ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_RESUMEPROCESS:
{
struct input
{
ULONG processid;
} *inp;
inp=Irp->AssociatedIrp.SystemBuffer;
DbgPrint("IOCTL_CE_RESUMEPROCESS\n");
DBKResumeProcess(inp->processid);
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_ALLOCATEMEM:
{
struct input
{
ULONG ProcessID;
PVOID BaseAddress;
ULONG Size;
ULONG AllocationType;
ULONG Protect;
} *inp;
PEPROCESS selectedprocess;
PVOID BaseAddress;
SIZE_T RegionSize;
inp=Irp->AssociatedIrp.SystemBuffer;
BaseAddress=inp->BaseAddress;
RegionSize=inp->Size;
if (PsLookupProcessByProcessId((PVOID)(inp->ProcessID),&selectedprocess)==STATUS_SUCCESS)
{
__try
{
KAPC_STATE apc_state;
RtlZeroMemory(&apc_state,sizeof(apc_state));
KeAttachProcess((PVOID)selectedprocess); //local process is much more fun!!!!
DbgPrint("Switched Process\n");
__try
{
DbgPrint("Calling ZwAllocateVirtualMemory\n");
ntStatus=ZwAllocateVirtualMemory((HANDLE)-1,&BaseAddress,0, &RegionSize, inp->AllocationType, inp->Protect);
if ((ntStatus==STATUS_SUCCESS) && (HiddenDriver))
{
//initialize the memory with crap so it becomes paged
int i;
char *x;
x=BaseAddress;
for (i=0; i < (int)RegionSize;i++)
x[i]=(unsigned char)i;
}
DbgPrint("ntStatus=%x\n");
DbgPrint("BaseAddress=%p\n",BaseAddress);
DbgPrint("RegionSize=%x\n",RegionSize);
*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)BaseAddress;
}
__finally
{
KeDetachProcess();
}
}
__except(1)
{
ntStatus=STATUS_UNSUCCESSFUL;
break;
}
ObDereferenceObject(selectedprocess);
}
break;
}
case IOCTL_CE_ALLOCATEMEM_NONPAGED:
{
struct input
{
ULONG Size;
} *inp;
PVOID address;
char *x;
int i;
int size;
inp=Irp->AssociatedIrp.SystemBuffer;
size=inp->Size;
address=ExAllocatePoolWithTag(NonPagedPool,size,0);
*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)address;
if (address==0)
ntStatus=STATUS_UNSUCCESSFUL;
else
{
DbgPrint("Alloc success. Cleaning memory... (size=%d)\n",size);
x=address;
DbgPrint("x=%p\n",x);
for (i=0; i<size; i++)
x[i]=0;
ntStatus=STATUS_SUCCESS;
}
break;
}
case IOCTL_CE_GETPROCADDRESS:
{
struct input
{
PCWSTR s;
} *inp;
UNICODE_STRING y;
PVOID x;
inp=Irp->AssociatedIrp.SystemBuffer;
RtlInitUnicodeString(&y, inp->s);
x=MmGetSystemRoutineAddress(&y);
RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&x,4);
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_MAKEKERNELCOPY:
{
struct input
{
ULONG Base;
ULONG KernelSize;
} *inp;
DbgPrint("IOCTL_CE_MAKEKERNELCOPY");
inp=Irp->AssociatedIrp.SystemBuffer;
ntStatus=makeKernelCopy(inp->Base, inp->KernelSize);
break;
}
case IOCTL_CE_GETVERSION:
{
*(PULONG)Irp->AssociatedIrp.SystemBuffer=dbkversion;
ntStatus=STATUS_SUCCESS;
break;
}
case IOCTL_CE_INITIALIZE:
{
//find the KeServiceDescriptorTableShadow
struct input
{
ULONG AddressOfWin32K;
ULONG SizeOfWin32K;
ULONG NtUserBuildHwndList_callnumber;
ULONG NtUserQueryWindow_callnumber;
ULONG NtUserFindWindowEx_callnumber;
ULONG NtUserGetForegroundWindow_callnumber;
ULONG ActiveLinkOffset;
ULONG ProcessNameOffset;
ULONG DebugportOffset;
ULONG ProcessEvent;
ULONG ThreadEvent;
} *pinp;
int i;
PSERVICE_DESCRIPTOR_TABLE PossibleKeServiceDescriptorTableShow; //long name's are FUN!!!!
PossibleKeServiceDescriptorTableShow=KeServiceDescriptorTable;
ntStatus=STATUS_UNSUCCESSFUL;
pinp=Irp->AssociatedIrp.SystemBuffer;
NtUserBuildHwndList_callnumber=pinp->NtUserBuildHwndList_callnumber;
NtUserQueryWindow_callnumber=pinp->NtUserQueryWindow_callnumber;
NtUserFindWindowEx_callnumber=pinp->NtUserFindWindowEx_callnumber;
NtUserGetForegroundWindow_callnumber=pinp->NtUserGetForegroundWindow_callnumber;
ActiveLinkOffset=pinp->ActiveLinkOffset;
ProcessNameOffset=pinp->ProcessNameOffset;
DebugportOffset=pinp->DebugportOffset;
//referencing event handles to objects
ObReferenceObjectByHandle((HANDLE)pinp->ProcessEvent, EVENT_ALL_ACCESS, NULL,KernelMode, &ProcessEvent, NULL);
ObReferenceObjectByHandle((HANDLE)pinp->ThreadEvent, EVENT_ALL_ACCESS, NULL,KernelMode, &ThreadEvent, NULL);
//in win2k sp4 the distance is even bigger than -6, at least 21 entries down to find it
i=-25;//takes some longer to load now....
while (i<25)
{
if (IsAddressSafe((UINT_PTR)&PossibleKeServiceDescriptorTableShow[i])) //dont want to crash for a page pault now do we?
{
/*
look for a entry that looks like:
unsigned int *ServiceTable=Region of Win32K.sys
unsigned int *ServiceCounterTableBase=00000000 but lets be safe and dont check it in case of a checked build
unsigned int NumberOfServices=smaller than 0xffff;
unsigned char *ParamTableBase=Region of Win32K.sys;
*/
if (((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ServiceTable>=pinp->AddressOfWin32K) &&
((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ServiceTable<(pinp->AddressOfWin32K+pinp->SizeOfWin32K)) &&
((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ArgumentTable>=pinp->AddressOfWin32K) &&
((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ArgumentTable<(pinp->AddressOfWin32K+pinp->SizeOfWin32K)) &&
(PossibleKeServiceDescriptorTableShow[i].TableSize<0xffff)
)
{
//found it!!!!!!
KeServiceDescriptorTableShadow=&PossibleKeServiceDescriptorTableShow[i];
ntStatus=STATUS_SUCCESS;
*(UINT_PTR*)Irp->AssociatedIrp.SystemBuffer=(UINT_PTR)KeServiceDescriptorTableShadow;
DbgPrint("KeServiceDescriptorTableShadow[0]=%p",&KeServiceDescriptorTableShadow[0]);
DbgPrint("KeServiceDescriptorTableShadow[1]=%p",&KeServiceDescriptorTableShadow[1]);
DbgPrint("KeServiceDescriptorTableShadow[2]=%p",&KeServiceDescriptorTableShadow[2]);
DbgPrint("KeServiceDescriptorTableShadow[3]=%p",&KeServiceDescriptorTableShadow[3]);
AddSystemServices();
break;
}
}
i++;
}
break;
}
case IOCTL_CE_VMXCONFIG:
{
struct input
{
ULONG Virtualization_Enabled;
ULONG Password1;
ULONG Password2;
} *pinp;
DbgPrint("IOCTL_CE_VMXCONFIG called\n");
ntStatus=STATUS_SUCCESS;
pinp=Irp->AssociatedIrp.SystemBuffer;
if (pinp->Virtualization_Enabled)
{
vmx_password1=pinp->Password1;
vmx_password2=pinp->Password2;
__try
{
vmx_version=vmx_getversion();
DbgPrint("Still here, so vmx is loaded. vmx_version=%d\n",vmx_version);
vmxusable = 1;
}
__except(1)
{
DbgPrint("Exception happened. This means no vmx installed, or one of the passwords is wrong\n");
ntStatus = STATUS_UNSUCCESSFUL;
vmxusable = 0;
};
}
else
{
DbgPrint("Virtualization_Enabled=0\n");
vmxusable=0;
}
break;
}
default:
break;
}
Irp->IoStatus.Status = ntStatus;
// Set # of bytes to copy back to user-mode...
if(ntStatus == STATUS_SUCCESS)
Irp->IoStatus.Information = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
else
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return ntStatus;
}
/* Function-pointer types matching the signatures of the kernel's
 * PsRemoveCreateThreadNotifyRoutine (PSRCTNR) and
 * PsRemoveLoadImageNotifyRoutine (PSRLINR) exports. */
typedef NTSTATUS (*PSRCTNR)(__in PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);
typedef NTSTATUS (*PSRLINR)(__in PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);

/* Filled in at unload time by MSJUnloadDriver through
 * MmGetSystemRoutineAddress; zero-initialised (NULL) until then. */
PSRCTNR PsRemoveCreateThreadNotifyRoutine2;
PSRLINR PsRemoveLoadImageNotifyRoutine2;
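/*
 * MSJUnloadDriver - DriverUnload callback.
 *
 * Undoes what the driver wired into the running kernel before its image is
 * released: clears the shadow service table entry it registered, restores the
 * saved INT1 vector in every recorded IDT, unregisters the process/thread/
 * image notify callbacks and finally deletes the device object (and, outside
 * CETC_RELEASE builds, the symbolic link and its name buffer).
 *
 * The routine deliberately returns without freeing anything when the unload
 * would leave the kernel holding pointers into this image: while ProtectOn is
 * set, and when notify callbacks are registered but the removal routines
 * cannot be resolved.
 *
 * @param DriverObject  the driver whose device object is deleted.
 */
void MSJUnloadDriver(PDRIVER_OBJECT DriverObject)
{
	/* Scratch name for the MmGetSystemRoutineAddress lookups. These used to
	 * reuse the global uszDeviceString, which IoDeleteSymbolicLink at the end
	 * of this routine still needs intact (it appears to hold the symbolic
	 * link name, with BufDeviceString as its buffer - confirm in DriverEntry). */
	UNICODE_STRING routineName;

	if (ProtectOn)
		return;

	if (KeServiceDescriptorTableShadow && registered) //I can't unload without a shadow table (system service registered)
	{
		//1 since my routine finds the address of the 2nd element
		KeServiceDescriptorTableShadow[1].ArgumentTable=NULL;
		KeServiceDescriptorTableShadow[1].CounterTable=NULL;
		KeServiceDescriptorTableShadow[1].ServiceTable=NULL;
		KeServiceDescriptorTableShadow[1].TableSize=0;

		KeServiceDescriptorTable[2].ArgumentTable=NULL;
		KeServiceDescriptorTable[2].CounterTable=NULL;
		KeServiceDescriptorTable[2].ServiceTable=NULL;
		KeServiceDescriptorTable[2].TableSize=0;
	}

	if (OriginalInt1.wHighOffset!=0) //hidden feature: unloading WILL be able to stop the hook so it can be enabled a second time (e.g something overwrote my hook)
	{
		int i;

		/* One IDT per recorded processor; slots never filled stay 0.
		 * Only the INT1 vector is put back; slot 3 is left untouched. */
		for (i=0;i<32;i++)
		{
			if (IDTAddresses[i]!=0)
			{
				((PINT_VECTOR)(IDTAddresses[i]))[1]=OriginalInt1;
			}
		}
	}

	if ((CreateProcessNotifyRoutineEnabled) || (ImageNotifyRoutineLoaded))
	{
		PVOID x;

		RtlInitUnicodeString(&routineName, L"PsRemoveCreateThreadNotifyRoutine");
		PsRemoveCreateThreadNotifyRoutine2=MmGetSystemRoutineAddress(&routineName);

		/* This lookup used to repeat "PsRemoveCreateThreadNotifyRoutine"
		 * (copy-paste), so the load-image callback was handed to the wrong
		 * removal routine and stayed registered after the image was gone. */
		RtlInitUnicodeString(&routineName, L"PsRemoveLoadImageNotifyRoutine");
		PsRemoveLoadImageNotifyRoutine2=MmGetSystemRoutineAddress(&routineName);

		RtlInitUnicodeString(&routineName, L"ObOpenObjectByName");
		x=MmGetSystemRoutineAddress(&routineName);
		DbgPrint("ObOpenObjectByName=%p\n",x);

		if ((PsRemoveCreateThreadNotifyRoutine2) && (PsRemoveLoadImageNotifyRoutine2))
		{
			DbgPrint("Stopping processwatch\n");
			if (CreateProcessNotifyRoutineEnabled)
			{
				/* Return values are not checked here, as in the original;
				 * a failed removal cannot be recovered from at unload time. */
				PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,TRUE);
				PsRemoveCreateThreadNotifyRoutine2(CreateThreadNotifyRoutine);
			}
			if (ImageNotifyRoutineLoaded)
				PsRemoveLoadImageNotifyRoutine2(LoadImageNotifyRoutine);
		}
		else
		{
			/* Removal routines unavailable: the callbacks would outlive the
			 * image, so bail out and leave the device and link in place. */
			return; //leave now!!!!!
		}
	}

	IoDeleteDevice(DriverObject->DeviceObject);

#ifdef CETC
#ifndef CETC_RELEASE
	UnloadCETC(); //not possible in the final build
#endif
#endif

#ifndef CETC_RELEASE
	IoDeleteSymbolicLink(&uszDeviceString);
	ExFreePool(BufDeviceString);
#endif
}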
/*
 * Unhook - restore the original system service entries that were replaced
 * while ProtectOn was set (x86 builds only; under AMD64 the body compiles
 * to nothing).
 *
 * The service tables are normally write-protected, so CR0.WP (bit 16,
 * 0x10000) is cleared around the writes and interrupts are masked with
 * cli/sti. ProtectOn is cleared once every entry has been put back.
 */
void Unhook(void)
{
#ifndef AMD64
	if (ProtectOn)
	{
		/* Drop the write-protect bit so the tables below can be written.
		 * NOTE(review): cli only masks interrupts on the current processor;
		 * on a multiprocessor system other CPUs can still dispatch through
		 * these tables while they are rewritten - confirm this is intended. */
		__asm
		{
			cli
			mov eax,CR0
			and eax,not 0x10000 //disable bit
			mov CR0,eax
		}

		/* SYSTEMSERVICE() presumably resolves a Zw stub to its table slot;
		 * each slot receives the pointer saved when the hook was installed. */
		(ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess))=OldZwOpenProcess;
		(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation))=OldZwQuerySystemInformation;

		/* The win32k entries live in the shadow table located by
		 * IOCTL_CE_INITIALIZE; a call number of 0 means "never hooked".
		 * NOTE(review): the call numbers are supplied by user mode in
		 * IOCTL_CE_INITIALIZE and are used as indices without a check
		 * against TableSize - confirm they are validated when the hook is
		 * installed. */
		if ((NtUserBuildHwndList_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
			(NTUSERBUILDHWNDLIST)(KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber])=OldNtUserBuildHwndList;

		if ((NtUserQueryWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
			(NTUSERQUERYWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber])=OldNtUserQueryWindow;

		if ((NtUserFindWindowEx_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
			(NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber])=OldNtUserFindWindowEx;

		if ((NtUserGetForegroundWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
			(NTUSERGETFOREGROUNDWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber])=OldNtUserGetForegroundWindow;

		/* Put write protection back and re-enable interrupts. */
		__asm
		{
			mov eax,CR0
			or eax,0x10000 //re-enable this bit
			mov CR0,eax
			sti
		}

		ProtectOn=FALSE;
	}
#endif
}