *POB_OPERATION_REGISTRATION;

/* The structure ObRegisterCallbacks takes. Version is expected to be
 * OB_FLT_REGISTRATION_VERSION; OperationRegistration points to an array of
 * OperationRegistrationCount entries. When reversing, Altitude is a handy
 * identifier for the driver and OperationRegistration leads straight to its
 * callbacks. Layout is ABI: do not reorder. */
struct _OB_CALLBACK_REGISTRATION {
    USHORT                     Version;
    USHORT                     OperationRegistrationCount;
    UNICODE_STRING             Altitude;
    PVOID                      RegistrationContext;  /* handed back to each callback */
    OB_OPERATION_REGISTRATION *OperationRegistration; /* array, Count entries */
};
typedef struct _OB_CALLBACK_REGISTRATION  OB_CALLBACK_REGISTRATION;
typedef struct _OB_CALLBACK_REGISTRATION *POB_CALLBACK_REGISTRATION;
Before:

1600196358317.png
1600196369907.png


After:
1600197470005.png

1600197489602.png


Not quite done, but much better.
 