authorauth12 <[email protected]>2020-08-06 15:33:18 +0100
committerauth12 <[email protected]>2020-08-06 15:33:18 +0100
commitd120e7b489adc42a4489c63305413dfe52ed8bbf (patch)
tree6c114e3b0e8f22aa4c0210e2006a88ec63182b95 /client/src/util
parentMore ui improvements. (diff)
Improved CPU usage drastically.
Switched to DirectX 9. Reduced RAM usage by only remapping modules that are on a blacklist.
Diffstat (limited to 'client/src/util')
-rw-r--r--client/src/util/native.h113
-rw-r--r--client/src/util/util.cpp10
2 files changed, 113 insertions, 10 deletions
diff --git a/client/src/util/native.h b/client/src/util/native.h
index aa41b65..d8b580a 100644
--- a/client/src/util/native.h
+++ b/client/src/util/native.h
@@ -157,11 +157,114 @@ namespace native {
uint8_t Flags;
};
- enum SECTION_INHERIT {
- ViewShare = 1,
- ViewUnmap = 2
+ enum PROCESSINFOCLASS
+ {
+ ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
+ ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
+ ProcessIoCounters, // q: IO_COUNTERS
+ ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2
+ ProcessTimes, // q: KERNEL_USER_TIMES
+ ProcessBasePriority, // s: KPRIORITY
+ ProcessRaisePriority, // s: ULONG
+ ProcessDebugPort, // q: HANDLE
+ ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT
+ ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
+ ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10
+ ProcessLdtSize, // s: PROCESS_LDT_SIZE
+ ProcessDefaultHardErrorMode, // qs: ULONG
+ ProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION
+ ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
+ ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
+ ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege)
+ ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
+ ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
+ ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed)
+ ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20
+ ProcessAffinityMask, // s: KAFFINITY
+ ProcessPriorityBoost, // qs: ULONG
+ ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
+ ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
+ ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
+ ProcessWow64Information, // q: ULONG_PTR
+ ProcessImageFileName, // q: UNICODE_STRING
+ ProcessLUIDDeviceMapsEnabled, // q: ULONG
+ ProcessBreakOnTermination, // qs: ULONG
+ ProcessDebugObjectHandle, // q: HANDLE // 30
+ ProcessDebugFlags, // qs: ULONG
+ ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
+ ProcessIoPriority, // qs: IO_PRIORITY_HINT
+ ProcessExecuteFlags, // qs: ULONG
+ ProcessResourceManagement, // ProcessTlsInformation // PROCESS_TLS_INFORMATION
+ ProcessCookie, // q: ULONG
+ ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
+ ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
+ ProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION
+ ProcessInstrumentationCallback, // qs: PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40
+ ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
+ ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
+ ProcessImageFileNameWin32, // q: UNICODE_STRING
+ ProcessImageFileMapping, // q: HANDLE (input)
+ ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
+ ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
+ ProcessGroupInformation, // q: USHORT[]
+ ProcessTokenVirtualizationEnabled, // s: ULONG
+ ProcessConsoleHostProcess, // q: ULONG_PTR // ProcessOwnerInformation
+ ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50
+ ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
+ ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
+ ProcessDynamicFunctionTableInformation,
+ ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables
+ ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
+ ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
+ ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL
+ ProcessHandleTable, // q: ULONG[] // since WINBLUE
+ ProcessCheckStackExtentsMode,
+ ProcessCommandLineInformation, // q: UNICODE_STRING // 60
+ ProcessProtectionInformation, // q: PS_PROTECTION
+ ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD
+ ProcessFaultInformation, // PROCESS_FAULT_INFORMATION
+ ProcessTelemetryIdInformation, // PROCESS_TELEMETRY_ID_INFORMATION
+ ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION
+ ProcessDefaultCpuSetsInformation,
+ ProcessAllowedCpuSetsInformation,
+ ProcessSubsystemProcess,
+ ProcessJobMemoryInformation, // PROCESS_JOB_MEMORY_INFO
+ ProcessInPrivate, // since THRESHOLD2 // 70
+ ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables
+ ProcessIumChallengeResponse,
+ ProcessChildProcessInformation, // PROCESS_CHILD_PROCESS_INFORMATION
+ ProcessHighGraphicsPriorityInformation,
+ ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
+ ProcessEnergyValues, // PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES
+ ProcessActivityThrottleState, // PROCESS_ACTIVITY_THROTTLE_STATE
+ ProcessActivityThrottlePolicy, // PROCESS_ACTIVITY_THROTTLE_POLICY
+ ProcessWin32kSyscallFilterInformation,
+ ProcessDisableSystemAllowedCpuSets, // 80
+ ProcessWakeInformation, // PROCESS_WAKE_INFORMATION
+ ProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE
+ ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
+ ProcessCaptureTrustletLiveDump,
+ ProcessTelemetryCoverage,
+ ProcessEnclaveInformation,
+ ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION
+ ProcessUptimeInformation, // PROCESS_UPTIME_INFORMATION
+ ProcessImageSection, // q: HANDLE
+ ProcessDebugAuthInformation, // since REDSTONE4 // 90
+ ProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT
+ ProcessSequenceNumber, // q: ULONGLONG
+ ProcessLoaderDetour, // since REDSTONE5
+ ProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION
+ ProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION
+ ProcessEnableLogging, // PROCESS_LOGGING_INFORMATION
+ ProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION
+ ProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1
+ ProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
+ ProcessAltSystemCallInformation, // since 20H1 // 100
+ ProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION
+ MaxProcessInfoClass
};
+
using NtQuerySystemInformation = NTSTATUS(__stdcall*)(SYSTEM_INFORMATION_CLASS, PVOID, SIZE_T, PULONG);
using NtOpenProcess = NTSTATUS(__stdcall*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, CLIENT_ID*);
using NtOpenThread = NTSTATUS(__stdcall*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, CLIENT_ID*);
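Review bot: The enumerator values of the new PROCESSINFOCLASS are purely positional, and the only thing tying them to the kernel's numbering is the hand-written `// 10` … `// 100` comments (lines 42, 52, … 132), so an accidental insertion or deletion mid-list would silently shift every later class and send the wrong information class to the kernel. Pin the table after the closing brace with `static_assert(ProcessCommandLineInformation == 60 && ProcessAltSystemCallInformation == 100, "PROCESSINFOCLASS numbering drifted");`. The `// since VISTA` … `// since 20H1` tails also mean the later classes do not exist on older Windows builds, so a comment above the enum should say that every NtQueryInformationProcess/NtSetInformationProcess call made through this table must check the returned NTSTATUS (STATUS_INVALID_INFO_CLASS on older builds) rather than trust the output buffer; the typedef that consumes this enum is not in the hunk, so I cannot confirm how it is passed. As a plain `enum` rather than `enum class`, roughly a hundred unscoped names also land in `native::`, which is worth a one-line note for anyone who later writes `using namespace native` next to winternl.h, whose PROCESSINFOCLASS reuses several of them.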
@@ -174,8 +277,4 @@ namespace native {
using NtWaitForSingleObject = NTSTATUS(__stdcall*)(HANDLE, BOOLEAN, PLARGE_INTEGER);
using NtCreateThreadEx = NTSTATUS(__stdcall*)(PHANDLE, ACCESS_MASK, PVOID, HANDLE, LPTHREAD_START_ROUTINE, PVOID, ULONG, ULONG_PTR, SIZE_T, SIZE_T, PVOID);
- using NtCreateSection = NTSTATUS(__stdcall*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE);
- using NtMapViewOfSection = NTSTATUS(__stdcall*)(HANDLE, HANDLE, PVOID *, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, SECTION_INHERIT, ULONG, ULONG);
- using NtUnmapViewOfSection = NTSTATUS(__stdcall*)(HANDLE, PVOID);
-
}; // namespace native \ No newline at end of file
diff --git a/client/src/util/util.cpp b/client/src/util/util.cpp
index fab886e..7103604 100644
--- a/client/src/util/util.cpp
+++ b/client/src/util/util.cpp
@@ -56,11 +56,13 @@ bool util::close_handle(HANDLE handle) {
}
-void pe::get_all_modules(std::unordered_map<std::string, virtual_image>& modules) {
+bool pe::get_all_modules(std::unordered_map<std::string, virtual_image>& modules) {
+ modules.clear();
+
auto peb = util::peb();
- if (!peb) return;
+ if (!peb) return false;
- if (!peb->Ldr->InMemoryOrderModuleList.Flink) return;
+ if (!peb->Ldr->InMemoryOrderModuleList.Flink) return false;
auto* list = &peb->Ldr->InMemoryOrderModuleList;
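Review bot: The new early return on line 160 checks `peb` but line 162 still dereferences `peb->Ldr` unchecked before reading `InMemoryOrderModuleList.Flink`; now that the function reports failure as `bool`, fold it into the guard: `if (!peb || !peb->Ldr) return false;`. The added `modules.clear()` on line 156 also means a caller's previous snapshot is discarded even when the function then returns false, which is reasonable but should be stated where the function is declared, e.g. `// Rebuilds 'modules' from the PEB's InMemoryOrderModuleList; on failure the map is left empty and false is returned.` The header declaring pe::get_all_modules is outside this diff (the diffstat is limited to client/src/util), so its return type presumably was or must be updated to match. get_all_modules' body continues past this hunk.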
@@ -74,4 +76,6 @@ void pe::get_all_modules(std::unordered_map<std::string, virtual_image>& modules
modules[name] = virtual_image(entry->DllBase);
}
+
+ return !modules.empty();
} \ No newline at end of file
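Review bot: `return !modules.empty();` reports the walk as failed when it completes without inserting anything, which a caller cannot distinguish from the PEB/Ldr early returns above, so "loader data unavailable" and "walked but nothing collected" collapse into the same false; if that distinction matters, return `true` here and let callers test `modules.empty()` themselves. Note also that the walk over InMemoryOrderModuleList (the loop lies outside this hunk) runs without holding the loader lock, so a DLL being loaded or unloaded on another thread while this iterates can break the traversal — at minimum document that the caller must invoke this at a quiescent point, or take the loader lock around the walk. The function's start and its loop body are outside this hunk.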